From aeb20b6b3f4e1f88ce6a2802dabc667b607412ef Mon Sep 17 00:00:00 2001
From: Iyappan Subramanian <isubramanian@apm.com>
Date: Mon, 23 Nov 2015 12:04:52 -0800
Subject: drivers: net: xgene: fix: ifconfig up/down crash

Fixing kernel crash when doing ifconfig down and up in a loop,

[ 124.028237] Call trace:
[ 124.030670] [<ffffffc000367ce0>] memcpy+0x20/0x180
[ 124.035436] [<ffffffc00053c250>] skb_clone+0x3c/0xa8
[ 124.040374] [<ffffffc00053ffa4>] __skb_tstamp_tx+0xc0/0x118
[ 124.045918] [<ffffffc00054000c>] skb_tstamp_tx+0x10/0x1c
[ 124.051203] [<ffffffc00049bc84>] xgene_enet_start_xmit+0x2e4/0x33c
[ 124.057352] [<ffffffc00054fc20>] dev_hard_start_xmit+0x2e8/0x400
[ 124.063327] [<ffffffc00056cb14>] sch_direct_xmit+0x90/0x1d4
[ 124.068870] [<ffffffc000550100>] __dev_queue_xmit+0x28c/0x498
[ 124.074585] [<ffffffc00055031c>] dev_queue_xmit_sk+0x10/0x1c
[ 124.080216] [<ffffffc0005c3f14>] ip_finish_output2+0x3d0/0x438
[ 124.086017] [<ffffffc0005c5794>] ip_finish_output+0x198/0x1ac
[ 124.091732] [<ffffffc0005c61d4>] ip_output+0xec/0x164
[ 124.096755] [<ffffffc0005c5910>] ip_local_out_sk+0x38/0x48
[ 124.102211] [<ffffffc0005c5d84>] ip_queue_xmit+0x288/0x330
[ 124.107668] [<ffffffc0005da8bc>] tcp_transmit_skb+0x908/0x964
[ 124.113383] [<ffffffc0005dc0d4>] tcp_send_ack+0x128/0x138
[ 124.118753] [<ffffffc0005d1580>] __tcp_ack_snd_check+0x5c/0x94
[ 124.124555] [<ffffffc0005d7a0c>] tcp_rcv_established+0x554/0x68c
[ 124.130530] [<ffffffc0005df0d4>] tcp_v4_do_rcv+0xa4/0x37c
[ 124.135900] [<ffffffc000539430>] release_sock+0xb4/0x150
[ 124.141184] [<ffffffc0005cdf88>] tcp_recvmsg+0x448/0x9e0
[ 124.146468] [<ffffffc0005f2f3c>] inet_recvmsg+0xa0/0xc0
[ 124.151666] [<ffffffc000533660>] sock_recvmsg+0x10/0x1c
[ 124.156863] [<ffffffc0005370d4>] SyS_recvfrom+0xa4/0xf8
[ 124.162061] Code: f2400c84 540001c0 cb040042 36000064 (38401423)
[ 124.168133] ---[ end trace 7ab2550372e8a65b ]---

The fix was to reorder napi_enable, napi_disable, request_irq and
free_irq calls, move register_netdev after dma_coerce_mask_and_coherent.

Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Tested-by: Khuong Dinh <kdinh@apm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 29 +++++++++++++-----------
 1 file changed, 16 insertions(+), 13 deletions(-)

(limited to 'drivers/net/ethernet/apm/xgene')

diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
index 991412ce6f48..1adfe7036843 100644
--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
@@ -688,10 +688,10 @@ static int xgene_enet_open(struct net_device *ndev)
 	mac_ops->tx_enable(pdata);
 	mac_ops->rx_enable(pdata);
 
+	xgene_enet_napi_enable(pdata);
 	ret = xgene_enet_register_irq(ndev);
 	if (ret)
 		return ret;
-	xgene_enet_napi_enable(pdata);
 
 	if (pdata->phy_mode == PHY_INTERFACE_MODE_RGMII)
 		phy_start(pdata->phy_dev);
@@ -715,13 +715,13 @@ static int xgene_enet_close(struct net_device *ndev)
 	else
 		cancel_delayed_work_sync(&pdata->link_work);
 
-	xgene_enet_napi_disable(pdata);
-	xgene_enet_free_irq(ndev);
-	xgene_enet_process_ring(pdata->rx_ring, -1);
-
 	mac_ops->tx_disable(pdata);
 	mac_ops->rx_disable(pdata);
 
+	xgene_enet_free_irq(ndev);
+	xgene_enet_napi_disable(pdata);
+	xgene_enet_process_ring(pdata->rx_ring, -1);
+
 	return 0;
 }
 
@@ -1474,15 +1474,15 @@ static int xgene_enet_probe(struct platform_device *pdev)
 	}
 	ndev->hw_features = ndev->features;
 
-	ret = register_netdev(ndev);
+	ret = dma_coerce_mask_and_coherent(dev, DMA_BIT_MASK(64));
 	if (ret) {
-		netdev_err(ndev, "Failed to register netdev\n");
+		netdev_err(ndev, "No usable DMA configuration\n");
 		goto err;
 	}
 
-	ret = dma_coerce_mask_and_coherent(dev, DMA_BIT_MASK(64));
+	ret = register_netdev(ndev);
 	if (ret) {
-		netdev_err(ndev, "No usable DMA configuration\n");
+		netdev_err(ndev, "Failed to register netdev\n");
 		goto err;
 	}
 
@@ -1490,14 +1490,17 @@ static int xgene_enet_probe(struct platform_device *pdev)
 	if (ret)
 		goto err;
 
-	xgene_enet_napi_add(pdata);
 	mac_ops = pdata->mac_ops;
-	if (pdata->phy_mode == PHY_INTERFACE_MODE_RGMII)
+	if (pdata->phy_mode == PHY_INTERFACE_MODE_RGMII) {
 		ret = xgene_enet_mdio_config(pdata);
-	else
+		if (ret)
+			goto err;
+	} else {
 		INIT_DELAYED_WORK(&pdata->link_work, mac_ops->link_state);
+	}
 
-	return ret;
+	xgene_enet_napi_add(pdata);
+	return 0;
 err:
 	unregister_netdev(ndev);
 	free_netdev(ndev);
-- 
cgit v1.2.3-59-g8ed1b


From 9ffad80a9c65d7c2ab5ad6cb8b4b0559b9ed8b8c Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 25 Nov 2015 09:02:10 -0800
Subject: drivers: net: xgene: fix possible use after free

Once TX has been enabled on a NIC, it is illegal to access skb,
as this skb might have been freed by another cpu, from TX completion
handler.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Cc: Iyappan Subramanian <isubramanian@apm.com>
Acked-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'drivers/net/ethernet/apm/xgene')

diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
index 1adfe7036843..9147a0107c44 100644
--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
@@ -450,12 +450,12 @@ static netdev_tx_t xgene_enet_start_xmit(struct sk_buff *skb,
 		return NETDEV_TX_OK;
 	}
 
-	pdata->ring_ops->wr_cmd(tx_ring, count);
 	skb_tx_timestamp(skb);
 
 	pdata->stats.tx_packets++;
 	pdata->stats.tx_bytes += skb->len;
 
+	pdata->ring_ops->wr_cmd(tx_ring, count);
 	return NETDEV_TX_OK;
 }
 
-- 
cgit v1.2.3-59-g8ed1b