Netdev List
* Re: [PATCH v2] net-fq: Add WARN_ON check for null flow.
From: Ben Greear @ 2018-06-11 13:18 UTC (permalink / raw)
  To: Michał Kazior, Arend van Spriel
  Cc: Cong Wang, Linux Kernel Network Developers,
	linux-wireless@vger.kernel.org
In-Reply-To: <CABvG-CUUAQaWQuh1HqNmyM+wudBdAjZhSvHdsXEpwRyOwTg-fg@mail.gmail.com>

On 06/10/2018 10:10 AM, Michał Kazior wrote:
> Ben,
>
> The patch is symptomatic. fq_tin_dequeue() already checks if the list
> is empty before it tries to access first entry. I see no point in
> using the _or_null() + WARN_ON.
>
> The 0x3c deref is likely an offset off of NULL base pointer. Did you
> check gdb/addr2line of the ieee80211_tx_dequeue+0xfb? Where did it
> point to?

gdb pointed to one line above the flow dereference, which is why I was
going to put some debugging in there.

>
> I suspect there's not enough synchronization between quiescing the
> device/ath10k after fw crashes and performing mac80211's reconfig
> procedure.

I am already running this patch which helps with some of that.  That
patch never made it upstream, but it fixed problems for me earlier.

https://patchwork.kernel.org/patch/9457639/

Could easily be there are some more issues in that logic.

Someone else posted a patch to disable mac-80211 tx when FW crashes,
I think...I have not tried to backport that.

https://patchwork.kernel.org/patch/10411967/

Thanks,
Ben


>
>
> Michał
>
> On 8 June 2018 at 23:40, Arend van Spriel <arend.vanspriel@broadcom.com> wrote:
>> On 6/8/2018 5:17 PM, Ben Greear wrote:
>>
>> I recalled an email from Michał leaving tieto so adding his alternate email
>> he provided back then.
>>
>> Gr. AvS
>>
>>
>>> On 06/07/2018 04:59 PM, Cong Wang wrote:
>>>>
>>>> On Thu, Jun 7, 2018 at 4:48 PM,  <greearb@candelatech.com> wrote:
>>>>>
>>>>> diff --git a/include/net/fq_impl.h b/include/net/fq_impl.h
>>>>> index be7c0fa..cb911f0 100644
>>>>> --- a/include/net/fq_impl.h
>>>>> +++ b/include/net/fq_impl.h
>>>>> @@ -78,7 +78,10 @@ static struct sk_buff *fq_tin_dequeue(struct fq *fq,
>>>>>                         return NULL;
>>>>>         }
>>>>>
>>>>> -       flow = list_first_entry(head, struct fq_flow, flowchain);
>>>>> +       flow = list_first_entry_or_null(head, struct fq_flow,
>>>>> flowchain);
>>>>> +
>>>>> +       if (WARN_ON_ONCE(!flow))
>>>>> +               return NULL;
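Review bot: the WARN_ON_ONCE(!flow) added here cannot fire, because the list_empty() test immediately above (taken under fq->lock, per the surrounding code) already guarantees head has an entry, so list_first_entry_or_null() returns exactly what list_first_entry() did. A crash one line later at a small offset from NULL points at something reached through flow rather than at flow itself, or at a flow freed while the dequeue path still held it; a more telling debug check would be lockdep_assert_held(&fq->lock) at the top of fq_tin_dequeue() together with WARN_ON_ONCE(list_empty(&flow->flowchain)) on the entry, which would catch the locking or lifetime problem rather than a condition the code already excludes.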
>>>>
>>>>
>>>> This does not make sense either. list_first_entry_or_null()
>>>> returns NULL only when the list is empty, but we already check
>>>> list_empty() right before this code, and it is protected by fq->lock.
>>>>
>>>
>>> Hello Michal,
>>>
>>> git blame shows you as the author of the fq_impl.h code.
>>>
>>> I saw a crash when debugging funky ath10k firmware in a 4.16 + hacks
>>> kernel.  There was an apparent mostly-null deref in the fq_tin_dequeue
>>> method.  According to gdb, it was within 1 line of the dereference of
>>> 'flow'.
>>>
>>> My hack above is probably not that useful.  Cong thinks maybe the
>>> locking is bad.
>>>
>>> If you get a chance, please review this thread and see if you have any
>>> ideas for a better fix (or better debugging code).
>>>
>>> As always, if you would like me to generate you a buggy firmware that
>>> will crash in the tx path and cause all sorts of mayhem in the ath10k
>>> driver and wifi stack, I will be happy to do so.
>>>
>>> https://www.mail-archive.com/netdev@vger.kernel.org/msg239738.html
>>>
>>> Thanks,
>>> Ben
>>>
>>
>

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
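The two points Michał and Cong make above, as an added example that is not code from the kernel or from this thread: a userspace copy of the list accessors shows that list_first_entry() on an empty list yields a bogus non-NULL pointer (the list head itself), which is the only case list_first_entry_or_null() changes and exactly the case the list_empty() check in fq_tin_dequeue() already excludes; and a small helper decodes a near-NULL fault address into the member that sits at that offset, which is the first thing to do with a fault like the 0x3c one in the report. The struct flow layout below is hypothetical, so its offsets are an assumption and do not reproduce the real fq_flow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal copy of the kernel's intrusive list and of the two first-entry
 * accessors under discussion (example code, not the kernel headers). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)
#define list_first_entry_or_null(head, type, member) \
	((head)->next != (head) ? list_first_entry(head, type, member) : NULL)

static inline void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static inline int list_empty(const struct list_head *h) { return h->next == h; }

/* Hypothetical flow layout, only loosely shaped like struct fq_flow; the
 * member names, their order and therefore the offsets are assumptions. */
struct flow {
	struct list_head flowchain;
	struct list_head backlogchain;
	struct list_head skb_queue;
	unsigned int backlog;
	int deficit;
};

/* On an empty list list_first_entry() is not NULL: it hands back the list
 * head itself reinterpreted as a flow, i.e. a pointer into the enclosing
 * tin/fq object. Returns 1 when the plain accessor yields that bogus
 * pointer while the _or_null variant yields NULL, i.e. the two differ only
 * in the empty case that list_empty() already rules out in fq_tin_dequeue(). */
int empty_list_first_entry_is_bogus(void)
{
	struct list_head head;
	INIT_LIST_HEAD(&head);
	if (!list_empty(&head))
		return 0;
	struct flow *plain = list_first_entry(&head, struct flow, flowchain);
	struct flow *safe = list_first_entry_or_null(&head, struct flow, flowchain);
	return plain == (struct flow *)&head && safe == NULL;
}

/* A "mostly NULL" fault address such as 0x3c is usually NULL plus the offset
 * of the member being read through a NULL base pointer. Map a fault address
 * back to the member name in the hypothetical layout above; NULL if it does
 * not coincide with the start of any member. */
const char *member_at_fault_offset(uintptr_t fault_addr)
{
	static const struct { const char *name; size_t off; } members[] = {
		{ "flowchain",    offsetof(struct flow, flowchain) },
		{ "backlogchain", offsetof(struct flow, backlogchain) },
		{ "skb_queue",    offsetof(struct flow, skb_queue) },
		{ "backlog",      offsetof(struct flow, backlog) },
		{ "deficit",      offsetof(struct flow, deficit) },
	};
	for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
		if (members[i].off == fault_addr)
			return members[i].name;
	return NULL;
}
```

With the real layout one would feed pahole's offsets for struct fq_flow (and for struct fq_tin, since the bogus pointer from an empty list lands inside the tin) into the table instead of the guesses above.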


* [PATCH net] net: qcom/emac: Add missing of_node_put()
From: YueHaibing @ 2018-06-11 13:03 UTC (permalink / raw)
  To: timur, davem; +Cc: linux-kernel, netdev, YueHaibing

Add missing of_node_put() call for device node returned by
of_parse_phandle().

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
---
 drivers/net/ethernet/qualcomm/emac/emac-sgmii.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/qualcomm/emac/emac-sgmii.c b/drivers/net/ethernet/qualcomm/emac/emac-sgmii.c
index e78e5db..c694e34 100644
--- a/drivers/net/ethernet/qualcomm/emac/emac-sgmii.c
+++ b/drivers/net/ethernet/qualcomm/emac/emac-sgmii.c
@@ -384,6 +384,7 @@ int emac_sgmii_config(struct platform_device *pdev, struct emac_adapter *adpt)
 		}
 
 		sgmii_pdev = of_find_device_by_node(np);
+		of_node_put(np);
 		if (!sgmii_pdev) {
 			dev_err(&pdev->dev, "invalid internal-phy property\n");
 			return -ENODEV;
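Review bot: the of_node_put(np) directly after of_find_device_by_node(np) is correctly placed, since np is not used past that call and of_find_device_by_node() holds its own reference on the platform device rather than on the node. The early return just above this hunk (the block closed by its first context line) is not visible here; confirm that path also drops the of_parse_phandle() reference, otherwise the leak only moves. A Fixes: tag naming the commit that introduced the of_parse_phandle() call would help stable backports.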
-- 
2.7.0


* Re: [PATCH v2 15/24] net: qualcomm: MODULE_DEVICE_TABLE(serdev)
From: Marcel Holtmann @ 2018-06-11 13:01 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado
  Cc: LKML, linux-serial, Lino Sanfilippo, David S. Miller,
	Stefan Wahren, Rob Herring, Johan Hovold, netdev
In-Reply-To: <20180611115240.32606-16-ricardo.ribalda@gmail.com>

Hi Ricardo,

> Export serdev table to the module header, allowing module autoload via
> udev/modprobe.
> 
> Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Stefan Wahren <stefan.wahren@i2se.com>
> Cc: Rob Herring <robh@kernel.org>
> Cc: Johan Hovold <johan@kernel.org>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
> ---
> drivers/net/ethernet/qualcomm/qca_uart.c | 7 +++++++
> 1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/net/ethernet/qualcomm/qca_uart.c b/drivers/net/ethernet/qualcomm/qca_uart.c
> index db6068cd7a1f..6d2ac6cae63f 100644
> --- a/drivers/net/ethernet/qualcomm/qca_uart.c
> +++ b/drivers/net/ethernet/qualcomm/qca_uart.c
> @@ -405,6 +405,12 @@ static void qca_uart_remove(struct serdev_device *serdev)
> 	free_netdev(qca->net_dev);
> }
> 
> +static struct serdev_device_id qca_uart_serdev_id[] = {
> +	{ QCAUART_DRV_NAME, },
> +	{}
> +};
> +MODULE_DEVICE_TABLE(serdev, qca_uart_serdev_id);
> +
> static struct serdev_device_driver qca_uart_driver = {
> 	.probe = qca_uart_probe,
> 	.remove = qca_uart_remove,
> @@ -412,6 +418,7 @@ static struct serdev_device_driver qca_uart_driver = {
> 		.name = QCAUART_DRV_NAME,
> 		.of_match_table = of_match_ptr(qca_uart_of_match),
> 	},
> +	.id_table = qca_uart_serdev_id,
> };

the commit message is misleading me. If I build something with ACPI or DT support, then modinfo will show all modalias information for ACPI and DT compatible strings. What else does udev/modprobe actually need? Is something broken with the modalias export?

Regards

Marcel


* [PATCH bpf] xsk: silence warning on memory allocation failure
From: Björn Töpel @ 2018-06-11 11:57 UTC (permalink / raw)
  To: magnus.karlsson, magnus.karlsson, ast, daniel, netdev
  Cc: Björn Töpel, penguin-kernel, syzkaller-bugs,
	syzbot+4abadc5d69117b346506

From: Björn Töpel <bjorn.topel@intel.com>

syzkaller reported a warning from xdp_umem_pin_pages():

  WARNING: CPU: 1 PID: 4537 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70 mm/slab_common.c:996
  ...
  __do_kmalloc mm/slab.c:3713 [inline]
  __kmalloc+0x25/0x760 mm/slab.c:3727
  kmalloc_array include/linux/slab.h:634 [inline]
  kcalloc include/linux/slab.h:645 [inline]
  xdp_umem_pin_pages net/xdp/xdp_umem.c:205 [inline]
  xdp_umem_reg net/xdp/xdp_umem.c:318 [inline]
  xdp_umem_create+0x5c9/0x10f0 net/xdp/xdp_umem.c:349
  xsk_setsockopt+0x443/0x550 net/xdp/xsk.c:531
  __sys_setsockopt+0x1bd/0x390 net/socket.c:1935
  __do_sys_setsockopt net/socket.c:1946 [inline]
  __se_sys_setsockopt net/socket.c:1943 [inline]
  __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1943
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

This is a warning about attempting to allocate more than
KMALLOC_MAX_SIZE memory. The request originates from userspace, and if
the request is too big, the kernel is free to deny its allocation. In
this patch, the failed allocation attempt is silenced with
__GFP_NOWARN.

Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt")
Reported-by: syzbot+4abadc5d69117b346506@syzkaller.appspotmail.com
Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
---
 net/xdp/xdp_umem.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
index b9ef487c4618..f47abb46c587 100644
--- a/net/xdp/xdp_umem.c
+++ b/net/xdp/xdp_umem.c
@@ -204,7 +204,8 @@ static int xdp_umem_pin_pages(struct xdp_umem *umem)
 	long npgs;
 	int err;
 
-	umem->pgs = kcalloc(umem->npgs, sizeof(*umem->pgs), GFP_KERNEL);
+	umem->pgs = kcalloc(umem->npgs, sizeof(*umem->pgs),
+			    GFP_KERNEL | __GFP_NOWARN);
 	if (!umem->pgs)
 		return -ENOMEM;
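Review bot: __GFP_NOWARN silences the splat but leaves the size policy implicit: a registration is refused exactly when npgs * sizeof(struct page *) crosses KMALLOC_MAX_SIZE, which depends on architecture and allocator configuration, so a large but legitimate umem also fails with -ENOMEM here. Better to bound umem->npgs explicitly in xdp_umem_reg() and document the limit, or to switch this allocation to kvcalloc(), which falls back to vmalloc for big page arrays; the GFP flag alone leaves user-controlled input driving a limit that is neither stated nor stable.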
 
-- 
2.14.1


* [PATCH 2/2] ktime: helpers to convert between ktime and jiffies
From: Tejaswi Tanikella @ 2018-06-11 11:52 UTC (permalink / raw)
  To: netdev, f.fainelli; +Cc: andrew, davem
In-Reply-To: <20180611115058.GA12452@tejaswit-linux.qualcomm.com>

Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
---
 include/linux/ktime.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/linux/ktime.h b/include/linux/ktime.h
index 5b9fddb..4881483 100644
--- a/include/linux/ktime.h
+++ b/include/linux/ktime.h
@@ -96,6 +96,10 @@ static inline ktime_t timeval_to_ktime(struct timeval tv)
 /* Convert ktime_t to nanoseconds - NOP in the scalar storage format: */
 #define ktime_to_ns(kt)			(kt)
 
+/* ktime to jiffies and back */
+#define ktime_to_jiffies(kt)		nsecs_to_jiffies(kt)
+#define jiffies_to_ktime(j)		jiffies_to_nsecs(j)
+
 /**
  * ktime_compare - Compares two ktime_t variables for less, greater or equal
  * @cmp1:	comparable1
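Review bot: there is no changelog, only a Signed-off-by; say what the helpers are for (the IGMP alarmtimer conversion in 1/2) and why nsecs_to_jiffies()/jiffies_to_nsecs() are not simply called directly. Prefer static inline functions over macros so the types are checked: jiffies_to_nsecs() returns u64 while ktime_t is s64, and nsecs_to_jiffies() takes a u64, so a negative ktime_t (an already-expired alarm_expires_remaining(), for instance) silently becomes a huge jiffies count. Also, 1/2 uses these helpers but is numbered first, so the series does not build at that point; swap the order or fold this into the first patch.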
-- 
1.9.1


* [PATCH v2 15/24] net: qualcomm: MODULE_DEVICE_TABLE(serdev)
From: Ricardo Ribalda Delgado @ 2018-06-11 11:52 UTC (permalink / raw)
  To: linux-kernel, linux-serial
  Cc: Ricardo Ribalda Delgado, Lino Sanfilippo, David S . Miller,
	Stefan Wahren, Rob Herring, Johan Hovold, netdev
In-Reply-To: <20180611115240.32606-1-ricardo.ribalda@gmail.com>

Export serdev table to the module header, allowing module autoload via
udev/modprobe.

Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Stefan Wahren <stefan.wahren@i2se.com>
Cc: Rob Herring <robh@kernel.org>
Cc: Johan Hovold <johan@kernel.org>
Cc: netdev@vger.kernel.org
Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
---
 drivers/net/ethernet/qualcomm/qca_uart.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/ethernet/qualcomm/qca_uart.c b/drivers/net/ethernet/qualcomm/qca_uart.c
index db6068cd7a1f..6d2ac6cae63f 100644
--- a/drivers/net/ethernet/qualcomm/qca_uart.c
+++ b/drivers/net/ethernet/qualcomm/qca_uart.c
@@ -405,6 +405,12 @@ static void qca_uart_remove(struct serdev_device *serdev)
 	free_netdev(qca->net_dev);
 }
 
+static struct serdev_device_id qca_uart_serdev_id[] = {
+	{ QCAUART_DRV_NAME, },
+	{}
+};
+MODULE_DEVICE_TABLE(serdev, qca_uart_serdev_id);
+
 static struct serdev_device_driver qca_uart_driver = {
 	.probe = qca_uart_probe,
 	.remove = qca_uart_remove,
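Review bot: declare the table `static const struct serdev_device_id qca_uart_serdev_id[]`; the driver core only reads it, and id tables are conventionally const. A single entry keyed on QCAUART_DRV_NAME means the generated alias only matches a serdev device registered under that exact name, so the commit message should state who registers such a device for the alias to be of any use to udev.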
@@ -412,6 +418,7 @@ static struct serdev_device_driver qca_uart_driver = {
 		.name = QCAUART_DRV_NAME,
 		.of_match_table = of_match_ptr(qca_uart_of_match),
 	},
+	.id_table = qca_uart_serdev_id,
 };
 
 module_serdev_device_driver(qca_uart_driver);
-- 
2.17.1


* [PATCH net 1/2] ipv4: igmp: use alarmtimer to prevent delayed reports
From: Tejaswi Tanikella @ 2018-06-11 11:51 UTC (permalink / raw)
  To: netdev, f.fainelli; +Cc: andrew, davem

On receiving an IGMPv2/v3 query, based on max_delay set in the header a
timer is started to send out a response after a random time within
max_delay. If the system then moves into suspend state, the Report is
delayed until the system wakes up.

Use an alarmtimer instead of a timer. The alarmtimer will wake the
system up from suspend to send out the IGMP report.

Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
---
v2: use alarmtimer instead of wakelock.
---
If these changes are fine, I'll share similar patches for MLD and ARP.
---
 include/linux/igmp.h |  7 ++++++-
 net/ipv4/igmp.c      | 27 ++++++++++++++++-----------
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/include/linux/igmp.h b/include/linux/igmp.h
index f823185..45852eb 100644
--- a/include/linux/igmp.h
+++ b/include/linux/igmp.h
@@ -20,6 +20,9 @@
 #include <linux/in.h>
 #include <linux/refcount.h>
 #include <uapi/linux/igmp.h>
+#ifdef CONFIG_IP_MULTICAST
+#include <linux/alarmtimer.h>
+#endif
 
 static inline struct igmphdr *igmp_hdr(const struct sk_buff *skb)
 {
@@ -83,7 +86,9 @@ struct ip_mc_list {
 		struct ip_mc_list __rcu *next_rcu;
 	};
 	struct ip_mc_list __rcu *next_hash;
-	struct timer_list	timer;
+#ifdef CONFIG_IP_MULTICAST
+	struct alarm		alarm;
+#endif
 	int			users;
 	refcount_t		refcnt;
 	spinlock_t		lock;
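Review bot: the replacement field is conditional on CONFIG_IP_MULTICAST while the timer_list it replaces was unconditional, so any remaining im->timer user outside that ifdef in igmp.c will now fail to build; check for them before dropping the old field. struct alarm also embeds an hrtimer and a timerqueue node, so every ip_mc_list grows noticeably; that is worth a sentence in the changelog for hosts with many groups.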
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 85b617b..c30b5c4 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -199,7 +199,7 @@ static void ip_ma_put(struct ip_mc_list *im)
 static void igmp_stop_timer(struct ip_mc_list *im)
 {
 	spin_lock_bh(&im->lock);
-	if (del_timer(&im->timer))
+	if (alarm_cancel(&im->alarm))
 		refcount_dec(&im->refcnt);
 	im->tm_running = 0;
 	im->reporter = 0;
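Review bot: alarm_cancel() is called here with im->lock held, and the alarm callback (igmp_timer_expire) takes the same lock. Alarm callbacks run from the hrtimer interrupt, so if the callback is spinning on im->lock on another CPU while this path sits in alarm_cancel() waiting for the callback to complete, both sides wait forever; the del_timer() it replaces never waited. Use alarm_try_to_cancel() under the lock and handle its -1 (callback running) return, or restructure so the callback does not need im->lock, the same distinction as hrtimer_cancel() versus hrtimer_try_to_cancel().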
@@ -210,11 +210,11 @@ static void igmp_stop_timer(struct ip_mc_list *im)
 /* It must be called with locked im->lock */
 static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
 {
-	int tv = prandom_u32() % max_delay;
+	ktime_t expiry = jiffies_to_ktime(prandom_u32() % max_delay + 2);
 
 	im->tm_running = 1;
-	if (!mod_timer(&im->timer, jiffies+tv+2))
-		refcount_inc(&im->refcnt);
+	alarm_start_relative(&im->alarm, expiry);
+	refcount_inc(&im->refcnt);
 }
 
 static void igmp_gq_start_timer(struct in_device *in_dev)
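Review bot: the refcount logic changed. The old code took a reference only when mod_timer() reported the timer was not already pending; the new code calls refcount_inc() unconditionally after alarm_start_relative(), which silently re-arms an already pending alarm, so a second igmp_start_timer() on a running timer leaks a reference that no expiry will ever drop and the ip_mc_list is never freed. Keep the increment conditional, for instance on im->tm_running being clear, or on alarm_try_to_cancel() reporting that nothing was pending before re-arming.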
@@ -241,11 +241,14 @@ static void igmp_ifc_start_timer(struct in_device *in_dev, int delay)
 
 static void igmp_mod_timer(struct ip_mc_list *im, int max_delay)
 {
+	ktime_t expiry;
+
 	spin_lock_bh(&im->lock);
 	im->unsolicit_count = 0;
-	if (del_timer(&im->timer)) {
-		if ((long)(im->timer.expires-jiffies) < max_delay) {
-			add_timer(&im->timer);
+	expiry = alarm_expires_remaining(&im->alarm);
+	if (alarm_cancel(&im->alarm)) {
+		if (ktime_to_jiffies(expiry) < max_delay) {
+			alarm_start_relative(&im->alarm, expiry);
 			im->tm_running = 1;
 			spin_unlock_bh(&im->lock);
 			return;
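Review bot: alarm_expires_remaining() is read before alarm_cancel(), so if the alarm fires or is re-armed in between, expiry is stale and may be negative; passed through nsecs_to_jiffies() a negative value becomes a huge jiffies count and the `< max_delay` test fails, the opposite of the old code's behaviour of keeping a sooner expiry. Cancel first, then compute the remaining time, and clamp it at zero. The alarm_cancel()-under-im->lock wait raised on igmp_stop_timer() applies here as well.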
@@ -812,9 +815,9 @@ static void igmp_ifc_event(struct in_device *in_dev)
 }
 
 
-static void igmp_timer_expire(struct timer_list *t)
+enum alarmtimer_restart igmp_timer_expire(struct alarm *alarm, ktime_t now)
 {
-	struct ip_mc_list *im = from_timer(im, t, timer);
+	struct ip_mc_list *im = container_of(alarm, struct ip_mc_list, alarm);
 	struct in_device *in_dev = im->interface;
 
 	spin_lock(&im->lock);
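Review bot: igmp_timer_expire() lost its `static` and has no prototype in any header, so sparse will warn; keep it static. More importantly, the callback now runs from the hrtimer interrupt rather than from the timer softirq: spin_lock(&im->lock) here against the spin_lock_bh() users elsewhere, which leave hard interrupts enabled, can deadlock on the same CPU, and igmp_send_report() allocates an skb and pushes it through the IP output path, which expects softirq or process context, not a hard interrupt. The alarm callback should only kick a softirq- or process-context worker (re-arming the old timer or scheduling work) instead of sending directly.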
@@ -835,6 +838,8 @@ static void igmp_timer_expire(struct timer_list *t)
 		igmp_send_report(in_dev, im, IGMPV3_HOST_MEMBERSHIP_REPORT);
 
 	ip_ma_put(im);
+
+	return ALARMTIMER_NORESTART;
 }
 
 /* mark EXCLUDE-mode sources */
@@ -1413,7 +1418,7 @@ void ip_mc_inc_group(struct in_device *in_dev, __be32 addr)
 	refcount_set(&im->refcnt, 1);
 	spin_lock_init(&im->lock);
 #ifdef CONFIG_IP_MULTICAST
-	timer_setup(&im->timer, igmp_timer_expire, 0);
+	alarm_init(&im->alarm, ALARM_BOOTTIME, igmp_timer_expire);
 	im->unsolicit_count = net->ipv4.sysctl_igmp_qrv;
 #endif
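Review bot: ALARM_BOOTTIME is the right clock for a relative delay, but arming a wakeup-capable alarm for every group on every query means any host on the link can wake a suspended machine at will just by sending an IGMP query. That is a deliberate policy change, with both a power and a remote-trigger cost, that the changelog should call out, and it probably wants to be opt-in per interface or via sysctl rather than the default for all groups. Also check the teardown path that ends in igmp_stop_timer(), which now inherits the alarm_cancel()-under-lock wait noted earlier.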
 
@@ -2811,7 +2816,7 @@ static int igmp_mc_seq_show(struct seq_file *seq, void *v)
 				   state->dev->ifindex, state->dev->name, state->in_dev->mc_count, querier);
 		}
 
-		delta = im->timer.expires - jiffies;
+		delta = ktime_to_jiffies(alarm_expires_remaining(&im->alarm));
 		seq_printf(seq,
 			   "\t\t\t\t%08X %5d %d:%08lX\t\t%d\n",
 			   im->multiaddr, im->users,
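Review bot: alarm_expires_remaining() goes negative once the alarm has fired and was not re-armed, and ktime_to_jiffies() routes that through nsecs_to_jiffies(u64), so /proc/net/igmp can show an enormous delta for a group whose timer is idle; compute delta only when im->tm_running is set, or clamp it at zero before printing.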
-- 
1.9.1


* Re: [PATCH] net: thunderx: prevent concurrent data re-writing by nicvf_set_rx_mode
From: Dean Nelson @ 2018-06-11 11:22 UTC (permalink / raw)
  To: David Miller, Vadim.Lomovtsev
  Cc: rric, sgoutham, linux-arm-kernel, netdev, linux-kernel,
	Vadim.Lomovtsev
In-Reply-To: <20180610.123551.885190586229525170.davem@davemloft.net>

On 06/10/2018 02:35 PM, David Miller wrote:
> From: Vadim Lomovtsev <Vadim.Lomovtsev@caviumnetworks.com>
> Date: Fri,  8 Jun 2018 02:27:59 -0700
> 
>> +	/* Save message data locally to prevent them from
>> +	 * being overwritten by next ndo_set_rx_mode call().
>> +	 */
>> +	spin_lock(&nic->rx_mode_wq_lock);
>> +	mode = vf_work->mode;
>> +	mc = vf_work->mc;
>> +	vf_work->mc = NULL;

If I'm reading this code correctly, I believe nic->rx_mode_work.mc will
have been set to NULL before the lock is dropped by
nicvf_set_rx_mode_task() and acquired by nicvf_set_rx_mode().


>> +	spin_unlock(&nic->rx_mode_wq_lock);
> 
> At the moment you drop this lock, the memory behind 'mc' can be
> freed up by:
> 
>> +	spin_lock(&nic->rx_mode_wq_lock);
>> +	kfree(nic->rx_mode_work.mc);

So the kfree() will be called with a NULL pointer and quickly return.


> 
> And you'll crash when you dereference it above via
> __nicvf_set_rx_mode_task().
> 

I believe the call to kfree() in nicvf_set_rx_mode() is there to free
up a mc_list that has been allocated by nicvf_set_rx_mode() during a
previous callback to the function, one that has not yet been processed
by nicvf_set_rx_mode_task().

In this way only the last 'unprocessed' callback to nicvf_set_rx_mode()
gets processed should there be multiple callbacks occurring between the
times the nicvf_set_rx_mode_task() runs.

In my testing with this patch, this is what I see happening.
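The hand-off Dean describes, as an added example that is not code from the thunderx driver: a single-threaded model in which ndo_set_rx_mode() publishes a fresh multicast list into the work slot, freeing any unprocessed predecessor, and the work task detaches the current list under the lock before using it, so the producer's later kfree() only ever sees NULL or a list the task never took. The lock is modelled as a flag, the list contents as a count, and a live-allocation counter stands in for KASAN to show that no list is freed twice or leaked.

```c
#include <stdlib.h>

/* Model of the ownership hand-off between nicvf_set_rx_mode() and
 * nicvf_set_rx_mode_task() (example code, not the driver). */
struct mc_list { int count; };

static struct {
	int locked;             /* stands in for nic->rx_mode_wq_lock */
	struct mc_list *mc;     /* vf_work->mc: at most one pending list */
} work;

static int live_lists;          /* allocations not yet freed */

static void wq_lock(void)   { if (work.locked) abort(); work.locked = 1; }
static void wq_unlock(void) { work.locked = 0; }

static struct mc_list *mc_alloc(int count)
{
	struct mc_list *l = malloc(sizeof *l);
	if (!l)
		abort();
	l->count = count;
	live_lists++;
	return l;
}

static void mc_free(struct mc_list *l)
{
	if (!l)
		return;                 /* kfree(NULL) is a no-op, as in the kernel */
	live_lists--;
	free(l);
}

/* Producer, may be called many times before the task gets to run: any list
 * still sitting in the slot was never consumed, so it is dropped here and
 * the newest one wins. */
void set_rx_mode(int count)
{
	struct mc_list *fresh = mc_alloc(count);

	wq_lock();
	mc_free(work.mc);
	work.mc = fresh;
	wq_unlock();
}

/* Consumer: take the list out of the slot under the lock, then work on it
 * without the lock. Because the slot is NULL afterwards, a producer that
 * runs concurrently frees nothing we still hold. Returns the count handled,
 * or -1 when there was nothing pending. */
int set_rx_mode_task(void)
{
	struct mc_list *mc;
	int processed;

	wq_lock();
	mc = work.mc;
	work.mc = NULL;
	wq_unlock();

	if (!mc)
		return -1;
	processed = mc->count;          /* program the hardware here */
	mc_free(mc);
	return processed;
}

int live_count(void)
{
	return live_lists;
}
```

Running two set_rx_mode() calls back to back and then the task shows the first list freed by the second call and the second list freed by the task, with nothing left live and no pointer freed twice; the pattern only holds if the producer never touches a list after publishing it and the consumer never reads the slot outside the lock.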


* [PATCH] net: phy: mdio-gpio: Cut surplus includes
From: Linus Walleij @ 2018-06-11 11:19 UTC (permalink / raw)
  To: Andrew Lunn, Florian Fainelli; +Cc: netdev, Linus Walleij

The GPIO MDIO driver now needs only <linux/gpio/consumer.h>
so cut the legacy <linux/gpio.h> and <linux/of_gpio.h>
includes that are no longer used.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
 drivers/net/phy/mdio-gpio.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/net/phy/mdio-gpio.c b/drivers/net/phy/mdio-gpio.c
index 4e4c8daf44c3..33265747bf39 100644
--- a/drivers/net/phy/mdio-gpio.c
+++ b/drivers/net/phy/mdio-gpio.c
@@ -26,10 +26,7 @@
 #include <linux/platform_device.h>
 #include <linux/mdio-bitbang.h>
 #include <linux/mdio-gpio.h>
-#include <linux/gpio.h>
 #include <linux/gpio/consumer.h>
-
-#include <linux/of_gpio.h>
 #include <linux/of_mdio.h>
 
 struct mdio_gpio_info {
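Review bot: fine as a cleanup, but <linux/of_gpio.h> was also an indirect provider of <linux/of.h>; confirm the file still builds with CONFIG_OF=y and =n now that <linux/of_mdio.h> is the only OF header left, and mention in the changelog the commit that moved the driver to the gpiod consumer API so the dropped dependency is traceable.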
-- 
2.17.0


* Re: [PATCH v2] selftests: bpf: fix urandom_read build issue
From: Daniel Borkmann @ 2018-06-11 10:58 UTC (permalink / raw)
  To: Anders Roxell, ast, ys114321, shuah; +Cc: netdev, linux-kernel, linux-kselftest
In-Reply-To: <20180608065127.28115-1-anders.roxell@linaro.org>

On 06/08/2018 08:51 AM, Anders Roxell wrote:
> gcc complains that urandom_read gets built twice.
> 
> gcc -o tools/testing/selftests/bpf/urandom_read
> -static urandom_read.c -Wl,--build-id
> gcc -Wall -O2 -I../../../include/uapi -I../../../lib -I../../../lib/bpf
> -I../../../../include/generated  -I../../../include    urandom_read.c
> urandom_read -lcap -lelf -lrt -lpthread -o
> tools/testing/selftests/bpf/urandom_read
> gcc: fatal error: input file
> ‘tools/testing/selftests/bpf/urandom_read’ is the
> same as output file
> compilation terminated.
> ../lib.mk:110: recipe for target
> 'tools/testing/selftests/bpf/urandom_read' failed
> To fix this issue remove the urandom_read target and so target
> TEST_CUSTOM_PROGS gets used.
> 
> Fixes: 81f77fd0deeb ("bpf: add selftest for stackmap with BPF_F_STACK_BUILD_ID")
> Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
> Acked-by: Yonghong Song <yhs@fb.com>

Applied to bpf, thanks Anders!


* 4.17.0-10146-gf0dc7f9c6dd9: hw csum failure on powerpc+sungem
From: Meelis Roos @ 2018-06-11 10:57 UTC (permalink / raw)
  To: netdev, linuxppc-dev; +Cc: Linux Kernel list

I am seeing this on PowerMac G4 with sungem ethernet driver. 4.17 was 
OK, 4.17.0-10146-gf0dc7f9c6dd9 is problematic.

[  140.518664] eth0: hw csum failure
[  140.518699] CPU: 0 PID: 1237 Comm: postconf Not tainted 4.17.0-10146-gf0dc7f9c6dd9 #83
[  140.518707] Call Trace:
[  140.518734] [effefd90] [c03d6db8] __skb_checksum_complete+0xd8/0xdc (unreliable)
[  140.518759] [effefdb0] [c04c1284] icmpv6_rcv+0x248/0x4ec
[  140.518775] [effefdd0] [c049a448] ip6_input_finish.constprop.0+0x11c/0x5f4
[  140.518786] [effefe10] [c049b1c0] ip6_mc_input+0xcc/0x100
[  140.518807] [effefe20] [c03e110c] __netif_receive_skb_core+0x310/0x944
[  140.518820] [effefe70] [c03e76ec] napi_gro_receive+0xd0/0xe8
[  140.518845] [effefe80] [f3e1f66c] gem_poll+0x618/0x1274 [sungem]
[  140.518856] [effeff30] [c03e6f0c] net_rx_action+0x198/0x374
[  140.518872] [effeff90] [c0501a88] __do_softirq+0x120/0x278
[  140.518890] [effeffe0] [c0036188] irq_exit+0xd8/0xdc
[  140.518908] [effefff0] [c000f478] call_do_irq+0x24/0x3c
[  140.518925] [d05a5d30] [c0007120] do_IRQ+0x74/0xf0
[  140.518941] [d05a5d50] [c0012474] ret_from_except+0x0/0x14
[  140.518960] --- interrupt: 501 at copy_page+0x40/0x90
                   LR = copy_user_page+0x18/0x30
[  140.518973] [d05a5e10] [d058cd80] 0xd058cd80 (unreliable)
[  140.518989] [d05a5e20] [c00fa2bc] wp_page_copy+0xec/0x654
[  140.519002] [d05a5e60] [c00fd3a4] do_wp_page+0xa8/0x5b4
[  140.519013] [d05a5e90] [c00fe934] handle_mm_fault+0x564/0xa84
[  140.519025] [d05a5f00] [c0016230] do_page_fault+0x1bc/0x7e8
[  140.519037] [d05a5f40] [c0012300] handle_page_fault+0x14/0x40
[  140.519048] --- interrupt: 301 at 0xb78b6864
                   LR = 0xb78b6c54


-- 
Meelis Roos (mroos@linux.ee)


* Re: [PATCH RFC v2 2/9] veth: Add driver XDP
From: Toshiaki Makita @ 2018-06-11 10:55 UTC (permalink / raw)
  To: netdev
  Cc: Toshiaki Makita, Jesper Dangaard Brouer, Alexei Starovoitov,
	Daniel Borkmann
In-Reply-To: <20180610160217.3146-3-toshiaki.makita1@gmail.com>

On 2018/06/11 1:02, Toshiaki Makita wrote:
> From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
> 
> This is basic implementation of veth driver XDP.
> 
> Incoming packets are sent from the peer veth device in the form of skb,
> so this is generally doing the same thing as generic XDP.
> 
> This itself is not so useful, but a starting point to implement other
> useful veth XDP features like TX and REDIRECT.
> 
> This introduces NAPI when XDP is enabled, because XDP now relies
> heavily on NAPI context. Use ptr_ring to emulate NIC ring. Tx function
> enqueues packets to the ring and peer NAPI handler drains the ring.
> 
> Currently only one ring is allocated for each veth device, so it does
> not scale on multiqueue env. This can be resolved by allocating rings
> on the per-queue basis later.
> 
> Note that NAPI is not used but netif_rx is used when XDP is not loaded,
> so this does not change the default behaviour.
> 
> v2:
> - Squashed with the patch adding NAPI.
> - Implement adjust_tail.
> - Don't acquire consumer lock because it is guarded by NAPI.
> - Make poll_controller noop since it is unnecessary.
> - Register rxq_info on enabling XDP rather than on opening the device.
> 
> Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
> ---
...
> @@ -203,6 +480,9 @@ static int veth_close(struct net_device *dev)
>  	if (peer)
>  		netif_carrier_off(peer);
>  
> +	if (rtnl_dereference(priv->xdp_prog))
> +		veth_disable_xdp(dev);

Found that it is not safe to disable napi at this point, because packets
still can come from the peer and the ring may be filled after cleanup.
I'll fix the problem in v3, but wait for feedback some more.

-- 
Toshiaki Makita


* Dear Talented
From: Lisa Clement @ 2018-06-11  9:13 UTC (permalink / raw)
  To: Recipients

Dear Talented,

I am Talent Scout For BLUE SKY FILM STUDIO, Present Blue sky Studio a
Film Corporation Located in the United State, is Soliciting for the
Right to use Your Photo/Face and Personality as One of the Semi -Major
Role/ Character in our Upcoming ANIMATED Stereoscope 3D Movie-The Story
of Spies in Disguise (Spies in Disguise 2019) The Movie is Currently Filming (In
Production) Please Note That There Will Be No Auditions, Traveling or
Any Special / Professional Acting Skills, Since the Production of This
Movie Will Be Done with our State of Art Computer -Generating Imagery
Equipment. We Are Prepared to Pay the Total Sum of $620,000.00 USD. For
More Information/Understanding, Please Write us on the E-Mail Below.
CONTACT EMAIL: bluesky.filmstudio@usa.com
All Reply to: bluesky.filmstudio@usa.com
Note: Only the Response send to this mail will be Given a Prior
Consideration.

Talent Scout
Lisa Clement


* Re: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
From: Daniel Borkmann @ 2018-06-11 10:31 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzbot, Alexei Starovoitov, David Miller, LKML, netdev,
	syzkaller-bugs
In-Reply-To: <CACT4Y+boO990R6a9kGtx-UZpZPeB2bwhgvyUjPvEFOpbzxJKrg@mail.gmail.com>

On 06/11/2018 11:52 AM, Dmitry Vyukov wrote:
> On Mon, Jun 11, 2018 at 11:42 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 06/10/2018 05:27 PM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:    a16afaf7928b Merge tag 'for-v4.18' of git://git.kernel.org..
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1338f6bf800000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=314f2150f36c16ca
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=d2d729bdde65dee3eae6
>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1173381f800000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171f90cf800000
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+d2d729bdde65dee3eae6@syzkaller.appspotmail.com
>>
>> #syz fix: bpf: reject passing modified ctx to helper functions
> 
> On a related note, it seems that it still can unwind past
> bpf_skb_change_proto. I think the "net.core.bpf_jit_kallsyms = 1"
> sysctl should have reached syzbot by the time of the crash. Are you
> sure that's the only thing required? We are using the frame pointer
> unwinder just in case.

Nah, I know what happened; just sent a PR fix for syzkaller.

Thanks,
Daniel


* Re: WARNING in smc_unhash_sk
From: Davide Caratti @ 2018-06-11 10:16 UTC (permalink / raw)
  To: Dmitry Vyukov; +Cc: David Miller, netdev, syzkaller-bugs, ubraun
In-Reply-To: <CACT4Y+byLAh+RoGc-a_b446jMmR2kwkWcnDVzCB6msKeS1yZXA@mail.gmail.com>

On Fri, 2018-06-08 at 09:53 +0200, Dmitry Vyukov wrote:
> On Tue, Feb 27, 2018 at 1:23 PM, Davide Caratti <dcaratti@redhat.com> wrote:
> > On Fri, 2018-02-23 at 07:59 -0800, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot hit the following crash on upstream commit
> > > 

...

> > 
> > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git master
> 
> 
> Hi Davide,
> 
> Any progress on this?
> 

hi Dmitry,

I'm not working on this bug at all. The mail above was an attempt to test
commit a5dcb73b96a9 ("net/smc: fix NULL pointer dereference on
sock_create_kern() error path"), where I replied to the wrong syzbot
message. Since a single error was not enough, I also put netdev in CC:
sorry for the spam :)

regards,
-- 
davide


* Re: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
From: Dmitry Vyukov @ 2018-06-11  9:52 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: syzbot, Alexei Starovoitov, David Miller, LKML, netdev,
	syzkaller-bugs
In-Reply-To: <76483220-226b-bf3c-d529-ea839d6624c6@iogearbox.net>

On Mon, Jun 11, 2018 at 11:42 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
> On 06/10/2018 05:27 PM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    a16afaf7928b Merge tag 'for-v4.18' of git://git.kernel.org..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1338f6bf800000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=314f2150f36c16ca
>> dashboard link: https://syzkaller.appspot.com/bug?extid=d2d729bdde65dee3eae6
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1173381f800000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171f90cf800000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+d2d729bdde65dee3eae6@syzkaller.appspotmail.com
>
> #syz fix: bpf: reject passing modified ctx to helper functions


On a related note, it seems that it still can unwind past
bpf_skb_change_proto. I think the "net.core.bpf_jit_kallsyms = 1"
sysctl should have reached syzbot by the time of the crash. Are you
sure that's the only thing required? We are using the frame pointer
unwinder just in case.


* Re: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
From: Daniel Borkmann @ 2018-06-11  9:42 UTC (permalink / raw)
  To: syzbot, ast, davem, linux-kernel, netdev, syzkaller-bugs
In-Reply-To: <000000000000c64842056e4b4326@google.com>

On 06/10/2018 05:27 PM, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    a16afaf7928b Merge tag 'for-v4.18' of git://git.kernel.org..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1338f6bf800000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=314f2150f36c16ca
> dashboard link: https://syzkaller.appspot.com/bug?extid=d2d729bdde65dee3eae6
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1173381f800000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171f90cf800000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d2d729bdde65dee3eae6@syzkaller.appspotmail.com

#syz fix: bpf: reject passing modified ctx to helper functions


* Re: [PATCH net] KEYS: DNS: fix parsing multiple options
From: Simon Horman @ 2018-06-11  9:40 UTC (permalink / raw)
  To: Eric Biggers
  Cc: netdev, David S . Miller, keyrings, David Howells, Wang Lei,
	Eric Biggers
In-Reply-To: <20180608162037.129802-1-ebiggers3@gmail.com>

On Fri, Jun 08, 2018 at 09:20:37AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> My recent fix for dns_resolver_preparse() printing very long strings was
> incomplete, as shown by syzbot which still managed to hit the
> WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:
> 
>     precision 50001 too large
>     WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0
> 
> The bug this time isn't just a printing bug, but also a logical error
> when multiple options ("#"-separated strings) are given in the key
> payload.  Specifically, when separating an option string into name and
> value, if there is no value then the name is incorrectly considered to
> end at the end of the key payload, rather than the end of the current
> option.  This bypasses validation of the option length, and also means
> that specifying multiple options is broken -- which presumably has gone
> unnoticed as there is currently only one valid option anyway.
> 
> Fix it by correctly calculating the length of the option name.
> 
> Reproducer:
> 
>     perl -e 'print "#A#", "\x00" x 50000' | keyctl padd dns_resolver desc @s
> 
> Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  net/dns_resolver/dns_key.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
> index 40c851693f77e..d448823d4d2ed 100644
> --- a/net/dns_resolver/dns_key.c
> +++ b/net/dns_resolver/dns_key.c
> @@ -97,7 +97,7 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
>  				return -EINVAL;
>  			}
>  
> -			eq = memchr(opt, '=', opt_len) ?: end;
> +			eq = memchr(opt, '=', opt_len) ?: next_opt;
>  			opt_nlen = eq - opt;
>  			eq++;

It seems risky to advance eq++ in the case where the value is empty.
It's not pointing to the value, but it may be accessed twice further on
in this loop.

>  			opt_vlen = next_opt - eq; /* will be -1 if no value */
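Review bot: after the fallback to `next_opt`, the unconditional `eq++` leaves `eq` pointing one past the end of the current option, and the only record that there was no value is `opt_vlen` becoming -1 (per the comment on the `opt_vlen` line); every later use of `eq` in this loop therefore has to be guarded by an `opt_vlen < 0` test. Consider handling the missing '=' explicitly instead, e.g. `if (!eq) { opt_nlen = opt_len; opt_vlen = -1; } else { opt_nlen = eq - opt; eq++; opt_vlen = next_opt - eq; }`, so `eq` is never advanced past the option boundary in the first place.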
> -- 
> 2.18.0.rc1.242.g61856ae69a-goog
> 


* [PATCH 03/15] ipvs: register conntrack hooks for ftp
From: Pablo Neira Ayuso @ 2018-06-11  9:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>

From: Julian Anastasov <ja@ssi.bg>

ip_vs_ftp requires conntrack modules for mangling
of FTP command responses in passive mode.

Make sure the conntrack hooks are registered when
real servers use NAT method in FTP virtual service.
The hooks will be registered while the service is
present.

Fixes: 0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when needed by ruleset")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/ip_vs.h            | 30 ++++++++++++++++++++++++++++++
 net/netfilter/ipvs/ip_vs_ctl.c |  4 ++++
 2 files changed, 34 insertions(+)

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index eb0bec043c96..ae72d9057eda 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -643,6 +643,7 @@ struct ip_vs_service {
 
 	/* alternate persistence engine */
 	struct ip_vs_pe __rcu	*pe;
+	int			conntrack_afmask;
 
 	struct rcu_head		rcu_head;
 };
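Review bot: `conntrack_afmask` is a plain `int` holding two ad-hoc bits (1 for IPv4, 2 for IPv6, as computed in the helpers added in the next hunk) with no comment on the field; a one-line comment stating the bit meaning, or named bit constants shared with the helpers, would document the encoding where the field is declared.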
@@ -1620,6 +1621,35 @@ static inline bool ip_vs_conn_uses_conntrack(struct ip_vs_conn *cp,
 	return false;
 }
 
+static inline int ip_vs_register_conntrack(struct ip_vs_service *svc)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+	int afmask = (svc->af == AF_INET6) ? 2 : 1;
+	int ret = 0;
+
+	if (!(svc->conntrack_afmask & afmask)) {
+		ret = nf_ct_netns_get(svc->ipvs->net, svc->af);
+		if (ret >= 0)
+			svc->conntrack_afmask |= afmask;
+	}
+	return ret;
+#else
+	return 0;
+#endif
+}
+
+static inline void ip_vs_unregister_conntrack(struct ip_vs_service *svc)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+	int afmask = (svc->af == AF_INET6) ? 2 : 1;
+
+	if (svc->conntrack_afmask & afmask) {
+		nf_ct_netns_put(svc->ipvs->net, svc->af);
+		svc->conntrack_afmask &= ~afmask;
+	}
+#endif
+}
+
 static inline int
 ip_vs_dest_conn_overhead(struct ip_vs_dest *dest)
 {
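Review bot: the address-family bit is computed as `(svc->af == AF_INET6) ? 2 : 1` separately in both helpers; factor it into one small inline (or named constants) so the two cannot drift apart. The read-modify-write of `svc->conntrack_afmask` has no visible locking and relies on callers being serialised by the service configuration lock, which deserves a comment above the helpers. Minor: `nf_ct_netns_get()` returns 0 or a negative errno, so `if (!ret)` is the conventional success test rather than `ret >= 0`.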
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 3ecca0616d8c..ee0ab278f1f1 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -835,6 +835,9 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
 		 *    For now only for NAT!
 		 */
 		ip_vs_rs_hash(ipvs, dest);
+		/* FTP-NAT requires conntrack for mangling */
+		if (svc->port == FTPPORT)
+			ip_vs_register_conntrack(svc);
 	}
 	atomic_set(&dest->conn_flags, conn_flags);
 
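Review bot: the return value of `ip_vs_register_conntrack(svc)` is discarded, so if `nf_ct_netns_get()` fails the FTP service is set up without conntrack hooks and the passive-mode mangling the commit message says is required silently never happens; propagate the error out of `__ip_vs_update_dest()` or at least log it. Also, the `svc->port == FTPPORT` gate only covers services on the well-known port; if FTP virtual services on other ports are a supported configuration, they would not get the hooks.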
@@ -1458,6 +1461,7 @@ static void __ip_vs_del_service(struct ip_vs_service *svc, bool cleanup)
  */
 static void ip_vs_unlink_service(struct ip_vs_service *svc, bool cleanup)
 {
+	ip_vs_unregister_conntrack(svc);
 	/* Hold svc to avoid double release from dest_trash */
 	atomic_inc(&svc->refcnt);
 	/*
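Review bot: the unregister call is unconditional while registration is gated on `FTPPORT`; that is correct only because `ip_vs_unregister_conntrack()` checks `conntrack_afmask` first and is a no-op otherwise, so a short comment here ("no-op unless FTP-NAT registered conntrack") would save the next reader a lookup.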
-- 
2.11.0


* [PATCH 15/15] netfilter: remove include/net/netfilter/nft_dup.h
From: Pablo Neira Ayuso @ 2018-06-11  9:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>

From: Corentin Labbe <clabbe@baylibre.com>

include/net/netfilter/nft_dup.h was introduced in d877f07112f1 ("netfilter: nf_tables: add nft_dup expression")
but was never used since this date.

Furthermore, the only struct in this file is unused elsewhere.

Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nft_dup.h | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 include/net/netfilter/nft_dup.h

diff --git a/include/net/netfilter/nft_dup.h b/include/net/netfilter/nft_dup.h
deleted file mode 100644
index 4d9d512984b2..000000000000
--- a/include/net/netfilter/nft_dup.h
+++ /dev/null
@@ -1,10 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef _NFT_DUP_H_
-#define _NFT_DUP_H_
-
-struct nft_dup_inet {
-	enum nft_registers	sreg_addr:8;
-	enum nft_registers	sreg_dev:8;
-};
-
-#endif /* _NFT_DUP_H_ */
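Review bot: the hunk deletes the header, but nothing in the patch shows that no `#include <net/netfilter/nft_dup.h>` remains anywhere in the tree; the commit message should say how that was verified (e.g. a tree-wide grep), since a stale include would only fail at build time on configurations that compile the including file.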
-- 
2.11.0


* [PATCH 14/15] netfilter: x_tables: initialise match/target check parameter struct
From: Pablo Neira Ayuso @ 2018-06-11  9:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>

From: Florian Westphal <fw@strlen.de>

syzbot reports the following splat:

BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450
 net/bridge/netfilter/ebt_stp.c:162
 ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
 xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
 ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
 ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]

The uninitialised access is
   xt_mtchk_param->nft_compat

... which should be set to 0.
Fix it by zeroing the struct beforehand, same for tgchk.

ip(6)tables targetinfo uses c99-style initialiser, so no change
needed there.

Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com
Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension runs from nft_compat")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/bridge/netfilter/ebtables.c | 2 ++
 net/ipv4/netfilter/ip_tables.c  | 1 +
 net/ipv6/netfilter/ip6_tables.c | 1 +
 3 files changed, 4 insertions(+)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 08a65e4a77d0..ead123dab05e 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -700,6 +700,8 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
 	}
 	i = 0;
 
+	memset(&mtpar, 0, sizeof(mtpar));
+	memset(&tgpar, 0, sizeof(tgpar));
 	mtpar.net	= tgpar.net       = net;
 	mtpar.table     = tgpar.table     = name;
 	mtpar.entryinfo = tgpar.entryinfo = e;
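Review bot: zeroing with two `memset()` calls just before the field assignments fixes the report, but the commit message itself notes that the ip(6)tables targetinfo path avoids the problem with a C99 initialiser; declaring `mtpar` and `tgpar` with `= {}` at their definition would make it impossible to reintroduce an uninitialised-field read the next time a member is added to `xt_mtchk_param` or `xt_tgchk_param`.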
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index e85f35b89c49..f6130704f052 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -531,6 +531,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
 		return -ENOMEM;
 
 	j = 0;
+	memset(&mtpar, 0, sizeof(mtpar));
 	mtpar.net	= net;
 	mtpar.table     = name;
 	mtpar.entryinfo = &e->ip;
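Review bot: same pattern as the ebtables hunk, and the same suggestion to zero-initialise at the declaration applies; the diffstat touches only ebtables, ip_tables and ip6_tables, so the commit message should also state whether the remaining x_tables frontends that build an `xt_mtchk_param` were audited and already initialise the struct fully.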
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 97f79dc943d7..685c2168f524 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -551,6 +551,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
 		return -ENOMEM;
 
 	j = 0;
+	memset(&mtpar, 0, sizeof(mtpar));
 	mtpar.net	= net;
 	mtpar.table     = name;
 	mtpar.entryinfo = &e->ipv6;
-- 
2.11.0


* [PATCH 13/15] netfilter: nf_conntrack: Increase __IPS_MAX_BIT with new bit IPS_OFFLOAD_BIT
From: Pablo Neira Ayuso @ 2018-06-11  9:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>

From: Gao Feng <gfree.wind@vip.163.com>

The __IPS_MAX_BIT is used in __ctnetlink_change_status as the max bit
value. When adding the new bit IPS_OFFLOAD_BIT, whose value is 14, we should
increase __IPS_MAX_BIT too, from 14 to 15.

There is no bug in the current code, although one loop iteration is lost in
__ctnetlink_change_status, because the new bit IPS_OFFLOAD_BIT belongs to
IPS_UNCHANGEABLE_MASK.

Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/uapi/linux/netfilter/nf_conntrack_common.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
index c712eb6879f1..336014bf8868 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -112,7 +112,7 @@ enum ip_conntrack_status {
 				 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
 				 IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_OFFLOAD),
 
-	__IPS_MAX_BIT = 14,
+	__IPS_MAX_BIT = 15,
 };
 
 /* Connection tracking event types */
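Review bot: `__IPS_MAX_BIT = 15` is a hand-maintained literal, and the commit message shows it was already missed once when IPS_OFFLOAD_BIT was added; tie it to the enum instead, e.g. `__IPS_MAX_BIT = IPS_OFFLOAD_BIT + 1` (or whichever `*_BIT` is last), or add a `BUILD_BUG_ON()` next to the loop in `__ctnetlink_change_status()`, so the next flag cannot silently fall outside the loop again.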
-- 
2.11.0


* [PATCH 05/15] ipvs: fix check on xmit to non-local addresses
From: Pablo Neira Ayuso @ 2018-06-11  9:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>

From: Julian Anastasov <ja@ssi.bg>

There is a mistake in the rt_mode_allow_non_local assignment.
It should be used to check if sending to non-local addresses is
allowed, now it checks if local addresses are allowed.

As local addresses are allowed for most of the cases, the only
places that are affected are for traffic to transparent cache
servers:

- bypass connections when cache server is not available
- related ICMP in FORWARD hook when sent to cache server

Fixes: 4a4739d56b00 ("ipvs: Pull out crosses_local_route_boundary logic")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 4527921b1c3a..8f7fff774283 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -168,7 +168,7 @@ static inline bool crosses_local_route_boundary(int skb_af, struct sk_buff *skb,
 						bool new_rt_is_local)
 {
 	bool rt_mode_allow_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
-	bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
+	bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_NON_LOCAL);
 	bool rt_mode_allow_redirect = !!(rt_mode & IP_VS_RT_MODE_RDR);
 	bool source_is_loopback;
 	bool old_rt_is_local;
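Review bot: the fix is a one-token copy-paste correction, but three adjacent lines that each decode a different flag from `rt_mode` are exactly where this class of slip recurs; a follow-up could test `rt_mode & IP_VS_RT_MODE_*` directly at the use sites (or via a macro) so each flag name appears once. A comment that `IP_VS_RT_MODE_LOCAL` and `IP_VS_RT_MODE_NON_LOCAL` are independent permissions would also help, since the bug hid precisely because local addresses are allowed in most cases.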
-- 
2.11.0


* [PATCH 09/15] netfilter: ipset: Limit max timeout value
From: Pablo Neira Ayuso @ 2018-06-11  9:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

Due to the negative value condition in msecs_to_jiffies(), the real
max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC.

Neutron Soutmun proposed the proper fix, but an insufficient one was
applied, see https://patchwork.ozlabs.org/patch/400405/.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
 include/linux/netfilter/ipset/ip_set_timeout.h | 10 ++++++----
 net/netfilter/xt_set.c                         |  8 ++++----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h
index 7ad8ddf9ca8a..8ce271e187b6 100644
--- a/include/linux/netfilter/ipset/ip_set_timeout.h
+++ b/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -23,6 +23,9 @@
 /* Set is defined with timeout support: timeout value may be 0 */
 #define IPSET_NO_TIMEOUT	UINT_MAX
 
+/* Max timeout value, see msecs_to_jiffies() in jiffies.h */
+#define IPSET_MAX_TIMEOUT	(UINT_MAX >> 1)/MSEC_PER_SEC
+
 #define ip_set_adt_opt_timeout(opt, set)	\
 ((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
 
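Review bot: `#define IPSET_MAX_TIMEOUT (UINT_MAX >> 1)/MSEC_PER_SEC` has no outer parentheses, so a use inside a larger expression such as `x * IPSET_MAX_TIMEOUT` would evaluate as `x * (UINT_MAX >> 1) / MSEC_PER_SEC` and overflow; make it `((UINT_MAX >> 1) / MSEC_PER_SEC)`. The comment should also say why the `>> 1` is there (it keeps the value below the negative-value threshold in `msecs_to_jiffies()` that the commit message cites), which the bare pointer to jiffies.h does not convey.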
@@ -32,11 +35,10 @@ ip_set_timeout_uget(struct nlattr *tb)
 	unsigned int timeout = ip_set_get_h32(tb);
 
 	/* Normalize to fit into jiffies */
-	if (timeout > UINT_MAX/MSEC_PER_SEC)
-		timeout = UINT_MAX/MSEC_PER_SEC;
+	if (timeout > IPSET_MAX_TIMEOUT)
+		timeout = IPSET_MAX_TIMEOUT;
 
-	/* Userspace supplied TIMEOUT parameter: adjust crazy size */
-	return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
+	return timeout;
 }
 
 static inline bool
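Review bot: the `IPSET_NO_TIMEOUT - 1` special case removed here was already unreachable, since the clamp two lines above bounds `timeout` well below `UINT_MAX` both before and after this change; this is dead-code removal rather than a behaviour change, and the commit message should say so explicitly so reviewers do not read it as one.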
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 07af7dbf7a30..bf2890b13212 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -372,8 +372,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 
 	/* Normalize to fit into jiffies */
 	if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
-	    add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC)
-		add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC;
+	    add_opt.ext.timeout > IPSET_MAX_TIMEOUT)
+		add_opt.ext.timeout = IPSET_MAX_TIMEOUT;
 	if (info->add_set.index != IPSET_INVALID_ID)
 		ip_set_add(info->add_set.index, skb, par, &add_opt);
 	if (info->del_set.index != IPSET_INVALID_ID)
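Review bot: the `add_opt.ext.timeout != IPSET_NO_TIMEOUT &&` guard is load-bearing here: `IPSET_NO_TIMEOUT` is `UINT_MAX`, which is larger than `IPSET_MAX_TIMEOUT`, so without the guard the "no timeout" marker would be clamped into a finite timeout; a comment on the condition explaining that ordering would keep a future cleanup from dropping it.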
@@ -407,8 +407,8 @@ set_target_v3(struct sk_buff *skb, const struct xt_action_param *par)
 
 	/* Normalize to fit into jiffies */
 	if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
-	    add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC)
-		add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC;
+	    add_opt.ext.timeout > IPSET_MAX_TIMEOUT)
+		add_opt.ext.timeout = IPSET_MAX_TIMEOUT;
 	if (info->add_set.index != IPSET_INVALID_ID)
 		ip_set_add(info->add_set.index, skb, par, &add_opt);
 	if (info->del_set.index != IPSET_INVALID_ID)
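Review bot: this block is an exact copy of the one in `set_target_v2()`, and both had to be changed in lockstep in this patch; move the normalisation into a small inline helper in ip_set_timeout.h next to `IPSET_MAX_TIMEOUT` so the next adjustment touches one place.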
-- 
2.11.0


* [PATCH 12/15] netfilter: nft_set_rbtree: fix parameter of __nft_rbtree_lookup()
From: Pablo Neira Ayuso @ 2018-06-11  9:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>

From: Taehee Yoo <ap420073@gmail.com>

The parameter this doesn't have a flags value, so it can't be
used by nft_rbtree_interval_end().

test commands:
   %nft add table ip filter
   %nft add set ip filter s { type ipv4_addr \; flags interval \; }
   %nft add element ip filter s {0-1}
   %nft add element ip filter s {2-10}
   %nft add chain ip filter input { type filter hook input priority 0\; }
   %nft add rule ip filter input ip saddr @s

Splat looks like:
[  246.752502] BUG: KASAN: slab-out-of-bounds in __nft_rbtree_lookup+0x677/0x6a0 [nft_set_rbtree]
[  246.752502] Read of size 1 at addr ffff88010d9efa47 by task http/1092

[  246.752502] CPU: 1 PID: 1092 Comm: http Not tainted 4.17.0-rc6+ #185
[  246.752502] Call Trace:
[  246.752502]  <IRQ>
[  246.752502]  dump_stack+0x74/0xbb
[  246.752502]  ? __nft_rbtree_lookup+0x677/0x6a0 [nft_set_rbtree]
[  246.752502]  print_address_description+0xc7/0x290
[  246.752502]  ? __nft_rbtree_lookup+0x677/0x6a0 [nft_set_rbtree]
[  246.752502]  kasan_report+0x22c/0x350
[  246.752502]  __nft_rbtree_lookup+0x677/0x6a0 [nft_set_rbtree]
[  246.752502]  nft_rbtree_lookup+0xc9/0x2d2 [nft_set_rbtree]
[  246.752502]  ? sched_clock_cpu+0x144/0x180
[  246.752502]  nft_lookup_eval+0x149/0x3a0 [nf_tables]
[  246.752502]  ? __lock_acquire+0xcea/0x4ed0
[  246.752502]  ? nft_lookup_init+0x6b0/0x6b0 [nf_tables]
[  246.752502]  nft_do_chain+0x263/0xf50 [nf_tables]
[  246.752502]  ? __nft_trace_packet+0x1a0/0x1a0 [nf_tables]
[  246.752502]  ? sched_clock_cpu+0x144/0x180
[ ... ]

Fixes: f9121355eb6f ("netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_set_rbtree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index e6f08bc5f359..26fa93b23805 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -65,7 +65,7 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
 			parent = rcu_dereference_raw(parent->rb_left);
 			if (interval &&
 			    nft_rbtree_equal(set, this, interval) &&
-			    nft_rbtree_interval_end(this) &&
+			    nft_rbtree_interval_end(rbe) &&
 			    !nft_rbtree_interval_end(interval))
 				continue;
 			interval = rbe;
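Review bot: the fix swaps `this` for `rbe` in one of three adjacent calls while `nft_rbtree_equal(set, this, interval)` on the line above correctly keeps `this`, which is exactly the confusion that caused the bug (`this` is the key being compared, `rbe` the element that carries the flags, per the commit message). A short comment above the condition, or local names that make the distinction obvious, would prevent a regression; the six nft commands in the commit message are also a ready-made regression test for the nftables test suite.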
-- 
2.11.0


