1. 10 Jun, 2021 3 commits
    • Huy Nguyen's avatar
      net/mlx5e: Remove dependency in IPsec initialization flows · 8ad893e5
      Huy Nguyen authored
      Currently, IPsec feature is disabled because mlx5e_build_nic_netdev
      is required to be called after mlx5e_ipsec_init. This requirement is
      invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize
      independent resources.
      
      Remove ipsec pointer check in mlx5e_build_nic_netdev so that the
      two functions can be called at any order.
      
      Fixes: 547eede0 ("net/mlx5e: IPSec, Innova IPSec offload infrastructure")
      Signed-off-by: default avatarHuy Nguyen <huyn@nvidia.com>
      Reviewed-by: default avatarRaed Salem <raeds@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      8ad893e5
    • Vlad Buslov's avatar
      net/mlx5e: Fix use-after-free of encap entry in neigh update handler · fb1a3132
      Vlad Buslov authored
      Function mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock
      removal from TC filter update path and properly handle concurrent encap
      entry insertion/deletion which can lead to following use-after-free:
      
       [23827.464923] ==================================================================
       [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635
       [23827.472251]
       [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5
       [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
       [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]
       [23827.476731] Call Trace:
       [23827.477260]  dump_stack+0xbb/0x107
       [23827.477906]  print_address_description.constprop.0+0x18/0x140
       [23827.478896]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.479879]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.480905]  kasan_report.cold+0x7c/0xd8
       [23827.481701]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.482744]  kasan_check_range+0x145/0x1a0
       [23827.493112]  mlx5e_encap_take+0x72/0x140 [mlx5_core]
       [23827.494054]  ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]
       [23827.495296]  mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]
       [23827.496338]  ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]
       [23827.497486]  ? read_word_at_a_time+0xe/0x20
       [23827.498250]  ? strscpy+0xa0/0x2a0
       [23827.498889]  process_one_work+0x8ac/0x14e0
       [23827.499638]  ? lockdep_hardirqs_on_prepare+0x400/0x400
       [23827.500537]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
       [23827.501359]  ? rwlock_bug.part.0+0x90/0x90
       [23827.502116]  worker_thread+0x53b/0x1220
       [23827.502831]  ? process_one_work+0x14e0/0x14e0
       [23827.503627]  kthread+0x328/0x3f0
       [23827.504254]  ? _raw_spin_unlock_irq+0x24/0x40
       [23827.505065]  ? __kthread_bind_mask+0x90/0x90
       [23827.505912]  ret_from_fork+0x1f/0x30
       [23827.506621]
       [23827.506987] Allocated by task 28248:
       [23827.507694]  kasan_save_stack+0x1b/0x40
       [23827.508476]  __kasan_kmalloc+0x7c/0x90
       [23827.509197]  mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]
       [23827.510194]  mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]
       [23827.511218]  __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]
       [23827.512234]  mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]
       [23827.513298]  tc_setup_cb_add+0x1d5/0x420
       [23827.514023]  fl_hw_replace_filter+0x382/0x6a0 [cls_flower]
       [23827.514975]  fl_change+0x2ceb/0x4a51 [cls_flower]
       [23827.515821]  tc_new_tfilter+0x89a/0x2070
       [23827.516548]  rtnetlink_rcv_msg+0x644/0x8c0
       [23827.517300]  netlink_rcv_skb+0x11d/0x340
       [23827.518021]  netlink_unicast+0x42b/0x700
       [23827.518742]  netlink_sendmsg+0x743/0xc20
       [23827.519467]  sock_sendmsg+0xb2/0xe0
       [23827.520131]  ____sys_sendmsg+0x590/0x770
       [23827.520851]  ___sys_sendmsg+0xd8/0x160
       [23827.521552]  __sys_sendmsg+0xb7/0x140
       [23827.522238]  do_syscall_64+0x3a/0x70
       [23827.522907]  entry_SYSCALL_64_after_hwframe+0x44/0xae
       [23827.523797]
       [23827.524163] Freed by task 25948:
       [23827.524780]  kasan_save_stack+0x1b/0x40
       [23827.525488]  kasan_set_track+0x1c/0x30
       [23827.526187]  kasan_set_free_info+0x20/0x30
       [23827.526968]  __kasan_slab_free+0xed/0x130
       [23827.527709]  slab_free_freelist_hook+0xcf/0x1d0
       [23827.528528]  kmem_cache_free_bulk+0x33a/0x6e0
       [23827.529317]  kfree_rcu_work+0x55f/0xb70
       [23827.530024]  process_one_work+0x8ac/0x14e0
       [23827.530770]  worker_thread+0x53b/0x1220
       [23827.531480]  kthread+0x328/0x3f0
       [23827.532114]  ret_from_fork+0x1f/0x30
       [23827.532785]
       [23827.533147] Last potentially related work creation:
       [23827.534007]  kasan_save_stack+0x1b/0x40
       [23827.534710]  kasan_record_aux_stack+0xab/0xc0
       [23827.535492]  kvfree_call_rcu+0x31/0x7b0
       [23827.536206]  mlx5e_tc_del_fdb_flow+0x577/0xef0 [mlx5_core]
       [23827.537305]  mlx5e_flow_put+0x49/0x80 [mlx5_core]
       [23827.538290]  mlx5e_delete_flower+0x6d1/0xe60 [mlx5_core]
       [23827.539300]  tc_setup_cb_destroy+0x18e/0x2f0
       [23827.540144]  fl_hw_destroy_filter+0x1d2/0x310 [cls_flower]
       [23827.541148]  __fl_delete+0x4dc/0x660 [cls_flower]
       [23827.541985]  fl_delete+0x97/0x160 [cls_flower]
       [23827.542782]  tc_del_tfilter+0x7ab/0x13d0
       [23827.543503]  rtnetlink_rcv_msg+0x644/0x8c0
       [23827.544257]  netlink_rcv_skb+0x11d/0x340
       [23827.544981]  netlink_unicast+0x42b/0x700
       [23827.545700]  netlink_sendmsg+0x743/0xc20
       [23827.546424]  sock_sendmsg+0xb2/0xe0
       [23827.547084]  ____sys_sendmsg+0x590/0x770
       [23827.547850]  ___sys_sendmsg+0xd8/0x160
       [23827.548606]  __sys_sendmsg+0xb7/0x140
       [23827.549303]  do_syscall_64+0x3a/0x70
       [23827.549969]  entry_SYSCALL_64_after_hwframe+0x44/0xae
       [23827.550853]
       [23827.551217] The buggy address belongs to the object at ffff8881d1322200
       [23827.551217]  which belongs to the cache kmalloc-256 of size 256
       [23827.553341] The buggy address is located 140 bytes inside of
       [23827.553341]  256-byte region [ffff8881d1322200, ffff8881d1322300)
       [23827.555747] The buggy address belongs to the page:
       [23827.556847] page:00000000898762aa refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d1320
       [23827.558651] head:00000000898762aa order:2 compound_mapcount:0 compound_pincount:0
       [23827.559961] flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)
       [23827.561243] raw: 002ffff800010200 dead000000000100 dead000000000122 ffff888100042b40
       [23827.562653] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
       [23827.564112] page dumped because: kasan: bad access detected
       [23827.565439]
       [23827.565932] Memory state around the buggy address:
       [23827.566917]  ffff8881d1322180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       [23827.568485]  ffff8881d1322200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       [23827.569818] >ffff8881d1322280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       [23827.571143]                       ^
       [23827.571879]  ffff8881d1322300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       [23827.573283]  ffff8881d1322380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       [23827.574654] ==================================================================
      
      Most of the necessary logic is already correctly implemented by
      mlx5e_get_next_valid_encap() helper that is used in neigh stats update
      handler. Make the handler generic by renaming it to
      mlx5e_get_next_matching_encap() and use callback to test whether flow is
      matching instead of hardcoded check for 'valid' flag value. Implement
      mlx5e_get_next_valid_encap() by calling mlx5e_get_next_matching_encap()
      with callback that tests encap MLX5_ENCAP_ENTRY_VALID flag. Implement new
      mlx5e_get_next_init_encap() helper by calling
      mlx5e_get_next_matching_encap() with callback that tests encap completion
      result to be non-error and use it in mlx5e_rep_neigh_update() to safely
      iterate over nhe->encap_list.
      
      Remove encap completion logic from mlx5e_rep_update_flows() since the encap
      entries passed to this function are already guaranteed to be properly
      initialized by similar code in mlx5e_get_next_init_encap().
      
      Fixes: 2a1f1768 ("net/mlx5e: Refactor neigh update for concurrent execution")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      fb1a3132
    • Yang Li's avatar
      net/mlx5e: Fix an error code in mlx5e_arfs_create_tables() · 2bf8d2ae
      Yang Li authored
      When the code execute 'if (!priv->fs.arfs->wq)', the value of err is 0.
      So, we use -ENOMEM to indicate that the function
      create_singlethread_workqueue() return NULL.
      
      Clean up smatch warning:
      drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c:373
      mlx5e_arfs_create_tables() warn: missing error code 'err'.
      Reported-by: default avatarAbaci Robot <abaci@linux.alibaba.com>
      Fixes: f6755b80 ("net/mlx5e: Dynamic alloc arfs table for netdev when needed")
      Signed-off-by: default avatarYang Li <yang.lee@linux.alibaba.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      2bf8d2ae
  2. 09 Jun, 2021 12 commits
  3. 08 Jun, 2021 9 commits
    • Shay Agroskin's avatar
      net: ena: fix DMA mapping function issues in XDP · 504fd6a5
      Shay Agroskin authored
      This patch fixes several bugs found when (DMA/LLQ) mapping a packet for
      transmission. The mapping procedure makes the transmitted packet
      accessible by the device.
      When using LLQ, this requires copying the packet's header to push header
      (which would be passed to LLQ) and creating DMA mapping for the payload
      (if the packet doesn't fit the maximum push length).
      When not using LLQ, we map the whole packet with DMA.
      
      The following bugs are fixed in the code:
          1. Add support for non-LLQ machines:
             The ena_xdp_tx_map_frame() function assumed that LLQ is
             supported, and never mapped the whole packet using DMA. On some
             instances, which don't support LLQ, this causes loss of traffic.
      
          2. Wrong DMA buffer length passed to device:
             When using LLQ, the first 'tx_max_header_size' bytes of the
             packet would be copied to push header. The rest of the packet
             would be copied to a DMA'd buffer.
      
          3. Freeing the XDP buffer twice in case of a mapping error:
             In case a buffer DMA mapping fails, the function uses
             xdp_return_frame_rx_napi() to free the RX buffer and returns from
             the function with an error. XDP frames that fail to xmit get
             freed by the kernel and so there is no need for this call.
      
      Fixes: 548c4940 ("net: ena: Implement XDP_TX action")
      Signed-off-by: default avatarShay Agroskin <shayagr@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      504fd6a5
    • Vladimir Oltean's avatar
      net: dsa: felix: re-enable TX flow control in ocelot_port_flush() · 1650bdb1
      Vladimir Oltean authored
      Because flow control is set up statically in ocelot_init_port(), and not
      in phylink_mac_link_up(), what happens is that after the blamed commit,
      the flow control remains disabled after the port flushing procedure.
      
      Fixes: eb4733d7 ("net: dsa: felix: implement port flushing on .phylink_mac_link_down")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1650bdb1
    • Pavel Skripkin's avatar
      net: rds: fix memory leak in rds_recvmsg · 49bfcbfd
      Pavel Skripkin authored
      Syzbot reported memory leak in rds. The problem
      was in unputted refcount in case of error.
      
      int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
      		int msg_flags)
      {
      ...
      
      	if (!rds_next_incoming(rs, &inc)) {
      		...
      	}
      
      After this "if" inc refcount incremented and
      
      	if (rds_cmsg_recv(inc, msg, rs)) {
      		ret = -EFAULT;
      		goto out;
      	}
      ...
      out:
      	return ret;
      }
      
      in case of rds_cmsg_recv() fail the refcount won't be
      decremented. And it's easy to see from ftrace log, that
      rds_inc_addref() don't have rds_inc_put() pair in
      rds_recvmsg() after rds_cmsg_recv()
      
       1)               |  rds_recvmsg() {
       1)   3.721 us    |    rds_inc_addref();
       1)   3.853 us    |    rds_message_inc_copy_to_user();
       1) + 10.395 us   |    rds_cmsg_recv();
       1) + 34.260 us   |  }
      
      Fixes: bdbe6fbc ("RDS: recv.c")
      Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Reviewed-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49bfcbfd
    • David S. Miller's avatar
      Merge tag 'batadv-net-pullrequest-20210608' of git://git.open-mesh.org/linux-merge · df693f13
      David S. Miller authored
      Simon Wunderlich says:
      
      ====================
      Here is a batman-adv bugfix:
      
       - Avoid WARN_ON timing related checks, by Sven Eckelmann
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df693f13
    • Nicolas Dichtel's avatar
      vrf: fix maximum MTU · 9bb392f6
      Nicolas Dichtel authored
      My initial goal was to fix the default MTU, which is set to 65536, ie above
      the maximum defined in the driver: 65535 (ETH_MAX_MTU).
      
      In fact, it's seems more consistent, wrt min_mtu, to set the max_mtu to
      IP6_MAX_MTU (65535 + sizeof(struct ipv6hdr)) and use it by default.
      
      Let's also, for consistency, set the mtu in vrf_setup(). This function
      calls ether_setup(), which set the mtu to 1500. Thus, the whole mtu config
      is done in the same function.
      
      Before the patch:
      $ ip link add blue type vrf table 1234
      $ ip link list blue
      9: blue: <NOARP,MASTER> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
          link/ether fa:f5:27:70:24:2a brd ff:ff:ff:ff:ff:ff
      $ ip link set dev blue mtu 65535
      $ ip link set dev blue mtu 65536
      Error: mtu greater than device maximum.
      
      Fixes: 5055376a ("net: vrf: Fix ping failed when vrf mtu is set to 0")
      CC: Miaohe Lin <linmiaohe@huawei.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9bb392f6
    • gushengxian's avatar
      net: appletalk: fix the usage of preposition · d439aa33
      gushengxian authored
      The preposition "for" should be changed to preposition "of".
      Signed-off-by: default avatargushengxian <gushengxian@yulong.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d439aa33
    • Zheng Yongjun's avatar
      net: ipv4: Remove unneed BUG() function · 5ac6b198
      Zheng Yongjun authored
      When 'nla_parse_nested_deprecated' failed, it's no need to
      BUG() here, return -EINVAL is ok.
      Signed-off-by: default avatarZheng Yongjun <zhengyongjun3@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ac6b198
    • Nanyong Sun's avatar
      net: ipv4: fix memory leak in netlbl_cipsov4_add_std · d612c3f3
      Nanyong Sun authored
      Reported by syzkaller:
      BUG: memory leak
      unreferenced object 0xffff888105df7000 (size 64):
      comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s)
      hex dump (first 32 bytes):
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      backtrace:
      [<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline]
      [<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline]
      [<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline]
      [<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416
      [<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739
      [<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
      [<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800
      [<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
      [<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
      [<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
      [<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
      [<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
      [<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline]
      [<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674
      [<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
      [<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
      [<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
      [<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
      [<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      The memory of doi_def->map.std pointing is allocated in
      netlbl_cipsov4_add_std, but no place has freed it. It should be
      freed in cipso_v4_doi_free which frees the cipso DOI resource.
      
      Fixes: 96cb8e33 ("[NetLabel]: CIPSOv4 and Unlabeled packet integration")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarNanyong Sun <sunnanyong@huawei.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d612c3f3
    • Johannes Berg's avatar
      mac80211: fix deadlock in AP/VLAN handling · d5befb22
      Johannes Berg authored
      Syzbot reports that when you have AP_VLAN interfaces that are up
      and close the AP interface they belong to, we get a deadlock. No
      surprise - since we dev_close() them with the wiphy mutex held,
      which goes back into the netdev notifier in cfg80211 and tries to
      acquire the wiphy mutex there.
      
      To fix this, we need to do two things:
       1) prevent changing iftype while AP_VLANs are up, we can't
          easily fix this case since cfg80211 already calls us with
          the wiphy mutex held, but change_interface() is relatively
          rare in drivers anyway, so changing iftype isn't used much
          (and userspace has to fall back to down/change/up anyway)
       2) pull the dev_close() loop over VLANs out of the wiphy mutex
          section in the normal stop case
      
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+452ea4fbbef700ff0a56@syzkaller.appspotmail.com
      Fixes: a05829a7 ("cfg80211: avoid holding the RTNL when calling the driver")
      Link: https://lore.kernel.org/r/20210517160322.9b8f356c0222.I392cb0e2fa5a1a94cf2e637555d702c7e512c1ff@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      d5befb22
  4. 07 Jun, 2021 7 commits
  5. 04 Jun, 2021 9 commits
    • Rahul Lakkireddy's avatar
      cxgb4: avoid link re-train during TC-MQPRIO configuration · 3822d067
      Rahul Lakkireddy authored
      When configuring TC-MQPRIO offload, only turn off netdev carrier and
      don't bring physical link down in hardware. Otherwise, when the
      physical link is brought up again after configuration, it gets
      re-trained and stalls ongoing traffic.
      
      Also, when firmware is no longer accessible or crashed, avoid sending
      FLOWC and waiting for reply that will never come.
      
      Fix following hung_task_timeout_secs trace seen in these cases.
      
      INFO: task tc:20807 blocked for more than 122 seconds.
            Tainted: G S                5.13.0-rc3+ #122
      "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      task:tc   state:D stack:14768 pid:20807 ppid: 19366 flags:0x00000000
      Call Trace:
       __schedule+0x27b/0x6a0
       schedule+0x37/0xa0
       schedule_preempt_disabled+0x5/0x10
       __mutex_lock.isra.14+0x2a0/0x4a0
       ? netlink_lookup+0x120/0x1a0
       ? rtnl_fill_ifinfo+0x10f0/0x10f0
       __netlink_dump_start+0x70/0x250
       rtnetlink_rcv_msg+0x28b/0x380
       ? rtnl_fill_ifinfo+0x10f0/0x10f0
       ? rtnl_calcit.isra.42+0x120/0x120
       netlink_rcv_skb+0x4b/0xf0
       netlink_unicast+0x1a0/0x280
       netlink_sendmsg+0x216/0x440
       sock_sendmsg+0x56/0x60
       __sys_sendto+0xe9/0x150
       ? handle_mm_fault+0x6d/0x1b0
       ? do_user_addr_fault+0x1c5/0x620
       __x64_sys_sendto+0x1f/0x30
       do_syscall_64+0x3c/0x80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x7f7f73218321
      RSP: 002b:00007ffd19626208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 000055b7c0a8b240 RCX: 00007f7f73218321
      RDX: 0000000000000028 RSI: 00007ffd19626210 RDI: 0000000000000003
      RBP: 000055b7c08680ff R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000055b7c085f5f6
      R13: 000055b7c085f60a R14: 00007ffd19636470 R15: 00007ffd196262a0
      
      Fixes: b1396c2b ("cxgb4: parse and configure TC-MQPRIO offload")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3822d067
    • Yunjian Wang's avatar
      sch_htb: fix refcount leak in htb_parent_to_leaf_offload · 944d671d
      Yunjian Wang authored
      The commit ae81feb7 ("sch_htb: fix null pointer dereference
      on a null new_q") fixes a NULL pointer dereference bug, but it
      is not correct.
      
      Because htb_graft_helper properly handles the case when new_q
      is NULL, and after the previous patch by skipping this call
      which creates an inconsistency : dev_queue->qdisc will still
      point to the old qdisc, but cl->parent->leaf.q will point to
      the new one (which will be noop_qdisc, because new_q was NULL).
      The code is based on an assumption that these two pointers are
      the same, so it can lead to refcount leaks.
      
      The correct fix is to add a NULL pointer check to protect
      qdisc_refcount_inc inside htb_parent_to_leaf_offload.
      
      Fixes: ae81feb7 ("sch_htb: fix null pointer dereference on a null new_q")
      Signed-off-by: default avatarYunjian Wang <wangyunjian@huawei.com>
      Suggested-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      944d671d
    • David S. Miller's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 26821ecd
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2021-06-04
      
      This series contains updates to virtchnl header file and ice driver.
      
      Brett fixes VF being unable to request a different number of queues then
      allocated and adds clearing of VF_MBX_ATQLEN register for VF reset.
      
      Haiyue handles error of rebuilding VF VSI during reset.
      
      Paul fixes reporting of autoneg to use the PHY capabilities.
      
      Dave allows LLDP packets without priority of TC_PRIO_CONTROL to be
      transmitted.
      
      Geert Uytterhoeven adds explicit padding to virtchnl_proto_hdrs
      structure in the virtchnl header file.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26821ecd
    • David S. Miller's avatar
      Merge branch 'wireguard-fixes' · 6fd815bb
      David S. Miller authored
      Jason A. Donenfeld says:
      
      ====================
      wireguard fixes for 5.13-rc5
      
      Here are bug fixes to WireGuard for 5.13-rc5:
      
      1-2,6) These are small, trivial tweaks to our test harness.
      
      3) Linus thinks -O3 is still dangerous to enable. The code gen wasn't so
         much different with -O2 either.
      
      4) We were accidentally calling synchronize_rcu instead of
         synchronize_net while holding the rtnl_lock, resulting in some rather
         large stalls that hit production machines.
      
      5) Peer allocation was wasting literally hundreds of megabytes on real
         world deployments, due to oddly sized large objects not fitting
         nicely into a kmalloc slab.
      
      7-9) We move from an insanely expensive O(n) algorithm to a fast O(1)
           algorithm, and cleanup a massive memory leak in the process, in
           which allowed ips churn would leave danging nodes hanging around
           without cleanup until the interface was removed. The O(1) algorithm
           eliminates packet stalls and high latency issues, in addition to
           bringing operations that took as much as 10 minutes down to less
           than a second.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6fd815bb
    • Jason A. Donenfeld's avatar
      wireguard: allowedips: free empty intermediate nodes when removing single node · bf7b042d
      Jason A. Donenfeld authored
      When removing single nodes, it's possible that that node's parent is an
      empty intermediate node, in which case, it too should be removed.
      Otherwise the trie fills up and never is fully emptied, leading to
      gradual memory leaks over time for tries that are modified often. There
      was originally code to do this, but was removed during refactoring in
      2016 and never reworked. Now that we have proper parent pointers from
      the previous commits, we can implement this properly.
      
      In order to reduce branching and expensive comparisons, we want to keep
      the double pointer for parent assignment (which lets us easily chain up
      to the root), but we still need to actually get the parent's base
      address. So encode the bit number into the last two bits of the pointer,
      and pack and unpack it as needed. This is a little bit clumsy but is the
      fastest and less memory wasteful of the compromises. Note that we align
      the root struct here to a minimum of 4, because it's embedded into a
      larger struct, and we're relying on having the bottom two bits for our
      flag, which would only be 16-bit aligned on m68k.
      
      The existing macro-based helpers were a bit unwieldy for adding the bit
      packing to, so this commit replaces them with safer and clearer ordinary
      functions.
      
      We add a test to the randomized/fuzzer part of the selftests, to free
      the randomized tries by-peer, refuzz it, and repeat, until it's supposed
      to be empty, and then then see if that actually resulted in the whole
      thing being emptied. That combined with kmemcheck should hopefully make
      sure this commit is doing what it should. Along the way this resulted in
      various other cleanups of the tests and fixes for recent graphviz.
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf7b042d
    • Jason A. Donenfeld's avatar
      wireguard: allowedips: allocate nodes in kmem_cache · dc680de2
      Jason A. Donenfeld authored
      The previous commit moved from O(n) to O(1) for removal, but in the
      process introduced an additional pointer member to a struct that
      increased the size from 60 to 68 bytes, putting nodes in the 128-byte
      slab. With deployed systems having as many as 2 million nodes, this
      represents a significant doubling in memory usage (128 MiB -> 256 MiB).
      Fix this by using our own kmem_cache, that's sized exactly right. This
      also makes wireguard's memory usage more transparent in tools like
      slabtop and /proc/slabinfo.
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Suggested-by: default avatarArnd Bergmann <arnd@arndb.de>
      Suggested-by: default avatarMatthew Wilcox <willy@infradead.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc680de2
    • Jason A. Donenfeld's avatar
      wireguard: allowedips: remove nodes in O(1) · f634f418
      Jason A. Donenfeld authored
      Previously, deleting peers would require traversing the entire trie in
      order to rebalance nodes and safely free them. This meant that removing
      1000 peers from a trie with a half million nodes would take an extremely
      long time, during which we're holding the rtnl lock. Large-scale users
      were reporting 200ms latencies added to the networking stack as a whole
      every time their userspace software would queue up significant removals.
      That's a serious situation.
      
      This commit fixes that by maintaining a double pointer to the parent's
      bit pointer for each node, and then using the already existing node list
      belonging to each peer to go directly to the node, fix up its pointers,
      and free it with RCU. This means removal is O(1) instead of O(n), and we
      don't use gobs of stack.
      
      The removal algorithm has the same downside as the code that it fixes:
      it won't collapse needlessly long runs of fillers.  We can enhance that
      in the future if it ever becomes a problem. This commit documents that
      limitation with a TODO comment in code, a small but meaningful
      improvement over the prior situation.
      
      Currently the biggest flaw, which the next commit addresses, is that
      because this increases the node size on 64-bit machines from 60 bytes to
      68 bytes. 60 rounds up to 64, but 68 rounds up to 128. So we wind up
      using twice as much memory per node, because of power-of-two
      allocations, which is a big bummer. We'll need to figure something out
      there.
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f634f418
    • Jason A. Donenfeld's avatar
      wireguard: allowedips: initialize list head in selftest · 46cfe8ee
      Jason A. Donenfeld authored
      The randomized trie tests weren't initializing the dummy peer list head,
      resulting in a NULL pointer dereference when used. Fix this by
      initializing it in the randomized trie test, just like we do for the
      static unit test.
      
      While we're at it, all of the other strings like this have the word
      "self-test", so add it to the missing place here.
      
      Fixes: e7096c13 ("net: WireGuard secure network tunnel")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      46cfe8ee
    • Jason A. Donenfeld's avatar
      wireguard: peer: allocate in kmem_cache · a4e9f8e3
      Jason A. Donenfeld authored
      With deployments having upwards of 600k peers now, this somewhat heavy
      structure could benefit from more fine-grained allocations.
      Specifically, instead of using a 2048-byte slab for a 1544-byte object,
      we can now use 1544-byte objects directly, thus saving almost 25%
      per-peer, or with 600k peers, that's a savings of 303 MiB. This also
      makes wireguard's memory usage more transparent in tools like slabtop
      and /proc/slabinfo.
      
      Fixes: 8b5553ac ("wireguard: queueing: get rid of per-peer ring buffers")
      Suggested-by: default avatarArnd Bergmann <arnd@arndb.de>
      Suggested-by: default avatarMatthew Wilcox <willy@infradead.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a4e9f8e3