1. 21 Jul, 2017 9 commits
    • Eduardo Valentin's avatar
      bridge: mdb: fix leak on complete_info ptr on fail path · e5e5c0ec
      Eduardo Valentin authored
      commit 1bfb1596 upstream.
      
      We currently get the following kmemleak report:
      unreferenced object 0xffff8800039d9820 (size 32):
        comm "softirq", pid 0, jiffies 4295212383 (age 792.416s)
        hex dump (first 32 bytes):
          00 0c e0 03 00 88 ff ff ff 02 00 00 00 00 00 00  ................
          00 00 00 01 ff 11 00 02 86 dd 00 00 ff ff ff ff  ................
        backtrace:
          [<ffffffff8152b4aa>] kmemleak_alloc+0x4a/0xa0
          [<ffffffff811d8ec8>] kmem_cache_alloc_trace+0xb8/0x1c0
          [<ffffffffa0389683>] __br_mdb_notify+0x2a3/0x300 [bridge]
          [<ffffffffa038a0ce>] br_mdb_notify+0x6e/0x70 [bridge]
          [<ffffffffa0386479>] br_multicast_add_group+0x109/0x150 [bridge]
          [<ffffffffa0386518>] br_ip6_multicast_add_group+0x58/0x60 [bridge]
          [<ffffffffa0387fb5>] br_multicast_rcv+0x1d5/0xdb0 [bridge]
          [<ffffffffa037d7cf>] br_handle_frame_finish+0xcf/0x510 [bridge]
          [<ffffffffa03a236b>] br_nf_hook_thresh.part.27+0xb/0x10 [br_netfilter]
          [<ffffffffa03a3738>] br_nf_hook_thresh+0x48/0xb0 [br_netfilter]
          [<ffffffffa03a3fb9>] br_nf_pre_routing_finish_ipv6+0x109/0x1d0 [br_netfilter]
          [<ffffffffa03a4400>] br_nf_pre_routing_ipv6+0xd0/0x14c [br_netfilter]
          [<ffffffffa03a3c27>] br_nf_pre_routing+0x197/0x3d0 [br_netfilter]
          [<ffffffff814a2952>] nf_iterate+0x52/0x60
          [<ffffffff814a29bc>] nf_hook_slow+0x5c/0xb0
          [<ffffffffa037ddf4>] br_handle_frame+0x1a4/0x2c0 [bridge]
      
      This happens when switchdev_port_obj_add() fails. This patch
      frees complete_info object in the fail path.
      Reviewed-by: default avatarVallish Vaidyeshwara <vallish@amazon.com>
      Signed-off-by: default avatarEduardo Valentin <eduval@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e5e5c0ec
    • Eric Dumazet's avatar
      net: prevent sign extension in dev_get_stats() · 3f04c32b
      Eric Dumazet authored
      commit 6f64ec74 upstream.
      
      Similar to the fix provided by Dominik Heidler in commit
      9b3dc0a1 ("l2tp: cast l2tp traffic counter to unsigned")
      we need to take care of 32bit kernels in dev_get_stats().
      
      When using atomic_long_read(), we add a 'long' to u64 and
      might misinterpret high order bit, unless we cast to unsigned.
      
      Fixes: caf586e5 ("net: add a core netdev->rx_dropped counter")
      Fixes: 015f0688 ("net: net: add a core netdev->tx_dropped counter")
      Fixes: 6e7333d3 ("net: add rx_nohandler stat counter")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f04c32b
    • WANG Cong's avatar
      tcp: reset sk_rx_dst in tcp_disconnect() · ef138400
      WANG Cong authored
      commit d747a7a5 upstream.
      
      We have to reset the sk->sk_rx_dst when we disconnect a TCP
      connection, because otherwise when we re-connect it this
      dst reference is simply overridden in tcp_finish_connect().
      
      This fixes a dst leak which leads to a loopback dev refcnt
      leak. It is a long-standing bug, Kevin reported a very similar
      (if not same) bug before. Thanks to Andrei for providing such
      a reliable reproducer which greatly narrows down the problem.
      
      Fixes: 41063e9d ("ipv4: Early TCP socket demux.")
      Reported-by: default avatarAndrei Vagin <avagin@gmail.com>
      Reported-by: default avatarKevin Xu <kaiwen.xu@hulu.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef138400
    • Richard Cochran's avatar
      net: dp83640: Avoid NULL pointer dereference. · cf81b4ab
      Richard Cochran authored
      commit db9d8b29 upstream.
      
      The function, skb_complete_tx_timestamp(), used to allow passing in a
      NULL pointer for the time stamps, but that was changed in commit
      62bccb8c ("net-timestamp: Make the
      clone operation stand-alone from phy timestamping"), and the existing
      call sites, all of which are in the dp83640 driver, were fixed up.
      
      Even though the kernel-doc was subsequently updated in commit
      7a76a021 ("net-timestamp: Update
      skb_complete_tx_timestamp comment"), still a bug fix from Manfred
      Rudigier came into the driver using the old semantics.  Probably
      Manfred derived that patch from an older kernel version.
      
      This fix should be applied to the stable trees as well.
      
      Fixes: 81e8f2e9 ("net: dp83640: Fix tx timestamp overflow handling.")
      Signed-off-by: default avatarRichard Cochran <richardcochran@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf81b4ab
    • WANG Cong's avatar
      ipv6: avoid unregistering inet6_dev for loopback · 0526ff30
      WANG Cong authored
      commit 60abc0be upstream.
      
      The per netns loopback_dev->ip6_ptr is unregistered and set to
      NULL when its mtu is set to smaller than IPV6_MIN_MTU, this
      leads to that we could set rt->rt6i_idev NULL after a
      rt6_uncached_list_flush_dev() and then crash after another
      call.
      
      In this case we should just bring its inet6_dev down, rather
      than unregistering it, at least prior to commit 176c39af
      ("netns: fix addrconf_ifdown kernel panic") we always
      override the case for loopback.
      
      Thanks a lot to Andrey for finding a reliable reproducer.
      
      Fixes: 176c39af ("netns: fix addrconf_ifdown kernel panic")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Cc: Daniel Lezcano <dlezcano@fr.ibm.com>
      Cc: David Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0526ff30
    • Zach Brown's avatar
      net/phy: micrel: configure intterupts after autoneg workaround · 3f7e07c3
      Zach Brown authored
      commit b866203d upstream.
      
      The commit ("net/phy: micrel: Add workaround for bad autoneg") fixes an
      autoneg failure case by resetting the hardware. This turns off
      intterupts. Things will work themselves out if the phy polls, as it will
      figure out it's state during a poll. However if the phy uses only
      intterupts, the phy will stall, since interrupts are off. This patch
      fixes the issue by calling config_intr after resetting the phy.
      
      Fixes: d2fd719b ("net/phy: micrel: Add workaround for bad autoneg ")
      Signed-off-by: default avatarZach Brown <zach.brown@ni.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f7e07c3
    • Gao Feng's avatar
      net: sched: Fix one possible panic when no destroy callback · dc491cdd
      Gao Feng authored
      commit c1a4872e upstream.
      
      When qdisc fail to init, qdisc_create would invoke the destroy callback
      to cleanup. But there is no check if the callback exists really. So it
      would cause the panic if there is no real destroy callback like the qdisc
      codel, fq, and so on.
      
      Take codel as an example following:
      When a malicious user constructs one invalid netlink msg, it would cause
      codel_init->codel_change->nla_parse_nested failed.
      Then kernel would invoke the destroy callback directly but qdisc codel
      doesn't define one. It causes one panic as a result.
      
      Now add one the check for destroy to avoid the possible panic.
      
      Fixes: 87b60cfa ("net_sched: fix error recovery at qdisc creation")
      Signed-off-by: default avatarGao Feng <gfree.wind@vip.163.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dc491cdd
    • Eric Dumazet's avatar
      net_sched: fix error recovery at qdisc creation · 13550ffc
      Eric Dumazet authored
      commit 87b60cfa upstream.
      
      Dmitry reported uses after free in qdisc code [1]
      
      The problem here is that ops->init() can return an error.
      
      qdisc_create_dflt() then call ops->destroy(),
      while qdisc_create() does _not_ call it.
      
      Four qdisc chose to call their own ops->destroy(), assuming their caller
      would not.
      
      This patch makes sure qdisc_create() calls ops->destroy()
      and fixes the four qdisc to avoid double free.
      
      [1]
      BUG: KASAN: use-after-free in mq_destroy+0x242/0x290 net/sched/sch_mq.c:33 at addr ffff8801d415d440
      Read of size 8 by task syz-executor2/5030
      CPU: 0 PID: 5030 Comm: syz-executor2 Not tainted 4.3.5-smp-DEV #119
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
       0000000000000046 ffff8801b435b870 ffffffff81bbbed4 ffff8801db000400
       ffff8801d415d440 ffff8801d415dc40 ffff8801c4988510 ffff8801b435b898
       ffffffff816682b1 ffff8801b435b928 ffff8801d415d440 ffff8801c49880c0
      Call Trace:
       [<ffffffff81bbbed4>] __dump_stack lib/dump_stack.c:15 [inline]
       [<ffffffff81bbbed4>] dump_stack+0x6c/0x98 lib/dump_stack.c:51
       [<ffffffff816682b1>] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
       [<ffffffff81668524>] print_address_description mm/kasan/report.c:196 [inline]
       [<ffffffff81668524>] kasan_report_error+0x1b4/0x4b0 mm/kasan/report.c:285
       [<ffffffff81668953>] kasan_report mm/kasan/report.c:305 [inline]
       [<ffffffff81668953>] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:326
       [<ffffffff82527b02>] mq_destroy+0x242/0x290 net/sched/sch_mq.c:33
       [<ffffffff82524bdd>] qdisc_destroy+0x12d/0x290 net/sched/sch_generic.c:953
       [<ffffffff82524e30>] qdisc_create_dflt+0xf0/0x120 net/sched/sch_generic.c:848
       [<ffffffff8252550d>] attach_default_qdiscs net/sched/sch_generic.c:1029 [inline]
       [<ffffffff8252550d>] dev_activate+0x6ad/0x880 net/sched/sch_generic.c:1064
       [<ffffffff824b1db1>] __dev_open+0x221/0x320 net/core/dev.c:1403
       [<ffffffff824b24ce>] __dev_change_flags+0x15e/0x3e0 net/core/dev.c:6858
       [<ffffffff824b27de>] dev_change_flags+0x8e/0x140 net/core/dev.c:6926
       [<ffffffff824f5bf6>] dev_ifsioc+0x446/0x890 net/core/dev_ioctl.c:260
       [<ffffffff824f61fa>] dev_ioctl+0x1ba/0xb80 net/core/dev_ioctl.c:546
       [<ffffffff82430509>] sock_do_ioctl+0x99/0xb0 net/socket.c:879
       [<ffffffff82430d30>] sock_ioctl+0x2a0/0x390 net/socket.c:958
       [<ffffffff816f3b68>] vfs_ioctl fs/ioctl.c:44 [inline]
       [<ffffffff816f3b68>] do_vfs_ioctl+0x8a8/0xe50 fs/ioctl.c:611
       [<ffffffff816f41a4>] SYSC_ioctl fs/ioctl.c:626 [inline]
       [<ffffffff816f41a4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:617
       [<ffffffff8123e357>] entry_SYSCALL_64_fastpath+0x12/0x17
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      13550ffc
    • Vineeth Remanan Pillai's avatar
      xen-netfront: Rework the fix for Rx stall during OOM and network stress · 21f79ae4
      Vineeth Remanan Pillai authored
      commit 538d9291 upstream.
      
      The commit 90c311b0 ("xen-netfront: Fix Rx stall during network
      stress and OOM") caused the refill timer to be triggerred almost on
      all invocations of xennet_alloc_rx_buffers for certain workloads.
      This reworks the fix by reverting to the old behaviour and taking into
      consideration the skb allocation failure. Refill timer is now triggered
      on insufficient requests or skb allocation failure.
      Signed-off-by: default avatarVineeth Remanan Pillai <vineethp@amazon.com>
      Fixes: 90c311b0 (xen-netfront: Fix Rx stall during network stress and OOM)
      Reported-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Eduardo Valentin <eduval@amazon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21f79ae4
  2. 15 Jul, 2017 26 commits
  3. 12 Jul, 2017 5 commits