From: zijianzhang@bytedance.com To: netdev@vger.kernel.org Cc: willemdebruijn.kernel@gmail.com, cong.wang@bytedance.com, xiaochun.lu@bytedance.com, Zijian Zhang Subject: [PATCH net 0/2] fix OOM and order check in msg_zerocopy selftest Date: Mon, 1 Jul 2024 22:53:47 +0000 Message-Id: <20240701225349.3395580-1-zijianzhang@bytedance.com> X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Xref: photonic.trudheim.com org.kernel.vger.netdev:355439 Newsgroups: org.kernel.vger.netdev Path: photonic.trudheim.com!nntp.lore.kernel.org!not-for-mail From: Zijian Zhang In selftests/net/msg_zerocopy.c, it has a while loop keeps calling sendmsg on a socket with MSG_ZEROCOPY flag, and it will recv the notifications until the socket is not writable. Typically, it will start the receiving process after around 30+ sendmsgs. However, as the introduction of commit dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale"), the sender is always writable and does not get any chance to run recv notifications. The selftest always exits with OUT_OF_MEMORY because the memory used by opt_skb exceeds the net.core.optmem_max. Meanwhile, it could be set to a different value to trigger OOM on older kernels too. Thus, we introduce "cfg_notification_limit" to force sender to receive notifications after some number of sendmsgs. And, we find that when lock debugging is on, notifications may not come in order. Thus, we have order checking outputs managed by cfg_verbose, to avoid too many outputs in this case. Zijian Zhang (2): selftests: fix OOM in msg_zerocopy selftest selftests: make order checking verbose in msg_zerocopy selftest tools/testing/selftests/net/msg_zerocopy.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) -- 2.20.1 . Date: Tue, 2 Jul 2024 16:44:47 +0800 X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Message-ID: <20240702084452.2259237-1-yumike@google.com> Subject: [PATCH ipsec 0/4] Support IPsec crypto offload for IPv6 ESP and IPv4 UDP-encapsulated ESP data paths From: Mike Yu To: netdev@vger.kernel.org, steffen.klassert@secunet.com Cc: stanleyjhu@google.com, martinwu@google.com, chiachangwang@google.com, yumike@google.com Content-Type: text/plain; charset="UTF-8" Xref: photonic.trudheim.com org.kernel.vger.netdev:355449 Newsgroups: org.kernel.vger.netdev Path: photonic.trudheim.com!nntp.lore.kernel.org!not-for-mail Currently, IPsec crypto offload is enabled for GRO code path. However, there are other code paths where the XFRM stack is involved; for example, IPv6 ESP packets handled by xfrm6_esp_rcv() in ESP layer, and IPv4 UDP-encapsulated ESP packets handled by udp_rcv() in UDP layer. This patchset extends the crypto offload support to cover these two cases. This is useful for devices with traffic accounting (e.g., Android), where GRO can lead to inaccurate accounting on the underlying network. For example, VPN traffic might not be counted on the wifi network interface wlan0 if the packets are handled in GRO code path before entering the network stack for accounting. Below is the RX data path scenario the crypto offload can be applied to. +-----------+ +-------+ | HW Driver |-->| wlan0 |--------+ +-----------+ +-------+ | v +---------------+ +------+ +------>| Network Stack |-->| Apps | | +---------------+ +------+ | | | v +--------+ +------------+ | ipsec1 |<--| XFRM Stack | +--------+ +------------+ Mike Yu (4): xfrm: Support crypto offload for inbound IPv6 ESP packets not in GRO path xfrm: Allow UDP encapsulation in crypto offload control path xfrm: Support crypto offload for inbound IPv4 UDP-encapsulated ESP packet xfrm: Support crypto offload for outbound IPv4 UDP-encapsulated ESP packet net/ipv4/esp4.c | 7 ++++++- net/ipv4/esp4_offload.c | 14 +++++++++++++- net/xfrm/xfrm_device.c | 6 +++--- net/xfrm/xfrm_input.c | 3 ++- net/xfrm/xfrm_policy.c | 5 ++++- 5 files changed, 28 insertions(+), 7 deletions(-) -- 2.45.2.803.g4e1b14247a-goog . From: Aleksandr Mishin To: Samuel Ortiz CC: Aleksandr Mishin , Krzysztof Kozlowski , , , Subject: [PATCH] nfc: pn533: Add poll mod list filling check Date: Tue, 2 Jul 2024 12:39:24 +0300 Message-ID: <20240702093924.12092-1-amishin@t-argos.ru> X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-KSMG-Rule-ID: 1 X-KSMG-Message-Action: clean X-KSMG-AntiSpam-Lua-Profiles: 186273 [Jul 02 2024] X-KSMG-AntiSpam-Version: 6.1.0.4 X-KSMG-AntiSpam-Envelope-From: amishin@t-argos.ru X-KSMG-AntiSpam-Rate: 0 X-KSMG-AntiSpam-Status: not_detected X-KSMG-AntiSpam-Method: none X-KSMG-AntiSpam-Auth: dkim=none X-KSMG-AntiSpam-Info: LuaCore: 21 0.3.21 ebee5449fc125b2da45f1a6a6bc2c5c0c3ad0e05, {Tracking_from_domain_doesnt_match_to}, 127.0.0.199:7.1.2;t-argos.ru:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;mx1.t-argos.ru.ru:7.1.1, FromAlignment: s X-MS-Exchange-Organization-SCL: -1 X-KSMG-AntiSpam-Interceptor-Info: scan successful X-KSMG-AntiPhishing: Clean, bases: 2024/07/02 08:55:00 X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 1.1.2.30, bases: 2024/07/02 07:20:00 #25796017 X-KSMG-AntiVirus-Status: Clean, skipped Xref: photonic.trudheim.com org.kernel.vger.linux-kernel:1265051 org.kernel.vger.netdev:355455 Newsgroups: org.kernel.vger.linux-kernel,org.kernel.vger.netdev Path: photonic.trudheim.com!nntp.lore.kernel.org!not-for-mail In case of im_protocols value is 1 and tm_protocols value is 0 this combination successfully passes the check 'if (!im_protocols && !tm_protocols)' in the nfc_start_poll(). But then after pn533_poll_create_mod_list() call in pn533_start_poll() poll mod list will remain empty and dev->poll_mod_count will remain 0 which lead to division by zero. Add poll mod list filling check. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: dfccd0f58044 ("NFC: pn533: Add some polling entropy") Signed-off-by: Aleksandr Mishin --- drivers/nfc/pn533/pn533.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c index b19c39dcfbd9..e2bc67300a91 100644 --- a/drivers/nfc/pn533/pn533.c +++ b/drivers/nfc/pn533/pn533.c @@ -1723,6 +1723,11 @@ static int pn533_start_poll(struct nfc_dev *nfc_dev, } pn533_poll_create_mod_list(dev, im_protocols, tm_protocols); + if (!dev->poll_mod_count) { + nfc_err(dev->dev, + "Poll mod list is empty\n"); + return -EINVAL; + } /* Do not always start polling from the same modulation */ get_random_bytes(&rand_mod, sizeof(rand_mod)); -- 2.30.2 . From: Aleksandr Mishin To: Igal Liberman CC: Aleksandr Mishin , Madalin Bucur , Sean Anderson , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , , , Subject: [PATCH] fsl/fman: Validate cell-index value obtained from Device Tree Date: Tue, 2 Jul 2024 12:50:34 +0300 Message-ID: <20240702095034.12371-1-amishin@t-argos.ru> X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-KSMG-Rule-ID: 1 X-KSMG-Message-Action: clean X-KSMG-AntiSpam-Lua-Profiles: 186273 [Jul 02 2024] X-KSMG-AntiSpam-Version: 6.1.0.4 X-KSMG-AntiSpam-Envelope-From: amishin@t-argos.ru X-KSMG-AntiSpam-Rate: 0 X-KSMG-AntiSpam-Status: not_detected X-KSMG-AntiSpam-Method: none X-KSMG-AntiSpam-Auth: dkim=none X-KSMG-AntiSpam-Info: LuaCore: 21 0.3.21 ebee5449fc125b2da45f1a6a6bc2c5c0c3ad0e05, {Tracking_from_domain_doesnt_match_to}, t-argos.ru:7.1.1;127.0.0.199:7.1.2;mx1.t-argos.ru.ru:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1, FromAlignment: s X-MS-Exchange-Organization-SCL: -1 X-KSMG-AntiSpam-Interceptor-Info: scan successful X-KSMG-AntiPhishing: Clean, bases: 2024/07/02 08:55:00 X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 1.1.2.30, bases: 2024/07/02 07:20:00 #25796017 X-KSMG-AntiVirus-Status: Clean, skipped Xref: photonic.trudheim.com org.kernel.vger.linux-kernel:1265066 org.kernel.vger.netdev:355456 Newsgroups: org.kernel.vger.linux-kernel,org.kernel.vger.netdev Path: photonic.trudheim.com!nntp.lore.kernel.org!not-for-mail Cell-index value is obtained from Device Tree and then used to calculate the index for accessing arrays port_mfl[], mac_mfl[] and intr_mng[]. In case of broken DT due to any error cell-index can contain any value and it is possible to go beyond the array boundaries which can lead at least to memory corruption. Validate cell-index value obtained from Device Tree. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 414fd46e7762 ("fsl/fman: Add FMan support") Signed-off-by: Aleksandr Mishin --- drivers/net/ethernet/freescale/fman/fman.c | 7 +++++++ drivers/net/ethernet/freescale/fman/fman.h | 2 ++ drivers/net/ethernet/freescale/fman/mac.c | 5 +++++ 3 files changed, 14 insertions(+) diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c index d96028f01770..6929bca3f768 100644 --- a/drivers/net/ethernet/freescale/fman/fman.c +++ b/drivers/net/ethernet/freescale/fman/fman.c @@ -2933,3 +2933,10 @@ module_exit(fman_unload); MODULE_LICENSE("Dual BSD/GPL"); MODULE_DESCRIPTION("Freescale DPAA Frame Manager driver"); + +int check_mac_id(u32 mac_id) +{ + if (mac_id >= MAX_NUM_OF_MACS) + return -EINVAL; + return 0; +} diff --git a/drivers/net/ethernet/freescale/fman/fman.h b/drivers/net/ethernet/freescale/fman/fman.h index 2ea575a46675..3cedde4851e1 100644 --- a/drivers/net/ethernet/freescale/fman/fman.h +++ b/drivers/net/ethernet/freescale/fman/fman.h @@ -372,6 +372,8 @@ u16 fman_get_max_frm(void); int fman_get_rx_extra_headroom(void); +int check_mac_id(u32 mac_id); + #ifdef CONFIG_DPAA_ERRATUM_A050385 bool fman_has_errata_a050385(void); #endif diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c index 9767586b4eb3..7a67b4c887e2 100644 --- a/drivers/net/ethernet/freescale/fman/mac.c +++ b/drivers/net/ethernet/freescale/fman/mac.c @@ -247,6 +247,11 @@ static int mac_probe(struct platform_device *_of_dev) dev_err(dev, "failed to read cell-index for %pOF\n", mac_node); return -EINVAL; } + err = check_mac_id(val); + if (err) { + dev_err(dev, "cell-index value is out of range for %pOF\n", mac_node); + return err; + } priv->cell_index = (u8)val; /* Get the MAC address */ -- 2.30.2 . From: Aleksandr Mishin To: Jiri Pirko CC: Aleksandr Mishin , Ido Schimmel , Petr Machata , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , , , Subject: [PATCH net] mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file Date: Tue, 2 Jul 2024 13:33:52 +0300 Message-ID: <20240702103352.15315-1-amishin@t-argos.ru> X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-KSMG-Rule-ID: 1 X-KSMG-Message-Action: clean X-KSMG-AntiSpam-Lua-Profiles: 186273 [Jul 02 2024] X-KSMG-AntiSpam-Version: 6.1.0.4 X-KSMG-AntiSpam-Envelope-From: amishin@t-argos.ru X-KSMG-AntiSpam-Rate: 0 X-KSMG-AntiSpam-Status: not_detected X-KSMG-AntiSpam-Method: none X-KSMG-AntiSpam-Auth: dkim=none X-KSMG-AntiSpam-Info: LuaCore: 21 0.3.21 ebee5449fc125b2da45f1a6a6bc2c5c0c3ad0e05, {Tracking_from_domain_doesnt_match_to}, d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;t-argos.ru:7.1.1;127.0.0.199:7.1.2;mx1.t-argos.ru.ru:7.1.1, FromAlignment: s X-MS-Exchange-Organization-SCL: -1 X-KSMG-AntiSpam-Interceptor-Info: scan successful X-KSMG-AntiPhishing: Clean, bases: 2024/07/02 10:26:00 X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 1.1.2.30, bases: 2024/07/02 07:20:00 #25796017 X-KSMG-AntiVirus-Status: Clean, skipped Xref: photonic.trudheim.com org.kernel.vger.linux-kernel:1265110 org.kernel.vger.netdev:355458 Newsgroups: org.kernel.vger.linux-kernel,org.kernel.vger.netdev Path: photonic.trudheim.com!nntp.lore.kernel.org!not-for-mail In case of invalid INI file mlxsw_linecard_types_init() deallocates memory but doesn't reset pointer to NULL and returns 0. In case of any error occured after mlxsw_linecard_types_init() call, mlxsw_linecards_init() calls mlxsw_linecard_types_fini() which perform memory deallocation again. Add pointer reset to NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: b217127e5e4e ("mlxsw: core_linecards: Add line card objects and implement provisioning") Signed-off-by: Aleksandr Mishin --- drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c index 025e0db983fe..b032d5a4b3b8 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c @@ -1484,6 +1484,7 @@ static int mlxsw_linecard_types_init(struct mlxsw_core *mlxsw_core, vfree(types_info->data); err_data_alloc: kfree(types_info); + linecards->types_info = NULL; return err; } -- 2.30.2 . From: Aleksandr Mishin To: Michael Walle CC: Aleksandr Mishin , Andrew Lunn , Heiner Kallweit , Russell King , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , , , Subject: [PATCH net] net: phy: mscc-miim: Validate bus frequency obtained from Device Tree Date: Tue, 2 Jul 2024 14:06:50 +0300 Message-ID: <20240702110650.17563-1-amishin@t-argos.ru> X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-KSMG-Rule-ID: 1 X-KSMG-Message-Action: clean X-KSMG-AntiSpam-Lua-Profiles: 186273 [Jul 02 2024] X-KSMG-AntiSpam-Version: 6.1.0.4 X-KSMG-AntiSpam-Envelope-From: amishin@t-argos.ru X-KSMG-AntiSpam-Rate: 0 X-KSMG-AntiSpam-Status: not_detected X-KSMG-AntiSpam-Method: none X-KSMG-AntiSpam-Auth: dkim=none X-KSMG-AntiSpam-Info: LuaCore: 21 0.3.21 ebee5449fc125b2da45f1a6a6bc2c5c0c3ad0e05, {Tracking_from_domain_doesnt_match_to}, d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;mx1.t-argos.ru.ru:7.1.1;t-argos.ru:7.1.1;127.0.0.199:7.1.2, FromAlignment: s X-MS-Exchange-Organization-SCL: -1 X-KSMG-AntiSpam-Interceptor-Info: scan successful X-KSMG-AntiPhishing: Clean, bases: 2024/07/02 10:26:00 X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 1.1.2.30, bases: 2024/07/02 07:20:00 #25796017 X-KSMG-AntiVirus-Status: Clean, skipped Xref: photonic.trudheim.com org.kernel.vger.linux-kernel:1265133 org.kernel.vger.netdev:355460 Newsgroups: org.kernel.vger.linux-kernel,org.kernel.vger.netdev Path: photonic.trudheim.com!nntp.lore.kernel.org!not-for-mail In mscc_miim_clk_set() miim->bus_freq is taken from Device Tree and can contain any value in case of any error or broken DT. A value of 2147483648 multiplied by 2 will result in an overflow and division by 0. Add bus frequency value check to avoid overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: bb2a1934ca01 ("net: phy: mscc-miim: add support to set MDIO bus frequency") Signed-off-by: Aleksandr Mishin --- drivers/net/mdio/mdio-mscc-miim.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/mdio/mdio-mscc-miim.c b/drivers/net/mdio/mdio-mscc-miim.c index c29377c85307..6380c22567ea 100644 --- a/drivers/net/mdio/mdio-mscc-miim.c +++ b/drivers/net/mdio/mdio-mscc-miim.c @@ -254,6 +254,11 @@ static int mscc_miim_clk_set(struct mii_bus *bus) if (!miim->bus_freq) return 0; + if (miim->bus_freq == 2147483648) { + dev_err(&bus->dev, "Incorrect bus frequency\n"); + return -EINVAL; + } + rate = clk_get_rate(miim->clk); div = DIV_ROUND_UP(rate, 2 * miim->bus_freq) - 1; -- 2.30.2 . Subject: [net-next PATCH v3 00/15] eth: fbnic: Add network driver for Meta Platforms Host Network Interface From: Alexander Duyck To: netdev@vger.kernel.org Cc: Andrew Lunn , Russell King , linux-pci@vger.kernel.org, Alexander Duyck , Bjorn Helgaas , kuba@kernel.org, davem@davemloft.net, pabeni@redhat.com, edumazet@google.com, kernel-team@meta.com Date: Tue, 02 Jul 2024 07:59:39 -0700 Message-ID: <171993231020.3697648.2741754761742678186.stgit@ahduyck-xeon-server.home.arpa> X-Mailing-List: linux-pci@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Xref: photonic.trudheim.com org.kernel.vger.linux-pci:144791 org.kernel.vger.netdev:355483 Newsgroups: org.kernel.vger.linux-pci,org.kernel.vger.netdev Path: photonic.trudheim.com!nntp.lore.kernel.org!not-for-mail This patchest includes the necessary patches to enable basic Tx and Rx over the Meta Platforms Host Network Interface. To do this we introduce a new driver and driver directories in the form of "drivers/net/ethernet/meta/fbnic". The NIC itself is fairly simplistic. As far as speeds we support 25Gb, 50Gb, and 100Gb and we are mostly focused on speeds and feeds. As far as future patch sets we will be supporting the basic Rx/Tx offloads such as header/payload data split, TSO, checksum, and timestamp offloads. We have access to the MAC and PCS from the NIC, however the PHY and QSFP are hidden behind a FW layer as it is shared between 4 slices and the BMC. Due to submission limits the the general plan to submit a minimal driver for now almost equivilent to a UEFI driver in functionality, and then follow up over the coming months enabling additional offloads and enabling more features for the device. v2: - Pulled out most of the link logic leaving minimal phylink link interface - Added support for up to 64K pages by spanning multiple descriptors - Limited driver load message to only display on successful loading - Removed LED configuration, will add back in follow-on patch - Replaced pci_enable_msix_range with pci_alloc_irq_vectors - Updated comments to start with a capital letter - Limited architectures to x86_64 for now - Updated to "Return:" tag for kernel-doc - Added fbd to read/write CSR macros v3: - Fixed resource issues due to not calling pci_disable_device - Addressed sparse errors for !x | y - CCed Eric Dumazet and Kernel Team at meta to submission - Cleaned up kdoc to include missing Return: and formatting issues - Removed unneeded inlines from fbnic_txrx.c - Added support for setting queue to NAPI mapping - Added support for setting NAPI to IRQ mapping - Updated phylink to make use of rx_pause, tx_pause in mac_link_up function --- Alexander Duyck (15): PCI: Add Meta Platforms vendor ID eth: fbnic: Add scaffolding for Meta's NIC driver eth: fbnic: Allocate core device specific structures and devlink interface eth: fbnic: Add register init to set PCIe/Ethernet device config eth: fbnic: Add message parsing for FW messages eth: fbnic: Add FW communication mechanism eth: fbnic: Allocate a netdevice and napi vectors with queues eth: fbnic: Implement Tx queue alloc/start/stop/free eth: fbnic: Implement Rx queue alloc/start/stop/free eth: fbnic: Add initial messaging to notify FW of our presence eth: fbnic: Add link detection eth: fbnic: Add basic Tx handling eth: fbnic: Add basic Rx handling eth: fbnic: Add L2 address programming eth: fbnic: Write the TCAM tables used for RSS control and Rx to host MAINTAINERS | 7 + drivers/net/ethernet/Kconfig | 1 + drivers/net/ethernet/Makefile | 1 + drivers/net/ethernet/meta/Kconfig | 31 + drivers/net/ethernet/meta/Makefile | 6 + drivers/net/ethernet/meta/fbnic/Makefile | 19 + drivers/net/ethernet/meta/fbnic/fbnic.h | 156 ++ drivers/net/ethernet/meta/fbnic/fbnic_csr.h | 838 ++++++++ .../net/ethernet/meta/fbnic/fbnic_devlink.c | 88 + .../net/ethernet/meta/fbnic/fbnic_drvinfo.h | 5 + drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 791 +++++++ drivers/net/ethernet/meta/fbnic/fbnic_fw.h | 124 ++ drivers/net/ethernet/meta/fbnic/fbnic_irq.c | 229 ++ drivers/net/ethernet/meta/fbnic/fbnic_mac.c | 698 ++++++ drivers/net/ethernet/meta/fbnic/fbnic_mac.h | 87 + .../net/ethernet/meta/fbnic/fbnic_netdev.c | 483 +++++ .../net/ethernet/meta/fbnic/fbnic_netdev.h | 64 + drivers/net/ethernet/meta/fbnic/fbnic_pci.c | 564 +++++ .../net/ethernet/meta/fbnic/fbnic_phylink.c | 166 ++ drivers/net/ethernet/meta/fbnic/fbnic_rpc.c | 709 ++++++ drivers/net/ethernet/meta/fbnic/fbnic_rpc.h | 189 ++ drivers/net/ethernet/meta/fbnic/fbnic_tlv.c | 529 +++++ drivers/net/ethernet/meta/fbnic/fbnic_tlv.h | 175 ++ drivers/net/ethernet/meta/fbnic/fbnic_txrx.c | 1913 +++++++++++++++++ drivers/net/ethernet/meta/fbnic/fbnic_txrx.h | 127 ++ include/linux/pci_ids.h | 2 + 26 files changed, 8002 insertions(+) create mode 100644 drivers/net/ethernet/meta/Kconfig create mode 100644 drivers/net/ethernet/meta/Makefile create mode 100644 drivers/net/ethernet/meta/fbnic/Makefile create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic.h create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_csr.h create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_devlink.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_drvinfo.h create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_fw.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_fw.h create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_irq.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_mac.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_mac.h create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_netdev.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_netdev.h create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_pci.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_phylink.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_rpc.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_rpc.h create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_tlv.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_tlv.h create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c create mode 100644 drivers/net/ethernet/meta/fbnic/fbnic_txrx.h -- . From: Jay Vosburgh To: 'Simon Horman' cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Andy Gospodarek , Ding Tianhong , Hangbin Liu , Sam Sun , netdev@vger.kernel.org Subject: Re: [PATCH net v6] bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In-reply-to: <20240702-bond-oob-v6-1-2dfdba195c19@kernel.org> References: <20240702-bond-oob-v6-1-2dfdba195c19@kernel.org> X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Tue, 02 Jul 2024 11:45:11 -0700 Message-ID: <1645938.1719945911@famine> Xref: photonic.trudheim.com org.kernel.vger.netdev:355502 Newsgroups: org.kernel.vger.netdev Path: photonic.trudheim.com!nntp.lore.kernel.org!not-for-mail 'Simon Horman' wrote: >From: Sam Sun > >In function bond_option_arp_ip_targets_set(), if newval->string is an >empty string, newval->string+1 will point to the byte after the >string, causing an out-of-bound read. > >BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 >Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 >CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 >Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/0= 1/2014 >Call Trace: > > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 > print_address_description mm/kasan/report.c:364 [inline] > print_report+0xc1/0x5e0 mm/kasan/report.c:475 > kasan_report+0xbe/0xf0 mm/kasan/report.c:588 > strlen+0x7d/0xa0 lib/string.c:418 > __fortify_strlen include/linux/fortify-string.h:210 [inline] > in4_pton+0xa3/0x3f0 net/core/utils.c:130 > bond_option_arp_ip_targets_set+0xc2/0x910 >drivers/net/bonding/bond_options.c:1201 > __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 > __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 > bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 > bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:1= 56 > dev_attr_store+0x54/0x80 drivers/base/core.c:2366 > sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 > kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 > call_write_iter include/linux/fs.h:2020 [inline] > new_sync_write fs/read_write.c:491 [inline] > vfs_write+0x96a/0xd80 fs/read_write.c:584 > ksys_write+0x122/0x250 fs/read_write.c:637 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x63/0x6b >---[ end trace ]--- > >Fix it by adding a check of string length before using it. > >Fixes: f9de11a16594 ("bonding: add ip checks when store ip target") >Signed-off-by: Yue Sun >Signed-off-by: Simon Horman Acked-by: Jay Vosburgh >--- >Changes in v6 (Simon): >- Update check to strlen(...) < 1, as suggested by Jakub >- Not accumulating tags due to above change, > which is material given the size of this patch >- Link to v5: https://lore.kernel.org/r/20240630-bond-oob-v5-1-7d7996e0a0= 77@kernel.org > >Changes in v5 (Simon): >- Remove stray 'I4' from netdev_err() string. Thanks to Hangbin Liu. >- Sorry for the long delay between v4 and v5, this completely slipped my > mind. >- Link to v4: https://lore.kernel.org/r/20240419-bond-oob-v4-1-69dd1a66db= 20@kernel.org > >Changes in v4 (Simon): >- Correct whitespace mangled patch; posting as requested by Sam Sun >- Link to v3: https://lore.kernel.org/r/CAEkJfYOnsLLiCrtgOpq2Upr+_W0dViYV= HU8YdjJOi-mxD8H9oQ@mail.gmail.com > >Changes in v3 (Sam Sun): >- According to Hangbin's opinion, change Fixes tag from 4fb0ef585eb2 > ("bonding: convert arp_ip_target to use the new option API") to > f9de11a16594 ("bonding: add ip checks when store ip target"). >- Link to v2: https://lore.kernel.org/r/CAEkJfYMdDQKY1C-wBZLiaJ=3DdCqfM9r= =3Drykwwf+J-XHsFp7D9Ag@mail.gmail.com/ > >Changes in v2 (Sam Sun): >- According to Jay and Hangbin's opinion, remove target address in > netdev_err message since target is not initialized in error path and > will not provide useful information. >- Link to v1: https://lore.kernel.org/r/CAEkJfYPYF-nNB2oiXfXwjPG0VVB2Bd8Q= 8kAq+74J=3DR+4HkngWw@mail.gmail.com/ >--- > drivers/net/bonding/bond_options.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > >diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bon= d_options.c >index 0cacd7027e35..bc80fb6397dc 100644 >--- a/drivers/net/bonding/bond_options.c >+++ b/drivers/net/bonding/bond_options.c >@@ -1214,9 +1214,9 @@ static int bond_option_arp_ip_targets_set(struct bo= nding *bond, > __be32 target; > = > if (newval->string) { >- if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) { >- netdev_err(bond->dev, "invalid ARP target %pI4 specified\n", >- &target); >+ if (strlen(newval->string) < 1 || >+ !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) { >+ netdev_err(bond->dev, "invalid ARP target specified\n"); > return ret; > } > if (newval->string[0] =3D=3D '+') > .