1. 27 Jun, 2019 8 commits
  2. 25 Jun, 2019 17 commits
    • ath10k: Add WMI diag fw logging support for WCN3990 · d9e47698
      Govind Singh authored
      Integrated WiFi chipset ex:WCN399x supports fw logging
      using WMI copy engine and shared mem DIAG based fw logging.
      By default shared mem DIAG based fw logging is enabled.
      To support WMI copy engine based fw logging add QMI
      control message to enable WMI copy engine based fw logging.
      
      Enable WMI based fw logging using fw_diag_log module parameter.
      
      insmod ath10k_core.ko fw_diag_log=1
      
      DIAG utility(https://github.com/andersson/diag) implements extraction
      of diagnostics related messages between application processor and
      various subsystems while shared mem DIAG based fw logging is enabled.
      
      Testing: Tested on WCN3990/QCA6174 HW
      Tested FW: WLAN.HL.3.1-00959-QCAHLSWMTPLZ-1
      Signed-off-by: Govind Singh <govinds@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: add report MIC error for sdio chip · 47ed1b4e
      Wen Gong authored
      Firmware will report flag with HTT_RX_IND_MPDU_STATUS_TKIP_MIC_ERR
      if MIC error, the flag will be used in mac80211.
      
      ieee80211_rx_h_michael_mic_verify will check the flag and start TKIP
      countermeasures.
      
      Now countermeasure tests pass both with WPA only and WPA2/WPA mixed
      mode.
      
      Tested with QCA6174 SDIO with firmware
      WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: add support for controlling tx power to a station · 33410a51
      Ashok Raj Nagarajan authored
      This patch will add the support to control the transmit power for traffic
      to a station associated with the AP.
      
      Underlying firmware will enforce that the maximum tx power will be based
      on the regulatory requirements. If the user given transmit power is greater
      than the allowed tx power in the given channel, then the firmware will use
      the maximum tx power in the same channel.
      
      Max and min tx power values will depend on the number of tx chain masks;
      for QCA9984 the allowed tx power range is from 6 to 23.
      
      When 0 is sent to the firmware as tx power, it will revert to the default
      tx power for the station.
      
      Tested Hardware : QCA9984
      Tested Firmware : 10.4-3.9.0.2-00046
      Co-developed-by: Balaji Pothunoori <bpothuno@codeaurora.org>
      Signed-off-by: Ashok Raj Nagarajan <arnagara@codeaurora.org>
      Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: Add peer delete response event · c6f537a1
      Dundi Raviteja authored
      Peer creation in firmware fails if last peer deletion is still
      in progress.
      
      The firmware sends a peer delete response event if it advertises
      the service WMI_SERVICE_SYNC_DELETE_CMDS. This peer delete response
      event is used to synchronize the peer deletion.
      
      Add peer delete response event and wait for the event after
      deleting every peer from host driver to synchronize with firmware.
      
      Tested HW: WCN3990
      Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1
      Signed-off-by: Dundi Raviteja <dundi@codeaurora.org>
      Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: wait for vdev delete response from firmware · fe36e70f
      Rakesh Pillai authored
      When we add an interface immediately after removing
      the interface the vdev deletion in firmware might not
      have been completed. We need to synchronize the vdev creation
      with the firmware.
      
      Wait for vdev delete response from firmware when we
      remove an interface.
      
      Tested HW: WCN3990
      Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1
      Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: fix PCIE device wake up failed · 011d4111
      Miaoqing Pan authored
      Observed PCIE device wake up failed after ~120 iterations of
      soft-reboot test. The error message is
      "ath10k_pci 0000:01:00.0: failed to wake up device : -110"
      
      The call trace as below:
      ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait ->
      ath10k_pci_is_awake
      
      Once the device is triggered to wake up, we continuously check the RTC
      state until it returns RTC_STATE_V_ON or times out.
      
      But for QCA99x0 chips, we use the wrong value for RTC_STATE_V_ON.
      Occasionally, we get 0x7 on the first read, which we treated as a failure
      case, but it is actually the right value, as also verified with the spec.
      So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7; this passed
      ~2000 iterations.
      
      Tested HW: QCA9984
      Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: fix failure to set multiple fixed rate · 8b97b055
      Miaoqing Pan authored
      Currently, below fixed rate commands are broken,
      iw wlanx set bitrates legacy-<2.4|5> ht-mcs-<2.4|5> vht-mcs-<2.4|5> \
      <NSS:MCSx>
      iw wlanx set bitrates legacy-<2.4|5> <legacy rate> ht-mcs-<2.4|5> \
      vht-mcs-<2.4|5> <NSS:MCSx>
      
      There are two methods to set fixed rate, both failed,
      - Use vdev fixed rate command
        This command only supports one single rate, but it's broken due to
        mac80211 change commit e8e4f528 ("mac80211: reject/clear user
        rate mask if not usable"), which requires user to specify at least
        one legacy rate. So we can't use this command to set ht/vht single
        rate any more.
      - Use peer_assoc command
        This command can update rx capability for multiple rates, it will
        work fine for ht mcs rates, as each supported mcs can be advertised
        in ht_mcs index mask. But this will not work with vht rates because,
        as per the vht mcs capability advertisement, there are only two bits
        to indicate the supported mcs. E.g. only support 0-7, 0-8, 0-9.
      
      So introduced new WMI command: WMI_PEER_PARAM_FIXED_RATE. After peer
      assoc, the peer fixed rate cmd will work for that specific peer.
      Remaining peers will use auto rate. If both vdev fixed rate and peer
      fixed rates are given, peer fixed rate will take effect to peers for
      which this cmd is given. Remaining peers in that vdev, will use vdev
      fixed rate.
      
      Tested HW: QCA9984
      Tested FW: 10.4-3.9.0.2-00035
      Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: Change the warning message string · 265df32e
      Fabio Estevam authored
      The "WARNING" string confuses syzbot, which thinks it found
      a crash [1].
      
      Change the string to avoid such problem.
      
      [1] https://lkml.org/lkml/2019/5/9/243
      
      Reported-by: syzbot+c1b25598aa60dcd47e78@syzkaller.appspotmail.com
      Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Fabio Estevam <festevam@gmail.com>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: fix fw crash by moving chip reset after napi disabled · 08d80e4c
      Miaoqing Pan authored
      On SMP platform, when continuously running wifi up/down, the napi
      poll can be scheduled during chip reset, which will call
      ath10k_pci_has_fw_crashed() to check the fw status. But in the reset
      period, the value from FW_INDICATOR_ADDRESS register will return
      0xdeadbeef, which is also treated as a fw crash. Fix the issue by
      moving chip reset after napi disabled.
      
      ath10k_pci 0000:01:00.0: firmware crashed! (guid 73b30611-5b1e-4bdd-90b4-64c81eb947b6)
      ath10k_pci 0000:01:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe
      ath10k_pci 0000:01:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal otp max-sta 512 raw 0 hwcrypto 1
      ath10k_pci 0000:01:00.0: failed to get memcpy hi address for firmware address 4: -16
      ath10k_pci 0000:01:00.0: failed to read firmware dump area: -16
      ath10k_pci 0000:01:00.0: Copy Engine register dump:
      ath10k_pci 0000:01:00.0: [00]: 0x0004a000   0   0   0   0
      ath10k_pci 0000:01:00.0: [01]: 0x0004a400   0   0   0   0
      ath10k_pci 0000:01:00.0: [02]: 0x0004a800   0   0   0   0
      ath10k_pci 0000:01:00.0: [03]: 0x0004ac00   0   0   0   0
      ath10k_pci 0000:01:00.0: [04]: 0x0004b000   0   0   0   0
      ath10k_pci 0000:01:00.0: [05]: 0x0004b400   0   0   0   0
      ath10k_pci 0000:01:00.0: [06]: 0x0004b800   0   0   0   0
      ath10k_pci 0000:01:00.0: [07]: 0x0004bc00   1   0   1   0
      ath10k_pci 0000:01:00.0: [08]: 0x0004c000   0   0   0   0
      ath10k_pci 0000:01:00.0: [09]: 0x0004c400   0   0   0   0
      ath10k_pci 0000:01:00.0: [10]: 0x0004c800   0   0   0   0
      ath10k_pci 0000:01:00.0: [11]: 0x0004cc00   0   0   0   0
      
      Tested HW: QCA9984,QCA9887,WCN3990
      Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: add missing error handling · 4b553f3c
      Claire Chang authored
      In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
      ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
      This will make the driver think the allocation for skb is successful and
      try to access the skb. If we enable failslab, system will easily crash with
      NULL pointer dereferencing.
      
      Call trace of CONFIG_FAILSLAB:
      ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
      process_sdio_pending_irqs+0x4c/0x174
      sdio_run_irqs+0x3c/0x64
      sdio_irq_work+0x1c/0x28
      
      Fixes: d96db25d ("ath10k: add initial SDIO support")
      Signed-off-by: Claire Chang <tientzu@chromium.org>
      Reviewed-by: Brian Norris <briannorris@chromium.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: enabling tx stats support over pktlog · 4fa42ade
      Balaji Pothunoori authored
      For QCA988X target, pktlog gives details of the tx bitrate
      which is used in the driver for station info.
      
      Enabling pktlog by default will cause more interrupts
      in target to host CE pipe, which can impact more CPU usage
      for targets ex:WCN3990 and also not required for all other
      platforms (eg: WCN3990), for getting tx bitrate.
      
      Enable pktlog only for QCA988X based on hardware params.
      
      Tested HW : WCN3990
      Tested FW : WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
      
      Fixes: e8123bb7 ("ath10k: add per peer tx stats support for 10.2.4")
      Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: acquire lock to fix lockdep's warning · ef9cc0c4
      Claire Chang authored
      Lockdep warns at lockdep_assert_held(&ar->data_lock) in
      ath10k_htt_rx_pn_check_replay_hl(). Acquire ar->data_lock before calling
      ath10k_htt_rx_pn_check_replay_hl() to fix it.
      
      Call trace:
      ath10k_htt_rx_pn_check_replay_hl+0x118/0x134 [ath10k_core]
      ath10k_htt_rx_proc_rx_ind_hl+0xd8/0x250 [ath10k_core]
      ath10k_htt_t2h_msg_handler+0x148/0xf30 [ath10k_core]
      ath10k_htt_htc_t2h_msg_handler+0x24/0x40 [ath10k_core]
      ath10k_sdio_irq_handler+0x374/0xaa4 [ath10k_sdio]
      
      Fixes: 130c7749 ("ath10k: add PN replay protection for high latency devices")
      Signed-off-by: Claire Chang <tientzu@chromium.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: change firmware file name for UTF mode of SDIO/USB · 54f6643b
      Wen Gong authored
      Firmware name for UTF mode of SDIO has changed from utf-2.bin to
      utf-sdio-2.bin, so it needs to change in ath10k, otherwise it will
      fail for UTF mode.
      
      After changing the name in ath10k, it will succeed for UTF mode of
      SDIO/USB.
      
      Tested with QCA6174 SDIO with firmware
      WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: add support for firmware crash recovery on SDIO chip · 0f132ba7
      Wen Gong authored
      The command to simulate firmware crash:
      echo soft > /sys/kernel/debug/ieee80211/phy0/ath10k/simulate_fw_crash
      
      It will send WMI_FORCE_FW_HANG_ASSERT to firmware, then it will trigger
      CPU interrupt status register for SDIO chip. The ath10k driver needs to
      configure it while enabling the SDIO interrupt, otherwise the ath10k
      driver will not get the assert error info.
      
      After this change, simulating a firmware crash will succeed.
      
      Tested with QCA6174 SDIO with firmware
      WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Tested-by: Claire Chang <tientzu@chromium.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: Add wrapper function to ath10k debug · 9d740d63
      Venkateswara Naralasetty authored
      ath10k_dbg() is called in ath10k_process_rx() with huge set of arguments
      which is causing CPU overhead even when debug_mask is not set.
      Good improvement was observed in the receive side performance when call
      to ath10k_dbg() is avoided in the RX path.
      
      Since currently all debug messages are sent via tracing infrastructure,
      we cannot entirely avoid calling ath10k_dbg. Therefore, call to
      ath10k_dbg() is made conditional based on tracing config in the driver.
      
      Transmit performance remains unchanged with this patch; below are some
      experimental results with this patch and tracing disabled.
      
      mesh mode:
      
                   w/o this patch           with this patch
      Traffic      TP         CPU usage     TP         CPU usage
      
      TCP          840Mbps    76.53%        960Mbps    78.14%
      UDP          1030Mbps   74.58%        1132Mbps   74.31%
      
      Infra mode:
      
                   w/o this patch           with this patch
      Traffic      TP         CPU usage     TP         CPU usage
      
      TCP Rx       1241Mbps   80.89%        1270Mbps   73.50%
      UDP Rx       1433Mbps   81.77%        1472Mbps   72.80%
      
      Tested platform	: IPQ8064
      hardware used	: QCA9984
      firmware ver	: ver 10.4-3.5.3-00057
      Signed-off-by: Kan Yan <kyan@chromium.org>
      Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: add htt_h2t_aggr_cfg_msg op for high latency devices · bc31c2cf
      Erik Stromdahl authored
      Without this op, it will not be possible to configure aggregation for
      high latency devices.
      Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: add inline wrapper for htt_h2t_aggr_cfg_msg · 74ee5715
      Erik Stromdahl authored
      This is done in order to make the *htt_h2t_aggr_cfg_msg* op align better
      with the rest of the htt ops (which all have inline wrappers).
      
      It also adds support for the case when the op is missing (function
      pointer is NULL).
      
      As a result of this, the name of the 32 bit implementation in htt_tx.c
      was changed and the function was made static.
      Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  3. 27 May, 2019 5 commits
    • Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git · 889ca180
      Kalle Valo authored
      ath.git patches for 5.3. Major changes:
      
      ath10k
      
      * enable SDIO support, first one being QCA6174 hw3.2
    • cxgb4: Make t4_get_tp_e2c_map static · f4aa8012
      YueHaibing authored
      Fix sparse warning:
      
      drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:6216:14:
       warning: symbol 't4_get_tp_e2c_map' was not declared. Should it be static?
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftest: Fixes for icmp_redirect test · 99513cfa
      David Ahern authored
      I was really surprised that the IPv6 mtu exception followed by redirect
      test was passing as nothing about the code suggests it should. The problem
      is actually with the logic in the test script.
      
      Fix the test cases as follows:
      1. add debug function to dump the initial and redirect gateway addresses
         for ipv6. This is shown only in verbose mode. It helps verify the
         output of 'route get'.
      
      2. fix the check_exception logic for the reset case to make sure that
         for IPv4 neither mtu nor redirect appears in the 'route get' output.
         For IPv6, make sure mtu is not present and the gateway is the initial
         R1 lladdr.
      
      3. fix the reset logic by using a function to delete the routes added by
         initial_route_*. This format works better for the nexthop version of
         the tests.
      
      While improving the test cases, go ahead and ensure that forwarding is
      disabled since IPv6 redirect requires it.
      
      Also, runs with kernel debugging enabled sometimes show a failure with
      one of the ipv4 tests, so spread the pings over longer time interval.
      
      The end result is that 2 tests now show failures:
      
      TEST: IPv6: mtu exception plus redirect                    [FAIL]
      
      and the VRF version.
      
      This is a bug in the IPv6 logic that will need to be fixed
      separately. Redirect followed by MTU works because __ip6_rt_update_pmtu
      hits the 'if (!rt6_cache_allowed_for_pmtu(rt6))' path and updates the
      mtu on the exception rt6_info.
      
      MTU followed by redirect does not have this logic. rt6_do_redirect
      creates a new exception and then rt6_insert_exception removes the old
      one which has the MTU exception.
      
      Fixes: ec810535 ("selftests: Add redirect tests")
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: remove redundant assignment to n · df801522
      Colin Ian King authored
      The pointer n is being assigned a value however this value is
      never read in the code block and the end of the code block
      continues to the next loop iteration. Clean up the code by
      removing the redundant assignment.
      
      Fixes: 1bff1a0c ("ipv4: Add function to send route updates")
      Addresses-Coverity: ("Unused value")
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Reviewed-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: bcm87xx: improve bcm87xx_config_init and feature detection · 476cc6c9
      Heiner Kallweit authored
      PHY drivers don't have to and shouldn't fiddle with phylib internals.
      Most of the code in bcm87xx_config_init() can be removed because
      phylib takes care.
      
      In addition I replaced usage of PHY_10GBIT_FEC_FEATURES with an
      implementation of the get_features callback. PHY_10GBIT_FEC_FEATURES
      is used by this driver only and it's questionable whether there
      will be any other PHY supporting this mode only. Having said that
      in one of the next kernel versions we may decide to remove it.
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 26 May, 2019 10 commits
    • Merge branch 'inet-frags-avoid-possible-races-at-netns-dismantle' · 8fb91c35
      David S. Miller authored
      Eric Dumazet says:
      
      ====================
      inet: frags: avoid possible races at netns dismantle
      
      This patch series fixes a race happening on netns dismantle with
      frag queues. While rhashtable_free_and_destroy() is running,
      concurrent timers might run inet_frag_kill() and attempt
      rhashtable_remove_fast() calls. This is not allowed by
      rhashtable logic.
      
      Since I do not want to add expensive synchronize_rcu() calls
      in the netns dismantle path, I had to no longer inline
      netns_frags structures, but dynamically allocate them.
      
      The ten first patches make this preparation, so that
      the last patch clearly shows the fix.
      
      As this patch series is not exactly trivial, I chose to
      target 5.3. We will backport it once soaked a bit.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • inet: frags: rework rhashtable dismantle · 3c8fc878
      Eric Dumazet authored
      syzbot found an interesting use-after-free [1] happening
      while IPv4 fragment rhashtable was destroyed at netns dismantle.
      
      While no insertions can possibly happen at the time a dismantling
      netns is destroying this rhashtable, timers can still fire and
      attempt to remove elements from this rhashtable.
      
      This is forbidden, since rhashtable_free_and_destroy() has
      no synchronization against concurrent inserts and deletes.
      
      Add a new fqdir->dead flag so that timers do not attempt
      a rhashtable_remove_fast() operation.
      
      We also have to respect an RCU grace period before starting
      the rhashtable_free_and_destroy() from process context,
      thus we use rcu_work infrastructure.
      
      This is a refinement of a prior rough attempt to fix this bug :
      https://marc.info/?l=linux-netdev&m=153845936820900&w=2
      
      Since the rhashtable cleanup is now deferred to a work queue,
      netns dismantles should be slightly faster.
      
      [1]
      BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:194 [inline]
      BUG: KASAN: use-after-free in rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212
      Read of size 8 at addr ffff8880a6497b70 by task kworker/0:0/5
      
      CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc1+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events rht_deferred_worker
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
       __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       kasan_report+0x12/0x20 mm/kasan/common.c:614
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
       __read_once_size include/linux/compiler.h:194 [inline]
       rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212
       rht_deferred_worker+0x111/0x2030 lib/rhashtable.c:411
       process_one_work+0x989/0x1790 kernel/workqueue.c:2269
       worker_thread+0x98/0xe40 kernel/workqueue.c:2415
       kthread+0x354/0x420 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Allocated by task 32687:
       save_stack+0x23/0x90 mm/kasan/common.c:71
       set_track mm/kasan/common.c:79 [inline]
       __kasan_kmalloc mm/kasan/common.c:489 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
       __do_kmalloc_node mm/slab.c:3620 [inline]
       __kmalloc_node+0x4e/0x70 mm/slab.c:3627
       kmalloc_node include/linux/slab.h:590 [inline]
       kvmalloc_node+0x68/0x100 mm/util.c:431
       kvmalloc include/linux/mm.h:637 [inline]
       kvzalloc include/linux/mm.h:645 [inline]
       bucket_table_alloc+0x90/0x480 lib/rhashtable.c:178
       rhashtable_init+0x3f4/0x7b0 lib/rhashtable.c:1057
       inet_frags_init_net include/net/inet_frag.h:109 [inline]
       ipv4_frags_init_net+0x182/0x410 net/ipv4/ip_fragment.c:683
       ops_init+0xb3/0x410 net/core/net_namespace.c:130
       setup_net+0x2d3/0x740 net/core/net_namespace.c:316
       copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439
       create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
       unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
       ksys_unshare+0x440/0x980 kernel/fork.c:2692
       __do_sys_unshare kernel/fork.c:2760 [inline]
       __se_sys_unshare kernel/fork.c:2758 [inline]
       __x64_sys_unshare+0x31/0x40 kernel/fork.c:2758
       do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 7:
       save_stack+0x23/0x90 mm/kasan/common.c:71
       set_track mm/kasan/common.c:79 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
       __cache_free mm/slab.c:3432 [inline]
       kfree+0xcf/0x220 mm/slab.c:3755
       kvfree+0x61/0x70 mm/util.c:460
       bucket_table_free+0x69/0x150 lib/rhashtable.c:108
       rhashtable_free_and_destroy+0x165/0x8b0 lib/rhashtable.c:1155
       inet_frags_exit_net+0x3d/0x50 net/ipv4/inet_fragment.c:152
       ipv4_frags_exit_net+0x73/0x90 net/ipv4/ip_fragment.c:695
       ops_exit_list.isra.0+0xaa/0x150 net/core/net_namespace.c:154
       cleanup_net+0x3fb/0x960 net/core/net_namespace.c:553
       process_one_work+0x989/0x1790 kernel/workqueue.c:2269
       worker_thread+0x98/0xe40 kernel/workqueue.c:2415
       kthread+0x354/0x420 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      The buggy address belongs to the object at ffff8880a6497b40
       which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 48 bytes inside of
       1024-byte region [ffff8880a6497b40, ffff8880a6497f40)
      The buggy address belongs to the page:
      page:ffffea0002992580 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0xffff8880a64964c0 compound_mapcount: 0
      flags: 0x1fffc0000010200(slab|head)
      raw: 01fffc0000010200 ffffea0002916e88 ffffea000218fe08 ffff8880aa400ac0
      raw: ffff8880a64964c0 ffff8880a6496040 0000000100000005 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8880a6497a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880a6497a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      >ffff8880a6497b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                                   ^
       ffff8880a6497b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880a6497c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: 648700f7 ("inet: frags: use rhashtables for reassembly units")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dynamically allocate fqdir structures · 4907abc6
      Eric Dumazet authored
      Following patch will add rcu grace period before fqdir
      rhashtable destruction, so we need to dynamically allocate
      fqdir structures to not force expensive synchronize_rcu() calls
      in netns dismantle path.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: add a net pointer to struct fqdir · a39aca67
      Eric Dumazet authored
      fqdir will soon be dynamically allocated.
      
      We need to reach the struct net pointer from fqdir,
      so add it, and replace the various container_of() constructs
      by direct access to the new field.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: rename inet_frags_init_net() to fdir_init() · 9cce45f2
      Eric Dumazet authored
      And pass an extra parameter, since we will soon
      dynamically allocate fqdir structures.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ieee820154: 6lowpan: no longer reference init_net in lowpan_frags_ns_ctl_table · d2dfd435
      Eric Dumazet authored
      (struct net *)->ieee802154_lowpan.fqdir will soon be a pointer, so make
      sure lowpan_frags_ns_ctl_table[] does not reference init_net.
      
      lowpan_frags_ns_sysctl_register() can perform the needed initialization
      for all netns.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: ipv6: nf_defrag: no longer reference init_net in nf_ct_frag6_sysctl_table · 3bb13dd4
      Eric Dumazet authored
      (struct net *)->nf_frag.fqdir will soon be a pointer, so make
      sure nf_ct_frag6_sysctl_table[] does not reference init_net.
      
      nf_ct_frag6_sysctl_register() can perform the needed initialization
      for all netns.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: no longer reference init_net in ip6_frags_ns_ctl_table[] · 8668d0e2
      Eric Dumazet authored
      (struct net *)->ipv6.fqdir will soon be a pointer, so make
      sure ip6_frags_ns_ctl_table[] does not reference init_net.
      
      ip6_frags_ns_ctl_register() can perform the needed initialization
      for all netns.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: no longer reference init_net in ip4_frags_ns_ctl_table[] · 8dfdb313
      Eric Dumazet authored
      (struct net *)->ipv4.fqdir will soon be a pointer, so make
      sure ip4_frags_ns_ctl_table[] does not reference init_net.
      
      ip4_frags_ns_ctl_register() can perform the needed initialization
      for all netns.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: rename struct fqdir fields · 803fdd99
      Eric Dumazet authored
      Rename the @frags fields from structs netns_ipv4, netns_ipv6,
      netns_nf_frag and netns_ieee802154_lowpan to @fqdir
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>