1. 24 5月, 2018 1 次提交
    • E
      netfilter: provide correct argument to nla_strlcpy() · 4b83a904
      Eric Dumazet 提交于
      Recent patch forgot to remove nla_data(), upsetting syzkaller a bit.
      
      BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 lib/nlattr.c:314
      Read of size 1 at addr ffff8801ad1f4fdd by task syz-executor189/4509
      
      CPU: 1 PID: 4509 Comm: syz-executor189 Not tainted 4.17.0-rc6+ #62
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
       nla_strlcpy+0x13d/0x150 lib/nlattr.c:314
       nfnl_acct_new+0x574/0xc50 net/netfilter/nfnetlink_acct.c:118
       nfnetlink_rcv_msg+0xdb5/0xff0 net/netfilter/nfnetlink.c:212
       netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
       nfnetlink_rcv+0x1fe/0x1ba0 net/netfilter/nfnetlink.c:513
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:639
       sock_write_iter+0x35a/0x5a0 net/socket.c:908
       call_write_iter include/linux/fs.h:1784 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x64d/0x960 fs/read_write.c:487
       vfs_write+0x1f8/0x560 fs/read_write.c:549
       ksys_write+0xf9/0x250 fs/read_write.c:598
       __do_sys_write fs/read_write.c:610 [inline]
       __se_sys_write fs/read_write.c:607 [inline]
       __x64_sys_write+0x73/0xb0 fs/read_write.c:607
      
      Fixes: 4e09fc87 ("netfilter: prefer nla_strlcpy for dealing with NLA_STRING attributes")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      4b83a904
  2. 23 5月, 2018 3 次提交
    • J
      ipvs: fix buffer overflow with sync daemon and service · 52f96757
      Julian Anastasov 提交于
      syzkaller reports for buffer overflow for interface name
      when starting sync daemons [1]
      
      What we do is that we copy user structure into larger stack
      buffer but later we search NUL past the stack buffer.
      The same happens for sched_name when adding/editing virtual server.
      
      We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
      being used as size in include/uapi/linux/ip_vs.h, so they
      include the space for NUL.
      
      As using strlcpy is wrong for unsafe source, replace it with
      strscpy and add checks to return EINVAL if source string is not
      NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
      
      For the netlink interface reduce the len parameter for
      IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
      so that we get proper EINVAL.
      
      [1]
      kernel BUG at lib/string.c:1052!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
          (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
      RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
      RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
      RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
      RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
      R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
      R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
      FS:  00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        strlen include/linux/string.h:270 [inline]
        strlcpy include/linux/string.h:293 [inline]
        do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
        ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
        udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
        ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
        tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
        sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
        __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
        __do_sys_setsockopt net/socket.c:1914 [inline]
        __se_sys_setsockopt net/socket.c:1911 [inline]
        __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
        do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x447369
      RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
      RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
      R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
      R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
      Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
      de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
      90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
      RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
      
      Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
      Fixes: e4ff6751 ("ipvs: add sync_maxlen parameter for the sync daemon")
      Fixes: 4da62fc7 ("[IPVS]: Fix for overflows")
      Signed-off-by: NJulian Anastasov <ja@ssi.bg>
      Acked-by: NSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      52f96757
    • P
      netfilter: nft_limit: fix packet ratelimiting · 3e0f64b7
      Pablo Neira Ayuso 提交于
      Credit calculations for the packet ratelimiting are not correct, as per
      the applied ratelimit of 25/second and burst 8, a total of 33 packets
      should have been accepted.  This is true in iptables(33) but not in
      nftables (~65). For packet ratelimiting, use:
      
      	div_u64(limit->nsecs, limit->rate) * limit->burst;
      
      to calculate credit, just like in iptables' xt_limit does.
      
      Moreover, use default burst in iptables, users are expecting similar
      behaviour.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      3e0f64b7
    • T
      netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval · 97a0549b
      Taehee Yoo 提交于
      In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
      But correct type is u8. so that sometimes incorrect value is dereferenced.
      
      Steps to reproduce:
      
         %nft add table ip filter
         %nft add chain ip filter input { type filter hook input priority 4\; }
         %nft add rule ip filter input nftrace set 0
         %nft monitor
      
      Sometimes, we can see trace messages.
      
         trace id 16767227 ip filter input packet: iif "enp2s0"
         ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx
         ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0
         ip ecn not-ect ip
         trace id 16767227 ip filter input rule nftrace set 0 (verdict continue)
         trace id 16767227 ip filter input verdict continue
         trace id 16767227 ip filter input
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      97a0549b
  3. 17 5月, 2018 16 次提交
    • P
      netfilter: ebtables: handle string from userspace with care · 94c752f9
      Paolo Abeni 提交于
      strlcpy() can't be safely used on a user-space provided string,
      as it can try to read beyond the buffer's end, if the latter is
      not NULL terminated.
      
      Leveraging the above, syzbot has been able to trigger the following
      splat:
      
      BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
      [inline]
      BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
      net/bridge/netfilter/ebtables.c:1957 [inline]
      BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
      net/bridge/netfilter/ebtables.c:2059 [inline]
      BUG: KASAN: stack-out-of-bounds in size_entry_mwt
      net/bridge/netfilter/ebtables.c:2155 [inline]
      BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
      net/bridge/netfilter/ebtables.c:2194
      Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
      
      CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1b9/0x294 lib/dump_stack.c:113
        print_address_description+0x6c/0x20b mm/kasan/report.c:256
        kasan_report_error mm/kasan/report.c:354 [inline]
        kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
        check_memory_region_inline mm/kasan/kasan.c:260 [inline]
        check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
        memcpy+0x37/0x50 mm/kasan/kasan.c:303
        strlcpy include/linux/string.h:300 [inline]
        compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
        ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
        size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
        compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
        compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
        compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
        compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
        compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
        compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
        inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
        compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
        compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
        __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
        __do_compat_sys_setsockopt net/compat.c:416 [inline]
        __se_compat_sys_setsockopt net/compat.c:413 [inline]
        __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
        do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
        do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
        entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7fb3cb9
      RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
      RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      The buggy address belongs to the page:
      page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x2fffc0000000000()
      raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Fix the issue replacing the unsafe function with strscpy() and
      taking care of possible errors.
      
      Fixes: 81e675c2 ("netfilter: ebtables: add CONFIG_COMPAT support")
      Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      94c752f9
    • T
      netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump() · b7153458
      Taehee Yoo 提交于
      In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced.
      But if family is ipv6, priv->helper6 should be dereferenced.
      
      Steps to reproduces:
      
         #test.nft
         table ip6 filter {
      	   ct helper ftp {
      		   type "ftp" protocol tcp
      	   }
      	   chain input {
      		   type filter hook input priority 4;
      		   ct helper set "ftp"
      	   }
         }
      
         %nft -f test.nft
         %nft list ruleset
      
      we can see the below messages:
      
      [  916.286233] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  916.294777] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  916.302613] Modules linked in: nft_objref nf_conntrack_sip nf_conntrack_snmp nf_conntrack_broadcast nf_conntrack_ftp nft_ct nf_conntrack nf_tables nfnetlink [last unloaded: nfnetlink]
      [  916.318758] CPU: 1 PID: 2093 Comm: nft Not tainted 4.17.0-rc4+ #181
      [  916.326772] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
      [  916.338773] RIP: 0010:strlen+0x1a/0x90
      [  916.342781] RSP: 0018:ffff88010ff0f2f8 EFLAGS: 00010292
      [  916.346773] RAX: dffffc0000000000 RBX: ffff880119b26ee8 RCX: ffff88010c150038
      [  916.354777] RDX: 0000000000000002 RSI: ffff880119b26ee8 RDI: 0000000000000010
      [  916.362773] RBP: 0000000000000010 R08: 0000000000007e88 R09: ffff88010c15003c
      [  916.370773] R10: ffff88010c150037 R11: ffffed002182a007 R12: ffff88010ff04040
      [  916.378779] R13: 0000000000000010 R14: ffff880119b26f30 R15: ffff88010ff04110
      [  916.387265] FS:  00007f57a1997700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
      [  916.394785] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  916.402778] CR2: 00007f57a0ac80f0 CR3: 000000010ff02000 CR4: 00000000001006e0
      [  916.410772] Call Trace:
      [  916.414787]  nft_ct_helper_obj_dump+0x94/0x200 [nft_ct]
      [  916.418779]  ? nft_ct_set_eval+0x560/0x560 [nft_ct]
      [  916.426771]  ? memset+0x1f/0x40
      [  916.426771]  ? __nla_reserve+0x92/0xb0
      [  916.434774]  ? memcpy+0x34/0x50
      [  916.434774]  nf_tables_fill_obj_info+0x484/0x860 [nf_tables]
      [  916.442773]  ? __nft_release_basechain+0x600/0x600 [nf_tables]
      [  916.450779]  ? lock_acquire+0x193/0x380
      [  916.454771]  ? lock_acquire+0x193/0x380
      [  916.458789]  ? nf_tables_dump_obj+0x148/0xcb0 [nf_tables]
      [  916.462777]  nf_tables_dump_obj+0x5f0/0xcb0 [nf_tables]
      [  916.470769]  ? __alloc_skb+0x30b/0x500
      [  916.474779]  netlink_dump+0x752/0xb50
      [  916.478775]  __netlink_dump_start+0x4d3/0x750
      [  916.482784]  nf_tables_getobj+0x27a/0x930 [nf_tables]
      [  916.490774]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  916.494772]  ? nf_tables_getobj+0x930/0x930 [nf_tables]
      [  916.502579]  ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
      [  916.506774]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  916.514808]  nfnetlink_rcv_msg+0x8ab/0xa86 [nfnetlink]
      [  916.518771]  ? nfnetlink_rcv_msg+0x550/0xa86 [nfnetlink]
      [  916.526782]  netlink_rcv_skb+0x23e/0x360
      [  916.530773]  ? nfnetlink_bind+0x200/0x200 [nfnetlink]
      [  916.534778]  ? debug_check_no_locks_freed+0x280/0x280
      [  916.542770]  ? netlink_ack+0x870/0x870
      [  916.546786]  ? ns_capable_common+0xf4/0x130
      [  916.550765]  nfnetlink_rcv+0x172/0x16c0 [nfnetlink]
      [  916.554771]  ? sched_clock_local+0xe2/0x150
      [  916.558774]  ? sched_clock_cpu+0x144/0x180
      [  916.566575]  ? lock_acquire+0x380/0x380
      [  916.570775]  ? sched_clock_local+0xe2/0x150
      [  916.574765]  ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
      [  916.578763]  ? sched_clock_cpu+0x144/0x180
      [  916.582770]  ? lock_acquire+0x193/0x380
      [  916.590771]  ? lock_acquire+0x193/0x380
      [  916.594766]  ? lock_acquire+0x380/0x380
      [  916.598760]  ? netlink_deliver_tap+0x262/0xa60
      [  916.602766]  ? lock_acquire+0x193/0x380
      [  916.606766]  netlink_unicast+0x3ef/0x5a0
      [  916.610771]  ? netlink_attachskb+0x630/0x630
      [  916.614763]  netlink_sendmsg+0x72a/0xb00
      [  916.618769]  ? netlink_unicast+0x5a0/0x5a0
      [  916.626766]  ? _copy_from_user+0x92/0xc0
      [  916.630773]  __sys_sendto+0x202/0x300
      [  916.634772]  ? __ia32_sys_getpeername+0xb0/0xb0
      [  916.638759]  ? lock_acquire+0x380/0x380
      [  916.642769]  ? lock_acquire+0x193/0x380
      [  916.646761]  ? finish_task_switch+0xf4/0x560
      [  916.650763]  ? __schedule+0x582/0x19a0
      [  916.655301]  ? __sched_text_start+0x8/0x8
      [  916.655301]  ? up_read+0x1c/0x110
      [  916.655301]  ? __do_page_fault+0x48b/0xaa0
      [  916.655301]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
      [  916.655301]  __x64_sys_sendto+0xdd/0x1b0
      [  916.655301]  do_syscall_64+0x96/0x3d0
      [  916.655301]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  916.655301] RIP: 0033:0x7f57a0ff5e03
      [  916.655301] RSP: 002b:00007fff6367e0a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      [  916.655301] RAX: ffffffffffffffda RBX: 00007fff6367f1e0 RCX: 00007f57a0ff5e03
      [  916.655301] RDX: 0000000000000020 RSI: 00007fff6367e110 RDI: 0000000000000003
      [  916.655301] RBP: 00007fff6367e100 R08: 00007f57a0ce9160 R09: 000000000000000c
      [  916.655301] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff6367e110
      [  916.655301] R13: 0000000000000020 R14: 00007f57a153c610 R15: 0000562417258de0
      [  916.655301] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fa 53 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df 48 89 fd 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f
      [  916.655301] RIP: strlen+0x1a/0x90 RSP: ffff88010ff0f2f8
      [  916.771929] ---[ end trace 1065e048e72479fe ]---
      [  916.777204] Kernel panic - not syncing: Fatal exception
      [  916.778158] Kernel Offset: 0x14000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      b7153458
    • J
      tuntap: fix use after free during release · 7063efd3
      Jason Wang 提交于
      After commit b196d88a ("tun: fix use after free for ptr_ring") we
      need clean up tx ring during release(). But unfortunately, it tries to
      do the cleanup blindly after socket were destroyed which will lead
      another use-after-free. Fix this by doing the cleanup before dropping
      the last reference of the socket in __tun_detach().
      Reported-by: NAndrei Vagin <avagin@virtuozzo.com>
      Acked-by: NAndrei Vagin <avagin@virtuozzo.com>
      Fixes: b196d88a ("tun: fix use after free for ptr_ring")
      Signed-off-by: NJason Wang <jasowang@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7063efd3
    • D
      Merge branch 'qed-LL2-fixes' · fee8fb95
      David S. Miller 提交于
      Michal Kalderon says:
      
      ====================
      qed: LL2 fixes
      
      This series fixes some issues in ll2 related to synchronization
      and resource freeing
      ====================
      Signed-off-by: NAriel Elior <Ariel.Elior@cavium.com>
      Signed-off-by: NMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fee8fb95
    • M
      qed: Fix LL2 race during connection terminate · 490068de
      Michal Kalderon 提交于
      Stress on qedi/qedr load unload lead to list_del corruption.
      This is due to ll2 connection terminate freeing resources without
      verifying that no more ll2 processing will occur.
      
      This patch unregisters the ll2 status block before terminating
      the connection to assure this race does not occur.
      
      Fixes: 1d6cff4f ("qed: Add iSCSI out of order packet handling")
      Signed-off-by: NAriel Elior <Ariel.Elior@cavium.com>
      Signed-off-by: NMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      490068de
    • M
      qed: Fix possibility of list corruption during rmmod flows · ffd2c0d1
      Michal Kalderon 提交于
      The ll2 flows of flushing the txq/rxq need to be synchronized with the
      regular fp processing. Caused list corruption during load/unload stress
      tests.
      
      Fixes: 0a7fb11c ("qed: Add Light L2 support")
      Signed-off-by: NAriel Elior <Ariel.Elior@cavium.com>
      Signed-off-by: NMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ffd2c0d1
    • M
      qed: LL2 flush isles when connection is closed · f9bcd602
      Michal Kalderon 提交于
      Driver should free all pending isles once it gets a FLUSH cqe from FW.
      Part of iSCSI out of order flow.
      
      Fixes: 1d6cff4f ("qed: Add iSCSI out of order packet handling")
      Signed-off-by: NAriel Elior <Ariel.Elior@cavium.com>
      Signed-off-by: NMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f9bcd602
    • D
      net/sched: fix refcnt leak in the error path of tcf_vlan_init() · 5a4931ae
      Davide Caratti 提交于
      Similarly to what was done with commit a52956df ("net sched actions:
      fix refcnt leak in skbmod"), fix the error path of tcf_vlan_init() to avoid
      refcnt leaks when wrong value of TCA_VLAN_PUSH_VLAN_PROTOCOL is given.
      
      Fixes: 5026c9b1 ("net sched: vlan action fix late binding")
      CC: Roman Mashak <mrv@mojatatu.com>
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5a4931ae
    • G
      net: 8390: ne: Fix accidentally removed RBTX4927 support · e49ac967
      Geert Uytterhoeven 提交于
      The configuration settings for RBTX4927 were accidentally removed,
      leading to a silently broken network interface.
      
      Re-add the missing settings to fix this.
      
      Fixes: 8eb97ff5 ("net: 8390: remove m32r specific bits")
      Signed-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e49ac967
    • D
      Merge branch 'dsa-bcm_sf2-CFP-fixes' · ac22bfb1
      David S. Miller 提交于
      Florian Fainelli says:
      
      ====================
      net: dsa: bcm_sf2: CFP fixes
      
      This patch series fixes a number of usability issues with the SF2 Compact Field
      Processor code:
      
      - we would not be properly bound checking the location when we let the kernel
        automatically place rules with RX_CLS_LOC_ANY
      
      - when using IPv6 rules and user space specifies a location identifier we
        would be off by one in what the chain ID (within the Broadcom tag) indicates
      
      - it would be possible to delete one of the two slices of an IPv6 while leaving
        the other one programming leading to various problems
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ac22bfb1
    • F
      net: dsa: bcm_sf2: Fix IPv6 rule half deletion · 1942adf6
      Florian Fainelli 提交于
      It was possible to delete only one half of an IPv6, which would leave
      the second half still programmed and possibly in use. Instead of
      checking for the unused bitmap, we need to check the unique bitmap, and
      refuse any deletion that does not match that criteria. We also need to
      move that check from bcm_sf2_cfp_rule_del_one() into its caller:
      bcm_sf2_cfp_rule_del() otherwise we would not be able to delete second
      halves anymore that would not pass the first test.
      
      Fixes: ba0696c2 ("net: dsa: bcm_sf2: Add support for IPv6 CFP rules")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1942adf6
    • F
      net: dsa: bcm_sf2: Fix IPv6 rules and chain ID · 6c05561c
      Florian Fainelli 提交于
      We had several issues that would make the programming of IPv6 rules both
      inconsistent and error prone:
      
      - the chain ID that we would be asking the hardware to put in the
        packet's Broadcom tag would be off by one, it would return one of the
        two indexes, but not the one user-space specified
      
      - when an user specified a particular location to insert a CFP rule at,
        we would not be returning the same index, which would be confusing if
        nothing else
      
      - finally, like IPv4, it would be possible to overflow the last entry by
        re-programming it
      
      Fix this by swapping the usage of rule_index[0] and rule_index[1] where
      relevant in order to return a consistent and correct user-space
      experience.
      
      Fixes: ba0696c2 ("net: dsa: bcm_sf2: Add support for IPv6 CFP rules")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6c05561c
    • F
      net: dsa: bcm_sf2: Fix RX_CLS_LOC_ANY overwrite for last rule · 43a5e00f
      Florian Fainelli 提交于
      When we let the kernel pick up a rule location with RX_CLS_LOC_ANY, we
      would be able to overwrite the last rules because of a number of issues.
      
      The IPv4 code path would not be checking that rule_index is within
      bounds, and it would also only be allowed to pick up rules from range
      0..126 instead of the full 0..127 range. This would lead us to allow
      overwriting the last rule when we let the kernel pick-up the location.
      
      Fixes: 33061458 ("net: dsa: bcm_sf2: Move IPv4 CFP processing to specific functions")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      43a5e00f
    • M
      net: phy: micrel: add 125MHz reference clock workaround · e1b505a6
      Markus Niebel 提交于
      The micrel KSZ9031 phy has a optional clock pin (CLK125_NDO) which can be
      used as reference clock for the MAC unit. The clock signal must meet the
      RGMII requirements to ensure the correct data transmission between the
      MAC and the PHY. The KSZ9031 phy does not fulfill the duty cycle
      requirement if the phy is configured as slave. For a complete
      describtion look at the errata sheets: DS80000691D or DS80000692D.
      
      The errata sheet recommends to force the phy into master mode whenever
      there is a 1000Base-T link-up as work around. Only set the
      "micrel,force-master" property if you use the phy reference clock provided
      by CLK125_NDO pin as MAC reference clock in your application.
      
      Attenation, this workaround is only usable if the link partner can
      be configured to slave mode for 1000Base-T.
      Signed-off-by: NMarkus Niebel <Markus.Niebel@tqs.de>
      [m.felsch@pengutronix.de: fix dt-binding documentation]
      [m.felsch@pengutronix.de: use already existing result var for read/write]
      [m.felsch@pengutronix.de: add error handling]
      [m.felsch@pengutronix.de: add more comments]
      Signed-off-by: NMarco Felsch <m.felsch@pengutronix.de>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e1b505a6
    • E
      tcp: purge write queue in tcp_connect_init() · 7f582b24
      Eric Dumazet 提交于
      syzkaller found a reliable way to crash the host, hitting a BUG()
      in __tcp_retransmit_skb()
      
      Malicous MSG_FASTOPEN is the root cause. We need to purge write queue
      in tcp_connect_init() at the point we init snd_una/write_seq.
      
      This patch also replaces the BUG() by a less intrusive WARN_ON_ONCE()
      
      kernel BUG at net/ipv4/tcp_output.c:2837!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 5276 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #51
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__tcp_retransmit_skb+0x2992/0x2eb0 net/ipv4/tcp_output.c:2837
      RSP: 0000:ffff8801dae06ff8 EFLAGS: 00010206
      RAX: ffff8801b9fe61c0 RBX: 00000000ffc18a16 RCX: ffffffff864e1a49
      RDX: 0000000000000100 RSI: ffffffff864e2e12 RDI: 0000000000000005
      RBP: ffff8801dae073a0 R08: ffff8801b9fe61c0 R09: ffffed0039c40dd2
      R10: ffffed0039c40dd2 R11: ffff8801ce206e93 R12: 00000000421eeaad
      R13: ffff8801ce206d4e R14: ffff8801ce206cc0 R15: ffff8801cd4f4a80
      FS:  0000000000000000(0000) GS:ffff8801dae00000(0063) knlGS:00000000096bc900
      CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 0000000020000000 CR3: 00000001c47b6000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <IRQ>
       tcp_retransmit_skb+0x2e/0x250 net/ipv4/tcp_output.c:2923
       tcp_retransmit_timer+0xc50/0x3060 net/ipv4/tcp_timer.c:488
       tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
       tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:593
       call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
       expire_timers kernel/time/timer.c:1363 [inline]
       __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
       run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
       __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
       invoke_softirq kernel/softirq.c:365 [inline]
       irq_exit+0x1d1/0x200 kernel/softirq.c:405
       exiting_irq arch/x86/include/asm/apic.h:525 [inline]
       smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
      
      Fixes: cf60af03 ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7f582b24
    • S
      net/mlx5: Fix build break when CONFIG_SMP=n · e3ca3488
      Saeed Mahameed 提交于
      Avoid using the kernel's irq_descriptor and return IRQ vector affinity
      directly from the driver.
      
      This fixes the following build break when CONFIG_SMP=n
      
      include/linux/mlx5/driver.h: In function ‘mlx5_get_vector_affinity_hint’:
      include/linux/mlx5/driver.h:1299:13: error:
              ‘struct irq_desc’ has no member named ‘affinity_hint’
      
      Fixes: 6082d9c9 ("net/mlx5: Fix mlx5_get_vector_affinity function")
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      CC: Randy Dunlap <rdunlap@infradead.org>
      CC: Guenter Roeck <linux@roeck-us.net>
      CC: Thomas Gleixner <tglx@linutronix.de>
      Tested-by: NIsrael Rukshin <israelr@mellanox.com>
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Reported-by: NRandy Dunlap <rdunlap@infradead.org>
      Tested-by: NRandy Dunlap <rdunlap@infradead.org>
      Acked-by: NThomas Gleixner <tglx@linutronix.de>
      Tested-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e3ca3488
  4. 16 5月, 2018 1 次提交
  5. 15 5月, 2018 6 次提交
  6. 14 5月, 2018 6 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 9d6b4bfb
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-05-14
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix nfp to allow zero-length BPF capabilities, meaning the nfp
         capability parsing loop will otherwise exit early if the last
         capability is zero length and therefore driver will fail to probe
         with an error such as:
      
           nfp: BPF capabilities left after parsing, parsed:92 total length:100
           nfp: invalid BPF capabilities at offset:92
      
         Fix from Jakub.
      
      2) libbpf's bpf_object__open() may return IS_ERR_OR_NULL() and not
         just an error. Fix libbpf's bpf_prog_load_xattr() to handle that
         case as well, also from Jakub.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9d6b4bfb
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 4f6b15c3
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter/IPVS fixes for your net tree,
      they are:
      
      1) Fix handling of simultaneous open TCP connection in conntrack,
         from Jozsef Kadlecsik.
      
      2) Insufficient sanitify check of xtables extension names, from
         Florian Westphal.
      
      3) Skip unnecessary synchronize_rcu() call when transaction log
         is already empty, from Florian Westphal.
      
      4) Incorrect destination mac validation in ebt_stp, from Stephen
         Hemminger.
      
      5) xtables module reference counter leak in nft_compat, from
         Florian Westphal.
      
      6) Incorrect connection reference counting logic in IPVS
         one-packet scheduler, from Julian Anastasov.
      
      7) Wrong stats for 32-bits CPU in IPVS, also from Julian.
      
      8) Calm down sparse error in netfilter core, also from Florian.
      
      9) Use nla_strlcpy to fix compilation warning in nfnetlink_acct
         and nfnetlink_cthelper, again from Florian.
      
      10) Missing module alias in icmp and icmp6 xtables extensions,
          from Florian Westphal.
      
      11) Base chain statistics in nf_tables may be unset/null, from Florian.
      
      12) Fix handling of large matchinfo size in nft_compat, this includes
          one preparation for before this fix. From Florian.
      
      13) Fix bogus EBUSY error when deleting chains due to incorrect reference
          counting from the preparation phase of the two-phase commit protocol.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4f6b15c3
    • M
      qede: Fix ref-cnt usage count · 91dfd02b
      Michal Kalderon 提交于
      Rebooting while qedr is loaded with a VLAN interface present
      results in unregister_netdevice waiting for the usage count
      to become free.
      The fix is that rdma devices should be removed before unregistering
      the netdevice, to assure all references to ndev are decreased.
      
      Fixes: cee9fbd8 ("qede: Add qedr framework")
      Signed-off-by: NAriel Elior <ariel.elior@cavium.com>
      Signed-off-by: NMichal Kalderon <michal.kalderon@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      91dfd02b
    • C
      3c59x: convert to generic DMA API · 55c82617
      Christoph Hellwig 提交于
      This driver supports EISA devices in addition to PCI devices, and relied
      on the legacy behavior of the pci_dma* shims to pass on a NULL pointer
      to the DMA API, and the DMA API being able to handle that.  When the
      NULL forwarding broke the EISA support got broken.  Fix this by converting
      to the DMA API instead of the legacy PCI shims.
      
      Fixes: 4167b2ad ("PCI: Remove NULL device handling from PCI DMA API")
      Reported-by: Ntedheadster <tedheadster@gmail.com>
      Tested-by: Ntedheadster <tedheadster@gmail.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      55c82617
    • W
      packet: in packet_snd start writing at link layer allocation · b84bbaf7
      Willem de Bruijn 提交于
      Packet sockets allow construction of packets shorter than
      dev->hard_header_len to accommodate protocols with variable length
      link layer headers. These packets are padded to dev->hard_header_len,
      because some device drivers interpret that as a minimum packet size.
      
      packet_snd reserves dev->hard_header_len bytes on allocation.
      SOCK_DGRAM sockets call skb_push in dev_hard_header() to ensure that
      link layer headers are stored in the reserved range. SOCK_RAW sockets
      do the same in tpacket_snd, but not in packet_snd.
      
      Syzbot was able to send a zero byte packet to a device with massive
      116B link layer header, causing padding to cross over into skb_shinfo.
      Fix this by writing from the start of the llheader reserved range also
      in the case of packet_snd/SOCK_RAW.
      
      Update skb_set_network_header to the new offset. This also corrects
      it for SOCK_DGRAM, where it incorrectly double counted reserve due to
      the skb_push in dev_hard_header.
      
      Fixes: 9ed988cd ("packet: validate variable length ll headers")
      Reported-by: syzbot+71d74a5406d02057d559@syzkaller.appspotmail.com
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b84bbaf7
    • C
      netfilter: nf_tables: fix memory leak on error exit return · f0dfd7a2
      Colin Ian King 提交于
      Currently the -EBUSY error return path is not free'ing resources
      allocated earlier, leaving a memory leak. Fix this by exiting via the
      error exit label err5 that performs the necessary resource clean
      up.
      
      Detected by CoverityScan, CID#1432975 ("Resource leak")
      
      Fixes: 9744a6fc ("netfilter: nf_tables: check if same extensions are set when adding elements")
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      f0dfd7a2
  7. 12 5月, 2018 7 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 4bc87198
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Verify lengths of keys provided by the user is AF_KEY, from Kevin
          Easton.
      
       2) Add device ID for BCM89610 PHY. Thanks to Bhadram Varka.
      
       3) Add Spectre guards to some ATM code, courtesy of Gustavo A. R.
          Silva.
      
       4) Fix infinite loop in NSH protocol code. To Eric Dumazet we are most
          grateful for this fix.
      
       5) Line up /proc/net/netlink headers properly. This fix from YU Bo, we
          do appreciate.
      
       6) Use after free in TLS code. Once again we are blessed by the
          honorable Eric Dumazet with this fix.
      
       7) Fix regression in TLS code causing stalls on partial TLS records.
          This fix is bestowed upon us by Andrew Tomt.
      
       8) Deal with too small MTUs properly in LLC code, another great gift
          from Eric Dumazet.
      
       9) Handle cached route flushing properly wrt. MTU locking in ipv4, to
          Hangbin Liu we give thanks for this.
      
      10) Fix regression in SO_BINDTODEVIC handling wrt. UDP socket demux.
          Paolo Abeni, he gave us this.
      
      11) Range check coalescing parameters in mlx4 driver, thank you Moshe
          Shemesh.
      
      12) Some ipv6 ICMP error handling fixes in rxrpc, from our good brother
          David Howells.
      
      13) Fix kexec on mlx5 by freeing IRQs in shutdown path. Daniel Juergens,
          you're the best!
      
      14) Don't send bonding RLB updates to invalid MAC addresses. Debabrata
          Benerjee saved us!
      
      15) Uh oh, we were leaking in udp_sendmsg and ping_v4_sendmsg. The ship
          is now water tight, thanks to Andrey Ignatov.
      
      16) IPSEC memory leak in ixgbe from Colin Ian King, man we've got holes
          everywhere!
      
      17) Fix error path in tcf_proto_create, Jiri Pirko what would we do
          without you!
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (92 commits)
        net sched actions: fix refcnt leak in skbmod
        net: sched: fix error path in tcf_proto_create() when modules are not configured
        net sched actions: fix invalid pointer dereferencing if skbedit flags missing
        ixgbe: fix memory leak on ipsec allocation
        ixgbevf: fix ixgbevf_xmit_frame()'s return type
        ixgbe: return error on unsupported SFP module when resetting
        ice: Set rq_last_status when cleaning rq
        ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
        mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()'
        bonding: send learning packets for vlans on slave
        bonding: do not allow rlb updates to invalid mac
        net/mlx5e: Err if asked to offload TC match on frag being first
        net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
        net/mlx5: Free IRQs in shutdown path
        rxrpc: Trace UDP transmission failure
        rxrpc: Add a tracepoint to log ICMP/ICMP6 and error messages
        rxrpc: Fix the min security level for kernel calls
        rxrpc: Fix error reception on AF_INET6 sockets
        rxrpc: Fix missing start of call timeout
        qed: fix spelling mistake: "taskelt" -> "tasklet"
        ...
      4bc87198
    • L
      Merge tag 'nfs-for-4.17-2' of git://git.linux-nfs.org/projects/anna/linux-nfs · a1f45efb
      Linus Torvalds 提交于
      Pull NFS client fixes from Anna Schumaker:
       "These patches fix both a possible corruption during NFSoRDMA MR
        recovery, and a sunrpc tracepoint crash.
      
        Additionally, Trond has a new email address to put in the MAINTAINERS
        file"
      
      * tag 'nfs-for-4.17-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        Change Trond's email address in MAINTAINERS
        sunrpc: Fix latency trace point crashes
        xprtrdma: Fix list corruption / DMAR errors during MR recovery
      a1f45efb
    • R
      net sched actions: fix refcnt leak in skbmod · a52956df
      Roman Mashak 提交于
      When application fails to pass flags in netlink TLV when replacing
      existing skbmod action, the kernel will leak refcnt:
      
      $ tc actions get action skbmod index 1
      total acts 0
      
              action order 0: skbmod pipe set smac 00:11:22:33:44:55
               index 1 ref 1 bind 0
      
      For example, at this point a buggy application replaces the action with
      index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags,
      however refcnt gets bumped:
      
      $ tc actions get actions skbmod index 1
      total acts 0
      
              action order 0: skbmod pipe set smac 00:11:22:33:44:55
               index 1 ref 2 bind 0
      $
      
      Tha patch fixes this by calling tcf_idr_release() on existing actions.
      
      Fixes: 86da71b5 ("net_sched: Introduce skbmod action")
      Signed-off-by: NRoman Mashak <mrv@mojatatu.com>
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a52956df
    • L
      Merge tag 'ceph-for-4.17-rc5' of git://github.com/ceph/ceph-client · ac428036
      Linus Torvalds 提交于
      Pull ceph fixes from Ilya Dryomov:
       "These patches fix two long-standing bugs in the DIO code path, one of
        which is a crash trivially triggerable with splice()"
      
      * tag 'ceph-for-4.17-rc5' of git://github.com/ceph/ceph-client:
        ceph: fix iov_iter issues in ceph_direct_read_write()
        libceph: add osd_req_op_extent_osd_data_bvecs()
        ceph: fix rsize/wsize capping in ceph_direct_read_write()
      ac428036
    • J
      net: sched: fix error path in tcf_proto_create() when modules are not configured · d68d75fd
      Jiri Pirko 提交于
      In case modules are not configured, error out when tp->ops is null
      and prevent later null pointer dereference.
      
      Fixes: 33a48927 ("sched: push TC filter protocol creation into a separate function")
      Signed-off-by: NJiri Pirko <jiri@mellanox.com>
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d68d75fd
    • L
      Merge tag 'sh-for-4.17-fixes' of git://git.libc.org/linux-sh · 3f5f8596
      Linus Torvalds 提交于
      Pull arch/sh fixes from Rich Felker:
       "Fixes for critical regressions and a build failure.
      
        The regressions were introduced in 4.15 and 4.17-rc1 and prevented
        booting on affected systems"
      
      * tag 'sh-for-4.17-fixes' of git://git.libc.org/linux-sh:
        sh: switch to NO_BOOTMEM
        sh: mm: Fix unprotected access to struct device
        sh: fix build failure for J2 cpu with SMP disabled
      3f5f8596
    • L
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 7404bc27
      Linus Torvalds 提交于
      Pull arm64 fixes from Will Deacon:
       "There's a small memblock accounting problem when freeing the initrd
        and a Spectre-v2 mitigation for NVIDIA Denver CPUs which just requires
        a match on the CPU ID register.
      
        Summary:
      
         - Mitigate Spectre-v2 for NVIDIA Denver CPUs
      
         - Free memblocks corresponding to freed initrd area"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: capabilities: Add NVIDIA Denver CPU to bp_harden list
        arm64: Add MIDR encoding for NVIDIA CPUs
        arm64: To remove initrd reserved area entry from memblock
      7404bc27