1. 14 Apr, 2020 2 commits
    • Andrii Nakryiko's avatar
      bpf: Prevent re-mmap()'ing BPF map as writable for initially r/o mapping · 1f6cb19b
      Andrii Nakryiko authored
      VM_MAYWRITE flag during initial memory mapping determines if already mmap()'ed
      pages can be later remapped as writable ones through mprotect() call. To
      prevent user application to rewrite contents of memory-mapped as read-only and
      subsequently frozen BPF map, remove VM_MAYWRITE flag completely on initially
      read-only mapping.
      
      Alternatively, we could treat any memory-mapping on unfrozen map as writable
      and bump writecnt instead. But there is little legitimate reason to map
      BPF map as read-only and then re-mmap() it as writable through mprotect(),
      instead of just mmap()'ing it as read/write from the very beginning.
      
      Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap
      operations. We can just rely on VMA holding reference to BPF map's file
      properly.
      
      Fixes: fc970227 ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
      Reported-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarJann Horn <jannh@google.com>
      Link: https://lore.kernel.org/bpf/20200410202613.3679837-1-andriin@fb.com
      1f6cb19b
    • Luke Nelson's avatar
      arm, bpf: Fix offset overflow for BPF_MEM BPF_DW · 4178417c
      Luke Nelson authored
      This patch fixes an incorrect check in how immediate memory offsets are
      computed for BPF_DW on arm.
      
      For BPF_LDX/ST/STX + BPF_DW, the 32-bit arm JIT breaks down an 8-byte
      access into two separate 4-byte accesses using off+0 and off+4. If off
      fits in imm12, the JIT emits a ldr/str instruction with the immediate
      and avoids the use of a temporary register. While the current check off
      <= 0xfff ensures that the first immediate off+0 doesn't overflow imm12,
      it's not sufficient for the second immediate off+4, which may cause the
      second access of BPF_DW to read/write the wrong address.
      
      This patch fixes the problem by changing the check to
      off <= 0xfff - 4 for BPF_DW, ensuring off+4 will never overflow.
      
      A side effect of simplifying the check is that it now allows using
      negative immediate offsets in ldr/str. This means that small negative
      offsets can also avoid the use of a temporary register.
      
      This patch introduces no new failures in test_verifier or test_bpf.c.
      
      Fixes: c5eae692 ("ARM: net: bpf: improve 64-bit store implementation")
      Fixes: ec19e02b ("ARM: net: bpf: fix LDX instructions")
      Co-developed-by: default avatarXi Wang <xi.wang@gmail.com>
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Signed-off-by: default avatarLuke Nelson <luke.r.nels@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20200409221752.28448-1-luke.r.nels@gmail.com
      4178417c
  2. 13 Apr, 2020 2 commits
    • Florian Westphal's avatar
      mptcp: fix double-unlock in mptcp_poll · e154659b
      Florian Westphal authored
      mptcp_connect/28740 is trying to release lock (sk_lock-AF_INET) at:
      [<ffffffff82c15869>] mptcp_poll+0xb9/0x550
      but there are no more locks to release!
      Call Trace:
       lock_release+0x50f/0x750
       release_sock+0x171/0x1b0
       mptcp_poll+0xb9/0x550
       sock_poll+0x157/0x470
       ? get_net_ns+0xb0/0xb0
       do_sys_poll+0x63c/0xdd0
      
      Problem is that __mptcp_tcp_fallback() releases the mptcp socket lock,
      but after recent change it doesn't do this in all of its return paths.
      
      To fix this, remove the unlock from __mptcp_tcp_fallback() and
      always do the unlock in the caller.
      
      Also add a small comment as to why we have this
      __mptcp_needs_tcp_fallback().
      
      Fixes: 0b4f33de ("mptcp: fix tcp fallback crash")
      Reported-by: syzbot+e56606435b7bfeea8cf5@syzkaller.appspotmail.com
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e154659b
    • Gilberto Bertin's avatar
      net: tun: record RX queue in skb before do_xdp_generic() · 3fe260e0
      Gilberto Bertin authored
      This allows netif_receive_generic_xdp() to correctly determine the RX
      queue from which the skb is coming, so that the context passed to the
      XDP program will contain the correct RX queue index.
      Signed-off-by: default avatarGilberto Bertin <me@jibi.io>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3fe260e0
  3. 12 Apr, 2020 3 commits
  4. 11 Apr, 2020 3 commits
  5. 10 Apr, 2020 1 commit
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 40fc7ad2
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2020-04-10
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 13 non-merge commits during the last 7 day(s) which contain
      a total of 13 files changed, 137 insertions(+), 43 deletions(-).
      
      The main changes are:
      
      1) JIT code emission fixes for riscv and arm32, from Luke Nelson and Xi Wang.
      
      2) Disable vmlinux BTF info if GCC_PLUGIN_RANDSTRUCT is used, from Slava Bacherikov.
      
      3) Fix oob write in AF_XDP when meta data is used, from Li RongQing.
      
      4) Fix bpf_get_link_xdp_id() handling on single prog when flags are specified,
         from Andrey Ignatov.
      
      5) Fix sk_assign() BPF helper for request sockets that can have sk_reuseport
         field uninitialized, from Joe Stringer.
      
      6) Fix mprotect() test case for the BPF LSM, from KP Singh.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40fc7ad2
  6. 09 Apr, 2020 8 commits
    • Taras Chornyi's avatar
      net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin · 690cc863
      Taras Chornyi authored
      When CONFIG_IP_MULTICAST is not set and multicast ip is added to the device
      with autojoin flag or when multicast ip is deleted kernel will crash.
      
      steps to reproduce:
      
      ip addr add 224.0.0.0/32 dev eth0
      ip addr del 224.0.0.0/32 dev eth0
      
      or
      
      ip addr add 224.0.0.0/32 dev eth0 autojoin
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
       pc : _raw_write_lock_irqsave+0x1e0/0x2ac
       lr : lock_sock_nested+0x1c/0x60
       Call trace:
        _raw_write_lock_irqsave+0x1e0/0x2ac
        lock_sock_nested+0x1c/0x60
        ip_mc_config.isra.28+0x50/0xe0
        inet_rtm_deladdr+0x1a8/0x1f0
        rtnetlink_rcv_msg+0x120/0x350
        netlink_rcv_skb+0x58/0x120
        rtnetlink_rcv+0x14/0x20
        netlink_unicast+0x1b8/0x270
        netlink_sendmsg+0x1a0/0x3b0
        ____sys_sendmsg+0x248/0x290
        ___sys_sendmsg+0x80/0xc0
        __sys_sendmsg+0x68/0xc0
        __arm64_sys_sendmsg+0x20/0x30
        el0_svc_common.constprop.2+0x88/0x150
        do_el0_svc+0x20/0x80
       el0_sync_handler+0x118/0x190
        el0_sync+0x140/0x180
      
      Fixes: 93a714d6 ("multicast: Extend ip address command to enable multicast group join/leave on")
      Signed-off-by: default avatarTaras Chornyi <taras.chornyi@plvision.eu>
      Signed-off-by: default avatarVadym Kochan <vadym.kochan@plvision.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      690cc863
    • Ka-Cheong Poon's avatar
      net/rds: Fix MR reference counting problem · 2fabef4f
      Ka-Cheong Poon authored
      In rds_free_mr(), it calls rds_destroy_mr(mr) directly.  But this
      defeats the purpose of reference counting and makes MR free handling
      impossible.  It means that holding a reference does not guarantee that
      it is safe to access some fields.  For example, In
      rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then
      calls mr->r_trans->sync_mr().  But if rds_free_mr() (and
      rds_destroy_mr()) is called in between (there is no lock preventing
      this to happen), r_trans_private is set to NULL, causing a panic.
      Similar issue is in rds_rdma_unuse().
      Reported-by: default avatarzerons <sironhide0null@gmail.com>
      Signed-off-by: default avatarKa-Cheong Poon <ka-cheong.poon@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2fabef4f
    • Ka-Cheong Poon's avatar
    • Taehee Yoo's avatar
      net: macsec: fix using wrong structure in macsec_changelink() · 022e9d60
      Taehee Yoo authored
      In the macsec_changelink(), "struct macsec_tx_sa tx_sc" is used to
      store "macsec_secy.tx_sc".
      But, the struct type of tx_sc is macsec_tx_sc, not macsec_tx_sa.
      So, the macsec_tx_sc should be used instead.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add macsec0 link dummy0 type macsec
          ip link set macsec0 type macsec encrypt off
      
      Splat looks like:
      [61119.963483][ T9335] ==================================================================
      [61119.964709][ T9335] BUG: KASAN: slab-out-of-bounds in macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.965787][ T9335] Read of size 160 at addr ffff888020d69c68 by task ip/9335
      [61119.966699][ T9335]
      [61119.966979][ T9335] CPU: 0 PID: 9335 Comm: ip Not tainted 5.6.0+ #503
      [61119.967791][ T9335] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [61119.968914][ T9335] Call Trace:
      [61119.969324][ T9335]  dump_stack+0x96/0xdb
      [61119.969809][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.970554][ T9335]  print_address_description.constprop.5+0x1be/0x360
      [61119.971294][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.971973][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.972703][ T9335]  __kasan_report+0x12a/0x170
      [61119.973323][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.973942][ T9335]  kasan_report+0xe/0x20
      [61119.974397][ T9335]  check_memory_region+0x149/0x1a0
      [61119.974866][ T9335]  memcpy+0x1f/0x50
      [61119.975209][ T9335]  macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.975825][ T9335]  ? macsec_get_stats64+0x3e0/0x3e0 [macsec]
      [61119.976451][ T9335]  ? kernel_text_address+0x111/0x120
      [61119.976990][ T9335]  ? pskb_expand_head+0x25f/0xe10
      [61119.977503][ T9335]  ? stack_trace_save+0x82/0xb0
      [61119.977986][ T9335]  ? memset+0x1f/0x40
      [61119.978397][ T9335]  ? __nla_validate_parse+0x98/0x1ab0
      [61119.978936][ T9335]  ? macsec_alloc_tfm+0x90/0x90 [macsec]
      [61119.979511][ T9335]  ? __kasan_slab_free+0x111/0x150
      [61119.980021][ T9335]  ? kfree+0xce/0x2f0
      [61119.980700][ T9335]  ? netlink_trim+0x196/0x1f0
      [61119.981420][ T9335]  ? nla_memcpy+0x90/0x90
      [61119.982036][ T9335]  ? register_lock_class+0x19e0/0x19e0
      [61119.982776][ T9335]  ? memcpy+0x34/0x50
      [61119.983327][ T9335]  __rtnl_newlink+0x922/0x1270
      [ ... ]
      
      Fixes: 3cf3227a ("net: macsec: hardware offloading infrastructure")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      022e9d60
    • Colin Ian King's avatar
      net-sysfs: remove redundant assignment to variable ret · 5f0224a6
      Colin Ian King authored
      The variable ret is being initialized with a value that is never read
      and it is being updated later with a new value.  The initialization is
      redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f0224a6
    • Wang Wenhu's avatar
      net: qrtr: send msgs from local of same id as broadcast · 6dbf02ac
      Wang Wenhu authored
      If the local node id(qrtr_local_nid) is not modified after its
      initialization, it equals to the broadcast node id(QRTR_NODE_BCAST).
      So the messages from local node should not be taken as broadcast
      and keep the process going to send them out anyway.
      
      The definitions are as follow:
      static unsigned int qrtr_local_nid = NUMA_NO_NODE;
      
      Fixes: fdf5fd39 ("net: qrtr: Broadcast messages only from control port")
      Signed-off-by: default avatarWang Wenhu <wenhu.wang@vivo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dbf02ac
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2020-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 3d61a39d
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2020-04-08
      
      This series introduces some fixes to mlx5 driver.
      
      Please pull and let me know if there is any problem.
      
      For -stable v5.3
       ('net/mlx5: Fix frequent ioread PCI access during recovery')
       ('net/mlx5e: Add missing release firmware call')
      
      For -stable v5.4
       ('net/mlx5e: Fix nest_level for vlan pop action')
       ('net/mlx5e: Fix pfnum in devlink port attribute')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d61a39d
    • Lothar Rubusch's avatar
      Documentation: devlink: fix broken link warning · e750b84d
      Lothar Rubusch authored
      At 'make htmldocs' the following warning is thrown:
      
      Documentation/networking/devlink/devlink-trap.rst:302:
      WARNING: undefined label: generic-packet-trap-groups
      
      Fixes the warning by setting the label to the specified header,
      within the same document.
      Signed-off-by: default avatarLothar Rubusch <l.rubusch@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e750b84d
  7. 08 Apr, 2020 21 commits