1. 05 Apr, 2024 11 commits
    • Linus Torvalds's avatar
      Merge tag 'sound-6.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · c42881d4
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This became a bit bigger collection of patches, but almost all are
        about device-specific fixes, and should be safe for 6.9:
      
         - Lots of ASoC Intel SOF-related fixes/updates
      
         - Locking fixes in SoundWire drivers
      
         - ASoC AMD ACP/SOF updates
      
         - ASoC ES8326 codec fixes
      
         - HD-audio codec fixes and quirks
      
         - A regression fix in emu10k1 synth code"
      
      * tag 'sound-6.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (49 commits)
        ASoC: SOF: Core: Add remove_late() to sof_init_environment failure path
        ASoC: SOF: amd: fix for false dsp interrupts
        ASoC: SOF: Intel: lnl: Disable DMIC/SSP offload on remove
        ASoC: Intel: avs: boards: Add modules description
        ASoC: codecs: ES8326: Removing the control of ADC_SCALE
        ASoC: codecs: ES8326: Solve a headphone detection issue after suspend and resume
        ASoC: codecs: ES8326: modify clock table
        ASoC: codecs: ES8326: Solve error interruption issue
        ALSA: line6: Zero-initialize message buffers
        ALSA: hda/realtek: cs35l41: Support ASUS ROG G634JYR
        ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
        ALSA: hda/realtek: Add sound quirks for Lenovo Legion slim 7 16ARHA7 models
        Revert "ALSA: emu10k1: fix synthesizer sample playback position and caching"
        OSS: dmasound/paula: Mark driver struct with __refdata to prevent section mismatch
        ALSA: hda/realtek: Add quirks for ASUS Laptops using CS35L56
        ASoC: amd: acp: fix for acp_init function error handling
        ASoC: tas2781: mark dvc_tlv with __maybe_unused
        ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
        ASoC: rt-sdw*: add __func__ to all error logs
        ASoC: rt722-sdca-sdw: fix locking sequence
        ...
      c42881d4
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2024-04-05' of https://gitlab.freedesktop.org/drm/kernel · 89103a16
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Weekly fixes, mostly xe and i915, amdgpu on a week off, otherwise a
        nouveau fix for a crash with new vulkan cts tests, and a couple of
        cleanups and misc fixes.
      
        display:
         - fix typos in kerneldoc
      
        prime:
         - unbreak dma-buf export for virt-gpu
      
        nouveau:
         - uvmm: fix remap address calculation
         - minor cleanups
      
        panfrost:
         - fix power-transition timeouts
      
        xe:
         - Stop using system_unbound_wq for preempt fences
         - Fix saving unordered rebinding fences by attaching them as kernel
           feces to the vm's resv
         - Fix TLB invalidation fences completing out of order
         - Move rebind TLB invalidation to the ring ops to reduce the latency
      
        i915:
         - A few DisplayPort related fixes
         - eDP PSR fixes
         - Remove some VM space restrictions on older platforms
         - Disable automatic load CCS load balancing"
      
      * tag 'drm-fixes-2024-04-05' of https://gitlab.freedesktop.org/drm/kernel: (22 commits)
        drm/xe: Use ordered wq for preempt fence waiting
        drm/xe: Move vma rebinding to the drm_exec locking loop
        drm/xe: Make TLB invalidation fences unordered
        drm/xe: Rework rebinding
        drm/xe: Use ring ops TLB invalidation for rebinds
        drm/i915/mst: Reject FEC+MST on ICL
        drm/i915/mst: Limit MST+DSC to TGL+
        drm/i915/dp: Fix the computation for compressed_bpp for DISPLAY < 13
        drm/i915/gt: Enable only one CCS for compute workload
        drm/i915/gt: Do not generate the command streamer for all the CCS
        drm/i915/gt: Disable HW load balancing for CCS
        drm/i915/gt: Limit the reserved VM space to only the platforms that need it
        drm/i915/psr: Fix intel_psr2_sel_fetch_et_alignment usage
        drm/i915/psr: Move writing early transport pipe src
        drm/i915/psr: Calculate PIPE_SRCSZ_ERLY_TPT value
        drm/i915/dp: Remove support for UHBR13.5
        drm/i915/dp: Fix DSC state HW readout for SST connectors
        drm/display: fix typo
        drm/prime: Unbreak virtgpu dma-buf export
        nouveau/uvmm: fix addr/range calcs for remap operations
        ...
      89103a16
    • Linus Torvalds's avatar
      Merge tag '9p-for-6.9-rc3' of https://github.com/martinetd/linux · e8b0ccb2
      Linus Torvalds authored
      Pull minor 9p cleanups from Dominique Martinet:
      
       - kernel doc fix & removal of unused flag
      
       - fix some bogus debug statement for read/write
      
      * tag '9p-for-6.9-rc3' of https://github.com/martinetd/linux:
        9p: remove SLAB_MEM_SPREAD flag usage
        9p: Fix read/write debug statements to report server reply
        9p/trans_fd: remove Excess kernel-doc comment
      e8b0ccb2
    • Linus Torvalds's avatar
      Merge tag '6.9-rc2-ksmbd-server-fixes' of git://git.samba.org/ksmbd · 405ac6a5
      Linus Torvalds authored
      Pull smb server fixes from Steve French:
       "Three fixes, all also for stable:
      
         - encryption fix
      
         - memory overrun fix
      
         - oplock break fix"
      
      * tag '6.9-rc2-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
        ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1
        ksmbd: validate payload size in ipc response
        ksmbd: don't send oplock break if rename fails
      405ac6a5
    • Linus Torvalds's avatar
      Merge tag 'vfs-6.9-rc3.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs · fae02687
      Linus Torvalds authored
      Pull vfs fixes from Christian Brauner:
       "This contains a few small fixes. This comes with some delay because I
        wanted to wait on people running their reproducers and the Easter
        Holidays meant that those replies came in a little later than usual:
      
         - Fix handling of preventing writes to mounted block devices.
      
           Since last kernel we allow to prevent writing to mounted block
           devices provided CONFIG_BLK_DEV_WRITE_MOUNTED isn't set and the
           block device is opened with restricted writes. When we switched to
           opening block devices as files we altered the mechanism by which we
           recognize when a block device has been opened with write
           restrictions.
      
           The detection logic assumed that only read-write mounted
           filesystems would apply write restrictions to their block devices
           from other openers. That of course is not true since it also makes
           sense to apply write restrictions for filesystems that are
           read-only.
      
           Fix the detection logic using an FMODE_* bit. We still have a few
           left since we freed up a couple a while ago. I also picked up a
           patch to free up four additional FMODE_* bits scheduled for the
           next merge window.
      
         - Fix counting the number of writers to a block device. This just
           changes the logic to be consistent.
      
         - Fix a bug in aio causing a NULL pointer derefernce after we
           implemented batched processing in aio.
      
         - Finally, add the changes we discussed that allows to yield block
           devices early even though file closing itself is deferred.
      
           This also allows us to remove two holder operations to get and
           release the holder to align lifetime of file and holder of the
           block device"
      
      * tag 'vfs-6.9-rc3.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
        aio: Fix null ptr deref in aio_complete() wakeup
        fs,block: yield devices early
        block: count BLK_OPEN_RESTRICT_WRITES openers
        block: handle BLK_OPEN_RESTRICT_WRITES correctly
      fae02687
    • Kent Overstreet's avatar
      aio: Fix null ptr deref in aio_complete() wakeup · caeb4b0a
      Kent Overstreet authored
      list_del_init_careful() needs to be the last access to the wait queue
      entry - it effectively unlocks access.
      
      Previously, finish_wait() would see the empty list head and skip taking
      the lock, and then we'd return - but the completion path would still
      attempt to do the wakeup after the task_struct pointer had been
      overwritten.
      
      Fixes: 71eb6b6b ("fs/aio: obey min_nr when doing wakeups")
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/linux-fsdevel/CAHTA-ubfwwB51A5Wg5M6H_rPEQK9pNf8FkAGH=vr=FEkyRrtqw@mail.gmail.com/Signed-off-by: default avatarKent Overstreet <kent.overstreet@linux.dev>
      Link: https://lore.kernel.org/stable/20240331215212.522544-1-kent.overstreet%40linux.dev
      Link: https://lore.kernel.org/r/20240331215212.522544-1-kent.overstreet@linux.devSigned-off-by: default avatarChristian Brauner <brauner@kernel.org>
      caeb4b0a
    • Takashi Iwai's avatar
      Merge tag 'asoc-fix-v6.9-rc2' of... · 100c8542
      Takashi Iwai authored
      Merge tag 'asoc-fix-v6.9-rc2' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v6.9
      
      A relatively large set of fixes here, the biggest piece of it is a
      series correcting some problems with the delay reporting for Intel SOF
      cards but there's a bunch of other things.  Everything here is driver
      specific except for a fix in the core for an issue with sign extension
      handling volume controls.
      100c8542
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2024-04-04' of... · 4c859574
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2024-04-04' of https://anongit.freedesktop.org/git/drm/drm-intel into drm-fixes
      
      Display fixes:
      - A few DisplayPort related fixes (Imre, Arun, Ankit, Ville)
      - eDP PSR fixes (Jouni)
      
      Core/GT fixes:
      - Remove some VM space restrictions on older platforms (Andi)
      - Disable automatic load CCS load balancing (Andi)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/Zg7nSK5oTmWfKPPI@intel.com
      4c859574
    • Dave Airlie's avatar
      Merge tag 'drm-xe-fixes-2024-04-04' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes · a5b5ab33
      Dave Airlie authored
      - Stop using system_unbound_wq for preempt fences,
        as this can cause starvation when reaching more
        than max_active defined by workqueue
      - Fix saving unordered rebinding fences by attaching
        them as kernel feces to the vm's resv
      - Fix TLB invalidation fences completing out of order
      - Move rebind TLB invalidation to the ring ops to reduce
        the latency
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Lucas De Marchi <lucas.demarchi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/tizan6wdpxu4ayudeikjglxdgzmnhdzj3li3z2pgkierjtozzw@lbfddeg43a7h
      a5b5ab33
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2024-04-04' of... · 4cf09f17
      Dave Airlie authored
      Merge tag 'drm-misc-fixes-2024-04-04' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
      
      Short summary of fixes pull:
      
      display:
      - fix typos in kerneldoc
      
      nouveau:
      - uvmm: fix remap address calculation
      - minor cleanups
      
      panfrost:
      - fix power-transition timeouts
      
      prime:
      - unbreak dma-buf export for virt-gpu
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Thomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240404104813.GA27376@localhost.localdomain
      4cf09f17
    • Sean Christopherson's avatar
      x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word · 8cb4a9a8
      Sean Christopherson authored
      Add CPUID_LNX_5 to track cpufeatures' word 21, and add the appropriate
      compile-time assert in KVM to prevent direct lookups on the features in
      CPUID_LNX_5.  KVM uses X86_FEATURE_* flags to manage guest CPUID, and so
      must translate features that are scattered by Linux from the Linux-defined
      bit to the hardware-defined bit, i.e. should never try to directly access
      scattered features in guest CPUID.
      
      Opportunistically add NR_CPUID_WORDS to enum cpuid_leafs, along with a
      compile-time assert in KVM's CPUID infrastructure to ensure that future
      additions update cpuid_leafs along with NCAPINTS.
      
      No functional change intended.
      
      Fixes: 7f274e60 ("x86/cpufeatures: Add new word for scattered features")
      Cc: Sandipan Das <sandipan.das@amd.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Acked-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8cb4a9a8
  2. 04 Apr, 2024 29 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · c88b9b4c
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter, bluetooth and bpf.
      
        Fairly usual collection of driver and core fixes. The large selftest
        accompanying one of the fixes is also becoming a common occurrence.
      
        Current release - regressions:
      
         - ipv6: fix infinite recursion in fib6_dump_done()
      
         - net/rds: fix possible null-deref in newly added error path
      
        Current release - new code bugs:
      
         - net: do not consume a full cacheline for system_page_pool
      
         - bpf: fix bpf_arena-related file descriptor leaks in the verifier
      
         - drv: ice: fix freeing uninitialized pointers, fixing misuse of the
           newfangled __free() auto-cleanup
      
        Previous releases - regressions:
      
         - x86/bpf: fixes the BPF JIT with retbleed=stuff
      
         - xen-netfront: add missing skb_mark_for_recycle, fix page pool
           accounting leaks, revealed by recently added explicit warning
      
         - tcp: fix bind() regression for v6-only wildcard and v4-mapped-v6
           non-wildcard addresses
      
         - Bluetooth:
            - replace "hci_qca: Set BDA quirk bit if fwnode exists in DT" with
              better workarounds to un-break some buggy Qualcomm devices
            - set conn encrypted before conn establishes, fix re-connecting to
              some headsets which use slightly unusual sequence of msgs
      
         - mptcp:
            - prevent BPF accessing lowat from a subflow socket
            - don't account accept() of non-MPC client as fallback to TCP
      
         - drv: mana: fix Rx DMA datasize and skb_over_panic
      
         - drv: i40e: fix VF MAC filter removal
      
        Previous releases - always broken:
      
         - gro: various fixes related to UDP tunnels - netns crossing
           problems, incorrect checksum conversions, and incorrect packet
           transformations which may lead to panics
      
         - bpf: support deferring bpf_link dealloc to after RCU grace period
      
         - nf_tables:
            - release batch on table validation from abort path
            - release mutex after nft_gc_seq_end from abort path
            - flush pending destroy work before exit_net release
      
         - drv: r8169: skip DASH fw status checks when DASH is disabled"
      
      * tag 'net-6.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (81 commits)
        netfilter: validate user input for expected length
        net/sched: act_skbmod: prevent kernel-infoleak
        net: usb: ax88179_178a: avoid the interface always configured as random address
        net: dsa: sja1105: Fix parameters order in sja1110_pcs_mdio_write_c45()
        net: ravb: Always update error counters
        net: ravb: Always process TX descriptor ring
        netfilter: nf_tables: discard table flag update with pending basechain deletion
        netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
        netfilter: nf_tables: reject new basechain after table flag update
        netfilter: nf_tables: flush pending destroy work before exit_net release
        netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
        netfilter: nf_tables: release batch on table validation from abort path
        Revert "tg3: Remove residual error handling in tg3_suspend"
        tg3: Remove residual error handling in tg3_suspend
        net: mana: Fix Rx DMA datasize and skb_over_panic
        net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()
        net: phy: micrel: lan8814: Fix when enabling/disabling 1-step timestamping
        net: stmmac: fix rx queue priority assignment
        net: txgbe: fix i2c dev name cannot match clkdev
        net: fec: Set mac_managed_pm during probe
        ...
      c88b9b4c
    • Linus Torvalds's avatar
      Merge tag 'bcachefs-2024-04-03' of https://evilpiepirate.org/git/bcachefs · ec25bd8d
      Linus Torvalds authored
      Pull bcachefs repair code from Kent Overstreet:
       "A couple more small fixes, and new repair code.
      
        We can now automatically recover from arbitrary corrupted interior
        btree nodes by scanning, and we can reconstruct metadata as needed to
        bring a filesystem back into a working, consistent, read-write state
        and preserve access to whatevver wasn't corrupted.
      
        Meaning - you can blow away all metadata except for extents and
        dirents leaf nodes, and repair will reconstruct everything else and
        give you your data, and under the correct paths. If inodes are missing
        i_size will be slightly off and permissions/ownership/timestamps will
        be gone, and we do still need the snapshots btree if snapshots were in
        use - in the future we'll be able to guess the snapshot tree structure
        in some situations.
      
        IOW - aside from shaking out remaining bugs (fuzz testing is still
        coming), repair code should be complete and if repair ever doesn't
        work that's the highest priority bug that I want to know about
        immediately.
      
        This patchset was kindly tested by a user from India who accidentally
        wiped one drive out of a three drive filesystem with no replication on
        the family computer - it took a couple weeks but we got everything
        important back"
      
      * tag 'bcachefs-2024-04-03' of https://evilpiepirate.org/git/bcachefs:
        bcachefs: reconstruct_inode()
        bcachefs: Subvolume reconstruction
        bcachefs: Check for extents that point to same space
        bcachefs: Reconstruct missing snapshot nodes
        bcachefs: Flag btrees with missing data
        bcachefs: Topology repair now uses nodes found by scanning to fill holes
        bcachefs: Repair pass for scanning for btree nodes
        bcachefs: Don't skip fake btree roots in fsck
        bcachefs: bch2_btree_root_alloc() -> bch2_btree_root_alloc_fake()
        bcachefs: Etyzinger cleanups
        bcachefs: bch2_shoot_down_journal_keys()
        bcachefs: Clear recovery_passes_required as they complete without errors
        bcachefs: ratelimit informational fsck errors
        bcachefs: Check for bad needs_discard before doing discard
        bcachefs: Improve bch2_btree_update_to_text()
        mean_and_variance: Drop always failing tests
        bcachefs: fix nocow lock deadlock
        bcachefs: BCH_WATERMARK_interior_updates
        bcachefs: Fix btree node reserve
      ec25bd8d
    • Chaitanya Kumar Borah's avatar
      ASoC: SOF: Core: Add remove_late() to sof_init_environment failure path · 90f8917e
      Chaitanya Kumar Borah authored
      In cases where the sof driver is unable to find the firmware and/or
      topology file [1], it exits without releasing the i915 runtime
      pm wakeref [2]. This results in dmesg warnings[3] during
      suspend/resume or driver unbind. Add remove_late() to the failure path
      of sof_init_environment so that i915 wakeref is released appropriately
      
      [1]
      
      [    8.990366] sof-audio-pci-intel-mtl 0000:00:1f.3: SOF firmware and/or topology file not found.
      [    8.990396] sof-audio-pci-intel-mtl 0000:00:1f.3: Supported default profiles
      [    8.990398] sof-audio-pci-intel-mtl 0000:00:1f.3: - ipc type 1 (Requested):
      [    8.990399] sof-audio-pci-intel-mtl 0000:00:1f.3:  Firmware file: intel/sof-ipc4/mtl/sof-mtl.ri
      [    8.990401] sof-audio-pci-intel-mtl 0000:00:1f.3:  Topology file: intel/sof-ace-tplg/sof-mtl-rt711-2ch.tplg
      [    8.990402] sof-audio-pci-intel-mtl 0000:00:1f.3: Check if you have 'sof-firmware' package installed.
      [    8.990403] sof-audio-pci-intel-mtl 0000:00:1f.3: Optionally it can be manually downloaded from:
      [    8.990404] sof-audio-pci-intel-mtl 0000:00:1f.3:    https://github.com/thesofproject/sof-bin/
      [    8.999088] sof-audio-pci-intel-mtl 0000:00:1f.3: error: sof_probe_work failed err: -2
      
      [2]
      
      ref_tracker: 0000:00:02.0@ffff9b8511b6a378 has 1/5 users at
           track_intel_runtime_pm_wakeref.part.0+0x36/0x70 [i915]
           __intel_runtime_pm_get+0x51/0xb0 [i915]
           intel_runtime_pm_get+0x17/0x20 [i915]
           intel_display_power_get+0x2f/0x70 [i915]
           i915_audio_component_get_power+0x23/0x120 [i915]
           snd_hdac_display_power+0x89/0x130 [snd_hda_core]
           hda_codec_i915_init+0x3f/0x50 [snd_sof_intel_hda]
           hda_dsp_probe_early+0x170/0x250 [snd_sof_intel_hda_common]
           snd_sof_device_probe+0x224/0x320 [snd_sof]
           sof_pci_probe+0x15b/0x220 [snd_sof_pci]
           hda_pci_intel_probe+0x30/0x70 [snd_sof_intel_hda_common]
           local_pci_probe+0x4c/0xb0
           pci_device_probe+0xcc/0x250
           really_probe+0x18e/0x420
           __driver_probe_device+0x7e/0x170
           driver_probe_device+0x23/0xa0
      
      [3]
      [  484.105070] ------------[ cut here ]------------
      [  484.108238] thunderbolt 0000:00:0d.2: PM: pci_pm_suspend_late+0x0/0x50 returned 0 after 0 usecs
      [  484.117106] i915 0000:00:02.0: i915 raw-wakerefs=1 wakelocks=1 on cleanup
      [  484.792005] WARNING: CPU: 2 PID: 2405 at drivers/gpu/drm/i915/intel_runtime_pm.c:444 intel_runtime_pm_driver_release+0x6c/0x80
      Tested-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Reviewed-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Reviewed-by: default avatarBard Liao <yung-chuan.liao@linux.intel.com>
      Reviewed-by: default avatarPéter Ujfalusi <peter.ujfalusi@linux.intel.com>
      Reviewed-by: default avatarKai Vehmanen <kai.vehmanen@linux.intel.com>
      Signed-off-by: default avatarChaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
      Signed-off-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Acked-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      Link: https://github.com/thesofproject/linux/pull/4878Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://msgid.link/r/20240404184813.134566-1-pierre-louis.bossart@linux.intel.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      90f8917e
    • Jakub Kicinski's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 1cfa2f10
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2024-04-04
      
      We've added 7 non-merge commits during the last 5 day(s) which contain
      a total of 9 files changed, 75 insertions(+), 24 deletions(-).
      
      The main changes are:
      
      1) Fix x86 BPF JIT under retbleed=stuff which causes kernel panics due to
         incorrect destination IP calculation and incorrect IP for relocations,
         from Uros Bizjak and Joan Bruguera Micó.
      
      2) Fix BPF arena file descriptor leaks in the verifier,
         from Anton Protopopov.
      
      3) Defer bpf_link deallocation to after RCU grace period as currently
         running multi-{kprobes,uprobes} programs might still access cookie
         information from the link, from Andrii Nakryiko.
      
      4) Fix a BPF sockmap lock inversion deadlock in map_delete_elem reported
         by syzkaller, from Jakub Sitnicki.
      
      5) Fix resolve_btfids build with musl libc due to missing linux/types.h
         include, from Natanael Copa.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf, sockmap: Prevent lock inversion deadlock in map delete elem
        x86/bpf: Fix IP for relocating call depth accounting
        x86/bpf: Fix IP after emitting call depth accounting
        bpf: fix possible file descriptor leaks in verifier
        tools/resolve_btfids: fix build with musl libc
        bpf: support deferring bpf_link dealloc to after RCU grace period
        bpf: put uprobe link's path and task in release callback
      ====================
      
      Link: https://lore.kernel.org/r/20240404183258.4401-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1cfa2f10
    • Eric Dumazet's avatar
      netfilter: validate user input for expected length · 0c83842d
      Eric Dumazet authored
      I got multiple syzbot reports showing old bugs exposed
      by BPF after commit 20f2505f ("bpf: Try to avoid kzalloc
      in cgroup/{s,g}etsockopt")
      
      setsockopt() @optlen argument should be taken into account
      before copying data.
      
       BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
       BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
       BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
       BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
      Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238
      
      CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
      Call Trace:
       <TASK>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
        print_address_description mm/kasan/report.c:377 [inline]
        print_report+0x169/0x550 mm/kasan/report.c:488
        kasan_report+0x143/0x180 mm/kasan/report.c:601
        kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
        __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
        copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
        copy_from_sockptr include/linux/sockptr.h:55 [inline]
        do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
        do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
        nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101
        do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
        __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
        __do_sys_setsockopt net/socket.c:2343 [inline]
        __se_sys_setsockopt net/socket.c:2340 [inline]
        __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
       do_syscall_64+0xfb/0x240
       entry_SYSCALL_64_after_hwframe+0x72/0x7a
      RIP: 0033:0x7fd22067dde9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9
      RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000
      R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8
       </TASK>
      
      Allocated by task 7238:
        kasan_save_stack mm/kasan/common.c:47 [inline]
        kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
        poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
        __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
        kasan_kmalloc include/linux/kasan.h:211 [inline]
        __do_kmalloc_node mm/slub.c:4069 [inline]
        __kmalloc_noprof+0x200/0x410 mm/slub.c:4082
        kmalloc_noprof include/linux/slab.h:664 [inline]
        __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869
        do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
        __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
        __do_sys_setsockopt net/socket.c:2343 [inline]
        __se_sys_setsockopt net/socket.c:2340 [inline]
        __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
       do_syscall_64+0xfb/0x240
       entry_SYSCALL_64_after_hwframe+0x72/0x7a
      
      The buggy address belongs to the object at ffff88802cd73da0
       which belongs to the cache kmalloc-8 of size 8
      The buggy address is located 0 bytes inside of
       allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)
      
      The buggy address belongs to the physical page:
      page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73
      flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)
      page_type: 0xffffefff(slab)
      raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122
      raw: ffff88802cd73020 000000008080007f 00000001ffffefff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5103, tgid 2119833701 (syz-executor.4), ts 5103, free_ts 70804600828
        set_page_owner include/linux/page_owner.h:32 [inline]
        post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1490
        prep_new_page mm/page_alloc.c:1498 [inline]
        get_page_from_freelist+0x2e7e/0x2f40 mm/page_alloc.c:3454
        __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4712
        __alloc_pages_node_noprof include/linux/gfp.h:244 [inline]
        alloc_pages_node_noprof include/linux/gfp.h:271 [inline]
        alloc_slab_page+0x5f/0x120 mm/slub.c:2249
        allocate_slab+0x5a/0x2e0 mm/slub.c:2412
        new_slab mm/slub.c:2465 [inline]
        ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3615
        __slab_alloc+0x58/0xa0 mm/slub.c:3705
        __slab_alloc_node mm/slub.c:3758 [inline]
        slab_alloc_node mm/slub.c:3936 [inline]
        __do_kmalloc_node mm/slub.c:4068 [inline]
        kmalloc_node_track_caller_noprof+0x286/0x450 mm/slub.c:4089
        kstrdup+0x3a/0x80 mm/util.c:62
        device_rename+0xb5/0x1b0 drivers/base/core.c:4558
        dev_change_name+0x275/0x860 net/core/dev.c:1232
        do_setlink+0xa4b/0x41f0 net/core/rtnetlink.c:2864
        __rtnl_newlink net/core/rtnetlink.c:3680 [inline]
        rtnl_newlink+0x180b/0x20a0 net/core/rtnetlink.c:3727
        rtnetlink_rcv_msg+0x89b/0x10d0 net/core/rtnetlink.c:6594
        netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2559
        netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
        netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1361
      page last free pid 5146 tgid 5146 stack trace:
        reset_page_owner include/linux/page_owner.h:25 [inline]
        free_pages_prepare mm/page_alloc.c:1110 [inline]
        free_unref_page+0xd3c/0xec0 mm/page_alloc.c:2617
        discard_slab mm/slub.c:2511 [inline]
        __put_partials+0xeb/0x130 mm/slub.c:2980
        put_cpu_partial+0x17c/0x250 mm/slub.c:3055
        __slab_free+0x2ea/0x3d0 mm/slub.c:4254
        qlink_free mm/kasan/quarantine.c:163 [inline]
        qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
        kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
        __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
        kasan_slab_alloc include/linux/kasan.h:201 [inline]
        slab_post_alloc_hook mm/slub.c:3888 [inline]
        slab_alloc_node mm/slub.c:3948 [inline]
        __do_kmalloc_node mm/slub.c:4068 [inline]
        __kmalloc_node_noprof+0x1d7/0x450 mm/slub.c:4076
        kmalloc_node_noprof include/linux/slab.h:681 [inline]
        kvmalloc_node_noprof+0x72/0x190 mm/util.c:634
        bucket_table_alloc lib/rhashtable.c:186 [inline]
        rhashtable_rehash_alloc+0x9e/0x290 lib/rhashtable.c:367
        rht_deferred_worker+0x4e1/0x2440 lib/rhashtable.c:427
        process_one_work kernel/workqueue.c:3218 [inline]
        process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3299
        worker_thread+0x86d/0xd70 kernel/workqueue.c:3380
        kthread+0x2f0/0x390 kernel/kthread.c:388
        ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
        ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
      
      Memory state around the buggy address:
       ffff88802cd73c80: 07 fc fc fc 05 fc fc fc 05 fc fc fc fa fc fc fc
       ffff88802cd73d00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
      >ffff88802cd73d80: fa fc fc fc 01 fc fc fc fa fc fc fc fa fc fc fc
                                     ^
       ffff88802cd73e00: fa fc fc fc fa fc fc fc 05 fc fc fc 07 fc fc fc
       ffff88802cd73e80: 07 fc fc fc 07 fc fc fc 07 fc fc fc 07 fc fc fc
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Link: https://lore.kernel.org/r/20240404122051.2303764-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0c83842d
    • Jakub Kicinski's avatar
      Merge tag 'nf-24-04-04' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · d432f7bd
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      Patch #1 unlike early commit path stage which triggers a call to abort,
               an explicit release of the batch is required on abort, otherwise
               mutex is released and commit_list remains in place.
      
      Patch #2 release mutex after nft_gc_seq_end() in commit path, otherwise
               async GC worker could collect expired objects.
      
      Patch #3 flush pending destroy work in module removal path, otherwise UaF
               is possible.
      
      Patch #4 and #6 restrict the table dormant flag with basechain updates
      	 to fix state inconsistency in the hook registration.
      
      Patch #5 adds missing RCU read side lock to flowtable type to avoid races
      	 with module removal.
      
      * tag 'nf-24-04-04' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: discard table flag update with pending basechain deletion
        netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
        netfilter: nf_tables: reject new basechain after table flag update
        netfilter: nf_tables: flush pending destroy work before exit_net release
        netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
        netfilter: nf_tables: release batch on table validation from abort path
      ====================
      
      Link: https://lore.kernel.org/r/20240404104334.1627-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d432f7bd
    • Jakub Kicinski's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · a66323e4
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2024-04-03 (ice, idpf)
      
      This series contains updates to ice and idpf drivers.
      
      Dan Carpenter initializes some pointer declarations to NULL as needed for
      resource cleanup on ice driver.
      
      Petr Oros corrects assignment of VLAN operators to fix Rx VLAN filtering
      in legacy mode for ice.
      
      Joshua calls eth_type_trans() on unknown packets to prevent possible
      kernel panic on idpf.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        idpf: fix kernel panic on unknown packet types
        ice: fix enabling RX VLAN filtering
        ice: Fix freeing uninitialized pointers
      ====================
      
      Link: https://lore.kernel.org/r/20240403201929.1945116-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a66323e4
    • Eric Dumazet's avatar
      net/sched: act_skbmod: prevent kernel-infoleak · d313eb8b
      Eric Dumazet authored
      syzbot found that tcf_skbmod_dump() was copying four bytes
      from kernel stack to user space [1].
      
      The issue here is that 'struct tc_skbmod' has a four bytes hole.
      
      We need to clear the structure before filling fields.
      
      [1]
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
       BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
       BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
       BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
       BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
       BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
        instrument_copy_to_user include/linux/instrumented.h:114 [inline]
        copy_to_user_iter lib/iov_iter.c:24 [inline]
        iterate_ubuf include/linux/iov_iter.h:29 [inline]
        iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
        iterate_and_advance include/linux/iov_iter.h:271 [inline]
        _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
        copy_to_iter include/linux/uio.h:196 [inline]
        simple_copy_to_iter net/core/datagram.c:532 [inline]
        __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
        skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
        skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]
        netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
        sock_recvmsg_nosec net/socket.c:1046 [inline]
        sock_recvmsg+0x2c4/0x340 net/socket.c:1068
        __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242
        __do_sys_recvfrom net/socket.c:2260 [inline]
        __se_sys_recvfrom net/socket.c:2256 [inline]
        __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256
       do_syscall_64+0xd5/0x1f0
       entry_SYSCALL_64_after_hwframe+0x6d/0x75
      
      Uninit was stored to memory at:
        pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253
        netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
        netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351
        nlmsg_unicast include/net/netlink.h:1144 [inline]
        nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610
        rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741
        rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]
        tcf_add_notify net/sched/act_api.c:2048 [inline]
        tcf_action_add net/sched/act_api.c:2071 [inline]
        tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119
        rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
        netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
        rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
        netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
        netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
        netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg+0x30f/0x380 net/socket.c:745
        ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
        ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
        __sys_sendmsg net/socket.c:2667 [inline]
        __do_sys_sendmsg net/socket.c:2676 [inline]
        __se_sys_sendmsg net/socket.c:2674 [inline]
        __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
       do_syscall_64+0xd5/0x1f0
       entry_SYSCALL_64_after_hwframe+0x6d/0x75
      
      Uninit was stored to memory at:
        __nla_put lib/nlattr.c:1041 [inline]
        nla_put+0x1c6/0x230 lib/nlattr.c:1099
        tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256
        tcf_action_dump_old net/sched/act_api.c:1191 [inline]
        tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
        tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251
        tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628
        tcf_add_notify_msg net/sched/act_api.c:2023 [inline]
        tcf_add_notify net/sched/act_api.c:2042 [inline]
        tcf_action_add net/sched/act_api.c:2071 [inline]
        tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119
        rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
        netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
        rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
        netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
        netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
        netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg+0x30f/0x380 net/socket.c:745
        ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
        ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
        __sys_sendmsg net/socket.c:2667 [inline]
        __do_sys_sendmsg net/socket.c:2676 [inline]
        __se_sys_sendmsg net/socket.c:2674 [inline]
        __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
       do_syscall_64+0xd5/0x1f0
       entry_SYSCALL_64_after_hwframe+0x6d/0x75
      
      Local variable opt created at:
        tcf_skbmod_dump+0x9d/0xc20 net/sched/act_skbmod.c:244
        tcf_action_dump_old net/sched/act_api.c:1191 [inline]
        tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
      
      Bytes 188-191 of 248 are uninitialized
      Memory access of size 248 starts at ffff888117697680
      Data copied to user address 00007ffe56d855f0
      
      Fixes: 86da71b5 ("net_sched: Introduce skbmod action")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Link: https://lore.kernel.org/r/20240403130908.93421-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d313eb8b
    • Jose Ignacio Tornos Martinez's avatar
      net: usb: ax88179_178a: avoid the interface always configured as random address · 2e91bb99
      Jose Ignacio Tornos Martinez authored
      After the commit d2689b6a ("net: usb: ax88179_178a: avoid two
      consecutive device resets"), reset is not executed from bind operation and
      mac address is not read from the device registers or the devicetree at that
      moment. Since the check to configure if the assigned mac address is random
      or not for the interface, happens after the bind operation from
      usbnet_probe, the interface keeps configured as random address, although the
      address is correctly read and set during open operation (the only reset
      now).
      
      In order to keep only one reset for the device and to avoid the interface
      always configured as random address, after reset, configure correctly the
      suitable field from the driver, if the mac address is read successfully from
      the device registers or the devicetree. Take into account if a locally
      administered address (random) was previously stored.
      
      cc: stable@vger.kernel.org # 6.6+
      Fixes: d2689b6a ("net: usb: ax88179_178a: avoid two consecutive device resets")
      Reported-by: default avatarDave Stevenson  <dave.stevenson@raspberrypi.com>
      Signed-off-by: default avatarJose Ignacio Tornos Martinez <jtornosm@redhat.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240403132158.344838-1-jtornosm@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2e91bb99
    • Matthew Brost's avatar
      drm/xe: Use ordered wq for preempt fence waiting · 77a01101
      Matthew Brost authored
      Preempt fences can sleep waiting for an exec queue suspend operation to
      complete. If the system_unbound_wq is used for waiting and the number of
      waiters exceeds max_active this will result in other users of the
      system_unbound_wq getting starved. Use a device private work queue for
      preempt fences to avoid starvation of the system_unbound_wq.
      
      Even though suspend operations can complete out-of-order, all suspend
      operations within a VM need to complete before the preempt rebind worker
      can start. With that, use a device private ordered wq for preempt fence
      waiting.
      
      v2:
       - Add comment about cleanup on failure (Matt R)
       - Update commit message (Lucas)
      
      Fixes: dd08ebf6 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
      Signed-off-by: default avatarMatthew Brost <matthew.brost@intel.com>
      Reviewed-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240401221913.139672-2-matthew.brost@intel.comSigned-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      (cherry picked from commit 37c15c4a)
      Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      77a01101
    • Thomas Hellström's avatar
      drm/xe: Move vma rebinding to the drm_exec locking loop · 3edd52be
      Thomas Hellström authored
      Rebinding might allocate page-table bos, causing evictions.
      To support blocking locking during these evictions,
      perform the rebinding in the drm_exec locking loop.
      
      Also Reserve fence slots where actually needed rather than trying to
      predict how many fence slots will be needed over a complete
      wound-wait transaction.
      
      v2:
      - Remove a leftover call to xe_vm_rebind() (Matt Brost)
      - Add a helper function xe_vm_validate_rebind() (Matt Brost)
      v3:
      - Add comments and squash with previous patch (Matt Brost)
      
      Fixes: 24f947d5 ("drm/xe: Use DRM GPUVM helpers for external- and evicted objects")
      Fixes: 29f424eb ("drm/xe/exec: move fence reservation")
      Cc: Matthew Auld <matthew.auld@intel.com>
      Signed-off-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
      Reviewed-by: default avatarMatthew Brost <matthew.brost@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240327091136.3271-5-thomas.hellstrom@linux.intel.com
      (cherry picked from commit 7ee7dd6f)
      Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      3edd52be
    • Thomas Hellström's avatar
      drm/xe: Make TLB invalidation fences unordered · fd1c8085
      Thomas Hellström authored
      They can actually complete out-of-order, so allocate a unique
      fence context for each fence.
      
      Fixes: 5387e865 ("drm/xe: Add TLB invalidation fence after rebinds issued from execs")
      Cc: Matthew Brost <matthew.brost@intel.com>
      Cc: <stable@vger.kernel.org> # v6.8+
      Signed-off-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
      Reviewed-by: default avatarMatthew Brost <matthew.brost@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240327091136.3271-4-thomas.hellstrom@linux.intel.com
      (cherry picked from commit 0453f175)
      Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      fd1c8085
    • Thomas Hellström's avatar
      drm/xe: Rework rebinding · a00e7e3f
      Thomas Hellström authored
      Instead of handling the vm's rebind fence separately,
      which is error prone if they are not strictly ordered,
      attach rebind fences as kernel fences to the vm's resv.
      
      Fixes: dd08ebf6 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
      Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Cc: Matthew Brost <matthew.brost@intel.com>
      Cc: <stable@vger.kernel.org> # v6.8+
      Signed-off-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
      Reviewed-by: default avatarMatthew Brost <matthew.brost@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240327091136.3271-3-thomas.hellstrom@linux.intel.com
      (cherry picked from commit 5a091aff)
      Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      a00e7e3f
    • Thomas Hellström's avatar
      drm/xe: Use ring ops TLB invalidation for rebinds · 3c88b8f4
      Thomas Hellström authored
      For each rebind we insert a GuC TLB invalidation and add a
      corresponding unordered TLB invalidation fence. This might
      add a huge number of TLB invalidation fences to wait for so
      rather than doing that, defer the TLB invalidation to the
      next ring ops for each affected exec queue. Since the TLB
      is invalidated on exec_queue switch, we need to invalidate
      once for each affected exec_queue.
      
      v2:
      - Simplify if-statements around the tlb_flush_seqno.
        (Matthew Brost)
      - Add some comments and asserts.
      
      Fixes: 5387e865 ("drm/xe: Add TLB invalidation fence after rebinds issued from execs")
      Cc: Matthew Brost <matthew.brost@intel.com>
      Cc: <stable@vger.kernel.org> # v6.8+
      Signed-off-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
      Reviewed-by: default avatarMatthew Brost <matthew.brost@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240327091136.3271-2-thomas.hellstrom@linux.intel.com
      (cherry picked from commit 4fc4899e)
      Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      3c88b8f4
    • Vijendar Mukunda's avatar
      ASoC: SOF: amd: fix for false dsp interrupts · b9846a38
      Vijendar Mukunda authored
      Before ACP firmware loading, DSP interrupts are not expected.
      Sometimes after reboot, it's observed that before ACP firmware is loaded
      false DSP interrupt is reported.
      Registering the interrupt handler before acp initialization causing false
      interrupts sometimes on reboot as ACP reset is not applied.
      Correct the sequence by invoking acp initialization sequence prior to
      registering interrupt handler.
      
      Fixes: 738a2b5e ("ASoC: SOF: amd: Add IPC support for ACP IP block")
      Signed-off-by: default avatarVijendar Mukunda <Vijendar.Mukunda@amd.com>
      Link: https://msgid.link/r/20240404041717.430545-1-Vijendar.Mukunda@amd.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      b9846a38
    • Christophe JAILLET's avatar
      net: dsa: sja1105: Fix parameters order in sja1110_pcs_mdio_write_c45() · c120209b
      Christophe JAILLET authored
      The definition and declaration of sja1110_pcs_mdio_write_c45() don't have
      parameters in the same order.
      
      Knowing that sja1110_pcs_mdio_write_c45() is used as a function pointer
      in 'sja1105_info' structure with .pcs_mdio_write_c45, and that we have:
      
         int (*pcs_mdio_write_c45)(struct mii_bus *bus, int phy, int mmd,
      				  int reg, u16 val);
      
      it is likely that the definition is the one to change.
      
      Found with cppcheck, funcArgOrderDifferent.
      
      Fixes: ae271547 ("net: dsa: sja1105: C45 only transactions for PCS")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarMichael Walle <mwalle@kernel.org>
      Reviewed-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/ff2a5af67361988b3581831f7bd1eddebfb4c48f.1712082763.git.christophe.jaillet@wanadoo.frSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c120209b
    • Paul Barker's avatar
      net: ravb: Always update error counters · 101b7641
      Paul Barker authored
      The error statistics should be updated each time the poll function is
      called, even if the full RX work budget has been consumed. This prevents
      the counts from becoming stuck when RX bandwidth usage is high.
      
      This also ensures that error counters are not updated after we've
      re-enabled interrupts as that could result in a race condition.
      
      Also drop an unnecessary space.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Signed-off-by: default avatarPaul Barker <paul.barker.ct@bp.renesas.com>
      Reviewed-by: default avatarSergey Shtylyov <s.shtylyov@omp.ru>
      Link: https://lore.kernel.org/r/20240402145305.82148-2-paul.barker.ct@bp.renesas.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      101b7641
    • Paul Barker's avatar
      net: ravb: Always process TX descriptor ring · 596a4254
      Paul Barker authored
      The TX queue should be serviced each time the poll function is called,
      even if the full RX work budget has been consumed. This prevents
      starvation of the TX queue when RX bandwidth usage is high.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Signed-off-by: default avatarPaul Barker <paul.barker.ct@bp.renesas.com>
      Reviewed-by: default avatarSergey Shtylyov <s.shtylyov@omp.ru>
      Link: https://lore.kernel.org/r/20240402145305.82148-1-paul.barker.ct@bp.renesas.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      596a4254
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: discard table flag update with pending basechain deletion · 1bc83a01
      Pablo Neira Ayuso authored
      Hook unregistration is deferred to the commit phase, same occurs with
      hook updates triggered by the table dormant flag. When both commands are
      combined, this results in deleting a basechain while leaving its hook
      still registered in the core.
      
      Fixes: 179d9ba5 ("netfilter: nf_tables: fix table flag updates")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1bc83a01
    • Ziyang Xuan's avatar
      netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() · 24225011
      Ziyang Xuan authored
      nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can
      concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().
      And thhere is not any protection when iterate over nf_tables_flowtables
      list in __nft_flowtable_type_get(). Therefore, there is pertential
      data-race of nf_tables_flowtables list entry.
      
      Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list
      in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller
      nft_flowtable_type_get() to protect the entire type query process.
      
      Fixes: 3b49e2e9 ("netfilter: nf_tables: add flow table netlink frontend")
      Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      24225011
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: reject new basechain after table flag update · 994209dd
      Pablo Neira Ayuso authored
      When dormant flag is toggled, hooks are disabled in the commit phase by
      iterating over current chains in table (existing and new).
      
      The following configuration allows for an inconsistent state:
      
        add table x
        add chain x y { type filter hook input priority 0; }
        add table x { flags dormant; }
        add chain x w { type filter hook input priority 1; }
      
      which triggers the following warning when trying to unregister chain w
      which is already unregistered.
      
      [  127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50                                                                     1 __nf_unregister_net_hook+0x21a/0x260
      [...]
      [  127.322519] Call Trace:
      [  127.322521]  <TASK>
      [  127.322524]  ? __warn+0x9f/0x1a0
      [  127.322531]  ? __nf_unregister_net_hook+0x21a/0x260
      [  127.322537]  ? report_bug+0x1b1/0x1e0
      [  127.322545]  ? handle_bug+0x3c/0x70
      [  127.322552]  ? exc_invalid_op+0x17/0x40
      [  127.322556]  ? asm_exc_invalid_op+0x1a/0x20
      [  127.322563]  ? kasan_save_free_info+0x3b/0x60
      [  127.322570]  ? __nf_unregister_net_hook+0x6a/0x260
      [  127.322577]  ? __nf_unregister_net_hook+0x21a/0x260
      [  127.322583]  ? __nf_unregister_net_hook+0x6a/0x260
      [  127.322590]  ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]
      [  127.322655]  nft_table_disable+0x75/0xf0 [nf_tables]
      [  127.322717]  nf_tables_commit+0x2571/0x2620 [nf_tables]
      
      Fixes: 179d9ba5 ("netfilter: nf_tables: fix table flag updates")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      994209dd
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: flush pending destroy work before exit_net release · 24cea967
      Pablo Neira Ayuso authored
      Similar to 2c9f0293 ("netfilter: nf_tables: flush pending destroy
      work before netlink notifier") to address a race between exit_net and
      the destroy workqueue.
      
      The trace below shows an element to be released via destroy workqueue
      while exit_net path (triggered via module removal) has already released
      the set that is used in such transaction.
      
      [ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
      [ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465
      [ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359
      [ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
      [ 1360.547984] Call Trace:
      [ 1360.547991]  <TASK>
      [ 1360.547998]  dump_stack_lvl+0x53/0x70
      [ 1360.548014]  print_report+0xc4/0x610
      [ 1360.548026]  ? __virt_addr_valid+0xba/0x160
      [ 1360.548040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
      [ 1360.548054]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
      [ 1360.548176]  kasan_report+0xae/0xe0
      [ 1360.548189]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
      [ 1360.548312]  nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
      [ 1360.548447]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]
      [ 1360.548577]  ? _raw_spin_unlock_irq+0x18/0x30
      [ 1360.548591]  process_one_work+0x2f1/0x670
      [ 1360.548610]  worker_thread+0x4d3/0x760
      [ 1360.548627]  ? __pfx_worker_thread+0x10/0x10
      [ 1360.548640]  kthread+0x16b/0x1b0
      [ 1360.548653]  ? __pfx_kthread+0x10/0x10
      [ 1360.548665]  ret_from_fork+0x2f/0x50
      [ 1360.548679]  ? __pfx_kthread+0x10/0x10
      [ 1360.548690]  ret_from_fork_asm+0x1a/0x30
      [ 1360.548707]  </TASK>
      
      [ 1360.548719] Allocated by task 192061:
      [ 1360.548726]  kasan_save_stack+0x20/0x40
      [ 1360.548739]  kasan_save_track+0x14/0x30
      [ 1360.548750]  __kasan_kmalloc+0x8f/0xa0
      [ 1360.548760]  __kmalloc_node+0x1f1/0x450
      [ 1360.548771]  nf_tables_newset+0x10c7/0x1b50 [nf_tables]
      [ 1360.548883]  nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]
      [ 1360.548909]  nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
      [ 1360.548927]  netlink_unicast+0x367/0x4f0
      [ 1360.548935]  netlink_sendmsg+0x34b/0x610
      [ 1360.548944]  ____sys_sendmsg+0x4d4/0x510
      [ 1360.548953]  ___sys_sendmsg+0xc9/0x120
      [ 1360.548961]  __sys_sendmsg+0xbe/0x140
      [ 1360.548971]  do_syscall_64+0x55/0x120
      [ 1360.548982]  entry_SYSCALL_64_after_hwframe+0x55/0x5d
      
      [ 1360.548994] Freed by task 192222:
      [ 1360.548999]  kasan_save_stack+0x20/0x40
      [ 1360.549009]  kasan_save_track+0x14/0x30
      [ 1360.549019]  kasan_save_free_info+0x3b/0x60
      [ 1360.549028]  poison_slab_object+0x100/0x180
      [ 1360.549036]  __kasan_slab_free+0x14/0x30
      [ 1360.549042]  kfree+0xb6/0x260
      [ 1360.549049]  __nft_release_table+0x473/0x6a0 [nf_tables]
      [ 1360.549131]  nf_tables_exit_net+0x170/0x240 [nf_tables]
      [ 1360.549221]  ops_exit_list+0x50/0xa0
      [ 1360.549229]  free_exit_list+0x101/0x140
      [ 1360.549236]  unregister_pernet_operations+0x107/0x160
      [ 1360.549245]  unregister_pernet_subsys+0x1c/0x30
      [ 1360.549254]  nf_tables_module_exit+0x43/0x80 [nf_tables]
      [ 1360.549345]  __do_sys_delete_module+0x253/0x370
      [ 1360.549352]  do_syscall_64+0x55/0x120
      [ 1360.549360]  entry_SYSCALL_64_after_hwframe+0x55/0x5d
      
      (gdb) list *__nft_release_table+0x473
      0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).
      11349           list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
      11350                   list_del(&flowtable->list);
      11351                   nft_use_dec(&table->use);
      11352                   nf_tables_flowtable_destroy(flowtable);
      11353           }
      11354           list_for_each_entry_safe(set, ns, &table->sets, list) {
      11355                   list_del(&set->list);
      11356                   nft_use_dec(&table->use);
      11357                   if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
      11358                           nft_map_deactivate(&ctx, set);
      (gdb)
      
      [ 1360.549372] Last potentially related work creation:
      [ 1360.549376]  kasan_save_stack+0x20/0x40
      [ 1360.549384]  __kasan_record_aux_stack+0x9b/0xb0
      [ 1360.549392]  __queue_work+0x3fb/0x780
      [ 1360.549399]  queue_work_on+0x4f/0x60
      [ 1360.549407]  nft_rhash_remove+0x33b/0x340 [nf_tables]
      [ 1360.549516]  nf_tables_commit+0x1c6a/0x2620 [nf_tables]
      [ 1360.549625]  nfnetlink_rcv_batch+0x728/0xdc0 [nfnetlink]
      [ 1360.549647]  nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
      [ 1360.549671]  netlink_unicast+0x367/0x4f0
      [ 1360.549680]  netlink_sendmsg+0x34b/0x610
      [ 1360.549690]  ____sys_sendmsg+0x4d4/0x510
      [ 1360.549697]  ___sys_sendmsg+0xc9/0x120
      [ 1360.549706]  __sys_sendmsg+0xbe/0x140
      [ 1360.549715]  do_syscall_64+0x55/0x120
      [ 1360.549725]  entry_SYSCALL_64_after_hwframe+0x55/0x5d
      
      Fixes: 0935d558 ("netfilter: nf_tables: asynchronous release")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      24cea967
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path · 0d459e2f
      Pablo Neira Ayuso authored
      The commit mutex should not be released during the critical section
      between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
      worker could collect expired objects and get the released commit lock
      within the same GC sequence.
      
      nf_tables_module_autoload() temporarily releases the mutex to load
      module dependencies, then it goes back to replay the transaction again.
      Move it at the end of the abort phase after nft_gc_seq_end() is called.
      
      Cc: stable@vger.kernel.org
      Fixes: 72034434 ("netfilter: nf_tables: GC transaction race with abort path")
      Reported-by: default avatarKuan-Ting Chen <hexrabbit@devco.re>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      0d459e2f
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: release batch on table validation from abort path · a45e6889
      Pablo Neira Ayuso authored
      Unlike early commit path stage which triggers a call to abort, an
      explicit release of the batch is required on abort, otherwise mutex is
      released and commit_list remains in place.
      
      Add WARN_ON_ONCE to ensure commit_list is empty from the abort path
      before releasing the mutex.
      
      After this patch, commit_list is always assumed to be empty before
      grabbing the mutex, therefore
      
        03c1f1ef ("netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()")
      
      only needs to release the pending modules for registration.
      
      Cc: stable@vger.kernel.org
      Fixes: c0391b6a ("netfilter: nf_tables: missing validation from the abort path")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      a45e6889
    • Paolo Abeni's avatar
      Revert "tg3: Remove residual error handling in tg3_suspend" · 72076fc9
      Paolo Abeni authored
      This reverts commit 9ab4ad29.
      
      I went out of coffee and applied it to the wrong tree. Blame on me.
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      72076fc9
    • Nikita Kiryushin's avatar
      tg3: Remove residual error handling in tg3_suspend · 9ab4ad29
      Nikita Kiryushin authored
      As of now, tg3_power_down_prepare always ends with success, but
      the error handling code from former tg3_set_power_state call is still here.
      
      This code became unreachable in commit c866b7ea ("tg3: Do not use
      legacy PCI power management").
      
      Remove (now unreachable) error handling code for simplification and change
      tg3_power_down_prepare to a void function as its result is no more checked.
      Signed-off-by: default avatarNikita Kiryushin <kiryushin@ancud.ru>
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240401191418.361747-1-kiryushin@ancud.ruSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      9ab4ad29
    • Haiyang Zhang's avatar
      net: mana: Fix Rx DMA datasize and skb_over_panic · c0de6ab9
      Haiyang Zhang authored
      mana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to be
      multiple of 64. So a packet slightly bigger than mtu+14, say 1536,
      can be received and cause skb_over_panic.
      
      Sample dmesg:
      [ 5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev:<NULL>
      [ 5325.243689] ------------[ cut here ]------------
      [ 5325.245748] kernel BUG at net/core/skbuff.c:192!
      [ 5325.247838] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      [ 5325.258374] RIP: 0010:skb_panic+0x4f/0x60
      [ 5325.302941] Call Trace:
      [ 5325.304389]  <IRQ>
      [ 5325.315794]  ? skb_panic+0x4f/0x60
      [ 5325.317457]  ? asm_exc_invalid_op+0x1f/0x30
      [ 5325.319490]  ? skb_panic+0x4f/0x60
      [ 5325.321161]  skb_put+0x4e/0x50
      [ 5325.322670]  mana_poll+0x6fa/0xb50 [mana]
      [ 5325.324578]  __napi_poll+0x33/0x1e0
      [ 5325.326328]  net_rx_action+0x12e/0x280
      
      As discussed internally, this alignment is not necessary. To fix
      this bug, remove it from the code. So oversized packets will be
      marked as CQE_RX_TRUNCATED by NIC, and dropped.
      
      Cc: stable@vger.kernel.org
      Fixes: 2fbbd712 ("net: mana: Enable RX path to handle various MTU sizes")
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Reviewed-by: default avatarDexuan Cui <decui@microsoft.com>
      Link: https://lore.kernel.org/r/1712087316-20886-1-git-send-email-haiyangz@microsoft.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c0de6ab9
    • Eric Dumazet's avatar
      net/sched: fix lockdep splat in qdisc_tree_reduce_backlog() · 7eb32236
      Eric Dumazet authored
      qdisc_tree_reduce_backlog() is called with the qdisc lock held,
      not RTNL.
      
      We must use qdisc_lookup_rcu() instead of qdisc_lookup()
      
      syzbot reported:
      
      WARNING: suspicious RCU usage
      6.1.74-syzkaller #0 Not tainted
      -----------------------------
      net/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      3 locks held by udevd/1142:
        #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]
        #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
        #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282
        #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
        #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297
        #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]
        #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
        #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792
      
      stack backtrace:
      CPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
      Call Trace:
       <TASK>
        [<ffffffff85b85f14>] __dump_stack lib/dump_stack.c:88 [inline]
        [<ffffffff85b85f14>] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106
        [<ffffffff85b86007>] dump_stack+0x15/0x1e lib/dump_stack.c:113
        [<ffffffff81802299>] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592
        [<ffffffff84f0054c>] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305
        [<ffffffff84f037c3>] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811
        [<ffffffff84f5b78c>] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51
        [<ffffffff84fbcf63>] qdisc_enqueue include/net/sch_generic.h:833 [inline]
        [<ffffffff84fbcf63>] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723
        [<ffffffff84eecab9>] dequeue_skb net/sched/sch_generic.c:292 [inline]
        [<ffffffff84eecab9>] qdisc_restart net/sched/sch_generic.c:397 [inline]
        [<ffffffff84eecab9>] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415
        [<ffffffff84d7aa96>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125
        [<ffffffff84d85d29>] net_tx_action+0x7c9/0x970 net/core/dev.c:5313
        [<ffffffff85e002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616
        [<ffffffff81568bca>] invoke_softirq kernel/softirq.c:447 [inline]
        [<ffffffff81568bca>] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700
        [<ffffffff81568ae9>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712
        [<ffffffff85b89f52>] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107
        [<ffffffff85c00ccb>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656
      
      Fixes: d636fc5d ("net: sched: add rcu annotations around qdisc->qdisc_sleeping")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Link: https://lore.kernel.org/r/20240402134133.2352776-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7eb32236
    • Horatiu Vultur's avatar
      net: phy: micrel: lan8814: Fix when enabling/disabling 1-step timestamping · de99e1ea
      Horatiu Vultur authored
      There are 2 issues with the blamed commit.
      1. When the phy is initialized, it would enable the disabled of UDPv4
         checksums. The UDPv6 checksum is already enabled by default. So when
         1-step is configured then it would clear these flags.
      2. After the 1-step is configured, then if 2-step is configured then the
         1-step would be still configured because it is not clearing the flag.
         So the sync frames will still have origin timestamps set.
      
      Fix this by reading first the value of the register and then
      just change bit 12 as this one determines if the timestamp needs to
      be inserted in the frame, without changing any other bits.
      
      Fixes: ece19502 ("net: phy: micrel: 1588 support for LAN8814 phy")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Reviewed-by: default avatarDivya Koppera <divya.koppera@microchip.com>
      Link: https://lore.kernel.org/r/20240402071634.2483524-1-horatiu.vultur@microchip.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      de99e1ea