1. 07 Aug, 2021 5 commits
  2. 06 Aug, 2021 14 commits
    • Tatsuhiko Yasumatsu's avatar
      bpf: Fix integer overflow involving bucket_size · c4eb1f40
      Tatsuhiko Yasumatsu authored
      In __htab_map_lookup_and_delete_batch(), hash buckets are iterated
      over to count the number of elements in each bucket (bucket_size).
      If bucket_size is large enough, the multiplication to calculate
      kvmalloc() size could overflow, resulting in out-of-bounds write
      as reported by KASAN:
      
        [...]
        [  104.986052] BUG: KASAN: vmalloc-out-of-bounds in __htab_map_lookup_and_delete_batch+0x5ce/0xb60
        [  104.986489] Write of size 4194224 at addr ffffc9010503be70 by task crash/112
        [  104.986889]
        [  104.987193] CPU: 0 PID: 112 Comm: crash Not tainted 5.14.0-rc4 #13
        [  104.987552] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
        [  104.988104] Call Trace:
        [  104.988410]  dump_stack_lvl+0x34/0x44
        [  104.988706]  print_address_description.constprop.0+0x21/0x140
        [  104.988991]  ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
        [  104.989327]  ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
        [  104.989622]  kasan_report.cold+0x7f/0x11b
        [  104.989881]  ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
        [  104.990239]  kasan_check_range+0x17c/0x1e0
        [  104.990467]  memcpy+0x39/0x60
        [  104.990670]  __htab_map_lookup_and_delete_batch+0x5ce/0xb60
        [  104.990982]  ? __wake_up_common+0x4d/0x230
        [  104.991256]  ? htab_of_map_free+0x130/0x130
        [  104.991541]  bpf_map_do_batch+0x1fb/0x220
        [...]
      
      In hashtable, if the elements' keys have the same jhash() value, the
      elements will be put into the same bucket. By putting a lot of elements
      into a single bucket, the value of bucket_size can be increased to
      trigger the integer overflow.
      
      Triggering the overflow is possible for both callers with CAP_SYS_ADMIN
      and callers without CAP_SYS_ADMIN.
      
      It will be trivial for a caller with CAP_SYS_ADMIN to intentionally
      reach this overflow by enabling BPF_F_ZERO_SEED. As this flag will set
      the random seed passed to jhash() to 0, it will be easy for the caller
      to prepare keys which will be hashed into the same value, and thus put
      all the elements into the same bucket.
      
      If the caller does not have CAP_SYS_ADMIN, BPF_F_ZERO_SEED cannot be
      used. However, it will be still technically possible to trigger the
      overflow, by guessing the random seed value passed to jhash() (32bit)
      and repeating the attempt to trigger the overflow. In this case,
      the probability to trigger the overflow will be low and will take
      a very long time.
      
      Fix the integer overflow by calling kvmalloc_array() instead of
      kvmalloc() to allocate memory.
      
      Fixes: 05799638 ("bpf: Add batch ops to all htab bpf map")
      Signed-off-by: default avatarTatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20210806150419.109658-1-th.yasumatsu@gmail.com
      c4eb1f40
    • Randy Dunlap's avatar
      libbpf, doc: Eliminate warnings in libbpf_naming_convention · 7c4a2233
      Randy Dunlap authored
      Use "code-block: none" instead of "c" for non-C-language code blocks.
      Removes these warnings:
      
        lnx-514-rc4/Documentation/bpf/libbpf/libbpf_naming_convention.rst:111: WARNING: Could not lex literal_block as "c". Highlighting skipped.
        lnx-514-rc4/Documentation/bpf/libbpf/libbpf_naming_convention.rst:124: WARNING: Could not lex literal_block as "c". Highlighting skipped.
      
      Fixes: f42cfb46 ("bpf: Add documentation for libbpf including API autogen")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20210802015037.787-1-rdunlap@infradead.org
      7c4a2233
    • Daniel Xu's avatar
      libbpf: Do not close un-owned FD 0 on errors · c34c338a
      Daniel Xu authored
      Before this patch, btf_new() was liable to close an arbitrary FD 0 if
      BTF parsing failed. This was because:
      
      * btf->fd was initialized to 0 through the calloc()
      * btf__free() (in the `done` label) closed any FDs >= 0
      * btf->fd is left at 0 if parsing fails
      
      This issue was discovered on a system using libbpf v0.3 (without
      BTF_KIND_FLOAT support) but with a kernel that had BTF_KIND_FLOAT types
      in BTF. Thus, parsing fails.
      
      While this patch technically doesn't fix any issues b/c upstream libbpf
      has BTF_KIND_FLOAT support, it'll help prevent issues in the future if
      more BTF types are added. It also allow the fix to be backported to
      older libbpf's.
      
      Fixes: 3289959b ("libbpf: Support BTF loading and raw data output in both endianness")
      Signed-off-by: default avatarDaniel Xu <dxu@dxuuu.xyz>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/bpf/5969bb991adedb03c6ae93e051fd2a00d293cf25.1627513670.git.dxu@dxuuu.xyz
      c34c338a
    • Robin Gögge's avatar
      libbpf: Fix probe for BPF_PROG_TYPE_CGROUP_SOCKOPT · 78d14bda
      Robin Gögge authored
      This patch fixes the probe for BPF_PROG_TYPE_CGROUP_SOCKOPT,
      so the probe reports accurate results when used by e.g.
      bpftool.
      
      Fixes: 4cdbfb59 ("libbpf: support sockopt hooks")
      Signed-off-by: default avatarRobin Gögge <r.goegge@gmail.com>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarQuentin Monnet <quentin@isovalent.com>
      Link: https://lore.kernel.org/bpf/20210728225825.2357586-1-r.goegge@gmail.com
      78d14bda
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · cc4e5eec
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Restrict range element expansion in ipset to avoid soft lockup,
         from Jozsef Kadlecsik.
      
      2) Memleak in error path for nf_conntrack_bridge for IPv4 packets,
         from Yajun Deng.
      
      3) Simplify conntrack garbage collection strategy to avoid frequent
         wake-ups, from Florian Westphal.
      
      4) Fix NFNLA_HOOK_FUNCTION_NAME string, do not include module name.
      
      5) Missing chain family netlink attribute in chain description
         in nfnetlink_hook.
      
      6) Incorrect sequence number on nfnetlink_hook dumps.
      
      7) Use netlink request family in reply message for consistency.
      
      8) Remove offload_pickup sysctl, use conntrack for established state
         instead, from Florian Westphal.
      
      9) Translate NFPROTO_INET/ingress to NFPROTO_NETDEV/ingress, since
         NFPROTO_INET is not exposed through nfnetlink_hook.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf:
        netfilter: nfnetlink_hook: translate inet ingress to netdev
        netfilter: conntrack: remove offload_pickup sysctl again
        netfilter: nfnetlink_hook: Use same family as request message
        netfilter: nfnetlink_hook: use the sequence number of the request message
        netfilter: nfnetlink_hook: missing chain family
        netfilter: nfnetlink_hook: strip off module name from hookfn
        netfilter: conntrack: collect all entries in one cycle
        netfilter: nf_conntrack_bridge: Fix memory leak when error
        netfilter: ipset: Limit the maximal range of consecutive elements to add/delete
      ====================
      
      Link: https://lore.kernel.org/r/20210806151149.6356-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cc4e5eec
    • Pablo Neira Ayuso's avatar
      netfilter: nfnetlink_hook: translate inet ingress to netdev · 269fc695
      Pablo Neira Ayuso authored
      The NFPROTO_INET pseudofamily is not exposed through this new netlink
      interface. The netlink dump either shows NFPROTO_IPV4 or NFPROTO_IPV6
      for NFPROTO_INET prerouting/input/forward/output/postrouting hooks.
      The NFNLA_CHAIN_FAMILY attribute provides the family chain, which
      specifies if this hook applies to inet traffic only (either IPv4 or
      IPv6).
      
      Translate the inet/ingress hook to netdev/ingress to fully hide the
      NFPROTO_INET implementation details.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      269fc695
    • Florian Westphal's avatar
      netfilter: conntrack: remove offload_pickup sysctl again · 4592ee7f
      Florian Westphal authored
      These two sysctls were added because the hardcoded defaults (2 minutes,
      tcp, 30 seconds, udp) turned out to be too low for some setups.
      
      They appeared in 5.14-rc1 so it should be fine to remove it again.
      
      Marcelo convinced me that there should be no difference between a flow
      that was offloaded vs. a flow that was not wrt. timeout handling.
      Thus the default is changed to those for TCP established and UDP stream,
      5 days and 120 seconds, respectively.
      
      Marcelo also suggested to account for the timeout value used for the
      offloading, this avoids increase beyond the value in the conntrack-sysctl
      and will also instantly expire the conntrack entry with altered sysctls.
      
      Example:
         nf_conntrack_udp_timeout_stream=60
         nf_flowtable_udp_timeout=60
      
      This will remove offloaded udp flows after one minute, rather than two.
      
      An earlier version of this patch also cleared the ASSURED bit to
      allow nf_conntrack to evict the entry via early_drop (i.e., table full).
      However, it looks like we can safely assume that connection timed out
      via HW is still in established state, so this isn't needed.
      
      Quoting Oz:
       [..] the hardware sends all packets with a set FIN flags to sw.
       [..] Connections that are aged in hardware are expected to be in the
       established state.
      
      In case it turns out that back-to-sw-path transition can occur for
      'dodgy' connections too (e.g., one side disappeared while software-path
      would have been in RETRANS timeout), we can adjust this later.
      
      Cc: Oz Shlomo <ozsh@nvidia.com>
      Cc: Paul Blakey <paulb@nvidia.com>
      Suggested-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarOz Shlomo <ozsh@nvidia.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      4592ee7f
    • Pablo Neira Ayuso's avatar
      netfilter: nfnetlink_hook: Use same family as request message · 69311e7c
      Pablo Neira Ayuso authored
      Use the same family as the request message, for consistency. The
      netlink payload provides sufficient information to describe the hook
      object, including the family.
      
      This makes it easier to userspace to correlate the hooks are that
      visited by the packets for a certain family.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      69311e7c
    • Pablo Neira Ayuso's avatar
      netfilter: nfnetlink_hook: use the sequence number of the request message · 3d9bbaf6
      Pablo Neira Ayuso authored
      The sequence number allows to correlate the netlink reply message (as
      part of the dump) with the original request message.
      
      The cb->seq field is internally used to detect an interference (update)
      of the hook list during the netlink dump, do not use it as sequence
      number in the netlink dump header.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      3d9bbaf6
    • Pablo Neira Ayuso's avatar
      netfilter: nfnetlink_hook: missing chain family · a6e57c4a
      Pablo Neira Ayuso authored
      The family is relevant for pseudo-families like NFPROTO_INET
      otherwise the user needs to rely on the hook function name to
      differentiate it from NFPROTO_IPV4 and NFPROTO_IPV6 names.
      
      Add nfnl_hook_chain_desc_attributes instead of using the existing
      NFTA_CHAIN_* attributes, since these do not provide a family number.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      a6e57c4a
    • Pablo Neira Ayuso's avatar
      netfilter: nfnetlink_hook: strip off module name from hookfn · 61e0c2bc
      Pablo Neira Ayuso authored
      NFNLA_HOOK_FUNCTION_NAME should include the hook function name only,
      the module name is already provided by NFNLA_HOOK_MODULE_NAME.
      
      Fixes: e2cf17d3 ("netfilter: add new hook nfnl subsystem")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      61e0c2bc
    • Florian Westphal's avatar
      netfilter: conntrack: collect all entries in one cycle · 4608fdfc
      Florian Westphal authored
      Michal Kubecek reports that conntrack gc is responsible for frequent
      wakeups (every 125ms) on idle systems.
      
      On busy systems, timed out entries are evicted during lookup.
      The gc worker is only needed to remove entries after system becomes idle
      after a busy period.
      
      To resolve this, always scan the entire table.
      If the scan is taking too long, reschedule so other work_structs can run
      and resume from next bucket.
      
      After a completed scan, wait for 2 minutes before the next cycle.
      Heuristics for faster re-schedule are removed.
      
      GC_SCAN_INTERVAL could be exposed as a sysctl in the future to allow
      tuning this as-needed or even turn the gc worker off.
      Reported-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      4608fdfc
    • John Hubbard's avatar
      net: mvvp2: fix short frame size on s390 · 704e624f
      John Hubbard authored
      On s390, the following build warning occurs:
      
      drivers/net/ethernet/marvell/mvpp2/mvpp2.h:844:2: warning: overflow in
      conversion from 'long unsigned int' to 'int' changes value from
      '18446744073709551584' to '-32' [-Woverflow]
      844 |  ((total_size) - MVPP2_SKB_HEADROOM - MVPP2_SKB_SHINFO_SIZE)
      
      This happens because MVPP2_SKB_SHINFO_SIZE, which is 320 bytes (which is
      already 64-byte aligned) on some architectures, actually gets ALIGN'd up
      to 512 bytes in the s390 case.
      
      So then, when this is invoked:
      
          MVPP2_RX_MAX_PKT_SIZE(MVPP2_BM_SHORT_FRAME_SIZE)
      
      ...that turns into:
      
           704 - 224 - 512 == -32
      
      ...which is not a good frame size to end up with! The warning above is a
      bit lucky: it notices a signed/unsigned bad behavior here, which leads
      to the real problem of a frame that is too short for its contents.
      
      Increase MVPP2_BM_SHORT_FRAME_SIZE by 32 (from 704 to 736), which is
      just exactly big enough. (The other values can't readily be changed
      without causing a lot of other problems.)
      
      Fixes: 07dd0a7a ("mvpp2: add basic XDP support")
      Cc: Sven Auhagen <sven.auhagen@voleatech.de>
      Cc: Matteo Croce <mcroce@microsoft.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJohn Hubbard <jhubbard@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      704e624f
    • DENG Qingfang's avatar
      net: dsa: mt7530: add the missing RxUnicast MIB counter · aff51c5d
      DENG Qingfang authored
      Add the missing RxUnicast counter.
      
      Fixes: b8f126a8 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
      Signed-off-by: default avatarDENG Qingfang <dqfext@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aff51c5d
  3. 05 Aug, 2021 21 commits