linux-stable/include/net
Maciej Fijalkowski 9f0c8a9d4e xsk: Fix possible crash when multiple sockets are created
commit ba3beec2ec upstream.

Fix a crash that happens if an Rx only socket is created first, then a
second socket is created that is Tx only and bound to the same umem as
the first socket and also the same netdev and queue_id together with the
XDP_SHARED_UMEM flag. In this specific case, the tx_descs array page
pool was not created by the first socket as it was an Rx only socket.
When the second socket is bound it needs this tx_descs array of this
shared page pool as it has a Tx component, but unfortunately it was
never allocated, leading to a crash. Note that this array is only used
for zero-copy drivers using the batched Tx APIs, currently only ice and
i40e.

[ 5511.150360] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 5511.158419] #PF: supervisor write access in kernel mode
[ 5511.164472] #PF: error_code(0x0002) - not-present page
[ 5511.170416] PGD 0 P4D 0
[ 5511.173347] Oops: 0002 [#1] PREEMPT SMP PTI
[ 5511.178186] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G            E     5.18.0-rc1+ #97
[ 5511.187245] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016
[ 5511.198418] RIP: 0010:xsk_tx_peek_release_desc_batch+0x198/0x310
[ 5511.205375] Code: c0 83 c6 01 84 c2 74 6d 8d 46 ff 23 07 44 89 e1 48 83 c0 14 48 c1 e1 04 48 c1 e0 04 48 03 47 10 4c 01 c1 48 8b 50 08 48 8b 00 <48> 89 51 08 48 89 01 41 80 bd d7 00 00 00 00 75 82 48 8b 19 49 8b
[ 5511.227091] RSP: 0018:ffffc90000003dd0 EFLAGS: 00010246
[ 5511.233135] RAX: 0000000000000000 RBX: ffff88810c8da600 RCX: 0000000000000000
[ 5511.241384] RDX: 000000000000003c RSI: 0000000000000001 RDI: ffff888115f555c0
[ 5511.249634] RBP: ffffc90000003e08 R08: 0000000000000000 R09: ffff889092296b48
[ 5511.257886] R10: 0000ffffffffffff R11: ffff889092296800 R12: 0000000000000000
[ 5511.266138] R13: ffff88810c8db500 R14: 0000000000000040 R15: 0000000000000100
[ 5511.274387] FS:  0000000000000000(0000) GS:ffff88903f800000(0000) knlGS:0000000000000000
[ 5511.283746] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5511.290389] CR2: 0000000000000008 CR3: 00000001046e2001 CR4: 00000000003706f0
[ 5511.298640] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 5511.306892] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 5511.315142] Call Trace:
[ 5511.317972]  <IRQ>
[ 5511.320301]  ice_xmit_zc+0x68/0x2f0 [ice]
[ 5511.324977]  ? ktime_get+0x38/0xa0
[ 5511.328913]  ice_napi_poll+0x7a/0x6a0 [ice]
[ 5511.333784]  __napi_poll+0x2c/0x160
[ 5511.337821]  net_rx_action+0xdd/0x200
[ 5511.342058]  __do_softirq+0xe6/0x2dd
[ 5511.346198]  irq_exit_rcu+0xb5/0x100
[ 5511.350339]  common_interrupt+0xa4/0xc0
[ 5511.354777]  </IRQ>
[ 5511.357201]  <TASK>
[ 5511.359625]  asm_common_interrupt+0x1e/0x40
[ 5511.364466] RIP: 0010:cpuidle_enter_state+0xd2/0x360
[ 5511.370211] Code: 49 89 c5 0f 1f 44 00 00 31 ff e8 e9 00 7b ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 72 02 00 00 31 ff e8 02 0c 80 ff fb 45 85 f6 <0f> 88 11 01 00 00 49 63 c6 4c 2b 2c 24 48 8d 14 40 48 8d 14 90 49
[ 5511.391921] RSP: 0018:ffffffff82a03e60 EFLAGS: 00000202
[ 5511.397962] RAX: ffff88903f800000 RBX: 0000000000000001 RCX: 000000000000001f
[ 5511.406214] RDX: 0000000000000000 RSI: ffffffff823400b9 RDI: ffffffff8234c046
[ 5511.424646] RBP: ffff88810a384800 R08: 000005032a28c046 R09: 0000000000000008
[ 5511.443233] R10: 000000000000000b R11: 0000000000000006 R12: ffffffff82bcf700
[ 5511.461922] R13: 000005032a28c046 R14: 0000000000000001 R15: 0000000000000000
[ 5511.480300]  cpuidle_enter+0x29/0x40
[ 5511.494329]  do_idle+0x1c7/0x250
[ 5511.507610]  cpu_startup_entry+0x19/0x20
[ 5511.521394]  start_kernel+0x649/0x66e
[ 5511.534626]  secondary_startup_64_no_verify+0xc3/0xcb
[ 5511.549230]  </TASK>

Detect such a case during bind() and allocate this memory region via the newly
introduced xp_alloc_tx_descs(). Also, use kvcalloc instead of kcalloc as
for other buffer pool allocations, so that it matches the kvfree() from
xp_destroy().

Fixes: d1bc532e99 ("i40e: xsk: Move tmp desc array from driver to pool")
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
Link: https://lore.kernel.org/bpf/20220425153745.481322-1-maciej.fijalkowski@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-06-14 18:41:54 +02:00
9p net/p9: load default transports 2022-01-10 10:00:09 +09:00
bluetooth bluetooth: don't use bitmaps for random flag accesses 2022-06-14 18:41:26 +02:00
caif net: remove the caif_hsi driver 2021-07-01 13:19:48 -07:00
iucv net/af_iucv: Use struct_group() to zero struct iucv_sock region 2021-11-19 11:52:25 +00:00
netfilter netfilter: nf_tables: bail out early if hardware offload is not supported 2022-06-14 18:41:30 +02:00
netns xfrm: rework default policy structure 2022-05-25 09:59:06 +02:00
nfc NFC: add NCI_UNREG flag to eliminate the race 2021-11-17 20:17:05 -08:00
phonet
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
tc_act net/sched: act_pedit: really ensure the skb is writable 2022-05-18 10:28:15 +02:00
6lowpan.h
Space.h wan: remove sbni/granch driver 2021-08-03 13:05:26 +01:00
act_api.h flow_offload: validate flags of filter and actions 2021-12-19 14:08:48 +00:00
addrconf.h ipv6: mcast: use rcu-safe version of ipv6_get_lladdr() 2022-02-14 13:30:37 +00:00
af_ieee802154.h
af_rxrpc.h afs: Don't truncate iter during data fetch 2021-04-23 10:17:26 +01:00
af_unix.h af_unix: Replace the big lock with small locks. 2021-11-26 18:01:58 -08:00
af_vsock.h vsock: each transport cycles only on its own sockets 2022-03-11 23:14:19 -08:00
ah.h
amt.h amt: add mld report message handler 2021-11-01 13:36:09 +00:00
arp.h ipv4: Invalidate neighbour for broadcast address upon address addition 2022-04-13 19:27:16 +02:00
atmclip.h
ax25.h ax25: Fix ax25 session cleanup problems 2022-06-14 18:41:25 +02:00
ax88796.h ax88796: export ax_NS8390_init() hook 2021-08-03 13:05:25 +01:00
bareudp.h bareudp: Move definition of struct bareudp_conf to bareudp.c 2021-12-13 12:34:09 +00:00
bond_3ad.h bonding: fix data-races around agg_select_timer 2022-02-15 14:35:18 +00:00
bond_alb.h bonding: make tx_rebalance_counter an atomic 2021-12-03 14:16:48 +00:00
bond_options.h Bonding: add arp_missed_max option 2021-11-30 12:15:58 +00:00
bonding.h bonding: use rcu_dereference_rtnl when get bonding active slave 2022-01-24 11:57:38 +00:00
bpf_sk_storage.h bpf: struct sock is declared twice in bpf_sk_storage header 2021-03-26 17:43:55 +01:00
busy_poll.h tcp: fix another uninit-value (sk_rx_queue_mapping) 2021-12-03 14:15:49 +00:00
calipso.h
cfg80211-wext.h
cfg80211.h nl80211: Add support to set AP settings flags with single attribute 2021-12-20 10:41:26 +01:00
cfg802154.h
checksum.h openvswitch: Fix setting ipv6 fields causing hw csum failure 2022-02-24 09:16:21 -08:00
cipso_ipv4.h
cls_cgroup.h
codel.h codel: remove unnecessary pkt_sched.h include 2021-12-22 15:03:51 -08:00
codel_impl.h codel: remove unnecessary sock.h include 2021-12-22 15:03:47 -08:00
codel_qdisc.h codel: remove unnecessary pkt_sched.h include 2021-12-22 15:03:51 -08:00
compat.h net/ipv4/ipv6: Replace one-element arraya with flexible-array members 2021-08-05 11:46:42 +01:00
datalink.h llc/snap: constify dev_addr passing 2021-10-13 09:40:46 -07:00
dcbevent.h
dcbnl.h
devlink.h devlink: Add new "event_eq_size" generic device param 2021-12-21 19:08:54 -08:00
dn.h decnet: constify dev_addr passing 2021-10-13 09:40:46 -07:00
dn_dev.h
dn_fib.h net: convert fib_treeref from int to refcount_t 2021-07-30 15:33:24 +02:00
dn_neigh.h
dn_nsp.h
dn_route.h
dsa.h net: dsa: mv88e6xxx: flush switchdev FDB workqueue before removing VLAN 2022-02-14 13:31:12 +00:00
dsfield.h
dst.h net: dst: add net device refcount tracking to dst_entry 2021-12-06 16:05:10 -08:00
dst_cache.h wireguard: device: reset peer src endpoint when netns exits 2021-11-29 19:50:45 -08:00
dst_metadata.h net: fix a memleak when uncloning an skb dst and its metadata 2022-02-09 11:41:47 +00:00
dst_ops.h
erspan.h
esp.h esp: limit skb_page_frag_refill use to a single page 2022-04-27 14:40:58 +02:00
espintcp.h
ethoc.h
failover.h net: failover: add net device refcount tracker 2021-12-06 16:06:02 -08:00
fib_notifier.h
fib_rules.h fib: expand fib_rule_policy 2021-12-16 07:18:35 -08:00
firewire.h
flow.h flow: fix object-size-mismatch warning in flowi{4,6}_to_flowi_common() 2021-09-02 11:44:19 +01:00
flow_dissector.h net/sched: flower: fix parsing of ethertype following VLAN header 2022-04-20 09:36:12 +02:00
flow_offload.h netfilter: nf_tables: bail out early if hardware offload is not supported 2022-06-14 18:41:30 +02:00
fou.h
fq.h
fq_impl.h
garp.h
gen_stats.h net: sched: Remove Qdisc::running sequence counter 2021-10-18 12:54:41 +01:00
genetlink.h
geneve.h
gre.h
gro.h net: fix recent csum changes 2021-12-06 16:26:46 -08:00
gro_cells.h
gtp.h
gue.h
hwbm.h
icmp.h ipv6: ICMPV6: add response to ICMPV6 RFC 8335 PROBE messages 2021-06-28 14:29:45 -07:00
ieee80211_radiotap.h mac80211: Use flex-array for radiotap header bitmap 2021-08-13 09:58:25 +02:00
ieee802154_netdev.h
if_inet6.h ipv6: fix locking issues with loops over idev->addr_list 2022-06-09 10:25:18 +02:00
ife.h
ila.h
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h
inet_connection_sock.h dccp/tcp: Remove an unused argument in inet_csk_listen_start(). 2021-11-23 20:16:18 -08:00
inet_ecn.h net: add skb_get_dsfield() helper 2021-10-15 11:33:08 +01:00
inet_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-13 13:06:05 +00:00
inet_hashtables.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-05-18 10:28:17 +02:00
inet_sock.h ipv4/raw: support binding to nonlocal addresses 2021-11-17 20:21:52 -08:00
inet_timewait_sock.h
inetpeer.h
ioam6.h ipv6: ioam: Distinguish input and output for hop-limit 2021-10-04 12:53:35 +01:00
ip.h xfrm: fix "disable_policy" flag use when arriving from different devices 2022-05-25 09:59:06 +02:00
ip6_checksum.h net: move gro definitions to include/net/gro.h 2021-11-16 13:16:54 +00:00
ip6_fib.h ipv6: fix data-race in fib6_info_hw_flags_set / fib6_purge_rt 2022-02-17 09:48:24 -08:00
ip6_route.h ipv6: ip6_skb_dst_mtu() cleanups 2021-11-19 20:09:55 -08:00
ip6_tunnel.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-05-09 09:16:23 +02:00
ip_fib.h inet: add net device refcount tracker to struct fib_nh_common 2021-12-07 20:44:59 -08:00
ip_tunnels.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-05-09 09:16:23 +02:00
ip_vs.h ipvs: add sysctl_run_estimation to support disable estimation 2021-10-07 19:52:58 +02:00
ipcomp.h
ipconfig.h
ipv6.h ipv6: per-netns exclusive flowlabel checks 2022-02-16 20:37:47 -08:00
ipv6_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-13 13:06:05 +00:00
ipv6_stubs.h net: ipv6: add fib6_nh_release_dsts stub 2021-11-22 15:44:49 +00:00
iw_handler.h
kcm.h
l3mdev.h
lag.h
lapb.h net: lapb: Make "lapb_t1timer_running" able to detect an already running timer 2021-03-23 14:14:50 -07:00
lib80211.h
llc.h llc: fix out-of-bound array index in llc_sk_dev_hash() 2021-11-07 19:25:29 +00:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: add net device refcount tracker 2021-12-07 20:44:59 -08:00
llc_if.h llc/snap: constify dev_addr passing 2021-10-13 09:40:46 -07:00
llc_pdu.h net: llc: fix skb_over_panic 2021-07-27 13:05:56 +01:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h netfilter: add netfilter hooks to SRv6 data plane 2021-08-30 01:51:36 +02:00
mac80211.h mac80211: Add stations iterator where the iterator function may sleep 2022-01-04 15:47:15 +01:00
mac802154.h
macsec.h net: macsec: fix the length used to copy the key for offloading 2021-06-24 12:41:12 -07:00
mctp.h mctp: Use output netdev to allocate skb headroom 2022-04-13 19:27:29 +02:00
mctpdevice.h mctp: Pass flow data & flow release events to drivers 2021-10-29 13:23:51 +01:00
mip6.h
mld.h mld: add new workqueues for process mld events 2021-03-26 15:14:56 -07:00
mpls.h
mpls_iptunnel.h
mptcp.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-28 10:43:58 -07:00
mrp.h
ncsi.h
ndisc.h ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report() 2022-03-03 09:47:06 -08:00
neighbour.h net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work 2022-02-02 20:30:18 -08:00
net_failover.h
net_namespace.h net: initialize init_net earlier 2022-04-13 19:27:12 +02:00
net_ratelimit.h
net_trackers.h net: add networking namespace refcount tracker 2021-12-10 06:38:26 -08:00
netevent.h
netlabel.h
netlink.h net: netlink: add the case when nlh is NULL 2021-07-27 11:43:50 +01:00
netprio_cgroup.h
netrom.h
nexthop.h net: ipv4: Fix rtnexthop len when RTA_FLOW is present 2021-09-24 14:07:10 +01:00
nl802154.h net: ieee802154: handle iftypes as u32 2021-11-16 18:02:46 +01:00
nsh.h
p8022.h
page_pool.h page_pool: Store the XDP mem id 2022-01-05 19:46:32 -08:00
pie.h
ping.h
pkt_cls.h net: sched: do not allocate a tracker in tcf_exts_init() 2022-01-11 20:40:16 -08:00
pkt_sched.h net: openvswitch: Fix ct_state nat flags for conns arriving from tc 2022-01-09 16:24:12 -08:00
pptp.h
protocol.h net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
psample.h psample: Add a fwd declaration for skbuff 2021-08-09 15:34:21 -07:00
psnap.h
raw.h
rawv6.h
red.h sch_red: fix off-by-one checks in red_check_params() 2021-03-25 17:40:43 -07:00
regulatory.h
request_sock.h
rose.h rose: constify dev_addr passing 2021-10-13 09:40:45 -07:00
route.h ipv4: remove sparse error in ip_neigh_gw4() 2022-01-27 08:38:33 -08:00
rpl.h
rsi_91x.h
rtnetlink.h net: add extack arg for link ops 2021-08-04 10:01:26 +01:00
rtnh.h
sch_generic.h net: sched: add barrier to fix packet stuck problem for lockless qdisc 2022-06-14 18:41:24 +02:00
scm.h
secure_seq.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-05-18 10:28:17 +02:00
seg6.h udp6: Use Segment Routing Header for dest address if present 2022-01-04 12:17:35 +00:00
seg6_hmac.h
seg6_local.h
selftests.h net: selftest: fix build issue if INET is disabled 2021-04-28 14:06:45 -07:00
slhc_vj.h
smc.h
snmp.h
sock.h net-timestamp: convert sk->sk_tskey to atomic_t 2022-02-18 11:14:52 +00:00
sock_reuseport.h tcp: Add reuseport_migrate_sock() to select a new listener. 2021-06-15 18:01:05 +02:00
stp.h
strparser.h bpf, sockmap: sk_skb data_end access incorrect when src_reg = dst_reg 2021-11-09 01:05:34 +01:00
switchdev.h net: switchdev: merge switchdev_handle_fdb_{add,del}_to_device 2021-10-27 14:54:02 +01:00
tcp.h tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:41:22 +02:00
tcp_states.h
timewait_sock.h
tipc.h
tls.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-28 10:43:58 -07:00
tls_toe.h
transp_v6.h
tso.h
tun_proto.h
udp.h net: move gro definitions to include/net/gro.h 2021-11-16 13:16:54 +00:00
udp_tunnel.h
udplite.h
vsock_addr.h
vxlan.h net: vxlan: add macro definition for number of IANA VXLAN-GPE port 2021-11-29 12:19:53 +00:00
wext.h
x25.h
x25device.h
xdp.h xdp: Allow registering memory model without rxq reference 2022-01-05 19:46:32 -08:00
xdp_priv.h xsk: Wipe out dead zero_copy_allocator declarations 2021-12-14 00:24:24 +01:00
xdp_sock.h net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
xdp_sock_drv.h i40e: xsk: Move tmp desc array from driver to pool 2022-06-14 18:41:31 +02:00
xfrm.h xfrm: fix "disable_policy" flag use when arriving from different devices 2022-05-25 09:59:06 +02:00
xsk_buff_pool.h xsk: Fix possible crash when multiple sockets are created 2022-06-14 18:41:54 +02:00