* Re: [PATCH v2] net-fq: Add WARN_ON check for null flow.
From: Ben Greear @ 2018-06-08 14:08 UTC (permalink / raw)
To: Cong Wang; +Cc: Linux Kernel Network Developers
In-Reply-To: <CAM_iQpULrWMNtgDcrZkc-uLtB0XOVFeZxQ6cFgpXwv7DtA9jzA@mail.gmail.com>
On 06/07/2018 04:59 PM, Cong Wang wrote:
> On Thu, Jun 7, 2018 at 4:48 PM, <greearb@candelatech.com> wrote:
>> diff --git a/include/net/fq_impl.h b/include/net/fq_impl.h
>> index be7c0fa..cb911f0 100644
>> --- a/include/net/fq_impl.h
>> +++ b/include/net/fq_impl.h
>> @@ -78,7 +78,10 @@ static struct sk_buff *fq_tin_dequeue(struct fq *fq,
>> return NULL;
>> }
>>
>> - flow = list_first_entry(head, struct fq_flow, flowchain);
>> + flow = list_first_entry_or_null(head, struct fq_flow, flowchain);
>> +
>> + if (WARN_ON_ONCE(!flow))
>> + return NULL;
>
> This does not make sense either. list_first_entry_or_null()
> returns NULL only when the list is empty, but we already check
> list_empty() right before this code, and it is protected by fq->lock.
>
Nevermind then.
Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
^ permalink raw reply
* Re: BUG: unable to handle kernel NULL pointer dereference in corrupted
From: Tetsuo Handa @ 2018-06-08 14:08 UTC (permalink / raw)
To: Dmitry Vyukov, syzbot, ubraun, linux-s390
Cc: David Miller, LKML, netdev, syzkaller-bugs
In-Reply-To: <CACT4Y+Z9PL4m85TGBfoLLOrw3PtqiCf+vLgdXnLUMPmHcBC33A@mail.gmail.com>
On 2018/06/08 22:39, Dmitry Vyukov wrote:
> On Fri, Jun 8, 2018 at 3:11 PM, syzbot
> <syzbot+f5066e369b2d5fff630f@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 68abbe729567 Merge branch 'akpm' (patches from Andrew)
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=16f7cebf800000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=e5a4673d4582131c
>> dashboard link: https://syzkaller.appspot.com/bug?extid=f5066e369b2d5fff630f
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1191756f800000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162236af800000
>
> The reproducer suggests that this is in smc.
> +smc maintainers
Yes, an unprivileged user can trigger this oops.
----------
#include <sys/socket.h>
#include <sys/epoll.h>
#define PF_SMC 43
int main(int argc, char *argv[])
{
struct epoll_event ev = { };
int sfd = socket(PF_SMC, SOCK_STREAM, 0);
int epfd = epoll_create(1);
epoll_ctl(epfd, EPOLL_CTL_ADD, sfd, &ev);
return 0;
}
----------
^ permalink raw reply
* Re: net-next boot error: KASAN: use-after-free Write in call_usermodehelper_exec_work
From: Dmitry Vyukov @ 2018-06-08 14:05 UTC (permalink / raw)
To: syzbot, netdev, David Miller, Alexei Starovoitov
Cc: LKML, Luis R. Rodriguez, syzkaller-bugs
In-Reply-To: <CACT4Y+Z-+Rw9GfX4Q0HJxJtpMcRGO5EFj15cqOhJiEGkntcOMg@mail.gmail.com>
On Sun, May 27, 2018 at 7:40 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Sun, May 27, 2018 at 7:34 AM, syzbot
> <syzbot+9269ae80345087b898d0@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 5b79c2af667c Merge git://git.kernel.org/pub/scm/linux/kern..
>> git tree: net-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=16087fa7800000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
>> dashboard link: https://syzkaller.appspot.com/bug?extid=9269ae80345087b898d0
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>>
>> Unfortunately, I don't have any reproducer for this crash yet.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+9269ae80345087b898d0@syzkaller.appspotmail.com
>
>
> This first happened just now on net-next, so +net maintainers.
> This happened during boot, so no separate reproducer.
Could fix this before it reaches Linus tree...
#syz fix: umh: fix race condition
>> FS-Cache: Loaded
>> CacheFiles: Loaded
>> pnp: PnP ACPI init
>> pnp: PnP ACPI: found 7 devices
>> ==================================================================
>> BUG: KASAN: use-after-free in call_usermodehelper_exec_work+0x2d3/0x310
>> kernel/umh.c:195
>> Write of size 4 at addr ffff8801d63bd370 by task kworker/u4:0/6
>>
>> CPU: 0 PID: 6 Comm: kworker/u4:0 Not tainted 4.17.0-rc6+ #65
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Workqueue: events_unbound call_usermodehelper_exec_work
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x1b9/0x294 lib/dump_stack.c:113
>> print_address_description+0x6c/0x20b mm/kasan/report.c:256
>> kasan_report_error mm/kasan/report.c:354 [inline]
>> kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
>> __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
>> call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
>> process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
>> worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
>> kthread+0x345/0x410 kernel/kthread.c:240
>> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
>>
>> Allocated by task 1:
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>> set_track mm/kasan/kasan.c:460 [inline]
>> kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
>> kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
>> kmalloc include/linux/slab.h:512 [inline]
>> kzalloc include/linux/slab.h:701 [inline]
>> call_usermodehelper_setup+0xe8/0x400 kernel/umh.c:382
>> clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns:
>> 2085701024 ns
>> kobject_uevent_env+0xb21/0x1110 lib/kobject_uevent.c:608
>> kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:636
>> device_add+0xb01/0x16d0 drivers/base/core.c:1843
>> device_create_groups_vargs+0x1ff/0x270 drivers/base/core.c:2439
>> device_create_vargs drivers/base/core.c:2479 [inline]
>> device_create+0xd3/0x100 drivers/base/core.c:2515
>> chr_dev_init+0x120/0x158 drivers/char/mem.c:938
>> do_one_initcall+0x127/0x913 init/main.c:884
>> do_initcall_level init/main.c:952 [inline]
>> do_initcalls init/main.c:960 [inline]
>> do_basic_setup init/main.c:978 [inline]
>> kernel_init_freeable+0x49b/0x58e init/main.c:1135
>> kernel_init+0x11/0x1b3 init/main.c:1061
>> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
>>
>> Freed by task 1296:
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>> NET: Registered protocol family 2
>> set_track mm/kasan/kasan.c:460 [inline]
>> __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
>> kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
>> __cache_free mm/slab.c:3498 [inline]
>> kfree+0xd9/0x260 mm/slab.c:3813
>> call_usermodehelper_freeinfo kernel/umh.c:45 [inline]
>> umh_complete+0x7b/0x90 kernel/umh.c:59
>> call_usermodehelper_exec_async+0x6e8/0x9e0 kernel/umh.c:116
>> tcp_listen_portaddr_hash hash table entries: 4096 (order: 6, 294912 bytes)
>> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
>>
>> The buggy address belongs to the object at ffff8801d63bd300
>> which belongs to the cache kmalloc-192 of size 192
>> The buggy address is located 112 bytes inside of
>> 192-byte region [ffff8801d63bd300, ffff8801d63bd3c0)
>> The buggy address belongs to the page:
>> TCP established hash table entries: 65536 (order: 7, 524288 bytes)
>> page:ffffea000758ef40 count:1 mapcount:0 mapping:ffff8801d63bd000 index:0x0
>> flags: 0x2fffc0000000100(slab)
>> raw: 02fffc0000000100 ffff8801d63bd000 0000000000000000 0000000100000010
>> TCP bind hash table entries: 65536 (order: 10, 4194304 bytes)
>> raw: ffffea000759c2e0 ffffea0007521be0 ffff8801da800040 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff8801d63bd200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8801d63bd280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>>>
>>> ffff8801d63bd300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>
>> TCP: Hash tables configured (established 65536 bind 65536)
>> ^
>> ffff8801d63bd380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>> ffff8801d63bd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>> UDP hash table entries: 4096 (order: 7, 655360 bytes)
>> UDP-Lite hash table entries: 4096 (order: 7, 655360 bytes)
>>
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
>> syzbot.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/syzkaller-bugs/000000000000424989056d295959%40google.com.
>> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply
* Re: WARNING in do_dentry_open
From: Daniel Borkmann @ 2018-06-08 13:47 UTC (permalink / raw)
To: Dmitry Vyukov, syzbot, Alexei Starovoitov, netdev
Cc: linux-fsdevel, LKML, syzkaller-bugs, Al Viro
In-Reply-To: <CACT4Y+b+6XrNfHmZSBitOKqVHYaq-aOgMDnHhp3vKEVs117iJA@mail.gmail.com>
On 06/08/2018 03:34 PM, Dmitry Vyukov wrote:
> On Fri, Jun 8, 2018 at 3:11 PM, syzbot
> <syzbot+2e7fcab0f56fdbb330b8@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 68abbe729567 Merge branch 'akpm' (patches from Andrew)
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=130146af800000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=e5a4673d4582131c
>> dashboard link: https://syzkaller.appspot.com/bug?extid=2e7fcab0f56fdbb330b8
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1591756f800000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=152236af800000
>
> Looking at the reproducer this seems to be related to bpf.
> +bpf maintainers
Indeed, thanks! Already working on a fix right now.
^ permalink raw reply
* Re: [PATCH] net: phy: Add TJA1100 BroadR-Reach PHY driver.
From: Andrew Lunn @ 2018-06-08 13:40 UTC (permalink / raw)
To: Kirill Kranke; +Cc: f.fainelli, davem, netdev, Kirill Kranke
In-Reply-To: <1528451799-2481-1-git-send-email-kranke.kirill@gmail.com>
On Fri, Jun 08, 2018 at 12:56:39PM +0300, Kirill Kranke wrote:
> From: Kirill Kranke <kirill.kranke@gmail.com>
>
> Current generic PHY driver does not work with TJA1100 BroadR-REACH PHY
> properly. TJA1100 does not have any standard ability enabled at MII_BMSR
> register. Instead it has BroadR-REACH ability at MII_ESTATUS enabled, which
> is not handled by generic driver yet. Therefore generic driver is unable to
> guess required link speed, duplex etc. Device is started up with 10Mbps
> halfduplex which is incorrect.
>
> BroadR-REACH able flag is not specified in IEEE802.3-2015. Which is why I
> did not add BroadR-REACH able flag support at generic driver. Once
> BroadR-REACH able flag gets into IEEE802.3 it should be reasonable to
> support it in the generic PHY driver.
>
> Signed-off-by: Kirill Kranke <kirill.kranke@gmail.com>
>
> diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
> index 343989f..7014eb7 100644
> --- a/drivers/net/phy/Kconfig
> +++ b/drivers/net/phy/Kconfig
> @@ -422,6 +422,14 @@ config TERANETICS_PHY
> ---help---
> Currently supports the Teranetics TN2020
>
> +config TJA1100_PHY
> + tristate "NXP TJA1100 PHY"
> + help
> + Support of NXP TJA1100 BroadR-REACH ethernet PHY.
> + Generic driver is not suitable for TJA1100 PHY while the PHY does not
> + advertise any standard IEEE capabilities. It uses BroadR-REACH able
> + flag instead. This driver configures capabilities of the PHY properly.
> +
> config VITESSE_PHY
> tristate "Vitesse PHYs"
> ---help---
> diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
> index 5805c0b..4d2a69d 100644
> --- a/drivers/net/phy/Makefile
> +++ b/drivers/net/phy/Makefile
> @@ -83,5 +83,6 @@ obj-$(CONFIG_ROCKCHIP_PHY) += rockchip.o
> obj-$(CONFIG_SMSC_PHY) += smsc.o
> obj-$(CONFIG_STE10XP) += ste10Xp.o
> obj-$(CONFIG_TERANETICS_PHY) += teranetics.o
> +obj-$(CONFIG_TJA1100_PHY) += tja1100.o
> obj-$(CONFIG_VITESSE_PHY) += vitesse.o
> obj-$(CONFIG_XILINX_GMII2RGMII) += xilinx_gmii2rgmii.o
> diff --git a/drivers/net/phy/tja1100.c b/drivers/net/phy/tja1100.c
> new file mode 100644
> index 0000000..081b580
> --- /dev/null
> +++ b/drivers/net/phy/tja1100.c
> @@ -0,0 +1,215 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* tja1100.c: TJA1100 BoardR-REACH PHY driver.
> + *
> + * Copyright (c) 2017 Kirill Kranke <kirill.kranke@gmail.com>
> + * Author: Kirill Kranke <kirill.kranke@gmail.com>
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/module.h>
> +#include <linux/phy.h>
> +
> +/* TJA1100 specific registers */
> +#define TJA1100_ECTRL 0x11 /* Extended control register */
> +#define TJA1100_CFG1 0x12 /* Configuration register 1 */
> +#define TJA1100_CFG2 0x13 /* Configuration register 2 */
> +#define TJA1100_SERRCNT 0x14 /* Symbol error counter register 2 */
> +#define TJA1100_INTST 0x15 /* Interrupt status register */
> +#define TJA1100_INTEN 0x16 /* Interrupt enable register */
> +#define TJA1100_COMST 0x17 /* Communication status register */
> +#define TJA1100_GST 0x18 /* General status register */
> +#define TJA1100_EXTST 0x19 /* External status register */
> +#define TJA1100_LFCNT 0x1a /* Link fail counter register */
> +
> +/* Extended control register */
> +#define ECTRL_LC 0x8000 /* link control enable */
> +#define ECTRL_PM 0x7800 /* operating mode select */
> +#define ECTRL_PM_NOCNG 0x0000 /* PM == 0000: no change */
> +#define ECTRL_PM_NORMAL 0x1800 /* PM == 0011: Normal mode */
> +#define ECTRL_PM_STANBY 0x6000 /* PM == 1100: Standby mode */
> +#define ECTRL_PM_SREQ 0x5800 /* PM == 1011: Sleep Request mode */
> +#define ECTRL_SJ_TST 0x0400 /* enable/disable Slave jitter test */
> +#define ECTRL_TR_RST 0x0200 /* Autonegotiation process restart */
> +#define ECTRL_TST_MODE 0x01c0 /* test mode selection */
> +#define ECTRL_C_TST 0x0020 /* TDR-based cable test */
> +#define ECTRL_LOOPBACK 0x0018 /* loopback mode select */
> +#define ECTRL_CFGEN 0x0004 /* configuration register access */
> +#define ECTRL_CFGINH 0x0002 /* INH configuration */
> +#define ECTRL_WAKE_REQ 0x0001 /* wake-up request configuration */
> +
> +/* Configuration register 1 */
> +#define CFG1_MS 0x8000 /* PHY Master/Slave configuration */
> +#define CFG1_AUTO_OP 0x4000 /* managed/autonomous operation */
> +#define CFG1_LINKLEN 0x2000 /* cable length: 0 < 15 m; 1 > 15 m */
> +#define CFG1_TXAMP 0x0c00 /* nominal transmit amplitude */
> +#define CFG1_TXAMP_050 0x0000 /* TXAMP == 00: 500 mV */
> +#define CFG1_TXAMP_075 0x0200 /* TXAMP == 01: 750 mV */
> +#define CFG1_TXAMP_100 0x0400 /* TXAMP == 10: 1000 mV */
> +#define CFG1_TXAMP_125 0x0c00 /* TXAMP == 11: 1250 mV */
> +#define CFG1_MODE 0x0300 /* MII/RMII mode */
> +#define CFG1_DRIVER 0x0080 /* MII output driver strength */
> +#define CFG1_SC 0x0040 /* sleep confirmation setting */
> +#define CFG1_LED_MODE 0x0030 /* LED mode */
> +#define CFG1_LED_EN 0x0008 /* LED enable */
> +#define CFG1_CFG_WAKE 0x0004 /* local wake configuration */
> +#define CFG1_APWD 0x0002 /* autonomous power down */
> +#define CFG1_LPS 0x0001 /* LPS code group reception */
> +
> +/* Configuration register 2 */
> +#define CFG2_PHYAD_4_0 0xf800 /* PHY address used for the SMI addr */
> +#define CFG2_SNR_AVG 0x0600 /* signal-to-noise ratio averaging */
> +#define CFG2_SNR_WLIM 0x01c0 /* signal-to-noise ratio warning limit */
> +#define CFG2_SNR_FLIM 0x0038 /* signal-to-noise ratio fail limit */
> +#define CFG2_JUMBO_EN 0x0004 /* Jumbo packet support */
> +#define CFG2_SRTO 0x0003 /* sleep request time-out */
> +#define CFG2_SRTO_04 0x0000 /* SRTO == 00: 0.4 ms */
> +#define CFG2_SRTO_1 0x0001 /* SRTO == 01: 1 ms */
> +#define CFG2_SRTO_4 0x0002 /* SRTO == 10: 4 ms */
> +#define CFG2_SRTO_16 0x0003 /* SRTO == 11: 16 ms */
> +
> +/* Symbol error counter register 2 */
> +#define SERRCNT_SEC 0xffff /* The symbol error counter */
> +
> +/* Interrupt status register */
> +#define INTST_PWON 0x8000 /* power-on detected */
> +#define INTST_WAKEUP 0x4000 /* local or remote wake-up detected */
> +#define INTST_WUR 0x2000 /* dedicated wake-up request detected */
> +#define INTST_LPS 0x1000 /* LPS code groups received */
> +#define INTST_PIF 0x0800 /* PHY initialization error detected */
> +#define INTST_LINK_FAIL 0x0400 /* link status changed to ‘link fail’ */
> +#define INTST_LINK_UP 0x0200 /* link status changed to ‘link up’ */
> +#define INTST_SYM_ERR 0x0100 /* symbol error detected */
> +#define INTST_TF 0x0080 /* training phase failure detected */
> +#define INTST_SNRW 0x0040 /* SNR value above warning limit */
> +#define INTST_CTRL_ERR 0x0020 /* SMI control error detected */
> +#define INTST_TXENC 0x0010 /* TXEN clamping detected */
> +#define INTST_UV_ERR 0x0008 /* undervoltage detected */
> +#define INTST_UVR 0x0004 /* undervoltage recovery detected */
> +#define INTST_TEMP_ERR 0x0002 /* overtemperature error detected */
> +#define INTST_SA 0x0001 /* transition to Normal on timer expiring */
> +
> +/* Interrupt enable register */
> +#define INTEN_PWON 0x8000 /* PWON interrupt enable */
> +#define INTEN_WAKEUP 0x4000 /* WAKEUP interrupt enable */
> +#define INTEN_WUR 0x2000 /* WUR_RECEIVED interrupt enable */
> +#define INTEN_LPS 0x1000 /* LPS_RECEIVED interrupt enable */
> +#define INTEN_PIF 0x0800 /* PHY_INIT_FAIL interrupt enable */
> +#define INTEN_LINK_FAIL 0x0400 /* LINK_STATUS_FAIL interrupt enable */
> +#define INTEN_LINK_UP 0x0200 /* LINK_STATUS_UP interrupt enable */
> +#define INTEN_SYM_ERR 0x0100 /* SYM_ERR interrupt enable */
> +#define INTEN_TF 0x0080 /* TRAINING_FAILED interrupt enable */
> +#define INTEN_SNRW 0x0040 /* SNR_WARNING interrupt enable */
> +#define INTEN_CTRL_ERR 0x0020 /* CONTROL_ERR interrupt enable */
> +#define INTEN_TXENC 0x0010 /* TXEN_CLAMPED interrupt enable */
> +#define INTEN_UV_ERR 0x0008 /* UV_ERR interrupt enable */
> +#define INTEN_UVR 0x0004 /* UV_RECOVERY interrupt enable */
> +#define INTEN_TEMP_ERR 0x0002 /* TEMP_ERR interrupt enable */
> +#define INTEN_SA 0x0001 /* SLEEP_ABORT interrupt enable */
> +
> +/* Communication status register */
> +#define COMST_LINK_UP 0x8000 /* link OK */
> +#define COMST_TXM 0x6000 /* transmitter mode */
> +#define COMST_TXM_DIS 0x0000 /* TXM == 00: transmitter disabled */
> +#define COMST_TXM_DIS 0x0000 /* TXM == 01: transmitter in SEND_N mode */
> +#define COMST_TXM_DIS 0x0000 /* TXM == 10: transmitter in SEND_I mode */
> +#define COMST_TXM_DIS 0x0000 /* TXM == 11: transmitter in SEND_Z mode */
> +#define COMST_LR 0x1000 /* local receiver OK */
> +#define COMST_RR 0x0800 /* remote receiver OK */
> +#define COMST_SCRL 0x0400 /* descrambler locked */
> +#define COMST_SSD_ERR 0x0200 /* SSD error detected */
> +#define COMST_ESD_ERR 0x0100 /* ESD error detected */
> +#define COMST_SNR 0x00e0 /* SNR link status */
> +#define COMST_RX_ERR 0x0010 /* receive error detected since last read */
> +#define COMST_TX_ERR 0x0080 /* transmit error detected since last read */
> +#define COMST_PS 0x0007 /* PHY state */
> +
> +/* General status register */
> +#define GST_INTP 0x8000 /* unmasked interrupt pending */
> +#define GST_PLL_LOCKED 0x4000 /* PLL stable and locked */
> +#define GST_LWU 0x2000 /* local wake-up detected */
> +#define GST_RWU 0x1000 /* remote wake-up detected */
> +#define GST_DDWU 0x0800 /* data detected at MDI in Sleep Request mode */
> +#define GST_EN 0x0400 /* EN switched LOW since last read */
> +#define GST_RST 0x0200 /* hardware reset detected since last read */
> +#define GST_LF_CNT 0x00f8 /* number of link fails since last read */
> +
> +/* External status register */
> +#define EXTST_UVDDA_3V3 0x4000 /* undervoltage detected on pin VDDA(3V3) */
> +#define EXTST_UVDDD_1V8 0x2000 /* undervoltage detected on pin VDDD(1V8) */
> +#define EXTST_UVDDA_1V8 0x1000 /* undervoltage detected on pin VDDA(1V8) */
> +#define EXTST_UVDDIO 0x0800 /* undervoltage detected on pin VDD(IO) */
> +#define EXTST_TH 0x0400 /* temperature above high level */
> +#define EXTST_TW 0x0200 /* temperature above warning level */
> +#define EXTST_SD 0x0100 /* short circuit detected since last read */
> +#define EXTST_OD 0x0080 /* open circuit detected since last read */
> +#define EXTST_INTDET 0x0040 /* interleave order detection */
> +
> +/* Link fail counter register */
> +#define LFCNT_LRC 0xff00 /* incremented when local receiver is NOT_OK */
> +#define LFCNT_RRC 0x00ff /* incremented when remote receiver is NOT_OK */
Hi Kirill
You have a lot of #define here which you don't use. If you intend to
send more patches which make use of them, that is find. But if this is
going to be the only patch, please remove those which are not needed.
> +
> +static int tja1100_phy_config_init(struct phy_device *phydev)
> +{
> + u32 features;
> +
> + /* TJA1100 has only 100BASE-BroadR-REACH ability specified at
> + * MII_ESTATUS register. Standard modes are not supported. Therefore
> + * BroadR-REACH allow only 100Mbps full duplex without autoneg.
> + */
> + features = SUPPORTED_MII;
> + features |= SUPPORTED_100baseT_Full;
> +
> + phydev->supported &= features;
> + phydev->advertising &= features;
You should not need to play with these. They should come from
.features you set in the driver configuration below.
> + phydev->autoneg = AUTONEG_DISABLE;
> + phydev->speed = SPEED_100;
> + phydev->duplex = DUPLEX_FULL;
> +
> + return 0;
> +}
> +
> +static int tja1100_phy_config_aneg(struct phy_device *phydev)
> +{
> + if (phydev->autoneg == AUTONEG_ENABLE) {
> + pr_err("TJA1100: autonegotiation is not supported\n");
> + return -1;
> + }
Please use proper error code.
Also dev_err().
> +
> + if (phydev->speed != SPEED_100 || phydev->duplex != DUPLEX_FULL) {
> + pr_err("TJA1100: only 100MBps Full Duplex allowed\n");
Same here.
> + return -2;
> + }
> +
> + return 0;
> +}
> +
> +static struct phy_driver tja1100_phy_driver[] = {
> + {
> + .phy_id = 0x0180dc48,
> + .phy_id_mask = 0xfffffff0,
> + .name = "NXP TJA1100",
> +
> + .features = SUPPORTED_100baseT_Full | SUPPORTED_MII,
> +
> + .config_aneg = tja1100_phy_config_aneg,
> + .read_status = genphy_read_status,
> + .config_init = tja1100_phy_config_init,
> + .soft_reset = genphy_soft_reset,
There is no need to specify read_status and soft_reset. They will
default to the genphy if not specified.
Andrew
^ permalink raw reply
* Re: [PATCH net v2] net: bridge: Fix locking in br_fdb_find_port()
From: Nikolay Aleksandrov @ 2018-06-08 13:39 UTC (permalink / raw)
To: Petr Machata, bridge, netdev; +Cc: stephen, davem
In-Reply-To: <38d89430-32c4-8842-efd4-88e7d3912506@cumulusnetworks.com>
On 08/06/18 16:35, Nikolay Aleksandrov wrote:
> On 08/06/18 16:11, Petr Machata wrote:
>> Callers of br_fdb_find() need to hold the hash lock, which
>> br_fdb_find_port() doesn't do. However, since br_fdb_find_port() is not
>> doing any actual FDB manipulation, the hash lock is not really needed at
>> all. So convert to br_fdb_find_rcu(), surrounded by rcu_read_lock() /
>> _unlock() pair.
>>
>> The device pointer copied from inside the FDB entry is then kept alive
>> by the RTNL lock, which br_fdb_find_port() asserts.
>>
>> Fixes: 4d4fd36126d6 ("net: bridge: Publish bridge accessor functions")
>> Signed-off-by: Petr Machata <petrm@mellanox.com>
>> ---
>>
>> Notes:
>> Changes from v1 to v2:
>>
>> - Instead of taking hash lock, take RCU lock and call br_fdb_find_rcu().
>>
>> net/bridge/br_fdb.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
>> index b19e310..502f663 100644
>> --- a/net/bridge/br_fdb.c
>> +++ b/net/bridge/br_fdb.c
>> @@ -135,9 +135,11 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev,
>> return NULL;
>>
>> br = netdev_priv(br_dev);
>> - f = br_fdb_find(br, addr, vid);
>> + rcu_read_lock();
>> + f = br_fdb_find_rcu(br, addr, vid);
>> if (f && f->dst)
>> dev = f->dst->dev;
>> + rcu_read_unlock();
>>
>> return dev;
>> }
>>
>
> Important note: the only reason this will not dereference a NULL pointer
> when getting f->dst is because RTNL is held in all of its current
> callers. I missed the comments on the previous version, but using RCU
> here is dangerous if someone decides to use this without rtnl they will
> get a false sense of security, that is why I acked the previous version.
> I'd suggest to use READ_ONCE() for f->dst to avoid reading it again.
>
Nevermind the READ_ONCE part, I missed that there's ASSERT_RTNL() in the
beginning of this function, so it'll always be used with RTNL. :-)
It's good as it stands, I need to get some coffee.
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
^ permalink raw reply
* Re: BUG: unable to handle kernel NULL pointer dereference in corrupted
From: Dmitry Vyukov @ 2018-06-08 13:39 UTC (permalink / raw)
To: syzbot, ubraun, linux-s390; +Cc: David Miller, LKML, netdev, syzkaller-bugs
In-Reply-To: <000000000000b98577056e212120@google.com>
On Fri, Jun 8, 2018 at 3:11 PM, syzbot
<syzbot+f5066e369b2d5fff630f@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 68abbe729567 Merge branch 'akpm' (patches from Andrew)
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16f7cebf800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e5a4673d4582131c
> dashboard link: https://syzkaller.appspot.com/bug?extid=f5066e369b2d5fff630f
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1191756f800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162236af800000
The reproducer suggests that this is in smc.
+smc maintainers
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+f5066e369b2d5fff630f@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> PGD 1b51e5067 P4D 1b51e5067 PUD 1b508f067 PMD 0
> Oops: 0010 [#1] SMP KASAN
> CPU: 1 PID: 4485 Comm: syz-executor452 Not tainted 4.17.0+ #90
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010: (null)
> Code: Bad RIP value.
> RSP: 0018:ffff8801b6f273a0 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff8801b629b800 RCX: 1ffffffff10ea805
> RDX: ffff8801b6f27c00 RSI: ffff8801ae67a100 RDI: ffff8801b51feac0
> RBP: ffff8801b6f27510 R08: ffff8801b563cf78 R09: 0000000000000006
> R10: ffff8801b563c740 R11: 0000000000000000 R12: 1ffff10036de4e79
> R13: ffff8801b6f27c00 R14: ffff8801b629b812 R15: ffff8801b629bc58
> FS: 0000000001c2b880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffffffffffd6 CR3: 00000001b5625000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> sock_poll+0x1d1/0x710 net/socket.c:1156
> vfs_poll+0x77/0x2a0 fs/select.c:40
> ep_item_poll.isra.15+0x2c1/0x390 fs/eventpoll.c:887
> ep_insert+0x6b8/0x1c00 fs/eventpoll.c:1459
> __do_sys_epoll_ctl fs/eventpoll.c:2113 [inline]
> __se_sys_epoll_ctl fs/eventpoll.c:1999 [inline]
> __x64_sys_epoll_ctl+0xef1/0x10f0 fs/eventpoll.c:1999
> do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x43fcc9
> Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fff59e3a2f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000e9
> RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcc9
> RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000004
> RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
> R10: 0000000020000000 R11: 0000000000000217 R12: 00000000004015f0
> R13: 0000000000401680 R14: 0000000000000000 R15: 0000000000000000
> Modules linked in:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> CR2: 0000000000000000
> ---[ end trace 090a30b2125a99a3 ]---
> RIP: 0010: (null)
> Code: Bad RIP value.
> RSP: 0018:ffff8801b6f273a0 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff8801b629b800 RCX: 1ffffffff10ea805
> RDX: ffff8801b6f27c00 RSI: ffff8801ae67a100 RDI: ffff8801b51feac0
> RBP: ffff8801b6f27510 R08: ffff8801b563cf78 R09: 0000000000000006
> R10: ffff8801b563c740 R11: 0000000000000000 R12: 1ffff10036de4e79
> R13: ffff8801b6f27c00 R14: ffff8801b629b812 R15: ffff8801b629bc58
> FS: 0000000001c2b880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffffffffffd6 CR3: 00000001b5625000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/000000000000b98577056e212120%40google.com.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply
* Re: general protection fault in pipe_write
From: Dmitry Vyukov @ 2018-06-08 13:36 UTC (permalink / raw)
To: syzbot, Alexei Starovoitov, Daniel Borkmann, netdev
Cc: linux-fsdevel, LKML, syzkaller-bugs, Al Viro
In-Reply-To: <000000000000c109af056e2121a4@google.com>
On Fri, Jun 8, 2018 at 3:11 PM, syzbot
<syzbot+772c951c5f15d2f1df03@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 7170e6045a6a strparser: Add __strp_unpause and use it in k..
> git tree: net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=15b5c8cf800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a601a80fec461d44
> dashboard link: https://syzkaller.appspot.com/bug?extid=772c951c5f15d2f1df03
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13ad0b6f800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+772c951c5f15d2f1df03@syzkaller.appspotmail.com
This seems to be same as the splash of other crashes in bpfilter:
#syz fix: bpfilter: fix race in pipe access
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> bpfilter: read fail -512
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 6572 Comm: syz-executor5 Not tainted 4.17.0-rc7+ #82
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:pipe_write+0xa49/0xeb0 fs/pipe.c:480
> RSP: 0000:ffff8801ac6b7858 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff81c22b3b
> RDX: 0000000000000005 RSI: ffffffff81c22b49 RDI: 0000000000000028
> RBP: ffff8801ac6b78d8 R08: ffff8801b3796080 R09: 0000000000000006
> R10: ffff8801b3796080 R11: 0000000000000000 R12: ffff8801cdbaa820
> R13: ffff8801cdb31a40 R14: 0000000000000000 R15: dffffc0000000000
> FS: 00007fe12b0e9700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fe01b0f9af0 CR3: 00000001c43e7000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> call_write_iter include/linux/fs.h:1784 [inline]
> new_sync_write fs/read_write.c:474 [inline]
> __vfs_write+0x64d/0x960 fs/read_write.c:487
> __kernel_write+0x10c/0x380 fs/read_write.c:506
> __bpfilter_process_sockopt+0x1d8/0x35b net/bpfilter/bpfilter_kern.c:66
> bpfilter_mbox_request+0x4d/0xb0 net/ipv4/bpfilter/sockopt.c:25
> bpfilter_ip_set_sockopt+0x33/0x40 net/ipv4/bpfilter/sockopt.c:31
> ip_setsockopt+0x124/0x140 net/ipv4/ip_sockglue.c:1250
> raw_setsockopt+0xe2/0x100 net/ipv4/raw.c:868
> sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3059
> __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
> __do_sys_setsockopt net/socket.c:1914 [inline]
> __se_sys_setsockopt net/socket.c:1911 [inline]
> __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
> do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4559f9
> RSP: 002b:00007fe12b0e8c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
> RAX: ffffffffffffffda RBX: 00007fe12b0e96d4 RCX: 00000000004559f9
> RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004
> RBP: 000000000072bf50 R08: 0000000000000370 R09: 0000000000000000
> R10: 00000000200003c0 R11: 0000000000000246 R12: 00000000ffffffff
> R13: 00000000004c0d8b R14: 00000000004d0828 R15: 0000000000000001
> Code: 48 c1 ea 03 80 3c 02 00 0f 85 fc 03 00 00 48 8b 45 c8 48 8b 58 20 48
> b8 00 00 00 00 00 fc ff df 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
> 85 ef 03 00 00 48 8b 7b 28 31 d2 be 01 00 00 00
> RIP: pipe_write+0xa49/0xeb0 fs/pipe.c:480 RSP: ffff8801ac6b7858
> ---[ end trace 7e44f4b8135e2e72 ]---
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/000000000000c109af056e2121a4%40google.com.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply
* Re: [PATCH net v2] net: bridge: Fix locking in br_fdb_find_port()
From: Nikolay Aleksandrov @ 2018-06-08 13:35 UTC (permalink / raw)
To: Petr Machata, bridge, netdev; +Cc: stephen, davem
In-Reply-To: <c41fffa00abb9a123039e5509886a0de85274291.1528450455.git.petrm@mellanox.com>
On 08/06/18 16:11, Petr Machata wrote:
> Callers of br_fdb_find() need to hold the hash lock, which
> br_fdb_find_port() doesn't do. However, since br_fdb_find_port() is not
> doing any actual FDB manipulation, the hash lock is not really needed at
> all. So convert to br_fdb_find_rcu(), surrounded by rcu_read_lock() /
> _unlock() pair.
>
> The device pointer copied from inside the FDB entry is then kept alive
> by the RTNL lock, which br_fdb_find_port() asserts.
>
> Fixes: 4d4fd36126d6 ("net: bridge: Publish bridge accessor functions")
> Signed-off-by: Petr Machata <petrm@mellanox.com>
> ---
>
> Notes:
> Changes from v1 to v2:
>
> - Instead of taking hash lock, take RCU lock and call br_fdb_find_rcu().
>
> net/bridge/br_fdb.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
> index b19e310..502f663 100644
> --- a/net/bridge/br_fdb.c
> +++ b/net/bridge/br_fdb.c
> @@ -135,9 +135,11 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev,
> return NULL;
>
> br = netdev_priv(br_dev);
> - f = br_fdb_find(br, addr, vid);
> + rcu_read_lock();
> + f = br_fdb_find_rcu(br, addr, vid);
> if (f && f->dst)
> dev = f->dst->dev;
> + rcu_read_unlock();
>
> return dev;
> }
>
Important note: the only reason this will not dereference a NULL pointer
when getting f->dst is because RTNL is held in all of its current
callers. I missed the comments on the previous version, but using RCU
here is dangerous if someone decides to use this without rtnl they will
get a false sense of security, that is why I acked the previous version.
I'd suggest to use READ_ONCE() for f->dst to avoid reading it again.
The way to reach a null dst is with fdbs pointing to the bridge which
currently can only be installed via user-space with RTNL held.
^ permalink raw reply
* Re: WARNING in do_dentry_open
From: Dmitry Vyukov @ 2018-06-08 13:34 UTC (permalink / raw)
To: syzbot, Alexei Starovoitov, Daniel Borkmann, netdev
Cc: linux-fsdevel, LKML, syzkaller-bugs, Al Viro
In-Reply-To: <000000000000bd54dd056e212189@google.com>
On Fri, Jun 8, 2018 at 3:11 PM, syzbot
<syzbot+2e7fcab0f56fdbb330b8@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 68abbe729567 Merge branch 'akpm' (patches from Andrew)
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=130146af800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e5a4673d4582131c
> dashboard link: https://syzkaller.appspot.com/bug?extid=2e7fcab0f56fdbb330b8
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1591756f800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=152236af800000
Looking at the reproducer this seems to be related to bpf.
+bpf maintainers
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+2e7fcab0f56fdbb330b8@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> WARNING: CPU: 1 PID: 4508 at fs/open.c:778 do_dentry_open+0x4ad/0xe40
> fs/open.c:778
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 1 PID: 4508 Comm: syz-executor867 Not tainted 4.17.0+ #90
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x1b9/0x294 lib/dump_stack.c:113
> panic+0x22f/0x4de kernel/panic.c:184
> __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
> report_bug+0x252/0x2d0 lib/bug.c:186
> fixup_bug arch/x86/kernel/traps.c:178 [inline]
> do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
> invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
> RIP: 0010:do_dentry_open+0x4ad/0xe40 fs/open.c:778
> Code: 7b 28 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00
> 0f 85 15 08 00 00 48 c7 43 28 00 00 00 00 e8 f3 6d ba ff <0f> 0b e8 ec 6d ba
> ff 48 8d 43 18 41 be ed ff ff ff 48 89 45 c0 e9
> RSP: 0018:ffff8801afcaf7c8 EFLAGS: 00010293
> RAX: ffff8801afe08400 RBX: ffff8801b099e0c0 RCX: ffffffff81bfccf6
> RDX: 0000000000000000 RSI: ffffffff81bfcf6d RDI: ffff8801b099e0e8
> RBP: ffff8801afcaf840 R08: ffff8801afe08400 R09: ffffed0036aa2afc
> R10: ffffed0036aa2afc R11: ffff8801b55157e3 R12: ffff8801ab28d4b0
> R13: ffff8801ab28d6a8 R14: 0000000000000000 R15: ffff8801b099e13c
> vfs_open+0x139/0x230 fs/open.c:908
> do_last fs/namei.c:3370 [inline]
> path_openat+0x1717/0x4dc0 fs/namei.c:3511
> do_filp_open+0x249/0x350 fs/namei.c:3545
> do_sys_open+0x56f/0x740 fs/open.c:1101
> __do_sys_openat fs/open.c:1128 [inline]
> __se_sys_openat fs/open.c:1122 [inline]
> __x64_sys_openat+0x9d/0x100 fs/open.c:1122
> do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x43ff09
> Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007ffe4eafe4f8 EFLAGS: 00000217 ORIG_RAX: 0000000000000101
> RAX: ffffffffffffffda RBX: 2f30656c69662f2e RCX: 000000000043ff09
> RDX: 0000000000000040 RSI: 0000000020000100 RDI: ffffffffffffff9c
> RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
> R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000401830
> R13: 00000000004018c0 R14: 0000000000000000 R15: 0000000000000000
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/000000000000bd54dd056e212189%40google.com.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply
* [PATCH net v2] net: bridge: Fix locking in br_fdb_find_port()
From: Petr Machata @ 2018-06-08 13:11 UTC (permalink / raw)
To: bridge, netdev; +Cc: stephen, davem, stephen
Callers of br_fdb_find() need to hold the hash lock, which
br_fdb_find_port() doesn't do. However, since br_fdb_find_port() is not
doing any actual FDB manipulation, the hash lock is not really needed at
all. So convert to br_fdb_find_rcu(), surrounded by rcu_read_lock() /
_unlock() pair.
The device pointer copied from inside the FDB entry is then kept alive
by the RTNL lock, which br_fdb_find_port() asserts.
Fixes: 4d4fd36126d6 ("net: bridge: Publish bridge accessor functions")
Signed-off-by: Petr Machata <petrm@mellanox.com>
---
Notes:
Changes from v1 to v2:
- Instead of taking hash lock, take RCU lock and call br_fdb_find_rcu().
net/bridge/br_fdb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index b19e310..502f663 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -135,9 +135,11 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev,
return NULL;
br = netdev_priv(br_dev);
- f = br_fdb_find(br, addr, vid);
+ rcu_read_lock();
+ f = br_fdb_find_rcu(br, addr, vid);
if (f && f->dst)
dev = f->dst->dev;
+ rcu_read_unlock();
return dev;
}
--
2.4.11
^ permalink raw reply related
* kernel BUG at include/linux/mm.h:LINE! (2)
From: syzbot @ 2018-06-08 13:11 UTC (permalink / raw)
To: davem, edumazet, kuznet, linux-kernel, netdev, syzkaller-bugs,
yoshfuji
Hello,
syzbot found the following crash on:
HEAD commit: 7170e6045a6a strparser: Add __strp_unpause and use it in k..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=114236af800000
kernel config: https://syzkaller.appspot.com/x/.config?x=a601a80fec461d44
dashboard link: https://syzkaller.appspot.com/bug?extid=3225ce21c0e9929bb9cf
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=10f44fdf800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=110f636f800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3225ce21c0e9929bb9cf@syzkaller.appspotmail.com
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffff80
raw: ffffea0006b29220 ffff88021fffac18 0000000000000003 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) <= 0)
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:853!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4545 Comm: syz-executor492 Not tainted 4.17.0-rc7+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:get_page include/linux/mm.h:853 [inline]
RIP: 0010:do_tcp_sendpages+0x1879/0x1e60 net/ipv4/tcp.c:1002
RSP: 0018:ffff8801c2a06f88 EFLAGS: 00010203
RAX: 0000000000000000 RBX: ffff8801d972d580 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81a66c25 RDI: ffffed0038540de0
RBP: ffff8801c2a071e8 R08: ffff8801b11d2480 R09: 0000000000000006
R10: ffff8801b11d2480 R11: 0000000000000000 R12: 000000000000301d
R13: ffffea0006b2621c R14: ffff8801ae5a6040 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020008000 CR3: 0000000008c6a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tls_push_sg+0x25b/0x860 net/tls/tls_main.c:126
tls_push_record+0xae5/0x13e0 net/tls/tls_sw.c:266
tls_sw_push_pending_record+0x22/0x30 net/tls/tls_sw.c:276
tls_handle_open_record net/tls/tls_main.c:164 [inline]
tls_sk_proto_close+0x734/0xad0 net/tls/tls_main.c:264
inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
sock_release+0x96/0x1b0 net/socket.c:594
sock_close+0x16/0x20 net/socket.c:1149
__fput+0x34d/0x890 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x1aee/0x2730 kernel/exit.c:865
do_group_exit+0x16f/0x430 kernel/exit.c:968
__do_sys_exit_group kernel/exit.c:979 [inline]
__se_sys_exit_group kernel/exit.c:977 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43f368
RSP: 002b:00007ffd03500578 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f368
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bf448 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
Code: ff ff 41 89 86 cc 08 00 00 e8 e4 07 05 00 e9 2c eb ff ff e8 ca 4b 27
fb 48 8b bd b8 fd ff ff 48 c7 c6 40 0c 54 88 e8 77 72 54 fb <0f> 0b 48 89
85 b8 fd ff ff e8 a9 4b 27 fb 48 8b 85 b8 fd ff ff
RIP: get_page include/linux/mm.h:853 [inline] RSP: ffff8801c2a06f88
RIP: do_tcp_sendpages+0x1879/0x1e60 net/ipv4/tcp.c:1002 RSP:
ffff8801c2a06f88
---[ end trace 500a6e4fab99629c ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply
* BUG: unable to handle kernel NULL pointer dereference in corrupted
From: syzbot @ 2018-06-08 13:11 UTC (permalink / raw)
To: davem, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 68abbe729567 Merge branch 'akpm' (patches from Andrew)
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16f7cebf800000
kernel config: https://syzkaller.appspot.com/x/.config?x=e5a4673d4582131c
dashboard link: https://syzkaller.appspot.com/bug?extid=f5066e369b2d5fff630f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1191756f800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162236af800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f5066e369b2d5fff630f@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 1b51e5067 P4D 1b51e5067 PUD 1b508f067 PMD 0
Oops: 0010 [#1] SMP KASAN
CPU: 1 PID: 4485 Comm: syz-executor452 Not tainted 4.17.0+ #90
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010: (null)
Code: Bad RIP value.
RSP: 0018:ffff8801b6f273a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8801b629b800 RCX: 1ffffffff10ea805
RDX: ffff8801b6f27c00 RSI: ffff8801ae67a100 RDI: ffff8801b51feac0
RBP: ffff8801b6f27510 R08: ffff8801b563cf78 R09: 0000000000000006
R10: ffff8801b563c740 R11: 0000000000000000 R12: 1ffff10036de4e79
R13: ffff8801b6f27c00 R14: ffff8801b629b812 R15: ffff8801b629bc58
FS: 0000000001c2b880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001b5625000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sock_poll+0x1d1/0x710 net/socket.c:1156
vfs_poll+0x77/0x2a0 fs/select.c:40
ep_item_poll.isra.15+0x2c1/0x390 fs/eventpoll.c:887
ep_insert+0x6b8/0x1c00 fs/eventpoll.c:1459
__do_sys_epoll_ctl fs/eventpoll.c:2113 [inline]
__se_sys_epoll_ctl fs/eventpoll.c:1999 [inline]
__x64_sys_epoll_ctl+0xef1/0x10f0 fs/eventpoll.c:1999
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fcc9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff59e3a2f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000e9
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcc9
RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000020000000 R11: 0000000000000217 R12: 00000000004015f0
R13: 0000000000401680 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: 0000000000000000
---[ end trace 090a30b2125a99a3 ]---
RIP: 0010: (null)
Code: Bad RIP value.
RSP: 0018:ffff8801b6f273a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8801b629b800 RCX: 1ffffffff10ea805
RDX: ffff8801b6f27c00 RSI: ffff8801ae67a100 RDI: ffff8801b51feac0
RBP: ffff8801b6f27510 R08: ffff8801b563cf78 R09: 0000000000000006
R10: ffff8801b563c740 R11: 0000000000000000 R12: 1ffff10036de4e79
R13: ffff8801b6f27c00 R14: ffff8801b629b812 R15: ffff8801b629bc58
FS: 0000000001c2b880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001b5625000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply
* [PATCH 2/2] iproute2: Remove leftover gated RT_PROT defines
From: Donald Sharp @ 2018-06-08 12:46 UTC (permalink / raw)
To: netdev, stephen, dsahern
These values are not being used nor maintained, so remove.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
etc/iproute2/rt_protos | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/etc/iproute2/rt_protos b/etc/iproute2/rt_protos
index 3ffe8a6c..a965ad16 100644
--- a/etc/iproute2/rt_protos
+++ b/etc/iproute2/rt_protos
@@ -21,16 +21,3 @@
188 ospf
189 rip
192 eigrp
-
-#
-# Used by me for gated
-#
-254 gated/aggr
-253 gated/bgp
-252 gated/ospf
-251 gated/ospfase
-250 gated/rip
-249 gated/static
-248 gated/conn
-247 gated/inet
-246 gated/default
--
2.14.4
^ permalink raw reply related
* [PATCH 1/2] iproute2: Add support for a few routing protocols
From: Donald Sharp @ 2018-06-08 12:46 UTC (permalink / raw)
To: netdev, stephen, dsahern
Add support for:
BGP
ISIS
OSPF
RIP
EIGRP
Routing protocols to iproute2.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
etc/iproute2/rt_protos | 5 +++++
include/linux/rtnetlink.h | 5 +++++
lib/rt_names.c | 5 +++++
3 files changed, 15 insertions(+)
diff --git a/etc/iproute2/rt_protos b/etc/iproute2/rt_protos
index 82cf9c46..3ffe8a6c 100644
--- a/etc/iproute2/rt_protos
+++ b/etc/iproute2/rt_protos
@@ -16,6 +16,11 @@
15 ntk
16 dhcp
42 babel
+186 bgp
+187 isis
+188 ospf
+189 rip
+192 eigrp
#
# Used by me for gated
diff --git a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h
index 742ba078..2e83a267 100644
--- a/include/linux/rtnetlink.h
+++ b/include/linux/rtnetlink.h
@@ -248,6 +248,11 @@ enum {
#define RTPROT_DHCP 16 /* DHCP client */
#define RTPROT_MROUTED 17 /* Multicast daemon */
#define RTPROT_BABEL 42 /* Babel daemon */
+#define RTPROT_BGP 186 /* BGP Routes */
+#define RTPROT_ISIS 187 /* ISIS Routes */
+#define RTPROT_OSPF 188 /* OSPF Routes */
+#define RTPROT_RIP 189 /* RIP Routes */
+#define RTPROT_EIGRP 192 /* EIGRP Routes */
/* rtm_scope
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 253389a6..d3562d2d 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -137,6 +137,11 @@ static char * rtnl_rtprot_tab[256] = {
[RTPROT_XORP] = "xorp",
[RTPROT_NTK] = "ntk",
[RTPROT_DHCP] = "dhcp",
+ [RTPROT_BGP] = "bgp",
+ [RTPROT_ISIS] = "isis",
+ [RTPROT_OSPF] = "ospf",
+ [RTPROT_RIP] = "rip",
+ [RTPROT_EIGRP] = "eigrp",
};
--
2.14.4
^ permalink raw reply related
* [PATCH 0/2] Addition of new routing protocols for iproute2
From: Donald Sharp @ 2018-06-08 12:46 UTC (permalink / raw)
To: netdev, stephen, dsahern
The linux kernel recently accepted some new RTPROT values for some
fairly standard routing protocols. This commit brings in support
for iproute2 to handle these new values.
Additionally clean up some long standing cruft in etc/iproute2/rt_protos
Donald Sharp (2):
iproute2: Add support for a few routing protocols
iproute2: Remove leftover gated RT_PROT defines
etc/iproute2/rt_protos | 18 +++++-------------
include/linux/rtnetlink.h | 5 +++++
lib/rt_names.c | 5 +++++
3 files changed, 15 insertions(+), 13 deletions(-)
--
2.14.4
^ permalink raw reply
* Re: [PATCH] netfilter: remove include/net/netfilter/nft_dup.h
From: Pablo Neira Ayuso @ 2018-06-08 10:42 UTC (permalink / raw)
To: Corentin Labbe
Cc: davem, fw, kadlec, coreteam, linux-kernel, netdev,
netfilter-devel
In-Reply-To: <1528400289-28004-1-git-send-email-clabbe@baylibre.com>
On Thu, Jun 07, 2018 at 07:38:09PM +0000, Corentin Labbe wrote:
> include/net/netfilter/nft_dup.h was introduced in d877f07112f1 ("netfilter: nf_tables: add nft_dup expression")
> but was never user since this date.
>
> Furthermore, the only struct in this file is unused elsewhere.
Applied.
^ permalink raw reply
* [PATCH] net: phy: dp83822: use BMCR_ANENABLE instead of BMSR_ANEGCAPABLE for DP83620
From: Alvaro Gamez Machado @ 2018-06-08 10:23 UTC (permalink / raw)
To: Andrew Lunn, Florian Fainelli, David S. Miller, netdev
Cc: Alvaro Gamez Machado
DP83620 register set is compatible with the DP83848, but it also supports
100base-FX. When the hardware is configured such as that fiber mode is
enabled, autonegotiation is not possible.
The chip, however, doesn't expose this information via BMSR_ANEGCAPABLE.
Instead, this bit is always set high, even if the particular hardware
configuration makes it so that auto negotiation is not possible [1]. Under
these circumstances, the phy subsystem keeps trying for autonegotiation to
happen, without success.
Hereby, we inspect BMCR_ANENABLE bit after genphy_config_init, which on
reset is set to 0 when auto negotiation is disabled, and so we use this
value instead of BMSR_ANEGCAPABLE.
[1] https://e2e.ti.com/support/interface/ethernet/f/903/p/697165/2571170
Signed-off-by: Alvaro Gamez Machado <alvaro.gamez@hazent.com>
---
drivers/net/phy/dp83848.c | 35 +++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/drivers/net/phy/dp83848.c b/drivers/net/phy/dp83848.c
index cd09c3af2117..6e8e42361fd5 100644
--- a/drivers/net/phy/dp83848.c
+++ b/drivers/net/phy/dp83848.c
@@ -74,6 +74,25 @@ static int dp83848_config_intr(struct phy_device *phydev)
return phy_write(phydev, DP83848_MICR, control);
}
+static int dp83848_config_init(struct phy_device *phydev)
+{
+ int err;
+ int val;
+
+ err = genphy_config_init(phydev);
+ if (err < 0)
+ return err;
+
+ /* DP83620 always reports Auto Negotiation Ability on BMSR. Instead,
+ * we check initial value of BMCR Auto negotiation enable bit
+ */
+ val = phy_read(phydev, MII_BMCR);
+ if (!(val & BMCR_ANENABLE))
+ phydev->autoneg = AUTONEG_DISABLE;
+
+ return 0;
+}
+
static struct mdio_device_id __maybe_unused dp83848_tbl[] = {
{ TI_DP83848C_PHY_ID, 0xfffffff0 },
{ NS_DP83848C_PHY_ID, 0xfffffff0 },
@@ -83,7 +102,7 @@ static struct mdio_device_id __maybe_unused dp83848_tbl[] = {
};
MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
-#define DP83848_PHY_DRIVER(_id, _name) \
+#define DP83848_PHY_DRIVER(_id, _name, _config_init) \
{ \
.phy_id = _id, \
.phy_id_mask = 0xfffffff0, \
@@ -92,7 +111,7 @@ MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
.flags = PHY_HAS_INTERRUPT, \
\
.soft_reset = genphy_soft_reset, \
- .config_init = genphy_config_init, \
+ .config_init = _config_init, \
.suspend = genphy_suspend, \
.resume = genphy_resume, \
\
@@ -102,10 +121,14 @@ MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
}
static struct phy_driver dp83848_driver[] = {
- DP83848_PHY_DRIVER(TI_DP83848C_PHY_ID, "TI DP83848C 10/100 Mbps PHY"),
- DP83848_PHY_DRIVER(NS_DP83848C_PHY_ID, "NS DP83848C 10/100 Mbps PHY"),
- DP83848_PHY_DRIVER(TI_DP83620_PHY_ID, "TI DP83620 10/100 Mbps PHY"),
- DP83848_PHY_DRIVER(TLK10X_PHY_ID, "TI TLK10X 10/100 Mbps PHY"),
+ DP83848_PHY_DRIVER(TI_DP83848C_PHY_ID, "TI DP83848C 10/100 Mbps PHY",
+ genphy_config_init),
+ DP83848_PHY_DRIVER(NS_DP83848C_PHY_ID, "NS DP83848C 10/100 Mbps PHY",
+ genphy_config_init),
+ DP83848_PHY_DRIVER(TI_DP83620_PHY_ID, "TI DP83620 10/100 Mbps PHY",
+ dp83848_config_init),
+ DP83848_PHY_DRIVER(TLK10X_PHY_ID, "TI TLK10X 10/100 Mbps PHY",
+ genphy_config_init),
};
module_phy_driver(dp83848_driver);
--
2.17.1
^ permalink raw reply related
* Re: Qualcomm rmnet driver and qmi_wwan
From: Daniele Palmas @ 2018-06-08 10:21 UTC (permalink / raw)
To: Subash Abhinov Kasiviswanathan, Bjørn Mork; +Cc: Dan Williams, netdev
In-Reply-To: <f923f0ee13ca18f7267431d3e9b4ff2c@codeaurora.org>
[-- Attachment #1: Type: text/plain, Size: 3868 bytes --]
Hi Dan and Subash,
2018-06-05 19:38 GMT+02:00 Subash Abhinov Kasiviswanathan
<subashab@codeaurora.org>:
> On 2018-06-05 08:54, Dan Williams wrote:
>>
>> On Tue, 2018-06-05 at 11:38 +0200, Daniele Palmas wrote:
>>>
>>> Hi,
>>>
>>> 2018-02-21 20:47 GMT+01:00 Subash Abhinov Kasiviswanathan
>>> <subashab@codeaurora.org>:
>>> > On 2018-02-21 04:38, Daniele Palmas wrote:
>>> > >
>>> > > Hello,
>>> > >
>>> > > in rmnet kernel documentation I read:
>>> > >
>>> > > "This driver can be used to register onto any physical network
>>> > > device in
>>> > > IP mode. Physical transports include USB, HSIC, PCIe and IP
>>> > > accelerator."
>>> > >
>>> > > Does this mean that it can be used in association with the
>>> > > qmi_wwan
>>> > > driver?
>>> > >
>>> > > If yes, can someone give me an hint on the steps to follow?
>>> > >
>>> > > If not, does anyone know if it is possible to modify qmi_wwan in
>>> > > order
>>> > > to take advantage of the features provided by the rmnet driver?
>>> > >
>>> > > In this case hint on the changes for modifying qmi_wwan are
>>> > > welcome.
>>> > >
>>> > > Thanks in advance,
>>> > > Daniele
>>> >
>>> >
>>> > Hi
>>> >
>>> > I havent used qmi_wwan so the following comment is based on code
>>> > inspection.
>>> > qmimux_register_device() is creating qmimux devices with usb net
>>> > device as
>>> > real_dev. The Multiplexing and aggregation header (qmimux_hdr) is
>>> > stripped
>>> > off
>>> > in qmimux_rx_fixup() and the packet is passed on to stack.
>>> >
>>> > You could instead create rmnet devices with the usb netdevice as
>>> > real dev.
>>> > The packets from the usb net driver can be queued to network stack
>>> > directly
>>> > as rmnet driver will setup a RX handler. rmnet driver will process
>>> > the
>>> > packets
>>> > further and then queue to network stack.
>>> >
>>>
>>> in kernel documentation I read that rmnet user space configuration is
>>> done through librmnetctl available at
>>>
>>> https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource
>>> /dataservices/tree/rmnetctl
>>>
>>> However it seems to me that this is a bit outdated (e.g. it does not
>>> properly build since it is looking for kernel header
>>> linux/rmnet_data.h that, as far as I understand, is no more present).
>>>
>>> Is there available a more recent version of the tool?
>
>
> Hi Daniele
>
> The attached patch should have an updated version of the tool.
> Usage -
>
> rmnetcli -n newlink wwan0 rmnet0 1 1
> where wwan0 is the physical device
> rmnet0 is the virtual device to be created
> 1 is the mux id
> the other 1 is the flag to configure DL de-aggregation by default
>
> To delete a device -
>
> ip link delete rmnet0
>
>>
>> I'd expect that somebody (Subash?) would add support for the
>> rmnet/qmimux options to iproute2 via 'ip link' like exists for most
>> other device types.
>
>
> Hi Dan
>
> Yes, I can do that and update the documentation to point to using iproute2.
>
I followed Dan's advice and prepared a very basic test patch
(attached) for testing it through ip link.
Basically things seem to be properly working with qmicli, but I needed
to modify a bit qmi_wwan, so I'm adding Bjørn that maybe can help.
Bjørn,
I'm trying to add support to rmnet in qmi_wwan: I had to modify the
code as in the attached test patch, but I'm not sure it is the right
way.
This is done under the assumption that the rmnet device would be the
only one to register an rx handler to qmi_wwan, but it is probably
wrong.
Basically I'm wondering if there is a more correct way to understand
if an rmnet device is linked to the real qmi_wwan device.
Thanks,
Daniele
>
> --
> Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
> a Linux Foundation Collaborative Project
[-- Attachment #2: 0001-usb-net-qmi_wwan-add-support-for-rmnet-device.patch --]
[-- Type: text/x-patch, Size: 942 bytes --]
From 9c1777d4d93238703172c5e88aaeb9d8b3e372eb Mon Sep 17 00:00:00 2001
From: Daniele Palmas <dnlplm@gmail.com>
Date: Fri, 8 Jun 2018 12:02:49 +0200
Subject: [PATCH 1/1] usb: net: qmi_wwan: add support for rmnet device
This patch allows to use rmnet with qmi_wwan create network
interfaces.
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
---
drivers/net/usb/qmi_wwan.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 0946808..dd5f278 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -479,6 +479,11 @@ static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
if (info->flags & QMI_WWAN_FLAG_MUX)
return qmimux_rx_fixup(dev, skb);
+ if (rcu_access_pointer(dev->net->rx_handler)) {
+ skb->protocol = htons(ETH_P_MAP);
+ return 1;
+ }
+
switch (skb->data[0] & 0xf0) {
case 0x40:
proto = htons(ETH_P_IP);
--
2.7.4
[-- Attachment #3: 0001-ip-add-rmnet-initial-support.patch --]
[-- Type: text/x-patch, Size: 3606 bytes --]
From 88bdb27b6d535600c10ef446391a51fc56691350 Mon Sep 17 00:00:00 2001
From: Daniele Palmas <dnlplm@gmail.com>
Date: Fri, 8 Jun 2018 11:43:49 +0200
Subject: [PATCH 1/1] ip: add rmnet initial support
This patch adds basic support for rmnet devices.
Currently the only possible actions are creating a new link
with a specific mux id and removing a link.
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
---
ip/Makefile | 2 +-
ip/iplink.c | 2 +-
ip/iplink_rmnet.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 76 insertions(+), 2 deletions(-)
create mode 100644 ip/iplink_rmnet.c
diff --git a/ip/Makefile b/ip/Makefile
index 77fadee..a88f936 100644
--- a/ip/Makefile
+++ b/ip/Makefile
@@ -10,7 +10,7 @@ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
iplink_geneve.o iplink_vrf.o iproute_lwtunnel.o ipmacsec.o ipila.o \
- ipvrf.o iplink_xstats.o ipseg6.o iplink_netdevsim.o
+ ipvrf.o iplink_xstats.o ipseg6.o iplink_netdevsim.o iplink_rmnet.o
RTMONOBJ=rtmon.o
diff --git a/ip/iplink.c b/ip/iplink.c
index 9ff5f69..d678301 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -121,7 +121,7 @@ void iplink_usage(void)
" bridge | bond | team | ipoib | ip6tnl | ipip | sit | vxlan |\n"
" gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan |\n"
" vti | nlmon | team_slave | bond_slave | ipvlan | geneve |\n"
- " bridge_slave | vrf | macsec | netdevsim }\n");
+ " bridge_slave | vrf | macsec | netdevsim | rmnet}\n");
}
exit(-1);
}
diff --git a/ip/iplink_rmnet.c b/ip/iplink_rmnet.c
new file mode 100644
index 0000000..d3b0672
--- /dev/null
+++ b/ip/iplink_rmnet.c
@@ -0,0 +1,74 @@
+/*
+ * iplink_rmnet.c RMNET device support
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Authors: Daniele Palmas <dnlplm@gmail.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "rt_names.h"
+#include "utils.h"
+#include "ip_common.h"
+
+static void print_explain(FILE *f)
+{
+ fprintf(f,
+ "Usage: ... rmnet mux_id MUXID\n"
+ "\n"
+ "MUXID := 1-127\n"
+ );
+}
+
+static void explain(void)
+{
+ print_explain(stderr);
+}
+
+static int rmnet_parse_opt(struct link_util *lu, int argc, char **argv,
+ struct nlmsghdr *n)
+{
+ struct ifla_rmnet_flags flags = { 0 };
+ __u16 mux_id;
+
+ while (argc > 0) {
+ if (matches(*argv, "mux_id") == 0) {
+ NEXT_ARG();
+ if (get_u16(&mux_id, *argv, 0))
+ invarg("mux_id is invalid", *argv);
+ addattr_l(n, 1024, IFLA_RMNET_MUX_ID, &mux_id, 2);
+ } else if (matches(*argv, "help") == 0) {
+ explain();
+ return -1;
+ } else {
+ fprintf(stderr, "rmnet: unknown command \"%s\"?\n", *argv);
+ explain();
+ return -1;
+ }
+ argc--, argv++;
+ }
+
+ if (flags.mask)
+ addattr_l(n, 1024, IFLA_RMNET_FLAGS, &flags, sizeof(flags));
+
+ return 0;
+}
+
+static void rmnet_print_help(struct link_util *lu, int argc, char **argv,
+ FILE *f)
+{
+ print_explain(f);
+}
+
+struct link_util rmnet_link_util = {
+ .id = "rmnet",
+ .maxattr = IFLA_RMNET_MAX,
+ .parse_opt = rmnet_parse_opt,
+ .print_help = rmnet_print_help,
+};
--
2.7.4
^ permalink raw reply related
* Re: net: do not allow changing SO_REUSEADDR/SO_REUSEPORT on bound sockets
From: Maciej Żenczykowski @ 2018-06-08 10:07 UTC (permalink / raw)
To: Andrei Vagin; +Cc: David S . Miller, Eric Dumazet, Linux NetDev
In-Reply-To: <20180607055113.GA14073@outlook.office365.com>
I think we probably need to make sk->sk_reuse back into a boolean.
(ie. eliminate SK_FORCE_REUSE)
Then add a new tcp/udp sk->ignore_bind_conflicts boolean setting...
(ie. not just for tcp, but sol_socket) [or perhaps SO_REPAIR,
sk->repair or something]
What I'm not certain of is exactly what sorts of conflicts it should ignore...
all? probably not, still seems utterly wrong to allow creation of 2 connected
tcp sockets with identical 5-tuples.
Would it only ignore conflicts against other i_b_c sockets?
ie. set it on all sockets as we're repairing, then clear it on them
all once we're done?
and ignore all the fast caching when checking conflicts for an i_b_c socket?
For CRIU is it safe to assume we're restoring an entire namespace into
a new namespace?
Could we perhaps instead allow a new namespace to ignore bind conflicts until
we flip it into enforcing mode?
^ permalink raw reply
* [PATCH] net: phy: Add TJA1100 BroadR-Reach PHY driver.
From: Kirill Kranke @ 2018-06-08 9:56 UTC (permalink / raw)
To: andrew, f.fainelli, davem, netdev; +Cc: Kirill Kranke
From: Kirill Kranke <kirill.kranke@gmail.com>
Current generic PHY driver does not work with TJA1100 BroadR-REACH PHY
properly. TJA1100 does not have any standard ability enabled at MII_BMSR
register. Instead it has BroadR-REACH ability at MII_ESTATUS enabled, which
is not handled by generic driver yet. Therefore generic driver is unable to
guess required link speed, duplex etc. Device is started up with 10Mbps
halfduplex which is incorrect.
BroadR-REACH able flag is not specified in IEEE802.3-2015. Which is why I
did not add BroadR-REACH able flag support at generic driver. Once
BroadR-REACH able flag gets into IEEE802.3 it should be reasonable to
support it in the generic PHY driver.
Signed-off-by: Kirill Kranke <kirill.kranke@gmail.com>
diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
index 343989f..7014eb7 100644
--- a/drivers/net/phy/Kconfig
+++ b/drivers/net/phy/Kconfig
@@ -422,6 +422,14 @@ config TERANETICS_PHY
---help---
Currently supports the Teranetics TN2020
+config TJA1100_PHY
+ tristate "NXP TJA1100 PHY"
+ help
+ Support of NXP TJA1100 BroadR-REACH ethernet PHY.
+ Generic driver is not suitable for TJA1100 PHY while the PHY does not
+ advertise any standard IEEE capabilities. It uses BroadR-REACH able
+ flag instead. This driver configures capabilities of the PHY properly.
+
config VITESSE_PHY
tristate "Vitesse PHYs"
---help---
diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
index 5805c0b..4d2a69d 100644
--- a/drivers/net/phy/Makefile
+++ b/drivers/net/phy/Makefile
@@ -83,5 +83,6 @@ obj-$(CONFIG_ROCKCHIP_PHY) += rockchip.o
obj-$(CONFIG_SMSC_PHY) += smsc.o
obj-$(CONFIG_STE10XP) += ste10Xp.o
obj-$(CONFIG_TERANETICS_PHY) += teranetics.o
+obj-$(CONFIG_TJA1100_PHY) += tja1100.o
obj-$(CONFIG_VITESSE_PHY) += vitesse.o
obj-$(CONFIG_XILINX_GMII2RGMII) += xilinx_gmii2rgmii.o
diff --git a/drivers/net/phy/tja1100.c b/drivers/net/phy/tja1100.c
new file mode 100644
index 0000000..081b580
--- /dev/null
+++ b/drivers/net/phy/tja1100.c
@@ -0,0 +1,215 @@
+// SPDX-License-Identifier: GPL-2.0
+/* tja1100.c: TJA1100 BoardR-REACH PHY driver.
+ *
+ * Copyright (c) 2017 Kirill Kranke <kirill.kranke@gmail.com>
+ * Author: Kirill Kranke <kirill.kranke@gmail.com>
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/phy.h>
+
+/* TJA1100 specific registers */
+#define TJA1100_ECTRL 0x11 /* Extended control register */
+#define TJA1100_CFG1 0x12 /* Configuration register 1 */
+#define TJA1100_CFG2 0x13 /* Configuration register 2 */
+#define TJA1100_SERRCNT 0x14 /* Symbol error counter register 2 */
+#define TJA1100_INTST 0x15 /* Interrupt status register */
+#define TJA1100_INTEN 0x16 /* Interrupt enable register */
+#define TJA1100_COMST 0x17 /* Communication status register */
+#define TJA1100_GST 0x18 /* General status register */
+#define TJA1100_EXTST 0x19 /* External status register */
+#define TJA1100_LFCNT 0x1a /* Link fail counter register */
+
+/* Extended control register */
+#define ECTRL_LC 0x8000 /* link control enable */
+#define ECTRL_PM 0x7800 /* operating mode select */
+#define ECTRL_PM_NOCNG 0x0000 /* PM == 0000: no change */
+#define ECTRL_PM_NORMAL 0x1800 /* PM == 0011: Normal mode */
+#define ECTRL_PM_STANBY 0x6000 /* PM == 1100: Standby mode */
+#define ECTRL_PM_SREQ 0x5800 /* PM == 1011: Sleep Request mode */
+#define ECTRL_SJ_TST 0x0400 /* enable/disable Slave jitter test */
+#define ECTRL_TR_RST 0x0200 /* Autonegotiation process restart */
+#define ECTRL_TST_MODE 0x01c0 /* test mode selection */
+#define ECTRL_C_TST 0x0020 /* TDR-based cable test */
+#define ECTRL_LOOPBACK 0x0018 /* loopback mode select */
+#define ECTRL_CFGEN 0x0004 /* configuration register access */
+#define ECTRL_CFGINH 0x0002 /* INH configuration */
+#define ECTRL_WAKE_REQ 0x0001 /* wake-up request configuration */
+
+/* Configuration register 1 */
+#define CFG1_MS 0x8000 /* PHY Master/Slave configuration */
+#define CFG1_AUTO_OP 0x4000 /* managed/autonomous operation */
+#define CFG1_LINKLEN 0x2000 /* cable length: 0 < 15 m; 1 > 15 m */
+#define CFG1_TXAMP 0x0c00 /* nominal transmit amplitude */
+#define CFG1_TXAMP_050 0x0000 /* TXAMP == 00: 500 mV */
+#define CFG1_TXAMP_075 0x0200 /* TXAMP == 01: 750 mV */
+#define CFG1_TXAMP_100 0x0400 /* TXAMP == 10: 1000 mV */
+#define CFG1_TXAMP_125 0x0c00 /* TXAMP == 11: 1250 mV */
+#define CFG1_MODE 0x0300 /* MII/RMII mode */
+#define CFG1_DRIVER 0x0080 /* MII output driver strength */
+#define CFG1_SC 0x0040 /* sleep confirmation setting */
+#define CFG1_LED_MODE 0x0030 /* LED mode */
+#define CFG1_LED_EN 0x0008 /* LED enable */
+#define CFG1_CFG_WAKE 0x0004 /* local wake configuration */
+#define CFG1_APWD 0x0002 /* autonomous power down */
+#define CFG1_LPS 0x0001 /* LPS code group reception */
+
+/* Configuration register 2 */
+#define CFG2_PHYAD_4_0 0xf800 /* PHY address used for the SMI addr */
+#define CFG2_SNR_AVG 0x0600 /* signal-to-noise ratio averaging */
+#define CFG2_SNR_WLIM 0x01c0 /* signal-to-noise ratio warning limit */
+#define CFG2_SNR_FLIM 0x0038 /* signal-to-noise ratio fail limit */
+#define CFG2_JUMBO_EN 0x0004 /* Jumbo packet support */
+#define CFG2_SRTO 0x0003 /* sleep request time-out */
+#define CFG2_SRTO_04 0x0000 /* SRTO == 00: 0.4 ms */
+#define CFG2_SRTO_1 0x0001 /* SRTO == 01: 1 ms */
+#define CFG2_SRTO_4 0x0002 /* SRTO == 10: 4 ms */
+#define CFG2_SRTO_16 0x0003 /* SRTO == 11: 16 ms */
+
+/* Symbol error counter register 2 */
+#define SERRCNT_SEC 0xffff /* The symbol error counter */
+
+/* Interrupt status register */
+#define INTST_PWON 0x8000 /* power-on detected */
+#define INTST_WAKEUP 0x4000 /* local or remote wake-up detected */
+#define INTST_WUR 0x2000 /* dedicated wake-up request detected */
+#define INTST_LPS 0x1000 /* LPS code groups received */
+#define INTST_PIF 0x0800 /* PHY initialization error detected */
+#define INTST_LINK_FAIL 0x0400 /* link status changed to ‘link fail’ */
+#define INTST_LINK_UP 0x0200 /* link status changed to ‘link up’ */
+#define INTST_SYM_ERR 0x0100 /* symbol error detected */
+#define INTST_TF 0x0080 /* training phase failure detected */
+#define INTST_SNRW 0x0040 /* SNR value above warning limit */
+#define INTST_CTRL_ERR 0x0020 /* SMI control error detected */
+#define INTST_TXENC 0x0010 /* TXEN clamping detected */
+#define INTST_UV_ERR 0x0008 /* undervoltage detected */
+#define INTST_UVR 0x0004 /* undervoltage recovery detected */
+#define INTST_TEMP_ERR 0x0002 /* overtemperature error detected */
+#define INTST_SA 0x0001 /* transition to Normal on timer expiring */
+
+/* Interrupt enable register */
+#define INTEN_PWON 0x8000 /* PWON interrupt enable */
+#define INTEN_WAKEUP 0x4000 /* WAKEUP interrupt enable */
+#define INTEN_WUR 0x2000 /* WUR_RECEIVED interrupt enable */
+#define INTEN_LPS 0x1000 /* LPS_RECEIVED interrupt enable */
+#define INTEN_PIF 0x0800 /* PHY_INIT_FAIL interrupt enable */
+#define INTEN_LINK_FAIL 0x0400 /* LINK_STATUS_FAIL interrupt enable */
+#define INTEN_LINK_UP 0x0200 /* LINK_STATUS_UP interrupt enable */
+#define INTEN_SYM_ERR 0x0100 /* SYM_ERR interrupt enable */
+#define INTEN_TF 0x0080 /* TRAINING_FAILED interrupt enable */
+#define INTEN_SNRW 0x0040 /* SNR_WARNING interrupt enable */
+#define INTEN_CTRL_ERR 0x0020 /* CONTROL_ERR interrupt enable */
+#define INTEN_TXENC 0x0010 /* TXEN_CLAMPED interrupt enable */
+#define INTEN_UV_ERR 0x0008 /* UV_ERR interrupt enable */
+#define INTEN_UVR 0x0004 /* UV_RECOVERY interrupt enable */
+#define INTEN_TEMP_ERR 0x0002 /* TEMP_ERR interrupt enable */
+#define INTEN_SA 0x0001 /* SLEEP_ABORT interrupt enable */
+
+/* Communication status register */
+#define COMST_LINK_UP 0x8000 /* link OK */
+#define COMST_TXM 0x6000 /* transmitter mode */
+#define COMST_TXM_DIS 0x0000 /* TXM == 00: transmitter disabled */
+#define COMST_TXM_DIS 0x0000 /* TXM == 01: transmitter in SEND_N mode */
+#define COMST_TXM_DIS 0x0000 /* TXM == 10: transmitter in SEND_I mode */
+#define COMST_TXM_DIS 0x0000 /* TXM == 11: transmitter in SEND_Z mode */
+#define COMST_LR 0x1000 /* local receiver OK */
+#define COMST_RR 0x0800 /* remote receiver OK */
+#define COMST_SCRL 0x0400 /* descrambler locked */
+#define COMST_SSD_ERR 0x0200 /* SSD error detected */
+#define COMST_ESD_ERR 0x0100 /* ESD error detected */
+#define COMST_SNR 0x00e0 /* SNR link status */
+#define COMST_RX_ERR 0x0010 /* receive error detected since last read */
+#define COMST_TX_ERR 0x0080 /* transmit error detected since last read */
+#define COMST_PS 0x0007 /* PHY state */
+
+/* General status register */
+#define GST_INTP 0x8000 /* unmasked interrupt pending */
+#define GST_PLL_LOCKED 0x4000 /* PLL stable and locked */
+#define GST_LWU 0x2000 /* local wake-up detected */
+#define GST_RWU 0x1000 /* remote wake-up detected */
+#define GST_DDWU 0x0800 /* data detected at MDI in Sleep Request mode */
+#define GST_EN 0x0400 /* EN switched LOW since last read */
+#define GST_RST 0x0200 /* hardware reset detected since last read */
+#define GST_LF_CNT 0x00f8 /* number of link fails since last read */
+
+/* External status register */
+#define EXTST_UVDDA_3V3 0x4000 /* undervoltage detected on pin VDDA(3V3) */
+#define EXTST_UVDDD_1V8 0x2000 /* undervoltage detected on pin VDDD(1V8) */
+#define EXTST_UVDDA_1V8 0x1000 /* undervoltage detected on pin VDDA(1V8) */
+#define EXTST_UVDDIO 0x0800 /* undervoltage detected on pin VDD(IO) */
+#define EXTST_TH 0x0400 /* temperature above high level */
+#define EXTST_TW 0x0200 /* temperature above warning level */
+#define EXTST_SD 0x0100 /* short circuit detected since last read */
+#define EXTST_OD 0x0080 /* open circuit detected since last read */
+#define EXTST_INTDET 0x0040 /* interleave order detection */
+
+/* Link fail counter register */
+#define LFCNT_LRC 0xff00 /* incremented when local receiver is NOT_OK */
+#define LFCNT_RRC 0x00ff /* incremented when remote receiver is NOT_OK */
+
+static int tja1100_phy_config_init(struct phy_device *phydev)
+{
+ u32 features;
+
+ /* TJA1100 has only 100BASE-BroadR-REACH ability specified at
+ * MII_ESTATUS register. Standard modes are not supported. Therefore
+ * BroadR-REACH allow only 100Mbps full duplex without autoneg.
+ */
+ features = SUPPORTED_MII;
+ features |= SUPPORTED_100baseT_Full;
+
+ phydev->supported &= features;
+ phydev->advertising &= features;
+ phydev->autoneg = AUTONEG_DISABLE;
+ phydev->speed = SPEED_100;
+ phydev->duplex = DUPLEX_FULL;
+
+ return 0;
+}
+
+static int tja1100_phy_config_aneg(struct phy_device *phydev)
+{
+ if (phydev->autoneg == AUTONEG_ENABLE) {
+ pr_err("TJA1100: autonegotiation is not supported\n");
+ return -1;
+ }
+
+ if (phydev->speed != SPEED_100 || phydev->duplex != DUPLEX_FULL) {
+ pr_err("TJA1100: only 100MBps Full Duplex allowed\n");
+ return -2;
+ }
+
+ return 0;
+}
+
+static struct phy_driver tja1100_phy_driver[] = {
+ {
+ .phy_id = 0x0180dc48,
+ .phy_id_mask = 0xfffffff0,
+ .name = "NXP TJA1100",
+
+ .features = SUPPORTED_100baseT_Full | SUPPORTED_MII,
+
+ .config_aneg = tja1100_phy_config_aneg,
+ .read_status = genphy_read_status,
+ .config_init = tja1100_phy_config_init,
+ .soft_reset = genphy_soft_reset,
+
+ .suspend = genphy_suspend,
+ .resume = genphy_resume,
+ }
+};
+
+module_phy_driver(tja1100_phy_driver);
+
+MODULE_DESCRIPTION("NXP TJA1100 driver");
+MODULE_AUTHOR("Kirill Kranke <kkranke@topcon.com>");
+MODULE_LICENSE("GPL");
+
+static struct mdio_device_id __maybe_unused nxp_tbl[] = {
+ { 0x0180dc48, 0xfffffff0 },
+ {}
+};
+
+MODULE_DEVICE_TABLE(mdio, nxp_tbl);
^ permalink raw reply related
* Re: KASAN: slab-out-of-bounds Read in skb_ensure_writable
From: Daniel Borkmann @ 2018-06-08 9:54 UTC (permalink / raw)
To: syzbot, ast, davem, linux-kernel, netdev, syzkaller-bugs
In-Reply-To: <000000000000b7be6e056dc547e8@google.com>
On 06/04/2018 01:36 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 0512e0134582 Merge tag 'xfs-4.17-fixes-3' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14956af7800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=968b0b23c7854c0b
> dashboard link: https://syzkaller.appspot.com/bug?extid=e5190cb881d8660fb1a3
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=123d9d7b800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=100329d7800000
#syz fix: bpf: reject passing modified ctx to helper functions
^ permalink raw reply
* Re: KASAN: slab-out-of-bounds Read in bpf_csum_update
From: Daniel Borkmann @ 2018-06-08 9:53 UTC (permalink / raw)
To: syzbot, ast, davem, linux-kernel, netdev, syzkaller-bugs
In-Reply-To: <000000000000b2a7ea056dc54779@google.com>
On 06/04/2018 01:36 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 0512e0134582 Merge tag 'xfs-4.17-fixes-3' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17eb2d7b800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=968b0b23c7854c0b
> dashboard link: https://syzkaller.appspot.com/bug?extid=efae31b384d5badbd620
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=162c6def800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14fe3db7800000
#syz fix: bpf: reject passing modified ctx to helper functions
^ permalink raw reply
* Re: KASAN: use-after-free Read in skb_ensure_writable
From: Daniel Borkmann @ 2018-06-08 9:53 UTC (permalink / raw)
To: syzbot, ast, davem, linux-kernel, netdev, syzkaller-bugs
In-Reply-To: <000000000000bab429056dc547be@google.com>
On 06/04/2018 01:36 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: bcece5dc40b9 bpf: Change bpf_fib_lookup to return -EAFNOSU..
> git tree: bpf-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=10ee76b7800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
> dashboard link: https://syzkaller.appspot.com/bug?extid=c8504affd4fdd0c1b626
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=10d926df800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1778c26f800000
#syz fix: bpf: reject passing modified ctx to helper functions
^ permalink raw reply
* Re: KASAN: use-after-free Read in bpf_csum_update
From: Daniel Borkmann @ 2018-06-08 9:52 UTC (permalink / raw)
To: syzbot, ast, davem, linux-kernel, netdev, syzkaller-bugs
In-Reply-To: <000000000000bec587056dc547ba@google.com>
On 06/04/2018 01:36 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: bcece5dc40b9 bpf: Change bpf_fib_lookup to return -EAFNOSU..
> git tree: bpf-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=161e2c6f800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
> dashboard link: https://syzkaller.appspot.com/bug?extid=3d0b2441dbb71751615e
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=17cb5adf800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ebf19f800000
#syz fix: bpf: reject passing modified ctx to helper functions
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox