1. 26 May, 2023 7 commits
    • tls: improve lockless access safety of tls_err_abort() · 8a0d57df
      Jakub Kicinski authored
      Most protos' poll() methods insert a memory barrier between
      writes to sk_err and sk_error_report(). This dates back to
      commit a4d25803 ("tcp: Fix race in tcp_poll").
      
      I guess we should do the same thing in TLS, tcp_poll() does
      not hold the socket lock.
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mlx5-fixes-2023-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · aa866ee4
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-05-24
      
      This series includes bug fixes for the mlx5 driver.
      
      * tag 'mlx5-fixes-2023-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        Documentation: net/mlx5: Wrap notes in admonition blocks
        Documentation: net/mlx5: Add blank line separator before numbered lists
        Documentation: net/mlx5: Use bullet and definition lists for vnic counters description
        Documentation: net/mlx5: Wrap vnic reporter devlink commands in code blocks
        net/mlx5: Fix check for allocation failure in comp_irqs_request_pci()
        net/mlx5: DR, Add missing mutex init/destroy in pattern manager
        net/mlx5e: Move Ethernet driver debugfs to profile init callback
        net/mlx5e: Don't attach netdev profile while handling internal error
        net/mlx5: Fix post parse infra to only parse every action once
        net/mlx5e: Use query_special_contexts cmd only once per mdev
        net/mlx5: fw_tracer, Fix event handling
        net/mlx5: SF, Drain health before removing device
        net/mlx5: Drain health before unregistering devlink
        net/mlx5e: Do not update SBCM when prio2buffer command is invalid
        net/mlx5e: Consider internal buffers size in port buffer calculations
        net/mlx5e: Prevent encap offload when neigh update is running
        net/mlx5e: Extract remaining tunnel encap code to dedicated file
      ====================
      
      Link: https://lore.kernel.org/r/20230525034847.99268-1-saeed@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • af_packet: Fix data-races of pkt_sk(sk)->num. · 822b5a1c
      Kuniyuki Iwashima authored
      syzkaller found a data race of pkt_sk(sk)->num.
      
      The value is changed under lock_sock() and po->bind_lock, so we
      need READ_ONCE() to access pkt_sk(sk)->num without these locks in
      packet_bind_spkt(), packet_bind(), and sk_diag_fill().
      
      Note that WRITE_ONCE() is already added by commit c7d2ef5d
      ("net/packet: annotate accesses to po->bind").
      
      BUG: KCSAN: data-race in packet_bind / packet_do_bind
      
      write (marked) to 0xffff88802ffd1cee of 2 bytes by task 7322 on cpu 0:
       packet_do_bind+0x446/0x640 net/packet/af_packet.c:3236
       packet_bind+0x99/0xe0 net/packet/af_packet.c:3321
       __sys_bind+0x19b/0x1e0 net/socket.c:1803
       __do_sys_bind net/socket.c:1814 [inline]
       __se_sys_bind net/socket.c:1812 [inline]
       __x64_sys_bind+0x40/0x50 net/socket.c:1812
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      read to 0xffff88802ffd1cee of 2 bytes by task 7318 on cpu 1:
       packet_bind+0xbf/0xe0 net/packet/af_packet.c:3322
       __sys_bind+0x19b/0x1e0 net/socket.c:1803
       __do_sys_bind net/socket.c:1814 [inline]
       __se_sys_bind net/socket.c:1812 [inline]
       __x64_sys_bind+0x40/0x50 net/socket.c:1812
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
      value changed: 0x0300 -> 0x0000
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 7318 Comm: syz-executor.4 Not tainted 6.3.0-13380-g7fddb5b5300c #4
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      
      Fixes: 96ec6327 ("packet: Diag core and basic socket info dumping")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: syzkaller <syzkaller@googlegroups.com>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/20230524232934.50950-1-kuniyu@amazon.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tools: ynl: avoid dict errors on older Python versions · 081e8df6
      Jakub Kicinski authored
      Python 3.9.0 or newer supports combining dicts() with |,
      but older versions of Python are still used in the wild
      (e.g. on CentOS 8, which goes EoL May 31, 2024).
      With Python 3.6.8 we get:
      
        TypeError: unsupported operand type(s) for |: 'dict' and 'dict'
      
      Use older syntax. Tested with non-legacy families only.
      
      Fixes: f036d936 ("tools: ynl: Add fixed-header support to ynl")
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
      Tested-by: Donald Hunter <donald.hunter@gmail.com>
      Link: https://lore.kernel.org/r/20230524170712.2036128-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • netrom: fix info-leak in nr_write_internal() · 31642e70
      Eric Dumazet authored
      Simon Kapadia reported the following issue:
      
      <quote>
      
      The Online Amateur Radio Community (OARC) has recently been experimenting
      with building a nationwide packet network in the UK.
      As part of our experimentation, we have been testing out packet on 300bps HF,
      and playing with net/rom.  For HF packet at this baud rate you really need
      to make sure that your MTU is relatively low; AX.25 suggests a PACLEN of 60,
      and a net/rom PACLEN of 40 to go with that.
      However the Linux net/rom support didn't work with a low PACLEN;
      the mkiss module would truncate packets if you set the PACLEN below about 200 or so, e.g.:
      
      Apr 19 14:00:51 radio kernel: [12985.747310] mkiss: ax1: truncating oversized transmit packet!
      
      This didn't make any sense to me (if the packets are smaller why would they
      be truncated?) so I started investigating.
      I looked at the packets using ethereal, and found that many were just huge
      compared to what I would expect.
      A simple net/rom connection request packet had the request and then a bunch
      of what appeared to be random data following it:
      
      </quote>
      
      Simon provided a patch that I slightly revised:
      Not only must we not use skb_tailroom(), we also do
      not want to count NR_NETWORK_LEN twice.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Co-Developed-by: Simon Kapadia <szymon@kapadia.pl>
      Signed-off-by: Simon Kapadia <szymon@kapadia.pl>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Tested-by: Simon Kapadia <szymon@kapadia.pl>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230524141456.1045467-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: stmmac: fix call trace when stmmac_xdp_xmit() is invoked · ffb33221
      Wei Fang authored
      We encountered a kernel call trace issue which was related to
      the ndo_xdp_xmit callback on our i.MX8MP platform. The steps to
      reproduce are as follows.
      1. The FEC port (eth0) connects to a PC port, and the PC uses
      pktgen_sample03_burst_single_flow.sh to generate packets and
      send these packets to the FEC port. Notice that the script must
      be executed before step 2.
      2. Run the "./xdp_redirect eth0 eth1" command on i.MX8MP; the
      eth1 interface is the dwmac. Then there will be a call trace
      issue soon. Please see the log for more details.
      The root cause is that the NETDEV_XDP_ACT_NDO_XMIT feature is
      enabled by default, so when the step 2 command is executed
      and packets have already been sent to eth0, stmmac_xdp_xmit()
      starts running before stmmac_xdp_set_prog() finishes. To
      resolve this issue, we disable the NETDEV_XDP_ACT_NDO_XMIT
      feature by default and turn this feature on/off when the bpf
      program is installed/uninstalled, just like the other
      ethernet drivers.
      
      Call Trace log:
      [  306.311271] ------------[ cut here ]------------
      [  306.315910] WARNING: CPU: 0 PID: 15 at lib/timerqueue.c:55 timerqueue_del+0x68/0x70
      [  306.323590] Modules linked in:
      [  306.326654] CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.4.0-rc1+ #37
      [  306.333277] Hardware name: NXP i.MX8MPlus EVK board (DT)
      [  306.338591] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      [  306.345561] pc : timerqueue_del+0x68/0x70
      [  306.349577] lr : __remove_hrtimer+0x5c/0xa0
      [  306.353777] sp : ffff80000b7c3920
      [  306.357094] x29: ffff80000b7c3920 x28: 0000000000000000 x27: 0000000000000001
      [  306.364244] x26: ffff80000a763a40 x25: ffff0000d0285a00 x24: 0000000000000001
      [  306.371390] x23: 0000000000000001 x22: ffff000179389a40 x21: 0000000000000000
      [  306.378537] x20: ffff000179389aa0 x19: ffff0000d2951308 x18: 0000000000001000
      [  306.385686] x17: f1d3000000000000 x16: 00000000c39c1000 x15: 55e99bbe00001a00
      [  306.392835] x14: 09000900120aa8c0 x13: e49af1d300000000 x12: 000000000000c39c
      [  306.399987] x11: 100055e99bbe0000 x10: ffff8000090b1048 x9 : ffff8000081603fc
      [  306.407133] x8 : 000000000000003c x7 : 000000000000003c x6 : 0000000000000001
      [  306.414284] x5 : ffff0000d2950980 x4 : 0000000000000000 x3 : 0000000000000000
      [  306.421432] x2 : 0000000000000001 x1 : ffff0000d2951308 x0 : ffff0000d2951308
      [  306.428585] Call trace:
      [  306.431035]  timerqueue_del+0x68/0x70
      [  306.434706]  __remove_hrtimer+0x5c/0xa0
      [  306.438549]  hrtimer_start_range_ns+0x2bc/0x370
      [  306.443089]  stmmac_xdp_xmit+0x174/0x1b0
      [  306.447021]  bq_xmit_all+0x194/0x4b0
      [  306.450612]  __dev_flush+0x4c/0x98
      [  306.454024]  xdp_do_flush+0x18/0x38
      [  306.457522]  fec_enet_rx_napi+0x6c8/0xc68
      [  306.461539]  __napi_poll+0x40/0x220
      [  306.465038]  net_rx_action+0xf8/0x240
      [  306.468707]  __do_softirq+0x128/0x3a8
      [  306.472378]  run_ksoftirqd+0x40/0x58
      [  306.475961]  smpboot_thread_fn+0x1c4/0x288
      [  306.480068]  kthread+0x124/0x138
      [  306.483305]  ret_from_fork+0x10/0x20
      [  306.486889] ---[ end trace 0000000000000000 ]---
      
      Fixes: 66c0e13a ("drivers: net: turn on XDP features")
      Signed-off-by: Wei Fang <wei.fang@nxp.com>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230524125714.357337-1-wei.fang@nxp.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure · d68cb7cf
      Thomas Bogendoerfer authored
      Do skb_put() after a new skb has been successfully allocated, otherwise
      the reused skb leads to skb_panics or incorrect packet sizes.
      
      Fixes: f92e1869 ("Add Mellanox BlueField Gigabit Ethernet driver")
      Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230524194908.147145-1-tbogendoerfer@suse.de
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  2. 25 May, 2023 33 commits