1. 15 Nov, 2019 4 commits
  2. 12 Nov, 2019 1 commit
  3. 10 Nov, 2019 1 commit
  4. 06 Nov, 2019 5 commits
  5. 30 Oct, 2019 1 commit
    • Jiri Pirko's avatar
      mlxsw: core: Unpublish devlink parameters during reload · b7265a0d
      Jiri Pirko authored
      The devlink parameter "acl_region_rehash_interval" is a runtime
      parameter whose value is stored in a dynamically allocated memory. While
      reloading the driver, this memory is freed and then allocated again. A
      use-after-free might happen if during this time frame someone tries to
      retrieve its value.
      
      Since commit 070c63f2 ("net: devlink: allow to change namespaces
      during reload") the use-after-free can be reliably triggered when
      reloading the driver into a namespace, as after freeing the memory (via
      reload_down() callback) all the parameters are notified.
      
      Fix this by unpublishing and then re-publishing the parameters during
      reload.
      
      Fixes: 98bbf70c ("mlxsw: spectrum: add "acl_region_rehash_interval" devlink param")
      Fixes: 7c62cfb8
      
       ("devlink: publish params only after driver init is done")
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7265a0d
  6. 29 Oct, 2019 11 commits
    • Eran Ben Elisha's avatar
      net/mlx4_core: Dynamically set guaranteed amount of counters per VF · e19868ef
      Eran Ben Elisha authored
      Prior to this patch, the amount of counters guaranteed per VF in the
      resource tracker was MLX4_VF_COUNTERS_PER_PORT * MLX4_MAX_PORTS. It was
      set regardless if the VF was single or dual port.
      This caused several VFs to have no guaranteed counters although the
      system could satisfy their request.
      
      The fix is to dynamically guarantee counters, based on each VF
      specification.
      
      Fixes: 9de92c60
      
       ("net/mlx4_core: Adjust counter grant policy in the resource tracker")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e19868ef
    • Aya Levin's avatar
      net/mlx5e: Initialize on stack link modes bitmap · 926b37f7
      Aya Levin authored
      Initialize link modes bitmap on stack before using it, otherwise the
      outcome of ethtool set link ksettings might have unexpected values.
      
      Fixes: 4b95840a
      
       ("net/mlx5e: Fix matching of speed to PRM link modes")
      Signed-off-by: default avatarAya Levin <ayal@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      926b37f7
    • Aya Levin's avatar
      net/mlx5e: Fix ethtool self test: link speed · 534e7366
      Aya Levin authored
      Ethtool self test contains a test for link speed. This test reads the
      PTYS register and determines whether the current speed is valid or not.
      Change current implementation to use the function mlx5e_port_linkspeed()
      that does the same check and fails when speed is invalid. This code
      redundancy lead to a bug when mlx5e_port_linkspeed() was updated with
      expended speeds and the self test was not.
      
      Fixes: 2c81bfd5
      
       ("net/mlx5e: Move port speed code from en_ethtool.c to en/port.c")
      Signed-off-by: default avatarAya Levin <ayal@mellanox.com>
      Reviewed-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      534e7366
    • Maxim Mikityanskiy's avatar
      net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget · 9df86bdb
      Maxim Mikityanskiy authored
      When CQE compression is enabled, compressed CQEs use the following
      structure: a title is followed by one or many blocks, each containing 8
      mini CQEs (except the last, which may contain fewer mini CQEs).
      
      Due to NAPI budget restriction, a complete structure is not always
      parsed in one NAPI run, and some blocks with mini CQEs may be deferred
      to the next NAPI poll call - we have the mlx5e_decompress_cqes_cont call
      in the beginning of mlx5e_poll_rx_cq. However, if the budget is
      extremely low, some blocks may be left even after that, but the code
      that follows the mlx5e_decompress_cqes_cont call doesn't check it and
      assumes that a new CQE begins, which may not be the case. In such cases,
      random memory corruptions occur.
      
      An extremely low NAPI budget of 8 is used when busy_poll or busy_read is
      active.
      
      This commit adds a check to make sure that the previous compressed CQE
      has been completely parsed after mlx5e_decompress_cqes_cont, otherwise
      it prevents a new CQE from being fetched in the middle of a compressed
      CQE.
      
      This commit fixes random crashes in __build_skb, __page_pool_put_page
      and other not-related-directly places, that used to happen when both CQE
      compression and busy_poll/busy_read were enabled.
      
      Fixes: 7219ab34
      
       ("net/mlx5e: CQE compression")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      9df86bdb
    • Vlad Buslov's avatar
      net/mlx5e: Don't store direct pointer to action's tunnel info · 2a4b6526
      Vlad Buslov authored
      Geneve implementation changed mlx5 tc to user direct pointer to tunnel_key
      action's internal struct ip_tunnel_info instance. However, this leads to
      use-after-free error when initial filter that caused creation of new encap
      entry is deleted or when tunnel_key action is manually overwritten through
      action API. Moreover, with recent TC offloads API unlocking change struct
      flow_action_entry->tunnel point to temporal copy of tunnel info that is
      deallocated after filter is offloaded to hardware which causes bug to
      reproduce every time new filter is attached to existing encap entry with
      following KASAN bug:
      
      [  314.885555] ==================================================================
      [  314.886641] BUG: KASAN: use-after-free in memcmp+0x2c/0x60
      [  314.886864] Read of size 1 at addr ffff88886c746280 by task tc/2682
      
      [  314.887179] CPU: 22 PID: 2682 Comm: tc Not tainted 5.3.0-rc7+ #703
      [  314.887188] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
      [  314.887195] Call Trace:
      [  314.887215]  dump_stack+0x9a/0xf0
      [  314.887236]  print_address_description+0x67/0x323
      [  314.887248]  ? memcmp+0x2c/0x60
      [  314.887257]  ? memcmp+0x2c/0x60
      [  314.887272]  __kasan_report.cold+0x1a/0x3d
      [  314.887474]  ? __mlx5e_tc_del_fdb_peer_flow+0x100/0x1b0 [mlx5_core]
      [  314.887484]  ? memcmp+0x2c/0x60
      [  314.887509]  kasan_report+0xe/0x12
      [  314.887521]  memcmp+0x2c/0x60
      [  314.887662]  mlx5e_tc_add_fdb_flow+0x51b/0xbe0 [mlx5_core]
      [  314.887838]  ? mlx5e_encap_take+0x110/0x110 [mlx5_core]
      [  314.887902]  ? lockdep_init_map+0x87/0x2c0
      [  314.887924]  ? __init_waitqueue_head+0x4f/0x60
      [  314.888062]  ? mlx5e_alloc_flow.isra.0+0x18c/0x1c0 [mlx5_core]
      [  314.888207]  __mlx5e_add_fdb_flow+0x2d7/0x440 [mlx5_core]
      [  314.888359]  ? mlx5e_tc_update_neigh_used_value+0x6f0/0x6f0 [mlx5_core]
      [  314.888374]  ? match_held_lock+0x2e/0x240
      [  314.888537]  mlx5e_configure_flower+0x830/0x16a0 [mlx5_core]
      [  314.888702]  ? __mlx5e_add_fdb_flow+0x440/0x440 [mlx5_core]
      [  314.888713]  ? down_read+0x118/0x2c0
      [  314.888728]  ? down_read_killable+0x300/0x300
      [  314.888882]  ? mlx5e_rep_get_ethtool_stats+0x180/0x180 [mlx5_core]
      [  314.888899]  tc_setup_cb_add+0x127/0x270
      [  314.888937]  fl_hw_replace_filter+0x2ac/0x380 [cls_flower]
      [  314.888976]  ? fl_hw_destroy_filter+0x1b0/0x1b0 [cls_flower]
      [  314.888990]  ? fl_change+0xbcf/0x27ef [cls_flower]
      [  314.889030]  ? fl_change+0xa57/0x27ef [cls_flower]
      [  314.889069]  fl_change+0x16bd/0x27ef [cls_flower]
      [  314.889135]  ? __rhashtable_insert_fast.constprop.0+0xa00/0xa00 [cls_flower]
      [  314.889167]  ? __radix_tree_lookup+0xa4/0x130
      [  314.889200]  ? fl_get+0x169/0x240 [cls_flower]
      [  314.889218]  ? fl_walk+0x230/0x230 [cls_flower]
      [  314.889249]  tc_new_tfilter+0x5e1/0xd40
      [  314.889281]  ? __rhashtable_insert_fast.constprop.0+0xa00/0xa00 [cls_flower]
      [  314.889309]  ? tc_del_tfilter+0xa30/0xa30
      [  314.889335]  ? __lock_acquire+0x5b5/0x2460
      [  314.889378]  ? find_held_lock+0x85/0xa0
      [  314.889442]  ? tc_del_tfilter+0xa30/0xa30
      [  314.889465]  rtnetlink_rcv_msg+0x4ab/0x5f0
      [  314.889488]  ? rtnl_dellink+0x490/0x490
      [  314.889518]  ? lockdep_hardirqs_on+0x260/0x260
      [  314.889538]  ? netlink_deliver_tap+0xab/0x5a0
      [  314.889550]  ? match_held_lock+0x1b/0x240
      [  314.889575]  netlink_rcv_skb+0xd0/0x200
      [  314.889588]  ? rtnl_dellink+0x490/0x490
      [  314.889605]  ? netlink_ack+0x440/0x440
      [  314.889635]  ? netlink_deliver_tap+0x161/0x5a0
      [  314.889648]  ? lock_downgrade+0x360/0x360
      [  314.889657]  ? lock_acquire+0xe5/0x210
      [  314.889686]  netlink_unicast+0x296/0x350
      [  314.889707]  ? netlink_attachskb+0x390/0x390
      [  314.889726]  ? _copy_from_iter_full+0xe0/0x3a0
      [  314.889738]  ? __virt_addr_valid+0xbb/0x130
      [  314.889771]  netlink_sendmsg+0x394/0x600
      [  314.889800]  ? netlink_unicast+0x350/0x350
      [  314.889817]  ? move_addr_to_kernel.part.0+0x90/0x90
      [  314.889852]  ? netlink_unicast+0x350/0x350
      [  314.889872]  sock_sendmsg+0x96/0xa0
      [  314.889891]  ___sys_sendmsg+0x482/0x520
      [  314.889919]  ? copy_msghdr_from_user+0x250/0x250
      [  314.889930]  ? __fput+0x1fa/0x390
      [  314.889941]  ? task_work_run+0xb7/0xf0
      [  314.889957]  ? exit_to_usermode_loop+0x117/0x120
      [  314.889972]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  314.889982]  ? do_syscall_64+0x74/0xe0
      [  314.889992]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  314.890012]  ? mark_lock+0xac/0x9a0
      [  314.890028]  ? __lock_acquire+0x5b5/0x2460
      [  314.890053]  ? mark_lock+0xac/0x9a0
      [  314.890083]  ? __lock_acquire+0x5b5/0x2460
      [  314.890112]  ? match_held_lock+0x1b/0x240
      [  314.890144]  ? __fget_light+0xa1/0xf0
      [  314.890166]  ? sockfd_lookup_light+0x91/0xb0
      [  314.890187]  __sys_sendmsg+0xba/0x130
      [  314.890201]  ? __sys_sendmsg_sock+0xb0/0xb0
      [  314.890225]  ? __blkcg_punt_bio_submit+0xd0/0xd0
      [  314.890264]  ? lockdep_hardirqs_off+0xbe/0x100
      [  314.890274]  ? mark_held_locks+0x24/0x90
      [  314.890286]  ? do_syscall_64+0x1e/0xe0
      [  314.890308]  do_syscall_64+0x74/0xe0
      [  314.890325]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  314.890336] RIP: 0033:0x7f00ca33d7b8
      [  314.890348] Code: 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 8f 0c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 89 5
      4
      [  314.890356] RSP: 002b:00007ffea2983928 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  314.890369] RAX: ffffffffffffffda RBX: 000000005d777d5b RCX: 00007f00ca33d7b8
      [  314.890377] RDX: 0000000000000000 RSI: 00007ffea2983990 RDI: 0000000000000003
      [  314.890384] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000006
      [  314.890392] R10: 0000000000404eda R11: 0000000000000246 R12: 0000000000000001
      [  314.890400] R13: 000000000047f640 R14: 00007ffea2987b58 R15: 0000000000000021
      
      [  314.890529] Allocated by task 2687:
      [  314.890684]  save_stack+0x1b/0x80
      [  314.890694]  __kasan_kmalloc.constprop.0+0xc2/0xd0
      [  314.890705]  __kmalloc_track_caller+0x102/0x340
      [  314.890721]  kmemdup+0x1d/0x40
      [  314.890730]  tc_setup_flow_action+0x731/0x2c27
      [  314.890743]  fl_hw_replace_filter+0x23b/0x380 [cls_flower]
      [  314.890756]  fl_change+0x16bd/0x27ef [cls_flower]
      [  314.890765]  tc_new_tfilter+0x5e1/0xd40
      [  314.890776]  rtnetlink_rcv_msg+0x4ab/0x5f0
      [  314.890786]  netlink_rcv_skb+0xd0/0x200
      [  314.890796]  netlink_unicast+0x296/0x350
      [  314.890805]  netlink_sendmsg+0x394/0x600
      [  314.890815]  sock_sendmsg+0x96/0xa0
      [  314.890825]  ___sys_sendmsg+0x482/0x520
      [  314.890834]  __sys_sendmsg+0xba/0x130
      [  314.890844]  do_syscall_64+0x74/0xe0
      [  314.890854]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [  314.890937] Freed by task 2687:
      [  314.891076]  save_stack+0x1b/0x80
      [  314.891086]  __kasan_slab_free+0x12c/0x170
      [  314.891095]  kfree+0xeb/0x2f0
      [  314.891106]  tc_cleanup_flow_action+0x69/0xa0
      [  314.891119]  fl_hw_replace_filter+0x2c5/0x380 [cls_flower]
      [  314.891132]  fl_change+0x16bd/0x27ef [cls_flower]
      [  314.891140]  tc_new_tfilter+0x5e1/0xd40
      [  314.891151]  rtnetlink_rcv_msg+0x4ab/0x5f0
      [  314.891161]  netlink_rcv_skb+0xd0/0x200
      [  314.891170]  netlink_unicast+0x296/0x350
      [  314.891180]  netlink_sendmsg+0x394/0x600
      [  314.891190]  sock_sendmsg+0x96/0xa0
      [  314.891200]  ___sys_sendmsg+0x482/0x520
      [  314.891208]  __sys_sendmsg+0xba/0x130
      [  314.891218]  do_syscall_64+0x74/0xe0
      [  314.891228]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [  314.891315] The buggy address belongs to the object at ffff88886c746280
                      which belongs to the cache kmalloc-96 of size 96
      [  314.891762] The buggy address is located 0 bytes inside of
                      96-byte region [ffff88886c746280, ffff88886c7462e0)
      [  314.892196] The buggy address belongs to the page:
      [  314.892387] page:ffffea0021b1d180 refcount:1 mapcount:0 mapping:ffff88835d00ef80 index:0x0
      [  314.892398] flags: 0x57ffffc0000200(slab)
      [  314.892413] raw: 0057ffffc0000200 ffffea00219e0340 0000000800000008 ffff88835d00ef80
      [  314.892423] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
      [  314.892430] page dumped because: kasan: bad access detected
      
      [  314.892515] Memory state around the buggy address:
      [  314.892707]  ffff88886c746180: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  314.892976]  ffff88886c746200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  314.893251] >ffff88886c746280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  314.893522]                    ^
      [  314.893657]  ffff88886c746300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  314.893924]  ffff88886c746380: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
      [  314.894189] ==================================================================
      
      Fix the issue by duplicating tunnel info into per-encap copy that is
      deallocated with encap structure. Also, duplicate tunnel info in flow parse
      attribute to support cases when flow might be attached asynchronously.
      
      Fixes: 1f6da306
      
       ("net/mlx5e: Geneve, Keep tunnel info as pointer to the original struct")
      Signed-off-by: default avatarVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: default avatarYevgeny Kliteynik <kliteyn@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      2a4b6526
    • Eli Britstein's avatar
      net/mlx5: Fix NULL pointer dereference in extended destination · 0fd79b1e
      Eli Britstein authored
      The cited commit refactored the encap id into a struct pointed from the
      destination.
      Bug fix for the case there is no encap for one of the destinations.
      
      Fixes: 2b688ea5
      
       ("net/mlx5: Add flow steering actions to fs_cmd shim layer")
      Signed-off-by: default avatarEli Britstein <elibr@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      0fd79b1e
    • Parav Pandit's avatar
      net/mlx5: Fix rtable reference leak · 2347cee8
      Parav Pandit authored
      If the rt entry gateway family is not AF_INET for multipath device,
      rtable reference is leaked.
      Hence, fix it by releasing the reference.
      
      Fixes: 5fb091e8 ("net/mlx5e: Use hint to resolve route when in HW multipath mode")
      Fixes: e32ee6c7
      
       ("net/mlx5e: Support tunnel encap over tagged Ethernet")
      Signed-off-by: default avatarParav Pandit <parav@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      2347cee8
    • Vlad Buslov's avatar
      net/mlx5e: Only skip encap flows update when encap init failed · 64d7b685
      Vlad Buslov authored
      When encap entry initialization completes successfully e->compl_result is
      set to positive value and not zero, like mlx5e_rep_update_flows() assumes
      at the moment. Fix the conditional to only skip encap flows update when
      e->compl_result < 0.
      
      Fixes: 2a1f1768
      
       ("net/mlx5e: Refactor neigh update for concurrent execution")
      Signed-off-by: default avatarVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      64d7b685
    • Maor Gottlieb's avatar
      net/mlx5e: Replace kfree with kvfree when free vhca stats · 5dfb6335
      Maor Gottlieb authored
      Memory allocated by kvzalloc should be freed by kvfree.
      
      Fixes: cef35af3
      
       ("net/mlx5e: Add mlx5e HV VHCA stats agent")
      Signed-off-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      5dfb6335
    • Dmytro Linkin's avatar
      net/mlx5e: Remove incorrect match criteria assignment line · 752d3dc0
      Dmytro Linkin authored
      Driver have function, which enable match criteria for misc parameters
      in dependence of eswitch capabilities.
      
      Fixes: 4f5d1bea ("Merge branch 'mlx5-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux"
      
      )
      Signed-off-by: default avatarDmytro Linkin <dmitrolin@mellanox.com>
      Reviewed-by: default avatarJianbo Liu <jianbol@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Reviewed-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      752d3dc0
    • Dmytro Linkin's avatar
      net/mlx5e: Determine source port properly for vlan push action · d5dbcc4e
      Dmytro Linkin authored
      Termination tables are used for vlan push actions on uplink ports.
      To support RoCE dual port the source port value was placed in a register.
      Fix the code to use an API method returning the source port according to
      the FW capabilities.
      
      Fixes: 10caabda
      
       ("net/mlx5e: Use termination table for VLAN push actions")
      Signed-off-by: default avatarDmytro Linkin <dmitrolin@mellanox.com>
      Reviewed-by: default avatarJianbo Liu <jianbol@mellanox.com>
      Reviewed-by: default avatarOz Shlomo <ozsh@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      d5dbcc4e
  7. 24 Oct, 2019 1 commit
    • Taehee Yoo's avatar
      net: remove unnecessary variables and callback · f3b0a18b
      Taehee Yoo authored
      
      
      This patch removes variables and callback these are related to the nested
      device structure.
      devices that can be nested have their own nest_level variable that
      represents the depth of nested devices.
      In the previous patch, new {lower/upper}_level variables are added and
      they replace old private nest_level variable.
      So, this patch removes all 'nest_level' variables.
      
      In order to avoid lockdep warning, ->ndo_get_lock_subclass() was added
      to get lockdep subclass value, which is actually lower nested depth value.
      But now, they use the dynamic lockdep key to avoid lockdep warning instead
      of the subclass.
      So, this patch removes ->ndo_get_lock_subclass() callback.
      
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f3b0a18b
  8. 18 Oct, 2019 16 commits