- 05 Jun, 2023 3 commits
-
-
Dave Marchevsky authored
This patch fixes an incorrect assumption made in the original bpf_refcount series [0], specifically that the BPF program calling bpf_refcount_acquire on some node can always guarantee that the node is alive. In that series, the patch adding failure behavior to rbtree_add and list_push_{front, back} breaks this assumption for non-owning references. Consider the following program: n = bpf_kptr_xchg(&mapval, NULL); /* skip error checking */ bpf_spin_lock(&l); if(bpf_rbtree_add(&t, &n->rb, less)) { bpf_refcount_acquire(n); /* Failed to add, do something else with the node */ } bpf_spin_unlock(&l); It's incorrect to assume that bpf_refcount_acquire will always succeed in this scenario. bpf_refcount_acquire is being called in a critical section here, but the lock being held is associated with rbtree t, which isn't necessarily the lock associated with the tree that the node is already in. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop in it, the program has no ownership of the node's lifetime. Therefore the node's refcount can be decr'd to 0 at any time after the failing rbtree_add. If this happens before the refcount_acquire above, the node might be free'd, and regardless refcount_acquire will be incrementing a 0 refcount. Later patches in the series exercise this scenario, resulting in the expected complaint from the kernel (without this patch's changes): refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110 Modules linked in: bpf_testmod(O) CPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0xbc/0x110 Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff <0f> 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7 RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680 RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7 R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388 R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048 FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> bpf_refcount_acquire_impl+0xb5/0xc0 (rest of output snipped) The patch addresses this by changing bpf_refcount_acquire_impl to use refcount_inc_not_zero instead of refcount_inc and marking bpf_refcount_acquire KF_RET_NULL. For owning references, though, we know the above scenario is not possible and thus that bpf_refcount_acquire will always succeed. Some verifier bookkeeping is added to track "is input owning ref?" for bpf_refcount_acquire calls and return false from is_kfunc_ret_null for bpf_refcount_acquire on owning refs despite it being marked KF_RET_NULL. Existing selftests using bpf_refcount_acquire are modified where necessary to NULL-check its return value. [0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/ Fixes: d2dcc67d ("bpf: Migrate bpf_rbtree_add and bpf_list_push_{front,back} to possibly fail") Reported-by:Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by:
Dave Marchevsky <davemarchevsky@fb.com> Link: https://lore.kernel.org/r/20230602022647.1571784-5-davemarchevsky@fb.comSigned-off-by:
Alexei Starovoitov <ast@kernel.org>
-
Dave Marchevsky authored
Given the pointer to struct bpf_{rb,list}_node within a local kptr and the byte offset of that field within the kptr struct, the calculation changed by this patch is meant to find the beginning of the kptr so that it can be passed to bpf_obj_drop. Unfortunately instead of doing ptr_to_kptr = ptr_to_node_field - offset_bytes the calculation is erroneously doing ptr_to_ktpr = ptr_to_node_field - (offset_bytes * sizeof(struct bpf_rb_node)) or the bpf_list_node equivalent. This patch fixes the calculation. Fixes: d2dcc67d ("bpf: Migrate bpf_rbtree_add and bpf_list_push_{front,back} to possibly fail") Signed-off-by: -
Dave Marchevsky authored
In verifier.c, fixup_kfunc_call uses struct bpf_insn_aux_data's kptr_struct_meta field to pass information about local kptr types to various helpers and kfuncs at runtime. The recent bpf_refcount series added a few functions to the set that need this information: * bpf_refcount_acquire * Needs to know where the refcount field is in order to increment * Graph collection insert kfuncs: bpf_rbtree_add, bpf_list_push_{front,back} * Were migrated to possibly fail by the bpf_refcount series. If insert fails, the input node is bpf_obj_drop'd. bpf_obj_drop needs the kptr_struct_meta in order to decr refcount and properly free special fields. Unfortunately the verifier handling of collection insert kfuncs was not modified to actually populate kptr_struct_meta. Accordingly, when the node input to those kfuncs is passed to bpf_obj_drop, it is done so without the information necessary to decr refcount. This patch fixes the issue by populating kptr_struct_meta for those kfuncs. Fixes: d2dcc67d ("bpf: Migrate bpf_rbtree_add and bpf_list_push_{front,back} to possibly fail") Signed-off-by:
-
- 01 Jun, 2023 2 commits
-
-
Louis DeLosSantos authored
Add additional test cases to `fib_lookup.c` prog_test. These test cases add a new /24 network to the previously unused veth2 device, removes the directly connected route from the main routing table and moves it to table 100. The first test case then confirms a fib lookup for a remote address in this directly connected network, using the main routing table fails. The second test case ensures the same fib lookup using table 100 succeeds. An additional pair of tests which function in the same manner are added for IPv6. Signed-off-by:
Louis DeLosSantos <louis.delos.devel@gmail.com> Signed-off-by:
Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20230505-bpf-add-tbid-fib-lookup-v2-2-0a31c22c748c@gmail.com
-
Louis DeLosSantos authored
Add ability to specify routing table ID to the `bpf_fib_lookup` BPF helper. A new field `tbid` is added to `struct bpf_fib_lookup` used as parameters to the `bpf_fib_lookup` BPF helper. When the helper is called with the `BPF_FIB_LOOKUP_DIRECT` and `BPF_FIB_LOOKUP_TBID` flags the `tbid` field in `struct bpf_fib_lookup` will be used as the table ID for the fib lookup. If the `tbid` does not exist the fib lookup will fail with `BPF_FIB_LKUP_RET_NOT_FWDED`. The `tbid` field becomes a union over the vlan related output fields in `struct bpf_fib_lookup` and will be zeroed immediately after usage. This functionality is useful in containerized environments. For instance, if a CNI wants to dictate the next-hop for traffic leaving a container it can create a container-specific routing table and perform a fib lookup against this table in a "host-net-namespace-side" TC program. This functionality also allows `ip rule` like functionality at the TC layer, allowing an eBPF program to pick a routing table based on some aspect of the sk_buff. As a concrete use case, this feature will be used in Cilium's SRv6 L3VPN datapath. When egress traffic leaves a Pod an eBPF program attached by Cilium will determine which VRF the egress traffic should target, and then perform a FIB lookup in a specific table representing this VRF's FIB. Signed-off-by:
-
- 31 May, 2023 4 commits
-
-
Jesper Dangaard Brouer authored
Default samples/pktgen scripts send 60 byte packets as hardware adds 4-bytes FCS checksum, which fulfils minimum Ethernet 64 bytes frame size. XDP layer will not necessary have access to the 4-bytes FCS checksum. This leads to bpf_xdp_load_bytes() failing as it tries to copy 64-bytes from an XDP packet that only have 60-bytes available. Fixes: 77225174 ("samples/bpf: fixup some tools to be able to support xdp multibuffer") Signed-off-by:
Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by:
Tariq Toukan <tariqt@nvidia.com> Link: https://lore.kernel.org/bpf/168545704139.2996228.2516528552939485216.stgit@firesoul
-
Jarkko Sakkinen authored
bpfilter_umh_cleanup() is the same function as umd_cleanup_helper(). Drop the redundant function. Signed-off-by:
Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by:
-
Azeem Shaikh authored
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated [1]. This is not the case here, however, in an effort to remove strlcpy() completely [2], lets replace strlcpy() here with strscpy(). No return values were used, so a direct replacement is safe. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [2] https://github.com/KSPP/linux/issues/89Signed-off-by:
Azeem Shaikh <azeemshaikh38@gmail.com> Signed-off-by:
Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/bpf/20230530155659.309657-1-azeemshaikh38@gmail.com
-
Su Hui authored
Use struct_size() instead of hand writing it. This is less verbose and more informative. Signed-off-by:
Su Hui <suhui@nfschina.com> Signed-off-by:
Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20230531043251.989312-1-suhui@nfschina.com
-
- 30 May, 2023 31 commits
-
-
Yonghong Song authored
Add two selftests where map creation key/value type_id's are decl_tags. Without previous patch, kernel warnings will appear similar to the one in the previous patch. With the previous patch, both kernel warnings are silenced. Signed-off-by:
Martin KaFai Lau <martin.lau@kernel.org>
-
Yonghong Song authored
syzbot reported a warning in [1] with the following stacktrace: WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 ... RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 ... Call Trace: <TASK> map_check_btf kernel/bpf/syscall.c:1024 [inline] map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198 __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040 __do_sys_bpf kernel/bpf/syscall.c:5162 [inline] __se_sys_bpf kernel/bpf/syscall.c:5160 [inline] __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd With the following btf [1] DECL_TAG 'a' type_id=4 component_idx=-1 [2] PTR '(anon)' type_id=0 [3] TYPE_TAG 'a' type_id=2 [4] VAR 'a' type_id=3, linkage=static and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), the following WARN_ON_ONCE in btf_type_id_size() is triggered: if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) && !btf_type_is_var(size_type))) return NULL; Note that 'return NULL' is the correct behavior as we don't want a DECL_TAG type to be used as a btf_{key,value}_type_id even for the case like 'DECL_TAG -> STRUCT'. So there is no correctness issue here, we just want to silence warning. To silence the warning, I added DECL_TAG as one of kinds in btf_type_nosize() which will cause btf_type_id_size() returning NULL earlier without the warning. [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/ Reported-by: syzbot+958967f249155967d42a@syzkaller.appspotmail.com Signed-off-by: -
Heiner Kallweit authored
Check whether first PCI read returns 0xffffffff. Currently, if this is the case, the user sees the following misleading message: unknown chip XID fcf, contact r8169 maintainers (see MAINTAINERS file) Signed-off-by:
Heiner Kallweit <hkallweit1@gmail.com> Reviewed-by:
Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/75b54d23-fefe-2bf4-7e80-c9d3bc91af11@gmail.comSigned-off-by:
Paolo Abeni <pabeni@redhat.com>
-
Andy Shevchenko authored
There is no gpiod_export() and gpiod_unexport() looks pretty much stray. The gpiod_export() and gpiod_unexport() shouldn't be used in the code, GPIO sysfs is deprecated. That said, simply drop the stray call. Signed-off-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reviewed-by:
Andrew Lunn <andrew@lunn.ch> Link: https://lore.kernel.org/r/20230528142531.38602-1-andriy.shevchenko@linux.intel.comSigned-off-by:
-
Christophe JAILLET authored
Use vzalloc() instead of hand writing it with vmalloc()+memset(). This is less verbose. Signed-off-by:
Christophe JAILLET <christophe.jaillet@wanadoo.fr> Reviewed-by:
-
Paolo Abeni authored
Parthiban Veerasooran says: ==================== microchip_t1s: Update on Microchip 10BASE-T1S PHY driver This patch series contain the below updates, - Fixes on the Microchip LAN8670/1/2 10BASE-T1S PHYs support in the net/phy/microchip_t1s.c driver. - Adds support for the Microchip LAN8650/1 Rev.B0 10BASE-T1S Internal PHYs in the net/phy/microchip_t1s.c driver. ==================== Link: https://lore.kernel.org/r/20230526152348.70781-1-Parthiban.Veerasooran@microchip.comSigned-off-by:
-
Parthiban Veerasooran authored
Add support for the Microchip LAN865x Rev.B0 10BASE-T1S Internal PHYs (LAN8650/1). The LAN865x combines a Media Access Controller (MAC) and an internal 10BASE-T1S Ethernet PHY to access 10BASE‑T1S networks. As LAN867X and LAN865X are using the same function for the read_status, rename the function as lan86xx_read_status. Reviewed-by:
Parthiban Veerasooran <Parthiban.Veerasooran@microchip.com> Reviewed-by:
Ramón Nordin Rodriguez <ramon.nordin.rodriguez@ferroamp.se> Signed-off-by:
-
Parthiban Veerasooran authored
By default, except Reset Complete interrupt in the Interrupt Mask 2 Register all other interrupts are disabled/masked. As Reset Complete status is already handled, it doesn't make sense to disable it. Reviewed-by:
-
Parthiban Veerasooran authored
As per the datasheet DS-LAN8670-1-2-60001573C.pdf, the Reset Complete status bit in the STS2 register has to be checked before proceeding to the initial configuration. Reading STS2 register will also clear the Reset Complete interrupt which is non-maskable. Reviewed-by:
-
Parthiban Veerasooran authored
As per AN1699, the initial configuration in the driver applies to LAN867x Rev.B1 hardware revision. 0x0007C160 (Rev.A0) and 0x0007C161 (Rev.B0) never released to production and hence they don't need to be supported. Reviewed-by:
-
Parthiban Veerasooran authored
Replace read-modify-write code in the lan867x_config_init function to avoid handling data type mismatch and to simplify the code. Reviewed-by:
-
Parthiban Veerasooran authored
Remove LAN867X from the driver description as this driver is common for all the Microchip 10BASE-T1S PHYs. Reviewed-by:
-
Paolo Abeni authored
Oleksij Rempel says: ==================== Microchip DSA Driver Improvements changes v2: - set .max_register = U8_MAX, it should be more readable - clarify in the RMW error handling patch, logging behavior expectation. I'd like to share a set of patches for the Microchip DSA driver. These patches were chosen from a bigger set because they are simpler and should be easier to review. The goal is to make the code easier to read, get rid of unused code, and handle errors better. ==================== Link: https://lore.kernel.org/r/20230526073445.668430-1-o.rempel@pengutronix.deSigned-off-by:
-
Oleksij Rempel authored
This update introduces specific register access boundaries for the KSZ8873 and KSZ8863 chips within the DSA Microchip driver. The outlined ranges target global control registers, port registers, and advanced control registers. Signed-off-by:
Oleksij Rempel <o.rempel@pengutronix.de> Signed-off-by:
-
Oleksij Rempel authored
This patch prepares the ksz8863_smi part of ksz8 driver to utilize the regmap register access validation feature. Signed-off-by:
Vladimir Oltean <olteanv@gmail.com> Signed-off-by:
-
Oleksij Rempel authored
The only place where this variable would be set to false is the ksz8_config_cpu_port() function. But it is done in a bogus way: for (i = 0; i < dev->phy_port_cnt; i++) { if (i == dev->phy_port_cnt) <--- will be never executed. break; p->on = 1; So, we never have a situation where p->on = 0. In this case, we can just remove it. Signed-off-by: -
Vladimir Oltean authored
It is not immediately obvious that this driver allocates, via the KSZ_REGMAP_TABLE() macro, 3 regmaps for register access: dev->regmap[0] for 8-bit access, dev->regmap[1] for 16-bit and dev->regmap[2] for 32-bit access. In future changes that add support for reg_fields, each field will have to specify through which of the 3 regmaps it's going to go. Add an enum now, to denote one of the 3 register access widths, and make the code go through some wrapper functions for easier review and further modification. Signed-off-by:
Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by:
-
Oleksij Rempel authored
This patch refines the error handling mechanism for 8-bit register read-modify-write operations. In case of a failure, it now logs an error message detailing the problematic offset. This enhancement aids in debugging by providing more precise information when these operations encounter issues. Furthermore, the ksz_prmw8() function has been updated to return error values rather than void, enabling calling functions to appropriately respond to errors. Additionally, in case of an error that affects both the current and future accesses, the PHY driver will log the errors consistently, akin to the existing behavior in all ksz_read*/ksz_write* helpers. Signed-off-by:
-
Jakub Kicinski authored
Donald Hunter says: ==================== netlink: specs: add ynl spec for ovs_flow Add a ynl specification for ovs_flow. The spec is sufficient to dump ovs flows but some attrs have been left as binary blobs because ynl doesn't support C arrays in struct definitions yet. Patches 1-3 add features for genetlink-legacy specs Patch 4 is the ovs_flow netlink spec ==================== Link: https://lore.kernel.org/r/20230527133107.68161-1-donald.hunter@gmail.comSigned-off-by:
Jakub Kicinski <kuba@kernel.org>
-
Donald Hunter authored
Add a ynl specification for ovs_flow. This spec is sufficient to dump ovs flows. Some attrs are left as binary blobs because ynl doesn't support C arrays in struct definitions yet. Signed-off-by:
Donald Hunter <donald.hunter@gmail.com> Signed-off-by:
-
Donald Hunter authored
Support decoding scalars as enums in struct members for genetlink-legacy specs. Signed-off-by:
-
Donald Hunter authored
This eliminates the need for e.g. --json '{"dp-ifindex":0}' which is not too big a deal for ovs but will get tiresome for fixed header structs that have many members. Signed-off-by: -
Donald Hunter authored
Make it possible to document the meaning of struct member attributes in genetlink-legacy specs. Signed-off-by:
-
Simon Horman authored
Make some minor spelling corrections in comments. Found by inspection. Signed-off-by:
Simon Horman <horms@kernel.org> Reviewed-by:
Jiri Pirko <jiri@nvidia.com> Link: https://lore.kernel.org/r/20230526-devlink-spelling-v1-1-9a3e36cdebc8@kernel.orgSigned-off-by:
-
Dan Carpenter authored
The "len" variable needs to be signed for the error handling to work correctly. Fixes: 2e910b95 ("net: Add a function to splice pages into an skbuff for MSG_SPLICE_PAGES") Signed-off-by:
Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by:
David Howells <dhowells@redhat.com> Reviewed-by:
-
Russell King (Oracle) authored
Rather than using put_device(&mdiodev->dev), use the proper interface provided to dispose of the mdiodev - that being mdio_device_free(). Signed-off-by:
Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Reviewed-by:
Ioana Ciornei <ioana.ciornei@nxp.com> Tested-by:
-
Jakub Kicinski authored
Russell King says: ==================== net: pcs: add helpers to xpcs and lynx to manage mdiodev This morning, we have had two instances where the destruction of the MDIO device associated with XPCS and Lynx has been wrong. Rather than allowing this pattern of errors to continue, let's make it easier for driver authors to get this right by adding a helper. The changes are essentially: 1. Add two new mdio device helpers to manage the underlying struct device reference count. Note that the existing mdio_device_free() doesn't actually free anything, it merely puts the reference count. 2. Make the existing _create() and _destroy() PCS driver methods increment and decrement this refcount using these helpers. This results in no overall change, although drivers may hang on to the mdio device for a few cycles longer. 3. Add _create_mdiodev() which creates the mdio device before calling the existing _create() method. Once the _create() method has returned, we put the reference count on the mdio device. If _create() was successful, then the reference count taken there will "hold" the mdio device for the lifetime of the PCS (in other words, until _destroy() is called.) However, if _create() failed, then dropping the refcount at this point will free the mdio device. This is the exact behaviour we desire. 4. Convert users that create a mdio device and then call the PCS's _create() method over to the new _create_mdiodev() method, and simplify the cleanup. We also have DPAA2 and fmem_memac that look up their PCS rather than creating it. These could also drop their reference count on the MDIO device immediately after calling lynx_pcs_create(), which would then mean we wouldn't need lynx_get_mdio_device() and the associated complexity to put the device in dpaa2_pcs_destroy() and pcs_put(). Note that DPAA2 bypasses the mdio device's abstractions by calling put_device() directly. ==================== Link: https://lore.kernel.org/r/ZHCGZ8IgAAwr8bla@shell.armlinux.org.ukSigned-off-by:
-
Russell King (Oracle) authored
Use the newly introduced lynx_pcs_create_mdiodev() which simplifies the creation and destruction of the lynx PCS. Signed-off-by:
-
Russell King (Oracle) authored
Use the newly introduced lynx_pcs_create_mdiodev() which simplifies the creation and destruction of the lynx PCS. Signed-off-by:
-
Russell King (Oracle) authored
Add lynx_pcs_create_mdiodev() to simplify the creation of the mdio device associated with lynx PCS. In order to allow lynx_pcs_destroy() to clean this up, we need to arrange for lynx_pcs_create() to take a refcount on the mdiodev, and lynx_pcs_destroy() to put it. Adding the refcounting to lynx_pcs_create()..lynx_pcs_destroy() will be transparent to existing users of these interfaces. Signed-off-by:
-
Russell King (Oracle) authored
Use the new xpcs_create_mdiodev() creator, which simplifies the creation and destruction of the mdio device associated with xpcs. Signed-off-by:
-
