1. 27 Apr, 2020 9 commits
    • sch_choke: avoid potential panic in choke_reset() · 8738c85c
      Eric Dumazet authored
      If choke_init() could not allocate q->tab, we would crash later
      in choke_reset().
      
      BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
      BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
      Write of size 8 at addr 0000000000000000 by task syz-executor822/7022
      
      CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x188/0x20d lib/dump_stack.c:118
       __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
       kasan_report+0x33/0x50 mm/kasan/common.c:625
       check_memory_region_inline mm/kasan/generic.c:187 [inline]
       check_memory_region+0x141/0x190 mm/kasan/generic.c:193
       memset+0x20/0x40 mm/kasan/common.c:85
       memset include/linux/string.h:366 [inline]
       choke_reset+0x208/0x340 net/sched/sch_choke.c:326
       qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
       dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
       netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
       dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
       dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
       qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
       tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
       rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
       netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
       netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
       netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
       netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:672
       ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
       ___sys_sendmsg+0x100/0x170 net/socket.c:2416
       __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
       do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
      
      Fixes: 77e62da6 ("sch_choke: drop all packets in queue during reset")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks · 14695212
      Eric Dumazet authored
      My intent was to not let users set a zero drop_batch_size,
      it seems I once again messed with min()/max().
      
      Fixes: 9d18562a ("fq_codel: add batch ability to fq_codel_drop()")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/tls: Fix sk_psock refcnt leak when in tls_data_ready() · 62b4011f
      Xiyu Yang authored
      tls_data_ready() invokes sk_psock_get(), which returns a reference of
      the specified sk_psock object to "psock" with increased refcnt.
      
      When tls_data_ready() returns, local variable "psock" becomes invalid,
      so the refcount should be decreased to keep refcount balanced.
      
      The reference counting issue happens in one exception handling path of
      tls_data_ready(). When "psock->ingress_msg" is empty but "psock" is not
      NULL, the function forgets to decrease the refcnt increased by
      sk_psock_get(), causing a refcnt leak.
      
      Fix this issue by calling sk_psock_put() on all paths when "psock" is
      not NULL.
      Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/x25: Fix x25_neigh refcnt leak when x25 disconnect · 4becb7ee
      Xiyu Yang authored
      x25_connect() invokes x25_get_neigh(), which returns a reference of the
      specified x25_neigh object to "x25->neighbour" with increased refcnt.
      
      When x25 connect succeeds and returns, the reference is still held by
      "x25->neighbour", so the refcount should be decreased in
      x25_disconnect() to keep refcount balanced.
      
      The reference counting issue happens in x25_disconnect(), which forgets
      to decrease the refcnt increased by x25_get_neigh() in x25_connect(),
      causing a refcnt leak.
      
      Fix this issue by calling x25_neigh_put() before x25_disconnect()
      returns.
      Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() · 095f5614
      Xiyu Yang authored
      bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference
      of the specified sk_psock object to "psock" with increased refcnt.
      
      When bpf_exec_tx_verdict() returns, local variable "psock" becomes
      invalid, so the refcount should be decreased to keep refcount balanced.
      
      The reference counting issue happens in one exception handling path of
      bpf_exec_tx_verdict(). When "policy" equals NULL but "psock" is not
      NULL, the function forgets to decrease the refcnt increased by
      sk_psock_get(), causing a refcnt leak.
      
      Fix this issue by calling sk_psock_put() on this error path before
      bpf_exec_tx_verdict() returns.
      Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • aquantia: Fix the media type of AQC100 ethernet controller in the driver · 6de556c3
      Richard Clark authored
      The Aquantia AQC100 controller enables a SFP+ port, so the driver should
      configure the media type as '_TYPE_FIBRE' instead of '_TYPE_TP'.
      Signed-off-by: Richard Clark <richard.xnu.clark@gmail.com>
      Cc: Igor Russkikh <irusskikh@marvell.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Acked-by: Igor Russkikh <irusskikh@marvell.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'vsock-virtio-fixes-about-packet-delivery-to-monitoring-devices' · 18e6719c
      David S. Miller authored
      Stefano Garzarella says:
      
      ====================
      vsock/virtio: fixes about packet delivery to monitoring devices
      
      During the review of v1, Stefan pointed out an issue introduced by
      that patch, where replies can appear in the packet capture before
      the transmitted packet.
      
      While fixing my patch, reverting it and adding a new flag in
      'struct virtio_vsock_pkt' (patch 2/2), I found that we already had
      that issue in vhost-vsock, so I fixed it (patch 1/2).
      
      v1 -> v2:
      - reverted the v1 patch, to avoid that replies can appear in the
        packet capture before the transmitted packet [Stefan]
      - added patch to fix packet delivering to monitoring devices in
        vhost-vsock
      - added patch to check if the packet is already delivered to
        monitoring devices
      
      v1: https://patchwork.ozlabs.org/project/netdev/patch/20200421092527.41651-1-sgarzare@redhat.com/
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vsock/virtio: fix multiple packet delivery to monitoring devices · a78d1639
      Stefano Garzarella authored
      In virtio_transport.c, if the virtqueue is full, the transmitting
      packet is queued up and it will be sent in the next iteration.
      This causes the same packet to be delivered multiple times to
      monitoring devices.
      
      We want to continue to deliver packets to monitoring devices before
      it is put in the virtqueue, to avoid that replies can appear in the
      packet capture before the transmitted packet.
      
      This patch fixes the issue, adding a new flag (tap_delivered) in
      struct virtio_vsock_pkt, to check if the packet is already delivered
      to monitoring devices.
      
      In vhost/vsock.c, we are splitting packets, so we must set
      'tap_delivered' to false when we queue up the same virtio_vsock_pkt
      to handle the remaining bytes.
      Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vhost/vsock: fix packet delivery order to monitoring devices · 107bc076
      Stefano Garzarella authored
      We want to deliver packets to monitoring devices before it is
      put in the virtqueue, to avoid that replies can appear in the
      packet capture before the transmitted packet.
      Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 26 Apr, 2020 2 commits
  3. 25 Apr, 2020 18 commits
  4. 24 Apr, 2020 11 commits