26 Feb, 2017
1 commit
-
[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ]
It seems nobody used LLC since linux-3.12.
Fortunately fuzzers like syzkaller still know how to run this code,
otherwise it would be no fun.
Setting skb->sk without skb->destructor leads to all kinds of
bugs, we now prefer to be very strict about it.
Ideally here we would use skb_set_owner() but this helper does not exist yet,
only CAN seems to have a private helper for that.
Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
Signed-off-by: Eric Dumazet
Reported-by: Andrey Konovalov
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
17 Sep, 2016
1 commit
-
(As asked by Dave in February)
Signed-off-by: Alan Cox
Signed-off-by: David S. Miller
10 May, 2016
1 commit
-
In netdevice.h we removed the structure in net-next that is being
changed in 'net'. In macsec.c and rtnetlink.c we have overlaps
between fixes in 'net' and the u64 attribute changes in 'net-next'.
The mlx5 conflicts have to do with vxlan support dependencies.
Signed-off-by: David S. Miller
05 May, 2016
1 commit
-
The stack object “info” has a total size of 12 bytes. Its last byte
is padding which is not initialized and leaked via “put_cmsg”.
Signed-off-by: Kangjie Lu
Signed-off-by: David S. Miller
14 Apr, 2016
1 commit
-
sock_owned_by_user should not be used without socket lock held. It seems
to be a common practice to check .owned before lock reclassification, so
provide a little help to abstract this check away.
Cc: linux-cifs@vger.kernel.org
Cc: linux-bluetooth@vger.kernel.org
Cc: linux-nfs@vger.kernel.org
Signed-off-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
18 Feb, 2016
1 commit
-
The timeout is a long, we return it truncated if it is huge. Basically
harmless as the only caller does a boolean check, but tidy it up anyway.
(64bit build tested this time. Thank you 0day)
Signed-off-by: Alan Cox
Signed-off-by: David S. Miller
27 Jul, 2015
1 commit
-
Currently, tcp_recvmsg enters a busy loop in sk_wait_data if called
with flags = MSG_WAITALL | MSG_PEEK.
sk_wait_data waits for sk_receive_queue not empty, but in this case,
the receive queue is not empty, but does not contain any skb that we
can use.
Add a "last skb seen on receive queue" argument to sk_wait_data, so
that it sleeps until the receive queue has new skbs.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=99461
Link: https://sourceware.org/bugzilla/show_bug.cgi?id=18493
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1205258
Reported-by: Enrico Scholz
Reported-by: Dan Searle
Signed-off-by: Sabrina Dubroca
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
11 May, 2015
1 commit
-
In preparation for changing how struct net is refcounted
on kernel sockets pass the knowledge that we are creating
a kernel socket from sock_create_kern through to sk_alloc.
Signed-off-by: "Eric W. Biederman"
Signed-off-by: David S. Miller
03 Mar, 2015
1 commit
-
After TIPC doesn't depend on iocb argument in its internal
implementations of sendmsg() and recvmsg() hooks defined in proto
structure, no any user is using iocb argument in them at all now.
Then we can drop the redundant iocb argument completely from kinds of
implementations of both sendmsg() and recvmsg() in the entire
networking stack.
Cc: Christoph Hellwig
Suggested-by: Al Viro
Signed-off-by: Ying Xue
Signed-off-by: David S. Miller
25 Jan, 2015
1 commit
-
The timeout entries are sizeof(int) rather than sizeof(long), which
means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.
Signed-off-by: Sasha Levin
Signed-off-by: David S. Miller
11 Dec, 2014
3 commits
-
It's better when function pointer arrays aren't modifiable.
Net change:
$ size net/llc/built-in.o.*
   text    data     bss     dec     hex filename
  61193   12758    1344   75295   1261f net/llc/built-in.o.new
  47113   27030    1344   75487   126df net/llc/built-in.o.old
Signed-off-by: Joe Perches
Signed-off-by: David S. Miller
-
It's better when function pointer arrays aren't modifiable.
Net change from original:
$ size net/llc/built-in.o.*
   text    data     bss     dec     hex filename
  61065   12886    1344   75295   1261f net/llc/built-in.o.new
  47113   27030    1344   75487   126df net/llc/built-in.o.old
Signed-off-by: Joe Perches
Signed-off-by: David S. Miller
-
It's better when function pointer arrays aren't modifiable.
Signed-off-by: Joe Perches
Signed-off-by: David S. Miller
24 Nov, 2014
1 commit
-
Signed-off-by: Al Viro
06 Nov, 2014
1 commit
-
This encapsulates all of the skb_copy_datagram_iovec() callers
with call argument signature "skb, offset, msghdr->msg_iov, length".
When we move to iov_iters in the networking, the iov_iter object will
sit in the msghdr.
Having a helper like this means there will be less places to touch
during that transformation.
Based upon descriptions and patch from Al Viro.
Signed-off-by: David S. Miller
25 Oct, 2014
1 commit
-
Signed-off-by: Fabian Frederick
Signed-off-by: David S. Miller
28 Sep, 2014
1 commit
-
Per commit "77873803363c net_dma: mark broken" net_dma is no longer used
and there is no plan to fix it.
This is the mechanical removal of bits in CONFIG_NET_DMA ifdef guards.
Reverting the remainder of the net_dma induced changes is deferred to
subsequent patches.
Marked for stable due to Roman's report of a memory leak in
dma_pin_iovec_pages():
https://lkml.org/lkml/2014/9/3/177
Cc: Dave Jiang
Cc: Vinod Koul
Cc: David Whipple
Cc: Alexander Duyck
Cc:
Reported-by: Roman Gushchin
Acked-by: David S. Miller
Signed-off-by: Dan Williams
29 Jan, 2014
1 commit
-
Sending malformed llc packets triggers this spew, which seems excessive.
WARNING: CPU: 1 PID: 6917 at net/llc/llc_output.c:46 llc_mac_hdr_init+0x85/0x90 [llc]()
device type not supported: 0
CPU: 1 PID: 6917 Comm: trinity-c1 Not tainted 3.13.0+ #95
0000000000000009 00000000007e257d ffff88009232fbe8 ffffffffac737325
ffff88009232fc30 ffff88009232fc20 ffffffffac06d28d ffff88020e07f180
ffff88009232fec0 00000000000000c8 0000000000000000 ffff88009232fe70
Call Trace:
[] dump_stack+0x4e/0x7a
[] warn_slowpath_common+0x7d/0xa0
[] warn_slowpath_fmt+0x5c/0x80
[] llc_mac_hdr_init+0x85/0x90 [llc]
[] llc_build_and_send_ui_pkt+0x79/0x90 [llc]
[] llc_ui_sendmsg+0x23a/0x400 [llc2]
[] sock_sendmsg+0x9c/0xe0
[] ? might_fault+0x47/0x50
[] SYSC_sendto+0x121/0x1c0
[] ? syscall_trace_enter+0x207/0x270
[] SyS_sendto+0xe/0x10
[] tracesys+0xdd/0xe2
Until 2009, this was a printk, when it was changed in
bf9ae5386bc: "llc: use dev_hard_header".
Let userland figure out what -EINVAL means by itself.
Signed-off-by: Dave Jones
Signed-off-by: David S. Miller
19 Jan, 2014
1 commit
-
This is a follow-up patch to f3d3342602f8bc ("net: rework recvmsg
handler msg_name and msg_namelen logic").
DECLARE_SOCKADDR validates that the structure we use for writing the
name information to is not larger than the buffer which is reserved
for msg->msg_name (which is 128 bytes). Also use DECLARE_SOCKADDR
consistently in sendmsg code paths.
Signed-off-by: Steffen Hurrle
Suggested-by: Hannes Frederic Sowa
Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
07 Jan, 2014
1 commit
-
Conflicts:
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c
net/ipv6/ip6_tunnel.c
net/ipv6/ip6_vti.c
ipv6 tunnel statistic bug fixes conflicting with consolidation into
generic sw per-cpu net stats.
qlogic conflict between queue counting bug fix and the addition
of multiple MAC address support.
Signed-off-by: David S. Miller
04 Jan, 2014
1 commit
-
The llc_sap_list_lock does not need to be global, only acquired
in core.
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
03 Jan, 2014
1 commit
-
While commit 30a584d944fb fixes datagram interface in LLC, a use
after free bug has been introduced for SOCK_STREAM sockets that do
not make use of MSG_PEEK.
The flow is as follows ...
  if (!(flags & MSG_PEEK)) {
    ...
    sk_eat_skb(sk, skb, false);
    ...
  }
  ...
  if (used + offset < skb->len)
    continue;
... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
original length and work on skb_len to check partial reads.
Fixes: 30a584d944fb ("[LLX]: SOCK_DGRAM interface fixes")
Signed-off-by: Daniel Borkmann
Cc: Stephen Hemminger
Cc: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
28 Dec, 2013
1 commit
-
Signed-off-by: Weilong Chen
Signed-off-by: David S. Miller
21 Nov, 2013
1 commit
-
This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
set msg_namelen to the proper size
Suggested-by: Eric Dumazet
Signed-off-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
04 Sep, 2013
1 commit
-
Convert the llc_ static inlines to the
equivalents from etherdevice.h and remove
the llc_ static inline functions.
llc_mac_null -> is_zero_ether_addr
llc_mac_multicast -> is_multicast_ether_addr
llc_mac_match -> ether_addr_equal
Signed-off-by: Joe Perches
Signed-off-by: David S. Miller
16 Aug, 2013
1 commit
-
UIDs are printed in the proc_fs as signed int, whereas
they are unsigned int.
Signed-off-by: Francesco Fusco
Signed-off-by: David S. Miller
08 Apr, 2013
1 commit
-
For stream sockets the code misses to update the msg_namelen member
to 0 and therefore makes net/socket.c leak the local, uninitialized
sockaddr_storage variable to userland -- 128 bytes of kernel stack
memory. The msg_namelen update is also missing for datagram sockets
in case the socket is shutting down during receive.
Fix both issues by setting msg_namelen to 0 early. It will be
updated later if we're going to fill the msg_name member.
Cc: Arnaldo Carvalho de Melo
Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller
28 Feb, 2013
1 commit
-
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;type T;
expression a,c,d,e;
identifier b;
statement S;
@@-T b;
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin
Acked-by: Paul E. McKenney
Signed-off-by: Sasha Levin
Cc: Wu Fengguang
Cc: Marcelo Tosatti
Cc: Gleb Natapov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
19 Nov, 2012
1 commit
-
Allow an unprivileged user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.
Allow creation of af_key sockets.
Allow creation of llc sockets.
Allow creation of af_packet sockets.
Allow sending xfrm netlink control messages.
Allow binding to netlink multicast groups.
Allow sending to netlink multicast groups.
Allow adding and dropping netlink multicast groups.
Allow sending to all netlink multicast groups and port ids.
Allow reading the netfilter SO_IP_SET socket option.
Allow sending netfilter netlink messages.
Allow setting and getting ip_vs netfilter socket options.
Signed-off-by: "Eric W. Biederman"
Signed-off-by: David S. Miller
18 Sep, 2012
7 commits
-
Signed-off-by: David S. Miller
-
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
-
These arrays are accessed by iteration in
llc_exec_station_trans_actions(). There must not be any zero-filled
gaps in them, so the explicit indices are pointless.
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
-
We only ever put one skb on the send queue, and then immediately
send it. Remove the queue and call dev_queue_xmit() directly.
This leaves struct llc_station empty, so remove that as well.
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
-
We only ever put one skb on the event queue, and then immediately
process it. Remove the queue and fold together the related functions,
removing several blatantly false comments.
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
-
The initial state is UP and there is no way to enter the other states
as the required event type is never generated. Delete all states,
event types, and other dead code. The only thing left is handling
of the XID and TEST commands.
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
-
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
25 Aug, 2012
1 commit
-
This is an initial merge in of Eric Biederman's work to start adding
user namespace support to the networking.
Signed-off-by: David S. Miller
16 Aug, 2012
1 commit
-
The LLC code wrongly returns 0, i.e. "success", when the socket is
zapped. Together with the uninitialized uaddrlen pointer argument from
sys_getsockname this leads to an arbitrary memory leak of up to 128
bytes kernel stack via the getsockname() syscall.
Return an error instead when the socket is zapped to prevent the info
leak. Also remove the unnecessary memset(0). We don't directly write to
the memory pointed by uaddr but memcpy() a local structure at the end of
the function that is properly initialized.
Signed-off-by: Mathias Krause
Cc: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
15 Aug, 2012
2 commits
-
Cc: Alexey Kuznetsov
Cc: James Morris
Cc: Hideaki YOSHIFUJI
Cc: Patrick McHardy
Cc: Arnaldo Carvalho de Melo
Cc: Sridhar Samudrala
Acked-by: Vlad Yasevich
Acked-by: David S. Miller
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
-
When registering the handlers, any state they rely on must be
completely initialised first. When unregistering, we must wait until
they are definitely no longer running. llc_rcv() must also avoid
reading the handler pointers again after checking for NULL.
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller