1. 15 Jan, 2018 5 commits
    • Mike Maloney's avatar
      ipv6: fix udpv6 sendmsg crash caused by too small MTU · 749439bf
      Mike Maloney authored
      The logic in __ip6_append_data() assumes that the MTU is at least large
      enough for the headers.  A device's MTU may be adjusted after being
      added while sendmsg() is processing data, resulting in
      __ip6_append_data() seeing any MTU.  For an mtu smaller than the size of
      the fragmentation header, the math results in a negative 'maxfraglen',
      which causes problems when refragmenting any previous skb in the
      skb_write_queue, leaving it possibly malformed.
      
      Instead sendmsg returns EINVAL when the mtu is calculated to be less
      than IPV6_MIN_MTU.
      
      Found by syzkaller:
      kernel BUG at ./include/linux/skbuff.h:2064!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      task: ffff8801d0b68580 task.stack: ffff8801ac6b8000
      RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline]
      RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617
      RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216
      RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000
      RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0
      RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000
      R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8
      R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000
      FS:  00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       ip6_finish_skb include/net/ipv6.h:911 [inline]
       udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093
       udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363
       inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:643
       SYSC_sendto+0x352/0x5a0 net/socket.c:1750
       SyS_sendto+0x40/0x50 net/socket.c:1718
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      RIP: 0033:0x4512e9
      RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9
      RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005
      RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c
      R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69
      R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000
      Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba
      RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570
      RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarMike Maloney <maloney@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      749439bf
    • Arnd Bergmann's avatar
      net: cs89x0: add MODULE_LICENSE · 6200b430
      Arnd Bergmann authored
      This driver lacks a MODULE_LICENSE tag, leading to a Kbuild warning:
      
      WARNING: modpost: missing MODULE_LICENSE() in drivers/net/ethernet/cirrus/cs89x0.o
      
      This adds license, author, and description according to the
      comment block at the start of the file.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6200b430
    • Guillaume Nault's avatar
      ppp: unlock all_ppp_mutex before registering device · 0171c418
      Guillaume Nault authored
      ppp_dev_uninit(), which is the .ndo_uninit() handler of PPP devices,
      needs to lock pn->all_ppp_mutex. Therefore we mustn't call
      register_netdevice() with pn->all_ppp_mutex already locked, or we'd
      deadlock in case register_netdevice() fails and calls .ndo_uninit().
      
      Fortunately, we can unlock pn->all_ppp_mutex before calling
      register_netdevice(). This lock protects pn->units_idr, which isn't
      used in the device registration process.
      
      However, keeping pn->all_ppp_mutex locked during device registration
      did ensure that no device in transient state would be published in
      pn->units_idr. In practice, unlocking it before calling
      register_netdevice() doesn't change this property: ppp_unit_register()
      is called with 'ppp_mutex' locked and all searches done in
      pn->units_idr hold this lock too.
      
      Fixes: 8cb775bc ("ppp: fix device unregistration upon netns deletion")
      Reported-and-tested-by: syzbot+367889b9c9e279219175@syzkaller.appspotmail.com
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0171c418
    • Michael S. Tsirkin's avatar
      ptr_ring: document usage around __ptr_ring_peek · 66940f35
      Michael S. Tsirkin authored
      This explains why is the net usage of __ptr_ring_peek
      actually ok without locks.
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66940f35
    • Stephen Hemminger's avatar
      9p: add missing module license for xen transport · d542296a
      Stephen Hemminger authored
      The 9P of Xen module is missing required license and module information.
      See https://bugzilla.kernel.org/show_bug.cgi?id=198109Reported-by: default avatarAlan Bartlett <ajb@elrepo.org>
      Fixes: 868eb122 ("xen/9pfs: introduce Xen 9pfs transport driver")
      Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d542296a
  2. 14 Jan, 2018 1 commit
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 8155aedf
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-01-13
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Follow-up fix to the recent BPF out-of-bounds speculation
         fix that prevents max_entries overflows and an undefined
         behavior on 32 bit archs on index_mask calculation, from
         Daniel.
      
      2) Reject unsupported BPF_ARSH opcode in 32 bit ALU mode that
         was otherwise throwing an unknown opcode warning in the
         interpreter, from Daniel.
      
      3) Typo fix in one of the user facing verbose() messages that
         was added during the BPF out-of-bounds speculation fix,
         from Colin.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8155aedf
  3. 12 Jan, 2018 14 commits
  4. 11 Jan, 2018 3 commits
    • Eran Ben Elisha's avatar
      {net,ib}/mlx5: Don't disable local loopback multicast traffic when needed · 8978cc92
      Eran Ben Elisha authored
      There are systems platform information management interfaces (such as
      HOST2BMC) for which we cannot disable local loopback multicast traffic.
      
      Separate disable_local_lb_mc and disable_local_lb_uc capability bits so
      driver will not disable multicast loopback traffic if not supported.
      (It is expected that Firmware will not set disable_local_lb_mc if
      HOST2BMC is running for example.)
      
      Function mlx5_nic_vport_update_local_lb will do best effort to
      disable/enable UC/MC loopback traffic and return success only in case it
      succeeded to changed all allowed by Firmware.
      
      Adapt mlx5_ib and mlx5e to support the new cap bits.
      
      Fixes: 2c43c5a0 ("net/mlx5e: Enable local loopback in loopback selftest")
      Fixes: c85023e1 ("IB/mlx5: Add raw ethernet local loopback support")
      Fixes: bded747b ("net/mlx5: Add raw ethernet local loopback firmware command")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Cc: kernel-team@fb.com
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      8978cc92
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · cbd0a6a2
      Linus Torvalds authored
      Pull vfs regression fix from Al Viro/
      
      Fix a leak in socket() introduced by commit 8e1611e2 ("make
      sock_alloc_file() do sock_release() on failures").
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        Fix a leak in socket(2) when we fail to allocate a file descriptor.
      cbd0a6a2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 64fce444
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) BPF speculation prevention and BPF_JIT_ALWAYS_ON, from Alexei
          Starovoitov.
      
       2) Revert dev_get_random_name() changes as adjust the error code
          returns seen by userspace definitely breaks stuff.
      
       3) Fix TX DMA map/unmap on older iwlwifi devices, from Emmanuel
          Grumbach.
      
       4) From wrong AF family when requesting sock diag modules, from Andrii
          Vladyka.
      
       5) Don't add new ipv6 routes attached to the null_entry, from Wei Wang.
      
       6) Some SCTP sockopt length fixes from Marcelo Ricardo Leitner.
      
       7) Don't leak when removing VLAN ID 0, from Cong Wang.
      
       8) Hey there's a potential leak in ipv6_make_skb() too, from Eric
          Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (27 commits)
        ipv6: sr: fix TLVs not being copied using setsockopt
        ipv6: fix possible mem leaks in ipv6_make_skb()
        mlxsw: spectrum_qdisc: Don't use variable array in mlxsw_sp_tclass_congestion_enable
        mlxsw: pci: Wait after reset before accessing HW
        nfp: always unmask aux interrupts at init
        8021q: fix a memory leak for VLAN 0 device
        of_mdio: avoid MDIO bus removal when a PHY is missing
        caif_usb: use strlcpy() instead of strncpy()
        doc: clarification about setting SO_ZEROCOPY
        net: gianfar_ptp: move set_fipers() to spinlock protecting area
        sctp: make use of pre-calculated len
        sctp: add a ceiling to optlen in some sockopts
        sctp: GFP_ATOMIC is not needed in sctp_setsockopt_events
        bpf: introduce BPF_JIT_ALWAYS_ON config
        bpf: avoid false sharing of map refcount with max_entries
        ipv6: remove null_entry before adding default route
        SolutionEngine771x: add Ether TSU resource
        SolutionEngine771x: fix Ether platform data
        docs-rst: networking: wire up msg_zerocopy
        net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()
        ...
      64fce444
  5. 10 Jan, 2018 17 commits