1. 28 Jul, 2023 5 commits
    • net: dsa: fix value check in bcm_sf2_sw_probe() · dadc5b86
      Yuanjun Gong authored
      In bcm_sf2_sw_probe(), check the return value of clk_prepare_enable()
      and return the error code if clk_prepare_enable() returns an
      unexpected value.
      
      Fixes: e9ec5c3b ("net: dsa: bcm_sf2: request and handle clocks")
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/20230726170506.16547-1-ruc_gongyuanjun@163.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: flower: fix stack-out-of-bounds in fl_set_key_cfm() · 4d50e500
      Eric Dumazet authored
      Typical misuse of
      
      	nla_parse_nested(array, XXX_MAX, ...);
      
      array must be declared as
      
      	struct nlattr *array[XXX_MAX + 1];
      
      v2: Based on feedback from Ido Schimmel and Zahari Doychev,
      I also changed TCA_FLOWER_KEY_CFM_OPT_MAX and cfm_opt_policy
      definitions.
      
      syzbot reported:
      
      BUG: KASAN: stack-out-of-bounds in __nla_validate_parse+0x136/0x2bd0 lib/nlattr.c:588
      Write of size 32 at addr ffffc90003a0ee20 by task syz-executor296/5014
      
      CPU: 0 PID: 5014 Comm: syz-executor296 Not tainted 6.5.0-rc2-syzkaller-00307-gd192f538 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:364 [inline]
      print_report+0x163/0x540 mm/kasan/report.c:475
      kasan_report+0x175/0x1b0 mm/kasan/report.c:588
      kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
      __asan_memset+0x23/0x40 mm/kasan/shadow.c:84
      __nla_validate_parse+0x136/0x2bd0 lib/nlattr.c:588
      __nla_parse+0x40/0x50 lib/nlattr.c:700
      nla_parse_nested include/net/netlink.h:1262 [inline]
      fl_set_key_cfm+0x1e3/0x440 net/sched/cls_flower.c:1718
      fl_set_key+0x2168/0x6620 net/sched/cls_flower.c:1884
      fl_tmplt_create+0x1fe/0x510 net/sched/cls_flower.c:2666
      tc_chain_tmplt_add net/sched/cls_api.c:2959 [inline]
      tc_ctl_chain+0x131d/0x1ac0 net/sched/cls_api.c:3068
      rtnetlink_rcv_msg+0x82b/0xf50 net/core/rtnetlink.c:6424
      netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2549
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x7c3/0x990 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0xa2a/0xd60 net/netlink/af_netlink.c:1914
      sock_sendmsg_nosec net/socket.c:725 [inline]
      sock_sendmsg net/socket.c:748 [inline]
      ____sys_sendmsg+0x592/0x890 net/socket.c:2494
      ___sys_sendmsg net/socket.c:2548 [inline]
      __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2577
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7f54c6150759
      Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007ffe06c30578 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f54c619902d RCX: 00007f54c6150759
      RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
      RBP: 00007ffe06c30590 R08: 0000000000000000 R09: 00007ffe06c305f0
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f54c61c35f0
      R13: 00007ffe06c30778 R14: 0000000000000001 R15: 0000000000000001
      </TASK>
      
      The buggy address belongs to stack of task syz-executor296/5014
      and is located at offset 32 in frame:
      fl_set_key_cfm+0x0/0x440 net/sched/cls_flower.c:374
      
      This frame has 1 object:
      [32, 56) 'nla_cfm_opt'
      
      The buggy address belongs to the virtual mapping at
      [ffffc90003a08000, ffffc90003a11000) created by:
      copy_process+0x5c8/0x4290 kernel/fork.c:2330
      
      Fixes: 7cfffd5f ("net: flower: add support for matching cfm fields")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Simon Horman <simon.horman@corigine.com>
      Reviewed-by: Ido Schimmel <idosch@nvidia.com>
      Reviewed-by: Zahari Doychev <zdoychev@maxlinear.com>
      Link: https://lore.kernel.org/r/20230726145815.943910-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • MAINTAINERS: stmmac: retire Giuseppe Cavallaro · fa467226
      Jakub Kicinski authored
      I tried to get stmmac maintainers to be more active by agreeing with
      them off-list on a review rotation. I pinged Peppe 3 times over 2 weeks
      during his "shift month", no reviews are flowing.
      
      All the contributions are much appreciated! But stmmac is quite
      active, we need participating maintainers :(

      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230726151120.1649474-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: dsa: fix older DSA drivers using phylink · 9945c1fb
      Russell King (Oracle) authored
      Older DSA drivers that do not provide a dsa_ops adjust_link method end
      up using phylink. Unfortunately, a recent phylink change that requires
      its supported_interfaces bitmap to be filled breaks these drivers
      because the bitmap remains empty.
      
      Rather than fixing each driver individually, fix it in the core code so
      we have a sensible set of defaults.

      Reported-by: Sergei Antonov <saproj@gmail.com>
      Fixes: de5c9bf4 ("net: phylink: require supported_interfaces to be filled")
      Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
      Tested-by: Vladimir Oltean <olteanv@gmail.com> # dsa_loop
      Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/E1qOflM-001AEz-D3@rmk-PC.armlinux.org.uk
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length · d73ef2d6
      Lin Ma authored
      There are 9 ndo_bridge_setlink handlers in total in the current kernel,
      which are 1) bnxt_bridge_setlink, 2) be_ndo_bridge_setlink, 3)
      i40e_ndo_bridge_setlink, 4) ice_bridge_setlink, 5)
      ixgbe_ndo_bridge_setlink, 6) mlx5e_bridge_setlink, 7)
      nfp_net_bridge_setlink, 8) qeth_l2_bridge_setlink, 9) br_setlink.
      
      By investigating the code, we find that 1-7 parse and use nlattr
      IFLA_BRIDGE_MODE but 3 and 4 forget to do the nla_len check. This can
      lead to an out-of-attribute read and allow a malformed nlattr (e.g.,
      length 0) to be viewed as a 2-byte integer.
      
      To avoid such issues, also for other ndo_bridge_setlink handlers in the
      future, this patch adds the nla_len check in rtnl_bridge_setlink and
      does an early error return if the length mismatches. To make it work, the
      break is removed from the parsing for IFLA_BRIDGE_FLAGS to make sure
      this nla_for_each_nested iterates every attribute.
      
      Fixes: b1edc14a ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
      Fixes: 51616018 ("i40e: Add support for getlink, setlink ndo ops")
      Suggested-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Lin Ma <linma@zju.edu.cn>
      Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
      Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
      Link: https://lore.kernel.org/r/20230726075314.1059224-1-linma@zju.edu.cn
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
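The two netlink parsing rules from the flower and rtnl_bridge_setlink commits above, modelled in user space as an added example (not kernel code and not taken from either patch): the lookup table needs MAX + 1 slots, and an attribute's payload length is checked before it is read as a u16. The DEMO_* names, helper functions and sample message are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space stand-ins for the kernel's netlink attribute layout. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN   sizeof(struct nlattr)
#define NLA_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)

/* Hypothetical attribute set: valid types run from 0 to DEMO_MAX inclusive,
 * so a lookup table indexed by type needs DEMO_MAX + 1 slots. */
enum { DEMO_UNSPEC, DEMO_LEVEL, DEMO_MODE, __DEMO_MAX };
#define DEMO_MAX (__DEMO_MAX - 1)

/* Bytes the parser writes past a table declared with `slots` entries. */
size_t table_overrun_bytes(size_t slots, int maxtype)
{
    size_t cleared = sizeof(struct nlattr *) * ((size_t)maxtype + 1);
    size_t owned = sizeof(struct nlattr *) * slots;
    return cleared > owned ? cleared - owned : 0;
}

/* Model of nla_parse_nested(): clears maxtype + 1 slots, then indexes by type. */
int demo_parse_nested(const struct nlattr **tb, int maxtype,
                      const uint8_t *buf, size_t len)
{
    memset(tb, 0, sizeof(*tb) * ((size_t)maxtype + 1));
    while (len >= NLA_HDRLEN) {
        struct nlattr hdr;
        size_t step;

        memcpy(&hdr, buf, sizeof(hdr));
        if (hdr.nla_len < NLA_HDRLEN || hdr.nla_len > len)
            return -1;                      /* malformed header */
        if (hdr.nla_type <= maxtype)
            tb[hdr.nla_type] = (const struct nlattr *)(const void *)buf;
        step = NLA_ALIGN(hdr.nla_len);
        if (step >= len)
            break;
        buf += step;
        len -= step;
    }
    return 0;
}

/* Checked u16 read: refuse a payload shorter than the integer being read. */
int demo_get_u16(const struct nlattr *a, uint16_t *out)
{
    struct nlattr hdr;

    if (!a)
        return -1;
    memcpy(&hdr, a, sizeof(hdr));
    if (hdr.nla_len < NLA_HDRLEN + sizeof(*out))
        return -1;                          /* the kernel would return -EINVAL */
    memcpy(out, (const uint8_t *)a + NLA_HDRLEN, sizeof(*out));
    return 0;
}

/* Append one attribute at offset off; returns the offset after padding. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type,
                       const void *data, uint16_t dlen)
{
    struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + dlen), type };

    memcpy(buf + off, &hdr, sizeof(hdr));
    if (dlen)
        memcpy(buf + off + NLA_HDRLEN, data, dlen);
    return off + NLA_ALIGN(hdr.nla_len);
}

/* Constructed message: DEMO_LEVEL (u8), then DEMO_MODE carrying mode_len
 * payload bytes (2 = well formed, 0 = the malformed case). Returns 0 and
 * stores the mode, or -1 when the attribute is rejected. */
int demo_read_mode(uint16_t mode_len, uint16_t *mode_out)
{
    _Alignas(4) uint8_t msg[32] = {0};
    const struct nlattr *tb[DEMO_MAX + 1];  /* MAX + 1 slots, not MAX */
    uint8_t level = 7;
    uint16_t mode = 1;
    size_t len = put_attr(msg, 0, DEMO_LEVEL, &level, sizeof(level));

    len = put_attr(msg, len, DEMO_MODE, &mode, mode_len);
    if (demo_parse_nested(tb, DEMO_MAX, msg, len) < 0)
        return -1;
    return demo_get_u16(tb[DEMO_MODE], mode_out);
}

int main(void)
{
    uint16_t mode = 0;
    int ok = demo_read_mode(2, &mode);

    printf("tb[MAX] overrun: %zu bytes\n", table_overrun_bytes(DEMO_MAX, DEMO_MAX));
    printf("2-byte mode: rc=%d mode=%u\n", ok, (unsigned)mode);
    printf("0-byte mode: rc=%d\n", demo_read_mode(0, &mode));
    return 0;
}
```

On a 64-bit build `table_overrun_bytes(3, 3)` is 8: a 24-byte table receiving a 32-byte clear, the same sizes as the `nla_cfm_opt` object and the write in the KASAN report above.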
  2. 27 Jul, 2023 15 commits
  3. 26 Jul, 2023 20 commits
    • Merge branch 'mptcp-more-fixes-for-6-5' · 2e3c5df2
      Jakub Kicinski authored
      Mat Martineau says:
      
      ====================
      mptcp: More fixes for 6.5
      
      Patch 1: Better detection of ip6tables vs ip6tables-legacy tools for
      self tests. Fix for 6.4 and newer.
      
      Patch 2: Only generate "new listener" event if listen operation
      succeeds. Fix for 6.2 and newer.
      ====================
      
      Link: https://lore.kernel.org/r/20230725-send-net-20230725-v1-0-6f60fe7137a9@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • mptcp: more accurate NL event generation · 21d9b73a
      Paolo Abeni authored
      Currently the mptcp code generates a "new listener" event even
      if the actual listen() syscall fails. Address the issue by moving
      the event generation call under the successful branch.
      
      Cc: stable@vger.kernel.org
      Fixes: f8c9dfbd ("mptcp: add pm listener events")
      Reviewed-by: Mat Martineau <martineau@kernel.org>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Mat Martineau <martineau@kernel.org>
      Link: https://lore.kernel.org/r/20230725-send-net-20230725-v1-2-6f60fe7137a9@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • selftests: mptcp: join: only check for ip6tables if needed · 016e7ba4
      Matthieu Baerts authored
      If 'iptables-legacy' is available, 'ip6tables-legacy' command will be
      used instead of 'ip6tables'. So no need to look if 'ip6tables' is
      available in this case.
      
      Cc: stable@vger.kernel.org
      Fixes: 0c4cd3f8 ("selftests: mptcp: join: use 'iptables-legacy' if available")
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: Mat Martineau <martineau@kernel.org>
      Link: https://lore.kernel.org/r/20230725-send-net-20230725-v1-1-6f60fe7137a9@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch 'tools-ynl-gen-fix-parse-multi-attr-enum-attribute' · fa29d467
      Jakub Kicinski authored
      Arkadiusz Kubalewski says:
      
      ====================
      tools: ynl-gen: fix parse multi-attr enum attribute
      
      Fix the issues with parsing enums in ynl.py script.
      ====================
      
      Link: https://lore.kernel.org/r/20230725101642.267248-1-arkadiusz.kubalewski@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tools: ynl-gen: fix parse multi-attr enum attribute · df15c15e
      Arkadiusz Kubalewski authored
      When an attribute is an enum type and marked as multi-attr, the netlink
      response is not parsed and fails with a stack trace:
      Traceback (most recent call last):
        File "/net-next/tools/net/ynl/./test.py", line 520, in <module>
          main()
        File "/net-next/tools/net/ynl/./test.py", line 488, in main
          dplls=dplls_get(282574471561216)
        File "/net-next/tools/net/ynl/./test.py", line 48, in dplls_get
          reply=act(args)
        File "/net-next/tools/net/ynl/./test.py", line 41, in act
          reply = ynl.dump(args.dump, attrs)
        File "/net-next/tools/net/ynl/lib/ynl.py", line 598, in dump
          return self._op(method, vals, dump=True)
        File "/net-next/tools/net/ynl/lib/ynl.py", line 584, in _op
          rsp_msg = self._decode(gm.raw_attrs, op.attr_set.name)
        File "/net-next/tools/net/ynl/lib/ynl.py", line 451, in _decode
          self._decode_enum(rsp, attr_spec)
        File "/net-next/tools/net/ynl/lib/ynl.py", line 408, in _decode_enum
          value = enum.entries_by_val[raw].name
      TypeError: unhashable type: 'list'
      error: 1
      
      Redesign _decode_enum(..) to take an enum int value and translate
      it to either a bitmask or enum name as expected.

      Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
      Link: https://lore.kernel.org/r/20230725101642.267248-3-arkadiusz.kubalewski@intel.com
      Reviewed-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tools: ynl-gen: fix enum index in _decode_enum(..) · d7ddf5f4
      Arkadiusz Kubalewski authored
      Remove wrong index adjustment, which is leftover from adding
      support for sparse enums.
      enum.entries_by_val() function shall not subtract the start-value, as
      it is indexed with real enum value.
      
      Fixes: c311aaa7 ("tools: ynl: fix enum-as-flags in the generic CLI")
      Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
      Link: https://lore.kernel.org/r/20230725101642.267248-2-arkadiusz.kubalewski@intel.com
      Reviewed-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'platform-drivers-x86-v6.5-3' of... · 0a8db05b
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Hans de Goede:
       "Misc small fixes and hw-id additions"
      
      * tag 'platform-drivers-x86-v6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: huawei-wmi: Silence ambient light sensor
        platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100
        platform/x86: asus-wmi: Fix setting RGB mode on some TUF laptops
        platform/x86: think-lmi: Use kfree_sensitive instead of kfree
        platform/x86/intel/hid: Add HP Dragonfly G2 to VGBS DMI quirks
        platform/x86: intel: hid: Always call BTNL ACPI method
        platform/x86/amd/pmf: Notify OS power slider update
        platform/x86/amd/pmf: reduce verbosity of apmf_get_system_params
        platform/x86: serial-multi-instantiate: Auto detect IRQ resource for CSC3551
        platform/x86/amd: pmc: Use release_mem_region() to undo request_mem_region_muxed()
        platform/x86: touchscreen_dmi.c: small changes for Archos 101 Cesium Educ tablet
    • Merge tag '6.5-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd · f40125c0
      Linus Torvalds authored
      Pull ksmbd server fixes from Steve French:
      
       - fixes for two possible out of bounds access (in negotiate, and in
         decrypt msg)
      
       - fix unsigned compared to zero warning
      
       - fix path lookup crossing a mountpoint
      
       - fix case when first compound request is a tree connect
      
       - fix memory leak if reads are compounded
      
      * tag '6.5-rc3-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
        ksmbd: fix out of bounds in init_smb2_rsp_hdr()
        ksmbd: no response from compound read
        ksmbd: validate session id and tree id in compound request
        ksmbd: fix out of bounds in smb3_decrypt_req()
        ksmbd: check if a mount point is crossed during path lookup
        ksmbd: Fix unsigned expression compared with zero
    • mm: suppress mm fault logging if fatal signal already pending · 5f0bc0b0
      Linus Torvalds authored
      Commit eda00472 ("mm: make the page fault mmap locking killable")
      intentionally made it much easier to trigger the "page fault fails
      because a fatal signal is pending" situation, by having the mmap locking
      fail early in that case.
      
      We have long aborted page faults in other fatal cases when the actual IO
      for a page is interrupted by SIGKILL - which is particularly useful for
      the traditional case of NFS hanging due to network issues, but local
      filesystems could cause it too if you happened to get the SIGKILL while
      waiting for a page to be faulted in (eg lock_folio_maybe_drop_mmap()).
      
      So aborting the page fault wasn't a new condition - but it now triggers
      earlier, before we even get to 'handle_mm_fault()'.  And as a result the
      error doesn't go through our 'fault_signal_pending()' logic, and doesn't
      get filtered away there.
      
      Normally you'd never even notice, because if a fatal signal is pending,
      the new SIGSEGV we send ends up being ignored anyway.
      
      But it turns out that there is one very noticeable exception: if you
      enable 'show_unhandled_signals', the aborted page fault will be logged
      in the kernel messages, and you'll get a scary line looking something
      like this in your logs:
      
        pverados[2183248]: segfault at 55e5a00f9ae0 ip 000055e5a00f9ae0 sp 00007ffc0720bea8 error 14 in perl[55e5a00d4000+195000] likely on CPU 10 (core 4, socket 0)
      
      which is rather misleading.  It's not really a segfault at all, it's
      just "the thread was killed before the page fault completed, so we
      aborted the page fault".
      
      Fix this by just making it clear that a pending fatal signal means that
      any new signal coming in after that is implicitly handled.  This will
      avoid the misleading logging, since now the signal isn't 'unhandled' any
      more.

      Reported-and-tested-by: Fiona Ebner <f.ebner@proxmox.com>
      Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
      Link: https://lore.kernel.org/lkml/8d063a26-43f5-0bb7-3203-c6a04dc159f8@proxmox.com/
      Acked-by: Oleg Nesterov <oleg@redhat.com>
      Fixes: eda00472 ("mm: make the page fault mmap locking killable")
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID · 0ebc1064
      Pablo Neira Ayuso authored
      Bail out with EOPNOTSUPP when adding rule to bound chain via
      NFTA_RULE_CHAIN_ID. The following warning splat is shown when
      adding a rule to a deleted bound chain:
      
       WARNING: CPU: 2 PID: 13692 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
       CPU: 2 PID: 13692 Comm: chain-bound-rul Not tainted 6.1.39 #1
       RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
      
      Fixes: d0e2c7de ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
      Reported-by: Kevin Rich <kevinrich1337@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR · 0a771f7b
      Pablo Neira Ayuso authored
      On error when building the rule, the immediate expression unbinds the
      chain, hence objects can be deactivated by the transaction records.
      
      Otherwise, it is possible to trigger the following warning:
      
       WARNING: CPU: 3 PID: 915 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
       CPU: 3 PID: 915 Comm: chain-bind-err- Not tainted 6.1.39 #1
       RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
      
      Fixes: 4bedf9ee ("netfilter: nf_tables: fix chain binding transaction logic")
      Reported-by: Kevin Rich <kevinrich1337@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • netfilter: nft_set_rbtree: fix overlap expiration walk · f718863a
      Florian Westphal authored
      The lazy gc on insert that should remove timed-out entries fails to release
      the other half of the interval, if any.
      
      Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0
      in nftables.git and kmemleak enabled kernel.
      
      Second bug is the use of rbe_prev vs. prev pointer.
      If rbe_prev() returns NULL after at least one iteration, rbe_prev points
      to element that is not an end interval, hence it should not be removed.
      
      Lastly, check the genmask of the end interval if this is active in the
      current generation.
      
      Fixes: c9e6978e ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • btrfs: check for commit error at btrfs_attach_transaction_barrier() · b28ff3a7
      Filipe Manana authored
      btrfs_attach_transaction_barrier() is used to get a handle pointing to the
      current running transaction if the transaction has not started its commit
      yet (its state is < TRANS_STATE_COMMIT_START). If the transaction commit
      has started, then we wait for the transaction to commit and finish before
      returning - however we completely ignore if the transaction was aborted
      due to some error during its commit, we simply return ERR_PTR(-ENOENT),
      which makes the caller assume everything is fine and no errors happened.
      
      This could make an fsync return success (0) to user space when in fact we
      had a transaction abort and the target inode changes were therefore not
      persisted.
      
      Fix this by checking for the return value from btrfs_wait_for_commit(),
      and if it returned an error, return it back to the caller.
      
      Fixes: d4edf39b ("Btrfs: fix uncompleted transaction")
      CC: stable@vger.kernel.org # 4.19+
      Reviewed-by: Qu Wenruo <wqu@suse.com>
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Reviewed-by: David Sterba <dsterba@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
    • igc: Fix Kernel Panic during ndo_tx_timeout callback · d4a7ce64
      Muhammad Husaini Zulkifli authored
      The Xeon validation group has been carrying out some loaded tests
      with various HW configurations, and they have seen some transmit
      queue time out happening during the test. This will cause the
      reset adapter function to be called by igc_tx_timeout().
      Similar race conditions may arise when the interface is being brought
      down and up in igc_reinit_locked(), an interrupt being generated, and
      igc_clean_tx_irq() being called to complete the TX.
      
      When the igc_tx_timeout() function is invoked, this patch will turn
      off all TX ring HW queues during igc_down() process. TX ring HW queues
      will be activated again during the igc_configure_tx_ring() process
      when performing the igc_up() procedure later.
      
      This patch also moved existing igc_disable_tx_ring_hw() to avoid using
      forward declaration.
      
      Kernel trace:
      [ 7678.747813] ------------[ cut here ]------------
      [ 7678.757914] NETDEV WATCHDOG: enp1s0 (igc): transmit queue 2 timed out
      [ 7678.770117] WARNING: CPU: 0 PID: 13 at net/sched/sch_generic.c:525 dev_watchdog+0x1ae/0x1f0
      [ 7678.784459] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat
      nf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO)
      cegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO) svfs_pci_hotplug(PO)
      vtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO) svheartbeat(PO) ioapic(PO)
      sv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO) smbus(PO) spiflash_cdf(PO) arden(PO)
      dsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO) pch(PO) sviotargets(PO) svbdf(PO) svmem(PO)
      svbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO) svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO)
      fs_svfs(PO) mdevdefdb(PO) svfs_os_services(O) ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO)
      regsupport(O) libnvdimm nls_cp437 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel
      snd_intel_dspcfg snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci
      [ 7678.784496]  input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm fuse backlight
      configfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic pegasus mmc_block usbhid
      mmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa scsi_transport_sas e1000e e1000 e100 ax88179_178a
      usbnet xhci_pci sd_mod xhci_hcd t10_pi crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore
      crct10dif_generic ptp crct10dif_common usb_common pps_core
      [ 7679.200403] RIP: 0010:dev_watchdog+0x1ae/0x1f0
      [ 7679.210201] Code: 28 e9 53 ff ff ff 4c 89 e7 c6 05 06 42 b9 00 01 e8 17 d1 fb ff 44 89 e9 4c
      89 e6 48 c7 c7 40 ad fb 81 48 89 c2 e8 52 62 82 ff <0f> 0b e9 72 ff ff ff 65 8b 05 80 7d 7c 7e
      89 c0 48 0f a3 05 0a c1
      [ 7679.245438] RSP: 0018:ffa00000001f7d90 EFLAGS: 00010282
      [ 7679.256021] RAX: 0000000000000000 RBX: ff11000109938440 RCX: 0000000000000000
      [ 7679.268710] RDX: ff11000361e26cd8 RSI: ff11000361e1b880 RDI: ff11000361e1b880
      [ 7679.281314] RBP: ffa00000001f7da8 R08: ff1100035f8fffe8 R09: 0000000000027ffb
      [ 7679.293840] R10: 0000000000001f0a R11: ff1100035f840000 R12: ff11000109938000
      [ 7679.306276] R13: 0000000000000002 R14: dead000000000122 R15: ffa00000001f7e18
      [ 7679.318648] FS:  0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000
      [ 7679.332064] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 7679.342757] CR2: 00007ffff7fca168 CR3: 000000013b08a006 CR4: 0000000000471ef8
      [ 7679.354984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 7679.367207] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
      [ 7679.379370] PKRU: 55555554
      [ 7679.386446] Call Trace:
      [ 7679.393152]  <TASK>
      [ 7679.399363]  ? __pfx_dev_watchdog+0x10/0x10
      [ 7679.407870]  call_timer_fn+0x31/0x110
      [ 7679.415698]  expire_timers+0xb2/0x120
      [ 7679.423403]  run_timer_softirq+0x179/0x1e0
      [ 7679.431532]  ? __schedule+0x2b1/0x820
      [ 7679.439078]  __do_softirq+0xd1/0x295
      [ 7679.446426]  ? __pfx_smpboot_thread_fn+0x10/0x10
      [ 7679.454867]  run_ksoftirqd+0x22/0x30
      [ 7679.462058]  smpboot_thread_fn+0xb7/0x160
      [ 7679.469670]  kthread+0xcd/0xf0
      [ 7679.476097]  ? __pfx_kthread+0x10/0x10
      [ 7679.483211]  ret_from_fork+0x29/0x50
      [ 7679.490047]  </TASK>
      [ 7679.495204] ---[ end trace 0000000000000000 ]---
      [ 7679.503179] igc 0000:01:00.0 enp1s0: Register Dump
      [ 7679.511230] igc 0000:01:00.0 enp1s0: Register Name   Value
      [ 7679.519892] igc 0000:01:00.0 enp1s0: CTRL            181c0641
      [ 7679.528782] igc 0000:01:00.0 enp1s0: STATUS          40280683
      [ 7679.537551] igc 0000:01:00.0 enp1s0: CTRL_EXT        10000040
      [ 7679.546284] igc 0000:01:00.0 enp1s0: MDIC            180a3800
      [ 7679.554942] igc 0000:01:00.0 enp1s0: ICR             00000081
      [ 7679.563503] igc 0000:01:00.0 enp1s0: RCTL            04408022
      [ 7679.571963] igc 0000:01:00.0 enp1s0: RDLEN[0-3]      00001000 00001000 00001000 00001000
      [ 7679.583075] igc 0000:01:00.0 enp1s0: RDH[0-3]        00000068 000000b6 0000000f 00000031
      [ 7679.594162] igc 0000:01:00.0 enp1s0: RDT[0-3]        00000066 000000b2 0000000e 00000030
      [ 7679.605174] igc 0000:01:00.0 enp1s0: RXDCTL[0-3]     02040808 02040808 02040808 02040808
      [ 7679.616196] igc 0000:01:00.0 enp1s0: RDBAL[0-3]      1bb7c000 1bb7f000 1bb82000 0ef33000
      [ 7679.627242] igc 0000:01:00.0 enp1s0: RDBAH[0-3]      00000001 00000001 00000001 00000001
      [ 7679.638256] igc 0000:01:00.0 enp1s0: TCTL            a503f0fa
      [ 7679.646607] igc 0000:01:00.0 enp1s0: TDBAL[0-3]      2ba4a000 1bb6f000 1bb74000 1bb79000
      [ 7679.657609] igc 0000:01:00.0 enp1s0: TDBAH[0-3]      00000001 00000001 00000001 00000001
      [ 7679.668551] igc 0000:01:00.0 enp1s0: TDLEN[0-3]      00001000 00001000 00001000 00001000
      [ 7679.679470] igc 0000:01:00.0 enp1s0: TDH[0-3]        000000a7 0000002d 000000bf 000000d9
      [ 7679.690406] igc 0000:01:00.0 enp1s0: TDT[0-3]        000000a7 0000002d 000000bf 000000d9
      [ 7679.701264] igc 0000:01:00.0 enp1s0: TXDCTL[0-3]     02100108 02100108 02100108 02100108
      [ 7679.712123] igc 0000:01:00.0 enp1s0: Reset adapter
      [ 7683.085967] igc 0000:01:00.0 enp1s0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
      [ 8086.945561] ------------[ cut here ]------------
      Entering kdb (current=0xffffffff8220b200, pid 0) on processor 0
      Oops: (null) due to oops @ 0xffffffff81573888
      RIP: 0010:dql_completed+0x148/0x160
      Code: c9 00 48 89 57 58 e9 46 ff ff ff 45 85 e4 41 0f 95 c4 41 39 db 0f 95
      c1 41 84 cc 74 05 45 85 ed 78 0a 44 89 c1 e9 27 ff ff ff <0f> 0b 01 f6 44 89
      c1 29 f1 0f 48 ca eb 8c cc cc cc cc cc cc cc cc
      RSP: 0018:ffa0000000003e00 EFLAGS: 00010287
      RAX: 000000000000006c RBX: ffa0000003eb0f78 RCX: ff11000109938000
      RDX: 0000000000000003 RSI: 0000000000000160 RDI: ff110001002e9480
      RBP: ffa0000000003ed8 R08: ff110001002e93c0 R09: ffa0000000003d28
      R10: 0000000000007cc0 R11: 0000000000007c54 R12: 00000000ffffffd9
      R13: ff1100037039cb00 R14: 00000000ffffffd9 R15: ff1100037039c048
      FS:  0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007ffff7fca168 CR3: 000000013b08a003 CR4: 0000000000471ef8
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       <IRQ>
       ? igc_poll+0x1a9/0x14d0 [igc]
       __napi_poll+0x2e/0x1b0
       net_rx_action+0x126/0x250
       __do_softirq+0xd1/0x295
       irq_exit_rcu+0xc5/0xf0
       common_interrupt+0x86/0xa0
       </IRQ>
       <TASK>
       asm_common_interrupt+0x27/0x40
      RIP: 0010:cpuidle_enter_state+0xd3/0x3e0
      Code: 73 f1 ff ff 49 89 c6 8b 05 e2 ca a7 00 85 c0 0f 8f b3 02 00 00 31 ff e8 1b
      de 75 ff 80 7d d7 00 0f 85 cd 01 00 00 fb 45 85 ff <0f> 88 fd 00 00 00 49 63 cf
      4c 2b 75 c8 48 8d 04 49 48 89 ca 48 8d
      RSP: 0018:ffffffff82203df0 EFLAGS: 00000202
      RAX: ff11000361e2a200 RBX: 0000000000000002 RCX: 000000000000001f
      RDX: 0000000000000000 RSI: 000000003cf3cf3d RDI: 0000000000000000
      RBP: ffffffff82203e28 R08: 0000075ae38471c8 R09: 0000000000000018
      R10: 000000000000031a R11: ffffffff8238dca0 R12: ffd1ffffff200000
      R13: ffffffff8238dca0 R14: 0000075ae38471c8 R15: 0000000000000002
       cpuidle_enter+0x2e/0x50
       call_cpuidle+0x23/0x40
       do_idle+0x1be/0x220
       cpu_startup_entry+0x20/0x30
       rest_init+0xb5/0xc0
       arch_call_rest_init+0xe/0x30
       start_kernel+0x448/0x760
       x86_64_start_kernel+0x109/0x150
       secondary_startup_64_no_verify+0xe0/0xeb
       </TASK>
      more>
      [0]kdb>
      
      [0]kdb>
      [0]kdb> go
      Catastrophic error detected
      kdb_continue_catastrophic=0, type go a second time if you really want to
      continue
      [0]kdb> go
      Catastrophic error detected
      kdb_continue_catastrophic=0, attempting to continue
      [ 8086.955689] refcount_t: underflow; use-after-free.
      [ 8086.955697] WARNING: CPU: 0 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0xc2/0x110
      [ 8086.955706] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat
      nf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO)
      cegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO)
      svfs_pci_hotplug(PO) vtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO)
      svheartbeat(PO) ioapic(PO) sv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO)
      smbus(PO) spiflash_cdf(PO) arden(PO) dsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO)
      pch(PO) sviotargets(PO) svbdf(PO) svmem(PO) svbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO)
      svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO) fs_svfs(PO) mdevdefdb(PO) svfs_os_services(O)
      ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO) regsupport(O) libnvdimm nls_cp437
      snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg
      snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci
      [ 8086.955751]  input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm
      fuse backlight configfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic
      pegasus mmc_block usbhid mmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa
      scsi_transport_sas e1000e e1000 e100 ax88179_178a usbnet xhci_pci sd_mod xhci_hcd t10_pi
      crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore crct10dif_generic ptp crct10dif_common
      usb_common pps_core
      [ 8086.955784] RIP: 0010:refcount_warn_saturate+0xc2/0x110
      [ 8086.955788] Code: 01 e8 82 e7 b4 ff 0f 0b 5d c3 cc cc cc cc 80 3d 68 c6 eb 00 00 75 81
      48 c7 c7 a0 87 f6 81 c6 05 58 c6 eb 00 01 e8 5e e7 b4 ff <0f> 0b 5d c3 cc cc cc cc 80 3d
      42 c6 eb 00 00 0f 85 59 ff ff ff 48
      [ 8086.955790] RSP: 0018:ffa0000000003da0 EFLAGS: 00010286
      [ 8086.955793] RAX: 0000000000000000 RBX: ff1100011da40ee0 RCX: ff11000361e1b888
      [ 8086.955794] RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ff11000361e1b880
      [ 8086.955795] RBP: ffa0000000003da0 R08: 80000000ffff9f45 R09: ffa0000000003d28
      [ 8086.955796] R10: ff1100035f840000 R11: 0000000000000028 R12: ff11000319ff8000
      [ 8086.955797] R13: ff1100011bb79d60 R14: 00000000ffffffd6 R15: ff1100037039cb00
      [ 8086.955798] FS:  0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000
      [ 8086.955800] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 8086.955801] CR2: 00007ffff7fca168 CR3: 000000013b08a003 CR4: 0000000000471ef8
      [ 8086.955803] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 8086.955803] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
      [ 8086.955804] PKRU: 55555554
      [ 8086.955805] Call Trace:
      [ 8086.955806]  <IRQ>
      [ 8086.955808]  tcp_wfree+0x112/0x130
      [ 8086.955814]  skb_release_head_state+0x24/0xa0
      [ 8086.955818]  napi_consume_skb+0x9c/0x160
      [ 8086.955821]  igc_poll+0x5d8/0x14d0 [igc]
      [ 8086.955835]  __napi_poll+0x2e/0x1b0
      [ 8086.955839]  net_rx_action+0x126/0x250
      [ 8086.955843]  __do_softirq+0xd1/0x295
      [ 8086.955846]  irq_exit_rcu+0xc5/0xf0
      [ 8086.955851]  common_interrupt+0x86/0xa0
      [ 8086.955857]  </IRQ>
      [ 8086.955857]  <TASK>
      [ 8086.955858]  asm_common_interrupt+0x27/0x40
      [ 8086.955862] RIP: 0010:cpuidle_enter_state+0xd3/0x3e0
      [ 8086.955866] Code: 73 f1 ff ff 49 89 c6 8b 05 e2 ca a7 00 85 c0 0f 8f b3 02 00 00 31 ff e8
      1b de 75 ff 80 7d d7 00 0f 85 cd 01 00 00 fb 45 85 ff <0f> 88 fd 00 00 00 49 63 cf 4c 2b 75
      c8 48 8d 04 49 48 89 ca 48 8d
      [ 8086.955867] RSP: 0018:ffffffff82203df0 EFLAGS: 00000202
      [ 8086.955869] RAX: ff11000361e2a200 RBX: 0000000000000002 RCX: 000000000000001f
      [ 8086.955870] RDX: 0000000000000000 RSI: 000000003cf3cf3d RDI: 0000000000000000
      [ 8086.955871] RBP: ffffffff82203e28 R08: 0000075ae38471c8 R09: 0000000000000018
      [ 8086.955872] R10: 000000000000031a R11: ffffffff8238dca0 R12: ffd1ffffff200000
      [ 8086.955873] R13: ffffffff8238dca0 R14: 0000075ae38471c8 R15: 0000000000000002
      [ 8086.955875]  cpuidle_enter+0x2e/0x50
      [ 8086.955880]  call_cpuidle+0x23/0x40
      [ 8086.955884]  do_idle+0x1be/0x220
      [ 8086.955887]  cpu_startup_entry+0x20/0x30
      [ 8086.955889]  rest_init+0xb5/0xc0
      [ 8086.955892]  arch_call_rest_init+0xe/0x30
      [ 8086.955895]  start_kernel+0x448/0x760
      [ 8086.955898]  x86_64_start_kernel+0x109/0x150
      [ 8086.955900]  secondary_startup_64_no_verify+0xe0/0xeb
      [ 8086.955904]  </TASK>
      [ 8086.955904] ---[ end trace 0000000000000000 ]---
      [ 8086.955912] ------------[ cut here ]------------
      [ 8086.955913] kernel BUG at lib/dynamic_queue_limits.c:27!
      [ 8086.955918] invalid opcode: 0000 [#1] SMP
      [ 8086.955922] RIP: 0010:dql_completed+0x148/0x160
      [ 8086.955925] Code: c9 00 48 89 57 58 e9 46 ff ff ff 45 85 e4 41 0f 95 c4 41 39 db
      0f 95 c1 41 84 cc 74 05 45 85 ed 78 0a 44 89 c1 e9 27 ff ff ff <0f> 0b 01 f6 44 89
      c1 29 f1 0f 48 ca eb 8c cc cc cc cc cc cc cc cc
      [ 8086.955927] RSP: 0018:ffa0000000003e00 EFLAGS: 00010287
      [ 8086.955928] RAX: 000000000000006c RBX: ffa0000003eb0f78 RCX: ff11000109938000
      [ 8086.955929] RDX: 0000000000000003 RSI: 0000000000000160 RDI: ff110001002e9480
      [ 8086.955930] RBP: ffa0000000003ed8 R08: ff110001002e93c0 R09: ffa0000000003d28
      [ 8086.955931] R10: 0000000000007cc0 R11: 0000000000007c54 R12: 00000000ffffffd9
      [ 8086.955932] R13: ff1100037039cb00 R14: 00000000ffffffd9 R15: ff1100037039c048
      [ 8086.955933] FS:  0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000
      [ 8086.955934] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 8086.955935] CR2: 00007ffff7fca168 CR3: 000000013b08a003 CR4: 0000000000471ef8
      [ 8086.955936] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 8086.955937] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
      [ 8086.955938] PKRU: 55555554
      [ 8086.955939] Call Trace:
      [ 8086.955939]  <IRQ>
      [ 8086.955940]  ? igc_poll+0x1a9/0x14d0 [igc]
      [ 8086.955949]  __napi_poll+0x2e/0x1b0
      [ 8086.955952]  net_rx_action+0x126/0x250
      [ 8086.955956]  __do_softirq+0xd1/0x295
      [ 8086.955958]  irq_exit_rcu+0xc5/0xf0
      [ 8086.955961]  common_interrupt+0x86/0xa0
      [ 8086.955964]  </IRQ>
      [ 8086.955965]  <TASK>
      [ 8086.955965]  asm_common_interrupt+0x27/0x40
      [ 8086.955968] RIP: 0010:cpuidle_enter_state+0xd3/0x3e0
      [ 8086.955971] Code: 73 f1 ff ff 49 89 c6 8b 05 e2 ca a7 00 85 c0 0f 8f b3 02 00 00
      31 ff e8 1b de 75 ff 80 7d d7 00 0f 85 cd 01 00 00 fb 45 85 ff <0f> 88 fd 00 00 00
      49 63 cf 4c 2b 75 c8 48 8d 04 49 48 89 ca 48 8d
      [ 8086.955972] RSP: 0018:ffffffff82203df0 EFLAGS: 00000202
      [ 8086.955973] RAX: ff11000361e2a200 RBX: 0000000000000002 RCX: 000000000000001f
      [ 8086.955974] RDX: 0000000000000000 RSI: 000000003cf3cf3d RDI: 0000000000000000
      [ 8086.955974] RBP: ffffffff82203e28 R08: 0000075ae38471c8 R09: 0000000000000018
      [ 8086.955975] R10: 000000000000031a R11: ffffffff8238dca0 R12: ffd1ffffff200000
      [ 8086.955976] R13: ffffffff8238dca0 R14: 0000075ae38471c8 R15: 0000000000000002
      [ 8086.955978]  cpuidle_enter+0x2e/0x50
      [ 8086.955981]  call_cpuidle+0x23/0x40
      [ 8086.955984]  do_idle+0x1be/0x220
      [ 8086.955985]  cpu_startup_entry+0x20/0x30
      [ 8086.955987]  rest_init+0xb5/0xc0
      [ 8086.955990]  arch_call_rest_init+0xe/0x30
      [ 8086.955992]  start_kernel+0x448/0x760
      [ 8086.955994]  x86_64_start_kernel+0x109/0x150
      [ 8086.955996]  secondary_startup_64_no_verify+0xe0/0xeb
      [ 8086.955998]  </TASK>
      [ 8086.955999] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype
      nft_compat nf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO)
      rktpm(PO) cegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO)
      svfs_pci_hotplug(PO) vtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO)
      svheartbeat(PO) ioapic(PO) sv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO)
      smbus(PO) spiflash_cdf(PO) arden(PO) dsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO)
      pch(PO) sviotargets(PO) svbdf(PO) svmem(PO) svbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO)
      svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO) fs_svfs(PO) mdevdefdb(PO) svfs_os_services(O)
      ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO) regsupport(O) libnvdimm nls_cp437
      snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg
      snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci
      [ 8086.956029]  input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm
      fuse backlight configfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic
      pegasus mmc_block usbhid mmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa
      scsi_transport_sas e1000e e1000 e100 ax88179_178a usbnet xhci_pci sd_mod xhci_hcd t10_pi
      crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore crct10dif_generic ptp crct10dif_common
      usb_common pps_core
      [16762.543675] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 8675587.593 msecs
      [16762.543678] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 8675587.595 msecs
      [16762.543673] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 8675587.495 msecs
      [16762.543679] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 8675587.599 msecs
      [16762.543678] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 8675587.598 msecs
      [16762.543690] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 8675587.605 msecs
      [16762.543684] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 8675587.599 msecs
      [16762.543693] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 8675587.613 msecs
      [16762.543784] ---[ end trace 0000000000000000 ]---
      [16762.849099] RIP: 0010:dql_completed+0x148/0x160
      PANIC: Fatal exception in interrupt
      
      Fixes: 9b275176 ("igc: Add ndo_tx_timeout support")
      Tested-by: Alejandra Victoria Alcaraz <alejandra.victoria.alcaraz@intel.com>
      Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
      Acked-by: Sasha Neftin <sasha.neftin@intel.com>
      Tested-by: Naama Meir <naamax.meir@linux.intel.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      d4a7ce64
    • net: dsa: qca8k: fix mdb add/del case with 0 VID · dfd739f1
      Christian Marangi authored
      The qca8k switch doesn't support using 0 as VID and requires a default
      VID to be always set. MDB add/del functions don't currently handle
      this and are currently setting the default VID.
      
      Fix this by correctly handling this corner case and internally use the
      default VID for VID 0 case.
      
      Fixes: ba8f870d ("net: dsa: qca8k: add support for mdb_add/del")
      Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
      dfd739f1
    • net: dsa: qca8k: fix broken search_and_del · ae70dcb9
      Christian Marangi authored
      On deleting an MDB entry for a port, fdb_search_and_del is used.
      An FDB entry can't be modified so it needs to be deleted and readded
      again with the new portmap (and the port deleted as requested)
      
      We use the SEARCH operator to search the entry to edit by vid and mac
      address and then we check the aging if we actually found an entry.
      
      Currently the code suffers from a bug where the searched fdb entry is
      never read again with the found values (if found) resulting in the code
      always returning -EINVAL as aging was always 0.
      
      Fix this by correctly reading the fdb entry after it was searched.
      
      Fixes: ba8f870d ("net: dsa: qca8k: add support for mdb_add/del")
      Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ae70dcb9
    • net: dsa: qca8k: fix search_and_insert wrong handling of new rule · 80248d41
      Christian Marangi authored
      On inserting a mdb entry, fdb_search_and_insert is used to add a port to
      the qca8k target entry in the FDB db.
      
      A FDB entry can't be modified so it needs to be removed and inserted again
      with the new values.
      
      To detect if an entry already exists, the SEARCH operation is used and we
      check the aging of the entry. If the entry is not 0, the entry exists and
      we proceed to delete it.
      
      Current code has 2 main problems:
      - The condition to check if the FDB entry exists is wrong and should be
        the opposite.
      - When a FDB entry doesn't exist, aging was never actually set to the
        STATIC value resulting in allocating an invalid entry.
      
      Fix both problems by adding aging support to the function, calling the
      function with STATIC as aging by default and finally by correcting the
      condition to check if the entry actually exists.
      
      Fixes: ba8f870d ("net: dsa: qca8k: add support for mdb_add/del")
      Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
      80248d41
    • net: dsa: qca8k: enable use_single_write for qca8xxx · 2c39dd02
      Christian Marangi authored
      The qca8xxx switch supports 2 ways to write reg values, a slow way using
      mdio and a fast way by sending specially crafted mgmt packets to
      read/write reg.
      
      The fast way can support up to 32 bytes of data as eth packets are used
      to send/receive.
      
      This correctly works for almost the entire regmap of the switch but with
      the use of some kernel selftests for dsa drivers a funny and interesting
      hw defect/limitation was found.
      
      For some specific regs, bulk write won't work and will result in writing
      only part of the requested regs resulting in half data written. This was
      especially hard to track and discover due to the total strangeness of
      the problem and also by the specific regs where this occurs.
      
      This occurs in the specific regs of the ATU table, where multiple entries
      need to be written to compose the entire entry.
      It was discovered that with a bulk write of 12 bytes on
      QCA8K_REG_ATU_DATA0 only QCA8K_REG_ATU_DATA0 and QCA8K_REG_ATU_DATA2
      were written, but QCA8K_REG_ATU_DATA1 was always zero.
      Tcpdump was used to make sure the specially crafted packet was correct
      and this was confirmed.
      
      The problem was hard to track as the lack of QCA8K_REG_ATU_DATA1
      resulted in an entry somehow possible as the first bytes of the mac
      address are set in QCA8K_REG_ATU_DATA0 and the entry type is set in
      QCA8K_REG_ATU_DATA2.
      
      Funnily enough writing QCA8K_REG_ATU_DATA1 results in the same problem
      with QCA8K_REG_ATU_DATA2 empty and QCA8K_REG_ATU_DATA1 and
      QCA8K_REG_ATU_FUNC correctly written.
      A speculation on the problem might be that there is some kind of
      indirection internally when accessing these regs and they can't be
      accessed all together, due to the fact that it's really a table mapped
      somewhere in the switch SRAM.
      
      Even more funny is the fact that every other reg was tested with all
      kinds of combinations and they are not affected by this problem. Read
      operation was also tested and always worked so it's not affected by this
      problem.
      
      The problem is not present if we limit writing to a single reg at a time.
      
      To handle this hardware defect, enable use_single_write so that bulk
      api can correctly split the write into multiple different operations
      effectively reverting to a non-bulk write.
      
      Cc: Mark Brown <broonie@kernel.org>
      Fixes: c766e077 ("net: dsa: qca8k: convert to regmap read/write API")
      Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
      2c39dd02
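
The partial-write behaviour described in the commit message above, as a small user-space model with the read-back check that exposes it. This is an added example, not code from the qca8k driver or from regmap: the simulated register bank, its indices, the function names and the rule "the second word of a multi-word write is lost" are assumptions chosen to match the two observations the message reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Positions in a simulated register bank (assumption: these are model
 * indices, not the switch's real register offsets). */
enum { ATU_DATA0, ATU_DATA1, ATU_DATA2, ATU_FUNC, ATU_NREGS };

struct sim_switch {
	uint32_t atu[ATU_NREGS];
	unsigned int mgmt_packets;	/* management frames sent so far */
};

/* One management packet carrying `count` consecutive words.
 * Constructed defect model: in a multi-word write the second word never
 * lands and the register reads back as zero. */
static int sim_mgmt_write(struct sim_switch *sw, unsigned int first,
			  const uint32_t *val, size_t count)
{
	if (count == 0 || first >= ATU_NREGS || count > ATU_NREGS - first)
		return -1;
	sw->mgmt_packets++;
	for (size_t i = 0; i < count; i++)
		sw->atu[first + i] = (count > 1 && i == 1) ? 0 : val[i];
	return 0;
}

/* Bulk write entry point. With use_single_write set, the request is split
 * into one packet per register, which is the workaround the commit enables. */
static int bulk_write(struct sim_switch *sw, int use_single_write,
		      unsigned int first, const uint32_t *val, size_t count)
{
	if (count == 0 || first >= ATU_NREGS || count > ATU_NREGS - first)
		return -1;
	if (!use_single_write)
		return sim_mgmt_write(sw, first, val, count);
	for (size_t i = 0; i < count; i++)
		if (sim_mgmt_write(sw, first + (unsigned int)i, &val[i], 1))
			return -1;
	return 0;
}

/* Read-back check: index of the first register that differs from what was
 * requested, or -1 when the whole entry landed. */
static int first_mismatch(const struct sim_switch *sw, unsigned int first,
			  const uint32_t *val, size_t count)
{
	for (size_t i = 0; i < count; i++)
		if (sw->atu[first + i] != val[i])
			return (int)(first + i);
	return -1;
}

int main(void)
{
	/* Constructed sample entry: three distinct words for DATA0..DATA2. */
	const uint32_t entry[3] = { 0x11111111, 0x22222222, 0x33333333 };
	struct sim_switch bulk = { {0}, 0 }, split = { {0}, 0 };

	bulk_write(&bulk, 0, ATU_DATA0, entry, 3);
	bulk_write(&split, 1, ATU_DATA0, entry, 3);
	printf("bulk:  first bad reg %d, %u packet(s)\n",
	       first_mismatch(&bulk, ATU_DATA0, entry, 3), bulk.mgmt_packets);
	printf("split: first bad reg %d, %u packet(s)\n",
	       first_mismatch(&split, ATU_DATA0, entry, 3), split.mgmt_packets);
	return 0;
}
```

The split path costs one packet per register instead of one per entry, which is the trade the commit accepts in exchange for complete ATU entries.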
    • net: ipa: only reset hashed tables when supported · e11ec2b8
      Alex Elder authored
      Last year, the code that manages GSI channel transactions switched
      from using spinlock-protected linked lists to using indexes into the
      ring buffer used for a channel.  Recently, Google reported seeing
      transaction reference count underflows occasionally during shutdown.
      
      Doug Anderson found a way to reproduce the issue reliably, and
      bisected the issue to the commit that eliminated the linked lists
      and the lock.  The root cause was ultimately determined to be
      related to unused transactions being committed as part of the modem
      shutdown cleanup activity.  Unused transactions are not normally
      expected (except in error cases).
      
      The modem uses some ranges of IPA-resident memory, and whenever it
      shuts down we zero those ranges.  In ipa_filter_reset_table() a
      transaction is allocated to zero modem filter table entries.  If
      hashing is not supported, hashed table memory should not be zeroed.
      But currently nothing prevents that, and the result is an unused
      transaction.  Something similar occurs when we zero routing table
      entries for the modem.
      
      By preventing any attempt to clear hashed tables when hashing is not
      supported, the reference count underflow is avoided in this case.
      
      Note that there likely remains an issue with properly freeing unused
      transactions (if they occur due to errors).  This patch addresses
      only the underflows that Google originally reported.
      
      Cc: <stable@vger.kernel.org> # 6.1.x
      Fixes: d338ae28 ("net: ipa: kill all other transaction lists")
      Tested-by: Douglas Anderson <dianders@chromium.org>
      Signed-off-by: Alex Elder <elder@linaro.org>
      Link: https://lore.kernel.org/r/20230724224055.1688854-1-elder@linaro.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      e11ec2b8
    • Merge branch 'net-fix-error-warning-by-fstrict-flex-arrays-3' · a49441c9
      Jakub Kicinski authored
      Kuniyuki Iwashima says:
      
      ====================
      net: Fix error/warning by -fstrict-flex-arrays=3.
      
      df8fc4e9 ("kbuild: Enable -fstrict-flex-arrays=3") started applying
      strict rules for standard string functions (strlen(), memcpy(), etc.) if
      CONFIG_FORTIFY_SOURCE=y.
      
      This series fixes two false positives caught by syzkaller.
      
      v2: https://lore.kernel.org/netdev/20230720004410.87588-1-kuniyu@amazon.com/
      v1: https://lore.kernel.org/netdev/20230719185322.44255-1-kuniyu@amazon.com/
      ====================
      
      Link: https://lore.kernel.org/r/20230724213425.22920-1-kuniyu@amazon.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      a49441c9