1. 13 Apr, 2021 1 commit
    • net: sit: Unregister catch-all devices · 610f8c0f
      Hristo Venev authored
      A sit interface created without a local or a remote address is linked
      into the `sit_net::tunnels_wc` list of its original namespace. When
      deleting a network namespace, delete the devices that have been moved.
      
      The following script triggers a null pointer dereference if devices
      linked in a deleted `sit_net` remain:
      
          for i in `seq 1 30`; do
              ip netns add ns-test
              ip netns exec ns-test ip link add dev veth0 type veth peer veth1
              ip netns exec ns-test ip link add dev sit$i type sit dev veth0
              ip netns exec ns-test ip link set dev sit$i netns $$
              ip netns del ns-test
          done
          for i in `seq 1 30`; do
              ip link del dev sit$i
          done
      
      Fixes: 5e6700b3 ("sit: add support of x-netns")
      Signed-off-by: Hristo Venev <hristo@venev.name>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 12 Apr, 2021 5 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · ccb39c62
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Fix NAT IPv6 offload in the flowtable.
      
      2) icmpv6 is printed as unknown in /proc/net/nf_conntrack.
      
      3) Use div64_u64() in nft_limit, from Eric Dumazet.
      
      4) Use pre_exit to unregister ebtables and arptables hooks,
         from Florian Westphal.
      
      5) Fix out-of-bound memset in x_tables compat match/target,
         also from Florian.
      
      6) Clone set elements expression to ensure proper initialization.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: nftables: clone set element expression template · 4d8f9065
      Pablo Neira Ayuso authored
      memcpy() breaks when using connlimit in set elements. Use
      nft_expr_clone() to initialize the connlimit expression list, otherwise
      connlimit garbage collector crashes when walking on the list head copy.
      
      [  493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
      [  493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
      [  493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83
      [  493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297
      [  493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000
      [  493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0
      [  493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c
      [  493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001
      [  493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000
      [  493.064721] FS:  0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000
      [  493.064725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0
      [  493.064733] Call Trace:
      [  493.064737]  nf_conncount_gc_list+0x8f/0x150 [nf_conncount]
      [  493.064746]  nft_rhash_gc+0x106/0x390 [nf_tables]
      Reported-by: Laura Garcia Liebana <nevola@gmail.com>
      Fixes: 40944452 ("netfilter: nf_tables: add elements with stateful expressions")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: x_tables: fix compat match/target pad out-of-bound write · b29c457a
      Florian Westphal authored
      xt_compat_match/target_from_user doesn't check that zeroing the area
      to start of next rule won't write past end of allocated ruleset blob.
      
      Remove this code and zero the entire blob beforehand.
      
      Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com
      Reported-by: Andy Nguyen <theflow@google.com>
      Fixes: 9fa492cd ("[NETFILTER]: x_tables: simplify compat API")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • ethtool: fix kdoc attr name · f33b0e19
      Jakub Kicinski authored
      Add missing 't' in attrtype.
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: marvell: fix detection of PHY on Topaz switches · 1fe976d3
      Pali Rohár authored
      Since commit fee2d546 ("net: phy: marvell: mv88e6390 temperature
      sensor reading"), Linux reports the temperature of Topaz hwmon as
      constant -75°C.
      
      This is because switches from the Topaz family (88E6141 / 88E6341) have
      the address of the temperature sensor register different from Peridot.
      
      This address is instead compatible with 88E1510 PHYs, as was used for
      Topaz before the above mentioned commit.
      
      Create a new mapping table between switch family and PHY ID for families
      which don't have a model number. And define PHY IDs for Topaz and Peridot
      families.
      
      Create a new PHY ID and a new PHY driver for Topaz's internal PHY.
      The only difference from Peridot's PHY driver is the HWMON probing
      method.
      
      Prior to this change Topaz's internal PHY is detected by kernel as:
      
        PHY [...] driver [Marvell 88E6390] (irq=63)
      
      And afterwards as:
      
        PHY [...] driver [Marvell 88E6341 Family] (irq=63)
      Signed-off-by: Pali Rohár <pali@kernel.org>
      BugLink: https://github.com/globalscaletechnologies/linux/issues/1
      Fixes: fee2d546 ("net: phy: marvell: mv88e6390 temperature sensor reading")
      Reviewed-by: Marek Behún <kabel@kernel.org>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 11 Apr, 2021 3 commits
  4. 10 Apr, 2021 3 commits
    • netfilter: arp_tables: add pre_exit hook for table unregister · d163a925
      Florian Westphal authored
      Same problem that also existed in iptables/ip(6)tables, when
      arptable_filter is removed there is no longer a wait period before the
      table/ruleset is free'd.
      
      Unregister the hook in pre_exit, then remove the table in the exit
      function.
      This used to work correctly because the old nf_hook_unregister API
      did unconditional synchronize_net.
      
      The per-net hook unregister function uses call_rcu instead.
      
      Fixes: b9e69e12 ("netfilter: xtables: don't hook tables by default")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: bridge: add pre_exit hooks for ebtable unregistration · 7ee3c61d
      Florian Westphal authored
      Just like ip/ip6/arptables, the hooks have to be removed, then
      synchronize_rcu() has to be called to make sure no more packets are being
      processed before the ruleset data is released.
      
      Place the hook unregistration in the pre_exit hook, then call the new
      ebtables pre_exit function from there.
      
      Years ago, when first netns support got added for netfilter+ebtables,
      this used an older (now removed) netfilter hook unregister API, that did
      an unconditional synchronize_rcu().
      
      Now that all is done with call_rcu, ebtable_{filter,nat,broute} pernet exit
      handlers may free the ebtable ruleset while packets are still in flight.
      
      This can only happen on module removal, not during netns exit.
      
      The new function expects the table name, not the table struct.
      
      This is because upcoming patch set (targeting -next) will remove all
      net->xt.{nat,filter,broute}_table instances, this makes it necessary
      to avoid external references to those member variables.
      
      The existing APIs will be converted, so follow the upcoming scheme of
      passing name + hook type instead.
      
      Fixes: aee12a0a ("ebtables: remove nf_hook_register usage")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_limit: avoid possible divide error in nft_limit_init · b895bdf5
      Eric Dumazet authored
      div_u64() divides u64 by u32.
      
      nft_limit_init() wants to divide u64 by u64, use the appropriate
      math function (div64_u64)
      
      divide error: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]
      RIP: 0010:div_u64 include/linux/math64.h:127 [inline]
      RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85
      Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00
      RSP: 0018:ffffc90009447198 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003
      RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000
      R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      FS:  000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]
       nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713
       nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160
       nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321
       nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
       nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
       nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
       netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
       netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
       netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
       sock_sendmsg_nosec net/socket.c:654 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:674
       ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
       ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Fixes: c26844ed ("netfilter: nf_tables: Fix nft limit burst handling")
      Fixes: 3e0f64b7 ("netfilter: nft_limit: fix packet ratelimiting")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Diagnosed-by: Luigi Rizzo <lrizzo@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  5. 09 Apr, 2021 26 commits
  6. 08 Apr, 2021 2 commits
    • net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh · 864db232
      Muhammad Usama Anjum authored
      nlh is being checked for validity two times when it is dereferenced in
      this function. Check for validity again when updating the flags through
      nlh pointer to make the dereferencing safe.
      
      CC: <stable@vger.kernel.org>
      Addresses-Coverity: ("NULL pointer dereference")
      Signed-off-by: Muhammad Usama Anjum <musamaanjum@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'lantiq-GSWIP-fixes' · 2d1b50ab
      David S. Miller authored
      Martin Blumenstingl says:
      
      ====================
      lantiq: GSWIP: two more fixes
      
      after my last patch got accepted and is now in net as commit
      3e6fdeb2 ("net: dsa: lantiq_gswip: Let GSWIP automatically set
      the xMII clock") [0] some more people from the OpenWrt community
      (many thanks to everyone involved) helped test the GSWIP driver: [1]
      
      It turns out that the previous fix does not work for all boards.
      There's no regression, but it doesn't fix as many problems as I
      thought. This is why two more fixes are needed:
      - the first one solves many (four known but probably there are
        a few extra hidden ones) reported bugs with the GSWIP where no
        traffic would flow. Not all circumstances are fully understood
        but testing shows that switching away from PHY auto polling
        solves all of them
      - while investigating the different problems which are addressed
        by the first patch some small issues with the existing code were
        found. These are addressed by the second patch
      
      Changes since v1 at [0]:
      - Don't configure the link parameters in gswip_phylink_mac_config
        (as we're using the "modern" way in gswip_phylink_mac_link_up).
        Thanks to Andrew for the hint with the phylink documentation.
      - Clarify that GSWIP_MII_CFG_RMII_CLK is ignored by the hardware in
        the description of the second patch as suggested by Hauke
      - Don't set GSWIP_MII_CFG_RGMII_IBS in the second patch as we don't
        have any hardware available for testing this. The patch
        description now also reflects this.
      - Added Andrew's Reviewed-by to the first patch (thank you!)
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
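
The divisor-width problem described in the nft_limit commit (b895bdf5) above, modelled in user space as an added example; this is not code from the kernel tree or from the commit's author. The helper and caller names are hypothetical, the helpers mirror only the parameter widths of div_u64() and div64_u64(), and the rates are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Models of the parameter widths only: div_u64() takes a u32 divisor,
 * div64_u64() a u64 one. These return -1 on a zero divisor instead of trapping. */
static int model_div_u64(uint64_t dividend, uint32_t divisor, uint64_t *q)
{
    if (divisor == 0)
        return -1;              /* the kernel would raise a divide error here */
    *q = dividend / divisor;
    return 0;
}

static int model_div64_u64(uint64_t dividend, uint64_t divisor, uint64_t *q)
{
    if (divisor == 0)
        return -1;
    *q = dividend / divisor;
    return 0;
}

/* Hypothetical caller: checks rate != 0 as a u64, then divides by it. */
static int tokens_before_fix(uint64_t budget, uint64_t rate, uint64_t *tokens)
{
    if (rate == 0)
        return -2;              /* rejected by validation */
    /* rate is silently truncated to its low 32 bits at this call */
    return model_div_u64(budget, rate, tokens);
}

static int tokens_after_fix(uint64_t budget, uint64_t rate, uint64_t *tokens)
{
    if (rate == 0)
        return -2;
    return model_div64_u64(budget, rate, tokens);
}

int main(void)
{
    /* Constructed inputs: non-zero 64-bit rates, two with awkward low halves. */
    const uint64_t rates[] = { 1000, 1ULL << 45, (1ULL << 32) + 4 };
    for (size_t i = 0; i < sizeof(rates) / sizeof(rates[0]); i++) {
        uint64_t a = 0, b = 0;
        int ra = tokens_before_fix(1ULL << 50, rates[i], &a);
        int rb = tokens_after_fix(1ULL << 50, rates[i], &b);
        printf("rate=%#llx before rc=%d q=%llu, after rc=%d q=%llu\n", (unsigned long long)rates[i],
               ra, (unsigned long long)a, rb, (unsigned long long)b);
    }
    return 0;
}
```

A rate whose low 32 bits are zero passes the 64-bit non-zero check yet reaches the narrow helper as 0, and a rate with a small non-zero low half divides without faulting but yields the wrong quotient.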