Should check result of kstrndup() in case of memory allocation failure.
Signed-off-by: Chengguang Xu
---
net/ceph/ceph_common.c | 4
1 file changed, 4 insertions(+)
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 5c036d2..1e492ef 100644
--- a/net/ceph/ceph_common.c
+++ b
After checking all possible call chains to fs_send() here,
my tool finds that fs_send() is never called in atomic context.
And this function is assigned to a function pointer "dev->ops->send",
which is only called by vcc_sendmsg() (net/atm/common.c)
through vcc->dev->ops->send(), and vcc_sendmsg()
On Fri, Jan 26, 2018 at 4:24 AM, Jason Wang wrote:
>
>
> On 2018-01-25 15:59, syzbot wrote:
>>
>> Hello,
>>
>> syzbot hit the following crash on net-next commit
>> 43df215d99e6049d4680309c54232689e16ddd6b (Wed Jan 24 01:24:32 2018 +)
>> Merge branch 'bpf-and-netdevsim-test-updates'
>>
>> So f
Hi, Timur && Andrew,
Please correct me if there is any problem with my understanding.
GPIO is a general property of devices, the property point to
an entity such as device tree or ACPI table, we also can directly
implement it in device node.
For ACPI, there is _DSD that should include GPIO prope
On Thu, Jan 25, 2018 at 7:14 PM, Eric Dumazet wrote:
> On Fri, 2018-01-26 at 02:09 +, Li,Rongqing wrote:
>
>>
>> crash> bt 8683
>> PID: 8683 TASK: 881faa088000 CPU: 10 COMMAND: "mynode"
>> #0 [881fff145e78] crash_nmi_callback at 81031712
>> #1 [881fff145e88] nmi_handl
On Thu, 2018-01-18 at 15:08 -0800, Yonghong Song wrote:
> +find_leftmost:
> + /* Find the leftmost non-intermediate node, all intermediate nodes
> + * have exact two children, so this function will never return NULL.
> + */
syzbot [1] disagrees violently with this comment.
> +
On Thu, Jan 25, 2018 at 2:00 AM, Pablo Neira Ayuso wrote:
> On Wed, Jan 24, 2018 at 04:37:16PM -0500, David Miller wrote:
>> From: Eyal Birger
>> Date: Tue, 23 Jan 2018 11:17:32 +0200
>>
>> > + network_offset = skb_network_offset(skb);
>> > + skb_pull(skb, network_offset);
>> > +
>> > + rcu
Unsolicited IPv6 neighbor advertisements should be sent after DAD
completes. Update ndisc_send_unsol_na to skip tentative, non-optimistic
addresses and have those sent by addrconf_dad_completed after DAD.
Fixes: 4a6e3c5def13c ("net: ipv6: send unsolicited NA on admin up")
Reported-by: Vivek Venkat
> -Original Message-
> From: Eric Dumazet [mailto:eric.duma...@gmail.com]
> Sent: 2018-01-26 11:14
> To: Li,Rongqing ; netdev@vger.kernel.org
> Cc: eduma...@google.com
> Subject: Re: Reply: [PATCH] net: clean the sk_frag.page of new cloned socket
>
> On Fri, 2018-01-26 at 02:09 +, Li,Rongqing wrote:
>
> > my kernel is 3.10, I did not find the root cause, I guess all kind of
> > possibility
> >
>
> Have you backported 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 ?
>
>
When I see this bug, I find this commit, and backport it,
But this seems not to be related to my bug.
> > > I would rather move th
On Thu, Jan 25, 2018 at 7:57 PM, Jason Wang wrote:
>
>
> On 2018-01-26 10:26, Cong Wang wrote:
>>
>> pfifo_fast used to drop based on qdisc_dev(qdisc)->tx_queue_len,
>> so we have to resize skb array when we change tx_queue_len.
>>
>> Other qdiscs which read tx_queue_len are fine because they
>>
On 2018-01-26 10:26, Cong Wang wrote:
pfifo_fast used to drop based on qdisc_dev(qdisc)->tx_queue_len,
so we have to resize skb array when we change tx_queue_len.
Other qdiscs which read tx_queue_len are fine because they
all save it to sch->limit or somewhere else in qdisc during init.
They
On 2018-01-26 07:36, Michael S. Tsirkin wrote:
Offset 128 overlaps the last word of the redzone.
Use 132 which is always beyond that.
Signed-off-by: Michael S. Tsirkin
---
tools/virtio/ringtest/main.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/virtio/ringtes
After checking all possible call chains to atmtcp_v_send() here,
my tool finds that atmtcp_v_send() is never called in atomic context.
And this function is assigned to a function pointer "dev->ops->send",
which is only called by vcc_sendmsg() (net/atm/common.c)
through vcc->dev->ops->send(), and vc
When the frame check sequence (FCS) is split across the last two frames
of a fragmented packet, part of the FCS gets counted twice, once when
subtracting the FCS, and again when subtracting the previously received
data.
For example, if 1602 bytes are received, and the first fragment contains
the f
After checking all possible call chains to psend() here,
my tool finds that psend() is never called in atomic context.
And this function is assigned to a function pointer "dev->ops->send",
which is only called by vcc_sendmsg (net/atm/common.c)
through vcc->dev->ops->send(), and vcc_sendmsg calls sc
On 2018-01-26 01:31, Michael S. Tsirkin wrote:
On Thu, Jan 25, 2018 at 10:17:38PM +0800, Jason Wang wrote:
On 2018-01-25 21:45, Michael S. Tsirkin wrote:
On Thu, Jan 25, 2018 at 03:31:42PM +0800, Jason Wang wrote:
We try to allocate one more entry for lockless peeking. The adding
operatio
After checking all possible call chains to idt77252_preset() here,
my tool finds that idt77252_preset() is never called in atomic context,
namely never in an interrupt handler or holding a spinlock.
And idt77252_preset() calls deinit_card, which calls free_irq (can sleep),
so it indicates that idt7
On 2018-01-25 15:59, syzbot wrote:
Hello,
syzbot hit the following crash on net-next commit
43df215d99e6049d4680309c54232689e16ddd6b (Wed Jan 24 01:24:32 2018 +)
Merge branch 'bpf-and-netdevsim-test-updates'
So far this crash happened 2 times on net-next.
Unfortunately, I don't have any
On 2018-01-26 07:36, Michael S. Tsirkin wrote:
This fixes a bunch of issues around ptr_ring use in net core.
One of these: "tap: fix use-after-free" is also needed on net,
but can't be backported cleanly.
I will post a net patch separately.
Lightly tested - Jason, could you pls confirm this
On 2018-01-26 10:44, Michael S. Tsirkin wrote:
On Fri, Jan 26, 2018 at 10:37:58AM +0800, Jason Wang wrote:
On 2018-01-26 07:36, Michael S. Tsirkin wrote:
Lockless __ptr_ring_empty requires that consumer head is read and
written at once, atomically. Annotate accordingly to make sure compile
On Fri, 2018-01-26 at 02:09 +, Li,Rongqing wrote:
>
> crash> bt 8683
> PID: 8683 TASK: 881faa088000 CPU: 10 COMMAND: "mynode"
> #0 [881fff145e78] crash_nmi_callback at 81031712
> #1 [881fff145e88] nmi_handle at 816cafe9
> #2 [881fff145ec8] do_nmi at
On Fri, 2018-01-26 at 02:09 +, Li,Rongqing wrote:
> > > if (newsk->sk_prot->sockets_allocated)
> > > sk_sockets_allocated_inc(newsk);
> >
> > Good catch.
> >
> > I suspect this was discovered by some syzkaller/syzbot run ?
> >
>
>
> No.
>
> I am seeing a panic,
> > if (newsk->sk_prot->sockets_allocated)
> > sk_sockets_allocated_inc(newsk);
>
> Good catch.
>
> I suspect this was discovered by some syzkaller/syzbot run ?
>
No.
I am seeing a panic, a page is in both task.task_frag.page and buddy free list;
It should no
On Fri, Jan 26, 2018 at 10:38:12AM +0800, Jason Wang wrote:
>
>
> On 2018-01-26 07:36, Michael S. Tsirkin wrote:
> > In theory compiler could tear queue loads or stores in two. It does not
> > seem to be happening in practice but it seems easier to convert the
> > cases where this would be a pro
On Fri, Jan 26, 2018 at 10:38:05AM +0800, Jason Wang wrote:
>
>
> On 2018-01-26 07:36, Michael S. Tsirkin wrote:
> > Similar to bcecb4bbf88a ("net: ptr_ring: otherwise safe empty checks can
> > overrun array bounds") a lockless use of __ptr_ring_full might
> > cause an out of bounds access.
> >
On Fri, Jan 26, 2018 at 10:37:58AM +0800, Jason Wang wrote:
>
>
> On 2018-01-26 07:36, Michael S. Tsirkin wrote:
> > Lockless __ptr_ring_empty requires that consumer head is read and
> > written at once, atomically. Annotate accordingly to make sure compiler
> > does it correctly. Switch locked
From: William Tu
Date: Thu, 25 Jan 2018 13:20:08 -0800
> The first patch refactors the erspan header definitions.
> Originally, the erspan fields are defined as a group into a __be16 field,
> and use mask and offset to access each field. This is more costly due to
> calling ntohs/htons and erro
On 2018-01-26 07:36, Michael S. Tsirkin wrote:
In theory compiler could tear queue loads or stores in two. It does not
seem to be happening in practice but it seems easier to convert the
cases where this would be a problem to READ/WRITE_ONCE than worry about
it.
Signed-off-by: Michael S. Tsir
On 2018-01-26 07:36, Michael S. Tsirkin wrote:
Similar to bcecb4bbf88a ("net: ptr_ring: otherwise safe empty checks can
overrun array bounds") a lockless use of __ptr_ring_full might
cause an out of bounds access.
We can fix this, but it's easier to just disallow lockless
__ptr_ring_full for
On 2018-01-26 07:36, Michael S. Tsirkin wrote:
Lockless __ptr_ring_empty requires that consumer head is read and
written at once, atomically. Annotate accordingly to make sure compiler
does it correctly. Switch locked callers to __ptr_ring_peek which does
not support the lockless operation.
On Thu, Jan 25, 2018 at 1:20 PM, William Tu wrote:
> The patch adds support for openvswitch to configure erspan
> v1 and v2. The OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS attr is added
> to uapi as a binary blob to support all ERSPAN v1 and v2's
> fields. Note that Previous commit "openvswitch: Add erspan
On Thu, Jan 25, 2018 at 1:20 PM, William Tu wrote:
> The patch adds a new uapi header file, erspan.h, and moves
> the 'struct erspan_metadata' from internal erspan.h to it.
>
> Signed-off-by: William Tu
Acked-by: Pravin B Shelar
Thanks.
On Thu, Jan 25, 2018 at 1:20 PM, William Tu wrote:
> Originally the erspan fields are defined as a group into a __be16 field,
> and use mask and offset to access each field. This is more costly due to
> calling ntohs/htons. The patch changes it to use bitfields.
>
> Signed-off-by: William Tu
A
From: Francois Romieu
Date: Fri, 26 Jan 2018 01:53:26 +0100
> Hardware statistics retrieval hurts in tight invocation loops.
>
> Avoid extraneous write and enforce strict ordering of writes targeted to
> the tally counters dump area address registers.
>
> Signed-off-by: Francois Romieu
> Teste
Introduce a new qdisc ops ->change_tx_queue_len() so that
each qdisc could decide how to implement this if it wants.
Previously we simply read dev->tx_queue_len, after pfifo_fast
switches to skb array, we need this API to resize the skb array
when we change dev->tx_queue_len.
To avoid handling rac
This patch promotes the local change_tx_queue_len() to a core
helper function, dev_change_tx_queue_len(), so that rtnetlink
and net-sysfs could share the code. This also prepares for the
following patch.
Note, the -EFAULT in the original code doesn't make sense,
we should propagate the errno from
This patchset restores the pfifo_fast qdisc behavior of dropping
packets based on latest dev->tx_queue_len. Patch 1 introduces
a helper, patch 2 introduces a new Qdisc ops which is called when
we modify tx_queue_len, patch 3 implements this ops for pfifo_fast.
Please see each patch for details.
-
pfifo_fast used to drop based on qdisc_dev(qdisc)->tx_queue_len,
so we have to resize skb array when we change tx_queue_len.
Other qdiscs which read tx_queue_len are fine because they
all save it to sch->limit or somewhere else in qdisc during init.
They don't have to implement this, it is nicer i
From: David Ahern
Date: Thu, 25 Jan 2018 15:01:23 -0700
> On 1/25/18 2:23 PM, David Miller wrote:
>> From: David Ahern
>> Date: Wed, 24 Jan 2018 19:37:37 -0800
>>
>>> Sukumar reported that sends to the local broadcast address
>>> (255.255.255.255) are broken. Check for the address in vrf driver
From: Jakub Kicinski
Date: Thu, 25 Jan 2018 14:00:42 -0800
> This set makes all drivers use a new tc_cls_can_offload_and_chain0()
> helper which will set extack in case TC hw offload flag is disabled.
>
> I chose to keep the new helper which also looks at the chain but
> renamed it more appropri
On Fri, Jan 26, 2018 at 01:39:30AM +0100, Mickaël Salaün wrote:
> Do not build lib/bpf/bpf.o with this Makefile but use the one from the
> library directory. This avoids making a buggy bpf.o file (e.g. missing
> symbols).
could you provide an example?
What symbols will be missing?
I don't think th
On Wed, Jan 24, 2018 at 02:46:24PM -0800, Vinicius Costa Gomes wrote:
> The only robust way that we could think of about keeping the packets
> in order for the device queue is re-ordering packets in the Qdisc.
Right, but you cannot afford the overhead of the timerqueue when using
HW offload, w
On Fri, Jan 26, 2018 at 12:54:02AM +0100, Mickaël Salaün wrote:
> Make the code more readable.
>
> Signed-off-by: Mickaël Salaün
> Cc: Alexei Starovoitov
> Cc: Daniel Borkmann
> ---
> kernel/bpf/syscall.c | 5 +
> 1 file changed, 1 insertion(+), 4 deletions(-)
>
> diff --git a/kernel/bpf/
After checking all possible call chains to fore200e_send here,
my tool finds that fore200e_send is never called in atomic context.
And this function is assigned to a function pointer "dev->ops->send",
which is only called by vcc_sendmsg (net/atm/common.c)
through vcc->dev->ops->send, and vcc_sendm
After checking all possible call chains to fore200e_open here,
my tool finds that fore200e_open is never called in atomic context.
And fore200e_open calls mutex_lock which can sleep later,
thus it is supposed fore200e_open can call functions which may sleep.
Thus GFP_ATOMIC is not necessary, and it
tree: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
master
head: fdd6d771c7de9d351c6dbdbab5bdc83805c06955
commit: 1280c0f8aafc4c09c59c576c8d50f367070b2619 [1917/1931] sfc: support
second + quarter ns time format for receive datapath
reproduce:
# apt-get install sp
On 01/25/2018 04:26 PM, John Fastabend wrote:
> A set of fixes for sockmap to resolve map/prog not being cleaned
> up when maps are not cleaned up from the program side.
>
Well that first sentence is a bit confusing now that I read it again.
Here is a better version,
"
A set of fixes for sockmap
tree: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
master
head: fdd6d771c7de9d351c6dbdbab5bdc83805c06955
commit: 2935e3c38228ad9bf073eeb0eedff5849eea63db [1913/1931] sfc: on 8000
series use TX queues for TX timestamps
reproduce:
# apt-get install sparse
g
Fixes: 2935e3c38228 ("sfc: on 8000 series use TX queues for TX timestamps")
Signed-off-by: Fengguang Wu
---
efx.c |2 +-
ptp.c |4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c
index 456866b0..16757cf 1
Add support for RTNH_F_ONLINK with ipv6 routes.
First patch moves existing gateway validation into helper. The onlink
flag requires a different set of checks and the existing validation
makes ip6_route_info_create long enough.
Second patch makes the table id and lookup flag an option to
ip6_nh_l
onlink verification needs to do a lookup in potentially different
table than the table in fib6_config and without the RT6_LOOKUP_F_IFACE
flag. Change ip6_nh_lookup_table to take table id and flags as input
arguments. Both verifications want to ignore link state, so add that
flag can stay in the loo
Similar to IPv4 allow routes to be added with the RTNH_F_ONLINK flag.
The onlink option requires a gateway and a nexthop device. Any unicast
gateway is allowed (including IPv4 mapped addresses and unresolved
ones) as long as the gateway is not a local address and if it resolves
it must match the gi
Move existing code to validate nexthop into a helper. Follow on patch
adds support for nexthops marked with onlink, and this helper keeps
the complexity of ip6_route_info_create in check.
Signed-off-by: David Ahern
---
net/ipv6/route.c | 85 ---
On Thu, Jan 25, 2018 at 04:14:04PM -0800, Lawrence Brakmo wrote:
> This patchset adds support for:
>
> - direct R or R/W access to many tcp_sock fields
> - passing up to 4 arguments to sock_ops BPF functions
> - tcp_sock field bpf_sock_ops_cb_flags for controlling callbacks
> - optionally calling
Hardware statistics retrieval hurts in tight invocation loops.
Avoid extraneous write and enforce strict ordering of writes targeted to
the tally counters dump area address registers.
Signed-off-by: Francois Romieu
Tested-by: Oliver Freyermuth
---
drivers/net/ethernet/realtek/r8169.c | 9 ++---
Do not build lib/bpf/bpf.o with this Makefile but use the one from the
library directory. This avoids making a buggy bpf.o file (e.g. missing
symbols).
This patch is useful if some code (e.g. Landlock tests) needs both the
bpf.o (from tools/lib/bpf) and the bpf_load.o (from samples/bpf).
Signed-o
When a program is attached to a map we increment the program refcnt
to ensure that the program is not removed while it is potentially
being referenced from sockmap side. However, if this same program
also references the map (this is a reasonably common pattern in
my programs) then the verifier will
A set of fixes for sockmap to resolve map/prog not being cleaned
up when maps are not cleaned up from the program side.
For this we pull in the ULP infrastructure to hook into the close()
hook of the sock layer. This seemed natural because we have additional
sockmap features (to add support for TX
The selftests test_maps program was leaving dangling BPF sockmap
programs around because not all psock elements were removed from
the map. The elements in turn hold a reference on the BPF program
they are attached to causing BPF programs to stay open even after
test_maps has completed.
The origina
Create a UID field and enum that can be used to assign ULPs to
sockets. This saves a set of string comparisons if the ULP id
is known.
For sockmap, which is added in the next patches, a ULP is used to
hook into TCP sockets close state. In this case the ULP being added
is done at map insert time an
Adds direct write access to sk_txhash and access to tclass for ipv6
flows through getsockopt and setsockopt. Sample usage for tclass:
bpf_getsockopt(skops, SOL_IPV6, IPV6_TCLASS, &v, sizeof(v))
where skops is a pointer to the ctx (struct bpf_sock_ops).
Signed-off-by: Lawrence Brakmo
---
net/
This patchset adds support for:
- direct R or R/W access to many tcp_sock fields
- passing up to 4 arguments to sock_ops BPF functions
- tcp_sock field bpf_sock_ops_cb_flags for controlling callbacks
- optionally calling sock_ops BPF program when RTO fires
- optionally calling sock_ops BPF program
This patch adds a macro, SOCK_OPS_SET_FIELD, for writing to
struct tcp_sock or struct sock fields. This required adding a new
field "temp" to struct bpf_sock_ops_kern for temporary storage that
is used by sock_ops_convert_ctx_access. It is used to store and recover
the contents of a register, so th
Make SOCK_OPS_GET_TCP helper macro size independent (before only worked
with 4-byte fields).
Signed-off-by: Lawrence Brakmo
---
net/core/filter.c | 13 -
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index bf9bb75..62e7874 100644
-
Changed SOCK_OPS_GET_TCP to SOCK_OPS_GET_FIELD and added 2
arguments so now it can also work with struct sock fields.
The first argument is the name of the field in the bpf_sock_ops
struct, the 2nd argument is the name of the field in the OBJ struct.
Previous: SOCK_OPS_GET_TCP(FIELD_NAME)
New:
Adds support for calling sock_ops BPF program when there is a TCP state
change. Two arguments are used; one for the old state and another for
the new state.
There is a new enum in include/uapi/linux/bpf.h that exports the TCP
states that prepends BPF_ to the current TCP state names. If it is ever
Adds support for passing up to 4 arguments to sock_ops bpf functions. It
reuses the reply union, so the bpf_sock_ops structures are not
increased in size.
Signed-off-by: Lawrence Brakmo
---
include/linux/filter.h | 1 +
include/net/tcp.h| 40 +++-
Added a selftest for tcpbpf (sock_ops) that checks that the appropriate
callbacks occurred and that it can access tcp_sock fields and that their
values are correct.
Run with command: ./test_tcpbpf_user
Adding the flag "-d" will show why it did not pass.
Signed-off-by: Lawrence Brakmo
Acked-by: Al
Currently, a sock_ops BPF program can write the op field and all the
reply fields (reply and replylong). This is a bug. The op field should
not have been writeable and there is currently no way to use replylong
field for indices >= 1. This patch enforces that only the reply field
(which equals repl
Adds support for calling sock_ops BPF program when there is a
retransmission. Three arguments are used; one for the sequence number,
another for the number of segments retransmitted, and the last one for
the return value of tcp_transmit_skb (0 => success).
Does not include syn-ack retransmissions.
Adds field bpf_sock_ops_cb_flags to tcp_sock and bpf_sock_ops. Its primary
use is to determine if there should be calls to sock_ops bpf program at
various points in the TCP code. The field is initialized to zero,
disabling the calls. A sock_ops BPF program can set it, per connection and
as necessar
Add support for reading many more tcp_sock fields
state,same as sk->sk_state
rtt_min same as sk->rtt_min.s[0].v (current rtt_min)
snd_ssthresh
rcv_nxt
snd_nxt
snd_una
mss_cache
ecn_flags
rate_delivered
rate_interval_us
packets_out
retrans_out
total_retrans
Adds an optional call to sock_ops BPF program based on whether the
BPF_SOCK_OPS_RTO_CB_FLAG is set in bpf_sock_ops_flags.
The BPF program is passed 2 arguments: icsk_retransmits and whether the
RTO has expired.
Signed-off-by: Lawrence Brakmo
---
include/uapi/linux/bpf.h | 8 +++-
net/ipv4/tc
On 01/25/2018 03:36 PM, Michael S. Tsirkin wrote:
> This reverts commit bcecb4bbf88aa03171c30652bca761cf27755a6b.
>
> If we try to allocate an extra entry as the above commit did, and when
> the requested size is UINT_MAX, addition overflows causing zero size to
> be passed to kmalloc().
>
> kmal
On 01/25/2018 03:36 PM, Michael S. Tsirkin wrote:
> The comment near __ptr_ring_peek says:
>
> * If ring is never resized, and if the pointer is merely
> * tested, there's no need to take the lock - see e.g. __ptr_ring_empty.
>
> but this was in fact never possible since consumer_head would so
Make the code more readable.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
kernel/bpf/syscall.c | 5 +
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 5bdb0cc84ad2..e24aa3241387 100644
--- a/kerne
Lockless __ptr_ring_empty requires that consumer head is read and
written at once, atomically. Annotate accordingly to make sure compiler
does it correctly. Switch locked callers to __ptr_ring_peek which does
not support the lockless operation.
Signed-off-by: Michael S. Tsirkin
---
include/linu
This fixes a bunch of issues around ptr_ring use in net core.
One of these: "tap: fix use-after-free" is also needed on net,
but can't be backported cleanly.
I will post a net patch separately.
Lightly tested - Jason, could you pls confirm this
addresses the security issue you saw with ptr_ring?
The comment near __ptr_ring_peek says:
* If ring is never resized, and if the pointer is merely
* tested, there's no need to take the lock - see e.g. __ptr_ring_empty.
but this was in fact never possible since consumer_head would sometimes
point outside the ring. Refactor the code so that it's
The only function safe to call without locks
is __ptr_ring_empty. Move documentation about
lockless use there to make sure people do not
try to use __ptr_ring_peek outside locks.
Signed-off-by: Michael S. Tsirkin
---
include/linux/ptr_ring.h | 34 ++
1 file change
Lockless access to __ptr_ring_full is only legal if ring is
never resized, otherwise it might cause use-after free errors.
Simply drop the lockless test, we'll drop the packet
a bit later when produce fails.
Fixes: 362899b8 ("macvtap: switch to use skb array")
Signed-off-by: Michael S. Tsirkin
--
Similar to bcecb4bbf88a ("net: ptr_ring: otherwise safe empty checks can
overrun array bounds") a lockless use of __ptr_ring_full might
cause an out of bounds access.
We can fix this, but it's easier to just disallow lockless
__ptr_ring_full for now.
Signed-off-by: Michael S. Tsirkin
---
includ
In theory compiler could tear queue loads or stores in two. It does not
seem to be happening in practice but it seems easier to convert the
cases where this would be a problem to READ/WRITE_ONCE than worry about
it.
Signed-off-by: Michael S. Tsirkin
---
include/linux/ptr_ring.h | 4 ++--
1 file
__skb_array_empty should use __ptr_ring_empty since that's the only
legal lockless function.
Signed-off-by: Michael S. Tsirkin
---
include/linux/skb_array.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/skb_array.h b/include/linux/skb_array.h
index c7addf3..a6
Signed-off-by: Michael S. Tsirkin
---
tools/virtio/linux/kernel.h | 2 +-
tools/virtio/linux/thread_info.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
create mode 100644 tools/virtio/linux/thread_info.h
diff --git a/tools/virtio/linux/kernel.h b/tools/virtio/linux/kernel.h
index
Offset 128 overlaps the last word of the redzone.
Use 132 which is always beyond that.
Signed-off-by: Michael S. Tsirkin
---
tools/virtio/ringtest/main.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/virtio/ringtest/main.h b/tools/virtio/ringtest/main.h
index 593a328.
We don't rely on lockless guarantees, but it
seems cleaner than inverting __ptr_ring_peek.
Signed-off-by: Michael S. Tsirkin
---
tools/virtio/ringtest/ptr_ring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/virtio/ringtest/ptr_ring.c b/tools/virtio/ringtest/ptr_ring.
This reverts commit bcecb4bbf88aa03171c30652bca761cf27755a6b.
If we try to allocate an extra entry as the above commit did, and when
the requested size is UINT_MAX, addition overflows causing zero size to
be passed to kmalloc().
kmalloc then returns ZERO_SIZE_PTR with a subsequent crash.
Reporte
This is to make ptr_ring test build again.
Signed-off-by: Michael S. Tsirkin
---
tools/virtio/ringtest/main.h | 57
1 file changed, 57 insertions(+)
diff --git a/tools/virtio/ringtest/main.h b/tools/virtio/ringtest/main.h
index 5706e07..593a328 10064
On 25/01/2018 at 23:30, Jiri Benc wrote:
> On Thu, 25 Jan 2018 15:20:59 +0100, Nicolas Dichtel wrote:
>> Hmm, I don't agree. For me, it would be the correct answer. If user has a
>> socket
>> in ns_a and targets a RTM_GETLINK in ns_b, the answer he gets should be like
>> if
>> it was done in ns
On 25/01/2018 at 22:28, David Miller wrote:
> From: Nicolas Dichtel
> Date: Thu, 25 Jan 2018 19:03:03 +0100
>
>> Some dst_ops (e.g. md_dst_ops) doesn't set this handler. It may result to:
>> "BUG: unable to handle kernel NULL pointer dereference at (null)"
>>
>> Let's add a helper to
On Thu, 25 Jan 2018 13:11:57 -0200, Marcelo Ricardo Leitner wrote:
> On Wed, Jan 24, 2018 at 12:54:12PM -0800, Jakub Kicinski wrote:
> > Hi!
> >
> > This series some of Jiri's comments and the fact that today drivers
> > may produce extack even if there is no skip_sw flag (meaning the
> > driver f
On Thu, 25 Jan 2018 12:28:58 +0100, Pablo Neira Ayuso wrote:
> On Wed, Jan 24, 2018 at 05:31:36PM -0800, Jakub Kicinski wrote:
> > On Thu, 25 Jan 2018 01:09:41 +0100, Pablo Neira Ayuso wrote:
> > > This patch adds the infrastructure to offload flows to hardware, in case
> > > the nic/switch comes
tree: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
master
head: fdd6d771c7de9d351c6dbdbab5bdc83805c06955
commit: 1280c0f8aafc4c09c59c576c8d50f367070b2619 [1917/1931] sfc: support
second + quarter ns time format for receive datapath
config: i386-randconfig-s1-201803 (atta
On Thu, 25 Jan 2018 15:01:39 +0100, Nicolas Dichtel wrote:
> The goal is to let the user follow an interface that moves to another
> netns.
>
> CC: Jiri Benc
> CC: Christian Brauner
> Signed-off-by: Nicolas Dichtel
This is great, thanks, Nicolas!
Reviewed-by: Jiri Benc
On Thu, 25 Jan 2018 15:01:38 +0100, Nicolas Dichtel wrote:
> The user should be able to follow any interface that moves to another
> netns. There is no reason to hide physical interfaces.
>
> CC: Jiri Benc
> CC: Christian Brauner
> Signed-off-by: Nicolas Dichtel
Reviewed-by: Jiri Benc
On Thu, 25 Jan 2018 15:20:59 +0100, Nicolas Dichtel wrote:
> Hmm, I don't agree. For me, it would be the correct answer. If user has a
> socket
> in ns_a and targets a RTM_GETLINK in ns_b, the answer he gets should be like
> if
> it was done in ns_b.
But that information would be useless for the
On 01/25/2018 03:58 PM, Guillaume Nault wrote:
> Hi,
>
> Commit 6926e041a892 ("uapi/if_ether.h: prevent redefinition of struct
> ethhdr"),
> can break compilation of userspace programs (in my case, accel-ppp
> (https://accel-ppp.org)).
>
> This happens for userspace programs that end up includin