1. 09 Jul, 2018 3 commits
  2. 05 Jul, 2018 4 commits
  3. 04 Jul, 2018 5 commits
  4. 03 Jul, 2018 4 commits
  5. 02 Jul, 2018 11 commits
    • Linus Torvalds's avatar
      Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md · d0fbad0a
      Linus Torvalds authored
      Pull MD fixes from Shaohua Li:
       "Two small fixes for MD:
      
         - an error handling fix from me
      
         - a recover bug fix for raid10 from BingJing"
      
      * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
        md/raid10: fix that replacement cannot complete recovery after reassemble
        MD: cleanup resources in failure
      d0fbad0a
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://github.com/stffrdhrn/linux · 8d2b6f6b
      Linus Torvalds authored
      Pull OpenRISC fixes from Stafford Horne:
       "Two fixes for issues which were breaking OpenRISC boot:
      
         - Fix bug in __pte_free_tlb() exposed in 4.18 by Matthew Wilcox's
           page table flag addition.
      
         - Fix issue booting on real hardware if delay slot detection
           emulation is disabled"
      
      * tag 'for-linus' of git://github.com/stffrdhrn/linux:
        openrisc: entry: Fix delay slot exception detection
        openrisc: Call destructor during __pte_free_tlb
      8d2b6f6b
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 4e33d7d4
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Verify netlink attributes properly in nf_queue, from Eric Dumazet.
      
       2) Need to bump memory lock rlimit for test_sockmap bpf test, from
          Yonghong Song.
      
       3) Fix VLAN handling in lan78xx driver, from Dave Stevenson.
      
       4) Fix uninitialized read in nf_log, from Jann Horn.
      
       5) Fix raw command length parsing in mlx5, from Alex Vesker.
      
       6) Cleanup loopback RDS connections upon netns deletion, from Sowmini
          Varadhan.
      
       7) Fix regressions in FIB rule matching during create, from Jason A.
          Donenfeld and Roopa Prabhu.
      
       8) Fix mpls ether type detection in nfp, from Pieter Jansen van Vuuren.
      
       9) More bpfilter build fixes/adjustments from Masahiro Yamada.
      
      10) Fix XDP_{TX,REDIRECT} flushing in various drivers, from Jesper
          Dangaard Brouer.
      
      11) fib_tests.sh file permissions were broken, from Shuah Khan.
      
      12) Make sure BH/preemption is disabled in data path of mac80211, from
          Denis Kenzior.
      
      13) Don't ignore nla_parse_nested() return values in nl80211, from
          Johannes berg.
      
      14) Properly account sock objects ot kmemcg, from Shakeel Butt.
      
      15) Adjustments to setting bpf program permissions to read-only, from
          Daniel Borkmann.
      
      16) TCP Fast Open key endianness was broken, it always took on the host
          endiannness. Whoops. Explicitly make it little endian. From Yuching
          Cheng.
      
      17) Fix prefix route setting for link local addresses in ipv6, from
          David Ahern.
      
      18) Potential Spectre v1 in zatm driver, from Gustavo A. R. Silva.
      
      19) Various bpf sockmap fixes, from John Fastabend.
      
      20) Use after free for GRO with ESP, from Sabrina Dubroca.
      
      21) Passing bogus flags to crypto_alloc_shash() in ipv6 SR code, from
          Eric Biggers.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
        qede: Adverstise software timestamp caps when PHC is not available.
        qed: Fix use of incorrect size in memcpy call.
        qed: Fix setting of incorrect eswitch mode.
        qed: Limit msix vectors in kdump kernel to the minimum required count.
        ipvlan: call dev_change_flags when ipvlan mode is reset
        ipv6: sr: fix passing wrong flags to crypto_alloc_shash()
        net: fix use-after-free in GRO with ESP
        tcp: prevent bogus FRTO undos with non-SACK flows
        bpf: sockhash, add release routine
        bpf: sockhash fix omitted bucket lock in sock_close
        bpf: sockmap, fix smap_list_map_remove when psock is in many maps
        bpf: sockmap, fix crash when ipv6 sock is added
        net: fib_rules: bring back rule_exists to match rule during add
        hv_netvsc: split sub-channel setup into async and sync
        net: use dev_change_tx_queue_len() for SIOCSIFTXQLEN
        atm: zatm: Fix potential Spectre v1
        s390/qeth: consistently re-enable device features
        s390/qeth: don't clobber buffer on async TX completion
        s390/qeth: avoid using is_multicast_ether_addr_64bits on (u8 *)[6]
        s390/qeth: fix race when setting MAC address
        ...
      4e33d7d4
    • David S. Miller's avatar
      Merge branch 'qed-fixes' · e48e0979
      David S. Miller authored
      Sudarsana Reddy Kalluru says:
      
      ====================
      qed*: Fix series.
      
      The patch series addresses few issues in the qed* drivers.
      
      Please consider applying it to 'net' branch.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e48e0979
    • Sudarsana Reddy Kalluru's avatar
      qede: Adverstise software timestamp caps when PHC is not available. · 82a4e71b
      Sudarsana Reddy Kalluru authored
      When ptp clock is not available for a PF (e.g., higher PFs in NPAR mode),
      get-tsinfo() callback should return the software timestamp capabilities
      instead of returning the error.
      
      Fixes: 4c55215c ("qede: Add driver support for PTP")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      82a4e71b
    • Sudarsana Reddy Kalluru's avatar
      qed: Fix use of incorrect size in memcpy call. · cc9b27cd
      Sudarsana Reddy Kalluru authored
      Use the correct size value while copying chassis/port id values.
      
      Fixes: 6ad8c632 ("qed: Add support for query/config dcbx.")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc9b27cd
    • Sudarsana Reddy Kalluru's avatar
      qed: Fix setting of incorrect eswitch mode. · 538f8d00
      Sudarsana Reddy Kalluru authored
      By default, driver sets the eswitch mode incorrectly as VEB (virtual
      Ethernet bridging).
      Need to set VEB eswitch mode only when sriov is enabled, and it should be
      to set NONE by default. The patch incorporates this change.
      
      Fixes: 0fefbfba ("qed*: Management firmware - notifications and defaults")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      538f8d00
    • Sudarsana Reddy Kalluru's avatar
      qed: Limit msix vectors in kdump kernel to the minimum required count. · bb7858ba
      Sudarsana Reddy Kalluru authored
      Memory size is limited in the kdump kernel environment. Allocation of more
      msix-vectors (or queues) consumes few tens of MBs of memory, which might
      lead to the kdump kernel failure.
      This patch adds changes to limit the number of MSI-X vectors in kdump
      kernel to minimum required value (i.e., 2 per engine).
      
      Fixes: fe56b9e6 ("qed: Add module with basic common support")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb7858ba
    • Hangbin Liu's avatar
      ipvlan: call dev_change_flags when ipvlan mode is reset · 5dc2d399
      Hangbin Liu authored
      After we change the ipvlan mode from l3 to l2, or vice versa, we only
      reset IFF_NOARP flag, but don't flush the ARP table cache, which will
      cause eth->h_dest to be equal to eth->h_source in ipvlan_xmit_mode_l2().
      Then the message will not come out of host.
      
      Here is the reproducer on local host:
      
      ip link set eth1 up
      ip addr add 192.168.1.1/24 dev eth1
      ip link add link eth1 ipvlan1 type ipvlan mode l3
      
      ip netns add net1
      ip link set ipvlan1 netns net1
      ip netns exec net1 ip link set ipvlan1 up
      ip netns exec net1 ip addr add 192.168.2.1/24 dev ipvlan1
      
      ip route add 192.168.2.0/24 via 192.168.1.2
      ping 192.168.2.2 -c 2
      
      ip netns exec net1 ip link set ipvlan1 type ipvlan mode l2
      ping 192.168.2.2 -c 2
      
      Add the same configuration on remote host. After we set the mode to l2,
      we could find that the src/dst MAC addresses are the same on eth1:
      
      21:26:06.648565 00:b7:13:ad:d3:05 > 00:b7:13:ad:d3:05, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58356, offset 0, flags [DF], proto ICMP (1), length 84)
          192.168.2.1 > 192.168.2.2: ICMP echo request, id 22686, seq 1, length 64
      
      Fix this by calling dev_change_flags(), which will call netdevice notifier
      with flag change info.
      
      v2:
      a) As pointed out by Wang Cong, check return value for dev_change_flags() when
      change dev flags.
      b) As suggested by Stefano and Sabrina, move flags setting before l3mdev_ops.
      So we don't need to redo ipvlan_{, un}register_nf_hook() again in err path.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Fixes: 2ad7bf36 ("ipvlan: Initial check-in of the IPVLAN driver.")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5dc2d399
    • Eric Biggers's avatar
      ipv6: sr: fix passing wrong flags to crypto_alloc_shash() · fc9c2029
      Eric Biggers authored
      The 'mask' argument to crypto_alloc_shash() uses the CRYPTO_ALG_* flags,
      not 'gfp_t'.  So don't pass GFP_KERNEL to it.
      
      Fixes: bf355b8d ("ipv6: sr: add core files for SR HMAC support")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc9c2029
    • Sabrina Dubroca's avatar
      net: fix use-after-free in GRO with ESP · 603d4cf8
      Sabrina Dubroca authored
      Since the addition of GRO for ESP, gro_receive can consume the skb and
      return -EINPROGRESS. In that case, the lower layer GRO handler cannot
      touch the skb anymore.
      
      Commit 5f114163 ("net: Add a skb_gro_flush_final helper.") converted
      some of the gro_receive handlers that can lead to ESP's gro_receive so
      that they wouldn't access the skb when -EINPROGRESS is returned, but
      missed other spots, mainly in tunneling protocols.
      
      This patch finishes the conversion to using skb_gro_flush_final(), and
      adds a new helper, skb_gro_flush_final_remcsum(), used in VXLAN and
      GUE.
      
      Fixes: 5f114163 ("net: Add a skb_gro_flush_final helper.")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      603d4cf8
  6. 01 Jul, 2018 10 commits
    • Linus Torvalds's avatar
      Linux 4.18-rc3 · 021c9179
      Linus Torvalds authored
      021c9179
    • Linus Torvalds's avatar
      Merge tag 'for-4.18-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · d3bc0e67
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "We have a few regression fixes for qgroup rescan status tracking and
        the vm_fault_t conversion that mixed up the error values"
      
      * tag 'for-4.18-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        Btrfs: fix mount failure when qgroup rescan is in progress
        Btrfs: fix regression in btrfs_page_mkwrite() from vm_fault_t conversion
        btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf
      d3bc0e67
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 4a770e63
      Linus Torvalds authored
      Pull vfs fix from Al Viro:
       "Followup to procfs-seq_file series this window"
      
      This fixes a memory leak by making sure that proc seq files release any
      private data on close.  The 'proc_seq_open' has to be properly paired
      with 'proc_seq_release' that releases the extra private data.
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        proc: add proc_seq_release
      4a770e63
    • Linus Torvalds's avatar
      Merge tag 'staging-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · d7563ca5
      Linus Torvalds authored
      Pull staging/IIO fixes from Greg KH:
       "Here are a few small staging and IIO driver fixes for 4.18-rc3.
      
        Nothing major or big, all just fixes for reported problems since
        4.18-rc1. All of these have been in linux-next this week with no
        reported problems"
      
      * tag 'staging-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: android: ion: Return an ERR_PTR in ion_map_kernel
        staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
        iio: imu: inv_mpu6050: Fix probe() failure on older ACPI based machines
        iio: buffer: fix the function signature to match implementation
        iio: mma8452: Fix ignoring MMA8452_INT_DRDY
        iio: tsl2x7x/tsl2772: avoid potential division by zero
        iio: pressure: bmp280: fix relative humidity unit
      d7563ca5
    • Linus Torvalds's avatar
      Merge tag 'tty-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 652788a9
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are five fixes for the tty core and some serial drivers.
      
        The tty core ones fix some security and other issues reported by the
        syzbot that I have taken too long in responding to (sorry Tetsuo!).
      
        The 8350 serial driver fix resolves an issue of devices that used to
        work properly stopping working as they shouldn't have been added to a
        blacklist.
      
        All of these have been in linux-next for a few days with no reported
        issues"
      
      * tag 'tty-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        vt: prevent leaking uninitialized data to userspace via /dev/vcs*
        serdev: fix memleak on module unload
        serial: 8250_pci: Remove stalled entries in blacklist
        n_tty: Access echo_* variables carefully.
        n_tty: Fix stall at n_tty_receive_char_special().
      652788a9
    • Linus Torvalds's avatar
      Merge tag 'usb-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · c2aee376
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here is a number of USB gadget and other driver fixes for 4.18-rc3.
      
        There's a bunch of them here, most of them being gadget driver and
        xhci host controller fixes for reported issues (as normal), but there
        are also some new device ids, and some fixes for the typec code.
      
        There is an acpi core patch in here that was acked by the acpi
        maintainer as it is needed for the typec fixes in order to properly
        solve a problem in that driver.
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'usb-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (33 commits)
        usb: chipidea: host: fix disconnection detect issue
        usb: typec: tcpm: fix logbuffer index is wrong if _tcpm_log is re-entered
        typec: tcpm: Fix a msecs vs jiffies bug
        NFC: pn533: Fix wrong GFP flag usage
        usb: cdc_acm: Add quirk for Uniden UBC125 scanner
        staging/typec: fix tcpci_rt1711h build errors
        usb: typec: ucsi: Fix for incorrect status data issue
        usb: typec: ucsi: acpi: Workaround for cache mode issue
        acpi: Add helper for deactivating memory region
        usb: xhci: increase CRS timeout value
        usb: xhci: tegra: fix runtime PM error handling
        usb: xhci: remove the code build warning
        xhci: Fix kernel oops in trace_xhci_free_virt_device
        xhci: Fix perceived dead host due to runtime suspend race with event handler
        dwc2: gadget: Fix ISOC IN DDMA PID bitfield value calculation
        usb: gadget: dwc2: fix memory leak in gadget_init()
        usb: gadget: composite: fix delayed_status race condition when set_interface
        usb: dwc2: fix isoc split in transfer with no data
        usb: dwc2: alloc dma aligned buffer for isoc split in
        usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub
        ...
      c2aee376
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-4.18-2' of git://git.infradead.org/users/hch/dma-mapping · c350d6d1
      Linus Torvalds authored
      Pull dma mapping fixlet from Christoph Hellwig:
       "Add a missing export required by riscv and unicore"
      
      * tag 'dma-mapping-4.18-2' of git://git.infradead.org/users/hch/dma-mapping:
        swiotlb: export swiotlb_dma_ops
      c350d6d1
    • Ilpo Järvinen's avatar
      tcp: prevent bogus FRTO undos with non-SACK flows · 1236f22f
      Ilpo Järvinen authored
      If SACK is not enabled and the first cumulative ACK after the RTO
      retransmission covers more than the retransmitted skb, a spurious
      FRTO undo will trigger (assuming FRTO is enabled for that RTO).
      The reason is that any non-retransmitted segment acknowledged will
      set FLAG_ORIG_SACK_ACKED in tcp_clean_rtx_queue even if there is
      no indication that it would have been delivered for real (the
      scoreboard is not kept with TCPCB_SACKED_ACKED bits in the non-SACK
      case so the check for that bit won't help like it does with SACK).
      Having FLAG_ORIG_SACK_ACKED set results in the spurious FRTO undo
      in tcp_process_loss.
      
      We need to use more strict condition for non-SACK case and check
      that none of the cumulatively ACKed segments were retransmitted
      to prove that progress is due to original transmissions. Only then
      keep FLAG_ORIG_SACK_ACKED set, allowing FRTO undo to proceed in
      non-SACK case.
      
      (FLAG_ORIG_SACK_ACKED is planned to be renamed to FLAG_ORIG_PROGRESS
      to better indicate its purpose but to keep this change minimal, it
      will be done in another patch).
      
      Besides burstiness and congestion control violations, this problem
      can result in RTO loop: When the loss recovery is prematurely
      undoed, only new data will be transmitted (if available) and
      the next retransmission can occur only after a new RTO which in case
      of multiple losses (that are not for consecutive packets) requires
      one RTO per loss to recover.
      Signed-off-by: default avatarIlpo Järvinen <ilpo.jarvinen@helsinki.fi>
      Tested-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1236f22f
    • Stafford Horne's avatar
      openrisc: entry: Fix delay slot exception detection · ae15a41a
      Stafford Horne authored
      Originally in patch e6d20c55 ("openrisc: entry: Fix delay slot
      detection") I fixed delay slot detection, but only for QEMU.  We missed
      that hardware delay slot detection using delay slot exception flag (DSX)
      was still broken.  This was because QEMU set the DSX flag in both
      pre-exception supervision register (ESR) and supervision register (SR)
      register, but on real hardware the DSX flag is only set on the SR
      register during exceptions.
      
      Fix this by carrying the DSX flag into the SR register during exception.
      We also update the DSX flag read locations to read the value from the SR
      register not the pt_regs SR register which represents ESR.  The ESR
      should never have the DSX flag set.
      
      In the process I updated/removed a few comments to match the current
      state.  Including removing a comment saying that the DSX detection logic
      was inefficient and needed to be rewritten.
      
      I have tested this on QEMU with a patch ensuring it matches the hardware
      specification.
      
      Link: https://lists.gnu.org/archive/html/qemu-devel/2018-07/msg00000.html
      Fixes: e6d20c55 ("openrisc: entry: Fix delay slot detection")
      Signed-off-by: default avatarStafford Horne <shorne@gmail.com>
      ae15a41a
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 271b955e
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-07-01
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) A bpf_fib_lookup() helper fix to change the API before freeze to
         return an encoding of the FIB lookup result and return the nexthop
         device index in the params struct (instead of device index as return
         code that we had before), from David.
      
      2) Various BPF JIT fixes to address syzkaller fallout, that is, do not
         reject progs when set_memory_*() fails since it could still be RO.
         Also arm32 JIT was not using bpf_jit_binary_lock_ro() API which was
         an issue, and a memory leak in s390 JIT found during review, from
         Daniel.
      
      3) Multiple fixes for sockmap/hash to address most of the syzkaller
         triggered bugs. Usage with IPv6 was crashing, a GPF in bpf_tcp_close(),
         a missing sock_map_release() routine to hook up to callbacks, and a
         fix for an omitted bucket lock in sock_close(), from John.
      
      4) Two bpftool fixes to remove duplicated error message on program load,
         and another one to close the libbpf object after program load. One
         additional fix for nfp driver's BPF offload to avoid stopping offload
         completely if replace of program failed, from Jakub.
      
      5) Couple of BPF selftest fixes that bail out in some of the test
         scripts if the user does not have the right privileges, from Jeffrin.
      
      6) Fixes in test_bpf for s390 when CONFIG_BPF_JIT_ALWAYS_ON is set
         where we need to set the flag that some of the test cases are expected
         to fail, from Kleber.
      
      7) Fix to detangle BPF_LIRC_MODE2 dependency from CONFIG_CGROUP_BPF
         since it has no relation to it and lirc2 users often have configs
         without cgroups enabled and thus would not be able to use it, from Sean.
      
      8) Fix a selftest failure in sockmap by removing a useless setrlimit()
         call that would set a too low limit where at the same time we are
         already including bpf_rlimit.h that does the job, from Yonghong.
      
      9) Fix BPF selftest config with missing missing NET_SCHED, from Anders.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      271b955e
  7. 30 Jun, 2018 3 commits
    • Daniel Borkmann's avatar
      Merge branch 'bpf-sockmap-fixes' · bf2b866a
      Daniel Borkmann authored
      John Fastabend says:
      
      ====================
      This addresses two syzbot issues that lead to identifying (by Eric and
      Wei) a class of bugs where we don't correctly check for IPv4/v6
      sockets and their associated state. The second issue was a locking
      omission in sockhash.
      
      The first patch addresses IPv6 socks and fixing an error where
      sockhash would overwrite the prot pointer with IPv4 prot. To fix
      this build similar solution to TLS ULP. Although we continue to
      allow socks in all states not just ESTABLISH in this patch set
      because as Martin points out there should be no issue with this
      on the sockmap ULP because we don't use the ctx in this code. Once
      multiple ULPs coexist we may need to revisit this. However we
      can do this in *next trees.
      
      The other issue syzbot found that the tcp_close() handler missed
      locking the hash bucket lock which could result in corrupting the
      sockhash bucket list if delete and close ran at the same time.
      And also the smap_list_remove() routine was not working correctly
      at all. This was not caught in my testing because in general my
      tests (to date at least lets add some more robust selftest in
      bpf-next) do things in the "expected" order, create map, add socks,
      delete socks, then tear down maps. The tests we have that do the
      ops out of this order where only working on single maps not multi-
      maps so we never saw the issue. Thanks syzbot. The fix is to
      restructure the tcp_close() lock handling. And fix the obvious
      bug in smap_list_remove().
      
      Finally, during review I noticed the release handler was omitted
      from the upstream code (patch 4) due to an incorrect merge conflict
      fix when I ported the code to latest bpf-next before submitting.
      This would leave references to the map around if the user never
      closes the map.
      
      v3: rework patches, dropping ESTABLISH check and adding rcu
          annotation along with the smap_list_remove fix
      
      v4: missed one more case where maps was being accessed without
          the sk_callback_lock, spoted by Martin as well.
      
      v5: changed to use a specific lock for maps and reduced callback
          lock so that it is only used to gaurd sk callbacks. I think
          this makes the logic a bit cleaner and avoids confusion
          ovoer what each lock is doing.
      
      Also big thanks to Martin for thorough review he caught at least
      one case where I missed a rcu_call().
      ====================
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      bf2b866a
    • John Fastabend's avatar
      bpf: sockhash, add release routine · caac76a5
      John Fastabend authored
      Add map_release_uref pointer to hashmap ops. This was dropped when
      original sockhash code was ported into bpf-next before initial
      commit.
      
      Fixes: 81110384 ("bpf: sockmap, add hash map support")
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      caac76a5
    • John Fastabend's avatar
      bpf: sockhash fix omitted bucket lock in sock_close · e9db4ef6
      John Fastabend authored
      First the sk_callback_lock() was being used to protect both the
      sock callback hooks and the psock->maps list. This got overly
      convoluted after the addition of sockhash (in sockmap it made
      some sense because masp and callbacks were tightly coupled) so
      lets split out a specific lock for maps and only use the callback
      lock for its intended purpose. This fixes a couple cases where
      we missed using maps lock when it was in fact needed. Also this
      makes it easier to follow the code because now we can put the
      locking closer to the actual code its serializing.
      
      Next, in sock_hash_delete_elem() the pattern was as follows,
      
        sock_hash_delete_elem()
           [...]
           spin_lock(bucket_lock)
           l = lookup_elem_raw()
           if (l)
              hlist_del_rcu()
              write_lock(sk_callback_lock)
               .... destroy psock ...
              write_unlock(sk_callback_lock)
           spin_unlock(bucket_lock)
      
      The ordering is necessary because we only know the {p}sock after
      dereferencing the hash table which we can't do unless we have the
      bucket lock held. Once we have the bucket lock and the psock element
      it is deleted from the hashmap to ensure any other path doing a lookup
      will fail. Finally, the refcnt is decremented and if zero the psock
      is destroyed.
      
      In parallel with the above (or free'ing the map) a tcp close event
      may trigger tcp_close(). Which at the moment omits the bucket lock
      altogether (oops!) where the flow looks like this,
      
        bpf_tcp_close()
           [...]
           write_lock(sk_callback_lock)
           for each psock->maps // list of maps this sock is part of
               hlist_del_rcu(ref_hash_node);
               .... destroy psock ...
           write_unlock(sk_callback_lock)
      
      Obviously, and demonstrated by syzbot, this is broken because
      we can have multiple threads deleting entries via hlist_del_rcu().
      
      To fix this we might be tempted to wrap the hlist operation in a
      bucket lock but that would create a lock inversion problem. In
      summary to follow locking rules the psocks maps list needs the
      sk_callback_lock (after this patch maps_lock) but we need the bucket
      lock to do the hlist_del_rcu.
      
      To resolve the lock inversion problem pop the head of the maps list
      repeatedly and remove the reference until no more are left. If a
      delete happens in parallel from the BPF API that is OK as well because
      it will do a similar action, lookup the lock in the map/hash, delete
      it from the map/hash, and dec the refcnt. We check for this case
      before doing a destroy on the psock to ensure we don't have two
      threads tearing down a psock. The new logic is as follows,
      
        bpf_tcp_close()
        e = psock_map_pop(psock->maps) // done with map lock
        bucket_lock() // lock hash list bucket
        l = lookup_elem_raw(head, hash, key, key_size);
        if (l) {
           //only get here if elmnt was not already removed
           hlist_del_rcu()
           ... destroy psock...
        }
        bucket_unlock()
      
      And finally for all the above to work add missing locking around  map
      operations per above. Then add RCU annotations and use
      rcu_dereference/rcu_assign_pointer to manage values relying on RCU so
      that the object is not free'd from sock_hash_free() while it is being
      referenced in bpf_tcp_close().
      
      Reported-by: syzbot+0ce137753c78f7b6acc1@syzkaller.appspotmail.com
      Fixes: 81110384 ("bpf: sockmap, add hash map support")
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      e9db4ef6