1. 04 Jan, 2018 10 commits
    • Wei Wang's avatar
      ipv6: fix general protection fault in fib6_add() · 7bbfe00e
      Wei Wang authored
      In fib6_add(), pn could be NULL if fib6_add_1() failed to return a fib6
      node. Checking pn != fn before accessing pn->leaf makes sure pn is not
      NULL.
      This fixes the following GPF reported by syzkaller:
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 3201 Comm: syzkaller001778 Not tainted 4.15.0-rc5+ #151
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:fib6_add+0x736/0x15a0 net/ipv6/ip6_fib.c:1244
      RSP: 0018:ffff8801c7626a70 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000000020 RCX: ffffffff84794465
      RDX: 0000000000000004 RSI: ffff8801d38935f0 RDI: 0000000000000282
      RBP: ffff8801c7626da0 R08: 1ffff10038ec4c35 R09: 0000000000000000
      R10: ffff8801c7626c68 R11: 0000000000000000 R12: 00000000fffffffe
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000009
      FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:0000000009b70840
      CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 0000000020be1000 CR3: 00000001d585a006 CR4: 00000000001606f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       __ip6_ins_rt+0x6c/0x90 net/ipv6/route.c:1006
       ip6_route_multipath_add+0xd14/0x16c0 net/ipv6/route.c:3833
       inet6_rtm_newroute+0xdc/0x160 net/ipv6/route.c:3957
       rtnetlink_rcv_msg+0x733/0x1020 net/core/rtnetlink.c:4411
       netlink_rcv_skb+0x21e/0x460 net/netlink/af_netlink.c:2408
       rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4423
       netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
       netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1301
       netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1864
       sock_sendmsg_nosec net/socket.c:636 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:646
       sock_write_iter+0x31a/0x5d0 net/socket.c:915
       call_write_iter include/linux/fs.h:1772 [inline]
       do_iter_readv_writev+0x525/0x7f0 fs/read_write.c:653
       do_iter_write+0x154/0x540 fs/read_write.c:932
       compat_writev+0x225/0x420 fs/read_write.c:1246
       do_compat_writev+0x115/0x220 fs/read_write.c:1267
       C_SYSC_writev fs/read_write.c:1278 [inline]
       compat_SyS_writev+0x26/0x30 fs/read_write.c:1274
       do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
       do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
       entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:125
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 66f5d6ce ("ipv6: replace rwlock with rcu and spinlock in fib6_table")
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7bbfe00e
    • Mohamed Ghannam's avatar
      RDS: null pointer dereference in rds_atomic_free_op · 7d11f77f
      Mohamed Ghannam authored
      set rm->atomic.op_active to 0 when rds_pin_pages() fails
      or the user supplied address is invalid,
      this prevents a NULL pointer usage in rds_atomic_free_op()
      Signed-off-by: default avatarMohamed Ghannam <simo.ghannam@gmail.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7d11f77f
    • Sergei Shtylyov's avatar
      sh_eth: fix TSU resource handling · dfe8266b
      Sergei Shtylyov authored
      When switching  the driver to the managed device API,  I managed to break
      the  case of a  dual Ether devices sharing a single TSU: the 2nd Ether port
      wouldn't probe. Iwamatsu-san has tried to fix this but his patch was buggy
      and he then dropped the ball...
      
      The solution is to  limit calling devm_request_mem_region() to the first
      of  the two  ports  sharing the same TSU, so devm_ioremap_resource() can't
      be used anymore for the TSU resource...
      
      Fixes: d5e07e69 ("sh_eth: use managed device API")
      Reported-by: default avatarNobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dfe8266b
    • Jerome Brunet's avatar
      net: stmmac: enable EEE in MII, GMII or RGMII only · 879626e3
      Jerome Brunet authored
      Note in the databook - Section 4.4 - EEE :
      " The EEE feature is not supported when the MAC is configured to use the
      TBI, RTBI, SMII, RMII or SGMII single PHY interface. Even if the MAC
      supports multiple PHY interfaces, you should activate the EEE mode only
      when the MAC is operating with GMII, MII, or RGMII interface."
      
      Applying this restriction solves a stability issue observed on Amlogic
      gxl platforms operating with RMII interface and the internal PHY.
      
      Fixes: 83bf79b6 ("stmmac: disable at run-time the EEE if not supported")
      Signed-off-by: default avatarJerome Brunet <jbrunet@baylibre.com>
      Tested-by: default avatarArnaud Patard <arnaud.patard@rtp-net.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      879626e3
    • Andrei Vagin's avatar
      rtnetlink: give a user socket to get_target_net() · f428fe4a
      Andrei Vagin authored
      This function is used from two places: rtnl_dump_ifinfo and
      rtnl_getlink. In rtnl_getlink(), we give a request skb into
      get_target_net(), but in rtnl_dump_ifinfo, we give a response skb
      into get_target_net().
      The problem here is that NETLINK_CB() isn't initialized for the response
      skb. In both cases we can get a user socket and give it instead of skb
      into get_target_net().
      
      This bug was found by syzkaller with this call-trace:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Modules linked in:
      CPU: 1 PID: 3149 Comm: syzkaller140561 Not tainted 4.15.0-rc4-mm1+ #47
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:__netlink_ns_capable+0x8b/0x120 net/netlink/af_netlink.c:868
      RSP: 0018:ffff8801c880f348 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8443f900
      RDX: 000000000000007b RSI: ffffffff86510f40 RDI: 00000000000003d8
      RBP: ffff8801c880f360 R08: 0000000000000000 R09: 1ffff10039101e4f
      R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86510f40
      R13: 000000000000000c R14: 0000000000000004 R15: 0000000000000011
      FS:  0000000001a1a880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020151000 CR3: 00000001c9511005 CR4: 00000000001606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        netlink_ns_capable+0x26/0x30 net/netlink/af_netlink.c:886
        get_target_net+0x9d/0x120 net/core/rtnetlink.c:1765
        rtnl_dump_ifinfo+0x2e5/0xee0 net/core/rtnetlink.c:1806
        netlink_dump+0x48c/0xce0 net/netlink/af_netlink.c:2222
        __netlink_dump_start+0x4f0/0x6d0 net/netlink/af_netlink.c:2319
        netlink_dump_start include/linux/netlink.h:214 [inline]
        rtnetlink_rcv_msg+0x7f0/0xb10 net/core/rtnetlink.c:4485
        netlink_rcv_skb+0x21e/0x460 net/netlink/af_netlink.c:2441
        rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4540
        netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
        netlink_unicast+0x4be/0x6a0 net/netlink/af_netlink.c:1334
        netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
      
      Cc: Jiri Benc <jbenc@redhat.com>
      Fixes: 79e1ad14 ("rtnetlink: use netnsid to query interface")
      Signed-off-by: default avatarAndrei Vagin <avagin@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f428fe4a
    • Pravin B Shelar's avatar
      fb32dd3a
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2018-01-04' of... · af8530cb
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2018-01-04' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Two fixes:
       * drop mesh frames appearing to be from ourselves
       * check another netlink attribute for existence
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af8530cb
    • Florian Fainelli's avatar
      net: dsa: b53: Turn off Broadcom tags for more switches · 54e98b5d
      Florian Fainelli authored
      Models such as BCM5395/97/98 and BCM53125/24/53115 and compatible require that
      we turn on managed mode to actually act on Broadcom tags, otherwise they just
      pass them through on ingress (host -> switch) and don't insert them in egress
      (switch -> host). Turning on managed mode is simple, but requires us to
      properly support ARL misses on multicast addresses which is a much more
      involved set of changes not suitable for a bug fix for this release.
      Reported-by: default avatarJochen Friedrich <jochen@scram.de>
      Fixes: 7edc58d6 ("net: dsa: b53: Turn on Broadcom tags")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      54e98b5d
    • Johannes Berg's avatar
      mac80211: mesh: drop frames appearing to be from us · 736a80bb
      Johannes Berg authored
      If there are multiple mesh stations with the same MAC address,
      they will both get confused and start throwing warnings.
      
      Obviously in this case nothing can actually work anyway, so just
      drop frames that look like they're from ourselves early on.
      Reported-by: default avatarGui Iribarren <gui@altermundi.net>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      736a80bb
    • Hao Chen's avatar
      nl80211: Check for the required netlink attribute presence · 3ea15452
      Hao Chen authored
      nl80211_nan_add_func() does not check if the required attribute
      NL80211_NAN_FUNC_FOLLOW_UP_DEST is present when processing
      NL80211_CMD_ADD_NAN_FUNCTION request. This request can be issued
      by users with CAP_NET_ADMIN privilege and may result in NULL dereference
      and a system crash. Add a check for the required attribute presence.
      Signed-off-by: default avatarHao Chen <flank3rsky@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3ea15452
  2. 03 Jan, 2018 20 commits
  3. 02 Jan, 2018 10 commits