1. 17 May, 2014 3 commits
  2. 16 May, 2014 17 commits
      net: gro: make sure skb->cb[] initial content has not to be zero · 29e98242
      Eric Dumazet authored
      Starting from linux-3.13, GRO attempts to build full size skbs.
      
      Problem is the commit assumed one particular field in skb->cb[]
      was clean, but it is not the case on some stacked devices.
      
      Timo reported a crash in case traffic is decrypted before
      reaching a GRE device.
      
      Fix this by initializing NAPI_GRO_CB(skb)->last at the right place,
      this also removes one conditional.
      
      Thanks a lot to Timo for providing full reports and bisecting this.
      
      Fixes: 8a29111c ("net: gro: allow to build full sized skb")
      Bisected-by: Timo Teras <timo.teras@iki.fi>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Tested-by: Timo Teräs <timo.teras@iki.fi>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ipv4: ip_tunnels: disable cache for nbma gre tunnels · 22fb22ea
      Timo Teräs authored
      The connected check fails to check for ip_gre nbma mode tunnels
      properly. ip_gre creates temporary tnl_params with daddr specified
      to pass-in the actual target on per-packet basis from neighbor
      layer. Detect these tunnels by inspecting the actual tunnel
      configuration.
      
      Minimal test case:
       ip route add 192.168.1.1/32 via 10.0.0.1
       ip route add 192.168.1.2/32 via 10.0.0.2
       ip tunnel add nbma0 mode gre key 1 tos c0
       ip addr add 172.17.0.0/16 dev nbma0
       ip link set nbma0 up
       ip neigh add 172.17.0.1 lladdr 192.168.1.1 dev nbma0
       ip neigh add 172.17.0.2 lladdr 192.168.1.2 dev nbma0
       ping 172.17.0.1
       ping 172.17.0.2
      
      The second ping should be going to 192.168.1.2 and head 10.0.0.2;
      but cached gre tunnel level route is used and it's actually going
      to 192.168.1.1 via 10.0.0.1.
      
      The lladdr's need to go to separate dst for the bug to trigger.
      Test case uses separate route entries, but this can also happen
      when the route entry is same: if there is a nexthop exception or
      the GRE tunnel is IPsec'ed in which case the dst points to xfrm
      bundle unique to the gre lladdr.
      
      Fixes: 7d442fab ("ipv4: Cache dst in tunnels")
      Signed-off-by: Timo Teräs <timo.teras@iki.fi>
      Cc: Tom Herbert <therbert@google.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net/dsa/dsa.c: increment chip_index during of_node handling on dsa_of_probe() · d1c0b471
      Fabian Godehardt authored
      Adding more than one chip on device-tree currently causes the probing
      routine to always use the first chips data pointer.
      Signed-off-by: Fabian Godehardt <fg@emlix.com>
      Acked-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: ipv6: make "ip -6 route get mark xyz" work. · 2e47b291
      Lorenzo Colitti authored
      Currently, "ip -6 route get mark xyz" ignores the mark passed in
      by userspace. Make it honour the mark, just like IPv4 does.
      Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 2f67cc87
      David S. Miller authored
      Include changes:
      - fix NULL dereference in batadv_orig_hardif_seq_print_text()
      - fix reference counting imbalance when using fragmentation
      - avoid access to orig_node objects after they have been free'd
      - fix local TT check for outgoing arp requests in DAT
      xen-netback: fix race between napi_complete() and interrupt handler · 0d08fceb
      David Vrabel authored
      When the NAPI budget was not all used, xenvif_poll() would call
      napi_complete() /after/ enabling the interrupt.  This resulted in a
      race between the napi_complete() and the napi_schedule() in the
      interrupt handler.  The use of local_irq_save/restore() avoided the
      race iff the handler is running on the same CPU, but not if it was
      running on a different CPU.
      
      Fix this properly by calling napi_complete() before reenabling
      interrupts (in the xenvif_napi_schedule_or_enable_irq() call).
      Signed-off-by: David Vrabel <david.vrabel@citrix.com>
      Acked-by: Wei Liu <wei.liu2@citrix.com>
      Acked-by: Ian Campbell <ian.campbell@citrix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 202630b4
      David S. Miller authored
      John W. Linville says:
      
      ====================
      pull request: wireless 2014-05-15
      
      Please pull this batch of fixes for the 3.15 stream...
      
      For the mac80211 bits, Johannes says:
      
      "One fix is to get better VHT performance and the other fixes tracing
      garbage or other potential issues with the interface name tracing."
      
      And...
      
      "This has a fix from Emmanuel for a problem I failed to fix - when
      association is in progress then it needs to be cancelled while
      suspending (I had fixed the same for authentication). Also included a
      fix from myself for a userspace API problem that hit the iw tool and a
      fix to the remain-on-channel framework."
      
      For the iwlwifi bits, Emmanuel says:
      
      "Alex fixes the scan by disabling the fragmented scan. David prevents
      scan offload while associated, the firmware seems not to like it. I
      fix a stupid bug I made in BT Coex, and fix a bad #ifdef clause in rate
      scaling.  Along with that there is a fix for a NULL pointer exception
      that can happen if we load the driver and our ISR gets called because
      the interrupt line is shared. The fix has been tested by the reporter."
      
      And...
      
      "We have here a fix from David Spinadel that makes a previous fix more
      complete, and an off-by-one issue fixed by Eliad in the same area.
      I fix the monitor that broke on the way."
      
      Beyond that...
      
      Daniel Kim's one-liner fixes a brcmfmac regression caused by a typo
      in an earlier commit.
      
      Rajkumar Manoharan fixes an ath9k oops reported by David Herrmann.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      af_rxrpc: Fix XDR length check in rxrpc key demarshalling. · fde0133b
      Nathaniel W Filardo authored
      There may be padding on the ticket contained in the key payload, so just ensure
      that the claimed token length is large enough, rather than exactly the right
      size.
      Signed-off-by: Nathaniel Wesley Filardo <nwf@cs.jhu.edu>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
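The padding point in the commit above, as an added illustration that is not code from the rxrpc tree: XDR stores an opaque of n bytes in n rounded up to a multiple of four, so a length check written as "exactly header plus ticket" rejects every ticket whose length is not a multiple of four, while "at least header plus padded ticket" still catches truncated input. The token layout (kvno, ticket length, opaque ticket), the function names and the roundtrip helper are assumptions made for this example; the real rxrpc Kerberos-5 token carries more fields than this.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* XDR rule: an opaque of n bytes occupies n rounded up to a multiple of 4. */
static size_t xdr_pad4(size_t n)
{
	return (n + 3) & ~(size_t)3;
}

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24);
	p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);
	p[3] = (uint8_t)v;
}

/*
 * Constructed token layout (an assumption for this example, not rxrpc's
 * real Kerberos-5 token):
 *   u32 kvno; u32 ticket_len; opaque ticket[ticket_len] (zero-padded to 4)
 */
#define TOKEN_FIXED_LEN 8

/* Encode a token; returns bytes written, or 0 if the buffer is too small. */
size_t encode_token(uint32_t kvno, const uint8_t *ticket, uint32_t ticket_len,
		    uint8_t *out, size_t cap)
{
	size_t padded = xdr_pad4(ticket_len);
	size_t need = TOKEN_FIXED_LEN + padded;

	if (cap < need)
		return 0;
	put_be32(out, kvno);
	put_be32(out + 4, ticket_len);
	memcpy(out + TOKEN_FIXED_LEN, ticket, ticket_len);
	memset(out + TOKEN_FIXED_LEN + ticket_len, 0, padded - ticket_len);
	return need;
}

/*
 * Pre-fix style check: the buffer must be exactly the fixed part plus the
 * *unpadded* ticket. Any ticket whose length is not a multiple of 4 is
 * rejected, because the encoder had to append padding.
 */
int token_len_ok_exact(const uint8_t *tok, size_t toklen)
{
	if (toklen < TOKEN_FIXED_LEN)
		return 0;
	return toklen == TOKEN_FIXED_LEN + (size_t)get_be32(tok + 4);
}

/*
 * Post-fix style check: the buffer must be large enough for the fixed part
 * plus the padded ticket. Truncated input is still rejected; the padding is
 * tolerated.
 */
int token_len_ok_at_least(const uint8_t *tok, size_t toklen)
{
	uint32_t ticket_len;

	if (toklen < TOKEN_FIXED_LEN)
		return 0;
	ticket_len = get_be32(tok + 4);
	if (ticket_len > toklen)	/* keeps the sum below from wrapping */
		return 0;
	return toklen >= TOKEN_FIXED_LEN + xdr_pad4(ticket_len);
}

/*
 * Helper for trying both checks: build a ticket_len-byte token (constructed
 * 0xAB filler), drop `truncate` trailing bytes, then run the exact check
 * (at_least == 0) or the at-least check (at_least != 0). Returns the check's
 * verdict, or -1 if the inputs do not fit the scratch buffers.
 */
int roundtrip_check(uint32_t ticket_len, size_t truncate, int at_least)
{
	uint8_t ticket[64], buf[128];
	size_t n;

	if (ticket_len > sizeof ticket)
		return -1;
	memset(ticket, 0xAB, ticket_len);
	n = encode_token(7, ticket, ticket_len, buf, sizeof buf);
	if (n == 0 || truncate > n)
		return -1;
	n -= truncate;
	return at_least ? token_len_ok_at_least(buf, n)
			: token_len_ok_exact(buf, n);
}
```

A 5-byte ticket encodes to 16 bytes (8 fixed + 8 padded), so the exact check fails on a perfectly valid token while the at-least check passes; shorten the same buffer by even one byte and the at-least check rejects it, which is the property the original exact check was meant to guarantee.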
      net: phy: resume phydev when going to RESUMING · 6e14a5ee
      Zhangfei Gao authored
      With commit be9dad1f ("net: phy: suspend phydev when going
      to HALTED"), an unused PHY device will be put in a low-power mode
      using BMCR_PDOWN. Some Ethernet drivers might be calling phy_start()
      and phy_stop() from ndo_open and ndo_close() respectively, while
      calling phy_connect() and phy_disconnect() from probe and remove.
      In such a case, the PHY will be powered down during the phy_stop()
      call, but will fail to be powered up in phy_start().
      This patch fixes this scenario.
      Signed-off-by: Jiancheng Xue <xuejiancheng@huawei.com>
      Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'mlx4-net' · 0c2e3fa9
      David S. Miller authored
      Or Gerlitz says:
      
      ====================
      mlx4: Fix VF MAC address change under RoCE usage
      
      This short series provides proper handling for the case where a
      VF netdevice changes its MAC address under a RoCE use case. The code
      it deals with was introduced in 3.15-rc1.
      
      Prior to this series the source MAC used for the VM RoCE CM
      packets remains as before the MAC modification. Hence RoCE CM
      packets sent by the VF will not carry the same source MAC
      address as the non-CM packets.
      
      Earlier 3.15-rc commit f24f790f "net/mlx4_core: Load the Eth driver
      first" handled just one instance of the problem, but this one
      provides a more generic and proper solution which covers all
      cases of VF mac change.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      IB/mlx4: Invoke UPDATE_QP for proxy QP1 on MAC changes · 9433c188
      Matan Barak authored
      When we receive a netdev event indicating a netdev change and/or
      a netdev address change, we must change the MAC index used by the
      proxy QP1 (in the QP context), otherwise RoCE CM packets sent by the
      VF will not carry the same source MAC address as the non-CM packets.
      
      We use the UPDATE_QP command to perform this change.
      
      In order to avoid modifying a QP context based on a netdev event
      while the driver attempts to destroy this QP (e.g. either the mlx4_ib
      or ib_mad modules are unloaded), we use mutex locking in both flows.
      
      Since the relevant mlx4 proxy GSI QP is created indirectly by the
      mad module when they create their GSI QP, mlx4 didn't need to
      keep track of that QP prior to this change.
      
      Now, when QP modifications are needed to this QP from within the
      driver, we added a reference to it.
      Signed-off-by: Matan Barak <matanb@mellanox.com>
      Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net/mlx4_core: Add UPDATE_QP SRIOV wrapper support · ce8d9e0d
      Matan Barak authored
      This patch adds UPDATE_QP SRIOV wrapper support.
      
      The mechanism is a general one, but currently only source MAC
      index changes are allowed for VFs.
      Signed-off-by: Matan Barak <matanb@mellanox.com>
      Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bonding: fix out of range parameters for bond_intmax_tbl · 81c70806
      Nikolay Aleksandrov authored
      I missed adding a NULL entry to the bond_intmax_tbl when I introduced
      it with the conversion of arp_interval, so add it now.
      
      CC: Jay Vosburgh <j.vosburgh@gmail.com>
      CC: Veaceslav Falico <vfalico@gmail.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      
      Fixes: 7bdb04ed ("bonding: convert arp_interval to use the new option API")
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Acked-by: Veaceslav Falico <vfalico@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      xen-netback: Fix grant ref resolution in RX path · 58375744
      Zoltan Kiss authored
      The original series for reintroducing grant mapping for netback had a patch [1]
      to handle receiving of packets from an another VIF. Grant copy on the receiving
      side needs the grant ref of the page to set up the op.
      The original patch assumed (wrongly) that the frags array hasn't changed. In
      the case reported by Sander, the sending guest sent a packet where the linear
      buffer and the first frag were under PKT_PROT_LEN (=128) bytes.
      xenvif_tx_submit() then pulled up the linear area to 128 bytes, and ditched the
      first frag. The receiving side had an off-by-one problem when gathering the grant
      refs.
      This patch fixes that by checking whether the actual frag's page pointer is the
      same as the page in the original frag list. It can handle any kind of changes on
      the original frags array, like:
      - removing granted frags from the array at any point
      - adding local pages to the frags list anywhere
      - reordering the frags
      It's optimized for the most common case, when there is a 1:1 relation between the
      frags and the list, and also works optimally when frags are removed from the end or
      the beginning.
      
      [1]: 3e2234: xen-netback: Handle foreign mapped pages on the guest RX path
      Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com>
      Acked-by: Ian Campbell <ian.campbell@citrix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ipv6: update Destination Cache entries when gateway turn into host · be7a010d
      Duan Jiong authored
      RFC 4861 states in 7.2.5:
      
          The IsRouter flag in the cache entry MUST be set based on the
          Router flag in the received advertisement.  In those cases
          where the IsRouter flag changes from TRUE to FALSE as a result
          of this update, the node MUST remove that router from the
          Default Router List and update the Destination Cache entries
          for all destinations using that neighbor as a router as
          specified in Section 7.3.3.  This is needed to detect when a
          node that is used as a router stops forwarding packets due to
          being configured as a host.
      
      Currently, when dealing with an NA message whose IsRouter flag changes from
      TRUE to FALSE, the kernel only removes the router from the Default Router List,
      and doesn't update the Destination Cache entries.
      
      Now, in order to update those Destination Cache entries, I introduce the
      function rt6_clean_tohost().
      Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
      Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · f895f0cf
      David S. Miller authored
      Conflicts:
      	net/ipv4/ip_vti.c
      
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2014-05-15
      
      This pull request has a merge conflict in net/ipv4/ip_vti.c
      between commit 8d89dcdf ("vti: don't allow to add the same
      tunnel twice") and commit a3245236  ("vti4:Don't count header
      length twice"). It can be solved like it is done in linux-next.
      
      1) Fix a ipv6 xfrm output crash when a packet is rerouted
         by netfilter to not use IPsec.
      
      2) vti4 counts some header lengths twice leading to an incorrect
         device mtu. Fix this by counting these headers only once.
      
      3) We don't catch the case if an unsupported protocol is submitted
         to the xfrm protocol handlers, this can lead to NULL pointer
         dereferences. Fix this by adding the appropriate checks.
      
      4) vti6 may unregister pernet ops twice on init errors.
         Fix this by removing one of the calls to do it only once.
         From Mathias Krause.
      
      5) Set the vti tunnel mark before doing a lookup in the error
         handlers. Otherwise we don't find the correct xfrm state.
      ====================
      
      The conflict in ip_vti.c was simple, 'net' had a commit
      removing a line from vti_tunnel_init() and this tree
      being merged had a commit adding a line to the same
      location.
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: phy: Don't call phy_resume if phy_init_hw failed · b394745d
      Guenter Roeck authored
      After the call to phy_init_hw failed in phy_attach_direct, phy_detach is called
      to detach the phy device from its network device. If the attached driver is a
      generic phy driver, this also detaches the driver. Subsequently phy_resume
      is called, which assumes without checking that a driver is attached to the
      device. This will result in a crash such as
      
      Unable to handle kernel paging request for data at address 0xffffffffffffff90
      Faulting instruction address: 0xc0000000003a0e18
      Oops: Kernel access of bad area, sig: 11 [#1]
      ...
      NIP [c0000000003a0e18] .phy_attach_direct+0x68/0x17c
      LR [c0000000003a0e6c] .phy_attach_direct+0xbc/0x17c
      Call Trace:
      [c0000003fc0475d0] [c0000000003a0e6c] .phy_attach_direct+0xbc/0x17c (unreliable)
      [c0000003fc047670] [c0000000003a0ff8] .phy_connect_direct+0x28/0x98
      [c0000003fc047700] [c0000000003f0074] .of_phy_connect+0x4c/0xa4
      
      Only call phy_resume if phy_init_hw was successful.
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Acked-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 15 May, 2014 9 commits
  4. 14 May, 2014 9 commits
      net: filter: s390: fix JIT address randomization · e84d2f8d
      Heiko Carstens authored
      This is the s390 variant of Alexei's JIT bug fix.
      (patch description below stolen from Alexei's patch)
      
      bpf_alloc_binary() adds 128 bytes of room to JITed program image
      and rounds it up to the nearest page size. If image size is close
      to page size (like 4000), it is rounded to two pages:
      round_up(4000 + 4 + 128) == 8192
      then 'hole' is computed as 8192 - (4000 + 4) = 4188
      If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
      then kernel will crash during bpf_jit_free():
      
      kernel BUG at arch/x86/mm/pageattr.c:887!
      Call Trace:
       [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
       [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
       [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
       [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
       [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
       [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
       [<ffffffff8106c90c>] worker_thread+0x11c/0x370
      
      since bpf_jit_free() does:
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
      to compute start address of 'bpf_binary_header'
      and header->pages will pass junk to:
        set_memory_rw(addr, header->pages);
      
      Fix it by making sure that &header->image[prandom_u32() % hole] and &header
      are in the same page.
      
      Fixes: aa2d2c73 ("s390/bpf,jit: address randomize and write protect jit code")
      Reported-by: Alexei Starovoitov <ast@plumgrid.com>
      Cc: <stable@vger.kernel.org> # v3.11+
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ath9k_htc: Stop ANI before doing hw_reset · faf1dc64
      Rajkumar Manoharan authored
      During remain on channel request, ANI worker thread is not stopped
      before doing hw reset. This is causing kernel crash in
      hw_per_calibration. This change ensures that ANI is stopped before
      doing chip reset and it will be rescheduled later when the chip is
      configured back to home channel and having valid bss.
      Reported-by: David Herrmann <dh.herrmann@gmail.com>
      Tested-by: David Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      af_iucv: wrong mapping of sent and confirmed skbs · f5738e2e
      Ursula Braun authored
      When sending data through IUCV a MESSAGE COMPLETE interrupt
      signals that sent data memory can be freed or reused again.
      With commit f9c41a62
      "af_iucv: fix recvmsg by replacing skb_pull() function" the
      MESSAGE COMPLETE callback iucv_callback_txdone() identifies
      the wrong skb as being confirmed, which leads to data corruption.
      This patch fixes the skb mapping logic in iucv_callback_txdone().
      Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
      Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      be2net: enable interrupts in EEH resume · 03a58baa
      Kalesh AP authored
      On some BE3 FW versions, after a HW reset, interrupts will remain disabled
      for each function. So, explicitly enable the interrupts in the eeh_resume
      handler, else after an eeh recovery interrupts wouldn't work.
      Signed-off-by: Kalesh AP <kalesh.purayil@emulex.com>
      Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      jme: Fix unmap loop counting error: · c4b16068
      Neil Horman authored
      In my recent fix (76a691d0: fix dma unmap warning), Ben Hutchings noted that my
      loop count was incorrect.  Where j started at startidx, it should have started
      at zero, and gone on for count entries, not to endidx.  Additionally, a DMA
      resource exhaustion should drop the frame and (for now) return
      NETDEV_TX_OK, not NETDEV_TX_BUSY.  This patch fixes both of those issues.
      Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
      CC: Ben Hutchings <ben@decadent.org.uk>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: Guo-Fu Tseng <cooldavid@cooldavid.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      mac80211: fix on-channel remain-on-channel · b4b177a5
      Johannes Berg authored
      Jouni reported that if a remain-on-channel was active on the
      same channel as the current operating channel, then the ROC
      would start, but any frames transmitted using mgmt-tx on the
      same channel would get delayed until after the ROC.
      
      The reason for this is that the ROC starts, but doesn't have
      any handling for "remain on the same channel", so it stops
      the interface queues. The later mgmt-tx then puts the frame
      on the interface queues (since it's on the current operating
      channel) and thus they get delayed until after the ROC.
      
      To fix this, add some logic to handle remaining on the same
      channel specially and not stop the queues etc. in this case.
      This not only fixes the bug but also improves behaviour in
      this case as data frames etc. can continue to flow.
      
      Cc: stable@vger.kernel.org
      Reported-by: Jouni Malinen <j@w1.fi>
      Tested-by: Jouni Malinen <j@w1.fi>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      ipv6: fix calculation of option len in ip6_append_data · 3a1cebe7
      Hannes Frederic Sowa authored
      tot_len does specify the size of struct ipv6_txoptions. We need opt_flen +
      opt_nflen to calculate the overall length of additional ipv6 extensions.
      
      I found this while auditing the ipv6 output path for a memory corruption
      reported by Alexey Preobrazhensky while he fuzzed an instrumented
      AddressSanitizer kernel with trinity. This may or may not be the cause
      of the original bug.
      
      Fixes: 4df98e76 ("ipv6: pmtudisc setting not respected with UFO/CORK")
      Reported-by: Alexey Preobrazhensky <preobr@google.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: avoid dependency of net_get_random_once on nop patching · 3d440522
      Hannes Frederic Sowa authored
      net_get_random_once depends on the static keys infrastructure to patch up
      the branch to the slow path during boot. This was realized by abusing the
      static keys api and defining a new initializer to not enable the call
      site while still indicating that the branch point should get patched
      up. This was needed to have the fast path considered likely by gcc.
      
      The static key initialization during boot up normally walks through all
      the registered keys and either patches in ideal nops or enables the jump
      site, but omitted that step on x86 if ideal nops were already placed at
      static_key branch points. Thus net_get_random_once branches did not
      always become active.
      
      This patch switches net_get_random_once to the ordinary static_key
      api and thus places the kernel fast path in the - by gcc considered -
      unlikely path.  Microbenchmarks on Intel and AMD x86-64 showed that
      the unlikely path actually beats the likely path in terms of cycle cost
      and that different nop patterns did not make much difference, thus this
      switch should not be noticeable.
      
      Fixes: a48e4292 ("net: introduce new macro net_get_random_once")
      Reported-by: Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 13 May, 2014 2 commits
      net: filter: x86: fix JIT address randomization · 773cd38f
      Alexei Starovoitov authored
      bpf_alloc_binary() adds 128 bytes of room to JITed program image
      and rounds it up to the nearest page size. If image size is close
      to page size (like 4000), it is rounded to two pages:
      round_up(4000 + 4 + 128) == 8192
      then 'hole' is computed as 8192 - (4000 + 4) = 4188
      If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
      then kernel will crash during bpf_jit_free():
      
      kernel BUG at arch/x86/mm/pageattr.c:887!
      Call Trace:
       [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
       [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
       [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
       [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
       [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
       [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
       [<ffffffff8106c90c>] worker_thread+0x11c/0x370
      
      since bpf_jit_free() does:
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
      to compute start address of 'bpf_binary_header'
      and header->pages will pass junk to:
        set_memory_rw(addr, header->pages);
      
      Fix it by making sure that &header->image[prandom_u32() % hole] and &header
      are in the same page
      
      Fixes: 314beb9b ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
      Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
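The hole arithmetic from this commit and from its s390 counterpart (e84d2f8d, in the 14 May entries above), as a stand-alone userspace mirror added here for illustration; it is not code from either JIT. It assumes 4 KiB pages and a header made of a 4-byte page count followed by the image, uses malloc plus manual alignment where the kernel uses module_alloc(), and reproduces the pre-fix hole, the min()-capped post-fix hole, and the "bpf_func & PAGE_MASK" recovery that bpf_jit_free() relies on. The function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096UL		/* assumption: 4 KiB pages */
#define PAGE_MASK (~(PAGE_SIZE - 1))
#define ROUND_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Same shape as the kernel's header: a page count, then the JITed image. */
struct bpf_binary_header {
	unsigned int pages;
	uint8_t image[];
};

/* proglen + header + 128 bytes of slack, rounded up to whole pages. */
static unsigned long jit_alloc_size(unsigned int proglen)
{
	return ROUND_UP(proglen + sizeof(struct bpf_binary_header) + 128,
			PAGE_SIZE);
}

/* Pre-fix: the whole unused tail is offered to prandom_u32() % hole. */
unsigned long hole_before_fix(unsigned int proglen)
{
	return jit_alloc_size(proglen) -
	       (proglen + sizeof(struct bpf_binary_header));
}

/* Post-fix: the random start must stay inside the header's own page. */
unsigned long hole_after_fix(unsigned int proglen)
{
	return MIN(hole_before_fix(proglen),
		   PAGE_SIZE - sizeof(struct bpf_binary_header));
}

/*
 * Simulate bpf_jit_free(): with the program placed at image[offset], does
 * "bpf_func & PAGE_MASK" land back on the real header?  Returns 1 if so,
 * 0 if it lands in the int3 fill (where ->pages reads as 0xcccccccc), and
 * -1 if the scratch allocation fails.
 */
int header_recoverable(unsigned int proglen, unsigned long offset)
{
	unsigned long sz = jit_alloc_size(proglen);
	struct bpf_binary_header *header, *recovered;
	uintptr_t bpf_func;
	void *raw;
	int ok;

	/* Over-allocate by one page and align manually, standing in for module_alloc(). */
	raw = malloc(sz + PAGE_SIZE);
	if (!raw)
		return -1;
	header = (struct bpf_binary_header *)
		 (((uintptr_t)raw + PAGE_SIZE - 1) & PAGE_MASK);
	memset(header, 0xcc, sz);		/* int3 fill, as the JIT does */
	header->pages = sz / PAGE_SIZE;

	bpf_func = (uintptr_t)&header->image[offset];
	recovered = (struct bpf_binary_header *)(bpf_func & PAGE_MASK);
	ok = recovered == header && recovered->pages == header->pages;
	free(raw);
	return ok;
}

int main(void)
{
	unsigned int proglen = 4000;	/* the size used in the commit message */
	unsigned long hb = hole_before_fix(proglen);
	unsigned long ha = hole_after_fix(proglen);

	printf("proglen=%u sz=%lu hole before=%lu after=%lu\n",
	       proglen, jit_alloc_size(proglen), hb, ha);
	printf("largest pre-fix offset %lu recovers header: %d\n",
	       hb - 1, header_recoverable(proglen, hb - 1));
	printf("largest post-fix offset %lu recovers header: %d\n",
	       ha - 1, header_recoverable(proglen, ha - 1));
	return 0;
}
```

For proglen 4000 the allocation is 8192 bytes and the uncapped hole is 4188, so any offset of 4092 or more puts the program start on the second page; masking that address recovers a fake header whose pages field is int3 filler, which is the junk that reached set_memory_rw() in the trace. The capped hole is 4092, the largest offset that keeps the start on the header's page.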