All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB
@ 2021-06-21 17:55 Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 2/9] mac80211: drop multicast fragments Sasha Levin
                   ` (7 more replies)
  0 siblings, 8 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:55 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Du Cheng, syzbot+105896fac213f26056f9, Johannes Berg,
	Sasha Levin, linux-wireless, netdev

From: Du Cheng <ducheng2@gmail.com>

[ Upstream commit a64b6a25dd9f984ed05fade603a00e2eae787d2f ]

If the userland switches back-and-forth between NL80211_IFTYPE_OCB and
NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), there is a
chance where the cleanup cfg80211_leave_ocb() is not called. This leads
to initialization of in-use memory (e.g. init u.ibss while in-use by
u.ocb) due to a shared struct/union within ieee80211_sub_if_data:

struct ieee80211_sub_if_data {
    ...
    union {
        struct ieee80211_if_ap ap;
        struct ieee80211_if_vlan vlan;
        struct ieee80211_if_managed mgd;
        struct ieee80211_if_ibss ibss; // <- shares address
        struct ieee80211_if_mesh mesh;
        struct ieee80211_if_ocb ocb; // <- shares address
        struct ieee80211_if_mntr mntr;
        struct ieee80211_if_nan nan;
    } u;
    ...
}

Therefore add handling of otype == NL80211_IFTYPE_OCB, during
cfg80211_change_iface() to perform cleanup when leaving OCB mode.

link to syzkaller bug:
https://syzkaller.appspot.com/bug?id=0612dbfa595bf4b9b680ff7b4948257b8e3732d5

Reported-by: syzbot+105896fac213f26056f9@syzkaller.appspotmail.com
Signed-off-by: Du Cheng <ducheng2@gmail.com>
Link: https://lore.kernel.org/r/20210428063941.105161-1-ducheng2@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 915f1fa881e4..73c361fd4a16 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -978,6 +978,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
 		case NL80211_IFTYPE_MESH_POINT:
 			/* mesh should be handled? */
 			break;
+		case NL80211_IFTYPE_OCB:
+			cfg80211_leave_ocb(rdev, dev);
+			break;
 		default:
 			break;
 		}
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 2/9] mac80211: drop multicast fragments
  2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
@ 2021-06-21 17:56 ` Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 3/9] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Johannes Berg, Sasha Levin, linux-wireless, netdev

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit a9799541ca34652d9996e45f80e8e03144c12949 ]

These are not permitted by the spec, just drop them.

Link: https://lore.kernel.org/r/20210609161305.23def022b750.Ibd6dd3cdce573dae262fcdc47f8ac52b883a9c50@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/rx.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index ae0fba044cd0..bde924968cd2 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1853,17 +1853,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
 	sc = le16_to_cpu(hdr->seq_ctrl);
 	frag = sc & IEEE80211_SCTL_FRAG;
 
-	if (is_multicast_ether_addr(hdr->addr1)) {
-		I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
-		goto out_no_led;
-	}
-
 	if (rx->sta)
 		cache = &rx->sta->frags;
 
 	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
 		goto out;
 
+	if (is_multicast_ether_addr(hdr->addr1))
+		return RX_DROP_MONITOR;
+
 	I802_DEBUG_INC(rx->local->rx_handlers_fragments);
 
 	if (skb_linearize(rx->skb))
@@ -1992,7 +1990,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
 
  out:
 	ieee80211_led_rx(rx->local);
- out_no_led:
 	if (rx->sta)
 		rx->sta->rx_stats.packets++;
 	return RX_CONTINUE;
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 3/9] ping: Check return value of function 'ping_queue_rcv_skb'
  2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 2/9] mac80211: drop multicast fragments Sasha Levin
@ 2021-06-21 17:56 ` Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 4/9] inet: annotate date races around sk->sk_txhash Sasha Levin
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Zheng Yongjun, David S . Miller, Sasha Levin, netdev

From: Zheng Yongjun <zhengyongjun3@huawei.com>

[ Upstream commit 9d44fa3e50cc91691896934d106c86e4027e61ca ]

Function 'ping_queue_rcv_skb' not always return success, which will
also return fail. If not check the wrong return value of it, lead to function
`ping_rcv` return success.

Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ping.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index a3abd136b8e7..56d89dfd8831 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -978,6 +978,7 @@ bool ping_rcv(struct sk_buff *skb)
 	struct sock *sk;
 	struct net *net = dev_net(skb->dev);
 	struct icmphdr *icmph = icmp_hdr(skb);
+	bool rc = false;
 
 	/* We assume the packet has already been checked by icmp_rcv */
 
@@ -992,14 +993,15 @@ bool ping_rcv(struct sk_buff *skb)
 		struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
 
 		pr_debug("rcv on socket %p\n", sk);
-		if (skb2)
-			ping_queue_rcv_skb(sk, skb2);
+		if (skb2 && !ping_queue_rcv_skb(sk, skb2))
+			rc = true;
 		sock_put(sk);
-		return true;
 	}
-	pr_debug("no socket, dropping\n");
 
-	return false;
+	if (!rc)
+		pr_debug("no socket, dropping\n");
+
+	return rc;
 }
 EXPORT_SYMBOL_GPL(ping_rcv);
 
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 4/9] inet: annotate date races around sk->sk_txhash
  2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 2/9] mac80211: drop multicast fragments Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 3/9] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
@ 2021-06-21 17:56 ` Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 5/9] net: caif: fix memory leak in ldisc_open Sasha Levin
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Eric Dumazet, syzbot, David S . Miller, Sasha Levin, netdev

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit b71eaed8c04f72a919a9c44e83e4ee254e69e7f3 ]

UDP sendmsg() path can be lockless, it is possible for another
thread to re-connect an change sk->sk_txhash under us.

There is no serious impact, but we can use READ_ONCE()/WRITE_ONCE()
pair to document the race.

BUG: KCSAN: data-race in __ip4_datagram_connect / skb_set_owner_w

write to 0xffff88813397920c of 4 bytes by task 30997 on cpu 1:
 sk_set_txhash include/net/sock.h:1937 [inline]
 __ip4_datagram_connect+0x69e/0x710 net/ipv4/datagram.c:75
 __ip6_datagram_connect+0x551/0x840 net/ipv6/datagram.c:189
 ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272
 inet_dgram_connect+0xfd/0x180 net/ipv4/af_inet.c:580
 __sys_connect_file net/socket.c:1837 [inline]
 __sys_connect+0x245/0x280 net/socket.c:1854
 __do_sys_connect net/socket.c:1864 [inline]
 __se_sys_connect net/socket.c:1861 [inline]
 __x64_sys_connect+0x3d/0x50 net/socket.c:1861
 do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

read to 0xffff88813397920c of 4 bytes by task 31039 on cpu 0:
 skb_set_hash_from_sk include/net/sock.h:2211 [inline]
 skb_set_owner_w+0x118/0x220 net/core/sock.c:2101
 sock_alloc_send_pskb+0x452/0x4e0 net/core/sock.c:2359
 sock_alloc_send_skb+0x2d/0x40 net/core/sock.c:2373
 __ip6_append_data+0x1743/0x21a0 net/ipv6/ip6_output.c:1621
 ip6_make_skb+0x258/0x420 net/ipv6/ip6_output.c:1983
 udpv6_sendmsg+0x160a/0x16b0 net/ipv6/udp.c:1527
 inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg net/socket.c:674 [inline]
 ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
 ___sys_sendmsg net/socket.c:2404 [inline]
 __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
 __do_sys_sendmmsg net/socket.c:2519 [inline]
 __se_sys_sendmmsg net/socket.c:2516 [inline]
 __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
 do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

value changed: 0xbca3c43d -> 0xfdb309e0

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 31039 Comm: syz-executor.2 Not tainted 5.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/sock.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index 31198b32d912..1b657a3a30b5 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1728,7 +1728,8 @@ static inline u32 net_tx_rndhash(void)
 
 static inline void sk_set_txhash(struct sock *sk)
 {
-	sk->sk_txhash = net_tx_rndhash();
+	/* This pairs with READ_ONCE() in skb_set_hash_from_sk() */
+	WRITE_ONCE(sk->sk_txhash, net_tx_rndhash());
 }
 
 static inline void sk_rethink_txhash(struct sock *sk)
@@ -1980,9 +1981,12 @@ static inline void sock_poll_wait(struct file *filp,
 
 static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
 {
-	if (sk->sk_txhash) {
+	/* This pairs with WRITE_ONCE() in sk_set_txhash() */
+	u32 txhash = READ_ONCE(sk->sk_txhash);
+
+	if (txhash) {
 		skb->l4_hash = 1;
-		skb->hash = sk->sk_txhash;
+		skb->hash = txhash;
 	}
 }
 
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 5/9] net: caif: fix memory leak in ldisc_open
  2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
                   ` (2 preceding siblings ...)
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 4/9] inet: annotate date races around sk->sk_txhash Sasha Levin
@ 2021-06-21 17:56 ` Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 6/9] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Pavel Skripkin, syzbot+f303e045423e617d2cad, David S . Miller,
	Sasha Levin, netdev

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit 58af3d3d54e87bfc1f936e16c04ade3369d34011 ]

Syzbot reported memory leak in tty_init_dev().
The problem was in unputted tty in ldisc_open()

static int ldisc_open(struct tty_struct *tty)
{
...
	ser->tty = tty_kref_get(tty);
...
	result = register_netdevice(dev);
	if (result) {
		rtnl_unlock();
		free_netdev(dev);
		return -ENODEV;
	}
...
}

Ser pointer is netdev private_data, so after free_netdev()
this pointer goes away with unputted tty reference. So, fix
it by adding tty_kref_put() before freeing netdev.

Reported-and-tested-by: syzbot+f303e045423e617d2cad@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/caif/caif_serial.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
index 32834dad0b83..1243c2e5a86a 100644
--- a/drivers/net/caif/caif_serial.c
+++ b/drivers/net/caif/caif_serial.c
@@ -362,6 +362,7 @@ static int ldisc_open(struct tty_struct *tty)
 	rtnl_lock();
 	result = register_netdevice(dev);
 	if (result) {
+		tty_kref_put(tty);
 		rtnl_unlock();
 		free_netdev(dev);
 		return -ENODEV;
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 6/9] r8152: Avoid memcpy() over-reading of ETH_SS_STATS
  2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
                   ` (3 preceding siblings ...)
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 5/9] net: caif: fix memory leak in ldisc_open Sasha Levin
@ 2021-06-21 17:56 ` Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 7/9] sh_eth: " Sasha Levin
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Kees Cook, David S . Miller, Sasha Levin, linux-usb, netdev

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 99718abdc00e86e4f286dd836408e2834886c16e ]

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally reading across neighboring array fields.

The memcpy() is copying the entire structure, not just the first array.
Adjust the source argument so the compiler can do appropriate bounds
checking.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/r8152.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 27e9c089b2fc..5baaa8291624 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -3820,7 +3820,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data)
 {
 	switch (stringset) {
 	case ETH_SS_STATS:
-		memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings));
+		memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
 		break;
 	}
 }
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 7/9] sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS
  2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
                   ` (4 preceding siblings ...)
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 6/9] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
@ 2021-06-21 17:56 ` Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 8/9] r8169: " Sasha Levin
  2021-06-21 17:56   ` Sasha Levin
  7 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Kees Cook, David S . Miller, Sasha Levin, netdev, linux-renesas-soc

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 224004fbb033600715dbd626bceec10bfd9c58bc ]

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally reading across neighboring array fields.

The memcpy() is copying the entire structure, not just the first array.
Adjust the source argument so the compiler can do appropriate bounds
checking.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/renesas/sh_eth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
index 614b83c7ce81..1942264b621b 100644
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -2210,7 +2210,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
 {
 	switch (stringset) {
 	case ETH_SS_STATS:
-		memcpy(data, *sh_eth_gstrings_stats,
+		memcpy(data, sh_eth_gstrings_stats,
 		       sizeof(sh_eth_gstrings_stats));
 		break;
 	}
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 8/9] r8169: Avoid memcpy() over-reading of ETH_SS_STATS
  2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
                   ` (5 preceding siblings ...)
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 7/9] sh_eth: " Sasha Levin
@ 2021-06-21 17:56 ` Sasha Levin
  2021-06-21 17:56   ` Sasha Levin
  7 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Kees Cook, David S . Miller, Sasha Levin, netdev

From: Kees Cook <keescook@chromium.org>

[ Upstream commit da5ac772cfe2a03058b0accfac03fad60c46c24d ]

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally reading across neighboring array fields.

The memcpy() is copying the entire structure, not just the first array.
Adjust the source argument so the compiler can do appropriate bounds
checking.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/realtek/r8169.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index f3a685d3f649..55b0f11bf2a0 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -2314,7 +2314,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
 {
 	switch(stringset) {
 	case ETH_SS_STATS:
-		memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings));
+		memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings));
 		break;
 	}
 }
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 9/9] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
  2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
@ 2021-06-21 17:56   ` Sasha Levin
  2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 3/9] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
                     ` (6 subsequent siblings)
  7 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Esben Haabendal, David S . Miller, Sasha Levin, netdev, linux-arm-kernel

From: Esben Haabendal <esben@geanix.com>

[ Upstream commit f6396341194234e9b01cd7538bc2c6ac4501ab14 ]

As documented in Documentation/networking/driver.rst, the ndo_start_xmit
method must not return NETDEV_TX_BUSY under any normal circumstances, and
as recommended, we simply stop the tx queue in advance, when there is a
risk that the next xmit would cause a NETDEV_TX_BUSY return.

Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/xilinx/ll_temac_main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
index ed6a88cf3281..98a1c712b62a 100644
--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
+++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
@@ -735,6 +735,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
 	/* Kick off the transfer */
 	lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
 
+	if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
+		netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
+		netif_stop_queue(ndev);
+	}
+
 	return NETDEV_TX_OK;
 }
 
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH AUTOSEL 4.4 9/9] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
@ 2021-06-21 17:56   ` Sasha Levin
  0 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2021-06-21 17:56 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Esben Haabendal, David S . Miller, Sasha Levin, netdev, linux-arm-kernel

From: Esben Haabendal <esben@geanix.com>

[ Upstream commit f6396341194234e9b01cd7538bc2c6ac4501ab14 ]

As documented in Documentation/networking/driver.rst, the ndo_start_xmit
method must not return NETDEV_TX_BUSY under any normal circumstances, and
as recommended, we simply stop the tx queue in advance, when there is a
risk that the next xmit would cause a NETDEV_TX_BUSY return.

Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/xilinx/ll_temac_main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
index ed6a88cf3281..98a1c712b62a 100644
--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
+++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
@@ -735,6 +735,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
 	/* Kick off the transfer */
 	lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
 
+	if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
+		netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
+		netif_stop_queue(ndev);
+	}
+
 	return NETDEV_TX_OK;
 }
 
-- 
2.30.2


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2021-06-21 18:16 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-21 17:55 [PATCH AUTOSEL 4.4 1/9] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 2/9] mac80211: drop multicast fragments Sasha Levin
2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 3/9] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 4/9] inet: annotate date races around sk->sk_txhash Sasha Levin
2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 5/9] net: caif: fix memory leak in ldisc_open Sasha Levin
2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 6/9] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 7/9] sh_eth: " Sasha Levin
2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 8/9] r8169: " Sasha Levin
2021-06-21 17:56 ` [PATCH AUTOSEL 4.4 9/9] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY Sasha Levin
2021-06-21 17:56   ` Sasha Levin

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.