09 Jan, 2015
3 commits
-
commit d025933e29872cb1fe19fc54d80e4dfa4ee5779c upstream.
As multicast-frames can't be fragmented, "dot11MulticastReceivedFrameCount"
stopped being incremented after the use-after-free fix. Furthermore, the
RX-LED will be triggered by every multicast frame (which wouldn't happen
before) which wouldn't allow the LED to rest at all.Fixes https://bugzilla.kernel.org/show_bug.cgi?id=89431 which also had the
patch.Fixes: b8fff407a180 ("mac80211: fix use-after-free in defragmentation")
Signed-off-by: Andreas Müller
[rewrite commit message]
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman -
commit 7e6225a1604d0c6aa4140289bf5761868ffc9c83 upstream.
Avoid a case where we would access uninitialized stack data if the AP
advertises HT support without 40MHz channel support.Fixes: f3000e1b43f1 ("mac80211: fix broken use of VHT/20Mhz with some APs")
Signed-off-by: Jes Sorensen
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman -
commit 2967e031d4d737d9cc8252d878a17924d7b704f0 upstream.
Instead of keeping track of all those special cases where
VLAN interfaces have no bss_conf.chandef, just make sure
they have the same as the AP interface they belong to.Among others, this fixes a crash getting a VLAN's channel
from userspace since a NULL channel is returned as a good
result (return value 0) for VLANs since the commit below.Fixes: c12bc4885f4b3 ("mac80211: return the vif's chandef in ieee80211_cfg_get_channel()")
Signed-off-by: Felix Fietkau
[rewrite commit log]
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
17 Dec, 2014
6 commits
-
[ Upstream commit 7f19fc5e0b617593dcda0d9956adc78b559ef1f5 ]
For netlink, we shouldn't be using arch_fast_hash() as a hashing
discipline, but rather jhash() instead.Since netlink sockets can be opened by any user, a local attacker
would be able to easily create collisions with the DPDK-derived
arch_fast_hash(), which trades off performance for security by
using crc32 CPU instructions on x86_64.While it might have a legimite use case in other places, it should
be avoided in netlink context, though. As rhashtable's API is very
flexible, we could later on still decide on other hashing disciplines,
if legitimate.Reference: http://thread.gmane.org/gmane.linux.kernel/1844123
Fixes: e341694e3eb5 ("netlink: Convert netlink_lookup() to use RCU protected hash table")
Cc: Herbert Xu
Signed-off-by: Daniel Borkmann
Acked-by: Thomas Graf
Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 69204cf7eb9c5a72067ce6922d4699378251d053 ]
commit 46e5da40ae (net: qdisc: use rcu prefix and silence
sparse warnings) triggers a spurious warning:net/sched/sch_fq_codel.c:97 suspicious rcu_dereference_check() usage!
The code should be using the _bh variant of rcu_dereference.
Signed-off-by: Valdis Kletnieks
Acked-by: Eric Dumazet
Acked-by: John Fastabend
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 0f85feae6b710ced3abad5b2b47d31dfcb956b62 ]
When I cooked commit c3658e8d0f1 ("tcp: fix possible NULL dereference in
tcp_vX_send_reset()") I missed other spots we could deref a NULL
skb_dst(skb)Again, if a socket is provided, we do not need skb_dst() to get a
pointer to network namespace : sock_net(sk) is good enough.Reported-by: Dann Frazier
Bisected-by: Dann Frazier
Tested-by: Dann Frazier
Signed-off-by: Eric Dumazet
Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode")
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 9772b54c55266ce80c639a80aa68eeb908f8ecf5 ]
To accomodate for enough headroom for tunnels, use MAX_HEADER instead
of LL_MAX_HEADER. Robert reported that he has hit after roughly 40hrs
of trinity an skb_under_panic() via SCTP output path (see reference).
I couldn't reproduce it from here, but not using MAX_HEADER as elsewhere
in other protocols might be one possible cause for this.In any case, it looks like accounting on chunks themself seems to look
good as the skb already passed the SCTP output path and did not hit
any skb_over_panic(). Given tunneling was enabled in his .config, the
headroom would have been expanded by MAX_HEADER in this case.Reported-by: Robert Święcki
Reference: https://lkml.org/lkml/2014/12/1/507
Fixes: 594ccc14dfe4d ("[SCTP] Replace incorrect use of dev_alloc_skb with alloc_skb in sctp_packet_transmit().")
Signed-off-by: Daniel Borkmann
Acked-by: Vlad Yasevich
Acked-by: Neil Horman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit f2a01517f2a1040a0b156f171a7cefd748f2fd03 ]
Following patch fixes typo in the flow validation. This prevented
installation of ARP and IPv6 flows.Fixes: 19e7a3df72 ("openvswitch: Fix NDP flow mask validation")
Signed-off-by: Pravin B Shelar
Reviewed-by: Thomas Graf
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 6fb2a756739aa507c1fd5b8126f0bfc2f070dc46 ]
Set the inner mac header to point to the GRE payload when
doing GRO. This is needed if we proceed to send the packet
through GRE GSO which now uses the inner mac header instead
of inner network header to determine the length of encapsulation
headers.Fixes: 14051f0452a2 ("gre: Use inner mac length when computing tunnel length")
Reported-by: Wolfgang Walter
Signed-off-by: Tom Herbert
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
30 Nov, 2014
1 commit
-
rtnl_link_get_net() holds a reference on the 'struct net', we need to release
it in case of error.CC: Eric W. Biederman
Fixes: b51642f6d77b ("net: Enable a userns root rtnl calls that are safe for unprivilged users")
Signed-off-by: Nicolas Dichtel
Reviewed-by: "Eric W. Biederman"
Signed-off-by: David S. Miller
28 Nov, 2014
1 commit
-
Pull networking fixes from David Miller:
"Several small fixes here:1) Don't crash in tg3 driver when the number of tx queues has been
configured to be different from the number of rx queues. From
Thadeu Lima de Souza Cascardo.2) VLAN filter not disabled properly in promisc mode in ixgbe driver,
from Vlad Yasevich.3) Fix OOPS on dellink op in VTI tunnel driver, from Xin Long.
4) IPV6 GRE driver WCCP code checks skb->protocol for ETH_P_IP
instead of ETH_P_IPV6, whoops. From Yuri Chislov.5) Socket matching in ping driver is buggy when packet AF does not
match socket's AF. Fix from Jane Zhou.6) Fix checksum calculation errors in VXLAN due to where the
udp_tunnel6_xmit_skb() helper gets it's saddr/daddr from. From
Alexander Duyck.7) Fix 5G detection problem in rtlwifi driver, from Larry Finger.
8) Fix NULL deref in tcp_v{4,6}_send_reset, from Eric Dumazet.
9) Various missing netlink attribute verifications in bridging code,
from Thomas Graf.10) tcp_recvmsg() unconditionally calls ipv4 ip_recv_error even for
ipv6 sockets, whoops. Fix from Willem de Bruijn"* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (29 commits)
net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks
bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK
bridge: Add missing policy entry for IFLA_BRPORT_FAST_LEAVE
net: Check for presence of IFLA_AF_SPEC
net: Validate IFLA_BRIDGE_MODE attribute length
bridge: Validate IFLA_BRIDGE_FLAGS attribute length
stmmac: platform: fix default values of the filter bins setting
net/mlx4_core: Limit count field to 24 bits in qp_alloc_res
net: dsa: bcm_sf2: reset switch prior to initialization
net: dsa: bcm_sf2: fix unmapping registers in case of errors
tg3: fix ring init when there are more TX than RX channels
tcp: fix possible NULL dereference in tcp_vX_send_reset()
rtlwifi: Change order in device startup
rtlwifi: rtl8821ae: Fix 5G detection problem
Revert "netfilter: conntrack: fix race in __nf_conntrack_confirm against get_next_corpse"
vxlan: Fix boolean flip in VXLAN_F_UDP_ZERO_CSUM6_[TX|RX]
ip6_udp_tunnel: Fix checksum calculation
net-timestamp: Fix a documentation typo
net/ping: handle protocol mismatching scenario
af_packet: fix sparse warning
...
27 Nov, 2014
4 commits
-
TCP timestamping introduced MSG_ERRQUEUE handling for TCP sockets.
If the socket is of family AF_INET6, call ipv6_recv_error instead
of ip_recv_error.This change is more complex than a single branch due to the loadable
ipv6 module. It reuses a pre-existing indirect function call from
ping. The ping code is safe to call, because it is part of the core
ipv6 module and always present when AF_INET6 sockets are active.Fixes: 4ed2d765 (net-timestamp: TCP timestamping)
Signed-off-by: Willem de Bruijn----
It may also be worthwhile to add WARN_ON_ONCE(sk->family == AF_INET6)
to ip_recv_error.
Signed-off-by: David S. Miller -
Only search for IFLA_EXT_MASK if the message actually carries a
ifinfomsg header and validate minimal length requirements for
IFLA_EXT_MASK.Fixes: 6cbdceeb ("bridge: Dump vlan information from a bridge port")
Cc: Vlad Yasevich
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
Fixes: c2d3babf ("bridge: implement multicast fast leave")
Cc: David S. Miller
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
Payload is currently accessed blindly and may exceed valid message
boundaries.Fixes: 407af3299 ("bridge: Add netlink interface to configure vlans on bridge ports")
Cc: Vlad Yasevich
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
26 Nov, 2014
4 commits
-
Pull nfsd bugfixes from Bruce Fields:
"These fix one mishandling of the case when security labels are
configured out, and two races in the 4.1 backchannel code"* 'for-3.18' of git://linux-nfs.org/~bfields/linux:
nfsd: Fix slot wake up race in the nfsv4.1 callback code
SUNRPC: Fix locking around callback channel reply receive
nfsd: correctly define v4.2 support attributes -
After commit ca777eff51f7 ("tcp: remove dst refcount false sharing for
prequeue mode") we have to relax check against skb dst in
tcp_v[46]_send_reset() if prequeue dropped the dst.If a socket is provided, a full lookup was done to find this socket,
so the dst test can be skipped.Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88191
Reported-by: Jaša Bartelj
Signed-off-by: Eric Dumazet
Reported-by: Daniel Borkmann
Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode")
Signed-off-by: David S. Miller -
This reverts commit 5195c14c8b27cc0b18220ddbf0e5ad3328a04187.
If the conntrack clashes with an existing one, it is left out of
the unconfirmed list, thus, crashing when dropping the packet and
releasing the conntrack since golden rule is that conntracks are
always placed in any of the existing lists for traceability reasons.Reported-by: Daniel Borkmann
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=88841
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller -
The UDP checksum calculation for VXLAN tunnels is currently using the
socket addresses instead of the actual packet source and destination
addresses. As a result the checksum calculated is incorrect in some
cases.Also uh->check was being set twice, first it was set to 0, and then it is
set again in udp6_set_csum. This change removes the redundant assignment
to 0.Fixes: acbf74a7 ("vxlan: Refactor vxlan driver to make use of the common UDP tunnel functions.")
Cc: Andy Zhou
Signed-off-by: Alexander Duyck
Signed-off-by: David S. Miller
25 Nov, 2014
3 commits
-
ping_lookup() may return a wrong sock if sk_buff's and sock's protocols
dont' match. For example, sk_buff's protocol is ETH_P_IPV6, but sock's
sk_family is AF_INET, in that case, if sk->sk_bound_dev_if is zero, a wrong
sock will be returned.
the fix is to "continue" the searching, if no matching, return NULL.Cc: "David S. Miller"
Cc: Alexey Kuznetsov
Cc: James Morris
Cc: Hideaki YOSHIFUJI
Cc: Patrick McHardy
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Jane Zhou
Signed-off-by: Yiwei Zhao
Signed-off-by: David S. Miller -
af_packet produces lots of these:
net/packet/af_packet.c:384:39: warning: incorrect type in return expression (different modifiers)
net/packet/af_packet.c:384:39: expected struct page [pure] *
net/packet/af_packet.c:384:39: got struct page *this seems to be because sparse does not realize that _pure
refers to function, not the returned pointer.Tweak code slightly to avoid the warning.
Signed-off-by: Michael S. Tsirkin
Signed-off-by: David S. Miller -
When using GRE redirection in WCCP, it sets the wrong skb->protocol,
that is, ETH_P_IP instead of ETH_P_IPV6 for the encapuslated traffic.Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Cc: Dmitry Kozlov
Signed-off-by: Yuri Chislov
Tested-by: Yuri Chislov
Signed-off-by: Daniel Borkmann
Signed-off-by: David S. Miller
24 Nov, 2014
2 commits
-
Now the vti_link_ops do not point the .dellink, for fb tunnel device
(ip_vti0), the net_device will be removed as the default .dellink is
unregister_netdevice_queue,but the tunnel still in the tunnel list,
then if we add a new vti tunnel, in ip_tunnel_find():hlist_for_each_entry_rcu(t, head, hash_node) {
if (local == t->parms.iph.saddr &&
remote == t->parms.iph.daddr &&
link == t->parms.link &&
==> type == t->dev->type &&
ip_tunnel_key_match(&t->parms, flags, key))
break;
}the panic will happen, cause dev of ip_tunnel *t is null:
[ 3835.072977] IP: [] ip_tunnel_find+0x9d/0xc0 [ip_tunnel]
[ 3835.073008] PGD b2c21067 PUD b7277067 PMD 0
[ 3835.073008] Oops: 0000 [#1] SMP
.....
[ 3835.073008] Stack:
[ 3835.073008] ffff8800b72d77f0 ffffffffa0411924 ffff8800bb956000 ffff8800b72d78e0
[ 3835.073008] ffff8800b72d78a0 0000000000000000 ffffffffa040d100 ffff8800b72d7858
[ 3835.073008] ffffffffa040b2e3 0000000000000000 0000000000000000 0000000000000000
[ 3835.073008] Call Trace:
[ 3835.073008] [] ip_tunnel_newlink+0x64/0x160 [ip_tunnel]
[ 3835.073008] [] vti_newlink+0x43/0x70 [ip_vti]
[ 3835.073008] [] rtnl_newlink+0x4fa/0x5f0
[ 3835.073008] [] ? nla_strlcpy+0x5b/0x70
[ 3835.073008] [] ? rtnl_link_ops_get+0x40/0x60
[ 3835.073008] [] ? rtnl_newlink+0x13f/0x5f0
[ 3835.073008] [] rtnetlink_rcv_msg+0xa4/0x270
[ 3835.073008] [] ? sock_has_perm+0x75/0x90
[ 3835.073008] [] ? rtnetlink_rcv+0x30/0x30
[ 3835.073008] [] netlink_rcv_skb+0xa9/0xc0
[ 3835.073008] [] rtnetlink_rcv+0x28/0x30
....modprobe ip_vti
ip link del ip_vti0 type vti
ip link add ip_vti0 type vti
rmmod ip_vtido that one or more times, kernel will panic.
fix it by assigning ip_tunnel_dellink to vti_link_ops' dellink, in
which we skip the unregister of fb tunnel device. do the same on ip6_vti.Signed-off-by: Xin Long
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller -
This patch adds SKB_GSO_TCPV4 to the list of supported GSO types handled by
the IPv6 GSO offloads. Without this change VXLAN tunnels running over IPv6
do not currently handle IPv4 TCP TSO requests correctly and end up handing
the non-segmented frame off to the device.Below is the before and after for a simple netperf TCP_STREAM test between
two endpoints tunneling IPv4 over a VXLAN tunnel running on IPv6 on top of
a 1Gb/s network adapter.Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec87380 16384 16384 10.29 0.88 Before
87380 16384 16384 10.03 895.69 AfterSigned-off-by: Alexander Duyck
Signed-off-by: David S. Miller
22 Nov, 2014
3 commits
-
Pull networking fixes from David Miller:
1) Fix BUG when decrypting empty packets in mac80211, from Ronald Wahl.
2) nf_nat_range is not fully initialized and this is copied back to
userspace, from Daniel Borkmann.3) Fix read past end of b uffer in netfilter ipset, also from Dan
Carpenter.4) Signed integer overflow in ipv4 address mask creation helper
inet_make_mask(), from Vincent BENAYOUN.5) VXLAN, be2net, mlx4_en, and qlcnic need ->ndo_gso_check() methods to
properly describe the device's capabilities, from Joe Stringer.6) Fix memory leaks and checksum miscalculations in openvswitch, from
Pravin B SHelar and Jesse Gross.7) FIB rules passes back ambiguous error code for unreachable routes,
making behavior confusing for userspace. Fix from Panu Matilainen.8) ieee802154fake_probe() doesn't release resources properly on error,
from Alexey Khoroshilov.9) Fix skb_over_panic in add_grhead(), from Daniel Borkmann.
10) Fix access of stale slave pointers in bonding code, from Nikolay
Aleksandrov.11) Fix stack info leak in PPP pptp code, from Mathias Krause.
12) Cure locking bug in IPX stack, from Jiri Bohac.
13) Revert SKB fclone memory freeing optimization that is racey and can
allow accesses to freed up memory, from Eric Dumazet.* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (71 commits)
tcp: Restore RFC5961-compliant behavior for SYN packets
net: Revert "net: avoid one atomic operation in skb_clone()"
virtio-net: validate features during probe
cxgb4 : Fix DCB priority groups being returned in wrong order
ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
openvswitch: Don't validate IPv6 label masks.
pptp: fix stack info leak in pptp_getname()
brcmfmac: don't include linux/unaligned/access_ok.h
cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection
ipv6: delete protocol and unregister rtnetlink when cleanup
net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too
bonding: fix curr_active_slave/carrier with loadbalance arp monitoring
mac80211: minstrel_ht: fix a crash in rate sorting
vxlan: Inline vxlan_gso_check().
can: m_can: update to support CAN FD features
can: m_can: fix incorrect error messages
can: m_can: add missing delay after setting CCCR_INIT bit
can: m_can: fix not set can_dlc for remote frame
can: m_can: fix possible sleep in napi poll
can: m_can: add missing message RAM initialization
... -
Commit c3ae62af8e755 ("tcp: should drop incoming frames without ACK
flag set") was created to mitigate a security vulnerability in which a
local attacker is able to inject data into locally-opened sockets by
using TCP protocol statistics in procfs to quickly find the correct
sequence number.This broke the RFC5961 requirement to send a challenge ACK in response
to spurious RST packets, which was subsequently fixed by commit
7b514a886ba50 ("tcp: accept RST without ACK flag").Unfortunately, the RFC5961 requirement that spurious SYN packets be
handled in a similar manner remains broken.RFC5961 section 4 states that:
... the handling of the SYN in the synchronized state SHOULD be
performed as follows:1) If the SYN bit is set, irrespective of the sequence number, TCP
MUST send an ACK (also referred to as challenge ACK) to the remote
peer:After sending the acknowledgment, TCP MUST drop the unacceptable
segment and stop processing further.By sending an ACK, the remote peer is challenged to confirm the loss
of the previous connection and the request to start a new connection.
A legitimate peer, after restart, would not have a TCB in the
synchronized state. Thus, when the ACK arrives, the peer should send
a RST segment back with the sequence number derived from the ACK
field that caused the RST.This RST will confirm that the remote peer has indeed closed the
previous connection. Upon receipt of a valid RST, the local TCP
endpoint MUST terminate its connection. The local TCP endpoint
should then rely on SYN retransmission from the remote end to
re-establish the connection.This patch lets SYN packets through the discard added in c3ae62af8e755,
so that spurious SYN packets are properly dealt with as per the RFC.The challenge ACK is sent unconditionally and is rate-limited, so the
original vulnerability is not reintroduced by this patch.Signed-off-by: Calvin Owens
Acked-by: Eric Dumazet
Acked-by: Neal Cardwell
Signed-off-by: David S. Miller -
Not sure what I was thinking, but doing anything after
releasing a refcount is suicidal or/and embarrassing.By the time we set skb->fclone to SKB_FCLONE_FREE, another cpu
could have released last reference and freed whole skb.We potentially corrupt memory or trap if CONFIG_DEBUG_PAGEALLOC is set.
Reported-by: Chris Mason
Fixes: ce1a4ea3f1258 ("net: avoid one atomic operation in skb_clone()")
Signed-off-by: Eric Dumazet
Cc: Sabrina Dubroca
Signed-off-by: David S. Miller
21 Nov, 2014
4 commits
-
Pablo Neira Ayuso says:
====================
Netfilter fixes for netThe following patchset contains two bugfixes for your net tree, they are:
1) Validate netlink group from nfnetlink to avoid an out of bound array
access. This should only happen with superuser priviledges though.
Discovered by Andrey Ryabinin using trinity.2) Don't push ethernet header before calling the netfilter output hook
for multicast traffic, this breaks ebtables since it expects to see
skb->data pointing to the network header, patch from Linus Luessing.
====================Signed-off-by: David S. Miller
-
John W. Linville says:
====================
pull request: wireless 2014-11-20Please full this little batch of fixes intended for the 3.18 stream!
For the mac80211 patch, Johannes says:
"Here's another last minute fix, for minstrel HT crashing
depending on the value of some uninitialised stack."On top of that...
Ben Greear fixes an ath9k regression in which a BSSID mask is
miscalculated.Dmitry Torokhov corrects an error handling routing in brcmfmac which
was checking an unsigned variable for a negative value.Johannes Berg avoids a build problem in brcmfmac for arches where
linux/unaligned/access_ok.h and asm/unaligned.h conflict.Mathy Vanhoef addresses another brcmfmac issue so as to eliminate a
use-after-free of the URB transfer buffer if a timeout occurs.Please let me know if there are problems!
====================Signed-off-by: David S. Miller
-
This fixes an old regression introduced by commit
b0d0d915 (ipx: remove the BKL).When a recvmsg syscall blocks waiting for new data, no data can be sent on the
same socket with sendmsg because ipx_recvmsg() sleeps with the socket locked.This breaks mars-nwe (NetWare emulator):
- the ncpserv process reads the request using recvmsg
- ncpserv forks and spawns nwconn
- ncpserv calls a (blocking) recvmsg and waits for new requests
- nwconn deadlocks in sendmsg on the same socketCommit b0d0d915 has simply replaced BKL locking with
lock_sock/release_sock. Unlike now, BKL got unlocked while
sleeping, so a blocking recvmsg did not block a concurrent
sendmsg.Only keep the socket locked while actually working with the socket data and
release it prior to calling skb_recv_datagram().Signed-off-by: Jiri Bohac
Reviewed-by: Arnd Bergmann
Signed-off-by: David S. Miller -
When userspace doesn't provide a mask, OVS datapath generates a fully
unwildcarded mask for the flow by copying the flow and setting all bits
in all fields. For IPv6 label, this creates a mask that matches on the
upper 12 bits, causing the following error:openvswitch: netlink: Invalid IPv6 flow label value (value=ffffffff, max=fffff)
This patch ignores the label validation check for masks, avoiding this
error.Signed-off-by: Joe Stringer
Acked-by: Pravin B Shelar
Signed-off-by: David S. Miller
20 Nov, 2014
3 commits
-
pim6_protocol was added when initiation, but it not deleted.
Similarly, unregister RTNL_FAMILY_IP6MR rtnetlink.Signed-off-by: Duan Jiong
Reviewed-by: Cong Wang
Signed-off-by: David S. Miller -
…ernel/git/jberg/mac80211
Johannes Berg <johannes@sipsolutions.net> says:
"Here's another last minute fix, for minstrel HT crashing
depending on the value of some uninitialised stack."Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Both xprt_lookup_rqst() and xprt_complete_rqst() require that you
take the transport lock in order to avoid races with xprt_transmit().Signed-off-by: Trond Myklebust
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton
Signed-off-by: J. Bruce Fields
19 Nov, 2014
1 commit
-
The commit 5935839ad73583781b8bbe8d91412f6826e218a4
"mac80211: improve minstrel_ht rate sorting by throughput & probability"introduced a crash on rate sorting that occurs when the rate added to
the sorting array is faster than all the previous rates. Due to an
off-by-one error, it reads the rate index from tp_list[-1], which
contains uninitialized stack garbage, and then uses the resulting index
for accessing the group rate stats, leading to a crash if the garbage
value is big enough.Cc: Thomas Huehn
Reported-by: Jouni Malinen
Signed-off-by: Felix Fietkau
Signed-off-by: Johannes Berg
17 Nov, 2014
5 commits
-
Ebtables on the OUTPUT chain (NF_BR_LOCAL_OUT) would not work as expected
for both locally generated IGMP and MLD queries. The IP header specific
filter options are off by 14 Bytes for netfilter (actual output on
interfaces is fine).NF_HOOK() expects the skb->data to point to the IP header, not the
ethernet one (while dev_queue_xmit() does not). Luckily there is an
br_dev_queue_push_xmit() helper function already - let's just use that.Introduced by eb1d16414339a6e113d89e2cca2556005d7ce919
("bridge: Add core IGMP snooping support")Ebtables example:
$ ebtables -I OUTPUT -p IPv6 -o eth1 --logical-out br0 \
--log --log-level 6 --log-ip6 --log-prefix="~EBT: " -j DROPbefore (broken):
~EBT: IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
SRC=64a4:39c2:86dd:6000:0000:0020:0001:fe80 IPv6 \
DST=0000:0000:0000:0004:64ff:fea4:39c2:ff02, \
IPv6 priority=0x3, Next Header=2after (working):
~EBT: IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
SRC=fe80:0000:0000:0000:0004:64ff:fea4:39c2 IPv6 \
DST=ff02:0000:0000:0000:0000:0000:0000:0001, \
IPv6 priority=0x0, Next Header=0Signed-off-by: Linus Lüssing
Acked-by: Herbert Xu
Signed-off-by: Pablo Neira Ayuso -
Make sure the netlink group exists, otherwise you can trigger an out
of bound array memory access from the netlink_bind() path. This splat
can only be triggered only by superuser.[ 180.203600] UBSan: Undefined behaviour in ../net/netfilter/nfnetlink.c:467:28
[ 180.204249] index 9 is out of range for type 'int [9]'
[ 180.204697] CPU: 0 PID: 1771 Comm: trinity-main Not tainted 3.18.0-rc4-mm1+ #122
[ 180.205365] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org
+04/01/2014
[ 180.206498] 0000000000000018 0000000000000000 0000000000000009 ffff88007bdf7da8
[ 180.207220] ffffffff82b0ef5f 0000000000000092 ffffffff845ae2e0 ffff88007bdf7db8
[ 180.207887] ffffffff8199e489 ffff88007bdf7e18 ffffffff8199ea22 0000003900000000
[ 180.208639] Call Trace:
[ 180.208857] dump_stack (lib/dump_stack.c:52)
[ 180.209370] ubsan_epilogue (lib/ubsan.c:174)
[ 180.209849] __ubsan_handle_out_of_bounds (lib/ubsan.c:400)
[ 180.210512] nfnetlink_bind (net/netfilter/nfnetlink.c:467)
[ 180.210986] netlink_bind (net/netlink/af_netlink.c:1483)
[ 180.211495] SYSC_bind (net/socket.c:1541)Moreover, define the missing nf_tables and nf_acct multicast groups too.
Reported-by: Andrey Ryabinin
Signed-off-by: Pablo Neira Ayuso -
It has been reported that generating an MLD listener report on
devices with large MTUs (e.g. 9000) and a high number of IPv6
addresses can trigger a skb_over_panic():skbuff: skb_over_panic: text:ffffffff80612a5d len:3776 put:20
head:ffff88046d751000 data:ffff88046d751010 tail:0xed0 end:0xec0
dev:port1
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:100!
invalid opcode: 0000 [#1] SMP
Modules linked in: ixgbe(O)
CPU: 3 PID: 0 Comm: swapper/3 Tainted: G O 3.14.23+ #4
[...]
Call Trace:
[] ? skb_put+0x3a/0x3b
[] ? add_grhead+0x45/0x8e
[] ? add_grec+0x394/0x3d4
[] ? mld_ifc_timer_expire+0x195/0x20d
[] ? mld_dad_timer_expire+0x45/0x45
[] ? call_timer_fn.isra.29+0x12/0x68
[] ? run_timer_softirq+0x163/0x182
[] ? __do_softirq+0xe0/0x21d
[] ? irq_exit+0x4e/0xd3
[] ? smp_apic_timer_interrupt+0x3b/0x46
[] ? apic_timer_interrupt+0x6a/0x70mld_newpack() skb allocations are usually requested with dev->mtu
in size, since commit 72e09ad107e7 ("ipv6: avoid high order allocations")
we have changed the limit in order to be less likely to fail.However, in MLD/IGMP code, we have some rather ugly AVAILABLE(skb)
macros, which determine if we may end up doing an skb_put() for
adding another record. To avoid possible fragmentation, we check
the skb's tailroom as skb->dev->mtu - skb->len, which is a wrong
assumption as the actual max allocation size can be much smaller.The IGMP case doesn't have this issue as commit 57e1ab6eaddc
("igmp: refine skb allocations") stores the allocation size in
the cb[].Set a reserved_tailroom to make it fit into the MTU and use
skb_availroom() helper instead. This also allows to get rid of
igmp_skb_size().Reported-by: Wei Liu
Fixes: 72e09ad107e7 ("ipv6: avoid high order allocations")
Signed-off-by: Daniel Borkmann
Cc: Eric Dumazet
Cc: Hannes Frederic Sowa
Cc: David L Stevens
Acked-by: Eric Dumazet
Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller -
Pravin B Shelar says:
====================
Open vSwitchFollowing fixes are accumulated in ovs-repo.
Three of them are related to protocol processing, one is
related to memory leak in case of error and one is to
fix race.
Patch "Validate IPv6 flow key and mask values" has conflicts
with net-next, Let me know if you want me to send the patch
for net-next.
====================Signed-off-by: David S. Miller
-
Solves possible lockup issues that can be seen from firmware DCB agents calling
into the DCB app api.DCB firmware event queues can be tied in with NAPI so that dcb events are
generated in softIRQ context. This can results in calls to dcb_*app()
functions which try to take the dcb_lock.If the the event triggers while we also have the dcb_lock because lldpad or
some other agent happened to be issuing a get/set command we could see a cpu
lockup.This code was not originally written with firmware agents in mind, hence
grabbing dcb_lock from softIRQ context was not considered.Signed-off-by: Anish Bhatt
Signed-off-by: David S. Miller