<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/net/packet, branch linux-4.12.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-4.12.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-4.12.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2017-09-20T06:22:07+00:00</updated>
<entry>
<title>packet: Don't write vnet header beyond end of buffer</title>
<updated>2017-09-20T06:22:07+00:00</updated>
<author>
<name>Benjamin Poirier</name>
<email>bpoirier@suse.com</email>
</author>
<published>2017-08-28T18:29:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e7ebdeb47c8b14614c65a0a2ad07cf4c04e51469'/>
<id>urn:sha1:e7ebdeb47c8b14614c65a0a2ad07cf4c04e51469</id>
<content type='text'>
[ Upstream commit edbd58be15a957f6a760c4a514cd475217eb97fd ]

... which may happen with certain values of tp_reserve and maclen.

Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv")
Signed-off-by: Benjamin Poirier &lt;bpoirier@suse.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>packet: fix tp_reserve race in packet_set_ring</title>
<updated>2017-08-13T02:34:27+00:00</updated>
<author>
<name>Willem de Bruijn</name>
<email>willemb@google.com</email>
</author>
<published>2017-08-10T16:41:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=91b2b39b49c25a0a76e3ef5302e848e6c9e60cfd'/>
<id>urn:sha1:91b2b39b49c25a0a76e3ef5302e848e6c9e60cfd</id>
<content type='text'>
[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>packet: fix use-after-free in prb_retire_rx_blk_timer_expired()</title>
<updated>2017-08-11T15:33:57+00:00</updated>
<author>
<name>WANG Cong</name>
<email>xiyou.wangcong@gmail.com</email>
</author>
<published>2017-07-24T17:07:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=efb5ce567529648bb9a203d77e069f066096d943'/>
<id>urn:sha1:efb5ce567529648bb9a203d77e069f066096d943</id>
<content type='text'>
[ Upstream commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042 ]

There are multiple reports showing we have a use-after-free in
the timer prb_retire_rx_blk_timer_expired(), where we use struct
tpacket_kbdq_core::pkbdq, a pg_vec, after it gets freed by
free_pg_vec().

The interesting part is it is not freed via packet_release() but
via packet_setsockopt(), which means we are not closing the socket.
Looking into the big and fat function packet_set_ring(), this could
happen if we satisfy the following conditions:

1. closing == 0, not on packet_release() path
2. req-&gt;tp_block_nr == 0, we don't allocate a new pg_vec
3. rx_ring-&gt;pg_vec is already set as V3, which means we already called
   packet_set_ring() wtih req-&gt;tp_block_nr &gt; 0 previously
4. req-&gt;tp_frame_nr == 0, pass sanity check
5. po-&gt;mapped == 0, never called mmap()

In this scenario we are clearing the old rx_ring-&gt;pg_vec, so we need
to free this pg_vec, but we don't stop the timer on this path because
of closing==0.

The timer has to be stopped as long as we need to free pg_vec, therefore
the check on closing!=0 is wrong, we should check pg_vec!=NULL instead.

Thanks to liujian for testing different fixes.

Reported-by: alexander.levin@verizon.com
Reported-by: Dave Jones &lt;davej@codemonkey.org.uk&gt;
Reported-by: liujian (CE) &lt;liujian56@huawei.com&gt;
Tested-by: liujian (CE) &lt;liujian56@huawei.com&gt;
Cc: Ding Tianhong &lt;dingtianhong@huawei.com&gt;
Cc: Willem de Bruijn &lt;willemdebruijn.kernel@gmail.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>net/packet: fix missing net_device reference release</title>
<updated>2017-05-15T18:22:12+00:00</updated>
<author>
<name>Douglas Caetano dos Santos</name>
<email>douglascs@taghos.com.br</email>
</author>
<published>2017-05-12T18:19:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d19b183cdc1fa3d70d6abe2a4c369e748cd7ebb8'/>
<id>urn:sha1:d19b183cdc1fa3d70d6abe2a4c369e748cd7ebb8</id>
<content type='text'>
When using a TX ring buffer, if an error occurs processing a control
message (e.g. invalid message), the net_device reference is not
released.

Fixes c14ac9451c348 ("sock: enable timestamping using control messages")
Signed-off-by: Douglas Caetano dos Santos &lt;douglascs@taghos.com.br&gt;
Acked-by: Soheil Hassas Yeganeh &lt;soheil@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net</title>
<updated>2017-04-27T02:39:08+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2017-04-27T02:39:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1513c35317c106a1588f3ab32f6888f0e2afd71'/>
<id>urn:sha1:b1513c35317c106a1588f3ab32f6888f0e2afd71</id>
<content type='text'>
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net/packet: check length in getsockopt() called with PACKET_HDRLEN</title>
<updated>2017-04-25T18:05:52+00:00</updated>
<author>
<name>Alexander Potapenko</name>
<email>glider@google.com</email>
</author>
<published>2017-04-25T16:51:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fd2c83b35752f0a8236b976978ad4658df14a59f'/>
<id>urn:sha1:fd2c83b35752f0a8236b976978ad4658df14a59f</id>
<content type='text'>
In the case getsockopt() is called with PACKET_HDRLEN and optlen &lt; 4
|val| remains uninitialized and the syscall may behave differently
depending on its value, and even copy garbage to userspace on certain
architectures. To fix this we now return -EINVAL if optlen is too small.

This bug has been detected with KMSAN.

Signed-off-by: Alexander Potapenko &lt;glider@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>packet: add PACKET_FANOUT_FLAG_UNIQUEID to assign new fanout group id.</title>
<updated>2017-04-24T16:46:00+00:00</updated>
<author>
<name>Mike Maloney</name>
<email>maloney@google.com</email>
</author>
<published>2017-04-21T14:56:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4a69a864209e9ab436d4a58e8028ac96cc873d15'/>
<id>urn:sha1:4a69a864209e9ab436d4a58e8028ac96cc873d15</id>
<content type='text'>
Fanout uses a per net global namespace. A process that intends to create
a new fanout group can accidentally join an existing group. It is not
possible to detect this.

Add socket option PACKET_FANOUT_FLAG_UNIQUEID.  When specified the
supplied fanout group id must be set to 0, and the kernel chooses an id
that is not already in use.  This is an ephemeral flag so that
other sockets can be added to this group using setsockopt, but NOT
specifying this flag.  The current getsockopt(..., PACKET_FANOUT, ...)
can be used to retrieve the new group id.

We assume that there are not a lot of fanout groups and that this is not
a high frequency call.

The method assigns ids starting at zero and increases until it finds an
unused id.  It keeps track of the last assigned id, and uses it as a
starting point to find new ids.

Signed-off-by: Mike Maloney &lt;maloney@google.com&gt;
Acked-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net/packet: fix overflow in check for tp_reserve</title>
<updated>2017-03-30T18:04:00+00:00</updated>
<author>
<name>Andrey Konovalov</name>
<email>andreyknvl@google.com</email>
</author>
<published>2017-03-29T14:11:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bcc5364bdcfe131e6379363f089e7b4108d35b70'/>
<id>urn:sha1:bcc5364bdcfe131e6379363f089e7b4108d35b70</id>
<content type='text'>
When calculating po-&gt;tp_hdrlen + po-&gt;tp_reserve the result can overflow.

Fix by checking that tp_reserve &lt;= INT_MAX on assign.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net/packet: fix overflow in check for tp_frame_nr</title>
<updated>2017-03-30T18:03:59+00:00</updated>
<author>
<name>Andrey Konovalov</name>
<email>andreyknvl@google.com</email>
</author>
<published>2017-03-29T14:11:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b'/>
<id>urn:sha1:8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b</id>
<content type='text'>
When calculating rb-&gt;frames_per_block * req-&gt;tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr &lt;= UINT_MAX.

Since frames_per_block &lt;= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net/packet: fix overflow in check for priv area size</title>
<updated>2017-03-30T18:03:59+00:00</updated>
<author>
<name>Andrey Konovalov</name>
<email>andreyknvl@google.com</email>
</author>
<published>2017-03-29T14:11:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2b6867c2ce76c596676bec7d2d525af525fdc6e2'/>
<id>urn:sha1:2b6867c2ce76c596676bec7d2d525af525fdc6e2</id>
<content type='text'>
Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
