linux-stable.git/drivers/infiniband, branch v3.13 Linux kernel stable tree infiniband: make sure the src net is infiniband when create new link 2014-01-04T01:38:56+00:00 Hangbin Liu liuhangbin@gmail.com 2014-01-03T03:33:45+00:00 0d68fc4f1210f8caea2bdd68f99dc6da35ee3740 When we create a new infiniband link with uninfiniband device, e.g. `ip link add link em1 type ipoib pkey 0x8001`. We will get a NULL pointer dereference cause other dev like Ethernet don't have struct ib_device. The code path is: rtnl_newlink |-- ipoib_new_child_link |-- __ipoib_vlan_add |-- ipoib_set_dev_features |-- ib_query_device Fix this bug by make sure the src net is infiniband when create new link. Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
When we create a new infiniband link with uninfiniband device, e.g. `ip link
add link em1 type ipoib pkey 0x8001`. We will get a NULL pointer dereference
cause other dev like Ethernet don't have struct ib_device.

The code path is:
rtnl_newlink
  |-- ipoib_new_child_link
        |-- __ipoib_vlan_add
              |-- ipoib_set_dev_features
                    |-- ib_query_device

Fix this bug by make sure the src net is infiniband when create new link.

Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-12-30T17:33:30+00:00 Linus Torvalds torvalds@linux-foundation.org 2013-12-30T17:33:30+00:00 67e0c1b037f8739a023c0129c1e0946defbaefb5 Pull networking fixes from David Miller: "Some holiday bug fixes for 3.13... There is still one bug I'd like to get fixed before 3.13-final. The vlan code erroneously assignes the header ops of the underlying real device to the VLAN device above it when the real device can hardware offload VLAN handling. That's completely bogus because header ops are tied to the device type, so they only expect to see a 'dev' argument compatible with their ops. The fix is the have the VLAN code use a special set of header ops that does the pass-thru correctly, by calling the underlying real device's header ops but _also_ passing in the real device instead of the VLAN device. That fix is currently waiting some testing. Anyways, of note here: 1) Fix bitmap edge case in radiotap, from Johannes Berg. 2) Fix oops on driver unload in rtlwifi, from Larry Finger. 3) Bonding doesn't do locking correctly during speed/duplex/link changes, from Ding Tianhong. 4) Fix header parsing in GRE code, this bug has been around for a few releases. From Timo Teräs. 5) SIT tunnel driver MTU check needs to take GSO into account, from Eric Dumazet. 6) Minor info leak in inet_diag, from Daniel Borkmann. 7) Info leak in YAM hamradio driver, from Salva Peiró. 8) Fix route expiration state handling in ipv6 routing code, from Li RongQing. 9) DCCP probe module does not check request_module()'s return value, from Wang Weidong. 10) cpsw driver passes NULL device names to request_irq(), from Mugunthan V N. 11) Prevent a NULL splat in RDS binding code, from Sasha Levin. 12) Fix 4G overflow test in tg3 driver, from Nithin Sujir. 13) Cure use after free in arc_emac and fec driver's software timestamp handling, from Eric Dumazet. 14) SIT driver can fail to release the route when iptunnel_handle_offloads() throws an error. From Li RongQing. 15) Several batman-adv fixes from Simon Wunderlich and Antonio Quartulli. 16) Fix deadlock during TIPC socket release, from Ying Xue. 17) Fix regression in ROSE protocol recvmsg() msg_name handling, from Florian Westphal. 18) stmmac PTP support releases wrong spinlock, from Vince Bridgers" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits) stmmac: Fix incorrect spinlock release and PTP cap detection. phy: IRQ cannot be shared net: rose: restore old recvmsg behavior xen-netback: fix guest-receive-side array sizes fec: Do not assume that PHY reset is active low tipc: fix deadlock during socket release netfilter: nf_tables: fix wrong datatype in nft_validate_data_load() batman-adv: fix vlan header access batman-adv: clean nf state when removing protocol header batman-adv: fix alignment for batadv_tvlv_tt_change batman-adv: fix size of batadv_bla_claim_dst batman-adv: fix size of batadv_icmp_header batman-adv: fix header alignment by unrolling batadv_header batman-adv: fix alignment for batadv_coded_packet netfilter: nf_tables: fix oops when updating table with user chains netfilter: nf_tables: fix dumping with large number of sets ipv6: release dst properly in ipip6_tunnel_xmit netxen: Correct off-by-one errors in bounds checks net: Add some clarification to skb_tx_timestamp() comment. arc_emac: fix potential use after free ... 
Pull networking fixes from David Miller:
 "Some holiday bug fixes for 3.13...  There is still one bug I'd like to
  get fixed before 3.13-final.

  The vlan code erroneously assignes the header ops of the underlying
  real device to the VLAN device above it when the real device can
  hardware offload VLAN handling.  That's completely bogus because
  header ops are tied to the device type, so they only expect to see a
  'dev' argument compatible with their ops.

  The fix is the have the VLAN code use a special set of header ops that
  does the pass-thru correctly, by calling the underlying real device's
  header ops but _also_ passing in the real device instead of the VLAN
  device.

  That fix is currently waiting some testing.

  Anyways, of note here:

   1) Fix bitmap edge case in radiotap, from Johannes Berg.

   2) Fix oops on driver unload in rtlwifi, from Larry Finger.

   3) Bonding doesn't do locking correctly during speed/duplex/link
      changes, from Ding Tianhong.

   4) Fix header parsing in GRE code, this bug has been around for a few
      releases.  From Timo Teräs.

   5) SIT tunnel driver MTU check needs to take GSO into account, from
      Eric Dumazet.

   6) Minor info leak in inet_diag, from Daniel Borkmann.

   7) Info leak in YAM hamradio driver, from Salva Peiró.

   8) Fix route expiration state handling in ipv6 routing code, from Li
      RongQing.

   9) DCCP probe module does not check request_module()'s return value,
      from Wang Weidong.

  10) cpsw driver passes NULL device names to request_irq(), from
      Mugunthan V N.

  11) Prevent a NULL splat in RDS binding code, from Sasha Levin.

  12) Fix 4G overflow test in tg3 driver, from Nithin Sujir.

  13) Cure use after free in arc_emac and fec driver's software
      timestamp handling, from Eric Dumazet.

  14) SIT driver can fail to release the route when
      iptunnel_handle_offloads() throws an error.  From Li RongQing.

  15) Several batman-adv fixes from Simon Wunderlich and Antonio
      Quartulli.

  16) Fix deadlock during TIPC socket release, from Ying Xue.

  17) Fix regression in ROSE protocol recvmsg() msg_name handling, from
      Florian Westphal.

  18) stmmac PTP support releases wrong spinlock, from Vince Bridgers"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
  stmmac: Fix incorrect spinlock release and PTP cap detection.
  phy: IRQ cannot be shared
  net: rose: restore old recvmsg behavior
  xen-netback: fix guest-receive-side array sizes
  fec: Do not assume that PHY reset is active low
  tipc: fix deadlock during socket release
  netfilter: nf_tables: fix wrong datatype in nft_validate_data_load()
  batman-adv: fix vlan header access
  batman-adv: clean nf state when removing protocol header
  batman-adv: fix alignment for batadv_tvlv_tt_change
  batman-adv: fix size of batadv_bla_claim_dst
  batman-adv: fix size of batadv_icmp_header
  batman-adv: fix header alignment by unrolling batadv_header
  batman-adv: fix alignment for batadv_coded_packet
  netfilter: nf_tables: fix oops when updating table with user chains
  netfilter: nf_tables: fix dumping with large number of sets
  ipv6: release dst properly in ipip6_tunnel_xmit
  netxen: Correct off-by-one errors in bounds checks
  net: Add some clarification to skb_tx_timestamp() comment.
  arc_emac: fix potential use after free
  ...
Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband 2013-12-24T01:23:42+00:00 Linus Torvalds torvalds@linux-foundation.org 2013-12-24T01:23:42+00:00 6961bc6c7055d0d1b2a670dbdca2c0165e267514 Pull infiniband fixes from Roland Dreier: "Last batch of InfiniBand/RDMA changes for 3.13 / 2014: - Additional checks for uverbs to ensure forward compatibility, handle malformed input better. - Fix potential use-after-free in iWARP connection manager. - Make a function static" * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/uverbs: Check access to userspace response buffer in extended command IB/uverbs: Check input length in flow steering uverbs IB/uverbs: Set error code when fail to consume all flow_spec items IB/uverbs: Check reserved fields in create_flow IB/uverbs: Check comp_mask in destroy_flow IB/uverbs: Check reserved field in extended command header IB/uverbs: New macro to set pointers to NULL if length is 0 in INIT_UDATA() IB/core: const'ify inbuf in struct ib_udata RDMA/iwcm: Don't touch cm_id after deref in rem_ref RDMA/cxgb4: Make _c4iw_write_mem_dma() static 
Pull infiniband fixes from Roland Dreier:
 "Last batch of InfiniBand/RDMA changes for 3.13 / 2014:
   - Additional checks for uverbs to ensure forward compatibility,
     handle malformed input better.
   - Fix potential use-after-free in iWARP connection manager.
   - Make a function static"

* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/uverbs: Check access to userspace response buffer in extended command
  IB/uverbs: Check input length in flow steering uverbs
  IB/uverbs: Set error code when fail to consume all flow_spec items
  IB/uverbs: Check reserved fields in create_flow
  IB/uverbs: Check comp_mask in destroy_flow
  IB/uverbs: Check reserved field in extended command header
  IB/uverbs: New macro to set pointers to NULL if length is 0 in INIT_UDATA()
  IB/core: const'ify inbuf in struct ib_udata
  RDMA/iwcm: Don't touch cm_id after deref in rem_ref
  RDMA/cxgb4: Make _c4iw_write_mem_dma() static
Merge branches 'cxgb4', 'flowsteer' and 'misc' into for-linus 2013-12-23T17:19:02+00:00 Roland Dreier roland@purestorage.com 2013-12-23T17:19:02+00:00 22f12c60e12a4112fdca31582e66fe501600ee2b 






RDMA/cxgb4: Use cxgb4_select_ntuple to correctly calculate ntuple fields
2013-12-22T23:09:08+00:00

Kumar Sanghvi
kumaras@chelsio.com

2013-12-18T11:08:26+00:00

41b4f86c1368758a02129e0629a9cc7c2811fa32

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>





Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>







RDMA/cxgb4: Server filters are supported only for IPv4
2013-12-22T23:09:08+00:00

Kumar Sanghvi
kumaras@chelsio.com

2013-12-18T11:08:25+00:00

8c04469057c3307d92d2c7076edcf9eb8f752bca

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>





Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>







RDMA/cxgb4: Calculate the filter server TID properly
2013-12-22T23:09:08+00:00

Kumar Sanghvi
kumaras@chelsio.com

2013-12-18T11:08:24+00:00

a4ea025fc24532bae8a038d038f8e0f15b8a7d98

Based on original work by Santosh Rastapur <santosh@chelsio.com>

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>





Based on original work by Santosh Rastapur <santosh@chelsio.com>

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>







IB/uverbs: Check access to userspace response buffer in extended command
2013-12-20T18:54:34+00:00

Yann Droneaud
ydroneaud@opteya.com

2013-12-11T22:01:51+00:00

6cc3df840a84dc4e8a874e74cd62a138074922ba

This patch adds a check on the output buffer with access_ok(VERIFY_WRITE, ...)
to ensure the whole buffer is in userspace memory before using the
pointer in uverbs functions.  If the buffer or a subset of it is not
valid, returns -EFAULT to the caller.

This will also catch invalid buffer before the final call to
copy_to_user() which happen late in most uverb functions.

Just like the check in read(2) syscall, it's a sanity check to detect
invalid parameters provided by userspace. This particular check was added
in vfs_read() by Linus Torvalds for v2.6.12 with following commit message:

https://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/?id=fd770e66c9a65b14ce114e171266cf6f393df502

  Make read/write always do the full "access_ok()" tests.

  The actual user copy will do them too, but only for the
  range that ends up being actually copied. That hides
  bugs when the range has been clamped by file size or other
  issues.

Note: there's no need to check input buffer since vfs_write() already does
access_ok(VERIFY_READ, ...) as part of write() syscall.

Link: http://marc.info/?i=cover.1387273677.git.ydroneaud@opteya.com
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>





This patch adds a check on the output buffer with access_ok(VERIFY_WRITE, ...)
to ensure the whole buffer is in userspace memory before using the
pointer in uverbs functions.  If the buffer or a subset of it is not
valid, returns -EFAULT to the caller.

This will also catch invalid buffer before the final call to
copy_to_user() which happen late in most uverb functions.

Just like the check in read(2) syscall, it's a sanity check to detect
invalid parameters provided by userspace. This particular check was added
in vfs_read() by Linus Torvalds for v2.6.12 with following commit message:

https://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/?id=fd770e66c9a65b14ce114e171266cf6f393df502

  Make read/write always do the full "access_ok()" tests.

  The actual user copy will do them too, but only for the
  range that ends up being actually copied. That hides
  bugs when the range has been clamped by file size or other
  issues.

Note: there's no need to check input buffer since vfs_write() already does
access_ok(VERIFY_READ, ...) as part of write() syscall.

Link: http://marc.info/?i=cover.1387273677.git.ydroneaud@opteya.com
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>







IB/uverbs: Check input length in flow steering uverbs
2013-12-20T18:54:33+00:00

Yann Droneaud
ydroneaud@opteya.com

2013-12-11T22:01:52+00:00

6bcca3d4a3bcc9859cf001a0a21c8796edae2dc0

Since ib_copy_from_udata() doesn't check yet the available input data
length before accessing userspace memory, an explicit check of this
length is required to prevent:

- reading past the user provided buffer,
- underflow when subtracting the expected command size from the input
  length.

This will ensure the newly added flow steering uverbs don't try to
process truncated commands.

Link: http://marc.info/?i=cover.1386798254.git.ydroneaud@opteya.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>





Since ib_copy_from_udata() doesn't check yet the available input data
length before accessing userspace memory, an explicit check of this
length is required to prevent:

- reading past the user provided buffer,
- underflow when subtracting the expected command size from the input
  length.

This will ensure the newly added flow steering uverbs don't try to
process truncated commands.

Link: http://marc.info/?i=cover.1386798254.git.ydroneaud@opteya.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>







IB/uverbs: Set error code when fail to consume all flow_spec items
2013-12-20T18:54:33+00:00

Yann Droneaud
ydroneaud@opteya.com

2013-12-11T22:01:50+00:00

98a37510ec1452817600d8ea47cff1d9f8d9bec8

If the flow_spec items parsed count does not match the number of items
declared in the flow_attr command, or if not all bytes are used for
flow_spec items (eg. trailing garbage), a log message is reported and
the function leave through the error path. Unfortunately the error
code is currently not set.

This patch set error code to -EINVAL in such cases, so that the error
is reported to userspace instead of silently fail.

Link: http://marc.info/?i=cover.1386798254.git.ydroneaud@opteya.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>





If the flow_spec items parsed count does not match the number of items
declared in the flow_attr command, or if not all bytes are used for
flow_spec items (eg. trailing garbage), a log message is reported and
the function leave through the error path. Unfortunately the error
code is currently not set.

This patch set error code to -EINVAL in such cases, so that the error
is reported to userspace instead of silently fail.

Link: http://marc.info/?i=cover.1386798254.git.ydroneaud@opteya.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>