1. 15 Dec, 2023 7 commits
  2. 14 Dec, 2023 28 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · c7402612
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
      "Current release - regressions:
      
         - tcp: fix tcp_disordered_ack() vs usec TS resolution
      
        Current release - new code bugs:
      
         - dpll: sanitize possible null pointer dereference in
           dpll_pin_parent_pin_set()
      
         - eth: octeon_ep: initialise control mbox tasks before using APIs
      
        Previous releases - regressions:
      
         - io_uring/af_unix: disable sending io_uring over sockets
      
         - eth: mlx5e:
             - TC, don't offload post action rule if not supported
             - fix possible deadlock on mlx5e_tx_timeout_work
      
         - eth: iavf: fix iavf_shutdown to call iavf_remove instead iavf_close
      
         - eth: bnxt_en: fix skb recycling logic in bnxt_deliver_skb()
      
         - eth: ena: fix DMA syncing in XDP path when SWIOTLB is on
      
         - eth: team: fix use-after-free when an option instance allocation
           fails
      
        Previous releases - always broken:
      
         - neighbour: don't let neigh_forced_gc() disable preemption for long
      
         - net: prevent mss overflow in skb_segment()
      
         - ipv6: support reporting otherwise unknown prefix flags in
           RTM_NEWPREFIX
      
         - tcp: remove acked SYN flag from packet in the transmit queue
           correctly
      
         - eth: octeontx2-af:
             - fix a use-after-free in rvu_nix_register_reporters
             - fix promisc mcam entry action
      
         - eth: dwmac-loongson: make sure MDIO is initialized before use
      
         - eth: atlantic: fix double free in ring reinit logic"
      
      * tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (62 commits)
        net: atlantic: fix double free in ring reinit logic
        appletalk: Fix Use-After-Free in atalk_ioctl
        net: stmmac: Handle disabled MDIO busses from devicetree
        net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX
        dpaa2-switch: do not ask for MDB, VLAN and FDB replay
        dpaa2-switch: fix size of the dma_unmap
        net: prevent mss overflow in skb_segment()
        vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
        Revert "tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set"
        MIPS: dts: loongson: drop incorrect dwmac fallback compatible
        stmmac: dwmac-loongson: drop useless check for compatible fallback
        stmmac: dwmac-loongson: Make sure MDIO is initialized before use
        tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set
        dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
        net: ena: Fix XDP redirection error
        net: ena: Fix DMA syncing in XDP path when SWIOTLB is on
        net: ena: Fix xdp drops handling due to multibuf packets
        net: ena: Destroy correct number of xdp queues upon failure
        net: Remove acked SYN flag from packet in the transmit queue correctly
        qed: Fix a potential use-after-free in qed_cxt_tables_alloc
        ...
      c7402612
    • Linus Torvalds's avatar
      Merge tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · bdb2701f
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
        "Some fixes to quota accounting code, mostly around error handling and
         correctness:
      
         - free reserves on various error paths, after IO errors or
           transaction abort
      
         - don't clear reserved range at the folio release time, it'll be
           properly cleared after final write
      
         - fix integer overflow due to int used when passing around size of
           freed reservations
      
         - fix a regression in squota accounting that missed some cases with
           delayed refs"
      
      * tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: ensure releasing squota reserve on head refs
        btrfs: don't clear qgroup reserved bit in release_folio
        btrfs: free qgroup pertrans reserve on transaction abort
        btrfs: fix qgroup_free_reserved_data int overflow
        btrfs: free qgroup reserve when ORDERED_IOERR is set
      bdb2701f
    • Igor Russkikh's avatar
      net: atlantic: fix double free in ring reinit logic · 7bb26ea7
      Igor Russkikh authored
      Driver has a logic leak in ring data allocation/free,
      where double free may happen in aq_ring_free if system is under
      stress and driver init/deinit is happening.
      
      The probability is higher to get this during suspend/resume cycle.
      
      Verification was done simulating same conditions with
      
          stress -m 2000 --vm-bytes 20M --vm-hang 10 --backoff 1000
          while true; do sudo ifconfig enp1s0 down; sudo ifconfig enp1s0 up; done
      
      Fixed by explicitly clearing pointers to NULL on deallocation
      
      Fixes: 018423e9 ("net: ethernet: aquantia: Add ring support code")
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Closes: https://lore.kernel.org/netdev/CAHk-=wiZZi7FcvqVSUirHBjx0bBUZ4dFrMDVLc3+3HCrtq0rBA@mail.gmail.com/Signed-off-by: default avatarIgor Russkikh <irusskikh@marvell.com>
      Link: https://lore.kernel.org/r/20231213094044.22988-1-irusskikh@marvell.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7bb26ea7
    • Hyunwoo Kim's avatar
      appletalk: Fix Use-After-Free in atalk_ioctl · 189ff167
      Hyunwoo Kim authored
      Because atalk_ioctl() accesses sk->sk_receive_queue
      without holding a sk->sk_receive_queue.lock, it can
      cause a race with atalk_recvmsg().
      A use-after-free for skb occurs with the following flow.
      ```
      atalk_ioctl() -> skb_peek()
      atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
      ```
      Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarHyunwoo Kim <v4bel@theori.io>
      Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AXSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      189ff167
    • Andrew Halaney's avatar
      net: stmmac: Handle disabled MDIO busses from devicetree · e23c0d21
      Andrew Halaney authored
      Many hardware configurations have the MDIO bus disabled, and are instead
      using some other MDIO bus to talk to the MAC's phy.
      
      of_mdiobus_register() returns -ENODEV in this case. Let's handle it
      gracefully instead of failing to probe the MAC.
      
      Fixes: 47dd7a54 ("net: add support for STMicroelectronics Ethernet controllers.")
      Signed-off-by: default avatarAndrew Halaney <ahalaney@redhat.com>
      Reviewed-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Link: https://lore.kernel.org/r/20231212-b4-stmmac-handle-mdio-enodev-v2-1-600171acf79f@redhat.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e23c0d21
    • Sneh Shah's avatar
      net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX · 981d947b
      Sneh Shah authored
      In 10M SGMII mode all the packets are being dropped due to wrong Rx clock.
      SGMII 10MBPS mode needs RX clock divider programmed to avoid drops in Rx.
      Update configure SGMII function with Rx clk divider programming.
      
      Fixes: 463120c3 ("net: stmmac: dwmac-qcom-ethqos: add support for SGMII")
      Tested-by: default avatarAndrew Halaney <ahalaney@redhat.com>
      Signed-off-by: default avatarSneh Shah <quic_snehshah@quicinc.com>
      Reviewed-by: default avatarBjorn Andersson <quic_bjorande@quicinc.com>
      Link: https://lore.kernel.org/r/20231212092208.22393-1-quic_snehshah@quicinc.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      981d947b
    • Johannes Berg's avatar
      wifi: cfg80211: fix certs build to not depend on file order · 3c2a8ebe
      Johannes Berg authored
      The file for the new certificate (Chen-Yu Tsai's) didn't
      end with a comma, so depending on the file order in the
      build rule, we'd end up with invalid C when concatenating
      the (now two) certificates. Fix that.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarBiju Das <biju.das.jz@bp.renesas.com>
      Reported-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Fixes: fb768d3b ("wifi: cfg80211: Add my certificate")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3c2a8ebe
    • Jakub Kicinski's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 89e0c646
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-12-12 (iavf)
      
      This series contains updates to iavf driver only.
      
      Piotr reworks Flow Director states to deal with issues in restoring
      filters.
      
      Slawomir fixes shutdown processing as it was missing needed calls.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        iavf: Fix iavf_shutdown to call iavf_remove instead iavf_close
        iavf: Handle ntuple on/off based on new state machines for flow director
        iavf: Introduce new state machines for flow director
      ====================
      
      Link: https://lore.kernel.org/r/20231212203613.513423-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      89e0c646
    • Jakub Kicinski's avatar
      Merge branch 'dpaa2-switch-various-fixes' · dc84bb19
      Jakub Kicinski authored
      Ioana Ciornei says:
      
      ====================
      dpaa2-switch: various fixes
      
      The first patch fixes the size passed to two dma_unmap_single() calls
      which was wrongly put as the size of the pointer.
      
      The second patch is new to this series and reverts the behavior of the
      dpaa2-switch driver to not ask for object replay upon offloading so that
      we avoid the errors encountered when a VLAN is installed multiple times
      on the same port.
      ====================
      
      Link: https://lore.kernel.org/r/20231212164326.2753457-1-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      dc84bb19
    • Ioana Ciornei's avatar
      dpaa2-switch: do not ask for MDB, VLAN and FDB replay · f24a49a3
      Ioana Ciornei authored
      Starting with commit 4e51bf44 ("net: bridge: move the switchdev
      object replay helpers to "push" mode") the switchdev_bridge_port_offload()
      helper was extended with the intention to provide switchdev drivers easy
      access to object addition and deletion replays. This works by calling
      the replay helpers with non-NULL notifier blocks.
      
      In the same commit, the dpaa2-switch driver was updated so that it
      passes valid notifier blocks to the helper. At that moment, no
      regression was identified through testing.
      
      In the meantime, the blamed commit changed the behavior in terms of
      which ports get hit by the replay. Before this commit, only the initial
      port which identified itself as offloaded through
      switchdev_bridge_port_offload() got a replay of all port objects and
      FDBs. After this, the newly joining port will trigger a replay of
      objects on all bridge ports and on the bridge itself.
      
      This behavior leads to errors in dpaa2_switch_port_vlans_add() when a
      VLAN gets installed on the same interface multiple times.
      
      The intended mechanism to address this is to pass a non-NULL ctx to the
      switchdev_bridge_port_offload() helper and then check it against the
      port's private structure. But since the driver does not have any use for
      the replayed port objects and FDBs until it gains support for LAG
      offload, it's better to fix the issue by reverting the dpaa2-switch
      driver to not ask for replay. The pointers will be added back when we
      are prepared to ignore replays on unrelated ports.
      
      Fixes: b28d580e ("net: bridge: switchdev: replay all VLAN groups")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20231212164326.2753457-3-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f24a49a3
    • Ioana Ciornei's avatar
      dpaa2-switch: fix size of the dma_unmap · 2aad7d41
      Ioana Ciornei authored
      The size of the DMA unmap was wrongly put as a sizeof of a pointer.
      Change the value of the DMA unmap to be the actual macro used for the
      allocation and the DMA map.
      
      Fixes: 1110318d ("dpaa2-switch: add tc flower hardware offload on ingress traffic")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20231212164326.2753457-2-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2aad7d41
    • Eric Dumazet's avatar
      net: prevent mss overflow in skb_segment() · 23d05d56
      Eric Dumazet authored
      Once again syzbot is able to crash the kernel in skb_segment() [1]
      
      GSO_BY_FRAGS is a forbidden value, but unfortunately the following
      computation in skb_segment() can reach it quite easily :
      
      	mss = mss * partial_segs;
      
      65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
      a bad final result.
      
      Make sure to limit segmentation so that the new mss value is smaller
      than GSO_BY_FRAGS.
      
      [1]
      
      general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
      CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3c #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
      Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
      RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
      RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
      RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
      R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
      FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
      ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
      skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
      __skb_gso_segment+0x339/0x710 net/core/gso.c:124
      skb_gso_segment include/net/gso.h:83 [inline]
      validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
      __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
      dev_queue_xmit include/linux/netdevice.h:3134 [inline]
      packet_xmit+0x257/0x380 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3087 [inline]
      packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7f8692032aa9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
      RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
      RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
      R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
      </TASK>
      Modules linked in:
      ---[ end trace 0000000000000000 ]---
      RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
      Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
      RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
      RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
      RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
      R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
      FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      
      Fixes: 3953c46c ("sk_buff: allow segmenting based on frag sizes")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/20231212164621.4131800-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      23d05d56
    • Nikolay Kuratov's avatar
      vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() · 60316d7f
      Nikolay Kuratov authored
      We need to do signed arithmetic if we expect condition
      `if (bytes < 0)` to be possible
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE
      
      Fixes: 06a8fc78 ("VSOCK: Introduce virtio_vsock_common.ko")
      Signed-off-by: default avatarNikolay Kuratov <kniv@yandex-team.ru>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20231211162317.4116625-1-kniv@yandex-team.ruSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      60316d7f
    • Rahul Rameshbabu's avatar
      net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors · b13559b7
      Rahul Rameshbabu authored
      snprintf returns the length of the formatted string, excluding the trailing
      null, without accounting for truncation. This means that is the return
      value is greater than or equal to the size parameter, the fw_version string
      was truncated.
      
      Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
      Fixes: 1b2bd0c0 ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors")
      Signed-off-by: default avatarRahul Rameshbabu <rrameshbabu@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      b13559b7
    • Rahul Rameshbabu's avatar
      net/mlx5e: Correct snprintf truncation handling for fw_version buffer · ad436b9c
      Rahul Rameshbabu authored
      snprintf returns the length of the formatted string, excluding the trailing
      null, without accounting for truncation. This means that is the return
      value is greater than or equal to the size parameter, the fw_version string
      was truncated.
      Reported-by: default avatarDavid Laight <David.Laight@ACULAB.COM>
      Closes: https://lore.kernel.org/netdev/81cae734ee1b4cde9b380a9a31006c1a@AcuMS.aculab.com/
      Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
      Fixes: 41e63c2b ("net/mlx5e: Check return value of snprintf writing to fw_version buffer")
      Signed-off-by: default avatarRahul Rameshbabu <rrameshbabu@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      ad436b9c
    • Dan Carpenter's avatar
      net/mlx5e: Fix error codes in alloc_branch_attr() · d792e5f7
      Dan Carpenter authored
      Set the error code if set_branch_dest_ft() fails.
      
      Fixes: ccbe3300 ("net/mlx5e: TC, Don't offload post action rule if not supported")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      d792e5f7
    • Dan Carpenter's avatar
      net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get() · 86d59226
      Dan Carpenter authored
      Preserve the error code if esw_add_restore_rule() fails.  Don't return
      success.
      
      Fixes: 67027828 ("net/mlx5e: TC, Set CT miss to the specific ct action instance")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      86d59226
    • Vlad Buslov's avatar
      net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num · 04ad04e4
      Vlad Buslov authored
      Currently the destination rep pointer is only used for comparisons or to
      obtain vport number from it. Since it is used both during flow creation and
      deletion it may point to representor of another eswitch instance which can
      be deallocated during driver unload even when there are rules pointing to
      it[0]. Refactor the code to store vport number and 'valid' flag instead of
      the representor pointer.
      
      [0]:
      [176805.886303] ==================================================================
      [176805.889433] BUG: KASAN: slab-use-after-free in esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.892981] Read of size 2 at addr ffff888155090aa0 by task modprobe/27280
      
      [176805.895462] CPU: 3 PID: 27280 Comm: modprobe Tainted: G    B              6.6.0-rc3+ #1
      [176805.896771] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [176805.898514] Call Trace:
      [176805.899026]  <TASK>
      [176805.899519]  dump_stack_lvl+0x33/0x50
      [176805.900221]  print_report+0xc2/0x610
      [176805.900893]  ? mlx5_chains_put_table+0x33d/0x8d0 [mlx5_core]
      [176805.901897]  ? esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.902852]  kasan_report+0xac/0xe0
      [176805.903509]  ? esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.904461]  esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.905223]  __mlx5_eswitch_del_rule+0x1ae/0x460 [mlx5_core]
      [176805.906044]  ? esw_cleanup_dests+0x440/0x440 [mlx5_core]
      [176805.906822]  ? xas_find_conflict+0x420/0x420
      [176805.907496]  ? down_read+0x11e/0x200
      [176805.908046]  mlx5e_tc_rule_unoffload+0xc4/0x2a0 [mlx5_core]
      [176805.908844]  mlx5e_tc_del_fdb_flow+0x7da/0xb10 [mlx5_core]
      [176805.909597]  mlx5e_flow_put+0x4b/0x80 [mlx5_core]
      [176805.910275]  mlx5e_delete_flower+0x5b4/0xb70 [mlx5_core]
      [176805.911010]  tc_setup_cb_reoffload+0x27/0xb0
      [176805.911648]  fl_reoffload+0x62d/0x900 [cls_flower]
      [176805.912313]  ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core]
      [176805.913151]  ? __fl_put+0x230/0x230 [cls_flower]
      [176805.913768]  ? filter_irq_stacks+0x90/0x90
      [176805.914335]  ? kasan_save_stack+0x1e/0x40
      [176805.914893]  ? kasan_set_track+0x21/0x30
      [176805.915484]  ? kasan_save_free_info+0x27/0x40
      [176805.916105]  tcf_block_playback_offloads+0x79/0x1f0
      [176805.916773]  ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core]
      [176805.917647]  tcf_block_unbind+0x12d/0x330
      [176805.918239]  tcf_block_offload_cmd.isra.0+0x24e/0x320
      [176805.918953]  ? tcf_block_bind+0x770/0x770
      [176805.919551]  ? _raw_read_unlock_irqrestore+0x30/0x30
      [176805.920236]  ? mutex_lock+0x7d/0xd0
      [176805.920735]  ? mutex_unlock+0x80/0xd0
      [176805.921255]  tcf_block_offload_unbind+0xa5/0x120
      [176805.921909]  __tcf_block_put+0xc2/0x2d0
      [176805.922467]  ingress_destroy+0xf4/0x3d0 [sch_ingress]
      [176805.923178]  __qdisc_destroy+0x9d/0x280
      [176805.923741]  dev_shutdown+0x1c6/0x330
      [176805.924295]  unregister_netdevice_many_notify+0x6ef/0x1500
      [176805.925034]  ? netdev_freemem+0x50/0x50
      [176805.925610]  ? _raw_spin_lock_irq+0x7b/0xd0
      [176805.926235]  ? _raw_spin_lock_bh+0xe0/0xe0
      [176805.926849]  unregister_netdevice_queue+0x1e0/0x280
      [176805.927592]  ? unregister_netdevice_many+0x10/0x10
      [176805.928275]  unregister_netdev+0x18/0x20
      [176805.928835]  mlx5e_vport_rep_unload+0xc0/0x200 [mlx5_core]
      [176805.929608]  mlx5_esw_offloads_unload_rep+0x9d/0xc0 [mlx5_core]
      [176805.930492]  mlx5_eswitch_unload_vf_vports+0x108/0x1a0 [mlx5_core]
      [176805.931422]  ? mlx5_eswitch_unload_sf_vport+0x50/0x50 [mlx5_core]
      [176805.932304]  ? rwsem_down_write_slowpath+0x11f0/0x11f0
      [176805.932987]  mlx5_eswitch_disable_sriov+0x6f9/0xa60 [mlx5_core]
      [176805.933807]  ? mlx5_core_disable_hca+0xe1/0x130 [mlx5_core]
      [176805.934576]  ? mlx5_eswitch_disable_locked+0x580/0x580 [mlx5_core]
      [176805.935463]  mlx5_device_disable_sriov+0x138/0x490 [mlx5_core]
      [176805.936308]  mlx5_sriov_disable+0x8c/0xb0 [mlx5_core]
      [176805.937063]  remove_one+0x7f/0x210 [mlx5_core]
      [176805.937711]  pci_device_remove+0x96/0x1c0
      [176805.938289]  device_release_driver_internal+0x361/0x520
      [176805.938981]  ? kobject_put+0x5c/0x330
      [176805.939553]  driver_detach+0xd7/0x1d0
      [176805.940101]  bus_remove_driver+0x11f/0x290
      [176805.943847]  pci_unregister_driver+0x23/0x1f0
      [176805.944505]  mlx5_cleanup+0xc/0x20 [mlx5_core]
      [176805.945189]  __x64_sys_delete_module+0x2b3/0x450
      [176805.945837]  ? module_flags+0x300/0x300
      [176805.946377]  ? dput+0xc2/0x830
      [176805.946848]  ? __kasan_record_aux_stack+0x9c/0xb0
      [176805.947555]  ? __call_rcu_common.constprop.0+0x46c/0xb50
      [176805.948338]  ? fpregs_assert_state_consistent+0x1d/0xa0
      [176805.949055]  ? exit_to_user_mode_prepare+0x30/0x120
      [176805.949713]  do_syscall_64+0x3d/0x90
      [176805.950226]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [176805.950904] RIP: 0033:0x7f7f42c3f5ab
      [176805.951462] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48
      [176805.953710] RSP: 002b:00007fff07dc9d08 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [176805.954691] RAX: ffffffffffffffda RBX: 000055b6e91c01e0 RCX: 00007f7f42c3f5ab
      [176805.955691] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6e91c0248
      [176805.956662] RBP: 000055b6e91c01e0 R08: 0000000000000000 R09: 0000000000000000
      [176805.957601] R10: 00007f7f42d9eac0 R11: 0000000000000206 R12: 000055b6e91c0248
      [176805.958593] R13: 0000000000000000 R14: 000055b6e91bfb38 R15: 0000000000000000
      [176805.959599]  </TASK>
      
      [176805.960324] Allocated by task 20490:
      [176805.960893]  kasan_save_stack+0x1e/0x40
      [176805.961463]  kasan_set_track+0x21/0x30
      [176805.962019]  __kasan_kmalloc+0x77/0x90
      [176805.962554]  esw_offloads_init+0x1bb/0x480 [mlx5_core]
      [176805.963318]  mlx5_eswitch_init+0xc70/0x15c0 [mlx5_core]
      [176805.964092]  mlx5_init_one_devl_locked+0x366/0x1230 [mlx5_core]
      [176805.964902]  probe_one+0x6f7/0xc90 [mlx5_core]
      [176805.965541]  local_pci_probe+0xd7/0x180
      [176805.966075]  pci_device_probe+0x231/0x6f0
      [176805.966631]  really_probe+0x1d4/0xb50
      [176805.967179]  __driver_probe_device+0x18d/0x450
      [176805.967810]  driver_probe_device+0x49/0x120
      [176805.968431]  __driver_attach+0x1fb/0x490
      [176805.968976]  bus_for_each_dev+0xed/0x170
      [176805.969560]  bus_add_driver+0x21a/0x570
      [176805.970124]  driver_register+0x133/0x460
      [176805.970684]  0xffffffffa0678065
      [176805.971180]  do_one_initcall+0x92/0x2b0
      [176805.971744]  do_init_module+0x22d/0x720
      [176805.972318]  load_module+0x58c3/0x63b0
      [176805.972847]  init_module_from_file+0xd2/0x130
      [176805.973441]  __x64_sys_finit_module+0x389/0x7c0
      [176805.974045]  do_syscall_64+0x3d/0x90
      [176805.974556]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176805.975566] Freed by task 27280:
      [176805.976077]  kasan_save_stack+0x1e/0x40
      [176805.976655]  kasan_set_track+0x21/0x30
      [176805.977221]  kasan_save_free_info+0x27/0x40
      [176805.977834]  ____kasan_slab_free+0x11a/0x1b0
      [176805.978505]  __kmem_cache_free+0x163/0x2d0
      [176805.979113]  esw_offloads_cleanup_reps+0xb8/0x120 [mlx5_core]
      [176805.979963]  mlx5_eswitch_cleanup+0x182/0x270 [mlx5_core]
      [176805.980763]  mlx5_cleanup_once+0x9a/0x1e0 [mlx5_core]
      [176805.981477]  mlx5_uninit_one+0xa9/0x180 [mlx5_core]
      [176805.982196]  remove_one+0x8f/0x210 [mlx5_core]
      [176805.982868]  pci_device_remove+0x96/0x1c0
      [176805.983461]  device_release_driver_internal+0x361/0x520
      [176805.984169]  driver_detach+0xd7/0x1d0
      [176805.984702]  bus_remove_driver+0x11f/0x290
      [176805.985261]  pci_unregister_driver+0x23/0x1f0
      [176805.985847]  mlx5_cleanup+0xc/0x20 [mlx5_core]
      [176805.986483]  __x64_sys_delete_module+0x2b3/0x450
      [176805.987126]  do_syscall_64+0x3d/0x90
      [176805.987665]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176805.988667] Last potentially related work creation:
      [176805.989305]  kasan_save_stack+0x1e/0x40
      [176805.989839]  __kasan_record_aux_stack+0x9c/0xb0
      [176805.990443]  kvfree_call_rcu+0x84/0xa30
      [176805.990973]  clean_xps_maps+0x265/0x6e0
      [176805.991547]  netif_reset_xps_queues.part.0+0x3f/0x80
      [176805.992226]  unregister_netdevice_many_notify+0xfcf/0x1500
      [176805.992966]  unregister_netdevice_queue+0x1e0/0x280
      [176805.993638]  unregister_netdev+0x18/0x20
      [176805.994205]  mlx5e_remove+0xba/0x1e0 [mlx5_core]
      [176805.994872]  auxiliary_bus_remove+0x52/0x70
      [176805.995490]  device_release_driver_internal+0x361/0x520
      [176805.996196]  bus_remove_device+0x1e1/0x3d0
      [176805.996767]  device_del+0x390/0x980
      [176805.997270]  mlx5_rescan_drivers_locked.part.0+0x130/0x540 [mlx5_core]
      [176805.998195]  mlx5_unregister_device+0x77/0xc0 [mlx5_core]
      [176805.998989]  mlx5_uninit_one+0x41/0x180 [mlx5_core]
      [176805.999719]  remove_one+0x8f/0x210 [mlx5_core]
      [176806.000387]  pci_device_remove+0x96/0x1c0
      [176806.000938]  device_release_driver_internal+0x361/0x520
      [176806.001612]  unbind_store+0xd8/0xf0
      [176806.002108]  kernfs_fop_write_iter+0x2c0/0x440
      [176806.002748]  vfs_write+0x725/0xba0
      [176806.003294]  ksys_write+0xed/0x1c0
      [176806.003823]  do_syscall_64+0x3d/0x90
      [176806.004357]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176806.005317] The buggy address belongs to the object at ffff888155090a80
                       which belongs to the cache kmalloc-64 of size 64
      [176806.006774] The buggy address is located 32 bytes inside of
                       freed 64-byte region [ffff888155090a80, ffff888155090ac0)
      
      [176806.008773] The buggy address belongs to the physical page:
      [176806.009480] page:00000000a407e0e6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155090
      [176806.010633] flags: 0x200000000000800(slab|node=0|zone=2)
      [176806.011352] page_type: 0xffffffff()
      [176806.011905] raw: 0200000000000800 ffff888100042640 ffffea000422b1c0 dead000000000004
      [176806.012949] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
      [176806.013933] page dumped because: kasan: bad access detected
      
      [176806.014935] Memory state around the buggy address:
      [176806.015601]  ffff888155090980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.016568]  ffff888155090a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.017497] >ffff888155090a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.018438]                                ^
      [176806.019007]  ffff888155090b00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.020001]  ffff888155090b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.020996] ==================================================================
      
      Fixes: a508728a ("net/mlx5e: VF tunnel RX traffic offloading")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      04ad04e4
    • Moshe Shemesh's avatar
      net/mlx5: Fix fw tracer first block check · 4261edf1
      Moshe Shemesh authored
      While handling new traces, to verify it is not the first block being
      written, last_timestamp is checked. But instead of checking it is non
      zero it is verified to be zero. Fix to verify last_timestamp is not
      zero.
      
      Fixes: c71ad41c ("net/mlx5: FW tracer, events handling")
      Signed-off-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Reviewed-by: default avatarFeras Daoud <ferasda@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      4261edf1
    • Carolina Jubran's avatar
      net/mlx5e: XDP, Drop fragmented packets larger than MTU size · bcaf109f
      Carolina Jubran authored
      XDP transmits fragmented packets that are larger than MTU size instead of
      dropping those packets. The drop check that checks whether a packet is larger
      than MTU is comparing MTU size against the linear part length only.
      
      Adjust the drop check to compare MTU size against both linear and non-linear
      part lengths to avoid transmitting fragmented packets larger than MTU size.
      
      Fixes: 39a1665d ("net/mlx5e: Implement sending multi buffer XDP frames")
      Signed-off-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      bcaf109f
    • Chris Mi's avatar
      net/mlx5e: Decrease num_block_tc when unblock tc offload · be86106f
      Chris Mi authored
      The cited commit increases num_block_tc when unblock tc offload.
      Actually should decrease it.
      
      Fixes: c8e350e6 ("net/mlx5e: Make TC and IPsec offloads mutually exclusive on a netdev")
      Signed-off-by: default avatarChris Mi <cmi@nvidia.com>
      Reviewed-by: default avatarJianbo Liu <jianbol@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      be86106f
    • Jianbo Liu's avatar
      net/mlx5e: Fix overrun reported by coverity · da75fa54
      Jianbo Liu authored
      Coverity Scan reports the following issue. But it's impossible that
      mlx5_get_dev_index returns 7 for PF, even if the index is calculated
      from PCI FUNC ID. So add the checking to make coverity slience.
      
      CID 610894 (#2 of 2): Out-of-bounds write (OVERRUN)
      Overrunning array esw->fdb_table.offloads.peer_miss_rules of 4 8-byte
      elements at element index 7 (byte offset 63) using index
      mlx5_get_dev_index(peer_dev) (which evaluates to 7).
      
      Fixes: 9bee385a ("net/mlx5: E-switch, refactor FDB miss rule add/remove")
      Signed-off-by: default avatarJianbo Liu <jianbol@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      da75fa54
    • Dinghao Liu's avatar
      net/mlx5e: fix a potential double-free in fs_udp_create_groups · e75efc64
      Dinghao Liu authored
      When kcalloc() for ft->g succeeds but kvzalloc() for in fails,
      fs_udp_create_groups() will free ft->g. However, its caller
      fs_udp_create_table() will free ft->g again through calling
      mlx5e_destroy_flow_table(), which will lead to a double-free.
      Fix this by setting ft->g to NULL in fs_udp_create_groups().
      
      Fixes: 1c80bd68 ("net/mlx5e: Introduce Flow Steering UDP API")
      Signed-off-by: default avatarDinghao Liu <dinghao.liu@zju.edu.cn>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      e75efc64
    • Shifeng Li's avatar
      net/mlx5e: Fix a race in command alloc flow · 8f5100da
      Shifeng Li authored
      Fix a cmd->ent use after free due to a race on command entry.
      Such race occurs when one of the commands releases its last refcount and
      frees its index and entry while another process running command flush
      flow takes refcount to this command entry. The process which handles
      commands flush may see this command as needed to be flushed if the other
      process allocated a ent->idx but didn't set ent to cmd->ent_arr in
      cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into
      the spin lock.
      
      [70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
      [70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361
      [70013.081968]
      [70013.082028] Workqueue: events aer_isr
      [70013.082053] Call Trace:
      [70013.082067]  dump_stack+0x8b/0xbb
      [70013.082086]  print_address_description+0x6a/0x270
      [70013.082102]  kasan_report+0x179/0x2c0
      [70013.082173]  mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
      [70013.082267]  mlx5_cmd_flush+0x80/0x180 [mlx5_core]
      [70013.082304]  mlx5_enter_error_state+0x106/0x1d0 [mlx5_core]
      [70013.082338]  mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core]
      [70013.082377]  remove_one+0x200/0x2b0 [mlx5_core]
      [70013.082409]  pci_device_remove+0xf3/0x280
      [70013.082439]  device_release_driver_internal+0x1c3/0x470
      [70013.082453]  pci_stop_bus_device+0x109/0x160
      [70013.082468]  pci_stop_and_remove_bus_device+0xe/0x20
      [70013.082485]  pcie_do_fatal_recovery+0x167/0x550
      [70013.082493]  aer_isr+0x7d2/0x960
      [70013.082543]  process_one_work+0x65f/0x12d0
      [70013.082556]  worker_thread+0x87/0xb50
      [70013.082571]  kthread+0x2e9/0x3a0
      [70013.082592]  ret_from_fork+0x1f/0x40
      
      The logical relationship of this error is as follows:
      
                   aer_recover_work              |          ent->work
      -------------------------------------------+------------------------------
      aer_recover_work_func                      |
      |- pcie_do_recovery                        |
        |- report_error_detected                 |
          |- mlx5_pci_err_detected               |cmd_work_handler
            |- mlx5_enter_error_state            |  |- cmd_alloc_index
              |- enter_error_state               |    |- lock cmd->alloc_lock
                |- mlx5_cmd_flush                |    |- clear_bit
                  |- mlx5_cmd_trigger_completions|    |- unlock cmd->alloc_lock
                    |- lock cmd->alloc_lock      |
                    |- vector = ~dev->cmd.vars.bitmask
                    |- for_each_set_bit          |
                      |- cmd_ent_get(cmd->ent_arr[i]) (UAF)
                    |- unlock cmd->alloc_lock    |  |- cmd->ent_arr[ent->idx]=ent
      
      The cmd->ent_arr[ent->idx] assignment and the bit clearing are not
      protected by the cmd->alloc_lock in cmd_work_handler().
      
      Fixes: 50b2412b ("net/mlx5: Avoid possible free of command entry while timeout comp handler")
      Reviewed-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Signed-off-by: default avatarShifeng Li <lishifeng@sangfor.com.cn>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      8f5100da
    • Shifeng Li's avatar
      net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() · ddb38ddf
      Shifeng Li authored
      Out_sz that the size of out buffer is calculated using query_nic_vport
      _context_in structure when driver query the MAC list. However query_nic
      _vport_context_in structure is smaller than query_nic_vport_context_out.
      When allowed_list_size is greater than 96, calling ether_addr_copy() will
      trigger an slab-out-of-bounds.
      
      [ 1170.055866] BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
      [ 1170.055869] Read of size 4 at addr ffff88bdbc57d912 by task kworker/u128:1/461
      [ 1170.055870]
      [ 1170.055932] Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]
      [ 1170.055936] Call Trace:
      [ 1170.055949]  dump_stack+0x8b/0xbb
      [ 1170.055958]  print_address_description+0x6a/0x270
      [ 1170.055961]  kasan_report+0x179/0x2c0
      [ 1170.056061]  mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
      [ 1170.056162]  esw_update_vport_addr_list+0x2c5/0xcd0 [mlx5_core]
      [ 1170.056257]  esw_vport_change_handle_locked+0xd08/0x1a20 [mlx5_core]
      [ 1170.056377]  esw_vport_change_handler+0x6b/0x90 [mlx5_core]
      [ 1170.056381]  process_one_work+0x65f/0x12d0
      [ 1170.056383]  worker_thread+0x87/0xb50
      [ 1170.056390]  kthread+0x2e9/0x3a0
      [ 1170.056394]  ret_from_fork+0x1f/0x40
      
      Fixes: e16aea27 ("net/mlx5: Introduce access functions to modify/query vport mac lists")
      Cc: Ding Hui <dinghui@sangfor.com.cn>
      Signed-off-by: default avatarShifeng Li <lishifeng@sangfor.com.cn>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      ddb38ddf
    • Vlad Buslov's avatar
      net/mlx5e: fix double free of encap_header · 8e13cd73
      Vlad Buslov authored
      Cited commit introduced potential double free since encap_header can be
      destroyed twice in some cases - once by error cleanup sequence in
      mlx5e_tc_tun_{create|update}_header_ipv{4|6}(), once by generic
      mlx5e_encap_put() that user calls as a result of getting an error from
      tunnel create|update. At the same time the point where e->encap_header is
      assigned can't be delayed because the function can still return non-error
      code 0 as a result of checking for NUD_VALID flag, which will cause
      neighbor update to dereference NULL encap_header.
      
      Fix the issue by:
      
      - Nulling local encap_header variables in
      mlx5e_tc_tun_{create|update}_header_ipv{4|6}() to make kfree(encap_header)
      call in error cleanup sequence noop after that point.
      
      - Assigning reformat_params.data from e->encap_header instead of local
      variable encap_header that was set to NULL pointer by previous step. Also
      assign reformat_params.size from e->encap_size for uniformity and in order
      to make the code less error-prone in the future.
      
      Fixes: d589e785 ("net/mlx5e: Allow concurrent creation of encap entries")
      Reported-by: default avatarDust Li <dust.li@linux.alibaba.com>
      Reported-by: default avatarCruz Zhao <cruzzhao@linux.alibaba.com>
      Reported-by: default avatarTianchen Ding <dtcccc@linux.alibaba.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      8e13cd73
    • Vlad Buslov's avatar
      Revert "net/mlx5e: fix double free of encap_header" · 5d089684
      Vlad Buslov authored
      This reverts commit 6f9b1a07.
      
      This patch is causing a null ptr issue, the proper fix is in the next
      patch.
      
      Fixes: 6f9b1a07 ("net/mlx5e: fix double free of encap_header")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      5d089684
    • Vlad Buslov's avatar
      Revert "net/mlx5e: fix double free of encap_header in update funcs" · 66ca8d4d
      Vlad Buslov authored
      This reverts commit 3a4aa3cb.
      
      This patch is causing a null ptr issue, the proper fix is in the next
      patch.
      
      Fixes: 3a4aa3cb ("net/mlx5e: fix double free of encap_header in update funcs")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      66ca8d4d
  3. 13 Dec, 2023 5 commits