1. 05 May, 2021 1 commit
  2. 04 May, 2021 4 commits
    • Ramesh Babu B's avatar
      net: stmmac: Clear receive all(RA) bit when promiscuous mode is off · 4c7a9428
      Ramesh Babu B authored
      In promiscuous mode Receive All bit is set in GMAC packet filter register,
      but outside promiscuous mode Receive All bit is not cleared,
      which resulted in all network packets are received when toggle (ON/OFF)
      the promiscuous mode.
      
      Fixes: e0f9956a ("net: stmmac: Add option for VLAN filter fail queue enable")
      Signed-off-by: default avatarRamesh Babu B <ramesh.babu.b@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4c7a9428
    • Or Cohen's avatar
      net/nfc: fix use-after-free llcp_sock_bind/connect · c61760e6
      Or Cohen authored
      Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")
      and c33b1cc6 ("nfc: fix refcount leak in llcp_sock_bind()")
      fixed a refcount leak bug in bind/connect but introduced a
      use-after-free if the same local is assigned to 2 different sockets.
      
      This can be triggered by the following simple program:
          int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
          int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
          memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );
          addr.sa_family = AF_NFC;
          addr.nfc_protocol = NFC_PROTO_NFC_DEP;
          bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
          bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
          close(sock1);
          close(sock2);
      
      Fix this by assigning NULL to llcp_sock->local after calling
      nfc_llcp_local_put.
      
      This addresses CVE-2021-23134.
      Reported-by: default avatarOr Cohen <orcohen@paloaltonetworks.com>
      Reported-by: default avatarNadav Markus <nmarkus@paloaltonetworks.com>
      Fixes: c33b1cc6 ("nfc: fix refcount leak in llcp_sock_bind()")
      Signed-off-by: default avatarOr Cohen <orcohen@paloaltonetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c61760e6
    • Jonathon Reinhart's avatar
      net: Only allow init netns to set default tcp cong to a restricted algo · 8d432592
      Jonathon Reinhart authored
      tcp_set_default_congestion_control() is netns-safe in that it writes
      to &net->ipv4.tcp_congestion_control, but it also sets
      ca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced.
      This has the unintended side-effect of changing the global
      net.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it
      is read-only: 97684f09 ("net: Make tcp_allowed_congestion_control
      readonly in non-init netns")
      
      Resolve this netns "leak" by only allowing the init netns to set the
      default algorithm to one that is restricted. This restriction could be
      removed if tcp_allowed_congestion_control were namespace-ified in the
      future.
      
      This bug was uncovered with
      https://github.com/JonathonReinhart/linux-netns-sysctl-verify
      
      Fixes: 6670e152 ("tcp: Namespace-ify sysctl_tcp_default_congestion_control")
      Signed-off-by: default avatarJonathon Reinhart <jonathon.reinhart@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d432592
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 1682d8df
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-05-04
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 5 non-merge commits during the last 4 day(s) which contain
      a total of 6 files changed, 52 insertions(+), 30 deletions(-).
      
      The main changes are:
      
      1) Fix libbpf overflow when processing BPF ring buffer in case of extreme
         application behavior, from Brendan Jackman.
      
      2) Fix potential data leakage of uninitialized BPF stack under speculative
         execution, from Daniel Borkmann.
      
      3) Fix off-by-one when validating xsk pool chunks, from Xuan Zhuo.
      
      4) Fix snprintf BPF selftest with a pid filter to avoid racing its output
         test buffer, from Florent Revest.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1682d8df
  3. 03 May, 2021 15 commits
  4. 30 Apr, 2021 16 commits
  5. 29 Apr, 2021 4 commits