1. 15 3月, 2016 10 次提交
    • F
      bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict · 8626c56c
      Florian Westphal 提交于
      Zefir Kurtisi reported kernel panic with an openwrt specific patch.
      However, it turns out that mainline has a similar bug waiting to happen.
      
      Once NF_HOOK() returns the skb is in undefined state and must not be
      used.   Moreover, the okfn must consume the skb to support async
      processing (NF_QUEUE).
      
      Current okfn in this spot doesn't consume it and caller assumes that
      NF_HOOK return value tells us if skb was freed or not, but thats wrong.
      
      It "works" because no in-tree user registers a NFPROTO_BRIDGE hook at
      LOCAL_IN that returns STOLEN or NF_QUEUE verdicts.
      
      Once we add NF_QUEUE support for nftables bridge this will break --
      NF_QUEUE holds the skb for async processing, caller will erronoulsy
      return RX_HANDLER_PASS and on reinject netfilter will access free'd skb.
      
      Fix this by pushing skb up the stack in the okfn instead.
      
      NB: It also seems dubious to use LOCAL_IN while bypassing PRE_ROUTING
      completely in this case but this is how its been forever so it seems
      preferable to not change this.
      
      Cc: Felix Fietkau <nbd@openwrt.org>
      Cc: Zefir Kurtisi <zefir.kurtisi@neratec.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Tested-by: NZefir Kurtisi <zefir.kurtisi@neratec.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8626c56c
    • A
      phy: fixed: Fix removal of phys. · 5bcbe0f3
      Andrew Lunn 提交于
      The fixed phys delete function simply removed the fixed phy from the
      internal linked list and freed the memory. It however did not
      unregister the associated phy device. This meant it was still possible
      to find the phy device on the mdio bus.
      
      Make fixed_phy_del() an internal function and add a
      fixed_phy_unregister() to unregisters the phy device and then uses
      fixed_phy_del() to free resources.
      
      Modify DSA to use this new API function, so we don't leak phys.
      Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5bcbe0f3
    • A
      dsa: dsa: Fix freeing of fixed-phys from user ports. · ec777e6b
      Andrew Lunn 提交于
      All ports types can have a fixed PHY associated with it. Remove the
      check which limits removal to only CPU and DSA ports.
      Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ec777e6b
    • A
      dsa: Destroy fixed link phys after the phy has been disconnected · 3a44514f
      Andrew Lunn 提交于
      The phy is disconnected from the slave in dsa_slave_destroy(). Don't
      destroy fixed link phys until after this, since there can be fixed
      linked phys connected to ports.
      Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3a44514f
    • A
      dsa: slave: Don't reference NULL pointer during phy_disconnect · b71be352
      Andrew Lunn 提交于
      When the phy is disconnected, the parent pointer to the netdev it was
      attached to is set to NULL. The code then tries to suspend the phy,
      but dsa_slave_fixed_link_update needs the parent pointer to determine
      which switch the phy is connected to. So it dereferenced a NULL
      pointer. Check for this condition.
      Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b71be352
    • M
      tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In · a44d6eac
      Martin KaFai Lau 提交于
      Per RFC4898, they count segments sent/received
      containing a positive length data segment (that includes
      retransmission segments carrying data).  Unlike
      tcpi_segs_out/in, tcpi_data_segs_out/in excludes segments
      carrying no data (e.g. pure ack).
      
      The patch also updates the segs_in in tcp_fastopen_add_skb()
      so that segs_in >= data_segs_in property is kept.
      
      Together with retransmission data, tcpi_data_segs_out
      gives a better signal on the rxmit rate.
      
      v6: Rebase on the latest net-next
      
      v5: Eric pointed out that checking skb->len is still needed in
      tcp_fastopen_add_skb() because skb can carry a FIN without data.
      Hence, instead of open coding segs_in and data_segs_in, tcp_segs_in()
      helper is used.  Comment is added to the fastopen case to explain why
      segs_in has to be reset and tcp_segs_in() has to be called before
      __skb_pull().
      
      v4: Add comment to the changes in tcp_fastopen_add_skb()
      and also add remark on this case in the commit message.
      
      v3: Add const modifier to the skb parameter in tcp_segs_in()
      
      v2: Rework based on recent fix by Eric:
      commit a9d99ce2 ("tcp: fix tcpi_segs_in after connection establishment")
      Signed-off-by: NMartin KaFai Lau <kafai@fb.com>
      Cc: Chris Rapier <rapier@psc.edu>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Marcelo Ricardo Leitner <mleitner@redhat.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a44d6eac
    • A
      net: caif: fix misleading indentation · 8e0cc8c3
      Arnd Bergmann 提交于
      gcc points out code that is not indented the way it is
      interpreted:
      
      net/caif/cfpkt_skbuff.c: In function 'cfpkt_setlen':
      net/caif/cfpkt_skbuff.c:289:4: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
          return cfpkt_getlen(pkt);
          ^~~~~~
      net/caif/cfpkt_skbuff.c:286:3: note: ...this 'else' clause, but it is not
         else
         ^~~~
      
      It is clear from the context that not returning here would be
      a bug, as we'd end up passing a negative length into a function
      that takes a u16 length, so it is not missing curly braces
      here, and I'm assuming that the indentation is the only part
      that's wrong about it.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8e0cc8c3
    • A
      net: Fix use after free in the recvmmsg exit path · 34b88a68
      Arnaldo Carvalho de Melo 提交于
      The syzkaller fuzzer hit the following use-after-free:
      
        Call Trace:
         [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
         [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
         [<     inline     >] SYSC_recvmmsg net/socket.c:2281
         [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
         [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
        arch/x86/entry/entry_64.S:185
      
      And, as Dmitry rightly assessed, that is because we can drop the
      reference and then touch it when the underlying recvmsg calls return
      some packets and then hit an error, which will make recvmmsg to set
      sock->sk->sk_err, oops, fix it.
      Reported-and-Tested-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Fixes: a2e27255 ("net: Introduce recvmmsg socket syscall")
      http://lkml.kernel.org/r/20160122211644.GC2470@redhat.comSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      34b88a68
    • R
      tipc: make sure IPv6 header fits in skb headroom · 9bd160bf
      Richard Alpe 提交于
      Expand headroom further in order to be able to fit the larger IPv6
      header. Prior to this patch this caused a skb under panic for certain
      tipc packets when using IPv6 UDP bearer(s).
      Signed-off-by: NRichard Alpe <richard.alpe@ericsson.com>
      Acked-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9bd160bf
    • G
      net: add a hardware buffer management helper API · 8cb2d8bf
      Gregory CLEMENT 提交于
      This basic implementation allows to share code between driver using
      hardware buffer management. As the code is hardware agnostic, there is
      few helpers, most of the optimization brought by the an HW BM has to be
      done at driver level.
      Tested-by: NSebastian Careba <nitroshift@yahoo.com>
      Signed-off-by: NGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8cb2d8bf
  2. 14 3月, 2016 11 次提交
  3. 12 3月, 2016 4 次提交
  4. 11 3月, 2016 11 次提交
  5. 10 3月, 2016 4 次提交
    • W
      packet: validate variable length ll headers · 9ed988cd
      Willem de Bruijn 提交于
      Replace link layer header validation check ll_header_truncate with
      more generic dev_validate_header.
      
      Validation based on hard_header_len incorrectly drops valid packets
      in variable length protocols, such as AX25. dev_validate_header
      calls header_ops.validate for such protocols to ensure correctness
      below hard_header_len.
      
      See also http://comments.gmane.org/gmane.linux.network/401064
      
      Fixes 9c707762 ("packet: make packet_snd fail on len smaller than l2 header")
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9ed988cd
    • W
      ax25: add link layer header validation function · ea47781c
      Willem de Bruijn 提交于
      As variable length protocol, AX25 fails link layer header validation
      tests based on a minimum length. header_ops.validate allows protocols
      to validate headers that are shorter than hard_header_len. Implement
      this callback for AX25.
      
      See also http://comments.gmane.org/gmane.linux.network/401064Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ea47781c
    • T
      kcm: Add receive message timeout · 29152a34
      Tom Herbert 提交于
      This patch adds receive timeout for message assembly on the attached TCP
      sockets. The timeout is set when a new messages is started and the whole
      message has not been received by TCP (not in the receive queue). If the
      completely message is subsequently received the timer is cancelled, if the
      timer expires the RX side is aborted.
      
      The timeout value is taken from the socket timeout (SO_RCVTIMEO) that is
      set on a TCP socket (i.e. set by get sockopt before attaching a TCP socket
      to KCM.
      Signed-off-by: NTom Herbert <tom@herbertland.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      29152a34
    • T
      kcm: Add memory limit for receive message construction · 7ced95ef
      Tom Herbert 提交于
      Message assembly is performed on the TCP socket. This is logically
      equivalent of an application that performs a peek on the socket to find
      out how much memory is needed for a receive buffer. The receive socket
      buffer also provides the maximum message size which is checked.
      
      The receive algorithm is something like:
      
         1) Receive the first skbuf for a message (or skbufs if multiple are
            needed to determine message length).
         2) Check the message length against the number of bytes in the TCP
            receive queue (tcp_inq()).
      	- If all the bytes of the message are in the queue (incluing the
      	  skbuf received), then proceed with message assembly (it should
      	  complete with the tcp_read_sock)
              - Else, mark the psock with the number of bytes needed to
      	  complete the message.
         3) In TCP data ready function, if the psock indicates that we are
            waiting for the rest of the bytes of a messages, check the number
            of queued bytes against that.
              - If there are still not enough bytes for the message, just
      	  return
              - Else, clear the waiting bytes and proceed to receive the
      	  skbufs.  The message should now be received in one
      	  tcp_read_sock
      Signed-off-by: NTom Herbert <tom@herbertland.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7ced95ef