1. 10 3月, 2017 24 次提交
    • D
      rxrpc: rxrpc_kernel_send_data() needs to handle failed call better · 6fc166d6
      David Howells 提交于
      If rxrpc_kernel_send_data() is asked to send data through a call that has
      already failed (due to a remote abort, received protocol error or network
      error), then return the associated error code saved in the call rather than
      ESHUTDOWN.
      
      This allows the caller to work out whether to ask for the abort code or not
      based on this.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6fc166d6
    • A
      udp: avoid ufo handling on IP payload compression packets · 4b3b45ed
      Alexey Kodanev 提交于
      commit c146066a ("ipv4: Don't use ufo handling on later transformed
      packets") and commit f89c56ce ("ipv6: Don't use ufo handling on
      later transformed packets") added a check that 'rt->dst.header_len' isn't
      zero in order to skip UFO, but it doesn't include IPcomp in transport mode
      where it equals zero.
      
      Packets, after payload compression, may not require further fragmentation,
      and if original length exceeds MTU, later compressed packets will be
      transmitted incorrectly. This can be reproduced with LTP udp_ipsec.sh test
      on veth device with enabled UFO, MTU is 1500 and UDP payload is 2000:
      
      * IPv4 case, offset is wrong + unnecessary fragmentation
          udp_ipsec.sh -p comp -m transport -s 2000 &
          tcpdump -ni ltp_ns_veth2
          ...
          IP (tos 0x0, ttl 64, id 45203, offset 0, flags [+],
            proto Compressed IP (108), length 49)
            10.0.0.2 > 10.0.0.1: IPComp(cpi=0x1000)
          IP (tos 0x0, ttl 64, id 45203, offset 1480, flags [none],
            proto UDP (17), length 21) 10.0.0.2 > 10.0.0.1: ip-proto-17
      
      * IPv6 case, sending small fragments
          udp_ipsec.sh -6 -p comp -m transport -s 2000 &
          tcpdump -ni ltp_ns_veth2
          ...
          IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
            payload length: 37) fd00::2 > fd00::1: IPComp(cpi=0x1000)
          IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
            payload length: 21) fd00::2 > fd00::1: IPComp(cpi=0x1000)
      
      Fix it by checking 'rt->dst.xfrm' pointer to 'xfrm_state' struct, skip UFO
      if xfrm is set. So the new check will include both cases: IPcomp and IPsec.
      
      Fixes: c146066a ("ipv4: Don't use ufo handling on later transformed packets")
      Fixes: f89c56ce ("ipv6: Don't use ufo handling on later transformed packets")
      Signed-off-by: NAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4b3b45ed
    • D
      net: Work around lockdep limitation in sockets that use sockets · cdfbabfb
      David Howells 提交于
      Lockdep issues a circular dependency warning when AFS issues an operation
      through AF_RXRPC from a context in which the VFS/VM holds the mmap_sem.
      
      The theory lockdep comes up with is as follows:
      
       (1) If the pagefault handler decides it needs to read pages from AFS, it
           calls AFS with mmap_sem held and AFS begins an AF_RXRPC call, but
           creating a call requires the socket lock:
      
      	mmap_sem must be taken before sk_lock-AF_RXRPC
      
       (2) afs_open_socket() opens an AF_RXRPC socket and binds it.  rxrpc_bind()
           binds the underlying UDP socket whilst holding its socket lock.
           inet_bind() takes its own socket lock:
      
      	sk_lock-AF_RXRPC must be taken before sk_lock-AF_INET
      
       (3) Reading from a TCP socket into a userspace buffer might cause a fault
           and thus cause the kernel to take the mmap_sem, but the TCP socket is
           locked whilst doing this:
      
      	sk_lock-AF_INET must be taken before mmap_sem
      
      However, lockdep's theory is wrong in this instance because it deals only
      with lock classes and not individual locks.  The AF_INET lock in (2) isn't
      really equivalent to the AF_INET lock in (3) as the former deals with a
      socket entirely internal to the kernel that never sees userspace.  This is
      a limitation in the design of lockdep.
      
      Fix the general case by:
      
       (1) Double up all the locking keys used in sockets so that one set are
           used if the socket is created by userspace and the other set is used
           if the socket is created by the kernel.
      
       (2) Store the kern parameter passed to sk_alloc() in a variable in the
           sock struct (sk_kern_sock).  This informs sock_lock_init(),
           sock_init_data() and sk_clone_lock() as to the lock keys to be used.
      
           Note that the child created by sk_clone_lock() inherits the parent's
           kern setting.
      
       (3) Add a 'kern' parameter to ->accept() that is analogous to the one
           passed in to ->create() that distinguishes whether kernel_accept() or
           sys_accept4() was the caller and can be passed to sk_alloc().
      
           Note that a lot of accept functions merely dequeue an already
           allocated socket.  I haven't touched these as the new socket already
           exists before we get the parameter.
      
           Note also that there are a couple of places where I've made the accepted
           socket unconditionally kernel-based:
      
      	irda_accept()
      	rds_rcp_accept_one()
      	tcp_accept_from_sock()
      
           because they follow a sock_create_kern() and accept off of that.
      
      Whilst creating this, I noticed that lustre and ocfs don't create sockets
      through sock_create_kern() and thus they aren't marked as for-kernel,
      though they appear to be internal.  I wonder if these should do that so
      that they use the new set of lock keys.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cdfbabfb
    • D
      Merge branch 'bnxt_en-misc-small-fixes' · 81dca07b
      David S. Miller 提交于
      Michael Chan says:
      
      ====================
      bnxt_en: Misc. small fixes.
      
      Fixes include moving the initial function reset, notifying the RDMA driver
      during tx timeout, setting dcbx_cap properly depending on whether the
      firmware agent is running or not, and an autoneg related improvement.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      81dca07b
    • M
      bnxt_en: Ignore 0 value in autoneg supported speed from firmware. · 520ad89a
      Michael Chan 提交于
      In some situations, the firmware will return 0 for autoneg supported
      speed.  This may happen if the firmware detects no SFP module, for
      example.  The driver should ignore this so that we don't end up with
      an invalid autoneg setting with nothing advertised.  When SFP module
      is inserted, we'll get the updated settings from firmware at that time.
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      520ad89a
    • M
      bnxt_en: Check if firmware LLDP agent is running. · bc39f885
      Michael Chan 提交于
      Set DCB_CAP_DCBX_HOST capability flag only if the firmware LLDP agent
      is not running.
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bc39f885
    • M
      bnxt_en: Call bnxt_ulp_stop() during tx timeout. · b386cd36
      Michael Chan 提交于
      If we call bnxt_reset_task() due to tx timeout, we should call
      bnxt_ulp_stop() to inform the RDMA driver about the error and the
      impending reset.
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b386cd36
    • M
      bnxt_en: Perform function reset earlier during probe. · 3c2217a6
      Michael Chan 提交于
      The firmware call to do function reset is done too late.  It is causing
      the rings that have been reserved to be freed.  In NPAR mode, this bug
      is causing us to run out of rings.
      
      Fixes: 391be5c2 ("bnxt_en: Implement new scheme to reserve tx rings.")
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3c2217a6
    • L
      tun: remove copyright printing · 6cbac982
      LABBE Corentin 提交于
      Printing copyright does not give any useful information on the boot
      process.
      Furthermore, the email address printed is obsolete since
      commit ba57b6f2 ("MAINTAINERS: fix bouncing tun/tap entries")
      Signed-off-by: NCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6cbac982
    • A
      net: initialize msg.msg_flags in recvfrom · 9f138fa6
      Alexander Potapenko 提交于
      KMSAN reports a use of uninitialized memory in put_cmsg() because
      msg.msg_flags in recvfrom haven't been initialized properly.
      The flag values don't affect the result on this path, but it's still a
      good idea to initialize them explicitly.
      Signed-off-by: NAlexander Potapenko <glider@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9f138fa6
    • D
      Merge branch 'bpf-htab-fixes' · 8ddbb312
      David S. Miller 提交于
      Alexei Starovoitov says:
      
      ====================
      bpf: htab fixes
      
      Two bpf hashtable fixes. See individual patches for details.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8ddbb312
    • A
      bpf: convert htab map to hlist_nulls · 4fe84359
      Alexei Starovoitov 提交于
      when all map elements are pre-allocated one cpu can delete and reuse htab_elem
      while another cpu is still walking the hlist. In such case the lookup may
      miss the element. Convert hlist to hlist_nulls to avoid such scenario.
      When bucket lock is taken there is no need to take such precautions,
      so only convert map_lookup and map_get_next to nulls.
      The race window is extremely small and only reproducible with explicit
      udelay() inside lookup_nulls_elem_raw()
      
      Similar to hlist add hlist_nulls_for_each_entry_safe() and
      hlist_nulls_entry_safe() helpers.
      
      Fixes: 6c905981 ("bpf: pre-allocate hash map elements")
      Reported-by: NJonathan Perry <jonperry@fb.com>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      Acked-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4fe84359
    • A
      bpf: fix struct htab_elem layout · 9f691549
      Alexei Starovoitov 提交于
      when htab_elem is removed from the bucket list the htab_elem.hash_node.next
      field should not be overridden too early otherwise we have a tiny race window
      between lookup and delete.
      The bug was discovered by manual code analysis and reproducible
      only with explicit udelay() in lookup_elem_raw().
      
      Fixes: 6c905981 ("bpf: pre-allocate hash map elements")
      Reported-by: NJonathan Perry <jonperry@fb.com>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      Acked-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9f691549
    • D
      uapi: fix linux/packet_diag.h userspace compilation error · 745cb7f8
      Dmitry V. Levin 提交于
      Replace MAX_ADDR_LEN with its numeric value to fix the following
      linux/packet_diag.h userspace compilation error:
      
      /usr/include/linux/packet_diag.h:67:17: error: 'MAX_ADDR_LEN' undeclared here (not in a function)
        __u8 pdmc_addr[MAX_ADDR_LEN];
      
      This is not the first case in the UAPI where the numeric value
      of MAX_ADDR_LEN is used instead of symbolic one, uapi/linux/if_link.h
      already does the same:
      
      $ grep MAX_ADDR_LEN include/uapi/linux/if_link.h
      	__u8 mac[32]; /* MAX_ADDR_LEN */
      
      There are no UAPI headers besides these two that use MAX_ADDR_LEN.
      Signed-off-by: NDmitry V. Levin <ldv@altlinux.org>
      Acked-by: NPavel Emelyanov <xemul@virtuozzo.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      745cb7f8
    • P
      net/tunnel: set inner protocol in network gro hooks · 294acf1c
      Paolo Abeni 提交于
      The gso code of several tunnels type (gre and udp tunnels)
      takes for granted that the skb->inner_protocol is properly
      initialized and drops the packet elsewhere.
      
      On the forwarding path no one is initializing such field,
      so gro encapsulated packets are dropped on forward.
      
      Since commit 38720352 ("gre: Use inner_proto to obtain
      inner header protocol"), this can be reproduced when the
      encapsulated packets use gre as the tunneling protocol.
      
      The issue happens also with vxlan and geneve tunnels since
      commit 8bce6d7d ("udp: Generalize skb_udp_segment"), if the
      forwarding host's ingress nic has h/w offload for such tunnel
      and a vxlan/geneve device is configured on top of it, regardless
      of the configured peer address and vni.
      
      To address the issue, this change initialize the inner_protocol
      field for encapsulated packets in both ipv4 and ipv6 gro complete
      callbacks.
      
      Fixes: 38720352 ("gre: Use inner_proto to obtain inner header protocol")
      Fixes: 8bce6d7d ("udp: Generalize skb_udp_segment")
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Acked-by: NAlexander Duyck <alexander.h.duyck@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      294acf1c
    • R
      qed: Fix copy of uninitialized memory · 8aad6f14
      robert.foss@collabora.com 提交于
      In qed_ll2_start_ooo() the ll2_info variable is uninitialized and then
      passed to qed_ll2_acquire_connection() where it is copied into a new
      memory space.
      
      This shouldn't cause any issue as long as non of the copied memory is
      every read.
      But the potential for a bug being introduced by reading this memory
      is real.
      
      Detected by CoverityScan, CID#1399632 ("Uninitialized scalar variable")
      Signed-off-by: NRobert Foss <robert.foss@collabora.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8aad6f14
    • D
      Merge branch 'thunderx-misc-fixes' · c021aaca
      David S. Miller 提交于
      Sunil Goutham says:
      
      ====================
      net: thunderx: Miscellaneous fixes
      
      This patch set fixes multiple issues such as IOMMU
      translation faults when kernel is booted with IOMMU enabled
      on host, incorrect MAC ID reading from ACPI tables and IPv6
      UDP packet drop due to failure of checksum validation.
      
      Changes from v1:
      - As suggested by David Miller, got rid of conditional
        calling of DMA map/unmap APIs. Also updated commit message
        in 'IOMMU translation faults' patch.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c021aaca
    • T
      net: thunderx: Allow IPv6 frames with zero UDP checksum · 36fa35d2
      Thanneeru Srinivasulu 提交于
      Do not consider IPv6 frames with zero UDP checksum as frames
      with bad checksum and drop them.
      Signed-off-by: NThanneeru Srinivasulu <tsrinivasulu@cavium.com>
      Signed-off-by: NSunil Goutham <sgoutham@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      36fa35d2
    • S
      net: thunderx: Fix invalid mac addresses for node1 interfaces · 78aacb6f
      Sunil Goutham 提交于
      When booted with ACPI, random mac addresses are being
      assigned to node1 interfaces due to mismatch of bgx_id
      in BGX driver and ACPI tables.
      
      This patch fixes this issue by setting maximum BGX devices
      per node based on platform/soc instead of a macro. This
      change will set the bgx_id appropriately.
      Signed-off-by: NSunil Goutham <sgoutham@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      78aacb6f
    • S
      net: thunderx: Fix LMAC mode debug prints for QSGMII mode · 18de7ba9
      Sunil Goutham 提交于
      When BGX/LMACs are in QSGMII mode, for some LMACs, mode info is
      not being printed. This patch will fix that. With changes already
      done to not do any sort of serdes 2 lane mapping config calculation
      in kernel driver, we can get rid of this logic.
      Signed-off-by: NSunil Goutham <sgoutham@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      18de7ba9
    • S
      net: thunderx: Fix IOMMU translation faults · 83abb7d7
      Sunil Goutham 提交于
      ACPI support has been added to ARM IOMMU driver in 4.10 kernel
      and that has resulted in VNIC interfaces throwing translation
      faults when kernel is booted with ACPI as driver was not using
      DMA API. This patch fixes the issue by using DMA API which inturn
      will create translation tables when IOMMU is enabled.
      
      Also VNIC doesn't have a seperate receive buffer ring per receive
      queue, so there is no 1:1 descriptor index matching between CQE_RX
      and the index in buffer ring from where a buffer has been used for
      DMA'ing. Unlike other NICs, here it's not possible to maintain dma
      address to virt address mappings within the driver. This leaves us
      no other choice but to use IOMMU's IOVA address conversion API to
      get buffer's virtual address which can be given to network stack
      for processing.
      Signed-off-by: NSunil Goutham <sgoutham@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      83abb7d7
    • Z
      rds: ib: add error handle · 3b12f73a
      Zhu Yanjun 提交于
      In the function rds_ib_setup_qp, the error handle is missing. When some
      error occurs, it is possible that memory leak occurs. As such, error
      handle is added.
      
      Cc: Joe Jin <joe.jin@oracle.com>
      Reviewed-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: NGuanglei Li <guanglei.li@oracle.com>
      Signed-off-by: NZhu Yanjun <yanjun.zhu@oracle.com>
      Acked-by: NSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3b12f73a
    • V
      liquidio: improve UDP TX performance · 67e303e0
      VSR Burru 提交于
      Improve UDP TX performance by:
      * reducing the ring size from 2K to 512
      * replacing the numerous streaming DMA allocations for info buffers and
        gather lists with one large consistent DMA allocation per ring
      
      BQL is not effective here.  We reduced the ring size because there is heavy
      overhead with dma_map_single every so often.  With iommu=on, dma_map_single
      in PF Tx data path was taking longer time (~700usec) for every ~250
      packets.  Debugged intel_iommu code, and found that PF driver is utilizing
      too many static IO virtual address mapping entries (for gather list entries
      and info buffers): about 100K entries for two PF's each using 8 rings.
      Also, finding an empty entry (in rbtree of device domain's iova mapping in
      kernel) during Tx path becomes a bottleneck every so often; the loop to
      find the empty entry goes through over 40K iterations; this is too costly
      and was the major overhead.  Overhead is low when this loop quits quickly.
      
      Netperf benchmark numbers before and after patch:
      
      PF UDP TX
      +--------+--------+------------+------------+---------+
      |        |        |  Before    |  After     |         |
      | Number |        |  Patch     |  Patch     |         |
      |  of    | Packet | Throughput | Throughput | Percent |
      | Flows  |  Size  |  (Gbps)    |  (Gbps)    | Change  |
      +--------+--------+------------+------------+---------+
      |        |   360  |   0.52     |   0.93     |  +78.9  |
      |   1    |  1024  |   1.62     |   2.84     |  +75.3  |
      |        |  1518  |   2.44     |   4.21     |  +72.5  |
      +--------+--------+------------+------------+---------+
      |        |   360  |   0.45     |   1.59     | +253.3  |
      |   4    |  1024  |   1.34     |   5.48     | +308.9  |
      |        |  1518  |   2.27     |   8.31     | +266.1  |
      +--------+--------+------------+------------+---------+
      |        |   360  |   0.40     |   1.61     | +302.5  |
      |   8    |  1024  |   1.64     |   4.24     | +158.5  |
      |        |  1518  |   2.87     |   6.52     | +127.2  |
      +--------+--------+------------+------------+---------+
      
      VF UDP TX
      +--------+--------+------------+------------+---------+
      |        |        |  Before    |  After     |         |
      | Number |        |  Patch     |  Patch     |         |
      |  of    | Packet | Throughput | Throughput | Percent |
      | Flows  |  Size  |  (Gbps)    |  (Gbps)    | Change  |
      +--------+--------+------------+------------+---------+
      |        |   360  |   1.28     |   1.49     |  +16.4  |
      |   1    |  1024  |   4.44     |   4.39     |   -1.1  |
      |        |  1518  |   6.08     |   6.51     |   +7.1  |
      +--------+--------+------------+------------+---------+
      |        |   360  |   2.35     |   2.35     |    0.0  |
      |   4    |  1024  |   6.41     |   8.07     |  +25.9  |
      |        |  1518  |   9.56     |   9.54     |   -0.2  |
      +--------+--------+------------+------------+---------+
      |        |   360  |   3.41     |   3.65     |   +7.0  |
      |   8    |  1024  |   9.35     |   9.34     |   -0.1  |
      |        |  1518  |   9.56     |   9.57     |   +0.1  |
      +--------+--------+------------+------------+---------+
      Signed-off-by: NVSR Burru <veerasenareddy.burru@cavium.com>
      Signed-off-by: NFelix Manlunas <felix.manlunas@cavium.com>
      Signed-off-by: NDerek Chickles <derek.chickles@cavium.com>
      Signed-off-by: NRaghu Vatsavayi <raghu.vatsavayi@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      67e303e0
    • D
      net: ipv6: Remove redundant RTA_OIF in multipath routes · 5be083ce
      David Ahern 提交于
      Dinesh reported that RTA_MULTIPATH nexthops are 8-bytes larger with IPv6
      than IPv4. The recent refactoring for multipath support in netlink
      messages does discriminate between non-multipath which needs the OIF
      and multipath which adds a rtnexthop struct for each hop making the
      RTA_OIF attribute redundant. Resolve by adding a flag to the info
      function to skip the oif for multipath.
      
      Fixes: beb1afac ("net: ipv6: Add support to dump multipath routes
             via RTA_MULTIPATH attribute")
      Reported-by: NDinesh Dutt <ddutt@cumulusnetworks.com>
      Signed-off-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5be083ce
  2. 09 3月, 2017 13 次提交
  3. 08 3月, 2017 3 次提交
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 8474c8ca
      David S. Miller 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2017-03-06
      
      1) Fix lockdep splat on xfrm policy subsystem initialization.
         From Florian Westphal.
      
      2) When using socket policies on IPv4-mapped IPv6 addresses,
         we access the flow informations of the wrong address family
         what leads to an out of bounds access. Fix this by using
         the family we get with the dst_entry, like we do it for the
         standard policy lookup.
      
      3) vti6 can report a PMTU below IPV6_MIN_MTU. Fix this by
         adding a check for that before sending a ICMPV6_PKT_TOOBIG
         message.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8474c8ca
    • W
      ipv6: reorder icmpv6_init() and ip6_mr_init() · 15e66807
      WANG Cong 提交于
      Andrey reported the following kernel crash:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      task: ffff88001f311700 task.stack: ffff88001f6e8000
      RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618
      RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000
      RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020
      RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000
      R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040
      FS:  00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0
      DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
      Call Trace:
       rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217
       inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
       inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
       sock_release+0x8d/0x1e0 net/socket.c:597
       __sock_create+0x39d/0x880 net/socket.c:1226
       sock_create_kern+0x3f/0x50 net/socket.c:1243
       inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526
       icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954
       ops_init+0x10a/0x550 net/core/net_namespace.c:115
       setup_net+0x261/0x660 net/core/net_namespace.c:291
       copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396
      9pnet_virtio: no channels available for device ./file1
       create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106
       unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
       SYSC_unshare kernel/fork.c:2281 [inline]
       SyS_unshare+0x64e/0x1000 kernel/fork.c:2231
       entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      This is because net->ipv6.mr6_tables is not initialized at that point,
      ip6mr_rules_init() is not called yet, therefore on the error path when
      we iterator the list, we trigger this oops. Fix this by reordering
      ip6mr_rules_init() before icmpv6_sk_init().
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      15e66807
    • E
      dccp: fix use-after-free in dccp_feat_activate_values · 62f8f4d9
      Eric Dumazet 提交于
      Dmitry reported crashes in DCCP stack [1]
      
      Problem here is that when I got rid of listener spinlock, I missed the
      fact that DCCP stores a complex state in struct dccp_request_sock,
      while TCP does not.
      
      Since multiple cpus could access it at the same time, we need to add
      protection.
      
      [1]
      BUG: KASAN: use-after-free in dccp_feat_activate_values+0x967/0xab0
      net/dccp/feat.c:1541 at addr ffff88003713be68
      Read of size 8 by task syz-executor2/8457
      CPU: 2 PID: 8457 Comm: syz-executor2 Not tainted 4.10.0-rc7+ #127
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:15 [inline]
       dump_stack+0x292/0x398 lib/dump_stack.c:51
       kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
       print_address_description mm/kasan/report.c:200 [inline]
       kasan_report_error mm/kasan/report.c:289 [inline]
       kasan_report.part.1+0x20e/0x4e0 mm/kasan/report.c:311
       kasan_report mm/kasan/report.c:332 [inline]
       __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:332
       dccp_feat_activate_values+0x967/0xab0 net/dccp/feat.c:1541
       dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121
       dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457
       dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186
       dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711
       ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
       dst_input include/net/dst.h:507 [inline]
       ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
       __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
       __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
       process_backlog+0xe5/0x6c0 net/core/dev.c:4839
       napi_poll net/core/dev.c:5202 [inline]
       net_rx_action+0xe70/0x1900 net/core/dev.c:5267
       __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
       do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
       </IRQ>
       do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328
       do_softirq kernel/softirq.c:176 [inline]
       __local_bh_enable_ip+0x1f2/0x200 kernel/softirq.c:181
       local_bh_enable include/linux/bottom_half.h:31 [inline]
       rcu_read_unlock_bh include/linux/rcupdate.h:971 [inline]
       ip6_finish_output2+0xbb0/0x23d0 net/ipv6/ip6_output.c:123
       ip6_finish_output+0x302/0x960 net/ipv6/ip6_output.c:148
       NF_HOOK_COND include/linux/netfilter.h:246 [inline]
       ip6_output+0x1cb/0x8d0 net/ipv6/ip6_output.c:162
       ip6_xmit+0xcdf/0x20d0 include/net/dst.h:501
       inet6_csk_xmit+0x320/0x5f0 net/ipv6/inet6_connection_sock.c:179
       dccp_transmit_skb+0xb09/0x1120 net/dccp/output.c:141
       dccp_xmit_packet+0x215/0x760 net/dccp/output.c:280
       dccp_write_xmit+0x168/0x1d0 net/dccp/output.c:362
       dccp_sendmsg+0x79c/0xb10 net/dccp/proto.c:796
       inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
       sock_sendmsg_nosec net/socket.c:635 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:645
       SYSC_sendto+0x660/0x810 net/socket.c:1687
       SyS_sendto+0x40/0x50 net/socket.c:1655
       entry_SYSCALL_64_fastpath+0x1f/0xc2
      RIP: 0033:0x4458b9
      RSP: 002b:00007f8ceb77bb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 00000000004458b9
      RDX: 0000000000000023 RSI: 0000000020e60000 RDI: 0000000000000017
      RBP: 00000000006e1b90 R08: 00000000200f9fe1 R09: 0000000000000020
      R10: 0000000000008010 R11: 0000000000000282 R12: 00000000007080a8
      R13: 0000000000000000 R14: 00007f8ceb77c9c0 R15: 00007f8ceb77c700
      Object at ffff88003713be50, in cache kmalloc-64 size: 64
      Allocated:
      PID = 8446
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
       save_stack+0x43/0xd0 mm/kasan/kasan.c:502
       set_track mm/kasan/kasan.c:514 [inline]
       kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
       kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2738
       kmalloc include/linux/slab.h:490 [inline]
       dccp_feat_entry_new+0x214/0x410 net/dccp/feat.c:467
       dccp_feat_push_change+0x38/0x220 net/dccp/feat.c:487
       __feat_register_sp+0x223/0x2f0 net/dccp/feat.c:741
       dccp_feat_propagate_ccid+0x22b/0x2b0 net/dccp/feat.c:949
       dccp_feat_server_ccid_dependencies+0x1b3/0x250 net/dccp/feat.c:1012
       dccp_make_response+0x1f1/0xc90 net/dccp/output.c:423
       dccp_v6_send_response+0x4ec/0xc20 net/dccp/ipv6.c:217
       dccp_v6_conn_request+0xaba/0x11b0 net/dccp/ipv6.c:377
       dccp_rcv_state_process+0x51e/0x1650 net/dccp/input.c:606
       dccp_v6_do_rcv+0x213/0x350 net/dccp/ipv6.c:632
       sk_backlog_rcv include/net/sock.h:893 [inline]
       __sk_receive_skb+0x36f/0xcc0 net/core/sock.c:479
       dccp_v6_rcv+0xba5/0x1d00 net/dccp/ipv6.c:742
       ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
       dst_input include/net/dst.h:507 [inline]
       ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
       __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
       __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
       process_backlog+0xe5/0x6c0 net/core/dev.c:4839
       napi_poll net/core/dev.c:5202 [inline]
       net_rx_action+0xe70/0x1900 net/core/dev.c:5267
       __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
      Freed:
      PID = 15
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
       save_stack+0x43/0xd0 mm/kasan/kasan.c:502
       set_track mm/kasan/kasan.c:514 [inline]
       kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
       slab_free_hook mm/slub.c:1355 [inline]
       slab_free_freelist_hook mm/slub.c:1377 [inline]
       slab_free mm/slub.c:2954 [inline]
       kfree+0xe8/0x2b0 mm/slub.c:3874
       dccp_feat_entry_destructor.part.4+0x48/0x60 net/dccp/feat.c:418
       dccp_feat_entry_destructor net/dccp/feat.c:416 [inline]
       dccp_feat_list_pop net/dccp/feat.c:541 [inline]
       dccp_feat_activate_values+0x57f/0xab0 net/dccp/feat.c:1543
       dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121
       dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457
       dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186
       dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711
       ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
       dst_input include/net/dst.h:507 [inline]
       ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
       NF_HOOK include/linux/netfilter.h:257 [inline]
       ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
       __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
       __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
       process_backlog+0xe5/0x6c0 net/core/dev.c:4839
       napi_poll net/core/dev.c:5202 [inline]
       net_rx_action+0xe70/0x1900 net/core/dev.c:5267
       __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
      Memory state around the buggy address:
       ffff88003713bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff88003713bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88003713be00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
                                                                ^
      
      Fixes: 079096f1 ("tcp/dccp: install syn_recv requests into ehash table")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Tested-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      62f8f4d9