1. 04 Nov, 2018 6 commits
    • S
      net: udp: fix handling of CHECKSUM_COMPLETE packets · 4fb0dc97
      Sean Tranchetti committed
      [ Upstream commit db4f1be3ca9b0ef7330763d07bf4ace83ad6f913 ]
      
      Current handling of CHECKSUM_COMPLETE packets by the UDP stack is
      incorrect for any packet that has an incorrect checksum value.
      
      udp4/6_csum_init() will both make a call to
      __skb_checksum_validate_complete() to initialize/validate the csum
      field when receiving a CHECKSUM_COMPLETE packet. When this packet
      fails validation, skb->csum will be overwritten with the pseudoheader
      checksum so the packet can be fully validated by software, but the
      skb->ip_summed value will be left as CHECKSUM_COMPLETE so that way
      the stack can later warn the user about their hardware spewing bad
      checksums. Unfortunately, leaving the SKB in this state can cause
      problems later on in the checksum calculation.
      
      Since the packet is still marked as CHECKSUM_COMPLETE,
      udp_csum_pull_header() will SUBTRACT the checksum of the UDP header
      from skb->csum instead of adding it, leaving us with a garbage value
      in that field. Once we try to copy the packet to userspace in the
      udp4/6_recvmsg(), we'll make a call to skb_copy_and_csum_datagram_msg()
      to checksum the packet data and add it in the garbage skb->csum value
      to perform our final validation check.
      
      Since the value we're validating is not the proper checksum, it's possible
      that the folded value could come out to 0, causing us not to drop the
      packet. Instead, we believe that the packet was checksummed incorrectly
      by hardware since skb->ip_summed is still CHECKSUM_COMPLETE, and we attempt
      to warn the user with netdev_rx_csum_fault(skb->dev);
      
      Unfortunately, since this is the UDP path, skb->dev has been overwritten
      by skb->dev_scratch and is no longer a valid pointer, so we end up
      reading invalid memory.
      
      This patch addresses this problem in two ways:
      	1) Do not use the dev pointer when calling netdev_rx_csum_fault()
      	   from skb_copy_and_csum_datagram_msg(). Since this gets called
      	   from the UDP path where skb->dev has been overwritten, we have
      	   no way of knowing if the pointer is still valid. Also for the
      	   sake of consistency with the other uses of
      	   netdev_rx_csum_fault(), don't attempt to call it if the
      	   packet was checksummed by software.
      
      	2) Add better CHECKSUM_COMPLETE handling to udp4/6_csum_init().
      	   If we receive a packet that's CHECKSUM_COMPLETE that fails
      	   verification (i.e. skb->csum_valid == 0), check who performed
      	   the calculation. It's possible that the checksum was done in
      	   software by the network stack earlier (such as Netfilter's
      	   CONNTRACK module), and if that says the checksum is bad,
      	   we can drop the packet immediately instead of waiting until
      	   we try and copy it to userspace. Otherwise, we need to
      	   mark the SKB as CHECKSUM_NONE, since the skb->csum field
      	   no longer contains the full packet checksum after the
      	   call to __skb_checksum_validate_complete().
      
      Fixes: e6afc8ac ("udp: remove headers from UDP packets before queueing")
      Fixes: c84d9490 ("udp: copy skb->truesize in the first cache line")
      Cc: Sam Kumar <samanthakumar@google.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fb0dc97
    • N
      net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules · b4f003cb
      Niklas Cassel committed
      [ Upstream commit 30549aab146ccb1275230c3b4b4bc6b4181fd54e ]
      
      When building stmmac, it is only possible to select CONFIG_DWMAC_GENERIC,
      or any of the glue drivers, when CONFIG_STMMAC_PLATFORM is set.
      The only exception is CONFIG_STMMAC_PCI.
      
      When calling of_mdiobus_register(), it will call our ->reset()
      callback, which is set to stmmac_mdio_reset().
      
      Most of the code in stmmac_mdio_reset() is protected by a
      "#if defined(CONFIG_STMMAC_PLATFORM)", which will evaluate
      to false when CONFIG_STMMAC_PLATFORM=m.
      
      Because of this, the phy reset gpio will only be pulled when
      stmmac is built as built-in, but not when built as modules.
      
      Fix this by using "#if IS_ENABLED()" instead of "#if defined()".
      Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      b4f003cb
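
The `defined()` versus `IS_ENABLED()` difference described in the stmmac commit above, as an added example that is not part of the commit or the kernel tree. It is a user-space model of the macro technique behind `IS_ENABLED()` in `include/linux/kconfig.h`; the `KC_*` helper names and the `CONFIG_EXAMPLE_*` options are assumptions made up for this example.

```c
/* User-space model of IS_ENABLED(); KC_* and CONFIG_EXAMPLE_* are this example's own. */
#include <stdio.h>

/* A tristate option set to "m" yields only the _MODULE symbol ("y" defines the bare name). */
#define CONFIG_STMMAC_PLATFORM_MODULE 1
#define CONFIG_EXAMPLE_BUILTIN 1   /* hypothetical "=y" option; CONFIG_EXAMPLE_UNSET stays undefined */

/* When val is 1 the paste expands to "0," which pushes a 1 into second place. */
#define KC_ARG_PLACEHOLDER_1 0,
#define KC_SECOND(ignored, val, ...) val
#define KC_IS_DEFINED(x) KC_IS_DEFINED_(x)
#define KC_IS_DEFINED_(val) KC_IS_DEFINED__(KC_ARG_PLACEHOLDER_##val)
#define KC_IS_DEFINED__(arg1_or_junk) KC_SECOND(arg1_or_junk 1, 0, 0)
#define KC_OR(x, y) KC_OR_(x, y)
#define KC_OR_(x, y) KC_OR__(KC_ARG_PLACEHOLDER_##x, y)
#define KC_OR__(arg1_or_junk, y) KC_SECOND(arg1_or_junk 1, y, 0)
#define IS_BUILTIN(option) KC_IS_DEFINED(option)
#define IS_MODULE(option) KC_IS_DEFINED(option##_MODULE)
#define IS_ENABLED(option) KC_OR(IS_BUILTIN(option), IS_MODULE(option))

/* Guard shape before the fix: true only for "=y". */
int reset_built_with_defined(void)
{
#if defined(CONFIG_STMMAC_PLATFORM)
	return 1;
#else
	return 0;	/* "=m": the guarded code is silently compiled out */
#endif
}

/* Guard shape after the fix: true for "=y" and "=m". */
int reset_built_with_is_enabled(void)
{
#if IS_ENABLED(CONFIG_STMMAC_PLATFORM)
	return 1;
#else
	return 0;
#endif
}

/* IS_ENABLED() for y, m and unset options, packed as decimal digits (110). */
int tristate_digits(void)
{
	return IS_ENABLED(CONFIG_EXAMPLE_BUILTIN) * 100 +
	       IS_ENABLED(CONFIG_STMMAC_PLATFORM) * 10 +
	       IS_ENABLED(CONFIG_EXAMPLE_UNSET);
}

int main(void)
{
	printf("defined=%d IS_ENABLED=%d y/m/unset=%03d\n", reset_built_with_defined(),
	       reset_built_with_is_enabled(), tristate_digits());
	return 0;
}
```
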
    • J
      net: sched: gred: pass the right attribute to gred_change_table_def() · 917629e6
      Jakub Kicinski committed
      [ Upstream commit 38b4f18d56372e1e21771ab7b0357b853330186c ]
      
      gred_change_table_def() takes a pointer to TCA_GRED_DPS attribute,
      and expects it will be able to interpret its contents as
      struct tc_gred_sopt.  Pass the correct gred attribute, instead of
      TCA_OPTIONS.
      
      This bug meant the table definition could never be changed after
      Qdisc was initialized (unless whatever TCA_OPTIONS contained both
      passed netlink validation and was a valid struct tc_gred_sopt...).
      
      Old behaviour:
      $ ip link add type dummy
      $ tc qdisc replace dev dummy0 parent root handle 7: \
           gred setup vqs 4 default 0
      $ tc qdisc replace dev dummy0 parent root handle 7: \
           gred setup vqs 4 default 0
      RTNETLINK answers: Invalid argument
      
      Now:
      $ ip link add type dummy
      $ tc qdisc replace dev dummy0 parent root handle 7: \
           gred setup vqs 4 default 0
      $ tc qdisc replace dev dummy0 parent root handle 7: \
           gred setup vqs 4 default 0
      $ tc qdisc replace dev dummy0 parent root handle 7: \
           gred setup vqs 4 default 0
      
      Fixes: f62d6b93 ("[PKT_SCHED]: GRED: Use central VQ change procedure")
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      917629e6
    • E
      net/mlx5e: fix csum adjustments caused by RXFCS · c5eebcf0
      Eric Dumazet committed
      [ Upstream commit d48051c5b8376038c2b287c3b1bd55b8d391d567 ]
      
      As shown by Dimitris, we need to use csum_block_add() instead of csum_add()
      when adding the FCS contribution to skb csum.
      
      Before 4.18 (more exactly commit 88078d98 "net: pskb_trim_rcsum()
      and CHECKSUM_COMPLETE are friends"), the whole skb csum was thrown away,
      so RXFCS changes were ignored.
      
      Then before commit d55bef50 ("net: fix pskb_trim_rcsum_slow() with
      odd trim offset") both mlx5 and pskb_trim_rcsum_slow() bugs were canceling
      each other.
      
      Now we fixed pskb_trim_rcsum_slow() we need to fix mlx5.
      
      Note that this patch also rewrites mlx5e_get_fcs() to:
      
      - Use skb_header_pointer() instead of reinventing it.
      - Use __get_unaligned_cpu32() to avoid possible non aligned accesses
        as Dimitris pointed out.
      
      Fixes: 902a5459 ("net/mlx5e: When RXFCS is set, add FCS data into checksum calculation")
      Reported-by: Paweł Staszewski <pstaszewski@itcare.pl>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Eran Ben Elisha <eranbe@mellanox.com>
      Cc: Saeed Mahameed <saeedm@mellanox.com>
      Cc: Dimitris Michailidis <dmichail@google.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: Paweł Staszewski <pstaszewski@itcare.pl>
      Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
      Tested-By: Maria Pasechnik <mariap@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5eebcf0
    • S
      ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called · dc31623a
      Stefano Brivio committed
      [ Upstream commit ee1abcf689353f36d9322231b4320926096bdee0 ]
      
      Commit a61bbcf2 ("[NET]: Store skb->timestamp as offset to a base
      timestamp") introduces a neighbour control buffer and zeroes it out in
      ndisc_rcv(), as ndisc_recv_ns() uses it.
      
      Commit f2776ff0 ("[IPV6]: Fix address/interface handling in UDP and
      DCCP, according to the scoping architecture.") introduces the usage of the
      IPv6 control buffer in protocol error handlers (e.g. inet6_iif() in
      present-day __udp6_lib_err()).
      
      Now, with commit b94f1c09 ("ipv6: Use icmpv6_notify() to propagate
      redirect, instead of rt6_redirect()."), we call protocol error handlers
      from ndisc_redirect_rcv(), after the control buffer is already stolen and
      some parts are already zeroed out. This implies that inet6_iif() on this
      path will always return zero.
      
      This gives unexpected results on UDP socket lookup in __udp6_lib_err(), as
      we might actually need to match sockets for a given interface.
      
      Instead of always claiming the control buffer in ndisc_rcv(), do that only
      when needed.
      
      Fixes: b94f1c09 ("ipv6: Use icmpv6_notify() to propagate redirect, instead of rt6_redirect().")
      Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
      Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      dc31623a
    • H
      bridge: do not add port to router list when receives query with source 0.0.0.0 · 0f216d94
      Hangbin Liu committed
      [ Upstream commit 5a2de63fd1a59c30c02526d427bc014b98adf508 ]
      
      Based on RFC 4541, 2.1.1.  IGMP Forwarding Rules
      
        The switch supporting IGMP snooping must maintain a list of
        multicast routers and the ports on which they are attached.  This
        list can be constructed in any combination of the following ways:
      
        a) This list should be built by the snooping switch sending
           Multicast Router Solicitation messages as described in IGMP
           Multicast Router Discovery [MRDISC].  It may also snoop
           Multicast Router Advertisement messages sent by and to other
           nodes.
      
        b) The arrival port for IGMP Queries (sent by multicast routers)
           where the source address is not 0.0.0.0.
      
      We should not add the port to the router list when it receives a query
      with source 0.0.0.0.
      Reported-by: Ying Xu <yinxu@redhat.com>
      Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
      Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f216d94
  2. 22 Oct, 2018 8 commits
  3. 21 Oct, 2018 4 commits
  4. 20 Oct, 2018 16 commits
  5. 19 Oct, 2018 6 commits
    • B
      drm/sun4i: Fix an ulong overflow in the dotclock driver · e84cb605
      Boris Brezillon committed
      The calculated ideal rate can easily overflow an unsigned long, thus
      making the best div selection buggy as soon as no ideal match is found
      before the overflow occurs.
      
      Fixes: 4731a72d ("drm/sun4i: request exact rates to our parents")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
      Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20181018100250.12565-1-boris.brezillon@bootlin.com
      e84cb605
    • G
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 91b15613
      Greg Kroah-Hartman committed
      David writes:
        "Networking
      
         1) Fix gro_cells leak in xfrm layer, from Li RongQing.
      
         2) BPF selftests change RLIMIT_MEMLOCK blindly, don't do that.  From
            Eric Dumazet.
      
         3) AF_XDP calls synchronize_net() under RCU lock, fix from Björn
            Töpel.
      
         4) Out of bounds packet access in _decode_session6(), from Alexei
            Starovoitov.
      
         5) Several ethtool bugs, where we copy a struct into the kernel twice
            and our validations of the values in the first copy can be
            invalidated by the second copy due to asynchronous updates to the
            memory by the user.  From Wenwen Wang.
      
         6) Missing netlink attribute validation in cls_api, from Davide
            Caratti.
      
         7) LLC SAP sockets need to be SOCK_RCU_FREE, from Cong Wang.
      
         8) rxrpc operates on wrong kvec, from Yue Haibing.
      
         9) A regression was introduced by the disassociation of route
            neighbour references in rt6_probe(), causing probe for
            neighbourless routes to not be properly rate limited.  Fix from
            Sabrina Dubroca.
      
         10) Unsafe RCU locking in tipc, from Tung Nguyen.
      
         11) Use after free in inet6_mc_check(), from Eric Dumazet.
      
         12) PMTU from icmp packets should update the SCTP transport pathmtu,
             from Xin Long.
      
         13) Missing peer put on error in rxrpc, from David Howells.
      
         14) Fix pedit in nfp driver, from Pieter Jansen van Vuuren.
      
         15) Fix overflowing shift statement in qla3xxx driver, from Nathan
             Chancellor.
      
         16) Fix Spectre v1 in ptp code, from Gustavo A. R. Silva.
      
         17) udp6_unicast_rcv_skb() interprets udpv6_queue_rcv_skb() return
             value in an inverted manner, fix from Paolo Abeni.
      
         18) Fix missed unresolved entries in ipmr dumps, from Nikolay
             Aleksandrov.
      
         19) Fix NAPI handling under high load, we can completely miss events
             when NAPI has to loop more than one time in a cycle.  From Heiner
             Kallweit."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (49 commits)
        ip6_tunnel: Fix encapsulation layout
        tipc: fix info leak from kernel tipc_event
        net: socket: fix a missing-check bug
        net: sched: Fix for duplicate class dump
        r8169: fix NAPI handling under high load
        net: ipmr: fix unresolved entry dumps
        net: mscc: ocelot: Fix comment in ocelot_vlant_wait_for_completion()
        sctp: fix the data size calculation in sctp_data_size
        virtio_net: avoid using netif_tx_disable() for serializing tx routine
        udp6: fix encap return code for resubmitting
        mlxsw: core: Fix use-after-free when flashing firmware during init
        sctp: not free the new asoc when sctp_wait_for_connect returns err
        sctp: fix race on sctp_id2asoc
        r8169: re-enable MSI-X on RTL8168g
        net: bpfilter: use get_pid_task instead of pid_task
        ptp: fix Spectre v1 vulnerability
        net: qla3xxx: Remove overflowing shift statement
        geneve, vxlan: Don't set exceptions if skb->len < mtu
        geneve, vxlan: Don't check skb_dst() twice
        sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL instead
        ...
      91b15613
    • G
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 2a966610
      Greg Kroah-Hartman committed
      David writes:
        "Sparc fixes:
      
         The main bit here is fixing how fallback system calls are handled in
         the sparc vDSO.
      
         Unfortunately, I fat fingered the commit and some perf debugging
         hacks slipped into the vDSO fix, which I revert in the very next
         commit."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: Revert unintended perf changes.
        sparc: vDSO: Silence an uninitialized variable warning
        sparc: Fix syscall fallback bugs in VDSO.
      2a966610
    • G
      Merge tag 'drm-fixes-2018-10-19' of git://anongit.freedesktop.org/drm/drm · 7555c5d5
      Greg Kroah-Hartman committed
      Dave writes:
        "drm fixes for 4.19 final
      
         Just a last set of misc core fixes for final.
      
         4 fixes, one use after free, one fb integration fix, one EDID fix,
         and one laptop panel quirk,"
      
      * tag 'drm-fixes-2018-10-19' of git://anongit.freedesktop.org/drm/drm:
        drm/edid: VSDB yCBCr420 Deep Color mode bit definitions
        drm: fix use of freed memory in drm_mode_setcrtc
        drm: fb-helper: Reject all pixel format changing requests
        drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl
      7555c5d5
    • G
      Merge tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · eb6d938f
      Greg Kroah-Hartman committed
      Doug writes:
        "Really final for-rc pull request for 4.19
      
         Ok, so last week I thought we had sent our final pull request for
         4.19.  Well, wouldn't ya know someone went and found a couple Spectre
         v1 fixes were needed :-/.  So, a couple *very* small Spectre patches
         for this (hopefully) final -rc week."
      
      * tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/ucma: Fix Spectre v1 vulnerability
        IB/ucm: Fix Spectre v1 vulnerability
      eb6d938f
    • C
      x86/swiotlb: Enable swiotlb for > 4GiG RAM on 32-bit kernels · 485734f3
      Christoph Hellwig committed
      We already build the swiotlb code for 32-bit kernels with PAE support,
      but the code to actually use swiotlb has only been enabled for 64-bit
      kernels for an unknown reason.
      
      Before Linux v4.18 we papered over this fact because the networking code,
      the SCSI layer and some random block drivers implemented their own
      bounce buffering scheme.
      
      [ mingo: Changelog fixes. ]
      
      Fixes: 21e07dba ("scsi: reduce use of block bounce buffers")
      Fixes: ab74cfeb ("net: remove the PCI_DMA_BUS_IS_PHYS check in illegal_highdma")
      Reported-by: Matthew Whitehead <tedheadster@gmail.com>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Tested-by: Matthew Whitehead <tedheadster@gmail.com>
      Cc: konrad.wilk@oracle.com
      Cc: iommu@lists.linux-foundation.org
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181014075208.2715-1-hch@lst.de
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      485734f3