1. 14 Jul, 2020 1 commit
  2. 13 Jun, 2020 2 commits
  3. 11 Jun, 2020 1 commit
  4. 10 Jun, 2020 3 commits
    • net: change addr_list_lock back to static key · 845e0ebb
      Cong Wang committed
      The dynamic key update for addr_list_lock still causes troubles,
      for example the following race condition still exists:
      
      CPU 0:				CPU 1:
      (RCU read lock)			(RTNL lock)
      dev_mc_seq_show()		netdev_update_lockdep_key()
      				  -> lockdep_unregister_key()
       -> netif_addr_lock_bh()
      
      because lockdep doesn't provide an API to update it atomically.
      Therefore, we have to move it back to static keys and use subclass
      for nest locking like before.
      
      In commit 1a33e10e ("net: partially revert dynamic lockdep key
      changes"), I already reverted most parts of commit ab92d68f
      ("net: core: add generic lockdep keys").
      
      This patch reverts the rest and also part of commit f3b0a18b
      ("net: remove unnecessary variables and callback"). After this
      patch, addr_list_lock changes back to using static keys and
      subclasses to satisfy lockdep. Thanks to dev->lower_level, we do
      not have to change back to ->ndo_get_lock_subclass().
      
      And hopefully this reduces some syzbot lockdep noises too.
      
      Reported-by: syzbot+f3a0e80c34b3fc28ac5e@syzkaller.appspotmail.com
      Cc: Taehee Yoo <ap420073@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bpf, sockhash: Synchronize delete from bucket list on map free · 75e68e5b
      Jakub Sitnicki committed
      We can end up modifying the sockhash bucket list from two CPUs when a
      sockhash is being destroyed (sock_hash_free) on one CPU, while a socket
      that is in the sockhash is unlinking itself from it on another CPU
      (sock_hash_delete_from_link).
      
      This results in accessing a list element that is in an undefined state as
      reported by KASAN:
      
      | ==================================================================
      | BUG: KASAN: wild-memory-access in sock_hash_free+0x13c/0x280
      | Write of size 8 at addr dead000000000122 by task kworker/2:1/95
      |
      | CPU: 2 PID: 95 Comm: kworker/2:1 Not tainted 5.7.0-rc7-02961-ge22c35ab0038-dirty #691
      | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
      | Workqueue: events bpf_map_free_deferred
      | Call Trace:
      |  dump_stack+0x97/0xe0
      |  ? sock_hash_free+0x13c/0x280
      |  __kasan_report.cold+0x5/0x40
      |  ? mark_lock+0xbc1/0xc00
      |  ? sock_hash_free+0x13c/0x280
      |  kasan_report+0x38/0x50
      |  ? sock_hash_free+0x152/0x280
      |  sock_hash_free+0x13c/0x280
      |  bpf_map_free_deferred+0xb2/0xd0
      |  ? bpf_map_charge_finish+0x50/0x50
      |  ? rcu_read_lock_sched_held+0x81/0xb0
      |  ? rcu_read_lock_bh_held+0x90/0x90
      |  process_one_work+0x59a/0xac0
      |  ? lock_release+0x3b0/0x3b0
      |  ? pwq_dec_nr_in_flight+0x110/0x110
      |  ? rwlock_bug.part.0+0x60/0x60
      |  worker_thread+0x7a/0x680
      |  ? _raw_spin_unlock_irqrestore+0x4c/0x60
      |  kthread+0x1cc/0x220
      |  ? process_one_work+0xac0/0xac0
      |  ? kthread_create_on_node+0xa0/0xa0
      |  ret_from_fork+0x24/0x30
      | ==================================================================
      
      Fix it by reintroducing spin-lock protected critical section around the
      code that removes the elements from the bucket on sockhash free.
      
      To do that we also need to defer processing of removed elements, until out
      of atomic context so that we can unlink the socket from the map when
      holding the sock lock.
      
      Fixes: 90db6d77 ("bpf, sockmap: Remove bucket->lock from sock_{hash|map}_free")
      Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: Alexei Starovoitov <ast@kernel.org>
      Acked-by: John Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20200607205229.2389672-3-jakub@cloudflare.com
    • bpf, sockhash: Fix memory leak when unlinking sockets in sock_hash_free · 33a7c831
      Jakub Sitnicki committed
      When sockhash gets destroyed while sockets are still linked to it, we will
      walk the bucket lists and delete the links. However, we are not freeing the
      list elements after processing them, leaking the memory.
      
      The leak can be triggered by close()'ing a sockhash map when it still
      contains sockets, and observed with kmemleak:
      
        unreferenced object 0xffff888116e86f00 (size 64):
          comm "race_sock_unlin", pid 223, jiffies 4294731063 (age 217.404s)
          hex dump (first 32 bytes):
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
            81 de e8 41 00 00 00 00 c0 69 2f 15 81 88 ff ff  ...A.....i/.....
          backtrace:
            [<00000000dd089ebb>] sock_hash_update_common+0x4ca/0x760
            [<00000000b8219bd5>] sock_hash_update_elem+0x1d2/0x200
            [<000000005e2c23de>] __do_sys_bpf+0x2046/0x2990
            [<00000000d0084618>] do_syscall_64+0xad/0x9a0
            [<000000000d96f263>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Fix it by freeing the list element when we're done with it.
      
      Fixes: 604326b4 ("bpf, sockmap: convert to generic sk_msg interface")
      Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: Alexei Starovoitov <ast@kernel.org>
      Acked-by: John Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20200607205229.2389672-2-jakub@cloudflare.com
  5. 08 Jun, 2020 1 commit
  6. 05 Jun, 2020 3 commits
    • net: core: device_rename: Use rwsem instead of a seqcount · 11d6011c
      Ahmed S. Darwish committed
      Sequence counters write paths are critical sections that must never be
      preempted, and blocking, even for CONFIG_PREEMPTION=n, is not allowed.
      
      Commit 5dbe7c17 ("net: fix kernel deadlock with interface rename and
      netdev name retrieval.") handled a deadlock, observed with
      CONFIG_PREEMPTION=n, where the devnet_rename seqcount read side was
      infinitely spinning: it got scheduled after the seqcount write side
      blocked inside its own critical section.
      
      To fix that deadlock, among other issues, the commit added a
      cond_resched() inside the read side section. While this will get the
      non-preemptible kernel eventually unstuck, the seqcount reader is fully
      exhausting its slice just spinning -- until TIF_NEED_RESCHED is set.
      
      The fix is also still broken: if the seqcount reader belongs to a
      real-time scheduling policy, it can spin forever and the kernel will
      livelock.
      
      Disabling preemption over the seqcount write side critical section will
      not work: inside it are a number of GFP_KERNEL allocations and mutex
      locking through the drivers/base/ :: device_rename() call chain.
      
      From all the above, replace the seqcount with a rwsem.
      
      Fixes: 5dbe7c17 (net: fix kernel deadlock with interface rename and netdev name retrieval.)
      Fixes: 30e6c9fa (net: devnet_rename_seq should be a seqcount)
      Fixes: c91f6df2 (sockopt: Change getsockopt() of SO_BINDTODEVICE to return an interface name)
      Cc: <stable@vger.kernel.org>
      Reported-by: kbuild test robot <lkp@intel.com> [ v1 missing up_read() on error exit ]
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com> [ v1 missing up_read() on error exit ]
      Signed-off-by: Ahmed S. Darwish <a.darwish@linutronix.de>
      Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds · bb986a50
      Ahmed Abdelsalam committed
      The seg6_validate_srh() is used to validate SRH for three cases:
      
      case1: SRH of data-plane SRv6 packets to be processed by the Linux kernel.
      case2: SRH of the netlink message received from user-space (iproute2)
      case3: SRH injected into packets through setsockopt
      
      In case1, the SRH can be encoded in the Reduced way (i.e., first SID is
      carried in DA only and not represented as SID in the SRH) and the
      seg6_validate_srh() now handles this case correctly.
      
      In case2 and case3, the SRH shouldn’t be encoded in the Reduced way
      otherwise we lose the first segment (i.e., the first hop).
      
      The current implementation of the seg6_validate_srh() allows SRH of case2
      and case3 to be encoded in the Reduced way. This leads to a slab-out-of-bounds
      problem.
      
      This patch verifies SRH of case1, case2 and case3. Allowing case1 to be
      reduced while preventing SRH of case2 and case3 from being reduced.
      
      Reported-by: syzbot+e8c028b62439eac42073@syzkaller.appspotmail.com
      Reported-by: YueHaibing <yuehaibing@huawei.com>
      Fixes: 0cb7498f ("seg6: fix SRH processing to comply with RFC8754")
      Signed-off-by: Ahmed Abdelsalam <ahabdels@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
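
The rule described in the seg6 commit message above, as an added user-space example (not the kernel's code and not part of the commit): a validator that accepts the Reduced encoding only for SRHs taken from received packets, so input from netlink or setsockopt can never make Segments Left index past the stored SID list. The names `srh_is_valid`, `srh_active_sid`, `srh_build` and the `allow_reduced` parameter are hypothetical, and TLV validation is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte offsets in the SRH fixed header (RFC 8754); 16-byte SIDs follow it. */
enum { SRH_HDRLEN = 1, SRH_TYPE = 2, SRH_SEGLEFT = 3, SRH_LASTENT = 4,
       SRH_FIXED = 8, SID_LEN = 16, SRH_RTYPE = 4 };

/* allow_reduced (hypothetical parameter): true only for SRHs taken from
 * received packets (case1), false for netlink/setsockopt input (case2/3). */
bool srh_is_valid(const uint8_t *srh, size_t len, bool allow_reduced)
{
    /* Routing type 4, and the declared length must equal the buffer length. */
    if (len < SRH_FIXED || srh[SRH_TYPE] != SRH_RTYPE ||
        ((size_t)srh[SRH_HDRLEN] + 1) * 8 != len)
        return false;
    size_t max_sids = srh[SRH_HDRLEN] / 2;   /* hdrlen counts 8-octet units */
    if (max_sids == 0 || srh[SRH_LASTENT] >= max_sids)
        return false;
    /* Reduced: first SID is only in the IPv6 DA, so Segments Left may be Last Entry + 1. */
    return srh[SRH_SEGLEFT] <= srh[SRH_LASTENT] + (allow_reduced ? 1 : 0);
}

/* Active SID inside the header, or NULL if invalid or carried only in the DA. */
const uint8_t *srh_active_sid(const uint8_t *srh, size_t len, bool allow_reduced)
{
    if (!srh_is_valid(srh, len, allow_reduced) || srh[SRH_SEGLEFT] > srh[SRH_LASTENT])
        return NULL;
    return srh + SRH_FIXED + (size_t)srh[SRH_SEGLEFT] * SID_LEN;
}

/* Constructed sample input: SRH with nsids zeroed SIDs and no TLVs. */
size_t srh_build(uint8_t *out, uint8_t nsids, uint8_t segleft)
{
    size_t len = SRH_FIXED + (size_t)nsids * SID_LEN;
    memset(out, 0, len);
    out[SRH_HDRLEN] = (uint8_t)(nsids * 2);
    out[SRH_TYPE] = SRH_RTYPE;
    out[SRH_SEGLEFT] = segleft;
    out[SRH_LASTENT] = (uint8_t)(nsids - 1);
    return len;
}

int main(void)
{
    uint8_t b[SRH_FIXED + 2 * SID_LEN];
    size_t n = srh_build(b, 2, 2);   /* Segments Left == Last Entry + 1 */
    return srh_is_valid(b, n, true) && !srh_is_valid(b, n, false) ? 0 : 1;
}
```

The same header is accepted on the packet path and rejected on the control-plane paths, which is the asymmetry the commit message describes.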
    • bpf: Fix unused-var without NETDEVICES · 49b23575
      Matthieu Baerts committed
      A recent commit added new variables only used if CONFIG_NETDEVICES is
      set. A simple fix would be to only declare these variables if the same
      condition is valid but Alexei suggested an even simpler solution:
      
          since CONFIG_NETDEVICES doesn't change anything in .h I think the
          best is to remove #ifdef CONFIG_NETDEVICES from net/core/filter.c
          and rely on sock_bindtoindex() returning ENOPROTOOPT in the extreme
          case of oddly configured kernels.
      
      Fixes: 70c58997 ("bpf: Allow SO_BINDTODEVICE opt in bpf_setsockopt")
      Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
      Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: Song Liu <songliubraving@fb.com>
      Link: https://lore.kernel.org/bpf/20200603190347.2310320-1-matthieu.baerts@tessares.net
  7. 03 Jun, 2020 2 commits
  8. 02 Jun, 2020 20 commits
  9. 30 May, 2020 2 commits
  10. 29 May, 2020 5 commits