1. 12 Apr, 2022 11 commits
  2. 11 Apr, 2022 5 commits
  3. 09 Apr, 2022 2 commits
  4. 08 Apr, 2022 14 commits
    • Marcelo Ricardo Leitner's avatar
      net/sched: fix initialization order when updating chain 0 head · e65812fd
      Marcelo Ricardo Leitner authored
      Currently, when inserting a new filter that needs to sit at the head
      of chain 0, it will first update the heads pointer on all devices using
      the (shared) block, and only then complete the initialization of the new
      element so that it has a "next" element.
      
      This can lead to a situation that the chain 0 head is propagated to
      another CPU before the "next" initialization is done. When this race
      condition is triggered, packets being matched on that CPU will simply
      miss all other filters, and will flow through the stack as if there were
      no other filters installed. If the system is using OVS + TC, such
      packets will get handled by vswitchd via upcall, which results in much
      higher latency and reordering. For other applications it may result in
      packet drops.
      
      This is reproducible with a tc only setup, but it varies from system to
      system. It could be reproduced with a shared block amongst 10 veth
      tunnels, and an ingress filter mirroring packets to another veth.
      That's because using the last added veth tunnel to the shared block to
      do the actual traffic, it makes the race window bigger and easier to
      trigger.
      
      The fix is rather simple, to just initialize the next pointer of the new
      filter instance (tp) before propagating the head change.
      
      The fixes tag is pointing to the original code though this issue should
      only be observed when using it unlocked.
      
      Fixes: 2190d1d0 ("net: sched: introduce helpers to work with filter chains")
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Link: https://lore.kernel.org/r/b97d5f4eaffeeb9d058155bcab63347527261abf.1649341369.git.marcelo.leitner@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e65812fd
    • Xin Long's avatar
      sctp: use the correct skb for security_sctp_assoc_request · e2d88f9c
      Xin Long authored
      Yi Chen reported an unexpected sctp connection abort, and it occurred when
      COOKIE_ECHO is bundled with DATA Fragment by SCTP HW GSO. As the IP header
      is included in chunk->head_skb instead of chunk->skb, it failed to check
      IP header version in security_sctp_assoc_request().
      
      According to Ondrej, SELinux only looks at IP header (address and IPsec
      options) and XFRM state data, and these are all included in head_skb for
      SCTP HW GSO packets. So fix it by using head_skb when calling
      security_sctp_assoc_request() in processing COOKIE_ECHO.
      
      v1->v2:
        - As Ondrej noticed, chunk->head_skb should also be used for
          security_sctp_assoc_established() in sctp_sf_do_5_1E_ca().
      
      Fixes: e215dab1 ("security: call security_sctp_assoc_request in sctp_sf_do_5_1D_ce")
      Reported-by: default avatarYi Chen <yiche@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Link: https://lore.kernel.org/r/71becb489e51284edf0c11fc15246f4ed4cef5b6.1649337862.git.lucien.xin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e2d88f9c
    • Vadim Pasternak's avatar
      mlxsw: i2c: Fix initialization error flow · d452088c
      Vadim Pasternak authored
      Add mutex_destroy() call in driver initialization error flow.
      
      Fixes: 6882b0ae ("mlxsw: Introduce support for I2C bus")
      Signed-off-by: default avatarVadim Pasternak <vadimp@nvidia.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Link: https://lore.kernel.org/r/20220407070703.2421076-1-idosch@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d452088c
    • Vladimir Oltean's avatar
      net: mdio: don't defer probe forever if PHY IRQ provider is missing · 74befa44
      Vladimir Oltean authored
      When a driver for an interrupt controller is missing, of_irq_get()
      returns -EPROBE_DEFER ad infinitum, causing
      fwnode_mdiobus_phy_device_register(), and ultimately, the entire
      of_mdiobus_register() call, to fail. In turn, any phy_connect() call
      towards a PHY on this MDIO bus will also fail.
      
      This is not what is expected to happen, because the PHY library falls
      back to poll mode when of_irq_get() returns a hard error code, and the
      MDIO bus, PHY and attached Ethernet controller work fine, albeit
      suboptimally, when the PHY library polls for link status. However,
      -EPROBE_DEFER has special handling given the assumption that at some
      point probe deferral will stop, and the driver for the supplier will
      kick in and create the IRQ domain.
      
      Reasons for which the interrupt controller may be missing:
      
      - It is not yet written. This may happen if a more recent DT blob (with
        an interrupt-parent for the PHY) is used to boot an old kernel where
        the driver didn't exist, and that kernel worked with the
        vintage-correct DT blob using poll mode.
      
      - It is compiled out. Behavior is the same as above.
      
      - It is compiled as a module. The kernel will wait for a number of
        seconds specified in the "deferred_probe_timeout" boot parameter for
        user space to load the required module. The current default is 0,
        which times out at the end of initcalls. It is possible that this
        might cause regressions unless users adjust this boot parameter.
      
      The proposed solution is to use the driver_deferred_probe_check_state()
      helper function provided by the driver core, which gives up after some
      -EPROBE_DEFER attempts, taking "deferred_probe_timeout" into consideration.
      The return code is changed from -EPROBE_DEFER into -ENODEV or
      -ETIMEDOUT, depending on whether the kernel is compiled with support for
      modules or not.
      
      Fixes: 66bdede4 ("of_mdio: Fix broken PHY IRQ in case of probe deferral")
      Suggested-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20220407165538.4084809-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      74befa44
    • Mateusz Palczewski's avatar
      Revert "iavf: Fix deadlock occurrence during resetting VF interface" · 7d59706d
      Mateusz Palczewski authored
      This change caused a regression with resetting while changing network
      namespaces. By clearing the IFF_UP flag, the kernel now thinks it has
      fully closed the device.
      
      This reverts commit 0cc318d2.
      
      Fixes: 0cc318d2 ("iavf: Fix deadlock occurrence during resetting VF interface")
      Signed-off-by: default avatarMateusz Palczewski <mateusz.palczewski@intel.com>
      Tested-by: default avatarKonrad Jankowski <konrad0.jankowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      7d59706d
    • Alexander Lobakin's avatar
      ice: arfs: fix use-after-free when freeing @rx_cpu_rmap · d7442f51
      Alexander Lobakin authored
      The CI testing bots triggered the following splat:
      
      [  718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80
      [  718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834
      [  718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S      W IOE     5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1
      [  718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020
      [  718.223418] Call Trace:
      [  718.227139]
      [  718.230783]  dump_stack_lvl+0x33/0x42
      [  718.234431]  print_address_description.constprop.9+0x21/0x170
      [  718.238177]  ? free_irq_cpu_rmap+0x53/0x80
      [  718.241885]  ? free_irq_cpu_rmap+0x53/0x80
      [  718.245539]  kasan_report.cold.18+0x7f/0x11b
      [  718.249197]  ? free_irq_cpu_rmap+0x53/0x80
      [  718.252852]  free_irq_cpu_rmap+0x53/0x80
      [  718.256471]  ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]
      [  718.260174]  ice_remove_arfs+0x5f/0x70 [ice]
      [  718.263810]  ice_rebuild_arfs+0x3b/0x70 [ice]
      [  718.267419]  ice_rebuild+0x39c/0xb60 [ice]
      [  718.270974]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
      [  718.274472]  ? ice_init_phy_user_cfg+0x360/0x360 [ice]
      [  718.278033]  ? delay_tsc+0x4a/0xb0
      [  718.281513]  ? preempt_count_sub+0x14/0xc0
      [  718.284984]  ? delay_tsc+0x8f/0xb0
      [  718.288463]  ice_do_reset+0x92/0xf0 [ice]
      [  718.292014]  ice_pci_err_resume+0x91/0xf0 [ice]
      [  718.295561]  pci_reset_function+0x53/0x80
      <...>
      [  718.393035] Allocated by task 690:
      [  718.433497] Freed by task 20834:
      [  718.495688] Last potentially related work creation:
      [  718.568966] The buggy address belongs to the object at ffff8881bd127e00
                      which belongs to the cache kmalloc-96 of size 96
      [  718.574085] The buggy address is located 0 bytes inside of
                      96-byte region [ffff8881bd127e00, ffff8881bd127e60)
      [  718.579265] The buggy address belongs to the page:
      [  718.598905] Memory state around the buggy address:
      [  718.601809]  ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  718.604796]  ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
      [  718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      [  718.610811]                    ^
      [  718.613819]  ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
      [  718.617107]  ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
      
      This is due to that free_irq_cpu_rmap() is always being called
      *after* (devm_)free_irq() and thus it tries to work with IRQ descs
      already freed. For example, on device reset the driver frees the
      rmap right before allocating a new one (the splat above).
      Make rmap creation and freeing function symmetrical with
      {request,free}_irq() calls i.e. do that on ifup/ifdown instead
      of device probe/remove/resume. These operations can be performed
      independently from the actual device aRFS configuration.
      Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers
      only when aRFS is disabled -- otherwise, CPU rmap sets and clears
      its own and they must not be touched manually.
      
      Fixes: 28bf2672 ("ice: Implement aRFS")
      Co-developed-by: default avatarIvan Vecera <ivecera@redhat.com>
      Signed-off-by: default avatarIvan Vecera <ivecera@redhat.com>
      Signed-off-by: default avatarAlexander Lobakin <alexandr.lobakin@intel.com>
      Tested-by: default avatarIvan Vecera <ivecera@redhat.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      d7442f51
    • Hongbin Wang's avatar
      vxlan: fix error return code in vxlan_fdb_append · 7cea5560
      Hongbin Wang authored
      When kmalloc and dst_cache_init failed,
      should return ENOMEM rather than ENOBUFS.
      Signed-off-by: default avatarHongbin Wang <wh_bin@126.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7cea5560
    • Jakub Kicinski's avatar
      flow_dissector: fix false-positive __read_overflow2_field() warning · 1b808993
      Jakub Kicinski authored
      Bounds checking is unhappy that we try to copy both Ethernet
      addresses but pass pointer to the first one. Luckily destination
      address is the first field so pass the pointer to the entire header,
      whatever.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b808993
    • Guillaume Nault's avatar
      veth: Ensure eth header is in skb's linear part · 726e2c59
      Guillaume Nault authored
      After feeding a decapsulated packet to a veth device with act_mirred,
      skb_headlen() may be 0. But veth_xmit() calls __dev_forward_skb(),
      which expects at least ETH_HLEN byte of linear data (as
      __dev_forward_skb2() calls eth_type_trans(), which pulls ETH_HLEN bytes
      unconditionally).
      
      Use pskb_may_pull() to ensure veth_xmit() respects this constraint.
      
      kernel BUG at include/linux/skbuff.h:2328!
      RIP: 0010:eth_type_trans+0xcf/0x140
      Call Trace:
       <IRQ>
       __dev_forward_skb2+0xe3/0x160
       veth_xmit+0x6e/0x250 [veth]
       dev_hard_start_xmit+0xc7/0x200
       __dev_queue_xmit+0x47f/0x520
       ? skb_ensure_writable+0x85/0xa0
       ? skb_mpls_pop+0x98/0x1c0
       tcf_mirred_act+0x442/0x47e [act_mirred]
       tcf_action_exec+0x86/0x140
       fl_classify+0x1d8/0x1e0 [cls_flower]
       ? dma_pte_clear_level+0x129/0x1a0
       ? dma_pte_clear_level+0x129/0x1a0
       ? prb_fill_curr_block+0x2f/0xc0
       ? skb_copy_bits+0x11a/0x220
       __tcf_classify+0x58/0x110
       tcf_classify_ingress+0x6b/0x140
       __netif_receive_skb_core.constprop.0+0x47d/0xfd0
       ? __iommu_dma_unmap_swiotlb+0x44/0x90
       __netif_receive_skb_one_core+0x3d/0xa0
       netif_receive_skb+0x116/0x170
       be_process_rx+0x22f/0x330 [be2net]
       be_poll+0x13c/0x370 [be2net]
       __napi_poll+0x2a/0x170
       net_rx_action+0x22f/0x2f0
       __do_softirq+0xca/0x2a8
       __irq_exit_rcu+0xc1/0xe0
       common_interrupt+0x83/0xa0
      
      Fixes: e314dbdc ("[NET]: Virtual ethernet device driver.")
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      726e2c59
    • Gal Pressman's avatar
      bonding: Update layer2 and layer2+3 hash formula documentation · 2cd1881b
      Gal Pressman authored
      When using layer2 or layer2+3 hash, only the 5th byte of the MAC
      addresses is used.
      Signed-off-by: default avatarGal Pressman <gal@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2cd1881b
    • Vlad Buslov's avatar
      net/sched: flower: fix parsing of ethertype following VLAN header · 2105f700
      Vlad Buslov authored
      A tc flower filter matching TCA_FLOWER_KEY_VLAN_ETH_TYPE is expected to
      match the L2 ethertype following the first VLAN header, as confirmed by
      linked discussion with the maintainer. However, such rule also matches
      packets that have additional second VLAN header, even though filter has
      both eth_type and vlan_ethtype set to "ipv4". Looking at the code this
      seems to be mostly an artifact of the way flower uses flow dissector.
      First, even though looking at the uAPI eth_type and vlan_ethtype appear
      like a distinct fields, in flower they are all mapped to the same
      key->basic.n_proto. Second, flow dissector skips following VLAN header as
      no keys for FLOW_DISSECTOR_KEY_CVLAN are set and eventually assigns the
      value of n_proto to last parsed header. With these, such filters ignore any
      headers present between first VLAN header and first "non magic"
      header (ipv4 in this case) that doesn't result
      FLOW_DISSECT_RET_PROTO_AGAIN.
      
      Fix the issue by extending flow dissector VLAN key structure with new
      'vlan_eth_type' field that matches first ethertype following previously
      parsed VLAN header. Modify flower classifier to set the new
      flow_dissector_key_vlan->vlan_eth_type with value obtained from
      TCA_FLOWER_KEY_VLAN_ETH_TYPE/TCA_FLOWER_KEY_CVLAN_ETH_TYPE uAPIs.
      
      Link: https://lore.kernel.org/all/Yjhgi48BpTGh6dig@nanopsycho/
      Fixes: 9399ae9a ("net_sched: flower: Add vlan support")
      Fixes: d64efd09 ("net/sched: flower: Add supprt for matching on QinQ vlan headers")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2105f700
    • Kunihiko Hayashi's avatar
      dt-bindings: net: ave: Use unevaluatedProperties · 5a80059d
      Kunihiko Hayashi authored
      This refers common bindings, so this is preferred for
      unevaluatedProperties instead of additionalProperties.
      Signed-off-by: default avatarKunihiko Hayashi <hayashi.kunihiko@socionext.com>
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5a80059d
    • Kunihiko Hayashi's avatar
      dt-bindings: net: ave: Clean up clocks, resets, and their names using compatible string · 2610bd72
      Kunihiko Hayashi authored
      Instead of "oneOf:" choices, use "allOf:" and "if:" to define clocks,
      resets, and their names that can be taken by the compatible string.
      
      The order of clock-names and reset-names doesn't change here.
      Signed-off-by: default avatarKunihiko Hayashi <hayashi.kunihiko@socionext.com>
      Reviewed-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2610bd72
    • Linus Torvalds's avatar
      Merge tag 'net-5.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 73b193f2
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bpf and netfilter.
      
        Current release - new code bugs:
      
         - mctp: correct mctp_i2c_header_create result
      
         - eth: fungible: fix reference to __udivdi3 on 32b builds
      
         - eth: micrel: remove latencies support lan8814
      
        Previous releases - regressions:
      
         - bpf: resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT
      
         - vrf: fix packet sniffing for traffic originating from ip tunnels
      
         - rxrpc: fix a race in rxrpc_exit_net()
      
         - dsa: revert "net: dsa: stop updating master MTU from master.c"
      
         - eth: ice: fix MAC address setting
      
        Previous releases - always broken:
      
         - tls: fix slab-out-of-bounds bug in decrypt_internal
      
         - bpf: support dual-stack sockets in bpf_tcp_check_syncookie
      
         - xdp: fix coalescing for page_pool fragment recycling
      
         - ovs: fix leak of nested actions
      
         - eth: sfc:
            - add missing xdp queue reinitialization
            - fix using uninitialized xdp tx_queue
      
         - eth: ice:
            - clear default forwarding VSI during VSI release
            - fix broken IFF_ALLMULTI handling
            - synchronize_rcu() when terminating rings
      
         - eth: qede: confirm skb is allocated before using
      
         - eth: aqc111: fix out-of-bounds accesses in RX fixup
      
         - eth: slip: fix NPD bug in sl_tx_timeout()"
      
      * tag 'net-5.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (61 commits)
        drivers: net: slip: fix NPD bug in sl_tx_timeout()
        bpf: Adjust bpf_tcp_check_syncookie selftest to test dual-stack sockets
        bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
        myri10ge: fix an incorrect free for skb in myri10ge_sw_tso
        net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
        qede: confirm skb is allocated before using
        net: ipv6mr: fix unused variable warning with CONFIG_IPV6_PIMSM_V2=n
        net: phy: mscc-miim: reject clause 45 register accesses
        net: axiemac: use a phandle to reference pcs_phy
        dt-bindings: net: add pcs-handle attribute
        net: axienet: factor out phy_node in struct axienet_local
        net: axienet: setup mdio unconditionally
        net: sfc: fix using uninitialized xdp tx_queue
        rxrpc: fix a race in rxrpc_exit_net()
        net: openvswitch: fix leak of nested actions
        net: ethernet: mv643xx: Fix over zealous checking of_get_mac_address()
        net: openvswitch: don't send internal clone attribute to the userspace.
        net: micrel: Fix KS8851 Kconfig
        ice: clear cmd_type_offset_bsz for TX rings
        ice: xsk: fix VSI state check in ice_xsk_wakeup()
        ...
      73b193f2
  5. 07 Apr, 2022 5 commits
    • Linus Torvalds's avatar
      Merge tag 'hyperv-fixes-signed-20220407' of... · 42e7a03d
      Linus Torvalds authored
      Merge tag 'hyperv-fixes-signed-20220407' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
      
      Pull hyperv fixes from Wei Liu:
      
       - Correctly propagate coherence information for VMbus devices (Michael
         Kelley)
      
       - Disable balloon and memory hot-add on ARM64 temporarily (Boqun Feng)
      
       - Use barrier to prevent reording when reading ring buffer (Michael
         Kelley)
      
       - Use virt_store_mb in favour of smp_store_mb (Andrea Parri)
      
       - Fix VMbus device object initialization (Andrea Parri)
      
       - Deactivate sysctl_record_panic_msg on isolated guest (Andrea Parri)
      
       - Fix a crash when unloading VMbus module (Guilherme G. Piccoli)
      
      * tag 'hyperv-fixes-signed-20220407' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
        Drivers: hv: vmbus: Replace smp_store_mb() with virt_store_mb()
        Drivers: hv: balloon: Disable balloon and hot-add accordingly
        Drivers: hv: balloon: Support status report for larger page sizes
        Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
        PCI: hv: Propagate coherence from VMbus device to PCI device
        Drivers: hv: vmbus: Propagate VMbus coherence to each VMbus device
        Drivers: hv: vmbus: Fix potential crash on module unload
        Drivers: hv: vmbus: Fix initialization of device object in vmbus_device_register()
        Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests
      42e7a03d
    • Linus Torvalds's avatar
      Merge tag 'random-5.18-rc2-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random · 3638bd90
      Linus Torvalds authored
      Pull random number generator fixes from Jason Donenfeld:
      
       - Another fixup to the fast_init/crng_init split, this time in how much
         entropy is being credited, from Jan Varho.
      
       - As discussed, we now opportunistically call try_to_generate_entropy()
         in /dev/urandom reads, as a replacement for the reverted commit. I
         opted to not do the more invasive wait_for_random_bytes() change at
         least for now, preferring to do something smaller and more obvious
         for the time being, but maybe that can be revisited as things evolve
         later.
      
       - Userspace can use FUSE or userfaultfd or simply move a process to
         idle priority in order to make a read from the random device never
         complete, which breaks forward secrecy, fixed by overwriting
         sensitive bytes early on in the function.
      
       - Jann Horn noticed that /dev/urandom reads were only checking for
         pending signals if need_resched() was true, a bug going back to the
         genesis commit, now fixed by always checking for signal_pending() and
         calling cond_resched(). This explains various noticeable signal
         delivery delays I've seen in programs over the years that do long
         reads from /dev/urandom.
      
       - In order to be more like other devices (e.g. /dev/zero) and to
         mitigate the impact of fixing the above bug, which has been around
         forever (users have never really needed to check the return value of
         read() for medium-sized reads and so perhaps many didn't), we now
         move signal checking to the bottom part of the loop, and do so every
         PAGE_SIZE-bytes.
      
      * tag 'random-5.18-rc2-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
        random: check for signals every PAGE_SIZE chunk of /dev/[u]random
        random: check for signal_pending() outside of need_resched() check
        random: do not allow user to keep crng key around on stack
        random: opportunistically initialize on /dev/urandom reads
        random: do not split fast init input in add_hwgenerator_randomness()
      3638bd90
    • Linus Torvalds's avatar
      Merge tag 'ata-5.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 640b5037
      Linus Torvalds authored
      Pull ata fixes from Damien Le Moal:
      
       - Fix a compilation warning due to an uninitialized variable in
         ata_sff_lost_interrupt(), from me.
      
       - Fix invalid internal command tag handling in the sata_dwc_460ex
         driver, from Christian.
      
       - Disable READ LOG DMA EXT with Samsung 840 EVO SSDs as this command
         causes the drives to hang, from Christian.
      
       - Change the config option CONFIG_SATA_LPM_POLICY back to its original
         name CONFIG_SATA_LPM_MOBILE_POLICY to avoid potential problems with
         users losing their configuration (as discussed during the merge
         window), from Mario.
      
      * tag 'ata-5.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: ahci: Rename CONFIG_SATA_LPM_POLICY configuration item back
        ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
        ata: sata_dwc_460ex: Fix crash due to OOB write
        ata: libata-sff: Fix compilation warning in ata_sff_lost_interrupt()
      640b5037
    • Duoming Zhou's avatar
      drivers: net: slip: fix NPD bug in sl_tx_timeout() · ec4eb8a8
      Duoming Zhou authored
      When a slip driver is detaching, the slip_close() will act to
      cleanup necessary resources and sl->tty is set to NULL in
      slip_close(). Meanwhile, the packet we transmit is blocked,
      sl_tx_timeout() will be called. Although slip_close() and
      sl_tx_timeout() use sl->lock to synchronize, we don`t judge
      whether sl->tty equals to NULL in sl_tx_timeout() and the
      null pointer dereference bug will happen.
      
         (Thread 1)                 |      (Thread 2)
                                    | slip_close()
                                    |   spin_lock_bh(&sl->lock)
                                    |   ...
      ...                           |   sl->tty = NULL //(1)
      sl_tx_timeout()               |   spin_unlock_bh(&sl->lock)
        spin_lock(&sl->lock);       |
        ...                         |   ...
        tty_chars_in_buffer(sl->tty)|
          if (tty->ops->..) //(2)   |
          ...                       |   synchronize_rcu()
      
      We set NULL to sl->tty in position (1) and dereference sl->tty
      in position (2).
      
      This patch adds check in sl_tx_timeout(). If sl->tty equals to
      NULL, sl_tx_timeout() will goto out.
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Reviewed-by: default avatarJiri Slaby <jirislaby@kernel.org>
      Link: https://lore.kernel.org/r/20220405132206.55291-1-duoming@zju.edu.cnSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ec4eb8a8
    • Jakub Kicinski's avatar
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8e9d0d7a
      Jakub Kicinski authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2022-04-06
      
      We've added 8 non-merge commits during the last 8 day(s) which contain
      a total of 9 files changed, 139 insertions(+), 36 deletions(-).
      
      The main changes are:
      
      1) rethook related fixes, from Jiri and Masami.
      
      2) Fix the case when tracing bpf prog is attached to struct_ops, from Martin.
      
      3) Support dual-stack sockets in bpf_tcp_check_syncookie, from Maxim.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf: Adjust bpf_tcp_check_syncookie selftest to test dual-stack sockets
        bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
        bpf: selftests: Test fentry tracing a struct_ops program
        bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT
        rethook: Fix to use WRITE_ONCE() for rethook:: Handler
        selftests/bpf: Fix warning comparing pointer to 0
        bpf: Fix sparse warnings in kprobe_multi_resolve_syms
        bpftool: Explicit errno handling in skeletons
      ====================
      
      Link: https://lore.kernel.org/r/20220407031245.73026-1-alexei.starovoitov@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8e9d0d7a
  6. 06 Apr, 2022 3 commits
    • Jason A. Donenfeld's avatar
      random: check for signals every PAGE_SIZE chunk of /dev/[u]random · e3c1c4fd
      Jason A. Donenfeld authored
      In 1448769c ("random: check for signal_pending() outside of
      need_resched() check"), Jann pointed out that we previously were only
      checking the TIF_NOTIFY_SIGNAL and TIF_SIGPENDING flags if the process
      had TIF_NEED_RESCHED set, which meant in practice, super long reads to
      /dev/[u]random would delay signal handling by a long time. I tried this
      using the below program, and indeed I wasn't able to interrupt a
      /dev/urandom read until after several megabytes had been read. The bug
      he fixed has always been there, and so code that reads from /dev/urandom
      without checking the return value of read() has mostly worked for a long
      time, for most sizes, not just for <= 256.
      
      Maybe it makes sense to keep that code working. The reason it was so
      small prior, ignoring the fact that it didn't work anyway, was likely
      because /dev/random used to block, and that could happen for pretty
      large lengths of time while entropy was gathered. But now, it's just a
      chacha20 call, which is extremely fast and is just operating on pure
      data, without having to wait for some external event. In that sense,
      /dev/[u]random is a lot more like /dev/zero.
      
      Taking a page out of /dev/zero's read_zero() function, it always returns
      at least one chunk, and then checks for signals after each chunk. Chunk
      sizes there are of length PAGE_SIZE. Let's just copy the same thing for
      /dev/[u]random, and check for signals and cond_resched() for every
      PAGE_SIZE amount of data. This makes the behavior more consistent with
      expectations, and should mitigate the impact of Jann's fix for the
      age-old signal check bug.
      
      ---- test program ----
      
        #include <unistd.h>
        #include <signal.h>
        #include <stdio.h>
        #include <sys/random.h>
      
        static unsigned char x[~0U];
      
        static void handle(int) { }
      
        int main(int argc, char *argv[])
        {
          pid_t pid = getpid(), child;
          signal(SIGUSR1, handle);
          if (!(child = fork())) {
            for (;;)
              kill(pid, SIGUSR1);
          }
          pause();
          printf("interrupted after reading %zd bytes\n", getrandom(x, sizeof(x), 0));
          kill(child, SIGTERM);
          return 0;
        }
      
      Cc: Jann Horn <jannh@google.com>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      e3c1c4fd
    • Maxim Mikityanskiy's avatar
      bpf: Adjust bpf_tcp_check_syncookie selftest to test dual-stack sockets · 53968daf
      Maxim Mikityanskiy authored
      The previous commit fixed support for dual-stack sockets in
      bpf_tcp_check_syncookie. This commit adjusts the selftest to verify the
      fixed functionality.
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarArthur Fabre <afabre@cloudflare.com>
      Link: https://lore.kernel.org/bpf/20220406124113.2795730-2-maximmi@nvidia.com
      53968daf
    • Maxim Mikityanskiy's avatar
      bpf: Support dual-stack sockets in bpf_tcp_check_syncookie · 2e8702cc
      Maxim Mikityanskiy authored
      bpf_tcp_gen_syncookie looks at the IP version in the IP header and
      validates the address family of the socket. It supports IPv4 packets in
      AF_INET6 dual-stack sockets.
      
      On the other hand, bpf_tcp_check_syncookie looks only at the address
      family of the socket, ignoring the real IP version in headers, and
      validates only the packet size. This implementation has some drawbacks:
      
      1. Packets are not validated properly, allowing a BPF program to trick
         bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4
         socket.
      
      2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end
         up receiving a SYNACK with the cookie, but the following ACK gets
         dropped.
      
      This patch fixes these issues by changing the checks in
      bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP
      version from the header is taken into account, and it is validated
      properly with address family.
      
      Fixes: 39904084 ("bpf: add helper to check for a valid SYN cookie")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Acked-by: default avatarArthur Fabre <afabre@cloudflare.com>
      Link: https://lore.kernel.org/bpf/20220406124113.2795730-1-maximmi@nvidia.com
      2e8702cc