1. 02 Apr, 2016 1 commit
    • tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter · 5a5abb1f
      Daniel Borkmann committed
      Sasha Levin reported a suspicious rcu_dereference_protected() warning
      found while fuzzing with trinity that is similar to this one:
      
        [   52.765684] net/core/filter.c:2262 suspicious rcu_dereference_protected() usage!
        [   52.765688] other info that might help us debug this:
        [   52.765695] rcu_scheduler_active = 1, debug_locks = 1
        [   52.765701] 1 lock held by a.out/1525:
        [   52.765704]  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff816a64b7>] rtnl_lock+0x17/0x20
        [   52.765721] stack backtrace:
        [   52.765728] CPU: 1 PID: 1525 Comm: a.out Not tainted 4.5.0+ #264
        [...]
        [   52.765768] Call Trace:
        [   52.765775]  [<ffffffff813e488d>] dump_stack+0x85/0xc8
        [   52.765784]  [<ffffffff810f2fa5>] lockdep_rcu_suspicious+0xd5/0x110
        [   52.765792]  [<ffffffff816afdc2>] sk_detach_filter+0x82/0x90
        [   52.765801]  [<ffffffffa0883425>] tun_detach_filter+0x35/0x90 [tun]
        [   52.765810]  [<ffffffffa0884ed4>] __tun_chr_ioctl+0x354/0x1130 [tun]
        [   52.765818]  [<ffffffff8136fed0>] ? selinux_file_ioctl+0x130/0x210
        [   52.765827]  [<ffffffffa0885ce3>] tun_chr_ioctl+0x13/0x20 [tun]
        [   52.765834]  [<ffffffff81260ea6>] do_vfs_ioctl+0x96/0x690
        [   52.765843]  [<ffffffff81364af3>] ? security_file_ioctl+0x43/0x60
        [   52.765850]  [<ffffffff81261519>] SyS_ioctl+0x79/0x90
        [   52.765858]  [<ffffffff81003ba2>] do_syscall_64+0x62/0x140
        [   52.765866]  [<ffffffff817d563f>] entry_SYSCALL64_slow_path+0x25/0x25
      
      Same can be triggered with PROVE_RCU (+ PROVE_RCU_REPEATEDLY) enabled
      from tun_attach_filter() when user space calls ioctl(tun_fd, TUN{ATTACH,
      DETACH}FILTER, ...) for adding/removing a BPF filter on tap devices.
      
      Since the fix in f91ff5b9 ("net: sk_{detach|attach}_filter() rcu
      fixes") sk_attach_filter()/sk_detach_filter() now dereferences the
      filter with rcu_dereference_protected(), checking whether socket lock
      is held in control path.
      
      Since its introduction in 99405162 ("tun: socket filter support"),
      tap filters are managed under RTNL lock from __tun_chr_ioctl(). Thus the
      sock_owned_by_user(sk) doesn't apply in this specific case and therefore
      triggers the false positive.
      
      Extend the BPF API with __sk_attach_filter()/__sk_detach_filter() pair
      that is used by tap filters and pass in lockdep_rtnl_is_held() for the
      rcu_dereference_protected() checks instead.
      Reported-by: Sasha Levin <sasha.levin@oracle.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 01 Apr, 2016 7 commits
  3. 31 Mar, 2016 12 commits
  4. 30 Mar, 2016 11 commits
  5. 29 Mar, 2016 2 commits
    • qmi_wwan: add "D-Link DWM-221 B1" device id · e84810c7
      Bjørn Mork committed
      Thomas reports:
      "Windows:
      
      00 diagnostics
      01 modem
      02 at-port
      03 nmea
      04 nic
      
      Linux:
      
      T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2001 ProdID=7e19 Rev=02.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
      Reported-by: Thomas Schäfer <tschaefer@t-online.de>
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 0c84ea17
      David S. Miller committed
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) There was a race condition between parallel save/swap and delete,
         which resulted in a kernel crash due to the increase ref for save, swap,
         wrong ref decrease operations. Reported and fixed by Vishwanath Pai.
      
      2) OVS should call into CT NAT for packets of new expected connections only
         when the conntrack state is persisted with the 'commit' option to the
         OVS CT action. From Jarno Rajahalme.
      
      3) Resolve kconfig dependencies with new OVS NAT support. From Arnd Bergmann.
      
      4) Early validation of entry->target_offset to make sure it doesn't take us
         out from the blob, from Florian Westphal.
      
      5) Again early validation of entry->next_offset to make sure it doesn't take
         out from the blob, also from Florian.
      
      6) Check that entry->target_offset is always of sizeof(struct xt_entry)
         for unconditional entries, when checking both from check_underflow()
         and when checking for loops in mark_source_chains(), again from
         Florian.
      
      7) Fix inconsistent behaviour in nfnetlink_queue when
         NFQA_CFG_F_FAIL_OPEN is set and netlink_unicast() fails due to buffer
         overrun, we have to reinject the packet as the user expects.
      
      8) Enforce nul-terminated table names from getsockopt GET_ENTRIES
         requests.
      
      9) Don't assume skb->sk is set from nft_bridge_reject and synproxy,
         this fixes a recent update of the code to namespaceify
         ip_default_ttl, patch from Liping Zhang.
      
      This batch comes with four patches to validate x_tables blobs coming
      from userspace. CONFIG_USERNS exposes the x_tables interface to
      unprivileged users and to be honest this interface never received the
      attention for this move away from the CAP_NET_ADMIN domain. Florian is
      working on another round with more patches with more sanity checks, so
      expect a bit more Netfilter fixes in this development cycle than usual.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  6. 28 Mar, 2016 7 commits