1. 05 Feb, 2020 1 commit
    • Eric Dumazet's avatar
      bonding/alb: properly access headers in bond_alb_xmit() · 38f88c45
      Eric Dumazet authored
      syzbot managed to send an IPX packet through bond_alb_xmit()
      and af_packet and triggered a use-after-free.
      First, bond_alb_xmit() was using ipx_hdr() helper to reach
      the IPX header, but ipx_hdr() was using the transport offset
      instead of the network offset. In the particular syzbot
      report transport offset was 0xFFFF
      This patch removes ipx_hdr() since it was only (mis)used from bonding.
      Then we need to make sure IPv4/IPv6/IPX headers are pulled
      in skb->head before dereferencing anything.
      BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
      Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
       (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       [<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
       [<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
       [<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
       [<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
       [<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
       [<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
       [<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
       [<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
       [<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
       [<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
       [<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
       [<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
       [<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
       [<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
       [<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
       [<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
       [<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
       [<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
       [<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
       [<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
       [<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
       [<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
       [<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004
      Fixes: 1da177e4
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  2. 24 Oct, 2019 1 commit
    • Taehee Yoo's avatar
      net: remove unnecessary variables and callback · f3b0a18b
      Taehee Yoo authored
      This patch removes variables and callback these are related to the nested
      device structure.
      devices that can be nested have their own nest_level variable that
      represents the depth of nested devices.
      In the previous patch, new {lower/upper}_level variables are added and
      they replace old private nest_level variable.
      So, this patch removes all 'nest_level' variables.
      In order to avoid lockdep warning, ->ndo_get_lock_subclass() was added
      to get lockdep subclass value, which is actually lower nested depth value.
      But now, they use the dynamic lockdep key to avoid lockdep warning instead
      of the subclass.
      So, this patch removes ->ndo_get_lock_subclass() callback.
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  3. 09 Jun, 2019 1 commit
  4. 21 May, 2019 1 commit
  5. 14 Dec, 2018 1 commit
  6. 16 May, 2018 3 commits
  7. 11 May, 2018 3 commits
  8. 25 Oct, 2017 1 commit
    • Mark Rutland's avatar
      locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns... · 6aa7de05
      Mark Rutland authored
      locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE()
      Please do not apply this to mainline directly, instead please re-run the
      coccinelle script shown below and apply its output.
      For several reasons, it is desirable to use {READ,WRITE}_ONCE() in
      preference to ACCESS_ONCE(), and new code is expected to use one of the
      former. So far, there's been no reason to change most existing uses of
      ACCESS_ONCE(), as these aren't harmful, and changing them results in
      However, for some features, the read/write distinction is critical to
      correct operation. To distinguish these cases, separate read/write
      accessors must be used. This patch migrates (most) remaining
      ACCESS_ONCE() instances to {READ,WRITE}_ONCE(), using the following
      coccinelle script:
      // Convert trivial ACCESS_ONCE() uses to equivalent READ_ONCE() and
      // WRITE_ONCE()
      // $ make coccicheck COCCI=/home/mark/once.cocci SPFLAGS="--include-headers" MODE=patch
      virtual patch
      @ depends on patch @
      expression E1, E2;
      - ACCESS_ONCE(E1) = E2
      + WRITE_ONCE(E1, E2)
      @ depends on patch @
      expression E;
      - ACCESS_ONCE(E)
      + READ_ONCE(E)
      Signed-off-by: Mark Rutland's avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: davem@davemloft.net
      Cc: linux-arch@vger.kernel.org
      Cc: mpe@ellerman.id.au
      Cc: shuah@kernel.org
      Cc: snitzer@redhat.com
      Cc: thor.thayer@linux.intel.com
      Cc: tj@kernel.org
      Cc: viro@zeniv.linux.org.uk
      Cc: will.deacon@arm.com
      Link: http://lkml.kernel.org/r/1508792849-3115-19-git-send-email-paulmck@linux.vnet.ibm.com
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
  9. 20 Jun, 2017 1 commit
  10. 16 Jun, 2017 1 commit
    • Johannes Berg's avatar
      networking: introduce and use skb_put_data() · 59ae1d12
      Johannes Berg authored
      A common pattern with skb_put() is to just want to memcpy()
      some data into the new space, introduce skb_put_data() for
      An spatch similar to the one for skb_put_zero() converts many
      of the places using it:
          identifier p, p2;
          expression len, skb, data;
          type t, t2;
          -p = skb_put(skb, len);
          +p = skb_put_data(skb, data, len);
          -p = (t)skb_put(skb, len);
          +p = skb_put_data(skb, data, len);
          p2 = (t2)p;
          -memcpy(p2, data, len);
          -memcpy(p, data, len);
          type t, t2;
          identifier p, p2;
          expression skb, data;
          t *p;
          -p = skb_put(skb, sizeof(t));
          +p = skb_put_data(skb, data, sizeof(t));
          -p = (t *)skb_put(skb, sizeof(t));
          +p = skb_put_data(skb, data, sizeof(t));
          p2 = (t2)p;
          -memcpy(p2, data, sizeof(*p));
          -memcpy(p, data, sizeof(*p));
          expression skb, len, data;
          -memcpy(skb_put(skb, len), data, len);
          +skb_put_data(skb, data, len);
      (again, manually post-processed to retain some comments)
      Reviewed-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  11. 06 Apr, 2017 1 commit
    • Jarod Wilson's avatar
      bonding: attempt to better support longer hw addresses · faeeb317
      Jarod Wilson authored
      People are using bonding over Infiniband IPoIB connections, and who knows
      what else. Infiniband has a hardware address length of 20 octets
      (INFINIBAND_ALEN), and the network core defines a MAX_ADDR_LEN of 32.
      Various places in the bonding code are currently hard-wired to 6 octets
      (ETH_ALEN), such as the 3ad code, which I've left untouched here. Besides,
      only alb is currently possible on Infiniband links right now anyway, due
      to commit 1533e773
      , so the alb code is where most of the changes are.
      One major component of this change is the addition of a bond_hw_addr_copy
      function that takes a length argument, instead of using ether_addr_copy
      everywhere that hardware addresses need to be copied about. The other
      major component of this change is converting the bonding code from using
      struct sockaddr for address storage to struct sockaddr_storage, as the
      former has an address storage space of only 14, while the latter is 128
      minus a few, which is necessary to support bonding over device with up to
      MAX_ADDR_LEN octet hardware addresses. Additionally, this probably fixes
      up some memory corruption issues with the current code, where it's
      possible to write an infiniband hardware address into a sockaddr declared
      on the stack.
      Lightly tested on a dual mlx4 IPoIB setup, which properly shows a 20-octet
      hardware address now:
      $ cat /proc/net/bonding/bond0
      Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
      Bonding Mode: fault-tolerance (active-backup) (fail_over_mac active)
      Primary Slave: mlx4_ib0 (primary_reselect always)
      Currently Active Slave: mlx4_ib0
      MII Status: up
      MII Polling Interval (ms): 100
      Up Delay (ms): 100
      Down Delay (ms): 100
      Slave Interface: mlx4_ib0
      MII Status: up
      Speed: Unknown
      Duplex: Unknown
      Link Failure Count: 0
      Permanent HW addr:
      Slave queue ID: 0
      Slave Interface: mlx4_ib1
      MII Status: up
      Speed: Unknown
      Duplex: Unknown
      Link Failure Count: 0
      Permanent HW addr:
      Slave queue ID: 0
      Also tested with a standard 1Gbps NIC bonding setup (with a mix of
      e1000 and e1000e cards), running LNST's bonding tests.
      CC: Jay Vosburgh <j.vosburgh@gmail.com>
      CC: Veaceslav Falico <vfalico@gmail.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      CC: netdev@vger.kernel.org
      Signed-off-by: default avatarJarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  12. 18 Oct, 2016 1 commit
  13. 01 Jul, 2016 1 commit
  14. 11 Feb, 2016 1 commit
  15. 21 Nov, 2014 1 commit
  16. 10 Nov, 2014 1 commit
  17. 31 Oct, 2014 1 commit
  18. 06 Oct, 2014 1 commit
    • Mahesh Bandewar's avatar
      bonding: Simplify the xmit function for modes that use xmit_hash · ee637714
      Mahesh Bandewar authored
      Earlier change to use usable slave array for TLB mode had an additional
      performance advantage. So extending the same logic to all other modes
      that use xmit-hash for slave selection (viz 802.3AD, and XOR modes).
      Also consolidating this with the earlier TLB change.
      The main idea is to build the usable slaves array in the control path
      and use that array for slave selection during xmit operation.
      Measured performance in a setup with a bond of 4x1G NICs with 200
      instances of netperf for the modes involved (3ad, xor, tlb)
      cmd: netperf -t TCP_RR -H <TargetHost> -l 60 -s 5
      Mode        TPS-Before   TPS-After
      802.3ad   : 468,694      493,101
      TLB (lb=0): 392,583      392,965
      XOR       : 475,696      484,517
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  19. 15 Sep, 2014 2 commits
  20. 13 Sep, 2014 4 commits
    • Nikolay Aleksandrov's avatar
      bonding: adjust locking comments · 8c0bc550
      Nikolay Aleksandrov authored
      Now that locks have been removed, remove some unnecessary comments and
      adjust others to reflect reality. Also add a comment to "mode_lock" to
      describe its current users and give a brief summary why they need it.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Nikolay Aleksandrov's avatar
      bonding: alb: convert to bond->mode_lock · 4bab16d7
      Nikolay Aleksandrov authored
      The ALB/TLB specific spinlocks are no longer necessary as we now have
      bond->mode_lock for this purpose, so convert them and remove them from
      struct alb_bond_info.
      Also remove the unneeded lock/unlock functions and use spin_lock/unlock
      Suggested-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Nikolay Aleksandrov's avatar
      bonding: clean curr_slave_lock use · 1c72cfdc
      Nikolay Aleksandrov authored
      Mostly all users of curr_slave_lock already have RTNL as we've discussed
      previously so there's no point in using it, the one case where the lock
      must stay is the 3ad code, in fact it's the only one.
      It's okay to remove it from bond_do_fail_over_mac() as it's called with
      RTNL and drops the curr_slave_lock anyway.
      bond_change_active_slave() is one of the main places where
      curr_slave_lock was used, it's okay to remove it as all callers use RTNL
      these days before calling it, that's why we move the ASSERT_RTNL() in
      the beginning to catch any potential offenders to this rule.
      The RTNL argument actually applies to all of the places where
      curr_slave_lock has been removed from in this patch.
      Also remove the unnecessary bond_deref_active_protected() macro and use
      rtnl_dereference() instead.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Nikolay Aleksandrov's avatar
      bonding: alb: remove curr_slave_lock · 62c5f518
      Nikolay Aleksandrov authored
      First in rlb_teach_disabled_mac_on_primary() it's okay to remove
      curr_slave_lock as all callers except bond_alb_monitor() already hold
      RTNL, and in case bond_alb_monitor() is executing we can at most have a
      period with bad throughput (very unlikely though).
      In bond_alb_monitor() it's okay to remove the read_lock as the slave
      list is walked with RCU and the worst that could happen is another
      transmitter at the same time and thus for a period which currently is 10
      seconds (bond_alb.h: BOND_ALB_LP_TICKS).
      And bond_alb_handle_active_change() is okay because it's always called
      with RTNL. Removed the ASSERT_RTNL() because it'll be inserted in the
      parent function in a following patch.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  21. 10 Sep, 2014 1 commit
  22. 22 Aug, 2014 1 commit
  23. 21 Jul, 2014 1 commit
  24. 17 Jul, 2014 1 commit
    • Mahesh Bandewar's avatar
      bonding: Do not try to send packets over dead link in TLB mode. · 6b794c1c
      Mahesh Bandewar authored
      In TLB mode if tlb_dynamic_lb is NOT set, slaves from the bond
      group are selected based on the hash distribution. This does not
      exclude dead links which are part of the bond. Also if there is a
      temporary link event which brings down the interface, packets
      hashed on that interface would be dropped too.
      This patch fixes these issues and distributes flows across the
      UP links only. Also the array construction of links which are
      capable of sending packets happen in the control path leaving
      only link-selection during the data-path.
      One possible side effect of this is - at a link event; all
      flows will be shuffled to get good distribution. But impact of
      this should be minimum with the assumption that a member or
      members of the bond group are not available is a very temporary
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  25. 16 Jul, 2014 3 commits
  26. 04 Jun, 2014 1 commit
    • Vlad Yasevich's avatar
      bonding: Support macvlans on top of tlb/rlb mode bonds · 14af9963
      Vlad Yasevich authored
      To make TLB mode work, the patch allows learning packets
      to be sent using mac addresses assigned to macvlan devices,
      also taking into an account vlans that may be between the
      bond and macvlan device.
      To make RLB work, all we have to do is accept ARP packets
      for addresses added to the bond dev->uc list.  Since RLB
      mode will take care to update the peers directly with
      correct mac addresses, learning packets for these addresses
      do not have be send to switch.
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  27. 22 May, 2014 2 commits
    • Vlad Yasevich's avatar
      bonding: Send ALB learning packets using the right source · d0c21d43
      Vlad Yasevich authored
      ALB learning packets are currentlyalways sent using the slave mac
      address for all vlans configured on top of bond.   This is not always
      correct, as vlans may change their mac address.
      This patch introduced a concept of strict matching where the
      source of learning packets can either strictly match the address
      passed in, or it can determine a more correct address to use.
      There are 3 casese to consider:
        1) Switchover.  In this case, we have a new active slave and we need
           tell the switch about all addresses available on the slave.
        2) Monitor.  We'll periodically refresh learning info for all slaves.
           In this case, we refresh all addresses for current active, and just
           the slave address for other slaves.
        3) Teaching of disabled adddress.  This happens as part of the
           failover and in this case, we alwyas to use just the address
      CC: Jay Vosburgh <j.vosburgh@gmail.com>
      CC: Veaceslav Falico <vfalico@gmail.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Vlad Yasevich's avatar
      bonding: Don't assume 802.1Q when sending alb learning packets. · d6b694c0
      Vlad Yasevich authored
      TLB/ALB learning packets always assume 802.1Q vlan protocol, but
      that is no longer the case since we now have support for Q-in-Q
      on top of bonding.  Pass the vlan protocol to alb_send_lp_vid()
      so that the packets are properly tagged.
      CC: Jay Vosburgh <j.vosburgh@gmail.com>
      CC: Veaceslav Falico <vfalico@gmail.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Acked-by: default avatarVeaceslav Falico <vfalico@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  28. 17 May, 2014 1 commit
  29. 16 May, 2014 1 commit