1. 01 Jun, 2021 9 commits
    • Maxim Mikityanskiy's avatar
      net/tls: Fix use-after-free after the TLS device goes down and up · c55dcdd4
      Maxim Mikityanskiy authored
      When a netdev with active TLS offload goes down, tls_device_down is
      called to stop the offload and tear down the TLS context. However, the
      socket stays alive, and it still points to the TLS context, which is now
      deallocated. If a netdev goes up, while the connection is still active,
      and the data flow resumes after a number of TCP retransmissions, it will
      lead to a use-after-free of the TLS context.
      
      This commit addresses this bug by keeping the context alive until its
      normal destruction, and implements the necessary fallbacks, so that the
      connection can resume in software (non-offloaded) kTLS mode.
      
      On the TX side tls_sw_fallback is used to encrypt all packets. The RX
      side already has all the necessary fallbacks, because receiving
      non-decrypted packets is supported. The thing needed on the RX side is
      to block resync requests, which are normally produced after receiving
      non-decrypted packets.
      
      The necessary synchronization is implemented for a graceful teardown:
      first the fallbacks are deployed, then the driver resources are released
      (it used to be possible to have a tls_dev_resync after tls_dev_del).
      
      A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback
      mode. It's used to skip the RX resync logic completely, as it becomes
      useless, and some objects may be released (for example, resync_async,
      which is allocated and freed by the driver).
      
      Fixes: e8f69799 ("net/tls: Add generic NIC offload infrastructure")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c55dcdd4
    • Maxim Mikityanskiy's avatar
      net/tls: Replace TLS_RX_SYNC_RUNNING with RCU · 05fc8b6c
      Maxim Mikityanskiy authored
      RCU synchronization is guaranteed to finish in finite time, unlike a
      busy loop that polls a flag. This patch is a preparation for the bugfix
      in the next patch, where the same synchronize_net() call will also be
      used to sync with the TX datapath.
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      05fc8b6c
    • Jiapeng Chong's avatar
      ethernet: myri10ge: Fix missing error code in myri10ge_probe() · f336d0b9
      Jiapeng Chong authored
      The error code is missing in this code scenario, add the error code
      '-EINVAL' to the return value 'status'.
      
      Eliminate the follow smatch warning:
      
      drivers/net/ethernet/myricom/myri10ge/myri10ge.c:3818 myri10ge_probe()
      warn: missing error code 'status'.
      Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Signed-off-by: default avatarJiapeng Chong <jiapeng.chong@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f336d0b9
    • David S. Miller's avatar
      Merge branch 'virtio_net-build_skb-fixes' · 53d5fa9b
      David S. Miller authored
      Xuan Zhuo says:
      
      ====================
      virtio-net: fix for build_skb()
      
      The logic of this piece is really messy. Fortunately, my refactored patch can be
      completed with a small amount of testing.
      ====================
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      53d5fa9b
    • Xuan Zhuo's avatar
      virtio_net: get build_skb() buf by data ptr · 8fb7da9e
      Xuan Zhuo authored
      In the case of merge, the page passed into page_to_skb() may be a head
      page, not the page where the current data is located. So when trying to
      get the buf where the data is located, we should get buf based on
      headroom instead of offset.
      
      This patch solves this problem. But if you don't use this patch, the
      original code can also run, because if the page is not the page of the
      current data, the calculated tailroom will be less than 0, and will not
      enter the logic of build_skb() . The significance of this patch is to
      modify this logical problem, allowing more situations to use
      build_skb().
      Signed-off-by: default avatarXuan Zhuo <xuanzhuo@linux.alibaba.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8fb7da9e
    • Xuan Zhuo's avatar
      virtio-net: fix for unable to handle page fault for address · 5c37711d
      Xuan Zhuo authored
      In merge mode, when xdp is enabled, if the headroom of buf is smaller
      than virtnet_get_headroom(), xdp_linearize_page() will be called but the
      variable of "headroom" is still 0, which leads to wrong logic after
      entering page_to_skb().
      
      [   16.600944] BUG: unable to handle page fault for address: ffffecbfff7b43c8[   16.602175] #PF: supervisor read access in kernel mode
      [   16.603350] #PF: error_code(0x0000) - not-present page
      [   16.604200] PGD 0 P4D 0
      [   16.604686] Oops: 0000 [#1] SMP PTI
      [   16.605306] CPU: 4 PID: 715 Comm: sh Tainted: G    B             5.12.0+ #312
      [   16.606429] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/04
      [   16.608217] RIP: 0010:unmap_page_range+0x947/0xde0
      [   16.609014] Code: 00 00 08 00 48 83 f8 01 45 19 e4 41 f7 d4 41 83 e4 03 e9 a4 fd ff ff e8 b7 63 ed ff 4c 89 e0 48 c1 e0 065
      [   16.611863] RSP: 0018:ffffc90002503c58 EFLAGS: 00010286
      [   16.612720] RAX: ffffecbfff7b43c0 RBX: 00007f19f7203000 RCX: ffffffff812ff359
      [   16.613853] RDX: ffff888107778000 RSI: 0000000000000000 RDI: 0000000000000005
      [   16.614976] RBP: ffffea000425e000 R08: 0000000000000000 R09: 3030303030303030
      [   16.616124] R10: ffffffff82ed7d94 R11: 6637303030302052 R12: 7c00000afffded0f
      [   16.617276] R13: 0000000000000001 R14: ffff888119ee7010 R15: 00007f19f7202000
      [   16.618423] FS:  0000000000000000(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
      [   16.619738] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   16.620670] CR2: ffffecbfff7b43c8 CR3: 0000000103220005 CR4: 0000000000370ee0
      [   16.621792] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   16.622920] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   16.624047] Call Trace:
      [   16.624525]  ? release_pages+0x24d/0x730
      [   16.625209]  unmap_single_vma+0xa9/0x130
      [   16.625885]  unmap_vmas+0x76/0xf0
      [   16.626480]  exit_mmap+0xa0/0x210
      [   16.627129]  mmput+0x67/0x180
      [   16.627673]  do_exit+0x3d1/0xf10
      [   16.628259]  ? do_user_addr_fault+0x231/0x840
      [   16.629000]  do_group_exit+0x53/0xd0
      [   16.629631]  __x64_sys_exit_group+0x1d/0x20
      [   16.630354]  do_syscall_64+0x3c/0x80
      [   16.630988]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [   16.631828] RIP: 0033:0x7f1a043d0191
      [   16.632464] Code: Unable to access opcode bytes at RIP 0x7f1a043d0167.
      [   16.633502] RSP: 002b:00007ffe3d993308 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      [   16.634737] RAX: ffffffffffffffda RBX: 00007f1a044c9490 RCX: 00007f1a043d0191
      [   16.635857] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
      [   16.636986] RBP: 0000000000000000 R08: ffffffffffffff88 R09: 0000000000000001
      [   16.638120] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f1a044c9490
      [   16.639245] R13: 0000000000000001 R14: 00007f1a044c9968 R15: 0000000000000000
      [   16.640408] Modules linked in:
      [   16.640958] CR2: ffffecbfff7b43c8
      [   16.641557] ---[ end trace bc4891c6ce46354c ]---
      [   16.642335] RIP: 0010:unmap_page_range+0x947/0xde0
      [   16.643135] Code: 00 00 08 00 48 83 f8 01 45 19 e4 41 f7 d4 41 83 e4 03 e9 a4 fd ff ff e8 b7 63 ed ff 4c 89 e0 48 c1 e0 065
      [   16.645983] RSP: 0018:ffffc90002503c58 EFLAGS: 00010286
      [   16.646845] RAX: ffffecbfff7b43c0 RBX: 00007f19f7203000 RCX: ffffffff812ff359
      [   16.647970] RDX: ffff888107778000 RSI: 0000000000000000 RDI: 0000000000000005
      [   16.649091] RBP: ffffea000425e000 R08: 0000000000000000 R09: 3030303030303030
      [   16.650250] R10: ffffffff82ed7d94 R11: 6637303030302052 R12: 7c00000afffded0f
      [   16.651394] R13: 0000000000000001 R14: ffff888119ee7010 R15: 00007f19f7202000
      [   16.652529] FS:  0000000000000000(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
      [   16.653887] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   16.654841] CR2: ffffecbfff7b43c8 CR3: 0000000103220005 CR4: 0000000000370ee0
      [   16.655992] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   16.657150] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   16.658290] Kernel panic - not syncing: Fatal exception
      [   16.659613] Kernel Offset: disabled
      [   16.660234] ---[ end Kernel panic - not syncing: Fatal exception ]---
      
      Fixes: fb32856b ("virtio-net: page_to_skb() use build_skb when there's sufficient tailroom")
      Signed-off-by: default avatarXuan Zhuo <xuanzhuo@linux.alibaba.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c37711d
    • Alexander Aring's avatar
      net: sock: fix in-kernel mark setting · dd9082f4
      Alexander Aring authored
      This patch fixes the in-kernel mark setting by doing an additional
      sk_dst_reset() which was introduced by commit 50254256 ("sock: Reset
      dst when changing sk_mark via setsockopt"). The code is now shared to
      avoid any further suprises when changing the socket mark value.
      
      Fixes: 84d1c617 ("net: sock: add sock_set_mark")
      Reported-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarAlexander Aring <aahringo@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dd9082f4
    • Vladimir Oltean's avatar
      net: dsa: tag_8021q: fix the VLAN IDs used for encoding sub-VLANs · 4ef8d857
      Vladimir Oltean authored
      When using sub-VLANs in the range of 1-7, the resulting value from:
      
      	rx_vid = dsa_8021q_rx_vid_subvlan(ds, port, subvlan);
      
      is wrong according to the description from tag_8021q.c:
      
       | 11  | 10  |  9  |  8  |  7  |  6  |  5  |  4  |  3  |  2  |  1  |  0  |
       +-----------+-----+-----------------+-----------+-----------------------+
       |    DIR    | SVL |    SWITCH_ID    |  SUBVLAN  |          PORT         |
       +-----------+-----+-----------------+-----------+-----------------------+
      
      For example, when ds->index == 0, port == 3 and subvlan == 1,
      dsa_8021q_rx_vid_subvlan() returns 1027, same as it returns for
      subvlan == 0, but it should have returned 1043.
      
      This is because the low portion of the subvlan bits are not masked
      properly when writing into the 12-bit VLAN value. They are masked into
      bits 4:3, but they should be masked into bits 5:4.
      
      Fixes: 3eaae1d0 ("net: dsa: tag_8021q: support up to 8 VLANs per port using sub-VLANs")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4ef8d857
    • Krzysztof Kozlowski's avatar
      nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect · 4ac06a1e
      Krzysztof Kozlowski authored
      It's possible to trigger NULL pointer dereference by local unprivileged
      user, when calling getsockname() after failed bind() (e.g. the bind
      fails because LLCP_SAP_MAX used as SAP):
      
        BUG: kernel NULL pointer dereference, address: 0000000000000000
        CPU: 1 PID: 426 Comm: llcp_sock_getna Not tainted 5.13.0-rc2-next-20210521+ #9
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014
        Call Trace:
         llcp_sock_getname+0xb1/0xe0
         __sys_getpeername+0x95/0xc0
         ? lockdep_hardirqs_on_prepare+0xd5/0x180
         ? syscall_enter_from_user_mode+0x1c/0x40
         __x64_sys_getpeername+0x11/0x20
         do_syscall_64+0x36/0x70
         entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      This can be reproduced with Syzkaller C repro (bind followed by
      getpeername):
      https://syzkaller.appspot.com/x/repro.c?x=14def446e00000
      
      Cc: <stable@vger.kernel.org>
      Fixes: d646960f ("NFC: Initial LLCP support")
      Reported-by: syzbot+80fb126e7f7d8b1a5914@syzkaller.appspotmail.com
      Reported-by: default avatarbutt3rflyh4ck <butterflyhuangxx@gmail.com>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Link: https://lore.kernel.org/r/20210531072138.5219-1-krzysztof.kozlowski@canonical.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4ac06a1e
  2. 30 May, 2021 1 commit
    • Sriranjani P's avatar
      net: stmmac: fix kernel panic due to NULL pointer dereference of mdio_bus_data · 593f555f
      Sriranjani P authored
      Fixed link does not need mdio bus and in that case mdio_bus_data will
      not be allocated. Before using mdio_bus_data we should check for NULL.
      
      This patch fix the kernel panic due to NULL pointer dereference of
      mdio_bus_data when it is not allocated.
      
      Without this patch we do see following kernel crash caused due to kernel
      NULL pointer dereference.
      
      Call trace:
      stmmac_dvr_probe+0x3c/0x10b0
      dwc_eth_dwmac_probe+0x224/0x378
      platform_probe+0x68/0xe0
      really_probe+0x130/0x3d8
      driver_probe_device+0x68/0xd0
      device_driver_attach+0x74/0x80
      __driver_attach+0x58/0xf8
      bus_for_each_dev+0x7c/0xd8
      driver_attach+0x24/0x30
      bus_add_driver+0x148/0x1f0
      driver_register+0x64/0x120
      __platform_driver_register+0x28/0x38
      dwc_eth_dwmac_driver_init+0x1c/0x28
      do_one_initcall+0x78/0x158
      kernel_init_freeable+0x1f0/0x244
      kernel_init+0x14/0x118
      ret_from_fork+0x10/0x30
      Code: f9002bfb 9113e2d9 910e6273 aa0003f7 (f9405c78)
      ---[ end trace 32d9d41562ddc081 ]---
      
      Fixes: e5e5b771 ("net: stmmac: make in-band AN mode parsing is supported for non-DT")
      Signed-off-by: default avatarSriranjani P <sriranjani.p@samsung.com>
      Signed-off-by: default avatarPankaj Dubey <pankaj.dubey@samsung.com>
      Link: https://lore.kernel.org/r/20210528071056.35252-1-sriranjani.p@samsung.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      593f555f
  3. 28 May, 2021 5 commits
  4. 27 May, 2021 6 commits
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 44991d61
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter/IPVS fixes for net:
      
      1) Fix incorrect sockopts unregistration from error path,
         from Florian Westphal.
      
      2) A few patches to provide better error reporting when missing kernel
         netfilter options are missing in .config.
      
      3) Fix dormant table flag updates.
      
      4) Memleak in IPVS  when adding service with IP_VS_SVC_F_HASHED flag.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf:
        ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service
        netfilter: nf_tables: fix table flag updates
        netfilter: nf_tables: extended netlink error reporting for chain type
        netfilter: nf_tables: missing error reporting for not selected expressions
        netfilter: conntrack: unregister ipv4 sockopts on error unwind
      ====================
      
      Link: https://lore.kernel.org/r/20210527190115.98503-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      44991d61
    • Ariel Levkovich's avatar
      net/sched: act_ct: Fix ct template allocation for zone 0 · fb91702b
      Ariel Levkovich authored
      Fix current behavior of skipping template allocation in case the
      ct action is in zone 0.
      
      Skipping the allocation may cause the datapath ct code to ignore the
      entire ct action with all its attributes (commit, nat) in case the ct
      action in zone 0 was preceded by a ct clear action.
      
      The ct clear action sets the ct_state to untracked and resets the
      skb->_nfct pointer. Under these conditions and without an allocated
      ct template, the skb->_nfct pointer will remain NULL which will
      cause the tc ct action handler to exit without handling commit and nat
      actions, if such exist.
      
      For example, the following rule in OVS dp:
      recirc_id(0x2),ct_state(+new-est-rel-rpl+trk),ct_label(0/0x1), \
      in_port(eth0),actions:ct_clear,ct(commit,nat(src=10.11.0.12)), \
      recirc(0x37a)
      
      Will result in act_ct skipping the commit and nat actions in zone 0.
      
      The change removes the skipping of template allocation for zone 0 and
      treats it the same as any other zone.
      
      Fixes: b57dc7c1 ("net/sched: Introduce action ct")
      Signed-off-by: default avatarAriel Levkovich <lariel@nvidia.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Link: https://lore.kernel.org/r/20210526170110.54864-1-lariel@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fb91702b
    • Paul Blakey's avatar
      net/sched: act_ct: Offload connections with commit action · 0cc254e5
      Paul Blakey authored
      Currently established connections are not offloaded if the filter has a
      "ct commit" action. This behavior will not offload connections of the
      following scenario:
      
      $ tc_filter add dev $DEV ingress protocol ip prio 1 flower \
        ct_state -trk \
        action ct commit action goto chain 1
      
      $ tc_filter add dev $DEV ingress protocol ip chain 1 prio 1 flower \
        action mirred egress redirect dev $DEV2
      
      $ tc_filter add dev $DEV2 ingress protocol ip prio 1 flower \
        action ct commit action goto chain 1
      
      $ tc_filter add dev $DEV2 ingress protocol ip prio 1 chain 1 flower \
        ct_state +trk+est \
        action mirred egress redirect dev $DEV
      
      Offload established connections, regardless of the commit flag.
      
      Fixes: 46475bb2 ("net/sched: act_ct: Software offload of established flows")
      Reviewed-by: default avatarOz Shlomo <ozsh@nvidia.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarPaul Blakey <paulb@nvidia.com>
      Link: https://lore.kernel.org/r/1622029449-27060-1-git-send-email-paulb@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0cc254e5
    • Parav Pandit's avatar
      devlink: Correct VIRTUAL port to not have phys_port attributes · b28d8f0c
      Parav Pandit authored
      Physical port name, port number attributes do not belong to virtual port
      flavour. When VF or SF virtual ports are registered they incorrectly
      append "np0" string in the netdevice name of the VF/SF.
      
      Before this fix, VF netdevice name were ens2f0np0v0, ens2f0np0v1 for VF
      0 and 1 respectively.
      
      After the fix, they are ens2f0v0, ens2f0v1.
      
      With this fix, reading /sys/class/net/ens2f0v0/phys_port_name returns
      -EOPNOTSUPP.
      
      Also devlink port show example for 2 VFs on one PF to ensure that any
      physical port attributes are not exposed.
      
      $ devlink port show
      pci/0000:06:00.0/65535: type eth netdev ens2f0np0 flavour physical port 0 splittable false
      pci/0000:06:00.3/196608: type eth netdev ens2f0v0 flavour virtual splittable false
      pci/0000:06:00.4/262144: type eth netdev ens2f0v1 flavour virtual splittable false
      
      This change introduces a netdevice name change on systemd/udev
      version 245 and higher which honors phys_port_name sysfs file for
      generation of netdevice name.
      
      This also aligns to phys_port_name usage which is limited to switchdev
      ports as described in [1].
      
      [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/tree/Documentation/networking/switchdev.rst
      
      Fixes: acf1ee44 ("devlink: Introduce devlink port flavour virtual")
      Signed-off-by: default avatarParav Pandit <parav@nvidia.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20210526200027.14008-1-parav@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b28d8f0c
    • Julian Anastasov's avatar
      ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service · 56e4ee82
      Julian Anastasov authored
      syzbot reported memory leak [1] when adding service with
      HASHED flag. We should ignore this flag both from sockopt
      and netlink provided data, otherwise the service is not
      hashed and not visible while releasing resources.
      
      [1]
      BUG: memory leak
      unreferenced object 0xffff888115227800 (size 512):
        comm "syz-executor263", pid 8658, jiffies 4294951882 (age 12.560s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff83977188>] kmalloc include/linux/slab.h:556 [inline]
          [<ffffffff83977188>] kzalloc include/linux/slab.h:686 [inline]
          [<ffffffff83977188>] ip_vs_add_service+0x598/0x7c0 net/netfilter/ipvs/ip_vs_ctl.c:1343
          [<ffffffff8397d770>] do_ip_vs_set_ctl+0x810/0xa40 net/netfilter/ipvs/ip_vs_ctl.c:2570
          [<ffffffff838449a8>] nf_setsockopt+0x68/0xa0 net/netfilter/nf_sockopt.c:101
          [<ffffffff839ae4e9>] ip_setsockopt+0x259/0x1ff0 net/ipv4/ip_sockglue.c:1435
          [<ffffffff839fa03c>] raw_setsockopt+0x18c/0x1b0 net/ipv4/raw.c:857
          [<ffffffff83691f20>] __sys_setsockopt+0x1b0/0x360 net/socket.c:2117
          [<ffffffff836920f2>] __do_sys_setsockopt net/socket.c:2128 [inline]
          [<ffffffff836920f2>] __se_sys_setsockopt net/socket.c:2125 [inline]
          [<ffffffff836920f2>] __x64_sys_setsockopt+0x22/0x30 net/socket.c:2125
          [<ffffffff84350efa>] do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
          [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Reported-and-tested-by: syzbot+e562383183e4b1766930@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Reviewed-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      56e4ee82
    • Linus Torvalds's avatar
      Merge tag 'net-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · d7c5303f
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.13-rc4, including fixes from bpf, netfilter,
        can and wireless trees. Notably including fixes for the recently
        announced "FragAttacks" WiFi vulnerabilities. Rather large batch,
        touching some core parts of the stack, too, but nothing hair-raising.
      
        Current release - regressions:
      
         - tipc: make node link identity publish thread safe
      
         - dsa: felix: re-enable TAS guard band mode
      
         - stmmac: correct clocks enabled in stmmac_vlan_rx_kill_vid()
      
         - stmmac: fix system hang if change mac address after interface
           ifdown
      
        Current release - new code bugs:
      
         - mptcp: avoid OOB access in setsockopt()
      
         - bpf: Fix nested bpf_bprintf_prepare with more per-cpu buffers
      
         - ethtool: stats: fix a copy-paste error - init correct array size
      
        Previous releases - regressions:
      
         - sched: fix packet stuck problem for lockless qdisc
      
         - net: really orphan skbs tied to closing sk
      
         - mlx4: fix EEPROM dump support
      
         - bpf: fix alu32 const subreg bound tracking on bitwise operations
      
         - bpf: fix mask direction swap upon off reg sign change
      
         - bpf, offload: reorder offload callback 'prepare' in verifier
      
         - stmmac: Fix MAC WoL not working if PHY does not support WoL
      
         - packetmmap: fix only tx timestamp on request
      
         - tipc: skb_linearize the head skb when reassembling msgs
      
        Previous releases - always broken:
      
         - mac80211: address recent "FragAttacks" vulnerabilities
      
         - mac80211: do not accept/forward invalid EAPOL frames
      
         - mptcp: avoid potential error message floods
      
         - bpf, ringbuf: deny reserve of buffers larger than ringbuf to
           prevent out of buffer writes
      
         - bpf: forbid trampoline attach for functions with variable arguments
      
         - bpf: add deny list of functions to prevent inf recursion of tracing
           programs
      
         - tls splice: check SPLICE_F_NONBLOCK instead of MSG_DONTWAIT
      
         - can: isotp: prevent race between isotp_bind() and
           isotp_setsockopt()
      
         - netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check,
           fallback to non-AVX2 version
      
        Misc:
      
         - bpf: add kconfig knob for disabling unpriv bpf by default"
      
      * tag 'net-5.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (172 commits)
        net: phy: Document phydev::dev_flags bits allocation
        mptcp: validate 'id' when stopping the ADD_ADDR retransmit timer
        mptcp: avoid error message on infinite mapping
        mptcp: drop unconditional pr_warn on bad opt
        mptcp: avoid OOB access in setsockopt()
        nfp: update maintainer and mailing list addresses
        net: mvpp2: add buffer header handling in RX
        bnx2x: Fix missing error code in bnx2x_iov_init_one()
        net: zero-initialize tc skb extension on allocation
        net: hns: Fix kernel-doc
        sctp: fix the proc_handler for sysctl encap_port
        sctp: add the missing setting for asoc encap_port
        bpf, selftests: Adjust few selftest result_unpriv outcomes
        bpf: No need to simulate speculative domain for immediates
        bpf: Fix mask direction swap upon off reg sign change
        bpf: Wrap aux data inside bpf_sanitize_info container
        bpf: Fix BPF_LSM kconfig symbol dependency
        selftests/bpf: Add test for l3 use of bpf_redirect_peer
        bpftool: Add sock_release help info for cgroup attach/prog load command
        net: dsa: microchip: enable phy errata workaround on 9567
        ...
      d7c5303f
  5. 26 May, 2021 2 commits
  6. 25 May, 2021 17 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · f5d28712
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-05-26
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 14 non-merge commits during the last 14 day(s) which contain
      a total of 17 files changed, 513 insertions(+), 231 deletions(-).
      
      The main changes are:
      
      1) Fix bpf_skb_change_head() helper to reset mac_len, from Jussi Maki.
      
      2) Fix masking direction swap upon off-reg sign change, from Daniel Borkmann.
      
      3) Fix BPF offloads in verifier by reordering driver callback, from Yinjun Zhang.
      
      4) BPF selftest for ringbuf mmap ro/rw restrictions, from Andrii Nakryiko.
      
      5) Follow-up fixes to nested bprintf per-cpu buffers, from Florent Revest.
      
      6) Fix bpftool sock_release attach point help info, from Liu Jian.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5d28712
    • David S. Miller's avatar
      Merge branch 'mptcp-fixes' · 6dfa87b4
      David S. Miller authored
      Mat Martineau says:
      
      ====================
      MPTCP fixes
      
      Here are a few fixes for the -net tree.
      
      Patch 1 fixes an attempt to access a tcp-specific field that does not
      exist in mptcp sockets.
      
      Patches 2 and 3 remove warning/error log output that could be flooded.
      
      Patch 4 performs more validation on address advertisement echo packets
      to improve RFC 8684 compliance.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dfa87b4
    • Davide Caratti's avatar
      mptcp: validate 'id' when stopping the ADD_ADDR retransmit timer · d58300c3
      Davide Caratti authored
      when Linux receives an echo-ed ADD_ADDR, it checks the IP address against
      the list of "announced" addresses. In case of a positive match, the timer
      that handles retransmissions is stopped regardless of the 'Address Id' in
      the received packet: this behaviour does not comply with RFC8684 3.4.1.
      
      Fix it by validating the 'Address Id' in received echo-ed ADD_ADDRs.
      Tested using packetdrill, with the following captured output:
      
       unpatched kernel:
      
       Out <...> Flags [.], ack 1, win 256, options [mptcp add-addr v1 id 1 198.51.100.2 hmac 0xfd2e62517888fe29,mptcp dss ack 3007449509], length 0
       In  <...> Flags [.], ack 1, win 257, options [mptcp add-addr v1-echo id 1 1.2.3.4,mptcp dss ack 3013740213], length 0
       Out <...> Flags [.], ack 1, win 256, options [mptcp add-addr v1 id 1 198.51.100.2 hmac 0xfd2e62517888fe29,mptcp dss ack 3007449509], length 0
       In  <...> Flags [.], ack 1, win 257, options [mptcp add-addr v1-echo id 90 198.51.100.2,mptcp dss ack 3013740213], length 0
              ^^^ retransmission is stopped here, but 'Address Id' is 90
      
       patched kernel:
      
       Out <...> Flags [.], ack 1, win 256, options [mptcp add-addr v1 id 1 198.51.100.2 hmac 0x1cf372d59e05f4b8,mptcp dss ack 3007449509], length 0
       In  <...> Flags [.], ack 1, win 257, options [mptcp add-addr v1-echo id 1 1.2.3.4,mptcp dss ack 1672384568], length 0
       Out <...> Flags [.], ack 1, win 256, options [mptcp add-addr v1 id 1 198.51.100.2 hmac 0x1cf372d59e05f4b8,mptcp dss ack 3007449509], length 0
       In  <...> Flags [.], ack 1, win 257, options [mptcp add-addr v1-echo id 90 198.51.100.2,mptcp dss ack 1672384568], length 0
       Out <...> Flags [.], ack 1, win 256, options [mptcp add-addr v1 id 1 198.51.100.2 hmac 0x1cf372d59e05f4b8,mptcp dss ack 3007449509], length 0
       In  <...> Flags [.], ack 1, win 257, options [mptcp add-addr v1-echo id 1 198.51.100.2,mptcp dss ack 1672384568], length 0
              ^^^ retransmission is stopped here, only when both 'Address Id' and 'IP Address' match
      
      Fixes: 00cfd77b ("mptcp: retransmit ADD_ADDR when timeout")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d58300c3
    • Paolo Abeni's avatar
      mptcp: avoid error message on infinite mapping · 3ed0a585
      Paolo Abeni authored
      Another left-over. Avoid flooding dmesg with useless text,
      we already have a MIB for that event.
      
      Fixes: 648ef4b8 ("mptcp: Implement MPTCP receive path")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ed0a585
    • Paolo Abeni's avatar
      mptcp: drop unconditional pr_warn on bad opt · 3812ce89
      Paolo Abeni authored
      This is a left-over of early day. A malicious peer can flood
      the kernel logs with useless messages, just drop it.
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3812ce89
    • Paolo Abeni's avatar
      mptcp: avoid OOB access in setsockopt() · 20b5759f
      Paolo Abeni authored
      We can't use tcp_set_congestion_control() on an mptcp socket, as
      such function can end-up accessing a tcp-specific field -
      prior_ssthresh - causing an OOB access.
      
      To allow propagating the correct ca algo on subflow, cache the ca
      name at initialization time.
      
      Additionally avoid overriding the user-selected CA (if any) at
      clone time.
      
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/182
      Fixes: aa1fbd94 ("mptcp: sockopt: add TCP_CONGESTION and TCP_INFO")
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20b5759f
    • Simon Horman's avatar
      nfp: update maintainer and mailing list addresses · bab09fe2
      Simon Horman authored
      Some of Netronome's activities and people have moved over to Corigine,
      including NFP driver maintenance and myself.
      Signed-off-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarLouis Peens <louis.peens@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bab09fe2
    • Stefan Chulski's avatar
      net: mvpp2: add buffer header handling in RX · 17f9c1b6
      Stefan Chulski authored
      If Link Partner sends frames larger than RX buffer size, MAC mark it
      as oversize but still would pass it to the Packet Processor.
      In this scenario, Packet Processor scatter frame between multiple buffers,
      but only a single buffer would be returned to the Buffer Manager pool and
      it would not refill the poll.
      
      Patch add handling of oversize error with buffer header handling, so all
      buffers would be returned to the Buffer Manager pool.
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375 network unit")
      Reported-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarStefan Chulski <stefanc@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      17f9c1b6
    • Jiapeng Chong's avatar
      bnx2x: Fix missing error code in bnx2x_iov_init_one() · 65161c35
      Jiapeng Chong authored
      Eliminate the follow smatch warning:
      
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1227
      bnx2x_iov_init_one() warn: missing error code 'err'.
      Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Signed-off-by: default avatarJiapeng Chong <jiapeng.chong@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65161c35
    • Vlad Buslov's avatar
      net: zero-initialize tc skb extension on allocation · 9453d45e
      Vlad Buslov authored
      Function skb_ext_add() doesn't initialize created skb extension with any
      value and leaves it up to the user. However, since extension of type
      TC_SKB_EXT originally contained only single value tc_skb_ext->chain its
      users used to just assign the chain value without setting whole extension
      memory to zero first. This assumption changed when TC_SKB_EXT extension was
      extended with additional fields but not all users were updated to
      initialize the new fields which leads to use of uninitialized memory
      afterwards. UBSAN log:
      
      [  778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28
      [  778.301495] load of value 107 is not a valid value for type '_Bool'
      [  778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2
      [  778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [  778.307901] Call Trace:
      [  778.308680]  <IRQ>
      [  778.309358]  dump_stack+0xbb/0x107
      [  778.310307]  ubsan_epilogue+0x5/0x40
      [  778.311167]  __ubsan_handle_load_invalid_value.cold+0x43/0x48
      [  778.312454]  ? memset+0x20/0x40
      [  778.313230]  ovs_flow_key_extract.cold+0xf/0x14 [openvswitch]
      [  778.314532]  ovs_vport_receive+0x19e/0x2e0 [openvswitch]
      [  778.315749]  ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch]
      [  778.317188]  ? create_prof_cpu_mask+0x20/0x20
      [  778.318220]  ? arch_stack_walk+0x82/0xf0
      [  778.319153]  ? secondary_startup_64_no_verify+0xb0/0xbb
      [  778.320399]  ? stack_trace_save+0x91/0xc0
      [  778.321362]  ? stack_trace_consume_entry+0x160/0x160
      [  778.322517]  ? lock_release+0x52e/0x760
      [  778.323444]  netdev_frame_hook+0x323/0x610 [openvswitch]
      [  778.324668]  ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch]
      [  778.325950]  __netif_receive_skb_core+0x771/0x2db0
      [  778.327067]  ? lock_downgrade+0x6e0/0x6f0
      [  778.328021]  ? lock_acquire+0x565/0x720
      [  778.328940]  ? generic_xdp_tx+0x4f0/0x4f0
      [  778.329902]  ? inet_gro_receive+0x2a7/0x10a0
      [  778.330914]  ? lock_downgrade+0x6f0/0x6f0
      [  778.331867]  ? udp4_gro_receive+0x4c4/0x13e0
      [  778.332876]  ? lock_release+0x52e/0x760
      [  778.333808]  ? dev_gro_receive+0xcc8/0x2380
      [  778.334810]  ? lock_downgrade+0x6f0/0x6f0
      [  778.335769]  __netif_receive_skb_list_core+0x295/0x820
      [  778.336955]  ? process_backlog+0x780/0x780
      [  778.337941]  ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core]
      [  778.339613]  ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0
      [  778.341033]  ? kvm_clock_get_cycles+0x14/0x20
      [  778.342072]  netif_receive_skb_list_internal+0x5f5/0xcb0
      [  778.343288]  ? __kasan_kmalloc+0x7a/0x90
      [  778.344234]  ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core]
      [  778.345676]  ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core]
      [  778.347140]  ? __netif_receive_skb_list_core+0x820/0x820
      [  778.348351]  ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core]
      [  778.349688]  ? napi_gro_flush+0x26c/0x3c0
      [  778.350641]  napi_complete_done+0x188/0x6b0
      [  778.351627]  mlx5e_napi_poll+0x373/0x1b80 [mlx5_core]
      [  778.352853]  __napi_poll+0x9f/0x510
      [  778.353704]  ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core]
      [  778.355158]  net_rx_action+0x34c/0xa40
      [  778.356060]  ? napi_threaded_poll+0x3d0/0x3d0
      [  778.357083]  ? sched_clock_cpu+0x18/0x190
      [  778.358041]  ? __common_interrupt+0x8e/0x1a0
      [  778.359045]  __do_softirq+0x1ce/0x984
      [  778.359938]  __irq_exit_rcu+0x137/0x1d0
      [  778.360865]  irq_exit_rcu+0xa/0x20
      [  778.361708]  common_interrupt+0x80/0xa0
      [  778.362640]  </IRQ>
      [  778.363212]  asm_common_interrupt+0x1e/0x40
      [  778.364204] RIP: 0010:native_safe_halt+0xe/0x10
      [  778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00
      [  778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246
      [  778.370570] RAX: ffff88842de46a80 RBX: ffffffff84425840 RCX: ffffffff83418468
      [  778.372143] RDX: 000000000026f1da RSI: 0000000000000004 RDI: ffffffff8343af5e
      [  778.373722] RBP: fffffbfff0884b08 R08: 0000000000000000 R09: ffff88842de46bcb
      [  778.375292] R10: ffffed1085bc8d79 R11: 0000000000000001 R12: 0000000000000000
      [  778.376860] R13: ffffffff851124a0 R14: 0000000000000000 R15: dffffc0000000000
      [  778.378491]  ? rcu_eqs_enter.constprop.0+0xb8/0xe0
      [  778.379606]  ? default_idle_call+0x5e/0xe0
      [  778.380578]  default_idle+0xa/0x10
      [  778.381406]  default_idle_call+0x96/0xe0
      [  778.382350]  do_idle+0x3d4/0x550
      [  778.383153]  ? arch_cpu_idle_exit+0x40/0x40
      [  778.384143]  cpu_startup_entry+0x19/0x20
      [  778.385078]  start_kernel+0x3c7/0x3e5
      [  778.385978]  secondary_startup_64_no_verify+0xb0/0xbb
      
      Fix the issue by providing new function tc_skb_ext_alloc() that allocates
      tc skb extension and initializes its memory to 0 before returning it to the
      caller. Change all existing users to use new API instead of calling
      skb_ext_add() directly.
      
      Fixes: 038ebb1a ("net/sched: act_ct: fix miss set mru for ovs after defrag in act_ct")
      Fixes: d29334c1 ("net/sched: act_api: fix miss set post_ct for ovs after do conntrack in act_ct")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Acked-by: default avatarCong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9453d45e
    • Yang Li's avatar
      net: hns: Fix kernel-doc · c1cf1afd
      Yang Li authored
      Fix function name in hns_ethtool.c kernel-doc comment
      to remove these warnings found by clang_w1.
      
      drivers/net/ethernet/hisilicon/hns/hns_ethtool.c:202: warning: expecting
      prototype for hns_nic_set_link_settings(). Prototype was for
      hns_nic_set_link_ksettings() instead.
      drivers/net/ethernet/hisilicon/hns/hns_ethtool.c:837: warning: expecting
      prototype for get_ethtool_stats(). Prototype was for
      hns_get_ethtool_stats() instead.
      drivers/net/ethernet/hisilicon/hns/hns_ethtool.c:894: warning:
      expecting prototype for get_strings(). Prototype was for
      hns_get_strings() instead.
      Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Fixes: 'commit 262b38cd ("net: ethernet: hisilicon: hns: use phydev
      from struct net_device")'
      Signed-off-by: default avatarYang Li <yang.lee@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c1cf1afd
    • Xin Long's avatar
      sctp: fix the proc_handler for sysctl encap_port · b2540cdc
      Xin Long authored
      proc_dointvec() cannot do min and max check for setting a value
      when extra1/extra2 is set, so change it to proc_dointvec_minmax()
      for sysctl encap_port.
      
      Fixes: e8a3001c ("sctp: add encap_port for netns sock asoc and transport")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b2540cdc
    • Xin Long's avatar
      sctp: add the missing setting for asoc encap_port · 297739bd
      Xin Long authored
      This patch is to add the missing setting back for asoc encap_port.
      
      Fixes: 8dba2960 ("sctp: add SCTP_REMOTE_UDP_ENCAPS_PORT sockopt")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      297739bd
    • Kees Cook's avatar
      proc: Check /proc/$pid/attr/ writes against file opener · bfb819ea
      Kees Cook authored
      Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/
      files need to check the opener credentials, since these fds do not
      transition state across execve(). Without this, it is possible to
      trick another process (which may have different credentials) to write
      to its own /proc/$pid/attr/ files, leading to unexpected and possibly
      exploitable behaviors.
      
      [1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      bfb819ea
    • Daniel Borkmann's avatar
      bpf, selftests: Adjust few selftest result_unpriv outcomes · 1bad6fd5
      Daniel Borkmann authored
      Given we don't need to simulate the speculative domain for registers with
      immediates anymore since the verifier uses direct imm-based rewrites instead
      of having to mask, we can also lift a few cases that were previously rejected.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      1bad6fd5
    • Daniel Borkmann's avatar
      bpf: No need to simulate speculative domain for immediates · a7036191
      Daniel Borkmann authored
      In 801c6058 ("bpf: Fix leakage of uninitialized bpf stack under
      speculation") we replaced masking logic with direct loads of immediates
      if the register is a known constant. Given in this case we do not apply
      any masking, there is also no reason for the operation to be truncated
      under the speculative domain.
      
      Therefore, there is also zero reason for the verifier to branch-off and
      simulate this case, it only needs to do it for unknown but bounded scalars.
      As a side-effect, this also enables few test cases that were previously
      rejected due to simulation under zero truncation.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarPiotr Krysiuk <piotras@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a7036191
    • Daniel Borkmann's avatar
      bpf: Fix mask direction swap upon off reg sign change · bb01a1bb
      Daniel Borkmann authored
      Masking direction as indicated via mask_to_left is considered to be
      calculated once and then used to derive pointer limits. Thus, this
      needs to be placed into bpf_sanitize_info instead so we can pass it
      to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
      corner case where the off reg causes masking direction change which
      then results in an incorrect final aux->alu_limit.
      
      Fixes: 7fedb63a ("bpf: Tighten speculative pointer arithmetic mask")
      Reported-by: default avatarPiotr Krysiuk <piotras@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarPiotr Krysiuk <piotras@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      bb01a1bb