12 Jun, 2018

1 commit

  • [ Upstream commit eb7f54b90bd8f469834c5e86dcf72ebf9a629811 ]

    (resend for properly queueing in patchwork)

    kcm_clone() creates kernel socket, which does not take net counter.
    Thus, the net may die before the socket is completely destructed,
    i.e. kcm_exit_net() is executed before kcm_done().

    Reported-by: syzbot+5f1a04e374a635efc426@syzkaller.appspotmail.com
    Signed-off-by: Kirill Tkhai
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Kirill Tkhai
     

16 May, 2018

1 commit

  • commit dff8baa261174de689a44572d0ea182d7aa70598 upstream.

    In kcm_attach strp_done is called when sk_user_data is already
    set to fail the attach. strp_done needs the strp to be stopped and
    warns if it isn't. Call strp_stop in this case to eliminate the
    warning message.

    Reported-by: syzbot+88dfb55e4c8b770d86e3@syzkaller.appspotmail.com
    Fixes: e5571240236c5652f ("kcm: Check if sk_user_data already set in kcm_attach"
    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Tom Herbert
     

01 Apr, 2018

1 commit

  • [ Upstream commit 2cc683e88c0c993ac3721d9b702cb0630abe2879 ]

    Need to lock lower socket in order to provide mutual exclusion
    with kcm_unattach.

    v2: Add Reported-by for syzbot

    Fixes: ab7ac4eb9832e32a09f4e804 ("kcm: Kernel Connection Multiplexor module")
    Reported-by: syzbot+ea75c0ffcd353d32515f064aaebefc5279e6161e@syzkaller.appspotmail.com
    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Tom Herbert
     

25 Feb, 2018

2 commits

  • commit 581e7226a5d43f629eb6399a121f85f6a15f81be upstream.

    TCP sockets for IPv4 and IPv6 that are not listeners or in closed
    stated are allowed to be attached to a KCM mux.

    Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
    Reported-by: syzbot+8865eaff7f9acd593945@syzkaller.appspotmail.com
    Signed-off-by: Tom Herbert
    Reviewed-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Tom Herbert
     
  • commit e5571240236c5652f3e079b1d5866716a7ad819c upstream.

    This is needed to prevent sk_user_data being overwritten.
    The check is done under the callback lock. This should prevent
    a socket from being attached twice to a KCM mux. It also prevents
    a socket from being attached for other use cases of sk_user_data
    as long as the other cases set sk_user_data under the lock.
    Followup work is needed to unify all the use cases of sk_user_data
    to use the same locking.

    Reported-by: syzbot+114b15f2be420a8886c3@syzkaller.appspotmail.com
    Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
    Signed-off-by: Tom Herbert
    Reviewed-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Tom Herbert
     

17 Dec, 2017

1 commit

  • commit a5739435b5a3b8c449f8844ecd71a3b1e89f0a33 upstream.

    1) it's fput() or sock_release(), not both
    2) don't do fd_install() until the last failure exit.
    3) not a bug per se, but... don't attach socket to struct file
    until it's set up.

    Take reserving descriptor into the caller, move fd_install() to the
    caller, sanitize failure exits and calling conventions.

    Acked-by: Tom Herbert
    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Al Viro
     

02 Nov, 2017

1 commit

  • Many source files in the tree are missing licensing information, which
    makes it harder for compliance tools to determine the correct license.

    By default all files without license information are under the default
    license of the kernel, which is GPL version 2.

    Update the files which contain no license information with the 'GPL-2.0'
    SPDX license identifier. The SPDX identifier is a legally binding
    shorthand, which can be used instead of the full boiler plate text.

    This patch is based on work done by Thomas Gleixner and Kate Stewart and
    Philippe Ombredanne.

    How this work was done:

    Patches were generated and checked against linux-4.14-rc6 for a subset of
    the use cases:
    - file had no licensing information it it.
    - file was a */uapi/* one with no licensing information in it,
    - file was a */uapi/* one with existing licensing information,

    Further patches will be generated in subsequent months to fix up cases
    where non-standard license headers were used, and references to license
    had to be inferred by heuristics based on keywords.

    The analysis to determine which SPDX License Identifier to be applied to
    a file was done in a spreadsheet of side by side results from of the
    output of two independent scanners (ScanCode & Windriver) producing SPDX
    tag:value files created by Philippe Ombredanne. Philippe prepared the
    base worksheet, and did an initial spot review of a few 1000 files.

    The 4.13 kernel was the starting point of the analysis with 60,537 files
    assessed. Kate Stewart did a file by file comparison of the scanner
    results in the spreadsheet to determine which SPDX license identifier(s)
    to be applied to the file. She confirmed any determination that was not
    immediately clear with lawyers working with the Linux Foundation.

    Criteria used to select files for SPDX license identifier tagging was:
    - Files considered eligible had to be source code files.
    - Make and config files were included as candidates if they contained >5
    lines of source
    - File already had some variant of a license header in it (even if
    Reviewed-by: Philippe Ombredanne
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

02 Sep, 2017

1 commit


31 Aug, 2017

1 commit

  • syzkaller had no problem to trigger a deadlock, attaching a KCM socket
    to another one (or itself). (original syzkaller report was a very
    confusing lockdep splat during a sendmsg())

    It seems KCM claims to only support TCP, but no enforcement is done,
    so we might need to add additional checks.

    Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
    Signed-off-by: Eric Dumazet
    Reported-by: Dmitry Vyukov
    Acked-by: Tom Herbert
    Signed-off-by: David S. Miller

    Eric Dumazet
     

25 Aug, 2017

1 commit

  • commit bbb03029a899 ("strparser: Generalize strparser") added more
    function pointers to 'struct strp_callbacks'; however, kcm_attach() was
    not updated to initialize them. This could cause the ->lock() and/or
    ->unlock() function pointers to be set to garbage values, causing a
    crash in strp_work().

    Fix the bug by moving the callback structs into static memory, so
    unspecified members are zeroed. Also constify them while we're at it.

    This bug was found by syzkaller, which encountered the following splat:

    IP: 0x55
    PGD 3b1ca067
    P4D 3b1ca067
    PUD 3b12f067
    PMD 0

    Oops: 0010 [#1] SMP KASAN
    Dumping ftrace buffer:
    (ftrace buffer empty)
    Modules linked in:
    CPU: 2 PID: 1194 Comm: kworker/u8:1 Not tainted 4.13.0-rc4-next-20170811 #2
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Workqueue: kstrp strp_work
    task: ffff88006bb0e480 task.stack: ffff88006bb10000
    RIP: 0010:0x55
    RSP: 0018:ffff88006bb17540 EFLAGS: 00010246
    RAX: dffffc0000000000 RBX: ffff88006ce4bd60 RCX: 0000000000000000
    RDX: 1ffff1000d9c97bd RSI: 0000000000000000 RDI: ffff88006ce4bc48
    RBP: ffff88006bb17558 R08: ffffffff81467ab2 R09: 0000000000000000
    R10: ffff88006bb17438 R11: ffff88006bb17940 R12: ffff88006ce4bc48
    R13: ffff88003c683018 R14: ffff88006bb17980 R15: ffff88003c683000
    FS: 0000000000000000(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000055 CR3: 000000003c145000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    process_one_work+0xbf3/0x1bc0 kernel/workqueue.c:2098
    worker_thread+0x223/0x1860 kernel/workqueue.c:2233
    kthread+0x35e/0x430 kernel/kthread.c:231
    ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
    Code: Bad RIP value.
    RIP: 0x55 RSP: ffff88006bb17540
    CR2: 0000000000000055
    ---[ end trace f0e4920047069cee ]---

    Here is a C reproducer (requires CONFIG_BPF_SYSCALL=y and
    CONFIG_AF_KCM=y):

    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include

    static const struct bpf_insn bpf_insns[3] = {
    { .code = 0xb7 }, /* BPF_MOV64_IMM(0, 0) */
    { .code = 0x95 }, /* BPF_EXIT_INSN() */
    };

    static const union bpf_attr bpf_attr = {
    .prog_type = 1,
    .insn_cnt = 2,
    .insns = (uintptr_t)&bpf_insns,
    .license = (uintptr_t)"",
    };

    int main(void)
    {
    int bpf_fd = syscall(__NR_bpf, BPF_PROG_LOAD,
    &bpf_attr, sizeof(bpf_attr));
    int inet_fd = socket(AF_INET, SOCK_STREAM, 0);
    int kcm_fd = socket(AF_KCM, SOCK_DGRAM, 0);

    ioctl(kcm_fd, SIOCKCMATTACH,
    &(struct kcm_attach) { .fd = inet_fd, .bpf_fd = bpf_fd });
    }

    Fixes: bbb03029a899 ("strparser: Generalize strparser")
    Cc: Dmitry Vyukov
    Cc: Tom Herbert
    Signed-off-by: Eric Biggers
    Signed-off-by: David S. Miller

    Eric Biggers
     

02 Aug, 2017

1 commit

  • Generalize strparser from more than just being used in conjunction
    with read_sock. strparser will also be used in the send path with
    zero proxy. The primary change is to create strp_process function
    that performs the critical processing on skbs. The documentation
    is also updated to reflect the new uses.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     

01 Jul, 2017

1 commit

  • refcount_t type and corresponding API should be
    used instead of atomic_t when the variable is used as
    a reference counter. This allows to avoid accidental
    refcounter overflows that might lead to use-after-free
    situations.

    Signed-off-by: Elena Reshetova
    Signed-off-by: Hans Liljestrand
    Signed-off-by: Kees Cook
    Signed-off-by: David Windsor
    Signed-off-by: David S. Miller

    Reshetova, Elena
     

16 May, 2017

1 commit


18 Apr, 2017

1 commit


25 Mar, 2017

1 commit


02 Mar, 2017

1 commit


15 Feb, 2017

1 commit

  • In commit 98e3862ca2b1 ("kcm: fix 0-length case for kcm_sendmsg()")
    I tried to avoid skb allocation for 0-length case, but missed
    a check for NULL pointer in the non EOR case.

    Fixes: 98e3862ca2b1 ("kcm: fix 0-length case for kcm_sendmsg()")
    Reported-by: Dmitry Vyukov
    Cc: Tom Herbert
    Signed-off-by: Cong Wang
    Acked-by: Tom Herbert
    Signed-off-by: David S. Miller

    WANG Cong
     

10 Feb, 2017

1 commit

  • Dmitry reported a kernel warning:

    WARNING: CPU: 3 PID: 2936 at net/kcm/kcmsock.c:627
    kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
    CPU: 3 PID: 2936 Comm: a.out Not tainted 4.10.0-rc6+ #209
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:15 [inline]
    dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
    panic+0x1fb/0x412 kernel/panic.c:179
    __warn+0x1c4/0x1e0 kernel/panic.c:539
    warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
    kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
    kcm_sendmsg+0x163a/0x2200 net/kcm/kcmsock.c:1029
    sock_sendmsg_nosec net/socket.c:635 [inline]
    sock_sendmsg+0xca/0x110 net/socket.c:645
    sock_write_iter+0x326/0x600 net/socket.c:848
    new_sync_write fs/read_write.c:499 [inline]
    __vfs_write+0x483/0x740 fs/read_write.c:512
    vfs_write+0x187/0x530 fs/read_write.c:560
    SYSC_write fs/read_write.c:607 [inline]
    SyS_write+0xfb/0x230 fs/read_write.c:599
    entry_SYSCALL_64_fastpath+0x1f/0xc2

    when calling syscall(__NR_write, sock2, 0x208aaf27ul, 0x0ul) on a KCM
    seqpacket socket. It appears that kcm_sendmsg() does not handle len==0
    case correctly, which causes an empty skb is allocated and queued.
    Fix this by skipping the skb allocation for len==0 case.

    Reported-by: Dmitry Vyukov
    Cc: Tom Herbert
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    WANG Cong
     

08 Oct, 2016

1 commit

  • Pull VFS splice updates from Al Viro:
    "There's a bunch of branches this cycle, both mine and from other folks
    and I'd rather send pull requests separately.

    This one is the conversion of ->splice_read() to ITER_PIPE iov_iter
    (and introduction of such). Gets rid of a lot of code in fs/splice.c
    and elsewhere; there will be followups, but these are for the next
    cycle... Some pipe/splice-related cleanups from Miklos in the same
    branch as well"

    * 'work.splice_read' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    pipe: fix comment in pipe_buf_operations
    pipe: add pipe_buf_steal() helper
    pipe: add pipe_buf_confirm() helper
    pipe: add pipe_buf_release() helper
    pipe: add pipe_buf_get() helper
    relay: simplify relay_file_read()
    switch default_file_splice_read() to use of pipe-backed iov_iter
    switch generic_file_splice_read() to use of ->read_iter()
    new iov_iter flavour: pipe-backed
    fuse_dev_splice_read(): switch to add_to_pipe()
    skb_splice_bits(): get rid of callback
    new helper: add_to_pipe()
    splice: lift pipe_lock out of splice_to_pipe()
    splice: switch get_iovec_page_array() to iov_iter
    splice_to_pipe(): don't open-code wakeup_pipe_readers()
    consistent treatment of EFAULT on O_DIRECT read/write

    Linus Torvalds
     

04 Oct, 2016

1 commit

  • since pipe_lock is the outermost now, we don't need to drop/regain
    socket locks around the call of splice_to_pipe() from skb_splice_bits(),
    which kills the need to have a socket-specific callback; we can just
    call splice_to_pipe() and be done with that.

    Signed-off-by: Al Viro

    Al Viro
     

13 Sep, 2016

1 commit


01 Sep, 2016

1 commit

  • Dmitry reported a double free on kcm socket, which could
    be easily reproduced by:

    #include
    #include

    int main()
    {
    int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0);
    syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0);
    return 0;
    }

    This is because on the error path, after we install
    the new socket file, we call sock_release() to clean
    up the socket, which leaves the fd pointing to a freed
    socket. Fix this by calling sys_close() on that fd
    directly.

    Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
    Reported-by: Dmitry Vyukov
    Cc: Tom Herbert
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    WANG Cong
     

29 Aug, 2016

1 commit


24 Aug, 2016

1 commit

  • Lock the lower socket in kcm_unattach. Release during call to strp_done
    since that function cancels the RX timers and work queue with sync.

    Also added some status information in psock reporting.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     

18 Aug, 2016

1 commit

  • Adapt KCM to use the stream parser. This mostly involves removing
    the RX handling and setting up the strparser using the interface.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     

26 Jul, 2016

1 commit


02 Jul, 2016

1 commit

  • Since bpf_prog_get() and program type check is used in a couple of places,
    refactor this into a small helper function that we can make use of. Since
    the non RO prog->aux part is not used in performance critical paths and a
    program destruction via RCU is rather very unlikley when doing the put, we
    shouldn't have an issue just doing the bpf_prog_get() + prog->type != type
    check, but actually not taking the ref at all (due to being in fdget() /
    fdput() section of the bpf fd) is even cleaner and makes the diff smaller
    as well, so just go for that. Callsites are changed to make use of the new
    helper where possible.

    Signed-off-by: Daniel Borkmann
    Acked-by: Alexei Starovoitov
    Signed-off-by: David S. Miller

    Daniel Borkmann
     

23 Jun, 2016

1 commit

  • Every open of /proc/net/kcm leaks 16 bytes of memory as is reported by
    kmemleak:
    unreferenced object 0xffff88059c0e3458 (size 192):
    comm "cat", pid 1401, jiffies 4294935742 (age 310.720s)
    hex dump (first 32 bytes):
    28 45 71 96 05 88 ff ff 00 10 00 00 00 00 00 00 (Eq.............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    backtrace:
    [] kmem_cache_alloc_trace+0x16e/0x230
    [] seq_open+0x79/0x1d0
    [] kcm_seq_open+0x0/0x30 [kcm]
    [] seq_open+0x79/0x1d0
    [] __seq_open_private+0x2f/0xa0
    [] seq_open_net+0x38/0xa0
    ...

    It is caused by a missing free in the ->release path. So fix it by
    providing seq_release_net as the ->release method.

    Signed-off-by: Jiri Slaby
    Fixes: cd6e111bf5 (kcm: Add statistics and proc interfaces)
    Cc: "David S. Miller"
    Cc: Tom Herbert
    Cc: netdev@vger.kernel.org
    Signed-off-by: David S. Miller

    Jiri Slaby
     

20 May, 2016

1 commit

  • skb_splice_bits() returns int, kcm_splice_read() returns ssize_t,
    both are signed.

    We may need another patch to make them all ssize_t, but that
    deserves a separated patch.

    Fixes: 91687355b927 ("kcm: Splice support")
    Reported-by: David Binderman
    Cc: Tom Herbert
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    WANG Cong
     

10 Mar, 2016

6 commits

  • This patch adds receive timeout for message assembly on the attached TCP
    sockets. The timeout is set when a new messages is started and the whole
    message has not been received by TCP (not in the receive queue). If the
    completely message is subsequently received the timer is cancelled, if the
    timer expires the RX side is aborted.

    The timeout value is taken from the socket timeout (SO_RCVTIMEO) that is
    set on a TCP socket (i.e. set by get sockopt before attaching a TCP socket
    to KCM.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     
  • Message assembly is performed on the TCP socket. This is logically
    equivalent of an application that performs a peek on the socket to find
    out how much memory is needed for a receive buffer. The receive socket
    buffer also provides the maximum message size which is checked.

    The receive algorithm is something like:

    1) Receive the first skbuf for a message (or skbufs if multiple are
    needed to determine message length).
    2) Check the message length against the number of bytes in the TCP
    receive queue (tcp_inq()).
    - If all the bytes of the message are in the queue (incluing the
    skbuf received), then proceed with message assembly (it should
    complete with the tcp_read_sock)
    - Else, mark the psock with the number of bytes needed to
    complete the message.
    3) In TCP data ready function, if the psock indicates that we are
    waiting for the rest of the bytes of a messages, check the number
    of queued bytes against that.
    - If there are still not enough bytes for the message, just
    return
    - Else, clear the waiting bytes and proceed to receive the
    skbufs. The message should now be received in one
    tcp_read_sock

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     
  • Implement kcm_sendpage. Set in sendpage to kcm_sendpage in both
    dgram and seqpacket ops.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     
  • Implement kcm_splice_read. This is supported only for seqpacket.
    Add kcm_seqpacket_ops and set splice read to kcm_splice_read.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     
  • This patch adds various counters for KCM. These include counters for
    messages and bytes received or sent, as well as counters for number of
    attached/unattached TCP sockets and other error or edge events.

    The statistics are exposed via a proc interface. /proc/net/kcm provides
    statistics per KCM socket and per psock (attached TCP sockets).
    /proc/net/kcm_stats provides aggregate statistics.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     
  • This module implements the Kernel Connection Multiplexor.

    Kernel Connection Multiplexor (KCM) is a facility that provides a
    message based interface over TCP for generic application protocols.
    With KCM an application can efficiently send and receive application
    protocol messages over TCP using datagram sockets.

    For more information see the included Documentation/networking/kcm.txt

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert