1. 18 1月, 2018 9 次提交
    • R
      Net: ethernet: ti: netcp: Fix inbound ping crash if MTU size is greater than 1500 · 5a717843
      Rex Chang 提交于
      In the receive queue for 4096 bytes fragments, the page address
      set in the SW data0 field of the descriptor is not the one we got
      when doing the reassembly in receive. The page structure was retrieved
      from the wrong descriptor into SW data0 which is then causing a
      page fault when UDP checksum is accessing data above 1500.
      Signed-off-by: NRex Chang <rchang@ti.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5a717843
    • S
      tls: reset crypto_info when do_tls_setsockopt_tx fails · 6db959c8
      Sabrina Dubroca 提交于
      The current code copies directly from userspace to ctx->crypto_send, but
      doesn't always reinitialize it to 0 on failure. This causes any
      subsequent attempt to use this setsockopt to fail because of the
      TLS_CRYPTO_INFO_READY check, eventhough crypto_info is not actually
      ready.
      
      This should result in a correctly set up socket after the 3rd call, but
      currently it does not:
      
          size_t s = sizeof(struct tls12_crypto_info_aes_gcm_128);
          struct tls12_crypto_info_aes_gcm_128 crypto_good = {
              .info.version = TLS_1_2_VERSION,
              .info.cipher_type = TLS_CIPHER_AES_GCM_128,
          };
      
          struct tls12_crypto_info_aes_gcm_128 crypto_bad_type = crypto_good;
          crypto_bad_type.info.cipher_type = 42;
      
          setsockopt(sock, SOL_TLS, TLS_TX, &crypto_bad_type, s);
          setsockopt(sock, SOL_TLS, TLS_TX, &crypto_good, s - 1);
          setsockopt(sock, SOL_TLS, TLS_TX, &crypto_good, s);
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6db959c8
    • S
      tls: return -EBUSY if crypto_info is already set · 877d17c7
      Sabrina Dubroca 提交于
      do_tls_setsockopt_tx returns 0 without doing anything when crypto_info
      is already set. Silent failure is confusing for users.
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      877d17c7
    • S
      tls: fix sw_ctx leak · cf6d43ef
      Sabrina Dubroca 提交于
      During setsockopt(SOL_TCP, TLS_TX), if initialization of the software
      context fails in tls_set_sw_offload(), we leak sw_ctx. We also don't
      reassign ctx->priv_ctx to NULL, so we can't even do another attempt to
      set it up on the same socket, as it will fail with -EEXIST.
      
      Fixes: 3c4d7559 ('tls: kernel TLS support')
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cf6d43ef
    • D
      Merge tag 'linux-can-fixes-for-4.15-20180116' of... · 6ab6dd9e
      David S. Miller 提交于
      Merge tag 'linux-can-fixes-for-4.15-20180116' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2018-01-16
      
      this is a pull reqeust of a single patch for net/master:
      
      This patch by Stephane Grosjean fixes a potential bug in the packet
      fragmentation in the peak USB driver.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6ab6dd9e
    • I
      net/tls: Only attach to sockets in ESTABLISHED state · d91c3e17
      Ilya Lesokhin 提交于
      Calling accept on a TCP socket with a TLS ulp attached results
      in two sockets that share the same ulp context.
      The ulp context is freed while a socket is destroyed, so
      after one of the sockets is released, the second second will
      trigger a use after free when it tries to access the ulp context
      attached to it.
      We restrict the TLS ulp to sockets in ESTABLISHED state
      to prevent the scenario above.
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Reported-by: syzbot+904e7cd6c5c741609228@syzkaller.appspotmail.com
      Signed-off-by: NIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d91c3e17
    • C
      net: fs_enet: do not call phy_stop() in interrupts · f8b39039
      Christophe Leroy 提交于
      In case of TX timeout, fs_timeout() calls phy_stop(), which
      triggers the following BUG_ON() as we are in interrupt.
      
      [92708.199889] kernel BUG at drivers/net/phy/mdio_bus.c:482!
      [92708.204985] Oops: Exception in kernel mode, sig: 5 [#1]
      [92708.210119] PREEMPT
      [92708.212107] CMPC885
      [92708.214216] CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G        W       4.9.61 #39
      [92708.223227] task: c60f0a40 task.stack: c6104000
      [92708.227697] NIP: c02a84bc LR: c02a947c CTR: c02a93d8
      [92708.232614] REGS: c6105c70 TRAP: 0700   Tainted: G        W        (4.9.61)
      [92708.241193] MSR: 00021032 <ME,IR,DR,RI>[92708.244818]   CR: 24000822  XER: 20000000
      [92708.248767]
      GPR00: c02a947c c6105d20 c60f0a40 c62b4c00 00000005 0000001f c069aad8 0001a688
      GPR08: 00000007 00000100 c02a93d8 00000000 000005fc 00000000 c6213240 c06338e4
      GPR16: 00000001 c06330d4 c0633094 00000000 c0680000 c6104000 c6104000 00000000
      GPR24: 00000200 00000000 ffffffff 00000004 00000078 00009032 00000000 c62b4c00
      NIP [c02a84bc] mdiobus_read+0x20/0x74
      [92708.281517] LR [c02a947c] kszphy_config_intr+0xa4/0xc4
      [92708.286547] Call Trace:
      [92708.288980] [c6105d20] [c6104000] 0xc6104000 (unreliable)
      [92708.294339] [c6105d40] [c02a947c] kszphy_config_intr+0xa4/0xc4
      [92708.300098] [c6105d50] [c02a5330] phy_stop+0x60/0x9c
      [92708.305007] [c6105d60] [c02c84d0] fs_timeout+0xdc/0x110
      [92708.310197] [c6105d80] [c035cd48] dev_watchdog+0x268/0x2a0
      [92708.315593] [c6105db0] [c0060288] call_timer_fn+0x34/0x17c
      [92708.321014] [c6105dd0] [c00605f0] run_timer_softirq+0x21c/0x2e4
      [92708.326887] [c6105e50] [c001e19c] __do_softirq+0xf4/0x2f4
      [92708.332207] [c6105eb0] [c001e3c8] run_ksoftirqd+0x2c/0x40
      [92708.337560] [c6105ec0] [c003b420] smpboot_thread_fn+0x1f0/0x258
      [92708.343405] [c6105ef0] [c003745c] kthread+0xbc/0xd0
      [92708.348217] [c6105f40] [c000c400] ret_from_kernel_thread+0x5c/0x64
      [92708.354275] Instruction dump:
      [92708.357207] 7c0803a6 bbc10018 38210020 4e800020 7c0802a6 9421ffe0 54290024 bfc10018
      [92708.364865] 90010024 7c7f1b78 81290008 552902ee <0f090000> 3bc3002c 7fc3f378 90810008
      [92708.372711] ---[ end trace 42b05441616fafd7 ]---
      
      This patch moves fs_timeout() actions into an async worker.
      
      Fixes: commit 48257c4f ("Add fs_enet ethernet network driver, for several embedded platforms")
      Signed-off-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f8b39039
    • K
      r8152: disable RX aggregation on Dell TB16 dock · 0b165514
      Kai-Heng Feng 提交于
      r8153 on Dell TB15/16 dock corrupts rx packets.
      
      This change is suggested by Realtek. They guess that the XHCI controller
      doesn't have enough buffer, and their guesswork is correct, once the RX
      aggregation gets disabled, the issue is gone.
      
      ASMedia is currently working on a real sulotion for this issue.
      
      Dell and ODM confirm the bcdDevice and iSerialNumber is unique for TB16.
      
      Note that TB15 has different bcdDevice and iSerialNumber, which are not
      unique values. If you still have TB15, please contact Dell to replace it
      with TB16.
      
      BugLink: https://bugs.launchpad.net/bugs/1729674
      Cc: Mario Limonciello <mario.limonciello@dell.com>
      Signed-off-by: NKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0b165514
    • C
      tun: fix a memory leak for tfile->tx_array · 4df0bfc7
      Cong Wang 提交于
      tfile->tun could be detached before we close the tun fd,
      via tun_detach_all(), so it should not be used to check for
      tfile->tx_array.
      
      As Jason suggested, we probably have to clean it up
      unconditionally both in __tun_deatch() and tun_detach_all(),
      but this requires to check if it is initialized or not.
      Currently skb_array_cleanup() doesn't have such a check,
      so I check it in the caller and introduce a helper function,
      it is a bit ugly but we can always improve it in net-next.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Fixes: 1576d986 ("tun: switch to use skb array for tx")
      Cc: Jason Wang <jasowang@redhat.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4df0bfc7
  2. 17 1月, 2018 13 次提交
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 8cbab92d
      Linus Torvalds 提交于
      Pull rdma fixes from Doug Ledford:
       "We had a few more items creep up over the last week. Given we are in
        -rc8, these are obviously limited to bugs that have a big downside and
        for which we are certain of the fix.
      
        The first is a straight up oops bug that all you have to do is read
        the code to see it's a guaranteed 100% oops bug.
      
        The second is a use-after-free issue. We get away lucky if the queue
        we are shutting down is empty, but if it isn't, we can end up oopsing.
        We really need to drain the queue before destroying it.
      
        The final one is an issue with bad user input causing us to access our
        port array out of bounds. While fixing the array out of bounds issue,
        it was noticed that the original code did the same thing twice (the
        call to rdma_ah_set_port_num()), so its removal is not balanced by a
        readd elsewhere, it was already where it needed to be in addition to
        where it didn't need to be.
      
        Summary:
      
         - Oops fix in hfi1 driver
      
         - use-after-free issue in iser-target
      
         - use of user supplied array index without proper checking"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/mlx5: Fix out-of-bound access while querying AH
        IB/hfi1: Prevent a NULL dereference
        iser-target: Fix possible use-after-free in connection establishment error
      8cbab92d
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · b45a53be
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Two read past end of buffer fixes in AF_KEY, from Eric Biggers.
      
       2) Memory leak in key_notify_policy(), from Steffen Klassert.
      
       3) Fix overflow with bpf arrays, from Daniel Borkmann.
      
       4) Fix RDMA regression with mlx5 due to mlx5 no longer using
          pci_irq_get_affinity(), from Saeed Mahameed.
      
       5) Missing RCU read locking in nl80211_send_iface() when it calls
          ieee80211_bss_get_ie(), from Dominik Brodowski.
      
       6) cfg80211 should check dev_set_name()'s return value, from Johannes
          Berg.
      
       7) Missing module license tag in 9p protocol, from Stephen Hemminger.
      
       8) Fix crash due to too small MTU in udp ipv6 sendmsg, from Mike
          Maloney.
      
       9) Fix endless loop in netlink extack code, from David Ahern.
      
      10) TLS socket layer sets inverted error codes, resulting in an endless
          loop. From Robert Hering.
      
      11) Revert openvswitch erspan tunnel support, it's mis-designed and we
          need to kill it before it goes into a real release. From William Tu.
      
      12) Fix lan78xx failures in full speed USB mode, from Yuiko Oshino.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
        net, sched: fix panic when updating miniq {b,q}stats
        qed: Fix potential use-after-free in qed_spq_post()
        nfp: use the correct index for link speed table
        lan78xx: Fix failure in USB Full Speed
        sctp: do not allow the v4 socket to bind a v4mapped v6 address
        sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
        sctp: reinit stream if stream outcnt has been change by sinit in sendmsg
        ibmvnic: Fix pending MAC address changes
        netlink: extack: avoid parenthesized string constant warning
        ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY
        net: Allow neigh contructor functions ability to modify the primary_key
        sh_eth: fix dumping ARSTR
        Revert "openvswitch: Add erspan tunnel support."
        net/tls: Fix inverted error codes to avoid endless loop
        ipv6: ip6_make_skb() needs to clear cork.base.dst
        sctp: avoid compiler warning on implicit fallthru
        net: ipv4: Make "ip route get" match iif lo rules again.
        netlink: extack needs to be reset each time through loop
        tipc: fix a memory leak in tipc_nl_node_get_link()
        ipv6: fix udpv6 sendmsg crash caused by too small MTU
        ...
      b45a53be
    • L
      Merge tag 'sound-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 41aa5e5d
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "A few small last-minute fixes that should sneak into 4.15:
      
         - remove a spurious WARN_ON() triggered by syzkaller
      
         - fix for ioctl races in ALSA sequencer
      
         - two trivial HD-audio fixup entries"
      
      * tag 'sound-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: seq: Make ioctls race-free
        ALSA: pcm: Remove yet superfluous WARN_ON()
        ALSA: hda - Apply the existing quirk to iMac 14,1
        ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
      41aa5e5d
    • L
      Merge tag 'trace-v4.15-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 921d4f67
      Linus Torvalds 提交于
      Pull tracing fixes from Steven Rostedt:
      
       - Bring back context level recursive protection in ring buffer.
      
         The simpler counter protection failed, due to a path when tracing
         with trace_clock_global() as it could not be reentrant and depended
         on the ring buffer recursive protection to keep that from happening.
      
       - Prevent branch profiling when FORTIFY_SOURCE is enabled.
      
         It causes 50 - 60 MB in warning messages. Branch profiling should
         never be run on production systems, so there's no reason that it
         needs to be enabled with FORTIFY_SOURCE.
      
      * tag 'trace-v4.15-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Prevent PROFILE_ALL_BRANCHES when FORTIFY_SOURCE=y
        ring-buffer: Bring back context level recursive checks
      921d4f67
    • D
      net, sched: fix panic when updating miniq {b,q}stats · 81d947e2
      Daniel Borkmann 提交于
      While working on fixing another bug, I ran into the following panic
      on arm64 by simply attaching clsact qdisc, adding a filter and running
      traffic on ingress to it:
      
        [...]
        [  178.188591] Unable to handle kernel read from unreadable memory at virtual address 810fb501f000
        [  178.197314] Mem abort info:
        [  178.200121]   ESR = 0x96000004
        [  178.203168]   Exception class = DABT (current EL), IL = 32 bits
        [  178.209095]   SET = 0, FnV = 0
        [  178.212157]   EA = 0, S1PTW = 0
        [  178.215288] Data abort info:
        [  178.218175]   ISV = 0, ISS = 0x00000004
        [  178.222019]   CM = 0, WnR = 0
        [  178.224997] user pgtable: 4k pages, 48-bit VAs, pgd = 0000000023cb3f33
        [  178.231531] [0000810fb501f000] *pgd=0000000000000000
        [  178.236508] Internal error: Oops: 96000004 [#1] SMP
        [...]
        [  178.311855] CPU: 73 PID: 2497 Comm: ping Tainted: G        W        4.15.0-rc7+ #5
        [  178.319413] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB18A 03/31/2017
        [  178.326887] pstate: 60400005 (nZCv daif +PAN -UAO)
        [  178.331685] pc : __netif_receive_skb_core+0x49c/0xac8
        [  178.336728] lr : __netif_receive_skb+0x28/0x78
        [  178.341161] sp : ffff00002344b750
        [  178.344465] x29: ffff00002344b750 x28: ffff810fbdfd0580
        [  178.349769] x27: 0000000000000000 x26: ffff000009378000
        [...]
        [  178.418715] x1 : 0000000000000054 x0 : 0000000000000000
        [  178.424020] Process ping (pid: 2497, stack limit = 0x000000009f0a3ff4)
        [  178.430537] Call trace:
        [  178.432976]  __netif_receive_skb_core+0x49c/0xac8
        [  178.437670]  __netif_receive_skb+0x28/0x78
        [  178.441757]  process_backlog+0x9c/0x160
        [  178.445584]  net_rx_action+0x2f8/0x3f0
        [...]
      
      Reason is that sch_ingress and sch_clsact are doing mini_qdisc_pair_init()
      which sets up miniq pointers to cpu_{b,q}stats from the underlying qdisc.
      Problem is that this cannot work since they are actually set up right after
      the qdisc ->init() callback in qdisc_create(), so first packet going into
      sch_handle_ingress() tries to call mini_qdisc_bstats_cpu_update() and we
      therefore panic.
      
      In order to fix this, allocation of {b,q}stats needs to happen before we
      call into ->init(). In net-next, there's already such option through commit
      d59f5ffa ("net: sched: a dflt qdisc may be used with per cpu stats").
      However, the bug needs to be fixed in net still for 4.15. Thus, include
      these bits to reduce any merge churn and reuse the static_flags field to
      set TCQ_F_CPUSTATS, and remove the allocation from qdisc_create() since
      there is no other user left. Prashant Bhole ran into the same issue but
      for net-next, thus adding him below as well as co-author. Same issue was
      also reported by Sandipan Das when using bcc.
      
      Fixes: 46209401 ("net: core: introduce mini_Qdisc and eliminate usage of tp->q for clsact fastpath")
      Reference: https://lists.iovisor.org/pipermail/iovisor-dev/2018-January/001190.htmlReported-by: NSandipan Das <sandipan@linux.vnet.ibm.com>
      Co-authored-by: NPrashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
      Co-authored-by: NJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      81d947e2
    • R
      qed: Fix potential use-after-free in qed_spq_post() · 70eeff66
      Roland Dreier 提交于
      We need to check if p_ent->comp_mode is QED_SPQ_MODE_EBLOCK before
      calling qed_spq_add_entry().  The test is fine is the mode is EBLOCK,
      but if it isn't then qed_spq_add_entry() might kfree(p_ent).
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      70eeff66
    • J
      nfp: use the correct index for link speed table · 0d9c9f0f
      Jakub Kicinski 提交于
      sts variable is holding link speed as well as state.  We should
      be using ls to index into ls_to_ethtool.
      
      Fixes: 265aeb51 ("nfp: add support for .get_link_ksettings()")
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0d9c9f0f
    • Y
      lan78xx: Fix failure in USB Full Speed · a5b1379a
      Yuiko Oshino 提交于
      Fix initialize the uninitialized tx_qlen to an appropriate value when USB
      Full Speed is used.
      
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
      Signed-off-by: NYuiko Oshino <yuiko.oshino@microchip.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a5b1379a
    • D
      Merge tag 'mac80211-for-davem-2018-01-15' of... · 161f72ed
      David S. Miller 提交于
      Merge tag 'mac80211-for-davem-2018-01-15' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      More fixes:
       * hwsim:
          - properly flush deletion works at module unload
          - validate # of channels passed from userspace
       * cfg80211:
          - fix RCU locking regression
          - initialize on-stack channel data for nl80211 event
          - check dev_set_name() return value
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      161f72ed
    • X
      sctp: do not allow the v4 socket to bind a v4mapped v6 address · c5006b8a
      Xin Long 提交于
      The check in sctp_sockaddr_af is not robust enough to forbid binding a
      v4mapped v6 addr on a v4 socket.
      
      The worse thing is that v4 socket's bind_verify would not convert this
      v4mapped v6 addr to a v4 addr. syzbot even reported a crash as the v4
      socket bound a v6 addr.
      
      This patch is to fix it by doing the common sa.sa_family check first,
      then AF_INET check for v4mapped v6 addrs.
      
      Fixes: 7dab83de ("sctp: Support ipv6only AF_INET6 sockets.")
      Reported-by: syzbot+7b7b518b1228d2743963@syzkaller.appspotmail.com
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5006b8a
    • X
      sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf · a0ff6600
      Xin Long 提交于
      After commit cea0cc80 ("sctp: use the right sk after waking up from
      wait_buf sleep"), it may change to lock another sk if the asoc has been
      peeled off in sctp_wait_for_sndbuf.
      
      However, the asoc's new sk could be already closed elsewhere, as it's in
      the sendmsg context of the old sk that can't avoid the new sk's closing.
      If the sk's last one refcnt is held by this asoc, later on after putting
      this asoc, the new sk will be freed, while under it's own lock.
      
      This patch is to revert that commit, but fix the old issue by returning
      error under the old sk's lock.
      
      Fixes: cea0cc80 ("sctp: use the right sk after waking up from wait_buf sleep")
      Reported-by: syzbot+ac6ea7baa4432811eb50@syzkaller.appspotmail.com
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a0ff6600
    • X
      sctp: reinit stream if stream outcnt has been change by sinit in sendmsg · 625637bf
      Xin Long 提交于
      After introducing sctp_stream structure, sctp uses stream->outcnt as the
      out stream nums instead of c.sinit_num_ostreams.
      
      However when users use sinit in cmsg, it only updates c.sinit_num_ostreams
      in sctp_sendmsg. At that moment, stream->outcnt is still using previous
      value. If it's value is not updated, the sinit_num_ostreams of sinit could
      not really work.
      
      This patch is to fix it by updating stream->outcnt and reiniting stream
      if stream outcnt has been change by sinit in sendmsg.
      
      Fixes: a8386317 ("sctp: prepare asoc stream for stream reconf")
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      625637bf
    • T
      ibmvnic: Fix pending MAC address changes · 3d166130
      Thomas Falcon 提交于
      Due to architecture limitations, the IBM VNIC client driver is unable
      to perform MAC address changes unless the device has "logged in" to
      its backing device. Currently, pending MAC changes are handled before
      login, resulting in an error and failure to change the MAC address.
      Moving that chunk to the end of the ibmvnic_login function, when we are
      sure that it was successful, fixes that.
      
      The MAC address can be changed when the device is up or down, so
      only check if the device is in a "PROBED" state before setting the
      MAC address.
      
      Fixes: c26eba03 ("ibmvnic: Update reset infrastructure to support tunable parameters")
      Signed-off-by: NThomas Falcon <tlfalcon@linux.vnet.ibm.com>
      Reviewed-by: NJohn Allen <jallen@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3d166130
  3. 16 1月, 2018 18 次提交
    • S
      can: peak: fix potential bug in packet fragmentation · d8a243af
      Stephane Grosjean 提交于
      In some rare conditions when running one PEAK USB-FD interface over
      a non high-speed USB controller, one useless USB fragment might be sent.
      This patch fixes the way a USB command is fragmented when its length is
      greater than 64 bytes and when the underlying USB controller is not a
      high-speed one.
      Signed-off-by: NStephane Grosjean <s.grosjean@peak-system.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      d8a243af
    • L
      RDMA/mlx5: Fix out-of-bound access while querying AH · ae59c3f0
      Leon Romanovsky 提交于
      The rdma_ah_find_type() accesses the port array based on an index
      controlled by userspace. The existing bounds check is after the first use
      of the index, so userspace can generate an out of bounds access, as shown
      by the KASN report below.
      
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in to_rdma_ah_attr+0xa8/0x3b0
      Read of size 4 at addr ffff880019ae2268 by task ibv_rc_pingpong/409
      
      CPU: 0 PID: 409 Comm: ibv_rc_pingpong Not tainted 4.15.0-rc2-00031-gb60a3faf5b83-dirty #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0xe9/0x18f
       print_address_description+0xa2/0x350
       kasan_report+0x3a5/0x400
       to_rdma_ah_attr+0xa8/0x3b0
       mlx5_ib_query_qp+0xd35/0x1330
       ib_query_qp+0x8a/0xb0
       ib_uverbs_query_qp+0x237/0x7f0
       ib_uverbs_write+0x617/0xd80
       __vfs_write+0xf7/0x500
       vfs_write+0x149/0x310
       SyS_write+0xca/0x190
       entry_SYSCALL_64_fastpath+0x18/0x85
      RIP: 0033:0x7fe9c7a275a0
      RSP: 002b:00007ffee5498738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 00007fe9c7ce4b00 RCX: 00007fe9c7a275a0
      RDX: 0000000000000018 RSI: 00007ffee5498800 RDI: 0000000000000003
      RBP: 000055d0c8d3f010 R08: 00007ffee5498800 R09: 0000000000000018
      R10: 00000000000000ba R11: 0000000000000246 R12: 0000000000008000
      R13: 0000000000004fb0 R14: 000055d0c8d3f050 R15: 00007ffee5498560
      
      Allocated by task 1:
       __kmalloc+0x3f9/0x430
       alloc_mad_private+0x25/0x50
       ib_mad_post_receive_mads+0x204/0xa60
       ib_mad_init_device+0xa59/0x1020
       ib_register_device+0x83a/0xbc0
       mlx5_ib_add+0x50e/0x5c0
       mlx5_add_device+0x142/0x410
       mlx5_register_interface+0x18f/0x210
       mlx5_ib_init+0x56/0x63
       do_one_initcall+0x15b/0x270
       kernel_init_freeable+0x2d8/0x3d0
       kernel_init+0x14/0x190
       ret_from_fork+0x24/0x30
      
      Freed by task 0:
      (stack is not available)
      
      The buggy address belongs to the object at ffff880019ae2000
       which belongs to the cache kmalloc-512 of size 512
      The buggy address is located 104 bytes to the right of
       512-byte region [ffff880019ae2000, ffff880019ae2200)
      The buggy address belongs to the page:
      page:000000005d674e18 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
      flags: 0x4000000000008100(slab|head)
      raw: 4000000000008100 0000000000000000 0000000000000000 00000001000c000c
      raw: dead000000000100 dead000000000200 ffff88001a402000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff880019ae2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff880019ae2180: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
      >ffff880019ae2200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
       ffff880019ae2280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff880019ae2300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ==================================================================
      Disabling lock debugging due to kernel taint
      
      Cc: <stable@vger.kernel.org>
      Fixes: 44c58487 ("IB/core: Define 'ib' and 'roce' rdma_ah_attr types")
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      ae59c3f0
    • J
      netlink: extack: avoid parenthesized string constant warning · 6311b7ce
      Johannes Berg 提交于
      NL_SET_ERR_MSG() and NL_SET_ERR_MSG_ATTR() lead to the following warning
      in newer versions of gcc:
        warning: array initialized from parenthesized string constant
      
      Just remove the parentheses, they're not needed in this context since
      anyway since there can be no operator precendence issues or similar.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6311b7ce
    • D
      Merge branch 'ipv4-Make-neigh-lookup-keys-for-loopback-point-to-point-devices-be-INADDR_ANY' · db9ca5ca
      David S. Miller 提交于
      Jim Westfall says:
      
      ====================
      ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY
      
      This used to be the previous behavior in older kernels but became broken in
      a263b309 (ipv4: Make neigh lookups directly in output packet path)
      and then later removed because it was broken in 0bb4087c (ipv4: Fix neigh
      lookup keying over loopback/point-to-point devices)
      
      Not having this results in there being an arp entry for every remote ip
      address that the device talks to.  Given a fairly active device it can
      cause the arp table to become huge and/or having to add/purge large number
      of entires to keep within table size thresholds.
      
      $ ip -4 neigh show nud noarp | grep tun | wc -l
      55850
      
      $ lnstat -k arp_cache:entries,arp_cache:allocs,arp_cache:destroys -c 10
      arp_cach|arp_cach|arp_cach|
       entries|  allocs|destroys|
         81493|620166816|620126069|
        101867|   10186|       0|
        113854|    5993|       0|
        118773|    2459|       0|
         27937|   18579|   63998|
         39256|    5659|       0|
         56231|    8487|       0|
         65602|    4685|       0|
         79697|    7047|       0|
         90733|    5517|       0|
      
      v2:
       - fixes coding style issues
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      db9ca5ca
    • J
      ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY · cd9ff4de
      Jim Westfall 提交于
      Map all lookup neigh keys to INADDR_ANY for loopback/point-to-point devices
      to avoid making an entry for every remote ip the device needs to talk to.
      
      This used the be the old behavior but became broken in a263b309
      (ipv4: Make neigh lookups directly in output packet path) and later removed
      in 0bb4087c (ipv4: Fix neigh lookup keying over loopback/point-to-point
      devices) because it was broken.
      Signed-off-by: NJim Westfall <jwestfall@surrealistic.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cd9ff4de
    • J
      net: Allow neigh contructor functions ability to modify the primary_key · 096b9854
      Jim Westfall 提交于
      Use n->primary_key instead of pkey to account for the possibility that a neigh
      constructor function may have modified the primary_key value.
      Signed-off-by: NJim Westfall <jwestfall@surrealistic.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      096b9854
    • S
      sh_eth: fix dumping ARSTR · 17d0fb0c
      Sergei Shtylyov 提交于
      ARSTR  is always located at the start of the TSU register region, thus
      using add_reg()  instead of add_tsu_reg() in __sh_eth_get_regs() to dump it
      causes EDMR or EDSR (depending on the register layout) to be dumped instead
      of ARSTR.  Use the correct condition/macro there...
      
      Fixes: 6b4b4fea ("sh_eth: Implement ethtool register dump operations")
      Signed-off-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      17d0fb0c
    • W
      Revert "openvswitch: Add erspan tunnel support." · 95a33208
      William Tu 提交于
      This reverts commit ceaa001a.
      
      The OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS attr should be designed
      as a nested attribute to support all ERSPAN v1 and v2's fields.
      The current attr is a be32 supporting only one field.  Thus, this
      patch reverts it and later patch will redo it using nested attr.
      Signed-off-by: NWilliam Tu <u9012063@gmail.com>
      Cc: Jiri Benc <jbenc@redhat.com>
      Cc: Pravin Shelar <pshelar@ovn.org>
      Acked-by: NJiri Benc <jbenc@redhat.com>
      Acked-by: NPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      95a33208
    • R
      net/tls: Fix inverted error codes to avoid endless loop · 30be8f8d
      r.hering@avm.de 提交于
      sendfile() calls can hang endless with using Kernel TLS if a socket error occurs.
      Socket error codes must be inverted by Kernel TLS before returning because
      they are stored with positive sign. If returned non-inverted they are
      interpreted as number of bytes sent, causing endless looping of the
      splice mechanic behind sendfile().
      Signed-off-by: NRobert Hering <r.hering@avm.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      30be8f8d
    • E
      ipv6: ip6_make_skb() needs to clear cork.base.dst · 95ef498d
      Eric Dumazet 提交于
      In my last patch, I missed fact that cork.base.dst was not initialized
      in ip6_make_skb() :
      
      If ip6_setup_cork() returns an error, we might attempt a dst_release()
      on some random pointer.
      
      Fixes: 862c03ee ("ipv6: fix possible mem leaks in ipv6_make_skb()")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      95ef498d
    • R
      tracing: Prevent PROFILE_ALL_BRANCHES when FORTIFY_SOURCE=y · 68e76e03
      Randy Dunlap 提交于
      I regularly get 50 MB - 60 MB files during kernel randconfig builds.
      These large files mostly contain (many repeats of; e.g., 124,594):
      
      In file included from ../include/linux/string.h:6:0,
                       from ../include/linux/uuid.h:20,
                       from ../include/linux/mod_devicetable.h:13,
                       from ../scripts/mod/devicetable-offsets.c:3:
      ../include/linux/compiler.h:64:4: warning: '______f' is static but declared in inline function 'strcpy' which is not static [enabled by default]
          ______f = {     \
          ^
      ../include/linux/compiler.h:56:23: note: in expansion of macro '__trace_if'
                             ^
      ../include/linux/string.h:425:2: note: in expansion of macro 'if'
        if (p_size == (size_t)-1 && q_size == (size_t)-1)
        ^
      
      This only happens when CONFIG_FORTIFY_SOURCE=y and
      CONFIG_PROFILE_ALL_BRANCHES=y, so prevent PROFILE_ALL_BRANCHES if
      FORTIFY_SOURCE=y.
      
      Link: http://lkml.kernel.org/r/9199446b-a141-c0c3-9678-a3f9107f2750@infradead.orgSigned-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      68e76e03
    • M
      37f47bc9
    • L
      net: ipv4: Make "ip route get" match iif lo rules again. · 6503a304
      Lorenzo Colitti 提交于
      Commit 3765d35e ("net: ipv4: Convert inet_rtm_getroute to rcu
      versions of route lookup") broke "ip route get" in the presence
      of rules that specify iif lo.
      
      Host-originated traffic always has iif lo, because
      ip_route_output_key_hash and ip6_route_output_flags set the flow
      iif to LOOPBACK_IFINDEX. Thus, putting "iif lo" in an ip rule is a
      convenient way to select only originated traffic and not forwarded
      traffic.
      
      inet_rtm_getroute used to match these rules correctly because
      even though it sets the flow iif to 0, it called
      ip_route_output_key which overwrites iif with LOOPBACK_IFINDEX.
      But now that it calls ip_route_output_key_hash_rcu, the ifindex
      will remain 0 and not match the iif lo in the rule. As a result,
      "ip route get" will return ENETUNREACH.
      
      Fixes: 3765d35e ("net: ipv4: Convert inet_rtm_getroute to rcu versions of route lookup")
      Tested: https://android.googlesource.com/kernel/tests/+/master/net/test/multinetwork_test.py passes again
      Signed-off-by: NLorenzo Colitti <lorenzo@google.com>
      Acked-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6503a304
    • D
      netlink: extack needs to be reset each time through loop · cbbdf843
      David Ahern 提交于
      syzbot triggered the WARN_ON in netlink_ack testing the bad_attr value.
      The problem is that netlink_rcv_skb loops over the skb repeatedly invoking
      the callback and without resetting the extack leaving potentially stale
      data. Initializing each time through avoids the WARN_ON.
      
      Fixes: 2d4bc933 ("netlink: extended ACK reporting")
      Reported-by: syzbot+315fa6766d0f7c359327@syzkaller.appspotmail.com
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cbbdf843
    • C
      tipc: fix a memory leak in tipc_nl_node_get_link() · 59b36613
      Cong Wang 提交于
      When tipc_node_find_by_name() fails, the nlmsg is not
      freed.
      
      While on it, switch to a goto label to properly
      free it.
      
      Fixes: be9c086715c ("tipc: narrow down exposure of struct tipc_node")
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: Jon Maloy <jon.maloy@ericsson.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      59b36613
    • M
      ipv6: fix udpv6 sendmsg crash caused by too small MTU · 749439bf
      Mike Maloney 提交于
      The logic in __ip6_append_data() assumes that the MTU is at least large
      enough for the headers.  A device's MTU may be adjusted after being
      added while sendmsg() is processing data, resulting in
      __ip6_append_data() seeing any MTU.  For an mtu smaller than the size of
      the fragmentation header, the math results in a negative 'maxfraglen',
      which causes problems when refragmenting any previous skb in the
      skb_write_queue, leaving it possibly malformed.
      
      Instead sendmsg returns EINVAL when the mtu is calculated to be less
      than IPV6_MIN_MTU.
      
      Found by syzkaller:
      kernel BUG at ./include/linux/skbuff.h:2064!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      task: ffff8801d0b68580 task.stack: ffff8801ac6b8000
      RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline]
      RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617
      RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216
      RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000
      RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0
      RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000
      R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8
      R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000
      FS:  00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       ip6_finish_skb include/net/ipv6.h:911 [inline]
       udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093
       udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363
       inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:643
       SYSC_sendto+0x352/0x5a0 net/socket.c:1750
       SyS_sendto+0x40/0x50 net/socket.c:1718
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      RIP: 0033:0x4512e9
      RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9
      RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005
      RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c
      R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69
      R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000
      Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba
      RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570
      RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NMike Maloney <maloney@google.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      749439bf
    • A
      net: cs89x0: add MODULE_LICENSE · 6200b430
      Arnd Bergmann 提交于
      This driver lacks a MODULE_LICENSE tag, leading to a Kbuild warning:
      
      WARNING: modpost: missing MODULE_LICENSE() in drivers/net/ethernet/cirrus/cs89x0.o
      
      This adds license, author, and description according to the
      comment block at the start of the file.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6200b430
    • G
      ppp: unlock all_ppp_mutex before registering device · 0171c418
      Guillaume Nault 提交于
      ppp_dev_uninit(), which is the .ndo_uninit() handler of PPP devices,
      needs to lock pn->all_ppp_mutex. Therefore we mustn't call
      register_netdevice() with pn->all_ppp_mutex already locked, or we'd
      deadlock in case register_netdevice() fails and calls .ndo_uninit().
      
      Fortunately, we can unlock pn->all_ppp_mutex before calling
      register_netdevice(). This lock protects pn->units_idr, which isn't
      used in the device registration process.
      
      However, keeping pn->all_ppp_mutex locked during device registration
      did ensure that no device in transient state would be published in
      pn->units_idr. In practice, unlocking it before calling
      register_netdevice() doesn't change this property: ppp_unit_register()
      is called with 'ppp_mutex' locked and all searches done in
      pn->units_idr hold this lock too.
      
      Fixes: 8cb775bc ("ppp: fix device unregistration upon netns deletion")
      Reported-and-tested-by: syzbot+367889b9c9e279219175@syzkaller.appspotmail.com
      Signed-off-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0171c418