<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/packet, branch v3.12.73</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net: don't call strlen() on the user buffer in packet_bind_spkt()</title>
<updated>2017-03-28T13:49:21+00:00</updated>
<author>
<name>Alexander Potapenko</name>
<email>glider@google.com</email>
</author>
<published>2017-03-01T11:57:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=366b793e30af5debe1098781601959326dace6e6'/>
<id>366b793e30af5debe1098781601959326dace6e6</id>
<content type='text'>
[ Upstream commit 540e2894f7905538740aaf122bd8e0548e1c34a4 ]

KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in packet_bind_spkt():
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;

==================================================================
BUG: KMSAN: use of unitialized memory
CPU: 0 PID: 1074 Comm: packet Not tainted 4.8.0-rc6+ #1891
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
 0000000000000000 ffff88006b6dfc08 ffffffff82559ae8 ffff88006b6dfb48
 ffffffff818a7c91 ffffffff85b9c870 0000000000000092 ffffffff85b9c550
 0000000000000000 0000000000000092 00000000ec400911 0000000000000002
Call Trace:
 [&lt;     inline     &gt;] __dump_stack lib/dump_stack.c:15
 [&lt;ffffffff82559ae8&gt;] dump_stack+0x238/0x290 lib/dump_stack.c:51
 [&lt;ffffffff818a6626&gt;] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1003
 [&lt;ffffffff818a783b&gt;] __msan_warning+0x5b/0xb0
mm/kmsan/kmsan_instr.c:424
 [&lt;     inline     &gt;] strlen lib/string.c:484
 [&lt;ffffffff8259b58d&gt;] strlcpy+0x9d/0x200 lib/string.c:144
 [&lt;ffffffff84b2eca4&gt;] packet_bind_spkt+0x144/0x230
net/packet/af_packet.c:3132
 [&lt;ffffffff84242e4d&gt;] SYSC_bind+0x40d/0x5f0 net/socket.c:1370
 [&lt;ffffffff84242a22&gt;] SyS_bind+0x82/0xa0 net/socket.c:1356
 [&lt;ffffffff8515991b&gt;] entry_SYSCALL_64_fastpath+0x13/0x8f
arch/x86/entry/entry_64.o:?
chained origin: 00000000eba00911
 [&lt;ffffffff810bb787&gt;] save_stack_trace+0x27/0x50
arch/x86/kernel/stacktrace.c:67
 [&lt;     inline     &gt;] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
 [&lt;     inline     &gt;] kmsan_save_stack mm/kmsan/kmsan.c:334
 [&lt;ffffffff818a59f8&gt;] kmsan_internal_chain_origin+0x118/0x1e0
mm/kmsan/kmsan.c:527
 [&lt;ffffffff818a7773&gt;] __msan_set_alloca_origin4+0xc3/0x130
mm/kmsan/kmsan_instr.c:380
 [&lt;ffffffff84242b69&gt;] SYSC_bind+0x129/0x5f0 net/socket.c:1356
 [&lt;ffffffff84242a22&gt;] SyS_bind+0x82/0xa0 net/socket.c:1356
 [&lt;ffffffff8515991b&gt;] entry_SYSCALL_64_fastpath+0x13/0x8f
arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=00000000eb400911)
==================================================================
(the line numbers are relative to 4.8-rc6, but the bug persists
upstream)

, when I run the following program as root:

=====================================
 #include &lt;string.h&gt;
 #include &lt;sys/socket.h&gt;
 #include &lt;netpacket/packet.h&gt;
 #include &lt;net/ethernet.h&gt;

 int main() {
   struct sockaddr addr;
   memset(&amp;addr, 0xff, sizeof(addr));
   addr.sa_family = AF_PACKET;
   int fd = socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL));
   bind(fd, &amp;addr, sizeof(addr));
   return 0;
 }
=====================================

This happens because addr.sa_data copied from the userspace is not
zero-terminated, and copying it with strlcpy() in packet_bind_spkt()
results in calling strlen() on the kernel copy of that non-terminated
buffer.

Signed-off-by: Alexander Potapenko &lt;glider@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 540e2894f7905538740aaf122bd8e0548e1c34a4 ]

KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in packet_bind_spkt():
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;

==================================================================
BUG: KMSAN: use of unitialized memory
CPU: 0 PID: 1074 Comm: packet Not tainted 4.8.0-rc6+ #1891
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
 0000000000000000 ffff88006b6dfc08 ffffffff82559ae8 ffff88006b6dfb48
 ffffffff818a7c91 ffffffff85b9c870 0000000000000092 ffffffff85b9c550
 0000000000000000 0000000000000092 00000000ec400911 0000000000000002
Call Trace:
 [&lt;     inline     &gt;] __dump_stack lib/dump_stack.c:15
 [&lt;ffffffff82559ae8&gt;] dump_stack+0x238/0x290 lib/dump_stack.c:51
 [&lt;ffffffff818a6626&gt;] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1003
 [&lt;ffffffff818a783b&gt;] __msan_warning+0x5b/0xb0
mm/kmsan/kmsan_instr.c:424
 [&lt;     inline     &gt;] strlen lib/string.c:484
 [&lt;ffffffff8259b58d&gt;] strlcpy+0x9d/0x200 lib/string.c:144
 [&lt;ffffffff84b2eca4&gt;] packet_bind_spkt+0x144/0x230
net/packet/af_packet.c:3132
 [&lt;ffffffff84242e4d&gt;] SYSC_bind+0x40d/0x5f0 net/socket.c:1370
 [&lt;ffffffff84242a22&gt;] SyS_bind+0x82/0xa0 net/socket.c:1356
 [&lt;ffffffff8515991b&gt;] entry_SYSCALL_64_fastpath+0x13/0x8f
arch/x86/entry/entry_64.o:?
chained origin: 00000000eba00911
 [&lt;ffffffff810bb787&gt;] save_stack_trace+0x27/0x50
arch/x86/kernel/stacktrace.c:67
 [&lt;     inline     &gt;] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
 [&lt;     inline     &gt;] kmsan_save_stack mm/kmsan/kmsan.c:334
 [&lt;ffffffff818a59f8&gt;] kmsan_internal_chain_origin+0x118/0x1e0
mm/kmsan/kmsan.c:527
 [&lt;ffffffff818a7773&gt;] __msan_set_alloca_origin4+0xc3/0x130
mm/kmsan/kmsan_instr.c:380
 [&lt;ffffffff84242b69&gt;] SYSC_bind+0x129/0x5f0 net/socket.c:1356
 [&lt;ffffffff84242a22&gt;] SyS_bind+0x82/0xa0 net/socket.c:1356
 [&lt;ffffffff8515991b&gt;] entry_SYSCALL_64_fastpath+0x13/0x8f
arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=00000000eb400911)
==================================================================
(the line numbers are relative to 4.8-rc6, but the bug persists
upstream)

, when I run the following program as root:

=====================================
 #include &lt;string.h&gt;
 #include &lt;sys/socket.h&gt;
 #include &lt;netpacket/packet.h&gt;
 #include &lt;net/ethernet.h&gt;

 int main() {
   struct sockaddr addr;
   memset(&amp;addr, 0xff, sizeof(addr));
   addr.sa_family = AF_PACKET;
   int fd = socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL));
   bind(fd, &amp;addr, sizeof(addr));
   return 0;
 }
=====================================

This happens because addr.sa_data copied from the userspace is not
zero-terminated, and copying it with strlcpy() in packet_bind_spkt()
results in calling strlen() on the kernel copy of that non-terminated
buffer.

Signed-off-by: Alexander Potapenko &lt;glider@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>af_packet: remove a stray tab in packet_set_ring()</title>
<updated>2017-03-01T19:27:49+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2014-02-18T12:20:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8c3bdeae0aea6ceefdf50c0582c1db1e4b112f79'/>
<id>8c3bdeae0aea6ceefdf50c0582c1db1e4b112f79</id>
<content type='text'>
commit d7cf0c34af067555737193b6c1aa7abaa677f29c upstream.

At first glance it looks like there is a missing curly brace but
actually the code works the same either way.  I have adjusted the
indenting but left the code the same.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d7cf0c34af067555737193b6c1aa7abaa677f29c upstream.

At first glance it looks like there is a missing curly brace but
actually the code works the same either way.  I have adjusted the
indenting but left the code the same.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: Do not call fanout_release from atomic contexts</title>
<updated>2017-03-01T19:27:35+00:00</updated>
<author>
<name>Anoob Soman</name>
<email>anoob.soman@citrix.com</email>
</author>
<published>2017-02-15T20:25:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fbc87738af9dc0270d89bac3706ec6bfd6238b75'/>
<id>fbc87738af9dc0270d89bac3706ec6bfd6238b75</id>
<content type='text'>
[ Upstream commit 2bd624b4611ffee36422782d16e1c944d1351e98 ]

Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a
netdev"), unfortunately, introduced the following issues.

1. calling mutex_lock(&amp;fanout_mutex) (fanout_release()) from inside
rcu_read-side critical section. rcu_read_lock disables preemption, most often,
which prohibits calling sleeping functions.

[  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
[  ]
[  ] rcu_scheduler_active = 1, debug_locks = 0
[  ] 4 locks held by ovs-vswitchd/1969:
[  ]  #0:  (cb_lock){++++++}, at: [&lt;ffffffff8158a6c9&gt;] genl_rcv+0x19/0x40
[  ]  #1:  (ovs_mutex){+.+.+.}, at: [&lt;ffffffffa04878ca&gt;] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
[  ]  #2:  (rtnl_mutex){+.+.+.}, at: [&lt;ffffffff81564157&gt;] rtnl_lock+0x17/0x20
[  ]  #3:  (rcu_read_lock){......}, at: [&lt;ffffffff81614165&gt;] packet_notifier+0x5/0x3f0
[  ]
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff810c9077&gt;] lockdep_rcu_suspicious+0x107/0x110
[  ]  [&lt;ffffffff810a2da7&gt;] ___might_sleep+0x57/0x210
[  ]  [&lt;ffffffff810a2fd0&gt;] __might_sleep+0x70/0x90
[  ]  [&lt;ffffffff8162e80c&gt;] mutex_lock_nested+0x3c/0x3a0
[  ]  [&lt;ffffffff810de93f&gt;] ? vprintk_default+0x1f/0x30
[  ]  [&lt;ffffffff81186e88&gt;] ? printk+0x4d/0x4f
[  ]  [&lt;ffffffff816106dd&gt;] fanout_release+0x1d/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

2. calling mutex_lock(&amp;fanout_mutex) inside spin_lock(&amp;po-&gt;bind_lock).
"sleeping function called from invalid context"

[  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff810a2f52&gt;] ___might_sleep+0x202/0x210
[  ]  [&lt;ffffffff810a2fd0&gt;] __might_sleep+0x70/0x90
[  ]  [&lt;ffffffff8162e80c&gt;] mutex_lock_nested+0x3c/0x3a0
[  ]  [&lt;ffffffff816106dd&gt;] fanout_release+0x1d/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

3. calling dev_remove_pack(&amp;fanout-&gt;prot_hook), from inside
spin_lock(&amp;po-&gt;bind_lock) or rcu_read-side critical-section. dev_remove_pack()
-&gt; synchronize_net(), which might sleep.

[  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff81186274&gt;] __schedule_bug+0x64/0x73
[  ]  [&lt;ffffffff8162b8cb&gt;] __schedule+0x6b/0xd10
[  ]  [&lt;ffffffff8162c5db&gt;] schedule+0x6b/0x80
[  ]  [&lt;ffffffff81630b1d&gt;] schedule_timeout+0x38d/0x410
[  ]  [&lt;ffffffff810ea3fd&gt;] synchronize_sched_expedited+0x53d/0x810
[  ]  [&lt;ffffffff810ea6de&gt;] synchronize_rcu_expedited+0xe/0x10
[  ]  [&lt;ffffffff8154eab5&gt;] synchronize_net+0x35/0x50
[  ]  [&lt;ffffffff8154eae3&gt;] dev_remove_pack+0x13/0x20
[  ]  [&lt;ffffffff8161077e&gt;] fanout_release+0xbe/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

4. fanout_release() races with calls from different CPU.

To fix the above problems, remove the call to fanout_release() under
rcu_read_lock(). Instead, call __dev_remove_pack(&amp;fanout-&gt;prot_hook) and
netdev_run_todo will be happy that &amp;dev-&gt;ptype_specific list is empty. In order
to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
fanout-&gt;prot_hook is removed as well.

[js] no rollover in 3.12

Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev")
Reported-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Anoob Soman &lt;anoob.soman@citrix.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2bd624b4611ffee36422782d16e1c944d1351e98 ]

Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a
netdev"), unfortunately, introduced the following issues.

1. calling mutex_lock(&amp;fanout_mutex) (fanout_release()) from inside
rcu_read-side critical section. rcu_read_lock disables preemption, most often,
which prohibits calling sleeping functions.

[  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
[  ]
[  ] rcu_scheduler_active = 1, debug_locks = 0
[  ] 4 locks held by ovs-vswitchd/1969:
[  ]  #0:  (cb_lock){++++++}, at: [&lt;ffffffff8158a6c9&gt;] genl_rcv+0x19/0x40
[  ]  #1:  (ovs_mutex){+.+.+.}, at: [&lt;ffffffffa04878ca&gt;] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
[  ]  #2:  (rtnl_mutex){+.+.+.}, at: [&lt;ffffffff81564157&gt;] rtnl_lock+0x17/0x20
[  ]  #3:  (rcu_read_lock){......}, at: [&lt;ffffffff81614165&gt;] packet_notifier+0x5/0x3f0
[  ]
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff810c9077&gt;] lockdep_rcu_suspicious+0x107/0x110
[  ]  [&lt;ffffffff810a2da7&gt;] ___might_sleep+0x57/0x210
[  ]  [&lt;ffffffff810a2fd0&gt;] __might_sleep+0x70/0x90
[  ]  [&lt;ffffffff8162e80c&gt;] mutex_lock_nested+0x3c/0x3a0
[  ]  [&lt;ffffffff810de93f&gt;] ? vprintk_default+0x1f/0x30
[  ]  [&lt;ffffffff81186e88&gt;] ? printk+0x4d/0x4f
[  ]  [&lt;ffffffff816106dd&gt;] fanout_release+0x1d/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

2. calling mutex_lock(&amp;fanout_mutex) inside spin_lock(&amp;po-&gt;bind_lock).
"sleeping function called from invalid context"

[  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff810a2f52&gt;] ___might_sleep+0x202/0x210
[  ]  [&lt;ffffffff810a2fd0&gt;] __might_sleep+0x70/0x90
[  ]  [&lt;ffffffff8162e80c&gt;] mutex_lock_nested+0x3c/0x3a0
[  ]  [&lt;ffffffff816106dd&gt;] fanout_release+0x1d/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

3. calling dev_remove_pack(&amp;fanout-&gt;prot_hook), from inside
spin_lock(&amp;po-&gt;bind_lock) or rcu_read-side critical-section. dev_remove_pack()
-&gt; synchronize_net(), which might sleep.

[  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff81186274&gt;] __schedule_bug+0x64/0x73
[  ]  [&lt;ffffffff8162b8cb&gt;] __schedule+0x6b/0xd10
[  ]  [&lt;ffffffff8162c5db&gt;] schedule+0x6b/0x80
[  ]  [&lt;ffffffff81630b1d&gt;] schedule_timeout+0x38d/0x410
[  ]  [&lt;ffffffff810ea3fd&gt;] synchronize_sched_expedited+0x53d/0x810
[  ]  [&lt;ffffffff810ea6de&gt;] synchronize_rcu_expedited+0xe/0x10
[  ]  [&lt;ffffffff8154eab5&gt;] synchronize_net+0x35/0x50
[  ]  [&lt;ffffffff8154eae3&gt;] dev_remove_pack+0x13/0x20
[  ]  [&lt;ffffffff8161077e&gt;] fanout_release+0xbe/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

4. fanout_release() races with calls from different CPU.

To fix the above problems, remove the call to fanout_release() under
rcu_read_lock(). Instead, call __dev_remove_pack(&amp;fanout-&gt;prot_hook) and
netdev_run_todo will be happy that &amp;dev-&gt;ptype_specific list is empty. In order
to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
fanout-&gt;prot_hook is removed as well.

[js] no rollover in 3.12

Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev")
Reported-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Anoob Soman &lt;anoob.soman@citrix.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: fix races in fanout_add()</title>
<updated>2017-03-01T19:24:36+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-02-14T17:03:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6d46193d7ccae0758a8e887a6897a3e133eb9610'/>
<id>6d46193d7ccae0758a8e887a6897a3e133eb9610</id>
<content type='text'>
[ Upstream commit d199fab63c11998a602205f7ee7ff7c05c97164b ]

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could
lead to one thread freeing po-&gt;rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us
finding lockdep issues earlier.

[js] no rollover in 3.12

Fixes: dc99f600698d ("packet: Add fanout support.")
Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d199fab63c11998a602205f7ee7ff7c05c97164b ]

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could
lead to one thread freeing po-&gt;rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us
finding lockdep issues earlier.

[js] no rollover in 3.12

Fixes: dc99f600698d ("packet: Add fanout support.")
Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: round up linear to header len</title>
<updated>2017-03-01T08:59:48+00:00</updated>
<author>
<name>Willem de Bruijn</name>
<email>willemb@google.com</email>
</author>
<published>2017-02-07T20:57:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=da00bdddfea8683566b2aa1afec4b1c83bdb4abf'/>
<id>da00bdddfea8683566b2aa1afec4b1c83bdb4abf</id>
<content type='text'>
[ Upstream commit 57031eb794906eea4e1c7b31dc1e2429c0af0c66 ]

Link layer protocols may unconditionally pull headers, as Ethernet
does in eth_type_trans. Ensure that the entire link layer header
always lies in the skb linear segment. tpacket_snd has such a check.
Extend this to packet_snd.

Variable length link layer headers complicate the computation
somewhat. Here skb-&gt;len may be smaller than dev-&gt;hard_header_len.

Round up the linear length to be at least as long as the smallest of
the two.

[js] no virtio helpers in 3.12

Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 57031eb794906eea4e1c7b31dc1e2429c0af0c66 ]

Link layer protocols may unconditionally pull headers, as Ethernet
does in eth_type_trans. Ensure that the entire link layer header
always lies in the skb linear segment. tpacket_snd has such a check.
Extend this to packet_snd.

Variable length link layer headers complicate the computation
somewhat. Here skb-&gt;len may be smaller than dev-&gt;hard_header_len.

Round up the linear length to be at least as long as the smallest of
the two.

[js] no virtio helpers in 3.12

Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: fix race condition in packet_set_ring</title>
<updated>2016-12-13T15:57:17+00:00</updated>
<author>
<name>Philip Pettersson</name>
<email>philip.pettersson@gmail.com</email>
</author>
<published>2016-11-30T22:55:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c80480c4ad5208431a7fb003472bd576bbe6ebb7'/>
<id>c80480c4ad5208431a7fb003472bd576bbe6ebb7</id>
<content type='text'>
[ Upstream commit 84ac7260236a49c79eede91617700174c2c19b0c ]

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson &lt;philip.pettersson@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 84ac7260236a49c79eede91617700174c2c19b0c ]

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson &lt;philip.pettersson@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: call fanout_release, while UNREGISTERING a netdev</title>
<updated>2016-11-28T21:22:27+00:00</updated>
<author>
<name>Anoob Soman</name>
<email>anoob.soman@citrix.com</email>
</author>
<published>2016-10-05T14:12:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1bd84554a87f1065b05d34fe737e5b20e01be99a'/>
<id>1bd84554a87f1065b05d34fe737e5b20e01be99a</id>
<content type='text'>
[ Upstream commit 6664498280cf17a59c3e7cf1a931444c02633ed1 ]

If a socket has FANOUT sockopt set, a new proto_hook is registered
as part of fanout_add(). When processing a NETDEV_UNREGISTER event in
af_packet, __fanout_unlink is called for all sockets, but prot_hook which was
registered as part of fanout_add is not removed. Call fanout_release, on a
NETDEV_UNREGISTER, which removes prot_hook and removes fanout from the
fanout_list.

This fixes BUG_ON(!list_empty(&amp;dev-&gt;ptype_specific)) in netdev_run_todo()

Signed-off-by: Anoob Soman &lt;anoob.soman@citrix.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6664498280cf17a59c3e7cf1a931444c02633ed1 ]

If a socket has FANOUT sockopt set, a new proto_hook is registered
as part of fanout_add(). When processing a NETDEV_UNREGISTER event in
af_packet, __fanout_unlink is called for all sockets, but prot_hook which was
registered as part of fanout_add is not removed. Call fanout_release, on a
NETDEV_UNREGISTER, which removes prot_hook and removes fanout from the
fanout_list.

This fixes BUG_ON(!list_empty(&amp;dev-&gt;ptype_specific)) in netdev_run_todo()

Signed-off-by: Anoob Soman &lt;anoob.soman@citrix.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>random32: add prandom_u32_max and convert open coded users</title>
<updated>2016-08-19T07:51:00+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2014-01-22T01:29:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=73596d54f314ac2cc24ab211bde7de10fbc2f2e7'/>
<id>73596d54f314ac2cc24ab211bde7de10fbc2f2e7</id>
<content type='text'>
commit f337db64af059c9a94278a8b0ab97d87259ff62f upstream.

Many functions have open coded a function that returns a random
number in range [0,N-1]. Under the assumption that we have a PRNG
such as taus113 with being well distributed in [0, ~0U] space,
we can implement such a function as uword t = (n*m')&gt;&gt;32, where
m' is a random number obtained from PRNG, n the right open interval
border and t our resulting random number, with n,m',t in u32 universe.

Lets go with Joe and simply call it prandom_u32_max(), although
technically we have an right open interval endpoint, but that we
have documented. Other users can further be migrated to the new
prandom_u32_max() function later on; for now, we need to make sure
to migrate reciprocal_divide() users for the reciprocal_divide()
follow-up fixup since their function signatures are going to change.

Joint work with Hannes Frederic Sowa.

Cc: Jakub Zawadzki &lt;darkjames-ws@darkjames.pl&gt;
Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f337db64af059c9a94278a8b0ab97d87259ff62f upstream.

Many functions have open coded a function that returns a random
number in range [0,N-1]. Under the assumption that we have a PRNG
such as taus113 with being well distributed in [0, ~0U] space,
we can implement such a function as uword t = (n*m')&gt;&gt;32, where
m' is a random number obtained from PRNG, n the right open interval
border and t our resulting random number, with n,m',t in u32 universe.

Lets go with Joe and simply call it prandom_u32_max(), although
technically we have an right open interval endpoint, but that we
have documented. Other users can further be migrated to the new
prandom_u32_max() function later on; for now, we need to make sure
to migrate reciprocal_divide() users for the reciprocal_divide()
follow-up fixup since their function signatures are going to change.

Joint work with Hannes Frederic Sowa.

Cc: Jakub Zawadzki &lt;darkjames-ws@darkjames.pl&gt;
Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface</title>
<updated>2016-05-18T07:03:50+00:00</updated>
<author>
<name>Mathias Krause</name>
<email>minipli@googlemail.com</email>
</author>
<published>2016-04-10T10:52:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0c0e877eefd101c036189995e68f726bd0f9d03d'/>
<id>0c0e877eefd101c036189995e68f726bd0f9d03d</id>
<content type='text'>
[ Upstream commit 309cf37fe2a781279b7675d4bb7173198e532867 ]

Because we miss to wipe the remainder of i-&gt;addr[] in packet_mc_add(),
pdiag_put_mclist() leaks uninitialized heap bytes via the
PACKET_DIAG_MCLIST netlink attribute.

Fix this by explicitly memset(0)ing the remaining bytes in i-&gt;addr[].

Fixes: eea68e2f1a00 ("packet: Report socket mclist info via diag module")
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Cc: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Cc: Pavel Emelyanov &lt;xemul@parallels.com&gt;
Acked-by: Pavel Emelyanov &lt;xemul@virtuozzo.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 309cf37fe2a781279b7675d4bb7173198e532867 ]

Because we miss to wipe the remainder of i-&gt;addr[] in packet_mc_add(),
pdiag_put_mclist() leaks uninitialized heap bytes via the
PACKET_DIAG_MCLIST netlink attribute.

Fix this by explicitly memset(0)ing the remaining bytes in i-&gt;addr[].

Fixes: eea68e2f1a00 ("packet: Report socket mclist info via diag module")
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Cc: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Cc: Pavel Emelyanov &lt;xemul@parallels.com&gt;
Acked-by: Pavel Emelyanov &lt;xemul@virtuozzo.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: infer protocol from ethernet header if unset</title>
<updated>2016-01-05T15:11:08+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>daniel@iogearbox.net</email>
</author>
<published>2015-11-11T22:25:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fbc3cdbe235eecd3ed1a1686dd95ff1cada60513'/>
<id>fbc3cdbe235eecd3ed1a1686dd95ff1cada60513</id>
<content type='text'>
[ Upstream commit c72219b75fde768efccf7666342282fab7f9e4e7 ]

In case no struct sockaddr_ll has been passed to packet
socket's sendmsg() when doing a TX_RING flush run, then
skb-&gt;protocol is set to po-&gt;num instead, which is the protocol
passed via socket(2)/bind(2).

Applications only xmitting can go the path of allocating the
socket as socket(PF_PACKET, &lt;mode&gt;, 0) and do a bind(2) on the
TX_RING with sll_protocol of 0. That way, register_prot_hook()
is neither called on creation nor on bind time, which saves
cycles when there's no interest in capturing anyway.

That leaves us however with po-&gt;num 0 instead and therefore
the TX_RING flush run sets skb-&gt;protocol to 0 as well. Eric
reported that this leads to problems when using tools like
trafgen over bonding device. I.e. the bonding's hash function
could invoke the kernel's flow dissector, which depends on
skb-&gt;protocol being properly set. In the current situation, all
the traffic is then directed to a single slave.

Fix it up by inferring skb-&gt;protocol from the Ethernet header
when not set and we have ARPHRD_ETHER device type. This is only
done in case of SOCK_RAW and where we have a dev-&gt;hard_header_len
length. In case of ARPHRD_ETHER devices, this is guaranteed to
cover ETH_HLEN, and therefore being accessed on the skb after
the skb_store_bits().

Reported-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c72219b75fde768efccf7666342282fab7f9e4e7 ]

In case no struct sockaddr_ll has been passed to packet
socket's sendmsg() when doing a TX_RING flush run, then
skb-&gt;protocol is set to po-&gt;num instead, which is the protocol
passed via socket(2)/bind(2).

Applications only xmitting can go the path of allocating the
socket as socket(PF_PACKET, &lt;mode&gt;, 0) and do a bind(2) on the
TX_RING with sll_protocol of 0. That way, register_prot_hook()
is neither called on creation nor on bind time, which saves
cycles when there's no interest in capturing anyway.

That leaves us however with po-&gt;num 0 instead and therefore
the TX_RING flush run sets skb-&gt;protocol to 0 as well. Eric
reported that this leads to problems when using tools like
trafgen over bonding device. I.e. the bonding's hash function
could invoke the kernel's flow dissector, which depends on
skb-&gt;protocol being properly set. In the current situation, all
the traffic is then directed to a single slave.

Fix it up by inferring skb-&gt;protocol from the Ethernet header
when not set and we have ARPHRD_ETHER device type. This is only
done in case of SOCK_RAW and where we have a dev-&gt;hard_header_len
length. In case of ARPHRD_ETHER devices, this is guaranteed to
cover ETH_HLEN, and therefore being accessed on the skb after
the skb_store_bits().

Reported-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
</feed>
