1. 02 7月, 2021 2 次提交
    • F
      xfrm: Fix RCU vs hash_resize_mutex lock inversion · 2580d3f4
      Frederic Weisbecker 提交于
      xfrm_bydst_resize() calls synchronize_rcu() while holding
      hash_resize_mutex. But then on PREEMPT_RT configurations,
      xfrm_policy_lookup_bytype() may acquire that mutex while running in an
      RCU read side critical section. This results in a deadlock.
      
      In fact the scope of hash_resize_mutex is way beyond the purpose of
      xfrm_policy_lookup_bytype() to just fetch a coherent and stable policy
      for a given destination/direction, along with other details.
      
      The lower level net->xfrm.xfrm_policy_lock, which among other things
      protects per destination/direction references to policy entries, is
      enough to serialize and benefit from priority inheritance against the
      write side. As a bonus, it makes it officially a per network namespace
      synchronization business where a policy table resize on namespace A
      shouldn't block a policy lookup on namespace B.
      
      Fixes: 77cc278f (xfrm: policy: Use sequence counters with associated lock)
      Cc: stable@vger.kernel.org
      Cc: Ahmed S. Darwish <a.darwish@linutronix.de>
      Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Varad Gautam <varad.gautam@suse.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: NFrederic Weisbecker <frederic@kernel.org>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      2580d3f4
    • S
      Revert "xfrm: policy: Read seqcount outside of rcu-read side in xfrm_policy_lookup_bytype" · eaf22826
      Steffen Klassert 提交于
      This reverts commit d7b04089.
      
      This commit tried to fix a locking bug introduced by commit 77cc278f
      ("xfrm: policy: Use sequence counters with associated lock"). As it
      turned out, this patch did not really fix the bug. A proper fix
      for this bug is applied on top of this revert.
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      eaf22826
  2. 01 6月, 2021 1 次提交
    • V
      xfrm: policy: Read seqcount outside of rcu-read side in xfrm_policy_lookup_bytype · d7b04089
      Varad Gautam 提交于
      xfrm_policy_lookup_bytype loops on seqcount mutex xfrm_policy_hash_generation
      within an RCU read side critical section. Although ill advised, this is fine if
      the loop is bounded.
      
      xfrm_policy_hash_generation wraps mutex hash_resize_mutex, which is used to
      serialize writers (xfrm_hash_resize, xfrm_hash_rebuild). This is fine too.
      
      On PREEMPT_RT=y, the read_seqcount_begin call within xfrm_policy_lookup_bytype
      emits a mutex lock/unlock for hash_resize_mutex. Mutex locking is fine, since
      RCU read side critical sections are allowed to sleep with PREEMPT_RT.
      
      xfrm_hash_resize can, however, block on synchronize_rcu while holding
      hash_resize_mutex.
      
      This leads to the following situation on PREEMPT_RT, where the writer is
      blocked on RCU grace period expiry, while the reader is blocked on a lock held
      by the writer:
      
      Thead 1 (xfrm_hash_resize)	Thread 2 (xfrm_policy_lookup_bytype)
      
      				rcu_read_lock();
      mutex_lock(&hash_resize_mutex);
      				read_seqcount_begin(&xfrm_policy_hash_generation);
      				mutex_lock(&hash_resize_mutex); // block
      xfrm_bydst_resize();
      synchronize_rcu(); // block
      		<RCU stalls in xfrm_policy_lookup_bytype>
      
      Move the read_seqcount_begin call outside of the RCU read side critical section,
      and do an rcu_read_unlock/retry if we got stale data within the critical section.
      
      On non-PREEMPT_RT, this shortens the time spent within RCU read side critical
      section in case the seqcount needs a retry, and avoids unbounded looping.
      
      Fixes: 77cc278f ("xfrm: policy: Use sequence counters with associated lock")
      Signed-off-by: NVarad Gautam <varad.gautam@suse.com>
      Cc: linux-rt-users <linux-rt-users@vger.kernel.org>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org # v4.9
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Florian Westphal <fw@strlen.de>
      Cc: "Ahmed S. Darwish" <a.darwish@linutronix.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Acked-by: NAhmed S. Darwish <a.darwish@linutronix.de>
      d7b04089
  3. 19 4月, 2021 2 次提交
  4. 29 3月, 2021 1 次提交
  5. 04 1月, 2021 2 次提交
    • V
      xfrm: Fix wraparound in xfrm_policy_addr_delta() · da64ae2d
      Visa Hankala 提交于
      Use three-way comparison for address components to avoid integer
      wraparound in the result of xfrm_policy_addr_delta(). This ensures
      that the search trees are built and traversed correctly.
      
      Treat IPv4 and IPv6 similarly by returning 0 when prefixlen == 0.
      Prefix /0 has only one equivalence class.
      
      Fixes: 9cf545eb ("xfrm: policy: store inexact policies in a tree ordered by destination address")
      Signed-off-by: NVisa Hankala <visa@hankala.org>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      da64ae2d
    • E
      xfrm: fix disable_xfrm sysctl when used on xfrm interfaces · 9f8550e4
      Eyal Birger 提交于
      The disable_xfrm flag signals that xfrm should not be performed during
      routing towards a device before reaching device xmit.
      
      For xfrm interfaces this is usually desired as they perform the outbound
      policy lookup as part of their xmit using their if_id.
      
      Before this change enabling this flag on xfrm interfaces prevented them
      from xmitting as xfrm_lookup_with_ifid() would not perform a policy lookup
      in case the original dst had the DST_NOXFRM flag.
      
      This optimization is incorrect when the lookup is done by the xfrm
      interface xmit logic.
      
      Fix by performing policy lookup when invoked by xfrmi as if_id != 0.
      
      Similarly it's unlikely for the 'no policy exists on net' check to yield
      any performance benefits when invoked from xfrmi.
      
      Fixes: f203b76d ("xfrm: Add virtual xfrm interfaces")
      Signed-off-by: NEyal Birger <eyal.birger@gmail.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      9f8550e4
  6. 24 8月, 2020 1 次提交
  7. 29 7月, 2020 1 次提交
  8. 21 7月, 2020 1 次提交
  9. 17 7月, 2020 1 次提交
  10. 24 6月, 2020 1 次提交
    • X
      xfrm: policy: match with both mark and mask on user interfaces · 4f47e8ab
      Xin Long 提交于
      In commit ed17b8d3 ("xfrm: fix a warning in xfrm_policy_insert_list"),
      it would take 'priority' to make a policy unique, and allow duplicated
      policies with different 'priority' to be added, which is not expected
      by userland, as Tobias reported in strongswan.
      
      To fix this duplicated policies issue, and also fix the issue in
      commit ed17b8d3 ("xfrm: fix a warning in xfrm_policy_insert_list"),
      when doing add/del/get/update on user interfaces, this patch is to change
      to look up a policy with both mark and mask by doing:
      
        mark.v == pol->mark.v && mark.m == pol->mark.m
      
      and leave the check:
      
        (mark & pol->mark.m) == pol->mark.v
      
      for tx/rx path only.
      
      As the userland expects an exact mark and mask match to manage policies.
      
      v1->v2:
        - make xfrm_policy_mark_match inline and fix the changelog as
          Tobias suggested.
      
      Fixes: 295fae56 ("xfrm: Allow user space manipulation of SPD mark")
      Fixes: ed17b8d3 ("xfrm: fix a warning in xfrm_policy_insert_list")
      Reported-by: NTobias Brunner <tobias@strongswan.org>
      Tested-by: NTobias Brunner <tobias@strongswan.org>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      4f47e8ab
  11. 25 5月, 2020 1 次提交
    • X
      xfrm: fix a warning in xfrm_policy_insert_list · ed17b8d3
      Xin Long 提交于
      This waring can be triggered simply by:
      
        # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
          priority 1 mark 0 mask 0x10  #[1]
        # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
          priority 2 mark 0 mask 0x1   #[2]
        # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
          priority 2 mark 0 mask 0x10  #[3]
      
      Then dmesg shows:
      
        [ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:1548
        [ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x1030
        [ ] Call Trace:
        [ ]  xfrm_policy_inexact_insert+0x85/0xe50
        [ ]  xfrm_policy_insert+0x4ba/0x680
        [ ]  xfrm_add_policy+0x246/0x4d0
        [ ]  xfrm_user_rcv_msg+0x331/0x5c0
        [ ]  netlink_rcv_skb+0x121/0x350
        [ ]  xfrm_netlink_rcv+0x66/0x80
        [ ]  netlink_unicast+0x439/0x630
        [ ]  netlink_sendmsg+0x714/0xbf0
        [ ]  sock_sendmsg+0xe2/0x110
      
      The issue was introduced by Commit 7cb8a939 ("xfrm: Allow inserting
      policies with matching mark and different priorities"). After that, the
      policies [1] and [2] would be able to be added with different priorities.
      
      However, policy [3] will actually match both [1] and [2]. Policy [1]
      was matched due to the 1st 'return true' in xfrm_policy_mark_match(),
      and policy [2] was matched due to the 2nd 'return true' in there. It
      caused WARN_ON() in xfrm_policy_insert_list().
      
      This patch is to fix it by only (the same value and priority) as the
      same policy in xfrm_policy_mark_match().
      
      Thanks to Yuehaibing, we could make this fix better.
      
      v1->v2:
        - check policy->mark.v == pol->mark.v only without mask.
      
      Fixes: 7cb8a939 ("xfrm: Allow inserting policies with matching mark and different priorities")
      Reported-by: NXiumei Mu <xmu@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      ed17b8d3
  12. 24 3月, 2020 2 次提交
  13. 04 2月, 2020 1 次提交
  14. 09 12月, 2019 1 次提交
  15. 02 10月, 2019 1 次提交
    • F
      netfilter: drop bridge nf reset from nf_reset · 895b5c9f
      Florian Westphal 提交于
      commit 174e2381
      ("sk_buff: drop all skb extensions on free and skb scrubbing") made napi
      recycle always drop skb extensions.  The additional skb_ext_del() that is
      performed via nf_reset on napi skb recycle is not needed anymore.
      
      Most nf_reset() calls in the stack are there so queued skb won't block
      'rmmod nf_conntrack' indefinitely.
      
      This removes the skb_ext_del from nf_reset, and renames it to a more
      fitting nf_reset_ct().
      
      In a few selected places, add a call to skb_ext_reset to make sure that
      no active extensions remain.
      
      I am submitting this for "net", because we're still early in the release
      cycle.  The patch applies to net-next too, but I think the rename causes
      needless divergence between those trees.
      Suggested-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      895b5c9f
  16. 25 8月, 2019 1 次提交
    • H
      xfrm/xfrm_policy: fix dst dev null pointer dereference in collect_md mode · c3b4c3a4
      Hangbin Liu 提交于
      In decode_session{4,6} there is a possibility that the skb dst dev is NULL,
      e,g, with tunnel collect_md mode, which will cause kernel crash.
      Here is what the code path looks like, for GRE:
      
      - ip6gre_tunnel_xmit
        - ip6gre_xmit_ipv6
          - __gre6_xmit
            - ip6_tnl_xmit
              - if skb->len - t->tun_hlen - eth_hlen > mtu; return -EMSGSIZE
          - icmpv6_send
            - icmpv6_route_lookup
              - xfrm_decode_session_reverse
                - decode_session4
                  - oif = skb_dst(skb)->dev->ifindex; <-- here
                - decode_session6
                  - oif = skb_dst(skb)->dev->ifindex; <-- here
      
      The reason is __metadata_dst_init() init dst->dev to NULL by default.
      We could not fix it in __metadata_dst_init() as there is no dev supplied.
      On the other hand, the skb_dst(skb)->dev is actually not needed as we
      called decode_session{4,6} via xfrm_decode_session_reverse(), so oif is not
      used by: fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
      
      So make a dst dev check here should be clean and safe.
      
      v4: No changes.
      
      v3: No changes.
      
      v2: fix the issue in decode_session{4,6} instead of updating shared dst dev
      in {ip_md, ip6}_tunnel_xmit.
      
      Fixes: 8d79266b ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
      Signed-off-by: NHangbin Liu <liuhangbin@gmail.com>
      Tested-by: NJonathan Lemon <jonathan.lemon@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c3b4c3a4
  17. 20 8月, 2019 1 次提交
    • F
      xfrm: policy: avoid warning splat when merging nodes · 769a807d
      Florian Westphal 提交于
      syzbot reported a splat:
       xfrm_policy_inexact_list_reinsert+0x625/0x6e0 net/xfrm/xfrm_policy.c:877
       CPU: 1 PID: 6756 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #57
       Call Trace:
        xfrm_policy_inexact_node_reinsert net/xfrm/xfrm_policy.c:922 [inline]
        xfrm_policy_inexact_node_merge net/xfrm/xfrm_policy.c:958 [inline]
        xfrm_policy_inexact_insert_node+0x537/0xb50 net/xfrm/xfrm_policy.c:1023
        xfrm_policy_inexact_alloc_chain+0x62b/0xbd0 net/xfrm/xfrm_policy.c:1139
        xfrm_policy_inexact_insert+0xe8/0x1540 net/xfrm/xfrm_policy.c:1182
        xfrm_policy_insert+0xdf/0xce0 net/xfrm/xfrm_policy.c:1574
        xfrm_add_policy+0x4cf/0x9b0 net/xfrm/xfrm_user.c:1670
        xfrm_user_rcv_msg+0x46b/0x720 net/xfrm/xfrm_user.c:2676
        netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2477
        xfrm_netlink_rcv+0x74/0x90 net/xfrm/xfrm_user.c:2684
        netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
        netlink_unicast+0x809/0x9a0 net/netlink/af_netlink.c:1328
        netlink_sendmsg+0xa70/0xd30 net/netlink/af_netlink.c:1917
        sock_sendmsg_nosec net/socket.c:637 [inline]
        sock_sendmsg net/socket.c:657 [inline]
      
      There is no reproducer, however, the warning can be reproduced
      by adding rules with ever smaller prefixes.
      
      The sanity check ("does the policy match the node") uses the prefix value
      of the node before its updated to the smaller value.
      
      To fix this, update the prefix earlier.  The bug has no impact on tree
      correctness, this is only to prevent a false warning.
      
      Reported-by: syzbot+8cc27ace5f6972910b31@syzkaller.appspotmail.com
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      769a807d
  18. 03 7月, 2019 1 次提交
    • F
      xfrm: policy: fix bydst hlist corruption on hash rebuild · fd709721
      Florian Westphal 提交于
      syzbot reported following spat:
      
      BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:221
      BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:455
      BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xa0d/0x1000 net/xfrm/xfrm_policy.c:1318
      Write of size 8 at addr ffff888095e79c00 by task kworker/1:3/8066
      Workqueue: events xfrm_hash_rebuild
      Call Trace:
       __write_once_size include/linux/compiler.h:221 [inline]
       hlist_del_rcu include/linux/rculist.h:455 [inline]
       xfrm_hash_rebuild+0xa0d/0x1000 net/xfrm/xfrm_policy.c:1318
       process_one_work+0x814/0x1130 kernel/workqueue.c:2269
      Allocated by task 8064:
       __kmalloc+0x23c/0x310 mm/slab.c:3669
       kzalloc include/linux/slab.h:742 [inline]
       xfrm_hash_alloc+0x38/0xe0 net/xfrm/xfrm_hash.c:21
       xfrm_policy_init net/xfrm/xfrm_policy.c:4036 [inline]
       xfrm_net_init+0x269/0xd60 net/xfrm/xfrm_policy.c:4120
       ops_init+0x336/0x420 net/core/net_namespace.c:130
       setup_net+0x212/0x690 net/core/net_namespace.c:316
      
      The faulting address is the address of the old chain head,
      free'd by xfrm_hash_resize().
      
      In xfrm_hash_rehash(), chain heads get re-initialized without
      any hlist_del_rcu:
      
       for (i = hmask; i >= 0; i--)
          INIT_HLIST_HEAD(odst + i);
      
      Then, hlist_del_rcu() gets called on the about to-be-reinserted policy
      when iterating the per-net list of policies.
      
      hlist_del_rcu() will then make chain->first be nonzero again:
      
      static inline void __hlist_del(struct hlist_node *n)
      {
         struct hlist_node *next = n->next;   // address of next element in list
         struct hlist_node **pprev = n->pprev;// location of previous elem, this
                                              // can point at chain->first
              WRITE_ONCE(*pprev, next);       // chain->first points to next elem
              if (next)
                      next->pprev = pprev;
      
      Then, when we walk chainlist to find insertion point, we may find a
      non-empty list even though we're supposedly reinserting the first
      policy to an empty chain.
      
      To fix this first unlink all exact and inexact policies instead of
      zeroing the list heads.
      
      Add the commands equivalent to the syzbot reproducer to xfrm_policy.sh,
      without fix KASAN catches the corruption as it happens, SLUB poisoning
      detects it a bit later.
      
      Reported-by: syzbot+0165480d4ef07360eeda@syzkaller.appspotmail.com
      Fixes: 1548bc4e ("xfrm: policy: delete inexact policies from inexact list on hash rebuild")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      fd709721
  19. 02 7月, 2019 1 次提交
  20. 06 6月, 2019 1 次提交
  21. 21 5月, 2019 1 次提交
  22. 17 5月, 2019 1 次提交
  23. 23 4月, 2019 3 次提交
  24. 08 4月, 2019 3 次提交
    • F
      xfrm: store xfrm_mode directly, not its address · c9500d7b
      Florian Westphal 提交于
      This structure is now only 4 bytes, so its more efficient
      to cache a copy rather than its address.
      
      No significant size difference in allmodconfig vmlinux.
      
      With non-modular kernel that has all XFRM options enabled, this
      series reduces vmlinux image size by ~11kb. All xfrm_mode
      indirections are gone and all modes are built-in.
      
      before (ipsec-next master):
          text      data      bss         dec   filename
      21071494   7233140 11104324    39408958   vmlinux.master
      
      after this series:
      21066448   7226772 11104324    39397544   vmlinux.patched
      
      With allmodconfig kernel, the size increase is only 362 bytes,
      even all the xfrm config options removed in this series are
      modular.
      
      before:
          text      data     bss      dec   filename
      15731286   6936912 4046908 26715106   vmlinux.master
      
      after this series:
      15731492   6937068  4046908  26715468 vmlinux
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Reviewed-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      c9500d7b
    • F
      xfrm: make xfrm modes builtin · 4c145dce
      Florian Westphal 提交于
      after previous changes, xfrm_mode contains no function pointers anymore
      and all modules defining such struct contain no code except an init/exit
      functions to register the xfrm_mode struct with the xfrm core.
      
      Just place the xfrm modes core and remove the modules,
      the run-time xfrm_mode register/unregister functionality is removed.
      
      Before:
      
          text    data     bss      dec filename
          7523     200    2364    10087 net/xfrm/xfrm_input.o
         40003     628     440    41071 net/xfrm/xfrm_state.o
      15730338 6937080 4046908 26714326 vmlinux
      
          7389     200    2364    9953  net/xfrm/xfrm_input.o
         40574     656     440   41670  net/xfrm/xfrm_state.o
      15730084 6937068 4046908 26714060 vmlinux
      
      The xfrm*_mode_{transport,tunnel,beet} modules are gone.
      
      v2: replace CONFIG_INET6_XFRM_MODE_* IS_ENABLED guards with CONFIG_IPV6
          ones rather than removing them.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Reviewed-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      4c145dce
    • F
      xfrm: remove afinfo pointer from xfrm_mode · 733a5fac
      Florian Westphal 提交于
      Adds an EXPORT_SYMBOL for afinfo_get_rcu, as it will now be called from
      ipv6 in case of CONFIG_IPV6=m.
      
      This change has virtually no effect on vmlinux size, but it reduces
      afinfo size and allows followup patch to make xfrm modes const.
      
      v2: mark if (afinfo) tests as likely (Sabrina)
          re-fetch afinfo according to inner_mode in xfrm_prepare_input().
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Reviewed-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      733a5fac
  25. 27 3月, 2019 1 次提交
  26. 18 2月, 2019 1 次提交
    • T
      xfrm: Fix inbound traffic via XFRM interfaces across network namespaces · 660899dd
      Tobias Brunner 提交于
      After moving an XFRM interface to another namespace it stays associated
      with the original namespace (net in `struct xfrm_if` and the list keyed
      with `xfrmi_net_id`), allowing processes in the new namespace to use
      SAs/policies that were created in the original namespace.  For instance,
      this allows a keying daemon in one namespace to establish IPsec SAs for
      other namespaces without processes there having access to the keys or IKE
      credentials.
      
      This worked fine for outbound traffic, however, for inbound traffic the
      lookup for the interfaces and the policies used the incorrect namespace
      (the one the XFRM interface was moved to).
      
      Fixes: f203b76d ("xfrm: Add virtual xfrm interfaces")
      Signed-off-by: NTobias Brunner <tobias@strongswan.org>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      660899dd
  27. 16 1月, 2019 1 次提交
  28. 09 1月, 2019 5 次提交
    • F
      xfrm: policy: fix infinite loop when merging src-nodes · 12750aba
      Florian Westphal 提交于
      With very small change to test script we can trigger softlockup due to
      bogus assignment of 'p' (policy to be examined) on restart.
      
      Previously the two to-be-merged nodes had same address/prefixlength pair,
      so no erase/reinsert was necessary, we only had to append the list from
      node a to b.
      
      If prefix lengths are different, the node has to be deleted and re-inserted
      into the tree, with the updated prefix length.  This was broken; due to
      bogus update to 'p' this loops forever.
      
      Add a 'restart' label and use that instead.
      
      While at it, don't perform the unneeded reinserts of the policies that
      are already sorted into the 'new' node.
      
      A previous patch in this series made xfrm_policy_inexact_list_reinsert()
      use the relative position indicator to sort policies according to age in
      case priorities are identical.
      
      Fixes: 6ac098b2 ("xfrm: policy: add 2nd-level saddr trees for inexact policies")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      12750aba
    • F
      xfrm: policy: fix reinsertion on node merge · 1d38900c
      Florian Westphal 提交于
      "newpos" has wrong scope.  It must be NULL on each iteration of the loop.
      Otherwise, when policy is to be inserted at the start, we would instead
      insert at point found by the previous loop-iteration instead.
      
      Also, we need to unlink the policy before we reinsert it to the new node,
      else we can get next-points-to-self loops.
      
      Because policies are only ordered by priority it is irrelevant which policy
      is "more recent" except when two policies have same priority.
      (the more recent one is placed after the older one).
      
      In these cases, we can use the ->pos id number to know which one is the
      'older': the higher the id, the more recent the policy.
      
      So we only need to unlink all policies from the node that is about to be
      removed, and insert them to the replacement node.
      
      Fixes: 9cf545eb ("xfrm: policy: store inexact policies in a tree ordered by destination address")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      1d38900c
    • F
      xfrm: policy: delete inexact policies from inexact list on hash rebuild · 1548bc4e
      Florian Westphal 提交于
      An xfrm hash rebuild has to reset the inexact policy list before the
      policies get re-inserted: A change of hash thresholds will result in
      policies to get moved from inexact tree to the policy hash table.
      
      If the thresholds are increased again later, they get moved from hash
      table to inexact tree.
      
      We must unlink all policies from the inexact tree before re-insertion.
      
      Otherwise 'migrate' may find policies that are in main hash table a
      second time, when it searches the inexact lists.
      
      Furthermore, re-insertion without deletion can cause elements ->next to
      point back to itself, causing soft lockups or double-frees.
      
      Reported-by: syzbot+9d971dd21eb26567036b@syzkaller.appspotmail.com
      Fixes: 9cf545eb ("xfrm: policy: store inexact policies in a tree ordered by destination address")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      1548bc4e
    • F
      xfrm: policy: increment xfrm_hash_generation on hash rebuild · 7a474c36
      Florian Westphal 提交于
      Hash rebuild will re-set all the inexact entries, then re-insert them.
      Lookups that can occur in parallel will therefore not find any policies.
      
      This was safe when lookups were still guarded by rwlock.
      After rcu-ification, lookups check the hash_generation seqcount to detect
      when a hash resize takes place.  Hash rebuild missed the needed increment.
      
      Hash resizes and hash rebuilds cannot occur in parallel (both acquire
      hash_resize_mutex), so just increment xfrm_hash_generation, like resize.
      
      Fixes: a7c44247 ("xfrm: policy: make xfrm_policy_lookup_bytype lockless")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      7a474c36
    • F
      xfrm: policy: use hlist rcu variants on inexact insert, part 2 · 355b00d1
      Florian Westphal 提交于
      This function was modeled on the 'exact' insert one, which did not use
      the rcu variant either.
      
      When I fixed the 'exact' insert I forgot to propagate this to my
      development tree, so the inexact variant retained the bug.
      
      Fixes: 9cf545eb ("xfrm: policy: store inexact policies in a tree ordered by destination address")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      355b00d1