1. 31 Aug, 2020 6 commits
  2. 28 Aug, 2020 23 commits
  3. 27 Aug, 2020 11 commits
    • gtp: add notification mechanism · 50aba46c
      Nicolas Dichtel authored
      Like all other network functions, let's notify gtp context on creation and
      deletion.
      Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Tested-by: Gabriel Ganne <gabriel.ganne@6wind.com>
      Acked-by: Harald Welte <laforge@gnumonks.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 's390-qeth-next' · 44771ea5
      David S. Miller authored
      Julian Wiedmann says:
      
      ====================
      s390/qeth: updates 2020-08-27
      
      please apply the following patch series for qeth to netdev's net-next tree.
      
      Patch 8 makes some improvements to how we handle HW address events,
      avoiding some uncertainty around processing stale events after we
      switched off the feature.
      Except for that it's all straight-forward cleanups.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: strictly order bridge address events · 9d6a569a
      Julian Wiedmann authored
      The current code for bridge address events has two shortcomings in its
      control sequence:
      
      1. after disabling address events via PNSO, we don't flush the remaining
         events from the event_wq. So if the feature is re-enabled fast
         enough, stale events could leak over.
      2. PNSO and the events' arrival via the READ ccw device are unordered.
         So even if we flushed the workqueue, it's difficult to say whether
         the READ device might produce more events onto the workqueue
         afterwards.
      
      Fix this by
      1. explicitly fencing off the events when we no longer care, in the
         READ device's event handler. This ensures that once we flush the
         workqueue, it doesn't get additional address events.
      2. Flush the workqueue after disabling the events & fencing them off.
         As the code that triggers the flush will typically hold the sbp_lock,
         we need to rework the worker code to avoid a deadlock here in case
         of a 'notifications-stopped' event. In case of lock contention,
         requeue such an event with a delay. We'll eventually acquire the lock,
         or spot that the feature has been disabled and the event can thus be
         discarded.
      
      This leaves the theoretical race that a stale event could arrive
      _after_ we re-enabled ourselves to receive events again. Such an event
      would be impossible to distinguish from a 'good' event, nothing we can
      do about it.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: unify structs for bridge port state · 65b0494e
      Julian Wiedmann authored
      The data returned from IPA_SBP_QUERY_BRIDGE_PORTS and
      IPA_SBP_BRIDGE_PORT_STATE_CHANGE has the same format. Use a single
      struct definition for it.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: copy less data from bridge state events · 61c6f217
      Julian Wiedmann authored
      Current code copies _all_ entries from the event into a worker, when we
      later only need specific data from the first entry.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: don't let HW override the configured port role · a04f0eca
      Julian Wiedmann authored
      The only time that our Bridgeport role should change is when we change
      the configuration ourselves. In which case we also adjust our internal
      state tracking, no need to do it again when we receive the corresponding
      event.
      
      Removing the locked section helps a subsequent patch that needs to flush
      the workqueue while under sbp_lock.
      
      It would be nice to raise a warning here in case HW does weird things
      after all, but this could end up generating false-positives when we
      change the configuration ourselves.
      Suggested-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: don't disable address events during initialization · 16379503
      Julian Wiedmann authored
      A newly initialized device is disabled for address events, there's no
      need to explicitly disable them.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: make queue lock a proper spinlock · a1668474
      Julian Wiedmann authored
      queue->state is a ternary spinlock in disguise, used by
      OSA's TX completion path to lock the Output Queue and flush any pending
      packets on it to the device. If the Queue is already locked by our TX
      code, setting the lock word to QETH_OUT_Q_LOCKED_FLUSH lets the TX
      completion code move on - the TX path will later take care of things
      when it unlocks the Queue.
      
      This sort of DIY locking is a non-starter of course, just let the
      TX completion path block on the spinlock when necessary. If that ends up
      causing additional latency due to lock contention, then converting
      the OSA path to use xmit_more is the right way to go forward.
      
      Also slightly expand the locked section and capture all of
      qeth_do_send_packet(), so that the update for the 'bufs_pack' statistics
      is done race-free.
      
      While reworking the TX completion path's code, remove a barrier() that
      doesn't make any sense.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: use to_delayed_work() · beaadcc6
      Julian Wiedmann authored
      Avoid poking around in the delayed_work struct's internals.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: clean up qeth_l3_send_setdelmc()'s declaration · b14912eb
      Julian Wiedmann authored
      Clarify that the 'ipacmd' parameter is an enum, and thus compatible to
      what qeth_ipa_alloc_cmd() expects as input.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix use-after-free in tipc_bcast_get_mode · fdeba99b
      Hoang Huu Le authored
      Syzbot has reported those issues as:
      
      ==================================================================
      BUG: KASAN: use-after-free in tipc_bcast_get_mode+0x3ab/0x400 net/tipc/bcast.c:759
      Read of size 1 at addr ffff88805e6b3571 by task kworker/0:6/3850
      
      CPU: 0 PID: 3850 Comm: kworker/0:6 Not tainted 5.8.0-rc7-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events tipc_net_finalize_work
      
      Thread 1's call trace:
      [...]
        kfree+0x103/0x2c0 mm/slab.c:3757 <- bcbase releasing
        tipc_bcast_stop+0x1b0/0x2f0 net/tipc/bcast.c:721
        tipc_exit_net+0x24/0x270 net/tipc/core.c:112
      [...]
      
      Thread 2's call trace:
      [...]
        tipc_bcast_get_mode+0x3ab/0x400 net/tipc/bcast.c:759 <- bcbase
      has already been freed by Thread 1
      
        tipc_node_broadcast+0x9e/0xcc0 net/tipc/node.c:1744
        tipc_nametbl_publish+0x60b/0x970 net/tipc/name_table.c:752
        tipc_net_finalize net/tipc/net.c:141 [inline]
        tipc_net_finalize+0x1fa/0x310 net/tipc/net.c:131
        tipc_net_finalize_work+0x55/0x80 net/tipc/net.c:150
      [...]
      
      ==================================================================
      BUG: KASAN: use-after-free in tipc_named_reinit+0xef/0x290 net/tipc/name_distr.c:344
      Read of size 8 at addr ffff888052ab2000 by task kworker/0:13/30628
      CPU: 0 PID: 30628 Comm: kworker/0:13 Not tainted 5.8.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events tipc_net_finalize_work
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1f0/0x31e lib/dump_stack.c:118
       print_address_description+0x66/0x5a0 mm/kasan/report.c:383
       __kasan_report mm/kasan/report.c:513 [inline]
       kasan_report+0x132/0x1d0 mm/kasan/report.c:530
       tipc_named_reinit+0xef/0x290 net/tipc/name_distr.c:344
       tipc_net_finalize+0x85/0xe0 net/tipc/net.c:138
       tipc_net_finalize_work+0x50/0x70 net/tipc/net.c:150
       process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
       worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
       kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
      [...]
      Freed by task 14058:
       save_stack mm/kasan/common.c:48 [inline]
       set_track mm/kasan/common.c:56 [inline]
       kasan_set_free_info mm/kasan/common.c:316 [inline]
       __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
       __cache_free mm/slab.c:3426 [inline]
       kfree+0x10a/0x220 mm/slab.c:3757
       tipc_exit_net+0x29/0x50 net/tipc/core.c:113
       ops_exit_list net/core/net_namespace.c:186 [inline]
       cleanup_net+0x708/0xba0 net/core/net_namespace.c:603
       process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
       worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
       kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
      
      Fix it by calling flush_scheduled_work() to make sure that
      tipc_net_finalize_work() has stopped before releasing the bcbase object.
      
      Reported-by: syzbot+6ea1f7a8df64596ef4d7@syzkaller.appspotmail.com
      Reported-by: syzbot+e9cc557752ab126c1b99@syzkaller.appspotmail.com
      Acked-by: Jon Maloy <jmaloy@redhat.com>
      Signed-off-by: Hoang Huu Le <hoang.h.le@dektech.com.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>