1. 23 12月, 2019 5 次提交
    • L
      iwlwifi: mvm: fix NVM check for 3168 devices · b3f20e09
      Luca Coelho 提交于
      We had a check on !NVM_EXT and then a check for NVM_SDP in the else
      block of this if.  The else block, obviously, could only be reached if
      using NVM_EXT, so it would never be NVM_SDP.
      
      Fix that by checking whether the nvm_type is IWL_NVM instead of
      checking for !IWL_NVM_EXT to solve this issue.
      Reported-by: NStefan Sperling <stsp@stsp.name>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      b3f20e09
    • L
      iwlwifi: fix TLV fragment allocation loop · 4f565ee2
      Luca Coelho 提交于
      In the allocation loop, "pages" will never become zero (because of the
      DIV_ROUND_UP), so if we can't allocate any size and pages becomes 1,
      we will keep trying to allocate 1 page until it succeeds.  And in that
      case, as coverity reported, block will never be NULL.
      Reported-by: Ncoverity-bot <keescook+coverity-bot@chromium.org>
      Addresses-Coverity-ID: 1487402 ("Control flow issues")
      Fixes: 14124b25 ("iwlwifi: dbg_ini: implement monitor allocation flow")
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Fixes: 14124b25 ("iwlwifi: dbg_ini: implement monitor allocation flow")
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      4f565ee2
    • J
      iwlwifi: pcie: allocate smaller dev_cmd for TX headers · a89c72ff
      Johannes Berg 提交于
      As noted in the previous commit, due to the way we allocate the
      dev_cmd headers with 324 byte size, and 4/8 byte alignment, the
      part we use of them (bytes 20..40-68) could still cross a page
      and thus 2^32 boundary.
      
      Address this by using alignment to ensure that the allocation
      cannot cross a page boundary, on hardware that's affected. To
      make that not cause more memory consumption, reduce the size of
      the allocations to the necessary size - we go from 324 bytes in
      each allocation to 60/68 on gen2 depending on family, and ~120
      or so on gen1 (so on gen1 it's a pure reduction in size, since
      we don't need alignment there).
      
      To avoid size and clearing issues, add a new structure that's
      just the header, and use kmem_cache_zalloc().
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      a89c72ff
    • J
      iwlwifi: pcie: detect the DMA bug and warn if it happens · c5a4e8eb
      Johannes Berg 提交于
      Warn if the DMA bug is going to happen. We don't have a good
      way of actually aborting in this case and we have workarounds
      in place for the cases where it happens, but in order to not
      be surprised add a safety-check and warn.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      c5a4e8eb
    • J
      iwlwifi: pcie: work around DMA hardware bug · c4a786b3
      Johannes Berg 提交于
      There's a hardware bug in the flow handler (DMA engine), if the
      address + len of some TB wraps around a 2^32 boundary, the carry
      bit is then carried over into the next TB.
      
      Work around this by copying the data to a new page when we find
      this situation, and then copy it in a way that we cannot hit the
      very end of the page.
      
      To be able to free the new page again later we need to chain it
      to the TSO page, use the last pointer there to make sure we can
      never use the page fully for DMA, and thus cannot cause the same
      overflow situation on this page.
      
      This leaves a few potential places (where we didn't observe the
      problem) unaddressed:
       * The second TB could reach or cross the end of a page (and thus
         2^32) due to the way we allocate the dev_cmd for the header
       * For host commands, a similar thing could happen since they're
         just kmalloc().
      We'll address these in further commits.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      c4a786b3
  2. 20 12月, 2019 2 次提交
  3. 19 12月, 2019 3 次提交
    • W
      libertas: Fix two buffer overflows at parsing bss descriptor · e5e884b4
      Wen Huang 提交于
      add_ie_rates() copys rates without checking the length
      in bss descriptor from remote AP.when victim connects to
      remote attacker, this may trigger buffer overflow.
      lbs_ibss_join_existing() copys rates without checking the length
      in bss descriptor from remote IBSS node.when victim connects to
      remote attacker, this may trigger buffer overflow.
      Fix them by putting the length check before performing copy.
      
      This fix addresses CVE-2019-14896 and CVE-2019-14897.
      This also fix build warning of mixed declarations and code.
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Signed-off-by: NWen Huang <huangwenabc@gmail.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      e5e884b4
    • D
      mt76: Off by one in mt76_calc_rx_airtime() · b43e36d7
      Dan Carpenter 提交于
      The sband->bitrates[] array has "sband->n_bitrates" elements so this
      check needs to be >= instead of > or we could read beyond the end of the
      array.
      
      These values come from when we call mt76_register_device():
      
      	ret = mt76_register_device(&dev->mt76, true, mt7603_rates,
      				   ARRAY_SIZE(mt7603_rates));
      
      Here sband->bitrates[] is mt7603_rates[] and ->n_bitrates is the
      ARRAY_SIZE()
      
      Fixes: 5ce09c1a ("mt76: track rx airtime for airtime fairness and survey")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      b43e36d7
    • A
      mt76: fix LED link time failure · d68f4e43
      Arnd Bergmann 提交于
      The mt76_led_cleanup() function is called unconditionally, which
      leads to a link error when CONFIG_LEDS is a loadable module or
      disabled but mt76 is built-in:
      
      drivers/net/wireless/mediatek/mt76/mac80211.o: In function `mt76_unregister_device':
      mac80211.c:(.text+0x2ac): undefined reference to `led_classdev_unregister'
      
      Use the same trick that is guarding the registration, using an
      IS_ENABLED() check for the CONFIG_MT76_LEDS symbol that indicates
      whether LEDs can be used or not.
      
      Fixes: 36f7e2b2 ("mt76: do not use devm API for led classdev")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NFelix Fietkau <nbd@nbd.name>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      d68f4e43
  4. 18 12月, 2019 4 次提交
    • J
      nfp: flower: fix stats id allocation · 39f14c00
      John Hurley 提交于
      As flower rules are added, they are given a stats ID based on the number
      of rules that can be supported in firmware. Only after the initial
      allocation of all available IDs does the driver begin to reuse those that
      have been released.
      
      The initial allocation of IDs was modified to account for multiple memory
      units on the offloaded device. However, this introduced a bug whereby the
      counter that controls the IDs could be decremented before the ID was
      assigned (where it is further decremented). This means that the stats ID
      could be assigned as -1/0xfffffff which is out of range.
      
      Fix this by only decrementing the main counter after the current ID has
      been assigned.
      
      Fixes: 467322e2 ("nfp: flower: support multiple memory units for filter offloads")
      Signed-off-by: NJohn Hurley <john.hurley@netronome.com>
      Reviewed-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      39f14c00
    • O
      net: ag71xx: fix compile warnings · 9d4b98af
      Oleksij Rempel 提交于
      drivers/net/ethernet/atheros/ag71xx.c: In function 'ag71xx_probe':
      drivers/net/ethernet/atheros/ag71xx.c:1776:30: warning: passing argument 2 of
       'of_get_phy_mode' makes pointer from integer without a cast [-Wint-conversion]
      In file included from drivers/net/ethernet/atheros/ag71xx.c:33:
      ./include/linux/of_net.h:15:69: note: expected 'phy_interface_t *'
       {aka 'enum <anonymous> *'} but argument is of type 'int'
      
      Fixes: 0c65b2b9 ("net: of_get_phy_mode: Change API to solve int/unit warnings")
      Signed-off-by: NOleksij Rempel <o.rempel@pengutronix.de>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9d4b98af
    • B
      net: qlogic: Fix error paths in ql_alloc_large_buffers() · cad46039
      Ben Hutchings 提交于
      ql_alloc_large_buffers() has the usual RX buffer allocation
      loop where it allocates skbs and maps them for DMA.  It also
      treats failure as a fatal error.
      
      There are (at least) three bugs in the error paths:
      
      1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the
      first buffer that couldn't be allocated will have .skb == NULL.
      But the qla_buf[] array is not zero-initialised.
      
      2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[].  This is
      incorrect for the last allocated skb, if DMA mapping failed.
      
      3. Commit 1acb8f2a ("net: qlogic: Fix memory leak in
      ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any()
      after the skb is recorded in lrg_buf[], so ql_free_large_buffers()
      will double-free it.
      
      The bugs are somewhat inter-twined, so fix them all at once:
      
      * Clear each entry in qla_buf[] before attempting to allocate
        an skb for it.  This goes half-way to fixing bug 1.
      * Set the .skb field only after the skb is DMA-mapped.  This
        fixes the rest.
      
      Fixes: 1357bfcf ("qla3xxx: Dynamically size the rx buffer queue ...")
      Fixes: 0f8ab89e ("qla3xxx: Check return code from pci_map_single() ...")
      Fixes: 1acb8f2a ("net: qlogic: Fix memory leak in ql_alloc_large_buffers")
      Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cad46039
    • I
      dpaa2-ptp: fix double free of the ptp_qoriq IRQ · daa6eb5a
      Ioana Ciornei 提交于
      Upon reusing the ptp_qoriq driver, the ptp_qoriq_free() function was
      used on the remove path to free any allocated resources.
      The ptp_qoriq IRQ is among these resources that are freed in
      ptp_qoriq_free() even though it is also a managed one (allocated using
      devm_request_threaded_irq).
      
      Drop the resource managed version of requesting the IRQ in order to not
      trigger a double free of the interrupt as below:
      
      [  226.731005] Trying to free already-free IRQ 126
      [  226.735533] WARNING: CPU: 6 PID: 749 at kernel/irq/manage.c:1707
      __free_irq+0x9c/0x2b8
      [  226.743435] Modules linked in:
      [  226.746480] CPU: 6 PID: 749 Comm: bash Tainted: G        W
      5.4.0-03629-gfd7102c32b2c-dirty #912
      [  226.755857] Hardware name: NXP Layerscape LX2160ARDB (DT)
      [  226.761244] pstate: 40000085 (nZcv daIf -PAN -UAO)
      [  226.766022] pc : __free_irq+0x9c/0x2b8
      [  226.769758] lr : __free_irq+0x9c/0x2b8
      [  226.773493] sp : ffff8000125039f0
      (...)
      [  226.856275] Call trace:
      [  226.858710]  __free_irq+0x9c/0x2b8
      [  226.862098]  free_irq+0x30/0x70
      [  226.865229]  devm_irq_release+0x14/0x20
      [  226.869054]  release_nodes+0x1b0/0x220
      [  226.872790]  devres_release_all+0x34/0x50
      [  226.876790]  device_release_driver_internal+0x100/0x1c0
      
      Fixes: d346c9e8 ("dpaa2-ptp: reuse ptp_qoriq driver")
      Cc: Yangbo Lu <yangbo.lu@nxp.com>
      Signed-off-by: NIoana Ciornei <ioana.ciornei@nxp.com>
      Reviewed-by: NYangbo Lu <yangbo.lu@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      daa6eb5a
  5. 17 12月, 2019 3 次提交
  6. 16 12月, 2019 3 次提交
  7. 15 12月, 2019 12 次提交
    • R
      net: phylink: fix interface passed to mac_link_up · 9b2079c0
      Russell King 提交于
      A mismerge between the following two commits:
      
      c6787263 ("net: phylink: ensure consistent phy interface mode")
      27755ff8 ("net: phylink: Add phylink_mac_link_{up, down} wrapper functions")
      
      resulted in the wrong interface being passed to the mac_link_up()
      function. Fix this up.
      
      Fixes: b4b12b0d ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net")
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      9b2079c0
    • T
      gtp: avoid zero size hashtable · 6a902c0f
      Taehee Yoo 提交于
      GTP default hashtable size is 1024 and userspace could set specific
      hashtable size with IFLA_GTP_PDP_HASHSIZE. If hashtable size is set to 0
      from userspace,  hashtable will not work and panic will occur.
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      6a902c0f
    • T
      gtp: fix an use-after-free in ipv4_pdp_find() · 94dc550a
      Taehee Yoo 提交于
      ipv4_pdp_find() is called in TX packet path of GTP.
      ipv4_pdp_find() internally uses gtp->tid_hash to lookup pdp context.
      In the current code, gtp->tid_hash and gtp->addr_hash are freed by
      ->dellink(), which is gtp_dellink().
      But gtp_dellink() would be called while packets are processing.
      So, gtp_dellink() should not free gtp->tid_hash and gtp->addr_hash.
      Instead, dev->priv_destructor() would be used because this callback
      is called after all packet processing safely.
      
      Test commands:
          ip link add veth1 type veth peer name veth2
          ip a a 172.0.0.1/24 dev veth1
          ip link set veth1 up
          ip a a 172.99.0.1/32 dev lo
      
          gtp-link add gtp1 &
      
          gtp-tunnel add gtp1 v1 200 100 172.99.0.2 172.0.0.2
          ip r a  172.99.0.2/32 dev gtp1
          ip link set gtp1 mtu 1500
      
          ip netns add ns2
          ip link set veth2 netns ns2
          ip netns exec ns2 ip a a 172.0.0.2/24 dev veth2
          ip netns exec ns2 ip link set veth2 up
          ip netns exec ns2 ip a a 172.99.0.2/32 dev lo
          ip netns exec ns2 ip link set lo up
      
          ip netns exec ns2 gtp-link add gtp2 &
          ip netns exec ns2 gtp-tunnel add gtp2 v1 100 200 172.99.0.1 172.0.0.1
          ip netns exec ns2 ip r a 172.99.0.1/32 dev gtp2
          ip netns exec ns2 ip link set gtp2 mtu 1500
      
          hping3 172.99.0.2 -2 --flood &
          ip link del gtp1
      
      Splat looks like:
      [   72.568081][ T1195] BUG: KASAN: use-after-free in ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.568916][ T1195] Read of size 8 at addr ffff8880b9a35d28 by task hping3/1195
      [   72.569631][ T1195]
      [   72.569861][ T1195] CPU: 2 PID: 1195 Comm: hping3 Not tainted 5.5.0-rc1 #199
      [   72.570547][ T1195] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   72.571438][ T1195] Call Trace:
      [   72.571764][ T1195]  dump_stack+0x96/0xdb
      [   72.572171][ T1195]  ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.572761][ T1195]  print_address_description.constprop.5+0x1be/0x360
      [   72.573400][ T1195]  ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.573971][ T1195]  ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.574544][ T1195]  __kasan_report+0x12a/0x16f
      [   72.575014][ T1195]  ? ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.575593][ T1195]  kasan_report+0xe/0x20
      [   72.576004][ T1195]  ipv4_pdp_find.isra.12+0x130/0x170 [gtp]
      [   72.576577][ T1195]  gtp_build_skb_ip4+0x199/0x1420 [gtp]
      [ ... ]
      [   72.647671][ T1195] BUG: unable to handle page fault for address: ffff8880b9a35d28
      [   72.648512][ T1195] #PF: supervisor read access in kernel mode
      [   72.649158][ T1195] #PF: error_code(0x0000) - not-present page
      [   72.649849][ T1195] PGD a6c01067 P4D a6c01067 PUD 11fb07067 PMD 11f939067 PTE 800fffff465ca060
      [   72.652958][ T1195] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [   72.653834][ T1195] CPU: 2 PID: 1195 Comm: hping3 Tainted: G    B             5.5.0-rc1 #199
      [   72.668062][ T1195] RIP: 0010:ipv4_pdp_find.isra.12+0x86/0x170 [gtp]
      [ ... ]
      [   72.679168][ T1195] Call Trace:
      [   72.679603][ T1195]  gtp_build_skb_ip4+0x199/0x1420 [gtp]
      [   72.681915][ T1195]  ? ipv4_pdp_find.isra.12+0x170/0x170 [gtp]
      [   72.682513][ T1195]  ? lock_acquire+0x164/0x3b0
      [   72.682966][ T1195]  ? gtp_dev_xmit+0x35e/0x890 [gtp]
      [   72.683481][ T1195]  gtp_dev_xmit+0x3c2/0x890 [gtp]
      [ ... ]
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      94dc550a
    • T
      gtp: fix wrong condition in gtp_genl_dump_pdp() · 94a6d9fb
      Taehee Yoo 提交于
      gtp_genl_dump_pdp() is ->dumpit() callback of GTP module and it is used
      to dump pdp contexts. it would be re-executed because of dump packet size.
      
      If dump packet size is too big, it saves current dump pointer
      (gtp interface pointer, bucket, TID value) then it restarts dump from
      last pointer.
      Current GTP code allows adding zero TID pdp context but dump code
      ignores zero TID value. So, last dump pointer will not be found.
      
      In addition, this patch adds missing rcu_read_lock() in
      gtp_genl_dump_pdp().
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      94a6d9fb
    • T
      gtp: do not allow adding duplicate tid and ms_addr pdp context · 6b01b1d9
      Taehee Yoo 提交于
      GTP RX packet path lookups pdp context with TID. If duplicate TID pdp
      contexts are existing in the list, it couldn't select correct pdp context.
      So, TID value  should be unique.
      GTP TX packet path lookups pdp context with ms_addr. If duplicate ms_addr pdp
      contexts are existing in the list, it couldn't select correct pdp context.
      So, ms_addr value should be unique.
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      6b01b1d9
    • M
      bonding: fix active-backup transition after link failure · 5d485ed8
      Mahesh Bandewar 提交于
      After the recent fix in commit 1899bb32 ("bonding: fix state
      transition issue in link monitoring"), the active-backup mode with
      miimon initially come-up fine but after a link-failure, both members
      transition into backup state.
      
      Following steps to reproduce the scenario (eth1 and eth2 are the
      slaves of the bond):
      
          ip link set eth1 up
          ip link set eth2 down
          sleep 1
          ip link set eth2 up
          ip link set eth1 down
          cat /sys/class/net/eth1/bonding_slave/state
          cat /sys/class/net/eth2/bonding_slave/state
      
      Fixes: 1899bb32 ("bonding: fix state transition issue in link monitoring")
      CC: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: NMahesh Bandewar <maheshb@google.com>
      Acked-by: NJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      5d485ed8
    • M
      bnx2x: Fix logic to get total no. of PFs per engine · ee699f89
      Manish Chopra 提交于
      Driver doesn't calculate total number of PFs configured on a
      given engine correctly which messed up resources in the PFs
      loaded on that engine, leading driver to exceed configuration
      of resources (like vlan filters etc.) beyond the limit per
      engine, which ended up with asserts from the firmware.
      Signed-off-by: NManish Chopra <manishc@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      ee699f89
    • M
      bnx2x: Do not handle requests from VFs after parity · 7113f796
      Manish Chopra 提交于
      Parity error from the hardware will cause PF to lose the state
      of their VFs due to PF's internal reload and hardware reset following
      the parity error. Restrict any configuration request from the VFs after
      the parity as it could cause unexpected hardware behavior, only way
      for VFs to recover would be to trigger FLR on VFs and reload them.
      Signed-off-by: NManish Chopra <manishc@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      7113f796
    • A
      net: ethernet: ti: build cpsw-common for switchdev · ed56dd8f
      Arnd Bergmann 提交于
      Without the common part of the driver, the new file fails to link:
      
      drivers/net/ethernet/ti/cpsw_new.o: In function `cpsw_probe':
      cpsw_new.c:(.text+0x312c): undefined reference to `ti_cm_get_macid'
      
      Use the same Makefile hack as before, and build cpsw-common.o for
      any driver that needs it.
      
      Fixes: ed3525ed ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      ed56dd8f
    • A
      net: ethernet: ti: select PAGE_POOL for switchdev driver · 99e9fe22
      Arnd Bergmann 提交于
      The new driver misses a dependency:
      
      drivers/net/ethernet/ti/cpsw_new.o: In function `cpsw_rx_handler':
      cpsw_new.c:(.text+0x259c): undefined reference to `__page_pool_put_page'
      cpsw_new.c:(.text+0x25d0): undefined reference to `page_pool_alloc_pages'
      drivers/net/ethernet/ti/cpsw_priv.o: In function `cpsw_fill_rx_channels':
      cpsw_priv.c:(.text+0x22d8): undefined reference to `page_pool_alloc_pages'
      cpsw_priv.c:(.text+0x2420): undefined reference to `__page_pool_put_page'
      drivers/net/ethernet/ti/cpsw_priv.o: In function `cpsw_create_xdp_rxqs':
      cpsw_priv.c:(.text+0x2624): undefined reference to `page_pool_create'
      drivers/net/ethernet/ti/cpsw_priv.o: In function `cpsw_run_xdp':
      cpsw_priv.c:(.text+0x2dc8): undefined reference to `__page_pool_put_page'
      
      Other drivers use 'select' for PAGE_POOL, so do the same here.
      
      Fixes: ed3525ed ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
      Acked-by: NJesper Dangaard Brouer <brouer@redhat.com>
      Reviewed-by: NGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      99e9fe22
    • H
      hv_netvsc: Fix tx_table init in rndis_set_subchannel() · c39ea5cb
      Haiyang Zhang 提交于
      Host can provide send indirection table messages anytime after RSS is
      enabled by calling rndis_filter_set_rss_param(). So the host provided
      table values may be overwritten by the initialization in
      rndis_set_subchannel().
      
      To prevent this problem, move the tx_table initialization before calling
      rndis_filter_set_rss_param().
      
      Fixes: a6fb6aa3 ("hv_netvsc: Set tx_table to equal weight after subchannels open")
      Signed-off-by: NHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      c39ea5cb
    • R
      net: marvell: mvpp2: phylink requires the link interrupt · f3f2364e
      Russell King 提交于
      phylink requires the MAC to report when its link status changes when
      operating in inband modes.  Failure to report link status changes
      means that phylink has no idea when the link events happen, which
      results in either the network interface's carrier remaining up or
      remaining permanently down.
      
      For example, with a fiber module, if the interface is brought up and
      link is initially established, taking the link down at the far end
      will cut the optical power.  The SFP module's LOS asserts, we
      deactivate the link, and the network interface reports no carrier.
      
      When the far end is brought back up, the SFP module's LOS deasserts,
      but the MAC may be slower to establish link.  If this happens (which
      in my tests is a certainty) then phylink never hears that the MAC
      has established link with the far end, and the network interface is
      stuck reporting no carrier.  This means the interface is
      non-functional.
      
      Avoiding the link interrupt when we have phylink is basically not
      an option, so remove the !port->phylink from the test.
      
      Fixes: 4bb04326 ("net: mvpp2: phylink support")
      Tested-by: NSven Auhagen <sven.auhagen@voleatech.de>
      Tested-by: NAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      f3f2364e
  8. 14 12月, 2019 4 次提交
    • E
      6pack,mkiss: fix possible deadlock · 5c9934b6
      Eric Dumazet 提交于
      We got another syzbot report [1] that tells us we must use
      write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
      
      [1]
      
      WARNING: inconsistent lock state
      5.5.0-rc1-syzkaller #0 Not tainted
      --------------------------------
      inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
      syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
      ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
      {HARDIRQ-ON-W} state was registered at:
        lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
        __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
        _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
        sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
        tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
        tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
        tiocsetd drivers/tty/tty_io.c:2337 [inline]
        tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
        vfs_ioctl fs/ioctl.c:47 [inline]
        file_ioctl fs/ioctl.c:545 [inline]
        do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
        ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
        __do_sys_ioctl fs/ioctl.c:756 [inline]
        __se_sys_ioctl fs/ioctl.c:754 [inline]
        __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
        do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      irq event stamp: 3946
      hardirqs last  enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
      hardirqs last  enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
      hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
      softirqs last  enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
      softirqs last  enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
      softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
      softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(disc_data_lock);
        <Interrupt>
          lock(disc_data_lock);
      
       *** DEADLOCK ***
      
      5 locks held by syz-executor826/9605:
       #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
       #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
       #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
       #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
       #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
       #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
      
      stack backtrace:
      CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
       valid_state kernel/locking/lockdep.c:3112 [inline]
       mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
       mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
       mark_usage kernel/locking/lockdep.c:3554 [inline]
       __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
       lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
       __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
       _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
       sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
       sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
       tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
       tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
       tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
       uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
       serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
       serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
       serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
       serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
       __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
       handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
       handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
       handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
       generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
       do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
       common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
       </IRQ>
      RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
      RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
      Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
      RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
      RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
      RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
      RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
      R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
      R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
       mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
       __mutex_lock_common kernel/locking/mutex.c:962 [inline]
       __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
       tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
       tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
       __fput+0x2ff/0x890 fs/file_table.c:280
       ____fput+0x16/0x20 fs/file_table.c:313
       task_work_run+0x145/0x1c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x8e7/0x2ef0 kernel/exit.c:797
       do_group_exit+0x135/0x360 kernel/exit.c:895
       __do_sys_exit_group kernel/exit.c:906 [inline]
       __se_sys_exit_group kernel/exit.c:904 [inline]
       __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x43fef8
      Code: Bad RIP value.
      RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
      RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
      RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
      R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
      R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
      
      Fixes: 6e4e2f81 ("6pack,mkiss: fix lock inconsistency")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      5c9934b6
    • T
      net/ibmvnic: Fix typo in retry check · 8f9cc1ee
      Thomas Falcon 提交于
      This conditional is missing a bang, with the intent
      being to break when the retry count reaches zero.
      
      Fixes: 476d96ca ("ibmvnic: Bound waits for device queries")
      Suggested-by: NJuliet Kim <julietk@linux.vnet.ibm.com>
      Signed-off-by: NThomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      8f9cc1ee
    • A
      ptp: clockmatrix: add I2C dependency · 03b06e3f
      Arnd Bergmann 提交于
      Without I2C, we get a link failure:
      
      drivers/ptp/ptp_clockmatrix.o: In function `idtcm_xfer.isra.3':
      ptp_clockmatrix.c:(.text+0xcc): undefined reference to `i2c_transfer'
      drivers/ptp/ptp_clockmatrix.o: In function `idtcm_driver_init':
      ptp_clockmatrix.c:(.init.text+0x14): undefined reference to `i2c_register_driver'
      drivers/ptp/ptp_clockmatrix.o: In function `idtcm_driver_exit':
      ptp_clockmatrix.c:(.exit.text+0x10): undefined reference to `i2c_del_driver'
      
      Fixes: 3a6ba7dc ("ptp: Add a ptp clock driver for IDT ClockMatrix.")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NVincent Cheng <vincent.cheng.xh@renesas.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      03b06e3f
    • J
      bnxt: apply computed clamp value for coalece parameter · 6adc4601
      Jonathan Lemon 提交于
      After executing "ethtool -C eth0 rx-usecs-irq 0", the box becomes
      unresponsive, likely due to interrupt livelock.  It appears that
      a minimum clamp value for the irq timer is computed, but is never
      applied.
      
      Fix by applying the corrected clamp value.
      
      Fixes: 74706afa ("bnxt_en: Update interrupt coalescing logic.")
      Signed-off-by: NJonathan Lemon <jonathan.lemon@gmail.com>
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      6adc4601
  9. 13 12月, 2019 3 次提交
  10. 11 12月, 2019 1 次提交