user/sven/linux.git/include/linux/ptr_ring.h, branch v4.19.207 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.19.207 2019-01-09T16:38:33Z ptr_ring: wrap back ->producer in __ptr_ring_swap_queue() 2019-01-09T16:38:33Z Cong Wang xiyou.wangcong@gmail.com 2018-12-30T20:43:42Z urn:sha1:6e36567284cf05217d67dfeb49161bb33ce16363 [ Upstream commit aff6db454599d62191aabc208930e891748e4322 ] __ptr_ring_swap_queue() tries to move pointers from the old ring to the new one, but it forgets to check if ->producer is beyond the new size at the end of the operation. This leads to an out-of-bound access in __ptr_ring_produce() as reported by syzbot. Reported-by: syzbot+8993c0fa96d57c399735@syzkaller.appspotmail.com Fixes: 5d49de532002 ("ptr_ring: resize support") Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: John Fastabend <john.fastabend@gmail.com> Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-02-19T23:46:11Z David S. Miller davem@davemloft.net 2018-02-19T23:46:11Z urn:sha1:f5c0c6f4299f870f074235fbf552ecf957fc249c ptr_ring: Remove now-redundant smp_read_barrier_depends() 2018-02-19T16:11:16Z Andrea Parri parri.andrea@gmail.com 2018-02-16T11:06:13Z urn:sha1:e3f9f41757f5ce1e95ef3bc3bfb72bbcdb23ece2 Because READ_ONCE() now implies smp_read_barrier_depends(), the smp_read_barrier_depends() in __ptr_ring_consume() is redundant; this commit removes it and updates the comments. Signed-off-by: Andrea Parri <parri.andrea@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Cc: John Fastabend <john.fastabend@gmail.com> Cc: Eric Dumazet <edumazet@google.com> Cc: <linux-kernel@vger.kernel.org> Cc: <netdev@vger.kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> ptr_ring: prevent integer overflow when calculating size 2018-02-12T03:33:22Z Jason Wang jasowang@redhat.com 2018-02-11T03:28:12Z urn:sha1:54e02162d4454a99227f520948bf4494c3d972d0 Switch to use dividing to prevent integer overflow when size is too big to calculate allocation size properly. Reported-by: Eric Biggers <ebiggers3@gmail.com> Fixes: 6e6e41c31122 ("ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE") Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> ptr_ring: try vmalloc() when kmalloc() fails 2018-02-09T19:28:57Z Jason Wang jasowang@redhat.com 2018-02-09T09:45:50Z urn:sha1:0bf7800f1799b5b1fd7d4f024e9ece53ac489011 This patch switch to use kvmalloc_array() for using a vmalloc() fallback to help in case kmalloc() fails. Reported-by: syzbot+e4d4f9ddd4295539735d@syzkaller.appspotmail.com Fixes: 2e0ab8ca83c12 ("ptr_ring: array based FIFO for pointers") Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE 2018-02-09T19:28:57Z Jason Wang jasowang@redhat.com 2018-02-09T09:45:49Z urn:sha1:6e6e41c3112276288ccaf80c70916779b84bb276 To avoid slab to warn about exceeded size, fail early if queue occupies more than KMALLOC_MAX_SIZE. Reported-by: syzbot+e4d4f9ddd4295539735d@syzkaller.appspotmail.com Fixes: 2e0ab8ca83c12 ("ptr_ring: array based FIFO for pointers") Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> ptr_ring: prevent queue load/store tearing 2018-01-29T17:02:54Z Michael S. Tsirkin mst@redhat.com 2018-01-25T23:36:38Z urn:sha1:a07d29c6724a19eab120b7a74a9bfd107d20f69a In theory compiler could tear queue loads or stores in two. It does not seem to be happening in practice but it seems easier to convert the cases where this would be a problem to READ/WRITE_ONCE than worry about it. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Revert "net: ptr_ring: otherwise safe empty checks can overrun array bounds" 2018-01-29T17:02:54Z Michael S. Tsirkin mst@redhat.com 2018-01-25T23:36:35Z urn:sha1:9fb582b67072bea6cbfe1aefc2be13c62c7681bf This reverts commit bcecb4bbf88aa03171c30652bca761cf27755a6b. If we try to allocate an extra entry as the above commit did, and when the requested size is UINT_MAX, addition overflows causing zero size to be passed to kmalloc(). kmalloc then returns ZERO_SIZE_PTR with a subsequent crash. Reported-by: syzbot+87678bcf753b44c39b67@syzkaller.appspotmail.com Cc: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> ptr_ring: disallow lockless __ptr_ring_full 2018-01-29T17:02:54Z Michael S. Tsirkin mst@redhat.com 2018-01-25T23:36:32Z urn:sha1:84328342a70a44379dd73011a44c5f5e00481a42 Similar to bcecb4bbf88a ("net: ptr_ring: otherwise safe empty checks can overrun array bounds") a lockless use of __ptr_ring_full might cause an out of bounds access. We can fix this, but it's easier to just disallow lockless __ptr_ring_full for now. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> ptr_ring: READ/WRITE_ONCE for __ptr_ring_empty 2018-01-29T17:02:53Z Michael S. Tsirkin mst@redhat.com 2018-01-25T23:36:29Z urn:sha1:a259df36d1fbf25f0e4f649fdb84e4527e5640ed Lockless __ptr_ring_empty requires that consumer head is read and written at once, atomically. Annotate accordingly to make sure compiler does it correctly. Switch locked callers to __ptr_ring_peek which does not support the lockless operation. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>