1. 12 Apr, 2017 3 commits
    • David S. Miller's avatar
      Merge branch 'bridge-register-netdev-before-changelink' · fc9c89b1
      David S. Miller authored
      Ido Schimmel says:
      
      ====================
      bridge: Fix kernel oops during bridge creation
      
      First patch adds a missing ndo_uninit() in the bridge driver, which is a
      prerequisite for the second patch that actually fixes the oops.
      
      Please consider both patches for 4.4.y, 4.9.y and 4.10.y
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc9c89b1
    • Ido Schimmel's avatar
      bridge: netlink: register netdevice before executing changelink · 5b8d5429
      Ido Schimmel authored
      Peter reported a kernel oops when executing the following command:
      
      $ ip link add name test type bridge vlan_default_pvid 1
      
      [13634.939408] BUG: unable to handle kernel NULL pointer dereference at
      0000000000000190
      [13634.939436] IP: __vlan_add+0x73/0x5f0
      [...]
      [13634.939783] Call Trace:
      [13634.939791]  ? pcpu_next_unpop+0x3b/0x50
      [13634.939801]  ? pcpu_alloc+0x3d2/0x680
      [13634.939810]  ? br_vlan_add+0x135/0x1b0
      [13634.939820]  ? __br_vlan_set_default_pvid.part.28+0x204/0x2b0
      [13634.939834]  ? br_changelink+0x120/0x4e0
      [13634.939844]  ? br_dev_newlink+0x50/0x70
      [13634.939854]  ? rtnl_newlink+0x5f5/0x8a0
      [13634.939864]  ? rtnl_newlink+0x176/0x8a0
      [13634.939874]  ? mem_cgroup_commit_charge+0x7c/0x4e0
      [13634.939886]  ? rtnetlink_rcv_msg+0xe1/0x220
      [13634.939896]  ? lookup_fast+0x52/0x370
      [13634.939905]  ? rtnl_newlink+0x8a0/0x8a0
      [13634.939915]  ? netlink_rcv_skb+0xa1/0xc0
      [13634.939925]  ? rtnetlink_rcv+0x24/0x30
      [13634.939934]  ? netlink_unicast+0x177/0x220
      [13634.939944]  ? netlink_sendmsg+0x2fe/0x3b0
      [13634.939954]  ? _copy_from_user+0x39/0x40
      [13634.939964]  ? sock_sendmsg+0x30/0x40
      [13634.940159]  ? ___sys_sendmsg+0x29d/0x2b0
      [13634.940326]  ? __alloc_pages_nodemask+0xdf/0x230
      [13634.940478]  ? mem_cgroup_commit_charge+0x7c/0x4e0
      [13634.940592]  ? mem_cgroup_try_charge+0x76/0x1a0
      [13634.940701]  ? __handle_mm_fault+0xdb9/0x10b0
      [13634.940809]  ? __sys_sendmsg+0x51/0x90
      [13634.940917]  ? entry_SYSCALL_64_fastpath+0x1e/0xad
      
      The problem is that the bridge's VLAN group is created after setting the
      default PVID, when registering the netdevice and executing its
      ndo_init().
      
      Fix this by changing the order of both operations, so that
      br_changelink() is only processed after the netdevice is registered,
      when the VLAN group is already initialized.
      
      Fixes: b6677449 ("bridge: netlink: call br_changelink() during br_dev_newlink()")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-by: default avatarPeter V. Saveliev <peter@svinota.eu>
      Tested-by: default avatarPeter V. Saveliev <peter@svinota.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b8d5429
    • Ido Schimmel's avatar
      bridge: implement missing ndo_uninit() · b6fe0440
      Ido Schimmel authored
      While the bridge driver implements an ndo_init(), it was missing a
      symmetric ndo_uninit(), causing the different de-initialization
      operations to be scattered around its dellink() and destructor().
      
      Implement a symmetric ndo_uninit() and remove the overlapping operations
      from its dellink() and destructor().
      
      This is a prerequisite for the next patch, as it allows us to have a
      proper cleanup upon changelink() failure during the bridge's newlink().
      
      Fixes: b6677449 ("bridge: netlink: call br_changelink() during br_dev_newlink()")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6fe0440
  2. 11 Apr, 2017 1 commit
  3. 10 Apr, 2017 1 commit
    • Eric Dumazet's avatar
      tcp: clear saved_syn in tcp_disconnect() · 17c3060b
      Eric Dumazet authored
      In the (very unlikely) case a passive socket becomes a listener,
      we do not want to duplicate its saved SYN headers.
      
      This would lead to double frees, use after free, and please hackers and
      various fuzzers
      
      Tested:
          0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
         +0 setsockopt(3, IPPROTO_TCP, TCP_SAVE_SYN, [1], 4) = 0
         +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
      
         +0 bind(3, ..., ...) = 0
         +0 listen(3, 5) = 0
      
         +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
         +0 > S. 0:0(0) ack 1 <...>
        +.1 < . 1:1(0) ack 1 win 257
         +0 accept(3, ..., ...) = 4
      
         +0 connect(4, AF_UNSPEC, ...) = 0
         +0 close(3) = 0
         +0 bind(4, ..., ...) = 0
         +0 listen(4, 5) = 0
      
         +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
         +0 > S. 0:0(0) ack 1 <...>
        +.1 < . 1:1(0) ack 1 win 257
      
      Fixes: cd8ae852 ("tcp: provide SYN headers for passive connections")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      17c3060b
  4. 08 Apr, 2017 5 commits
  5. 07 Apr, 2017 1 commit
  6. 06 Apr, 2017 10 commits
    • Xin Long's avatar
      team: call netdev_change_features out of team lock · 16cf72bb
      Xin Long authored
      Commit f6988cb6 ("team: don't call netdev_change_features under
      team->lock") fixed the issue calling netdev_change_features under
      team->lock for team_compute_features.
      
      But there are still two places where it calls netdev_change_features
      under team->lock, team_port_add and team_port_del. It may cause a
      dead lock when the slave port with LRO enabled is added.
      
      This patch is to fix this dead lock by moving netdev_change_features
      out of team_port_add and team_port_del, and call it after unlocking
      the team lock.
      Reported-by: default avatarPatrick Talbert <ptalbert@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      16cf72bb
    • Xin Long's avatar
      sctp: listen on the sock only when it's state is listening or closed · 34b2789f
      Xin Long authored
      Now sctp doesn't check sock's state before listening on it. It could
      even cause changing a sock with any state to become a listening sock
      when doing sctp_listen.
      
      This patch is to fix it by checking sock's state in sctp_listen, so
      that it will listen on the sock with right state.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      34b2789f
    • Oliver Neukum's avatar
      usbnet: make sure no NULL pointer is passed through · 6c22fce0
      Oliver Neukum authored
      Coverity reports:
      
      ** CID 751368:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/usbnet.c: 1925 in __usbnet_read_cmd()
      
      ________________________________________________________________________________________________________
      *** CID 751368:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/usbnet.c: 1925 in __usbnet_read_cmd()
      1919     EXPORT_SYMBOL(usbnet_link_change);
      1920
      1921     /*-------------------------------------------------------------------------*/
      1922     static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
      1923                                 u16 value, u16 index, void *data, u16 size)
      1924     {
      >>>     CID 751368:  Null pointer dereferences  (FORWARD_NULL)
      >>>     Assigning: "buf" = "NULL".
      1925            void *buf = NULL;
      1926            int err = -ENOMEM;
      1927
      1928            netdev_dbg(dev->net, "usbnet_read_cmd cmd=0x%02x reqtype=%02x"
      1929                       " value=0x%04x index=0x%04x size=%d\n",
      1930                       cmd, reqtype, value, index, size);
      
      ** CID 751370:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/usbnet.c: 1952 in __usbnet_write_cmd()
      
      ________________________________________________________________________________________________________
      *** CID 751370:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/usbnet.c: 1952 in __usbnet_write_cmd()
      1946     }
      1947
      1948     static int __usbnet_write_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
      1949                                  u16 value, u16 index, const void *data,
      1950                                  u16 size)
      1951     {
      >>>     CID 751370:  Null pointer dereferences  (FORWARD_NULL)
      >>>     Assigning: "buf" = "NULL".
      1952            void *buf = NULL;
      1953            int err = -ENOMEM;
      1954
      1955            netdev_dbg(dev->net, "usbnet_write_cmd cmd=0x%02x reqtype=%02x"
      1956                       " value=0x%04x index=0x%04x size=%d\n",
      1957                       cmd, reqtype, value, index, size);
      
      ** CID 1325026:  Null pointer dereferences  (FORWARD_NULL)
      /drivers/net/usb/ch9200.c: 143 in control_write()
      
      It is valid to offer commands without a buffer, but then you need a size
      of zero. This should actually be checked.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6c22fce0
    • WANG Cong's avatar
      net_sched: check noop_qdisc before qdisc_hash_add() · 92f91706
      WANG Cong authored
      Dmitry reported a crash when injecting faults in
      attach_one_default_qdisc() and dev->qdisc is still
      a noop_disc, the check before qdisc_hash_add() fails
      to catch it because it tests NULL. We should test
      against noop_qdisc since it is the default qdisc
      at this point.
      
      Fixes: 59cc1f61 ("net: sched: convert qdisc linked list to hashtable")
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      92f91706
    • Florian Larysch's avatar
      net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given · a8801799
      Florian Larysch authored
      inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
      ip_route_input when iif is given. If a multipath route is present for
      the designated destination, ip_multipath_icmp_hash ends up being called,
      which uses the source/destination addresses within the skb to calculate
      a hash. However, those are not set in the synthetic skb, causing it to
      return an arbitrary and incorrect result.
      
      Instead, use UDP, which gets no such special treatment.
      Signed-off-by: default avatarFlorian Larysch <fl@n621.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8801799
    • David S. Miller's avatar
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · ea6b1720
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Reject invalid updates to netfilter expectation policies, from Pablo
          Neira Ayuso.
      
       2) Fix memory leak in nfnl_cthelper, from Jeffy Chen.
      
       3) Don't do stupid things if we get a neigh_probe() on a neigh entry
          whose ops lack a solicit method. From Eric Dumazet.
      
       4) Don't transmit packets in r8152 driver when the carrier is off, from
          Hayes Wang.
      
       5) Fix ipv6 packet type detection in aquantia driver, from Pavel
          Belous.
      
       6) Don't write uninitialized data into hw registers in bna driver, from
          Arnd Bergmann.
      
       7) Fix locking in ping_unhash(), from Eric Dumazet.
      
       8) Make BPF verifier range checks able to understand certain sequences
          emitted by LLVM, from Alexei Starovoitov.
      
       9) Fix use after free in ipconfig, from Mark Rutland.
      
      10) Fix refcount leak on force commit in openvswitch, from Jarno
          Rajahalme.
      
      11) Fix various overflow checks in AF_PACKET, from Andrey Konovalov.
      
      12) Fix endianness bug in be2net driver, from Suresh Reddy.
      
      13) Don't forget to wake TX queues when processing a timeout, from
          Grygorii Strashko.
      
      14) ARP header on-stack storage is wrong in flow dissector, from Simon
          Horman.
      
      15) Lost retransmit and reordering SNMP stats in TCP can be
          underreported. From Yuchung Cheng.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (82 commits)
        nfp: fix potential use after free on xdp prog
        tcp: fix reordering SNMP under-counting
        tcp: fix lost retransmit SNMP under-counting
        sctp: get sock from transport in sctp_transport_update_pmtu
        net: ethernet: ti: cpsw: fix race condition during open()
        l2tp: fix PPP pseudo-wire auto-loading
        bnx2x: fix spelling mistake in macros HW_INTERRUT_ASSERT_SET_*
        l2tp: take reference on sessions being dumped
        tcp: minimize false-positives on TCP/GRO check
        sctp: check for dst and pathmtu update in sctp_packet_config
        flow dissector: correct size of storage for ARP
        net: ethernet: ti: cpsw: wake tx queues on ndo_tx_timeout
        l2tp: take a reference on sessions used in genetlink handlers
        l2tp: hold session while sending creation notifications
        l2tp: fix duplicate session creation
        l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
        l2tp: fix race in l2tp_recv_common()
        sctp: use right in and out stream cnt
        bpf: add various verifier test cases for self-tests
        bpf, verifier: fix rejection of unaligned access checks for map_value_adj
        ...
      ea6b1720
    • Jakub Kicinski's avatar
      nfp: fix potential use after free on xdp prog · c383bdd1
      Jakub Kicinski authored
      We should unregister the net_device first, before we give back
      our reference on xdp_prog.  Otherwise xdp_prog may be freed
      before .ndo_stop() disabled the datapath.  Found by code inspection.
      
      Fixes: ecd63a02 ("nfp: add XDP support in the driver")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c383bdd1
    • Yuchung Cheng's avatar
      tcp: fix reordering SNMP under-counting · 2d2517ee
      Yuchung Cheng authored
      Currently the reordering SNMP counters only increase if a connection
      sees a higher degree then it has previously seen. It ignores if the
      reordering degree is not greater than the default system threshold.
      This significantly under-counts the number of reordering events
      and falsely convey that reordering is rare on the network.
      
      This patch properly and faithfully records the number of reordering
      events detected by the TCP stack, just like the comment says "this
      exciting event is worth to be remembered". Note that even so TCP
      still under-estimate the actual reordering events because TCP
      requires TS options or certain packet sequences to detect reordering
      (i.e. ACKing never-retransmitted sequence in recovery or disordered
       state).
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d2517ee
    • Yuchung Cheng's avatar
      tcp: fix lost retransmit SNMP under-counting · ecde8f36
      Yuchung Cheng authored
      The lost retransmit SNMP stat is under-counting retransmission
      that uses segment offloading. This patch fixes that so all
      retransmission related SNMP counters are consistent.
      
      Fixes: 10d3be56 ("tcp-tso: do not split TSO packets at retransmit time")
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ecde8f36
  7. 05 Apr, 2017 4 commits
  8. 04 Apr, 2017 13 commits
  9. 03 Apr, 2017 2 commits