1. 18 Mar, 2020 7 commits
  2. 17 Mar, 2020 1 commit
  3. 16 Mar, 2020 23 commits
  4. 15 Mar, 2020 8 commits
    • Florian Westphal's avatar
      geneve: move debug check after netdev unregister · 0fda7600
      Florian Westphal authored
      The debug check must be done after unregister_netdevice_many() call --
      the list_del() for this is done inside .ndo_stop.
      
      Fixes: 2843a253 ("geneve: speedup geneve tunnels dismantle")
      Reported-and-tested-by: <syzbot+68a8ed58e3d17c700de5@syzkaller.appspotmail.com>
      Cc: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0fda7600
    • Willem de Bruijn's avatar
      net/packet: tpacket_rcv: avoid a producer race condition · 61fad681
      Willem de Bruijn authored
      PACKET_RX_RING can cause multiple writers to access the same slot if a
      fast writer wraps the ring while a slow writer is still copying. This
      is particularly likely with few, large, slots (e.g., GSO packets).
      
      Synchronize kernel thread ownership of rx ring slots with a bitmap.
      
      Writers acquire a slot race-free by testing tp_status TP_STATUS_KERNEL
      while holding the sk receive queue lock. They release this lock before
      copying and set tp_status to TP_STATUS_USER to release to userspace
      when done. During copying, another writer may take the lock, also see
      TP_STATUS_KERNEL, and start writing to the same slot.
      
      Introduce a new rx_owner_map bitmap with a bit per slot. To acquire a
      slot, test and set with the lock held. To release race-free, update
      tp_status and owner bit as a transaction, so take the lock again.
      
      This is the one of a variety of discussed options (see Link below):
      
      * instead of a shadow ring, embed the data in the slot itself, such as
      in tp_padding. But any test for this field may match a value left by
      userspace, causing deadlock.
      
      * avoid the lock on release. This leaves a small race if releasing the
      shadow slot before setting TP_STATUS_USER. The below reproducer showed
      that this race is not academic. If releasing the slot after tp_status,
      the race is more subtle. See the first link for details.
      
      * add a new tp_status TP_KERNEL_OWNED to avoid the transactional store
      of two fields. But, legacy applications may interpret all non-zero
      tp_status as owned by the user. As libpcap does. So this is possible
      only opt-in by newer processes. It can be added as an optional mode.
      
      * embed the struct at the tail of pg_vec to avoid extra allocation.
      The implementation proved no less complex than a separate field.
      
      The additional locking cost on release adds contention, no different
      than scaling on multicore or multiqueue h/w. In practice, below
      reproducer nor small packet tcpdump showed a noticeable change in
      perf report in cycles spent in spinlock. Where contention is
      problematic, packet sockets support mitigation through PACKET_FANOUT.
      And we can consider adding opt-in state TP_KERNEL_OWNED.
      
      Easy to reproduce by running multiple netperf or similar TCP_STREAM
      flows concurrently with `tcpdump -B 129 -n greater 60000`.
      
      Based on an earlier patchset by Jon Rosen. See links below.
      
      I believe this issue goes back to the introduction of tpacket_rcv,
      which predates git history.
      
      Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg237222.htmlSuggested-by: default avatarJon Rosen <jrosen@cisco.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarJon Rosen <jrosen@cisco.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61fad681
    • Petr Machata's avatar
      net: ip_gre: Separate ERSPAN newlink / changelink callbacks · e1f8f78f
      Petr Machata authored
      ERSPAN shares most of the code path with GRE and gretap code. While that
      helps keep the code compact, it is also error prone. Currently a broken
      userspace can turn a gretap tunnel into a de facto ERSPAN one by passing
      IFLA_GRE_ERSPAN_VER. There has been a similar issue in ip6gretap in the
      past.
      
      To prevent these problems in future, split the newlink and changelink code
      paths. Split the ERSPAN code out of ipgre_netlink_parms() into a new
      function erspan_netlink_parms(). Extract a piece of common logic from
      ipgre_newlink() and ipgre_changelink() into ipgre_newlink_encap_setup().
      Add erspan_newlink() and erspan_changelink().
      
      Fixes: 84e54fe0 ("gre: introduce native tunnel support for ERSPAN")
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e1f8f78f
    • Shahjada Abul Husain's avatar
      cxgb4: fix delete filter entry fail in unload path · 46ea929b
      Shahjada Abul Husain authored
      Currently, the hardware TID index is assumed to start from index 0.
      However, with the following changeset,
      
      commit c2193999 ("cxgb4: add support for high priority filters")
      
      hardware TID index can start after the high priority region, which
      has introduced a regression resulting in remove filters entry
      failure for cxgb4 unload path. This patch fix that.
      
      Fixes: c2193999 ("cxgb4: add support for high priority filters")
      Signed-off-by: default avatarShahjada Abul Husain <shahjada@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      46ea929b
    • Markus Fuchs's avatar
      net: stmmac: platform: Fix misleading interrupt error msg · fc191af1
      Markus Fuchs authored
      Not every stmmac based platform makes use of the eth_wake_irq or eth_lpi
      interrupts. Use the platform_get_irq_byname_optional variant for these
      interrupts, so no error message is displayed, if they can't be found.
      Rather print an information to hint something might be wrong to assist
      debugging on platforms which use these interrupts.
      Signed-off-by: default avatarMarkus Fuchs <mklntf@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc191af1
    • Bruno Meneguele's avatar
      net/bpfilter: fix dprintf usage for /dev/kmsg · 13d0f7b8
      Bruno Meneguele authored
      The bpfilter UMH code was recently changed to log its informative messages to
      /dev/kmsg, however this interface doesn't support SEEK_CUR yet, used by
      dprintf(). As result dprintf() returns -EINVAL and doesn't log anything.
      
      However there already had some discussions about supporting SEEK_CUR into
      /dev/kmsg interface in the past it wasn't concluded. Since the only user of
      that from userspace perspective inside the kernel is the bpfilter UMH
      (userspace) module it's better to correct it here instead waiting a conclusion
      on the interface.
      
      Fixes: 36c4357c ("net: bpfilter: print umh messages to /dev/kmsg")
      Signed-off-by: default avatarBruno Meneguele <bmeneg@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      13d0f7b8
    • Cong Wang's avatar
      net_sched: keep alloc_hash updated after hash allocation · 0d1c3530
      Cong Wang authored
      In commit 599be01e ("net_sched: fix an OOB access in cls_tcindex")
      I moved cp->hash calculation before the first
      tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched.
      This difference could lead to another out of bound access.
      
      cp->alloc_hash should always be the size allocated, we should
      update it after this tcindex_alloc_perfect_hash().
      
      Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
      Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
      Fixes: 599be01e ("net_sched: fix an OOB access in cls_tcindex")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d1c3530
    • Cong Wang's avatar
      net_sched: hold rtnl lock in tcindex_partial_destroy_work() · b1be2e8c
      Cong Wang authored
      syzbot reported a use-after-free in tcindex_dump(). This is due to
      the lack of RTNL in the deferred rcu work. We queue this work with
      RTNL in tcindex_change(), later, tcindex_dump() is called:
      
              fh = tp->ops->get(tp, t->tcm_handle);
      	...
              err = tp->ops->change(..., &fh, ...);
              tfilter_notify(..., fh, ...);
      
      but there is nothing to serialize the pending
      tcindex_partial_destroy_work() with tcindex_dump().
      
      Fix this by simply holding RTNL in tcindex_partial_destroy_work(),
      so that it won't be called until RTNL is released after
      tc_new_tfilter() is completed.
      
      Reported-and-tested-by: syzbot+653090db2562495901dc@syzkaller.appspotmail.com
      Fixes: 3d210534 ("net_sched: fix a race condition in tcindex_destroy()")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b1be2e8c
  5. 13 Mar, 2020 1 commit
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2020-03-13' of... · 94b18a87
      David S. Miller authored
      Merge tag 'wireless-drivers-2020-03-13' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.6
      
      Third, and hopefully last, set of fixes for v5.6.
      
      iwlwifi
      
      * fix a locking issue in time events handling
      
      * a fix in rate-scaling
      
      * fix for a potential NULL pointer deref
      
      * enable antenna diversity in some devices that were erroneously not doing it
      
      * allow FW dumps to continue when the FW is stuck
      
      * a fix in the HE capabilities handling
      
      * another fix for FW dumps where we were reading wrong addresses
      
      * fix link in MAINTAINERS file
      
      rtlwifi
      
      * fix regression causing connect issues in v5.4
      
      wlcore
      
      * remove merge damage which luckily didn't have any impact on functionality
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      94b18a87