11 Apr, 2013

2 commits

  • Pull networking fixes from David Miller:

    1) cfg80211_conn_scan() must be called with the sched_scan_mutex, fix
    from Artem Savkov.

    2) Fix regression in TCP ICMPv6 processing, we do not want to treat
    redirects as socket errors, from Christoph Paasch.

    3) Fix several recvmsg() msg_name kernel memory leaks into userspace,
    in ATM, AX25, Bluetooth, CAIF, IRDA, s390 IUCV, L2TP, LLC, Netrom,
    NFC, Rose, TIPC, and VSOCK. From Mathias Krause and Wei Yongjun.

    4) Fix AF_IUCV handling of segmented SKBs in recvmsg(), from Ursula
    Braun and Eric Dumazet.

    5) CAN gw.c code does kfree() on SLAB cache memory, use
    kmem_cache_free() instead. Fix from Wei Yongjun.

    6) Fix LSM regression on TCP SYN/ACKs, some LSMs such as SELINUX want
    an skb->sk socket context available for these packets, but nothing
    else requires it. From Eric Dumazet and Paul Moore.

    7) Fix ipv4 address lifetime processing so that we don't perform
    sleepable acts inside of rcu_read_lock() sections, do them in an
    rtnl_lock() section instead. From Jiri Pirko.

    8) mvneta driver accidentally sets HW features after device registry, it
    should do so beforehand. Fix from Willy Tarreau.

    9) Fix bonding unload races more correctly, from Nikolay Aleksandrov
    and Veaceslav Falico.

    10) rtnl_dump_ifinfo() and rtnl_calcit() invoke nlmsg_parse() with wrong
    header size argument. Fix from Michael Riesch.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
    lsm: add the missing documentation for the security_skb_owned_by() hook
    bnx2x: Prevent null pointer dereference in AFEX mode
    e100: Add dma mapping error check
    selinux: add a skb_owned_by() hook
    can: gw: use kmem_cache_free() instead of kfree()
    netrom: fix invalid use of sizeof in nr_recvmsg()
    qeth: fix qeth_wait_for_threads() deadlock for OSN devices
    af_iucv: fix recvmsg by replacing skb_pull() function
    rtnetlink: Call nlmsg_parse() with correct header length
    bonding: fix bonding_masters race condition in bond unloading
    Revert "bonding: remove sysfs before removing devices"
    net: mvneta: enable features before registering the driver
    hyperv: Fix RNDIS send_completion code path
    hyperv: Fix a kernel warning from netvsc_linkstatus_callback()
    net: ipv4: fix schedule while atomic bug in check_lifetime()
    net: ipv4: reset check_lifetime_work after changing lifetime
    bnx2x: Fix KR2 rapid link flap
    sctp: remove 'sridhar' from maintainers list
    VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg()
    VSOCK: vmci - fix possible info leak in vmci_transport_dgram_dequeue()
    ...

    Linus Torvalds
     
  • Pull NFS client bugfixes from Trond Myklebust:
    - fix for memory corruption issues in nfs4[01]_walk_client_list (stable)
    - fix for an Oopsable bug in rpc_clone_client (stable)
    - another state manager deadlock in the NFSv4 open code
    - memory leaks in nfs4_discover_server_trunking and rpc_new_client

    * tag 'nfs-for-3.9-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
    NFSv4: Fix another potential state manager deadlock
    SUNRPC: Fix a potential memory leak in rpc_new_client
    NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
    NFSv4: Fix a memory leak in nfs4_discover_server_trunking
    SUNRPC: Remove extra xprt_put()

    Linus Torvalds
     

10 Apr, 2013

2 commits

  • Marc Kleine-Budde says:

    ====================
    here's a fix for the v3.9 release cycle, if not too late:

    Wei Yongjun contributes a patch for the can-gw protocol. With the patch,
    memory allocated with kmem_cache_alloc() is now freed using kmem_cache_free(),
    not kfree().
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • Commit 90ba9b1986b5ac (tcp: tcp_make_synack() can use alloc_skb())
    broke certain SELinux/NetLabel configurations by no longer correctly
    assigning the sock to the outgoing SYNACK packet.

    Cost of atomic operations on the LISTEN socket is quite big,
    and we would like it to happen only if really needed.

    This patch introduces a new security_ops->skb_owned_by() method,
    that is a void operation unless selinux is active.

    Reported-by: Miroslav Vadkerti
    Diagnosed-by: Paul Moore
    Signed-off-by: Eric Dumazet
    Cc: "David S. Miller"
    Cc: linux-security-module@vger.kernel.org
    Acked-by: James Morris
    Tested-by: Paul Moore
    Acked-by: Paul Moore
    Signed-off-by: David S. Miller

    Eric Dumazet
     

09 Apr, 2013

7 commits


08 Apr, 2013

17 commits

    The code fails to update the msg_namelen member to 0 and therefore
    makes net/socket.c leak the local, uninitialized sockaddr_storage
    variable to userland -- 128 bytes of kernel stack memory.

    Cc: Andy King
    Cc: Dmitry Torokhov
    Cc: George Zhang
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • In case we received no data on the call to skb_recv_datagram(), i.e.
    skb->data is NULL, vmci_transport_dgram_dequeue() will return with 0
    without updating msg_namelen leading to net/socket.c leaking the local,
    uninitialized sockaddr_storage variable to userland -- 128 bytes of
    kernel stack memory.

    Fix this by moving the already existing msg_namelen assignment a few
    lines above.

    Cc: Andy King
    Cc: Dmitry Torokhov
    Cc: George Zhang
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • The code in set_orig_addr() does not initialize all of the members of
    struct sockaddr_tipc when filling the sockaddr info -- namely the union
    is only partly filled. This will make recv_msg() and recv_stream() --
    the only users of this function -- leak kernel stack memory as the
    msg_name member is a local variable in net/socket.c.

    In addition to that, both recv_msg() and recv_stream() fail to update
    the msg_namelen member to 0 while otherwise returning with 0, i.e.
    "success". This is the case for, e.g., non-blocking sockets. This will
    lead to a 128 byte kernel stack leak in net/socket.c.

    Fix the first issue by initializing the memory of the union with
    memset(0). Fix the second one by setting msg_namelen to 0 early as it
    will be updated later if we're going to fill the msg_name member.

    Cc: Jon Maloy
    Cc: Allan Stephens
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • The code in rose_recvmsg() does not initialize all of the members of
    struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
    Nor does it initialize the padding bytes of the structure inserted by
    the compiler for alignment. This will lead to leaking uninitialized
    kernel stack bytes in net/socket.c.

    Fix the issue by initializing the memory used for sockaddr info with
    memset(0).

    Cc: Ralf Baechle
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • The code in llcp_sock_recvmsg() does not initialize all the members of
    struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
    initialize the padding bytes of the structure inserted by the compiler
    for alignment.

    Also, if the socket is in state LLCP_CLOSED or is shutting down during
    receive the msg_namelen member is not updated to 0 while otherwise
    returning with 0, i.e. "success". The msg_namelen update is also
    missing for stream and seqpacket sockets which don't fill the sockaddr
    info.

    Both issues lead to the fact that the code will leak uninitialized
    kernel stack bytes in net/socket.c.

    Fix the first issue by initializing the memory used for sockaddr info
    with memset(0). Fix the second one by setting msg_namelen to 0 early.
    It will be updated later if we're going to fill the msg_name member.

    Cc: Lauro Ramos Venancio
    Cc: Aloisio Almeida Jr
    Cc: Samuel Ortiz
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • In case msg_name is set the sockaddr info gets filled out, as
    requested, but the code fails to initialize the padding bytes of
    struct sockaddr_ax25 inserted by the compiler for alignment. Also
    the sax25_ndigis member does not get assigned, leaking four more
    bytes.

    Both issues lead to the fact that the code will leak uninitialized
    kernel stack bytes in net/socket.c.

    Fix both issues by initializing the memory with memset(0).

    Cc: Ralf Baechle
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
    For stream sockets the code fails to update the msg_namelen member
    to 0 and therefore makes net/socket.c leak the local, uninitialized
    sockaddr_storage variable to userland -- 128 bytes of kernel stack
    memory. The msg_namelen update is also missing for datagram sockets
    in case the socket is shutting down during receive.

    Fix both issues by setting msg_namelen to 0 early. It will be
    updated later if we're going to fill the msg_name member.

    Cc: Arnaldo Carvalho de Melo
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
    struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
    in l2tp_ip6_recvmsg() in case msg_name is set.

    Initialize l2tp_conn_id with 0 to avoid the info leak.

    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • The current code does not fill the msg_name member in case it is set.
    It also does not set the msg_namelen member to 0 and therefore makes
    net/socket.c leak the local, uninitialized sockaddr_storage variable
    to userland -- 128 bytes of kernel stack memory.

    Fix that by simply setting msg_namelen to 0 as obviously nobody cared
    about iucv_sock_recvmsg() not filling the msg_name in case it was set.

    Cc: Ursula Braun
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • The current code does not fill the msg_name member in case it is set.
    It also does not set the msg_namelen member to 0 and therefore makes
    net/socket.c leak the local, uninitialized sockaddr_storage variable
    to userland -- 128 bytes of kernel stack memory.

    Fix that by simply setting msg_namelen to 0 as obviously nobody cared
    about irda_recvmsg_dgram() not filling the msg_name in case it was
    set.

    Cc: Samuel Ortiz
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • The current code does not fill the msg_name member in case it is set.
    It also does not set the msg_namelen member to 0 and therefore makes
    net/socket.c leak the local, uninitialized sockaddr_storage variable
    to userland -- 128 bytes of kernel stack memory.

    Fix that by simply setting msg_namelen to 0 as obviously nobody cared
    about caif_seqpkt_recvmsg() not filling the msg_name in case it was
    set.

    Cc: Sjur Braendeland
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in
    the flags, sco_sock_recvmsg() returns early with 0 without updating the
    possibly set msg_namelen member. This, in turn, leads to a 128 byte
    kernel stack leak in net/socket.c.

    Fix this by updating msg_namelen in this case. For all other cases it
    will be handled in bt_sock_recvmsg().

    Cc: Marcel Holtmann
    Cc: Gustavo Padovan
    Cc: Johan Hedberg
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
    early with 0 without updating the possibly set msg_namelen member. This,
    in turn, leads to a 128 byte kernel stack leak in net/socket.c.

    Fix this by updating msg_namelen in this case. For all other cases it
    will be handled in bt_sock_stream_recvmsg().

    Cc: Marcel Holtmann
    Cc: Gustavo Padovan
    Cc: Johan Hedberg
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • In case the socket is already shutting down, bt_sock_recvmsg() returns
    with 0 without updating msg_namelen leading to net/socket.c leaking the
    local, uninitialized sockaddr_storage variable to userland -- 128 bytes
    of kernel stack memory.

    Fix this by moving the msg_namelen assignment in front of the shutdown
    test.

    Cc: Marcel Holtmann
    Cc: Gustavo Padovan
    Cc: Johan Hedberg
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • When msg_namelen is non-zero the sockaddr info gets filled out, as
    requested, but the code fails to initialize the padding bytes of struct
    sockaddr_ax25 inserted by the compiler for alignment. Additionally the
    msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
    not always filled up to this size.

    Both issues lead to the fact that the code will leak uninitialized
    kernel stack bytes in net/socket.c.

    Fix both issues by initializing the memory with memset(0).

    Cc: Ralf Baechle
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     
  • The current code does not fill the msg_name member in case it is set.
    It also does not set the msg_namelen member to 0 and therefore makes
    net/socket.c leak the local, uninitialized sockaddr_storage variable
    to userland -- 128 bytes of kernel stack memory.

    Fix that by simply setting msg_namelen to 0 as obviously nobody cared
    about vcc_recvmsg() not filling the msg_name in case it was set.

    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
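The recvmsg() fixes above all come down to one contract between net/socket.c and the protocol handlers: the generic layer lends the protocol a local `struct sockaddr_storage` and afterwards copies `msg_namelen` bytes of it back to the caller, so a handler that returns "success" without zeroing `msg_namelen`, or that fills the named fields but not the compiler padding, hands stale stack contents to userland. The following is an added user-space model of that contract, not kernel code and not part of any of these commits; `struct msghdr_model`, `struct sockaddr_model`, the `recvmsg_*` handlers and the `STALE` marker standing in for leftover stack data are all constructed for illustration. It shows both bug patterns beside the two fixes the commits apply (setting `msg_namelen` to 0 early, and `memset(0)` on the sockaddr before filling it), and counts how many copied-out bytes the handler never wrote.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct msghdr: only the two fields involved. */
struct msghdr_model {
    void *msg_name;
    int   msg_namelen;
};

/* Constructed stand-in for a protocol sockaddr whose layout forces compiler
 * padding: on the usual ABIs a 16-bit family followed by a 32-bit id leaves
 * two padding bytes that nothing initialises unless we memset() them. */
struct sockaddr_model {
    uint16_t family;
    uint32_t id;
};

#define STORAGE_LEN 128   /* sizeof(struct sockaddr_storage) in the kernel */
#define STALE       0xAA  /* marker for whatever the stack previously held */

typedef int (*proto_recvmsg_fn)(struct msghdr_model *msg);

/* Bug pattern 1 (VSOCK, Bluetooth, IUCV, IrDA, CAIF, ATM, LLC ...): an early
 * "success" return that never touches msg_namelen, so the generic layer
 * copies the caller's full length of untouched storage back out. */
static int recvmsg_forgets_namelen(struct msghdr_model *msg)
{
    (void)msg;
    return 0;
}

/* Bug pattern 2 (TIPC, ROSE, AX.25, NFC LLCP): the named fields are filled
 * and msg_namelen is set, but the padding bytes keep their old contents. */
static int recvmsg_fills_fields_only(struct msghdr_model *msg)
{
    struct sockaddr_model *sa = msg->msg_name;

    sa->family = 1;
    sa->id = 42;
    msg->msg_namelen = sizeof(*sa);
    return 0;
}

/* Fix for pattern 1: zero msg_namelen before any early-out path. */
static int recvmsg_fixed_early_out(struct msghdr_model *msg)
{
    msg->msg_namelen = 0;
    return 0;   /* e.g. socket shutting down, nothing to report */
}

/* Fix for pattern 2: memset(0) the whole sockaddr before filling it. */
static int recvmsg_fixed_filled(struct msghdr_model *msg)
{
    struct sockaddr_model *sa = msg->msg_name;

    msg->msg_namelen = 0;
    memset(sa, 0, sizeof(*sa));
    sa->family = 1;
    sa->id = 42;
    msg->msg_namelen = sizeof(*sa);
    return 0;
}

/* Model of the generic layer: a local sockaddr_storage is lent to the
 * protocol, then msg_namelen bytes of it go to the caller.  Returns how many
 * copied bytes still carry STALE, i.e. "kernel stack" the protocol never
 * wrote; -1 on a protocol error or an out-of-range msg_namelen. */
static int socket_layer_recvmsg(proto_recvmsg_fn proto, int caller_namelen)
{
    unsigned char storage[STORAGE_LEN];   /* the sockaddr_storage local */
    unsigned char user_buf[STORAGE_LEN];  /* what userland receives */
    struct msghdr_model msg;
    int leaked = 0, i;

    memset(storage, STALE, sizeof(storage));  /* simulate stale stack data */
    msg.msg_name = storage;
    msg.msg_namelen = caller_namelen;

    if (proto(&msg) != 0)
        return -1;
    if (msg.msg_namelen < 0 || msg.msg_namelen > STORAGE_LEN)
        return -1;

    memcpy(user_buf, storage, (size_t)msg.msg_namelen); /* the copy_to_user */
    for (i = 0; i < msg.msg_namelen; i++)
        if (user_buf[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("forgets msg_namelen : %d stale bytes copied out\n",
           socket_layer_recvmsg(recvmsg_forgets_namelen, STORAGE_LEN));
    printf("fields only         : %d stale bytes copied out\n",
           socket_layer_recvmsg(recvmsg_fills_fields_only, STORAGE_LEN));
    printf("fixed early-out     : %d stale bytes copied out\n",
           socket_layer_recvmsg(recvmsg_fixed_early_out, STORAGE_LEN));
    printf("fixed + memset      : %d stale bytes copied out\n",
           socket_layer_recvmsg(recvmsg_fixed_filled, STORAGE_LEN));
    return 0;
}
```

The first handler reproduces the "128 bytes of kernel stack memory" figure from the commit messages exactly: the caller passed in a full-size length and the handler never shrank it. The second leaks only the padding bytes, which is why the TIPC, ROSE and AX.25 fixes use memset(0) on the whole structure rather than assigning the remaining fields one by one.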
     
  • Tetja Rediske found that if the host receives an ICMPv6 redirect message
    after sending a SYN+ACK, the connection will be reset.

    He bisected it down to 093d04d (ipv6: Change skb->data before using
    icmpv6_notify() to propagate redirect), but the origin of the bug comes
    from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
    handlers.). The bug simply did not trigger prior to 093d04d, because
    skb->data did not point to the inner IP header and thus icmpv6_notify
    did not call the correct err_handler.

    This patch adds the missing "goto out;" in tcp_v6_err. After receiving
    an ICMPv6 Redirect, we should not continue processing the ICMP in
    tcp_v6_err, as this may trigger the removal of request-socks or setting
    sk_err(_soft).

    Reported-by: Tetja Rediske
    Signed-off-by: Christoph Paasch
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Christoph Paasch
     

06 Apr, 2013

3 commits

  • If the call to rpciod_up() fails, we currently leak a reference to the
    struct rpc_xprt.
    As part of the fix, we also remove the redundant check for xprt!=NULL.
    This is already taken care of by the callers.

    Signed-off-by: Trond Myklebust

    Trond Myklebust
     
  • While testing error cases where rpc_new_client() fails, I saw
    some oopses.

    If rpc_new_client() fails, it already invokes xprt_put(). Thus
    __rpc_clone_client() does not need to invoke it again.

    Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
    Fri Sep 14, 2012.

    Signed-off-by: Chuck Lever
    Cc: stable@vger.kernel.org [>=3.7]
    Signed-off-by: Trond Myklebust

    Chuck Lever
     
  • Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code
    to reset nf_trace in nf_reset(). This is wrong and unnecessary.

    nf_reset() is used in the following cases:

    - when passing packets up to the socket layer, at which point we want to
    release all netfilter references that might keep modules pinned while
    the packet is queued. nf_trace doesn't matter anymore at this point.

    - when encapsulating or decapsulating IPsec packets. We want to continue
    tracing these packets after IPsec processing.

    - when passing packets through virtual network devices. Only devices
    that encapsulate in IPv4/v6 matter since otherwise nf_trace is not
    used anymore. It's not entirely clear whether those packets should
    be traced after that, however we've always done that.

    - when passing packets through virtual network devices that make the
    packet cross network namespace boundaries. This is the only case
    where we clearly want to reset nf_trace and is also what the
    original patch intended to fix.

    Add a new function nf_reset_trace() and use it in dev_forward_skb() to
    fix this properly.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     

05 Apr, 2013

6 commits

    If userspace changes lifetime of address, send netlink notification and
    call notifier.

    Signed-off-by: Jiri Pirko
    Signed-off-by: David S. Miller

    Jiri Pirko
     
    It was reported that the following LSB test case failed
    https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
    were not coalescing unix stream messages when the application was
    expecting us to.

    The problem was that the first send was before the socket was accepted
    and thus sock->sk_socket was NULL in maybe_add_creds, and the second
    send after the socket was accepted had a non-NULL value for sk->socket
    and thus we could tell the credentials were not needed so we did not
    bother.

    The unnecessary credentials on the first message cause
    unix_stream_recvmsg to start verifying that all messages had the same
    credentials before coalescing and then the coalescing failed because
    the second message had no credentials.

    Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
    long standing pessimization which would fail to coalesce messages when
    reading from a unix stream socket if the senders were different even if
    we did not care about their credentials.

    I have tested this and verified that in the LSB test case mentioned
    above the messages do coalesce now, while they were failing to
    coalesce without this change.

    Reported-by: Karel Srot
    Reported-by: Ding Tianhong
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.

    The problem that the above patch was meant to address is that af_unix
    messages are not being coalesced because we are sending unnecessary
    credentials. Not sending credentials in maybe_add_creds totally
    breaks unconnected unix domain sockets that wish to send credentials
    to other sockets.

    In practice this breaks some versions of udev because they receive a
    message and the sending uid is bogus so they drop the message.

    Reported-by: Sven Joachim
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • A few drivers use dev_uc_sync/unsync to synchronize the
    address lists from master down to slave/lower devices. In
    some cases (bond/team) a single address list is synched down
    to multiple devices. At the time of unsync, we have a leak
    in these lower devices, because "synced" is treated as a
    boolean and the address will not be unsynced for anything after
    the first device/call.

    Treat "synced" as a count (same as refcount) and allow all
    unsync calls to work.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller

    Vlad Yasevich
     
  • Pablo Neira Ayuso says:

    ====================
    The following patchset contains netfilter updates for your net tree,
    they are:

    * Fix missing the skb->trace reset in nf_reset, noticed by Gao Feng
    while using the TRACE target with several net namespaces.

    * Fix prefix translation in IPv6 NPT if non-multiple of 32 prefixes
    are used, from Matthias Schiffer.

    * Fix invalid nfacct objects with empty name, they are now rejected
    with -EINVAL, spotted by Michael Zintakis, patch from myself.

    * A couple of fixes for wrong return values in the error path of
    nfnetlink_queue and nf_conntrack, from Wei Yongjun.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • …le/wireless into wireless

    John W. Linville says:

    ====================
    Here are some more fixes intended for the 3.9 stream...

    Regarding the mac80211 bits, Johannes says:

    "I had changed the idle handling to simplify it, but broken the
    sequencing of commands, at least for ath9k-htc, one patch restores the
    sequence. The other patch fixes a crash Jouni found while stress-testing
    the remain-on-channel code, when an item is deleted the work struct can
    run twice and crash the second time."

    As for the iwlwifi bits, Johannes says:

    "The only fix here is to the passive-no-RX firmware regulatory
    enforcement driver support code to not drop auth frames in quick
    succession, leading to not being able to connect to APs on passive
    channels in certain circumstances."

    Don't forget the NFC bits, about which Samuel says:

    "This time we have:

    - A crash fix for when a DGRAM LLCP socket is listening while the NFC adapter
    is physically removed.
    - A potential double skb free when the LLCP socket receive queue is full.
    - A fix for properly handling multiple and consecutive LLCP connections, and
    not trash the socket ack log.
    - A build failure for the MEI microread physical layer, now that the MEI bus
    APIs have been merged into char-misc-next."

    On top of that, Stone Piao provides an mwifiex fix to avoid accessing
    beyond the end of a buffer.
    ====================

    Signed-off-by: David S. Miller <davem@davemloft.net>

    David S. Miller
     

04 Apr, 2013

2 commits


03 Apr, 2013

1 commit