1. 29 Mar, 2021 4 commits
    • David S. Miller's avatar
      Merge branch 'mlxsw-ecn-marking' · 2dce6987
      David S. Miller authored
      Ido Schimmel says:
      
      ====================
      mlxsw: spectrum: Fix ECN marking in tunnel decapsulation
      
      Patch #1 fixes a discrepancy between the software and hardware data
      paths with regards to ECN marking after decapsulation. See the changelog
      for a detailed description.
      
      Patch #2 extends the ECN decap test to cover all possible combinations
      of inner and outer ECN markings. The test passes over both data paths.
      
      v2:
      * Only set ECT(1) if inner is ECT(0)
      * Introduce a new helper to determine inner ECN. Share it between NVE
        and IP-in-IP tunnels
      * Extend the selftest
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2dce6987
    • Ido Schimmel's avatar
      selftests: forwarding: vxlan_bridge_1d: Add more ECN decap test cases · 4bfd0de5
      Ido Schimmel authored
      Test that all possible combinations of inner and outer ECN bits result
      in the correct inner ECN marking according to RFC 6040 4.2.
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4bfd0de5
    • Ido Schimmel's avatar
      mlxsw: spectrum: Fix ECN marking in tunnel decapsulation · 66167c31
      Ido Schimmel authored
      Cited commit changed the behavior of the software data path with regards
      to the ECN marking of decapsulated packets. However, the commit did not
      change other callers of __INET_ECN_decapsulate(), namely mlxsw. The
      driver is using the function in order to ensure that the hardware and
      software data paths act the same with regards to the ECN marking of
      decapsulated packets.
      
      The discrepancy was uncovered by commit 5aa3c334 ("selftests:
      forwarding: vxlan_bridge_1d: Fix vxlan ecn decapsulate value") that
      aligned the selftest to the new behavior. Without this patch the
      selftest passes when used with veth pairs, but fails when used with
      mlxsw netdevs.
      
      Fix this by instructing the device to propagate the ECT(1) mark from the
      outer header to the inner header when the inner header is ECT(0), for
      both NVE and IP-in-IP tunnels.
      
      A helper is added in order not to duplicate the code between both tunnel
      types.
      
      Fixes: b7237487 ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040")
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarPetr Machata <petrm@nvidia.com>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66167c31
    • Lv Yunlong's avatar
      drivers/net/wan/hdlc_fr: Fix a double free in pvc_xmit · 1b479fb8
      Lv Yunlong authored
      In pvc_xmit, if __skb_pad(skb, pad, false) failed, it will free
      the skb in the first time and goto drop. But the same skb is freed
      by kfree_skb(skb) in the second time in drop.
      
      Maintaining the original function unchanged, my patch adds a new
      label out to avoid the double free if __skb_pad() failed.
      
      Fixes: f5083d0c ("drivers/net/wan/hdlc_fr: Improvements to the code of pvc_xmit")
      Signed-off-by: default avatarLv Yunlong <lyl2019@mail.ustc.edu.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b479fb8
  2. 26 Mar, 2021 10 commits
    • David S. Miller's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 75887e88
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2021-03-25
      
      This series contains updates to virtchnl header file and i40e driver.
      
      Norbert removes added padding from virtchnl RSS structures as this
      causes issues when iterating over the arrays.
      
      Mateusz adds Asym_Pause as supported to allow these settings to be set
      as the hardware supports it.
      
      Eryk fixes an issue where encountering a VF reset alongside releasing
      VFs could cause a call trace.
      
      Arkadiusz moves TC setup before resource setup as previously it was
      possible to enter with a null q_vector causing a kernel oops.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      75887e88
    • Eric Dumazet's avatar
      sch_red: fix off-by-one checks in red_check_params() · 3a87571f
      Eric Dumazet authored
      This fixes following syzbot report:
      
      UBSAN: shift-out-of-bounds in ./include/net/red.h:237:23
      shift exponent 32 is too large for 32-bit type 'unsigned int'
      CPU: 1 PID: 8418 Comm: syz-executor170 Not tainted 5.12.0-rc4-next-20210324-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x141/0x1d7 lib/dump_stack.c:120
       ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
       __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
       red_set_parms include/net/red.h:237 [inline]
       choke_change.cold+0x3c/0xc8 net/sched/sch_choke.c:414
       qdisc_create+0x475/0x12f0 net/sched/sch_api.c:1247
       tc_modify_qdisc+0x4c8/0x1a50 net/sched/sch_api.c:1663
       rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
       netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
       netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
       netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
       netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
       sock_sendmsg_nosec net/socket.c:654 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:674
       ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
       ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x43f039
      Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007ffdfa725168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f039
      RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
      RBP: 0000000000403020 R08: 0000000000400488 R09: 0000000000400488
      R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004030b0
      R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
      
      Fixes: 8afa10cb ("net_sched: red: Avoid illegal values")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3a87571f
    • David S. Miller's avatar
      Merge branch 'tunnel-shinfo' · 3cec1921
      David S. Miller authored
      Antoine Tenart says:
      
      ====================
      net: do not modify the shared tunnel info when PMTU triggers an ICMP reply
      
      The series fixes an issue were a shared ip_tunnel_info is modified when
      PMTU triggers an ICMP reply in vxlan and geneve, making following
      packets in that flow to have a wrong destination address if the flow
      isn't updated. A detailled information is given in each of the two
      commits.
      
      This was tested manually with OVS and I ran the PTMU selftests with
      kmemleak enabled (all OK, none was skipped).
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3cec1921
    • Antoine Tenart's avatar
      geneve: do not modify the shared tunnel info when PMTU triggers an ICMP reply · 68c1a943
      Antoine Tenart authored
      When the interface is part of a bridge or an Open vSwitch port and a
      packet exceed a PMTU estimate, an ICMP reply is sent to the sender. When
      using the external mode (collect metadata) the source and destination
      addresses are reversed, so that Open vSwitch can match the packet
      against an existing (reverse) flow.
      
      But inverting the source and destination addresses in the shared
      ip_tunnel_info will make following packets of the flow to use a wrong
      destination address (packets will be tunnelled to itself), if the flow
      isn't updated. Which happens with Open vSwitch, until the flow times
      out.
      
      Fixes this by uncloning the skb's ip_tunnel_info before inverting its
      source and destination addresses, so that the modification will only be
      made for the PTMU packet, not the following ones.
      
      Fixes: c1a800e8 ("geneve: Support for PMTU discovery on directly bridged links")
      Tested-by: default avatarEelco Chaudron <echaudro@redhat.com>
      Reviewed-by: default avatarEelco Chaudron <echaudro@redhat.com>
      Signed-off-by: default avatarAntoine Tenart <atenart@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      68c1a943
    • Antoine Tenart's avatar
      vxlan: do not modify the shared tunnel info when PMTU triggers an ICMP reply · 30a93d2b
      Antoine Tenart authored
      When the interface is part of a bridge or an Open vSwitch port and a
      packet exceed a PMTU estimate, an ICMP reply is sent to the sender. When
      using the external mode (collect metadata) the source and destination
      addresses are reversed, so that Open vSwitch can match the packet
      against an existing (reverse) flow.
      
      But inverting the source and destination addresses in the shared
      ip_tunnel_info will make following packets of the flow to use a wrong
      destination address (packets will be tunnelled to itself), if the flow
      isn't updated. Which happens with Open vSwitch, until the flow times
      out.
      
      Fixes this by uncloning the skb's ip_tunnel_info before inverting its
      source and destination addresses, so that the modification will only be
      made for the PTMU packet, not the following ones.
      
      Fixes: fc68c995 ("vxlan: Support for PMTU discovery on directly bridged links")
      Tested-by: default avatarEelco Chaudron <echaudro@redhat.com>
      Reviewed-by: default avatarEelco Chaudron <echaudro@redhat.com>
      Signed-off-by: default avatarAntoine Tenart <atenart@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30a93d2b
    • David S. Miller's avatar
      Merge branch 'nfc-fixes' · aa5a5b7a
      David S. Miller authored
      Xiaoming Ni says:
      
      ====================
      nfc: fix Resource leakage and endless loop
      
      fix Resource leakage and endless loop in net/nfc/llcp_sock.c,
       reported by "kiyin(尹亮)".
      
      Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
      ====================
      math: Export mul_u64_u64_div_u64
      
      Fixes: f51d7bf1 ("ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aa5a5b7a
    • Xiaoming Ni's avatar
      nfc: Avoid endless loops caused by repeated llcp_sock_connect() · 4b5db93e
      Xiaoming Ni authored
      When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
       LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
       nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
       sk->sk_node->next will point to itself, that will make an endless loop
       and hang-up the system.
      To fix it, check whether sk->sk_state is LLCP_CONNECTING in
       llcp_sock_connect() to avoid repeated invoking.
      
      Fixes: b4011239 ("NFC: llcp: Fix non blocking sockets connections")
      Reported-by: default avatar"kiyin(尹亮)" <kiyin@tencent.com>
      Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
      Cc: <stable@vger.kernel.org> #v3.11
      Signed-off-by: default avatarXiaoming Ni <nixiaoming@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4b5db93e
    • Xiaoming Ni's avatar
      nfc: fix memory leak in llcp_sock_connect() · 7574fcdb
      Xiaoming Ni authored
      In llcp_sock_connect(), use kmemdup to allocate memory for
       "llcp_sock->service_name". The memory is not released in the sock_unlink
      label of the subsequent failure branch.
      As a result, memory leakage occurs.
      
      fix CVE-2020-25672
      
      Fixes: d646960f ("NFC: Initial LLCP support")
      Reported-by: default avatar"kiyin(尹亮)" <kiyin@tencent.com>
      Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
      Cc: <stable@vger.kernel.org> #v3.3
      Signed-off-by: default avatarXiaoming Ni <nixiaoming@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7574fcdb
    • Xiaoming Ni's avatar
      nfc: fix refcount leak in llcp_sock_connect() · 8a4cd82d
      Xiaoming Ni authored
      nfc_llcp_local_get() is invoked in llcp_sock_connect(),
      but nfc_llcp_local_put() is not invoked in subsequent failure branches.
      As a result, refcount leakage occurs.
      To fix it, add calling nfc_llcp_local_put().
      
      fix CVE-2020-25671
      Fixes: c7aa1225 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
      Reported-by: default avatar"kiyin(尹亮)" <kiyin@tencent.com>
      Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
      Cc: <stable@vger.kernel.org> #v3.6
      Signed-off-by: default avatarXiaoming Ni <nixiaoming@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a4cd82d
    • Xiaoming Ni's avatar
      nfc: fix refcount leak in llcp_sock_bind() · c33b1cc6
      Xiaoming Ni authored
      nfc_llcp_local_get() is invoked in llcp_sock_bind(),
      but nfc_llcp_local_put() is not invoked in subsequent failure branches.
      As a result, refcount leakage occurs.
      To fix it, add calling nfc_llcp_local_put().
      
      fix CVE-2020-25670
      Fixes: c7aa1225 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
      Reported-by: default avatar"kiyin(尹亮)" <kiyin@tencent.com>
      Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
      Cc: <stable@vger.kernel.org> #v3.6
      Signed-off-by: default avatarXiaoming Ni <nixiaoming@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c33b1cc6
  3. 25 Mar, 2021 26 commits