1. 10 Jun, 2021 7 commits
    • Chris Mi's avatar
      net/mlx5e: Verify dev is present in get devlink port ndo · 11f5ac3e
      Chris Mi authored
      When changing eswitch mode, the netdev is detached from the
      hardware resources. So verify dev is present in get devlink
      port ndo. Otherwise, we will hit the following panic:
      
      [241535.973539] RIP: 0010:__devlink_port_phys_port_name_get+0x13/0x1b0
      [241535.976471] RSP: 0018:ffff9eaf0ae1b7c8 EFLAGS: 00010292
      [241535.977471] RAX: 000000000002d370 RBX: 000000000002d370 RCX: 0000000000000000
      [241535.978479] RDX: 0000000000000010 RSI: ffff9eaf0ae1b858 RDI: 000000000002d370
      [241535.979482] RBP: ffff9eaf0ae1b7e0 R08: 000000000000002a R09: ffff8888d54d13da
      [241535.980486] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8888e6700000
      [241535.981491] R13: ffff9eaf0ae1b858 R14: 0000000000000010 R15: 0000000000000000
      [241535.982489] FS:  00007fd374ef3740(0000) GS:ffff88909ea00000(0000) knlGS:0000000000000000
      [241535.983494] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [241535.984487] CR2: 000000000002d444 CR3: 000000089fd26006 CR4: 00000000003706e0
      [241535.985502] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [241535.986499] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [241535.987477] Call Trace:
      [241535.988426]  ? nla_put_64bit+0x71/0xa0
      [241535.989368]  devlink_compat_phys_port_name_get+0x50/0xa0
      [241535.990312]  dev_get_phys_port_name+0x4b/0x60
      [241535.991252]  rtnl_fill_ifinfo+0x57b/0xcb0
      [241535.992192]  rtnl_dump_ifinfo+0x58f/0x6d0
      [241535.993123]  ? ksize+0x14/0x20
      [241535.994033]  ? __alloc_skb+0xe8/0x250
      [241535.994935]  netlink_dump+0x17c/0x300
      [241535.995821]  netlink_recvmsg+0x1de/0x2c0
      [241535.996677]  sock_recvmsg+0x70/0x80
      [241535.997518]  ____sys_recvmsg+0x9b/0x1b0
      [241535.998360]  ? iovec_from_user+0x82/0x120
      [241535.999202]  ? __import_iovec+0x2c/0x130
      [241536.000031]  ___sys_recvmsg+0x94/0x130
      [241536.000850]  ? __handle_mm_fault+0x56d/0x6e0
      [241536.001668]  __sys_recvmsg+0x5f/0xb0
      [241536.002464]  ? syscall_enter_from_user_mode+0x2b/0x80
      [241536.003242]  __x64_sys_recvmsg+0x1f/0x30
      [241536.004008]  do_syscall_64+0x38/0x50
      [241536.004767]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [241536.005532] RIP: 0033:0x7fd375014f47
      
      Fixes: 2ff349c5 ("net/mlx5e: Verify dev is present in some ndos")
      Signed-off-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarChris Mi <cmi@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      11f5ac3e
    • Maor Gottlieb's avatar
      net/mlx5: DR, Don't use SW steering when RoCE is not supported · 4aaf96ac
      Maor Gottlieb authored
      SW steering uses RC QP to write/read to/from ICM, hence it's not
      supported when RoCE is not supported as well.
      
      Fixes: 70605ea5 ("net/mlx5: DR, Expose APIs for direct rule managing")
      Signed-off-by: default avatarMaor Gottlieb <maorg@nvidia.com>
      Reviewed-by: default avatarAlex Vesker <valex@nvidia.com>
      Reviewed-by: default avatarYevgeny Kliteynik <kliteyn@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      4aaf96ac
    • Maor Gottlieb's avatar
      net/mlx5: Consider RoCE cap before init RDMA resources · c189716b
      Maor Gottlieb authored
      Check if RoCE is supported by the device before enable it in
      the vport context and create all the RDMA steering objects.
      
      Fixes: 80f09dfc ("net/mlx5: Eswitch, enable RoCE loopback traffic")
      Signed-off-by: default avatarMaor Gottlieb <maorg@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      c189716b
    • Dima Chumak's avatar
      net/mlx5e: Fix page reclaim for dead peer hairpin · a3e5fd93
      Dima Chumak authored
      When adding a hairpin flow, a firmware-side send queue is created for
      the peer net device, which claims some host memory pages for its
      internal ring buffer. If the peer net device is removed/unbound before
      the hairpin flow is deleted, then the send queue is not destroyed which
      leads to a stack trace on pci device remove:
      
      [ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource
      [ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110
      [ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0
      [ 748.002171] ------------[ cut here ]------------
      [ 748.001177] FW pages counter is 4 after reclaiming all pages
      [ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]                      [  +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core]
      [ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1
      [ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]
      [ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9
      [ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286
      [ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000
      [ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51
      [ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8
      [ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30
      [ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000
      [ 748.001429] FS:  00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000
      [ 748.001695] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0
      [ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 748.001654] Call Trace:
      [ 748.000576]  ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core]
      [ 748.001416]  ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core]
      [ 748.001354]  ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core]
      [ 748.001203]  mlx5_function_teardown+0x30/0x60 [mlx5_core]
      [ 748.001275]  mlx5_uninit_one+0xa7/0xc0 [mlx5_core]
      [ 748.001200]  remove_one+0x5f/0xc0 [mlx5_core]
      [ 748.001075]  pci_device_remove+0x9f/0x1d0
      [ 748.000833]  device_release_driver_internal+0x1e0/0x490
      [ 748.001207]  unbind_store+0x19f/0x200
      [ 748.000942]  ? sysfs_file_ops+0x170/0x170
      [ 748.001000]  kernfs_fop_write_iter+0x2bc/0x450
      [ 748.000970]  new_sync_write+0x373/0x610
      [ 748.001124]  ? new_sync_read+0x600/0x600
      [ 748.001057]  ? lock_acquire+0x4d6/0x700
      [ 748.000908]  ? lockdep_hardirqs_on_prepare+0x400/0x400
      [ 748.001126]  ? fd_install+0x1c9/0x4d0
      [ 748.000951]  vfs_write+0x4d0/0x800
      [ 748.000804]  ksys_write+0xf9/0x1d0
      [ 748.000868]  ? __x64_sys_read+0xb0/0xb0
      [ 748.000811]  ? filp_open+0x50/0x50
      [ 748.000919]  ? syscall_enter_from_user_mode+0x1d/0x50
      [ 748.001223]  do_syscall_64+0x3f/0x80
      [ 748.000892]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [ 748.001026] RIP: 0033:0x7f58bcfb22f7
      [ 748.000944] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
      [ 748.003925] RSP: 002b:00007fffd7f2aaa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [ 748.001732] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f58bcfb22f7
      [ 748.001426] RDX: 000000000000000d RSI: 00007fffd7f2abc0 RDI: 0000000000000003
      [ 748.001746] RBP: 00007fffd7f2abc0 R08: 0000000000000000 R09: 0000000000000001
      [ 748.001631] R10: 00000000000001b6 R11: 0000000000000246 R12: 000000000000000d
      [ 748.001537] R13: 00005597ac2c24a0 R14: 000000000000000d R15: 00007f58bd084700
      [ 748.001564] irq event stamp: 0
      [ 748.000787] hardirqs last  enabled at (0): [<0000000000000000>] 0x0
      [ 748.001399] hardirqs last disabled at (0): [<ffffffff813132cf>] copy_process+0x146f/0x5eb0
      [ 748.001854] softirqs last  enabled at (0): [<ffffffff8131330e>] copy_process+0x14ae/0x5eb0
      [ 748.013431] softirqs last disabled at (0): [<0000000000000000>] 0x0
      [ 748.001492] ---[ end trace a6fabd773d1c51ae ]---
      
      Fix by destroying the send queue of a hairpin peer net device that is
      being removed/unbound, which returns the allocated ring buffer pages to
      the host.
      
      Fixes: 4d8fcf21 ("net/mlx5e: Avoid unbounded peer devices when unpairing TC hairpin rules")
      Signed-off-by: default avatarDima Chumak <dchumak@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      a3e5fd93
    • Huy Nguyen's avatar
      net/mlx5e: Remove dependency in IPsec initialization flows · 8ad893e5
      Huy Nguyen authored
      Currently, IPsec feature is disabled because mlx5e_build_nic_netdev
      is required to be called after mlx5e_ipsec_init. This requirement is
      invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize
      independent resources.
      
      Remove ipsec pointer check in mlx5e_build_nic_netdev so that the
      two functions can be called at any order.
      
      Fixes: 547eede0 ("net/mlx5e: IPSec, Innova IPSec offload infrastructure")
      Signed-off-by: default avatarHuy Nguyen <huyn@nvidia.com>
      Reviewed-by: default avatarRaed Salem <raeds@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      8ad893e5
    • Vlad Buslov's avatar
      net/mlx5e: Fix use-after-free of encap entry in neigh update handler · fb1a3132
      Vlad Buslov authored
      Function mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock
      removal from TC filter update path and properly handle concurrent encap
      entry insertion/deletion which can lead to following use-after-free:
      
       [23827.464923] ==================================================================
       [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635
       [23827.472251]
       [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5
       [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
       [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]
       [23827.476731] Call Trace:
       [23827.477260]  dump_stack+0xbb/0x107
       [23827.477906]  print_address_description.constprop.0+0x18/0x140
       [23827.478896]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.479879]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.480905]  kasan_report.cold+0x7c/0xd8
       [23827.481701]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.482744]  kasan_check_range+0x145/0x1a0
       [23827.493112]  mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.494054]  ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]
       [23827.495296]  mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]
       [23827.496338]  ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]
       [23827.497486]  ? read_word_at_a_time+0xe/0x20
       [23827.498250]  ? strscpy+0xa0/0x2a0
       [23827.498889]  process_one_work+0x8ac/0x14e0
       [23827.499638]  ? lockdep_hardirqs_on_prepare+0x400/0x400
       [23827.500537]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
       [23827.501359]  ? rwlock_bug.part.0+0x90/0x90
       [23827.502116]  worker_thread+0x53b/0x1220
       [23827.502831]  ? process_one_work+0x14e0/0x14e0
       [23827.503627]  kthread+0x328/0x3f0
       [23827.504254]  ? _raw_spin_unlock_irq+0x24/0x40
       [23827.505065]  ? __kthread_bind_mask+0x90/0x90
       [23827.505912]  ret_from_fork+0x1f/0x30
       [23827.506621]
       [23827.506987] Allocated by task 28248:
       [23827.507694]  kasan_save_stack+0x1b/0x40
       [23827.508476]  __kasan_kmalloc+0x7c/0x90
       [23827.509197]  mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]
       [23827.510194]  mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]
       [23827.511218]  __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]
       [23827.512234]  mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]
       [23827.513298]  tc_setup_cb_add+0x1d5/0x420
       [23827.514023]  fl_hw_replace_filter+0x382/0x6a0 [cls_flower]
       [23827.514975]  fl_change+0x2ceb/0x4a51 [cls_flower]
       [23827.515821]  tc_new_tfilter+0x89a/0x2070
       [23827.516548]  rtnetlink_rcv_msg+0x644/0x8c0
       [23827.517300]  netlink_rcv_skb+0x11d/0x340
       [23827.518021]  netlink_unicast+0x42b/0x700
       [23827.518742]  netlink_sendmsg+0x743/0xc20
       [23827.519467]  sock_sendmsg+0xb2/0xe0
       [23827.520131]  ____sys_sendmsg+0x590/0x770
       [23827.520851]  ___sys_sendmsg+0xd8/0x160
       [23827.521552]  __sys_sendmsg+0xb7/0x140
       [23827.522238]  do_syscall_64+0x3a/0x70
       [23827.522907]  entry_SYSCALL_64_after_hwframe+0x44/0xae
       [23827.523797]
       [23827.524163] Freed by task 25948:
       [23827.524780]  kasan_save_stack+0x1b/0x40
       [23827.525488]  kasan_set_track+0x1c/0x30
       [23827.526187]  kasan_set_free_info+0x20/0x30
       [23827.526968]  __kasan_slab_free+0xed/0x130
       [23827.527709]  slab_free_freelist_hook+0xcf/0x1d0
       [23827.528528]  kmem_cache_free_bulk+0x33a/0x6e0
       [23827.529317]  kfree_rcu_work+0x55f/0xb70
       [23827.530024]  process_one_work+0x8ac/0x14e0
       [23827.530770]  worker_thread+0x53b/0x1220
       [23827.531480]  kthread+0x328/0x3f0
       [23827.532114]  ret_from_fork+0x1f/0x30
       [23827.532785]
       [23827.533147] Last potentially related work creation:
       [23827.534007]  kasan_save_stack+0x1b/0x40
       [23827.534710]  kasan_record_aux_stack+0xab/0xc0
       [23827.535492]  kvfree_call_rcu+0x31/0x7b0
       [23827.536206]  mlx5e_tc_del_fdb_flow+0x577/0xef0 [mlx5_core]
       [23827.537305]  mlx5e_flow_put+0x49/0x80 [mlx5_core]
       [23827.538290]  mlx5e_delete_flower+0x6d1/0xe60 [mlx5_core]
       [23827.539300]  tc_setup_cb_destroy+0x18e/0x2f0
       [23827.540144]  fl_hw_destroy_filter+0x1d2/0x310 [cls_flower]
       [23827.541148]  __fl_delete+0x4dc/0x660 [cls_flower]
       [23827.541985]  fl_delete+0x97/0x160 [cls_flower]
       [23827.542782]  tc_del_tfilter+0x7ab/0x13d0
       [23827.543503]  rtnetlink_rcv_msg+0x644/0x8c0
       [23827.544257]  netlink_rcv_skb+0x11d/0x340
       [23827.544981]  netlink_unicast+0x42b/0x700
       [23827.545700]  netlink_sendmsg+0x743/0xc20
       [23827.546424]  sock_sendmsg+0xb2/0xe0
       [23827.547084]  ____sys_sendmsg+0x590/0x770
       [23827.547850]  ___sys_sendmsg+0xd8/0x160
       [23827.548606]  __sys_sendmsg+0xb7/0x140
       [23827.549303]  do_syscall_64+0x3a/0x70
       [23827.549969]  entry_SYSCALL_64_after_hwframe+0x44/0xae
       [23827.550853]
       [23827.551217] The buggy address belongs to the object at ffff8881d1322200
       [23827.551217]  which belongs to the cache kmalloc-256 of size 256
       [23827.553341] The buggy address is located 140 bytes inside of
       [23827.553341]  256-byte region [ffff8881d1322200, ffff8881d1322300)
       [23827.555747] The buggy address belongs to the page:
       [23827.556847] page:00000000898762aa refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d1320
       [23827.558651] head:00000000898762aa order:2 compound_mapcount:0 compound_pincount:0
       [23827.559961] flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)
       [23827.561243] raw: 002ffff800010200 dead000000000100 dead000000000122 ffff888100042b40
       [23827.562653] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
       [23827.564112] page dumped because: kasan: bad access detected
       [23827.565439]
       [23827.565932] Memory state around the buggy address:
       [23827.566917]  ffff8881d1322180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       [23827.568485]  ffff8881d1322200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       [23827.569818] >ffff8881d1322280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       [23827.571143]                       ^
       [23827.571879]  ffff8881d1322300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       [23827.573283]  ffff8881d1322380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       [23827.574654] ==================================================================
      
      Most of the necessary logic is already correctly implemented by
      mlx5e_get_next_valid_encap() helper that is used in neigh stats update
      handler. Make the handler generic by renaming it to
      mlx5e_get_next_matching_encap() and use callback to test whether flow is
      matching instead of hardcoded check for 'valid' flag value. Implement
      mlx5e_get_next_valid_encap() by calling mlx5e_get_next_matching_encap()
      with callback that tests encap MLX5_ENCAP_ENTRY_VALID flag. Implement new
      mlx5e_get_next_init_encap() helper by calling
      mlx5e_get_next_matching_encap() with callback that tests encap completion
      result to be non-error and use it in mlx5e_rep_neigh_update() to safely
      iterate over nhe->encap_list.
      
      Remove encap completion logic from mlx5e_rep_update_flows() since the encap
      entries passed to this function are already guaranteed to be properly
      initialized by similar code in mlx5e_get_next_init_encap().
      
      Fixes: 2a1f1768 ("net/mlx5e: Refactor neigh update for concurrent execution")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      fb1a3132
    • Yang Li's avatar
      net/mlx5e: Fix an error code in mlx5e_arfs_create_tables() · 2bf8d2ae
      Yang Li authored
      When the code execute 'if (!priv->fs.arfs->wq)', the value of err is 0.
      So, we use -ENOMEM to indicate that the function
      create_singlethread_workqueue() return NULL.
      
      Clean up smatch warning:
      drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c:373
      mlx5e_arfs_create_tables() warn: missing error code 'err'.
      Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Fixes: f6755b80 ("net/mlx5e: Dynamic alloc arfs table for netdev when needed")
      Signed-off-by: default avatarYang Li <yang.lee@linux.alibaba.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      2bf8d2ae
  2. 09 Jun, 2021 12 commits
  3. 08 Jun, 2021 9 commits
    • Shay Agroskin's avatar
      net: ena: fix DMA mapping function issues in XDP · 504fd6a5
      Shay Agroskin authored
      This patch fixes several bugs found when (DMA/LLQ) mapping a packet for
      transmission. The mapping procedure makes the transmitted packet
      accessible by the device.
      When using LLQ, this requires copying the packet's header to push header
      (which would be passed to LLQ) and creating DMA mapping for the payload
      (if the packet doesn't fit the maximum push length).
      When not using LLQ, we map the whole packet with DMA.
      
      The following bugs are fixed in the code:
          1. Add support for non-LLQ machines:
             The ena_xdp_tx_map_frame() function assumed that LLQ is
             supported, and never mapped the whole packet using DMA. On some
             instances, which don't support LLQ, this causes loss of traffic.
      
          2. Wrong DMA buffer length passed to device:
             When using LLQ, the first 'tx_max_header_size' bytes of the
             packet would be copied to push header. The rest of the packet
             would be copied to a DMA'd buffer.
      
          3. Freeing the XDP buffer twice in case of a mapping error:
             In case a buffer DMA mapping fails, the function uses
             xdp_return_frame_rx_napi() to free the RX buffer and returns from
             the function with an error. XDP frames that fail to xmit get
             freed by the kernel and so there is no need for this call.
      
      Fixes: 548c4940 ("net: ena: Implement XDP_TX action")
      Signed-off-by: default avatarShay Agroskin <shayagr@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      504fd6a5
    • Vladimir Oltean's avatar
      net: dsa: felix: re-enable TX flow control in ocelot_port_flush() · 1650bdb1
      Vladimir Oltean authored
      Because flow control is set up statically in ocelot_init_port(), and not
      in phylink_mac_link_up(), what happens is that after the blamed commit,
      the flow control remains disabled after the port flushing procedure.
      
      Fixes: eb4733d7 ("net: dsa: felix: implement port flushing on .phylink_mac_link_down")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1650bdb1
    • Pavel Skripkin's avatar
      net: rds: fix memory leak in rds_recvmsg · 49bfcbfd
      Pavel Skripkin authored
      Syzbot reported memory leak in rds. The problem
      was in unputted refcount in case of error.
      
      int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
      		int msg_flags)
      {
      ...
      
      	if (!rds_next_incoming(rs, &inc)) {
      		...
      	}
      
      After this "if" inc refcount incremented and
      
      	if (rds_cmsg_recv(inc, msg, rs)) {
      		ret = -EFAULT;
      		goto out;
      	}
      ...
      out:
      	return ret;
      }
      
      in case of rds_cmsg_recv() fail the refcount won't be
      decremented. And it's easy to see from ftrace log, that
      rds_inc_addref() don't have rds_inc_put() pair in
      rds_recvmsg() after rds_cmsg_recv()
      
       1)               |  rds_recvmsg() {
       1)   3.721 us    |    rds_inc_addref();
       1)   3.853 us    |    rds_message_inc_copy_to_user();
       1) + 10.395 us   |    rds_cmsg_recv();
       1) + 34.260 us   |  }
      
      Fixes: bdbe6fbc ("RDS: recv.c")
      Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Reviewed-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49bfcbfd
    • David S. Miller's avatar
      Merge tag 'batadv-net-pullrequest-20210608' of git://git.open-mesh.org/linux-merge · df693f13
      David S. Miller authored
      Simon Wunderlich says:
      
      ====================
      Here is a batman-adv bugfix:
      
       - Avoid WARN_ON timing related checks, by Sven Eckelmann
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df693f13
    • Nicolas Dichtel's avatar
      vrf: fix maximum MTU · 9bb392f6
      Nicolas Dichtel authored
      My initial goal was to fix the default MTU, which is set to 65536, ie above
      the maximum defined in the driver: 65535 (ETH_MAX_MTU).
      
      In fact, it's seems more consistent, wrt min_mtu, to set the max_mtu to
      IP6_MAX_MTU (65535 + sizeof(struct ipv6hdr)) and use it by default.
      
      Let's also, for consistency, set the mtu in vrf_setup(). This function
      calls ether_setup(), which set the mtu to 1500. Thus, the whole mtu config
      is done in the same function.
      
      Before the patch:
      $ ip link add blue type vrf table 1234
      $ ip link list blue
      9: blue: <NOARP,MASTER> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
          link/ether fa:f5:27:70:24:2a brd ff:ff:ff:ff:ff:ff
      $ ip link set dev blue mtu 65535
      $ ip link set dev blue mtu 65536
      Error: mtu greater than device maximum.
      
      Fixes: 5055376a ("net: vrf: Fix ping failed when vrf mtu is set to 0")
      CC: Miaohe Lin <linmiaohe@huawei.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9bb392f6
    • gushengxian's avatar
      net: appletalk: fix the usage of preposition · d439aa33
      gushengxian authored
      The preposition "for" should be changed to preposition "of".
      Signed-off-by: default avatargushengxian <gushengxian@yulong.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d439aa33
    • Zheng Yongjun's avatar
      net: ipv4: Remove unneed BUG() function · 5ac6b198
      Zheng Yongjun authored
      When 'nla_parse_nested_deprecated' failed, it's no need to
      BUG() here, return -EINVAL is ok.
      Signed-off-by: default avatarZheng Yongjun <zhengyongjun3@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ac6b198
    • Nanyong Sun's avatar
      net: ipv4: fix memory leak in netlbl_cipsov4_add_std · d612c3f3
      Nanyong Sun authored
      Reported by syzkaller:
      BUG: memory leak
      unreferenced object 0xffff888105df7000 (size 64):
      comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s)
      hex dump (first 32 bytes):
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      backtrace:
      [<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline]
      [<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline]
      [<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline]
      [<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416
      [<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739
      [<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
      [<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800
      [<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
      [<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
      [<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
      [<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
      [<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
      [<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline]
      [<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674
      [<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
      [<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
      [<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
      [<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
      [<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      The memory of doi_def->map.std pointing is allocated in
      netlbl_cipsov4_add_std, but no place has freed it. It should be
      freed in cipso_v4_doi_free which frees the cipso DOI resource.
      
      Fixes: 96cb8e33 ("[NetLabel]: CIPSOv4 and Unlabeled packet integration")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarNanyong Sun <sunnanyong@huawei.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d612c3f3
    • Johannes Berg's avatar
      mac80211: fix deadlock in AP/VLAN handling · d5befb22
      Johannes Berg authored
      Syzbot reports that when you have AP_VLAN interfaces that are up
      and close the AP interface they belong to, we get a deadlock. No
      surprise - since we dev_close() them with the wiphy mutex held,
      which goes back into the netdev notifier in cfg80211 and tries to
      acquire the wiphy mutex there.
      
      To fix this, we need to do two things:
       1) prevent changing iftype while AP_VLANs are up, we can't
          easily fix this case since cfg80211 already calls us with
          the wiphy mutex held, but change_interface() is relatively
          rare in drivers anyway, so changing iftype isn't used much
          (and userspace has to fall back to down/change/up anyway)
       2) pull the dev_close() loop over VLANs out of the wiphy mutex
          section in the normal stop case
      
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+452ea4fbbef700ff0a56@syzkaller.appspotmail.com
      Fixes: a05829a7 ("cfg80211: avoid holding the RTNL when calling the driver")
      Link: https://lore.kernel.org/r/20210517160322.9b8f356c0222.I392cb0e2fa5a1a94cf2e637555d702c7e512c1ff@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      d5befb22
  4. 07 Jun, 2021 7 commits
  5. 04 Jun, 2021 5 commits
    • Rahul Lakkireddy's avatar
      cxgb4: avoid link re-train during TC-MQPRIO configuration · 3822d067
      Rahul Lakkireddy authored
      When configuring TC-MQPRIO offload, only turn off netdev carrier and
      don't bring physical link down in hardware. Otherwise, when the
      physical link is brought up again after configuration, it gets
      re-trained and stalls ongoing traffic.
      
      Also, when firmware is no longer accessible or crashed, avoid sending
      FLOWC and waiting for reply that will never come.
      
      Fix following hung_task_timeout_secs trace seen in these cases.
      
      INFO: task tc:20807 blocked for more than 122 seconds.
            Tainted: G S                5.13.0-rc3+ #122
      "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      task:tc   state:D stack:14768 pid:20807 ppid: 19366 flags:0x00000000
      Call Trace:
       __schedule+0x27b/0x6a0
       schedule+0x37/0xa0
       schedule_preempt_disabled+0x5/0x10
       __mutex_lock.isra.14+0x2a0/0x4a0
       ? netlink_lookup+0x120/0x1a0
       ? rtnl_fill_ifinfo+0x10f0/0x10f0
       __netlink_dump_start+0x70/0x250
       rtnetlink_rcv_msg+0x28b/0x380
       ? rtnl_fill_ifinfo+0x10f0/0x10f0
       ? rtnl_calcit.isra.42+0x120/0x120
       netlink_rcv_skb+0x4b/0xf0
       netlink_unicast+0x1a0/0x280
       netlink_sendmsg+0x216/0x440
       sock_sendmsg+0x56/0x60
       __sys_sendto+0xe9/0x150
       ? handle_mm_fault+0x6d/0x1b0
       ? do_user_addr_fault+0x1c5/0x620
       __x64_sys_sendto+0x1f/0x30
       do_syscall_64+0x3c/0x80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x7f7f73218321
      RSP: 002b:00007ffd19626208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 000055b7c0a8b240 RCX: 00007f7f73218321
      RDX: 0000000000000028 RSI: 00007ffd19626210 RDI: 0000000000000003
      RBP: 000055b7c08680ff R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000055b7c085f5f6
      R13: 000055b7c085f60a R14: 00007ffd19636470 R15: 00007ffd196262a0
      
      Fixes: b1396c2b ("cxgb4: parse and configure TC-MQPRIO offload")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3822d067
    • Yunjian Wang's avatar
      sch_htb: fix refcount leak in htb_parent_to_leaf_offload · 944d671d
      Yunjian Wang authored
      The commit ae81feb7 ("sch_htb: fix null pointer dereference
      on a null new_q") fixes a NULL pointer dereference bug, but it
      is not correct.
      
      Because htb_graft_helper properly handles the case when new_q
      is NULL, and after the previous patch by skipping this call
      which creates an inconsistency : dev_queue->qdisc will still
      point to the old qdisc, but cl->parent->leaf.q will point to
      the new one (which will be noop_qdisc, because new_q was NULL).
      The code is based on an assumption that these two pointers are
      the same, so it can lead to refcount leaks.
      
      The correct fix is to add a NULL pointer check to protect
      qdisc_refcount_inc inside htb_parent_to_leaf_offload.
      
      Fixes: ae81feb7 ("sch_htb: fix null pointer dereference on a null new_q")
      Signed-off-by: default avatarYunjian Wang <wangyunjian@huawei.com>
      Suggested-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      944d671d
    • David S. Miller's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 26821ecd
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2021-06-04
      
      This series contains updates to virtchnl header file and ice driver.
      
      Brett fixes VF being unable to request a different number of queues then
      allocated and adds clearing of VF_MBX_ATQLEN register for VF reset.
      
      Haiyue handles error of rebuilding VF VSI during reset.
      
      Paul fixes reporting of autoneg to use the PHY capabilities.
      
      Dave allows LLDP packets without priority of TC_PRIO_CONTROL to be
      transmitted.
      
      Geert Uytterhoeven adds explicit padding to virtchnl_proto_hdrs
      structure in the virtchnl header file.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26821ecd
    • David S. Miller's avatar
      Merge branch 'wireguard-fixes' · 6fd815bb
      David S. Miller authored
      Jason A. Donenfeld says:
      
      ====================
      wireguard fixes for 5.13-rc5
      
      Here are bug fixes to WireGuard for 5.13-rc5:
      
      1-2,6) These are small, trivial tweaks to our test harness.
      
      3) Linus thinks -O3 is still dangerous to enable. The code gen wasn't so
         much different with -O2 either.
      
      4) We were accidentally calling synchronize_rcu instead of
         synchronize_net while holding the rtnl_lock, resulting in some rather
         large stalls that hit production machines.
      
      5) Peer allocation was wasting literally hundreds of megabytes on real
         world deployments, due to oddly sized large objects not fitting
         nicely into a kmalloc slab.
      
      7-9) We move from an insanely expensive O(n) algorithm to a fast O(1)
           algorithm, and cleanup a massive memory leak in the process, in
           which allowed ips churn would leave danging nodes hanging around
           without cleanup until the interface was removed. The O(1) algorithm
           eliminates packet stalls and high latency issues, in addition to
           bringing operations that took as much as 10 minutes down to less
           than a second.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6fd815bb
    • Jason A. Donenfeld's avatar
      wireguard: allowedips: free empty intermediate nodes when removing single node · bf7b042d
      Jason A. Donenfeld authored
      When removing single nodes, it's possible that that node's parent is an
      empty intermediate node, in which case, it too should be removed.
      Otherwise the trie fills up and never is fully emptied, leading to
      gradual memory leaks over time for tries that are modified often. There
      was originally code to do this, but was removed during refactoring in
      2016 and never reworked. Now that we have proper parent pointers from
      the previous commits, we can implement this properly.
      
      In order to reduce branching and expensive comparisons, we want to keep
      the double pointer for parent assignment (which lets us easily chain up
      to the root), but we still need to actually get the parent's base
      address. So encode the bit number into the last two bits of the pointer,
      and pack and unpack it as needed. This is a little bit clumsy but is the
      fastest and less memory wasteful of the compromises. Note that we align
      the root struct here to a minimum of 4, because it's embedded into a
      larger struct, and we're relying on having the bottom two bits for our
      flag, which would only be 16-bit aligned on m68k.
      
      The existing macro-based helpers were a bit unwieldy for adding the bit
      packing to, so this commit replaces them with safer and clearer ordinary
      functions.
      
      We add a test to the randomized/fuzzer part of the selftests, to free
      the randomized tries by-peer, refuzz it, and repeat, until it's supposed
      to be empty, and then then see if that actually resulted in the whole
      thing being emptied. That combined with kmemcheck should hopefully make
      sure this commit is doing what it should. Along the way this resulted in
      various other cleanups of the tests and fixes for recent graphviz.
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf7b042d