Vladimir Oltean [Sun, 7 Mar 2021 10:21:56 +0000 (12:21 +0200)]
net: dsa: fix switchdev objects on bridge master mistakenly being applied on ports
Tobias reports that after the blamed patch, VLAN objects being added to
a bridge device are being added to all slave ports instead (swp2, swp3).
ip link add br0 type bridge vlan_filtering 1
ip link set swp2 master br0
ip link set swp3 master br0
bridge vlan add dev br0 vid 100 self
This is because the fix was too broad: we made dsa_port_offloads_netdev
say "yes, I offload the br0 bridge" for all slave ports, but we didn't
add the checks whether the switchdev object was in fact meant for the
physical port or for the bridge itself. So we are reacting on events in
a way in which we shouldn't.
The reason why the fix was too broad is because the question itself,
"does this DSA port offload this netdev", was too broad in the first
place. The solution is to disambiguate the question and separate it into
two different functions, one to be called for each switchdev attribute /
object that has an orig_dev == net_bridge (dsa_port_offloads_bridge),
and the other for orig_dev == net_bridge_port (*_offloads_bridge_port).
In the case of VLAN objects on the bridge interface, this solves the
problem because we know that VLAN objects are per bridge port and not
per bridge. And when orig_dev is equal to the net_bridge, we offload it
as a bridge, but not as a bridge port; that's how we are able to skip
reacting on those events. Note that this is compatible with future plans
to have explicit offloading of VLAN objects on the bridge interface as a
bridge port (in DSA, this signifies that we should add that VLAN towards
the CPU port).
Fixes:
99b8202b179f ("net: dsa: fix SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING getting ignored")
Reported-by: Tobias Waldekranz <tobias@waldekranz.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Tobias Waldekranz <tobias@waldekranz.com>
Tested-by: Tobias Waldekranz <tobias@waldekranz.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jia-Ju Bai [Sun, 7 Mar 2021 09:12:56 +0000 (01:12 -0800)]
net: wan: fix error return code of uhdlc_init()
When priv->rx_skbuff or priv->tx_skbuff is NULL, no error return code of
uhdlc_init() is assigned.
To fix this bug, ret is assigned with -ENOMEM in these cases.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jia-Ju Bai [Sun, 7 Mar 2021 08:40:12 +0000 (00:40 -0800)]
net: hisilicon: hns: fix error return code of hns_nic_clear_all_rx_fetch()
When hns_assemble_skb() returns NULL to skb, no error return code of
hns_nic_clear_all_rx_fetch() is assigned.
To fix this bug, ret is assigned with -ENOMEM in this case.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Grant Grundler [Sat, 6 Mar 2021 22:12:32 +0000 (14:12 -0800)]
net: usb: log errors to dmesg/syslog
Errors in protocol should be logged when the driver aborts operations.
If the driver can carry on and "humor" the device, then emitting
the message as debug output level is fine.
Signed-off-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Grant Grundler [Sat, 6 Mar 2021 22:12:31 +0000 (14:12 -0800)]
net: usb: cdc_ncm: emit dev_err on error paths
Several error paths in bind/probe code will only emit
output using dev_dbg. But if we are going to fail the
bind/probe, emit related output with "err" priority.
Signed-off-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bhaskar Chowdhury [Sat, 6 Mar 2021 21:20:28 +0000 (02:50 +0530)]
net: ethernet: chelsio: inline_crypto: Mundane typos fixed throughout the file chcr_ktls.c
Mundane typos fixes throughout the file.
s/establised/established/
s/availbale/available/
s/vaues/values/
s/Incase/In case/
Signed-off-by: Bhaskar Chowdhury <unixbhaskar@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Philipp Zabel [Fri, 5 Mar 2021 09:14:48 +0000 (10:14 +0100)]
net: dsa: bcm_sf2: simplify optional reset handling
As of commit
bb475230b8e5 ("reset: make optional functions really
optional"), the reset framework API calls use NULL pointers to describe
optional, non-present reset controls.
This allows to unconditionally return errors from
devm_reset_control_get_optional_exclusive.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sun, 7 Mar 2021 01:02:40 +0000 (17:02 -0800)]
Merge git://git./pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for net:
1) Fix incorrect enum type definition in nfnetlink_cthelper UAPI,
from Dmitry V. Levin.
2) Remove extra space in deprecated automatic helper assignment
notice, from Klemen Košir.
3) Drop early socket demux socket after NAT mangling, from
Florian Westphal. Add a test to exercise this bug.
4) Fix bogus invalid packet report in the conntrack TCP tracker,
also from Florian.
5) Fix access to xt[NFPROTO_UNSPEC] list with no mutex
in target/match_revfn(), from Vasily Averin.
6) Disallow updates on the table ownership flag.
7) Fix double hook unregistration of tables with owner.
8) Remove bogus check on the table owner in __nft_release_tables().
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Jakub Kicinski [Fri, 5 Mar 2021 22:17:29 +0000 (14:17 -0800)]
ethernet: alx: fix order of calls on resume
netif_device_attach() will unpause the queues so we can't call
it before __alx_open(). This went undetected until
commit
b0999223f224 ("alx: add ability to allocate and free
alx_napi structures") but now if stack tries to xmit immediately
on resume before __alx_open() we'll crash on the NAPI being null:
BUG: kernel NULL pointer dereference, address:
0000000000000198
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G OE 5.10.0-3-amd64 #1 Debian 5.10.13-1
Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77-D3H, BIOS F15 11/14/2013
RIP: 0010:alx_start_xmit+0x34/0x650 [alx]
Code: 41 56 41 55 41 54 55 53 48 83 ec 20 0f b7 57 7c 8b 8e b0
0b 00 00 39 ca 72 06 89 d0 31 d2 f7 f1 89 d2 48 8b 84 df
RSP: 0018:
ffffb09240083d28 EFLAGS:
00010297
RAX:
0000000000000000 RBX:
ffffa04d80ae7800 RCX:
0000000000000004
RDX:
0000000000000000 RSI:
ffffa04d80afa000 RDI:
ffffa04e92e92a00
RBP:
0000000000000042 R08:
0000000000000100 R09:
ffffa04ea3146700
R10:
0000000000000014 R11:
0000000000000000 R12:
ffffa04e92e92100
R13:
0000000000000001 R14:
ffffa04e92e92a00 R15:
ffffa04e92e92a00
FS:
0000000000000000(0000) GS:
ffffa0508f600000(0000) knlGS:
0000000000000000
i915 0000:00:02.0: vblank wait timed out on crtc 0
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000198 CR3:
000000004460a001 CR4:
00000000001706f0
Call Trace:
dev_hard_start_xmit+0xc7/0x1e0
sch_direct_xmit+0x10f/0x310
Cc: <stable@vger.kernel.org> # 4.9+
Fixes:
bc2bebe8de8e ("alx: remove WoL support")
Reported-by: Zbynek Michl <zbynek.michl@gmail.com>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983595
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Tested-by: Zbynek Michl <zbynek.michl@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
George McCollister [Fri, 5 Mar 2021 22:24:45 +0000 (16:24 -0600)]
lan743x: trim all 4 bytes of the FCS; not just 2
Trim all 4 bytes of the received FCS; not just 2 of them. Leaving 2
bytes of the FCS on the frame breaks DSA tailing tag drivers.
Fixes:
a8db76d40e4d ("lan743x: boost performance on cpu archs w/o dma cache snooping")
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Braun [Thu, 4 Mar 2021 19:52:52 +0000 (20:52 +0100)]
gianfar: fix jumbo packets+napi+rx overrun crash
When using jumbo packets and overrunning rx queue with napi enabled,
the following sequence is observed in gfar_add_rx_frag:
| lstatus | | skb |
t | lstatus, size, flags | first | len, data_len, *ptr |
---+--------------------------------------+-------+-----------------------+
13 |
18002348, 9032, INTERRUPT LAST | 0 | 9600, 8000,
f554c12e |
12 |
10000640, 1600, INTERRUPT | 0 | 8000, 6400,
f554c12e |
11 |
10000640, 1600, INTERRUPT | 0 | 6400, 4800,
f554c12e |
10 |
10000640, 1600, INTERRUPT | 0 | 4800, 3200,
f554c12e |
09 |
10000640, 1600, INTERRUPT | 0 | 3200, 1600,
f554c12e |
08 |
14000640, 1600, INTERRUPT FIRST | 0 | 1600, 0,
f554c12e |
07 |
14000640, 1600, INTERRUPT FIRST | 1 | 0, 0,
f554c12e |
06 |
1c000080, 128, INTERRUPT LAST FIRST | 1 | 0, 0,
abf3bd6e |
05 |
18002348, 9032, INTERRUPT LAST | 0 | 8000, 6400,
c5a57780 |
04 |
10000640, 1600, INTERRUPT | 0 | 6400, 4800,
c5a57780 |
03 |
10000640, 1600, INTERRUPT | 0 | 4800, 3200,
c5a57780 |
02 |
10000640, 1600, INTERRUPT | 0 | 3200, 1600,
c5a57780 |
01 |
10000640, 1600, INTERRUPT | 0 | 1600, 0,
c5a57780 |
00 |
14000640, 1600, INTERRUPT FIRST | 1 | 0, 0,
c5a57780 |
So at t=7 a new packets is started but not finished, probably due to rx
overrun - but rx overrun is not indicated in the flags. Instead a new
packets starts at t=8. This results in skb->len to exceed size for the LAST
fragment at t=13 and thus a negative fragment size added to the skb.
This then crashes:
kernel BUG at include/linux/skbuff.h:2277!
Oops: Exception in kernel mode, sig: 5 [#1]
...
NIP [
c04689f4] skb_pull+0x2c/0x48
LR [
c03f62ac] gfar_clean_rx_ring+0x2e4/0x844
Call Trace:
[
ec4bfd38] [
c06a84c4] _raw_spin_unlock_irqrestore+0x60/0x7c (unreliable)
[
ec4bfda8] [
c03f6a44] gfar_poll_rx_sq+0x48/0xe4
[
ec4bfdc8] [
c048d504] __napi_poll+0x54/0x26c
[
ec4bfdf8] [
c048d908] net_rx_action+0x138/0x2c0
[
ec4bfe68] [
c06a8f34] __do_softirq+0x3a4/0x4fc
[
ec4bfed8] [
c0040150] run_ksoftirqd+0x58/0x70
[
ec4bfee8] [
c0066ecc] smpboot_thread_fn+0x184/0x1cc
[
ec4bff08] [
c0062718] kthread+0x140/0x144
[
ec4bff38] [
c0012350] ret_from_kernel_thread+0x14/0x1c
This patch fixes this by checking for computed LAST fragment size, so a
negative sized fragment is never added.
In order to prevent the newer rx frame from getting corrupted, the FIRST
flag is checked to discard the incomplete older frame.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Efremov [Fri, 5 Mar 2021 17:02:12 +0000 (20:02 +0300)]
sun/niu: fix wrong RXMAC_BC_FRM_CNT_COUNT count
RXMAC_BC_FRM_CNT_COUNT added to mp->rx_bcasts twice in a row
in niu_xmac_interrupt(). Remove the second addition.
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Efremov [Fri, 5 Mar 2021 16:26:22 +0000 (19:26 +0300)]
net/hamradio/6pack: remove redundant check in sp_encaps()
"len > sp->mtu" checked twice in a row in sp_encaps().
Remove the second check.
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hayes Wang [Fri, 5 Mar 2021 09:34:41 +0000 (17:34 +0800)]
r8169: fix r8168fp_adjust_ocp_cmd function
The (0xBAF70000 & 0x00FFF000) << 6 should be (0xf70 << 18).
Fixes:
561535b0f239 ("r8169: fix OCP access on RTL8117")
Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Acked-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Xu Wang [Fri, 5 Mar 2021 09:33:06 +0000 (09:33 +0000)]
selftest/net/ipsec.c: Remove unneeded semicolon
fix semicolon.cocci warning:
tools/testing/selftests/net/ipsec.c:1788:2-3: Unneeded semicolon
Signed-off-by: Xu Wang <vulab@iscas.ac.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Junlin Yang [Fri, 5 Mar 2021 08:48:39 +0000 (16:48 +0800)]
ibmvnic: remove excessive irqsave
ibmvnic_remove locks multiple spinlocks while disabling interrupts:
spin_lock_irqsave(&adapter->state_lock, flags);
spin_lock_irqsave(&adapter->rwi_lock, flags);
As reported by coccinelle, the second _irqsave() overwrites the value
saved in 'flags' by the first _irqsave(), therefore when the second
_irqrestore() comes,the value in 'flags' is not valid,the value saved
by the first _irqsave() has been lost.
This likely leads to IRQs remaining disabled. So remove the second
_irqsave():
spin_lock_irqsave(&adapter->state_lock, flags);
spin_lock(&adapter->rwi_lock);
Generated by: ./scripts/coccinelle/locks/flags.cocci
./drivers/net/ethernet/ibm/ibmvnic.c:5413:1-18:
ERROR: nested lock+irqsave that reuses flags from line 5404.
Fixes:
4a41c421f367 ("ibmvnic: serialize access to work queue on remove")
Signed-off-by: Junlin Yang <yangjunlin@yulong.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergey Nazarov [Fri, 5 Mar 2021 08:05:54 +0000 (11:05 +0300)]
CIPSO: Fix unaligned memory access in cipso_v4_gentag_hdr
We need to use put_unaligned when writing 32-bit DOI value
in cipso_v4_gentag_hdr to avoid unaligned memory access.
v2: unneeded type cast removed as Ondrej Mosnacek suggested.
Signed-off-by: Sergey Nazarov <s-nazarov@yandex.ru>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wong Vee Khee [Fri, 5 Mar 2021 06:03:42 +0000 (14:03 +0800)]
stmmac: intel: Fixes clock registration error seen for multiple interfaces
Issue seen when enumerating multiple Intel mGbE interfaces in EHL.
[ 6.898141] intel-eth-pci 0000:00:1d.2: enabling device (0000 -> 0002)
[ 6.900971] intel-eth-pci 0000:00:1d.2: Fail to register stmmac-clk
[ 6.906434] intel-eth-pci 0000:00:1d.2: User ID: 0x51, Synopsys ID: 0x52
We fix it by making the clock name to be unique following the format
of stmmac-pci_name(pci_dev) so that we can differentiate the clock for
these Intel mGbE interfaces in EHL platform as follow:
/sys/kernel/debug/clk/stmmac-0000:00:1d.1
/sys/kernel/debug/clk/stmmac-0000:00:1d.2
/sys/kernel/debug/clk/stmmac-0000:00:1e.4
Fixes:
58da0cfa6cf1 ("net: stmmac: create dwmac-intel.c to contain all Intel platform")
Signed-off-by: Wong Vee Khee <vee.khee.wong@intel.com>
Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
Co-developed-by: Ong Boon Leong <boon.leong.ong@intel.com>
Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ong Boon Leong [Fri, 5 Mar 2021 05:49:30 +0000 (13:49 +0800)]
net: stmmac: Fix VLAN filter delete timeout issue in Intel mGBE SGMII
For Intel mGbE controller, MAC VLAN filter delete operation will time-out
if serdes power-down sequence happened first during driver remove() with
below message.
[82294.764958] intel-eth-pci 0000:00:1e.4 eth2: stmmac_dvr_remove: removing driver
[82294.778677] intel-eth-pci 0000:00:1e.4 eth2: Timeout accessing MAC_VLAN_Tag_Filter
[82294.779997] intel-eth-pci 0000:00:1e.4 eth2: failed to kill vid 0081/0
[82294.947053] intel-eth-pci 0000:00:1d.2 eth1: stmmac_dvr_remove: removing driver
[82295.002091] intel-eth-pci 0000:00:1d.1 eth0: stmmac_dvr_remove: removing driver
Therefore, we delay the serdes power-down to be after unregister_netdev()
which triggers the VLAN filter delete.
Fixes:
b9663b7ca6ff ("net: stmmac: Enable SERDES power up/down sequence")
Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jia-Ju Bai [Fri, 5 Mar 2021 03:10:10 +0000 (19:10 -0800)]
net: intel: iavf: fix error return code of iavf_init_get_resources()
When iavf_process_config() fails, no error return code of
iavf_init_get_resources() is assigned.
To fix this bug, err is assigned with the return value of
iavf_process_config(), and then err is checked.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jia-Ju Bai [Fri, 5 Mar 2021 02:06:48 +0000 (18:06 -0800)]
net: tehuti: fix error return code in bdx_probe()
When bdx_read_mac() fails, no error return code of bdx_probe()
is assigned.
To fix this bug, err is assigned with -EFAULT as error return code.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Kevin(Yudong) Yang [Wed, 3 Mar 2021 14:43:54 +0000 (09:43 -0500)]
net/mlx4_en: update moderation when config reset
This patch fixes a bug that the moderation config will not be
applied when calling mlx4_en_reset_config. For example, when
turning on rx timestamping, mlx4_en_reset_config() will be called,
causing the NIC to forget previous moderation config.
This fix is in phase with a previous fix:
commit
79c54b6bbf06 ("net/mlx4_en: Fix TX moderation info loss
after set_ringparam is called")
Tested: Before this patch, on a host with NIC using mlx4, run
netserver and stream TCP to the host at full utilization.
$ sar -I SUM 1
INTR intr/s
14:03:56 sum 48758.00
After rx hwtstamp is enabled:
$ sar -I SUM 1
14:10:38 sum 317771.00
We see the moderation is not working properly and issued 7x more
interrupts.
After the patch, and turned on rx hwtstamp, the rate of interrupts
is as expected:
$ sar -I SUM 1
14:52:11 sum 49332.00
Fixes:
79c54b6bbf06 ("net/mlx4_en: Fix TX moderation info loss after set_ringparam is called")
Signed-off-by: Kevin(Yudong) Yang <yyd@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
CC: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 5 Mar 2021 20:29:36 +0000 (12:29 -0800)]
Merge git://git./pub/scm/linux/kernel/git/bpf/bpf
Alexei Starovoitov says:
====================
pull-request: bpf 2021-03-04
The following pull-request contains BPF updates for your *net* tree.
We've added 7 non-merge commits during the last 4 day(s) which contain
a total of 9 files changed, 128 insertions(+), 40 deletions(-).
The main changes are:
1) Fix 32-bit cmpxchg, from Brendan.
2) Fix atomic+fetch logic, from Ilya.
3) Fix usage of bpf_csum_diff in selftests, from Yauheni.
====================
Brendan Jackman [Fri, 5 Mar 2021 02:56:46 +0000 (18:56 -0800)]
bpf: Explicitly zero-extend R0 after 32-bit cmpxchg
As pointed out by Ilya and explained in the new comment, there's a
discrepancy between x86 and BPF CMPXCHG semantics: BPF always loads
the value from memory into r0, while x86 only does so when r0 and the
value in memory are different. The same issue affects s390.
At first this might sound like pure semantics, but it makes a real
difference when the comparison is 32-bit, since the load will
zero-extend r0/rax.
The fix is to explicitly zero-extend rax after doing such a
CMPXCHG. Since this problem affects multiple archs, this is done in
the verifier by patching in a BPF_ZEXT_REG instruction after every
32-bit cmpxchg. Any archs that don't need such manual zero-extension
can do a look-ahead with insn_is_zext to skip the unnecessary mov.
Note this still goes on top of Ilya's patch:
https://lore.kernel.org/bpf/
20210301154019.129110-1-iii@linux.ibm.com/T/#u
Differences v5->v6[1]:
- Moved is_cmpxchg_insn and ensured it can be safely re-used. Also renamed it
and removed 'inline' to match the style of the is_*_function helpers.
- Fixed up comments in verifier test (thanks for the careful review, Martin!)
Differences v4->v5[1]:
- Moved the logic entirely into opt_subreg_zext_lo32_rnd_hi32, thanks to Martin
for suggesting this.
Differences v3->v4[1]:
- Moved the optimization against pointless zext into the correct place:
opt_subreg_zext_lo32_rnd_hi32 is called _after_ fixup_bpf_calls.
Differences v2->v3[1]:
- Moved patching into fixup_bpf_calls (patch incoming to rename this function)
- Added extra commentary on bpf_jit_needs_zext
- Added check to avoid adding a pointless zext(r0) if there's already one there.
Difference v1->v2[1]: Now solved centrally in the verifier instead of
specifically for the x86 JIT. Thanks to Ilya and Daniel for the suggestions!
[1] v5: https://lore.kernel.org/bpf/CA+i-1C3ytZz6FjcPmUg5s4L51pMQDxWcZNvM86w4RHZ_o2khwg@mail.gmail.com/T/#t
v4: https://lore.kernel.org/bpf/CA+i-1C3ytZz6FjcPmUg5s4L51pMQDxWcZNvM86w4RHZ_o2khwg@mail.gmail.com/T/#t
v3: https://lore.kernel.org/bpf/
08669818-c99d-0d30-e1db-
53160c063611@iogearbox.net/T/#t
v2: https://lore.kernel.org/bpf/
08669818-c99d-0d30-e1db-
53160c063611@iogearbox.net/T/#t
v1: https://lore.kernel.org/bpf/
d7ebaefb-bfd6-a441-3ff2-
2fdfe699b1d2@iogearbox.net/T/#t
Reported-by: Ilya Leoshkevich <iii@linux.ibm.com>
Fixes:
5ffa25502b5a ("bpf: Add instructions for atomic_[cmp]xchg")
Signed-off-by: Brendan Jackman <jackmanb@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Paul Moore [Thu, 4 Mar 2021 21:29:51 +0000 (16:29 -0500)]
cipso,calipso: resolve a number of problems with the DOI refcounts
The current CIPSO and CALIPSO refcounting scheme for the DOI
definitions is a bit flawed in that we:
1. Don't correctly match gets/puts in netlbl_cipsov4_list().
2. Decrement the refcount on each attempt to remove the DOI from the
DOI list, only removing it from the list once the refcount drops
to zero.
This patch fixes these problems by adding the missing "puts" to
netlbl_cipsov4_list() and introduces a more conventional, i.e.
not-buggy, refcounting mechanism to the DOI definitions. Upon the
addition of a DOI to the DOI list, it is initialized with a refcount
of one, removing a DOI from the list removes it from the list and
drops the refcount by one; "gets" and "puts" behave as expected with
respect to refcounts, increasing and decreasing the DOI's refcount by
one.
Fixes:
b1edeb102397 ("netlabel: Replace protocol/NetLabel linking with refrerence counts")
Fixes:
d7cce01504a0 ("netlabel: Add support for removing a CALIPSO DOI.")
Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Wiesner [Thu, 4 Mar 2021 16:18:28 +0000 (17:18 +0100)]
ibmvnic: always store valid MAC address
The last change to ibmvnic_set_mac(),
8fc3672a8ad3, meant to prevent
users from setting an invalid MAC address on an ibmvnic interface
that has not been brought up yet. The change also prevented the
requested MAC address from being stored by the adapter object for an
ibmvnic interface when the state of the ibmvnic interface is
VNIC_PROBED - that is after probing has finished but before the
ibmvnic interface is brought up. The MAC address stored by the
adapter object is used and sent to the hypervisor for checking when
an ibmvnic interface is brought up.
The ibmvnic driver ignoring the requested MAC address when in
VNIC_PROBED state caused LACP bonds (bonds in 802.3ad mode) with more
than one slave to malfunction. The bonding code must be able to
change the MAC address of its slaves before they are brought up
during enslaving. The inability of kernels with
8fc3672a8ad3 to set
the MAC addresses of bonding slaves is observable in the output of
"ip address show". The MAC addresses of the slaves are the same as
the MAC address of the bond on a working system whereas the slaves
retain their original MAC addresses on a system with a malfunctioning
LACP bond.
Fixes:
8fc3672a8ad3 ("ibmvnic: fix ibmvnic_set_mac")
Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hillf Danton [Thu, 4 Mar 2021 18:30:09 +0000 (10:30 -0800)]
netdevsim: init u64 stats for 32bit hardware
Init the u64 stats in order to avoid the lockdep prints on the 32bit
hardware like
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 4695 Comm: syz-executor.0 Not tainted 5.11.0-rc5-syzkaller #0
Hardware name: ARM-Versatile Express
Backtrace:
[<
826fc5b8>] (dump_backtrace) from [<
826fc82c>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:252)
[<
826fc814>] (show_stack) from [<
8270d1f8>] (__dump_stack lib/dump_stack.c:79 [inline])
[<
826fc814>] (show_stack) from [<
8270d1f8>] (dump_stack+0xa8/0xc8 lib/dump_stack.c:120)
[<
8270d150>] (dump_stack) from [<
802bf9c0>] (assign_lock_key kernel/locking/lockdep.c:935 [inline])
[<
8270d150>] (dump_stack) from [<
802bf9c0>] (register_lock_class+0xabc/0xb68 kernel/locking/lockdep.c:1247)
[<
802bef04>] (register_lock_class) from [<
802baa2c>] (__lock_acquire+0x84/0x32d4 kernel/locking/lockdep.c:4711)
[<
802ba9a8>] (__lock_acquire) from [<
802be840>] (lock_acquire.part.0+0xf0/0x554 kernel/locking/lockdep.c:5442)
[<
802be750>] (lock_acquire.part.0) from [<
802bed10>] (lock_acquire+0x6c/0x74 kernel/locking/lockdep.c:5415)
[<
802beca4>] (lock_acquire) from [<
81560548>] (seqcount_lockdep_reader_access include/linux/seqlock.h:103 [inline])
[<
802beca4>] (lock_acquire) from [<
81560548>] (__u64_stats_fetch_begin include/linux/u64_stats_sync.h:164 [inline])
[<
802beca4>] (lock_acquire) from [<
81560548>] (u64_stats_fetch_begin include/linux/u64_stats_sync.h:175 [inline])
[<
802beca4>] (lock_acquire) from [<
81560548>] (nsim_get_stats64+0xdc/0xf0 drivers/net/netdevsim/netdev.c:70)
[<
8156046c>] (nsim_get_stats64) from [<
81e2efa0>] (dev_get_stats+0x44/0xd0 net/core/dev.c:10405)
[<
81e2ef5c>] (dev_get_stats) from [<
81e53204>] (rtnl_fill_stats+0x38/0x120 net/core/rtnetlink.c:1211)
[<
81e531cc>] (rtnl_fill_stats) from [<
81e59d58>] (rtnl_fill_ifinfo+0x6d4/0x148c net/core/rtnetlink.c:1783)
[<
81e59684>] (rtnl_fill_ifinfo) from [<
81e5ceb4>] (rtmsg_ifinfo_build_skb+0x9c/0x108 net/core/rtnetlink.c:3798)
[<
81e5ce18>] (rtmsg_ifinfo_build_skb) from [<
81e5d0ac>] (rtmsg_ifinfo_event net/core/rtnetlink.c:3830 [inline])
[<
81e5ce18>] (rtmsg_ifinfo_build_skb) from [<
81e5d0ac>] (rtmsg_ifinfo_event net/core/rtnetlink.c:3821 [inline])
[<
81e5ce18>] (rtmsg_ifinfo_build_skb) from [<
81e5d0ac>] (rtmsg_ifinfo+0x44/0x70 net/core/rtnetlink.c:3839)
[<
81e5d068>] (rtmsg_ifinfo) from [<
81e45c2c>] (register_netdevice+0x664/0x68c net/core/dev.c:10103)
[<
81e455c8>] (register_netdevice) from [<
815608bc>] (nsim_create+0xf8/0x124 drivers/net/netdevsim/netdev.c:317)
[<
815607c4>] (nsim_create) from [<
81561184>] (__nsim_dev_port_add+0x108/0x188 drivers/net/netdevsim/dev.c:941)
[<
8156107c>] (__nsim_dev_port_add) from [<
815620d8>] (nsim_dev_port_add_all drivers/net/netdevsim/dev.c:990 [inline])
[<
8156107c>] (__nsim_dev_port_add) from [<
815620d8>] (nsim_dev_probe+0x5cc/0x750 drivers/net/netdevsim/dev.c:1119)
[<
81561b0c>] (nsim_dev_probe) from [<
815661dc>] (nsim_bus_probe+0x10/0x14 drivers/net/netdevsim/bus.c:287)
[<
815661cc>] (nsim_bus_probe) from [<
811724c0>] (really_probe+0x100/0x50c drivers/base/dd.c:554)
[<
811723c0>] (really_probe) from [<
811729c4>] (driver_probe_device+0xf8/0x1c8 drivers/base/dd.c:740)
[<
811728cc>] (driver_probe_device) from [<
81172fe4>] (__device_attach_driver+0x8c/0xf0 drivers/base/dd.c:846)
[<
81172f58>] (__device_attach_driver) from [<
8116fee0>] (bus_for_each_drv+0x88/0xd8 drivers/base/bus.c:431)
[<
8116fe58>] (bus_for_each_drv) from [<
81172c6c>] (__device_attach+0xdc/0x1d0 drivers/base/dd.c:914)
[<
81172b90>] (__device_attach) from [<
8117305c>] (device_initial_probe+0x14/0x18 drivers/base/dd.c:961)
[<
81173048>] (device_initial_probe) from [<
81171358>] (bus_probe_device+0x90/0x98 drivers/base/bus.c:491)
[<
811712c8>] (bus_probe_device) from [<
8116e77c>] (device_add+0x320/0x824 drivers/base/core.c:3109)
[<
8116e45c>] (device_add) from [<
8116ec9c>] (device_register+0x1c/0x20 drivers/base/core.c:3182)
[<
8116ec80>] (device_register) from [<
81566710>] (nsim_bus_dev_new drivers/net/netdevsim/bus.c:336 [inline])
[<
8116ec80>] (device_register) from [<
81566710>] (new_device_store+0x178/0x208 drivers/net/netdevsim/bus.c:215)
[<
81566598>] (new_device_store) from [<
8116fcb4>] (bus_attr_store+0x2c/0x38 drivers/base/bus.c:122)
[<
8116fc88>] (bus_attr_store) from [<
805b4b8c>] (sysfs_kf_write+0x48/0x54 fs/sysfs/file.c:139)
[<
805b4b44>] (sysfs_kf_write) from [<
805b3c90>] (kernfs_fop_write_iter+0x128/0x1ec fs/kernfs/file.c:296)
[<
805b3b68>] (kernfs_fop_write_iter) from [<
804d22fc>] (call_write_iter include/linux/fs.h:1901 [inline])
[<
805b3b68>] (kernfs_fop_write_iter) from [<
804d22fc>] (new_sync_write fs/read_write.c:518 [inline])
[<
805b3b68>] (kernfs_fop_write_iter) from [<
804d22fc>] (vfs_write+0x3dc/0x57c fs/read_write.c:605)
[<
804d1f20>] (vfs_write) from [<
804d2604>] (ksys_write+0x68/0xec fs/read_write.c:658)
[<
804d259c>] (ksys_write) from [<
804d2698>] (__do_sys_write fs/read_write.c:670 [inline])
[<
804d259c>] (ksys_write) from [<
804d2698>] (sys_write+0x10/0x14 fs/read_write.c:667)
[<
804d2688>] (sys_write) from [<
80200060>] (ret_fast_syscall+0x0/0x2c arch/arm/mm/proc-v7.S:64)
Fixes:
83c9e13aa39a ("netdevsim: add software driver for testing offloads")
Reported-by: syzbot+e74a6857f2d0efe3ad81@syzkaller.appspotmail.com
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 4 Mar 2021 22:30:13 +0000 (14:30 -0800)]
Merge branch 'mptcp-fixes'
Mat Martineau says:
====================
mptcp: Fixes for v5.12
These patches from the MPTCP tree fix a few multipath TCP issues:
Patches 1 and 5 clear some stale pointers when subflows close.
Patches 2, 4, and 9 plug some memory leaks.
Patch 3 fixes a memory accounting error identified by syzkaller.
Patches 6 and 7 fix a race condition that slowed data transmission.
Patch 8 adds missing wakeups when write buffer space is freed.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Geliang Tang [Thu, 4 Mar 2021 21:32:16 +0000 (13:32 -0800)]
mptcp: free resources when the port number is mismatched
When the port number is mismatched with the announced ones, use
'goto dispose_child' to free the resources instead of using 'goto out'.
This patch also moves the port number checking code in
subflow_syn_recv_sock before mptcp_finish_join, otherwise subflow_drop_ctx
will fail in dispose_child.
Fixes:
5bc56388c74f ("mptcp: add port number check for MP_JOIN")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Geliang Tang <geliangtang@gmail.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni [Thu, 4 Mar 2021 21:32:15 +0000 (13:32 -0800)]
mptcp: fix missing wakeup
__mptcp_clean_una() can free write memory and should wake-up
user-space processes when needed.
When such function is invoked by the MPTCP receive path, the wakeup
is not needed, as the TCP stack will later trigger subflow_write_space
which will do the wakeup as needed.
Other __mptcp_clean_una() call sites need an additional wakeup check
Let's bundle the relevant code in a new helper and use it.
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/165
Fixes:
6e628cd3a8f7 ("mptcp: use mptcp release_cb for delayed tasks")
Fixes:
64b9cea7a0af ("mptcp: fix spurious retransmissions")
Tested-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni [Thu, 4 Mar 2021 21:32:14 +0000 (13:32 -0800)]
mptcp: fix race in release_cb
If we receive a MPTCP_PUSH_PENDING even from a subflow when
mptcp_release_cb() is serving the previous one, the latter
will be delayed up to the next release_sock(msk).
Address the issue implementing a test/serve loop for such
event.
Additionally rename the push helper to __mptcp_push_pending()
to be more consistent with the existing code.
Fixes:
6e628cd3a8f7 ("mptcp: use mptcp release_cb for delayed tasks")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni [Thu, 4 Mar 2021 21:32:13 +0000 (13:32 -0800)]
mptcp: factor out __mptcp_retrans helper()
Will simplify the following patch, no functional change
intended.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Thu, 4 Mar 2021 21:32:12 +0000 (13:32 -0800)]
mptcp: reset 'first' and ack_hint on subflow close
Just like with last_snd, we have to NULL 'first' on subflow close.
ack_hint isn't strictly required (its never dereferenced), but better to
clear this explicitly as well instead of making it an exception.
msk->first is dereferenced unconditionally at accept time, but
at that point the ssk is not on the conn_list yet -- this means
worker can't see it when iterating the conn_list.
Reported-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Thu, 4 Mar 2021 21:32:11 +0000 (13:32 -0800)]
mptcp: dispose initial struct socket when its subflow is closed
Christoph Paasch reported following crash:
dst_release underflow
WARNING: CPU: 0 PID: 1319 at net/core/dst.c:175 dst_release+0xc1/0xd0 net/core/dst.c:175
CPU: 0 PID: 1319 Comm: syz-executor217 Not tainted 5.11.0-rc6af8e85128b4d0d24083c5cac646e891227052e0c #70
Call Trace:
rt_cache_route+0x12e/0x140 net/ipv4/route.c:1503
rt_set_nexthop.constprop.0+0x1fc/0x590 net/ipv4/route.c:1612
__mkroute_output net/ipv4/route.c:2484 [inline]
...
The worker leaves msk->subflow alone even when it
happened to close the subflow ssk associated with it.
Fixes:
866f26f2a9c33b ("mptcp: always graft subflow socket to parent")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/157
Reported-by: Christoph Paasch <cpaasch@apple.com>
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni [Thu, 4 Mar 2021 21:32:10 +0000 (13:32 -0800)]
mptcp: fix memory accounting on allocation error
In case of memory pressure the MPTCP xmit path keeps
at most a single skb in the tx cache, eventually freeing
additional ones.
The associated counter for forward memory is not update
accordingly, and that causes the following splat:
WARNING: CPU: 0 PID: 12 at net/core/stream.c:208 sk_stream_kill_queues+0x3ca/0x530 net/core/stream.c:208
Modules linked in:
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.11.0-rc2 #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:sk_stream_kill_queues+0x3ca/0x530 net/core/stream.c:208
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 63 01 00 00 8b ab 00 01 00 00 e9 60 ff ff ff e8 2f 24 d3 fe 0f 0b eb 97 e8 26 24 d3 fe <0f> 0b eb a0 e8 1d 24 d3 fe 0f 0b e9 a5 fe ff ff 4c 89 e7 e8 0e d0
RSP: 0018:
ffffc900000c7bc8 EFLAGS:
00010293
RAX:
0000000000000000 RBX:
0000000000000000 RCX:
0000000000000000
RDX:
ffff88810030ac40 RSI:
ffffffff8262ca4a RDI:
0000000000000003
RBP:
0000000000000d00 R08:
0000000000000000 R09:
ffffffff85095aa7
R10:
ffffffff8262c9ea R11:
0000000000000001 R12:
ffff888108908100
R13:
ffffffff85095aa0 R14:
ffffc900000c7c48 R15:
1ffff92000018f85
FS:
0000000000000000(0000) GS:
ffff88811b200000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
00007fa7444baef8 CR3:
0000000035ee9005 CR4:
0000000000170ef0
Call Trace:
__mptcp_destroy_sock+0x4a7/0x6c0 net/mptcp/protocol.c:2547
mptcp_worker+0x7dd/0x1610 net/mptcp/protocol.c:2272
process_one_work+0x896/0x1170 kernel/workqueue.c:2275
worker_thread+0x605/0x1350 kernel/workqueue.c:2421
kthread+0x344/0x410 kernel/kthread.c:292
ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296
At close time, as reported by syzkaller/Christoph.
This change address the issue properly updating the fwd
allocated memory counter in the error path.
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/136
Fixes:
724cfd2ee8aa ("mptcp: allocate TX skbs in msk context")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Thu, 4 Mar 2021 21:32:09 +0000 (13:32 -0800)]
mptcp: put subflow sock on connect error
mptcp_add_pending_subflow() performs a sock_hold() on the subflow,
then adds the subflow to the join list.
Without a sock_put the subflow sk won't be freed in case connect() fails.
unreferenced object 0xffff88810c03b100 (size 3000):
[..]
sk_prot_alloc.isra.0+0x2f/0x110
sk_alloc+0x5d/0xc20
inet6_create+0x2b7/0xd30
__sock_create+0x17f/0x410
mptcp_subflow_create_socket+0xff/0x9c0
__mptcp_subflow_connect+0x1da/0xaf0
mptcp_pm_nl_work+0x6e0/0x1120
mptcp_worker+0x508/0x9a0
Fixes:
5b950ff4331ddda ("mptcp: link MPC subflow into msk only after accept")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Thu, 4 Mar 2021 21:32:08 +0000 (13:32 -0800)]
mptcp: reset last_snd on subflow close
Send logic caches last active subflow in the msk, so it needs to be
cleared when the cached subflow is closed.
Fixes:
d5f49190def61c ("mptcp: allow picking different xmit subflows")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/155
Reported-by: Christoph Paasch <cpaasch@apple.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Maximilian Heyne [Thu, 4 Mar 2021 14:43:17 +0000 (14:43 +0000)]
net: sched: avoid duplicates in classes dump
This is a follow up of commit
ea3274695353 ("net: sched: avoid
duplicates in qdisc dump") which has fixed the issue only for the qdisc
dump.
The duplicate printing also occurs when dumping the classes via
tc class show dev eth0
Fixes:
59cc1f61f09c ("net: sched: convert qdisc linked list to hashtable")
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniele Palmas [Thu, 4 Mar 2021 13:15:13 +0000 (14:15 +0100)]
net: usb: qmi_wwan: allow qmimux add/del with master up
There's no reason for preventing the creation and removal
of qmimux network interfaces when the underlying interface
is up.
This makes qmi_wwan mux implementation more similar to the
rmnet one, simplifying userspace management of the same
logical interfaces.
Fixes:
c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
Reported-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Thu, 4 Mar 2021 10:56:54 +0000 (12:56 +0200)]
net: dsa: sja1105: fix ucast/bcast flooding always remaining enabled
In the blamed patch I managed to introduce a bug while moving code
around: the same logic is applied to the ucast_egress_floods and
bcast_egress_floods variables both on the "if" and the "else" branches.
This is clearly an unintended change compared to how the code used to be
prior to that bugfix, so restore it.
Fixes:
7f7ccdea8c73 ("net: dsa: sja1105: fix leakage of flooded frames outside bridging domain")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Thu, 4 Mar 2021 10:56:53 +0000 (12:56 +0200)]
net: dsa: sja1105: fix SGMII PCS being forced to SPEED_UNKNOWN instead of SPEED_10
When using MLO_AN_PHY or MLO_AN_FIXED, the MII_BMCR of the SGMII PCS is
read before resetting the switch so it can be reprogrammed afterwards.
This works for the speeds of 1Gbps and 100Mbps, but not for 10Mbps,
because SPEED_10 is actually 0, so AND-ing anything with 0 is false,
therefore that last branch is dead code.
Do what others do (genphy_read_status_fixed, phy_mii_ioctl) and just
remove the check for SPEED_10, let it fall into the default case.
Fixes:
ffe10e679cec ("net: dsa: sja1105: Add support for the SGMII port")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Thu, 4 Mar 2021 10:29:43 +0000 (12:29 +0200)]
net: mscc: ocelot: properly reject destination IP keys in VCAP IS1
An attempt is made to warn the user about the fact that VCAP IS1 cannot
offload keys matching on destination IP (at least given the current half
key format), but sadly that warning fails miserably in practice, due to
the fact that it operates on an uninitialized "match" variable. We must
first decode the keys from the flow rule.
Fixes:
75944fda1dfe ("net: mscc: ocelot: offload ingress skbedit and vlan actions to VCAP IS1")
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 4 Mar 2021 22:04:49 +0000 (14:04 -0800)]
Merge branch 'nexthop-blackhole'
Ido Schimmel says:
====================
nexthop: Do not flush blackhole nexthops when loopback goes down
Patch #1 prevents blackhole nexthops from being flushed when the
loopback device goes down given that as far as user space is concerned,
these nexthops do not have a nexthop device.
Patch #2 adds a test case.
There are no regressions in fib_nexthops.sh with this change:
# ./fib_nexthops.sh
...
Tests passed: 165
Tests failed: 0
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Ido Schimmel [Thu, 4 Mar 2021 08:57:54 +0000 (10:57 +0200)]
selftests: fib_nexthops: Test blackhole nexthops when loopback goes down
Test that blackhole nexthops are not flushed when the loopback device
goes down.
Output without previous patch:
# ./fib_nexthops.sh -t basic
Basic functional tests
----------------------
TEST: List with nothing defined [ OK ]
TEST: Nexthop get on non-existent id [ OK ]
TEST: Nexthop with no device or gateway [ OK ]
TEST: Nexthop with down device [ OK ]
TEST: Nexthop with device that is linkdown [ OK ]
TEST: Nexthop with device only [ OK ]
TEST: Nexthop with duplicate id [ OK ]
TEST: Blackhole nexthop [ OK ]
TEST: Blackhole nexthop with other attributes [ OK ]
TEST: Blackhole nexthop with loopback device down [FAIL]
TEST: Create group [ OK ]
TEST: Create group with blackhole nexthop [FAIL]
TEST: Create multipath group where 1 path is a blackhole [ OK ]
TEST: Multipath group can not have a member replaced by blackhole [ OK ]
TEST: Create group with non-existent nexthop [ OK ]
TEST: Create group with same nexthop multiple times [ OK ]
TEST: Replace nexthop with nexthop group [ OK ]
TEST: Replace nexthop group with nexthop [ OK ]
TEST: Nexthop group and device [ OK ]
TEST: Test proto flush [ OK ]
TEST: Nexthop group and blackhole [ OK ]
Tests passed: 19
Tests failed: 2
Output with previous patch:
# ./fib_nexthops.sh -t basic
Basic functional tests
----------------------
TEST: List with nothing defined [ OK ]
TEST: Nexthop get on non-existent id [ OK ]
TEST: Nexthop with no device or gateway [ OK ]
TEST: Nexthop with down device [ OK ]
TEST: Nexthop with device that is linkdown [ OK ]
TEST: Nexthop with device only [ OK ]
TEST: Nexthop with duplicate id [ OK ]
TEST: Blackhole nexthop [ OK ]
TEST: Blackhole nexthop with other attributes [ OK ]
TEST: Blackhole nexthop with loopback device down [ OK ]
TEST: Create group [ OK ]
TEST: Create group with blackhole nexthop [ OK ]
TEST: Create multipath group where 1 path is a blackhole [ OK ]
TEST: Multipath group can not have a member replaced by blackhole [ OK ]
TEST: Create group with non-existent nexthop [ OK ]
TEST: Create group with same nexthop multiple times [ OK ]
TEST: Replace nexthop with nexthop group [ OK ]
TEST: Replace nexthop group with nexthop [ OK ]
TEST: Nexthop group and device [ OK ]
TEST: Test proto flush [ OK ]
TEST: Nexthop group and blackhole [ OK ]
Tests passed: 21
Tests failed: 0
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ido Schimmel [Thu, 4 Mar 2021 08:57:53 +0000 (10:57 +0200)]
nexthop: Do not flush blackhole nexthops when loopback goes down
As far as user space is concerned, blackhole nexthops do not have a
nexthop device and therefore should not be affected by the
administrative or carrier state of any netdev.
However, when the loopback netdev goes down all the blackhole nexthops
are flushed. This happens because internally the kernel associates
blackhole nexthops with the loopback netdev.
This behavior is both confusing to those not familiar with kernel
internals and also diverges from the legacy API where blackhole IPv4
routes are not flushed when the loopback netdev goes down:
# ip route add blackhole 198.51.100.0/24
# ip link set dev lo down
# ip route show 198.51.100.0/24
blackhole 198.51.100.0/24
Blackhole IPv6 routes are flushed, but at least user space knows that
they are associated with the loopback netdev:
# ip -6 route show 2001:db8:1::/64
blackhole 2001:db8:1::/64 dev lo metric 1024 pref medium
Fix this by only flushing blackhole nexthops when the loopback netdev is
unregistered.
Fixes:
ab84be7e54fc ("net: Initial nexthop code")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reported-by: Donald Sharp <sharpd@nvidia.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Drew Fustini [Thu, 4 Mar 2021 05:55:49 +0000 (21:55 -0800)]
net: sctp: trivial: fix typo in comment
Fix typo of 'overflow' for comment in sctp_tsnmap_check().
Reported-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Drew Fustini <drew@beagleboard.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 4 Mar 2021 21:47:42 +0000 (13:47 -0800)]
Merge branch '10GbE' of git://git./linux/kernel/git/tnguy/net-queue
Tony Nguyen says:
====================
Intel Wired LAN Driver Updates 2021-03-03
This series contains updates to ixgbe and ixgbevf drivers.
Bartosz Golaszewski does not error on -ENODEV from ixgbe_mii_bus_init()
as this is valid for some devices with a shared bus for ixgbe.
Antony Antony adds a check to fail for non transport mode SA with
offload as this is not supported for ixgbe and ixgbevf.
Dinghao Liu fixes a memory leak on failure to program a perfect filter
for ixgbe.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Dinghao Liu [Sun, 3 Jan 2021 08:08:42 +0000 (16:08 +0800)]
ixgbe: Fix memleak in ixgbe_configure_clsu32
When ixgbe_fdir_write_perfect_filter_82599() fails,
input allocated by kzalloc() has not been freed,
which leads to memleak.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Antony Antony [Wed, 14 Oct 2020 14:17:48 +0000 (16:17 +0200)]
ixgbe: fail to create xfrm offload of IPsec tunnel mode SA
Based on talks and indirect references ixgbe IPsec offlod do not
support IPsec tunnel mode offload. It can only support IPsec transport
mode offload. Now explicitly fail when creating non transport mode SA
with offload to avoid false performance expectations.
Fixes:
63a67fe229ea ("ixgbe: add ipsec offload add and remove SA")
Signed-off-by: Antony Antony <antony@phenome.org>
Acked-by: Shannon Nelson <snelson@pensando.io>
Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Ilya Leoshkevich [Mon, 1 Mar 2021 15:40:19 +0000 (16:40 +0100)]
bpf: Account for BPF_FETCH in insn_has_def32()
insn_has_def32() returns false for 32-bit BPF_FETCH insns. This makes
adjust_insn_aux_data() incorrectly set zext_dst, as can be seen in [1].
This happens because insn_no_def() does not know about the BPF_FETCH
variants of BPF_STX.
Fix in two steps.
First, replace insn_no_def() with insn_def_regno(), which returns the
register an insn defines. Normally insn_no_def() calls are followed by
insn->dst_reg uses; replace those with the insn_def_regno() return
value.
Second, adjust the BPF_STX special case in is_reg64() to deal with
queries made from opt_subreg_zext_lo32_rnd_hi32(), where the state
information is no longer available. Add a comment, since the purpose
of this special case is not clear at first glance.
[1] https://lore.kernel.org/bpf/
20210223150845.1857620-1-jackmanb@google.com/
Fixes:
5ffa25502b5a ("bpf: Add instructions for atomic_[cmp]xchg")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Brendan Jackman <jackmanb@google.com>
Link: https://lore.kernel.org/bpf/20210301154019.129110-1-iii@linux.ibm.com
Maciej Fijalkowski [Wed, 3 Mar 2021 18:56:36 +0000 (19:56 +0100)]
libbpf: Clear map_info before each bpf_obj_get_info_by_fd
xsk_lookup_bpf_maps, based on prog_fd, looks whether current prog has a
reference to XSKMAP. BPF prog can include insns that work on various BPF
maps and this is covered by iterating through map_ids.
The bpf_map_info that is passed to bpf_obj_get_info_by_fd for filling
needs to be cleared at each iteration, so that it doesn't contain any
outdated fields and that is currently missing in the function of
interest.
To fix that, zero-init map_info via memset before each
bpf_obj_get_info_by_fd call.
Also, since the area of this code is touched, in general strcmp is
considered harmful, so let's convert it to strncmp and provide the
size of the array name for current map_info.
While at it, do s/continue/break/ once we have found the xsks_map to
terminate the search.
Fixes:
5750902a6e9b ("libbpf: proper XSKMAP cleanup")
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Björn Töpel <bjorn.topel@intel.com>
Link: https://lore.kernel.org/bpf/20210303185636.18070-4-maciej.fijalkowski@intel.com
Maciej Fijalkowski [Wed, 3 Mar 2021 18:56:35 +0000 (19:56 +0100)]
samples, bpf: Add missing munmap in xdpsock
We mmap the umem region, but we never munmap it.
Add the missing call at the end of the cleanup.
Fixes:
3945b37a975d ("samples/bpf: use hugepages in xdpsock app")
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Björn Töpel <bjorn.topel@intel.com>
Link: https://lore.kernel.org/bpf/20210303185636.18070-3-maciej.fijalkowski@intel.com
Maciej Fijalkowski [Wed, 3 Mar 2021 18:56:34 +0000 (19:56 +0100)]
xsk: Remove dangling function declaration from header file
xdp_umem_query() is dead for a long time, drop the declaration from
include/linux/netdevice.h
Fixes:
c9b47cc1fabc ("xsk: fix bug when trying to use both copy and zero-copy on one queue id")
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Björn Töpel <bjorn.topel@intel.com>
Link: https://lore.kernel.org/bpf/20210303185636.18070-2-maciej.fijalkowski@intel.com
Pablo Neira Ayuso [Thu, 4 Mar 2021 03:00:09 +0000 (04:00 +0100)]
netfilter: nftables: bogus check for netlink portID with table owner
The existing branch checks for 0 != table->nlpid which always evaluates
true for tables that have an owner.
Fixes:
6001a930ce03 ("netfilter: nftables: introduce table ownership")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Wed, 3 Mar 2021 22:58:27 +0000 (23:58 +0100)]
netfilter: nftables: fix possible double hook unregistration with table owner
Skip hook unregistration of owner tables from the netns exit path,
nft_rcv_nl_event() unregisters the table hooks before tearing down
the table content.
Fixes:
6001a930ce03 ("netfilter: nftables: introduce table ownership")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
zhang kai [Tue, 2 Mar 2021 10:16:07 +0000 (18:16 +0800)]
rtnetlink: using dev_base_seq from target net
Signed-off-by: zhang kai <zhangkaiheb@126.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jisheng Zhang [Tue, 2 Mar 2021 09:19:32 +0000 (17:19 +0800)]
net: 9p: advance iov on empty read
I met below warning when cating a small size(about 80bytes) txt file
on 9pfs(msize=2097152 is passed to 9p mount option), the reason is we
miss iov_iter_advance() if the read count is 0 for zerocopy case, so
we didn't truncate the pipe, then iov_iter_pipe() thinks the pipe is
full. Fix it by removing the exception for 0 to ensure to call
iov_iter_advance() even on empty read for zerocopy case.
[ 8.279568] WARNING: CPU: 0 PID: 39 at lib/iov_iter.c:1203 iov_iter_pipe+0x31/0x40
[ 8.280028] Modules linked in:
[ 8.280561] CPU: 0 PID: 39 Comm: cat Not tainted 5.11.0+ #6
[ 8.281260] RIP: 0010:iov_iter_pipe+0x31/0x40
[ 8.281974] Code: 2b 42 54 39 42 5c 76 22 c7 07 20 00 00 00 48 89 57 18 8b 42 50 48 c7 47 08 b
[ 8.283169] RSP: 0018:
ffff888000cbbd80 EFLAGS:
00000246
[ 8.283512] RAX:
0000000000000010 RBX:
ffff888000117d00 RCX:
0000000000000000
[ 8.283876] RDX:
ffff88800031d600 RSI:
0000000000000000 RDI:
ffff888000cbbd90
[ 8.284244] RBP:
ffff888000cbbe38 R08:
0000000000000000 R09:
ffff8880008d2058
[ 8.284605] R10:
0000000000000002 R11:
ffff888000375510 R12:
0000000000000050
[ 8.284964] R13:
ffff888000cbbe80 R14:
0000000000000050 R15:
ffff88800031d600
[ 8.285439] FS:
00007f24fd8af600(0000) GS:
ffff88803ec00000(0000) knlGS:
0000000000000000
[ 8.285844] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 8.286150] CR2:
00007f24fd7d7b90 CR3:
0000000000c97000 CR4:
00000000000406b0
[ 8.286710] Call Trace:
[ 8.288279] generic_file_splice_read+0x31/0x1a0
[ 8.289273] ? do_splice_to+0x2f/0x90
[ 8.289511] splice_direct_to_actor+0xcc/0x220
[ 8.289788] ? pipe_to_sendpage+0xa0/0xa0
[ 8.290052] do_splice_direct+0x8b/0xd0
[ 8.290314] do_sendfile+0x1ad/0x470
[ 8.290576] do_syscall_64+0x2d/0x40
[ 8.290818] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 8.291409] RIP: 0033:0x7f24fd7dca0a
[ 8.292511] Code: c3 0f 1f 80 00 00 00 00 4c 89 d2 4c 89 c6 e9 bd fd ff ff 0f 1f 44 00 00 31 8
[ 8.293360] RSP: 002b:
00007ffc20932818 EFLAGS:
00000206 ORIG_RAX:
0000000000000028
[ 8.293800] RAX:
ffffffffffffffda RBX:
0000000001000000 RCX:
00007f24fd7dca0a
[ 8.294153] RDX:
0000000000000000 RSI:
0000000000000003 RDI:
0000000000000001
[ 8.294504] RBP:
0000000000000003 R08:
0000000000000000 R09:
0000000000000000
[ 8.294867] R10:
0000000001000000 R11:
0000000000000206 R12:
0000000000000003
[ 8.295217] R13:
0000000000000001 R14:
0000000000000001 R15:
0000000000000000
[ 8.295782] ---[ end trace
63317af81b3ca24b ]---
Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hayes Wang [Wed, 3 Mar 2021 08:39:47 +0000 (16:39 +0800)]
Revert "r8152: adjust the settings about MAC clock speed down for RTL8153"
This reverts commit
134f98bcf1b898fb9d6f2b91bc85dd2e5478b4b8.
The r8153_mac_clk_spd() is used for RTL8153A only, because the register
table of RTL8153B is different from RTL8153A. However, this function would
be called when RTL8153B calls r8153_first_init() and r8153_enter_oob().
That causes RTL8153B becomes unstable when suspending and resuming. The
worst case may let the device stop working.
Besides, revert this commit to disable MAC clock speed down for RTL8153A.
It would avoid the known issue when enabling U1. The data of the first
control transfer may be wrong when exiting U1.
Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matthias Schiffer [Wed, 3 Mar 2021 15:50:49 +0000 (16:50 +0100)]
net: l2tp: reduce log level of messages in receive path, add counter instead
Commit
5ee759cda51b ("l2tp: use standard API for warning log messages")
changed a number of warnings about invalid packets in the receive path
so that they are always shown, instead of only when a special L2TP debug
flag is set. Even with rate limiting these warnings can easily cause
significant log spam - potentially triggered by a malicious party
sending invalid packets on purpose.
In addition these warnings were noticed by projects like Tunneldigger [1],
which uses L2TP for its data path, but implements its own control
protocol (which is sufficiently different from L2TP data packets that it
would always be passed up to userspace even with future extensions of
L2TP).
Some of the warnings were already redundant, as l2tp_stats has a counter
for these packets. This commit adds one additional counter for invalid
packets that are passed up to userspace. Packets with unknown session are
not counted as invalid, as there is nothing wrong with the format of
these packets.
With the additional counter, all of these messages are either redundant
or benign, so we reduce them to pr_debug_ratelimited().
[1] https://github.com/wlanslovenija/tunneldigger/issues/160
Fixes:
5ee759cda51b ("l2tp: use standard API for warning log messages")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Atish Patra [Wed, 3 Mar 2021 19:55:49 +0000 (11:55 -0800)]
net: macb: Add default usrio config to default gem config
There is no usrio config defined for default gem config leading to
a kernel panic devices that don't define a data. This issue can be
reprdouced with microchip polar fire soc where compatible string
is defined as "cdns,macb".
Fixes:
edac63861db7 ("add userio bits as platform configuration")
Signed-off-by: Atish Patra <atish.patra@wdc.com>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 4 Mar 2021 00:35:24 +0000 (16:35 -0800)]
Merge tag 'wireless-drivers-2021-03-03' of git://git./linux/kernel/git/kvalo/wireless-drivers
Kalle Valo says:
====================
wireless-drivers fixes for v5.12
Second set of fixes for v5.12. Only three iwlwifi fixes this time, the
crash with MVM being the most important one and reported by multiple
people.
iwlwifi
* fix kernel crash regression when using LTO with MVM devices
* fix printk format warnings
* fix potential deadlock found by lockdep
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Jakub Kicinski [Wed, 3 Mar 2021 02:46:43 +0000 (18:46 -0800)]
docs: networking: drop special stable handling
Leave it to Greg.
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ong Boon Leong [Wed, 3 Mar 2021 15:08:40 +0000 (20:38 +0530)]
net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10
We introduce dwmac410_dma_init_channel() here for both EQoS v4.10 and
above which use different DMA_CH(n)_Interrupt_Enable bit definitions for
NIE and AIE.
Fixes:
48863ce5940f ("stmmac: add DMA support for GMAC 4.xx")
Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
Signed-off-by: Ramesh Babu B <ramesh.babu.b@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michal Suchanek [Tue, 2 Mar 2021 19:47:47 +0000 (20:47 +0100)]
ibmvnic: Fix possibly uninitialized old_num_tx_queues variable warning.
GCC 7.5 reports:
../drivers/net/ethernet/ibm/ibmvnic.c: In function 'ibmvnic_reset_init':
../drivers/net/ethernet/ibm/ibmvnic.c:5373:51: warning: 'old_num_tx_queues' may be used uninitialized in this function [-Wmaybe-uninitialized]
../drivers/net/ethernet/ibm/ibmvnic.c:5373:6: warning: 'old_num_rx_queues' may be used uninitialized in this function [-Wmaybe-uninitialized]
The variable is initialized only if(reset) and used only if(reset &&
something) so this is a false positive. However, there is no reason to
not initialize the variables unconditionally avoiding the warning.
Fixes:
635e442f4a48 ("ibmvnic: merge ibmvnic_reset_init and ibmvnic_init")
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Tue, 2 Mar 2021 11:21:54 +0000 (14:21 +0300)]
octeontx2-af: cn10k: fix an array overflow in is_lmac_valid()
The value of "lmac_id" can be controlled by the user and if it is larger
then the number of bits in long then it reads outside the bitmap.
The highest valid value is less than MAX_LMAC_PER_CGX (4).
Fixes:
91c6945ea1f9 ("octeontx2-af: cn10k: Add RPM MAC support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Kosina [Tue, 2 Mar 2021 10:34:51 +0000 (11:34 +0100)]
iwlwifi: don't call netif_napi_add() with rxq->lock held (was Re: Lockdep warning in iwl_pcie_rx_handle())
We can't call netif_napi_add() with rxq-lock held, as there is a potential
for deadlock as spotted by lockdep (see below). rxq->lock is not
protecting anything over the netif_napi_add() codepath anyway, so let's
drop it just before calling into NAPI.
========================================================
WARNING: possible irq lock inversion dependency detected
5.12.0-rc1-00002-gbada49429032 #5 Not tainted
--------------------------------------------------------
irq/136-iwlwifi/565 just changed the state of lock:
ffff89f28433b0b0 (&rxq->lock){+.-.}-{2:2}, at: iwl_pcie_rx_handle+0x7f/0x960 [iwlwifi]
but this lock took another, SOFTIRQ-unsafe lock in the past:
(napi_hash_lock){+.+.}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(napi_hash_lock);
local_irq_disable();
lock(&rxq->lock);
lock(napi_hash_lock);
<Interrupt>
lock(&rxq->lock);
*** DEADLOCK ***
1 lock held by irq/136-iwlwifi/565:
#0:
ffff89f2b1440170 (sync_cmd_lockdep_map){+.+.}-{0:0}, at: iwl_pcie_irq_handler+0x5/0xb30
the shortest dependencies between 2nd lock and 1st lock:
-> (napi_hash_lock){+.+.}-{2:2} {
HARDIRQ-ON-W at:
lock_acquire+0x277/0x3d0
_raw_spin_lock+0x2c/0x40
netif_napi_add+0x14b/0x270
e1000_probe+0x2fe/0xee0 [e1000e]
local_pci_probe+0x42/0x90
pci_device_probe+0x10b/0x1c0
really_probe+0xef/0x4b0
driver_probe_device+0xde/0x150
device_driver_attach+0x4f/0x60
__driver_attach+0x9c/0x140
bus_for_each_dev+0x79/0xc0
bus_add_driver+0x18d/0x220
driver_register+0x5b/0xf0
do_one_initcall+0x5b/0x300
do_init_module+0x5b/0x21c
load_module+0x1dae/0x22c0
__do_sys_finit_module+0xad/0x110
do_syscall_64+0x33/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
SOFTIRQ-ON-W at:
lock_acquire+0x277/0x3d0
_raw_spin_lock+0x2c/0x40
netif_napi_add+0x14b/0x270
e1000_probe+0x2fe/0xee0 [e1000e]
local_pci_probe+0x42/0x90
pci_device_probe+0x10b/0x1c0
really_probe+0xef/0x4b0
driver_probe_device+0xde/0x150
device_driver_attach+0x4f/0x60
__driver_attach+0x9c/0x140
bus_for_each_dev+0x79/0xc0
bus_add_driver+0x18d/0x220
driver_register+0x5b/0xf0
do_one_initcall+0x5b/0x300
do_init_module+0x5b/0x21c
load_module+0x1dae/0x22c0
__do_sys_finit_module+0xad/0x110
do_syscall_64+0x33/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INITIAL USE at:
lock_acquire+0x277/0x3d0
_raw_spin_lock+0x2c/0x40
netif_napi_add+0x14b/0x270
e1000_probe+0x2fe/0xee0 [e1000e]
local_pci_probe+0x42/0x90
pci_device_probe+0x10b/0x1c0
really_probe+0xef/0x4b0
driver_probe_device+0xde/0x150
device_driver_attach+0x4f/0x60
__driver_attach+0x9c/0x140
bus_for_each_dev+0x79/0xc0
bus_add_driver+0x18d/0x220
driver_register+0x5b/0xf0
do_one_initcall+0x5b/0x300
do_init_module+0x5b/0x21c
load_module+0x1dae/0x22c0
__do_sys_finit_module+0xad/0x110
do_syscall_64+0x33/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
}
... key at: [<
ffffffffae84ef38>] napi_hash_lock+0x18/0x40
... acquired at:
_raw_spin_lock+0x2c/0x40
netif_napi_add+0x14b/0x270
_iwl_pcie_rx_init+0x1f4/0x710 [iwlwifi]
iwl_pcie_rx_init+0x1b/0x3b0 [iwlwifi]
iwl_trans_pcie_start_fw+0x2ac/0x6a0 [iwlwifi]
iwl_mvm_load_ucode_wait_alive+0x116/0x460 [iwlmvm]
iwl_run_init_mvm_ucode+0xa4/0x3a0 [iwlmvm]
iwl_op_mode_mvm_start+0x9ed/0xbf0 [iwlmvm]
_iwl_op_mode_start.isra.4+0x42/0x80 [iwlwifi]
iwl_opmode_register+0x71/0xe0 [iwlwifi]
iwl_mvm_init+0x34/0x1000 [iwlmvm]
do_one_initcall+0x5b/0x300
do_init_module+0x5b/0x21c
load_module+0x1dae/0x22c0
__do_sys_finit_module+0xad/0x110
do_syscall_64+0x33/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
[ ... lockdep output trimmed .... ]
Fixes:
25edc8f259c7106 ("iwlwifi: pcie: properly implement NAPI")
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Acked-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/nycvar.YFH.7.76.2103021134060.12405@cbobk.fhfr.pm
Pierre-Louis Bossart [Tue, 2 Mar 2021 01:16:37 +0000 (19:16 -0600)]
iwlwifi: fix ARCH=i386 compilation warnings
An unsigned long variable should rely on '%lu' format strings, not '%zd'
Fixes:
a1a6a4cf49ece ("iwlwifi: pnvm: implement reading PNVM from UEFI")
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Acked-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210302011640.1276636-1-pierre-louis.bossart@linux.intel.com
Wei Yongjun [Tue, 23 Feb 2021 14:00:39 +0000 (14:00 +0000)]
iwlwifi: mvm: add terminate entry for dmi_system_id tables
Make sure dmi_system_id tables are NULL terminated. This crashed when LTO was enabled:
BUG: KASAN: global-out-of-bounds in dmi_check_system+0x5a/0x70
Read of size 1 at addr
ffffffffc16af750 by task NetworkManager/1913
CPU: 4 PID: 1913 Comm: NetworkManager Not tainted 5.12.0-rc1+ #10057
Hardware name: LENOVO 20THCTO1WW/20THCTO1WW, BIOS N2VET27W (1.12 ) 12/21/2020
Call Trace:
dump_stack+0x90/0xbe
print_address_description.constprop.0+0x1d/0x140
? dmi_check_system+0x5a/0x70
? dmi_check_system+0x5a/0x70
kasan_report.cold+0x7b/0xd4
? dmi_check_system+0x5a/0x70
__asan_load1+0x4d/0x50
dmi_check_system+0x5a/0x70
iwl_mvm_up+0x1360/0x1690 [iwlmvm]
? iwl_mvm_send_recovery_cmd+0x270/0x270 [iwlmvm]
? setup_object.isra.0+0x27/0xd0
? kasan_poison+0x20/0x50
? ___slab_alloc.constprop.0+0x483/0x5b0
? mempool_kmalloc+0x17/0x20
? ftrace_graph_ret_addr+0x2a/0xb0
? kasan_poison+0x3c/0x50
? cfg80211_iftype_allowed+0x2e/0x90 [cfg80211]
? __kasan_check_write+0x14/0x20
? mutex_lock+0x86/0xe0
? __mutex_lock_slowpath+0x20/0x20
__iwl_mvm_mac_start+0x49/0x290 [iwlmvm]
iwl_mvm_mac_start+0x37/0x50 [iwlmvm]
drv_start+0x73/0x1b0 [mac80211]
ieee80211_do_open+0x53e/0xf10 [mac80211]
? ieee80211_check_concurrent_iface+0x266/0x2e0 [mac80211]
ieee80211_open+0xb9/0x100 [mac80211]
__dev_open+0x1b8/0x280
Fixes:
a2ac0f48a07c ("iwlwifi: mvm: implement approved list for the PPAG feature")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Victor Michel <vic.michel.web@gmail.com>
Acked-by: Luca Coelho <luciano.coelho@intel.com>
[kvalo@codeaurora.org: improve commit log]
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210223140039.1708534-1-weiyongjun1@huawei.com
Biao Huang [Tue, 2 Mar 2021 03:33:23 +0000 (11:33 +0800)]
net: ethernet: mtk-star-emac: fix wrong unmap in RX handling
mtk_star_dma_unmap_rx() should unmap the dma_addr of old skb rather than
that of new skb.
Assign new_dma_addr to desc_data.dma_addr after all handling of old skb
ends to avoid unexpected receive side error.
Fixes:
f96e9641e92b ("net: ethernet: mtk-star-emac: fix error path in RX handling")
Signed-off-by: Biao Huang <biao.huang@mediatek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wong Vee Khee [Tue, 2 Mar 2021 08:57:21 +0000 (16:57 +0800)]
stmmac: intel: Fix mdio bus registration issue for TGL-H/ADL-S
On Intel platforms which consist of two Ethernet Controllers such as
TGL-H and ADL-S, a unique MDIO bus id is required for MDIO bus to be
successful registered:
[ 13.076133] sysfs: cannot create duplicate filename '/class/mdio_bus/stmmac-1'
[ 13.083404] CPU: 8 PID: 1898 Comm: systemd-udevd Tainted: G U 5.11.0-net-next #106
[ 13.092410] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DRR4 CRB, BIOS ADLIFSI1.R00.1494.B00.
2012031421 12/03/2020
[ 13.105709] Call Trace:
[ 13.108176] dump_stack+0x64/0x7c
[ 13.111553] sysfs_warn_dup+0x56/0x70
[ 13.115273] sysfs_do_create_link_sd.isra.2+0xbd/0xd0
[ 13.120371] device_add+0x4df/0x840
[ 13.123917] ? complete_all+0x2a/0x40
[ 13.127636] __mdiobus_register+0x98/0x310 [libphy]
[ 13.132572] stmmac_mdio_register+0x1c5/0x3f0 [stmmac]
[ 13.137771] ? stmmac_napi_add+0xa5/0xf0 [stmmac]
[ 13.142493] stmmac_dvr_probe+0x806/0xee0 [stmmac]
[ 13.147341] intel_eth_pci_probe+0x1cb/0x250 [dwmac_intel]
[ 13.152884] pci_device_probe+0xd2/0x150
[ 13.156897] really_probe+0xf7/0x4d0
[ 13.160527] driver_probe_device+0x5d/0x140
[ 13.164761] device_driver_attach+0x4f/0x60
[ 13.168996] __driver_attach+0xa2/0x140
[ 13.172891] ? device_driver_attach+0x60/0x60
[ 13.177300] bus_for_each_dev+0x76/0xc0
[ 13.181188] bus_add_driver+0x189/0x230
[ 13.185083] ? 0xffffffffc0795000
[ 13.188446] driver_register+0x5b/0xf0
[ 13.192249] ? 0xffffffffc0795000
[ 13.195577] do_one_initcall+0x4d/0x210
[ 13.199467] ? kmem_cache_alloc_trace+0x2ff/0x490
[ 13.204228] do_init_module+0x5b/0x21c
[ 13.208031] load_module+0x2a0c/0x2de0
[ 13.211838] ? __do_sys_finit_module+0xb1/0x110
[ 13.216420] __do_sys_finit_module+0xb1/0x110
[ 13.220825] do_syscall_64+0x33/0x40
[ 13.224451] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 13.229515] RIP: 0033:0x7fc2b1919ccd
[ 13.233113] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 31 0c 00 f7 d8 64 89 01 48
[ 13.251912] RSP: 002b:
00007ffcea2e5b98 EFLAGS:
00000246 ORIG_RAX:
0000000000000139
[ 13.259527] RAX:
ffffffffffffffda RBX:
0000560558920f10 RCX:
00007fc2b1919ccd
[ 13.266706] RDX:
0000000000000000 RSI:
00007fc2b1a881e3 RDI:
0000000000000012
[ 13.273887] RBP:
0000000000020000 R08:
0000000000000000 R09:
0000000000000000
[ 13.281036] R10:
0000000000000012 R11:
0000000000000246 R12:
00007fc2b1a881e3
[ 13.288183] R13:
0000000000000000 R14:
0000000000000000 R15:
00007ffcea2e5d58
[ 13.295389] libphy: mii_bus stmmac-1 failed to register
Fixes:
88af9bd4efbd ("stmmac: intel: Add ADL-S 1Gbps PCI IDs")
Fixes:
8450e23f142f ("stmmac: intel: Add PCI IDs for TGL-H platform")
Signed-off-by: Wong Vee Khee <vee.khee.wong@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso [Sat, 27 Feb 2021 21:31:27 +0000 (22:31 +0100)]
netfilter: nftables: disallow updates on table ownership
Disallow updating the ownership bit on an existing table: Do not allow
to grab ownership on an existing table. Do not allow to drop ownership
on an existing table.
Fixes:
6001a930ce03 ("netfilter: nftables: introduce table ownership")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Yauheni Kaliuta [Sun, 28 Feb 2021 10:30:17 +0000 (12:30 +0200)]
selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier
The verifier test labelled "valid read map access into a read-only array
2" calls the bpf_csum_diff() helper and checks its return value. However,
architecture implementations of csum_partial() (which is what the helper
uses) differ in whether they fold the return value to 16 bit or not. For
example, x86 version has ...
if (unlikely(odd)) {
result = from32to16(result);
result = ((result >> 8) & 0xff) | ((result & 0xff) << 8);
}
... while generic lib/checksum.c does:
result = from32to16(result);
if (odd)
result = ((result >> 8) & 0xff) | ((result & 0xff) << 8);
This makes the helper return different values on different architectures,
breaking the test on non-x86. To fix this, add an additional instruction
to always mask the return value to 16 bits, and update the expected return
value accordingly.
Fixes:
fb2abb73e575 ("bpf, selftest: test {rd, wr}only flags and direct value access")
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20210228103017.320240-1-yauheni.kaliuta@redhat.com
Ilya Leoshkevich [Sat, 27 Feb 2021 05:17:26 +0000 (06:17 +0100)]
selftests/bpf: Use the last page in test_snprintf_btf on s390
test_snprintf_btf fails on s390, because NULL points to a readable
struct lowcore there. Fix by using the last page instead.
Error message example:
printing
fffffffffffff000 should generate error, got (361)
Fixes:
076a95f5aff2 ("selftests/bpf: Add bpf_snprintf_btf helper tests")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20210227051726.121256-1-iii@linux.ibm.com
Eric Dumazet [Mon, 1 Mar 2021 18:29:17 +0000 (10:29 -0800)]
tcp: add sanity tests to TCP_QUEUE_SEQ
Qingyu Li reported a syzkaller bug where the repro
changes RCV SEQ _after_ restoring data in the receive queue.
mprotect(0x4aa000, 12288, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000,
16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
recvfrom(3, NULL, 20, 0, NULL, NULL) = -1 ECONNRESET (Connection reset by peer)
syslog shows:
[ 111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
[ 111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0
This should not be allowed. TCP_QUEUE_SEQ should only be used
when queues are empty.
This patch fixes this case, and the tx path as well.
Fixes:
ee9952831cfd ("tcp: Initial repair mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=212005
Reported-by: Qingyu Li <ieatmuttonchuan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrea Parri (Microsoft) [Mon, 1 Mar 2021 18:25:30 +0000 (19:25 +0100)]
hv_netvsc: Fix validation in netvsc_linkstatus_callback()
Contrary to the RNDIS protocol specification, certain (pre-Fe)
implementations of Hyper-V's vSwitch did not account for the status
buffer field in the length of an RNDIS packet; the bug was fixed in
newer implementations. Validate the status buffer fields using the
length of the 'vmtransfer_page' packet (all implementations), that
is known/validated to be less than or equal to the receive section
size and not smaller than the length of the RNDIS message.
Reported-by: Dexuan Cui <decui@microsoft.com>
Suggested-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Fixes:
505e3f00c3f36 ("hv_netvsc: Add (more) validation for untrusted Hyper-V values")
Signed-off-by: David S. Miller <davem@davemloft.net>
DENG Qingfang [Mon, 1 Mar 2021 16:01:59 +0000 (00:01 +0800)]
net: dsa: tag_mtk: fix 802.1ad VLAN egress
A different TPID bit is used for 802.1ad VLAN frames.
Reported-by: Ilario Gelmetti <iochesonome@gmail.com>
Fixes:
f0af34317f4b ("net: dsa: mediatek: combine MediaTek tag with VLAN tag")
Signed-off-by: DENG Qingfang <dqfext@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Willem de Bruijn [Mon, 1 Mar 2021 15:09:44 +0000 (15:09 +0000)]
net: expand textsearch ts_state to fit skb_seq_state
The referenced commit expands the skb_seq_state used by
skb_find_text with a 4B frag_off field, growing it to 48B.
This exceeds container ts_state->cb, causing a stack corruption:
[ 73.238353] Kernel panic - not syncing: stack-protector: Kernel stack
is corrupted in: skb_find_text+0xc5/0xd0
[ 73.247384] CPU: 1 PID: 376 Comm: nping Not tainted 5.11.0+ #4
[ 73.252613] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.14.0-2 04/01/2014
[ 73.260078] Call Trace:
[ 73.264677] dump_stack+0x57/0x6a
[ 73.267866] panic+0xf6/0x2b7
[ 73.270578] ? skb_find_text+0xc5/0xd0
[ 73.273964] __stack_chk_fail+0x10/0x10
[ 73.277491] skb_find_text+0xc5/0xd0
[ 73.280727] string_mt+0x1f/0x30
[ 73.283639] ipt_do_table+0x214/0x410
The struct is passed between skb_find_text and its callbacks
skb_prepare_seq_read, skb_seq_read and skb_abort_seq read through
the textsearch interface using TS_SKB_CB.
I assumed that this mapped to skb->cb like other .._SKB_CB wrappers.
skb->cb is 48B. But it maps to ts_state->cb, which is only 40B.
skb->cb was increased from 40B to 48B after ts_state was introduced,
in commit
3e3850e989c5 ("[NETFILTER]: Fix xfrm lookup in
ip_route_me_harder/ip6_route_me_harder").
Increase ts_state.cb[] to 48 to fit the struct.
Also add a BUILD_BUG_ON to avoid a repeat.
The alternative is to directly add a dependency from textsearch onto
linux/skbuff.h, but I think the intent is textsearch to have no such
dependencies on its callers.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=211911
Fixes:
97550f6fa592 ("net: compound page support in skb_seq_read")
Reported-by: Kris Karas <bugs-a17@moonlit-rail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Masanari Iida [Mon, 1 Mar 2021 12:28:23 +0000 (21:28 +0900)]
docs: networking: bonding.rst Fix a typo in bonding.rst
This patch fixes a spelling typo in bonding.rst.
Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 1 Mar 2021 21:37:08 +0000 (13:37 -0800)]
Merge tag 'linux-can-fixes-for-5.12-
20210301' of git://git./linux/kernel/git/mkl/linux-can
Marc Kleine-Budde says:
====================
pull-request: can 2021-03-01
this is a pull request of 6 patches for net/master.
The first 3 patches are by Joakim Zhang for the flexcan driver and fix
the probing and starting of the chip.
The next patch is by me, for the mcp251xfd driver and reverts the BQL
support. BQL support got mainline with rc1 and assumes that CAN frames
are always echoed, which is not the case. A proper fix requires
changes more changes and will be rolled out via linux-can-next later.
Oleksij Rempel's patch fixes the socket ref counting if socket was
closed before setting skb ownership.
Torin Cooper-Bennun's patch for the tcan4x5x driver fixes a race
condition, where the chip is first attached the bus and then the MRAM
is initialized, which may result in lost data.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 1 Mar 2021 21:34:47 +0000 (13:34 -0800)]
Merge branch 'enetc-fixes'
Vladimir Oltean says:
====================
Fixes for NXP ENETC driver
This contains an assorted set of fixes collected over the past 2 weeks
on the enetc driver. Some are related to VLAN processing, some to
physical link settings, some are fixups of previous hardware workarounds,
and some are simply zero-day data path bugs that for some reason were
never caught or at least identified.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Mon, 1 Mar 2021 11:18:18 +0000 (13:18 +0200)]
net: enetc: keep RX ring consumer index in sync with hardware
The RX rings have a producer index owned by hardware, where newly
received frame buffers are placed, and a consumer index owned by
software, where newly allocated buffers are placed, in expectation of
hardware being able to place frame data in them.
Hardware increments the producer index when a frame is received, however
it is not allowed to increment the producer index to match the consumer
index (RBCIR) since the ring can hold at most RBLENR[LENGTH]-1 received
BDs. Whenever the producer index matches the value of the consumer
index, the ring has no unprocessed received frames and all BDs in the
ring have been initialized/prepared by software, i.e. hardware owns all
BDs in the ring.
The code uses the next_to_clean variable to keep track of the producer
index, and the next_to_use variable to keep track of the consumer index.
The RX rings are seeded from enetc_refill_rx_ring, which is called from
two places:
1. initially the ring is seeded until full with enetc_bd_unused(rx_ring),
i.e. with 511 buffers. This will make next_to_clean=0 and next_to_use=511:
.ndo_open
-> enetc_open
-> enetc_setup_bdrs
-> enetc_setup_rxbdr
-> enetc_refill_rx_ring
2. then during the data path processing, it is refilled with 16 buffers
at a time:
enetc_msix
-> napi_schedule
-> enetc_poll
-> enetc_clean_rx_ring
-> enetc_refill_rx_ring
There is just one problem: the initial seeding done during .ndo_open
updates just the producer index (ENETC_RBPIR) with 0, and the software
next_to_clean and next_to_use variables. Notably, it will not update the
consumer index to make the hardware aware of the newly added buffers.
Wait, what? So how does it work?
Well, the reset values of the producer index and of the consumer index
of a ring are both zero. As per the description in the second paragraph,
it means that the ring is full of buffers waiting for hardware to put
frames in them, which by coincidence is almost true, because we have in
fact seeded 511 buffers into the ring.
But will the hardware attempt to access the 512th entry of the ring,
which has an invalid BD in it? Well, no, because in order to do that, it
would have to first populate the first 511 entries, and the NAPI
enetc_poll will kick in by then. Eventually, after 16 processed slots
have become available in the RX ring, enetc_clean_rx_ring will call
enetc_refill_rx_ring and then will [ finally ] update the consumer index
with the new software next_to_use variable. From now on, the
next_to_clean and next_to_use variables are in sync with the producer
and consumer ring indices.
So the day is saved, right? Well, not quite. Freeing the memory
allocated for the rings is done in:
enetc_close
-> enetc_clear_bdrs
-> enetc_clear_rxbdr
-> this just disables the ring
-> enetc_free_rxtx_rings
-> enetc_free_rx_ring
-> sets next_to_clean and next_to_use to 0
but again, nothing is committed to the hardware producer and consumer
indices (yay!). The assumption is that the ring is disabled, so the
indices don't matter anyway, and it's the responsibility of the "open"
code path to set those up.
.. Except that the "open" code path does not set those up properly.
While initially, things almost work, during subsequent enetc_close ->
enetc_open sequences, we have problems. To be precise, the enetc_open
that is subsequent to enetc_close will again refill the ring with 511
entries, but it will leave the consumer index untouched. Untouched
means, of course, equal to the value it had before disabling the ring
and draining the old buffers in enetc_close.
But as mentioned, enetc_setup_rxbdr will at least update the producer
index though, through this line of code:
enetc_rxbdr_wr(hw, idx, ENETC_RBPIR, 0);
so at this stage we'll have:
next_to_clean=0 (in hardware 0)
next_to_use=511 (in hardware we'll have the refill index prior to enetc_close)
Again, the next_to_clean and producer index are in sync and set to
correct values, so the driver manages to limp on. Eventually, 16 ring
entries will be consumed by enetc_poll, and the savior
enetc_clean_rx_ring will come and call enetc_refill_rx_ring, and then
update the hardware consumer ring based upon the new next_to_use.
So.. it works?
Well, by coincidence, it almost does, but there's a circumstance where
enetc_clean_rx_ring won't be there to save us. If the previous value of
the consumer index was 15, there's a problem, because the NAPI poll
sequence will only issue a refill when 16 or more buffers have been
consumed.
It's easiest to illustrate this with an example:
ip link set eno0 up
ip addr add 192.168.100.1/24 dev eno0
ping 192.168.100.1 -c 20 # ping this port from another board
ip link set eno0 down
ip link set eno0 up
ping 192.168.100.1 -c 20 # ping it again from the same other board
One by one:
1. ip link set eno0 up
-> calls enetc_setup_rxbdr:
-> calls enetc_refill_rx_ring(511 buffers)
-> next_to_clean=0 (in hw 0)
-> next_to_use=511 (in hw 0)
2. ping 192.168.100.1 -c 20 # ping this port from another board
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=1 next_to_clean 0 (in hw 1) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=2 next_to_clean 1 (in hw 2) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=3 next_to_clean 2 (in hw 3) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=4 next_to_clean 3 (in hw 4) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=5 next_to_clean 4 (in hw 5) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=6 next_to_clean 5 (in hw 6) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=7 next_to_clean 6 (in hw 7) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=8 next_to_clean 7 (in hw 8) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=9 next_to_clean 8 (in hw 9) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=10 next_to_clean 9 (in hw 10) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=11 next_to_clean 10 (in hw 11) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=12 next_to_clean 11 (in hw 12) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=13 next_to_clean 12 (in hw 13) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=14 next_to_clean 13 (in hw 14) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=15 next_to_clean 14 (in hw 15) next_to_use 511 (in hw 0)
enetc_clean_rx_ring: enetc_refill_rx_ring(16) increments next_to_use by 16 (mod 512) and writes it to hw
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=0 next_to_clean 15 (in hw 16) next_to_use 15 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=1 next_to_clean 16 (in hw 17) next_to_use 15 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=2 next_to_clean 17 (in hw 18) next_to_use 15 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=3 next_to_clean 18 (in hw 19) next_to_use 15 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=4 next_to_clean 19 (in hw 20) next_to_use 15 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=5 next_to_clean 20 (in hw 21) next_to_use 15 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=6 next_to_clean 21 (in hw 22) next_to_use 15 (in hw 15)
20 packets transmitted, 20 packets received, 0% packet loss
3. ip link set eno0 down
enetc_free_rx_ring: next_to_clean 0 (in hw 22), next_to_use 0 (in hw 15)
4. ip link set eno0 up
-> calls enetc_setup_rxbdr:
-> calls enetc_refill_rx_ring(511 buffers)
-> next_to_clean=0 (in hw 0)
-> next_to_use=511 (in hw 15)
5. ping 192.168.100.1 -c 20 # ping it again from the same other board
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=1 next_to_clean 0 (in hw 1) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=2 next_to_clean 1 (in hw 2) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=3 next_to_clean 2 (in hw 3) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=4 next_to_clean 3 (in hw 4) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=5 next_to_clean 4 (in hw 5) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=6 next_to_clean 5 (in hw 6) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=7 next_to_clean 6 (in hw 7) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=8 next_to_clean 7 (in hw 8) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=9 next_to_clean 8 (in hw 9) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=10 next_to_clean 9 (in hw 10) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=11 next_to_clean 10 (in hw 11) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=12 next_to_clean 11 (in hw 12) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=13 next_to_clean 12 (in hw 13) next_to_use 511 (in hw 15)
enetc_clean_rx_ring: rx_frm_cnt=1 cleaned_cnt=14 next_to_clean 13 (in hw 14) next_to_use 511 (in hw 15)
20 packets transmitted, 12 packets received, 40% packet loss
And there it dies. No enetc_refill_rx_ring (because cleaned_cnt must be equal
to 15 for that to happen), no nothing. The hardware enters the condition where
the producer (14) + 1 is equal to the consumer (15) index, which makes it
believe it has no more free buffers to put packets in, so it starts discarding
them:
ip netns exec ns0 ethtool -S eno0 | grep -v ': 0'
NIC statistics:
Rx ring 0 discarded frames: 8
Summarized, if the interface receives between 16 and 32 (mod 512) frames
and then there is a link flap, then the port will eventually die with no
way to recover. If it receives less than 16 (mod 512) frames, then the
initial NAPI poll [ before the link flap ] will not update the consumer
index in hardware (it will remain zero) which will be ok when the buffers
are later reinitialized. If more than 32 (mod 512) frames are received,
the initial NAPI poll has the chance to refill the ring twice, updating
the consumer index to at least 32. So after the link flap, the consumer
index is still wrong, but the post-flap NAPI poll gets a chance to
refill the ring once (because it passes through cleaned_cnt=15) and
makes the consumer index be again back in sync with next_to_use.
The solution to this problem is actually simple, we just need to write
next_to_use into the hardware consumer index at enetc_open time, which
always brings it back in sync after an initial buffer seeding process.
The simpler thing would be to put the write to the consumer index into
enetc_refill_rx_ring directly, but there are issues with the MDIO
locking: in the NAPI poll code we have the enetc_lock_mdio() taken from
top-level and we use the unlocked enetc_wr_reg_hot, whereas in
enetc_open, the enetc_lock_mdio() is not taken at the top level, but
instead by each individual enetc_wr_reg, so we are forced to put an
additional enetc_wr_reg in enetc_setup_rxbdr. Better organization of
the code is left as a refactoring exercise.
Fixes:
d4fd0404c1c9 ("enetc: Introduce basic PF and VF ENETC ethernet drivers")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Mon, 1 Mar 2021 11:18:17 +0000 (13:18 +0200)]
net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr
The Station Interface Receive Interrupt Detect Register (SIRXIDR)
contains a 16-bit wide mask of 'interrupt detected' events for each ring
associated with a port. Bit i is write-1-to-clean for RX ring i.
I have no explanation whatsoever how this line of code came to be
inserted in the blamed commit. I checked the downstream versions of that
patch and none of them have it.
The somewhat comical aspect of it is that we're writing a binary number
to the SIRXIDR register, which is derived from enetc_bd_unused(rx_ring).
Since the RX rings have 512 buffer descriptors, we end up writing 511 to
this register, which is 0x1ff, so we are effectively clearing the
'interrupt detected' event for rings 0-8.
This register is not what is used for interrupt handling though - it
only provides a summary for the entire SI. The hardware provides one
separate Interrupt Detect Register per RX ring, which auto-clears upon
read. So there doesn't seem to be any adverse effect caused by this
bogus write.
There is, however, one reason why this should be handled as a bugfix:
next_to_clean _should_ be committed to hardware, just not to that
register, and this was obscuring the fact that it wasn't. This is fixed
in the next patch, and removing the bogus line now allows the fix patch
to be backported beyond that point.
Fixes:
fd5736bf9f23 ("enetc: Workaround for MDIO register access issue")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Mon, 1 Mar 2021 11:18:16 +0000 (13:18 +0200)]
net: enetc: force the RGMII speed and duplex instead of operating in inband mode
The ENETC port 0 MAC supports in-band status signaling coming from a PHY
when operating in RGMII mode, and this feature is enabled by default.
It has been reported that RGMII is broken in fixed-link, and that is not
surprising considering the fact that no PHY is attached to the MAC in
that case, but a switch.
This brings us to the topic of the patch: the enetc driver should have
not enabled the optional in-band status signaling for RGMII unconditionally,
but should have forced the speed and duplex to what was resolved by
phylink.
Note that phylink does not accept the RGMII modes as valid for in-band
signaling, and these operate a bit differently than 1000base-x and SGMII
(notably there is no clause 37 state machine so no ACK required from the
MAC, instead the PHY sends extra code words on RXD[3:0] whenever it is
not transmitting something else, so it should be safe to leave a PHY
with this option unconditionally enabled even if we ignore it). The spec
talks about this here:
https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/138/RGMIIv1_5F00_3.pdf
Fixes:
71b77a7a27a3 ("enetc: Migrate to PHYLINK and PCS_LYNX")
Cc: Florian Fainelli <f.fainelli@gmail.com>
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Mon, 1 Mar 2021 11:18:15 +0000 (13:18 +0200)]
net: enetc: don't disable VLAN filtering in IFF_PROMISC mode
Quoting from the blamed commit:
In promiscuous mode, it is more intuitive that all traffic is received,
including VLAN tagged traffic. It appears that it is necessary to set
the flag in PSIPVMR for that to be the case, so VLAN promiscuous mode is
also temporarily enabled. On exit from promiscuous mode, the setting
made by ethtool is restored.
Intuitive or not, there isn't any definition issued by a standards body
which says that promiscuity has anything to do with VLAN filtering - it
only has to do with accepting packets regardless of destination MAC address.
In fact people are already trying to use this misunderstanding/bug of
the enetc driver as a justification to transform promiscuity into
something it never was about: accepting every packet (maybe that would
be the "rx-all" netdev feature?):
https://lore.kernel.org/netdev/
20201110153958.ci5ekor3o2ekg3ky@ipetronik.com/
This is relevant because there are use cases in the kernel (such as
tc-flower rules with the protocol 802.1Q and a vlan_id key) which do not
(yet) use the vlan_vid_add API to be compatible with VLAN-filtering NICs
such as enetc, so for those, disabling rx-vlan-filter is currently the
only right solution to make these setups work:
https://lore.kernel.org/netdev/CA+h21hoxwRdhq4y+w8Kwgm74d4cA0xLeiHTrmT-VpSaM7obhkg@mail.gmail.com/
The blamed patch has unintentionally introduced one more way for this to
work, which is to enable IFF_PROMISC, however this is non-portable
because port promiscuity is not meant to disable VLAN filtering.
Therefore, it could invite people to write broken scripts for enetc, and
then wonder why they are broken when migrating to other drivers that
don't handle promiscuity in the same way.
Fixes:
7070eea5e95a ("enetc: permit configuration of rx-vlan-filter with ethtool")
Cc: Markus Blöchl <Markus.Bloechl@ipetronik.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Mon, 1 Mar 2021 11:18:14 +0000 (13:18 +0200)]
net: enetc: fix incorrect TPID when receiving 802.1ad tagged packets
When the enetc ports have rx-vlan-offload enabled, they report a TPID of
ETH_P_8021Q regardless of what was actually in the packet. When
rx-vlan-offload is disabled, packets have the proper TPID. Fix this
inconsistency by finishing the TODO left in the code.
Fixes:
d4fd0404c1c9 ("enetc: Introduce basic PF and VF ENETC ethernet drivers")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Mon, 1 Mar 2021 11:18:13 +0000 (13:18 +0200)]
net: enetc: take the MDIO lock only once per NAPI poll cycle
The workaround for the ENETC MDIO erratum caused a performance
degradation of 82 Kpps (seen with IP forwarding of two 1Gbps streams of
64B packets). This is due to excessive locking and unlocking in the fast
path, which can be avoided.
By taking the MDIO read-side lock only once per NAPI poll cycle, we are
able to regain 54 Kpps (65%) of the performance hit. The rest of the
performance degradation comes from the TX data path, but unfortunately
it doesn't look like we can optimize that away easily, even with
netdev_xmit_more(), there just isn't any skb batching done, to help with
taking the MDIO lock less often than once per packet.
We need to change the register accessor type for enetc_get_tx_tstamp,
because it now runs under the enetc_lock_mdio as per the new call path
detailed below:
enetc_msix
-> napi_schedule
-> enetc_poll
-> enetc_lock_mdio
-> enetc_clean_tx_ring
-> enetc_get_tx_tstamp
-> enetc_clean_rx_ring
-> enetc_unlock_mdio
Fixes:
fd5736bf9f23 ("enetc: Workaround for MDIO register access issue")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Mon, 1 Mar 2021 11:18:12 +0000 (13:18 +0200)]
net: enetc: initialize RFS/RSS memories for unused ports too
Michael reports that since linux-next-
20210211, the AER messages for ECC
errors have started reappearing, and this time they can be reliably
reproduced with the first ping on one of his LS1028A boards.
$ ping 1[ 33.258069] pcieport 0000:00:1f.0: AER: Multiple Corrected error received: 0000:00:00.0
72.16.0.1
PING [ 33.267050] pcieport 0000:00:1f.0: AER: can't find device of ID0000
172.16.0.1 (172.16.0.1): 56 data bytes
64 bytes from 172.16.0.1: seq=0 ttl=64 time=17.124 ms
64 bytes from 172.16.0.1: seq=1 ttl=64 time=0.273 ms
$ devmem 0x1f8010e10 32
0xC0000006
It isn't clear why this is necessary, but it seems that for the errors
to go away, we must clear the entire RFS and RSS memory, not just for
the ports in use.
Sadly the code is structured in such a way that we can't have unified
logic for the used and unused ports. For the minimal initialization of
an unused port, we need just to enable and ioremap the PF memory space,
and a control buffer descriptor ring. Unused ports must then free the
CBDR because the driver will exit, but used ports can not pick up from
where that code path left, since the CBDR API does not reinitialize a
ring when setting it up, so its producer and consumer indices are out of
sync between the software and hardware state. So a separate
enetc_init_unused_port function was created, and it gets called right
after the PF memory space is enabled.
Fixes:
07bf34a50e32 ("net: enetc: initialize the RFS and RSS memories")
Reported-by: Michael Walle <michael@walle.cc>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Tested-by: Michael Walle <michael@walle.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladimir Oltean [Mon, 1 Mar 2021 11:18:11 +0000 (13:18 +0200)]
net: enetc: don't overwrite the RSS indirection table when initializing
After the blamed patch, all RX traffic gets hashed to CPU 0 because the
hashing indirection table set up in:
enetc_pf_probe
-> enetc_alloc_si_resources
-> enetc_configure_si
-> enetc_setup_default_rss_table
is overwritten later in:
enetc_pf_probe
-> enetc_init_port_rss_memory
which zero-initializes the entire port RSS table in order to avoid ECC errors.
The trouble really is that enetc_init_port_rss_memory really neads
enetc_alloc_si_resources to be called, because it depends upon
enetc_alloc_cbdr and enetc_setup_cbdr. But that whole enetc_configure_si
thing could have been better thought out, it has nothing to do in a
function called "alloc_si_resources", especially since its counterpart,
"free_si_resources", does nothing to unwind the configuration of the SI.
The point is, we need to pull out enetc_configure_si out of
enetc_alloc_resources, and move it after enetc_init_port_rss_memory.
This allows us to set up the default RSS indirection table after
initializing the memory.
Fixes:
07bf34a50e32 ("net: enetc: initialize the RFS and RSS memories")
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yejune Deng [Mon, 1 Mar 2021 06:05:48 +0000 (14:05 +0800)]
inetpeer: use div64_ul() and clamp_val() calculate inet_peer_threshold
In inet_initpeers(), struct inet_peer on IA32 uses 128 bytes in nowdays.
Get rid of the cascade and use div64_ul() and clamp_val() calculate that
will not need to be adjusted in the future as suggested by Eric Dumazet.
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Yejune Deng <yejune.deng@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pavel Skripkin [Sun, 28 Feb 2021 23:22:40 +0000 (02:22 +0300)]
net/qrtr: fix __netdev_alloc_skb call
syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= MAX_ORDER.
It was caused by a huge length value passed from userspace to qrtr_tun_write_iter(),
which tries to allocate skb. Since the value comes from the untrusted source
there is no need to raise a warning in __alloc_pages_nodemask().
[1] WARNING in __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5014
Call Trace:
__alloc_pages include/linux/gfp.h:511 [inline]
__alloc_pages_node include/linux/gfp.h:524 [inline]
alloc_pages_node include/linux/gfp.h:538 [inline]
kmalloc_large_node+0x60/0x110 mm/slub.c:3999
__kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496
__kmalloc_reserve net/core/skbuff.c:150 [inline]
__alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210
__netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446
netdev_alloc_skb include/linux/skbuff.h:2832 [inline]
qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442
qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x426/0x650 fs/read_write.c:518
vfs_write+0x791/0xa30 fs/read_write.c:605
ksys_write+0x12d/0x250 fs/read_write.c:658
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Acked-by: Alexander Lobakin <alobakin@pm.me>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 1 Mar 2021 21:22:34 +0000 (13:22 -0800)]
Merge branch 'sh_eth-masks'
Sergey Shtylyov says:
====================
Fix TRSCER masks in the Ether driver
Here are 3 patches against DaveM's 'net' repo. I'm fixing the TRSCER masks in
the driver to match the manuals...
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergey Shtylyov [Sun, 28 Feb 2021 20:27:32 +0000 (23:27 +0300)]
sh_eth: fix TRSCER mask for R7S9210
According to the RZ/A2M Group User's Manual: Hardware, Rev. 2.00,
the TRSCER register has bit 9 reserved, hence we can't use the driver's
default TRSCER mask. Add the explicit initializer for sh_eth_cpu_data::
trscer_err_mask for R7S9210.
Fixes:
6e0bb04d0e4f ("sh_eth: Add R7S9210 support")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergey Shtylyov [Sun, 28 Feb 2021 20:26:34 +0000 (23:26 +0300)]
sh_eth: fix TRSCER mask for R7S72100
According to the RZ/A1H Group, RZ/A1M Group User's Manual: Hardware,
Rev. 4.00, the TRSCER register has bit 9 reserved, hence we can't use
the driver's default TRSCER mask. Add the explicit initializer for
sh_eth_cpu_data::trscer_err_mask for R7S72100.
Fixes:
db893473d313 ("sh_eth: Add support for r7s72100")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergey Shtylyov [Sun, 28 Feb 2021 20:25:43 +0000 (23:25 +0300)]
sh_eth: fix TRSCER mask for SH771x
According to the SH7710, SH7712, SH7713 Group User's Manual: Hardware,
Rev. 3.00, the TRSCER register actually has only bit 7 valid (and named
differently), with all the other bits reserved. Apparently, this was not
the case with some early revisions of the manual as we have the other
bits declared (and set) in the original driver. Follow the suit and add
the explicit sh_eth_cpu_data::trscer_err_mask initializer for SH771x...
Fixes:
86a74ff21a7a ("net: sh_eth: add support for Renesas SuperH Ethernet")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tong Zhang [Sun, 28 Feb 2021 03:55:50 +0000 (22:55 -0500)]
atm: lanai: dont run lanai_dev_close if not open
lanai_dev_open() can fail. When it fail, lanai->base is unmapped and the
pci device is disabled. The caller, lanai_init_one(), then tries to run
atm_dev_deregister(). This will subsequently call lanai_dev_close() and
use the already released MMIO area.
To fix this issue, set the lanai->base to NULL if open fail,
and test the flag in lanai_dev_close().
[ 8.324153] lanai: lanai_start() failed, err=19
[ 8.324819] lanai(itf 0): shutting down interface
[ 8.325211] BUG: unable to handle page fault for address:
ffffc90000180024
[ 8.325781] #PF: supervisor write access in kernel mode
[ 8.326215] #PF: error_code(0x0002) - not-present page
[ 8.326641] PGD
100000067 P4D
100000067 PUD
100139067 PMD
10013a067 PTE 0
[ 8.327206] Oops: 0002 [#1] SMP KASAN NOPTI
[ 8.327557] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7-00090-gdcc0b49040c7 #12
[ 8.328229] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-4
[ 8.329145] RIP: 0010:lanai_dev_close+0x4f/0xe5 [lanai]
[ 8.329587] Code: 00 48 c7 c7 00 d3 01 c0 e8 49 4e 0a c2 48 8d bd 08 02 00 00 e8 6e 52 14 c1 48 80
[ 8.330917] RSP: 0018:
ffff8881029ef680 EFLAGS:
00010246
[ 8.331196] RAX:
000000000003fffe RBX:
ffff888102fb4800 RCX:
ffffffffc001a98a
[ 8.331572] RDX:
ffffc90000180000 RSI:
0000000000000246 RDI:
ffff888102fb4000
[ 8.331948] RBP:
ffff888102fb4000 R08:
ffffffff8115da8a R09:
ffffed102053deaa
[ 8.332326] R10:
0000000000000003 R11:
ffffed102053dea9 R12:
ffff888102fb48a4
[ 8.332701] R13:
ffffffffc00123c0 R14:
ffff888102fb4b90 R15:
ffff888102fb4b88
[ 8.333077] FS:
00007f08eb9056a0(0000) GS:
ffff88815b400000(0000) knlGS:
0000000000000000
[ 8.333502] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 8.333806] CR2:
ffffc90000180024 CR3:
0000000102a28000 CR4:
00000000000006f0
[ 8.334182] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 8.334557] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 8.334932] Call Trace:
[ 8.335066] atm_dev_deregister+0x161/0x1a0 [atm]
[ 8.335324] lanai_init_one.cold+0x20c/0x96d [lanai]
[ 8.335594] ? lanai_send+0x2a0/0x2a0 [lanai]
[ 8.335831] local_pci_probe+0x6f/0xb0
[ 8.336039] pci_device_probe+0x171/0x240
[ 8.336255] ? pci_device_remove+0xe0/0xe0
[ 8.336475] ? kernfs_create_link+0xb6/0x110
[ 8.336704] ? sysfs_do_create_link_sd.isra.0+0x76/0xe0
[ 8.336983] really_probe+0x161/0x420
[ 8.337181] driver_probe_device+0x6d/0xd0
[ 8.337401] device_driver_attach+0x82/0x90
[ 8.337626] ? device_driver_attach+0x90/0x90
[ 8.337859] __driver_attach+0x60/0x100
[ 8.338065] ? device_driver_attach+0x90/0x90
[ 8.338298] bus_for_each_dev+0xe1/0x140
[ 8.338511] ? subsys_dev_iter_exit+0x10/0x10
[ 8.338745] ? klist_node_init+0x61/0x80
[ 8.338956] bus_add_driver+0x254/0x2a0
[ 8.339164] driver_register+0xd3/0x150
[ 8.339370] ? 0xffffffffc0028000
[ 8.339550] do_one_initcall+0x84/0x250
[ 8.339755] ? trace_event_raw_event_initcall_finish+0x150/0x150
[ 8.340076] ? free_vmap_area_noflush+0x1a5/0x5c0
[ 8.340329] ? unpoison_range+0xf/0x30
[ 8.340532] ? ____kasan_kmalloc.constprop.0+0x84/0xa0
[ 8.340806] ? unpoison_range+0xf/0x30
[ 8.341014] ? unpoison_range+0xf/0x30
[ 8.341217] do_init_module+0xf8/0x350
[ 8.341419] load_module+0x3fe6/0x4340
[ 8.341621] ? vm_unmap_ram+0x1d0/0x1d0
[ 8.341826] ? ____kasan_kmalloc.constprop.0+0x84/0xa0
[ 8.342101] ? module_frob_arch_sections+0x20/0x20
[ 8.342358] ? __do_sys_finit_module+0x108/0x170
[ 8.342604] __do_sys_finit_module+0x108/0x170
[ 8.342841] ? __ia32_sys_init_module+0x40/0x40
[ 8.343083] ? file_open_root+0x200/0x200
[ 8.343298] ? do_sys_open+0x85/0xe0
[ 8.343491] ? filp_open+0x50/0x50
[ 8.343675] ? exit_to_user_mode_prepare+0xfc/0x130
[ 8.343935] do_syscall_64+0x33/0x40
[ 8.344132] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 8.344401] RIP: 0033:0x7f08eb887cf7
[ 8.344594] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 41
[ 8.345565] RSP: 002b:
00007ffcd5c98ad8 EFLAGS:
00000246 ORIG_RAX:
0000000000000139
[ 8.345962] RAX:
ffffffffffffffda RBX:
00000000008fea70 RCX:
00007f08eb887cf7
[ 8.346336] RDX:
0000000000000000 RSI:
00000000008fd9e0 RDI:
0000000000000003
[ 8.346711] RBP:
0000000000000003 R08:
0000000000000000 R09:
0000000000000001
[ 8.347085] R10:
00007f08eb8eb300 R11:
0000000000000246 R12:
00000000008fd9e0
[ 8.347460] R13:
0000000000000000 R14:
00000000008fddd0 R15:
0000000000000001
[ 8.347836] Modules linked in: lanai(+) atm
[ 8.348065] CR2:
ffffc90000180024
[ 8.348244] ---[ end trace
7fdc1c668f2003e5 ]---
[ 8.348490] RIP: 0010:lanai_dev_close+0x4f/0xe5 [lanai]
[ 8.348772] Code: 00 48 c7 c7 00 d3 01 c0 e8 49 4e 0a c2 48 8d bd 08 02 00 00 e8 6e 52 14 c1 48 80
[ 8.349745] RSP: 0018:
ffff8881029ef680 EFLAGS:
00010246
[ 8.350022] RAX:
000000000003fffe RBX:
ffff888102fb4800 RCX:
ffffffffc001a98a
[ 8.350397] RDX:
ffffc90000180000 RSI:
0000000000000246 RDI:
ffff888102fb4000
[ 8.350772] RBP:
ffff888102fb4000 R08:
ffffffff8115da8a R09:
ffffed102053deaa
[ 8.351151] R10:
0000000000000003 R11:
ffffed102053dea9 R12:
ffff888102fb48a4
[ 8.351525] R13:
ffffffffc00123c0 R14:
ffff888102fb4b90 R15:
ffff888102fb4b88
[ 8.351918] FS:
00007f08eb9056a0(0000) GS:
ffff88815b400000(0000) knlGS:
0000000000000000
[ 8.352343] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 8.352647] CR2:
ffffc90000180024 CR3:
0000000102a28000 CR4:
00000000000006f0
[ 8.353022] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 8.353397] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 8.353958] modprobe (95) used greatest stack depth: 26216 bytes left
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tong Zhang [Sat, 27 Feb 2021 21:15:06 +0000 (16:15 -0500)]
atm: eni: dont release is never initialized
label err_eni_release is reachable when eni_start() fail.
In eni_start() it calls dev->phy->start() in the last step, if start()
fail we don't need to call phy->stop(), if start() is never called, we
neither need to call phy->stop(), otherwise null-ptr-deref will happen.
In order to fix this issue, don't call phy->stop() in label err_eni_release
[ 4.875714] ==================================================================
[ 4.876091] BUG: KASAN: null-ptr-deref in suni_stop+0x47/0x100 [suni]
[ 4.876433] Read of size 8 at addr
0000000000000030 by task modprobe/95
[ 4.876778]
[ 4.876862] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7-00090-gdcc0b49040c7 #2
[ 4.877290] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd94
[ 4.877876] Call Trace:
[ 4.878009] dump_stack+0x7d/0xa3
[ 4.878191] kasan_report.cold+0x10c/0x10e
[ 4.878410] ? __slab_free+0x2f0/0x340
[ 4.878612] ? suni_stop+0x47/0x100 [suni]
[ 4.878832] suni_stop+0x47/0x100 [suni]
[ 4.879043] eni_do_release+0x3b/0x70 [eni]
[ 4.879269] eni_init_one.cold+0x1152/0x1747 [eni]
[ 4.879528] ? _raw_spin_lock_irqsave+0x7b/0xd0
[ 4.879768] ? eni_ioctl+0x270/0x270 [eni]
[ 4.879990] ? __mutex_lock_slowpath+0x10/0x10
[ 4.880226] ? eni_ioctl+0x270/0x270 [eni]
[ 4.880448] local_pci_probe+0x6f/0xb0
[ 4.880650] pci_device_probe+0x171/0x240
[ 4.880864] ? pci_device_remove+0xe0/0xe0
[ 4.881086] ? kernfs_create_link+0xb6/0x110
[ 4.881315] ? sysfs_do_create_link_sd.isra.0+0x76/0xe0
[ 4.881594] really_probe+0x161/0x420
[ 4.881791] driver_probe_device+0x6d/0xd0
[ 4.882010] device_driver_attach+0x82/0x90
[ 4.882233] ? device_driver_attach+0x90/0x90
[ 4.882465] __driver_attach+0x60/0x100
[ 4.882671] ? device_driver_attach+0x90/0x90
[ 4.882903] bus_for_each_dev+0xe1/0x140
[ 4.883114] ? subsys_dev_iter_exit+0x10/0x10
[ 4.883346] ? klist_node_init+0x61/0x80
[ 4.883557] bus_add_driver+0x254/0x2a0
[ 4.883764] driver_register+0xd3/0x150
[ 4.883971] ? 0xffffffffc0038000
[ 4.884149] do_one_initcall+0x84/0x250
[ 4.884355] ? trace_event_raw_event_initcall_finish+0x150/0x150
[ 4.884674] ? unpoison_range+0xf/0x30
[ 4.884875] ? ____kasan_kmalloc.constprop.0+0x84/0xa0
[ 4.885150] ? unpoison_range+0xf/0x30
[ 4.885352] ? unpoison_range+0xf/0x30
[ 4.885557] do_init_module+0xf8/0x350
[ 4.885760] load_module+0x3fe6/0x4340
[ 4.885960] ? vm_unmap_ram+0x1d0/0x1d0
[ 4.886166] ? ____kasan_kmalloc.constprop.0+0x84/0xa0
[ 4.886441] ? module_frob_arch_sections+0x20/0x20
[ 4.886697] ? __do_sys_finit_module+0x108/0x170
[ 4.886941] __do_sys_finit_module+0x108/0x170
[ 4.887178] ? __ia32_sys_init_module+0x40/0x40
[ 4.887419] ? file_open_root+0x200/0x200
[ 4.887634] ? do_sys_open+0x85/0xe0
[ 4.887826] ? filp_open+0x50/0x50
[ 4.888009] ? fpregs_assert_state_consistent+0x4d/0x60
[ 4.888287] ? exit_to_user_mode_prepare+0x2f/0x130
[ 4.888547] do_syscall_64+0x33/0x40
[ 4.888739] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 4.889010] RIP: 0033:0x7ff62fcf1cf7
[ 4.889202] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f71
[ 4.890172] RSP: 002b:
00007ffe6644ade8 EFLAGS:
00000246 ORIG_RAX:
0000000000000139
[ 4.890570] RAX:
ffffffffffffffda RBX:
0000000000f2ca70 RCX:
00007ff62fcf1cf7
[ 4.890944] RDX:
0000000000000000 RSI:
0000000000f2b9e0 RDI:
0000000000000003
[ 4.891318] RBP:
0000000000000003 R08:
0000000000000000 R09:
0000000000000001
[ 4.891691] R10:
00007ff62fd55300 R11:
0000000000000246 R12:
0000000000f2b9e0
[ 4.892064] R13:
0000000000000000 R14:
0000000000f2bdd0 R15:
0000000000000001
[ 4.892439] ==================================================================
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guangbin Huang [Sat, 27 Feb 2021 03:05:58 +0000 (11:05 +0800)]
net: phy: fix save wrong speed and duplex problem if autoneg is on
If phy uses generic driver and autoneg is on, enter command
"ethtool -s eth0 speed 50" will not change phy speed actually, but
command "ethtool eth0" shows speed is 50Mb/s because phydev->speed
has been set to 50 and no update later.
And duplex setting has same problem too.
However, if autoneg is on, phy only changes speed and duplex according to
phydev->advertising, but not phydev->speed and phydev->duplex. So in this
case, phydev->speed and phydev->duplex don't need to be set in function
phy_ethtool_ksettings_set() if autoneg is on.
Fixes:
51e2a3846eab ("PHY: Avoid unnecessary aneg restarts")
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jason A. Donenfeld [Sat, 27 Feb 2021 00:40:19 +0000 (01:40 +0100)]
net: always use icmp{,v6}_ndo_send from ndo_start_xmit
There were a few remaining tunnel drivers that didn't receive the prior
conversion to icmp{,v6}_ndo_send. Knowing now that this could lead to
memory corrution (see
ee576c47db60 ("net: icmp: pass zeroed opts from
icmp{,v6}_ndo_send before sending") for details), there's even more
imperative to have these all converted. So this commit goes through the
remaining cases that I could find and does a boring translation to the
ndo variety.
The Fixes: line below is the merge that originally added icmp{,v6}_
ndo_send and converted the first batch of icmp{,v6}_send users. The
rationale then for the change applies equally to this patch. It's just
that these drivers were left out of the initial conversion because these
network devices are hiding in net/ rather than in drivers/net/.
Cc: Florian Westphal <fw@strlen.de>
Cc: Willem de Bruijn <willemb@google.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: David Ahern <dsahern@kernel.org>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Fixes:
803381f9f117 ("Merge branch 'icmp-account-for-NAT-when-sending-icmps-from-ndo-layer'")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
DENG Qingfang [Sun, 28 Feb 2021 17:08:23 +0000 (01:08 +0800)]
net: dsa: tag_rtl4_a: fix egress tags
Commit
86dd9868b878 has several issues, but was accepted too soon
before anyone could take a look.
- Double free. dsa_slave_xmit() will free the skb if the xmit function
returns NULL, but the skb is already freed by eth_skb_pad(). Use
__skb_put_padto() to avoid that.
- Unnecessary allocation. It has been done by DSA core since commit
a3b0b6479700.
- A u16 pointer points to skb data. It should be __be16 for network
byte order.
- Typo in comments. "numer" -> "number".
Fixes:
86dd9868b878 ("net: dsa: tag_rtl4_a: Support also egress tags")
Signed-off-by: DENG Qingfang <dqfext@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Beulich [Thu, 25 Feb 2021 15:39:01 +0000 (16:39 +0100)]
xen-netback: use local var in xenvif_tx_check_gop() instead of re-calculating
shinfo already holds the result of skb_shinfo(skb) at this point - no
need to re-invoke the construct even twice.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>