1. 20 Jul, 2018 5 commits
  2. 18 Jul, 2018 2 commits
    • Taehee Yoo's avatar
      netfilter: nft_set_rbtree: fix panic when destroying set by GC · c293ac95
      Taehee Yoo authored
      This patch fixes below.
      1. check null pointer of rb_next.
       rb_next can return null. so null check routine should be added.
      2. add rcu_barrier in destroy routine.
       GC uses call_rcu to remove elements. but all elements should be
       removed before destroying set and chains. so that rcu_barrier is added.
      
      test script:
         %cat test.nft
         table inet aa {
      	   map map1 {
      		   type ipv4_addr : verdict; flags interval, timeout;
      		   elements = {
      			   0-1 : jump a0,
      			   3-4 : jump a0,
      			   6-7 : jump a0,
      			   9-10 : jump a0,
      			   12-13 : jump a0,
      			   15-16 : jump a0,
      			   18-19 : jump a0,
      			   21-22 : jump a0,
      			   24-25 : jump a0,
      			   27-28 : jump a0,
      		   }
      		   timeout 1s;
      	   }
      	   chain a0 {
      	   }
         }
         flush ruleset
         table inet aa {
      	   map map1 {
      		   type ipv4_addr : verdict; flags interval, timeout;
      		   elements = {
      			   0-1 : jump a0,
      			   3-4 : jump a0,
      			   6-7 : jump a0,
      			   9-10 : jump a0,
      			   12-13 : jump a0,
      			   15-16 : jump a0,
      			   18-19 : jump a0,
      			   21-22 : jump a0,
      			   24-25 : jump a0,
      			   27-28 : jump a0,
      		   }
      		   timeout 1s;
      	   }
      	   chain a0 {
      	   }
         }
         flush ruleset
      
      splat looks like:
      [ 2402.419838] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [ 2402.428433] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [ 2402.429343] CPU: 1 PID: 1350 Comm: kworker/1:1 Not tainted 4.18.0-rc2+ #1
      [ 2402.429343] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 03/23/2017
      [ 2402.429343] Workqueue: events_power_efficient nft_rbtree_gc [nft_set_rbtree]
      [ 2402.429343] RIP: 0010:rb_next+0x1e/0x130
      [ 2402.429343] Code: e9 de f2 ff ff 0f 1f 80 00 00 00 00 41 55 48 89 fa 41 54 55 53 48 c1 ea 03 48 b8 00 00 00 0
      [ 2402.429343] RSP: 0018:ffff880105f77678 EFLAGS: 00010296
      [ 2402.429343] RAX: dffffc0000000000 RBX: ffff8801143e3428 RCX: 1ffff1002287c69c
      [ 2402.429343] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
      [ 2402.429343] RBP: 0000000000000000 R08: ffffed0016aabc24 R09: ffffed0016aabc24
      [ 2402.429343] R10: 0000000000000001 R11: ffffed0016aabc23 R12: 0000000000000000
      [ 2402.429343] R13: ffff8800b6933388 R14: dffffc0000000000 R15: ffff8801143e3440
      [ 2402.534486] kasan: CONFIG_KASAN_INLINE enabled
      [ 2402.534212] FS:  0000000000000000(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
      [ 2402.534212] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2402.534212] CR2: 0000000000863008 CR3: 00000000a3c16000 CR4: 00000000001006e0
      [ 2402.534212] Call Trace:
      [ 2402.534212]  nft_rbtree_gc+0x2b5/0x5f0 [nft_set_rbtree]
      [ 2402.534212]  process_one_work+0xc1b/0x1ee0
      [ 2402.540329] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [ 2402.534212]  ? _raw_spin_unlock_irq+0x29/0x40
      [ 2402.534212]  ? pwq_dec_nr_in_flight+0x3e0/0x3e0
      [ 2402.534212]  ? set_load_weight+0x270/0x270
      [ 2402.534212]  ? __schedule+0x6ea/0x1fb0
      [ 2402.534212]  ? __sched_text_start+0x8/0x8
      [ 2402.534212]  ? save_trace+0x320/0x320
      [ 2402.534212]  ? sched_clock_local+0xe2/0x150
      [ 2402.534212]  ? find_held_lock+0x39/0x1c0
      [ 2402.534212]  ? worker_thread+0x35f/0x1150
      [ 2402.534212]  ? lock_contended+0xe90/0xe90
      [ 2402.534212]  ? __lock_acquire+0x4520/0x4520
      [ 2402.534212]  ? do_raw_spin_unlock+0xb1/0x350
      [ 2402.534212]  ? do_raw_spin_trylock+0x111/0x1b0
      [ 2402.534212]  ? do_raw_spin_lock+0x1f0/0x1f0
      [ 2402.534212]  worker_thread+0x169/0x1150
      
      Fixes: 8d8540c4("netfilter: nft_set_rbtree: add timeout support")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c293ac95
    • Taehee Yoo's avatar
      netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy() · 9970a8e4
      Taehee Yoo authored
      GC of set uses call_rcu() to destroy elements.
      So that elements would be destroyed after destroying sets and chains.
      But, elements should be destroyed before destroying sets and chains.
      In order to wait calling call_rcu(), a rcu_barrier() is added.
      
      In order to test correctly, below patch should be applied.
      https://patchwork.ozlabs.org/patch/940883/
      
      test scripts:
         %cat test.nft
         table ip aa {
      	   map map1 {
      		   type ipv4_addr : verdict; flags timeout;
      		   elements = {
      			   0 : jump a0,
      			   1 : jump a0,
      			   2 : jump a0,
      			   3 : jump a0,
      			   4 : jump a0,
      			   5 : jump a0,
      			   6 : jump a0,
      			   7 : jump a0,
      			   8 : jump a0,
      			   9 : jump a0,
      		   }
      		   timeout 1s;
      	   }
      	   chain a0 {
      	   }
         }
         flush ruleset
      
         [ ... ]
      
         table ip aa {
      	   map map1 {
      		   type ipv4_addr : verdict; flags timeout;
      		   elements = {
      			   0 : jump a0,
      			   1 : jump a0,
      			   2 : jump a0,
      			   3 : jump a0,
      			   4 : jump a0,
      			   5 : jump a0,
      			   6 : jump a0,
      			   7 : jump a0,
      			   8 : jump a0,
      			   9 : jump a0,
      		   }
      		   timeout 1s;
      	   }
      	   chain a0 {
      	   }
         }
         flush ruleset
      
      Splat looks like:
      [  200.795603] kernel BUG at net/netfilter/nf_tables_api.c:1363!
      [  200.806944] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  200.812253] CPU: 1 PID: 1582 Comm: nft Not tainted 4.17.0+ #24
      [  200.820297] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
      [  200.830309] RIP: 0010:nf_tables_chain_destroy.isra.34+0x62/0x240 [nf_tables]
      [  200.838317] Code: 43 50 85 c0 74 26 48 8b 45 00 48 8b 4d 08 ba 54 05 00 00 48 c7 c6 60 6d 29 c0 48 c7 c7 c0 65 29 c0
      4c 8b 40 08 e8 58 e5 fd f8 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff
      [  200.860366] RSP: 0000:ffff880118dbf4d0 EFLAGS: 00010282
      [  200.866354] RAX: 0000000000000061 RBX: ffff88010cdeaf08 RCX: 0000000000000000
      [  200.874355] RDX: 0000000000000061 RSI: 0000000000000008 RDI: ffffed00231b7e90
      [  200.882361] RBP: ffff880118dbf4e8 R08: ffffed002373bcfb R09: ffffed002373bcfa
      [  200.890354] R10: 0000000000000000 R11: ffffed002373bcfb R12: dead000000000200
      [  200.898356] R13: dead000000000100 R14: ffffffffbb62af38 R15: dffffc0000000000
      [  200.906354] FS:  00007fefc31fd700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
      [  200.915533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  200.922355] CR2: 0000557f1c8e9128 CR3: 0000000106880000 CR4: 00000000001006e0
      [  200.930353] Call Trace:
      [  200.932351]  ? nf_tables_commit+0x26f6/0x2c60 [nf_tables]
      [  200.939525]  ? nf_tables_setelem_notify.constprop.49+0x1a0/0x1a0 [nf_tables]
      [  200.947525]  ? nf_tables_delchain+0x6e0/0x6e0 [nf_tables]
      [  200.952383]  ? nft_add_set_elem+0x1700/0x1700 [nf_tables]
      [  200.959532]  ? nla_parse+0xab/0x230
      [  200.963529]  ? nfnetlink_rcv_batch+0xd06/0x10d0 [nfnetlink]
      [  200.968384]  ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
      [  200.975525]  ? debug_show_all_locks+0x290/0x290
      [  200.980363]  ? debug_show_all_locks+0x290/0x290
      [  200.986356]  ? sched_clock_cpu+0x132/0x170
      [  200.990352]  ? find_held_lock+0x39/0x1b0
      [  200.994355]  ? sched_clock_local+0x10d/0x130
      [  200.999531]  ? memset+0x1f/0x40
      
      Fixes: 9d098292 ("netfilter: nft_hash: add support for timeouts")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      9970a8e4
  3. 17 Jul, 2018 1 commit
    • Taehee Yoo's avatar
      netfilter: nf_tables: fix jumpstack depth validation · 26b2f552
      Taehee Yoo authored
      The level of struct nft_ctx is updated by nf_tables_check_loops().  That
      is used to validate jumpstack depth. But jumpstack validation routine
      doesn't update and validate recursively.  So, in some cases, chain depth
      can be bigger than the NFT_JUMP_STACK_SIZE.
      
      After this patch, The jumpstack validation routine is located in the
      nft_chain_validate(). When new rules or new set elements are added, the
      nft_table_validate() is called by the nf_tables_newrule and the
      nf_tables_newsetelem. The nft_table_validate() calls the
      nft_chain_validate() that visit all their children chains recursively.
      So it can update depth of chain certainly.
      
      Reproducer:
         %cat ./test.sh
         #!/bin/bash
         nft add table ip filter
         nft add chain ip filter input { type filter hook input priority 0\; }
         for ((i=0;i<20;i++)); do
      	nft add chain ip filter a$i
         done
      
         nft add rule ip filter input jump a1
      
         for ((i=0;i<10;i++)); do
      	nft add rule ip filter a$i jump a$((i+1))
         done
      
         for ((i=11;i<19;i++)); do
      	nft add rule ip filter a$i jump a$((i+1))
         done
      
         nft add rule ip filter a10 jump a11
      
      Result:
      [  253.931782] WARNING: CPU: 1 PID: 0 at net/netfilter/nf_tables_core.c:186 nft_do_chain+0xacc/0xdf0 [nf_tables]
      [  253.931915] Modules linked in: nf_tables nfnetlink ip_tables x_tables
      [  253.932153] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.18.0-rc3+ #48
      [  253.932153] RIP: 0010:nft_do_chain+0xacc/0xdf0 [nf_tables]
      [  253.932153] Code: 83 f8 fb 0f 84 c7 00 00 00 e9 d0 00 00 00 83 f8 fd 74 0e 83 f8 ff 0f 84 b4 00 00 00 e9 bd 00 00 00 83 bd 64 fd ff ff 0f 76 09 <0f> 0b 31 c0 e9 bc 02 00 00 44 8b ad 64 fd
      [  253.933807] RSP: 0018:ffff88011b807570 EFLAGS: 00010212
      [  253.933807] RAX: 00000000fffffffd RBX: ffff88011b807660 RCX: 0000000000000000
      [  253.933807] RDX: 0000000000000010 RSI: ffff880112b39d78 RDI: ffff88011b807670
      [  253.933807] RBP: ffff88011b807850 R08: ffffed0023700ece R09: ffffed0023700ecd
      [  253.933807] R10: ffff88011b80766f R11: ffffed0023700ece R12: ffff88011b807898
      [  253.933807] R13: ffff880112b39d80 R14: ffff880112b39d60 R15: dffffc0000000000
      [  253.933807] FS:  0000000000000000(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
      [  253.933807] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  253.933807] CR2: 00000000014f1008 CR3: 000000006b216000 CR4: 00000000001006e0
      [  253.933807] Call Trace:
      [  253.933807]  <IRQ>
      [  253.933807]  ? sched_clock_cpu+0x132/0x170
      [  253.933807]  ? __nft_trace_packet+0x180/0x180 [nf_tables]
      [  253.933807]  ? sched_clock_cpu+0x132/0x170
      [  253.933807]  ? debug_show_all_locks+0x290/0x290
      [  253.933807]  ? __lock_acquire+0x4835/0x4af0
      [  253.933807]  ? inet_ehash_locks_alloc+0x1a0/0x1a0
      [  253.933807]  ? unwind_next_frame+0x159e/0x1840
      [  253.933807]  ? __read_once_size_nocheck.constprop.4+0x5/0x10
      [  253.933807]  ? nft_do_chain_ipv4+0x197/0x1e0 [nf_tables]
      [  253.933807]  ? nft_do_chain+0x5/0xdf0 [nf_tables]
      [  253.933807]  nft_do_chain_ipv4+0x197/0x1e0 [nf_tables]
      [  253.933807]  ? nft_do_chain_arp+0xb0/0xb0 [nf_tables]
      [  253.933807]  ? __lock_is_held+0x9d/0x130
      [  253.933807]  nf_hook_slow+0xc4/0x150
      [  253.933807]  ip_local_deliver+0x28b/0x380
      [  253.933807]  ? ip_call_ra_chain+0x3e0/0x3e0
      [  253.933807]  ? ip_rcv_finish+0x1610/0x1610
      [  253.933807]  ip_rcv+0xbcc/0xcc0
      [  253.933807]  ? debug_show_all_locks+0x290/0x290
      [  253.933807]  ? ip_local_deliver+0x380/0x380
      [  253.933807]  ? __lock_is_held+0x9d/0x130
      [  253.933807]  ? ip_local_deliver+0x380/0x380
      [  253.933807]  __netif_receive_skb_core+0x1c9c/0x2240
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      26b2f552
  4. 16 Jul, 2018 24 commits
    • Ursula Braun's avatar
      net/smc: take sock lock in smc_ioctl() · 1992d998
      Ursula Braun authored
      SMC ioctl processing requires the sock lock to work properly in
      all thinkable scenarios.
      Problem has been found with RaceFuzzer and fixes:
         KASAN: null-ptr-deref Read in smc_ioctl
      Reported-by: default avatarByoungyoung Lee <lifeasageek@gmail.com>
      Reported-by: syzbot+35b2c5aa76fd398b9fd4@syzkaller.appspotmail.com
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1992d998
    • David S. Miller's avatar
      Merge branch 'tg3-fixes' · bd598d20
      David S. Miller authored
      Siva Reddy Kallam says:
      
      ====================
      tg3: Update copyright and fix for tx timeout with 5762
      
      First patch:
              Update copyright
      
      Second patch:
              Add higher cpu clock for 5762
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bd598d20
    • Sanjeev Bansal's avatar
      tg3: Add higher cpu clock for 5762. · 3a498606
      Sanjeev Bansal authored
      This patch has fix for TX timeout while running bi-directional
      traffic with 100 Mbps using 5762.
      Signed-off-by: default avatarSanjeev Bansal <sanjeevb.bansal@broadcom.com>
      Signed-off-by: default avatarSiva Reddy Kallam <siva.kallam@broadcom.com>
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3a498606
    • Siva Reddy Kallam's avatar
      0f2605fb
    • John Allen's avatar
      ibmvnic: Fix error recovery on login failure · 3578a7ec
      John Allen authored
      Testing has uncovered a failure case that is not handled properly. In the
      event that a login fails and we are not able to recover on the spot, we
      return 0 from do_reset, preventing any error recovery code from being
      triggered.  Additionally, the state is set to "probed" meaning that when we
      are able to trigger the error recovery, the driver always comes up in the
      probed state. To handle the case properly, we need to return a failure code
      here and set the adapter state to the state that we entered the reset in
      indicating the state that we would like to come out of the recovery reset
      in.
      Signed-off-by: default avatarJohn Allen <jallen@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3578a7ec
    • Stefan Wahren's avatar
      net: lan78xx: Fix race in tx pending skb size calculation · dea39aca
      Stefan Wahren authored
      The skb size calculation in lan78xx_tx_bh is in race with the start_xmit,
      which could lead to rare kernel oopses. So protect the whole skb walk with
      a spin lock. As a benefit we can unlink the skb directly.
      
      This patch was tested on Raspberry Pi 3B+
      
      Link: https://github.com/raspberrypi/linux/issues/2608
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarFloris Bos <bos@je-eigen-domein.nl>
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dea39aca
    • David Ahern's avatar
      net/ipv6: Do not allow device only routes via the multipath API · b5d2d75e
      David Ahern authored
      Eric reported that reverting the patch that fixed and simplified IPv6
      multipath routes means reverting back to invalid userspace notifications.
      eg.,
      $ ip -6 route add 2001:db8:1::/64 nexthop dev eth0 nexthop dev eth1
      
      only generates a single notification:
      2001:db8:1::/64 dev eth0 metric 1024 pref medium
      
      While working on a fix for this problem I found another case that is just
      broken completely - a multipath route with a gateway followed by device
      followed by gateway:
          $ ip -6 ro add 2001:db8:103::/64
                nexthop via 2001:db8:1::64
                nexthop dev dummy2
                nexthop via 2001:db8:3::64
      
      In this case the device only route is dropped completely - no notification
      to userpsace but no addition to the FIB either:
      
      $ ip -6 ro ls
      2001:db8:1::/64 dev dummy1 proto kernel metric 256 pref medium
      2001:db8:2::/64 dev dummy2 proto kernel metric 256 pref medium
      2001:db8:3::/64 dev dummy3 proto kernel metric 256 pref medium
      2001:db8:103::/64 metric 1024
      	nexthop via 2001:db8:1::64 dev dummy1 weight 1
      	nexthop via 2001:db8:3::64 dev dummy3 weight 1 pref medium
      fe80::/64 dev dummy1 proto kernel metric 256 pref medium
      fe80::/64 dev dummy2 proto kernel metric 256 pref medium
      fe80::/64 dev dummy3 proto kernel metric 256 pref medium
      
      Really, IPv6 multipath is just FUBAR'ed beyond repair when it comes to
      device only routes, so do not allow it all.
      
      This change will break any scripts relying on the mpath api for insert,
      but I don't see any other way to handle the permutations. Besides, since
      the routes are added to the FIB as standalone (non-multipath) routes the
      kernel is not doing what the user requested, so it might as well tell the
      user that.
      Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b5d2d75e
    • Stefan Baranoff's avatar
      tcp: Fix broken repair socket window probe patch · 31048d7a
      Stefan Baranoff authored
      Correct previous bad attempt at allowing sockets to come out of TCP
      repair without sending window probes. To avoid changing size of
      the repair variable in struct tcp_sock, this lets the decision for
      sending probes or not to be made when coming out of repair by
      introducing two ways to turn it off.
      
      v2:
      * Remove erroneous comment; defines now make behavior clear
      
      Fixes: 70b7ff13 ("tcp: allow user to create repair socket without window probes")
      Signed-off-by: default avatarStefan Baranoff <sbaranoff@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarAndrei Vagin <avagin@virtuozzo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31048d7a
    • Saeed Mahameed's avatar
      net/mlx4_en: Don't reuse RX page when XDP is set · 432e629e
      Saeed Mahameed authored
      When a new rx packet arrives, the rx path will decide whether to reuse
      the remainder of the page or not according to one of the below conditions:
      1. frag_info->frag_stride == PAGE_SIZE / 2
      2. frags->page_offset + frag_info->frag_size > PAGE_SIZE;
      
      The first condition is no met for when XDP is set.
      For XDP, page_offset is always set to priv->rx_headroom which is
      XDP_PACKET_HEADROOM and frag_info->frag_size is around mtu size + some
      padding, still the 2nd release condition will hold since
      XDP_PACKET_HEADROOM + 1536 < PAGE_SIZE, as a result the page will not
      be released and will be _wrongly_ reused for next free rx descriptor.
      
      In XDP there is an assumption to have a page per packet and reuse can
      break such assumption and might cause packet data corruptions.
      
      Fix this by adding an extra condition (!priv->rx_headroom) to the 2nd
      case to avoid page reuse when XDP is set, since rx_headroom is set to 0
      for non XDP setup and set to XDP_PACKET_HEADROOM for XDP setup.
      
      No additional cache line is required for the new condition.
      
      Fixes: 34db548b ("mlx4: add page recycling in receive path")
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Suggested-by: default avatarMartin KaFai Lau <kafai@fb.com>
      CC: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      432e629e
    • Randy Dunlap's avatar
      net/ethernet/freescale/fman: fix cross-build error · c1334597
      Randy Dunlap authored
        CC [M]  drivers/net/ethernet/freescale/fman/fman.o
      In file included from ../drivers/net/ethernet/freescale/fman/fman.c:35:
      ../include/linux/fsl/guts.h: In function 'guts_set_dmacr':
      ../include/linux/fsl/guts.h:165:2: error: implicit declaration of function 'clrsetbits_be32' [-Werror=implicit-function-declaration]
        clrsetbits_be32(&guts->dmacr, 3 << shift, device << shift);
        ^~~~~~~~~~~~~~~
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Madalin Bucur <madalin.bucur@nxp.com>
      Cc: netdev@vger.kernel.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c1334597
    • Stephen Hemminger's avatar
      hv/netvsc: fix handling of fallback to single queue mode · 916c5e14
      Stephen Hemminger authored
      The netvsc device may need to fallback to running in single queue
      mode if host side only wants to support single queue.
      
      Recent change for handling mtu broke this in setup logic.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 3ffe64f1 ("hv_netvsc: split sub-channel setup into async and sync")
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      916c5e14
    • Thomas Falcon's avatar
      ibmvnic: Revise RX/TX queue error messages · 2d14d379
      Thomas Falcon authored
      During a device failover, there may be latency between the loss
      of the current backing device and a notification from firmware that
      a failover has occurred. This latency can result in a large amount of
      error printouts as firmware returns outgoing traffic with a generic
      error code. These are not necessarily errors in this case as the
      firmware is busy swapping in a new backing adapter and is not ready
      to send packets yet. This patch reclassifies those error codes as
      warnings with an explanation that a failover may be pending. All
      other return codes will be considered errors.
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d14d379
    • Sabrina Dubroca's avatar
      ipv6: make DAD fail with enhanced DAD when nonce length differs · e6651599
      Sabrina Dubroca authored
      Commit adc176c5 ("ipv6 addrconf: Implemented enhanced DAD (RFC7527)")
      added enhanced DAD with a nonce length of 6 bytes. However, RFC7527
      doesn't specify the length of the nonce, other than being 6 + 8*k bytes,
      with integer k >= 0 (RFC3971 5.3.2). The current implementation simply
      assumes that the nonce will always be 6 bytes, but others systems are
      free to choose different sizes.
      
      If another system sends a nonce of different length but with the same 6
      bytes prefix, it shouldn't be considered as the same nonce. Thus, check
      that the length of the received nonce is the same as the length we sent.
      
      Ugly scapy test script running on veth0:
      
      def loop():
          pkt=sniff(iface="veth0", filter="icmp6", count=1)
          pkt = pkt[0]
          b = bytearray(pkt[Raw].load)
          b[1] += 1
          b += b'\xde\xad\xbe\xef\xde\xad\xbe\xef'
          pkt[Raw].load = bytes(b)
          pkt[IPv6].plen += 8
          # fixup checksum after modifying the payload
          pkt[IPv6].payload.cksum -= 0x3b44
          if pkt[IPv6].payload.cksum < 0:
              pkt[IPv6].payload.cksum += 0xffff
          sendp(pkt, iface="veth0")
      
      This should result in DAD failure for any address added to veth0's peer,
      but is currently ignored.
      
      Fixes: adc176c5 ("ipv6 addrconf: Implemented enhanced DAD (RFC7527)")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e6651599
    • Corentin Labbe's avatar
      net: ethernet: stmmac: fix documentation warning · 014dd768
      Corentin Labbe authored
      This patch remove the following documentation warning
      drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c:103: warning: Excess function parameter 'priv' description in 'stmmac_axi_setup'
      It was introduced in commit afea0365 ("stmmac: rework DMA bus setting and introduce new platform AXI structure")
      Signed-off-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      014dd768
    • Corentin Labbe's avatar
      net: stmmac: dwmac-sun8i: fix typo descrive => describe · 56c266dc
      Corentin Labbe authored
      This patch fix a typo in the word Describe
      Signed-off-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      56c266dc
    • Prashant Bhole's avatar
      net: ip6_gre: get ipv6hdr after skb_cow_head() · b7ed8794
      Prashant Bhole authored
      A KASAN:use-after-free bug was found related to ip6-erspan
      while running selftests/net/ip6_gre_headroom.sh
      
      It happens because of following sequence:
      - ipv6hdr pointer is obtained from skb
      - skb_cow_head() is called, skb->head memory is reallocated
      - old data is accessed using ipv6hdr pointer
      
      skb_cow_head() call was added in e41c7c68 ("ip6erspan: make sure
      enough headroom at xmit."), but looking at the history there was a
      chance of similar bug because gre_handle_offloads() and pskb_trim()
      can also reallocate skb->head memory. Fixes tag points to commit
      which introduced possibility of this bug.
      
      This patch moves ipv6hdr pointer assignment after skb_cow_head() call.
      
      Fixes: 5a963eb6 ("ip6_gre: Add ERSPAN native tunnel support")
      Signed-off-by: default avatarPrashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
      Reviewed-by: default avatarGreg Rose <gvrose8192@gmail.com>
      Acked-by: default avatarWilliam Tu <u9012063@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7ed8794
    • Toshiaki Makita's avatar
      tun: Fix use-after-free on XDP_TX · 6e8cfd6d
      Toshiaki Makita authored
      On XDP_TX we need to free up the frame only when tun_xdp_tx() returns a
      negative value. A positive value indicates that the packet is
      successfully enqueued to the ptr_ring, so freeing the page causes
      use-after-free.
      
      Fixes: 735fc405 ("xdp: change ndo_xdp_xmit API to support bulking")
      Signed-off-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e8cfd6d
    • Masanari Iida's avatar
      bonding: Fix a typo in bonding.txt · 9f80a072
      Masanari Iida authored
      This patch fixes a spelling typo in bonding.txt
      Signed-off-by: default avatarMasanari Iida <standby24x7@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9f80a072
    • Dave Watson's avatar
      tls: Stricter error checking in zerocopy sendmsg path · 32da1221
      Dave Watson authored
      In the zerocopy sendmsg() path, there are error checks to revert
      the zerocopy if we get any error code.  syzkaller has discovered
      that tls_push_record can return -ECONNRESET, which is fatal, and
      happens after the point at which it is safe to revert the iter,
      as we've already passed the memory to do_tcp_sendpages.
      
      Previously this code could return -ENOMEM and we would want to
      revert the iter, but AFAIK this no longer returns ENOMEM after
      a447da7d ("tls: fix waitall behavior in tls_sw_recvmsg"),
      so we fail for all error codes.
      
      Reported-by: syzbot+c226690f7b3126c5ee04@syzkaller.appspotmail.com
      Reported-by: syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com
      Signed-off-by: default avatarDave Watson <davejwatson@fb.com>
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32da1221
    • Constantine Shulyupin's avatar
    • Eric Biggers's avatar
      KEYS: DNS: fix parsing multiple options · c604cb76
      Eric Biggers authored
      My recent fix for dns_resolver_preparse() printing very long strings was
      incomplete, as shown by syzbot which still managed to hit the
      WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:
      
          precision 50001 too large
          WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0
      
      The bug this time isn't just a printing bug, but also a logical error
      when multiple options ("#"-separated strings) are given in the key
      payload.  Specifically, when separating an option string into name and
      value, if there is no value then the name is incorrectly considered to
      end at the end of the key payload, rather than the end of the current
      option.  This bypasses validation of the option length, and also means
      that specifying multiple options is broken -- which presumably has gone
      unnoticed as there is currently only one valid option anyway.
      
      A similar problem also applied to option values, as the kstrtoul() when
      parsing the "dnserror" option will read past the end of the current
      option and into the next option.
      
      Fix these bugs by correctly computing the length of the option name and
      by copying the option value, null-terminated, into a temporary buffer.
      
      Reproducer for the WARN_ONCE() that syzbot hit:
      
          perl -e 'print "#A#", "\0" x 50000' | keyctl padd dns_resolver desc @s
      
      Reproducer for "dnserror" option being parsed incorrectly (expected
      behavior is to fail when seeing the unknown option "foo", actual
      behavior was to read the dnserror value as "1#foo" and fail there):
      
          perl -e 'print "#dnserror=1#foo\0"' | keyctl padd dns_resolver desc @s
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 4a2d7892 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c604cb76
    • David S. Miller's avatar
      Merge branch 'multicast-init-as-INCLUDE-when-join-SSM-INCLUDE-group' · 8e05fd83
      David S. Miller authored
      Hangbin Liu says:
      
      ====================
      multicast: init as INCLUDE when join SSM INCLUDE group
      
      Based on RFC3376 5.1 and RFC3810 6.1, we should init as INCLUDE when join SSM
      INCLUDE group. In my first version I only clear the group change record. But
      this is not enough as when a new group join, it will init as EXCLUDE and
      trigger an filter mode change in ip/ip6_mc_add_src(), which will clear all
      source addresses' sf_crcount. This will prevent early joined address sending
      state change records if multi source addresses joined at the same time.
      
      In this v2 patchset, I fixed it by directly initializing the mode to INCLUDE
      for SSM JOIN_SOURCE_GROUP. I also split the original patch into two separated
      patches for IPv4 and IPv6.
      
      Test: test by myself and customer.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8e05fd83
    • Hangbin Liu's avatar
      ipv6/mcast: init as INCLUDE when join SSM INCLUDE group · c7ea20c9
      Hangbin Liu authored
      This an IPv6 version patch of "ipv4/igmp: init group mode as INCLUDE when
      join source group". From RFC3810, part 6.1:
      
         If no per-interface state existed for that
         multicast address before the change (i.e., the change consisted of
         creating a new per-interface record), or if no state exists after the
         change (i.e., the change consisted of deleting a per-interface
         record), then the "non-existent" state is considered to have an
         INCLUDE filter mode and an empty source list.
      
      Which means a new multicast group should start with state IN(). Currently,
      for MLDv2 SSM JOIN_SOURCE_GROUP mode, we first call ipv6_sock_mc_join(),
      then ip6_mc_source(), which will trigger a TO_IN() message instead of
      ALLOW().
      
      The issue was exposed by commit a052517a ("net/multicast: should not
      send source list records when have filter mode change"). Before this change,
      we sent both ALLOW(A) and TO_IN(A). Now, we only send TO_IN(A).
      
      Fix it by adding a new parameter to init group mode. Also add some wrapper
      functions to avoid changing too much code.
      
      v1 -> v2:
      In the first version I only cleared the group change record. But this is not
      enough. Because when a new group join, it will init as EXCLUDE and trigger
      a filter mode change in ip/ip6_mc_add_src(), which will clear all source
      addresses sf_crcount. This will prevent early joined address sending state
      change records if multi source addressed joined at the same time.
      
      In v2 patch, I fixed it by directly initializing the mode to INCLUDE for SSM
      JOIN_SOURCE_GROUP. I also split the original patch into two separated patches
      for IPv4 and IPv6.
      
      There is also a difference between v4 and v6 version. For IPv6, when the
      interface goes down and up, we will send correct state change record with
      unspecified IPv6 address (::) with function ipv6_mc_up(). But after DAD is
      completed, we resend the change record TO_IN() in mld_send_initial_cr().
      Fix it by sending ALLOW() for INCLUDE mode in mld_send_initial_cr().
      
      Fixes: a052517a ("net/multicast: should not send source list records when have filter mode change")
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7ea20c9
    • Hangbin Liu's avatar
      ipv4/igmp: init group mode as INCLUDE when join source group · 6e2059b5
      Hangbin Liu authored
      Based on RFC3376 5.1
         If no interface
         state existed for that multicast address before the change (i.e., the
         change consisted of creating a new per-interface record), or if no
         state exists after the change (i.e., the change consisted of deleting
         a per-interface record), then the "non-existent" state is considered
         to have a filter mode of INCLUDE and an empty source list.
      
      Which means a new multicast group should start with state IN().
      
      Function ip_mc_join_group() works correctly for IGMP ASM(Any-Source Multicast)
      mode. It adds a group with state EX() and inits crcount to mc_qrv,
      so the kernel will send a TO_EX() report message after adding group.
      
      But for IGMPv3 SSM(Source-specific multicast) JOIN_SOURCE_GROUP mode, we
      split the group joining into two steps. First we join the group like ASM,
      i.e. via ip_mc_join_group(). So the state changes from IN() to EX().
      
      Then we add the source-specific address with INCLUDE mode. So the state
      changes from EX() to IN(A).
      
      Before the first step sends a group change record, we finished the second
      step. So we will only send the second change record. i.e. TO_IN(A).
      
      Regarding the RFC stands, we should actually send an ALLOW(A) message for
      SSM JOIN_SOURCE_GROUP as the state should mimic the 'IN() to IN(A)'
      transition.
      
      The issue was exposed by commit a052517a ("net/multicast: should not
      send source list records when have filter mode change"). Before this change,
      we used to send both ALLOW(A) and TO_IN(A). After this change we only send
      TO_IN(A).
      
      Fix it by adding a new parameter to init group mode. Also add new wrapper
      functions so we don't need to change too much code.
      
      v1 -> v2:
      In my first version I only cleared the group change record. But this is not
      enough. Because when a new group join, it will init as EXCLUDE and trigger
      an filter mode change in ip/ip6_mc_add_src(), which will clear all source
      addresses' sf_crcount. This will prevent early joined address sending state
      change records if multi source addressed joined at the same time.
      
      In v2 patch, I fixed it by directly initializing the mode to INCLUDE for SSM
      JOIN_SOURCE_GROUP. I also split the original patch into two separated patches
      for IPv4 and IPv6.
      
      Fixes: a052517a ("net/multicast: should not send source list records when have filter mode change")
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e2059b5
  5. 14 Jul, 2018 5 commits
  6. 13 Jul, 2018 3 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · c849eb0d
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-07-13
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix AF_XDP TX error reporting before final kernel release such that it
         becomes consistent between copy mode and zero-copy, from Magnus.
      
      2) Fix three different syzkaller reported issues: oob due to ld_abs
         rewrite with too large offset, another oob in l3 based skb test run
         and a bug leaving mangled prog in subprog JITing error path, from Daniel.
      
      3) Fix BTF handling for bitfield extraction on big endian, from Okash.
      
      4) Fix a missing linux/errno.h include in cgroup/BPF found by kbuild bot,
         from Roman.
      
      5) Fix xdp2skb_meta.sh sample by using just command names instead of
         absolute paths for tc and ip and allow them to be redefined, from Taeung.
      
      6) Fix availability probing for BPF seg6 helpers before final kernel ships
         so they can be detected at prog load time, from Mathieu.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c849eb0d
    • Stefano Brivio's avatar
      skbuff: Unconditionally copy pfmemalloc in __skb_clone() · e78bfb07
      Stefano Brivio authored
      Commit 8b700862 ("net: Don't copy pfmemalloc flag in
      __copy_skb_header()") introduced a different handling for the
      pfmemalloc flag in copy and clone paths.
      
      In __skb_clone(), now, the flag is set only if it was set in the
      original skb, but not cleared if it wasn't. This is wrong and
      might lead to socket buffers being flagged with pfmemalloc even
      if the skb data wasn't allocated from pfmemalloc reserves. Copy
      the flag instead of ORing it.
      Reported-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Fixes: 8b700862 ("net: Don't copy pfmemalloc flag in __copy_skb_header()")
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Tested-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e78bfb07
    • Daniel Borkmann's avatar
      Merge branch 'bpf-af-xdp-consistent-err-reporting' · 5e3e6e83
      Daniel Borkmann authored
      Magnus Karlsson says:
      
      ====================
      This patch set adjusts the AF_XDP TX error reporting so that it becomes
      consistent between copy mode and zero-copy. First some background:
      
      Copy-mode for TX uses the SKB path in which the action of sending the
      packet is performed from process context using the sendmsg
      syscall. Completions are usually done asynchronously from NAPI mode by
      using a TX interrupt. In this mode, send errors can be returned back
      through the syscall.
      
      In zero-copy mode both the sending of the packet and the completions
      are done asynchronously from NAPI mode for performance reasons. In
      this mode, the sendmsg syscall only makes sure that the TX NAPI loop
      will be run that performs both the actions of sending and
      completing. In this mode it is therefore not possible to return errors
      through the sendmsg syscall as the sending is done from the NAPI
      loop. Note that it is possible to implement a synchronous send with
      our API, but in our benchmarks that made the TX performance drop by
      nearly half due to synchronization requirements and cache line
      bouncing. But for some netdevs this might be preferable so let us
      leave it up to the implementation to decide.
      
      The problem is that the current code base returns some errors in
      copy-mode that are not possible to return in zero-copy mode. This
      patch set aligns them so that the two modes always return the same
      error code. We achieve this by removing some of the errors returned by
      sendmsg in copy-mode (and in one case adding an error message for
      zero-copy mode) and offering alternative error detection methods that
      are consistent between the two modes.
      
      The structure of the patch set is as follows:
      
      Patch 1: removes the ENXIO return code from copy-mode when someone has
      forcefully changed the number of queues on the device so that the
      queue bound to the socket is no longer available. Just silently stop
      sending anything as in zero-copy mode.
      
      Patch 2: stop returning EAGAIN in copy mode when the completion queue
      is full as zero-copy does not do this. Instead this situation can be
      detected by comparing the head and tail pointers of the completion
      queue in both modes. In any case, EAGAIN was not the correct error code
      here since no amount of calling sendmsg will solve the problem. Only
      consuming one or more messages on the completion queue will fix this.
      
      Patch 3: Always return ENOBUFS from sendmsg if there is no TX queue
      configured. This was not the case for zero-copy mode.
      
      Patch 4: stop returning EMSGSIZE when the size of the packet is larger
      than the MTU. Just send it to the device so that it will drop it as in
      zero-copy mode.
      
      Note that copy-mode can still return EAGAIN in certain circumstances,
      but as these conditions cannot occur in zero-copy mode it is fine for
      copy-mode to return them.
      ====================
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      5e3e6e83