netdev.vger.kernel.org archive mirror
* [PATCH AUTOSEL 5.4 02/10] cfg80211: initialize rekey_data
       [not found] <20201220033457.2728519-1-sashal@kernel.org>
@ 2020-12-20  3:34 ` Sasha Levin
  2020-12-20  3:34 ` [PATCH AUTOSEL 5.4 04/10] lwt: Disable BH too in run_lwt_bpf() Sasha Levin
  2020-12-20  3:34 ` [PATCH AUTOSEL 5.4 08/10] selftests/bpf: Fix array access with signed variable test Sasha Levin
  2 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2020-12-20  3:34 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Sara Sharon, Luca Coelho, Johannes Berg, Sasha Levin,
	linux-wireless, netdev

From: Sara Sharon <sara.sharon@intel.com>

[ Upstream commit f495acd8851d7b345e5f0e521b2645b1e1f928a0 ]

In case we have old supplicant, the akm field is uninitialized.

Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20201129172929.930f0ab7ebee.Ic546e384efab3f4a89f318eafddc3eb7d556aecb@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/nl80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index dbac5c0995a0f..5bb2316befb98 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -12033,7 +12033,7 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
 	struct net_device *dev = info->user_ptr[1];
 	struct wireless_dev *wdev = dev->ieee80211_ptr;
 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
-	struct cfg80211_gtk_rekey_data rekey_data;
+	struct cfg80211_gtk_rekey_data rekey_data = {};
 	int err;
 
 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
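Review bot: the commit message says only that akm is uninitialized with an old supplicant, and the changed declaration of rekey_data carries no comment, so it is not checkable from here where akm is read or why zero is a safe default; a sentence in the message or a one-line comment at the declaration stating that fields not supplied in NL80211_ATTR_REKEY_DATA must stay zero would fix that. The empty initializer also does not guarantee that padding bytes are cleared; if the struct is ever copied out or compared bytewise, an explicit memset() is the safer form.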
-- 
2.27.0



* [PATCH AUTOSEL 5.4 04/10] lwt: Disable BH too in run_lwt_bpf()
       [not found] <20201220033457.2728519-1-sashal@kernel.org>
  2020-12-20  3:34 ` [PATCH AUTOSEL 5.4 02/10] cfg80211: initialize rekey_data Sasha Levin
@ 2020-12-20  3:34 ` Sasha Levin
  2020-12-20  3:34 ` [PATCH AUTOSEL 5.4 08/10] selftests/bpf: Fix array access with signed variable test Sasha Levin
  2 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2020-12-20  3:34 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Dongdong Wang, Alexei Starovoitov, Cong Wang, Sasha Levin, netdev, bpf

From: Dongdong Wang <wangdongdong.6@bytedance.com>

[ Upstream commit d9054a1ff585ba01029584ab730efc794603d68f ]

The per-cpu bpf_redirect_info is shared among all skb_do_redirect()
and BPF redirect helpers. Callers on RX path are all in BH context,
disabling preemption is not sufficient to prevent BH interruption.

In production, we observed strange packet drops because of the race
condition between LWT xmit and TC ingress, and we verified this issue
is fixed after we disable BH.

Although this bug was technically introduced from the beginning, that
is commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure"),
at that time call_rcu() had to be call_rcu_bh() to match the RCU context.
So this patch may not work well before RCU flavor consolidation has been
completed around v5.0.

Update the comments above the code too, as call_rcu() is now BH friendly.

Signed-off-by: Dongdong Wang <wangdongdong.6@bytedance.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Cong Wang <cong.wang@bytedance.com>
Link: https://lore.kernel.org/bpf/20201205075946.497763-1-xiyou.wangcong@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/lwt_bpf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
index 99a6de52b21da..a5502c5aa44e7 100644
--- a/net/core/lwt_bpf.c
+++ b/net/core/lwt_bpf.c
@@ -39,12 +39,11 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt,
 {
 	int ret;
 
-	/* Preempt disable is needed to protect per-cpu redirect_info between
-	 * BPF prog and skb_do_redirect(). The call_rcu in bpf_prog_put() and
-	 * access to maps strictly require a rcu_read_lock() for protection,
-	 * mixing with BH RCU lock doesn't work.
+	/* Preempt disable and BH disable are needed to protect per-cpu
+	 * redirect_info between BPF prog and skb_do_redirect().
 	 */
 	preempt_disable();
+	local_bh_disable();
 	bpf_compute_data_pointers(skb);
 	ret = bpf_prog_run_save_cb(lwt->prog, skb);
 
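Review bot: the rewritten comment above preempt_disable() states that BH disable is needed but not why, and the removed lines that explained the RCU constraint are dropped without a replacement. Say in the comment that RX-path users of the per-cpu redirect_info run in BH context and can interrupt this section on the same CPU, so a later cleanup does not treat local_bh_disable() as redundant next to preempt_disable().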
@@ -78,6 +77,7 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt,
 		break;
 	}
 
+	local_bh_enable();
 	preempt_enable();
 
 	return ret;
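Review bot: confirm that no case in the switch above the added local_bh_enable() returns directly; only the tail of the switch is visible in this hunk, and any such path would now leave BH disabled as well as preemption. The unwind order itself (local_bh_enable() then preempt_enable()) correctly mirrors the disable order in the first hunk.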
-- 
2.27.0



* [PATCH AUTOSEL 5.4 08/10] selftests/bpf: Fix array access with signed variable test
       [not found] <20201220033457.2728519-1-sashal@kernel.org>
  2020-12-20  3:34 ` [PATCH AUTOSEL 5.4 02/10] cfg80211: initialize rekey_data Sasha Levin
  2020-12-20  3:34 ` [PATCH AUTOSEL 5.4 04/10] lwt: Disable BH too in run_lwt_bpf() Sasha Levin
@ 2020-12-20  3:34 ` Sasha Levin
  2020-12-20 12:05   ` Jean-Philippe Brucker
  2 siblings, 1 reply; 5+ messages in thread
From: Sasha Levin @ 2020-12-20  3:34 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jean-Philippe Brucker, John Fastabend, Alexei Starovoitov,
	Sasha Levin, linux-kselftest, netdev, bpf

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

[ Upstream commit 77ce220c0549dcc3db8226c61c60e83fc59dfafc ]

The test fails because of a recent fix to the verifier, even though this
program is valid. In details what happens is:

    7: (61) r1 = *(u32 *)(r0 +0)

Load a 32-bit value, with signed bounds [S32_MIN, S32_MAX]. The bounds
of the 64-bit value are [0, U32_MAX]...

    8: (65) if r1 s> 0xffffffff goto pc+1

... therefore this is always true (the operand is sign-extended).

    10: (b4) w2 = 11
    11: (6d) if r2 s> r1 goto pc+1

When true, the 64-bit bounds become [0, 10]. The 32-bit bounds are still
[S32_MIN, 10].

    13: (64) w1 <<= 2

Because this is a 32-bit operation, the verifier propagates the new
32-bit bounds to the 64-bit ones, and the knowledge gained from insn 11
is lost.

    14: (0f) r0 += r1
    15: (7a) *(u64 *)(r0 +0) = 4

Then the verifier considers r0 unbounded here, rejecting the test. To
make the test work, change insn 8 to check the sign of the 32-bit value.

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/bpf/verifier/array_access.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/verifier/array_access.c b/tools/testing/selftests/bpf/verifier/array_access.c
index f3c33e128709b..a80d806ead15f 100644
--- a/tools/testing/selftests/bpf/verifier/array_access.c
+++ b/tools/testing/selftests/bpf/verifier/array_access.c
@@ -68,7 +68,7 @@
 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
-	BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
+	BPF_JMP32_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
 	BPF_MOV32_IMM(BPF_REG_1, 0),
 	BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
 	BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
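Review bot: in the changed BPF_JMP32_IMM line the immediate 0xffffffff is compared as a signed 32-bit value, that is, -1; writing it as -1 would make it obvious that this is a sign check on the loaded word, which is what the commit message says the instruction is now for.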
-- 
2.27.0
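
The insn 8 comparison described in the commit message above, run on concrete values. This is an added example, not code from the patch or the kernel tree; the helper names and sample values are constructed, and the path where insn 11 does not branch is not described on the page and is reported as -1.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 11  /* from "w2 = 11" (insn 10) in the commit message */

/* Constructed sample values for the u32 loaded at insn 7. */
static const uint32_t samples[] = { 0, 1, 10, 11, 0x7fffffffu, 0x80000000u, 0xffffffffu };
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* insn 8 before the patch: 64-bit JSGT; the 32-bit immediate 0xffffffff
 * is sign-extended to -1, the register holds a zero-extended u32. */
static int insn8_jmp64(uint64_t r1) { return (int64_t)r1 > (int64_t)-1; }

/* insn 8 after the patch: JMP32 JSGT compares the low 32 bits as signed. */
static int insn8_jmp32(uint64_t r1) { return (int32_t)(uint32_t)r1 > (int32_t)-1; }

/* Hypothetical helper: run insns 7-13 on one value. Returns the offset
 * added to r0 when insn 11 branches, or -1 when it does not. */
static int64_t run(uint32_t loaded, int use_jmp32)
{
    uint64_t r1 = loaded;                       /* insn 7: u32 load */
    int taken = use_jmp32 ? insn8_jmp32(r1) : insn8_jmp64(r1);
    if (!taken)
        r1 = 0;                                 /* insn 9: w1 = 0 */
    if (!((int64_t)MAX_ENTRIES > (int64_t)r1))  /* insn 11: r2 s> r1 */
        return -1;
    return (uint32_t)((uint32_t)r1 << 2);       /* insn 13: w1 <<= 2 */
}

/* Number of samples for which the insn 8 branch is taken. */
static unsigned insn8_taken(int use_jmp32)
{
    unsigned n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        n += use_jmp32 ? insn8_jmp32(samples[i]) : insn8_jmp64(samples[i]);
    return n;
}

/* Largest offset reached on the path where insn 11 branches. */
static int64_t max_offset(int use_jmp32)
{
    int64_t max = -1;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (run(samples[i], use_jmp32) > max)
            max = run(samples[i], use_jmp32);
    return max;
}

int main(void)
{
    printf("JMP:   insn 8 taken %u/7, max offset %lld\n", insn8_taken(0), (long long)max_offset(0));
    printf("JMP32: insn 8 taken %u/7, max offset %lld\n", insn8_taken(1), (long long)max_offset(1));
    return 0;
}
```

With the 64-bit compare every sample takes the insn 8 branch, so it filters nothing; at run time the offset is bounded the same way in both encodings, and only the 32-bit form gives the verifier a 32-bit lower bound to keep.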



* Re: [PATCH AUTOSEL 5.4 08/10] selftests/bpf: Fix array access with signed variable test
  2020-12-20  3:34 ` [PATCH AUTOSEL 5.4 08/10] selftests/bpf: Fix array access with signed variable test Sasha Levin
@ 2020-12-20 12:05   ` Jean-Philippe Brucker
  2020-12-21 19:09     ` Sasha Levin
  0 siblings, 1 reply; 5+ messages in thread
From: Jean-Philippe Brucker @ 2020-12-20 12:05 UTC (permalink / raw)
  To: Sasha Levin
  Cc: linux-kernel, stable, John Fastabend, Alexei Starovoitov,
	linux-kselftest, netdev, bpf

Hi,

On Sat, Dec 19, 2020 at 10:34:55PM -0500, Sasha Levin wrote:
> From: Jean-Philippe Brucker <jean-philippe@linaro.org>
> 
> [ Upstream commit 77ce220c0549dcc3db8226c61c60e83fc59dfafc ]
> 
> The test fails because of a recent fix to the verifier, even though this

That fix is commit b02709587ea3 ("bpf: Fix propagation of 32-bit signed
bounds from 64-bit bounds.") upstream, which only needed backport to 5.9.
So although backporting this patch to 5.4 shouldn't break anything, I
wouldn't bother. 

Thanks,
Jean

> program is valid. In details what happens is:
> 
>     7: (61) r1 = *(u32 *)(r0 +0)
> 
> Load a 32-bit value, with signed bounds [S32_MIN, S32_MAX]. The bounds
> of the 64-bit value are [0, U32_MAX]...
> 
>     8: (65) if r1 s> 0xffffffff goto pc+1
> 
> ... therefore this is always true (the operand is sign-extended).
> 
>     10: (b4) w2 = 11
>     11: (6d) if r2 s> r1 goto pc+1
> 
> When true, the 64-bit bounds become [0, 10]. The 32-bit bounds are still
> [S32_MIN, 10].
> 
>     13: (64) w1 <<= 2
> 
> Because this is a 32-bit operation, the verifier propagates the new
> 32-bit bounds to the 64-bit ones, and the knowledge gained from insn 11
> is lost.
> 
>     14: (0f) r0 += r1
>     15: (7a) *(u64 *)(r0 +0) = 4
> 
> Then the verifier considers r0 unbounded here, rejecting the test. To
> make the test work, change insn 8 to check the sign of the 32-bit value.
> 
> Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
> Acked-by: John Fastabend <john.fastabend@gmail.com>
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  tools/testing/selftests/bpf/verifier/array_access.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/testing/selftests/bpf/verifier/array_access.c b/tools/testing/selftests/bpf/verifier/array_access.c
> index f3c33e128709b..a80d806ead15f 100644
> --- a/tools/testing/selftests/bpf/verifier/array_access.c
> +++ b/tools/testing/selftests/bpf/verifier/array_access.c
> @@ -68,7 +68,7 @@
>  	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
>  	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
>  	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
> -	BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
> +	BPF_JMP32_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
>  	BPF_MOV32_IMM(BPF_REG_1, 0),
>  	BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
>  	BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
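Review bot: after this change the quoted hunk mixes a 32-bit compare (BPF_JMP32_IMM on BPF_REG_1) with a 64-bit one two lines later (BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1)) and has no comment saying why. A short comment on the JMP32 line that it establishes the 32-bit lower bound the verifier needs would keep a later cleanup from changing it back to BPF_JMP_IMM.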
> -- 
> 2.27.0
> 


* Re: [PATCH AUTOSEL 5.4 08/10] selftests/bpf: Fix array access with signed variable test
  2020-12-20 12:05   ` Jean-Philippe Brucker
@ 2020-12-21 19:09     ` Sasha Levin
  0 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2020-12-21 19:09 UTC (permalink / raw)
  To: Jean-Philippe Brucker
  Cc: linux-kernel, stable, John Fastabend, Alexei Starovoitov,
	linux-kselftest, netdev, bpf

On Sun, Dec 20, 2020 at 01:05:19PM +0100, Jean-Philippe Brucker wrote:
>Hi,
>
>On Sat, Dec 19, 2020 at 10:34:55PM -0500, Sasha Levin wrote:
>> From: Jean-Philippe Brucker <jean-philippe@linaro.org>
>>
>> [ Upstream commit 77ce220c0549dcc3db8226c61c60e83fc59dfafc ]
>>
>> The test fails because of a recent fix to the verifier, even though this
>
>That fix is commit b02709587ea3 ("bpf: Fix propagation of 32-bit signed
>bounds from 64-bit bounds.") upstream, which only needed backport to 5.9.
>So although backporting this patch to 5.4 shouldn't break anything, I
>wouldn't bother.

I'll drop it from 5.4, thanks!

-- 
Thanks,
Sasha

