1. 17 1月, 2018 3 次提交
  2. 16 1月, 2018 17 次提交
  3. 15 1月, 2018 1 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8155aedf
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-01-13
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Follow-up fix to the recent BPF out-of-bounds speculation
         fix that prevents max_entries overflows and an undefined
         behavior on 32 bit archs on index_mask calculation, from
         Daniel.
      
      2) Reject unsupported BPF_ARSH opcode in 32 bit ALU mode that
         was otherwise throwing an unknown opcode warning in the
         interpreter, from Daniel.
      
      3) Typo fix in one of the user facing verbose() messages that
         was added during the BPF out-of-bounds speculation fix,
         from Colin.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8155aedf
  4. 12 1月, 2018 15 次提交
  5. 11 1月, 2018 4 次提交
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · cbd0a6a2
      Linus Torvalds 提交于
      Pull vfs regression fix from Al Viro/
      
      Fix a leak in socket() introduced by commit 8e1611e2 ("make
      sock_alloc_file() do sock_release() on failures").
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        Fix a leak in socket(2) when we fail to allocate a file descriptor.
      cbd0a6a2
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 64fce444
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) BPF speculation prevention and BPF_JIT_ALWAYS_ON, from Alexei
          Starovoitov.
      
       2) Revert dev_get_random_name() changes as adjust the error code
          returns seen by userspace definitely breaks stuff.
      
       3) Fix TX DMA map/unmap on older iwlwifi devices, from Emmanuel
          Grumbach.
      
       4) From wrong AF family when requesting sock diag modules, from Andrii
          Vladyka.
      
       5) Don't add new ipv6 routes attached to the null_entry, from Wei Wang.
      
       6) Some SCTP sockopt length fixes from Marcelo Ricardo Leitner.
      
       7) Don't leak when removing VLAN ID 0, from Cong Wang.
      
       8) Hey there's a potential leak in ipv6_make_skb() too, from Eric
          Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (27 commits)
        ipv6: sr: fix TLVs not being copied using setsockopt
        ipv6: fix possible mem leaks in ipv6_make_skb()
        mlxsw: spectrum_qdisc: Don't use variable array in mlxsw_sp_tclass_congestion_enable
        mlxsw: pci: Wait after reset before accessing HW
        nfp: always unmask aux interrupts at init
        8021q: fix a memory leak for VLAN 0 device
        of_mdio: avoid MDIO bus removal when a PHY is missing
        caif_usb: use strlcpy() instead of strncpy()
        doc: clarification about setting SO_ZEROCOPY
        net: gianfar_ptp: move set_fipers() to spinlock protecting area
        sctp: make use of pre-calculated len
        sctp: add a ceiling to optlen in some sockopts
        sctp: GFP_ATOMIC is not needed in sctp_setsockopt_events
        bpf: introduce BPF_JIT_ALWAYS_ON config
        bpf: avoid false sharing of map refcount with max_entries
        ipv6: remove null_entry before adding default route
        SolutionEngine771x: add Ether TSU resource
        SolutionEngine771x: fix Ether platform data
        docs-rst: networking: wire up msg_zerocopy
        net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()
        ...
      64fce444
    • A
      Fix a leak in socket(2) when we fail to allocate a file descriptor. · ce4bb04c
      Al Viro 提交于
      Got broken by "make sock_alloc_file() do sock_release() on failures" -
      cleanup after sock_map_fd() failure got pulled all the way into
      sock_alloc_file(), but it used to serve the case when sock_map_fd()
      failed *before* getting to sock_alloc_file() as well, and that got
      lost.  Trivial to fix, fortunately.
      
      Fixes: 8e1611e2 (make sock_alloc_file() do sock_release() on failures)
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      ce4bb04c
    • D
      bpf, array: fix overflow in max_entries and undefined behavior in index_mask · bbeb6e43
      Daniel Borkmann 提交于
      syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
      and thus unprivileged. With the recently added logic in b2157399
      ("bpf: prevent out-of-bounds speculation") we round this up to the next
      power of two value for max_entries for unprivileged such that we can
      apply proper masking into potentially zeroed out map slots.
      
      However, this will generate an index_mask of 0xffffffff, and therefore
      a + 1 will let this overflow into new max_entries of 0. This will pass
      allocation, etc, and later on map access we still enforce on the original
      attr->max_entries value which was 0xfffffffd, therefore triggering GPF
      all over the place. Thus bail out on overflow in such case.
      
      Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
      since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
      space is undefined. Therefore, do this by hand in a 64 bit variable.
      
      This fixes all the issues triggered by syzkaller's reproducers.
      
      Fixes: b2157399 ("bpf: prevent out-of-bounds speculation")
      Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
      Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
      Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
      Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
      Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      bbeb6e43