1. 14 Jun, 2023 10 commits
    • Paolo Abeni's avatar
      Merge branch 'net-sched-fix-race-conditions-in-mini_qdisc_pair_swap' · 3b0d2819
      Paolo Abeni authored
      Peilin Ye says:
      
      ====================
      net/sched: Fix race conditions in mini_qdisc_pair_swap()
      
      These 2 patches fix race conditions for ingress and clsact Qdiscs as
      reported [1] by syzbot, split out from another [2] series (last 2 patches
      of it).  Per-patch changelog omitted.
      
      Patch 1 hasn't been touched since last version; I just included
      everybody's tag.
      
      Patch 2 bases on patch 6 v1 of [2], with comments and commit log slightly
      changed.  We also need rtnl_dereference() to load ->qdisc_sleeping since
      commit d636fc5d ("net: sched: add rcu annotations around
      qdisc->qdisc_sleeping"), so I changed that; please take yet another look,
      thanks!
      
      Patch 2 has been tested with the new reproducer Pedro posted [3].
      
      [1] https://syzkaller.appspot.com/bug?extid=b53a9c0d1ea4ad62da8b
      [2] https://lore.kernel.org/r/cover.1684887977.git.peilin.ye@bytedance.com/
      [3] https://lore.kernel.org/r/7879f218-c712-e9cc-57ba-665990f5f4c9@mojatatu.com/
      ====================
      
      Link: https://lore.kernel.org/r/cover.1686355297.git.peilin.ye@bytedance.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      3b0d2819
    • Peilin Ye's avatar
      net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting · 84ad0af0
      Peilin Ye authored
      mini_Qdisc_pair::p_miniq is a double pointer to mini_Qdisc, initialized
      in ingress_init() to point to net_device::miniq_ingress.  ingress Qdiscs
      access this per-net_device pointer in mini_qdisc_pair_swap().  Similar
      for clsact Qdiscs and miniq_egress.
      
      Unfortunately, after introducing RTNL-unlocked RTM_{NEW,DEL,GET}TFILTER
      requests (thanks Hillf Danton for the hint), when replacing ingress or
      clsact Qdiscs, for example, the old Qdisc ("@old") could access the same
      miniq_{in,e}gress pointer(s) concurrently with the new Qdisc ("@new"),
      causing race conditions [1] including a use-after-free bug in
      mini_qdisc_pair_swap() reported by syzbot:
      
       BUG: KASAN: slab-use-after-free in mini_qdisc_pair_swap+0x1c2/0x1f0 net/sched/sch_generic.c:1573
       Write of size 8 at addr ffff888045b31308 by task syz-executor690/14901
      ...
       Call Trace:
        <TASK>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
        print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:319
        print_report mm/kasan/report.c:430 [inline]
        kasan_report+0x11c/0x130 mm/kasan/report.c:536
        mini_qdisc_pair_swap+0x1c2/0x1f0 net/sched/sch_generic.c:1573
        tcf_chain_head_change_item net/sched/cls_api.c:495 [inline]
        tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:509
        tcf_chain_tp_insert net/sched/cls_api.c:1826 [inline]
        tcf_chain_tp_insert_unique net/sched/cls_api.c:1875 [inline]
        tc_new_tfilter+0x1de6/0x2290 net/sched/cls_api.c:2266
      ...
      
      @old and @new should not affect each other.  In other words, @old should
      never modify miniq_{in,e}gress after @new, and @new should not update
      @old's RCU state.
      
      Fixing without changing sch_api.c turned out to be difficult (please
      refer to Closes: for discussions).  Instead, make sure @new's first call
      always happen after @old's last call (in {ingress,clsact}_destroy()) has
      finished:
      
      In qdisc_graft(), return -EBUSY if @old has any ongoing filter requests,
      and call qdisc_destroy() for @old before grafting @new.
      
      Introduce qdisc_refcount_dec_if_one() as the counterpart of
      qdisc_refcount_inc_nz() used for filter requests.  Introduce a
      non-static version of qdisc_destroy() that does a TCQ_F_BUILTIN check,
      just like qdisc_put() etc.
      
      Depends on patch "net/sched: Refactor qdisc_graft() for ingress and
      clsact Qdiscs".
      
      [1] To illustrate, the syzkaller reproducer adds ingress Qdiscs under
      TC_H_ROOT (no longer possible after commit c7cfbd11 ("net/sched:
      sch_ingress: Only create under TC_H_INGRESS")) on eth0 that has 8
      transmission queues:
      
        Thread 1 creates ingress Qdisc A (containing mini Qdisc a1 and a2),
        then adds a flower filter X to A.
      
        Thread 2 creates another ingress Qdisc B (containing mini Qdisc b1 and
        b2) to replace A, then adds a flower filter Y to B.
      
       Thread 1               A's refcnt   Thread 2
        RTM_NEWQDISC (A, RTNL-locked)
         qdisc_create(A)               1
         qdisc_graft(A)                9
      
        RTM_NEWTFILTER (X, RTNL-unlocked)
         __tcf_qdisc_find(A)          10
         tcf_chain0_head_change(A)
         mini_qdisc_pair_swap(A) (1st)
                  |
                  |                         RTM_NEWQDISC (B, RTNL-locked)
               RCU sync                2     qdisc_graft(B)
                  |                    1     notify_and_destroy(A)
                  |
         tcf_block_release(A)          0    RTM_NEWTFILTER (Y, RTNL-unlocked)
         qdisc_destroy(A)                    tcf_chain0_head_change(B)
         tcf_chain0_head_change_cb_del(A)    mini_qdisc_pair_swap(B) (2nd)
         mini_qdisc_pair_swap(A) (3rd)                |
                 ...                                 ...
      
      Here, B calls mini_qdisc_pair_swap(), pointing eth0->miniq_ingress to
      its mini Qdisc, b1.  Then, A calls mini_qdisc_pair_swap() again during
      ingress_destroy(), setting eth0->miniq_ingress to NULL, so ingress
      packets on eth0 will not find filter Y in sch_handle_ingress().
      
      This is just one of the possible consequences of concurrently accessing
      miniq_{in,e}gress pointers.
      
      Fixes: 7a096d57 ("net: sched: ingress: set 'unlocked' flag for Qdisc ops")
      Fixes: 87f37392 ("net: sched: ingress: set 'unlocked' flag for clsact Qdisc ops")
      Reported-by: syzbot+b53a9c0d1ea4ad62da8b@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/r/0000000000006cf87705f79acf1a@google.com/
      Cc: Hillf Danton <hdanton@sina.com>
      Cc: Vlad Buslov <vladbu@mellanox.com>
      Signed-off-by: default avatarPeilin Ye <peilin.ye@bytedance.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      84ad0af0
    • Peilin Ye's avatar
      net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs · 2d5f6a8d
      Peilin Ye authored
      Grafting ingress and clsact Qdiscs does not need a for-loop in
      qdisc_graft().  Refactor it.  No functional changes intended.
      Tested-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Reviewed-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Reviewed-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarPeilin Ye <peilin.ye@bytedance.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      2d5f6a8d
    • Paul Blakey's avatar
      net/sched: act_ct: Fix promotion of offloaded unreplied tuple · 41f2c7c3
      Paul Blakey authored
      Currently UNREPLIED and UNASSURED connections are added to the nf flow
      table. This causes the following connection packets to be processed
      by the flow table which then skips conntrack_in(), and thus such the
      connections will remain UNREPLIED and UNASSURED even if reply traffic
      is then seen. Even still, the unoffloaded reply packets are the ones
      triggering hardware update from new to established state, and if
      there aren't any to triger an update and/or previous update was
      missed, hardware can get out of sync with sw and still mark
      packets as new.
      
      Fix the above by:
      1) Not skipping conntrack_in() for UNASSURED packets, but still
         refresh for hardware, as before the cited patch.
      2) Try and force a refresh by reply-direction packets that update
         the hardware rules from new to established state.
      3) Remove any bidirectional flows that didn't failed to update in
         hardware for re-insertion as bidrectional once any new packet
         arrives.
      
      Fixes: 6a9bad00 ("net/sched: act_ct: offload UDP NEW connections")
      Co-developed-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarPaul Blakey <paulb@nvidia.com>
      Reviewed-by: default avatarFlorian Westphal <fw@strlen.de>
      Link: https://lore.kernel.org/r/1686313379-117663-1-git-send-email-paulb@nvidia.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      41f2c7c3
    • Jakub Kicinski's avatar
      Merge branch 'fix-small-bugs-and-annoyances-in-tc-testing' · 07b1cc84
      Jakub Kicinski authored
      Vlad Buslov says:
      
      ====================
      Fix small bugs and annoyances in tc-testing
      ====================
      
      Link: https://lore.kernel.org/r/20230612075712.2861848-1-vladbu@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      07b1cc84
    • Vlad Buslov's avatar
      selftests/tc-testing: Remove configs that no longer exist · 11b8b2e7
      Vlad Buslov authored
      Some qdiscs and classifiers have recently been retired from kernel.
      However, tc-testing config is still cluttered with them which causes noise
      when using merge_config.sh script to update existing config for tc-testing
      compatibility. Remove the config settings for affected qdiscs and
      classifiers.
      
      Fixes: fb38306c ("net/sched: Retire ATM qdisc")
      Fixes: 051d4420 ("net/sched: Retire CBQ qdisc")
      Fixes: bbe77c14 ("net/sched: Retire dsmark qdisc")
      Fixes: 265b4da8 ("net/sched: Retire rsvp classifier")
      Fixes: 8c710f75 ("net/sched: Retire tcindex classifier")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      11b8b2e7
    • Vlad Buslov's avatar
      selftests/tc-testing: Fix SFB db test · b39d8c41
      Vlad Buslov authored
      Setting very small value of db like 10ms introduces rounding errors when
      converting to/from jiffies on some kernel configs. For example, on 250hz
      the actual value will be set to 12ms which causes the test to fail:
      
       # $ sudo ./tdc.py  -d eth2 -e 3410
       #  -- ns/SubPlugin.__init__
       # Test 3410: Create SFB with db setting
       #
       # All test results:
       #
       # 1..1
       # not ok 1 3410 - Create SFB with db setting
       #         Could not match regex pattern. Verify command output:
       # qdisc sfb 1: root refcnt 2 rehash 600s db 12ms limit 1000p max 25p target 20p increment 0.000503548 decrement 4.57771e-05 penalty_rate 10pps penalty_burst 20p
      
      Set the value to 100ms instead which currently seem to work on 100hz,
      250hz, 300hz and 1000hz kernel configs.
      
      Fixes: 6ad92dc5 ("selftests/tc-testing: add selftests for sfb qdisc")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b39d8c41
    • Vlad Buslov's avatar
      selftests/tc-testing: Fix Error: failed to find target LOG · b849c566
      Vlad Buslov authored
      Add missing netfilter config dependency.
      
      Fixes following example error when running tests via tdc.sh for all XT
      tests:
      
       # $ sudo ./tdc.py -d eth2 -e 2029
       # Test 2029: Add xt action with log-prefix
       # exit: 255
       # exit: 0
       #  failed to find target LOG
       #
       # bad action parsing
       # parse_action: bad value (7:xt)!
       # Illegal "action"
       #
       # -----> teardown stage *** Could not execute: "$TC actions flush action xt"
       #
       # -----> teardown stage *** Error message: "Error: Cannot flush unknown TC action.
       # We have an error flushing
       # "
       # returncode 1; expected [0]
       #
       # -----> teardown stage *** Aborting test run.
       #
       # <_io.BufferedReader name=3> *** stdout ***
       #
       # <_io.BufferedReader name=5> *** stderr ***
       # "-----> teardown stage" did not complete successfully
       # Exception <class '__main__.PluginMgrTestFail'> ('teardown', ' failed to find target LOG\n\nbad action parsing\nparse_action: bad value (7:xt)!\nIllegal "action"\n', '"-----> teardown stage" did not complete successfully') (caught in test_runner, running test 2 2029 Add xt action with log-prefix stage teardown)
       # ---------------
       # traceback
       #   File "/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 495, in test_runner
       #     res = run_one_test(pm, args, index, tidx)
       #   File "/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 434, in run_one_test
       #     prepare_env(args, pm, 'teardown', '-----> teardown stage', tidx['teardown'], procout)
       #   File "/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 245, in prepare_env
       #     raise PluginMgrTestFail(
       # ---------------
       # accumulated output for this test:
       #  failed to find target LOG
       #
       # bad action parsing
       # parse_action: bad value (7:xt)!
       # Illegal "action"
       #
       # ---------------
       #
       # All test results:
       #
       # 1..1
       # ok 1 2029 - Add xt action with log-prefix # skipped - "-----> teardown stage" did not complete successfully
      
      Fixes: 910d504b ("selftests/tc-testings: add selftests for xt action")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b849c566
    • Vlad Buslov's avatar
      selftests/tc-testing: Fix Error: Specified qdisc kind is unknown. · aef6e908
      Vlad Buslov authored
      All TEQL tests assume that sch_teql module is loaded. Load module in tdc.sh
      before running qdisc tests.
      
      Fixes following example error when running tests via tdc.sh for all TEQL
      tests:
      
       # $ sudo ./tdc.py -d eth2 -e 84a0
       #  -- ns/SubPlugin.__init__
       # Test 84a0: Create TEQL with default setting
       # exit: 2
       # exit: 0
       # Error: Specified qdisc kind is unknown.
       #
       # -----> teardown stage *** Could not execute: "$TC qdisc del dev $DUMMY handle 1: root"
       #
       # -----> teardown stage *** Error message: "Error: Invalid handle.
       # "
       # returncode 2; expected [0]
       #
       # -----> teardown stage *** Aborting test run.
       #
       # <_io.BufferedReader name=3> *** stdout ***
       #
       # <_io.BufferedReader name=5> *** stderr ***
       # "-----> teardown stage" did not complete successfully
       # Exception <class '__main__.PluginMgrTestFail'> ('teardown', 'Error: Specified qdisc kind is unknown.\n', '"-----> teardown stage" did not complete successfully') (caught in test_runner, running test 2 84a0 Create TEQL with default setting stage teardown)
       # ---------------
       # traceback
       #   File "/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 495, in test_runner
       #     res = run_one_test(pm, args, index, tidx)
       #   File "/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 434, in run_one_test
       #     prepare_env(args, pm, 'teardown', '-----> teardown stage', tidx['teardown'], procout)
       #   File "/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 245, in prepare_env
       #     raise PluginMgrTestFail(
       # ---------------
       # accumulated output for this test:
       # Error: Specified qdisc kind is unknown.
       #
       # ---------------
       #
       # All test results:
       #
       # 1..1
       # ok 1 84a0 - Create TEQL with default setting # skipped - "-----> teardown stage" did not complete successfully
      
      Fixes: cc62fbe1 ("selftests/tc-testing: add selftests for teql qdisc")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarVictor Nogueira <victor@mojatatu.com>
      Reviewed-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aef6e908
    • Dan Carpenter's avatar
      net: ethernet: ti: am65-cpsw: Call of_node_put() on error path · 374283a1
      Dan Carpenter authored
      This code returns directly but it should instead call of_node_put()
      to drop some reference counts.
      
      Fixes: dab2b265 ("net: ethernet: ti: am65-cpsw: Add support for SERDES configuration")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: default avatarRoger Quadros <rogerq@kernel.org>
      Link: https://lore.kernel.org/r/e3012f0c-1621-40e6-bf7d-03c276f6e07f@kili.mountainSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      374283a1
  2. 12 Jun, 2023 25 commits
  3. 10 Jun, 2023 5 commits