From 026e43def736923fedb9919a0bd22fff7ba03e8b Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Wed, 12 Dec 2012 18:11:34 +0000 Subject: nfc: remove noisy message from llcp_sock_sendmsg This is easily triggerable when fuzz-testing as an unprivileged user. We could rate-limit it, but given we don't print similar messages for other protocols, I just removed it. Signed-off-by: Dave Jones Signed-off-by: David S. Miller --- net/nfc/llcp/sock.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c index 0fa1e92ceac8..fea22eb41b82 100644 --- a/net/nfc/llcp/sock.c +++ b/net/nfc/llcp/sock.c @@ -614,10 +614,6 @@ static int llcp_sock_sendmsg(struct kiocb *iocb, struct socket *sock, if (msg->msg_namelen < sizeof(*addr)) { release_sock(sk); - - pr_err("Invalid socket address length %d\n", - msg->msg_namelen); - return -EINVAL; } -- cgit v1.2.3-59-g8ed1b From 499744209b2cbca66c42119226e5470da3bb7040 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Wed, 12 Dec 2012 19:22:57 +0000 Subject: tuntap: dont use skb after netif_rx_ni(skb) On Wed, 2012-12-12 at 23:16 -0500, Dave Jones wrote: > Since todays net merge, I see this when I start openvpn.. > > general protection fault: 0000 [#1] PREEMPT SMP > Modules linked in: ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables xfs iTCO_wdt iTCO_vendor_support snd_emu10k1 snd_util_mem snd_ac97_codec coretemp ac97_bus microcode snd_hwdep snd_seq pcspkr snd_pcm snd_page_alloc snd_timer lpc_ich i2c_i801 snd_rawmidi mfd_core snd_seq_device snd e1000e soundcore emu10k1_gp gameport i82975x_edac edac_core vhost_net tun macvtap macvlan kvm_intel kvm binfmt_misc nfsd auth_rpcgss nfs_acl lockd sunrpc btrfs libcrc32c zlib_deflate firewire_ohci sata_sil firewire_core crc_itu_t radeon i2c_algo_bit drm_kms_helper ttm drm i2c_core floppy > CPU 0 > Pid: 1381, comm: openvpn Not tainted 3.7.0+ #14 /D975XBX > RIP: 0010:[] [] skb_flow_dissect+0x314/0x3e0 > RSP: 0018:ffff88007d0d9c48 EFLAGS: 00010206 > RAX: 000000000000055d RBX: 6b6b6b6b6b6b6b4b RCX: 1471030a0180040a > RDX: 0000000000000005 RSI: 00000000ffffffe0 RDI: ffff8800ba83fa80 > RBP: ffff88007d0d9cb8 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000101 R12: ffff8800ba83fa80 > R13: 0000000000000008 R14: ffff88007d0d9cc8 R15: ffff8800ba83fa80 > FS: 00007f6637104800(0000) GS:ffff8800bf600000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f563f5b01c4 CR3: 000000007d140000 CR4: 00000000000007f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > Process openvpn (pid: 1381, threadinfo ffff88007d0d8000, task ffff8800a540cd60) > Stack: > ffff8800ba83fa80 0000000000000296 0000000000000000 0000000000000000 > ffff88007d0d9cc8 ffffffff815bcff4 ffff88007d0d9ce8 ffffffff815b1831 > ffff88007d0d9ca8 00000000703f6364 ffff8800ba83fa80 0000000000000000 > Call Trace: > [] ? netif_rx+0x114/0x4c0 > [] ? skb_copy_datagram_from_iovec+0x61/0x290 > [] __skb_get_rxhash+0x1a/0xd0 > [] tun_get_user+0x418/0x810 [tun] > [] ? delay_tsc+0x98/0xf0 > [] ? __rcu_read_unlock+0x5c/0xa0 > [] tun_chr_aio_write+0x81/0xb0 [tun] > [] ? __buffer_unlock_commit+0x41/0x50 > [] do_sync_write+0xa7/0xe0 > [] vfs_write+0xaf/0x190 > [] sys_write+0x55/0xa0 > [] tracesys+0xdd/0xe2 > Code: 41 8b 44 24 68 41 2b 44 24 6c 01 de 29 f0 83 f8 03 0f 8e a0 00 00 00 48 63 de 49 03 9c 24 e0 00 00 00 48 85 db 0f 84 72 fe ff ff <8b> 03 41 89 46 08 b8 01 00 00 00 e9 43 fd ff ff 0f 1f 40 00 48 > RIP [] skb_flow_dissect+0x314/0x3e0 > RSP > ---[ end trace 6d42c834c72c002e ]--- > > > Faulting instruction is > > 0: 8b 03 mov (%rbx),%eax > > rbx is slab poison (-20) so this looks like a use-after-free here... > > flow->ports = *ports; > 314: 8b 03 mov (%rbx),%eax > 316: 41 89 46 08 mov %eax,0x8(%r14) > > in the inlined skb_header_pointer in skb_flow_dissect > > Dave > commit 96442e4242 (tuntap: choose the txq based on rxq) added a use after free. Cache rxhash in a temp variable before calling netif_rx_ni() Reported-by: Dave Jones Signed-off-by: Eric Dumazet Cc: Jason Wang Acked-by: Jason Wang Signed-off-by: David S. Miller --- drivers/net/tun.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 2ac2164a1e39..40b426edc9e6 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -297,13 +297,12 @@ static void tun_flow_cleanup(unsigned long data) spin_unlock_bh(&tun->lock); } -static void tun_flow_update(struct tun_struct *tun, struct sk_buff *skb, +static void tun_flow_update(struct tun_struct *tun, u32 rxhash, u16 queue_index) { struct hlist_head *head; struct tun_flow_entry *e; unsigned long delay = tun->ageing_time; - u32 rxhash = skb_get_rxhash(skb); if (!rxhash) return; @@ -1010,6 +1009,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, int copylen; bool zerocopy = false; int err; + u32 rxhash; if (!(tun->flags & TUN_NO_PI)) { if ((len -= sizeof(pi)) > total_len) @@ -1162,12 +1162,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, skb_shinfo(skb)->tx_flags |= SKBTX_DEV_ZEROCOPY; } + rxhash = skb_get_rxhash(skb); netif_rx_ni(skb); tun->dev->stats.rx_packets++; tun->dev->stats.rx_bytes += len; - tun_flow_update(tun, skb, tfile->queue_index); + tun_flow_update(tun, rxhash, tfile->queue_index); return total_len; } -- cgit v1.2.3-59-g8ed1b From 7bdc1b4abab3af0a803300f706c9814ef4e20a3e Mon Sep 17 00:00:00 2001 From: YOSHIFUJI Hideaki / 吉藤英明 Date: Thu, 13 Dec 2012 04:29:36 +0000 Subject: ndisc: Fix padding error in link-layer address option. If a natural number n exists where 2 + data_len <= 8n < 2 + data_len + pad, post padding is not initialized correctly. (Un)fortunately, the only type that requires pad is Infiniband, whose pad is 2 and data_len is 20, and this logical error has not become obvious, but it is better to fix. Note that ndisc_opt_addr_space() handles the situation described above correctly. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- net/ipv6/ndisc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 4c02e6ab96e7..f2a007b7bde3 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -151,8 +151,8 @@ static inline int ndisc_opt_addr_space(struct net_device *dev) static u8 *ndisc_fill_addr_option(u8 *opt, int type, void *data, int data_len, unsigned short addr_type) { - int space = NDISC_OPT_SPACE(data_len); int pad = ndisc_addr_option_pad(addr_type); + int space = NDISC_OPT_SPACE(data_len + pad); opt[0] = type; opt[1] = space>>3; -- cgit v1.2.3-59-g8ed1b From dc2e57340deb8be1133b1eae2c7d4303133c133c Mon Sep 17 00:00:00 2001 From: Yan Burman Date: Thu, 13 Dec 2012 05:20:59 +0000 Subject: net: ethool: Document struct ethtool_flow_ext Add documentation for struct ethtool_flow_ext especially in regard to what flags are needed for which fields. Signed-off-by: Yan Burman Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller --- include/uapi/linux/ethtool.h | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/ethtool.h b/include/uapi/linux/ethtool.h index be8c41e2dc15..0c9b44871df0 100644 --- a/include/uapi/linux/ethtool.h +++ b/include/uapi/linux/ethtool.h @@ -503,9 +503,20 @@ union ethtool_flow_union { __u8 hdata[52]; }; +/** + * struct ethtool_flow_ext - additional RX flow fields + * @h_dest: destination MAC address + * @vlan_etype: VLAN EtherType + * @vlan_tci: VLAN tag control information + * @data: user defined data + * + * Note, @vlan_etype, @vlan_tci, and @data are only valid if %FLOW_EXT + * is set in &struct ethtool_rx_flow_spec @flow_type. + * @h_dest is valid if %FLOW_MAC_EXT is set. + */ struct ethtool_flow_ext { __u8 padding[2]; - unsigned char h_dest[ETH_ALEN]; /* destination eth addr */ + unsigned char h_dest[ETH_ALEN]; __be16 vlan_etype; __be16 vlan_tci; __be32 data[2]; @@ -519,7 +530,8 @@ struct ethtool_flow_ext { * @m_u: Masks for flow field bits to be matched * @m_ext: Masks for additional field bits to be matched * Note, all additional fields must be ignored unless @flow_type - * includes the %FLOW_EXT flag. + * includes the %FLOW_EXT or %FLOW_MAC_EXT flag + * (see &struct ethtool_flow_ext description). * @ring_cookie: RX ring/queue index to deliver to, or %RX_CLS_FLOW_DISC * if packets should be discarded * @location: Location of rule in the table. Locations must be -- cgit v1.2.3-59-g8ed1b From eca2a43bb0d2c6ebd528be6acb30a88435abe307 Mon Sep 17 00:00:00 2001 From: stephen hemminger Date: Thu, 13 Dec 2012 06:51:28 +0000 Subject: bridge: fix icmpv6 endian bug and other sparse warnings Fix the warnings reported by sparse on recent bridge multicast changes. Mostly just rcu annotation issues but in this case sparse found a real bug! The ICMPv6 mld2 query mrc values is in network byte order. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller --- net/bridge/br_multicast.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 977c3ee02e65..1093c89095d8 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -622,7 +622,7 @@ out: struct net_bridge_port_group *br_multicast_new_port_group( struct net_bridge_port *port, struct br_ip *group, - struct net_bridge_port_group *next) + struct net_bridge_port_group __rcu *next) { struct net_bridge_port_group *p; @@ -632,7 +632,7 @@ struct net_bridge_port_group *br_multicast_new_port_group( p->addr = *group; p->port = port; - p->next = next; + rcu_assign_pointer(p->next, next); hlist_add_head(&p->mglist, &port->mglist); setup_timer(&p->timer, br_multicast_port_group_expired, (unsigned long)p); @@ -1138,7 +1138,7 @@ static int br_ip6_multicast_query(struct net_bridge *br, struct sk_buff *skb) { const struct ipv6hdr *ip6h = ipv6_hdr(skb); - struct mld_msg *mld = (struct mld_msg *) icmp6_hdr(skb); + struct mld_msg *mld; struct net_bridge_mdb_entry *mp; struct mld2_query *mld2q; struct net_bridge_port_group *p; @@ -1165,6 +1165,7 @@ static int br_ip6_multicast_query(struct net_bridge *br, if (max_delay) group = &mld->mld_mca; } else if (skb->len >= sizeof(*mld2q)) { + u16 mrc; if (!pskb_may_pull(skb, sizeof(*mld2q))) { err = -EINVAL; goto out; @@ -1172,7 +1173,8 @@ static int br_ip6_multicast_query(struct net_bridge *br, mld2q = (struct mld2_query *)icmp6_hdr(skb); if (!mld2q->mld2q_nsrcs) group = &mld2q->mld2q_mca; - max_delay = mld2q->mld2q_mrc ? MLDV2_MRC(mld2q->mld2q_mrc) : 1; + mrc = ntohs(mld2q->mld2q_mrc); + max_delay = mrc ? MLDV2_MRC(mrc) : 1; } if (!group) -- cgit v1.2.3-59-g8ed1b