1. 19 Jan, 2021 7 commits
  2. 18 Jan, 2021 3 commits
  3. 17 Jan, 2021 1 commit
  4. 16 Jan, 2021 4 commits
    • Eric Dumazet's avatar
      net_sched: avoid shift-out-of-bounds in tcindex_set_parms() · bcd0cf19
      Eric Dumazet authored
      tc_index being 16bit wide, we need to check that TCA_TCINDEX_SHIFT
      attribute is not silly.
      
      UBSAN: shift-out-of-bounds in net/sched/cls_tcindex.c:260:29
      shift exponent 255 is too large for 32-bit type 'int'
      CPU: 0 PID: 8516 Comm: syz-executor228 Not tainted 5.10.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x107/0x163 lib/dump_stack.c:120
       ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
       __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
       valid_perfect_hash net/sched/cls_tcindex.c:260 [inline]
       tcindex_set_parms.cold+0x1b/0x215 net/sched/cls_tcindex.c:425
       tcindex_change+0x232/0x340 net/sched/cls_tcindex.c:546
       tc_new_tfilter+0x13fb/0x21b0 net/sched/cls_api.c:2127
       rtnetlink_rcv_msg+0x8b6/0xb80 net/core/rtnetlink.c:5555
       netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
       netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
       netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
       netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:672
       ____sys_sendmsg+0x6e8/0x810 net/socket.c:2336
       ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20210114185229.1742255-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      bcd0cf19
    • Eric Dumazet's avatar
      net_sched: gen_estimator: support large ewma log · dd5e0733
      Eric Dumazet authored
      syzbot report reminded us that very big ewma_log were supported in the past,
      even if they made litle sense.
      
      tc qdisc replace dev xxx root est 1sec 131072sec ...
      
      While fixing the bug, also add boundary checks for ewma_log, in line
      with range supported by iproute2.
      
      UBSAN: shift-out-of-bounds in net/core/gen_estimator.c:83:38
      shift exponent -1 is negative
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x107/0x163 lib/dump_stack.c:120
       ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
       __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
       est_timer.cold+0xbb/0x12d net/core/gen_estimator.c:83
       call_timer_fn+0x1a5/0x710 kernel/time/timer.c:1417
       expire_timers kernel/time/timer.c:1462 [inline]
       __run_timers.part.0+0x692/0xa80 kernel/time/timer.c:1731
       __run_timers kernel/time/timer.c:1712 [inline]
       run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1744
       __do_softirq+0x2bc/0xa77 kernel/softirq.c:343
       asm_call_irq_on_stack+0xf/0x20
       </IRQ>
       __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
       run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
       do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
       invoke_softirq kernel/softirq.c:226 [inline]
       __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:420
       irq_exit_rcu+0x5/0x20 kernel/softirq.c:432
       sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1096
       asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628
      RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
      RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:79 [inline]
      RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:169 [inline]
      RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
      RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:516
      
      Fixes: 1c0d32fd ("net_sched: gen_estimator: complete rewrite of rate estimators")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20210114181929.1717985-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      dd5e0733
    • Eric Dumazet's avatar
      net_sched: reject silly cell_log in qdisc_get_rtab() · e4bedf48
      Eric Dumazet authored
      iproute2 probably never goes beyond 8 for the cell exponent,
      but stick to the max shift exponent for signed 32bit.
      
      UBSAN reported:
      UBSAN: shift-out-of-bounds in net/sched/sch_api.c:389:22
      shift exponent 130 is too large for 32-bit type 'int'
      CPU: 1 PID: 8450 Comm: syz-executor586 Not tainted 5.11.0-rc3-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x183/0x22e lib/dump_stack.c:120
       ubsan_epilogue lib/ubsan.c:148 [inline]
       __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395
       __detect_linklayer+0x2a9/0x330 net/sched/sch_api.c:389
       qdisc_get_rtab+0x2b5/0x410 net/sched/sch_api.c:435
       cbq_init+0x28f/0x12c0 net/sched/sch_cbq.c:1180
       qdisc_create+0x801/0x1470 net/sched/sch_api.c:1246
       tc_modify_qdisc+0x9e3/0x1fc0 net/sched/sch_api.c:1662
       rtnetlink_rcv_msg+0xb1d/0xe60 net/core/rtnetlink.c:5564
       netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2494
       netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
       netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1330
       netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1919
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg net/socket.c:672 [inline]
       ____sys_sendmsg+0x5a2/0x900 net/socket.c:2345
       ___sys_sendmsg net/socket.c:2399 [inline]
       __sys_sendmsg+0x319/0x400 net/socket.c:2432
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarCong Wang <cong.wang@bytedance.com>
      Link: https://lore.kernel.org/r/20210114160637.1660597-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e4bedf48
    • Jakub Kicinski's avatar
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · e23a8d00
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-01-16
      
      1) Fix a double bpf_prog_put() for BPF_PROG_{TYPE_EXT,TYPE_TRACING} types in
         link creation's error path causing a refcount underflow, from Jiri Olsa.
      
      2) Fix BTF validation errors for the case where kernel modules don't declare
         any new types and end up with an empty BTF, from Andrii Nakryiko.
      
      3) Fix BPF local storage helpers to first check their {task,inode} owners for
         being NULL before access, from KP Singh.
      
      4) Fix a memory leak in BPF setsockopt handling for the case where optlen is
         zero and thus temporary optval buffer should be freed, from Stanislav Fomichev.
      
      5) Fix a syzbot memory allocation splat in BPF_PROG_TEST_RUN infra for
         raw_tracepoint caused by too big ctx_size_in, from Song Liu.
      
      6) Fix LLVM code generation issues with verifier where PTR_TO_MEM{,_OR_NULL}
         registers were spilled to stack but not recognized, from Gilad Reti.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        MAINTAINERS: Update my email address
        selftests/bpf: Add verifier test for PTR_TO_MEM spill
        bpf: Support PTR_TO_MEM{,_OR_NULL} register spilling
        bpf: Reject too big ctx_size_in for raw_tp test run
        libbpf: Allow loading empty BTFs
        bpf: Allow empty module BTFs
        bpf: Don't leak memory in bpf getsockopt when optlen == 0
        bpf: Update local storage test to check handling of null ptrs
        bpf: Fix typo in bpf_inode_storage.c
        bpf: Local storage helpers should check nullness of owner ptr passed
        bpf: Prevent double bpf_prog_put call from bpf_tracing_prog_attach
      ====================
      
      Link: https://lore.kernel.org/r/20210116002025.15706-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e23a8d00
  5. 15 Jan, 2021 3 commits
  6. 14 Jan, 2021 22 commits