1. 27 Aug, 2019 7 commits
    • David Howells's avatar
      rxrpc: Use skb_unshare() rather than skb_cow_data() · d0d5c0cd
      David Howells authored
      The in-place decryption routines in AF_RXRPC's rxkad security module
      currently call skb_cow_data() to make sure the data isn't shared and that
      the skb can be written over.  This has a problem, however, as the softirq
      handler may be still holding a ref or the Rx ring may be holding multiple
      refs when skb_cow_data() is called in rxkad_verify_packet() - and so
      skb_shared() returns true and __pskb_pull_tail() dislikes that.  If this
      occurs, something like the following report will be generated.
      
      	kernel BUG at net/core/skbuff.c:1463!
      	...
      	RIP: 0010:pskb_expand_head+0x253/0x2b0
      	...
      	Call Trace:
      	 __pskb_pull_tail+0x49/0x460
      	 skb_cow_data+0x6f/0x300
      	 rxkad_verify_packet+0x18b/0xb10 [rxrpc]
      	 rxrpc_recvmsg_data.isra.11+0x4a8/0xa10 [rxrpc]
      	 rxrpc_kernel_recv_data+0x126/0x240 [rxrpc]
      	 afs_extract_data+0x51/0x2d0 [kafs]
      	 afs_deliver_fs_fetch_data+0x188/0x400 [kafs]
      	 afs_deliver_to_call+0xac/0x430 [kafs]
      	 afs_wait_for_call_to_complete+0x22f/0x3d0 [kafs]
      	 afs_make_call+0x282/0x3f0 [kafs]
      	 afs_fs_fetch_data+0x164/0x300 [kafs]
      	 afs_fetch_data+0x54/0x130 [kafs]
      	 afs_readpages+0x20d/0x340 [kafs]
      	 read_pages+0x66/0x180
      	 __do_page_cache_readahead+0x188/0x1a0
      	 ondemand_readahead+0x17d/0x2e0
      	 generic_file_read_iter+0x740/0xc10
      	 __vfs_read+0x145/0x1a0
      	 vfs_read+0x8c/0x140
      	 ksys_read+0x4a/0xb0
      	 do_syscall_64+0x43/0xf0
      	 entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fix this by using skb_unshare() instead in the input path for DATA packets
      that have a security index != 0.  Non-DATA packets don't need in-place
      encryption and neither do unencrypted DATA packets.
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Reported-by: default avatarJulian Wollrath <jwollrath@web.de>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      d0d5c0cd
    • David Howells's avatar
      rxrpc: Use the tx-phase skb flag to simplify tracing · 987db9f7
      David Howells authored
      Use the previously-added transmit-phase skbuff private flag to simplify the
      socket buffer tracing a bit.  Which phase the skbuff comes from can now be
      divined from the skb rather than having to be guessed from the call state.
      
      We can also reduce the number of rxrpc_skb_trace values by eliminating the
      difference between Tx and Rx in the symbols.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      987db9f7
    • David Howells's avatar
      rxrpc: Add a private skb flag to indicate transmission-phase skbs · b311e684
      David Howells authored
          
      Add a flag in the private data on an skbuff to indicate that this is a
      transmission-phase buffer rather than a receive-phase buffer.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      b311e684
    • David Howells's avatar
      rxrpc: Abstract out rxtx ring cleanup · a641fd00
      David Howells authored
      Abstract out rxtx ring cleanup into its own function from its two callers.
      This makes it easier to apply the same changes to both.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      a641fd00
    • David Howells's avatar
      rxrpc: Pass the input handler's data skb reference to the Rx ring · 4858e403
      David Howells authored
      Pass the reference held on a DATA skb in the rxrpc input handler into the
      Rx ring rather than getting an additional ref for this and then dropping
      the original ref at the end.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      4858e403
    • David Howells's avatar
      rxrpc: Use info in skbuff instead of reparsing a jumbo packet · e2de6c40
      David Howells authored
      Use the information now cached in the skbuff private data to avoid the need
      to reparse a jumbo packet.  We can find all the subpackets by dead
      reckoning, so it's only necessary to note how many there are, whether the
      last one is flagged as LAST_PACKET and whether any have the REQUEST_ACK
      flag set.
      
      This is necessary as once recvmsg() can see the packet, it can start
      modifying it, such as doing in-place decryption.
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      e2de6c40
    • David Howells's avatar
      rxrpc: Improve jumbo packet counting · c3c9e3df
      David Howells authored
      Improve the information stored about jumbo packets so that we don't need to
      reparse them so much later.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJeffrey Altman <jaltman@auristor.com>
      c3c9e3df
  2. 18 Aug, 2019 17 commits
  3. 17 Aug, 2019 2 commits
  4. 16 Aug, 2019 4 commits
  5. 15 Aug, 2019 10 commits
    • David S. Miller's avatar
      Merge tag 'rxrpc-fixes-20190814' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 480fd998
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fix local endpoint handling
      
      Here's a pair of patches that fix two issues in the handling of local
      endpoints (rxrpc_local structs):
      
       (1) Use list_replace_init() rather than list_replace() if we're going to
           unconditionally delete the replaced item later, lest the list get
           corrupted.
      
       (2) Don't access the rxrpc_local object after passing our ref to the
           workqueue, not even to illuminate tracepoints, as the work function
           may cause the object to be freed.  We have to cache the information
           beforehand.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      480fd998
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 12ed6015
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      This patchset contains Netfilter fixes for net:
      
      1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
      
      2) Fix interaction of ipsec with flowtable, also from Florian.
      
      3) User-after-free with bound set to rule that fails to load.
      
      4) Adjust state and timeout for flows that expire.
      
      5) Timeout update race with flows in teardown state.
      
      6) Ensure conntrack id hash calculation use invariants as input,
         from Dirk Morris.
      
      7) Do not push flows into flowtable for TCP fin/rst packets.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      12ed6015
    • Eric Dumazet's avatar
      net/packet: fix race in tpacket_snd() · 32d3182c
      Eric Dumazet authored
      packet_sendmsg() checks tx_ring.pg_vec to decide
      if it must call tpacket_snd().
      
      Problem is that the check is lockless, meaning another thread
      can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
      tx_ring.pg_vec back to NULL.
      
      Given that tpacket_snd() grabs pg_vec_lock mutex, we can
      perform the check again to solve the race.
      
      syzbot reported :
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
      Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
      RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
      RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
      R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
      R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
      FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       packet_current_frame net/packet/af_packet.c:487 [inline]
       tpacket_snd net/packet/af_packet.c:2667 [inline]
       packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
       __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg net/socket.c:2439 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
       do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 69e3c75f ("net: TX_RING and packet mmap")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32d3182c
    • Wenwen Wang's avatar
      net: myri10ge: fix memory leaks · 20fb7c7a
      Wenwen Wang authored
      In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices
      related structures. Later on, myri10ge_request_irq() is used to get an irq.
      However, if this process fails, the allocated slices related structures are
      not deallocated, leading to memory leaks. To fix this issue, revise the
      target label of the goto statement to 'abort_with_slices'.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20fb7c7a
    • John Fastabend's avatar
      net: tls, fix sk_write_space NULL write when tx disabled · d85f0177
      John Fastabend authored
      The ctx->sk_write_space pointer is only set when TLS tx mode is enabled.
      When running without TX mode its a null pointer but we still set the
      sk sk_write_space pointer on close().
      
      Fix the close path to only overwrite sk->sk_write_space when the current
      pointer is to the tls_write_space function indicating the tls module should
      clean it up properly as well.
      Reported-by: default avatarHillf Danton <hdanton@sina.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Fixes: 57c722e9 ("net/tls: swap sk_write_space on close")
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d85f0177
    • Wenwen Wang's avatar
      liquidio: add cleanup in octeon_setup_iq() · 6f967f8b
      Wenwen Wang authored
      If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading
      to memory/resource leaks. To fix this issue, invoke
      octeon_delete_instr_queue() before returning from the function.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f967f8b
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2019-08-15' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 0b24a441
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-08-15
      
      This series introduces two fixes to mlx5 driver.
      
      1) Eran fixes a compatibility issue with ethtool flash.
      2) Maxim fixes a race in XSK wakeup flow.
      
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b24a441
    • Eran Ben Elisha's avatar
      net/mlx5e: Fix compatibility issue with ethtool flash device · f43d48d1
      Eran Ben Elisha authored
      Cited patch deleted ethtool flash device support, as ethtool core can
      fallback into devlink flash callback. However, this is supported only if
      there is a devlink port registered over the corresponding netdevice.
      
      As mlx5e do not have devlink port support over native netdevice, it broke
      the ability to flash device via ethtool.
      
      This patch re-add the ethtool callback to avoid user functionality breakage
      when trying to flash device via ethtool.
      
      Fixes: 9c8bca26 ("mlx5: Move firmware flash implementation to devlink")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      f43d48d1
    • Maxim Mikityanskiy's avatar
      net/mlx5e: Fix a race with XSKICOSQ in XSK wakeup flow · e0d57d9c
      Maxim Mikityanskiy authored
      Add a missing spinlock around XSKICOSQ usage at the activation stage,
      because there is a race between a configuration change and the
      application calling sendto().
      
      Fixes: db05815b ("net/mlx5e: Add XSK zero-copy support")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@mellanox.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      e0d57d9c
    • Anders Roxell's avatar
      selftests: net: tcp_fastopen_backup_key.sh: fix shellcheck issue · 2aafdf5a
      Anders Roxell authored
      When running tcp_fastopen_backup_key.sh the following issue was seen in
      a busybox environment.
      ./tcp_fastopen_backup_key.sh: line 33: [: -ne: unary operator expected
      
      Shellcheck showed the following issue.
      $ shellcheck tools/testing/selftests/net/tcp_fastopen_backup_key.sh
      
      In tools/testing/selftests/net/tcp_fastopen_backup_key.sh line 33:
              if [ $val -ne 0 ]; then
                   ^-- SC2086: Double quote to prevent globbing and word splitting.
      
      Rework to do a string comparison instead.
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2aafdf5a