1. 11 5月, 2018 3 次提交
  2. 10 5月, 2018 2 次提交
    • Y
      tipc: eliminate KMSAN uninit-value in strcmp complaint · 94f6a80c
      Ying Xue 提交于
      When we get link properties through netlink interface with
      tipc_nl_node_get_link(), we don't validate TIPC_NLA_LINK_NAME
      attribute at all, instead we directly use it. As a consequence,
      KMSAN detected the TIPC_NLA_LINK_NAME attribute was an uninitialized
      value, and then posted the following complaint:
      
      ==================================================================
      BUG: KMSAN: uninit-value in strcmp+0xf7/0x160 lib/string.c:329
      CPU: 1 PID: 4527 Comm: syz-executor655 Not tainted 4.16.0+ #87
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x185/0x1d0 lib/dump_stack.c:53
        kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
        __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
        strcmp+0xf7/0x160 lib/string.c:329
        tipc_nl_node_get_link+0x220/0x6f0 net/tipc/node.c:1881
        genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
        genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
        netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
        genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
        netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
        netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
        netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
        sock_sendmsg_nosec net/socket.c:630 [inline]
        sock_sendmsg net/socket.c:640 [inline]
        ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
        __sys_sendmsg net/socket.c:2080 [inline]
        SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
        SyS_sendmsg+0x54/0x80 net/socket.c:2087
        do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x445589
      RSP: 002b:00007fb7ee66cdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445589
      RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003
      RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 00007fffa2bf3f3f R14: 00007fb7ee66d9c0 R15: 0000000000000001
      
      Uninit was created at:
        kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
        kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
        kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
        kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
        slab_post_alloc_hook mm/slab.h:445 [inline]
        slab_alloc_node mm/slub.c:2737 [inline]
        __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
        __kmalloc_reserve net/core/skbuff.c:138 [inline]
        __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
        alloc_skb include/linux/skbuff.h:984 [inline]
        netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
        netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
        sock_sendmsg_nosec net/socket.c:630 [inline]
        sock_sendmsg net/socket.c:640 [inline]
        ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
        __sys_sendmsg net/socket.c:2080 [inline]
        SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
        SyS_sendmsg+0x54/0x80 net/socket.c:2087
        do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      ==================================================================
      
      To quiet the complaint, TIPC_NLA_LINK_NAME attribute has been
      validated in tipc_nl_node_get_link() before it's used.
      
      Reported-by: syzbot+df0257c92ffd4fcc58cd@syzkaller.appspotmail.com
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      94f6a80c
    • S
      net/9p: correct some comment errors in 9p file system code · 4a026da9
      Sun Lianwen 提交于
      There are follow comment errors:
      1 The function name is wrong in p9_release_pages() comment.
      2 The function name and variable name is wrong in p9_poll_workfn() comment.
      3 There is no variable dm_mr and lkey in struct p9_trans_rdma.
      4 The function name is wrong in rdma_create_trans() comment.
      5 There is no variable initialized in struct virtio_chan.
      6 The variable name is wrong in p9_virtio_zc_request() comment.
      Signed-off-by: NSun Lianwen <sunlw.fnst@cn.fujitsu.com>
      Reviewed-by: NRandy Dunlap <rdunlap@infradead.org>
      Reviewed-by: NRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4a026da9
  3. 09 5月, 2018 1 次提交
    • H
      r8169: fix powering up RTL8168h · 3148dedf
      Heiner Kallweit 提交于
      Since commit a92a0849 "r8169: improve runtime pm in general and
      suspend unused ports" interfaces w/o link are runtime-suspended after
      10s. On systems where drivers take longer to load this can lead to the
      situation that the interface is runtime-suspended already when it's
      initially brought up.
      This shouldn't be a problem because rtl_open() resumes MAC/PHY.
      However with at least one chip version the interface doesn't properly
      come up, as reported here:
      https://bugzilla.kernel.org/show_bug.cgi?id=199549
      
      The vendor driver uses a delay to give certain chip versions some
      time to resume before starting the PHY configuration. So let's do
      the same. I don't know which chip versions may be affected,
      therefore apply this delay always.
      
      This patch was reported to fix the issue for RTL8168h.
      I was able to reproduce the issue on an Asus H310I-Plus which also
      uses a RTL8168h. Also in my case the patch fixed the issue.
      Reported-by: NSlava Kardakov <ojab@ojab.ru>
      Tested-by: NSlava Kardakov <ojab@ojab.ru>
      Signed-off-by: NHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3148dedf
  4. 08 5月, 2018 24 次提交
    • D
      Merge tag 'linux-can-fixes-for-4.17-20180508' of... · 42f02130
      David S. Miller 提交于
      Merge tag 'linux-can-fixes-for-4.17-20180508' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2018-05-08
      
      this is a pull request for 7 patches for net/master.
      
      The first patch is by Jakob Unterwurzacher and increases the severity of
      bus-off messages in the generic CAN device infrastructure. The next two patches
      are by Uwe Kleine-König and fix the endianess detection in the flexcan driver.
      Jimmy Assarsson's patch for the kvaser driver corrects the stats counter for
      dropped tx-messages. Geert Uytterhoeven provides one patch and Sergei Shtylyov
      two patches for the rcan_canfd device tree binding description.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      42f02130
    • D
      Merge branch 'ieee802154-for-davem-2018-05-08' of... · 2dabf9f2
      David S. Miller 提交于
      Merge branch 'ieee802154-for-davem-2018-05-08' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan
      
      Stefan Schmidt says:
      
      ====================
      pull-request: ieee802154 2018-05-08
      
      An update from ieee802154 for your *net* tree.
      
      Two fixes for the mcr20a driver, which was being added in the 4.17 merge window,
      by Gustavo and myself.
      The atusb driver got a change to GFP_KERNEL where no GFP_ATOMIC is needed by
      Jia-Ju.
      
      The last and most important fix is from Alex to get IPv6 reassembly working
      again for the ieee802154 6lowpan adaptation. This got broken in 4.16 so please
      queue this one also up for the 4.16 stable tree.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2dabf9f2
    • S
      DT: net: can: rcar_canfd: document R8A77980 bindings · 7a25ac2f
      Sergei Shtylyov 提交于
      Document the R-Car V3H (R8A77980) SoC support in the R-Car CAN-FD bindings.
      Signed-off-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reviewed-by: NSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      7a25ac2f
    • S
      DT: net: can: rcar_canfd: document R8A77970 bindings · 0a4fe40e
      Sergei Shtylyov 提交于
      Document the R-Car V3M (R8A77970) SoC support in the R-Car CAN-FD bindings.
      Signed-off-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reviewed-by: NRamesh Shanmugasundaram <ramesh.shanmugasundaram@bp.renesas.com>
      Reviewed-by: NSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      0a4fe40e
    • G
      1469c5f0
    • J
      can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() · 6ee00865
      Jimmy Assarsson 提交于
      Increase rx_dropped, if alloc_can_skb() fails, not tx_dropped.
      Signed-off-by: NJimmy Assarsson <extja@kvaser.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      6ee00865
    • U
      arm: dts: imx[35]*: declare flexcan devices to be compatible to imx25's flexcan · 9a62dcf4
      Uwe Kleine-König 提交于
      Commit d50f4630 ("arm: dts: Remove p1010-flexcan compatible from imx
      series dts") removed the fallback compatible "fsl,p1010-flexcan" from
      the imx device trees. As the flexcan cores on i.MX25, i.MX35 and i.MX53
      are identical, introduce the first as fallback for the two latter ones.
      
      Fixes: d50f4630 ("arm: dts: Remove p1010-flexcan compatible from imx series dts")
      Signed-off-by: NUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Cc: linux-stable <stable@vger.kernel.org> # >= v4.16
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      9a62dcf4
    • U
      can: flexcan: fix endianess detection · 0e030a37
      Uwe Kleine-König 提交于
      In commit 88462d2a ("can: flexcan: Remodel FlexCAN register r/w APIs
      for big endian FlexCAN controllers.") the following logic was
      implemented:
      
      	if the dt property "big-endian" is given or
      	   the device is compatible to "fsl,p1010-flexcan":
      		use big-endian mode;
      	else
      		use little-endian mode;
      
      This relies on commit d50f4630 ("arm: dts: Remove p1010-flexcan
      compatible from imx series dts") which was applied a few commits later.
      Without this commit (or an old device tree used for booting a new
      kernel) the flexcan devices on i.MX25, i.MX28, i.MX35 and i.MX53 match
      the 'the device is compatible to "fsl,p1010-flexcan"' test and so are
      switched erroneously to big endian mode.
      
      Instead of the check above put a quirk in devtype data and rely on
      of_match_device yielding the most compatible match
      
      Fixes: 88462d2a ("can: flexcan: Remodel FlexCAN register r/w APIs for big endian FlexCAN controllers.")
      Signed-off-by: NUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Tested-by: NGavin Schenk <g.schenk@eckelmann.de>
      Cc: linux-stable <stable@vger.kernel.org> # >= v4.16
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      0e030a37
    • J
      can: dev: increase bus-off message severity · 71c23a82
      Jakob Unterwurzacher 提交于
      bus-off is usually caused by hardware malfunction or configuration error
      (baud rate mismatch) and causes a complete loss of communication.
      
      Increase the "bus-off" message's severity from netdev_dbg() to
      netdev_info() to make it visible to the user.
      
      A can interface going into bus-off is similar in severity to ethernet's
      "Link is Down" message, which is also printed at info level.
      
      It is debatable whether the the "restarted" message should also be
      changed to netdev_info() to make the interface state changes
      comprehensible from the kernel log. I have chosen to keep the
      "restarted" message at dbg for now as the "bus-off" message should be
      enough for the user to notice and investigate the problem.
      Signed-off-by: NJakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
      Cc: linux-can@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      71c23a82
    • E
      llc: better deal with too small mtu · 2c5d5b13
      Eric Dumazet 提交于
      syzbot loves to set very small mtu on devices, since it brings joy.
      We must make llc_ui_sendmsg() fool proof.
      
      usercopy: Kernel memory overwrite attempt detected to wrapped address (offset 0, size 18446612139802320068)!
      
      kernel BUG at mm/usercopy.c:100!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 17464 Comm: syz-executor1 Not tainted 4.17.0-rc3+ #36
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:usercopy_abort+0xbb/0xbd mm/usercopy.c:88
      RSP: 0018:ffff8801868bf800 EFLAGS: 00010282
      RAX: 000000000000006c RBX: ffffffff87d2fb00 RCX: 0000000000000000
      RDX: 000000000000006c RSI: ffffffff81610731 RDI: ffffed0030d17ef6
      RBP: ffff8801868bf858 R08: ffff88018daa4200 R09: ffffed003b5c4fb0
      R10: ffffed003b5c4fb0 R11: ffff8801dae27d87 R12: ffffffff87d2f8e0
      R13: ffffffff87d2f7a0 R14: ffffffff87d2f7a0 R15: ffffffff87d2f7a0
      FS:  00007f56a14ac700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b2bc21000 CR3: 00000001abeb1000 CR4: 00000000001426f0
      DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000030602
      Call Trace:
       check_bogus_address mm/usercopy.c:153 [inline]
       __check_object_size+0x5d9/0x5d9 mm/usercopy.c:256
       check_object_size include/linux/thread_info.h:108 [inline]
       check_copy_size include/linux/thread_info.h:139 [inline]
       copy_from_iter_full include/linux/uio.h:121 [inline]
       memcpy_from_msg include/linux/skbuff.h:3305 [inline]
       llc_ui_sendmsg+0x4b1/0x1530 net/llc/af_llc.c:941
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:639
       __sys_sendto+0x3d7/0x670 net/socket.c:1789
       __do_sys_sendto net/socket.c:1801 [inline]
       __se_sys_sendto net/socket.c:1797 [inline]
       __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x455979
      RSP: 002b:00007f56a14abc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007f56a14ac6d4 RCX: 0000000000455979
      RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000018
      RBP: 000000000072bea0 R08: 00000000200012c0 R09: 0000000000000010
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 0000000000000548 R14: 00000000006fbf60 R15: 0000000000000000
      Code: 55 c0 e8 c0 55 bb ff ff 75 c8 48 8b 55 c0 4d 89 f9 ff 75 d0 4d 89 e8 48 89 d9 4c 89 e6 41 56 48 c7 c7 80 fa d2 87 e8 a0 0b a3 ff <0f> 0b e8 95 55 bb ff e8 c0 a8 f7 ff 8b 95 14 ff ff ff 4d 89 e8
      RIP: usercopy_abort+0xbb/0xbd mm/usercopy.c:88 RSP: ffff8801868bf800
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2c5d5b13
    • D
      Merge branch 'Aquantia-various-patches-2018-05' · 895b6176
      David S. Miller 提交于
      Igor Russkikh says:
      
      ====================
      Aquantia various patches 2018-05
      
      These are two patches covering issues found during test cycles:
      
      First is that driver should declare valid vlan_features
      Second fix is about correct allocation of MSI interrupts on some systems.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      895b6176
    • I
      net: aquantia: Limit number of vectors to actually allocated irqs · a09bd81b
      Igor Russkikh 提交于
      Driver should use pci_alloc_irq_vectors return value to correct number
      of allocated vectors and napi instances. Otherwise it'll panic later
      in pci_irq_vector.
      
      Driver also should allow more than one MSI vectors to be allocated.
      
      Error return path from pci_alloc_irq_vectors is also fixed to revert
      resources in a correct sequence when error happens.
      Reported-by: NLong, Nicholas <nicholas.a.long@baesystems.com>
      Fixes: 23ee07ad ("net: aquantia: Cleanup pci functions module")
      Signed-off-by: NIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a09bd81b
    • I
      net: aquantia: driver should correctly declare vlan_features bits · 8c61ab7f
      Igor Russkikh 提交于
      In particular, not reporting SG forced skbs to be linear for vlan
      interfaces over atlantic NIC.
      
      With this fix it is possible to enable SG feature on device and
      therefore optimize performance.
      Reported-by: NMa Yuying <yuma@redhat.com>
      Signed-off-by: NIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8c61ab7f
    • G
      trivial: fix inconsistent help texts · a9f71d0d
      Georg Hofmann 提交于
      This patch removes "experimental" from the help text where depends on
      CONFIG_EXPERIMENTAL was already removed.
      Signed-off-by: NGeorg Hofmann <georg@hofmannsweb.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a9f71d0d
    • S
      MAINTAINERS: Update the 3c59x network driver entry · 5ed3fde2
      Steffen Klassert 提交于
      Replace my old E-Mail address with a working one.
      While at it, change the maintainance status to
      'Odd Fixes'. I'm still around with some knowledge,
      but don't actively maintain it anymore.
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5ed3fde2
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 1822f638
      David S. Miller 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2018-05-07
      
      1) Always verify length of provided sadb_key to fix a
         slab-out-of-bounds read in pfkey_add. From Kevin Easton.
      
      2) Make sure that all states are really deleted
         before we check that the state lists are empty.
         Otherwise we trigger a warning.
      
      3) Fix MTU handling of the VTI6 interfaces on
         interfamily tunnels. From Stefano Brivio.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1822f638
    • A
      net/tls: Fix connection stall on partial tls record · 080324c3
      Andre Tomt 提交于
      In the case of writing a partial tls record we forgot to clear the
      ctx->in_tcp_sendpages flag, causing some connections to stall.
      
      Fixes: c212d2c7 ("net/tls: Don't recursively call push_record during tls_write_space callbacks")
      Signed-off-by: NAndre Tomt <andre@tomt.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      080324c3
    • W
    • A
      net: dsa: mv88e6xxx: Fix PHY interrupts by parameterising PHY base address · 9255bacd
      Andrew Lunn 提交于
      Most of the mv88e6xxx switches have the PHYs at address 0, 1, 2, ...
      The 6341 however has the PHYs at 0x10, 0x11, 0x12. Add a parameter to
      the info structure for this base address.
      
      Testing of 6f88284f ("net: dsa: mv88e6xxx: Add MDIO interrupts for
      internal PHYs") was performed on the 6341. So it works only on the
      6341. Use this base information to correctly set the interrupt.
      
      Fixes: 6f88284f ("net: dsa: mv88e6xxx: Add MDIO interrupts for internal PHYs")
      Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9255bacd
    • E
      tls: fix use after free in tls_sk_proto_close · 98f0a395
      Eric Dumazet 提交于
      syzbot reported a use-after-free in tls_sk_proto_close
      
      Add a boolean value to cleanup a bit this function.
      
      BUG: KASAN: use-after-free in tls_sk_proto_close+0x8ab/0x9c0 net/tls/tls_main.c:297
      Read of size 1 at addr ffff8801ae40a858 by task syz-executor363/4503
      
      CPU: 0 PID: 4503 Comm: syz-executor363 Not tainted 4.17.0-rc3+ #34
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
       tls_sk_proto_close+0x8ab/0x9c0 net/tls/tls_main.c:297
       inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
       inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
       sock_release+0x96/0x1b0 net/socket.c:594
       sock_close+0x16/0x20 net/socket.c:1149
       __fput+0x34d/0x890 fs/file_table.c:209
       ____fput+0x15/0x20 fs/file_table.c:243
       task_work_run+0x1e4/0x290 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x1aee/0x2730 kernel/exit.c:865
       do_group_exit+0x16f/0x430 kernel/exit.c:968
       get_signal+0x886/0x1960 kernel/signal.c:2469
       do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
       exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
       prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
       do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x4457b9
      RSP: 002b:00007fdf4d766da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
      RAX: fffffffffffffe00 RBX: 00000000006dac3c RCX: 00000000004457b9
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac3c
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac38
      R13: 3692738801137283 R14: 6bf92c39443c4c1d R15: 0000000000000006
      
      Allocated by task 4498:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:448
       set_track mm/kasan/kasan.c:460 [inline]
       kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
       kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
       kmalloc include/linux/slab.h:512 [inline]
       kzalloc include/linux/slab.h:701 [inline]
       create_ctx net/tls/tls_main.c:521 [inline]
       tls_init+0x1f9/0xb00 net/tls/tls_main.c:633
       tcp_set_ulp+0x1bc/0x520 net/ipv4/tcp_ulp.c:153
       do_tcp_setsockopt.isra.39+0x44a/0x2600 net/ipv4/tcp.c:2588
       tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2893
       sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
       __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
       __do_sys_setsockopt net/socket.c:1914 [inline]
       __se_sys_setsockopt net/socket.c:1911 [inline]
       __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 4503:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:448
       set_track mm/kasan/kasan.c:460 [inline]
       __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
       kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
       __cache_free mm/slab.c:3498 [inline]
       kfree+0xd9/0x260 mm/slab.c:3813
       tls_sw_free_resources+0x2a3/0x360 net/tls/tls_sw.c:1037
       tls_sk_proto_close+0x67c/0x9c0 net/tls/tls_main.c:288
       inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
       inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
       sock_release+0x96/0x1b0 net/socket.c:594
       sock_close+0x16/0x20 net/socket.c:1149
       __fput+0x34d/0x890 fs/file_table.c:209
       ____fput+0x15/0x20 fs/file_table.c:243
       task_work_run+0x1e4/0x290 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x1aee/0x2730 kernel/exit.c:865
       do_group_exit+0x16f/0x430 kernel/exit.c:968
       get_signal+0x886/0x1960 kernel/signal.c:2469
       do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
       exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
       prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
       do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8801ae40a800
       which belongs to the cache kmalloc-256 of size 256
      The buggy address is located 88 bytes inside of
       256-byte region [ffff8801ae40a800, ffff8801ae40a900)
      The buggy address belongs to the page:
      page:ffffea0006b90280 count:1 mapcount:0 mapping:ffff8801ae40a080 index:0x0
      flags: 0x2fffc0000000100(slab)
      raw: 02fffc0000000100 ffff8801ae40a080 0000000000000000 000000010000000c
      raw: ffffea0006bea9e0 ffffea0006bc94a0 ffff8801da8007c0 0000000000000000
      page dumped because: kasan: bad access detected
      
      Fixes: dd0bed16 ("tls: support for Inline tls record")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Atul Gupta <atul.gupta@chelsio.com>
      Cc: Steve Wise <swise@opengridcomputing.com>
      Cc: Ilya Lesokhin <ilyal@mellanox.com>
      Cc: Aviad Yehezkel <aviadye@mellanox.com>
      Cc: Dave Watson <davejwatson@fb.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      98f0a395
    • X
      sctp: delay the authentication for the duplicated cookie-echo chunk · 59d8d443
      Xin Long 提交于
      Now sctp only delays the authentication for the normal cookie-echo
      chunk by setting chunk->auth_chunk in sctp_endpoint_bh_rcv(). But
      for the duplicated one with auth, in sctp_assoc_bh_rcv(), it does
      authentication first based on the old asoc, which will definitely
      fail due to the different auth info in the old asoc.
      
      The duplicated cookie-echo chunk will create a new asoc with the
      auth info from this chunk, and the authentication should also be
      done with the new asoc's auth info for all of the collision 'A',
      'B' and 'D'. Otherwise, the duplicated cookie-echo chunk with auth
      will never pass the authentication and create the new connection.
      
      This issue exists since very beginning, and this fix is to make
      sctp_assoc_bh_rcv() follow the way sctp_endpoint_bh_rcv() does
      for the normal cookie-echo chunk to delay the authentication.
      
      While at it, remove the unused params from sctp_sf_authenticate()
      and define sctp_auth_chunk_verify() used for all the places that
      do the delayed authentication.
      
      v1->v2:
        fix the typo in changelog as Marcelo noticed.
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      59d8d443
    • M
      net: nixge: Address compiler warnings about signedness · a86b74d3
      Moritz Fischer 提交于
      Fixes the following warnings:
      warning: pointer targets in passing argument 1 of
      ‘is_valid_ether_addr’ differ in signedness [-Wpointer-sign]
        if (mac_addr && is_valid_ether_addr(mac_addr)) {
                                            ^~~~~~~~
      expected ‘const u8 * {aka const unsigned char *}’ but argument
      is of type ‘const char *’
       static inline bool is_valid_ether_addr(const u8 *addr)
                          ^~~~~~~~~~~~~~~~~~~
      warning: pointer targets in passing argument 2 of
      ‘ether_addr_copy’ differ in signedness [-Wpointer-sign]
         ether_addr_copy(ndev->dev_addr, mac_addr);
                                         ^~~~~~~~
      expected ‘const u8 * {aka const unsigned char *}’ but argument
      is of type ‘const char *’
       static inline void ether_addr_copy(u8 *dst, const u8 *src)
      Signed-off-by: NMoritz Fischer <mdf@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a86b74d3
    • M
      net: nixge: Fix error path for obtaining mac address · abcd3d6f
      Moritz Fischer 提交于
      Fix issue where nixge_get_nvmem_address() returns a non-NULL
      return value on a failed nvmem_cell_get() that causes an invalid
      access when error value encoded in pointer is dereferenced.
      
      Furthermore ensure that buffer allocated by nvmem_cell_read()
      actually gets kfreed() if the function succeeds.
      
      Fixes commit 492caffa ("net: ethernet: nixge: Add support for
      National Instruments XGE netdev")
      Reported-by: NAlex Williams <alex.williams@ni.com>
      Signed-off-by: NMoritz Fischer <mdf@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      abcd3d6f
    • A
      selftests: net: use TEST_PROGS_EXTENDED · 1751eb42
      Anders Roxell 提交于
      When a script file that isn't generated uses the variable
      TEST_GEN_PROGS_EXTENDED and a 'make -C tools/testing/selftests clean' is
      performed the script file gets removed and git shows the file as
      deleted. For script files that isn't generated TEST_PROGS_EXTENDED
      should be used.
      
      Fixes: 9faedd64 ("selftests: net: add in_netns.sh TEST_GEN_PROGS_EXTENDED")
      Signed-off-by: NAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1751eb42
  5. 07 5月, 2018 1 次提交
  6. 05 5月, 2018 9 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 2ba5622f
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-05-05
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Sanitize attr->{prog,map}_type from bpf(2) since used as an array index
         to retrieve prog/map specific ops such that we prevent potential out of
         bounds value under speculation, from Mark and Daniel.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2ba5622f
    • A
      net: phy: sfp: fix the BR,min computation · 52c5cd1b
      Antoine Tenart 提交于
      In an SFP EEPROM values can be read to get information about a given SFP
      module. One of those is the bitrate, which can be determined using a
      nominal bitrate in addition with min and max values (in %). The SFP code
      currently compute both BR,min and BR,max values thanks to this nominal
      and min,max values.
      
      This patch fixes the BR,min computation as the min value should be
      subtracted to the nominal one, not added.
      
      Fixes: 9962acf7 ("sfp: add support for 1000Base-PX and 1000Base-BX10")
      Signed-off-by: NAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      52c5cd1b
    • R
      net: ethernet: sun: niu set correct packet size in skb · 14224923
      Rob Taglang 提交于
      Currently, skb->len and skb->data_len are set to the page size, not
      the packet size. This causes the frame check sequence to not be
      located at the "end" of the packet resulting in ethernet frame check
      errors. The driver does work currently, but stricter kernel facing
      networking solutions like OpenVSwitch will drop these packets as
      invalid.
      
      These changes set the packet size correctly so that these errors no
      longer occur. The length does not include the frame check sequence, so
      that subtraction was removed.
      
      Tested on Oracle/SUN Multithreaded 10-Gigabit Ethernet Network
      Controller [108e:abcd] and validated in wireshark.
      Signed-off-by: NRob Taglang <rob@taglang.io>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      14224923
    • Y
      net/netlink: make sure the headers line up actual value output · ae552ac2
      YU Bo 提交于
      Making sure the headers line up properly with the actual value output of the command
      `cat /proc/net/netlink`
      
      Before the patch:
      <sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks     Drops     Inode
      <ffff8cd2c2f7b000 0   909    00000550 0        0        0 2        0        18946
      
      After the patch:
      >sk               Eth Pid        Groups   Rmem     Wmem     Dump  Locks    Drops    Inode
      >0000000033203952 0   897        00000113 0        0        0     2        0        14906
      Signed-off-by: NBo YU <tsu.yubo@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ae552ac2
    • M
      tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). · d89a2adb
      Michael Chan 提交于
      tg3_free_consistent() calls dma_free_coherent() to free tp->hw_stats
      under spinlock and can trigger BUG_ON() in vunmap() because vunmap()
      may sleep.  Fix it by removing the spinlock and relying on the
      TG3_FLAG_INIT_COMPLETE flag to prevent race conditions between
      tg3_get_stats64() and tg3_free_consistent().  TG3_FLAG_INIT_COMPLETE
      is always cleared under tp->lock before tg3_free_consistent()
      and therefore tg3_get_stats64() can safely access tp->hw_stats
      under tp->lock if TG3_FLAG_INIT_COMPLETE is set.
      
      Fixes: f5992b72 ("tg3: Fix race condition in tg3_get_stats64().")
      Reported-by: NZumeng Chen <zumeng.chen@gmail.com>
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d89a2adb
    • E
      nsh: fix infinite loop · af50e4ba
      Eric Dumazet 提交于
      syzbot caught an infinite recursion in nsh_gso_segment().
      
      Problem here is that we need to make sure the NSH header is of
      reasonable length.
      
      BUG: MAX_LOCK_DEPTH too low!
      turning off the locking correctness validator.
      depth: 48  max: 48!
      48 locks held by syz-executor0/10189:
       #0:         (ptrval) (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x30f/0x34c0 net/core/dev.c:3517
       #1:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #1:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #2:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #2:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #3:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #3:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #4:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #4:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #5:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #5:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #6:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #6:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #7:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #7:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #8:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #8:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #9:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #9:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #10:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #10:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #11:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #11:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #12:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #12:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #13:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #13:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #14:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #14:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #15:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #15:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #16:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #16:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #17:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #17:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #18:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #18:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #19:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #19:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #20:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #20:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #21:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #21:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #22:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #22:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #23:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #23:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #24:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #24:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #25:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #25:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #26:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #26:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #27:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #27:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #28:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #28:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #29:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #29:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #30:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #30:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #31:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #31:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
      dccp_close: ABORT with 65423 bytes unread
       #32:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #32:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #33:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #33:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #34:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #34:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #35:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #35:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #36:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #36:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #37:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #37:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #38:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #38:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #39:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #39:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #40:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #40:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #41:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #41:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #42:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #42:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #43:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #43:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #44:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #44:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #45:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #45:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #46:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #46:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
       #47:         (ptrval) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
       #47:         (ptrval) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x221/0x720 net/core/dev.c:2787
      INFO: lockdep is turned off.
      CPU: 1 PID: 10189 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #26
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       __lock_acquire+0x1788/0x5140 kernel/locking/lockdep.c:3449
       lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
       rcu_lock_acquire include/linux/rcupdate.h:246 [inline]
       rcu_read_lock include/linux/rcupdate.h:632 [inline]
       skb_mac_gso_segment+0x25b/0x720 net/core/dev.c:2789
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       nsh_gso_segment+0x405/0xb60 net/nsh/nsh.c:107
       skb_mac_gso_segment+0x3ad/0x720 net/core/dev.c:2792
       __skb_gso_segment+0x3bb/0x870 net/core/dev.c:2865
       skb_gso_segment include/linux/netdevice.h:4025 [inline]
       validate_xmit_skb+0x54d/0xd90 net/core/dev.c:3118
       validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3168
       sch_direct_xmit+0x354/0x11e0 net/sched/sch_generic.c:312
       qdisc_restart net/sched/sch_generic.c:399 [inline]
       __qdisc_run+0x741/0x1af0 net/sched/sch_generic.c:410
       __dev_xmit_skb net/core/dev.c:3243 [inline]
       __dev_queue_xmit+0x28ea/0x34c0 net/core/dev.c:3551
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3616
       packet_snd net/packet/af_packet.c:2951 [inline]
       packet_sendmsg+0x40f8/0x6070 net/packet/af_packet.c:2976
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:639
       __sys_sendto+0x3d7/0x670 net/socket.c:1789
       __do_sys_sendto net/socket.c:1801 [inline]
       __se_sys_sendto net/socket.c:1797 [inline]
       __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: c411ed85 ("nsh: add GSO support")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Jiri Benc <jbenc@redhat.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Acked-by: NJiri Benc <jbenc@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      af50e4ba
    • G
      net: atm: Fix potential Spectre v1 · acf784bd
      Gustavo A. R. Silva 提交于
      ioc_data.dev_num can be controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      net/atm/lec.c:702 lec_vcc_attach() warn: potential spectre issue
      'dev_lec'
      
      Fix this by sanitizing ioc_data.dev_num before using it to index
      dev_lec. Also, notice that there is another instance in which array
      dev_lec is being indexed using ioc_data.dev_num at line 705:
      lec_vcc_added(netdev_priv(dev_lec[ioc_data.dev_num]),
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      acf784bd
    • G
      atm: zatm: Fix potential Spectre v1 · 2be147f7
      Gustavo A. R. Silva 提交于
      pool can be indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/atm/zatm.c:1462 zatm_ioctl() warn: potential spectre issue
      'zatm_dev->pool_info' (local cap)
      
      Fix this by sanitizing pool before using it to index
      zatm_dev->pool_info
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2be147f7
    • S
      openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found · 72f17baf
      Stefano Brivio 提交于
      If an OVS_ATTR_NESTED attribute type is found while walking
      through netlink attributes, we call nlattr_set() recursively
      passing the length table for the following nested attributes, if
      different from the current one.
      
      However, once we're done with those sub-nested attributes, we
      should continue walking through attributes using the current
      table, instead of using the one related to the sub-nested
      attributes.
      
      For example, given this sequence:
      
      1  OVS_KEY_ATTR_PRIORITY
      2  OVS_KEY_ATTR_TUNNEL
      3	OVS_TUNNEL_KEY_ATTR_ID
      4	OVS_TUNNEL_KEY_ATTR_IPV4_SRC
      5	OVS_TUNNEL_KEY_ATTR_IPV4_DST
      6	OVS_TUNNEL_KEY_ATTR_TTL
      7	OVS_TUNNEL_KEY_ATTR_TP_SRC
      8	OVS_TUNNEL_KEY_ATTR_TP_DST
      9  OVS_KEY_ATTR_IN_PORT
      10 OVS_KEY_ATTR_SKB_MARK
      11 OVS_KEY_ATTR_MPLS
      
      we switch to the 'ovs_tunnel_key_lens' table on attribute #3,
      and we don't switch back to 'ovs_key_lens' while setting
      attributes #9 to #11 in the sequence. As OVS_KEY_ATTR_MPLS
      evaluates to 21, and the array size of 'ovs_tunnel_key_lens' is
      15, we also get this kind of KASan splat while accessing the
      wrong table:
      
      [ 7654.586496] ==================================================================
      [ 7654.594573] BUG: KASAN: global-out-of-bounds in nlattr_set+0x164/0xde9 [openvswitch]
      [ 7654.603214] Read of size 4 at addr ffffffffc169ecf0 by task handler29/87430
      [ 7654.610983]
      [ 7654.612644] CPU: 21 PID: 87430 Comm: handler29 Kdump: loaded Not tainted 3.10.0-866.el7.test.x86_64 #1
      [ 7654.623030] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.1.7 06/16/2016
      [ 7654.631379] Call Trace:
      [ 7654.634108]  [<ffffffffb65a7c50>] dump_stack+0x19/0x1b
      [ 7654.639843]  [<ffffffffb53ff373>] print_address_description+0x33/0x290
      [ 7654.647129]  [<ffffffffc169b37b>] ? nlattr_set+0x164/0xde9 [openvswitch]
      [ 7654.654607]  [<ffffffffb53ff812>] kasan_report.part.3+0x242/0x330
      [ 7654.661406]  [<ffffffffb53ff9b4>] __asan_report_load4_noabort+0x34/0x40
      [ 7654.668789]  [<ffffffffc169b37b>] nlattr_set+0x164/0xde9 [openvswitch]
      [ 7654.676076]  [<ffffffffc167ef68>] ovs_nla_get_match+0x10c8/0x1900 [openvswitch]
      [ 7654.684234]  [<ffffffffb61e9cc8>] ? genl_rcv+0x28/0x40
      [ 7654.689968]  [<ffffffffb61e7733>] ? netlink_unicast+0x3f3/0x590
      [ 7654.696574]  [<ffffffffc167dea0>] ? ovs_nla_put_tunnel_info+0xb0/0xb0 [openvswitch]
      [ 7654.705122]  [<ffffffffb4f41b50>] ? unwind_get_return_address+0xb0/0xb0
      [ 7654.712503]  [<ffffffffb65d9355>] ? system_call_fastpath+0x1c/0x21
      [ 7654.719401]  [<ffffffffb4f41d79>] ? update_stack_state+0x229/0x370
      [ 7654.726298]  [<ffffffffb4f41d79>] ? update_stack_state+0x229/0x370
      [ 7654.733195]  [<ffffffffb53fe4b5>] ? kasan_unpoison_shadow+0x35/0x50
      [ 7654.740187]  [<ffffffffb53fe62a>] ? kasan_kmalloc+0xaa/0xe0
      [ 7654.746406]  [<ffffffffb53fec32>] ? kasan_slab_alloc+0x12/0x20
      [ 7654.752914]  [<ffffffffb53fe711>] ? memset+0x31/0x40
      [ 7654.758456]  [<ffffffffc165bf92>] ovs_flow_cmd_new+0x2b2/0xf00 [openvswitch]
      
      [snip]
      
      [ 7655.132484] The buggy address belongs to the variable:
      [ 7655.138226]  ovs_tunnel_key_lens+0xf0/0xffffffffffffd400 [openvswitch]
      [ 7655.145507]
      [ 7655.147166] Memory state around the buggy address:
      [ 7655.152514]  ffffffffc169eb80: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
      [ 7655.160585]  ffffffffc169ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [ 7655.168644] >ffffffffc169ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
      [ 7655.176701]                                                              ^
      [ 7655.184372]  ffffffffc169ed00: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 05
      [ 7655.192431]  ffffffffc169ed80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      [ 7655.200490] ==================================================================
      Reported-by: NHangbin Liu <liuhangbin@gmail.com>
      Fixes: 982b5270 ("openvswitch: Fix mask generation for nested attributes.")
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Reviewed-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      72f17baf