1. 25 3月, 2019 2 次提交
  2. 13 2月, 2019 1 次提交
    • E
      batman-adv: fix uninit-value in batadv_interface_tx() · 4ffcbfac
      Eric Dumazet 提交于
      KMSAN reported batadv_interface_tx() was possibly using a
      garbage value [1]
      
      batadv_get_vid() does have a pskb_may_pull() call
      but batadv_interface_tx() does not actually make sure
      this did not fail.
      
      [1]
      BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
      CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x173/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
       __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
       batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
       __netdev_start_xmit include/linux/netdevice.h:4356 [inline]
       netdev_start_xmit include/linux/netdevice.h:4365 [inline]
       xmit_one net/core/dev.c:3257 [inline]
       dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273
       __dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876
       packet_snd net/packet/af_packet.c:2928 [inline]
       packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       __sys_sendto+0x8c4/0xac0 net/socket.c:1788
       __do_sys_sendto net/socket.c:1800 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1796
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x441889
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889
      RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003
      RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0
      R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
       kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
       kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
       kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2759 [inline]
       __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
       __kmalloc_reserve net/core/skbuff.c:137 [inline]
       __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
       alloc_skb include/linux/skbuff.h:998 [inline]
       alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220
       sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083
       packet_alloc_skb net/packet/af_packet.c:2781 [inline]
       packet_snd net/packet/af_packet.c:2872 [inline]
       packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       __sys_sendto+0x8c4/0xac0 net/socket.c:1788
       __do_sys_sendto net/socket.c:1800 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1796
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      Fixes: c6c8fea2 ("net: Add batman-adv meshing protocol")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Cc:	Marek Lindner <mareklindner@neomailbox.ch>
      Cc:	Simon Wunderlich <sw@simonwunderlich.de>
      Cc:	Antonio Quartulli <a@unstable.cc>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4ffcbfac
  3. 09 2月, 2019 1 次提交
    • S
      batman-adv: Add gateway mesh genl configuration · e2d0d35b
      Sven Eckelmann 提交于
      The mesh/soft-interface can optimize the handling of DHCP packets. Instead
      of flooding them through the whole mesh, it can be forwarded as unicast to
      a specific gateway server. The originator which injects the packets in the
      mesh has to select (based on sel_class thresholds) a responsible gateway
      server. This is done by switching this originator to the gw_mode client.
      The servers announce their forwarding bandwidth (download/upload) when the
      gw_mode server was selected.
      
      The BATADV_CMD_SET_MESH/BATADV_CMD_GET_MESH commands allow to set/get the
      configuration of this feature using the attributes:
      
      * u8 BATADV_ATTR_GW_MODE (0 == off, 1 == client, 2 == server)
      * u32 BATADV_ATTR_GW_BANDWIDTH_DOWN (in 100 kbit/s steps)
      * u32 BATADV_ATTR_GW_BANDWIDTH_UP (in 100 kbit/s steps)
      * u32 BATADV_ATTR_GW_SEL_CLASS
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      e2d0d35b
  4. 04 1月, 2019 1 次提交
  5. 01 1月, 2019 1 次提交
    • S
      batman-adv: Force mac header to start of data on xmit · 9114daa8
      Sven Eckelmann 提交于
      The caller of ndo_start_xmit may not already have called
      skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr
      therefore can be in the wrong position and even outside the current skbuff.
      This for example happens when the user binds to the device using a
      PF_PACKET-SOCK_RAW with enabled qdisc-bypass:
      
        int opt = 4;
        setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));
      
      Since eth_hdr is used all over the codebase, the batadv_interface_tx
      function must always take care of resetting it.
      
      Fixes: c6c8fea2 ("net: Add batman-adv meshing protocol")
      Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com
      Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      9114daa8
  6. 31 12月, 2018 1 次提交
    • L
      batman-adv: Snoop DHCPACKs for DAT · b61ec31c
      Linus Lüssing 提交于
      In a 1000 nodes mesh network (Freifunk Hamburg) we can still see
      30KBit/s of ARP traffic (equalling about 25% of all layer two
      specific overhead, remaining after some filtering) flooded through
      the mesh. These 30KBit/s are mainly ARP Requests from the
      gateways / DHCP servers.
      
      By snooping DHCPACKs we can learn about MAC/IP address pairs
      in the DHCP range without relying on ARP. This patch is in preparation
      to eliminate the need for mesh wide message flooding for IPv4 address
      resolution.
      
      Also this allows to quickly update a MAC/IP pair at least in the DHT when
      DHCP reassigns an IP address to a new host.
      Signed-off-by: NLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      b61ec31c
  7. 15 9月, 2018 2 次提交
    • S
      batman-adv: Enable LockLess TX for softif · a7ea49af
      Sven Eckelmann 提交于
      The batadv interfaces are virtual interfaces which just tunnel the traffic
      over other ethernet compatible interfaces. It doesn't need serialization
      during the tx phase and is using RCU for most of its internal
      datastructures. Since it doesn't have actual queues which could be locked
      independently, the throughput gets significantly reduced by the extra lock
      in the core net code.
      
      8 parallel TCP connections forwarded by an IPQ4019 based hardware over
      5GHz could reach:
      
      * without LLTX: 349 Mibit/s
      * with LLTX:    563 Mibit/s
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      a7ea49af
    • S
      batman-adv: Move OGM rebroadcast stats to orig_ifinfo · dee222c7
      Sven Eckelmann 提交于
      B.A.T.M.A.N. IV requires the number of rebroadcast from a neighboring
      originator. These statistics are gathered per interface which transmitted
      the OGM (and then received it again). Since an originator is not interface
      specific, a resizable array was used in each originator.
      
      This resizable array had an entry for each interface and had to be resizes
      (for all OGMs) when the number of active interface was modified. This could
      cause problems when a large number of interface is added and not enough
      continuous memory is available to allocate the array.
      
      There is already a per interface originator structure "batadv_orig_ifinfo"
      which can be used to store this information.
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      dee222c7
  8. 06 9月, 2018 1 次提交
    • S
      batman-adv: Prevent duplicated softif_vlan entry · 94cb82f5
      Sven Eckelmann 提交于
      The function batadv_softif_vlan_get is responsible for adding new
      softif_vlan to the softif_vlan_list. It first checks whether the entry
      already is in the list or not. If it is, then the creation of a new entry
      is aborted.
      
      But the lock for the list is only held when the list is really modified.
      This could lead to duplicated entries because another context could create
      an entry with the same key between the check and the list manipulation.
      
      The check and the manipulation of the list must therefore be in the same
      locked code section.
      
      Fixes: 5d2c05b2 ("batman-adv: add per VLAN interface attribute framework")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      94cb82f5
  9. 26 4月, 2018 1 次提交
  10. 22 4月, 2018 1 次提交
  11. 27 2月, 2018 1 次提交
  12. 26 2月, 2018 1 次提交
  13. 22 12月, 2017 1 次提交
  14. 16 12月, 2017 4 次提交
  15. 12 10月, 2017 1 次提交
  16. 05 10月, 2017 1 次提交
  17. 28 9月, 2017 2 次提交
  18. 23 9月, 2017 1 次提交
  19. 08 6月, 2017 1 次提交
    • D
      net: Fix inconsistent teardown and release of private netdev state. · cf124db5
      David S. Miller 提交于
      Network devices can allocate reasources and private memory using
      netdev_ops->ndo_init().  However, the release of these resources
      can occur in one of two different places.
      
      Either netdev_ops->ndo_uninit() or netdev->destructor().
      
      The decision of which operation frees the resources depends upon
      whether it is necessary for all netdev refs to be released before it
      is safe to perform the freeing.
      
      netdev_ops->ndo_uninit() presumably can occur right after the
      NETDEV_UNREGISTER notifier completes and the unicast and multicast
      address lists are flushed.
      
      netdev->destructor(), on the other hand, does not run until the
      netdev references all go away.
      
      Further complicating the situation is that netdev->destructor()
      almost universally does also a free_netdev().
      
      This creates a problem for the logic in register_netdevice().
      Because all callers of register_netdevice() manage the freeing
      of the netdev, and invoke free_netdev(dev) if register_netdevice()
      fails.
      
      If netdev_ops->ndo_init() succeeds, but something else fails inside
      of register_netdevice(), it does call ndo_ops->ndo_uninit().  But
      it is not able to invoke netdev->destructor().
      
      This is because netdev->destructor() will do a free_netdev() and
      then the caller of register_netdevice() will do the same.
      
      However, this means that the resources that would normally be released
      by netdev->destructor() will not be.
      
      Over the years drivers have added local hacks to deal with this, by
      invoking their destructor parts by hand when register_netdevice()
      fails.
      
      Many drivers do not try to deal with this, and instead we have leaks.
      
      Let's close this hole by formalizing the distinction between what
      private things need to be freed up by netdev->destructor() and whether
      the driver needs unregister_netdevice() to perform the free_netdev().
      
      netdev->priv_destructor() performs all actions to free up the private
      resources that used to be freed by netdev->destructor(), except for
      free_netdev().
      
      netdev->needs_free_netdev is a boolean that indicates whether
      free_netdev() should be done at the end of unregister_netdevice().
      
      Now, register_netdevice() can sanely release all resources after
      ndo_ops->ndo_init() succeeds, by invoking both ndo_ops->ndo_uninit()
      and netdev->priv_destructor().
      
      And at the end of unregister_netdevice(), we invoke
      netdev->priv_destructor() and optionally call free_netdev().
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cf124db5
  20. 05 4月, 2017 1 次提交
  21. 03 4月, 2017 4 次提交
  22. 26 3月, 2017 1 次提交
  23. 17 3月, 2017 1 次提交
  24. 05 3月, 2017 1 次提交
    • S
      batman-adv: Initialize gw sel_class via batadv_algo · 1a9070ec
      Sven Eckelmann 提交于
      The gateway selection class variable is shared between different algorithm
      versions. But the interpretation of the content is algorithm specific. The
      initialization is therefore also algorithm specific.
      
      But this was implemented incorrectly and the initialization for BATMAN_V
      always overwrote the value previously written for BATMAN_IV. This could
      only be avoided when BATMAN_V was disabled during compile time.
      
      Using a special batadv_algo hook for this initialization avoids this
      problem.
      
      Fixes: 50164d8f ("batman-adv: B.A.T.M.A.N. V - implement GW selection logic")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      1a9070ec
  25. 26 1月, 2017 2 次提交
  26. 19 1月, 2017 1 次提交
    • T
      net: Remove usage of net_device last_rx member · 4a7c9726
      Tobias Klauser 提交于
      The network stack no longer uses the last_rx member of struct net_device
      since the bonding driver switched to use its own private last_rx in
      commit 9f242738 ("bonding: use last_arp_rx in slave_last_rx()").
      
      However, some drivers still (ab)use the field for their own purposes and
      some driver just update it without actually using it.
      
      Previously, there was an accompanying comment for the last_rx member
      added in commit 4dc89133 ("net: add a comment on netdev->last_rx")
      which asked drivers not to update is, unless really needed. However,
      this commend was removed in commit f8ff080d ("bonding: remove
      useless updating of slave->dev->last_rx"), so some drivers added later
      on still did update last_rx.
      
      Remove all usage of last_rx and switch three drivers (sky2, atp and
      smc91c92_cs) which actually read and write it to use their own private
      copy in netdev_priv.
      
      Compile-tested with allyesconfig and allmodconfig on x86 and arm.
      
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Cc: Mirko Lindner <mlindner@marvell.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: NTobias Klauser <tklauser@distanz.ch>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Reviewed-by: NJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4a7c9726
  27. 30 10月, 2016 3 次提交
  28. 27 10月, 2016 1 次提交
    • S
      batman-adv: Revert "use core MTU range checking in misc drivers" · 701470ba
      Sven Eckelmann 提交于
      The maximum MTU is defined via the slave devices of an batman-adv
      interface. Thus it is not possible to calculate the max_mtu during the
      creation of the batman-adv device when no slave devices are attached. Doing
      so would for example break non-fragmentation setups which then
      (incorrectly) allow an MTU of 1500 even when underlying device cannot
      transport 1500 bytes + batman-adv headers.
      
      Checking the dynamically calculated max_mtu via the minimum of the slave
      devices MTU during .ndo_change_mtu is also used by the bridge interface.
      
      Cc: Jarod Wilson <jarod@redhat.com>
      Fixes: b3e3893e ("net: use core MTU range checking in misc drivers")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      701470ba