<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/packet, branch v3.16.45</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net/packet: fix overflow in check for tp_reserve</title>
<updated>2017-06-05T20:17:21+00:00</updated>
<author>
<name>Andrey Konovalov</name>
<email>andreyknvl@google.com</email>
</author>
<published>2017-03-29T14:11:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7bb3f26487e578c2cb0567196ce93c008967a269'/>
<id>7bb3f26487e578c2cb0567196ce93c008967a269</id>
<content type='text'>
commit bcc5364bdcfe131e6379363f089e7b4108d35b70 upstream.

When calculating po-&gt;tp_hdrlen + po-&gt;tp_reserve the result can overflow.

Fix by checking that tp_reserve &lt;= INT_MAX on assign.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit bcc5364bdcfe131e6379363f089e7b4108d35b70 upstream.

When calculating po-&gt;tp_hdrlen + po-&gt;tp_reserve the result can overflow.

Fix by checking that tp_reserve &lt;= INT_MAX on assign.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net/packet: fix overflow in check for tp_frame_nr</title>
<updated>2017-06-05T20:17:21+00:00</updated>
<author>
<name>Andrey Konovalov</name>
<email>andreyknvl@google.com</email>
</author>
<published>2017-03-29T14:11:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a318bc0bcec7f7867f1f1d8cef5ae6f25aa169a7'/>
<id>a318bc0bcec7f7867f1f1d8cef5ae6f25aa169a7</id>
<content type='text'>
commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b upstream.

When calculating rb-&gt;frames_per_block * req-&gt;tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr &lt;= UINT_MAX.

Since frames_per_block &lt;= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b upstream.

When calculating rb-&gt;frames_per_block * req-&gt;tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr &lt;= UINT_MAX.

Since frames_per_block &lt;= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net/packet: fix overflow in check for priv area size</title>
<updated>2017-06-05T20:17:21+00:00</updated>
<author>
<name>Andrey Konovalov</name>
<email>andreyknvl@google.com</email>
</author>
<published>2017-03-29T14:11:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a481ab4edd87bc2dc6f1fa9029866dd69c86fc5c'/>
<id>a481ab4edd87bc2dc6f1fa9029866dd69c86fc5c</id>
<content type='text'>
commit 2b6867c2ce76c596676bec7d2d525af525fdc6e2 upstream.

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2b6867c2ce76c596676bec7d2d525af525fdc6e2 upstream.

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: Do not call fanout_release from atomic contexts</title>
<updated>2017-03-16T02:27:14+00:00</updated>
<author>
<name>Anoob Soman</name>
<email>anoob.soman@citrix.com</email>
</author>
<published>2017-02-15T20:25:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d227a42ec0966749eb3514b218c7022d136efafa'/>
<id>d227a42ec0966749eb3514b218c7022d136efafa</id>
<content type='text'>
commit 2bd624b4611ffee36422782d16e1c944d1351e98 upstream.

Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a
netdev"), unfortunately, introduced the following issues.

1. calling mutex_lock(&amp;fanout_mutex) (fanout_release()) from inside
rcu_read-side critical section. rcu_read_lock disables preemption, most often,
which prohibits calling sleeping functions.

[  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
[  ]
[  ] rcu_scheduler_active = 1, debug_locks = 0
[  ] 4 locks held by ovs-vswitchd/1969:
[  ]  #0:  (cb_lock){++++++}, at: [&lt;ffffffff8158a6c9&gt;] genl_rcv+0x19/0x40
[  ]  #1:  (ovs_mutex){+.+.+.}, at: [&lt;ffffffffa04878ca&gt;] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
[  ]  #2:  (rtnl_mutex){+.+.+.}, at: [&lt;ffffffff81564157&gt;] rtnl_lock+0x17/0x20
[  ]  #3:  (rcu_read_lock){......}, at: [&lt;ffffffff81614165&gt;] packet_notifier+0x5/0x3f0
[  ]
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff810c9077&gt;] lockdep_rcu_suspicious+0x107/0x110
[  ]  [&lt;ffffffff810a2da7&gt;] ___might_sleep+0x57/0x210
[  ]  [&lt;ffffffff810a2fd0&gt;] __might_sleep+0x70/0x90
[  ]  [&lt;ffffffff8162e80c&gt;] mutex_lock_nested+0x3c/0x3a0
[  ]  [&lt;ffffffff810de93f&gt;] ? vprintk_default+0x1f/0x30
[  ]  [&lt;ffffffff81186e88&gt;] ? printk+0x4d/0x4f
[  ]  [&lt;ffffffff816106dd&gt;] fanout_release+0x1d/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

2. calling mutex_lock(&amp;fanout_mutex) inside spin_lock(&amp;po-&gt;bind_lock).
"sleeping function called from invalid context"

[  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff810a2f52&gt;] ___might_sleep+0x202/0x210
[  ]  [&lt;ffffffff810a2fd0&gt;] __might_sleep+0x70/0x90
[  ]  [&lt;ffffffff8162e80c&gt;] mutex_lock_nested+0x3c/0x3a0
[  ]  [&lt;ffffffff816106dd&gt;] fanout_release+0x1d/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

3. calling dev_remove_pack(&amp;fanout-&gt;prot_hook), from inside
spin_lock(&amp;po-&gt;bind_lock) or rcu_read-side critical-section. dev_remove_pack()
-&gt; synchronize_net(), which might sleep.

[  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff81186274&gt;] __schedule_bug+0x64/0x73
[  ]  [&lt;ffffffff8162b8cb&gt;] __schedule+0x6b/0xd10
[  ]  [&lt;ffffffff8162c5db&gt;] schedule+0x6b/0x80
[  ]  [&lt;ffffffff81630b1d&gt;] schedule_timeout+0x38d/0x410
[  ]  [&lt;ffffffff810ea3fd&gt;] synchronize_sched_expedited+0x53d/0x810
[  ]  [&lt;ffffffff810ea6de&gt;] synchronize_rcu_expedited+0xe/0x10
[  ]  [&lt;ffffffff8154eab5&gt;] synchronize_net+0x35/0x50
[  ]  [&lt;ffffffff8154eae3&gt;] dev_remove_pack+0x13/0x20
[  ]  [&lt;ffffffff8161077e&gt;] fanout_release+0xbe/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

4. fanout_release() races with calls from different CPU.

To fix the above problems, remove the call to fanout_release() under
rcu_read_lock(). Instead, call __dev_remove_pack(&amp;fanout-&gt;prot_hook) and
netdev_run_todo will be happy that &amp;dev-&gt;ptype_specific list is empty. In order
to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
fanout-&gt;prot_hook is removed as well.

Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev")
Reported-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Anoob Soman &lt;anoob.soman@citrix.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16:
 - Don't call fanout_release_data()
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2bd624b4611ffee36422782d16e1c944d1351e98 upstream.

Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a
netdev"), unfortunately, introduced the following issues.

1. calling mutex_lock(&amp;fanout_mutex) (fanout_release()) from inside
rcu_read-side critical section. rcu_read_lock disables preemption, most often,
which prohibits calling sleeping functions.

[  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
[  ]
[  ] rcu_scheduler_active = 1, debug_locks = 0
[  ] 4 locks held by ovs-vswitchd/1969:
[  ]  #0:  (cb_lock){++++++}, at: [&lt;ffffffff8158a6c9&gt;] genl_rcv+0x19/0x40
[  ]  #1:  (ovs_mutex){+.+.+.}, at: [&lt;ffffffffa04878ca&gt;] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
[  ]  #2:  (rtnl_mutex){+.+.+.}, at: [&lt;ffffffff81564157&gt;] rtnl_lock+0x17/0x20
[  ]  #3:  (rcu_read_lock){......}, at: [&lt;ffffffff81614165&gt;] packet_notifier+0x5/0x3f0
[  ]
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff810c9077&gt;] lockdep_rcu_suspicious+0x107/0x110
[  ]  [&lt;ffffffff810a2da7&gt;] ___might_sleep+0x57/0x210
[  ]  [&lt;ffffffff810a2fd0&gt;] __might_sleep+0x70/0x90
[  ]  [&lt;ffffffff8162e80c&gt;] mutex_lock_nested+0x3c/0x3a0
[  ]  [&lt;ffffffff810de93f&gt;] ? vprintk_default+0x1f/0x30
[  ]  [&lt;ffffffff81186e88&gt;] ? printk+0x4d/0x4f
[  ]  [&lt;ffffffff816106dd&gt;] fanout_release+0x1d/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

2. calling mutex_lock(&amp;fanout_mutex) inside spin_lock(&amp;po-&gt;bind_lock).
"sleeping function called from invalid context"

[  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff810a2f52&gt;] ___might_sleep+0x202/0x210
[  ]  [&lt;ffffffff810a2fd0&gt;] __might_sleep+0x70/0x90
[  ]  [&lt;ffffffff8162e80c&gt;] mutex_lock_nested+0x3c/0x3a0
[  ]  [&lt;ffffffff816106dd&gt;] fanout_release+0x1d/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

3. calling dev_remove_pack(&amp;fanout-&gt;prot_hook), from inside
spin_lock(&amp;po-&gt;bind_lock) or rcu_read-side critical-section. dev_remove_pack()
-&gt; synchronize_net(), which might sleep.

[  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [&lt;ffffffff813770c1&gt;] dump_stack+0x85/0xc4
[  ]  [&lt;ffffffff81186274&gt;] __schedule_bug+0x64/0x73
[  ]  [&lt;ffffffff8162b8cb&gt;] __schedule+0x6b/0xd10
[  ]  [&lt;ffffffff8162c5db&gt;] schedule+0x6b/0x80
[  ]  [&lt;ffffffff81630b1d&gt;] schedule_timeout+0x38d/0x410
[  ]  [&lt;ffffffff810ea3fd&gt;] synchronize_sched_expedited+0x53d/0x810
[  ]  [&lt;ffffffff810ea6de&gt;] synchronize_rcu_expedited+0xe/0x10
[  ]  [&lt;ffffffff8154eab5&gt;] synchronize_net+0x35/0x50
[  ]  [&lt;ffffffff8154eae3&gt;] dev_remove_pack+0x13/0x20
[  ]  [&lt;ffffffff8161077e&gt;] fanout_release+0xbe/0xe0
[  ]  [&lt;ffffffff81614459&gt;] packet_notifier+0x2f9/0x3f0

4. fanout_release() races with calls from different CPU.

To fix the above problems, remove the call to fanout_release() under
rcu_read_lock(). Instead, call __dev_remove_pack(&amp;fanout-&gt;prot_hook) and
netdev_run_todo will be happy that &amp;dev-&gt;ptype_specific list is empty. In order
to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
fanout-&gt;prot_hook is removed as well.

Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev")
Reported-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Anoob Soman &lt;anoob.soman@citrix.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16:
 - Don't call fanout_release_data()
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: call fanout_release, while UNREGISTERING a netdev</title>
<updated>2017-03-16T02:27:14+00:00</updated>
<author>
<name>Anoob Soman</name>
<email>anoob.soman@citrix.com</email>
</author>
<published>2016-10-05T14:12:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5d4c3670b96936201d75ebed09062129dbe6ede7'/>
<id>5d4c3670b96936201d75ebed09062129dbe6ede7</id>
<content type='text'>
commit 6664498280cf17a59c3e7cf1a931444c02633ed1 upstream.

If a socket has FANOUT sockopt set, a new proto_hook is registered
as part of fanout_add(). When processing a NETDEV_UNREGISTER event in
af_packet, __fanout_unlink is called for all sockets, but prot_hook which was
registered as part of fanout_add is not removed. Call fanout_release, on a
NETDEV_UNREGISTER, which removes prot_hook and removes fanout from the
fanout_list.

This fixes BUG_ON(!list_empty(&amp;dev-&gt;ptype_specific)) in netdev_run_todo()

Signed-off-by: Anoob Soman &lt;anoob.soman@citrix.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6664498280cf17a59c3e7cf1a931444c02633ed1 upstream.

If a socket has FANOUT sockopt set, a new proto_hook is registered
as part of fanout_add(). When processing a NETDEV_UNREGISTER event in
af_packet, __fanout_unlink is called for all sockets, but prot_hook which was
registered as part of fanout_add is not removed. Call fanout_release, on a
NETDEV_UNREGISTER, which removes prot_hook and removes fanout from the
fanout_list.

This fixes BUG_ON(!list_empty(&amp;dev-&gt;ptype_specific)) in netdev_run_todo()

Signed-off-by: Anoob Soman &lt;anoob.soman@citrix.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: fix races in fanout_add()</title>
<updated>2017-03-16T02:27:13+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-02-14T17:03:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bf7916239a591920427b0ee8022c222eeccba840'/>
<id>bf7916239a591920427b0ee8022c222eeccba840</id>
<content type='text'>
commit d199fab63c11998a602205f7ee7ff7c05c97164b upstream.

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could
lead to one thread freeing po-&gt;rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us
finding lockdep issues earlier.

Fixes: dc99f600698d ("packet: Add fanout support.")
Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16:
 - No rollover queue stats
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d199fab63c11998a602205f7ee7ff7c05c97164b upstream.

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could
lead to one thread freeing po-&gt;rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us
finding lockdep issues earlier.

Fixes: dc99f600698d ("packet: Add fanout support.")
Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16:
 - No rollover queue stats
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: fix race condition in packet_set_ring</title>
<updated>2017-02-23T03:54:41+00:00</updated>
<author>
<name>Philip Pettersson</name>
<email>philip.pettersson@gmail.com</email>
</author>
<published>2016-11-30T22:55:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=943e7299c0fec28de9df8985953f45633b071690'/>
<id>943e7299c0fec28de9df8985953f45633b071690</id>
<content type='text'>
commit 84ac7260236a49c79eede91617700174c2c19b0c upstream.

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson &lt;philip.pettersson@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 84ac7260236a49c79eede91617700174c2c19b0c upstream.

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson &lt;philip.pettersson@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: on direct_xmit, limit tso and csum to supported devices</title>
<updated>2017-02-23T03:54:24+00:00</updated>
<author>
<name>Willem de Bruijn</name>
<email>willemb@google.com</email>
</author>
<published>2016-10-26T15:23:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a920cb0d89fd74b2cb5a8924e59373e144fb6a07'/>
<id>a920cb0d89fd74b2cb5a8924e59373e144fb6a07</id>
<content type='text'>
commit 104ba78c98808ae837d1f63aae58c183db5505df upstream.

When transmitting on a packet socket with PACKET_VNET_HDR and
PACKET_QDISC_BYPASS, validate device support for features requested
in vnet_hdr.

Drop TSO packets sent to devices that do not support TSO or have the
feature disabled. Note that the latter currently do process those
packets correctly, regardless of not advertising the feature.

Because of SKB_GSO_DODGY, it is not sufficient to test device features
with netif_needs_gso. Full validate_xmit_skb is needed.

Switch to software checksum for non-TSO packets that request checksum
offload if that device feature is unsupported or disabled. Note that
similar to the TSO case, device drivers may perform checksum offload
correctly even when not advertising it.

When switching to software checksum, packets hit skb_checksum_help,
which has two BUG_ON checksum not in linear segment. Packet sockets
always allocate at least up to csum_start + csum_off + 2 as linear.

Tested by running github.com/wdebruij/kerneltools/psock_txring_vnet.c

  ethtool -K eth0 tso off tx on
  psock_txring_vnet -d $dst -s $src -i eth0 -l 2000 -n 1 -q -v
  psock_txring_vnet -d $dst -s $src -i eth0 -l 2000 -n 1 -q -v -N

  ethtool -K eth0 tx off
  psock_txring_vnet -d $dst -s $src -i eth0 -l 1000 -n 1 -q -v -G
  psock_txring_vnet -d $dst -s $src -i eth0 -l 1000 -n 1 -q -v -G -N

v2:
  - add EXPORT_SYMBOL_GPL(validate_xmit_skb_list)

Fixes: d346a3fae3ff ("packet: introduce PACKET_QDISC_BYPASS socket option")
Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: open-code the necessary checks as we don't have
 validate_xmit_skb_list()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 104ba78c98808ae837d1f63aae58c183db5505df upstream.

When transmitting on a packet socket with PACKET_VNET_HDR and
PACKET_QDISC_BYPASS, validate device support for features requested
in vnet_hdr.

Drop TSO packets sent to devices that do not support TSO or have the
feature disabled. Note that the latter currently do process those
packets correctly, regardless of not advertising the feature.

Because of SKB_GSO_DODGY, it is not sufficient to test device features
with netif_needs_gso. Full validate_xmit_skb is needed.

Switch to software checksum for non-TSO packets that request checksum
offload if that device feature is unsupported or disabled. Note that
similar to the TSO case, device drivers may perform checksum offload
correctly even when not advertising it.

When switching to software checksum, packets hit skb_checksum_help,
which has two BUG_ON checksum not in linear segment. Packet sockets
always allocate at least up to csum_start + csum_off + 2 as linear.

Tested by running github.com/wdebruij/kerneltools/psock_txring_vnet.c

  ethtool -K eth0 tso off tx on
  psock_txring_vnet -d $dst -s $src -i eth0 -l 2000 -n 1 -q -v
  psock_txring_vnet -d $dst -s $src -i eth0 -l 2000 -n 1 -q -v -N

  ethtool -K eth0 tx off
  psock_txring_vnet -d $dst -s $src -i eth0 -l 1000 -n 1 -q -v -G
  psock_txring_vnet -d $dst -s $src -i eth0 -l 1000 -n 1 -q -v -G -N

v2:
  - add EXPORT_SYMBOL_GPL(validate_xmit_skb_list)

Fixes: d346a3fae3ff ("packet: introduce PACKET_QDISC_BYPASS socket option")
Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: open-code the necessary checks as we don't have
 validate_xmit_skb_list()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface</title>
<updated>2016-06-15T20:29:23+00:00</updated>
<author>
<name>Mathias Krause</name>
<email>minipli@googlemail.com</email>
</author>
<published>2016-04-10T10:52:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d6db3a73d106fdb0eacdecec6be98cb15f1e07bc'/>
<id>d6db3a73d106fdb0eacdecec6be98cb15f1e07bc</id>
<content type='text'>
commit 309cf37fe2a781279b7675d4bb7173198e532867 upstream.

Because we miss to wipe the remainder of i-&gt;addr[] in packet_mc_add(),
pdiag_put_mclist() leaks uninitialized heap bytes via the
PACKET_DIAG_MCLIST netlink attribute.

Fix this by explicitly memset(0)ing the remaining bytes in i-&gt;addr[].

Fixes: eea68e2f1a00 ("packet: Report socket mclist info via diag module")
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Cc: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Cc: Pavel Emelyanov &lt;xemul@parallels.com&gt;
Acked-by: Pavel Emelyanov &lt;xemul@virtuozzo.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 309cf37fe2a781279b7675d4bb7173198e532867 upstream.

Because we miss to wipe the remainder of i-&gt;addr[] in packet_mc_add(),
pdiag_put_mclist() leaks uninitialized heap bytes via the
PACKET_DIAG_MCLIST netlink attribute.

Fix this by explicitly memset(0)ing the remaining bytes in i-&gt;addr[].

Fixes: eea68e2f1a00 ("packet: Report socket mclist info via diag module")
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Cc: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Cc: Pavel Emelyanov &lt;xemul@parallels.com&gt;
Acked-by: Pavel Emelyanov &lt;xemul@virtuozzo.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: infer protocol from ethernet header if unset</title>
<updated>2015-12-18T16:06:18+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>daniel@iogearbox.net</email>
</author>
<published>2015-11-11T22:25:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d9850f8ef951bca36f1962c1570c3d6f01162316'/>
<id>d9850f8ef951bca36f1962c1570c3d6f01162316</id>
<content type='text'>
commit c72219b75fde768efccf7666342282fab7f9e4e7 upstream.

In case no struct sockaddr_ll has been passed to packet
socket's sendmsg() when doing a TX_RING flush run, then
skb-&gt;protocol is set to po-&gt;num instead, which is the protocol
passed via socket(2)/bind(2).

Applications only xmitting can go the path of allocating the
socket as socket(PF_PACKET, &lt;mode&gt;, 0) and do a bind(2) on the
TX_RING with sll_protocol of 0. That way, register_prot_hook()
is neither called on creation nor on bind time, which saves
cycles when there's no interest in capturing anyway.

That leaves us however with po-&gt;num 0 instead and therefore
the TX_RING flush run sets skb-&gt;protocol to 0 as well. Eric
reported that this leads to problems when using tools like
trafgen over bonding device. I.e. the bonding's hash function
could invoke the kernel's flow dissector, which depends on
skb-&gt;protocol being properly set. In the current situation, all
the traffic is then directed to a single slave.

Fix it up by inferring skb-&gt;protocol from the Ethernet header
when not set and we have ARPHRD_ETHER device type. This is only
done in case of SOCK_RAW and where we have a dev-&gt;hard_header_len
length. In case of ARPHRD_ETHER devices, this is guaranteed to
cover ETH_HLEN, and therefore being accessed on the skb after
the skb_store_bits().

Reported-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c72219b75fde768efccf7666342282fab7f9e4e7 upstream.

In case no struct sockaddr_ll has been passed to packet
socket's sendmsg() when doing a TX_RING flush run, then
skb-&gt;protocol is set to po-&gt;num instead, which is the protocol
passed via socket(2)/bind(2).

Applications only xmitting can go the path of allocating the
socket as socket(PF_PACKET, &lt;mode&gt;, 0) and do a bind(2) on the
TX_RING with sll_protocol of 0. That way, register_prot_hook()
is neither called on creation nor on bind time, which saves
cycles when there's no interest in capturing anyway.

That leaves us however with po-&gt;num 0 instead and therefore
the TX_RING flush run sets skb-&gt;protocol to 0 as well. Eric
reported that this leads to problems when using tools like
trafgen over bonding device. I.e. the bonding's hash function
could invoke the kernel's flow dissector, which depends on
skb-&gt;protocol being properly set. In the current situation, all
the traffic is then directed to a single slave.

Fix it up by inferring skb-&gt;protocol from the Ethernet header
when not set and we have ARPHRD_ETHER device type. This is only
done in case of SOCK_RAW and where we have a dev-&gt;hard_header_len
length. In case of ARPHRD_ETHER devices, this is guaranteed to
cover ETH_HLEN, and therefore being accessed on the skb after
the skb_store_bits().

Reported-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
