1. 05 Jul, 2022 2 commits
    • Vladimir Oltean's avatar
      selftests: forwarding: fix flood_unicast_test when h2 supports IFF_UNICAST_FLT · b8e629b0
      Vladimir Oltean authored
      As mentioned in the blamed commit, flood_unicast_test() works by
      checking the match count on a tc filter placed on the receiving
      interface.
      
      But the second host interface (host2_if) has no interest in receiving a
      packet with MAC DA de:ad:be:ef:13:37, so its RX filter drops it even
      before the ingress tc filter gets to be executed. So we will incorrectly
      get the message "Packet was not flooded when should", when in fact, the
      packet was flooded as expected but dropped due to an unrelated reason,
      at some other layer on the receiving side.
      
      Force h2 to accept this packet by temporarily placing it in promiscuous
      mode. Alternatively we could either deliver to its MAC address or use
      tcpdump_start, but this has the fewest complications.
      
      This fixes the "flooding" test from bridge_vlan_aware.sh and
      bridge_vlan_unaware.sh, which calls flood_test from the lib.
      
      Fixes: 236dd50b ("selftests: forwarding: Add a test for flooded traffic")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Tested-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b8e629b0
    • Jakub Kicinski's avatar
      Merge tag 'linux-can-fixes-for-5.19-20220704' of... · 7e8c182c
      Jakub Kicinski authored
      Merge tag 'linux-can-fixes-for-5.19-20220704' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      can 2022-07-04
      
      The 1st patch is by Oliver Hartkopp, targets the BCM CAN protocol and
      converts a costly synchronize_rcu() to call_rcu() to fix a performance
      regression.
      
      Srinivas Neeli's patch for the xilinx_can driver drops the brp limit
      down to 1, as only the pre-production silicon have an issue with a brp
      of 1.
      
      The next patch is by Duy Nguyen and fixes the data transmission on
      R-Car V3U SoCs in the rcar_canfd driver.
      
      Rhett Aultman's patch fixes a DMA memory leak in the gs_usb driver.
      
      Liang He's patch removes an extra of_node_get() in the grcan driver.
      
      The next 2 patches are by me, target the m_can driver and fix the
      timestamp handling used for peripheral devices like the tcan4x5x.
      
      Jimmy Assarsson contributes 3 patches for the kvaser_usb driver and
      fixes CAN clock and bit timing related issues.
      
      The remaining 5 patches target the mcp251xfd driver. Thomas Kopp
      contributes 2 patches to improve the workaround for broken CRC when
      reading the TBC register. 3 patches by me add a missing
      hrtimer_cancel() during the ndo_stop() callback, and fix the reading
      of the Device ID register.
      
      * tag 'linux-can-fixes-for-5.19-20220704' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix endianness conversion
        can: mcp251xfd: mcp251xfd_register_get_dev_id(): use correct length to read dev_id
        can: mcp251xfd: mcp251xfd_stop(): add missing hrtimer_cancel()
        can: mcp251xfd: mcp251xfd_regmap_crc_read(): update workaround broken CRC on TBC register
        can: mcp251xfd: mcp251xfd_regmap_crc_read(): improve workaround handling for mcp2517fd
        can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits
        can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression
        can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info
        can: m_can: m_can_{read_fifo,echo_tx_event}(): shift timestamp to full 32 bits
        can: m_can: m_can_chip_config(): actually enable internal timestamping
        can: grcan: grcan_probe(): remove extra of_node_get()
        can: gs_usb: gs_usb_open/close(): fix memory leak
        can: rcar_canfd: Fix data transmission failed on R-Car V3U
        Revert "can: xilinx_can: Limit CANFD brp to 2"
        can: bcm: use call_rcu() instead of costly synchronize_rcu()
      ====================
      
      Link: https://lore.kernel.org/r/20220704122613.1551119-1-mkl@pengutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7e8c182c
  2. 04 Jul, 2022 20 commits
  3. 03 Jul, 2022 1 commit
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 280e3a85
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Insufficient validation of element datatype and length in
         nft_setelem_parse_data(). At least commit 7d740264 updates
         maximum element data area up to 64 bytes when only 16 bytes
         where supported at the time. Support for larger element size
         came later in fdb9c405 though. Picking this older commit
         as Fixes: tag to be safe than sorry.
      
      2) Memleak in pipapo destroy path, reproducible when transaction
         in aborted. This is already triggering in the existing netfilter
         test infrastructure since more recent new tests are covering this
         path.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      280e3a85
  4. 02 Jul, 2022 5 commits
  5. 01 Jul, 2022 6 commits
    • Daniel Borkmann's avatar
      bpf, selftests: Add verifier test case for jmp32's jeq/jne · a49b8ce7
      Daniel Borkmann authored
      Add a test case to trigger the verifier's incorrect conclusion in the
      case of jmp32's jeq/jne. Also here, make use of dead code elimination,
      so that we can see the verifier bailing out on unfixed kernels.
      
      Before:
      
        # ./test_verifier 724
        #724/p jeq32/jne32: bounds checking FAIL
        Failed to load prog 'Permission denied'!
        R4 !read_ok
        verification time 8 usec
        stack depth 0
        processed 8 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 0
        Summary: 0 PASSED, 0 SKIPPED, 1 FAILED
      
      After:
      
        # ./test_verifier 724
        #724/p jeq32/jne32: bounds checking OK
        Summary: 1 PASSED, 0 SKIPPED, 0 FAILED
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/20220701124727.11153-4-daniel@iogearbox.net
      a49b8ce7
    • Daniel Borkmann's avatar
      bpf, selftests: Add verifier test case for imm=0,umin=0,umax=1 scalar · 73c4936f
      Daniel Borkmann authored
      Add a test case to trigger the constant scalar issue which leaves the
      register in scalar(imm=0,umin=0,umax=1,var_off=(0x0; 0x0)) state. Make
      use of dead code elimination, so that we can see the verifier bailing
      out on unfixed kernels. For the condition, we use jle given it checks
      on umax bound.
      
      Before:
      
        # ./test_verifier 743
        #743/p jump & dead code elimination FAIL
        Failed to load prog 'Permission denied'!
        R4 !read_ok
        verification time 11 usec
        stack depth 0
        processed 13 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
        Summary: 0 PASSED, 0 SKIPPED, 1 FAILED
      
      After:
      
        # ./test_verifier 743
        #743/p jump & dead code elimination OK
        Summary: 1 PASSED, 0 SKIPPED, 0 FAILED
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/20220701124727.11153-3-daniel@iogearbox.net
      73c4936f
    • Daniel Borkmann's avatar
      bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals · 3844d153
      Daniel Borkmann authored
      Kuee reported a corner case where the tnum becomes constant after the call
      to __reg_bound_offset(), but the register's bounds are not, that is, its
      min bounds are still not equal to the register's max bounds.
      
      This in turn allows to leak pointers through turning a pointer register as
      is into an unknown scalar via adjust_ptr_min_max_vals().
      
      Before:
      
        func#0 @0
        0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
        0: (b7) r0 = 1                        ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))
        1: (b7) r3 = 0                        ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))
        2: (87) r3 = -r3                      ; R3_w=scalar()
        3: (87) r3 = -r3                      ; R3_w=scalar()
        4: (47) r3 |= 32767                   ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)
        5: (75) if r3 s>= 0x0 goto pc+1       ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
        6: (95) exit
      
        from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
        7: (d5) if r3 s<= 0x8000 goto pc+1    ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
        8: (95) exit
      
        from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
        9: (07) r3 += -32767                  ; R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0))  <--- [*]
        10: (95) exit
      
      What can be seen here is that R3=scalar(umin=32767,umax=32768,var_off=(0x7fff;
      0x8000)) after the operation R3 += -32767 results in a 'malformed' constant, that
      is, R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0)). Intersecting with var_off has
      not been done at that point via __update_reg_bounds(), which would have improved
      the umax to be equal to umin.
      
      Refactor the tnum <> min/max bounds information flow into a reg_bounds_sync()
      helper and use it consistently everywhere. After the fix, bounds have been
      corrected to R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0)) and thus the register
      is regarded as a 'proper' constant scalar of 0.
      
      After:
      
        func#0 @0
        0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
        0: (b7) r0 = 1                        ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))
        1: (b7) r3 = 0                        ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))
        2: (87) r3 = -r3                      ; R3_w=scalar()
        3: (87) r3 = -r3                      ; R3_w=scalar()
        4: (47) r3 |= 32767                   ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)
        5: (75) if r3 s>= 0x0 goto pc+1       ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
        6: (95) exit
      
        from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
        7: (d5) if r3 s<= 0x8000 goto pc+1    ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)
        8: (95) exit
      
        from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))
        9: (07) r3 += -32767                  ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))  <--- [*]
        10: (95) exit
      
      Fixes: b03c9f9f ("bpf/verifier: track signed and unsigned min/max values")
      Reported-by: default avatarKuee K1r0a <liulin063@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20220701124727.11153-2-daniel@iogearbox.net
      3844d153
    • Daniel Borkmann's avatar
      bpf: Fix incorrect verifier simulation around jmp32's jeq/jne · a12ca627
      Daniel Borkmann authored
      Kuee reported a quirk in the jmp32's jeq/jne simulation, namely that the
      register value does not match expectations for the fall-through path. For
      example:
      
      Before fix:
      
        0: R1=ctx(off=0,imm=0) R10=fp0
        0: (b7) r2 = 0                        ; R2_w=P0
        1: (b7) r6 = 563                      ; R6_w=P563
        2: (87) r2 = -r2                      ; R2_w=Pscalar()
        3: (87) r2 = -r2                      ; R2_w=Pscalar()
        4: (4c) w2 |= w6                      ; R2_w=Pscalar(umin=563,umax=4294967295,var_off=(0x233; 0xfffffdcc),s32_min=-2147483085) R6_w=P563
        5: (56) if w2 != 0x8 goto pc+1        ; R2_w=P571  <--- [*]
        6: (95) exit
        R0 !read_ok
      
      After fix:
      
        0: R1=ctx(off=0,imm=0) R10=fp0
        0: (b7) r2 = 0                        ; R2_w=P0
        1: (b7) r6 = 563                      ; R6_w=P563
        2: (87) r2 = -r2                      ; R2_w=Pscalar()
        3: (87) r2 = -r2                      ; R2_w=Pscalar()
        4: (4c) w2 |= w6                      ; R2_w=Pscalar(umin=563,umax=4294967295,var_off=(0x233; 0xfffffdcc),s32_min=-2147483085) R6_w=P563
        5: (56) if w2 != 0x8 goto pc+1        ; R2_w=P8  <--- [*]
        6: (95) exit
        R0 !read_ok
      
      As can be seen on line 5 for the branch fall-through path in R2 [*] is that
      given condition w2 != 0x8 is false, verifier should conclude that r2 = 8 as
      upper 32 bit are known to be zero. However, verifier incorrectly concludes
      that r2 = 571 which is far off.
      
      The problem is it only marks false{true}_reg as known in the switch for JE/NE
      case, but at the end of the function, it uses {false,true}_{64,32}off to
      update {false,true}_reg->var_off and they still hold the prior value of
      {false,true}_reg->var_off before it got marked as known. The subsequent
      __reg_combine_32_into_64() then propagates this old var_off and derives new
      bounds. The information between min/max bounds on {false,true}_reg from
      setting the register to known const combined with the {false,true}_reg->var_off
      based on the old information then derives wrong register data.
      
      Fix it by detangling the BPF_JEQ/BPF_JNE cases and updating relevant
      {false,true}_{64,32}off tnums along with the register marking to known
      constant.
      
      Fixes: 3f50f132 ("bpf: Verifier, do explicit ALU32 bounds tracking")
      Reported-by: default avatarKuee K1r0a <liulin063@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20220701124727.11153-1-daniel@iogearbox.net
      a12ca627
    • Li kunyu's avatar
      net: usb: Fix typo in code · 8dfeee9d
      Li kunyu authored
      Remove the repeated ';' from code.
      Signed-off-by: default avatarLi kunyu <kunyu@nfschina.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8dfeee9d
    • David S. Miller's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 71560d98
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2022-06-30
      
      This series contains updates to i40e driver only.
      
      Lukasz adds reporting of packets dropped for being too large into the Rx
      dropped statistics.
      
      Norbert clears VF filter and MAC address to resolve issue with older VFs
      being unable to change their MAC address.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      71560d98
  6. 30 Jun, 2022 6 commits