lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 4 Apr 2021 08:04:44 +0200
From:   Oleksij Rempel <linux@...pel-privat.de>
To:     Vladimir Oltean <olteanv@...il.com>,
        Oleksij Rempel <o.rempel@...gutronix.de>
Cc:     Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Russell King <linux@...linux.org.uk>,
        Pengutronix Kernel Team <kernel@...gutronix.de>,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-mips@...r.kernel.org
Subject: Re: [PATCH net-next v1 4/9] net: dsa: qca: ar9331: make proper
 initial port defaults

Am 04.04.21 um 02:16 schrieb Vladimir Oltean:
> On Sat, Apr 03, 2021 at 01:48:43PM +0200, Oleksij Rempel wrote:
>> Make sure that all external port are actually isolated from each other,
>> so no packets are leaked.
>>
>> Signed-off-by: Oleksij Rempel <o.rempel@...gutronix.de>
>> ---
>>  drivers/net/dsa/qca/ar9331.c | 145 ++++++++++++++++++++++++++++++++++-
>>  1 file changed, 143 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/dsa/qca/ar9331.c b/drivers/net/dsa/qca/ar9331.c
>> index 9a5035b2f0ff..a3de3598fbf5 100644
>> --- a/drivers/net/dsa/qca/ar9331.c
>> +++ b/drivers/net/dsa/qca/ar9331.c
>> @@ -60,10 +60,19 @@
>>
>>  /* MIB registers */
>>  #define AR9331_MIB_COUNTER(x)			(0x20000 + ((x) * 0x100))
>>
>> @@ -229,6 +278,7 @@ struct ar9331_sw_priv {
>>  	struct regmap *regmap;
>>  	struct reset_control *sw_reset;
>>  	struct ar9331_sw_port port[AR9331_SW_PORTS];
>> +	int cpu_port;
>>  };
>>
>>  static struct ar9331_sw_priv *ar9331_sw_port_to_priv(struct ar9331_sw_port *port)
>> @@ -371,12 +421,72 @@ static int ar9331_sw_mbus_init(struct ar9331_sw_priv *priv)
>>  	return 0;
>>  }
>>
>> -static int ar9331_sw_setup(struct dsa_switch *ds)
>> +static int ar9331_sw_setup_port(struct dsa_switch *ds, int port)
>>  {
>>  	struct ar9331_sw_priv *priv = (struct ar9331_sw_priv *)ds->priv;
>>  	struct regmap *regmap = priv->regmap;
>> +	u32 port_mask, port_ctrl, val;
>>  	int ret;
>>
>> +	/* Generate default port settings */
>> +	port_ctrl = FIELD_PREP(AR9331_SW_PORT_CTRL_PORT_STATE,
>> +			       AR9331_SW_PORT_CTRL_PORT_STATE_DISABLED);
>> +
>> +	if (dsa_is_cpu_port(ds, port)) {
>> +		/*
>> +		 * CPU port should be allowed to communicate with all user
>> +		 * ports.
>> +		 */
>> +		//port_mask = dsa_user_ports(ds);
>
> Code commented out should ideally not be part of a submitted patch.

Sorry I overlooked this one

> And the networking comment style is:
>
> 		/* CPU port should be allowed to communicate with all user
> 		 * ports.
> 		 */

Aaa... networking part of kernel code...

>> +		port_mask = 0;
>> +		/*
>> +		 * Enable atheros header on CPU port. This will allow us
>> +		 * communicate with each port separately
>> +		 */
>> +		port_ctrl |= AR9331_SW_PORT_CTRL_HEAD_EN;
>> +		port_ctrl |= AR9331_SW_PORT_CTRL_LEARN_EN;
>> +	} else if (dsa_is_user_port(ds, port)) {
>> +		/*
>> +		 * User ports should communicate only with the CPU port.
>> +		 */
>> +		port_mask = BIT(priv->cpu_port);
>
> For all you care, the CPU port here is dsa_to_port(ds, port)->cpu_dp->index,
> no need to go to those lengths in order to find it. DSA does not have
> fixed number for the CPU port but a CPU port pointer per port in order
> to not close the door for the future support of multiple CPU ports.

ok.

>> +		/* Enable unicast address learning by default */
>> +		port_ctrl |= AR9331_SW_PORT_CTRL_LEARN_EN
>> +		/* IGMP snooping seems to work correctly, let's use it */
>> +			  | AR9331_SW_PORT_CTRL_IGMP_MLD_EN
>
> I don't really like this ad-hoc enablement of IGMP/MLD snooping from the driver,
> please add the pass-through in DSA for SWITCHDEV_ATTR_ID_BRIDGE_MC_DISABLED
> (dsa_slave_port_attr_set, dsa_port_switchdev_sync, dsa_port_switchdev_unsync
> should all call a dsa_switch_ops :: port_snoop_igmp_mld function) and then
> toggle this bit from there.

sounds good. Looks like there are few more driver need to be fixed:
drivers/net/dsa/lan9303-core.c
drivers/net/dsa/mv88e6xxx/chip.c


>
>> +			  | AR9331_SW_PORT_CTRL_SINGLE_VLAN_EN;
>> +	} else {
>> +		/* Other ports do not need to communicate at all */
>> +		port_mask = 0;
>> +	}
>> +
>> +	val = FIELD_PREP(AR9331_SW_PORT_VLAN_8021Q_MODE,
>> +			 AR9331_SW_8021Q_MODE_NONE) |
>> +		FIELD_PREP(AR9331_SW_PORT_VLAN_PORT_VID_MEMBER, port_mask) |
>> +		FIELD_PREP(AR9331_SW_PORT_VLAN_PORT_VID,
>> +			   AR9331_SW_PORT_VLAN_PORT_VID_DEF);
>> +
>> +	ret = regmap_write(regmap, AR9331_SW_REG_PORT_VLAN(port), val);
>> +	if (ret)
>> +		goto error;
>> +
>> +	ret = regmap_write(regmap, AR9331_SW_REG_PORT_CTRL(port), port_ctrl);
>> +	if (ret)
>> +		goto error;
>> +
>> +	return 0;
>> +error:
>> +	dev_err_ratelimited(priv->dev, "%s: error: %i\n", __func__, ret);
>> +
>> +	return ret;
>> +}
>> +
>> +static int ar9331_sw_setup(struct dsa_switch *ds)
>> +{
>> +	struct ar9331_sw_priv *priv = (struct ar9331_sw_priv *)ds->priv;
>> +	struct regmap *regmap = priv->regmap;
>> +	int ret, i;
>> +
>>  	ret = ar9331_sw_reset(priv);
>>  	if (ret)
>>  		return ret;
>> @@ -390,7 +500,8 @@ static int ar9331_sw_setup(struct dsa_switch *ds)
>>
>>  	/* Do not drop broadcast frames */
>>  	ret = regmap_write_bits(regmap, AR9331_SW_REG_FLOOD_MASK,
>> -				AR9331_SW_FLOOD_MASK_BROAD_TO_CPU,
>> +				AR9331_SW_FLOOD_MASK_BROAD_TO_CPU
>> +				| AR9331_SW_FLOOD_MASK_MULTI_FLOOD_DP,
>>  				AR9331_SW_FLOOD_MASK_BROAD_TO_CPU);
>>  	if (ret)
>>  		goto error;
>> @@ -402,6 +513,36 @@ static int ar9331_sw_setup(struct dsa_switch *ds)
>>  	if (ret)
>>  		goto error;
>>
>> +	/*
>> +	 * Configure the ARL:
>> +	 * AR9331_SW_AT_ARP_EN - why?
>> +	 * AR9331_SW_AT_LEARN_CHANGE_EN - why?
>> +	 */
>
> Good question, why?

I still do not know if it is a good idea. This bits are enabled by
default. May be you can help me understand it. Datasheet says:
ARP_EN:
ARP frame acknowledge enable. Setting this bit to 1 is an
acknowledgement by the hardware of a received ARP frame and allows it
to be copied to the CPU port.

LEARN_CHANGE_EN:
0 - If a hash violation occurs during learning, no new address will be
learned in the ARL
1 - Enables a new MAC address change if a hash violation occurs
during learning

--
Regards,
Oleksij

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ