1. 29 Aug, 2017 10 commits
  2. 28 Aug, 2017 23 commits
    • Roopa Prabhu's avatar
      bridge: check for null fdb->dst before notifying switchdev drivers · ef9a5a62
      Roopa Prabhu authored
      current switchdev drivers dont seem to support offloading fdb
      entries pointing to the bridge device which have fdb->dst
      not set to any port. This patch adds a NULL fdb->dst check in
      the switchdev notifier code.
      
      This patch fixes the below NULL ptr dereference:
      $bridge fdb add 00:02:00:00:00:33 dev br0 self
      
      [   69.953374] BUG: unable to handle kernel NULL pointer dereference at
      0000000000000008
      [   69.954044] IP: br_switchdev_fdb_notify+0x29/0x80
      [   69.954044] PGD 66527067
      [   69.954044] P4D 66527067
      [   69.954044] PUD 7899c067
      [   69.954044] PMD 0
      [   69.954044]
      [   69.954044] Oops: 0000 [#1] SMP
      [   69.954044] Modules linked in:
      [   69.954044] CPU: 1 PID: 3074 Comm: bridge Not tainted 4.13.0-rc6+ #1
      [   69.954044] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org
      04/01/2014
      [   69.954044] task: ffff88007b827140 task.stack: ffffc90001564000
      [   69.954044] RIP: 0010:br_switchdev_fdb_notify+0x29/0x80
      [   69.954044] RSP: 0018:ffffc90001567918 EFLAGS: 00010246
      [   69.954044] RAX: 0000000000000000 RBX: ffff8800795e0880 RCX:
      00000000000000c0
      [   69.954044] RDX: ffffc90001567920 RSI: 000000000000001c RDI:
      ffff8800795d0600
      [   69.954044] RBP: ffffc90001567938 R08: ffff8800795d0600 R09:
      0000000000000000
      [   69.954044] R10: ffffc90001567a88 R11: ffff88007b849400 R12:
      ffff8800795e0880
      [   69.954044] R13: ffff8800795d0600 R14: ffffffff81ef8880 R15:
      000000000000001c
      [   69.954044] FS:  00007f93d3085700(0000) GS:ffff88007fd00000(0000)
      knlGS:0000000000000000
      [   69.954044] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   69.954044] CR2: 0000000000000008 CR3: 0000000066551000 CR4:
      00000000000006e0
      [   69.954044] Call Trace:
      [   69.954044]  fdb_notify+0x3f/0xf0
      [   69.954044]  __br_fdb_add.isra.12+0x1a7/0x370
      [   69.954044]  br_fdb_add+0x178/0x280
      [   69.954044]  rtnl_fdb_add+0x10a/0x200
      [   69.954044]  rtnetlink_rcv_msg+0x1b4/0x240
      [   69.954044]  ? skb_free_head+0x21/0x40
      [   69.954044]  ? rtnl_calcit.isra.18+0xf0/0xf0
      [   69.954044]  netlink_rcv_skb+0xed/0x120
      [   69.954044]  rtnetlink_rcv+0x15/0x20
      [   69.954044]  netlink_unicast+0x180/0x200
      [   69.954044]  netlink_sendmsg+0x291/0x370
      [   69.954044]  ___sys_sendmsg+0x180/0x2e0
      [   69.954044]  ? filemap_map_pages+0x2db/0x370
      [   69.954044]  ? do_wp_page+0x11d/0x420
      [   69.954044]  ? __handle_mm_fault+0x794/0xd80
      [   69.954044]  ? vma_link+0xcb/0xd0
      [   69.954044]  __sys_sendmsg+0x4c/0x90
      [   69.954044]  SyS_sendmsg+0x12/0x20
      [   69.954044]  do_syscall_64+0x63/0xe0
      [   69.954044]  entry_SYSCALL64_slow_path+0x25/0x25
      [   69.954044] RIP: 0033:0x7f93d2bad690
      [   69.954044] RSP: 002b:00007ffc7217a638 EFLAGS: 00000246 ORIG_RAX:
      000000000000002e
      [   69.954044] RAX: ffffffffffffffda RBX: 00007ffc72182eac RCX:
      00007f93d2bad690
      [   69.954044] RDX: 0000000000000000 RSI: 00007ffc7217a670 RDI:
      0000000000000003
      [   69.954044] RBP: 0000000059a1f7f8 R08: 0000000000000006 R09:
      000000000000000a
      [   69.954044] R10: 00007ffc7217a400 R11: 0000000000000246 R12:
      00007ffc7217a670
      [   69.954044] R13: 00007ffc72182a98 R14: 00000000006114c0 R15:
      00007ffc72182aa0
      [   69.954044] Code: 1f 00 66 66 66 66 90 55 48 89 e5 48 83 ec 20 f6 47
      20 04 74 0a 83 fe 1c 74 09 83 fe 1d 74 2c c9 66 90 c3 48 8b 47 10 48 8d
      55 e8 <48> 8b 70 08 0f b7 47 1e 48 83 c7 18 48 89 7d f0 bf 03 00 00 00
      [   69.954044] RIP: br_switchdev_fdb_notify+0x29/0x80 RSP:
      ffffc90001567918
      [   69.954044] CR2: 0000000000000008
      [   69.954044] ---[ end trace 03e9eec4a82c238b ]---
      
      Fixes: 6b26b51b ("net: bridge: Add support for notifying devices about FDB add/del")
      Signed-off-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ef9a5a62
    • Xin Long's avatar
      ipv6: set dst.obsolete when a cached route has expired · 1e2ea8ad
      Xin Long authored
      Now it doesn't check for the cached route expiration in ipv6's
      dst_ops->check(), because it trusts dst_gc that would clean the
      cached route up when it's expired.
      
      The problem is in dst_gc, it would clean the cached route only
      when it's refcount is 1. If some other module (like xfrm) keeps
      holding it and the module only release it when dst_ops->check()
      fails.
      
      But without checking for the cached route expiration, .check()
      may always return true. Meanwhile, without releasing the cached
      route, dst_gc couldn't del it. It will cause this cached route
      never to expire.
      
      This patch is to set dst.obsolete with DST_OBSOLETE_KILL in .gc
      when it's expired, and check obsolete != DST_OBSOLETE_FORCE_CHK
      in .check.
      
      Note that this is even needed when ipv6 dst_gc timer is removed
      one day. It would set dst.obsolete in .redirect and .update_pmtu
      instead, and check for cached route expiration when getting it,
      just like what ipv4 route does.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e2ea8ad
    • Wei Wang's avatar
      ipv6: fix sparse warning on rt6i_node · 4e587ea7
      Wei Wang authored
      Commit c5cff856 adds rcu grace period before freeing fib6_node. This
      generates a new sparse warning on rt->rt6i_node related code:
        net/ipv6/route.c:1394:30: error: incompatible types in comparison
        expression (different address spaces)
        ./include/net/ip6_fib.h:187:14: error: incompatible types in comparison
        expression (different address spaces)
      
      This commit adds "__rcu" tag for rt6i_node and makes sure corresponding
      rcu API is used for it.
      After this fix, sparse no longer generates the above warning.
      
      Fixes: c5cff856 ("ipv6: add rcu grace period before freeing fib6_node")
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4e587ea7
    • Stefano Brivio's avatar
      cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() · 0f308686
      Stefano Brivio authored
      Passing commands for logging to t4_record_mbox() with size
      MBOX_LEN, when the actual command size is actually smaller,
      causes out-of-bounds stack accesses in t4_record_mbox() while
      copying command words here:
      
      	for (i = 0; i < size / 8; i++)
      		entry->cmd[i] = be64_to_cpu(cmd[i]);
      
      Up to 48 bytes from the stack are then leaked to debugfs.
      
      This happens whenever we send (and log) commands described by
      structs fw_sched_cmd (32 bytes leaked), fw_vi_rxmode_cmd (48),
      fw_hello_cmd (48), fw_bye_cmd (48), fw_initialize_cmd (48),
      fw_reset_cmd (48), fw_pfvf_cmd (32), fw_eq_eth_cmd (16),
      fw_eq_ctrl_cmd (32), fw_eq_ofld_cmd (32), fw_acl_mac_cmd(16),
      fw_rss_glb_config_cmd(32), fw_rss_vi_config_cmd(32),
      fw_devlog_cmd(32), fw_vi_enable_cmd(48), fw_port_cmd(32),
      fw_sched_cmd(32), fw_devlog_cmd(32).
      
      The cxgb4vf driver got this right instead.
      
      When we call t4_record_mbox() to log a command reply, a MBOX_LEN
      size can be used though, as get_mbox_rpl() will fill cmd_rpl up
      completely.
      
      Fixes: 7f080c3f ("cxgb4: Add support to enable logging of firmware mailbox commands")
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0f308686
    • Maxime Ripard's avatar
      net: stmmac: sun8i: Remove the compatibles · ad4540cc
      Maxime Ripard authored
      Since the bindings have been controversial, and we follow the DT stable ABI
      rule, we shouldn't let a driver with a DT binding that might change slip
      through in a stable release.
      
      Remove the compatibles to make sure the driver will not probe and no-one
      will start using the binding currently implemented. This commit will
      obviously need to be reverted in due time.
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad4540cc
    • David S. Miller's avatar
      Merge branch 'nfp-flow-dissector-layer' · c73c8a8e
      David S. Miller authored
      Pieter Jansen van Vuuren says:
      
      ====================
      nfp: fix layer calculation and flow dissector use
      
      Previously when calculating the supported key layers MPLS, IPv4/6
      TTL and TOS were not considered. Formerly flow dissectors were referenced
      without first checking that they are in use and correctly populated by TC.
      Additionally this patch set fixes the incorrect use of mask field for vlan
      matching.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c73c8a8e
    • Pieter Jansen van Vuuren's avatar
      nfp: remove incorrect mask check for vlan matching · 6afd33e4
      Pieter Jansen van Vuuren authored
      Previously the vlan tci field was incorrectly exact matched. This patch
      fixes this by using the flow dissector to populate the vlan tci field.
      
      Fixes: 5571e8c9 ("nfp: extend flower matching capabilities")
      Signed-off-by: default avatarPieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6afd33e4
    • Pieter Jansen van Vuuren's avatar
      nfp: fix supported key layers calculation · 74af5975
      Pieter Jansen van Vuuren authored
      Previously when calculating the supported key layers MPLS, IPv4/6
      TTL and TOS were not considered. This patch checks that the TTL and
      TOS fields are masked out before offloading. Additionally this patch
      checks that MPLS packets are correctly handled, by not offloading them.
      
      Fixes: af9d842c ("nfp: extend flower add flow offload")
      Signed-off-by: default avatarPieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      74af5975
    • Pieter Jansen van Vuuren's avatar
      nfp: fix unchecked flow dissector use · a7cd39e0
      Pieter Jansen van Vuuren authored
      Previously flow dissectors were referenced without first checking that
      they are in use and correctly populated by TC. This patch fixes this by
      checking each flow dissector key before referencing them.
      
      Fixes: 5571e8c9 ("nfp: extend flower matching capabilities")
      Signed-off-by: default avatarPieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7cd39e0
    • David S. Miller's avatar
      Merge branch 'l2tp-tunnel-refs' · 77146b5d
      David S. Miller authored
      Guillaume Nault says:
      
      ====================
      l2tp: fix some l2tp_tunnel_find() issues in l2tp_netlink
      
      Since l2tp_tunnel_find() doesn't take a reference on the tunnel it
      returns, its users are almost guaranteed to be racy.
      
      This series defines l2tp_tunnel_get() which can be used as a safe
      replacement, and converts some of l2tp_tunnel_find() users in the
      l2tp_netlink module.
      
      Other users often combine this issue with other more or less subtle
      races. They will be fixed incrementally in followup series.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      77146b5d
    • Guillaume Nault's avatar
      l2tp: hold tunnel used while creating sessions with netlink · e702c120
      Guillaume Nault authored
      Use l2tp_tunnel_get() to retrieve tunnel, so that it can't go away on
      us. Otherwise l2tp_tunnel_destruct() might release the last reference
      count concurrently, thus freeing the tunnel while we're using it.
      
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e702c120
    • Guillaume Nault's avatar
      l2tp: hold tunnel while handling genl TUNNEL_GET commands · 4e4b21da
      Guillaume Nault authored
      Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
      a reference on the tunnel, preventing l2tp_tunnel_destruct() from
      freeing it from under us.
      
      Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
      the reference when needed.
      
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4e4b21da
    • Guillaume Nault's avatar
      l2tp: hold tunnel while handling genl tunnel updates · 8c0e4215
      Guillaume Nault authored
      We need to make sure the tunnel is not going to be destroyed by
      l2tp_tunnel_destruct() concurrently.
      
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c0e4215
    • Guillaume Nault's avatar
      l2tp: hold tunnel while processing genl delete command · bb0a32ce
      Guillaume Nault authored
      l2tp_nl_cmd_tunnel_delete() needs to take a reference on the tunnel, to
      prevent it from being concurrently freed by l2tp_tunnel_destruct().
      
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb0a32ce
    • Guillaume Nault's avatar
      l2tp: hold tunnel while looking up sessions in l2tp_netlink · 54652eb1
      Guillaume Nault authored
      l2tp_tunnel_find() doesn't take a reference on the returned tunnel.
      Therefore, it's unsafe to use it because the returned tunnel can go
      away on us anytime.
      
      Fix this by defining l2tp_tunnel_get(), which works like
      l2tp_tunnel_find(), but takes a reference on the returned tunnel.
      Caller then has to drop this reference using l2tp_tunnel_dec_refcount().
      
      As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's
      simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code
      has been broken (not even compiling) in May 2012 by
      commit a4ca44fa ("net: l2tp: Standardize logging styles")
      and fixed more than two years later by
      commit 29abe2fd ("l2tp: fix missing line continuation"). So it
      doesn't appear to be used by anyone.
      
      Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h,
      let's just simplify things and call kfree_rcu() directly in
      l2tp_tunnel_dec_refcount(). Extra assertions and debugging code
      provided by l2tp_tunnel_free() didn't help catching any of the
      reference counting and socket handling issues found while working on
      this series.
      
      Fixes: 309795f4 ("l2tp: Add netlink control API for L2TP")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      54652eb1
    • Guillaume Nault's avatar
      l2tp: initialise session's refcount before making it reachable · 9ee369a4
      Guillaume Nault authored
      Sessions must be fully initialised before calling
      l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame
      where partially initialised sessions can be accessed by external users.
      
      Fixes: dbdbc73b ("l2tp: fix duplicate session creation")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9ee369a4
    • Antoine Tenart's avatar
      net: mvpp2: fix the mac address used when using PPv2.2 · 4c228682
      Antoine Tenart authored
      The mac address is only retrieved from h/w when using PPv2.1. Otherwise
      the variable holding it is still checked and used if it contains a valid
      value. As the variable isn't initialized to an invalid mac address
      value, we end up with random mac addresses which can be the same for all
      the ports handled by this PPv2 driver.
      
      Fixes this by initializing the h/w mac address variable to {0}, which is
      an invalid mac address value. This way the random assignation fallback
      is called and all ports end up with their own addresses.
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@free-electrons.com>
      Fixes: 26975821 ("net: mvpp2: handle misc PPv2.1/PPv2.2 differences")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4c228682
    • Aleksander Morgado's avatar
      cdc_ncm: flag the u-blox TOBY-L4 as wwan · 3b638f0f
      Aleksander Morgado authored
      The u-blox TOBY-L4 is a LTE Advanced (Cat 6) module with HSPA+ and 2G
      fallback.
      
      Unlike the TOBY-L2, this module has one single USB layout and exposes
      several TTYs for control and a NCM interface for data. Connecting this
      module may be done just by activating the desired PDP context with
      'AT+CGACT=1,<cid>' and then running DHCP on the NCM interface.
      Signed-off-by: default avatarAleksander Morgado <aleksander@aleksander.es>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b638f0f
    • Jesper Dangaard Brouer's avatar
      net: missing call of trace_napi_poll in busy_poll_stop · 1e22391e
      Jesper Dangaard Brouer authored
      Noticed that busy_poll_stop() also invoke the drivers napi->poll()
      function pointer, but didn't have an associated call to trace_napi_poll()
      like all other call sites.
      Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e22391e
    • Mathias Krause's avatar
      xfrm_user: fix info leak in build_aevent() · 931e79d7
      Mathias Krause authored
      The memory reserved to dump the ID of the xfrm state includes a padding
      byte in struct xfrm_usersa_id added by the compiler for alignment. To
      prevent the heap info leak, memset(0) the sa_id before filling it.
      
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Fixes: d51d081d ("[IPSEC]: Sync series - user")
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      931e79d7
    • Mathias Krause's avatar
      xfrm_user: fix info leak in build_expire() · e3e5fc16
      Mathias Krause authored
      The memory reserved to dump the expired xfrm state includes padding
      bytes in struct xfrm_user_expire added by the compiler for alignment. To
      prevent the heap info leak, memset(0) the remainder of the struct.
      Initializing the whole structure isn't needed as copy_to_user_state()
      already takes care of clearing the padding bytes within the 'state'
      member.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      e3e5fc16
    • Mathias Krause's avatar
      xfrm_user: fix info leak in xfrm_notify_sa() · 50329c8a
      Mathias Krause authored
      The memory reserved to dump the ID of the xfrm state includes a padding
      byte in struct xfrm_usersa_id added by the compiler for alignment. To
      prevent the heap info leak, memset(0) the whole struct before filling
      it.
      
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Fixes: 0603eac0 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification")
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      50329c8a
    • Mathias Krause's avatar
      xfrm_user: fix info leak in copy_user_offload() · 5fe0d4bd
      Mathias Krause authored
      The memory reserved to dump the xfrm offload state includes padding
      bytes of struct xfrm_user_offload added by the compiler for alignment.
      Add an explicit memset(0) before filling the buffer to avoid the heap
      info leak.
      
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Fixes: d77e38e6 ("xfrm: Add an IPsec hardware offloading API")
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      5fe0d4bd
  3. 26 Aug, 2017 7 commits