1. 16 May, 2018 11 commits
      perf: Remove superfluous allocation error check · 68447d69
      Jiri Olsa authored
      commit bfb3d7b8 upstream.
      
      If the get_callchain_buffers fails to allocate the buffer it will
      decrease the nr_callchain_events right away.
      
      There's no point in checking the allocation error for
      nr_callchain_events > 1. Removing that check.
      Signed-off-by: Jiri Olsa <jolsa@kernel.org>
      Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: syzkaller-bugs@googlegroups.com
      Cc: x86@kernel.org
      Link: http://lkml.kernel.org/r/20180415092352.12403-3-jolsa@kernel.org
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      soreuseport: initialise timewait reuseport field · e68fb962
      Eric Dumazet authored
      commit 3099a529 upstream.
      
      syzbot reported an uninit-value in inet_csk_bind_conflict() [1]
      
      It turns out we never propagated sk->sk_reuseport into timewait socket.
      
      [1]
      BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
      CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
       inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320
       inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399
       SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
       SyS_bind+0x54/0x80 net/socket.c:1460
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x4416e9
      RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031
      RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9
      RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004
      RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08
      R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478
      R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
       tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283
       tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
       tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __release_sock+0x2d6/0x680 net/core/sock.c:2271
       release_sock+0x97/0x2a0 net/core/sock.c:2786
       tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
       inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
       inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
       sock_release net/socket.c:595 [inline]
       sock_close+0xe0/0x300 net/socket.c:1149
       __fput+0x49e/0xa10 fs/file_table.c:209
       ____fput+0x37/0x40 fs/file_table.c:243
       task_work_run+0x243/0x2c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x10e1/0x38d0 kernel/exit.c:867
       do_group_exit+0x1a0/0x360 kernel/exit.c:970
       SYSC_exit_group+0x21/0x30 kernel/exit.c:981
       SyS_exit_group+0x25/0x30 kernel/exit.c:979
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
       inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182
       tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
       tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
       tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __release_sock+0x2d6/0x680 net/core/sock.c:2271
       release_sock+0x97/0x2a0 net/core/sock.c:2786
       tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
       inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
       inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
       sock_release net/socket.c:595 [inline]
       sock_close+0xe0/0x300 net/socket.c:1149
       __fput+0x49e/0xa10 fs/file_table.c:209
       ____fput+0x37/0x40 fs/file_table.c:243
       task_work_run+0x243/0x2c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x10e1/0x38d0 kernel/exit.c:867
       do_group_exit+0x1a0/0x360 kernel/exit.c:970
       SYSC_exit_group+0x21/0x30 kernel/exit.c:981
       SyS_exit_group+0x25/0x30 kernel/exit.c:979
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
       inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163
       tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
       tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
       tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __release_sock+0x2d6/0x680 net/core/sock.c:2271
       release_sock+0x97/0x2a0 net/core/sock.c:2786
       tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
       inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
       inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
       sock_release net/socket.c:595 [inline]
       sock_close+0xe0/0x300 net/socket.c:1149
       __fput+0x49e/0xa10 fs/file_table.c:209
       ____fput+0x37/0x40 fs/file_table.c:243
       task_work_run+0x243/0x2c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x10e1/0x38d0 kernel/exit.c:867
       do_group_exit+0x1a0/0x360 kernel/exit.c:970
       SYSC_exit_group+0x21/0x30 kernel/exit.c:981
       SyS_exit_group+0x25/0x30 kernel/exit.c:979
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Fixes: da5e3630 ("soreuseport: TCP/IPv4 implementation")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      dccp: initialize ireq->ir_mark · 543cb05d
      Eric Dumazet authored
      commit b855ff82 upstream.
      
      syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook()
      
      Thanks to the nice report, I tracked the problem to dccp not caring
      about ireq->ir_mark for passive sessions.
      
      BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
      BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
      CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
       iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
       nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
       nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483
       nf_hook include/linux/netfilter.h:243 [inline]
       __ip_local_out net/ipv4/ip_output.c:113 [inline]
       ip_local_out net/ipv4/ip_output.c:122 [inline]
       ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504
       dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
       dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
       dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
       dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
       inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x455259
      RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259
      RDX: 0000000000000000 RSI: 0000000020b76fc8 RDI: 0000000000000015
      RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
       ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502
       dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
       dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
       dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
       dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
       inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
       inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797
       dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92
       dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408
       dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414
       dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197
       dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840
       ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
       dst_input include/net/dst.h:449 [inline]
       ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
       __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
       __netif_receive_skb net/core/dev.c:4627 [inline]
       process_backlog+0x62d/0xe20 net/core/dev.c:5307
       napi_poll net/core/dev.c:5705 [inline]
       net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
       __do_softirq+0x56d/0x93d kernel/softirq.c:285
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
       reqsk_alloc include/net/request_sock.h:88 [inline]
       inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145
       dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600
       dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317
       dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612
       dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682
       dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578
       sk_backlog_rcv include/net/sock.h:908 [inline]
       __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513
       dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874
       ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
       dst_input include/net/dst.h:449 [inline]
       ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
       __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
       __netif_receive_skb net/core/dev.c:4627 [inline]
       process_backlog+0x62d/0xe20 net/core/dev.c:5307
       napi_poll net/core/dev.c:5705 [inline]
       net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
       __do_softirq+0x56d/0x93d kernel/softirq.c:285
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      net: fix uninit-value in __hw_addr_add_ex() · 45227db4
      Eric Dumazet authored
      commit 77d36398 upstream.
      
      syzbot complained:
      
      BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
      CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: ipv6_addrconf addrconf_dad_work
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
       memcmp+0x119/0x180 lib/string.c:861
       __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
       __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
       dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
       igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
       ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
       addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
       addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
       addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
       process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
       worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
       kthread+0x539/0x720 kernel/kthread.c:239
      
      Fixes: f001fde5 ("net: introduce a list of device addresses dev_addr_list (v6)")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      net: initialize skb->peeked when cloning · ec98618c
      Eric Dumazet authored
      commit b13dda9f upstream.
      
      syzbot reported __skb_try_recv_from_queue() was using skb->peeked
      while it was potentially uninitialized.
      
      We need to clear it in __skb_clone().
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      net: fix rtnh_ok() · a3cac7e2
      Eric Dumazet authored
      commit b1993a2d upstream.
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in rtnh_ok include/net/nexthop.h:11 [inline]
      BUG: KMSAN: uninit-value in fib_count_nexthops net/ipv4/fib_semantics.c:469 [inline]
      BUG: KMSAN: uninit-value in fib_create_info+0x554/0x8d20 net/ipv4/fib_semantics.c:1091
      
      @remaining is an integer, coming from user space.
      If it is negative we want rtnh_ok() to return false.
      
      Fixes: 4e902c57 ("[IPv4]: FIB configuration using struct fib_config")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
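The signed/unsigned comparison behind the rtnh_ok() report above, as an added example that is not part of the commit or of the kernel tree: the struct, NLA_ALIGN and the nexthop-counting loop are reconstructed stand-ins for the kernel's, the sample buffer is constructed, and the read counter is instrumentation added here. It shows why a negative @remaining still reaches the header read (the uninit-value KMSAN flagged) even though the final verdict is false, and how a length that is not 4-byte aligned drives @remaining negative in the first place.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the kernel's struct rtnexthop; field layout reconstructed
 * here for illustration (uapi/linux/rtnetlink.h has the real one). */
struct rtnexthop {
    unsigned short rtnh_len;
    unsigned char  rtnh_flags;
    unsigned char  rtnh_hops;
    int            rtnh_ifindex;
};

/* Netlink attribute alignment, written the way the kernel's NLA_ALIGN is. */
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))

/* Instrumentation added for this example: counts every read of
 * rtnh->rtnh_len, so a test can tell "rejected without touching memory"
 * apart from "rejected only after reading past the validated bytes". */
static int rtnh_deref_count;

static unsigned short read_rtnh_len(const struct rtnexthop *rtnh)
{
    rtnh_deref_count++;
    return rtnh->rtnh_len;
}

/* Pre-fix shape: 'remaining' is int but sizeof() is size_t, so the first
 * comparison is done unsigned and -3 turns into a huge positive value.
 * The header is then read although the caller has no bytes left. */
static int rtnh_ok_buggy(const struct rtnexthop *rtnh, int remaining)
{
    unsigned short len;

    if (!(remaining >= sizeof(*rtnh)))  /* unsigned compare: passes for remaining < 0 */
        return 0;
    len = read_rtnh_len(rtnh);          /* the read KMSAN flagged */
    return len >= sizeof(*rtnh) && len <= remaining;
}

/* Fixed shape: compare as int, so a negative 'remaining' fails before
 * any field of the candidate header is touched. */
static int rtnh_ok_fixed(const struct rtnexthop *rtnh, int remaining)
{
    unsigned short len;

    if (remaining < (int)sizeof(*rtnh)) /* signed compare: -3 < 8 */
        return 0;
    len = read_rtnh_len(rtnh);
    return len >= sizeof(*rtnh) && len <= remaining;
}

/* Walks the nexthop list the way fib_count_nexthops() does (reconstructed):
 * advance by the aligned length and subtract it from 'remaining'. Because
 * rtnh_len is only checked against the unaligned 'remaining', a length of
 * 9 advances by 12 and leaves 'remaining' at -3. */
static int count_nexthops(int (*ok)(const struct rtnexthop *, int),
                          const struct rtnexthop *rtnh, int remaining,
                          int *derefs)
{
    int nhs = 0;

    rtnh_deref_count = 0;
    while (ok(rtnh, remaining)) {
        int totlen = NLA_ALIGN(rtnh->rtnh_len);

        nhs++;
        remaining -= totlen;
        rtnh = (const struct rtnexthop *)((const char *)rtnh + totlen);
    }
    *derefs = rtnh_deref_count;
    return nhs;
}

/* Constructed sample: one 9-byte nexthop (8-byte header plus one byte)
 * followed by 0xAA filler standing in for memory past the attribute. */
static const struct rtnexthop *sample_nexthops(void)
{
    static union { int align; unsigned char b[32]; } buf;
    struct rtnexthop first = { 9, 0, 0, 1 };

    memset(buf.b, 0xAA, sizeof(buf.b));
    memcpy(buf.b, &first, sizeof(first));
    return (const struct rtnexthop *)buf.b;
}

/* Nexthops counted when the user-supplied length is 9, with either check. */
static int sample_nexthop_count(int (*ok)(const struct rtnexthop *, int))
{
    int derefs;

    return count_nexthops(ok, sample_nexthops(), 9, &derefs);
}

/* Header reads performed during that same walk: 2 with the buggy check
 * (one of them past the 9 valid bytes), 1 with the fixed check. */
static int sample_header_reads(int (*ok)(const struct rtnexthop *, int))
{
    int derefs;

    count_nexthops(ok, sample_nexthops(), 9, &derefs);
    return derefs;
}
```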
      netlink: fix uninit-value in netlink_sendmsg · 473ac55c
      Eric Dumazet authored
      commit 6091f09c upstream.
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline]
      BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      crypto: af_alg - fix possible uninit-value in alg_bind() · 7b38b6dd
      Eric Dumazet authored
      commit a466856e upstream.
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162
      
      We need to check addr_len before dereferencing sa (or uaddr).
      
      Fixes: bb30b884 ("crypto: af_alg - whitelist mask and type")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Stephan Mueller <smueller@chronox.de>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      kcm: Call strp_stop before strp_done in kcm_attach · 38325036
      Tom Herbert authored
      commit dff8baa2 upstream.
      
      In kcm_attach strp_done is called when sk_user_data is already
      set to fail the attach. strp_done needs the strp to be stopped and
      warns if it isn't. Call strp_stop in this case to eliminate the
      warning message.
      
      Reported-by: syzbot+88dfb55e4c8b770d86e3@syzkaller.appspotmail.com
      Fixes: e5571240 ("kcm: Check if sk_user_data already set in kcm_attach")
      Signed-off-by: Tom Herbert <tom@quantonium.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      IB/device: Convert ib-comp-wq to be CPU-bound · 1899f679
      Sagi Grimberg authored
      commit b7363e67 upstream.
      
      This workqueue is used by our storage target mode ULPs
      via the new CQ API. Recent observations when working
      with very high-end flash storage devices reveal that
      UNBOUND workqueue threads can migrate between cpu cores
      and even numa nodes (although some numa locality is accounted
      for).
      
      While this attribute can be useful in some workloads,
      it does not fit in very nicely with the normal
      run-to-completion model we usually use in our target-mode
      ULPs and the block-mq irq<->cpu affinity facilities.
      
      The whole block-mq concept is that the completion will
      land on the same cpu where the submission was performed.
      The fact that our submitter thread is migrating cpus
      can break this locality.
      
      We assume that as a target mode ULP, we will serve multiple
      initiators/clients and we can spread the load enough without
      having to use unbound kworkers.
      
      Also, while we're at it, expose this workqueue via sysfs which
      is harmless and can be useful for debug.
      Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
      Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Cc: Raju Rangoju <rajur@chelsio.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ipvs: fix rtnl_lock lockups caused by start_sync_thread · 83797a77
      Julian Anastasov authored
      commit 5c64576a upstream.
      
      syzkaller reports wrong rtnl_lock usage in sync code [1] and [2]
      
      We have 2 problems in start_sync_thread if error path is
      taken, eg. on memory allocation error or failure to configure
      sockets for mcast group or addr/port binding:
      
      1. recursive locking: holding rtnl_lock while calling sock_release
      which in turn calls again rtnl_lock in ip_mc_drop_socket to leave
      the mcast group, as noticed by Florian Westphal. Additionally,
      sock_release can not be called while holding sync_mutex (ABBA
      deadlock).
      
      2. task hung: holding rtnl_lock while calling kthread_stop to
      stop the running kthreads. As the kthreads do the same to leave
      the mcast group (sock_release -> ip_mc_drop_socket -> rtnl_lock)
      they hang.
      
      Fix the problems by calling rtnl_unlock early in the error path,
      now sock_release is called after unlocking both mutexes.
      
      Problem 3 (task hung reported by syzkaller [2]) is a variant of
      problem 2: use _trylock to prevent one user from calling rtnl_lock and
      then, while waiting for sync_mutex, blocking kthreads that execute
      sock_release when they are stopped by stop_sync_thread.
      
      [1]
      IPVS: stopping backup sync thread 4500 ...
      WARNING: possible recursive locking detected
      4.16.0-rc7+ #3 Not tainted
      --------------------------------------------
      syzkaller688027/4497 is trying to acquire lock:
        (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
      
      but task is already holding lock:
      IPVS: stopping backup sync thread 4495 ...
        (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
      
      other info that might help us debug this:
        Possible unsafe locking scenario:
      
              CPU0
              ----
         lock(rtnl_mutex);
         lock(rtnl_mutex);
      
        *** DEADLOCK ***
      
        May be due to missing lock nesting notation
      
      2 locks held by syzkaller688027/4497:
        #0:  (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
        #1:  (ipvs->sync_mutex){+.+.}, at: [<00000000703f78e3>]
      do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
      
      stack backtrace:
      CPU: 1 PID: 4497 Comm: syzkaller688027 Not tainted 4.16.0-rc7+ #3
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x194/0x24d lib/dump_stack.c:53
        print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
        check_deadlock kernel/locking/lockdep.c:1805 [inline]
        validate_chain kernel/locking/lockdep.c:2401 [inline]
        __lock_acquire+0xe8f/0x3e00 kernel/locking/lockdep.c:3431
        lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
        __mutex_lock_common kernel/locking/mutex.c:756 [inline]
        __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
        rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
        ip_mc_drop_socket+0x88/0x230 net/ipv4/igmp.c:2643
        inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:413
        sock_release+0x8d/0x1e0 net/socket.c:595
        start_sync_thread+0x2213/0x2b70 net/netfilter/ipvs/ip_vs_sync.c:1924
        do_ip_vs_set_ctl+0x1139/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2389
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
        ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261
        udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2406
        sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
        SYSC_setsockopt net/socket.c:1849 [inline]
        SyS_setsockopt+0x189/0x360 net/socket.c:1828
        do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x446a69
      RSP: 002b:00007fa1c3a64da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446a69
      RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 00000000006e29fc R08: 0000000000000018 R09: 0000000000000000
      R10: 00000000200000c0 R11: 0000000000000246 R12: 00000000006e29f8
      R13: 00676e697279656b R14: 00007fa1c3a659c0 R15: 00000000006e2b60
      
      [2]
      IPVS: sync thread started: state = BACKUP, mcast_ifn = syz_tun, syncid = 4,
      id = 0
      IPVS: stopping backup sync thread 25415 ...
      INFO: task syz-executor7:25421 blocked for more than 120 seconds.
             Not tainted 4.16.0-rc6+ #284
      "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      syz-executor7   D23688 25421   4408 0x00000004
      Call Trace:
        context_switch kernel/sched/core.c:2862 [inline]
        __schedule+0x8fb/0x1ec0 kernel/sched/core.c:3440
        schedule+0xf5/0x430 kernel/sched/core.c:3499
        schedule_timeout+0x1a3/0x230 kernel/time/timer.c:1777
        do_wait_for_common kernel/sched/completion.c:86 [inline]
        __wait_for_common kernel/sched/completion.c:107 [inline]
        wait_for_common kernel/sched/completion.c:118 [inline]
        wait_for_completion+0x415/0x770 kernel/sched/completion.c:139
        kthread_stop+0x14a/0x7a0 kernel/kthread.c:530
        stop_sync_thread+0x3d9/0x740 net/netfilter/ipvs/ip_vs_sync.c:1996
        do_ip_vs_set_ctl+0x2b1/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2394
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
        ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1253
        sctp_setsockopt+0x2ca/0x63e0 net/sctp/socket.c:4154
        sock_common_setsockopt+0x95/0xd0 net/core/sock.c:3039
        SYSC_setsockopt net/socket.c:1850 [inline]
        SyS_setsockopt+0x189/0x360 net/socket.c:1829
        do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x454889
      RSP: 002b:00007fc927626c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00007fc9276276d4 RCX: 0000000000454889
      RDX: 000000000000048c RSI: 0000000000000000 RDI: 0000000000000017
      RBP: 000000000072bf58 R08: 0000000000000018 R09: 0000000000000000
      R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 000000000000051c R14: 00000000006f9b40 R15: 0000000000000001
      
      Showing all locks held in the system:
      2 locks held by khungtaskd/868:
        #0:  (rcu_read_lock){....}, at: [<00000000a1a8f002>]
      check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
        #0:  (rcu_read_lock){....}, at: [<00000000a1a8f002>] watchdog+0x1c5/0xd60
      kernel/hung_task.c:249
        #1:  (tasklist_lock){.+.+}, at: [<0000000037c2f8f9>]
      debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470
      1 lock held by rsyslogd/4247:
        #0:  (&f->f_pos_lock){+.+.}, at: [<000000000d8d6983>]
      __fdget_pos+0x12b/0x190 fs/file.c:765
      2 locks held by getty/4338:
        #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
      ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
        #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
      n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
      2 locks held by getty/4339:
        #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
      ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
        #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
      n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
      2 locks held by getty/4340:
        #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
      ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
        #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
      n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
      2 locks held by getty/4341:
        #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
      ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
        #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
      n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
      2 locks held by getty/4342:
        #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
      ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
        #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
      n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
      2 locks held by getty/4343:
        #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
      ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
        #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
      n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
      2 locks held by getty/4344:
        #0:  (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
      ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
        #1:  (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
      n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
      3 locks held by kworker/0:5/6494:
        #0:  ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
      [<00000000a062b18e>] work_static include/linux/workqueue.h:198 [inline]
        #0:  ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
      [<00000000a062b18e>] set_work_data kernel/workqueue.c:619 [inline]
        #0:  ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
      [<00000000a062b18e>] set_work_pool_and_clear_pending kernel/workqueue.c:646
      [inline]
        #0:  ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
      [<00000000a062b18e>] process_one_work+0xb12/0x1bb0 kernel/workqueue.c:2084
        #1:  ((addr_chk_work).work){+.+.}, at: [<00000000278427d5>]
      process_one_work+0xb89/0x1bb0 kernel/workqueue.c:2088
        #2:  (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
      1 lock held by syz-executor7/25421:
        #0:  (ipvs->sync_mutex){+.+.}, at: [<00000000d414a689>]
      do_ip_vs_set_ctl+0x277/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2393
      2 locks held by syz-executor7/25427:
        #0:  (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
        #1:  (ipvs->sync_mutex){+.+.}, at: [<00000000e6d48489>]
      do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
      1 lock held by syz-executor7/25435:
        #0:  (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
      1 lock held by ipvs-b:2:0/25415:
        #0:  (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
      
      Reported-and-tested-by: syzbot+a46d6abf9d56b1365a72@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+5fe074c01b2032ce9618@syzkaller.appspotmail.com
      Fixes: e0b26cc9 ("ipvs: call rtnl_lock early")
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Cc: Zubin Mithra <zsm@chromium.org>
      Cc: Guenter Roeck <groeck@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 09 May, 2018 29 commits