1. 29 8月, 2017 1 次提交
  2. 28 8月, 2017 1 次提交
  3. 26 8月, 2017 31 次提交
  4. 25 8月, 2017 7 次提交
    • E
      strparser: initialize all callbacks · 3fd87127
      Eric Biggers 提交于
      commit bbb03029 ("strparser: Generalize strparser") added more
      function pointers to 'struct strp_callbacks'; however, kcm_attach() was
      not updated to initialize them.  This could cause the ->lock() and/or
      ->unlock() function pointers to be set to garbage values, causing a
      crash in strp_work().
      
      Fix the bug by moving the callback structs into static memory, so
      unspecified members are zeroed.  Also constify them while we're at it.
      
      This bug was found by syzkaller, which encountered the following splat:
      
          IP: 0x55
          PGD 3b1ca067
          P4D 3b1ca067
          PUD 3b12f067
          PMD 0
      
          Oops: 0010 [#1] SMP KASAN
          Dumping ftrace buffer:
             (ftrace buffer empty)
          Modules linked in:
          CPU: 2 PID: 1194 Comm: kworker/u8:1 Not tainted 4.13.0-rc4-next-20170811 #2
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
          Workqueue: kstrp strp_work
          task: ffff88006bb0e480 task.stack: ffff88006bb10000
          RIP: 0010:0x55
          RSP: 0018:ffff88006bb17540 EFLAGS: 00010246
          RAX: dffffc0000000000 RBX: ffff88006ce4bd60 RCX: 0000000000000000
          RDX: 1ffff1000d9c97bd RSI: 0000000000000000 RDI: ffff88006ce4bc48
          RBP: ffff88006bb17558 R08: ffffffff81467ab2 R09: 0000000000000000
          R10: ffff88006bb17438 R11: ffff88006bb17940 R12: ffff88006ce4bc48
          R13: ffff88003c683018 R14: ffff88006bb17980 R15: ffff88003c683000
          FS:  0000000000000000(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 0000000000000055 CR3: 000000003c145000 CR4: 00000000000006e0
          DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
          DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
          Call Trace:
           process_one_work+0xbf3/0x1bc0 kernel/workqueue.c:2098
           worker_thread+0x223/0x1860 kernel/workqueue.c:2233
           kthread+0x35e/0x430 kernel/kthread.c:231
           ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
          Code:  Bad RIP value.
          RIP: 0x55 RSP: ffff88006bb17540
          CR2: 0000000000000055
          ---[ end trace f0e4920047069cee ]---
      
      Here is a C reproducer (requires CONFIG_BPF_SYSCALL=y and
      CONFIG_AF_KCM=y):
      
          #include <linux/bpf.h>
          #include <linux/kcm.h>
          #include <linux/types.h>
          #include <stdint.h>
          #include <sys/ioctl.h>
          #include <sys/socket.h>
          #include <sys/syscall.h>
          #include <unistd.h>
      
          static const struct bpf_insn bpf_insns[3] = {
              { .code = 0xb7 }, /* BPF_MOV64_IMM(0, 0) */
              { .code = 0x95 }, /* BPF_EXIT_INSN() */
          };
      
          static const union bpf_attr bpf_attr = {
              .prog_type = 1,
              .insn_cnt = 2,
              .insns = (uintptr_t)&bpf_insns,
              .license = (uintptr_t)"",
          };
      
          int main(void)
          {
              int bpf_fd = syscall(__NR_bpf, BPF_PROG_LOAD,
                                   &bpf_attr, sizeof(bpf_attr));
              int inet_fd = socket(AF_INET, SOCK_STREAM, 0);
              int kcm_fd = socket(AF_KCM, SOCK_DGRAM, 0);
      
              ioctl(kcm_fd, SIOCKCMATTACH,
                    &(struct kcm_attach) { .fd = inet_fd, .bpf_fd = bpf_fd });
          }
      
      Fixes: bbb03029 ("strparser: Generalize strparser")
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Tom Herbert <tom@quantonium.net>
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3fd87127
    • H
      hv_netvsc: Fix rndis_filter_close error during netvsc_remove · c6f71c41
      Haiyang Zhang 提交于
      We now remove rndis filter before unregister_netdev(), which calls
      device close. It involves closing rndis filter already removed.
      
      This patch fixes this error.
      Signed-off-by: NHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c6f71c41
    • D
      Merge tag 'mlx5-updates-2017-08-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 0cf3f4c3
      David S. Miller 提交于
      Saeed Mahameed says:
      
      ====================
      mlx5-updates-2017-08-24
      
      This series includes updates to mlx5 core driver.
      
      From Gal and Saeed, three cleanup patches.
      From Matan, Low level flow steering improvements and optimizations,
       - Use more efficient data structures for flow steering objects handling.
       - Add tracepoints to flow steering operations.
       - Overall these patches improve flow steering rule insertion rate by a
         factor of seven in large scales (~50K rules or more).
      
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0cf3f4c3
    • D
      hinic: uninitialized variable in hinic_api_cmd_init() · 256fbe11
      Dan Carpenter 提交于
      We never set the error code in this function.
      
      Fixes: eabf0fad ("net-next/hinic: Initialize api cmd resources")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      256fbe11
    • F
      net: mv643xx_eth: Be drop monitor friendly · 43cee2d2
      Florian Fainelli 提交于
      txq_reclaim() does the normal transmit queue reclamation and
      rxq_deinit() does the RX ring cleanup, none of these are packet drops,
      so use dev_consume_skb() for both locations.
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      43cee2d2
    • F
      tg3: Be drop monitor friendly · 1e9d8e7a
      Florian Fainelli 提交于
      tg3_tx() does the normal packet TX completion,
      tigon3_dma_hwbug_workaround() and tg3_tso_bug() both need to allocate a
      new SKB that is suitable to workaround HW bugs, and finally
      tg3_free_rings() is doing ring cleanup. Use dev_consume_skb_any() for
      these 3 locations to be SKB drop monitor friendly.
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1e9d8e7a
    • D
      Merge branch 'ipv6-Route-ICMPv6-errors-with-the-flow-when-ECMP-in-use' · 45c7ec9d
      David S. Miller 提交于
      Jakub Sitnicki says:
      
      ====================
      ipv6: Route ICMPv6 errors with the flow when ECMP in use
      
      This patch set is another take at making Path MTU Discovery work when
      server nodes are behind a router employing multipath routing in a
      load-balance or anycast setup (that is, when not every end-node can be
      reached by every path). The problem has been well described in RFC 7690
      [1], but in short - in such setups ICMPv6 PTB errors are not guaranteed
      to be routed back to the server node that sent a reply that exceeds path
      MTU.
      
      The proposed solution is two-fold:
      
       (1) on the server side - reflect the Flow Label [2]. This can be done
           without modifying the application using a new per-netns sysctl knob
           that has been proposed independently of this patchset in the patch
           entitled "ipv6: Add sysctl for per namespace flow label
           reflection" [3].
      
       (2) on the ECMP router - make the ipv6 routing subsystem look into the
           ICMPv6 error packets and compute the flow-hash from its payload,
           i.e. the offending packet that triggered the error. This is the
           same behavior as ipv4 stack has already.
      
      With both parts in place Path MTU Discovery can work past the ECMP
      router when using IPv6.
      
      [1] https://tools.ietf.org/html/rfc7690
      [2] https://tools.ietf.org/html/draft-wang-6man-flow-label-reflection-01
      [3] http://patchwork.ozlabs.org/patch/804870/
      
      v1 -> v2:
       - don't use "extern" in external function declaration in header file
       - style change, put as many arguments as possible on the first line of
         a function call, and align consecutive lines to the first argument
       - expand the cover letter based on the feedback
      
      v2 -> v3:
       - switch to computing flow-hash using flow dissector to align with
         recent changes to multipath routing in ipv4 stack
       - add a sysctl knob for enabling flow label reflection per netns
      
      ---
      
      Testing has covered multipath routing of ICMPv6 PTB errors in forward
      and local output path in a simple use-case of an HTTP server sending a
      reply which is over the path MTU size [3]. I have also checked if the
      flows get evenly spread over multiple paths (i.e. if there are no
      regressions) [4].
      
      [3] https://github.com/jsitnicki/tools/tree/master/net/tests/ecmp/pmtud
      [4] https://github.com/jsitnicki/tools/tree/master/net/tests/ecmp/load-balance
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      45c7ec9d