1. 14 May, 2014 4 commits
  2. 13 May, 2014 4 commits
    • Alexei Starovoitov's avatar
      net: filter: x86: fix JIT address randomization · 773cd38f
      Alexei Starovoitov authored
      bpf_alloc_binary() adds 128 bytes of room to JITed program image
      and rounds it up to the nearest page size. If image size is close
      to page size (like 4000), it is rounded to two pages:
      round_up(4000 + 4 + 128) == 8192
      then 'hole' is computed as 8192 - (4000 + 4) = 4188
      If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
      then kernel will crash during bpf_jit_free():
      
      kernel BUG at arch/x86/mm/pageattr.c:887!
      Call Trace:
       [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
       [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
       [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
       [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
       [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
       [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
       [<ffffffff8106c90c>] worker_thread+0x11c/0x370
      
      since bpf_jit_free() does:
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
      to compute start address of 'bpf_binary_header'
      and header->pages will pass junk to:
        set_memory_rw(addr, header->pages);
      
      Fix it by making sure that &header->image[prandom_u32() % hole] and &header
      are in the same page
      
      Fixes: 314beb9b ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
      Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      773cd38f
    • David S. Miller's avatar
      Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 6262971a
      David S. Miller authored
      Included changes:
      - properly release neigh_ifinfo in batadv_iv_ogm_process_per_outif()
      - properly release orig_ifinfo->router when freeing orig_ifinfo
      - properly release neigh_node objects during periodic check
      - properly release neigh_info objects when the related hard_iface
        is free'd
      
      These changes are all very important because they fix some
      reference counting imbalances that lead to the
      impossibility of releasing the netdev object used by
      batman-adv on shutdown.
      The consequence is that such object cannot be destroyed by
      the networking stack (the refcounter does not reach zero)
      thus bringing the system in hanging state during a normal
      reboot operation or a network reconfiguration.
      6262971a
    • Duan Jiong's avatar
      neigh: set nud_state to NUD_INCOMPLETE when probing router reachability · 2176d5d4
      Duan Jiong authored
      Since commit 7e980569("ipv6: router reachability probing"), a router falls
      into NUD_FAILED will be probed.
      
      Now if function rt6_select() selects a router which neighbour state is NUD_FAILED,
      and at the same time function rt6_probe() changes the neighbour state to NUD_PROBE,
      then function dst_neigh_output() can directly send packets, but actually the
      neighbour still is unreachable. If we set nud_state to NUD_INCOMPLETE instead
      NUD_PROBE, packets will not be sent out until the neihbour is reachable.
      
      In addition, because the route should be probes with a single NS, so we must
      set neigh->probes to neigh_max_probes(), then the neigh timer timeout and function
      neigh_timer_handler() will not send other NS Messages.
      Signed-off-by: default avatarDuan Jiong <duanj.fnst@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2176d5d4
    • Susant Sahani's avatar
      ip6_tunnel: fix potential NULL pointer dereference · c8965932
      Susant Sahani authored
      The function ip6_tnl_validate assumes that the rtnl
      attribute IFLA_IPTUN_PROTO always be filled . If this
      attribute is not filled by  the userspace application
      kernel get crashed with NULL pointer dereference. This
      patch fixes the potential kernel crash when
      IFLA_IPTUN_PROTO is missing .
      Signed-off-by: default avatarSusant Sahani <susant@redhat.com>
      Acked-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8965932
  3. 12 May, 2014 3 commits
  4. 11 May, 2014 1 commit
  5. 10 May, 2014 3 commits
  6. 09 May, 2014 15 commits
  7. 08 May, 2014 1 commit
  8. 07 May, 2014 9 commits