linux

History

Simon Horman 3098ac3963 rocker: do not delete fdb entries in rocker_port_fdb_flush() when preparing transactions rocker_port_fdb_flush() is called by rocker_port_stp_update() which in turn may be called with trans == SWITCHDEV_TRANS_PREPARE and then trans == SWITCHDEV_TRANS_COMMIT from switchdev_port_attr_set() via br_set_state(). When rocker_port_fdb_flush() is called with trans == SWITCHDEV_TRANS_PREPARE it calls rocker_port_fdb_learn() for each entry in the FDB table which in turn calls rocker_flow_tbl_bridge() which will allocate memory using rocker_port_kzalloc(). rocker_port_fdb_learn() will then remove the entry from the FDB table. Then when rocker_port_fdb_learn() is called with trans == SWITCHDEV_TRANS_PREPARE no calls are made to rocker_port_fdb_learn() because there are no longer any entries present in the FDB table. Thus the memory previously allocated by rocker_port_fdb_learn() is leaked resulting in the kernel BUG() below. Furthermore, it looks like the driver ends up with an incorrect view of the fdb table as the FDB entries are purged from the driver's table but not the hardware's table. ip link add br0 type bridge ip link set up dev eth0 sleep 1 ip link set dev eth0 master br0 [ 3.704360] ------------[ cut here ]------------ [ 3.704611] kernel BUG at drivers/net/ethernet/rocker/rocker.c:4289! [ 3.704962] invalid opcode: 0000 [#1] SMP [ 3.705537] Modules linked in: [ 3.705919] CPU: 0 PID: 63 Comm: ip Not tainted 4.1.0-rc3-01046-gb9fbe709de4d #1044 [ 3.706191] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.0-0-g4c59f5d-20150219_092859-nilsson.home.kraxel.org 04/01/2014 [ 3.706820] task: ffff880019f70150 ti: ffff88001f92c000 task.ti: ffff88001f92c000 [ 3.707138] RIP: 0010:[<ffffffff811f0080>] [<ffffffff811f0080>] rocker_port_attr_set+0xe0/0xf0 [ 3.707990] RSP: 0018:ffff88001f92f808 EFLAGS: 00000212 [ 3.708200] RAX: ffff880019d4fa68 RBX: ffff880019d4f000 RCX: 0000000000000000 [ 3.708471] RDX: 000000000000000c RSI: ffff88001f92f890 RDI: ffff880019d4f680 [ 3.708740] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000004 [ 3.708999] R10: ffff880000034024 R11: 0000000000000000 R12: ffff88001f92f890 [ 3.709276] R13: ffff88001f8f1c00 R14: 000000000000000b R15: 0000000000000000 [ 3.709303] FS: 00007f8ab66bd700(0000) GS:ffff88001b000000(0000) knlGS:0000000000000000 [ 3.709303] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.709303] CR2: 0000000000654988 CR3: 000000001f8f3000 CR4: 00000000000006b0 [ 3.709303] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3.709303] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000 [ 3.709303] Stack: [ 3.709303] ffff88001f8f1c00 000000000000000b ffff88001f92f890 ffff880019d4f000 [ 3.709303] ffff88001f92f890 ffffffff813332f5 ffff88001f92f880 0000000000000000 [ 3.709303] ffff88001f92f890 0000000000000001 ffff880019d4f000 ffffffff81333627 [ 3.709303] Call Trace: [ 3.709303] [<ffffffff813332f5>] ? __switchdev_port_attr_set+0x25/0x90 [ 3.709303] [<ffffffff81333627>] ? switchdev_port_attr_set+0x27/0x120 [ 3.709303] [<ffffffff81318e86>] ? br_set_state+0x36/0x50 [ 3.709303] [<ffffffff8131795c>] ? br_add_if+0x37c/0x400 [ 3.709303] [<ffffffff81238ce1>] ? do_setlink+0x7e1/0x800 [ 3.709303] [<ffffffff8111f980>] ? radix_tree_lookup_slot+0x10/0x30 [ 3.709303] [<ffffffff81136fba>] ? nla_parse+0xaa/0x110 [ 3.709303] [<ffffffff81239c98>] ? rtnl_newlink+0x548/0x870 [ 3.709303] [<ffffffff8111f900>] ? __radix_tree_lookup+0x40/0xb0 [ 3.709303] [<ffffffff81136f3e>] ? nla_parse+0x2e/0x110 [ 3.709303] [<ffffffff81237d7e>] ? rtnetlink_rcv_msg+0x7e/0x250 [ 3.709303] [<ffffffff8121d1be>] ? __skb_recv_datagram+0xfe/0x4b0 [ 3.709303] [<ffffffff81237d00>] ? rtnetlink_rcv+0x30/0x30 [ 3.709303] [<ffffffff81247948>] ? netlink_rcv_skb+0xa8/0xd0 [ 3.709303] [<ffffffff81237cef>] ? rtnetlink_rcv+0x1f/0x30 [ 3.709303] [<ffffffff81247210>] ? netlink_unicast+0x150/0x200 [ 3.709303] [<ffffffff81247704>] ? netlink_sendmsg+0x374/0x3e0 [ 3.709303] [<ffffffff8120f8cf>] ? sock_sendmsg+0xf/0x30 [ 3.709303] [<ffffffff8120ffc3>] ? ___sys_sendmsg+0x1f3/0x200 [ 3.709303] [<ffffffff812100d5>] ? ___sys_recvmsg+0x105/0x140 [ 3.709303] [<ffffffff812228d9>] ? dev_get_by_name_rcu+0x69/0x90 [ 3.709303] [<ffffffff812228d9>] ? dev_get_by_name_rcu+0x69/0x90 [ 3.709303] [<ffffffff81217b7d>] ? skb_dequeue+0x4d/0x60 [ 3.709303] [<ffffffff81217bb0>] ? skb_queue_purge+0x20/0x30 [ 3.709303] [<ffffffff810ebdcf>] ? __inode_wait_for_writeback+0x5f/0xb0 [ 3.709303] [<ffffffff810648b0>] ? autoremove_wake_function+0x30/0x30 [ 3.709303] [<ffffffff81210ee9>] ? __sys_sendmsg+0x39/0x70 [ 3.709303] [<ffffffff8133e097>] ? system_call_fastpath+0x12/0x6a [ 3.709303] Code: bb 90 06 00 00 48 c7 04 24 00 00 00 00 45 31 c9 45 31 c0 48 c7 c1 c0 b7 1e 81 89 ea e8 da da ff ff eb 95 0f 1f 84 00 00 00 00 00 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 48 83 fe 15 75 [ 3.709303] RIP [<ffffffff811f0080>] rocker_port_attr_set+0xe0/0xf0 [ 3.709303] RSP <ffff88001f92f808> [ 3.721409] ---[ end trace b7481fcb7cb032aa ]--- Segmentation fault Fixes: `c4f20321d9` ("rocker: support prepare-commit transaction model") Acked-by: Scott Feldman <sfeldma@gmail.com> Acked-by: Jiri Pirko <jiri@resnulli.us> Signed-off-by: Simon Horman <simon.horman@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2015-05-21 17:20:54 -04:00
..
appletalk
arcnet
bonding	switchdev: add support for fdb add/del/dump via switchdev_port_obj ops.	2015-05-17 22:49:09 -04:00
caif	caif: remove unused struct member	2015-04-01 12:43:09 -04:00
can	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-05-13 14:31:43 -04:00
cris
dsa	net: dsa: bcm_sf2: properly propagate carrier down state for MoCA	2015-05-17 23:40:24 -04:00
ethernet	rocker: do not delete fdb entries in rocker_port_fdb_flush() when preparing transactions	2015-05-21 17:20:54 -04:00
fddi
hamradio	ax25: remove unneeded NULL test in ax_xmit()	2015-03-06 21:50:42 -05:00
hippi
hyperv	hv_netvsc: change member name of struct netvsc_stats	2015-05-17 23:37:38 -04:00
ieee802154	at86rf230: add slp_tr support to start tx	2015-04-30 18:48:11 +02:00
ipvlan	ipvlan: Always set broadcast bit in multicast filter	2015-05-05 19:29:49 -04:00
irda
phy	net: phy: Add state machine state transitions debug prints	2015-05-16 16:47:13 -04:00
plip
ppp	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-05-13 14:31:43 -04:00
slip
team	switchdev: add support for fdb add/del/dump via switchdev_port_obj ops.	2015-05-17 22:49:09 -04:00
usb	usbnet: avoid integer overflow in start_xmit	2015-05-09 16:46:18 -04:00
vmxnet3	vmxnet3: spelling fixes	2015-04-01 22:52:29 -04:00
wan	cosa: fix error return code	2015-04-07 15:21:55 -04:00
wimax
wireless	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-05-13 14:31:43 -04:00
xen-netback	xen: features and fixes for 4.1-rc0	2015-04-16 14:01:03 -05:00
dummy.c
eql.c
geneve.c	geneve: add initial netdev driver for GENEVE tunnels	2015-05-13 15:59:13 -04:00
ifb.c	act_mirred: Fix bogus header when redirecting from VLAN	2015-04-17 13:29:28 -04:00
Kconfig	geneve: add initial netdev driver for GENEVE tunnels	2015-05-13 15:59:13 -04:00
LICENSE.SRC
loopback.c
macvlan.c	macvlan: Propagate promiscuity setting to lower devices.	2015-05-04 00:14:13 -04:00
macvtap.c	fix missing copy_from_user in macvtap	2015-05-13 14:21:36 -04:00
Makefile	geneve: add initial netdev driver for GENEVE tunnels	2015-05-13 15:59:13 -04:00
mdio.c
mii.c
netconsole.c	netconsole: Use eth_<foo>_addr instead of memset	2015-03-03 17:01:37 -05:00
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c	PNP: net/sb1000: Use module_pnp_driver to register driver	2015-03-18 22:39:17 +01:00
Space.c
sungem_phy.c
tun.c	net: Pass kern from net_proto_family.create to sk_alloc	2015-05-11 10:50:17 -04:00
veth.c	veth: set iflink to the peer veth	2015-04-02 14:05:01 -04:00
virtio_net.c	virtio: document queue state logic	2015-04-06 16:44:24 -04:00
vxlan.c	netns: rename peernet2id() to peernet2id_alloc()	2015-05-09 22:15:30 -04:00
xen-netfront.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-04-17 16:31:08 -04:00