1. 19 Jan, 2022 20 commits
    • Ard Biesheuvel's avatar
      net: cpsw: avoid alignment faults by taking NET_IP_ALIGN into account · 1771afd4
      Ard Biesheuvel authored
      Both versions of the CPSW driver declare a CPSW_HEADROOM_NA macro that
      takes NET_IP_ALIGN into account, but fail to use it appropriately when
      storing incoming packets in memory. This results in the IPv4 source and
      destination addresses to appear misaligned in memory, which causes
      aligment faults that need to be fixed up in software.
      
      So let's switch from CPSW_HEADROOM to CPSW_HEADROOM_NA where needed.
      This gets rid of any alignment faults on the RX path on a Beaglebone
      White.
      
      Fixes: 9ed4050c ("net: ethernet: ti: cpsw: add XDP support")
      Cc: Grygorii Strashko <grygorii.strashko@ti.com>
      Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1771afd4
    • Krzysztof Kozlowski's avatar
      nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() · dded0892
      Krzysztof Kozlowski authored
      Syzbot detected a NULL pointer dereference of nfc_llcp_sock->dev pointer
      (which is a 'struct nfc_dev *') with calls to llcp_sock_sendmsg() after
      a failed llcp_sock_bind(). The message being sent is a SOCK_DGRAM.
      
      KASAN report:
      
        BUG: KASAN: null-ptr-deref in nfc_alloc_send_skb+0x2d/0xc0
        Read of size 4 at addr 00000000000005c8 by task llcp_sock_nfc_a/899
      
        CPU: 5 PID: 899 Comm: llcp_sock_nfc_a Not tainted 5.16.0-rc6-next-20211224-00001-gc6437fbf18b0 #125
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
        Call Trace:
         <TASK>
         dump_stack_lvl+0x45/0x59
         ? nfc_alloc_send_skb+0x2d/0xc0
         __kasan_report.cold+0x117/0x11c
         ? mark_lock+0x480/0x4f0
         ? nfc_alloc_send_skb+0x2d/0xc0
         kasan_report+0x38/0x50
         nfc_alloc_send_skb+0x2d/0xc0
         nfc_llcp_send_ui_frame+0x18c/0x2a0
         ? nfc_llcp_send_i_frame+0x230/0x230
         ? __local_bh_enable_ip+0x86/0xe0
         ? llcp_sock_connect+0x470/0x470
         ? llcp_sock_connect+0x470/0x470
         sock_sendmsg+0x8e/0xa0
         ____sys_sendmsg+0x253/0x3f0
         ...
      
      The issue was visible only with multiple simultaneous calls to bind() and
      sendmsg(), which resulted in most of the bind() calls to fail.  The
      bind() was failing on checking if there is available WKS/SDP/SAP
      (respective bit in 'struct nfc_llcp_local' fields).  When there was no
      available WKS/SDP/SAP, the bind returned error but the sendmsg() to such
      socket was able to trigger mentioned NULL pointer dereference of
      nfc_llcp_sock->dev.
      
      The code looks simply racy and currently it protects several paths
      against race with checks for (!nfc_llcp_sock->local) which is NULL-ified
      in error paths of bind().  The llcp_sock_sendmsg() did not have such
      check but called function nfc_llcp_send_ui_frame() had, although not
      protected with lock_sock().
      
      Therefore the race could look like (same socket is used all the time):
        CPU0                                     CPU1
        ====                                     ====
        llcp_sock_bind()
        - lock_sock()
          - success
        - release_sock()
        - return 0
                                                 llcp_sock_sendmsg()
                                                 - lock_sock()
                                                 - release_sock()
        llcp_sock_bind(), same socket
        - lock_sock()
          - error
                                                 - nfc_llcp_send_ui_frame()
                                                   - if (!llcp_sock->local)
          - llcp_sock->local = NULL
          - nfc_put_device(dev)
                                                   - dereference llcp_sock->dev
        - release_sock()
        - return -ERRNO
      
      The nfc_llcp_send_ui_frame() checked llcp_sock->local outside of the
      lock, which is racy and ineffective check.  Instead, its caller
      llcp_sock_sendmsg(), should perform the check inside lock_sock().
      
      Reported-and-tested-by: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com
      Fixes: b874dec2 ("NFC: Implement LLCP connection less Tx path")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dded0892
    • David S. Miller's avatar
      Merge branch 'axienet-fixes' · 8c8963b2
      David S. Miller authored
      Robert Hancock says:
      
      ====================
      Xilinx axienet fixes
      
      Various fixes for the Xilinx AXI Ethernet driver.
      
      Changed since v2:
      -added Reviewed-by tags, added some explanation to commit
      messages, no code changes
      
      Changed since v1:
      -corrected a Fixes tag to point to mainline commit
      -split up reset changes into 3 patches
      -added ratelimit on netdev_warn in TX busy case
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c8963b2
    • Robert Hancock's avatar
      net: axienet: increase default TX ring size to 128 · 2d19c3fd
      Robert Hancock authored
      With previous changes to make the driver handle the TX ring size more
      correctly, the default TX ring size of 64 appears to significantly
      bottleneck TX performance to around 600 Mbps on a 1 Gbps link on ZynqMP.
      Increasing this to 128 seems to bring performance up to near line rate and
      shouldn't cause excess bufferbloat (this driver doesn't yet support modern
      byte-based queue management).
      
      Fixes: 8a3b7a25 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d19c3fd
    • Robert Hancock's avatar
      net: axienet: fix for TX busy handling · bb193e3d
      Robert Hancock authored
      Network driver documentation indicates we should be avoiding returning
      NETDEV_TX_BUSY from ndo_start_xmit in normal cases, since it requires
      the packets to be requeued. Instead the queue should be stopped after
      a packet is added to the TX ring when there may not be enough room for an
      additional one. Also, when TX ring entries are completed, we should only
      wake the queue if we know there is room for another full maximally
      fragmented packet.
      
      Print a warning if there is insufficient space at the start of start_xmit,
      since this should no longer happen.
      
      Combined with increasing the default TX ring size (in a subsequent
      patch), this appears to recover the TX performance lost by previous changes
      to actually manage the TX ring state properly.
      
      Fixes: 8a3b7a25 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb193e3d
    • Robert Hancock's avatar
      net: axienet: fix number of TX ring slots for available check · aba57a82
      Robert Hancock authored
      The check for the number of available TX ring slots was off by 1 since a
      slot is required for the skb header as well as each fragment. This could
      result in overwriting a TX ring slot that was still in use.
      
      Fixes: 8a3b7a25 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aba57a82
    • Robert Hancock's avatar
      net: axienet: Fix TX ring slot available check · 996defd7
      Robert Hancock authored
      The check for whether a TX ring slot was available was incorrect,
      since a slot which had been loaded with transmit data but the device had
      not started transmitting would be treated as available, potentially
      causing non-transmitted slots to be overwritten. The control field in
      the descriptor should be checked, rather than the status field (which may
      only be updated when the device completes the entry).
      
      Fixes: 8a3b7a25 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      996defd7
    • Robert Hancock's avatar
      net: axienet: limit minimum TX ring size · 70f5817d
      Robert Hancock authored
      The driver will not work properly if the TX ring size is set to below
      MAX_SKB_FRAGS + 1 since it needs to hold at least one full maximally
      fragmented packet in the TX ring. Limit setting the ring size to below
      this value.
      
      Fixes: 8b09ca82 ("net: axienet: Make RX/TX ring sizes configurable")
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      70f5817d
    • Robert Hancock's avatar
      net: axienet: add missing memory barriers · 95978df6
      Robert Hancock authored
      This driver was missing some required memory barriers:
      
      Use dma_rmb to ensure we see all updates to the descriptor after we see
      that an entry has been completed.
      
      Use wmb and rmb to avoid stale descriptor status between the TX path and
      TX complete IRQ path.
      
      Fixes: 8a3b7a25 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      95978df6
    • Robert Hancock's avatar
      net: axienet: reset core on initialization prior to MDIO access · 04cc2da3
      Robert Hancock authored
      In some cases where the Xilinx Ethernet core was used in 1000Base-X or
      SGMII modes, which use the internal PCS/PMA PHY, and the MGT
      transceiver clock source for the PCS was not running at the time the
      FPGA logic was loaded, the core would come up in a state where the
      PCS could not be found on the MDIO bus. To fix this, the Ethernet core
      (including the PCS) should be reset after enabling the clocks, prior to
      attempting to access the PCS using of_mdio_find_device.
      
      Fixes: 1a025560 (net: axienet: Properly handle PCS/PMA PHY for 1000BaseX mode)
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      04cc2da3
    • Robert Hancock's avatar
      net: axienet: Wait for PhyRstCmplt after core reset · b400c2f4
      Robert Hancock authored
      When resetting the device, wait for the PhyRstCmplt bit to be set
      in the interrupt status register before continuing initialization, to
      ensure that the core is actually ready. When using an external PHY, this
      also ensures we do not start trying to access the PHY while it is still
      in reset. The PHY reset is initiated by the core reset which is
      triggered just above, but remains asserted for 5ms after the core is
      reset according to the documentation.
      
      The MgtRdy bit could also be waited for, but unfortunately when using
      7-series devices, the bit does not appear to work as documented (it
      seems to behave as some sort of link state indication and not just an
      indication the transceiver is ready) so it can't really be relied on for
      this purpose.
      
      Fixes: 8a3b7a25 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b400c2f4
    • Robert Hancock's avatar
      net: axienet: increase reset timeout · 2e5644b1
      Robert Hancock authored
      The previous timeout of 1ms was too short to handle some cases where the
      core is reset just after the input clocks were started, which will
      be introduced in an upcoming patch. Increase the timeout to 50ms. Also
      simplify the reset timeout checking to use read_poll_timeout.
      
      Fixes: 8a3b7a25 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
      Signed-off-by: default avatarRobert Hancock <robert.hancock@calian.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2e5644b1
    • Jakub Kicinski's avatar
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 99845220
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2022-01-19
      
      We've added 12 non-merge commits during the last 8 day(s) which contain
      a total of 12 files changed, 262 insertions(+), 64 deletions(-).
      
      The main changes are:
      
      1) Various verifier fixes mainly around register offset handling when
         passed to helper functions, from Daniel Borkmann.
      
      2) Fix XDP BPF link handling to assert program type,
         from Toke Høiland-Jørgensen.
      
      3) Fix regression in mount parameter handling for BPF fs,
         from Yafang Shao.
      
      4) Fix incorrect integer literal when marking scratched stack slots
         in verifier, from Christy Lee.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf, selftests: Add ringbuf memory type confusion test
        bpf, selftests: Add various ringbuf tests with invalid offset
        bpf: Fix ringbuf memory type confusion when passing to helpers
        bpf: Fix out of bounds access for ringbuf helpers
        bpf: Generally fix helper register offset check
        bpf: Mark PTR_TO_FUNC register initially with zero offset
        bpf: Generalize check_ctx_reg for reuse with other types
        bpf: Fix incorrect integer literal used for marking scratched stack.
        bpf/selftests: Add check for updating XDP bpf_link with wrong program type
        bpf/selftests: convert xdp_link test to ASSERT_* macros
        xdp: check prog type before updating BPF link
        bpf: Fix mount source show for bpffs
      ====================
      
      Link: https://lore.kernel.org/r/20220119011825.9082-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      99845220
    • Daniel Borkmann's avatar
      bpf, selftests: Add ringbuf memory type confusion test · 37c8d480
      Daniel Borkmann authored
      Add two tests, one which asserts that ring buffer memory can be passed to
      other helpers for populating its entry area, and another one where verifier
      rejects different type of memory passed to bpf_ringbuf_submit().
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      37c8d480
    • Daniel Borkmann's avatar
      bpf, selftests: Add various ringbuf tests with invalid offset · 722e4db3
      Daniel Borkmann authored
      Assert that the verifier is rejecting invalid offsets on the ringbuf entries:
      
        # ./test_verifier | grep ring
        #947/u ringbuf: invalid reservation offset 1 OK
        #947/p ringbuf: invalid reservation offset 1 OK
        #948/u ringbuf: invalid reservation offset 2 OK
        #948/p ringbuf: invalid reservation offset 2 OK
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      722e4db3
    • Daniel Borkmann's avatar
      bpf: Fix ringbuf memory type confusion when passing to helpers · a672b2e3
      Daniel Borkmann authored
      The bpf_ringbuf_submit() and bpf_ringbuf_discard() have ARG_PTR_TO_ALLOC_MEM
      in their bpf_func_proto definition as their first argument, and thus both expect
      the result from a prior bpf_ringbuf_reserve() call which has a return type of
      RET_PTR_TO_ALLOC_MEM_OR_NULL.
      
      While the non-NULL memory from bpf_ringbuf_reserve() can be passed to other
      helpers, the two sinks (bpf_ringbuf_submit(), bpf_ringbuf_discard()) right now
      only enforce a register type of PTR_TO_MEM.
      
      This can lead to potential type confusion since it would allow other PTR_TO_MEM
      memory to be passed into the two sinks which did not come from bpf_ringbuf_reserve().
      
      Add a new MEM_ALLOC composable type attribute for PTR_TO_MEM, and enforce that:
      
       - bpf_ringbuf_reserve() returns NULL or PTR_TO_MEM | MEM_ALLOC
       - bpf_ringbuf_submit() and bpf_ringbuf_discard() only take PTR_TO_MEM | MEM_ALLOC
         but not plain PTR_TO_MEM arguments via ARG_PTR_TO_ALLOC_MEM
       - however, other helpers might treat PTR_TO_MEM | MEM_ALLOC as plain PTR_TO_MEM
         to populate the memory area when they use ARG_PTR_TO_{UNINIT_,}MEM in their
         func proto description
      
      Fixes: 457f4436 ("bpf: Implement BPF ring buffer and verifier support for it")
      Reported-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a672b2e3
    • Daniel Borkmann's avatar
      bpf: Fix out of bounds access for ringbuf helpers · 64620e0a
      Daniel Borkmann authored
      Both bpf_ringbuf_submit() and bpf_ringbuf_discard() have ARG_PTR_TO_ALLOC_MEM
      in their bpf_func_proto definition as their first argument. They both expect
      the result from a prior bpf_ringbuf_reserve() call which has a return type of
      RET_PTR_TO_ALLOC_MEM_OR_NULL.
      
      Meaning, after a NULL check in the code, the verifier will promote the register
      type in the non-NULL branch to a PTR_TO_MEM and in the NULL branch to a known
      zero scalar. Generally, pointer arithmetic on PTR_TO_MEM is allowed, so the
      latter could have an offset.
      
      The ARG_PTR_TO_ALLOC_MEM expects a PTR_TO_MEM register type. However, the non-
      zero result from bpf_ringbuf_reserve() must be fed into either bpf_ringbuf_submit()
      or bpf_ringbuf_discard() but with the original offset given it will then read
      out the struct bpf_ringbuf_hdr mapping.
      
      The verifier missed to enforce a zero offset, so that out of bounds access
      can be triggered which could be used to escalate privileges if unprivileged
      BPF was enabled (disabled by default in kernel).
      
      Fixes: 457f4436 ("bpf: Implement BPF ring buffer and verifier support for it")
      Reported-by: <tr3e.wang@gmail.com> (SecCoder Security Lab)
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      64620e0a
    • Daniel Borkmann's avatar
      bpf: Generally fix helper register offset check · 6788ab23
      Daniel Borkmann authored
      Right now the assertion on check_ptr_off_reg() is only enforced for register
      types PTR_TO_CTX (and open coded also for PTR_TO_BTF_ID), however, this is
      insufficient since many other PTR_TO_* register types such as PTR_TO_FUNC do
      not handle/expect register offsets when passed to helper functions.
      
      Given this can slip-through easily when adding new types, make this an explicit
      allow-list and reject all other current and future types by default if this is
      encountered.
      
      Also, extend check_ptr_off_reg() to handle PTR_TO_BTF_ID as well instead of
      duplicating it. For PTR_TO_BTF_ID, reg->off is used for BTF to match expected
      BTF ids if struct offset is used. This part still needs to be allowed, but the
      dynamic off from the tnum must be rejected.
      
      Fixes: 69c087ba ("bpf: Add bpf_for_each_map_elem() helper")
      Fixes: eaa6bcb7 ("bpf: Introduce bpf_per_cpu_ptr()")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      6788ab23
    • Daniel Borkmann's avatar
      bpf: Mark PTR_TO_FUNC register initially with zero offset · d400a6cf
      Daniel Borkmann authored
      Similar as with other pointer types where we use ldimm64, clear the register
      content to zero first, and then populate the PTR_TO_FUNC type and subprogno
      number. Currently this is not done, and leads to reuse of stale register
      tracking data.
      
      Given for special ldimm64 cases we always clear the register offset, make it
      common for all cases, so it won't be forgotten in future.
      
      Fixes: 69c087ba ("bpf: Add bpf_for_each_map_elem() helper")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      d400a6cf
    • Daniel Borkmann's avatar
      bpf: Generalize check_ctx_reg for reuse with other types · be80a1d3
      Daniel Borkmann authored
      Generalize the check_ctx_reg() helper function into a more generic named one
      so that it can be reused for other register types as well to check whether
      their offset is non-zero. No functional change.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      be80a1d3
  2. 18 Jan, 2022 1 commit
    • Eric Dumazet's avatar
      netns: add schedule point in ops_exit_list() · 2836615a
      Eric Dumazet authored
      When under stress, cleanup_net() can have to dismantle
      netns in big numbers. ops_exit_list() currently calls
      many helpers [1] that have no schedule point, and we can
      end up with soft lockups, particularly on hosts
      with many cpus.
      
      Even for moderate amount of netns processed by cleanup_net()
      this patch avoids latency spikes.
      
      [1] Some of these helpers like fib_sync_up() and fib_sync_down_dev()
      are very slow because net/ipv4/fib_semantics.c uses host-wide hash tables,
      and ifindex is used as the only input of two hash functions.
          ifindexes tend to be the same for all netns (lo.ifindex==1 per instance)
          This will be fixed in a separate patch.
      
      Fixes: 72ad937a ("net: Add support for batching network namespace cleanups")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2836615a
  3. 17 Jan, 2022 5 commits
  4. 16 Jan, 2022 3 commits
    • Moshe Tal's avatar
      bonding: Fix extraction of ports from the packet headers · 429e3d12
      Moshe Tal authored
      Wrong hash sends single stream to multiple output interfaces.
      
      The offset calculation was relative to skb->head, fix it to be relative
      to skb->data.
      
      Fixes: a815bde5 ("net, bonding: Refactor bond_xmit_hash for use with
      xdp_buff")
      Reviewed-by: default avatarJussi Maki <joamaki@gmail.com>
      Reviewed-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Reviewed-by: default avatarGal Pressman <gal@nvidia.com>
      Signed-off-by: default avatarMoshe Tal <moshet@nvidia.com>
      Acked-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      429e3d12
    • Wen Gu's avatar
      net/smc: Fix hung_task when removing SMC-R devices · 56d99e81
      Wen Gu authored
      A hung_task is observed when removing SMC-R devices. Suppose that
      a link group has two active links(lnk_A, lnk_B) associated with two
      different SMC-R devices(dev_A, dev_B). When dev_A is removed, the
      link group will be removed from smc_lgr_list and added into
      lgr_linkdown_list. lnk_A will be cleared and smcibdev(A)->lnk_cnt
      will reach to zero. However, when dev_B is removed then, the link
      group can't be found in smc_lgr_list and lnk_B won't be cleared,
      making smcibdev->lnk_cnt never reaches zero, which causes a hung_task.
      
      This patch fixes this issue by restoring the implementation of
      smc_smcr_terminate_all() to what it was before commit 349d4312
      ("net/smc: fix kernel panic caused by race of smc_sock"). The original
      implementation also satisfies the intention that make sure QP destroy
      earlier than CQ destroy because we will always wait for smcibdev->lnk_cnt
      reaches zero, which guarantees QP has been destroyed.
      
      Fixes: 349d4312 ("net/smc: fix kernel panic caused by race of smc_sock")
      Signed-off-by: default avatarWen Gu <guwen@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      56d99e81
    • Eric Dumazet's avatar
      ipv4: update fib_info_cnt under spinlock protection · 0a6e6b3c
      Eric Dumazet authored
      In the past, free_fib_info() was supposed to be called
      under RTNL protection.
      
      This eventually was no longer the case.
      
      Instead of enforcing RTNL it seems we simply can
      move fib_info_cnt changes to occur when fib_info_lock
      is held.
      
      v2: David Laight suggested to update fib_info_cnt
      only when an entry is added/deleted to/from the hash table,
      as fib_info_cnt is used to make sure hash table size
      is optimal.
      
      BUG: KCSAN: data-race in fib_create_info / free_fib_info
      
      write to 0xffffffff86e243a0 of 4 bytes by task 26429 on cpu 0:
       fib_create_info+0xe78/0x3440 net/ipv4/fib_semantics.c:1428
       fib_table_insert+0x148/0x10c0 net/ipv4/fib_trie.c:1224
       fib_magic+0x195/0x1e0 net/ipv4/fib_frontend.c:1087
       fib_add_ifaddr+0xd0/0x2e0 net/ipv4/fib_frontend.c:1109
       fib_netdev_event+0x178/0x510 net/ipv4/fib_frontend.c:1466
       notifier_call_chain kernel/notifier.c:83 [inline]
       raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:391
       __dev_notify_flags+0x1d3/0x3b0
       dev_change_flags+0xa2/0xc0 net/core/dev.c:8872
       do_setlink+0x810/0x2410 net/core/rtnetlink.c:2719
       rtnl_group_changelink net/core/rtnetlink.c:3242 [inline]
       __rtnl_newlink net/core/rtnetlink.c:3396 [inline]
       rtnl_newlink+0xb10/0x13b0 net/core/rtnetlink.c:3506
       rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5571
       netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2496
       rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5589
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0x5fc/0x6c0 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0x726/0x840 net/netlink/af_netlink.c:1921
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       ____sys_sendmsg+0x39a/0x510 net/socket.c:2409
       ___sys_sendmsg net/socket.c:2463 [inline]
       __sys_sendmsg+0x195/0x230 net/socket.c:2492
       __do_sys_sendmsg net/socket.c:2501 [inline]
       __se_sys_sendmsg net/socket.c:2499 [inline]
       __x64_sys_sendmsg+0x42/0x50 net/socket.c:2499
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      read to 0xffffffff86e243a0 of 4 bytes by task 31505 on cpu 1:
       free_fib_info+0x35/0x80 net/ipv4/fib_semantics.c:252
       fib_info_put include/net/ip_fib.h:575 [inline]
       nsim_fib4_rt_destroy drivers/net/netdevsim/fib.c:294 [inline]
       nsim_fib4_rt_replace drivers/net/netdevsim/fib.c:403 [inline]
       nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:431 [inline]
       nsim_fib4_event drivers/net/netdevsim/fib.c:461 [inline]
       nsim_fib_event drivers/net/netdevsim/fib.c:881 [inline]
       nsim_fib_event_work+0x15ca/0x2cf0 drivers/net/netdevsim/fib.c:1477
       process_one_work+0x3fc/0x980 kernel/workqueue.c:2298
       process_scheduled_works kernel/workqueue.c:2361 [inline]
       worker_thread+0x7df/0xa70 kernel/workqueue.c:2447
       kthread+0x2c7/0x2e0 kernel/kthread.c:327
       ret_from_fork+0x1f/0x30
      
      value changed: 0x00000d2d -> 0x00000d2e
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 31505 Comm: kworker/1:21 Not tainted 5.16.0-rc6-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events nsim_fib_event_work
      
      Fixes: 48bb9eb4 ("netdevsim: fib: Add dummy implementation for FIB offload")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: David Laight <David.Laight@ACULAB.COM>
      Cc: Ido Schimmel <idosch@mellanox.com>
      Cc: Jiri Pirko <jiri@mellanox.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0a6e6b3c
  5. 15 Jan, 2022 7 commits
    • Wen Gu's avatar
      net/smc: Remove unused function declaration · 9404bc1e
      Wen Gu authored
      The declaration of smc_wr_tx_dismiss_slots() is unused.
      So remove it.
      
      Fixes: 349d4312 ("net/smc: fix kernel panic caused by race of smc_sock")
      Signed-off-by: default avatarWen Gu <guwen@linux.alibaba.com>
      Reviewed-by: default avatarDust Li <dust.li@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9404bc1e
    • Slark Xiao's avatar
      net: wwan: Fix MRU mismatch issue which may lead to data connection lost · f542cdfa
      Slark Xiao authored
      In pci_generic.c there is a 'mru_default' in struct mhi_pci_dev_info.
      This value shall be used for whole mhi if it's given a value for a specific product.
      But in function mhi_net_rx_refill_work(), it's still using hard code value MHI_DEFAULT_MRU.
      'mru_default' shall have higher priority than MHI_DEFAULT_MRU.
      And after checking, this change could help fix a data connection lost issue.
      
      Fixes: 5c2c8531 ("bus: mhi: pci-generic: configurable network interface MRU")
      Signed-off-by: default avatarShujun Wang <wsj20369@163.com>
      Signed-off-by: default avatarSlark Xiao <slark_xiao@163.com>
      Reviewed-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f542cdfa
    • Mohammad Athari Bin Ismail's avatar
      net: phy: marvell: add Marvell specific PHY loopback · 020a45af
      Mohammad Athari Bin Ismail authored
      Existing genphy_loopback() is not applicable for Marvell PHY. Besides
      configuring bit-6 and bit-13 in Page 0 Register 0 (Copper Control
      Register), it is also required to configure same bits  in Page 2
      Register 21 (MAC Specific Control Register 2) according to speed of
      the loopback is operating.
      
      Tested working on Marvell88E1510 PHY for all speeds (1000/100/10Mbps).
      
      FIXME: Based on trial and error test, it seem 1G need to have delay between
      soft reset and loopback enablement.
      
      Fixes: 014068dc ("net: phy: genphy_loopback: add link speed configuration")
      Cc: <stable@vger.kernel.org> # 5.15.x
      Signed-off-by: default avatarMohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      020a45af
    • Christophe JAILLET's avatar
      net: ethernet: sun4i-emac: Fix an error handling path in emac_probe() · 9a9acdcc
      Christophe JAILLET authored
      A dma_request_chan() call is hidden in emac_configure_dma().
      It must be released in the probe if an error occurs, as already done in
      the remove function.
      
      Add the corresponding dma_release_channel() call.
      
      Fixes: 47869e82 ("sun4i-emac.c: add dma support")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9a9acdcc
    • Tom Rix's avatar
      net: ethernet: mtk_eth_soc: fix error checking in mtk_mac_config() · 214b3369
      Tom Rix authored
      Clang static analysis reports this problem
      mtk_eth_soc.c:394:7: warning: Branch condition evaluates
        to a garbage value
                      if (err)
                          ^~~
      
      err is not initialized and only conditionally set.
      So intitialize err.
      
      Fixes: 7e538372 ("net: ethernet: mediatek: Re-add support SGMII")
      Signed-off-by: default avatarTom Rix <trix@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      214b3369
    • Vladimir Oltean's avatar
      net: mscc: ocelot: don't dereference NULL pointers with shared tc filters · 80f15f3b
      Vladimir Oltean authored
      The following command sequence:
      
      tc qdisc del dev swp0 clsact
      tc qdisc add dev swp0 ingress_block 1 clsact
      tc qdisc add dev swp1 ingress_block 1 clsact
      tc filter add block 1 flower action drop
      tc qdisc del dev swp0 clsact
      
      produces the following NPD:
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000014
      pc : vcap_entry_set+0x14/0x70
      lr : ocelot_vcap_filter_del+0x198/0x234
      Call trace:
       vcap_entry_set+0x14/0x70
       ocelot_vcap_filter_del+0x198/0x234
       ocelot_cls_flower_destroy+0x94/0xe4
       felix_cls_flower_del+0x70/0x84
       dsa_slave_setup_tc_block_cb+0x13c/0x60c
       dsa_slave_setup_tc_block_cb_ig+0x20/0x30
       tc_setup_cb_reoffload+0x44/0x120
       fl_reoffload+0x280/0x320
       tcf_block_playback_offloads+0x6c/0x184
       tcf_block_unbind+0x80/0xe0
       tcf_block_setup+0x174/0x214
       tcf_block_offload_cmd.isra.0+0x100/0x13c
       tcf_block_offload_unbind+0x5c/0xa0
       __tcf_block_put+0x54/0x174
       tcf_block_put_ext+0x5c/0x74
       clsact_destroy+0x40/0x60
       qdisc_destroy+0x4c/0x150
       qdisc_put+0x70/0x90
       qdisc_graft+0x3f0/0x4c0
       tc_get_qdisc+0x1cc/0x364
       rtnetlink_rcv_msg+0x124/0x340
      
      The reason is that the driver isn't prepared to receive two tc filters
      with the same cookie. It unconditionally creates a new struct
      ocelot_vcap_filter for each tc filter, and it adds all filters with the
      same identifier (cookie) to the ocelot_vcap_block.
      
      The problem is here, in ocelot_vcap_filter_del():
      
      	/* Gets index of the filter */
      	index = ocelot_vcap_block_get_filter_index(block, filter);
      	if (index < 0)
      		return index;
      
      	/* Delete filter */
      	ocelot_vcap_block_remove_filter(ocelot, block, filter);
      
      	/* Move up all the blocks over the deleted filter */
      	for (i = index; i < block->count; i++) {
      		struct ocelot_vcap_filter *tmp;
      
      		tmp = ocelot_vcap_block_find_filter_by_index(block, i);
      		vcap_entry_set(ocelot, i, tmp);
      	}
      
      what will happen is ocelot_vcap_block_get_filter_index() will return the
      index (@index) of the first filter found with that cookie. This is _not_
      the index of _this_ filter, but the other one with the same cookie,
      because ocelot_vcap_filter_equal() gets fooled.
      
      Then later, ocelot_vcap_block_remove_filter() is coded to remove all
      filters that are ocelot_vcap_filter_equal() with the passed @filter.
      So unexpectedly, both filters get deleted from the list.
      
      Then ocelot_vcap_filter_del() will attempt to move all the other filters
      up, again finding them by index (@i). The block count is 2, @index was 0,
      so it will attempt to move up filter @i=0 and @i=1. It assigns tmp =
      ocelot_vcap_block_find_filter_by_index(block, i), which is now a NULL
      pointer because ocelot_vcap_block_remove_filter() has removed more than
      one filter.
      
      As far as I can see, this problem has been there since the introduction
      of tc offload support, however I cannot test beyond the blamed commit
      due to hardware availability. In any case, any fix cannot be backported
      that far, due to lots of changes to the code base.
      
      Therefore, let's go for the correct solution, which is to not call
      ocelot_vcap_filter_add() and ocelot_vcap_filter_del(), unless the filter
      is actually unique and not shared. For the shared filters, we should
      just modify the ingress port mask and call ocelot_vcap_filter_replace(),
      a function introduced by commit 95706be1 ("net: mscc: ocelot: create
      a function that replaces an existing VCAP filter"). This way,
      block->rules will only contain filters with unique cookies, by design.
      
      Fixes: 07d985ee ("net: dsa: felix: Wire up the ocelot cls_flower methods")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      80f15f3b
    • Eric Dumazet's avatar
      af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress · 9d6d7f1c
      Eric Dumazet authored
      wait_for_unix_gc() reads unix_tot_inflight & gc_in_progress
      without synchronization.
      
      Adds READ_ONCE()/WRITE_ONCE() and their associated comments
      to better document the intent.
      
      BUG: KCSAN: data-race in unix_inflight / wait_for_unix_gc
      
      write to 0xffffffff86e2b7c0 of 4 bytes by task 9380 on cpu 0:
       unix_inflight+0x1e8/0x260 net/unix/scm.c:63
       unix_attach_fds+0x10c/0x1e0 net/unix/scm.c:121
       unix_scm_to_skb net/unix/af_unix.c:1674 [inline]
       unix_dgram_sendmsg+0x679/0x16b0 net/unix/af_unix.c:1817
       unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       ____sys_sendmsg+0x39a/0x510 net/socket.c:2409
       ___sys_sendmsg net/socket.c:2463 [inline]
       __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549
       __do_sys_sendmmsg net/socket.c:2578 [inline]
       __se_sys_sendmmsg net/socket.c:2575 [inline]
       __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      read to 0xffffffff86e2b7c0 of 4 bytes by task 9375 on cpu 1:
       wait_for_unix_gc+0x24/0x160 net/unix/garbage.c:196
       unix_dgram_sendmsg+0x8e/0x16b0 net/unix/af_unix.c:1772
       unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       ____sys_sendmsg+0x39a/0x510 net/socket.c:2409
       ___sys_sendmsg net/socket.c:2463 [inline]
       __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549
       __do_sys_sendmmsg net/socket.c:2578 [inline]
       __se_sys_sendmmsg net/socket.c:2575 [inline]
       __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      value changed: 0x00000002 -> 0x00000004
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 9375 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 9915672d ("af_unix: limit unix_tot_inflight")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20220114164328.2038499-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9d6d7f1c
  6. 14 Jan, 2022 4 commits
    • Kai-Heng Feng's avatar
      net: stmmac: Fix "Unbalanced pm_runtime_enable!" warning · d90d0c17
      Kai-Heng Feng authored
      If the device is PCI based like intel-eth-pci, pm_runtime_enable() is
      already called by pci_pm_init().
      
      So only pm_runtime_enable() when it's not already enabled.
      Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d90d0c17
    • Miaoqian Lin's avatar
      lib82596: Fix IRQ check in sni_82596_probe · 99218cbf
      Miaoqian Lin authored
      platform_get_irq() returns negative error number instead 0 on failure.
      And the doc of platform_get_irq() provides a usage example:
      
          int irq = platform_get_irq(pdev, 0);
          if (irq < 0)
              return irq;
      
      Fix the check of return value to catch errors correctly.
      
      Fixes: 11597885 ("i825xx: Move the Intel 82586/82593/82596 based drivers")
      Signed-off-by: default avatarMiaoqian Lin <linmq006@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      99218cbf
    • Michael Ellerman's avatar
      net: apple: bmac: Fix build since dev_addr constification · ea938248
      Michael Ellerman authored
      Since commit adeef3e3 ("net: constify netdev->dev_addr") the bmac
      driver no longer builds with the following errors (pmac32_defconfig):
      
        linux/drivers/net/ethernet/apple/bmac.c: In function ‘bmac_probe’:
        linux/drivers/net/ethernet/apple/bmac.c:1287:20: error: assignment of read-only location ‘*(dev->dev_addr + (sizetype)j)’
         1287 |   dev->dev_addr[j] = rev ? bitrev8(addr[j]): addr[j];
              |                    ^
      
      Fix it by making the modifications to a local macaddr variable and then
      passing that to eth_hw_addr_set().
      
      We don't use the existing addr variable because the bitrev8() would
      mutate it, but it is already used unreversed later in the function.
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ea938248
    • Michael Ellerman's avatar
      net: apple: mace: Fix build since dev_addr constification · 6c8dc12c
      Michael Ellerman authored
      Since commit adeef3e3 ("net: constify netdev->dev_addr") the mace
      driver no longer builds with various errors (pmac32_defconfig):
      
        linux/drivers/net/ethernet/apple/mace.c: In function ‘mace_probe’:
        linux/drivers/net/ethernet/apple/mace.c:170:20: error: assignment of read-only location ‘*(dev->dev_addr + (sizetype)j)’
          170 |   dev->dev_addr[j] = rev ? bitrev8(addr[j]): addr[j];
              |                    ^
        linux/drivers/net/ethernet/apple/mace.c: In function ‘mace_reset’:
        linux/drivers/net/ethernet/apple/mace.c:349:32: warning: passing argument 2 of ‘__mace_set_address’ discards ‘const’ qualifier from pointer target type
          349 |     __mace_set_address(dev, dev->dev_addr);
              |                             ~~~^~~~~~~~~~
        linux/drivers/net/ethernet/apple/mace.c:93:62: note: expected ‘void *’ but argument is of type ‘const unsigned char *’
           93 | static void __mace_set_address(struct net_device *dev, void *addr);
              |                                                        ~~~~~~^~~~
        linux/drivers/net/ethernet/apple/mace.c: In function ‘__mace_set_address’:
        linux/drivers/net/ethernet/apple/mace.c:388:36: error: assignment of read-only location ‘*(dev->dev_addr + (sizetype)i)’
          388 |  out_8(&mb->padr, dev->dev_addr[i] = p[i]);
              |                                    ^
      
      Fix it by making the modifications to a local macaddr variable and then
      passing that to eth_hw_addr_set(), as well as adding some missing const
      qualifiers.
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6c8dc12c