net: ar8216: address security vulnerabilities in swconfig & ar8216

[openwrt/staging/yousong.git] / target / linux / generic / files / drivers / net / phy / ar8216.c

diff --git a/target/linux/generic/files/drivers/net/phy/ar8216.c b/target/linux/generic/files/drivers/net/phy/ar8216.c
index 8d0afef7414ca7c1c3039b7ae4575d756eec3bd3..746d8e6c3dcc312b03f851901b0c4d9ec8edfa96 100644 (file)
--- a/target/linux/generic/files/drivers/net/phy/ar8216.c
+++ b/target/linux/generic/files/drivers/net/phy/ar8216.c
@@ -1,7 +1,7 @@
 /*
  * ar8216.c: AR8216 switch driver
  *
- * Copyright (C) 2009 Felix Fietkau <nbd@openwrt.org>
+ * Copyright (C) 2009 Felix Fietkau <nbd@nbd.name>
  * Copyright (C) 2011-2012 Gabor Juhos <juhosg@openwrt.org>
  *
  * This program is free software; you can redistribute it and/or
@@ -308,25 +308,33 @@ ar8xxx_phy_dbg_write(struct ar8xxx_priv *priv, int phy_addr,
        mutex_unlock(&bus->mdio_lock);
 }
 
+static inline void
+ar8xxx_phy_mmd_prep(struct mii_bus *bus, int phy_addr, u16 addr, u16 reg)
+{
+       bus->write(bus, phy_addr, MII_ATH_MMD_ADDR, addr);
+       bus->write(bus, phy_addr, MII_ATH_MMD_DATA, reg);
+       bus->write(bus, phy_addr, MII_ATH_MMD_ADDR, addr | 0x4000);
+}
+
 void
-ar8xxx_phy_mmd_write(struct ar8xxx_priv *priv, int phy_addr, u16 addr, u16 data)
+ar8xxx_phy_mmd_write(struct ar8xxx_priv *priv, int phy_addr, u16 addr, u16 reg, u16 data)
 {
        struct mii_bus *bus = priv->mii_bus;
 
        mutex_lock(&bus->mdio_lock);
-       bus->write(bus, phy_addr, MII_ATH_MMD_ADDR, addr);
+       ar8xxx_phy_mmd_prep(bus, phy_addr, addr, reg);
        bus->write(bus, phy_addr, MII_ATH_MMD_DATA, data);
        mutex_unlock(&bus->mdio_lock);
 }
 
 u16
-ar8xxx_phy_mmd_read(struct ar8xxx_priv *priv, int phy_addr, u16 addr)
+ar8xxx_phy_mmd_read(struct ar8xxx_priv *priv, int phy_addr, u16 addr, u16 reg)
 {
        struct mii_bus *bus = priv->mii_bus;
        u16 data;
 
        mutex_lock(&bus->mdio_lock);
-       bus->write(bus, phy_addr, MII_ATH_MMD_ADDR, addr);
+       ar8xxx_phy_mmd_prep(bus, phy_addr, addr, reg);
        data = bus->read(bus, phy_addr, MII_ATH_MMD_DATA);
        mutex_unlock(&bus->mdio_lock);
 
@@ -528,7 +536,7 @@ ar8216_mangle_rx(struct net_device *dev, struct sk_buff *skb)
        if ((buf[12 + 2] != 0x81) || (buf[13 + 2] != 0x00))
                return;
 
-       port = buf[0] & 0xf;
+       port = buf[0] & 0x7;
 
        /* no need to fix up packets coming from a tagged source */
        if (priv->vlan_tagged & (1 << port))
@@ -941,7 +949,8 @@ ar8xxx_sw_set_pvid(struct switch_dev *dev, int port, int vlan)
 
        /* make sure no invalid PVIDs get set */
 
-       if (vlan >= dev->vlans)
+       if (vlan < 0 || vlan >= dev->vlans ||
+           port < 0 || port >= AR8X16_MAX_PORTS)
                return -EINVAL;
 
        priv->pvid[port] = vlan;
@@ -952,6 +961,10 @@ int
 ar8xxx_sw_get_pvid(struct switch_dev *dev, int port, int *vlan)
 {
        struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
+
+       if (port < 0 || port >= AR8X16_MAX_PORTS)
+               return -EINVAL;
+
        *vlan = priv->pvid[port];
        return 0;
 }
@@ -961,6 +974,10 @@ ar8xxx_sw_set_vid(struct switch_dev *dev, const struct switch_attr *attr,
                  struct switch_val *val)
 {
        struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
+
+       if (val->port_vlan >= AR8X16_MAX_PORTS)
+               return -EINVAL;
+
        priv->vlan_id[val->port_vlan] = val->value.i;
        return 0;
 }
@@ -988,9 +1005,13 @@ static int
 ar8xxx_sw_get_ports(struct switch_dev *dev, struct switch_val *val)
 {
        struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
-       u8 ports = priv->vlan_table[val->port_vlan];
+       u8 ports;
        int i;
 
+       if (val->port_vlan >= AR8X16_MAX_VLANS)
+               return -EINVAL;
+
+       ports = priv->vlan_table[val->port_vlan];
        val->len = 0;
        for (i = 0; i < dev->ports; i++) {
                struct switch_port *p;
@@ -1076,10 +1097,25 @@ ar8216_set_mirror_regs(struct ar8xxx_priv *priv)
                           AR8216_PORT_CTRL_MIRROR_TX);
 }
 
+static inline u32
+ar8xxx_age_time_val(int age_time)
+{
+       return (age_time + AR8XXX_REG_ARL_CTRL_AGE_TIME_SECS / 2) /
+              AR8XXX_REG_ARL_CTRL_AGE_TIME_SECS;
+}
+
+static inline void
+ar8xxx_set_age_time(struct ar8xxx_priv *priv, int reg)
+{
+       u32 age_time = ar8xxx_age_time_val(priv->arl_age_time);
+       ar8xxx_rmw(priv, reg, AR8216_ATU_CTRL_AGE_TIME, age_time << AR8216_ATU_CTRL_AGE_TIME_S);
+}
+
 int
 ar8xxx_sw_hw_apply(struct switch_dev *dev)
 {
        struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
+       const struct ar8xxx_chip *chip = priv->chip;
        u8 portmask[AR8X16_MAX_PORTS];
        int i, j;
 
@@ -1103,8 +1139,8 @@ ar8xxx_sw_hw_apply(struct switch_dev *dev)
                                        portmask[i] |= vp & ~mask;
                        }
 
-                       priv->chip->vtu_load_vlan(priv, priv->vlan_id[j],
-                                                priv->vlan_table[j]);
+                       chip->vtu_load_vlan(priv, priv->vlan_id[j],
+                                           priv->vlan_table[j]);
                }
        } else {
                /* vlan disabled:
@@ -1120,10 +1156,14 @@ ar8xxx_sw_hw_apply(struct switch_dev *dev)
 
        /* update the port destination mask registers and tag settings */
        for (i = 0; i < dev->ports; i++) {
-               priv->chip->setup_port(priv, i, portmask[i]);
+               chip->setup_port(priv, i, portmask[i]);
        }
 
-       priv->chip->set_mirror_regs(priv);
+       chip->set_mirror_regs(priv);
+
+       /* set age time */
+       if (chip->reg_arl_ctrl)
+               ar8xxx_set_age_time(priv, chip->reg_arl_ctrl);
 
        mutex_unlock(&priv->reg_mutex);
        return 0;
@@ -1151,6 +1191,7 @@ ar8xxx_sw_reset_switch(struct switch_dev *dev)
        priv->mirror_tx = false;
        priv->source_port = 0;
        priv->monitor_port = 0;
+       priv->arl_age_time = AR8XXX_DEFAULT_ARL_AGE_TIME;
 
        chip->init_globals(priv);
 
@@ -1350,7 +1391,7 @@ ar8xxx_sw_get_port_mib(struct switch_dev *dev,
        struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
        const struct ar8xxx_chip *chip = priv->chip;
        u64 *mib_stats, mib_data;
-       int port;
+       unsigned int port;
        int ret;
        char *buf = priv->buf;
        char buf1[64];
@@ -1373,8 +1414,7 @@ ar8xxx_sw_get_port_mib(struct switch_dev *dev,
        ar8xxx_mib_fetch_port_stat(priv, port, false);
 
        len += snprintf(buf + len, sizeof(priv->buf) - len,
-                       "Port %d MIB counters\n",
-                       port);
+                       "MIB counters\n");
 
        mib_stats = &priv->mib_stats[port * chip->num_mibs];
        for (i = 0; i < chip->num_mibs; i++) {
@@ -1407,6 +1447,34 @@ unlock:
        return ret;
 }
 
+int
+ar8xxx_sw_set_arl_age_time(struct switch_dev *dev, const struct switch_attr *attr,
+                          struct switch_val *val)
+{
+       struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
+       int age_time = val->value.i;
+       u32 age_time_val;
+
+       if (age_time < 0)
+               return -EINVAL;
+
+       age_time_val = ar8xxx_age_time_val(age_time);
+       if (age_time_val == 0 || age_time_val > 0xffff)
+               return -EINVAL;
+
+       priv->arl_age_time = age_time;
+       return 0;
+}
+
+int
+ar8xxx_sw_get_arl_age_time(struct switch_dev *dev, const struct switch_attr *attr,
+                   struct switch_val *val)
+{
+       struct ar8xxx_priv *priv = swdev_to_ar8xxx(dev);
+       val->value.i = priv->arl_age_time;
+       return 0;
+}
+
 int
 ar8xxx_sw_get_arl_table(struct switch_dev *dev,
                        const struct switch_attr *attr,
@@ -1634,6 +1702,7 @@ static const struct ar8xxx_chip ar8216_chip = {
 
        .reg_port_stats_start = 0x19000,
        .reg_port_stats_length = 0xa0,
+       .reg_arl_ctrl = AR8216_REG_ATU_CTRL,
 
        .name = "Atheros AR8216",
        .ports = AR8216_NUM_PORTS,
@@ -1663,6 +1732,7 @@ static const struct ar8xxx_chip ar8236_chip = {
 
        .reg_port_stats_start = 0x20000,
        .reg_port_stats_length = 0x100,
+       .reg_arl_ctrl = AR8216_REG_ATU_CTRL,
 
        .name = "Atheros AR8236",
        .ports = AR8216_NUM_PORTS,
@@ -1692,6 +1762,7 @@ static const struct ar8xxx_chip ar8316_chip = {
 
        .reg_port_stats_start = 0x20000,
        .reg_port_stats_length = 0x100,
+       .reg_arl_ctrl = AR8216_REG_ATU_CTRL,
 
        .name = "Atheros AR8316",
        .ports = AR8216_NUM_PORTS,
@@ -1831,7 +1902,7 @@ ar8xxx_mib_stop(struct ar8xxx_priv *priv)
        if (!ar8xxx_has_mib_counters(priv))
                return;
 
-       cancel_delayed_work(&priv->mib_work);
+       cancel_delayed_work_sync(&priv->mib_work);
 }
 
 static struct ar8xxx_priv *
@@ -2055,21 +2126,21 @@ ar8xxx_phy_match(u32 phy_id)
 static bool
 ar8xxx_is_possible(struct mii_bus *bus)
 {
-       unsigned i;
+       unsigned int i, found_phys = 0;
 
-       for (i = 0; i < 4; i++) {
+       for (i = 0; i < 5; i++) {
                u32 phy_id;
 
                phy_id = mdiobus_read(bus, i, MII_PHYSID1) << 16;
                phy_id |= mdiobus_read(bus, i, MII_PHYSID2);
-               if (!ar8xxx_phy_match(phy_id)) {
+               if (ar8xxx_phy_match(phy_id)) {
+                       found_phys++;
+               } else if (phy_id) {
                        pr_debug("ar8xxx: unknown PHY at %s:%02x id:%08x\n",
                                 dev_name(&bus->dev), i, phy_id);
-                       return false;
                }
        }
-
-       return true;
+       return !!found_phys;
 }
 
 static int
@@ -2113,6 +2184,8 @@ ar8xxx_phy_probe(struct phy_device *phydev)
                swdev->devname, swdev->name, priv->chip_rev,
                dev_name(&priv->mii_bus->dev));
 
+       list_add(&priv->list, &ar8xxx_dev_list);
+
 found:
        priv->use_count++;
 
@@ -2141,8 +2214,6 @@ found:
 
        phydev->priv = priv;
 
-       list_add(&priv->list, &ar8xxx_dev_list);
-
        mutex_unlock(&ar8xxx_dev_list_lock);
 
        return 0;
@@ -2183,10 +2254,14 @@ ar8xxx_phy_remove(struct phy_device *phydev)
                return;
 
        phydev->priv = NULL;
-       if (--priv->use_count > 0)
-               return;
 
        mutex_lock(&ar8xxx_dev_list_lock);
+
+       if (--priv->use_count > 0) {
+               mutex_unlock(&ar8xxx_dev_list_lock);
+               return;
+       }
+
        list_del(&priv->list);
        mutex_unlock(&ar8xxx_dev_list_lock);
 
@@ -2236,4 +2311,3 @@ ar8xxx_exit(void)
 module_init(ar8xxx_init);
 module_exit(ar8xxx_exit);
 MODULE_LICENSE("GPL");
-