1. 31 Aug, 2020 1 commit
    • netlink: policy: correct validation type check · c30a3c95
      Johannes Berg authored
      In the policy export for binary attributes I erroneously used
      a != NLA_VALIDATE_NONE comparison instead of checking for the
      two possible values, which meant that if a validation function
      pointer ended up aliasing the min/max as negatives, we'd hit
      a warning in nla_get_range_unsigned().
      
      Fix this to correctly check for only the two types that should
      be handled here, i.e. range with or without warn-too-long.
      
      Reported-by: syzbot+353df1490da781637624@syzkaller.appspotmail.com
      Fixes: 8aa26c57 ("netlink: make NLA_BINARY validation more flexible")
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 28 Aug, 2020 23 commits
  3. 27 Aug, 2020 16 commits
    • gtp: add notification mechanism · 50aba46c
      Nicolas Dichtel authored
      Like all other network functions, let's notify gtp context on creation and
      deletion.
      Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Tested-by: Gabriel Ganne <gabriel.ganne@6wind.com>
      Acked-by: Harald Welte <laforge@gnumonks.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 's390-qeth-next' · 44771ea5
      David S. Miller authored
      Julian Wiedmann says:
      
      ====================
      s390/qeth: updates 2020-08-27
      
      please apply the following patch series for qeth to netdev's net-next tree.
      
      Patch 8 makes some improvements to how we handle HW address events,
      avoiding some uncertainty around processing stale events after we
      switched off the feature.
      Except for that it's all straight-forward cleanups.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: strictly order bridge address events · 9d6a569a
      Julian Wiedmann authored
      The current code for bridge address events has two shortcomings in its
      control sequence:
      
      1. after disabling address events via PNSO, we don't flush the remaining
         events from the event_wq. So if the feature is re-enabled fast
         enough, stale events could leak over.
      2. PNSO and the events' arrival via the READ ccw device are unordered.
         So even if we flushed the workqueue, it's difficult to say whether
         the READ device might produce more events onto the workqueue
         afterwards.
      
      Fix this by
      1. explicitly fencing off the events when we no longer care, in the
         READ device's event handler. This ensures that once we flush the
         workqueue, it doesn't get additional address events.
      2. Flush the workqueue after disabling the events & fencing them off.
         As the code that triggers the flush will typically hold the sbp_lock,
         we need to rework the worker code to avoid a deadlock here in case
         of a 'notifications-stopped' event. In case of lock contention,
         requeue such an event with a delay. We'll eventually acquire the lock,
         or spot that the feature has been disabled and the event can thus be
         discarded.
      
      This leaves the theoretical race that a stale event could arrive
      _after_ we re-enabled ourselves to receive events again. Such an event
      would be impossible to distinguish from a 'good' event, nothing we can
      do about it.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: unify structs for bridge port state · 65b0494e
      Julian Wiedmann authored
      The data returned from IPA_SBP_QUERY_BRIDGE_PORTS and
      IPA_SBP_BRIDGE_PORT_STATE_CHANGE has the same format. Use a single
      struct definition for it.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: copy less data from bridge state events · 61c6f217
      Julian Wiedmann authored
      Current code copies _all_ entries from the event into a worker, when we
      later only need specific data from the first entry.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: don't let HW override the configured port role · a04f0eca
      Julian Wiedmann authored
      The only time that our Bridgeport role should change is when we change
      the configuration ourselves. In which case we also adjust our internal
      state tracking, no need to do it again when we receive the corresponding
      event.
      
      Removing the locked section helps a subsequent patch that needs to flush
      the workqueue while under sbp_lock.
      
      It would be nice to raise a warning here in case HW does weird things
      after all, but this could end up generating false-positives when we
      change the configuration ourselves.
      Suggested-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: don't disable address events during initialization · 16379503
      Julian Wiedmann authored
      A newly initialized device is disabled for address events, there's no
      need to explicitly disable them.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: make queue lock a proper spinlock · a1668474
      Julian Wiedmann authored
      queue->state is a ternary spinlock in disguise, used by
      OSA's TX completion path to lock the Output Queue and flush any pending
      packets on it to the device. If the Queue is already locked by our TX
      code, setting the lock word to QETH_OUT_Q_LOCKED_FLUSH lets the TX
      completion code move on - the TX path will later take care of things
      when it unlocks the Queue.
      
      This sort of DIY locking is a non-starter of course, just let the
      TX completion path block on the spinlock when necessary. If that ends up
      causing additional latency due to lock contention, then converting
      the OSA path to use xmit_more is the right way to go forward.
      
      Also slightly expand the locked section and capture all of
      qeth_do_send_packet(), so that the update for the 'bufs_pack' statistics
      is done race-free.
      
      While reworking the TX completion path's code, remove a barrier() that
      doesn't make any sense.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: use to_delayed_work() · beaadcc6
      Julian Wiedmann authored
      Avoid poking around in the delayed_work struct's internals.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • s390/qeth: clean up qeth_l3_send_setdelmc()'s declaration · b14912eb
      Julian Wiedmann authored
      Clarify that the 'ipacmd' parameter is an enum, and thus compatible to
      what qeth_ipa_alloc_cmd() expects as input.
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: fix use-after-free in tipc_bcast_get_mode · fdeba99b
      Hoang Huu Le authored
      Syzbot has reported those issues as:
      
      ==================================================================
      BUG: KASAN: use-after-free in tipc_bcast_get_mode+0x3ab/0x400 net/tipc/bcast.c:759
      Read of size 1 at addr ffff88805e6b3571 by task kworker/0:6/3850
      
      CPU: 0 PID: 3850 Comm: kworker/0:6 Not tainted 5.8.0-rc7-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events tipc_net_finalize_work
      
      Thread 1's call trace:
      [...]
        kfree+0x103/0x2c0 mm/slab.c:3757 <- bcbase releasing
        tipc_bcast_stop+0x1b0/0x2f0 net/tipc/bcast.c:721
        tipc_exit_net+0x24/0x270 net/tipc/core.c:112
      [...]
      
      Thread 2's call trace:
      [...]
        tipc_bcast_get_mode+0x3ab/0x400 net/tipc/bcast.c:759 <- bcbase
      has already been freed by Thread 1
      
        tipc_node_broadcast+0x9e/0xcc0 net/tipc/node.c:1744
        tipc_nametbl_publish+0x60b/0x970 net/tipc/name_table.c:752
        tipc_net_finalize net/tipc/net.c:141 [inline]
        tipc_net_finalize+0x1fa/0x310 net/tipc/net.c:131
        tipc_net_finalize_work+0x55/0x80 net/tipc/net.c:150
      [...]
      
      ==================================================================
      BUG: KASAN: use-after-free in tipc_named_reinit+0xef/0x290 net/tipc/name_distr.c:344
      Read of size 8 at addr ffff888052ab2000 by task kworker/0:13/30628
      CPU: 0 PID: 30628 Comm: kworker/0:13 Not tainted 5.8.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events tipc_net_finalize_work
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1f0/0x31e lib/dump_stack.c:118
       print_address_description+0x66/0x5a0 mm/kasan/report.c:383
       __kasan_report mm/kasan/report.c:513 [inline]
       kasan_report+0x132/0x1d0 mm/kasan/report.c:530
       tipc_named_reinit+0xef/0x290 net/tipc/name_distr.c:344
       tipc_net_finalize+0x85/0xe0 net/tipc/net.c:138
       tipc_net_finalize_work+0x50/0x70 net/tipc/net.c:150
       process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
       worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
       kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
      [...]
      Freed by task 14058:
       save_stack mm/kasan/common.c:48 [inline]
       set_track mm/kasan/common.c:56 [inline]
       kasan_set_free_info mm/kasan/common.c:316 [inline]
       __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
       __cache_free mm/slab.c:3426 [inline]
       kfree+0x10a/0x220 mm/slab.c:3757
       tipc_exit_net+0x29/0x50 net/tipc/core.c:113
       ops_exit_list net/core/net_namespace.c:186 [inline]
       cleanup_net+0x708/0xba0 net/core/net_namespace.c:603
       process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
       worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
       kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
      
      Fix it by calling flush_scheduled_work() to make sure the
      tipc_net_finalize_work() stopped before releasing bcbase object.
      
      Reported-by: syzbot+6ea1f7a8df64596ef4d7@syzkaller.appspotmail.com
      Reported-by: syzbot+e9cc557752ab126c1b99@syzkaller.appspotmail.com
      Acked-by: Jon Maloy <jmaloy@redhat.com>
      Signed-off-by: Hoang Huu Le <hoang.h.le@dektech.com.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'Move-MDIO-drivers-into-their-own-directory' · ef734763
      David S. Miller authored
      Andrew Lunn says:
      
      ====================
      Move MDIO drivers into their own directory
      
      The phy subdirectory is getting cluttered. It has both PHY drivers and
      MDIO drivers, plus a stray switch driver. Soon more PCS drivers are
      likely to appear.
      
      Move MDIO and PCS drivers into new directories. This requires fixing
      up the xgene driver which uses a relative include path.
      
      v2:
      Move the subdirs to drivers/net, rather than drivers/net/phy.
      
      v3:
      Add subdirectories under include/linux for mdio and pcs
      
      v4:
      there->their
      include path fix
      No new kconfig prompts
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: Sort Kconfig and Makefile · 0457eb26
      Andrew Lunn authored
      Sort the Kconfig based on the text shown in make menuconfig and sort
      the Makefile by CONFIG symbol.
      Acked-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mdio: Move MDIO drivers into a new subdirectory · a9770eac
      Andrew Lunn authored
      Move all the MDIO drivers and multiplexers into drivers/net/mdio.  The
      mdio core is however left in the phy directory, due to mutual
      dependencies between the MDIO core and the PHY core.
      
      Take this opportunity to sort the Kconfig based on the menuconfig
      strings, and move the multiplexers to the end with a separating
      comment.
      
      v2:
      Fix typo in commit message
      Acked-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: xgene: Move shared header file into include/linux · 232e15e1
      Andrew Lunn authored
      This header file is currently included into the ethernet driver via a
      relative path into the PHY subsystem. This is bad practice, and causes
      issues for the upcoming move of the MDIO driver. Move the header file
      into include/linux to clean this up.
      
      v2:
      Move header to include/linux/mdio
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/phy/mdio-i2c: Move header file to include/linux/mdio · fcba68bd
      Andrew Lunn authored
      In preparation for moving all MDIO drivers into drivers/net/mdio, move
      the mdio-i2c header file into include/linux/mdio so it can be used by
      both the MDIO driver and the SFP code which instantiates I2C MDIO
      busses.
      
      v2:
      Add include/linux/mdio
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>