1. 29 8月, 2017 9 次提交
  2. 26 8月, 2017 8 次提交
  3. 25 8月, 2017 14 次提交
  4. 24 8月, 2017 9 次提交
    • A
      netfilter: nf_tables: Fix nft limit burst handling · c26844ed
      andy zhou 提交于
      Current implementation treats the burst configuration the same as
      rate configuration. This can cause the per packet cost to be lower
      than configured. In effect, this bug causes the token bucket to be
      refilled at a higher rate than what user has specified.
      
      This patch changes the implementation so that the token bucket size
      is controlled by "rate + burst", while maintain the token bucket
      refill rate the same as user specified.
      
      Fixes: 96518518 ("netfilter: add nftables")
      Signed-off-by: NAndy Zhou <azhou@ovn.org>
      Acked-by: NJoe Stringer <joe@ovn.org>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      c26844ed
    • X
      netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info · ab6dd1be
      Xin Long 提交于
      Commit 4440a2ab ("netfilter: synproxy: Check oom when adding synproxy
      and seqadj ct extensions") wanted to drop the packet when it fails to add
      seqadj ext due to no memory by checking if nfct_seqadj_ext_add returns
      NULL.
      
      But that nfct_seqadj_ext_add returns NULL can also happen when seqadj ext
      already exists in a nf_conn. It will cause that userspace protocol doesn't
      work when both dnat and snat are configured.
      
      Li Shuang found this issue in the case:
      
      Topo:
         ftp client                   router                  ftp server
        10.167.131.2  <-> 10.167.131.254  10.167.141.254 <-> 10.167.141.1
      
      Rules:
        # iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j \
          DNAT --to-destination 10.167.141.1
        # iptables -t nat -A POSTROUTING -o eth2 -p tcp -m tcp --dport 21 -j \
          SNAT --to-source 10.167.141.254
      
      In router, when both dnat and snat are added, nf_nat_setup_info will be
      called twice. The packet can be dropped at the 2nd time for DNAT due to
      seqadj ext is already added at the 1st time for SNAT.
      
      This patch is to fix it by checking for seqadj ext existence before adding
      it, so that the packet will not be dropped if seqadj ext already exists.
      
      Note that as Florian mentioned, as a long term, we should review ext_add()
      behaviour, it's better to return a pointer to the existing ext instead.
      
      Fixes: 4440a2ab ("netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions")
      Reported-by: NLi Shuang <shuali@redhat.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      ab6dd1be
    • L
      iwlwifi: pcie: move rx workqueue initialization to iwl_trans_pcie_alloc() · 10a54d81
      Luca Coelho 提交于
      Work queues cannot be allocated when a mutex is held because the mutex
      may be in use and that would make it sleep.  Doing so generates the
      following splat with 4.13+:
      
      [   19.513298] ======================================================
      [   19.513429] WARNING: possible circular locking dependency detected
      [   19.513557] 4.13.0-rc5+ #6 Not tainted
      [   19.513638] ------------------------------------------------------
      [   19.513767] cpuhp/0/12 is trying to acquire lock:
      [   19.513867]  (&tz->lock){+.+.+.}, at: [<ffffffff924afebb>] thermal_zone_get_temp+0x5b/0xb0
      [   19.514047]
      [   19.514047] but task is already holding lock:
      [   19.514166]  (cpuhp_state){+.+.+.}, at: [<ffffffff91cc4baa>] cpuhp_thread_fun+0x3a/0x210
      [   19.514338]
      [   19.514338] which lock already depends on the new lock.
      
      This lock dependency already existed with previous kernel versions,
      but it was not detected until commit 49dfe2a6 ("cpuhotplug: Link
      lock stacks for hotplug callbacks") was introduced.
      Reported-by: NDavid Weinehall <david.weinehall@intel.com>
      Reported-by: NJiri Kosina <jikos@kernel.org>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      10a54d81
    • D
      Merge branch 'bnxt_en-bug-fixes' · d0273ef3
      David S. Miller 提交于
      Michael Chan says:
      
      ====================
      bnxt_en: bug fixes.
      
      3 bug fixes related to XDP ring accounting in bnxt_setup_tc(), freeing
      MSIX vectors when bnxt_re unregisters, and preserving the user-administered
      PF MAC address when disabling SRIOV.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d0273ef3
    • M
      bnxt_en: Do not setup MAC address in bnxt_hwrm_func_qcaps(). · a22a6ac2
      Michael Chan 提交于
      bnxt_hwrm_func_qcaps() is called during probe to get all device
      resources and it also sets up the factory MAC address.  The same function
      is called when SRIOV is disabled to reclaim all resources.  If
      the MAC address has been overridden by a user administered MAC
      address, calling this function will overwrite it.
      
      Separate the logic that sets up the default MAC address into a new
      function bnxt_init_mac_addr() that is only called during probe time.
      
      Fixes: 4a21b49b ("bnxt_en: Improve VF resource accounting.")
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a22a6ac2
    • M
      bnxt_en: Free MSIX vectors when unregistering the device from bnxt_re. · 146ed3c5
      Michael Chan 提交于
      Take back ownership of the MSIX vectors when unregistering the device
      from bnxt_re.
      
      Fixes: a588e458 ("bnxt_en: Add interface to support RDMA driver.")
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      146ed3c5
    • M
      bnxt_en: Fix .ndo_setup_tc() to include XDP rings. · 87e9b377
      Michael Chan 提交于
      When the number of TX rings is changed in bnxt_setup_tc(), we need to
      include the XDP rings in the total TX ring count.
      
      Fixes: 38413406 ("bnxt_en: Add support for XDP_TX action.")
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      87e9b377
    • J
      nfp: TX time stamp packets before HW doorbell is rung · 46f1c52e
      Jakub Kicinski 提交于
      TX completion may happen any time after HW queue was kicked.
      We can't access the skb afterwards.  Move the time stamping
      before ringing the doorbell.
      
      Fixes: 4c352362 ("net: add driver for Netronome NFP4000/NFP6000 NIC VFs")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: NSimon Horman <simon.horman@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      46f1c52e
    • S
      sctp: Avoid out-of-bounds reads from address storage · ee6c88bb
      Stefano Brivio 提交于
      inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
      sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
      to export diagnostic information to userspace.
      
      However, the memory allocated to store sockaddr information is
      smaller than that and depends on the address family, so we leak
      up to 100 uninitialized bytes to userspace. Just use the size of
      the source structs instead, in all the three cases this is what
      userspace expects. Zero out the remaining memory.
      
      Unused bytes (i.e. when IPv4 addresses are used) in source
      structs sctp_sockaddr_entry and sctp_transport are already
      cleared by sctp_add_bind_addr() and sctp_transport_new(),
      respectively.
      
      Noticed while testing KASAN-enabled kernel with 'ss':
      
      [ 2326.885243] BUG: KASAN: slab-out-of-bounds in inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag] at addr ffff881be8779800
      [ 2326.896800] Read of size 128 by task ss/9527
      [ 2326.901564] CPU: 0 PID: 9527 Comm: ss Not tainted 4.11.0-22.el7a.x86_64 #1
      [ 2326.909236] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
      [ 2326.917585] Call Trace:
      [ 2326.920312]  dump_stack+0x63/0x8d
      [ 2326.924014]  kasan_object_err+0x21/0x70
      [ 2326.928295]  kasan_report+0x288/0x540
      [ 2326.932380]  ? inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
      [ 2326.938500]  ? skb_put+0x8b/0xd0
      [ 2326.942098]  ? memset+0x31/0x40
      [ 2326.945599]  check_memory_region+0x13c/0x1a0
      [ 2326.950362]  memcpy+0x23/0x50
      [ 2326.953669]  inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
      [ 2326.959596]  ? inet_diag_msg_sctpasoc_fill+0x460/0x460 [sctp_diag]
      [ 2326.966495]  ? __lock_sock+0x102/0x150
      [ 2326.970671]  ? sock_def_wakeup+0x60/0x60
      [ 2326.975048]  ? remove_wait_queue+0xc0/0xc0
      [ 2326.979619]  sctp_diag_dump+0x44a/0x760 [sctp_diag]
      [ 2326.985063]  ? sctp_ep_dump+0x280/0x280 [sctp_diag]
      [ 2326.990504]  ? memset+0x31/0x40
      [ 2326.994007]  ? mutex_lock+0x12/0x40
      [ 2326.997900]  __inet_diag_dump+0x57/0xb0 [inet_diag]
      [ 2327.003340]  ? __sys_sendmsg+0x150/0x150
      [ 2327.007715]  inet_diag_dump+0x4d/0x80 [inet_diag]
      [ 2327.012979]  netlink_dump+0x1e6/0x490
      [ 2327.017064]  __netlink_dump_start+0x28e/0x2c0
      [ 2327.021924]  inet_diag_handler_cmd+0x189/0x1a0 [inet_diag]
      [ 2327.028045]  ? inet_diag_rcv_msg_compat+0x1b0/0x1b0 [inet_diag]
      [ 2327.034651]  ? inet_diag_dump_compat+0x190/0x190 [inet_diag]
      [ 2327.040965]  ? __netlink_lookup+0x1b9/0x260
      [ 2327.045631]  sock_diag_rcv_msg+0x18b/0x1e0
      [ 2327.050199]  netlink_rcv_skb+0x14b/0x180
      [ 2327.054574]  ? sock_diag_bind+0x60/0x60
      [ 2327.058850]  sock_diag_rcv+0x28/0x40
      [ 2327.062837]  netlink_unicast+0x2e7/0x3b0
      [ 2327.067212]  ? netlink_attachskb+0x330/0x330
      [ 2327.071975]  ? kasan_check_write+0x14/0x20
      [ 2327.076544]  netlink_sendmsg+0x5be/0x730
      [ 2327.080918]  ? netlink_unicast+0x3b0/0x3b0
      [ 2327.085486]  ? kasan_check_write+0x14/0x20
      [ 2327.090057]  ? selinux_socket_sendmsg+0x24/0x30
      [ 2327.095109]  ? netlink_unicast+0x3b0/0x3b0
      [ 2327.099678]  sock_sendmsg+0x74/0x80
      [ 2327.103567]  ___sys_sendmsg+0x520/0x530
      [ 2327.107844]  ? __get_locked_pte+0x178/0x200
      [ 2327.112510]  ? copy_msghdr_from_user+0x270/0x270
      [ 2327.117660]  ? vm_insert_page+0x360/0x360
      [ 2327.122133]  ? vm_insert_pfn_prot+0xb4/0x150
      [ 2327.126895]  ? vm_insert_pfn+0x32/0x40
      [ 2327.131077]  ? vvar_fault+0x71/0xd0
      [ 2327.134968]  ? special_mapping_fault+0x69/0x110
      [ 2327.140022]  ? __do_fault+0x42/0x120
      [ 2327.144008]  ? __handle_mm_fault+0x1062/0x17a0
      [ 2327.148965]  ? __fget_light+0xa7/0xc0
      [ 2327.153049]  __sys_sendmsg+0xcb/0x150
      [ 2327.157133]  ? __sys_sendmsg+0xcb/0x150
      [ 2327.161409]  ? SyS_shutdown+0x140/0x140
      [ 2327.165688]  ? exit_to_usermode_loop+0xd0/0xd0
      [ 2327.170646]  ? __do_page_fault+0x55d/0x620
      [ 2327.175216]  ? __sys_sendmsg+0x150/0x150
      [ 2327.179591]  SyS_sendmsg+0x12/0x20
      [ 2327.183384]  do_syscall_64+0xe3/0x230
      [ 2327.187471]  entry_SYSCALL64_slow_path+0x25/0x25
      [ 2327.192622] RIP: 0033:0x7f41d18fa3b0
      [ 2327.196608] RSP: 002b:00007ffc3b731218 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [ 2327.205055] RAX: ffffffffffffffda RBX: 00007ffc3b731380 RCX: 00007f41d18fa3b0
      [ 2327.213017] RDX: 0000000000000000 RSI: 00007ffc3b731340 RDI: 0000000000000003
      [ 2327.220978] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000040
      [ 2327.228939] R10: 00007ffc3b730f30 R11: 0000000000000246 R12: 0000000000000003
      [ 2327.236901] R13: 00007ffc3b731340 R14: 00007ffc3b7313d0 R15: 0000000000000084
      [ 2327.244865] Object at ffff881be87797e0, in cache kmalloc-64 size: 64
      [ 2327.251953] Allocated:
      [ 2327.254581] PID = 9484
      [ 2327.257215]  save_stack_trace+0x1b/0x20
      [ 2327.261485]  save_stack+0x46/0xd0
      [ 2327.265179]  kasan_kmalloc+0xad/0xe0
      [ 2327.269165]  kmem_cache_alloc_trace+0xe6/0x1d0
      [ 2327.274138]  sctp_add_bind_addr+0x58/0x180 [sctp]
      [ 2327.279400]  sctp_do_bind+0x208/0x310 [sctp]
      [ 2327.284176]  sctp_bind+0x61/0xa0 [sctp]
      [ 2327.288455]  inet_bind+0x5f/0x3a0
      [ 2327.292151]  SYSC_bind+0x1a4/0x1e0
      [ 2327.295944]  SyS_bind+0xe/0x10
      [ 2327.299349]  do_syscall_64+0xe3/0x230
      [ 2327.303433]  return_from_SYSCALL_64+0x0/0x6a
      [ 2327.308194] Freed:
      [ 2327.310434] PID = 4131
      [ 2327.313065]  save_stack_trace+0x1b/0x20
      [ 2327.317344]  save_stack+0x46/0xd0
      [ 2327.321040]  kasan_slab_free+0x73/0xc0
      [ 2327.325220]  kfree+0x96/0x1a0
      [ 2327.328530]  dynamic_kobj_release+0x15/0x40
      [ 2327.333195]  kobject_release+0x99/0x1e0
      [ 2327.337472]  kobject_put+0x38/0x70
      [ 2327.341266]  free_notes_attrs+0x66/0x80
      [ 2327.345545]  mod_sysfs_teardown+0x1a5/0x270
      [ 2327.350211]  free_module+0x20/0x2a0
      [ 2327.354099]  SyS_delete_module+0x2cb/0x2f0
      [ 2327.358667]  do_syscall_64+0xe3/0x230
      [ 2327.362750]  return_from_SYSCALL_64+0x0/0x6a
      [ 2327.367510] Memory state around the buggy address:
      [ 2327.372855]  ffff881be8779700: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
      [ 2327.380914]  ffff881be8779780: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
      [ 2327.388972] >ffff881be8779800: 00 00 00 00 fc fc fc fc fb fb fb fb fb fb fb fb
      [ 2327.397031]                                ^
      [ 2327.401792]  ffff881be8779880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
      [ 2327.409850]  ffff881be8779900: 00 00 00 00 00 04 fc fc fc fc fc fc 00 00 00 00
      [ 2327.417907] ==================================================================
      
      This fixes CVE-2017-7558.
      
      References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
      Fixes: 8f840e47 ("sctp: add the sctp_diag.c file")
      Cc: Xin Long <lucien.xin@gmail.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ee6c88bb