Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

+4 -2

arch/powerpc/net/bpf_jit_comp64.c

··· 763 763 func = (u8 *) __bpf_call_base + imm; 764 764 765 765 /* Save skb pointer if we need to re-cache skb data */ 766 - if (bpf_helper_changes_pkt_data(func)) 766 + if ((ctx->seen & SEEN_SKB) && 767 + bpf_helper_changes_pkt_data(func)) 767 768 PPC_BPF_STL(3, 1, bpf_jit_stack_local(ctx)); 768 769 769 770 bpf_jit_emit_func_call(image, ctx, (u64)func); ··· 773 772 PPC_MR(b2p[BPF_REG_0], 3); 774 773 775 774 /* refresh skb cache */ 776 - if (bpf_helper_changes_pkt_data(func)) { 775 + if ((ctx->seen & SEEN_SKB) && 776 + bpf_helper_changes_pkt_data(func)) { 777 777 /* reload skb pointer to r3 */ 778 778 PPC_BPF_LL(3, 1, bpf_jit_stack_local(ctx)); 779 779 bpf_jit_emit_skb_loads(image, ctx);

+5 -6

arch/s390/net/bpf_jit_comp.c

··· 55 55 #define SEEN_LITERAL 8 /* code uses literals */ 56 56 #define SEEN_FUNC 16 /* calls C functions */ 57 57 #define SEEN_TAIL_CALL 32 /* code uses tail calls */ 58 - #define SEEN_SKB_CHANGE 64 /* code changes skb data */ 59 - #define SEEN_REG_AX 128 /* code uses constant blinding */ 58 + #define SEEN_REG_AX 64 /* code uses constant blinding */ 60 59 #define SEEN_STACK (SEEN_FUNC | SEEN_MEM | SEEN_SKB) 61 60 62 61 /* ··· 447 448 EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, 448 449 REG_15, 152); 449 450 } 450 - if (jit->seen & SEEN_SKB) 451 + if (jit->seen & SEEN_SKB) { 451 452 emit_load_skb_data_hlen(jit); 452 - if (jit->seen & SEEN_SKB_CHANGE) 453 453 /* stg %b1,ST_OFF_SKBP(%r0,%r15) */ 454 454 EMIT6_DISP_LH(0xe3000000, 0x0024, BPF_REG_1, REG_0, REG_15, 455 455 STK_OFF_SKBP); 456 + } 456 457 } 457 458 458 459 /* ··· 982 983 EMIT2(0x0d00, REG_14, REG_W1); 983 984 /* lgr %b0,%r2: load return value into %b0 */ 984 985 EMIT4(0xb9040000, BPF_REG_0, REG_2); 985 - if (bpf_helper_changes_pkt_data((void *)func)) { 986 - jit->seen |= SEEN_SKB_CHANGE; 986 + if ((jit->seen & SEEN_SKB) && 987 + bpf_helper_changes_pkt_data((void *)func)) { 987 988 /* lg %b1,ST_OFF_SKBP(%r15) */ 988 989 EMIT6_DISP_LH(0xe3000000, 0x0004, BPF_REG_1, REG_0, 989 990 REG_15, STK_OFF_SKBP);

+4 -2

arch/sparc/net/bpf_jit_comp_64.c

··· 1245 1245 u8 *func = ((u8 *)__bpf_call_base) + imm; 1246 1246 1247 1247 ctx->saw_call = true; 1248 + if (ctx->saw_ld_abs_ind && bpf_helper_changes_pkt_data(func)) 1249 + emit_reg_move(bpf2sparc[BPF_REG_1], L7, ctx); 1248 1250 1249 1251 emit_call((u32 *)func, ctx); 1250 1252 emit_nop(ctx); 1251 1253 1252 1254 emit_reg_move(O0, bpf2sparc[BPF_REG_0], ctx); 1253 1255 1254 - if (bpf_helper_changes_pkt_data(func) && ctx->saw_ld_abs_ind) 1255 - load_skb_regs(ctx, bpf2sparc[BPF_REG_6]); 1256 + if (ctx->saw_ld_abs_ind && bpf_helper_changes_pkt_data(func)) 1257 + load_skb_regs(ctx, L7); 1256 1258 break; 1257 1259 } 1258 1260

+2

drivers/net/ethernet/arc/emac.h

··· 159 159 unsigned int link; 160 160 unsigned int duplex; 161 161 unsigned int speed; 162 + 163 + unsigned int rx_missed_errors; 162 164 }; 163 165 164 166 /**

+142 -22

drivers/net/ethernet/arc/emac_main.c

··· 26 26 27 27 #include "emac.h" 28 28 29 + static void arc_emac_restart(struct net_device *ndev); 30 + 29 31 /** 30 32 * arc_emac_tx_avail - Return the number of available slots in the tx ring. 31 33 * @priv: Pointer to ARC EMAC private data structure. ··· 212 210 continue; 213 211 } 214 212 215 - pktlen = info & LEN_MASK; 216 - stats->rx_packets++; 217 - stats->rx_bytes += pktlen; 218 - skb = rx_buff->skb; 219 - skb_put(skb, pktlen); 220 - skb->dev = ndev; 221 - skb->protocol = eth_type_trans(skb, ndev); 222 - 223 - dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr), 224 - dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE); 225 - 226 - /* Prepare the BD for next cycle */ 227 - rx_buff->skb = netdev_alloc_skb_ip_align(ndev, 228 - EMAC_BUFFER_SIZE); 229 - if (unlikely(!rx_buff->skb)) { 213 + /* Prepare the BD for next cycle. netif_receive_skb() 214 + * only if new skb was allocated and mapped to avoid holes 215 + * in the RX fifo. 216 + */ 217 + skb = netdev_alloc_skb_ip_align(ndev, EMAC_BUFFER_SIZE); 218 + if (unlikely(!skb)) { 219 + if (net_ratelimit()) 220 + netdev_err(ndev, "cannot allocate skb\n"); 221 + /* Return ownership to EMAC */ 222 + rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE); 230 223 stats->rx_errors++; 231 - /* Because receive_skb is below, increment rx_dropped */ 232 224 stats->rx_dropped++; 233 225 continue; 234 226 } 235 227 236 - /* receive_skb only if new skb was allocated to avoid holes */ 237 - netif_receive_skb(skb); 238 - 239 - addr = dma_map_single(&ndev->dev, (void *)rx_buff->skb->data, 228 + addr = dma_map_single(&ndev->dev, (void *)skb->data, 240 229 EMAC_BUFFER_SIZE, DMA_FROM_DEVICE); 241 230 if (dma_mapping_error(&ndev->dev, addr)) { 242 231 if (net_ratelimit()) 243 - netdev_err(ndev, "cannot dma map\n"); 244 - dev_kfree_skb(rx_buff->skb); 232 + netdev_err(ndev, "cannot map dma buffer\n"); 233 + dev_kfree_skb(skb); 234 + /* Return ownership to EMAC */ 235 + rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE); 245 236 stats->rx_errors++; 237 + stats->rx_dropped++; 246 238 continue; 247 239 } 240 + 241 + /* unmap previosly mapped skb */ 242 + dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr), 243 + dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE); 244 + 245 + pktlen = info & LEN_MASK; 246 + stats->rx_packets++; 247 + stats->rx_bytes += pktlen; 248 + skb_put(rx_buff->skb, pktlen); 249 + rx_buff->skb->dev = ndev; 250 + rx_buff->skb->protocol = eth_type_trans(rx_buff->skb, ndev); 251 + 252 + netif_receive_skb(rx_buff->skb); 253 + 254 + rx_buff->skb = skb; 248 255 dma_unmap_addr_set(rx_buff, addr, addr); 249 256 dma_unmap_len_set(rx_buff, len, EMAC_BUFFER_SIZE); 250 257 ··· 270 259 } 271 260 272 261 /** 262 + * arc_emac_rx_miss_handle - handle R_MISS register 263 + * @ndev: Pointer to the net_device structure. 264 + */ 265 + static void arc_emac_rx_miss_handle(struct net_device *ndev) 266 + { 267 + struct arc_emac_priv *priv = netdev_priv(ndev); 268 + struct net_device_stats *stats = &ndev->stats; 269 + unsigned int miss; 270 + 271 + miss = arc_reg_get(priv, R_MISS); 272 + if (miss) { 273 + stats->rx_errors += miss; 274 + stats->rx_missed_errors += miss; 275 + priv->rx_missed_errors += miss; 276 + } 277 + } 278 + 279 + /** 280 + * arc_emac_rx_stall_check - check RX stall 281 + * @ndev: Pointer to the net_device structure. 282 + * @budget: How many BDs requested to process on 1 call. 283 + * @work_done: How many BDs processed 284 + * 285 + * Under certain conditions EMAC stop reception of incoming packets and 286 + * continuously increment R_MISS register instead of saving data into 287 + * provided buffer. This function detect that condition and restart 288 + * EMAC. 289 + */ 290 + static void arc_emac_rx_stall_check(struct net_device *ndev, 291 + int budget, unsigned int work_done) 292 + { 293 + struct arc_emac_priv *priv = netdev_priv(ndev); 294 + struct arc_emac_bd *rxbd; 295 + 296 + if (work_done) 297 + priv->rx_missed_errors = 0; 298 + 299 + if (priv->rx_missed_errors && budget) { 300 + rxbd = &priv->rxbd[priv->last_rx_bd]; 301 + if (le32_to_cpu(rxbd->info) & FOR_EMAC) { 302 + arc_emac_restart(ndev); 303 + priv->rx_missed_errors = 0; 304 + } 305 + } 306 + } 307 + 308 + /** 273 309 * arc_emac_poll - NAPI poll handler. 274 310 * @napi: Pointer to napi_struct structure. 275 311 * @budget: How many BDs to process on 1 call. ··· 330 272 unsigned int work_done; 331 273 332 274 arc_emac_tx_clean(ndev); 275 + arc_emac_rx_miss_handle(ndev); 333 276 334 277 work_done = arc_emac_rx(ndev, budget); 335 278 if (work_done < budget) { 336 279 napi_complete_done(napi, work_done); 337 280 arc_reg_or(priv, R_ENABLE, RXINT_MASK | TXINT_MASK); 338 281 } 282 + 283 + arc_emac_rx_stall_check(ndev, budget, work_done); 339 284 340 285 return work_done; 341 286 } ··· 381 320 if (status & MSER_MASK) { 382 321 stats->rx_missed_errors += 0x100; 383 322 stats->rx_errors += 0x100; 323 + priv->rx_missed_errors += 0x100; 324 + napi_schedule(&priv->napi); 384 325 } 385 326 386 327 if (status & RXCR_MASK) { ··· 794 731 return phy_mii_ioctl(dev->phydev, rq, cmd); 795 732 } 796 733 734 + 735 + /** 736 + * arc_emac_restart - Restart EMAC 737 + * @ndev: Pointer to net_device structure. 738 + * 739 + * This function do hardware reset of EMAC in order to restore 740 + * network packets reception. 741 + */ 742 + static void arc_emac_restart(struct net_device *ndev) 743 + { 744 + struct arc_emac_priv *priv = netdev_priv(ndev); 745 + struct net_device_stats *stats = &ndev->stats; 746 + int i; 747 + 748 + if (net_ratelimit()) 749 + netdev_warn(ndev, "restarting stalled EMAC\n"); 750 + 751 + netif_stop_queue(ndev); 752 + 753 + /* Disable interrupts */ 754 + arc_reg_clr(priv, R_ENABLE, RXINT_MASK | TXINT_MASK | ERR_MASK); 755 + 756 + /* Disable EMAC */ 757 + arc_reg_clr(priv, R_CTRL, EN_MASK); 758 + 759 + /* Return the sk_buff to system */ 760 + arc_free_tx_queue(ndev); 761 + 762 + /* Clean Tx BD's */ 763 + priv->txbd_curr = 0; 764 + priv->txbd_dirty = 0; 765 + memset(priv->txbd, 0, TX_RING_SZ); 766 + 767 + for (i = 0; i < RX_BD_NUM; i++) { 768 + struct arc_emac_bd *rxbd = &priv->rxbd[i]; 769 + unsigned int info = le32_to_cpu(rxbd->info); 770 + 771 + if (!(info & FOR_EMAC)) { 772 + stats->rx_errors++; 773 + stats->rx_dropped++; 774 + } 775 + /* Return ownership to EMAC */ 776 + rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE); 777 + } 778 + priv->last_rx_bd = 0; 779 + 780 + /* Make sure info is visible to EMAC before enable */ 781 + wmb(); 782 + 783 + /* Enable interrupts */ 784 + arc_reg_set(priv, R_ENABLE, RXINT_MASK | TXINT_MASK | ERR_MASK); 785 + 786 + /* Enable EMAC */ 787 + arc_reg_or(priv, R_CTRL, EN_MASK); 788 + 789 + netif_start_queue(ndev); 790 + } 797 791 798 792 static const struct net_device_ops arc_emac_netdev_ops = { 799 793 .ndo_open = arc_emac_open,

+3 -1

drivers/net/ethernet/broadcom/tg3.c

··· 14225 14225 /* Reset PHY, otherwise the read DMA engine will be in a mode that 14226 14226 * breaks all requests to 256 bytes. 14227 14227 */ 14228 - if (tg3_asic_rev(tp) == ASIC_REV_57766) 14228 + if (tg3_asic_rev(tp) == ASIC_REV_57766 || 14229 + tg3_asic_rev(tp) == ASIC_REV_5717 || 14230 + tg3_asic_rev(tp) == ASIC_REV_5719) 14229 14231 reset_phy = true; 14230 14232 14231 14233 err = tg3_restart_hw(tp, reset_phy);

+6 -2

drivers/net/ethernet/marvell/mvneta.c

··· 1214 1214 val &= ~MVNETA_GMAC0_PORT_ENABLE; 1215 1215 mvreg_write(pp, MVNETA_GMAC_CTRL_0, val); 1216 1216 1217 + pp->link = 0; 1218 + pp->duplex = -1; 1219 + pp->speed = 0; 1220 + 1217 1221 udelay(200); 1218 1222 } 1219 1223 ··· 1962 1958 1963 1959 if (!mvneta_rxq_desc_is_first_last(rx_status) || 1964 1960 (rx_status & MVNETA_RXD_ERR_SUMMARY)) { 1961 + mvneta_rx_error(pp, rx_desc); 1965 1962 err_drop_frame: 1966 1963 dev->stats.rx_errors++; 1967 - mvneta_rx_error(pp, rx_desc); 1968 1964 /* leave the descriptor untouched */ 1969 1965 continue; 1970 1966 } ··· 3015 3011 { 3016 3012 int queue; 3017 3013 3018 - for (queue = 0; queue < txq_number; queue++) 3014 + for (queue = 0; queue < rxq_number; queue++) 3019 3015 mvneta_rxq_deinit(pp, &pp->rxqs[queue]); 3020 3016 } 3021 3017

+6 -5

drivers/net/ethernet/mediatek/mtk_eth_soc.c

··· 1961 1961 /* set GE2 TUNE */ 1962 1962 regmap_write(eth->pctl, GPIO_BIAS_CTRL, 0x0); 1963 1963 1964 - /* GE1, Force 1000M/FD, FC ON */ 1965 - mtk_w32(eth, MAC_MCR_FIXED_LINK, MTK_MAC_MCR(0)); 1966 - 1967 - /* GE2, Force 1000M/FD, FC ON */ 1968 - mtk_w32(eth, MAC_MCR_FIXED_LINK, MTK_MAC_MCR(1)); 1964 + /* Set linkdown as the default for each GMAC. Its own MCR would be set 1965 + * up with the more appropriate value when mtk_phy_link_adjust call is 1966 + * being invoked. 1967 + */ 1968 + for (i = 0; i < MTK_MAC_COUNT; i++) 1969 + mtk_w32(eth, 0, MTK_MAC_MCR(i)); 1969 1970 1970 1971 /* Indicates CDM to parse the MTK special tag from CPU 1971 1972 * which also is working out for untag packets.

+2 -2

drivers/net/ethernet/mellanox/mlx5/core/cmd.c

··· 362 362 case MLX5_CMD_OP_QUERY_VPORT_COUNTER: 363 363 case MLX5_CMD_OP_ALLOC_Q_COUNTER: 364 364 case MLX5_CMD_OP_QUERY_Q_COUNTER: 365 - case MLX5_CMD_OP_SET_RATE_LIMIT: 365 + case MLX5_CMD_OP_SET_PP_RATE_LIMIT: 366 366 case MLX5_CMD_OP_QUERY_RATE_LIMIT: 367 367 case MLX5_CMD_OP_CREATE_SCHEDULING_ELEMENT: 368 368 case MLX5_CMD_OP_QUERY_SCHEDULING_ELEMENT: ··· 505 505 MLX5_COMMAND_STR_CASE(ALLOC_Q_COUNTER); 506 506 MLX5_COMMAND_STR_CASE(DEALLOC_Q_COUNTER); 507 507 MLX5_COMMAND_STR_CASE(QUERY_Q_COUNTER); 508 - MLX5_COMMAND_STR_CASE(SET_RATE_LIMIT); 508 + MLX5_COMMAND_STR_CASE(SET_PP_RATE_LIMIT); 509 509 MLX5_COMMAND_STR_CASE(QUERY_RATE_LIMIT); 510 510 MLX5_COMMAND_STR_CASE(CREATE_SCHEDULING_ELEMENT); 511 511 MLX5_COMMAND_STR_CASE(DESTROY_SCHEDULING_ELEMENT);

+7 -2

drivers/net/ethernet/mellanox/mlx5/core/en.h

··· 82 82 max_t(u32, MLX5_MPWRQ_MIN_LOG_STRIDE_SZ(mdev), req) 83 83 #define MLX5_MPWRQ_DEF_LOG_STRIDE_SZ(mdev) MLX5_MPWRQ_LOG_STRIDE_SZ(mdev, 6) 84 84 #define MLX5_MPWRQ_CQE_CMPRS_LOG_STRIDE_SZ(mdev) MLX5_MPWRQ_LOG_STRIDE_SZ(mdev, 8) 85 + #define MLX5E_MPWQE_STRIDE_SZ(mdev, cqe_cmprs) \ 86 + (cqe_cmprs ? MLX5_MPWRQ_CQE_CMPRS_LOG_STRIDE_SZ(mdev) : \ 87 + MLX5_MPWRQ_DEF_LOG_STRIDE_SZ(mdev)) 85 88 86 89 #define MLX5_MPWRQ_LOG_WQE_SZ 18 87 90 #define MLX5_MPWRQ_WQE_PAGE_ORDER (MLX5_MPWRQ_LOG_WQE_SZ - PAGE_SHIFT > 0 ? \ ··· 593 590 struct mlx5_core_dev *mdev; 594 591 struct hwtstamp_config *tstamp; 595 592 int ix; 593 + int cpu; 596 594 }; 597 595 598 596 struct mlx5e_channels { ··· 939 935 u8 cq_period_mode); 940 936 void mlx5e_set_rx_cq_mode_params(struct mlx5e_params *params, 941 937 u8 cq_period_mode); 942 - void mlx5e_set_rq_type_params(struct mlx5_core_dev *mdev, 943 - struct mlx5e_params *params, u8 rq_type); 938 + void mlx5e_init_rq_type_params(struct mlx5_core_dev *mdev, 939 + struct mlx5e_params *params, 940 + u8 rq_type); 944 941 945 942 static inline bool mlx5e_tunnel_inner_ft_supported(struct mlx5_core_dev *mdev) 946 943 {

+7 -3

drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c

··· 274 274 static int mlx5e_dbcnl_validate_ets(struct net_device *netdev, 275 275 struct ieee_ets *ets) 276 276 { 277 + bool have_ets_tc = false; 277 278 int bw_sum = 0; 278 279 int i; 279 280 ··· 289 288 } 290 289 291 290 /* Validate Bandwidth Sum */ 292 - for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) 293 - if (ets->tc_tsa[i] == IEEE_8021QAZ_TSA_ETS) 291 + for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) { 292 + if (ets->tc_tsa[i] == IEEE_8021QAZ_TSA_ETS) { 293 + have_ets_tc = true; 294 294 bw_sum += ets->tc_tx_bw[i]; 295 + } 296 + } 295 297 296 - if (bw_sum != 0 && bw_sum != 100) { 298 + if (have_ets_tc && bw_sum != 100) { 297 299 netdev_err(netdev, 298 300 "Failed to validate ETS: BW sum is illegal\n"); 299 301 return -EINVAL;

+8 -2

drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c

··· 1523 1523 new_channels.params = priv->channels.params; 1524 1524 MLX5E_SET_PFLAG(&new_channels.params, MLX5E_PFLAG_RX_CQE_COMPRESS, new_val); 1525 1525 1526 - mlx5e_set_rq_type_params(priv->mdev, &new_channels.params, 1527 - new_channels.params.rq_wq_type); 1526 + new_channels.params.mpwqe_log_stride_sz = 1527 + MLX5E_MPWQE_STRIDE_SZ(priv->mdev, new_val); 1528 + new_channels.params.mpwqe_log_num_strides = 1529 + MLX5_MPWRQ_LOG_WQE_SZ - new_channels.params.mpwqe_log_stride_sz; 1528 1530 1529 1531 if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) { 1530 1532 priv->channels.params = new_channels.params; ··· 1538 1536 return err; 1539 1537 1540 1538 mlx5e_switch_priv_channels(priv, &new_channels, NULL); 1539 + mlx5e_dbg(DRV, priv, "MLX5E: RxCqeCmprss was turned %s\n", 1540 + MLX5E_GET_PFLAG(&priv->channels.params, 1541 + MLX5E_PFLAG_RX_CQE_COMPRESS) ? "ON" : "OFF"); 1542 + 1541 1543 return 0; 1542 1544 } 1543 1545

+31 -32

drivers/net/ethernet/mellanox/mlx5/core/en_main.c

··· 71 71 struct mlx5e_cq_param icosq_cq; 72 72 }; 73 73 74 - static int mlx5e_get_node(struct mlx5e_priv *priv, int ix) 75 - { 76 - return pci_irq_get_node(priv->mdev->pdev, MLX5_EQ_VEC_COMP_BASE + ix); 77 - } 78 - 79 74 static bool mlx5e_check_fragmented_striding_rq_cap(struct mlx5_core_dev *mdev) 80 75 { 81 76 return MLX5_CAP_GEN(mdev, striding_rq) && ··· 78 83 MLX5_CAP_ETH(mdev, reg_umr_sq); 79 84 } 80 85 81 - void mlx5e_set_rq_type_params(struct mlx5_core_dev *mdev, 82 - struct mlx5e_params *params, u8 rq_type) 86 + void mlx5e_init_rq_type_params(struct mlx5_core_dev *mdev, 87 + struct mlx5e_params *params, u8 rq_type) 83 88 { 84 89 params->rq_wq_type = rq_type; 85 90 params->lro_wqe_sz = MLX5E_PARAMS_DEFAULT_LRO_WQE_SZ; ··· 88 93 params->log_rq_size = is_kdump_kernel() ? 89 94 MLX5E_PARAMS_MINIMUM_LOG_RQ_SIZE_MPW : 90 95 MLX5E_PARAMS_DEFAULT_LOG_RQ_SIZE_MPW; 91 - params->mpwqe_log_stride_sz = 92 - MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS) ? 93 - MLX5_MPWRQ_CQE_CMPRS_LOG_STRIDE_SZ(mdev) : 94 - MLX5_MPWRQ_DEF_LOG_STRIDE_SZ(mdev); 96 + params->mpwqe_log_stride_sz = MLX5E_MPWQE_STRIDE_SZ(mdev, 97 + MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)); 95 98 params->mpwqe_log_num_strides = MLX5_MPWRQ_LOG_WQE_SZ - 96 99 params->mpwqe_log_stride_sz; 97 100 break; ··· 113 120 MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)); 114 121 } 115 122 116 - static void mlx5e_set_rq_params(struct mlx5_core_dev *mdev, struct mlx5e_params *params) 123 + static void mlx5e_set_rq_params(struct mlx5_core_dev *mdev, 124 + struct mlx5e_params *params) 117 125 { 118 126 u8 rq_type = mlx5e_check_fragmented_striding_rq_cap(mdev) && 119 127 !params->xdp_prog && !MLX5_IPSEC_DEV(mdev) ? 120 128 MLX5_WQ_TYPE_LINKED_LIST_STRIDING_RQ : 121 129 MLX5_WQ_TYPE_LINKED_LIST; 122 - mlx5e_set_rq_type_params(mdev, params, rq_type); 130 + mlx5e_init_rq_type_params(mdev, params, rq_type); 123 131 } 124 132 125 133 static void mlx5e_update_carrier(struct mlx5e_priv *priv) ··· 438 444 int wq_sz = mlx5_wq_ll_get_size(&rq->wq); 439 445 int mtt_sz = mlx5e_get_wqe_mtt_sz(); 440 446 int mtt_alloc = mtt_sz + MLX5_UMR_ALIGN - 1; 441 - int node = mlx5e_get_node(c->priv, c->ix); 442 447 int i; 443 448 444 449 rq->mpwqe.info = kzalloc_node(wq_sz * sizeof(*rq->mpwqe.info), 445 - GFP_KERNEL, node); 450 + GFP_KERNEL, cpu_to_node(c->cpu)); 446 451 if (!rq->mpwqe.info) 447 452 goto err_out; 448 453 449 454 /* We allocate more than mtt_sz as we will align the pointer */ 450 - rq->mpwqe.mtt_no_align = kzalloc_node(mtt_alloc * wq_sz, 451 - GFP_KERNEL, node); 455 + rq->mpwqe.mtt_no_align = kzalloc_node(mtt_alloc * wq_sz, GFP_KERNEL, 456 + cpu_to_node(c->cpu)); 452 457 if (unlikely(!rq->mpwqe.mtt_no_align)) 453 458 goto err_free_wqe_info; 454 459 ··· 555 562 int err; 556 563 int i; 557 564 558 - rqp->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); 565 + rqp->wq.db_numa_node = cpu_to_node(c->cpu); 559 566 560 567 err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->wq, 561 568 &rq->wq_ctrl); ··· 622 629 default: /* MLX5_WQ_TYPE_LINKED_LIST */ 623 630 rq->wqe.frag_info = 624 631 kzalloc_node(wq_sz * sizeof(*rq->wqe.frag_info), 625 - GFP_KERNEL, 626 - mlx5e_get_node(c->priv, c->ix)); 632 + GFP_KERNEL, cpu_to_node(c->cpu)); 627 633 if (!rq->wqe.frag_info) { 628 634 err = -ENOMEM; 629 635 goto err_rq_wq_destroy; ··· 992 1000 sq->uar_map = mdev->mlx5e_res.bfreg.map; 993 1001 sq->min_inline_mode = params->tx_min_inline_mode; 994 1002 995 - param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); 1003 + param->wq.db_numa_node = cpu_to_node(c->cpu); 996 1004 err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl); 997 1005 if (err) 998 1006 return err; 999 1007 sq->wq.db = &sq->wq.db[MLX5_SND_DBR]; 1000 1008 1001 - err = mlx5e_alloc_xdpsq_db(sq, mlx5e_get_node(c->priv, c->ix)); 1009 + err = mlx5e_alloc_xdpsq_db(sq, cpu_to_node(c->cpu)); 1002 1010 if (err) 1003 1011 goto err_sq_wq_destroy; 1004 1012 ··· 1045 1053 sq->channel = c; 1046 1054 sq->uar_map = mdev->mlx5e_res.bfreg.map; 1047 1055 1048 - param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); 1056 + param->wq.db_numa_node = cpu_to_node(c->cpu); 1049 1057 err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl); 1050 1058 if (err) 1051 1059 return err; 1052 1060 sq->wq.db = &sq->wq.db[MLX5_SND_DBR]; 1053 1061 1054 - err = mlx5e_alloc_icosq_db(sq, mlx5e_get_node(c->priv, c->ix)); 1062 + err = mlx5e_alloc_icosq_db(sq, cpu_to_node(c->cpu)); 1055 1063 if (err) 1056 1064 goto err_sq_wq_destroy; 1057 1065 ··· 1118 1126 if (MLX5_IPSEC_DEV(c->priv->mdev)) 1119 1127 set_bit(MLX5E_SQ_STATE_IPSEC, &sq->state); 1120 1128 1121 - param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); 1129 + param->wq.db_numa_node = cpu_to_node(c->cpu); 1122 1130 err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl); 1123 1131 if (err) 1124 1132 return err; 1125 1133 sq->wq.db = &sq->wq.db[MLX5_SND_DBR]; 1126 1134 1127 - err = mlx5e_alloc_txqsq_db(sq, mlx5e_get_node(c->priv, c->ix)); 1135 + err = mlx5e_alloc_txqsq_db(sq, cpu_to_node(c->cpu)); 1128 1136 if (err) 1129 1137 goto err_sq_wq_destroy; 1130 1138 ··· 1496 1504 struct mlx5_core_dev *mdev = c->priv->mdev; 1497 1505 int err; 1498 1506 1499 - param->wq.buf_numa_node = mlx5e_get_node(c->priv, c->ix); 1500 - param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); 1507 + param->wq.buf_numa_node = cpu_to_node(c->cpu); 1508 + param->wq.db_numa_node = cpu_to_node(c->cpu); 1501 1509 param->eq_ix = c->ix; 1502 1510 1503 1511 err = mlx5e_alloc_cq_common(mdev, param, cq); ··· 1594 1602 { 1595 1603 mlx5e_destroy_cq(cq); 1596 1604 mlx5e_free_cq(cq); 1605 + } 1606 + 1607 + static int mlx5e_get_cpu(struct mlx5e_priv *priv, int ix) 1608 + { 1609 + return cpumask_first(priv->mdev->priv.irq_info[ix].mask); 1597 1610 } 1598 1611 1599 1612 static int mlx5e_open_tx_cqs(struct mlx5e_channel *c, ··· 1749 1752 { 1750 1753 struct mlx5e_cq_moder icocq_moder = {0, 0}; 1751 1754 struct net_device *netdev = priv->netdev; 1755 + int cpu = mlx5e_get_cpu(priv, ix); 1752 1756 struct mlx5e_channel *c; 1753 1757 unsigned int irq; 1754 1758 int err; 1755 1759 int eqn; 1756 1760 1757 - c = kzalloc_node(sizeof(*c), GFP_KERNEL, mlx5e_get_node(priv, ix)); 1761 + c = kzalloc_node(sizeof(*c), GFP_KERNEL, cpu_to_node(cpu)); 1758 1762 if (!c) 1759 1763 return -ENOMEM; 1760 1764 ··· 1763 1765 c->mdev = priv->mdev; 1764 1766 c->tstamp = &priv->tstamp; 1765 1767 c->ix = ix; 1768 + c->cpu = cpu; 1766 1769 c->pdev = &priv->mdev->pdev->dev; 1767 1770 c->netdev = priv->netdev; 1768 1771 c->mkey_be = cpu_to_be32(priv->mdev->mlx5e_res.mkey.key); ··· 1852 1853 for (tc = 0; tc < c->num_tc; tc++) 1853 1854 mlx5e_activate_txqsq(&c->sq[tc]); 1854 1855 mlx5e_activate_rq(&c->rq); 1855 - netif_set_xps_queue(c->netdev, 1856 - mlx5_get_vector_affinity(c->priv->mdev, c->ix), c->ix); 1856 + netif_set_xps_queue(c->netdev, get_cpu_mask(c->cpu), c->ix); 1857 1857 } 1858 1858 1859 1859 static void mlx5e_deactivate_channel(struct mlx5e_channel *c) ··· 3677 3679 struct sk_buff *skb, 3678 3680 netdev_features_t features) 3679 3681 { 3682 + unsigned int offset = 0; 3680 3683 struct udphdr *udph; 3681 3684 u8 proto; 3682 3685 u16 port; ··· 3687 3688 proto = ip_hdr(skb)->protocol; 3688 3689 break; 3689 3690 case htons(ETH_P_IPV6): 3690 - proto = ipv6_hdr(skb)->nexthdr; 3691 + proto = ipv6_find_hdr(skb, &offset, -1, NULL, NULL); 3691 3692 break; 3692 3693 default: 3693 3694 goto out;

+12 -8

drivers/net/ethernet/mellanox/mlx5/core/eq.c

··· 466 466 break; 467 467 case MLX5_EVENT_TYPE_CQ_ERROR: 468 468 cqn = be32_to_cpu(eqe->data.cq_err.cqn) & 0xffffff; 469 - mlx5_core_warn(dev, "CQ error on CQN 0x%x, syndrom 0x%x\n", 469 + mlx5_core_warn(dev, "CQ error on CQN 0x%x, syndrome 0x%x\n", 470 470 cqn, eqe->data.cq_err.syndrome); 471 471 mlx5_cq_event(dev, cqn, eqe->type); 472 472 break; ··· 775 775 return err; 776 776 } 777 777 778 - int mlx5_stop_eqs(struct mlx5_core_dev *dev) 778 + void mlx5_stop_eqs(struct mlx5_core_dev *dev) 779 779 { 780 780 struct mlx5_eq_table *table = &dev->priv.eq_table; 781 781 int err; ··· 784 784 if (MLX5_CAP_GEN(dev, pg)) { 785 785 err = mlx5_destroy_unmap_eq(dev, &table->pfault_eq); 786 786 if (err) 787 - return err; 787 + mlx5_core_err(dev, "failed to destroy page fault eq, err(%d)\n", 788 + err); 788 789 } 789 790 #endif 790 791 791 792 err = mlx5_destroy_unmap_eq(dev, &table->pages_eq); 792 793 if (err) 793 - return err; 794 + mlx5_core_err(dev, "failed to destroy pages eq, err(%d)\n", 795 + err); 794 796 795 - mlx5_destroy_unmap_eq(dev, &table->async_eq); 797 + err = mlx5_destroy_unmap_eq(dev, &table->async_eq); 798 + if (err) 799 + mlx5_core_err(dev, "failed to destroy async eq, err(%d)\n", 800 + err); 796 801 mlx5_cmd_use_polling(dev); 797 802 798 803 err = mlx5_destroy_unmap_eq(dev, &table->cmd_eq); 799 804 if (err) 800 - mlx5_cmd_use_events(dev); 801 - 802 - return err; 805 + mlx5_core_err(dev, "failed to destroy command eq, err(%d)\n", 806 + err); 803 807 } 804 808 805 809 int mlx5_core_eq_query(struct mlx5_core_dev *dev, struct mlx5_eq *eq,

+6

drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c

··· 66 66 u8 actual_size; 67 67 int err; 68 68 69 + if (!size) 70 + return -EINVAL; 71 + 69 72 if (!fdev->mdev) 70 73 return -ENOTCONN; 71 74 ··· 97 94 size_t bytes_done = 0; 98 95 u8 actual_size; 99 96 int err; 97 + 98 + if (!size) 99 + return -EINVAL; 100 100 101 101 if (!fdev->mdev) 102 102 return -ENOTCONN;

+14 -2

drivers/net/ethernet/mellanox/mlx5/core/fs_core.c

··· 174 174 static void del_sw_flow_table(struct fs_node *node); 175 175 static void del_sw_flow_group(struct fs_node *node); 176 176 static void del_sw_fte(struct fs_node *node); 177 + static void del_sw_prio(struct fs_node *node); 178 + static void del_sw_ns(struct fs_node *node); 177 179 /* Delete rule (destination) is special case that 178 180 * requires to lock the FTE for all the deletion process. 179 181 */ ··· 408 406 if (root) 409 407 return root->dev; 410 408 return NULL; 409 + } 410 + 411 + static void del_sw_ns(struct fs_node *node) 412 + { 413 + kfree(node); 414 + } 415 + 416 + static void del_sw_prio(struct fs_node *node) 417 + { 418 + kfree(node); 411 419 } 412 420 413 421 static void del_hw_flow_table(struct fs_node *node) ··· 2076 2064 return ERR_PTR(-ENOMEM); 2077 2065 2078 2066 fs_prio->node.type = FS_TYPE_PRIO; 2079 - tree_init_node(&fs_prio->node, NULL, NULL); 2067 + tree_init_node(&fs_prio->node, NULL, del_sw_prio); 2080 2068 tree_add_node(&fs_prio->node, &ns->node); 2081 2069 fs_prio->num_levels = num_levels; 2082 2070 fs_prio->prio = prio; ··· 2102 2090 return ERR_PTR(-ENOMEM); 2103 2091 2104 2092 fs_init_namespace(ns); 2105 - tree_init_node(&ns->node, NULL, NULL); 2093 + tree_init_node(&ns->node, NULL, del_sw_ns); 2106 2094 tree_add_node(&ns->node, &prio->node); 2107 2095 list_add_tail(&ns->node.list, &prio->node.children); 2108 2096

+1 -1

drivers/net/ethernet/mellanox/mlx5/core/health.c

··· 241 241 u32 fw; 242 242 int i; 243 243 244 - /* If the syndrom is 0, the device is OK and no need to print buffer */ 244 + /* If the syndrome is 0, the device is OK and no need to print buffer */ 245 245 if (!ioread8(&h->synd)) 246 246 return; 247 247

+1 -1

drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c

··· 57 57 struct mlx5e_params *params) 58 58 { 59 59 /* Override RQ params as IPoIB supports only LINKED LIST RQ for now */ 60 - mlx5e_set_rq_type_params(mdev, params, MLX5_WQ_TYPE_LINKED_LIST); 60 + mlx5e_init_rq_type_params(mdev, params, MLX5_WQ_TYPE_LINKED_LIST); 61 61 62 62 /* RQ size in ipoib by default is 512 */ 63 63 params->log_rq_size = is_kdump_kernel() ?

+69 -6

drivers/net/ethernet/mellanox/mlx5/core/main.c

··· 317 317 { 318 318 struct mlx5_priv *priv = &dev->priv; 319 319 struct mlx5_eq_table *table = &priv->eq_table; 320 - struct irq_affinity irqdesc = { 321 - .pre_vectors = MLX5_EQ_VEC_COMP_BASE, 322 - }; 323 320 int num_eqs = 1 << MLX5_CAP_GEN(dev, log_max_eq); 324 321 int nvec; 325 322 ··· 330 333 if (!priv->irq_info) 331 334 goto err_free_msix; 332 335 333 - nvec = pci_alloc_irq_vectors_affinity(dev->pdev, 336 + nvec = pci_alloc_irq_vectors(dev->pdev, 334 337 MLX5_EQ_VEC_COMP_BASE + 1, nvec, 335 - PCI_IRQ_MSIX | PCI_IRQ_AFFINITY, 336 - &irqdesc); 338 + PCI_IRQ_MSIX); 337 339 if (nvec < 0) 338 340 return nvec; 339 341 ··· 616 620 timer_l = ioread32be(&dev->iseg->internal_timer_l); 617 621 618 622 return (u64)timer_l | (u64)timer_h1 << 32; 623 + } 624 + 625 + static int mlx5_irq_set_affinity_hint(struct mlx5_core_dev *mdev, int i) 626 + { 627 + struct mlx5_priv *priv = &mdev->priv; 628 + int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i); 629 + 630 + if (!zalloc_cpumask_var(&priv->irq_info[i].mask, GFP_KERNEL)) { 631 + mlx5_core_warn(mdev, "zalloc_cpumask_var failed"); 632 + return -ENOMEM; 633 + } 634 + 635 + cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node), 636 + priv->irq_info[i].mask); 637 + 638 + if (IS_ENABLED(CONFIG_SMP) && 639 + irq_set_affinity_hint(irq, priv->irq_info[i].mask)) 640 + mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq); 641 + 642 + return 0; 643 + } 644 + 645 + static void mlx5_irq_clear_affinity_hint(struct mlx5_core_dev *mdev, int i) 646 + { 647 + struct mlx5_priv *priv = &mdev->priv; 648 + int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i); 649 + 650 + irq_set_affinity_hint(irq, NULL); 651 + free_cpumask_var(priv->irq_info[i].mask); 652 + } 653 + 654 + static int mlx5_irq_set_affinity_hints(struct mlx5_core_dev *mdev) 655 + { 656 + int err; 657 + int i; 658 + 659 + for (i = 0; i < mdev->priv.eq_table.num_comp_vectors; i++) { 660 + err = mlx5_irq_set_affinity_hint(mdev, i); 661 + if (err) 662 + goto err_out; 663 + } 664 + 665 + return 0; 666 + 667 + err_out: 668 + for (i--; i >= 0; i--) 669 + mlx5_irq_clear_affinity_hint(mdev, i); 670 + 671 + return err; 672 + } 673 + 674 + static void mlx5_irq_clear_affinity_hints(struct mlx5_core_dev *mdev) 675 + { 676 + int i; 677 + 678 + for (i = 0; i < mdev->priv.eq_table.num_comp_vectors; i++) 679 + mlx5_irq_clear_affinity_hint(mdev, i); 619 680 } 620 681 621 682 int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, ··· 1150 1097 goto err_stop_eqs; 1151 1098 } 1152 1099 1100 + err = mlx5_irq_set_affinity_hints(dev); 1101 + if (err) { 1102 + dev_err(&pdev->dev, "Failed to alloc affinity hint cpumask\n"); 1103 + goto err_affinity_hints; 1104 + } 1105 + 1153 1106 err = mlx5_init_fs(dev); 1154 1107 if (err) { 1155 1108 dev_err(&pdev->dev, "Failed to init flow steering\n"); ··· 1213 1154 mlx5_cleanup_fs(dev); 1214 1155 1215 1156 err_fs: 1157 + mlx5_irq_clear_affinity_hints(dev); 1158 + 1159 + err_affinity_hints: 1216 1160 free_comp_eqs(dev); 1217 1161 1218 1162 err_stop_eqs: ··· 1284 1222 1285 1223 mlx5_sriov_detach(dev); 1286 1224 mlx5_cleanup_fs(dev); 1225 + mlx5_irq_clear_affinity_hints(dev); 1287 1226 free_comp_eqs(dev); 1288 1227 mlx5_stop_eqs(dev); 1289 1228 mlx5_put_uars_page(dev, priv->uar);

+2 -2

drivers/net/ethernet/mellanox/mlx5/core/qp.c

··· 213 213 err_cmd: 214 214 memset(din, 0, sizeof(din)); 215 215 memset(dout, 0, sizeof(dout)); 216 - MLX5_SET(destroy_qp_in, in, opcode, MLX5_CMD_OP_DESTROY_QP); 217 - MLX5_SET(destroy_qp_in, in, qpn, qp->qpn); 216 + MLX5_SET(destroy_qp_in, din, opcode, MLX5_CMD_OP_DESTROY_QP); 217 + MLX5_SET(destroy_qp_in, din, qpn, qp->qpn); 218 218 mlx5_cmd_exec(dev, din, sizeof(din), dout, sizeof(dout)); 219 219 return err; 220 220 }

+11 -11

drivers/net/ethernet/mellanox/mlx5/core/rl.c

··· 125 125 return ret_entry; 126 126 } 127 127 128 - static int mlx5_set_rate_limit_cmd(struct mlx5_core_dev *dev, 128 + static int mlx5_set_pp_rate_limit_cmd(struct mlx5_core_dev *dev, 129 129 u32 rate, u16 index) 130 130 { 131 - u32 in[MLX5_ST_SZ_DW(set_rate_limit_in)] = {0}; 132 - u32 out[MLX5_ST_SZ_DW(set_rate_limit_out)] = {0}; 131 + u32 in[MLX5_ST_SZ_DW(set_pp_rate_limit_in)] = {0}; 132 + u32 out[MLX5_ST_SZ_DW(set_pp_rate_limit_out)] = {0}; 133 133 134 - MLX5_SET(set_rate_limit_in, in, opcode, 135 - MLX5_CMD_OP_SET_RATE_LIMIT); 136 - MLX5_SET(set_rate_limit_in, in, rate_limit_index, index); 137 - MLX5_SET(set_rate_limit_in, in, rate_limit, rate); 134 + MLX5_SET(set_pp_rate_limit_in, in, opcode, 135 + MLX5_CMD_OP_SET_PP_RATE_LIMIT); 136 + MLX5_SET(set_pp_rate_limit_in, in, rate_limit_index, index); 137 + MLX5_SET(set_pp_rate_limit_in, in, rate_limit, rate); 138 138 return mlx5_cmd_exec(dev, in, sizeof(in), out, sizeof(out)); 139 139 } 140 140 ··· 173 173 entry->refcount++; 174 174 } else { 175 175 /* new rate limit */ 176 - err = mlx5_set_rate_limit_cmd(dev, rate, entry->index); 176 + err = mlx5_set_pp_rate_limit_cmd(dev, rate, entry->index); 177 177 if (err) { 178 178 mlx5_core_err(dev, "Failed configuring rate: %u (%d)\n", 179 179 rate, err); ··· 209 209 entry->refcount--; 210 210 if (!entry->refcount) { 211 211 /* need to remove rate */ 212 - mlx5_set_rate_limit_cmd(dev, 0, entry->index); 212 + mlx5_set_pp_rate_limit_cmd(dev, 0, entry->index); 213 213 entry->rate = 0; 214 214 } 215 215 ··· 262 262 /* Clear all configured rates */ 263 263 for (i = 0; i < table->max_size; i++) 264 264 if (table->rl_entry[i].rate) 265 - mlx5_set_rate_limit_cmd(dev, 0, 266 - table->rl_entry[i].index); 265 + mlx5_set_pp_rate_limit_cmd(dev, 0, 266 + table->rl_entry[i].index); 267 267 268 268 kfree(dev->priv.rl_table.rl_entry); 269 269 }

+37 -29

drivers/net/ethernet/mellanox/mlx5/core/vxlan.c

··· 71 71 struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan; 72 72 struct mlx5e_vxlan *vxlan; 73 73 74 - spin_lock(&vxlan_db->lock); 74 + spin_lock_bh(&vxlan_db->lock); 75 75 vxlan = radix_tree_lookup(&vxlan_db->tree, port); 76 - spin_unlock(&vxlan_db->lock); 76 + spin_unlock_bh(&vxlan_db->lock); 77 77 78 78 return vxlan; 79 79 } ··· 88 88 struct mlx5e_vxlan *vxlan; 89 89 int err; 90 90 91 - if (mlx5e_vxlan_lookup_port(priv, port)) 91 + mutex_lock(&priv->state_lock); 92 + vxlan = mlx5e_vxlan_lookup_port(priv, port); 93 + if (vxlan) { 94 + atomic_inc(&vxlan->refcount); 92 95 goto free_work; 96 + } 93 97 94 98 if (mlx5e_vxlan_core_add_port_cmd(priv->mdev, port)) 95 99 goto free_work; ··· 103 99 goto err_delete_port; 104 100 105 101 vxlan->udp_port = port; 102 + atomic_set(&vxlan->refcount, 1); 106 103 107 - spin_lock_irq(&vxlan_db->lock); 104 + spin_lock_bh(&vxlan_db->lock); 108 105 err = radix_tree_insert(&vxlan_db->tree, vxlan->udp_port, vxlan); 109 - spin_unlock_irq(&vxlan_db->lock); 106 + spin_unlock_bh(&vxlan_db->lock); 110 107 if (err) 111 108 goto err_free; 112 109 ··· 118 113 err_delete_port: 119 114 mlx5e_vxlan_core_del_port_cmd(priv->mdev, port); 120 115 free_work: 116 + mutex_unlock(&priv->state_lock); 121 117 kfree(vxlan_work); 122 - } 123 - 124 - static void __mlx5e_vxlan_core_del_port(struct mlx5e_priv *priv, u16 port) 125 - { 126 - struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan; 127 - struct mlx5e_vxlan *vxlan; 128 - 129 - spin_lock_irq(&vxlan_db->lock); 130 - vxlan = radix_tree_delete(&vxlan_db->tree, port); 131 - spin_unlock_irq(&vxlan_db->lock); 132 - 133 - if (!vxlan) 134 - return; 135 - 136 - mlx5e_vxlan_core_del_port_cmd(priv->mdev, vxlan->udp_port); 137 - 138 - kfree(vxlan); 139 118 } 140 119 141 120 static void mlx5e_vxlan_del_port(struct work_struct *work) 142 121 { 143 122 struct mlx5e_vxlan_work *vxlan_work = 144 123 container_of(work, struct mlx5e_vxlan_work, work); 145 - struct mlx5e_priv *priv = vxlan_work->priv; 124 + struct mlx5e_priv *priv = vxlan_work->priv; 125 + struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan; 146 126 u16 port = vxlan_work->port; 127 + struct mlx5e_vxlan *vxlan; 128 + bool remove = false; 147 129 148 - __mlx5e_vxlan_core_del_port(priv, port); 130 + mutex_lock(&priv->state_lock); 131 + spin_lock_bh(&vxlan_db->lock); 132 + vxlan = radix_tree_lookup(&vxlan_db->tree, port); 133 + if (!vxlan) 134 + goto out_unlock; 149 135 136 + if (atomic_dec_and_test(&vxlan->refcount)) { 137 + radix_tree_delete(&vxlan_db->tree, port); 138 + remove = true; 139 + } 140 + 141 + out_unlock: 142 + spin_unlock_bh(&vxlan_db->lock); 143 + 144 + if (remove) { 145 + mlx5e_vxlan_core_del_port_cmd(priv->mdev, port); 146 + kfree(vxlan); 147 + } 148 + mutex_unlock(&priv->state_lock); 150 149 kfree(vxlan_work); 151 150 } 152 151 ··· 180 171 struct mlx5e_vxlan *vxlan; 181 172 unsigned int port = 0; 182 173 183 - spin_lock_irq(&vxlan_db->lock); 174 + /* Lockless since we are the only radix-tree consumers, wq is disabled */ 184 175 while (radix_tree_gang_lookup(&vxlan_db->tree, (void **)&vxlan, port, 1)) { 185 176 port = vxlan->udp_port; 186 - spin_unlock_irq(&vxlan_db->lock); 187 - __mlx5e_vxlan_core_del_port(priv, (u16)port); 188 - spin_lock_irq(&vxlan_db->lock); 177 + radix_tree_delete(&vxlan_db->tree, port); 178 + mlx5e_vxlan_core_del_port_cmd(priv->mdev, port); 179 + kfree(vxlan); 189 180 } 190 - spin_unlock_irq(&vxlan_db->lock); 191 181 }

+1

drivers/net/ethernet/mellanox/mlx5/core/vxlan.h

··· 36 36 #include "en.h" 37 37 38 38 struct mlx5e_vxlan { 39 + atomic_t refcount; 39 40 u16 udp_port; 40 41 }; 41 42

+3 -12

drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c

··· 2436 2436 rhashtable_destroy(&mlxsw_sp->router->neigh_ht); 2437 2437 } 2438 2438 2439 - static int mlxsw_sp_neigh_rif_flush(struct mlxsw_sp *mlxsw_sp, 2440 - const struct mlxsw_sp_rif *rif) 2441 - { 2442 - char rauht_pl[MLXSW_REG_RAUHT_LEN]; 2443 - 2444 - mlxsw_reg_rauht_pack(rauht_pl, MLXSW_REG_RAUHT_OP_WRITE_DELETE_ALL, 2445 - rif->rif_index, rif->addr); 2446 - return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(rauht), rauht_pl); 2447 - } 2448 - 2449 2439 static void mlxsw_sp_neigh_rif_gone_sync(struct mlxsw_sp *mlxsw_sp, 2450 2440 struct mlxsw_sp_rif *rif) 2451 2441 { 2452 2442 struct mlxsw_sp_neigh_entry *neigh_entry, *tmp; 2453 2443 2454 - mlxsw_sp_neigh_rif_flush(mlxsw_sp, rif); 2455 2444 list_for_each_entry_safe(neigh_entry, tmp, &rif->neigh_list, 2456 - rif_list_node) 2445 + rif_list_node) { 2446 + mlxsw_sp_neigh_entry_update(mlxsw_sp, neigh_entry, false); 2457 2447 mlxsw_sp_neigh_entry_destroy(mlxsw_sp, neigh_entry); 2448 + } 2458 2449 } 2459 2450 2460 2451 enum mlxsw_sp_nexthop_type {

+44 -11

drivers/net/ethernet/netronome/nfp/bpf/main.c

··· 82 82 return nfp_net_ebpf_capable(nn) ? "BPF" : ""; 83 83 } 84 84 85 + static int 86 + nfp_bpf_vnic_alloc(struct nfp_app *app, struct nfp_net *nn, unsigned int id) 87 + { 88 + int err; 89 + 90 + nn->app_priv = kzalloc(sizeof(struct nfp_bpf_vnic), GFP_KERNEL); 91 + if (!nn->app_priv) 92 + return -ENOMEM; 93 + 94 + err = nfp_app_nic_vnic_alloc(app, nn, id); 95 + if (err) 96 + goto err_free_priv; 97 + 98 + return 0; 99 + err_free_priv: 100 + kfree(nn->app_priv); 101 + return err; 102 + } 103 + 85 104 static void nfp_bpf_vnic_free(struct nfp_app *app, struct nfp_net *nn) 86 105 { 106 + struct nfp_bpf_vnic *bv = nn->app_priv; 107 + 87 108 if (nn->dp.bpf_offload_xdp) 88 109 nfp_bpf_xdp_offload(app, nn, NULL); 110 + WARN_ON(bv->tc_prog); 111 + kfree(bv); 89 112 } 90 113 91 114 static int nfp_bpf_setup_tc_block_cb(enum tc_setup_type type, ··· 116 93 { 117 94 struct tc_cls_bpf_offload *cls_bpf = type_data; 118 95 struct nfp_net *nn = cb_priv; 96 + struct bpf_prog *oldprog; 97 + struct nfp_bpf_vnic *bv; 98 + int err; 119 99 120 100 if (type != TC_SETUP_CLSBPF || 121 101 !tc_can_offload(nn->dp.netdev) || ··· 126 100 cls_bpf->common.protocol != htons(ETH_P_ALL) || 127 101 cls_bpf->common.chain_index) 128 102 return -EOPNOTSUPP; 129 - if (nn->dp.bpf_offload_xdp) 130 - return -EBUSY; 131 103 132 104 /* Only support TC direct action */ 133 105 if (!cls_bpf->exts_integrated || ··· 134 110 return -EOPNOTSUPP; 135 111 } 136 112 137 - switch (cls_bpf->command) { 138 - case TC_CLSBPF_REPLACE: 139 - return nfp_net_bpf_offload(nn, cls_bpf->prog, true); 140 - case TC_CLSBPF_ADD: 141 - return nfp_net_bpf_offload(nn, cls_bpf->prog, false); 142 - case TC_CLSBPF_DESTROY: 143 - return nfp_net_bpf_offload(nn, NULL, true); 144 - default: 113 + if (cls_bpf->command != TC_CLSBPF_OFFLOAD) 145 114 return -EOPNOTSUPP; 115 + 116 + bv = nn->app_priv; 117 + oldprog = cls_bpf->oldprog; 118 + 119 + /* Don't remove if oldprog doesn't match driver's state */ 120 + if (bv->tc_prog != oldprog) { 121 + oldprog = NULL; 122 + if (!cls_bpf->prog) 123 + return 0; 146 124 } 125 + 126 + err = nfp_net_bpf_offload(nn, cls_bpf->prog, oldprog); 127 + if (err) 128 + return err; 129 + 130 + bv->tc_prog = cls_bpf->prog; 131 + return 0; 147 132 } 148 133 149 134 static int nfp_bpf_setup_tc_block(struct net_device *netdev, ··· 200 167 201 168 .extra_cap = nfp_bpf_extra_cap, 202 169 203 - .vnic_alloc = nfp_app_nic_vnic_alloc, 170 + .vnic_alloc = nfp_bpf_vnic_alloc, 204 171 .vnic_free = nfp_bpf_vnic_free, 205 172 206 173 .setup_tc = nfp_bpf_setup_tc,

+8

drivers/net/ethernet/netronome/nfp/bpf/main.h

··· 172 172 struct list_head insns; 173 173 }; 174 174 175 + /** 176 + * struct nfp_bpf_vnic - per-vNIC BPF priv structure 177 + * @tc_prog: currently loaded cls_bpf program 178 + */ 179 + struct nfp_bpf_vnic { 180 + struct bpf_prog *tc_prog; 181 + }; 182 + 175 183 int nfp_bpf_jit(struct nfp_prog *prog); 176 184 177 185 extern const struct bpf_ext_analyzer_ops nfp_bpf_analyzer_ops;

+3 -3

drivers/net/ethernet/qualcomm/emac/emac.c

··· 253 253 return ret; 254 254 } 255 255 256 - ret = emac_mac_up(adpt); 256 + ret = adpt->phy.open(adpt); 257 257 if (ret) { 258 258 emac_mac_rx_tx_rings_free_all(adpt); 259 259 free_irq(irq->irq, irq); 260 260 return ret; 261 261 } 262 262 263 - ret = adpt->phy.open(adpt); 263 + ret = emac_mac_up(adpt); 264 264 if (ret) { 265 - emac_mac_down(adpt); 266 265 emac_mac_rx_tx_rings_free_all(adpt); 267 266 free_irq(irq->irq, irq); 267 + adpt->phy.close(adpt); 268 268 return ret; 269 269 } 270 270

+1 -1

drivers/net/ethernet/stmicro/stmmac/common.h

··· 409 409 /* get timestamp value */ 410 410 u64(*get_timestamp) (void *desc, u32 ats); 411 411 /* get rx timestamp status */ 412 - int (*get_rx_timestamp_status) (void *desc, u32 ats); 412 + int (*get_rx_timestamp_status)(void *desc, void *next_desc, u32 ats); 413 413 /* Display ring */ 414 414 void (*display_ring)(void *head, unsigned int size, bool rx); 415 415 /* set MSS via context descriptor */

+3 -2

drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c

··· 258 258 return ret; 259 259 } 260 260 261 - static int dwmac4_wrback_get_rx_timestamp_status(void *desc, u32 ats) 261 + static int dwmac4_wrback_get_rx_timestamp_status(void *desc, void *next_desc, 262 + u32 ats) 262 263 { 263 264 struct dma_desc *p = (struct dma_desc *)desc; 264 265 int ret = -EINVAL; ··· 271 270 272 271 /* Check if timestamp is OK from context descriptor */ 273 272 do { 274 - ret = dwmac4_rx_check_timestamp(desc); 273 + ret = dwmac4_rx_check_timestamp(next_desc); 275 274 if (ret < 0) 276 275 goto exit; 277 276 i++;

+2 -1

drivers/net/ethernet/stmicro/stmmac/enh_desc.c

··· 400 400 return ns; 401 401 } 402 402 403 - static int enh_desc_get_rx_timestamp_status(void *desc, u32 ats) 403 + static int enh_desc_get_rx_timestamp_status(void *desc, void *next_desc, 404 + u32 ats) 404 405 { 405 406 if (ats) { 406 407 struct dma_extended_desc *p = (struct dma_extended_desc *)desc;

+1 -1

drivers/net/ethernet/stmicro/stmmac/norm_desc.c

··· 265 265 return ns; 266 266 } 267 267 268 - static int ndesc_get_rx_timestamp_status(void *desc, u32 ats) 268 + static int ndesc_get_rx_timestamp_status(void *desc, void *next_desc, u32 ats) 269 269 { 270 270 struct dma_desc *p = (struct dma_desc *)desc; 271 271

+4 -2

drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c

··· 34 34 { 35 35 u32 value = readl(ioaddr + PTP_TCR); 36 36 unsigned long data; 37 + u32 reg_value; 37 38 38 39 /* For GMAC3.x, 4.x versions, convert the ptp_clock to nano second 39 40 * formula = (1/ptp_clock) * 1000000000 ··· 51 50 52 51 data &= PTP_SSIR_SSINC_MASK; 53 52 53 + reg_value = data; 54 54 if (gmac4) 55 - data = data << GMAC4_PTP_SSIR_SSINC_SHIFT; 55 + reg_value <<= GMAC4_PTP_SSIR_SSINC_SHIFT; 56 56 57 - writel(data, ioaddr + PTP_SSIR); 57 + writel(reg_value, ioaddr + PTP_SSIR); 58 58 59 59 return data; 60 60 }

+1 -1

drivers/net/ethernet/stmicro/stmmac/stmmac_main.c

··· 482 482 desc = np; 483 483 484 484 /* Check if timestamp is available */ 485 - if (priv->hw->desc->get_rx_timestamp_status(desc, priv->adv_ts)) { 485 + if (priv->hw->desc->get_rx_timestamp_status(p, np, priv->adv_ts)) { 486 486 ns = priv->hw->desc->get_timestamp(desc, priv->adv_ts); 487 487 netdev_dbg(priv->dev, "get valid RX hw timestamp %llu\n", ns); 488 488 shhwtstamp = skb_hwtstamps(skb);

+13 -1

drivers/net/phy/marvell.c

··· 879 879 880 880 /* SGMII-to-Copper mode initialization */ 881 881 if (phydev->interface == PHY_INTERFACE_MODE_SGMII) { 882 + u32 pause; 883 + 882 884 /* Select page 18 */ 883 885 err = marvell_set_page(phydev, 18); 884 886 if (err < 0) ··· 904 902 err = marvell_set_page(phydev, MII_MARVELL_COPPER_PAGE); 905 903 if (err < 0) 906 904 return err; 905 + 906 + /* There appears to be a bug in the 88e1512 when used in 907 + * SGMII to copper mode, where the AN advertisment register 908 + * clears the pause bits each time a negotiation occurs. 909 + * This means we can never be truely sure what was advertised, 910 + * so disable Pause support. 911 + */ 912 + pause = SUPPORTED_Pause | SUPPORTED_Asym_Pause; 913 + phydev->supported &= ~pause; 914 + phydev->advertising &= ~pause; 907 915 } 908 916 909 917 return m88e1121_config_init(phydev); ··· 2085 2073 .flags = PHY_HAS_INTERRUPT, 2086 2074 .probe = marvell_probe, 2087 2075 .config_init = &m88e1145_config_init, 2088 - .config_aneg = &marvell_config_aneg, 2076 + .config_aneg = &m88e1101_config_aneg, 2089 2077 .read_status = &genphy_read_status, 2090 2078 .ack_interrupt = &marvell_ack_interrupt, 2091 2079 .config_intr = &marvell_config_intr,

+15 -6

drivers/net/phy/mdio-xgene.c

··· 194 194 } 195 195 196 196 ret = xgene_enet_ecc_init(pdata); 197 - if (ret) 197 + if (ret) { 198 + if (pdata->dev->of_node) 199 + clk_disable_unprepare(pdata->clk); 198 200 return ret; 201 + } 199 202 xgene_gmac_reset(pdata); 200 203 201 204 return 0; ··· 391 388 return ret; 392 389 393 390 mdio_bus = mdiobus_alloc(); 394 - if (!mdio_bus) 395 - return -ENOMEM; 391 + if (!mdio_bus) { 392 + ret = -ENOMEM; 393 + goto out_clk; 394 + } 396 395 397 396 mdio_bus->name = "APM X-Gene MDIO bus"; 398 397 ··· 423 418 mdio_bus->phy_mask = ~0; 424 419 ret = mdiobus_register(mdio_bus); 425 420 if (ret) 426 - goto out; 421 + goto out_mdiobus; 427 422 428 423 acpi_walk_namespace(ACPI_TYPE_DEVICE, ACPI_HANDLE(dev), 1, 429 424 acpi_register_phy, NULL, mdio_bus, NULL); ··· 431 426 } 432 427 433 428 if (ret) 434 - goto out; 429 + goto out_mdiobus; 435 430 436 431 pdata->mdio_bus = mdio_bus; 437 432 xgene_mdio_status = true; 438 433 439 434 return 0; 440 435 441 - out: 436 + out_mdiobus: 442 437 mdiobus_free(mdio_bus); 438 + 439 + out_clk: 440 + if (dev->of_node) 441 + clk_disable_unprepare(pdata->clk); 443 442 444 443 return ret; 445 444 }

+19

drivers/net/vxlan.c

··· 2155 2155 } 2156 2156 2157 2157 ndst = &rt->dst; 2158 + if (skb_dst(skb)) { 2159 + int mtu = dst_mtu(ndst) - VXLAN_HEADROOM; 2160 + 2161 + skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, 2162 + skb, mtu); 2163 + } 2164 + 2158 2165 tos = ip_tunnel_ecn_encap(tos, old_iph, skb); 2159 2166 ttl = ttl ? : ip4_dst_hoplimit(&rt->dst); 2160 2167 err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr), ··· 2195 2188 ndst, rt6i_flags); 2196 2189 if (err) 2197 2190 goto out_unlock; 2191 + } 2192 + 2193 + if (skb_dst(skb)) { 2194 + int mtu = dst_mtu(ndst) - VXLAN6_HEADROOM; 2195 + 2196 + skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, 2197 + skb, mtu); 2198 2198 } 2199 2199 2200 2200 tos = ip_tunnel_ecn_encap(tos, old_iph, skb); ··· 3117 3103 3118 3104 max_mtu = lowerdev->mtu - (use_ipv6 ? VXLAN6_HEADROOM : 3119 3105 VXLAN_HEADROOM); 3106 + if (max_mtu < ETH_MIN_MTU) 3107 + max_mtu = ETH_MIN_MTU; 3108 + 3109 + if (!changelink && !conf->mtu) 3110 + dev->mtu = max_mtu; 3120 3111 } 3121 3112 3122 3113 if (dev->mtu > max_mtu)

+2 -1

drivers/net/wireless/mac80211_hwsim.c

··· 684 684 hdr = skb_put(skb, sizeof(*hdr) - ETH_ALEN); 685 685 hdr->frame_control = cpu_to_le16(IEEE80211_FTYPE_DATA | 686 686 IEEE80211_STYPE_NULLFUNC | 687 + IEEE80211_FCTL_TODS | 687 688 (ps ? IEEE80211_FCTL_PM : 0)); 688 689 hdr->duration_id = cpu_to_le16(0); 689 690 memcpy(hdr->addr1, vp->bssid, ETH_ALEN); ··· 3216 3215 if (!net_eq(wiphy_net(data->hw->wiphy), genl_info_net(info))) 3217 3216 continue; 3218 3217 3219 - skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 3218 + skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 3220 3219 if (!skb) { 3221 3220 res = -ENOMEM; 3222 3221 goto out_err;

+8 -1

drivers/s390/net/qeth_core_main.c

··· 5386 5386 } 5387 5387 EXPORT_SYMBOL_GPL(qeth_poll); 5388 5388 5389 + static int qeth_setassparms_inspect_rc(struct qeth_ipa_cmd *cmd) 5390 + { 5391 + if (!cmd->hdr.return_code) 5392 + cmd->hdr.return_code = cmd->data.setassparms.hdr.return_code; 5393 + return cmd->hdr.return_code; 5394 + } 5395 + 5389 5396 int qeth_setassparms_cb(struct qeth_card *card, 5390 5397 struct qeth_reply *reply, unsigned long data) 5391 5398 { ··· 6249 6242 (struct qeth_checksum_cmd *)reply->param; 6250 6243 6251 6244 QETH_CARD_TEXT(card, 4, "chkdoccb"); 6252 - if (cmd->hdr.return_code) 6245 + if (qeth_setassparms_inspect_rc(cmd)) 6253 6246 return 0; 6254 6247 6255 6248 memset(chksum_cb, 0, sizeof(*chksum_cb));

+2 -2

include/linux/bpf_verifier.h

··· 15 15 * In practice this is far bigger than any realistic pointer offset; this limit 16 16 * ensures that umax_value + (int)off + (int)size cannot overflow a u64. 17 17 */ 18 - #define BPF_MAX_VAR_OFF (1ULL << 31) 18 + #define BPF_MAX_VAR_OFF (1 << 29) 19 19 /* Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO]. This ensures 20 20 * that converting umax_value to int cannot overflow. 21 21 */ 22 - #define BPF_MAX_VAR_SIZ INT_MAX 22 + #define BPF_MAX_VAR_SIZ (1 << 29) 23 23 24 24 /* Liveness marks, used for registers and spilled-regs (in stack slots). 25 25 * Read marks propagate upwards until they find a write mark; they record that

+2 -1

include/linux/ipv6.h

··· 273 273 * 100: prefer care-of address 274 274 */ 275 275 dontfrag:1, 276 - autoflowlabel:1; 276 + autoflowlabel:1, 277 + autoflowlabel_set:1; 277 278 __u8 min_hopcount; 278 279 __u8 tclass; 279 280 __be32 rcv_flowinfo;

+2 -1

include/linux/mlx5/driver.h

··· 556 556 }; 557 557 558 558 struct mlx5_irq_info { 559 + cpumask_var_t mask; 559 560 char name[MLX5_MAX_IRQ_NAME]; 560 561 }; 561 562 ··· 1049 1048 enum mlx5_eq_type type); 1050 1049 int mlx5_destroy_unmap_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq); 1051 1050 int mlx5_start_eqs(struct mlx5_core_dev *dev); 1052 - int mlx5_stop_eqs(struct mlx5_core_dev *dev); 1051 + void mlx5_stop_eqs(struct mlx5_core_dev *dev); 1053 1052 int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, 1054 1053 unsigned int *irqn); 1055 1054 int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);

+5 -3

include/linux/mlx5/mlx5_ifc.h

··· 147 147 MLX5_CMD_OP_ALLOC_Q_COUNTER = 0x771, 148 148 MLX5_CMD_OP_DEALLOC_Q_COUNTER = 0x772, 149 149 MLX5_CMD_OP_QUERY_Q_COUNTER = 0x773, 150 - MLX5_CMD_OP_SET_RATE_LIMIT = 0x780, 150 + MLX5_CMD_OP_SET_PP_RATE_LIMIT = 0x780, 151 151 MLX5_CMD_OP_QUERY_RATE_LIMIT = 0x781, 152 152 MLX5_CMD_OP_CREATE_SCHEDULING_ELEMENT = 0x782, 153 153 MLX5_CMD_OP_DESTROY_SCHEDULING_ELEMENT = 0x783, ··· 7239 7239 u8 vxlan_udp_port[0x10]; 7240 7240 }; 7241 7241 7242 - struct mlx5_ifc_set_rate_limit_out_bits { 7242 + struct mlx5_ifc_set_pp_rate_limit_out_bits { 7243 7243 u8 status[0x8]; 7244 7244 u8 reserved_at_8[0x18]; 7245 7245 ··· 7248 7248 u8 reserved_at_40[0x40]; 7249 7249 }; 7250 7250 7251 - struct mlx5_ifc_set_rate_limit_in_bits { 7251 + struct mlx5_ifc_set_pp_rate_limit_in_bits { 7252 7252 u8 opcode[0x10]; 7253 7253 u8 reserved_at_10[0x10]; 7254 7254 ··· 7261 7261 u8 reserved_at_60[0x20]; 7262 7262 7263 7263 u8 rate_limit[0x20]; 7264 + 7265 + u8 reserved_at_a0[0x160]; 7264 7266 }; 7265 7267 7266 7268 struct mlx5_ifc_access_register_out_bits {

-1

include/net/cfg80211.h

··· 3226 3226 * @WIPHY_FLAG_IBSS_RSN: The device supports IBSS RSN. 3227 3227 * @WIPHY_FLAG_MESH_AUTH: The device supports mesh authentication by routing 3228 3228 * auth frames to userspace. See @NL80211_MESH_SETUP_USERSPACE_AUTH. 3229 - * @WIPHY_FLAG_SUPPORTS_SCHED_SCAN: The device supports scheduled scans. 3230 3229 * @WIPHY_FLAG_SUPPORTS_FW_ROAM: The device supports roaming feature in the 3231 3230 * firmware. 3232 3231 * @WIPHY_FLAG_AP_UAPSD: The device supports uapsd on AP.

+2 -3

include/net/pkt_cls.h

··· 694 694 }; 695 695 696 696 enum tc_clsbpf_command { 697 - TC_CLSBPF_ADD, 698 - TC_CLSBPF_REPLACE, 699 - TC_CLSBPF_DESTROY, 697 + TC_CLSBPF_OFFLOAD, 700 698 TC_CLSBPF_STATS, 701 699 }; 702 700 ··· 703 705 enum tc_clsbpf_command command; 704 706 struct tcf_exts *exts; 705 707 struct bpf_prog *prog; 708 + struct bpf_prog *oldprog; 706 709 const char *name; 707 710 bool exts_integrated; 708 711 u32 gen_flags;

+166 -117

kernel/bpf/verifier.c

··· 1059 1059 break; 1060 1060 case PTR_TO_STACK: 1061 1061 pointer_desc = "stack "; 1062 + /* The stack spill tracking logic in check_stack_write() 1063 + * and check_stack_read() relies on stack accesses being 1064 + * aligned. 1065 + */ 1066 + strict = true; 1062 1067 break; 1063 1068 default: 1064 1069 break; 1065 1070 } 1066 1071 return check_generic_ptr_alignment(env, reg, pointer_desc, off, size, 1067 1072 strict); 1073 + } 1074 + 1075 + /* truncate register to smaller size (in bytes) 1076 + * must be called with size < BPF_REG_SIZE 1077 + */ 1078 + static void coerce_reg_to_size(struct bpf_reg_state *reg, int size) 1079 + { 1080 + u64 mask; 1081 + 1082 + /* clear high bits in bit representation */ 1083 + reg->var_off = tnum_cast(reg->var_off, size); 1084 + 1085 + /* fix arithmetic bounds */ 1086 + mask = ((u64)1 << (size * 8)) - 1; 1087 + if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) { 1088 + reg->umin_value &= mask; 1089 + reg->umax_value &= mask; 1090 + } else { 1091 + reg->umin_value = 0; 1092 + reg->umax_value = mask; 1093 + } 1094 + reg->smin_value = reg->umin_value; 1095 + reg->smax_value = reg->umax_value; 1068 1096 } 1069 1097 1070 1098 /* check whether memory at (regno + off) is accessible for t = (read | write) ··· 1228 1200 if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ && 1229 1201 regs[value_regno].type == SCALAR_VALUE) { 1230 1202 /* b/h/w load zero-extends, mark upper bits as known 0 */ 1231 - regs[value_regno].var_off = 1232 - tnum_cast(regs[value_regno].var_off, size); 1233 - __update_reg_bounds(&regs[value_regno]); 1203 + coerce_reg_to_size(&regs[value_regno], size); 1234 1204 } 1235 1205 return err; 1236 1206 } ··· 1308 1282 tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off); 1309 1283 verbose(env, "invalid variable stack read R%d var_off=%s\n", 1310 1284 regno, tn_buf); 1285 + return -EACCES; 1311 1286 } 1312 1287 off = regs[regno].off + regs[regno].var_off.value; 1313 1288 if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || ··· 1701 1674 return -EINVAL; 1702 1675 } 1703 1676 1677 + /* With LD_ABS/IND some JITs save/restore skb from r1. */ 1704 1678 changes_data = bpf_helper_changes_pkt_data(fn->func); 1679 + if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) { 1680 + verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n", 1681 + func_id_name(func_id), func_id); 1682 + return -EINVAL; 1683 + } 1705 1684 1706 1685 memset(&meta, 0, sizeof(meta)); 1707 1686 meta.pkt_access = fn->pkt_access; ··· 1799 1766 return 0; 1800 1767 } 1801 1768 1802 - static void coerce_reg_to_32(struct bpf_reg_state *reg) 1803 - { 1804 - /* clear high 32 bits */ 1805 - reg->var_off = tnum_cast(reg->var_off, 4); 1806 - /* Update bounds */ 1807 - __update_reg_bounds(reg); 1808 - } 1809 - 1810 1769 static bool signed_add_overflows(s64 a, s64 b) 1811 1770 { 1812 1771 /* Do the add in u64, where overflow is well-defined */ ··· 1817 1792 if (b < 0) 1818 1793 return res < a; 1819 1794 return res > a; 1795 + } 1796 + 1797 + static bool check_reg_sane_offset(struct bpf_verifier_env *env, 1798 + const struct bpf_reg_state *reg, 1799 + enum bpf_reg_type type) 1800 + { 1801 + bool known = tnum_is_const(reg->var_off); 1802 + s64 val = reg->var_off.value; 1803 + s64 smin = reg->smin_value; 1804 + 1805 + if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) { 1806 + verbose(env, "math between %s pointer and %lld is not allowed\n", 1807 + reg_type_str[type], val); 1808 + return false; 1809 + } 1810 + 1811 + if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) { 1812 + verbose(env, "%s pointer offset %d is not allowed\n", 1813 + reg_type_str[type], reg->off); 1814 + return false; 1815 + } 1816 + 1817 + if (smin == S64_MIN) { 1818 + verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n", 1819 + reg_type_str[type]); 1820 + return false; 1821 + } 1822 + 1823 + if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) { 1824 + verbose(env, "value %lld makes %s pointer be out of bounds\n", 1825 + smin, reg_type_str[type]); 1826 + return false; 1827 + } 1828 + 1829 + return true; 1820 1830 } 1821 1831 1822 1832 /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. ··· 1890 1830 1891 1831 if (BPF_CLASS(insn->code) != BPF_ALU64) { 1892 1832 /* 32-bit ALU ops on pointers produce (meaningless) scalars */ 1893 - if (!env->allow_ptr_leaks) 1894 - verbose(env, 1895 - "R%d 32-bit pointer arithmetic prohibited\n", 1896 - dst); 1833 + verbose(env, 1834 + "R%d 32-bit pointer arithmetic prohibited\n", 1835 + dst); 1897 1836 return -EACCES; 1898 1837 } 1899 1838 1900 1839 if (ptr_reg->type == PTR_TO_MAP_VALUE_OR_NULL) { 1901 - if (!env->allow_ptr_leaks) 1902 - verbose(env, "R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n", 1903 - dst); 1840 + verbose(env, "R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n", 1841 + dst); 1904 1842 return -EACCES; 1905 1843 } 1906 1844 if (ptr_reg->type == CONST_PTR_TO_MAP) { 1907 - if (!env->allow_ptr_leaks) 1908 - verbose(env, "R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n", 1909 - dst); 1845 + verbose(env, "R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n", 1846 + dst); 1910 1847 return -EACCES; 1911 1848 } 1912 1849 if (ptr_reg->type == PTR_TO_PACKET_END) { 1913 - if (!env->allow_ptr_leaks) 1914 - verbose(env, "R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n", 1915 - dst); 1850 + verbose(env, "R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n", 1851 + dst); 1916 1852 return -EACCES; 1917 1853 } 1918 1854 ··· 1917 1861 */ 1918 1862 dst_reg->type = ptr_reg->type; 1919 1863 dst_reg->id = ptr_reg->id; 1864 + 1865 + if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) || 1866 + !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) 1867 + return -EINVAL; 1920 1868 1921 1869 switch (opcode) { 1922 1870 case BPF_ADD: ··· 1975 1915 case BPF_SUB: 1976 1916 if (dst_reg == off_reg) { 1977 1917 /* scalar -= pointer. Creates an unknown scalar */ 1978 - if (!env->allow_ptr_leaks) 1979 - verbose(env, "R%d tried to subtract pointer from scalar\n", 1980 - dst); 1918 + verbose(env, "R%d tried to subtract pointer from scalar\n", 1919 + dst); 1981 1920 return -EACCES; 1982 1921 } 1983 1922 /* We don't allow subtraction from FP, because (according to ··· 1984 1925 * be able to deal with it. 1985 1926 */ 1986 1927 if (ptr_reg->type == PTR_TO_STACK) { 1987 - if (!env->allow_ptr_leaks) 1988 - verbose(env, "R%d subtraction from stack pointer prohibited\n", 1989 - dst); 1928 + verbose(env, "R%d subtraction from stack pointer prohibited\n", 1929 + dst); 1990 1930 return -EACCES; 1991 1931 } 1992 1932 if (known && (ptr_reg->off - smin_val == ··· 2034 1976 case BPF_AND: 2035 1977 case BPF_OR: 2036 1978 case BPF_XOR: 2037 - /* bitwise ops on pointers are troublesome, prohibit for now. 2038 - * (However, in principle we could allow some cases, e.g. 2039 - * ptr &= ~3 which would reduce min_value by 3.) 2040 - */ 2041 - if (!env->allow_ptr_leaks) 2042 - verbose(env, "R%d bitwise operator %s on pointer prohibited\n", 2043 - dst, bpf_alu_string[opcode >> 4]); 1979 + /* bitwise ops on pointers are troublesome, prohibit. */ 1980 + verbose(env, "R%d bitwise operator %s on pointer prohibited\n", 1981 + dst, bpf_alu_string[opcode >> 4]); 2044 1982 return -EACCES; 2045 1983 default: 2046 1984 /* other operators (e.g. MUL,LSH) produce non-pointer results */ 2047 - if (!env->allow_ptr_leaks) 2048 - verbose(env, "R%d pointer arithmetic with %s operator prohibited\n", 2049 - dst, bpf_alu_string[opcode >> 4]); 1985 + verbose(env, "R%d pointer arithmetic with %s operator prohibited\n", 1986 + dst, bpf_alu_string[opcode >> 4]); 2050 1987 return -EACCES; 2051 1988 } 1989 + 1990 + if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type)) 1991 + return -EINVAL; 2052 1992 2053 1993 __update_reg_bounds(dst_reg); 2054 1994 __reg_deduce_bounds(dst_reg); ··· 2054 1998 return 0; 2055 1999 } 2056 2000 2001 + /* WARNING: This function does calculations on 64-bit values, but the actual 2002 + * execution may occur on 32-bit values. Therefore, things like bitshifts 2003 + * need extra checks in the 32-bit case. 2004 + */ 2057 2005 static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, 2058 2006 struct bpf_insn *insn, 2059 2007 struct bpf_reg_state *dst_reg, ··· 2068 2008 bool src_known, dst_known; 2069 2009 s64 smin_val, smax_val; 2070 2010 u64 umin_val, umax_val; 2011 + u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; 2071 2012 2072 - if (BPF_CLASS(insn->code) != BPF_ALU64) { 2073 - /* 32-bit ALU ops are (32,32)->64 */ 2074 - coerce_reg_to_32(dst_reg); 2075 - coerce_reg_to_32(&src_reg); 2076 - } 2077 2013 smin_val = src_reg.smin_value; 2078 2014 smax_val = src_reg.smax_value; 2079 2015 umin_val = src_reg.umin_value; 2080 2016 umax_val = src_reg.umax_value; 2081 2017 src_known = tnum_is_const(src_reg.var_off); 2082 2018 dst_known = tnum_is_const(dst_reg->var_off); 2019 + 2020 + if (!src_known && 2021 + opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) { 2022 + __mark_reg_unknown(dst_reg); 2023 + return 0; 2024 + } 2083 2025 2084 2026 switch (opcode) { 2085 2027 case BPF_ADD: ··· 2211 2149 __update_reg_bounds(dst_reg); 2212 2150 break; 2213 2151 case BPF_LSH: 2214 - if (umax_val > 63) { 2215 - /* Shifts greater than 63 are undefined. This includes 2216 - * shifts by a negative number. 2152 + if (umax_val >= insn_bitness) { 2153 + /* Shifts greater than 31 or 63 are undefined. 2154 + * This includes shifts by a negative number. 2217 2155 */ 2218 2156 mark_reg_unknown(env, regs, insn->dst_reg); 2219 2157 break; ··· 2239 2177 __update_reg_bounds(dst_reg); 2240 2178 break; 2241 2179 case BPF_RSH: 2242 - if (umax_val > 63) { 2243 - /* Shifts greater than 63 are undefined. This includes 2244 - * shifts by a negative number. 2180 + if (umax_val >= insn_bitness) { 2181 + /* Shifts greater than 31 or 63 are undefined. 2182 + * This includes shifts by a negative number. 2245 2183 */ 2246 2184 mark_reg_unknown(env, regs, insn->dst_reg); 2247 2185 break; 2248 2186 } 2249 - /* BPF_RSH is an unsigned shift, so make the appropriate casts */ 2250 - if (dst_reg->smin_value < 0) { 2251 - if (umin_val) { 2252 - /* Sign bit will be cleared */ 2253 - dst_reg->smin_value = 0; 2254 - } else { 2255 - /* Lost sign bit information */ 2256 - dst_reg->smin_value = S64_MIN; 2257 - dst_reg->smax_value = S64_MAX; 2258 - } 2259 - } else { 2260 - dst_reg->smin_value = 2261 - (u64)(dst_reg->smin_value) >> umax_val; 2262 - } 2187 + /* BPF_RSH is an unsigned shift. If the value in dst_reg might 2188 + * be negative, then either: 2189 + * 1) src_reg might be zero, so the sign bit of the result is 2190 + * unknown, so we lose our signed bounds 2191 + * 2) it's known negative, thus the unsigned bounds capture the 2192 + * signed bounds 2193 + * 3) the signed bounds cross zero, so they tell us nothing 2194 + * about the result 2195 + * If the value in dst_reg is known nonnegative, then again the 2196 + * unsigned bounts capture the signed bounds. 2197 + * Thus, in all cases it suffices to blow away our signed bounds 2198 + * and rely on inferring new ones from the unsigned bounds and 2199 + * var_off of the result. 2200 + */ 2201 + dst_reg->smin_value = S64_MIN; 2202 + dst_reg->smax_value = S64_MAX; 2263 2203 if (src_known) 2264 2204 dst_reg->var_off = tnum_rshift(dst_reg->var_off, 2265 2205 umin_val); ··· 2275 2211 default: 2276 2212 mark_reg_unknown(env, regs, insn->dst_reg); 2277 2213 break; 2214 + } 2215 + 2216 + if (BPF_CLASS(insn->code) != BPF_ALU64) { 2217 + /* 32-bit ALU ops are (32,32)->32 */ 2218 + coerce_reg_to_size(dst_reg, 4); 2219 + coerce_reg_to_size(&src_reg, 4); 2278 2220 } 2279 2221 2280 2222 __reg_deduce_bounds(dst_reg); ··· 2297 2227 struct bpf_reg_state *regs = cur_regs(env), *dst_reg, *src_reg; 2298 2228 struct bpf_reg_state *ptr_reg = NULL, off_reg = {0}; 2299 2229 u8 opcode = BPF_OP(insn->code); 2300 - int rc; 2301 2230 2302 2231 dst_reg = &regs[insn->dst_reg]; 2303 2232 src_reg = NULL; ··· 2307 2238 if (src_reg->type != SCALAR_VALUE) { 2308 2239 if (dst_reg->type != SCALAR_VALUE) { 2309 2240 /* Combining two pointers by any ALU op yields 2310 - * an arbitrary scalar. 2241 + * an arbitrary scalar. Disallow all math except 2242 + * pointer subtraction 2311 2243 */ 2312 - if (!env->allow_ptr_leaks) { 2313 - verbose(env, "R%d pointer %s pointer prohibited\n", 2314 - insn->dst_reg, 2315 - bpf_alu_string[opcode >> 4]); 2316 - return -EACCES; 2244 + if (opcode == BPF_SUB){ 2245 + mark_reg_unknown(env, regs, insn->dst_reg); 2246 + return 0; 2317 2247 } 2318 - mark_reg_unknown(env, regs, insn->dst_reg); 2319 - return 0; 2248 + verbose(env, "R%d pointer %s pointer prohibited\n", 2249 + insn->dst_reg, 2250 + bpf_alu_string[opcode >> 4]); 2251 + return -EACCES; 2320 2252 } else { 2321 2253 /* scalar += pointer 2322 2254 * This is legal, but we have to reverse our 2323 2255 * src/dest handling in computing the range 2324 2256 */ 2325 - rc = adjust_ptr_min_max_vals(env, insn, 2326 - src_reg, dst_reg); 2327 - if (rc == -EACCES && env->allow_ptr_leaks) { 2328 - /* scalar += unknown scalar */ 2329 - __mark_reg_unknown(&off_reg); 2330 - return adjust_scalar_min_max_vals( 2331 - env, insn, 2332 - dst_reg, off_reg); 2333 - } 2334 - return rc; 2257 + return adjust_ptr_min_max_vals(env, insn, 2258 + src_reg, dst_reg); 2335 2259 } 2336 2260 } else if (ptr_reg) { 2337 2261 /* pointer += scalar */ 2338 - rc = adjust_ptr_min_max_vals(env, insn, 2339 - dst_reg, src_reg); 2340 - if (rc == -EACCES && env->allow_ptr_leaks) { 2341 - /* unknown scalar += scalar */ 2342 - __mark_reg_unknown(dst_reg); 2343 - return adjust_scalar_min_max_vals( 2344 - env, insn, dst_reg, *src_reg); 2345 - } 2346 - return rc; 2262 + return adjust_ptr_min_max_vals(env, insn, 2263 + dst_reg, src_reg); 2347 2264 } 2348 2265 } else { 2349 2266 /* Pretend the src is a reg with a known value, since we only ··· 2338 2283 off_reg.type = SCALAR_VALUE; 2339 2284 __mark_reg_known(&off_reg, insn->imm); 2340 2285 src_reg = &off_reg; 2341 - if (ptr_reg) { /* pointer += K */ 2342 - rc = adjust_ptr_min_max_vals(env, insn, 2343 - ptr_reg, src_reg); 2344 - if (rc == -EACCES && env->allow_ptr_leaks) { 2345 - /* unknown scalar += K */ 2346 - __mark_reg_unknown(dst_reg); 2347 - return adjust_scalar_min_max_vals( 2348 - env, insn, dst_reg, off_reg); 2349 - } 2350 - return rc; 2351 - } 2286 + if (ptr_reg) /* pointer += K */ 2287 + return adjust_ptr_min_max_vals(env, insn, 2288 + ptr_reg, src_reg); 2352 2289 } 2353 2290 2354 2291 /* Got here implies adding two SCALAR_VALUEs */ ··· 2437 2390 return -EACCES; 2438 2391 } 2439 2392 mark_reg_unknown(env, regs, insn->dst_reg); 2440 - /* high 32 bits are known zero. */ 2441 - regs[insn->dst_reg].var_off = tnum_cast( 2442 - regs[insn->dst_reg].var_off, 4); 2443 - __update_reg_bounds(&regs[insn->dst_reg]); 2393 + coerce_reg_to_size(&regs[insn->dst_reg], 4); 2444 2394 } 2445 2395 } else { 2446 2396 /* case: R = imm 2447 2397 * remember the value we stored into this reg 2448 2398 */ 2449 2399 regs[insn->dst_reg].type = SCALAR_VALUE; 2450 - __mark_reg_known(regs + insn->dst_reg, insn->imm); 2400 + if (BPF_CLASS(insn->code) == BPF_ALU64) { 2401 + __mark_reg_known(regs + insn->dst_reg, 2402 + insn->imm); 2403 + } else { 2404 + __mark_reg_known(regs + insn->dst_reg, 2405 + (u32)insn->imm); 2406 + } 2451 2407 } 2452 2408 2453 2409 } else if (opcode > BPF_END) { ··· 3481 3431 return range_within(rold, rcur) && 3482 3432 tnum_in(rold->var_off, rcur->var_off); 3483 3433 } else { 3484 - /* if we knew anything about the old value, we're not 3485 - * equal, because we can't know anything about the 3486 - * scalar value of the pointer in the new value. 3434 + /* We're trying to use a pointer in place of a scalar. 3435 + * Even if the scalar was unbounded, this could lead to 3436 + * pointer leaks because scalars are allowed to leak 3437 + * while pointers are not. We could make this safe in 3438 + * special cases if root is calling us, but it's 3439 + * probably not worth the hassle. 3487 3440 */ 3488 - return rold->umin_value == 0 && 3489 - rold->umax_value == U64_MAX && 3490 - rold->smin_value == S64_MIN && 3491 - rold->smax_value == S64_MAX && 3492 - tnum_is_unknown(rold->var_off); 3441 + return false; 3493 3442 } 3494 3443 case PTR_TO_MAP_VALUE: 3495 3444 /* If the new min/max/var_off satisfy the old ones and

+43

lib/test_bpf.c

··· 435 435 return 0; 436 436 } 437 437 438 + static int bpf_fill_ld_abs_vlan_push_pop2(struct bpf_test *self) 439 + { 440 + struct bpf_insn *insn; 441 + 442 + insn = kmalloc_array(16, sizeof(*insn), GFP_KERNEL); 443 + if (!insn) 444 + return -ENOMEM; 445 + 446 + /* Due to func address being non-const, we need to 447 + * assemble this here. 448 + */ 449 + insn[0] = BPF_MOV64_REG(R6, R1); 450 + insn[1] = BPF_LD_ABS(BPF_B, 0); 451 + insn[2] = BPF_LD_ABS(BPF_H, 0); 452 + insn[3] = BPF_LD_ABS(BPF_W, 0); 453 + insn[4] = BPF_MOV64_REG(R7, R6); 454 + insn[5] = BPF_MOV64_IMM(R6, 0); 455 + insn[6] = BPF_MOV64_REG(R1, R7); 456 + insn[7] = BPF_MOV64_IMM(R2, 1); 457 + insn[8] = BPF_MOV64_IMM(R3, 2); 458 + insn[9] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 459 + bpf_skb_vlan_push_proto.func - __bpf_call_base); 460 + insn[10] = BPF_MOV64_REG(R6, R7); 461 + insn[11] = BPF_LD_ABS(BPF_B, 0); 462 + insn[12] = BPF_LD_ABS(BPF_H, 0); 463 + insn[13] = BPF_LD_ABS(BPF_W, 0); 464 + insn[14] = BPF_MOV64_IMM(R0, 42); 465 + insn[15] = BPF_EXIT_INSN(); 466 + 467 + self->u.ptr.insns = insn; 468 + self->u.ptr.len = 16; 469 + 470 + return 0; 471 + } 472 + 438 473 static int bpf_fill_jump_around_ld_abs(struct bpf_test *self) 439 474 { 440 475 unsigned int len = BPF_MAXINSNS; ··· 6100 6065 CLASSIC | FLAG_NO_DATA, 6101 6066 {}, 6102 6067 { {0x1, 0x42 } }, 6068 + }, 6069 + { 6070 + "LD_ABS with helper changing skb data", 6071 + { }, 6072 + INTERNAL, 6073 + { 0x34 }, 6074 + { { ETH_HLEN, 42 } }, 6075 + .fill_helper = bpf_fill_ld_abs_vlan_push_pop2, 6103 6076 }, 6104 6077 }; 6105 6078

+6 -5

net/bridge/br_netlink.c

··· 1262 1262 struct net_bridge *br = netdev_priv(dev); 1263 1263 int err; 1264 1264 1265 + err = register_netdevice(dev); 1266 + if (err) 1267 + return err; 1268 + 1265 1269 if (tb[IFLA_ADDRESS]) { 1266 1270 spin_lock_bh(&br->lock); 1267 1271 br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS])); 1268 1272 spin_unlock_bh(&br->lock); 1269 1273 } 1270 1274 1271 - err = register_netdevice(dev); 1272 - if (err) 1273 - return err; 1274 - 1275 1275 err = br_changelink(dev, tb, data, extack); 1276 1276 if (err) 1277 - unregister_netdevice(dev); 1277 + br_dev_delete(dev, NULL); 1278 + 1278 1279 return err; 1279 1280 } 1280 1281

+1 -1

net/core/dev.c

··· 3904 3904 hroom > 0 ? ALIGN(hroom, NET_SKB_PAD) : 0, 3905 3905 troom > 0 ? troom + 128 : 0, GFP_ATOMIC)) 3906 3906 goto do_drop; 3907 - if (troom > 0 && __skb_linearize(skb)) 3907 + if (skb_linearize(skb)) 3908 3908 goto do_drop; 3909 3909 } 3910 3910

+1 -1

net/core/net_namespace.c

··· 267 267 spin_lock_bh(&net->nsid_lock); 268 268 peer = idr_find(&net->netns_ids, id); 269 269 if (peer) 270 - get_net(peer); 270 + peer = maybe_get_net(peer); 271 271 spin_unlock_bh(&net->nsid_lock); 272 272 rcu_read_unlock(); 273 273

+4 -3

net/core/skbuff.c

··· 1178 1178 u32 d_off; 1179 1179 1180 1180 if (!num_frags) 1181 - return 0; 1181 + goto release; 1182 1182 1183 1183 if (skb_shared(skb) || skb_unclone(skb, gfp_mask)) 1184 1184 return -EINVAL; ··· 1238 1238 __skb_fill_page_desc(skb, new_frags - 1, head, 0, d_off); 1239 1239 skb_shinfo(skb)->nr_frags = new_frags; 1240 1240 1241 + release: 1241 1242 skb_zcopy_clear(skb, false); 1242 1243 return 0; 1243 1244 } ··· 3655 3654 3656 3655 skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags & 3657 3656 SKBTX_SHARED_FRAG; 3658 - if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC)) 3659 - goto err; 3660 3657 3661 3658 while (pos < offset + len) { 3662 3659 if (i >= nfrags) { ··· 3679 3680 } 3680 3681 3681 3682 if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC))) 3683 + goto err; 3684 + if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC)) 3682 3685 goto err; 3683 3686 3684 3687 *nskb_frag = *frag;

+7 -2

net/ipv4/fib_frontend.c

··· 1298 1298 1299 1299 static void ip_fib_net_exit(struct net *net) 1300 1300 { 1301 - unsigned int i; 1301 + int i; 1302 1302 1303 1303 rtnl_lock(); 1304 1304 #ifdef CONFIG_IP_MULTIPLE_TABLES 1305 1305 RCU_INIT_POINTER(net->ipv4.fib_main, NULL); 1306 1306 RCU_INIT_POINTER(net->ipv4.fib_default, NULL); 1307 1307 #endif 1308 - for (i = 0; i < FIB_TABLE_HASHSZ; i++) { 1308 + /* Destroy the tables in reverse order to guarantee that the 1309 + * local table, ID 255, is destroyed before the main table, ID 1310 + * 254. This is necessary as the local table may contain 1311 + * references to data contained in the main table. 1312 + */ 1313 + for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) { 1309 1314 struct hlist_head *head = &net->ipv4.fib_table_hash[i]; 1310 1315 struct hlist_node *tmp; 1311 1316 struct fib_table *tb;

+6 -2

net/ipv4/fib_semantics.c

··· 698 698 699 699 nla_for_each_attr(nla, cfg->fc_mx, cfg->fc_mx_len, remaining) { 700 700 int type = nla_type(nla); 701 - u32 val; 701 + u32 fi_val, val; 702 702 703 703 if (!type) 704 704 continue; ··· 715 715 val = nla_get_u32(nla); 716 716 } 717 717 718 - if (fi->fib_metrics->metrics[type - 1] != val) 718 + fi_val = fi->fib_metrics->metrics[type - 1]; 719 + if (type == RTAX_FEATURES) 720 + fi_val &= ~DST_FEATURE_ECN_CA; 721 + 722 + if (fi_val != val) 719 723 return false; 720 724 } 721 725

+1

net/ipv4/ip_gre.c

··· 1310 1310 static void ipgre_tap_setup(struct net_device *dev) 1311 1311 { 1312 1312 ether_setup(dev); 1313 + dev->max_mtu = 0; 1313 1314 dev->netdev_ops = &gre_tap_netdev_ops; 1314 1315 dev->priv_flags &= ~IFF_TX_SKB_SHARING; 1315 1316 dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;

-1

net/ipv6/af_inet6.c

··· 210 210 np->mcast_hops = IPV6_DEFAULT_MCASTHOPS; 211 211 np->mc_loop = 1; 212 212 np->pmtudisc = IPV6_PMTUDISC_WANT; 213 - np->autoflowlabel = ip6_default_np_autolabel(net); 214 213 np->repflow = net->ipv6.sysctl.flowlabel_reflect; 215 214 sk->sk_ipv6only = net->ipv6.sysctl.bindv6only; 216 215

+1

net/ipv6/ip6_gre.c

··· 1308 1308 1309 1309 ether_setup(dev); 1310 1310 1311 + dev->max_mtu = 0; 1311 1312 dev->netdev_ops = &ip6gre_tap_netdev_ops; 1312 1313 dev->needs_free_netdev = true; 1313 1314 dev->priv_destructor = ip6gre_dev_free;

+10 -2

net/ipv6/ip6_output.c

··· 166 166 !(IP6CB(skb)->flags & IP6SKB_REROUTED)); 167 167 } 168 168 169 + static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np) 170 + { 171 + if (!np->autoflowlabel_set) 172 + return ip6_default_np_autolabel(net); 173 + else 174 + return np->autoflowlabel; 175 + } 176 + 169 177 /* 170 178 * xmit an sk_buff (used by TCP, SCTP and DCCP) 171 179 * Note : socket lock is not held for SYNACK packets, but might be modified ··· 238 230 hlimit = ip6_dst_hoplimit(dst); 239 231 240 232 ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel, 241 - np->autoflowlabel, fl6)); 233 + ip6_autoflowlabel(net, np), fl6)); 242 234 243 235 hdr->payload_len = htons(seg_len); 244 236 hdr->nexthdr = proto; ··· 1634 1626 1635 1627 ip6_flow_hdr(hdr, v6_cork->tclass, 1636 1628 ip6_make_flowlabel(net, skb, fl6->flowlabel, 1637 - np->autoflowlabel, fl6)); 1629 + ip6_autoflowlabel(net, np), fl6)); 1638 1630 hdr->hop_limit = v6_cork->hop_limit; 1639 1631 hdr->nexthdr = proto; 1640 1632 hdr->saddr = fl6->saddr;

+7 -2

net/ipv6/ip6_tunnel.c

··· 1123 1123 max_headroom += 8; 1124 1124 mtu -= 8; 1125 1125 } 1126 - if (mtu < IPV6_MIN_MTU) 1127 - mtu = IPV6_MIN_MTU; 1126 + if (skb->protocol == htons(ETH_P_IPV6)) { 1127 + if (mtu < IPV6_MIN_MTU) 1128 + mtu = IPV6_MIN_MTU; 1129 + } else if (mtu < 576) { 1130 + mtu = 576; 1131 + } 1132 + 1128 1133 if (skb_dst(skb) && !t->parms.collect_md) 1129 1134 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); 1130 1135 if (skb->len - t->tun_hlen - eth_hlen > mtu && !skb_is_gso(skb)) {

+1

net/ipv6/ipv6_sockglue.c

··· 886 886 break; 887 887 case IPV6_AUTOFLOWLABEL: 888 888 np->autoflowlabel = valbool; 889 + np->autoflowlabel_set = 1; 889 890 retv = 0; 890 891 break; 891 892 case IPV6_RECVFRAGSIZE:

+12 -8

net/ipv6/route.c

··· 2336 2336 } 2337 2337 2338 2338 rt->dst.flags |= DST_HOST; 2339 + rt->dst.input = ip6_input; 2339 2340 rt->dst.output = ip6_output; 2340 2341 rt->rt6i_gateway = fl6->daddr; 2341 2342 rt->rt6i_dst.addr = fl6->daddr; ··· 4298 4297 if (!ipv6_addr_any(&fl6.saddr)) 4299 4298 flags |= RT6_LOOKUP_F_HAS_SADDR; 4300 4299 4301 - if (!fibmatch) 4302 - dst = ip6_route_input_lookup(net, dev, &fl6, flags); 4303 - else 4304 - dst = ip6_route_lookup(net, &fl6, 0); 4300 + dst = ip6_route_input_lookup(net, dev, &fl6, flags); 4305 4301 4306 4302 rcu_read_unlock(); 4307 4303 } else { 4308 4304 fl6.flowi6_oif = oif; 4309 4305 4310 - if (!fibmatch) 4311 - dst = ip6_route_output(net, NULL, &fl6); 4312 - else 4313 - dst = ip6_route_lookup(net, &fl6, 0); 4306 + dst = ip6_route_output(net, NULL, &fl6); 4314 4307 } 4315 4308 4316 4309 ··· 4319 4324 err = rt->dst.error; 4320 4325 ip6_rt_put(rt); 4321 4326 goto errout; 4327 + } 4328 + 4329 + if (fibmatch && rt->dst.from) { 4330 + struct rt6_info *ort = container_of(rt->dst.from, 4331 + struct rt6_info, dst); 4332 + 4333 + dst_hold(&ort->dst); 4334 + ip6_rt_put(rt); 4335 + rt = ort; 4322 4336 } 4323 4337 4324 4338 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);

+12 -3

net/openvswitch/flow.c

··· 579 579 return -EINVAL; 580 580 581 581 skb_reset_network_header(skb); 582 + key->eth.type = skb->protocol; 582 583 } else { 583 584 eth = eth_hdr(skb); 584 585 ether_addr_copy(key->eth.src, eth->h_source); ··· 593 592 if (unlikely(parse_vlan(skb, key))) 594 593 return -ENOMEM; 595 594 596 - skb->protocol = parse_ethertype(skb); 597 - if (unlikely(skb->protocol == htons(0))) 595 + key->eth.type = parse_ethertype(skb); 596 + if (unlikely(key->eth.type == htons(0))) 598 597 return -ENOMEM; 598 + 599 + /* Multiple tagged packets need to retain TPID to satisfy 600 + * skb_vlan_pop(), which will later shift the ethertype into 601 + * skb->protocol. 602 + */ 603 + if (key->eth.cvlan.tci & htons(VLAN_TAG_PRESENT)) 604 + skb->protocol = key->eth.cvlan.tpid; 605 + else 606 + skb->protocol = key->eth.type; 599 607 600 608 skb_reset_network_header(skb); 601 609 __skb_push(skb, skb->data - skb_mac_header(skb)); 602 610 } 603 611 skb_reset_mac_len(skb); 604 - key->eth.type = skb->protocol; 605 612 606 613 /* Network layer. */ 607 614 if (key->eth.type == htons(ETH_P_IP)) {

+38 -55

net/sched/cls_bpf.c

··· 42 42 struct list_head link; 43 43 struct tcf_result res; 44 44 bool exts_integrated; 45 - bool offloaded; 46 45 u32 gen_flags; 47 46 struct tcf_exts exts; 48 47 u32 handle; ··· 147 148 } 148 149 149 150 static int cls_bpf_offload_cmd(struct tcf_proto *tp, struct cls_bpf_prog *prog, 150 - enum tc_clsbpf_command cmd) 151 + struct cls_bpf_prog *oldprog) 151 152 { 152 - bool addorrep = cmd == TC_CLSBPF_ADD || cmd == TC_CLSBPF_REPLACE; 153 153 struct tcf_block *block = tp->chain->block; 154 - bool skip_sw = tc_skip_sw(prog->gen_flags); 155 154 struct tc_cls_bpf_offload cls_bpf = {}; 155 + struct cls_bpf_prog *obj; 156 + bool skip_sw; 156 157 int err; 157 158 159 + skip_sw = prog && tc_skip_sw(prog->gen_flags); 160 + obj = prog ?: oldprog; 161 + 158 162 tc_cls_common_offload_init(&cls_bpf.common, tp); 159 - cls_bpf.command = cmd; 160 - cls_bpf.exts = &prog->exts; 161 - cls_bpf.prog = prog->filter; 162 - cls_bpf.name = prog->bpf_name; 163 - cls_bpf.exts_integrated = prog->exts_integrated; 164 - cls_bpf.gen_flags = prog->gen_flags; 163 + cls_bpf.command = TC_CLSBPF_OFFLOAD; 164 + cls_bpf.exts = &obj->exts; 165 + cls_bpf.prog = prog ? prog->filter : NULL; 166 + cls_bpf.oldprog = oldprog ? oldprog->filter : NULL; 167 + cls_bpf.name = obj->bpf_name; 168 + cls_bpf.exts_integrated = obj->exts_integrated; 169 + cls_bpf.gen_flags = obj->gen_flags; 165 170 166 171 err = tc_setup_cb_call(block, NULL, TC_SETUP_CLSBPF, &cls_bpf, skip_sw); 167 - if (addorrep) { 172 + if (prog) { 168 173 if (err < 0) { 169 - cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_DESTROY); 174 + cls_bpf_offload_cmd(tp, oldprog, prog); 170 175 return err; 171 176 } else if (err > 0) { 172 177 prog->gen_flags |= TCA_CLS_FLAGS_IN_HW; 173 178 } 174 179 } 175 180 176 - if (addorrep && skip_sw && !(prog->gen_flags & TCA_CLS_FLAGS_IN_HW)) 181 + if (prog && skip_sw && !(prog->gen_flags & TCA_CLS_FLAGS_IN_HW)) 177 182 return -EINVAL; 178 183 179 184 return 0; ··· 186 183 static int cls_bpf_offload(struct tcf_proto *tp, struct cls_bpf_prog *prog, 187 184 struct cls_bpf_prog *oldprog) 188 185 { 189 - struct cls_bpf_prog *obj = prog; 190 - enum tc_clsbpf_command cmd; 191 - bool skip_sw; 192 - int ret; 186 + if (prog && oldprog && prog->gen_flags != oldprog->gen_flags) 187 + return -EINVAL; 193 188 194 - skip_sw = tc_skip_sw(prog->gen_flags) || 195 - (oldprog && tc_skip_sw(oldprog->gen_flags)); 189 + if (prog && tc_skip_hw(prog->gen_flags)) 190 + prog = NULL; 191 + if (oldprog && tc_skip_hw(oldprog->gen_flags)) 192 + oldprog = NULL; 193 + if (!prog && !oldprog) 194 + return 0; 196 195 197 - if (oldprog && oldprog->offloaded) { 198 - if (!tc_skip_hw(prog->gen_flags)) { 199 - cmd = TC_CLSBPF_REPLACE; 200 - } else if (!tc_skip_sw(prog->gen_flags)) { 201 - obj = oldprog; 202 - cmd = TC_CLSBPF_DESTROY; 203 - } else { 204 - return -EINVAL; 205 - } 206 - } else { 207 - if (tc_skip_hw(prog->gen_flags)) 208 - return skip_sw ? -EINVAL : 0; 209 - cmd = TC_CLSBPF_ADD; 210 - } 211 - 212 - ret = cls_bpf_offload_cmd(tp, obj, cmd); 213 - if (ret) 214 - return ret; 215 - 216 - obj->offloaded = true; 217 - if (oldprog) 218 - oldprog->offloaded = false; 219 - 220 - return 0; 196 + return cls_bpf_offload_cmd(tp, prog, oldprog); 221 197 } 222 198 223 199 static void cls_bpf_stop_offload(struct tcf_proto *tp, ··· 204 222 { 205 223 int err; 206 224 207 - if (!prog->offloaded) 208 - return; 209 - 210 - err = cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_DESTROY); 211 - if (err) { 225 + err = cls_bpf_offload_cmd(tp, NULL, prog); 226 + if (err) 212 227 pr_err("Stopping hardware offload failed: %d\n", err); 213 - return; 214 - } 215 - 216 - prog->offloaded = false; 217 228 } 218 229 219 230 static void cls_bpf_offload_update_stats(struct tcf_proto *tp, 220 231 struct cls_bpf_prog *prog) 221 232 { 222 - if (!prog->offloaded) 223 - return; 233 + struct tcf_block *block = tp->chain->block; 234 + struct tc_cls_bpf_offload cls_bpf = {}; 224 235 225 - cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_STATS); 236 + tc_cls_common_offload_init(&cls_bpf.common, tp); 237 + cls_bpf.command = TC_CLSBPF_STATS; 238 + cls_bpf.exts = &prog->exts; 239 + cls_bpf.prog = prog->filter; 240 + cls_bpf.name = prog->bpf_name; 241 + cls_bpf.exts_integrated = prog->exts_integrated; 242 + cls_bpf.gen_flags = prog->gen_flags; 243 + 244 + tc_setup_cb_call(block, NULL, TC_SETUP_CLSBPF, &cls_bpf, false); 226 245 } 227 246 228 247 static int cls_bpf_init(struct tcf_proto *tp)

+3

net/sctp/debug.c

··· 78 78 case SCTP_CID_AUTH: 79 79 return "AUTH"; 80 80 81 + case SCTP_CID_RECONF: 82 + return "RECONF"; 83 + 81 84 default: 82 85 break; 83 86 }

+8 -16

net/sctp/ulpqueue.c

··· 1084 1084 void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk, 1085 1085 gfp_t gfp) 1086 1086 { 1087 - struct sctp_association *asoc; 1088 - __u16 needed, freed; 1087 + struct sctp_association *asoc = ulpq->asoc; 1088 + __u32 freed = 0; 1089 + __u16 needed; 1089 1090 1090 - asoc = ulpq->asoc; 1091 - 1092 - if (chunk) { 1093 - needed = ntohs(chunk->chunk_hdr->length); 1094 - needed -= sizeof(struct sctp_data_chunk); 1095 - } else 1096 - needed = SCTP_DEFAULT_MAXWINDOW; 1097 - 1098 - freed = 0; 1091 + needed = ntohs(chunk->chunk_hdr->length) - 1092 + sizeof(struct sctp_data_chunk); 1099 1093 1100 1094 if (skb_queue_empty(&asoc->base.sk->sk_receive_queue)) { 1101 1095 freed = sctp_ulpq_renege_order(ulpq, needed); 1102 - if (freed < needed) { 1096 + if (freed < needed) 1103 1097 freed += sctp_ulpq_renege_frags(ulpq, needed - freed); 1104 - } 1105 1098 } 1106 1099 /* If able to free enough room, accept this chunk. */ 1107 - if (chunk && (freed >= needed)) { 1108 - int retval; 1109 - retval = sctp_ulpq_tail_data(ulpq, chunk, gfp); 1100 + if (freed >= needed) { 1101 + int retval = sctp_ulpq_tail_data(ulpq, chunk, gfp); 1110 1102 /* 1111 1103 * Enter partial delivery if chunk has not been 1112 1104 * delivered; otherwise, drain the reassembly queue.

+8 -8

net/tipc/group.c

··· 351 351 if (m->window >= ADV_IDLE) 352 352 return; 353 353 354 - if (!list_empty(&m->congested)) 355 - return; 354 + list_del_init(&m->congested); 356 355 357 356 /* Sort member into congested members' list */ 358 357 list_for_each_entry_safe(_m, tmp, &grp->congested, congested) { ··· 647 648 } else if (mtyp == GRP_REMIT_MSG) { 648 649 msg_set_grp_remitted(hdr, m->window); 649 650 } 651 + msg_set_dest_droppable(hdr, true); 650 652 __skb_queue_tail(xmitq, skb); 651 653 } 652 654 ··· 689 689 msg_set_grp_bc_seqno(ehdr, m->bc_syncpt); 690 690 __skb_queue_tail(inputq, m->event_msg); 691 691 } 692 - if (m->window < ADV_IDLE) 693 - tipc_group_update_member(m, 0); 694 - else 695 - list_del_init(&m->congested); 692 + list_del_init(&m->congested); 693 + tipc_group_update_member(m, 0); 696 694 return; 697 695 case GRP_LEAVE_MSG: 698 696 if (!m) 699 697 return; 700 698 m->bc_syncpt = msg_grp_bc_syncpt(hdr); 699 + list_del_init(&m->list); 700 + list_del_init(&m->congested); 701 + *usr_wakeup = true; 701 702 702 703 /* Wait until WITHDRAW event is received */ 703 704 if (m->state != MBR_LEAVING) { ··· 710 709 ehdr = buf_msg(m->event_msg); 711 710 msg_set_grp_bc_seqno(ehdr, m->bc_syncpt); 712 711 __skb_queue_tail(inputq, m->event_msg); 713 - *usr_wakeup = true; 714 - list_del_init(&m->congested); 715 712 return; 716 713 case GRP_ADV_MSG: 717 714 if (!m) ··· 861 862 msg_set_grp_bc_seqno(hdr, m->bc_rcv_nxt); 862 863 __skb_queue_tail(inputq, skb); 863 864 } 865 + list_del_init(&m->list); 864 866 list_del_init(&m->congested); 865 867 } 866 868 *sk_rcvbuf = tipc_group_rcvbuf_limit(grp);

+10 -21

net/wireless/Makefile

··· 23 23 cfg80211-y += extra-certs.o 24 24 endif 25 25 26 - $(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.x509) 26 + $(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.hex) 27 27 @$(kecho) " GEN $@" 28 - @(set -e; \ 29 - allf=""; \ 30 - for f in $^ ; do \ 31 - # similar to hexdump -v -e '1/1 "0x%.2x," "\n"' \ 32 - thisf=$$(od -An -v -tx1 < $$f | \ 33 - sed -e 's/ /\n/g' | \ 34 - sed -e 's/^[0-9a-f]\+$$/\0/;t;d' | \ 35 - sed -e 's/^/0x/;s/$$/,/'); \ 36 - # file should not be empty - maybe command substitution failed? \ 37 - test ! -z "$$thisf";\ 38 - allf=$$allf$$thisf;\ 39 - done; \ 40 - ( \ 41 - echo '#include "reg.h"'; \ 42 - echo 'const u8 shipped_regdb_certs[] = {'; \ 43 - echo "$$allf"; \ 44 - echo '};'; \ 45 - echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);'; \ 46 - ) >> $@) 28 + @(echo '#include "reg.h"'; \ 29 + echo 'const u8 shipped_regdb_certs[] = {'; \ 30 + cat $^ ; \ 31 + echo '};'; \ 32 + echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);'; \ 33 + ) > $@ 47 34 48 35 $(obj)/extra-certs.c: $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%) \ 49 36 $(wildcard $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%)/*.x509) ··· 53 66 echo "$$allf"; \ 54 67 echo '};'; \ 55 68 echo 'unsigned int extra_regdb_certs_len = sizeof(extra_regdb_certs);'; \ 56 - ) >> $@) 69 + ) > $@) 70 + 71 + clean-files += shipped-certs.c extra-certs.c

+86

net/wireless/certs/sforshee.hex

··· 1 + /* Seth Forshee's regdb certificate */ 2 + 0x30, 0x82, 0x02, 0xa4, 0x30, 0x82, 0x01, 0x8c, 3 + 0x02, 0x09, 0x00, 0xb2, 0x8d, 0xdf, 0x47, 0xae, 4 + 0xf9, 0xce, 0xa7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 5 + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 6 + 0x05, 0x00, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 7 + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x73, 8 + 0x66, 0x6f, 0x72, 0x73, 0x68, 0x65, 0x65, 0x30, 9 + 0x20, 0x17, 0x0d, 0x31, 0x37, 0x31, 0x30, 0x30, 10 + 0x36, 0x31, 0x39, 0x34, 0x30, 0x33, 0x35, 0x5a, 11 + 0x18, 0x0f, 0x32, 0x31, 0x31, 0x37, 0x30, 0x39, 12 + 0x31, 0x32, 0x31, 0x39, 0x34, 0x30, 0x33, 0x35, 13 + 0x5a, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 14 + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x73, 0x66, 15 + 0x6f, 0x72, 0x73, 0x68, 0x65, 0x65, 0x30, 0x82, 16 + 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 17 + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 18 + 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 19 + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb5, 20 + 0x40, 0xe3, 0x9c, 0x28, 0x84, 0x39, 0x03, 0xf2, 21 + 0x39, 0xd7, 0x66, 0x2c, 0x41, 0x38, 0x15, 0xac, 22 + 0x7e, 0xa5, 0x83, 0x71, 0x25, 0x7e, 0x90, 0x7c, 23 + 0x68, 0xdd, 0x6f, 0x3f, 0xd9, 0xd7, 0x59, 0x38, 24 + 0x9f, 0x7c, 0x6a, 0x52, 0xc2, 0x03, 0x2a, 0x2d, 25 + 0x7e, 0x66, 0xf4, 0x1e, 0xb3, 0x12, 0x70, 0x20, 26 + 0x5b, 0xd4, 0x97, 0x32, 0x3d, 0x71, 0x8b, 0x3b, 27 + 0x1b, 0x08, 0x17, 0x14, 0x6b, 0x61, 0xc4, 0x57, 28 + 0x8b, 0x96, 0x16, 0x1c, 0xfd, 0x24, 0xd5, 0x0b, 29 + 0x09, 0xf9, 0x68, 0x11, 0x84, 0xfb, 0xca, 0x51, 30 + 0x0c, 0xd1, 0x45, 0x19, 0xda, 0x10, 0x44, 0x8a, 31 + 0xd9, 0xfe, 0x76, 0xa9, 0xfd, 0x60, 0x2d, 0x18, 32 + 0x0b, 0x28, 0x95, 0xb2, 0x2d, 0xea, 0x88, 0x98, 33 + 0xb8, 0xd1, 0x56, 0x21, 0xf0, 0x53, 0x1f, 0xf1, 34 + 0x02, 0x6f, 0xe9, 0x46, 0x9b, 0x93, 0x5f, 0x28, 35 + 0x90, 0x0f, 0xac, 0x36, 0xfa, 0x68, 0x23, 0x71, 36 + 0x57, 0x56, 0xf6, 0xcc, 0xd3, 0xdf, 0x7d, 0x2a, 37 + 0xd9, 0x1b, 0x73, 0x45, 0xeb, 0xba, 0x27, 0x85, 38 + 0xef, 0x7a, 0x7f, 0xa5, 0xcb, 0x80, 0xc7, 0x30, 39 + 0x36, 0xd2, 0x53, 0xee, 0xec, 0xac, 0x1e, 0xe7, 40 + 0x31, 0xf1, 0x36, 0xa2, 0x9c, 0x63, 0xc6, 0x65, 41 + 0x5b, 0x7f, 0x25, 0x75, 0x68, 0xa1, 0xea, 0xd3, 42 + 0x7e, 0x00, 0x5c, 0x9a, 0x5e, 0xd8, 0x20, 0x18, 43 + 0x32, 0x77, 0x07, 0x29, 0x12, 0x66, 0x1e, 0x36, 44 + 0x73, 0xe7, 0x97, 0x04, 0x41, 0x37, 0xb1, 0xb1, 45 + 0x72, 0x2b, 0xf4, 0xa1, 0x29, 0x20, 0x7c, 0x96, 46 + 0x79, 0x0b, 0x2b, 0xd0, 0xd8, 0xde, 0xc8, 0x6c, 47 + 0x3f, 0x93, 0xfb, 0xc5, 0xee, 0x78, 0x52, 0x11, 48 + 0x15, 0x1b, 0x7a, 0xf6, 0xe2, 0x68, 0x99, 0xe7, 49 + 0xfb, 0x46, 0x16, 0x84, 0xe3, 0xc7, 0xa1, 0xe6, 50 + 0xe0, 0xd2, 0x46, 0xd5, 0xe1, 0xc4, 0x5f, 0xa0, 51 + 0x66, 0xf4, 0xda, 0xc4, 0xff, 0x95, 0x1d, 0x02, 52 + 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 53 + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 54 + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 55 + 0x87, 0x03, 0xda, 0xf2, 0x82, 0xc2, 0xdd, 0xaf, 56 + 0x7c, 0x44, 0x2f, 0x86, 0xd3, 0x5f, 0x4c, 0x93, 57 + 0x48, 0xb9, 0xfe, 0x07, 0x17, 0xbb, 0x21, 0xf7, 58 + 0x25, 0x23, 0x4e, 0xaa, 0x22, 0x0c, 0x16, 0xb9, 59 + 0x73, 0xae, 0x9d, 0x46, 0x7c, 0x75, 0xd9, 0xc3, 60 + 0x49, 0x57, 0x47, 0xbf, 0x33, 0xb7, 0x97, 0xec, 61 + 0xf5, 0x40, 0x75, 0xc0, 0x46, 0x22, 0xf0, 0xa0, 62 + 0x5d, 0x9c, 0x79, 0x13, 0xa1, 0xff, 0xb8, 0xa3, 63 + 0x2f, 0x7b, 0x8e, 0x06, 0x3f, 0xc8, 0xb6, 0xe4, 64 + 0x6a, 0x28, 0xf2, 0x34, 0x5c, 0x23, 0x3f, 0x32, 65 + 0xc0, 0xe6, 0xad, 0x0f, 0xac, 0xcf, 0x55, 0x74, 66 + 0x47, 0x73, 0xd3, 0x01, 0x85, 0xb7, 0x0b, 0x22, 67 + 0x56, 0x24, 0x7d, 0x9f, 0x09, 0xa9, 0x0e, 0x86, 68 + 0x9e, 0x37, 0x5b, 0x9c, 0x6d, 0x02, 0xd9, 0x8c, 69 + 0xc8, 0x50, 0x6a, 0xe2, 0x59, 0xf3, 0x16, 0x06, 70 + 0xea, 0xb2, 0x42, 0xb5, 0x58, 0xfe, 0xba, 0xd1, 71 + 0x81, 0x57, 0x1a, 0xef, 0xb2, 0x38, 0x88, 0x58, 72 + 0xf6, 0xaa, 0xc4, 0x2e, 0x8b, 0x5a, 0x27, 0xe4, 73 + 0xa5, 0xe8, 0xa4, 0xca, 0x67, 0x5c, 0xac, 0x72, 74 + 0x67, 0xc3, 0x6f, 0x13, 0xc3, 0x2d, 0x35, 0x79, 75 + 0xd7, 0x8a, 0xe7, 0xf5, 0xd4, 0x21, 0x30, 0x4a, 76 + 0xd5, 0xf6, 0xa3, 0xd9, 0x79, 0x56, 0xf2, 0x0f, 77 + 0x10, 0xf7, 0x7d, 0xd0, 0x51, 0x93, 0x2f, 0x47, 78 + 0xf8, 0x7d, 0x4b, 0x0a, 0x84, 0x55, 0x12, 0x0a, 79 + 0x7d, 0x4e, 0x3b, 0x1f, 0x2b, 0x2f, 0xfc, 0x28, 80 + 0xb3, 0x69, 0x34, 0xe1, 0x80, 0x80, 0xbb, 0xe2, 81 + 0xaf, 0xb9, 0xd6, 0x30, 0xf1, 0x1d, 0x54, 0x87, 82 + 0x23, 0x99, 0x9f, 0x51, 0x03, 0x4c, 0x45, 0x7d, 83 + 0x02, 0x65, 0x73, 0xab, 0xfd, 0xcf, 0x94, 0xcc, 84 + 0x0d, 0x3a, 0x60, 0xfd, 0x3c, 0x14, 0x2f, 0x16, 85 + 0x33, 0xa9, 0x21, 0x1f, 0xcb, 0x50, 0xb1, 0x8f, 86 + 0x03, 0xee, 0xa0, 0x66, 0xa9, 0x16, 0x79, 0x14,

net/wireless/certs/sforshee.x509

This is a binary file and will not be displayed.

+4 -2

net/wireless/nl80211.c

··· 2610 2610 case NL80211_IFTYPE_AP: 2611 2611 if (wdev->ssid_len && 2612 2612 nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid)) 2613 - goto nla_put_failure; 2613 + goto nla_put_failure_locked; 2614 2614 break; 2615 2615 case NL80211_IFTYPE_STATION: 2616 2616 case NL80211_IFTYPE_P2P_CLIENT: ··· 2623 2623 if (!ssid_ie) 2624 2624 break; 2625 2625 if (nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2)) 2626 - goto nla_put_failure; 2626 + goto nla_put_failure_locked; 2627 2627 break; 2628 2628 } 2629 2629 default: ··· 2635 2635 genlmsg_end(msg, hdr); 2636 2636 return 0; 2637 2637 2638 + nla_put_failure_locked: 2639 + wdev_unlock(wdev); 2638 2640 nla_put_failure: 2639 2641 genlmsg_cancel(msg, hdr); 2640 2642 return -EMSGSIZE;

+1 -1

tools/arch/s390/include/uapi/asm/bpf_perf_event.h

··· 2 2 #ifndef _UAPI__ASM_BPF_PERF_EVENT_H__ 3 3 #define _UAPI__ASM_BPF_PERF_EVENT_H__ 4 4 5 - #include <asm/ptrace.h> 5 + #include "ptrace.h" 6 6 7 7 typedef user_pt_regs bpf_user_pt_regs_t; 8 8

+1 -1

tools/testing/selftests/bpf/Makefile

··· 11 11 endif 12 12 13 13 CFLAGS += -Wall -O2 -I$(APIDIR) -I$(LIBDIR) -I$(GENDIR) $(GENFLAGS) -I../../../include 14 - LDLIBS += -lcap -lelf 14 + LDLIBS += -lcap -lelf -lrt 15 15 16 16 TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \ 17 17 test_align test_verifier_log test_dev_cgroup

+4 -4

tools/testing/selftests/bpf/test_progs.c

··· 351 351 info_len != sizeof(struct bpf_map_info) || 352 352 strcmp((char *)map_infos[i].name, expected_map_name), 353 353 "get-map-info(fd)", 354 - "err %d errno %d type %d(%d) info_len %u(%lu) key_size %u value_size %u max_entries %u map_flags %X name %s(%s)\n", 354 + "err %d errno %d type %d(%d) info_len %u(%Zu) key_size %u value_size %u max_entries %u map_flags %X name %s(%s)\n", 355 355 err, errno, 356 356 map_infos[i].type, BPF_MAP_TYPE_ARRAY, 357 357 info_len, sizeof(struct bpf_map_info), ··· 395 395 *(int *)prog_infos[i].map_ids != map_infos[i].id || 396 396 strcmp((char *)prog_infos[i].name, expected_prog_name), 397 397 "get-prog-info(fd)", 398 - "err %d errno %d i %d type %d(%d) info_len %u(%lu) jit_enabled %d jited_prog_len %u xlated_prog_len %u jited_prog %d xlated_prog %d load_time %lu(%lu) uid %u(%u) nr_map_ids %u(%u) map_id %u(%u) name %s(%s)\n", 398 + "err %d errno %d i %d type %d(%d) info_len %u(%Zu) jit_enabled %d jited_prog_len %u xlated_prog_len %u jited_prog %d xlated_prog %d load_time %lu(%lu) uid %u(%u) nr_map_ids %u(%u) map_id %u(%u) name %s(%s)\n", 399 399 err, errno, i, 400 400 prog_infos[i].type, BPF_PROG_TYPE_SOCKET_FILTER, 401 401 info_len, sizeof(struct bpf_prog_info), ··· 463 463 memcmp(&prog_info, &prog_infos[i], info_len) || 464 464 *(int *)prog_info.map_ids != saved_map_id, 465 465 "get-prog-info(next_id->fd)", 466 - "err %d errno %d info_len %u(%lu) memcmp %d map_id %u(%u)\n", 466 + "err %d errno %d info_len %u(%Zu) memcmp %d map_id %u(%u)\n", 467 467 err, errno, info_len, sizeof(struct bpf_prog_info), 468 468 memcmp(&prog_info, &prog_infos[i], info_len), 469 469 *(int *)prog_info.map_ids, saved_map_id); ··· 509 509 memcmp(&map_info, &map_infos[i], info_len) || 510 510 array_value != array_magic_value, 511 511 "check get-map-info(next_id->fd)", 512 - "err %d errno %d info_len %u(%lu) memcmp %d array_value %llu(%llu)\n", 512 + "err %d errno %d info_len %u(%Zu) memcmp %d array_value %llu(%llu)\n", 513 513 err, errno, info_len, sizeof(struct bpf_map_info), 514 514 memcmp(&map_info, &map_infos[i], info_len), 515 515 array_value, array_magic_value);

+586 -43

tools/testing/selftests/bpf/test_verifier.c

··· 422 422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 423 423 BPF_EXIT_INSN(), 424 424 }, 425 - .errstr_unpriv = "R1 subtraction from stack pointer", 426 - .result_unpriv = REJECT, 427 - .errstr = "R1 invalid mem access", 425 + .errstr = "R1 subtraction from stack pointer", 428 426 .result = REJECT, 429 427 }, 430 428 { ··· 604 606 }, 605 607 .errstr = "misaligned stack access", 606 608 .result = REJECT, 607 - .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 608 609 }, 609 610 { 610 611 "invalid map_fd for function call", ··· 1794 1797 }, 1795 1798 .result = REJECT, 1796 1799 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8", 1797 - .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1798 1800 }, 1799 1801 { 1800 1802 "PTR_TO_STACK store/load - bad alignment on reg", ··· 1806 1810 }, 1807 1811 .result = REJECT, 1808 1812 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8", 1809 - .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1810 1813 }, 1811 1814 { 1812 1815 "PTR_TO_STACK store/load - out of bounds low", ··· 1857 1862 BPF_MOV64_IMM(BPF_REG_0, 0), 1858 1863 BPF_EXIT_INSN(), 1859 1864 }, 1860 - .result = ACCEPT, 1861 - .result_unpriv = REJECT, 1862 - .errstr_unpriv = "R1 pointer += pointer", 1865 + .result = REJECT, 1866 + .errstr = "R1 pointer += pointer", 1863 1867 }, 1864 1868 { 1865 1869 "unpriv: neg pointer", ··· 2586 2592 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2587 2593 offsetof(struct __sk_buff, data)), 2588 2594 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), 2589 - BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 2595 + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2596 + offsetof(struct __sk_buff, len)), 2590 2597 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49), 2591 2598 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49), 2592 2599 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), ··· 2894 2899 BPF_MOV64_IMM(BPF_REG_0, 0), 2895 2900 BPF_EXIT_INSN(), 2896 2901 }, 2897 - .errstr = "invalid access to packet", 2902 + .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 2898 2903 .result = REJECT, 2899 2904 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2900 2905 }, ··· 3880 3885 BPF_EXIT_INSN(), 3881 3886 }, 3882 3887 .fixup_map2 = { 3, 11 }, 3883 - .errstr_unpriv = "R0 pointer += pointer", 3884 - .errstr = "R0 invalid mem access 'inv'", 3885 - .result_unpriv = REJECT, 3888 + .errstr = "R0 pointer += pointer", 3886 3889 .result = REJECT, 3887 3890 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3888 3891 }, ··· 3921 3928 BPF_EXIT_INSN(), 3922 3929 }, 3923 3930 .fixup_map1 = { 4 }, 3924 - .errstr = "R4 invalid mem access", 3931 + .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 3925 3932 .result = REJECT, 3926 3933 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3927 3934 }, ··· 3942 3949 BPF_EXIT_INSN(), 3943 3950 }, 3944 3951 .fixup_map1 = { 4 }, 3945 - .errstr = "R4 invalid mem access", 3952 + .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 3946 3953 .result = REJECT, 3947 3954 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3948 3955 }, ··· 3963 3970 BPF_EXIT_INSN(), 3964 3971 }, 3965 3972 .fixup_map1 = { 4 }, 3966 - .errstr = "R4 invalid mem access", 3973 + .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 3967 3974 .result = REJECT, 3968 3975 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3969 3976 }, ··· 5188 5195 BPF_EXIT_INSN(), 5189 5196 }, 5190 5197 .fixup_map2 = { 3 }, 5191 - .errstr_unpriv = "R0 bitwise operator &= on pointer", 5192 - .errstr = "invalid mem access 'inv'", 5198 + .errstr = "R0 bitwise operator &= on pointer", 5193 5199 .result = REJECT, 5194 - .result_unpriv = REJECT, 5195 5200 }, 5196 5201 { 5197 5202 "map element value illegal alu op, 2", ··· 5205 5214 BPF_EXIT_INSN(), 5206 5215 }, 5207 5216 .fixup_map2 = { 3 }, 5208 - .errstr_unpriv = "R0 32-bit pointer arithmetic prohibited", 5209 - .errstr = "invalid mem access 'inv'", 5217 + .errstr = "R0 32-bit pointer arithmetic prohibited", 5210 5218 .result = REJECT, 5211 - .result_unpriv = REJECT, 5212 5219 }, 5213 5220 { 5214 5221 "map element value illegal alu op, 3", ··· 5222 5233 BPF_EXIT_INSN(), 5223 5234 }, 5224 5235 .fixup_map2 = { 3 }, 5225 - .errstr_unpriv = "R0 pointer arithmetic with /= operator", 5226 - .errstr = "invalid mem access 'inv'", 5236 + .errstr = "R0 pointer arithmetic with /= operator", 5227 5237 .result = REJECT, 5228 - .result_unpriv = REJECT, 5229 5238 }, 5230 5239 { 5231 5240 "map element value illegal alu op, 4", ··· 6006 6019 BPF_EXIT_INSN(), 6007 6020 }, 6008 6021 .fixup_map_in_map = { 3 }, 6009 - .errstr = "R1 type=inv expected=map_ptr", 6010 - .errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited", 6022 + .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited", 6011 6023 .result = REJECT, 6012 6024 }, 6013 6025 { ··· 6100 6114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 6101 6115 BPF_EXIT_INSN(), 6102 6116 }, 6117 + .result = ACCEPT, 6118 + }, 6119 + { 6120 + "ld_abs: tests on r6 and skb data reload helper", 6121 + .insns = { 6122 + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6123 + BPF_LD_ABS(BPF_B, 0), 6124 + BPF_LD_ABS(BPF_H, 0), 6125 + BPF_LD_ABS(BPF_W, 0), 6126 + BPF_MOV64_REG(BPF_REG_7, BPF_REG_6), 6127 + BPF_MOV64_IMM(BPF_REG_6, 0), 6128 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 6129 + BPF_MOV64_IMM(BPF_REG_2, 1), 6130 + BPF_MOV64_IMM(BPF_REG_3, 2), 6131 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6132 + BPF_FUNC_skb_vlan_push), 6133 + BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), 6134 + BPF_LD_ABS(BPF_B, 0), 6135 + BPF_LD_ABS(BPF_H, 0), 6136 + BPF_LD_ABS(BPF_W, 0), 6137 + BPF_MOV64_IMM(BPF_REG_0, 42), 6138 + BPF_EXIT_INSN(), 6139 + }, 6140 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6103 6141 .result = ACCEPT, 6104 6142 }, 6105 6143 { ··· 6310 6300 BPF_EXIT_INSN(), 6311 6301 }, 6312 6302 .fixup_map1 = { 3 }, 6313 - .errstr = "R0 min value is negative", 6303 + .errstr = "unbounded min value", 6314 6304 .result = REJECT, 6315 6305 }, 6316 6306 { ··· 6334 6324 BPF_EXIT_INSN(), 6335 6325 }, 6336 6326 .fixup_map1 = { 3 }, 6337 - .errstr = "R0 min value is negative", 6327 + .errstr = "unbounded min value", 6338 6328 .result = REJECT, 6339 6329 }, 6340 6330 { ··· 6360 6350 BPF_EXIT_INSN(), 6361 6351 }, 6362 6352 .fixup_map1 = { 3 }, 6363 - .errstr = "R8 invalid mem access 'inv'", 6353 + .errstr = "unbounded min value", 6364 6354 .result = REJECT, 6365 6355 }, 6366 6356 { ··· 6385 6375 BPF_EXIT_INSN(), 6386 6376 }, 6387 6377 .fixup_map1 = { 3 }, 6388 - .errstr = "R8 invalid mem access 'inv'", 6378 + .errstr = "unbounded min value", 6389 6379 .result = REJECT, 6390 6380 }, 6391 6381 { ··· 6433 6423 BPF_EXIT_INSN(), 6434 6424 }, 6435 6425 .fixup_map1 = { 3 }, 6436 - .errstr = "R0 min value is negative", 6426 + .errstr = "unbounded min value", 6437 6427 .result = REJECT, 6438 6428 }, 6439 6429 { ··· 6504 6494 BPF_EXIT_INSN(), 6505 6495 }, 6506 6496 .fixup_map1 = { 3 }, 6507 - .errstr = "R0 min value is negative", 6497 + .errstr = "unbounded min value", 6508 6498 .result = REJECT, 6509 6499 }, 6510 6500 { ··· 6555 6545 BPF_EXIT_INSN(), 6556 6546 }, 6557 6547 .fixup_map1 = { 3 }, 6558 - .errstr = "R0 min value is negative", 6548 + .errstr = "unbounded min value", 6559 6549 .result = REJECT, 6560 6550 }, 6561 6551 { ··· 6582 6572 BPF_EXIT_INSN(), 6583 6573 }, 6584 6574 .fixup_map1 = { 3 }, 6585 - .errstr = "R0 min value is negative", 6575 + .errstr = "unbounded min value", 6586 6576 .result = REJECT, 6587 6577 }, 6588 6578 { ··· 6608 6598 BPF_EXIT_INSN(), 6609 6599 }, 6610 6600 .fixup_map1 = { 3 }, 6611 - .errstr = "R0 min value is negative", 6601 + .errstr = "unbounded min value", 6612 6602 .result = REJECT, 6613 6603 }, 6614 6604 { ··· 6637 6627 BPF_EXIT_INSN(), 6638 6628 }, 6639 6629 .fixup_map1 = { 3 }, 6640 - .errstr = "R0 min value is negative", 6630 + .errstr = "unbounded min value", 6641 6631 .result = REJECT, 6642 6632 }, 6643 6633 { ··· 6667 6657 BPF_JMP_IMM(BPF_JA, 0, 0, -7), 6668 6658 }, 6669 6659 .fixup_map1 = { 4 }, 6670 - .errstr = "R0 min value is negative", 6660 + .errstr = "unbounded min value", 6671 6661 .result = REJECT, 6672 6662 }, 6673 6663 { ··· 6695 6685 BPF_EXIT_INSN(), 6696 6686 }, 6697 6687 .fixup_map1 = { 3 }, 6698 - .errstr_unpriv = "R0 pointer comparison prohibited", 6699 - .errstr = "R0 min value is negative", 6688 + .errstr = "unbounded min value", 6700 6689 .result = REJECT, 6701 6690 .result_unpriv = REJECT, 6702 6691 }, ··· 6751 6742 .result = REJECT, 6752 6743 }, 6753 6744 { 6745 + "bounds check based on zero-extended MOV", 6746 + .insns = { 6747 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6748 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6749 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6750 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6751 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6752 + BPF_FUNC_map_lookup_elem), 6753 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6754 + /* r2 = 0x0000'0000'ffff'ffff */ 6755 + BPF_MOV32_IMM(BPF_REG_2, 0xffffffff), 6756 + /* r2 = 0 */ 6757 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), 6758 + /* no-op */ 6759 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 6760 + /* access at offset 0 */ 6761 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6762 + /* exit */ 6763 + BPF_MOV64_IMM(BPF_REG_0, 0), 6764 + BPF_EXIT_INSN(), 6765 + }, 6766 + .fixup_map1 = { 3 }, 6767 + .result = ACCEPT 6768 + }, 6769 + { 6770 + "bounds check based on sign-extended MOV. test1", 6771 + .insns = { 6772 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6773 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6774 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6775 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6776 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6777 + BPF_FUNC_map_lookup_elem), 6778 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6779 + /* r2 = 0xffff'ffff'ffff'ffff */ 6780 + BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), 6781 + /* r2 = 0xffff'ffff */ 6782 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), 6783 + /* r0 = <oob pointer> */ 6784 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 6785 + /* access to OOB pointer */ 6786 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6787 + /* exit */ 6788 + BPF_MOV64_IMM(BPF_REG_0, 0), 6789 + BPF_EXIT_INSN(), 6790 + }, 6791 + .fixup_map1 = { 3 }, 6792 + .errstr = "map_value pointer and 4294967295", 6793 + .result = REJECT 6794 + }, 6795 + { 6796 + "bounds check based on sign-extended MOV. test2", 6797 + .insns = { 6798 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6799 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6800 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6801 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6802 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6803 + BPF_FUNC_map_lookup_elem), 6804 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6805 + /* r2 = 0xffff'ffff'ffff'ffff */ 6806 + BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), 6807 + /* r2 = 0xfff'ffff */ 6808 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36), 6809 + /* r0 = <oob pointer> */ 6810 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 6811 + /* access to OOB pointer */ 6812 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6813 + /* exit */ 6814 + BPF_MOV64_IMM(BPF_REG_0, 0), 6815 + BPF_EXIT_INSN(), 6816 + }, 6817 + .fixup_map1 = { 3 }, 6818 + .errstr = "R0 min value is outside of the array range", 6819 + .result = REJECT 6820 + }, 6821 + { 6822 + "bounds check based on reg_off + var_off + insn_off. test1", 6823 + .insns = { 6824 + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 6825 + offsetof(struct __sk_buff, mark)), 6826 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6827 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6828 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6829 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6830 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6831 + BPF_FUNC_map_lookup_elem), 6832 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6833 + BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), 6834 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1), 6835 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), 6836 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), 6837 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), 6838 + BPF_MOV64_IMM(BPF_REG_0, 0), 6839 + BPF_EXIT_INSN(), 6840 + }, 6841 + .fixup_map1 = { 4 }, 6842 + .errstr = "value_size=8 off=1073741825", 6843 + .result = REJECT, 6844 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6845 + }, 6846 + { 6847 + "bounds check based on reg_off + var_off + insn_off. test2", 6848 + .insns = { 6849 + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 6850 + offsetof(struct __sk_buff, mark)), 6851 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6852 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6853 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6854 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6855 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6856 + BPF_FUNC_map_lookup_elem), 6857 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6858 + BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), 6859 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1), 6860 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), 6861 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), 6862 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), 6863 + BPF_MOV64_IMM(BPF_REG_0, 0), 6864 + BPF_EXIT_INSN(), 6865 + }, 6866 + .fixup_map1 = { 4 }, 6867 + .errstr = "value 1073741823", 6868 + .result = REJECT, 6869 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6870 + }, 6871 + { 6872 + "bounds check after truncation of non-boundary-crossing range", 6873 + .insns = { 6874 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6875 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6876 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6877 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6878 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6879 + BPF_FUNC_map_lookup_elem), 6880 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6881 + /* r1 = [0x00, 0xff] */ 6882 + BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6883 + BPF_MOV64_IMM(BPF_REG_2, 1), 6884 + /* r2 = 0x10'0000'0000 */ 6885 + BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36), 6886 + /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */ 6887 + BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 6888 + /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */ 6889 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 6890 + /* r1 = [0x00, 0xff] */ 6891 + BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff), 6892 + /* r1 = 0 */ 6893 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 6894 + /* no-op */ 6895 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6896 + /* access at offset 0 */ 6897 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6898 + /* exit */ 6899 + BPF_MOV64_IMM(BPF_REG_0, 0), 6900 + BPF_EXIT_INSN(), 6901 + }, 6902 + .fixup_map1 = { 3 }, 6903 + .result = ACCEPT 6904 + }, 6905 + { 6906 + "bounds check after truncation of boundary-crossing range (1)", 6907 + .insns = { 6908 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6909 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6910 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6911 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6912 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6913 + BPF_FUNC_map_lookup_elem), 6914 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6915 + /* r1 = [0x00, 0xff] */ 6916 + BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6917 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 6918 + /* r1 = [0xffff'ff80, 0x1'0000'007f] */ 6919 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 6920 + /* r1 = [0xffff'ff80, 0xffff'ffff] or 6921 + * [0x0000'0000, 0x0000'007f] 6922 + */ 6923 + BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0), 6924 + BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 6925 + /* r1 = [0x00, 0xff] or 6926 + * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] 6927 + */ 6928 + BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 6929 + /* r1 = 0 or 6930 + * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff] 6931 + */ 6932 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 6933 + /* no-op or OOB pointer computation */ 6934 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6935 + /* potentially OOB access */ 6936 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6937 + /* exit */ 6938 + BPF_MOV64_IMM(BPF_REG_0, 0), 6939 + BPF_EXIT_INSN(), 6940 + }, 6941 + .fixup_map1 = { 3 }, 6942 + /* not actually fully unbounded, but the bound is very high */ 6943 + .errstr = "R0 unbounded memory access", 6944 + .result = REJECT 6945 + }, 6946 + { 6947 + "bounds check after truncation of boundary-crossing range (2)", 6948 + .insns = { 6949 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6950 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6951 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6952 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6953 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6954 + BPF_FUNC_map_lookup_elem), 6955 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6956 + /* r1 = [0x00, 0xff] */ 6957 + BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6958 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 6959 + /* r1 = [0xffff'ff80, 0x1'0000'007f] */ 6960 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 6961 + /* r1 = [0xffff'ff80, 0xffff'ffff] or 6962 + * [0x0000'0000, 0x0000'007f] 6963 + * difference to previous test: truncation via MOV32 6964 + * instead of ALU32. 6965 + */ 6966 + BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), 6967 + BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 6968 + /* r1 = [0x00, 0xff] or 6969 + * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] 6970 + */ 6971 + BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 6972 + /* r1 = 0 or 6973 + * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff] 6974 + */ 6975 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 6976 + /* no-op or OOB pointer computation */ 6977 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6978 + /* potentially OOB access */ 6979 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6980 + /* exit */ 6981 + BPF_MOV64_IMM(BPF_REG_0, 0), 6982 + BPF_EXIT_INSN(), 6983 + }, 6984 + .fixup_map1 = { 3 }, 6985 + /* not actually fully unbounded, but the bound is very high */ 6986 + .errstr = "R0 unbounded memory access", 6987 + .result = REJECT 6988 + }, 6989 + { 6990 + "bounds check after wrapping 32-bit addition", 6991 + .insns = { 6992 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6993 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6994 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6995 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6996 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6997 + BPF_FUNC_map_lookup_elem), 6998 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 6999 + /* r1 = 0x7fff'ffff */ 7000 + BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff), 7001 + /* r1 = 0xffff'fffe */ 7002 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 7003 + /* r1 = 0 */ 7004 + BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2), 7005 + /* no-op */ 7006 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7007 + /* access at offset 0 */ 7008 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7009 + /* exit */ 7010 + BPF_MOV64_IMM(BPF_REG_0, 0), 7011 + BPF_EXIT_INSN(), 7012 + }, 7013 + .fixup_map1 = { 3 }, 7014 + .result = ACCEPT 7015 + }, 7016 + { 7017 + "bounds check after shift with oversized count operand", 7018 + .insns = { 7019 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7020 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7021 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7022 + BPF_LD_MAP_FD(BPF_REG_1, 0), 7023 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7024 + BPF_FUNC_map_lookup_elem), 7025 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 7026 + BPF_MOV64_IMM(BPF_REG_2, 32), 7027 + BPF_MOV64_IMM(BPF_REG_1, 1), 7028 + /* r1 = (u32)1 << (u32)32 = ? */ 7029 + BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2), 7030 + /* r1 = [0x0000, 0xffff] */ 7031 + BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff), 7032 + /* computes unknown pointer, potentially OOB */ 7033 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7034 + /* potentially OOB access */ 7035 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7036 + /* exit */ 7037 + BPF_MOV64_IMM(BPF_REG_0, 0), 7038 + BPF_EXIT_INSN(), 7039 + }, 7040 + .fixup_map1 = { 3 }, 7041 + .errstr = "R0 max value is outside of the array range", 7042 + .result = REJECT 7043 + }, 7044 + { 7045 + "bounds check after right shift of maybe-negative number", 7046 + .insns = { 7047 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7048 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7049 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7050 + BPF_LD_MAP_FD(BPF_REG_1, 0), 7051 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7052 + BPF_FUNC_map_lookup_elem), 7053 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 7054 + /* r1 = [0x00, 0xff] */ 7055 + BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7056 + /* r1 = [-0x01, 0xfe] */ 7057 + BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1), 7058 + /* r1 = 0 or 0xff'ffff'ffff'ffff */ 7059 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 7060 + /* r1 = 0 or 0xffff'ffff'ffff */ 7061 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 7062 + /* computes unknown pointer, potentially OOB */ 7063 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7064 + /* potentially OOB access */ 7065 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7066 + /* exit */ 7067 + BPF_MOV64_IMM(BPF_REG_0, 0), 7068 + BPF_EXIT_INSN(), 7069 + }, 7070 + .fixup_map1 = { 3 }, 7071 + .errstr = "R0 unbounded memory access", 7072 + .result = REJECT 7073 + }, 7074 + { 7075 + "bounds check map access with off+size signed 32bit overflow. test1", 7076 + .insns = { 7077 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7078 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7079 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7080 + BPF_LD_MAP_FD(BPF_REG_1, 0), 7081 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7082 + BPF_FUNC_map_lookup_elem), 7083 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7084 + BPF_EXIT_INSN(), 7085 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe), 7086 + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 7087 + BPF_JMP_A(0), 7088 + BPF_EXIT_INSN(), 7089 + }, 7090 + .fixup_map1 = { 3 }, 7091 + .errstr = "map_value pointer and 2147483646", 7092 + .result = REJECT 7093 + }, 7094 + { 7095 + "bounds check map access with off+size signed 32bit overflow. test2", 7096 + .insns = { 7097 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7098 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7099 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7100 + BPF_LD_MAP_FD(BPF_REG_1, 0), 7101 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7102 + BPF_FUNC_map_lookup_elem), 7103 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7104 + BPF_EXIT_INSN(), 7105 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 7106 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 7107 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 7108 + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 7109 + BPF_JMP_A(0), 7110 + BPF_EXIT_INSN(), 7111 + }, 7112 + .fixup_map1 = { 3 }, 7113 + .errstr = "pointer offset 1073741822", 7114 + .result = REJECT 7115 + }, 7116 + { 7117 + "bounds check map access with off+size signed 32bit overflow. test3", 7118 + .insns = { 7119 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7120 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7121 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7122 + BPF_LD_MAP_FD(BPF_REG_1, 0), 7123 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7124 + BPF_FUNC_map_lookup_elem), 7125 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7126 + BPF_EXIT_INSN(), 7127 + BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), 7128 + BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), 7129 + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), 7130 + BPF_JMP_A(0), 7131 + BPF_EXIT_INSN(), 7132 + }, 7133 + .fixup_map1 = { 3 }, 7134 + .errstr = "pointer offset -1073741822", 7135 + .result = REJECT 7136 + }, 7137 + { 7138 + "bounds check map access with off+size signed 32bit overflow. test4", 7139 + .insns = { 7140 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7141 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7142 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7143 + BPF_LD_MAP_FD(BPF_REG_1, 0), 7144 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7145 + BPF_FUNC_map_lookup_elem), 7146 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7147 + BPF_EXIT_INSN(), 7148 + BPF_MOV64_IMM(BPF_REG_1, 1000000), 7149 + BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000), 7150 + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7151 + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), 7152 + BPF_JMP_A(0), 7153 + BPF_EXIT_INSN(), 7154 + }, 7155 + .fixup_map1 = { 3 }, 7156 + .errstr = "map_value pointer and 1000000000000", 7157 + .result = REJECT 7158 + }, 7159 + { 7160 + "pointer/scalar confusion in state equality check (way 1)", 7161 + .insns = { 7162 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7163 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7164 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7165 + BPF_LD_MAP_FD(BPF_REG_1, 0), 7166 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7167 + BPF_FUNC_map_lookup_elem), 7168 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 7169 + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 7170 + BPF_JMP_A(1), 7171 + BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 7172 + BPF_JMP_A(0), 7173 + BPF_EXIT_INSN(), 7174 + }, 7175 + .fixup_map1 = { 3 }, 7176 + .result = ACCEPT, 7177 + .result_unpriv = REJECT, 7178 + .errstr_unpriv = "R0 leaks addr as return value" 7179 + }, 7180 + { 7181 + "pointer/scalar confusion in state equality check (way 2)", 7182 + .insns = { 7183 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7184 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7185 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7186 + BPF_LD_MAP_FD(BPF_REG_1, 0), 7187 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7188 + BPF_FUNC_map_lookup_elem), 7189 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 7190 + BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 7191 + BPF_JMP_A(1), 7192 + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 7193 + BPF_EXIT_INSN(), 7194 + }, 7195 + .fixup_map1 = { 3 }, 7196 + .result = ACCEPT, 7197 + .result_unpriv = REJECT, 7198 + .errstr_unpriv = "R0 leaks addr as return value" 7199 + }, 7200 + { 6754 7201 "variable-offset ctx access", 6755 7202 .insns = { 6756 7203 /* Get an unknown value */ ··· 7246 6781 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)", 7247 6782 .result = REJECT, 7248 6783 .prog_type = BPF_PROG_TYPE_LWT_IN, 6784 + }, 6785 + { 6786 + "indirect variable-offset stack access", 6787 + .insns = { 6788 + /* Fill the top 8 bytes of the stack */ 6789 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6790 + /* Get an unknown value */ 6791 + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 6792 + /* Make it small and 4-byte aligned */ 6793 + BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 6794 + BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8), 6795 + /* add it to fp. We now have either fp-4 or fp-8, but 6796 + * we don't know which 6797 + */ 6798 + BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), 6799 + /* dereference it indirectly */ 6800 + BPF_LD_MAP_FD(BPF_REG_1, 0), 6801 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6802 + BPF_FUNC_map_lookup_elem), 6803 + BPF_MOV64_IMM(BPF_REG_0, 0), 6804 + BPF_EXIT_INSN(), 6805 + }, 6806 + .fixup_map1 = { 5 }, 6807 + .errstr = "variable stack read R2", 6808 + .result = REJECT, 6809 + .prog_type = BPF_PROG_TYPE_LWT_IN, 6810 + }, 6811 + { 6812 + "direct stack access with 32-bit wraparound. test1", 6813 + .insns = { 6814 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6815 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 6816 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 6817 + BPF_MOV32_IMM(BPF_REG_0, 0), 6818 + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6819 + BPF_EXIT_INSN() 6820 + }, 6821 + .errstr = "fp pointer and 2147483647", 6822 + .result = REJECT 6823 + }, 6824 + { 6825 + "direct stack access with 32-bit wraparound. test2", 6826 + .insns = { 6827 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6828 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff), 6829 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff), 6830 + BPF_MOV32_IMM(BPF_REG_0, 0), 6831 + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6832 + BPF_EXIT_INSN() 6833 + }, 6834 + .errstr = "fp pointer and 1073741823", 6835 + .result = REJECT 6836 + }, 6837 + { 6838 + "direct stack access with 32-bit wraparound. test3", 6839 + .insns = { 6840 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6841 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff), 6842 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff), 6843 + BPF_MOV32_IMM(BPF_REG_0, 0), 6844 + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6845 + BPF_EXIT_INSN() 6846 + }, 6847 + .errstr = "fp pointer offset 1073741822", 6848 + .result = REJECT 7249 6849 }, 7250 6850 { 7251 6851 "liveness pruning and write screening", ··· 7634 7104 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7635 7105 }, 7636 7106 { 7107 + "pkt_end - pkt_start is allowed", 7108 + .insns = { 7109 + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 7110 + offsetof(struct __sk_buff, data_end)), 7111 + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7112 + offsetof(struct __sk_buff, data)), 7113 + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2), 7114 + BPF_EXIT_INSN(), 7115 + }, 7116 + .result = ACCEPT, 7117 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7118 + }, 7119 + { 7637 7120 "XDP pkt read, pkt_end mangling, bad access 1", 7638 7121 .insns = { 7639 7122 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, ··· 7661 7118 BPF_MOV64_IMM(BPF_REG_0, 0), 7662 7119 BPF_EXIT_INSN(), 7663 7120 }, 7664 - .errstr = "R1 offset is outside of the packet", 7121 + .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 7665 7122 .result = REJECT, 7666 7123 .prog_type = BPF_PROG_TYPE_XDP, 7667 7124 }, ··· 7680 7137 BPF_MOV64_IMM(BPF_REG_0, 0), 7681 7138 BPF_EXIT_INSN(), 7682 7139 }, 7683 - .errstr = "R1 offset is outside of the packet", 7140 + .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 7684 7141 .result = REJECT, 7685 7142 .prog_type = BPF_PROG_TYPE_XDP, 7686 7143 },

+1

tools/testing/selftests/net/config

··· 1 1 CONFIG_USER_NS=y 2 2 CONFIG_BPF_SYSCALL=y 3 3 CONFIG_TEST_BPF=m 4 + CONFIG_NUMA=y

Configure Feed

Configure Feed