1. 07 Mar, 2020 1 commit
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 357ddbb9
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Patches to bump position index from sysctl seq_next,
         from Vasilin Averin.
      
      2) Release flowtable hook from error path, from Florian Westphal.
      
      3) Patches to add missing netlink attribute validation,
         from Jakub Kicinski.
      
      4) Missing NFTA_CHAIN_FLAGS in nf_tables_fill_chain_info().
      
      5) Infinite loop in module autoload if extension is not available,
         from Florian Westphal.
      
      6) Missing module ownership in inet/nat chain type definition.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      357ddbb9
  2. 06 Mar, 2020 4 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nft_chain_nat: inet family is missing module ownership · 6a42cefb
      Pablo Neira Ayuso authored
      Set owner to THIS_MODULE, otherwise the nft_chain_nat module might be
      removed while there are still inet/nat chains in place.
      
      [  117.942096] BUG: unable to handle page fault for address: ffffffffa0d5e040
      [  117.942101] #PF: supervisor read access in kernel mode
      [  117.942103] #PF: error_code(0x0000) - not-present page
      [  117.942106] PGD 200c067 P4D 200c067 PUD 200d063 PMD 3dc909067 PTE 0
      [  117.942113] Oops: 0000 [#1] PREEMPT SMP PTI
      [  117.942118] CPU: 3 PID: 27 Comm: kworker/3:0 Not tainted 5.6.0-rc3+ #348
      [  117.942133] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
      [  117.942145] RIP: 0010:nf_tables_chain_destroy.isra.0+0x94/0x15a [nf_tables]
      [  117.942149] Code: f6 45 54 01 0f 84 d1 00 00 00 80 3b 05 74 44 48 8b 75 e8 48 c7 c7 72 be de a0 e8 56 e6 2d e0 48 8b 45 e8 48 c7 c7 7f be de a0 <48> 8b 30 e8 43 e6 2d e0 48 8b 45 e8 48 8b 40 10 48 85 c0 74 5b 8b
      [  117.942152] RSP: 0018:ffffc9000015be10 EFLAGS: 00010292
      [  117.942155] RAX: ffffffffa0d5e040 RBX: ffff88840be87fc2 RCX: 0000000000000007
      [  117.942158] RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffffffffa0debe7f
      [  117.942160] RBP: ffff888403b54b50 R08: 0000000000001482 R09: 0000000000000004
      [  117.942162] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8883eda7e540
      [  117.942164] R13: dead000000000122 R14: dead000000000100 R15: ffff888403b3db80
      [  117.942167] FS:  0000000000000000(0000) GS:ffff88840e4c0000(0000) knlGS:0000000000000000
      [  117.942169] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  117.942172] CR2: ffffffffa0d5e040 CR3: 00000003e4c52002 CR4: 00000000001606e0
      [  117.942174] Call Trace:
      [  117.942188]  nf_tables_trans_destroy_work.cold+0xd/0x12 [nf_tables]
      [  117.942196]  process_one_work+0x1d6/0x3b0
      [  117.942200]  worker_thread+0x45/0x3c0
      [  117.942203]  ? process_one_work+0x3b0/0x3b0
      [  117.942210]  kthread+0x112/0x130
      [  117.942214]  ? kthread_create_worker_on_cpu+0x40/0x40
      [  117.942221]  ret_from_fork+0x35/0x40
      
      nf_tables_chain_destroy() crashes on module_put() because the module is
      gone.
      
      Fixes: d164385e ("netfilter: nat: add inet family nat support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      6a42cefb
    • Paolo Abeni's avatar
      mptcp: always include dack if possible. · 2398e399
      Paolo Abeni authored
      Currently passive MPTCP socket can skip including the DACK
      option - if the peer sends data before accept() completes.
      
      The above happens because the msk 'can_ack' flag is set
      only after the accept() call.
      
      Such missing DACK option may cause - as per RFC spec -
      unwanted fallback to TCP.
      
      This change addresses the issue using the key material
      available in the current subflow, if any, to create a suitable
      dack option when msk ack seq is not yet available.
      
      v1 -> v2:
       - adavance the generated ack after the initial MPC packet
      
      Fixes: d22f4988 ("mptcp: process MP_CAPABLE data option")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2398e399
    • Dan Carpenter's avatar
      net: nfc: fix bounds checking bugs on "pipe" · a3aefbfe
      Dan Carpenter authored
      This is similar to commit 674d9de0 ("NFC: Fix possible memory
      corruption when handling SHDLC I-Frame commands") and commit d7ee81ad
      ("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
      added range checks on "pipe".
      
      The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
      It's in the 0-255 range.  We're using it as the array index into the
      hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
      
      Fixes: 118278f2 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a3aefbfe
    • Jiang Lidong's avatar
      veth: ignore peer tx_dropped when counting local rx_dropped · e25d5dbc
      Jiang Lidong authored
      When local NET_RX backlog is full due to traffic overrun,
      peer veth tx_dropped counter increases. At that time, list
      local veth stats, rx_dropped has double value of peer
      tx_dropped, even bigger than transmit packets by peer.
      
      In NET_RX softirq process, if any packet drop case happens,
      it increases dev's rx_dropped counter and returns NET_RX_DROP.
      
      At veth tx side, it records any error returned from peer netif_rx
      into local dev tx_dropped counter.
      
      In veth get stats process, it puts local dev rx_dropped and
      peer dev tx_dropped into together as local rx_drpped value.
      So that it shows double value of real dropped packets number in
      this case.
      
      This patch ignores peer tx_dropped when counting local rx_dropped,
      since peer tx_dropped is duplicated to local rx_dropped at most cases.
      Signed-off-by: default avatarJiang Lidong <jianglidong3@jd.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e25d5dbc
  3. 05 Mar, 2020 6 commits
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2020-03-05' of... · 2f63f2d5
      David S. Miller authored
      Merge tag 'wireless-drivers-2020-03-05' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.6
      
      Second set of fixes for v5.6. Only two small fixes this time.
      
      iwlwifi
      
      * fix another initialisation regression with 3168 devices
      
      mt76
      
      * fix memory corruption with too many rx fragments
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f63f2d5
    • Tom Zhao's avatar
      sfc: complete the next packet when we receive a timestamp · 3b4f06c7
      Tom Zhao authored
      We now ignore the "completion" event when using tx queue timestamping,
      and only pay attention to the two (high and low) timestamp events. The
      NIC will send a pair of timestamp events for every packet transmitted.
      The current firmware may merge the completion events, and it is possible
      that future versions may reorder the completion and timestamp events.
      As such the completion event is not useful.
      
      Without this patch in place a merged completion event on a queue with
      timestamping will cause a "spurious TX completion" error. This affects
      SFN8000-series adapters.
      Signed-off-by: default avatarTom Zhao <tzhao@solarflare.com>
      Acked-by: default avatarMartin Habets <mhabets@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b4f06c7
    • Jian Shen's avatar
      net: hns3: fix a not link up issue when fibre port supports autoneg · 68e1006f
      Jian Shen authored
      When fibre port supports auto-negotiation, the IMP(Intelligent
      Management Process) processes the speed of auto-negotiation
      and the  user's speed separately.
      For below case, the port will get a not link up problem.
      step 1: disables auto-negotiation and sets speed to A, then
      the driver's MAC speed will be updated to A.
      step 2: enables auto-negotiation and MAC gets negotiated
      speed B, then the driver's MAC speed will be updated to B
      through querying in periodical task.
      step 3: MAC gets new negotiated speed A.
      step 4: disables auto-negotiation and sets speed to B before
      periodical task query new MAC speed A, the driver will  ignore
      the speed configuration.
      
      This patch fixes it by skipping speed and duplex checking when
      fibre port supports auto-negotiation.
      
      Fixes: 22f48e24 ("net: hns3: add autoneg and change speed support for fibre port")
      Signed-off-by: default avatarJian Shen <shenjian15@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      68e1006f
    • Eric Dumazet's avatar
      slip: make slhc_compress() more robust against malicious packets · 110a40df
      Eric Dumazet authored
      Before accessing various fields in IPV4 network header
      and TCP header, make sure the packet :
      
      - Has IP version 4 (ip->version == 4)
      - Has not a silly network length (ip->ihl >= 5)
      - Is big enough to hold network and transport headers
      - Has not a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4)
      
      syzbot reported :
      
      BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
      CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
       ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline]
       __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495
       ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516
       ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512
       do_loop_readv_writev fs/read_write.c:717 [inline]
       do_iter_write+0x812/0xdc0 fs/read_write.c:1000
       compat_writev+0x2df/0x5a0 fs/read_write.c:1351
       do_compat_pwritev64 fs/read_write.c:1400 [inline]
       __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
       __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
       __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7f7cd99
      Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
      RSP: 002b:00000000ffdb84ac EFLAGS: 00000217 ORIG_RAX: 000000000000014e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
      RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 0000000040047459 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2793 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
       __kmalloc_reserve net/core/skbuff.c:142 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
       alloc_skb include/linux/skbuff.h:1051 [inline]
       ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500
       do_loop_readv_writev fs/read_write.c:717 [inline]
       do_iter_write+0x812/0xdc0 fs/read_write.c:1000
       compat_writev+0x2df/0x5a0 fs/read_write.c:1351
       do_compat_pwritev64 fs/read_write.c:1400 [inline]
       __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
       __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
       __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      
      Fixes: b5451d78 ("slip: Move the SLIP drivers")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      110a40df
    • Florian Westphal's avatar
      netfilter: nf_tables: fix infinite loop when expr is not available · 1d305ba4
      Florian Westphal authored
      nft will loop forever if the kernel doesn't support an expression:
      
      1. nft_expr_type_get() appends the family specific name to the module list.
      2. -EAGAIN is returned to nfnetlink, nfnetlink calls abort path.
      3. abort path sets ->done to true and calls request_module for the
         expression.
      4. nfnetlink replays the batch, we end up in nft_expr_type_get() again.
      5. nft_expr_type_get attempts to append family-specific name. This
         one already exists on the list, so we continue
      6. nft_expr_type_get adds the generic expression name to the module
         list. -EAGAIN is returned, nfnetlink calls abort path.
      7. abort path encounters the family-specific expression which
         has 'done' set, so it gets removed.
      8. abort path requests the generic expression name, sets done to true.
      9. batch is replayed.
      
      If the expression could not be loaded, then we will end up back at 1),
      because the family-specific name got removed and the cycle starts again.
      
      Note that userspace can SIGKILL the nft process to stop the cycle, but
      the desired behaviour is to return an error after the generic expr name
      fails to load the expression.
      
      Fixes: eb014de4 ("netfilter: nf_tables: autoload modules from the abort path")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1d305ba4
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: dump NFTA_CHAIN_FLAGS attribute · d78008de
      Pablo Neira Ayuso authored
      Missing NFTA_CHAIN_FLAGS netlink attribute when dumping basechain
      definitions.
      
      Fixes: c9626a2c ("netfilter: nf_tables: add hardware offload support")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      d78008de
  4. 04 Mar, 2020 14 commits
  5. 03 Mar, 2020 15 commits