  3. 01 Apr, 2019 8 commits
      kcm: switch order of device registration to fix a crash · 3c446e6f
      Jiri Slaby authored
      When kcm is loaded while many processes try to create a KCM socket, a
      crash occurs:
       BUG: unable to handle kernel NULL pointer dereference at 000000000000000e
       IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
       PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0
       Oops: 0002 [#1] SMP KASAN PTI
       CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased)
       RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
       RSP: 0018:ffff88000d487a00 EFLAGS: 00010246
       RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719
       ...
       CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0
       Call Trace:
        kcm_create+0x600/0xbf0 [kcm]
        __sock_create+0x324/0x750 net/socket.c:1272
       ...
      
       This is due to a race between sock_create and an unfinished
       register_pernet_device. kcm_create tries to do "net_generic(net,
       kcm_net_id)", but kcm_net_id is not initialized yet.
      
      So switch the order of the two to close the race.
      
       This can be reproduced with multiple processes doing socket(PF_KCM, ...)
      and one process doing module removal.
      
      Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
       Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
       Signed-off-by: Jiri Slaby <jslaby@suse.cz>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'net-sched-fix-stats-accounting-for-child-NOLOCK-qdiscs' · c4df1bdd
      David S. Miller authored
      Paolo Abeni says:
      
      ====================
      net: sched: fix stats accounting for child NOLOCK qdiscs
      
      Currently, stats accounting for NOLOCK qdisc enslaved to classful (lock)
      qdiscs is buggy. Per CPU values are ignored in most places, as a result,
       stats dump in the above scenario always reports 0 length backlog and parent
      backlog len is not updated correctly on NOLOCK qdisc removal.
      
       The first patch addresses stats dumping, and the second one child qdisc removal.
      I'm targeting the net tree as this is a bugfix, but it could be moved to
      net-next due to the relatively large diffstat.
      ====================
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net: sched: introduce and use qdisc tree flush/purge helpers · e5f0e8f8
      Paolo Abeni authored
      The same code to flush qdisc tree and purge the qdisc queue
      is duplicated in many places and in most cases it does not
      respect NOLOCK qdisc: the global backlog len is used and the
      per CPU values are ignored.
      
      This change addresses the above, factoring-out the relevant
      code and using the helpers introduced by the previous patch
      to fetch the correct backlog len.
      
      Fixes: c5ad119f ("net: sched: pfifo_fast use skb_array")
       Signed-off-by: Paolo Abeni <pabeni@redhat.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net: sched: introduce and use qstats read helpers · 5dd431b6
      Paolo Abeni authored
       Classful qdiscs can't directly access the child qdisc's backlog
       length: if such a qdisc is NOLOCK, per CPU values should be
       accounted instead.
      
       Most qdiscs do not respect the above. As a result, qstats fetching
      for most classful qdisc is currently incorrect: if the child qdisc is
      NOLOCK, it always reports 0 len backlog.
      
      This change introduces a pair of helpers to safely fetch
      both backlog and qlen and use them in stats class dumping
      functions, fixing the above issue and cleaning a bit the code.
      
       DRR also needs to access the child qdisc queue length, so it
       needs custom handling.
      
      Fixes: c5ad119f ("net: sched: pfifo_fast use skb_array")
       Signed-off-by: Paolo Abeni <pabeni@redhat.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net/sched: fix ->get helper of the matchall cls · 0db6f8be
      Nicolas Dichtel authored
      It returned always NULL, thus it was never possible to get the filter.
      
      Example:
      $ ip link add foo type dummy
      $ ip link add bar type dummy
      $ tc qdisc add dev foo clsact
      $ tc filter add dev foo protocol all pref 1 ingress handle 1234 \
      	matchall action mirred ingress mirror dev bar
      
      Before the patch:
      $ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
      Error: Specified filter handle not found.
      We have an error talking to the kernel
      
      After:
      $ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
      filter ingress protocol all pref 1 matchall chain 0 handle 0x4d2
        not_in_hw
              action order 1: mirred (Ingress Mirror to device bar) pipe
              index 1 ref 1 bind 1
      
      CC: Yotam Gigi <yotamg@mellanox.com>
      CC: Jiri Pirko <jiri@mellanox.com>
      Fixes: fd62d9f5 ("net/sched: matchall: Fix configuration race")
       Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      vrf: check accept_source_route on the original netdevice · 8c83f2df
      Stephen Suryaputra authored
      Configuration check to accept source route IP options should be made on
      the incoming netdevice when the skb->dev is an l3mdev master. The route
      lookup for the source route next hop also needs the incoming netdev.
      
      v2->v3:
      - Simplify by passing the original netdevice down the stack (per David
        Ahern).
       Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
       Reviewed-by: David Ahern <dsahern@gmail.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      MAINTAINERS: net: update Solarflare maintainers · 8c1074f6
      Bert Kenward authored
      Cc: Martin Habets <mhabets@solarflare.com>
       Signed-off-by: Bert Kenward <bkenward@solarflare.com>
       Acked-by: Martin Habets <mhabets@solarflare.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: fix a potential NULL pointer dereference in tcp_sk_exit · b506bc97
      Dust Li authored
       When tcp_sk_init() failed in inet_ctl_sock_create(),
       'net->ipv4.tcp_congestion_control' will be left
       uninitialized, but tcp_sk_exit() doesn't check for
       that.
       
       This patch adds a check on 'net->ipv4.tcp_congestion_control'
       in tcp_sk_exit() to prevent a NULL-ptr dereference.
      
      Fixes: 6670e152 ("tcp: Namespace-ify sysctl_tcp_default_congestion_control")
       Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
       Signed-off-by: Eric Dumazet <edumazet@google.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 31 Mar, 2019 11 commits
      Merge branch 'tipc-a-batch-of-uninit-value-fixes-for-netlink_compat' · 7ff0b608
      David S. Miller authored
      Xin Long says:
      
      ====================
      tipc: a batch of uninit-value fixes for netlink_compat
      
      These issues were all reported by syzbot, and exist since very beginning.
      See the details on each patch.
      ====================
       Acked-by: Jon Maloy <jon.maloy@ericsson.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      tipc: handle the err returned from cmd header function · 2ac695d1
      Xin Long authored
      Syzbot found a crash:
      
        BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
        Call Trace:
          tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
          __tipc_nl_compat_dumpit+0x59e/0xda0 net/tipc/netlink_compat.c:215
          tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:280
          tipc_nl_compat_handle net/tipc/netlink_compat.c:1226 [inline]
          tipc_nl_compat_recv+0x1b5f/0x2750 net/tipc/netlink_compat.c:1265
          genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
          genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
          netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
          genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
          netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
          netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
          netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
          sock_sendmsg_nosec net/socket.c:622 [inline]
          sock_sendmsg net/socket.c:632 [inline]
      
        Uninit was created at:
          __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
          alloc_skb include/linux/skbuff.h:1012 [inline]
          netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
          netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
          sock_sendmsg_nosec net/socket.c:622 [inline]
          sock_sendmsg net/socket.c:632 [inline]
      
      It was supposed to be fixed on commit 974cb0e3 ("tipc: fix uninit-value
      in tipc_nl_compat_name_table_dump") by checking TLV_GET_DATA_LEN(msg->req)
      in cmd->header()/tipc_nl_compat_name_table_dump_header(), which is called
      ahead of tipc_nl_compat_name_table_dump().
      
      However, tipc_nl_compat_dumpit() doesn't handle the error returned from cmd
      header function. It means even when the check added in that fix fails, it
      won't stop calling tipc_nl_compat_name_table_dump(), and the issue will be
      triggered again.
      
      So this patch is to add the process for the err returned from cmd header
      function in tipc_nl_compat_dumpit().
      
      Reported-by: syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com
       Signed-off-by: Xin Long <lucien.xin@gmail.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      tipc: check link name with right length in tipc_nl_compat_link_set · 8c63bf9a
      Xin Long authored
      A similar issue as fixed by Patch "tipc: check bearer name with right
      length in tipc_nl_compat_bearer_enable" was also found by syzbot in
      tipc_nl_compat_link_set().
      
      The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
      offsetof(struct tipc_link_config, name)'.
      
      Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
       Signed-off-by: Xin Long <lucien.xin@gmail.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      tipc: check bearer name with right length in tipc_nl_compat_bearer_enable · 6f07e5f0
      Xin Long authored
      Syzbot reported the following crash:
      
      BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961
        memchr+0xce/0x110 lib/string.c:961
        string_is_valid net/tipc/netlink_compat.c:176 [inline]
        tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401
        __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline]
        tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354
        tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline]
        tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265
        genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
        genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
        netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
        genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
        netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
        netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
        netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
        sock_sendmsg_nosec net/socket.c:622 [inline]
        sock_sendmsg net/socket.c:632 [inline]
      
      Uninit was created at:
        __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
        alloc_skb include/linux/skbuff.h:1012 [inline]
        netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
        netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
        sock_sendmsg_nosec net/socket.c:622 [inline]
        sock_sendmsg net/socket.c:632 [inline]
      
      It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME,
      it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which
      also includes priority and disc_domain length.
      
      This patch is to fix it by checking it with a right length:
      'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'.
      
      Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com
       Signed-off-by: Xin Long <lucien.xin@gmail.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
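The two tipc_nl_compat length fixes above (bearer_enable and link_set) share one defect: the name string was scanned for a terminator using the whole TLV payload length, which also covers the fixed fields placed before the name, so the scan could run past the bytes the sender actually supplied. The following is an added illustration written for this page, not kernel code and not from these patches; the struct layout, the field names and the helper names are assumptions chosen to mirror the commit messages, and the request buffer is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct tipc_bearer_config: two
 * fixed fields ahead of the name, as the commit message describes.  The
 * real kernel layout is not reproduced here. */
#define TIPC_MAX_BEARER_NAME 32

struct tipc_bearer_config {
    uint32_t priority;
    uint32_t disc_domain;
    char name[TIPC_MAX_BEARER_NAME];
};

/* Same idea as the kernel's string_is_valid(): the string is valid only if
 * a NUL terminator occurs within the first len bytes. */
static int string_is_valid(const char *s, size_t len)
{
    return memchr(s, '\0', len) != NULL;
}

/* Pre-fix behaviour: the whole TLV payload length is used, so the scan can
 * run past the bytes the sender supplied into memory it never wrote. */
static int bearer_name_valid_buggy(const struct tipc_bearer_config *b,
                                   size_t tlv_data_len)
{
    return string_is_valid(b->name, tlv_data_len);
}

/* Fixed behaviour: subtract the fields that precede name so the scan covers
 * only the name bytes actually present in the payload. */
static int bearer_name_valid_fixed(const struct tipc_bearer_config *b,
                                   size_t tlv_data_len)
{
    size_t off = offsetof(struct tipc_bearer_config, name);
    size_t name_len;

    if (tlv_data_len < off)
        return 0;                         /* payload cannot even hold the header fields */
    name_len = tlv_data_len - off;
    if (name_len > TIPC_MAX_BEARER_NAME)
        name_len = TIPC_MAX_BEARER_NAME;  /* never scan past the name field */
    return string_is_valid(b->name, name_len);
}

/* Construct a request: header fields, then n bytes of name.  The rest of
 * the struct is filled with `fill` to stand in for whatever happened to be
 * in the skb beyond the sender's payload.  Returns the payload length,
 * i.e. what TLV_GET_DATA_LEN(msg->req) would report. */
static size_t build_request(struct tipc_bearer_config *req,
                            const char *name_bytes, size_t n, unsigned char fill)
{
    memset(req, fill, sizeof(*req));
    req->priority = 1;
    req->disc_domain = 0;
    memcpy(req->name, name_bytes, n);
    return offsetof(struct tipc_bearer_config, name) + n;
}

/* Sender supplies "eth0" with no terminator; bytes past the payload happen
 * to be zero.  The buggy check finds that stray zero and accepts the name,
 * the fixed check scans only the four supplied bytes and rejects it. */
int check_unterminated_name(int use_fix)
{
    struct tipc_bearer_config req;
    size_t tlv_len = build_request(&req, "eth0", 4, 0x00);

    return use_fix ? bearer_name_valid_fixed(&req, tlv_len)
                   : bearer_name_valid_buggy(&req, tlv_len);
}

/* Sender supplies a properly terminated "eth0"; bytes past the payload are
 * junk (0xAA).  Both checks accept this. */
int check_terminated_name(int use_fix)
{
    struct tipc_bearer_config req;
    size_t tlv_len = build_request(&req, "eth0", 5, 0xAA);

    return use_fix ? bearer_name_valid_fixed(&req, tlv_len)
                   : bearer_name_valid_buggy(&req, tlv_len);
}

/* Payload shorter than the header fields: the fixed check rejects it
 * instead of computing a negative (wrapped) name length. */
int check_short_payload(void)
{
    struct tipc_bearer_config req;

    build_request(&req, "", 0, 0x00);
    return bearer_name_valid_fixed(&req, 4);
}

int main(void)
{
    printf("unterminated name: buggy=%d fixed=%d\n",
           check_unterminated_name(0), check_unterminated_name(1));
    printf("terminated name:   buggy=%d fixed=%d\n",
           check_terminated_name(0), check_terminated_name(1));
    printf("short payload:     fixed=%d\n", check_short_payload());
    return 0;
}
```

The point the example makes is the one KMSAN reported: whether the buggy check accepts or rejects depends on bytes the sender never sent, which is exactly the uninitialized-memory read the two patches remove by subtracting offsetof(..., name) from the TLV data length.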
      Merge branch 'net-stmmac-fix-handling-of-oversized-frames' · d3de85a5
      David S. Miller authored
      Aaro Koskinen says:
      
      ====================
      net: stmmac: fix handling of oversized frames
      
      I accidentally had MTU size mismatch (9000 vs. 1500) in my network,
      and I noticed I could kill a system using stmmac & 1500 MTU simply
      by pinging it with "ping -s 2000 ...".
      
      While testing a fix I encountered also some other issues that need fixing.
      
      I have tested these only with enhanced descriptors, so the normal
      descriptor changes need a careful review.
      ====================
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net: stmmac: don't log oversized frames · 057a0c56
      Aaro Koskinen authored
       This log is harmful as it can trigger multiple times per packet. Delete
       it.
       Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net: stmmac: fix dropping of multi-descriptor RX frames · 8ac0c24f
      Aaro Koskinen authored
      Packets without the last descriptor set should be dropped early. If we
      receive a frame larger than the DMA buffer, the HW will continue using the
      next descriptor. Driver mistakes these as individual frames, and sometimes
      a truncated frame (without the LD set) may look like a valid packet.
      
       This fixes a strange issue where the system replies to a 4098-byte ping
      although the MTU/DMA buffer size is set to 4096, and yet at the same
      time it's logging an oversized packet.
       Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net: stmmac: don't overwrite discard_frame status · 1b746ce8
      Aaro Koskinen authored
      If we have error bits set, the discard_frame status will get overwritten
      by checksum bit checks, which might set the status back to good one.
      Fix by checking the COE status only if the frame is good.
       Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net: stmmac: don't stop NAPI processing when dropping a packet · 07b39753
      Aaro Koskinen authored
      Currently, if we drop a packet, we exit from NAPI loop before the budget
      is consumed. In some situations this will make the RX processing stall
      e.g. when flood pinging the system with oversized packets, as the
       erroneous packets are not dropped efficiently.
      
      If we drop a packet, we should just continue to the next one as long as
      the budget allows.
       Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net: stmmac: ratelimit RX error logs · 972c9be7
      Aaro Koskinen authored
      Ratelimit RX error logs.
       Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
      net: stmmac: use correct DMA buffer size in the RX descriptor · 583e6361
      Aaro Koskinen authored
      We always program the maximum DMA buffer size into the receive descriptor,
      although the allocated size may be less. E.g. with the default MTU size
      we allocate only 1536 bytes. If somebody sends us a bigger frame, then
      memory may get corrupted.
      
      Fix by using exact buffer sizes.
       Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>