1. 21 Jun, 2021 1 commit
    • Antoine Tenart's avatar
      vrf: do not push non-ND strict packets with a source LLA through packet taps again · 603113c5
      Antoine Tenart authored
      Non-ND strict packets with a source LLA go through the packet taps
      again, while non-ND strict packets with other source addresses do not,
      and we can see a clone of those packets on the vrf interface (we should
      not). This is due to a series of changes:
      
      Commit 6f12fa77[1] made non-ND strict packets not being pushed again
      in the packet taps. This changed with commit 205704c6[2] for those
      packets having a source LLA, as they need a lookup with the orig_iif.
      
      The issue now is those packets do not skip the 'vrf_ip6_rcv' function to
      the end (as the ones without a source LLA) and go through the check to
      call packet taps again. This check was changed by commit 6f12fa77[1]
      and do not exclude non-strict packets anymore. Packets matching
      'need_strict && !is_ndisc && is_ll_src' are now being sent through the
      packet taps again. This can be seen by dumping packets on the vrf
      interface.
      
      Fix this by having the same code path for all non-ND strict packets and
      selectively lookup with the orig_iif for those with a source LLA. This
      has the effect to revert to the pre-205704c6[2] condition, which
      should also be easier to maintain.
      
      [1] 6f12fa77 ("vrf: mark skb for multicast or link-local as enslaved to VRF")
      [2] 205704c6 ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict")
      
      Fixes: 205704c6 ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict")
      Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
      Reported-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarAntoine Tenart <atenart@kernel.org>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      603113c5
  2. 19 Jun, 2021 6 commits
    • David S. Miller's avatar
      Merge branch 'ezchip-fixes' · dda2626b
      David S. Miller authored
      Pavel Skripkin says:
      
      ====================
      net: ethernat: ezchip: bug fixing and code improvments
      
      While manual code reviewing, I found some error in ezchip driver.
      Two of them looks very dangerous:
        1. use-after-free in nps_enet_remove
            Accessing netdev private data after free_netdev()
      
        2. wrong error handling of platform_get_irq()
            It can cause passing negative irq to request_irq()
      
      Also, in 2nd patch I removed redundant check to increase execution
      speed and make code more straightforward.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dda2626b
    • Pavel Skripkin's avatar
      net: ethernet: ezchip: fix error handling · 0de449d5
      Pavel Skripkin authored
      As documented at drivers/base/platform.c for platform_get_irq:
      
       * Gets an IRQ for a platform device and prints an error message if finding the
       * IRQ fails. Device drivers should check the return value for errors so as to
       * not pass a negative integer value to the request_irq() APIs.
      
      So, the driver should check that platform_get_irq() return value
      is _negative_, not that it's equal to zero, because -ENXIO (return
      value from request_irq() if irq was not found) will
      pass this check and it leads to passing negative irq to request_irq()
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0de449d5
    • Pavel Skripkin's avatar
      net: ethernet: ezchip: remove redundant check · 4ae85b23
      Pavel Skripkin authored
      err varibale will be set everytime, when code gets
      into this path. This check will just slowdown the execution
      and that's all.
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4ae85b23
    • Pavel Skripkin's avatar
      net: ethernet: ezchip: fix UAF in nps_enet_remove · e4b8700e
      Pavel Skripkin authored
      priv is netdev private data, but it is used
      after free_netdev(). It can cause use-after-free when accessing priv
      pointer. So, fix it by moving free_netdev() after netif_napi_del()
      call.
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e4b8700e
    • Pavel Skripkin's avatar
      net: ethernet: aeroflex: fix UAF in greth_of_remove · e3a5de6d
      Pavel Skripkin authored
      static int greth_of_remove(struct platform_device *of_dev)
      {
      ...
      	struct greth_private *greth = netdev_priv(ndev);
      ...
      	unregister_netdev(ndev);
      	free_netdev(ndev);
      
      	of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
      ...
      }
      
      greth is netdev private data, but it is used
      after free_netdev(). It can cause use-after-free when accessing greth
      pointer. So, fix it by moving free_netdev() after of_iounmap()
      call.
      
      Fixes: d4c41139 ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3a5de6d
    • Linus Torvalds's avatar
      Merge tag 'net-5.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 9ed13a17
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.13-rc7, including fixes from wireless, bpf,
        bluetooth, netfilter and can.
      
        Current release - regressions:
      
         - mlxsw: spectrum_qdisc: Pass handle, not band number to find_class()
           to fix modifying offloaded qdiscs
      
         - lantiq: net: fix duplicated skb in rx descriptor ring
      
         - rtnetlink: fix regression in bridge VLAN configuration, empty info
           is not an error, bot-generated "fix" was not needed
      
         - libbpf: s/rx/tx/ typo on umem->rx_ring_setup_done to fix umem
           creation
      
        Current release - new code bugs:
      
         - ethtool: fix NULL pointer dereference during module EEPROM dump via
           the new netlink API
      
         - mlx5e: don't update netdev RQs with PTP-RQ, the special purpose
           queue should not be visible to the stack
      
         - mlx5e: select special PTP queue only for SKBTX_HW_TSTAMP skbs
      
         - mlx5e: verify dev is present in get devlink port ndo, avoid a panic
      
        Previous releases - regressions:
      
         - neighbour: allow NUD_NOARP entries to be force GCed
      
         - further fixes for fallout from reorg of WiFi locking (staging:
           rtl8723bs, mac80211, cfg80211)
      
         - skbuff: fix incorrect msg_zerocopy copy notifications
      
         - mac80211: fix NULL ptr deref for injected rate info
      
         - Revert "net/mlx5: Arm only EQs with EQEs" it may cause missed IRQs
      
        Previous releases - always broken:
      
         - bpf: more speculative execution fixes
      
         - netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local
      
         - udp: fix race between close() and udp_abort() resulting in a panic
      
         - fix out of bounds when parsing TCP options before packets are
           validated (in netfilter: synproxy, tc: sch_cake and mptcp)
      
         - mptcp: improve operation under memory pressure, add missing
           wake-ups
      
         - mptcp: fix double-lock/soft lookup in subflow_error_report()
      
         - bridge: fix races (null pointer deref and UAF) in vlan tunnel
           egress
      
         - ena: fix DMA mapping function issues in XDP
      
         - rds: fix memory leak in rds_recvmsg
      
        Misc:
      
         - vrf: allow larger MTUs
      
         - icmp: don't send out ICMP messages with a source address of 0.0.0.0
      
         - cdc_ncm: switch to eth%d interface naming"
      
      * tag 'net-5.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (139 commits)
        net: ethernet: fix potential use-after-free in ec_bhf_remove
        selftests/net: Add icmp.sh for testing ICMP dummy address responses
        icmp: don't send out ICMP messages with a source address of 0.0.0.0
        net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
        net: ll_temac: Fix TX BD buffer overwrite
        net: ll_temac: Add memory-barriers for TX BD access
        net: ll_temac: Make sure to free skb when it is completely used
        MAINTAINERS: add Guvenc as SMC maintainer
        bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path
        bnxt_en: Fix TQM fastpath ring backing store computation
        bnxt_en: Rediscover PHY capabilities after firmware reset
        cxgb4: fix wrong shift.
        mac80211: handle various extensible elements correctly
        mac80211: reset profile_periodicity/ema_ap
        cfg80211: avoid double free of PMSR request
        cfg80211: make certificate generation more robust
        mac80211: minstrel_ht: fix sample time check
        net: qed: Fix memcpy() overflow of qed_dcbx_params()
        net: cdc_eem: fix tx fixup skb leak
        net: hamradio: fix memory leak in mkiss_close
        ...
      9ed13a17
  3. 18 Jun, 2021 33 commits