1. 04 Oct, 2017 1 commit
    • Peng Xu's avatar
      nl80211: Define policy for packet pattern attributes · ad670233
      Peng Xu authored
      Define a policy for packet pattern attributes in order to fix a
      potential read over the end of the buffer during nla_get_u32()
      of the NL80211_PKTPAT_OFFSET attribute.
      
      Note that the data there can always be read due to SKB allocation
      (with alignment and struct skb_shared_info at the end), but the
      data might be uninitialized. This could be used to leak some data
      from uninitialized vmalloc() memory, but most drivers don't allow
      an offset (so you'd just get -EINVAL if the data is non-zero) or
      just allow it with a fixed value - 100 or 128 bytes, so anything
      above that would get -EINVAL. With brcmfmac the limit is 1500 so
      (at least) one byte could be obtained.
      
      Cc: stable@kernel.org
      Signed-off-by: default avatarPeng Xu <pxu@qti.qualcomm.com>
      Signed-off-by: default avatarJouni Malinen <jouni@qca.qualcomm.com>
      [rewrite description based on SKB allocation knowledge]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      ad670233
  2. 02 Oct, 2017 6 commits
  3. 01 Oct, 2017 8 commits
    • Parthasarathy Bhuvaragan's avatar
      tipc: use only positive error codes in messages · aad06212
      Parthasarathy Bhuvaragan authored
      In commit e3a77561 ("tipc: split up function tipc_msg_eval()"),
      we have updated the function tipc_msg_lookup_dest() to set the error
      codes to negative values at destination lookup failures. Thus when
      the function sets the error code to -TIPC_ERR_NO_NAME, its inserted
      into the 4 bit error field of the message header as 0xf instead of
      TIPC_ERR_NO_NAME (1). The value 0xf is an unknown error code.
      
      In this commit, we set only positive error code.
      
      Fixes: e3a77561 ("tipc: split up function tipc_msg_eval()")
      Signed-off-by: default avatarParthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aad06212
    • Guillaume Nault's avatar
      ppp: fix __percpu annotation · 5a59a3a0
      Guillaume Nault authored
      Move sparse annotation right after pointer type.
      
      Fixes sparse warning:
          drivers/net/ppp/ppp_generic.c:1422:13: warning: incorrect type in initializer (different address spaces)
          drivers/net/ppp/ppp_generic.c:1422:13:    expected void const [noderef] <asn:3>*__vpp_verify
          drivers/net/ppp/ppp_generic.c:1422:13:    got int *<noident>
          ...
      
      Fixes: e5dadc65 ("ppp: Fix false xmit recursion detect with two ppp devices")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5a59a3a0
    • David S. Miller's avatar
      Merge branch 'udp-fix-early-demux-for-mcast-packets' · 230583c1
      David S. Miller authored
      Paolo Abeni says:
      
      ====================
      udp: fix early demux for mcast packets
      
      Currently the early demux callbacks do not perform source address validation.
      This is not an issue for TCP or UDP unicast, where the early demux
      is only allowed for connected sockets and the source address is validated
      for the first packet and never change.
      
      The UDP protocol currently allows early demux also for unconnected multicast
      sockets, and we are not currently doing any validation for them, after that
      the first packet lands on the socket: beyond ignoring the rp_filter - if
      enabled - any kind of martian sources are also allowed.
      
      This series addresses the issue allowing the early demux callback to return an
      error code, and performing the proper checks for unconnected UDP multicast
      sockets before leveraging the rx dst cache.
      
      Alternatively we could disable the early demux for unconnected mcast sockets,
      but that would cause relevant performance regression - around 50% - while with
      this series, with full rp_filter in place, we keep the regression to a more
      moderate level.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      230583c1
    • Paolo Abeni's avatar
      udp: perform source validation for mcast early demux · bc044e8d
      Paolo Abeni authored
      The UDP early demux can leverate the rx dst cache even for
      multicast unconnected sockets.
      
      In such scenario the ipv4 source address is validated only on
      the first packet in the given flow. After that, when we fetch
      the dst entry  from the socket rx cache, we stop enforcing
      the rp_filter and we even start accepting any kind of martian
      addresses.
      
      Disabling the dst cache for unconnected multicast socket will
      cause large performace regression, nearly reducing by half the
      max ingress tput.
      
      Instead we factor out a route helper to completely validate an
      skb source address for multicast packets and we call it from
      the UDP early demux for mcast packets landing on unconnected
      sockets, after successful fetching the related cached dst entry.
      
      This still gives a measurable, but limited performance
      regression:
      
      		rp_filter = 0		rp_filter = 1
      edmux disabled:	1182 Kpps		1127 Kpps
      edmux before:	2238 Kpps		2238 Kpps
      edmux after:	2037 Kpps		2019 Kpps
      
      The above figures are on top of current net tree.
      Applying the net-next commit 6e617de8 ("net: avoid a full
      fib lookup when rp_filter is disabled.") the delta with
      rp_filter == 0 will decrease even more.
      
      Fixes: 421b3885 ("udp: ipv4: Add udp early demux")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc044e8d
    • Paolo Abeni's avatar
      IPv4: early demux can return an error code · 7487449c
      Paolo Abeni authored
      Currently no error is emitted, but this infrastructure will
      used by the next patch to allow source address validation
      for mcast sockets.
      Since early demux can do a route lookup and an ipv4 route
      lookup can return an error code this is consistent with the
      current ipv4 route infrastructure.
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7487449c
    • Xin Long's avatar
      ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path · d41bb33b
      Xin Long authored
      Now when updating mtu in tx path, it doesn't consider ARPHRD_ETHER tunnel
      device, like ip6gre_tap tunnel, for which it should also subtract ether
      header to get the correct mtu.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d41bb33b
    • Xin Long's avatar
      ip6_gre: ip6gre_tap device should keep dst · 2d40557c
      Xin Long authored
      The patch 'ip_gre: ipgre_tap device should keep dst' fixed
      a issue that ipgre_tap mtu couldn't be updated in tx path.
      
      The same fix is needed for ip6gre_tap as well.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d40557c
    • Xin Long's avatar
      ip_gre: ipgre_tap device should keep dst · d51711c0
      Xin Long authored
      Without keeping dst, the tunnel will not update any mtu/pmtu info,
      since it does not have a dst on the skb.
      
      Reproducer:
        client(ipgre_tap1 - eth1) <-----> (eth1 - ipgre_tap1)server
      
      After reducing eth1's mtu on client, then perforamnce became 0.
      
      This patch is to netif_keep_dst in gre_tap_init, as ipgre does.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d51711c0
  4. 30 Sep, 2017 1 commit
    • Jason A. Donenfeld's avatar
      netlink: do not proceed if dump's start() errs · fef0035c
      Jason A. Donenfeld authored
      Drivers that use the start method for netlink dumping rely on dumpit not
      being called if start fails. For example, ila_xlat.c allocates memory
      and assigns it to cb->args[0] in its start() function. It might fail to
      do that and return -ENOMEM instead. However, even when returning an
      error, dumpit will be called, which, in the example above, quickly
      dereferences the memory in cb->args[0], which will OOPS the kernel. This
      is but one example of how this goes wrong.
      
      Since start() has always been a function with an int return type, it
      therefore makes sense to use it properly, rather than ignoring it. This
      patch thus returns early and does not call dumpit() when start() fails.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Reviewed-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fef0035c
  5. 29 Sep, 2017 1 commit
  6. 28 Sep, 2017 23 commits