1. 29 Oct, 2017 28 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 19e12196
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix route leak in xfrm_bundle_create().
      
       2) In mac80211, validate user rate mask before configuring it. From
          Johannes Berg.
      
       3) Properly enforce memory limits in fair queueing code, from Toke
          Hoiland-Jorgensen.
      
       4) Fix lockdep splat in inet_csk_route_req(), from Eric Dumazet.
      
       5) Fix TSO header allocation and management in mvpp2 driver, from Yan
          Markman.
      
       6) Don't take socket lock in BH handler in strparser code, from Tom
          Herbert.
      
       7) Don't show sockets from other namespaces in AF_UNIX code, from
          Andrei Vagin.
      
       8) Fix double free in error path of tap_open(), from Girish Moodalbail.
      
       9) Fix TX map failure path in igb and ixgbe, from Jean-Philippe Brucker
          and Alexander Duyck.
      
      10) Fix DCB mode programming in stmmac driver, from Jose Abreu.
      
      11) Fix err_count handling in various tunnels (ipip, ip6_gre). From Xin
          Long.
      
      12) Properly align SKB head before building SKB in tuntap, from Jason
          Wang.
      
      13) Avoid matching qdiscs with a zero handle during lookups, from Cong
          Wang.
      
      14) Fix various endianness bugs in sctp, from Xin Long.
      
      15) Fix tc filter callback races and add selftests which trigger the
          problem, from Cong Wang.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
        selftests: Introduce a new test case to tc testsuite
        selftests: Introduce a new script to generate tc batch file
        net_sched: fix call_rcu() race on act_sample module removal
        net_sched: add rtnl assertion to tcf_exts_destroy()
        net_sched: use tcf_queue_work() in tcindex filter
        net_sched: use tcf_queue_work() in rsvp filter
        net_sched: use tcf_queue_work() in route filter
        net_sched: use tcf_queue_work() in u32 filter
        net_sched: use tcf_queue_work() in matchall filter
        net_sched: use tcf_queue_work() in fw filter
        net_sched: use tcf_queue_work() in flower filter
        net_sched: use tcf_queue_work() in flow filter
        net_sched: use tcf_queue_work() in cgroup filter
        net_sched: use tcf_queue_work() in bpf filter
        net_sched: use tcf_queue_work() in basic filter
        net_sched: introduce a workqueue for RCU callbacks of tc filter
        sctp: fix some type cast warnings introduced since very beginning
        sctp: fix a type cast warnings that causes a_rwnd gets the wrong value
        sctp: fix some type cast warnings introduced by transport rhashtable
        sctp: fix some type cast warnings introduced by stream reconf
        ...
    • Merge branch 'net_sched-fix-races-with-RCU-callbacks' · 6c325f4e
      David S. Miller authored
      Cong Wang says:
      
      ====================
      net_sched: fix races with RCU callbacks
      
      Recently, the RCU callbacks used in TC filters and TC actions keep
      drawing my attention, they introduce at least 4 race condition bugs:
      
      1. A simple one fixed by Daniel:
      
      commit c78e1746
      Author: Daniel Borkmann <daniel@iogearbox.net>
      Date:   Wed May 20 17:13:33 2015 +0200
      
          net: sched: fix call_rcu() race on classifier module unloads
      
      2. A very nasty one fixed by me:
      
      commit 1697c4bb
      Author: Cong Wang <xiyou.wangcong@gmail.com>
      Date:   Mon Sep 11 16:33:32 2017 -0700
      
          net_sched: carefully handle tcf_block_put()
      
      3. Two more bugs found by Chris:
      https://patchwork.ozlabs.org/patch/826696/
      https://patchwork.ozlabs.org/patch/826695/
      
      Usually RCU callbacks are simple, however for TC filters and actions,
      they are complex because at least TC actions could be destroyed
      together with the TC filter in one callback. And RCU callbacks are
      invoked in BH context, without locking they are parallel too. All of
      these contribute to the cause of these nasty bugs.
      
      Alternatively, we could also:
      
      a) Introduce a spinlock to serialize these RCU callbacks. But as I
      said in commit 1697c4bb ("net_sched: carefully handle
      tcf_block_put()"), it is very hard to do because of tcf_chain_dump().
      Potentially we need to do a lot of work to make it possible (if not
      impossible).
      
      b) Just get rid of these RCU callbacks, because they are not
      necessary at all, callers of these call_rcu() are all on slow paths
      and holding RTNL lock, so blocking is allowed in their contexts.
      However, David and Eric dislike adding synchronize_rcu() here.
      
      As suggested by Paul, we could defer the work to a workqueue and
      gain the permission of holding RTNL again without any performance
      impact, however, in tcf_block_put() we could have a deadlock when
      flushing workqueue while holding RTNL lock, the trick here is to
      defer the work itself in workqueue and make it queued after all
      other works so that we keep the same ordering to avoid any
      use-after-free. Please see the first patch for details.
      
      Patch 1 introduces the infrastructure, patch 2~12 move each
      tc filter to the new tc filter workqueue, patch 13 adds
      an assertion to catch potential bugs like this, patch 14
      closes another rcu callback race, patch 15 and patch 16 add
      new test cases.
      ====================
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: Introduce a new test case to tc testsuite · 31c2611b
      Chris Mi authored
      In this patchset, we fixed a tc bug. This patch adds the test case
      that reproduces the bug. To run this test case, user should specify
      an existing NIC device:
        # sudo ./tdc.py -d enp4s0f0
      
      This test case belongs to category "flower". If user doesn't specify
      a NIC device, the test cases belong to "flower" will not be run.
      
      In this test case, we create 1M filters and all filters share the same
      action. When destroying all filters, kernel should not panic. It takes
      about 18s to run it.
      Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Acked-by: Lucas Bates <lucasb@mojatatu.com>
      Signed-off-by: Chris Mi <chrism@mellanox.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: Introduce a new script to generate tc batch file · 7f071998
      Chris Mi authored
        # ./tdc_batch.py -h
        usage: tdc_batch.py [-h] [-n NUMBER] [-o] [-s] [-p] device file
      
        TC batch file generator
      
        positional arguments:
          device                device name
          file                  batch file name
      
        optional arguments:
          -h, --help            show this help message and exit
          -n NUMBER, --number NUMBER
                                how many lines in batch file
          -o, --skip_sw         skip_sw (offload), by default skip_hw
          -s, --share_action    all filters share the same action
          -p, --prio            all filters have different prio
      Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Acked-by: Lucas Bates <lucasb@mojatatu.com>
      Signed-off-by: Chris Mi <chrism@mellanox.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: fix call_rcu() race on act_sample module removal · 46e235c1
      Cong Wang authored
      Similar to commit c78e1746
      ("net: sched: fix call_rcu() race on classifier module unloads"),
      we need to wait for flying RCU callback tcf_sample_cleanup_rcu().
      
      Cc: Yotam Gigi <yotamg@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: add rtnl assertion to tcf_exts_destroy() · 2d132eba
      Cong Wang authored
      After previous patches, it is now safe to claim that
      tcf_exts_destroy() is always called with RTNL lock.
      
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in tcindex filter · 27ce4f05
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in rsvp filter · d4f84a41
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in route filter · c2f3f31d
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in u32 filter · c0d378ef
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in matchall filter · df2735ee
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in fw filter · e071dff2
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in flower filter · 0552c8af
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in flow filter · 94cdb475
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in cgroup filter · b1b5b04f
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in bpf filter · e910af67
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: use tcf_queue_work() in basic filter · c96a4838
      Cong Wang authored
      Defer the tcf_exts_destroy() in RCU callback to
      tc filter workqueue and get RTNL lock.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: introduce a workqueue for RCU callbacks of tc filter · 7aa0045d
      Cong Wang authored
      This patch introduces a dedicated workqueue for tc filters
      so that each tc filter's RCU callback could defer their
      action destroy work to this workqueue. The helper
      tcf_queue_work() is introduced for them to use.
      
      Because we hold RTNL lock when calling tcf_block_put(), we
      can not simply flush works inside it, therefore we have to
      defer it again to this workqueue and make sure all flying RCU
      callbacks have already queued their work before this one, in
      other words, to ensure this is the last one to execute to
      prevent any use-after-free.
      
      On the other hand, this makes tcf_block_put() ugly and
      harder to understand. Since David and Eric strongly dislike
      adding synchronize_rcu(), this is probably the only
      solution that could make everyone happy.
      
      Please also see the code comments below.
      Reported-by: Chris Mi <chrism@mellanox.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'sctp-endianness-fixes' · 8c83c885
      David S. Miller authored
      Xin Long says:
      
      ====================
      sctp: a bunch of fixes for some sparse warnings
      
      As Eric noticed, when running 'make C=2 M=net/sctp/', a plenty of
      warnings or errors checked by sparse appear. They are all problems
      about Endian and type cast.
      
      Most of them are just warnings by which no issues could be caused
      while some might be bugs.
      
      This patchset fixes them with four patches basically according to
      how they are introduced.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: fix some type cast warnings introduced since very beginning · 978aa047
      Xin Long authored
      These warnings were found by running 'make C=2 M=net/sctp/'.
      They are there since very beginning.
      
      Note after this patch, there still one warning left in
      sctp_outq_flush():
        sctp_chunk_fail(chunk, SCTP_ERROR_INV_STRM)
      
      Since it has been moved to sctp_stream_outq_migrate on net-next,
      to avoid the extra job when merging net-next to net, I will post
      the fix for it after the merging is done.
      Reported-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: fix a type cast warnings that causes a_rwnd gets the wrong value · f6fc6bc0
      Xin Long authored
      These warnings were found by running 'make C=2 M=net/sctp/'.
      
      Commit d4d6fb57 ("sctp: Try not to change a_rwnd when faking a
      SACK from SHUTDOWN.") expected to use the peers old rwnd and add
      our flight size to the a_rwnd. But with the wrong Endian, it may
      not work as well as expected.
      
      So fix it by converting to the right value.
      
      Fixes: d4d6fb57 ("sctp: Try not to change a_rwnd when faking a SACK from SHUTDOWN.")
      Reported-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: fix some type cast warnings introduced by transport rhashtable · 8d32503e
      Xin Long authored
      These warnings were found by running 'make C=2 M=net/sctp/'.
      
      They are introduced by not aware of Endian for the port when
      coding transport rhashtable patches.
      
      Fixes: 7fda702f ("sctp: use new rhlist interface on sctp transport rhashtable")
      Reported-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: fix some type cast warnings introduced by stream reconf · 1da4fc97
      Xin Long authored
      These warnings were found by running 'make C=2 M=net/sctp/'.
      
      They are introduced by not aware of Endian when coding stream
      reconf patches.
      
      Since commit c0d8bab6 ("sctp: add get and set sockopt for
      reconf_enable") enabled stream reconf feature for users, the
      Fixes tag below would use it.
      
      Fixes: c0d8bab6 ("sctp: add get and set sockopt for reconf_enable")
      Reported-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: avoid matching qdisc with zero handle · 50317fce
      Cong Wang authored
      Davide found the following script triggers a NULL pointer
      dereference:
      
      ip l a name eth0 type dummy
      tc q a dev eth0 parent :1 handle 1: htb
      
      This is because for a freshly created netdevice noop_qdisc
      is attached and when passing 'parent :1', kernel actually
      tries to match the major handle which is 0 and noop_qdisc
      has handle 0 so is matched by mistake. Commit 69012ae4
      tries to fix a similar bug but still misses this case.
      
      Handle 0 is not a valid one, should be just skipped. In
      fact, kernel uses it as TC_H_UNSPEC.
      
      Fixes: 69012ae4 ("net: sched: fix handling of singleton qdiscs with qdisc_hash")
      Fixes: 59cc1f61 ("net: sched:convert qdisc linked list to hashtable")
      Reported-by: Davide Caratti <dcaratti@redhat.com>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: reset owner sk for data chunks on out queues when migrating a sock · d04adf1b
      Xin Long authored
      Now when migrating sock to another one in sctp_sock_migrate(), it only
      resets owner sk for the data in receive queues, not the chunks on out
      queues.
      
      It would cause that data chunks length on the sock is not consistent
      with sk sk_wmem_alloc. When closing the sock or freeing these chunks,
      the old sk would never be freed, and the new sock may crash due to
      the overflow sk_wmem_alloc.
      
      syzbot found this issue with this series:
      
        r0 = socket$inet_sctp()
        sendto$inet(r0)
        listen(r0)
        accept4(r0)
        close(r0)
      
      Although listen() should have returned error when one TCP-style socket
      is in connecting (I may fix this one in another patch), it could also
      be reproduced by peeling off an assoc.
      
      This issue is there since very beginning.
      
      This patch is to reset owner sk for the chunks on out queues so that
      sk sk_wmem_alloc has correct value after accept one sock or peeloff
      an assoc to one sock.
      
      Note that when resetting owner sk for chunks on outqueue, it has to
      sctp_clear_owner_w/skb_orphan chunks before changing assoc->base.sk
      first and then sctp_set_owner_w them after changing assoc->base.sk,
      due to that sctp_wfree and its callees are using assoc->base.sk.
      Reported-by: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'sockmap-fixes' · 151516fa
      David S. Miller authored
      John Fastabend says:
      
      ====================
      net: sockmap fixes
      
      Last two fixes (as far as I know) for sockmap code this round.
      
      First, we are using the qdisc cb structure when making the data end
      calculation. This is really just wrong so, store it with the other
      metadata in the correct tcp_skb_cb struct to avoid breaking things.
      
      Next, with recent work to attach multiple programs to a cgroup a
      specific enumeration of return codes was agreed upon. However,
      I wrote the sk_skb program types before seeing this work and used
      a different convention. Patch 2 in the series aligns the return
      codes to avoid breaking with this infrastructure and also aligns
      with other programming conventions to avoid being the odd duck out
      forcing programs to remember SK_SKB programs are different. Pushing
      to net because it's a user visible change. With this SK_SKB program
      return codes are the same as other cgroup program types.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf: rename sk_actions to align with bpf infrastructure · bfa64075
      John Fastabend authored
      Recent additions to support multiple programs in cgroups impose
      a strict requirement, "all yes is yes, any no is no". To enforce
      this the infrastructure requires the 'no' return code, SK_DROP in
      this case, to be 0.
      
      To apply these rules to SK_SKB program types the sk_actions return
      codes need to be adjusted.
      
      This fix adds SK_PASS and makes 'SK_DROP = 0'. Finally, remove
      SK_ABORTED to remove any chance that the API may allow aborted
      program flows to be passed up the stack. This would be incorrect
      behavior and allow programs to break existing policies.
      Signed-off-by: John Fastabend <john.fastabend@gmail.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf: bpf_compute_data uses incorrect cb structure · 8108a775
      John Fastabend authored
      SK_SKB program types use bpf_compute_data to store the end of the
      packet data. However, bpf_compute_data assumes the cb is stored in the
      qdisc layer format. But, for SK_SKB this is the wrong layer of the
      stack for this type.
      
      It happens to work (sort of!) because in most cases nothing happens
      to be overwritten today. This is very fragile and error prone.
      Fortunately, we have another hole in tcp_skb_cb we can use so let's
      put the data_end value there.
      
      Note, SK_SKB program types do not use data_meta, they are failed by
      sk_skb_is_valid_access().
      Signed-off-by: John Fastabend <john.fastabend@gmail.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 28 Oct, 2017 12 commits
    • Merge tag 'kbuild-fixes-v4.14-2' of... · 25a5d23b
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - fix O= building on dash
      
       - remove unused dependency in Makefile
      
       - fix default of a choice in Kconfig
      
       - fix typos and documentation style
      
       - fix command options unrecognized by sparse
      
      * tag 'kbuild-fixes-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: clang: fix build failures with sparse check
        kbuild doc: a bundle of fixes on makefiles.txt
        Makefile: kselftest: fix grammar typo
        kbuild: Fix optimization level choice default
        kbuild: drop unused symverfile in Makefile.modpost
        kbuild: revert $(realpath ...) to $(shell cd ... && /bin/pwd)
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · a7d3e63f
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - fix gtco tablet driver, tightening parsing of HID descriptors
      
       - add ACPI ID added to Elan driver to be able to handle touchpads found
         in Lenovo Ideapad 320/520
      
       - fix the Synaptics RMI4 driver to adjust handling of buttons
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: synaptics-rmi4 - limit the range of what GPIOs are buttons
        Input: gtco - fix potential out-of-bound access
        Input: elan_i2c - add ELAN0611 to the ACPI table
    • Merge tag 'pci-v4.14-fixes-6' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 22450e03
      Linus Torvalds authored
      Pull PCI fix from Bjorn Helgaas:
       "Move alpha PCI IRQ map/swizzle functions out of initdata to fix
        regression from PCI core IRQ mapping changes (Lorenzo Pieralisi)"
      
      * tag 'pci-v4.14-fixes-6' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        alpha/PCI: Move pci_map_irq()/pci_swizzle() out of initdata
    • Merge tag 'drm-fixes-for-v4.14-rc7' of git://people.freedesktop.org/~airlied/linux · b35f0ca7
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Two amd fixes, one i915 core and a few i915 GVT fixes, things seem
        fairly quiet"
      
      * tag 'drm-fixes-for-v4.14-rc7' of git://people.freedesktop.org/~airlied/linux:
        drm/i915/gvt: Adding ACTHD mmio read handler
        drm/i915/gvt: Extract mmio_read_from_hw() common function
        drm/i915/gvt: Refine MMIO_RING_F()
        drm/i915/gvt: properly check per_ctx bb valid state
        drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace
        drm/amd/amdgpu: Remove workaround check for UVD6 on APUs
        drm/amd/powerplay: fix uninitialized variable
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 5345da89
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Six fixes for mostly minor issues, most of which have small race
        windows for occurring"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: Suppress a kernel warning in case the prep function returns BLKPREP_DEFER
        scsi: sg: Re-fix off by one in sg_fill_request_table()
        scsi: aacraid: Fix controller initialization failure
        scsi: hpsa: Fix configured_logical_drive_count check
        scsi: qla2xxx: Initialize Work element before requesting IRQs
        scsi: zfcp: fix erp_action use-before-initialize in REC action trace
    • David Howells's avatar
      assoc_array: Fix a buggy node-splitting case · ea678998
      David Howells authored
      This fixes CVE-2017-12193.
      
      Fix a case in the assoc_array implementation in which a new leaf is
      added that needs to go into a node that happens to be full, where the
      existing leaves in that node cluster together at that level to the
      exclusion of the new leaf.
      
      What needs to happen is that the existing leaves get moved out to a new
      node, N1, at level + 1 and the existing node needs replacing with one,
      N0, that has pointers to the new leaf and to N1.
      
      The code that tries to do this gets this wrong in two ways:
      
       (1) The pointer that should've pointed from N0 to N1 is set to point
           recursively to N0 instead.
      
       (2) The backpointer from N0 needs to be set correctly in the case N0 is
           either the root node or reached through a shortcut.
      
      Fix this by removing this path and using the split_node path instead,
      which achieves the same end, but in a more general way (thanks to Eric
      Biggers for spotting the redundancy).
      
      The problem manifests itself as:
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
        IP: assoc_array_apply_edit+0x59/0xe5
      
      Fixes: 3cb98950 ("Add a generic associative array implementation.")
      Reported-and-tested-by: WU Fan <u3536072@connect.hku.hk>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Cc: stable@vger.kernel.org [v3.13-rc1+]
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Linus Torvalds's avatar
      Merge tag '4.14-smb3-fixes-for-stable' of git://git.samba.org/sfrench/cifs-2.6 · 78140234
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Various SMB3 fixes for 4.14 and stable"
      
      * tag '4.14-smb3-fixes-for-stable' of git://git.samba.org/sfrench/cifs-2.6:
        SMB3: Validate negotiate request must always be signed
        SMB: fix validate negotiate info uninitialised memory use
        SMB: fix leak of validate negotiate info response buffer
        CIFS: Fix NULL pointer deref on SMB2_tcon() failure
        CIFS: do not send invalid input buffer on QUERY_INFO requests
        cifs: Select all required crypto modules
        CIFS: SMBD: Fix the definition for SMB2_CHANNEL_RDMA_V1_INVALIDATE
        cifs: handle large EA requests more gracefully in smb2+
        Fix encryption labels and lengths for SMB3.1.1
    • Linus Torvalds's avatar
      Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · c9f27f9f
      Linus Torvalds authored
      Pull overlayfs fixes from Miklos Szeredi:
       "Fix several issues, most of them introduced in the last release"
      
      * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: do not cleanup unsupported index entries
        ovl: handle ENOENT on index lookup
        ovl: fix EIO from lookup of non-indexed upper
        ovl: Return -ENOMEM if an allocation fails ovl_lookup()
        ovl: add NULL check in ovl_alloc_inode
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · a9af9835
      Linus Torvalds authored
      Pull fuse fix from Miklos Szeredi:
       "This fixes a longstanding bug, which can be triggered by interrupting
        a directory reading syscall"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: fix READDIRPLUS skipping an entry
    • Girish Moodalbail's avatar
      tap: reference to KVA of an unloaded module causes kernel panic · dea6e19f
      Girish Moodalbail authored
      The commit 9a393b5d ("tap: tap as an independent module") created a
      separate tap module that implements tap functionality and exports
      interfaces that will be used by macvtap and ipvtap modules to create
      respective tap devices.
      
      However, that patch introduced a regression wherein the modules macvtap
      and ipvtap can be removed (through modprobe -r) while there are
      applications using the respective /dev/tapX devices. These applications
      cause kernel to hold reference to /dev/tapX through 'struct cdev
      macvtap_cdev' and 'struct cdev ipvtap_dev' defined in macvtap and ipvtap
      modules respectively. So, when the application is later closed the
      kernel panics because we are referencing KVA that is present in the
      unloaded modules.
      
      ----------8<------- Example ----------8<----------
      $ sudo ip li add name mv0 link enp7s0 type macvtap
      $ sudo ip li show mv0 |grep mv0| awk -e '{print $1 $2}'
        14:mv0@enp7s0:
      $ cat /dev/tap14 &
      $ lsmod |egrep -i 'tap|vlan'
      macvtap                16384  0
      macvlan                24576  1 macvtap
      tap                    24576  3 macvtap
      $ sudo modprobe -r macvtap
      $ fg
      cat /dev/tap14
      ^C
      
      <...system panics...>
      BUG: unable to handle kernel paging request at ffffffffa038c500
      IP: cdev_put+0xf/0x30
      ----------8<-----------------8<----------
      
      The fix is to set cdev.owner to the module that creates the tap device
      (either macvtap or ipvtap). With this set, the operations (in
      fs/char_dev.c) on the char device hold and release the module through
      cdev_get() and cdev_put() and will not allow the module to unload
      prematurely.
      
      Fixes: 9a393b5d (tap: tap as an independent module)
      Signed-off-by: Girish Moodalbail <girish.moodalbail@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
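The reference-counting effect of the cdev.owner fix described in the tap commit above, as a userspace C model added here; it is not kernel code and not part of the commit. The two-field structs and the unload_while_open() helper are simplifications assumed for illustration, while the function names mirror the kernel helpers the commit message mentions.

```c
/* Userspace model, constructed for illustration; not kernel source. */
#include <stdbool.h>
#include <stdio.h>
struct module { int refcnt; bool loaded; };
struct cdev { struct module *owner; };  /* lives in the module's memory */

/* try_module_get(): pin the module unless it is already unloaded. */
static bool try_module_get(struct module *m)
{
    if (m->loaded)
        m->refcnt++;
    return m->loaded;
}
/* cdev_get(): opening the device pins cdev.owner, when one is set. */
static bool cdev_get(struct cdev *c)
{
    return !c->owner || try_module_get(c->owner);
}
/* cdev_put(): closing the device drops that pin again. */
static void cdev_put(struct cdev *c)
{
    if (c->owner)
        c->owner->refcnt--;
}
/* modprobe -r: refused while anything still pins the module. */
static bool module_unload(struct module *m)
{
    if (m->refcnt == 0)
        m->loaded = false;
    return !m->loaded;
}
/* Replay: open /dev/tapX, then modprobe -r. True means the module went
 * away with the device still open, so the later close would fault. */
bool unload_while_open(bool owner_set)
{
    struct module macvtap = { 0, true };
    struct cdev macvtap_cdev = { owner_set ? &macvtap : NULL };
    if (!cdev_get(&macvtap_cdev))
        return false;
    if (module_unload(&macvtap))
        return true;
    cdev_put(&macvtap_cdev);  /* safe close: module is still loaded */
    return false;
}
int main(void)
{
    printf("unset=%d set=%d\n", unload_while_open(false), unload_while_open(true));
    return 0;
}
```

With the owner unset the unload succeeds while the device is open, which is the state behind the cdev_put panic in the commit's example; with it set, the unload is refused until the last close.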
    • Eric Dumazet's avatar
      tcp: refresh tp timestamp before tcp_mtu_probe() · ee1836ae
      Eric Dumazet authored
      In the unlikely event tcp_mtu_probe() is sending a packet, we
      want tp->tcp_mstamp being as accurate as possible.
      
      This means we need to call tcp_mstamp_refresh() a bit earlier in
      tcp_write_xmit().
      
      Fixes: 385e2070 ("tcp: use tp->tcp_mstamp in output path")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Jason Wang's avatar
      tuntap: properly align skb->head before building skb · 63b9ab65
      Jason Wang authored
      An unaligned alloc_frag->offset caused by previous allocation will
      result in an unaligned skb->head. This will lead to an unaligned
      skb_shared_info and then an unaligned dataref, which is required to be
      aligned for access on some architectures. Fix this by aligning
      alloc_frag->offset before the frag refilling.
      
      Fixes: 0bbd7dad ("tun: make tun_build_skb() thread safe")
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
      Cc: Wei Wei <dotweiba@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Reported-by: Wei Wei <dotweiba@gmail.com>
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>