1. 20 Feb, 2018 3 commits
    • net: qualcomm: rmnet: Fix possible null dereference in command processing · f57bbaae
      Subash Abhinov Kasiviswanathan committed
      If a command packet with invalid mux id is received, the packet would
      not have a valid endpoint. This invalid endpoint may be dereferenced
      leading to a crash. Identified by manual code inspection.
      
      Fixes: 3352e6c4 ("net: qualcomm: rmnet: Convert the muxed endpoint to hlist")
      Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: qualcomm: rmnet: Fix warning seen with 64 bit stats · 4dba8bbc
      Subash Abhinov Kasiviswanathan committed
      With CONFIG_DEBUG_PREEMPT enabled, a warning was seen on device
      creation. This occurs due to the incorrect cpu API usage in
      ndo_get_stats64 handler.
      
      BUG: using smp_processor_id() in preemptible [00000000] code: rmnetcli/5743
      caller is debug_smp_processor_id+0x1c/0x24
      Call trace:
      [<ffffff9d48c8967c>] dump_backtrace+0x0/0x2a8
      [<ffffff9d48c89bbc>] show_stack+0x20/0x28
      [<ffffff9d4901fff8>] dump_stack+0xa8/0xe0
      [<ffffff9d490421e0>] check_preemption_disabled+0x104/0x108
      [<ffffff9d49042200>] debug_smp_processor_id+0x1c/0x24
      [<ffffff9d494a36b0>] rmnet_get_stats64+0x64/0x13c
      [<ffffff9d49b014e0>] dev_get_stats+0x68/0xd8
      [<ffffff9d49d58df8>] rtnl_fill_stats+0x54/0x140
      [<ffffff9d49b1f0b8>] rtnl_fill_ifinfo+0x428/0x9cc
      [<ffffff9d49b23834>] rtmsg_ifinfo_build_skb+0x80/0xf4
      [<ffffff9d49b23930>] rtnetlink_event+0x88/0xb4
      [<ffffff9d48cd21b4>] raw_notifier_call_chain+0x58/0x78
      [<ffffff9d49b028a4>] call_netdevice_notifiers_info+0x48/0x78
      [<ffffff9d49b08bf8>] __netdev_upper_dev_link+0x290/0x5e8
      [<ffffff9d49b08fcc>] netdev_master_upper_dev_link+0x3c/0x48
      [<ffffff9d494a2e74>] rmnet_newlink+0xf0/0x1c8
      [<ffffff9d49b23360>] rtnl_newlink+0x57c/0x6c8
      [<ffffff9d49b2355c>] rtnetlink_rcv_msg+0xb0/0x244
      [<ffffff9d49b5230c>] netlink_rcv_skb+0xb4/0xdc
      [<ffffff9d49b204f4>] rtnetlink_rcv+0x34/0x44
      [<ffffff9d49b51af0>] netlink_unicast+0x1ec/0x294
      [<ffffff9d49b51fdc>] netlink_sendmsg+0x320/0x390
      [<ffffff9d49ae6858>] sock_sendmsg+0x54/0x60
      [<ffffff9d49ae91bc>] SyS_sendto+0x1a0/0x1e4
      [<ffffff9d48c83770>] el0_svc_naked+0x24/0x28
      
      Fixes: 192c4b5d ("net: qualcomm: rmnet: Add support for 64 bit stats")
      Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: qualcomm: rmnet: Fix crash on real dev unregistration · b37f78f2
      Subash Abhinov Kasiviswanathan committed
      With CONFIG_DEBUG_PREEMPT enabled, a crash with the following call
      stack was observed when removing a real dev which had rmnet devices
      attached to it.
      To fix this, remove the netdev_upper link APIs and instead use the
      existing information in rmnet_port and rmnet_priv to get the
      association between real and rmnet devs.
      
      BUG: sleeping function called from invalid context
      in_atomic(): 0, irqs_disabled(): 0, pid: 5762, name: ip
      Preemption disabled at:
      [<ffffff9d49043564>] debug_object_active_state+0xa4/0x16c
      Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      Modules linked in:
      PC is at ___might_sleep+0x13c/0x180
      LR is at ___might_sleep+0x17c/0x180
      [<ffffff9d48ce0924>] ___might_sleep+0x13c/0x180
      [<ffffff9d48ce09c0>] __might_sleep+0x58/0x8c
      [<ffffff9d49d6253c>] mutex_lock+0x2c/0x48
      [<ffffff9d48ed4840>] kernfs_remove_by_name_ns+0x48/0xa8
      [<ffffff9d48ed6ec8>] sysfs_remove_link+0x30/0x58
      [<ffffff9d49b05840>] __netdev_adjacent_dev_remove+0x14c/0x1e0
      [<ffffff9d49b05914>] __netdev_adjacent_dev_unlink_lists+0x40/0x68
      [<ffffff9d49b08820>] netdev_upper_dev_unlink+0xb4/0x1fc
      [<ffffff9d494a29f0>] rmnet_dev_walk_unreg+0x6c/0xc8
      [<ffffff9d49b00b40>] netdev_walk_all_lower_dev_rcu+0x58/0xb4
      [<ffffff9d494a30fc>] rmnet_config_notify_cb+0xf4/0x134
      [<ffffff9d48cd21b4>] raw_notifier_call_chain+0x58/0x78
      [<ffffff9d49b028a4>] call_netdevice_notifiers_info+0x48/0x78
      [<ffffff9d49b0b568>] rollback_registered_many+0x230/0x3c8
      [<ffffff9d49b0b738>] unregister_netdevice_many+0x38/0x94
      [<ffffff9d49b1e110>] rtnl_delete_link+0x58/0x88
      [<ffffff9d49b201dc>] rtnl_dellink+0xbc/0x1cc
      [<ffffff9d49b2355c>] rtnetlink_rcv_msg+0xb0/0x244
      [<ffffff9d49b5230c>] netlink_rcv_skb+0xb4/0xdc
      [<ffffff9d49b204f4>] rtnetlink_rcv+0x34/0x44
      [<ffffff9d49b51af0>] netlink_unicast+0x1ec/0x294
      [<ffffff9d49b51fdc>] netlink_sendmsg+0x320/0x390
      [<ffffff9d49ae6858>] sock_sendmsg+0x54/0x60
      [<ffffff9d49ae6f94>] ___sys_sendmsg+0x298/0x2b0
      [<ffffff9d49ae98f8>] SyS_sendmsg+0xb4/0xf0
      [<ffffff9d48c83770>] el0_svc_naked+0x24/0x28
      
      Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
      Fixes: 60d58f97 ("net: qualcomm: rmnet: Implement bridge mode")
      Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 17 Feb, 2018 11 commits
    • sctp: remove the left unnecessary check for chunk in sctp_renege_events · 9ab2323c
      Xin Long committed
      Commit fb234035 ("sctp: remove the useless check in
      sctp_renege_events") forgot to remove another check for
      chunk in sctp_renege_events.
      
      Dan found this when doing a static check.
      
      This patch is to remove that check, and also to merge
      two checks into one 'if statement'.
      
      Fixes: fb234035 ("sctp: remove the useless check in sctp_renege_events")
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rxrpc: Work around usercopy check · a16b8d0c
      David Howells committed
      Due to a check recently added to copy_to_user(), it's now not permitted to
      copy from slab-held data to userspace unless the slab is whitelisted.  This
      affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
      control message in the userspace control message buffer.  A warning is
      generated by usercopy_warn() because the source is the copy of the
      user_call_ID retained in the rxrpc_call struct.
      
      Work around the issue by copying the user_call_ID to a variable on the
      stack and passing that to put_cmsg().
      
      The warning generated looks like:
      
      	Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
      	WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
      	...
      	RIP: 0010:usercopy_warn+0x7e/0xa0
      	...
      	Call Trace:
      	 __check_object_size+0x9c/0x1a0
      	 put_cmsg+0x98/0x120
      	 rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
      	 ? finish_wait+0x80/0x80
      	 ___sys_recvmsg+0xf8/0x240
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? finish_task_switch+0xa6/0x2b0
      	 ? trace_hardirqs_on_caller+0xed/0x180
      	 ? _raw_spin_unlock_irq+0x29/0x40
      	 ? __sys_recvmsg+0x4e/0x90
      	 __sys_recvmsg+0x4e/0x90
      	 do_syscall_64+0x7a/0x220
      	 entry_SYSCALL_64_after_hwframe+0x26/0x9b
      Reported-by: Jonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Kees Cook <keescook@chromium.org>
      Tested-by: Jonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tun: fix tun_napi_alloc_frags() frag allocator · 43a08e0f
      Eric Dumazet committed
      <Mark Rutland reported>
          While fuzzing arm64 v4.16-rc1 with Syzkaller, I've been hitting a
          misaligned atomic in __skb_clone:
      
              atomic_inc(&(skb_shinfo(skb)->dataref));
      
         where dataref doesn't have the required natural alignment, and the
         atomic operation faults. e.g. I often see it aligned to a single
         byte boundary rather than a four byte boundary.
      
         AFAICT, the skb_shared_info is misaligned at the instant it's
         allocated in __napi_alloc_skb()  __napi_alloc_skb()
      </end of report>
      
      Problem is caused by tun_napi_alloc_frags() using
      napi_alloc_frag() with user provided seg sizes,
      leading to other users of this API getting unaligned
      page fragments.
      
      Since we would like to not necessarily add paddings or alignments to
      the frags that tun_napi_alloc_frags() attaches to the skb, switch to
      another page frag allocator.
      
      As a bonus skb_page_frag_refill() can use GFP_KERNEL allocations,
      meaning that we can not deplete memory reserves as easily.
      
      Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: Mark Rutland <mark.rutland@arm.com>
      Tested-by: Mark Rutland <mark.rutland@arm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • udplite: fix partial checksum initialization · 15f35d49
      Alexey Kodanev committed
      Since UDP-Lite is always using checksum, the following path is
      triggered when calculating pseudo header for it:
      
        udp4_csum_init() or udp6_csum_init()
          skb_checksum_init_zero_check()
            __skb_checksum_validate_complete()
      
      The problem can appear if skb->len is less than CHECKSUM_BREAK. In
      this particular case __skb_checksum_validate_complete() also invokes
      __skb_checksum_complete(skb). If UDP-Lite is using partial checksum
      that covers only part of a packet, the function will return bad
      checksum and the packet will be dropped.
      
      It can be fixed if we skip skb_checksum_init_zero_check() and only
      set the required pseudo header checksum for UDP-Lite with partial
      checksum before udp4_csum_init()/udp6_csum_init() functions return.
      
      Fixes: ed70fcfc ("net: Call skb_checksum_init in IPv4")
      Fixes: e4f45b7f ("net: Call skb_checksum_init in IPv6")
      Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • skbuff: Fix comment mis-spelling. · da279887
      David S. Miller committed
      'peform' --> 'perform'
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock · dfec0914
      Paolo Abeni committed
      After commit 3f34cfae ("netfilter: on sockopt() acquire sock lock
      only in the required scope"), the caller of nf_{get/set}sockopt() must
      not hold any lock, but, in such changeset, I forgot to cope with DECnet.
      
      This commit addresses the issue moving the nf call outside the lock,
      in the dn_{get,set}sockopt() with the same schema currently used by
      ipv4 and ipv6. Also moves the unhandled sockopts to the end of the main
      switch statements, to improve code readability.
      Reported-by: Petr Vandrovec <petr@vandrovec.name>
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198791#c2
      Fixes: 3f34cfae ("netfilter: on sockopt() acquire sock lock only in the required scope")
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • PCI/cxgb4: Extend T3 PCI quirk to T4+ devices · 7dcf688d
      Casey Leedom committed
      We've run into a problem where our device is attached
      to a Virtual Machine and the use of the new pci_set_vpd_size()
      API doesn't help.  The VM kernel has been informed that
      the accesses are okay, but all of the actual VPD Capability
      Accesses are trapped down into the KVM Hypervisor where it
      goes ahead and imposes the silent denials.
      
      The right idea is to follow the kernel.org
      commit 1c7de2b4 ("PCI: Enable access to non-standard VPD for
      Chelsio devices (cxgb3)") which Alexey Kardashevskiy authored
      to establish a PCI Quirk for our T3-based adapters. This commit
      extends that PCI Quirk to cover Chelsio T4 devices and later.
      
      The advantage of this approach is that the VPD Size gets set early
      in the Base OS/Hypervisor Boot and doesn't require that the cxgb4
      driver even be available in the Base OS/Hypervisor.  Thus PF4 can
      be exported to a Virtual Machine and everything should work.
      
      Fixes: 67e65879 ("cxgb4: Set VPD size so we can read both VPD structures")
      Cc: <stable@vger.kernel.org>  # v4.9+
      Signed-off-by: Casey Leedom <leedom@chelsio.com>
      Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: fix trailing zero in CIM LA dump · e6f02a4d
      Rahul Lakkireddy committed
      Set correct size of the CIM LA dump for T6.
      
      Fixes: 27887bc7 ("cxgb4: collect hardware LA dumps")
      Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: free up resources of pf 0-3 · c4e43e14
      Ganesh Goudar committed
      free pf 0-3 resources, commit baf50868 ("cxgb4:
      restructure VF mgmt code") erroneously removed the
      code which frees the pf 0-3 resources, causing the
      probe of pf 0-3 to fail in case of driver reload.
      
      Fixes: baf50868 ("cxgb4: restructure VF mgmt code")
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • fib_semantics: Don't match route with mismatching tclassid · a8c6db1d
      Stefano Brivio committed
      In fib_nh_match(), if output interface or gateway are passed in
      the FIB configuration, we don't have to check next hops of
      multipath routes to conclude whether we have a match or not.
      
      However, we might still have routes with different realms
      matching the same output interface and gateway configuration,
      and this needs to cause the match to fail. Otherwise the first
      route inserted in the FIB will match, regardless of the realms:
      
       # ip route add 1.1.1.1 dev eth0 table 1234 realms 1/2
       # ip route append 1.1.1.1 dev eth0 table 1234 realms 3/4
       # ip route list table 1234
       1.1.1.1 dev eth0 scope link realms 1/2
       1.1.1.1 dev eth0 scope link realms 3/4
       # ip route del 1.1.1.1 dev ens3 table 1234 realms 3/4
       # ip route list table 1234
       1.1.1.1 dev ens3 scope link realms 3/4
      
      whereas route with realms 3/4 should have been deleted instead.
      
      Explicitly check for fc_flow passed in the FIB configuration
      (this comes from RTA_FLOW extracted by rtm_to_fib_config()) and
      fail matching if it differs from nh_tclassid.
      
      The handling of RTA_FLOW for multipath routes later in
      fib_nh_match() is still needed, as we can have multiple RTA_FLOW
      attributes that need to be matched against the tclassid of each
      next hop.
      
      v2: Check that fc_flow is set before discarding the match, so
          that the user can still select the first matching rule by
          not specifying any realm, as suggested by David Ahern.
      Reported-by: Jianlin Shi <jishi@redhat.com>
      Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • NFC: llcp: Limit size of SDP URI · fe9c8426
      Kees Cook committed
      The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
      this both in the NLA policy and in the code that performs the allocation
      and copy, to avoid writing past the end of the allocated buffer.
      
      Fixes: d9b8d8e1 ("NFC: llcp: Service Name Lookup netlink interface")
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 15 Feb, 2018 24 commits
  4. 14 Feb, 2018 2 commits