1. 18 3月, 2018 7 次提交
    • D
      net/sched: fix NULL dereference in the error path of tunnel_key_init() · abdadd3c
      Davide Caratti 提交于
      when the following command
      
       # tc action add action tunnel_key unset index 100
      
      is run for the first time, and tunnel_key_init() fails to allocate struct
      tcf_tunnel_key_params, tunnel_key_release() dereferences NULL pointers.
      This causes the following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
       IP: tunnel_key_release+0xd/0x40 [act_tunnel_key]
       PGD 8000000033787067 P4D 8000000033787067 PUD 74646067 PMD 0
       Oops: 0000 [#1] SMP PTI
       Modules linked in: act_tunnel_key(E) act_csum ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul snd_hda_codec_generic ghash_clmulni_intel snd_hda_intel pcbc snd_hda_codec snd_hda_core snd_hwdep snd_seq aesni_intel snd_seq_device crypto_simd glue_helper snd_pcm cryptd joydev snd_timer pcspkr virtio_balloon snd i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_net virtio_blk drm virtio_console crc32c_intel ata_piix serio_raw i2c_core virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod
       CPU: 2 PID: 3101 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:tunnel_key_release+0xd/0x40 [act_tunnel_key]
       RSP: 0018:ffffba46803b7768 EFLAGS: 00010286
       RAX: ffffffffc09010a0 RBX: 0000000000000000 RCX: 0000000000000024
       RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99ee336d7480
       RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
       R10: 0000000000000220 R11: ffff99ee79d73131 R12: 0000000000000000
       R13: ffff99ee32d67610 R14: ffff99ee7671dc38 R15: 00000000fffffff4
       FS:  00007febcb2cd740(0000) GS:ffff99ee7fd00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000010 CR3: 000000007c8e4005 CR4: 00000000001606e0
       Call Trace:
        __tcf_idr_release+0x79/0xf0
        tunnel_key_init+0xd9/0x460 [act_tunnel_key]
        tcf_action_init_1+0x2cc/0x430
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.28+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        __sys_sendmsg+0x51/0x90
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7febca6deba0
       RSP: 002b:00007ffe7b0dd128 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007ffe7b0dd250 RCX: 00007febca6deba0
       RDX: 0000000000000000 RSI: 00007ffe7b0dd1a0 RDI: 0000000000000003
       RBP: 000000005aaa90cb R08: 0000000000000002 R09: 0000000000000000
       R10: 00007ffe7b0dcba0 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007ffe7b0dd264 R14: 0000000000000001 R15: 0000000000669f60
       Code: 44 00 00 8b 0d b5 23 00 00 48 8b 87 48 10 00 00 48 8b 3c c8 e9 a5 e5 d8 c3 0f 1f 44 00 00 0f 1f 44 00 00 53 48 8b 9f b0 00 00 00 <83> 7b 10 01 74 0b 48 89 df 31 f6 5b e9 f2 fa 7f c3 48 8b 7b 18
       RIP: tunnel_key_release+0xd/0x40 [act_tunnel_key] RSP: ffffba46803b7768
       CR2: 0000000000000010
      
      Fix this in tunnel_key_release(), ensuring 'param' is not NULL before
      dereferencing it.
      
      Fixes: d0f6dd8a ("net/sched: Introduce act_tunnel_key")
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      abdadd3c
    • D
      net/sched: fix NULL dereference in the error path of tcf_csum_init() · aab378a7
      Davide Caratti 提交于
      when the following command
      
       # tc action add action csum udp continue index 100
      
      is run for the first time, and tcf_csum_init() fails allocating struct
      tcf_csum, tcf_csum_cleanup() calls kfree_rcu(NULL,...). This causes the
      following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
       IP: __call_rcu+0x23/0x2b0
       PGD 80000000740b4067 P4D 80000000740b4067 PUD 32e7f067 PMD 0
       Oops: 0002 [#1] SMP PTI
       Modules linked in: act_csum(E) act_vlan ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer aesni_intel crypto_simd glue_helper cryptd snd joydev pcspkr virtio_balloon i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console ata_piix crc32c_intel libata virtio_pci serio_raw i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_vlan]
       CPU: 2 PID: 5763 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:__call_rcu+0x23/0x2b0
       RSP: 0018:ffffb275803e77c0 EFLAGS: 00010246
       RAX: ffffffffc057b080 RBX: ffff9674bc6f5240 RCX: 00000000ffffffff
       RDX: ffffffff928a5f00 RSI: 0000000000000008 RDI: 0000000000000008
       RBP: 0000000000000008 R08: 0000000000000001 R09: 0000000000000044
       R10: 0000000000000220 R11: ffff9674b9ab4821 R12: 0000000000000000
       R13: ffffffff928a5f00 R14: 0000000000000000 R15: 0000000000000001
       FS:  00007fa6368d8740(0000) GS:ffff9674bfd00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000010 CR3: 0000000073dec001 CR4: 00000000001606e0
       Call Trace:
        __tcf_idr_release+0x79/0xf0
        tcf_csum_init+0xfb/0x180 [act_csum]
        tcf_action_init_1+0x2cc/0x430
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.28+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        ? filemap_map_pages+0x34a/0x3a0
        ? __handle_mm_fault+0xbfd/0xe20
        __sys_sendmsg+0x51/0x90
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7fa635ce9ba0
       RSP: 002b:00007ffc185b0fc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007ffc185b10f0 RCX: 00007fa635ce9ba0
       RDX: 0000000000000000 RSI: 00007ffc185b1040 RDI: 0000000000000003
       RBP: 000000005aaa85e0 R08: 0000000000000002 R09: 0000000000000000
       R10: 00007ffc185b0a20 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007ffc185b1104 R14: 0000000000000001 R15: 0000000000669f60
       Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
       RIP: __call_rcu+0x23/0x2b0 RSP: ffffb275803e77c0
       CR2: 0000000000000010
      
      fix this in tcf_csum_cleanup(), ensuring that kfree_rcu(param, ...) is
      called only when param is not NULL.
      
      Fixes: 9c5f69bb ("net/sched: act_csum: don't use spinlock in the fast path")
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aab378a7
    • D
      net/sched: fix NULL dereference in the error path of tcf_vlan_init() · 1edf8abe
      Davide Caratti 提交于
      when the following command
      
       # tc actions replace action vlan pop index 100
      
      is run for the first time, and tcf_vlan_init() fails allocating struct
      tcf_vlan_params, tcf_vlan_cleanup() calls kfree_rcu(NULL, ...). This causes
      the following error:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
       IP: __call_rcu+0x23/0x2b0
       PGD 80000000760a2067 P4D 80000000760a2067 PUD 742c1067 PMD 0
       Oops: 0002 [#1] SMP PTI
       Modules linked in: act_vlan(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel mbcache snd_hda_codec jbd2 snd_hda_core crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev soundcore virtio_balloon pcspkr i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_console virtio_blk virtio_net ata_piix crc32c_intel libata virtio_pci i2c_core virtio_ring serio_raw virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_vlan]
       CPU: 3 PID: 3119 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:__call_rcu+0x23/0x2b0
       RSP: 0018:ffffaac3005fb798 EFLAGS: 00010246
       RAX: ffffffffc0704080 RBX: ffff97f2b4bbe900 RCX: 00000000ffffffff
       RDX: ffffffffabca5f00 RSI: 0000000000000010 RDI: 0000000000000010
       RBP: 0000000000000010 R08: 0000000000000001 R09: 0000000000000044
       R10: 00000000fd003000 R11: ffff97f2faab5b91 R12: 0000000000000000
       R13: ffffffffabca5f00 R14: ffff97f2fb80202c R15: 00000000fffffff4
       FS:  00007f68f75b4740(0000) GS:ffff97f2ffd80000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000018 CR3: 0000000072b52001 CR4: 00000000001606e0
       Call Trace:
        __tcf_idr_release+0x79/0xf0
        tcf_vlan_init+0x168/0x270 [act_vlan]
        tcf_action_init_1+0x2cc/0x430
        tcf_action_init+0xd3/0x1b0
        tc_ctl_action+0x18b/0x240
        rtnetlink_rcv_msg+0x29c/0x310
        ? _cond_resched+0x15/0x30
        ? __kmalloc_node_track_caller+0x1b9/0x270
        ? rtnl_calcit.isra.28+0x100/0x100
        netlink_rcv_skb+0xd2/0x110
        netlink_unicast+0x17c/0x230
        netlink_sendmsg+0x2cd/0x3c0
        sock_sendmsg+0x30/0x40
        ___sys_sendmsg+0x27a/0x290
        ? filemap_map_pages+0x34a/0x3a0
        ? __handle_mm_fault+0xbfd/0xe20
        __sys_sendmsg+0x51/0x90
        do_syscall_64+0x6e/0x1a0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
       RIP: 0033:0x7f68f69c5ba0
       RSP: 002b:00007fffd79c1118 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007fffd79c1240 RCX: 00007f68f69c5ba0
       RDX: 0000000000000000 RSI: 00007fffd79c1190 RDI: 0000000000000003
       RBP: 000000005aaa708e R08: 0000000000000002 R09: 0000000000000000
       R10: 00007fffd79c0ba0 R11: 0000000000000246 R12: 0000000000000000
       R13: 00007fffd79c1254 R14: 0000000000000001 R15: 0000000000669f60
       Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
       RIP: __call_rcu+0x23/0x2b0 RSP: ffffaac3005fb798
       CR2: 0000000000000018
      
      fix this in tcf_vlan_cleanup(), ensuring that kfree_rcu(p, ...) is called
      only when p is not NULL.
      
      Fixes: 4c5b9d96 ("act_vlan: VLAN action rewrite to use RCU lock/unlock and update")
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Acked-by: NManish Kurup <manish.kurup@verizon.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1edf8abe
    • S
      net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface · f9db5069
      SZ Lin (林上智) 提交于
      According to AM335x TRM[1] 14.3.6.2, AM437x TRM[2] 15.3.6.2 and
      DRA7 TRM[3] 24.11.4.8.7.3.3, in-band mode in EXT_EN(bit18) register is only
      available when PHY is configured in RGMII mode with 10Mbps speed. It will
      cause some networking issues without RGMII mode, such as carrier sense
      errors and low throughput. TI also mentioned this issue in their forum[4].
      
      This patch adds the check mechanism for PHY interface with RGMII interface
      type, the in-band mode can only be set in RGMII mode with 10Mbps speed.
      
      References:
      [1]: https://www.ti.com/lit/ug/spruh73p/spruh73p.pdf
      [2]: http://www.ti.com/lit/ug/spruhl7h/spruhl7h.pdf
      [3]: http://www.ti.com/lit/ug/spruic2b/spruic2b.pdf
      [4]: https://e2e.ti.com/support/arm/sitara_arm/f/791/p/640765/2392155Suggested-by: NHolsety Chen (陳憲輝) <Holsety.Chen@moxa.com>
      Signed-off-by: NSZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: NSchuyler Patton <spatton@ti.com>
      Reviewed-by: NGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f9db5069
    • M
      net: hns: Fix ethtool private flags · d61d263c
      Matthias Brugger 提交于
      The driver implementation returns support for private flags, while
      no private flags are present. When asked for the number of private
      flags it returns the number of statistic flag names.
      
      Fix this by returning EOPNOTSUPP for not implemented ethtool flags.
      Signed-off-by: NMatthias Brugger <mbrugger@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d61d263c
    • I
      mlxsw: spectrum_buffers: Set a minimum quota for CPU port traffic · bcdd5de8
      Ido Schimmel 提交于
      In commit 9ffcc372 ("mlxsw: spectrum: Allow packets to be trapped
      from any PG") I fixed a problem where packets could not be trapped to
      the CPU due to exceeded shared buffer quotas. The mentioned commit
      explains the problem in detail.
      
      The problem was fixed by assigning a minimum quota for the CPU port and
      the traffic class used for scheduling traffic to the CPU.
      
      However, commit 117b0dad ("mlxsw: Create a different trap group list
      for each device") assigned different traffic classes to different
      packet types and rendered the fix useless.
      
      Fix the problem by assigning a minimum quota for the CPU port and all
      the traffic classes that are currently in use.
      
      Fixes: 117b0dad ("mlxsw: Create a different trap group list for each device")
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Reported-by: NEddie Shklaer <eddies@mellanox.com>
      Tested-by: NEddie Shklaer <eddies@mellanox.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bcdd5de8
    • E
      net: sched: fix uses after free · cce6294c
      Eric Dumazet 提交于
      syzbot reported one use-after-free in pfifo_fast_enqueue() [1]
      
      Issue here is that we can not reuse skb after a successful skb_array_produce()
      since another cpu might have consumed it already.
      
      I believe a similar problem exists in try_bulk_dequeue_skb_slow()
      in case we put an skb into qdisc_enqueue_skb_bad_txq() for lockless qdisc.
      
      [1]
      BUG: KASAN: use-after-free in qdisc_pkt_len include/net/sch_generic.h:610 [inline]
      BUG: KASAN: use-after-free in qdisc_qstats_cpu_backlog_inc include/net/sch_generic.h:712 [inline]
      BUG: KASAN: use-after-free in pfifo_fast_enqueue+0x4bc/0x5e0 net/sched/sch_generic.c:639
      Read of size 4 at addr ffff8801cede37e8 by task syzkaller717588/5543
      
      CPU: 1 PID: 5543 Comm: syzkaller717588 Not tainted 4.16.0-rc4+ #265
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x24d lib/dump_stack.c:53
       print_address_description+0x73/0x250 mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report+0x23c/0x360 mm/kasan/report.c:412
       __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
       qdisc_pkt_len include/net/sch_generic.h:610 [inline]
       qdisc_qstats_cpu_backlog_inc include/net/sch_generic.h:712 [inline]
       pfifo_fast_enqueue+0x4bc/0x5e0 net/sched/sch_generic.c:639
       __dev_xmit_skb net/core/dev.c:3216 [inline]
      
      Fixes: c5ad119f ("net: sched: pfifo_fast use skb_array")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: syzbot+ed43b6903ab968b16f54@syzkaller.appspotmail.com
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc:	Cong Wang <xiyou.wangcong@gmail.com>
      Cc:	Jiri Pirko <jiri@resnulli.us>
      Acked-by: NJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cce6294c
  2. 17 3月, 2018 7 次提交
  3. 16 3月, 2018 7 次提交
    • A
      net/iucv: Free memory obtained by kzalloc · fa6a91e9
      Arvind Yadav 提交于
      Free memory by calling put_device(), if afiucv_iucv_init is not
      successful.
      Signed-off-by: NArvind Yadav <arvind.yadav.cs@gmail.com>
      Reviewed-by: NCornelia Huck <cohuck@redhat.com>
      Signed-off-by: NUrsula Braun <ursula.braun@de.ibm.com>
      Signed-off-by: NJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fa6a91e9
    • F
      net: systemport: Rewrite __bcm_sysport_tx_reclaim() · 484d802d
      Florian Fainelli 提交于
      There is no need for complex checking between the last consumed index
      and current consumed index, a simple subtraction will do.
      
      This also eliminates the possibility of a permanent transmit queue stall
      under the following conditions:
      
      - one CPU bursts ring->size worth of traffic (up to 256 buffers), to the
        point where we run out of free descriptors, so we stop the transmit
        queue at the end of bcm_sysport_xmit()
      
      - because of our locking, we have the transmit process disable
        interrupts which means we can be blocking the TX reclamation process
      
      - when TX reclamation finally runs, we will be computing the difference
        between ring->c_index (last consumed index by SW) and what the HW
        reports through its register
      
      - this register is masked with (ring->size - 1) = 0xff, which will lead
        to stripping the upper bits of the index (register is 16-bits wide)
      
      - we will be computing last_tx_cn as 0, which means there is no work to
        be done, and we never wake-up the transmit queue, leaving it
        permanently disabled
      
      A practical example is e.g: ring->c_index aka last_c_index = 12, we
      pushed 256 entries, HW consumer index = 268, we mask it with 0xff = 12,
      so last_tx_cn == 0, nothing happens.
      
      Fixes: 80105bef ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      484d802d
    • T
      kcm: lock lower socket in kcm_attach · 2cc683e8
      Tom Herbert 提交于
      Need to lock lower socket in order to provide mutual exclusion
      with kcm_unattach.
      
      v2: Add Reported-by for syzbot
      
      Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
      Reported-by: syzbot+ea75c0ffcd353d32515f064aaebefc5279e6161e@syzkaller.appspotmail.com
      Signed-off-by: NTom Herbert <tom@quantonium.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2cc683e8
    • D
      Merge branch 'vlan-untag-and-insert-fixes' · e693be29
      David S. Miller 提交于
      Toshiaki Makita says:
      
      ====================
      Fix vlan untag and insertion for bridge and vlan with reorder_hdr off
      
      As Brandon Carpenter reported[1], sending non-vlan-offloaded packets from
      bridge devices ends up with corrupted packets. He narrowed down this problem
      and found that the root cause is in skb_reorder_vlan_header().
      
      While I was working on fixing this problem, I found that the function does
      not work properly for double tagged packets with reorder_hdr off as well.
      
      Patch 1 fixes these 2 problems in skb_reorder_vlan_header().
      
      And it turned out that fixing skb_reorder_vlan_header() is not sufficient
      to receive double tagged packets with reorder_hdr off while I was testing the
      fix. Vlan tags got out of order when vlan devices with reorder_hdr disabled
      were stacked. Patch 2 fixes this problem.
      
      [1] https://www.spinics.net/lists/linux-ethernet-bridging/msg07039.html
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e693be29
    • T
      vlan: Fix out of order vlan headers with reorder header off · cbe7128c
      Toshiaki Makita 提交于
      With reorder header off, received packets are untagged in skb_vlan_untag()
      called from within __netif_receive_skb_core(), and later the tag will be
      inserted back in vlan_do_receive().
      
      This caused out of order vlan headers when we create a vlan device on top
      of another vlan device, because vlan_do_receive() inserts a tag as the
      outermost vlan tag. E.g. the outer tag is first removed in skb_vlan_untag()
      and inserted back in vlan_do_receive(), then the inner tag is next removed
      and inserted back as the outermost tag.
      
      This patch fixes the behaviour by inserting the inner tag at the right
      position.
      Signed-off-by: NToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cbe7128c
    • T
      net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off · 4bbb3e0e
      Toshiaki Makita 提交于
      When we have a bridge with vlan_filtering on and a vlan device on top of
      it, packets would be corrupted in skb_vlan_untag() called from
      br_dev_xmit().
      
      The problem sits in skb_reorder_vlan_header() used in skb_vlan_untag(),
      which makes use of skb->mac_len. In this function mac_len is meant for
      handling rx path with vlan devices with reorder_header disabled, but in
      tx path mac_len is typically 0 and cannot be used, which is the problem
      in this case.
      
      The current code even does not properly handle rx path (skb_vlan_untag()
      called from __netif_receive_skb_core()) with reorder_header off actually.
      
      In rx path single tag case, it works as follows:
      
      - Before skb_reorder_vlan_header()
      
       mac_header                                data
         v                                        v
         +-------------------+-------------+------+----
         |        ETH        |    VLAN     | ETH  |
         |       ADDRS       | TPID | TCI  | TYPE |
         +-------------------+-------------+------+----
         <-------- mac_len --------->
                             <------------->
                              to be removed
      
      - After skb_reorder_vlan_header()
      
                  mac_header                     data
                       v                          v
                       +-------------------+------+----
                       |        ETH        | ETH  |
                       |       ADDRS       | TYPE |
                       +-------------------+------+----
                       <-------- mac_len --------->
      
      This is ok, but in rx double tag case, it corrupts packets:
      
      - Before skb_reorder_vlan_header()
      
       mac_header                                              data
         v                                                      v
         +-------------------+-------------+-------------+------+----
         |        ETH        |    VLAN     |    VLAN     | ETH  |
         |       ADDRS       | TPID | TCI  | TPID | TCI  | TYPE |
         +-------------------+-------------+-------------+------+----
         <--------------- mac_len ---------------->
                                           <------------->
                                          should be removed
                             <--------------------------->
                               actually will be removed
      
      - After skb_reorder_vlan_header()
      
                  mac_header                                   data
                       v                                        v
                                     +-------------------+------+----
                                     |        ETH        | ETH  |
                                     |       ADDRS       | TYPE |
                                     +-------------------+------+----
                       <--------------- mac_len ---------------->
      
      So, two of vlan tags are both removed while only inner one should be
      removed and mac_header (and mac_len) is broken.
      
      skb_vlan_untag() is meant for removing the vlan header at (skb->data - 2),
      so use skb->data and skb->mac_header to calculate the right offset.
      Reported-by: NBrandon Carpenter <brandon.carpenter@cypherpath.com>
      Fixes: a6e18ff1 ("vlan: Fix untag operations of stacked vlans with REORDER_HEADER off")
      Signed-off-by: NToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4bbb3e0e
    • R
      net sched actions: return explicit error when tunnel_key mode is not specified · 51d4740f
      Roman Mashak 提交于
      If set/unset mode of the tunnel_key action is not provided, ->init() still
      returns 0, and the caller proceeds with bogus 'struct tc_action *' object,
      this results in crash:
      
      % tc actions add action tunnel_key src_ip 1.1.1.1 dst_ip 2.2.2.1 id 7 index 1
      
      [   35.805515] general protection fault: 0000 [#1] SMP PTI
      [   35.806161] Modules linked in: act_tunnel_key kvm_intel kvm irqbypass
      crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64
      crypto_simd glue_helper cryptd serio_raw
      [   35.808233] CPU: 1 PID: 428 Comm: tc Not tainted 4.16.0-rc4+ #286
      [   35.808929] RIP: 0010:tcf_action_init+0x90/0x190
      [   35.809457] RSP: 0018:ffffb8edc068b9a0 EFLAGS: 00010206
      [   35.810053] RAX: 1320c000000a0003 RBX: 0000000000000001 RCX: 0000000000000000
      [   35.810866] RDX: 0000000000000070 RSI: 0000000000007965 RDI: ffffb8edc068b910
      [   35.811660] RBP: ffffb8edc068b9d0 R08: 0000000000000000 R09: ffffb8edc068b808
      [   35.812463] R10: ffffffffc02bf040 R11: 0000000000000040 R12: ffffb8edc068bb38
      [   35.813235] R13: 0000000000000000 R14: 0000000000000000 R15: ffffb8edc068b910
      [   35.814006] FS:  00007f3d0d8556c0(0000) GS:ffff91d1dbc40000(0000)
      knlGS:0000000000000000
      [   35.814881] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   35.815540] CR2: 000000000043f720 CR3: 0000000019248001 CR4: 00000000001606a0
      [   35.816457] Call Trace:
      [   35.817158]  tc_ctl_action+0x11a/0x220
      [   35.817795]  rtnetlink_rcv_msg+0x23d/0x2e0
      [   35.818457]  ? __slab_alloc+0x1c/0x30
      [   35.819079]  ? __kmalloc_node_track_caller+0xb1/0x2b0
      [   35.819544]  ? rtnl_calcit.isra.30+0xe0/0xe0
      [   35.820231]  netlink_rcv_skb+0xce/0x100
      [   35.820744]  netlink_unicast+0x164/0x220
      [   35.821500]  netlink_sendmsg+0x293/0x370
      [   35.822040]  sock_sendmsg+0x30/0x40
      [   35.822508]  ___sys_sendmsg+0x2c5/0x2e0
      [   35.823149]  ? pagecache_get_page+0x27/0x220
      [   35.823714]  ? filemap_fault+0xa2/0x640
      [   35.824423]  ? page_add_file_rmap+0x108/0x200
      [   35.825065]  ? alloc_set_pte+0x2aa/0x530
      [   35.825585]  ? finish_fault+0x4e/0x70
      [   35.826140]  ? __handle_mm_fault+0xbc1/0x10d0
      [   35.826723]  ? __sys_sendmsg+0x41/0x70
      [   35.827230]  __sys_sendmsg+0x41/0x70
      [   35.827710]  do_syscall_64+0x68/0x120
      [   35.828195]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      [   35.828859] RIP: 0033:0x7f3d0ca4da67
      [   35.829331] RSP: 002b:00007ffc9f284338 EFLAGS: 00000246 ORIG_RAX:
      000000000000002e
      [   35.830304] RAX: ffffffffffffffda RBX: 00007ffc9f284460 RCX: 00007f3d0ca4da67
      [   35.831247] RDX: 0000000000000000 RSI: 00007ffc9f2843b0 RDI: 0000000000000003
      [   35.832167] RBP: 000000005aa6a7a9 R08: 0000000000000001 R09: 0000000000000000
      [   35.833075] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
      [   35.833997] R13: 00007ffc9f2884c0 R14: 0000000000000001 R15: 0000000000674640
      [   35.834923] Code: 24 30 bb 01 00 00 00 45 31 f6 eb 5e 8b 50 08 83 c2 07 83 e2
      fc 83 c2 70 49 8b 07 48 8b 40 70 48 85 c0 74 10 48 89 14 24 4c 89 ff <ff> d0 48
      8b 14 24 48 01 c2 49 01 d6 45 85 ed 74 05 41 83 47 2c
      [   35.837442] RIP: tcf_action_init+0x90/0x190 RSP: ffffb8edc068b9a0
      [   35.838291] ---[ end trace a095c06ee4b97a26 ]---
      
      Fixes: d0f6dd8a ("net/sched: Introduce act_tunnel_key")
      Signed-off-by: NRoman Mashak <mrv@mojatatu.com>
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51d4740f
  4. 15 3月, 2018 12 次提交
  5. 14 3月, 2018 2 次提交
  6. 13 3月, 2018 5 次提交
    • D
      qed: Use after free in qed_rdma_free() · f89782c2
      Dan Carpenter 提交于
      We're dereferencing "p_hwfn->p_rdma_info" but that is freed on the line
      before in qed_rdma_resc_free(p_hwfn).
      
      Fixes: 9de506a5 ("qed: Free RoCE ILT Memory on rmmod qedr")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: NMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f89782c2
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · d2ddf628
      David S. Miller 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2018-03-13
      
      1) Refuse to insert 32 bit userspace socket policies on 64
         bit systems like we do it for standard policies. We don't
         have a compat layer, so inserting socket policies from
         32 bit userspace will lead to a broken configuration.
      
      2) Make the policy hold queue work without the flowcache.
         Dummy bundles are not chached anymore, so we need to
         generate a new one on each lookup as long as the SAs
         are not yet in place.
      
      3) Fix the validation of the esn replay attribute. The
         The sanity check in verify_replay() is bypassed if
         the XFRM_STATE_ESN flag is not set. Fix this by doing
         the sanity check uncoditionally.
         From Florian Westphal.
      
      4) After most of the dst_entry garbage collection code
         is removed, we may leak xfrm_dst entries as they are
         neither cached nor tracked somewhere. Fix this by
         reusing the 'uncached_list' to track xfrm_dst entries
         too. From Xin Long.
      
      5) Fix a rcu_read_lock/rcu_read_unlock imbalance in
         xfrm_get_tos() From Xin Long.
      
      6) Fix an infinite loop in xfrm_get_dst_nexthop. On
         transport mode we fetch the child dst_entry after
         we continue, so this pointer is never updated.
         Fix this by fetching it before we continue.
      
      7) Fix ESN sequence number gap after IPsec GSO packets.
          We accidentally increment the sequence number counter
          on the xfrm_state by one packet too much in the ESN
          case. Fix this by setting the sequence number to the
          correct value.
      
      8) Reset the ethernet protocol after decapsulation only if a
         mac header was set. Otherwise it breaks configurations
         with TUN devices. From Yossi Kuperman.
      
      9) Fix __this_cpu_read() usage in preemptible code. Use
         this_cpu_read() instead in ipcomp_alloc_tfms().
         From Greg Hackmann.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d2ddf628
    • G
      net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() · 0dcd7876
      Greg Hackmann 提交于
      f7c83bcb ("net: xfrm: use __this_cpu_read per-cpu helper") added a
      __this_cpu_read() call inside ipcomp_alloc_tfms().
      
      At the time, __this_cpu_read() required the caller to either not care
      about races or to handle preemption/interrupt issues.  3.15 tightened
      the rules around some per-cpu operations, and now __this_cpu_read()
      should never be used in a preemptible context.  On 3.15 and later, we
      need to use this_cpu_read() instead.
      
      syzkaller reported this leading to the following kernel BUG while
      fuzzing sendmsg:
      
      BUG: using __this_cpu_read() in preemptible [00000000] code: repro/3101
      caller is ipcomp_init_state+0x185/0x990
      CPU: 3 PID: 3101 Comm: repro Not tainted 4.16.0-rc4-00123-g86f84779 #154
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      Call Trace:
       dump_stack+0xb9/0x115
       check_preemption_disabled+0x1cb/0x1f0
       ipcomp_init_state+0x185/0x990
       ? __xfrm_init_state+0x876/0xc20
       ? lock_downgrade+0x5e0/0x5e0
       ipcomp4_init_state+0xaa/0x7c0
       __xfrm_init_state+0x3eb/0xc20
       xfrm_init_state+0x19/0x60
       pfkey_add+0x20df/0x36f0
       ? pfkey_broadcast+0x3dd/0x600
       ? pfkey_sock_destruct+0x340/0x340
       ? pfkey_seq_stop+0x80/0x80
       ? __skb_clone+0x236/0x750
       ? kmem_cache_alloc+0x1f6/0x260
       ? pfkey_sock_destruct+0x340/0x340
       ? pfkey_process+0x62a/0x6f0
       pfkey_process+0x62a/0x6f0
       ? pfkey_send_new_mapping+0x11c0/0x11c0
       ? mutex_lock_io_nested+0x1390/0x1390
       pfkey_sendmsg+0x383/0x750
       ? dump_sp+0x430/0x430
       sock_sendmsg+0xc0/0x100
       ___sys_sendmsg+0x6c8/0x8b0
       ? copy_msghdr_from_user+0x3b0/0x3b0
       ? pagevec_lru_move_fn+0x144/0x1f0
       ? find_held_lock+0x32/0x1c0
       ? do_huge_pmd_anonymous_page+0xc43/0x11e0
       ? lock_downgrade+0x5e0/0x5e0
       ? get_kernel_page+0xb0/0xb0
       ? _raw_spin_unlock+0x29/0x40
       ? do_huge_pmd_anonymous_page+0x400/0x11e0
       ? __handle_mm_fault+0x553/0x2460
       ? __fget_light+0x163/0x1f0
       ? __sys_sendmsg+0xc7/0x170
       __sys_sendmsg+0xc7/0x170
       ? SyS_shutdown+0x1a0/0x1a0
       ? __do_page_fault+0x5a0/0xca0
       ? lock_downgrade+0x5e0/0x5e0
       SyS_sendmsg+0x27/0x40
       ? __sys_sendmsg+0x170/0x170
       do_syscall_64+0x19f/0x640
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x7f0ee73dfb79
      RSP: 002b:00007ffe14fc15a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0ee73dfb79
      RDX: 0000000000000000 RSI: 00000000208befc8 RDI: 0000000000000004
      RBP: 00007ffe14fc15b0 R08: 00007ffe14fc15c0 R09: 00007ffe14fc15c0
      R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000400440
      R13: 00007ffe14fc16b0 R14: 0000000000000000 R15: 0000000000000000
      Signed-off-by: NGreg Hackmann <ghackmann@google.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      0dcd7876
    • F
      net: dsa: Fix dsa_is_user_port() test inversion · 5a9f8df6
      Florian Fainelli 提交于
      During the conversion to dsa_is_user_port(), a condition ended up being
      reversed, which would prevent the creation of any user port when using
      the legacy binding and/or platform data, fix that.
      
      Fixes: 4a5b85ff ("net: dsa: use dsa_is_user_port everywhere")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5a9f8df6
    • D
      Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · 59bb8835
      David S. Miller 提交于
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Updates 2018-03-12
      
      This series contains fixes to e1000e only.
      
      Benjamin Poirier provides two fixes, first reverts commits that changed
      what happens to the link status when there is an error.  These commits
      were to resolve a race condition, but in the process of fixing the race
      condition, they changed the behavior when an error occurred.  Second fix
      resolves a race condition by not setting "get_link_status" to false
      after checking the link.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      59bb8835