1. 20 Sep, 2023 5 commits
  2. 19 Sep, 2023 9 commits
    • Ziyang Xuan's avatar
      team: fix null-ptr-deref when team device type is changed · 49203276
      Ziyang Xuan authored
      Get a null-ptr-deref bug as follows with reproducer [1].
      
      BUG: kernel NULL pointer dereference, address: 0000000000000228
      ...
      RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
      ...
      Call Trace:
       <TASK>
       ? __die+0x24/0x70
       ? page_fault_oops+0x82/0x150
       ? exc_page_fault+0x69/0x150
       ? asm_exc_page_fault+0x26/0x30
       ? vlan_dev_hard_header+0x35/0x140 [8021q]
       ? vlan_dev_hard_header+0x8e/0x140 [8021q]
       neigh_connected_output+0xb2/0x100
       ip6_finish_output2+0x1cb/0x520
       ? nf_hook_slow+0x43/0xc0
       ? ip6_mtu+0x46/0x80
       ip6_finish_output+0x2a/0xb0
       mld_sendpack+0x18f/0x250
       mld_ifc_work+0x39/0x160
       process_one_work+0x1e6/0x3f0
       worker_thread+0x4d/0x2f0
       ? __pfx_worker_thread+0x10/0x10
       kthread+0xe5/0x120
       ? __pfx_kthread+0x10/0x10
       ret_from_fork+0x34/0x50
       ? __pfx_kthread+0x10/0x10
       ret_from_fork_asm+0x1b/0x30
      
      [1]
      $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
      $ ip link add name t-dummy type dummy
      $ ip link add link t-dummy name t-dummy.100 type vlan id 100
      $ ip link add name t-nlmon type nlmon
      $ ip link set t-nlmon master team0
      $ ip link set t-nlmon nomaster
      $ ip link set t-dummy up
      $ ip link set team0 up
      $ ip link set t-dummy.100 down
      $ ip link set t-dummy.100 master team0
      
      When enslave a vlan device to team device and team device type is changed
      from non-ether to ether, header_ops of team device is changed to
      vlan_header_ops. That is incorrect and will trigger null-ptr-deref
      for vlan->real_dev in vlan_dev_hard_header() because team device is not
      a vlan device.
      
      Cache eth_header_ops in team_setup(), then assign cached header_ops to
      header_ops of team net device when its type is changed from non-ether
      to ether to fix the bug.
      
      Fixes: 1d76efe1 ("team: add support for non-ethernet devices")
      Suggested-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230918123011.1884401-1-william.xuanziyang@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      49203276
    • Eric Dumazet's avatar
      net: bridge: use DEV_STATS_INC() · 44bdb313
      Eric Dumazet authored
      syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
      This function can run from multiple cpus without mutual exclusion.
      
      Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
      
      Handles updates to dev->stats.tx_dropped while we are at it.
      
      [1]
      BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish
      
      read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
      br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
      br_nf_hook_thresh+0x1ed/0x220
      br_nf_pre_routing_finish_ipv6+0x50f/0x540
      NF_HOOK include/linux/netfilter.h:304 [inline]
      br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
      br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
      nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
      nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
      br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
      __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
      __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
      __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
      process_backlog+0x21f/0x380 net/core/dev.c:5965
      __napi_poll+0x60/0x3b0 net/core/dev.c:6527
      napi_poll net/core/dev.c:6594 [inline]
      net_rx_action+0x32b/0x750 net/core/dev.c:6727
      __do_softirq+0xc1/0x265 kernel/softirq.c:553
      run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
      smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
      kthread+0x1d7/0x210 kernel/kthread.c:388
      ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
      br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
      br_nf_hook_thresh+0x1ed/0x220
      br_nf_pre_routing_finish_ipv6+0x50f/0x540
      NF_HOOK include/linux/netfilter.h:304 [inline]
      br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
      br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
      nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
      nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
      br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
      __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
      __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
      __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
      process_backlog+0x21f/0x380 net/core/dev.c:5965
      __napi_poll+0x60/0x3b0 net/core/dev.c:6527
      napi_poll net/core/dev.c:6594 [inline]
      net_rx_action+0x32b/0x750 net/core/dev.c:6727
      __do_softirq+0xc1/0x265 kernel/softirq.c:553
      do_softirq+0x5e/0x90 kernel/softirq.c:454
      __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
      __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
      _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
      spin_unlock_bh include/linux/spinlock.h:396 [inline]
      batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
      batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
      process_one_work kernel/workqueue.c:2630 [inline]
      process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
      worker_thread+0x525/0x730 kernel/workqueue.c:2784
      kthread+0x1d7/0x210 kernel/kthread.c:388
      ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      value changed: 0x00000000000d7190 -> 0x00000000000d7191
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f3 #0
      
      Fixes: 1c29fc49 ("[BRIDGE]: keep track of received multicast packets")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Roopa Prabhu <roopa@nvidia.com>
      Cc: Nikolay Aleksandrov <razor@blackwall.org>
      Cc: bridge@lists.linux-foundation.org
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Link: https://lore.kernel.org/r/20230918091351.1356153-1-edumazet@google.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      44bdb313
    • Paolo Abeni's avatar
      Merge branch 'there-are-some-bugfix-for-the-hns3-ethernet-driver' · 5f8621c1
      Paolo Abeni authored
      Jijie Shao says:
      
      ====================
      There are some bugfix for the HNS3 ethernet driver
      ====================
      
      Link: https://lore.kernel.org/r/20230918074840.2650978-1-shaojijie@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      5f8621c1
    • Jie Wang's avatar
      net: hns3: add 5ms delay before clear firmware reset irq source · 07700630
      Jie Wang authored
      Currently the reset process in hns3 and firmware watchdog init process is
      asynchronous. we think firmware watchdog initialization is completed
      before hns3 clear the firmware interrupt source. However, firmware
      initialization may not complete early.
      
      so we add delay before hns3 clear firmware interrupt source and 5 ms delay
      is enough to avoid second firmware reset interrupt.
      
      Fixes: c1a81619 ("net: hns3: Add mailbox interrupt handling to PF driver")
      Signed-off-by: default avatarJie Wang <wangjie125@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      07700630
    • Jijie Shao's avatar
      net: hns3: fix fail to delete tc flower rules during reset issue · 1a7be66e
      Jijie Shao authored
      Firmware does not respond driver commands during reset
      Therefore, rule will fail to delete while the firmware is resetting
      
      So, if failed to delete rule, set rule state to TO_DEL,
      and the rule will be deleted when periodic task being scheduled.
      
      Fixes: 0205ec04 ("net: hns3: add support for hw tc offload of tc flower")
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      1a7be66e
    • Jian Shen's avatar
      net: hns3: only enable unicast promisc when mac table full · f2ed3049
      Jian Shen authored
      Currently, the driver will enable unicast promisc for the function
      once configure mac address fail. It's unreasonable when the failure
      is caused by using same mac address with other functions. So only
      enable unicast promisc when mac table full.
      
      Fixes: c631c696 ("net: hns3: refactor the promisc mode setting")
      Signed-off-by: default avatarJian Shen <shenjian15@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      f2ed3049
    • Jie Wang's avatar
      net: hns3: fix GRE checksum offload issue · f9f65126
      Jie Wang authored
      The device_version V3 hardware can't offload the checksum for IP in GRE
      packets, but can do it for NvGRE. So default to disable the checksum and
      GSO offload for GRE, but keep the ability to enable it when only using
      NvGRE.
      
      Fixes: 76ad4f0e ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
      Signed-off-by: default avatarJie Wang <wangjie125@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      f9f65126
    • Jie Wang's avatar
      net: hns3: add cmdq check for vf periodic service task · bd3caddf
      Jie Wang authored
      When the vf cmdq is disabled, there is no need to keep these task running.
      So this patch skip these task when the cmdq is disabled.
      
      Fixes: ff200099 ("net: hns3: remove unnecessary work in hclgevf_main")
      Signed-off-by: default avatarJie Wang <wangjie125@huawei.com>
      Signed-off-by: default avatarJijie Shao <shaojijie@huawei.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      bd3caddf
    • Jisheng Zhang's avatar
      net: stmmac: fix incorrect rxq|txq_stats reference · 8070274b
      Jisheng Zhang authored
      commit 133466c3 ("net: stmmac: use per-queue 64 bit statistics
      where necessary") caused one regression as found by Uwe, the backtrace
      looks like:
      
      	INFO: trying to register non-static key.
      	The code is fine but needs lockdep annotation, or maybe
      	you didn't initialize this object before use?
      	turning off the locking correctness validator.
      	CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.5.0-rc1-00449-g133466c3-dirty #21
      	Hardware name: STM32 (Device Tree Support)
      	 unwind_backtrace from show_stack+0x18/0x1c
      	 show_stack from dump_stack_lvl+0x60/0x90
      	 dump_stack_lvl from register_lock_class+0x98c/0x99c
      	 register_lock_class from __lock_acquire+0x74/0x293c
      	 __lock_acquire from lock_acquire+0x134/0x398
      	 lock_acquire from stmmac_get_stats64+0x2ac/0x2fc
      	 stmmac_get_stats64 from dev_get_stats+0x44/0x130
      	 dev_get_stats from rtnl_fill_stats+0x38/0x120
      	 rtnl_fill_stats from rtnl_fill_ifinfo+0x834/0x17f4
      	 rtnl_fill_ifinfo from rtmsg_ifinfo_build_skb+0xc0/0x144
      	 rtmsg_ifinfo_build_skb from rtmsg_ifinfo+0x50/0x88
      	 rtmsg_ifinfo from __dev_notify_flags+0xc0/0xec
      	 __dev_notify_flags from dev_change_flags+0x50/0x5c
      	 dev_change_flags from ip_auto_config+0x2f4/0x1260
      	 ip_auto_config from do_one_initcall+0x70/0x35c
      	 do_one_initcall from kernel_init_freeable+0x2ac/0x308
      	 kernel_init_freeable from kernel_init+0x1c/0x138
      	 kernel_init from ret_from_fork+0x14/0x2c
      
      The reason is the rxq|txq_stats structures are not what expected
      because stmmac_open() -> __stmmac_open() the structure is overwritten
      by "memcpy(&priv->dma_conf, dma_conf, sizeof(*dma_conf));"
      This causes the well initialized syncp member of rxq|txq_stats is
      overwritten unexpectedly as pointed out by Johannes and Uwe.
      
      Fix this issue by moving rxq|txq_stats back to stmmac_extra_stats. For
      SMP cache friendly, we also mark stmmac_txq_stats and stmmac_rxq_stats
      as ____cacheline_aligned_in_smp.
      
      Fixes: 133466c3 ("net: stmmac: use per-queue 64 bit statistics where necessary")
      Signed-off-by: default avatarJisheng Zhang <jszhang@kernel.org>
      Reported-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Tested-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Link: https://lore.kernel.org/r/20230917165328.3403-1-jszhang@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      8070274b
  3. 18 Sep, 2023 22 commits
  4. 17 Sep, 2023 3 commits
  5. 16 Sep, 2023 1 commit