1. 15 May, 2014 4 commits
    • net: filter: s390: fix JIT address randomization · e84d2f8d
      Heiko Carstens committed
      This is the s390 variant of Alexei's JIT bug fix.
      (patch description below stolen from Alexei's patch)
      
      bpf_alloc_binary() adds 128 bytes of room to JITed program image
      and rounds it up to the nearest page size. If image size is close
      to page size (like 4000), it is rounded to two pages:
      round_up(4000 + 4 + 128) == 8192
      then 'hole' is computed as 8192 - (4000 + 4) = 4188
      If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
      then kernel will crash during bpf_jit_free():
      
      kernel BUG at arch/x86/mm/pageattr.c:887!
      Call Trace:
       [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
       [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
       [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
       [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
       [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
       [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
       [<ffffffff8106c90c>] worker_thread+0x11c/0x370
      
      since bpf_jit_free() does:
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
      to compute start address of 'bpf_binary_header'
      and header->pages will pass junk to:
        set_memory_rw(addr, header->pages);
      
      Fix it by making sure that &header->image[prandom_u32() % hole] and &header
      are in the same page.
      
      Fixes: aa2d2c73 ("s390/bpf,jit: address randomize and write protect jit code")
      Reported-by: Alexei Starovoitov <ast@plumgrid.com>
      Cc: <stable@vger.kernel.org> # v3.11+
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • af_iucv: wrong mapping of sent and confirmed skbs · f5738e2e
      Ursula Braun committed
      When sending data through IUCV a MESSAGE COMPLETE interrupt
      signals that sent data memory can be freed or reused again.
      With commit f9c41a62
      "af_iucv: fix recvmsg by replacing skb_pull() function" the
      MESSAGE COMPLETE callback iucv_callback_txdone() identifies
      the wrong skb as being confirmed, which leads to data corruption.
      This patch fixes the skb mapping logic in iucv_callback_txdone().
      Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
      Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • be2net: enable interrupts in EEH resume · 03a58baa
      Kalesh AP committed
      On some BE3 FW versions, after a HW reset, interrupts will remain disabled
      for each function. So, explicitly enable the interrupts in the eeh_resume
      handler, else after an eeh recovery interrupts wouldn't work.
      Signed-off-by: Kalesh AP <kalesh.purayil@emulex.com>
      Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • jme: Fix unmap loop counting error: · c4b16068
      Neil Horman committed
      In my recent fix (76a691d0: fix dma unmap warning), Ben Hutchings noted that my
      loop count was incorrect.  Where j started at startidx, it should have started
      at zero, and gone on for count entries, not to endidx.  Additionally, a DMA
      resource exhaustion should drop the frame and (for now), return
      NETDEV_TX_OK, not NETDEV_TX_BUSY.  This patch fixes both of those issues:
      Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
      CC: Ben Hutchings <ben@decadent.org.uk>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: Guo-Fu Tseng <cooldavid@cooldavid.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 14 May, 2014 5 commits
    • ipv6: fix calculation of option len in ip6_append_data · 3a1cebe7
      Hannes Frederic Sowa committed
      tot_len does specify the size of struct ipv6_txoptions. We need opt_flen +
      opt_nflen to calculate the overall length of additional ipv6 extensions.
      
      I found this while auditing the ipv6 output path for a memory corruption
      reported by Alexey Preobrazhensky while he fuzzed an instrumented
      AddressSanitizer kernel with trinity. This may or may not be the cause
      of the original bug.
      
      Fixes: 4df98e76 ("ipv6: pmtudisc setting not respected with UFO/CORK")
      Reported-by: Alexey Preobrazhensky <preobr@google.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: avoid dependency of net_get_random_once on nop patching · 3d440522
      Hannes Frederic Sowa committed
      net_get_random_once depends on the static keys infrastructure to patch up
      the branch to the slow path during boot. This was realized by abusing the
      static keys api and defining a new initializer to not enable the call
      site while still indicating that the branch point should get patched
      up. This was needed to have the fast path considered likely by gcc.
      
      The static key initialization during boot up normally walks through all
      the registered keys and either patches in ideal nops or enables the jump
      site but omitted that step on x86 if ideal nops were already placed at
      static_key branch points. Thus net_get_random_once branches did not always
      become active.
      
      This patch switches net_get_random_once to the ordinary static_key
      api and thus places the kernel fast path in the - by gcc considered -
      unlikely path.  Microbenchmarks on Intel and AMD x86-64 showed that
      the unlikely path actually beats the likely path in terms of cycle cost
      and that different nop patterns did not make much difference, thus this
      switch should not be noticeable.
      
      Fixes: a48e4292 ("net: introduce new macro net_get_random_once")
      Reported-by: Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: filter: x86: fix JIT address randomization · 773cd38f
      Alexei Starovoitov committed
      bpf_alloc_binary() adds 128 bytes of room to JITed program image
      and rounds it up to the nearest page size. If image size is close
      to page size (like 4000), it is rounded to two pages:
      round_up(4000 + 4 + 128) == 8192
      then 'hole' is computed as 8192 - (4000 + 4) = 4188
      If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
      then kernel will crash during bpf_jit_free():
      
      kernel BUG at arch/x86/mm/pageattr.c:887!
      Call Trace:
       [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
       [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
       [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
       [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
       [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
       [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
       [<ffffffff8106c90c>] worker_thread+0x11c/0x370
      
      since bpf_jit_free() does:
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
      to compute start address of 'bpf_binary_header'
      and header->pages will pass junk to:
        set_memory_rw(addr, header->pages);
      
      Fix it by making sure that &header->image[prandom_u32() % hole] and &header
      are in the same page
      
      Fixes: 314beb9b ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
      Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
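
The arithmetic in the two JIT address randomization messages (s390 e84d2f8d and x86 773cd38f), modelled in user space as an added example; this is not code from either commit. It assumes a 4096-byte page and the 4-byte header implied by the "+ 4" in the messages; `hole_clamped()` is a hypothetical helper showing one way to satisfy the stated same-page condition.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE   4096UL
#define PAGE_MASK   (~(PAGE_SIZE - 1))
#define HEADER_SIZE 4UL    /* the "+ 4" in the message's arithmetic */
#define JIT_ROOM    128UL  /* the 128 bytes of room added to the image */

/* Size of the random-offset range as the commit message computes it. */
unsigned long hole_unclamped(unsigned long proglen)
{
    unsigned long sz = (proglen + HEADER_SIZE + JIT_ROOM + PAGE_SIZE - 1) & PAGE_MASK;
    return sz - (proglen + HEADER_SIZE);
}

/* Assumed remedy (hypothetical helper): never let the offset leave page 0. */
unsigned long hole_clamped(unsigned long proglen)
{
    unsigned long hole = hole_unclamped(proglen);
    unsigned long limit = PAGE_SIZE - HEADER_SIZE;
    return hole < limit ? hole : limit;
}

/* Count offsets in [0, hole) where masking the program address with
 * PAGE_MASK, as bpf_jit_free() does, fails to recover the header. */
unsigned long bad_offsets(unsigned long hole)
{
    const uintptr_t header = 0x10000;  /* constructed page-aligned address */
    unsigned long off, bad = 0;

    for (off = 0; off < hole; off++) {
        uintptr_t bpf_func = header + HEADER_SIZE + off;
        if ((bpf_func & PAGE_MASK) != header)
            bad++;
    }
    return bad;
}

int main(void)
{
    unsigned long proglen = 4000;  /* the example size from the message */

    printf("unclamped: hole=%lu bad=%lu\n", hole_unclamped(proglen),
           bad_offsets(hole_unclamped(proglen)));
    printf("clamped:   hole=%lu bad=%lu\n", hole_clamped(proglen),
           bad_offsets(hole_clamped(proglen)));
    return 0;
}
```

With the 4000-byte image from the messages, 96 of the 4188 possible offsets put the program start in the second page, which is where the page-mask lookup in bpf_jit_free() reads junk instead of the header.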
    • Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 6262971a
      David S. Miller committed
      Included changes:
      - properly release neigh_ifinfo in batadv_iv_ogm_process_per_outif()
      - properly release orig_ifinfo->router when freeing orig_ifinfo
      - properly release neigh_node objects during periodic check
      - properly release neigh_info objects when the related hard_iface
        is free'd
      
      These changes are all very important because they fix some
      reference counting imbalances that lead to the
      impossibility of releasing the netdev object used by
      batman-adv on shutdown.
      The consequence is that such object cannot be destroyed by
      the networking stack (the refcounter does not reach zero)
      thus bringing the system into a hanging state during a normal
      reboot operation or a network reconfiguration.
    • neigh: set nud_state to NUD_INCOMPLETE when probing router reachability · 2176d5d4
      Duan Jiong committed
      Since commit 7e980569 ("ipv6: router reachability probing"), a router that falls
      into NUD_FAILED will be probed.
      
      Now if function rt6_select() selects a router whose neighbour state is NUD_FAILED,
      and at the same time function rt6_probe() changes the neighbour state to NUD_PROBE,
      then function dst_neigh_output() can directly send packets, but actually the
      neighbour still is unreachable. If we set nud_state to NUD_INCOMPLETE instead of
      NUD_PROBE, packets will not be sent out until the neighbour is reachable.
      
      In addition, because the route should be probed with a single NS, we must
      set neigh->probes to neigh_max_probes(), then the neigh timer timeout and function
      neigh_timer_handler() will not send other NS Messages.
      Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 13 May, 2014 3 commits
  4. 12 May, 2014 1 commit
    • ptp: fix kconfig dependency warnings · 1a466ae9
      Randy Dunlap committed
      Fix kconfig warnings:
      
      PTP_1588_CLOCK selects NET_PTP_CLASSIFY, which depends on NET,
      so PTP_1588_CLOCK should also depend on NET.
      
      PTP_1588_CLOCK_PCH selects PTP_1588_CLOCK so the former should
      depend on NET.
      
      warning: (IXP4XX_ETH && PTP_1588_CLOCK) selects NET_PTP_CLASSIFY which has unmet direct dependencies (NET)
      
      warning: (SFC && TILE_NET && BFIN_MAC_USE_HWSTAMP && TIGON3 && FEC && E1000E && IGB && IXGBE && I40E && MLX4_EN && SXGBE_ETH && STMMAC_ETH && TI_CPTS && PTP_1588_CLOCK_GIANFAR && PTP_1588_CLOCK_IXP46X && DP83640_PHY && PTP_1588_CLOCK_PCH) selects PTP_1588_CLOCK which has unmet direct dependencies (NET)
      [This warning is caused by the new 'depends on NET' in PTP_1588_CLOCK.]
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Acked-by: Richard Cochran <richardcochran@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 11 May, 2014 1 commit
  6. 10 May, 2014 14 commits
  7. 09 May, 2014 4 commits
  8. 08 May, 2014 8 commits