1. 06 Jun, 2016 1 commit
    • Marco Angaroni's avatar
      ipvs: update real-server binding of outgoing connections in SIP-pe · 3ec10d3a
      Marco Angaroni authored
      Previous patch that introduced handling of outgoing packets in SIP
      persistent-engine did not call ip_vs_check_template() in case packet was
      matching a connection template. Assumption was that real-server was
      healthy, since it was sending a packet just in that moment.
      
      There are however real-server fault conditions requiring that association
      between call-id and real-server (represented by connection template)
      gets updated. Here is an example of the sequence of events:
        1) RS1 is a back2back user agent that handled call-id1 and call-id2
        2) RS1 is down and was marked as unavailable
        3) new message from outside comes to IPVS with call-id1
        4) IPVS reschedules the message to RS2, which becomes new call handler
        5) RS2 forwards the message outside, translating call-id1 to call-id2
        6) inside pe->conn_out() IPVS matches call-id2 with existing template
        7) IPVS does not change association call-id2 <-> RS1
        8) new message comes from client with call-id2
        9) IPVS reschedules the message to a real-server potentially different
           from RS2, which is now the correct destination
      
      This patch introduces ip_vs_check_template() call in the handling of
      outgoing packets for SIP-pe. And also introduces a second optional
      argument for ip_vs_check_template() that allows to check if dest
      associated to a connection template is the same dest that was identified
      as the source of the packet. This is to change the real-server bound to a
      particular call-id independently from its availability status: the idea
      is that it's more reliable, for in->out direction (where internal
      network can be considered trusted), to always associate a call-id with
      the last real-server that used it in one of its messages. Think about
      above sequence of events where, just after step 5, RS1 returns instead
      to be available.
      
      Comparison of dests is done by simply comparing pointers to struct
      ip_vs_dest; there should be no cases where struct ip_vs_dest keeps its
      memory address, but represent a different real-server in terms of
      ip-address / port.
      
      Fixes: 39b97223 ("ipvs: handle connections started by real-servers")
      Signed-off-by: default avatarMarco Angaroni <marcoangaroni@gmail.com>
      Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      3ec10d3a
  2. 02 Jun, 2016 5 commits
    • Florian Westphal's avatar
      netfilter: x_tables: don't reject valid target size on some architectures · 7b7eba0f
      Florian Westphal authored
      Quoting John Stultz:
        In updating a 32bit arm device from 4.6 to Linus' current HEAD, I
        noticed I was having some trouble with networking, and realized that
        /proc/net/ip_tables_names was suddenly empty.
        Digging through the registration process, it seems we're catching on the:
      
         if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
             target_offset + sizeof(struct xt_standard_target) != next_offset)
               return -EINVAL;
      
        Where next_offset seems to be 4 bytes larger then the
        offset + standard_target struct size.
      
      next_offset needs to be aligned via XT_ALIGN (so we can access all members
      of ip(6)t_entry struct).
      
      This problem didn't show up on i686 as it only needs 4-byte alignment for
      u64, but iptables userspace on other 32bit arches does insert extra padding.
      Reported-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Tested-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Fixes: 7ed2abdd ("netfilter: x_tables: check standard target size too")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7b7eba0f
    • Arnd Bergmann's avatar
      qed: fix qed_fill_link() error handling · 14b84e86
      Arnd Bergmann authored
      gcc warns about qed_fill_link possibly accessing uninitialized data:
      
      drivers/net/ethernet/qlogic/qed/qed_main.c: In function 'qed_fill_link':
      drivers/net/ethernet/qlogic/qed/qed_main.c:1170:35: error: 'link_caps' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      While this warning is only about the specific case of CONFIG_QED_SRIOV
      being disabled but the function getting called for a VF (which should
      never happen), another possibility is that qed_mcp_get_*() fails without
      returning data.
      
      This rearranges the code so we bail out in either of the two cases
      and print a warning instead of accessing the uninitialized data.
      
      The qed_link_output structure remains untouched in this case, but
      all callers first call memset() on it, so at least we are not leaking
      stack data then.
      
      As discussed, we also use a compile-time check to ensure we never
      use any of the VF code if CONFIG_QED_SRIOV is disabled, and the
      PCI device table is updated to no longer bind to virtual functions
      in that configuration.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarYuval Mintz <Yuval.Mintz@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      14b84e86
    • Colin Ian King's avatar
      net/ethoc: fix null dereference on error exit path · bfa49cfc
      Colin Ian King authored
      priv is assigned to NULL however some of the early error exit paths to
      label 'free' dereference priv, causing a null pointer dereference.
      
      Move the label 'free' to just the free_netdev statement, and add a new
      exit path 'free2' for the error cases were clk_disable_unprepare needs
      calling before the final free.
      
      Fixes issue found by CoverityScan, CID#113260
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bfa49cfc
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · fc14963f
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Fix incorrect timestamp in nfnetlink_queue introduced when addressing
         y2038 safe timestamp, from Florian Westphal.
      
      2) Get rid of leftover conntrack definition from the previous merge
         window, oneliner from Florian.
      
      3) Make nf_queue handler pernet to resolve race on dereferencing the
         hook state structure with netns removal, from Eric Biederman.
      
      4) Ensure clean exit on unregistered helper ports, from Taehee Yoo.
      
      5) Restore FLOWI_FLAG_KNOWN_NH in nf_dup_ipv6. This got lost while
         generalizing xt_TEE to add packet duplication support in nf_tables,
         from Paolo Abeni.
      
      6) Insufficient netlink NFTA_SET_TABLE attribute check in
         nf_tables_getset(), from Phil Turnbull.
      
      7) Reject helper registration on duplicated ports via modparams.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc14963f
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2016-06-01' of... · 31843af4
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2016-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Three small fixes for the current cycle:
       * missing netlink attribute check in hwsim wmediumd (Martin)
       * fast xmit structure alignment fix (Felix)
       * mesh path flush/synchronisation fix (Bob)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31843af4
  3. 01 Jun, 2016 3 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 6b15d665
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix negative error code usage in ATM layer, from Stefan Hajnoczi.
      
       2) If CONFIG_SYSCTL is disabled, the default TTL is not initialized
          properly.  From Ezequiel Garcia.
      
       3) Missing spinlock init in mvneta driver, from Gregory CLEMENT.
      
       4) Missing unlocks in hwmb error paths, also from Gregory CLEMENT.
      
       5) Fix deadlock on team->lock when propagating features, from Ivan
          Vecera.
      
       6) Work around buffer offset hw bug in alx chips, from Feng Tang.
      
       7) Fix double listing of SCTP entries in sctp_diag dumps, from Xin
          Long.
      
       8) Various statistics bug fixes in mlx4 from Eric Dumazet.
      
       9) Fix some randconfig build errors wrt fou ipv6 from Arnd Bergmann.
      
      10) All of l2tp was namespace aware, but the ipv6 support code was not
          doing so.  From Shmulik Ladkani.
      
      11) Handle on-stack hrtimers properly in pktgen, from Guenter Roeck.
      
      12) Propagate MAC changes properly through VLAN devices, from Mike
          Manning.
      
      13) Fix memory leak in bnx2x_init_one(), from Vitaly Kuznetsov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (62 commits)
        sfc: Track RPS flow IDs per channel instead of per function
        usbnet: smsc95xx: fix link detection for disabled autonegotiation
        virtio_net: fix virtnet_open and virtnet_probe competing for try_fill_recv
        bnx2x: avoid leaking memory on bnx2x_init_one() failures
        fou: fix IPv6 Kconfig options
        openvswitch: update checksum in {push,pop}_mpls
        sctp: sctp_diag should dump sctp socket type
        net: fec: update dirty_tx even if no skb
        vlan: Propagate MAC address to VLANs
        atm: iphase: off by one in rx_pkt()
        atm: firestream: add more reserved strings
        vxlan: Accept user specified MTU value when create new vxlan link
        net: pktgen: Call destroy_hrtimer_on_stack()
        timer: Export destroy_hrtimer_on_stack()
        net: l2tp: Make l2tp_ip6 namespace aware
        Documentation: ip-sysctl.txt: clarify secure_redirects
        sfc: use flow dissector helpers for aRFS
        ieee802154: fix logic error in ieee802154_llsec_parse_dev_addr
        net: nps_enet: Disable interrupts before napi reschedule
        net/lapb: tuse %*ph to dump buffers
        ...
      6b15d665
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 58c1f995
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "sparc64 mmu context allocation and trap return bug fixes"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix return from trap window fill crashes.
        sparc: Harden signal return frame checks.
        sparc64: Take ctx_alloc_lock properly in hugetlb_setup().
      58c1f995
    • Jon Cooper's avatar
      sfc: Track RPS flow IDs per channel instead of per function · faf8dcc1
      Jon Cooper authored
      Otherwise we get confused when two flows on different channels get the
       same flow ID.
      Signed-off-by: default avatarEdward Cree <ecree@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      faf8dcc1
  4. 31 May, 2016 19 commits
    • Christoph Fritz's avatar
      usbnet: smsc95xx: fix link detection for disabled autonegotiation · d69d1694
      Christoph Fritz authored
      To detect link status up/down for connections where autonegotiation is
      explicitly disabled, we don't get an irq but need to poll the status
      register for link up/down detection.
      This patch adds a workqueue to poll for link status.
      Signed-off-by: default avatarChristoph Fritz <chf.fritz@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d69d1694
    • wangyunjian's avatar
      virtio_net: fix virtnet_open and virtnet_probe competing for try_fill_recv · f00e35e2
      wangyunjian authored
      In function virtnet_open() and virtnet_probe(), func try_fill_recv() may
      be executed at the same time. VQ in virtqueue_add() has not been protected
      well and BUG_ON will be triggered when virito_net.ko being removed.
      Signed-off-by: default avatarYunjian Wang <wangyunjian@huawei.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f00e35e2
    • Vitaly Kuznetsov's avatar
      bnx2x: avoid leaking memory on bnx2x_init_one() failures · bae5499c
      Vitaly Kuznetsov authored
      bnx2x_init_bp() allocates memory with bnx2x_alloc_mem_bp() so if we
      fail later in bnx2x_init_one() we need to free this memory
      with bnx2x_free_mem_bp() to avoid leakages. E.g. I'm observing memory
      leaks reported by kmemleak when a failure (unrelated) happens in
      bnx2x_vfpf_acquire().
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Acked-by: default avatarYuval Mintz <Yuval.Mintz@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bae5499c
    • Arnd Bergmann's avatar
      fou: fix IPv6 Kconfig options · 95e4daa8
      Arnd Bergmann authored
      The Kconfig options I added to work around broken compilation ended
      up screwing up things more, as I used the wrong symbol to control
      compilation of the file, resulting in IPv6 fou support to never be built
      into the kernel.
      
      Changing CONFIG_NET_FOU_IPV6_TUNNELS to CONFIG_IPV6_FOU fixes that
      problem, I had renamed the symbol in one location but not the other,
      and as the file is never being used by other kernel code, this did not
      lead to a build failure that I would have caught.
      
      After that fix, another issue with the same patch becomes obvious, as we
      'select INET6_TUNNEL', which is related to IPV6_TUNNEL, but not the same,
      and this can still cause the original build failure when IPV6_TUNNEL is
      not built-in but IPV6_FOU is. The fix is equally trivial, we just need
      to select the right symbol.
      
      I have successfully build 350 randconfig kernels with this patch
      and verified that the driver is now being built.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reported-by: default avatarValentin Rothberg <valentinrothberg@gmail.com>
      Fixes: fabb13db ("fou: add Kconfig options for IPv6 support")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      95e4daa8
    • Simon Horman's avatar
      openvswitch: update checksum in {push,pop}_mpls · bc7cc599
      Simon Horman authored
      In the case of CHECKSUM_COMPLETE the skb checksum should be updated in
      {push,pop}_mpls() as they the type in the ethernet header.
      
      As suggested by Pravin Shelar.
      
      Cc: Pravin Shelar <pshelar@nicira.com>
      Fixes: 25cd9ba0 ("openvswitch: Add basic MPLS support to kernel")
      Signed-off-by: default avatarSimon Horman <simon.horman@netronome.com>
      Acked-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc7cc599
    • Xin Long's avatar
      sctp: sctp_diag should dump sctp socket type · 40eb90e9
      Xin Long authored
      Now we cannot distinguish that one sk is a udp or sctp style when
      we use ss to dump sctp_info. it's necessary to dump it as well.
      
      For sctp_diag, ss support is not officially available, thus there
      are no official users of this yet, so we can add this field in the
      middle of sctp_info without breaking user API.
      
      v1->v2:
        - move 'sctpi_s_type' field to the end of struct sctp_info, so
          that it won't cause incompatibility with applications already
          built.
        - add __reserved3 in sctp_info to make sure sctp_info is 8-byte
          alignment.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40eb90e9
    • Troy Kisky's avatar
      net: fec: update dirty_tx even if no skb · 7fafe803
      Troy Kisky authored
      If dirty_tx isn't updated, then dma_unmap_single
      can be called twice.
      
      This fixes a
      [   58.420980] ------------[ cut here ]------------
      [   58.425667] WARNING: CPU: 0 PID: 377 at /home/schurig/d/mkarm/linux-4.5/lib/dma-debug.c:1096 check_unmap+0x9d0/0xab8()
      [   58.436405] fec 2188000.ethernet: DMA-API: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=66 bytes]
      
      encountered by Holger
      Signed-off-by: default avatarTroy Kisky <troy.kisky@boundarydevices.com>
      Tested-by: <holgerschurig@gmail.com>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7fafe803
    • Mike Manning's avatar
      vlan: Propagate MAC address to VLANs · 308453aa
      Mike Manning authored
      The MAC address of the physical interface is only copied to the VLAN
      when it is first created, resulting in an inconsistency after MAC
      address changes of only newly created VLANs having an up-to-date MAC.
      
      The VLANs should continue inheriting the MAC address of the physical
      interface until the VLAN MAC address is explicitly set to any value.
      This allows IPv6 EUI64 addresses for the VLAN to reflect any changes
      to the MAC of the physical interface and thus for DAD to behave as
      expected.
      Signed-off-by: default avatarMike Manning <mmanning@brocade.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      308453aa
    • Dan Carpenter's avatar
      atm: iphase: off by one in rx_pkt() · f2633d2e
      Dan Carpenter authored
      The iadev->rx_open[] array holds "iadev->num_vc" pointers (this code
      assumes that pointers are 32 bits).  So the > here should be >= or else
      we could end up reading a garbage pointer from one element beyond the
      end of the array.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2633d2e
    • Dan Carpenter's avatar
      atm: firestream: add more reserved strings · 86f04396
      Dan Carpenter authored
      This bug was there when the driver was first added in back in year 2000.
      It causes a Smatch warning:
      
          drivers/atm/firestream.c:849 process_incoming()
          error: buffer overflow 'res_strings' 60 <= 63
      
      There are supposed to be 64 entries in this array and the missing
      strings are clearly in the 30 40 range.  I added them as reserved 37 to
      reserved 40.  It's possible that strings are really supposed to be added
      in the middle instead of at the end, but this approach is safe, in that
      it fixes the bug and doesn't break anything that wasn't already broken.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86f04396
    • Chen Haiquan's avatar
      vxlan: Accept user specified MTU value when create new vxlan link · ce577668
      Chen Haiquan authored
      When create a new vxlan link, example:
        ip link add vtap mtu 1440 type vxlan vni 1 dev eth0
      
      The argument "mtu" has no effect, because it is not set to conf->mtu. The
      default value is used in vxlan_dev_configure function.
      
      This problem was introduced by commit 0dfbdf41 (vxlan: Factor out device
      configuration).
      
      Fixes: 0dfbdf41 (vxlan: Factor out device configuration)
      Signed-off-by: default avatarChen Haiquan <oc@yunify.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce577668
    • Guenter Roeck's avatar
      net: pktgen: Call destroy_hrtimer_on_stack() · bcf91bdb
      Guenter Roeck authored
      If CONFIG_DEBUG_OBJECTS_TIMERS=y, hrtimer_init_on_stack() requires
      a matching call to destroy_hrtimer_on_stack() to clean up timer
      debug objects.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bcf91bdb
    • Guenter Roeck's avatar
      timer: Export destroy_hrtimer_on_stack() · c08376ac
      Guenter Roeck authored
      hrtimer_init_on_stack() needs a matching call to
      destroy_hrtimer_on_stack(), so both need to be exported.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c08376ac
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 367d3fd5
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
       "Three bugs fixes and an update for the default configuration"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: fix info leak in do_sigsegv
        s390/config: update default configuration
        s390/bpf: fix recache skb->data/hlen for skb_vlan_push/pop
        s390/bpf: reduce maximum program size to 64 KB
      367d3fd5
    • Linus Torvalds's avatar
      Merge tag 'gpio-v4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 5eca8317
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "A bunch of GPIO fixes for the v4.7 series:
      
         - Drop the lock before reading out the GPIO direction setting in
           drivers supporting the .get_direction() callback: some of them may
           be slowpath.
      
         - Flush GPIO direction setting before locking a GPIO as an IRQ: some
           electronics or other poking around in the registers behind our back
           may have happened, so flush the direction status before trying to
           lock the line for use by IRQs.
      
         - Bail out silently when asked to perform operations on NULL GPIO
           descriptors.  That is what all the get_*_optional() is about: we
           get optional GPIO handles, if they are not there, we get NULL.
      
         - Handle compatible ioctl() correctly: we need to convert the ioctl()
           pointer using compat_ptr() here like everyone else.
      
         - Disable the broken .to_irq() on the LPC32xx platform.  The whole
           irqchip infrastructure was replaced in the last merge window, and a
           new implementation will be needed"
      
      * tag 'gpio-v4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: drop lock before reading GPIO direction
        gpio: bail out silently on NULL descriptors
        gpio: handle compatible ioctl() pointers
        gpio: flush direction status in gpiochip_lock_as_irq()
        gpio: lpc32xx: disable broken to_irq support
      5eca8317
    • Felix Fietkau's avatar
      mac80211: fix fast_tx header alignment · 6fe04128
      Felix Fietkau authored
      The header field is defined as u8[] but also accessed as struct
      ieee80211_hdr. Enforce an alignment of 2 to prevent unnecessary
      unaligned accesses, which can be very harmful for performance on many
      platforms.
      
      Fixes: e495c247 ("mac80211: extend fast-xmit for more ciphers")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      6fe04128
    • Bob Copeland's avatar
      mac80211: mesh: flush mesh paths unconditionally · fe7a7c57
      Bob Copeland authored
      Currently, the mesh paths associated with a nexthop station are cleaned
      up in the following code path:
      
          __sta_info_destroy_part1
          synchronize_net()
          __sta_info_destroy_part2
           -> cleanup_single_sta
             -> mesh_sta_cleanup
               -> mesh_plink_deactivate
                 -> mesh_path_flush_by_nexthop
      
      However, there are a couple of problems here:
      
      1) the paths aren't flushed at all if the MPM is running in userspace
         (e.g. when using wpa_supplicant or authsae)
      
      2) there is no synchronize_rcu between removing the path and readers
         accessing the nexthop, which means the following race is possible:
      
      CPU0                            CPU1
      ~~~~                            ~~~~
                                      sta_info_destroy_part1()
                                      synchronize_net()
      rcu_read_lock()
      mesh_nexthop_resolve()
        mpath = mesh_path_lookup()
                                      [...] -> mesh_path_flush_by_nexthop()
        sta = rcu_dereference(
          mpath->next_hop)
                                      kfree(sta)
        access sta <-- CRASH
      
      Fix both of these by unconditionally flushing paths before destroying
      the sta, and by adding a synchronize_net() after path flush to ensure
      no active readers can still dereference the sta.
      
      Fixes this crash:
      
      [  348.529295] BUG: unable to handle kernel paging request at 00020040
      [  348.530014] IP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
      [  348.530014] *pde = 00000000
      [  348.530014] Oops: 0000 [#1] PREEMPT
      [  348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]
      [  348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G           O 4.6.0-rc5-wt=V1 #1
      [  348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016  11/07/2014
      [  348.530014] task: f64fa280 ti: f4f9c000 task.ti: f4f9c000
      [  348.530014] EIP: 0060:[<f929245d>] EFLAGS: 00010246 CPU: 0
      [  348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
      [  348.530014] EAX: f4ce63e0 EBX: 00000088 ECX: f3788416 EDX: 00020008
      [  348.530014] ESI: 00000000 EDI: 00000088 EBP: f6409a4c ESP: f6409a40
      [  348.530014]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
      [  348.530014] CR0: 80050033 CR2: 00020040 CR3: 33190000 CR4: 00000690
      [  348.530014] Stack:
      [  348.530014]  00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0
      [  348.530014]  f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320
      [  348.530014]  f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1
      [  348.530014] Call Trace:
      [  348.530014]  [<f9291d80>] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]
      [  348.530014]  [<f9291dc1>] mesh_nexthop_resolve+0x34/0xd8 [mac80211]
      [  348.530014]  [<f9277f6f>] ieee80211_xmit+0x92/0xc1 [mac80211]
      [  348.530014]  [<f9278dd1>] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]
      [  348.530014]  [<c04df012>] ? sch_direct_xmit+0xd7/0x1b3
      [  348.530014]  [<c022a8c6>] ? __local_bh_enable_ip+0x5d/0x7b
      [  348.530014]  [<f956870c>] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]
      [  348.530014]  [<f957e036>] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]
      [  348.530014]  [<c04c6f45>] ? netif_skb_features+0x14d/0x30a
      [  348.530014]  [<f9278e10>] ieee80211_subif_start_xmit+0xa/0xe [mac80211]
      [  348.530014]  [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
      [  348.530014]  [<c04c7261>] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
      [  348.530014]  [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
      [  348.530014]  [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
      [  348.530014]  [<c04c7cfb>] dev_queue_xmit+0xa/0xc
      [  348.530014]  [<f91bfc7a>] batadv_send_skb_packet+0xd6/0xec [batman_adv]
      [  348.530014]  [<f91bfdc4>] batadv_send_unicast_skb+0x15/0x4a [batman_adv]
      [  348.530014]  [<f91b5938>] batadv_dat_send_data+0x27e/0x310 [batman_adv]
      [  348.530014]  [<f91c30b5>] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]
      [  348.530014]  [<f91b63f3>] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]
      [  348.530014]  [<f91c0cd9>] batadv_interface_tx+0x206/0x385 [batman_adv]
      [  348.530014]  [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
      [  348.530014]  [<c04c7261>] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
      [  348.530014]  [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
      [  348.530014]  [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
      [  348.530014]  [<f80cbd2a>] ? igb_xmit_frame+0x57/0x72 [igb]
      [  348.530014]  [<c04c7cfb>] dev_queue_xmit+0xa/0xc
      [  348.530014]  [<f843a326>] br_dev_queue_push_xmit+0xeb/0xfb [bridge]
      [  348.530014]  [<f843a35f>] br_forward_finish+0x29/0x74 [bridge]
      [  348.530014]  [<f843a23b>] ? deliver_clone+0x3b/0x3b [bridge]
      [  348.530014]  [<f843a714>] __br_forward+0x89/0xe7 [bridge]
      [  348.530014]  [<f843a336>] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]
      [  348.530014]  [<f843a234>] deliver_clone+0x34/0x3b [bridge]
      [  348.530014]  [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
      [  348.530014]  [<f843a66d>] br_flood+0x77/0x95 [bridge]
      [  348.530014]  [<f843a809>] br_flood_forward+0x13/0x1a [bridge]
      [  348.530014]  [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
      [  348.530014]  [<f843b877>] br_handle_frame_finish+0x392/0x3db [bridge]
      [  348.530014]  [<c04e9b2b>] ? nf_iterate+0x2b/0x6b
      [  348.530014]  [<f843baa6>] br_handle_frame+0x1e6/0x240 [bridge]
      [  348.530014]  [<f843b4e5>] ? br_handle_local_finish+0x6a/0x6a [bridge]
      [  348.530014]  [<c04c4ba0>] __netif_receive_skb_core+0x43a/0x66b
      [  348.530014]  [<f843b8c0>] ? br_handle_frame_finish+0x3db/0x3db [bridge]
      [  348.530014]  [<c023cea4>] ? resched_curr+0x19/0x37
      [  348.530014]  [<c0240707>] ? check_preempt_wakeup+0xbf/0xfe
      [  348.530014]  [<c0255dec>] ? ktime_get_with_offset+0x5c/0xfc
      [  348.530014]  [<c04c4fc1>] __netif_receive_skb+0x47/0x55
      [  348.530014]  [<c04c57ba>] netif_receive_skb_internal+0x40/0x5a
      [  348.530014]  [<c04c61ef>] napi_gro_receive+0x3a/0x94
      [  348.530014]  [<f80ce8d5>] igb_poll+0x6fd/0x9ad [igb]
      [  348.530014]  [<c0242bd8>] ? swake_up_locked+0x14/0x26
      [  348.530014]  [<c04c5d29>] net_rx_action+0xde/0x250
      [  348.530014]  [<c022a743>] __do_softirq+0x8a/0x163
      [  348.530014]  [<c022a6b9>] ? __hrtimer_tasklet_trampoline+0x19/0x19
      [  348.530014]  [<c021100f>] do_softirq_own_stack+0x26/0x2c
      [  348.530014]  <IRQ>
      [  348.530014]  [<c022a957>] irq_exit+0x31/0x6f
      [  348.530014]  [<c0210eb2>] do_IRQ+0x8d/0xa0
      [  348.530014]  [<c058152c>] common_interrupt+0x2c/0x40
      [  348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005
      [  348.530014] EIP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:f6409a40
      [  348.530014] CR2: 0000000000020040
      [  348.530014] ---[ end trace 48556ac26779732e ]---
      [  348.530014] Kernel panic - not syncing: Fatal exception in interrupt
      [  348.530014] Kernel Offset: disabled
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarFred Veldini <fred.veldini@gmail.com>
      Tested-by: default avatarFred Veldini <fred.veldini@gmail.com>
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      fe7a7c57
    • Martin Willi's avatar
      mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL · 62397da5
      Martin Willi authored
      A wmediumd that does not send this attribute causes a NULL pointer
      dereference, as the attribute is accessed even if it does not exist.
      
      The attribute was required but never checked ever since userspace frame
      forwarding has been introduced. The issue gets more problematic once we
      allow wmediumd registration from user namespaces.
      
      Cc: stable@vger.kernel.org
      Fixes: 7882513b ("mac80211_hwsim driver support userspace frame tx/rx")
      Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      62397da5
    • Pablo Neira Ayuso's avatar
      netfilter: nf_ct_helper: bail out on duplicated helpers · 893e093c
      Pablo Neira Ayuso authored
      Don't allow registration of helpers using the same tuple:
      
      	{ l3proto, l4proto, src-port }
      
      We lookup for the helper from the packet path using this tuple through
      __nf_ct_helper_find(). Therefore, we have to avoid having two helpers
      with the same tuple to ensure predictible behaviour.
      
      Don't compare the helper string names anymore since it is valid to
      register two helpers with the same name, but using different tuples.
      This is also implicitly fixing up duplicated helper registration via
      ports= modparam since the name comparison was defeating the tuple
      duplication validation.
      Reported-by: default avatarFeng Gao <gfree.wind@gmail.com>
      Reported-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      893e093c
  5. 30 May, 2016 12 commits