1. 16 Feb, 2018 10 commits
      rxrpc: Work around usercopy check · a16b8d0c
      David Howells authored
      Due to a check recently added to copy_to_user(), it's now not permitted to
      copy from slab-held data to userspace unless the slab is whitelisted.  This
      affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
      control message in the userspace control message buffer.  A warning is
      generated by usercopy_warn() because the source is the copy of the
      user_call_ID retained in the rxrpc_call struct.
      
      Work around the issue by copying the user_call_ID to a variable on the
      stack and passing that to put_cmsg().
      
      The warning generated looks like:
      
      	Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
      	WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
      	...
      	RIP: 0010:usercopy_warn+0x7e/0xa0
      	...
      	Call Trace:
      	 __check_object_size+0x9c/0x1a0
      	 put_cmsg+0x98/0x120
      	 rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
      	 ? finish_wait+0x80/0x80
      	 ___sys_recvmsg+0xf8/0x240
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? finish_task_switch+0xa6/0x2b0
      	 ? trace_hardirqs_on_caller+0xed/0x180
      	 ? _raw_spin_unlock_irq+0x29/0x40
      	 ? __sys_recvmsg+0x4e/0x90
      	 __sys_recvmsg+0x4e/0x90
      	 do_syscall_64+0x7a/0x220
      	 entry_SYSCALL_64_after_hwframe+0x26/0x9b
      Reported-by: Jonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Kees Cook <keescook@chromium.org>
      Tested-by: Jonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tun: fix tun_napi_alloc_frags() frag allocator · 43a08e0f
      Eric Dumazet authored
      <Mark Rutland reported>
          While fuzzing arm64 v4.16-rc1 with Syzkaller, I've been hitting a
          misaligned atomic in __skb_clone:
      
              atomic_inc(&(skb_shinfo(skb)->dataref));
      
         where dataref doesn't have the required natural alignment, and the
         atomic operation faults. e.g. i often see it aligned to a single
         byte boundary rather than a four byte boundary.
      
         AFAICT, the skb_shared_info is misaligned at the instant it's
         allocated in __napi_alloc_skb()  __napi_alloc_skb()
      </end of report>
      
      Problem is caused by tun_napi_alloc_frags() using
      napi_alloc_frag() with user provided seg sizes,
      leading to other users of this API getting unaligned
      page fragments.
      
      Since we would like to not necessarily add paddings or alignments to
      the frags that tun_napi_alloc_frags() attaches to the skb, switch to
      another page frag allocator.
      
      As a bonus skb_page_frag_refill() can use GFP_KERNEL allocations,
      meaning that we can not deplete memory reserves as easily.
      
      Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: Mark Rutland <mark.rutland@arm.com>
      Tested-by: Mark Rutland <mark.rutland@arm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      udplite: fix partial checksum initialization · 15f35d49
      Alexey Kodanev authored
      Since UDP-Lite is always using checksum, the following path is
      triggered when calculating pseudo header for it:
      
        udp4_csum_init() or udp6_csum_init()
          skb_checksum_init_zero_check()
            __skb_checksum_validate_complete()
      
      The problem can appear if skb->len is less than CHECKSUM_BREAK. In
      this particular case __skb_checksum_validate_complete() also invokes
      __skb_checksum_complete(skb). If UDP-Lite is using partial checksum
      that covers only part of a packet, the function will return bad
      checksum and the packet will be dropped.
      
      It can be fixed if we skip skb_checksum_init_zero_check() and only
      set the required pseudo header checksum for UDP-Lite with partial
      checksum before udp4_csum_init()/udp6_csum_init() functions return.
      
      Fixes: ed70fcfc ("net: Call skb_checksum_init in IPv4")
      Fixes: e4f45b7f ("net: Call skb_checksum_init in IPv6")
      Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      skbuff: Fix comment mis-spelling. · da279887
      David S. Miller authored
      'peform' --> 'perform'
      Signed-off-by: David S. Miller <davem@davemloft.net>
      dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock · dfec0914
      Paolo Abeni authored
      After commit 3f34cfae ("netfilter: on sockopt() acquire sock lock
      only in the required scope"), the caller of nf_{get/set}sockopt() must
      not hold any lock, but, in such changeset, I forgot to cope with DECnet.
      
      This commit addresses the issue by moving the nf call outside the lock,
      in the dn_{get,set}sockopt() with the same schema currently used by
      ipv4 and ipv6. Also moves the unhandled sockopts to the end of the main
      switch statements, to improve code readability.
      Reported-by: Petr Vandrovec <petr@vandrovec.name>
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198791#c2
      Fixes: 3f34cfae ("netfilter: on sockopt() acquire sock lock only in the required scope")
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      PCI/cxgb4: Extend T3 PCI quirk to T4+ devices · 7dcf688d
      Casey Leedom authored
      We've run into a problem where our device is attached
      to a Virtual Machine and the use of the new pci_set_vpd_size()
      API doesn't help.  The VM kernel has been informed that
      the accesses are okay, but all of the actual VPD Capability
      Accesses are trapped down into the KVM Hypervisor where it
      goes ahead and imposes the silent denials.
      
      The right idea is to follow the kernel.org
      commit 1c7de2b4 ("PCI: Enable access to non-standard VPD for
      Chelsio devices (cxgb3)") which Alexey Kardashevskiy authored
      to establish a PCI Quirk for our T3-based adapters. This commit
      extends that PCI Quirk to cover Chelsio T4 devices and later.
      
      The advantage of this approach is that the VPD Size gets set early
      in the Base OS/Hypervisor Boot and doesn't require that the cxgb4
      driver even be available in the Base OS/Hypervisor.  Thus PF4 can
      be exported to a Virtual Machine and everything should work.
      
      Fixes: 67e65879 ("cxgb4: Set VPD size so we can read both VPD structures")
      Cc: <stable@vger.kernel.org>  # v4.9+
      Signed-off-by: Casey Leedom <leedom@chelsio.com>
      Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cxgb4: fix trailing zero in CIM LA dump · e6f02a4d
      Rahul Lakkireddy authored
      Set correct size of the CIM LA dump for T6.
      
      Fixes: 27887bc7 ("cxgb4: collect hardware LA dumps")
      Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cxgb4: free up resources of pf 0-3 · c4e43e14
      Ganesh Goudar authored
      free pf 0-3 resources, commit baf50868 ("cxgb4:
      restructure VF mgmt code") erroneously removed the
      code which frees the pf 0-3 resources, causing the
      probe of pf 0-3 to fail in case of driver reload.
      
      Fixes: baf50868 ("cxgb4: restructure VF mgmt code")
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      fib_semantics: Don't match route with mismatching tclassid · a8c6db1d
      Stefano Brivio authored
      In fib_nh_match(), if output interface or gateway are passed in
      the FIB configuration, we don't have to check next hops of
      multipath routes to conclude whether we have a match or not.
      
      However, we might still have routes with different realms
      matching the same output interface and gateway configuration,
      and this needs to cause the match to fail. Otherwise the first
      route inserted in the FIB will match, regardless of the realms:
      
       # ip route add 1.1.1.1 dev eth0 table 1234 realms 1/2
       # ip route append 1.1.1.1 dev eth0 table 1234 realms 3/4
       # ip route list table 1234
       1.1.1.1 dev eth0 scope link realms 1/2
       1.1.1.1 dev eth0 scope link realms 3/4
       # ip route del 1.1.1.1 dev ens3 table 1234 realms 3/4
       # ip route list table 1234
       1.1.1.1 dev ens3 scope link realms 3/4
      
      whereas route with realms 3/4 should have been deleted instead.
      
      Explicitly check for fc_flow passed in the FIB configuration
      (this comes from RTA_FLOW extracted by rtm_to_fib_config()) and
      fail matching if it differs from nh_tclassid.
      
      The handling of RTA_FLOW for multipath routes later in
      fib_nh_match() is still needed, as we can have multiple RTA_FLOW
      attributes that need to be matched against the tclassid of each
      next hop.
      
      v2: Check that fc_flow is set before discarding the match, so
          that the user can still select the first matching rule by
          not specifying any realm, as suggested by David Ahern.
      Reported-by: Jianlin Shi <jishi@redhat.com>
      Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      NFC: llcp: Limit size of SDP URI · fe9c8426
      Kees Cook authored
      The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
      this both in the NLA policy and in the code that performs the allocation
      and copy, to avoid writing past the end of the allocated buffer.
      
      Fixes: d9b8d8e1 ("NFC: llcp: Service Name Lookup netlink interface")
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
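As an added illustration of the bug class this commit closes (constructed example, not the kernel's llcp code): a minimal TLV with a one-byte length field, showing how an unchecked value length wraps in the u8 while the copy still uses the full length, and the bounds check that has to run before any allocation or copy. The type value 0x07 and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed TLV shape matching what the commit describes: the length
 * field is a u8, so a value can never legitimately exceed 255 bytes. */
#define TLV_HDR_LEN   2
#define TLV_MAX_VALUE 255U   /* UINT8_MAX: all a u8 length can express */

/* Failure mode, for contrast only: storing the caller's length in a u8
 * wraps it (300 -> 44, 256 -> 0). A buffer sized from the wrapped byte
 * while memcpy still copies the original length is the overflow. */
static size_t tlv_len_byte_wraps(size_t uri_len)
{
    return (uint8_t)uri_len;
}

/* Hardened builder: reject a length the u8 cannot represent and a
 * destination too small for header + value, before touching memory.
 * Returns the encoded TLV size, or -1 on rejection. */
static int build_uri_tlv(uint8_t *dst, size_t dst_len,
                         uint8_t type, const char *uri, size_t uri_len)
{
    if (uri == NULL || uri_len == 0 || uri_len > TLV_MAX_VALUE)
        return -1;                    /* policy-level check: fits in a u8 */
    if (dst == NULL || dst_len < TLV_HDR_LEN + uri_len)
        return -1;                    /* allocation/copy-level check */
    dst[0] = type;
    dst[1] = (uint8_t)uri_len;        /* safe: proven <= 255 above */
    memcpy(dst + TLV_HDR_LEN, uri, uri_len);
    return (int)(TLV_HDR_LEN + uri_len);
}

int main(void)
{
    uint8_t buf[300];
    char big[300];                    /* constructed oversized URI */
    memset(big, 'A', sizeof(big));
    printf("u8 length byte for 300-byte value: %zu\n", tlv_len_byte_wraps(300));
    printf("12-byte uri  -> %d\n",
           build_uri_tlv(buf, sizeof(buf), 0x07, "urn:nfc:sn:x", 12));
    printf("300-byte uri -> %d\n",
           build_uri_tlv(buf, sizeof(buf), 0x07, big, sizeof(big)));
    return 0;
}
```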