Netdev Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH net 0/2] mlxsw: Various fixes
@ 2020-05-21 12:11 Ido Schimmel
  2020-05-21 12:11 ` [PATCH net 1/2] mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails Ido Schimmel
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Ido Schimmel @ 2020-05-21 12:11 UTC (permalink / raw)
  To: netdev; +Cc: davem, kuba, jiri, mlxsw, Ido Schimmel

From: Ido Schimmel <idosch@mellanox.com>

Patch #1 from Jiri fixes a use-after-free discovered while fuzzing mlxsw
/ devlink with syzkaller.

Patch #2 from Amit works around a limitation in new versions of arping,
which is used in several selftests.

Amit Cohen (1):
  selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer

Jiri Pirko (1):
  mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case
    reload fails

 drivers/net/ethernet/mellanox/mlxsw/spectrum.c     | 14 ++++++++++++--
 drivers/net/ethernet/mellanox/mlxsw/switchx2.c     |  8 ++++++++
 .../selftests/drivers/net/mlxsw/qos_mc_aware.sh    |  2 +-
 3 files changed, 21 insertions(+), 3 deletions(-)

-- 
2.26.2


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH net 1/2] mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
  2020-05-21 12:11 [PATCH net 0/2] mlxsw: Various fixes Ido Schimmel
@ 2020-05-21 12:11 ` Ido Schimmel
  2020-05-21 12:11 ` [PATCH net 2/2] selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer Ido Schimmel
  2020-05-22 23:08 ` [PATCH net 0/2] mlxsw: Various fixes David Miller
  2 siblings, 0 replies; 6+ messages in thread
From: Ido Schimmel @ 2020-05-21 12:11 UTC (permalink / raw)
  To: netdev; +Cc: davem, kuba, jiri, mlxsw, Ido Schimmel

From: Jiri Pirko <jiri@mellanox.com>

In case of reload fail, the mlxsw_sp->ports contains a pointer to a
freed memory (either by reload_down() or reload_up() error path).
Fix this by initializing the pointer to NULL and checking it before
dereferencing in split/unsplit/type_set callpaths.

Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload")
Reported-by: Danielle Ratson <danieller@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 14 ++++++++++++--
 drivers/net/ethernet/mellanox/mlxsw/switchx2.c |  8 ++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
index 24ca8d5bc564..6b39978acd07 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
@@ -3986,6 +3986,7 @@ static void mlxsw_sp_ports_remove(struct mlxsw_sp *mlxsw_sp)
 			mlxsw_sp_port_remove(mlxsw_sp, i);
 	mlxsw_sp_cpu_port_remove(mlxsw_sp);
 	kfree(mlxsw_sp->ports);
+	mlxsw_sp->ports = NULL;
 }
 
 static int mlxsw_sp_ports_create(struct mlxsw_sp *mlxsw_sp)
@@ -4022,6 +4023,7 @@ static int mlxsw_sp_ports_create(struct mlxsw_sp *mlxsw_sp)
 	mlxsw_sp_cpu_port_remove(mlxsw_sp);
 err_cpu_port_create:
 	kfree(mlxsw_sp->ports);
+	mlxsw_sp->ports = NULL;
 	return err;
 }
 
@@ -4143,6 +4145,14 @@ static int mlxsw_sp_local_ports_offset(struct mlxsw_core *mlxsw_core,
 	return mlxsw_core_res_get(mlxsw_core, local_ports_in_x_res_id);
 }
 
+static struct mlxsw_sp_port *
+mlxsw_sp_port_get_by_local_port(struct mlxsw_sp *mlxsw_sp, u8 local_port)
+{
+	if (mlxsw_sp->ports && mlxsw_sp->ports[local_port])
+		return mlxsw_sp->ports[local_port];
+	return NULL;
+}
+
 static int mlxsw_sp_port_split(struct mlxsw_core *mlxsw_core, u8 local_port,
 			       unsigned int count,
 			       struct netlink_ext_ack *extack)
@@ -4156,7 +4166,7 @@ static int mlxsw_sp_port_split(struct mlxsw_core *mlxsw_core, u8 local_port,
 	int i;
 	int err;
 
-	mlxsw_sp_port = mlxsw_sp->ports[local_port];
+	mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port);
 	if (!mlxsw_sp_port) {
 		dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n",
 			local_port);
@@ -4251,7 +4261,7 @@ static int mlxsw_sp_port_unsplit(struct mlxsw_core *mlxsw_core, u8 local_port,
 	int offset;
 	int i;
 
-	mlxsw_sp_port = mlxsw_sp->ports[local_port];
+	mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port);
 	if (!mlxsw_sp_port) {
 		dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n",
 			local_port);
diff --git a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
index 90535820b559..2503f61db5fb 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
@@ -1259,6 +1259,7 @@ static void mlxsw_sx_ports_remove(struct mlxsw_sx *mlxsw_sx)
 		if (mlxsw_sx_port_created(mlxsw_sx, i))
 			mlxsw_sx_port_remove(mlxsw_sx, i);
 	kfree(mlxsw_sx->ports);
+	mlxsw_sx->ports = NULL;
 }
 
 static int mlxsw_sx_ports_create(struct mlxsw_sx *mlxsw_sx)
@@ -1293,6 +1294,7 @@ static int mlxsw_sx_ports_create(struct mlxsw_sx *mlxsw_sx)
 		if (mlxsw_sx_port_created(mlxsw_sx, i))
 			mlxsw_sx_port_remove(mlxsw_sx, i);
 	kfree(mlxsw_sx->ports);
+	mlxsw_sx->ports = NULL;
 	return err;
 }
 
@@ -1376,6 +1378,12 @@ static int mlxsw_sx_port_type_set(struct mlxsw_core *mlxsw_core, u8 local_port,
 	u8 module, width;
 	int err;
 
+	if (!mlxsw_sx->ports || !mlxsw_sx->ports[local_port]) {
+		dev_err(mlxsw_sx->bus_info->dev, "Port number \"%d\" does not exist\n",
+			local_port);
+		return -EINVAL;
+	}
+
 	if (new_type == DEVLINK_PORT_TYPE_AUTO)
 		return -EOPNOTSUPP;
 
-- 
2.26.2


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH net 2/2] selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer
  2020-05-21 12:11 [PATCH net 0/2] mlxsw: Various fixes Ido Schimmel
  2020-05-21 12:11 ` [PATCH net 1/2] mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails Ido Schimmel
@ 2020-05-21 12:11 ` Ido Schimmel
  2020-05-22 23:08 ` [PATCH net 0/2] mlxsw: Various fixes David Miller
  2 siblings, 0 replies; 6+ messages in thread
From: Ido Schimmel @ 2020-05-21 12:11 UTC (permalink / raw)
  To: netdev; +Cc: davem, kuba, jiri, mlxsw, Amit Cohen, Ido Schimmel

From: Amit Cohen <amitc@mellanox.com>

Starting from iputils s20190709 (used in Fedora 31), arping does not
support timeout being specified as a decimal:

$ arping -c 1 -I swp1 -b 192.0.2.66 -q -w 0.1
arping: invalid argument: '0.1'

Previously, such timeouts were rounded to an integer.

Fix this by specifying the timeout as an integer.

Fixes: a5ee171d087e ("selftests: mlxsw: qos_mc_aware: Add a test for UC awareness")
Signed-off-by: Amit Cohen <amitc@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
---
 tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh b/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh
index 24dd8ed48580..b025daea062d 100755
--- a/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh
+++ b/tools/testing/selftests/drivers/net/mlxsw/qos_mc_aware.sh
@@ -300,7 +300,7 @@ test_uc_aware()
 	local i
 
 	for ((i = 0; i < attempts; ++i)); do
-		if $ARPING -c 1 -I $h1 -b 192.0.2.66 -q -w 0.1; then
+		if $ARPING -c 1 -I $h1 -b 192.0.2.66 -q -w 1; then
 			((passes++))
 		fi
 
-- 
2.26.2


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net 0/2] mlxsw: Various fixes
  2020-05-21 12:11 [PATCH net 0/2] mlxsw: Various fixes Ido Schimmel
  2020-05-21 12:11 ` [PATCH net 1/2] mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails Ido Schimmel
  2020-05-21 12:11 ` [PATCH net 2/2] selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer Ido Schimmel
@ 2020-05-22 23:08 ` David Miller
  2 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2020-05-22 23:08 UTC (permalink / raw)
  To: idosch; +Cc: netdev, kuba, jiri, mlxsw, idosch

From: Ido Schimmel <idosch@idosch.org>
Date: Thu, 21 May 2020 15:11:43 +0300

> From: Ido Schimmel <idosch@mellanox.com>
> 
> Patch #1 from Jiri fixes a use-after-free discovered while fuzzing mlxsw
> / devlink with syzkaller.
> 
> Patch #2 from Amit works around a limitation in new versions of arping,
> which is used in several selftests.

Series applied, thanks.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net 0/2] mlxsw: Various fixes
  2019-03-12  8:40 Ido Schimmel
@ 2019-03-12 21:55 ` David Miller
  0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2019-03-12 21:55 UTC (permalink / raw)
  To: idosch; +Cc: netdev, jiri, mlxsw, vadimp

From: Ido Schimmel <idosch@mellanox.com>
Date: Tue, 12 Mar 2019 08:40:40 +0000

> Patch #1 fixes the recently introduced QSFP thermal zones to correctly
> work with split ports, where several ports are mapped to the same
> module.
> 
> Patch #2 initializes the base MAC in the minimal driver. The driver is
> using the base MAC as its parent ID and without initializing it, it is
> reported as all zeroes to user space.

Applied, thanks.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH net 0/2] mlxsw: Various fixes
@ 2019-03-12  8:40 Ido Schimmel
  2019-03-12 21:55 ` David Miller
  0 siblings, 1 reply; 6+ messages in thread
From: Ido Schimmel @ 2019-03-12  8:40 UTC (permalink / raw)
  To: netdev; +Cc: davem, Jiri Pirko, mlxsw, Vadim Pasternak, Ido Schimmel

Patch #1 fixes the recently introduced QSFP thermal zones to correctly
work with split ports, where several ports are mapped to the same
module.

Patch #2 initializes the base MAC in the minimal driver. The driver is
using the base MAC as its parent ID and without initializing it, it is
reported as all zeroes to user space.

Jiri Pirko (1):
  mlxsw: minimal: Initialize base_mac

Vadim Pasternak (1):
  mlxsw: core: Prevent duplication during QSFP module initialization

 .../ethernet/mellanox/mlxsw/core_thermal.c    | 21 ++++++++++---------
 drivers/net/ethernet/mellanox/mlxsw/minimal.c | 18 ++++++++++++++++
 2 files changed, 29 insertions(+), 10 deletions(-)

-- 
2.20.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-21 12:11 [PATCH net 0/2] mlxsw: Various fixes Ido Schimmel
2020-05-21 12:11 ` [PATCH net 1/2] mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails Ido Schimmel
2020-05-21 12:11 ` [PATCH net 2/2] selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer Ido Schimmel
2020-05-22 23:08 ` [PATCH net 0/2] mlxsw: Various fixes David Miller
  -- strict thread matches above, loose matches on Subject: below --
2019-03-12  8:40 Ido Schimmel
2019-03-12 21:55 ` David Miller

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git