1. 30 Sep, 2017 1 commit
      netlink: do not proceed if dump's start() errs · fef0035c
      Jason A. Donenfeld authored
      Drivers that use the start method for netlink dumping rely on dumpit not
      being called if start fails. For example, ila_xlat.c allocates memory
      and assigns it to cb->args[0] in its start() function. It might fail to
      do that and return -ENOMEM instead. However, even when returning an
      error, dumpit will be called, which, in the example above, quickly
      dereferences the memory in cb->args[0], which will OOPS the kernel. This
      is but one example of how this goes wrong.
      
      Since start() has always been a function with an int return type, it
      therefore makes sense to use it properly, rather than ignoring it. This
      patch thus returns early and does not call dumpit() when start() fails.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 29 Sep, 2017 1 commit
  3. 28 Sep, 2017 25 commits
  4. 27 Sep, 2017 2 commits
      sctp: Fix a big endian bug in sctp_diag_dump() · c2cc187e
      Dan Carpenter authored
      The sctp_for_each_transport() function takes a pointer to int.  The
      cb->args[] array holds longs so it's only using the high 32 bits.  It
      works on little endian systems but will break on big endian 64 bit
      machines.
      
      Fixes: d25adbeb ("sctp: fix an use-after-free issue in sctp_sock_dump")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Reviewed-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
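An added C example, not code from the commit, of the mismatch the message describes: an iterator that reports its position through an `int *` is handed the address of a `long` slot. The kernel names are replaced by hypothetical stand-ins (`iterate_transports`, `struct dump_cb`); the point is that the buggy form reads back correctly on little-endian hosts but comes back shifted into the high 32 bits on big-endian 64-bit hosts, while the fixed form is endianness-independent.

```c
/* Added example, not code from the commit: models the long cb->args[] slot
 * versus "int *" mismatch described above with hypothetical stand-in names. */
#include <stdint.h>
#include <string.h>

struct dump_cb { long args[6]; };   /* stand-in for the netlink cb->args[] */

/* Stand-in for an iterator that reports its position through an int *.
 * noinline stops the compiler from seeing through the cast below, so the
 * example shows what really happens to the bytes in the slot. */
static __attribute__((noinline)) void iterate_transports(int *pos, int count)
{
    *pos += count;                  /* writes sizeof(int) bytes at *pos */
}

/* Buggy pattern: a long slot handed to the iterator as if it were an int.
 * Little-endian: the low 4 bytes change and small values read back fine.
 * Big-endian 64-bit: the high 4 bytes change, so the value comes back
 * shifted left by 32 bits and the dump position is wrong. */
long buggy_position(int start, int count)
{
    struct dump_cb cb = { { 0 } };
    cb.args[1] = start;
    iterate_transports((int *)&cb.args[1], count);
    return cb.args[1];
}

/* Fixed pattern (what the commit does): iterate through a correctly typed
 * local and store it into the long slot afterwards; endianness-independent. */
long fixed_position(int start, int count)
{
    struct dump_cb cb = { { 0 } };
    int pos = start;
    iterate_transports(&pos, count);
    cb.args[1] = pos;
    return cb.args[1];
}

int host_is_big_endian(void)
{
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);      /* first byte is 0 on big-endian */
    return first == 0;
}

/* Expected buggy_position(0, count) on this host: the count itself on
 * little-endian or 32-bit long, the count in the high half on BE 64-bit. */
long buggy_expected(int count)
{
    if (sizeof(long) == sizeof(int) || !host_is_big_endian())
        return count;
    return ((long)count << 16) << 16;
}
```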
      Merge tag 'wireless-drivers-for-davem-2017-09-25' of... · 20c62c79
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2017-09-25' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.14
      
      Quite a lot of fixes this time. Most notable is the brcmfmac fix for a
      CVE issue.
      
      iwlwifi
      
      * a couple of bugzilla bugs related to multicast handling
      
      * two fixes for WoWLAN bugs that were causing queue hangs and
        re-initialization problems
      
      * two fixes for potential uninitialized variable use reported by Dan
        Carpenter in relation to a recently introduced patch
      
      * a fix for buffer reordering in the newly supported 9000 device
        family
      
      * fix a race when starting aggregation
      
      * small fix for a recent patch to wake mac80211 queues
      
      * send non-bufferable management frames in the generic queue so they
        are not sent on queues that are under power-save
      
      ath10k
      
      * fix a PCI PM related gcc warning
      
      brcmfmac
      
      * CVE-2017-0786: add length check scan results from firmware
      
      * respect passive scan requests from user space
      
      qtnfmac
      
      * fix race in tx path when using multiple interfaces
      
      * cancel ongoing scan when removing the wireless interface
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 26 Sep, 2017 9 commits
      Merge branch 'aquantia-fixes' · 2760f5a3
      David S. Miller authored
      Igor Russkikh says:
      
      ====================
      aquantia: Atlantic driver bugfixes and improvements
      
      This series contains bugfixes for aQuantia Atlantic driver.
      
      Changes in v2:
      Review comments applied:
      - min_mtu set removed
      - extra mtu range check is removed
      - err codes handling improved
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      atlantic: fix iommu errors · c7545689
      Pavel Belous authored
      Call skb_frag_dma_map multiple times if tx length is greater than
      device max and avoid processing tx ring until entire packet has been
      sent.
      Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: Pavel Belous <pavel.belous@aquantia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      aquantia: Fix transient invalid link down/up indications · a7bb1bea
      Igor Russkikh authored
      Due to a bug in aquantia atlantic card firmware, it sometimes reports
      invalid link speed bits. That caused the driver to report link down events,
      although the link itself is totally fine.
      
      This patch ignores such out of blue readings.
      Signed-off-by: Pavel Belous <Pavel.Belous@aquantia.com>
      Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      aquantia: Fix Tx queue hangups · 3aec6412
      Igor Russkikh authored
      Driver did a poor job in managing its Tx queues: Sometimes it could stop
      tx queues due to link down condition in aq_nic_xmit - but never woke
      them up. That led to Tx path total suspend.
      This patch fixes this and improves generic queue management:
      - introduces queue restart counter
      - uses generic netif_ interface to disable and enable tx path
      - refactors link up/down condition and introduces dmesg log event when
        link changes.
      - introduces new constant for minimum descriptors count required for queue
        wakeup
      Signed-off-by: Pavel Belous <Pavel.Belous@aquantia.com>
      Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      aquantia: Setup max_mtu in ndev to enable jumbo frames · d85fc17b
      Igor Russkikh authored
      Although hardware is capable of almost 16K MTU, without the max_mtu field
      correctly set it only allows standard MTU to be used.
      This patch enables max MTU, calculating it from hardware maximum frame size
      of 16352 octets (including FCS).
      
      Fixes: 5513e164 ("net: ethernet: aquantia: Fixes for aq_ndev_change_mtu")
      Signed-off-by: Pavel Belous <Pavel.Belous@aquantia.com>
      Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      l2tp: fix race condition in l2tp_tunnel_delete · 62b982ee
      Sabrina Dubroca authored
      If we try to delete the same tunnel twice, the first delete operation
      does a lookup (l2tp_tunnel_get), finds the tunnel, calls
      l2tp_tunnel_delete, which queues it for deletion by
      l2tp_tunnel_del_work.
      
      The second delete operation also finds the tunnel and calls
      l2tp_tunnel_delete. If the workqueue has already fired and started
      running l2tp_tunnel_del_work, then l2tp_tunnel_delete will queue the
      same tunnel a second time, and try to free the socket again.
      
      Add a dead flag to prevent firing the workqueue twice. Then we can
      remove the check of queue_work's result that was meant to prevent that
      race but doesn't.
      
      Reproducer:
      
          ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 local 192.168.0.2 remote 192.168.0.1 encap udp udp_sport 5000 udp_dport 6000
          ip l2tp add session name l2tp1 tunnel_id 3000 session_id 1000 peer_session_id 2000
          ip link set l2tp1 up
          ip l2tp del tunnel tunnel_id 3000
          ip l2tp del tunnel tunnel_id 3000
      
      Fixes: f8ccac0e ("l2tp: put tunnel socket release on a workqueue")
      Reported-by: Jianlin Shi <jishi@redhat.com>
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Acked-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit · 36f6ee22
      Alexey Kodanev authored
      When running LTP IPsec tests, KASan might report:
      
      BUG: KASAN: use-after-free in vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
      Read of size 4 at addr ffff880dc6ad1980 by task swapper/0/0
      ...
      Call Trace:
        <IRQ>
        dump_stack+0x63/0x89
        print_address_description+0x7c/0x290
        kasan_report+0x28d/0x370
        ? vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
        __asan_report_load4_noabort+0x19/0x20
        vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
        ? vti_init_net+0x190/0x190 [ip_vti]
        ? save_stack_trace+0x1b/0x20
        ? save_stack+0x46/0xd0
        dev_hard_start_xmit+0x147/0x510
        ? icmp_echo.part.24+0x1f0/0x210
        __dev_queue_xmit+0x1394/0x1c60
      ...
      Freed by task 0:
        save_stack_trace+0x1b/0x20
        save_stack+0x46/0xd0
        kasan_slab_free+0x70/0xc0
        kmem_cache_free+0x81/0x1e0
        kfree_skbmem+0xb1/0xe0
        kfree_skb+0x75/0x170
        kfree_skb_list+0x3e/0x60
        __dev_queue_xmit+0x1298/0x1c60
        dev_queue_xmit+0x10/0x20
        neigh_resolve_output+0x3a8/0x740
        ip_finish_output2+0x5c0/0xe70
        ip_finish_output+0x4ba/0x680
        ip_output+0x1c1/0x3a0
        xfrm_output_resume+0xc65/0x13d0
        xfrm_output+0x1e4/0x380
        xfrm4_output_finish+0x5c/0x70
      
      Can be fixed if we get skb->len before dst_output().
      
      Fixes: b9959fd3 ("vti: switch to new ip tunnel code")
      Fixes: 22e1b23d ("vti6: Support inter address family tunneling.")
      Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      netlink: fix nla_put_{u8,u16,u32} for KASAN · b4391db4
      Arnd Bergmann authored
      When CONFIG_KASAN is enabled, the "--param asan-stack=1" causes rather large
      stack frames in some functions. This goes unnoticed normally because
      CONFIG_FRAME_WARN is disabled with CONFIG_KASAN by default as of commit
      3f181b4d ("lib/Kconfig.debug: disable -Wframe-larger-than warnings with
      KASAN=y").
      
      The kernelci.org build bot however has the warning enabled and that led
      me to investigate it a little further, as every build produces these warnings:
      
      net/wireless/nl80211.c:4389:1: warning: the frame size of 2240 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      net/wireless/nl80211.c:1895:1: warning: the frame size of 3776 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      net/wireless/nl80211.c:1410:1: warning: the frame size of 2208 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      net/bridge/br_netlink.c:1282:1: warning: the frame size of 2544 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      
      Most of this problem is now solved in gcc-8, which can consolidate
      the stack slots for the inline function arguments. On older compilers
      we can add a workaround by declaring a local variable in each function
      to pass the inline function argument.
      
      Cc: stable@vger.kernel.org
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      rocker: fix rocker_tlv_put_* functions for KASAN · 6098d7dd
      Arnd Bergmann authored
      Inlining these functions creates lots of stack variables that each take
      64 bytes when KASAN is enabled, leading to this warning about potential
      stack overflow:
      
      drivers/net/ethernet/rocker/rocker_ofdpa.c: In function 'ofdpa_cmd_flow_tbl_add':
      drivers/net/ethernet/rocker/rocker_ofdpa.c:621:1: error: the frame size of 2752 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
      
      gcc-8 can now consolidate the stack slots itself, but on older versions
      we get the same behavior by using a temporary variable that holds a
      copy of the inline function argument.
      
      Cc: stable@vger.kernel.org
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  6. 25 Sep, 2017 2 commits