1. 24 Nov, 2016 13 commits
    • Florian Westphal's avatar
      netfilter: nat: switch to new rhlist interface · 7223ecd4
      Florian Westphal authored
      I got offlist bug report about failing connections and high cpu usage.
      This happens because we hit 'elasticity' checks in rhashtable that
      refuses bucket list exceeding 16 entries.
      
      The nat bysrc hash unfortunately needs to insert distinct objects that
      share same key and are identical (have same source tuple), this cannot
      be avoided.
      
      Switch to the rhlist interface which is designed for this.
      
      The nulls_base is removed here, I don't think its needed:
      
      A (unlikely) false positive results in unneeded port clash resolution,
      a false negative results in packet drop during conntrack confirmation,
      when we try to insert the duplicate into main conntrack hash table.
      
      Tested by adding multiple ip addresses to host, then adding
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      
      ... and then creating multiple connections, from same source port but
      different addresses:
      
      for i in $(seq 2000 2032);do nc -p 1234 192.168.7.1 $i > /dev/null  & done
      
      (all of these then get hashed to same bysource slot)
      
      Then, to test that nat conflict resultion is working:
      
      nc -s 10.0.0.1 -p 1234 192.168.7.1 2000
      nc -s 10.0.0.2 -p 1234 192.168.7.1 2000
      
      tcp  .. src=10.0.0.1 dst=192.168.7.1 sport=1234 dport=2000 src=192.168.7.1 dst=192.168.7.10 sport=2000 dport=1024 [ASSURED]
      tcp  .. src=10.0.0.2 dst=192.168.7.1 sport=1234 dport=2000 src=192.168.7.1 dst=192.168.7.10 sport=2000 dport=1025 [ASSURED]
      tcp  .. src=192.168.7.10 dst=192.168.7.1 sport=1234 dport=2000 src=192.168.7.1 dst=192.168.7.10 sport=2000 dport=1234 [ASSURED]
      tcp  .. src=192.168.7.10 dst=192.168.7.1 sport=1234 dport=2001 src=192.168.7.1 dst=192.168.7.10 sport=2001 dport=1234 [ASSURED]
      [..]
      
      -> nat altered source ports to 1024 and 1025, respectively.
      This can also be confirmed on destination host which shows
      ESTAB      0      0   192.168.7.1:2000      192.168.7.10:1024
      ESTAB      0      0   192.168.7.1:2000      192.168.7.10:1025
      ESTAB      0      0   192.168.7.1:2000      192.168.7.10:1234
      
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Fixes: 870190a9 ("netfilter: nat: convert nat bysrc hash to rhashtable")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7223ecd4
    • Florian Westphal's avatar
      netfilter: nat: fix cmp return value · 728e87b4
      Florian Westphal authored
      The comparator works like memcmp, i.e. 0 means objects are equal.
      In other words, when objects are distinct they are treated as identical,
      when they are distinct they are allegedly the same.
      
      The first case is rare (distinct objects are unlikely to get hashed to
      same bucket).
      
      The second case results in unneeded port conflict resolutions attempts.
      
      Fixes: 870190a9 ("netfilter: nat: convert nat bysrc hash to rhashtable")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      728e87b4
    • Laura Garcia Liebana's avatar
      netfilter: nft_hash: validate maximum value of u32 netlink hash attribute · abd66e9f
      Laura Garcia Liebana authored
      Use the function nft_parse_u32_check() to fetch the value and validate
      the u32 attribute into the hash len u8 field.
      
      This patch revisits 4da449ae ("netfilter: nft_exthdr: Add size check
      on u8 nft_exthdr attributes").
      
      Fixes: cb1b69b0 ("netfilter: nf_tables: add hash expression")
      Signed-off-by: default avatarLaura Garcia Liebana <nevola@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      abd66e9f
    • Florian Westphal's avatar
      netfilter: fix nf_conntrack_helper documentation · 486dcf43
      Florian Westphal authored
      Since kernel 4.7 this defaults to off.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      486dcf43
    • David Ahern's avatar
      netfilter: Update nf_send_reset6 to consider L3 domain · 00b4422f
      David Ahern authored
      nf_send_reset6 is not considering the L3 domain and lookups are sent
      to the wrong table. For example consider the following output rule:
      
      ip6tables -A OUTPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
      
      using perf to analyze lookups via the fib6_table_lookup tracepoint shows:
      
      swapper     0 [001]   248.787816: fib6:fib6_table_lookup: table 255 oif 0 iif 1 src 2100:1::3 dst 2100:1:
              ffffffff81439cdc perf_trace_fib6_table_lookup ([kernel.kallsyms])
              ffffffff814c1ce3 trace_fib6_table_lookup ([kernel.kallsyms])
              ffffffff814c3e89 ip6_pol_route ([kernel.kallsyms])
              ffffffff814c40d5 ip6_pol_route_output ([kernel.kallsyms])
              ffffffff814e7b6f fib6_rule_action ([kernel.kallsyms])
              ffffffff81437f60 fib_rules_lookup ([kernel.kallsyms])
              ffffffff814e7c79 fib6_rule_lookup ([kernel.kallsyms])
              ffffffff814c2541 ip6_route_output_flags ([kernel.kallsyms])
                           528 nf_send_reset6 ([nf_reject_ipv6])
      
      The lookup is directed to table 255 rather than the table associated with
      the device via the L3 domain. Update nf_send_reset6 to pull the L3 domain
      from the dst currently attached to the skb.
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      00b4422f
    • David Ahern's avatar
      netfilter: Update ip_route_me_harder to consider L3 domain · 6d8b49c3
      David Ahern authored
      ip_route_me_harder is not considering the L3 domain and sending lookups
      to the wrong table. For example consider the following output rule:
      
      iptables -I OUTPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
      
      using perf to analyze lookups via the fib_table_lookup tracepoint shows:
      
      vrf-test  1187 [001] 46887.295927: fib:fib_table_lookup: table 255 oif 0 iif 0 src 0.0.0.0 dst 10.100.1.254 tos 0 scope 0 flags 0
              ffffffff8143922c perf_trace_fib_table_lookup ([kernel.kallsyms])
              ffffffff81493aac fib_table_lookup ([kernel.kallsyms])
              ffffffff8148dda3 __inet_dev_addr_type ([kernel.kallsyms])
              ffffffff8148ddf6 inet_addr_type ([kernel.kallsyms])
              ffffffff8149e344 ip_route_me_harder ([kernel.kallsyms])
      
      and
      
      vrf-test  1187 [001] 46887.295933: fib:fib_table_lookup: table 255 oif 0 iif 1 src 10.100.1.254 dst 10.100.1.2 tos 0 scope 0 flags
              ffffffff8143922c perf_trace_fib_table_lookup ([kernel.kallsyms])
              ffffffff81493aac fib_table_lookup ([kernel.kallsyms])
              ffffffff814998ff fib4_rule_action ([kernel.kallsyms])
              ffffffff81437f35 fib_rules_lookup ([kernel.kallsyms])
              ffffffff81499758 __fib_lookup ([kernel.kallsyms])
              ffffffff8144f010 fib_lookup.constprop.34 ([kernel.kallsyms])
              ffffffff8144f759 __ip_route_output_key_hash ([kernel.kallsyms])
              ffffffff8144fc6a ip_route_output_flow ([kernel.kallsyms])
              ffffffff8149e39b ip_route_me_harder ([kernel.kallsyms])
      
      In both cases the lookups are directed to table 255 rather than the
      table associated with the device via the L3 domain. Update both
      lookups to pull the L3 domain from the dst currently attached to the
      skb.
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      6d8b49c3
    • Tariq Toukan's avatar
      net/mlx4_en: Free netdev resources under state lock · b6e01232
      Tariq Toukan authored
      Make sure mlx4_en_free_resources is called under the netdev state lock.
      This is needed since RCU dereference of XDP prog should be protected.
      
      Fixes: 326fe02d ("net/mlx4_en: protect ring->xdp_prog with rcu_read_lock")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Reported-by: default avatarSagi Grimberg <sagi@grimberg.me>
      CC: Brenden Blanco <bblanco@plumgrid.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6e01232
    • WANG Cong's avatar
      net: revert "net: l2tp: Treat NET_XMIT_CN as success in l2tp_eth_dev_xmit" · a4cd0271
      WANG Cong authored
      This reverts commit 7c6ae610, because l2tp_xmit_skb() never
      returns NET_XMIT_CN, it ignores the return value of l2tp_xmit_core().
      
      Cc: Gao Feng <gfree.wind@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a4cd0271
    • Zhang Shengju's avatar
      rtnetlink: fix the wrong minimal dump size getting from rtnl_calcit() · 93af2056
      Zhang Shengju authored
      For RT netlink, calcit() function should return the minimal size for
      netlink dump message. This will make sure that dump message for every
      network device can be stored.
      
      Currently, rtnl_calcit() function doesn't account the size of header of
      netlink message, this patch will fix it.
      Signed-off-by: default avatarZhang Shengju <zhangshengju@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93af2056
    • Christophe Jaillet's avatar
      bnxt_en: Fix a VXLAN vs GENEVE issue · 57aac71b
      Christophe Jaillet authored
      Knowing that:
        #define TUNNEL_DST_PORT_FREE_REQ_TUNNEL_TYPE_VXLAN        (0x1UL << 0)
        #define TUNNEL_DST_PORT_FREE_REQ_TUNNEL_TYPE_GENEVE       (0x5UL << 0)
      and that 'bnxt_hwrm_tunnel_dst_port_alloc()' is only called with one of
      these 2 constants, the TUNNEL_DST_PORT_ALLOC_REQ_TUNNEL_TYPE_GENEVE can not
      trigger.
      
      Replace the bit test that overlap by an equality test, just as in
      'bnxt_hwrm_tunnel_dst_port_free()' above.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Acked-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      57aac71b
    • Randy Dunlap's avatar
      netdevice.h: fix kernel-doc warning · 920c1cd3
      Randy Dunlap authored
      Fix kernel-doc warning in <linux/netdevice.h> (missing ':'):
      
      ..//include/linux/netdevice.h:1904: warning: No description found for parameter 'prio_tc_map[TC_BITMASK + 1]'
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      920c1cd3
    • Gao Feng's avatar
      driver: macvlan: Check if need rollback multicast setting in macvlan_open · c3891fa2
      Gao Feng authored
      When dev_set_promiscuity failed in macvlan_open, it always invokes
      dev_set_allmulti without checking if necessary.
      Now check the IFF_ALLMULTI flag firstly before rollback the multicast
      setting in the error handler.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c3891fa2
    • Kirill Esipov's avatar
      net: phy: micrel: fix KSZ8041FTL supported value · ffa54a23
      Kirill Esipov authored
      Fix setting of SUPPORTED_FIBRE bit as it was not present in features
      of KSZ8041.
      Signed-off-by: default avatarKirill Esipov <yesipov@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ffa54a23
  2. 22 Nov, 2016 1 commit
  3. 21 Nov, 2016 7 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 3b404a51
      Linus Torvalds authored
      Pull apparmor bugfix from James Morris:
       "This has a fix for a policy replacement bug that is fairly serious for
        apache mod_apparmor users, as it results in the wrong policy being
        applied on an network facing service"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        apparmor: fix change_hat not finding hat after policy replacement
      3b404a51
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 8d1a2408
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) With modern networking cards we can run out of 32-bit DMA space, so
          support 64-bit DMA addressing when possible on sparc64. From Dave
          Tushar.
      
       2) Some signal frame validation checks are inverted on sparc32, fix
          from Andreas Larsson.
      
       3) Lockdep tables can get too large in some circumstances on sparc64,
          add a way to adjust the size a bit. From Babu Moger.
      
       4) Fix NUMA node probing on some sun4v systems, from Thomas Tai.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: drop duplicate header scatterlist.h
        lockdep: Limit static allocations if PROVE_LOCKING_SMALL is defined
        config: Adding the new config parameter CONFIG_PROVE_LOCKING_SMALL for sparc
        sunbmac: Fix compiler warning
        sunqe: Fix compiler warnings
        sparc64: Enable 64-bit DMA
        sparc64: Enable sun4v dma ops to use IOMMU v2 APIs
        sparc64: Bind PCIe devices to use IOMMU v2 service
        sparc64: Initialize iommu_map_table and iommu_pool
        sparc64: Add ATU (new IOMMU) support
        sparc64: Add FORCE_MAX_ZONEORDER and default to 13
        sparc64: fix compile warning section mismatch in find_node()
        sparc32: Fix inverted invalid_frame_pointer checks on sigreturns
        sparc64: Fix find_node warning if numa node cannot be found
      8d1a2408
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 27e7ab99
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Clear congestion control state when changing algorithms on an
          existing socket, from Florian Westphal.
      
       2) Fix register bit values in altr_tse_pcs portion of stmmac driver,
          from Jia Jie Ho.
      
       3) Fix PTP handling in stammc driver for GMAC4, from Giuseppe
          CAVALLARO.
      
       4) Fix udplite multicast delivery handling, it ignores the udp_table
          parameter passed into the lookups, from Pablo Neira Ayuso.
      
       5) Synchronize the space estimated by rtnl_vfinfo_size and the space
          actually used by rtnl_fill_vfinfo. From Sabrina Dubroca.
      
       6) Fix memory leak in fib_info when splitting nodes, from Alexander
          Duyck.
      
       7) If a driver does a napi_hash_del() explicitily and not via
          netif_napi_del(), it must perform RCU synchronization as needed. Fix
          this in virtio-net and bnxt drivers, from Eric Dumazet.
      
       8) Likewise, it is not necessary to invoke napi_hash_del() is we are
          also doing neif_napi_del() in the same code path. Remove such calls
          from be2net and cxgb4 drivers, also from Eric Dumazet.
      
       9) Don't allocate an ID in peernet2id_alloc() if the netns is dead,
          from WANG Cong.
      
      10) Fix OF node and device struct leaks in of_mdio, from Johan Hovold.
      
      11) We cannot cache routes in ip6_tunnel when using inherited traffic
          classes, from Paolo Abeni.
      
      12) Fix several crashes and leaks in cpsw driver, from Johan Hovold.
      
      13) Splice operations cannot use freezable blocking calls in AF_UNIX,
          from WANG Cong.
      
      14) Link dump filtering by master device and kind support added an error
          in loop index updates during the dump if we actually do filter, fix
          from Zhang Shengju.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (59 commits)
        tcp: zero ca_priv area when switching cc algorithms
        net: l2tp: Treat NET_XMIT_CN as success in l2tp_eth_dev_xmit
        ethernet: stmmac: make DWMAC_STM32 depend on it's associated SoC
        tipc: eliminate obsolete socket locking policy description
        rtnl: fix the loop index update error in rtnl_dump_ifinfo()
        l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
        net: macb: add check for dma mapping error in start_xmit()
        rtnetlink: fix FDB size computation
        netns: fix get_net_ns_by_fd(int pid) typo
        af_unix: conditionally use freezable blocking calls in read
        net: ethernet: ti: cpsw: fix fixed-link phy probe deferral
        net: ethernet: ti: cpsw: add missing sanity check
        net: ethernet: ti: cpsw: fix secondary-emac probe error path
        net: ethernet: ti: cpsw: fix of_node and phydev leaks
        net: ethernet: ti: cpsw: fix deferred probe
        net: ethernet: ti: cpsw: fix mdio device reference leak
        net: ethernet: ti: cpsw: fix bad register access in probe error path
        net: sky2: Fix shutdown crash
        cfg80211: limit scan results cache size
        net sched filters: pass netlink message flags in event notification
        ...
      27e7ab99
    • Florian Westphal's avatar
      tcp: zero ca_priv area when switching cc algorithms · 7082c5c3
      Florian Westphal authored
      We need to zero out the private data area when application switches
      connection to different algorithm (TCP_CONGESTION setsockopt).
      
      When congestion ops get assigned at connect time everything is already
      zeroed because sk_alloc uses GFP_ZERO flag.  But in the setsockopt case
      this contains whatever previous cc placed there.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7082c5c3
    • Gao Feng's avatar
      net: l2tp: Treat NET_XMIT_CN as success in l2tp_eth_dev_xmit · 7c6ae610
      Gao Feng authored
      The tc could return NET_XMIT_CN as one congestion notification, but
      it does not mean the packe is lost. Other modules like ipvlan,
      macvlan, and others treat NET_XMIT_CN as success too.
      So l2tp_eth_dev_xmit should add the NET_XMIT_CN check.
      Signed-off-by: default avatarGao Feng <gfree.wind@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7c6ae610
    • Peter Robinson's avatar
      ethernet: stmmac: make DWMAC_STM32 depend on it's associated SoC · 6bc5445c
      Peter Robinson authored
      There's not much point, except compile test, enabling the stmmac
      platform drivers unless the STM32 SoC is enabled. It's not
      useful without it.
      Signed-off-by: default avatarPeter Robinson <pbrobinson@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6bc5445c
    • John Johansen's avatar
      apparmor: fix change_hat not finding hat after policy replacement · 3d40658c
      John Johansen authored
      After a policy replacement, the task cred may be out of date and need
      to be updated. However change_hat is using the stale profiles from
      the out of date cred resulting in either: a stale profile being applied
      or, incorrect failure when searching for a hat profile as it has been
      migrated to the new parent profile.
      
      Fixes: 01e2b670 (failure to find hat)
      Fixes: 898127c3 (stale policy being applied)
      Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      3d40658c
  4. 20 Nov, 2016 10 commits
    • Linus Torvalds's avatar
      Linux 4.9-rc6 · 9c763584
      Linus Torvalds authored
      9c763584
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 697ed8d0
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "A few more ARM fixes:
      
         - the assembly backtrace code suffers problems with the new printk()
           implementation which assumes that kernel messages without KERN_CONT
           should have newlines inserted between them. Fix this.
         - fix a section naming error - ".init.text" rather than ".text.init"
         - preallocate DMA debug memory at core_initcall() time rather than
           fs_initcall(), as we have some core drivers that need to use DMA
           mapping - and that triggers a kernel warning from the DMA debug
           code.
         - fix XIP kernels after the ro_after_init changes made this data
           permanently read-only"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: Fix XIP kernels
        ARM: 8628/1: dma-mapping: preallocate DMA-debug hash tables in core_initcall
        ARM: 8624/1: proc-v7m.S: fix init section name
        ARM: fix backtrace
      697ed8d0
    • Jon Paul Maloy's avatar
      tipc: eliminate obsolete socket locking policy description · 51b9a31c
      Jon Paul Maloy authored
      The comment block in socket.c describing the locking policy is
      obsolete, and does not reflect current reality. We remove it in this
      commit.
      
      Since the current locking policy is much simpler and follows a
      mainstream approach, we see no need to add a new description.
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51b9a31c
    • Zhang Shengju's avatar
      rtnl: fix the loop index update error in rtnl_dump_ifinfo() · 3f0ae05d
      Zhang Shengju authored
      If the link is filtered out, loop index should also be updated. If not,
      loop index will not be correct.
      
      Fixes: dc599f76 ("net: Add support for filtering link dump by master device and kind")
      Signed-off-by: default avatarZhang Shengju <zhangshengju@cmss.chinamobile.com>
      Acked-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f0ae05d
    • Guillaume Nault's avatar
      l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() · 32c23116
      Guillaume Nault authored
      Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
      Without lock, a concurrent call could modify the socket flags between
      the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
      a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
      would then leave a stale pointer there, generating use-after-free
      errors when walking through the list or modifying adjacent entries.
      
      BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
      Write of size 8 by task syz-executor/10987
      CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
       ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
       ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
       ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
      Call Trace:
       [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
       [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
       [<     inline     >] print_address_description mm/kasan/report.c:194
       [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
       [<     inline     >] kasan_report mm/kasan/report.c:303
       [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
       [<     inline     >] __write_once_size ./include/linux/compiler.h:249
       [<     inline     >] __hlist_del ./include/linux/list.h:622
       [<     inline     >] hlist_del_init ./include/linux/list.h:637
       [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
       [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
       [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
       [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
       [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
       [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
       [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
       [<ffffffff813774f9>] task_work_run+0xf9/0x170
       [<ffffffff81324aae>] do_exit+0x85e/0x2a00
       [<ffffffff81326dc8>] do_group_exit+0x108/0x330
       [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
       [<ffffffff811b49af>] do_signal+0x7f/0x18f0
       [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
       [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
       [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
       [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
      Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
      Allocated:
      PID = 10987
       [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
       [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
       [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
       [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
       [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
       [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708
       [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716
       [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
       [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
       [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
       [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
       [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
       [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193
       [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223
       [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
       [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
      Freed:
      PID = 10987
       [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
       [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
       [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
       [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352
       [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
       [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951
       [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
       [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369
       [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
       [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
       [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
       [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
       [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
       [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
       [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
       [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
       [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
       [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
       [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
       [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
       [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
       [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
       [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
       [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
       [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
       [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
       [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
       [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
       [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
      Memory state around the buggy address:
       ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                          ^
       ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      ==================================================================
      
      The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.
      
      Fixes: c51ce497 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
      Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32c23116
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 77079b13
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "Again a set of smaller fixes across several platforms (OMAP, Marvell,
        Allwinner, i.MX, etc).
      
        A handful of typo fixes and smaller missing contents from device
        trees, with some tweaks to OMAP mach files to deal with CPU feature
        print misformatting, potential NULL ptr dereference and one setup
        issue with UARTs"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ipmi/bt-bmc: change compatible node to 'aspeed, ast2400-ibt-bmc'
        ARM: dts: STiH410-b2260: Fix typo in spi0 chipselect definition
        ARM: dts: omap5: board-common: fix wrong SMPS6 (VDD-DDR3) voltage
        ARM: omap3: Add missing memory node in SOM-LV
        arm64: dts: marvell: add unique identifiers for Armada A8k SPI controllers
        arm64: dts: marvell: fix clocksource for CP110 slave SPI0
        arm64: dts: marvell: Fix typo in label name on Armada 37xx
        ASoC: omap-abe-twl6040: fix typo in bindings documentation
        dts: omap5: board-common: enable twl6040 headset jack detection
        dts: omap5: board-common: add phandle to reference Palmas gpadc
        ARM: OMAP2+: avoid NULL pointer dereference
        ARM: OMAP2+: PRM: initialize en_uart4_mask and grpsel_uart4_mask
        ARM: dts: omap3: Fix memory node in Torpedo board
        ARM: AM43XX: Select OMAP_INTERCONNECT in Kconfig
        ARM: OMAP3: Fix formatting of features printed
        ARM: dts: imx53-qsb: Fix regulator constraints
        ARM: dts: sun8i: fix the pinmux for UART1
      77079b13
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · d117b9ac
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "A security fix (so a maliciously corrupted file system image won't
        panic the kernel) and some fixes for CONFIG_VMAP_STACK"
      
      * tag 'ext4_for_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: sanity check the block and cluster size at mount time
        fscrypto: don't use on-stack buffer for key derivation
        fscrypto: don't use on-stack buffer for filename encryption
      d117b9ac
    • Theodore Ts'o's avatar
      ext4: sanity check the block and cluster size at mount time · 8cdf3372
      Theodore Ts'o authored
      If the block size or cluster size is insane, reject the mount.  This
      is important for security reasons (although we shouldn't be just
      depending on this check).
      
      Ref: http://www.securityfocus.com/archive/1/539661
      Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1332506Reported-by: default avatarBorislav Petkov <bp@alien8.de>
      Reported-by: default avatarNikolay Borisov <kernel@kyup.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      8cdf3372
    • Eric Biggers's avatar
      fscrypto: don't use on-stack buffer for key derivation · 0f0909e2
      Eric Biggers authored
      With the new (in 4.9) option to use a virtually-mapped stack
      (CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
      the scatterlist crypto API because they may not be directly mappable to
      struct page.  get_crypt_info() was using a stack buffer to hold the
      output from the encryption operation used to derive the per-file key.
      Fix it by using a heap buffer.
      
      This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
      because this allowed the BUG in sg_set_buf() to be triggered.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      0f0909e2
    • Eric Biggers's avatar
      fscrypto: don't use on-stack buffer for filename encryption · 3c7018eb
      Eric Biggers authored
      With the new (in 4.9) option to use a virtually-mapped stack
      (CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
      the scatterlist crypto API because they may not be directly mappable to
      struct page.  For short filenames, fname_encrypt() was encrypting a
      stack buffer holding the padded filename.  Fix it by encrypting the
      filename in-place in the output buffer, thereby making the temporary
      buffer unnecessary.
      
      This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
      because this allowed the BUG in sg_set_buf() to be triggered.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      3c7018eb
  5. 19 Nov, 2016 9 commits