1. 12 4月, 2017 4 次提交
    • J
      net: xdp: don't export dev_change_xdp_fd() · df7dd8fc
      Johannes Berg 提交于
      Since dev_change_xdp_fd() is only used in rtnetlink, which must
      be built-in, there's no reason to export dev_change_xdp_fd().
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Acked-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df7dd8fc
    • D
      Merge branch 'bridge-register-netdev-before-changelink' · fc9c89b1
      David S. Miller 提交于
      Ido Schimmel says:
      
      ====================
      bridge: Fix kernel oops during bridge creation
      
      First patch adds a missing ndo_uninit() in the bridge driver, which is a
      prerequisite for the second patch that actually fixes the oops.
      
      Please consider both patches for 4.4.y, 4.9.y and 4.10.y
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fc9c89b1
    • I
      bridge: netlink: register netdevice before executing changelink · 5b8d5429
      Ido Schimmel 提交于
      Peter reported a kernel oops when executing the following command:
      
      $ ip link add name test type bridge vlan_default_pvid 1
      
      [13634.939408] BUG: unable to handle kernel NULL pointer dereference at
      0000000000000190
      [13634.939436] IP: __vlan_add+0x73/0x5f0
      [...]
      [13634.939783] Call Trace:
      [13634.939791]  ? pcpu_next_unpop+0x3b/0x50
      [13634.939801]  ? pcpu_alloc+0x3d2/0x680
      [13634.939810]  ? br_vlan_add+0x135/0x1b0
      [13634.939820]  ? __br_vlan_set_default_pvid.part.28+0x204/0x2b0
      [13634.939834]  ? br_changelink+0x120/0x4e0
      [13634.939844]  ? br_dev_newlink+0x50/0x70
      [13634.939854]  ? rtnl_newlink+0x5f5/0x8a0
      [13634.939864]  ? rtnl_newlink+0x176/0x8a0
      [13634.939874]  ? mem_cgroup_commit_charge+0x7c/0x4e0
      [13634.939886]  ? rtnetlink_rcv_msg+0xe1/0x220
      [13634.939896]  ? lookup_fast+0x52/0x370
      [13634.939905]  ? rtnl_newlink+0x8a0/0x8a0
      [13634.939915]  ? netlink_rcv_skb+0xa1/0xc0
      [13634.939925]  ? rtnetlink_rcv+0x24/0x30
      [13634.939934]  ? netlink_unicast+0x177/0x220
      [13634.939944]  ? netlink_sendmsg+0x2fe/0x3b0
      [13634.939954]  ? _copy_from_user+0x39/0x40
      [13634.939964]  ? sock_sendmsg+0x30/0x40
      [13634.940159]  ? ___sys_sendmsg+0x29d/0x2b0
      [13634.940326]  ? __alloc_pages_nodemask+0xdf/0x230
      [13634.940478]  ? mem_cgroup_commit_charge+0x7c/0x4e0
      [13634.940592]  ? mem_cgroup_try_charge+0x76/0x1a0
      [13634.940701]  ? __handle_mm_fault+0xdb9/0x10b0
      [13634.940809]  ? __sys_sendmsg+0x51/0x90
      [13634.940917]  ? entry_SYSCALL_64_fastpath+0x1e/0xad
      
      The problem is that the bridge's VLAN group is created after setting the
      default PVID, when registering the netdevice and executing its
      ndo_init().
      
      Fix this by changing the order of both operations, so that
      br_changelink() is only processed after the netdevice is registered,
      when the VLAN group is already initialized.
      
      Fixes: b6677449 ("bridge: netlink: call br_changelink() during br_dev_newlink()")
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Reported-by: NPeter V. Saveliev <peter@svinota.eu>
      Tested-by: NPeter V. Saveliev <peter@svinota.eu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5b8d5429
    • I
      bridge: implement missing ndo_uninit() · b6fe0440
      Ido Schimmel 提交于
      While the bridge driver implements an ndo_init(), it was missing a
      symmetric ndo_uninit(), causing the different de-initialization
      operations to be scattered around its dellink() and destructor().
      
      Implement a symmetric ndo_uninit() and remove the overlapping operations
      from its dellink() and destructor().
      
      This is a prerequisite for the next patch, as it allows us to have a
      proper cleanup upon changelink() failure during the bridge's newlink().
      
      Fixes: b6677449 ("bridge: netlink: call br_changelink() during br_dev_newlink()")
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6fe0440
  2. 11 4月, 2017 1 次提交
  3. 10 4月, 2017 1 次提交
    • E
      tcp: clear saved_syn in tcp_disconnect() · 17c3060b
      Eric Dumazet 提交于
      In the (very unlikely) case a passive socket becomes a listener,
      we do not want to duplicate its saved SYN headers.
      
      This would lead to double frees, use after free, and please hackers and
      various fuzzers
      
      Tested:
          0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
         +0 setsockopt(3, IPPROTO_TCP, TCP_SAVE_SYN, [1], 4) = 0
         +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
      
         +0 bind(3, ..., ...) = 0
         +0 listen(3, 5) = 0
      
         +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
         +0 > S. 0:0(0) ack 1 <...>
        +.1 < . 1:1(0) ack 1 win 257
         +0 accept(3, ..., ...) = 4
      
         +0 connect(4, AF_UNSPEC, ...) = 0
         +0 close(3) = 0
         +0 bind(4, ..., ...) = 0
         +0 listen(4, 5) = 0
      
         +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
         +0 > S. 0:0(0) ack 1 <...>
        +.1 < . 1:1(0) ack 1 win 257
      
      Fixes: cd8ae852 ("tcp: provide SYN headers for passive connections")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      17c3060b
  4. 08 4月, 2017 6 次提交
  5. 07 4月, 2017 6 次提交
    • X
      team: call netdev_change_features out of team lock · 16cf72bb
      Xin Long 提交于
      Commit f6988cb6 ("team: don't call netdev_change_features under
      team->lock") fixed the issue calling netdev_change_features under
      team->lock for team_compute_features.
      
      But there are still two places where it calls netdev_change_features
      under team->lock, team_port_add and team_port_del. It may cause a
      dead lock when the slave port with LRO enabled is added.
      
      This patch is to fix this dead lock by moving netdev_change_features
      out of team_port_add and team_port_del, and call it after unlocking
      the team lock.
      Reported-by: NPatrick Talbert <ptalbert@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      16cf72bb
    • X
      sctp: listen on the sock only when it's state is listening or closed · 34b2789f
      Xin Long 提交于
      Now sctp doesn't check sock's state before listening on it. It could
      even cause changing a sock with any state to become a listening sock
      when doing sctp_listen.
      
      This patch is to fix it by checking sock's state in sctp_listen, so
      that it will listen on the sock with right state.
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      34b2789f
    • O
      usbnet: make sure no NULL pointer is passed through · 6c22fce0
      Oliver Neukum 提交于
      Coverity reports:
      
      ** CID 751368:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/usbnet.c: 1925 in __usbnet_read_cmd()
      
      ________________________________________________________________________________________________________
      *** CID 751368:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/usbnet.c: 1925 in __usbnet_read_cmd()
      1919     EXPORT_SYMBOL(usbnet_link_change);
      1920
      1921     /*-------------------------------------------------------------------------*/
      1922     static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
      1923                                 u16 value, u16 index, void *data, u16 size)
      1924     {
      >>>     CID 751368:  Null pointer dereferences  (FORWARD_NULL)
      >>>     Assigning: "buf" = "NULL".
      1925            void *buf = NULL;
      1926            int err = -ENOMEM;
      1927
      1928            netdev_dbg(dev->net, "usbnet_read_cmd cmd=0x%02x reqtype=%02x"
      1929                       " value=0x%04x index=0x%04x size=%d\n",
      1930                       cmd, reqtype, value, index, size);
      
      ** CID 751370:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/usbnet.c: 1952 in __usbnet_write_cmd()
      
      ________________________________________________________________________________________________________
      *** CID 751370:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/usbnet.c: 1952 in __usbnet_write_cmd()
      1946     }
      1947
      1948     static int __usbnet_write_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
      1949                                  u16 value, u16 index, const void *data,
      1950                                  u16 size)
      1951     {
      >>>     CID 751370:  Null pointer dereferences  (FORWARD_NULL)
      >>>     Assigning: "buf" = "NULL".
      1952            void *buf = NULL;
      1953            int err = -ENOMEM;
      1954
      1955            netdev_dbg(dev->net, "usbnet_write_cmd cmd=0x%02x reqtype=%02x"
      1956                       " value=0x%04x index=0x%04x size=%d\n",
      1957                       cmd, reqtype, value, index, size);
      
      ** CID 1325026:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/ch9200.c: 143 in control_write()
      
      It is valid to offer commands without a buffer, but then you need a size
      of zero. This should actually be checked.
      Signed-off-by: NOliver Neukum <oneukum@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6c22fce0
    • W
      net_sched: check noop_qdisc before qdisc_hash_add() · 92f91706
      WANG Cong 提交于
      Dmitry reported a crash when injecting faults in
      attach_one_default_qdisc() and dev->qdisc is still
      a noop_disc, the check before qdisc_hash_add() fails
      to catch it because it tests NULL. We should test
      against noop_qdisc since it is the default qdisc
      at this point.
      
      Fixes: 59cc1f61 ("net: sched: convert qdisc linked list to hashtable")
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      92f91706
    • F
      net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given · a8801799
      Florian Larysch 提交于
      inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
      ip_route_input when iif is given. If a multipath route is present for
      the designated destination, ip_multipath_icmp_hash ends up being called,
      which uses the source/destination addresses within the skb to calculate
      a hash. However, those are not set in the synthetic skb, causing it to
      return an arbitrary and incorrect result.
      
      Instead, use UDP, which gets no such special treatment.
      Signed-off-by: NFlorian Larysch <fl@n621.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a8801799
    • D
  6. 06 4月, 2017 5 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · ea6b1720
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Reject invalid updates to netfilter expectation policies, from Pablo
          Neira Ayuso.
      
       2) Fix memory leak in nfnl_cthelper, from Jeffy Chen.
      
       3) Don't do stupid things if we get a neigh_probe() on a neigh entry
          whose ops lack a solicit method. From Eric Dumazet.
      
       4) Don't transmit packets in r8152 driver when the carrier is off, from
          Hayes Wang.
      
       5) Fix ipv6 packet type detection in aquantia driver, from Pavel
          Belous.
      
       6) Don't write uninitialized data into hw registers in bna driver, from
          Arnd Bergmann.
      
       7) Fix locking in ping_unhash(), from Eric Dumazet.
      
       8) Make BPF verifier range checks able to understand certain sequences
          emitted by LLVM, from Alexei Starovoitov.
      
       9) Fix use after free in ipconfig, from Mark Rutland.
      
      10) Fix refcount leak on force commit in openvswitch, from Jarno
          Rajahalme.
      
      11) Fix various overflow checks in AF_PACKET, from Andrey Konovalov.
      
      12) Fix endianness bug in be2net driver, from Suresh Reddy.
      
      13) Don't forget to wake TX queues when processing a timeout, from
          Grygorii Strashko.
      
      14) ARP header on-stack storage is wrong in flow dissector, from Simon
          Horman.
      
      15) Lost retransmit and reordering SNMP stats in TCP can be
          underreported. From Yuchung Cheng.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (82 commits)
        nfp: fix potential use after free on xdp prog
        tcp: fix reordering SNMP under-counting
        tcp: fix lost retransmit SNMP under-counting
        sctp: get sock from transport in sctp_transport_update_pmtu
        net: ethernet: ti: cpsw: fix race condition during open()
        l2tp: fix PPP pseudo-wire auto-loading
        bnx2x: fix spelling mistake in macros HW_INTERRUT_ASSERT_SET_*
        l2tp: take reference on sessions being dumped
        tcp: minimize false-positives on TCP/GRO check
        sctp: check for dst and pathmtu update in sctp_packet_config
        flow dissector: correct size of storage for ARP
        net: ethernet: ti: cpsw: wake tx queues on ndo_tx_timeout
        l2tp: take a reference on sessions used in genetlink handlers
        l2tp: hold session while sending creation notifications
        l2tp: fix duplicate session creation
        l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
        l2tp: fix race in l2tp_recv_common()
        sctp: use right in and out stream cnt
        bpf: add various verifier test cases for self-tests
        bpf, verifier: fix rejection of unaligned access checks for map_value_adj
        ...
      ea6b1720
    • J
      nfp: fix potential use after free on xdp prog · c383bdd1
      Jakub Kicinski 提交于
      We should unregister the net_device first, before we give back
      our reference on xdp_prog.  Otherwise xdp_prog may be freed
      before .ndo_stop() disabled the datapath.  Found by code inspection.
      
      Fixes: ecd63a02 ("nfp: add XDP support in the driver")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NSimon Horman <simon.horman@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c383bdd1
    • Y
      tcp: fix reordering SNMP under-counting · 2d2517ee
      Yuchung Cheng 提交于
      Currently the reordering SNMP counters only increase if a connection
      sees a higher degree then it has previously seen. It ignores if the
      reordering degree is not greater than the default system threshold.
      This significantly under-counts the number of reordering events
      and falsely convey that reordering is rare on the network.
      
      This patch properly and faithfully records the number of reordering
      events detected by the TCP stack, just like the comment says "this
      exciting event is worth to be remembered". Note that even so TCP
      still under-estimate the actual reordering events because TCP
      requires TS options or certain packet sequences to detect reordering
      (i.e. ACKing never-retransmitted sequence in recovery or disordered
       state).
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2d2517ee
    • Y
      tcp: fix lost retransmit SNMP under-counting · ecde8f36
      Yuchung Cheng 提交于
      The lost retransmit SNMP stat is under-counting retransmission
      that uses segment offloading. This patch fixes that so all
      retransmission related SNMP counters are consistent.
      
      Fixes: 10d3be56 ("tcp-tso: do not split TSO packets at retransmit time")
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ecde8f36
    • L
      Merge tag 'mfd-fixes-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd · aeb4a576
      Linus Torvalds 提交于
      Pull MFD bug fix from Lee Jones:
       "Increase buffer size om cros-ec to allow for SPI messages"
      
      * tag 'mfd-fixes-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
        mfd: cros-ec: Fix host command buffer size
      aeb4a576
  7. 05 4月, 2017 11 次提交
  8. 04 4月, 2017 6 次提交