24 Nov, 2016
16 commits
-
Stas Nichiporovich reports oops in nf_nat_bysource_cmp(), trying to
access nf_conn struct at address 0xffffffffffffff50.

This is the result of fetching a null rhash list (struct embedded at
offset 176; 0 - 176 gets us ...fff50).

The problem is that conntrack entries are allocated from a
SLAB_DESTROY_BY_RCU cache, i.e. entries can be free'd and reused
on another cpu while nf nat bysource hash accesses the same conntrack entry.

Freeing is fine (we hold rcu read lock); zeroing rhlist_head isn't.

-> Move the rhlist struct outside of the memset()-inited area.

Fixes: 7c9664351980aaa6a ("netfilter: move nat hlist_head to nf_conn")
Reported-by: Stas Nichiporovich
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Otherwise, kernel panic will happen if the user does not specify
the related attributes.

Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression")
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
-
As Liping Zhang reports, after commit a8b1e36d0d1d ("netfilter: nft_dynset:
fix element timeout for HZ != 1000"), priv->timeout was stored in jiffies,
while set->timeout was stored in milliseconds. This is inconsistent and
incorrect.

Firstly, we already call msecs_to_jiffies in nft_set_elem_init, so
priv->timeout will be converted to jiffies twice.

Secondly, if the user did not specify the NFTA_DYNSET_TIMEOUT attr,
set->timeout will be used, but we forget to call msecs_to_jiffies
when updating elements.

Fix this by using jiffies internally for traditional sets and doing the
conversions to/from msec when interacting with userspace - as dynset
already does.

This is preferable to doing the conversions, when elements are inserted or
updated, because this can happen very frequently on busy dynsets.

Fixes: a8b1e36d0d1d ("netfilter: nft_dynset: fix element timeout for HZ != 1000")
Reported-by: Liping Zhang
Signed-off-by: Anders K. Pedersen
Acked-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
-
I got an offlist bug report about failing connections and high cpu usage.
This happens because we hit 'elasticity' checks in rhashtable that
refuse bucket lists exceeding 16 entries.

The nat bysrc hash unfortunately needs to insert distinct objects that
share same key and are identical (have same source tuple), this cannot
be avoided.

Switch to the rhlist interface which is designed for this.

The nulls_base is removed here, I don't think it's needed:
A (unlikely) false positive results in unneeded port clash resolution,
a false negative results in packet drop during conntrack confirmation,
when we try to insert the duplicate into main conntrack hash table.

Tested by adding multiple ip addresses to host, then adding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

... and then creating multiple connections, from same source port but
different addresses:

for i in $(seq 2000 2032);do nc -p 1234 192.168.7.1 $i > /dev/null & done

(all of these then get hashed to same bysource slot)

Then, to test that nat conflict resolution is working:

nc -s 10.0.0.1 -p 1234 192.168.7.1 2000
nc -s 10.0.0.2 -p 1234 192.168.7.1 2000

tcp .. src=10.0.0.1 dst=192.168.7.1 sport=1234 dport=2000 src=192.168.7.1 dst=192.168.7.10 sport=2000 dport=1024 [ASSURED]
tcp .. src=10.0.0.2 dst=192.168.7.1 sport=1234 dport=2000 src=192.168.7.1 dst=192.168.7.10 sport=2000 dport=1025 [ASSURED]
tcp .. src=192.168.7.10 dst=192.168.7.1 sport=1234 dport=2000 src=192.168.7.1 dst=192.168.7.10 sport=2000 dport=1234 [ASSURED]
tcp .. src=192.168.7.10 dst=192.168.7.1 sport=1234 dport=2001 src=192.168.7.1 dst=192.168.7.10 sport=2001 dport=1234 [ASSURED]
[..]

-> nat altered source ports to 1024 and 1025, respectively.

This can also be confirmed on destination host which shows
ESTAB 0 0 192.168.7.1:2000 192.168.7.10:1024
ESTAB 0 0 192.168.7.1:2000 192.168.7.10:1025
ESTAB 0 0 192.168.7.1:2000 192.168.7.10:1234

Cc: Herbert Xu
Fixes: 870190a9ec907 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
The comparator works like memcmp, i.e. 0 means objects are equal.
In other words, when objects are distinct they are treated as identical,
when they are distinct they are allegedly the same.

The first case is rare (distinct objects are unlikely to get hashed to
same bucket).

The second case results in unneeded port conflict resolution attempts.

Fixes: 870190a9ec907 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Use the function nft_parse_u32_check() to fetch the value and validate
the u32 attribute into the hash len u8 field.

This patch revisits 4da449ae1df9 ("netfilter: nft_exthdr: Add size check
on u8 nft_exthdr attributes").

Fixes: cb1b69b0b15b ("netfilter: nf_tables: add hash expression")
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
-
Since kernel 4.7 this defaults to off.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
nf_send_reset6 is not considering the L3 domain and lookups are sent
to the wrong table. For example consider the following output rule:

ip6tables -A OUTPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

using perf to analyze lookups via the fib6_table_lookup tracepoint shows:

swapper 0 [001] 248.787816: fib6:fib6_table_lookup: table 255 oif 0 iif 1 src 2100:1::3 dst 2100:1:
ffffffff81439cdc perf_trace_fib6_table_lookup ([kernel.kallsyms])
ffffffff814c1ce3 trace_fib6_table_lookup ([kernel.kallsyms])
ffffffff814c3e89 ip6_pol_route ([kernel.kallsyms])
ffffffff814c40d5 ip6_pol_route_output ([kernel.kallsyms])
ffffffff814e7b6f fib6_rule_action ([kernel.kallsyms])
ffffffff81437f60 fib_rules_lookup ([kernel.kallsyms])
ffffffff814e7c79 fib6_rule_lookup ([kernel.kallsyms])
ffffffff814c2541 ip6_route_output_flags ([kernel.kallsyms])
528 nf_send_reset6 ([nf_reject_ipv6])

The lookup is directed to table 255 rather than the table associated with
the device via the L3 domain. Update nf_send_reset6 to pull the L3 domain
from the dst currently attached to the skb.

Signed-off-by: David Ahern
Signed-off-by: Pablo Neira Ayuso
-
ip_route_me_harder is not considering the L3 domain and sending lookups
to the wrong table. For example consider the following output rule:

iptables -I OUTPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

using perf to analyze lookups via the fib_table_lookup tracepoint shows:

vrf-test 1187 [001] 46887.295927: fib:fib_table_lookup: table 255 oif 0 iif 0 src 0.0.0.0 dst 10.100.1.254 tos 0 scope 0 flags 0
ffffffff8143922c perf_trace_fib_table_lookup ([kernel.kallsyms])
ffffffff81493aac fib_table_lookup ([kernel.kallsyms])
ffffffff8148dda3 __inet_dev_addr_type ([kernel.kallsyms])
ffffffff8148ddf6 inet_addr_type ([kernel.kallsyms])
ffffffff8149e344 ip_route_me_harder ([kernel.kallsyms])

and

vrf-test 1187 [001] 46887.295933: fib:fib_table_lookup: table 255 oif 0 iif 1 src 10.100.1.254 dst 10.100.1.2 tos 0 scope 0 flags
ffffffff8143922c perf_trace_fib_table_lookup ([kernel.kallsyms])
ffffffff81493aac fib_table_lookup ([kernel.kallsyms])
ffffffff814998ff fib4_rule_action ([kernel.kallsyms])
ffffffff81437f35 fib_rules_lookup ([kernel.kallsyms])
ffffffff81499758 __fib_lookup ([kernel.kallsyms])
ffffffff8144f010 fib_lookup.constprop.34 ([kernel.kallsyms])
ffffffff8144f759 __ip_route_output_key_hash ([kernel.kallsyms])
ffffffff8144fc6a ip_route_output_flow ([kernel.kallsyms])
ffffffff8149e39b ip_route_me_harder ([kernel.kallsyms])

In both cases the lookups are directed to table 255 rather than the
table associated with the device via the L3 domain. Update both
lookups to pull the L3 domain from the dst currently attached to the
skb.

Signed-off-by: David Ahern
Signed-off-by: Pablo Neira Ayuso
-
Make sure mlx4_en_free_resources is called under the netdev state lock.
This is needed since RCU dereference of XDP prog should be protected.

Fixes: 326fe02d1ed6 ("net/mlx4_en: protect ring->xdp_prog with rcu_read_lock")
Signed-off-by: Tariq Toukan
Reported-by: Sagi Grimberg
CC: Brenden Blanco
Signed-off-by: David S. Miller
-
This reverts commit 7c6ae610a1f0, because l2tp_xmit_skb() never
returns NET_XMIT_CN, it ignores the return value of l2tp_xmit_core().

Cc: Gao Feng
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
-
For RT netlink, calcit() function should return the minimal size for
netlink dump message. This will make sure that dump message for every
network device can be stored.

Currently, rtnl_calcit() function doesn't account for the size of the
netlink message header; this patch will fix it.

Signed-off-by: Zhang Shengju
Signed-off-by: David S. Miller
-
Knowing that:
#define TUNNEL_DST_PORT_FREE_REQ_TUNNEL_TYPE_VXLAN (0x1UL << 0)
#define TUNNEL_DST_PORT_FREE_REQ_TUNNEL_TYPE_GENEVE (0x5UL << 0)
and that 'bnxt_hwrm_tunnel_dst_port_alloc()' is only called with one of
these 2 constants, the TUNNEL_DST_PORT_ALLOC_REQ_TUNNEL_TYPE_GENEVE can not
trigger.

Replace the bit test that overlaps by an equality test, just as in
'bnxt_hwrm_tunnel_dst_port_free()' above.

Signed-off-by: Christophe JAILLET
Acked-by: Michael Chan
Signed-off-by: David S. Miller
-
Fix kernel-doc warning in (missing ':'):

..//include/linux/netdevice.h:1904: warning: No description found for parameter 'prio_tc_map[TC_BITMASK + 1]'

Signed-off-by: Randy Dunlap
Signed-off-by: David S. Miller
-
When dev_set_promiscuity failed in macvlan_open, it always invokes
dev_set_allmulti without checking if necessary.
Now check the IFF_ALLMULTI flag first before rolling back the multicast
setting in the error handler.

Signed-off-by: Gao Feng
Signed-off-by: David S. Miller
-
Fix setting of SUPPORTED_FIBRE bit as it was not present in features
of KSZ8041.

Signed-off-by: Kirill Esipov
Signed-off-by: David S. Miller
23 Nov, 2016
1 commit
-
Andre Noll reported panics after my recent fix (commit 34fad54c2537
"net: __skb_flow_dissect() must cap its return value")

After some more headaches, Alexander root caused the problem to
init_default_flow_dissectors() being called too late, in case
a network driver like IGB is not a module and receives DHCP message
very early.

Fix is to call init_default_flow_dissectors() much earlier,
as it is a core infrastructure and does not depend on another
kernel service.

Fixes: 06635a35d13d4 ("flow_dissect: use programable dissector in skb_flow_dissect and friends")
Signed-off-by: Eric Dumazet
Reported-by: Andre Noll
Diagnosed-by: Alexander Duyck
Signed-off-by: David S. Miller
22 Nov, 2016
6 commits
-
Pull apparmor bugfix from James Morris:
"This has a fix for a policy replacement bug that is fairly serious for
apache mod_apparmor users, as it results in the wrong policy being
applied on a network facing service"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
apparmor: fix change_hat not finding hat after policy replacement
-
Pull sparc fixes from David Miller:

1) With modern networking cards we can run out of 32-bit DMA space, so
support 64-bit DMA addressing when possible on sparc64. From Dave
Tushar.

2) Some signal frame validation checks are inverted on sparc32, fix
from Andreas Larsson.

3) Lockdep tables can get too large in some circumstances on sparc64,
add a way to adjust the size a bit. From Babu Moger.

4) Fix NUMA node probing on some sun4v systems, from Thomas Tai.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc: drop duplicate header scatterlist.h
lockdep: Limit static allocations if PROVE_LOCKING_SMALL is defined
config: Adding the new config parameter CONFIG_PROVE_LOCKING_SMALL for sparc
sunbmac: Fix compiler warning
sunqe: Fix compiler warnings
sparc64: Enable 64-bit DMA
sparc64: Enable sun4v dma ops to use IOMMU v2 APIs
sparc64: Bind PCIe devices to use IOMMU v2 service
sparc64: Initialize iommu_map_table and iommu_pool
sparc64: Add ATU (new IOMMU) support
sparc64: Add FORCE_MAX_ZONEORDER and default to 13
sparc64: fix compile warning section mismatch in find_node()
sparc32: Fix inverted invalid_frame_pointer checks on sigreturns
sparc64: Fix find_node warning if numa node cannot be found
-
Pull networking fixes from David Miller:

1) Clear congestion control state when changing algorithms on an
existing socket, from Florian Westphal.

2) Fix register bit values in altr_tse_pcs portion of stmmac driver,
from Jia Jie Ho.

3) Fix PTP handling in stmmac driver for GMAC4, from Giuseppe
CAVALLARO.

4) Fix udplite multicast delivery handling, it ignores the udp_table
parameter passed into the lookups, from Pablo Neira Ayuso.

5) Synchronize the space estimated by rtnl_vfinfo_size and the space
actually used by rtnl_fill_vfinfo. From Sabrina Dubroca.

6) Fix memory leak in fib_info when splitting nodes, from Alexander
Duyck.

7) If a driver does a napi_hash_del() explicitly and not via
netif_napi_del(), it must perform RCU synchronization as needed. Fix
this in virtio-net and bnxt drivers, from Eric Dumazet.

8) Likewise, it is not necessary to invoke napi_hash_del() if we are
also doing netif_napi_del() in the same code path. Remove such calls
from be2net and cxgb4 drivers, also from Eric Dumazet.

9) Don't allocate an ID in peernet2id_alloc() if the netns is dead,
from WANG Cong.

10) Fix OF node and device struct leaks in of_mdio, from Johan Hovold.

11) We cannot cache routes in ip6_tunnel when using inherited traffic
classes, from Paolo Abeni.

12) Fix several crashes and leaks in cpsw driver, from Johan Hovold.

13) Splice operations cannot use freezable blocking calls in AF_UNIX,
from WANG Cong.

14) Link dump filtering by master device and kind support added an error
in loop index updates during the dump if we actually do filter, fix
from Zhang Shengju.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (59 commits)
tcp: zero ca_priv area when switching cc algorithms
net: l2tp: Treat NET_XMIT_CN as success in l2tp_eth_dev_xmit
ethernet: stmmac: make DWMAC_STM32 depend on it's associated SoC
tipc: eliminate obsolete socket locking policy description
rtnl: fix the loop index update error in rtnl_dump_ifinfo()
l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
net: macb: add check for dma mapping error in start_xmit()
rtnetlink: fix FDB size computation
netns: fix get_net_ns_by_fd(int pid) typo
af_unix: conditionally use freezable blocking calls in read
net: ethernet: ti: cpsw: fix fixed-link phy probe deferral
net: ethernet: ti: cpsw: add missing sanity check
net: ethernet: ti: cpsw: fix secondary-emac probe error path
net: ethernet: ti: cpsw: fix of_node and phydev leaks
net: ethernet: ti: cpsw: fix deferred probe
net: ethernet: ti: cpsw: fix mdio device reference leak
net: ethernet: ti: cpsw: fix bad register access in probe error path
net: sky2: Fix shutdown crash
cfg80211: limit scan results cache size
net sched filters: pass netlink message flags in event notification
...
-
We need to zero out the private data area when application switches
connection to different algorithm (TCP_CONGESTION setsockopt).

When congestion ops get assigned at connect time everything is already
zeroed because sk_alloc uses GFP_ZERO flag. But in the setsockopt case
this contains whatever previous cc placed there.

Signed-off-by: Florian Westphal
Signed-off-by: David S. Miller
-
The tc could return NET_XMIT_CN as one congestion notification, but
it does not mean the packet is lost. Other modules like ipvlan,
macvlan, and others treat NET_XMIT_CN as success too.
So l2tp_eth_dev_xmit should add the NET_XMIT_CN check.

Signed-off-by: Gao Feng
Signed-off-by: David S. Miller
-
There's not much point, except compile test, enabling the stmmac
platform drivers unless the STM32 SoC is enabled. It's not
useful without it.

Signed-off-by: Peter Robinson
Signed-off-by: David S. Miller
21 Nov, 2016
3 commits
-
After a policy replacement, the task cred may be out of date and need
to be updated. However change_hat is using the stale profiles from
the out of date cred resulting in either: a stale profile being applied
or, incorrect failure when searching for a hat profile as it has been
migrated to the new parent profile.

Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat)
Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied)
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287
Cc: stable@vger.kernel.org
Signed-off-by: John Johansen
Signed-off-by: James Morris
-
Pull ARM fixes from Russell King:
"A few more ARM fixes:

- the assembly backtrace code suffers problems with the new printk()
implementation which assumes that kernel messages without KERN_CONT
should have newlines inserted between them. Fix this.
- fix a section naming error - ".init.text" rather than ".text.init"
- preallocate DMA debug memory at core_initcall() time rather than
fs_initcall(), as we have some core drivers that need to use DMA
mapping - and that triggers a kernel warning from the DMA debug
code.
- fix XIP kernels after the ro_after_init changes made this data
permanently read-only"

* 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
ARM: Fix XIP kernels
ARM: 8628/1: dma-mapping: preallocate DMA-debug hash tables in core_initcall
ARM: 8624/1: proc-v7m.S: fix init section name
ARM: fix backtrace
20 Nov, 2016
14 commits
-
The comment block in socket.c describing the locking policy is
obsolete, and does not reflect current reality. We remove it in this
commit.

Since the current locking policy is much simpler and follows a
mainstream approach, we see no need to add a new description.

Signed-off-by: Jon Maloy
Signed-off-by: David S. Miller
-
If the link is filtered out, loop index should also be updated. If not,
loop index will not be correct.

Fixes: dc599f76c22b0 ("net: Add support for filtering link dump by master device and kind")
Signed-off-by: Zhang Shengju
Acked-by: David Ahern
Signed-off-by: David S. Miller
-
Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
would then leave a stale pointer there, generating use-after-free
errors when walking through the list or modifying adjacent entries.

BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
[] dump_stack+0xb3/0x118 lib/dump_stack.c:15
[] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
[< inline >] print_address_description mm/kasan/report.c:194
[] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
[< inline >] kasan_report mm/kasan/report.c:303
[] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
[< inline >] __write_once_size ./include/linux/compiler.h:249
[< inline >] __hlist_del ./include/linux/list.h:622
[< inline >] hlist_del_init ./include/linux/list.h:637
[] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
[] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
[] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
[] sock_release+0x8d/0x1d0 net/socket.c:570
[] sock_close+0x16/0x20 net/socket.c:1017
[] __fput+0x28c/0x780 fs/file_table.c:208
[] ____fput+0x15/0x20 fs/file_table.c:244
[] task_work_run+0xf9/0x170
[] do_exit+0x85e/0x2a00
[] do_group_exit+0x108/0x330
[] get_signal+0x617/0x17a0 kernel/signal.c:2307
[] do_signal+0x7f/0x18f0
[] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
[] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
[ 1116.897025] [] save_stack_trace+0x16/0x20
[ 1116.897025] [] save_stack+0x46/0xd0
[ 1116.897025] [] kasan_kmalloc+0xad/0xe0
[ 1116.897025] [] kasan_slab_alloc+0x12/0x20
[ 1116.897025] [< inline >] slab_post_alloc_hook mm/slab.h:417
[ 1116.897025] [< inline >] slab_alloc_node mm/slub.c:2708
[ 1116.897025] [< inline >] slab_alloc mm/slub.c:2716
[ 1116.897025] [] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
[ 1116.897025] [] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
[ 1116.897025] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388
[ 1116.897025] [] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
[ 1116.897025] [] __sock_create+0x37b/0x640 net/socket.c:1153
[ 1116.897025] [< inline >] sock_create net/socket.c:1193
[ 1116.897025] [< inline >] SYSC_socket net/socket.c:1223
[ 1116.897025] [] SyS_socket+0xef/0x1b0 net/socket.c:1203
[ 1116.897025] [] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
[ 1116.897025] [] save_stack_trace+0x16/0x20
[ 1116.897025] [] save_stack+0x46/0xd0
[ 1116.897025] [] kasan_slab_free+0x71/0xb0
[ 1116.897025] [< inline >] slab_free_hook mm/slub.c:1352
[ 1116.897025] [< inline >] slab_free_freelist_hook mm/slub.c:1374
[ 1116.897025] [< inline >] slab_free mm/slub.c:2951
[ 1116.897025] [] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
[ 1116.897025] [< inline >] sk_prot_free net/core/sock.c:1369
[ 1116.897025] [] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
[ 1116.897025] [] sk_destruct+0x44/0x80 net/core/sock.c:1452
[ 1116.897025] [] __sk_free+0x53/0x220 net/core/sock.c:1460
[ 1116.897025] [] sk_free+0x23/0x30 net/core/sock.c:1471
[ 1116.897025] [] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
[ 1116.897025] [] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
[ 1116.897025] [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
[ 1116.897025] [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
[ 1116.897025] [] sock_release+0x8d/0x1d0 net/socket.c:570
[ 1116.897025] [] sock_close+0x16/0x20 net/socket.c:1017
[ 1116.897025] [] __fput+0x28c/0x780 fs/file_table.c:208
[ 1116.897025] [] ____fput+0x15/0x20 fs/file_table.c:244
[ 1116.897025] [] task_work_run+0xf9/0x170
[ 1116.897025] [] do_exit+0x85e/0x2a00
[ 1116.897025] [] do_group_exit+0x108/0x330
[ 1116.897025] [] get_signal+0x617/0x17a0 kernel/signal.c:2307
[ 1116.897025] [] do_signal+0x7f/0x18f0
[ 1116.897025] [] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
[ 1116.897025] [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[ 1116.897025] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
[ 1116.897025] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.
Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
Reported-by: Baozeng Ding
Reported-by: Andrey Konovalov
Tested-by: Baozeng Ding
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
-
Pull ARM SoC fixes from Olof Johansson:
"Again a set of smaller fixes across several platforms (OMAP, Marvell,
Allwinner, i.MX, etc).

A handful of typo fixes and smaller missing contents from device
trees, with some tweaks to OMAP mach files to deal with CPU feature
print misformatting, potential NULL ptr dereference and one setup
issue with UARTs"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ipmi/bt-bmc: change compatible node to 'aspeed, ast2400-ibt-bmc'
ARM: dts: STiH410-b2260: Fix typo in spi0 chipselect definition
ARM: dts: omap5: board-common: fix wrong SMPS6 (VDD-DDR3) voltage
ARM: omap3: Add missing memory node in SOM-LV
arm64: dts: marvell: add unique identifiers for Armada A8k SPI controllers
arm64: dts: marvell: fix clocksource for CP110 slave SPI0
arm64: dts: marvell: Fix typo in label name on Armada 37xx
ASoC: omap-abe-twl6040: fix typo in bindings documentation
dts: omap5: board-common: enable twl6040 headset jack detection
dts: omap5: board-common: add phandle to reference Palmas gpadc
ARM: OMAP2+: avoid NULL pointer dereference
ARM: OMAP2+: PRM: initialize en_uart4_mask and grpsel_uart4_mask
ARM: dts: omap3: Fix memory node in Torpedo board
ARM: AM43XX: Select OMAP_INTERCONNECT in Kconfig
ARM: OMAP3: Fix formatting of features printed
ARM: dts: imx53-qsb: Fix regulator constraints
ARM: dts: sun8i: fix the pinmux for UART1
-
Pull ext4 fixes from Ted Ts'o:
"A security fix (so a maliciously corrupted file system image won't
panic the kernel) and some fixes for CONFIG_VMAP_STACK"

* tag 'ext4_for_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: sanity check the block and cluster size at mount time
fscrypto: don't use on-stack buffer for key derivation
fscrypto: don't use on-stack buffer for filename encryption
-
If the block size or cluster size is insane, reject the mount. This
is important for security reasons (although we shouldn't be just
depending on this check).

Ref: http://www.securityfocus.com/archive/1/539661
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1332506
Reported-by: Borislav Petkov
Reported-by: Nikolay Borisov
Signed-off-by: Theodore Ts'o
Cc: stable@vger.kernel.org
-
With the new (in 4.9) option to use a virtually-mapped stack
(CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
the scatterlist crypto API because they may not be directly mappable to
struct page. get_crypt_info() was using a stack buffer to hold the
output from the encryption operation used to derive the per-file key.
Fix it by using a heap buffer.

This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
because this allowed the BUG in sg_set_buf() to be triggered.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers
Signed-off-by: Theodore Ts'o
-
With the new (in 4.9) option to use a virtually-mapped stack
(CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
the scatterlist crypto API because they may not be directly mappable to
struct page. For short filenames, fname_encrypt() was encrypting a
stack buffer holding the padded filename. Fix it by encrypting the
filename in-place in the output buffer, thereby making the temporary
buffer unnecessary.

This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
because this allowed the BUG in sg_set_buf() to be triggered.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers
Signed-off-by: Theodore Ts'o
-
Pull i2c fixes from Wolfram Sang:
"Some I2C driver bugfixes (and one documentation fix)"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: i2c-mux-pca954x: fix deselect enabling for device-tree
i2c: digicolor: use clk_disable_unprepare instead of clk_unprepare
i2c: mux: fix up dependencies
i2c: Documentation: i2c-topology: fix minor whitespace nit
i2c: mux: demux-pinctrl: make drivers with no pinctrl work again
-
Pull KVM fixes from Radim Krčmář:
"ARM:
- Fix handling of the 32bit cycle counter
- Fix cycle counter filtering

x86:
- Fix a race leading to double unregistering of user notifiers
- Amend oversight in kvm_arch_set_irq that turned Hyper-V code dead
- Use SRCU around kvm_lapic_set_vapic_addr
- Avoid recursive flushing of asynchronous page faults
- Do not rely on deferred update in KVM_GET_CLOCK, which fixes #GP
- Let userspace know that KVM_GET_CLOCK is useful with master clock;
4.9 changed the return value to better match the guest clock, but
didn't provide means to let guests take advantage of it"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
kvm: x86: merge kvm_arch_set_irq and kvm_arch_set_irq_inatomic
KVM: x86: fix missed SRCU usage in kvm_lapic_set_vapic_addr
KVM: async_pf: avoid recursive flushing of work items
kvm: kvmclock: let KVM_GET_CLOCK return whether the master clock is in use
KVM: Disable irq while unregistering user notifier
KVM: x86: do not go through vcpu in __get_kvmclock_ns
KVM: arm64: Fix the issues when guest PMCCFILTR is configured
arm64: KVM: pmu: Fix AArch32 cycle counter access
-
Deselect functionality can be ignored for device-trees with
"i2c-mux-idle-disconnect" entries if no platform_data is available.
By enabling the deselect functionality outside the platform_data
block the logic works as it did in previous kernels.

Fixes: 7fcac9807175 ("i2c: i2c-mux-pca954x: convert to use an explicit i2c mux core")
Cc: # v4.7+
Signed-off-by: Alex Hemme
Signed-off-by: Ziyang Wu
[touched up a few minor issues /peda]
Signed-off-by: Peter Rosin
Signed-off-by: Wolfram Sang
-
Pull powerpc fixes from Michael Ellerman:
"Fixes marked for stable:
- fix system reset interrupt winkle wakeups
- fix setting of AIL in hypervisor mode

Fixes for code merged this cycle:
- fix exception vector build with 2.23 era binutils
- fix missing update of HID register on secondary CPUs

Other:
- fix missing pr_cont()s
- invalidate ERAT on tlbiel for POWER9 DD1"

* tag 'powerpc-4.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
powerpc/mm: Fix missing update of HID register on secondary CPUs
powerpc/mm/radix: Invalidate ERAT on tlbiel for POWER9 DD1
powerpc/64: Fix setting of AIL in hypervisor mode
powerpc/oops: Fix missing pr_cont()s in instruction dump
powerpc/oops: Fix missing pr_cont()s in show_regs()
powerpc/oops: Fix missing pr_cont()s in print_msr_bits() et. al.
powerpc/oops: Fix missing pr_cont()s in show_stack()
powerpc: Fix exception vector build with 2.23 era binutils
powerpc/64s: Fix system reset interrupt winkle wakeups
-
Pull crypto fixes from Herbert Xu:
"This fixes the following issues:

- Compiler warning in caam driver that was the last one remaining
- Do not register aes-xts in caam drivers on unsupported platforms
- Regression in algif_hash interface that may lead to an oops"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: algif_hash - Fix NULL hash crash with shash
crypto: caam - fix type mismatch warning
crypto: caam - do not register AES-XTS mode on LP units
-
Pull LED subsystem update from Jacek Anaszewski:
"I'd like to announce a new co-maintainer - Pavel Machek"

* tag 'leds_4.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
MAINTAINERS: Add LED subsystem co-maintainer