1. 04 Jan, 2021 2 commits
    • Cong Wang's avatar
      af_key: relax availability checks for skb size calculation · afbc293a
      Cong Wang authored
      xfrm_probe_algs() probes kernel crypto modules and changes the
      availability of struct xfrm_algo_desc. But there is a small window
      where ealg->available and aalg->available get changed between
      count_ah_combs()/count_esp_combs() and dump_ah_combs()/dump_esp_combs(),
      in this case we may allocate a smaller skb but later put a larger
      amount of data and trigger the panic in skb_put().
      
      Fix this by relaxing the checks when counting the size, that is,
      skipping the test of ->available. We may waste some memory for a few
      of sizeof(struct sadb_comb), but it is still much better than a panic.
      
      Reported-by: syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarCong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      afbc293a
    • Eyal Birger's avatar
      xfrm: fix disable_xfrm sysctl when used on xfrm interfaces · 9f8550e4
      Eyal Birger authored
      The disable_xfrm flag signals that xfrm should not be performed during
      routing towards a device before reaching device xmit.
      
      For xfrm interfaces this is usually desired as they perform the outbound
      policy lookup as part of their xmit using their if_id.
      
      Before this change enabling this flag on xfrm interfaces prevented them
      from xmitting as xfrm_lookup_with_ifid() would not perform a policy lookup
      in case the original dst had the DST_NOXFRM flag.
      
      This optimization is incorrect when the lookup is done by the xfrm
      interface xmit logic.
      
      Fix by performing policy lookup when invoked by xfrmi as if_id != 0.
      
      Similarly it's unlikely for the 'no policy exists on net' check to yield
      any performance benefits when invoked from xfrmi.
      
      Fixes: f203b76d ("xfrm: Add virtual xfrm interfaces")
      Signed-off-by: default avatarEyal Birger <eyal.birger@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      9f8550e4
  2. 19 Dec, 2020 1 commit
    • Shmulik Ladkani's avatar
      xfrm: Fix oops in xfrm_replay_advance_bmp · 56ce7c25
      Shmulik Ladkani authored
      When setting xfrm replay_window to values higher than 32, a rare
      page-fault occurs in xfrm_replay_advance_bmp:
      
        BUG: unable to handle page fault for address: ffff8af350ad7920
        #PF: supervisor write access in kernel mode
        #PF: error_code(0x0002) - not-present page
        PGD ad001067 P4D ad001067 PUD 0
        Oops: 0002 [#1] SMP PTI
        CPU: 3 PID: 30 Comm: ksoftirqd/3 Kdump: loaded Not tainted 5.4.52-050452-generic #202007160732
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
        RIP: 0010:xfrm_replay_advance_bmp+0xbb/0x130
        RSP: 0018:ffffa1304013ba40 EFLAGS: 00010206
        RAX: 000000000000010d RBX: 0000000000000002 RCX: 00000000ffffff4b
        RDX: 0000000000000018 RSI: 00000000004c234c RDI: 00000000ffb3dbff
        RBP: ffffa1304013ba50 R08: ffff8af330ad7920 R09: 0000000007fffffa
        R10: 0000000000000800 R11: 0000000000000010 R12: ffff8af29d6258c0
        R13: ffff8af28b95c700 R14: 0000000000000000 R15: ffff8af29d6258fc
        FS:  0000000000000000(0000) GS:ffff8af339ac0000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: ffff8af350ad7920 CR3: 0000000015ee4000 CR4: 00000000001406e0
        Call Trace:
         xfrm_input+0x4e5/0xa10
         xfrm4_rcv_encap+0xb5/0xe0
         xfrm4_udp_encap_rcv+0x140/0x1c0
      
      Analysis revealed offending code is when accessing:
      
      	replay_esn->bmp[nr] |= (1U << bitnr);
      
      with 'nr' being 0x07fffffa.
      
      This happened in an SMP system when reordering of packets was present;
      A packet arrived with a "too old" sequence number (outside the window,
      i.e 'diff > replay_window'), and therefore the following calculation:
      
      			bitnr = replay_esn->replay_window - (diff - pos);
      
      yields a negative result, but since bitnr is u32 we get a large unsigned
      quantity (in crash dump above: 0xffffff4b seen in ecx).
      
      This was supposed to be protected by xfrm_input()'s former call to:
      
      		if (x->repl->check(x, skb, seq)) {
      
      However, the state's spinlock x->lock is *released* after '->check()'
      is performed, and gets re-acquired before '->advance()' - which gives a
      chance for a different core to update the xfrm state, e.g. by advancing
      'replay_esn->seq' when it encounters more packets - leading to a
      'diff > replay_window' situation when original core continues to
      xfrm_replay_advance_bmp().
      
      An attempt to fix this issue was suggested in commit bcf66bf5
      ("xfrm: Perform a replay check after return from async codepaths"),
      by calling 'x->repl->recheck()' after lock is re-acquired, but fix
      applied only to asyncronous crypto algorithms.
      
      Augment the fix, by *always* calling 'recheck()' - irrespective if we're
      using async crypto.
      
      Fixes: 0ebea8ef ("[IPSEC]: Move state lock into x->type->input")
      Signed-off-by: default avatarShmulik Ladkani <shmulik.ladkani@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      56ce7c25
  3. 11 Dec, 2020 29 commits
  4. 10 Dec, 2020 8 commits
    • Chris Wilson's avatar
      drm/i915/display: Go softly softly on initial modeset failure · b1f195fc
      Chris Wilson authored
      Reduce the module/device probe error into a mere debug to hide issues
      where the initial modeset is failing (after lies told by hw probe) and
      the system hangs with a livelock in cleaning up the failed commit.
      Reported-by: default avatarH.J. Lu <hjl.tools@gmail.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=210619
      Fixes: b3bf99da ("drm/i915/display: Defer initial modeset until after GGTT is initialised")
      Fixes: ccc9e67a ("drm/i915/display: Defer initial modeset until after GGTT is initialised")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
      Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Cc: H.J. Lu <hjl.tools@gmail.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Reviewed-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20201210230741.17140-1-chris@chris-wilson.co.uk
      b1f195fc
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2020-12-09' of... · de2df164
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2020-12-09' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      Fixes for VDSC/DP, selftests, shmem_utils, preemption, submission, and gt reset:
      
      - Check the correct variable in selftest (Dan)
      - Propagate error from canceled submit due to context closure (Chris)
      - Ignore repeated attempts to suspend request flow across reset (Chris)
      - Cancel the preemption timeout on responding to it (Chris)
      - Fix unsigned compared against 0 (Colin)
      - Compute the correct slice count for VDSC on DP (Manasi)
      - Declar gen9 has 64 mocs entries (Chris)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20201209235010.GA10554@intel.com
      de2df164
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-5.10-2020-12-09' of... · a81ac299
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-5.10-2020-12-09' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
      
      amd-drm-fixes-5.10-2020-12-09:
      
      amdgpu:
      - Fan fix for CI asics
      - Fix a warning in possible_crtcs
      - Build fix for when debugfs is disabled
      - Display overflow fix
      - Display watermark fixes for Renoir
      - SDMA 5.2 fix
      - Stolen vga memory regression fix
      - Power profile fixes
      - Fix a regression from removal of GEM and PRIME callbacks
      
      amdkfd:
      - Fix a memory leak in dmabuf import
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20201210034848.18108-1-alexander.deucher@amd.com
      a81ac299
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.10-3' of git://git.linux-nfs.org/projects/anna/linux-nfs · 6840a3dc
      Linus Torvalds authored
      Pull NFS client fixes from Anna Schumaker:
       "Here are a handful more bugfixes for 5.10.
      
        Unfortunately, we found some problems with the new READ_PLUS operation
        that aren't easy to fix. We've decided to disable this codepath
        through a Kconfig option for now, but a series of patches going into
        5.11 will clean up the code and fix the issues at the same time. This
        seemed like the best way to go about it.
      
        Summary:
      
         - Fix array overflow when flexfiles mirroring is enabled
      
         - Fix rpcrdma_inline_fixup() crash with new LISTXATTRS
      
         - Fix 5 second delay when doing inter-server copy
      
         - Disable READ_PLUS by default"
      
      * tag 'nfs-for-5.10-3' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        NFS: Disable READ_PLUS by default
        NFSv4.2: Fix 5 seconds delay when doing inter server copy
        NFS: Fix rpcrdma_inline_fixup() crash with new LISTXATTRS operation
        pNFS/flexfiles: Fix array overflow when flexfiles mirroring is enabled
      6840a3dc
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 4d31058b
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) IPsec compat fixes, from Dmitry Safonov.
      
       2) Fix memory leak in xfrm_user_policy(). Fix from Yu Kuai.
      
       3) Fix polling in xsk sockets by using sk_poll_wait() instead of
          datagram_poll() which keys off of sk_wmem_alloc and such which xsk
          sockets do not update. From Xuan Zhuo.
      
       4) Missing init of rekey_data in cfgh80211, from Sara Sharon.
      
       5) Fix destroy of timer before init, from Davide Caratti.
      
       6) Missing CRYPTO_CRC32 selects in ethernet driver Kconfigs, from Arnd
          Bergmann.
      
       7) Missing error return in rtm_to_fib_config() switch case, from Zhang
          Changzhong.
      
       8) Fix some src/dest address handling in vrf and add a testcase. From
          Stephen Suryaputra.
      
       9) Fix multicast handling in Seville switches driven by mscc-ocelot
          driver. From Vladimir Oltean.
      
      10) Fix proto value passed to skb delivery demux in udp, from Xin Long.
      
      11) HW pkt counters not reported correctly in enetc driver, from Claudiu
          Manoil.
      
      12) Fix deadlock in bridge, from Joseph Huang.
      
      13) Missing of_node_pur() in dpaa2 driver, fromn Christophe JAILLET.
      
      14) Fix pid fetching in bpftool when there are a lot of results, from
          Andrii Nakryiko.
      
      15) Fix long timeouts in nft_dynset, from Pablo Neira Ayuso.
      
      16) Various stymmac fixes, from Fugang Duan.
      
      17) Fix null deref in tipc, from Cengiz Can.
      
      18) When mss is biog, coose more resonable rcvq_space in tcp, fromn Eric
          Dumazet.
      
      19) Revert a geneve change that likely isnt necessary, from Jakub
          Kicinski.
      
      20) Avoid premature rx buffer reuse in various Intel driversm from Björn
          Töpel.
      
      21) retain EcT bits during TIS reflection in tcp, from Wei Wang.
      
      22) Fix Tso deferral wrt. cwnd limiting in tcp, from Neal Cardwell.
      
      23) MPLS_OPT_LSE_LABEL attribute is 342 ot 8 bits, from Guillaume Nault
      
      24) Fix propagation of 32-bit signed bounds in bpf verifier and add test
          cases, from Alexei Starovoitov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (81 commits)
        selftests: fix poll error in udpgro.sh
        selftests/bpf: Fix "dubious pointer arithmetic" test
        selftests/bpf: Fix array access with signed variable test
        selftests/bpf: Add test for signed 32-bit bound check bug
        bpf: Fix propagation of 32-bit signed bounds from 64-bit bounds.
        MAINTAINERS: Add entry for Marvell Prestera Ethernet Switch driver
        net: sched: Fix dump of MPLS_OPT_LSE_LABEL attribute in cls_flower
        net/mlx4_en: Handle TX error CQE
        net/mlx4_en: Avoid scheduling restart task if it is already running
        tcp: fix cwnd-limited bug for TSO deferral where we send nothing
        net: flow_offload: Fix memory leak for indirect flow block
        tcp: Retain ECT bits for tos reflection
        ethtool: fix stack overflow in ethnl_parse_bitset()
        e1000e: fix S0ix flow to allow S0i3.2 subset entry
        ice: avoid premature Rx buffer reuse
        ixgbe: avoid premature Rx buffer reuse
        i40e: avoid premature Rx buffer reuse
        igb: avoid transmit queue timeout in xdp path
        igb: use xdp_do_flush
        igb: skb add metasize for xdp
        ...
      4d31058b
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · d9838b1d
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2020-12-10
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 21 non-merge commits during the last 12 day(s) which contain
      a total of 21 files changed, 163 insertions(+), 88 deletions(-).
      
      The main changes are:
      
      1) Fix propagation of 32-bit signed bounds from 64-bit bounds, from Alexei.
      
      2) Fix ring_buffer__poll() return value, from Andrii.
      
      3) Fix race in lwt_bpf, from Cong.
      
      4) Fix test_offload, from Toke.
      
      5) Various xsk fixes.
      
      Please consider pulling these changes from:
      
        git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git
      
      Thanks a lot!
      
      Also thanks to reporters, reviewers and testers of commits in this pull-request:
      
      Cong Wang, Hulk Robot, Jakub Kicinski, Jean-Philippe Brucker, John
      Fastabend, Magnus Karlsson, Maxim Mikityanskiy, Yonghong Song
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d9838b1d
    • Anna Schumaker's avatar
      NFS: Disable READ_PLUS by default · 21e31401
      Anna Schumaker authored
      We've been seeing failures with xfstests generic/091 and generic/263
      when using READ_PLUS. I've made some progress on these issues, and the
      tests fail later on but still don't pass. Let's disable READ_PLUS by
      default until we can work out what is going on.
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      21e31401
    • Dai Ngo's avatar
      NFSv4.2: Fix 5 seconds delay when doing inter server copy · fe8eb820
      Dai Ngo authored
      Since commit b4868b44 ("NFSv4: Wait for stateid updates after
      CLOSE/OPEN_DOWNGRADE"), every inter server copy operation suffers 5
      seconds delay regardless of the size of the copy. The delay is from
      nfs_set_open_stateid_locked when the check by nfs_stateid_is_sequential
      fails because the seqid in both nfs4_state and nfs4_stateid are 0.
      
      Fix __nfs42_ssc_open to delay setting of NFS_OPEN_STATE in nfs4_state,
      until after the call to update_open_stateid, to indicate this is the 1st
      open. This fix is part of a 2 patches, the other patch is the fix in the
      source server to return the stateid for COPY_NOTIFY request with seqid 1
      instead of 0.
      
      Fixes: ce0887ac ("NFSD add nfs4 inter ssc to nfsd4_copy")
      Signed-off-by: default avatarDai Ngo <dai.ngo@oracle.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      fe8eb820