- 30 Nov, 2016 36 commits
-
-
Josef Bacik authored
If we have a branch that looks something like this int foo = map->value; if (condition) { foo += blah; } else { foo = bar; } map->array[foo] = baz; We will incorrectly assume that the !condition branch is equal to the condition branch as the register for foo will be UNKNOWN_VALUE in both cases. We need to adjust this logic to only do this if we didn't do a varlen access after we processed the !condition branch, otherwise we have different ranges and need to check the other branch as well. Fixes: 48461135 ("bpf: allow access into map value arrays") Reported-by:Jann Horn <jannh@google.com> Signed-off-by:
Josef Bacik <jbacik@fb.com> Acked-by:
Alexei Starovoitov <ast@kernel.org> Acked-by:
Daniel Borkmann <daniel@iogearbox.net> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Merge tag 'wireless-drivers-for-davem-2016-11-29' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.9 mwifiex * properly terminate SSIDs so that uninitalised memory is not printed ==================== Signed-off-by:
-
David S. Miller authored
Guillaume Nault says: ==================== l2tp: fixes for l2tp_ip and l2tp_ip6 socket handling This series addresses problems found while working on commit 32c23116 ("l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()"). The first three patches fix races in socket's connect, recv and bind operations. The last two ones fix scenarios where l2tp fails to correctly lookup its userspace sockets. Apart from the last patch, which is l2tp_ip6 specific, every patch fixes the same problem in the L2TP IPv4 and IPv6 code. All problems fixed by this series exist since the creation of the l2tp_ip and l2tp_ip6 modules. Changes since v1: * Patch #3: fix possible uninitialised use of 'ret' in l2tp_ip_bind(). ==================== Acked-by:
James Chapman <jchapman@katalix.com>
-
Guillaume Nault authored
The '!(addr && ipv6_addr_equal(addr, laddr))' part of the conditional matches if addr is NULL or if addr != laddr. But the intend of __l2tp_ip6_bind_lookup() is to find a sockets with the same address, so the ipv6_addr_equal() condition needs to be inverted. For better clarity and consistency with the rest of the expression, the (!X || X == Y) notation is used instead of !(X && X != Y). Signed-off-by:
Guillaume Nault <g.nault@alphalink.fr> Signed-off-by:
-
Guillaume Nault authored
When looking up an l2tp socket, we must consider a null netdevice id as wild card. There are currently two problems caused by __l2tp_ip_bind_lookup() not considering 'dif' as wild card when set to 0: * A socket bound to a device (i.e. with sk->sk_bound_dev_if != 0) never receives any packet. Since __l2tp_ip_bind_lookup() is called with dif == 0 in l2tp_ip_recv(), sk->sk_bound_dev_if is always different from 'dif' so the socket doesn't match. * Two sockets, one bound to a device but not the other, can be bound to the same address. If the first socket binding to the address is the one that is also bound to a device, the second socket can bind to the same address without __l2tp_ip_bind_lookup() noticing the overlap. To fix this issue, we need to consider that any null device index, be it 'sk->sk_bound_dev_if' or 'dif', matches with any other value. We also need to pass the input device index to __l2tp_ip_bind_lookup() on reception so that sockets bound to a device never receive packets from other devices. This patch fixes l2tp_ip6 in the same way. Signed-off-by: -
Guillaume Nault authored
It's not enough to check for sockets bound to same address at the beginning of l2tp_ip{,6}_bind(): even if no socket is found at that time, a socket with the same address could be bound before we take the l2tp lock again. This patch moves the lookup right before inserting the new socket, so that no change can ever happen to the list between address lookup and socket insertion. Care is taken to avoid side effects on the socket in case of failure. That is, modifications of the socket are done after the lookup, when binding is guaranteed to succeed, and before releasing the l2tp lock, so that concurrent lookups will always see fully initialised sockets. For l2tp_ip, 'ret' is set to -EINVAL before checking the SOCK_ZAPPED bit. Error code was mistakenly set to -EADDRINUSE on error by commit 32c23116 ("l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()"). Using -EINVAL restores original behaviour. For l2tp_ip6, the lookup is now always done with the correct bound device. Before this patch, when binding to a link-local address, the lookup was done with the original sk->sk_bound_dev_if, which was later overwritten with addr->l2tp_scope_id. Lookup is now performed with the final sk->sk_bound_dev_if value. Finally, the (addr_len >= sizeof(struct sockaddr_in6)) check has been dropped: addr is a sockaddr_l2tpip6 not sockaddr_in6 and addr_len has already been checked at this point (this part of the code seems to have been copy-pasted from net/ipv6/raw.c). Signed-off-by: -
Guillaume Nault authored
Socket must be held while under the protection of the l2tp lock; there is no guarantee that sk remains valid after the read_unlock_bh() call. Same issue for l2tp_ip and l2tp_ip6. Signed-off-by:
-
Guillaume Nault authored
Socket flags aren't updated atomically, so the socket must be locked while reading the SOCK_ZAPPED flag. This issue exists for both l2tp_ip and l2tp_ip6. For IPv6, this patch also brings error handling for __ip6_datagram_connect() failures. Signed-off-by:
-
Hariprasad Shenai authored
Signed-off-by:
Hariprasad Shenai <hariprasad@chelsio.com> Signed-off-by:
-
Nikita Yushchenko authored
Execution 'ethtool -S' on fec device that is down causes OOPS on Vybrid board: Unhandled fault: external abort on non-linefetch (0x1008) at 0xe0898200 pgd = ddecc000 [e0898200] *pgd=9e406811, *pte=400d1653, *ppte=400d1453 Internal error: : 1008 [#1] SMP ARM ... Reason of OOPS is that fec_enet_get_ethtool_stats() accesses fec registers while IPG clock is stopped by PM. Fix that by caching statistics in fec_enet_private. Cache is initialized at device probe time, and updated at statistics request time if device is up, and also just before turning device off on down path. Additional locking is not needed, since cached statistics is accessed either before device is registered, or under rtnl_lock(). Signed-off-by:
Nikita Yushchenko <nikita.yoush@cogentembedded.com> Signed-off-by:
-
Haishuang Yan authored
vxlan_fdb_append may return error, so add the proper check, otherwise it will cause memory leak. Signed-off-by:
Haishuang Yan <yanhaishuang@cmss.chinamobile.com> Changes in v2: - Unnecessary to initialize rc to zero. Acked-by:
Jiri Benc <jbenc@redhat.com> Signed-off-by:
-
Daniele Di Proietto authored
If nf_ct_frag6_gather() returns an error other than -EINPROGRESS, it means that we still have a reference to the skb. We should free it before returning from handle_fragments, as stated in the comment above. Fixes: daaa7d64 ("netfilter: ipv6: avoid nf_iterate recursion") CC: Florian Westphal <fw@strlen.de> CC: Pravin B Shelar <pshelar@ovn.org> CC: Joe Stringer <joe@ovn.org> Signed-off-by:
Daniele Di Proietto <diproiettod@ovn.org> Acked-by:
Pravin B Shelar <pshelar@ovn.org> Signed-off-by:
-
David S. Miller authored
Johan Hovold says: ==================== net: fix fixed-link phydev leaks This series fixes failures to deregister and free fixed-link phydevs that have been registered using the of_phy_register_fixed_link() interface. All but two drivers currently fail to do this and this series fixes most of them with the exception of a staging driver and the stmmac drivers which will be fixed by follow-on patches. Included are also a couple of fixes for related of-node leaks. Note that all patches except the of_mdio one have been compile-tested only. Also note that the series is against net due to dependencies not yet in net-next. ==================== Signed-off-by: -
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on slave-setup errors and on slave destroy. Fixes: 0d8bcdd3 ("net: dsa: allow for more complex PHY setups") Signed-off-by:
Johan Hovold <johan@kernel.org> Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Also remember to put the of-node reference on probe errors. Fixes: 1bb6aa56 ("net: davinci_emac: Add support for fixed-link PHY") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: 077742da ("dwc_eth_qos: Add support for Synopsys DWC Ethernet QoS") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on initialisation errors and on device close after having disconnected the PHY. Fixes: b4bc88a8 ("ravb: Add fixed-link support") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on initialisation errors and on uninit. Fixes: 0c72c50f ("net-next: mediatek: add fixed-phy support") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: 83895bed ("net: mvneta: add support for fixed links") Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: 87009814 ("ucc_geth: use the new fixed PHY helpers") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: be403645 ("gianfar: use the new fixed PHY helpers") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: bb74d9a4 ("fs_enet: use the new fixed PHY helpers") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: 407066f8 ("net: fec: Support phys probed from devicetree and fixed-link") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Note that we're still leaking any fixed-link PHY registered in the non-OF probe path. Fixes: 9abf0c2b ("net: bcmgenet: use the new fixed PHY helpers") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: 186534a3 ("net: systemport: use the new fixed PHY helpers") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: c7dfe3ab ("net: ethernet: nb8800: support fixed-link DT node") Signed-off-by:
-
Johan Hovold authored
Make sure to deregister and free any fixed-link PHY registered using of_phy_register_fixed_link() on probe errors and on driver unbind. Fixes: 7cdbc6f7 ("altera tse: add support for fixed-links.") Signed-off-by:
-
Johan Hovold authored
Add helper to deregister fixed-link PHYs registered using of_phy_register_fixed_link(). Convert the two drivers that care to deregister their fixed-link PHYs to use the new helper, but note that most drivers currently fail to do so. Signed-off-by:
-
Johan Hovold authored
Make sure to drop the reference taken by of_parse_phandle() before returning from dsa_slave_phy_setup(). Note that this also modifies the PHY priority so that any fixed-link node is only parsed when no phy-handle is given, which is in accordance with the common scheme for this. Fixes: 0d8bcdd3 ("net: dsa: allow for more complex PHY setups") Signed-off-by:
-
Arnaldo Carvalho de Melo authored
As it may get stale and lead to use after free. Acked-by:
Eric Dumazet <eric.dumazet@gmail.com> Cc: Alexander Duyck <aduyck@mirantis.com> Cc: Andrey Konovalov <andreyknvl@google.com> Fixes: cbc53e08 ("GSO: Add GSO type for fixed IPv4 ID") Signed-off-by:
Arnaldo Carvalho de Melo <acme@redhat.com> Acked-by:
Alexander Duyck <alexander.h.duyck@intel.com> Signed-off-by:
-
Jiri Pirko authored
Be symmetric to hashtable insert and remove filter from hashtable only in case skip sw flag is not set. Fixes: e69985c6 ("net/sched: cls_flower: Introduce support in SKIP SW flag") Signed-off-by:
Jiri Pirko <jiri@mellanox.com> Reviewed-by:
Amir Vadai <amir@vadai.me> Signed-off-by:
-
Eric Dumazet authored
pskb_may_pull() can reallocate skb->head, we need to reload dh pointer in dccp_invalid_packet() or risk use after free. Bug found by Andrey Konovalov using syzkaller. Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
Andrey Konovalov <andreyknvl@google.com> Signed-off-by:
-
Zumeng Chen authored
When a hardware issue happened as described by inline comments, the register write pattern looks like the following: <write ~MACB_BIT(RE)> + wmb(); <write MACB_BIT(RE)> There might be a memory barrier between these two write operations, so add wmb to ensure an flip from 0 to 1 for NCR. Signed-off-by:
Zumeng Chen <zumeng.chen@windriver.com> Acked-by:
Nicolas Ferre <nicolas.ferre@atmel.com> Signed-off-by:
-
Cyrille Pitchen authored
On macb only (not gem), when a RX queue corruption was detected from macb_rx(), the RX queue was reset: during this process the RX ring buffer descriptor was initialized by macb_init_rx_ring() but we forgot to also set bp->rx_tail to 0. Indeed, when processing the received frames, bp->rx_tail provides the macb driver with the index in the RX ring buffer of the next buffer to process. So when the whole ring buffer is reset we must also reset bp->rx_tail so the driver is synchronized again with the hardware. Since macb_init_rx_ring() is called from many locations, currently from macb_rx() and macb_init_rings(), we'd rather add the "bp->rx_tail = 0;" line inside macb_init_rx_ring() than add the very same line after each call of this function. Without this fix, the rx queue is not reset properly to recover from queue corruption and connection drop may occur. Signed-off-by:
Cyrille Pitchen <cyrille.pitchen@atmel.com> Fixes: 9ba723b0 ("net: macb: remove BUG_ON() and reset the queue to handle RX errors") Acked-by:
-
Herbert Xu authored
The cb->done interface expects to be called in process context. This was broken by the netlink RCU conversion. This patch fixes it by adding a worker struct to make the cb->done call where necessary. Fixes: 21e4902a ("netlink: Lockless lookup with RCU grace...") Reported-by:
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Acked-by:
Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by:
-
Amir Vadai authored
Add a validation function to make sure offset is valid: 1. Not below skb head (could happen when offset is negative). 2. Validate both 'offset' and 'at'. Signed-off-by:
-
- 28 Nov, 2016 4 commits
-
-
Michael Holzheu authored
The files "sampleip_kern.c" and "trace_event_kern.c" directly access "ctx->regs.ip" which is not available on s390x. Fix this and use the PT_REGS_IP() macro instead. Also fix the macro for s390x and use "psw.addr" from "pt_regs". Reported-by:
Zvonko Kosic <zvonko.kosic@de.ibm.com> Signed-off-by:
Michael Holzheu <holzheu@linux.vnet.ibm.com> Acked-by:
-
Nikita Yushchenko authored
_dsa_register_switch() gets a dsa_switch_tree object either via dsa_get_dst() or via dsa_add_dst(). Former path does not increase kref in returned object (resulting into caller not owning a reference), while later path does create a new object (resulting into caller owning a reference). The rest of _dsa_register_switch() assumes that it owns a reference, and calls dsa_put_dst(). This causes a memory breakage if first switch in the tree initialized successfully, but second failed to initialize. In particular, freed dsa_swith_tree object is left referenced by switch that was initialized, and later access to sysfs attributes of that switch cause OOPS. To fix, need to add kref_get() call to dsa_get_dst(). Fixes: 83c0afae ("net: dsa: Add new binding implementation") Signed-off-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
-
David Ahern authored
Andrey reported the following while fuzzing the kernel with syzkaller: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN Modules linked in: CPU: 0 PID: 3859 Comm: a.out Not tainted 4.9.0-rc6+ #429 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff8800666d4200 task.stack: ffff880067348000 RIP: 0010:[<ffffffff833617ec>] [<ffffffff833617ec>] icmp6_send+0x5fc/0x1e30 net/ipv6/icmp.c:451 RSP: 0018:ffff88006734f2c0 EFLAGS: 00010206 RAX: ffff8800666d4200 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000018 RBP: ffff88006734f630 R08: ffff880064138418 R09: 0000000000000003 R10: dffffc0000000000 R11: 0000000000000005 R12: 0000000000000000 R13: ffffffff84e7e200 R14: ffff880064138484 R15: ffff8800641383c0 FS: 00007fb3887a07c0(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000006b040000 CR4: 00000000000006f0 Stack: ffff8800666d4200 ffff8800666d49f8 ffff8800666d4200 ffffffff84c02460 ffff8800666d4a1a 1ffff1000ccdaa2f ffff88006734f498 0000000000000046 ffff88006734f440 ffffffff832f4269 ffff880064ba7456 0000000000000000 Call Trace: [<ffffffff83364ddc>] icmpv6_param_prob+0x2c/0x40 net/ipv6/icmp.c:557 [< inline >] ip6_tlvopt_unknown net/ipv6/exthdrs.c:88 [<ffffffff83394405>] ip6_parse_tlv+0x555/0x670 net/ipv6/exthdrs.c:157 [<ffffffff8339a759>] ipv6_parse_hopopts+0x199/0x460 net/ipv6/exthdrs.c:663 [<ffffffff832ee773>] ipv6_rcv+0xfa3/0x1dc0 net/ipv6/ip6_input.c:191 ... icmp6_send / icmpv6_send is invoked for both rx and tx paths. In both cases the dst->dev should be preferred for determining the L3 domain if the dst has been set on the skb. Fallback to the skb->dev if it has not. This covers the case reported here where icmp6_send is invoked on Rx before the route lookup. Fixes: 5d41ce29 ("net: icmp6_send should use dst dev to determine L3 domain") Reported-by:
David Ahern <dsa@cumulusnetworks.com> Signed-off-by:
-
David S. Miller authored
Tariq Toukan says: ==================== mlx4 bug fixes for 4.9 This patchset includes 2 bug fixes: * In patch 1 we revert the commit that avoids invoking unregister_netdev in shutdown flow, as it introduces netdev presence issues where it can be accessed unsafely by ndo operations during the flow. * Patch 2 is a simple fix for a variable uninitialization issue. Series generated against net commit: 6998cc6e tipc: resolve connection flow control compatibility problem ==================== Signed-off-by:
-
