1. 09 3月, 2019 19 次提交
    • L
      connector: fix unsafe usage of ->real_parent · 6d2b0f02
      Li RongQing 提交于
      proc_exit_connector() uses ->real_parent lockless. This is not
      safe that its parent can go away at any moment, so use RCU to
      protect it, and ensure that this task is not released.
      
      [  747.624551] ==================================================================
      [  747.632946] BUG: KASAN: use-after-free in proc_exit_connector+0x1f7/0x310
      [  747.640686] Read of size 4 at addr ffff88a0276988e0 by task sshd/2882
      [  747.648032]
      [  747.649804] CPU: 11 PID: 2882 Comm: sshd Tainted: G            E     4.19.26-rc2 #11
      [  747.658629] Hardware name: IBM x3550M4 -[7914OFV]-/00AM544, BIOS -[D7E142BUS-1.71]- 07/31/2014
      [  747.668419] Call Trace:
      [  747.671269]  dump_stack+0xf0/0x19b
      [  747.675186]  ? show_regs_print_info+0x5/0x5
      [  747.679988]  ? kmsg_dump_rewind_nolock+0x59/0x59
      [  747.685302]  print_address_description+0x6a/0x270
      [  747.691162]  kasan_report+0x258/0x380
      [  747.695835]  ? proc_exit_connector+0x1f7/0x310
      [  747.701402]  proc_exit_connector+0x1f7/0x310
      [  747.706767]  ? proc_coredump_connector+0x2d0/0x2d0
      [  747.712715]  ? _raw_write_unlock_irq+0x29/0x50
      [  747.718270]  ? _raw_write_unlock_irq+0x29/0x50
      [  747.723820]  ? ___preempt_schedule+0x16/0x18
      [  747.729193]  ? ___preempt_schedule+0x16/0x18
      [  747.734574]  do_exit+0xa11/0x14f0
      [  747.738880]  ? mm_update_next_owner+0x590/0x590
      [  747.744525]  ? debug_show_all_locks+0x3c0/0x3c0
      [  747.761448]  ? ktime_get_coarse_real_ts64+0xeb/0x1c0
      [  747.767589]  ? lockdep_hardirqs_on+0x1a6/0x290
      [  747.773154]  ? check_chain_key+0x139/0x1f0
      [  747.778345]  ? check_flags.part.35+0x240/0x240
      [  747.783908]  ? __lock_acquire+0x2300/0x2300
      [  747.789171]  ? _raw_spin_unlock_irqrestore+0x59/0x70
      [  747.795316]  ? _raw_spin_unlock_irqrestore+0x59/0x70
      [  747.801457]  ? do_raw_spin_unlock+0x10f/0x1e0
      [  747.806914]  ? do_raw_spin_trylock+0x120/0x120
      [  747.812481]  ? preempt_count_sub+0x14/0xc0
      [  747.817645]  ? _raw_spin_unlock+0x2e/0x50
      [  747.822708]  ? __handle_mm_fault+0x12db/0x1fa0
      [  747.828367]  ? __pmd_alloc+0x2d0/0x2d0
      [  747.833143]  ? check_noncircular+0x50/0x50
      [  747.838309]  ? match_held_lock+0x7f/0x340
      [  747.843380]  ? check_noncircular+0x50/0x50
      [  747.848561]  ? handle_mm_fault+0x21a/0x5f0
      [  747.853730]  ? check_flags.part.35+0x240/0x240
      [  747.859290]  ? check_chain_key+0x139/0x1f0
      [  747.864474]  ? __do_page_fault+0x40f/0x760
      [  747.869655]  ? __audit_syscall_entry+0x4b/0x1f0
      [  747.875319]  ? syscall_trace_enter+0x1d5/0x7b0
      [  747.880877]  ? trace_raw_output_preemptirq_template+0x90/0x90
      [  747.887895]  ? trace_raw_output_sys_exit+0x80/0x80
      [  747.893860]  ? up_read+0x3b/0x90
      [  747.898142]  ? stop_critical_timings+0x260/0x260
      [  747.903909]  do_group_exit+0xe0/0x1c0
      [  747.908591]  ? __x64_sys_exit+0x30/0x30
      [  747.913460]  ? trace_raw_output_preemptirq_template+0x90/0x90
      [  747.920485]  ? tracer_hardirqs_on+0x270/0x270
      [  747.925956]  __x64_sys_exit_group+0x28/0x30
      [  747.931214]  do_syscall_64+0x117/0x400
      [  747.935988]  ? syscall_return_slowpath+0x2f0/0x2f0
      [  747.941931]  ? trace_hardirqs_off_thunk+0x1a/0x1c
      [  747.947788]  ? trace_hardirqs_on_caller+0x1d0/0x1d0
      [  747.953838]  ? lockdep_sys_exit+0x16/0x8e
      [  747.958915]  ? trace_hardirqs_off_thunk+0x1a/0x1c
      [  747.964784]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  747.971021] RIP: 0033:0x7f572f154c68
      [  747.975606] Code: Bad RIP value.
      [  747.979791] RSP: 002b:00007ffed2dfaa58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      [  747.989324] RAX: ffffffffffffffda RBX: 00007f572f431840 RCX: 00007f572f154c68
      [  747.997910] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
      [  748.006495] RBP: 0000000000000001 R08: 00000000000000e7 R09: fffffffffffffee0
      [  748.015079] R10: 00007f572f4387e8 R11: 0000000000000246 R12: 00007f572f431840
      [  748.023664] R13: 000055a7f90f2c50 R14: 000055a7f96e2310 R15: 000055a7f96e2310
      [  748.032287]
      [  748.034509] Allocated by task 2300:
      [  748.038982]  kasan_kmalloc+0xa0/0xd0
      [  748.043562]  kmem_cache_alloc_node+0xf5/0x2e0
      [  748.049018]  copy_process+0x1781/0x4790
      [  748.053884]  _do_fork+0x166/0x9a0
      [  748.058163]  do_syscall_64+0x117/0x400
      [  748.062943]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  748.069180]
      [  748.071405] Freed by task 15395:
      [  748.075591]  __kasan_slab_free+0x130/0x180
      [  748.080752]  kmem_cache_free+0xc2/0x310
      [  748.085619]  free_task+0xea/0x130
      [  748.089901]  __put_task_struct+0x177/0x230
      [  748.095063]  finish_task_switch+0x51b/0x5d0
      [  748.100315]  __schedule+0x506/0xfa0
      [  748.104791]  schedule+0xca/0x260
      [  748.108978]  futex_wait_queue_me+0x27e/0x420
      [  748.114333]  futex_wait+0x251/0x550
      [  748.118814]  do_futex+0x75b/0xf80
      [  748.123097]  __x64_sys_futex+0x231/0x2a0
      [  748.128065]  do_syscall_64+0x117/0x400
      [  748.132835]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  748.139066]
      [  748.141289] The buggy address belongs to the object at ffff88a027698000
      [  748.141289]  which belongs to the cache task_struct of size 12160
      [  748.156589] The buggy address is located 2272 bytes inside of
      [  748.156589]  12160-byte region [ffff88a027698000, ffff88a02769af80)
      [  748.171114] The buggy address belongs to the page:
      [  748.177055] page:ffffea00809da600 count:1 mapcount:0 mapping:ffff888107d01e00 index:0x0 compound_mapcount: 0
      [  748.189136] flags: 0x57ffffc0008100(slab|head)
      [  748.194688] raw: 0057ffffc0008100 ffffea00809a3200 0000000300000003 ffff888107d01e00
      [  748.204424] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
      [  748.214146] page dumped because: kasan: bad access detected
      [  748.220976]
      [  748.223197] Memory state around the buggy address:
      [  748.229128]  ffff88a027698780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  748.238271]  ffff88a027698800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  748.247414] >ffff88a027698880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  748.256564]                                                        ^
      [  748.264267]  ffff88a027698900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  748.273493]  ffff88a027698980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  748.282630] ==================================================================
      
      Fixes: b086ff87 ("connector: add parent pid and tgid to coredump and exit events")
      Signed-off-by: NZhang Yu <zhangyu31@baidu.com>
      Signed-off-by: NLi RongQing <lirongqing@baidu.com>
      Acked-by: NEvgeniy Polyakov <zbr@ioremap.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6d2b0f02
    • L
      vxlan: do not need BH again in vxlan_cleanup() · f98ec788
      Litao Jiao 提交于
      vxlan_cleanup() is a timer callback, it is already
      and only running in BH context.
      Signed-off-by: NLitao Jiao <jiaolitao@raisecom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f98ec788
    • J
      net: hns3: add dma_rmb() for rx description · d394d33b
      Jian Shen 提交于
      HW can not guarantee complete write desc->rx.size, even though
      HNS3_RXD_VLD_B has been set. Driver needs to add dma_rmb()
      instruction to make sure desc->rx.size is always valid.
      
      Fixes: e5597095 ("net: hns3: Add handling of GRO Pkts not fully RX'ed in NAPI poll")
      Signed-off-by: NJian Shen <shenjian15@huawei.com>
      Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d394d33b
    • P
      net: add missing documentation in linux/skbuff.h · 161e6137
      Pedro Tammela 提交于
      This patch adds missing documentation for some inline functions on
      linux/skbuff.h. The patch is incomplete and a lot more can be added,
      just wondering if it's of interest of the netdev developers.
      
      Also fixed some whitespaces.
      Signed-off-by: NPedro Tammela <pctammela@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      161e6137
    • D
      Merge branch 'stmmac-add-some-fixes-for-stm32' · ffb3016b
      David S. Miller 提交于
      Christophe Roullier says:
      
      ====================
      stmmac: add some fixes for stm32
      
      For common stmmac:
      	- Add support to set CSR Clock range selection in DT
      For stm32mpu:
      	- Glue codes to support magic packet
      	- Glue codes to support all PHY config :
      		PHY_MODE (MII,GMII, RMII, RGMII) and in normal,
      		PHY wo crystal (25Mhz),
      		PHY wo crystal (50Mhz), No 125Mhz from PHY config
      For stm32mcu:
      	- Add Ethernet support for stm32h7
      
      Changes in V3:
      	- Reverse for syscfg management because it is manage by these patches
      	  https://lkml.org/lkml/2018/12/12/133
      	  https://lkml.org/lkml/2018/12/12/134
      	  https://lkml.org/lkml/2018/12/12/131
      	  https://lkml.org/lkml/2018/12/12/132
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ffb3016b
    • C
      ARM: dts: stm32: Add Ethernet support on stm32h7 SOC and activate it for eval and disco boards · 5473f1be
      Christophe Roullier 提交于
      Synopsys GMAC 4.10 is used. And Phy mode for eval and disco is RMII
      with PHY SMSC LAN8742
      Signed-off-by: NChristophe Roullier <christophe.roullier@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5473f1be
    • C
      dt-bindings: net: stmmac: remove syscfg clock property · 83566799
      Christophe Roullier 提交于
      Syscfg clock is no more needed.
      Signed-off-by: NChristophe Roullier <christophe.roullier@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      83566799
    • C
      net: ethernet: stmmac: add management of clk_csr property · 81311c03
      Christophe Roullier 提交于
      In Documentation stmmac.txt there is possibility to
      fixed CSR Clock range selection with property clk_csr.
      This patch add the management of this property
      For example to use it, add in your ethernet node DT:
      	clk_csr = <3>;
      Signed-off-by: NChristophe Roullier <christophe.roullier@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      81311c03
    • C
      dt-bindings: net: stmmac: add phys config properties · 830133da
      Christophe Roullier 提交于
      Add properties to support all Phy config
       PHY_MODE	(MII,GMII, RMII, RGMII) and in normal, PHY wo crystal (25Mhz),
       PHY wo crystal (50Mhz), No 125Mhz from PHY config.
      Signed-off-by: NChristophe Roullier <christophe.roullier@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      830133da
    • C
      net: ethernet: stmmac: update to support all PHY config for stm32mp157c. · 22947335
      Christophe Roullier 提交于
      Update glue codes to support all PHY config on stm32mp157c
       PHY_MODE	(MII,GMII, RMII, RGMII) and in normal, PHY wo crystal (25Mhz),
      PHY wo crystal (50Mhz), No 125Mhz from PHY config.
      Signed-off-by: NChristophe Roullier <christophe.roullier@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      22947335
    • C
      net: ethernet: stmmac: manage Ethernet WoL for stm32mp157c. · 634565f8
      Christophe Roullier 提交于
      Add glue codes to support magic packet on stm32mp157c
      Signed-off-by: NChristophe Roullier <christophe.roullier@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      634565f8
    • D
      Merge branch 'sctp-process-the-error-returned-from-sctp_sock_migrate' · f1a16705
      David S. Miller 提交于
      Xin Long says:
      
      ====================
      sctp: process the error returned from sctp_sock_migrate()
      
      This patchset is to process the errs returned by sctp_auth_init_hmacs()
      and sctp_bind_addr_dup() from sctp_sock_migrate(). And also fix a panic
      caused by new ep->auth_hmacs was not set due to net->sctp.auth_enable
      changed by sysctl before accepting an assoc.
      ====================
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f1a16705
    • X
      sctp: call sctp_auth_init_hmacs() in sctp_sock_migrate() · c6f33e05
      Xin Long 提交于
      New ep's auth_hmacs should be set if old ep's is set, in case that
      net->sctp.auth_enable has been changed to 0 by users and new ep's
      auth_hmacs couldn't be set in sctp_endpoint_init().
      
      It can even crash kernel by doing:
      
        1. on server: sysctl -w net.sctp.auth_enable=1,
                      sysctl -w net.sctp.addip_enable=1,
                      sysctl -w net.sctp.addip_noauth_enable=0,
                      listen() on server,
                      sysctl -w net.sctp.auth_enable=0.
        2. on client: connect() to server.
        3. on server: accept() the asoc,
                      sysctl -w net.sctp.auth_enable=1.
        4. on client: send() asconf packet to server.
      
      The call trace:
      
        [  245.280251] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
        [  245.286872] RIP: 0010:sctp_auth_calculate_hmac+0xa3/0x140 [sctp]
        [  245.304572] Call Trace:
        [  245.305091]  <IRQ>
        [  245.311287]  sctp_sf_authenticate+0x110/0x160 [sctp]
        [  245.312311]  sctp_sf_eat_auth+0xf2/0x230 [sctp]
        [  245.313249]  sctp_do_sm+0x9a/0x2d0 [sctp]
        [  245.321483]  sctp_assoc_bh_rcv+0xed/0x1a0 [sctp]
        [  245.322495]  sctp_rcv+0xa66/0xc70 [sctp]
      
      It's because the old ep->auth_hmacs wasn't copied to the new ep while
      ep->auth_hmacs is used in sctp_auth_calculate_hmac() when processing
      the incoming auth chunks, and it should have been done when migrating
      sock.
      Reported-by: NYing Xu <yinxu@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NNeil Horman <nhorman@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c6f33e05
    • X
      sctp: move up sctp_auth_init_hmacs() in sctp_endpoint_init() · 60208f79
      Xin Long 提交于
      sctp_auth_init_hmacs() is called only when ep->auth_enable is set.
      It better to move up sctp_auth_init_hmacs() and remove auth_enable
      check in it and check auth_enable only once in sctp_endpoint_init().
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      60208f79
    • X
      sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails · 89664c62
      Xin Long 提交于
      It should fail to create the new sk if sctp_bind_addr_dup() fails
      when accepting or peeloff an association.
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      89664c62
    • S
      vxlan: Fix GRO cells race condition between receive and link delete · ad6c9986
      Stefano Brivio 提交于
      If we receive a packet while deleting a VXLAN device, there's a chance
      vxlan_rcv() is called at the same time as vxlan_dellink(). This is fine,
      except that vxlan_dellink() should never ever touch stuff that's still in
      use, such as the GRO cells list.
      
      Otherwise, vxlan_rcv() crashes while queueing packets via
      gro_cells_receive().
      
      Move the gro_cells_destroy() to vxlan_uninit(), which runs after the RCU
      grace period is elapsed and nothing needs the gro_cells anymore.
      
      This is now done in the same way as commit 8e816df8 ("geneve: Use GRO
      cells infrastructure.") originally implemented for GENEVE.
      Reported-by: NJianlin Shi <jishi@redhat.com>
      Fixes: 58ce31cc ("vxlan: GRO support at tunnel layer")
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Reviewed-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ad6c9986
    • D
      rxrpc: Fix client call connect/disconnect race · 930c9f91
      David Howells 提交于
      rxrpc_disconnect_client_call() reads the call's connection ID protocol
      value (call->cid) as part of that function's variable declarations.  This
      is bad because it's not inside the locked section and so may race with
      someone granting use of the channel to the call.
      
      This manifests as an assertion failure (see below) where the call in the
      presumed channel (0 because call->cid wasn't set when we read it) doesn't
      match the call attached to the channel we were actually granted (if 1, 2 or
      3).
      
      Fix this by moving the read and dependent calculations inside of the
      channel_lock section.  Also, only set the channel number and pointer
      variables if cid is not zero (ie. unset).
      
      This problem can be induced by injecting an occasional error in
      rxrpc_wait_for_channel() before the call to schedule().
      
      Make two further changes also:
      
       (1) Add a trace for wait failure in rxrpc_connect_call().
      
       (2) Drop channel_lock before BUG'ing in the case of the assertion failure.
      
      The failure causes a trace akin to the following:
      
      rxrpc: Assertion failed - 18446612685268945920(0xffff8880beab8c00) == 18446612685268621312(0xffff8880bea69800) is false
      ------------[ cut here ]------------
      kernel BUG at net/rxrpc/conn_client.c:824!
      ...
      RIP: 0010:rxrpc_disconnect_client_call+0x2bf/0x99d
      ...
      Call Trace:
       rxrpc_connect_call+0x902/0x9b3
       ? wake_up_q+0x54/0x54
       rxrpc_new_client_call+0x3a0/0x751
       ? rxrpc_kernel_begin_call+0x141/0x1bc
       ? afs_alloc_call+0x1b5/0x1b5
       rxrpc_kernel_begin_call+0x141/0x1bc
       afs_make_call+0x20c/0x525
       ? afs_alloc_call+0x1b5/0x1b5
       ? __lock_is_held+0x40/0x71
       ? lockdep_init_map+0xaf/0x193
       ? lockdep_init_map+0xaf/0x193
       ? __lock_is_held+0x40/0x71
       ? yfs_fs_fetch_data+0x33b/0x34a
       yfs_fs_fetch_data+0x33b/0x34a
       afs_fetch_data+0xdc/0x3b7
       afs_read_dir+0x52d/0x97f
       afs_dir_iterate+0xa0/0x661
       ? iterate_dir+0x63/0x141
       iterate_dir+0xa2/0x141
       ksys_getdents64+0x9f/0x11b
       ? filldir+0x111/0x111
       ? do_syscall_64+0x3e/0x1a0
       __x64_sys_getdents64+0x16/0x19
       do_syscall_64+0x7d/0x1a0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 45025bce ("rxrpc: Improve management and caching of client connection objects")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Reviewed-by: NMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      930c9f91
    • X
      sctp: remove sched init from sctp_stream_init · 2e990dfd
      Xin Long 提交于
      syzbot reported a NULL-ptr deref caused by that sched->init() in
      sctp_stream_init() set stream->rr_next = NULL.
      
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        RIP: 0010:sctp_sched_rr_dequeue+0xd3/0x170 net/sctp/stream_sched_rr.c:141
        Call Trace:
          sctp_outq_dequeue_data net/sctp/outqueue.c:90 [inline]
          sctp_outq_flush_data net/sctp/outqueue.c:1079 [inline]
          sctp_outq_flush+0xba2/0x2790 net/sctp/outqueue.c:1205
      
      All sched info is saved in sout->ext now, in sctp_stream_init()
      sctp_stream_alloc_out() will not change it, there's no need to
      call sched->init() again, since sctp_outq_init() has already
      done it.
      
      Fixes: 5bbbbe32 ("sctp: introduce stream scheduler foundations")
      Reported-by: syzbot+4c9934f20522c0efd657@syzkaller.appspotmail.com
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2e990dfd
    • X
      route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race · ee60ad21
      Xin Long 提交于
      The race occurs in __mkroute_output() when 2 threads lookup a dst:
      
        CPU A                 CPU B
        find_exception()
                              find_exception() [fnhe expires]
                              ip_del_fnhe() [fnhe is deleted]
        rt_bind_exception()
      
      In rt_bind_exception() it will bind a deleted fnhe with the new dst, and
      this dst will get no chance to be freed. It causes a dev defcnt leak and
      consecutive dmesg warnings:
      
        unregister_netdevice: waiting for ethX to become free. Usage count = 1
      
      Especially thanks Jon to identify the issue.
      
      This patch fixes it by setting fnhe_daddr to 0 in ip_del_fnhe() to stop
      binding the deleted fnhe with a new dst when checking fnhe's fnhe_daddr
      and daddr in rt_bind_exception().
      
      It works as both ip_del_fnhe() and rt_bind_exception() are protected by
      fnhe_lock and the fhne is freed by kfree_rcu().
      
      Fixes: deed49df ("route: check and remove route cache when we get route")
      Signed-off-by: NJon Maxwell <jmaxwell37@gmail.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Reviewed-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ee60ad21
  2. 08 3月, 2019 12 次提交
    • E
      net/hsr: fix possible crash in add_timer() · 1e027960
      Eric Dumazet 提交于
      syzbot found another add_timer() issue, this time in net/hsr [1]
      
      Let's use mod_timer() which is safe.
      
      [1]
      kernel BUG at kernel/time/timer.c:1136!
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN
      CPU: 0 PID: 15909 Comm: syz-executor.3 Not tainted 5.0.0+ #97
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      kobject: 'loop2' (00000000f5629718): kobject_uevent_env
      RIP: 0010:add_timer kernel/time/timer.c:1136 [inline]
      RIP: 0010:add_timer+0x654/0xbe0 kernel/time/timer.c:1134
      Code: 0f 94 c5 31 ff 44 89 ee e8 09 61 0f 00 45 84 ed 0f 84 77 fd ff ff e8 bb 5f 0f 00 e8 07 10 a0 ff e9 68 fd ff ff e8 ac 5f 0f 00 <0f> 0b e8 a5 5f 0f 00 0f 0b e8 9e 5f 0f 00 4c 89 b5 58 ff ff ff e9
      RSP: 0018:ffff8880656eeca0 EFLAGS: 00010246
      kobject: 'loop2' (00000000f5629718): fill_kobj_path: path = '/devices/virtual/block/loop2'
      RAX: 0000000000040000 RBX: 1ffff1100caddd9a RCX: ffffc9000c436000
      RDX: 0000000000040000 RSI: ffffffff816056c4 RDI: ffff88806a2f6cc8
      RBP: ffff8880656eed58 R08: ffff888067f4a300 R09: ffff888067f4abc8
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88806a2f6cc0
      R13: dffffc0000000000 R14: 0000000000000001 R15: ffff8880656eed30
      FS:  00007fc2019bf700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000738000 CR3: 0000000067e8e000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       hsr_check_announce net/hsr/hsr_device.c:99 [inline]
       hsr_check_carrier_and_operstate+0x567/0x6f0 net/hsr/hsr_device.c:120
       hsr_netdev_notify+0x297/0xa00 net/hsr/hsr_main.c:51
       notifier_call_chain+0xc7/0x240 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
       call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
       call_netdevice_notifiers net/core/dev.c:1765 [inline]
       dev_open net/core/dev.c:1436 [inline]
       dev_open+0x143/0x160 net/core/dev.c:1424
       team_port_add drivers/net/team/team.c:1203 [inline]
       team_add_slave+0xa07/0x15d0 drivers/net/team/team.c:1933
       do_set_master net/core/rtnetlink.c:2358 [inline]
       do_set_master+0x1d4/0x230 net/core/rtnetlink.c:2332
       do_setlink+0x966/0x3510 net/core/rtnetlink.c:2493
       rtnl_setlink+0x271/0x3b0 net/core/rtnetlink.c:2747
       rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192
       netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485
       rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925
       sock_sendmsg_nosec net/socket.c:622 [inline]
       sock_sendmsg+0xdd/0x130 net/socket.c:632
       sock_write_iter+0x27c/0x3e0 net/socket.c:923
       call_write_iter include/linux/fs.h:1869 [inline]
       do_iter_readv_writev+0x5e0/0x8e0 fs/read_write.c:680
       do_iter_write fs/read_write.c:956 [inline]
       do_iter_write+0x184/0x610 fs/read_write.c:937
       vfs_writev+0x1b3/0x2f0 fs/read_write.c:1001
       do_writev+0xf6/0x290 fs/read_write.c:1036
       __do_sys_writev fs/read_write.c:1109 [inline]
       __se_sys_writev fs/read_write.c:1106 [inline]
       __x64_sys_writev+0x75/0xb0 fs/read_write.c:1106
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x457f29
      Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fc2019bec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457f29
      RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000003
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc2019bf6d4
      R13: 00000000004c4a60 R14: 00000000004dd218 R15: 00000000ffffffff
      
      Fixes: f421436a ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Cc: Arvid Brodin <arvid.brodin@alten.se>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1e027960
    • D
      nfp: fix simple vNIC mailbox length · eaab2d2d
      Dirk van der Merwe 提交于
      The simple vNIC mailbox length should be 12 decimal and not 0x12.
      Using a decimal also makes it clear this is a length value and not
      another field within the simple mailbox defines.
      
      Found by code inspection, there are no known firmware configurations
      where this would cause issues.
      
      Fixes: 527d7d1b ("nfp: read mailbox address from TLV caps")
      Signed-off-by: NDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Reviewed-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      eaab2d2d
    • N
      net: atm: Add another IS_ENABLED(CONFIG_COMPAT) in atm_dev_ioctl · 0805a4b8
      Nathan Chancellor 提交于
      I removed compat's universal assignment to 0, which allows this if
      statement to fall through when compat is passed with a value other
      than 0.
      
      Fixes: f9d19a74 ("net: atm: Use IS_ENABLED in atm_dev_ioctl")
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0805a4b8
    • N
      net: stmmac: Avoid sometimes uninitialized Clang warnings · df103170
      Nathan Chancellor 提交于
      When building with -Wsometimes-uninitialized, Clang warns:
      
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:495:3: warning: variable 'ns' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:495:3: warning: variable 'ns' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:532:3: warning: variable 'ns' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:532:3: warning: variable 'ns' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:741:3: warning: variable 'sec_inc' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:741:3: warning: variable 'sec_inc' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
      
      Clang is concerned with the use of stmmac_do_void_callback (which
      stmmac_get_timestamp and stmmac_config_sub_second_increment wrap),
      as it may fail to initialize these values if the if condition was ever
      false (meaning the callbacks don't exist). It's not wrong because the
      callbacks (get_timestamp and config_sub_second_increment respectively)
      are the ones that initialize the variables. While it's unlikely that the
      callbacks are ever going to disappear and make that condition false, we
      can easily avoid this warning by zero initialize the variables.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/384Suggested-by: NNick Desaulniers <ndesaulniers@google.com>
      Reviewed-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df103170
    • N
      net: atm: Use IS_ENABLED in atm_dev_ioctl · f9d19a74
      Nathan Chancellor 提交于
      When building with -Wsometimes-uninitialized, Clang warns:
      
      net/atm/resources.c:256:6: warning: variable 'number' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
      net/atm/resources.c:212:7: warning: variable 'iobuf_len' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
      
      Clang won't realize that compat is 0 when CONFIG_COMPAT is not set until
      the constant folding stage, which happens after this semantic analysis.
      Use IS_ENABLED instead so that the zero is present at the semantic
      analysis stage, which eliminates this warning.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/386Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f9d19a74
    • A
      ethtool: reduce stack usage with clang · 3499e87e
      Arnd Bergmann 提交于
      clang inlines the dev_ethtool() more aggressively than gcc does, leading
      to a larger amount of used stack space:
      
      net/core/ethtool.c:2536:24: error: stack frame size of 1216 bytes in function 'dev_ethtool' [-Werror,-Wframe-larger-than=]
      
      Marking the sub-functions that require the most stack space as
      noinline_for_stack gives us reasonable behavior on all compilers.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3499e87e
    • S
      qede: Fix internal loopback failure with jumbo mtu configuration · b89869da
      Sudarsana Reddy Kalluru 提交于
      Driver uses port-mtu as packet-size for the loopback traffic. This patch
      limits the max packet size to 1.5K to avoid data being split over multiple
      buffer descriptors (BDs) in cases where MTU > PAGE_SIZE.
      Signed-off-by: NSudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b89869da
    • A
      enic: fix build warning without CONFIG_CPUMASK_OFFSTACK · 43d28166
      Arnd Bergmann 提交于
      The enic driver relies on the CONFIG_CPUMASK_OFFSTACK feature to
      dynamically allocate a struct member, but this is normally intended for
      local variables.
      
      Building with clang, I get a warning for a few locations that check the
      address of the cpumask_var_t:
      
      drivers/net/ethernet/cisco/enic/enic_main.c:122:22: error: address of array 'enic->msix[i].affinity_mask' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
      
      As far as I can tell, the code is still correct, as the truth value of
      the pointer is what we need in this configuration. To get rid of
      the warning, use cpumask_available() instead of checking the
      pointer directly.
      
      Fixes: 322cf7e3 ("enic: assign affinity hint to interrupts")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      43d28166
    • A
      peak_usb: fix clang build warning · a2ae6da0
      Arnd Bergmann 提交于
      Clang points out undefined behavior when building the pcan_usb_pro driver:
      
      drivers/net/can/usb/peak_usb/pcan_usb_pro.c:136:15: error: passing an object that undergoes default argument promotion to 'va_start' has undefined behavior [-Werror,-Wvarargs]
      
      Changing the function prototype to avoid argument promotion in the
      varargs call avoids the warning, and should make this well-defined.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a2ae6da0
    • M
      ravb: Decrease TxFIFO depth of Q3 and Q2 to one · ae9819e3
      Masaru Nagai 提交于
      Hardware has the CBS (Credit Based Shaper) which affects only Q3
      and Q2. When updating the CBS settings, even if the driver does so
      after waiting for Tx DMA finished, there is a possibility that frame
      data still remains in TxFIFO.
      
      To avoid this, decrease TxFIFO depth of Q3 and Q2 to one.
      
      This patch has been exercised this using netperf TCP_MAERTS, TCP_STREAM
      and UDP_STREAM tests run on an Ebisu board. No performance change was
      detected, outside of noise in the tests, both in terms of throughput and
      CPU utilisation.
      
      Fixes: c156633f ("Renesas Ethernet AVB driver proper")
      Signed-off-by: NMasaru Nagai <masaru.nagai.vx@renesas.com>
      Signed-off-by: NKazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
      [simon: updated changelog]
      Signed-off-by: NSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ae9819e3
    • A
      isdn: isdnloop: fix pointer dereference bug · 8a72b81e
      Arnd Bergmann 提交于
      clang has spotted an ancient code bug and warns about it with:
      
      drivers/isdn/isdnloop/isdnloop.c:573:12: error: address of array 'card->rcard' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
      
      This is an array of pointers, so we should check if a specific
      pointer exists in the array before using it, not whether the
      array itself exists.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8a72b81e
    • A
      davinci_emac: always build in CONFIG_OF code · f096ca63
      Arnd Bergmann 提交于
      clang warns about what seems to be an unintended use of an obscure C
      language feature where a forward declaration of an array remains usable
      when the final definition is never seen:
      
      drivers/net/ethernet/ti/davinci_emac.c:1694:34: error: tentative array definition assumed to have one element [-Werror]
      static const struct of_device_id davinci_emac_of_match[];
      
      There is no harm in always enabling the device tree matching code here,
      and it makes the code behave in a more conventional way aside from
      avoiding the warning.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f096ca63
  3. 07 3月, 2019 9 次提交
    • S
      tcp: do not report TCP_CM_INQ of 0 for closed connections · 6466e715
      Soheil Hassas Yeganeh 提交于
      Returning 0 as inq to userspace indicates there is no more data to
      read, and the application needs to wait for EPOLLIN. For a connection
      that has received FIN from the remote peer, however, the application
      must continue reading until getting EOF (return value of 0
      from tcp_recvmsg) or an error, if edge-triggered epoll (EPOLLET) is
      being used. Otherwise, the application will never receive a new
      EPOLLIN, since there is no epoll edge after the FIN.
      
      Return 1 when there is no data left on the queue but the
      connection has received FIN, so that the applications continue
      reading.
      
      Fixes: b75eba76 (tcp: send in-queue bytes in cmsg upon read)
      Signed-off-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6466e715
    • M
      net: hsr: fix memory leak in hsr_dev_finalize() · 6caabe7f
      Mao Wenan 提交于
      If hsr_add_port(hsr, hsr_dev, HSR_PT_MASTER) failed to
      add port, it directly returns res and forgets to free the node
      that allocated in hsr_create_self_node(), and forgets to delete
      the node->mac_list linked in hsr->self_node_db.
      
      BUG: memory leak
      unreferenced object 0xffff8881cfa0c780 (size 64):
        comm "syz-executor.0", pid 2077, jiffies 4294717969 (age 2415.377s)
        hex dump (first 32 bytes):
          e0 c7 a0 cf 81 88 ff ff 00 02 00 00 00 00 ad de  ................
          00 e6 49 cd 81 88 ff ff c0 9b 87 d0 81 88 ff ff  ..I.............
        backtrace:
          [<00000000e2ff5070>] hsr_dev_finalize+0x736/0x960 [hsr]
          [<000000003ed2e597>] hsr_newlink+0x2b2/0x3e0 [hsr]
          [<000000003fa8c6b6>] __rtnl_newlink+0xf1f/0x1600 net/core/rtnetlink.c:3182
          [<000000001247a7ad>] rtnl_newlink+0x66/0x90 net/core/rtnetlink.c:3240
          [<00000000e7d1b61d>] rtnetlink_rcv_msg+0x54e/0xb90 net/core/rtnetlink.c:5130
          [<000000005556bd3a>] netlink_rcv_skb+0x129/0x340 net/netlink/af_netlink.c:2477
          [<00000000741d5ee6>] netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
          [<00000000741d5ee6>] netlink_unicast+0x49a/0x650 net/netlink/af_netlink.c:1336
          [<000000009d56f9b7>] netlink_sendmsg+0x88b/0xdf0 net/netlink/af_netlink.c:1917
          [<0000000046b35c59>] sock_sendmsg_nosec net/socket.c:621 [inline]
          [<0000000046b35c59>] sock_sendmsg+0xc3/0x100 net/socket.c:631
          [<00000000d208adc9>] __sys_sendto+0x33e/0x560 net/socket.c:1786
          [<00000000b582837a>] __do_sys_sendto net/socket.c:1798 [inline]
          [<00000000b582837a>] __se_sys_sendto net/socket.c:1794 [inline]
          [<00000000b582837a>] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1794
          [<00000000c866801d>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
          [<00000000fea382d9>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
          [<00000000e01dacb3>] 0xffffffffffffffff
      
      Fixes: c5a75911 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Signed-off-by: NMao Wenan <maowenan@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6caabe7f
    • V
      net: sched: flower: insert new filter to idr after setting its mask · ecb3dea4
      Vlad Buslov 提交于
      When adding new filter to flower classifier, fl_change() inserts it to
      handle_idr before initializing filter extensions and assigning it a mask.
      Normally this ordering doesn't matter because all flower classifier ops
      callbacks assume rtnl lock protection. However, when filter has an action
      that doesn't have its kernel module loaded, rtnl lock is released before
      call to request_module(). During this time the filter can be accessed bu
      concurrent task before its initialization is completed, which can lead to a
      crash.
      
      Example case of NULL pointer dereference in concurrent dump:
      
      Task 1                           Task 2
      
      tc_new_tfilter()
       fl_change()
        idr_alloc_u32(fnew)
        fl_set_parms()
         tcf_exts_validate()
          tcf_action_init()
           tcf_action_init_1()
            rtnl_unlock()
            request_module()
            ...                        rtnl_lock()
            				 tc_dump_tfilter()
            				  tcf_chain_dump()
      				   fl_walk()
      				    idr_get_next_ul()
      				    tcf_node_dump()
      				     tcf_fill_node()
      				      fl_dump()
      				       mask = &f->mask->key; <- NULL ptr
            rtnl_lock()
      
      Extension initialization and mask assignment don't depend on fnew->handle
      that is allocated by idr_alloc_u32(). Move idr allocation code after action
      creation and mask assignment in fl_change() to prevent concurrent access
      to not fully initialized filter when rtnl lock is released to load action
      module.
      
      Fixes: 01683a14 ("net: sched: refactor flower walk to iterate over idr")
      Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: NRoi Dayan <roid@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ecb3dea4
    • V
      tcp: detecting the misuse of .sendpage for Slab objects · a10674bf
      Vasily Averin 提交于
      sendpage was not designed for processing of the Slab pages,
      in some situations it can trigger BUG_ON on receiving side.
      Signed-off-by: NVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a10674bf
    • A
      appletalk: Add atalk.h header files to MAINTAINERS file · 7b837623
      Arnd Bergmann 提交于
      Add the path names here so that git-send-email can pick up the
      netdev@vger.kernel.org Cc line automatically for a patch that
      only touches the headers.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7b837623
    • A
      appletalk: Fix compile regression · 27da0d2e
      Arnd Bergmann 提交于
      A bugfix just broke compilation of appletalk when CONFIG_SYSCTL
      is disabled:
      
      In file included from net/appletalk/ddp.c:65:
      net/appletalk/ddp.c: In function 'atalk_init':
      include/linux/atalk.h:164:34: error: expected expression before 'do'
       #define atalk_register_sysctl()  do { } while(0)
                                        ^~
      net/appletalk/ddp.c:1934:7: note: in expansion of macro 'atalk_register_sysctl'
        rc = atalk_register_sysctl();
      
      This is easier to avoid by using conventional inline functions
      as stubs rather than macros. The header already has inline
      functions for other purposes, so I'm changing over all the
      macros for consistency.
      
      Fixes: 6377f787 ("appletalk: Fix use-after-free in atalk_proc_exit")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      27da0d2e
    • A
      iptunnel: NULL pointer deref for ip_md_tunnel_xmit · f4b3ec4e
      Alan Maguire 提交于
      Naresh Kamboju noted the following oops during execution of selftest
      tools/testing/selftests/bpf/test_tunnel.sh on x86_64:
      
      [  274.120445] BUG: unable to handle kernel NULL pointer dereference
      at 0000000000000000
      [  274.128285] #PF error: [INSTR]
      [  274.131351] PGD 8000000414a0e067 P4D 8000000414a0e067 PUD 3b6334067 PMD 0
      [  274.138241] Oops: 0010 [#1] SMP PTI
      [  274.141734] CPU: 1 PID: 11464 Comm: ping Not tainted
      5.0.0-rc4-next-20190129 #1
      [  274.149046] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
      2.0b 07/27/2017
      [  274.156526] RIP: 0010:          (null)
      [  274.160280] Code: Bad RIP value.
      [  274.163509] RSP: 0018:ffffbc9681f83540 EFLAGS: 00010286
      [  274.168726] RAX: 0000000000000000 RBX: ffffdc967fa80a18 RCX: 0000000000000000
      [  274.175851] RDX: ffff9db2ee08b540 RSI: 000000000000000e RDI: ffffdc967fa809a0
      [  274.182974] RBP: ffffbc9681f83580 R08: ffff9db2c4d62690 R09: 000000000000000c
      [  274.190098] R10: 0000000000000000 R11: ffff9db2ee08b540 R12: ffff9db31ce7c000
      [  274.197222] R13: 0000000000000001 R14: 000000000000000c R15: ffff9db3179cf400
      [  274.204346] FS:  00007ff4ae7c5740(0000) GS:ffff9db31fa80000(0000)
      knlGS:0000000000000000
      [  274.212424] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  274.218162] CR2: ffffffffffffffd6 CR3: 00000004574da004 CR4: 00000000003606e0
      [  274.225292] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  274.232416] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  274.239541] Call Trace:
      [  274.241988]  ? tnl_update_pmtu+0x296/0x3b0
      [  274.246085]  ip_md_tunnel_xmit+0x1bc/0x520
      [  274.250176]  gre_fb_xmit+0x330/0x390
      [  274.253754]  gre_tap_xmit+0x128/0x180
      [  274.257414]  dev_hard_start_xmit+0xb7/0x300
      [  274.261598]  sch_direct_xmit+0xf6/0x290
      [  274.265430]  __qdisc_run+0x15d/0x5e0
      [  274.269007]  __dev_queue_xmit+0x2c5/0xc00
      [  274.273011]  ? dev_queue_xmit+0x10/0x20
      [  274.276842]  ? eth_header+0x2b/0xc0
      [  274.280326]  dev_queue_xmit+0x10/0x20
      [  274.283984]  ? dev_queue_xmit+0x10/0x20
      [  274.287813]  arp_xmit+0x1a/0xf0
      [  274.290952]  arp_send_dst.part.19+0x46/0x60
      [  274.295138]  arp_solicit+0x177/0x6b0
      [  274.298708]  ? mod_timer+0x18e/0x440
      [  274.302281]  neigh_probe+0x57/0x70
      [  274.305684]  __neigh_event_send+0x197/0x2d0
      [  274.309862]  neigh_resolve_output+0x18c/0x210
      [  274.314212]  ip_finish_output2+0x257/0x690
      [  274.318304]  ip_finish_output+0x219/0x340
      [  274.322314]  ? ip_finish_output+0x219/0x340
      [  274.326493]  ip_output+0x76/0x240
      [  274.329805]  ? ip_fragment.constprop.53+0x80/0x80
      [  274.334510]  ip_local_out+0x3f/0x70
      [  274.337992]  ip_send_skb+0x19/0x40
      [  274.341391]  ip_push_pending_frames+0x33/0x40
      [  274.345740]  raw_sendmsg+0xc15/0x11d0
      [  274.349403]  ? __might_fault+0x85/0x90
      [  274.353151]  ? _copy_from_user+0x6b/0xa0
      [  274.357070]  ? rw_copy_check_uvector+0x54/0x130
      [  274.361604]  inet_sendmsg+0x42/0x1c0
      [  274.365179]  ? inet_sendmsg+0x42/0x1c0
      [  274.368937]  sock_sendmsg+0x3e/0x50
      [  274.372460]  ___sys_sendmsg+0x26f/0x2d0
      [  274.376293]  ? lock_acquire+0x95/0x190
      [  274.380043]  ? __handle_mm_fault+0x7ce/0xb70
      [  274.384307]  ? lock_acquire+0x95/0x190
      [  274.388053]  ? __audit_syscall_entry+0xdd/0x130
      [  274.392586]  ? ktime_get_coarse_real_ts64+0x64/0xc0
      [  274.397461]  ? __audit_syscall_entry+0xdd/0x130
      [  274.401989]  ? trace_hardirqs_on+0x4c/0x100
      [  274.406173]  __sys_sendmsg+0x63/0xa0
      [  274.409744]  ? __sys_sendmsg+0x63/0xa0
      [  274.413488]  __x64_sys_sendmsg+0x1f/0x30
      [  274.417405]  do_syscall_64+0x55/0x190
      [  274.421064]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  274.426113] RIP: 0033:0x7ff4ae0e6e87
      [  274.429686] Code: 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 80 00
      00 00 00 8b 05 ca d9 2b 00 48 63 d2 48 63 ff 85 c0 75 10 b8 2e 00 00
      00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 53 48 89 f3 48 83 ec 10 48 89 7c
      24 08
      [  274.448422] RSP: 002b:00007ffcd9b76db8 EFLAGS: 00000246 ORIG_RAX:
      000000000000002e
      [  274.455978] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007ff4ae0e6e87
      [  274.463104] RDX: 0000000000000000 RSI: 00000000006092e0 RDI: 0000000000000003
      [  274.470228] RBP: 0000000000000000 R08: 00007ffcd9bc40a0 R09: 00007ffcd9bc4080
      [  274.477349] R10: 000000000000060a R11: 0000000000000246 R12: 0000000000000003
      [  274.484475] R13: 0000000000000016 R14: 00007ffcd9b77fa0 R15: 00007ffcd9b78da4
      [  274.491602] Modules linked in: cls_bpf sch_ingress iptable_filter
      ip_tables algif_hash af_alg x86_pkg_temp_thermal fuse [last unloaded:
      test_bpf]
      [  274.504634] CR2: 0000000000000000
      [  274.507976] ---[ end trace 196d18386545eae1 ]---
      [  274.512588] RIP: 0010:          (null)
      [  274.516334] Code: Bad RIP value.
      [  274.519557] RSP: 0018:ffffbc9681f83540 EFLAGS: 00010286
      [  274.524775] RAX: 0000000000000000 RBX: ffffdc967fa80a18 RCX: 0000000000000000
      [  274.531921] RDX: ffff9db2ee08b540 RSI: 000000000000000e RDI: ffffdc967fa809a0
      [  274.539082] RBP: ffffbc9681f83580 R08: ffff9db2c4d62690 R09: 000000000000000c
      [  274.546205] R10: 0000000000000000 R11: ffff9db2ee08b540 R12: ffff9db31ce7c000
      [  274.553329] R13: 0000000000000001 R14: 000000000000000c R15: ffff9db3179cf400
      [  274.560456] FS:  00007ff4ae7c5740(0000) GS:ffff9db31fa80000(0000)
      knlGS:0000000000000000
      [  274.568541] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  274.574277] CR2: ffffffffffffffd6 CR3: 00000004574da004 CR4: 00000000003606e0
      [  274.581403] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  274.588535] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  274.595658] Kernel panic - not syncing: Fatal exception in interrupt
      [  274.602046] Kernel Offset: 0x14400000 from 0xffffffff81000000
      (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [  274.612827] ---[ end Kernel panic - not syncing: Fatal exception in
      interrupt ]---
      [  274.620387] ------------[ cut here ]------------
      
      I'm also seeing the same failure on x86_64, and it reproduces
      consistently.
      
      >From poking around it looks like the skb's dst entry is being used
      to calculate the mtu in:
      
      mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu;
      
      ...but because that dst_entry  has an "ops" value set to md_dst_ops,
      the various ops (including mtu) are not set:
      
      crash> struct sk_buff._skb_refdst ffff928f87447700 -x
            _skb_refdst = 0xffffcd6fbf5ea590
      crash> struct dst_entry.ops 0xffffcd6fbf5ea590
        ops = 0xffffffffa0193800
      crash> struct dst_ops.mtu 0xffffffffa0193800
        mtu = 0x0
      crash>
      
      I confirmed that the dst entry also has dst->input set to
      dst_md_discard, so it looks like it's an entry that's been
      initialized via __metadata_dst_init alright.
      
      I think the fix here is to use skb_valid_dst(skb) - it checks
      for  DST_METADATA also, and with that fix in place, the
      problem - which was previously 100% reproducible - disappears.
      
      The below patch resolves the panic and all bpf tunnel tests pass
      without incident.
      
      Fixes: c8b34e68 ("ip_tunnel: Add tnl_update_pmtu in ip_md_tunnel_xmit")
      Reported-by: NNaresh Kamboju <naresh.kamboju@linaro.org>
      Signed-off-by: NAlan Maguire <alan.maguire@oracle.com>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Tested-by: NAnders Roxell <anders.roxell@linaro.org>
      Reported-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Tested-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f4b3ec4e
    • P
      ipv4/route: fail early when inet dev is missing · 22c74764
      Paolo Abeni 提交于
      If a non local multicast packet reaches ip_route_input_rcu() while
      the ingress device IPv4 private data (in_dev) is NULL, we end up
      doing a NULL pointer dereference in IN_DEV_MFORWARD().
      
      Since the later call to ip_route_input_mc() is going to fail if
      !in_dev, we can fail early in such scenario and avoid the dangerous
      code path.
      
      v1 -> v2:
       - clarified the commit message, no code changes
      Reported-by: NTianhao Zhao <tizhao@redhat.com>
      Fixes: e58e4159 ("net: Enable support for VRF with ipv4 multicast")
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      22c74764
    • D
      net: hns3: Fix a logical vs bitwise typo · f4772dee
      Dan Carpenter 提交于
      There were a couple logical ORs accidentally mixed in with the bitwise
      ORs.
      
      Fixes: e8149933 ("net: hns3: remove hnae3_get_bit in data path")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: NYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f4772dee