* Re: KMSAN: uninit-value in _copy_to_iter (2)
From: Al Viro @ 2018-06-07 17:43 UTC (permalink / raw)
To: Michael S. Tsirkin
Cc: syzbot, avagin, davem, dingtianhong, edumazet, elena.reshetova,
jasowang, kvm, linux-kernel, matthew, mingo, netdev, pabeni,
syzkaller-bugs, virtualization, willemb
In-Reply-To: <20180607183627-mutt-send-email-mst@kernel.org>
On Thu, Jun 07, 2018 at 06:38:48PM +0300, Michael S. Tsirkin wrote:
> #syz test: https://github.com/google/kmsan.git/master d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617
>
> Subject: vhost: fix info leak
>
> Fixes: CVE-2018-1118
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
> index f0be5f35ab28..9beefa6ed1ce 100644
> --- a/drivers/vhost/vhost.c
> +++ b/drivers/vhost/vhost.c
> @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
> struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
> if (!node)
> return NULL;
> +
> + /* Make sure all padding within the structure is initialized. */
> + memset(&node->msg, 0, sizeof node->msg);
Umm... Maybe kzalloc(), then? You have
struct vhost_msg_node {
struct vhost_msg msg;
struct vhost_virtqueue *vq;
struct list_head node;
};
and that's what, 68 bytes in msg, then either 4 bytes pointer or
4 bytes padding + 8 bytes pointer, then two pointers? How much
does explicit partial memset() save you here?
> node->vq = vq;
> node->msg.type = type;
> return node;
^ permalink raw reply
* Re: [PATCH 2/3] net: phy: xgmiitorgmii: Use correct mdio bus
From: Brandon Maier @ 2018-06-07 17:37 UTC (permalink / raw)
To: Andrew Lunn
Cc: netdev, f.fainelli, davem, michal.simek, Clayton Shotwell,
Kristopher Cory, linux-kernel
In-Reply-To: <20180607164920.GC25513@lunn.ch>
On Thu, Jun 7, 2018 at 11:49 AM, Andrew Lunn <andrew@lunn.ch> wrote:
> I think the assumption was they are both on the same bus.
> However, they don't need to be.
That was my assumption as well. We ran into a scenario where they were
on separate buses.
> Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Thanks
^ permalink raw reply
* Re: [PATCH 1/3] net: phy: Check phy_driver ready before accessing
From: Brandon Maier @ 2018-06-07 17:34 UTC (permalink / raw)
To: Andrew Lunn
Cc: netdev, f.fainelli, davem, michal.simek, Clayton Shotwell,
Kristopher Cory, linux-kernel
In-Reply-To: <20180607165227.GD25513@lunn.ch>
On Thu, Jun 7, 2018 at 11:52 AM, Andrew Lunn <andrew@lunn.ch> wrote:
> FYI: net-next is closed at the moment. Please resubmit these in two
> weeks time.
Ah, I didn't see networking/netdev-FAQ.txt. I'll resubmit these then.
> I'm sure there are more issues like this in the code. e.g. there is
> no attempt made to hold a reference to the child phy. So it could be
> unbound. priv->phy_drv->read_status(phydev) is then going to do bad
> things.
>
Agreed. Another thing that looks suspicious to me is the driver
overrides the private data of the device it's attaching too, in the
`priv->phy_dev->priv = priv` bit. Seems like that could cause all
sorts of driver corruption problems.
But fixing that is going to require more drastic changes to how this
driver works. So it'd be worth applying this patch in the mean time.
^ permalink raw reply
* Re: KMSAN: uninit-value in ebt_stp_mt_check (2)
From: Dmitry Vyukov @ 2018-06-07 17:34 UTC (permalink / raw)
To: syzbot
Cc: bridge, coreteam, David Miller, Florian Westphal,
Jozsef Kadlecsik, LKML, netdev, netfilter-devel,
Pablo Neira Ayuso, stephen hemminger, syzkaller-bugs
In-Reply-To: <0000000000009a3b5b056e109e42@google.com>
On Thu, Jun 7, 2018 at 7:29 PM, syzbot
<syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: c6a6aed994b6 kmsan: remove dead code to trigger syzbot build
> git tree: https://github.com/google/kmsan.git/master
> console output: https://syzkaller.appspot.com/x/log.txt?x=17bde74f800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
> dashboard link: https://syzkaller.appspot.com/bug?extid=da4494182233c23a5fcf
> compiler: clang version 7.0.0 (trunk 334104)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com
Hi Stephen,
This strikes again.
The first part of the check is par->nft_compat. I don't see where
ebt_check_entry initializes it. Should it? Or matches should not look at it?
> ==================================================================
> BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450
> net/bridge/netfilter/ebt_stp.c:162
> CPU: 0 PID: 12006 Comm: syz-executor7 Not tainted 4.17.0+ #3
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x185/0x1d0 lib/dump_stack.c:113
> kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
> __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:620
> ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
> xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
> ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
> ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
> translate_table+0x4e88/0x6120 net/bridge/netfilter/ebtables.c:943
> do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:999
> do_replace+0x719/0x780 net/bridge/netfilter/ebtables.c:1138
> do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1517
> nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
> nf_setsockopt+0x47c/0x4e0 net/netfilter/nf_sockopt.c:115
> ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1251
> udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2416
> sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3039
> __sys_setsockopt+0x496/0x540 net/socket.c:1903
> __do_sys_setsockopt net/socket.c:1914 [inline]
> __se_sys_setsockopt net/socket.c:1911 [inline]
> __x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
> do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x4559f9
> RSP: 002b:00007f45b9246c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
> RAX: ffffffffffffffda RBX: 00007f45b92476d4 RCX: 00000000004559f9
> RDX: 0000000000000080 RSI: 0000000000000000 RDI: 0000000000000014
> RBP: 000000000072bea0 R08: 0000000000000300 R09: 0000000000000000
> R10: 0000000020000480 R11: 0000000000000246 R12: 00000000ffffffff
> R13: 00000000004c0d6d R14: 00000000004d07c8 R15: 0000000000000000
>
> Local variable description: ----mtpar.i@translate_table
> Variable was created at:
> translate_table+0xbb/0x6120 net/bridge/netfilter/ebtables.c:831
> do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:999
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/0000000000009a3b5b056e109e42%40google.com.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply
* Re: KMSAN: uninit-value in _copy_to_iter (2)
From: syzbot @ 2018-06-07 17:31 UTC (permalink / raw)
To: avagin, davem, dingtianhong, edumazet, elena.reshetova, jasowang,
kvm, linux-kernel, matthew, mingo, mst, netdev, pabeni,
syzkaller-bugs, viro, virtualization, willemb
In-Reply-To: <20180607183629-mutt-send-email-mst@kernel.org>
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger
crash:
Reported-and-tested-by:
syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
Tested on:
commit: c6a6aed994b6 kmsan: remove dead code to trigger syzbot build
git tree: https://github.com/google/kmsan.git/master
kernel config: https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
compiler: clang version 7.0.0 (trunk 334104)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1119eddf800000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply
* [PATCH net-next] bpfilter: fix OUTPUT_FORMAT
From: Alexei Starovoitov @ 2018-06-07 17:29 UTC (permalink / raw)
To: David S . Miller; +Cc: daniel, netdev, kernel-team
From: Alexei Starovoitov <ast@fb.com>
CONFIG_OUTPUT_FORMAT is x86 only macro.
Used objdump to extract elf file format.
Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module")
Reported-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
net/bpfilter/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile
index aafa72001fcd..e0bbe7583e58 100644
--- a/net/bpfilter/Makefile
+++ b/net/bpfilter/Makefile
@@ -21,7 +21,7 @@ endif
# which bpfilter_kern.c passes further into umh blob loader at run-time
quiet_cmd_copy_umh = GEN $@
cmd_copy_umh = echo ':' > $(obj)/.bpfilter_umh.o.cmd; \
- $(OBJCOPY) -I binary -O $(CONFIG_OUTPUT_FORMAT) \
+ $(OBJCOPY) -I binary -O `$(OBJDUMP) -f $<|grep format|cut -d' ' -f8` \
-B `$(OBJDUMP) -f $<|grep architecture|cut -d, -f1|cut -d' ' -f2` \
--rename-section .data=.init.rodata $< $@
--
2.9.5
^ permalink raw reply related
* KMSAN: uninit-value in ebt_stp_mt_check (2)
From: syzbot @ 2018-06-07 17:29 UTC (permalink / raw)
To: bridge, coreteam, davem, fw, kadlec, linux-kernel, netdev,
netfilter-devel, pablo, stephen, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: c6a6aed994b6 kmsan: remove dead code to trigger syzbot build
git tree: https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=17bde74f800000
kernel config: https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
dashboard link: https://syzkaller.appspot.com/bug?extid=da4494182233c23a5fcf
compiler: clang version 7.0.0 (trunk 334104)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com
==================================================================
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450
net/bridge/netfilter/ebt_stp.c:162
CPU: 0 PID: 12006 Comm: syz-executor7 Not tainted 4.17.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113
kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
__msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:620
ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
translate_table+0x4e88/0x6120 net/bridge/netfilter/ebtables.c:943
do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:999
do_replace+0x719/0x780 net/bridge/netfilter/ebtables.c:1138
do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1517
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x47c/0x4e0 net/netfilter/nf_sockopt.c:115
ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1251
udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2416
sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3039
__sys_setsockopt+0x496/0x540 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4559f9
RSP: 002b:00007f45b9246c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f45b92476d4 RCX: 00000000004559f9
RDX: 0000000000000080 RSI: 0000000000000000 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000300 R09: 0000000000000000
R10: 0000000020000480 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004c0d6d R14: 00000000004d07c8 R15: 0000000000000000
Local variable description: ----mtpar.i@translate_table
Variable was created at:
translate_table+0xbb/0x6120 net/bridge/netfilter/ebtables.c:831
do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:999
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
^ permalink raw reply
* [PATCH net-next] umh: fix race condition
From: Alexei Starovoitov @ 2018-06-07 17:23 UTC (permalink / raw)
To: David S . Miller
Cc: daniel, mcgrof, netdev, dvyukov, linux-kernel, kernel-team
kasan reported use-after-free:
BUG: KASAN: use-after-free in call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
Write of size 4 at addr ffff8801d9202370 by task kworker/u4:2/50
Workqueue: events_unbound call_usermodehelper_exec_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
kthread+0x345/0x410 kernel/kthread.c:240
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
The reason is that 'sub_info' cannot be accessed out of parent task
context, since it will be freed by the child.
Instead remember the pid in the child task.
Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper")
Reported-by: syzbot+2c73319c406f1987d156@syzkaller.appspotmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
kernel/umh.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/umh.c b/kernel/umh.c
index 30db93fd7e39..c449858946af 100644
--- a/kernel/umh.c
+++ b/kernel/umh.c
@@ -99,6 +99,7 @@ static int call_usermodehelper_exec_async(void *data)
commit_creds(new);
+ sub_info->pid = task_pid_nr(current);
if (sub_info->file)
retval = do_execve_file(sub_info->file,
sub_info->argv, sub_info->envp);
@@ -191,8 +192,6 @@ static void call_usermodehelper_exec_work(struct work_struct *work)
if (pid < 0) {
sub_info->retval = pid;
umh_complete(sub_info);
- } else {
- sub_info->pid = pid;
}
}
}
--
2.9.5
^ permalink raw reply related
* Re: [PATCH net] failover: eliminate callback hell
From: Michael S. Tsirkin @ 2018-06-07 17:22 UTC (permalink / raw)
To: Stephen Hemminger
Cc: Alexander Duyck, Samudrala, Sridhar, Jiri Pirko, KY Srinivasan,
Haiyang Zhang, David Miller, Netdev, Stephen Hemminger
In-Reply-To: <20180607091742.461dff83@xeon-e3>
On Thu, Jun 07, 2018 at 09:17:42AM -0700, Stephen Hemminger wrote:
> On Thu, 7 Jun 2018 18:41:31 +0300
> "Michael S. Tsirkin" <mst@redhat.com> wrote:
>
> > > > Why would DPDK care what we do in the kernel? Isn't it just slapping
> > > > vfio-pci on the netdevs it sees?
> > >
> > > Alex, you are correct for Intel devices; but DPDK on Azure is not Intel based.,.
> > > The DPDK support uses:
> > > * Mellanox MLX5 which uses the Infinband hooks to do DMA directly to
> > > userspace. This means VF netdev device must exist and be visible.
> > > * Slow path using kernel netvsc device, TAP and BPF to get exception
> > > path packets to userspace.
> > > * A autodiscovery mechanism that to set all this up that relies on
> > > 2 device model and sysfs.
> >
> > Could you describe what does it look for exactly? What will break if
> > instead of MLX5 being a child of the PV, it's a child of the failover
> > device?
>
> So in DPDK there is an internal four device model:
> 1. failsafe is like failover in your model
> 2. TAP is used like netvsc in kernel
> 3. MLX5 is the VF
> 4. vdev_netvsc is a pseudo device whose only reason to exist
> is to glue everything together.
>
> Digging deeper inside...
>
> Vdev_netvsc does:
> * driver is started in a convuluted way off device arguments
> * probe routine for driver runs
> - scans list of kernel interfaces in sysfs
> - matches those using VMBUS
Could you tell a bit more what does this step entail?
> - skip netvsc devices that have an IPV4 route
> * scan for PCI devices that have same MAC address as kernel netvsc
> devices discovered in previous step
> * add these interfaces to arguments to failsafe
>
> Then failsafe configures based on arguments on device
>
> The code works but is specific to the Azure hardware model, and exposes lots
> of things to application that it should not have to care about.
>
> If you try and walk through this code in DPDK, you will see why I have developed
> a dislike for high levels of indirection.
>
>
>
Thanks that was helpful! I'll try to poke at it next week. Just from
the description it seems the kernel is merely used to locate the MAC
address through sysfs and that for this DPDK code to keep working the
hidden device must be hidden from it in sysfs - is that a fair summary?
--
MST
^ permalink raw reply
* Re: [RFC PATCH 1/2] net: macb: Add CAP to disable hardware TX checksum offloading
From: Jennifer Dahm @ 2018-06-07 16:43 UTC (permalink / raw)
To: Nicolas Ferre, netdev, David S . Miller; +Cc: Nathan Sullivan
In-Reply-To: <ad25fd2b-a3a0-28d5-4dd1-a7ccc935fff2@microchip.com>
Hi Nicolas,
On 06/04/2018 10:13 AM, Nicolas Ferre wrote:
> On 25/05/2018 at 23:44, Jennifer Dahm wrote:
>> diff --git a/drivers/net/ethernet/cadence/macb_main.c
>> b/drivers/net/ethernet/cadence/macb_main.c
>> index 3e93df5..a5d564b 100644
>> --- a/drivers/net/ethernet/cadence/macb_main.c
>> +++ b/drivers/net/ethernet/cadence/macb_main.c
>> @@ -3360,8 +3360,12 @@ static int macb_init(struct platform_device
>> *pdev)
>> dev->hw_features |= MACB_NETIF_LSO;
>> /* Checksum offload is only available on gem with packet
>> buffer */
>> - if (macb_is_gem(bp) && !(bp->caps & MACB_CAPS_FIFO_MODE))
>> - dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_RXCSUM;
>> + if (macb_is_gem(bp) && !(bp->caps & MACB_CAPS_FIFO_MODE)) {
>> + if (!(bp->caps & MACB_CAPS_DISABLE_TX_HW_CSUM))
>
> Why not the other way around? negating a "disabled" feature is always
> challenge ;-)
>
>> + dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_RXCSUM;
>> + else
>> + dev->hw_features |= NETIF_F_RXCSUM;
>> + }
>> if (bp->caps & MACB_CAPS_SG_DISABLED)
>> dev->hw_features &= ~NETIF_F_SG;
>> dev->features = dev->hw_features;
I can switch the ordering of the if-else clauses if that's what you're
nitpicking. ;)
Alternatively, if you're asking why the flag is used to disable rather
than enable checksum offloading: I was working under the assumption that
this was an isolated bug, and so an opt-out would require less
maintainance than an opt-in. If we discover that this is a problem
across a wide variety of Cadence IP, it would definitely make sense to
replace it with an opt-in (i.e. MACB_CAPS_TX_HW_CSUM_ENABLED).
Best,
Jennifer Dahm
^ permalink raw reply
* Re: KMSAN: uninit-value in _copy_to_iter (2)
From: Michael S. Tsirkin @ 2018-06-07 17:10 UTC (permalink / raw)
To: syzbot
Cc: avagin, davem, dingtianhong, edumazet, elena.reshetova, jasowang,
kvm, linux-kernel, matthew, mingo, netdev, pabeni, syzkaller-bugs,
viro, virtualization, willemb
In-Reply-To: <000000000000cf4578056ab12452@google.com>
#syz test: https://github.com/google/kmsan.git master
Subject: vhost: fix info leak
Fixes: CVE-2018-1118
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index f0be5f35ab28..9beefa6ed1ce 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
if (!node)
return NULL;
+
+ /* Make sure all padding within the structure is initialized. */
+ memset(&node->msg, 0, sizeof node->msg);
node->vq = vq;
node->msg.type = type;
return node;
^ permalink raw reply related
* Re: KMSAN: uninit-value in _copy_to_iter (2)
From: syzbot @ 2018-06-07 17:04 UTC (permalink / raw)
To: avagin, davem, dingtianhong, dvyukov, edumazet, elena.reshetova,
jasowang, kvm, linux-kernel, matthew, mingo, mst, netdev, pabeni,
syzkaller-bugs, viro, virtualization, willemb
In-Reply-To: <CACT4Y+btyLi+z09EO0JU-7AS_OfRbWiZvGn-KP9fndevh+xFNw@mail.gmail.com>
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger
crash:
Reported-and-tested-by:
syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
Tested on:
commit: c6a6aed994b6 kmsan: remove dead code to trigger syzbot build
git tree: https://github.com/google/kmsan.git/master
kernel config: https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
compiler: clang version 7.0.0 (trunk 334104)
patch: https://syzkaller.appspot.com/x/patch.diff?x=17dc3a8f800000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply
* Re: KASAN: use-after-free Write in bpf_tcp_close
From: Dmitry Vyukov @ 2018-06-07 16:58 UTC (permalink / raw)
To: Daniel Borkmann
Cc: syzbot, Alexei Starovoitov, LKML, netdev, syzkaller-bugs,
John Fastabend
In-Reply-To: <ca3eff64-adb0-6110-38ca-2e07b6ecc3d6@iogearbox.net>
On Mon, May 28, 2018 at 12:15 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
> [ +John ]
>
> On 05/27/2018 10:06 PM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: ff4fb475cea8 Merge branch 'btf-uapi-cleanups'
>> git tree: bpf-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=12b3d577800000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
>> dashboard link: https://syzkaller.appspot.com/bug?extid=31025a5f3f7650081204
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=109a2f37800000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171a727b800000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+31025a5f3f7650081204@syzkaller.appspotmail.com
>
> Should be fixed by: https://patchwork.ozlabs.org/patch/920695/
#syz fix: bpf: sockhash fix race with bpf_tcp_close and map delete
>> ==================================================================
>> BUG: KASAN: use-after-free in cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
>> BUG: KASAN: use-after-free in bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
>> Write of size 8 at addr ffff8801ca277680 by task syz-executor749/9723
>>
>> CPU: 0 PID: 9723 Comm: syz-executor749 Not tainted 4.17.0-rc4+ #19
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x1b9/0x294 lib/dump_stack.c:113
>> print_address_description+0x6c/0x20b mm/kasan/report.c:256
>> kasan_report_error mm/kasan/report.c:354 [inline]
>> kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
>> check_memory_region_inline mm/kasan/kasan.c:260 [inline]
>> check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
>> kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
>> cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
>> bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
>> inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
>> inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
>> sock_release+0x96/0x1b0 net/socket.c:594
>> sock_close+0x16/0x20 net/socket.c:1149
>> __fput+0x34d/0x890 fs/file_table.c:209
>> ____fput+0x15/0x20 fs/file_table.c:243
>> task_work_run+0x1e4/0x290 kernel/task_work.c:113
>> exit_task_work include/linux/task_work.h:22 [inline]
>> do_exit+0x1aee/0x2730 kernel/exit.c:865
>> do_group_exit+0x16f/0x430 kernel/exit.c:968
>> __do_sys_exit_group kernel/exit.c:979 [inline]
>> __se_sys_exit_group kernel/exit.c:977 [inline]
>> __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
>> do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x440a59
>> RSP: 002b:00007ffdadf92488 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440a59
>> RDX: 0000000000440a59 RSI: 0000000000000020 RDI: 0000000000000000
>> RBP: 0000000000000000 R08: 00000000004002c8 R09: 0000000000401ea0
>> R10: 00000000004002c8 R11: 0000000000000206 R12: 000000000001b5ac
>> R13: 0000000000401ea0 R14: 0000000000000000 R15: 0000000000000000
>>
>> Allocated by task 9723:
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>> set_track mm/kasan/kasan.c:460 [inline]
>> kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
>> __do_kmalloc_node mm/slab.c:3682 [inline]
>> __kmalloc_node+0x47/0x70 mm/slab.c:3689
>> kmalloc_node include/linux/slab.h:554 [inline]
>> bpf_map_area_alloc+0x3f/0x90 kernel/bpf/syscall.c:144
>> sock_map_alloc+0x376/0x410 kernel/bpf/sockmap.c:1555
>> find_and_alloc_map kernel/bpf/syscall.c:126 [inline]
>> map_create+0x393/0x1010 kernel/bpf/syscall.c:448
>> __do_sys_bpf kernel/bpf/syscall.c:2128 [inline]
>> __se_sys_bpf kernel/bpf/syscall.c:2105 [inline]
>> __x64_sys_bpf+0x300/0x4f0 kernel/bpf/syscall.c:2105
>> do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Freed by task 4521:
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>> set_track mm/kasan/kasan.c:460 [inline]
>> __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
>> kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
>> __cache_free mm/slab.c:3498 [inline]
>> kfree+0xd9/0x260 mm/slab.c:3813
>> kvfree+0x61/0x70 mm/util.c:440
>> bpf_map_area_free+0x15/0x20 kernel/bpf/syscall.c:155
>> sock_map_remove_complete kernel/bpf/sockmap.c:1443 [inline]
>> sock_map_free+0x408/0x540 kernel/bpf/sockmap.c:1619
>> bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:259
>> process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
>> worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
>> kthread+0x345/0x410 kernel/kthread.c:238
>> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
>>
>> The buggy address belongs to the object at ffff8801ca277680
>> which belongs to the cache kmalloc-1024 of size 1024
>> The buggy address is located 0 bytes inside of
>> 1024-byte region [ffff8801ca277680, ffff8801ca277a80)
>> The buggy address belongs to the page:
>> page:ffffea0007289d80 count:1 mapcount:0 mapping:ffff8801ca276000 index:0x0 compound_mapcount: 0
>> flags: 0x2fffc0000008100(slab|head)
>> raw: 02fffc0000008100 ffff8801ca276000 0000000000000000 0000000100000007
>> raw: ffffea0006d12b20 ffffea000763bba0 ffff8801da800ac0 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff8801ca277580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff8801ca277600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff8801ca277680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ^
>> ffff8801ca277700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8801ca277780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
>> syzbot can test patches for this bug, for details see:
>> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/ca3eff64-adb0-6110-38ca-2e07b6ecc3d6%40iogearbox.net.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply
* Re: general protection fault in bpf_tcp_close
From: Dmitry Vyukov @ 2018-06-07 16:58 UTC (permalink / raw)
To: Daniel Borkmann
Cc: syzbot, Alexei Starovoitov, LKML, netdev, syzkaller-bugs,
John Fastabend
In-Reply-To: <7257c52b-7632-e313-6e80-a4bc1f8a6bf0@iogearbox.net>
On Mon, May 28, 2018 at 12:15 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
> [ +John ]
>
> On 05/26/2018 11:13 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: fd0bfa8d6e04 Merge branch 'bpf-af-xdp-cleanups'
>> git tree: bpf-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=11da9427800000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
>> dashboard link: https://syzkaller.appspot.com/bug?extid=0ce137753c78f7b6acc1
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>>
>> Unfortunately, I don't have any reproducer for this crash yet.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+0ce137753c78f7b6acc1@syzkaller.appspotmail.com
>
> Should be fixed by: https://patchwork.ozlabs.org/patch/920695/
#syz fix: bpf: sockhash fix race with bpf_tcp_close and map delete
>> kasan: CONFIG_KASAN_INLINE enabled
>> kasan: GPF could be caused by NULL-ptr deref or user memory access
>> general protection fault: 0000 [#1] SMP KASAN
>> Dumping ftrace buffer:
>> (ftrace buffer empty)
>> Modules linked in:
>> CPU: 0 PID: 12139 Comm: syz-executor2 Not tainted 4.17.0-rc4+ #17
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> RIP: 0010:__hlist_del include/linux/list.h:649 [inline]
>> RIP: 0010:hlist_del_rcu include/linux/rculist.h:427 [inline]
>> RIP: 0010:bpf_tcp_close+0x7d2/0xf80 kernel/bpf/sockmap.c:271
>> RSP: 0018:ffff8801a8f8ef70 EFLAGS: 00010a02
>> RAX: ffffed00351f1dfd RBX: dffffc0000000000 RCX: dead000000000200
>> RDX: 0000000000000000 RSI: 1bd5a00000000040 RDI: ffff8801cb710910
>> RBP: ffff8801a8f8f110 R08: ffffed003350ac9d R09: ffffed003350ac9c
>> R10: ffffed003350ac9c R11: ffff88019a8564e3 R12: ffff8801cb710380
>> R13: ffff8801b17ea6e0 R14: ffff8801cb710398 R15: ffff8801cb710900
>> FS: 00007f9890c43700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007fde1a668000 CR3: 000000019dca2000 CR4: 00000000001406f0
>> DR0: 00000000200001c0 DR1: 00000000200001c0 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
>> Call Trace:
>> inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
>> inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
>> sock_release+0x96/0x1b0 net/socket.c:594
>> sock_close+0x16/0x20 net/socket.c:1149
>> __fput+0x34d/0x890 fs/file_table.c:209
>> ____fput+0x15/0x20 fs/file_table.c:243
>> task_work_run+0x1e4/0x290 kernel/task_work.c:113
>> exit_task_work include/linux/task_work.h:22 [inline]
>> do_exit+0x1aee/0x2730 kernel/exit.c:865
>> do_group_exit+0x16f/0x430 kernel/exit.c:968
>> get_signal+0x886/0x1960 kernel/signal.c:2469
>> do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
>> exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
>> prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
>> syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
>> do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x455a09
>> RSP: 002b:00007f9890c42ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
>> RAX: fffffffffffffe00 RBX: 000000000072bec8 RCX: 0000000000455a09
>> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bec8
>> RBP: 000000000072bec8 R08: 0000000000000000 R09: 000000000072bea0
>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
>> R13: 00007ffcb48ac3ff R14: 00007f9890c439c0 R15: 0000000000000000
>> Code: ff 48 c1 e9 03 80 3c 19 00 0f 85 a9 05 00 00 49 8b 4f 18 48 8b 85 98 fe ff ff 48 89 ce c6 00 00 48 c1 ee 03 48 89 95 d8 fe ff ff <80> 3c 1e 00 0f 85 c6 05 00 00 48 8b 85 98 fe ff ff 48 85 d2 48
>> RIP: __hlist_del include/linux/list.h:649 [inline] RSP: ffff8801a8f8ef70
>> RIP: hlist_del_rcu include/linux/rculist.h:427 [inline] RSP: ffff8801a8f8ef70
>> RIP: bpf_tcp_close+0x7d2/0xf80 kernel/bpf/sockmap.c:271 RSP: ffff8801a8f8ef70
>> ---[ end trace e81227e93c7e7b75 ]---
>>
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/7257c52b-7632-e313-6e80-a4bc1f8a6bf0%40iogearbox.net.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply
* Re: [PATCH 1/3] net: phy: Check phy_driver ready before accessing
From: Andrew Lunn @ 2018-06-07 16:54 UTC (permalink / raw)
To: Brandon Maier
Cc: netdev, f.fainelli, davem, michal.simek, clayton.shotwell,
kristopher.cory, linux-kernel
In-Reply-To: <20180607155348.149665-1-brandon.maier@rockwellcollins.com>
On Thu, Jun 07, 2018 at 10:53:46AM -0500, Brandon Maier wrote:
> Since a phy_device is added to the global mdio_bus list during
> phy_device_register(), but a phy_device's phy_driver doesn't get
> attached until phy_probe(). It's possible of_phy_find_device() in
> xgmiitorgmii will return a valid phy with a NULL phy_driver. Leading to
> a NULL pointer access during the memcpy().
Hi Brandon
FYI: net-next is closed at the moment. Please resubmit these in two
weeks time.
Andrew
^ permalink raw reply
* Re: [PATCH 1/3] net: phy: Check phy_driver ready before accessing
From: Andrew Lunn @ 2018-06-07 16:52 UTC (permalink / raw)
To: Brandon Maier
Cc: netdev, f.fainelli, davem, michal.simek, clayton.shotwell,
kristopher.cory, linux-kernel
In-Reply-To: <20180607155348.149665-1-brandon.maier@rockwellcollins.com>
On Thu, Jun 07, 2018 at 10:53:46AM -0500, Brandon Maier wrote:
> Since a phy_device is added to the global mdio_bus list during
> phy_device_register(), but a phy_device's phy_driver doesn't get
> attached until phy_probe(). It's possible of_phy_find_device() in
> xgmiitorgmii will return a valid phy with a NULL phy_driver. Leading to
> a NULL pointer access during the memcpy().
I'm sure there are more issues like this in the code. e.g. there is
no attempt made to hold a reference to the child phy. So it could be
unbound. priv->phy_drv->read_status(phydev) is then going to do bad
things.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Andrew
^ permalink raw reply
* Re: [PATCH 2/3] net: phy: xgmiitorgmii: Use correct mdio bus
From: Andrew Lunn @ 2018-06-07 16:49 UTC (permalink / raw)
To: Brandon Maier
Cc: netdev, f.fainelli, davem, michal.simek, clayton.shotwell,
kristopher.cory, linux-kernel
In-Reply-To: <20180607155348.149665-2-brandon.maier@rockwellcollins.com>
On Thu, Jun 07, 2018 at 10:53:47AM -0500, Brandon Maier wrote:
> The xgmiitorgmii is using the mii_bus of the device it's attached too,
> instead of the bus it was given during probe.
Hi Brandon
I think the assumption was they are both on the same bus.
However, they don't need to be.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Andrew
^ permalink raw reply
* Re: [PATCH 3/3] net: phy: xgmiitorgmii: Check read_status results
From: Andrew Lunn @ 2018-06-07 16:43 UTC (permalink / raw)
To: Brandon Maier
Cc: netdev, f.fainelli, davem, michal.simek, clayton.shotwell,
kristopher.cory, linux-kernel
In-Reply-To: <20180607155348.149665-3-brandon.maier@rockwellcollins.com>
On Thu, Jun 07, 2018 at 10:53:48AM -0500, Brandon Maier wrote:
> We're ignoring the result of the attached phy device's read_status().
> Return it so we can detect errors.
>
> Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Andrew
^ permalink raw reply
* Re: [PATCH] xsk: Fix umem fill/completion queue mmap on 32-bit
From: Björn Töpel @ 2018-06-07 16:34 UTC (permalink / raw)
To: geert
Cc: David Miller, Björn Töpel, Karlsson, Magnus, ast,
Arnd Bergmann, akpm, Netdev, linux-mm, LKML
In-Reply-To: <1528378654-1484-1-git-send-email-geert@linux-m68k.org>
Den tors 7 juni 2018 kl 15:37 skrev Geert Uytterhoeven <geert@linux-m68k.org>:
>
> With gcc-4.1.2 on 32-bit:
>
> net/xdp/xsk.c:663: warning: integer constant is too large for ‘long’ type
> net/xdp/xsk.c:665: warning: integer constant is too large for ‘long’ type
>
> Add the missing "ULL" suffixes to the large XDP_UMEM_PGOFF_*_RING values
> to fix this.
>
> net/xdp/xsk.c:663: warning: comparison is always false due to limited range of data type
> net/xdp/xsk.c:665: warning: comparison is always false due to limited range of data type
>
> "unsigned long" is 32-bit on 32-bit systems, hence the offset is
> truncated, and can never be equal to any of the XDP_UMEM_PGOFF_*_RING
> values. Use loff_t (and the required cast) to fix this.
>
> Fixes: 423f38329d267969 ("xsk: add umem fill queue support and mmap")
> Fixes: fe2308328cd2f26e ("xsk: add umem completion queue support and mmap")
> Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
> ---
> Compile-tested only.
> ---
> include/uapi/linux/if_xdp.h | 4 ++--
> net/xdp/xsk.c | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/include/uapi/linux/if_xdp.h b/include/uapi/linux/if_xdp.h
> index 1fa0e977ea8d0224..caed8b1614ffc0aa 100644
> --- a/include/uapi/linux/if_xdp.h
> +++ b/include/uapi/linux/if_xdp.h
> @@ -63,8 +63,8 @@ struct xdp_statistics {
> /* Pgoff for mmaping the rings */
> #define XDP_PGOFF_RX_RING 0
> #define XDP_PGOFF_TX_RING 0x80000000
> -#define XDP_UMEM_PGOFF_FILL_RING 0x100000000
> -#define XDP_UMEM_PGOFF_COMPLETION_RING 0x180000000
> +#define XDP_UMEM_PGOFF_FILL_RING 0x100000000ULL
> +#define XDP_UMEM_PGOFF_COMPLETION_RING 0x180000000ULL
>
> /* Rx/Tx descriptor */
> struct xdp_desc {
> diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> index c6ed2454f7ce55e8..36919a254ba370c3 100644
> --- a/net/xdp/xsk.c
> +++ b/net/xdp/xsk.c
> @@ -643,7 +643,7 @@ static int xsk_getsockopt(struct socket *sock, int level, int optname,
> static int xsk_mmap(struct file *file, struct socket *sock,
> struct vm_area_struct *vma)
> {
> - unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> + loff_t offset = (loff_t)vma->vm_pgoff << PAGE_SHIFT;
> unsigned long size = vma->vm_end - vma->vm_start;
> struct xdp_sock *xs = xdp_sk(sock->sk);
> struct xsk_queue *q = NULL;
> --
> 2.7.4
>
Thanks Geert!
Acked-by: Björn Töpel <bjorn.topel@intel.com>
^ permalink raw reply
* Re: nfp: bpf: perf event output helpers support
From: Jakub Kicinski @ 2018-06-07 16:33 UTC (permalink / raw)
To: Kees Cook; +Cc: Quentin Monnet, Daniel Borkmann, Network Development, LKML
In-Reply-To: <CAGXu5jJq774LZY1xUCKxG3Z4MkJ_JBJP7veB5gUCy4meb_PtSA@mail.gmail.com>
On Wed, 6 Jun 2018 22:15:04 -0700, Kees Cook wrote:
> > + rcu_read_lock();
> > + if (!rhashtable_lookup_fast(&bpf->maps_neutral, &map,
> > + nfp_bpf_maps_neutral_params)) {
> > + rcu_read_unlock();
> > + pr_warn("perf event: dest map pointer %px not recognized, dropping event\n",
> > + map);
>
> Please don't use %px on kernel pointers unless you absolutely have
> to[1]. It seems like this value wouldn't be actionable here, so likely
> it's best to just remove its use entirely.
We're using kernel pointer as an opaque handle when communicating with
the device. We need the actual value to correlate things. Maybe I used
the %px slightly out of spite there, because I forgot %p is now useless
and wasted half an hour on debugging an endian issue :S
This message can only really trigger when root loads a specific BPF map
onto the device and FW is buggy. Can I fix it in -next? I'm making
changes to this part of the code anyway.
^ permalink raw reply
* Re: [PATCH] net-fq: Add WARN_ON check for null flow.
From: Ben Greear @ 2018-06-07 16:33 UTC (permalink / raw)
To: Eric Dumazet, netdev
In-Reply-To: <577ce32e-cbee-c5d8-da12-81075e924b23@gmail.com>
On 06/07/2018 09:17 AM, Eric Dumazet wrote:
>
>
> On 06/07/2018 09:06 AM, greearb@candelatech.com wrote:
>> From: Ben Greear <greearb@candelatech.com>
>>
>> While testing an ath10k firmware that often crashed under load,
>> I was seeing kernel crashes as well. One of them appeared to
>> be a dereference of a NULL flow object in fq_tin_dequeue.
>>
>> I have since fixed the firmware flaw, but I think it would be
>> worth adding the WARN_ON in case the problem appears again.
>>
>> common_interrupt+0xf/0xf
>> </IRQ>
>>
>
> Please find the exact commit that brought this bug,
> and add a corresponding Fixes: tag
It will be a total pain to bisect this problem since my test
case that causes this is running my modified firmware (and a buggy one at that),
modified ath10k driver (to work with this firmware and support my test case easily),
and the failure case appears to cause multiple different-but-probably-related
crashes and often hangs or reboots the test system.
Probably this is all caused by some nasty race or buggy logic related to
dealing with a crashed ath10k firmware tearing down txq logic from the
bottom up. There have been many such bugs in the past, I and others fixed a few,
and very likely more remain.
For what it is worth, I didn't see this crash in 4.13, and I spent some time
testing buggy firmware there occasionally.
If someone else has interest in debugging the ath10k driver, I will be happy to generate
a mostly-stock firmware image with ability to crash in the TX path and give it to them.
It will crash the stock upstream code reliably in my experience.
Thanks,
Ben
>
>> Signed-off-by: Ben Greear <greearb@candelatech.com>
>> ---
>> include/net/fq_impl.h | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/include/net/fq_impl.h b/include/net/fq_impl.h
>> index be7c0fa..e40354d 100644
>> --- a/include/net/fq_impl.h
>> +++ b/include/net/fq_impl.h
>> @@ -80,6 +80,9 @@ static struct sk_buff *fq_tin_dequeue(struct fq *fq,
>>
>> flow = list_first_entry(head, struct fq_flow, flowchain);
>>
>> + if (WARN_ON_ONCE(!flow))
>> + return NULL;
>> +
>> if (flow->deficit <= 0) {
>> flow->deficit += fq->quantum;
>> list_move_tail(&flow->flowchain,
>>
>
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
^ permalink raw reply
* Re: [PATCH net] net: ipv6: ip6_output: alloc skb with tailroom
From: Willem de Bruijn @ 2018-06-07 16:28 UTC (permalink / raw)
To: Alexander Aring
Cc: David Miller, Network Development, Hideaki YOSHIFUJI, david.palma,
rabi narayan sahoo, Jamal Hadi Salim, stefan, linux-wpan, kernel,
sd
In-Reply-To: <20180607162233.hepodtvuo7ictel2@x220t>
On Thu, Jun 7, 2018 at 12:22 PM, Alexander Aring <aring@mojatatu.com> wrote:
> Hi,
>
> On Wed, Jun 06, 2018 at 04:26:19PM -0400, Willem de Bruijn wrote:
>> On Wed, Jun 6, 2018 at 2:11 PM, David Miller <davem@davemloft.net> wrote:
>> > From: Alexander Aring <aring@mojatatu.com>
>> > Date: Wed, 6 Jun 2018 14:09:20 -0400
>> >
>> >> okay, then you want to have this patch for net-next? As an optimization?
>> >>
>> >> Of course, when it's open again.
>> >
>> > Like you, I have questions about where this adjustment is applied and
>> > why. So I'm not sure yet.
>> >
>> > For example, only IPV6 really takes it into consideration and as you
>> > saw only really for the fragmentation path and not the normal output
>> > path.
>> >
>> > This needs more consideration and investigation.
>>
>> This is the unconditional skb_put in ieee802154_tx. In many cases
>> there is some tailroom due to SKB_DATA_ALIGN in __alloc_skb,
>> so it may take a specific case to not have even 2 bytes of tailroom
>> available.
>
> Yes it's in ieee802154_tx, but we need tailroom not just for checksum.
> The bugreport is related to the two bytes of tailroom, because virtual
> hardware doing checksum by software. The most real transceivers offload
> this feature, so zero tailroom is needed.
>
> I will of course add checks before adding L2 header for headroom and
> tailroom in related subsystem code.
>
> In IEEE 802.15.4 and secured enabled frames we need a MIC field at the
> end of the frame. In worst case this can be 16 bytes.
>
> I looked ethernet macsec feature and it seems they need to have a similar
> reseved tailroom which is 16 bytes by default (max 32 bytes).
Allocating with necessary tailroom to avoid a realloc in the path
sounds fine to me, too. Packet sockets also take needed_tailroom
into account, to give another example.
We just have to avoid papering over bugs. Fixing the locations that
unconditionally move the tail pointer beyond the allocated
region is more important.
^ permalink raw reply
* Re: Fw: [Bug 199963] New: UDP rx_queue incorrect calculation in /proc/net/udp
From: Paolo Abeni @ 2018-06-07 16:28 UTC (permalink / raw)
To: Stephen Hemminger, netdev
In-Reply-To: <20180607073918.5626370d@xeon-e3>
On Thu, 2018-06-07 at 07:39 -0700, Stephen Hemminger wrote:
>
> Begin forwarded message:
>
> Date: Thu, 07 Jun 2018 13:21:23 +0000
> From: bugzilla-daemon@bugzilla.kernel.org
> To: stephen@networkplumber.org
> Subject: [Bug 199963] New: UDP rx_queue incorrect calculation in /proc/net/udp
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199963
>
> Bug ID: 199963
> Summary: UDP rx_queue incorrect calculation in /proc/net/udp
> Product: Networking
> Version: 2.5
> Kernel Version: Kernels >= 4.15
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: IPV4
> Assignee: stephen@networkplumber.org
> Reporter: trevor.francis@46labs.com
> Regression: No
>
> since upgrading to any kernel >= 4.15 the rx_queue in /proc/net/udp is now
> reporting a queue, regardless of system load and regardless of what
> applications are running on it. The tx_queue is always 0, but rx_queue has
> seemingly random spikes of udp queueing. This is observed across hundreds of
> servers with either varying or no workload.
>
> netstat -nl|grep ^udp
> udp 4352 0 0.0.0.0:68 0.0.0.0:*
>
> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid
> timeout inode ref pointer drops
> 14645: 3500007F:0035 00000000:0000 07 00000000:0000C900 00:00000000 00000000
> 101 0 3367 2 ffff8da177fdcc00 0
after:
commit 0d4a6608f68c7532dcbfec2ea1150c9761767d03
Author: Paolo Abeni <pabeni@redhat.com>
Date: Tue Sep 19 12:11:43 2017 +0200
udp: do rmem bulk free even if the rx sk queue is empty
rmem can be a non-0, small, value even if the rx queue is empty,
because it reports the (forward) allocated memory for this socket, not
the queue length in bytes.
I'll cook a patch to fix the above.
Cheers,
Paolo
^ permalink raw reply
* Re: KMSAN: uninit-value in _copy_to_iter (2)
From: Dmitry Vyukov via Virtualization @ 2018-06-07 16:25 UTC (permalink / raw)
To: Michael S. Tsirkin
Cc: Willem de Bruijn, avagin, KVM list, netdev, Matthew Dawson, LKML,
Ingo Molnar, syzkaller-bugs, Eric Dumazet, Al Viro, Ding Tianhong,
syzbot, Paolo Abeni, virtualization, David Miller,
Reshetova, Elena
In-Reply-To: <20180607183627-mutt-send-email-mst@kernel.org>
[-- Attachment #1: Type: text/plain, Size: 1599 bytes --]
On Thu, Jun 7, 2018 at 5:38 PM, Michael S. Tsirkin <mst@redhat.com> wrote:
> #syz test: https://github.com/google/kmsan.git/master d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617
Hi Michael,
We need:
#syz test: https://github.com/google/kmsan.git master
here. Please see
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches
for more info.
Please also add the Reported-by tag when mailing the patch for review.
Thanks
> Subject: vhost: fix info leak
>
> Fixes: CVE-2018-1118
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
> index f0be5f35ab28..9beefa6ed1ce 100644
> --- a/drivers/vhost/vhost.c
> +++ b/drivers/vhost/vhost.c
> @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
> struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
> if (!node)
> return NULL;
> +
> + /* Make sure all padding within the structure is initialized. */
> + memset(&node->msg, 0, sizeof node->msg);
> node->vq = vq;
> node->msg.type = type;
> return node;
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20180607183627-mutt-send-email-mst%40kernel.org.
> For more options, visit https://groups.google.com/d/optout.
[-- Attachment #2: patch --]
[-- Type: application/octet-stream, Size: 518 bytes --]
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index f0be5f35ab28..9beefa6ed1ce 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
if (!node)
return NULL;
+
+ /* Make sure all padding within the structure is initialized. */
+ memset(&node->msg, 0, sizeof node->msg);
node->vq = vq;
node->msg.type = type;
return node;
[-- Attachment #3: Type: text/plain, Size: 183 bytes --]
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
^ permalink raw reply related
* Re: [PATCH net] net: ipv6: ip6_output: alloc skb with tailroom
From: Alexander Aring @ 2018-06-07 16:22 UTC (permalink / raw)
To: Willem de Bruijn
Cc: David Miller, Network Development, Hideaki YOSHIFUJI, david.palma,
rabinarayans0828, Jamal Hadi Salim, stefan, linux-wpan, kernel,
sd
In-Reply-To: <CAF=yD-L=OF+cBZ1zAeJYtYjR3Zb5jaYTZTk+o6uz+tcnT_-0+Q@mail.gmail.com>
Hi,
On Wed, Jun 06, 2018 at 04:26:19PM -0400, Willem de Bruijn wrote:
> On Wed, Jun 6, 2018 at 2:11 PM, David Miller <davem@davemloft.net> wrote:
> > From: Alexander Aring <aring@mojatatu.com>
> > Date: Wed, 6 Jun 2018 14:09:20 -0400
> >
> >> okay, then you want to have this patch for net-next? As an optimization?
> >>
> >> Of course, when it's open again.
> >
> > Like you, I have questions about where this adjustment is applied and
> > why. So I'm not sure yet.
> >
> > For example, only IPV6 really takes it into consideration and as you
> > saw only really for the fragmentation path and not the normal output
> > path.
> >
> > This needs more consideration and investigation.
>
> This is the unconditional skb_put in ieee802154_tx. In many cases
> there is some tailroom due to SKB_DATA_ALIGN in __alloc_skb,
> so it may take a specific case to not have even 2 bytes of tailroom
> available.
Yes it's in ieee802154_tx, but we need tailroom not just for checksum.
The bugreport is related to the two bytes of tailroom, because virtual
hardware doing checksum by software. The most real transceivers offload
this feature, so zero tailroom is needed.
I will of course add checks before adding L2 header for headroom and
tailroom in related subsystem code.
In IEEE 802.15.4 and secured enabled frames we need a MIC field at the
end of the frame. In worst case this can be 16 bytes.
I looked ethernet macsec feature and it seems they need to have a similar
reseved tailroom which is 16 bytes by default (max 32 bytes).
Maybe it's worth to take care for the tailroom in this path since it's
not just 2 bytes in some cases.
---
Meanwhile I think I found a bug in macsec, I cc Sabrina here:
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 7de88b33d5b9..687323c0caf5 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -522,7 +522,7 @@ static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len)
}
#define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true))
-#define MACSEC_NEEDED_TAILROOM MACSEC_STD_ICV_LEN
+#define MACSEC_NEEDED_TAILROOM MACSEC_MAX_ICV_LEN
static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn)
{
---
MACSEC_NEEDED_TAILROOM is the define to check and run skb_copy_expand()
and should use the ?worst case? or the the value (icv_len + ?extra_foo?)
is set as runtime generation on newlink.
I see that in macsec_newlink() following code:
if (data && data[IFLA_MACSEC_ICV_LEN])
icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
so the user can change it to (even a value above 32?, there is no check
for that). Anyway everything higher than MACSEC_STD_ICV_LEN could run
into a skb_over_panic().
- Alex
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox