1. 13 Sep, 2023 13 commits
  2. 12 Sep, 2023 10 commits
  3. 11 Sep, 2023 17 commits
    • iavf: Fix promiscuous mode configuration flow messages · 221465de
      Brett Creeley authored
      Currently when configuring promiscuous mode on the AVF we detect a
      change in the netdev->flags. We use IFF_PROMISC and IFF_ALLMULTI to
      determine whether or not we need to request/release promiscuous mode
      and/or multicast promiscuous mode. The problem is that the AQ calls for
      setting/clearing promiscuous/multicast mode are treated separately. This
      leads to a case where we can trigger two promiscuous mode AQ calls in
      a row with the incorrect state. To fix this make a few changes.
      
      Use IAVF_FLAG_AQ_CONFIGURE_PROMISC_MODE instead of the previous
      IAVF_FLAG_AQ_[REQUEST|RELEASE]_[PROMISC|ALLMULTI] flags.
      
      In iavf_set_rx_mode() detect if there is a change in the
      netdev->flags in comparison with adapter->flags and set the
      IAVF_FLAG_AQ_CONFIGURE_PROMISC_MODE aq_required bit. Then in
      iavf_process_aq_command() only check for IAVF_FLAG_CONFIGURE_PROMISC_MODE
      and call iavf_set_promiscuous() if it's set.
      
      In iavf_set_promiscuous() check again to see which (if any) promiscuous
      mode bits have changed when comparing the netdev->flags with the
      adapter->flags. Use this to set the flags which get sent to the PF
      driver.
      
      Add a spinlock that is used for updating current_netdev_promisc_flags
      and only allows one promiscuous mode AQ at a time.
      
      [1] Fixes the fact that we will only have one AQ call in the aq_required
      queue at any one time.
      
      [2] Streamlines the change in promiscuous mode to only set one AQ
      required bit.
      
      [3] This allows us to keep track of the current state of the flags and
      also makes it so we can take the most recent netdev->flags promiscuous
      mode state.
      
      [4] This fixes the problem where a change in the netdev->flags can cause
      IAVF_FLAG_AQ_CONFIGURE_PROMISC_MODE to be set in iavf_set_rx_mode(),
      but cleared in iavf_set_promiscuous() before the change is ever made via
      AQ call.
      
      Fixes: 47d34839 ("i40evf: Add driver support for promiscuous mode")
      Signed-off-by: Brett Creeley <brett.creeley@intel.com>
      Signed-off-by: Ahmed Zaki <ahmed.zaki@intel.com>
      Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    • i40e: fix potential memory leaks in i40e_remove() · 5ca636d9
      Andrii Staikov authored
      Instead of freeing memory of a single VSI, make sure
      the memory for all VSIs is cleared before releasing VSIs.
      Add releasing of their resources in a loop with the iteration
      number equal to the number of allocated VSIs.
      
      Fixes: 41c445ff ("i40e: main driver core")
      Signed-off-by: Andrii Staikov <andrii.staikov@intel.com>
      Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    • net: ethernet: mtk_eth_soc: fix pse_port configuration for MT7988 · 5a124b1f
      Lorenzo Bianconi authored
      MT7988 SoC supports 3 NICs. Fix pse_port configuration in
      mtk_flow_set_output_device routine if the traffic is offloaded to eth2.
      Rely on mtk_pse_port definitions.
      
      Fixes: 88efedf5 ("net: ethernet: mtk_eth_soc: enable nft hw flowtable_offload for MT7988 SoC")
      Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: mtk_eth_soc: fix uninitialized variable · e10a35ab
      Daniel Golle authored
      Variable dma_addr in function mtk_poll_rx can be uninitialized on
      some of the error paths. In practice this doesn't matter, even random
      data present in uninitialized stack memory can safely be used in the
      way it happens in the error path.
      
      However, in order to make Smatch happy make sure the variable is
      always initialized.
      Signed-off-by: Daniel Golle <daniel@makrotopia.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • kcm: Fix memory leak in error path of kcm_sendmsg() · c821a88b
      Shigeru Yoshida authored
      syzbot reported a memory leak like below:
      
      BUG: memory leak
      unreferenced object 0xffff88810b088c00 (size 240):
        comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s)
        hex dump (first 32 bytes):
          00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634
          [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline]
          [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815
          [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline]
          [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748
          [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494
          [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548
          [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577
          [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
          [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
          [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append
      newly allocated skbs to 'head'. If some bytes are copied, an error occurs,
      and the code jumps to the out_error label, 'last_skb' is left unmodified. A later
      kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the
      'head' frag_list and causing the leak.
      
      This patch fixes this issue by properly updating the last allocated skb in
      'last_skb'.
      
      Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
      Reported-and-tested-by: syzbot+6f98de741f7dbbfc4ccb@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=6f98de741f7dbbfc4ccb
      Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • r8152: check budget for r8152_poll() · a7b8d60b
      Hayes Wang authored
      According to the document of napi, there is no rx process when the
      budget is 0. Therefore, r8152_poll() has to return 0 directly when the
      budget is equal to 0.
      
      Fixes: d2187f8e ("r8152: divide the tx and rx bottom functions")
      Signed-off-by: Hayes Wang <hayeswang@realtek.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'sha1105-regressions' · 904de985
      David S. Miller authored
      Vladimir Oltean says:
      
      ====================
      Fixes for SJA1105 DSA FDB regressions
      
      A report by Yanan Yang has prompted an investigation into the sja1105
      driver's behavior w.r.t. multicast. The report states that when adding
      multicast L2 addresses with "bridge mdb add", only the most recently
      added address works - the others seem to be overwritten. This is solved
      by patch 3/5 (with patch 2/5 as a dependency for it).
      
      Patches 4/5 and 5/5 fix a series of race conditions introduced during
      the same patch set as the bug above, namely this one:
      https://patchwork.kernel.org/project/netdevbpf/cover/20211024171757.3753288-1-vladimir.oltean@nxp.com/
      
      Finally, patch 1/5 fixes an issue found ever since the introduction of
      multicast forwarding offload in sja1105, which is that the multicast
      addresses are visible (with the "self" flag) in "bridge fdb show".
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: sja1105: block FDB accesses that are concurrent with a switch reset · 86899e9e
      Vladimir Oltean authored
      Currently, when we add the first sja1105 port to a bridge with
      vlan_filtering 1, then we sometimes see this output:
      
      sja1105 spi2.2: port 4 failed to read back entry for be:79:b4:9e:9e:96 vid 3088: -ENOENT
      sja1105 spi2.2: Reset switch and programmed static config. Reason: VLAN filtering
      sja1105 spi2.2: port 0 failed to add be:79:b4:9e:9e:96 vid 0 to fdb: -2
      
      It is because sja1105_fdb_add() runs from the dsa_owq which is no longer
      serialized with switch resets since it dropped the rtnl_lock() in the
      blamed commit.
      
      Either performing the FDB accesses before the reset, or after the reset,
      is equally fine, because sja1105_static_fdb_change() backs up those
      changes in the static config, but FDB access during reset isn't ok.
      
      Make sja1105_static_config_reload() take the fdb_lock to fix that.
      
      Fixes: 0faf890f ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work")
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other FDB accesses · ea32690d
      Vladimir Oltean authored
      sja1105_fdb_add() runs from the dsa_owq, and sja1105_port_mcast_flood()
      runs from switchdev_deferred_process_work(). Prior to the blamed commit,
      they used to be indirectly serialized through the rtnl_lock(), which
      no longer holds true because dsa_owq dropped that.
      
      So, it is now possible that we traverse the static config BLK_IDX_L2_LOOKUP
      elements concurrently compared to when we change them, in
      sja1105_static_fdb_change(). That is not ideal, since it might result in
      data corruption.
      
      Introduce a mutex which serializes accesses to the hardware FDB and to
      the static config elements for the L2 Address Lookup table.
      
      I can't find a good reason to add locking around sja1105_fdb_dump().
      I'll add it later if needed.
      
      Fixes: 0faf890f ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work")
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry · 7cef293b
      Vladimir Oltean authored
      The commit cited in Fixes: did 2 things: it refactored the read-back
      polling from sja1105_dynamic_config_read() into a new function,
      sja1105_dynamic_config_wait_complete(), and it called that from
      sja1105_dynamic_config_write() too.
      
      What is problematic is the refactoring.
      
      The refactored code from sja1105_dynamic_config_poll_valid() works like
      the previous one, but the problem is that it uses another packed_buf[]
      SPI buffer, and there was code at the end of sja1105_dynamic_config_read()
      which was relying on the read-back packed_buf[]:
      
      	/* Don't dereference possibly NULL pointer - maybe caller
      	 * only wanted to see whether the entry existed or not.
      	 */
      	if (entry)
      		ops->entry_packing(packed_buf, entry, UNPACK);
      
      After the change, the packed_buf[] that this code sees is no longer the
      entry read back from hardware, but the original entry that the caller
      passed to the sja1105_dynamic_config_read(), packed into this buffer.
      
      This difference is the most notable with the SJA1105_SEARCH uses from
      sja1105pqrs_fdb_add() - used for both fdb and mdb. There, we have logic
      added by commit 728db843 ("net: dsa: sja1105: ignore the FDB entry
      for unknown multicast when adding a new address") to figure out whether
      the address we're trying to add matches on any existing hardware entry,
      with the exception of the catch-all multicast address.
      
      That logic was broken, because with sja1105_dynamic_config_read() not
      working properly, it doesn't return us the entry read back from
      hardware, but the entry that we passed to it. And, since for multicast,
      a match will always exist, it will tell us that any mdb entry already
      exists at index=0 L2 Address Lookup table. It is index=0 because the
      caller doesn't know the index - it wants to find it out, and
      sja1105_dynamic_config_read() does:
      
      	if (index < 0) { // SJA1105_SEARCH
      		/* Avoid copying a signed negative number to an u64 */
      		cmd.index = 0; // <- this
      		cmd.search = true;
      	} else {
      		cmd.index = index;
      		cmd.search = false;
      	}
      
      So, to the caller of sja1105_dynamic_config_read(), the returned info
      looks entirely legit, and it will add all mdb entries to FDB index 0.
      There, they will always overwrite each other (not to mention,
      potentially they can also overwrite a pre-existing bridge fdb entry),
      and the user-visible impact will be that only the last mdb entry will be
      forwarded as it should. The others won't (will be flooded or dropped,
      depending on the egress flood settings).
      
      Fixing is a bit more complicated, and involves either passing the same
      packed_buf[] to sja1105_dynamic_config_wait_complete(), or moving all
      the extra processing on the packed_buf[] to
      sja1105_dynamic_config_wait_complete(). I've opted for the latter,
      because it makes sja1105_dynamic_config_wait_complete() a bit more
      self-contained.
      
      Fixes: df405910 ("net: dsa: sja1105: wait for dynamic config command completion on writes too")
      Reported-by: Yanan Yang <yanan.yang@nxp.com>
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: sja1105: propagate exact error code from sja1105_dynamic_config_poll_valid() · c9567980
      Vladimir Oltean authored
      Currently, sja1105_dynamic_config_wait_complete() returns either 0 or
      -ETIMEDOUT, because it just looks at the read_poll_timeout() return code.
      
      There will be future changes which move some more checks to
      sja1105_dynamic_config_poll_valid(). It is important that we propagate
      their exact return code (-ENOENT, -EINVAL), because callers of
      sja1105_dynamic_config_read() depend on them.
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: sja1105: hide all multicast addresses from "bridge fdb show" · 02c652f5
      Vladimir Oltean authored
      Commit 4d942354 ("net: dsa: sja1105: offload bridge port flags to
      device") has partially hidden some multicast entries from showing up in
      the "bridge fdb show" output, but it wasn't enough. Addresses which are
      added through "bridge mdb add" still show up. Hide them all.
      
      Fixes: 291d1e72 ("net: dsa: sja1105: Add support for FDB and MDB management")
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net:ethernet:adi:adin1110: Fix forwarding offload · 32530dba
      Ciprian Regus authored
      Currently, when a new fdb entry is added (with both ports of the
      ADIN2111 bridged), the driver configures the MAC filters for the wrong
      port, which results in the forwarding being done by the host, and not
      actually hardware offloaded.
      
      The ADIN2111 offloads the forwarding by setting filters on the
      destination MAC address of incoming frames. Based on these, they may be
      routed to the other port. Thus, if a frame has to be forwarded from port
      1 to port 2, the required configuration for the ADDR_FILT_UPRn register
      should set the APPLY2PORT1 bit (instead of APPLY2PORT2, as it's
      currently the case).
      
      Fixes: bc93e19d ("net: ethernet: adi: Add ADIN1110 support")
      Signed-off-by: Ciprian Regus <ciprian.regus@analog.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • hsr: Fix uninit-value access in fill_frame_info() · 484b4833
      Ziyang Xuan authored
      Syzbot reports the following uninit-value access problem.
      
      =====================================================
      BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline]
      BUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
       fill_frame_info net/hsr/hsr_forward.c:601 [inline]
       hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
       hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223
       __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
       netdev_start_xmit include/linux/netdevice.h:4903 [inline]
       xmit_one net/core/dev.c:3544 [inline]
       dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560
       __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340
       dev_queue_xmit include/linux/netdevice.h:3082 [inline]
       packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
       packet_snd net/packet/af_packet.c:3087 [inline]
       packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
       sock_sendmsg_nosec net/socket.c:730 [inline]
       sock_sendmsg net/socket.c:753 [inline]
       __sys_sendto+0x781/0xa30 net/socket.c:2176
       __do_sys_sendto net/socket.c:2188 [inline]
       __se_sys_sendto net/socket.c:2184 [inline]
       __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
       do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
       __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
       do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
       do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
       entry_SYSENTER_compat_after_hwframe+0x70/0x82
      
      Uninit was created at:
       slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
       slab_alloc_node mm/slub.c:3478 [inline]
       kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
       kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559
       __alloc_skb+0x318/0x740 net/core/skbuff.c:644
       alloc_skb include/linux/skbuff.h:1286 [inline]
       alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299
       sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794
       packet_alloc_skb net/packet/af_packet.c:2936 [inline]
       packet_snd net/packet/af_packet.c:3030 [inline]
       packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
       sock_sendmsg_nosec net/socket.c:730 [inline]
       sock_sendmsg net/socket.c:753 [inline]
       __sys_sendto+0x781/0xa30 net/socket.c:2176
       __do_sys_sendto net/socket.c:2188 [inline]
       __se_sys_sendto net/socket.c:2184 [inline]
       __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
       do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
       __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
       do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
       do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
       entry_SYSENTER_compat_after_hwframe+0x70/0x82
      
      It is because VLAN is not yet supported in the hsr driver. Return an error
      when the protocol is ETH_P_8021Q in fill_frame_info() now to fix it.
      
      Fixes: 451d8123 ("net: prp: add packet handling support")
      Reported-by: syzbot+bf7e6250c7ce248f3ec9@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=bf7e6250c7ce248f3ec9
      Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'rule_buf-OOB' · 0b9c3914
      David S. Miller authored
      Hangyu Hua says:
      
      ====================
      Fix possible OOB write when using rule_buf
      
      Add bounds checks in bcmasp_netfilt_get_all_active and
      mvpp2_ethtool_get_rxnfc and mtk_hwlro_get_fdir_all when
      using rule_buf from ethtool_get_rxnfc.
      
      v2:
      [PATCH v2 1/3]: use -EMSGSIZE instead of truncating the list silently.
      [PATCH v2 3/3]: drop the brackets.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() · e4c79810
      Hangyu Hua authored
      rule_locs is allocated in ethtool_get_rxnfc and the size is determined by
      rule_cnt from user space. So rule_cnt needs to be checked before using
      rule_locs to avoid NULL pointer dereference.
      
      Fixes: 7aab747e ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
      Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() · 51fe0a47
      Hangyu Hua authored
      rules is allocated in ethtool_get_rxnfc and the size is determined by
      rule_cnt from user space. So rule_cnt needs to be checked before using
      rules to avoid OOB writing or NULL pointer dereference.
      
      Fixes: 90b509b3 ("net: mvpp2: cls: Add Classification offload support")
      Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
      Reviewed-by: Marcin Wojtas <mw@semihalf.com>
      Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Signed-off-by: David S. Miller <davem@davemloft.net>
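
The bounds check that the 'rule_buf-OOB' series describes, as an added example that is not taken from any of the listed commits or from the kernel tree: a user-space C model in which the caller sizes `rule_locs` by `rule_cnt`, with the unchecked walk beside the checked one. The handler names, `TABLE_SIZE`, the canary harness and the sample table are constructed for illustration; `-EMSGSIZE` is the error the cover letter names for patch 1/3.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_SIZE 8        /* hypothetical size of the driver's rule table */
#define CANARY 0xdeadbeefu  /* marks slots beyond what the caller sized */
/* Constructed sample: 5 of the 8 table entries hold an active rule. */
static const uint8_t SAMPLE_ACTIVE[TABLE_SIZE] = {1, 1, 0, 1, 1, 1, 0, 0};

typedef int (*get_all_fn)(const uint8_t *active, uint32_t *rule_locs,
                          uint32_t rule_cnt);

/* Unchecked shape: one write per active rule, rule_cnt never consulted. */
static int get_all_unchecked(const uint8_t *active, uint32_t *rule_locs,
                             uint32_t rule_cnt)
{
    uint32_t cnt = 0;
    (void)rule_cnt;
    for (uint32_t i = 0; i < TABLE_SIZE; i++)
        if (active[i])
            rule_locs[cnt++] = i;
    return (int)cnt;
}

/* Checked shape: stop with -EMSGSIZE before touching slot rule_cnt. */
static int get_all_checked(const uint8_t *active, uint32_t *rule_locs,
                           uint32_t rule_cnt)
{
    uint32_t cnt = 0;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        if (!active[i])
            continue;
        if (cnt == rule_cnt)  /* also covers rule_cnt == 0 with NULL rule_locs */
            return -EMSGSIZE;
        rule_locs[cnt++] = i;
    }
    return (int)cnt;
}

/* Runs fn on rule_cnt slots followed by TABLE_SIZE canary slots; returns the
 * number of canaries overwritten, i.e. writes past the caller's buffer. */
static int slots_overrun(get_all_fn fn, const uint8_t *active,
                         uint32_t rule_cnt, int *ret)
{
    uint32_t total = rule_cnt + TABLE_SIZE;
    uint32_t *buf = malloc(total * sizeof(*buf));
    int overrun = 0;
    if (!buf) {
        *ret = -ENOMEM;
        return -1;
    }
    for (uint32_t i = 0; i < total; i++)
        buf[i] = CANARY;
    *ret = fn(active, buf, rule_cnt);
    for (uint32_t i = rule_cnt; i < total; i++)
        overrun += buf[i] != CANARY;
    free(buf);
    return overrun;
}

int main(void)
{
    int r1, r2;
    int o1 = slots_overrun(get_all_unchecked, SAMPLE_ACTIVE, 2, &r1);
    int o2 = slots_overrun(get_all_checked, SAMPLE_ACTIVE, 2, &r2);
    printf("unchecked ret=%d overrun=%d; checked ret=%d overrun=%d\n", r1, o1, r2, o2);
    return 0;
}
```

The canary slots stand in for whatever memory follows the real allocation, so the overrun is counted without the model itself writing out of bounds.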