1. 17 Sep, 2016 3 commits
    •
      net: avoid sk_forward_alloc overflows · 20c64d5c
      Eric Dumazet authored
      A malicious TCP receiver, sending SACK, can force the sender to split
      skbs in write queue and increase its memory usage.
      
      Then, when the socket is closed and its write queue purged, we might
      overflow sk_forward_alloc (it becomes negative).
      
      sk_mem_reclaim() does nothing in this case, and more than 2GB
      are leaked from TCP perspective (tcp_memory_allocated is not changed)
      
      Then warnings trigger from inet_sock_destruct() and
      sk_stream_kill_queues() seeing a non-zero sk_forward_alloc.
      
      The whole TCP stack can be stuck because TCP is under memory pressure.
      
      A simple fix is to preemptively reclaim from sk_mem_uncharge().
      
      This makes sure a socket won't have more than 2 MB forward allocated,
      after burst and idle period.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      tcp: fix overflow in __tcp_retransmit_skb() · ffb4d6c8
      Eric Dumazet authored
      If a TCP socket gets a large write queue, an overflow can happen
      in a test in __tcp_retransmit_skb() preventing all retransmits.
      
      The flow then stalls and resets after timeouts.
      
      Tested:
      
      sysctl -w net.core.wmem_max=1000000000
      netperf -H dest -- -s 1000000000
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      xen-netback: fix error handling on netback_probe() · cce94483
      Filipe Manco authored
      In case of error during netback_probe() (e.g. an entry missing on the
      xenstore) netback_remove() is called on the new device, which will set
      the device backend state to XenbusStateClosed by calling
      set_backend_state(). However, the backend state wasn't initialized by
      netback_probe() at this point, which will cause an invalid transition
      and set_backend_state() to BUG().
      
      Initialize the backend state at the beginning of netback_probe() to
      XenbusStateInitialising, and create two new valid state transitions on
      set_backend_state(), from XenbusStateInitialising to XenbusStateClosed,
      and from XenbusStateInitialising to XenbusStateInitWait.
      Signed-off-by: Filipe Manco <filipe.manco@neclab.eu>
      Acked-by: Wei Liu <wei.liu2@citrix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 16 Sep, 2016 16 commits
  3. 13 Sep, 2016 6 commits
    •
      nl80211: validate number of probe response CSA counters · ad5987b4
      Johannes Berg authored
      Due to an apparent copy/paste bug, the number of counters for the
      beacon configuration was checked twice, instead of checking the
      number of probe response counters. Fix this to check the number of
      probe response counters before parsing those.
      
      Cc: stable@vger.kernel.org
      Fixes: 9a774c78 ("cfg80211: Support multiple CSA counters")
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    •
      drivers: net: phy: xgene: Fix 'remove' function · 440f895a
      Christophe Jaillet authored
      If 'IS_ERR(pdata->clk)' is true, then 'clk_disable_unprepare(pdata->clk)'
      will do nothing.
      
      It is likely that 'if (!IS_ERR(pdata->clk))' was expected here.
      In fact, the test can even be removed because 'clk_disable_unprepare'
      already handles such cases.
      Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      sctp: hold the transport before using it in sctp_hash_cmp · 715f5552
      Xin Long authored
      Since commit 4f008781 ("sctp: apply rhashtable api to send/recv
      path"), sctp uses transport rhashtable with .obj_cmpfn sctp_hash_cmp,
      in which it compares the members of the transport with the rhashtable
      args to check if it's the right transport.
      
      But sctp uses the transport without holding it in sctp_hash_cmp, which
      can cause a use-after-free panic. After it gets the transport from the
      hashtable, another CPU may close the sk and free the asoc. In
      sctp_association_free, it frees all the transports; meanwhile, the
      assoc's refcnt may be reduced to 0, and the assoc can be destroyed by
      sctp_association_destroy.
      
      So after that, transport->assoc is actually an unavailable memory address
      in sctp_hash_cmp. Although sctp_hash_cmp is under rcu_read_lock, it still
      can not avoid this, as assoc is not freed by RCU.
      
      This patch is to hold the transport before checking its members with
      sctp_transport_hold, in which it checks the refcnt first and holds it if
      it's not 0.
      
      Fixes: 4f008781 ("sctp: apply rhashtable api to send/recv path")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      bnx2: Reset device during driver initialization · 3e1be7ad
      Baoquan He authored
      When the system enters the kdump kernel because of a kernel panic, it won't
      shut down devices. In-flight DMA will continue transferring data until the
      device driver initializes. All devices are supposed to reset during
      driver initialization. And this property is used to fix the kdump
      failure in system with intel iommu. Other systems with hardware iommu
      should be similar. Please check commit 091d42e4 ("iommu/vt-d: Copy
      translation tables from old kernel") and those commits around.
      
      But bnx2 driver doesn't reset device during driver initialization. The
      device resetting is deferred to net device up stage. This will cause
      hardware iommu handling failure on bnx2 device. And its resetting relies
      on firmware. So in this patch move the firmware requesting code to earlier
      bnx2_init_one(), then next call bnx2_reset_chip to reset device.
      Signed-off-by: Baoquan He <bhe@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 67b9f0b7
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Endianness fix for the new nf_tables netlink trace infrastructure,
         NFTA_TRACE_POLICY endianness was not correct, patch from Liping Zhang.
      
      2) Fix broken re-route after userspace queueing in nf_tables route
         chain. This patch is large but it is simple since it is just getting
         this code in sync with iptable_mangle. Also from Liping.
      
      3) NAT mangling via ctnetlink lies to userspace when nf_nat_setup_info()
         fails to setup the NAT conntrack extension. This problem has been
         there since the beginning, but it can now show up after rhashtable
         conversion.
      
      4) Fix possible NULL pointer dereference due to failures in allocating
         the synproxy and seqadj conntrack extensions, from Gao feng.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions · 4440a2ab
      Gao Feng authored
      When memory is exhausted, nfct_seqadj_ext_add may fail to add the
      synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't
      check whether it got a valid seqadj pointer from nfct_seqadj.
      
      Now drop the packet directly when adding the seqadj extension fails, to
      avoid dereferencing a NULL pointer in nf_ct_seqadj_init from
      init_conntrack().
      Signed-off-by: Gao Feng <fgao@ikuai8.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  4. 12 Sep, 2016 11 commits
  5. 11 Sep, 2016 4 commits