1. 09 Nov, 2023 2 commits
    • Jakub Kicinski's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 942b8b38
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-11-08
      
      We've added 16 non-merge commits during the last 6 day(s) which contain
      a total of 30 files changed, 341 insertions(+), 130 deletions(-).
      
      The main changes are:
      
      1) Fix a BPF verifier issue in precision tracking for BPF_ALU | BPF_TO_BE |
         BPF_END where the source register was incorrectly marked as precise,
         from Shung-Hsi Yu.
      
      2) Fix a concurrency issue in bpf_timer where the former could still have
         been alive after an application releases or unpins the map, from Hou Tao.
      
      3) Fix a BPF verifier issue where immediates are incorrectly cast to u32
         before being spilled and therefore losing sign information, from Hao Sun.
      
      4) Fix a misplaced BPF_TRACE_ITER in check_css_task_iter_allowlist which
         incorrectly compared bpf_prog_type with bpf_attach_type, from Chuyi Zhou.
      
      5) Add __bpf_hook_{start,end} as well as __bpf_kfunc_{start,end}_defs macros,
         migrate all BPF-related __diag callsites over to it, and add a new
         __diag_ignore_all for -Wmissing-declarations to the macros to address
         recent build warnings, from Dave Marchevsky.
      
      6) Fix broken BPF selftest build of xdp_hw_metadata test on architectures
         where char is not signed, from Björn Töpel.
      
      7) Fix test_maps selftest to properly use LIBBPF_OPTS() macro to initialize
         the bpf_map_create_opts, from Andrii Nakryiko.
      
      8) Fix bpffs selftest to avoid unmounting /sys/kernel/debug as it may have
         been mounted and used by other applications already, from Manu Bretelle.
      
      9) Fix a build issue without CONFIG_CGROUPS wrt css_task open-coded
         iterators, from Matthieu Baerts.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        selftests/bpf: get trusted cgrp from bpf_iter__cgroup directly
        bpf: Let verifier consider {task,cgroup} is trusted in bpf_iter_reg
        selftests/bpf: Fix broken build where char is unsigned
        selftests/bpf: precision tracking test for BPF_NEG and BPF_END
        bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
        selftests/bpf: Add test for using css_task iter in sleepable progs
        selftests/bpf: Add tests for css_task iter combining with cgroup iter
        bpf: Relax allowlist for css_task iter
        selftests/bpf: fix test_maps' use of bpf_map_create_opts
        bpf: Check map->usercnt after timer->timer is assigned
        bpf: Add __bpf_hook_{start,end} macros
        bpf: Add __bpf_kfunc_{start,end}_defs macros
        selftests/bpf: fix test_bpffs
        selftests/bpf: Add test for immediate spilled to stack
        bpf: Fix check_stack_write_fixed_off() to correctly spill imm
        bpf: fix compilation error without CGROUPS
      ====================
      
      Link: https://lore.kernel.org/r/20231108132448.1970-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      942b8b38
    • Vlad Buslov's avatar
      net/sched: act_ct: Always fill offloading tuple iifidx · 9bc64bd0
      Vlad Buslov authored
      Referenced commit doesn't always set iifidx when offloading the flow to
      hardware. Fix the following cases:
      
      - nf_conn_act_ct_ext_fill() is called before extension is created with
      nf_conn_act_ct_ext_add() in tcf_ct_act(). This can cause rule offload with
      unspecified iifidx when connection is offloaded after only single
      original-direction packet has been processed by tc data path. Always fill
      the new nf_conn_act_ct_ext instance after creating it in
      nf_conn_act_ct_ext_add().
      
      - Offloading of unidirectional UDP NEW connections is now supported, but ct
      flow iifidx field is not updated when connection is promoted to
      bidirectional which can result reply-direction iifidx to be zero when
      refreshing the connection. Fill in the extension and update flow iifidx
      before calling flow_offload_refresh().
      
      Fixes: 9795ded7 ("net/sched: act_ct: Fill offloading tuple iifidx")
      Reviewed-by: default avatarPaul Blakey <paulb@nvidia.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Fixes: 6a9bad00 ("net/sched: act_ct: offload UDP NEW connections")
      Link: https://lore.kernel.org/r/20231103151410.764271-1-vladbu@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9bc64bd0
  2. 08 Nov, 2023 4 commits
    • Philipp Stanner's avatar
      drivers/net/ppp: use standard array-copy-function · caf31008
      Philipp Stanner authored
      In ppp_generic.c, memdup_user() is utilized to copy a userspace array.
      This is done without an overflow-check, which is, however, not critical
      because the multiplicands are an unsigned short and struct sock_filter,
      which is currently of size 8.
      
      Regardless, string.h now provides memdup_array_user(), a wrapper for
      copying userspace arrays in a standardized manner, which has the
      advantage of making it more obvious to the reader that an array is being
      copied.
      The wrapper additionally performs an obligatory overflow check, saving
      the reader the effort of analyzing the potential for overflow, and
      making the code a bit more robust in case of future changes to the
      multiplicands len * size.
      
      Replace memdup_user() with memdup_array_user().
      Suggested-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarPhilipp Stanner <pstanner@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      caf31008
    • Vladimir Oltean's avatar
      net: enetc: shorten enetc_setup_xdp_prog() error message to fit NETLINK_MAX_FMTMSG_LEN · f968c564
      Vladimir Oltean authored
      NETLINK_MAX_FMTMSG_LEN is currently hardcoded to 80, and we provide an
      error printf-formatted string having 96 characters including the
      terminating \0. Assuming each %d (representing a queue) gets replaced by
      a number having at most 2 digits (a reasonable assumption), the final
      string is also 96 characters wide, which is too much.
      
      Reduce the verbiage a bit by removing some (partially) redundant words,
      which makes the new printf-formatted string be 73 characters wide with
      the trailing newline.
      
      Fixes: 800db2d1 ("net: enetc: ensure we always have a minimum number of TXQs for stack")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/lkml/202311061336.4dsWMT1h-lkp@intel.com/Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20231106160311.616118-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f968c564
    • Shigeru Yoshida's avatar
      virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt() · 34c4effa
      Shigeru Yoshida authored
      KMSAN reported the following uninit-value access issue:
      
      =====================================================
      BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421
       virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421
       vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
       process_one_work kernel/workqueue.c:2630 [inline]
       process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
       worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
       kthread+0x3cc/0x520 kernel/kthread.c:388
       ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      Uninit was stored to memory at:
       virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline]
       virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415
       vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
       process_one_work kernel/workqueue.c:2630 [inline]
       process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
       worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
       kthread+0x3cc/0x520 kernel/kthread.c:388
       ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      Uninit was created at:
       slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767
       slab_alloc_node mm/slub.c:3478 [inline]
       kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523
       kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559
       __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650
       alloc_skb include/linux/skbuff.h:1286 [inline]
       virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline]
       virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58
       virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline]
       virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387
       vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
       process_one_work kernel/workqueue.c:2630 [inline]
       process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
       worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
       kthread+0x3cc/0x520 kernel/kthread.c:388
       ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
      Workqueue: vsock-loopback vsock_loopback_work
      =====================================================
      
      The following simple reproducer can cause the issue described above:
      
      int main(void)
      {
        int sock;
        struct sockaddr_vm addr = {
          .svm_family = AF_VSOCK,
          .svm_cid = VMADDR_CID_ANY,
          .svm_port = 1234,
        };
      
        sock = socket(AF_VSOCK, SOCK_STREAM, 0);
        connect(sock, (struct sockaddr *)&addr, sizeof(addr));
        return 0;
      }
      
      This issue occurs because the `buf_alloc` and `fwd_cnt` fields of the
      `struct virtio_vsock_hdr` are not initialized when a new skb is allocated
      in `virtio_transport_init_hdr()`. This patch resolves the issue by
      initializing these fields during allocation.
      
      Fixes: 71dc9ec9 ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
      Reported-and-tested-by: syzbot+0c8ce1da0ac31abbadcd@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=0c8ce1da0ac31abbadcdSigned-off-by: default avatarShigeru Yoshida <syoshida@redhat.com>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20231104150531.257952-1-syoshida@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      34c4effa
    • Heiner Kallweit's avatar
      r8169: respect userspace disabling IFF_MULTICAST · 8999ce4c
      Heiner Kallweit authored
      So far we ignore the setting of IFF_MULTICAST. Fix this and clear bit
      AcceptMulticast if IFF_MULTICAST isn't set.
      
      Note: Based on the implementations I've seen it doesn't seem to be 100% clear
      what a driver is supposed to do if IFF_ALLMULTI is set but IFF_MULTICAST
      is not. This patch is based on the understanding that IFF_MULTICAST has
      precedence.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/4a57ba02-d52d-4369-9f14-3565e6c1f7dc@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8999ce4c
  3. 07 Nov, 2023 14 commits
  4. 06 Nov, 2023 8 commits
    • David S. Miller's avatar
      Merge branch 'smc-fixes' · c1ed833e
      David S. Miller authored
      D. Wythe says
      
      ====================
      bugfixs for smc
      
      This patches includes bugfix following:
      
      1. hung state
      2. sock leak
      3. potential panic
      
      We have been testing these patches for some time, but
      if you have any questions, please let us know.
      
      --
      v1:
      Fix spelling errors and incorrect function names in descriptions
      
      v2->v1:
      Add fix tags for bugfix patch
      ====================
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c1ed833e
    • D. Wythe's avatar
      net/smc: put sk reference if close work was canceled · aa96fbd6
      D. Wythe authored
      Note that we always hold a reference to sock when attempting
      to submit close_work. Therefore, if we have successfully
      canceled close_work from pending, we MUST release that reference
      to avoid potential leaks.
      
      Fixes: 42bfba9e ("net/smc: immediate termination for SMCD link groups")
      Signed-off-by: default avatarD. Wythe <alibuda@linux.alibaba.com>
      Reviewed-by: default avatarDust Li <dust.li@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aa96fbd6
    • D. Wythe's avatar
      net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc · c5bf605b
      D. Wythe authored
      This patch re-fix the issues mentioned by commit 22a825c5
      ("net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()").
      
      Blocking sending message do solve the issues though, but it also
      prevents the peer to receive the final message. Besides, in logic,
      whether the sndbuf_desc is NULL or not have no impact on the processing
      of cdc message sending.
      
      Hence that, this patch allows the cdc message sending but to check the
      sndbuf_desc with care in smc_cdc_tx_handler().
      
      Fixes: 22a825c5 ("net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()")
      Signed-off-by: default avatarD. Wythe <alibuda@linux.alibaba.com>
      Reviewed-by: default avatarDust Li <dust.li@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c5bf605b
    • D. Wythe's avatar
      net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT · 5211c972
      D. Wythe authored
      Considering scenario:
      
      				smc_cdc_rx_handler
      __smc_release
      				sock_set_flag
      smc_close_active()
      sock_set_flag
      
      __set_bit(DEAD)			__set_bit(DONE)
      
      Dues to __set_bit is not atomic, the DEAD or DONE might be lost.
      if the DEAD flag lost, the state SMC_CLOSED  will be never be reached
      in smc_close_passive_work:
      
      if (sock_flag(sk, SOCK_DEAD) &&
      	smc_close_sent_any_close(conn)) {
      	sk->sk_state = SMC_CLOSED;
      } else {
      	/* just shutdown, but not yet closed locally */
      	sk->sk_state = SMC_APPFINCLOSEWAIT;
      }
      
      Replace sock_set_flags or __set_bit to set_bit will fix this problem.
      Since set_bit is atomic.
      
      Fixes: b38d7324 ("smc: socket closing and linkgroup cleanup")
      Signed-off-by: default avatarD. Wythe <alibuda@linux.alibaba.com>
      Reviewed-by: default avatarDust Li <dust.li@linux.alibaba.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5211c972
    • Jakub Kicinski's avatar
      nfsd: regenerate user space parsers after ynl-gen changes · d93f9528
      Jakub Kicinski authored
      Commit 8cea95b0 ("tools: ynl-gen: handle do ops with no input attrs")
      added support for some of the previously-skipped ops in nfsd.
      Regenerate the user space parsers to fill them in.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Acked-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d93f9528
    • Kuniyuki Iwashima's avatar
      tcp: Fix SYN option room calculation for TCP-AO. · 0a8e987d
      Kuniyuki Iwashima authored
      When building SYN packet in tcp_syn_options(), MSS, TS, WS, and
      SACKPERM are used without checking the remaining bytes in the
      options area.
      
      To keep that logic as is, we limit the TCP-AO MAC length in
      tcp_ao_parse_crypto().  Currently, the limit is calculated as below.
      
        MAX_TCP_OPTION_SPACE - TCPOLEN_TSTAMP_ALIGNED
                             - TCPOLEN_WSCALE_ALIGNED
                             - TCPOLEN_SACKPERM_ALIGNED
      
      This looks confusing as (1) we pack SACKPERM into the leading
      2-bytes of the aligned 12-bytes of TS and (2) TCPOLEN_MSS_ALIGNED
      is not used.  Fortunately, the calculated limit is not wrong as
      TCPOLEN_SACKPERM_ALIGNED and TCPOLEN_MSS_ALIGNED are the same value.
      
      However, we should use the proper constant in the formula.
      
        MAX_TCP_OPTION_SPACE - TCPOLEN_MSS_ALIGNED
                             - TCPOLEN_TSTAMP_ALIGNED
                             - TCPOLEN_WSCALE_ALIGNED
      
      Fixes: 4954f17d ("net/tcp: Introduce TCP_AO setsockopt()s")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarDmitry Safonov <dima@arista.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0a8e987d
    • Geetha sowjanya's avatar
      octeontx2-pf: Free pending and dropped SQEs · 3423ca23
      Geetha sowjanya authored
      On interface down, the pending SQEs in the NIX get dropped
      or drained out during SMQ flush. But skb's pointed by these
      SQEs never get free or updated to the stack as respective CQE
      never get added.
      This patch fixes the issue by freeing all valid skb's in SQ SG list.
      
      Fixes: b1bc8457 ("octeontx2-pf: Cleanup all receive buffers in SG descriptor")
      Signed-off-by: default avatarGeetha sowjanya <gakula@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3423ca23
    • Jamal Hadi Salim's avatar
      net, sched: Fix SKB_NOT_DROPPED_YET splat under debug config · 40cb2fdf
      Jamal Hadi Salim authored
      Getting the following splat [1] with CONFIG_DEBUG_NET=y and this
      reproducer [2]. Problem seems to be that classifiers clear 'struct
      tcf_result::drop_reason', thereby triggering the warning in
      __kfree_skb_reason() due to reason being 'SKB_NOT_DROPPED_YET' (0).
      
      Fixed by disambiguating a legit error from a verdict with a bogus drop_reason
      
      [1]
      WARNING: CPU: 0 PID: 181 at net/core/skbuff.c:1082 kfree_skb_reason+0x38/0x130
      Modules linked in:
      CPU: 0 PID: 181 Comm: mausezahn Not tainted 6.6.0-rc6-custom-ge43e6d95 #682
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
      RIP: 0010:kfree_skb_reason+0x38/0x130
      [...]
      Call Trace:
       <IRQ>
       __netif_receive_skb_core.constprop.0+0x837/0xdb0
       __netif_receive_skb_one_core+0x3c/0x70
       process_backlog+0x95/0x130
       __napi_poll+0x25/0x1b0
       net_rx_action+0x29b/0x310
       __do_softirq+0xc0/0x29b
       do_softirq+0x43/0x60
       </IRQ>
      
      [2]
      
      ip link add name veth0 type veth peer name veth1
      ip link set dev veth0 up
      ip link set dev veth1 up
      tc qdisc add dev veth1 clsact
      tc filter add dev veth1 ingress pref 1 proto all flower dst_mac 00:11:22:33:44:55 action drop
      mausezahn veth0 -a own -b 00:11:22:33:44:55 -q -c 1
      
      Ido reported:
      
        [...] getting the following splat [1] with CONFIG_DEBUG_NET=y and this
        reproducer [2]. Problem seems to be that classifiers clear 'struct
        tcf_result::drop_reason', thereby triggering the warning in
        __kfree_skb_reason() due to reason being 'SKB_NOT_DROPPED_YET' (0). [...]
      
        [1]
        WARNING: CPU: 0 PID: 181 at net/core/skbuff.c:1082 kfree_skb_reason+0x38/0x130
        Modules linked in:
        CPU: 0 PID: 181 Comm: mausezahn Not tainted 6.6.0-rc6-custom-ge43e6d95 #682
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
        RIP: 0010:kfree_skb_reason+0x38/0x130
        [...]
        Call Trace:
         <IRQ>
         __netif_receive_skb_core.constprop.0+0x837/0xdb0
         __netif_receive_skb_one_core+0x3c/0x70
         process_backlog+0x95/0x130
         __napi_poll+0x25/0x1b0
         net_rx_action+0x29b/0x310
         __do_softirq+0xc0/0x29b
         do_softirq+0x43/0x60
         </IRQ>
      
        [2]
        #!/bin/bash
      
        ip link add name veth0 type veth peer name veth1
        ip link set dev veth0 up
        ip link set dev veth1 up
        tc qdisc add dev veth1 clsact
        tc filter add dev veth1 ingress pref 1 proto all flower dst_mac 00:11:22:33:44:55 action drop
        mausezahn veth0 -a own -b 00:11:22:33:44:55 -q -c 1
      
      What happens is that inside most classifiers the tcf_result is copied over
      from a filter template e.g. *res = f->res which then implicitly overrides
      the prior SKB_DROP_REASON_TC_{INGRESS,EGRESS} default drop code which was
      set via sch_handle_{ingress,egress}() for kfree_skb_reason().
      
      Commit text above copied verbatim from Daniel. The general idea of the patch
      is not very different from what Ido originally posted but instead done at the
      cls_api codepath.
      
      Fixes: 54a59aed ("net, sched: Make tc-related drop reason more flexible")
      Reported-by: default avatarIdo Schimmel <idosch@idosch.org>
      Signed-off-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Link: https://lore.kernel.org/netdev/ZTjY959R+AFXf3Xy@shredderReviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40cb2fdf
  5. 03 Nov, 2023 7 commits
    • Jakub Kicinski's avatar
      netlink: fill in missing MODULE_DESCRIPTION() · 016b9332
      Jakub Kicinski authored
      W=1 builds now warn if a module is built without
      a MODULE_DESCRIPTION(). Fill it in for sock_diag.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      016b9332
    • Eric Dumazet's avatar
      net/tcp: fix possible out-of-bounds reads in tcp_hash_fail() · 02f0717e
      Eric Dumazet authored
      syzbot managed to trigger a fault by sending TCP packets
      with all flags being set.
      
      v2:
       - While fixing this bug, add PSH flag handling and represent
         flags the way tcpdump does : [S], [S.], [P.]
       - Print 4-tuples more consistently between families.
      
      BUG: KASAN: stack-out-of-bounds in string_nocheck lib/vsprintf.c:645 [inline]
      BUG: KASAN: stack-out-of-bounds in string+0x394/0x3d0 lib/vsprintf.c:727
      Read of size 1 at addr ffffc9000397f3f5 by task syz-executor299/5039
      
      CPU: 1 PID: 5039 Comm: syz-executor299 Not tainted 6.6.0-rc7-syzkaller-02075-g55c90047 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:364 [inline]
      print_report+0xc4/0x620 mm/kasan/report.c:475
      kasan_report+0xda/0x110 mm/kasan/report.c:588
      string_nocheck lib/vsprintf.c:645 [inline]
      string+0x394/0x3d0 lib/vsprintf.c:727
      vsnprintf+0xc5f/0x1870 lib/vsprintf.c:2818
      vprintk_store+0x3a0/0xb80 kernel/printk/printk.c:2191
      vprintk_emit+0x14c/0x5f0 kernel/printk/printk.c:2288
      vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
      _printk+0xc8/0x100 kernel/printk/printk.c:2332
      tcp_inbound_hash.constprop.0+0xdb2/0x10d0 include/net/tcp.h:2760
      tcp_v6_rcv+0x2b31/0x34d0 net/ipv6/tcp_ipv6.c:1882
      ip6_protocol_deliver_rcu+0x33b/0x13d0 net/ipv6/ip6_input.c:438
      ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483
      NF_HOOK include/linux/netfilter.h:314 [inline]
      NF_HOOK include/linux/netfilter.h:308 [inline]
      ip6_input+0xce/0x440 net/ipv6/ip6_input.c:492
      dst_input include/net/dst.h:461 [inline]
      ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
      NF_HOOK include/linux/netfilter.h:314 [inline]
      NF_HOOK include/linux/netfilter.h:308 [inline]
      ipv6_rcv+0x563/0x720 net/ipv6/ip6_input.c:310
      __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5527
      __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5641
      netif_receive_skb_internal net/core/dev.c:5727 [inline]
      netif_receive_skb+0x133/0x700 net/core/dev.c:5786
      tun_rx_batched+0x429/0x780 drivers/net/tun.c:1579
      tun_get_user+0x29e7/0x3bc0 drivers/net/tun.c:2002
      tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2048
      call_write_iter include/linux/fs.h:1956 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x650/0xe40 fs/read_write.c:584
      ksys_write+0x12f/0x250 fs/read_write.c:637
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: 2717b5ad ("net/tcp: Add tcp_hash_fail() ratelimited logs")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Dmitry Safonov <dima@arista.com>
      Cc: Francesco Ruggeri <fruggeri@arista.com>
      Cc: David Ahern <dsahern@kernel.org>
      Reviewed-by: default avatarDmitry Safonov <dima@arista.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      02f0717e
    • Ronald Wahl's avatar
      net: ethernet: ti: am65-cpsw: rx_pause/tx_pause controls wrong direction · 153a58c6
      Ronald Wahl authored
      The rx_pause flag says that whether we support receiving Pause frames.
      When a Pause frame is received TX is delayed for some time. This is TX
      flow control. In the same manner tx_pause is actually RX flow control.
      Signed-off-by: default avatarRonald Wahl <ronald.wahl@raritan.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      153a58c6
    • Eric Dumazet's avatar
      tcp: fix fastopen code vs usec TS · cdbab623
      Eric Dumazet authored
      After blamed commit, TFO client-ack-dropped-then-recovery-ms-timestamps
      packetdrill test failed.
      
      David Morley and Neal Cardwell started investigating and Neal pointed
      that we had :
      
      tcp_conn_request()
        tcp_try_fastopen()
         -> tcp_fastopen_create_child
           -> child = inet_csk(sk)->icsk_af_ops->syn_recv_sock()
             -> tcp_create_openreq_child()
                -> copy req_usec_ts from req:
                newtp->tcp_usec_ts = treq->req_usec_ts;
                // now the new TFO server socket always does usec TS, no matter
                // what the route options are...
        send_synack()
          -> tcp_make_synack()
              // disable tcp_rsk(req)->req_usec_ts if route option is not present:
              if (tcp_rsk(req)->req_usec_ts < 0)
                      tcp_rsk(req)->req_usec_ts = dst_tcp_usec_ts(dst);
      
      tcp_conn_request() has the initial dst, we can initialize
      tcp_rsk(req)->req_usec_ts there instead of later in send_synack();
      
      This means tcp_rsk(req)->req_usec_ts can be a boolean.
      
      Many thanks to David an Neal for their help.
      
      Fixes: 614e8316 ("tcp: add support for usec resolution in TCP TS values")
      Reported-by: default avatarkernel test robot <oliver.sang@intel.com>
      Closes: https://lore.kernel.org/oe-lkp/202310302216.f79d78bc-oliver.sang@intel.comSuggested-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: David Morley <morleyd@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cdbab623
    • Hangbin Liu's avatar
      selftests: pmtu.sh: fix result checking · 63e20191
      Hangbin Liu authored
      In the PMTU test, when all previous tests are skipped and the new test
      passes, the exit code is set to 0. However, the current check mistakenly
      treats this as an assignment, causing the check to pass every time.
      
      Consequently, regardless of how many tests have failed, if the latest test
      passes, the PMTU test will report a pass.
      
      Fixes: 2a9d3716 ("selftests: pmtu.sh: improve the test result processing")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarPo-Hsu Lin <po-hsu.lin@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      63e20191
    • Furong Xu's avatar
      net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs · db456d90
      Furong Xu authored
      From XGMAC Core 3.20 and later, each Flexible PPS has individual PPSEN bit
      to select Fixed mode or Flexible mode. The PPSEN must be set, or it stays
      in Fixed PPS mode by default.
      XGMAC Core prior 3.20, only PPSEN0(bit 4) is writable. PPSEN{1,2,3} are
      read-only reserved, and they are already in Flexible mode by default, our
      new code always set PPSEN{1,2,3} do not make things worse ;-)
      
      Fixes: 95eaf3cd ("net: stmmac: dwxgmac: Add Flexible PPS support")
      Reviewed-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Signed-off-by: default avatarFurong Xu <0x1207@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      db456d90
    • NeilBrown's avatar
      Fix termination state for idr_for_each_entry_ul() · e8ae8ad4
      NeilBrown authored
      The comment for idr_for_each_entry_ul() states
      
        after normal termination @entry is left with the value NULL
      
      This is not correct in the case where UINT_MAX has an entry in the idr.
      In that case @entry will be non-NULL after termination.
      No current code depends on the documentation being correct, but to
      save future code we should fix it.
      
      Also fix idr_for_each_entry_continue_ul().  While this is not documented
      as leaving @entry as NULL, the mellanox driver appears to depend on
      it doing so.  So make that explicit in the documentation as well as in
      the code.
      
      Fixes: e33d2b74 ("idr: fix overflow case for idr_for_each_entry_ul()")
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Chris Mi <chrism@mellanox.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e8ae8ad4
  6. 02 Nov, 2023 5 commits