1. 04 Oct, 2024 8 commits
    • Linus Torvalds's avatar
      Merge tag 'fsnotify_for_v6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · e02f08e2
      Linus Torvalds authored
      Pull fsnotify fixes from Jan Kara:
       "Fixes for an inotify deadlock and a data race in fsnotify"
      
      * tag 'fsnotify_for_v6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        inotify: Fix possible deadlock in fsnotify_destroy_mark
        fsnotify: Avoid data race between fsnotify_recalc_mask() and fsnotify_object_watched()
      e02f08e2
    • Linus Torvalds's avatar
      Merge tag 'fs_for_v6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 4770119d
      Linus Torvalds authored
      Pull UDF fixes from Jan Kara:
       "A couple of UDF error handling fixes for issues spotted by syzbot"
      
      * tag 'fs_for_v6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        udf: fix uninit-value use in udf_get_fileshortad
        udf: refactor inode_bmap() to handle error
        udf: refactor udf_next_aext() to handle error
        udf: refactor udf_current_aext() to handle error
      4770119d
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-6.12-rc2' of https://github.com/ceph/ceph-client · a3a37691
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "A fix from Patrick for a variety of CephFS lockup scenarios caused by
        a regression in cap handling which sneaked in through the netfs helper
        library in 5.18 (marked for stable) and an unrelated one-line cleanup"
      
      * tag 'ceph-for-6.12-rc2' of https://github.com/ceph/ceph-client:
        ceph: fix cap ref leak via netfs init_request
        ceph: use struct_size() helper in __ceph_pool_perm_get()
      a3a37691
    • Linus Torvalds's avatar
      Merge tag 'for-6.12-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 79eb2c07
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - in incremental send, fix invalid clone operation for file that got
         its size decreased
      
       - fix __counted_by() annotation of send path cache entries, we do not
         store the terminating NUL
      
       - fix a longstanding bug in relocation (and quite hard to hit by
         chance), drop back reference cache that can get out of sync after
         transaction commit
      
       - wait for fixup worker kthread before finishing umount
      
       - add missing raid-stripe-tree extent for NOCOW files, zoned mode
         cannot have NOCOW files but RST is meant to be a standalone feature
      
       - handle transaction start error during relocation, avoid potential
         NULL pointer dereference of relocation control structure (reported by
         syzbot)
      
       - disable module-wide rate limiting of debug level messages
      
       - minor fix to tracepoint definition (reported by checkpatch.pl)
      
      * tag 'for-6.12-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: disable rate limiting when debug enabled
        btrfs: wait for fixup workers before stopping cleaner kthread during umount
        btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
        btrfs: send: fix invalid clone operation for file that got its size decreased
        btrfs: tracepoints: end assignment with semicolon at btrfs_qgroup_extent event class
        btrfs: drop the backref cache during relocation if we commit
        btrfs: also add stripe entries for NOCOW writes
        btrfs: send: fix buffer overflow detection when copying path to cache entry
      79eb2c07
    • Linus Torvalds's avatar
      Merge tag 'v6.12-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 · b7a838ee
      Linus Torvalds authored
      Pull smb client fixes from Steve French:
      
       - statfs fix (e.g. when limited access to root directory of share)
      
       - special file handling fixes: fix packet validation to avoid buffer
         overflow for reparse points, fixes for symlink path parsing (one for
         reparse points, and one for SFU use case), and fix for cleanup after
         failed SET_REPARSE operation.
      
       - fix for SMB2.1 signing bug introduced by recent patch to NFS symlink
         path, and NFS reparse point validation
      
       - comment cleanup
      
      * tag 'v6.12-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: Do not convert delimiter when parsing NFS-style symlinks
        cifs: Validate content of NFS reparse point buffer
        cifs: Fix buffer overflow when parsing NFS reparse points
        smb: client: Correct typos in multiple comments across various files
        smb: client: use actual path when queryfs
        cifs: Remove intermediate object of failed create reparse call
        Revert "smb: client: make SHA-512 TFM ephemeral"
        smb: Update comments about some reparse point tags
        cifs: Check for UTF-16 null codepoint in SFU symlink target location
      b7a838ee
    • Linus Torvalds's avatar
      Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 6cca1195
      Linus Torvalds authored
      Pull close_range() fix from Al Viro:
       "Fix the logic in descriptor table trimming"
      
      * tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        close_range(): fix the logics in descriptor table trimming
      6cca1195
    • Linus Torvalds's avatar
      Merge tag 'rust-fixes-6.12' of https://github.com/Rust-for-Linux/linux · 0c559323
      Linus Torvalds authored
      Pull Rust fixes from Miguel Ojeda:
       "Toolchain and infrastructure:
      
         - Fix/improve a couple 'depends on' on the newly added CFI/KASAN
           suppport to avoid build errors/warnings
      
         - Fix ARCH_SLAB_MINALIGN multiple definition error for RISC-V under
           !CONFIG_MMU
      
         - Clean upcoming (Rust 1.83.0) Clippy warnings
      
        'kernel' crate:
      
         - 'sync' module: fix soundness issue by requiring 'T: Sync' for
           'LockedBy::access'; and fix helpers build error under PREEMPT_RT
      
         - Fix trivial sorting issue ('rustfmtcheck') on the v6.12 Rust merge"
      
      * tag 'rust-fixes-6.12' of https://github.com/Rust-for-Linux/linux:
        rust: kunit: use C-string literals to clean warning
        cfi: encode cfi normalized integers + kasan/gcov bug in Kconfig
        rust: KASAN+RETHUNK requires rustc 1.83.0
        rust: cfi: fix `patchable-function-entry` starting version
        rust: mutex: fix __mutex_init() usage in case of PREEMPT_RT
        rust: fix `ARCH_SLAB_MINALIGN` multiple definition error
        rust: sync: require `T: Sync` for `LockedBy::access`
        rust: kernel: sort Rust modules
      0c559323
    • Linus Torvalds's avatar
      Merge tag 'pull-fixes.ufs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 263a25de
      Linus Torvalds authored
      Pull ufs fix from Al Viro:
       "Fix ufs_rename() braino introduced this cycle.
      
        The 'folio_release_kmap(dir_folio, new_dir)' in ufs_rename() part of
        folio conversion should've been getting a pointer to ufs directory
        entry within the page, rather than a pointer to directory struct
        inode..."
      
      * tag 'pull-fixes.ufs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        ufs_rename(): fix bogus argument of folio_release_kmap()
      263a25de
  2. 03 Oct, 2024 29 commits
    • Johannes Weiner's avatar
      sched: psi: fix bogus pressure spikes from aggregation race · 3840cbe2
      Johannes Weiner authored
      Brandon reports sporadic, non-sensical spikes in cumulative pressure
      time (total=) when reading cpu.pressure at a high rate. This is due to
      a race condition between reader aggregation and tasks changing states.
      
      While it affects all states and all resources captured by PSI, in
      practice it most likely triggers with CPU pressure, since scheduling
      events are so frequent compared to other resource events.
      
      The race context is the live snooping of ongoing stalls during a
      pressure read. The read aggregates per-cpu records for stalls that
      have concluded, but will also incorporate ad-hoc the duration of any
      active state that hasn't been recorded yet. This is important to get
      timely measurements of ongoing stalls. Those ad-hoc samples are
      calculated on-the-fly up to the current time on that CPU; since the
      stall hasn't concluded, it's expected that this is the minimum amount
      of stall time that will enter the per-cpu records once it does.
      
      The problem is that the path that concludes the state uses a CPU clock
      read that is not synchronized against aggregators; the clock is read
      outside of the seqlock protection. This allows aggregators to race and
      snoop a stall with a longer duration than will actually be recorded.
      
      With the recorded stall time being less than the last snapshot
      remembered by the aggregator, a subsequent sample will underflow and
      observe a bogus delta value, resulting in an erratic jump in pressure.
      
      Fix this by moving the clock read of the state change into the seqlock
      protection. This ensures no aggregation can snoop live stalls past the
      time that's recorded when the state concludes.
      Reported-by: default avatarBrandon Duffany <brandon@buildbuddy.io>
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=219194
      Link: https://lore.kernel.org/lkml/20240827121851.GB438928@cmpxchg.org/
      Fixes: df774306 ("psi: Reduce calls to sched_clock() in psi")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Reviewed-by: default avatarChengming Zhou <chengming.zhou@linux.dev>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3840cbe2
    • Pali Rohár's avatar
      cifs: Do not convert delimiter when parsing NFS-style symlinks · d3a49f60
      Pali Rohár authored
      NFS-style symlinks have target location always stored in NFS/UNIX form
      where backslash means the real UNIX backslash and not the SMB path
      separator.
      
      So do not mangle slash and backslash content of NFS-style symlink during
      readlink() syscall as it is already in the correct Linux form.
      
      This fixes interoperability of NFS-style symlinks with backslashes created
      by Linux NFS3 client throw Windows NFS server and retrieved by Linux SMB
      client throw Windows SMB server, where both Windows servers exports the
      same directory.
      
      Fixes: d5ecebc4 ("smb3: Allow query of symlinks stored as reparse points")
      Acked-by: default avatarPaulo Alcantara (Red Hat) <pc@manguebit.com>
      Signed-off-by: default avatarPali Rohár <pali@kernel.org>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      d3a49f60
    • Pali Rohár's avatar
      cifs: Validate content of NFS reparse point buffer · 556ac52b
      Pali Rohár authored
      Symlink target location stored in DataBuffer is encoded in UTF-16. So check
      that symlink DataBuffer length is non-zero and even number. And check that
      DataBuffer does not contain UTF-16 null codepoint because Linux cannot
      process symlink with null byte.
      
      DataBuffer for char and block devices is 8 bytes long as it contains two
      32-bit numbers (major and minor). Add check for this.
      
      DataBuffer buffer for sockets and fifos zero-length. Add checks for this.
      Signed-off-by: default avatarPali Rohár <pali@kernel.org>
      Reviewed-by: default avatarPaulo Alcantara (Red Hat) <pc@manguebit.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      556ac52b
    • Pali Rohár's avatar
      cifs: Fix buffer overflow when parsing NFS reparse points · e2a8910a
      Pali Rohár authored
      ReparseDataLength is sum of the InodeType size and DataBuffer size.
      So to get DataBuffer size it is needed to subtract InodeType's size from
      ReparseDataLength.
      
      Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer
      at position after the end of the buffer because it does not subtract
      InodeType size from the length. Fix this problem and correctly subtract
      variable len.
      
      Member InodeType is present only when reparse buffer is large enough. Check
      for ReparseDataLength before accessing InodeType to prevent another invalid
      memory access.
      
      Major and minor rdev values are present also only when reparse buffer is
      large enough. Check for reparse buffer size before calling reparse_mkdev().
      
      Fixes: d5ecebc4 ("smb3: Allow query of symlinks stored as reparse points")
      Reviewed-by: default avatarPaulo Alcantara (Red Hat) <pc@manguebit.com>
      Signed-off-by: default avatarPali Rohár <pali@kernel.org>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      e2a8910a
    • Linus Torvalds's avatar
      Merge tag 'net-6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 8c245fe7
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from ieee802154, bluetooth and netfilter.
      
        Current release - regressions:
      
         - eth: mlx5: fix wrong reserved field in hca_cap_2 in mlx5_ifc
      
         - eth: am65-cpsw: fix forever loop in cleanup code
      
        Current release - new code bugs:
      
         - eth: mlx5: HWS, fixed double-free in error flow of creating SQ
      
        Previous releases - regressions:
      
         - core: avoid potential underflow in qdisc_pkt_len_init() with UFO
      
         - core: test for not too small csum_start in virtio_net_hdr_to_skb()
      
         - vrf: revert "vrf: remove unnecessary RCU-bh critical section"
      
         - bluetooth:
             - fix uaf in l2cap_connect
             - fix possible crash on mgmt_index_removed
      
         - dsa: improve shutdown sequence
      
         - eth: mlx5e: SHAMPO, fix overflow of hd_per_wq
      
         - eth: ip_gre: fix drops of small packets in ipgre_xmit
      
        Previous releases - always broken:
      
         - core: fix gso_features_check to check for both
           dev->gso_{ipv4_,}max_size
      
         - core: fix tcp fraglist segmentation after pull from frag_list
      
         - netfilter: nf_tables: prevent nf_skb_duplicated corruption
      
         - sctp: set sk_state back to CLOSED if autobind fails in
           sctp_listen_start
      
         - mac802154: fix potential RCU dereference issue in
           mac802154_scan_worker
      
         - eth: fec: restart PPS after link state change"
      
      * tag 'net-6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (48 commits)
        sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
        dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems
        doc: net: napi: Update documentation for napi_schedule_irqoff
        net/ncsi: Disable the ncsi work before freeing the associated structure
        net: phy: qt2025: Fix warning: unused import DeviceId
        gso: fix udp gso fraglist segmentation after pull from frag_list
        bridge: mcast: Fail MDB get request on empty entry
        vrf: revert "vrf: Remove unnecessary RCU-bh critical section"
        net: ethernet: ti: am65-cpsw: Fix forever loop in cleanup code
        net: phy: realtek: Check the index value in led_hw_control_get
        ppp: do not assume bh is held in ppp_channel_bridge_input()
        selftests: rds: move include.sh to TEST_FILES
        net: test for not too small csum_start in virtio_net_hdr_to_skb()
        net: gso: fix tcp fraglist segmentation after pull from frag_list
        ipv4: ip_gre: Fix drops of small packets in ipgre_xmit
        net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check
        net: add more sanity checks to qdisc_pkt_len_init()
        net: avoid potential underflow in qdisc_pkt_len_init() with UFO
        net: ethernet: ti: cpsw_ale: Fix warning on some platforms
        net: microchip: Make FDMA config symbol invisible
        ...
      8c245fe7
    • Linus Torvalds's avatar
      Merge tag 'v6.12-rc1-ksmbd-fixes' of git://git.samba.org/ksmbd · 9c02404b
      Linus Torvalds authored
      Pull smb server fixes from Steve French:
      
       - small cleanup patches leveraging struct size to improve access bounds checking
      
      * tag 'v6.12-rc1-ksmbd-fixes' of git://git.samba.org/ksmbd:
        ksmbd: Use struct_size() to improve smb_direct_rdma_xmit()
        ksmbd: Annotate struct copychunk_ioctl_req with __counted_by_le()
        ksmbd: Use struct_size() to improve get_file_alternate_info()
      9c02404b
    • Linus Torvalds's avatar
      Merge tag 'vfs-6.12-rc2.fixes.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs · 20c2474f
      Linus Torvalds authored
      Pull vfs fixes from Christian Brauner:
       "vfs:
      
         - Ensure that iter_folioq_get_pages() advances to the next slot
           otherwise it will end up using the same folio with an out-of-bound
           offset.
      
        iomap:
      
         - Dont unshare delalloc extents which can't be reflinked, and thus
           can't be shared.
      
         - Constrain the file range passed to iomap_file_unshare() directly in
           iomap instead of requiring the callers to do it.
      
        netfs:
      
         - Use folioq_count instead of folioq_nr_slot to prevent an
           unitialized value warning in netfs_clear_buffer().
      
         - Fix missing wakeup after issuing writes by scheduling the write
           collector only if all the subrequest queues are empty and thus no
           writes are pending.
      
         - Fix two minor documentation bugs"
      
      * tag 'vfs-6.12-rc2.fixes.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
        iomap: constrain the file range passed to iomap_file_unshare
        iomap: don't bother unsharing delalloc extents
        netfs: Fix missing wakeup after issuing writes
        Documentation: add missing folio_queue entry
        folio_queue: fix documentation
        netfs: Fix a KMSAN uninit-value error in netfs_clear_buffer
        iov_iter: fix advancing slot in iter_folioq_get_pages()
      20c2474f
    • Xin Long's avatar
      sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start · 8beee4d8
      Xin Long authored
      In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
      sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
      
      Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
      is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
      be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
      is NULL.
      
        KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
        RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
        Call Trace:
         <TASK>
         __sys_listen_socket net/socket.c:1883 [inline]
         __sys_listen+0x1b7/0x230 net/socket.c:1894
         __do_sys_listen net/socket.c:1902 [inline]
      
      Fixes: 5e8f3f70 ("sctp: simplify sctp listening code")
      Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      8beee4d8
    • Ravikanth Tuniki's avatar
      dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems · c6929644
      Ravikanth Tuniki authored
      Add missing reg minItems as based on current binding document
      only ethernet MAC IO space is a supported configuration.
      
      There is a bug in schema, current examples contain 64-bit
      addressing as well as 32-bit addressing. The schema validation
      does pass incidentally considering one 64-bit reg address as
      two 32-bit reg address entries. If we change axi_ethernet_eth1
      example node reg addressing to 32-bit schema validation reports:
      
      Documentation/devicetree/bindings/net/xlnx,axi-ethernet.example.dtb:
      ethernet@40000000: reg: [[1073741824, 262144]] is too short
      
      To fix it add missing reg minItems constraints and to make things clearer
      stick to 32-bit addressing in examples.
      
      Fixes: cbb1ca6d ("dt-bindings: net: xlnx,axi-ethernet: convert bindings document to yaml")
      Signed-off-by: default avatarRavikanth Tuniki <ravikanth.tuniki@amd.com>
      Signed-off-by: default avatarRadhey Shyam Pandey <radhey.shyam.pandey@amd.com>
      Acked-by: default avatarConor Dooley <conor.dooley@microchip.com>
      Link: https://patch.msgid.link/1727723615-2109795-1-git-send-email-radhey.shyam.pandey@amd.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c6929644
    • Sean Anderson's avatar
      doc: net: napi: Update documentation for napi_schedule_irqoff · b63ad06d
      Sean Anderson authored
      Since commit 8380c81d ("net: Treat __napi_schedule_irqoff() as
      __napi_schedule() on PREEMPT_RT"), napi_schedule_irqoff will do the
      right thing if IRQs are threaded. Therefore, there is no need to use
      IRQF_NO_THREAD.
      Signed-off-by: default avatarSean Anderson <sean.anderson@linux.dev>
      Reviewed-by: default avatarBagas Sanjaya <bagasdotme@gmail.com>
      Reviewed-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Link: https://patch.msgid.link/20240930153955.971657-1-sean.anderson@linux.devSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b63ad06d
    • Paolo Abeni's avatar
      Merge tag 'nf-24-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 1127c73a
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Fix incorrect documentation in uapi/linux/netfilter/nf_tables.h
         regarding flowtable hooks, from Phil Sutter.
      
      2) Fix nft_audit.sh selftests with newer nft binaries, due to different
         (valid) audit output, also from Phil.
      
      3) Disable BH when duplicating packets via nf_dup infrastructure,
         otherwise race on nf_skb_duplicated for locally generated traffic.
         From Eric.
      
      4) Missing return in callback of selftest C program, from zhang jiao.
      
      netfilter pull request 24-10-02
      
      * tag 'nf-24-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        selftests: netfilter: Add missing return value
        netfilter: nf_tables: prevent nf_skb_duplicated corruption
        selftests: netfilter: Fix nft_audit.sh for newer nft binaries
        netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
      ====================
      
      Link: https://patch.msgid.link/20241002202421.1281311-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      1127c73a
    • Darrick J. Wong's avatar
      iomap: constrain the file range passed to iomap_file_unshare · a311a08a
      Darrick J. Wong authored
      File contents can only be shared (i.e. reflinked) below EOF, so it makes
      no sense to try to unshare ranges beyond EOF.  Constrain the file range
      parameters here so that we don't have to do that in the callers.
      
      Fixes: 5f4e5752 ("fs: add iomap_file_dirty")
      Signed-off-by: default avatarDarrick J. Wong <djwong@kernel.org>
      Link: https://lore.kernel.org/r/20241002150213.GC21853@frogsfrogsfrogsReviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
      a311a08a
    • Darrick J. Wong's avatar
      iomap: don't bother unsharing delalloc extents · f7a4874d
      Darrick J. Wong authored
      If unshare encounters a delalloc reservation in the srcmap, that means
      that the file range isn't shared because delalloc reservations cannot be
      reflinked.  Therefore, don't try to unshare them.
      Signed-off-by: default avatarDarrick J. Wong <djwong@kernel.org>
      Link: https://lore.kernel.org/r/20241002150040.GB21853@frogsfrogsfrogsReviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
      f7a4874d
    • Eddie James's avatar
      net/ncsi: Disable the ncsi work before freeing the associated structure · a0ffa68c
      Eddie James authored
      The work function can run after the ncsi device is freed, resulting
      in use-after-free bugs or kernel panic.
      
      Fixes: 2d283bdd ("net/ncsi: Resource management")
      Signed-off-by: default avatarEddie James <eajames@linux.ibm.com>
      Link: https://patch.msgid.link/20240925155523.1017097-1-eajames@linux.ibm.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a0ffa68c
    • Patrick Donnelly's avatar
      ceph: fix cap ref leak via netfs init_request · ccda9910
      Patrick Donnelly authored
      Log recovered from a user's cluster:
      
          <7>[ 5413.970692] ceph:  get_cap_refs 00000000958c114b ret 1 got Fr
          <7>[ 5413.970695] ceph:  start_read 00000000958c114b, no cache cap
          ...
          <7>[ 5473.934609] ceph:   my wanted = Fr, used = Fr, dirty -
          <7>[ 5473.934616] ceph:  revocation: pAsLsXsFr -> pAsLsXs (revoking Fr)
          <7>[ 5473.934632] ceph:  __ceph_caps_issued 00000000958c114b cap 00000000f7784259 issued pAsLsXs
          <7>[ 5473.934638] ceph:  check_caps 10000000e68.fffffffffffffffe file_want - used Fr dirty - flushing - issued pAsLsXs revoking Fr retain pAsLsXsFsr  AUTHONLY NOINVAL FLUSH_FORCE
      
      The MDS subsequently complains that the kernel client is late releasing
      caps.
      
      Approximately, a series of changes to this code by commits 49870056
      ("ceph: convert ceph_readpages to ceph_readahead"), 2de16041
      ("netfs: Change ->init_request() to return an error code") and
      a5c9dc44 ("ceph: Make ceph_init_request() check caps on readahead")
      resulted in subtle resource cleanup to be missed. The main culprit is
      the change in error handling in 2de16041 which meant that a failure
      in init_request() would no longer cause cleanup to be called. That
      would prevent the ceph_put_cap_refs() call which would cleanup the
      leaked cap ref.
      
      Cc: stable@vger.kernel.org
      Fixes: a5c9dc44 ("ceph: Make ceph_init_request() check caps on readahead")
      Link: https://tracker.ceph.com/issues/67008Signed-off-by: default avatarPatrick Donnelly <pdonnell@redhat.com>
      Reviewed-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      ccda9910
    • Thorsten Blum's avatar
      ceph: use struct_size() helper in __ceph_pool_perm_get() · 7264745d
      Thorsten Blum authored
      Use struct_size() to calculate the number of bytes to be allocated.
      Signed-off-by: default avatarThorsten Blum <thorsten.blum@toblux.com>
      Reviewed-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      7264745d
    • FUJITA Tomonori's avatar
      net: phy: qt2025: Fix warning: unused import DeviceId · fa7dfeae
      FUJITA Tomonori authored
      Fix the following warning when the driver is compiled as built-in:
      
            warning: unused import: `DeviceId`
            --> drivers/net/phy/qt2025.rs:18:5
            |
         18 |     DeviceId, Driver,
            |     ^^^^^^^^
            |
            = note: `#[warn(unused_imports)]` on by default
      
      device_table in module_phy_driver macro is defined only when the
      driver is built as a module. Use phy::DeviceId in the macro instead of
      importing `DeviceId` since `phy` is always used.
      
      Fixes: fd3eaad8 ("net: phy: add Applied Micro QT2025 PHY driver")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202409190717.i135rfVo-lkp@intel.com/Reviewed-by: default avatarAlice Ryhl <aliceryhl@google.com>
      Reviewed-by: default avatarTrevor Gross <tmgross@umich.edu>
      Signed-off-by: default avatarFUJITA Tomonori <fujita.tomonori@gmail.com>
      Reviewed-by: default avatarFiona Behrens <me@kloenk.dev>
      Acked-by: default avatarMiguel Ojeda <ojeda@kernel.org>
      Link: https://patch.msgid.link/20240926121404.242092-1-fujita.tomonori@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fa7dfeae
    • Willem de Bruijn's avatar
      gso: fix udp gso fraglist segmentation after pull from frag_list · a1e40ac5
      Willem de Bruijn authored
      Detect gso fraglist skbs with corrupted geometry (see below) and
      pass these to skb_segment instead of skb_segment_list, as the first
      can segment them correctly.
      
      Valid SKB_GSO_FRAGLIST skbs
      - consist of two or more segments
      - the head_skb holds the protocol headers plus first gso_size
      - one or more frag_list skbs hold exactly one segment
      - all but the last must be gso_size
      
      Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
      modify these skbs, breaking these invariants.
      
      In extreme cases they pull all data into skb linear. For UDP, this
      causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
      udp_hdr(seg->next)->dest.
      
      Detect invalid geometry due to pull, by checking head_skb size.
      Don't just drop, as this may blackhole a destination. Convert to be
      able to pass to regular skb_segment.
      
      Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
      Fixes: 9fd1ff5d ("udp: Support UDP fraglist GRO/GSO.")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Cc: stable@vger.kernel.org
      Link: https://patch.msgid.link/20241001171752.107580-1-willemdebruijn.kernel@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a1e40ac5
    • Ido Schimmel's avatar
      bridge: mcast: Fail MDB get request on empty entry · 555f45d2
      Ido Schimmel authored
      When user space deletes a port from an MDB entry, the port is removed
      synchronously. If this was the last port in the entry and the entry is
      not joined by the host itself, then the entry is scheduled for deletion
      via a timer.
      
      The above means that it is possible for the MDB get netlink request to
      retrieve an empty entry which is scheduled for deletion. This is
      problematic as after deleting the last port in an entry, user space
      cannot rely on a non-zero return code from the MDB get request as an
      indication that the port was successfully removed.
      
      Fix by returning an error when the entry's port list is empty and the
      entry is not joined by the host.
      
      Fixes: 68b380a3 ("bridge: mcast: Add MDB get support")
      Reported-by: default avatarJamie Bainbridge <jamie.bainbridge@gmail.com>
      Closes: https://lore.kernel.org/netdev/c92569919307749f879b9482b0f3e125b7d9d2e3.1726480066.git.jamie.bainbridge@gmail.com/Tested-by: default avatarJamie Bainbridge <jamie.bainbridge@gmail.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Link: https://patch.msgid.link/20240929123640.558525-1-idosch@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      555f45d2
    • Willem de Bruijn's avatar
      vrf: revert "vrf: Remove unnecessary RCU-bh critical section" · b04c4d9e
      Willem de Bruijn authored
      This reverts commit 504fc6f4.
      
      dev_queue_xmit_nit is expected to be called with BH disabled.
      __dev_queue_xmit has the following:
      
              /* Disable soft irqs for various locks below. Also
               * stops preemption for RCU.
               */
              rcu_read_lock_bh();
      
      VRF must follow this invariant. The referenced commit removed this
      protection. Which triggered a lockdep warning:
      
      	================================
      	WARNING: inconsistent lock state
      	6.11.0 #1 Tainted: G        W
      	--------------------------------
      	inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
      	btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:
      	ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30
      	{IN-SOFTIRQ-W} state was registered at:
      	  lock_acquire+0x19a/0x4f0
      	  _raw_spin_lock+0x27/0x40
      	  packet_rcv+0xa33/0x1320
      	  __netif_receive_skb_core.constprop.0+0xcb0/0x3a90
      	  __netif_receive_skb_list_core+0x2c9/0x890
      	  netif_receive_skb_list_internal+0x610/0xcc0
                [...]
      
      	other info that might help us debug this:
      	 Possible unsafe locking scenario:
      
      	       CPU0
      	       ----
      	  lock(rlock-AF_PACKET);
      	  <Interrupt>
      	    lock(rlock-AF_PACKET);
      
      	 *** DEADLOCK ***
      
      	Call Trace:
      	 <TASK>
      	 dump_stack_lvl+0x73/0xa0
      	 mark_lock+0x102e/0x16b0
      	 __lock_acquire+0x9ae/0x6170
      	 lock_acquire+0x19a/0x4f0
      	 _raw_spin_lock+0x27/0x40
      	 tpacket_rcv+0x863/0x3b30
      	 dev_queue_xmit_nit+0x709/0xa40
      	 vrf_finish_direct+0x26e/0x340 [vrf]
      	 vrf_l3_out+0x5f4/0xe80 [vrf]
      	 __ip_local_out+0x51e/0x7a0
                [...]
      
      Fixes: 504fc6f4 ("vrf: Remove unnecessary RCU-bh critical section")
      Link: https://lore.kernel.org/netdev/20240925185216.1990381-1-greearb@candelatech.com/Reported-by: default avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Tested-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://patch.msgid.link/20240929061839.1175300-1-willemdebruijn.kernel@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b04c4d9e
    • Dan Carpenter's avatar
      net: ethernet: ti: am65-cpsw: Fix forever loop in cleanup code · 3c97fe4f
      Dan Carpenter authored
      This error handling has a typo.  It should i++ instead of i--.  In the
      original code the error handling will loop until it crashes.
      
      Fixes: da70d184 ("net: ethernet: ti: am65-cpsw: Introduce multi queue Rx")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: default avatarAlexander Sverdlin <alexander.sverdlin@siemens.com>
      Reviewed-by: default avatarRoger Quadros <rogerq@kernel.org>
      Link: https://patch.msgid.link/8e7960cc-415d-48d7-99ce-f623022ec7b5@stanley.mountainSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3c97fe4f
    • Hui Wang's avatar
      net: phy: realtek: Check the index value in led_hw_control_get · c283782f
      Hui Wang authored
      Just like rtl8211f_led_hw_is_supported() and
      rtl8211f_led_hw_control_set(), the rtl8211f_led_hw_control_get() also
      needs to check the index value, otherwise the caller is likely to get
      an incorrect rules.
      
      Fixes: 17784801 ("net: phy: realtek: Add support for PHY LEDs on RTL8211F")
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Reviewed-by: default avatarMarek Vasut <marex@denx.de>
      Link: https://patch.msgid.link/20240927114610.1278935-1-hui.wang@canonical.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c283782f
    • Eric Dumazet's avatar
      ppp: do not assume bh is held in ppp_channel_bridge_input() · aec72910
      Eric Dumazet authored
      Networking receive path is usually handled from BH handler.
      However, some protocols need to acquire the socket lock, and
      packets might be stored in the socket backlog is the socket was
      owned by a user process.
      
      In this case, release_sock(), __release_sock(), and sk_backlog_rcv()
      might call the sk->sk_backlog_rcv() handler in process context.
      
      sybot caught ppp was not considering this case in
      ppp_channel_bridge_input() :
      
      WARNING: inconsistent lock state
      6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
      --------------------------------
      inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:
       ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
       ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
       ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
      {SOFTIRQ-ON-W} state was registered at:
         lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
         __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
         _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
         spin_lock include/linux/spinlock.h:351 [inline]
         ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
         ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
         pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
         sk_backlog_rcv include/net/sock.h:1111 [inline]
         __release_sock+0x1a8/0x3d8 net/core/sock.c:3004
         release_sock+0x68/0x1b8 net/core/sock.c:3558
         pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
         sock_sendmsg_nosec net/socket.c:730 [inline]
         __sock_sendmsg net/socket.c:745 [inline]
         __sys_sendto+0x374/0x4f4 net/socket.c:2204
         __do_sys_sendto net/socket.c:2216 [inline]
         __se_sys_sendto net/socket.c:2212 [inline]
         __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212
         __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
         invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
         el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
         do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
         el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
         el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
         el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
      irq event stamp: 282914
       hardirqs last  enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
       hardirqs last  enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
       hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
       hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
       softirqs last  enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]
       softirqs last  enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
       softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&pch->downl);
        <Interrupt>
          lock(&pch->downl);
      
       *** DEADLOCK ***
      
      1 lock held by ksoftirqd/1/24:
        #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325
      
      stack backtrace:
      CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
      Call trace:
        dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
        show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
        __dump_stack lib/dump_stack.c:93 [inline]
        dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
        dump_stack+0x1c/0x28 lib/dump_stack.c:128
        print_usage_bug+0x698/0x9ac kernel/locking/lockdep.c:4000
       mark_lock_irq+0x980/0xd2c
        mark_lock+0x258/0x360 kernel/locking/lockdep.c:4677
        __lock_acquire+0xf48/0x779c kernel/locking/lockdep.c:5096
        lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
        __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
        _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
        spin_lock include/linux/spinlock.h:351 [inline]
        ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
        ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
        ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495
        tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785
        tasklet_action+0x68/0x8c kernel/softirq.c:811
        handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
        run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
        smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
        kthread+0x288/0x310 kernel/kthread.c:389
        ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
      
      Fixes: 4cf476ce ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls")
      Reported-by: syzbot+bd8d55ee2acd0a71d8ce@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/netdev/66f661e2.050a0220.38ace9.000f.GAE@google.com/T/#uSigned-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Tom Parkin <tparkin@katalix.com>
      Cc: James Chapman <jchapman@katalix.com>
      Link: https://patch.msgid.link/20240927074553.341910-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aec72910
    • Hangbin Liu's avatar
      selftests: rds: move include.sh to TEST_FILES · 8ed7cf66
      Hangbin Liu authored
      The include.sh file is generated for inclusion and should not be executable.
      Otherwise, it will be added to kselftest-list.txt. Additionally, add the
      executable bit for test.py at the same time to ensure proper functionality.
      
      Fixes: 3ade6ce1 ("selftests: rds: add testing infrastructure")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Link: https://patch.msgid.link/20240927041349.81216-1-liuhangbin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8ed7cf66
    • Eric Dumazet's avatar
      net: test for not too small csum_start in virtio_net_hdr_to_skb() · 49d14b54
      Eric Dumazet authored
      syzbot was able to trigger this warning [1], after injecting a
      malicious packet through af_packet, setting skb->csum_start and thus
      the transport header to an incorrect value.
      
      We can at least make sure the transport header is after
      the end of the network header (with a estimated minimal size).
      
      [1]
      [   67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0
      mac=(-1,-1) mac_len=0 net=(16,-6) trans=10
      shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
      csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0)
      hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0
      priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0
      encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
      [   67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9
      [   67.877764] sk family=17 type=3 proto=0
      [   67.878279] skb linear:   00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00
      [   67.879128] skb frag:     00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02
      [   67.879877] skb frag:     00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.880647] skb frag:     00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00
      [   67.881156] skb frag:     00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.881753] skb frag:     00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.882173] skb frag:     00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.882790] skb frag:     00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.883171] skb frag:     00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.883733] skb frag:     00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.884206] skb frag:     00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e
      [   67.884704] skb frag:     000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00
      [   67.885139] skb frag:     000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.885677] skb frag:     000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.886042] skb frag:     000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.886408] skb frag:     000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.887020] skb frag:     000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.887384] skb frag:     00000100: 00 00
      [   67.887878] ------------[ cut here ]------------
      [   67.887908] offset (-6) >= skb_headlen() (14)
      [   67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs
      [   67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011
      [   67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
      [   67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.891043] Call Trace:
      [   67.891173]  <TASK>
      [   67.891274] ? __warn (kernel/panic.c:741)
      [   67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)
      [   67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)
      [   67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
      [   67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
      [   67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))
      [   67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 net/ipv4/ip_output.c:113)
      [   67.891459] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200)
      [   67.891470] ? ip_route_output_flow (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:96 (discriminator 13) ./include/linux/rcupdate.h:871 (discriminator 13) net/ipv4/route.c:2625 (discriminator 13) ./include/net/route.h:141 (discriminator 13) net/ipv4/route.c:2852 (discriminator 13))
      [   67.891484] ipvlan_process_v4_outbound (drivers/net/ipvlan/ipvlan_core.c:445 (discriminator 1))
      [   67.891581] ipvlan_queue_xmit (drivers/net/ipvlan/ipvlan_core.c:542 drivers/net/ipvlan/ipvlan_core.c:604 drivers/net/ipvlan/ipvlan_core.c:670)
      [   67.891596] ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:227)
      [   67.891607] dev_hard_start_xmit (./include/linux/netdevice.h:4916 ./include/linux/netdevice.h:4925 net/core/dev.c:3588 net/core/dev.c:3604)
      [   67.891620] __dev_queue_xmit (net/core/dev.h:168 (discriminator 25) net/core/dev.c:4425 (discriminator 25))
      [   67.891630] ? skb_copy_bits (./include/linux/uaccess.h:233 (discriminator 1) ./include/linux/uaccess.h:260 (discriminator 1) ./include/linux/highmem-internal.h:230 (discriminator 1) net/core/skbuff.c:3018 (discriminator 1))
      [   67.891645] ? __pskb_pull_tail (net/core/skbuff.c:2848 (discriminator 4))
      [   67.891655] ? skb_partial_csum_set (net/core/skbuff.c:5657)
      [   67.891666] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/skbuff.h:2791 (discriminator 3) ./include/linux/skbuff.h:2799 (discriminator 3) ./include/linux/virtio_net.h:109 (discriminator 3))
      [   67.891684] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
      [   67.891700] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
      [   67.891716] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
      [   67.891734] ? do_sock_setsockopt (net/socket.c:2335)
      [   67.891747] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
      [   67.891761] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
      [   67.891772] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
      [   67.891785] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
      
      Fixes: 9181d6f8 ("net: add more sanity check in virtio_net_hdr_to_skb()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://patch.msgid.link/20240926165836.3797406-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      49d14b54
    • Felix Fietkau's avatar
      net: gso: fix tcp fraglist segmentation after pull from frag_list · 17bd3bd8
      Felix Fietkau authored
      Detect tcp gso fraglist skbs with corrupted geometry (see below) and
      pass these to skb_segment instead of skb_segment_list, as the first
      can segment them correctly.
      
      Valid SKB_GSO_FRAGLIST skbs
      - consist of two or more segments
      - the head_skb holds the protocol headers plus first gso_size
      - one or more frag_list skbs hold exactly one segment
      - all but the last must be gso_size
      
      Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
      modify these skbs, breaking these invariants.
      
      In extreme cases they pull all data into skb linear. For TCP, this
      causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at
      tcp_hdr(seg->next).
      
      Detect invalid geometry due to pull, by checking head_skb size.
      Don't just drop, as this may blackhole a destination. Convert to be
      able to pass to regular skb_segment.
      
      Approach and description based on a patch by Willem de Bruijn.
      
      Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
      Link: https://lore.kernel.org/netdev/20240922150450.3873767-1-willemdebruijn.kernel@gmail.com/
      Fixes: bee88cd5 ("net: add support for segmenting TCP fraglist GSO packets")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://patch.msgid.link/20240926085315.51524-1-nbd@nbd.nameSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      17bd3bd8
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2024-09-25' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 854e9bf5
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2024-09-25
      
      * tag 'mlx5-fixes-2024-09-25' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
        net/mlx5e: SHAMPO, Fix overflow of hd_per_wq
        net/mlx5: HWS, changed E2BIG error to a negative return code
        net/mlx5: HWS, fixed double-free in error flow of creating SQ
        net/mlx5: Fix wrong reserved field in hca_cap_2 in mlx5_ifc
        net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
        net/mlx5: Added cond_resched() to crdump collection
        net/mlx5: Fix error path in multi-packet WQE transmit
      ====================
      
      Link: https://patch.msgid.link/20240925202013.45374-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      854e9bf5
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2024-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · e5e3f369
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()
       - MGMT: Fix possible crash on mgmt_index_removed
       - L2CAP: Fix uaf in l2cap_connect
       - Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
      
      * tag 'for-net-2024-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
        Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()
        Bluetooth: L2CAP: Fix uaf in l2cap_connect
        Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
      ====================
      
      Link: https://patch.msgid.link/20240927145730.2452175-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e5e3f369
    • Jakub Kicinski's avatar
      Merge tag 'ieee802154-for-net-2024-09-27' of... · cb3ad113
      Jakub Kicinski authored
      Merge tag 'ieee802154-for-net-2024-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan
      
      Stefan Schmidt says:
      
      ====================
      pull-request: ieee802154 for net 2024-09-27
      
      Jinjie Ruan added the use of IRQF_NO_AUTOEN in the mcr20a driver and fixed
      and addiotinal build dependency problem while doing so.
      
      Jiawei Ye, ensured a correct RCU handling in mac802154_scan_worker.
      
      * tag 'ieee802154-for-net-2024-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan:
        net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()
        mac802154: Fix potential RCU dereference issue in mac802154_scan_worker
        ieee802154: Fix build error
      ====================
      
      Link: https://patch.msgid.link/20240927094351.3865511-1-stefan@datenfreihafen.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cb3ad113
  3. 02 Oct, 2024 3 commits
    • Linus Torvalds's avatar
      Merge tag 'pull-work.unaligned' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 7ec46210
      Linus Torvalds authored
      Pull generic unaligned.h cleanups from Al Viro:
       "Get rid of architecture-specific <asm/unaligned.h> includes, replacing
        them with a single generic <linux/unaligned.h> header file.
      
        It's the second largest (after asm/io.h) class of asm/* includes, and
        all but two architectures actually end up using exact same file.
      
        Massage the remaining two (arc and parisc) to do the same and just
        move the thing to from asm-generic/unaligned.h to linux/unaligned.h"
      
      [ This is one of those things that we're better off doing outside the
        merge window, and would only cause extra conflict noise if it was in
        linux-next for the next release due to all the trivial #include line
        updates.  Rip off the band-aid.   - Linus ]
      
      * tag 'pull-work.unaligned' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        move asm/unaligned.h to linux/unaligned.h
        arc: get rid of private asm/unaligned.h
        parisc: get rid of private asm/unaligned.h
      7ec46210
    • Shen Lichuan's avatar
      smb: client: Correct typos in multiple comments across various files · e9f49fee
      Shen Lichuan authored
      Fixed some confusing typos that were currently identified witch codespell,
      the details are as follows:
      
      -in the code comments:
      fs/smb/client/cifsacl.h:58: inheritence ==> inheritance
      fs/smb/client/cifsencrypt.c:242: origiginal ==> original
      fs/smb/client/cifsfs.c:164: referece ==> reference
      fs/smb/client/cifsfs.c:292: ned ==> need
      fs/smb/client/cifsglob.h:779: initital ==> initial
      fs/smb/client/cifspdu.h:784: altetnative ==> alternative
      fs/smb/client/cifspdu.h:2409: conrol ==> control
      fs/smb/client/cifssmb.c:1218: Expirement ==> Experiment
      fs/smb/client/cifssmb.c:3021: conver ==> convert
      fs/smb/client/cifssmb.c:3998: asterik ==> asterisk
      fs/smb/client/file.c:2505: useable ==> usable
      fs/smb/client/fs_context.h:263: timemout ==> timeout
      fs/smb/client/misc.c:257: responsbility ==> responsibility
      fs/smb/client/netmisc.c:1006: divisable ==> divisible
      fs/smb/client/readdir.c:556: endianess ==> endianness
      fs/smb/client/readdir.c:818: bu ==> by
      fs/smb/client/smb2ops.c:2180: snaphots ==> snapshots
      fs/smb/client/smb2ops.c:3586: otions ==> options
      fs/smb/client/smb2pdu.c:2979: timestaps ==> timestamps
      fs/smb/client/smb2pdu.c:4574: memmory ==> memory
      fs/smb/client/smb2transport.c:699: origiginal ==> original
      fs/smb/client/smbdirect.c:222: happenes ==> happens
      fs/smb/client/smbdirect.c:1347: registartions ==> registrations
      fs/smb/client/smbdirect.h:114: accoutning ==> accounting
      Signed-off-by: default avatarShen Lichuan <shenlichuan@vivo.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      e9f49fee
    • Al Viro's avatar
      move asm/unaligned.h to linux/unaligned.h · 5f60d5f6
      Al Viro authored
      asm/unaligned.h is always an include of asm-generic/unaligned.h;
      might as well move that thing to linux/unaligned.h and include
      that - there's nothing arch-specific in that header.
      
      auto-generated by the following:
      
      for i in `git grep -l -w asm/unaligned.h`; do
      	sed -i -e "s/asm\/unaligned.h/linux\/unaligned.h/" $i
      done
      for i in `git grep -l -w asm-generic/unaligned.h`; do
      	sed -i -e "s/asm-generic\/unaligned.h/linux\/unaligned.h/" $i
      done
      git mv include/asm-generic/unaligned.h include/linux/unaligned.h
      git mv tools/include/asm-generic/unaligned.h tools/include/linux/unaligned.h
      sed -i -e "/unaligned.h/d" include/asm-generic/Kbuild
      sed -i -e "s/__ASM_GENERIC/__LINUX/" include/linux/unaligned.h tools/include/linux/unaligned.h
      5f60d5f6