1. 06 8月, 2018 10 次提交
  2. 05 8月, 2018 15 次提交
  3. 04 8月, 2018 15 次提交
    • K
      jfs: Fix usercopy whitelist for inline inode data · 961b33c2
      Kees Cook 提交于
      Bart Massey reported what turned out to be a usercopy whitelist false
      positive in JFS when symlink contents exceeded 128 bytes. The inline
      inode data (i_inline) is actually designed to overflow into the "extended
      area" following it (i_inline_ea) when needed. So the whitelist needed to
      be expanded to include both i_inline and i_inline_ea (the whole size
      of which is calculated internally using IDATASIZE, 256, instead of
      sizeof(i_inline), 128).
      
      $ cd /mnt/jfs
      $ touch $(perl -e 'print "B" x 250')
      $ ln -s B* b
      $ ls -l >/dev/null
      
      [  249.436410] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'jfs_ip' (offset 616, size 250)!
      Reported-by: NBart Massey <bart.massey@gmail.com>
      Fixes: 8d2704d3 ("jfs: Define usercopy region in jfs_ip slab cache")
      Cc: Dave Kleikamp <shaggy@kernel.org>
      Cc: jfs-discussion@lists.sourceforge.net
      Cc: stable@vger.kernel.org
      Signed-off-by: NKees Cook <keescook@chromium.org>
      961b33c2
    • Y
      tcp: remove unneeded variable 'err' · a01512b1
      YueHaibing 提交于
      variable 'err' is unmodified after initalization,
      so simply cleans up it and returns 0.
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a01512b1
    • J
      af_unix: ensure POLLOUT on remote close() for connected dgram socket · 51f7e951
      Jason Baron 提交于
      Applications use -ECONNREFUSED as returned from write() in order to
      determine that a socket should be closed. However, when using connected
      dgram unix sockets in a poll/write loop, a final POLLOUT event can be
      missed when the remote end closes. Thus, the poll is stuck forever:
      
                thread 1 (client)                   thread 2 (server)
      
      connect() to server
      write() returns -EAGAIN
      unix_dgram_poll()
       -> unix_recvq_full() is true
                                             close()
                                              ->unix_release_sock()
                                               ->wake_up_interruptible_all()
      unix_dgram_poll() (due to the
           wake_up_interruptible_all)
       -> unix_recvq_full() still is true
                                               ->free all skbs
      
      Now thread 1 is stuck and will not receive anymore wakeups. In this
      case, when thread 1 gets the -EAGAIN, it has not queued any skbs
      otherwise the 'free all skbs' step would in fact cause a wakeup and
      a POLLOUT return. So the race here is probably fairly rare because
      it means there are no skbs that thread 1 queued and that thread 1
      schedules before the 'free all skbs' step.
      
      This issue was reported as a hang when /dev/log is closed.
      
      The fix is to signal POLLOUT if the socket is marked as SOCK_DEAD, which
      means a subsequent write() will get -ECONNREFUSED.
      Reported-by: NIan Lance Taylor <iant@golang.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: NJason Baron <jbaron@akamai.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51f7e951
    • P
      netfilter: nft_tunnel: fix sparse errors · 483f3fdc
      Pablo Neira Ayuso 提交于
      [...]
      net/netfilter/nft_tunnel.c:117:25:    expected unsigned int [unsigned] [usertype] flags
      net/netfilter/nft_tunnel.c:117:25:    got restricted __be16 [usertype] <noident>
      [...]
      net/netfilter/nft_tunnel.c:246:33:    expected restricted __be16 [addressable] [assigned] [usertype] tp_dst
      net/netfilter/nft_tunnel.c:246:33:    got int
      
      Fixes: af308b94 ("netfilter: nf_tables: add tunnel support")
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      483f3fdc
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 0b5b1f9a
      Linus Torvalds 提交于
      Pull KVM fixes from Paolo Bonzini:
       "Two vmx bugfixes"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvm: x86: vmx: fix vpid leak
        KVM: vmx: use local variable for current_vmptr when emulating VMPTRST
      0b5b1f9a
    • K
      ppp: mppe: Remove VLA usage · a394b3af
      Kees Cook 提交于
      In the quest to remove all stack VLA usage from the kernel[1], this
      removes the discouraged use of AHASH_REQUEST_ON_STACK (and associated
      VLA) by switching to shash directly and keeping the associated descriptor
      allocated with the regular state on the heap.
      
      [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.comSigned-off-by: NKees Cook <keescook@chromium.org>
      Acked-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a394b3af
    • D
      rxrpc: Push iov_iter up from rxrpc_kernel_recv_data() to caller · eb9950eb
      David Howells 提交于
      Push iov_iter up from rxrpc_kernel_recv_data() to its caller to allow
      non-contiguous iovs to be passed down, thereby permitting file reading to
      be simplified in the AFS filesystem in a future patch.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      eb9950eb
    • G
      l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() · f664e37d
      Guillaume Nault 提交于
      If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
      drop the reference taken by l2tp_session_get().
      
      Fixes: ecd012e4 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
      Signed-off-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f664e37d
    • D
      Merge branch 'mlxsw-Fix-ACL-actions-error-condition-handling' · 60a01828
      David S. Miller 提交于
      Ido Schimmel says:
      
      ====================
      mlxsw: Fix ACL actions error condition handling
      
      Nir says:
      
      Two issues were lately noticed within mlxsw ACL actions error condition
      handling. The first patch deals with conflicting actions such as:
      
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 flower skip_sw dst_ip 192.168.101.1 \
         action goto chain 100 \
         action mirred egress redirect dev swp4
      
      The second action will never execute, however SW model allows this
      configuration, while the mlxsw driver cannot allow for it as it
      implements actions in sets of up to three actions per set with a single
      termination marking. Conflicting actions create a contradiction over
      this single marking and thus cannot be configured. The fix replaces a
      misplaced warning with an error code to be returned.
      
      Patches 2-4 fix a condition of duplicate destruction of resources. Some
      actions require allocation of specific resource prior to setting the
      action itself. On error condition this resource was destroyed twice,
      leading to a crash when using mirror action, and to a redundant
      destruction in other cases, since for error condition rule destruction
      also takes care of resource destruction. In order to fix this state a
      symmetry in behavior is added and resource destruction also takes care
      of removing the resource from rule's resource list.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      60a01828
    • N
      mlxsw: core_acl_flex_actions: Remove redundant mirror resource destruction · caebd1b3
      Nir Dotan 提交于
      In previous patch mlxsw_afa_resource_del() was added to avoid a duplicate
      resource detruction scenario.
      For mirror actions, such duplicate destruction leads to a crash as in:
      
       # tc qdisc add dev swp49 ingress
       # tc filter add dev swp49 parent ffff: \
         protocol ip chain 100 pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action drop
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Therefore add a call to mlxsw_afa_resource_del() in
      mlxsw_afa_mirror_destroy() in order to clear that resource
      from rule's resources.
      
      Fixes: d0d13c18 ("mlxsw: spectrum_acl: Add support for mirror action")
      Signed-off-by: NNir Dotan <nird@mellanox.com>
      Reviewed-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      caebd1b3
    • N
      mlxsw: core_acl_flex_actions: Remove redundant counter destruction · 7cc61694
      Nir Dotan 提交于
      Each tc flower rule uses a hidden count action. As counter resource may
      not be available due to limited HW resources, update _counter_create()
      and _counter_destroy() pair to follow previously introduced symmetric
      error condition handling, add a call to mlxsw_afa_resource_del() as part
      of the counter resource destruction.
      
      Fixes: c18c1e18 ("mlxsw: core: Make counter index allocated inside the action append")
      Signed-off-by: NNir Dotan <nird@mellanox.com>
      Reviewed-by: NPetr Machata <petrm@mellanox.com>
      Reviewed-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7cc61694
    • N
      mlxsw: core_acl_flex_actions: Remove redundant resource destruction · dda0a3a3
      Nir Dotan 提交于
      Some ACL actions require the allocation of a separate resource
      prior to applying the action itself. When facing an error condition
      during the setup phase of the action, resource should be destroyed.
      For such actions the destruction was done twice which is dangerous
      and lead to a potential crash.
      The destruction took place first upon error on action setup phase
      and then as the rule was destroyed.
      
      The following sequence generated a crash:
      
       # tc qdisc add dev swp49 ingress
       # tc filter add dev swp49 parent ffff: \
         protocol ip chain 100 pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action drop
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Therefore add mlxsw_afa_resource_del() as a complement of
      mlxsw_afa_resource_add() to add symmetry to resource_list membership
      handling. Call this from mlxsw_afa_fwd_entry_ref_destroy() to make the
      _fwd_entry_ref_create() and _fwd_entry_ref_destroy() pair of calls a
      NOP.
      
      Fixes: 140ce421 ("mlxsw: core: Convert fwd_entry_ref list to be generic per-block resource list")
      Signed-off-by: NNir Dotan <nird@mellanox.com>
      Reviewed-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dda0a3a3
    • N
      mlxsw: core_acl_flex_actions: Return error for conflicting actions · 3757b255
      Nir Dotan 提交于
      Spectrum switch ACL action set is built in groups of three actions
      which may point to additional actions. A group holds a single record
      which can be set as goto record for pointing at a following group
      or can be set to mark the termination of the lookup. This is perfectly
      adequate for handling a series of actions to be executed on a packet.
      While the SW model allows configuration of conflicting actions
      where it is clear that some actions will never execute, the mlxsw
      driver must block such configurations as it creates a conflict
      over the single terminate/goto record value.
      
      For a conflicting actions configuration such as:
      
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 \
         action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Where it is clear that the last action will never execute, the
      mlxsw driver was issuing a warning instead of returning an error.
      Therefore replace that warning with an error for this specific
      case.
      
      Fixes: 4cda7d8d ("mlxsw: core: Introduce flexible actions support")
      Signed-off-by: NNir Dotan <nird@mellanox.com>
      Reviewed-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3757b255
    • F
      netfilter: conntrack: avoid use-after free on rmmod · 020f6cc5
      Florian Westphal 提交于
      When the conntrack module is removed, we call nf_ct_iterate_destroy via
      nf_ct_l4proto_unregister().
      
      Problem is that nf_conntrack_proto_fini() gets called after the
      conntrack hash table has already been freed.
      
      Just remove the l4proto unregister call, its unecessary as the
      nf_ct_protos[] array gets free'd right after anyway.
      
      v2: add comment wrt. missing unreg call.
      
      Fixes: a0ae2562 ("netfilter: conntrack: remove l3proto abstraction")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      020f6cc5
    • F
      netfilter: kconfig: remove ct zone/label dependencies · 7bdfcea8
      Florian Westphal 提交于
      connection tracking zones currently depend on the xtables CT target.
      The reasoning was that it makes no sense to support zones if they can't
      be configured (which needed CT target).
      
      Nowadays zones can also be used by OVS and configured via nftables,
      so remove the dependency.
      
      connection tracking labels are handled via hidden dependency that gets
      auto-selected by the connlabel match.
      Make it a visible knob, as labels can be attached via ctnetlink
      or via nftables rules (nft_ct expression) too.
      
      This allows to use conntrack labels and zones with nftables-only build.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      7bdfcea8