1. 16 June 2018, 11 commits
    • tls: fix use-after-free in tls_push_record · a447da7d
      Committed by Daniel Borkmann
      syzkaller managed to trigger a use-after-free in tls like the
      following:
      
        BUG: KASAN: use-after-free in tls_push_record.constprop.15+0x6a2/0x810 [tls]
        Write of size 1 at addr ffff88037aa08000 by task a.out/2317
      
        CPU: 3 PID: 2317 Comm: a.out Not tainted 4.17.0+ #144
        Hardware name: LENOVO 20FBCTO1WW/20FBCTO1WW, BIOS N1FET47W (1.21 ) 11/28/2016
        Call Trace:
         dump_stack+0x71/0xab
         print_address_description+0x6a/0x280
         kasan_report+0x258/0x380
         ? tls_push_record.constprop.15+0x6a2/0x810 [tls]
         tls_push_record.constprop.15+0x6a2/0x810 [tls]
         tls_sw_push_pending_record+0x2e/0x40 [tls]
         tls_sk_proto_close+0x3fe/0x710 [tls]
         ? tcp_check_oom+0x4c0/0x4c0
         ? tls_write_space+0x260/0x260 [tls]
         ? kmem_cache_free+0x88/0x1f0
         inet_release+0xd6/0x1b0
         __sock_release+0xc0/0x240
         sock_close+0x11/0x20
         __fput+0x22d/0x660
         task_work_run+0x114/0x1a0
         do_exit+0x71a/0x2780
         ? mm_update_next_owner+0x650/0x650
         ? handle_mm_fault+0x2f5/0x5f0
         ? __do_page_fault+0x44f/0xa50
         ? mm_fault_error+0x2d0/0x2d0
         do_group_exit+0xde/0x300
         __x64_sys_exit_group+0x3a/0x50
         do_syscall_64+0x9a/0x300
         ? page_fault+0x8/0x30
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      This happened through fault injection where aead_req allocation in
      tls_do_encryption() eventually failed and we returned -ENOMEM from
      the function. Turns out that the use-after-free is triggered from
      tls_sw_sendmsg() in the second tls_push_record(). The error then
      triggers a jump to waiting for memory in sk_stream_wait_memory()
      resp. returning immediately in case of MSG_DONTWAIT. What follows is
      the trim_both_sgl(sk, orig_size), which drops elements from the sg
      list added via tls_sw_sendmsg(). Now the use-after-free gets triggered
      when the socket is being closed, where tls_sk_proto_close() callback
      is invoked. The tls_complete_pending_work() will figure that there's
      a pending closed tls record to be flushed and thus calls into the
      tls_push_pending_closed_record() from there. ctx->push_pending_record()
      is called from the latter, which is the tls_sw_push_pending_record()
      from sw path. This again calls into tls_push_record(). And here the
      tls_fill_prepend() will panic since the buffer address has been freed
      earlier via trim_both_sgl(). One way to fix it is to move the aead
      request allocation out of tls_do_encryption() early into tls_push_record().
      This means we don't prep the tls header and advance state to the
      TLS_PENDING_CLOSED_RECORD before allocation which could potentially
      fail happened. That fixes the issue on my side.
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Reported-by: syzbot+5c74af81c547738e1684@syzkaller.appspotmail.com
      Reported-by: syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: Dave Watson <davejwatson@fb.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
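      As an added illustration, not code from the commit or from the kernel: a constructed userspace model of the ordering the message describes, running the original order (header prepped and state advanced before the aead request allocation) and the fixed order (allocate first) through the same failing-allocation, trim, close sequence. The names rec_ctx, push_record, proto_close and run_scenario are hypothetical stand-ins for the tls_sw.c functions named above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

enum rec_state { REC_OPEN, REC_PENDING_CLOSED }; /* constructed model, not kernel code */
struct rec_ctx {
	enum rec_state state;
	char *buf;          /* record buffer, stands in for the sg list */
	bool alloc_fails;   /* fault-injection knob for the aead request */
};

static void *alloc_aead_req(struct rec_ctx *c)
{
	return c->alloc_fails ? NULL : malloc(64);
}

/* alloc_first=false is the original order, alloc_first=true the fixed one */
static int push_record(struct rec_ctx *c, bool alloc_first)
{
	void *req = NULL;
	if (alloc_first && !(req = alloc_aead_req(c)))
		return -ENOMEM;               /* nothing prepped, nothing pending */
	memset(c->buf, 0x17, 5);          /* tls_fill_prepend(): record header */
	c->state = REC_PENDING_CLOSED;    /* record now counts as pending */
	if (!alloc_first && !(req = alloc_aead_req(c)))
		return -ENOMEM;               /* pending record survives the failure */
	free(req);                        /* encryption done, record consumed */
	c->state = REC_OPEN;
	return 0;
}

/* Close path: -EFAULT marks where the kernel would write into freed memory. */
static int proto_close(struct rec_ctx *c)
{
	if (c->state != REC_PENDING_CLOSED)
		return 0;                     /* nothing pending, nothing to flush */
	if (!c->buf)
		return -EFAULT;               /* tls_fill_prepend() on freed sg */
	return 0;                         /* flush of a still-live buffer */
}

/* sendmsg with a failing allocation, then close; returns proto_close() result */
int run_scenario(bool fixed)
{
	struct rec_ctx c = { REC_OPEN, malloc(64), true };
	push_record(&c, fixed);
	free(c.buf); c.buf = NULL;        /* trim_both_sgl() drops the sg entries */
	return proto_close(&c);
}
```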
    • Merge branch 'l2tp-l2tp_ppp-must-ignore-non-PPP-sessions' · 695ad876
      Committed by David S. Miller
      Guillaume Nault says:
      
      ====================
      l2tp: l2tp_ppp must ignore non-PPP sessions
      
      The original L2TP code was written for version 2 of the protocol, which
      could only carry PPP sessions. Then L2TPv3 generalised the protocol so that
      it could transport different kinds of pseudo-wires. But parts of the
      l2tp_ppp module still break in presence of non-PPP sessions.
      
      Assuming L2TPv2 tunnels can only transport PPP sessions is right, but
      l2tp_netlink failed to ensure that (fixed in patch 1).
      When retrieving a session from an arbitrary tunnel, l2tp_ppp needs to
      filter out non-PPP sessions (last occurrence fixed in patch 2).
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl() · ecd012e4
      Committed by Guillaume Nault
      pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
      'session' may be an Ethernet pseudo-wire.
      
      However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
      assumes l2tp_session_priv() points to a pppol2tp_session structure. For
      an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
      structure instead, making pppol2tp_session_ioctl() access invalid
      memory.
      
      Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support")
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels · de9bada5
      Committed by Guillaume Nault
      The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all
      L2TPv2 tunnels, and rightfully expect that only PPP sessions can be
      found there. However, l2tp_netlink accepts creating Ethernet sessions
      regardless of the underlying tunnel version.
      
      This confuses pppol2tp_seq_session_show(), which expects that
      l2tp_session_priv() returns a pppol2tp_session structure. When the
      session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned
      instead. This leads to invalid memory access when
      pppol2tp_session_get_sock() later tries to dereference ps->sk.
      
      Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support")
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'mlxsw-IPv6-and-reference-counting-fixes' · eab9a2d5
      Committed by David S. Miller
      Ido Schimmel says:
      
      ====================
      mlxsw: IPv6 and reference counting fixes
      
      The first three patches fix a mismatch between the new IPv6 behavior
      introduced in commit f34436a4 ("net/ipv6: Simplify route replace and
      appending into multipath route") and mlxsw. The patches allow the driver
      to support multipathing in IPv6 overlays with GRE tunnel devices. A
      selftest will be submitted when net-next opens.
      
      The last patch fixes a reference count problem of the port_vlan struct.
      I plan to simplify the code in net-next, so that reference counting is
      not necessary anymore.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: spectrum_switchdev: Fix port_vlan refcounting · 9e25826f
      Committed by Petr Machata
      Switchdev notifications for addition of SWITCHDEV_OBJ_ID_PORT_VLAN are
      distributed not only on clean addition, but also when flags on an
      existing VLAN are changed. mlxsw_sp_bridge_port_vlan_add() calls
      mlxsw_sp_port_vlan_get() to get at the port_vlan in question, which
      implicitly references the object. This then leads to discrepancies in
      reference counting when the VLAN is removed. spectrum.c warns about the
      problem when the module is removed:
      
      [13578.493090] WARNING: CPU: 0 PID: 2454 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2973 mlxsw_sp_port_remove+0xfd/0x110 [mlxsw_spectrum]
      [...]
      [13578.627106] Call Trace:
      [13578.629617]  mlxsw_sp_fini+0x2a/0xe0 [mlxsw_spectrum]
      [13578.634748]  mlxsw_core_bus_device_unregister+0x3e/0x130 [mlxsw_core]
      [13578.641290]  mlxsw_pci_remove+0x13/0x40 [mlxsw_pci]
      [13578.646238]  pci_device_remove+0x31/0xb0
      [13578.650244]  device_release_driver_internal+0x14f/0x220
      [13578.655562]  driver_detach+0x32/0x70
      [13578.659183]  bus_remove_driver+0x47/0xa0
      [13578.663134]  pci_unregister_driver+0x1e/0x80
      [13578.667486]  mlxsw_sp_module_exit+0xc/0x3fa [mlxsw_spectrum]
      [13578.673207]  __x64_sys_delete_module+0x13b/0x1e0
      [13578.677888]  ? exit_to_usermode_loop+0x78/0x80
      [13578.682374]  do_syscall_64+0x39/0xe0
      [13578.685976]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fix by putting the port_vlan when mlxsw_sp_port_vlan_bridge_join()
      determines it's a flag-only change.
      
      Fixes: b3529af6 ("spectrum: Reference count VLAN entries")
      Signed-off-by: Petr Machata <petrm@mellanox.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: spectrum_router: Align with new route replace logic · ce45bded
      Committed by Ido Schimmel
      Commit f34436a4 ("net/ipv6: Simplify route replace and appending
      into multipath route") changed the IPv6 route replace logic so that the
      first matching route (i.e., same metric) is replaced.
      
      Have mlxsw replace the first matching route as well.
      
      Fixes: f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route")
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: spectrum_router: Allow appending to dev-only routes · 53b562df
      Committed by Ido Schimmel
      Commit f34436a4 ("net/ipv6: Simplify route replace and appending
      into multipath route") changed the IPv6 route append logic so that
      dev-only routes can be appended and not only gatewayed routes.
      
      Align mlxsw with the new behaviour.
      
      Fixes: f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route")
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: Only emit append events for appended routes · 6eba08c3
      Committed by Ido Schimmel
      Current code will emit an append event in the FIB notification chain for
      any route added with NLM_F_APPEND set, even if the route was not
      appended to any existing route.
      
      This is inconsistent with IPv4 where such an event is only emitted when
      the new route is appended after an existing one.
      
      Align IPv6 behavior with IPv4, thereby allowing listeners to more easily
      handle these events.
      
      Fixes: f34436a4 ("net/ipv6: Simplify route replace and appending into multipath route")
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mac80211-for-davem-2018-06-15' of... · 41f9ba67
      Committed by David S. Miller
      Merge tag 'mac80211-for-davem-2018-06-15' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A handful of fixes:
       * missing RCU grace period enforcement led to drivers freeing
         data structures before; fix from Dedy Lansky.
       * hwsim module init error paths were messed up; fixed it myself
         after a report from Colin King (who had sent a partial patch)
       * kernel-doc tag errors; fix from Luca Coelho
       * initialize the on-stack sinfo data structure when getting
         station information; fix from Sven Eckelmann
       * TXQ state dumping is now done from init, and when TXQs aren't
         initialized yet at that point, bad things happen, move the
         initialization; fix from Toke Høiland-Jørgensen.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • stmmac: added support for 802.1ad vlan stripping · ab188e8f
      Committed by Elad Nachman
      stmmac reception handler calls stmmac_rx_vlan() to strip the vlan before
      calling napi_gro_receive().
      
      The function assumes VLAN tagged frames are always tagged with
      802.1Q protocol, and assigns ETH_P_8021Q to the skb by hard-coding
      the parameter on call to __vlan_hwaccel_put_tag().
      
      This causes packets not to be passed to the VLAN slave if it was created
      with 802.1AD protocol
      (ip link add link eth0 eth0.100 type vlan proto 802.1ad id 100).
      
      This fix passes the protocol from the VLAN header into
      __vlan_hwaccel_put_tag() instead of using the hard-coded value of
      ETH_P_8021Q.
      
      NETIF_F_HW_VLAN_STAG_RX check was added and the strip action is now
      dependent on the correct combination of features and the detected vlan tag.
      
      NETIF_F_HW_VLAN_STAG_RX feature was added to be in line with the driver
      actual abilities.

      Signed-off-by: Elad Nachman <eladn@gilat.com>
      Reviewed-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 15 June 2018, 20 commits
  3. 14 June 2018, 1 commit
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 60d061e3
      Committed by David S. Miller
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter patches for your net tree:
      
      1) Fix NULL pointer dereference from nf_nat_decode_session() if NAT is
         not loaded, from Prashant Bhole.
      
      2) Fix socket extension module autoload.
      
      3) Don't bogusly reject sets with the NFT_SET_EVAL flag set on from
         the dynset extension.
      
      4) Fix races with nf_tables module removal and netns exit path,
         patches from Florian Westphal.
      
      5) Don't hit BUG_ON if jumpstack goes too deep, instead hit
         WARN_ON_ONCE, from Taehee Yoo.
      
      6) Another NULL pointer dereference from ctnetlink, again if NAT is
         not loaded, from Florian Westphal.
      
      7) Fix x_tables match list corruption in xt_connmark module removal
         path, also from Florian.
      
      8) nf_conncount doesn't properly deal with conntrack zones, hence
         garbage collector may get rid of entries in a different zone.
         From Yi-Hung Wei.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 13 June 2018, 8 commits