2019-05-27 09:55:01 +03:00
// SPDX-License-Identifier: GPL-2.0-or-later
2016-06-04 22:17:07 +03:00
/*
* net / dsa / dsa2 . c - Hardware switch handling , binding version 2
* Copyright ( c ) 2008 - 2009 Marvell Semiconductor
* Copyright ( c ) 2013 Florian Fainelli < florian @ openwrt . org >
* Copyright ( c ) 2016 Andrew Lunn < andrew @ lunn . ch >
*/
# include <linux/device.h>
# include <linux/err.h>
# include <linux/list.h>
2017-03-29 00:45:06 +03:00
# include <linux/netdevice.h>
2016-06-04 22:17:07 +03:00
# include <linux/slab.h>
# include <linux/rtnetlink.h>
# include <linux/of.h>
# include <linux/of_net.h>
2019-03-24 13:14:26 +03:00
# include <net/devlink.h>
2017-05-17 22:46:03 +03:00
2016-06-04 22:17:07 +03:00
# include "dsa_priv.h"
2017-11-04 02:05:24 +03:00
static LIST_HEAD ( dsa_tree_list ) ;
2016-06-04 22:17:07 +03:00
static DEFINE_MUTEX ( dsa2_mutex ) ;
2017-03-29 00:45:07 +03:00
static const struct devlink_ops dsa_devlink_ops = {
} ;
2017-11-04 02:05:24 +03:00
static struct dsa_switch_tree * dsa_tree_find ( int index )
2016-06-04 22:17:07 +03:00
{
struct dsa_switch_tree * dst ;
2017-11-04 02:05:24 +03:00
list_for_each_entry ( dst , & dsa_tree_list , list )
2017-11-04 02:05:22 +03:00
if ( dst - > index = = index )
2016-06-04 22:17:07 +03:00
return dst ;
2017-11-04 02:05:22 +03:00
2016-06-04 22:17:07 +03:00
return NULL ;
}
2017-11-04 02:05:24 +03:00
static struct dsa_switch_tree * dsa_tree_alloc ( int index )
2016-06-04 22:17:07 +03:00
{
struct dsa_switch_tree * dst ;
dst = kzalloc ( sizeof ( * dst ) , GFP_KERNEL ) ;
if ( ! dst )
return NULL ;
2017-11-04 02:05:24 +03:00
2017-11-04 02:05:21 +03:00
dst - > index = index ;
2017-11-04 02:05:24 +03:00
2019-10-31 05:09:13 +03:00
INIT_LIST_HEAD ( & dst - > rtable ) ;
2019-10-21 23:51:16 +03:00
INIT_LIST_HEAD ( & dst - > ports ) ;
2016-06-04 22:17:07 +03:00
INIT_LIST_HEAD ( & dst - > list ) ;
2019-10-19 00:02:46 +03:00
list_add_tail ( & dst - > list , & dsa_tree_list ) ;
2017-11-04 02:05:22 +03:00
2016-06-04 22:17:07 +03:00
kref_init ( & dst - > refcount ) ;
return dst ;
}
2017-11-04 02:05:23 +03:00
static void dsa_tree_free ( struct dsa_switch_tree * dst )
{
list_del ( & dst - > list ) ;
kfree ( dst ) ;
}
2017-11-24 19:36:06 +03:00
static struct dsa_switch_tree * dsa_tree_get ( struct dsa_switch_tree * dst )
2017-11-04 02:05:24 +03:00
{
2017-11-24 19:36:06 +03:00
if ( dst )
kref_get ( & dst - > refcount ) ;
2017-11-04 02:05:24 +03:00
return dst ;
}
2017-11-24 19:36:06 +03:00
static struct dsa_switch_tree * dsa_tree_touch ( int index )
2017-11-04 02:05:23 +03:00
{
2017-11-24 19:36:06 +03:00
struct dsa_switch_tree * dst ;
dst = dsa_tree_find ( index ) ;
if ( dst )
return dsa_tree_get ( dst ) ;
else
return dsa_tree_alloc ( index ) ;
2017-11-04 02:05:23 +03:00
}
static void dsa_tree_release ( struct kref * ref )
{
struct dsa_switch_tree * dst ;
dst = container_of ( ref , struct dsa_switch_tree , refcount ) ;
dsa_tree_free ( dst ) ;
}
static void dsa_tree_put ( struct dsa_switch_tree * dst )
{
2017-11-24 19:36:06 +03:00
if ( dst )
kref_put ( & dst - > refcount , dsa_tree_release ) ;
2017-11-04 02:05:23 +03:00
}
2017-01-26 21:45:52 +03:00
static bool dsa_port_is_dsa ( struct dsa_port * port )
2016-06-04 22:17:07 +03:00
{
2017-10-27 22:55:15 +03:00
return port - > type = = DSA_PORT_TYPE_DSA ;
2017-01-26 21:45:52 +03:00
}
static bool dsa_port_is_cpu ( struct dsa_port * port )
{
2017-10-27 22:55:15 +03:00
return port - > type = = DSA_PORT_TYPE_CPU ;
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:44 +03:00
static bool dsa_port_is_user ( struct dsa_port * dp )
{
return dp - > type = = DSA_PORT_TYPE_USER ;
}
2017-11-07 00:11:49 +03:00
static struct dsa_port * dsa_tree_find_port_by_node ( struct dsa_switch_tree * dst ,
struct device_node * dn )
2016-06-04 22:17:07 +03:00
{
2017-11-07 00:11:49 +03:00
struct dsa_port * dp ;
2016-06-04 22:17:07 +03:00
2019-10-21 23:51:21 +03:00
list_for_each_entry ( dp , & dst - > ports , list )
if ( dp - > dn = = dn )
return dp ;
2016-06-04 22:17:07 +03:00
return NULL ;
}
2019-12-17 14:20:38 +03:00
static struct dsa_link * dsa_link_touch ( struct dsa_port * dp ,
struct dsa_port * link_dp )
2019-10-31 05:09:13 +03:00
{
struct dsa_switch * ds = dp - > ds ;
struct dsa_switch_tree * dst ;
struct dsa_link * dl ;
dst = ds - > dst ;
list_for_each_entry ( dl , & dst - > rtable , list )
if ( dl - > dp = = dp & & dl - > link_dp = = link_dp )
return dl ;
dl = kzalloc ( sizeof ( * dl ) , GFP_KERNEL ) ;
if ( ! dl )
return NULL ;
dl - > dp = dp ;
dl - > link_dp = link_dp ;
INIT_LIST_HEAD ( & dl - > list ) ;
list_add_tail ( & dl - > list , & dst - > rtable ) ;
return dl ;
}
2017-11-07 00:11:51 +03:00
static bool dsa_port_setup_routing_table ( struct dsa_port * dp )
2016-06-04 22:17:07 +03:00
{
2017-11-07 00:11:51 +03:00
struct dsa_switch * ds = dp - > ds ;
struct dsa_switch_tree * dst = ds - > dst ;
struct device_node * dn = dp - > dn ;
2017-11-07 00:11:50 +03:00
struct of_phandle_iterator it ;
2017-11-07 00:11:49 +03:00
struct dsa_port * link_dp ;
2019-10-31 05:09:13 +03:00
struct dsa_link * dl ;
2017-11-07 00:11:50 +03:00
int err ;
2016-06-04 22:17:07 +03:00
2017-11-07 00:11:50 +03:00
of_for_each_phandle ( & it , err , dn , " link " , NULL , 0 ) {
link_dp = dsa_tree_find_port_by_node ( dst , it . node ) ;
if ( ! link_dp ) {
of_node_put ( it . node ) ;
2017-11-07 00:11:51 +03:00
return false ;
2017-11-07 00:11:50 +03:00
}
2016-06-04 22:17:07 +03:00
2019-10-31 05:09:13 +03:00
dl = dsa_link_touch ( dp , link_dp ) ;
if ( ! dl ) {
of_node_put ( it . node ) ;
return false ;
}
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:51 +03:00
return true ;
2016-06-04 22:17:07 +03:00
}
2019-10-31 05:09:15 +03:00
static bool dsa_tree_setup_routing_table ( struct dsa_switch_tree * dst )
2016-06-04 22:17:07 +03:00
{
2017-11-07 00:11:51 +03:00
bool complete = true ;
struct dsa_port * dp ;
2016-06-04 22:17:07 +03:00
2019-10-21 23:51:20 +03:00
list_for_each_entry ( dp , & dst - > ports , list ) {
2019-10-31 05:09:15 +03:00
if ( dsa_port_is_dsa ( dp ) ) {
2017-11-07 00:11:51 +03:00
complete = dsa_port_setup_routing_table ( dp ) ;
if ( ! complete )
break ;
}
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:51 +03:00
return complete ;
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:44 +03:00
static struct dsa_port * dsa_tree_find_first_cpu ( struct dsa_switch_tree * dst )
{
struct dsa_port * dp ;
2019-10-21 23:51:23 +03:00
list_for_each_entry ( dp , & dst - > ports , list )
if ( dsa_port_is_cpu ( dp ) )
return dp ;
2017-11-07 00:11:44 +03:00
return NULL ;
}
static int dsa_tree_setup_default_cpu ( struct dsa_switch_tree * dst )
{
2019-10-21 23:51:24 +03:00
struct dsa_port * cpu_dp , * dp ;
2017-11-07 00:11:44 +03:00
2019-10-21 23:51:24 +03:00
cpu_dp = dsa_tree_find_first_cpu ( dst ) ;
if ( ! cpu_dp ) {
pr_err ( " DSA: tree %d has no CPU port \n " , dst - > index ) ;
2017-11-07 00:11:44 +03:00
return - EINVAL ;
}
/* Assign the default CPU port to all ports of the fabric */
2019-10-21 23:51:24 +03:00
list_for_each_entry ( dp , & dst - > ports , list )
if ( dsa_port_is_user ( dp ) | | dsa_port_is_dsa ( dp ) )
dp - > cpu_dp = cpu_dp ;
2017-11-07 00:11:44 +03:00
return 0 ;
}
static void dsa_tree_teardown_default_cpu ( struct dsa_switch_tree * dst )
{
2019-10-21 23:51:24 +03:00
struct dsa_port * dp ;
list_for_each_entry ( dp , & dst - > ports , list )
if ( dsa_port_is_user ( dp ) | | dsa_port_is_dsa ( dp ) )
dp - > cpu_dp = NULL ;
2017-11-07 00:11:44 +03:00
}
2017-11-07 00:11:48 +03:00
static int dsa_port_setup ( struct dsa_port * dp )
2016-06-04 22:17:07 +03:00
{
2017-11-07 00:11:48 +03:00
struct dsa_switch * ds = dp - > ds ;
2019-04-03 15:24:26 +03:00
struct dsa_switch_tree * dst = ds - > dst ;
2019-08-19 23:00:48 +03:00
const unsigned char * id = ( const unsigned char * ) & dst - > index ;
const unsigned char len = sizeof ( dst - > index ) ;
struct devlink_port * dlp = & dp - > devlink_port ;
2019-08-31 15:46:19 +03:00
bool dsa_port_link_registered = false ;
bool devlink_port_registered = false ;
2019-08-19 23:00:48 +03:00
struct devlink * dl = ds - > devlink ;
2019-08-31 15:46:19 +03:00
bool dsa_port_enabled = false ;
int err = 0 ;
2016-06-04 22:17:07 +03:00
2019-10-21 23:51:19 +03:00
if ( dp - > setup )
return 0 ;
2017-11-07 00:11:48 +03:00
switch ( dp - > type ) {
case DSA_PORT_TYPE_UNUSED :
2019-08-19 23:00:50 +03:00
dsa_port_disable ( dp ) ;
2017-11-07 00:11:48 +03:00
break ;
case DSA_PORT_TYPE_CPU :
2019-08-19 23:00:48 +03:00
memset ( dlp , 0 , sizeof ( * dlp ) ) ;
devlink_port_attrs_set ( dlp , DEVLINK_PORT_FLAVOUR_CPU ,
dp - > index , false , 0 , id , len ) ;
err = devlink_port_register ( dl , dlp , dp - > index ) ;
if ( err )
2019-08-31 15:46:19 +03:00
break ;
devlink_port_registered = true ;
2019-08-19 23:00:48 +03:00
2018-05-18 10:29:03 +03:00
err = dsa_port_link_register_of ( dp ) ;
2019-08-19 23:00:50 +03:00
if ( err )
2019-08-31 15:46:19 +03:00
break ;
dsa_port_link_registered = true ;
2019-08-19 23:00:50 +03:00
err = dsa_port_enable ( dp , NULL ) ;
2019-05-30 09:09:07 +03:00
if ( err )
2019-08-31 15:46:19 +03:00
break ;
dsa_port_enabled = true ;
2018-05-18 10:29:03 +03:00
break ;
2017-11-07 00:11:48 +03:00
case DSA_PORT_TYPE_DSA :
2019-08-19 23:00:48 +03:00
memset ( dlp , 0 , sizeof ( * dlp ) ) ;
devlink_port_attrs_set ( dlp , DEVLINK_PORT_FLAVOUR_DSA ,
dp - > index , false , 0 , id , len ) ;
err = devlink_port_register ( dl , dlp , dp - > index ) ;
if ( err )
2019-08-31 15:46:19 +03:00
break ;
devlink_port_registered = true ;
2019-08-19 23:00:48 +03:00
2018-01-23 18:03:46 +03:00
err = dsa_port_link_register_of ( dp ) ;
2019-08-19 23:00:50 +03:00
if ( err )
2019-08-31 15:46:19 +03:00
break ;
dsa_port_link_registered = true ;
2019-08-19 23:00:50 +03:00
err = dsa_port_enable ( dp , NULL ) ;
2019-05-30 09:09:07 +03:00
if ( err )
2019-08-31 15:46:19 +03:00
break ;
dsa_port_enabled = true ;
2017-11-07 00:11:48 +03:00
break ;
case DSA_PORT_TYPE_USER :
2019-08-19 23:00:48 +03:00
memset ( dlp , 0 , sizeof ( * dlp ) ) ;
devlink_port_attrs_set ( dlp , DEVLINK_PORT_FLAVOUR_PHYSICAL ,
dp - > index , false , 0 , id , len ) ;
err = devlink_port_register ( dl , dlp , dp - > index ) ;
if ( err )
2019-08-31 15:46:19 +03:00
break ;
devlink_port_registered = true ;
2019-08-19 23:00:48 +03:00
dp - > mac = of_get_mac_address ( dp - > dn ) ;
2017-11-07 00:11:48 +03:00
err = dsa_slave_create ( dp ) ;
if ( err )
2019-08-31 15:46:19 +03:00
break ;
2019-08-19 23:00:48 +03:00
devlink_port_type_eth_set ( dlp , dp - > slave ) ;
2017-11-07 00:11:48 +03:00
break ;
2016-06-04 22:17:07 +03:00
}
2019-08-31 15:46:19 +03:00
if ( err & & dsa_port_enabled )
dsa_port_disable ( dp ) ;
if ( err & & dsa_port_link_registered )
dsa_port_link_unregister_of ( dp ) ;
if ( err & & devlink_port_registered )
devlink_port_unregister ( dlp ) ;
2019-10-21 23:51:19 +03:00
if ( err )
return err ;
2019-08-31 15:46:19 +03:00
2019-10-21 23:51:19 +03:00
dp - > setup = true ;
return 0 ;
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:48 +03:00
static void dsa_port_teardown ( struct dsa_port * dp )
2016-06-04 22:17:07 +03:00
{
2019-08-19 23:00:48 +03:00
struct devlink_port * dlp = & dp - > devlink_port ;
2017-11-07 00:11:48 +03:00
2019-10-21 23:51:19 +03:00
if ( ! dp - > setup )
return ;
2017-11-07 00:11:48 +03:00
switch ( dp - > type ) {
case DSA_PORT_TYPE_UNUSED :
break ;
case DSA_PORT_TYPE_CPU :
2019-08-19 23:00:50 +03:00
dsa_port_disable ( dp ) ;
2019-04-28 20:37:19 +03:00
dsa_tag_driver_put ( dp - > tag_ops ) ;
2019-08-19 23:00:48 +03:00
devlink_port_unregister ( dlp ) ;
dsa_port_link_unregister_of ( dp ) ;
break ;
2017-11-07 00:11:48 +03:00
case DSA_PORT_TYPE_DSA :
2019-08-19 23:00:50 +03:00
dsa_port_disable ( dp ) ;
2019-08-19 23:00:48 +03:00
devlink_port_unregister ( dlp ) ;
2018-01-23 18:03:46 +03:00
dsa_port_link_unregister_of ( dp ) ;
2017-11-07 00:11:48 +03:00
break ;
case DSA_PORT_TYPE_USER :
2019-08-19 23:00:48 +03:00
devlink_port_unregister ( dlp ) ;
2017-11-07 00:11:48 +03:00
if ( dp - > slave ) {
dsa_slave_destroy ( dp - > slave ) ;
dp - > slave = NULL ;
}
break ;
2016-06-04 22:17:07 +03:00
}
2019-10-21 23:51:19 +03:00
dp - > setup = false ;
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:47 +03:00
static int dsa_switch_setup ( struct dsa_switch * ds )
2016-06-04 22:17:07 +03:00
{
2019-10-25 02:03:51 +03:00
struct dsa_devlink_priv * dl_priv ;
2019-10-21 23:51:19 +03:00
int err ;
if ( ds - > setup )
return 0 ;
2016-06-04 22:17:07 +03:00
2016-06-08 02:32:39 +03:00
/* Initialize ds->phys_mii_mask before registering the slave MDIO bus
2016-08-23 19:38:56 +03:00
* driver and before ops - > setup ( ) has run , since the switch drivers and
2016-06-08 02:32:39 +03:00
* the slave MDIO bus driver rely on these values for probing PHY
* devices or not
*/
2017-10-26 18:22:56 +03:00
ds - > phys_mii_mask | = dsa_user_ports ( ds ) ;
2016-06-08 02:32:39 +03:00
2017-03-29 00:45:07 +03:00
/* Add the switch to devlink before calling setup, so that setup can
* add dpipe tables
*/
2019-10-25 02:03:51 +03:00
ds - > devlink = devlink_alloc ( & dsa_devlink_ops , sizeof ( * dl_priv ) ) ;
2017-03-29 00:45:07 +03:00
if ( ! ds - > devlink )
return - ENOMEM ;
2019-10-25 02:03:51 +03:00
dl_priv = devlink_priv ( ds - > devlink ) ;
dl_priv - > ds = ds ;
2017-03-29 00:45:07 +03:00
err = devlink_register ( ds - > devlink , ds - > dev ) ;
if ( err )
2019-05-30 09:09:07 +03:00
goto free_devlink ;
2017-03-29 00:45:07 +03:00
2017-02-03 21:20:20 +03:00
err = dsa_switch_register_notifier ( ds ) ;
if ( err )
2019-05-30 09:09:07 +03:00
goto unregister_devlink ;
2017-02-03 21:20:20 +03:00
2019-05-05 13:19:20 +03:00
err = ds - > ops - > setup ( ds ) ;
if ( err < 0 )
2019-05-30 09:09:07 +03:00
goto unregister_notifier ;
2019-05-05 13:19:20 +03:00
2019-10-25 02:03:51 +03:00
devlink_params_publish ( ds - > devlink ) ;
2016-08-23 19:38:56 +03:00
if ( ! ds - > slave_mii_bus & & ds - > ops - > phy_read ) {
2016-06-08 02:32:40 +03:00
ds - > slave_mii_bus = devm_mdiobus_alloc ( ds - > dev ) ;
2019-05-30 09:09:07 +03:00
if ( ! ds - > slave_mii_bus ) {
err = - ENOMEM ;
goto unregister_notifier ;
}
2016-06-08 02:32:40 +03:00
dsa_slave_mii_bus_init ( ds ) ;
err = mdiobus_register ( ds - > slave_mii_bus ) ;
if ( err < 0 )
2019-05-30 09:09:07 +03:00
goto unregister_notifier ;
2016-06-08 02:32:40 +03:00
}
2019-10-21 23:51:19 +03:00
ds - > setup = true ;
2016-06-04 22:17:07 +03:00
return 0 ;
2019-05-30 09:09:07 +03:00
unregister_notifier :
dsa_switch_unregister_notifier ( ds ) ;
unregister_devlink :
devlink_unregister ( ds - > devlink ) ;
free_devlink :
devlink_free ( ds - > devlink ) ;
ds - > devlink = NULL ;
return err ;
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:47 +03:00
static void dsa_switch_teardown ( struct dsa_switch * ds )
2016-06-04 22:17:07 +03:00
{
2019-10-21 23:51:19 +03:00
if ( ! ds - > setup )
return ;
2016-08-23 19:38:56 +03:00
if ( ds - > slave_mii_bus & & ds - > ops - > phy_read )
2016-06-08 02:32:40 +03:00
mdiobus_unregister ( ds - > slave_mii_bus ) ;
2017-02-03 21:20:20 +03:00
dsa_switch_unregister_notifier ( ds ) ;
2017-03-29 00:45:07 +03:00
2019-06-08 15:04:28 +03:00
if ( ds - > ops - > teardown )
ds - > ops - > teardown ( ds ) ;
2017-03-29 00:45:07 +03:00
if ( ds - > devlink ) {
devlink_unregister ( ds - > devlink ) ;
devlink_free ( ds - > devlink ) ;
ds - > devlink = NULL ;
}
2019-10-21 23:51:19 +03:00
ds - > setup = false ;
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:47 +03:00
static int dsa_tree_setup_switches ( struct dsa_switch_tree * dst )
{
2017-11-07 00:11:48 +03:00
struct dsa_port * dp ;
2019-10-21 23:51:19 +03:00
int err ;
2017-11-07 00:11:47 +03:00
2019-10-21 23:51:19 +03:00
list_for_each_entry ( dp , & dst - > ports , list ) {
err = dsa_switch_setup ( dp - > ds ) ;
2017-11-07 00:11:47 +03:00
if ( err )
2019-10-21 23:51:19 +03:00
goto teardown ;
}
2017-11-07 00:11:48 +03:00
2019-10-21 23:51:19 +03:00
list_for_each_entry ( dp , & dst - > ports , list ) {
err = dsa_port_setup ( dp ) ;
if ( err )
goto teardown ;
2017-11-07 00:11:47 +03:00
}
return 0 ;
2019-05-30 09:09:07 +03:00
2019-10-21 23:51:19 +03:00
teardown :
list_for_each_entry ( dp , & dst - > ports , list )
dsa_port_teardown ( dp ) ;
2019-05-30 09:09:07 +03:00
2019-10-21 23:51:19 +03:00
list_for_each_entry ( dp , & dst - > ports , list )
dsa_switch_teardown ( dp - > ds ) ;
2019-05-30 09:09:07 +03:00
return err ;
2017-11-07 00:11:47 +03:00
}
static void dsa_tree_teardown_switches ( struct dsa_switch_tree * dst )
{
2017-11-07 00:11:48 +03:00
struct dsa_port * dp ;
2019-10-21 23:51:19 +03:00
list_for_each_entry ( dp , & dst - > ports , list )
dsa_port_teardown ( dp ) ;
2017-11-07 00:11:48 +03:00
2019-10-21 23:51:19 +03:00
list_for_each_entry ( dp , & dst - > ports , list )
dsa_switch_teardown ( dp - > ds ) ;
2017-11-07 00:11:47 +03:00
}
2017-11-07 00:11:45 +03:00
static int dsa_tree_setup_master ( struct dsa_switch_tree * dst )
{
2019-10-21 23:51:22 +03:00
struct dsa_port * dp ;
int err ;
2017-11-07 00:11:45 +03:00
2019-10-21 23:51:22 +03:00
list_for_each_entry ( dp , & dst - > ports , list ) {
if ( dsa_port_is_cpu ( dp ) ) {
err = dsa_master_setup ( dp - > master , dp ) ;
if ( err )
return err ;
}
}
return 0 ;
2017-11-07 00:11:45 +03:00
}
static void dsa_tree_teardown_master ( struct dsa_switch_tree * dst )
{
2019-10-21 23:51:22 +03:00
struct dsa_port * dp ;
2017-11-07 00:11:45 +03:00
2019-10-21 23:51:22 +03:00
list_for_each_entry ( dp , & dst - > ports , list )
if ( dsa_port_is_cpu ( dp ) )
dsa_master_teardown ( dp - > master ) ;
2017-11-07 00:11:45 +03:00
}
2017-11-07 00:11:46 +03:00
static int dsa_tree_setup ( struct dsa_switch_tree * dst )
2016-06-04 22:17:07 +03:00
{
2017-11-07 00:11:51 +03:00
bool complete ;
2016-06-04 22:17:07 +03:00
int err ;
2017-11-07 00:11:46 +03:00
if ( dst - > setup ) {
pr_err ( " DSA: tree %d already setup! Disjoint trees? \n " ,
dst - > index ) ;
return - EEXIST ;
}
2017-11-07 00:11:51 +03:00
complete = dsa_tree_setup_routing_table ( dst ) ;
if ( ! complete )
return 0 ;
2017-11-07 00:11:44 +03:00
err = dsa_tree_setup_default_cpu ( dst ) ;
if ( err )
return err ;
2017-11-07 00:11:47 +03:00
err = dsa_tree_setup_switches ( dst ) ;
if ( err )
2019-05-30 09:09:07 +03:00
goto teardown_default_cpu ;
2016-06-04 22:17:07 +03:00
2017-11-07 00:11:45 +03:00
err = dsa_tree_setup_master ( dst ) ;
2017-09-19 18:56:59 +03:00
if ( err )
2019-05-30 09:09:07 +03:00
goto teardown_switches ;
2017-09-19 18:56:59 +03:00
2017-11-07 00:11:46 +03:00
dst - > setup = true ;
pr_info ( " DSA: tree %d setup \n " , dst - > index ) ;
2016-06-04 22:17:07 +03:00
return 0 ;
2019-05-30 09:09:07 +03:00
teardown_switches :
dsa_tree_teardown_switches ( dst ) ;
teardown_default_cpu :
dsa_tree_teardown_default_cpu ( dst ) ;
return err ;
2016-06-04 22:17:07 +03:00
}
2017-11-07 00:11:46 +03:00
static void dsa_tree_teardown ( struct dsa_switch_tree * dst )
2016-06-04 22:17:07 +03:00
{
2019-10-31 05:09:13 +03:00
struct dsa_link * dl , * next ;
2017-11-07 00:11:46 +03:00
if ( ! dst - > setup )
2016-06-04 22:17:07 +03:00
return ;
2017-11-07 00:11:45 +03:00
dsa_tree_teardown_master ( dst ) ;
2016-06-04 22:17:07 +03:00
2017-11-07 00:11:47 +03:00
dsa_tree_teardown_switches ( dst ) ;
2016-06-04 22:17:07 +03:00
2017-11-07 00:11:44 +03:00
dsa_tree_teardown_default_cpu ( dst ) ;
2016-06-08 02:32:42 +03:00
2019-10-31 05:09:13 +03:00
list_for_each_entry_safe ( dl , next , & dst - > rtable , list ) {
list_del ( & dl - > list ) ;
kfree ( dl ) ;
}
2017-11-07 00:11:46 +03:00
pr_info ( " DSA: tree %d torn down \n " , dst - > index ) ;
dst - > setup = false ;
2016-06-04 22:17:07 +03:00
}
2019-10-21 23:51:16 +03:00
static struct dsa_port * dsa_port_touch ( struct dsa_switch * ds , int index )
{
struct dsa_switch_tree * dst = ds - > dst ;
struct dsa_port * dp ;
2019-10-21 23:51:29 +03:00
list_for_each_entry ( dp , & dst - > ports , list )
if ( dp - > ds = = ds & & dp - > index = = index )
return dp ;
dp = kzalloc ( sizeof ( * dp ) , GFP_KERNEL ) ;
if ( ! dp )
return NULL ;
2019-10-21 23:51:16 +03:00
dp - > ds = ds ;
dp - > index = index ;
INIT_LIST_HEAD ( & dp - > list ) ;
list_add_tail ( & dp - > list , & dst - > ports ) ;
return dp ;
}
2017-11-04 02:05:29 +03:00
static int dsa_port_parse_user ( struct dsa_port * dp , const char * name )
{
if ( ! name )
name = " eth%d " ;
dp - > type = DSA_PORT_TYPE_USER ;
dp - > name = name ;
return 0 ;
}
static int dsa_port_parse_dsa ( struct dsa_port * dp )
{
dp - > type = DSA_PORT_TYPE_DSA ;
return 0 ;
}
2020-01-08 08:06:05 +03:00
static enum dsa_tag_protocol dsa_get_tag_protocol ( struct dsa_port * dp ,
struct net_device * master )
{
enum dsa_tag_protocol tag_protocol = DSA_TAG_PROTO_NONE ;
struct dsa_switch * mds , * ds = dp - > ds ;
unsigned int mdp_upstream ;
struct dsa_port * mdp ;
/* It is possible to stack DSA switches onto one another when that
* happens the switch driver may want to know if its tagging protocol
* is going to work in such a configuration .
*/
if ( dsa_slave_dev_check ( master ) ) {
mdp = dsa_slave_to_port ( master ) ;
mds = mdp - > ds ;
mdp_upstream = dsa_upstream_port ( mds , mdp - > index ) ;
tag_protocol = mds - > ops - > get_tag_protocol ( mds , mdp_upstream ,
DSA_TAG_PROTO_NONE ) ;
}
/* If the master device is not itself a DSA slave in a disjoint DSA
* tree , then return immediately .
*/
return ds - > ops - > get_tag_protocol ( ds , dp - > index , tag_protocol ) ;
}
2017-11-04 02:05:29 +03:00
static int dsa_port_parse_cpu ( struct dsa_port * dp , struct net_device * master )
{
2017-11-04 02:05:30 +03:00
struct dsa_switch * ds = dp - > ds ;
struct dsa_switch_tree * dst = ds - > dst ;
const struct dsa_device_ops * tag_ops ;
enum dsa_tag_protocol tag_protocol ;
2020-01-08 08:06:05 +03:00
tag_protocol = dsa_get_tag_protocol ( dp , master ) ;
2019-04-28 20:37:18 +03:00
tag_ops = dsa_tag_driver_get ( tag_protocol ) ;
2017-11-04 02:05:30 +03:00
if ( IS_ERR ( tag_ops ) ) {
2019-09-12 16:16:45 +03:00
if ( PTR_ERR ( tag_ops ) = = - ENOPROTOOPT )
return - EPROBE_DEFER ;
2017-11-04 02:05:30 +03:00
dev_warn ( ds - > dev , " No tagger for this switch \n " ) ;
2020-01-08 08:06:05 +03:00
dp - > master = NULL ;
2017-11-04 02:05:30 +03:00
return PTR_ERR ( tag_ops ) ;
}
2020-01-08 08:06:05 +03:00
dp - > master = master ;
2017-11-04 02:05:29 +03:00
dp - > type = DSA_PORT_TYPE_CPU ;
net: dsa: Allow drivers to filter packets they can decode source port from
Frames get processed by DSA and redirected to switch port net devices
based on the ETH_P_XDSA multiplexed packet_type handler found by the
network stack when calling eth_type_trans().
The running assumption is that once the DSA .rcv function is called, DSA
is always able to decode the switch tag in order to change the skb->dev
from its master.
However there are tagging protocols (such as the new DSA_TAG_PROTO_SJA1105,
user of DSA_TAG_PROTO_8021Q) where this assumption is not completely
true, since switch tagging piggybacks on the absence of a vlan_filtering
bridge. Moreover, management traffic (BPDU, PTP) for this switch doesn't
rely on switch tagging, but on a different mechanism. So it would make
sense to at least be able to terminate that.
Having DSA receive traffic it can't decode would put it in an impossible
situation: the eth_type_trans() function would invoke the DSA .rcv(),
which could not change skb->dev, then eth_type_trans() would be invoked
again, which again would call the DSA .rcv, and the packet would never
be able to exit the DSA filter and would spiral in a loop until the
whole system dies.
This happens because eth_type_trans() doesn't actually look at the skb
(so as to identify a potential tag) when it deems it as being
ETH_P_XDSA. It just checks whether skb->dev has a DSA private pointer
installed (therefore it's a DSA master) and that there exists a .rcv
callback (everybody except DSA_TAG_PROTO_NONE has that). This is
understandable as there are many switch tags out there, and exhaustively
checking for all of them is far from ideal.
The solution lies in introducing a filtering function for each tagging
protocol. In the absence of a filtering function, all traffic is passed
to the .rcv DSA callback. The tagging protocol should see the filtering
function as a pre-validation that it can decode the incoming skb. The
traffic that doesn't match the filter will bypass the DSA .rcv callback
and be left on the master netdevice, which wasn't previously possible.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-05-05 13:19:23 +03:00
dp - > filter = tag_ops - > filter ;
2017-11-04 02:05:30 +03:00
dp - > rcv = tag_ops - > rcv ;
dp - > tag_ops = tag_ops ;
dp - > dst = dst ;
2017-11-04 02:05:29 +03:00
return 0 ;
}
2017-10-27 22:55:14 +03:00
static int dsa_port_parse_of ( struct dsa_port * dp , struct device_node * dn )
{
2017-10-27 22:55:15 +03:00
struct device_node * ethernet = of_parse_phandle ( dn , " ethernet " , 0 ) ;
2017-10-27 22:55:18 +03:00
const char * name = of_get_property ( dn , " label " , NULL ) ;
2017-11-04 02:05:28 +03:00
bool link = of_property_read_bool ( dn , " link " ) ;
2017-10-27 22:55:15 +03:00
2017-11-04 02:05:29 +03:00
dp - > dn = dn ;
2017-10-27 22:55:15 +03:00
if ( ethernet ) {
2017-10-27 22:55:17 +03:00
struct net_device * master ;
master = of_find_net_device_by_node ( ethernet ) ;
if ( ! master )
return - EPROBE_DEFER ;
2017-11-04 02:05:29 +03:00
return dsa_port_parse_cpu ( dp , master ) ;
2017-10-27 22:55:15 +03:00
}
2017-11-04 02:05:29 +03:00
if ( link )
return dsa_port_parse_dsa ( dp ) ;
2017-10-27 22:55:14 +03:00
2017-11-04 02:05:29 +03:00
return dsa_port_parse_user ( dp , name ) ;
2017-10-27 22:55:14 +03:00
}
2017-11-04 02:05:27 +03:00
static int dsa_switch_parse_ports_of ( struct dsa_switch * ds ,
struct device_node * dn )
2016-06-04 22:17:07 +03:00
{
2017-10-27 22:55:13 +03:00
struct device_node * ports , * port ;
2017-10-27 22:55:14 +03:00
struct dsa_port * dp ;
2019-02-25 10:22:19 +03:00
int err = 0 ;
2016-06-04 22:17:07 +03:00
u32 reg ;
2017-10-27 22:55:13 +03:00
ports = of_get_child_by_name ( dn , " ports " ) ;
if ( ! ports ) {
dev_err ( ds - > dev , " no ports child node found \n " ) ;
return - EINVAL ;
}
2016-06-04 22:17:07 +03:00
for_each_available_child_of_node ( ports , port ) {
err = of_property_read_u32 ( port , " reg " , & reg ) ;
if ( err )
2019-02-25 10:22:19 +03:00
goto out_put_node ;
2016-06-04 22:17:07 +03:00
2019-02-25 10:22:19 +03:00
if ( reg > = ds - > num_ports ) {
err = - EINVAL ;
goto out_put_node ;
}
2016-06-04 22:17:07 +03:00
2019-10-21 23:51:15 +03:00
dp = dsa_to_port ( ds , reg ) ;
2017-10-27 22:55:14 +03:00
err = dsa_port_parse_of ( dp , port ) ;
if ( err )
2019-02-25 10:22:19 +03:00
goto out_put_node ;
2016-06-04 22:17:07 +03:00
}
2019-02-25 10:22:19 +03:00
out_put_node :
of_node_put ( ports ) ;
return err ;
2016-06-04 22:17:07 +03:00
}
2017-11-04 02:05:27 +03:00
static int dsa_switch_parse_member_of ( struct dsa_switch * ds ,
struct device_node * dn )
{
u32 m [ 2 ] = { 0 , 0 } ;
int sz ;
/* Don't error out if this optional property isn't found */
sz = of_property_read_variable_u32_array ( dn , " dsa,member " , m , 2 , 2 ) ;
if ( sz < 0 & & sz ! = - EINVAL )
return sz ;
ds - > index = m [ 1 ] ;
ds - > dst = dsa_tree_touch ( m [ 0 ] ) ;
if ( ! ds - > dst )
return - ENOMEM ;
return 0 ;
}
2019-10-21 23:51:16 +03:00
static int dsa_switch_touch_ports ( struct dsa_switch * ds )
{
struct dsa_port * dp ;
int port ;
for ( port = 0 ; port < ds - > num_ports ; port + + ) {
dp = dsa_port_touch ( ds , port ) ;
if ( ! dp )
return - ENOMEM ;
}
return 0 ;
}
2017-11-04 02:05:27 +03:00
static int dsa_switch_parse_of ( struct dsa_switch * ds , struct device_node * dn )
{
int err ;
err = dsa_switch_parse_member_of ( ds , dn ) ;
if ( err )
return err ;
2019-10-21 23:51:16 +03:00
err = dsa_switch_touch_ports ( ds ) ;
if ( err )
return err ;
2017-11-04 02:05:27 +03:00
return dsa_switch_parse_ports_of ( ds , dn ) ;
}
2017-10-27 22:55:14 +03:00
static int dsa_port_parse ( struct dsa_port * dp , const char * name ,
struct device * dev )
{
2017-10-27 22:55:15 +03:00
if ( ! strcmp ( name , " cpu " ) ) {
2017-10-27 22:55:17 +03:00
struct net_device * master ;
master = dsa_dev_to_net_device ( dev ) ;
if ( ! master )
return - EPROBE_DEFER ;
dev_put ( master ) ;
2017-11-04 02:05:29 +03:00
return dsa_port_parse_cpu ( dp , master ) ;
2017-10-27 22:55:15 +03:00
}
2017-11-04 02:05:29 +03:00
if ( ! strcmp ( name , " dsa " ) )
return dsa_port_parse_dsa ( dp ) ;
2017-10-27 22:55:14 +03:00
2017-11-04 02:05:29 +03:00
return dsa_port_parse_user ( dp , name ) ;
2017-10-27 22:55:14 +03:00
}
2017-11-04 02:05:27 +03:00
static int dsa_switch_parse_ports ( struct dsa_switch * ds ,
struct dsa_chip_data * cd )
2017-02-05 00:02:43 +03:00
{
bool valid_name_found = false ;
2017-10-27 22:55:14 +03:00
struct dsa_port * dp ;
struct device * dev ;
const char * name ;
2017-02-05 00:02:43 +03:00
unsigned int i ;
2017-10-27 22:55:14 +03:00
int err ;
2017-02-05 00:02:43 +03:00
for ( i = 0 ; i < DSA_MAX_PORTS ; i + + ) {
2017-10-27 22:55:14 +03:00
name = cd - > port_names [ i ] ;
dev = cd - > netdev [ i ] ;
2019-10-21 23:51:15 +03:00
dp = dsa_to_port ( ds , i ) ;
2017-10-27 22:55:14 +03:00
if ( ! name )
2017-02-05 00:02:43 +03:00
continue ;
2017-10-27 22:55:14 +03:00
err = dsa_port_parse ( dp , name , dev ) ;
if ( err )
return err ;
2017-02-05 00:02:43 +03:00
valid_name_found = true ;
}
if ( ! valid_name_found & & i = = DSA_MAX_PORTS )
return - EINVAL ;
return 0 ;
}
2017-11-04 02:05:27 +03:00
static int dsa_switch_parse ( struct dsa_switch * ds , struct dsa_chip_data * cd )
2017-02-05 00:02:43 +03:00
{
2019-10-21 23:51:16 +03:00
int err ;
2017-11-04 02:05:27 +03:00
ds - > cd = cd ;
2017-02-05 00:02:43 +03:00
2017-11-04 02:05:27 +03:00
/* We don't support interconnected switches nor multiple trees via
* platform data , so this is the unique switch of the tree .
*/
ds - > index = 0 ;
ds - > dst = dsa_tree_touch ( 0 ) ;
if ( ! ds - > dst )
return - ENOMEM ;
2017-02-05 00:02:43 +03:00
2019-10-21 23:51:16 +03:00
err = dsa_switch_touch_ports ( ds ) ;
if ( err )
return err ;
2017-11-04 02:05:27 +03:00
return dsa_switch_parse_ports ( ds , cd ) ;
2017-02-05 00:02:43 +03:00
}
net: dsa: Fix use-after-free in probing of DSA switch tree
DSA sets up a switch tree little by little. Every switch of the N
members of the tree calls dsa_register_switch, and (N - 1) will just
touch the dst->ports list with their ports and quickly exit. Only the
last switch that calls dsa_register_switch will find all DSA links
complete in dsa_tree_setup_routing_table, and not return zero as a
result but instead go ahead and set up the entire DSA switch tree
(practically on behalf of the other switches too).
The trouble is that the (N - 1) switches don't clean up after themselves
after they get an error such as EPROBE_DEFER. Their footprint left in
dst->ports by dsa_switch_touch_ports is still there. And switch N, the
one responsible with actually setting up the tree, is going to work with
those stale dp, dp->ds and dp->ds->dev pointers. In particular ds and
ds->dev might get freed by the device driver.
Be there a 2-switch tree and the following calling order:
- Switch 1 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Calls dsa_port_parse_cpu, gets -EPROBE_DEFER, exits.
- Switch 2 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Probe doesn't get deferred, so it goes ahead.
- Calls dsa_tree_setup_routing_table, which returns "complete == true"
due to Switch 1 having called dsa_switch_touch_ports before.
- Because the DSA links are complete, it calls dsa_tree_setup_switches
now.
- dsa_tree_setup_switches iterates through dst->ports, initializing
the Switch 1 ds structure (invalid) and the Switch 2 ds structure
(valid).
- Undefined behavior (use after free, sometimes NULL pointers, etc).
Real example below (debugging prints added by me, as well as guards
against NULL pointers):
[ 5.477947] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.313002] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.319932] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.329693] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.339458] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.349226] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.358991] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.368758] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.378524] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.388291] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.398057] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.407912] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.417682] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.427446] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.437212] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.446979] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.456744] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.466512] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.476277] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.486043] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.495810] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.505577] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.515433] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.354120] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.361045] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.370805] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.380571] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.390337] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.400104] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.409872] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.419637] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.429403] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.439169] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803db15b80 (dev ffffff803d8e4800)
The solution is to recognize that the functions that call
dsa_switch_touch_ports (dsa_switch_parse_of, dsa_switch_parse) have side
effects, and therefore one should clean up their side effects on error
path. The cleanup of dst->ports was taken from dsa_switch_remove and
moved into a dedicated dsa_switch_release_ports function, which should
really be per-switch (free only the members of dst->ports that are also
members of ds, instead of all switch ports).
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-26 00:01:11 +03:00
static void dsa_switch_release_ports ( struct dsa_switch * ds )
{
struct dsa_switch_tree * dst = ds - > dst ;
struct dsa_port * dp , * next ;
list_for_each_entry_safe ( dp , next , & dst - > ports , list ) {
if ( dp - > ds ! = ds )
continue ;
list_del ( & dp - > list ) ;
kfree ( dp ) ;
}
}
2017-11-07 00:11:53 +03:00
static int dsa_switch_probe ( struct dsa_switch * ds )
2016-06-04 22:17:07 +03:00
{
2019-10-31 05:09:17 +03:00
struct dsa_switch_tree * dst ;
2019-10-24 13:32:18 +03:00
struct dsa_chip_data * pdata ;
struct device_node * np ;
2017-11-07 00:11:51 +03:00
int err ;
2016-06-04 22:17:07 +03:00
2019-10-21 23:51:30 +03:00
if ( ! ds - > dev )
return - ENODEV ;
2019-10-24 13:32:18 +03:00
pdata = ds - > dev - > platform_data ;
np = ds - > dev - > of_node ;
2019-10-21 23:51:30 +03:00
if ( ! ds - > num_ports )
return - EINVAL ;
net: dsa: Fix use-after-free in probing of DSA switch tree
DSA sets up a switch tree little by little. Every switch of the N
members of the tree calls dsa_register_switch, and (N - 1) will just
touch the dst->ports list with their ports and quickly exit. Only the
last switch that calls dsa_register_switch will find all DSA links
complete in dsa_tree_setup_routing_table, and not return zero as a
result but instead go ahead and set up the entire DSA switch tree
(practically on behalf of the other switches too).
The trouble is that the (N - 1) switches don't clean up after themselves
after they get an error such as EPROBE_DEFER. Their footprint left in
dst->ports by dsa_switch_touch_ports is still there. And switch N, the
one responsible with actually setting up the tree, is going to work with
those stale dp, dp->ds and dp->ds->dev pointers. In particular ds and
ds->dev might get freed by the device driver.
Be there a 2-switch tree and the following calling order:
- Switch 1 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Calls dsa_port_parse_cpu, gets -EPROBE_DEFER, exits.
- Switch 2 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Probe doesn't get deferred, so it goes ahead.
- Calls dsa_tree_setup_routing_table, which returns "complete == true"
due to Switch 1 having called dsa_switch_touch_ports before.
- Because the DSA links are complete, it calls dsa_tree_setup_switches
now.
- dsa_tree_setup_switches iterates through dst->ports, initializing
the Switch 1 ds structure (invalid) and the Switch 2 ds structure
(valid).
- Undefined behavior (use after free, sometimes NULL pointers, etc).
Real example below (debugging prints added by me, as well as guards
against NULL pointers):
[ 5.477947] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.313002] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.319932] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.329693] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.339458] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.349226] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.358991] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.368758] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.378524] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.388291] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.398057] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.407912] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.417682] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.427446] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.437212] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.446979] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.456744] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.466512] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.476277] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.486043] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.495810] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.505577] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.515433] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.354120] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.361045] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.370805] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.380571] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.390337] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.400104] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.409872] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.419637] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.429403] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.439169] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803db15b80 (dev ffffff803d8e4800)
The solution is to recognize that the functions that call
dsa_switch_touch_ports (dsa_switch_parse_of, dsa_switch_parse) have side
effects, and therefore one should clean up their side effects on error
path. The cleanup of dst->ports was taken from dsa_switch_remove and
moved into a dedicated dsa_switch_release_ports function, which should
really be per-switch (free only the members of dst->ports that are also
members of ds, instead of all switch ports).
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-26 00:01:11 +03:00
if ( np ) {
2017-11-04 02:05:27 +03:00
err = dsa_switch_parse_of ( ds , np ) ;
net: dsa: Fix use-after-free in probing of DSA switch tree
DSA sets up a switch tree little by little. Every switch of the N
members of the tree calls dsa_register_switch, and (N - 1) will just
touch the dst->ports list with their ports and quickly exit. Only the
last switch that calls dsa_register_switch will find all DSA links
complete in dsa_tree_setup_routing_table, and not return zero as a
result but instead go ahead and set up the entire DSA switch tree
(practically on behalf of the other switches too).
The trouble is that the (N - 1) switches don't clean up after themselves
after they get an error such as EPROBE_DEFER. Their footprint left in
dst->ports by dsa_switch_touch_ports is still there. And switch N, the
one responsible with actually setting up the tree, is going to work with
those stale dp, dp->ds and dp->ds->dev pointers. In particular ds and
ds->dev might get freed by the device driver.
Be there a 2-switch tree and the following calling order:
- Switch 1 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Calls dsa_port_parse_cpu, gets -EPROBE_DEFER, exits.
- Switch 2 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Probe doesn't get deferred, so it goes ahead.
- Calls dsa_tree_setup_routing_table, which returns "complete == true"
due to Switch 1 having called dsa_switch_touch_ports before.
- Because the DSA links are complete, it calls dsa_tree_setup_switches
now.
- dsa_tree_setup_switches iterates through dst->ports, initializing
the Switch 1 ds structure (invalid) and the Switch 2 ds structure
(valid).
- Undefined behavior (use after free, sometimes NULL pointers, etc).
Real example below (debugging prints added by me, as well as guards
against NULL pointers):
[ 5.477947] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.313002] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.319932] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.329693] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.339458] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.349226] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.358991] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.368758] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.378524] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.388291] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.398057] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.407912] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.417682] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.427446] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.437212] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.446979] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.456744] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.466512] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.476277] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.486043] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.495810] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.505577] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.515433] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.354120] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.361045] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.370805] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.380571] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.390337] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.400104] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.409872] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.419637] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.429403] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.439169] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803db15b80 (dev ffffff803d8e4800)
The solution is to recognize that the functions that call
dsa_switch_touch_ports (dsa_switch_parse_of, dsa_switch_parse) have side
effects, and therefore one should clean up their side effects on error
path. The cleanup of dst->ports was taken from dsa_switch_remove and
moved into a dedicated dsa_switch_release_ports function, which should
really be per-switch (free only the members of dst->ports that are also
members of ds, instead of all switch ports).
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-26 00:01:11 +03:00
if ( err )
dsa_switch_release_ports ( ds ) ;
} else if ( pdata ) {
2017-11-04 02:05:27 +03:00
err = dsa_switch_parse ( ds , pdata ) ;
net: dsa: Fix use-after-free in probing of DSA switch tree
DSA sets up a switch tree little by little. Every switch of the N
members of the tree calls dsa_register_switch, and (N - 1) will just
touch the dst->ports list with their ports and quickly exit. Only the
last switch that calls dsa_register_switch will find all DSA links
complete in dsa_tree_setup_routing_table, and not return zero as a
result but instead go ahead and set up the entire DSA switch tree
(practically on behalf of the other switches too).
The trouble is that the (N - 1) switches don't clean up after themselves
after they get an error such as EPROBE_DEFER. Their footprint left in
dst->ports by dsa_switch_touch_ports is still there. And switch N, the
one responsible with actually setting up the tree, is going to work with
those stale dp, dp->ds and dp->ds->dev pointers. In particular ds and
ds->dev might get freed by the device driver.
Be there a 2-switch tree and the following calling order:
- Switch 1 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Calls dsa_port_parse_cpu, gets -EPROBE_DEFER, exits.
- Switch 2 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Probe doesn't get deferred, so it goes ahead.
- Calls dsa_tree_setup_routing_table, which returns "complete == true"
due to Switch 1 having called dsa_switch_touch_ports before.
- Because the DSA links are complete, it calls dsa_tree_setup_switches
now.
- dsa_tree_setup_switches iterates through dst->ports, initializing
the Switch 1 ds structure (invalid) and the Switch 2 ds structure
(valid).
- Undefined behavior (use after free, sometimes NULL pointers, etc).
Real example below (debugging prints added by me, as well as guards
against NULL pointers):
[ 5.477947] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.313002] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.319932] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.329693] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.339458] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.349226] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.358991] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.368758] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.378524] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.388291] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.398057] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.407912] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.417682] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.427446] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.437212] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.446979] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.456744] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.466512] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.476277] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.486043] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.495810] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.505577] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.515433] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.354120] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.361045] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.370805] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.380571] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.390337] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.400104] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.409872] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.419637] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.429403] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.439169] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803db15b80 (dev ffffff803d8e4800)
The solution is to recognize that the functions that call
dsa_switch_touch_ports (dsa_switch_parse_of, dsa_switch_parse) have side
effects, and therefore one should clean up their side effects on error
path. The cleanup of dst->ports was taken from dsa_switch_remove and
moved into a dedicated dsa_switch_release_ports function, which should
really be per-switch (free only the members of dst->ports that are also
members of ds, instead of all switch ports).
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-26 00:01:11 +03:00
if ( err )
dsa_switch_release_ports ( ds ) ;
} else {
2017-11-04 02:05:27 +03:00
err = - ENODEV ;
net: dsa: Fix use-after-free in probing of DSA switch tree
DSA sets up a switch tree little by little. Every switch of the N
members of the tree calls dsa_register_switch, and (N - 1) will just
touch the dst->ports list with their ports and quickly exit. Only the
last switch that calls dsa_register_switch will find all DSA links
complete in dsa_tree_setup_routing_table, and not return zero as a
result but instead go ahead and set up the entire DSA switch tree
(practically on behalf of the other switches too).
The trouble is that the (N - 1) switches don't clean up after themselves
after they get an error such as EPROBE_DEFER. Their footprint left in
dst->ports by dsa_switch_touch_ports is still there. And switch N, the
one responsible with actually setting up the tree, is going to work with
those stale dp, dp->ds and dp->ds->dev pointers. In particular ds and
ds->dev might get freed by the device driver.
Be there a 2-switch tree and the following calling order:
- Switch 1 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Calls dsa_port_parse_cpu, gets -EPROBE_DEFER, exits.
- Switch 2 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Probe doesn't get deferred, so it goes ahead.
- Calls dsa_tree_setup_routing_table, which returns "complete == true"
due to Switch 1 having called dsa_switch_touch_ports before.
- Because the DSA links are complete, it calls dsa_tree_setup_switches
now.
- dsa_tree_setup_switches iterates through dst->ports, initializing
the Switch 1 ds structure (invalid) and the Switch 2 ds structure
(valid).
- Undefined behavior (use after free, sometimes NULL pointers, etc).
Real example below (debugging prints added by me, as well as guards
against NULL pointers):
[ 5.477947] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.313002] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.319932] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.329693] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.339458] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.349226] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.358991] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.368758] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.378524] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.388291] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.398057] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.407912] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.417682] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.427446] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.437212] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.446979] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.456744] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.466512] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.476277] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.486043] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.495810] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.505577] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.515433] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.354120] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.361045] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.370805] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.380571] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.390337] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.400104] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.409872] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.419637] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.429403] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.439169] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803db15b80 (dev ffffff803d8e4800)
The solution is to recognize that the functions that call
dsa_switch_touch_ports (dsa_switch_parse_of, dsa_switch_parse) have side
effects, and therefore one should clean up their side effects on error
path. The cleanup of dst->ports was taken from dsa_switch_remove and
moved into a dedicated dsa_switch_release_ports function, which should
really be per-switch (free only the members of dst->ports that are also
members of ds, instead of all switch ports).
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-26 00:01:11 +03:00
}
2016-06-04 22:17:07 +03:00
2017-11-04 02:05:27 +03:00
if ( err )
return err ;
2016-07-07 03:03:54 +03:00
2019-10-31 05:09:17 +03:00
dst = ds - > dst ;
dsa_tree_get ( dst ) ;
err = dsa_tree_setup ( dst ) ;
net: dsa: Fix use-after-free in probing of DSA switch tree
DSA sets up a switch tree little by little. Every switch of the N
members of the tree calls dsa_register_switch, and (N - 1) will just
touch the dst->ports list with their ports and quickly exit. Only the
last switch that calls dsa_register_switch will find all DSA links
complete in dsa_tree_setup_routing_table, and not return zero as a
result but instead go ahead and set up the entire DSA switch tree
(practically on behalf of the other switches too).
The trouble is that the (N - 1) switches don't clean up after themselves
after they get an error such as EPROBE_DEFER. Their footprint left in
dst->ports by dsa_switch_touch_ports is still there. And switch N, the
one responsible with actually setting up the tree, is going to work with
those stale dp, dp->ds and dp->ds->dev pointers. In particular ds and
ds->dev might get freed by the device driver.
Be there a 2-switch tree and the following calling order:
- Switch 1 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Calls dsa_port_parse_cpu, gets -EPROBE_DEFER, exits.
- Switch 2 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Probe doesn't get deferred, so it goes ahead.
- Calls dsa_tree_setup_routing_table, which returns "complete == true"
due to Switch 1 having called dsa_switch_touch_ports before.
- Because the DSA links are complete, it calls dsa_tree_setup_switches
now.
- dsa_tree_setup_switches iterates through dst->ports, initializing
the Switch 1 ds structure (invalid) and the Switch 2 ds structure
(valid).
- Undefined behavior (use after free, sometimes NULL pointers, etc).
Real example below (debugging prints added by me, as well as guards
against NULL pointers):
[ 5.477947] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.313002] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.319932] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.329693] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.339458] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.349226] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.358991] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.368758] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.378524] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.388291] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.398057] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.407912] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.417682] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.427446] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.437212] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.446979] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.456744] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.466512] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.476277] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.486043] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.495810] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.505577] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.515433] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.354120] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.361045] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.370805] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.380571] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.390337] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.400104] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.409872] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.419637] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.429403] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.439169] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803db15b80 (dev ffffff803d8e4800)
The solution is to recognize that the functions that call
dsa_switch_touch_ports (dsa_switch_parse_of, dsa_switch_parse) have side
effects, and therefore one should clean up their side effects on error
path. The cleanup of dst->ports was taken from dsa_switch_remove and
moved into a dedicated dsa_switch_release_ports function, which should
really be per-switch (free only the members of dst->ports that are also
members of ds, instead of all switch ports).
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-26 00:01:11 +03:00
if ( err ) {
dsa_switch_release_ports ( ds ) ;
2019-10-31 05:09:17 +03:00
dsa_tree_put ( dst ) ;
net: dsa: Fix use-after-free in probing of DSA switch tree
DSA sets up a switch tree little by little. Every switch of the N
members of the tree calls dsa_register_switch, and (N - 1) will just
touch the dst->ports list with their ports and quickly exit. Only the
last switch that calls dsa_register_switch will find all DSA links
complete in dsa_tree_setup_routing_table, and not return zero as a
result but instead go ahead and set up the entire DSA switch tree
(practically on behalf of the other switches too).
The trouble is that the (N - 1) switches don't clean up after themselves
after they get an error such as EPROBE_DEFER. Their footprint left in
dst->ports by dsa_switch_touch_ports is still there. And switch N, the
one responsible with actually setting up the tree, is going to work with
those stale dp, dp->ds and dp->ds->dev pointers. In particular ds and
ds->dev might get freed by the device driver.
Be there a 2-switch tree and the following calling order:
- Switch 1 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Calls dsa_port_parse_cpu, gets -EPROBE_DEFER, exits.
- Switch 2 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Probe doesn't get deferred, so it goes ahead.
- Calls dsa_tree_setup_routing_table, which returns "complete == true"
due to Switch 1 having called dsa_switch_touch_ports before.
- Because the DSA links are complete, it calls dsa_tree_setup_switches
now.
- dsa_tree_setup_switches iterates through dst->ports, initializing
the Switch 1 ds structure (invalid) and the Switch 2 ds structure
(valid).
- Undefined behavior (use after free, sometimes NULL pointers, etc).
Real example below (debugging prints added by me, as well as guards
against NULL pointers):
[ 5.477947] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.313002] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.319932] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.329693] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.339458] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.349226] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.358991] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.368758] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.378524] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.388291] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.398057] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.407912] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.417682] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.427446] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.437212] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.446979] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.456744] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.466512] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.476277] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.486043] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.495810] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.505577] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.515433] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.354120] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.361045] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.370805] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.380571] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.390337] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.400104] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.409872] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.419637] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.429403] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.439169] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803db15b80 (dev ffffff803d8e4800)
The solution is to recognize that the functions that call
dsa_switch_touch_ports (dsa_switch_parse_of, dsa_switch_parse) have side
effects, and therefore one should clean up their side effects on error
path. The cleanup of dst->ports was taken from dsa_switch_remove and
moved into a dedicated dsa_switch_release_ports function, which should
really be per-switch (free only the members of dst->ports that are also
members of ds, instead of all switch ports).
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-26 00:01:11 +03:00
}
2019-10-31 05:09:17 +03:00
return err ;
2016-06-04 22:17:07 +03:00
}
2017-05-27 01:12:51 +03:00
int dsa_register_switch ( struct dsa_switch * ds )
2016-06-04 22:17:07 +03:00
{
int err ;
mutex_lock ( & dsa2_mutex ) ;
2017-11-07 00:11:53 +03:00
err = dsa_switch_probe ( ds ) ;
2017-11-24 19:36:06 +03:00
dsa_tree_put ( ds - > dst ) ;
2016-06-04 22:17:07 +03:00
mutex_unlock ( & dsa2_mutex ) ;
return err ;
}
EXPORT_SYMBOL_GPL ( dsa_register_switch ) ;
2017-11-07 00:11:53 +03:00
static void dsa_switch_remove ( struct dsa_switch * ds )
2016-06-04 22:17:07 +03:00
{
struct dsa_switch_tree * dst = ds - > dst ;
2019-10-21 23:51:29 +03:00
2019-11-03 06:13:26 +03:00
dsa_tree_teardown ( dst ) ;
net: dsa: Fix use-after-free in probing of DSA switch tree
DSA sets up a switch tree little by little. Every switch of the N
members of the tree calls dsa_register_switch, and (N - 1) will just
touch the dst->ports list with their ports and quickly exit. Only the
last switch that calls dsa_register_switch will find all DSA links
complete in dsa_tree_setup_routing_table, and not return zero as a
result but instead go ahead and set up the entire DSA switch tree
(practically on behalf of the other switches too).
The trouble is that the (N - 1) switches don't clean up after themselves
after they get an error such as EPROBE_DEFER. Their footprint left in
dst->ports by dsa_switch_touch_ports is still there. And switch N, the
one responsible with actually setting up the tree, is going to work with
those stale dp, dp->ds and dp->ds->dev pointers. In particular ds and
ds->dev might get freed by the device driver.
Be there a 2-switch tree and the following calling order:
- Switch 1 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Calls dsa_port_parse_cpu, gets -EPROBE_DEFER, exits.
- Switch 2 calls dsa_register_switch
- Calls dsa_switch_touch_ports, populates dst->ports
- Probe doesn't get deferred, so it goes ahead.
- Calls dsa_tree_setup_routing_table, which returns "complete == true"
due to Switch 1 having called dsa_switch_touch_ports before.
- Because the DSA links are complete, it calls dsa_tree_setup_switches
now.
- dsa_tree_setup_switches iterates through dst->ports, initializing
the Switch 1 ds structure (invalid) and the Switch 2 ds structure
(valid).
- Undefined behavior (use after free, sometimes NULL pointers, etc).
Real example below (debugging prints added by me, as well as guards
against NULL pointers):
[ 5.477947] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.313002] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.319932] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.329693] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.339458] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.349226] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.358991] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.368758] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.378524] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.388291] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.398057] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803df0b980 (dev ffffff803f775c00)
[ 6.407912] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.417682] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.427446] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.437212] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.446979] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.456744] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.466512] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.476277] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.486043] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.495810] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.505577] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803da02f80 (dev 0000000000000000)
[ 6.515433] dsa_tree_setup_switches: Setting up port 0 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.354120] dsa_tree_setup_switches: Setting up port 1 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.361045] dsa_tree_setup_switches: Setting up port 2 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.370805] dsa_tree_setup_switches: Setting up port 3 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.380571] dsa_tree_setup_switches: Setting up port 4 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.390337] dsa_tree_setup_switches: Setting up port 5 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.400104] dsa_tree_setup_switches: Setting up port 6 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.409872] dsa_tree_setup_switches: Setting up port 7 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.419637] dsa_tree_setup_switches: Setting up port 8 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.429403] dsa_tree_setup_switches: Setting up port 9 of switch ffffff803db15b80 (dev ffffff803d8e4800)
[ 7.439169] dsa_tree_setup_switches: Setting up port 10 of switch ffffff803db15b80 (dev ffffff803d8e4800)
The solution is to recognize that the functions that call
dsa_switch_touch_ports (dsa_switch_parse_of, dsa_switch_parse) have side
effects, and therefore one should clean up their side effects on error
path. The cleanup of dst->ports was taken from dsa_switch_remove and
moved into a dedicated dsa_switch_release_ports function, which should
really be per-switch (free only the members of dst->ports that are also
members of ds, instead of all switch ports).
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-26 00:01:11 +03:00
dsa_switch_release_ports ( ds ) ;
2019-10-31 05:09:17 +03:00
dsa_tree_put ( dst ) ;
2016-06-04 22:17:07 +03:00
}
void dsa_unregister_switch ( struct dsa_switch * ds )
{
mutex_lock ( & dsa2_mutex ) ;
2017-11-07 00:11:53 +03:00
dsa_switch_remove ( ds ) ;
2016-06-04 22:17:07 +03:00
mutex_unlock ( & dsa2_mutex ) ;
}
EXPORT_SYMBOL_GPL ( dsa_unregister_switch ) ;