1. 17 Jul, 2016 4 commits
  2. 15 Jul, 2016 14 commits
  3. 14 Jul, 2016 1 commit
    • Beniamino Galvani's avatar
      bonding: set carrier off for devices created through netlink · 005db31d
      Beniamino Galvani authored
      Commit e826eafa ("bonding: Call netif_carrier_off after
      register_netdevice") moved netif_carrier_off() from bond_init() to
      bond_create(), but the latter is called only for initial default
      devices and ones created through sysfs:
      
       $ modprobe bonding
       $ echo +bond1 > /sys/class/net/bonding_masters
       $ ip link add bond2 type bond
       $ grep "MII Status" /proc/net/bonding/*
       /proc/net/bonding/bond0:MII Status: down
       /proc/net/bonding/bond1:MII Status: down
       /proc/net/bonding/bond2:MII Status: up
      
      Ensure that carrier is initially off also for devices created through
      netlink.
      Signed-off-by: default avatarBeniamino Galvani <bgalvani@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      005db31d
  4. 13 Jul, 2016 9 commits
    • David S. Miller's avatar
      Merge branch 'sk_filter-trim-limit' · 790e5ef5
      David S. Miller authored
      Willem de Bruijn says:
      
      ====================
      limit sk_filter trim to payload
      
      Sockets can apply a filter to incoming packets to drop or trim them.
      Fix two codepaths that call skb_pull/__skb_pull after sk_filter
      without checking for packet length.
      
      Reading beyond skb->tail after trimming happens in more codepaths, but
      safety of reading in the linear segment is based on minimum allocation
      size (MAX_HEADER, GRO_MAX_HEAD, ..).
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      790e5ef5
    • Willem de Bruijn's avatar
      dccp: limit sk_filter trim to payload · 4f0c40d9
      Willem de Bruijn authored
      Dccp verifies packet integrity, including length, at initial rcv in
      dccp_invalid_packet, later pulls headers in dccp_enqueue_skb.
      
      A call to sk_filter in-between can cause __skb_pull to wrap skb->len.
      skb_copy_datagram_msg interprets this as a negative value, so
      (correctly) fails with EFAULT. The negative length is reported in
      ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close.
      
      Introduce an sk_receive_skb variant that caps how small a filter
      program can trim packets, and call this in dccp with the header
      length. Excessively trimmed packets are now processed normally and
      queued for reception as 0B payloads.
      
      Fixes: 7c657876 ("[DCCP]: Initial implementation")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f0c40d9
    • Willem de Bruijn's avatar
      rose: limit sk_filter trim to payload · f4979fce
      Willem de Bruijn authored
      Sockets can have a filter program attached that drops or trims
      incoming packets based on the filter program return value.
      
      Rose requires data packets to have at least ROSE_MIN_LEN bytes. It
      verifies this on arrival in rose_route_frame and unconditionally pulls
      the bytes in rose_recvmsg. The filter can trim packets to below this
      value in-between, causing pull to fail, leaving the partial header at
      the time of skb_copy_datagram_msg.
      
      Place a lower bound on the size to which sk_filter may trim packets
      by introducing sk_filter_trim_cap and call this for rose packets.
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4979fce
    • David S. Miller's avatar
      Merge branch 'mlx5-fixes' · 22cb99fb
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5 tx timeout watchdog fixes
      
      This patch set provides two trivial fixes for the tx timeout series lately
      applied into net 4.7.
      
      From Daniel, detect stuck queues due to BQL
      From Mohamad, fix tx timeout watchdog false alarm
      
      Hopefully those two fixes will make it to -stable, assuming
      3947ca18 ('net/mlx5e: Implement ndo_tx_timeout callback') was also backported to -stable.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22cb99fb
    • Mohamad Haj Yahia's avatar
      net/mlx5e: start/stop all tx queues upon open/close netdev · c3b7c5c9
      Mohamad Haj Yahia authored
      Start all tx queues (including inactive ones) when opening the netdev.
      Stop all tx queues (including inactive ones) when closing the netdev.
      
      This is a workaround for the tx timeout watchdog false alarm issue in
      which the netdev watchdog is polling all the tx queues which may include
      inactive queues and thus once lowering the real tx queues number
      (ethtool -L) it will generate tx timeout watchdog false alarms.
      
      Fixes: 3947ca18 ('net/mlx5e: Implement ndo_tx_timeout callback')
      Signed-off-by: default avatarMohamad Haj Yahia <mohamad@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c3b7c5c9
    • Daniel Jurgens's avatar
      net/mlx5e: Fix TX Timeout to detect queues stuck on BQL · 2c1ccc99
      Daniel Jurgens authored
      Change netif_tx_queue_stopped to netif_xmit_stopped.  This will show
      when queues are stopped due to byte queue limits.
      
      Fixes: 3947ca18 ('net/mlx5e: Implement ndo_tx_timeout callback')
      Signed-off-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2c1ccc99
    • David S. Miller's avatar
      Merge branch 'ethoc-fixes' · ea43f860
      David S. Miller authored
      Florian Fainelli says:
      
      ====================
      net: ethoc: Error path and transmit fixes
      
      This patch series contains two patches for the ethoc driver while testing on a
      TS-7300 board where ethoc is provided by an on-board FPGA.
      
      First patch was cooked after chasing crashes with invalid resources passed to
      the driver.
      
      Second patch was cooked after seeing that an interface configured with IP
      192.168.2.2 was sending ARP packets for 192.168.0.0, no wonder why it could not
      work.
      
      I don't have access to any other platform using an ethoc interface so
      it could be good to some testing on Xtensa for instance.
      
      Changes in v3:
      
      - corrected the error path if skb_put_padto() fails, thanks to Max
        for spotting this!
      
      Changes in v2:
      
      - fixed the first commit message
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ea43f860
    • Florian Fainelli's avatar
      net: ethoc: Correctly pad short packets · ee6c21b9
      Florian Fainelli authored
      Even though the hardware can be doing zero padding, we want the SKB to
      be going out on the wire with the appropriate size. This fixes packet
      truncations observed with e.g: ARP packets.
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee6c21b9
    • Florian Fainelli's avatar
      net: ethoc: Fix early error paths · 386512d1
      Florian Fainelli authored
      In case any operation fails before we can successfully go the point
      where we would register a MDIO bus, we would be going to an error label
      which involves unregistering then freeing this yet to be created MDIO
      bus. Update all error paths to go to label free which is the only one
      valid until either the clock is enabled, or the MDIO bus is allocated
      and registered. This fixes kernel oops observed while trying to
      dereference the MDIO bus structure which is not yet allocated.
      
      Fixes: a1702857 ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      386512d1
  5. 12 Jul, 2016 8 commits
    • Noam Camus's avatar
      net: nps_enet: Fix PCS reset · 136ab0d0
      Noam Camus authored
      During commit b54b8c2d
       ("net: ezchip: adapt driver to little endian architecture")
       adapting to little endian architecture,
       zeroing of controller was left out.
      Signed-off-by: default avatarElad Kanfi <eladkan@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      136ab0d0
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 92a03eb0
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      The following patchset contains Netfilter/IPVS fixes for your net tree.
      they are:
      
      1) Fix leak in the error path of nft_expr_init(), from Liping Zhang.
      
      2) Tracing from nf_tables cannot be disabled, also from Zhang.
      
      3) Fix an integer overflow on 32bit archs when setting the number of
         hashtable buckets, from Florian Westphal.
      
      4) Fix configuration of ipvs sync in backup mode with IPv6 address,
         from Quentin Armitage via Simon Horman.
      
      5) Fix incorrect timeout calculation in nft_ct NFT_CT_EXPIRATION,
         from Florian Westphal.
      
      6) Skip clash resolution in conntrack insertion races if NAT is in
         place.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      92a03eb0
    • Pablo Neira Ayuso's avatar
      netfilter: conntrack: skip clash resolution if nat is in place · 590b52e1
      Pablo Neira Ayuso authored
      The clash resolution is not easy to apply if the NAT table is
      registered. Even if no NAT rules are installed, the nul-binding ensures
      that a unique tuple is used, thus, the packet that loses race gets a
      different source port number, as described by:
      
      http://marc.info/?l=netfilter-devel&m=146818011604484&w=2
      
      Clash resolution with NAT is also problematic if addresses/port range
      ports are used since the conntrack that wins race may describe a
      different mangling that we may have earlier applied to the packet via
      nf_nat_setup_info().
      
      Fixes: 71d8c47f ("netfilter: conntrack: introduce clash resolution on insertion race")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Tested-by: default avatarMarc Dionne <marc.c.dionne@gmail.com>
      590b52e1
    • David S. Miller's avatar
      Merge branch 'tipc-fixes' · ce9a4f31
      David S. Miller authored
      Jon Maloy says:
      
      ====================
      tipc: three small fixes
      
      Fixes for some broadcast link problems that may occur in large systems.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce9a4f31
    • Jon Paul Maloy's avatar
      tipc: reset all unicast links when broadcast send link fails · 1fc07f3e
      Jon Paul Maloy authored
      In test situations with many nodes and a heavily stressed system we have
      observed that the transmission broadcast link may fail due to an
      excessive number of retransmissions of the same packet. In such
      situations we need to reset all unicast links to all peers, in order to
      reset and re-synchronize the broadcast link.
      
      In this commit, we add a new function tipc_bearer_reset_all() to be used
      in such situations. The function scans across all bearers and resets all
      their pertaining links.
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1fc07f3e
    • Jon Paul Maloy's avatar
      tipc: ensure correct broadcast send buffer release when peer is lost · a71eb720
      Jon Paul Maloy authored
      After a new receiver peer has been added to the broadcast transmission
      link, we allow immediate transmission of new broadcast packets, trusting
      that the new peer will not accept the packets until it has received the
      previously sent unicast broadcast initialiation message. In the same
      way, the sender must not accept any acknowledges until it has itself
      received the broadcast initialization from the peer, as well as
      confirmation of the reception of its own initialization message.
      
      Furthermore, when a receiver peer goes down, the sender has to produce
      the missing acknowledges from the lost peer locally, in order ensure
      correct release of the buffers that were expected to be acknowledged by
      the said peer.
      
      In a highly stressed system we have observed that contact with a peer
      may come up and be lost before the above mentioned broadcast initial-
      ization and confirmation have been received. This leads to the locally
      produced acknowledges being rejected, and the non-acknowledged buffers
      to linger in the broadcast link transmission queue until it fills up
      and the link goes into permanent congestion.
      
      In this commit, we remedy this by temporarily setting the corresponding
      broadcast receive link state to ESTABLISHED and the 'bc_peer_is_up'
      state to true before we issue the local acknowledges. This ensures that
      those acknowledges will always be accepted. The mentioned state values
      are restored immediately afterwards when the link is reset.
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a71eb720
    • Jon Paul Maloy's avatar
      tipc: extend broadcast link initialization criteria · 2d18ac4b
      Jon Paul Maloy authored
      At first contact between two nodes, an endpoint might sometimes have
      time to send out a LINK_PROTOCOL/STATE packet before it has received
      the broadcast initialization packet from the peer, i.e., before it has
      received a valid broadcast packet number to add to the 'bc_ack' field
      of the protocol message.
      
      This means that the peer endpoint will receive a protocol packet with an
      invalid broadcast acknowledge value of 0. Under unlucky circumstances
      this may lead to the original, already received acknowledge value being
      overwritten, so that the whole broadcast link goes stale after a while.
      
      We fix this by delaying the setting of the link field 'bc_peer_is_up'
      until we know that the peer really has received our own broadcast
      initialization message. The latter is always sent out as the first
      unicast message on a link, and always with seqeunce number 1. Because
      of this, we only need to look for a non-zero unicast acknowledge value
      in the arriving STATE messages, and once that is confirmed we know we
      are safe and can set the mentioned field. Before this moment, we must
      ignore all broadcast acknowledges from the peer.
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d18ac4b
    • Mario Limonciello's avatar
      r8152: Add support for setting pass through MAC address on RTL8153-AD · 34ee32c9
      Mario Limonciello authored
      The RTL8153-AD supports a persistent system specific MAC address.
      This means a device plugged into two different systems with host side
      support will show different (but persistent) MAC addresses.
      
      This information for the system's persistent MAC address is burned in when
      the system HW is built and available under \_SB.AMAC in the DSDT at runtime.
      
      This technology is currently implemented in the Dell TB15 and WD15 Type-C
      docks.  More information is available here:
      http://www.dell.com/support/article/us/en/04/SLN301147Signed-off-by: default avatarMario Limonciello <mario_limonciello@dell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      34ee32c9
  6. 11 Jul, 2016 4 commits
    • Soheil Hassas Yeganeh's avatar
      sock: ignore SCM_RIGHTS and SCM_CREDENTIALS in __sock_cmsg_send · 779f1ede
      Soheil Hassas Yeganeh authored
      Sergei Trofimovich reported that pulse audio sends SCM_CREDENTIALS
      as a control message to TCP. Since __sock_cmsg_send does not
      support SCM_RIGHTS and SCM_CREDENTIALS, it returns an error and
      hence breaks pulse audio over TCP.
      
      SCM_RIGHTS and SCM_CREDENTIALS are sent on the SOL_SOCKET layer
      but they semantically belong to SOL_UNIX. Since all
      cmsg-processing functions including sock_cmsg_send ignore control
      messages of other layers, it is best to ignore SCM_RIGHTS
      and SCM_CREDENTIALS for consistency (and also for fixing pulse
      audio over TCP).
      
      Fixes: c14ac945 ("sock: enable timestamping using control messages")
      Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Reported-by: default avatarSergei Trofimovich <slyfox@gentoo.org>
      Tested-by: default avatarSergei Trofimovich <slyfox@gentoo.org>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      779f1ede
    • Julian Anastasov's avatar
      ipv4: reject RTNH_F_DEAD and RTNH_F_LINKDOWN from user space · 80610229
      Julian Anastasov authored
      Vegard Nossum is reporting for a crash in fib_dump_info
      when nh_dev = NULL and fib_nhs == 1:
      
      Pid: 50, comm: netlink.exe Not tainted 4.7.0-rc5+
      RIP: 0033:[<00000000602b3d18>]
      RSP: 0000000062623890  EFLAGS: 00010202
      RAX: 0000000000000000 RBX: 000000006261b800 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000024 RDI: 000000006245ba00
      RBP: 00000000626238f0 R08: 000000000000029c R09: 0000000000000000
      R10: 0000000062468038 R11: 000000006245ba00 R12: 000000006245ba00
      R13: 00000000625f96c0 R14: 00000000601e16f0 R15: 0000000000000000
      Kernel panic - not syncing: Kernel mode fault at addr 0x2e0, ip 0x602b3d18
      CPU: 0 PID: 50 Comm: netlink.exe Not tainted 4.7.0-rc5+ #581
      Stack:
       626238f0 960226a02 00000400 000000fe
       62623910 600afca7 62623970 62623a48
       62468038 00000018 00000000 00000000
      Call Trace:
       [<602b3e93>] rtmsg_fib+0xd3/0x190
       [<602b6680>] fib_table_insert+0x260/0x500
       [<602b0e5d>] inet_rtm_newroute+0x4d/0x60
       [<60250def>] rtnetlink_rcv_msg+0x8f/0x270
       [<60267079>] netlink_rcv_skb+0xc9/0xe0
       [<60250d4b>] rtnetlink_rcv+0x3b/0x50
       [<60265400>] netlink_unicast+0x1a0/0x2c0
       [<60265e47>] netlink_sendmsg+0x3f7/0x470
       [<6021dc9a>] sock_sendmsg+0x3a/0x90
       [<6021e0d0>] ___sys_sendmsg+0x300/0x360
       [<6021fa64>] __sys_sendmsg+0x54/0xa0
       [<6021fac0>] SyS_sendmsg+0x10/0x20
       [<6001ea68>] handle_syscall+0x88/0x90
       [<600295fd>] userspace+0x3fd/0x500
       [<6001ac55>] fork_handler+0x85/0x90
      
      $ addr2line -e vmlinux -i 0x602b3d18
      include/linux/inetdevice.h:222
      net/ipv4/fib_semantics.c:1264
      
      Problem happens when RTNH_F_LINKDOWN is provided from user space
      when creating routes that do not use the flag, catched with
      netlink fuzzer.
      
      Currently, the kernel allows user space to set both flags
      to nh_flags and fib_flags but this is not intentional, the
      assumption was that they are not set. Fix this by rejecting
      both flags with EINVAL.
      Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Fixes: 0eeb075f ("net: ipv4 sysctl option to ignore routes when nexthop link is down")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
      Cc: Dinesh Dutt <ddutt@cumulusnetworks.com>
      Cc: Scott Feldman <sfeldma@gmail.com>
      Reviewed-by: default avatarAndy Gospodarek <gospo@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      80610229
    • Eric Dumazet's avatar
      tcp: make challenge acks less predictable · 75ff39cc
      Eric Dumazet authored
      Yue Cao claims that current host rate limiting of challenge ACKS
      (RFC 5961) could leak enough information to allow a patient attacker
      to hijack TCP sessions. He will soon provide details in an academic
      paper.
      
      This patch increases the default limit from 100 to 1000, and adds
      some randomization so that the attacker can no longer hijack
      sessions without spending a considerable amount of probes.
      
      Based on initial analysis and patch from Linus.
      
      Note that we also have per socket rate limiting, so it is tempting
      to remove the host limit in the future.
      
      v2: randomize the count of challenge acks per second, not the period.
      
      Fixes: 282f23c6 ("tcp: implement RFC 5961 3.2")
      Reported-by: default avatarYue Cao <ycao009@ucr.edu>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      75ff39cc
    • Michal Kubeček's avatar
      udp: prevent bugcheck if filter truncates packet too much · a6127697
      Michal Kubeček authored
      If socket filter truncates an udp packet below the length of UDP header
      in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
      BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
      kernel is configured that way) can be easily enforced by an unprivileged
      user which was reported as CVE-2016-6162. For a reproducer, see
      http://seclists.org/oss-sec/2016/q3/8
      
      Fixes: e6afc8ac ("udp: remove headers from UDP packets before queueing")
      Reported-by: default avatarMarco Grassi <marco.gra@gmail.com>
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a6127697