From bdc76fd299600736e832f1525f4f23dd210b97cb Mon Sep 17 00:00:00 2001 From: Simon Wunderlich Date: Sun, 7 Apr 2019 09:00:57 +0200 Subject: [PATCH 01/34] batman-adv: Start new development cycle Signed-off-by: Simon Wunderlich --- net/batman-adv/main.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/batman-adv/main.h b/net/batman-adv/main.h index 3ed669d7dc6b..06880c650598 100644 --- a/net/batman-adv/main.h +++ b/net/batman-adv/main.h @@ -25,7 +25,7 @@ #define BATADV_DRIVER_DEVICE "batman-adv" #ifndef BATADV_SOURCE_VERSION -#define BATADV_SOURCE_VERSION "2019.1" +#define BATADV_SOURCE_VERSION "2019.2" #endif /* B.A.T.M.A.N. parameters */ From a3c7cd0cdf1107f891aff847ad481e34df727055 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20L=C3=BCssing?= Date: Wed, 24 Apr 2019 03:19:14 +0200 Subject: [PATCH 02/34] batman-adv: mcast: fix multicast tt/tvlv worker locking MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Syzbot has reported some issues with the locking assumptions made for the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add(). While hard/not reproduceable for us so far it seems that the delayed_work_pending() we use might not be quite safe from reordering. Therefore this patch adds an explicit, new spinlock to protect the update of the mla_list and flags in bat_priv and then removes the WARN_ON(delayed_work_pending()). Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com Fixes: cbebd363b2e9 ("batman-adv: Use own timer for multicast TT and TVLV updates") Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich --- net/batman-adv/main.c | 1 + net/batman-adv/multicast.c | 11 +++-------- net/batman-adv/types.h | 5 +++++ 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c index 75750870cf04..f8725786b596 100644 --- a/net/batman-adv/main.c +++ b/net/batman-adv/main.c @@ -161,6 +161,7 @@ int batadv_mesh_init(struct net_device *soft_iface) spin_lock_init(&bat_priv->tt.commit_lock); spin_lock_init(&bat_priv->gw.list_lock); #ifdef CONFIG_BATMAN_ADV_MCAST + spin_lock_init(&bat_priv->mcast.mla_lock); spin_lock_init(&bat_priv->mcast.want_lists_lock); #endif spin_lock_init(&bat_priv->tvlv.container_list_lock); diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c index f91b1b6265cf..1b985ab89c08 100644 --- a/net/batman-adv/multicast.c +++ b/net/batman-adv/multicast.c @@ -325,8 +325,6 @@ static void batadv_mcast_mla_list_free(struct hlist_head *mcast_list) * translation table except the ones listed in the given mcast_list. * * If mcast_list is NULL then all are retracted. - * - * Do not call outside of the mcast worker! (or cancel mcast worker first) */ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv, struct hlist_head *mcast_list) @@ -334,8 +332,6 @@ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv, struct batadv_hw_addr *mcast_entry; struct hlist_node *tmp; - WARN_ON(delayed_work_pending(&bat_priv->mcast.work)); - hlist_for_each_entry_safe(mcast_entry, tmp, &bat_priv->mcast.mla_list, list) { if (mcast_list && @@ -359,8 +355,6 @@ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv, * * Adds multicast listener announcements from the given mcast_list to the * translation table if they have not been added yet. - * - * Do not call outside of the mcast worker! (or cancel mcast worker first) */ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv, struct hlist_head *mcast_list) @@ -368,8 +362,6 @@ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv, struct batadv_hw_addr *mcast_entry; struct hlist_node *tmp; - WARN_ON(delayed_work_pending(&bat_priv->mcast.work)); - if (!mcast_list) return; @@ -658,7 +650,10 @@ static void batadv_mcast_mla_update(struct work_struct *work) priv_mcast = container_of(delayed_work, struct batadv_priv_mcast, work); bat_priv = container_of(priv_mcast, struct batadv_priv, mcast); + spin_lock(&bat_priv->mcast.mla_lock); __batadv_mcast_mla_update(bat_priv); + spin_unlock(&bat_priv->mcast.mla_lock); + batadv_mcast_start_timer(bat_priv); } diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h index a21b34ed6548..ed0f6a519de5 100644 --- a/net/batman-adv/types.h +++ b/net/batman-adv/types.h @@ -1223,6 +1223,11 @@ struct batadv_priv_mcast { /** @bridged: whether the soft interface has a bridge on top */ unsigned char bridged:1; + /** + * @mla_lock: a lock protecting mla_list and mla_flags + */ + spinlock_t mla_lock; + /** * @num_want_all_unsnoopables: number of nodes wanting unsnoopable IP * traffic From e9919a24d3022f72bcadc407e73a6ef17093a849 Mon Sep 17 00:00:00 2001 From: Hangbin Liu Date: Tue, 7 May 2019 17:11:18 +0800 Subject: [PATCH 03/34] fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied With commit 153380ec4b9 ("fib_rules: Added NLM_F_EXCL support to fib_nl_newrule") we now able to check if a rule already exists. But this only works with iproute2. For other tools like libnl, NetworkManager, it still could add duplicate rules with only NLM_F_CREATE flag, like [localhost ~ ]# ip rule 0: from all lookup local 32766: from all lookup main 32767: from all lookup default 100000: from 192.168.7.5 lookup 5 100000: from 192.168.7.5 lookup 5 As it doesn't make sense to create two duplicate rules, let's just return 0 if the rule exists. Fixes: 153380ec4b9 ("fib_rules: Added NLM_F_EXCL support to fib_nl_newrule") Reported-by: Thomas Haller Signed-off-by: Hangbin Liu Signed-off-by: David S. Miller --- net/core/fib_rules.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index 18f8dd8329ed..43f0115cce9c 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c @@ -757,9 +757,9 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh, if (err) goto errout; - if ((nlh->nlmsg_flags & NLM_F_EXCL) && - rule_exists(ops, frh, tb, rule)) { - err = -EEXIST; + if (rule_exists(ops, frh, tb, rule)) { + if (nlh->nlmsg_flags & NLM_F_EXCL) + err = -EEXIST; goto errout_free; } From 19e4e768064a87b073a4b4c138b55db70e0cfb9f Mon Sep 17 00:00:00 2001 From: David Ahern Date: Tue, 7 May 2019 20:44:59 -0700 Subject: [PATCH 04/34] ipv4: Fix raw socket lookup for local traffic inet_iif should be used for the raw socket lookup. inet_iif considers rt_iif which handles the case of local traffic. As it stands, ping to a local address with the '-I ' option fails ever since ping was changed to use SO_BINDTODEVICE instead of cmsg + IP_PKTINFO. IPv6 works fine. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: David Ahern Signed-off-by: David S. Miller --- net/ipv4/raw.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index c55a5432cf37..dc91c27bb788 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -173,6 +173,7 @@ static int icmp_filter(const struct sock *sk, const struct sk_buff *skb) static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) { int sdif = inet_sdif(skb); + int dif = inet_iif(skb); struct sock *sk; struct hlist_head *head; int delivered = 0; @@ -185,8 +186,7 @@ static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) net = dev_net(skb->dev); sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol, - iph->saddr, iph->daddr, - skb->dev->ifindex, sdif); + iph->saddr, iph->daddr, dif, sdif); while (sk) { delivered = 1; From f319ca6557c10a711facc4dd60197470796d3ec1 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Wed, 8 May 2019 08:52:32 +0200 Subject: [PATCH 05/34] openvswitch: Replace removed NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT) Commit 4806e975729f99c7 ("netfilter: replace NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT)") removed CONFIG_NF_NAT_NEEDED, but a new user popped up afterwards. Fixes: fec9c271b8f1bde1 ("openvswitch: load and reference the NAT helper.") Signed-off-by: Geert Uytterhoeven Acked-by: Florian Westphal Acked-by: Flavio Leitner Signed-off-by: David S. Miller --- net/openvswitch/conntrack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 333ec5f298fe..4c597a0bb168 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1322,7 +1322,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, return -ENOMEM; } -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT) if (info->nat) { ret = nf_nat_helper_try_module_get(name, info->family, key->ip.proto); @@ -1811,7 +1811,7 @@ void ovs_ct_free_action(const struct nlattr *a) static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) { if (ct_info->helper) { -#ifdef CONFIG_NF_NAT_NEEDED +#if IS_ENABLED(CONFIG_NF_NAT) if (ct_info->nat) nf_nat_helper_put(ct_info->helper); #endif From d6759172415ebd5daddb8d11f2d536a1235da063 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Wed, 8 May 2019 11:22:09 +0100 Subject: [PATCH 06/34] net: dsa: lantiq: fix spelling mistake "brigde" -> "bridge" There are several spelling mistakes in dev_err messages. Fix these. Signed-off-by: Colin Ian King Signed-off-by: David S. Miller --- drivers/net/dsa/lantiq_gswip.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c index 553831df58fe..4e64835deac2 100644 --- a/drivers/net/dsa/lantiq_gswip.c +++ b/drivers/net/dsa/lantiq_gswip.c @@ -1235,7 +1235,7 @@ static void gswip_port_fast_age(struct dsa_switch *ds, int port) err = gswip_pce_table_entry_read(priv, &mac_bridge); if (err) { - dev_err(priv->dev, "failed to read mac brigde: %d\n", + dev_err(priv->dev, "failed to read mac bridge: %d\n", err); return; } @@ -1252,7 +1252,7 @@ static void gswip_port_fast_age(struct dsa_switch *ds, int port) mac_bridge.valid = false; err = gswip_pce_table_entry_write(priv, &mac_bridge); if (err) { - dev_err(priv->dev, "failed to write mac brigde: %d\n", + dev_err(priv->dev, "failed to write mac bridge: %d\n", err); return; } @@ -1328,7 +1328,7 @@ static int gswip_port_fdb(struct dsa_switch *ds, int port, err = gswip_pce_table_entry_write(priv, &mac_bridge); if (err) - dev_err(priv->dev, "failed to write mac brigde: %d\n", err); + dev_err(priv->dev, "failed to write mac bridge: %d\n", err); return err; } @@ -1360,7 +1360,7 @@ static int gswip_port_fdb_dump(struct dsa_switch *ds, int port, err = gswip_pce_table_entry_read(priv, &mac_bridge); if (err) { - dev_err(priv->dev, "failed to write mac brigde: %d\n", + dev_err(priv->dev, "failed to write mac bridge: %d\n", err); return err; } From c264ed44d857c50f43be08572668afa374bf6a48 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Wed, 8 May 2019 11:51:35 +0100 Subject: [PATCH 07/34] net: hns3: remove redundant assignment of l2_hdr to itself The pointer l2_hdr is being assigned to itself, this is redundant and can be removed. Addresses-Coverity: ("Evaluation order violation") Signed-off-by: Colin Ian King Reviewed-by: Yunsheng Lin Signed-off-by: David S. Miller --- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c index 18711e0f9bdf..196a3d780dcf 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c @@ -810,7 +810,7 @@ static int hns3_set_l2l3l4(struct sk_buff *skb, u8 ol4_proto, u8 il4_proto, u32 *type_cs_vlan_tso, u32 *ol_type_vlan_len_msec) { - unsigned char *l2_hdr = l2_hdr = skb->data; + unsigned char *l2_hdr = skb->data; u32 l4_proto = ol4_proto; union l4_hdr_info l4; union l3_hdr_info l3; From c7e0d6cca86581092cbbf2cd868b3601495554cf Mon Sep 17 00:00:00 2001 From: Paolo Abeni Date: Wed, 8 May 2019 15:32:51 +0200 Subject: [PATCH 08/34] selinux: do not report error on connect(AF_UNSPEC) calling connect(AF_UNSPEC) on an already connected TCP socket is an established way to disconnect() such socket. After commit 68741a8adab9 ("selinux: Fix ltp test connect-syscall failure") it no longer works and, in the above scenario connect() fails with EAFNOSUPPORT. Fix the above falling back to the generic/old code when the address family is not AF_INET{4,6}, but leave the SCTP code path untouched, as it has specific constraints. Fixes: 68741a8adab9 ("selinux: Fix ltp test connect-syscall failure") Reported-by: Tom Deseyn Signed-off-by: Paolo Abeni Reviewed-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller --- security/selinux/hooks.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c61787b15f27..d82b87c16b0a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4649,7 +4649,7 @@ static int selinux_socket_connect_helper(struct socket *sock, struct lsm_network_audit net = {0,}; struct sockaddr_in *addr4 = NULL; struct sockaddr_in6 *addr6 = NULL; - unsigned short snum; + unsigned short snum = 0; u32 sid, perm; /* sctp_connectx(3) calls via selinux_sctp_bind_connect() @@ -4674,12 +4674,12 @@ static int selinux_socket_connect_helper(struct socket *sock, break; default: /* Note that SCTP services expect -EINVAL, whereas - * others expect -EAFNOSUPPORT. + * others must handle this at the protocol level: + * connect(AF_UNSPEC) on a connected socket is + * a documented way disconnect the socket. */ if (sksec->sclass == SECCLASS_SCTP_SOCKET) return -EINVAL; - else - return -EAFNOSUPPORT; } err = sel_netport_sid(sk->sk_protocol, snum, &sid); From 86dc59e39031fb0d366d5b1f92db015b24bef70b Mon Sep 17 00:00:00 2001 From: Wang Hai Date: Wed, 8 May 2019 21:43:26 +0800 Subject: [PATCH 09/34] net: dsa: sja1105: Make 'sja1105et_regs' and 'sja1105pqrs_regs' static drivers/net/dsa/sja1105/sja1105_spi.c:486:21: warning: symbol 'sja1105et_regs' was not declared. Should it be static? drivers/net/dsa/sja1105/sja1105_spi.c:511:21: warning: symbol 'sja1105pqrs_regs' was not declared. Should it be static? Fixes: 8aa9ebccae87 ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch") Reported-by: Hulk Robot Signed-off-by: Wang Hai Signed-off-by: David S. Miller --- drivers/net/dsa/sja1105/sja1105_spi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/sja1105/sja1105_spi.c b/drivers/net/dsa/sja1105/sja1105_spi.c index 244a94ccfc18..6848d82e423a 100644 --- a/drivers/net/dsa/sja1105/sja1105_spi.c +++ b/drivers/net/dsa/sja1105/sja1105_spi.c @@ -483,7 +483,7 @@ out: return rc; } -struct sja1105_regs sja1105et_regs = { +static struct sja1105_regs sja1105et_regs = { .device_id = 0x0, .prod_id = 0x100BC3, .status = 0x1, @@ -508,7 +508,7 @@ struct sja1105_regs sja1105et_regs = { .rmii_ext_tx_clk = {0x100018, 0x10001F, 0x100026, 0x10002D, 0x100034}, }; -struct sja1105_regs sja1105pqrs_regs = { +static struct sja1105_regs sja1105pqrs_regs = { .device_id = 0x0, .prod_id = 0x100BC3, .status = 0x1, From 5425711b6dd0f7283202729863d9210e7a1c7cd2 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Wed, 8 May 2019 14:30:41 +0100 Subject: [PATCH 10/34] net: dsa: sja1105: fix check on while loop exit The while-loop exit condition check is not correct; the loop should continue if the returns from the function calls are negative or the CRC status returns are invalid. Currently it is ignoring the returns from the function calls. Fix this by removing the status return checks and only break from the loop at the very end when we know that all the success condtions have been met. Kudos to Dan Carpenter for describing the correct fix and Vladimir Oltean for noting the change to the check on the number of retries. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: 8aa9ebccae87 ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch") Signed-off-by: Colin Ian King Tested-by: Vladimir Oltean Signed-off-by: David S. Miller --- drivers/net/dsa/sja1105/sja1105_spi.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/dsa/sja1105/sja1105_spi.c b/drivers/net/dsa/sja1105/sja1105_spi.c index 6848d82e423a..2eb70b8acfc3 100644 --- a/drivers/net/dsa/sja1105/sja1105_spi.c +++ b/drivers/net/dsa/sja1105/sja1105_spi.c @@ -466,14 +466,15 @@ int sja1105_static_config_upload(struct sja1105_private *priv) "invalid, retrying...\n"); continue; } - } while (--retries && (status.crcchkl == 1 || status.crcchkg == 1 || - status.configs == 0 || status.ids == 1)); + /* Success! */ + break; + } while (--retries); if (!retries) { rc = -EIO; dev_err(dev, "Failed to upload config to device, giving up\n"); goto out; - } else if (retries != RETRIES - 1) { + } else if (retries != RETRIES) { dev_info(dev, "Succeeded after %d tried\n", RETRIES - retries); } From 3b2c4f4d63a554739a32dc709b617f2d2acc2ad0 Mon Sep 17 00:00:00 2001 From: Vladimir Oltean Date: Wed, 8 May 2019 23:32:25 +0300 Subject: [PATCH 11/34] net: dsa: sja1105: Don't return a negative in u8 sja1105_stp_state_get Dan Carpenter says: The patch 640f763f98c2: "net: dsa: sja1105: Add support for Spanning Tree Protocol" from May 5, 2019, leads to the following static checker warning: drivers/net/dsa/sja1105/sja1105_main.c:1073 sja1105_stp_state_get() warn: signedness bug returning '(-22)' The caller doesn't check for negative errors anyway. Fixes: 640f763f98c2: ("net: dsa: sja1105: Add support for Spanning Tree Protocol") Reported-by: Dan Carpenter Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller --- drivers/net/dsa/sja1105/sja1105_main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c index 50ff625c85d6..0663b78a2f6c 100644 --- a/drivers/net/dsa/sja1105/sja1105_main.c +++ b/drivers/net/dsa/sja1105/sja1105_main.c @@ -1070,7 +1070,11 @@ static u8 sja1105_stp_state_get(struct sja1105_private *priv, int port) return BR_STATE_LEARNING; if (mac[port].ingress && mac[port].egress && mac[port].dyn_learn) return BR_STATE_FORWARDING; - return -EINVAL; + /* This is really an error condition if the MAC was in none of the STP + * states above. But treating the port as disabled does nothing, which + * is adequate, and it also resets the MAC to a known state later on. + */ + return BR_STATE_DISABLED; } /* For situations where we need to change a setting at runtime that is only From f81dadbcf7fd067baf184b63c179fc392bdb226e Mon Sep 17 00:00:00 2001 From: Serge Semin Date: Thu, 9 May 2019 00:51:15 +0300 Subject: [PATCH 12/34] net: phy: realtek: Add rtl8211e rx/tx delays config There are two chip pins named TXDLY and RXDLY which actually adds the 2ns delays to TXC and RXC for TXD/RXD latching. Alas this is the only documented info regarding the RGMII timing control configurations the PHY provides. It turns out the same settings can be setup via MDIO registers hidden in the extension pages layout. Particularly the extension page 0xa4 provides a register 0x1c, which bits 1 and 2 control the described delays. They are used to implement the "rgmii-{id,rxid,txid}" phy-mode. The hidden RGMII configs register utilization was found in the rtl8211e U-boot driver: https://elixir.bootlin.com/u-boot/v2019.01/source/drivers/net/phy/realtek.c#L99 There is also a freebsd-folks discussion regarding this register: https://reviews.freebsd.org/D13591 It confirms that the register bits field must control the so called configuration pins described in the table 12-13 of the official PHY datasheet: 8:6 = PHY Address 5:4 = Auto-Negotiation 3 = Interface Mode Select 2 = RX Delay 1 = TX Delay 0 = SELRGV Reviewed-by: Andrew Lunn Signed-off-by: Serge Semin Signed-off-by: David S. Miller --- drivers/net/phy/realtek.c | 51 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c index d6a10f323117..cfbc0ca61123 100644 --- a/drivers/net/phy/realtek.c +++ b/drivers/net/phy/realtek.c @@ -23,11 +23,15 @@ #define RTL821x_INSR 0x13 +#define RTL821x_EXT_PAGE_SELECT 0x1e #define RTL821x_PAGE_SELECT 0x1f #define RTL8211F_INSR 0x1d #define RTL8211F_TX_DELAY BIT(8) +#define RTL8211E_TX_DELAY BIT(1) +#define RTL8211E_RX_DELAY BIT(2) +#define RTL8211E_MODE_MII_GMII BIT(3) #define RTL8201F_ISR 0x1e #define RTL8201F_IER 0x13 @@ -167,6 +171,52 @@ static int rtl8211f_config_init(struct phy_device *phydev) return phy_modify_paged(phydev, 0xd08, 0x11, RTL8211F_TX_DELAY, val); } +static int rtl8211e_config_init(struct phy_device *phydev) +{ + int ret = 0, oldpage; + u16 val; + + /* enable TX/RX delay for rgmii-* modes, and disable them for rgmii. */ + switch (phydev->interface) { + case PHY_INTERFACE_MODE_RGMII: + val = 0; + break; + case PHY_INTERFACE_MODE_RGMII_ID: + val = RTL8211E_TX_DELAY | RTL8211E_RX_DELAY; + break; + case PHY_INTERFACE_MODE_RGMII_RXID: + val = RTL8211E_RX_DELAY; + break; + case PHY_INTERFACE_MODE_RGMII_TXID: + val = RTL8211E_TX_DELAY; + break; + default: /* the rest of the modes imply leaving delays as is. */ + return 0; + } + + /* According to a sample driver there is a 0x1c config register on the + * 0xa4 extension page (0x7) layout. It can be used to disable/enable + * the RX/TX delays otherwise controlled by RXDLY/TXDLY pins. It can + * also be used to customize the whole configuration register: + * 8:6 = PHY Address, 5:4 = Auto-Negotiation, 3 = Interface Mode Select, + * 2 = RX Delay, 1 = TX Delay, 0 = SELRGV (see original PHY datasheet + * for details). + */ + oldpage = phy_select_page(phydev, 0x7); + if (oldpage < 0) + goto err_restore_page; + + ret = phy_write(phydev, RTL821x_EXT_PAGE_SELECT, 0xa4); + if (ret) + goto err_restore_page; + + ret = phy_modify(phydev, 0x1c, RTL8211E_TX_DELAY | RTL8211E_RX_DELAY, + val); + +err_restore_page: + return phy_restore_page(phydev, oldpage, ret); +} + static int rtl8211b_suspend(struct phy_device *phydev) { phy_write(phydev, MII_MMD_DATA, BIT(9)); @@ -239,6 +289,7 @@ static struct phy_driver realtek_drvs[] = { }, { PHY_ID_MATCH_EXACT(0x001cc915), .name = "RTL8211E Gigabit Ethernet", + .config_init = &rtl8211e_config_init, .ack_interrupt = &rtl821x_ack_interrupt, .config_intr = &rtl8211e_config_intr, .suspend = genphy_suspend, From 1da7756e6616c7795c8a104fde0a66f212ef659d Mon Sep 17 00:00:00 2001 From: Serge Semin Date: Thu, 9 May 2019 00:51:17 +0300 Subject: [PATCH 13/34] net: phy: realtek: Change TX-delay setting for RGMII modes only It's prone to problems if delay is cleared out for other than RGMII modes. So lets set/clear the TX-delay in the config register only if actually RGMII-like interface mode is requested. This only concerns rtl8211f chips. Signed-off-by: Serge Semin Signed-off-by: David S. Miller --- drivers/net/phy/realtek.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c index cfbc0ca61123..761ce3b1e7bd 100644 --- a/drivers/net/phy/realtek.c +++ b/drivers/net/phy/realtek.c @@ -161,12 +161,23 @@ static int rtl8211c_config_init(struct phy_device *phydev) static int rtl8211f_config_init(struct phy_device *phydev) { - u16 val = 0; + u16 val; - /* enable TX-delay for rgmii-id and rgmii-txid, otherwise disable it */ - if (phydev->interface == PHY_INTERFACE_MODE_RGMII_ID || - phydev->interface == PHY_INTERFACE_MODE_RGMII_TXID) + /* enable TX-delay for rgmii-{id,txid}, and disable it for rgmii and + * rgmii-rxid. The RX-delay can be enabled by the external RXDLY pin. + */ + switch (phydev->interface) { + case PHY_INTERFACE_MODE_RGMII: + case PHY_INTERFACE_MODE_RGMII_RXID: + val = 0; + break; + case PHY_INTERFACE_MODE_RGMII_ID: + case PHY_INTERFACE_MODE_RGMII_TXID: val = RTL8211F_TX_DELAY; + break; + default: /* the rest of the modes imply leaving delay as is. */ + return 0; + } return phy_modify_paged(phydev, 0xd08, 0x11, RTL8211F_TX_DELAY, val); } From 1e966763e256393965c78aa09b89027fac6b8bf1 Mon Sep 17 00:00:00 2001 From: Pieter Jansen van Vuuren Date: Wed, 8 May 2019 15:52:56 -0700 Subject: [PATCH 14/34] nfp: reintroduce ndo_get_port_parent_id for representor ports NFP does not register devlink ports for representors (without the "devlink: expose PF and VF representors as ports" series there are no port flavours to expose them as). Commit c25f08ac65e4 ("nfp: remove ndo_get_port_parent_id implementation") went to far in removing ndo_get_port_parent_id for representors. This causes redirection offloads to fail, and switch_id attribute missing. Reintroduce the ndo_get_port_parent_id callback for representor ports. Fixes: c25f08ac65e4 ("nfp: remove ndo_get_port_parent_id implementation") Signed-off-by: Pieter Jansen van Vuuren Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller --- .../net/ethernet/netronome/nfp/nfp_net_repr.c | 1 + drivers/net/ethernet/netronome/nfp/nfp_port.c | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_repr.c b/drivers/net/ethernet/netronome/nfp/nfp_net_repr.c index 036edcc1fa18..1eef446036d6 100644 --- a/drivers/net/ethernet/netronome/nfp/nfp_net_repr.c +++ b/drivers/net/ethernet/netronome/nfp/nfp_net_repr.c @@ -273,6 +273,7 @@ const struct net_device_ops nfp_repr_netdev_ops = { .ndo_fix_features = nfp_repr_fix_features, .ndo_set_features = nfp_port_set_features, .ndo_set_mac_address = eth_mac_addr, + .ndo_get_port_parent_id = nfp_port_get_port_parent_id, .ndo_get_devlink_port = nfp_devlink_get_devlink_port, }; diff --git a/drivers/net/ethernet/netronome/nfp/nfp_port.c b/drivers/net/ethernet/netronome/nfp/nfp_port.c index fcd16877e6e0..93c5bfc0510b 100644 --- a/drivers/net/ethernet/netronome/nfp/nfp_port.c +++ b/drivers/net/ethernet/netronome/nfp/nfp_port.c @@ -30,6 +30,22 @@ struct nfp_port *nfp_port_from_netdev(struct net_device *netdev) return NULL; } +int nfp_port_get_port_parent_id(struct net_device *netdev, + struct netdev_phys_item_id *ppid) +{ + struct nfp_port *port; + const u8 *serial; + + port = nfp_port_from_netdev(netdev); + if (!port) + return -EOPNOTSUPP; + + ppid->id_len = nfp_cpp_serial(port->app->cpp, &serial); + memcpy(&ppid->id, serial, ppid->id_len); + + return 0; +} + int nfp_port_setup_tc(struct net_device *netdev, enum tc_setup_type type, void *type_data) { From 5f05836831f6142081e216f27e1ae8f4b26d3585 Mon Sep 17 00:00:00 2001 From: Pieter Jansen van Vuuren Date: Wed, 8 May 2019 15:56:07 -0700 Subject: [PATCH 15/34] net/sched: avoid double free on matchall reoffload Avoid freeing cls_mall.rule twice when failing to setup flow_action offload used in the hardware intermediate representation. This is achieved by returning 0 when the setup fails but the skip software flag has not been set. Fixes: f00cbf196814 ("net/sched: use the hardware intermediate representation for matchall") Reported-by: Dan Carpenter Signed-off-by: Pieter Jansen van Vuuren Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller --- net/sched/cls_matchall.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c index 1e98a517fb0b..db42d97a2006 100644 --- a/net/sched/cls_matchall.c +++ b/net/sched/cls_matchall.c @@ -308,6 +308,7 @@ static int mall_reoffload(struct tcf_proto *tp, bool add, tc_setup_cb_t *cb, NL_SET_ERR_MSG_MOD(extack, "Failed to setup flow action"); return err; } + return 0; } err = cb(TC_SETUP_CLSMATCHALL, &cls_mall, cb_priv); From 7f4399ba405b6201fb318b43091703a34b1489ab Mon Sep 17 00:00:00 2001 From: Claudiu Manoil Date: Thu, 9 May 2019 03:07:12 +0000 Subject: [PATCH 16/34] ptp_qoriq: fix NULL access if ptp dt node missing Make sure ptp dt node exists before accessing it in case of NULL pointer call trace. Signed-off-by: Claudiu Manoil Signed-off-by: Yangbo Lu Acked-by: Richard Cochran Signed-off-by: David S. Miller --- drivers/ptp/ptp_qoriq.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/ptp/ptp_qoriq.c b/drivers/ptp/ptp_qoriq.c index 53775362aac6..e10642403b25 100644 --- a/drivers/ptp/ptp_qoriq.c +++ b/drivers/ptp/ptp_qoriq.c @@ -467,6 +467,9 @@ int ptp_qoriq_init(struct ptp_qoriq *ptp_qoriq, void __iomem *base, unsigned long flags; u32 tmr_ctrl; + if (!node) + return -ENODEV; + ptp_qoriq->base = base; ptp_qoriq->caps = *caps; From 68a5cde9f02e690206e41c2d5aba88461a8829f1 Mon Sep 17 00:00:00 2001 From: Cheng Han Date: Thu, 9 May 2019 11:13:41 +0800 Subject: [PATCH 17/34] dwmac4_prog_mtl_tx_algorithms() missing write operation net: ethernet: stmmac: dwmac4_prog_mtl_tx_algorithms() missing write operation The value of MTL_OPERATION_MODE is not written back Signed-off-by: Cheng Han Signed-off-by: David S. Miller --- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c index 7e5d5db0d516..b4bb5629de38 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c @@ -192,6 +192,8 @@ static void dwmac4_prog_mtl_tx_algorithms(struct mac_device_info *hw, default: break; } + + writel(value, ioaddr + MTL_OPERATION_MODE); } static void dwmac4_set_mtl_tx_queue_weight(struct mac_device_info *hw, From a35d310f03a692bf4798eb309a1950a06a150620 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Wed, 8 May 2019 23:20:17 -0400 Subject: [PATCH 18/34] tuntap: fix dividing by zero in ebpf queue selection We need check if tun->numqueues is zero (e.g for the persist device) before trying to use it for modular arithmetic. Reported-by: Eric Dumazet Fixes: 96f84061620c6("tun: add eBPF based queue selection method") Signed-off-by: Jason Wang Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller --- drivers/net/tun.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 9d72f8c76c15..a52bd47e7aa2 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -596,13 +596,18 @@ static u16 tun_automq_select_queue(struct tun_struct *tun, struct sk_buff *skb) static u16 tun_ebpf_select_queue(struct tun_struct *tun, struct sk_buff *skb) { struct tun_prog *prog; + u32 numqueues; u16 ret = 0; + numqueues = READ_ONCE(tun->numqueues); + if (!numqueues) + return 0; + prog = rcu_dereference(tun->steering_prog); if (prog) ret = bpf_prog_run_clear_cb(prog->prog, skb); - return ret % tun->numqueues; + return ret % numqueues; } static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, From 9871a9e47a2646fe30ae7fd2e67668a8d30912f6 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Wed, 8 May 2019 23:20:18 -0400 Subject: [PATCH 19/34] tuntap: synchronize through tfiles array instead of tun->numqueues When a queue(tfile) is detached through __tun_detach(), we move the last enabled tfile to the position where detached one sit but don't NULL out last position. We expect to synchronize the datapath through tun->numqueues. Unfortunately, this won't work since we're lacking sufficient mechanism to order or synchronize the access to tun->numqueues. To fix this, NULL out the last position during detaching and check RCU protected tfile against NULL instead of checking tun->numqueues in datapath. Cc: YueHaibing Cc: Cong Wang Cc: weiyongjun (A) Cc: Eric Dumazet Fixes: c8d68e6be1c3b ("tuntap: multiqueue support") Signed-off-by: Jason Wang Reviewed-by: Wei Yongjun Signed-off-by: David S. Miller --- drivers/net/tun.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index a52bd47e7aa2..abae165dcca5 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -704,6 +704,8 @@ static void __tun_detach(struct tun_file *tfile, bool clean) tun->tfiles[tun->numqueues - 1]); ntfile = rtnl_dereference(tun->tfiles[index]); ntfile->queue_index = index; + rcu_assign_pointer(tun->tfiles[tun->numqueues - 1], + NULL); --tun->numqueues; if (clean) { @@ -1086,7 +1088,7 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev) tfile = rcu_dereference(tun->tfiles[txq]); /* Drop packet if interface is not attached */ - if (txq >= tun->numqueues) + if (!tfile) goto drop; if (!rcu_dereference(tun->steering_prog)) @@ -1309,6 +1311,7 @@ static int tun_xdp_xmit(struct net_device *dev, int n, rcu_read_lock(); +resample: numqueues = READ_ONCE(tun->numqueues); if (!numqueues) { rcu_read_unlock(); @@ -1317,6 +1320,8 @@ static int tun_xdp_xmit(struct net_device *dev, int n, tfile = rcu_dereference(tun->tfiles[smp_processor_id() % numqueues]); + if (unlikely(!tfile)) + goto resample; spin_lock(&tfile->tx_ring.producer_lock); for (i = 0; i < n; i++) { From ff946833b70e0c7f93de9a3f5b329b5ae2287b38 Mon Sep 17 00:00:00 2001 From: Parthasarathy Bhuvaragan Date: Thu, 9 May 2019 07:13:42 +0200 Subject: [PATCH 20/34] tipc: fix hanging clients using poll with EPOLLOUT flag commit 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets") introduced a regression for clients using non-blocking sockets. After the commit, we send EPOLLOUT event to the client even in TIPC_CONNECTING state. This causes the subsequent send() to fail with ENOTCONN, as the socket is still not in TIPC_ESTABLISHED state. In this commit, we: - improve the fix for hanging poll() by replacing sk_data_ready() with sk_state_change() to wake up all clients. - revert the faulty updates introduced by commit 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets"). Fixes: 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets") Signed-off-by: Parthasarathy Bhuvaragan Acked-by: Jon Maloy Signed-off-by: David S. Miller --- net/tipc/socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 145e4decb0c9..dd8537f988c4 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -736,11 +736,11 @@ static __poll_t tipc_poll(struct file *file, struct socket *sock, switch (sk->sk_state) { case TIPC_ESTABLISHED: - case TIPC_CONNECTING: if (!tsk->cong_link_cnt && !tsk_conn_cong(tsk)) revents |= EPOLLOUT; /* fall through */ case TIPC_LISTEN: + case TIPC_CONNECTING: if (!skb_queue_empty(&sk->sk_receive_queue)) revents |= EPOLLIN | EPOLLRDNORM; break; @@ -2043,7 +2043,7 @@ static bool tipc_sk_filter_connect(struct tipc_sock *tsk, struct sk_buff *skb) if (msg_data_sz(hdr)) return true; /* Empty ACK-, - wake up sleeping connect() and drop */ - sk->sk_data_ready(sk); + sk->sk_state_change(sk); msg_set_dest_droppable(hdr, 1); return false; } From 6c2ea9ebafa79eea9098a134a422391638879f45 Mon Sep 17 00:00:00 2001 From: Hangbin Liu Date: Thu, 9 May 2019 14:54:08 +0800 Subject: [PATCH 21/34] macvlan: disable SIOCSHWTSTAMP in container Miroslav pointed that with NET_ADMIN enabled in container, a normal user could be mapped to root and is able to change the real device's rx filter via ioctl on macvlan, which would affect the other ptp process on host. Fix it by disabling SIOCSHWTSTAMP in container. Fixes: 254c0a2bfedb ("macvlan: pass get_ts_info and SIOC[SG]HWTSTAMP ioctl to real device") Signed-off-by: Hangbin Liu Acked-by: Richard Cochran Signed-off-by: David S. Miller --- drivers/net/macvlan.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index b395423b19bc..92efa93649f0 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -836,6 +836,8 @@ static int macvlan_do_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) switch (cmd) { case SIOCSHWTSTAMP: + if (!net_eq(dev_net(dev), &init_net)) + break; case SIOCGHWTSTAMP: if (netif_device_present(real_dev) && ops->ndo_do_ioctl) err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd); From 873017af778439f2f8e3d87f28ddb1fcaf244a76 Mon Sep 17 00:00:00 2001 From: Hangbin Liu Date: Thu, 9 May 2019 14:55:07 +0800 Subject: [PATCH 22/34] vlan: disable SIOCSHWTSTAMP in container With NET_ADMIN enabled in container, a normal user could be mapped to root and is able to change the real device's rx filter via ioctl on vlan, which would affect the other ptp process on host. Fix it by disabling SIOCSHWTSTAMP in container. Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device") Signed-off-by: Hangbin Liu Acked-by: Richard Cochran Signed-off-by: David S. Miller --- net/8021q/vlan_dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c index f044ae56a313..2a9a60733594 100644 --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -370,10 +370,12 @@ static int vlan_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) ifrr.ifr_ifru = ifr->ifr_ifru; switch (cmd) { + case SIOCSHWTSTAMP: + if (!net_eq(dev_net(dev), &init_net)) + break; case SIOCGMIIPHY: case SIOCGMIIREG: case SIOCSMIIREG: - case SIOCSHWTSTAMP: case SIOCGHWTSTAMP: if (netif_device_present(real_dev) && ops->ndo_do_ioctl) err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd); From b8b277525e9df2fd2dc3d1f4fe01c6796bb107fc Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Thu, 9 May 2019 11:08:16 +0200 Subject: [PATCH 23/34] aqc111: fix endianness issue in aqc111_change_mtu If the MTU is large enough, the first write to the device is just repeated. On BE architectures, however, the first word of the command will be swapped a second time and garbage will be written. Avoid that. Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller --- drivers/net/usb/aqc111.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c index aff995be2a31..408df2d335e3 100644 --- a/drivers/net/usb/aqc111.c +++ b/drivers/net/usb/aqc111.c @@ -453,6 +453,8 @@ static int aqc111_change_mtu(struct net_device *net, int new_mtu) reg16 = 0x1420; else if (dev->net->mtu <= 16334) reg16 = 0x1A20; + else + return 0; aqc111_write16_cmd(dev, AQ_ACCESS_MAC, SFR_PAUSE_WATERLVL_LOW, 2, ®16); From 369b46e9fbcfa5136f2cb5f486c90e5f7fa92630 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Thu, 9 May 2019 11:08:17 +0200 Subject: [PATCH 24/34] aqc111: fix writing to the phy on BE When writing to the phy on BE architectures an internal data structure was directly given, leading to it being byte swapped in the wrong way for the CPU in 50% of all cases. A temporary buffer must be used. Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller --- drivers/net/usb/aqc111.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c index 408df2d335e3..599d560a8450 100644 --- a/drivers/net/usb/aqc111.c +++ b/drivers/net/usb/aqc111.c @@ -320,6 +320,7 @@ static int aqc111_get_link_ksettings(struct net_device *net, static void aqc111_set_phy_speed(struct usbnet *dev, u8 autoneg, u16 speed) { struct aqc111_data *aqc111_data = dev->driver_priv; + u32 phy_on_the_wire; aqc111_data->phy_cfg &= ~AQ_ADV_MASK; aqc111_data->phy_cfg |= AQ_PAUSE; @@ -361,7 +362,8 @@ static void aqc111_set_phy_speed(struct usbnet *dev, u8 autoneg, u16 speed) } } - aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, &aqc111_data->phy_cfg); + phy_on_the_wire = aqc111_data->phy_cfg; + aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, &phy_on_the_wire); } static int aqc111_set_link_ksettings(struct net_device *net, @@ -755,6 +757,7 @@ static void aqc111_unbind(struct usbnet *dev, struct usb_interface *intf) { struct aqc111_data *aqc111_data = dev->driver_priv; u16 reg16; + u32 phy_on_the_wire; /* Force bz */ reg16 = SFR_PHYPWR_RSTCTL_BZ; @@ -768,8 +771,9 @@ static void aqc111_unbind(struct usbnet *dev, struct usb_interface *intf) aqc111_data->phy_cfg &= ~AQ_ADV_MASK; aqc111_data->phy_cfg |= AQ_LOW_POWER; aqc111_data->phy_cfg &= ~AQ_PHY_POWER_EN; + phy_on_the_wire = aqc111_data->phy_cfg; aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, - &aqc111_data->phy_cfg); + &phy_on_the_wire); kfree(aqc111_data); } @@ -992,6 +996,7 @@ static int aqc111_reset(struct usbnet *dev) { struct aqc111_data *aqc111_data = dev->driver_priv; u8 reg8 = 0; + u32 phy_on_the_wire; dev->rx_urb_size = URB_SIZE; @@ -1004,8 +1009,9 @@ static int aqc111_reset(struct usbnet *dev) /* Power up ethernet PHY */ aqc111_data->phy_cfg = AQ_PHY_POWER_EN; + phy_on_the_wire = aqc111_data->phy_cfg; aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, - &aqc111_data->phy_cfg); + &phy_on_the_wire); /* Set the MAC address */ aqc111_write_cmd(dev, AQ_ACCESS_MAC, SFR_NODE_ID, ETH_ALEN, @@ -1036,6 +1042,7 @@ static int aqc111_stop(struct usbnet *dev) { struct aqc111_data *aqc111_data = dev->driver_priv; u16 reg16 = 0; + u32 phy_on_the_wire; aqc111_read16_cmd(dev, AQ_ACCESS_MAC, SFR_MEDIUM_STATUS_MODE, 2, ®16); @@ -1047,8 +1054,9 @@ static int aqc111_stop(struct usbnet *dev) /* Put PHY to low power*/ aqc111_data->phy_cfg |= AQ_LOW_POWER; + phy_on_the_wire = aqc111_data->phy_cfg; aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, - &aqc111_data->phy_cfg); + &phy_on_the_wire); netif_carrier_off(dev->net); @@ -1324,6 +1332,7 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) u16 temp_rx_ctrl = 0x00; u16 reg16; u8 reg8; + u32 phy_on_the_wire; usbnet_suspend(intf, message); @@ -1395,12 +1404,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, WOL_CFG_SIZE, &wol_cfg); + phy_on_the_wire = aqc111_data->phy_cfg; aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, - &aqc111_data->phy_cfg); + &phy_on_the_wire); } else { aqc111_data->phy_cfg |= AQ_LOW_POWER; + phy_on_the_wire = aqc111_data->phy_cfg; aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, - &aqc111_data->phy_cfg); + &phy_on_the_wire); /* Disable RX path */ aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC, From 2cf672709beb005f6e90cb4edbed6f2218ba953e Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Thu, 9 May 2019 11:08:18 +0200 Subject: [PATCH 25/34] aqc111: fix double endianness swap on BE If you are using a function that does a swap in place, you cannot just reuse the buffer on the assumption that it has not been changed. Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller --- drivers/net/usb/aqc111.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c index 599d560a8450..b86c5ce9a92a 100644 --- a/drivers/net/usb/aqc111.c +++ b/drivers/net/usb/aqc111.c @@ -1428,7 +1428,7 @@ static int aqc111_resume(struct usb_interface *intf) { struct usbnet *dev = usb_get_intfdata(intf); struct aqc111_data *aqc111_data = dev->driver_priv; - u16 reg16; + u16 reg16, oldreg16; u8 reg8; netif_carrier_off(dev->net); @@ -1444,9 +1444,11 @@ static int aqc111_resume(struct usb_interface *intf) /* Configure RX control register => start operation */ reg16 = aqc111_data->rxctl; reg16 &= ~SFR_RX_CTL_START; + /* needs to be saved in case endianness is swapped */ + oldreg16 = reg16; aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, SFR_RX_CTL, 2, ®16); - reg16 |= SFR_RX_CTL_START; + reg16 = oldreg16 | SFR_RX_CTL_START; aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, SFR_RX_CTL, 2, ®16); aqc111_set_phy_speed(dev, aqc111_data->autoneg, From 70610c922bae2f3f974eef955ef254defb7755ce Mon Sep 17 00:00:00 2001 From: Kefeng Wang Date: Thu, 9 May 2019 23:32:35 +0800 Subject: [PATCH 26/34] net: aquantia: fix undefined devm_hwmon_device_register_with_info reference drivers/net/ethernet/aquantia/atlantic/aq_drvinfo.o: In function `aq_drvinfo_init': aq_drvinfo.c:(.text+0xe8): undefined reference to `devm_hwmon_device_register_with_info' Fix it by using #if IS_REACHABLE(CONFIG_HWMON). Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: David S. Miller --- drivers/net/ethernet/aquantia/atlantic/aq_drvinfo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_drvinfo.c b/drivers/net/ethernet/aquantia/atlantic/aq_drvinfo.c index f5a92b2a5cd6..adad6a7acabe 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_drvinfo.c +++ b/drivers/net/ethernet/aquantia/atlantic/aq_drvinfo.c @@ -13,6 +13,7 @@ #include "aq_drvinfo.h" +#if IS_REACHABLE(CONFIG_HWMON) static int aq_hwmon_read(struct device *dev, enum hwmon_sensor_types type, u32 attr, int channel, long *value) { @@ -123,3 +124,7 @@ int aq_drvinfo_init(struct net_device *ndev) return err; } + +#else +int aq_drvinfo_init(struct net_device *ndev) { return 0; } +#endif From 494bc1d281b5a9f02a81249fa566d8c7e390c50c Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Wed, 8 May 2019 16:46:14 -0700 Subject: [PATCH 27/34] net/tcp: use deferred jump label for TCP acked data hook User space can flip the clean_acked_data_enabled static branch on and off with TLS offload when CONFIG_TLS_DEVICE is enabled. jump_label.h suggests we use the delayed version in this case. Deferred branches now also don't take the branch mutex on decrement, so we avoid potential locking issues. Signed-off-by: Jakub Kicinski Reviewed-by: Simon Horman Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller --- include/net/tcp.h | 2 +- net/ipv4/tcp_input.c | 16 +++++++++++----- net/tls/tls_device.c | 1 + 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 7cf1181630a3..985aa5db570c 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2198,7 +2198,7 @@ extern struct static_key_false tcp_have_smc; void clean_acked_data_enable(struct inet_connection_sock *icsk, void (*cad)(struct sock *sk, u32 ack_seq)); void clean_acked_data_disable(struct inet_connection_sock *icsk); - +void clean_acked_data_flush(void); #endif #endif /* _TCP_H */ diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 077d9abdfcf5..20f6fac5882e 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -77,7 +77,7 @@ #include #include #include -#include +#include #include int sysctl_tcp_max_orphans __read_mostly = NR_FILE; @@ -113,22 +113,28 @@ int sysctl_tcp_max_orphans __read_mostly = NR_FILE; #define REXMIT_NEW 2 /* FRTO-style transmit of unsent/new packets */ #if IS_ENABLED(CONFIG_TLS_DEVICE) -static DEFINE_STATIC_KEY_FALSE(clean_acked_data_enabled); +static DEFINE_STATIC_KEY_DEFERRED_FALSE(clean_acked_data_enabled, HZ); void clean_acked_data_enable(struct inet_connection_sock *icsk, void (*cad)(struct sock *sk, u32 ack_seq)) { icsk->icsk_clean_acked = cad; - static_branch_inc(&clean_acked_data_enabled); + static_branch_inc(&clean_acked_data_enabled.key); } EXPORT_SYMBOL_GPL(clean_acked_data_enable); void clean_acked_data_disable(struct inet_connection_sock *icsk) { - static_branch_dec(&clean_acked_data_enabled); + static_branch_slow_dec_deferred(&clean_acked_data_enabled); icsk->icsk_clean_acked = NULL; } EXPORT_SYMBOL_GPL(clean_acked_data_disable); + +void clean_acked_data_flush(void) +{ + static_key_deferred_flush(&clean_acked_data_enabled); +} +EXPORT_SYMBOL_GPL(clean_acked_data_flush); #endif static void tcp_gro_dev_warn(struct sock *sk, const struct sk_buff *skb, @@ -3598,7 +3604,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) icsk->icsk_retransmits = 0; #if IS_ENABLED(CONFIG_TLS_DEVICE) - if (static_branch_unlikely(&clean_acked_data_enabled)) + if (static_branch_unlikely(&clean_acked_data_enabled.key)) if (icsk->icsk_clean_acked) icsk->icsk_clean_acked(sk, ack); #endif diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index e225c81e6b35..ad1580ac097a 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -1036,4 +1036,5 @@ void __exit tls_device_cleanup(void) { unregister_netdevice_notifier(&tls_dev_notifier); flush_work(&tls_device_gc_work); + clean_acked_data_flush(); } From 36096f2f4fa05f7678bc87397665491700bae757 Mon Sep 17 00:00:00 2001 From: YueHaibing Date: Thu, 9 May 2019 22:52:20 +0800 Subject: [PATCH 28/34] packet: Fix error path in packet_init kernel BUG at lib/list_debug.c:47! invalid opcode: 0000 [#1 CPU: 0 PID: 12914 Comm: rmmod Tainted: G W 5.1.0+ #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 RIP: 0010:__list_del_entry_valid+0x53/0x90 Code: 48 8b 32 48 39 fe 75 35 48 8b 50 08 48 39 f2 75 40 b8 01 00 00 00 5d c3 48 89 fe 48 89 c2 48 c7 c7 18 75 fe 82 e8 cb 34 78 ff <0f> 0b 48 89 fe 48 c7 c7 50 75 fe 82 e8 ba 34 78 ff 0f 0b 48 89 f2 RSP: 0018:ffffc90001c2fe40 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffffffffa0184000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff888237a17788 RDI: 00000000ffffffff RBP: ffffc90001c2fe40 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90001c2fe10 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc90001c2fe50 R14: ffffffffa0184000 R15: 0000000000000000 FS: 00007f3d83634540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555c350ea818 CR3: 0000000231677000 CR4: 00000000000006f0 Call Trace: unregister_pernet_operations+0x34/0x120 unregister_pernet_subsys+0x1c/0x30 packet_exit+0x1c/0x369 [af_packet __x64_sys_delete_module+0x156/0x260 ? lockdep_hardirqs_on+0x133/0x1b0 ? do_syscall_64+0x12/0x1f0 do_syscall_64+0x6e/0x1f0 entry_SYSCALL_64_after_hwframe+0x49/0xbe When modprobe af_packet, register_pernet_subsys fails and does a cleanup, ops->list is set to LIST_POISON1, but the module init is considered to success, then while rmmod it, BUG() is triggered in __list_del_entry_valid which is called from unregister_pernet_subsys. This patch fix error handing path in packet_init to avoid possilbe issue if some error occur. Reported-by: Hulk Robot Signed-off-by: YueHaibing Signed-off-by: David S. Miller --- net/packet/af_packet.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 90d4e3ce00e5..fbc775fbf712 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -4598,14 +4598,29 @@ static void __exit packet_exit(void) static int __init packet_init(void) { - int rc = proto_register(&packet_proto, 0); + int rc; - if (rc != 0) + rc = proto_register(&packet_proto, 0); + if (rc) goto out; + rc = sock_register(&packet_family_ops); + if (rc) + goto out_proto; + rc = register_pernet_subsys(&packet_net_ops); + if (rc) + goto out_sock; + rc = register_netdevice_notifier(&packet_netdev_notifier); + if (rc) + goto out_pernet; - sock_register(&packet_family_ops); - register_pernet_subsys(&packet_net_ops); - register_netdevice_notifier(&packet_netdev_notifier); + return 0; + +out_pernet: + unregister_pernet_subsys(&packet_net_ops); +out_sock: + sock_unregister(PF_PACKET); +out_proto: + proto_unregister(&packet_proto); out: return rc; } From 07b619919d3d5401adc9bc6b79dcf12cc2c6d485 Mon Sep 17 00:00:00 2001 From: Lorenz Bauer Date: Wed, 8 May 2019 17:49:32 +0100 Subject: [PATCH 29/34] selftests: bpf: initialize bpf_object pointers where needed There are a few tests which call bpf_object__close on uninitialized bpf_object*, which may segfault. Explicitly zero-initialise these pointers to avoid this. Signed-off-by: Lorenz Bauer Acked-by: Martin KaFai Lau Signed-off-by: Alexei Starovoitov --- tools/testing/selftests/bpf/prog_tests/bpf_verif_scale.c | 2 +- tools/testing/selftests/bpf/prog_tests/task_fd_query_tp.c | 2 +- tools/testing/selftests/bpf/prog_tests/tp_attach_query.c | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_verif_scale.c b/tools/testing/selftests/bpf/prog_tests/bpf_verif_scale.c index 23b159d95c3f..b74e2f6e96d0 100644 --- a/tools/testing/selftests/bpf/prog_tests/bpf_verif_scale.c +++ b/tools/testing/selftests/bpf/prog_tests/bpf_verif_scale.c @@ -15,7 +15,7 @@ static int libbpf_debug_print(enum libbpf_print_level level, static int check_load(const char *file) { struct bpf_prog_load_attr attr; - struct bpf_object *obj; + struct bpf_object *obj = NULL; int err, prog_fd; memset(&attr, 0, sizeof(struct bpf_prog_load_attr)); diff --git a/tools/testing/selftests/bpf/prog_tests/task_fd_query_tp.c b/tools/testing/selftests/bpf/prog_tests/task_fd_query_tp.c index d636a4f39476..f9b70e81682b 100644 --- a/tools/testing/selftests/bpf/prog_tests/task_fd_query_tp.c +++ b/tools/testing/selftests/bpf/prog_tests/task_fd_query_tp.c @@ -9,7 +9,7 @@ static void test_task_fd_query_tp_core(const char *probe_name, struct perf_event_attr attr = {}; __u64 probe_offset, probe_addr; __u32 len, prog_id, fd_type; - struct bpf_object *obj; + struct bpf_object *obj = NULL; __u32 duration = 0; char buf[256]; diff --git a/tools/testing/selftests/bpf/prog_tests/tp_attach_query.c b/tools/testing/selftests/bpf/prog_tests/tp_attach_query.c index a2f476f91637..fb095e5cd9af 100644 --- a/tools/testing/selftests/bpf/prog_tests/tp_attach_query.c +++ b/tools/testing/selftests/bpf/prog_tests/tp_attach_query.c @@ -13,6 +13,9 @@ void test_tp_attach_query(void) struct bpf_prog_info prog_info; char buf[256]; + for (i = 0; i < num_progs; i++) + obj[i] = NULL; + snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/sched/sched_switch/id"); efd = open(buf, O_RDONLY, 0); From 69e168ebdcfcb87ce7252d4857d570f99996fa27 Mon Sep 17 00:00:00 2001 From: Jiong Wang Date: Tue, 7 May 2019 17:41:30 +0100 Subject: [PATCH 30/34] nfp: bpf: fix static check error through tightening shift amount adjustment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit NFP shift instruction has something special. If shift direction is left then shift amount of 1 to 31 is specified as 32 minus the amount to shift. But no need to do this for indirect shift which has shift amount be 0. Even after we do this subtraction, shift amount 0 will be turned into 32 which will eventually be encoded the same as 0 because only low 5 bits are encoded, but shift amount be 32 will fail the FIELD_PREP check done later on shift mask (0x1f), due to 32 is out of mask range. Such error has been observed when compiling nfp/bpf/jit.c using gcc 8.3 + O3. This issue has started when indirect shift support added after which the incoming shift amount to __emit_shf could be 0, therefore it is at that time shift amount adjustment inside __emit_shf should have been tightened. Fixes: 991f5b3651f6 ("nfp: bpf: support logic indirect shifts (BPF_[L|R]SH | BPF_X)") Reported-by: Oleksandr Natalenko Reported-by: Pablo Cascón Reviewed-by: Jakub Kicinski Signed-off-by: Jiong Wang Signed-off-by: Alexei Starovoitov --- drivers/net/ethernet/netronome/nfp/bpf/jit.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/netronome/nfp/bpf/jit.c b/drivers/net/ethernet/netronome/nfp/bpf/jit.c index f272247d1708..d4bf0e694541 100644 --- a/drivers/net/ethernet/netronome/nfp/bpf/jit.c +++ b/drivers/net/ethernet/netronome/nfp/bpf/jit.c @@ -328,7 +328,18 @@ __emit_shf(struct nfp_prog *nfp_prog, u16 dst, enum alu_dst_ab dst_ab, return; } - if (sc == SHF_SC_L_SHF) + /* NFP shift instruction has something special. If shift direction is + * left then shift amount of 1 to 31 is specified as 32 minus the amount + * to shift. + * + * But no need to do this for indirect shift which has shift amount be + * 0. Even after we do this subtraction, shift amount 0 will be turned + * into 32 which will eventually be encoded the same as 0 because only + * low 5 bits are encoded, but shift amount be 32 will fail the + * FIELD_PREP check done later on shift mask (0x1f), due to 32 is out of + * mask range. + */ + if (sc == SHF_SC_L_SHF && shift) shift = 32 - shift; insn = OP_SHF_BASE | From 3ef4641fbf870ee1ecd5f890a54881b7f0e20b90 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Wed, 8 May 2019 15:54:48 +0800 Subject: [PATCH 31/34] docs/btf: fix the missing section marks The section titles of 3.4 and 3.5 are not marked correctly. Signed-off-by: Gary Lin Signed-off-by: Alexei Starovoitov --- Documentation/bpf/btf.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Documentation/bpf/btf.rst b/Documentation/bpf/btf.rst index 29396e6943b0..8820360d00da 100644 --- a/Documentation/bpf/btf.rst +++ b/Documentation/bpf/btf.rst @@ -578,6 +578,7 @@ For line_info, the line number and column number are defined as below: #define BPF_LINE_INFO_LINE_COL(line_col) ((line_col) & 0x3ff) 3.4 BPF_{PROG,MAP}_GET_NEXT_ID +============================== In kernel, every loaded program, map or btf has a unique id. The id won't change during the lifetime of a program, map, or btf. @@ -587,6 +588,7 @@ each command, to user space, for bpf program or maps, respectively, so an inspection tool can inspect all programs and maps. 3.5 BPF_{PROG,MAP}_GET_FD_BY_ID +=============================== An introspection tool cannot use id to get details about program or maps. A file descriptor needs to be obtained first for reference-counting purpose. From 88c80bee883e7687d2672f84fd6d0fa1cee3d348 Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Thu, 9 May 2019 16:14:06 -0700 Subject: [PATCH 32/34] net/tls: remove set but not used variables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit 4504ab0e6eb8 ("net/tls: Inform user space about send buffer availability") made us report write_space regardless whether partial record push was successful or not. Remove the now unused return value to clean up the following W=1 warning: net/tls/tls_device.c: In function ‘tls_device_write_space’: net/tls/tls_device.c:546:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable] int rc = 0; ^~ CC: Vakul Garg CC: Boris Pismenny Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Signed-off-by: David S. Miller --- net/tls/tls_device.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index ad1580ac097a..ca54a7c7ec81 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -541,14 +541,11 @@ static int tls_device_push_pending_record(struct sock *sk, int flags) void tls_device_write_space(struct sock *sk, struct tls_context *ctx) { - int rc = 0; - if (!sk->sk_write_pending && tls_is_partially_sent_record(ctx)) { gfp_t sk_allocation = sk->sk_allocation; sk->sk_allocation = GFP_ATOMIC; - rc = tls_push_partial_record(sk, ctx, - MSG_DONTWAIT | MSG_NOSIGNAL); + tls_push_partial_record(sk, ctx, MSG_DONTWAIT | MSG_NOSIGNAL); sk->sk_allocation = sk_allocation; } } From b53f4976fb1f738573b5b76e21d3c2652fffb46b Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Thu, 9 May 2019 16:14:07 -0700 Subject: [PATCH 33/34] net/tls: handle errors from padding_length() At the time padding_length() is called the record header is still part of the message. If malicious TLS 1.3 peer sends an all-zero record padding_length() will stop at the record header, and return full length of the data including the tail_size. Subsequent subtraction of prot->overhead_size from rxm->full_len will cause rxm->full_len to turn negative. skb accessors, however, will always catch resulting out-of-bounds operation, so in practice this fix comes down to returning the correct error code. It also fixes a set but not used warning. This code was added by commit 130b392c6cd6 ("net: tls: Add tls 1.3 support"). CC: Dave Watson Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Signed-off-by: David S. Miller --- net/tls/tls_sw.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index c02293fb10e6..d93f83f77864 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -119,23 +119,25 @@ static int skb_nsg(struct sk_buff *skb, int offset, int len) } static int padding_length(struct tls_sw_context_rx *ctx, - struct tls_context *tls_ctx, struct sk_buff *skb) + struct tls_prot_info *prot, struct sk_buff *skb) { struct strp_msg *rxm = strp_msg(skb); int sub = 0; /* Determine zero-padding length */ - if (tls_ctx->prot_info.version == TLS_1_3_VERSION) { + if (prot->version == TLS_1_3_VERSION) { char content_type = 0; int err; int back = 17; while (content_type == 0) { - if (back > rxm->full_len) + if (back > rxm->full_len - prot->prepend_size) return -EBADMSG; err = skb_copy_bits(skb, rxm->offset + rxm->full_len - back, &content_type, 1); + if (err) + return err; if (content_type) break; sub++; @@ -170,9 +172,17 @@ static void tls_decrypt_done(struct crypto_async_request *req, int err) tls_err_abort(skb->sk, err); } else { struct strp_msg *rxm = strp_msg(skb); - rxm->full_len -= padding_length(ctx, tls_ctx, skb); - rxm->offset += prot->prepend_size; - rxm->full_len -= prot->overhead_size; + int pad; + + pad = padding_length(ctx, prot, skb); + if (pad < 0) { + ctx->async_wait.err = pad; + tls_err_abort(skb->sk, pad); + } else { + rxm->full_len -= pad; + rxm->offset += prot->prepend_size; + rxm->full_len -= prot->overhead_size; + } } /* After using skb->sk to propagate sk through crypto async callback @@ -1478,7 +1488,7 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb, struct tls_prot_info *prot = &tls_ctx->prot_info; int version = prot->version; struct strp_msg *rxm = strp_msg(skb); - int err = 0; + int pad, err = 0; if (!ctx->decrypted) { #ifdef CONFIG_TLS_DEVICE @@ -1501,7 +1511,11 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb, *zc = false; } - rxm->full_len -= padding_length(ctx, tls_ctx, skb); + pad = padding_length(ctx, prot, skb); + if (pad < 0) + return pad; + + rxm->full_len -= pad; rxm->offset += prot->prepend_size; rxm->full_len -= prot->overhead_size; tls_advance_record_sn(sk, &tls_ctx->rx, version); From 6c9f05441477e29783e8391d06c067e4a3b23d47 Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Thu, 9 May 2019 16:19:34 -0700 Subject: [PATCH 34/34] nfp: add missing kdoc Add missing kdoc for app member. Signed-off-by: Jakub Kicinski Reviewed-by: Dirk van der Merwe Signed-off-by: David S. Miller --- drivers/net/ethernet/netronome/nfp/ccm.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/netronome/nfp/ccm.h b/drivers/net/ethernet/netronome/nfp/ccm.h index e2fe4b867958..ac963b128203 100644 --- a/drivers/net/ethernet/netronome/nfp/ccm.h +++ b/drivers/net/ethernet/netronome/nfp/ccm.h @@ -54,6 +54,8 @@ static inline unsigned int nfp_ccm_get_tag(struct sk_buff *skb) /** * struct nfp_ccm - common control message handling + * @app: APP handle + * * @tag_allocator: bitmap of control message tags in use * @tag_alloc_next: next tag bit to allocate * @tag_alloc_last: next tag bit to be freed