1. 08 Apr, 2016 2 commits
    • Roopa Prabhu's avatar
      mpls: find_outdev: check for err ptr in addition to NULL check · 94a57f1f
      Roopa Prabhu authored
      find_outdev calls inet{,6}_fib_lookup_dev() or dev_get_by_index() to
      find the output device. In case of an error, inet{,6}_fib_lookup_dev()
      returns error pointer and dev_get_by_index() returns NULL. But the function
      only checks for NULL and thus can end up calling dev_put on an ERR_PTR.
      This patch adds an additional check for err ptr after the NULL check.
      
      Before: Trying to add an mpls route with no oif from user, no available
      path to 10.1.1.8 and no default route:
      $ip -f mpls route add 100 as 200 via inet 10.1.1.8
      [  822.337195] BUG: unable to handle kernel NULL pointer dereference at
      00000000000003a3
      [  822.340033] IP: [<ffffffff8148781e>] mpls_nh_assign_dev+0x10b/0x182
      [  822.340033] PGD 1db38067 PUD 1de9e067 PMD 0
      [  822.340033] Oops: 0000 [#1] SMP
      [  822.340033] Modules linked in:
      [  822.340033] CPU: 0 PID: 11148 Comm: ip Not tainted 4.5.0-rc7+ #54
      [  822.340033] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org
      04/01/2014
      [  822.340033] task: ffff88001db82580 ti: ffff88001dad4000 task.ti:
      ffff88001dad4000
      [  822.340033] RIP: 0010:[<ffffffff8148781e>]  [<ffffffff8148781e>]
      mpls_nh_assign_dev+0x10b/0x182
      [  822.340033] RSP: 0018:ffff88001dad7a88  EFLAGS: 00010282
      [  822.340033] RAX: ffffffffffffff9b RBX: ffffffffffffff9b RCX:
      0000000000000002
      [  822.340033] RDX: 00000000ffffff9b RSI: 0000000000000008 RDI:
      0000000000000000
      [  822.340033] RBP: ffff88001ddc9ea0 R08: ffff88001e9f1768 R09:
      0000000000000000
      [  822.340033] R10: ffff88001d9c1100 R11: ffff88001e3c89f0 R12:
      ffffffff8187e0c0
      [  822.340033] R13: ffffffff8187e0c0 R14: ffff88001ddc9e80 R15:
      0000000000000004
      [  822.340033] FS:  00007ff9ed798700(0000) GS:ffff88001fc00000(0000)
      knlGS:0000000000000000
      [  822.340033] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  822.340033] CR2: 00000000000003a3 CR3: 000000001de89000 CR4:
      00000000000006f0
      [  822.340033] Stack:
      [  822.340033]  0000000000000000 0000000100000000 0000000000000000
      0000000000000000
      [  822.340033]  0000000000000000 0801010a00000000 0000000000000000
      0000000000000000
      [  822.340033]  0000000000000004 ffffffff8148749b ffffffff8187e0c0
      000000000000001c
      [  822.340033] Call Trace:
      [  822.340033]  [<ffffffff8148749b>] ? mpls_rt_alloc+0x2b/0x3e
      [  822.340033]  [<ffffffff81488e66>] ? mpls_rtm_newroute+0x358/0x3e2
      [  822.340033]  [<ffffffff810e7bbc>] ? get_page+0x5/0xa
      [  822.340033]  [<ffffffff813b7d94>] ? rtnetlink_rcv_msg+0x17e/0x191
      [  822.340033]  [<ffffffff8111794e>] ? __kmalloc_track_caller+0x8c/0x9e
      [  822.340033]  [<ffffffff813c9393>] ?
      rht_key_hashfn.isra.20.constprop.57+0x14/0x1f
      [  822.340033]  [<ffffffff813b7c16>] ? __rtnl_unlock+0xc/0xc
      [  822.340033]  [<ffffffff813cb794>] ? netlink_rcv_skb+0x36/0x82
      [  822.340033]  [<ffffffff813b4507>] ? rtnetlink_rcv+0x1f/0x28
      [  822.340033]  [<ffffffff813cb2b1>] ? netlink_unicast+0x106/0x189
      [  822.340033]  [<ffffffff813cb5b3>] ? netlink_sendmsg+0x27f/0x2c8
      [  822.340033]  [<ffffffff81392ede>] ? sock_sendmsg_nosec+0x10/0x1b
      [  822.340033]  [<ffffffff81393df1>] ? ___sys_sendmsg+0x182/0x1e3
      [  822.340033]  [<ffffffff810e4f35>] ?
      __alloc_pages_nodemask+0x11c/0x1e4
      [  822.340033]  [<ffffffff8110619c>] ? PageAnon+0x5/0xd
      [  822.340033]  [<ffffffff811062fe>] ? __page_set_anon_rmap+0x45/0x52
      [  822.340033]  [<ffffffff810e7bbc>] ? get_page+0x5/0xa
      [  822.340033]  [<ffffffff810e85ab>] ? __lru_cache_add+0x1a/0x3a
      [  822.340033]  [<ffffffff81087ea9>] ? current_kernel_time64+0x9/0x30
      [  822.340033]  [<ffffffff813940c4>] ? __sys_sendmsg+0x3c/0x5a
      [  822.340033]  [<ffffffff8148f597>] ?
      entry_SYSCALL_64_fastpath+0x12/0x6a
      [  822.340033] Code: 83 08 04 00 00 65 ff 00 48 8b 3c 24 e8 40 7c f2 ff
      eb 13 48 c7 c3 9f ff ff ff eb 0f 89 ce e8 f1 ae f1 ff 48 89 c3 48 85 db
      74 15 <48> 8b 83 08 04 00 00 65 ff 08 48 81 fb 00 f0 ff ff 76 0d eb 07
      [  822.340033] RIP  [<ffffffff8148781e>] mpls_nh_assign_dev+0x10b/0x182
      [  822.340033]  RSP <ffff88001dad7a88>
      [  822.340033] CR2: 00000000000003a3
      [  822.435363] ---[ end trace 98cc65e6f6b8bf11 ]---
      
      After patch:
      $ip -f mpls route add 100 as 200 via inet 10.1.1.8
      RTNETLINK answers: Network is unreachable
      Signed-off-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Reported-by: default avatarDavid Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      94a57f1f
    • Jakub Sitnicki's avatar
      ipv6: Count in extension headers in skb->network_header · 3ba3458f
      Jakub Sitnicki authored
      When sending a UDPv6 message longer than MTU, account for the length
      of fragmentable IPv6 extension headers in skb->network_header offset.
      Same as we do in alloc_new_skb path in __ip6_append_data().
      
      This ensures that later on __ip6_make_skb() will make space in
      headroom for fragmentable extension headers:
      
      	/* move skb->data to ip header from ext header */
      	if (skb->data < skb_network_header(skb))
      		__skb_pull(skb, skb_network_offset(skb));
      
      Prevents a splat due to skb_under_panic:
      
      skbuff: skb_under_panic: text:ffffffff8143397b len:2126 put:14 \
      head:ffff880005bacf50 data:ffff880005bacf4a tail:0x48 end:0xc0 dev:lo
      ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:104!
      invalid opcode: 0000 [#1] KASAN
      CPU: 0 PID: 160 Comm: reproducer Not tainted 4.6.0-rc2 #65
      [...]
      Call Trace:
       [<ffffffff813eb7b9>] skb_push+0x79/0x80
       [<ffffffff8143397b>] eth_header+0x2b/0x100
       [<ffffffff8141e0d0>] neigh_resolve_output+0x210/0x310
       [<ffffffff814eab77>] ip6_finish_output2+0x4a7/0x7c0
       [<ffffffff814efe3a>] ip6_output+0x16a/0x280
       [<ffffffff815440c1>] ip6_local_out+0xb1/0xf0
       [<ffffffff814f1115>] ip6_send_skb+0x45/0xd0
       [<ffffffff81518836>] udp_v6_send_skb+0x246/0x5d0
       [<ffffffff8151985e>] udpv6_sendmsg+0xa6e/0x1090
      [...]
      Reported-by: default avatarJi Jianwen <jiji@redhat.com>
      Signed-off-by: default avatarJakub Sitnicki <jkbs@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ba3458f
  2. 07 Apr, 2016 3 commits
  3. 06 Apr, 2016 15 commits
  4. 05 Apr, 2016 8 commits
  5. 04 Apr, 2016 3 commits
  6. 02 Apr, 2016 4 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 05cf8077
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Missing device reference in IPSEC input path results in crashes
          during device unregistration.  From Subash Abhinov Kasiviswanathan.
      
       2) Per-queue ISR register writes not being done properly in macb
          driver, from Cyrille Pitchen.
      
       3) Stats accounting bugs in bcmgenet, from Patri Gynther.
      
       4) Lightweight tunnel's TTL and TOS were swapped in netlink dumps, from
          Quentin Armitage.
      
       5) SXGBE driver has off-by-one in probe error paths, from Rasmus
          Villemoes.
      
       6) Fix race in save/swap/delete options in netfilter ipset, from
          Vishwanath Pai.
      
       7) Ageing time of bridge not set properly when not operating over a
          switchdev device.  Fix from Haishuang Yan.
      
       8) Fix GRO regression wrt nested FOU/GUE based tunnels, from Alexander
          Duyck.
      
       9) IPV6 UDP code bumps wrong stats, from Eric Dumazet.
      
      10) FEC driver should only access registers that actually exist on the
          given chipset, fix from Fabio Estevam.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
        net: mvneta: fix changing MTU when using per-cpu processing
        stmmac: fix MDIO settings
        Revert "stmmac: Fix 'eth0: No PHY found' regression"
        stmmac: fix TX normal DESC
        net: mvneta: use cache_line_size() to get cacheline size
        net: mvpp2: use cache_line_size() to get cacheline size
        net: mvpp2: fix maybe-uninitialized warning
        tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter
        net: usb: cdc_ncm: adding Telit LE910 V2 mobile broadband card
        rtnl: fix msg size calculation in if_nlmsg_size()
        fec: Do not access unexisting register in Coldfire
        net: mvneta: replace MVNETA_CPU_D_CACHE_LINE_SIZE with L1_CACHE_BYTES
        net: mvpp2: replace MVPP2_CPU_D_CACHE_LINE_SIZE with L1_CACHE_BYTES
        net: dsa: mv88e6xxx: Clear the PDOWN bit on setup
        net: dsa: mv88e6xxx: Introduce _mv88e6xxx_phy_page_{read, write}
        bpf: make padding in bpf_tunnel_key explicit
        ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates
        bnxt_en: Fix ethtool -a reporting.
        bnxt_en: Fix typo in bnxt_hwrm_set_pause_common().
        bnxt_en: Implement proper firmware message padding.
        ...
      05cf8077
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · cf78031a
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A handful of const updates for reset ops and a couple fixes to the
        newly introduced IPQ4019 clock driver"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: qcom: ipq4019: add some fixed clocks for ddrppl and fepll
        clk: qcom: ipq4019: switch remaining defines to enums
        clk: qcom: Make reset_control_ops const
        clk: tegra: Make reset_control_ops const
        clk: sunxi: Make reset_control_ops const
        clk: atlas7: Make reset_control_ops const
        clk: rockchip: Make reset_control_ops const
        clk: mmp: Make reset_control_ops const
        clk: mediatek: Make reset_control_ops const
      cf78031a
    • Linus Torvalds's avatar
      Merge tag 'pm+acpi-4.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 1826907c
      Linus Torvalds authored
      Pull power management and ACPI fix from Rafael J. Wysocki:
       "Just one fix for a nasty boot failure on some systems based on Intel
        Skylake that shipped with broken firmware where enabling
        hardware-coordinated P-states management (HWP) causes a faulty
        interrupt handler in SMM to be invoked and crash the system (Srinivas
        Pandruvada)"
      
      * tag 'pm+acpi-4.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / processor: Request native thermal interrupt handling via _OSC
      1826907c
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 4e19fd93
      Linus Torvalds authored
      Merge fixes from Andrew Morton:
       "11 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        .mailmap: add Christophe Ricard
        Make CONFIG_FHANDLE default y
        mm/page_isolation.c: fix the function comments
        oom, oom_reaper: do not enqueue task if it is on the oom_reaper_list head
        mm/page_isolation: fix tracepoint to mirror check function behavior
        mm/rmap: batched invalidations should use existing api
        x86/mm: TLB_REMOTE_SEND_IPI should count pages
        mm: fix invalid node in alloc_migrate_target()
        include/linux/huge_mm.h: return NULL instead of false for pmd_trans_huge_lock()
        mm, kasan: fix compilation for CONFIG_SLAB
        MAINTAINERS: orangefs mailing list is subscribers-only
      4e19fd93
  7. 01 Apr, 2016 5 commits