1. 07 4月, 2018 19 次提交
    • T
      MAINTAINERS: Update LEAKING_ADDRESSES · e875d33d
      Tobin C. Harding 提交于
      MAINTAINERS is out of date for leaking_addresses.pl. There is now a tree on
      kernel.org for development of this script.  We have a second maintainer now,
      thanks Tycho.  Development of this scripts was started on kernel-hardening
      mailing list so let's keep it there.
      
      Update maintainer details; Add mailing list, kernel.org hosted tree, and second
      maintainer.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      e875d33d
    • T
      leaking_addresses: check if file name contains address · c73dff59
      Tobin C. Harding 提交于
      Sometimes files may be created by using output from printk.  As the scan
      traverses the directory tree we should parse each path name and check if
      it is leaking an address.
      
      Add check for leaking address on each path name.
      Suggested-by: NTycho Andersen <tycho@tycho.ws>
      Acked-by: NTycho Andersen <tycho@tycho.ws>
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      c73dff59
    • T
      leaking_addresses: explicitly name variable used in regex · 2306a677
      Tobin C. Harding 提交于
      Currently sub routine may_leak_address() is checking regex against Perl
      special variable $_ which is _fortunately_ being set correctly in a loop
      before this sub routine is called.  We already have declared a variable
      to hold this value '$line' we should use it.
      
      Use $line in regex match instead of implicit $_
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      2306a677
    • T
      leaking_addresses: remove version number · 34827374
      Tobin C. Harding 提交于
      We have git now, we don't need a version number.  This was originally
      added because leaking_addresses.pl shamelessly (and mindlessly) copied
      checkpatch.pl
      
      Remove version number from script.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      34827374
    • T
      leaking_addresses: skip '/proc/1/syscall' · 2ad74293
      Tobin C. Harding 提交于
      The pointers listed in /proc/1/syscall are user pointers, and negative
      syscall args will show up like kernel addresses.
      
      For example
      
      /proc/31808/syscall: 0 0x3 0x55b107a38180 0x2000 0xffffffffffffffb0 \
      0x55b107a302d0 0x55b107a38180 0x7fffa313b8e8 0x7ff098560d11
      
      Skip parsing /proc/1/syscall
      Suggested-by: NTycho Andersen <tycho@tycho.ws>
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      2ad74293
    • T
      leaking_addresses: skip all /proc/PID except /proc/1 · 472c9e10
      Tobin C. Harding 提交于
      When the system is idle it is likely that most files under /proc/PID
      will be identical for various processes.  Scanning _all_ the PIDs under
      /proc is unnecessary and implies that we are thoroughly scanning /proc.
      This is _not_ the case because there may be ways userspace can trigger
      creation of /proc files that leak addresses but were not present during
      a scan.  For these two reasons we should exclude all PID directories
      under /proc except '1/'
      
      Exclude all /proc/PID except /proc/1.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      472c9e10
    • T
      leaking_addresses: cache architecture name · 5e4bac34
      Tobin C. Harding 提交于
      Currently we are repeatedly calling `uname -m`.  This is causing the
      script to take a long time to run (more than 10 seconds to parse
      /proc/kallsyms).  We can use Perl state variables to cache the result of
      the first call to `uname -m`.  With this change in place the script
      scans the whole kernel in under a minute.
      
      Cache machine architecture in state variable.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      5e4bac34
    • T
      leaking_addresses: simplify path skipping · b401f56f
      Tobin C. Harding 提交于
      Currently script has multiple configuration arrays.  This is confusing,
      evident by the fact that a bunch of the entries are in the wrong place.
      We can simplify the code by just having a single array for absolute
      paths to skip and a single array for file names to skip wherever they
      appear in the scanned directory tree.  There are also currently multiple
      subroutines to handle the different arrays, we can reduce these to a
      single subroutine also.
      
      Simplify the path skipping code.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      b401f56f
    • T
      leaking_addresses: do not parse binary files · e2858cad
      Tobin C. Harding 提交于
      Currently script parses binary files.  Since we are scanning for
      readable kernel addresses there is no need to parse binary files.  We
      can use Perl to check if file is binary and skip parsing it if so.
      
      Do not parse binary files.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      e2858cad
    • T
      leaking_addresses: add 32-bit support · 1410fe4e
      Tobin C. Harding 提交于
      Currently script only supports x86_64 and ppc64.  It would be nice to be
      able to scan 32-bit machines also.  We can add support for 32-bit
      architectures by modifying how we check for false positives, taking
      advantage of the page offset used by the kernel, and using the correct
      regular expression.
      
      Support for 32-bit machines is enabled by the observation that the kernel
      addresses on 32-bit machines are larger [in value] than the page offset.
      We can use this to filter false positives when scanning the kernel for
      leaking addresses.
      
      Programmatic determination of the running architecture is not
      immediately obvious (current 32-bit machines return various strings from
      `uname -m`).  We therefore provide a flag to enable scanning of 32-bit
      kernels.  Also we can check the kernel config file for the offset and if
      not found default to 0xc0000000.  A command line option to parse in the
      page offset is also provided.  We do automatically detect architecture
      if running on ix86.
      
      Add support for 32-bit kernels.  Add a command line option for page
      offset.
      Suggested-by: NKaiwan N Billimoria <kaiwan.billimoria@gmail.com>
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      1410fe4e
    • T
      leaking_addresses: add is_arch() wrapper subroutine · 5eb0da05
      Tobin C. Harding 提交于
      Currently there is duplicate code when checking the architecture type.
      We can remove the duplication by implementing a wrapper function
      is_arch().
      
      Implement and use wrapper function is_arch().
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      5eb0da05
    • T
      leaking_addresses: use system command to get arch · 6efb7458
      Tobin C. Harding 提交于
      Currently script uses Perl to get the machine architecture. This can be
      erroneous since Perl uses the architecture of the machine that Perl was
      compiled on not the architecture of the running machine. We should use
      the systems `uname` command instead.
      
      Use `uname -m` instead of Perl to get the machine architecture.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      6efb7458
    • T
      leaking_addresses: add support for 5 page table levels · 2f042c93
      Tobin C. Harding 提交于
      Currently script only supports 4 page table levels because of the way
      the kernel address regular expression is crafted. We can do better than
      this. Using previously added support for kernel configuration options we
      can get the number of page table levels defined by
      CONFIG_PGTABLE_LEVELS. Using this value a correct regular expression can
      be crafted. This only supports 5 page tables on x86_64.
      
      Add support for 5 page table levels on x86_64.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      2f042c93
    • T
      leaking_addresses: add support for kernel config file · f9d2a42d
      Tobin C. Harding 提交于
      Features that rely on the ability to get kernel configuration options
      are ready to be implemented in script. In preparation for this we can
      add support for kernel config options as a separate patch to ease
      review.
      
      Add support for locating and parsing kernel configuration file.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      f9d2a42d
    • T
      leaking_addresses: add range check for vsyscall memory · 87e37588
      Tobin C. Harding 提交于
      Currently script checks only first and last address in the vsyscall
      memory range. We can do better than this. When checking for false
      positives against $match, we can convert $match to a hexadecimal value
      then check if it lies within the range of vsyscall addresses.
      
      Check whole range of vsyscall addresses when checking for false
      positive.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      87e37588
    • T
      leaking_addresses: indent dependant options · 15d60a35
      Tobin C. Harding 提交于
      A number of the command line options to script are dependant on the
      option --input-raw being set. If we indent these options it makes
      explicit this dependency.
      
      Indent options dependant on --input-raw.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      15d60a35
    • T
      leaking_addresses: remove command examples · 6145de83
      Tobin C. Harding 提交于
      Currently help output includes command examples. These were cute when we
      first started development of this script but are unnecessary.
      
      Remove command examples.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      6145de83
    • T
      leaking_addresses: remove mention of kptr_restrict · 20cdfb5f
      Tobin C. Harding 提交于
      leaking_addresses.pl can be run with kptr_restrict==0 now, we don't need
      the comment about setting kptr_restrict any more.
      
      Remove comment suggesting setting kptr_restrict.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      20cdfb5f
    • T
      leaking_addresses: fix typo function not called · 6d23dd9b
      Tobin C. Harding 提交于
      Currently code uses a check against an undefined variable because the
      variable is a sub routine name and is not evaluated.
      
      Evaluate subroutine; add parenthesis to sub routine name.
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      6d23dd9b
  2. 02 4月, 2018 1 次提交
  3. 01 4月, 2018 3 次提交
  4. 31 3月, 2018 14 次提交
    • L
      Merge tag 'kbuild-fixes-v4.16-3' of... · b5dbc287
      Linus Torvalds 提交于
      Merge tag 'kbuild-fixes-v4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - fix missed rebuild of TRIM_UNUSED_KSYMS
      
       - fix rpm-pkg for GNU tar >= 1.29
      
       - include scripts/dtc/include-prefixes/* to kernel header deb-pkg
      
       - add -no-integrated-as option ealier to fix building with Clang
      
       - fix netfilter Makefile for parallel building
      
      * tag 'kbuild-fixes-v4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        netfilter: nf_nat_snmp_basic: add correct dependency to Makefile
        kbuild: rpm-pkg: Support GNU tar >= 1.29
        builddeb: Fix header package regarding dtc source links
        kbuild: set no-integrated-as before incl. arch Makefile
        kbuild: make scripts/adjust_autoksyms.sh robust against timestamp races
      b5dbc287
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a44406ec
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix RCU locking in xfrm_local_error(), from Taehee Yoo.
      
       2) Fix return value assignments and thus error checking in
          iwl_mvm_start_ap_ibss(), from Johannes Berg.
      
       3) Don't count header length twice in vti4, from Stefano Brivio.
      
       4) Fix deadlock in rt6_age_examine_exception, from Eric Dumazet.
      
       5) Fix out-of-bounds access in nf_sk_lookup_slow{v4,v6}() from Subash
          Abhinov.
      
       6) Check nladdr size in netlink_connect(), from Alexander Potapenko.
      
       7) VF representor SQ numbers are 32 not 16 bits, in mlx5 driver, from
          Or Gerlitz.
      
       8) Out of bounds read in skb_network_protocol(), from Eric Dumazet.
      
       9) r8169 driver sets driver data pointer after register_netdev() which
          is too late. Fix from Heiner Kallweit.
      
      10) Fix memory leak in mlx4 driver, from Moshe Shemesh.
      
      11) The multi-VLAN decap fix added a regression when dealing with device
          that lack a MAC header, such as tun. Fix from Toshiaki Makita.
      
      12) Fix integer overflow in dynamic interrupt coalescing code. From Tal
          Gilboa.
      
      13) Use after free in vrf code, from David Ahern.
      
      14) IPV6 route leak between VRFs fix, also from David Ahern.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (81 commits)
        net: mvneta: fix enable of all initialized RXQs
        net/ipv6: Fix route leaking between VRFs
        vrf: Fix use after free and double free in vrf_finish_output
        ipv6: sr: fix seg6 encap performances with TSO enabled
        net/dim: Fix int overflow
        vlan: Fix vlan insertion for packets without ethernet header
        net: Fix untag for vlan packets without ethernet header
        atm: iphase: fix spelling mistake: "Receiverd" -> "Received"
        vhost: validate log when IOTLB is enabled
        qede: Do not drop rx-checksum invalidated packets.
        hv_netvsc: enable multicast if necessary
        ip_tunnel: Resolve ipsec merge conflict properly.
        lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)
        qede: Fix barrier usage after tx doorbell write.
        vhost: correctly remove wait queue during poll failure
        net/mlx4_core: Fix memory leak while delete slave's resources
        net/mlx4_en: Fix mixed PFC and Global pause user control requests
        net/smc: use announced length in sock_recvmsg()
        llc: properly handle dev_queue_xmit() return value
        strparser: Fix sign of err codes
        ...
      a44406ec
    • Y
      net: mvneta: fix enable of all initialized RXQs · e81b5e01
      Yelena Krivosheev 提交于
      In mvneta_port_up() we enable relevant RX and TX port queues by write
      queues bit map to an appropriate register.
      
      q_map must be ZERO in the beginning of this process.
      Signed-off-by: NYelena Krivosheev <yelena@marvell.com>
      Signed-off-by: NGregory CLEMENT <gregory.clement@bootlin.com>
      Acked-by: NThomas Petazzoni <thomas.petazzoni@bootlin.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e81b5e01
    • D
      net/ipv6: Fix route leaking between VRFs · b6cdbc85
      David Ahern 提交于
      Donald reported that IPv6 route leaking between VRFs is not working.
      The root cause is the strict argument in the call to rt6_lookup when
      validating the nexthop spec.
      
      ip6_route_check_nh validates the gateway and device (if given) of a
      route spec. It in turn could call rt6_lookup (e.g., lookup in a given
      table did not succeed so it falls back to a full lookup) and if so
      sets the strict argument to 1. That means if the egress device is given,
      the route lookup needs to return a result with the same device. This
      strict requirement does not work with VRFs (IPv4 or IPv6) because the
      oif in the flow struct is overridden with the index of the VRF device
      to trigger a match on the l3mdev rule and force the lookup to its table.
      
      The right long term solution is to add an l3mdev index to the flow
      struct such that the oif is not overridden. That solution will not
      backport well, so this patch aims for a simpler solution to relax the
      strict argument if the route spec device is an l3mdev slave. As done
      in other places, use the FLOWI_FLAG_SKIP_NH_OIF to know that the
      RT6_LOOKUP_F_IFACE flag needs to be removed.
      
      Fixes: ca254490 ("net: Add VRF support to IPv6 stack")
      Reported-by: NDonald Sharp <sharpd@cumulusnetworks.com>
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6cdbc85
    • D
      vrf: Fix use after free and double free in vrf_finish_output · 82dd0d2a
      David Ahern 提交于
      Miguel reported an skb use after free / double free in vrf_finish_output
      when neigh_output returns an error. The vrf driver should return after
      the call to neigh_output as it takes over the skb on error path as well.
      
      Patch is a simplified version of Miguel's patch which was written for 4.9,
      and updated to top of tree.
      
      Fixes: 8f58336d ("net: Add ethernet header for pass through VRF device")
      Signed-off-by: NMiguel Fadon Perlines <mfadon@teldat.com>
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      82dd0d2a
    • D
      ipv6: sr: fix seg6 encap performances with TSO enabled · 5807b22c
      David Lebrun 提交于
      Enabling TSO can lead to abysmal performances when using seg6 in
      encap mode, such as with the ixgbe driver. This patch adds a call to
      iptunnel_handle_offloads() to remove the encapsulation bit if needed.
      
      Before:
      root@comp4-seg6bpf:~# iperf3 -c fc00::55
      Connecting to host fc00::55, port 5201
      [  4] local fc45::4 port 36592 connected to fc00::55 port 5201
      [ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
      [  4]   0.00-1.00   sec   196 KBytes  1.60 Mbits/sec   47   6.66 KBytes
      [  4]   1.00-2.00   sec   304 KBytes  2.49 Mbits/sec  100   5.33 KBytes
      [  4]   2.00-3.00   sec   284 KBytes  2.32 Mbits/sec   92   5.33 KBytes
      
      After:
      root@comp4-seg6bpf:~# iperf3 -c fc00::55
      Connecting to host fc00::55, port 5201
      [  4] local fc45::4 port 43062 connected to fc00::55 port 5201
      [ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
      [  4]   0.00-1.00   sec  1.03 GBytes  8.89 Gbits/sec    0    743 KBytes
      [  4]   1.00-2.00   sec  1.03 GBytes  8.87 Gbits/sec    0    743 KBytes
      [  4]   2.00-3.00   sec  1.03 GBytes  8.87 Gbits/sec    0    743 KBytes
      Reported-by: NTom Herbert <tom@quantonium.net>
      Fixes: 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
      Signed-off-by: NDavid Lebrun <dlebrun@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5807b22c
    • L
      Merge tag 'ceph-for-4.16-rc8' of git://github.com/ceph/ceph-client · 9dd23268
      Linus Torvalds 提交于
      Pull ceph fix from Ilya Dryomov:
       "A fix for a dio-enabled loop on ceph deadlock from Zheng, marked for
        stable"
      
      * tag 'ceph-for-4.16-rc8' of git://github.com/ceph/ceph-client:
        ceph: only dirty ITER_IOVEC pages for direct read
      9dd23268
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 72573481
      Linus Torvalds 提交于
      Pull KVM fixes from Radim Krčmář:
       "PPC:
         - Fix a bug causing occasional machine check exceptions on POWER8
           hosts (introduced in 4.16-rc1)
      
        x86:
         - Fix a guest crashing regression with nested VMX and restricted
           guest (introduced in 4.16-rc1)
      
         - Fix dependency check for pv tlb flush (the wrong dependency that
           effectively disabled the feature was added in 4.16-rc4, the
           original feature in 4.16-rc1, so it got decent testing)"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Fix pv tlb flush dependencies
        KVM: nVMX: sync vmcs02 segment regs prior to vmx_set_cr0
        KVM: PPC: Book3S HV: Fix duplication of host SLB entries
      72573481
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · bd886137
      Linus Torvalds 提交于
      Pull i2c fix from Wolfram Sang:
       "A simple but worthwhile I2C driver fix for 4.16"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: i2c-stm32f7: fix no check on returned setup
      bd886137
    • L
      Merge tag 'sound-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · ef82f598
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "Very small fixes (all one-liners) at this time.
      
        One fix is for a PCM core stuff to correct the mmap behavior on
        non-x86. It doesn't show on most machines but mostly only for exotic
        non-interleaved formats"
      
      * tag 'sound-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: pcm: potential uninitialized return values
        ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
        ALSA: usb-audio: Add native DSD support for TEAC UD-301
      ef82f598
    • T
      net/dim: Fix int overflow · f97c3dc3
      Tal Gilboa 提交于
      When calculating difference between samples, the values
      are multiplied by 100. Large values may cause int overflow
      when multiplied (usually on first iteration).
      Fixed by forcing 100 to be of type unsigned long.
      
      Fixes: 4c4dbb4a ("net/mlx5e: Move dynamic interrupt coalescing code to include/linux")
      Signed-off-by: NTal Gilboa <talgi@mellanox.com>
      Reviewed-by: NAndy Gospodarek <gospo@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f97c3dc3
    • D
      Merge branch 'vlan-fix' · 52a9692a
      David S. Miller 提交于
      Toshiaki Makita says:
      
      ====================
      Fix vlan tag handling for vlan packets without ethernet headers
      
      Eric Dumazet reported syzbot found a new bug which leads to underflow of
      size argument of memmove(), causing crash[1]. This can be triggered by tun
      devices.
      
      The underflow happened because skb_vlan_untag() did not expect vlan packets
      without ethernet headers, and tun can produce such packets.
      I also checked vlan_insert_inner_tag() and found a similar bug.
      
      This series fixes these problems.
      
      [1] https://marc.info/?l=linux-netdev&m=152221753920510&w=2
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      52a9692a
    • T
      vlan: Fix vlan insertion for packets without ethernet header · c769accd
      Toshiaki Makita 提交于
      In some situation vlan packets do not have ethernet headers. One example
      is packets from tun devices. Users can specify vlan protocol in tun_pi
      field instead of IP protocol. When we have a vlan device with reorder_hdr
      disabled on top of the tun device, such packets from tun devices are
      untagged in skb_vlan_untag() and vlan headers will be inserted back in
      vlan_insert_inner_tag().
      
      vlan_insert_inner_tag() however did not expect packets without ethernet
      headers, so in such a case size argument for memmove() underflowed.
      
      We don't need to copy headers for packets which do not have preceding
      headers of vlan headers, so skip memmove() in that case.
      Also don't write vlan protocol in skb->data when it does not have enough
      room for it.
      
      Fixes: cbe7128c ("vlan: Fix out of order vlan headers with reorder header off")
      Signed-off-by: NToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c769accd
    • T
      net: Fix untag for vlan packets without ethernet header · ae474573
      Toshiaki Makita 提交于
      In some situation vlan packets do not have ethernet headers. One example
      is packets from tun devices. Users can specify vlan protocol in tun_pi
      field instead of IP protocol, and skb_vlan_untag() attempts to untag such
      packets.
      
      skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it)
      however did not expect packets without ethernet headers, so in such a case
      size argument for memmove() underflowed and triggered crash.
      
      ====
      BUG: unable to handle kernel paging request at ffff8801cccb8000
      IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
      PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101
      Oops: 000b [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
      RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287
      RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2
      RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000
      RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899
      R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4
      R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40
      FS:  00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0
      DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
      Call Trace:
       memmove include/linux/string.h:360 [inline]
       skb_reorder_vlan_header net/core/skbuff.c:5031 [inline]
       skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061
       __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460
       __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
       netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701
       netif_receive_skb+0xae/0x390 net/core/dev.c:4725
       tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555
       tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962
       tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990
       call_write_iter include/linux/fs.h:1782 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x684/0x970 fs/read_write.c:482
       vfs_write+0x189/0x510 fs/read_write.c:544
       SYSC_write fs/read_write.c:589 [inline]
       SyS_write+0xef/0x220 fs/read_write.c:581
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x454879
      RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879
      RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014
      RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000
      Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 <f3> a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20
      RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28
      CR2: ffff8801cccb8000
      ====
      
      We don't need to copy headers for packets which do not have preceding
      headers of vlan headers, so skip memmove() in that case.
      
      Fixes: 4bbb3e0e ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off")
      Reported-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ae474573
  5. 30 3月, 2018 3 次提交