1. 31 Jan, 2018 4 commits
    • Paolo Abeni's avatar
      netfilter: on sockopt() acquire sock lock only in the required scope · 3f34cfae
      Paolo Abeni authored
      Syzbot reported several deadlocks in the netfilter area caused by
      rtnl lock and socket lock being acquired with a different order on
      different code paths, leading to backtraces like the following one:
      
      ======================================================
      WARNING: possible circular locking dependency detected
      4.15.0-rc9+ #212 Not tainted
      ------------------------------------------------------
      syzkaller041579/3682 is trying to acquire lock:
        (sk_lock-AF_INET6){+.+.}, at: [<000000008775e4dd>] lock_sock
      include/net/sock.h:1463 [inline]
        (sk_lock-AF_INET6){+.+.}, at: [<000000008775e4dd>]
      do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
      
      but task is already holding lock:
        (rtnl_mutex){+.+.}, at: [<000000004342eaa9>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (rtnl_mutex){+.+.}:
              __mutex_lock_common kernel/locking/mutex.c:756 [inline]
              __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
              mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
              rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
              register_netdevice_notifier+0xad/0x860 net/core/dev.c:1607
              tee_tg_check+0x1a0/0x280 net/netfilter/xt_TEE.c:106
              xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
              check_target net/ipv6/netfilter/ip6_tables.c:538 [inline]
              find_check_entry.isra.7+0x935/0xcf0
      net/ipv6/netfilter/ip6_tables.c:580
              translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:749
              do_replace net/ipv6/netfilter/ip6_tables.c:1165 [inline]
              do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1691
              nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
              nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
              ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
              udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
              sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
              SYSC_setsockopt net/socket.c:1849 [inline]
              SyS_setsockopt+0x189/0x360 net/socket.c:1828
              entry_SYSCALL_64_fastpath+0x29/0xa0
      
      -> #0 (sk_lock-AF_INET6){+.+.}:
              lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
              lock_sock_nested+0xc2/0x110 net/core/sock.c:2780
              lock_sock include/net/sock.h:1463 [inline]
              do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
              ipv6_setsockopt+0xd7/0x150 net/ipv6/ipv6_sockglue.c:922
              udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
              sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
              SYSC_setsockopt net/socket.c:1849 [inline]
              SyS_setsockopt+0x189/0x360 net/socket.c:1828
              entry_SYSCALL_64_fastpath+0x29/0xa0
      
      other info that might help us debug this:
      
        Possible unsafe locking scenario:
      
              CPU0                    CPU1
              ----                    ----
         lock(rtnl_mutex);
                                      lock(sk_lock-AF_INET6);
                                      lock(rtnl_mutex);
         lock(sk_lock-AF_INET6);
      
        *** DEADLOCK ***
      
      1 lock held by syzkaller041579/3682:
        #0:  (rtnl_mutex){+.+.}, at: [<000000004342eaa9>] rtnl_lock+0x17/0x20
      net/core/rtnetlink.c:74
      
      The problem, as Florian noted, is that nf_setsockopt() is always
      called with the socket held, even if the lock itself is required only
      for very tight scopes and only for some operation.
      
      This patch addresses the issues moving the lock_sock() call only
      where really needed, namely in ipv*_getorigdst(), so that nf_setsockopt()
      does not need anymore to acquire both locks.
      
      Fixes: 22265a5c ("netfilter: xt_TEE: resolve oif using netdevice notifiers")
      Reported-by: syzbot+a4c2dc980ac1af699b36@syzkaller.appspotmail.com
      Suggested-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      3f34cfae
    • Dmitry Vyukov's avatar
      netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() · 1a38956c
      Dmitry Vyukov authored
      Commit 136e92bb switched local_nodes from an array to a bitmask
      but did not add proper bounds checks. As the result
      clusterip_config_init_nodelist() can both over-read
      ipt_clusterip_tgt_info.local_nodes and over-write
      clusterip_config.local_nodes.
      
      Add bounds checks for both.
      
      Fixes: 136e92bb ("[NETFILTER] CLUSTERIP: use a bitmap to store node responsibility data")
      Signed-off-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1a38956c
    • Dmitry Vyukov's avatar
      netfilter: x_tables: fix pointer leaks to userspace · 1e98ffea
      Dmitry Vyukov authored
      Several netfilter matches and targets put kernel pointers into
      info objects, but don't set usersize in descriptors.
      This leads to kernel pointer leaks if a match/target is set
      and then read back to userspace.
      
      Properly set usersize for these matches/targets.
      
      Found with manual code inspection.
      
      Fixes: ec231890 ("xtables: extend matches and targets with .usersize")
      Signed-off-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1e98ffea
    • Jozsef Kadlecsik's avatar
      netfilter: ipset: Fix wraparound in hash:*net* types · 0b8d9073
      Jozsef Kadlecsik authored
      Fix wraparound bug which could lead to memory exhaustion when adding an
      x.x.x.x-255.255.255.255 range to any hash:*net* types.
      
      Fixes Netfilter's bugzilla id #1212, reported by Thomas Schwark.
      
      Fixes: 48596a8d ("netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      0b8d9073
  2. 25 Jan, 2018 1 commit
  3. 06 Jan, 2018 1 commit
  4. 05 Jan, 2018 2 commits
  5. 04 Jan, 2018 11 commits
    • Hauke Mehrtens's avatar
      uapi/if_ether.h: prevent redefinition of struct ethhdr · 6926e041
      Hauke Mehrtens authored
      Musl provides its own ethhdr struct definition. Add a guard to prevent
      its definition of the appropriate musl header has already been included.
      
      glibc does not implement this header, but when glibc will implement this
      they can just define __UAPI_DEF_ETHHDR 0 to make it work with the
      kernel.
      Signed-off-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6926e041
    • Wei Wang's avatar
      ipv6: fix general protection fault in fib6_add() · 7bbfe00e
      Wei Wang authored
      In fib6_add(), pn could be NULL if fib6_add_1() failed to return a fib6
      node. Checking pn != fn before accessing pn->leaf makes sure pn is not
      NULL.
      This fixes the following GPF reported by syzkaller:
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 3201 Comm: syzkaller001778 Not tainted 4.15.0-rc5+ #151
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:fib6_add+0x736/0x15a0 net/ipv6/ip6_fib.c:1244
      RSP: 0018:ffff8801c7626a70 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000000020 RCX: ffffffff84794465
      RDX: 0000000000000004 RSI: ffff8801d38935f0 RDI: 0000000000000282
      RBP: ffff8801c7626da0 R08: 1ffff10038ec4c35 R09: 0000000000000000
      R10: ffff8801c7626c68 R11: 0000000000000000 R12: 00000000fffffffe
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000009
      FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:0000000009b70840
      CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 0000000020be1000 CR3: 00000001d585a006 CR4: 00000000001606f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       __ip6_ins_rt+0x6c/0x90 net/ipv6/route.c:1006
       ip6_route_multipath_add+0xd14/0x16c0 net/ipv6/route.c:3833
       inet6_rtm_newroute+0xdc/0x160 net/ipv6/route.c:3957
       rtnetlink_rcv_msg+0x733/0x1020 net/core/rtnetlink.c:4411
       netlink_rcv_skb+0x21e/0x460 net/netlink/af_netlink.c:2408
       rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4423
       netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
       netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1301
       netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1864
       sock_sendmsg_nosec net/socket.c:636 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:646
       sock_write_iter+0x31a/0x5d0 net/socket.c:915
       call_write_iter include/linux/fs.h:1772 [inline]
       do_iter_readv_writev+0x525/0x7f0 fs/read_write.c:653
       do_iter_write+0x154/0x540 fs/read_write.c:932
       compat_writev+0x225/0x420 fs/read_write.c:1246
       do_compat_writev+0x115/0x220 fs/read_write.c:1267
       C_SYSC_writev fs/read_write.c:1278 [inline]
       compat_SyS_writev+0x26/0x30 fs/read_write.c:1274
       do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
       do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
       entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:125
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 66f5d6ce ("ipv6: replace rwlock with rcu and spinlock in fib6_table")
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7bbfe00e
    • Mohamed Ghannam's avatar
      RDS: null pointer dereference in rds_atomic_free_op · 7d11f77f
      Mohamed Ghannam authored
      set rm->atomic.op_active to 0 when rds_pin_pages() fails
      or the user supplied address is invalid,
      this prevents a NULL pointer usage in rds_atomic_free_op()
      Signed-off-by: default avatarMohamed Ghannam <simo.ghannam@gmail.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7d11f77f
    • Sergei Shtylyov's avatar
      sh_eth: fix TSU resource handling · dfe8266b
      Sergei Shtylyov authored
      When switching  the driver to the managed device API,  I managed to break
      the  case of a  dual Ether devices sharing a single TSU: the 2nd Ether port
      wouldn't probe. Iwamatsu-san has tried to fix this but his patch was buggy
      and he then dropped the ball...
      
      The solution is to  limit calling devm_request_mem_region() to the first
      of  the two  ports  sharing the same TSU, so devm_ioremap_resource() can't
      be used anymore for the TSU resource...
      
      Fixes: d5e07e69 ("sh_eth: use managed device API")
      Reported-by: default avatarNobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dfe8266b
    • Jerome Brunet's avatar
      net: stmmac: enable EEE in MII, GMII or RGMII only · 879626e3
      Jerome Brunet authored
      Note in the databook - Section 4.4 - EEE :
      " The EEE feature is not supported when the MAC is configured to use the
      TBI, RTBI, SMII, RMII or SGMII single PHY interface. Even if the MAC
      supports multiple PHY interfaces, you should activate the EEE mode only
      when the MAC is operating with GMII, MII, or RGMII interface."
      
      Applying this restriction solves a stability issue observed on Amlogic
      gxl platforms operating with RMII interface and the internal PHY.
      
      Fixes: 83bf79b6 ("stmmac: disable at run-time the EEE if not supported")
      Signed-off-by: default avatarJerome Brunet <jbrunet@baylibre.com>
      Tested-by: default avatarArnaud Patard <arnaud.patard@rtp-net.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      879626e3
    • Andrei Vagin's avatar
      rtnetlink: give a user socket to get_target_net() · f428fe4a
      Andrei Vagin authored
      This function is used from two places: rtnl_dump_ifinfo and
      rtnl_getlink. In rtnl_getlink(), we give a request skb into
      get_target_net(), but in rtnl_dump_ifinfo, we give a response skb
      into get_target_net().
      The problem here is that NETLINK_CB() isn't initialized for the response
      skb. In both cases we can get a user socket and give it instead of skb
      into get_target_net().
      
      This bug was found by syzkaller with this call-trace:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Modules linked in:
      CPU: 1 PID: 3149 Comm: syzkaller140561 Not tainted 4.15.0-rc4-mm1+ #47
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:__netlink_ns_capable+0x8b/0x120 net/netlink/af_netlink.c:868
      RSP: 0018:ffff8801c880f348 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8443f900
      RDX: 000000000000007b RSI: ffffffff86510f40 RDI: 00000000000003d8
      RBP: ffff8801c880f360 R08: 0000000000000000 R09: 1ffff10039101e4f
      R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86510f40
      R13: 000000000000000c R14: 0000000000000004 R15: 0000000000000011
      FS:  0000000001a1a880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020151000 CR3: 00000001c9511005 CR4: 00000000001606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        netlink_ns_capable+0x26/0x30 net/netlink/af_netlink.c:886
        get_target_net+0x9d/0x120 net/core/rtnetlink.c:1765
        rtnl_dump_ifinfo+0x2e5/0xee0 net/core/rtnetlink.c:1806
        netlink_dump+0x48c/0xce0 net/netlink/af_netlink.c:2222
        __netlink_dump_start+0x4f0/0x6d0 net/netlink/af_netlink.c:2319
        netlink_dump_start include/linux/netlink.h:214 [inline]
        rtnetlink_rcv_msg+0x7f0/0xb10 net/core/rtnetlink.c:4485
        netlink_rcv_skb+0x21e/0x460 net/netlink/af_netlink.c:2441
        rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4540
        netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
        netlink_unicast+0x4be/0x6a0 net/netlink/af_netlink.c:1334
        netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
      
      Cc: Jiri Benc <jbenc@redhat.com>
      Fixes: 79e1ad14 ("rtnetlink: use netnsid to query interface")
      Signed-off-by: default avatarAndrei Vagin <avagin@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f428fe4a
    • Pravin B Shelar's avatar
      fb32dd3a
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2018-01-04' of... · af8530cb
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2018-01-04' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Two fixes:
       * drop mesh frames appearing to be from ourselves
       * check another netlink attribute for existence
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af8530cb
    • Florian Fainelli's avatar
      net: dsa: b53: Turn off Broadcom tags for more switches · 54e98b5d
      Florian Fainelli authored
      Models such as BCM5395/97/98 and BCM53125/24/53115 and compatible require that
      we turn on managed mode to actually act on Broadcom tags, otherwise they just
      pass them through on ingress (host -> switch) and don't insert them in egress
      (switch -> host). Turning on managed mode is simple, but requires us to
      properly support ARL misses on multicast addresses which is a much more
      involved set of changes not suitable for a bug fix for this release.
      Reported-by: default avatarJochen Friedrich <jochen@scram.de>
      Fixes: 7edc58d6 ("net: dsa: b53: Turn on Broadcom tags")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      54e98b5d
    • Johannes Berg's avatar
      mac80211: mesh: drop frames appearing to be from us · 736a80bb
      Johannes Berg authored
      If there are multiple mesh stations with the same MAC address,
      they will both get confused and start throwing warnings.
      
      Obviously in this case nothing can actually work anyway, so just
      drop frames that look like they're from ourselves early on.
      Reported-by: default avatarGui Iribarren <gui@altermundi.net>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      736a80bb
    • Hao Chen's avatar
      nl80211: Check for the required netlink attribute presence · 3ea15452
      Hao Chen authored
      nl80211_nan_add_func() does not check if the required attribute
      NL80211_NAN_FUNC_FOLLOW_UP_DEST is present when processing
      NL80211_CMD_ADD_NAN_FUNCTION request. This request can be issued
      by users with CAP_NET_ADMIN privilege and may result in NULL dereference
      and a system crash. Add a check for the required attribute presence.
      Signed-off-by: default avatarHao Chen <flank3rsky@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3ea15452
  6. 03 Jan, 2018 20 commits
  7. 02 Jan, 2018 1 commit