- 23 Oct, 2018 40 commits
-
-
Sunil Goutham authored
This patch adds support for a PF/VF driver to configure NIX transmit scheduler queues via mbox. Since PF/VF doesn't know the absolute HW index of the NIXLF attached to it, AF traps the register config and overwrites with the correct NIXLF index. HW supports shaping, colouring and policing of packets with these multilevel traffic scheduler queues. Instead of introducing different mbox message formats for different configurations and making both AF & PF/VF driver implementation cumbersome, access to the scheduler queue's CSRs is provided via mbox. AF checks whether the sender PF/VF has the corresponding queue allocated or not and dumps the config to HW. With a single mbox msg 20 registers can be configured. Signed-off-by: Sunil Goutham <sgoutham@marvell.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Sunil Goutham authored
Added support for a PF/VF to allocate or free NIX transmit scheduler queues via mbox. For setting up pkt transmission priorities between queues, the scheduler queues have to be contiguous w.r.t their HW indices. So both contiguous and non-contiguous allocations are supported. Upon receiving NIX_TXSCH_FREE mbox msg all scheduler queues allocated to sending PFFUNC (PF/VF) will be freed. Selective free is not supported. Signed-off-by: Sunil Goutham <sgoutham@marvell.com> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
syzkaller triggered a use-after-free [1], caused by a combination of skb_get() in llc_conn_state_process() and usage of sk_eat_skb() sk_eat_skb() is assuming the skb about to be freed is only used by the current thread. TCP/DCCP stacks enforce this because current thread holds the socket lock. llc_conn_state_process() wants to make sure skb does not disappear, and holds a reference on the skb it manipulates. But as soon as this skb is added to socket receive queue, another thread can consume it. This means that llc must use regular skb_unlink() and kfree_skb() so that both producer and consumer can safely work on the same skb. [1] BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline] BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline] BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655 Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18 CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] refcount_read include/linux/refcount.h:43 [inline] skb_unref include/linux/skbuff.h:967 [inline] kfree_skb+0xb7/0x580 net/core/skbuff.c:655 llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224 llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297 llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438 llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 process_backlog+0x218/0x6f0 net/core/dev.c:5829 napi_poll net/core/dev.c:6249 [inline] net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 __do_softirq+0x30c/0xb03 kernel/softirq.c:292 run_ksoftirqd+0x94/0x100 kernel/softirq.c:653 smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164 kthread+0x35a/0x420 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413 Allocated by task 18: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644 __alloc_skb+0x119/0x770 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:995 [inline] llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54 llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline] llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111 llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 process_backlog+0x218/0x6f0 net/core/dev.c:5829 napi_poll net/core/dev.c:6249 [inline] net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 __do_softirq+0x30c/0xb03 kernel/softirq.c:292 Freed by task 16383: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x83/0x290 mm/slab.c:3756 kfree_skbmem+0x154/0x230 net/core/skbuff.c:582 __kfree_skb+0x1d/0x20 net/core/skbuff.c:642 sk_eat_skb include/net/sock.h:2366 [inline] llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882 sock_recvmsg_nosec net/socket.c:794 [inline] sock_recvmsg+0xd0/0x110 net/socket.c:801 ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278 __sys_recvmmsg+0x303/0xb90 net/socket.c:2390 do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466 __do_sys_recvmmsg net/socket.c:2484 [inline] __se_sys_recvmmsg net/socket.c:2480 [inline] __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801d1f6fac0 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 228 bytes inside of 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8) The buggy address belongs to the page: page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680 raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc Fixes: 1da177e4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Mathias Thore authored
Extract error information from rx and tx buffer descriptors, and update error counters. Signed-off-by: Mathias Thore <mathias.thore@infinera.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Wolfram Sang authored
We should get 'driver_data' from 'struct device' directly. Going via platform_device is an unneeded step back and forth. Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Wolfram Sang authored
We should get 'driver_data' from 'struct device' directly. Going via platform_device is an unneeded step back and forth. Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> Acked-by: Richard Cochran <richardcochran@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Arthur Kiyanovski authored
linux/prefetch.h is never explicitly included in ena_com, although functions from it, such as prefetchw(), are used throughout ena_com. This is an inclusion bug, and we fix it here by explicitly including linux/prefetch.h. The bug was exposed when the driver was compiled for the xtensa architecture. Fixes: 689b2bda ("net: ena: add functions for handling Low Latency Queues in ena_com") Fixes: 8c590f97 ("ena: Fix Kconfig dependency on X86") Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vito Caputo authored
Replace spurious spaces with a tab and remove superfluous tab from unix_sock struct. Signed-off-by: Vito Caputo <vcaputo@pengaru.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dan Carpenter authored
FDB_MAX_CHAIN is three. We wanted to allocate enough memory to hold four structs but there are missing parentheses so we only allocate enough memory for three structs and the first byte of the fourth one. Fixes: 328edb49 ("net/mlx5: Split FDB fast path prio to multiple namespaces") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Davide Caratti says: ==================== net/sched: forbid 'goto_chain' on fallback actions the following command: # tc actions add action police rate 1mbit burst 1k conform-exceed \ > pass / goto chain 42 generates a NULL pointer dereference when packets exceed the configured rate. Similarly, the following command: # tc actions add action pass random determ goto chain 42 2 makes the kernel crash with NULL dereference when the first packet does not match the 'pass' action. gact and police allow users to specify a fallback control action, that is stored in the action private data. 'goto chain x' never worked for these cases, since a->goto_chain handle was never initialized. There is only one goto_chain handle per TC action, and it is designed to be non-NULL only if tcf_action contains a 'goto chain' command. So, let's forbid 'goto chain' on fallback actions. Patch 1/4 and 2/4 change the .init() functions of police and gact, to let them return an error when users try to set 'goto chain x' in the fallback action. Patch 3/4 and 4/4 add TDC selftest coverage to this new behavior. ==================== Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Davide Caratti authored
add test to verify if act_police forbids 'goto chain' control actions for 'exceed' traffic. Signed-off-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Davide Caratti authored
add test to verify if act_gact forbids 'goto chain' control actions on 'random' traffic in gact.json. Signed-off-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Davide Caratti authored
in the following command: # tc action add action police rate <r> burst <b> conform-exceed <c1>/<c2> 'goto chain x' is allowed only for c1: setting it for c2 makes the kernel crash with NULL pointer dereference, since TC core doesn't initialize the chain handle. Signed-off-by: Davide Caratti <dcaratti@redhat.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Davide Caratti authored
in the following command: # tc action add action <c1> random <rand_type> <c2> <rand_param> 'goto chain x' is allowed only for c1: setting it for c2 makes the kernel crash with NULL pointer dereference, since TC core doesn't initialize the chain handle. Signed-off-by: Davide Caratti <dcaratti@redhat.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Andrew Lunn authored
When indicating the MAC supports Symmetric Pause, clear the Asymmetric Pause bit, which could of been already set is the PHY supports it. Reported-by: Labbe Corentin <clabbe@baylibre.com> Fixes: c306ad36 ("net: ethernet: Add helper for MACs which support pause") Signed-off-by: Andrew Lunn <andrew@lunn.ch> Tested-by: Corentin Labbe <clabbe@baylibre.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Olivier Brunel authored
Signed-off-by: Olivier Brunel <jjk@jjacky.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Olivier Brunel authored
User mode helpers were spawned without a command line, and because an empty command line is used by many tools to identify processes as kernel threads, this could cause some issues. Notably during killing spree on shutdown, since such helper would then be skipped (i.e. not killed) which would result in the process remaining alive, and thus preventing unmouting of the rootfs (as experienced with the bpfilter umh). Fixes: 449325b5 ("umh: introduce fork_usermode_blob() helper") Signed-off-by: Olivier Brunel <jjk@jjacky.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dan Carpenter authored
These functions are supposed to return one on failure and zero on success. Returning a zero here could cause uninitialized variable bugs in several of the callers. For example: drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:1660 get_iscsi_dcb_priority() error: uninitialized symbol 'caps'. Fixes: 48365e48 ("qlcnic: dcb: Add support for CEE Netlink interface.") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
David Ahern says: ==================== net: Add support for dumping addresses for a specific device Use the recently added kernel side filter infrastructure to add support for dumping addresses only for a specific device. Patch 1 creates an IPv4 version similar to IPv6's in6_dump_addrs function. Patch 2 simplifies in6_dump_addrs by moving index tracking of IP addresses from inet6_dump_addr to in6_dump_addrs. Patches 3 and 4 use the device-based address dump helpers to limit a dump to just the addresses on a specific device. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Ahern authored
If an RTM_GETADDR dump request has ifa_index set in the ifaddrmsg header, then return only the addresses for that device. Since inet6_dump_addr is reused for multicast and anycast addresses, this adds support for device specfic dumps of RTM_GETMULTICAST and RTM_GETANYCAST as well. Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Ahern authored
If an RTM_GETADDR dump request has ifa_index set in the ifaddrmsg header, then return only the addresses for that device. Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Ahern authored
ip_idx is always 0 going into in6_dump_addrs; it is passed as a pointer to save the last good index into cb. Since cb is already argument to in6_dump_addrs, just save the value there. Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Ahern authored
Similar to IPv6 move the logic that walks over the ipv4 address list for a device into a helper. Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Salil Mehta says: ==================== Adds support of RAS Error Handling in HNS3 Driver This patch-set adds support related to RAS Error handling to the HNS3 Ethernet PF Driver. Set of errors occurred in the HNS3 hardware are reported to the driver through the PCIe AER interface. The received error information is then used to classify the received errors and then decide the appropriate receovery action depending on the type of error. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shiju Jose authored
This patch enables and process hw errors of TM scheduler and QCN(Quantized Congestion Control). Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Salil Mehta <salil.mehta@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shiju Jose authored
This patch enables and process hw errors from the PPP(Programmable Packet Process) block. Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Salil Mehta <salil.mehta@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shiju Jose authored
This patch adds enable and processing of hw errors from IGU(Ingress Unit), EGU(Egress Unit) and NCSI(Network Controller Sideband Interface). Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Salil Mehta <salil.mehta@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shiju Jose authored
This patch adds enable and processing of ecc errors from common HNS blocks, CMDQ(Command Queue), IMP(Integrated Management Processor) and TQP(Task Queue Pair). Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Salil Mehta <salil.mehta@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shiju Jose authored
This patch adds functions to enable and disable hw errors. Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Salil Mehta <salil.mehta@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shiju Jose authored
This patch adds the error recovery for the HNS hw errors. Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Salil Mehta <salil.mehta@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shiju Jose authored
Set of hw errors occurred in the HNS3 are reported to the hns3 driver through PCIe AER and RAS.The error info will be processed and appropriately recovered. This patch adds error_detected callback and error processing. Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Salil Mehta <salil.mehta@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Nathan Chancellor authored
Clang warns (trimmed for brevity): drivers/isdn/mISDN/tei.c:1193:7: warning: overflow converting case value to switch condition type (2147764552 to 18446744071562348872) [-Wswitch] case IMHOLD_L1: ^ drivers/isdn/mISDN/tei.c:1187:7: warning: overflow converting case value to switch condition type (2147764550 to 18446744071562348870) [-Wswitch] case IMCLEAR_L2: ^ 2 warnings generated. The root cause is that the _IOC macro can generate really large numbers, which don't find into type int. My research into how GCC and Clang are handling this at a low level didn't prove fruitful and surveying the kernel tree shows that aside from here and a few places in the scsi subsystem, everything that uses _IOC is at least of type 'unsigned int'. Make that change here because as nothing in this function cares about the signedness of the variable and it removes ambiguity, which is never good when dealing with compilers. While we're here, remove the unnecessary local variable ret (just return -EINVAL and 0 directly). Link: https://github.com/ClangBuiltLinux/linux/issues/67Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jon Maloy authored
We have seen the following race scenario: 1) named_distribute() builds a "bulk" message, containing a PUBLISH item for a certain publication. This is based on the contents of the binding tables's 'cluster_scope' list. 2) tipc_named_withdraw() removes the same publication from the list, bulds a WITHDRAW message and distributes it to all cluster nodes. 3) tipc_named_node_up(), which was calling named_distribute(), sends out the bulk message built under 1) 4) The WITHDRAW message arrives at the just detected node, finds no corresponding publication, and is dropped. 5) The PUBLISH item arrives at the same node, is added to its binding table, and remains there forever. This arrival disordering was earlier taken care of by the backlog queue, originally added for a different purpose, which was removed in the commit referred to below, but we now need a different solution. In this commit, we replace the rcu lock protecting the 'cluster_scope' list with a regular RW lock which comprises even the sending of the bulk message. This both guarantees both the list integrity and the message sending order. We will later add a commit which cleans up this code further. Note that this commit needs recently added commit d3092b2e ("tipc: fix unsafe rcu locking when accessing publication list") to apply cleanly. Fixes: 37922ea4 ("tipc: permit overlapping service ranges in name table") Reported-by: Tuong Lien Tong <tuong.t.lien@dektech.com.au> Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warning: drivers/net/ethernet/marvell/octeontx2/af/rvu.c: In function 'rvu_detach_rsrcs': drivers/net/ethernet/marvell/octeontx2/af/rvu.c:855:6: warning: variable 'devnum' set but not used [-Wunused-but-set-variable] drivers/net/ethernet/marvell/octeontx2/af/rvu.c:853:7: warning: variable 'is_pf' set but not used [-Wunused-but-set-variable] drivers/net/ethernet/marvell/octeontx2/af/rvu.c: In function 'rvu_mbox_handler_ATTACH_RESOURCES': drivers/net/ethernet/marvell/octeontx2/af/rvu.c:1054:7: warning: variable 'is_pf' set but not used [-Wunused-but-set-variable] drivers/net/ethernet/marvell/octeontx2/af/rvu.c:1053:6: warning: variable 'devnum' set but not used [-Wunused-but-set-variable] It never used since introduction in commit 746ea742 ("octeontx2-af: Add RVU block LF provisioning support") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warning: drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c: In function 'rvu_npa_init': drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c:446:20: warning: variable 'block' set but not used [-Wunused-but-set-variable] It never used since introduction in commit 7a37245e ("octeontx2-af: NPA block admin queue init") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Gustavo A. R. Silva says: ==================== phy: ocelot-serdes: fix out-of-bounds read This patchset aims to fix an out-of-bounds bug in the phy-ocelot-serdes driver. Currently, there is an out-of-bounds read on array ctrl->phys, once variable i reaches the maximum array size of SERDES_MAX in the for loop. Quentin Schulz pointed out that SERDES_MAX is a valid value to index ctrl->phys. So, I updated SERDES_MAX to be SERDES6G_MAX + 1 in include/dt-bindings/phy/phy-ocelot-serdes.h. Then I changed the condition in the for loop from i <= SERDES_MAX to i < SERDES_MAX in order to complete the fix. The reason I'm sending this fix as series is because checkpatch reported an error when I first tried to integrate the whole solution into a singe patch. So, changes to dt-bindings should be sent as a separate patch. Changes in v3: - Post the series to netdev, so Dave can take it. Changes in v2: - Send the whole series to Kishon Vijay Abraham I, so it can be taken into the PHY tree. - Add Quentin's Reviewed-by to commit log in both patches. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Gustavo A. R. Silva authored
Currently, there is an out-of-bounds read on array ctrl->phys, once variable i reaches the maximum array size of SERDES_MAX in the for loop. Fix this by changing the condition in the for loop from i <= SERDES_MAX to i < SERDES_MAX. Addresses-Coverity-ID: 1473966 ("Out-of-bounds read") Addresses-Coverity-ID: 1473959 ("Out-of-bounds read") Fixes: 51f6b410 ("phy: add driver for Microsemi Ocelot SerDes muxing") Reviewed-by: Quentin Schulz <quentin.schulz@bootlin.com> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Gustavo A. R. Silva authored
SERDES_MAX is a valid value to index ctrl->phys in drivers/phy/mscc/phy-ocelot-serdes.c. But, currently, there is an out-of-bounds bug in the mentioned driver when reading from ctrl->phys, because the size of array ctrl->phys is SERDES_MAX. Partially fix this by updating SERDES_MAX to be SERDES6G_MAX + 1. Notice that this is the first part of the solution to the out-of-bounds bug mentioned above. Although this change is not dependent on any other one. Suggested-by: Quentin Schulz <quentin.schulz@bootlin.com> Reviewed-by: Quentin Schulz <quentin.schulz@bootlin.com> Acked-by: Rob Herring <robh@kernel.org> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Guoqing Jiang authored
Got below warning with gcc 8.2 compiler. net/tipc/topsrv.c: In function ‘tipc_topsrv_start’: net/tipc/topsrv.c:660:2: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=] strncpy(srv->name, name, strlen(name) + 1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ net/tipc/topsrv.c:660:27: note: length computed here strncpy(srv->name, name, strlen(name) + 1); ^~~~~~~~~~~~ So change it to correct length and use strscpy. Signed-off-by: Guoqing Jiang <gqjiang@suse.com> Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Nathan Chancellor authored
Clang warns: drivers/isdn/hisax/hfc_pci.c:131:34: error: if statement has empty body [-Werror,-Wempty-body] if (Read_hfc(cs, HFCPCI_INT_S1)); ^ drivers/isdn/hisax/hfc_pci.c:131:34: note: put the semicolon on a separate line to silence this warning In my attempt to hide the warnings because I thought they didn't serve any purpose[1], Masahiro Yamada pointed out that {Read,Write}_hfc in hci_pci.c should be using a standard register access method; otherwise, the compiler will just remove the if statements. For hfc_pci, use the versions of {Read,Write}_hfc found in drivers/isdn/hardware/mISDN/hfc_pCI.h while converting pci_io to be 'void __iomem *' (and clean up ioremap) then remove the empty if statements. For hfc_sx, {Read,Write}_hfc are already use a proper register accessor (inb, outb) so just remove the unnecessary if statements. [1]: https://lore.kernel.org/lkml/20181016021454.11953-1-natechancellor@gmail.com/ Link: https://github.com/ClangBuiltLinux/linux/issues/66Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com> Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-