1. 07 11月, 2019 6 次提交
    • C
      net: mscc: ocelot: fix NULL pointer on LAG slave removal · 3b3eed8e
      Claudiu Manoil 提交于
      lag_upper_info may be NULL on slave removal.
      
      Fixes: dc96ee37 ("net: mscc: ocelot: add bonding support")
      Signed-off-by: NClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: NVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3b3eed8e
    • C
      net: mscc: ocelot: don't handle netdev events for other netdevs · 7afb3e57
      Claudiu Manoil 提交于
      The check that the event is actually for this device should be moved
      from the "port" handler to the net device handler.
      
      Otherwise the port handler will deny bonding configuration for other
      net devices in the same system (like enetc in the LS1028A) that don't
      have the lag_upper_info->tx_type restriction that ocelot has.
      
      Fixes: dc96ee37 ("net: mscc: ocelot: add bonding support")
      Signed-off-by: NClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: NVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7afb3e57
    • D
      Merge branch 'net-bcmgenet-restore-internal-EPHY-support' · cc59dbcc
      David S. Miller 提交于
      Doug Berger says:
      
      ====================
      net: bcmgenet: restore internal EPHY support (part 2)
      
      This is a follow up to my previous submission (see [1]).
      
      The first commit provides what is intended to be a complete solution
      for the issues that can result from insufficient clocking of the MAC
      during reset of its state machines. It should be backported to the
      stable releases.
      
      It is intended to replace the partial solution of commit 1f515486
      ("net: bcmgenet: soft reset 40nm EPHYs before MAC init") which is
      reverted by the second commit of this series and should not be back-
      ported as noted in [2].
      
      The third commit corrects a timing hazard with a polled PHY that can
      occur when the MAC resumes and also when a v3 internal EPHY is reset
      by the change in commit 25382b99 ("net: bcmgenet: reset 40nm EPHY
      on energy detect"). It is expected that commit 25382b99 be back-
      ported to stable first before backporting this commit.
      
      [1] https://lkml.org/lkml/2019/10/16/1706
      [2] https://lkml.org/lkml/2019/10/31/749
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cc59dbcc
    • D
      net: bcmgenet: reapply manual settings to the PHY · 0686bd9d
      Doug Berger 提交于
      The phy_init_hw() function may reset the PHY to a configuration
      that does not match manual network settings stored in the phydev
      structure. If the phy state machine is polled rather than event
      driven this can create a timing hazard where the phy state machine
      might alter the settings stored in the phydev structure from the
      value read from the BMCR.
      
      This commit follows invocations of phy_init_hw() by the bcmgenet
      driver with invocations of the genphy_config_aneg() function to
      ensure that the BMCR is written to match the settings held in the
      phydev structure. This prevents the risk of manual settings being
      accidentally altered.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: NDoug Berger <opendmb@gmail.com>
      Acked-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0686bd9d
    • D
      Revert "net: bcmgenet: soft reset 40nm EPHYs before MAC init" · 6b6d017f
      Doug Berger 提交于
      This reverts commit 1f515486.
      
      This commit improved the chances of the umac resetting cleanly by
      ensuring that the PHY was restored to its normal operation prior
      to resetting the umac. However, there were still cases when the
      PHY might not be driving a Tx clock to the umac during this window
      (e.g. when the PHY detects no link).
      
      The previous commit now ensures that the unimac receives clocks
      from the MAC during its reset window so this commit is no longer
      needed. This commit also has an unintended negative impact on the
      MDIO performance of the UniMAC MDIO interface because it is used
      before the MDIO interrupts are reenabled, so it should be removed.
      Signed-off-by: NDoug Berger <opendmb@gmail.com>
      Acked-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6b6d017f
    • D
      net: bcmgenet: use RGMII loopback for MAC reset · 3a55402c
      Doug Berger 提交于
      As noted in commit 28c2d1a7 ("net: bcmgenet: enable loopback
      during UniMAC sw_reset") the UniMAC must be clocked while sw_reset
      is asserted for its state machines to reset cleanly.
      
      The transmit and receive clocks used by the UniMAC are derived from
      the signals used on its PHY interface. The bcmgenet MAC can be
      configured to work with different PHY interfaces including MII,
      GMII, RGMII, and Reverse MII on internal and external interfaces.
      Unfortunately for the UniMAC, when configured for MII the Tx clock
      is always driven from the PHY which places it outside of the direct
      control of the MAC.
      
      The earlier commit enabled a local loopback mode within the UniMAC
      so that the receive clock would be derived from the transmit clock
      which addressed the observed issue with an external GPHY disabling
      it's Rx clock. However, when a Tx clock is not available this
      loopback is insufficient.
      
      This commit implements a workaround that leverages the fact that
      the MAC can reliably generate all of its necessary clocking by
      enterring the external GPHY RGMII interface mode with the UniMAC in
      local loopback during the sw_reset interval. Unfortunately, this
      has the undesirable side efect of the RGMII GTXCLK signal being
      driven during the same window.
      
      In most configurations this is a benign side effect as the signal
      is either not routed to a pin or is already expected to drive the
      pin. The one exception is when an external MII PHY is expected to
      drive the same pin with its TX_CLK output creating output driver
      contention.
      
      This commit exploits the IEEE 802.3 clause 22 standard defined
      isolate mode to force an external MII PHY to present a high
      impedance on its TX_CLK output during the window to prevent any
      contention at the pin.
      
      The MII interface is used internally with the 40nm internal EPHY
      which agressively disables its clocks for power savings leading to
      incomplete resets of the UniMAC and many instabilities observed
      over the years. The workaround of this commit is expected to put
      an end to those problems.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: NDoug Berger <opendmb@gmail.com>
      Acked-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3a55402c
  2. 06 11月, 2019 13 次提交
    • T
      Documentation: TLS: Add missing counter description · 2836654a
      Tariq Toukan 提交于
      Add TLS TX counter description for the handshake retransmitted
      packets that triggers the resync procedure then skip it, going
      into the regular transmit flow.
      
      Fixes: 46a3ea98 ("net/mlx5e: kTLS, Enhance TX resync flow")
      Signed-off-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Acked-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2836654a
    • P
      NFC: fdp: fix incorrect free object · 517ce4e9
      Pan Bian 提交于
      The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
      incorrect, which may result in a system crash or other security impacts.
      The expected object to free is *fw_vsc_cfg.
      Signed-off-by: NPan Bian <bianpan2016@163.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      517ce4e9
    • E
      net: prevent load/store tearing on sk->sk_stamp · f75359f3
      Eric Dumazet 提交于
      Add a couple of READ_ONCE() and WRITE_ONCE() to prevent
      load-tearing and store-tearing in sock_read_timestamp()
      and sock_write_timestamp()
      
      This might prevent another KCSAN report.
      
      Fixes: 3a0ed3e9 ("sock: Make sock->sk_stamp thread-safe")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Deepa Dinamani <deepa.kernel@gmail.com>
      Acked-by: NDeepa Dinamani <deepa.kernel@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f75359f3
    • S
      net: qualcomm: rmnet: Fix potential UAF when unregistering · e7a86c68
      Sean Tranchetti 提交于
      During the exit/unregistration process of the RmNet driver, the function
      rmnet_unregister_real_device() is called to handle freeing the driver's
      internal state and removing the RX handler on the underlying physical
      device. However, the order of operations this function performs is wrong
      and can lead to a use after free of the rmnet_port structure.
      
      Before calling netdev_rx_handler_unregister(), this port structure is
      freed with kfree(). If packets are received on any RmNet devices before
      synchronize_net() completes, they will attempt to use this already-freed
      port structure when processing the packet. As such, before cleaning up any
      other internal state, the RX handler must be unregistered in order to
      guarantee that no further packets will arrive on the device.
      
      Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
      Signed-off-by: NSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e7a86c68
    • J
      net/tls: fix sk_msg trim on fallback to copy mode · 683916f6
      Jakub Kicinski 提交于
      sk_msg_trim() tries to only update curr pointer if it falls into
      the trimmed region. The logic, however, does not take into the
      account pointer wrapping that sk_msg_iter_var_prev() does nor
      (as John points out) the fact that msg->sg is a ring buffer.
      
      This means that when the message was trimmed completely, the new
      curr pointer would have the value of MAX_MSG_FRAGS - 1, which is
      neither smaller than any other value, nor would it actually be
      correct.
      
      Special case the trimming to 0 length a little bit and rework
      the comparison between curr and end to take into account wrapping.
      
      This bug caused the TLS code to not copy all of the message, if
      zero copy filled in fewer sg entries than memcopy would need.
      
      Big thanks to Alexander Potapenko for the non-KMSAN reproducer.
      
      v2:
       - take into account that msg->sg is a ring buffer (John).
      
      Link: https://lore.kernel.org/netdev/20191030160542.30295-1-jakub.kicinski@netronome.com/ (v1)
      
      Fixes: d829e9c4 ("tls: convert to generic sk_msg interface")
      Reported-by: syzbot+f8495bff23a879a6d0bd@syzkaller.appspotmail.com
      Reported-by: syzbot+6f50c99e8f6194bf363f@syzkaller.appspotmail.com
      Co-developed-by: NJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      683916f6
    • D
      mlx4_core: fix wrong comment about the reason of subtract one from the max_cqes · 57d0f00d
      Dotan Barak 提交于
      The reason for the pre-allocation of one CQE is to enable resizing of
      the CQ.
      Fix comment accordingly.
      Signed-off-by: NDotan Barak <dotanb@dev.mellanox.co.il>
      Signed-off-by: NEli Cohen <eli@mellanox.co.il>
      Signed-off-by: NVladimir Sokolovsky <vlad@mellanox.com>
      Signed-off-by: NYuval Shaia <yuval.shaia@oracle.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      57d0f00d
    • F
      net: dsa: bcm_sf2: Fix driver removal · e684000b
      Florian Fainelli 提交于
      With the DSA core doing the call to dsa_port_disable() we do not need to
      do that within the driver itself. This could cause an use after free
      since past dsa_unregister_switch() we should not be accessing any
      dsa_switch internal structures.
      
      Fixes: 0394a63a ("net: dsa: enable and disable all ports")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: NVivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e684000b
    • J
      net: sched: prevent duplicate flower rules from tcf_proto destroy race · 59eb87cb
      John Hurley 提交于
      When a new filter is added to cls_api, the function
      tcf_chain_tp_insert_unique() looks up the protocol/priority/chain to
      determine if the tcf_proto is duplicated in the chain's hashtable. It then
      creates a new entry or continues with an existing one. In cls_flower, this
      allows the function fl_ht_insert_unque to determine if a filter is a
      duplicate and reject appropriately, meaning that the duplicate will not be
      passed to drivers via the offload hooks. However, when a tcf_proto is
      destroyed it is removed from its chain before a hardware remove hook is
      hit. This can lead to a race whereby the driver has not received the
      remove message but duplicate flows can be accepted. This, in turn, can
      lead to the offload driver receiving incorrect duplicate flows and out of
      order add/delete messages.
      
      Prevent duplicates by utilising an approach suggested by Vlad Buslov. A
      hash table per block stores each unique chain/protocol/prio being
      destroyed. This entry is only removed when the full destroy (and hardware
      offload) has completed. If a new flow is being added with the same
      identiers as a tc_proto being detroyed, then the add request is replayed
      until the destroy is complete.
      
      Fixes: 8b64678e ("net: sched: refactor tp insert/delete for concurrent execution")
      Signed-off-by: NJohn Hurley <john.hurley@netronome.com>
      Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: NSimon Horman <simon.horman@netronome.com>
      Reported-by: NLouis Peens <louis.peens@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      59eb87cb
    • N
      net: hns3: Use the correct style for SPDX License Identifier · 2ef17216
      Nishad Kamdar 提交于
      This patch corrects the SPDX License Identifier style in
      header files related to Hisilicon network devices. For C header files
      Documentation/process/license-rules.rst mandates C-like comments
      (opposed to C source files where C++ style should be used)
      
      Changes made by using a script provided by Joe Perches here:
      https://lkml.org/lkml/2019/2/7/46.
      Suggested-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NNishad Kamdar <nishadkamdar@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2ef17216
    • J
      bonding: fix state transition issue in link monitoring · 1899bb32
      Jay Vosburgh 提交于
      Since de77ecd4 ("bonding: improve link-status update in
      mii-monitoring"), the bonding driver has utilized two separate variables
      to indicate the next link state a particular slave should transition to.
      Each is used to communicate to a different portion of the link state
      change commit logic; one to the bond_miimon_commit function itself, and
      another to the state transition logic.
      
      	Unfortunately, the two variables can become unsynchronized,
      resulting in incorrect link state transitions within bonding.  This can
      cause slaves to become stuck in an incorrect link state until a
      subsequent carrier state transition.
      
      	The issue occurs when a special case in bond_slave_netdev_event
      sets slave->link directly to BOND_LINK_FAIL.  On the next pass through
      bond_miimon_inspect after the slave goes carrier up, the BOND_LINK_FAIL
      case will set the proposed next state (link_new_state) to BOND_LINK_UP,
      but the new_link to BOND_LINK_DOWN.  The setting of the final link state
      from new_link comes after that from link_new_state, and so the slave
      will end up incorrectly in _DOWN state.
      
      	Resolve this by combining the two variables into one.
      Reported-by: NAleksei Zakharov <zakharov.a.g@yandex.ru>
      Reported-by: NSha Zhang <zhangsha.zhang@huawei.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Fixes: de77ecd4 ("bonding: improve link-status update in mii-monitoring")
      Signed-off-by: NJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1899bb32
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 41de23e2
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2019-11-02
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 6 non-merge commits during the last 6 day(s) which contain
      a total of 8 files changed, 35 insertions(+), 9 deletions(-).
      
      The main changes are:
      
      1) Fix ppc BPF JIT's tail call implementation by performing a second pass
         to gather a stable JIT context before opcode emission, from Eric Dumazet.
      
      2) Fix build of BPF samples sys_perf_event_open() usage to compiled out
         unavailable test_attr__{enabled,open} checks. Also fix potential overflows
         in bpf_map_{area_alloc,charge_init} on 32 bit archs, from Björn Töpel.
      
      3) Fix narrow loads of bpf_sysctl context fields with offset > 0 on big endian
         archs like s390x and also improve the test coverage, from Ilya Leoshkevich.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      41de23e2
    • I
      taprio: fix panic while hw offload sched list swap · 0763b3e8
      Ivan Khoronzhuk 提交于
      Don't swap oper and admin schedules too early, it's not correct and
      causes crash.
      
      Steps to reproduce:
      
      1)
      tc qdisc replace dev eth0 parent root handle 100 taprio \
          num_tc 3 \
          map 2 2 1 0 2 2 2 2 2 2 2 2 2 2 2 2 \
          queues 1@0 1@1 1@2 \
          base-time $SOME_BASE_TIME \
          sched-entry S 01 80000 \
          sched-entry S 02 15000 \
          sched-entry S 04 40000 \
          flags 2
      
      2)
      tc qdisc replace dev eth0 parent root handle 100 taprio \
          base-time $SOME_BASE_TIME \
          sched-entry S 01 90000 \
          sched-entry S 02 20000 \
          sched-entry S 04 40000 \
          flags 2
      
      3)
      tc qdisc replace dev eth0 parent root handle 100 taprio \
          base-time $SOME_BASE_TIME \
          sched-entry S 01 150000 \
          sched-entry S 02 200000 \
          sched-entry S 04 40000 \
          flags 2
      
      Do 2 3 2 .. steps  more times if not happens and observe:
      
      [  305.832319] Unable to handle kernel write to read-only memory at
      virtual address ffff0000087ce7f0
      [  305.910887] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
      [  305.919306] Hardware name: Texas Instruments AM654 Base Board (DT)
      
      [...]
      
      [  306.017119] x1 : ffff800848031d88 x0 : ffff800848031d80
      [  306.022422] Call trace:
      [  306.024866]  taprio_free_sched_cb+0x4c/0x98
      [  306.029040]  rcu_process_callbacks+0x25c/0x410
      [  306.033476]  __do_softirq+0x10c/0x208
      [  306.037132]  irq_exit+0xb8/0xc8
      [  306.040267]  __handle_domain_irq+0x64/0xb8
      [  306.044352]  gic_handle_irq+0x7c/0x178
      [  306.048092]  el1_irq+0xb0/0x128
      [  306.051227]  arch_cpu_idle+0x10/0x18
      [  306.054795]  do_idle+0x120/0x138
      [  306.058015]  cpu_startup_entry+0x20/0x28
      [  306.061931]  rest_init+0xcc/0xd8
      [  306.065154]  start_kernel+0x3bc/0x3e4
      [  306.068810] Code: f2fbd5b7 f2fbd5b6 d503201f f9400422 (f9000662)
      [  306.074900] ---[ end trace 96c8e2284a9d9d6e ]---
      [  306.079507] Kernel panic - not syncing: Fatal exception in interrupt
      [  306.085847] SMP: stopping secondary CPUs
      [  306.089765] Kernel Offset: disabled
      
      Try to explain one of the possible crash cases:
      
      The "real" admin list is assigned when admin_sched is set to
      new_admin, it happens after "swap", that assigns to oper_sched NULL.
      Thus if call qdisc show it can crash.
      
      Farther, next second time, when sched list is updated, the admin_sched
      is not NULL and becomes the oper_sched, previous oper_sched was NULL so
      just skipped. But then admin_sched is assigned new_admin, but schedules
      to free previous assigned admin_sched (that already became oper_sched).
      
      Farther, next third time, when sched list is updated,
      while one more swap, oper_sched is not null, but it was happy to be
      freed already (while prev. admin update), so while try to free
      oper_sched the kernel panic happens at taprio_free_sched_cb().
      
      So, move the "swap emulation" where it should be according to function
      comment from code.
      
      Fixes: 9c66d156 ("taprio: Add support for hardware offloading")
      Signed-off-by: NIvan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Acked-by: NVinicius Costa Gomes <vinicius.gomes@intel.com>
      Tested-by: NVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0763b3e8
    • D
      Merge tag 'linux-can-fixes-for-5.4-20191105' of... · fc564e09
      David S. Miller 提交于
      Merge tag 'linux-can-fixes-for-5.4-20191105' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-11-05
      
      this is a pull request of 33 patches for net/master.
      
      In the first patch Wen Yang's patch adds a missing of_node_put() to CAN device
      infrastructure.
      
      Navid Emamdoost's patch for the gs_usb driver fixes a memory leak in the
      gs_can_open() error path.
      
      Johan Hovold provides two patches, one for the mcba_usb, the other for the
      usb_8dev driver. Both fix a use-after-free after USB-disconnect.
      
      Joakim Zhang's patch improves the flexcan driver, the ECC mechanism is now
      completely disabled instead of masking the interrupts.
      
      The next three patches all target the peak_usb driver. Stephane Grosjean's
      patch fixes a potential out-of-sync while decoding packets, Johan Hovold's
      patch fixes a slab info leak, Jeroen Hofstee's patch adds missing reporting of
      bus off recovery events.
      
      Followed by three patches for the c_can driver. Kurt Van Dijck's patch fixes
      detection of potential missing status IRQs, Jeroen Hofstee's patches add a chip
      reset on open and add missing reporting of bus off recovery events.
      
      Appana Durga Kedareswara rao's patch for the xilinx driver fixes the flags
      field initialization for axi CAN.
      
      The next seven patches target the rx-offload helper, they are by me and Jeroen
      Hofstee. The error handling in case of a queue overflow is fixed removing a
      memory leak. Further the error handling in case of queue overflow and skb OOM
      is cleaned up.
      
      The next two patches are by me and target the flexcan and ti_hecc driver. In
      case of a error during can_rx_offload_queue_sorted() the error counters in the
      drivers are incremented.
      
      Jeroen Hofstee provides 6 patches for the ti_hecc driver, which properly stop
      the device in ifdown, improve the rx-offload support (which hit mainline in
      v5.4-rc1), and add missing FIFO overflow and state change reporting.
      
      The following four patches target the j1939 protocol. Colin Ian King's patch
      fixes a memory leak in the j1939_sk_errqueue() handling. Three patches by
      Oleksij Rempel fix a memory leak on socket release and fix the EOMA packet in
      the transport protocol.
      
      Timo Schlüßler's patch fixes a potential race condition in the mcp251x driver
      on after suspend.
      
      The last patch is by Yegor Yefremov and updates the SPDX-License-Identifier to
      v3.0.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fc564e09
  3. 05 11月, 2019 21 次提交