1. 02 4月, 2017 13 次提交
    • G
      l2tp: fix duplicate session creation · dbdbc73b
      Guillaume Nault 提交于
      l2tp_session_create() relies on its caller for checking for duplicate
      sessions. This is racy since a session can be concurrently inserted
      after the caller's verification.
      
      Fix this by letting l2tp_session_create() verify sessions uniqueness
      upon insertion. Callers need to be adapted to check for
      l2tp_session_create()'s return code instead of calling
      l2tp_session_find().
      
      pppol2tp_connect() is a bit special because it has to work on existing
      sessions (if they're not connected) or to create a new session if none
      is found. When acting on a preexisting session, a reference must be
      held or it could go away on us. So we have to use l2tp_session_get()
      instead of l2tp_session_find() and drop the reference before exiting.
      
      Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support")
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dbdbc73b
    • G
      l2tp: ensure session can't get removed during pppol2tp_session_ioctl() · 57377d63
      Guillaume Nault 提交于
      Holding a reference on session is required before calling
      pppol2tp_session_ioctl(). The session could get freed while processing the
      ioctl otherwise. Since pppol2tp_session_ioctl() uses the session's socket,
      we also need to take a reference on it in l2tp_session_get().
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      57377d63
    • G
      l2tp: fix race in l2tp_recv_common() · 61b9a047
      Guillaume Nault 提交于
      Taking a reference on sessions in l2tp_recv_common() is racy; this
      has to be done by the callers.
      
      To this end, a new function is required (l2tp_session_get()) to
      atomically lookup a session and take a reference on it. Callers then
      have to manually drop this reference.
      
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      61b9a047
    • X
      sctp: use right in and out stream cnt · afe89962
      Xin Long 提交于
      Since sctp reconf was added in sctp, the real cnt of in/out stream
      have not been c.sinit_max_instreams and c.sinit_num_ostreams any
      more.
      
      This patch is to replace them with stream->in/outcnt.
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      afe89962
    • D
      Merge tag 'mac80211-for-davem-2017-03-31' of... · 612307c6
      David S. Miller 提交于
      Merge tag 'mac80211-for-davem-2017-03-31' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Two fixes:
       * don't block netdev queues (indefinitely!) if mac80211
         manages traffic queueing itself
       * check wiphy registration before checking for ops
         on resume, to avoid crash
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      612307c6
    • D
      Merge branch 'bpf-map_value_adj-reg-types-fixes' · 0989bd03
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      BPF fixes on map_value_adj reg types
      
      This set adds two fixes for map_value_adj register type in the
      verifier and user space tests along with them for the BPF self
      test suite. For details, please see individual patches.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0989bd03
    • D
      bpf: add various verifier test cases for self-tests · 02ea80b1
      Daniel Borkmann 提交于
      Add a couple of test cases, for example, probing for xadd on a spilled
      pointer to packet and map_value_adj register, various other map_value_adj
      tests including the unaligned load/store, and trying out pointer arithmetic
      on map_value_adj register itself. For the unaligned load/store, we need
      to figure out whether the architecture has efficient unaligned access and
      need to mark affected tests accordingly.
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      02ea80b1
    • D
      bpf, verifier: fix rejection of unaligned access checks for map_value_adj · 79adffcd
      Daniel Borkmann 提交于
      Currently, the verifier doesn't reject unaligned access for map_value_adj
      register types. Commit 48461135 ("bpf: allow access into map value
      arrays") added logic to check_ptr_alignment() extending it from PTR_TO_PACKET
      to also PTR_TO_MAP_VALUE_ADJ, but for PTR_TO_MAP_VALUE_ADJ no enforcement
      is in place, because reg->id for PTR_TO_MAP_VALUE_ADJ reg types is never
      non-zero, meaning, we can cause BPF_H/_W/_DW-based unaligned access for
      architectures not supporting efficient unaligned access, and thus worst
      case could raise exceptions on some archs that are unable to correct the
      unaligned access or perform a different memory access to the actual
      requested one and such.
      
      i) Unaligned load with !CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
         on r0 (map_value_adj):
      
         0: (bf) r2 = r10
         1: (07) r2 += -8
         2: (7a) *(u64 *)(r2 +0) = 0
         3: (18) r1 = 0x42533a00
         5: (85) call bpf_map_lookup_elem#1
         6: (15) if r0 == 0x0 goto pc+11
          R0=map_value(ks=8,vs=48,id=0),min_value=0,max_value=0 R10=fp
         7: (61) r1 = *(u32 *)(r0 +0)
         8: (35) if r1 >= 0xb goto pc+9
          R0=map_value(ks=8,vs=48,id=0),min_value=0,max_value=0 R1=inv,min_value=0,max_value=10 R10=fp
         9: (07) r0 += 3
        10: (79) r7 = *(u64 *)(r0 +0)
          R0=map_value_adj(ks=8,vs=48,id=0),min_value=3,max_value=3 R1=inv,min_value=0,max_value=10 R10=fp
        11: (79) r7 = *(u64 *)(r0 +2)
          R0=map_value_adj(ks=8,vs=48,id=0),min_value=3,max_value=3 R1=inv,min_value=0,max_value=10 R7=inv R10=fp
        [...]
      
      ii) Unaligned store with !CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
          on r0 (map_value_adj):
      
         0: (bf) r2 = r10
         1: (07) r2 += -8
         2: (7a) *(u64 *)(r2 +0) = 0
         3: (18) r1 = 0x4df16a00
         5: (85) call bpf_map_lookup_elem#1
         6: (15) if r0 == 0x0 goto pc+19
          R0=map_value(ks=8,vs=48,id=0),min_value=0,max_value=0 R10=fp
         7: (07) r0 += 3
         8: (7a) *(u64 *)(r0 +0) = 42
          R0=map_value_adj(ks=8,vs=48,id=0),min_value=3,max_value=3 R10=fp
         9: (7a) *(u64 *)(r0 +2) = 43
          R0=map_value_adj(ks=8,vs=48,id=0),min_value=3,max_value=3 R10=fp
        10: (7a) *(u64 *)(r0 -2) = 44
          R0=map_value_adj(ks=8,vs=48,id=0),min_value=3,max_value=3 R10=fp
        [...]
      
      For the PTR_TO_PACKET type, reg->id is initially zero when skb->data
      was fetched, it later receives a reg->id from env->id_gen generator
      once another register with UNKNOWN_VALUE type was added to it via
      check_packet_ptr_add(). The purpose of this reg->id is twofold: i) it
      is used in find_good_pkt_pointers() for setting the allowed access
      range for regs with PTR_TO_PACKET of same id once verifier matched
      on data/data_end tests, and ii) for check_ptr_alignment() to determine
      that when not having efficient unaligned access and register with
      UNKNOWN_VALUE was added to PTR_TO_PACKET, that we're only allowed
      to access the content bytewise due to unknown unalignment. reg->id
      was never intended for PTR_TO_MAP_VALUE{,_ADJ} types and thus is
      always zero, the only marking is in PTR_TO_MAP_VALUE_OR_NULL that
      was added after 48461135 via 57a09bf0 ("bpf: Detect identical
      PTR_TO_MAP_VALUE_OR_NULL registers"). Above tests will fail for
      non-root environment due to prohibited pointer arithmetic.
      
      The fix splits register-type specific checks into their own helper
      instead of keeping them combined, so we don't run into a similar
      issue in future once we extend check_ptr_alignment() further and
      forget to add reg->type checks for some of the checks.
      
      Fixes: 48461135 ("bpf: allow access into map value arrays")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: NJosef Bacik <jbacik@fb.com>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      79adffcd
    • D
      bpf, verifier: fix alu ops against map_value{, _adj} register types · fce366a9
      Daniel Borkmann 提交于
      While looking into map_value_adj, I noticed that alu operations
      directly on the map_value() resp. map_value_adj() register (any
      alu operation on a map_value() register will turn it into a
      map_value_adj() typed register) are not sufficiently protected
      against some of the operations. Two non-exhaustive examples are
      provided that the verifier needs to reject:
      
       i) BPF_AND on r0 (map_value_adj):
      
        0: (bf) r2 = r10
        1: (07) r2 += -8
        2: (7a) *(u64 *)(r2 +0) = 0
        3: (18) r1 = 0xbf842a00
        5: (85) call bpf_map_lookup_elem#1
        6: (15) if r0 == 0x0 goto pc+2
         R0=map_value(ks=8,vs=48,id=0),min_value=0,max_value=0 R10=fp
        7: (57) r0 &= 8
        8: (7a) *(u64 *)(r0 +0) = 22
         R0=map_value_adj(ks=8,vs=48,id=0),min_value=0,max_value=8 R10=fp
        9: (95) exit
      
        from 6 to 9: R0=inv,min_value=0,max_value=0 R10=fp
        9: (95) exit
        processed 10 insns
      
      ii) BPF_ADD in 32 bit mode on r0 (map_value_adj):
      
        0: (bf) r2 = r10
        1: (07) r2 += -8
        2: (7a) *(u64 *)(r2 +0) = 0
        3: (18) r1 = 0xc24eee00
        5: (85) call bpf_map_lookup_elem#1
        6: (15) if r0 == 0x0 goto pc+2
         R0=map_value(ks=8,vs=48,id=0),min_value=0,max_value=0 R10=fp
        7: (04) (u32) r0 += (u32) 0
        8: (7a) *(u64 *)(r0 +0) = 22
         R0=map_value_adj(ks=8,vs=48,id=0),min_value=0,max_value=0 R10=fp
        9: (95) exit
      
        from 6 to 9: R0=inv,min_value=0,max_value=0 R10=fp
        9: (95) exit
        processed 10 insns
      
      Issue is, while min_value / max_value boundaries for the access
      are adjusted appropriately, we change the pointer value in a way
      that cannot be sufficiently tracked anymore from its origin.
      Operations like BPF_{AND,OR,DIV,MUL,etc} on a destination register
      that is PTR_TO_MAP_VALUE{,_ADJ} was probably unintended, in fact,
      all the test cases coming with 48461135 ("bpf: allow access
      into map value arrays") perform BPF_ADD only on the destination
      register that is PTR_TO_MAP_VALUE_ADJ.
      
      Only for UNKNOWN_VALUE register types such operations make sense,
      f.e. with unknown memory content fetched initially from a constant
      offset from the map value memory into a register. That register is
      then later tested against lower / upper bounds, so that the verifier
      can then do the tracking of min_value / max_value, and properly
      check once that UNKNOWN_VALUE register is added to the destination
      register with type PTR_TO_MAP_VALUE{,_ADJ}. This is also what the
      original use-case is solving. Note, tracking on what is being
      added is done through adjust_reg_min_max_vals() and later access
      to the map value enforced with these boundaries and the given offset
      from the insn through check_map_access_adj().
      
      Tests will fail for non-root environment due to prohibited pointer
      arithmetic, in particular in check_alu_op(), we bail out on the
      is_pointer_value() check on the dst_reg (which is false in root
      case as we allow for pointer arithmetic via env->allow_ptr_leaks).
      
      Similarly to PTR_TO_PACKET, one way to fix it is to restrict the
      allowed operations on PTR_TO_MAP_VALUE{,_ADJ} registers to 64 bit
      mode BPF_ADD. The test_verifier suite runs fine after the patch
      and it also rejects mentioned test cases.
      
      Fixes: 48461135 ("bpf: allow access into map value arrays")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: NJosef Bacik <jbacik@fb.com>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fce366a9
    • R
      r8152: The Microsoft Surface docks also use R8152 v2 · d5b07ccc
      René Rebe 提交于
      Without this the generic cdc_ether grabs the device,
      and does not really work.
      Signed-off-by: NRené Rebe <rene@exactcode.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d5b07ccc
    • Y
      openvswitch: Fix ovs_flow_key_update() · 6f56f618
      Yi-Hung Wei 提交于
      ovs_flow_key_update() is called when the flow key is invalid, and it is
      used to update and revalidate the flow key. Commit 329f45bc
      ("openvswitch: add mac_proto field to the flow key") introduces mac_proto
      field to flow key and use it to determine whether the flow key is valid.
      However, the commit does not update the code path in ovs_flow_key_update()
      to revalidate the flow key which may cause BUG_ON() on execute_recirc().
      This patch addresses the aforementioned issue.
      
      Fixes: 329f45bc ("openvswitch: add mac_proto field to the flow key")
      Signed-off-by: NYi-Hung Wei <yihung.wei@gmail.com>
      Acked-by: NJiri Benc <jbenc@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6f56f618
    • M
      net/faraday: Explicitly include linux/of.h and linux/property.h · 3af887c3
      Mark Brown 提交于
      This driver uses interfaces from linux/of.h and linux/property.h but
      relies on implict inclusion of those headers which means that changes in
      other headers could break the build, as happened in -next for arm today.
      Add a explicit includes.
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Acked-by: NJoel Stanley <joel@jms.id.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3af887c3
    • D
      net: hns: Add ACPI support to check SFP present · b917078c
      Daode Huang 提交于
      The current code only supports DT to check SFP present.
      This patch adds ACPI support as well.
      Signed-off-by: NDaode Huang <huangdaode@hisilicon.com>
      Reviewed-by: NYisen Zhuang <yisen.zhuang@huawei.com>
      Signed-off-by: NSalil Mehta <salil.mehta@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b917078c
  2. 31 3月, 2017 5 次提交
  3. 30 3月, 2017 8 次提交
  4. 29 3月, 2017 9 次提交
    • J
      mac80211: unconditionally start new netdev queues with iTXQ support · 7d65f829
      Johannes Berg 提交于
      When internal mac80211 TXQs aren't supported, netdev queues must
      always started out started even when driver queues are stopped
      while the interface is added. This is necessary because with the
      internal TXQ support netdev queues are never stopped and packet
      scheduling/dropping is done in mac80211.
      
      Cc: stable@vger.kernel.org # 4.9+
      Fixes: 80a83cfc ("mac80211: skip netdev queue control with software queuing")
      Reported-and-tested-by: NSven Eckelmann <sven.eckelmann@openmesh.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      7d65f829
    • L
      netfilter: nfnetlink_queue: fix secctx memory leak · 77c1c03c
      Liping Zhang 提交于
      We must call security_release_secctx to free the memory returned by
      security_secid_to_secctx, otherwise memory may be leaked forever.
      
      Fixes: ef493bd9 ("netfilter: nfnetlink_queue: add security context information")
      Signed-off-by: NLiping Zhang <zlpnobody@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      77c1c03c
    • A
      cfg80211: check rdev resume callback only for registered wiphy · b3ef5520
      Arend Van Spriel 提交于
      We got the following use-after-free KASAN report:
      
       BUG: KASAN: use-after-free in wiphy_resume+0x591/0x5a0 [cfg80211]
      	 at addr ffff8803fc244090
       Read of size 8 by task kworker/u16:24/2587
       CPU: 6 PID: 2587 Comm: kworker/u16:24 Tainted: G    B 4.9.13-debug+
       Hardware name: Dell Inc. XPS 15 9550/0N7TVV, BIOS 1.2.19 12/22/2016
       Workqueue: events_unbound async_run_entry_fn
        ffff880425d4f9d8 ffffffffaeedb541 ffff88042b80ef00 ffff8803fc244088
        ffff880425d4fa00 ffffffffae84d7a1 ffff880425d4fa98 ffff8803fc244080
        ffff88042b80ef00 ffff880425d4fa88 ffffffffae84da3a ffffffffc141f7d9
       Call Trace:
        [<ffffffffaeedb541>] dump_stack+0x85/0xc4
        [<ffffffffae84d7a1>] kasan_object_err+0x21/0x70
        [<ffffffffae84da3a>] kasan_report_error+0x1fa/0x500
        [<ffffffffc141f7d9>] ? cfg80211_bss_age+0x39/0xc0 [cfg80211]
        [<ffffffffc141f83a>] ? cfg80211_bss_age+0x9a/0xc0 [cfg80211]
        [<ffffffffae48d46d>] ? trace_hardirqs_on+0xd/0x10
        [<ffffffffc13fb1c0>] ? wiphy_suspend+0xc70/0xc70 [cfg80211]
        [<ffffffffae84def1>] __asan_report_load8_noabort+0x61/0x70
        [<ffffffffc13fb100>] ? wiphy_suspend+0xbb0/0xc70 [cfg80211]
        [<ffffffffc13fb751>] ? wiphy_resume+0x591/0x5a0 [cfg80211]
        [<ffffffffc13fb751>] wiphy_resume+0x591/0x5a0 [cfg80211]
        [<ffffffffc13fb1c0>] ? wiphy_suspend+0xc70/0xc70 [cfg80211]
        [<ffffffffaf3b206e>] dpm_run_callback+0x6e/0x4f0
        [<ffffffffaf3b31b2>] device_resume+0x1c2/0x670
        [<ffffffffaf3b367d>] async_resume+0x1d/0x50
        [<ffffffffae3ee84e>] async_run_entry_fn+0xfe/0x610
        [<ffffffffae3d0666>] process_one_work+0x716/0x1a50
        [<ffffffffae3d05c9>] ? process_one_work+0x679/0x1a50
        [<ffffffffafdd7b6d>] ? _raw_spin_unlock_irq+0x3d/0x60
        [<ffffffffae3cff50>] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
        [<ffffffffae3d1a80>] worker_thread+0xe0/0x1460
        [<ffffffffae3d19a0>] ? process_one_work+0x1a50/0x1a50
        [<ffffffffae3e54c2>] kthread+0x222/0x2e0
        [<ffffffffae3e52a0>] ? kthread_park+0x80/0x80
        [<ffffffffae3e52a0>] ? kthread_park+0x80/0x80
        [<ffffffffae3e52a0>] ? kthread_park+0x80/0x80
        [<ffffffffafdd86aa>] ret_from_fork+0x2a/0x40
       Object at ffff8803fc244088, in cache kmalloc-1024 size: 1024
       Allocated:
       PID = 71
        save_stack_trace+0x1b/0x20
        save_stack+0x46/0xd0
        kasan_kmalloc+0xad/0xe0
        kasan_slab_alloc+0x12/0x20
        __kmalloc_track_caller+0x134/0x360
        kmemdup+0x20/0x50
        brcmf_cfg80211_attach+0x10b/0x3a90 [brcmfmac]
        brcmf_bus_start+0x19a/0x9a0 [brcmfmac]
        brcmf_pcie_setup+0x1f1a/0x3680 [brcmfmac]
        brcmf_fw_request_nvram_done+0x44c/0x11b0 [brcmfmac]
        request_firmware_work_func+0x135/0x280
        process_one_work+0x716/0x1a50
        worker_thread+0xe0/0x1460
        kthread+0x222/0x2e0
        ret_from_fork+0x2a/0x40
       Freed:
       PID = 2568
        save_stack_trace+0x1b/0x20
        save_stack+0x46/0xd0
        kasan_slab_free+0x71/0xb0
        kfree+0xe8/0x2e0
        brcmf_cfg80211_detach+0x62/0xf0 [brcmfmac]
        brcmf_detach+0x14a/0x2b0 [brcmfmac]
        brcmf_pcie_remove+0x140/0x5d0 [brcmfmac]
        brcmf_pcie_pm_leave_D3+0x198/0x2e0 [brcmfmac]
        pci_pm_resume+0x186/0x220
        dpm_run_callback+0x6e/0x4f0
        device_resume+0x1c2/0x670
        async_resume+0x1d/0x50
        async_run_entry_fn+0xfe/0x610
        process_one_work+0x716/0x1a50
        worker_thread+0xe0/0x1460
        kthread+0x222/0x2e0
        ret_from_fork+0x2a/0x40
       Memory state around the buggy address:
        ffff8803fc243f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff8803fc244000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       >ffff8803fc244080: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                ^
        ffff8803fc244100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff8803fc244180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      What is happening is that brcmf_pcie_resume() detects a device that
      is no longer responsive and it decides to unbind resulting in a
      wiphy_unregister() and wiphy_free() call. Now the wiphy instance
      remains allocated, because PM needs to call wiphy_resume() for it.
      However, brcmfmac already does a kfree() for the struct
      cfg80211_registered_device::ops field. Change the checks in
      wiphy_resume() to only access the struct cfg80211_registered_device::ops
      if the wiphy instance is still registered at this time.
      
      Cc: stable@vger.kernel.org # 4.10.x, 4.9.x
      Reported-by: NDaniel J Blueman <daniel@quora.org>
      Reviewed-by: NHante Meuleman <hante.meuleman@broadcom.com>
      Reviewed-by: NPieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
      Reviewed-by: NFranky Lin <franky.lin@broadcom.com>
      Signed-off-by: NArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      b3ef5520
    • J
      openvswitch: Fix refcount leak on force commit. · b768b16d
      Jarno Rajahalme 提交于
      The reference count held for skb needs to be released when the skb's
      nfct pointer is cleared regardless of if nf_ct_delete() is called or
      not.
      
      Failing to release the skb's reference cound led to deferred conntrack
      cleanup spinning forever within nf_conntrack_cleanup_net_list() when
      cleaning up a network namespace:
      
         kworker/u16:0-19025 [004] 45981067.173642: sched_switch: kworker/u16:0:19025 [120] R ==> rcu_preempt:7 [120]
         kworker/u16:0-19025 [004] 45981067.173651: kernel_stack: <stack trace>
      => ___preempt_schedule (ffffffffa001ed36)
      => _raw_spin_unlock_bh (ffffffffa0713290)
      => nf_ct_iterate_cleanup (ffffffffc00a4454)
      => nf_conntrack_cleanup_net_list (ffffffffc00a5e1e)
      => nf_conntrack_pernet_exit (ffffffffc00a63dd)
      => ops_exit_list.isra.1 (ffffffffa06075f3)
      => cleanup_net (ffffffffa0607df0)
      => process_one_work (ffffffffa0084c31)
      => worker_thread (ffffffffa008592b)
      => kthread (ffffffffa008bee2)
      => ret_from_fork (ffffffffa071b67c)
      
      Fixes: dd41d33f ("openvswitch: Add force commit.")
      Reported-by: NYang Song <yangsong@vmware.com>
      Signed-off-by: NJarno Rajahalme <jarno@ovn.org>
      Acked-by: NJoe Stringer <joe@ovn.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b768b16d
    • A
      rocker: fix Wmaybe-uninitialized false-positive · 16b8b6de
      Arnd Bergmann 提交于
      gcc-7 reports a warning that earlier versions did not have:
      
      drivers/net/ethernet/rocker/rocker_ofdpa.c: In function 'ofdpa_port_stp_update':
      arch/x86/include/asm/string_32.h:79:22: error: '*((void *)&prev_ctrls+4)' may be used uninitialized in this function [-Werror=maybe-uninitialized]
         *((short *)to + 2) = *((short *)from + 2);
         ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/rocker/rocker_ofdpa.c:2218:7: note: '*((void *)&prev_ctrls+4)' was declared here
      
      This is clearly a variation of the warning about 'prev_state' that
      was shut up using uninitialized_var().
      
      We can slightly simplify the code and get rid of the warning by unconditionally
      saving the prev_state and prev_ctrls variables. The inlined memcpy is not
      particularly expensive here, as it just has to read five bytes from one or
      two cache lines.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      16b8b6de
    • T
      net/mlx5: Avoid dereferencing uninitialized pointer · e497ec68
      Talat Batheesh 提交于
      In NETDEV_CHANGEUPPER event the upper_info field is valid
      only when linking is true. Otherwise it should be ignored.
      
      Fixes: 7907f23a (net/mlx5: Implement RoCE LAG feature)
      Signed-off-by: NTalat Batheesh <talatb@mellanox.com>
      Reviewed-by: NAviv Heller <avivh@mellanox.com>
      Reviewed-by: NMoni Shoua <monis@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e497ec68
    • J
      net: moxa: fix TX overrun memory leak · c2b341a6
      Jonas Jensen 提交于
      moxart_mac_start_xmit() doesn't care where tx_tail is, tx_head can
      catch and pass tx_tail, which is bad because moxart_tx_finished()
      isn't guaranteed to catch up on freeing resources from tx_tail.
      
      Add a check in moxart_mac_start_xmit() stopping the queue at the
      end of the circular buffer. Also add a check in moxart_tx_finished()
      waking the queue if the buffer has TX_WAKE_THRESHOLD or more
      free descriptors.
      
      While we're at it, move spin_lock_irq() to happen before our
      descriptor pointer is assigned in moxart_mac_start_xmit().
      
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=99451Signed-off-by: NJonas Jensen <jonas.jensen@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c2b341a6
    • A
      isdn: kcapi: avoid uninitialized data · af109a2c
      Arnd Bergmann 提交于
      gcc-7 points out that the AVMB1_ADDCARD ioctl results in an unintialized
      value ending up in the cardnr parameter:
      
      drivers/isdn/capi/kcapi.c: In function 'old_capi_manufacturer':
      drivers/isdn/capi/kcapi.c:1042:24: error: 'cdef.cardnr' may be used uninitialized in this function [-Werror=maybe-uninitialized]
         cparams.cardnr = cdef.cardnr;
      
      This has been broken since before the start of the git history, so
      either the value is not used for anything important, or the ioctl
      command doesn't get called in practice.
      
      Setting the cardnr to zero avoids the warning and makes sure
      we have consistent behavior.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      af109a2c
    • X
      sctp: change to save MSG_MORE flag into assoc · f9ba3501
      Xin Long 提交于
      David Laight noticed the support for MSG_MORE with datamsg->force_delay
      didn't really work as we expected, as the first msg with MSG_MORE set
      would always block the following chunks' dequeuing.
      
      This Patch is to rewrite it by saving the MSG_MORE flag into assoc as
      David Laight suggested.
      
      asoc->force_delay is used to save MSG_MORE flag before a msg is sent.
      All chunks in queue would not be sent out if asoc->force_delay is set
      by the msg with MSG_MORE flag, until a new msg without MSG_MORE flag
      clears asoc->force_delay.
      
      Note that this change would not affect the flush is generated by other
      triggers, like asoc->state != ESTABLISHED, queue size > pmtu etc.
      
      v1->v2:
        Not clear asoc->force_delay after sending the msg with MSG_MORE flag.
      
      Fixes: 4ea0c32f ("sctp: add support for MSG_MORE")
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NDavid Laight <david.laight@aculab.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f9ba3501
  5. 28 3月, 2017 2 次提交
    • M
      net: ipconfig: fix ic_close_devs() use-after-free · ffefb6f4
      Mark Rutland 提交于
      Our chosen ic_dev may be anywhere in our list of ic_devs, and we may
      free it before attempting to close others. When we compare d->dev and
      ic_dev->dev, we're potentially dereferencing memory returned to the
      allocator. This causes KASAN to scream for each subsequent ic_dev we
      check.
      
      As there's a 1-1 mapping between ic_devs and netdevs, we can instead
      compare d and ic_dev directly, which implicitly handles the !ic_dev
      case, and avoids the use-after-free. The ic_dev pointer may be stale,
      but we will not dereference it.
      
      Original splat:
      
      [    6.487446] ==================================================================
      [    6.494693] BUG: KASAN: use-after-free in ic_close_devs+0xc4/0x154 at addr ffff800367efa708
      [    6.503013] Read of size 8 by task swapper/0/1
      [    6.507452] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 4.11.0-rc3-00002-gda42158 #8
      [    6.514993] Hardware name: AppliedMicro Mustang/Mustang, BIOS 3.05.05-beta_rc Jan 27 2016
      [    6.523138] Call trace:
      [    6.525590] [<ffff200008094778>] dump_backtrace+0x0/0x570
      [    6.530976] [<ffff200008094d08>] show_stack+0x20/0x30
      [    6.536017] [<ffff200008bee928>] dump_stack+0x120/0x188
      [    6.541231] [<ffff20000856d5e4>] kasan_object_err+0x24/0xa0
      [    6.546790] [<ffff20000856d924>] kasan_report_error+0x244/0x738
      [    6.552695] [<ffff20000856dfec>] __asan_report_load8_noabort+0x54/0x80
      [    6.559204] [<ffff20000aae86ac>] ic_close_devs+0xc4/0x154
      [    6.564590] [<ffff20000aaedbac>] ip_auto_config+0x2ed4/0x2f1c
      [    6.570321] [<ffff200008084b04>] do_one_initcall+0xcc/0x370
      [    6.575882] [<ffff20000aa31de8>] kernel_init_freeable+0x5f8/0x6c4
      [    6.581959] [<ffff20000a16df00>] kernel_init+0x18/0x190
      [    6.587171] [<ffff200008084710>] ret_from_fork+0x10/0x40
      [    6.592468] Object at ffff800367efa700, in cache kmalloc-128 size: 128
      [    6.598969] Allocated:
      [    6.601324] PID = 1
      [    6.603427]  save_stack_trace_tsk+0x0/0x418
      [    6.607603]  save_stack_trace+0x20/0x30
      [    6.611430]  kasan_kmalloc+0xd8/0x188
      [    6.615087]  ip_auto_config+0x8c4/0x2f1c
      [    6.619002]  do_one_initcall+0xcc/0x370
      [    6.622832]  kernel_init_freeable+0x5f8/0x6c4
      [    6.627178]  kernel_init+0x18/0x190
      [    6.630660]  ret_from_fork+0x10/0x40
      [    6.634223] Freed:
      [    6.636233] PID = 1
      [    6.638334]  save_stack_trace_tsk+0x0/0x418
      [    6.642510]  save_stack_trace+0x20/0x30
      [    6.646337]  kasan_slab_free+0x88/0x178
      [    6.650167]  kfree+0xb8/0x478
      [    6.653131]  ic_close_devs+0x130/0x154
      [    6.656875]  ip_auto_config+0x2ed4/0x2f1c
      [    6.660875]  do_one_initcall+0xcc/0x370
      [    6.664705]  kernel_init_freeable+0x5f8/0x6c4
      [    6.669051]  kernel_init+0x18/0x190
      [    6.672534]  ret_from_fork+0x10/0x40
      [    6.676098] Memory state around the buggy address:
      [    6.680880]  ffff800367efa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [    6.688078]  ffff800367efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    6.695276] >ffff800367efa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    6.702469]                       ^
      [    6.705952]  ffff800367efa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    6.713149]  ffff800367efa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    6.720343] ==================================================================
      [    6.727536] Disabling lock debugging due to kernel taint
      Signed-off-by: NMark Rutland <mark.rutland@arm.com>
      Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      Cc: James Morris <jmorris@namei.org>
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ffefb6f4
    • F
      MAINTAINERS: Add Andrew Lunn as co-maintainer of PHYLIB · 248ccd5e
      Florian Fainelli 提交于
      Andrew has been contributing a lot to PHYLIB over the past months and
      his feedback on patches is more than welcome.
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      248ccd5e
  6. 27 3月, 2017 3 次提交
    • G
      netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register · 75c689dc
      Gao Feng 提交于
      In the commit 93557f53 ("netfilter: nf_conntrack: nf_conntrack snmp
      helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
      snmp_helper is never registered. But it still tries to unregister the
      snmp_helper, it could cause the panic.
      
      Now remove the useless snmp_helper and the unregister call in the
      error handler.
      
      Fixes: 93557f53 ("netfilter: nf_conntrack: nf_conntrack snmp helper")
      Signed-off-by: NGao Feng <fgao@ikuai8.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      75c689dc
    • L
      netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister · 9c3f3794
      Liping Zhang 提交于
      If one cpu is doing nf_ct_extend_unregister while another cpu is doing
      __nf_ct_ext_add_length, then we may hit BUG_ON(t == NULL). Moreover,
      there's no synchronize_rcu invocation after set nf_ct_ext_types[id] to
      NULL, so it's possible that we may access invalid pointer.
      
      But actually, most of the ct extends are built-in, so the problem listed
      above will not happen. However, there are two exceptions: NF_CT_EXT_NAT
      and NF_CT_EXT_SYNPROXY.
      
      For _EXT_NAT, the panic will not happen, since adding the nat extend and
      unregistering the nat extend are located in the same file(nf_nat_core.c),
      this means that after the nat module is removed, we cannot add the nat
      extend too.
      
      For _EXT_SYNPROXY, synproxy extend may be added by init_conntrack, while
      synproxy extend unregister will be done by synproxy_core_exit. So after
      nf_synproxy_core.ko is removed, we may still try to add the synproxy
      extend, then kernel panic may happen.
      
      I know it's very hard to reproduce this issue, but I can play a tricky
      game to make it happen very easily :)
      
      Step 1. Enable SYNPROXY for tcp dport 1234 at FORWARD hook:
        # iptables -I FORWARD -p tcp --dport 1234 -j SYNPROXY
      Step 2. Queue the syn packet to the userspace at raw table OUTPUT hook.
              Also note, in the userspace we only add a 20s' delay, then
              reinject the syn packet to the kernel:
        # iptables -t raw -I OUTPUT -p tcp --syn -j NFQUEUE --queue-num 1
      Step 3. Using "nc 2.2.2.2 1234" to connect the server.
      Step 4. Now remove the nf_synproxy_core.ko quickly:
        # iptables -F FORWARD
        # rmmod ipt_SYNPROXY
        # rmmod nf_synproxy_core
      Step 5. After 20s' delay, the syn packet is reinjected to the kernel.
      
      Now you will see the panic like this:
        kernel BUG at net/netfilter/nf_conntrack_extend.c:91!
        Call Trace:
         ? __nf_ct_ext_add_length+0x53/0x3c0 [nf_conntrack]
         init_conntrack+0x12b/0x600 [nf_conntrack]
         nf_conntrack_in+0x4cc/0x580 [nf_conntrack]
         ipv4_conntrack_local+0x48/0x50 [nf_conntrack_ipv4]
         nf_reinject+0x104/0x270
         nfqnl_recv_verdict+0x3e1/0x5f9 [nfnetlink_queue]
         ? nfqnl_recv_verdict+0x5/0x5f9 [nfnetlink_queue]
         ? nla_parse+0xa0/0x100
         nfnetlink_rcv_msg+0x175/0x6a9 [nfnetlink]
         [...]
      
      One possible solution is to make NF_CT_EXT_SYNPROXY extend built-in, i.e.
      introduce nf_conntrack_synproxy.c and only do ct extend register and
      unregister in it, similar to nf_conntrack_timeout.c.
      
      But having such a obscure restriction of nf_ct_extend_unregister is not a
      good idea, so we should invoke synchronize_rcu after set nf_ct_ext_types
      to NULL, and check the NULL pointer when do __nf_ct_ext_add_length. Then
      it will be easier if we add new ct extend in the future.
      
      Last, we use kfree_rcu to free nf_ct_ext, so rcu_barrier() is unnecessary
      anymore, remove it too.
      Signed-off-by: NLiping Zhang <zlpnobody@gmail.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      9c3f3794
    • L
      netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table · 83d90219
      Liping Zhang 提交于
      The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while
      nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER).
      So it's possible that one CPU is walking the nf_ct_helper_hash for
      cthelper add/get/del, another cpu is doing nf_conntrack_helpers_unregister
      at the same time. This is dangrous, and may cause use after free error.
      
      Note, delete operation will flush all cthelpers added via nfnetlink, so
      using rcu to do protect is not easy.
      
      Now introduce a dummy list to record all the cthelpers added via
      nfnetlink, then we can walk the dummy list instead of walking the
      nf_ct_helper_hash. Also, keep nfnl_cthelper_dump_table unchanged, it
      may be invoked without nfnl_lock(NFNL_SUBSYS_CTHELPER) held.
      Signed-off-by: NLiping Zhang <zlpnobody@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      83d90219