1. 14 2月, 2022 2 次提交
    • I
      ipv6: mcast: use rcu-safe version of ipv6_get_lladdr() · 26394fc1
      Ignat Korchagin 提交于
      Some time ago 8965779d ("ipv6,mcast: always hold idev->lock before mca_lock")
      switched ipv6_get_lladdr() to __ipv6_get_lladdr(), which is rcu-unsafe
      version. That was OK, because idev->lock was held for these codepaths.
      
      In 88e2ca30 ("mld: convert ifmcaddr6 to RCU") these external locks were
      removed, so we probably need to restore the original rcu-safe call.
      
      Otherwise, we occasionally get a machine crashed/stalled with the following
      in dmesg:
      
      [ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI
      [ 3405.982083][T230589] CPU: 44 PID: 230589 Comm: kworker/44:3 Tainted: G           O      5.15.19-cloudflare-2022.2.1 #1
      [ 3405.998061][T230589] Hardware name: SUPA-COOL-SERV
      [ 3406.009552][T230589] Workqueue: mld mld_ifc_work
      [ 3406.017224][T230589] RIP: 0010:__ipv6_get_lladdr+0x34/0x60
      [ 3406.025780][T230589] Code: 57 10 48 83 c7 08 48 89 e5 48 39 d7 74 3e 48 8d 82 38 ff ff ff eb 13 48 8b 90 d0 00 00 00 48 8d 82 38 ff ff ff 48 39 d7 74 22 <66> 83 78 32 20 77 1b 75 e4 89 ca 23 50 2c 75 dd 48 8b 50 08 48 8b
      [ 3406.055748][T230589] RSP: 0018:ffff94e4b3fc3d10 EFLAGS: 00010202
      [ 3406.065617][T230589] RAX: dead00000000005a RBX: ffff94e4b3fc3d30 RCX: 0000000000000040
      [ 3406.077477][T230589] RDX: dead000000000122 RSI: ffff94e4b3fc3d30 RDI: ffff8c3a31431008
      [ 3406.089389][T230589] RBP: ffff94e4b3fc3d10 R08: 0000000000000000 R09: 0000000000000000
      [ 3406.101445][T230589] R10: ffff8c3a31430000 R11: 000000000000000b R12: ffff8c2c37887100
      [ 3406.113553][T230589] R13: ffff8c3a39537000 R14: 00000000000005dc R15: ffff8c3a31431000
      [ 3406.125730][T230589] FS:  0000000000000000(0000) GS:ffff8c3b9fc80000(0000) knlGS:0000000000000000
      [ 3406.138992][T230589] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 3406.149895][T230589] CR2: 00007f0dfea1db60 CR3: 000000387b5f2000 CR4: 0000000000350ee0
      [ 3406.162421][T230589] Call Trace:
      [ 3406.170235][T230589]  <TASK>
      [ 3406.177736][T230589]  mld_newpack+0xfe/0x1a0
      [ 3406.186686][T230589]  add_grhead+0x87/0xa0
      [ 3406.195498][T230589]  add_grec+0x485/0x4e0
      [ 3406.204310][T230589]  ? newidle_balance+0x126/0x3f0
      [ 3406.214024][T230589]  mld_ifc_work+0x15d/0x450
      [ 3406.223279][T230589]  process_one_work+0x1e6/0x380
      [ 3406.232982][T230589]  worker_thread+0x50/0x3a0
      [ 3406.242371][T230589]  ? rescuer_thread+0x360/0x360
      [ 3406.252175][T230589]  kthread+0x127/0x150
      [ 3406.261197][T230589]  ? set_kthread_struct+0x40/0x40
      [ 3406.271287][T230589]  ret_from_fork+0x22/0x30
      [ 3406.280812][T230589]  </TASK>
      [ 3406.288937][T230589] Modules linked in: ... [last unloaded: kheaders]
      [ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]---
      
      Fixes: 88e2ca30 ("mld: convert ifmcaddr6 to RCU")
      Reported-by: NDavid Pinilla Caparros <dpini@cloudflare.com>
      Signed-off-by: NIgnat Korchagin <ignat@cloudflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      26394fc1
    • J
      ice: enable parsing IPSEC SPI headers for RSS · 86006f99
      Jesse Brandeburg 提交于
      The COMMS package can enable the hardware parser to recognize IPSEC
      frames with ESP header and SPI identifier.  If this package is available
      and configured for loading in /lib/firmware, then the driver will
      succeed in enabling this protocol type for RSS.
      
      This in turn allows the hardware to hash over the SPI and use it to pick
      a consistent receive queue for the same secure flow. Without this all
      traffic is steered to the same queue for multiple traffic threads from
      the same IP address. For that reason this is marked as a fix, as the
      driver supports the model, but it wasn't enabled.
      
      If the package is not available, adding this type will fail, but the
      failure is ignored on purpose as it has no negative affect.
      
      Fixes: c90ed40c ("ice: Enable writing hardware filtering tables")
      Signed-off-by: NJesse Brandeburg <jesse.brandeburg@intel.com>
      Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      86006f99
  2. 13 2月, 2022 1 次提交
  3. 12 2月, 2022 3 次提交
  4. 11 2月, 2022 14 次提交
    • D
      Merge tag 'wireless-2022-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 85d24ad3
      David S. Miller 提交于
      wireless fixes for v5.17
      
      Second set of fixes for v5.17. This is the first pull request with
      both driver and stack patches.
      
      Most important here are a regression fix for brcmfmac USB devices and
      an iwlwifi fix for use after free when the firmware was missing. We
      have new maintainers for ath9k and wcn36xx as well as ath6kl is now
      orphaned. Also smaller fixes to iwlwifi and stack.
      85d24ad3
    • D
      Merge ra.kernel.org:/pub/scm/linux/kernel/git/netfilter/nf · 525de9a7
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Add selftest for nft_synproxy, from Florian Westphal.
      
      2) xt_socket destroy path incorrectly disables IPv4 defrag for
         IPv6 traffic (typo), from Eric Dumazet.
      
      3) Fix exit value selftest nft_concat_range.sh, from Hangbin Liu.
      
      4) nft_synproxy disables the IPv4 hooks if the IPv6 hooks fail
         to be registered.
      
      5) disable rp_filter on router in selftest nft_fib.sh, also
         from Hangbin Liu.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      525de9a7
    • E
      drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit · dcd54265
      Eric Dumazet 提交于
      trace_napi_poll_hit() is reading stat->dev while another thread can write
      on it from dropmon_net_event()
      
      Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already,
      we only have to take care of load/store tearing.
      
      BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit
      
      write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1:
       dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579
       notifier_call_chain kernel/notifier.c:84 [inline]
       raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392
       call_netdevice_notifiers_info net/core/dev.c:1919 [inline]
       call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
       call_netdevice_notifiers net/core/dev.c:1945 [inline]
       unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415
       ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123
       vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515
       ops_exit_list net/core/net_namespace.c:173 [inline]
       cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597
       process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
       worker_thread+0x616/0xa70 kernel/workqueue.c:2454
       kthread+0x1bf/0x1e0 kernel/kthread.c:377
       ret_from_fork+0x1f/0x30
      
      read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0:
       trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292
       trace_napi_poll include/trace/events/napi.h:14 [inline]
       __napi_poll+0x36b/0x3f0 net/core/dev.c:6366
       napi_poll net/core/dev.c:6432 [inline]
       net_rx_action+0x29e/0x650 net/core/dev.c:6519
       __do_softirq+0x158/0x2de kernel/softirq.c:558
       do_softirq+0xb1/0xf0 kernel/softirq.c:459
       __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
       __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
       _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210
       spin_unlock_bh include/linux/spinlock.h:394 [inline]
       ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
       wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506
       process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
       worker_thread+0x616/0xa70 kernel/workqueue.c:2454
       kthread+0x1bf/0x1e0 kernel/kthread.c:377
       ret_from_fork+0x1f/0x30
      
      value changed: 0xffff88815883e000 -> 0x0000000000000000
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
      
      Fixes: 4ea7e386 ("dropmon: add ability to detect when hardware dropsrxpackets")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dcd54265
    • W
      net/smc: Avoid overwriting the copies of clcsock callback functions · 1de9770d
      Wen Gu 提交于
      The callback functions of clcsock will be saved and replaced during
      the fallback. But if the fallback happens more than once, then the
      copies of these callback functions will be overwritten incorrectly,
      resulting in a loop call issue:
      
      clcsk->sk_error_report
       |- smc_fback_error_report() <------------------------------|
           |- smc_fback_forward_wakeup()                          | (loop)
               |- clcsock_callback()  (incorrectly overwritten)   |
                   |- smc->clcsk_error_report() ------------------|
      
      So this patch fixes the issue by saving these function pointers only
      once in the fallback and avoiding overwriting.
      
      Reported-by: syzbot+4de3c0e8a263e1e499bc@syzkaller.appspotmail.com
      Fixes: 341adeec ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
      Link: https://lore.kernel.org/r/0000000000006d045e05d78776f6@google.comSigned-off-by: NWen Gu <guwen@linux.alibaba.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1de9770d
    • L
      Merge tag 'net-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · f1baf68e
      Linus Torvalds 提交于
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter and can.
      
      Current release - new code bugs:
      
         - sparx5: fix get_stat64 out-of-bound access and crash
      
         - smc: fix netdev ref tracker misuse
      
        Previous releases - regressions:
      
         - eth: ixgbevf: require large buffers for build_skb on 82599VF, avoid
           overflows
      
         - eth: ocelot: fix all IP traffic getting trapped to CPU with PTP
           over IP
      
         - bonding: fix rare link activation misses in 802.3ad mode
      
        Previous releases - always broken:
      
         - tcp: fix tcp sock mem accounting in zero-copy corner cases
      
         - remove the cached dst when uncloning an skb dst and its metadata,
           since we only have one ref it'd lead to an UaF
      
         - netfilter:
            - conntrack: don't refresh sctp entries in closed state
            - conntrack: re-init state for retransmitted syn-ack, avoid
              connection establishment getting stuck with strange stacks
            - ctnetlink: disable helper autoassign, avoid it getting lost
            - nft_payload: don't allow transport header access for fragments
      
         - dsa: fix use of devres for mdio throughout drivers
      
         - eth: amd-xgbe: disable interrupts during pci removal
      
         - eth: dpaa2-eth: unregister netdev before disconnecting the PHY
      
         - eth: ice: fix IPIP and SIT TSO offload"
      
      * tag 'net-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (53 commits)
        net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
        net: mscc: ocelot: fix mutex lock error during ethtool stats read
        ice: Avoid RTNL lock when re-creating auxiliary device
        ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler
        ice: fix IPIP and SIT TSO offload
        ice: fix an error code in ice_cfg_phy_fec()
        net: mpls: Fix GCC 12 warning
        dpaa2-eth: unregister the netdev before disconnecting from the PHY
        skbuff: cleanup double word in comment
        net: macb: Align the dma and coherent dma masks
        mptcp: netlink: process IPv6 addrs in creating listening sockets
        selftests: mptcp: add missing join check
        net: usb: qmi_wwan: Add support for Dell DW5829e
        vlan: move dev_put into vlan_dev_uninit
        vlan: introduce vlan_dev_free_egress_priority
        ax25: fix UAF bugs of net_device caused by rebinding operation
        net: dsa: fix panic when DSA master device unbinds on shutdown
        net: amd-xgbe: disable interrupts during pci removal
        tipc: rate limit warning for received illegal binding update
        net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE
        ...
      f1baf68e
    • L
      Merge tag 'linux-kselftest-fixes-5.17-rc4' of... · 16f7432c
      Linus Torvalds 提交于
      Merge tag 'linux-kselftest-fixes-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull Kselftest fixes from Shuah Khan:
       "Build and run-time fixes to pidfd, clone3, and ir tests"
      
      * tag 'linux-kselftest-fixes-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/ir: fix build with ancient kernel headers
        selftests: fixup build warnings in pidfd / clone3 tests
        pidfd: fix test failure due to stack overflow on some arches
      16f7432c
    • L
      Merge tag 'linux-kselftest-kunit-fixes-5.17-rc4' of... · ff008548
      Linus Torvalds 提交于
      Merge tag 'linux-kselftest-kunit-fixes-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull KUnit fixes from Shuah Khan:
       "Fixes to the test and usage documentation"
      
      * tag 'linux-kselftest-kunit-fixes-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        Documentation: KUnit: Fix usage bug
        kunit: fix missing f in f-string in run_checks.py
      ff008548
    • H
      selftests: netfilter: disable rp_filter on router · bbe4c089
      Hangbin Liu 提交于
      Some distros may enable rp_filter by default. After ns1 change addr to
      10.0.2.99 and set default router to 10.0.2.1, while the connected router
      address is still 10.0.1.1. The router will not reply the arp request
      from ns1. Fix it by setting the router's veth0 rp_filter to 0.
      
      Before the fix:
        # ./nft_fib.sh
        PASS: fib expression did not cause unwanted packet drops
        Netns nsrouter-HQkDORO2 fib counter doesn't match expected packet count of 1 for 1.1.1.1
        table inet filter {
                chain prerouting {
                        type filter hook prerouting priority filter; policy accept;
                        ip daddr 1.1.1.1 fib saddr . iif oif missing counter packets 0 bytes 0 drop
                        ip6 daddr 1c3::c01d fib saddr . iif oif missing counter packets 0 bytes 0 drop
                }
        }
      
      After the fix:
        # ./nft_fib.sh
        PASS: fib expression did not cause unwanted packet drops
        PASS: fib expression did drop packets for 1.1.1.1
        PASS: fib expression did drop packets for 1c3::c01d
      
      Fixes: 82944421 ("selftests: netfilter: add fib test case")
      Signed-off-by: NYi Chen <yiche@redhat.com>
      Signed-off-by: NHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      bbe4c089
    • V
      net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister · 51a04ebf
      Vladimir Oltean 提交于
      Since struct mv88e6xxx_mdio_bus *mdio_bus is the bus->priv of something
      allocated with mdiobus_alloc_size(), this means that mdiobus_free(bus)
      will free the memory backing the mdio_bus as well. Therefore, the
      mdio_bus->list element is freed memory, but we continue to iterate
      through the list of MDIO buses using that list element.
      
      To fix this, use the proper list iterator that handles element deletion
      by keeping a copy of the list element next pointer.
      
      Fixes: f53a2ce8 ("net: dsa: mv88e6xxx: don't use devres for mdiobus")
      Reported-by: NRafael Richter <rafael.richter@gin.de>
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20220210174017.3271099-1-vladimir.oltean@nxp.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      51a04ebf
    • J
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · a19f7d7d
      Jakub Kicinski 提交于
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2022-02-10
      
      Dan Carpenter propagates an error in FEC configuration.
      
      Jesse fixes TSO offloads of IPIP and SIT frames.
      
      Dave adds a dedicated LAG unregister function to resolve a KASAN error
      and moves auxiliary device re-creation after LAG removal to the service
      task to avoid issues with RTNL lock.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        ice: Avoid RTNL lock when re-creating auxiliary device
        ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler
        ice: fix IPIP and SIT TSO offload
        ice: fix an error code in ice_cfg_phy_fec()
      ====================
      
      Link: https://lore.kernel.org/r/20220210170515.2609656-1-anthony.l.nguyen@intel.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      a19f7d7d
    • C
      net: mscc: ocelot: fix mutex lock error during ethtool stats read · 7fbf6795
      Colin Foster 提交于
      An ongoing workqueue populates the stats buffer. At the same time, a user
      might query the statistics. While writing to the buffer is mutex-locked,
      reading from the buffer wasn't. This could lead to buggy reads by ethtool.
      
      This patch fixes the former blamed commit, but the bug was introduced in
      the latter.
      Signed-off-by: NColin Foster <colin.foster@in-advantage.com>
      Fixes: 1e1caa97 ("ocelot: Clean up stats update deferred work")
      Fixes: a556c76a ("net: mscc: Add initial Ocelot switch support")
      Reported-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/all/20220210150451.416845-2-colin.foster@in-advantage.com/Signed-off-by: NJakub Kicinski <kuba@kernel.org>
      7fbf6795
    • D
      ice: Avoid RTNL lock when re-creating auxiliary device · 5dbbbd01
      Dave Ertman 提交于
      If a call to re-create the auxiliary device happens in a context that has
      already taken the RTNL lock, then the call flow that recreates auxiliary
      device can hang if there is another attempt to claim the RTNL lock by the
      auxiliary driver.
      
      To avoid this, any call to re-create auxiliary devices that comes from
      an source that is holding the RTNL lock (e.g. netdev notifier when
      interface exits a bond) should execute in a separate thread.  To
      accomplish this, add a flag to the PF that will be evaluated in the
      service task and dealt with there.
      
      Fixes: f9f5301e ("ice: Register auxiliary device to provide RDMA")
      Signed-off-by: NDave Ertman <david.m.ertman@intel.com>
      Reviewed-by: NJonathan Toppins <jtoppins@redhat.com>
      Tested-by: NGurucharan G <gurucharanx.g@intel.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      5dbbbd01
    • D
      ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler · bea1898f
      Dave Ertman 提交于
      Currently, the same handler is called for both a NETDEV_BONDING_INFO
      LAG unlink notification as for a NETDEV_UNREGISTER call.  This is
      causing a problem though, since the netdev_notifier_info passed has
      a different structure depending on which event is passed.  The problem
      manifests as a call trace from a BUG: KASAN stack-out-of-bounds error.
      
      Fix this by creating a handler specific to NETDEV_UNREGISTER that only
      is passed valid elements in the netdev_notifier_info struct for the
      NETDEV_UNREGISTER event.
      
      Also included is the removal of an unbalanced dev_put on the peer_netdev
      and related braces.
      
      Fixes: 6a8b3572 ("ice: Respond to a NETDEV_UNREGISTER event for LAG")
      Signed-off-by: NDave Ertman <david.m.ertman@intel.com>
      Acked-by: NJonathan Toppins <jtoppins@redhat.com>
      Tested-by: NSunitha Mekala <sunithax.d.mekala@intel.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      bea1898f
    • J
      ice: fix IPIP and SIT TSO offload · 46b699c5
      Jesse Brandeburg 提交于
      The driver was avoiding offload for IPIP (at least) frames due to
      parsing the inner header offsets incorrectly when trying to check
      lengths.
      
      This length check works for VXLAN frames but fails on IPIP frames
      because skb_transport_offset points to the inner header in IPIP
      frames, which meant the subtraction of transport_header from
      inner_network_header returns a negative value (-20).
      
      With the code before this patch, everything continued to work, but GSO
      was being used to segment, causing throughputs of 1.5Gb/s per thread.
      After this patch, throughput is more like 10Gb/s per thread for IPIP
      traffic.
      
      Fixes: e94d4478 ("ice: Implement filter sync, NDO operations and bump version")
      Signed-off-by: NJesse Brandeburg <jesse.brandeburg@intel.com>
      Reviewed-by: NPaul Menzel <pmenzel@molgen.mpg.de>
      Tested-by: NGurucharan G <gurucharanx.g@intel.com>
      Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
      46b699c5
  5. 10 2月, 2022 20 次提交