1. 04 3月, 2014 11 次提交
    • D
      net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable · ec0223ec
      Daniel Borkmann 提交于
      RFC4895 introduced AUTH chunks for SCTP; during the SCTP
      handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
      being optional though):
      
        ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
        <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
      
      A special case is when an endpoint requires COOKIE-ECHO
      chunks to be authenticated:
      
        ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
        <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
        ------------------ AUTH; COOKIE-ECHO ---------------->
        <-------------------- COOKIE-ACK ---------------------
      
      RFC4895, section 6.3. Receiving Authenticated Chunks says:
      
        The receiver MUST use the HMAC algorithm indicated in
        the HMAC Identifier field. If this algorithm was not
        specified by the receiver in the HMAC-ALGO parameter in
        the INIT or INIT-ACK chunk during association setup, the
        AUTH chunk and all the chunks after it MUST be discarded
        and an ERROR chunk SHOULD be sent with the error cause
        defined in Section 4.1. [...] If no endpoint pair shared
        key has been configured for that Shared Key Identifier,
        all authenticated chunks MUST be silently discarded. [...]
      
        When an endpoint requires COOKIE-ECHO chunks to be
        authenticated, some special procedures have to be followed
        because the reception of a COOKIE-ECHO chunk might result
        in the creation of an SCTP association. If a packet arrives
        containing an AUTH chunk as a first chunk, a COOKIE-ECHO
        chunk as the second chunk, and possibly more chunks after
        them, and the receiver does not have an STCB for that
        packet, then authentication is based on the contents of
        the COOKIE-ECHO chunk. In this situation, the receiver MUST
        authenticate the chunks in the packet by using the RANDOM
        parameters, CHUNKS parameters and HMAC_ALGO parameters
        obtained from the COOKIE-ECHO chunk, and possibly a local
        shared secret as inputs to the authentication procedure
        specified in Section 6.3. If authentication fails, then
        the packet is discarded. If the authentication is successful,
        the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
        MUST be processed. If the receiver has an STCB, it MUST
        process the AUTH chunk as described above using the STCB
        from the existing association to authenticate the
        COOKIE-ECHO chunk and all the chunks after it. [...]
      
      Commit bbd0d598 introduced the possibility to receive
      and verification of AUTH chunk, including the edge case for
      authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
      the function sctp_sf_do_5_1D_ce() handles processing,
      unpacks and creates a new association if it passed sanity
      checks and also tests for authentication chunks being
      present. After a new association has been processed, it
      invokes sctp_process_init() on the new association and
      walks through the parameter list it received from the INIT
      chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
      and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
      meta data (peer_random, peer_hmacs, peer_chunks) in case
      sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
      SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
      peer_random != NULL and peer_hmacs != NULL the peer is to be
      assumed asoc->peer.auth_capable=1, in any other case
      asoc->peer.auth_capable=0.
      
      Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
      available, we set up a fake auth chunk and pass that on to
      sctp_sf_authenticate(), which at latest in
      sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
      at position 0..0008 when setting up the crypto key in
      crypto_hash_setkey() by using asoc->asoc_shared_key that is
      NULL as condition key_id == asoc->active_key_id is true if
      the AUTH chunk was injected correctly from remote. This
      happens no matter what net.sctp.auth_enable sysctl says.
      
      The fix is to check for net->sctp.auth_enable and for
      asoc->peer.auth_capable before doing any operations like
      sctp_sf_authenticate() as no key is activated in
      sctp_auth_asoc_init_active_key() for each case.
      
      Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
      passed from the INIT chunk was not used in the AUTH chunk, we
      SHOULD send an error; however in this case it would be better
      to just silently discard such a maliciously prepared handshake
      as we didn't even receive a parameter at all. Also, as our
      endpoint has no shared key configured, section 6.3 says that
      MUST silently discard, which we are doing from now onwards.
      
      Before calling sctp_sf_pdiscard(), we need not only to free
      the association, but also the chunk->auth_chunk skb, as
      commit bbd0d598 created a skb clone in that case.
      
      I have tested this locally by using netfilter's nfqueue and
      re-injecting packets into the local stack after maliciously
      modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
      and the SCTP packet containing the COOKIE_ECHO (injecting
      AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
      
      Fixes: bbd0d598 ("[SCTP]: Implement the receive and verification of AUTH chunk")
      Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <yasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Acked-by: NVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ec0223ec
    • D
      Merge tag 'linux-can-fixes-for-3.14-20140303' of git://gitorious.org/linux-can/linux-can · 82f19183
      David S. Miller 提交于
      linux-can-fixes-for-3.14-20140303
      
      Marc Kleine-Budde says:
      
      ====================
      this is a pull request of 8 patches. Oliver Hartkopp contributes a patch which
      removes the CAN FD compatibility for CAN 2.0 sockets, as it turns out that this
      compatibility has some conceptual cornercases. The remaining 7 patches are by
      me, they address a problem in the flexcan driver. When shutting down the
      interface ("ifconfig can0 down") under heavy network load the whole system will
      hang. This series reworks the actual sequence in close() and the transition
      from and to the low power modes of the CAN controller.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      82f19183
    • X
      ip_tunnel:multicast process cause panic due to skb->_skb_refdst NULL pointer · 10ddceb2
      Xin Long 提交于
      when ip_tunnel process multicast packets, it may check if the packet is looped
      back packet though 'rt_is_output_route(skb_rtable(skb))' in ip_tunnel_rcv(),
      but before that , skb->_skb_refdst has been dropped in iptunnel_pull_header(),
      so which leads to a panic.
      
      fix the bug: https://bugzilla.kernel.org/show_bug.cgi?id=70681Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      10ddceb2
    • S
      net: cpsw: fix cpdma rx descriptor leak on down interface · 3995d265
      Schuyler Patton 提交于
      This patch fixes a CPDMA RX Descriptor leak that occurs after taking
      the interface down when the CPSW is in Dual MAC mode. Previously
      the CPSW_ALE port was left open up which causes packets to be received
      and processed by the RX interrupt handler and were passed to the
      non active network interface where they were ignored.
      
      The fix is for the slave_stop function of the selected interface
      to disable the respective CPSW_ALE Port from forwarding packets. This
      blocks traffic from being received on the inactive interface.
      Signed-off-by: NSchuyler Patton <spatton@ti.com>
      Reviewed-by: NFelipe Balbi <balbi@ti.com>
      Signed-off-by: NMugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3995d265
    • V
      be2net: isolate TX workarounds not applicable to Skyhawk-R · ec495fac
      Vasundhara Volam 提交于
      Some of TX workarounds in be_xmit_workarounds() routine
      are not applicable (and result in HW errors) to Skyhawk-R chip.
      Isolate BE3-R/Lancer specific workarounds to a separate routine.
      Signed-off-by: NVasundhara Volam <vasundhara.volam@emulex.com>
      Signed-off-by: NSathya Perla <sathya.perla@emulex.com>
      Signed-off-by: NSomnath Kotur <somnath.kotur@emulex.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ec495fac
    • V
      be2net: Fix skb double free in be_xmit_wrokarounds() failure path · c9128951
      Vasundhara Volam 提交于
      skb_padto(), skb_share_check() and __vlan_put_tag() routines free
      skb when they return an error. This patch fixes be_xmit_workarounds()
      to not free skb again in such cases.
      Signed-off-by: NVasundhara Volam <vasundhara.volam@emulex.com>
      Signed-off-by: NSathya Perla <sathya.perla@emulex.com>
      Signed-off-by: NSomnath Kotur <somnath.kotur@emulex.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c9128951
    • S
      be2net: clear promiscuous bits in adapter->flags while disabling promiscuous mode · 7ad09458
      Somnath kotur 提交于
      We should clear promiscuous bits in adapter->flags while disabling promiscuous
      mode. Else we will not put interface back into VLAN promisc mode if the vlans
      already added exceeds the maximum limit.
      Signed-off-by: NKalesh AP <kalesh.purayil@emulex.com>
      Signed-off-by: NSomnath Kotur <somnath.kotur@emulex.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7ad09458
    • S
      be2net: Fix to reset transparent vlan tagging · c502224e
      Somnath Kotur 提交于
      For disabling transparent tagging issue SET_HSW_CONFIG with pvid_valid=1
      and pvid=0xFFFF and not with the default pvid as this case would fail in Lancer.
      Hence removing the get_hsw_config call from be_vf_setup() as it's
      only use of getting default pvid is no longer needed.
      
      Also do proper housekeeping only if the FW command succeeds.
      Signed-off-by: NKalesh AP <kalesh.purayil@emulex.com>
      Signed-off-by: NSomnath Kotur <somnath.kotur@emulex.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c502224e
    • D
      qlcnic: dcb: a couple off by one bugs · e842b068
      Dan Carpenter 提交于
      The ->tc_cfg[] array has QLC_DCB_MAX_TC (8) elements so the check is
      off by one.  These functions are always called with valid values though
      so it doesn't affect how the code works.
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: NSucheta Chakraborty <sucheta.chakraborty@qlogic.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e842b068
    • Y
      tcp: fix bogus RTT on special retransmission · c84a5711
      Yuchung Cheng 提交于
      RTT may be bogus with tall loss probe (TLP) when a packet
      is retransmitted and latter (s)acked without TCPCB_SACKED_RETRANS flag.
      
      For example, TLP calls __tcp_retransmit_skb() instead of
      tcp_retransmit_skb(). The skb timestamps are updated but the sacked
      flag is not marked with TCPCB_SACKED_RETRANS. As a result we'll
      get bogus RTT in tcp_clean_rtx_queue() or in tcp_sacktag_one() on
      spurious retransmission.
      
      The fix is to apply the sticky flag TCP_EVER_RETRANS to enforce Karn's
      check on RTT sampling. However this will disable F-RTO if timeout occurs
      after TLP, by resetting undo_marker in tcp_enter_loss(). We relax this
      check to only if any pending retransmists are still in-flight.
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Acked-by: NNandita Dukkipati <nanditad@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c84a5711
    • D
      hsr: off by one sanity check in hsr_register_frame_in() · de39d7a4
      Dan Carpenter 提交于
      This is a sanity check and we never pass invalid values so this patch
      doesn't change anything.  However the node->time_in[] array has
      HSR_MAX_SLAVE (2) elements and not HSR_MAX_DEV (3).
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      de39d7a4
  2. 03 3月, 2014 11 次提交
  3. 01 3月, 2014 2 次提交
  4. 28 2月, 2014 8 次提交
  5. 27 2月, 2014 8 次提交
    • J
      bonding: disallow enslaving a bond to itself · 09a89c21
      Jiri Bohac 提交于
      Enslaving a bond to itself leads to an endless loop and hangs the kernel.
      Signed-off-by: NJiri Bohac <jbohac@suse.cz>
      Tested-by: NDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      09a89c21
    • N
      bonding: fix a div error caused by the slave release path · ee6154e1
      Nikolay Aleksandrov 提交于
      There's a bug in the slave release function which leads the transmit
      functions which use the bond->slave_cnt to a div by 0 because we might
      just have released our last slave and made slave_cnt == 0 but at the same
      time we may have a transmitter after the check for an empty list which will
      fetch it and use it in the slave id calculation.
      Fix it by moving the slave_cnt after synchronize_rcu so if this was our
      last slave any new transmitters will see an empty slave list which is
      checked after rcu lock but before calling the mode transmit functions
      which rely on bond->slave_cnt.
      
      Fixes: 278b2083 ("bonding: initial RCU conversion")
      
      CC: Veaceslav Falico <vfalico@redhat.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      CC: Jay Vosburgh <fubar@us.ibm.com>
      CC: David S. Miller <davem@davemloft.net>
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Acked-by: NVeaceslav Falico <vfalico@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ee6154e1
    • F
      AX88179_178A: Add VID:DID for Lenovo OneLinkDock Gigabit LAN · e5fe0cd4
      Freddy Xin 提交于
      Add VID:DID for Lenovo OneLinkDock Gigabit LAN
      Signed-off-by: NFreddy Xin <freddy@asix.com.tw>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e5fe0cd4
    • D
      Merge branch 'bonding_rtnl' · 5d6dd5bf
      David S. Miller 提交于
      Ding Tianhong says:
      
      ====================
      Fix RTNL: assertion failed at net/core/rtnetlink.c
      
      The commit 1d3ee88a
      (bonding: add netlink attributes to slave link dev)
      make the bond_set_active_slave() and bond_set_backup_slave()
      use rtmsg_ifinfo to send slave's states and this functions
      should be called in RTNL.
      
      But the 902.3ad and ARP monitor did not hold the RTNL when calling
      thses two functions, so fix them.
      
      v1->v2: Add new micro to indicate that the notification should be send
              later, not never.
              And add a new patch to fix the same problem for ARP mode.
      
      v2->v3: modify the bond_should_notify to should_notify_rtnl, it is more
      	reasonable, and	use bool for should_notify_rtnl.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5d6dd5bf
    • D
      bonding: Fix RTNL: assertion failed at net/core/rtnetlink.c for ab arp monitor · b0929915
      dingtianhong 提交于
      Veaceslav has reported and fix this problem by commit f2ebd477
      (bonding: restructure locking of bond_ab_arp_probe()). According Jay's
      opinion, the current solution is not very well, because the notification
      is to indicate that the interface has actually changed state in a meaningful
      way, but these calls in the ab ARP monitor are internal settings of the flags
      to allow the ARP monitor to search for a slave to become active when there are
      no active slaves. The flag setting to active or backup is to permit the ARP
      monitor's response logic to do the right thing when deciding if the test
      slave (current_arp_slave) is up or not.
      
      So the best way to fix the problem is that we should not send a notification
      when the slave is in testing state, and check the state at the end of the
      monitor, if the slave's state recover, avoid to send pointless notification
      twice. And RTNL is really a big lock, hold it regardless the slave's state
      changed or not when the current_active_slave is null will loss performance
      (every 100ms), so we should hold it only when the slave's state changed and
      need to notify.
      
      I revert the old commit and add new modifications.
      
      Cc: Jay Vosburgh <fubar@us.ibm.com>
      Cc: Veaceslav Falico <vfalico@redhat.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: NDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b0929915
    • D
      bonding: Fix RTNL: assertion failed at net/core/rtnetlink.c for 802.3ad mode · 5e5b0665
      dingtianhong 提交于
      The problem was introduced by the commit 1d3ee88a
      (bonding: add netlink attributes to slave link dev).
      The bond_set_active_slave() and bond_set_backup_slave()
      will use rtmsg_ifinfo to send slave's states, so these
      two functions should be called in RTNL.
      
      In 802.3ad mode, acquiring RTNL for the __enable_port and
      __disable_port cases is difficult, as those calls generally
      already hold the state machine lock, and cannot unconditionally
      call rtnl_lock because either they already hold RTNL (for calls
      via bond_3ad_unbind_slave) or due to the potential for deadlock
      with bond_3ad_adapter_speed_changed, bond_3ad_adapter_duplex_changed,
      bond_3ad_link_change, or bond_3ad_update_lacp_rate.  All four of
      those are called with RTNL held, and acquire the state machine lock
      second.  The calling contexts for __enable_port and __disable_port
      already hold the state machine lock, and may or may not need RTNL.
      
      According to the Jay's opinion, I don't think it is a problem that
      the slave don't send notify message synchronously when the status
      changed, normally the state machine is running every 100 ms, send
      the notify message at the end of the state machine if the slave's
      state changed should be better.
      
      I fix the problem through these steps:
      
      1). add a new function bond_set_slave_state() which could change
          the slave's state and call rtmsg_ifinfo() according to the input
          parameters called notify.
      
      2). Add a new slave parameter which called should_notify, if the slave's state
          changed and don't notify yet, the parameter will be set to 1, and then if
          the slave's state changed again, the param will be set to 0, it indicate that
          the slave's state has been restored, no need to notify any one.
      
      3). the __enable_port and __disable_port should not call rtmsg_ifinfo
          in the state machine lock, any change in the state of slave could
          set a flag in the slave, it will indicated that an rtmsg_ifinfo
          should be called at the end of the state machine.
      
      Cc: Jay Vosburgh <fubar@us.ibm.com>
      Cc: Veaceslav Falico <vfalico@redhat.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: NDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5e5b0665
    • J
      MAINTAINERS: Intel nic drivers · bc90d291
      Joe Perches 提交于
      Add a new F: line for the intel subdirectories.
      
      This allows get_maintainers to avoid using git log
      and cc'ing people that have submitted clean-up style
      patches for all first level directories under
      drivers/net/ethernet/intel/
      
      This does not make e100.c maintained.
      Signed-off-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bc90d291
    • E
      sfc: check for NULL efx->ptp_data in efx_ptp_event · 8f355e5c
      Edward Cree 提交于
      If we receive a PTP event from the NIC when we haven't set up PTP state
      in the driver, we attempt to read through a NULL pointer efx->ptp_data,
      triggering a panic.
      Signed-off-by: NEdward Cree <ecree@solarflare.com>
      Acked-by: NShradha Shah <sshah@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8f355e5c