1. 15 12月, 2015 4 次提交
    • H
      net: add validation for the socket syscall protocol argument · 79462ad0
      Hannes Frederic Sowa 提交于
      郭永刚 reported that one could simply crash the kernel as root by
      using a simple program:
      
      	int socket_fd;
      	struct sockaddr_in addr;
      	addr.sin_port = 0;
      	addr.sin_addr.s_addr = INADDR_ANY;
      	addr.sin_family = 10;
      
      	socket_fd = socket(10,3,0x40000000);
      	connect(socket_fd , &addr,16);
      
      AF_INET, AF_INET6 sockets actually only support 8-bit protocol
      identifiers. inet_sock's skc_protocol field thus is sized accordingly,
      thus larger protocol identifiers simply cut off the higher bits and
      store a zero in the protocol fields.
      
      This could lead to e.g. NULL function pointer because as a result of
      the cut off inet_num is zero and we call down to inet_autobind, which
      is NULL for raw sockets.
      
      kernel: Call Trace:
      kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
      kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
      kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
      kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
      kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
      kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
      kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
      
      I found no particular commit which introduced this problem.
      
      CVE: CVE-2015-8543
      Cc: Cong Wang <cwang@twopensource.com>
      Reported-by: N郭永刚 <guoyonggang@360.cn>
      Signed-off-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      79462ad0
    • T
      net: phy: mdio-mux: Check return value of mdiobus_alloc() · 20b08e1a
      Tobias Klauser 提交于
      mdiobus_alloc() might return NULL, but its return value is not
      checked in mdio_mux_init(). This could potentially lead to a NULL
      pointer dereference. Fix it by checking the return value
      
      Fixes: 0ca2997d ("netdev/of/phy: Add MDIO bus multiplexer support.")
      Signed-off-by: NTobias Klauser <tklauser@distanz.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      20b08e1a
    • P
      openvswitch: fix trivial comment typo · e5f5d747
      Paolo Abeni 提交于
      The commit 33db4125 ("openvswitch: Rename LABEL->LABELS") left
      over an old OVS_CT_ATTR_LABEL instance, fix it.
      
      Fixes: 33db4125 ("openvswitch: Rename LABEL->LABELS")
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Acked-by: NJoe Stringer <joe@ovn.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e5f5d747
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 9e5be5bd
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      netfilter fixes for net
      
      The following patchset contains Netfilter fixes for you net tree,
      specifically for nf_tables and nfnetlink_queue, they are:
      
      1) Avoid a compilation warning in nfnetlink_queue that was introduced
         in the previous merge window with the simplification of the conntrack
         integration, from Arnd Bergmann.
      
      2) nfnetlink_queue is leaking the pernet subsystem registration from
         a failure path, patch from Nikolay Borisov.
      
      3) Pass down netns pointer to batch callback in nfnetlink, this is the
         largest patch and it is not a bugfix but it is a dependency to
         resolve a splat in the correct way.
      
      4) Fix a splat due to incorrect socket memory accounting with nfnetlink
         skbuff clones.
      
      5) Add missing conntrack dependencies to NFT_DUP_IPV4 and NFT_DUP_IPV6.
      
      6) Traverse the nftables commit list in reverse order from the commit
         path, otherwise we crash when the user applies an incremental update
         via 'nft -f' that deletes an object that was just introduced in this
         batch, from Xin Long.
      
      Regarding the compilation warning fix, many people have sent us (and
      keep sending us) patches to address this, that's why I'm including this
      batch even if this is not critical.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9e5be5bd
  2. 14 12月, 2015 4 次提交
    • D
      net: Flush local routes when device changes vrf association · 7f49e7a3
      David Ahern 提交于
      The VRF driver cycles netdevs when an interface is enslaved or released:
      the down event is used to flush neighbor and route tables and the up
      event (if the interface was already up) effectively moves local and
      connected routes to the proper table.
      
      As of 4f823def the local route is left hanging around after a link
      down, so when a netdev is moved from one VRF to another (or released
      from a VRF altogether) local routes are left in the wrong table.
      
      Fix by handling the NETDEV_CHANGEUPPER event. When the upper dev is
      an L3mdev then call fib_disable_ip to flush all routes, local ones
      to.
      
      Fixes: 4f823def ("ipv4: fix to not remove local route on link down")
      Cc: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7f49e7a3
    • A
      net:hns: print MAC with %pM · 98900a80
      Andy Shevchenko 提交于
      printf() has a dedicated specifier to print MAC addresses. Use it instead of
      pushing each byte via stack.
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      98900a80
    • A
      net:hns: annotate IO address space properly · 946973a3
      Andy Shevchenko 提交于
      Mark address pointer with __iomem in the IO accessors.
      
      Otherwise we will get a sparse complain like following
      
      .../hns/hns_dsaf_reg.h:991:36: warning: incorrect type in argument 1 (different address spaces)
      .../hns/hns_dsaf_reg.h:991:36:    expected unsigned char [noderef] [usertype] <asn:2>*base
      .../hns/hns_dsaf_reg.h:991:36:    got void *base
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      946973a3
    • X
      netfilter: nf_tables: use reverse traversal commit_list in nf_tables_abort · a907e36d
      Xin Long 提交于
      When we use 'nft -f' to submit rules, it will build multiple rules into
      one netlink skb to send to kernel, kernel will process them one by one.
      meanwhile, it add the trans into commit_list to record every commit.
      if one of them's return value is -EAGAIN, status |= NFNL_BATCH_REPLAY
      will be marked. after all the process is done. it will roll back all the
      commits.
      
      now kernel use list_add_tail to add trans to commit, and use
      list_for_each_entry_safe to roll back. which means the order of adding
      and rollback is the same. that will cause some cases cannot work well,
      even trigger call trace, like:
      
      1. add a set into table foo  [return -EAGAIN]:
         commit_list = 'add set trans'
      2. del foo:
         commit_list = 'add set trans' -> 'del set trans' -> 'del tab trans'
      then nf_tables_abort will be called to roll back:
      firstly process 'add set trans':
                         case NFT_MSG_NEWSET:
                              trans->ctx.table->use--;
                              list_del_rcu(&nft_trans_set(trans)->list);
      
        it will del the set from the table foo, but it has removed when del
        table foo [step 2], then the kernel will panic.
      
      the right order of rollback should be:
        'del tab trans' -> 'del set trans' -> 'add set trans'.
      which is opposite with commit_list order.
      
      so fix it by rolling back commits with reverse order in nf_tables_abort.
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      a907e36d
  3. 12 12月, 2015 18 次提交
  4. 11 12月, 2015 2 次提交
    • P
      netfilter: nf_dup: add missing dependencies with NF_CONNTRACK · d3340b79
      Pablo Neira Ayuso 提交于
      CONFIG_NF_CONNTRACK=m
      CONFIG_NF_DUP_IPV4=y
      
      results in:
      
         net/built-in.o: In function `nf_dup_ipv4':
      >> (.text+0xd434f): undefined reference to `nf_conntrack_untracked'
      Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      d3340b79
    • P
      netfilter: nfnetlink: fix splat due to incorrect socket memory accounting in skbuff clones · bd678e09
      Pablo Neira Ayuso 提交于
      If we attach the sk to the skb from nfnetlink_rcv_batch(), then
      netlink_skb_destructor() will underflow the socket receive memory
      counter and we get warning splat when releasing the socket.
      
      $ cat /proc/net/netlink
      sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks     Drops     Inode
      ffff8800ca903000 12  0      00000000 -54144   0        0 2        0        17942
                                           ^^^^^^
      
      Rmem above shows an underflow.
      
      And here below the warning splat:
      
      [ 1363.815976] WARNING: CPU: 2 PID: 1356 at net/netlink/af_netlink.c:958 netlink_sock_destruct+0x80/0xb9()
      [...]
      [ 1363.816152] CPU: 2 PID: 1356 Comm: kworker/u16:1 Tainted: G        W       4.4.0-rc1+ #153
      [ 1363.816155] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012
      [ 1363.816160] Workqueue: netns cleanup_net
      [ 1363.816163]  0000000000000000 ffff880119203dd0 ffffffff81240204 0000000000000000
      [ 1363.816169]  ffff880119203e08 ffffffff8104db4b ffffffff813d49a1 ffff8800ca771000
      [ 1363.816174]  ffffffff81a42b00 0000000000000000 ffff8800c0afe1e0 ffff880119203e18
      [ 1363.816179] Call Trace:
      [ 1363.816181]  <IRQ>  [<ffffffff81240204>] dump_stack+0x4e/0x79
      [ 1363.816193]  [<ffffffff8104db4b>] warn_slowpath_common+0x9a/0xb3
      [ 1363.816197]  [<ffffffff813d49a1>] ? netlink_sock_destruct+0x80/0xb9
      
      skb->sk was only needed to lookup for the netns, however we don't need
      this anymore since 633c9a84 ("netfilter: nfnetlink: avoid recurrent
      netns lookups in call_batch") so this patch removes this manual socket
      assignment to resolve this problem.
      Reported-by: NArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Reported-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Tested-by: NArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      bd678e09
  5. 10 12月, 2015 1 次提交
  6. 09 12月, 2015 6 次提交
    • N
      netfilter: nfnetlink_queue: Unregister pernet subsys in case of init failure · 639e077b
      Nikolay Borisov 提交于
      Commit 3bfe0498 ("netfilter: nfnetlink_{log,queue}:
      Register pernet in first place") reorganised the initialisation
      order of the pernet_subsys to avoid "use-before-initialised"
      condition. However, in doing so the cleanup logic in nfnetlink_queue
      got botched in that the pernet_subsys wasn't cleaned in case
      nfnetlink_subsys_register failed. This patch adds the necessary
      cleanup routine call.
      
      Fixes: 3bfe0498 ("netfilter: nfnetlink_{log,queue}: Register pernet in first place")
      Signed-off-by: NNikolay Borisov <kernel@kyup.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      639e077b
    • A
      net: ezchip: fix address space confusion in nps_enet.c · b0a8d1a0
      Arnd Bergmann 提交于
      The nps_enet driver happily mixes virtual, physical and __iomem
      addresses, which are all different depending on the architecture
      and configuration.  That causes a warning when building the code
      on ARM with LPAE mode enabled:
      
      drivers/net/ethernet/ezchip/nps_enet.c: In function 'nps_enet_send_frame':
      drivers/net/ethernet/ezchip/nps_enet.c:370:13: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
      
      but will also fail to work for other reasons.
      
      In this patch, I'm trying to change the code to use only normal
      kernel pointers, which I assume is what the author actually meant:
      
      * For reading or writing a 32-bit word that may be unaligned when
        an SKB contains unaligned data, I'm using get_unaligned/put_unaligned()
        rather than memcpy_fromio/toio.
      
      * For converting a u8 pointer to a u32 pointer, I use a cast rather
        than the incorrect virt_to_phys.
      
      * For copying a couple of bytes from one place to another while respecting
        alignment, I use memcpy instead of memcpy_toio.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b0a8d1a0
    • A
      net: fsl: avoid 64-bit warning on pq_mdio · 8cde3e44
      Arnd Bergmann 提交于
      The pq_mdio driver can now be built for ARM64, where we get a format
      string warning:
      
      drivers/net/ethernet/freescale/fsl_pq_mdio.c: In function 'fsl_pq_mdio_probe':
      drivers/net/ethernet/freescale/fsl_pq_mdio.c:467:25: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long int' [-Wformat=]
      
      The argument is an implicit ptrdiff_t from the subtraction of two pointers,
      so we should use the %z format string modifier to make this work on 64-bit
      architectures.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Fixes: fe761bcb ("net: fsl: expands dependencies of NET_VENDOR_FREESCALE")
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8cde3e44
    • P
      r8152: fix lockup when runtime PM is enabled · 90186af4
      Peter Wu 提交于
      When an interface is brought up which was previously suspended (via
      runtime PM), it would hang. This happens because napi_disable is called
      before napi_enable.
      
      Solve this by avoiding napi_enable in the resume during open function
      (netif_running is true when open is called, IFF_UP is set after a
      successful open; netif_running is false when close is called, but IFF_UP
      is then still set).
      
      While at it, remove WORK_ENABLE check from rtl8152_open (introduced with
      the original change) because it cannot happen:
      
       - After this patch, runtime resume will not set it during rtl8152_open.
       - When link is up, rtl8152_open is not called.
       - When link is down during system/auto suspend/resume, it is not set.
      
      Fixes: 41cec84c ("r8152: don't enable napi before rx ready")
      Link: https://lkml.kernel.org/r/20151205105912.GA1766@alSigned-off-by: NPeter Wu <peter@lekensteyn.nl>
      Acked-by: NHayes Wang <hayeswang@realtek.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      90186af4
    • P
      net: thunderx: Correctly distinguish between VF and LMAC count · f406ce42
      Pavel Fedin 提交于
      Commit bc69fdfc
      ("net: thunderx: Enable BGX LMAC's RX/TX only after VF is up")
      introduces lmac_cnt member and starts verifying VF number against it.
      This is plain wrong, and works only because currently we have hardcoded
      1:1 mapping between VFs and LMACs, and in this case num_vf_en and
      lmac_cnt are always equal. However in future this may change, and the
      code will badly misbehave. The worst consequence of this is failure to
      deliver link status messages, causing VFs to go defunct because since
      commit 0b72a9a1 ("net: thunderx: Switchon carrier only upon
      interface link up") VF will not fully bring itself up without it.
      
      This patch fixes the potential problem by doing VF number checks against
      the num_vf_en. Since lmac_cnt is not used anywhere else, it is removed.
      
      Additionally some duplicated code is factored out into nic_enable_vf()
      Signed-off-by: NPavel Fedin <p.fedin@samsung.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f406ce42
    • P
      geneve: Fix IPv6 xmit stats update. · a322a1bc
      Pravin B Shelar 提交于
      Call to iptunnel_xmit_stats() is not required after udp-tunnel6-xmit.
      By calling iptunnel_xmit_stats() results in incorrect device stats.
      Following patch drops this call.
      Signed-off-by: NPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a322a1bc
  7. 08 12月, 2015 5 次提交