1. 20 Jan, 2019 3 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 6436408e
      David S. Miller authored
      
      
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2019-01-20
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix a out-of-bounds access in __bpf_redirect_no_mac, from Willem.
      
      2) Fix bpf_setsockopt to reset sock dst on SO_MARK changes, from Peter.
      
      3) Fix map in map masking to prevent out-of-bounds access under
         speculative execution, from Daniel.
      
      4) Fix bpf_setsockopt's SO_MAX_PACING_RATE to support TCP internal
         pacing, from Yuchung.
      
      5) Fix json writer license in bpftool, from Thomas.
      
      6) Fix AF_XDP to check if an actually queue exists during umem
         setup, from Krzysztof.
      
      7) Several fixes to BPF stackmap's build id handling. Another fix
         for bpftool build to account for libbfd variations wrt linking
         requirements, from Stanislav.
      
      8) Fix BPF samples build with clang by working around missing asm
         goto, from Yonghong.
      
      9) Fix libbpf to retry program load on signal interrupt, from Lorenz.
      
      10) Various minor compile warning fixes in BPF code, from Mathieu.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6436408e
    • Willem de Bruijn's avatar
      bpf: in __bpf_redirect_no_mac pull mac only if present · e7c87bd6
      Willem de Bruijn authored
      Syzkaller was able to construct a packet of negative length by
      redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:
      
          BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
          BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
          BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
          Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942
      
          kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
          check_memory_region_inline mm/kasan/kasan.c:260 [inline]
          check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
          memcpy+0x23/0x50 mm/kasan/kasan.c:302
          memcpy include/linux/string.h:345 [inline]
          skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
          __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
          __pskb_copy include/linux/skbuff.h:1053 [inline]
          pskb_copy include/linux/skbuff.h:2904 [inline]
          skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
          ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
          sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
          __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
          netdev_start_xmit include/linux/netdevice.h:4334 [inline]
          xmit_one net/core/dev.c:3219 [inline]
          dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
          __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
          dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
          __bpf_tx_skb net/core/filter.c:2016 [inline]
          __bpf_redirect_common net/core/filter.c:2054 [inline]
          __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
          ____bpf_clone_redirect net/core/filter.c:2094 [inline]
          bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
          bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000
      
      The generated test constructs a packet with mac header, network
      header, skb->data pointing to network header and skb->len 0.
      
      Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
      mac length, even though skb->data already is at skb->network_header.
      bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.
      
      Update the offset calculation to pull only if skb->data differs
      from skb->network_header, which is not true in this case.
      
      The test itself can be run only from commit 1cf1cae9 ("bpf:
      introduce BPF_PROG_TEST_RUN command"), but the same type of packets
      with skb at network header could already be built from lwt xmit hooks,
      so this fix is more relevant to that commit.
      
      Also set the mac header on redirect from LWT_XMIT, as even after this
      change to __bpf_redirect_no_mac that field is expected to be set, but
      is not yet in ip_finish_output2.
      
      Fixes: 3a0af8fd
      
       ("bpf: BPF for lightweight tunnel infrastructure")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      e7c87bd6
    • Michael S. Tsirkin's avatar
      virtio_net: bulk free tx skbs · df133f3f
      Michael S. Tsirkin authored
      
      
      Use napi_consume_skb() to get bulk free.  Note that napi_consume_skb is
      safe to call in a non-napi context as long as the napi_budget flag is
      correct.
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df133f3f
  2. 19 Jan, 2019 7 commits
  3. 18 Jan, 2019 25 commits
    • Thomas Gleixner's avatar
      tools: bpftool: Cleanup license mess · 64cf5481
      Thomas Gleixner authored
      Precise and non-ambiguous license information is important. The recent
      relicensing of the bpftools introduced a license conflict.
      
      The files have now:
      
           SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause
      
      and
      
           * This program is free software; you can redistribute it and/or
           * modify it under the terms of the GNU General Public License
           * as published by the Free Software Foundation; either version
           * 2 of the License, or (at your option) any later version
      
      Amazingly about 20 people acked that change and neither they nor the
      committer noticed. Oh well.
      
      Digging deeper: The files were imported from the iproute2 repository with
      the GPL V2 or later boiler plate text in commit b66e907c ("tools:
      bpftool: copy JSON writer from iproute2 repository")
      
      Looking at the iproute2 repository at
      
        git://git.kernel.org/pub/scm/network/iproute2/iproute2.git
      
      the following commit is the equivivalent:
      
        commit d9d8c839 ("json_writer: add SPDX Identifier (GPL-2/BSD-2)")
      
      That commit explicitly removes the boiler plate and relicenses the code
      uner GPL-2.0-only and BSD-2-Clause. As Steven wrote the original code and
      also the relicensing commit, it's assumed that the relicensing was intended
      to do exaclty that. Just the kernel side update failed to remove the boiler
      plate. Do so now.
      
      Fixes: 907b2236
      
       ("tools: bpftool: dual license all files")
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Jakub Kicinski <jakub.kicinski@netronome.com>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: YueHaibing <yuehaibing@huawei.com>
      Cc: Yonghong Song <yhs@fb.com>
      Cc: Stanislav Fomichev <sdf@google.com>
      Cc: Sean Young <sean@mess.org>
      Cc: Jiri Benc <jbenc@redhat.com>
      Cc: David Calavera <david.calavera@gmail.com>
      Cc: Andrey Ignatov <rdna@fb.com>
      Cc: Joe Stringer <joe@wand.net.nz>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
      Cc: Petar Penkov <ppenkov@stanford.edu>
      Cc: Sandipan Das <sandipan@linux.ibm.com>
      Cc: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Taeung Song <treeze.taeung@gmail.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Quentin Monnet <quentin.monnet@netronome.com>
      CC: okash.khawaja@gmail.com
      Cc: netdev@vger.kernel.org
      Acked-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      64cf5481
    • Daniel Borkmann's avatar
      bpf: fix inner map masking to prevent oob under speculation · 9d5564dd
      Daniel Borkmann authored
      During review I noticed that inner meta map setup for map in
      map is buggy in that it does not propagate all needed data
      from the reference map which the verifier is later accessing.
      
      In particular one such case is index masking to prevent out of
      bounds access under speculative execution due to missing the
      map's unpriv_array/index_mask field propagation. Fix this such
      that the verifier is generating the correct code for inlined
      lookups in case of unpriviledged use.
      
      Before patch (test_verifier's 'map in map access' dump):
      
        # bpftool prog dump xla id 3
           0: (62) *(u32 *)(r10 -4) = 0
           1: (bf) r2 = r10
           2: (07) r2 += -4
           3: (18) r1 = map[id:4]
           5: (07) r1 += 272                |
           6: (61) r0 = *(u32 *)(r2 +0)     |
           7: (35) if r0 >= 0x1 goto pc+6   | Inlined map in map lookup
           8: (54) (u32) r0 &= (u32) 0      | with index masking for
           9: (67) r0 <<= 3                 | map->unpriv_array.
          10: (0f) r0 += r1                 |
          11: (79) r0 = *(u64 *)(r0 +0)     |
          12: (15) if r0 == 0x0 goto pc+1   |
          13: (05) goto pc+1                |
          14: (b7) r0 = 0                   |
          15: (15) if r0 == 0x0 goto pc+11
          16: (62) *(u32 *)(r10 -4) = 0
          17: (bf) r2 = r10
          18: (07) r2 += -4
          19: (bf) r1 = r0
          20: (07) r1 += 272                |
          21: (61) r0 = *(u32 *)(r2 +0)     | Index masking missing (!)
          22: (35) if r0 >= 0x1 goto pc+3   | for inner map despite
          23: (67) r0 <<= 3                 | map->unpriv_array set.
          24: (0f) r0 += r1                 |
          25: (05) goto pc+1                |
          26: (b7) r0 = 0                   |
          27: (b7) r0 = 0
          28: (95) exit
      
      After patch:
      
        # bpftool prog dump xla id 1
           0: (62) *(u32 *)(r10 -4) = 0
           1: (bf) r2 = r10
           2: (07) r2 += -4
           3: (18) r1 = map[id:2]
           5: (07) r1 += 272                |
           6: (61) r0 = *(u32 *)(r2 +0)     |
           7: (35) if r0 >= 0x1 goto pc+6   | Same inlined map in map lookup
           8: (54) (u32) r0 &= (u32) 0      | with index masking due to
           9: (67) r0 <<= 3                 | map->unpriv_array.
          10: (0f) r0 += r1                 |
          11: (79) r0 = *(u64 *)(r0 +0)     |
          12: (15) if r0 == 0x0 goto pc+1   |
          13: (05) goto pc+1                |
          14: (b7) r0 = 0                   |
          15: (15) if r0 == 0x0 goto pc+12
          16: (62) *(u32 *)(r10 -4) = 0
          17: (bf) r2 = r10
          18: (07) r2 += -4
          19: (bf) r1 = r0
          20: (07) r1 += 272                |
          21: (61) r0 = *(u32 *)(r2 +0)     |
          22: (35) if r0 >= 0x1 goto pc+4   | Now fixed inlined inner map
          23: (54) (u32) r0 &= (u32) 0      | lookup with proper index masking
          24: (67) r0 <<= 3                 | for map->unpriv_array.
          25: (0f) r0 += r1                 |
          26: (05) goto pc+1                |
          27: (b7) r0 = 0                   |
          28: (b7) r0 = 0
          29: (95) exit
      
      Fixes: b2157399
      
       ("bpf: prevent out-of-bounds speculation")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      9d5564dd
    • Daniel Borkmann's avatar
      bpf: pull in pkt_sched.h header for tooling to fix bpftool build · ad6dd7a9
      Daniel Borkmann authored
      Dan reported that bpftool does not compile for him:
      
        $ make tools/bpf
          DESCEND  bpf
      
        Auto-detecting system features:
        ..                        libbfd: [ on  ]
        ..        disassembler-four-args: [ OFF ]
      
          DESCEND  bpftool
      
        Auto-detecting system features:
        ..                        libbfd: [ on  ]
        ..        disassembler-four-args: [ OFF ]
      
          CC       /opt/linux.git/tools/bpf/bpftool/net.o
        In file included from /opt/linux.git/tools/include/uapi/linux/pkt_cls.h:6:0,
                       from /opt/linux.git/tools/include/uapi/linux/tc_act/tc_bpf.h:14,
                       from net.c:13:
        net.c: In function 'show_dev_tc_bpf':
        net.c:164:21: error: 'TC_H_CLSACT' undeclared (first use in this function)
          handle = TC_H_MAKE(TC_H_CLSACT, TC_H_MIN_INGRESS);
        [...]
      
      Fix it by importing pkt_sched.h header copy into tooling
      infrastructure.
      
      Fixes: 49a249c3 ("tools/bpftool: copy a few net uapi headers to tools directory")
      Fixes: f6f3bac0
      
       ("tools/bpf: bpftool: add net support")
      Reported-by: default avatarDan Gilson <dan_gilson@yahoo.com>
      Reference: https://bugzilla.kernel.org/show_bug.cgi?id=202315
      
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      ad6dd7a9
    • David S. Miller's avatar
      Merge branch 'mlxsw-fixes' · efa8c819
      David S. Miller authored
      
      
      Ido Schimmel says:
      
      ====================
      mlxsw: Various fixes
      
      This patchset contains small fixes in mlxsw and one fix in the bridge
      driver.
      
      Patches #1-#4 perform small adjustments in PCI and FID code following
      recent tests that were performed on the Spectrum-2 ASIC.
      
      Patch #5 fixes the bridge driver to mark FDB entries that were added by
      user as such. Otherwise, these entries will be ignored by underlying
      switch drivers.
      
      Patch #6 fixes a long standing issue in mlxsw where the driver
      incorrectly programmed static FDB entries as both static and sticky.
      
      Patches #7-#8 add test cases for above mentioned bugs.
      
      Please consider patches #1, #2 and #4 for stable.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efa8c819
    • Ido Schimmel's avatar
      selftests: forwarding: Add a test case for externally learned FDB entries · 479a2b76
      Ido Schimmel authored
      
      
      Test that externally learned FDB entries can roam, but not age out.
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reviewed-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      479a2b76
    • Ido Schimmel's avatar
      selftests: mlxsw: Test FDB offload indication · 72159272
      Ido Schimmel authored
      
      
      Test that externally learned FDB entries added from user space are
      marked as offloaded.
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reviewed-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      72159272
    • Ido Schimmel's avatar
      mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky · 64254a20
      Ido Schimmel authored
      The driver currently treats static FDB entries as both static and
      sticky. This is incorrect and prevents such entries from being roamed to
      a different port via learning.
      
      Fix this by configuring static entries with ageing disabled and roaming
      enabled.
      
      In net-next we can add proper support for the newly introduced 'sticky'
      flag.
      
      Fixes: 56ade8fe
      
       ("mlxsw: spectrum: Add initial support for Spectrum ASIC")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-by: default avatarAlexander Petrovskiy <alexpe@mellanox.com>
      Reviewed-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      64254a20
    • Ido Schimmel's avatar
      net: bridge: Mark FDB entries that were added by user as such · 710ae728
      Ido Schimmel authored
      Externally learned entries can be added by a user or by a switch driver
      that is notifying the bridge driver about entries that were learned in
      hardware.
      
      In the first case, the entries are not marked with the 'added_by_user'
      flag, which causes switch drivers to ignore them and not offload them.
      
      The 'added_by_user' flag can be set on externally learned FDB entries
      based on the 'swdev_notify' parameter in br_fdb_external_learn_add(),
      which effectively means if the created / updated FDB entry was added by
      a user or not.
      
      Fixes: 816a3bed
      
       ("switchdev: Add fdb.added_by_user to switchdev notifications")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-by: default avatarAlexander Petrovskiy <alexpe@mellanox.com>
      Reviewed-by: default avatarPetr Machata <petrm@mellanox.com>
      Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
      Cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Cc: bridge@lists.linux-foundation.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      710ae728
    • Nir Dotan's avatar
      mlxsw: spectrum_fid: Update dummy FID index · a11dcd64
      Nir Dotan authored
      When using a tc flower action of egress mirred redirect, the driver adds
      an implicit FID setting action. This implicit action sets a dummy FID to
      the packet and is used as part of a design for trapping unmatched flows
      in OVS.  While this implicit FID setting action is supposed to be a NOP
      when a redirect action is added, in Spectrum-2 the FID record is
      consulted as the dummy FID index is an 802.1D FID index and the packet
      is dropped instead of being redirected.
      
      Set the dummy FID index value to be within 802.1Q range. This satisfies
      both Spectrum-1 which ignores the FID and Spectrum-2 which identifies it
      as an 802.1Q FID and will then follow the redirect action.
      
      Fixes: c3ab4354
      
       ("mlxsw: spectrum: Extend to support Spectrum-2 ASIC")
      Signed-off-by: default avatarNir Dotan <nird@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a11dcd64
    • Nir Dotan's avatar
      mlxsw: pci: Return error on PCI reset timeout · 67c14cc9
      Nir Dotan authored
      Return an appropriate error in the case when the driver timeouts on waiting
      for firmware to go out of PCI reset.
      
      Fixes: 233fa44b
      
       ("mlxsw: pci: Implement reset done check")
      Signed-off-by: default avatarNir Dotan <nird@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      67c14cc9
    • Nir Dotan's avatar
      mlxsw: pci: Increase PCI SW reset timeout · d2f372ba
      Nir Dotan authored
      Spectrum-2 PHY layer introduces a calibration period which is a part of the
      Spectrum-2 firmware boot process. Hence increase the SW timeout waiting for
      the firmware to come out of boot. This does not increase system boot time
      in cases where the firmware PHY calibration process is done quickly.
      
      Fixes: c3ab4354
      
       ("mlxsw: spectrum: Extend to support Spectrum-2 ASIC")
      Signed-off-by: default avatarNir Dotan <nird@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2f372ba
    • Ido Schimmel's avatar
      mlxsw: pci: Ring CQ's doorbell before RDQ's · c9ebea04
      Ido Schimmel authored
      When a packet should be trapped to the CPU the device consumes a WQE
      (work queue element) from an RDQ (receive descriptor queue) and copies
      the packet to the address specified in the WQE. The device then tries to
      post a CQE (completion queue element) that contains various metadata
      (e.g., ingress port) about the packet to a CQ (completion queue).
      
      In case the device managed to consume a WQE, but did not manage to post
      the corresponding CQE, it will get stuck. This unlikely situation can be
      triggered due to the scheme the driver is currently using to process
      CQEs.
      
      The driver will consume up to 512 CQEs at a time and after processing
      each corresponding WQE it will ring the RDQ's doorbell, letting the
      device know that a new WQE was posted for it to consume. Only after
      processing all the CQEs (up to 512), the driver will ring the CQ's
      doorbell, letting the device know that new ones can be posted.
      
      Fix this by having the driver ring the CQ's doorbell for every processed
      CQE, but before ringing the RDQ's doorbell. This guarantees that
      whenever we post a new WQE, there is a corresponding CQE available. Copy
      the currently processed CQE to prevent the device from overwriting it
      with a new CQE after ringing the doorbell.
      
      Note that the driver still arms the CQ only after processing all the
      pending CQEs, so that interrupts for this CQ will only be delivered
      after the driver finished its processing.
      
      Before commit 8404f6f2 ("mlxsw: pci: Allow to use CQEs of version 1
      and version 2") the issue was virtually impossible to trigger since the
      number of CQEs was twice the number of WQEs and the number of CQEs
      processed at a time was equal to the number of available WQEs.
      
      Fixes: 8404f6f2
      
       ("mlxsw: pci: Allow to use CQEs of version 1 and version 2")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-by: default avatarSemion Lisyansky <semionl@mellanox.com>
      Tested-by: default avatarSemion Lisyansky <semionl@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c9ebea04
    • Felix Manlunas's avatar
      MAINTAINERS: update email addresses of liquidio driver maintainers · 20f5248a
      Felix Manlunas authored
      
      
      Update email addresses of liquidio driver maintainers.  Also remove a
      former maintainer.
      Signed-off-by: default avatarFelix Manlunas <fmanlunas@marvell.com>
      Acked-by: default avatarDerek Chickles <dchickles@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20f5248a
    • Jonathan Neuschäfer's avatar
      net: Fix typo in NET_FAILOVER help text · 9437b629
      Jonathan Neuschäfer authored
      "also enables" should not be spelled as one word.
      
      Fixes: cfc80d9a
      
       ("net: Introduce net_failover driver")
      Signed-off-by: default avatarJonathan Neuschäfer <j.neuschaefer@gmx.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9437b629
    • Ross Lagerwall's avatar
      net: Fix usage of pskb_trim_rcsum · 6c57f045
      Ross Lagerwall authored
      
      
      In certain cases, pskb_trim_rcsum() may change skb pointers.
      Reinitialize header pointers afterwards to avoid potential
      use-after-frees. Add a note in the documentation of
      pskb_trim_rcsum(). Found by KASAN.
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6c57f045
    • Thomas Petazzoni's avatar
      net: phy: mdio_bus: add missing device_del() in mdiobus_register() error handling · e40e2a2e
      Thomas Petazzoni authored
      The current code in __mdiobus_register() doesn't properly handle
      failures returned by the devm_gpiod_get_optional() call: it returns
      immediately, without unregistering the device that was added by the
      call to device_register() earlier in the function.
      
      This leaves a stale device, which then causes a NULL pointer
      dereference in the code that handles deferred probing:
      
      [    1.489982] Unable to handle kernel NULL pointer dereference at virtual address 00000074
      [    1.498110] pgd = (ptrval)
      [    1.500838] [00000074] *pgd=00000000
      [    1.504432] Internal error: Oops: 17 [#1] SMP ARM
      [    1.509133] Modules linked in:
      [    1.512192] CPU: 1 PID: 51 Comm: kworker/1:3 Not tainted 4.20.0-00039-g3b73a4cc8b3e-dirty #99
      [    1.520708] Hardware name: Xilinx Zynq Platform
      [    1.525261] Workqueue: events deferred_probe_work_func
      [    1.530403] PC is at klist_next+0x10/0xfc
      [    1.534403] LR is at device_for_each_child+0x40/0x94
      [    1.539361] pc : [<c0683fbc>]    lr : [<c0455d90>]    psr: 200e0013
      [    1.545628] sp : ceeefe68  ip : 00000001  fp : ffffe000
      [    1.550863] r10: 00000000  r9 : c0c66790  r8 : 00000000
      [    1.556079] r7 : c0457d44  r6 : 00000000  r5 : ceeefe8c  r4 : cfa2ec78
      [    1.562604] r3 : 00000064  r2 : c0457d44  r1 : ceeefe8c  r0 : 00000064
      [    1.569129] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [    1.576263] Control: 18c5387d  Table: 0ed7804a  DAC: 00000051
      [    1.582013] Process kworker/1:3 (pid: 51, stack limit = 0x(ptrval))
      [    1.588280] Stack: (0xceeefe68 to 0xceef0000)
      [    1.592630] fe60:                   cfa2ec78 c0c03c08 00000000 c0457d44 00000000 c0c66790
      [    1.600814] fe80: 00000000 c0455d90 ceeefeac 00000064 00000000 0d7a542e cee9d494 cfa2ec78
      [    1.608998] fea0: cfa2ec78 00000000 c0457d44 c0457d7c cee9d494 c0c03c08 00000000 c0455dac
      [    1.617182] fec0: cf98ba44 cf926a00 cee9d494 0d7a542e 00000000 cf935a10 cf935a10 cf935a10
      [    1.625366] fee0: c0c4e9b8 c0457d7c c0c4e80c 00000001 cf935a10 c0457df4 cf935a10 c0c4e99c
      [    1.633550] ff00: c0c4e99c c045a27c c0c4e9c4 ced63f80 cfde8a80 cfdebc00 00000000 c013893c
      [    1.641734] ff20: cfde8a80 cfde8a80 c07bd354 ced63f80 ced63f94 cfde8a80 00000008 c0c02d00
      [    1.649936] ff40: cfde8a98 cfde8a80 ffffe000 c0139a30 ffffe000 c0c6624a c07bd354 00000000
      [    1.658120] ff60: ffffe000 cee9e780 ceebfe00 00000000 ceeee000 ced63f80 c0139788 cf8cdea4
      [    1.666304] ff80: cee9e79c c013e598 00000001 ceebfe00 c013e44c 00000000 00000000 00000000
      [    1.674488] ffa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
      [    1.682671] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    1.690855] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
      [    1.699058] [<c0683fbc>] (klist_next) from [<c0455d90>] (device_for_each_child+0x40/0x94)
      [    1.707241] [<c0455d90>] (device_for_each_child) from [<c0457d7c>] (device_reorder_to_tail+0x38/0x88)
      [    1.716476] [<c0457d7c>] (device_reorder_to_tail) from [<c0455dac>] (device_for_each_child+0x5c/0x94)
      [    1.725692] [<c0455dac>] (device_for_each_child) from [<c0457d7c>] (device_reorder_to_tail+0x38/0x88)
      [    1.734927] [<c0457d7c>] (device_reorder_to_tail) from [<c0457df4>] (device_pm_move_to_tail+0x28/0x40)
      [    1.744235] [<c0457df4>] (device_pm_move_to_tail) from [<c045a27c>] (deferred_probe_work_func+0x58/0x8c)
      [    1.753746] [<c045a27c>] (deferred_probe_work_func) from [<c013893c>] (process_one_work+0x210/0x4fc)
      [    1.762888] [<c013893c>] (process_one_work) from [<c0139a30>] (worker_thread+0x2a8/0x5c0)
      [    1.771072] [<c0139a30>] (worker_thread) from [<c013e598>] (kthread+0x14c/0x154)
      [    1.778482] [<c013e598>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
      [    1.785689] Exception stack(0xceeeffb0 to 0xceeefff8)
      [    1.790739] ffa0:                                     00000000 00000000 00000000 00000000
      [    1.798923] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    1.807107] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000
      [    1.813724] Code: e92d47f0 e1a05000 e8900048 e1a00003 (e5937010)
      [    1.819844] ---[ end trace 3c2c0c8b65399ec9 ]---
      
      The actual error that we had from devm_gpiod_get_optional() was
      -EPROBE_DEFER, due to the GPIO being provided by a driver that is
      probed later than the Ethernet controller driver.
      
      To fix this, we simply add the missing device_del() invocation in the
      error path.
      
      Fixes: 69226896
      
       ("mdio_bus: Issue GPIO RESET to PHYs")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@bootlin.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e40e2a2e
    • Otto Sabart's avatar
      doc: net: fix bad references to network drivers · 0e78f389
      Otto Sabart authored
      Fix "reference to nonexisting document" warnings.
      
      Fixes: b255e500
      
       ("net: documentation: build a directory structure for drivers")
      Signed-off-by: default avatarOtto Sabart <ottosabart@seberm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0e78f389
    • Yang Wei's avatar
      macvlan: replace kfree_skb by consume_skb for drop profiles · bf97403a
      Yang Wei authored
      
      
      Replace the kfree_skb() by consume_skb() to be drop monitor(dropwatch,
      perf) friendly.
      Signed-off-by: default avatarYang Wei <yang.wei9@zte.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf97403a
    • Yang Wei's avatar
      neighbour: Do not perturb drop profiles when neigh_probe · 87fff3ca
      Yang Wei authored
      
      
      Replace the kfree_skb() by consume_skb() to be drop monitor(dropwatch,
      perf) friendly.
      Signed-off-by: default avatarYang Wei <yang.wei9@zte.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      87fff3ca
    • Lendacky, Thomas's avatar
      amd-xgbe: Fix mdio access for non-zero ports and clause 45 PHYs · 5ab3121b
      Lendacky, Thomas authored
      The XGBE hardware has support for performing MDIO operations using an
      MDIO command request. The driver mistakenly uses the mdio port address
      as the MDIO command request device address instead of the MDIO command
      request port address. Additionally, the driver does not properly check
      for and create a clause 45 MDIO command.
      
      Check the supplied MDIO register to determine if the request is a clause
      45 operation (MII_ADDR_C45). For a clause 45 operation, extract the device
      address and register number from the supplied MDIO register and use them
      to set the MDIO command request device address and register number fields.
      For a clause 22 operation, the MDIO request device address is set to zero
      and the MDIO command request register number is set to the supplied MDIO
      register. In either case, the supplied MDIO port address is used as the
      MDIO command request port address.
      
      Fixes: 732f2ab7
      
       ("amd-xgbe: Add support for MDIO attached PHYs")
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Tested-by: default avatarShyam Sundar S K <Shyam-sundar.S-k@amd.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ab3121b
    • Camelia Groza's avatar
      net: phy: add missing phy driver features · 40f89ebf
      Camelia Groza authored
      The phy drivers for CS4340 and TN2020 are missing their
      features attributes. Add them.
      
      Fixes: 719655a1
      
       ("net: phy: Replace phy driver features u32 with link_mode bitmap")
      Reported-by: default avatarScott Wood <oss@buserror.net>
      Signed-off-by: default avatarCamelia Groza <camelia.groza@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40f89ebf
    • Madalin Bucur's avatar
      dpaa_eth: NETIF_F_LLTX requires to do our own update of trans_start · c6ddfb9a
      Madalin Bucur authored
      
      
      As txq_trans_update() only updates trans_start when the lock is held,
      trans_start does not get updated if NETIF_F_LLTX is declared.
      Signed-off-by: default avatarMadalin Bucur <madalin.bucur@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c6ddfb9a
    • Yunjian Wang's avatar
      net: bridge: Fix ethernet header pointer before check skb forwardable · 28c1382f
      Yunjian Wang authored
      The skb header should be set to ethernet header before using
      is_skb_forwardable. Because the ethernet header length has been
      considered in is_skb_forwardable(including dev->hard_header_len
      length).
      
      To reproduce the issue:
      1, add 2 ports on linux bridge br using following commands:
      $ brctl addbr br
      $ brctl addif br eth0
      $ brctl addif br eth1
      2, the MTU of eth0 and eth1 is 1500
      3, send a packet(Data 1480, UDP 8, IP 20, Ethernet 14, VLAN 4)
      from eth0 to eth1
      
      So the expect result is packet larger than 1500 cannot pass through
      eth0 and eth1. But currently, the packet passes through success, it
      means eth1's MTU limit doesn't take effect.
      
      Fixes: f6367b46
      
       ("bridge: use is_skb_forwardable in forward path")
      Cc: bridge@lists.linux-foundation.org
      Cc: Nkolay Aleksandrov <nikolay@cumulusnetworks.com>
      Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarYunjian Wang <wangyunjian@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28c1382f
    • Jason Wang's avatar
      vhost: log dirty page correctly · cc5e7107
      Jason Wang authored
      Vhost dirty page logging API is designed to sync through GPA. But we
      try to log GIOVA when device IOTLB is enabled. This is wrong and may
      lead to missing data after migration.
      
      To solve this issue, when logging with device IOTLB enabled, we will:
      
      1) reuse the device IOTLB translation result of GIOVA->HVA mapping to
         get HVA, for writable descriptor, get HVA through iovec. For used
         ring update, translate its GIOVA to HVA
      2) traverse the GPA->HVA mapping to get the possible GPA and log
         through GPA. Pay attention this reverse mapping is not guaranteed
         to be unique, so we should log each possible GPA in this case.
      
      This fix the failure of scp to guest during migration. In -next, we
      will probably support passing GIOVA->GPA instead of GIOVA->HVA.
      
      Fixes: 6b1e6cc7
      
       ("vhost: new device IOTLB API")
      Reported-by: default avatarJintack Lim <jintack@cs.columbia.edu>
      Cc: Jintack Lim <jintack@cs.columbia.edu>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc5e7107
    • Jakub Kicinski's avatar
      Documentation: timestamping: correct path to net_tstamp.h · f655f8b8
      Jakub Kicinski authored
      
      
      net_tstamp.h is an UAPI header, so it was moved under include/uapi.
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f655f8b8
  4. 17 Jan, 2019 5 commits