1. 13 Oct, 2019 2 commits
    • Eric Dumazet's avatar
      tcp: annotate tp->rcv_nxt lockless reads · dba7d9b8
      Eric Dumazet authored
      There are few places where we fetch tp->rcv_nxt while
      this field can change from IRQ or other cpu.
      
      We need to add READ_ONCE() annotations, and also make
      sure write sides use corresponding WRITE_ONCE() to avoid
      store-tearing.
      
      Note that tcp_inq_hint() was already using READ_ONCE(tp->rcv_nxt)
      
      syzbot reported :
      
      BUG: KCSAN: data-race in tcp_poll / tcp_queue_rcv
      
      write to 0xffff888120425770 of 4 bytes by interrupt on cpu 0:
       tcp_rcv_nxt_update net/ipv4/tcp_input.c:3365 [inline]
       tcp_queue_rcv+0x180/0x380 net/ipv4/tcp_input.c:4638
       tcp_rcv_established+0xbf1/0xf50 net/ipv4/tcp_input.c:5616
       tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1542
       tcp_v4_rcv+0x1a03/0x1bf0 net/ipv4/tcp_ipv4.c:1923
       ip_protocol_deliver_rcu+0x51/0x470 net/ipv4/ip_input.c:204
       ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:442 [inline]
       ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
       __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5004
       __netif_receive_skb+0x37/0xf0 net/core/dev.c:5118
       netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5208
       napi_skb_finish net/core/dev.c:5671 [inline]
       napi_gro_receive+0x28f/0x330 net/core/dev.c:5704
       receive_buf+0x284/0x30b0 drivers/net/virtio_net.c:1061
      
      read to 0xffff888120425770 of 4 bytes by task 7254 on cpu 1:
       tcp_stream_is_readable net/ipv4/tcp.c:480 [inline]
       tcp_poll+0x204/0x6b0 net/ipv4/tcp.c:554
       sock_poll+0xed/0x250 net/socket.c:1256
       vfs_poll include/linux/poll.h:90 [inline]
       ep_item_poll.isra.0+0x90/0x190 fs/eventpoll.c:892
       ep_send_events_proc+0x113/0x5c0 fs/eventpoll.c:1749
       ep_scan_ready_list.constprop.0+0x189/0x500 fs/eventpoll.c:704
       ep_send_events fs/eventpoll.c:1793 [inline]
       ep_poll+0xe3/0x900 fs/eventpoll.c:1930
       do_epoll_wait+0x162/0x180 fs/eventpoll.c:2294
       __do_sys_epoll_pwait fs/eventpoll.c:2325 [inline]
       __se_sys_epoll_pwait fs/eventpoll.c:2311 [inline]
       __x64_sys_epoll_pwait+0xcd/0x170 fs/eventpoll.c:2311
       do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 7254 Comm: syz-fuzzer Not tainted 5.3.0+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dba7d9b8
    • Eric Dumazet's avatar
      tcp: add rcu protection around tp->fastopen_rsk · d983ea6f
      Eric Dumazet authored
      Both tcp_v4_err() and tcp_v6_err() do the following operations
      while they do not own the socket lock :
      
      	fastopen = tp->fastopen_rsk;
       	snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una;
      
      The problem is that without appropriate barrier, the compiler
      might reload tp->fastopen_rsk and trigger a NULL deref.
      
      request sockets are protected by RCU, we can simply add
      the missing annotations and barriers to solve the issue.
      
      Fixes: 168a8f58 ("tcp: TCP Fast Open Server - main code path")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d983ea6f
  2. 12 Oct, 2019 2 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8caf8a91
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2019-10-12
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) a bunch of small fixes. Nothing critical.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8caf8a91
    • David Howells's avatar
      rxrpc: Fix possible NULL pointer access in ICMP handling · f0308fb0
      David Howells authored
      If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as
      the UDP socket is being shut down, rxrpc_error_report() may get called to
      deal with it after sk_user_data on the UDP socket has been cleared, leading
      to a NULL pointer access when this local endpoint record gets accessed.
      
      Fix this by just returning immediately if sk_user_data was NULL.
      
      The oops looks like the following:
      
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      ...
      RIP: 0010:rxrpc_error_report+0x1bd/0x6a9
      ...
      Call Trace:
       ? sock_queue_err_skb+0xbd/0xde
       ? __udp4_lib_err+0x313/0x34d
       __udp4_lib_err+0x313/0x34d
       icmp_unreach+0x1ee/0x207
       icmp_rcv+0x25b/0x28f
       ip_protocol_deliver_rcu+0x95/0x10e
       ip_local_deliver+0xe9/0x148
       __netif_receive_skb_one_core+0x52/0x6e
       process_backlog+0xdc/0x177
       net_rx_action+0xf9/0x270
       __do_softirq+0x1b6/0x39a
       ? smpboot_register_percpu_thread+0xce/0xce
       run_ksoftirqd+0x1d/0x42
       smpboot_thread_fn+0x19e/0x1b3
       kthread+0xf1/0xf6
       ? kthread_delayed_work_timer_fn+0x83/0x83
       ret_from_fork+0x24/0x30
      
      Fixes: 17926a79 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
      Reported-by: syzbot+611164843bd48cc2190c@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0308fb0
  3. 11 Oct, 2019 4 commits
  4. 10 Oct, 2019 18 commits
    • Jacob Keller's avatar
      net: update net_dim documentation after rename · 2168da45
      Jacob Keller authored
      Commit 8960b389 ("linux/dim: Rename externally used net_dim
      members") renamed the net_dim API, removing the "net_" prefix from the
      structures and functions. The patch didn't update the net_dim.txt
      documentation file.
      
      Fix the documentation so that its examples match the current code.
      
      Fixes: 8960b389 ("linux/dim: Rename externally used net_dim members", 2019-06-25)
      Fixes: c002bd52 ("linux/dim: Rename externally exposed macros", 2019-06-25)
      Fixes: 4f75da36 ("linux/dim: Move implementation to .c files")
      Cc: Tal Gilboa <talgi@mellanox.com>
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      2168da45
    • Heiner Kallweit's avatar
      r8169: fix jumbo packet handling on resume from suspend · 4ebcb113
      Heiner Kallweit authored
      Mariusz reported that invalid packets are sent after resume from
      suspend if jumbo packets are active. It turned out that his BIOS
      resets chip settings to non-jumbo on resume. Most chip settings are
      re-initialized on resume from suspend by calling rtl_hw_start(),
      so let's add configuring jumbo to this function.
      There's nothing wrong with the commit marked as fixed, it's just
      the first one where the patch applies cleanly.
      
      Fixes: 7366016d ("r8169: read common register for PCI commit")
      Reported-by: default avatarMariusz Bialonczyk <manio@skyboo.net>
      Tested-by: default avatarMariusz Bialonczyk <manio@skyboo.net>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      4ebcb113
    • Eric Dumazet's avatar
      net: silence KCSAN warnings about sk->sk_backlog.len reads · 70c26558
      Eric Dumazet authored
      sk->sk_backlog.len can be written by BH handlers, and read
      from process contexts in a lockless way.
      
      Note the write side should also use WRITE_ONCE() or a variant.
      We need some agreement about the best way to do this.
      
      syzbot reported :
      
      BUG: KCSAN: data-race in tcp_add_backlog / tcp_grow_window.isra.0
      
      write to 0xffff88812665f32c of 4 bytes by interrupt on cpu 1:
       sk_add_backlog include/net/sock.h:934 [inline]
       tcp_add_backlog+0x4a0/0xcc0 net/ipv4/tcp_ipv4.c:1737
       tcp_v4_rcv+0x1aba/0x1bf0 net/ipv4/tcp_ipv4.c:1925
       ip_protocol_deliver_rcu+0x51/0x470 net/ipv4/ip_input.c:204
       ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:442 [inline]
       ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
       __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5004
       __netif_receive_skb+0x37/0xf0 net/core/dev.c:5118
       netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5208
       napi_skb_finish net/core/dev.c:5671 [inline]
       napi_gro_receive+0x28f/0x330 net/core/dev.c:5704
       receive_buf+0x284/0x30b0 drivers/net/virtio_net.c:1061
       virtnet_receive drivers/net/virtio_net.c:1323 [inline]
       virtnet_poll+0x436/0x7d0 drivers/net/virtio_net.c:1428
       napi_poll net/core/dev.c:6352 [inline]
       net_rx_action+0x3ae/0xa50 net/core/dev.c:6418
      
      read to 0xffff88812665f32c of 4 bytes by task 7292 on cpu 0:
       tcp_space include/net/tcp.h:1373 [inline]
       tcp_grow_window.isra.0+0x6b/0x480 net/ipv4/tcp_input.c:413
       tcp_event_data_recv+0x68f/0x990 net/ipv4/tcp_input.c:717
       tcp_rcv_established+0xbfe/0xf50 net/ipv4/tcp_input.c:5618
       tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1542
       sk_backlog_rcv include/net/sock.h:945 [inline]
       __release_sock+0x135/0x1e0 net/core/sock.c:2427
       release_sock+0x61/0x160 net/core/sock.c:2943
       tcp_recvmsg+0x63b/0x1a30 net/ipv4/tcp.c:2181
       inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
       sock_recvmsg_nosec net/socket.c:871 [inline]
       sock_recvmsg net/socket.c:889 [inline]
       sock_recvmsg+0x92/0xb0 net/socket.c:885
       sock_read_iter+0x15f/0x1e0 net/socket.c:967
       call_read_iter include/linux/fs.h:1864 [inline]
       new_sync_read+0x389/0x4f0 fs/read_write.c:414
       __vfs_read+0xb1/0xc0 fs/read_write.c:427
       vfs_read fs/read_write.c:461 [inline]
       vfs_read+0x143/0x2c0 fs/read_write.c:446
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 7292 Comm: syz-fuzzer Not tainted 5.3.0+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      70c26558
    • Eric Dumazet's avatar
      net: annotate sk->sk_rcvlowat lockless reads · eac66402
      Eric Dumazet authored
      sock_rcvlowat() or int_sk_rcvlowat() might be called without the socket
      lock for example from tcp_poll().
      
      Use READ_ONCE() to document the fact that other cpus might change
      sk->sk_rcvlowat under us and avoid KCSAN splats.
      
      Use WRITE_ONCE() on write sides too.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      eac66402
    • Eric Dumazet's avatar
      net: silence KCSAN warnings around sk_add_backlog() calls · 8265792b
      Eric Dumazet authored
      sk_add_backlog() callers usually read sk->sk_rcvbuf without
      owning the socket lock. This means sk_rcvbuf value can
      be changed by other cpus, and KCSAN complains.
      
      Add READ_ONCE() annotations to document the lockless nature
      of these reads.
      
      Note that writes over sk_rcvbuf should also use WRITE_ONCE(),
      but this will be done in separate patches to ease stable
      backports (if we decide this is relevant for stable trees).
      
      BUG: KCSAN: data-race in tcp_add_backlog / tcp_recvmsg
      
      write to 0xffff88812ab369f8 of 8 bytes by interrupt on cpu 1:
       __sk_add_backlog include/net/sock.h:902 [inline]
       sk_add_backlog include/net/sock.h:933 [inline]
       tcp_add_backlog+0x45a/0xcc0 net/ipv4/tcp_ipv4.c:1737
       tcp_v4_rcv+0x1aba/0x1bf0 net/ipv4/tcp_ipv4.c:1925
       ip_protocol_deliver_rcu+0x51/0x470 net/ipv4/ip_input.c:204
       ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:442 [inline]
       ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
       NF_HOOK include/linux/netfilter.h:305 [inline]
       NF_HOOK include/linux/netfilter.h:299 [inline]
       ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
       __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5004
       __netif_receive_skb+0x37/0xf0 net/core/dev.c:5118
       netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5208
       napi_skb_finish net/core/dev.c:5671 [inline]
       napi_gro_receive+0x28f/0x330 net/core/dev.c:5704
       receive_buf+0x284/0x30b0 drivers/net/virtio_net.c:1061
       virtnet_receive drivers/net/virtio_net.c:1323 [inline]
       virtnet_poll+0x436/0x7d0 drivers/net/virtio_net.c:1428
       napi_poll net/core/dev.c:6352 [inline]
       net_rx_action+0x3ae/0xa50 net/core/dev.c:6418
      
      read to 0xffff88812ab369f8 of 8 bytes by task 7271 on cpu 0:
       tcp_recvmsg+0x470/0x1a30 net/ipv4/tcp.c:2047
       inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
       sock_recvmsg_nosec net/socket.c:871 [inline]
       sock_recvmsg net/socket.c:889 [inline]
       sock_recvmsg+0x92/0xb0 net/socket.c:885
       sock_read_iter+0x15f/0x1e0 net/socket.c:967
       call_read_iter include/linux/fs.h:1864 [inline]
       new_sync_read+0x389/0x4f0 fs/read_write.c:414
       __vfs_read+0xb1/0xc0 fs/read_write.c:427
       vfs_read fs/read_write.c:461 [inline]
       vfs_read+0x143/0x2c0 fs/read_write.c:446
       ksys_read+0xd5/0x1b0 fs/read_write.c:587
       __do_sys_read fs/read_write.c:597 [inline]
       __se_sys_read fs/read_write.c:595 [inline]
       __x64_sys_read+0x4c/0x60 fs/read_write.c:595
       do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 7271 Comm: syz-fuzzer Not tainted 5.3.0+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      8265792b
    • Eric Dumazet's avatar
      tcp: annotate lockless access to tcp_memory_pressure · 1f142c17
      Eric Dumazet authored
      tcp_memory_pressure is read without holding any lock,
      and its value could be changed on other cpus.
      
      Use READ_ONCE() to annotate these lockless reads.
      
      The write side is already using atomic ops.
      
      Fixes: b8da51eb ("tcp: introduce tcp_under_memory_pressure()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      1f142c17
    • Eric Dumazet's avatar
      net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head · 60b173ca
      Eric Dumazet authored
      reqsk_queue_empty() is called from inet_csk_listen_poll() while
      other cpus might write ->rskq_accept_head value.
      
      Use {READ|WRITE}_ONCE() to avoid compiler tricks
      and potential KCSAN splats.
      
      Fixes: fff1f300 ("tcp: add a spinlock to protect struct request_sock_queue")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      60b173ca
    • Eric Dumazet's avatar
      net: avoid possible false sharing in sk_leave_memory_pressure() · 503978ac
      Eric Dumazet authored
      As mentioned in https://github.com/google/ktsan/wiki/READ_ONCE-and-WRITE_ONCE#it-may-improve-performance
      a C compiler can legally transform :
      
      if (memory_pressure && *memory_pressure)
              *memory_pressure = 0;
      
      to :
      
      if (memory_pressure)
              *memory_pressure = 0;
      
      Fixes: 06044751 ("tcp: add TCPMemoryPressuresChrono counter")
      Fixes: 180d8cd9 ("foundations of per-cgroup memory pressure controlling.")
      Fixes: 3ab224be ("[NET] CORE: Introducing new memory accounting interface.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      503978ac
    • Eric Dumazet's avatar
      tun: remove possible false sharing in tun_flow_update() · 4ffdd22e
      Eric Dumazet authored
      As mentioned in https://github.com/google/ktsan/wiki/READ_ONCE-and-WRITE_ONCE#it-may-improve-performance
      a C compiler can legally transform
      
      if (e->queue_index != queue_index)
      	e->queue_index = queue_index;
      
      to :
      
      	e->queue_index = queue_index;
      
      Note that the code using jiffies has no issue, since jiffies
      has volatile attribute.
      
      if (e->updated != jiffies)
          e->updated = jiffies;
      
      Fixes: 83b1bc12 ("tun: align write-heavy flow entry members to a cache line")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Zhang Yu <zhangyu31@baidu.com>
      Cc: Wang Li <wangli39@baidu.com>
      Cc: Li RongQing <lirongqing@baidu.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      4ffdd22e
    • Eric Dumazet's avatar
      netfilter: conntrack: avoid possible false sharing · e37542ba
      Eric Dumazet authored
      As hinted by KCSAN, we need at least one READ_ONCE()
      to prevent a compiler optimization.
      
      More details on :
      https://github.com/google/ktsan/wiki/READ_ONCE-and-WRITE_ONCE#it-may-improve-performance
      
      sysbot report :
      BUG: KCSAN: data-race in __nf_ct_refresh_acct / __nf_ct_refresh_acct
      
      read to 0xffff888123eb4f08 of 4 bytes by interrupt on cpu 0:
       __nf_ct_refresh_acct+0xd4/0x1b0 net/netfilter/nf_conntrack_core.c:1796
       nf_ct_refresh_acct include/net/netfilter/nf_conntrack.h:201 [inline]
       nf_conntrack_tcp_packet+0xd40/0x3390 net/netfilter/nf_conntrack_proto_tcp.c:1161
       nf_conntrack_handle_packet net/netfilter/nf_conntrack_core.c:1633 [inline]
       nf_conntrack_in+0x410/0xaa0 net/netfilter/nf_conntrack_core.c:1727
       ipv4_conntrack_in+0x27/0x40 net/netfilter/nf_conntrack_proto.c:178
       nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
       nf_hook_slow+0x83/0x160 net/netfilter/core.c:512
       nf_hook include/linux/netfilter.h:260 [inline]
       NF_HOOK include/linux/netfilter.h:303 [inline]
       ip_rcv+0x12f/0x1a0 net/ipv4/ip_input.c:523
       __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5004
       __netif_receive_skb+0x37/0xf0 net/core/dev.c:5118
       netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5208
       napi_skb_finish net/core/dev.c:5671 [inline]
       napi_gro_receive+0x28f/0x330 net/core/dev.c:5704
       receive_buf+0x284/0x30b0 drivers/net/virtio_net.c:1061
       virtnet_receive drivers/net/virtio_net.c:1323 [inline]
       virtnet_poll+0x436/0x7d0 drivers/net/virtio_net.c:1428
       napi_poll net/core/dev.c:6352 [inline]
       net_rx_action+0x3ae/0xa50 net/core/dev.c:6418
       __do_softirq+0x115/0x33f kernel/softirq.c:292
      
      write to 0xffff888123eb4f08 of 4 bytes by task 7191 on cpu 1:
       __nf_ct_refresh_acct+0xfb/0x1b0 net/netfilter/nf_conntrack_core.c:1797
       nf_ct_refresh_acct include/net/netfilter/nf_conntrack.h:201 [inline]
       nf_conntrack_tcp_packet+0xd40/0x3390 net/netfilter/nf_conntrack_proto_tcp.c:1161
       nf_conntrack_handle_packet net/netfilter/nf_conntrack_core.c:1633 [inline]
       nf_conntrack_in+0x410/0xaa0 net/netfilter/nf_conntrack_core.c:1727
       ipv4_conntrack_local+0xbe/0x130 net/netfilter/nf_conntrack_proto.c:200
       nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
       nf_hook_slow+0x83/0x160 net/netfilter/core.c:512
       nf_hook include/linux/netfilter.h:260 [inline]
       __ip_local_out+0x1f7/0x2b0 net/ipv4/ip_output.c:114
       ip_local_out+0x31/0x90 net/ipv4/ip_output.c:123
       __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
       ip_queue_xmit+0x45/0x60 include/net/ip.h:236
       __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158
       __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685
       tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691
       tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 7191 Comm: syz-fuzzer Not tainted 5.3.0+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: cc169213 ("netfilter: conntrack: avoid same-timeout update")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Jozsef Kadlecsik <kadlec@netfilter.org>
      Cc: Florian Westphal <fw@strlen.de>
      Acked-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      e37542ba
    • Nicolas Dichtel's avatar
      netns: fix NLM_F_ECHO mechanism for RTM_NEWNSID · 993e4c92
      Nicolas Dichtel authored
      The flag NLM_F_ECHO aims to reply to the user the message notified to all
      listeners.
      It was not the case with the command RTM_NEWNSID, let's fix this.
      
      Fixes: 0c7aecd4 ("netns: add rtnl cmd to add and get peer netns ids")
      Reported-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarGuillaume Nault <gnault@redhat.com>
      Tested-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      993e4c92
    • Daniele Palmas's avatar
      net: usb: qmi_wwan: add Telit 0x1050 composition · e0ae2c57
      Daniele Palmas authored
      This patch adds support for Telit FN980 0x1050 composition
      
      0x1050: tty, adb, rmnet, tty, tty, tty, tty
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      e0ae2c57
    • YueHaibing's avatar
      act_mirred: Fix mirred_init_module error handling · 11c9a7d3
      YueHaibing authored
      If tcf_register_action failed, mirred_device_notifier
      should be unregistered.
      
      Fixes: 3b87956e ("net sched: fix race in mirred device removal")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      11c9a7d3
    • Vinicius Costa Gomes's avatar
      net: taprio: Fix returning EINVAL when configuring without flags · a954380a
      Vinicius Costa Gomes authored
      When configuring a taprio instance if "flags" is not specified (or
      it's zero), taprio currently replies with an "Invalid argument" error.
      
      So, set the return value to zero after we are done with all the
      checks.
      
      Fixes: 9c66d156 ("taprio: Add support for hardware offloading")
      Signed-off-by: default avatarVinicius Costa Gomes <vinicius.gomes@intel.com>
      Acked-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      a954380a
    • Jakub Kicinski's avatar
      Merge branch 's390-qeth-fixes' · 8cd6f4fe
      Jakub Kicinski authored
      Julian Wiedmann says:
      
      ====================
      s390/qeth: fixes 2019-10-08
      
      Alexandra fixes two issues in the initialization code for vnicc cmds.
      One is an uninitialized variable when a cmd fails, the other that we
      wouldn't recover correctly if the device's supported features changed.
      ====================
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      8cd6f4fe
    • Alexandra Winter's avatar
      s390/qeth: Fix initialization of vnicc cmd masks during set online · be40a86c
      Alexandra Winter authored
      Without this patch, a command bit in the supported commands mask is only
      ever set to unsupported during set online. If a command is ever marked as
      unsupported (e.g. because of error during qeth_l2_vnicc_query_cmds),
      subsequent successful initialization (offline/online) would not bring it
      back.
      
      Fixes: caa1f0b1 ("s390/qeth: add VNICC enable/disable support")
      Signed-off-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      be40a86c
    • Alexandra Winter's avatar
      s390/qeth: Fix error handling during VNICC initialization · b528965b
      Alexandra Winter authored
      Smatch discovered the use of uninitialized variable sup_cmds
      in error paths.
      
      Fixes: caa1f0b1 ("s390/qeth: add VNICC enable/disable support")
      Signed-off-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      b528965b
    • Randy Dunlap's avatar
      phylink: fix kernel-doc warnings · 9db74e51
      Randy Dunlap authored
      Fix kernel-doc warnings in phylink.c:
      
      ../drivers/net/phy/phylink.c:595: warning: Function parameter or member 'config' not described in 'phylink_create'
      ../drivers/net/phy/phylink.c:595: warning: Excess function parameter 'ndev' description in 'phylink_create'
      
      Fixes: 8796c892 ("phylink: add documentation for kernel APIs")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      9db74e51
  5. 09 Oct, 2019 7 commits
    • Xin Long's avatar
      sctp: add chunks to sk_backlog when the newsk sk_socket is not set · 819be810
      Xin Long authored
      This patch is to fix a NULL-ptr deref in selinux_socket_connect_helper:
      
        [...] kasan: GPF could be caused by NULL-ptr deref or user memory access
        [...] RIP: 0010:selinux_socket_connect_helper+0x94/0x460
        [...] Call Trace:
        [...]  selinux_sctp_bind_connect+0x16a/0x1d0
        [...]  security_sctp_bind_connect+0x58/0x90
        [...]  sctp_process_asconf+0xa52/0xfd0 [sctp]
        [...]  sctp_sf_do_asconf+0x785/0x980 [sctp]
        [...]  sctp_do_sm+0x175/0x5a0 [sctp]
        [...]  sctp_assoc_bh_rcv+0x285/0x5b0 [sctp]
        [...]  sctp_backlog_rcv+0x482/0x910 [sctp]
        [...]  __release_sock+0x11e/0x310
        [...]  release_sock+0x4f/0x180
        [...]  sctp_accept+0x3f9/0x5a0 [sctp]
        [...]  inet_accept+0xe7/0x720
      
      It was caused by that the 'newsk' sk_socket was not set before going to
      security sctp hook when processing asconf chunk with SCTP_PARAM_ADD_IP
      or SCTP_PARAM_SET_PRIMARY:
      
        inet_accept()->
          sctp_accept():
            lock_sock():
                lock listening 'sk'
                                                do_softirq():
                                                  sctp_rcv():  <-- [1]
                                                      asconf chunk arrives and
                                                      enqueued in 'sk' backlog
            sctp_sock_migrate():
                set asoc's sk to 'newsk'
            release_sock():
                sctp_backlog_rcv():
                  lock 'newsk'
                  sctp_process_asconf()  <-- [2]
                  unlock 'newsk'
          sock_graft():
              set sk_socket  <-- [3]
      
      As it shows, at [1] the asconf chunk would be put into the listening 'sk'
      backlog, as accept() was holding its sock lock. Then at [2] asconf would
      get processed with 'newsk' as asoc's sk had been set to 'newsk'. However,
      'newsk' sk_socket is not set until [3], while selinux_sctp_bind_connect()
      would deref it, then kernel crashed.
      
      Here to fix it by adding the chunk to sk_backlog until newsk sk_socket is
      set when .accept() is done.
      
      Note that sk->sk_socket can be NULL when the sock is closed, so SOCK_DEAD
      flag is also needed to check in sctp_newsk_ready().
      
      Thanks to Ondrej for reviewing the code.
      
      Fixes: d452930f ("selinux: Add SCTP support")
      Reported-by: default avatarYing Xu <yinxu@redhat.com>
      Suggested-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      819be810
    • Eric Dumazet's avatar
      bonding: fix potential NULL deref in bond_update_slave_arr · a7137534
      Eric Dumazet authored
      syzbot got a NULL dereference in bond_update_slave_arr() [1],
      happening after a failure to allocate bond->slave_arr
      
      A workqueue (bond_slave_arr_handler) is supposed to retry
      the allocation later, but if the slave is removed before
      the workqueue had a chance to complete, bond->slave_arr
      can still be NULL.
      
      [1]
      
      Failed to build slave-array.
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      Modules linked in:
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039
      RSP: 0018:ffff88018fe33678 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000
      RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20
      RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0
      FS:  00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       [<ffffffff82b5b45e>] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923
       [<ffffffff82b5b966>] bond_release drivers/net/bonding/bond_main.c:2039 [inline]
       [<ffffffff82b5b966>] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562
       [<ffffffff83ae25f4>] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328
       [<ffffffff83ae2e58>] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495
       [<ffffffff83995ffd>] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088
       [<ffffffff83996a80>] sock_ioctl+0x300/0x5d0 net/socket.c:1196
       [<ffffffff81b124db>] vfs_ioctl fs/ioctl.c:47 [inline]
       [<ffffffff81b124db>] file_ioctl fs/ioctl.c:501 [inline]
       [<ffffffff81b124db>] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688
       [<ffffffff81b12dc6>] SYSC_ioctl fs/ioctl.c:705 [inline]
       [<ffffffff81b12dc6>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696
       [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
       [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Fixes: ee637714 ("bonding: Simplify the xmit function for modes that use xmit_hash")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      a7137534
    • Antonio Borneo's avatar
      net: stmmac: fix disabling flexible PPS output · 520cf600
      Antonio Borneo authored
      Accordingly to Synopsys documentation [1] and [2], when bit PPSEN0
      in register MAC_PPS_CONTROL is set it selects the functionality
      command in the same register, otherwise selects the functionality
      control.
      Command functionality is required to either enable (command 0x2)
      and disable (command 0x5) the flexible PPS output, but the bit
      PPSEN0 is currently set only for enabling.
      
      Set the bit PPSEN0 to properly disable flexible PPS output.
      
      Tested on STM32MP15x, based on dwmac 4.10a.
      
      [1] DWC Ethernet QoS Databook 4.10a October 2014
      [2] DWC Ethernet QoS Databook 5.00a September 2017
      Signed-off-by: default avatarAntonio Borneo <antonio.borneo@st.com>
      Fixes: 9a8a02c9 ("net: stmmac: Add Flexible PPS support")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      520cf600
    • Antonio Borneo's avatar
      net: stmmac: fix length of PTP clock's name string · 5da202c8
      Antonio Borneo authored
      The field "name" in struct ptp_clock_info has a fixed size of 16
      chars and is used as zero terminated string by clock_name_show()
      in drivers/ptp/ptp_sysfs.c
      The current initialization value requires 17 chars to fit also the
      null termination, and this causes overflow to the next bytes in
      the struct when the string is read as null terminated:
      	hexdump -C /sys/class/ptp/ptp0/clock_name
      	00000000  73 74 6d 6d 61 63 5f 70  74 70 5f 63 6c 6f 63 6b  |stmmac_ptp_clock|
      	00000010  a0 ac b9 03 0a                                    |.....|
      where the extra 4 bytes (excluding the newline) after the string
      represent the integer 0x03b9aca0 = 62500000 assigned to the field
      "max_adj" that follows "name" in the same struct.
      
      There is no strict requirement for the "name" content and in the
      comment in ptp_clock_kernel.h it's reported it should just be 'A
      short "friendly name" to identify the clock'.
      Replace it with "stmmac ptp".
      Signed-off-by: default avatarAntonio Borneo <antonio.borneo@st.com>
      Fixes: 92ba6888 ("stmmac: add the support for PTP hw clock driver")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      5da202c8
    • Haishuang Yan's avatar
      ip6erspan: remove the incorrect mtu limit for ip6erspan · 4123f637
      Haishuang Yan authored
      ip6erspan driver calls ether_setup(), after commit 61e84623
      ("net: centralize net_device min/max MTU checking"), the range
      of mtu is [min_mtu, max_mtu], which is [68, 1500] by default.
      
      It causes the dev mtu of the erspan device to not be greater
      than 1500, this limit value is not correct for ip6erspan tap
      device.
      
      Fixes: 61e84623 ("net: centralize net_device min/max MTU checking")
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Acked-by: default avatarWilliam Tu <u9012063@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      4123f637
    • Jakub Kicinski's avatar
      Merge tag 'mac80211-for-davem-2019-10-08' of... · a17fd2cf
      Jakub Kicinski authored
      Merge tag 'mac80211-for-davem-2019-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A number of fixes:
       * allow scanning when operating on radar channels in
         ETSI regdomains
       * accept deauth frames in IBSS - we have code to parse
         and handle them, but were dropping them early
       * fix an allocation failure path in hwsim
       * fix a failure path memory leak in nl80211 FTM code
       * fix RCU handling & locking in multi-BSSID parsing
       * reject malformed SSID in mac80211 (this shouldn't
         really be able to happen, but defense in depth)
       * avoid userspace buffer overrun in ancient wext code
         if SSID was too long
      ====================
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      a17fd2cf
    • Randy Dunlap's avatar
      Doc: networking/device_drivers/pensando: fix ionic.rst warnings · b82316d2
      Randy Dunlap authored
      Fix documentation build warnings for Pensando ionic:
      
      Documentation/networking/device_drivers/pensando/ionic.rst:39: WARNING: Unexpected indentation.
      Documentation/networking/device_drivers/pensando/ionic.rst:43: WARNING: Unexpected indentation.
      
      Fixes: df69ba43 ("ionic: Add basic framework for IONIC Network device driver")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Acked-by: default avatarShannon Nelson <snelson@pensando.io>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      b82316d2
  6. 08 Oct, 2019 7 commits