1. 21 7月, 2017 2 次提交
    • M
      ipv4: initialize fib_trie prior to register_netdev_notifier call. · 8799a221
      Mahesh Bandewar 提交于
      Net stack initialization currently initializes fib-trie after the
      first call to netdevice_notifier() call. In fact fib_trie initialization
      needs to happen before first rtnl_register(). It does not cause any problem
      since there are no devices UP at this moment, but trying to bring 'lo'
      UP at initialization would make this assumption wrong and exposes the issue.
      
      Fixes following crash
      
       Call Trace:
        ? alternate_node_alloc+0x76/0xa0
        fib_table_insert+0x1b7/0x4b0
        fib_magic.isra.17+0xea/0x120
        fib_add_ifaddr+0x7b/0x190
        fib_netdev_event+0xc0/0x130
        register_netdevice_notifier+0x1c1/0x1d0
        ip_fib_init+0x72/0x85
        ip_rt_init+0x187/0x1e9
        ip_init+0xe/0x1a
        inet_init+0x171/0x26c
        ? ipv4_offload_init+0x66/0x66
        do_one_initcall+0x43/0x160
        kernel_init_freeable+0x191/0x219
        ? rest_init+0x80/0x80
        kernel_init+0xe/0x150
        ret_from_fork+0x22/0x30
       Code: f6 46 23 04 74 86 4c 89 f7 e8 ae 45 01 00 49 89 c7 4d 85 ff 0f 85 7b ff ff ff 31 db eb 08 4c 89 ff e8 16 47 01 00 48 8b 44 24 38 <45> 8b 6e 14 4d 63 76 74 48 89 04 24 0f 1f 44 00 00 48 83 c4 08
       RIP: kmem_cache_alloc+0xcf/0x1c0 RSP: ffff9b1500017c28
       CR2: 0000000000000014
      
      Fixes: 7b1a74fd ("[NETNS]: Refactor fib initialization so it can handle multiple namespaces.")
      Fixes: 7f9b8052 ("[IPV4]: fib hash|trie initialization")
      Signed-off-by: NMahesh Bandewar <maheshb@google.com>
      Acked-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8799a221
    • W
      rtnetlink: allocate more memory for dev_set_mac_address() · 153711f9
      WANG Cong 提交于
      virtnet_set_mac_address() interprets mac address as struct
      sockaddr, but upper layer only allocates dev->addr_len
      which is ETH_ALEN + sizeof(sa_family_t) in this case.
      
      We lack a unified definition for mac address, so just fix
      the upper layer, this also allows drivers to interpret it
      to struct sockaddr freely.
      Reported-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      153711f9
  2. 20 7月, 2017 4 次提交
  3. 19 7月, 2017 3 次提交
    • D
      netfilter: fix netfilter_net_init() return · 073dd5ad
      Dan Carpenter 提交于
      We accidentally return an uninitialized variable.
      
      Fixes: cf56c2f8 ("netfilter: remove old pre-netns era hook api")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      073dd5ad
    • P
      udp: preserve skb->dst if required for IP options processing · 0ddf3fb2
      Paolo Abeni 提交于
      Eric noticed that in udp_recvmsg() we still need to access
      skb->dst while processing the IP options.
      Since commit 0a463c78 ("udp: avoid a cache miss on dequeue")
      skb->dst is no more available at recvmsg() time and bad things
      will happen if we enter the relevant code path.
      
      This commit address the issue, avoid clearing skb->dst if
      any IP options are present into the relevant skb.
      Since the IP CB is contained in the first skb cacheline, we can
      test it to decide to leverage the consume_stateless_skb()
      optimization, without measurable additional cost in the faster
      path.
      
      v1 -> v2: updated commit message tags
      
      Fixes: 0a463c78 ("udp: avoid a cache miss on dequeue")
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Reported-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0ddf3fb2
    • A
      ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check() · 18bcf290
      Alexander Potapenko 提交于
      KMSAN reported use of uninitialized memory in skb_set_hash_from_sk(),
      which originated from the TCP request socket created in
      cookie_v6_check():
      
       ==================================================================
       BUG: KMSAN: use of uninitialized memory in tcp_transmit_skb+0xf77/0x3ec0
       CPU: 1 PID: 2949 Comm: syz-execprog Not tainted 4.11.0-rc5+ #2931
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       TCP: request_sock_TCPv6: Possible SYN flooding on port 20028. Sending cookies.  Check SNMP counters.
       Call Trace:
        <IRQ>
        __dump_stack lib/dump_stack.c:16
        dump_stack+0x172/0x1c0 lib/dump_stack.c:52
        kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927
        __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469
        skb_set_hash_from_sk ./include/net/sock.h:2011
        tcp_transmit_skb+0xf77/0x3ec0 net/ipv4/tcp_output.c:983
        tcp_send_ack+0x75b/0x830 net/ipv4/tcp_output.c:3493
        tcp_delack_timer_handler+0x9a6/0xb90 net/ipv4/tcp_timer.c:284
        tcp_delack_timer+0x1b0/0x310 net/ipv4/tcp_timer.c:309
        call_timer_fn+0x240/0x520 kernel/time/timer.c:1268
        expire_timers kernel/time/timer.c:1307
        __run_timers+0xc13/0xf10 kernel/time/timer.c:1601
        run_timer_softirq+0x36/0xa0 kernel/time/timer.c:1614
        __do_softirq+0x485/0x942 kernel/softirq.c:284
        invoke_softirq kernel/softirq.c:364
        irq_exit+0x1fa/0x230 kernel/softirq.c:405
        exiting_irq+0xe/0x10 ./arch/x86/include/asm/apic.h:657
        smp_apic_timer_interrupt+0x5a/0x80 arch/x86/kernel/apic/apic.c:966
        apic_timer_interrupt+0x86/0x90 arch/x86/entry/entry_64.S:489
       RIP: 0010:native_restore_fl ./arch/x86/include/asm/irqflags.h:36
       RIP: 0010:arch_local_irq_restore ./arch/x86/include/asm/irqflags.h:77
       RIP: 0010:__msan_poison_alloca+0xed/0x120 mm/kmsan/kmsan_instr.c:440
       RSP: 0018:ffff880024917cd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
       RAX: 0000000000000246 RBX: ffff8800224c0000 RCX: 0000000000000005
       RDX: 0000000000000004 RSI: ffff880000000000 RDI: ffffea0000b6d770
       RBP: ffff880024917d58 R08: 0000000000000dd8 R09: 0000000000000004
       R10: 0000160000000000 R11: 0000000000000000 R12: ffffffff85abf810
       R13: ffff880024917dd8 R14: 0000000000000010 R15: ffffffff81cabde4
        </IRQ>
        poll_select_copy_remaining+0xac/0x6b0 fs/select.c:293
        SYSC_select+0x4b4/0x4e0 fs/select.c:653
        SyS_select+0x76/0xa0 fs/select.c:634
        entry_SYSCALL_64_fastpath+0x13/0x94 arch/x86/entry/entry_64.S:204
       RIP: 0033:0x4597e7
       RSP: 002b:000000c420037ee0 EFLAGS: 00000246 ORIG_RAX: 0000000000000017
       RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004597e7
       RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
       RBP: 000000c420037ef0 R08: 000000c420037ee0 R09: 0000000000000059
       R10: 0000000000000000 R11: 0000000000000246 R12: 000000000042dc20
       R13: 00000000000000f3 R14: 0000000000000030 R15: 0000000000000003
       chained origin:
        save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
        kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
        kmsan_save_stack mm/kmsan/kmsan.c:317
        kmsan_internal_chain_origin+0x12a/0x1f0 mm/kmsan/kmsan.c:547
        __msan_store_shadow_origin_4+0xac/0x110 mm/kmsan/kmsan_instr.c:259
        tcp_create_openreq_child+0x709/0x1ae0 net/ipv4/tcp_minisocks.c:472
        tcp_v6_syn_recv_sock+0x7eb/0x2a30 net/ipv6/tcp_ipv6.c:1103
        tcp_get_cookie_sock+0x136/0x5f0 net/ipv4/syncookies.c:212
        cookie_v6_check+0x17a9/0x1b50 net/ipv6/syncookies.c:245
        tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:989
        tcp_v6_do_rcv+0xdd8/0x1c60 net/ipv6/tcp_ipv6.c:1298
        tcp_v6_rcv+0x41a3/0x4f00 net/ipv6/tcp_ipv6.c:1487
        ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
        NF_HOOK ./include/linux/netfilter.h:257
        ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
        dst_input ./include/net/dst.h:492
        ip6_rcv_finish net/ipv6/ip6_input.c:69
        NF_HOOK ./include/linux/netfilter.h:257
        ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
        __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
        __netif_receive_skb net/core/dev.c:4246
        process_backlog+0x667/0xba0 net/core/dev.c:4866
        napi_poll net/core/dev.c:5268
        net_rx_action+0xc95/0x1590 net/core/dev.c:5333
        __do_softirq+0x485/0x942 kernel/softirq.c:284
       origin:
        save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
        kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
        kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198
        kmsan_kmalloc+0x7f/0xe0 mm/kmsan/kmsan.c:337
        kmem_cache_alloc+0x1c2/0x1e0 mm/slub.c:2766
        reqsk_alloc ./include/net/request_sock.h:87
        inet_reqsk_alloc+0xa4/0x5b0 net/ipv4/tcp_input.c:6200
        cookie_v6_check+0x4f4/0x1b50 net/ipv6/syncookies.c:169
        tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:989
        tcp_v6_do_rcv+0xdd8/0x1c60 net/ipv6/tcp_ipv6.c:1298
        tcp_v6_rcv+0x41a3/0x4f00 net/ipv6/tcp_ipv6.c:1487
        ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
        NF_HOOK ./include/linux/netfilter.h:257
        ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
        dst_input ./include/net/dst.h:492
        ip6_rcv_finish net/ipv6/ip6_input.c:69
        NF_HOOK ./include/linux/netfilter.h:257
        ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
        __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
        __netif_receive_skb net/core/dev.c:4246
        process_backlog+0x667/0xba0 net/core/dev.c:4866
        napi_poll net/core/dev.c:5268
        net_rx_action+0xc95/0x1590 net/core/dev.c:5333
        __do_softirq+0x485/0x942 kernel/softirq.c:284
       ==================================================================
      
      Similar error is reported for cookie_v4_check().
      
      Fixes: 58d607d3 ("tcp: provide skb->hash to synack packets")
      Signed-off-by: NAlexander Potapenko <glider@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      18bcf290
  4. 17 7月, 2017 5 次提交
  5. 16 7月, 2017 7 次提交
  6. 15 7月, 2017 1 次提交
    • X
      sctp: fix an array overflow when all ext chunks are set · 10b3bf54
      Xin Long 提交于
      Marcelo noticed an array overflow caused by commit c28445c3
      ("sctp: add reconf_enable in asoc ep and netns"), in which sctp
      would add SCTP_CID_RECONF into extensions when reconf_enable is
      set in sctp_make_init and sctp_make_init_ack.
      
      Then now when all ext chunks are set, 4 ext chunk ids can be put
      into extensions array while extensions array size is 3. It would
      cause a kernel panic because of this overflow.
      
      This patch is to fix it by defining extensions array size is 4 in
      both sctp_make_init and sctp_make_init_ack.
      
      Fixes: c28445c3 ("sctp: add reconf_enable in asoc ep and netns")
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      10b3bf54
  7. 14 7月, 2017 7 次提交
  8. 13 7月, 2017 1 次提交
  9. 12 7月, 2017 2 次提交
    • D
      net: ipmr: ipmr_get_table() returns NULL · 2e3d232e
      Dan Carpenter 提交于
      The ipmr_get_table() function doesn't return error pointers it returns
      NULL on error.
      
      Fixes: 4f75ba69 ("net: ipmr: Add ipmr_rtm_getroute")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2e3d232e
    • E
      bridge: mdb: fix leak on complete_info ptr on fail path · 1bfb1596
      Eduardo Valentin 提交于
      We currently get the following kmemleak report:
      unreferenced object 0xffff8800039d9820 (size 32):
        comm "softirq", pid 0, jiffies 4295212383 (age 792.416s)
        hex dump (first 32 bytes):
          00 0c e0 03 00 88 ff ff ff 02 00 00 00 00 00 00  ................
          00 00 00 01 ff 11 00 02 86 dd 00 00 ff ff ff ff  ................
        backtrace:
          [<ffffffff8152b4aa>] kmemleak_alloc+0x4a/0xa0
          [<ffffffff811d8ec8>] kmem_cache_alloc_trace+0xb8/0x1c0
          [<ffffffffa0389683>] __br_mdb_notify+0x2a3/0x300 [bridge]
          [<ffffffffa038a0ce>] br_mdb_notify+0x6e/0x70 [bridge]
          [<ffffffffa0386479>] br_multicast_add_group+0x109/0x150 [bridge]
          [<ffffffffa0386518>] br_ip6_multicast_add_group+0x58/0x60 [bridge]
          [<ffffffffa0387fb5>] br_multicast_rcv+0x1d5/0xdb0 [bridge]
          [<ffffffffa037d7cf>] br_handle_frame_finish+0xcf/0x510 [bridge]
          [<ffffffffa03a236b>] br_nf_hook_thresh.part.27+0xb/0x10 [br_netfilter]
          [<ffffffffa03a3738>] br_nf_hook_thresh+0x48/0xb0 [br_netfilter]
          [<ffffffffa03a3fb9>] br_nf_pre_routing_finish_ipv6+0x109/0x1d0 [br_netfilter]
          [<ffffffffa03a4400>] br_nf_pre_routing_ipv6+0xd0/0x14c [br_netfilter]
          [<ffffffffa03a3c27>] br_nf_pre_routing+0x197/0x3d0 [br_netfilter]
          [<ffffffff814a2952>] nf_iterate+0x52/0x60
          [<ffffffff814a29bc>] nf_hook_slow+0x5c/0xb0
          [<ffffffffa037ddf4>] br_handle_frame+0x1a4/0x2c0 [bridge]
      
      This happens when switchdev_port_obj_add() fails. This patch
      frees complete_info object in the fail path.
      Reviewed-by: NVallish Vaidyeshwara <vallish@amazon.com>
      Signed-off-by: NEduardo Valentin <eduval@amazon.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1bfb1596
  10. 08 7月, 2017 3 次提交
  11. 07 7月, 2017 5 次提交
    • I
      libceph: osd_state is 32 bits wide in luminous · 0bb05da2
      Ilya Dryomov 提交于
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      0bb05da2
    • I
      crush: remove an obsolete comment · 9eebe45c
      Ilya Dryomov 提交于
      Reflects ceph.git commit dca1ae1e0a6b02029c3a7f9dec4114972be26d50.
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      9eebe45c
    • I
      crush: crush_init_workspace starts with struct crush_work · b88ed8d8
      Ilya Dryomov 提交于
      It is not just a pointer to crush_work, it is the whole structure.
      That is not a problem since it only contains a pointer. But it will
      be a problem if new data members are added to crush_work.
      
      Reflects ceph.git commit ee957dd431bfbeb6dadaf77764db8e0757417328.
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      b88ed8d8
    • I
      libceph, crush: per-pool crush_choose_arg_map for crush_do_rule() · 5cf9c4a9
      Ilya Dryomov 提交于
      If there is no crush_choose_arg_map for a given pool, a NULL pointer is
      passed to preserve existing crush_do_rule() behavior.
      
      Reflects ceph.git commits 55fb91d64071552ea1bc65ab4ea84d3c8b73ab4b,
                                dbe36e08be00c6519a8c89718dd47b0219c20516.
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      5cf9c4a9
    • I
      crush: implement weight and id overrides for straw2 · 069f3222
      Ilya Dryomov 提交于
      bucket_straw2_choose needs to use weights that may be different from
      weight_items. For instance to compensate for an uneven distribution
      caused by a low number of values. Or to fix the probability biais
      introduced by conditional probabilities (see
      http://tracker.ceph.com/issues/15653 for more information).
      
      We introduce a weight_set for each straw2 bucket to set the desired
      weight for a given item at a given position. The weight of a given item
      when picking the first replica (first position) may be different from
      the weight the second replica (second position). For instance the weight
      matrix for a given bucket containing items 3, 7 and 13 could be as
      follows:
      
                position 0   position 1
      
      item 3     0x10000      0x100000
      item 7     0x40000       0x10000
      item 13    0x40000       0x10000
      
      When crush_do_rule picks the first of two replicas (position 0), item 7,
      3 are four times more likely to be choosen by bucket_straw2_choose than
      item 13. When choosing the second replica (position 1), item 3 is ten
      times more likely to be choosen than item 7, 13.
      
      By default the weight_set of each bucket exactly matches the content of
      item_weights for each position to ensure backward compatibility.
      
      bucket_straw2_choose compares items by using their id. The same ids are
      also used to index buckets and they must be unique. For each item in a
      bucket an array of ids can be provided for placement purposes and they
      are used instead of the ids. If no replacement ids are provided, the
      legacy behavior is preserved.
      
      Reflects ceph.git commit 19537a450fd5c5a0bb8b7830947507a76db2ceca.
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      069f3222