1. 25 Jan, 2020 5 commits
  2. 24 Jan, 2020 21 commits
  3. 23 Jan, 2020 14 commits
    • Cong Wang's avatar
      net_sched: fix datalen for ematch · 61678d28
      Cong Wang authored
      syzbot reported an out-of-bound access in em_nbyte. As initially
      analyzed by Eric, this is because em_nbyte sets its own em->datalen
      in em_nbyte_change() other than the one specified by user, but this
      value gets overwritten later by its caller tcf_em_validate().
      We should leave em->datalen untouched to respect their choices.
      
      I audit all the in-tree ematch users, all of those implement
      ->change() set em->datalen, so we can just avoid setting it twice
      in this case.
      
      Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
      Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61678d28
    • David S. Miller's avatar
      Merge branch 'Fixes-for-SONIC-ethernet-driver' · 42c9bdae
      David S. Miller authored
      Finn Thain says:
      
      ====================
      Fixes for SONIC ethernet driver
      
      Various SONIC driver problems have become apparent over the years,
      including tx watchdog timeouts, lost packets and duplicated packets.
      
      The problems are mostly caused by bugs in buffer handling, locking and
      (re-)initialization code.
      
      This patch series resolves these problems.
      
      This series has been tested on National Semiconductor hardware (macsonic),
      qemu-system-m68k (macsonic) and qemu-system-mips64el (jazzsonic).
      
      The emulated dp8393x device used in QEMU also has bugs.
      I have fixed the bugs that I know of in a series of patches at,
      https://github.com/fthain/qemu/commits/sonic
      
      Changed since v1:
       - Minor revisions as described in commit logs.
       - Deferred net-next patches.
      Changed since v2:
       - Minor revisions as described in commit logs.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      42c9bdae
    • Finn Thain's avatar
      net/sonic: Prevent tx watchdog timeout · 686f85d7
      Finn Thain authored
      Section 5.5.3.2 of the datasheet says,
      
          If FIFO Underrun, Byte Count Mismatch, Excessive Collision, or
          Excessive Deferral (if enabled) errors occur, transmission ceases.
      
      In this situation, the chip asserts a TXER interrupt rather than TXDN.
      But the handler for the TXDN is the only way that the transmit queue
      gets restarted. Hence, an aborted transmission can result in a watchdog
      timeout.
      
      This problem can be reproduced on congested link, as that can result in
      excessive transmitter collisions. Another way to reproduce this is with
      a FIFO Underrun, which may be caused by DMA latency.
      
      In event of a TXER interrupt, prevent a watchdog timeout by restarting
      transmission.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      686f85d7
    • Finn Thain's avatar
      net/sonic: Fix CAM initialization · 772f6642
      Finn Thain authored
      Section 4.3.1 of the datasheet says,
      
          This bit [TXP] must not be set if a Load CAM operation is in
          progress (LCAM is set). The SONIC will lock up if both bits are
          set simultaneously.
      
      Testing has shown that the driver sometimes attempts to set LCAM
      while TXP is set. Avoid this by waiting for command completion
      before and after giving the LCAM command.
      
      After issuing the Load CAM command, poll for !SONIC_CR_LCAM rather than
      SONIC_INT_LCD, because the SONIC_CR_TXP bit can't be used until
      !SONIC_CR_LCAM.
      
      When in reset mode, take the opportunity to reset the CAM Enable
      register.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      772f6642
    • Finn Thain's avatar
      net/sonic: Fix command register usage · 27e0c31c
      Finn Thain authored
      There are several issues relating to command register usage during
      chip initialization.
      
      Firstly, the SONIC sometimes comes out of software reset with the
      Start Timer bit set. This gets logged as,
      
          macsonic macsonic eth0: sonic_init: status=24, i=101
      
      Avoid this by giving the Stop Timer command earlier than later.
      
      Secondly, the loop that waits for the Read RRA command to complete has
      the break condition inverted. That's why the for loop iterates until
      its termination condition. Call the helper for this instead.
      
      Finally, give the Receiver Enable command after clearing interrupts,
      not before, to avoid the possibility of losing an interrupt.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      27e0c31c
    • Finn Thain's avatar
      net/sonic: Quiesce SONIC before re-initializing descriptor memory · 3f4b7e6a
      Finn Thain authored
      Make sure the SONIC's DMA engine is idle before altering the transmit
      and receive descriptors. Add a helper for this as it will be needed
      again.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f4b7e6a
    • Finn Thain's avatar
      net/sonic: Fix receive buffer replenishment · 89ba879e
      Finn Thain authored
      As soon as the driver is finished with a receive buffer it allocs a new
      one and overwrites the corresponding RRA entry with a new buffer pointer.
      
      Problem is, the buffer pointer is split across two word-sized registers.
      It can't be updated in one atomic store. So this operation races with the
      chip while it stores received packets and advances its RRP register.
      This could result in memory corruption by a DMA write.
      
      Avoid this problem by adding buffers only at the location given by the
      RWP register, in accordance with the National Semiconductor datasheet.
      
      Re-factor this code into separate functions to calculate a RRA pointer
      and to update the RWP.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89ba879e
    • Finn Thain's avatar
      net/sonic: Improve receive descriptor status flag check · 94b16634
      Finn Thain authored
      After sonic_tx_timeout() calls sonic_init(), it can happen that
      sonic_rx() will subsequently encounter a receive descriptor with no
      flags set. Remove the comment that says that this can't happen.
      
      When giving a receive descriptor to the SONIC, clear the descriptor
      status field. That way, any rx descriptor with flags set can only be
      a newly received packet.
      
      Don't process a descriptor without the LPKT bit set. The buffer is
      still in use by the SONIC.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      94b16634
    • Finn Thain's avatar
      net/sonic: Avoid needless receive descriptor EOL flag updates · eaabfd19
      Finn Thain authored
      The while loop in sonic_rx() traverses the rx descriptor ring. It stops
      when it reaches a descriptor that the SONIC has not used. Each iteration
      advances the EOL flag so the SONIC can keep using more descriptors.
      Therefore, the while loop has no definite termination condition.
      
      The algorithm described in the National Semiconductor literature is quite
      different. It consumes descriptors up to the one with its EOL flag set
      (which will also have its "in use" flag set). All freed descriptors are
      then returned to the ring at once, by adjusting the EOL flags (and link
      pointers).
      
      Adopt the algorithm from datasheet as it's simpler, terminates quickly
      and avoids a lot of pointless descriptor EOL flag changes.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eaabfd19
    • Finn Thain's avatar
      net/sonic: Fix receive buffer handling · 9e311820
      Finn Thain authored
      The SONIC can sometimes advance its rx buffer pointer (RRP register)
      without advancing its rx descriptor pointer (CRDA register). As a result
      the index of the current rx descriptor may not equal that of the current
      rx buffer. The driver mistakenly assumes that they are always equal.
      This assumption leads to incorrect packet lengths and possible packet
      duplication. Avoid this by calling a new function to locate the buffer
      corresponding to a given descriptor.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e311820
    • Finn Thain's avatar
      net/sonic: Fix interface error stats collection · 427db97d
      Finn Thain authored
      The tx_aborted_errors statistic should count packets flagged with EXD,
      EXC, FU, or BCM bits because those bits denote an aborted transmission.
      That corresponds to the bitmask 0x0446, not 0x0642. Use macros for these
      constants to avoid mistakes. Better to leave out FIFO Underruns (FU) as
      there's a separate counter for that purpose.
      
      Don't lump all these errors in with the general tx_errors counter as
      that's used for tx timeout events.
      
      On the rx side, don't count RDE and RBAE interrupts as dropped packets.
      These interrupts don't indicate a lost packet, just a lack of resources.
      When a lack of resources results in a lost packet, this gets reported
      in the rx_missed_errors counter (along with RFO events).
      
      Don't double-count rx_frame_errors and rx_crc_errors.
      
      Don't use the general rx_errors counter for events that already have
      special counters.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      427db97d
    • Finn Thain's avatar
      net/sonic: Use MMIO accessors · e3885f57
      Finn Thain authored
      The driver accesses descriptor memory which is simultaneously accessed by
      the chip, so the compiler must not be allowed to re-order CPU accesses.
      sonic_buf_get() used 'volatile' to prevent that. sonic_buf_put() should
      have done so too but was overlooked.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3885f57
    • Finn Thain's avatar
      net/sonic: Clear interrupt flags immediately · 5fedabf5
      Finn Thain authored
      The chip can change a packet's descriptor status flags at any time.
      However, an active interrupt flag gets cleared rather late. This
      allows a race condition that could theoretically lose an interrupt.
      Fix this by clearing asserted interrupt flags immediately.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5fedabf5
    • Finn Thain's avatar
      net/sonic: Add mutual exclusion for accessing shared state · 865ad2f2
      Finn Thain authored
      The netif_stop_queue() call in sonic_send_packet() races with the
      netif_wake_queue() call in sonic_interrupt(). This causes issues
      like "NETDEV WATCHDOG: eth0 (macsonic): transmit queue 0 timed out".
      Fix this by disabling interrupts when accessing tx_skb[] and next_tx.
      Update a comment to clarify the synchronization properties.
      
      Fixes: efcce839 ("[PATCH] macsonic/jazzsonic network drivers update")
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      865ad2f2