From ec4efc4a10c3b9a3ab4cf37dc3719fd3c4632cd0 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Tue, 13 Dec 2016 09:39:18 +0100 Subject: mac80211: don't call drv_set_default_unicast_key() for VLANs Since drivers know nothing about AP_VLAN interfaces, trying to call drv_set_default_unicast_key() just results in a warning and no call to the driver. Avoid the warning by not calling the driver for this on AP_VLAN interfaces. This means that drivers that somehow need this call for AP mode will fail to work properly in the presence of VLAN interfaces, but the current drivers don't seem to use it, and mac80211 will select and indicate the key - so drivers should be OK now. Reported-by: Jouni Malinen Signed-off-by: Johannes Berg --- net/mac80211/key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/mac80211/key.c b/net/mac80211/key.c index edd6f2945f69..a98fc2b5e0dc 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -265,7 +265,8 @@ static void __ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata, if (uni) { rcu_assign_pointer(sdata->default_unicast_key, key); ieee80211_check_fast_xmit_iface(sdata); - drv_set_default_unicast_key(sdata->local, sdata, idx); + if (sdata->vif.type != NL80211_IFTYPE_AP_VLAN) + drv_set_default_unicast_key(sdata->local, sdata, idx); } if (multi) -- cgit v1.2.3 From d8da0b5d64d58f7775a94bcf12dda50f13a76f22 Mon Sep 17 00:00:00 2001 From: Cedric Izoard Date: Wed, 7 Dec 2016 09:59:00 +0000 Subject: mac80211: Ensure enough headroom when forwarding mesh pkt When a buffer is duplicated during MESH packet forwarding, this patch ensures that the new buffer has enough headroom. Signed-off-by: Cedric Izoard Signed-off-by: Johannes Berg --- net/mac80211/rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index eeab7250f4b9..3e289a64ed43 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2472,7 +2472,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) if (!ifmsh->mshcfg.dot11MeshForwarding) goto out; - fwd_skb = skb_copy(skb, GFP_ATOMIC); + fwd_skb = skb_copy_expand(skb, local->tx_headroom, 0, GFP_ATOMIC); if (!fwd_skb) { net_info_ratelimited("%s: failed to clone mesh frame\n", sdata->name); -- cgit v1.2.3 From a17d93ff3a950fefaea40e4a4bf3669b9137c533 Mon Sep 17 00:00:00 2001 From: Ben Greear Date: Wed, 14 Dec 2016 11:30:38 -0800 Subject: mac80211: fix legacy and invalid rx-rate report This fixes obtaining the rate info via sta_set_sinfo when the rx rate is invalid (for instance, on IBSS interface that has received no frames from one of its peers). Also initialize rinfo->flags for legacy rates, to not rely on the whole sinfo being initialized to zero. Signed-off-by: Ben Greear Signed-off-by: Johannes Berg --- net/mac80211/sta_info.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'net') diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 1711bae4abf2..b6cfcf038c11 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -1972,6 +1972,7 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u16 rate, u16 brate; unsigned int shift; + rinfo->flags = 0; sband = local->hw.wiphy->bands[(rate >> 4) & 0xf]; brate = sband->bitrates[rate & 0xf].bitrate; if (rinfo->bw == RATE_INFO_BW_5) @@ -1987,14 +1988,15 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u16 rate, rinfo->flags |= RATE_INFO_FLAGS_SHORT_GI; } -static void sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo) +static int sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo) { u16 rate = ACCESS_ONCE(sta_get_last_rx_stats(sta)->last_rate); if (rate == STA_STATS_RATE_INVALID) - rinfo->flags = 0; - else - sta_stats_decode_rate(sta->local, rate, rinfo); + return -EINVAL; + + sta_stats_decode_rate(sta->local, rate, rinfo); + return 0; } static void sta_set_tidstats(struct sta_info *sta, @@ -2199,8 +2201,8 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo) } if (!(sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE))) { - sta_set_rate_info_rx(sta, &sinfo->rxrate); - sinfo->filled |= BIT(NL80211_STA_INFO_RX_BITRATE); + if (sta_set_rate_info_rx(sta, &sinfo->rxrate) == 0) + sinfo->filled |= BIT(NL80211_STA_INFO_RX_BITRATE); } sinfo->filled |= BIT(NL80211_STA_INFO_TID_STATS); -- cgit v1.2.3 From 970bfcd09791282de7de6589bfe440eb11e2efd2 Mon Sep 17 00:00:00 2001 From: Paul Blakey Date: Wed, 14 Dec 2016 19:00:57 +0200 Subject: net/sched: cls_flower: Use mask for addr_type When addr_type is set, mask should also be set. Fixes: 66530bdf85eb ('sched,cls_flower: set key address type when present') Fixes: bc3103f1ed40 ('net/sched: cls_flower: Classify packet in ip tunnels') Signed-off-by: Paul Blakey Reviewed-by: Roi Dayan Acked-by: Jiri Pirko Signed-off-by: David S. Miller --- net/sched/cls_flower.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'net') diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index e040c5140f61..9758f5adbc2a 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -509,6 +509,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb, if (tb[TCA_FLOWER_KEY_IPV4_SRC] || tb[TCA_FLOWER_KEY_IPV4_DST]) { key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; + mask->control.addr_type = ~0; fl_set_key_val(tb, &key->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC, &mask->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC_MASK, sizeof(key->ipv4.src)); @@ -517,6 +518,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb, sizeof(key->ipv4.dst)); } else if (tb[TCA_FLOWER_KEY_IPV6_SRC] || tb[TCA_FLOWER_KEY_IPV6_DST]) { key->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + mask->control.addr_type = ~0; fl_set_key_val(tb, &key->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC, &mask->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC_MASK, sizeof(key->ipv6.src)); @@ -571,6 +573,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb, if (tb[TCA_FLOWER_KEY_ENC_IPV4_SRC] || tb[TCA_FLOWER_KEY_ENC_IPV4_DST]) { key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; + mask->enc_control.addr_type = ~0; fl_set_key_val(tb, &key->enc_ipv4.src, TCA_FLOWER_KEY_ENC_IPV4_SRC, &mask->enc_ipv4.src, @@ -586,6 +589,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb, if (tb[TCA_FLOWER_KEY_ENC_IPV6_SRC] || tb[TCA_FLOWER_KEY_ENC_IPV6_DST]) { key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + mask->enc_control.addr_type = ~0; fl_set_key_val(tb, &key->enc_ipv6.src, TCA_FLOWER_KEY_ENC_IPV6_SRC, &mask->enc_ipv6.src, -- cgit v1.2.3 From f93bd17b916959fc20fbb7dc578e1f2657a8c343 Mon Sep 17 00:00:00 2001 From: Paul Blakey Date: Wed, 14 Dec 2016 19:00:58 +0200 Subject: net/sched: cls_flower: Use masked key when calling HW offloads Zero bits on the mask signify a "don't care" on the corresponding bits in key. Some HWs require those bits on the key to be zero. Since these bits are masked anyway, it's okay to provide the masked key to all drivers. Fixes: 5b33f48842fa ('net/flower: Introduce hardware offload support') Signed-off-by: Paul Blakey Reviewed-by: Roi Dayan Acked-by: Jiri Pirko Signed-off-by: David S. Miller --- net/sched/cls_flower.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index 9758f5adbc2a..35ac28d0720c 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -252,7 +252,7 @@ static int fl_hw_replace_filter(struct tcf_proto *tp, offload.cookie = (unsigned long)f; offload.dissector = dissector; offload.mask = mask; - offload.key = &f->key; + offload.key = &f->mkey; offload.exts = &f->exts; tc->type = TC_SETUP_CLSFLOWER; -- cgit v1.2.3 From 9af7e923fdd82dc25ad5ea75e24e92708947f961 Mon Sep 17 00:00:00 2001 From: Tom Herbert Date: Wed, 14 Dec 2016 16:54:15 -0800 Subject: inet: Don't go into port scan when looking for specific bind port inet_csk_get_port is called with port number (snum argument) that may be zero or nonzero. If it is zero, then the intent is to find an available ephemeral port number to bind to. If snum is non-zero then the caller is asking to allocate a specific port number. In the latter case we never want to perform the scan in ephemeral port range. It is conceivable that this can happen if the "goto again" in "tb_found:" is done. This patch adds a check that snum is zero before doing the "goto again". Signed-off-by: Tom Herbert Signed-off-by: David S. Miller --- net/ipv4/inet_connection_sock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index d5d3ead0a6c3..f59838a60ea5 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -212,7 +212,7 @@ tb_found: sk->sk_reuseport && !rcu_access_pointer(sk->sk_reuseport_cb) && uid_eq(tb->fastuid, uid))) && - smallest_size != -1 && --attempts >= 0) { + !snum && smallest_size != -1 && --attempts >= 0) { spin_unlock_bh(&head->lock); goto again; } -- cgit v1.2.3 From 0643ee4fd1b79c1af3bd7bc8968dbf5fd047f490 Mon Sep 17 00:00:00 2001 From: Tom Herbert Date: Wed, 14 Dec 2016 16:54:16 -0800 Subject: inet: Fix get port to handle zero port number with soreuseport set A user may call listen with binding an explicit port with the intent that the kernel will assign an available port to the socket. In this case inet_csk_get_port does a port scan. For such sockets, the user may also set soreuseport with the intent a creating more sockets for the port that is selected. The problem is that the initial socket being opened could inadvertently choose an existing and unreleated port number that was already created with soreuseport. This patch adds a boolean parameter to inet_bind_conflict that indicates rather soreuseport is allowed for the check (in addition to sk->sk_reuseport). In calls to inet_bind_conflict from inet_csk_get_port the argument is set to true if an explicit port is being looked up (snum argument is nonzero), and is false if port scan is done. Signed-off-by: Tom Herbert Signed-off-by: David S. Miller --- include/net/inet6_connection_sock.h | 3 ++- include/net/inet_connection_sock.h | 6 ++++-- net/ipv4/inet_connection_sock.c | 14 +++++++++----- net/ipv6/inet6_connection_sock.c | 7 ++++--- 4 files changed, 19 insertions(+), 11 deletions(-) (limited to 'net') diff --git a/include/net/inet6_connection_sock.h b/include/net/inet6_connection_sock.h index 954ad6bfb56a..3212b39b5bfc 100644 --- a/include/net/inet6_connection_sock.h +++ b/include/net/inet6_connection_sock.h @@ -22,7 +22,8 @@ struct sock; struct sockaddr; int inet6_csk_bind_conflict(const struct sock *sk, - const struct inet_bind_bucket *tb, bool relax); + const struct inet_bind_bucket *tb, bool relax, + bool soreuseport_ok); struct dst_entry *inet6_csk_route_req(const struct sock *sk, struct flowi6 *fl6, const struct request_sock *req, u8 proto); diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h index 146054ceea8e..85ee3879499e 100644 --- a/include/net/inet_connection_sock.h +++ b/include/net/inet_connection_sock.h @@ -63,7 +63,8 @@ struct inet_connection_sock_af_ops { #endif void (*addr2sockaddr)(struct sock *sk, struct sockaddr *); int (*bind_conflict)(const struct sock *sk, - const struct inet_bind_bucket *tb, bool relax); + const struct inet_bind_bucket *tb, + bool relax, bool soreuseport_ok); void (*mtu_reduced)(struct sock *sk); }; @@ -261,7 +262,8 @@ inet_csk_rto_backoff(const struct inet_connection_sock *icsk, struct sock *inet_csk_accept(struct sock *sk, int flags, int *err); int inet_csk_bind_conflict(const struct sock *sk, - const struct inet_bind_bucket *tb, bool relax); + const struct inet_bind_bucket *tb, bool relax, + bool soreuseport_ok); int inet_csk_get_port(struct sock *sk, unsigned short snum); struct dst_entry *inet_csk_route_req(const struct sock *sk, struct flowi4 *fl4, diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index f59838a60ea5..19ea045c50ed 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -45,11 +45,12 @@ void inet_get_local_port_range(struct net *net, int *low, int *high) EXPORT_SYMBOL(inet_get_local_port_range); int inet_csk_bind_conflict(const struct sock *sk, - const struct inet_bind_bucket *tb, bool relax) + const struct inet_bind_bucket *tb, bool relax, + bool reuseport_ok) { struct sock *sk2; - int reuse = sk->sk_reuse; - int reuseport = sk->sk_reuseport; + bool reuse = sk->sk_reuse; + bool reuseport = !!sk->sk_reuseport && reuseport_ok; kuid_t uid = sock_i_uid((struct sock *)sk); /* @@ -105,6 +106,7 @@ int inet_csk_get_port(struct sock *sk, unsigned short snum) struct inet_bind_bucket *tb; kuid_t uid = sock_i_uid(sk); u32 remaining, offset; + bool reuseport_ok = !!snum; if (port) { have_port: @@ -165,7 +167,8 @@ other_parity_scan: smallest_size = tb->num_owners; smallest_port = port; } - if (!inet_csk(sk)->icsk_af_ops->bind_conflict(sk, tb, false)) + if (!inet_csk(sk)->icsk_af_ops->bind_conflict(sk, tb, false, + reuseport_ok)) goto tb_found; goto next_port; } @@ -206,7 +209,8 @@ tb_found: sk->sk_reuseport && uid_eq(tb->fastuid, uid))) && smallest_size == -1) goto success; - if (inet_csk(sk)->icsk_af_ops->bind_conflict(sk, tb, true)) { + if (inet_csk(sk)->icsk_af_ops->bind_conflict(sk, tb, true, + reuseport_ok)) { if ((reuse || (tb->fastreuseport > 0 && sk->sk_reuseport && diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c index 1c86c478f578..7396e75e161b 100644 --- a/net/ipv6/inet6_connection_sock.c +++ b/net/ipv6/inet6_connection_sock.c @@ -29,11 +29,12 @@ #include int inet6_csk_bind_conflict(const struct sock *sk, - const struct inet_bind_bucket *tb, bool relax) + const struct inet_bind_bucket *tb, bool relax, + bool reuseport_ok) { const struct sock *sk2; - int reuse = sk->sk_reuse; - int reuseport = sk->sk_reuseport; + bool reuse = !!sk->sk_reuse; + bool reuseport = !!sk->sk_reuseport && reuseport_ok; kuid_t uid = sock_i_uid((struct sock *)sk); /* We must walk the whole port owner list in this case. -DaveM */ -- cgit v1.2.3 From 078497a4d9535026b137c08e3746e600d5669a05 Mon Sep 17 00:00:00 2001 From: LABBE Corentin Date: Thu, 15 Dec 2016 11:42:46 +0100 Subject: irda: irproc.c: Remove unneeded linux/miscdevice.h include irproc.c does not use any miscdevice so this patch remove this unnecessary inclusion. Signed-off-by: Corentin Labbe Signed-off-by: David S. Miller --- net/irda/irproc.c | 1 - 1 file changed, 1 deletion(-) (limited to 'net') diff --git a/net/irda/irproc.c b/net/irda/irproc.c index b9ac598e2116..77cfdde9d82f 100644 --- a/net/irda/irproc.c +++ b/net/irda/irproc.c @@ -23,7 +23,6 @@ * ********************************************************************/ -#include #include #include #include -- cgit v1.2.3 From e292823559709b09cd9bf7bd112bd13c93daa146 Mon Sep 17 00:00:00 2001 From: LABBE Corentin Date: Thu, 15 Dec 2016 11:42:47 +0100 Subject: irda: irnet: Move linux/miscdevice.h include The only use of miscdevice is irda_ppp so no need to include linux/miscdevice.h for all irda files. This patch move the linux/miscdevice.h include to irnet_ppp.h Signed-off-by: Corentin Labbe Signed-off-by: David S. Miller --- net/irda/irnet/irnet.h | 1 - net/irda/irnet/irnet_ppp.h | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/irda/irnet/irnet.h b/net/irda/irnet/irnet.h index 8d65bb9477fc..c69f0f38f566 100644 --- a/net/irda/irnet/irnet.h +++ b/net/irda/irnet/irnet.h @@ -245,7 +245,6 @@ #include #include #include -#include #include #include #include /* isspace() */ diff --git a/net/irda/irnet/irnet_ppp.h b/net/irda/irnet/irnet_ppp.h index 940225866da0..693ebc08fa2e 100644 --- a/net/irda/irnet/irnet_ppp.h +++ b/net/irda/irnet/irnet_ppp.h @@ -15,6 +15,7 @@ /***************************** INCLUDES *****************************/ #include "irnet.h" /* Module global include */ +#include /************************ CONSTANTS & MACROS ************************/ -- cgit v1.2.3 From 24c946cc5d35e32c5bb0c07ebdad32756e2bd20d Mon Sep 17 00:00:00 2001 From: LABBE Corentin Date: Thu, 15 Dec 2016 11:42:48 +0100 Subject: irnet: ppp: move IRNET_MINOR to include/linux/miscdevice.h This patch move the define for IRNET_MINOR to include/linux/miscdevice.h It is better that all minor number definitions are in the same place. Signed-off-by: Corentin Labbe Acked-by: Greg Kroah-Hartman Signed-off-by: David S. Miller --- include/linux/miscdevice.h | 1 + net/irda/irnet/irnet_ppp.h | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h index 722698a43d79..86d5704c9e23 100644 --- a/include/linux/miscdevice.h +++ b/include/linux/miscdevice.h @@ -32,6 +32,7 @@ #define STORE_QUEUE_MINOR 155 /* unused */ #define I2O_MINOR 166 #define MICROCODE_MINOR 184 +#define IRNET_MINOR 187 #define VFIO_MINOR 196 #define TUN_MINOR 200 #define CUSE_MINOR 203 diff --git a/net/irda/irnet/irnet_ppp.h b/net/irda/irnet/irnet_ppp.h index 693ebc08fa2e..18fceadbb4bf 100644 --- a/net/irda/irnet/irnet_ppp.h +++ b/net/irda/irnet/irnet_ppp.h @@ -21,7 +21,6 @@ /* /dev/irnet file constants */ #define IRNET_MAJOR 10 /* Misc range */ -#define IRNET_MINOR 187 /* Official allocation */ /* IrNET control channel stuff */ #define IRNET_MAX_COMMAND 256 /* Max length of a command line */ -- cgit v1.2.3 From 33de4d1bb9e3d90e2238e85d7865ec664cf48e60 Mon Sep 17 00:00:00 2001 From: LABBE Corentin Date: Thu, 15 Dec 2016 11:42:49 +0100 Subject: irda: irnet: Remove unused IRNET_MAJOR define The IRNET_MAJOR define is not used, so this patch remove it. Signed-off-by: Corentin Labbe Signed-off-by: David S. Miller --- net/irda/irnet/irnet_ppp.h | 3 --- 1 file changed, 3 deletions(-) (limited to 'net') diff --git a/net/irda/irnet/irnet_ppp.h b/net/irda/irnet/irnet_ppp.h index 18fceadbb4bf..ec092c9bdf3c 100644 --- a/net/irda/irnet/irnet_ppp.h +++ b/net/irda/irnet/irnet_ppp.h @@ -19,9 +19,6 @@ /************************ CONSTANTS & MACROS ************************/ -/* /dev/irnet file constants */ -#define IRNET_MAJOR 10 /* Misc range */ - /* IrNET control channel stuff */ #define IRNET_MAX_COMMAND 256 /* Max length of a command line */ -- cgit v1.2.3 From 616f6b40236fb9fdfc5267e2e945e16b7448b641 Mon Sep 17 00:00:00 2001 From: LABBE Corentin Date: Thu, 15 Dec 2016 11:42:50 +0100 Subject: irda: irnet: add member name to the miscdevice declaration Since the struct miscdevice have many members, it is dangerous to init it without members name relying only on member order. This patch add member name to the init declaration. Signed-off-by: Corentin Labbe Signed-off-by: David S. Miller --- net/irda/irnet/irnet_ppp.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'net') diff --git a/net/irda/irnet/irnet_ppp.h b/net/irda/irnet/irnet_ppp.h index ec092c9bdf3c..32061442cc8e 100644 --- a/net/irda/irnet/irnet_ppp.h +++ b/net/irda/irnet/irnet_ppp.h @@ -108,9 +108,9 @@ static const struct file_operations irnet_device_fops = /* Structure so that the misc major (drivers/char/misc.c) take care of us... */ static struct miscdevice irnet_misc_device = { - IRNET_MINOR, - "irnet", - &irnet_device_fops + .minor = IRNET_MINOR, + .name = "irnet", + .fops = &irnet_device_fops }; #endif /* IRNET_PPP_H */ -- cgit v1.2.3 From 5cb2cd68ddf9a13af36cec633006c0f2bdfb300a Mon Sep 17 00:00:00 2001 From: Xin Long Date: Thu, 15 Dec 2016 23:00:55 +0800 Subject: sctp: sctp_epaddr_lookup_transport should be protected by rcu_read_lock Since commit 7fda702f9315 ("sctp: use new rhlist interface on sctp transport rhashtable"), sctp has changed to use rhlist_lookup to look up transport, but rhlist_lookup doesn't call rcu_read_lock inside, unlike rhashtable_lookup_fast. It is called in sctp_epaddr_lookup_transport and sctp_addrs_lookup_transport. sctp_addrs_lookup_transport is always in the protection of rcu_read_lock(), as __sctp_lookup_association is called in rx path or sctp_lookup_association which are in the protection of rcu_read_lock() already. But sctp_epaddr_lookup_transport is called by sctp_endpoint_lookup_assoc, it doesn't call rcu_read_lock, which may cause "suspicious rcu_dereference_check usage' in __rhashtable_lookup. This patch is to fix it by adding rcu_read_lock in sctp_endpoint_lookup_assoc before calling sctp_epaddr_lookup_transport. Fixes: 7fda702f9315 ("sctp: use new rhlist interface on sctp transport rhashtable") Reported-by: Dmitry Vyukov Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller --- net/sctp/endpointola.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c index 1f03065686fe..410ddc1e3443 100644 --- a/net/sctp/endpointola.c +++ b/net/sctp/endpointola.c @@ -331,7 +331,9 @@ struct sctp_association *sctp_endpoint_lookup_assoc( * on this endpoint. */ if (!ep->base.bind_addr.port) - goto out; + return NULL; + + rcu_read_lock(); t = sctp_epaddr_lookup_transport(ep, paddr); if (!t) goto out; @@ -339,6 +341,7 @@ struct sctp_association *sctp_endpoint_lookup_assoc( *transport = t; asoc = t->asoc; out: + rcu_read_unlock(); return asoc; } -- cgit v1.2.3 From 08abb79542c9e8c367d1d8e44fe1026868d3f0a7 Mon Sep 17 00:00:00 2001 From: Xin Long Date: Thu, 15 Dec 2016 23:05:52 +0800 Subject: sctp: sctp_transport_lookup_process should rcu_read_unlock when transport is null Prior to this patch, sctp_transport_lookup_process didn't rcu_read_unlock when it failed to find a transport by sctp_addrs_lookup_transport. This patch is to fix it by moving up rcu_read_unlock right before checking transport and also to remove the out path. Fixes: 1cceda784980 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller --- net/sctp/socket.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'net') diff --git a/net/sctp/socket.c b/net/sctp/socket.c index d5f4b4a8369b..318c6786d653 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4472,18 +4472,17 @@ int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *), const union sctp_addr *paddr, void *p) { struct sctp_transport *transport; - int err = -ENOENT; + int err; rcu_read_lock(); transport = sctp_addrs_lookup_transport(net, laddr, paddr); + rcu_read_unlock(); if (!transport) - goto out; + return -ENOENT; - rcu_read_unlock(); err = cb(transport, p); sctp_transport_put(transport); -out: return err; } EXPORT_SYMBOL_GPL(sctp_transport_lookup_process); -- cgit v1.2.3 From f23bc46c30ca5ef58b8549434899fcbac41b2cfc Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Thu, 15 Dec 2016 12:12:54 -0800 Subject: net: xdp: add invalid buffer warning This adds a warning for drivers to use when encountering an invalid buffer for XDP. For normal cases this should not happen but to catch this in virtual/qemu setups that I may not have expected from the emulation layer having a standard warning is useful. Signed-off-by: John Fastabend Signed-off-by: David S. Miller --- include/linux/filter.h | 1 + net/core/filter.c | 6 ++++++ 2 files changed, 7 insertions(+) (limited to 'net') diff --git a/include/linux/filter.h b/include/linux/filter.h index 6a1658308612..af8a1804cac6 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -602,6 +602,7 @@ bool bpf_helper_changes_pkt_data(void *func); struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off, const struct bpf_insn *patch, u32 len); void bpf_warn_invalid_xdp_action(u32 act); +void bpf_warn_invalid_xdp_buffer(void); #ifdef CONFIG_BPF_JIT extern int bpf_jit_enable; diff --git a/net/core/filter.c b/net/core/filter.c index b1461708a977..7190bd648154 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2972,6 +2972,12 @@ void bpf_warn_invalid_xdp_action(u32 act) } EXPORT_SYMBOL_GPL(bpf_warn_invalid_xdp_action); +void bpf_warn_invalid_xdp_buffer(void) +{ + WARN_ONCE(1, "Illegal XDP buffer encountered, expect throughput degradation\n"); +} +EXPORT_SYMBOL_GPL(bpf_warn_invalid_xdp_buffer); + static u32 sk_filter_convert_ctx_access(enum bpf_access_type type, int dst_reg, int src_reg, int ctx_off, struct bpf_insn *insn_buf, -- cgit v1.2.3 From 99a5e178bde4b0fa1f25ca8d9caee0cb5e329e7c Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 16 Dec 2016 16:58:43 -0800 Subject: ATM: use designated initializers Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: Kees Cook Signed-off-by: David S. Miller --- net/atm/lec.c | 6 ++-- net/atm/mpoa_caches.c | 43 ++++++++++++++-------------- net/vmw_vsock/vmci_transport_notify.c | 30 +++++++++---------- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +++++++++---------- 4 files changed, 54 insertions(+), 55 deletions(-) (limited to 'net') diff --git a/net/atm/lec.c b/net/atm/lec.c index 779b3fa6052d..019557d0a11d 100644 --- a/net/atm/lec.c +++ b/net/atm/lec.c @@ -111,9 +111,9 @@ static inline void lec_arp_put(struct lec_arp_table *entry) } static struct lane2_ops lane2_ops = { - lane2_resolve, /* resolve, spec 3.1.3 */ - lane2_associate_req, /* associate_req, spec 3.1.4 */ - NULL /* associate indicator, spec 3.1.5 */ + .resolve = lane2_resolve, /* spec 3.1.3 */ + .associate_req = lane2_associate_req, /* spec 3.1.4 */ + .associate_indicator = NULL /* spec 3.1.5 */ }; static unsigned char bus_mac[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; diff --git a/net/atm/mpoa_caches.c b/net/atm/mpoa_caches.c index 9e60e74c807d..a89fdebeffda 100644 --- a/net/atm/mpoa_caches.c +++ b/net/atm/mpoa_caches.c @@ -535,33 +535,32 @@ static void eg_destroy_cache(struct mpoa_client *mpc) static const struct in_cache_ops ingress_ops = { - in_cache_add_entry, /* add_entry */ - in_cache_get, /* get */ - in_cache_get_with_mask, /* get_with_mask */ - in_cache_get_by_vcc, /* get_by_vcc */ - in_cache_put, /* put */ - in_cache_remove_entry, /* remove_entry */ - cache_hit, /* cache_hit */ - clear_count_and_expired, /* clear_count */ - check_resolving_entries, /* check_resolving */ - refresh_entries, /* refresh */ - in_destroy_cache /* destroy_cache */ + .add_entry = in_cache_add_entry, + .get = in_cache_get, + .get_with_mask = in_cache_get_with_mask, + .get_by_vcc = in_cache_get_by_vcc, + .put = in_cache_put, + .remove_entry = in_cache_remove_entry, + .cache_hit = cache_hit, + .clear_count = clear_count_and_expired, + .check_resolving = check_resolving_entries, + .refresh = refresh_entries, + .destroy_cache = in_destroy_cache }; static const struct eg_cache_ops egress_ops = { - eg_cache_add_entry, /* add_entry */ - eg_cache_get_by_cache_id, /* get_by_cache_id */ - eg_cache_get_by_tag, /* get_by_tag */ - eg_cache_get_by_vcc, /* get_by_vcc */ - eg_cache_get_by_src_ip, /* get_by_src_ip */ - eg_cache_put, /* put */ - eg_cache_remove_entry, /* remove_entry */ - update_eg_cache_entry, /* update */ - clear_expired, /* clear_expired */ - eg_destroy_cache /* destroy_cache */ + .add_entry = eg_cache_add_entry, + .get_by_cache_id = eg_cache_get_by_cache_id, + .get_by_tag = eg_cache_get_by_tag, + .get_by_vcc = eg_cache_get_by_vcc, + .get_by_src_ip = eg_cache_get_by_src_ip, + .put = eg_cache_put, + .remove_entry = eg_cache_remove_entry, + .update = update_eg_cache_entry, + .clear_expired = clear_expired, + .destroy_cache = eg_destroy_cache }; - void atm_mpoa_init_cache(struct mpoa_client *mpc) { mpc->in_ops = &ingress_ops; diff --git a/net/vmw_vsock/vmci_transport_notify.c b/net/vmw_vsock/vmci_transport_notify.c index fd8cf0214d51..1406db4d97d1 100644 --- a/net/vmw_vsock/vmci_transport_notify.c +++ b/net/vmw_vsock/vmci_transport_notify.c @@ -662,19 +662,19 @@ static void vmci_transport_notify_pkt_process_negotiate(struct sock *sk) /* Socket control packet based operations. */ const struct vmci_transport_notify_ops vmci_transport_notify_pkt_ops = { - vmci_transport_notify_pkt_socket_init, - vmci_transport_notify_pkt_socket_destruct, - vmci_transport_notify_pkt_poll_in, - vmci_transport_notify_pkt_poll_out, - vmci_transport_notify_pkt_handle_pkt, - vmci_transport_notify_pkt_recv_init, - vmci_transport_notify_pkt_recv_pre_block, - vmci_transport_notify_pkt_recv_pre_dequeue, - vmci_transport_notify_pkt_recv_post_dequeue, - vmci_transport_notify_pkt_send_init, - vmci_transport_notify_pkt_send_pre_block, - vmci_transport_notify_pkt_send_pre_enqueue, - vmci_transport_notify_pkt_send_post_enqueue, - vmci_transport_notify_pkt_process_request, - vmci_transport_notify_pkt_process_negotiate, + .socket_init = vmci_transport_notify_pkt_socket_init, + .socket_destruct = vmci_transport_notify_pkt_socket_destruct, + .poll_in = vmci_transport_notify_pkt_poll_in, + .poll_out = vmci_transport_notify_pkt_poll_out, + .handle_notify_pkt = vmci_transport_notify_pkt_handle_pkt, + .recv_init = vmci_transport_notify_pkt_recv_init, + .recv_pre_block = vmci_transport_notify_pkt_recv_pre_block, + .recv_pre_dequeue = vmci_transport_notify_pkt_recv_pre_dequeue, + .recv_post_dequeue = vmci_transport_notify_pkt_recv_post_dequeue, + .send_init = vmci_transport_notify_pkt_send_init, + .send_pre_block = vmci_transport_notify_pkt_send_pre_block, + .send_pre_enqueue = vmci_transport_notify_pkt_send_pre_enqueue, + .send_post_enqueue = vmci_transport_notify_pkt_send_post_enqueue, + .process_request = vmci_transport_notify_pkt_process_request, + .process_negotiate = vmci_transport_notify_pkt_process_negotiate, }; diff --git a/net/vmw_vsock/vmci_transport_notify_qstate.c b/net/vmw_vsock/vmci_transport_notify_qstate.c index 21e591dafb03..f3a0afc46208 100644 --- a/net/vmw_vsock/vmci_transport_notify_qstate.c +++ b/net/vmw_vsock/vmci_transport_notify_qstate.c @@ -420,19 +420,19 @@ vmci_transport_notify_pkt_send_pre_enqueue( /* Socket always on control packet based operations. */ const struct vmci_transport_notify_ops vmci_transport_notify_pkt_q_state_ops = { - vmci_transport_notify_pkt_socket_init, - vmci_transport_notify_pkt_socket_destruct, - vmci_transport_notify_pkt_poll_in, - vmci_transport_notify_pkt_poll_out, - vmci_transport_notify_pkt_handle_pkt, - vmci_transport_notify_pkt_recv_init, - vmci_transport_notify_pkt_recv_pre_block, - vmci_transport_notify_pkt_recv_pre_dequeue, - vmci_transport_notify_pkt_recv_post_dequeue, - vmci_transport_notify_pkt_send_init, - vmci_transport_notify_pkt_send_pre_block, - vmci_transport_notify_pkt_send_pre_enqueue, - vmci_transport_notify_pkt_send_post_enqueue, - vmci_transport_notify_pkt_process_request, - vmci_transport_notify_pkt_process_negotiate, + .socket_init = vmci_transport_notify_pkt_socket_init, + .socket_destruct = vmci_transport_notify_pkt_socket_destruct, + .poll_in = vmci_transport_notify_pkt_poll_in, + .poll_out = vmci_transport_notify_pkt_poll_out, + .handle_notify_pkt = vmci_transport_notify_pkt_handle_pkt, + .recv_init = vmci_transport_notify_pkt_recv_init, + .recv_pre_block = vmci_transport_notify_pkt_recv_pre_block, + .recv_pre_dequeue = vmci_transport_notify_pkt_recv_pre_dequeue, + .recv_post_dequeue = vmci_transport_notify_pkt_recv_post_dequeue, + .send_init = vmci_transport_notify_pkt_send_init, + .send_pre_block = vmci_transport_notify_pkt_send_pre_block, + .send_pre_enqueue = vmci_transport_notify_pkt_send_pre_enqueue, + .send_post_enqueue = vmci_transport_notify_pkt_send_post_enqueue, + .process_request = vmci_transport_notify_pkt_process_request, + .process_negotiate = vmci_transport_notify_pkt_process_negotiate, }; -- cgit v1.2.3 From 9d1c0ca5e1d6697ce1e32bb708bfe24dff34f287 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 16 Dec 2016 16:58:58 -0800 Subject: net: use designated initializers Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: Kees Cook Signed-off-by: David S. Miller --- net/decnet/dn_dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c index b2c26b081134..41f803e35da3 100644 --- a/net/decnet/dn_dev.c +++ b/net/decnet/dn_dev.c @@ -201,7 +201,7 @@ static struct dn_dev_sysctl_table { .extra1 = &min_t3, .extra2 = &max_t3 }, - {0} + { } }, }; -- cgit v1.2.3 From e999cb43d51f3635afd6253c5c066798ad998255 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 16 Dec 2016 17:03:39 -0800 Subject: net/x25: use designated initializers Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: Kees Cook Signed-off-by: David S. Miller --- net/x25/sysctl_net_x25.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/x25/sysctl_net_x25.c b/net/x25/sysctl_net_x25.c index 43239527a205..a06dfe143c67 100644 --- a/net/x25/sysctl_net_x25.c +++ b/net/x25/sysctl_net_x25.c @@ -70,7 +70,7 @@ static struct ctl_table x25_table[] = { .mode = 0644, .proc_handler = proc_dointvec, }, - { 0, }, + { }, }; void __init x25_register_sysctl(void) -- cgit v1.2.3 From c2ed1880fd61a998e3ce40254a99a2ad000f1a7d Mon Sep 17 00:00:00 2001 From: Mantas M Date: Fri, 16 Dec 2016 10:30:59 +0200 Subject: net: ipv6: check route protocol when deleting routes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The protocol field is checked when deleting IPv4 routes, but ignored for IPv6, which causes problems with routing daemons accidentally deleting externally set routes (observed by multiple bird6 users). This can be verified using `ip -6 route del proto something`. Signed-off-by: Mantas Mikulėnas Signed-off-by: David S. Miller --- net/ipv6/route.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net') diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 2413a0637d99..890acace01d0 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2174,6 +2174,8 @@ static int ip6_route_del(struct fib6_config *cfg) continue; if (cfg->fc_metric && cfg->fc_metric != rt->rt6i_metric) continue; + if (cfg->fc_protocol && cfg->fc_protocol != rt->rt6i_protocol) + continue; dst_hold(&rt->dst); read_unlock_bh(&table->tb6_lock); -- cgit v1.2.3