1. 04 Jun, 2024 4 commits
    • ipv6: sr: block BH in seg6_output_core() and seg6_input_core() · c0b98ac1
      Eric Dumazet authored
      As explained in commit 13788174 ("tipc: block BH
      before using dst_cache"), net/core/dst_cache.c
      helpers need to be called with BH disabled.
      
      Disabling preemption in seg6_output_core() is not good enough,
      because seg6_output_core() is called from process context,
      lwtunnel_output() only uses rcu_read_lock().
      
      We might be interrupted by a softirq, re-enter seg6_output_core()
      and corrupt dst_cache data structures.
      
      Fix the race by using local_bh_disable() instead of
      preempt_disable().
      
      Apply a similar change in seg6_input_core().
      
      Fixes: fa79581e ("ipv6: sr: fix several BUGs when preemption is enabled")
      Fixes: 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: David Lebrun <dlebrun@google.com>
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240531132636.2637995-4-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() · db0090c6
      Eric Dumazet authored
      As explained in commit 13788174 ("tipc: block BH
      before using dst_cache"), net/core/dst_cache.c
      helpers need to be called with BH disabled.
      
      Disabling preemption in rpl_output() is not good enough,
      because rpl_output() is called from process context,
      lwtunnel_output() only uses rcu_read_lock().
      
      We might be interrupted by a softirq, re-enter rpl_output()
      and corrupt dst_cache data structures.
      
      Fix the race by using local_bh_disable() instead of
      preempt_disable().
      
      Apply a similar change in rpl_input().
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Alexander Aring <aahringo@redhat.com>
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240531132636.2637995-3-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ipv6: ioam: block BH from ioam6_output() · 2fe40483
      Eric Dumazet authored
      As explained in commit 13788174 ("tipc: block BH
      before using dst_cache"), net/core/dst_cache.c
      helpers need to be called with BH disabled.
      
      Disabling preemption in ioam6_output() is not good enough,
      because ioam6_output() is called from process context,
      lwtunnel_output() only uses rcu_read_lock().
      
      We might be interrupted by a softirq, re-enter ioam6_output()
      and corrupt dst_cache data structures.
      
      Fix the race by using local_bh_disable() instead of
      preempt_disable().
      
      Fixes: 8cb3bf8b ("ipv6: ioam: Add support for the ip6ip6 encapsulation")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Justin Iurman <justin.iurman@uliege.be>
      Acked-by: Paolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240531132636.2637995-2-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • vmxnet3: disable rx data ring on dma allocation failure · ffbe335b
      Matthias Stocker authored
      When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base,
      the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset
      rq->data_ring.desc_size for the data ring that failed, which presumably
      causes the hypervisor to reference it on packet reception.
      
      To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell
      the hypervisor to disable this feature.
      
      [   95.436876] kernel BUG at net/core/skbuff.c:207!
      [   95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      [   95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1
      [   95.441558] Hardware name: VMware, Inc. VMware Virtual
      Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
      [   95.443481] RIP: 0010:skb_panic+0x4d/0x4f
      [   95.459791] Call Trace:
      [   95.460515]  <IRQ>
      [   95.461180]  ? __die_body.cold+0x19/0x27
      [   95.462150]  ? die+0x2e/0x50
      [   95.462976]  ? do_trap+0xca/0x110
      [   95.463973]  ? do_error_trap+0x6a/0x90
      [   95.464966]  ? skb_panic+0x4d/0x4f
      [   95.465901]  ? exc_invalid_op+0x50/0x70
      [   95.466849]  ? skb_panic+0x4d/0x4f
      [   95.467718]  ? asm_exc_invalid_op+0x1a/0x20
      [   95.468758]  ? skb_panic+0x4d/0x4f
      [   95.469655]  skb_put.cold+0x10/0x10
      [   95.470573]  vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]
      [   95.471853]  vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]
      [   95.473185]  __napi_poll+0x2b/0x160
      [   95.474145]  net_rx_action+0x2c6/0x3b0
      [   95.475115]  handle_softirqs+0xe7/0x2a0
      [   95.476122]  __irq_exit_rcu+0x97/0xb0
      [   95.477109]  common_interrupt+0x85/0xa0
      [   95.478102]  </IRQ>
      [   95.478846]  <TASK>
      [   95.479603]  asm_common_interrupt+0x26/0x40
      [   95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20
      [   95.495035]  acpi_safe_halt+0x14/0x20
      [   95.496127]  acpi_idle_do_entry+0x2f/0x50
      [   95.497221]  acpi_idle_enter+0x7f/0xd0
      [   95.498272]  cpuidle_enter_state+0x81/0x420
      [   95.499375]  cpuidle_enter+0x2d/0x40
      [   95.500400]  do_idle+0x1e5/0x240
      [   95.501385]  cpu_startup_entry+0x29/0x30
      [   95.502422]  start_secondary+0x11c/0x140
      [   95.503454]  common_startup_64+0x13e/0x141
      [   95.504466]  </TASK>
      [   95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4
      nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
      nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
      nf_defrag_ipv4 rfkill ip_set nf_tables vsock_loopback
      vmw_vsock_virtio_transport_common qrtr vmw_vsock_vmci_transport vsock
      sunrpc binfmt_misc pktcdvd vmw_balloon pcspkr vmw_vmci i2c_piix4 joydev
      loop dm_multipath nfnetlink zram crct10dif_pclmul crc32_pclmul vmwgfx
      crc32c_intel polyval_clmulni polyval_generic ghash_clmulni_intel
      sha512_ssse3 sha256_ssse3 vmxnet3 sha1_ssse3 drm_ttm_helper vmw_pvscsi
      ttm ata_generic pata_acpi serio_raw scsi_dh_rdac scsi_dh_emc
      scsi_dh_alua ip6_tables ip_tables fuse
      [   95.516536] ---[ end trace 0000000000000000 ]---
      
      Fixes: 6f483338 ("net: vmxnet3: Fix NULL pointer dereference in vmxnet3_rq_rx_complete()")
      Signed-off-by: Matthias Stocker <mstocker@barracuda.com>
      Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
      Reviewed-by: Ronak Doshi <ronak.doshi@broadcom.com>
      Link: https://lore.kernel.org/r/20240531103711.101961-1-mstocker@barracuda.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
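The race described in the three "block BH" commit messages above, as an added userspace model (not kernel code and not taken from these commits): a process-context cache update is interrupted between releasing the old entry and storing the new one, and a softirq re-enters the same path. The release-then-store update, the `irq_window()` hook and all names here are assumptions of the model.

```c
#include <stdio.h>

/* Userspace model only: one "per-CPU" cache slot holding a refcounted
 * route, updated in two steps (release old entry, then store new one). */
struct dst { int refs; };

static int bh_disabled;        /* models the softirq-disable count */
static int softirq_pending;    /* models a raised, not yet run softirq */
static struct dst old_dst, dst_a, dst_b, *cache_dst;

static void cache_set(struct dst *new_dst, int in_softirq);

/* A softirq that re-enters the same output path on this CPU. */
static void softirq_reenter(void) { softirq_pending = 0; cache_set(&dst_b, 1); }

/* Interrupt arriving mid-update: the softirq runs on exit unless BH is off. */
static void irq_window(void)
{
    softirq_pending = 1;
    if (!bh_disabled)
        softirq_reenter();
}

static void cache_set(struct dst *new_dst, int in_softirq)
{
    if (cache_dst)
        cache_dst->refs--;     /* step 1: release the old entry */
    if (!in_softirq)
        irq_window();          /* process context can be interrupted here */
    new_dst->refs++;           /* step 2: hold and store the new entry */
    cache_dst = new_dst;
}

/* Returns old_dst's final refcount: 0 is correct, negative is a double release. */
static int run_output(int use_bh_disable)
{
    old_dst.refs = 1; dst_a.refs = dst_b.refs = 0;
    cache_dst = &old_dst; bh_disabled = softirq_pending = 0;
    if (use_bh_disable) bh_disabled++;  /* local_bh_disable(); else preempt only */
    cache_set(&dst_a, 0);
    if (use_bh_disable && --bh_disabled == 0 && softirq_pending)
        softirq_reenter();              /* local_bh_enable() runs pending softirqs */
    return old_dst.refs;
}

int main(void)
{
    printf("preempt_disable only: old refs = %d\n", run_output(0));
    printf("local_bh_disable:     old refs = %d\n", run_output(1));
    return 0;
}
```

In the preempt-only run the old entry is released twice and `dst_b` keeps a reference nothing points to; with BH disabled the softirq runs after the update and the counts stay balanced.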
  2. 03 Jun, 2024 1 commit
  3. 01 Jun, 2024 11 commits
  4. 30 May, 2024 14 commits
  5. 29 May, 2024 7 commits
  6. 28 May, 2024 3 commits
    • netfilter: nft_fib: allow from forward/input without iif selector · e8ded22e
      Eric Garver authored
      This removes the restriction of needing iif selector in the
      forward/input hooks for fib lookups when requested result is
      oif/oifname.
      
      Removing this restriction allows "loose" lookups from the forward hooks.
      
      Fixes: be8be04e ("netfilter: nft_fib: reverse path filter for policy-based routing on iif")
      Signed-off-by: Eric Garver <eric@garver.life>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: tproxy: bail out if IP has been disabled on the device · 21a673bd
      Florian Westphal authored
      syzbot reports:
      general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
      KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
      [..]
      RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
      Call Trace:
       nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]
       nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168
      
      __in_dev_get_rcu() can return NULL, so check for this.
      
      Reported-and-tested-by: syzbot+b94a6818504ea90d7661@syzkaller.appspotmail.com
      Fixes: cc6eb433 ("tproxy: use the interface primary IP address as a default value for --on-ip")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_payload: skbuff vlan metadata mangle support · 33c563eb
      Pablo Neira Ayuso authored
      Userspace assumes vlan header is present at a given offset, but vlan
      offload allows to store this in metadata fields of the skbuff. Hence
      mangling vlan results in a garbled packet. Handle this transparently by
      adding a parser to the kernel.
      
      If vlan metadata is present and payload offset is over 12 bytes (source
      and destination mac address fields), then subtract vlan header present
      in vlan metadata, otherwise mangle vlan metadata based on offset and
      length, extracting data from the source register.
      
      This is similar to:
      
        8cfd23e6 ("netfilter: nft_payload: work around vlan header stripping")
      
      to deal with vlan payload mangling.
      
      Fixes: 7ec3f7b4 ("netfilter: nft_payload: add packet mangling support")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>