“a69afe3263717ba9384cf18d05722c598f6820af”上不存在“README.md”
  1. 01 11月, 2019 2 次提交
    • L
      igb/igc: Don't warn on fatal read failures when the device is removed · 94bc1e52
      Lyude Paul 提交于
      Fatal read errors are worth warning about, unless of course the device
      was just unplugged from the machine - something that's a rather normal
      occurrence when the igb/igc adapter is located on a Thunderbolt dock. So,
      let's only WARN() if there's a fatal read error while the device is
      still present.
      
      This fixes the following WARN splat that's been appearing whenever I
      unplug my Caldigit TS3 Thunderbolt dock from my laptop:
      
        igb 0000:09:00.0 enp9s0: PCIe link lost
        ------------[ cut here ]------------
        igb: Failed to read reg 0x18!
        WARNING: CPU: 7 PID: 516 at
        drivers/net/ethernet/intel/igb/igb_main.c:756 igb_rd32+0x57/0x6a [igb]
        Modules linked in: igb dca thunderbolt fuse vfat fat elan_i2c mei_wdt
        mei_hdcp i915 wmi_bmof intel_wmi_thunderbolt iTCO_wdt
        iTCO_vendor_support x86_pkg_temp_thermal intel_powerclamp joydev
        coretemp crct10dif_pclmul crc32_pclmul i2c_algo_bit ghash_clmulni_intel
        intel_cstate drm_kms_helper intel_uncore syscopyarea sysfillrect
        sysimgblt fb_sys_fops intel_rapl_perf intel_xhci_usb_role_switch mei_me
        drm roles idma64 i2c_i801 ucsi_acpi typec_ucsi mei intel_lpss_pci
        processor_thermal_device typec intel_pch_thermal intel_soc_dts_iosf
        intel_lpss int3403_thermal thinkpad_acpi wmi int340x_thermal_zone
        ledtrig_audio int3400_thermal acpi_thermal_rel acpi_pad video
        pcc_cpufreq ip_tables serio_raw nvme nvme_core crc32c_intel uas
        usb_storage e1000e i2c_dev
        CPU: 7 PID: 516 Comm: kworker/u16:3 Not tainted 5.2.0-rc1Lyude-Test+ #14
        Hardware name: LENOVO 20L8S2N800/20L8S2N800, BIOS N22ET35W (1.12 ) 04/09/2018
        Workqueue: kacpi_hotplug acpi_hotplug_work_fn
        RIP: 0010:igb_rd32+0x57/0x6a [igb]
        Code: 87 b8 fc ff ff 48 c7 47 08 00 00 00 00 48 c7 c6 33 42 9b c0 4c 89
        c7 e8 47 45 cd dc 89 ee 48 c7 c7 43 42 9b c0 e8 c1 94 71 dc <0f> 0b eb
        08 8b 00 ff c0 75 b0 eb c8 44 89 e0 5d 41 5c c3 0f 1f 44
        RSP: 0018:ffffba5801cf7c48 EFLAGS: 00010286
        RAX: 0000000000000000 RBX: ffff9e7956608840 RCX: 0000000000000007
        RDX: 0000000000000000 RSI: ffffba5801cf7b24 RDI: ffff9e795e3d6a00
        RBP: 0000000000000018 R08: 000000009dec4a01 R09: ffffffff9e61018f
        R10: 0000000000000000 R11: ffffba5801cf7ae5 R12: 00000000ffffffff
        R13: ffff9e7956608840 R14: ffff9e795a6f10b0 R15: 0000000000000000
        FS:  0000000000000000(0000) GS:ffff9e795e3c0000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000564317bc4088 CR3: 000000010e00a006 CR4: 00000000003606e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         igb_release_hw_control+0x1a/0x30 [igb]
         igb_remove+0xc5/0x14b [igb]
         pci_device_remove+0x3b/0x93
         device_release_driver_internal+0xd7/0x17e
         pci_stop_bus_device+0x36/0x75
         pci_stop_bus_device+0x66/0x75
         pci_stop_bus_device+0x66/0x75
         pci_stop_and_remove_bus_device+0xf/0x19
         trim_stale_devices+0xc5/0x13a
         ? __pm_runtime_resume+0x6e/0x7b
         trim_stale_devices+0x103/0x13a
         ? __pm_runtime_resume+0x6e/0x7b
         trim_stale_devices+0x103/0x13a
         acpiphp_check_bridge+0xd8/0xf5
         acpiphp_hotplug_notify+0xf7/0x14b
         ? acpiphp_check_bridge+0xf5/0xf5
         acpi_device_hotplug+0x357/0x3b5
         acpi_hotplug_work_fn+0x1a/0x23
         process_one_work+0x1a7/0x296
         worker_thread+0x1a8/0x24c
         ? process_scheduled_works+0x2c/0x2c
         kthread+0xe9/0xee
         ? kthread_destroy_worker+0x41/0x41
         ret_from_fork+0x35/0x40
        ---[ end trace 252bf10352c63d22 ]---
      Signed-off-by: NLyude Paul <lyude@redhat.com>
      Fixes: 47e16692 ("igb/igc: warn when fatal read failure happens")
      Acked-by: NSasha Neftin <sasha.neftin@intel.com>
      Tested-by: NAaron Brown <aaron.f.brown@intel.com>
      Acked-by: NFeng Tang <feng.tang@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      94bc1e52
    • I
      netdevsim: Fix use-after-free during device dismantle · 6d6f0383
      Ido Schimmel 提交于
      Commit da58f90f ("netdevsim: Add devlink-trap support") added
      delayed work to netdevsim that periodically iterates over the registered
      netdevsim ports and reports various packet traps via devlink.
      
      While the delayed work takes the 'port_list_lock' mutex to protect
      against concurrent addition / deletion of ports, during device creation
      / dismantle ports are added / deleted without this lock, which can
      result in a use-after-free [1].
      
      Fix this by making sure that the ports list is always modified under the
      lock.
      
      [1]
      [   59.205543] ==================================================================
      [   59.207748] BUG: KASAN: use-after-free in nsim_dev_trap_report_work+0xa67/0xad0
      [   59.210247] Read of size 8 at addr ffff8883cbdd3398 by task kworker/3:1/38
      [   59.212584]
      [   59.213148] CPU: 3 PID: 38 Comm: kworker/3:1 Not tainted 5.4.0-rc3-custom-16119-ge6abb5f0261e #2013
      [   59.215896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
      [   59.218384] Workqueue: events nsim_dev_trap_report_work
      [   59.219428] Call Trace:
      [   59.219924]  dump_stack+0xa9/0x10e
      [   59.220623]  print_address_description.constprop.4+0x21/0x340
      [   59.221976]  ? vprintk_func+0x66/0x240
      [   59.222752]  __kasan_report.cold.8+0x78/0x91
      [   59.223602]  ? nsim_dev_trap_report_work+0xa67/0xad0
      [   59.224603]  kasan_report+0xe/0x20
      [   59.225296]  nsim_dev_trap_report_work+0xa67/0xad0
      [   59.226435]  ? rcu_read_lock_sched_held+0xaf/0xe0
      [   59.227512]  ? trace_event_raw_event_rcu_quiescent_state_report+0x360/0x360
      [   59.228851]  process_one_work+0x98f/0x1760
      [   59.229684]  ? pwq_dec_nr_in_flight+0x330/0x330
      [   59.230656]  worker_thread+0x91/0xc40
      [   59.231587]  ? process_one_work+0x1760/0x1760
      [   59.232451]  kthread+0x34a/0x410
      [   59.233104]  ? __kthread_queue_delayed_work+0x240/0x240
      [   59.234141]  ret_from_fork+0x3a/0x50
      [   59.234982]
      [   59.235371] Allocated by task 187:
      [   59.236189]  save_stack+0x19/0x80
      [   59.236853]  __kasan_kmalloc.constprop.5+0xc1/0xd0
      [   59.237822]  kmem_cache_alloc_trace+0x14c/0x380
      [   59.238769]  __nsim_dev_port_add+0xaf/0x5c0
      [   59.239627]  nsim_dev_probe+0x4fc/0x1140
      [   59.240550]  really_probe+0x264/0xc00
      [   59.241418]  driver_probe_device+0x208/0x2e0
      [   59.242255]  __device_attach_driver+0x215/0x2d0
      [   59.243150]  bus_for_each_drv+0x154/0x1d0
      [   59.243944]  __device_attach+0x1ba/0x2b0
      [   59.244923]  bus_probe_device+0x1dd/0x290
      [   59.245805]  device_add+0xbac/0x1550
      [   59.246528]  new_device_store+0x1f4/0x400
      [   59.247306]  bus_attr_store+0x7b/0xa0
      [   59.248047]  sysfs_kf_write+0x10f/0x170
      [   59.248941]  kernfs_fop_write+0x283/0x430
      [   59.249843]  __vfs_write+0x81/0x100
      [   59.250546]  vfs_write+0x1ce/0x510
      [   59.251190]  ksys_write+0x104/0x200
      [   59.251873]  do_syscall_64+0xa4/0x4e0
      [   59.252642]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [   59.253837]
      [   59.254203] Freed by task 187:
      [   59.254811]  save_stack+0x19/0x80
      [   59.255463]  __kasan_slab_free+0x125/0x170
      [   59.256265]  kfree+0x100/0x440
      [   59.256870]  nsim_dev_remove+0x98/0x100
      [   59.257651]  nsim_bus_remove+0x16/0x20
      [   59.258382]  device_release_driver_internal+0x20b/0x4d0
      [   59.259588]  bus_remove_device+0x2e9/0x5a0
      [   59.260551]  device_del+0x410/0xad0
      [   59.263777]  device_unregister+0x26/0xc0
      [   59.264616]  nsim_bus_dev_del+0x16/0x60
      [   59.265381]  del_device_store+0x2d6/0x3c0
      [   59.266295]  bus_attr_store+0x7b/0xa0
      [   59.267192]  sysfs_kf_write+0x10f/0x170
      [   59.267960]  kernfs_fop_write+0x283/0x430
      [   59.268800]  __vfs_write+0x81/0x100
      [   59.269551]  vfs_write+0x1ce/0x510
      [   59.270252]  ksys_write+0x104/0x200
      [   59.270910]  do_syscall_64+0xa4/0x4e0
      [   59.271680]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [   59.272812]
      [   59.273211] The buggy address belongs to the object at ffff8883cbdd3200
      [   59.273211]  which belongs to the cache kmalloc-512 of size 512
      [   59.275838] The buggy address is located 408 bytes inside of
      [   59.275838]  512-byte region [ffff8883cbdd3200, ffff8883cbdd3400)
      [   59.278151] The buggy address belongs to the page:
      [   59.279215] page:ffffea000f2f7400 refcount:1 mapcount:0 mapping:ffff8883ecc0ce00 index:0x0 compound_mapcount: 0
      [   59.281449] flags: 0x200000000010200(slab|head)
      [   59.282356] raw: 0200000000010200 ffffea000f2f3a08 ffffea000f2fd608 ffff8883ecc0ce00
      [   59.283949] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
      [   59.285608] page dumped because: kasan: bad access detected
      [   59.286981]
      [   59.287337] Memory state around the buggy address:
      [   59.288310]  ffff8883cbdd3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   59.289763]  ffff8883cbdd3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   59.291452] >ffff8883cbdd3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   59.292945]                             ^
      [   59.293815]  ffff8883cbdd3400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   59.295220]  ffff8883cbdd3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   59.296872] ==================================================================
      
      Fixes: da58f90f ("netdevsim: Add devlink-trap support")
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Reported-by: syzbot+9ed8f68ab30761f3678e@syzkaller.appspotmail.com
      Acked-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6d6f0383
  2. 31 10月, 2019 7 次提交
  3. 30 10月, 2019 21 次提交
    • T
      bonding: fix using uninitialized mode_lock · ad9bd8da
      Taehee Yoo 提交于
      When a bonding interface is being created, it setups its mode and options.
      At that moment, it uses mode_lock so mode_lock should be initialized
      before that moment.
      
      rtnl_newlink()
      	rtnl_create_link()
      		alloc_netdev_mqs()
      			->setup() //bond_setup()
      	->newlink //bond_newlink
      		bond_changelink()
      		register_netdevice()
      			->ndo_init() //bond_init()
      
      After commit 089bca2c ("bonding: use dynamic lockdep key instead of
      subclass"), mode_lock is initialized in bond_init().
      So in the bond_changelink(), un-initialized mode_lock can be used.
      mode_lock should be initialized in bond_setup().
      This patch partially reverts commit 089bca2c ("bonding: use dynamic
      lockdep key instead of subclass")
      
      Test command:
          ip link add bond0 type bond mode 802.3ad lacp_rate 0
      
      Splat looks like:
      [   60.615127] INFO: trying to register non-static key.
      [   60.615900] the code is fine but needs lockdep annotation.
      [   60.616697] turning off the locking correctness validator.
      [   60.617490] CPU: 1 PID: 957 Comm: ip Not tainted 5.4.0-rc3+ #109
      [   60.618350] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   60.619481] Call Trace:
      [   60.619918]  dump_stack+0x7c/0xbb
      [   60.620453]  register_lock_class+0x1215/0x14d0
      [   60.621131]  ? alloc_netdev_mqs+0x7b3/0xcc0
      [   60.621771]  ? is_bpf_text_address+0x86/0xf0
      [   60.622416]  ? is_dynamic_key+0x230/0x230
      [   60.623032]  ? unwind_get_return_address+0x5f/0xa0
      [   60.623757]  ? create_prof_cpu_mask+0x20/0x20
      [   60.624408]  ? arch_stack_walk+0x83/0xb0
      [   60.625023]  __lock_acquire+0xd8/0x3de0
      [   60.625616]  ? stack_trace_save+0x82/0xb0
      [   60.626225]  ? stack_trace_consume_entry+0x160/0x160
      [   60.626957]  ? deactivate_slab.isra.80+0x2c5/0x800
      [   60.627668]  ? register_lock_class+0x14d0/0x14d0
      [   60.628380]  ? alloc_netdev_mqs+0x7b3/0xcc0
      [   60.629020]  ? save_stack+0x69/0x80
      [   60.629574]  ? save_stack+0x19/0x80
      [   60.630121]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
      [   60.630859]  ? __kmalloc_node+0x16f/0x480
      [   60.631472]  ? alloc_netdev_mqs+0x7b3/0xcc0
      [   60.632121]  ? rtnl_create_link+0x2ed/0xad0
      [   60.634388]  ? __rtnl_newlink+0xad4/0x11b0
      [   60.635024]  lock_acquire+0x164/0x3b0
      [   60.635608]  ? bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
      [   60.636463]  _raw_spin_lock_bh+0x38/0x70
      [   60.637084]  ? bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
      [   60.637930]  bond_3ad_update_lacp_rate+0x91/0x200 [bonding]
      [   60.638753]  ? bond_3ad_lacpdu_recv+0xb30/0xb30 [bonding]
      [   60.639552]  ? bond_opt_get_val+0x180/0x180 [bonding]
      [   60.640307]  ? ___slab_alloc+0x5aa/0x610
      [   60.640925]  bond_option_lacp_rate_set+0x71/0x140 [bonding]
      [   60.641751]  __bond_opt_set+0x1ff/0xbb0 [bonding]
      [   60.643217]  ? kasan_unpoison_shadow+0x30/0x40
      [   60.643924]  bond_changelink+0x9a4/0x1700 [bonding]
      [   60.644653]  ? memset+0x1f/0x40
      [   60.742941]  ? bond_slave_changelink+0x1a0/0x1a0 [bonding]
      [   60.752694]  ? alloc_netdev_mqs+0x8ea/0xcc0
      [   60.753330]  ? rtnl_create_link+0x2ed/0xad0
      [   60.753964]  bond_newlink+0x1e/0x60 [bonding]
      [   60.754612]  __rtnl_newlink+0xb9f/0x11b0
      [ ... ]
      
      Reported-by: syzbot+8da67f407bcba2c72e6e@syzkaller.appspotmail.com
      Reported-by: syzbot+0d083911ab18b710da71@syzkaller.appspotmail.com
      Fixes: 089bca2c ("bonding: use dynamic lockdep key instead of subclass")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ad9bd8da
    • A
      net: fec_ptp: Use platform_get_irq_xxx_optional() to avoid error message · b86bcb29
      Anson Huang 提交于
      Use platform_get_irq_byname_optional() and platform_get_irq_optional()
      instead of platform_get_irq_byname() and platform_get_irq() for optional
      IRQs to avoid below error message during probe:
      
      [    0.795803] fec 30be0000.ethernet: IRQ pps not found
      [    0.800787] fec 30be0000.ethernet: IRQ index 3 not found
      Signed-off-by: NAnson Huang <Anson.Huang@nxp.com>
      Acked-by: NFugang Duan <fugang.duan@nxp.com>
      Reviewed-by: NStephen Boyd <swboyd@chromium.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b86bcb29
    • A
      net: fec_main: Use platform_get_irq_byname_optional() to avoid error message · 3b56be21
      Anson Huang 提交于
      Failed to get irq using name is NOT fatal as driver will use index
      to get irq instead, use platform_get_irq_byname_optional() instead
      of platform_get_irq_byname() to avoid below error message during
      probe:
      
      [    0.819312] fec 30be0000.ethernet: IRQ int0 not found
      [    0.824433] fec 30be0000.ethernet: IRQ int1 not found
      [    0.829539] fec 30be0000.ethernet: IRQ int2 not found
      Signed-off-by: NAnson Huang <Anson.Huang@nxp.com>
      Acked-by: NFugang Duan <fugang.duan@nxp.com>
      Reviewed-by: NStephen Boyd <swboyd@chromium.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3b56be21
    • X
      vxlan: check tun_info options_len properly · eadf52cf
      Xin Long 提交于
      This patch is to improve the tun_info options_len by dropping
      the skb when TUNNEL_VXLAN_OPT is set but options_len is less
      than vxlan_metadata. This can void a potential out-of-bounds
      access on ip_tun_info.
      
      Fixes: ee122c79 ("vxlan: Flow based tunneling")
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      eadf52cf
    • J
      net: hisilicon: Fix ping latency when deal with high throughput · e56bd641
      Jiangfeng Xiao 提交于
      This is due to error in over budget processing.
      When dealing with high throughput, the used buffers
      that exceeds the budget is not cleaned up. In addition,
      it takes a lot of cycles to clean up the used buffer,
      and then the buffer where the valid data is located can take effect.
      Signed-off-by: NJiangfeng Xiao <xiaojiangfeng@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e56bd641
    • E
      net/mlx4_core: Dynamically set guaranteed amount of counters per VF · e19868ef
      Eran Ben Elisha 提交于
      Prior to this patch, the amount of counters guaranteed per VF in the
      resource tracker was MLX4_VF_COUNTERS_PER_PORT * MLX4_MAX_PORTS. It was
      set regardless if the VF was single or dual port.
      This caused several VFs to have no guaranteed counters although the
      system could satisfy their request.
      
      The fix is to dynamically guarantee counters, based on each VF
      specification.
      
      Fixes: 9de92c60 ("net/mlx4_core: Adjust counter grant policy in the resource tracker")
      Signed-off-by: NEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: NJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e19868ef
    • A
      net/mlx5e: Initialize on stack link modes bitmap · 926b37f7
      Aya Levin 提交于
      Initialize link modes bitmap on stack before using it, otherwise the
      outcome of ethtool set link ksettings might have unexpected values.
      
      Fixes: 4b95840a ("net/mlx5e: Fix matching of speed to PRM link modes")
      Signed-off-by: NAya Levin <ayal@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      926b37f7
    • A
      net/mlx5e: Fix ethtool self test: link speed · 534e7366
      Aya Levin 提交于
      Ethtool self test contains a test for link speed. This test reads the
      PTYS register and determines whether the current speed is valid or not.
      Change current implementation to use the function mlx5e_port_linkspeed()
      that does the same check and fails when speed is invalid. This code
      redundancy lead to a bug when mlx5e_port_linkspeed() was updated with
      expended speeds and the self test was not.
      
      Fixes: 2c81bfd5 ("net/mlx5e: Move port speed code from en_ethtool.c to en/port.c")
      Signed-off-by: NAya Levin <ayal@mellanox.com>
      Reviewed-by: NMoshe Shemesh <moshe@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      534e7366
    • M
      net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget · 9df86bdb
      Maxim Mikityanskiy 提交于
      When CQE compression is enabled, compressed CQEs use the following
      structure: a title is followed by one or many blocks, each containing 8
      mini CQEs (except the last, which may contain fewer mini CQEs).
      
      Due to NAPI budget restriction, a complete structure is not always
      parsed in one NAPI run, and some blocks with mini CQEs may be deferred
      to the next NAPI poll call - we have the mlx5e_decompress_cqes_cont call
      in the beginning of mlx5e_poll_rx_cq. However, if the budget is
      extremely low, some blocks may be left even after that, but the code
      that follows the mlx5e_decompress_cqes_cont call doesn't check it and
      assumes that a new CQE begins, which may not be the case. In such cases,
      random memory corruptions occur.
      
      An extremely low NAPI budget of 8 is used when busy_poll or busy_read is
      active.
      
      This commit adds a check to make sure that the previous compressed CQE
      has been completely parsed after mlx5e_decompress_cqes_cont, otherwise
      it prevents a new CQE from being fetched in the middle of a compressed
      CQE.
      
      This commit fixes random crashes in __build_skb, __page_pool_put_page
      and other not-related-directly places, that used to happen when both CQE
      compression and busy_poll/busy_read were enabled.
      
      Fixes: 7219ab34 ("net/mlx5e: CQE compression")
      Signed-off-by: NMaxim Mikityanskiy <maximmi@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      9df86bdb
    • V
      net/mlx5e: Don't store direct pointer to action's tunnel info · 2a4b6526
      Vlad Buslov 提交于
      Geneve implementation changed mlx5 tc to user direct pointer to tunnel_key
      action's internal struct ip_tunnel_info instance. However, this leads to
      use-after-free error when initial filter that caused creation of new encap
      entry is deleted or when tunnel_key action is manually overwritten through
      action API. Moreover, with recent TC offloads API unlocking change struct
      flow_action_entry->tunnel point to temporal copy of tunnel info that is
      deallocated after filter is offloaded to hardware which causes bug to
      reproduce every time new filter is attached to existing encap entry with
      following KASAN bug:
      
      [  314.885555] ==================================================================
      [  314.886641] BUG: KASAN: use-after-free in memcmp+0x2c/0x60
      [  314.886864] Read of size 1 at addr ffff88886c746280 by task tc/2682
      
      [  314.887179] CPU: 22 PID: 2682 Comm: tc Not tainted 5.3.0-rc7+ #703
      [  314.887188] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
      [  314.887195] Call Trace:
      [  314.887215]  dump_stack+0x9a/0xf0
      [  314.887236]  print_address_description+0x67/0x323
      [  314.887248]  ? memcmp+0x2c/0x60
      [  314.887257]  ? memcmp+0x2c/0x60
      [  314.887272]  __kasan_report.cold+0x1a/0x3d
      [  314.887474]  ? __mlx5e_tc_del_fdb_peer_flow+0x100/0x1b0 [mlx5_core]
      [  314.887484]  ? memcmp+0x2c/0x60
      [  314.887509]  kasan_report+0xe/0x12
      [  314.887521]  memcmp+0x2c/0x60
      [  314.887662]  mlx5e_tc_add_fdb_flow+0x51b/0xbe0 [mlx5_core]
      [  314.887838]  ? mlx5e_encap_take+0x110/0x110 [mlx5_core]
      [  314.887902]  ? lockdep_init_map+0x87/0x2c0
      [  314.887924]  ? __init_waitqueue_head+0x4f/0x60
      [  314.888062]  ? mlx5e_alloc_flow.isra.0+0x18c/0x1c0 [mlx5_core]
      [  314.888207]  __mlx5e_add_fdb_flow+0x2d7/0x440 [mlx5_core]
      [  314.888359]  ? mlx5e_tc_update_neigh_used_value+0x6f0/0x6f0 [mlx5_core]
      [  314.888374]  ? match_held_lock+0x2e/0x240
      [  314.888537]  mlx5e_configure_flower+0x830/0x16a0 [mlx5_core]
      [  314.888702]  ? __mlx5e_add_fdb_flow+0x440/0x440 [mlx5_core]
      [  314.888713]  ? down_read+0x118/0x2c0
      [  314.888728]  ? down_read_killable+0x300/0x300
      [  314.888882]  ? mlx5e_rep_get_ethtool_stats+0x180/0x180 [mlx5_core]
      [  314.888899]  tc_setup_cb_add+0x127/0x270
      [  314.888937]  fl_hw_replace_filter+0x2ac/0x380 [cls_flower]
      [  314.888976]  ? fl_hw_destroy_filter+0x1b0/0x1b0 [cls_flower]
      [  314.888990]  ? fl_change+0xbcf/0x27ef [cls_flower]
      [  314.889030]  ? fl_change+0xa57/0x27ef [cls_flower]
      [  314.889069]  fl_change+0x16bd/0x27ef [cls_flower]
      [  314.889135]  ? __rhashtable_insert_fast.constprop.0+0xa00/0xa00 [cls_flower]
      [  314.889167]  ? __radix_tree_lookup+0xa4/0x130
      [  314.889200]  ? fl_get+0x169/0x240 [cls_flower]
      [  314.889218]  ? fl_walk+0x230/0x230 [cls_flower]
      [  314.889249]  tc_new_tfilter+0x5e1/0xd40
      [  314.889281]  ? __rhashtable_insert_fast.constprop.0+0xa00/0xa00 [cls_flower]
      [  314.889309]  ? tc_del_tfilter+0xa30/0xa30
      [  314.889335]  ? __lock_acquire+0x5b5/0x2460
      [  314.889378]  ? find_held_lock+0x85/0xa0
      [  314.889442]  ? tc_del_tfilter+0xa30/0xa30
      [  314.889465]  rtnetlink_rcv_msg+0x4ab/0x5f0
      [  314.889488]  ? rtnl_dellink+0x490/0x490
      [  314.889518]  ? lockdep_hardirqs_on+0x260/0x260
      [  314.889538]  ? netlink_deliver_tap+0xab/0x5a0
      [  314.889550]  ? match_held_lock+0x1b/0x240
      [  314.889575]  netlink_rcv_skb+0xd0/0x200
      [  314.889588]  ? rtnl_dellink+0x490/0x490
      [  314.889605]  ? netlink_ack+0x440/0x440
      [  314.889635]  ? netlink_deliver_tap+0x161/0x5a0
      [  314.889648]  ? lock_downgrade+0x360/0x360
      [  314.889657]  ? lock_acquire+0xe5/0x210
      [  314.889686]  netlink_unicast+0x296/0x350
      [  314.889707]  ? netlink_attachskb+0x390/0x390
      [  314.889726]  ? _copy_from_iter_full+0xe0/0x3a0
      [  314.889738]  ? __virt_addr_valid+0xbb/0x130
      [  314.889771]  netlink_sendmsg+0x394/0x600
      [  314.889800]  ? netlink_unicast+0x350/0x350
      [  314.889817]  ? move_addr_to_kernel.part.0+0x90/0x90
      [  314.889852]  ? netlink_unicast+0x350/0x350
      [  314.889872]  sock_sendmsg+0x96/0xa0
      [  314.889891]  ___sys_sendmsg+0x482/0x520
      [  314.889919]  ? copy_msghdr_from_user+0x250/0x250
      [  314.889930]  ? __fput+0x1fa/0x390
      [  314.889941]  ? task_work_run+0xb7/0xf0
      [  314.889957]  ? exit_to_usermode_loop+0x117/0x120
      [  314.889972]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  314.889982]  ? do_syscall_64+0x74/0xe0
      [  314.889992]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  314.890012]  ? mark_lock+0xac/0x9a0
      [  314.890028]  ? __lock_acquire+0x5b5/0x2460
      [  314.890053]  ? mark_lock+0xac/0x9a0
      [  314.890083]  ? __lock_acquire+0x5b5/0x2460
      [  314.890112]  ? match_held_lock+0x1b/0x240
      [  314.890144]  ? __fget_light+0xa1/0xf0
      [  314.890166]  ? sockfd_lookup_light+0x91/0xb0
      [  314.890187]  __sys_sendmsg+0xba/0x130
      [  314.890201]  ? __sys_sendmsg_sock+0xb0/0xb0
      [  314.890225]  ? __blkcg_punt_bio_submit+0xd0/0xd0
      [  314.890264]  ? lockdep_hardirqs_off+0xbe/0x100
      [  314.890274]  ? mark_held_locks+0x24/0x90
      [  314.890286]  ? do_syscall_64+0x1e/0xe0
      [  314.890308]  do_syscall_64+0x74/0xe0
      [  314.890325]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  314.890336] RIP: 0033:0x7f00ca33d7b8
      [  314.890348] Code: 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 8f 0c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 89 5
      4
      [  314.890356] RSP: 002b:00007ffea2983928 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  314.890369] RAX: ffffffffffffffda RBX: 000000005d777d5b RCX: 00007f00ca33d7b8
      [  314.890377] RDX: 0000000000000000 RSI: 00007ffea2983990 RDI: 0000000000000003
      [  314.890384] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000006
      [  314.890392] R10: 0000000000404eda R11: 0000000000000246 R12: 0000000000000001
      [  314.890400] R13: 000000000047f640 R14: 00007ffea2987b58 R15: 0000000000000021
      
      [  314.890529] Allocated by task 2687:
      [  314.890684]  save_stack+0x1b/0x80
      [  314.890694]  __kasan_kmalloc.constprop.0+0xc2/0xd0
      [  314.890705]  __kmalloc_track_caller+0x102/0x340
      [  314.890721]  kmemdup+0x1d/0x40
      [  314.890730]  tc_setup_flow_action+0x731/0x2c27
      [  314.890743]  fl_hw_replace_filter+0x23b/0x380 [cls_flower]
      [  314.890756]  fl_change+0x16bd/0x27ef [cls_flower]
      [  314.890765]  tc_new_tfilter+0x5e1/0xd40
      [  314.890776]  rtnetlink_rcv_msg+0x4ab/0x5f0
      [  314.890786]  netlink_rcv_skb+0xd0/0x200
      [  314.890796]  netlink_unicast+0x296/0x350
      [  314.890805]  netlink_sendmsg+0x394/0x600
      [  314.890815]  sock_sendmsg+0x96/0xa0
      [  314.890825]  ___sys_sendmsg+0x482/0x520
      [  314.890834]  __sys_sendmsg+0xba/0x130
      [  314.890844]  do_syscall_64+0x74/0xe0
      [  314.890854]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [  314.890937] Freed by task 2687:
      [  314.891076]  save_stack+0x1b/0x80
      [  314.891086]  __kasan_slab_free+0x12c/0x170
      [  314.891095]  kfree+0xeb/0x2f0
      [  314.891106]  tc_cleanup_flow_action+0x69/0xa0
      [  314.891119]  fl_hw_replace_filter+0x2c5/0x380 [cls_flower]
      [  314.891132]  fl_change+0x16bd/0x27ef [cls_flower]
      [  314.891140]  tc_new_tfilter+0x5e1/0xd40
      [  314.891151]  rtnetlink_rcv_msg+0x4ab/0x5f0
      [  314.891161]  netlink_rcv_skb+0xd0/0x200
      [  314.891170]  netlink_unicast+0x296/0x350
      [  314.891180]  netlink_sendmsg+0x394/0x600
      [  314.891190]  sock_sendmsg+0x96/0xa0
      [  314.891200]  ___sys_sendmsg+0x482/0x520
      [  314.891208]  __sys_sendmsg+0xba/0x130
      [  314.891218]  do_syscall_64+0x74/0xe0
      [  314.891228]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [  314.891315] The buggy address belongs to the object at ffff88886c746280
                      which belongs to the cache kmalloc-96 of size 96
      [  314.891762] The buggy address is located 0 bytes inside of
                      96-byte region [ffff88886c746280, ffff88886c7462e0)
      [  314.892196] The buggy address belongs to the page:
      [  314.892387] page:ffffea0021b1d180 refcount:1 mapcount:0 mapping:ffff88835d00ef80 index:0x0
      [  314.892398] flags: 0x57ffffc0000200(slab)
      [  314.892413] raw: 0057ffffc0000200 ffffea00219e0340 0000000800000008 ffff88835d00ef80
      [  314.892423] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
      [  314.892430] page dumped because: kasan: bad access detected
      
      [  314.892515] Memory state around the buggy address:
      [  314.892707]  ffff88886c746180: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  314.892976]  ffff88886c746200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  314.893251] >ffff88886c746280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  314.893522]                    ^
      [  314.893657]  ffff88886c746300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  314.893924]  ffff88886c746380: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
      [  314.894189] ==================================================================
      
      Fix the issue by duplicating tunnel info into per-encap copy that is
      deallocated with encap structure. Also, duplicate tunnel info in flow parse
      attribute to support cases when flow might be attached asynchronously.
      
      Fixes: 1f6da306 ("net/mlx5e: Geneve, Keep tunnel info as pointer to the original struct")
      Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: NYevgeny Kliteynik <kliteyn@mellanox.com>
      Reviewed-by: NRoi Dayan <roid@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      2a4b6526
    • E
      net/mlx5: Fix NULL pointer dereference in extended destination · 0fd79b1e
      Eli Britstein 提交于
      The cited commit refactored the encap id into a struct pointed from the
      destination.
      Bug fix for the case there is no encap for one of the destinations.
      
      Fixes: 2b688ea5 ("net/mlx5: Add flow steering actions to fs_cmd shim layer")
      Signed-off-by: NEli Britstein <elibr@mellanox.com>
      Reviewed-by: NRoi Dayan <roid@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      0fd79b1e
    • P
      net/mlx5: Fix rtable reference leak · 2347cee8
      Parav Pandit 提交于
      If the rt entry gateway family is not AF_INET for multipath device,
      rtable reference is leaked.
      Hence, fix it by releasing the reference.
      
      Fixes: 5fb091e8 ("net/mlx5e: Use hint to resolve route when in HW multipath mode")
      Fixes: e32ee6c7 ("net/mlx5e: Support tunnel encap over tagged Ethernet")
      Signed-off-by: NParav Pandit <parav@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      2347cee8
    • V
      net/mlx5e: Only skip encap flows update when encap init failed · 64d7b685
      Vlad Buslov 提交于
      When encap entry initialization completes successfully e->compl_result is
      set to positive value and not zero, like mlx5e_rep_update_flows() assumes
      at the moment. Fix the conditional to only skip encap flows update when
      e->compl_result < 0.
      
      Fixes: 2a1f1768 ("net/mlx5e: Refactor neigh update for concurrent execution")
      Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: NRoi Dayan <roid@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      64d7b685
    • M
      net/mlx5e: Replace kfree with kvfree when free vhca stats · 5dfb6335
      Maor Gottlieb 提交于
      Memory allocated by kvzalloc should be freed by kvfree.
      
      Fixes: cef35af3 ("net/mlx5e: Add mlx5e HV VHCA stats agent")
      Signed-off-by: NMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      5dfb6335
    • D
      net/mlx5e: Remove incorrect match criteria assignment line · 752d3dc0
      Dmytro Linkin 提交于
      Driver have function, which enable match criteria for misc parameters
      in dependence of eswitch capabilities.
      
      Fixes: 4f5d1bea ("Merge branch 'mlx5-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux")
      Signed-off-by: NDmytro Linkin <dmitrolin@mellanox.com>
      Reviewed-by: NJianbo Liu <jianbol@mellanox.com>
      Reviewed-by: NRoi Dayan <roid@mellanox.com>
      Reviewed-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      752d3dc0
    • D
      net/mlx5e: Determine source port properly for vlan push action · d5dbcc4e
      Dmytro Linkin 提交于
      Termination tables are used for vlan push actions on uplink ports.
      To support RoCE dual port the source port value was placed in a register.
      Fix the code to use an API method returning the source port according to
      the FW capabilities.
      
      Fixes: 10caabda ("net/mlx5e: Use termination table for VLAN push actions")
      Signed-off-by: NDmytro Linkin <dmitrolin@mellanox.com>
      Reviewed-by: NJianbo Liu <jianbol@mellanox.com>
      Reviewed-by: NOz Shlomo <ozsh@mellanox.com>
      Reviewed-by: NRoi Dayan <roid@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      d5dbcc4e
    • V
      net: mscc: ocelot: refuse to overwrite the port's native vlan · b9cd75e6
      Vladimir Oltean 提交于
      The switch driver keeps a "vid" variable per port, which signifies _the_
      VLAN ID that is stripped on that port's egress (aka the native VLAN on a
      trunk port).
      
      That is the way the hardware is designed (mostly). The port->vid is
      programmed into REW:PORT:PORT_VLAN_CFG:PORT_VID and the rewriter is told
      to send all traffic as tagged except the one having port->vid.
      
      There exists a possibility of finer-grained egress untagging decisions:
      using the VCAP IS1 engine, one rule can be added to match every
      VLAN-tagged frame whose VLAN should be untagged, and set POP_CNT=1 as
      action. However, the IS1 can hold at most 512 entries, and the VLANs are
      in the order of 6 * 4096.
      
      So the code is fine for now. But this sequence of commands:
      
      $ bridge vlan add dev swp0 vid 1 pvid untagged
      $ bridge vlan add dev swp0 vid 2 untagged
      
      makes untagged and pvid-tagged traffic be sent out of swp0 as tagged
      with VID 1, despite user's request.
      
      Prevent that from happening. The user should temporarily remove the
      existing untagged VLAN (1 in this case), add it back as tagged, and then
      add the new untagged VLAN (2 in this case).
      
      Cc: Antoine Tenart <antoine.tenart@bootlin.com>
      Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
      Fixes: 7142529f ("net: mscc: ocelot: add VLAN filtering")
      Signed-off-by: NVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: NAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b9cd75e6
    • V
      net: mscc: ocelot: fix vlan_filtering when enslaving to bridge before link is up · 1c44ce56
      Vladimir Oltean 提交于
      Background information: the driver operates the hardware in a mode where
      a single VLAN can be transmitted as untagged on a particular egress
      port. That is the "native VLAN on trunk port" use case. Its value is
      held in port->vid.
      
      Consider the following command sequence (no network manager, all
      interfaces are down, debugging prints added by me):
      
      $ ip link add dev br0 type bridge vlan_filtering 1
      $ ip link set dev swp0 master br0
      
      Kernel code path during last command:
      
      br_add_slave -> ocelot_netdevice_port_event (NETDEV_CHANGEUPPER):
      [   21.401901] ocelot_vlan_port_apply: port 0 vlan aware 0 pvid 0 vid 0
      
      br_add_slave -> nbp_vlan_init -> switchdev_port_attr_set -> ocelot_port_attr_set (SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING):
      [   21.413335] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 0 vid 0
      
      br_add_slave -> nbp_vlan_init -> nbp_vlan_add -> br_switchdev_port_vlan_add -> switchdev_port_obj_add -> ocelot_port_obj_add -> ocelot_vlan_vid_add
      [   21.667421] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 1
      
      So far so good. The bridge has replaced the driver's default pvid used
      in standalone mode (0) with its own default_pvid (1). The port's vid
      (native VLAN) has also changed from 0 to 1.
      
      $ ip link set dev swp0 up
      
      [   31.722956] 8021q: adding VLAN 0 to HW filter on device swp0
      do_setlink -> dev_change_flags -> vlan_vid_add -> ocelot_vlan_rx_add_vid -> ocelot_vlan_vid_add:
      [   31.728700] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 0
      
      The 8021q module uses the .ndo_vlan_rx_add_vid API on .ndo_open to make
      ports be able to transmit and receive 802.1p-tagged traffic by default.
      This API is supposed to offload a VLAN sub-interface, which for a switch
      port means to add a VLAN that is not a pvid, and tagged on egress.
      
      But the driver implementation of .ndo_vlan_rx_add_vid is wrong: it adds
      back vid 0 as "egress untagged". Now back to the initial paragraph:
      there is a single untagged VID that the driver keeps track of, and that
      has just changed from 1 (the pvid) to 0. So this breaks the bridge
      core's expectation, because it has changed vid 1 from untagged to
      tagged, when what the user sees is.
      
      $ bridge vlan
      port    vlan ids
      swp0     1 PVID Egress Untagged
      
      br0      1 PVID Egress Untagged
      
      But curiously, instead of manifesting itself as "untagged and
      pvid-tagged traffic gets sent as tagged on egress", the bug:
      
      - is hidden when vlan_filtering=0
      - manifests as dropped traffic when vlan_filtering=1, due to this setting:
      
      	if (port->vlan_aware && !port->vid)
      		/* If port is vlan-aware and tagged, drop untagged and priority
      		 * tagged frames.
      		 */
      		val |= ANA_PORT_DROP_CFG_DROP_UNTAGGED_ENA |
      		       ANA_PORT_DROP_CFG_DROP_PRIO_S_TAGGED_ENA |
      		       ANA_PORT_DROP_CFG_DROP_PRIO_C_TAGGED_ENA;
      
      which would have made sense if it weren't for this bug. The setting's
      intention was "this is a trunk port with no native VLAN, so don't accept
      untagged traffic". So the driver was never expecting to set VLAN 0 as
      the value of the native VLAN, 0 was just encoding for "invalid".
      
      So the fix is to not send 802.1p traffic as untagged, because that would
      change the port's native vlan to 0, unbeknownst to the bridge, and
      trigger unexpected code paths in the driver.
      
      Cc: Antoine Tenart <antoine.tenart@bootlin.com>
      Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
      Fixes: 7142529f ("net: mscc: ocelot: add VLAN filtering")
      Signed-off-by: NVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: NAlexandre Belloni <alexandre.belloni@bootlin.com>
      Reviewed-by: NHoratiu Vultur <horatiu.vultur@microchip.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1c44ce56
    • N
      wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle · 6f3ef5c2
      Navid Emamdoost 提交于
      In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
      buffer for cmd should be released before returning. The
      documentation for i2400m_msg_to_dev() says when it returns the buffer
      can be reused. Meaning cmd should be released in either case. Move
      kfree(cmd) before return to be reached by all execution paths.
      
      Fixes: 2507e6ab ("wimax: i2400: fix memory leak")
      Signed-off-by: NNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6f3ef5c2
    • J
      net: hisilicon: Fix "Trying to free already-free IRQ" · 63a41746
      Jiangfeng Xiao 提交于
      When rmmod hip04_eth.ko, we can get the following warning:
      
      Task track: rmmod(1623)>bash(1591)>login(1581)>init(1)
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 1623 at kernel/irq/manage.c:1557 __free_irq+0xa4/0x2ac()
      Trying to free already-free IRQ 200
      Modules linked in: ping(O) pramdisk(O) cpuinfo(O) rtos_snapshot(O) interrupt_ctrl(O) mtdblock mtd_blkdevrtfs nfs_acl nfs lockd grace sunrpc xt_tcpudp ipt_REJECT iptable_filter ip_tables x_tables nf_reject_ipv
      CPU: 0 PID: 1623 Comm: rmmod Tainted: G           O    4.4.193 #1
      Hardware name: Hisilicon A15
      [<c020b408>] (rtos_unwind_backtrace) from [<c0206624>] (show_stack+0x10/0x14)
      [<c0206624>] (show_stack) from [<c03f2be4>] (dump_stack+0xa0/0xd8)
      [<c03f2be4>] (dump_stack) from [<c021a780>] (warn_slowpath_common+0x84/0xb0)
      [<c021a780>] (warn_slowpath_common) from [<c021a7e8>] (warn_slowpath_fmt+0x3c/0x68)
      [<c021a7e8>] (warn_slowpath_fmt) from [<c026876c>] (__free_irq+0xa4/0x2ac)
      [<c026876c>] (__free_irq) from [<c0268a14>] (free_irq+0x60/0x7c)
      [<c0268a14>] (free_irq) from [<c0469e80>] (release_nodes+0x1c4/0x1ec)
      [<c0469e80>] (release_nodes) from [<c0466924>] (__device_release_driver+0xa8/0x104)
      [<c0466924>] (__device_release_driver) from [<c0466a80>] (driver_detach+0xd0/0xf8)
      [<c0466a80>] (driver_detach) from [<c0465e18>] (bus_remove_driver+0x64/0x8c)
      [<c0465e18>] (bus_remove_driver) from [<c02935b0>] (SyS_delete_module+0x198/0x1e0)
      [<c02935b0>] (SyS_delete_module) from [<c0202ed0>] (__sys_trace_return+0x0/0x10)
      ---[ end trace bb25d6123d849b44 ]---
      
      Currently "rmmod hip04_eth.ko" call free_irq more than once
      as devres_release_all and hip04_remove both call free_irq.
      This results in a 'Trying to free already-free IRQ' warning.
      To solve the problem free_irq has been moved out of hip04_remove.
      Signed-off-by: NJiangfeng Xiao <xiaojiangfeng@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      63a41746
    • W
      fjes: Handle workqueue allocation failure · 85ac30fa
      Will Deacon 提交于
      In the highly unlikely event that we fail to allocate either of the
      "/txrx" or "/control" workqueues, we should bail cleanly rather than
      blindly march on with NULL queue pointer(s) installed in the
      'fjes_adapter' instance.
      
      Cc: "David S. Miller" <davem@davemloft.net>
      Reported-by: NNicolas Waisman <nico@semmle.com>
      Link: https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/Signed-off-by: NWill Deacon <will@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      85ac30fa
  4. 29 10月, 2019 4 次提交
    • D
      net: usb: lan78xx: Disable interrupts before calling generic_handle_irq() · 0a29ac5b
      Daniel Wagner 提交于
      lan78xx_status() will run with interrupts enabled due to the change in
      ed194d13 ("usb: core: remove local_irq_save() around ->complete()
      handler"). generic_handle_irq() expects to be run with IRQs disabled.
      
      [    4.886203] 000: irq 79 handler irq_default_primary_handler+0x0/0x8 enabled interrupts
      [    4.886243] 000: WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:152 __handle_irq_event_percpu+0x154/0x168
      [    4.896294] 000: Modules linked in:
      [    4.896301] 000: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.6 #39
      [    4.896310] 000: Hardware name: Raspberry Pi 3 Model B+ (DT)
      [    4.896315] 000: pstate: 60000005 (nZCv daif -PAN -UAO)
      [    4.896321] 000: pc : __handle_irq_event_percpu+0x154/0x168
      [    4.896331] 000: lr : __handle_irq_event_percpu+0x154/0x168
      [    4.896339] 000: sp : ffff000010003cc0
      [    4.896346] 000: x29: ffff000010003cc0 x28: 0000000000000060
      [    4.896355] 000: x27: ffff000011021980 x26: ffff00001189c72b
      [    4.896364] 000: x25: ffff000011702bc0 x24: ffff800036d6e400
      [    4.896373] 000: x23: 000000000000004f x22: ffff000010003d64
      [    4.896381] 000: x21: 0000000000000000 x20: 0000000000000002
      [    4.896390] 000: x19: ffff8000371c8480 x18: 0000000000000060
      [    4.896398] 000: x17: 0000000000000000 x16: 00000000000000eb
      [    4.896406] 000: x15: ffff000011712d18 x14: 7265746e69206465
      [    4.896414] 000: x13: ffff000010003ba0 x12: ffff000011712df0
      [    4.896422] 000: x11: 0000000000000001 x10: ffff000011712e08
      [    4.896430] 000: x9 : 0000000000000001 x8 : 000000000003c920
      [    4.896437] 000: x7 : ffff0000118cc410 x6 : ffff0000118c7f00
      [    4.896445] 000: x5 : 000000000003c920 x4 : 0000000000004510
      [    4.896453] 000: x3 : ffff000011712dc8 x2 : 0000000000000000
      [    4.896461] 000: x1 : 73a3f67df94c1500 x0 : 0000000000000000
      [    4.896466] 000: Call trace:
      [    4.896471] 000:  __handle_irq_event_percpu+0x154/0x168
      [    4.896481] 000:  handle_irq_event_percpu+0x50/0xb0
      [    4.896489] 000:  handle_irq_event+0x40/0x98
      [    4.896497] 000:  handle_simple_irq+0xa4/0xf0
      [    4.896505] 000:  generic_handle_irq+0x24/0x38
      [    4.896513] 000:  intr_complete+0xb0/0xe0
      [    4.896525] 000:  __usb_hcd_giveback_urb+0x58/0xd8
      [    4.896533] 000:  usb_giveback_urb_bh+0xd0/0x170
      [    4.896539] 000:  tasklet_action_common.isra.0+0x9c/0x128
      [    4.896549] 000:  tasklet_hi_action+0x24/0x30
      [    4.896556] 000:  __do_softirq+0x120/0x23c
      [    4.896564] 000:  irq_exit+0xb8/0xd8
      [    4.896571] 000:  __handle_domain_irq+0x64/0xb8
      [    4.896579] 000:  bcm2836_arm_irqchip_handle_irq+0x60/0xc0
      [    4.896586] 000:  el1_irq+0xb8/0x140
      [    4.896592] 000:  arch_cpu_idle+0x10/0x18
      [    4.896601] 000:  do_idle+0x200/0x280
      [    4.896608] 000:  cpu_startup_entry+0x20/0x28
      [    4.896615] 000:  rest_init+0xb4/0xc0
      [    4.896623] 000:  arch_call_rest_init+0xc/0x14
      [    4.896632] 000:  start_kernel+0x454/0x480
      
      Fixes: ed194d13 ("usb: core: remove local_irq_save() around ->complete() handler")
      Cc: Woojung Huh <woojung.huh@microchip.com>
      Cc: Marc Zyngier <maz@kernel.org>
      Cc: Andrew Lunn <andrew@lunn.ch>
      Cc: Stefan Wahren <wahrenst@gmx.net>
      Cc: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: NDaniel Wagner <dwagner@suse.de>
      Tested-by: NStefan Wahren <wahrenst@gmx.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0a29ac5b
    • A
      net: dsa: sja1105: improve NET_DSA_SJA1105_TAS dependency · 5d294fc4
      Arnd Bergmann 提交于
      An earlier bugfix introduced a dependency on CONFIG_NET_SCH_TAPRIO,
      but this missed the case of NET_SCH_TAPRIO=m and NET_DSA_SJA1105=y,
      which still causes a link error:
      
      drivers/net/dsa/sja1105/sja1105_tas.o: In function `sja1105_setup_tc_taprio':
      sja1105_tas.c:(.text+0x5c): undefined reference to `taprio_offload_free'
      sja1105_tas.c:(.text+0x3b4): undefined reference to `taprio_offload_get'
      drivers/net/dsa/sja1105/sja1105_tas.o: In function `sja1105_tas_teardown':
      sja1105_tas.c:(.text+0x6ec): undefined reference to `taprio_offload_free'
      
      Change the dependency to only allow selecting the TAS code when it
      can link against the taprio code.
      
      Fixes: a8d570de ("net: dsa: sja1105: Add dependency for NET_DSA_SJA1105_TAS")
      Fixes: 317ab5b8 ("net: dsa: sja1105: Configure the Time-Aware Scheduler via tc-taprio offload")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5d294fc4
    • B
      net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum · 88824e3b
      Benjamin Herrenschmidt 提交于
      We are calling the checksum helper after the dma_map_single()
      call to map the packet. This is incorrect as the checksumming
      code will touch the packet from the CPU. This means the cache
      won't be properly flushes (or the bounce buffering will leave
      us with the unmodified packet to DMA).
      
      This moves the calculation of the checksum & vlan tags to
      before the DMA mapping.
      
      This also has the side effect of fixing another bug: If the
      checksum helper fails, we goto "drop" to drop the packet, which
      will not unmap the DMA mapping.
      Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Fixes: 05690d63 ("ftgmac100: Upgrade to NETIF_F_HW_CSUM")
      Reviewed-by: NVijay Khemka <vijaykhemka@fb.com>
      Tested-by: NVijay Khemka <vijaykhemka@fb.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      88824e3b
    • N
      net: dpaa2: Use the correct style for SPDX License Identifier · 7de4344f
      Nishad Kamdar 提交于
      This patch corrects the SPDX License Identifier style in
      header files related to DPAA2 Ethernet driver supporting
      Freescale SoCs with DPAA2. For C header files
      Documentation/process/license-rules.rst mandates C-like comments
      (opposed to C source files where C++ style should be used)
      
      Changes made by using a script provided by Joe Perches here:
      https://lkml.org/lkml/2019/2/7/46.
      Suggested-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NNishad Kamdar <nishadkamdar@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7de4344f
  5. 26 10月, 2019 3 次提交
    • R
      cxgb4: request the TX CIDX updates to status page · 7c3bebc3
      Raju Rangoju 提交于
      For adapters which support the SGE Doorbell Queue Timer facility,
      we configured the Ethernet TX Queues to send CIDX Updates to the
      Associated Ethernet RX Response Queue with CPL_SGE_EGR_UPDATE
      messages to allow us to respond more quickly to the CIDX Updates.
      But, this was adding load to PCIe Link RX bandwidth and,
      potentially, resulting in higher CPU Interrupt load.
      
      This patch requests the HW to deliver the CIDX updates to the TX
      queue status page rather than generating an ingress queue message
      (as an interrupt). With this patch, the load on RX bandwidth is
      reduced and a substantial improvement in BW is noticed at lower
      IO sizes.
      
      Fixes: d429005f ("cxgb4/cxgb4vf: Add support for SGE doorbell queue timer")
      Signed-off-by: NRaju Rangoju <rajur@chelsio.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7c3bebc3
    • N
      net: ethernet: Use the correct style for SPDX License Identifier · 16d65287
      Nishad Kamdar 提交于
      This patch corrects the SPDX License Identifier style in
      header file related to ethernet driver for Cortina Gemini
      devices. For C header files Documentation/process/license-rules.rst
      mandates C-like comments (opposed to C source files where
      C++ style should be used)
      
      Changes made by using a script provided by Joe Perches here:
      https://lkml.org/lkml/2019/2/7/46.
      Suggested-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NNishad Kamdar <nishadkamdar@gmail.com>
      Acked-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      16d65287
    • B
      net: mvneta: make stub functions static inline · 3f6b2c44
      Ben Dooks (Codethink) 提交于
      If the CONFIG_MVNET_BA is not set, then make the stub functions
      static inline to avoid trying to export them, and remove hte
      following sparse warnings:
      
      drivers/net/ethernet/marvell/mvneta_bm.h:163:6: warning: symbol 'mvneta_bm_pool_destroy' was not declared. Should it be static?
      drivers/net/ethernet/marvell/mvneta_bm.h:165:6: warning: symbol 'mvneta_bm_bufs_free' was not declared. Should it be static?
      drivers/net/ethernet/marvell/mvneta_bm.h:167:5: warning: symbol 'mvneta_bm_construct' was not declared. Should it be static?
      drivers/net/ethernet/marvell/mvneta_bm.h:168:5: warning: symbol 'mvneta_bm_pool_refill' was not declared. Should it be static?
      drivers/net/ethernet/marvell/mvneta_bm.h:170:23: warning: symbol 'mvneta_bm_pool_use' was not declared. Should it be static?
      drivers/net/ethernet/marvell/mvneta_bm.h:181:18: warning: symbol 'mvneta_bm_get' was not declared. Should it be static?
      drivers/net/ethernet/marvell/mvneta_bm.h:182:6: warning: symbol 'mvneta_bm_put' was not declared. Should it be static?
      Signed-off-by: NBen Dooks (Codethink) <ben.dooks@codethink.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3f6b2c44
  6. 25 10月, 2019 3 次提交
    • T
      virt_wifi: fix refcnt leak in module exit routine · 1962f86b
      Taehee Yoo 提交于
      virt_wifi_newlink() calls netdev_upper_dev_link() and it internally
      holds reference count of lower interface.
      
      Current code does not release a reference count of the lower interface
      when the lower interface is being deleted.
      So, reference count leaks occur.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add vw1 link dummy0 type virt_wifi
          ip link del dummy0
      
      Splat looks like:
      [  133.787526][  T788] WARNING: CPU: 1 PID: 788 at net/core/dev.c:8274 rollback_registered_many+0x835/0xc80
      [  133.788355][  T788] Modules linked in: virt_wifi cfg80211 dummy team af_packet sch_fq_codel ip_tables x_tables unix
      [  133.789377][  T788] CPU: 1 PID: 788 Comm: ip Not tainted 5.4.0-rc3+ #96
      [  133.790069][  T788] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [  133.791167][  T788] RIP: 0010:rollback_registered_many+0x835/0xc80
      [  133.791906][  T788] Code: 00 4d 85 ff 0f 84 b5 fd ff ff ba c0 0c 00 00 48 89 de 4c 89 ff e8 9b 58 04 00 48 89 df e8 30
      [  133.794317][  T788] RSP: 0018:ffff88805ba3f338 EFLAGS: 00010202
      [  133.795080][  T788] RAX: ffff88805e57e801 RBX: ffff88805ba34000 RCX: ffffffffa9294723
      [  133.796045][  T788] RDX: 1ffff1100b746816 RSI: 0000000000000008 RDI: ffffffffabcc4240
      [  133.797006][  T788] RBP: ffff88805ba3f4c0 R08: fffffbfff5798849 R09: fffffbfff5798849
      [  133.797993][  T788] R10: 0000000000000001 R11: fffffbfff5798848 R12: dffffc0000000000
      [  133.802514][  T788] R13: ffff88805ba3f440 R14: ffff88805ba3f400 R15: ffff88805ed622c0
      [  133.803237][  T788] FS:  00007f2e9608c0c0(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000
      [  133.804002][  T788] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  133.804664][  T788] CR2: 00007f2e95610603 CR3: 000000005f68c004 CR4: 00000000000606e0
      [  133.805363][  T788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  133.806073][  T788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  133.806787][  T788] Call Trace:
      [  133.807069][  T788]  ? generic_xdp_install+0x310/0x310
      [  133.807612][  T788]  ? lock_acquire+0x164/0x3b0
      [  133.808077][  T788]  ? is_bpf_text_address+0x5/0xf0
      [  133.808640][  T788]  ? deref_stack_reg+0x9c/0xd0
      [  133.809138][  T788]  ? __nla_validate_parse+0x98/0x1ab0
      [  133.809944][  T788]  unregister_netdevice_many.part.122+0x13/0x1b0
      [  133.810599][  T788]  rtnl_delete_link+0xbc/0x100
      [  133.811073][  T788]  ? rtnl_af_register+0xc0/0xc0
      [  133.811672][  T788]  rtnl_dellink+0x30e/0x8a0
      [  133.812205][  T788]  ? is_bpf_text_address+0x5/0xf0
      [ ... ]
      
      [  144.110530][  T788] unregister_netdevice: waiting for dummy0 to become free. Usage count = 1
      
      This patch adds notifier routine to delete upper interface before deleting
      lower interface.
      
      Fixes: c7cdba31 ("mac80211-next: rtnetlink wifi simulation device")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1962f86b
    • T
      net: remove unnecessary variables and callback · f3b0a18b
      Taehee Yoo 提交于
      This patch removes variables and callback these are related to the nested
      device structure.
      devices that can be nested have their own nest_level variable that
      represents the depth of nested devices.
      In the previous patch, new {lower/upper}_level variables are added and
      they replace old private nest_level variable.
      So, this patch removes all 'nest_level' variables.
      
      In order to avoid lockdep warning, ->ndo_get_lock_subclass() was added
      to get lockdep subclass value, which is actually lower nested depth value.
      But now, they use the dynamic lockdep key to avoid lockdep warning instead
      of the subclass.
      So, this patch removes ->ndo_get_lock_subclass() callback.
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f3b0a18b
    • T
      vxlan: add adjacent link to limit depth level · 0ce1822c
      Taehee Yoo 提交于
      Current vxlan code doesn't limit the number of nested devices.
      Nested devices would be handled recursively and this routine needs
      huge stack memory. So, unlimited nested devices could make
      stack overflow.
      
      In order to fix this issue, this patch adds adjacent links.
      The adjacent link APIs internally check the depth level.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add vxlan0 type vxlan id 0 group 239.1.1.1 dev dummy0 \
      	    dstport 4789
          for i in {1..100}
          do
      	    let A=$i-1
      	    ip link add vxlan$i type vxlan id $i group 239.1.1.1 \
      		    dev vxlan$A dstport 4789
          done
          ip link del dummy0
      
      The top upper link is vxlan100 and the lowest link is vxlan0.
      When vxlan0 is deleting, the upper devices will be deleted recursively.
      It needs huge stack memory so it makes stack overflow.
      
      Splat looks like:
      [  229.628477] =============================================================================
      [  229.629785] BUG page->ptl (Not tainted): Padding overwritten. 0x0000000026abf214-0x0000000091f6abb2
      [  229.629785] -----------------------------------------------------------------------------
      [  229.629785]
      [  229.655439] ==================================================================
      [  229.629785] INFO: Slab 0x00000000ff7cfda8 objects=19 used=19 fp=0x00000000fe33776c flags=0x200000000010200
      [  229.655688] BUG: KASAN: stack-out-of-bounds in unmap_single_vma+0x25a/0x2e0
      [  229.655688] Read of size 8 at addr ffff888113076928 by task vlan-network-in/2334
      [  229.655688]
      [  229.629785] Padding 0000000026abf214: 00 80 14 0d 81 88 ff ff 68 91 81 14 81 88 ff ff  ........h.......
      [  229.629785] Padding 0000000001e24790: 38 91 81 14 81 88 ff ff 68 91 81 14 81 88 ff ff  8.......h.......
      [  229.629785] Padding 00000000b39397c8: 33 30 62 a7 ff ff ff ff ff eb 60 22 10 f1 ff 1f  30b.......`"....
      [  229.629785] Padding 00000000bc98f53a: 80 60 07 13 81 88 ff ff 00 80 14 0d 81 88 ff ff  .`..............
      [  229.629785] Padding 000000002aa8123d: 68 91 81 14 81 88 ff ff f7 21 17 a7 ff ff ff ff  h........!......
      [  229.629785] Padding 000000001c8c2369: 08 81 14 0d 81 88 ff ff 03 02 00 00 00 00 00 00  ................
      [  229.629785] Padding 000000004e290c5d: 21 90 a2 21 10 ed ff ff 00 00 00 00 00 fc ff df  !..!............
      [  229.629785] Padding 000000000e25d731: 18 60 07 13 81 88 ff ff c0 8b 13 05 81 88 ff ff  .`..............
      [  229.629785] Padding 000000007adc7ab3: b3 8a b5 41 00 00 00 00                          ...A....
      [  229.629785] FIX page->ptl: Restoring 0x0000000026abf214-0x0000000091f6abb2=0x5a
      [  ... ]
      
      Fixes: acaf4e70 ("net: vxlan: when lower dev unregisters remove vxlan dev as well")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0ce1822c
反馈
建议
客服 返回
顶部