- 11 Jan, 2016 10 commits
-
-
John Fastabend authored
Fix possible null pointer dereference that may occur when calling skb_reserve() on a null skb. Fixes: 879c7220 ("net: pktgen: Observe needed_headroom of the device") Signed-off-by:
John Fastabend <john.r.fastabend@intel.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Sergei Shtylyov says: ==================== Fix some dubious code in the Renesas Ethernet drivers Here's a set of 2 patches against DaveM's 'net.git' repo. While initializing EMAC the code tries to respect the duplex mode both programmed into ECMR and stored in its own private data -- this just can't be right. [1/2] ravb: stop reading ECMR in ravb_emac_init() [2/2] sh_eth: stop reading ECMR in sh_eth_dev_init() ==================== Signed-off-by: -
Sergei Shtylyov authored
The code in sh_eth_dev_init() twiddling the ECMR bits always looked a bit strange to me: if one intends to respect 'mdp->duplex', why save old value of the ECMR.DM bit? As all the other bits are zeroed anyway, we don't really need to read ECMR before writing to it. Signed-off-by:
Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by:
-
Sergei Shtylyov authored
The code in ravb_emac_init() twiddling the ECMR bits always looked a bit strange to me: if one intends to respect 'priv->duplex', why save old value of the ECMR.DM bit? As all the other bits are zeroed anyway, we don't really need to read ECMR before writing to it. Signed-off-by:
-
Jamal Hadi Salim authored
only when user space passes the addresses should we consider their presence Signed-off-by:
Jamal Hadi Salim <jhs@mojatatu.com> Acked-by:
Jiri Pirko <jiri@resnulli.us> Signed-off-by:
-
Neal Cardwell authored
For tcp_yeah, use an ssthresh floor of 2, the same floor used by Reno and CUBIC, per RFC 5681 (equation 4). tcp_yeah_ssthresh() was sometimes returning a 0 or negative ssthresh value if the intended reduction is as big or bigger than the current cwnd. Congestion control modules should never return a zero or negative ssthresh. A zero ssthresh generally results in a zero cwnd, causing the connection to stall. A negative ssthresh value will be interpreted as a u32 and will set a target cwnd for PRR near 4 billion. Oleksandr Natalenko reported that a system using tcp_yeah with ECN could see a warning about a prior_cwnd of 0 in tcp_cwnd_reduction(). Testing verified that this was due to tcp_yeah_ssthresh() misbehaving in this way. Reported-by:
Oleksandr Natalenko <oleksandr@natalenko.name> Signed-off-by:
Neal Cardwell <ncardwell@google.com> Signed-off-by:
Yuchung Cheng <ycheng@google.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
Marcelo Ricardo Leitner authored
Dmitry Vyukov reported a use-after-free in the code expanded by the macro debug_post_sfx, which is caused by the use of the asoc pointer after it was freed within sctp_side_effect() scope. This patch fixes it by allowing sctp_side_effect to clear that asoc pointer when the TCB is freed. As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case because it will trigger DELETE_TCB too on that same loop. Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme above. Fix it by returning SCTP_DISPOSITION_ABORT instead. The macro is already prepared to handle such NULL pointer. Reported-by:
Dmitry Vyukov <dvyukov@google.com> Signed-off-by:
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Acked-by:
Vlad Yasevich <vyasevich@gmail.com> Signed-off-by:
-
Ido Schimmel authored
Dumping the FDB (invoked with a process context) or handling FDB notifications (polled periodicly in delayed work) might each entail multiple EMAD transcations due to the number of entries. While we only allow one EMAD transaction at a time, there is nothing stopping the dump and notification processing sessions from interleaving. However, this is forbidden by the hardware, so we need to make sure only one of these sessions can run at a time. Solve this by adding a mutex ('fdb_lock'), as both kernel threads can sleep while waiting for the response EMAD. Fixes: 56ade8fe ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by:Ido Schimmel <idosch@mellanox.com> Signed-off-by:
Jiri Pirko <jiri@mellanox.com> Signed-off-by:
-
willy tarreau authored
It is possible for a process to allocate and accumulate far more FDs than the process' limit by sending them over a unix socket then closing them to keep the process' fd count low. This change addresses this problem by keeping track of the number of FDs in flight per user and preventing non-privileged processes from having more FDs in flight than their configured FD limit. Reported-by: socketpair@gmail.com Reported-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Mitigates: CVE-2013-4312 (Linux 2.0+) Suggested-by:
Linus Torvalds <torvalds@linux-foundation.org> Acked-by:
Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by:
Willy Tarreau <w@1wt.eu> Signed-off-by:
-
Eric Dumazet authored
When first SYNACK is sent, we already hold rcu_read_lock(), but this is not true if a SYNACK is retransmitted, as a timer (soft) interrupt does not hold rcu_read_lock() Fixes: 45f6fad8 ("ipv6: add complete rcu protection around np->opt") Reported-by:
Dave Jones <davej@codemonkey.org.uk> Signed-off-by:
-
- 10 Jan, 2016 5 commits
-
-
Sasha Levin authored
proc_dostring() needs an initialized destination string, while the one provided in proc_sctp_do_hmac_alg() contains stack garbage. Thus, writing to cookie_hmac_alg would strlen() that garbage and end up accessing invalid memory. Fixes: 3c68198e ("sctp: Make hmac algorithm selection for cookie generation dynamic") Signed-off-by:
Sasha Levin <sasha.levin@oracle.com> Signed-off-by:
-
Kristian Evensen authored
SIMCom 7230E is a QMI LTE module with support for most "normal" bands. Manual testing has showed that only interface five works. Cc: Bjørn Mork <bjorn@mork.no> Signed-off-by:
Kristian Evensen <kristian.evensen@gmail.com> Acked-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
Hannes Frederic Sowa authored
udp tunnel offloads tend to aggregate datagrams based on inner headers. gro engine gets notified by tunnel implementations about possible offloads. The match is solely based on the port number. Imagine a tunnel bound to port 53, the offloading will look into all DNS packets and tries to aggregate them based on the inner data found within. This could lead to data corruption and malformed DNS packets. While this patch minimizes the problem and helps an administrator to find the issue by querying ip tunnel/fou, a better way would be to match on the specific destination ip address so if a user space socket is bound to the same address it will conflict. Cc: Tom Herbert <tom@herbertland.com> Cc: Eric Dumazet <edumazet@google.com> Signed-off-by:
-
Nicolas Dichtel authored
When a vxlan interface is created, the driver checks that there is not another vxlan interface with the same properties. To do this, it checks the existing vxlan udp socket. Since commit 1c51a915, the creation of the vxlan socket is done only when the interface is set up, thus it breaks that test. Example: $ ip l a vxlan10 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0 $ ip l a vxlan11 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0 $ ip -br l | grep vxlan vxlan10 DOWN f2:55:1c:6a:fb:00 <BROADCAST,MULTICAST> vxlan11 DOWN 7a:cb:b9:38:59:0d <BROADCAST,MULTICAST> Instead of checking sockets, let's loop over the vxlan iface list. Fixes: 1c51a915 ("vxlan: fix race caused by dropping rtnl_unlock") Reported-by:
Thomas Faivre <thomas.faivre@6wind.com> Signed-off-by:
Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by:
-
Oliver Neukum authored
The union descriptor must be checked. Its usage was conditional before the parser was introduced. This is important, because many RNDIS device, which also use the common parser, have bogus extra descriptors. Signed-off-by:
Oliver Neukum <oneukum@suse.com> Tested-by:
Vasily Galkin <galkin-vv@yandex.ru> Signed-off-by:
-
- 09 Jan, 2016 3 commits
-
-
hayeswang authored
When the autosuspend is enabled and occurs before system suspend, we should wake the device before running system syspend. Then, we could change the wake event for system suspend. Otherwise, the device would resume the system when receiving any packet. Signed-off-by:
Hayes Wang <hayeswang@realtek.com> Signed-off-by:
-
Roosen Henri authored
Commit 651df218 ("phy: micrel: Fix finding PHY properties in MAC node.") only fixes finding PHY properties in MAC node for KSZ9021. This commit applies the same fix for KSZ9031. Fixes: 8b63ec18 ("phylib: Make PHYs children of their MDIO bus, not the bus' parent.") Acked-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
Henri Roosen <henri.roosen@ginzinger.com> Signed-off-by:
-
git://git.open-mesh.org/linux-mergeDavid S. Miller authored
Antonio Quartulli says: ==================== Included change: - Fix invalid read while copying bat_iv.bcast_own by Sven Eckelmann ==================== Signed-off-by:
-
- 08 Jan, 2016 2 commits
-
-
Dan Carpenter authored
I noticed this code because it has a typo in the module_param(), the "trs" at the end of "toim3232fliptrs" should be "rts". But it's dead code so instead of fixing it, I just deleted it. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Dan Carpenter authored
There is no "membase", it was "act_port" that was intended. Signed-off-by:
-
- 07 Jan, 2016 3 commits
-
-
Woojung.Huh@microchip.com authored
This patch fixes a bug writing to EEPROM in lan78xx_ethtool_set_eeprom() when asked to write to OTP. Signed-off-by:
Woojung Huh <woojung.huh@microchip.com> Signed-off-by:
-
Sven Eckelmann authored
batadv_iv_ogm_orig_del_if removes a part of the bcast_own which previously belonged to the now removed interface. This is done by copying all data which comes before the removed interface and then appending all the data which comes after the removed interface. The address calculation for the position of the data which comes after the removed interface assumed that the bat_iv.bcast_own is a pointer to a single byte datatype. But it is a pointer to unsigned long and thus the calculated position was wrong off factor sizeof(unsigned long). Fixes: 83a8342678a0 ("more basic routing code added (forwarding packets / bitarray added)") Signed-off-by:Sven Eckelmann <sven@narfation.org> Signed-off-by:
Marek Lindner <mareklindner@neomailbox.ch> Signed-off-by:
Antonio Quartulli <a@unstable.cc>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds authored
Pull networking fixes from David Miller: "As usual, there are a couple straggler bug fixes: 1) qlcnic_alloc_mbx_args() error returns are not checked in qlcnic driver. Fix from Insu Yun. 2) SKB refcounting bug in connector, from Florian Westphal. 3) vrf_get_saddr() has to propagate fib_lookup() errors to it's callers, from David Ahern. 4) Fix AF_UNIX splice/bind deadlock, from Rainer Weikusat. 5) qdisc_rcu_free() fails to free the per-cpu qstats. Fix from John Fastabend. 6) vmxnet3 driver passes wrong page to dma_map_page(), fix from Shrikrishna Khare. 7) Don't allow zero cwnd in tcp_cwnd_reduction(), from Yuchung Cheng" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: tcp: fix zero cwnd in tcp_cwnd_reduction Driver: Vmxnet3: Fix regression caused by 5738a09d net: qmi_wwan: Add WeTelecom-WPD600N mkiss: fix scribble on freed memory net: possible use after free in dst_release net: sched: fix missing free per cpu on qstats ARM: net: bpf: fix zero right shift 6pack: fix free memory scribbles net: filter: make JITs zero A for SKF_AD_ALU_XOR_X bridge: Only call /sbin/bridge-stp for the initial network namespace af_unix: Fix splice-bind deadlock net: Propagate lookup failure in l3mdev_get_saddr to caller r8152: add reset_resume function connector: bump skb->users before callback invocation cxgb4: correctly handling failed allocation qlcnic: correctly handle qlcnic_alloc_mbx_args
-
- 06 Jan, 2016 9 commits
-
-
Yuchung Cheng authored
Patch 3759824d ("tcp: PRR uses CRB mode by default and SS mode conditionally") introduced a bug that cwnd may become 0 when both inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead to a div-by-zero if the connection starts another cwnd reduction phase by setting tp->prior_cwnd to the current cwnd (0) in tcp_init_cwnd_reduction(). To prevent this we skip PRR operation when nothing is acked or sacked. Then cwnd must be positive in all cases as long as ssthresh is positive: 1) The proportional reduction mode inflight > ssthresh > 0 2) The reduction bound mode a) inflight == ssthresh > 0 b) inflight < ssthresh sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh Therefore in all cases inflight and sndcnt can not both be 0. We check invalid tp->prior_cwnd to avoid potential div0 bugs. In reality this bug is triggered only with a sequence of less common events. For example, the connection is terminating an ECN-triggered cwnd reduction with an inflight 0, then it receives reordered/old ACKs or DSACKs from prior transmission (which acks nothing). Or the connection is in fast recovery stage that marks everything lost, but fails to retransmit due to local issues, then receives data packets from other end which acks nothing. Fixes: 3759824d ("tcp: PRR uses CRB mode by default and SS mode conditionally") Reported-by:
-
Shrikrishna Khare authored
Reported-by:
Bingkuo Liu <bingkuol@vmware.com> Signed-off-by:
Shrikrishna Khare <skhare@vmware.com> Signed-off-by:
-
Kristian Evensen authored
The WeTelecom-WPD600N is an LTE module that, in addition to supporting most "normal" bands, also supports LTE over 450MHz. Manual testing showed that only interface number three replies to QMI messages. Cc: Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
Alan authored
commit d79f16c0 fixed a user triggerable scribble on free memory but added a new one which allows the user to scribble even more and user controlled data into freed space. As with 6pack we need to halt the queue before we free the buffers, because the transmit logic is not protected by the semaphore. Signed-off-by:
Alan Cox <alan@linux.intel.com> Signed-off-by:
-
Francesco Ruggeri authored
dst_release should not access dst->flags after decrementing __refcnt to 0. The dst_entry may be in dst_busy_list and dst_gc_task may dst_destroy it before dst_release gets a chance to access dst->flags. Fixes: d69bbf88 ("net: fix a race in dst_release()") Fixes: 27b75c95 ("net: avoid RCU for NOCACHE dst") Signed-off-by:
Francesco Ruggeri <fruggeri@arista.com> Acked-by:
-
John Fastabend authored
When a qdisc is using per cpu stats (currently just the ingress qdisc) only the bstats are being freed. This also free's the qstats. Fixes: b0ab6f92 ("net: sched: enable per cpu qstats") Signed-off-by:
Daniel Borkmann <daniel@iogearbox.net> Signed-off-by:
-
Rabin Vincent authored
The LSR instruction cannot be used to perform a zero right shift since a 0 as the immediate value (imm5) in the LSR instruction encoding means that a shift of 32 is perfomed. See DecodeIMMShift() in the ARM ARM. Make the JIT skip generation of the LSR if a zero-shift is requested. This was found using american fuzzy lop. Signed-off-by:
Rabin Vincent <rabin@rab.in> Acked-by:
Alexei Starovoitov <ast@kernel.org> Signed-off-by:
-
One Thousand Gnomes authored
commit acf673a3 fixed a user triggerable free memory scribble but in doing so replaced it with a different one that allows the user to control the data and scribble even more. sixpack_close is called by the tty layer in tty context. The tty context is protected by sp_get() and sp_put(). However network layer activity via sp_xmit() is not protected this way. We must therefore stop the queue otherwise the user gets to dump a buffer mostly of their choice into freed kernel pages. Signed-off-by:
-
Rabin Vincent authored
The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data instructions since it XORs A with X while all the others replace A with some loaded value. All the BPF JITs fail to clear A if this is used as the first instruction in a filter. This was found using american fuzzy lop. Add a helper to determine if A needs to be cleared given the first instruction in a filter, and use this in the JITs. Except for ARM, the rest have only been compile-tested. Fixes: 34805931 ("net: filter: get rid of BPF_S_* enum") Signed-off-by:
-
- 05 Jan, 2016 8 commits
-
-
Hannes Frederic Sowa authored
[I stole this patch from Eric Biederman. He wrote:] > There is no defined mechanism to pass network namespace information > into /sbin/bridge-stp therefore don't even try to invoke it except > for bridge devices in the initial network namespace. > > It is possible for unprivileged users to cause /sbin/bridge-stp to be > invoked for any network device name which if /sbin/bridge-stp does not > guard against unreasonable arguments or being invoked twice on the > same network device could cause problems. [Hannes: changed patch using netns_eq] Cc: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by:
Eric W. Biederman <ebiederm@xmission.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-traceLinus Torvalds authored
Pull tracing fixes from Steven Rostedt: "Two more fixes: 1. The recordmcount change had an output that used sprintf() (incorrectly) when it should have been a fprintf() to stderr. 2. The printk_formats file could crash if someone added a trace_printk() in the core kernel, and also added one in a module. This does not affect production kernels. Only kernels where developers add trace_printk() for debugging can crash" * tag 'trace-v4.4-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing: Fix setting of start_index in find_next() ftrace/scripts: Fix incorrect use of sprintf in recordmcount -
git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tileLinus Torvalds authored
Pull tile bugfix from Chris Metcalf: "This fixes a bug that Sudip's buildbot found for tilepro allmodconfig. I've tagged it for stable only back to 3.19, which was when most of the other affected architectures added their support for working around this issue" * 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile: tile: provide CONFIG_PAGE_SIZE_64KB etc for tilepro
-
Chris Metcalf authored
This allows the build system to know that it can't attempt to configure the Lustre virtual block device, for example, when tilepro is using 64KB pages (as it does by default). The tilegx build already provided those symbols. Previously we required that the tilepro hypervisor be rebuilt with a different hardcoded page size in its headers, and then Linux be rebuilt using the updated hypervisor header. Now we allow each of the hypervisor and Linux to be built independently. We still check at boot time to ensure that the page size provided by the hypervisor matches what Linux expects. Signed-off-by:Chris Metcalf <cmetcalf@ezchip.com> Cc: stable@vger.kernel.org [3.19+]
-
Rainer Weikusat authored
On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice system call and AF_UNIX sockets, http://lists.openwall.net/netdev/2015/11/06/24 The situation was analyzed as (a while ago) A: socketpair() B: splice() from a pipe to /mnt/regular_file does sb_start_write() on /mnt C: try to freeze /mnt wait for B to finish with /mnt A: bind() try to bind our socket to /mnt/new_socket_name lock our socket, see it not bound yet decide that it needs to create something in /mnt try to do sb_start_write() on /mnt, block (it's waiting for C). D: splice() from the same pipe to our socket lock the pipe, see that socket is connected try to lock the socket, block waiting for A B: get around to actually feeding a chunk from pipe to file, try to lock the pipe. Deadlock. on 2015/11/10 by Al Viro, http://lists.openwall.net/netdev/2015/11/10/4 The patch fixes this by removing the kern_path_create related code from unix_mknod and executing it as part of unix_bind prior acquiring the readlock of the socket in question. This means that A (as used above) will sb_start_write on /mnt before it acquires the readlock, hence, it won't indirectly block B which first did a sb_start_write and then waited for a thread trying to acquire the readlock. Consequently, A being blocked by C waiting for B won't cause a deadlock anymore (effectively, both A and B acquire two locks in opposite order in the situation described above). Dmitry Vyukov(<dvyukov@google.com>) tested the original patch. Signed-off-by:
Rainer Weikusat <rweikusat@mobileactivedefense.com> Signed-off-by:
-
David Ahern authored
Commands run in a vrf context are not failing as expected on a route lookup: root@kenny:~# ip ro ls table vrf-red unreachable default root@kenny:~# ping -I vrf-red -c1 -w1 10.100.1.254 ping: Warning: source address might be selected on device other than vrf-red. PING 10.100.1.254 (10.100.1.254) from 0.0.0.0 vrf-red: 56(84) bytes of data. --- 10.100.1.254 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 999ms Since the vrf table does not have a route for 10.100.1.254 the ping should have failed. The saddr lookup causes a full VRF table lookup. Propogating a lookup failure to the user allows the command to fail as expected: root@kenny:~# ping -I vrf-red -c1 -w1 10.100.1.254 connect: No route to host Signed-off-by:David Ahern <dsa@cumulusnetworks.com> Signed-off-by:
-
hayeswang authored
When the reset_resume() is called, the flag of SELECTIVE_SUSPEND should be cleared and reinitialize the device, whether the SELECTIVE_SUSPEND is set or not. If reset_resume() is called, it means the power supply is cut or the device is reset. That is, the device wouldn't be in runtime suspend state and the reinitialization is necessary. Signed-off-by:
-
Florian Westphal authored
Dmitry reports memleak with syskaller program. Problem is that connector bumps skb usecount but might not invoke callback. So move skb_get to where we invoke the callback. Reported-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
-
