1. 05 6月, 2018 12 次提交
  2. 02 6月, 2018 2 次提交
  3. 01 6月, 2018 4 次提交
    • K
      kcm: Fix use-after-free caused by clonned sockets · eb7f54b9
      Kirill Tkhai 提交于
      (resend for properly queueing in patchwork)
      
      kcm_clone() creates kernel socket, which does not take net counter.
      Thus, the net may die before the socket is completely destructed,
      i.e. kcm_exit_net() is executed before kcm_done().
      
      Reported-by: syzbot+5f1a04e374a635efc426@syzkaller.appspotmail.com
      Signed-off-by: NKirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      eb7f54b9
    • A
      net-sysfs: Fix memory leak in XPS configuration · 664088f8
      Alexander Duyck 提交于
      This patch reorders the error cases in showing the XPS configuration so
      that we hold off on memory allocation until after we have verified that we
      can support XPS on a given ring.
      
      Fixes: 184c449f ("net: Add support for XPS with QoS via traffic classes")
      Signed-off-by: NAlexander Duyck <alexander.h.duyck@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      664088f8
    • S
      net/ncsi: Fix array size in dumpit handler · 0f51f358
      Samuel Mendoza-Jonas 提交于
      With CONFIG_CC_STACKPROTECTOR enabled the kernel panics as below when
      parsing a NCSI_CMD_PKG_INFO command:
      
      [  150.149711] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 805cff08
      [  150.149711]
      [  150.159919] CPU: 0 PID: 1301 Comm: ncsi-netlink Not tainted 4.13.16-468cbec6d2c91239332cb91b1f0a73aafcb6f0c6 #1
      [  150.170004] Hardware name: Generic DT based system
      [  150.174852] [<80109930>] (unwind_backtrace) from [<80106bc4>] (show_stack+0x20/0x24)
      [  150.182641] [<80106bc4>] (show_stack) from [<805d36e4>] (dump_stack+0x20/0x28)
      [  150.189888] [<805d36e4>] (dump_stack) from [<801163ac>] (panic+0xdc/0x278)
      [  150.196780] [<801163ac>] (panic) from [<801162cc>] (__stack_chk_fail+0x20/0x24)
      [  150.204111] [<801162cc>] (__stack_chk_fail) from [<805cff08>] (ncsi_pkg_info_all_nl+0x244/0x258)
      [  150.212912] [<805cff08>] (ncsi_pkg_info_all_nl) from [<804f939c>] (genl_lock_dumpit+0x3c/0x54)
      [  150.221535] [<804f939c>] (genl_lock_dumpit) from [<804f873c>] (netlink_dump+0xf8/0x284)
      [  150.229550] [<804f873c>] (netlink_dump) from [<804f8d44>] (__netlink_dump_start+0x124/0x17c)
      [  150.237992] [<804f8d44>] (__netlink_dump_start) from [<804f9880>] (genl_rcv_msg+0x1c8/0x3d4)
      [  150.246440] [<804f9880>] (genl_rcv_msg) from [<804f9174>] (netlink_rcv_skb+0xd8/0x134)
      [  150.254361] [<804f9174>] (netlink_rcv_skb) from [<804f96a4>] (genl_rcv+0x30/0x44)
      [  150.261850] [<804f96a4>] (genl_rcv) from [<804f7790>] (netlink_unicast+0x198/0x234)
      [  150.269511] [<804f7790>] (netlink_unicast) from [<804f7ffc>] (netlink_sendmsg+0x368/0x3b0)
      [  150.277783] [<804f7ffc>] (netlink_sendmsg) from [<804abea4>] (sock_sendmsg+0x24/0x34)
      [  150.285625] [<804abea4>] (sock_sendmsg) from [<804ac1dc>] (___sys_sendmsg+0x244/0x260)
      [  150.293556] [<804ac1dc>] (___sys_sendmsg) from [<804ad98c>] (__sys_sendmsg+0x5c/0x9c)
      [  150.301400] [<804ad98c>] (__sys_sendmsg) from [<804ad9e4>] (SyS_sendmsg+0x18/0x1c)
      [  150.308984] [<804ad9e4>] (SyS_sendmsg) from [<80102640>] (ret_fast_syscall+0x0/0x3c)
      [  150.316743] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 805cff08
      
      This turns out to be because the attrs array in ncsi_pkg_info_all_nl()
      is initialised to a length of NCSI_ATTR_MAX which is the maximum
      attribute number, not the number of attributes.
      
      Fixes: 955dc68c ("net/ncsi: Add generic netlink family")
      Signed-off-by: NSamuel Mendoza-Jonas <sam@mendozajonas.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0f51f358
    • P
      cls_flower: Fix incorrect idr release when failing to modify rule · 8258d2da
      Paul Blakey 提交于
      When we fail to modify a rule, we incorrectly release the idr handle
      of the unmodified old rule.
      
      Fix that by checking if we need to release it.
      
      Fixes: fe2502e4 ("net_sched: remove cls_flower idr on failure")
      Reported-by: NVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: NRoi Dayan <roid@mellanox.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NPaul Blakey <paulb@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8258d2da
  4. 31 5月, 2018 1 次提交
  5. 29 5月, 2018 5 次提交
    • M
      ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline · bbb40a0b
      Mathieu Xhonneux 提交于
      seg6_do_srh_encap and seg6_do_srh_inline can possibly do an
      out-of-bounds access when adding the SRH to the packet. This no longer
      happen when expanding the skb not only by the size of the SRH (+
      outer IPv6 header), but also by skb->mac_len.
      
      [   53.793056] BUG: KASAN: use-after-free in seg6_do_srh_encap+0x284/0x620
      [   53.794564] Write of size 14 at addr ffff88011975ecfa by task ping/674
      
      [   53.796665] CPU: 0 PID: 674 Comm: ping Not tainted 4.17.0-rc3-ARCH+ #90
      [   53.796670] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS 1.11.0-20171110_100015-anatol 04/01/2014
      [   53.796673] Call Trace:
      [   53.796679]  <IRQ>
      [   53.796689]  dump_stack+0x71/0xab
      [   53.796700]  print_address_description+0x6a/0x270
      [   53.796707]  kasan_report+0x258/0x380
      [   53.796715]  ? seg6_do_srh_encap+0x284/0x620
      [   53.796722]  memmove+0x34/0x50
      [   53.796730]  seg6_do_srh_encap+0x284/0x620
      [   53.796741]  ? seg6_do_srh+0x29b/0x360
      [   53.796747]  seg6_do_srh+0x29b/0x360
      [   53.796756]  seg6_input+0x2e/0x2e0
      [   53.796765]  lwtunnel_input+0x93/0xd0
      [   53.796774]  ipv6_rcv+0x690/0x920
      [   53.796783]  ? ip6_input+0x170/0x170
      [   53.796791]  ? eth_gro_receive+0x2d0/0x2d0
      [   53.796800]  ? ip6_input+0x170/0x170
      [   53.796809]  __netif_receive_skb_core+0xcc0/0x13f0
      [   53.796820]  ? netdev_info+0x110/0x110
      [   53.796827]  ? napi_complete_done+0xb6/0x170
      [   53.796834]  ? e1000_clean+0x6da/0xf70
      [   53.796845]  ? process_backlog+0x129/0x2a0
      [   53.796853]  process_backlog+0x129/0x2a0
      [   53.796862]  net_rx_action+0x211/0x5c0
      [   53.796870]  ? napi_complete_done+0x170/0x170
      [   53.796887]  ? run_rebalance_domains+0x11f/0x150
      [   53.796891]  __do_softirq+0x10e/0x39e
      [   53.796894]  do_softirq_own_stack+0x2a/0x40
      [   53.796895]  </IRQ>
      [   53.796898]  do_softirq.part.16+0x54/0x60
      [   53.796900]  __local_bh_enable_ip+0x5b/0x60
      [   53.796903]  ip6_finish_output2+0x416/0x9f0
      [   53.796906]  ? ip6_dst_lookup_flow+0x110/0x110
      [   53.796909]  ? ip6_sk_dst_lookup_flow+0x390/0x390
      [   53.796911]  ? __rcu_read_unlock+0x66/0x80
      [   53.796913]  ? ip6_mtu+0x44/0xf0
      [   53.796916]  ? ip6_output+0xfc/0x220
      [   53.796918]  ip6_output+0xfc/0x220
      [   53.796921]  ? ip6_finish_output+0x2b0/0x2b0
      [   53.796923]  ? memcpy+0x34/0x50
      [   53.796926]  ip6_send_skb+0x43/0xc0
      [   53.796929]  rawv6_sendmsg+0x1216/0x1530
      [   53.796932]  ? __orc_find+0x6b/0xc0
      [   53.796934]  ? rawv6_rcv_skb+0x160/0x160
      [   53.796937]  ? __rcu_read_unlock+0x66/0x80
      [   53.796939]  ? __rcu_read_unlock+0x66/0x80
      [   53.796942]  ? is_bpf_text_address+0x1e/0x30
      [   53.796944]  ? kernel_text_address+0xec/0x100
      [   53.796946]  ? __kernel_text_address+0xe/0x30
      [   53.796948]  ? unwind_get_return_address+0x2f/0x50
      [   53.796950]  ? __save_stack_trace+0x92/0x100
      [   53.796954]  ? save_stack+0x89/0xb0
      [   53.796956]  ? kasan_kmalloc+0xa0/0xd0
      [   53.796958]  ? kmem_cache_alloc+0xd2/0x1f0
      [   53.796961]  ? prepare_creds+0x23/0x160
      [   53.796963]  ? __x64_sys_capset+0x252/0x3e0
      [   53.796966]  ? do_syscall_64+0x69/0x160
      [   53.796968]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   53.796971]  ? __alloc_pages_nodemask+0x170/0x380
      [   53.796973]  ? __alloc_pages_slowpath+0x12c0/0x12c0
      [   53.796977]  ? tty_vhangup+0x20/0x20
      [   53.796979]  ? policy_nodemask+0x1a/0x90
      [   53.796982]  ? __mod_node_page_state+0x8d/0xa0
      [   53.796986]  ? __check_object_size+0xe7/0x240
      [   53.796989]  ? __sys_sendto+0x229/0x290
      [   53.796991]  ? rawv6_rcv_skb+0x160/0x160
      [   53.796993]  __sys_sendto+0x229/0x290
      [   53.796996]  ? __ia32_sys_getpeername+0x50/0x50
      [   53.796999]  ? commit_creds+0x2de/0x520
      [   53.797002]  ? security_capset+0x57/0x70
      [   53.797004]  ? __x64_sys_capset+0x29f/0x3e0
      [   53.797007]  ? __x64_sys_rt_sigsuspend+0xe0/0xe0
      [   53.797011]  ? __do_page_fault+0x664/0x770
      [   53.797014]  __x64_sys_sendto+0x74/0x90
      [   53.797017]  do_syscall_64+0x69/0x160
      [   53.797019]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   53.797022] RIP: 0033:0x7f43b7a6714a
      [   53.797023] RSP: 002b:00007ffd891bd368 EFLAGS: 00000246 ORIG_RAX:
      000000000000002c
      [   53.797026] RAX: ffffffffffffffda RBX: 00000000006129c0 RCX: 00007f43b7a6714a
      [   53.797028] RDX: 0000000000000040 RSI: 00000000006129c0 RDI: 0000000000000004
      [   53.797029] RBP: 00007ffd891be640 R08: 0000000000610940 R09: 000000000000001c
      [   53.797030] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
      [   53.797032] R13: 000000000060e6a0 R14: 0000000000008004 R15: 000000000040b661
      
      [   53.797171] Allocated by task 642:
      [   53.797460]  kasan_kmalloc+0xa0/0xd0
      [   53.797463]  kmem_cache_alloc+0xd2/0x1f0
      [   53.797465]  getname_flags+0x40/0x210
      [   53.797467]  user_path_at_empty+0x1d/0x40
      [   53.797469]  do_faccessat+0x12a/0x320
      [   53.797471]  do_syscall_64+0x69/0x160
      [   53.797473]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [   53.797607] Freed by task 642:
      [   53.797869]  __kasan_slab_free+0x130/0x180
      [   53.797871]  kmem_cache_free+0xa8/0x230
      [   53.797872]  filename_lookup+0x15b/0x230
      [   53.797874]  do_faccessat+0x12a/0x320
      [   53.797876]  do_syscall_64+0x69/0x160
      [   53.797878]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [   53.798014] The buggy address belongs to the object at ffff88011975e600
                      which belongs to the cache names_cache of size 4096
      [   53.799043] The buggy address is located 1786 bytes inside of
                      4096-byte region [ffff88011975e600, ffff88011975f600)
      [   53.800013] The buggy address belongs to the page:
      [   53.800414] page:ffffea000465d600 count:1 mapcount:0
      mapping:0000000000000000 index:0x0 compound_mapcount: 0
      [   53.801259] flags: 0x17fff0000008100(slab|head)
      [   53.801640] raw: 017fff0000008100 0000000000000000 0000000000000000
      0000000100070007
      [   53.803147] raw: dead000000000100 dead000000000200 ffff88011b185a40
      0000000000000000
      [   53.803787] page dumped because: kasan: bad access detected
      
      [   53.804384] Memory state around the buggy address:
      [   53.804788]  ffff88011975eb80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.805384]  ffff88011975ec00: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.805979] >ffff88011975ec80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.806577]                                                                 ^
      [   53.807165]  ffff88011975ed00: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.807762]  ffff88011975ed80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.808356] ==================================================================
      [   53.808949] Disabling lock debugging due to kernel taint
      
      Fixes: 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
      Signed-off-by: NDavid Lebrun <dlebrun@google.com>
      Signed-off-by: NMathieu Xhonneux <m.xhonneux@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bbb40a0b
    • T
      netfilter: nf_tables: increase nft_counters_enabled in nft_chain_stats_replace() · bbb8c61f
      Taehee Yoo 提交于
      When a chain is updated, a counter can be attached. if so,
      the nft_counters_enabled should be increased.
      
      test commands:
      
         %nft add table ip filter
         %nft add chain ip filter input { type filter hook input priority 4\; }
         %iptables-compat -Z input
         %nft delete chain ip filter input
      
      we can see below messages.
      
      [  286.443720] jump label: negative count!
      [  286.448278] WARNING: CPU: 0 PID: 1459 at kernel/jump_label.c:197 __static_key_slow_dec_cpuslocked+0x6f/0xf0
      [  286.449144] Modules linked in: nf_tables nfnetlink ip_tables x_tables
      [  286.449144] CPU: 0 PID: 1459 Comm: nft Tainted: G        W         4.17.0-rc2+ #12
      [  286.449144] RIP: 0010:__static_key_slow_dec_cpuslocked+0x6f/0xf0
      [  286.449144] RSP: 0018:ffff88010e5176f0 EFLAGS: 00010286
      [  286.449144] RAX: 000000000000001b RBX: ffffffffc0179500 RCX: ffffffffb8a82522
      [  286.449144] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88011b7e5eac
      [  286.449144] RBP: 0000000000000000 R08: ffffed00236fce5c R09: ffffed00236fce5b
      [  286.449144] R10: ffffffffc0179503 R11: ffffed00236fce5c R12: 0000000000000000
      [  286.449144] R13: ffff88011a28e448 R14: ffff88011a28e470 R15: dffffc0000000000
      [  286.449144] FS:  00007f0384328700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
      [  286.449144] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  286.449144] CR2: 00007f038394bf10 CR3: 0000000104a86000 CR4: 00000000001006f0
      [  286.449144] Call Trace:
      [  286.449144]  static_key_slow_dec+0x6a/0x70
      [  286.449144]  nf_tables_chain_destroy+0x19d/0x210 [nf_tables]
      [  286.449144]  nf_tables_commit+0x1891/0x1c50 [nf_tables]
      [  286.449144]  nfnetlink_rcv+0x1148/0x13d0 [nfnetlink]
      [ ... ]
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      bbb8c61f
    • T
      netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj() · 360cc79d
      Taehee Yoo 提交于
      The table field in nft_obj_filter is not an array. In order to check
      tablename, we should check if the pointer is set.
      
      Test commands:
      
         %nft add table ip filter
         %nft add counter ip filter ct1
         %nft reset counters
      
      Splat looks like:
      
      [  306.510504] kasan: CONFIG_KASAN_INLINE enabled
      [  306.516184] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  306.524775] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  306.528284] Modules linked in: nft_objref nft_counter nf_tables nfnetlink ip_tables x_tables
      [  306.528284] CPU: 0 PID: 1488 Comm: nft Not tainted 4.17.0-rc4+ #17
      [  306.528284] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
      [  306.528284] RIP: 0010:nf_tables_dump_obj+0x52c/0xa70 [nf_tables]
      [  306.528284] RSP: 0018:ffff8800b6cb7520 EFLAGS: 00010246
      [  306.528284] RAX: 0000000000000000 RBX: ffff8800b6c49820 RCX: 0000000000000000
      [  306.528284] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffed0016d96e9a
      [  306.528284] RBP: ffff8800b6cb75c0 R08: ffffed00236fce7c R09: ffffed00236fce7b
      [  306.528284] R10: ffffffff9f6241e8 R11: ffffed00236fce7c R12: ffff880111365108
      [  306.528284] R13: 0000000000000000 R14: ffff8800b6c49860 R15: ffff8800b6c49860
      [  306.528284] FS:  00007f838b007700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
      [  306.528284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  306.528284] CR2: 00007ffeafabcf78 CR3: 00000000b6cbe000 CR4: 00000000001006f0
      [  306.528284] Call Trace:
      [  306.528284]  netlink_dump+0x470/0xa20
      [  306.528284]  __netlink_dump_start+0x5ae/0x690
      [  306.528284]  ? nf_tables_getobj+0x1b3/0x740 [nf_tables]
      [  306.528284]  nf_tables_getobj+0x2f5/0x740 [nf_tables]
      [  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  306.528284]  ? nf_tables_getobj+0x740/0x740 [nf_tables]
      [  306.528284]  ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
      [  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  306.528284]  nfnetlink_rcv_msg+0x8ff/0x932 [nfnetlink]
      [  306.528284]  ? nfnetlink_rcv_msg+0x216/0x932 [nfnetlink]
      [  306.528284]  netlink_rcv_skb+0x1c9/0x2f0
      [  306.528284]  ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
      [  306.528284]  ? debug_check_no_locks_freed+0x270/0x270
      [  306.528284]  ? netlink_ack+0x7a0/0x7a0
      [  306.528284]  ? ns_capable_common+0x6e/0x110
      [ ... ]
      
      Fixes: e46abbcc ("netfilter: nf_tables: Allow table names of up to 255 chars")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      360cc79d
    • P
      netfilter: nf_tables: disable preemption in nft_update_chain_stats() · ad9d9e85
      Pablo Neira Ayuso 提交于
      This patch fixes the following splat.
      
      [118709.054937] BUG: using smp_processor_id() in preemptible [00000000] code: test/1571
      [118709.054970] caller is nft_update_chain_stats.isra.4+0x53/0x97 [nf_tables]
      [118709.054980] CPU: 2 PID: 1571 Comm: test Not tainted 4.17.0-rc6+ #335
      [...]
      [118709.054992] Call Trace:
      [118709.055011]  dump_stack+0x5f/0x86
      [118709.055026]  check_preemption_disabled+0xd4/0xe4
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      ad9d9e85
    • A
      IB: Revert "remove redundant INFINIBAND kconfig dependencies" · 533d1dae
      Arnd Bergmann 提交于
      Several subsystems depend on INFINIBAND_ADDR_TRANS, which in turn depends
      on INFINIBAND. However, when with CONFIG_INIFIBAND=m, this leads to a
      link error when another driver using it is built-in. The
      INFINIBAND_ADDR_TRANS dependency is insufficient here as this is
      a 'bool' symbol that does not force anything to be a module in turn.
      
      fs/cifs/smbdirect.o: In function `smbd_disconnect_rdma_work':
      smbdirect.c:(.text+0x1e4): undefined reference to `rdma_disconnect'
      net/9p/trans_rdma.o: In function `rdma_request':
      trans_rdma.c:(.text+0x7bc): undefined reference to `rdma_disconnect'
      net/9p/trans_rdma.o: In function `rdma_destroy_trans':
      trans_rdma.c:(.text+0x830): undefined reference to `ib_destroy_qp'
      trans_rdma.c:(.text+0x858): undefined reference to `ib_dealloc_pd'
      
      Fixes: 9533b292 ("IB: remove redundant INFINIBAND kconfig dependencies")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NGreg Thelen <gthelen@google.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      533d1dae
  6. 25 5月, 2018 3 次提交
    • W
      ipv4: remove warning in ip_recv_error · 730c54d5
      Willem de Bruijn 提交于
      A precondition check in ip_recv_error triggered on an otherwise benign
      race. Remove the warning.
      
      The warning triggers when passing an ipv6 socket to this ipv4 error
      handling function. RaceFuzzer was able to trigger it due to a race
      in setsockopt IPV6_ADDRFORM.
      
        ---
        CPU0
          do_ipv6_setsockopt
            sk->sk_socket->ops = &inet_dgram_ops;
      
        ---
        CPU1
          sk->sk_prot->recvmsg
            udp_recvmsg
              ip_recv_error
                WARN_ON_ONCE(sk->sk_family == AF_INET6);
      
        ---
        CPU0
          do_ipv6_setsockopt
            sk->sk_family = PF_INET;
      
      This socket option converts a v6 socket that is connected to a v4 peer
      to an v4 socket. It updates the socket on the fly, changing fields in
      sk as well as other structs. This is inherently non-atomic. It races
      with the lockless udp_recvmsg path.
      
      No other code makes an assumption that these fields are updated
      atomically. It is benign here, too, as ip_recv_error cares only about
      the protocol of the skbs enqueued on the error queue, for which
      sk_family is not a precise predictor (thanks to another isue with
      IPV6_ADDRFORM).
      
      Link: http://lkml.kernel.org/r/20180518120826.GA19515@dragonet.kaist.ac.kr
      Fixes: 7ce875e5 ("ipv4: warn once on passing AF_INET6 socket to ip_recv_error")
      Reported-by: NDaeRyong Jeong <threeearcat@gmail.com>
      Suggested-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      730c54d5
    • O
      net : sched: cls_api: deal with egdev path only if needed · f8f4bef3
      Or Gerlitz 提交于
      When dealing with ingress rule on a netdev, if we did fine through the
      conventional path, there's no need to continue into the egdev route,
      and we can stop right there.
      
      Not doing so may cause a 2nd rule to be added by the cls api layer
      with the ingress being the egdev.
      
      For example, under sriov switchdev scheme, a user rule of VFR A --> VFR B
      will end up with two HW rules (1) VF A --> VF B and (2) uplink --> VF B
      
      Fixes: 208c0f4b ('net: sched: use tc_setup_cb_call to call per-block callbacks')
      Signed-off-by: NOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f8f4bef3
    • W
      packet: fix reserve calculation · 9aad13b0
      Willem de Bruijn 提交于
      Commit b84bbaf7 ("packet: in packet_snd start writing at link
      layer allocation") ensures that packet_snd always starts writing
      the link layer header in reserved headroom allocated for this
      purpose.
      
      This is needed because packets may be shorter than hard_header_len,
      in which case the space up to hard_header_len may be zeroed. But
      that necessary padding is not accounted for in skb->len.
      
      The fix, however, is buggy. It calls skb_push, which grows skb->len
      when moving skb->data back. But in this case packet length should not
      change.
      
      Instead, call skb_reserve, which moves both skb->data and skb->tail
      back, without changing length.
      
      Fixes: b84bbaf7 ("packet: in packet_snd start writing at link layer allocation")
      Reported-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Acked-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9aad13b0
  7. 24 5月, 2018 2 次提交
    • E
      netfilter: provide correct argument to nla_strlcpy() · 4b83a904
      Eric Dumazet 提交于
      Recent patch forgot to remove nla_data(), upsetting syzkaller a bit.
      
      BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 lib/nlattr.c:314
      Read of size 1 at addr ffff8801ad1f4fdd by task syz-executor189/4509
      
      CPU: 1 PID: 4509 Comm: syz-executor189 Not tainted 4.17.0-rc6+ #62
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
       nla_strlcpy+0x13d/0x150 lib/nlattr.c:314
       nfnl_acct_new+0x574/0xc50 net/netfilter/nfnetlink_acct.c:118
       nfnetlink_rcv_msg+0xdb5/0xff0 net/netfilter/nfnetlink.c:212
       netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
       nfnetlink_rcv+0x1fe/0x1ba0 net/netfilter/nfnetlink.c:513
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:639
       sock_write_iter+0x35a/0x5a0 net/socket.c:908
       call_write_iter include/linux/fs.h:1784 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x64d/0x960 fs/read_write.c:487
       vfs_write+0x1f8/0x560 fs/read_write.c:549
       ksys_write+0xf9/0x250 fs/read_write.c:598
       __do_sys_write fs/read_write.c:610 [inline]
       __se_sys_write fs/read_write.c:607 [inline]
       __x64_sys_write+0x73/0xb0 fs/read_write.c:607
      
      Fixes: 4e09fc87 ("netfilter: prefer nla_strlcpy for dealing with NLA_STRING attributes")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      4b83a904
    • R
  8. 23 5月, 2018 6 次提交
    • J
      ipvs: fix buffer overflow with sync daemon and service · 52f96757
      Julian Anastasov 提交于
      syzkaller reports for buffer overflow for interface name
      when starting sync daemons [1]
      
      What we do is that we copy user structure into larger stack
      buffer but later we search NUL past the stack buffer.
      The same happens for sched_name when adding/editing virtual server.
      
      We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
      being used as size in include/uapi/linux/ip_vs.h, so they
      include the space for NUL.
      
      As using strlcpy is wrong for unsafe source, replace it with
      strscpy and add checks to return EINVAL if source string is not
      NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
      
      For the netlink interface reduce the len parameter for
      IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
      so that we get proper EINVAL.
      
      [1]
      kernel BUG at lib/string.c:1052!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
          (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
      RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
      RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
      RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
      RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
      R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
      R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
      FS:  00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        strlen include/linux/string.h:270 [inline]
        strlcpy include/linux/string.h:293 [inline]
        do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
        ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
        udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
        ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
        tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
        sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
        __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
        __do_sys_setsockopt net/socket.c:1914 [inline]
        __se_sys_setsockopt net/socket.c:1911 [inline]
        __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
        do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x447369
      RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
      RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
      R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
      R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
      Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
      de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
      90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
      RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
      
      Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
      Fixes: e4ff6751 ("ipvs: add sync_maxlen parameter for the sync daemon")
      Fixes: 4da62fc7 ("[IPVS]: Fix for overflows")
      Signed-off-by: NJulian Anastasov <ja@ssi.bg>
      Acked-by: NSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      52f96757
    • P
      netfilter: nft_limit: fix packet ratelimiting · 3e0f64b7
      Pablo Neira Ayuso 提交于
      Credit calculations for the packet ratelimiting are not correct, as per
      the applied ratelimit of 25/second and burst 8, a total of 33 packets
      should have been accepted.  This is true in iptables(33) but not in
      nftables (~65). For packet ratelimiting, use:
      
      	div_u64(limit->nsecs, limit->rate) * limit->burst;
      
      to calculate credit, just like in iptables' xt_limit does.
      
      Moreover, use default burst in iptables, users are expecting similar
      behaviour.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      3e0f64b7
    • T
      netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval · 97a0549b
      Taehee Yoo 提交于
      In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
      But correct type is u8. so that sometimes incorrect value is dereferenced.
      
      Steps to reproduce:
      
         %nft add table ip filter
         %nft add chain ip filter input { type filter hook input priority 4\; }
         %nft add rule ip filter input nftrace set 0
         %nft monitor
      
      Sometimes, we can see trace messages.
      
         trace id 16767227 ip filter input packet: iif "enp2s0"
         ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx
         ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0
         ip ecn not-ect ip
         trace id 16767227 ip filter input rule nftrace set 0 (verdict continue)
         trace id 16767227 ip filter input verdict continue
         trace id 16767227 ip filter input
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      97a0549b
    • E
      ipmr: properly check rhltable_init() return value · 66fb3325
      Eric Dumazet 提交于
      commit 8fb472c0 ("ipmr: improve hash scalability")
      added a call to rhltable_init() without checking its return value.
      
      This problem was then later copied to IPv6 and factorized in commit
      0bbbf0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 31552 Comm: syz-executor7 Not tainted 4.17.0-rc5+ #60
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:rht_key_hashfn include/linux/rhashtable.h:277 [inline]
      RIP: 0010:__rhashtable_lookup include/linux/rhashtable.h:630 [inline]
      RIP: 0010:rhltable_lookup include/linux/rhashtable.h:716 [inline]
      RIP: 0010:mr_mfc_find_parent+0x2ad/0xbb0 net/ipv4/ipmr_base.c:63
      RSP: 0018:ffff8801826aef70 EFLAGS: 00010203
      RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffc90001ea0000
      RDX: 0000000000000079 RSI: ffffffff8661e859 RDI: 000000000000000c
      RBP: ffff8801826af1c0 R08: ffff8801b2212000 R09: ffffed003b5e46c2
      R10: ffffed003b5e46c2 R11: ffff8801daf23613 R12: dffffc0000000000
      R13: ffff8801826af198 R14: ffff8801cf8225c0 R15: ffff8801826af658
      FS:  00007ff7fa732700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000003ffffff9c CR3: 00000001b0210000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       ip6mr_cache_find_parent net/ipv6/ip6mr.c:981 [inline]
       ip6mr_mfc_delete+0x1fe/0x6b0 net/ipv6/ip6mr.c:1221
       ip6_mroute_setsockopt+0x15c6/0x1d70 net/ipv6/ip6mr.c:1698
       do_ipv6_setsockopt.isra.9+0x422/0x4660 net/ipv6/ipv6_sockglue.c:163
       ipv6_setsockopt+0xbd/0x170 net/ipv6/ipv6_sockglue.c:922
       rawv6_setsockopt+0x59/0x140 net/ipv6/raw.c:1060
       sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
       __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
       __do_sys_setsockopt net/socket.c:1914 [inline]
       __se_sys_setsockopt net/socket.c:1911 [inline]
       __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 8fb472c0 ("ipmr: improve hash scalability")
      Fixes: 0bbbf0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Cc: Yuval Mintz <yuvalm@mellanox.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Acked-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      66fb3325
    • A
      dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() · 2677d206
      Alexey Kodanev 提交于
      Syzbot reported the use-after-free in timer_is_static_object() [1].
      
      This can happen because the structure for the rto timer (ccid2_hc_tx_sock)
      is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be
      called after that.
      
      The report [1] is similar to the one in commit 120e9dab ("dccp:
      defer ccid_hc_tx_delete() at dismantle time"). And the fix is the same,
      delay freeing ccid2_hc_tx_sock structure, so that it is freed in
      dccp_sk_destruct().
      
      [1]
      
      ==================================================================
      BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90
      kernel/time/timer.c:607
      Read of size 8 at addr ffff8801bebb5118 by task syz-executor2/25299
      
      CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        <IRQ>
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1b9/0x294 lib/dump_stack.c:113
        print_address_description+0x6c/0x20b mm/kasan/report.c:256
        kasan_report_error mm/kasan/report.c:354 [inline]
        kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
        __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
        timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
        debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
        debug_timer_activate kernel/time/timer.c:709 [inline]
        debug_activate kernel/time/timer.c:764 [inline]
        __mod_timer kernel/time/timer.c:1041 [inline]
        mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
        sk_reset_timer+0x22/0x60 net/core/sock.c:2742
        ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
        call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
        expire_timers kernel/time/timer.c:1363 [inline]
        __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
        run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
        __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
        invoke_softirq kernel/softirq.c:365 [inline]
        irq_exit+0x1d1/0x200 kernel/softirq.c:405
        exiting_irq arch/x86/include/asm/apic.h:525 [inline]
        smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
        apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
        </IRQ>
      ...
      Allocated by task 25374:
        save_stack+0x43/0xd0 mm/kasan/kasan.c:448
        set_track mm/kasan/kasan.c:460 [inline]
        kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
        kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
        kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
        ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
        dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
        __dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
        dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
        dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
        dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
        dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
        dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
        dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
        ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
        NF_HOOK include/linux/netfilter.h:288 [inline]
        ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
        dst_input include/net/dst.h:450 [inline]
        ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
        NF_HOOK include/linux/netfilter.h:288 [inline]
        ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
        __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
        __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
        process_backlog+0x219/0x760 net/core/dev.c:5337
        napi_poll net/core/dev.c:5735 [inline]
        net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
        __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
      
      Freed by task 25374:
        save_stack+0x43/0xd0 mm/kasan/kasan.c:448
        set_track mm/kasan/kasan.c:460 [inline]
        __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
        kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
        __cache_free mm/slab.c:3498 [inline]
        kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
        ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190
        dccp_disconnect+0x130/0xc66 net/dccp/proto.c:286
        dccp_close+0x3bc/0xe60 net/dccp/proto.c:1045
        inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
        inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
        sock_release+0x96/0x1b0 net/socket.c:594
        sock_close+0x16/0x20 net/socket.c:1149
        __fput+0x34d/0x890 fs/file_table.c:209
        ____fput+0x15/0x20 fs/file_table.c:243
        task_work_run+0x1e4/0x290 kernel/task_work.c:113
        tracehook_notify_resume include/linux/tracehook.h:191 [inline]
        exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
        prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
        do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8801bebb4cc0
        which belongs to the cache ccid2_hc_tx_sock of size 1240
      The buggy address is located 1112 bytes inside of
        1240-byte region [ffff8801bebb4cc0, ffff8801bebb5198)
      The buggy address belongs to the page:
      page:ffffea0006faed00 count:1 mapcount:0 mapping:ffff8801bebb41c0
      index:0xffff8801bebb5240 compound_mapcount: 0
      flags: 0x2fffc0000008100(slab|head)
      raw: 02fffc0000008100 ffff8801bebb41c0 ffff8801bebb5240 0000000100000003
      raw: ffff8801cdba3138 ffffea0007634120 ffff8801cdbaab40 0000000000000000
      page dumped because: kasan: bad access detected
      ...
      ==================================================================
      
      Reported-by: syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com
      Signed-off-by: NAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2677d206
    • X
      sctp: fix the issue that flags are ignored when using kernel_connect · 644fbdea
      Xin Long 提交于
      Now sctp uses inet_dgram_connect as its proto_ops .connect, and the flags
      param can't be passed into its proto .connect where this flags is really
      needed.
      
      sctp works around it by getting flags from socket file in __sctp_connect.
      It works for connecting from userspace, as inherently the user sock has
      socket file and it passes f_flags as the flags param into the proto_ops
      .connect.
      
      However, the sock created by sock_create_kern doesn't have a socket file,
      and it passes the flags (like O_NONBLOCK) by using the flags param in
      kernel_connect, which calls proto_ops .connect later.
      
      So to fix it, this patch defines a new proto_ops .connect for sctp,
      sctp_inet_connect, which calls __sctp_connect() directly with this
      flags param. After this, the sctp's proto .connect can be removed.
      
      Note that sctp_inet_connect doesn't need to do some checks that are not
      needed for sctp, which makes thing better than with inet_dgram_connect.
      Suggested-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: NMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      644fbdea
  9. 22 5月, 2018 1 次提交
  10. 20 5月, 2018 1 次提交
    • W
      net: ip6_gre: fix tunnel metadata device sharing. · b80d0b93
      William Tu 提交于
      Currently ip6gre and ip6erspan share single metadata mode device,
      using 'collect_md_tun'.  Thus, when doing:
        ip link add dev ip6gre11 type ip6gretap external
        ip link add dev ip6erspan12 type ip6erspan external
        RTNETLINK answers: File exists
      simply fails due to the 2nd tries to create the same collect_md_tun.
      
      The patch fixes it by adding a separate collect md tunnel device
      for the ip6erspan, 'collect_md_tun_erspan'.  As a result, a couple
      of places need to refactor/split up in order to distinguish ip6gre
      and ip6erspan.
      
      First, move the collect_md check at ip6gre_tunnel_{unlink,link} and
      create separate function {ip6gre,ip6ersapn}_tunnel_{link_md,unlink_md}.
      Then before link/unlink, make sure the link_md/unlink_md is called.
      Finally, a separate ndo_uninit is created for ip6erspan.  Tested it
      using the samples/bpf/test_tunnel_bpf.sh.
      
      Fixes: ef7baf5e ("ip6_gre: add ip6 erspan collect_md mode")
      Signed-off-by: NWilliam Tu <u9012063@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b80d0b93
  11. 19 5月, 2018 3 次提交
    • P
      net: sched: red: avoid hashing NULL child · 44a63b13
      Paolo Abeni 提交于
      Hangbin reported an Oops triggered by the syzkaller qdisc rules:
      
       kasan: GPF could be caused by NULL-ptr deref or user memory access
       general protection fault: 0000 [#1] SMP KASAN PTI
       Modules linked in: sch_red
       CPU: 0 PID: 28699 Comm: syz-executor5 Not tainted 4.17.0-rc4.kcov #1
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:qdisc_hash_add+0x26/0xa0
       RSP: 0018:ffff8800589cf470 EFLAGS: 00010203
       RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff824ad971
       RDX: 0000000000000007 RSI: ffffc9000ce9f000 RDI: 000000000000003c
       RBP: 0000000000000001 R08: ffffed000b139ea2 R09: ffff8800589cf4f0
       R10: ffff8800589cf50f R11: ffffed000b139ea2 R12: ffff880054019fc0
       R13: ffff880054019fb4 R14: ffff88005c0af600 R15: ffff880054019fb0
       FS:  00007fa6edcb1700(0000) GS:ffff88005ce00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000020000740 CR3: 000000000fc16000 CR4: 00000000000006f0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       Call Trace:
        red_change+0x2d2/0xed0 [sch_red]
        qdisc_create+0x57e/0xef0
        tc_modify_qdisc+0x47f/0x14e0
        rtnetlink_rcv_msg+0x6a8/0x920
        netlink_rcv_skb+0x2a2/0x3c0
        netlink_unicast+0x511/0x740
        netlink_sendmsg+0x825/0xc30
        sock_sendmsg+0xc5/0x100
        ___sys_sendmsg+0x778/0x8e0
        __sys_sendmsg+0xf5/0x1b0
        do_syscall_64+0xbd/0x3b0
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x450869
       RSP: 002b:00007fa6edcb0c48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 00007fa6edcb16b4 RCX: 0000000000450869
       RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000013
       RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
       R13: 0000000000008778 R14: 0000000000702838 R15: 00007fa6edcb1700
       Code: e9 0b fe ff ff 0f 1f 44 00 00 55 53 48 89 fb 89 f5 e8 3f 07 f3 fe 48 8d 7b 3c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 51
       RIP: qdisc_hash_add+0x26/0xa0 RSP: ffff8800589cf470
      
      When a red qdisc is updated with a 0 limit, the child qdisc is left
      unmodified, no additional scheduler is created in red_change(),
      the 'child' local variable is rightfully NULL and must not add it
      to the hash table.
      
      This change addresses the above issue moving qdisc_hash_add() right
      after the child qdisc creation. It additionally removes unneeded checks
      for noop_qdisc.
      Reported-by: NHangbin Liu <liuhangbin@gmail.com>
      Fixes: 49b49971 ("net: sched: make default fifo qdiscs appear in the dump")
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Acked-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      44a63b13
    • E
      sock_diag: fix use-after-free read in __sk_free · 9709020c
      Eric Dumazet 提交于
      We must not call sock_diag_has_destroy_listeners(sk) on a socket
      that has no reference on net structure.
      
      BUG: KASAN: use-after-free in sock_diag_has_destroy_listeners include/linux/sock_diag.h:75 [inline]
      BUG: KASAN: use-after-free in __sk_free+0x329/0x340 net/core/sock.c:1609
      Read of size 8 at addr ffff88018a02e3a0 by task swapper/1/0
      
      CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.17.0-rc5+ #54
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
       sock_diag_has_destroy_listeners include/linux/sock_diag.h:75 [inline]
       __sk_free+0x329/0x340 net/core/sock.c:1609
       sk_free+0x42/0x50 net/core/sock.c:1623
       sock_put include/net/sock.h:1664 [inline]
       reqsk_free include/net/request_sock.h:116 [inline]
       reqsk_put include/net/request_sock.h:124 [inline]
       inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:672 [inline]
       reqsk_timer_handler+0xe27/0x10e0 net/ipv4/inet_connection_sock.c:739
       call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
       expire_timers kernel/time/timer.c:1363 [inline]
       __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
       run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
       __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
       invoke_softirq kernel/softirq.c:365 [inline]
       irq_exit+0x1d1/0x200 kernel/softirq.c:405
       exiting_irq arch/x86/include/asm/apic.h:525 [inline]
       smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
       </IRQ>
      RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54
      RSP: 0018:ffff8801d9ae7c38 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
      RAX: dffffc0000000000 RBX: 1ffff1003b35cf8a RCX: 0000000000000000
      RDX: 1ffffffff11a30d0 RSI: 0000000000000001 RDI: ffffffff88d18680
      RBP: ffff8801d9ae7c38 R08: ffffed003b5e46c3 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
      R13: ffff8801d9ae7cf0 R14: ffffffff897bef20 R15: 0000000000000000
       arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
       default_idle+0xc2/0x440 arch/x86/kernel/process.c:354
       arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:345
       default_idle_call+0x6d/0x90 kernel/sched/idle.c:93
       cpuidle_idle_call kernel/sched/idle.c:153 [inline]
       do_idle+0x395/0x560 kernel/sched/idle.c:262
       cpu_startup_entry+0x104/0x120 kernel/sched/idle.c:368
       start_secondary+0x426/0x5b0 arch/x86/kernel/smpboot.c:269
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242
      
      Allocated by task 4557:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:448
       set_track mm/kasan/kasan.c:460 [inline]
       kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
       kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
       kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
       kmem_cache_zalloc include/linux/slab.h:691 [inline]
       net_alloc net/core/net_namespace.c:383 [inline]
       copy_net_ns+0x159/0x4c0 net/core/net_namespace.c:423
       create_new_namespaces+0x69d/0x8f0 kernel/nsproxy.c:107
       unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:206
       ksys_unshare+0x708/0xf90 kernel/fork.c:2408
       __do_sys_unshare kernel/fork.c:2476 [inline]
       __se_sys_unshare kernel/fork.c:2474 [inline]
       __x64_sys_unshare+0x31/0x40 kernel/fork.c:2474
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 69:
       save_stack+0x43/0xd0 mm/kasan/kasan.c:448
       set_track mm/kasan/kasan.c:460 [inline]
       __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
       kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
       __cache_free mm/slab.c:3498 [inline]
       kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
       net_free net/core/net_namespace.c:399 [inline]
       net_drop_ns.part.14+0x11a/0x130 net/core/net_namespace.c:406
       net_drop_ns net/core/net_namespace.c:405 [inline]
       cleanup_net+0x6a1/0xb20 net/core/net_namespace.c:541
       process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
       worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
       kthread+0x345/0x410 kernel/kthread.c:240
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
      
      The buggy address belongs to the object at ffff88018a02c140
       which belongs to the cache net_namespace of size 8832
      The buggy address is located 8800 bytes inside of
       8832-byte region [ffff88018a02c140, ffff88018a02e3c0)
      The buggy address belongs to the page:
      page:ffffea0006280b00 count:1 mapcount:0 mapping:ffff88018a02c140 index:0x0 compound_mapcount: 0
      flags: 0x2fffc0000008100(slab|head)
      raw: 02fffc0000008100 ffff88018a02c140 0000000000000000 0000000100000001
      raw: ffffea00062a1320 ffffea0006268020 ffff8801d9bdde40 0000000000000000
      page dumped because: kasan: bad access detected
      
      Fixes: b922622e ("sock_diag: don't broadcast kernel sockets")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Craig Gallek <kraig@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9709020c
    • F
      net: dsa: Do not register devlink for unused ports · 5447d786
      Florian Fainelli 提交于
      Even if commit 1d27732f ("net: dsa: setup and teardown ports") indicated
      that registering a devlink instance for unused ports is not a problem, and this
      is true, this can be confusing nonetheless, so let's not do it.
      
      Fixes: 1d27732f ("net: dsa: setup and teardown ports")
      Reported-by: NJiri Pirko <jiri@resnulli.us>
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5447d786