1. 11 Feb, 2022 3 commits
    • Eric Dumazet's avatar
      drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit · dcd54265
      Eric Dumazet authored
      trace_napi_poll_hit() is reading stat->dev while another thread can write
      on it from dropmon_net_event()
      
      Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already,
      we only have to take care of load/store tearing.
      
      BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit
      
      write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1:
       dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579
       notifier_call_chain kernel/notifier.c:84 [inline]
       raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392
       call_netdevice_notifiers_info net/core/dev.c:1919 [inline]
       call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
       call_netdevice_notifiers net/core/dev.c:1945 [inline]
       unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415
       ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123
       vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515
       ops_exit_list net/core/net_namespace.c:173 [inline]
       cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597
       process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
       worker_thread+0x616/0xa70 kernel/workqueue.c:2454
       kthread+0x1bf/0x1e0 kernel/kthread.c:377
       ret_from_fork+0x1f/0x30
      
      read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0:
       trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292
       trace_napi_poll include/trace/events/napi.h:14 [inline]
       __napi_poll+0x36b/0x3f0 net/core/dev.c:6366
       napi_poll net/core/dev.c:6432 [inline]
       net_rx_action+0x29e/0x650 net/core/dev.c:6519
       __do_softirq+0x158/0x2de kernel/softirq.c:558
       do_softirq+0xb1/0xf0 kernel/softirq.c:459
       __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
       __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
       _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210
       spin_unlock_bh include/linux/spinlock.h:394 [inline]
       ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
       wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506
       process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
       worker_thread+0x616/0xa70 kernel/workqueue.c:2454
       kthread+0x1bf/0x1e0 kernel/kthread.c:377
       ret_from_fork+0x1f/0x30
      
      value changed: 0xffff88815883e000 -> 0x0000000000000000
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
      
      Fixes: 4ea7e386 ("dropmon: add ability to detect when hardware dropsrxpackets")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dcd54265
    • Wen Gu's avatar
      net/smc: Avoid overwriting the copies of clcsock callback functions · 1de9770d
      Wen Gu authored
      The callback functions of clcsock will be saved and replaced during
      the fallback. But if the fallback happens more than once, then the
      copies of these callback functions will be overwritten incorrectly,
      resulting in a loop call issue:
      
      clcsk->sk_error_report
       |- smc_fback_error_report() <------------------------------|
           |- smc_fback_forward_wakeup()                          | (loop)
               |- clcsock_callback()  (incorrectly overwritten)   |
                   |- smc->clcsk_error_report() ------------------|
      
      So this patch fixes the issue by saving these function pointers only
      once in the fallback and avoiding overwriting.
      
      Reported-by: syzbot+4de3c0e8a263e1e499bc@syzkaller.appspotmail.com
      Fixes: 341adeec ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
      Link: https://lore.kernel.org/r/0000000000006d045e05d78776f6@google.comSigned-off-by: default avatarWen Gu <guwen@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1de9770d
    • Linus Torvalds's avatar
      Merge tag 'net-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f1baf68e
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter and can.
      
      Current release - new code bugs:
      
         - sparx5: fix get_stat64 out-of-bound access and crash
      
         - smc: fix netdev ref tracker misuse
      
        Previous releases - regressions:
      
         - eth: ixgbevf: require large buffers for build_skb on 82599VF, avoid
           overflows
      
         - eth: ocelot: fix all IP traffic getting trapped to CPU with PTP
           over IP
      
         - bonding: fix rare link activation misses in 802.3ad mode
      
        Previous releases - always broken:
      
         - tcp: fix tcp sock mem accounting in zero-copy corner cases
      
         - remove the cached dst when uncloning an skb dst and its metadata,
           since we only have one ref it'd lead to an UaF
      
         - netfilter:
            - conntrack: don't refresh sctp entries in closed state
            - conntrack: re-init state for retransmitted syn-ack, avoid
              connection establishment getting stuck with strange stacks
            - ctnetlink: disable helper autoassign, avoid it getting lost
            - nft_payload: don't allow transport header access for fragments
      
         - dsa: fix use of devres for mdio throughout drivers
      
         - eth: amd-xgbe: disable interrupts during pci removal
      
         - eth: dpaa2-eth: unregister netdev before disconnecting the PHY
      
         - eth: ice: fix IPIP and SIT TSO offload"
      
      * tag 'net-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (53 commits)
        net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
        net: mscc: ocelot: fix mutex lock error during ethtool stats read
        ice: Avoid RTNL lock when re-creating auxiliary device
        ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler
        ice: fix IPIP and SIT TSO offload
        ice: fix an error code in ice_cfg_phy_fec()
        net: mpls: Fix GCC 12 warning
        dpaa2-eth: unregister the netdev before disconnecting from the PHY
        skbuff: cleanup double word in comment
        net: macb: Align the dma and coherent dma masks
        mptcp: netlink: process IPv6 addrs in creating listening sockets
        selftests: mptcp: add missing join check
        net: usb: qmi_wwan: Add support for Dell DW5829e
        vlan: move dev_put into vlan_dev_uninit
        vlan: introduce vlan_dev_free_egress_priority
        ax25: fix UAF bugs of net_device caused by rebinding operation
        net: dsa: fix panic when DSA master device unbinds on shutdown
        net: amd-xgbe: disable interrupts during pci removal
        tipc: rate limit warning for received illegal binding update
        net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE
        ...
      f1baf68e
  2. 10 Feb, 2022 20 commits
  3. 09 Feb, 2022 17 commits
    • Paul Moore's avatar
      audit: don't deref the syscall args when checking the openat2 open_how::flags · 7a82f89d
      Paul Moore authored
      As reported by Jeff, dereferencing the openat2 syscall argument in
      audit_match_perm() to obtain the open_how::flags can result in an
      oops/page-fault.  This patch fixes this by using the open_how struct
      that we store in the audit_context with audit_openat2_how().
      
      Independent of this patch, Richard Guy Briggs posted a similar patch
      to the audit mailing list roughly 40 minutes after this patch was
      posted.
      
      Cc: stable@vger.kernel.org
      Fixes: 1c30e3af ("audit: add support for the openat2 syscall")
      Reported-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      7a82f89d
    • Linus Torvalds's avatar
      Merge tag 'nfsd-5.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · f4bc5bbb
      Linus Torvalds authored
      Pull more nfsd fixes from Chuck Lever:
       "Ensure that NFS clients cannot send file size or offset values that
        can cause the NFS server to crash or to return incorrect or surprising
        results.
      
        In particular, fix how the NFS server handles values larger than
        OFFSET_MAX"
      
      * tag 'nfsd-5.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        NFSD: Deprecate NFS_OFFSET_MAX
        NFSD: Fix offset type in I/O trace points
        NFSD: COMMIT operations must not return NFS?ERR_INVAL
        NFSD: Clamp WRITE offsets
        NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
        NFSD: Fix ia_size underflow
        NFSD: Fix the behavior of READ near OFFSET_MAX
      f4bc5bbb
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · f9f94c9d
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "Fix two regressions:
      
         - Potential boot failure due to missing cryptomgr on initramfs
      
         - Stack overflow in octeontx2"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: api - Move cryptomgr soft dependency into algapi
        crypto: octeontx2 - Avoid stack variable overflow
      f9f94c9d
    • Domenico Andreoli's avatar
      Fix regression due to "fs: move binfmt_misc sysctl to its own file" · b42bc9a3
      Domenico Andreoli authored
      Commit 3ba442d5 ("fs: move binfmt_misc sysctl to its own file") did
      not go unnoticed, binfmt-support stopped to work on my Debian system
      since v5.17-rc2 (did not check with -rc1).
      
      The existance of the /proc/sys/fs/binfmt_misc is a precondition for
      attempting to mount the binfmt_misc fs, which in turn triggers the
      autoload of the binfmt_misc module.  Without it, no module is loaded and
      no binfmt is available at boot.
      
      Building as built-in or manually loading the module and mounting the fs
      works fine, it's therefore only a matter of interaction with user-space.
      I could try to improve the Debian systemd configuration but I can't say
      anything about the other distributions.
      
      This patch restores a working system right after boot.
      
      Fixes: 3ba442d5 ("fs: move binfmt_misc sysctl to its own file")
      Signed-off-by: default avatarDomenico Andreoli <domenico.andreoli@linux.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Luis Chamberlain <mcgrof@kernel.org>
      Reviewed-by: default avatarTong Zhang <ztong0001@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b42bc9a3
    • Linus Torvalds's avatar
      Merge tag 'kvm-s390-kernel-access' from emailed bundle · 09a93c1d
      Linus Torvalds authored
      Pull s390 kvm fix from Christian Borntraeger:
       "Add missing check for the MEMOP ioctl
      
        The SIDA MEMOPs must only be used for secure guests, otherwise
        userspace can do unwanted memory accesses"
      
      * tag 'kvm-s390-kernel-access' from emailed bundle:
        KVM: s390: Return error on SIDA memop on normal guest
      09a93c1d
    • Chuck Lever's avatar
      NFSD: Deprecate NFS_OFFSET_MAX · c306d737
      Chuck Lever authored
      NFS_OFFSET_MAX was introduced way back in Linux v2.3.y before there
      was a kernel-wide OFFSET_MAX value. As a clean up, replace the last
      few uses of it with its generic equivalent, and get rid of it.
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      c306d737
    • Chuck Lever's avatar
      NFSD: Fix offset type in I/O trace points · 6a4d333d
      Chuck Lever authored
      NFSv3 and NFSv4 use u64 offset values on the wire. Record these values
      verbatim without the implicit type case to loff_t.
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      6a4d333d
    • Chuck Lever's avatar
      NFSD: COMMIT operations must not return NFS?ERR_INVAL · 3f965021
      Chuck Lever authored
      Since, well, forever, the Linux NFS server's nfsd_commit() function
      has returned nfserr_inval when the passed-in byte range arguments
      were non-sensical.
      
      However, according to RFC 1813 section 3.3.21, NFSv3 COMMIT requests
      are permitted to return only the following non-zero status codes:
      
            NFS3ERR_IO
            NFS3ERR_STALE
            NFS3ERR_BADHANDLE
            NFS3ERR_SERVERFAULT
      
      NFS3ERR_INVAL is not included in that list. Likewise, NFS4ERR_INVAL
      is not listed in the COMMIT row of Table 6 in RFC 8881.
      
      RFC 7530 does permit COMMIT to return NFS4ERR_INVAL, but does not
      specify when it can or should be used.
      
      Instead of dropping or failing a COMMIT request in a byte range that
      is not supported, turn it into a valid request by treating one or
      both arguments as zero. Offset zero means start-of-file, count zero
      means until-end-of-file, so we only ever extend the commit range.
      NFS servers are always allowed to commit more and sooner than
      requested.
      
      The range check is no longer bounded by NFS_OFFSET_MAX, but rather
      by the value that is returned in the maxfilesize field of the NFSv3
      FSINFO procedure or the NFSv4 maxfilesize file attribute.
      
      Note that this change results in a new pynfs failure:
      
      CMT4     st_commit.testCommitOverflow                             : RUNNING
      CMT4     st_commit.testCommitOverflow                             : FAILURE
                 COMMIT with offset + count overflow should return
                 NFS4ERR_INVAL, instead got NFS4_OK
      
      IMO the test is not correct as written: RFC 8881 does not allow the
      COMMIT operation to return NFS4ERR_INVAL.
      Reported-by: default avatarDan Aloni <dan.aloni@vastdata.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Reviewed-by: default avatarBruce Fields <bfields@fieldses.org>
      3f965021
    • Chuck Lever's avatar
      NFSD: Clamp WRITE offsets · 6260d9a5
      Chuck Lever authored
      Ensure that a client cannot specify a WRITE range that falls in a
      byte range outside what the kernel's internal types (such as loff_t,
      which is signed) can represent. The kiocb iterators, invoked in
      nfsd_vfs_write(), should properly limit write operations to within
      the underlying file system's s_maxbytes.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      6260d9a5
    • Chuck Lever's avatar
      NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes · a648fdeb
      Chuck Lever authored
      iattr::ia_size is a loff_t, so these NFSv3 procedures must be
      careful to deal with incoming client size values that are larger
      than s64_max without corrupting the value.
      
      Silently capping the value results in storing a different value
      than the client passed in which is unexpected behavior, so remove
      the min_t() check in decode_sattr3().
      
      Note that RFC 1813 permits only the WRITE procedure to return
      NFS3ERR_FBIG. We believe that NFSv3 reference implementations
      also return NFS3ERR_FBIG when ia_size is too large.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      a648fdeb
    • Chuck Lever's avatar
      NFSD: Fix ia_size underflow · e6faac3f
      Chuck Lever authored
      iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and
      NFSv4 both define file size as an unsigned 64-bit type. Thus there
      is a range of valid file size values an NFS client can send that is
      already larger than Linux can handle.
      
      Currently decode_fattr4() dumps a full u64 value into ia_size. If
      that value happens to be larger than S64_MAX, then ia_size
      underflows. I'm about to fix up the NFSv3 behavior as well, so let's
      catch the underflow in the common code path: nfsd_setattr().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      e6faac3f
    • Chuck Lever's avatar
      NFSD: Fix the behavior of READ near OFFSET_MAX · 0cb4d23a
      Chuck Lever authored
      Dan Aloni reports:
      > Due to commit 8cfb9015 ("NFS: Always provide aligned buffers to
      > the RPC read layers") on the client, a read of 0xfff is aligned up
      > to server rsize of 0x1000.
      >
      > As a result, in a test where the server has a file of size
      > 0x7fffffffffffffff, and the client tries to read from the offset
      > 0x7ffffffffffff000, the read causes loff_t overflow in the server
      > and it returns an NFS code of EINVAL to the client. The client as
      > a result indefinitely retries the request.
      
      The Linux NFS client does not handle NFS?ERR_INVAL, even though all
      NFS specifications permit servers to return that status code for a
      READ.
      
      Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed
      and return a short result. Set the EOF flag in the result to prevent
      the client from retrying the READ request. This behavior appears to
      be consistent with Solaris NFS servers.
      
      Note that NFSv3 and NFSv4 use u64 offset values on the wire. These
      must be converted to loff_t internally before use -- an implicit
      type cast is not adequate for this purpose. Otherwise VFS checks
      against sb->s_maxbytes do not work properly.
      Reported-by: default avatarDan Aloni <dan.aloni@vastdata.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      0cb4d23a
    • David S. Miller's avatar
      Merge branch 'vlan-QinQ-leak-fix' · 3bed06e3
      David S. Miller authored
      Xin Long says:
      
      ====================
      vlan: fix a netdev refcnt leak for QinQ
      
      This issue can be simply reproduced by:
      
        # ip link add dummy0 type dummy
        # ip link add link dummy0 name dummy0.1 type vlan id 1
        # ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
        # rmmod 8021q
      
       unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1
      
      So as to fix it, adjust vlan_dev_uninit() in Patch 1/1 so that it won't
      be called twice for the same device, then do the fix in vlan_dev_uninit()
      in Patch 2/2.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3bed06e3
    • Xin Long's avatar
      vlan: move dev_put into vlan_dev_uninit · d6ff94af
      Xin Long authored
      Shuang Li reported an QinQ issue by simply doing:
      
        # ip link add dummy0 type dummy
        # ip link add link dummy0 name dummy0.1 type vlan id 1
        # ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
        # rmmod 8021q
      
       unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1
      
      When rmmods 8021q, all vlan devs are deleted from their real_dev's vlan grp
      and added into list_kill by unregister_vlan_dev(). dummy0.1 is unregistered
      before dummy0.1.2, as it's using for_each_netdev() in __rtnl_kill_links().
      
      When unregisters dummy0.1, dummy0.1.2 is not unregistered in the event of
      NETDEV_UNREGISTER, as it's been deleted from dummy0.1's vlan grp. However,
      due to dummy0.1.2 still holding dummy0.1, dummy0.1 will keep waiting in
      netdev_wait_allrefs(), while dummy0.1.2 will never get unregistered and
      release dummy0.1, as it delays dev_put until calling dev->priv_destructor,
      vlan_dev_free().
      
      This issue was introduced by Commit 563bcbae ("net: vlan: fix a UAF in
      vlan_dev_real_dev()"), and this patch is to fix it by moving dev_put() into
      vlan_dev_uninit(), which is called after NETDEV_UNREGISTER event but before
      netdev_wait_allrefs().
      
      Fixes: 563bcbae ("net: vlan: fix a UAF in vlan_dev_real_dev()")
      Reported-by: default avatarShuang Li <shuali@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d6ff94af
    • Xin Long's avatar
      vlan: introduce vlan_dev_free_egress_priority · 37aa50c5
      Xin Long authored
      This patch is to introduce vlan_dev_free_egress_priority() to
      free egress priority for vlan dev, and keep vlan_dev_uninit()
      static as .ndo_uninit. It makes the code more clear and safer
      when adding new code in vlan_dev_uninit() in the future.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      37aa50c5
    • Duoming Zhou's avatar
      ax25: fix UAF bugs of net_device caused by rebinding operation · feef318c
      Duoming Zhou authored
      The ax25_kill_by_device() will set s->ax25_dev = NULL and
      call ax25_disconnect() to change states of ax25_cb and
      sock, if we call ax25_bind() before ax25_kill_by_device().
      
      However, if we call ax25_bind() again between the window of
      ax25_kill_by_device() and ax25_dev_device_down(), the values
      and states changed by ax25_kill_by_device() will be reassigned.
      
      Finally, ax25_dev_device_down() will deallocate net_device.
      If we dereference net_device in syscall functions such as
      ax25_release(), ax25_sendmsg(), ax25_getsockopt(), ax25_getname()
      and ax25_info_show(), a UAF bug will occur.
      
      One of the possible race conditions is shown below:
      
            (USE)                   |      (FREE)
      ax25_bind()                   |
                                    |  ax25_kill_by_device()
      ax25_bind()                   |
      ax25_connect()                |    ...
                                    |  ax25_dev_device_down()
                                    |    ...
                                    |    dev_put_track(dev, ...) //FREE
      ax25_release()                |    ...
        ax25_send_control()         |
          alloc_skb()      //USE    |
      
      the corresponding fail log is shown below:
      ===============================================================
      BUG: KASAN: use-after-free in ax25_send_control+0x43/0x210
      ...
      Call Trace:
        ...
        ax25_send_control+0x43/0x210
        ax25_release+0x2db/0x3b0
        __sock_release+0x6d/0x120
        sock_close+0xf/0x20
        __fput+0x11f/0x420
        ...
      Allocated by task 1283:
        ...
        __kasan_kmalloc+0x81/0xa0
        alloc_netdev_mqs+0x5a/0x680
        mkiss_open+0x6c/0x380
        tty_ldisc_open+0x55/0x90
        ...
      Freed by task 1969:
        ...
        kfree+0xa3/0x2c0
        device_release+0x54/0xe0
        kobject_put+0xa5/0x120
        tty_ldisc_kill+0x3e/0x80
        ...
      
      In order to fix these UAF bugs caused by rebinding operation,
      this patch adds dev_hold_track() into ax25_bind() and
      corresponding dev_put_track() into ax25_kill_by_device().
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      feef318c
    • Vladimir Oltean's avatar
      net: dsa: fix panic when DSA master device unbinds on shutdown · ee534378
      Vladimir Oltean authored
      Rafael reports that on a system with LX2160A and Marvell DSA switches,
      if a reboot occurs while the DSA master (dpaa2-eth) is up, the following
      panic can be seen:
      
      systemd-shutdown[1]: Rebooting.
      Unable to handle kernel paging request at virtual address 00a0000800000041
      [00a0000800000041] address between user and kernel address ranges
      Internal error: Oops: 96000004 [#1] PREEMPT SMP
      CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32
      pc : dsa_slave_netdevice_event+0x130/0x3e4
      lr : raw_notifier_call_chain+0x50/0x6c
      Call trace:
       dsa_slave_netdevice_event+0x130/0x3e4
       raw_notifier_call_chain+0x50/0x6c
       call_netdevice_notifiers_info+0x54/0xa0
       __dev_close_many+0x50/0x130
       dev_close_many+0x84/0x120
       unregister_netdevice_many+0x130/0x710
       unregister_netdevice_queue+0x8c/0xd0
       unregister_netdev+0x20/0x30
       dpaa2_eth_remove+0x68/0x190
       fsl_mc_driver_remove+0x20/0x5c
       __device_release_driver+0x21c/0x220
       device_release_driver_internal+0xac/0xb0
       device_links_unbind_consumers+0xd4/0x100
       __device_release_driver+0x94/0x220
       device_release_driver+0x28/0x40
       bus_remove_device+0x118/0x124
       device_del+0x174/0x420
       fsl_mc_device_remove+0x24/0x40
       __fsl_mc_device_remove+0xc/0x20
       device_for_each_child+0x58/0xa0
       dprc_remove+0x90/0xb0
       fsl_mc_driver_remove+0x20/0x5c
       __device_release_driver+0x21c/0x220
       device_release_driver+0x28/0x40
       bus_remove_device+0x118/0x124
       device_del+0x174/0x420
       fsl_mc_bus_remove+0x80/0x100
       fsl_mc_bus_shutdown+0xc/0x1c
       platform_shutdown+0x20/0x30
       device_shutdown+0x154/0x330
       __do_sys_reboot+0x1cc/0x250
       __arm64_sys_reboot+0x20/0x30
       invoke_syscall.constprop.0+0x4c/0xe0
       do_el0_svc+0x4c/0x150
       el0_svc+0x24/0xb0
       el0t_64_sync_handler+0xa8/0xb0
       el0t_64_sync+0x178/0x17c
      
      It can be seen from the stack trace that the problem is that the
      deregistration of the master causes a dev_close(), which gets notified
      as NETDEV_GOING_DOWN to dsa_slave_netdevice_event().
      But dsa_switch_shutdown() has already run, and this has unregistered the
      DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to
      call dev_close_many() on those slave interfaces, leading to the problem.
      
      The previous attempt to avoid the NETDEV_GOING_DOWN on the master after
      dsa_switch_shutdown() was called seems improper. Unregistering the slave
      interfaces is unnecessary and unhelpful. Instead, after the slaves have
      stopped being uppers of the DSA master, we can now reset to NULL the
      master->dsa_ptr pointer, which will make DSA start ignoring all future
      notifier events on the master.
      
      Fixes: 0650bf52 ("net: dsa: be compatible with masters which unregister on shutdown")
      Reported-by: default avatarRafael Richter <rafael.richter@gin.de>
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee534378