1. 28 10月, 2016 7 次提交
    • A
      flow_dissector: fix vlan tag handling · bc72f3dd
      Arnd Bergmann 提交于
      gcc warns about an uninitialized pointer dereference in the vlan
      priority handling:
      
      net/core/flow_dissector.c: In function '__skb_flow_dissect':
      net/core/flow_dissector.c:281:61: error: 'vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      As pointed out by Jiri Pirko, the variable is never actually used
      without being initialized first as the only way it end up uninitialized
      is with skb_vlan_tag_present(skb)==true, and that means it does not
      get accessed.
      
      However, the warning hints at some related issues that I'm addressing
      here:
      
      - the second check for the vlan tag is different from the first one
        that tests the skb for being NULL first, causing both the warning
        and a possible NULL pointer dereference that was not entirely fixed.
      - The same patch that introduced the NULL pointer check dropped an
        earlier optimization that skipped the repeated check of the
        protocol type
      - The local '_vlan' variable is referenced through the 'vlan' pointer
        but the variable has gone out of scope by the time that it is
        accessed, causing undefined behavior
      
      Caching the result of the 'skb && skb_vlan_tag_present(skb)' check
      in a local variable allows the compiler to further optimize the
      later check. With those changes, the warning also disappears.
      
      Fixes: 3805a938 ("flow_dissector: Check skb for VLAN only if skb specified.")
      Fixes: d5709f7a ("flow_dissector: For stripped vlan, get vlan info from skb->vlan_tci")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Acked-by: NEric Garver <e@erig.me>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bc72f3dd
    • D
      net: ipv6: Do not consider link state for nexthop validation · d5d32e4b
      David Ahern 提交于
      Similar to IPv4, do not consider link state when validating next hops.
      
      Currently, if the link is down default routes can fail to insert:
       $ ip -6 ro add vrf blue default via 2100:2::64 dev eth2
       RTNETLINK answers: No route to host
      
      With this patch the command succeeds.
      
      Fixes: 8c14586f ("net: ipv6: Use passed in table for nexthop lookups")
      Signed-off-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d5d32e4b
    • D
      net: ipv6: Fix processing of RAs in presence of VRF · 830218c1
      David Ahern 提交于
      rt6_add_route_info and rt6_add_dflt_router were updated to pull the FIB
      table from the device index, but the corresponding rt6_get_route_info
      and rt6_get_dflt_router functions were not leading to the failure to
      process RA's:
      
          ICMPv6: RA: ndisc_router_discovery failed to add default route
      
      Fix the 'get' functions by using the table id associated with the
      device when applicable.
      
      Also, now that default routes can be added to tables other than the
      default table, rt6_purge_dflt_routers needs to be updated as well to
      look at all tables. To handle that efficiently, add a flag to the table
      denoting if it is has a default route via RA.
      
      Fixes: ca254490 ("net: Add VRF support to IPv6 stack")
      Signed-off-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      830218c1
    • A
      kalmia: avoid potential uninitialized variable use · e30520c2
      Arnd Bergmann 提交于
      The kalmia_send_init_packet() returns zero or a negative return
      code, but gcc has no way of knowing that there cannot be a
      positive return code, so it determines that copying the ethernet
      address at the end of kalmia_bind() will access uninitialized
      data:
      
      drivers/net/usb/kalmia.c: In function ‘kalmia_bind’:
      arch/x86/include/asm/string_32.h:78:22: error: ‘*((void *)&ethernet_addr+4)’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
         *((short *)to + 2) = *((short *)from + 2);
                            ^
      drivers/net/usb/kalmia.c:138:5: note: ‘*((void *)&ethernet_addr+4)’ was declared here
      
      This warning is harmless, but for consistency, we should make
      the check for the return code match what the driver does everywhere
      else and just progate it, which then gets rid of the warning.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e30520c2
    • T
      macsec: Fix header length if SCI is added if explicitly disabled · e0f841f5
      Tobias Brunner 提交于
      Even if sending SCIs is explicitly disabled, the code that creates the
      Security Tag might still decide to add it (e.g. if multiple RX SCs are
      defined on the MACsec interface).
      But because the header length so far only depended on the configuration
      option the SCI overwrote the original frame's contents (EtherType and
      e.g. the beginning of the IP header) and if encrypted did not visibly
      end up in the packet, while the SC flag in the TCI field of the Security
      Tag was still set, resulting in invalid MACsec frames.
      
      Fixes: c09440f7 ("macsec: introduce IEEE 802.1AE driver")
      Signed-off-by: NTobias Brunner <tobias@strongswan.org>
      Acked-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e0f841f5
    • Z
      at803x: double check SGMII side autoneg · f62265b5
      Zefir Kurtisi 提交于
      In SGMII mode, we observed an autonegotiation issue
      after power-down-up cycles where the copper side
      reports successful link establishment but the
      SGMII side's link is down.
      
      This happened in a setup where the at8031 is
      connected over SGMII to a eTSEC (fsl gianfar),
      but so far could not be reproduced with other
      Ethernet device / driver combinations.
      
      This commit adds a wrapper function for at8031
      that in case of operating in SGMII mode double
      checks SGMII link state when generic aneg_done()
      succeeds. It prints a warning on failure but
      intentionally does not try to recover from this
      state. As a result, if you ever see a warning
      '803x_aneg_done: SGMII link is not ok' you will
      end up having an Ethernet link up but won't get
      any data through. This should not happen, if it
      does, please contact the module maintainer.
      Signed-off-by: NZefir Kurtisi <zefir.kurtisi@neratec.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f62265b5
    • Z
      Revert "at803x: fix suspend/resume for SGMII link" · 4fc6d239
      Zefir Kurtisi 提交于
      This reverts commit 98267311.
      
      Suspending the SGMII alongside the copper side
      made the at803x inaccessable while powered down,
      e.g. it can't be re-probed after suspend.
      Signed-off-by: NZefir Kurtisi <zefir.kurtisi@neratec.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4fc6d239
  2. 27 10月, 2016 6 次提交
  3. 24 10月, 2016 5 次提交
    • D
      Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 44060abe
      David S. Miller 提交于
      Johan Hedberg says:
      
      ====================
      pull request: bluetooth 2016-10-21
      
      Here are some more Bluetooth fixes for the 4.9 kernel:
      
       - Fix to btwilink driver probe function return value
       - Power management fix to hci_bcm
       - Fix to encoding name in scan response data
      
      Please let me know if there are any issues pulling. Thanks.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      44060abe
    • J
      net: sctp, forbid negative length · a4b8e71b
      Jiri Slaby 提交于
      Most of getsockopt handlers in net/sctp/socket.c check len against
      sizeof some structure like:
              if (len < sizeof(int))
                      return -EINVAL;
      
      On the first look, the check seems to be correct. But since len is int
      and sizeof returns size_t, int gets promoted to unsigned size_t too. So
      the test returns false for negative lengths. Yes, (-1 < sizeof(long)) is
      false.
      
      Fix this in sctp by explicitly checking len < 0 before any getsockopt
      handler is called.
      
      Note that sctp_getsockopt_events already handled the negative case.
      Since we added the < 0 check elsewhere, this one can be removed.
      
      If not checked, this is the result:
      UBSAN: Undefined behaviour in ../mm/page_alloc.c:2722:19
      shift exponent 52 is too large for 32-bit type 'int'
      CPU: 1 PID: 24535 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
       0000000000000000 ffff88006d99f2a8 ffffffffb2f7bdea 0000000041b58ab3
       ffffffffb4363c14 ffffffffb2f7bcde ffff88006d99f2d0 ffff88006d99f270
       0000000000000000 0000000000000000 0000000000000034 ffffffffb5096422
      Call Trace:
       [<ffffffffb3051498>] ? __ubsan_handle_shift_out_of_bounds+0x29c/0x300
      ...
       [<ffffffffb273f0e4>] ? kmalloc_order+0x24/0x90
       [<ffffffffb27416a4>] ? kmalloc_order_trace+0x24/0x220
       [<ffffffffb2819a30>] ? __kmalloc+0x330/0x540
       [<ffffffffc18c25f4>] ? sctp_getsockopt_local_addrs+0x174/0xca0 [sctp]
       [<ffffffffc18d2bcd>] ? sctp_getsockopt+0x10d/0x1b0 [sctp]
       [<ffffffffb37c1219>] ? sock_common_getsockopt+0xb9/0x150
       [<ffffffffb37be2f5>] ? SyS_getsockopt+0x1a5/0x270
      Signed-off-by: NJiri Slaby <jslaby@suse.cz>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: linux-sctp@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a4b8e71b
    • F
      net: fec: Call swap_buffer() prior to IP header alignment · 235bde1e
      Fabio Estevam 提交于
      Commit 3ac72b7b ("net: fec: align IP header in hardware") breaks
      networking on mx28.
      
      There is an erratum on mx28 (ENGR121613 - ENET big endian mode
      not compatible with ARM little endian) that requires an additional
      byte-swap operation to workaround this problem.
      
      So call swap_buffer() prior to performing the IP header alignment
      to restore network functionality on mx28.
      
      Fixes: 3ac72b7b ("net: fec: align IP header in hardware")
      Reported-and-tested-by: NHenri Roosen <henri.roosen@ginzinger.com>
      Signed-off-by: NFabio Estevam <fabio.estevam@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      235bde1e
    • J
      ipv6: do not increment mac header when it's unset · b678aa57
      Jason A. Donenfeld 提交于
      Otherwise we'll overflow the integer. This occurs when layer 3 tunneled
      packets are handed off to the IPv6 layer.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b678aa57
    • S
      bnx2x: Use the correct divisor value for PHC clock readings. · a6e2846c
      Sudarsana Reddy Kalluru 提交于
      Time Sync (PTP) implementation uses the divisor/shift value for converting
      the clock ticks to nanoseconds. Driver currently defines shift value as 1,
      this results in the nanoseconds value to be calculated as half the actual
      value. Hence the user application fails to synchronize the device clock
      value with the PTP master device clock. Need to use the 'shift' value of 0.
      Signed-off-by: NSony.Chacko <Sony.Chacko@cavium.com>
      Signed-off-by: NSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: NYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a6e2846c
  4. 23 10月, 2016 13 次提交
  5. 21 10月, 2016 9 次提交
    • W
      ipv6: fix a potential deadlock in do_ipv6_setsockopt() · 8651be8f
      WANG Cong 提交于
      Baozeng reported this deadlock case:
      
             CPU0                    CPU1
             ----                    ----
        lock([  165.136033] sk_lock-AF_INET6);
                                     lock([  165.136033] rtnl_mutex);
                                     lock([  165.136033] sk_lock-AF_INET6);
        lock([  165.136033] rtnl_mutex);
      
      Similar to commit 87e9f031
      ("ipv4: fix a potential deadlock in mcast getsockopt() path")
      this is due to we still have a case, ipv6_sock_mc_close(),
      where we acquire sk_lock before rtnl_lock. Close this deadlock
      with the similar solution, that is always acquire rtnl lock first.
      
      Fixes: baf606d9 ("ipv4,ipv6: grab rtnl before locking the socket")
      Reported-by: NBaozeng Ding <sploving1@gmail.com>
      Tested-by: NBaozeng Ding <sploving1@gmail.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8651be8f
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 8dbad1a8
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Fix compilation warning in xt_hashlimit on m68k 32-bits, from
         Geert Uytterhoeven.
      
      2) Fix wrong timeout in set elements added from packet path via
         nft_dynset, from Anders K. Pedersen.
      
      3) Remove obsolete nf_conntrack_events_retry_timeout sysctl
         documentation, from Nicolas Dichtel.
      
      4) Ensure proper initialization of log flags via xt_LOG, from
         Liping Zhang.
      
      5) Missing alias to autoload ipcomp, also from Liping Zhang.
      
      6) Missing NFTA_HASH_OFFSET attribute validation, again from Liping.
      
      7) Wrong integer type in the new nft_parse_u32_check() function,
         from Dan Carpenter.
      
      8) Another wrong integer type declaration in nft_exthdr_init, also
         from Dan Carpenter.
      
      9) Fix insufficient mode validation in nft_range.
      
      10) Fix compilation warning in nft_range due to possible uninitialized
          value, from Arnd Bergmann.
      
      11) Zero nf_hook_ops allocated via xt_hook_alloc() in x_tables to
          calm down kmemcheck, from Florian Westphal.
      
      12) Schedule gc_worker() to run again if GC_MAX_EVICTS quota is reached,
          from Nicolas Dichtel.
      
      13) Fix nf_queue() after conversion to single-linked hook list, related
          to incorrect bypass flag handling and incorrect hook point of
          reinjection.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8dbad1a8
    • F
      kexec: Export kexec_in_progress to modules · 97dcaa0f
      Florian Fainelli 提交于
      The bcm_sf2 driver uses kexec_in_progress to know whether it can power
      down an integrated PHY during shutdown, and can be built as a module.
      Other modules may be using this in the future, so export it.
      
      Fixes: 2399d614 ("net: dsa: bcm_sf2: Prevent GPHY shutdown for kexec'd kernels")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      97dcaa0f
    • E
      ipv4: disable BH in set_ping_group_range() · a681574c
      Eric Dumazet 提交于
      In commit 4ee3bd4a ("ipv4: disable BH when changing ip local port
      range") Cong added BH protection in set_local_port_range() but missed
      that same fix was needed in set_ping_group_range()
      
      Fixes: b8f1a556 ("udp: Add function to make source port for UDP tunnels")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NEric Salo <salo@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a681574c
    • E
      udp: must lock the socket in udp_disconnect() · 286c72de
      Eric Dumazet 提交于
      Baozeng Ding reported KASAN traces showing uses after free in
      udp_lib_get_port() and other related UDP functions.
      
      A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.
      
      I could write a reproducer with two threads doing :
      
      static int sock_fd;
      static void *thr1(void *arg)
      {
      	for (;;) {
      		connect(sock_fd, (const struct sockaddr *)arg,
      			sizeof(struct sockaddr_in));
      	}
      }
      
      static void *thr2(void *arg)
      {
      	struct sockaddr_in unspec;
      
      	for (;;) {
      		memset(&unspec, 0, sizeof(unspec));
      	        connect(sock_fd, (const struct sockaddr *)&unspec,
      			sizeof(unspec));
              }
      }
      
      Problem is that udp_disconnect() could run without holding socket lock,
      and this was causing list corruptions.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      286c72de
    • F
      net: dsa: bcm_sf2: Prevent GPHY shutdown for kexec'd kernels · 2399d614
      Florian Fainelli 提交于
      For a kernel that is being kexec'd we re-enable the integrated GPHY in
      order for the subsequent MDIO bus scan to succeed and properly bind to
      the bcm7xxx PHY driver. If we did not do that, the GPHY would be shut
      down by the time the MDIO driver is probing the bus, and it would fail
      to read the correct PHY OUI and therefore bind to an appropriate PHY
      driver. Later on, this would cause DSA not to be able to successfully
      attach to the PHY, and the interface would not be created at all.
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2399d614
    • D
      bpf, test: fix ld_abs + vlan push/pop stress test · 0d906b1e
      Daniel Borkmann 提交于
      After commit 636c2628 ("net: skbuff: Remove errornous length
      validation in skb_vlan_pop()") mentioned test case stopped working,
      throwing a -12 (ENOMEM) return code. The issue however is not due to
      636c2628, but rather due to a buggy test case that got uncovered
      from the change in behaviour in 636c2628.
      
      The data_size of that test case for the skb was set to 1. In the
      bpf_fill_ld_abs_vlan_push_pop() handler bpf insns are generated that
      loop with: reading skb data, pushing 68 tags, reading skb data,
      popping 68 tags, reading skb data, etc, in order to force a skb
      expansion and thus trigger that JITs recache skb->data. Problem is
      that initial data_size is too small.
      
      While before 636c2628, the test silently bailed out due to the
      skb->len < VLAN_ETH_HLEN check with returning 0, and now throwing an
      error from failing skb_ensure_writable(). Set at least minimum of
      ETH_HLEN as an initial length so that on first push of data, equivalent
      pop will succeed.
      
      Fixes: 4d9c5c53 ("test_bpf: add bpf_skb_vlan_push/pop() tests")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0d906b1e
    • S
      net: add recursion limit to GRO · fcd91dd4
      Sabrina Dubroca 提交于
      Currently, GRO can do unlimited recursion through the gro_receive
      handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
      to one level with encap_mark, but both VLAN and TEB still have this
      problem.  Thus, the kernel is vulnerable to a stack overflow, if we
      receive a packet composed entirely of VLAN headers.
      
      This patch adds a recursion counter to the GRO layer to prevent stack
      overflow.  When a gro_receive function hits the recursion limit, GRO is
      aborted for this skb and it is processed normally.  This recursion
      counter is put in the GRO CB, but could be turned into a percpu counter
      if we run out of space in the CB.
      
      Thanks to Vladimír Beneš <vbenes@redhat.com> for the initial bug report.
      
      Fixes: CVE-2016-7039
      Fixes: 9b174d88 ("net: Add Transparent Ethernet Bridging GRO support.")
      Fixes: 66e5133f ("vlan: Add GRO support for non hardware accelerated vlan")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NJiri Benc <jbenc@redhat.com>
      Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: NTom Herbert <tom@herbertland.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fcd91dd4
    • J
      ipv6: properly prevent temp_prefered_lft sysctl race · 7aa8e63f
      Jiri Bohac 提交于
      The check for an underflow of tmp_prefered_lft is always false
      because tmp_prefered_lft is unsigned. The intention of the check
      was to guard against racing with an update of the
      temp_prefered_lft sysctl, potentially resulting in an underflow.
      
      As suggested by David Miller, the best way to prevent the race is
      by reading the sysctl variable using READ_ONCE.
      Signed-off-by: NJiri Bohac <jbohac@suse.cz>
      Reported-by: NJulia Lawall <julia.lawall@lip6.fr>
      Fixes: 76506a98 ("IPv6: fix DESYNC_FACTOR")
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7aa8e63f