1. 24 Jan, 2020 19 commits
    • net/mlx5e: kTLS, Fix corner-case checks in TX resync flow · ffbd9ca9
      Tariq Toukan authored
      There are the following cases:
      
      1. Packet ends before start marker: bypass offload.
      2. Packet starts before start marker and ends after it: drop,
         not supported, breaks contract with kernel.
      3. Packet ends before tls record info starts: drop,
         this packet was already acknowledged and its record info
         was released.
      
      Add the above as comment in code.
      
      Mind possible wraparounds of the TCP seq, replace the simple comparison
      with a call to the TCP before() method.
      
      In addition, remove logic that handles negative sync_len values,
      as it became impossible.
      
      Fixes: d2ead1f3 ("net/mlx5e: Add kTLS TX HW offload support")
      Fixes: 46a3ea98 ("net/mlx5e: kTLS, Enhance TX resync flow")
      Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: Boris Pismenny <borisp@mellanox.com>
      Reviewed-by: Boris Pismenny <borisp@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5e: Clear VF config when switching modes · 3b83b6c2
      Dmytro Linkin authored
      Currently VFs in LEGACY mode are not able to go up. Also in OFFLOADS
      mode, when switching to it the first time, a VF can go up independently of
      its representor, which is not expected.
      Perform clearing of VF config when switching modes and set link state
      to AUTO as default value. Also, when switching to OFFLOADS mode set
      link state to DOWN, which allows VF link state to be controlled by its
      REP.
      
      Fixes: 1ab2068a ("net/mlx5: Implement vports admin state backup/restore")
      Fixes: 556b9d16 ("net/mlx5: Clear VF's configuration on disabling SRIOV")
      Signed-off-by: Dmytro Linkin <dmitrolin@mellanox.com>
      Signed-off-by: Roi Dayan <roid@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5: DR, use non preemptible call to get the current cpu number · c0702a4b
      Erez Shitrit authored
      Use raw_smp_processor_id() instead of smp_processor_id(), otherwise we will
      get the following trace in debug-kernel:
      	BUG: using smp_processor_id() in preemptible [00000000] code: devlink
      	caller is dr_create_cq.constprop.2+0x31d/0x970 [mlx5_core]
      	Call Trace:
      	dump_stack+0x9a/0xf0
      	debug_smp_processor_id+0x1f3/0x200
      	dr_create_cq.constprop.2+0x31d/0x970
      	genl_family_rcv_msg+0x5fd/0x1170
      	genl_rcv_msg+0xb8/0x160
      	netlink_rcv_skb+0x11e/0x340
      
      Fixes: 297ccceb ("net/mlx5: DR, Expose an internal API to issue RDMA operations")
      Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5: E-Switch, Prevent ingress rate configuration of uplink rep · e401a184
      Eli Cohen authored
      Since the implementation relies on limiting the VF transmit rate to
      simulate ingress rate limiting, and since either uplink representor or
      ecpf are not associated with a VF, we limit the rate limit configuration
      for those ports.
      
      Fixes: fcb64c0f ("net/mlx5: E-Switch, add ingress rate support")
      Signed-off-by: Eli Cohen <eli@mellanox.com>
      Reviewed-by: Roi Dayan <roid@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5: DR, Enable counter on non-fwd-dest objects · b850a821
      Erez Shitrit authored
      The current code handles only counters that are attached to dest; we still
      have the cases where we have a counter on non-dest, like over drop etc.
      
      Fixes: 6a48faee ("net/mlx5: Add direct rule fs_cmd implementation")
      Signed-off-by: Hamdan Igbaria <hamdani@mellanox.com>
      Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
      Reviewed-by: Alex Vesker <valex@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5: Update the list of the PCI supported devices · 505a7f54
      Meir Lichtinger authored
      Add the upcoming ConnectX-7 device ID.
      
      Fixes: 85327a9c ("net/mlx5: Update the list of the PCI supported devices")
      Signed-off-by: Meir Lichtinger <meirl@mellanox.com>
      Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • net/mlx5: Fix lowest FDB pool size · 93b8a7ec
      Paul Blakey authored
      The pool sizes represent the pool sizes in the fw. When we request
      a pool size from fw, it will return the next possible group.
      We track how many pools the fw has left and start requesting groups
      from the big to the small.
      When we start requesting a 4k group, which doesn't exist in fw, fw
      wants to allocate the next possible size, 64k, but will fail since
      it's exhausted. The correct smallest pool size in fw is 128 and not 4k.
      
      Fixes: e52c2802 ("net/mlx5: E-Switch, Add chains and priorities")
      Signed-off-by: Paul Blakey <paulb@mellanox.com>
      Reviewed-by: Roi Dayan <roid@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    • Merge branch 'netdev-seq_file-next-functions-should-increase-position-index' · 623c8d5c
      David S. Miller authored
      Vasily Averin says:
      
      ====================
      netdev: seq_file .next functions should increase position index
      
      In Aug 2018 NeilBrown noticed
      commit 1f4aace6 ("fs/seq_file.c: simplify seq_file iteration code and interface")
      "Some ->next functions do not increment *pos when they return NULL...
      Note that such ->next functions are buggy and should be fixed.
      A simple demonstration is
      
      dd if=/proc/swaps bs=1000 skip=1
      
      Choose any block size larger than the size of /proc/swaps.  This will
      always show the whole last line of /proc/swaps"
      
      The described problem is still relevant. If you lseek into the middle of the last output line,
      the following read will output the end of the last line and the whole last line once again.
      
      $ dd if=/proc/swaps bs=1  # usual output
      Filename				Type		Size	Used	Priority
      /dev/dm-0                               partition	4194812	97536	-2
      104+0 records in
      104+0 records out
      104 bytes copied
      
      $ dd if=/proc/swaps bs=40 skip=1    # last line was generated twice
      dd: /proc/swaps: cannot skip to specified offset
      v/dm-0                               partition	4194812	97536	-2
      /dev/dm-0                               partition	4194812	97536	-2
      3+1 records in
      3+1 records out
      131 bytes copied
      
      There are a lot of other affected files, I've found 30+ including
      /proc/net/ip_tables_matches and /proc/sysvipc/*
      
      This patch-set fixes files related to netdev@
      
      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6_route_seq_next should increase position index · 4fc427e0
      Vasily Averin authored
      If seq_file .next function does not change position index,
      read after some lseek can generate unexpected output.

      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rt_cpu_seq_next should increase position index · a3ea8673
      Vasily Averin authored
      If seq_file .next function does not change position index,
      read after some lseek can generate unexpected output.

      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • neigh_stat_seq_next() should increase position index · 1e3f9f07
      Vasily Averin authored
      If seq_file .next function does not change position index,
      read after some lseek can generate unexpected output.

      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vcc_seq_next should increase position index · 8bf70920
      Vasily Averin authored
      If seq_file .next function does not change position index,
      read after some lseek can generate unexpected output.

      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2t_seq_next should increase position index · 66018a10
      Vasily Averin authored
      If seq_file .next function does not change position index,
      read after some lseek can generate unexpected output.

      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • seq_tab_next() should increase position index · 70a87287
      Vasily Averin authored
      If seq_file .next function does not change position index,
      read after some lseek can generate unexpected output.

      https://bugzilla.kernel.org/show_bug.cgi?id=206283
      Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: do not leave dangling pointers in tp->highest_sack · 2bec445f
      Eric Dumazet authored
      Latest commit 85369750 ("tcp: Fix highest_sack and highest_sack_seq")
      apparently allowed syzbot to trigger various crashes in TCP stack [1]
      
      I believe this commit only made things easier for syzbot to find
      its way into triggering use-after-frees. But really the bugs
      could lead to bad TCP behavior or even plain crashes even for
      non malicious peers.
      
      I have audited all calls to tcp_rtx_queue_unlink() and
      tcp_rtx_queue_unlink_and_free() and made sure tp->highest_sack would be updated
      if we are removing from rtx queue the skb that tp->highest_sack points to.
      
      These updates were missing in three locations :
      
      1) tcp_clean_rtx_queue() [This one seems quite serious,
                                I have no idea why this was not caught earlier]
      
      2) tcp_rtx_queue_purge() [Probably not a big deal for normal operations]
      
      3) tcp_send_synack()     [Probably not a big deal for normal operations]
      
      [1]
      BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1864 [inline]
      BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1856 [inline]
      BUG: KASAN: use-after-free in tcp_check_sack_reordering+0x33c/0x3a0 net/ipv4/tcp_input.c:891
      Read of size 4 at addr ffff8880a488d068 by task ksoftirqd/1/16
      
      CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
       tcp_highest_sack_seq include/net/tcp.h:1864 [inline]
       tcp_highest_sack_seq include/net/tcp.h:1856 [inline]
       tcp_check_sack_reordering+0x33c/0x3a0 net/ipv4/tcp_input.c:891
       tcp_try_undo_partial net/ipv4/tcp_input.c:2730 [inline]
       tcp_fastretrans_alert+0xf74/0x23f0 net/ipv4/tcp_input.c:2847
       tcp_ack+0x2577/0x5bf0 net/ipv4/tcp_input.c:3710
       tcp_rcv_established+0x6dd/0x1e90 net/ipv4/tcp_input.c:5706
       tcp_v4_do_rcv+0x619/0x8d0 net/ipv4/tcp_ipv4.c:1619
       tcp_v4_rcv+0x307f/0x3b40 net/ipv4/tcp_ipv4.c:2001
       ip_protocol_deliver_rcu+0x5a/0x880 net/ipv4/ip_input.c:204
       ip_local_deliver_finish+0x23b/0x380 net/ipv4/ip_input.c:231
       NF_HOOK include/linux/netfilter.h:307 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:442 [inline]
       ip_rcv_finish+0x1db/0x2f0 net/ipv4/ip_input.c:428
       NF_HOOK include/linux/netfilter.h:307 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:538
       __netif_receive_skb_one_core+0x113/0x1a0 net/core/dev.c:5148
       __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5262
       process_backlog+0x206/0x750 net/core/dev.c:6093
       napi_poll net/core/dev.c:6530 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6598
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       run_ksoftirqd kernel/softirq.c:603 [inline]
       run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
       smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
       kthread+0x361/0x430 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Allocated by task 10091:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc mm/kasan/common.c:513 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
       kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
       slab_post_alloc_hook mm/slab.h:584 [inline]
       slab_alloc_node mm/slab.c:3263 [inline]
       kmem_cache_alloc_node+0x138/0x740 mm/slab.c:3575
       __alloc_skb+0xd5/0x5e0 net/core/skbuff.c:198
       alloc_skb_fclone include/linux/skbuff.h:1099 [inline]
       sk_stream_alloc_skb net/ipv4/tcp.c:875 [inline]
       sk_stream_alloc_skb+0x113/0xc90 net/ipv4/tcp.c:852
       tcp_sendmsg_locked+0xcf9/0x3470 net/ipv4/tcp.c:1282
       tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1432
       inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:672
       __sys_sendto+0x262/0x380 net/socket.c:1998
       __do_sys_sendto net/socket.c:2010 [inline]
       __se_sys_sendto net/socket.c:2006 [inline]
       __x64_sys_sendto+0xe1/0x1a0 net/socket.c:2006
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 10095:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:335 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
       __cache_free mm/slab.c:3426 [inline]
       kmem_cache_free+0x86/0x320 mm/slab.c:3694
       kfree_skbmem+0x178/0x1c0 net/core/skbuff.c:645
       __kfree_skb+0x1e/0x30 net/core/skbuff.c:681
       sk_eat_skb include/net/sock.h:2453 [inline]
       tcp_recvmsg+0x1252/0x2930 net/ipv4/tcp.c:2166
       inet_recvmsg+0x136/0x610 net/ipv4/af_inet.c:838
       sock_recvmsg_nosec net/socket.c:886 [inline]
       sock_recvmsg net/socket.c:904 [inline]
       sock_recvmsg+0xce/0x110 net/socket.c:900
       __sys_recvfrom+0x1ff/0x350 net/socket.c:2055
       __do_sys_recvfrom net/socket.c:2073 [inline]
       __se_sys_recvfrom net/socket.c:2069 [inline]
       __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:2069
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8880a488d040
       which belongs to the cache skbuff_fclone_cache of size 456
      The buggy address is located 40 bytes inside of
       456-byte region [ffff8880a488d040, ffff8880a488d208)
      
      Fixes: 85369750 ("tcp: Fix highest_sack and highest_sack_seq")
      Fixes: 50895b9d ("tcp: highest_sack fix")
      Fixes: 737ff314 ("tcp: use sequence distance to detect reordering")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Cambda Zhu <cambda@linux.alibaba.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Acked-by: Yuchung Cheng <ycheng@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/rose: fix spelling mistake "to" -> "too" · 4d299f18
      Colin Ian King authored
      There is a spelling mistake in a printk message. Fix it.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • caif_usb: fix spelling mistake "to" -> "too" · 43d88774
      Colin Ian King authored
      There is a spelling mistake in a pr_warn message. Fix it.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipvs: fix spelling mistake "to" -> "too" · 971485a0
      Colin Ian King authored
      There is a spelling mistake in an IP_VS_ERR_RL message. Fix it.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • i40e: fix spelling mistake "to" -> "too" · 959b1825
      Colin Ian King authored
      There is a spelling mistake in a hw_dbg message. Fix it.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 23 Jan, 2020 21 commits