1. 22 Jul, 2020 5 commits
    • Xin Long's avatar
      l2tp: remove skb_dst_set() from l2tp_xmit_skb() · a0400bbe
      Xin Long authored
      [ Upstream commit 27d53323 ]
      
      In the tx path of l2tp, l2tp_xmit_skb() calls skb_dst_set() to set
      skb's dst. However, it will eventually call inet6_csk_xmit() or
      ip_queue_xmit() where skb's dst will be overwritten by:
      
         skb_dst_set_noref(skb, dst);
      
      without releasing the old dst in skb. Then it causes dst/dev refcnt leak:
      
        unregister_netdevice: waiting for eth0 to become free. Usage count = 1
      
      This can be reproduced by simply running:
      
        # modprobe l2tp_eth && modprobe l2tp_ip
        # sh ./tools/testing/selftests/net/l2tp.sh
      
      So before going to inet6_csk_xmit() or ip_queue_xmit(), skb's dst
      should be dropped. This patch is to fix it by removing skb_dst_set()
      from l2tp_xmit_skb() and moving skb_dst_drop() into l2tp_xmit_core().
      
      Fixes: 3557baab ("[L2TP]: PPP over L2TP driver core")
      Reported-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarJames Chapman <jchapman@katalix.com>
      Tested-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0400bbe
    • Sabrina Dubroca's avatar
      ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg · 5e8f49ed
      Sabrina Dubroca authored
      [ Upstream commit 5eff0690 ]
      
      IPv4 ping sockets don't set fl4.fl4_icmp_{type,code}, which leads to
      incomplete IPsec ACQUIRE messages being sent to userspace. Currently,
      both raw sockets and IPv6 ping sockets set those fields.
      
      Expected output of "ip xfrm monitor":
          acquire proto esp
            sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 8 code 0 dev ens4
            policy src 10.0.2.15/32 dst 8.8.8.8/32
              <snip>
      
      Currently with ping sockets:
          acquire proto esp
            sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 0 code 0 dev ens4
            policy src 10.0.2.15/32 dst 8.8.8.8/32
              <snip>
      
      The Libreswan test suite found this problem after Fedora changed the
      value for the sysctl net.ipv4.ping_group_range.
      
      Fixes: c319b4d7 ("net: ipv4: add IPPROTO_ICMP socket kind")
      Reported-by: default avatarPaul Wouters <pwouters@redhat.com>
      Tested-by: default avatarPaul Wouters <pwouters@redhat.com>
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e8f49ed
    • Sean Tranchetti's avatar
      genetlink: remove genl_bind · 0845447d
      Sean Tranchetti authored
      [ Upstream commit 1e82a62f ]
      
      A potential deadlock can occur during registering or unregistering a
      new generic netlink family between the main nl_table_lock and the
      cb_lock where each thread wants the lock held by the other, as
      demonstrated below.
      
      1) Thread 1 is performing a netlink_bind() operation on a socket. As part
         of this call, it will call netlink_lock_table(), incrementing the
         nl_table_users count to 1.
      2) Thread 2 is registering (or unregistering) a genl_family via the
         genl_(un)register_family() API. The cb_lock semaphore will be taken for
         writing.
      3) Thread 1 will call genl_bind() as part of the bind operation to handle
         subscribing to GENL multicast groups at the request of the user. It will
         attempt to take the cb_lock semaphore for reading, but it will fail and
         be scheduled away, waiting for Thread 2 to finish the write.
      4) Thread 2 will call netlink_table_grab() during the (un)registration
         call. However, as Thread 1 has incremented nl_table_users, it will not
         be able to proceed, and both threads will be stuck waiting for the
         other.
      
      genl_bind() is a noop, unless a genl_family implements the mcast_bind()
      function to handle setting up family-specific multicast operations. Since
      no one in-tree uses this functionality as Cong pointed out, simply removing
      the genl_bind() function will remove the possibility for deadlock, as there
      is no attempt by Thread 1 above to take the cb_lock semaphore.
      
      Fixes: c380d9a7 ("genetlink: pass multicast bind/unbind to families")
      Suggested-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0845447d
    • Taehee Yoo's avatar
      net: rmnet: fix lower interface leak · cf7318b7
      Taehee Yoo authored
      commit 2a762e9e upstream.
      
      There are two types of the lower interface of rmnet that are VND
      and BRIDGE.
      Each lower interface can have only one type either VND or BRIDGE.
      But, there is a case, which uses both lower interface types.
      Due to this unexpected behavior, lower interface leak occurs.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add dummy1 type dummy
          ip link add rmnet0 link dummy0 type rmnet mux_id 1
          ip link set dummy1 master rmnet0
          ip link add rmnet1 link dummy1 type rmnet mux_id 2
          ip link del rmnet0
      
      The dummy1 was attached as BRIDGE interface of rmnet0.
      Then, it also was attached as VND interface of rmnet1.
      This is unexpected behavior and there is no code for handling this case.
      So that below splat occurs when the rmnet0 interface is deleted.
      
      Splat looks like:
      [   53.254112][    C1] WARNING: CPU: 1 PID: 1192 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0
      [   53.254117][    C1] Modules linked in: rmnet dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nfx
      [   53.254182][    C1] CPU: 1 PID: 1192 Comm: ip Not tainted 5.8.0-rc1+ #620
      [   53.254188][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   53.254192][    C1] RIP: 0010:rollback_registered_many+0x986/0xcf0
      [   53.254200][    C1] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 0f 0b e5
      [   53.254205][    C1] RSP: 0018:ffff888050a5f2e0 EFLAGS: 00010287
      [   53.254214][    C1] RAX: ffff88805756d658 RBX: ffff88804d99c000 RCX: ffffffff8329d323
      [   53.254219][    C1] RDX: 1ffffffff0be6410 RSI: 0000000000000008 RDI: ffffffff85f32080
      [   53.254223][    C1] RBP: dffffc0000000000 R08: fffffbfff0be6411 R09: fffffbfff0be6411
      [   53.254228][    C1] R10: ffffffff85f32087 R11: 0000000000000001 R12: ffff888050a5f480
      [   53.254233][    C1] R13: ffff88804d99c0b8 R14: ffff888050a5f400 R15: ffff8880548ebe40
      [   53.254238][    C1] FS:  00007f6b86b370c0(0000) GS:ffff88806c200000(0000) knlGS:0000000000000000
      [   53.254243][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   53.254248][    C1] CR2: 0000562c62438758 CR3: 000000003f600005 CR4: 00000000000606e0
      [   53.254253][    C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   53.254257][    C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   53.254261][    C1] Call Trace:
      [   53.254266][    C1]  ? lockdep_hardirqs_on_prepare+0x379/0x540
      [   53.254270][    C1]  ? netif_set_real_num_tx_queues+0x780/0x780
      [   53.254275][    C1]  ? rmnet_unregister_real_device+0x56/0x90 [rmnet]
      [   53.254279][    C1]  ? __kasan_slab_free+0x126/0x150
      [   53.254283][    C1]  ? kfree+0xdc/0x320
      [   53.254288][    C1]  ? rmnet_unregister_real_device+0x56/0x90 [rmnet]
      [   53.254293][    C1]  unregister_netdevice_many.part.135+0x13/0x1b0
      [   53.254297][    C1]  rtnl_delete_link+0xbc/0x100
      [   53.254301][    C1]  ? rtnl_af_register+0xc0/0xc0
      [   53.254305][    C1]  rtnl_dellink+0x2dc/0x840
      [   53.254309][    C1]  ? find_held_lock+0x39/0x1d0
      [   53.254314][    C1]  ? valid_fdb_dump_strict+0x620/0x620
      [   53.254318][    C1]  ? rtnetlink_rcv_msg+0x457/0x890
      [   53.254322][    C1]  ? lock_contended+0xd20/0xd20
      [   53.254326][    C1]  rtnetlink_rcv_msg+0x4a8/0x890
      [ ... ]
      [   73.813696][ T1192] unregister_netdevice: waiting for rmnet0 to become free. Usage count = 1
      
      Fixes: 037f9cdf ("net: rmnet: use upper/lower device infrastructure")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf7318b7
    • Changbin Du's avatar
      perf: Make perf able to build with latest libbfd · 0753b05c
      Changbin Du authored
      commit 0ada120c upstream.
      
      libbfd has changed the bfd_section_* macros to inline functions
      bfd_section_<field> since 2019-09-18. See below two commits:
        o http://www.sourceware.org/ml/gdb-cvs/2019-09/msg00064.html
        o https://www.sourceware.org/ml/gdb-cvs/2019-09/msg00072.html
      
      This fix make perf able to build with both old and new libbfd.
      Signed-off-by: default avatarChangbin Du <changbin.du@gmail.com>
      Acked-by: default avatarJiri Olsa <jolsa@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lore.kernel.org/lkml/20200128152938.31413-1-changbin.du@gmail.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jianmin Wang <jianmin@iscas.ac.cn>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0753b05c
  2. 16 Jul, 2020 35 commits