1. 26 Jul, 2021 1 commit
  2. 22 Jul, 2021 1 commit
  3. 21 Jul, 2021 2 commits
    • Dmitry Safonov's avatar
      selftests/net/ipsec: Add test for xfrm_spdattr_type_t · 70bfdf62
      Dmitry Safonov authored
      Set hthresh, dump it again and verify thresh.lbits && thresh.rbits.
      They are passed as attributes of xfrm_spdattr_type_t, different from
      other message attributes that use xfrm_attr_type_t.
      Also, test attribute that is bigger than XFRMA_SPD_MAX, currently it
      should be silently ignored.
      
      Cc: Shuah Khan <shuah@kernel.org>
      Cc: linux-kselftest@vger.kernel.org
      Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      70bfdf62
    • Dmitry Safonov's avatar
      net/xfrm/compat: Copy xfrm_spdattr_type_t atributes · 4e950506
      Dmitry Safonov authored
      The attribute-translator has to take in mind maxtype, that is
      xfrm_link::nla_max. When it is set, attributes are not of xfrm_attr_type_t.
      Currently, they can be only XFRMA_SPD_MAX (message XFRM_MSG_NEWSPDINFO),
      their UABI is the same for 64/32-bit, so just copy them.
      
      Thanks to YueHaibing for reporting this:
      In xfrm_user_rcv_msg_compat() if maxtype is not zero and less than
      XFRMA_MAX, nlmsg_parse_deprecated() do not initialize attrs array fully.
      xfrm_xlate32() will access uninit 'attrs[i]' while iterating all attrs
      array.
      
      KASAN: probably user-memory-access in range [0x0000000041b58ab0-0x0000000041b58ab7]
      CPU: 0 PID: 15799 Comm: syz-executor.2 Tainted: G        W         5.14.0-rc1-syzkaller #0
      RIP: 0010:nla_type include/net/netlink.h:1130 [inline]
      RIP: 0010:xfrm_xlate32_attr net/xfrm/xfrm_compat.c:410 [inline]
      RIP: 0010:xfrm_xlate32 net/xfrm/xfrm_compat.c:532 [inline]
      RIP: 0010:xfrm_user_rcv_msg_compat+0x5e5/0x1070 net/xfrm/xfrm_compat.c:577
      [...]
      Call Trace:
       xfrm_user_rcv_msg+0x556/0x8b0 net/xfrm/xfrm_user.c:2774
       netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
       xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2824
       netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
       netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
       netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
       sock_sendmsg_nosec net/socket.c:702 [inline]
      
      Fixes: 5106f4a8 ("xfrm/compat: Add 32=>64-bit messages translator")
      Cc: <stable@kernel.org>
      Reported-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      4e950506
  4. 02 Jul, 2021 2 commits
    • Frederic Weisbecker's avatar
      xfrm: Fix RCU vs hash_resize_mutex lock inversion · 2580d3f4
      Frederic Weisbecker authored
      xfrm_bydst_resize() calls synchronize_rcu() while holding
      hash_resize_mutex. But then on PREEMPT_RT configurations,
      xfrm_policy_lookup_bytype() may acquire that mutex while running in an
      RCU read side critical section. This results in a deadlock.
      
      In fact the scope of hash_resize_mutex is way beyond the purpose of
      xfrm_policy_lookup_bytype() to just fetch a coherent and stable policy
      for a given destination/direction, along with other details.
      
      The lower level net->xfrm.xfrm_policy_lock, which among other things
      protects per destination/direction references to policy entries, is
      enough to serialize and benefit from priority inheritance against the
      write side. As a bonus, it makes it officially a per network namespace
      synchronization business where a policy table resize on namespace A
      shouldn't block a policy lookup on namespace B.
      
      Fixes: 77cc278f (xfrm: policy: Use sequence counters with associated lock)
      Cc: stable@vger.kernel.org
      Cc: Ahmed S. Darwish <a.darwish@linutronix.de>
      Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Varad Gautam <varad.gautam@suse.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarFrederic Weisbecker <frederic@kernel.org>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      2580d3f4
    • Steffen Klassert's avatar
      Revert "xfrm: policy: Read seqcount outside of rcu-read side in xfrm_policy_lookup_bytype" · eaf22826
      Steffen Klassert authored
      This reverts commit d7b04089.
      
      This commit tried to fix a locking bug introduced by commit 77cc278f
      ("xfrm: policy: Use sequence counters with associated lock"). As it
      turned out, this patch did not really fix the bug. A proper fix
      for this bug is applied on top of this revert.
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      eaf22826
  5. 29 Jun, 2021 1 commit
  6. 28 Jun, 2021 10 commits
  7. 25 Jun, 2021 3 commits
    • Petr Oros's avatar
      Revert "be2net: disable bh with spin_lock in be_process_mcc" · d6765985
      Petr Oros authored
      Patch was based on wrong presumption that be_poll can be called only
      from bh context. It reintroducing old regression (also reverted) and
      causing deadlock when we use netconsole with benet in bonding.
      
      Old revert: commit 072a9c48 ("netpoll: revert 6bdb7fe3 and fix
      be_poll() instead")
      
      [  331.269715] bond0: (slave enp0s7f0): Releasing backup interface
      [  331.270121] CPU: 4 PID: 1479 Comm: ifenslave Not tainted 5.13.0-rc7+ #2
      [  331.270122] Call Trace:
      [  331.270122] [c00000001789f200] [c0000000008c505c] dump_stack+0x100/0x174 (unreliable)
      [  331.270124] [c00000001789f240] [c008000001238b9c] be_poll+0x64/0xe90 [be2net]
      [  331.270125] [c00000001789f330] [c000000000d1e6e4] netpoll_poll_dev+0x174/0x3d0
      [  331.270127] [c00000001789f400] [c008000001bc167c] bond_poll_controller+0xb4/0x130 [bonding]
      [  331.270128] [c00000001789f450] [c000000000d1e624] netpoll_poll_dev+0xb4/0x3d0
      [  331.270129] [c00000001789f520] [c000000000d1ed88] netpoll_send_skb+0x448/0x470
      [  331.270130] [c00000001789f5d0] [c0080000011f14f8] write_msg+0x180/0x1b0 [netconsole]
      [  331.270131] [c00000001789f640] [c000000000230c0c] console_unlock+0x54c/0x790
      [  331.270132] [c00000001789f7b0] [c000000000233098] vprintk_emit+0x2d8/0x450
      [  331.270133] [c00000001789f810] [c000000000234758] vprintk+0xc8/0x270
      [  331.270134] [c00000001789f850] [c000000000233c28] printk+0x40/0x54
      [  331.270135] [c00000001789f870] [c000000000ccf908] __netdev_printk+0x150/0x198
      [  331.270136] [c00000001789f910] [c000000000ccfdb4] netdev_info+0x68/0x94
      [  331.270137] [c00000001789f950] [c008000001bcbd70] __bond_release_one+0x188/0x6b0 [bonding]
      [  331.270138] [c00000001789faa0] [c008000001bcc6f4] bond_do_ioctl+0x42c/0x490 [bonding]
      [  331.270139] [c00000001789fb60] [c000000000d0d17c] dev_ifsioc+0x17c/0x400
      [  331.270140] [c00000001789fbc0] [c000000000d0db70] dev_ioctl+0x390/0x890
      [  331.270141] [c00000001789fc10] [c000000000c7c76c] sock_do_ioctl+0xac/0x1b0
      [  331.270142] [c00000001789fc90] [c000000000c7ffac] sock_ioctl+0x31c/0x6e0
      [  331.270143] [c00000001789fd60] [c0000000005b9728] sys_ioctl+0xf8/0x150
      [  331.270145] [c00000001789fdb0] [c0000000000336c0] system_call_exception+0x160/0x2f0
      [  331.270146] [c00000001789fe10] [c00000000000d35c] system_call_common+0xec/0x278
      [  331.270147] --- interrupt: c00 at 0x7fffa6c6ec00
      [  331.270147] NIP:  00007fffa6c6ec00 LR: 0000000105c4185c CTR: 0000000000000000
      [  331.270148] REGS: c00000001789fe80 TRAP: 0c00   Not tainted  (5.13.0-rc7+)
      [  331.270148] MSR:  800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 28000428  XER: 00000000
      [  331.270155] IRQMASK: 0
      [  331.270156] GPR00: 0000000000000036 00007fffd494d5b0 00007fffa6d57100 0000000000000003
      [  331.270158] GPR04: 0000000000008991 00007fffd494d6d0 0000000000000008 00007fffd494f28c
      [  331.270161] GPR08: 0000000000000003 0000000000000000 0000000000000000 0000000000000000
      [  331.270164] GPR12: 0000000000000000 00007fffa6dfa220 0000000000000000 0000000000000000
      [  331.270167] GPR16: 0000000105c44880 0000000000000000 0000000105c60088 0000000105c60318
      [  331.270170] GPR20: 0000000105c602c0 0000000105c44560 0000000000000000 0000000000000000
      [  331.270172] GPR24: 00007fffd494dc50 00007fffd494d6a8 0000000105c60008 00007fffd494d6d0
      [  331.270175] GPR28: 00007fffd494f27e 0000000105c6026c 00007fffd494f284 0000000000000000
      [  331.270178] NIP [00007fffa6c6ec00] 0x7fffa6c6ec00
      [  331.270178] LR [0000000105c4185c] 0x105c4185c
      [  331.270179] --- interrupt: c00
      
      This reverts commit d0d006a4.
      
      Fixes: d0d006a4 ("be2net: disable bh with spin_lock in be_process_mcc")
      Signed-off-by: default avatarPetr Oros <poros@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d6765985
    • Bailey Forrest's avatar
      gve: Fix swapped vars when fetching max queues · 1db1a862
      Bailey Forrest authored
      Fixes: 893ce44d ("gve: Add basic driver framework for Compute Engine Virtual NIC")
      Signed-off-by: default avatarBailey Forrest <bcf@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1db1a862
    • Nicolas Dichtel's avatar
      dev_forward_skb: do not scrub skb mark within the same name space · ff70202b
      Nicolas Dichtel authored
      The goal is to keep the mark during a bpf_redirect(), like it is done for
      legacy encapsulation / decapsulation, when there is no x-netns.
      This was initially done in commit 213dd74a ("skbuff: Do not scrub skb
      mark within the same name space").
      
      When the call to skb_scrub_packet() was added in dev_forward_skb() (commit
      8b27f277 ("skb: allow skb_scrub_packet() to be used by tunnels")), the
      second argument (xnet) was set to true to force a call to skb_orphan(). At
      this time, the mark was always cleanned up by skb_scrub_packet(), whatever
      xnet value was.
      This call to skb_orphan() was removed later in commit
      9c4c3252 ("skbuff: preserve sock reference when scrubbing the skb.").
      But this 'true' stayed here without any real reason.
      
      Let's correctly set xnet in ____dev_forward_skb(), this function has access
      to the previous interface and to the new interface.
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ff70202b
  8. 24 Jun, 2021 20 commits