1. 11 Jul, 2016 5 commits
    • Julian Anastasov's avatar
      ipv4: reject RTNH_F_DEAD and RTNH_F_LINKDOWN from user space · 80610229
      Julian Anastasov authored
      Vegard Nossum is reporting for a crash in fib_dump_info
      when nh_dev = NULL and fib_nhs == 1:
      
      Pid: 50, comm: netlink.exe Not tainted 4.7.0-rc5+
      RIP: 0033:[<00000000602b3d18>]
      RSP: 0000000062623890  EFLAGS: 00010202
      RAX: 0000000000000000 RBX: 000000006261b800 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000024 RDI: 000000006245ba00
      RBP: 00000000626238f0 R08: 000000000000029c R09: 0000000000000000
      R10: 0000000062468038 R11: 000000006245ba00 R12: 000000006245ba00
      R13: 00000000625f96c0 R14: 00000000601e16f0 R15: 0000000000000000
      Kernel panic - not syncing: Kernel mode fault at addr 0x2e0, ip 0x602b3d18
      CPU: 0 PID: 50 Comm: netlink.exe Not tainted 4.7.0-rc5+ #581
      Stack:
       626238f0 960226a02 00000400 000000fe
       62623910 600afca7 62623970 62623a48
       62468038 00000018 00000000 00000000
      Call Trace:
       [<602b3e93>] rtmsg_fib+0xd3/0x190
       [<602b6680>] fib_table_insert+0x260/0x500
       [<602b0e5d>] inet_rtm_newroute+0x4d/0x60
       [<60250def>] rtnetlink_rcv_msg+0x8f/0x270
       [<60267079>] netlink_rcv_skb+0xc9/0xe0
       [<60250d4b>] rtnetlink_rcv+0x3b/0x50
       [<60265400>] netlink_unicast+0x1a0/0x2c0
       [<60265e47>] netlink_sendmsg+0x3f7/0x470
       [<6021dc9a>] sock_sendmsg+0x3a/0x90
       [<6021e0d0>] ___sys_sendmsg+0x300/0x360
       [<6021fa64>] __sys_sendmsg+0x54/0xa0
       [<6021fac0>] SyS_sendmsg+0x10/0x20
       [<6001ea68>] handle_syscall+0x88/0x90
       [<600295fd>] userspace+0x3fd/0x500
       [<6001ac55>] fork_handler+0x85/0x90
      
      $ addr2line -e vmlinux -i 0x602b3d18
      include/linux/inetdevice.h:222
      net/ipv4/fib_semantics.c:1264
      
      Problem happens when RTNH_F_LINKDOWN is provided from user space
      when creating routes that do not use the flag, catched with
      netlink fuzzer.
      
      Currently, the kernel allows user space to set both flags
      to nh_flags and fib_flags but this is not intentional, the
      assumption was that they are not set. Fix this by rejecting
      both flags with EINVAL.
      Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Fixes: 0eeb075f ("net: ipv4 sysctl option to ignore routes when nexthop link is down")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
      Cc: Dinesh Dutt <ddutt@cumulusnetworks.com>
      Cc: Scott Feldman <sfeldma@gmail.com>
      Reviewed-by: default avatarAndy Gospodarek <gospo@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      80610229
    • Eric Dumazet's avatar
      tcp: make challenge acks less predictable · 75ff39cc
      Eric Dumazet authored
      Yue Cao claims that current host rate limiting of challenge ACKS
      (RFC 5961) could leak enough information to allow a patient attacker
      to hijack TCP sessions. He will soon provide details in an academic
      paper.
      
      This patch increases the default limit from 100 to 1000, and adds
      some randomization so that the attacker can no longer hijack
      sessions without spending a considerable amount of probes.
      
      Based on initial analysis and patch from Linus.
      
      Note that we also have per socket rate limiting, so it is tempting
      to remove the host limit in the future.
      
      v2: randomize the count of challenge acks per second, not the period.
      
      Fixes: 282f23c6 ("tcp: implement RFC 5961 3.2")
      Reported-by: default avatarYue Cao <ycao009@ucr.edu>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      75ff39cc
    • Michal Kubeček's avatar
      udp: prevent bugcheck if filter truncates packet too much · a6127697
      Michal Kubeček authored
      If socket filter truncates an udp packet below the length of UDP header
      in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
      BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
      kernel is configured that way) can be easily enforced by an unprivileged
      user which was reported as CVE-2016-6162. For a reproducer, see
      http://seclists.org/oss-sec/2016/q3/8
      
      Fixes: e6afc8ac ("udp: remove headers from UDP packets before queueing")
      Reported-by: default avatarMarco Grassi <marco.gra@gmail.com>
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a6127697
    • Colin Ian King's avatar
      bnxt_en: initialize rc to zero to avoid returning garbage · f3ea3119
      Colin Ian King authored
      rc is not initialized so it can contain garbage if it is not
      set by the call to bnxt_read_sfp_module_eeprom_info. Ensure
      garbage is not returned by initializing rc to 0.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f3ea3119
    • David S. Miller's avatar
      Merge tag 'batadv-net-for-davem-20160708' of git://git.open-mesh.org/linux-merge · 7d32eb87
      David S. Miller authored
      Simon Wunderlich says:
      
      ====================
      Here are a couple batman-adv bugfix patches, all by Sven Eckelmann:
      
       - Fix possible NULL pointer dereference for vlan_insert_tag (two patches)
      
       - Fix reference handling in some features, which may lead to reference
         leaks or invalid memory access (four patches)
      
       - Fix speedy join: DHCP packets handled by the gateway feature should
         be sent with 4-address unicast instead of 3-address unicast to make
         speedy join work. This fixes/speeds up DHCP assignment for clients
         which join a mesh for the first time. (one patch)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7d32eb87
  2. 09 Jul, 2016 10 commits
  3. 06 Jul, 2016 6 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · bc867651
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) All users of AF_PACKET's fanout feature want a symmetric packet
          header hash for load balancing purposes, so give it to them.
      
       2) Fix vlan state synchronization in e1000e, from Jarod Wilson.
      
       3) Use correct socket pointer in ip_skb_dst_mtu(), from Shmulik
          Ladkani.
      
       4) mlx5 bug fixes from Mohamad Haj Yahia, Daniel Jurgens, Matthew
          Finlay, Rana Shahout, and Shaker Daibes.  Mostly to do with
          operation timeouts and PCI error handling.
      
       5) Fix checksum handling in mirred packet action, from WANG Cong.
      
       6) Set skb->dev correctly when transmitting in !protect_frames case of
          macsec driver, from Daniel Borkmann.
      
       7) Fix MTU calculation in geneve driver, from Haishuang Yan.
      
       8) Missing netif_napi_del() in unregister path of qeth driver, from
          Ursula Braun.
      
       9) Handle malformed route netlink messages in decnet properly, from
          Vergard Nossum.
      
      10) Memory leak of percpu data in ipv6 routing code, from Martin KaFai
          Lau.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        ipv6: Fix mem leak in rt6i_pcpu
        net: fix decnet rtnexthop parsing
        cxgb4: update latest firmware version supported
        net/mlx5: Avoid setting unused var when modifying vport node GUID
        bonding: fix enslavement slave link notifications
        r8152: fix runtime function for RTL8152
        qeth: delete napi struct when removing a qeth device
        Revert "fsl/fman: fix error handling"
        fsl/fman: fix error handling
        cdc_ncm: workaround for EM7455 "silent" data interface
        RDS: fix rds_tcp_init() error path
        geneve: fix max_mtu setting
        net: phy: dp83867: Fix initialization of PHYCR register
        enc28j60: Fix race condition in enc28j60 driver
        net: stmmac: Fix null-function call in ISR on stmmac1000
        tipc: fix nl compat regression for link statistics
        net: bcmsysport: Device stats are unsigned long
        macsec: set actual real device for xmit when !protect_frames
        net_sched: fix mirrored packets checksum
        packet: Use symmetric hash for PACKET_FANOUT_HASH.
        ...
      bc867651
    • Linus Torvalds's avatar
      Merge tag 'sound-4.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 4cdbbbd1
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Here are a collection of small fixes: at this time, we've got a
        slightly high amount, but all small and trivial fixes, and nothing
        scary can be seen there"
      
      * tag 'sound-4.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (21 commits)
        ALSA: hda/realtek: Add Lenovo L460 to docking unit fixup
        ALSA: timer: Fix negative queue usage by racy accesses
        ASoC: rt5645: fix reg-2f default value.
        ASoC: fsl_ssi: Fix number of words per frame for I2S-slave mode
        ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
        ALSA: hda - Add PCI ID for Kabylake-H
        ALSA: echoaudio: Fix memory allocation
        ASoC: Intel: atom: fix missing breaks that would cause the wrong operation to execute
        ALSA: hda - fix read before array start
        ASoC: cx20442: set tty->receiver_room in v253_open
        ASoC: ak4613: Enable cache usage to fix crashes on resume
        ASoC: wm8940: Enable cache usage to fix crashes on resume
        ASoC: Intel: Skylake: Initialize module list for Broxton
        ASoC: wm5102: Correct supported channels on trace compressed DAI
        ASoC: wm5110: Add missing route from OUT3R to SYSCLK
        ASoC: rt5670: fix HP Playback Volume control
        ASoC: hdmi-codec: select CONFIG_HDMI
        ASoC: davinci-mcasp: Fix dra7 DMA offset when using CFG port
        ASoC: hdac_hdmi: Fix potential NULL dereference
        ASoC: ak4613: Remove owner assignment from platform_driver
        ...
      4cdbbbd1
    • Linus Torvalds's avatar
      Merge tag 'chrome-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/olof/chrome-platform · 4d0a279c
      Linus Torvalds authored
      Pull chrome platform fix from Olof Johansson:
       "A single fix this time, closing a window where ioctl args are fetched
        twice"
      
      * tag 'chrome-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/olof/chrome-platform:
        platform/chrome: cros_ec_dev - double fetch bug in ioctl
      4d0a279c
    • Sven Eckelmann's avatar
      batman-adv: Fix speedy join in gateway client mode · d1fe176c
      Sven Eckelmann authored
      Speedy join only works when the received packet is either broadcast or an
      4addr unicast packet. Thus packets converted from broadcast to unicast via
      the gateway handling code have to be converted to 4addr packets to allow
      the receiving gateway server to add the sender address as temporary entry
      to the translation table.
      
      Not doing it will make the batman-adv gateway server drop the DHCP response
      in many situations because it doesn't yet have the TT entry for the
      destination of the DHCP response.
      
      Fixes: 37135173 ("batman-adv: change interface_rx to get orig node")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      d1fe176c
    • Gregory Greenman's avatar
      cfg80211: handle failed skb allocation · 16a910a6
      Gregory Greenman authored
      Handle the case when dev_alloc_skb returns NULL.
      
      Cc: stable@vger.kernel.org
      Fixes: 2b67f944 ("cfg80211: reuse existing page fragments in A-MSDU rx")
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      16a910a6
    • Purushottam Kushwaha's avatar
      nl80211: Move ACL parsing later to avoid a possible memory leak · 6e8ef842
      Purushottam Kushwaha authored
      No support for pbss results in a memory leak for the acl_data
      (if parse_acl_data succeeds). Fix this by moving the ACL parsing later.
      
      Cc: stable@vger.kernel.org
      Fixes: 34d50519 ("cfg80211: basic support for PBSS network type")
      Signed-off-by: default avatarPurushottam Kushwaha <pkushwah@qti.qualcomm.com>
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      6e8ef842
  4. 05 Jul, 2016 17 commits
  5. 04 Jul, 2016 2 commits