1. 27 Oct, 2016 3 commits
    • Liping Zhang's avatar
      netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled · bb6a6e8e
      Liping Zhang authored
      When CONFIG_NFT_SET_HASH is not enabled and I input the following rule:
      "nft add rule filter output flow table test {ip daddr counter }", kernel
      panic happened on my system:
       BUG: unable to handle kernel NULL pointer dereference at (null)
       IP: [<          (null)>]           (null)
       [...]
       Call Trace:
       [<ffffffffa0590466>] ? nft_dynset_eval+0x56/0x100 [nf_tables]
       [<ffffffffa05851bb>] nft_do_chain+0xfb/0x4e0 [nf_tables]
       [<ffffffffa0432f01>] ? nf_conntrack_tuple_taken+0x61/0x210 [nf_conntrack]
       [<ffffffffa0459ea6>] ? get_unique_tuple+0x136/0x560 [nf_nat]
       [<ffffffffa043bca1>] ? __nf_ct_ext_add_length+0x111/0x130 [nf_conntrack]
       [<ffffffffa045a357>] ? nf_nat_setup_info+0x87/0x3b0 [nf_nat]
       [<ffffffff81761e27>] ? ipt_do_table+0x327/0x610
       [<ffffffffa045a6d7>] ? __nf_nat_alloc_null_binding+0x57/0x80 [nf_nat]
       [<ffffffffa059f21f>] nft_ipv4_output+0xaf/0xd0 [nf_tables_ipv4]
       [<ffffffff81702515>] nf_iterate+0x55/0x60
       [<ffffffff81702593>] nf_hook_slow+0x73/0xd0
      
      Because in rbtree type set, ops->update is not implemented. So just keep
      it simple, in such case, report -EOPNOTSUPP to the user space.
      
      Fixes: 22fe54d5 ("netfilter: nf_tables: add support for dynamic set updates")
      Signed-off-by: default avatarLiping Zhang <zlpnobody@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      bb6a6e8e
    • Mintz, Yuval's avatar
      MAINTAINERS: Update qlogic networking drivers · 67f0160f
      Mintz, Yuval authored
      Following Cavium's acquisition of qlogic we need to update all the qlogic
      drivers maintainer's entries to point to our new e-mail addresses,
      as well as update some of the driver's maintainers as those are no longer
      working for Cavium.
      
      I would like to thank Sony Chacko and Rajesh Borundia for their support
      and development of our various networking drivers.
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      67f0160f
    • Stephen Hemminger's avatar
      netvsc: fix incorrect receive checksum offloading · e52fed71
      Stephen Hemminger authored
      The Hyper-V netvsc driver was looking at the incorrect status bits
      in the checksum info. It was setting the receive checksum unnecessary
      flag based on the IP header checksum being correct. The checksum
      flag is skb is about TCP and UDP checksum status. Because of this
      bug, any packet received with bad TCP checksum would be passed
      up the stack and to the application causing data corruption.
      The problem is reproducible via netcat and netem.
      
      This had a side effect of not doing receive checksum offload
      on IPv6. The driver was also also always doing checksum offload
      independent of the checksum setting done via ethtool.
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e52fed71
  2. 26 Oct, 2016 4 commits
  3. 23 Oct, 2016 5 commits
    • David S. Miller's avatar
      Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 44060abe
      David S. Miller authored
      Johan Hedberg says:
      
      ====================
      pull request: bluetooth 2016-10-21
      
      Here are some more Bluetooth fixes for the 4.9 kernel:
      
       - Fix to btwilink driver probe function return value
       - Power management fix to hci_bcm
       - Fix to encoding name in scan response data
      
      Please let me know if there are any issues pulling. Thanks.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44060abe
    • Jiri Slaby's avatar
      net: sctp, forbid negative length · a4b8e71b
      Jiri Slaby authored
      Most of getsockopt handlers in net/sctp/socket.c check len against
      sizeof some structure like:
              if (len < sizeof(int))
                      return -EINVAL;
      
      On the first look, the check seems to be correct. But since len is int
      and sizeof returns size_t, int gets promoted to unsigned size_t too. So
      the test returns false for negative lengths. Yes, (-1 < sizeof(long)) is
      false.
      
      Fix this in sctp by explicitly checking len < 0 before any getsockopt
      handler is called.
      
      Note that sctp_getsockopt_events already handled the negative case.
      Since we added the < 0 check elsewhere, this one can be removed.
      
      If not checked, this is the result:
      UBSAN: Undefined behaviour in ../mm/page_alloc.c:2722:19
      shift exponent 52 is too large for 32-bit type 'int'
      CPU: 1 PID: 24535 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
       0000000000000000 ffff88006d99f2a8 ffffffffb2f7bdea 0000000041b58ab3
       ffffffffb4363c14 ffffffffb2f7bcde ffff88006d99f2d0 ffff88006d99f270
       0000000000000000 0000000000000000 0000000000000034 ffffffffb5096422
      Call Trace:
       [<ffffffffb3051498>] ? __ubsan_handle_shift_out_of_bounds+0x29c/0x300
      ...
       [<ffffffffb273f0e4>] ? kmalloc_order+0x24/0x90
       [<ffffffffb27416a4>] ? kmalloc_order_trace+0x24/0x220
       [<ffffffffb2819a30>] ? __kmalloc+0x330/0x540
       [<ffffffffc18c25f4>] ? sctp_getsockopt_local_addrs+0x174/0xca0 [sctp]
       [<ffffffffc18d2bcd>] ? sctp_getsockopt+0x10d/0x1b0 [sctp]
       [<ffffffffb37c1219>] ? sock_common_getsockopt+0xb9/0x150
       [<ffffffffb37be2f5>] ? SyS_getsockopt+0x1a5/0x270
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: linux-sctp@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a4b8e71b
    • Fabio Estevam's avatar
      net: fec: Call swap_buffer() prior to IP header alignment · 235bde1e
      Fabio Estevam authored
      Commit 3ac72b7b ("net: fec: align IP header in hardware") breaks
      networking on mx28.
      
      There is an erratum on mx28 (ENGR121613 - ENET big endian mode
      not compatible with ARM little endian) that requires an additional
      byte-swap operation to workaround this problem.
      
      So call swap_buffer() prior to performing the IP header alignment
      to restore network functionality on mx28.
      
      Fixes: 3ac72b7b ("net: fec: align IP header in hardware")
      Reported-and-tested-by: default avatarHenri Roosen <henri.roosen@ginzinger.com>
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      235bde1e
    • Jason A. Donenfeld's avatar
      ipv6: do not increment mac header when it's unset · b678aa57
      Jason A. Donenfeld authored
      Otherwise we'll overflow the integer. This occurs when layer 3 tunneled
      packets are handed off to the IPv6 layer.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b678aa57
    • Sudarsana Reddy Kalluru's avatar
      bnx2x: Use the correct divisor value for PHC clock readings. · a6e2846c
      Sudarsana Reddy Kalluru authored
      Time Sync (PTP) implementation uses the divisor/shift value for converting
      the clock ticks to nanoseconds. Driver currently defines shift value as 1,
      this results in the nanoseconds value to be calculated as half the actual
      value. Hence the user application fails to synchronize the device clock
      value with the PTP master device clock. Need to use the 'shift' value of 0.
      Signed-off-by: default avatarSony.Chacko <Sony.Chacko@cavium.com>
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a6e2846c
  4. 22 Oct, 2016 13 commits
  5. 21 Oct, 2016 3 commits
    • WANG Cong's avatar
      ipv6: fix a potential deadlock in do_ipv6_setsockopt() · 8651be8f
      WANG Cong authored
      Baozeng reported this deadlock case:
      
             CPU0                    CPU1
             ----                    ----
        lock([  165.136033] sk_lock-AF_INET6);
                                     lock([  165.136033] rtnl_mutex);
                                     lock([  165.136033] sk_lock-AF_INET6);
        lock([  165.136033] rtnl_mutex);
      
      Similar to commit 87e9f031
      ("ipv4: fix a potential deadlock in mcast getsockopt() path")
      this is due to we still have a case, ipv6_sock_mc_close(),
      where we acquire sk_lock before rtnl_lock. Close this deadlock
      with the similar solution, that is always acquire rtnl lock first.
      
      Fixes: baf606d9 ("ipv4,ipv6: grab rtnl before locking the socket")
      Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Tested-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8651be8f
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 8dbad1a8
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Fix compilation warning in xt_hashlimit on m68k 32-bits, from
         Geert Uytterhoeven.
      
      2) Fix wrong timeout in set elements added from packet path via
         nft_dynset, from Anders K. Pedersen.
      
      3) Remove obsolete nf_conntrack_events_retry_timeout sysctl
         documentation, from Nicolas Dichtel.
      
      4) Ensure proper initialization of log flags via xt_LOG, from
         Liping Zhang.
      
      5) Missing alias to autoload ipcomp, also from Liping Zhang.
      
      6) Missing NFTA_HASH_OFFSET attribute validation, again from Liping.
      
      7) Wrong integer type in the new nft_parse_u32_check() function,
         from Dan Carpenter.
      
      8) Another wrong integer type declaration in nft_exthdr_init, also
         from Dan Carpenter.
      
      9) Fix insufficient mode validation in nft_range.
      
      10) Fix compilation warning in nft_range due to possible uninitialized
          value, from Arnd Bergmann.
      
      11) Zero nf_hook_ops allocated via xt_hook_alloc() in x_tables to
          calm down kmemcheck, from Florian Westphal.
      
      12) Schedule gc_worker() to run again if GC_MAX_EVICTS quota is reached,
          from Nicolas Dichtel.
      
      13) Fix nf_queue() after conversion to single-linked hook list, related
          to incorrect bypass flag handling and incorrect hook point of
          reinjection.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8dbad1a8
    • Florian Fainelli's avatar
      kexec: Export kexec_in_progress to modules · 97dcaa0f
      Florian Fainelli authored
      The bcm_sf2 driver uses kexec_in_progress to know whether it can power
      down an integrated PHY during shutdown, and can be built as a module.
      Other modules may be using this in the future, so export it.
      
      Fixes: 2399d614 ("net: dsa: bcm_sf2: Prevent GPHY shutdown for kexec'd kernels")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      97dcaa0f
  6. 20 Oct, 2016 12 commits
    • Eric Dumazet's avatar
      ipv4: disable BH in set_ping_group_range() · a681574c
      Eric Dumazet authored
      In commit 4ee3bd4a ("ipv4: disable BH when changing ip local port
      range") Cong added BH protection in set_local_port_range() but missed
      that same fix was needed in set_ping_group_range()
      
      Fixes: b8f1a556 ("udp: Add function to make source port for UDP tunnels")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarEric Salo <salo@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a681574c
    • Eric Dumazet's avatar
      udp: must lock the socket in udp_disconnect() · 286c72de
      Eric Dumazet authored
      Baozeng Ding reported KASAN traces showing uses after free in
      udp_lib_get_port() and other related UDP functions.
      
      A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.
      
      I could write a reproducer with two threads doing :
      
      static int sock_fd;
      static void *thr1(void *arg)
      {
      	for (;;) {
      		connect(sock_fd, (const struct sockaddr *)arg,
      			sizeof(struct sockaddr_in));
      	}
      }
      
      static void *thr2(void *arg)
      {
      	struct sockaddr_in unspec;
      
      	for (;;) {
      		memset(&unspec, 0, sizeof(unspec));
      	        connect(sock_fd, (const struct sockaddr *)&unspec,
      			sizeof(unspec));
              }
      }
      
      Problem is that udp_disconnect() could run without holding socket lock,
      and this was causing list corruptions.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      286c72de
    • Florian Fainelli's avatar
      net: dsa: bcm_sf2: Prevent GPHY shutdown for kexec'd kernels · 2399d614
      Florian Fainelli authored
      For a kernel that is being kexec'd we re-enable the integrated GPHY in
      order for the subsequent MDIO bus scan to succeed and properly bind to
      the bcm7xxx PHY driver. If we did not do that, the GPHY would be shut
      down by the time the MDIO driver is probing the bus, and it would fail
      to read the correct PHY OUI and therefore bind to an appropriate PHY
      driver. Later on, this would cause DSA not to be able to successfully
      attach to the PHY, and the interface would not be created at all.
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2399d614
    • Daniel Borkmann's avatar
      bpf, test: fix ld_abs + vlan push/pop stress test · 0d906b1e
      Daniel Borkmann authored
      After commit 636c2628 ("net: skbuff: Remove errornous length
      validation in skb_vlan_pop()") mentioned test case stopped working,
      throwing a -12 (ENOMEM) return code. The issue however is not due to
      636c2628, but rather due to a buggy test case that got uncovered
      from the change in behaviour in 636c2628.
      
      The data_size of that test case for the skb was set to 1. In the
      bpf_fill_ld_abs_vlan_push_pop() handler bpf insns are generated that
      loop with: reading skb data, pushing 68 tags, reading skb data,
      popping 68 tags, reading skb data, etc, in order to force a skb
      expansion and thus trigger that JITs recache skb->data. Problem is
      that initial data_size is too small.
      
      While before 636c2628, the test silently bailed out due to the
      skb->len < VLAN_ETH_HLEN check with returning 0, and now throwing an
      error from failing skb_ensure_writable(). Set at least minimum of
      ETH_HLEN as an initial length so that on first push of data, equivalent
      pop will succeed.
      
      Fixes: 4d9c5c53 ("test_bpf: add bpf_skb_vlan_push/pop() tests")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d906b1e
    • Sabrina Dubroca's avatar
      net: add recursion limit to GRO · fcd91dd4
      Sabrina Dubroca authored
      Currently, GRO can do unlimited recursion through the gro_receive
      handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
      to one level with encap_mark, but both VLAN and TEB still have this
      problem.  Thus, the kernel is vulnerable to a stack overflow, if we
      receive a packet composed entirely of VLAN headers.
      
      This patch adds a recursion counter to the GRO layer to prevent stack
      overflow.  When a gro_receive function hits the recursion limit, GRO is
      aborted for this skb and it is processed normally.  This recursion
      counter is put in the GRO CB, but could be turned into a percpu counter
      if we run out of space in the CB.
      
      Thanks to Vladimír Beneš <vbenes@redhat.com> for the initial bug report.
      
      Fixes: CVE-2016-7039
      Fixes: 9b174d88 ("net: Add Transparent Ethernet Bridging GRO support.")
      Fixes: 66e5133f ("vlan: Add GRO support for non hardware accelerated vlan")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: default avatarJiri Benc <jbenc@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarTom Herbert <tom@herbertland.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fcd91dd4
    • Jiri Bohac's avatar
      ipv6: properly prevent temp_prefered_lft sysctl race · 7aa8e63f
      Jiri Bohac authored
      The check for an underflow of tmp_prefered_lft is always false
      because tmp_prefered_lft is unsigned. The intention of the check
      was to guard against racing with an update of the
      temp_prefered_lft sysctl, potentially resulting in an underflow.
      
      As suggested by David Miller, the best way to prevent the race is
      by reading the sysctl variable using READ_ONCE.
      Signed-off-by: default avatarJiri Bohac <jbohac@suse.cz>
      Reported-by: default avatarJulia Lawall <julia.lawall@lip6.fr>
      Fixes: 76506a98 ("IPv6: fix DESYNC_FACTOR")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7aa8e63f
    • Pablo Neira Ayuso's avatar
      netfilter: fix nf_queue handling · 7034b566
      Pablo Neira Ayuso authored
      nf_queue handling is broken since e3b37f11 ("netfilter: replace
      list_head with single linked list") for two reasons:
      
      1) If the bypass flag is set on, there are no userspace listeners and
         we still have more hook entries to iterate over, then jump to the
         next hook. Otherwise accept the packet. On nf_reinject() path, the
         okfn() needs to be invoked.
      
      2) We should not re-enter the same hook on packet reinjection. If the
         packet is accepted, we have to skip the current hook from where the
         packet was enqueued, otherwise the packets gets enqueued over and
         over again.
      
      This restores the previous list_for_each_entry_continue() behaviour
      happening from nf_iterate() that was dealing with these two cases.
      This patch introduces a new nf_queue() wrapper function so this fix
      becomes simpler.
      
      Fixes: e3b37f11 ("netfilter: replace list_head with single linked list")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7034b566
    • Nicolas Dichtel's avatar
      netfilter: conntrack: restart gc immediately if GC_MAX_EVICTS is reached · 7bb6615d
      Nicolas Dichtel authored
      When the maximum evictions number is reached, do not wait 5 seconds before
      the next run.
      
      CC: Florian Westphal <fw@strlen.de>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7bb6615d
    • Giuseppe CAVALLARO's avatar
      stmmac: display the descriptors if DES0 = 0 · 8be0328e
      Giuseppe CAVALLARO authored
      It makes sense to display the descriptors even if
      DES0 is zero. This helps for example in case of it
      is needed to dump rx write-back descriptors to get
      timestamp status.
      Signed-off-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre TORGUE <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8be0328e
    • David S. Miller's avatar
      Merge branch 'ncsi-fixes' · ae3877bc
      David S. Miller authored
      Gavin Shan says:
      
      ====================
      net/ncsi: More bug fixes
      
      This series fixes 2 issues that were found during NCSI's availability
      testing on BCM5718 and improves HNCDSC AEN handler:
      
         * PATCH[1] refactors the code so that minimal code change is put
           to PATCH[2].
         * PATCH[2] fixes the NCSI channel's stale link state before doing
           failover.
         * PATCH[3] chooses the hot channel, which was ever chosen as active
           channel, when the available channels are all in link-down state.
         * PATCH[4] improves Host Network Controller Driver Status Change
           (HNCDSC) AEN handler
      
      Changelog
      =========
      v2:
         * Merged PATCH[v1 1/2] to PATCH[v2 1].
         * Avoid if/else statements in ncsi_suspend_channel() as Joel suggested.
         * Added comments to explain why we need retrieve last link states in
           ncsi_suspend_channel().
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae3877bc
    • Gavin Shan's avatar
      net/ncsi: Improve HNCDSC AEN handler · 22d8aa93
      Gavin Shan authored
      This improves AEN handler for Host Network Controller Driver Status
      Change (HNCDSC):
      
         * The channel's lock should be hold when accessing its state.
         * Do failover when host driver isn't ready.
         * Configure channel when host driver becomes ready.
      Signed-off-by: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22d8aa93
    • Gavin Shan's avatar
      net/ncsi: Choose hot channel as active one if necessary · bbc7c01e
      Gavin Shan authored
      The issue was found on BCM5718 which has two NCSI channels in one
      package: C0 and C1. C0 is in link-up state while C1 is in link-down
      state. C0 is chosen as active channel until unplugging and plugging
      C0's cable:  On unplugging C0's cable, LSC (Link State Change) AEN
      packet received on C0 to report link-down event. After that, C1 is
      chosen as active channel. LSC AEN for link-up event is lost on C0
      when plugging C0's cable back. We lose the network even C0 is usable.
      
      This resolves the issue by recording the (hot) channel that was ever
      chosen as active one. The hot channel is chosen to be active one
      if none of available channels in link-up state. With this, C0 is still
      the active one after unplugging C0's cable. LSC AEN packet received
      on C0 when plugging its cable back.
      Signed-off-by: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bbc7c01e