1. 24 7月, 2018 1 次提交
  2. 20 7月, 2018 5 次提交
  3. 18 7月, 2018 3 次提交
    • T
      netfilter: nft_set_rbtree: fix panic when destroying set by GC · c293ac95
      Taehee Yoo 提交于
      This patch fixes below.
      1. check null pointer of rb_next.
       rb_next can return null. so null check routine should be added.
      2. add rcu_barrier in destroy routine.
       GC uses call_rcu to remove elements. but all elements should be
       removed before destroying set and chains. so that rcu_barrier is added.
      
      test script:
         %cat test.nft
         table inet aa {
      	   map map1 {
      		   type ipv4_addr : verdict; flags interval, timeout;
      		   elements = {
      			   0-1 : jump a0,
      			   3-4 : jump a0,
      			   6-7 : jump a0,
      			   9-10 : jump a0,
      			   12-13 : jump a0,
      			   15-16 : jump a0,
      			   18-19 : jump a0,
      			   21-22 : jump a0,
      			   24-25 : jump a0,
      			   27-28 : jump a0,
      		   }
      		   timeout 1s;
      	   }
      	   chain a0 {
      	   }
         }
         flush ruleset
         table inet aa {
      	   map map1 {
      		   type ipv4_addr : verdict; flags interval, timeout;
      		   elements = {
      			   0-1 : jump a0,
      			   3-4 : jump a0,
      			   6-7 : jump a0,
      			   9-10 : jump a0,
      			   12-13 : jump a0,
      			   15-16 : jump a0,
      			   18-19 : jump a0,
      			   21-22 : jump a0,
      			   24-25 : jump a0,
      			   27-28 : jump a0,
      		   }
      		   timeout 1s;
      	   }
      	   chain a0 {
      	   }
         }
         flush ruleset
      
      splat looks like:
      [ 2402.419838] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [ 2402.428433] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [ 2402.429343] CPU: 1 PID: 1350 Comm: kworker/1:1 Not tainted 4.18.0-rc2+ #1
      [ 2402.429343] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 03/23/2017
      [ 2402.429343] Workqueue: events_power_efficient nft_rbtree_gc [nft_set_rbtree]
      [ 2402.429343] RIP: 0010:rb_next+0x1e/0x130
      [ 2402.429343] Code: e9 de f2 ff ff 0f 1f 80 00 00 00 00 41 55 48 89 fa 41 54 55 53 48 c1 ea 03 48 b8 00 00 00 0
      [ 2402.429343] RSP: 0018:ffff880105f77678 EFLAGS: 00010296
      [ 2402.429343] RAX: dffffc0000000000 RBX: ffff8801143e3428 RCX: 1ffff1002287c69c
      [ 2402.429343] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
      [ 2402.429343] RBP: 0000000000000000 R08: ffffed0016aabc24 R09: ffffed0016aabc24
      [ 2402.429343] R10: 0000000000000001 R11: ffffed0016aabc23 R12: 0000000000000000
      [ 2402.429343] R13: ffff8800b6933388 R14: dffffc0000000000 R15: ffff8801143e3440
      [ 2402.534486] kasan: CONFIG_KASAN_INLINE enabled
      [ 2402.534212] FS:  0000000000000000(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
      [ 2402.534212] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2402.534212] CR2: 0000000000863008 CR3: 00000000a3c16000 CR4: 00000000001006e0
      [ 2402.534212] Call Trace:
      [ 2402.534212]  nft_rbtree_gc+0x2b5/0x5f0 [nft_set_rbtree]
      [ 2402.534212]  process_one_work+0xc1b/0x1ee0
      [ 2402.540329] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [ 2402.534212]  ? _raw_spin_unlock_irq+0x29/0x40
      [ 2402.534212]  ? pwq_dec_nr_in_flight+0x3e0/0x3e0
      [ 2402.534212]  ? set_load_weight+0x270/0x270
      [ 2402.534212]  ? __schedule+0x6ea/0x1fb0
      [ 2402.534212]  ? __sched_text_start+0x8/0x8
      [ 2402.534212]  ? save_trace+0x320/0x320
      [ 2402.534212]  ? sched_clock_local+0xe2/0x150
      [ 2402.534212]  ? find_held_lock+0x39/0x1c0
      [ 2402.534212]  ? worker_thread+0x35f/0x1150
      [ 2402.534212]  ? lock_contended+0xe90/0xe90
      [ 2402.534212]  ? __lock_acquire+0x4520/0x4520
      [ 2402.534212]  ? do_raw_spin_unlock+0xb1/0x350
      [ 2402.534212]  ? do_raw_spin_trylock+0x111/0x1b0
      [ 2402.534212]  ? do_raw_spin_lock+0x1f0/0x1f0
      [ 2402.534212]  worker_thread+0x169/0x1150
      
      Fixes: 8d8540c4("netfilter: nft_set_rbtree: add timeout support")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      c293ac95
    • T
      netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy() · 9970a8e4
      Taehee Yoo 提交于
      GC of set uses call_rcu() to destroy elements.
      So that elements would be destroyed after destroying sets and chains.
      But, elements should be destroyed before destroying sets and chains.
      In order to wait calling call_rcu(), a rcu_barrier() is added.
      
      In order to test correctly, below patch should be applied.
      https://patchwork.ozlabs.org/patch/940883/
      
      test scripts:
         %cat test.nft
         table ip aa {
      	   map map1 {
      		   type ipv4_addr : verdict; flags timeout;
      		   elements = {
      			   0 : jump a0,
      			   1 : jump a0,
      			   2 : jump a0,
      			   3 : jump a0,
      			   4 : jump a0,
      			   5 : jump a0,
      			   6 : jump a0,
      			   7 : jump a0,
      			   8 : jump a0,
      			   9 : jump a0,
      		   }
      		   timeout 1s;
      	   }
      	   chain a0 {
      	   }
         }
         flush ruleset
      
         [ ... ]
      
         table ip aa {
      	   map map1 {
      		   type ipv4_addr : verdict; flags timeout;
      		   elements = {
      			   0 : jump a0,
      			   1 : jump a0,
      			   2 : jump a0,
      			   3 : jump a0,
      			   4 : jump a0,
      			   5 : jump a0,
      			   6 : jump a0,
      			   7 : jump a0,
      			   8 : jump a0,
      			   9 : jump a0,
      		   }
      		   timeout 1s;
      	   }
      	   chain a0 {
      	   }
         }
         flush ruleset
      
      Splat looks like:
      [  200.795603] kernel BUG at net/netfilter/nf_tables_api.c:1363!
      [  200.806944] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  200.812253] CPU: 1 PID: 1582 Comm: nft Not tainted 4.17.0+ #24
      [  200.820297] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
      [  200.830309] RIP: 0010:nf_tables_chain_destroy.isra.34+0x62/0x240 [nf_tables]
      [  200.838317] Code: 43 50 85 c0 74 26 48 8b 45 00 48 8b 4d 08 ba 54 05 00 00 48 c7 c6 60 6d 29 c0 48 c7 c7 c0 65 29 c0
      4c 8b 40 08 e8 58 e5 fd f8 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff
      [  200.860366] RSP: 0000:ffff880118dbf4d0 EFLAGS: 00010282
      [  200.866354] RAX: 0000000000000061 RBX: ffff88010cdeaf08 RCX: 0000000000000000
      [  200.874355] RDX: 0000000000000061 RSI: 0000000000000008 RDI: ffffed00231b7e90
      [  200.882361] RBP: ffff880118dbf4e8 R08: ffffed002373bcfb R09: ffffed002373bcfa
      [  200.890354] R10: 0000000000000000 R11: ffffed002373bcfb R12: dead000000000200
      [  200.898356] R13: dead000000000100 R14: ffffffffbb62af38 R15: dffffc0000000000
      [  200.906354] FS:  00007fefc31fd700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
      [  200.915533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  200.922355] CR2: 0000557f1c8e9128 CR3: 0000000106880000 CR4: 00000000001006e0
      [  200.930353] Call Trace:
      [  200.932351]  ? nf_tables_commit+0x26f6/0x2c60 [nf_tables]
      [  200.939525]  ? nf_tables_setelem_notify.constprop.49+0x1a0/0x1a0 [nf_tables]
      [  200.947525]  ? nf_tables_delchain+0x6e0/0x6e0 [nf_tables]
      [  200.952383]  ? nft_add_set_elem+0x1700/0x1700 [nf_tables]
      [  200.959532]  ? nla_parse+0xab/0x230
      [  200.963529]  ? nfnetlink_rcv_batch+0xd06/0x10d0 [nfnetlink]
      [  200.968384]  ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
      [  200.975525]  ? debug_show_all_locks+0x290/0x290
      [  200.980363]  ? debug_show_all_locks+0x290/0x290
      [  200.986356]  ? sched_clock_cpu+0x132/0x170
      [  200.990352]  ? find_held_lock+0x39/0x1b0
      [  200.994355]  ? sched_clock_local+0x10d/0x130
      [  200.999531]  ? memset+0x1f/0x40
      
      Fixes: 9d098292 ("netfilter: nft_hash: add support for timeouts")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      9970a8e4
    • T
      netfilter: nf_tables: fix jumpstack depth validation · 26b2f552
      Taehee Yoo 提交于
      The level of struct nft_ctx is updated by nf_tables_check_loops().  That
      is used to validate jumpstack depth. But jumpstack validation routine
      doesn't update and validate recursively.  So, in some cases, chain depth
      can be bigger than the NFT_JUMP_STACK_SIZE.
      
      After this patch, The jumpstack validation routine is located in the
      nft_chain_validate(). When new rules or new set elements are added, the
      nft_table_validate() is called by the nf_tables_newrule and the
      nf_tables_newsetelem. The nft_table_validate() calls the
      nft_chain_validate() that visit all their children chains recursively.
      So it can update depth of chain certainly.
      
      Reproducer:
         %cat ./test.sh
         #!/bin/bash
         nft add table ip filter
         nft add chain ip filter input { type filter hook input priority 0\; }
         for ((i=0;i<20;i++)); do
      	nft add chain ip filter a$i
         done
      
         nft add rule ip filter input jump a1
      
         for ((i=0;i<10;i++)); do
      	nft add rule ip filter a$i jump a$((i+1))
         done
      
         for ((i=11;i<19;i++)); do
      	nft add rule ip filter a$i jump a$((i+1))
         done
      
         nft add rule ip filter a10 jump a11
      
      Result:
      [  253.931782] WARNING: CPU: 1 PID: 0 at net/netfilter/nf_tables_core.c:186 nft_do_chain+0xacc/0xdf0 [nf_tables]
      [  253.931915] Modules linked in: nf_tables nfnetlink ip_tables x_tables
      [  253.932153] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.18.0-rc3+ #48
      [  253.932153] RIP: 0010:nft_do_chain+0xacc/0xdf0 [nf_tables]
      [  253.932153] Code: 83 f8 fb 0f 84 c7 00 00 00 e9 d0 00 00 00 83 f8 fd 74 0e 83 f8 ff 0f 84 b4 00 00 00 e9 bd 00 00 00 83 bd 64 fd ff ff 0f 76 09 <0f> 0b 31 c0 e9 bc 02 00 00 44 8b ad 64 fd
      [  253.933807] RSP: 0018:ffff88011b807570 EFLAGS: 00010212
      [  253.933807] RAX: 00000000fffffffd RBX: ffff88011b807660 RCX: 0000000000000000
      [  253.933807] RDX: 0000000000000010 RSI: ffff880112b39d78 RDI: ffff88011b807670
      [  253.933807] RBP: ffff88011b807850 R08: ffffed0023700ece R09: ffffed0023700ecd
      [  253.933807] R10: ffff88011b80766f R11: ffffed0023700ece R12: ffff88011b807898
      [  253.933807] R13: ffff880112b39d80 R14: ffff880112b39d60 R15: dffffc0000000000
      [  253.933807] FS:  0000000000000000(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
      [  253.933807] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  253.933807] CR2: 00000000014f1008 CR3: 000000006b216000 CR4: 00000000001006e0
      [  253.933807] Call Trace:
      [  253.933807]  <IRQ>
      [  253.933807]  ? sched_clock_cpu+0x132/0x170
      [  253.933807]  ? __nft_trace_packet+0x180/0x180 [nf_tables]
      [  253.933807]  ? sched_clock_cpu+0x132/0x170
      [  253.933807]  ? debug_show_all_locks+0x290/0x290
      [  253.933807]  ? __lock_acquire+0x4835/0x4af0
      [  253.933807]  ? inet_ehash_locks_alloc+0x1a0/0x1a0
      [  253.933807]  ? unwind_next_frame+0x159e/0x1840
      [  253.933807]  ? __read_once_size_nocheck.constprop.4+0x5/0x10
      [  253.933807]  ? nft_do_chain_ipv4+0x197/0x1e0 [nf_tables]
      [  253.933807]  ? nft_do_chain+0x5/0xdf0 [nf_tables]
      [  253.933807]  nft_do_chain_ipv4+0x197/0x1e0 [nf_tables]
      [  253.933807]  ? nft_do_chain_arp+0xb0/0xb0 [nf_tables]
      [  253.933807]  ? __lock_is_held+0x9d/0x130
      [  253.933807]  nf_hook_slow+0xc4/0x150
      [  253.933807]  ip_local_deliver+0x28b/0x380
      [  253.933807]  ? ip_call_ra_chain+0x3e0/0x3e0
      [  253.933807]  ? ip_rcv_finish+0x1610/0x1610
      [  253.933807]  ip_rcv+0xbcc/0xcc0
      [  253.933807]  ? debug_show_all_locks+0x290/0x290
      [  253.933807]  ? ip_local_deliver+0x380/0x380
      [  253.933807]  ? __lock_is_held+0x9d/0x130
      [  253.933807]  ? ip_local_deliver+0x380/0x380
      [  253.933807]  __netif_receive_skb_core+0x1c9c/0x2240
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      26b2f552
  4. 17 7月, 2018 24 次提交
    • U
      net/smc: take sock lock in smc_ioctl() · 1992d998
      Ursula Braun 提交于
      SMC ioctl processing requires the sock lock to work properly in
      all thinkable scenarios.
      Problem has been found with RaceFuzzer and fixes:
         KASAN: null-ptr-deref Read in smc_ioctl
      Reported-by: NByoungyoung Lee <lifeasageek@gmail.com>
      Reported-by: syzbot+35b2c5aa76fd398b9fd4@syzkaller.appspotmail.com
      Signed-off-by: NUrsula Braun <ubraun@linux.ibm.com>
      Reviewed-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1992d998
    • D
      Merge branch 'tg3-fixes' · bd598d20
      David S. Miller 提交于
      Siva Reddy Kallam says:
      
      ====================
      tg3: Update copyright and fix for tx timeout with 5762
      
      First patch:
              Update copyright
      
      Second patch:
              Add higher cpu clock for 5762
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bd598d20
    • S
      tg3: Add higher cpu clock for 5762. · 3a498606
      Sanjeev Bansal 提交于
      This patch has fix for TX timeout while running bi-directional
      traffic with 100 Mbps using 5762.
      Signed-off-by: NSanjeev Bansal <sanjeevb.bansal@broadcom.com>
      Signed-off-by: NSiva Reddy Kallam <siva.kallam@broadcom.com>
      Reviewed-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3a498606
    • S
      0f2605fb
    • J
      ibmvnic: Fix error recovery on login failure · 3578a7ec
      John Allen 提交于
      Testing has uncovered a failure case that is not handled properly. In the
      event that a login fails and we are not able to recover on the spot, we
      return 0 from do_reset, preventing any error recovery code from being
      triggered.  Additionally, the state is set to "probed" meaning that when we
      are able to trigger the error recovery, the driver always comes up in the
      probed state. To handle the case properly, we need to return a failure code
      here and set the adapter state to the state that we entered the reset in
      indicating the state that we would like to come out of the recovery reset
      in.
      Signed-off-by: NJohn Allen <jallen@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3578a7ec
    • S
      net: lan78xx: Fix race in tx pending skb size calculation · dea39aca
      Stefan Wahren 提交于
      The skb size calculation in lan78xx_tx_bh is in race with the start_xmit,
      which could lead to rare kernel oopses. So protect the whole skb walk with
      a spin lock. As a benefit we can unlink the skb directly.
      
      This patch was tested on Raspberry Pi 3B+
      
      Link: https://github.com/raspberrypi/linux/issues/2608
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NFloris Bos <bos@je-eigen-domein.nl>
      Signed-off-by: NStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dea39aca
    • D
      net/ipv6: Do not allow device only routes via the multipath API · b5d2d75e
      David Ahern 提交于
      Eric reported that reverting the patch that fixed and simplified IPv6
      multipath routes means reverting back to invalid userspace notifications.
      eg.,
      $ ip -6 route add 2001:db8:1::/64 nexthop dev eth0 nexthop dev eth1
      
      only generates a single notification:
      2001:db8:1::/64 dev eth0 metric 1024 pref medium
      
      While working on a fix for this problem I found another case that is just
      broken completely - a multipath route with a gateway followed by device
      followed by gateway:
          $ ip -6 ro add 2001:db8:103::/64
                nexthop via 2001:db8:1::64
                nexthop dev dummy2
                nexthop via 2001:db8:3::64
      
      In this case the device only route is dropped completely - no notification
      to userpsace but no addition to the FIB either:
      
      $ ip -6 ro ls
      2001:db8:1::/64 dev dummy1 proto kernel metric 256 pref medium
      2001:db8:2::/64 dev dummy2 proto kernel metric 256 pref medium
      2001:db8:3::/64 dev dummy3 proto kernel metric 256 pref medium
      2001:db8:103::/64 metric 1024
      	nexthop via 2001:db8:1::64 dev dummy1 weight 1
      	nexthop via 2001:db8:3::64 dev dummy3 weight 1 pref medium
      fe80::/64 dev dummy1 proto kernel metric 256 pref medium
      fe80::/64 dev dummy2 proto kernel metric 256 pref medium
      fe80::/64 dev dummy3 proto kernel metric 256 pref medium
      
      Really, IPv6 multipath is just FUBAR'ed beyond repair when it comes to
      device only routes, so do not allow it all.
      
      This change will break any scripts relying on the mpath api for insert,
      but I don't see any other way to handle the permutations. Besides, since
      the routes are added to the FIB as standalone (non-multipath) routes the
      kernel is not doing what the user requested, so it might as well tell the
      user that.
      Reported-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b5d2d75e
    • S
      tcp: Fix broken repair socket window probe patch · 31048d7a
      Stefan Baranoff 提交于
      Correct previous bad attempt at allowing sockets to come out of TCP
      repair without sending window probes. To avoid changing size of
      the repair variable in struct tcp_sock, this lets the decision for
      sending probes or not to be made when coming out of repair by
      introducing two ways to turn it off.
      
      v2:
      * Remove erroneous comment; defines now make behavior clear
      
      Fixes: 70b7ff13 ("tcp: allow user to create repair socket without window probes")
      Signed-off-by: NStefan Baranoff <sbaranoff@gmail.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NAndrei Vagin <avagin@virtuozzo.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      31048d7a
    • S
      net/mlx4_en: Don't reuse RX page when XDP is set · 432e629e
      Saeed Mahameed 提交于
      When a new rx packet arrives, the rx path will decide whether to reuse
      the remainder of the page or not according to one of the below conditions:
      1. frag_info->frag_stride == PAGE_SIZE / 2
      2. frags->page_offset + frag_info->frag_size > PAGE_SIZE;
      
      The first condition is no met for when XDP is set.
      For XDP, page_offset is always set to priv->rx_headroom which is
      XDP_PACKET_HEADROOM and frag_info->frag_size is around mtu size + some
      padding, still the 2nd release condition will hold since
      XDP_PACKET_HEADROOM + 1536 < PAGE_SIZE, as a result the page will not
      be released and will be _wrongly_ reused for next free rx descriptor.
      
      In XDP there is an assumption to have a page per packet and reuse can
      break such assumption and might cause packet data corruptions.
      
      Fix this by adding an extra condition (!priv->rx_headroom) to the 2nd
      case to avoid page reuse when XDP is set, since rx_headroom is set to 0
      for non XDP setup and set to XDP_PACKET_HEADROOM for XDP setup.
      
      No additional cache line is required for the new condition.
      
      Fixes: 34db548b ("mlx4: add page recycling in receive path")
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NTariq Toukan <tariqt@mellanox.com>
      Suggested-by: NMartin KaFai Lau <kafai@fb.com>
      CC: Eric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      432e629e
    • R
      net/ethernet/freescale/fman: fix cross-build error · c1334597
      Randy Dunlap 提交于
        CC [M]  drivers/net/ethernet/freescale/fman/fman.o
      In file included from ../drivers/net/ethernet/freescale/fman/fman.c:35:
      ../include/linux/fsl/guts.h: In function 'guts_set_dmacr':
      ../include/linux/fsl/guts.h:165:2: error: implicit declaration of function 'clrsetbits_be32' [-Werror=implicit-function-declaration]
        clrsetbits_be32(&guts->dmacr, 3 << shift, device << shift);
        ^~~~~~~~~~~~~~~
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Cc: Madalin Bucur <madalin.bucur@nxp.com>
      Cc: netdev@vger.kernel.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c1334597
    • S
      hv/netvsc: fix handling of fallback to single queue mode · 916c5e14
      Stephen Hemminger 提交于
      The netvsc device may need to fallback to running in single queue
      mode if host side only wants to support single queue.
      
      Recent change for handling mtu broke this in setup logic.
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 3ffe64f1 ("hv_netvsc: split sub-channel setup into async and sync")
      Signed-off-by: NStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      916c5e14
    • T
      ibmvnic: Revise RX/TX queue error messages · 2d14d379
      Thomas Falcon 提交于
      During a device failover, there may be latency between the loss
      of the current backing device and a notification from firmware that
      a failover has occurred. This latency can result in a large amount of
      error printouts as firmware returns outgoing traffic with a generic
      error code. These are not necessarily errors in this case as the
      firmware is busy swapping in a new backing adapter and is not ready
      to send packets yet. This patch reclassifies those error codes as
      warnings with an explanation that a failover may be pending. All
      other return codes will be considered errors.
      Signed-off-by: NThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2d14d379
    • S
      ipv6: make DAD fail with enhanced DAD when nonce length differs · e6651599
      Sabrina Dubroca 提交于
      Commit adc176c5 ("ipv6 addrconf: Implemented enhanced DAD (RFC7527)")
      added enhanced DAD with a nonce length of 6 bytes. However, RFC7527
      doesn't specify the length of the nonce, other than being 6 + 8*k bytes,
      with integer k >= 0 (RFC3971 5.3.2). The current implementation simply
      assumes that the nonce will always be 6 bytes, but others systems are
      free to choose different sizes.
      
      If another system sends a nonce of different length but with the same 6
      bytes prefix, it shouldn't be considered as the same nonce. Thus, check
      that the length of the received nonce is the same as the length we sent.
      
      Ugly scapy test script running on veth0:
      
      def loop():
          pkt=sniff(iface="veth0", filter="icmp6", count=1)
          pkt = pkt[0]
          b = bytearray(pkt[Raw].load)
          b[1] += 1
          b += b'\xde\xad\xbe\xef\xde\xad\xbe\xef'
          pkt[Raw].load = bytes(b)
          pkt[IPv6].plen += 8
          # fixup checksum after modifying the payload
          pkt[IPv6].payload.cksum -= 0x3b44
          if pkt[IPv6].payload.cksum < 0:
              pkt[IPv6].payload.cksum += 0xffff
          sendp(pkt, iface="veth0")
      
      This should result in DAD failure for any address added to veth0's peer,
      but is currently ignored.
      
      Fixes: adc176c5 ("ipv6 addrconf: Implemented enhanced DAD (RFC7527)")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e6651599
    • C
      net: ethernet: stmmac: fix documentation warning · 014dd768
      Corentin Labbe 提交于
      This patch remove the following documentation warning
      drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c:103: warning: Excess function parameter 'priv' description in 'stmmac_axi_setup'
      It was introduced in commit afea0365 ("stmmac: rework DMA bus setting and introduce new platform AXI structure")
      Signed-off-by: NCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      014dd768
    • C
      net: stmmac: dwmac-sun8i: fix typo descrive => describe · 56c266dc
      Corentin Labbe 提交于
      This patch fix a typo in the word Describe
      Signed-off-by: NCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      56c266dc
    • P
      net: ip6_gre: get ipv6hdr after skb_cow_head() · b7ed8794
      Prashant Bhole 提交于
      A KASAN:use-after-free bug was found related to ip6-erspan
      while running selftests/net/ip6_gre_headroom.sh
      
      It happens because of following sequence:
      - ipv6hdr pointer is obtained from skb
      - skb_cow_head() is called, skb->head memory is reallocated
      - old data is accessed using ipv6hdr pointer
      
      skb_cow_head() call was added in e41c7c68 ("ip6erspan: make sure
      enough headroom at xmit."), but looking at the history there was a
      chance of similar bug because gre_handle_offloads() and pskb_trim()
      can also reallocate skb->head memory. Fixes tag points to commit
      which introduced possibility of this bug.
      
      This patch moves ipv6hdr pointer assignment after skb_cow_head() call.
      
      Fixes: 5a963eb6 ("ip6_gre: Add ERSPAN native tunnel support")
      Signed-off-by: NPrashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
      Reviewed-by: NGreg Rose <gvrose8192@gmail.com>
      Acked-by: NWilliam Tu <u9012063@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b7ed8794
    • T
      tun: Fix use-after-free on XDP_TX · 6e8cfd6d
      Toshiaki Makita 提交于
      On XDP_TX we need to free up the frame only when tun_xdp_tx() returns a
      negative value. A positive value indicates that the packet is
      successfully enqueued to the ptr_ring, so freeing the page causes
      use-after-free.
      
      Fixes: 735fc405 ("xdp: change ndo_xdp_xmit API to support bulking")
      Signed-off-by: NToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Acked-by: NJason Wang <jasowang@redhat.com>
      Acked-by: NJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6e8cfd6d
    • M
      bonding: Fix a typo in bonding.txt · 9f80a072
      Masanari Iida 提交于
      This patch fixes a spelling typo in bonding.txt
      Signed-off-by: NMasanari Iida <standby24x7@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9f80a072
    • D
      tls: Stricter error checking in zerocopy sendmsg path · 32da1221
      Dave Watson 提交于
      In the zerocopy sendmsg() path, there are error checks to revert
      the zerocopy if we get any error code.  syzkaller has discovered
      that tls_push_record can return -ECONNRESET, which is fatal, and
      happens after the point at which it is safe to revert the iter,
      as we've already passed the memory to do_tcp_sendpages.
      
      Previously this code could return -ENOMEM and we would want to
      revert the iter, but AFAIK this no longer returns ENOMEM after
      a447da7d ("tls: fix waitall behavior in tls_sw_recvmsg"),
      so we fail for all error codes.
      
      Reported-by: syzbot+c226690f7b3126c5ee04@syzkaller.appspotmail.com
      Reported-by: syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com
      Signed-off-by: NDave Watson <davejwatson@fb.com>
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      32da1221
    • C
    • E
      KEYS: DNS: fix parsing multiple options · c604cb76
      Eric Biggers 提交于
      My recent fix for dns_resolver_preparse() printing very long strings was
      incomplete, as shown by syzbot which still managed to hit the
      WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:
      
          precision 50001 too large
          WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0
      
      The bug this time isn't just a printing bug, but also a logical error
      when multiple options ("#"-separated strings) are given in the key
      payload.  Specifically, when separating an option string into name and
      value, if there is no value then the name is incorrectly considered to
      end at the end of the key payload, rather than the end of the current
      option.  This bypasses validation of the option length, and also means
      that specifying multiple options is broken -- which presumably has gone
      unnoticed as there is currently only one valid option anyway.
      
      A similar problem also applied to option values, as the kstrtoul() when
      parsing the "dnserror" option will read past the end of the current
      option and into the next option.
      
      Fix these bugs by correctly computing the length of the option name and
      by copying the option value, null-terminated, into a temporary buffer.
      
      Reproducer for the WARN_ONCE() that syzbot hit:
      
          perl -e 'print "#A#", "\0" x 50000' | keyctl padd dns_resolver desc @s
      
      Reproducer for "dnserror" option being parsed incorrectly (expected
      behavior is to fail when seeing the unknown option "foo", actual
      behavior was to read the dnserror value as "1#foo" and fail there):
      
          perl -e 'print "#dnserror=1#foo\0"' | keyctl padd dns_resolver desc @s
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Fixes: 4a2d7892 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c604cb76
    • D
      Merge branch 'multicast-init-as-INCLUDE-when-join-SSM-INCLUDE-group' · 8e05fd83
      David S. Miller 提交于
      Hangbin Liu says:
      
      ====================
      multicast: init as INCLUDE when join SSM INCLUDE group
      
      Based on RFC3376 5.1 and RFC3810 6.1, we should init as INCLUDE when join SSM
      INCLUDE group. In my first version I only clear the group change record. But
      this is not enough as when a new group join, it will init as EXCLUDE and
      trigger an filter mode change in ip/ip6_mc_add_src(), which will clear all
      source addresses' sf_crcount. This will prevent early joined address sending
      state change records if multi source addresses joined at the same time.
      
      In this v2 patchset, I fixed it by directly initializing the mode to INCLUDE
      for SSM JOIN_SOURCE_GROUP. I also split the original patch into two separated
      patches for IPv4 and IPv6.
      
      Test: test by myself and customer.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8e05fd83
    • H
      ipv6/mcast: init as INCLUDE when join SSM INCLUDE group · c7ea20c9
      Hangbin Liu 提交于
      This an IPv6 version patch of "ipv4/igmp: init group mode as INCLUDE when
      join source group". From RFC3810, part 6.1:
      
         If no per-interface state existed for that
         multicast address before the change (i.e., the change consisted of
         creating a new per-interface record), or if no state exists after the
         change (i.e., the change consisted of deleting a per-interface
         record), then the "non-existent" state is considered to have an
         INCLUDE filter mode and an empty source list.
      
      Which means a new multicast group should start with state IN(). Currently,
      for MLDv2 SSM JOIN_SOURCE_GROUP mode, we first call ipv6_sock_mc_join(),
      then ip6_mc_source(), which will trigger a TO_IN() message instead of
      ALLOW().
      
      The issue was exposed by commit a052517a ("net/multicast: should not
      send source list records when have filter mode change"). Before this change,
      we sent both ALLOW(A) and TO_IN(A). Now, we only send TO_IN(A).
      
      Fix it by adding a new parameter to init group mode. Also add some wrapper
      functions to avoid changing too much code.
      
      v1 -> v2:
      In the first version I only cleared the group change record. But this is not
      enough. Because when a new group join, it will init as EXCLUDE and trigger
      a filter mode change in ip/ip6_mc_add_src(), which will clear all source
      addresses sf_crcount. This will prevent early joined address sending state
      change records if multi source addressed joined at the same time.
      
      In v2 patch, I fixed it by directly initializing the mode to INCLUDE for SSM
      JOIN_SOURCE_GROUP. I also split the original patch into two separated patches
      for IPv4 and IPv6.
      
      There is also a difference between v4 and v6 version. For IPv6, when the
      interface goes down and up, we will send correct state change record with
      unspecified IPv6 address (::) with function ipv6_mc_up(). But after DAD is
      completed, we resend the change record TO_IN() in mld_send_initial_cr().
      Fix it by sending ALLOW() for INCLUDE mode in mld_send_initial_cr().
      
      Fixes: a052517a ("net/multicast: should not send source list records when have filter mode change")
      Reviewed-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c7ea20c9
    • H
      ipv4/igmp: init group mode as INCLUDE when join source group · 6e2059b5
      Hangbin Liu 提交于
      Based on RFC3376 5.1
         If no interface
         state existed for that multicast address before the change (i.e., the
         change consisted of creating a new per-interface record), or if no
         state exists after the change (i.e., the change consisted of deleting
         a per-interface record), then the "non-existent" state is considered
         to have a filter mode of INCLUDE and an empty source list.
      
      Which means a new multicast group should start with state IN().
      
      Function ip_mc_join_group() works correctly for IGMP ASM(Any-Source Multicast)
      mode. It adds a group with state EX() and inits crcount to mc_qrv,
      so the kernel will send a TO_EX() report message after adding group.
      
      But for IGMPv3 SSM(Source-specific multicast) JOIN_SOURCE_GROUP mode, we
      split the group joining into two steps. First we join the group like ASM,
      i.e. via ip_mc_join_group(). So the state changes from IN() to EX().
      
      Then we add the source-specific address with INCLUDE mode. So the state
      changes from EX() to IN(A).
      
      Before the first step sends a group change record, we finished the second
      step. So we will only send the second change record. i.e. TO_IN(A).
      
      Regarding the RFC stands, we should actually send an ALLOW(A) message for
      SSM JOIN_SOURCE_GROUP as the state should mimic the 'IN() to IN(A)'
      transition.
      
      The issue was exposed by commit a052517a ("net/multicast: should not
      send source list records when have filter mode change"). Before this change,
      we used to send both ALLOW(A) and TO_IN(A). After this change we only send
      TO_IN(A).
      
      Fix it by adding a new parameter to init group mode. Also add new wrapper
      functions so we don't need to change too much code.
      
      v1 -> v2:
      In my first version I only cleared the group change record. But this is not
      enough. Because when a new group join, it will init as EXCLUDE and trigger
      an filter mode change in ip/ip6_mc_add_src(), which will clear all source
      addresses' sf_crcount. This will prevent early joined address sending state
      change records if multi source addressed joined at the same time.
      
      In v2 patch, I fixed it by directly initializing the mode to INCLUDE for SSM
      JOIN_SOURCE_GROUP. I also split the original patch into two separated patches
      for IPv4 and IPv6.
      
      Fixes: a052517a ("net/multicast: should not send source list records when have filter mode change")
      Reviewed-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6e2059b5
  5. 14 7月, 2018 7 次提交
    • D
      Merge branch 'fix-DCTCP-delayed-ACK' · 6bed5e26
      David S. Miller 提交于
      Yuchung Cheng says:
      
      ====================
      fix DCTCP delayed ACK
      
      This patch series addresses the issue that sometimes DCTCP
      fail to acknowledge the latest sequence and result in sender timeout
      if inflight is small.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6bed5e26
    • Y
      tcp: remove DELAYED ACK events in DCTCP · a69258f7
      Yuchung Cheng 提交于
      After fixing the way DCTCP tracking delayed ACKs, the delayed-ACK
      related callbacks are no longer needed
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Acked-by: NLawrence Brakmo <brakmo@fb.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a69258f7
    • Y
      tcp: fix dctcp delayed ACK schedule · b0c05d0e
      Yuchung Cheng 提交于
      Previously, when a data segment was sent an ACK was piggybacked
      on the data segment without generating a CA_EVENT_NON_DELAYED_ACK
      event to notify congestion control modules. So the DCTCP
      ca->delayed_ack_reserved flag could incorrectly stay set when
      in fact there were no delayed ACKs being reserved. This could result
      in sending a special ECN notification ACK that carries an older
      ACK sequence, when in fact there was no need for such an ACK.
      DCTCP keeps track of the delayed ACK status with its own separate
      state ca->delayed_ack_reserved. Previously it may accidentally cancel
      the delayed ACK without updating this field upon sending a special
      ACK that carries a older ACK sequence. This inconsistency would
      lead to DCTCP receiver never acknowledging the latest data until the
      sender times out and retry in some cases.
      
      Packetdrill script (provided by Larry Brakmo)
      
      0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
      0.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
      0.000 setsockopt(3, SOL_TCP, TCP_CONGESTION, "dctcp", 5) = 0
      0.000 bind(3, ..., ...) = 0
      0.000 listen(3, 1) = 0
      
      0.100 < [ect0] SEW 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
      0.100 > SE. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 8>
      0.110 < [ect0] . 1:1(0) ack 1 win 257
      0.200 accept(3, ..., ...) = 4
      
      0.200 < [ect0] . 1:1001(1000) ack 1 win 257
      0.200 > [ect01] . 1:1(0) ack 1001
      
      0.200 write(4, ..., 1) = 1
      0.200 > [ect01] P. 1:2(1) ack 1001
      
      0.200 < [ect0] . 1001:2001(1000) ack 2 win 257
      0.200 write(4, ..., 1) = 1
      0.200 > [ect01] P. 2:3(1) ack 2001
      
      0.200 < [ect0] . 2001:3001(1000) ack 3 win 257
      0.200 < [ect0] . 3001:4001(1000) ack 3 win 257
      0.200 > [ect01] . 3:3(0) ack 4001
      
      0.210 < [ce] P. 4001:4501(500) ack 3 win 257
      
      +0.001 read(4, ..., 4500) = 4500
      +0 write(4, ..., 1) = 1
      +0 > [ect01] PE. 3:4(1) ack 4501
      
      +0.010 < [ect0] W. 4501:5501(1000) ack 4 win 257
      // Previously the ACK sequence below would be 4501, causing a long RTO
      +0.040~+0.045 > [ect01] . 4:4(0) ack 5501   // delayed ack
      
      +0.311 < [ect0] . 5501:6501(1000) ack 4 win 257  // More data
      +0 > [ect01] . 4:4(0) ack 6501     // now acks everything
      
      +0.500 < F. 9501:9501(0) ack 4 win 257
      Reported-by: NLarry Brakmo <brakmo@fb.com>
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Acked-by: NLawrence Brakmo <brakmo@fb.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b0c05d0e
    • D
      qlogic: check kstrtoul() for errors · 5fc853cc
      Dan Carpenter 提交于
      We accidentally left out the error handling for kstrtoul().
      
      Fixes: a520030e ("qlcnic: Implement flash sysfs callback for 83xx adapter")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5fc853cc
    • M
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · c849eb0d
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-07-13
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix AF_XDP TX error reporting before final kernel release such that it
         becomes consistent between copy mode and zero-copy, from Magnus.
      
      2) Fix three different syzkaller reported issues: oob due to ld_abs
         rewrite with too large offset, another oob in l3 based skb test run
         and a bug leaving mangled prog in subprog JITing error path, from Daniel.
      
      3) Fix BTF handling for bitfield extraction on big endian, from Okash.
      
      4) Fix a missing linux/errno.h include in cgroup/BPF found by kbuild bot,
         from Roman.
      
      5) Fix xdp2skb_meta.sh sample by using just command names instead of
         absolute paths for tc and ip and allow them to be redefined, from Taeung.
      
      6) Fix availability probing for BPF seg6 helpers before final kernel ships
         so they can be detected at prog load time, from Mathieu.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c849eb0d
    • S
      skbuff: Unconditionally copy pfmemalloc in __skb_clone() · e78bfb07
      Stefano Brivio 提交于
      Commit 8b700862 ("net: Don't copy pfmemalloc flag in
      __copy_skb_header()") introduced a different handling for the
      pfmemalloc flag in copy and clone paths.
      
      In __skb_clone(), now, the flag is set only if it was set in the
      original skb, but not cleared if it wasn't. This is wrong and
      might lead to socket buffers being flagged with pfmemalloc even
      if the skb data wasn't allocated from pfmemalloc reserves. Copy
      the flag instead of ORing it.
      Reported-by: NSabrina Dubroca <sd@queasysnail.net>
      Fixes: 8b700862 ("net: Don't copy pfmemalloc flag in __copy_skb_header()")
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Tested-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e78bfb07