1. 01 Dec, 2019 6 commits
    • Xin Long's avatar
      net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key · 13512a5e
      Xin Long authored
      [ Upstream commit 4f0e97d0 ]
      
      info->options_len is 'u8' type, and when opts_len with a value >
      IP_TUNNEL_OPTS_MAX, 'info->options_len = opts_len' will cast int
      to u8 and set a wrong value to info->options_len.
      
      Kernel crashed in my test when doing:
      
        # opts="0102:80:00800022"
        # for i in {1..99}; do opts="$opts,0102:80:00800022"; done
        # ip link add name geneve0 type geneve dstport 0 external
        # tc qdisc add dev eth0 ingress
        # tc filter add dev eth0 protocol ip parent ffff: \
             flower indev eth0 ip_proto udp action tunnel_key \
             set src_ip 10.0.99.192 dst_ip 10.0.99.193 \
             dst_port 6081 id 11 geneve_opts $opts \
             action mirred egress redirect dev geneve0
      
      So we should do the similar check as cls_flower does, return error
      when opts_len > IP_TUNNEL_OPTS_MAX in tunnel_key_copy_opts().
      
      Fixes: 0ed5269f ("net/sched: add tunnel option support to act_tunnel_key")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      13512a5e
    • Davide Caratti's avatar
      net/sched: act_pedit: fix WARN() in the traffic path · 2ba6a4f5
      Davide Caratti authored
      [ Upstream commit f67169fe ]
      
      when configuring act_pedit rules, the number of keys is validated only on
      addition of a new entry. This is not sufficient to avoid hitting a WARN()
      in the traffic path: for example, it is possible to replace a valid entry
      with a new one having 0 extended keys, thus causing splats in dmesg like:
      
       pedit BUG: index 42
       WARNING: CPU: 2 PID: 4054 at net/sched/act_pedit.c:410 tcf_pedit_act+0xc84/0x1200 [act_pedit]
       [...]
       RIP: 0010:tcf_pedit_act+0xc84/0x1200 [act_pedit]
       Code: 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ac 00 00 00 48 8b 44 24 10 48 c7 c7 a0 c4 e4 c0 8b 70 18 e8 1c 30 95 ea <0f> 0b e9 a0 fa ff ff e8 00 03 f5 ea e9 14 f4 ff ff 48 89 58 40 e9
       RSP: 0018:ffff888077c9f320 EFLAGS: 00010286
       RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffac2983a2
       RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888053927bec
       RBP: dffffc0000000000 R08: ffffed100a726209 R09: ffffed100a726209
       R10: 0000000000000001 R11: ffffed100a726208 R12: ffff88804beea780
       R13: ffff888079a77400 R14: ffff88804beea780 R15: ffff888027ab2000
       FS:  00007fdeec9bd740(0000) GS:ffff888053900000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007ffdb3dfd000 CR3: 000000004adb4006 CR4: 00000000001606e0
       Call Trace:
        tcf_action_exec+0x105/0x3f0
        tcf_classify+0xf2/0x410
        __dev_queue_xmit+0xcbf/0x2ae0
        ip_finish_output2+0x711/0x1fb0
        ip_output+0x1bf/0x4b0
        ip_send_skb+0x37/0xa0
        raw_sendmsg+0x180c/0x2430
        sock_sendmsg+0xdb/0x110
        __sys_sendto+0x257/0x2b0
        __x64_sys_sendto+0xdd/0x1b0
        do_syscall_64+0xa5/0x4e0
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
       RIP: 0033:0x7fdeeb72e993
       Code: 48 8b 0d e0 74 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 0d d6 2c 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 4b cc 00 00 48 89 04 24
       RSP: 002b:00007ffdb3de8a18 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
       RAX: ffffffffffffffda RBX: 000055c81972b700 RCX: 00007fdeeb72e993
       RDX: 0000000000000040 RSI: 000055c81972b700 RDI: 0000000000000003
       RBP: 00007ffdb3dea130 R08: 000055c819728510 R09: 0000000000000010
       R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
       R13: 000055c81972b6c0 R14: 000055c81972969c R15: 0000000000000080
      
      Fix this moving the check on 'nkeys' earlier in tcf_pedit_init(), so that
      attempts to install rules having 0 keys are always rejected with -EINVAL.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ba6a4f5
    • Dan Carpenter's avatar
      net: rtnetlink: prevent underflows in do_setvfinfo() · 9f6de5cf
      Dan Carpenter authored
      [ Upstream commit d658c8f56ec7b3de8051a24afb25da9ba3c388c5 ]
      
      The "ivm->vf" variable is a u32, but the problem is that a number of
      drivers cast it to an int and then forget to check for negatives.  An
      example of this is in the cxgb4 driver.
      
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
        2890  static int cxgb4_mgmt_get_vf_config(struct net_device *dev,
        2891                                      int vf, struct ifla_vf_info *ivi)
                                                  ^^^^^^
        2892  {
        2893          struct port_info *pi = netdev_priv(dev);
        2894          struct adapter *adap = pi->adapter;
        2895          struct vf_info *vfinfo;
        2896
        2897          if (vf >= adap->num_vfs)
                          ^^^^^^^^^^^^^^^^^^^
        2898                  return -EINVAL;
        2899          vfinfo = &adap->vfinfo[vf];
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^
      
      There are 48 functions affected.
      
      drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646'
      drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646'
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f6de5cf
    • Tariq Toukan's avatar
      net/mlx4_en: Fix wrong limitation for number of TX rings · ebcb0840
      Tariq Toukan authored
      [ Upstream commit 2744bf42 ]
      
      XDP_TX rings should not be limited by max_num_tx_rings_p_up.
      To make sure total number of TX rings never exceed MAX_TX_RINGS,
      add similar check in mlx4_en_alloc_tx_queue_per_tc(), where
      a new value is assigned for num_up.
      
      Fixes: 7e1dc5e9 ("net/mlx4_en: Limit the number of TX rings")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ebcb0840
    • Luigi Rizzo's avatar
      net/mlx4_en: fix mlx4 ethtool -N insertion · 5408138d
      Luigi Rizzo authored
      [ Upstream commit 34e59836 ]
      
      ethtool expects ETHTOOL_GRXCLSRLALL to set ethtool_rxnfc->data with the
      total number of entries in the rx classifier table.  Surprisingly, mlx4
      is missing this part (in principle ethtool could still move forward and
      try the insert).
      
      Tested: compiled and run command:
      	phh13:~# ethtool -N eth1 flow-type udp4  queue 4
      	Added rule with ID 255
      Signed-off-by: default avatarLuigi Rizzo <lrizzo@google.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5408138d
    • Petr Machata's avatar
      mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel · baa888ca
      Petr Machata authored
      [ Upstream commit 1fc16577 ]
      
      The helper mlxsw_sp_ipip_dev_ul_tb_id() determines the underlay VRF of a
      GRE tunnel. For a tunnel without a bound device, it uses the same VRF that
      the tunnel is in. However in Linux, a GRE tunnel without a bound device
      uses the main VRF as the underlay. Fix the function accordingly.
      
      mlxsw further assumed that moving a tunnel to a different VRF could cause
      conflict in local tunnel endpoint address, which cannot be offloaded.
      However, the only way that an underlay could be changed by moving the
      tunnel device itself is if the tunnel device does not have a bound device.
      But in that case the underlay is always the main VRF, so there is no
      opportunity to introduce a conflict by moving such device. Thus this check
      constitutes a dead code, and can be removed, which do.
      
      Fixes: 6ddb7426 ("mlxsw: spectrum_router: Introduce loopback RIFs")
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      baa888ca
  2. 24 Nov, 2019 34 commits