1. 21 Nov, 2014 9 commits
    • Calvin Owens's avatar
      tcp: Restore RFC5961-compliant behavior for SYN packets · 0c228e83
      Calvin Owens authored
      Commit c3ae62af ("tcp: should drop incoming frames without ACK
      flag set") was created to mitigate a security vulnerability in which a
      local attacker is able to inject data into locally-opened sockets by
      using TCP protocol statistics in procfs to quickly find the correct
      sequence number.
      
      This broke the RFC5961 requirement to send a challenge ACK in response
      to spurious RST packets, which was subsequently fixed by commit
      7b514a88 ("tcp: accept RST without ACK flag").
      
      Unfortunately, the RFC5961 requirement that spurious SYN packets be
      handled in a similar manner remains broken.
      
      RFC5961 section 4 states that:
      
         ... the handling of the SYN in the synchronized state SHOULD be
         performed as follows:
      
         1) If the SYN bit is set, irrespective of the sequence number, TCP
            MUST send an ACK (also referred to as challenge ACK) to the remote
            peer:
      
            <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
      
            After sending the acknowledgment, TCP MUST drop the unacceptable
            segment and stop processing further.
      
         By sending an ACK, the remote peer is challenged to confirm the loss
         of the previous connection and the request to start a new connection.
         A legitimate peer, after restart, would not have a TCB in the
         synchronized state.  Thus, when the ACK arrives, the peer should send
         a RST segment back with the sequence number derived from the ACK
         field that caused the RST.
      
         This RST will confirm that the remote peer has indeed closed the
         previous connection.  Upon receipt of a valid RST, the local TCP
         endpoint MUST terminate its connection.  The local TCP endpoint
         should then rely on SYN retransmission from the remote end to
         re-establish the connection.
      
      This patch lets SYN packets through the discard added in c3ae62af,
      so that spurious SYN packets are properly dealt with as per the RFC.
      
      The challenge ACK is sent unconditionally and is rate-limited, so the
      original vulnerability is not reintroduced by this patch.
      Signed-off-by: default avatarCalvin Owens <calvinowens@fb.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c228e83
    • Eric Dumazet's avatar
      net: Revert "net: avoid one atomic operation in skb_clone()" · e7820e39
      Eric Dumazet authored
      Not sure what I was thinking, but doing anything after
      releasing a refcount is suicidal or/and embarrassing.
      
      By the time we set skb->fclone to SKB_FCLONE_FREE, another cpu
      could have released last reference and freed whole skb.
      
      We potentially corrupt memory or trap if CONFIG_DEBUG_PAGEALLOC is set.
      Reported-by: default avatarChris Mason <clm@fb.com>
      Fixes: ce1a4ea3 ("net: avoid one atomic operation in skb_clone()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e7820e39
    • Jason Wang's avatar
      virtio-net: validate features during probe · 892d6eb1
      Jason Wang authored
      We currently trigger BUG when VIRTIO_NET_F_CTRL_VQ
      is not set but one of features depending on it is.
      That's not a friendly way to report errors to
      hypervisors.
      Let's check, and fail probe instead.
      
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
      Cc: Wanlong Gao <gaowanlong@cn.fujitsu.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarCornelia Huck <cornelia.huck@de.ibm.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      892d6eb1
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 7e09dccd
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains two bugfixes for your net tree, they are:
      
      1) Validate netlink group from nfnetlink to avoid an out of bound array
         access. This should only happen with superuser priviledges though.
         Discovered by Andrey Ryabinin using trinity.
      
      2) Don't push ethernet header before calling the netfilter output hook
         for multicast traffic, this breaks ebtables since it expects to see
         skb->data pointing to the network header, patch from Linus Luessing.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7e09dccd
    • David S. Miller's avatar
      Merge tag 'master-2014-11-20' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · c8577819
      David S. Miller authored
      John W. Linville says:
      
      ====================
      pull request: wireless 2014-11-20
      
      Please full this little batch of fixes intended for the 3.18 stream!
      
      For the mac80211 patch, Johannes says:
      
      "Here's another last minute fix, for minstrel HT crashing
      depending on the value of some uninitialised stack."
      
      On top of that...
      
      Ben Greear fixes an ath9k regression in which a BSSID mask is
      miscalculated.
      
      Dmitry Torokhov corrects an error handling routing in brcmfmac which
      was checking an unsigned variable for a negative value.
      
      Johannes Berg avoids a build problem in brcmfmac for arches where
      linux/unaligned/access_ok.h and asm/unaligned.h conflict.
      
      Mathy Vanhoef addresses another brcmfmac issue so as to eliminate a
      use-after-free of the URB transfer buffer if a timeout occurs.
      
      Please let me know if there are problems!
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8577819
    • Anish Bhatt's avatar
      cxgb4 : Fix DCB priority groups being returned in wrong order · 17544e2a
      Anish Bhatt authored
      Peer priority groups were being reversed, but this was missed in the previous
      fix sent out for this issue.
      
      v2 : Previous patch was doing extra unnecessary work, result is the same.
      Please ignore previous patch
      
      Fixes :	ee7bc3cd ('cxgb4 : dcb open-lldp interop fixes')
      Signed-off-by: default avatarAnish Bhatt <anish@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      17544e2a
    • Jiri Bohac's avatar
      ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg · 01462405
      Jiri Bohac authored
      This fixes an old regression introduced by commit
      b0d0d915 (ipx: remove the BKL).
      
      When a recvmsg syscall blocks waiting for new data, no data can be sent on the
      same socket with sendmsg because ipx_recvmsg() sleeps with the socket locked.
      
      This breaks mars-nwe (NetWare emulator):
      - the ncpserv process reads the request using recvmsg
      - ncpserv forks and spawns nwconn
      - ncpserv calls a (blocking) recvmsg and waits for new requests
      - nwconn deadlocks in sendmsg on the same socket
      
      Commit b0d0d915 has simply replaced BKL locking with
      lock_sock/release_sock. Unlike now, BKL got unlocked while
      sleeping, so a blocking recvmsg did not block a concurrent
      sendmsg.
      
      Only keep the socket locked while actually working with the socket data and
      release it prior to calling skb_recv_datagram().
      Signed-off-by: default avatarJiri Bohac <jbohac@suse.cz>
      Reviewed-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      01462405
    • Joe Stringer's avatar
      openvswitch: Don't validate IPv6 label masks. · d3052bb5
      Joe Stringer authored
      When userspace doesn't provide a mask, OVS datapath generates a fully
      unwildcarded mask for the flow by copying the flow and setting all bits
      in all fields. For IPv6 label, this creates a mask that matches on the
      upper 12 bits, causing the following error:
      
      openvswitch: netlink: Invalid IPv6 flow label value (value=ffffffff, max=fffff)
      
      This patch ignores the label validation check for masks, avoiding this
      error.
      Signed-off-by: default avatarJoe Stringer <joestringer@nicira.com>
      Acked-by: default avatarPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d3052bb5
    • Mathias Krause's avatar
      pptp: fix stack info leak in pptp_getname() · a5f6fc28
      Mathias Krause authored
      pptp_getname() only partially initializes the stack variable sa,
      particularly only fills the pptp part of the sa_addr union. The code
      thereby discloses 16 bytes of kernel stack memory via getsockname().
      
      Fix this by memset(0)'ing the union before.
      
      Cc: Dmitry Kozlov <xeb@mail.ru>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5f6fc28
  2. 20 Nov, 2014 1 commit
  3. 19 Nov, 2014 6 commits
    • Anish Bhatt's avatar
      cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection · ee7255ad
      Anish Bhatt authored
      cxgb4i was returning wrong error and not releasing module reference if remote
      end abruptly closed TCP connection. This prevents the cxgb4 network module from
      being unloaded, further affecting other network drivers dependent on cxgb4
      
      Sending to net as this affects all cxgb4 based network drivers.
      Signed-off-by: default avatarAnish Bhatt <anish@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee7255ad
    • Duan Jiong's avatar
      ipv6: delete protocol and unregister rtnetlink when cleanup · ffb1388a
      Duan Jiong authored
      pim6_protocol was added when initiation, but it not deleted.
      Similarly, unregister RTNL_FAMILY_IP6MR rtnetlink.
      Signed-off-by: default avatarDuan Jiong <duanj.fnst@cn.fujitsu.com>
      Reviewed-by: default avatarCong Wang <cwang@twopensource.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ffb1388a
    • John W. Linville's avatar
      Merge tag 'mac80211-for-john-2014-11-18' of... · 6158fb37
      John W. Linville authored
      Merge tag 'mac80211-for-john-2014-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg <johannes@sipsolutions.net> says:
      
      "Here's another last minute fix, for minstrel HT crashing
      depending on the value of some uninitialised stack."
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      6158fb37
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-3.18-20141118' of git://gitorious.org/linux-can/linux-can · ddecab1a
      David S. Miller authored
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2014-11-18
      
      this is a pull request of 17 patches for net/master for the v3.18 release
      cycle.
      
      The last patch of this pull request ("can: m_can: update to support CAN FD
      features") adds, as the description says, a new feature to the m_can driver. As
      the m_can driver has been added in v3.18 there is no risk of causing a
      regression. Give me a note if this is not okay and I'll create a new pull
      request without it.
      
      There is a patch for the CAN infrastructure by Thomas Körper which fixes
      calling kfree_skb() from interrupt context. Roman Fietze fixes a typo also in
      the infrastructure. A patch by Dong Aisheng adds a generic helper function to
      tell if a skb is normal CAN or CAN-FD frame. Alexey Khoroshilov of the Linux
      Driver Verification project fixes a memory leak in the esd_usb2 driver. Two
      patches by Sudip Mukherjee remove unused variables and fixe the signess of a
      variable. Three patches by me add the missing .ndo_change_mtu callback to the
      xilinx_can, rcar_can and gs_usb driver.
      
      The remaining patches improve the m_can driver: David Cohen adds the missing
      CONFIG_HAS_IOMEM dependency. Dong Aisheng provides 6 bugfix patches (most
      important: missing RAM init, sleep in NAPI poll, dlc in RTR). While the last of
      his patches adds CAN FD support to the driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ddecab1a
    • Or Gerlitz's avatar
      net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too · 9737c6ab
      Or Gerlitz authored
      This is currently missing, which results in a crash when one attempts
      to set VXLAN tunnel over the mlx4_en when acting as PF.
      
      	[ 2408.785472] BUG: unable to handle kernel NULL pointer dereference at (null)
      	[...]
      	[ 2408.994104] Call Trace:
      	[ 2408.996584]  [<ffffffffa021f7f5>] ? vxlan_get_rx_port+0xd6/0x103 [vxlan]
      	[ 2409.003316]  [<ffffffffa021f71f>] ? vxlan_lowerdev_event+0xf2/0xf2 [vxlan]
      	[ 2409.010225]  [<ffffffffa0630358>] mlx4_en_start_port+0x862/0x96a [mlx4_en]
      	[ 2409.017132]  [<ffffffffa063070f>] mlx4_en_open+0x17f/0x1b8 [mlx4_en]
      
      While here, make sure to invoke vxlan_get_rx_port() only when VXLAN
      offloads are actually enabled and not when they are only supported.
      Reported-by: default avatarIdo Shamay <idos@mellanox.com>
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9737c6ab
    • Nikolay Aleksandrov's avatar
      bonding: fix curr_active_slave/carrier with loadbalance arp monitoring · b8e4500f
      Nikolay Aleksandrov authored
      Since commit 6fde8f03 ("bonding: fix locking in
      bond_loadbalance_arp_mon()") we can have a stale bond carrier state and
      stale curr_active_slave when using arp monitoring in loadbalance modes. The
      reason is that in bond_loadbalance_arp_mon() we can't have
      do_failover == true but slave_state_changed == false, whenever do_failover
      is true then slave_state_changed is also true. Then the following piece
      from bond_loadbalance_arp_mon():
                      if (slave_state_changed) {
                              bond_slave_state_change(bond);
                              if (BOND_MODE(bond) == BOND_MODE_XOR)
                                      bond_update_slave_arr(bond, NULL);
                      } else if (do_failover) {
                              block_netpoll_tx();
                              bond_select_active_slave(bond);
                              unblock_netpoll_tx();
                      }
      
      will execute only the first branch, always and regardless of do_failover.
      Since these two events aren't related in such way, we need to decouple and
      consider them separately.
      
      For example this issue could lead to the following result:
      Bonding Mode: load balancing (round-robin)
      *MII Status: down*
      MII Polling Interval (ms): 0
      Up Delay (ms): 0
      Down Delay (ms): 0
      ARP Polling Interval (ms): 100
      ARP IP target/s (n.n.n.n form): 192.168.9.2
      
      Slave Interface: ens12
      *MII Status: up*
      Speed: 10000 Mbps
      Duplex: full
      Link Failure Count: 2
      Permanent HW addr: 00:0f:53:01:42:2c
      Slave queue ID: 0
      
      Slave Interface: eth1
      *MII Status: up*
      Speed: Unknown
      Duplex: Unknown
      Link Failure Count: 70
      Permanent HW addr: 52:54:00:2f:0f:8e
      Slave queue ID: 0
      
      Since some interfaces are up, then the status of the bond should also be
      up, but it will never change unless something invokes bond_set_carrier()
      (i.e. enslave, bond_select_active_slave etc). Now, if I force the
      calling of bond_select_active_slave via for example changing
      primary_reselect (it can change in any mode), then the MII status goes to
      "up" because it calls bond_select_active_slave() which should've been done
      from bond_loadbalance_arp_mon() itself.
      
      CC: Veaceslav Falico <vfalico@gmail.com>
      CC: Jay Vosburgh <j.vosburgh@gmail.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      CC: Ding Tianhong <dingtianhong@huawei.com>
      
      Fixes: 6fde8f03 ("bonding: fix locking in bond_loadbalance_arp_mon()")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Acked-by: default avatarVeaceslav Falico <vfalico@gmail.com>
      Acked-by: default avatarAndy Gospodarek <gospo@cumulusnetworks.com>
      Acked-by: default avatarDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8e4500f
  4. 18 Nov, 2014 19 commits
  5. 17 Nov, 2014 5 commits
    • Dmitry Torokhov's avatar
      brcmfmac: fix error handling of irq_of_parse_and_map · 4c69f05e
      Dmitry Torokhov authored
      Return value of irq_of_parse_and_map() is unsigned int, with 0
      indicating failure, so testing for negative result never works.
      Signed-off-by: default avatarDmitry Torokhov <dtor@chromium.org>
      Cc: stable@vger.kernel.org # v3.17
      Acked-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      4c69f05e
    • Mathy Vanhoef's avatar
      brcmfmac: kill URB when request timed out · 8180bd47
      Mathy Vanhoef authored
      Kill the submitted URB in brcmf_usb_dl_cmd if the request timed out. This
      assures the URB is never submitted twice. It also prevents a possible
      use-after-free of the URB transfer buffer if a timeout occurs.
      Signed-off-by: default avatarMathy Vanhoef <vanhoefm@gmail.com>
      Acked-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      8180bd47
    • Ben Greear's avatar
      ath9k: fix regression in bssidmask calculation · daad1660
      Ben Greear authored
      The commit that went into 3.17:
      
          ath9k: Summarize hw state per channel context
      
          Group and set hw state (opmode, primary_sta, beacon conf) per
          channel context instead of whole list of vifs. This would allow
          each channel context to run in different mode (STA/AP).
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarRajkumar Manoharan <rmanohar@qti.qualcomm.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      
      broke multi-vif configuration due to not properly calculating
      the bssid mask.
      
      The test case that caught this was:
      
       create wlan0 and sta0-4 (6 total), not sure how much that matters.
       associate all 6 (works fine)
       disconnect 5 of them, leaving sta0 up
       Start trying to bring up the other 5 one at a time.  It will
       fail, with iw events looking like this (in these logs, several
       sta are trying to come up, but symptom is the same with just one)
      
      The patch causing the regression made quite a few changes, but
      the part I think caused this particular problem was not
      recalculating the bssid mask when adding and removing interfaces.
      
      Re-adding those calls fixes my test case.  Fix bad comment
      as well.
      Signed-off-by: default avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      daad1660
    • Linus Lüssing's avatar
      bridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries · f0b4eece
      Linus Lüssing authored
      Ebtables on the OUTPUT chain (NF_BR_LOCAL_OUT) would not work as expected
      for both locally generated IGMP and MLD queries. The IP header specific
      filter options are off by 14 Bytes for netfilter (actual output on
      interfaces is fine).
      
      NF_HOOK() expects the skb->data to point to the IP header, not the
      ethernet one (while dev_queue_xmit() does not). Luckily there is an
      br_dev_queue_push_xmit() helper function already - let's just use that.
      
      Introduced by eb1d1641
      ("bridge: Add core IGMP snooping support")
      
      Ebtables example:
      
      $ ebtables -I OUTPUT -p IPv6 -o eth1 --logical-out br0 \
      	--log --log-level 6 --log-ip6 --log-prefix="~EBT: " -j DROP
      
      before (broken):
      
      ~EBT:  IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
      	MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
      	SRC=64a4:39c2:86dd:6000:0000:0020:0001:fe80 IPv6 \
      	DST=0000:0000:0000:0004:64ff:fea4:39c2:ff02, \
      	IPv6 priority=0x3, Next Header=2
      
      after (working):
      
      ~EBT:  IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
      	MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
      	SRC=fe80:0000:0000:0000:0004:64ff:fea4:39c2 IPv6 \
      	DST=ff02:0000:0000:0000:0000:0000:0000:0001, \
      	IPv6 priority=0x0, Next Header=0
      Signed-off-by: default avatarLinus Lüssing <linus.luessing@web.de>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      f0b4eece
    • Pablo Neira Ayuso's avatar
      netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind · 97840cb6
      Pablo Neira Ayuso authored
      Make sure the netlink group exists, otherwise you can trigger an out
      of bound array memory access from the netlink_bind() path. This splat
      can only be triggered only by superuser.
      
      [  180.203600] UBSan: Undefined behaviour in ../net/netfilter/nfnetlink.c:467:28
      [  180.204249] index 9 is out of range for type 'int [9]'
      [  180.204697] CPU: 0 PID: 1771 Comm: trinity-main Not tainted 3.18.0-rc4-mm1+ #122
      [  180.205365] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org
      +04/01/2014
      [  180.206498]  0000000000000018 0000000000000000 0000000000000009 ffff88007bdf7da8
      [  180.207220]  ffffffff82b0ef5f 0000000000000092 ffffffff845ae2e0 ffff88007bdf7db8
      [  180.207887]  ffffffff8199e489 ffff88007bdf7e18 ffffffff8199ea22 0000003900000000
      [  180.208639] Call Trace:
      [  180.208857] dump_stack (lib/dump_stack.c:52)
      [  180.209370] ubsan_epilogue (lib/ubsan.c:174)
      [  180.209849] __ubsan_handle_out_of_bounds (lib/ubsan.c:400)
      [  180.210512] nfnetlink_bind (net/netfilter/nfnetlink.c:467)
      [  180.210986] netlink_bind (net/netlink/af_netlink.c:1483)
      [  180.211495] SYSC_bind (net/socket.c:1541)
      
      Moreover, define the missing nf_tables and nf_acct multicast groups too.
      Reported-by: default avatarAndrey Ryabinin <a.ryabinin@samsung.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      97840cb6