1. 15 Apr, 2020 3 commits
    • Xin Long's avatar
      esp6: get the right proto for transport mode in esp6_gso_encap · 3c96ec56
      Xin Long authored
      For transport mode, when ipv6 nexthdr is set, the packet format might
      be like:
      
          ----------------------------------------------------
          |        | dest |     |     |      |  ESP    | ESP |
          | IP6 hdr| opts.| ESP | TCP | Data | Trailer | ICV |
          ----------------------------------------------------
      
      What it wants to get for x-proto in esp6_gso_encap() is the proto that
      will be set in ESP nexthdr. So it should skip all ipv6 nexthdrs and
      get the real transport protocol. Othersize, the wrong proto number
      will be set into ESP nexthdr.
      
      This patch is to skip all ipv6 nexthdrs by calling ipv6_skip_exthdr()
      in esp6_gso_encap().
      
      Fixes: 7862b405 ("esp: Add gso handlers for esp4 and esp6")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      3c96ec56
    • Xin Long's avatar
      xfrm: do pskb_pull properly in __xfrm_transport_prep · 06a0afcf
      Xin Long authored
      For transport mode, when ipv6 nexthdr is set, the packet format might
      be like:
      
          ----------------------------------------------------
          |        | dest |     |     |      |  ESP    | ESP |
          | IP6 hdr| opts.| ESP | TCP | Data | Trailer | ICV |
          ----------------------------------------------------
      
      and in __xfrm_transport_prep():
      
        pskb_pull(skb, skb->mac_len + sizeof(ip6hdr) + x->props.header_len);
      
      it will pull the data pointer to the wrong position, as it missed the
      nexthdrs/dest opts.
      
      This patch is to fix it by using:
      
        pskb_pull(skb, skb_transport_offset(skb) + x->props.header_len);
      
      as we can be sure transport_header points to ESP header at that moment.
      
      It also fixes a panic when packets with ipv6 nexthdr are sent over
      esp6 transport mode:
      
        [  100.473845] kernel BUG at net/core/skbuff.c:4325!
        [  100.478517] RIP: 0010:__skb_to_sgvec+0x252/0x260
        [  100.494355] Call Trace:
        [  100.494829]  skb_to_sgvec+0x11/0x40
        [  100.495492]  esp6_output_tail+0x12e/0x550 [esp6]
        [  100.496358]  esp6_xmit+0x1d5/0x260 [esp6_offload]
        [  100.498029]  validate_xmit_xfrm+0x22f/0x2e0
        [  100.499604]  __dev_queue_xmit+0x589/0x910
        [  100.502928]  ip6_finish_output2+0x2a5/0x5a0
        [  100.503718]  ip6_output+0x6c/0x120
        [  100.505198]  xfrm_output_resume+0x4bf/0x530
        [  100.508683]  xfrm6_output+0x3a/0xc0
        [  100.513446]  inet6_csk_xmit+0xa1/0xf0
        [  100.517335]  tcp_sendmsg+0x27/0x40
        [  100.517977]  sock_sendmsg+0x3e/0x60
        [  100.518648]  __sys_sendto+0xee/0x160
      
      Fixes: c35fe410 ("xfrm: Add mode handlers for IPsec on layer 2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      06a0afcf
    • Xin Long's avatar
      xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input · afcaf61b
      Xin Long authored
      For beet mode, when it's ipv6 inner address with nexthdrs set,
      the packet format might be:
      
          ----------------------------------------------------
          | outer  |     | dest |     |      |  ESP    | ESP |
          | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
          ----------------------------------------------------
      
      The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
      continue processing the packet when nexthdr returns 0 in
      xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
      packet will be dropped.
      
      I don't see any error cases that nexthdr may return 0. So
      fix it by removing the check for nexthdr == 0.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      afcaf61b
  2. 14 Apr, 2020 15 commits
  3. 13 Apr, 2020 3 commits
  4. 12 Apr, 2020 3 commits
  5. 11 Apr, 2020 3 commits
  6. 10 Apr, 2020 1 commit
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 40fc7ad2
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2020-04-10
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 13 non-merge commits during the last 7 day(s) which contain
      a total of 13 files changed, 137 insertions(+), 43 deletions(-).
      
      The main changes are:
      
      1) JIT code emission fixes for riscv and arm32, from Luke Nelson and Xi Wang.
      
      2) Disable vmlinux BTF info if GCC_PLUGIN_RANDSTRUCT is used, from Slava Bacherikov.
      
      3) Fix oob write in AF_XDP when meta data is used, from Li RongQing.
      
      4) Fix bpf_get_link_xdp_id() handling on single prog when flags are specified,
         from Andrey Ignatov.
      
      5) Fix sk_assign() BPF helper for request sockets that can have sk_reuseport
         field uninitialized, from Joe Stringer.
      
      6) Fix mprotect() test case for the BPF LSM, from KP Singh.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40fc7ad2
  7. 09 Apr, 2020 8 commits
    • Taras Chornyi's avatar
      net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin · 690cc863
      Taras Chornyi authored
      When CONFIG_IP_MULTICAST is not set and multicast ip is added to the device
      with autojoin flag or when multicast ip is deleted kernel will crash.
      
      steps to reproduce:
      
      ip addr add 224.0.0.0/32 dev eth0
      ip addr del 224.0.0.0/32 dev eth0
      
      or
      
      ip addr add 224.0.0.0/32 dev eth0 autojoin
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
       pc : _raw_write_lock_irqsave+0x1e0/0x2ac
       lr : lock_sock_nested+0x1c/0x60
       Call trace:
        _raw_write_lock_irqsave+0x1e0/0x2ac
        lock_sock_nested+0x1c/0x60
        ip_mc_config.isra.28+0x50/0xe0
        inet_rtm_deladdr+0x1a8/0x1f0
        rtnetlink_rcv_msg+0x120/0x350
        netlink_rcv_skb+0x58/0x120
        rtnetlink_rcv+0x14/0x20
        netlink_unicast+0x1b8/0x270
        netlink_sendmsg+0x1a0/0x3b0
        ____sys_sendmsg+0x248/0x290
        ___sys_sendmsg+0x80/0xc0
        __sys_sendmsg+0x68/0xc0
        __arm64_sys_sendmsg+0x20/0x30
        el0_svc_common.constprop.2+0x88/0x150
        do_el0_svc+0x20/0x80
       el0_sync_handler+0x118/0x190
        el0_sync+0x140/0x180
      
      Fixes: 93a714d6 ("multicast: Extend ip address command to enable multicast group join/leave on")
      Signed-off-by: default avatarTaras Chornyi <taras.chornyi@plvision.eu>
      Signed-off-by: default avatarVadym Kochan <vadym.kochan@plvision.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      690cc863
    • Ka-Cheong Poon's avatar
      net/rds: Fix MR reference counting problem · 2fabef4f
      Ka-Cheong Poon authored
      In rds_free_mr(), it calls rds_destroy_mr(mr) directly.  But this
      defeats the purpose of reference counting and makes MR free handling
      impossible.  It means that holding a reference does not guarantee that
      it is safe to access some fields.  For example, In
      rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then
      calls mr->r_trans->sync_mr().  But if rds_free_mr() (and
      rds_destroy_mr()) is called in between (there is no lock preventing
      this to happen), r_trans_private is set to NULL, causing a panic.
      Similar issue is in rds_rdma_unuse().
      Reported-by: default avatarzerons <sironhide0null@gmail.com>
      Signed-off-by: default avatarKa-Cheong Poon <ka-cheong.poon@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2fabef4f
    • Ka-Cheong Poon's avatar
    • Taehee Yoo's avatar
      net: macsec: fix using wrong structure in macsec_changelink() · 022e9d60
      Taehee Yoo authored
      In the macsec_changelink(), "struct macsec_tx_sa tx_sc" is used to
      store "macsec_secy.tx_sc".
      But, the struct type of tx_sc is macsec_tx_sc, not macsec_tx_sa.
      So, the macsec_tx_sc should be used instead.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add macsec0 link dummy0 type macsec
          ip link set macsec0 type macsec encrypt off
      
      Splat looks like:
      [61119.963483][ T9335] ==================================================================
      [61119.964709][ T9335] BUG: KASAN: slab-out-of-bounds in macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.965787][ T9335] Read of size 160 at addr ffff888020d69c68 by task ip/9335
      [61119.966699][ T9335]
      [61119.966979][ T9335] CPU: 0 PID: 9335 Comm: ip Not tainted 5.6.0+ #503
      [61119.967791][ T9335] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [61119.968914][ T9335] Call Trace:
      [61119.969324][ T9335]  dump_stack+0x96/0xdb
      [61119.969809][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.970554][ T9335]  print_address_description.constprop.5+0x1be/0x360
      [61119.971294][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.971973][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.972703][ T9335]  __kasan_report+0x12a/0x170
      [61119.973323][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.973942][ T9335]  kasan_report+0xe/0x20
      [61119.974397][ T9335]  check_memory_region+0x149/0x1a0
      [61119.974866][ T9335]  memcpy+0x1f/0x50
      [61119.975209][ T9335]  macsec_changelink.part.34+0xb6/0x200 [macsec]
      [61119.975825][ T9335]  ? macsec_get_stats64+0x3e0/0x3e0 [macsec]
      [61119.976451][ T9335]  ? kernel_text_address+0x111/0x120
      [61119.976990][ T9335]  ? pskb_expand_head+0x25f/0xe10
      [61119.977503][ T9335]  ? stack_trace_save+0x82/0xb0
      [61119.977986][ T9335]  ? memset+0x1f/0x40
      [61119.978397][ T9335]  ? __nla_validate_parse+0x98/0x1ab0
      [61119.978936][ T9335]  ? macsec_alloc_tfm+0x90/0x90 [macsec]
      [61119.979511][ T9335]  ? __kasan_slab_free+0x111/0x150
      [61119.980021][ T9335]  ? kfree+0xce/0x2f0
      [61119.980700][ T9335]  ? netlink_trim+0x196/0x1f0
      [61119.981420][ T9335]  ? nla_memcpy+0x90/0x90
      [61119.982036][ T9335]  ? register_lock_class+0x19e0/0x19e0
      [61119.982776][ T9335]  ? memcpy+0x34/0x50
      [61119.983327][ T9335]  __rtnl_newlink+0x922/0x1270
      [ ... ]
      
      Fixes: 3cf3227a ("net: macsec: hardware offloading infrastructure")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      022e9d60
    • Colin Ian King's avatar
      net-sysfs: remove redundant assignment to variable ret · 5f0224a6
      Colin Ian King authored
      The variable ret is being initialized with a value that is never read
      and it is being updated later with a new value.  The initialization is
      redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f0224a6
    • Wang Wenhu's avatar
      net: qrtr: send msgs from local of same id as broadcast · 6dbf02ac
      Wang Wenhu authored
      If the local node id(qrtr_local_nid) is not modified after its
      initialization, it equals to the broadcast node id(QRTR_NODE_BCAST).
      So the messages from local node should not be taken as broadcast
      and keep the process going to send them out anyway.
      
      The definitions are as follow:
      static unsigned int qrtr_local_nid = NUMA_NO_NODE;
      
      Fixes: fdf5fd39 ("net: qrtr: Broadcast messages only from control port")
      Signed-off-by: default avatarWang Wenhu <wenhu.wang@vivo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dbf02ac
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2020-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 3d61a39d
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2020-04-08
      
      This series introduces some fixes to mlx5 driver.
      
      Please pull and let me know if there is any problem.
      
      For -stable v5.3
       ('net/mlx5: Fix frequent ioread PCI access during recovery')
       ('net/mlx5e: Add missing release firmware call')
      
      For -stable v5.4
       ('net/mlx5e: Fix nest_level for vlan pop action')
       ('net/mlx5e: Fix pfnum in devlink port attribute')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d61a39d
    • Lothar Rubusch's avatar
      Documentation: devlink: fix broken link warning · e750b84d
      Lothar Rubusch authored
      At 'make htmldocs' the following warning is thrown:
      
      Documentation/networking/devlink/devlink-trap.rst:302:
      WARNING: undefined label: generic-packet-trap-groups
      
      Fixes the warning by setting the label to the specified header,
      within the same document.
      Signed-off-by: default avatarLothar Rubusch <l.rubusch@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e750b84d
  8. 08 Apr, 2020 4 commits