Netdev List
* [PATCH 5/5] ipv4: netfilter: ip_tables: fix information leak to userland
From: kaber @ 2010-11-03 22:12 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1288822372-21245-1-git-send-email-kaber@trash.net>

From: Vasiliy Kulikov <segooon@gmail.com>

Structure ipt_getinfo is copied to userland with the field "name"
that has the last elements unitialized.  It leads to leaking of
contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/ipv4/netfilter/ip_tables.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index d31b007..a846d63 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1124,6 +1124,7 @@ static int get_info(struct net *net, void __user *user,
 			private = &tmp;
 		}
 #endif
+		memset(&info, 0, sizeof(info));
 		info.valid_hooks = t->valid_hooks;
 		memcpy(info.hook_entry, private->hook_entry,
 		       sizeof(info.hook_entry));
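Review bot: memset(&info, 0, sizeof(info)) is the right shape of fix for a struct that is copied out whole, since it also clears any padding bytes that initialising name[] alone would miss; the commit message could say so, and should state that every later store into info (valid_hooks and hook_entry here, plus whatever writes name) happens after this point, so nothing reaches userspace before it is initialised.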
-- 
1.7.1
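To show what the one-line memset changes, here is an added userland model of the leak (not the kernel's code): a struct with a fixed-size name[] is filled the way get_info() fills it, once without and once with the memset, and the bytes of name[] past the terminator that still hold stale stack contents are counted. The struct layout, field values and the 0xA5 stale pattern are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct ipt_getinfo (not the kernel
 * definition): a fixed-size name buffer followed by a few scalar fields,
 * all of which are copied to userspace as one block. */
#define NAME_LEN 32
#define NUM_HOOKS 5

struct getinfo_like {
    char name[NAME_LEN];
    unsigned int valid_hooks;
    unsigned int hook_entry[NUM_HOOKS];
    unsigned int size;
};

/* Fill the struct's memory with a recognisable byte pattern standing in for
 * whatever an earlier call left on the kernel stack (constructed for the demo). */
static void poison_like_stale_stack(struct getinfo_like *info)
{
    memset(info, 0xA5, sizeof(*info));
}

/* Mirror the shape of the kernel's get_info(): write name, valid_hooks and
 * hook_entry, then hand the whole struct to the caller. With zero_first == 0
 * this is the pre-fix behaviour: every byte of name[] after the terminator
 * keeps its stale contents. With zero_first != 0 it is the patched behaviour:
 * memset(&info, 0, sizeof(info)) before any field is filled. */
static void get_info_like(struct getinfo_like *info, const char *name, int zero_first)
{
    if (zero_first)
        memset(info, 0, sizeof(*info));
    /* the kernel uses strcpy(); the name is assumed shorter than NAME_LEN */
    memcpy(info->name, name, strlen(name) + 1);
    info->valid_hooks = 0x1f;           /* constructed sample values */
    for (int i = 0; i < NUM_HOOKS; i++)
        info->hook_entry[i] = 0;
    info->size = 0;
}

/* Count bytes of name[] beyond the terminator that are not zero, i.e. bytes
 * the caller would receive that were never deliberately written. */
static size_t uninitialised_name_bytes(const struct getinfo_like *info)
{
    size_t i = 0, leaked = 0;
    while (i < NAME_LEN && info->name[i] != '\0')
        i++;
    for (i = i + 1; i < NAME_LEN; i++)
        if ((unsigned char)info->name[i] != 0)
            leaked++;
    return leaked;
}

/* Run the whole sequence for one table name: stale stack, fill, inspect. */
size_t leaked_bytes_for(const char *name, int zero_first)
{
    struct getinfo_like info;
    poison_like_stale_stack(&info);
    get_info_like(&info, name, zero_first);
    return uninitialised_name_bytes(&info);
}

int main(void)
{
    printf("before fix: %zu stale bytes of name[] reach userspace\n",
           leaked_bytes_for("filter", 0));
    printf("after fix:  %zu stale bytes of name[] reach userspace\n",
           leaked_bytes_for("filter", 1));
    return 0;
}
```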



* Re: Linux 2.6.37-rc1 (net/sched: cls_cgroup)
From: Li Zefan @ 2010-11-03 22:19 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Randy Dunlap, Herbert Xu, Linus Torvalds, Jamal Hadi Salim,
	Thomas Graf, Linux Kernel Mailing List, netdev, Ben Blum
In-Reply-To: <1288821677.2718.27.camel@edumazet-laptop>

On 2010-11-04 06:01, Eric Dumazet wrote:
> On Wednesday 03 November 2010 at 14:21 -0700, Randy Dunlap wrote:
>> Maybe this isn't normal usage:  just modprobe cls_cgroup && rmmod cls_cgroup:
>>
>>
>> [  107.806607] ------------[ cut here ]------------
>> [  107.810180] kernel BUG at /local/linsrc/lnx-2637-rc1/kernel/cgroup.c:3855!
>> [  107.810180] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
>> [  107.822274] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.1/usb3/3-1/3-1.3/devnum
>> [  107.824889] CPU 0 
>> [  107.832854] Modules linked in: cls_cgroup(-) ipt_MASQUERADE iptable_nat nf_nat af_packet nfsd lockd nfs_acl auth_rpcgss exportfs sco bridge stp llc bnep l2cap crc16 bluetooth rfkill sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables ipv6 p4_clockmod freq_table speedstep_lib binfmt_misc dm_mirror dm_region_hash dm_log dm_multipath scsi_dh dm_mod kvm uinput mousedev joydev snd_intel8x0 snd_ac97_codec ac97_bus usbmouse snd_seq snd_seq_device usbkbd usbhid snd_pcm ppdev hid tg3 led_class snd_timer dcdbas sr_mod snd iTCO_wdt cdrom iTCO_vendor_support sg rtc_cmos pcspkr soundcore i2c_i801 rng_core snd_page_alloc rtc_core parport_pc shpchp evdev rtc_lib parport 8250_pnp pci_hotplug mac_hid unix ide_pci_generic ide_core ata_generic pata_acpi ata_piix sd_mod crc_t10dif ext3 jbd mbcache uhci_hcd ohci_hcd ssb mmc_core pcmcia pcmcia_core firmware_class ehci_hcd usbcore nls_base i915 drm_kms_helper intel_agp button intel_gtt video thermal_sys hwmon output [last unloaded: mperf]
>> [  107.933458] 
>> [  107.933458] Pid: 3400, comm: rmmod Not tainted 2.6.37-rc1 #7 0HH807/OptiPlex GX620               
>> [  107.937800] RIP: 0010:[<ffffffff810e6c9d>]  [<ffffffff810e6c9d>] cgroup_unload_subsys+0x64/0x1c8
>> [  107.937800] RSP: 0018:ffff88006c107ea8  EFLAGS: 00010202
>> [  107.937800] RAX: 0000000000000000 RBX: ffffffffa0009d50 RCX: 0000000000000000
>> [  107.937800] RDX: ffffffff81a3a5f0 RSI: ffff88006c107dc8 RDI: ffff88006c107e48
>> [  107.937800] RBP: ffff88006c107ec8 R08: ffffffff81a3a5f0 R09: 000000000000039a
>> [  107.937800] R10: 0000000000000001 R11: ffff88006c107e48 R12: 0000000000000000
>> [  107.937800] R13: 00007fff2664ffc0 R14: 0000000000000000 R15: 0000000000000001
>> [  107.937800] FS:  00007f52809e46f0(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000
>> [  107.937800] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>> [  107.937800] CR2: 0000003fb5a7bf20 CR3: 000000006c1d8000 CR4: 00000000000006f0
>> [  107.937800] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> [  107.937800] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>> [  107.937800] Process rmmod (pid: 3400, threadinfo ffff88006c106000, task ffff880075a33000)
>> [  107.937800] Stack:
>> [  107.937800]  ffff88006c107ec8 ffffffffa000a0e0 0000000000000000 00007fff2664ffc0
>> [  107.937800]  ffff88006c107ed8 ffffffffa0009819 ffff88006c107f78 ffffffff810d3cb0
>> [  108.048442]  ffffffffa000a0e0 0000000000000880 ffff88006c107f14 ffffffff8155036b
>> [  108.057485] Call Trace:
>> [  108.065148]  [<ffffffffa0009819>] exit_cgroup_cls+0x45/0x4e [cls_cgroup]
>> [  108.070071]  [<ffffffff810d3cb0>] sys_delete_module+0x2d6/0x368
>> [  108.085255]  [<ffffffff8155036b>] ? lockdep_sys_exit_thunk+0x35/0x67
>> [  108.093771]  [<ffffffff81007075>] ? xen_zap_pfn_range+0x53/0x139
>> [  108.101589]  [<ffffffff815502f5>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [  108.111624]  [<ffffffff8100ea72>] system_call_fastpath+0x16/0x1b
>> [  108.119099] Code: 05 51 8d 71 01 0f 0b eb fe 31 f6 48 c7 c7 a0 a5 a3 81 48 ff 05 45 8d 71 01 e8 42 83 46 00 83 7b 58 07 7f 0b 48 ff 05 43 8d 71 01 <0f> 0b eb fe 48 ff 05 40 8d 71 01 48 8d bb 30 01 00 00 48 63 43 
>> [  108.145840] RIP  [<ffffffff810e6c9d>] cgroup_unload_subsys+0x64/0x1c8
>> [  108.152902]  RSP <ffff88006c107ea8>
>> [  108.161767] ---[ end trace 659fde6f8f5f2810 ]---
>>
>>
>>
>> kernel config file is attached (almost allmodconfig).
>> There may be some CONFIG options that are not helping...
>>
>> ---
> 
> commits 8e039d84b323c450 
> (cgroups: net_cls as module)
> 
> followed by commit f845172531f
> (cls_cgroup: Store classid in struct sock)
> 
> are the problem :
> 
> if CONFIG_NET_CLS_CGROUP is not defined
> 
> exit_cgroup_cls() does :
> 
> #ifndef CONFIG_NET_CLS_CGROUP
> 	net_cls_subsys_id = -1;  <<< -1
> 	synchronize_rcu();
> #endif
> 	cgroup_unload_subsys(&net_cls_subsys);
> 
> 
> but net_cls_subsys_id is an alias of net_cls_subsys.subsys_id
> 
> so putting -1 in it triggers BUG_ON() on line 3855 of kernel/cgroup.c
> 
> BUG_ON(ss->subsys_id < CGROUP_BUILTIN_SUBSYS_COUNT);
> 
> Herbert, I'll let you fix it ?
>

Exactly what I was going to reply. This bug report also reveals
another bug..

I'll post fixes for the 2 bugs in minutes.


* [PATCH] de2104x: fix panic on load
From: Eric Dumazet @ 2010-11-03 22:25 UTC (permalink / raw)
  To: David Miller; +Cc: netdev

It's now illegal to call netif_stop_queue() before register_netdev()

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
 drivers/net/tulip/de2104x.c |    1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/tulip/de2104x.c b/drivers/net/tulip/de2104x.c
index 28e1ffb..c78a505 100644
--- a/drivers/net/tulip/de2104x.c
+++ b/drivers/net/tulip/de2104x.c
@@ -2021,7 +2021,6 @@ static int __devinit de_init_one (struct pci_dev *pdev,
 	de->media_timer.data = (unsigned long) de;
 
 	netif_carrier_off(dev);
-	netif_stop_queue(dev);
 
 	/* wake up device, assign resources */
 	rc = pci_enable_device(pdev);
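Review bot: the commit message says calling netif_stop_queue() before register_netdev() is now illegal but does not name the change that made it so or the panic it produces; please cite that commit and include the oops in the log, since this one-line removal in de_init_one() will otherwise read as arbitrary to anyone bisecting.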




* Re: [PATCH 2/4] Ethtool: convert get_sg/set_sg calls to hw_features flag
From: Michał Mirosław @ 2010-11-03 22:29 UTC (permalink / raw)
  To: Matt Carlson
  Cc: netdev@vger.kernel.org, e1000-devel@lists.sourceforge.net,
	Steve Glendinning, Greg Kroah-Hartman, Rasesh Mody, Debashis Dutt,
	Kristoffer Glembo, linux-driver@qlogic.com,
	linux-net-drivers@solarflare.com
In-Reply-To: <20101102022438.GA4243@mcarlson.broadcom.com>

On Mon, Nov 01, 2010 at 07:24:38PM -0700, Matt Carlson wrote:
> On Fri, Oct 29, 2010 at 09:28:26PM -0700, Michał Mirosław wrote:
> > diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
> > index 30ccbb6..b07e2d1 100644
> > --- a/drivers/net/tg3.c
> > +++ b/drivers/net/tg3.c
> > @@ -11306,7 +11306,6 @@ static const struct ethtool_ops tg3_ethtool_ops = {
> >         .get_rx_csum            = tg3_get_rx_csum,
> >         .set_rx_csum            = tg3_set_rx_csum,
> >         .set_tx_csum            = tg3_set_tx_csum,
> > -       .set_sg                 = ethtool_op_set_sg,
> >         .set_tso                = tg3_set_tso,
> >         .self_test              = tg3_self_test,
> >         .get_strings            = tg3_get_strings,
> > @@ -14681,6 +14680,7 @@ static int __devinit tg3_init_one(struct pci_dev *pdev,
> >         tp->rx_pending = TG3_DEF_RX_RING_PENDING;
> >         tp->rx_jumbo_pending = TG3_DEF_RX_JUMBO_RING_PENDING;
> > 
> > +       dev->hw_features |= NETIF_F_SG;
> Scatter-gather should not be enabled if TG3_FLAG_BROKEN_CHECKSUMS is set.  I
> would do the following instead:
> 
> 	if (!(tp->tg3_flags & TG3_FLAG_BROKEN_CHECKSUMS))
> 		dev->hw_features |= NETIF_F_SG;
> 
> TG3_FLAG_BROKEN_CHECKSUMS is set in tg3_get_invariants(), so this code
> would need to be placed later than that function call.

This bug is there now, so I'll queue this as all other hints of existent
bugs that this patch series "uncovers".

Best Regards,
Michał Mirosław


* Re: Linux 2.6.37-rc1 (net/sched: cls_cgroup)
From: Li Zefan @ 2010-11-03 22:31 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Randy Dunlap, Herbert Xu, Linus Torvalds, Jamal Hadi Salim,
	Thomas Graf, Linux Kernel Mailing List, netdev, Ben Blum
In-Reply-To: <4CD1DFEC.1080209@gmail.com>

Li Zefan wrote:
> On 2010-11-04 06:01, Eric Dumazet wrote:
>> On Wednesday 03 November 2010 at 14:21 -0700, Randy Dunlap wrote:
>>> Maybe this isn't normal usage:  just modprobe cls_cgroup && rmmod cls_cgroup:
>>>
>>>
>>> [  107.806607] ------------[ cut here ]------------
>>> [  107.810180] kernel BUG at /local/linsrc/lnx-2637-rc1/kernel/cgroup.c:3855!
>>> [  107.810180] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
>>> [  107.822274] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.1/usb3/3-1/3-1.3/devnum
>>> [  107.824889] CPU 0 
>>> [  107.832854] Modules linked in: cls_cgroup(-) ipt_MASQUERADE iptable_nat nf_nat af_packet nfsd lockd nfs_acl auth_rpcgss exportfs sco bridge stp llc bnep l2cap crc16 bluetooth rfkill sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables ipv6 p4_clockmod freq_table speedstep_lib binfmt_misc dm_mirror dm_region_hash dm_log dm_multipath scsi_dh dm_mod kvm uinput mousedev joydev snd_intel8x0 snd_ac97_codec ac97_bus usbmouse snd_seq snd_seq_device usbkbd usbhid snd_pcm ppdev hid tg3 led_class snd_timer dcdbas sr_mod snd iTCO_wdt cdrom iTCO_vendor_support sg rtc_cmos pcspkr soundcore i2c_i801 rng_core snd_page_alloc rtc_core parport_pc shpchp evdev rtc_lib parport 8250_pnp pci_hotplug mac_hid unix ide_pci_generic ide_core ata_generic pata_acpi ata_piix sd_mod crc_t10dif ext3 jbd mbcache uhci_hcd ohci_hcd ssb mmc_core pcmcia pcmcia_core firmware_class ehci_hcd usbcore nls_base i915 drm_kms_helper intel_agp button intel_gtt video thermal_sys hwmon output [last unloaded: mperf]
>>> [  107.933458] 
>>> [  107.933458] Pid: 3400, comm: rmmod Not tainted 2.6.37-rc1 #7 0HH807/OptiPlex GX620               
>>> [  107.937800] RIP: 0010:[<ffffffff810e6c9d>]  [<ffffffff810e6c9d>] cgroup_unload_subsys+0x64/0x1c8
>>> [  107.937800] RSP: 0018:ffff88006c107ea8  EFLAGS: 00010202
>>> [  107.937800] RAX: 0000000000000000 RBX: ffffffffa0009d50 RCX: 0000000000000000
>>> [  107.937800] RDX: ffffffff81a3a5f0 RSI: ffff88006c107dc8 RDI: ffff88006c107e48
>>> [  107.937800] RBP: ffff88006c107ec8 R08: ffffffff81a3a5f0 R09: 000000000000039a
>>> [  107.937800] R10: 0000000000000001 R11: ffff88006c107e48 R12: 0000000000000000
>>> [  107.937800] R13: 00007fff2664ffc0 R14: 0000000000000000 R15: 0000000000000001
>>> [  107.937800] FS:  00007f52809e46f0(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000
>>> [  107.937800] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>>> [  107.937800] CR2: 0000003fb5a7bf20 CR3: 000000006c1d8000 CR4: 00000000000006f0
>>> [  107.937800] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> [  107.937800] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>>> [  107.937800] Process rmmod (pid: 3400, threadinfo ffff88006c106000, task ffff880075a33000)
>>> [  107.937800] Stack:
>>> [  107.937800]  ffff88006c107ec8 ffffffffa000a0e0 0000000000000000 00007fff2664ffc0
>>> [  107.937800]  ffff88006c107ed8 ffffffffa0009819 ffff88006c107f78 ffffffff810d3cb0
>>> [  108.048442]  ffffffffa000a0e0 0000000000000880 ffff88006c107f14 ffffffff8155036b
>>> [  108.057485] Call Trace:
>>> [  108.065148]  [<ffffffffa0009819>] exit_cgroup_cls+0x45/0x4e [cls_cgroup]
>>> [  108.070071]  [<ffffffff810d3cb0>] sys_delete_module+0x2d6/0x368
>>> [  108.085255]  [<ffffffff8155036b>] ? lockdep_sys_exit_thunk+0x35/0x67
>>> [  108.093771]  [<ffffffff81007075>] ? xen_zap_pfn_range+0x53/0x139
>>> [  108.101589]  [<ffffffff815502f5>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [  108.111624]  [<ffffffff8100ea72>] system_call_fastpath+0x16/0x1b
>>> [  108.119099] Code: 05 51 8d 71 01 0f 0b eb fe 31 f6 48 c7 c7 a0 a5 a3 81 48 ff 05 45 8d 71 01 e8 42 83 46 00 83 7b 58 07 7f 0b 48 ff 05 43 8d 71 01 <0f> 0b eb fe 48 ff 05 40 8d 71 01 48 8d bb 30 01 00 00 48 63 43 
>>> [  108.145840] RIP  [<ffffffff810e6c9d>] cgroup_unload_subsys+0x64/0x1c8
>>> [  108.152902]  RSP <ffff88006c107ea8>
>>> [  108.161767] ---[ end trace 659fde6f8f5f2810 ]---
>>>
>>>
>>>
>>> kernel config file is attached (almost allmodconfig).
>>> There may be some CONFIG options that are not helping...
>>>
>>> ---
>>
>> commits 8e039d84b323c450 
>> (cgroups: net_cls as module)
>>
>> followed by commit f845172531f
>> (cls_cgroup: Store classid in struct sock)
>>
>> are the problem :
>>
>> if CONFIG_NET_CLS_CGROUP is not defined
>>
>> exit_cgroup_cls() does :
>>
>> #ifndef CONFIG_NET_CLS_CGROUP
>> 	net_cls_subsys_id = -1;  <<< -1
>> 	synchronize_rcu();
>> #endif
>> 	cgroup_unload_subsys(&net_cls_subsys);
>>
>>
>> but net_cls_subsys_id is an alias of net_cls_subsys.subsys_id
>>
>> so putting -1 in it triggers BUG_ON() on line 3855 of kernel/cgroup.c
>>
>> BUG_ON(ss->subsys_id < CGROUP_BUILTIN_SUBSYS_COUNT);
>>
>> Herbert, I'll let you fix it ?
>>
> 
> Exactly what I was going to reply. This bug report also reveals
> another bug..
> 
> I'll post fixes for the 2 bugs in minutes.

Sorry, I'll leave so I can't make it. I'll fix this later
if Herbert hasn't fixed it.


* Re: panic with 2.6.37-rc1
From: Tom Gundersen @ 2010-11-03 22:42 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: LKML, netdev, David Miller
In-Reply-To: <1288822281.2718.30.camel@edumazet-laptop>

On Wed, Nov 3, 2010 at 11:11 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Wednesday 03 November 2010 at 23:02 +0100, Tom Gundersen wrote:
>> I get panic during boot both with 2.6.37-rc1 and with current head.
>>
>> Here is the error message:
>> <http://www.lix.polytechnique.fr/~tom/2.6.37-rc1-panic.jpg>. My
>> .config is below.
>>
>> Let me know if you want more info. If you want I can test patches or
>> bisect (if no one has any better suggestions).
>>
>
> Please test following patch, thanks
>
> [PATCH] atl1 : fix panic on load
>
> It's now illegal to call netif_stop_queue() before register_netdev()
>
> Reported-by: Tom Gundersen <teg@jklm.no>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> ---
>  drivers/net/atlx/atl1.c |    1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/drivers/net/atlx/atl1.c b/drivers/net/atlx/atl1.c
> index 43579b3..5336310 100644
> --- a/drivers/net/atlx/atl1.c
> +++ b/drivers/net/atlx/atl1.c
> @@ -3043,7 +3043,6 @@ static int __devinit atl1_probe(struct pci_dev *pdev,
>        atl1_pcie_patch(adapter);
>        /* assume we have no link for now */
>        netif_carrier_off(netdev);
> -       netif_stop_queue(netdev);
>
>        setup_timer(&adapter->phy_config_timer, atl1_phy_config,
>                    (unsigned long)adapter);
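Review bot: the log should cite the commit that made netif_stop_queue() before register_netdev() illegal and, since there is a Reported-by line, could include the reporter's panic message, so that the one-line removal in atl1_probe() stays traceable for anyone bisecting later.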
>
>

The patch solves the problem. Thanks!

Tom


* Re: [PATCH 2/4] Ethtool: convert get_sg/set_sg calls to hw_features flag
From: Matt Carlson @ 2010-11-03 22:42 UTC (permalink / raw)
  To: Michał Mirosław
  Cc: Matthew Carlson, netdev@vger.kernel.org,
	e1000-devel@lists.sourceforge.net, Steve Glendinning,
	Greg Kroah-Hartman, Rasesh Mody, Debashis Dutt, Kristoffer Glembo,
	linux-driver@qlogic.com, linux-net-drivers@solarflare.com
In-Reply-To: <20101103222910.GA24320@rere.qmqm.pl>

On Wed, Nov 03, 2010 at 03:29:10PM -0700, Michał Mirosław wrote:
> On Mon, Nov 01, 2010 at 07:24:38PM -0700, Matt Carlson wrote:
> > On Fri, Oct 29, 2010 at 09:28:26PM -0700, Michał Mirosław wrote:
> > > diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
> > > index 30ccbb6..b07e2d1 100644
> > > --- a/drivers/net/tg3.c
> > > +++ b/drivers/net/tg3.c
> > > @@ -11306,7 +11306,6 @@ static const struct ethtool_ops tg3_ethtool_ops = {
> > >         .get_rx_csum            = tg3_get_rx_csum,
> > >         .set_rx_csum            = tg3_set_rx_csum,
> > >         .set_tx_csum            = tg3_set_tx_csum,
> > > -       .set_sg                 = ethtool_op_set_sg,
> > >         .set_tso                = tg3_set_tso,
> > >         .self_test              = tg3_self_test,
> > >         .get_strings            = tg3_get_strings,
> > > @@ -14681,6 +14680,7 @@ static int __devinit tg3_init_one(struct pci_dev *pdev,
> > >         tp->rx_pending = TG3_DEF_RX_RING_PENDING;
> > >         tp->rx_jumbo_pending = TG3_DEF_RX_JUMBO_RING_PENDING;
> > > 
> > > +       dev->hw_features |= NETIF_F_SG;
> > Scatter-gather should not be enabled if TG3_FLAG_BROKEN_CHECKSUMS is set.  I
> > would do the following instead:
> > 
> > 	if (!(tp->tg3_flags & TG3_FLAG_BROKEN_CHECKSUMS))
> > 		dev->hw_features |= NETIF_F_SG;
> > 
> > TG3_FLAG_BROKEN_CHECKSUMS is set in tg3_get_invariants(), so this code
> > would need to be placed later than that function call.
> 
> This bug is there now, so I'll queue this as all other hints of existent
> bugs that this patch series "uncovers".

How so?  This patch would be introducing the bug.  From tg3_get_invariants:

	if (tp->pci_chip_rev_id == CHIPREV_ID_5700_B0)
		tp->tg3_flags |= TG3_FLAG_BROKEN_CHECKSUMS;
	else {
		unsigned long features = NETIF_F_IP_CSUM | NETIF_F_SG | NETIF_F_GRO;

		tp->tg3_flags |= TG3_FLAG_RX_CHECKSUMS;
		if (tp->tg3_flags3 & TG3_FLG3_5755_PLUS)
			features |= NETIF_F_IPV6_CSUM;
		tp->dev->features |= features;
		vlan_features_add(tp->dev, features);
	}



* Re: [SECURITY] memory corruption in X.25 facilities parsing
From: Andrew Hendry @ 2010-11-03 22:54 UTC (permalink / raw)
  To: Dan Rosenberg; +Cc: netdev, security, stable
In-Reply-To: <AANLkTi=fAMDP-rGZfOcHS0j_J=KSBgxqqbLaQsXxooJn@mail.gmail.com>

On Wed, 2010-11-03 at 12:12 +1100, Andrew Hendry wrote:
> There is an issue here, under select scenarios I can crash systems.
> However the patch doesn't resolve it fully, I think after breaking at
> that point the len and p pointers are messed up before it tries to
> parse the next facility.
> 
> Maybe it should return not break? It should reject/clear such calls.
> I'll start checking if the callers properly handle errors.
> Also should it be if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1),
> because it does the memcpy with p[1] -1
> 
> 
> On Wed, Nov 3, 2010 at 2:02 AM, Dan Rosenberg <drosenberg@vsecurity.com> wrote:
> > I put this together after a quick glance, so if someone knows this code
> > better than I do (i.e. at all), feel free to comment or drop this patch
> > if it's unnecessary.
> >
> > A value of 0 will cause a memcpy() of ULONG_MAX size, destroying the
> > kernel heap.
> >
> > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> >
> > --- linux-2.6.36-rc6.orig/net/x25/x25_facilities.c      2010-09-28 21:01:22.000000000 -0400
> > +++ linux-2.6.36-rc6/net/x25/x25_facilities.c   2010-11-02 10:36:02.827291324 -0400
> > @@ -134,14 +134,14 @@ int x25_parse_facilities(struct sk_buff
> >                case X25_FAC_CLASS_D:
> >                        switch (*p) {
> >                        case X25_FAC_CALLING_AE:
> > -                               if (p[1] > X25_MAX_DTE_FACIL_LEN)
> > +                               if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0)
> >                                        break;
> >                                dte_facs->calling_len = p[2];
> >                                memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
> >                                *vc_fac_mask |= X25_MASK_CALLING_AE;
> >                                break;
> >                        case X25_FAC_CALLED_AE:
> > -                               if (p[1] > X25_MAX_DTE_FACIL_LEN)
> > +                               if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0)
> >                                        break;
> >                                dte_facs->called_len = p[2];
> >                                memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
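Review bot: the added `|| p[1] == 0` guard stops the wrap in `memcpy(..., p[1] - 1)` but still admits `p[1] == 1`, and `break` only leaves the inner switch, so parsing continues after a facility that has just been found malformed; rejecting with a return value the caller can act on (as the reply above proposes) is the safer shape, and the commit message should spell out that `p[1] - 1` is computed as int and converted to size_t, which is where the ULONG_MAX size comes from.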
> >
> >
> >

How does this look? It appears to fix it for the cases I could test.

Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com>

diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 771bab0..3a8c4c4 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
 		case X25_FAC_CLASS_D:
 			switch (*p) {
 			case X25_FAC_CALLING_AE:
-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
-					break;
+				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+					return 0;
 				dte_facs->calling_len = p[2];
 				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
 				*vc_fac_mask |= X25_MASK_CALLING_AE;
 				break;
 			case X25_FAC_CALLED_AE:
-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
-					break;
+				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+					return 0;
 				dte_facs->called_len = p[2];
 				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
 				*vc_fac_mask |= X25_MASK_CALLED_AE;
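Review bot: with `return 0` as the only error indication from x25_parse_facilities(), every caller must treat a return of 0 as a rejection; the patch adjusts one caller (x25_state1_machine in x25_in.c), and since the thread above says the check of the other callers was still pending, the commit message should state whether each of them was reviewed for a 0 return.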
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 6317896..1d80e10 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
 						&x25->vc_facil_mask);
 			if (len > 0)
 				skb_pull(skb, len);
+			else 
+				return -1;
 			/*
 			 *	Copy any Call User Data.
 			 */
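Review bot: the added `else ` line carries trailing whitespace, and the bare `return -1` deserves a comment saying the call is being rejected because the facilities field could not be parsed; the log should also state what happens to the skb and the connection on this new early return, since the surrounding code (skb_pull followed by copying call user data) assumed a successfully parsed facilities field.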


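As an added illustration of the length arithmetic debated in this thread (not code from the kernel or from either patch): the original guard, the two proposed guards, the memcpy size each would allow through, and a small userland parser for one calling-AE facility that uses the `<= 1` check and returns an error instead of `break`ing. MAX_DTE_FACIL_LEN, the 0xCB facility code and the sample buffers are placeholders constructed for the demo; the `avail` bound check is an extra safeguard added here, not part of the kernel hunks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholder for X25_MAX_DTE_FACIL_LEN; the value is assumed, not taken
 * from the kernel headers. */
#define MAX_DTE_FACIL_LEN 20

/* Size the original code hands to memcpy() for a facility whose length byte
 * is len: p[1] - 1 is evaluated as int, then converted to size_t, so a zero
 * length byte becomes SIZE_MAX (the ULONG_MAX mentioned in the thread). */
size_t memcpy_len_for(unsigned char len)
{
    return (size_t)(len - 1);
}

/* The three guards discussed in the thread. Each returns 1 if the facility
 * would be accepted and the memcpy() performed. */
int accepted_by_original(unsigned char len)
{
    return !(len > MAX_DTE_FACIL_LEN);
}
int accepted_by_eq0_check(unsigned char len)
{
    return !(len > MAX_DTE_FACIL_LEN || len == 0);
}
int accepted_by_le1_check(unsigned char len)
{
    return !(len > MAX_DTE_FACIL_LEN || len <= 1);
}

struct dte_facs_like {
    unsigned char calling_len;
    unsigned char calling_ae[MAX_DTE_FACIL_LEN];
};

/* Parse one class-D calling-AE facility laid out as the kernel code reads it:
 * p[0] facility code, p[1] length of what follows, p[2] address length,
 * p[3..] address digits. Uses the hardened `<= 1` guard and rejects with 0
 * instead of `break`, so a malformed facility stops parsing. Returns the
 * number of bytes consumed, or 0 to reject the call. */
int parse_calling_ae(const unsigned char *p, size_t avail, struct dte_facs_like *out)
{
    if (avail < 2)
        return 0;
    unsigned char len = p[1];
    if (len > MAX_DTE_FACIL_LEN || len <= 1)
        return 0;
    if (avail < (size_t)2 + len)        /* payload must really be present */
        return 0;
    out->calling_len = p[2];
    memcpy(out->calling_ae, &p[3], len - 1);   /* len - 1 >= 1 here, never wraps */
    return 2 + len;
}

int main(void)
{
    /* Constructed facility: code 0xCB (placeholder), length 4,
     * address length 3, digits "123". */
    const unsigned char good[] = { 0xCB, 4, 3, '1', '2', '3' };
    /* Constructed malformed facility with a zero length byte. */
    const unsigned char zero_len[] = { 0xCB, 0, 3, '1', '2', '3' };
    struct dte_facs_like facs;

    printf("len=0: original guard accepts=%d, memcpy size would be %zu\n",
           accepted_by_original(0), memcpy_len_for(0));
    printf("good facility consumed %d bytes\n",
           parse_calling_ae(good, sizeof good, &facs));
    printf("zero-length facility consumed %d bytes (0 = rejected)\n",
           parse_calling_ae(zero_len, sizeof zero_len, &facs));
    return 0;
}
```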


* Re: [PATCH 5/5] ipv4: netfilter: ip_tables: fix information leak to userland
From: Jan Engelhardt @ 2010-11-03 22:55 UTC (permalink / raw)
  To: kaber; +Cc: davem, netfilter-devel, netdev
In-Reply-To: <1288822372-21245-6-git-send-email-kaber@trash.net>

On Wednesday 2010-11-03 23:12, kaber@trash.net wrote:

>From: Vasiliy Kulikov <segooon@gmail.com>
>
>Structure ipt_getinfo is copied to userland with the field "name"
>that has the last elements unitialized.  It leads to leaking of
>contents of kernel stack memory.
>
>Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
>Signed-off-by: Patrick McHardy <kaber@trash.net>
>---
> net/ipv4/netfilter/ip_tables.c |    1 +


But then we would also need this:


--------8<-------------
parent 93aa45607748d2ffa73f41a435dced6a2fd90cb5 (v2.6.36-rc3-1020-g93aa456)
commit 8aff3f67fa47f7d3211aea8bbef999554d6f65e5
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Wed Nov 3 23:55:18 2010 +0100

netfilter: ip6_tables: fix information leak to userspace

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/ipv6/netfilter/ip6_tables.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index c683e9e..d13f893 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1137,6 +1137,7 @@ static int get_info(struct net *net, void __user *user,
 			private = &tmp;
 		}
 #endif
+		memset(&info, 0, sizeof(info));
 		info.valid_hooks = t->valid_hooks;
 		memcpy(info.hook_entry, private->hook_entry,
 		       sizeof(info.hook_entry));
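Review bot: the commit message is a bare one-liner; it should carry the same explanation as the ipv4 counterpart (the name field of the info struct is left partly uninitialised before the struct is copied to userspace, leaking kernel stack bytes) and a reference to the ip_tables patch it mirrors, so the two fixes are linked in history.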
-- 
# Created with git-export-patch


* Re: [PATCH 2/4] Ethtool: convert get_sg/set_sg calls to hw_features flag
From: Michał Mirosław @ 2010-11-03 22:58 UTC (permalink / raw)
  To: Matt Carlson
  Cc: netdev@vger.kernel.org, e1000-devel@lists.sourceforge.net,
	Steve Glendinning, Greg Kroah-Hartman, Rasesh Mody, Debashis Dutt,
	Kristoffer Glembo, linux-driver@qlogic.com,
	linux-net-drivers@solarflare.com
In-Reply-To: <20101103224247.GB9869@mcarlson.broadcom.com>

On Wed, Nov 03, 2010 at 03:42:47PM -0700, Matt Carlson wrote:
> On Wed, Nov 03, 2010 at 03:29:10PM -0700, Michał Mirosław wrote:
> > On Mon, Nov 01, 2010 at 07:24:38PM -0700, Matt Carlson wrote:
> > > On Fri, Oct 29, 2010 at 09:28:26PM -0700, Michał Mirosław wrote:
> > > > diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
> > > > index 30ccbb6..b07e2d1 100644
> > > > --- a/drivers/net/tg3.c
> > > > +++ b/drivers/net/tg3.c
> > > > @@ -11306,7 +11306,6 @@ static const struct ethtool_ops tg3_ethtool_ops = {
> > > >         .get_rx_csum            = tg3_get_rx_csum,
> > > >         .set_rx_csum            = tg3_set_rx_csum,
> > > >         .set_tx_csum            = tg3_set_tx_csum,
> > > > -       .set_sg                 = ethtool_op_set_sg,

This is exchanged ...

> > > >         .set_tso                = tg3_set_tso,
> > > >         .self_test              = tg3_self_test,
> > > >         .get_strings            = tg3_get_strings,
> > > > @@ -14681,6 +14680,7 @@ static int __devinit tg3_init_one(struct pci_dev *pdev,
> > > >         tp->rx_pending = TG3_DEF_RX_RING_PENDING;
> > > >         tp->rx_jumbo_pending = TG3_DEF_RX_JUMBO_RING_PENDING;
> > > > 
> > > > +       dev->hw_features |= NETIF_F_SG;

... for this. (This introduces no functional changes, whatsoever.)

> > > Scatter-gather should not be enabled if TG3_FLAG_BROKEN_CHECKSUMS is set.  I
> > > would do the following instead:
> > > 
> > > 	if (!(tp->tg3_flags & TG3_FLAG_BROKEN_CHECKSUMS))
> > > 		dev->hw_features |= NETIF_F_SG;
> > > 
> > > TG3_FLAG_BROKEN_CHECKSUMS is set in tg3_get_invariants(), so this code
> > > would need to be placed later than that function call.
> > 
> > This bug is there now, so I'll queue this as all other hints of existent
> > bugs that this patch series "uncovers".
> 
> How so?  This patch would be introducing the bug.  From tg3_get_invariants:
> 
> 	if (tp->pci_chip_rev_id == CHIPREV_ID_5700_B0)
> 		tp->tg3_flags |= TG3_FLAG_BROKEN_CHECKSUMS;
> 	else {
> 		unsigned long features = NETIF_F_IP_CSUM | NETIF_F_SG | NETIF_F_GRO;
> 
> 		tp->tg3_flags |= TG3_FLAG_RX_CHECKSUMS;
> 		if (tp->tg3_flags3 & TG3_FLG3_5755_PLUS)
> 			features |= NETIF_F_IPV6_CSUM;
> 		tp->dev->features |= features;
> 		vlan_features_add(tp->dev, features);
> 	}

Actually this is hidden anyway, because currently scatter-gather depends
on checksumming offload. So the SG won't be enabled based on check left
in ethtool_set_sg().

Note, that hw_features flags enable toggling of the offloads but don't
enable them unless requested by a user later.

Best Regards,
Michał Mirosław


* Re: tap0 device stopped working in 2.6.36 (ok in 2.6.35)
From: Nolan Leake @ 2010-11-03 23:10 UTC (permalink / raw)
  To: Jim; +Cc: netdev
In-Reply-To: <4CC84EAD.7040506@xs4all.nl>

On Wed, 2010-10-27 at 18:09 +0200, Jim wrote:
> Not exactly, VirtualBox calls it "bridged adapter", it 'bridges' the
> guest machine to the tap0 interface on the host for so called host-only
> networking.
> See eg. http://forums.virtualbox.org/viewtopic.php?f=1&t=165
> 
> And this sequence is now simply failing
>   tunctl -t tap0 -u tuxuser
>   ifconfig tap0 10.0.0.1 up

Jim,

Could you do me a favor and try this sequence:
  tunctl -t tap0 -u tuxuser
  <run virtualbox such that it attaches to tap0>
  ifconfig tap0 10.0.0.1 up

Thanks,
 - nolan


* Re: Linux 2.6.37-rc1 (net/sched: cls_cgroup)
From: Herbert Xu @ 2010-11-03 23:31 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Randy Dunlap, Linus Torvalds, Jamal Hadi Salim, Thomas Graf,
	Linux Kernel Mailing List, netdev, Ben Blum
In-Reply-To: <1288821677.2718.27.camel@edumazet-laptop>

On Wed, Nov 03, 2010 at 11:01:17PM +0100, Eric Dumazet wrote:
>
> commits 8e039d84b323c450 
> (cgroups: net_cls as module)
> 
> followed by commit f845172531f
> (cls_cgroup: Store classid in struct sock)

Indeed, it looks like the tree I worked on didn't have the first
patch applied for some reason.

Anyway, this patch should fix the problem.  Thanks Eric!

cls_cgroup: Fix crash on module unload

Somewhere along the lines net_cls_subsys_id became a macro when
cls_cgroup is built as a module.  Not only did it make cls_cgroup
completely useless, it also causes it to crash on module unload.

This patch fixes this by removing that macro.

Thanks to Eric Dumazet for diagnosing this problem.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index 37dff78..d49c40f 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -34,8 +34,6 @@ struct cgroup_subsys net_cls_subsys = {
 	.populate	= cgrp_populate,
 #ifdef CONFIG_NET_CLS_CGROUP
 	.subsys_id	= net_cls_subsys_id,
-#else
-#define net_cls_subsys_id net_cls_subsys.subsys_id
 #endif
 	.module		= THIS_MODULE,
 };
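Review bot: the hunk only deletes the `#define net_cls_subsys_id net_cls_subsys.subsys_id` alias; every remaining use of net_cls_subsys_id in the !CONFIG_NET_CLS_CGROUP (module) build, such as the `net_cls_subsys_id = -1` store in exit_cgroup_cls() quoted earlier in the thread, now needs a real variable, and the log should say where that variable is declared so reviewers can confirm the module build still compiles and no longer writes -1 into net_cls_subsys.subsys_id.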

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [SECURITY] memory corruption in X.25 facilities parsing
From: Dan Rosenberg @ 2010-11-03 23:44 UTC (permalink / raw)
  To: Andrew Hendry; +Cc: netdev, security, stable
In-Reply-To: <1288824893.1858.5.camel@jaunty>

Looks good to me.  Thanks for the quick turnaround.

-Dan

On Thu, 2010-11-04 at 09:54 +1100, Andrew Hendry wrote:
> On Wed, 2010-11-03 at 12:12 +1100, Andrew Hendry wrote:
> > There is an issue here, under select scenarios I can crash systems.
> > However the patch doesn't resolve it fully, I think after breaking at
> > that point the len and p pointers are messed up before it tries to
> > parse the next facility.
> > 
> > Maybe it should return not break? It should reject/clear such calls.
> > I'll start checking if the callers properly handle errors.
> > Also should it be if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1),
> > because it does the memcpy with p[1] -1
> > 
> > 
> > On Wed, Nov 3, 2010 at 2:02 AM, Dan Rosenberg <drosenberg@vsecurity.com> wrote:
> > > I put this together after a quick glance, so if someone knows this code
> > > better than I do (i.e. at all), feel free to comment or drop this patch
> > > if it's unnecessary.
> > >
> > > A value of 0 will cause a memcpy() of ULONG_MAX size, destroying the
> > > kernel heap.
> > >
> > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> > >
> > > --- linux-2.6.36-rc6.orig/net/x25/x25_facilities.c      2010-09-28 21:01:22.000000000 -0400
> > > +++ linux-2.6.36-rc6/net/x25/x25_facilities.c   2010-11-02 10:36:02.827291324 -0400
> > > @@ -134,14 +134,14 @@ int x25_parse_facilities(struct sk_buff
> > >                case X25_FAC_CLASS_D:
> > >                        switch (*p) {
> > >                        case X25_FAC_CALLING_AE:
> > > -                               if (p[1] > X25_MAX_DTE_FACIL_LEN)
> > > +                               if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0)
> > >                                        break;
> > >                                dte_facs->calling_len = p[2];
> > >                                memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
> > >                                *vc_fac_mask |= X25_MASK_CALLING_AE;
> > >                                break;
> > >                        case X25_FAC_CALLED_AE:
> > > -                               if (p[1] > X25_MAX_DTE_FACIL_LEN)
> > > +                               if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0)
> > >                                        break;
> > >                                dte_facs->called_len = p[2];
> > >                                memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
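Review bot: the added `p[1] == 0` test does stop the `p[1] - 1` underflow that turns the memcpy length into ULONG_MAX, but the `break` it leads to only leaves the inner `switch (*p)`, so a malformed facility is skipped rather than rejected; as the reply above notes, parsing then continues with the next facility using `p` and `len` derived from the bad length byte. Returning an error from x25_parse_facilities and having the callers drop the call would be the safer shape, and the commit message should state that the parser keeps going after the check. Worth confirming in the surrounding code as well that `p[1]` is bounded by the bytes remaining in the skb, since within this hunk the only bound on it is X25_MAX_DTE_FACIL_LEN (the size of the destination, not of the input).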
> > >
> > >
> > >
> 
> How does this look? It appears to fix it for the cases I could test.
> 
> Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com>
> 
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 771bab0..3a8c4c4 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
>  		case X25_FAC_CLASS_D:
>  			switch (*p) {
>  			case X25_FAC_CALLING_AE:
> -				if (p[1] > X25_MAX_DTE_FACIL_LEN)
> -					break;
> +				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
> +					return 0;
>  				dte_facs->calling_len = p[2];
>  				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
>  				*vc_fac_mask |= X25_MASK_CALLING_AE;
>  				break;
>  			case X25_FAC_CALLED_AE:
> -				if (p[1] > X25_MAX_DTE_FACIL_LEN)
> -					break;
> +				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
> +					return 0;
>  				dte_facs->called_len = p[2];
>  				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
>  				*vc_fac_mask |= X25_MASK_CALLED_AE;
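Review bot: `return 0` turns a bad length into a parse failure, which is the right direction, but it makes 0 a distinguished error value of x25_parse_facilities, so every caller must now check for it; the x25_in.c hunk below covers only x25_state1_machine, and the reply above says the other callers still need auditing, so any other path that invokes the parser needs the same treatment before this is complete. Also, `p[1] <= 1` rejects a one-byte parameter, where the memcpy would copy `p[1] - 1 == 0` bytes and `calling_len = p[2]` would still be read; if that case is meant to be invalid, a one-line comment saying so would help the next reader understand why the bound is `<= 1` rather than `== 0`.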
> diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
> index 6317896..1d80e10 100644
> --- a/net/x25/x25_in.c
> +++ b/net/x25/x25_in.c
> @@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
>  						&x25->vc_facil_mask);
>  			if (len > 0)
>  				skb_pull(skb, len);
> +			else 
> +				return -1;
>  			/*
>  			 *	Copy any Call User Data.
>  			 */
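Review bot: `return -1` introduces a new return value for x25_state1_machine, and the hunk does not show how the caller interprets a nonzero return; if the caller treats any nonzero value as "skb was queued", the skb is never freed on this error path, so confirm the skb is released (or return whatever the caller already expects for a dropped frame). Minor style point: the added `else ` line carries trailing whitespace, which checkpatch will flag.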




* Re: [RFC 0/3] MPEG2/TS drop analyzer iptables match extension
From: Jan Engelhardt @ 2010-11-04  0:16 UTC (permalink / raw)
  To: Jesper Dangaard Brouer
  Cc: Netfilter Developers, paulmck, Eric Dumazet, netdev
In-Reply-To: <Pine.LNX.4.64.1010191608080.18708@ask.diku.dk>

On Tuesday 2010-10-19 16:21, Jesper Dangaard Brouer wrote:
>
> This is my iptables match module for analyzing IPTV MPEG2/TS streams.
> Currently it only detects dropped packets, but I want to extend it for
> analyzing jitter and bursts.
>
> Jan Engelhardt convinced me that I should just send the module as-is
> for review on the list.  I wrote the code in 2009, and have only done
> some minor changes to make it work on kernel 2.6.35 since.

This now lives in the mp2t branch (since NFWS already actually) of xt-a, 
and I have taken the liberty to start updating it to higher standards. 
Please watch that branch, as I don't have any MPEG equipment around me 
to do runtime tests.


* Re: [regression, 2.6.37-rc1] 'ip link tap0 up' stuck in do_exit()
From: Dave Chinner @ 2010-11-04  0:21 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: linux-kernel, netdev
In-Reply-To: <20101103112936.GB9169@dastard>

On Wed, Nov 03, 2010 at 10:29:36PM +1100, Dave Chinner wrote:
> On Wed, Nov 03, 2010 at 09:34:48PM +1100, Dave Chinner wrote:
> > On Wed, Nov 03, 2010 at 08:13:22AM +0100, Eric Dumazet wrote:
> > > Le mercredi 03 novembre 2010 à 17:26 +1100, Dave Chinner a écrit :
> > > > Folks,
> > > > 
> > > > Starting up KVM on a current mainline kernel using the tap
> > > > device for the networking is resulting in the ip process trying to
> > > > up the tap interface hanging. KVM is started with this networking
> > > > config:
> > > > 
> > > > ....
> > > >         -net nic,vlan=0,macaddr=00:e4:b6:63:63:6d,model=virtio \
> > > >         -net tap,vlan=0,script=/vm-images/qemu-ifup,downscript=no \
> > > > ....
> > > > 
> > > > And the script is effectively:
> > > > 
> > > > switch=br0
> > > > if [ -n "$1" ];then
> > > >         /usr/bin/sudo /sbin/ip link set $1 up
> > > >         sleep 0.5s
> > > >         /usr/bin/sudo /usr/sbin/brctl addif $switch $1
> > > > 	exit 0
> > > > fi
> > > > exit 1
> > > > 
> > > > This is resulting in the command 'ip link set tap0 up' hanging as a zombie:
> > > > 
> > > > root      3005     1  0 16:53 pts/3    00:00:00 /bin/sh /vm-images/qemu-ifup tap0
> > > > root      3011  3005  0 16:53 pts/3    00:00:00 /usr/bin/sudo /sbin/ip link set tap0 up
> > > > root      3012  3011  0 16:53 pts/3    00:00:00 [ip] <defunct>
> > > > 
> > > > In do_exit() with this trace:
> > > > 
> > > > [ 1630.782255] ip            x ffff88063fcb3600     0  3012   3011 0x00000000
> > > > [ 1630.789121]  ffff880631328000 0000000000000046 0000000000000000 ffff880633104380
> > > > [ 1630.796524]  0000000000013600 ffff88062f031fd8 0000000000013600 0000000000013600
> > > > [ 1630.803925]  ffff8806313282d8 ffff8806313282e0 ffff880631328000 0000000000013600
> > > > [ 1630.811324] Call Trace:
> > > > [ 1630.813760]  [<ffffffff8104a90d>] ? do_exit+0x716/0x724
> > > > [ 1630.818964]  [<ffffffff8104a995>] ? do_group_exit+0x7a/0xa4
> > > > [ 1630.824512]  [<ffffffff8104a9d1>] ? sys_exit_group+0x12/0x16
> > > > [ 1630.830149]  [<ffffffff81009a82>] ? system_call_fastpath+0x16/0x1b
> > > > 
> > > > The address comes down to the schedule() call:
> > > > 
> > > > (gdb) l *(do_exit+0x716)
> > > > 0xffffffff8104a90d is in do_exit (kernel/exit.c:1034).
> > > > 1029            preempt_disable();
> > > > 1030            exit_rcu();
> > > > 1031            /* causes final put_task_struct in finish_task_switch(). */
> > > > 1032            tsk->state = TASK_DEAD;
> > > > 1033            schedule();
> > > > 1034            BUG();
> > > > 1035            /* Avoid "noreturn function does return".  */
> > > > 1036            for (;;)
> > > > 1037                    cpu_relax();    /* For when BUG is null */
> > > > 1038    }
> > > > 
> > > > Needless to say, KVM is not starting up. This works just fine on
> > > > 2.6.35.1 and so is a regression. I can't do a lot of testing on this as
> > > > the host is the machine that hosts all my build and test environments....
> > > > 
> > > > Cheers,
> > > > 
> > > > Dave.
> > > 
> > > Could it be the same problem as
> > > 
> > > http://kerneltrap.com/mailarchive/linux-netdev/2010/10/23/6288128
> > > 
> > > Try to revert bee31369ce16fc3898ec9a54161248c9eddb06bc ?
> > 
> > It's working fine on 2.6.36 right now, so it's something that came in
> > with the .37 merge cycle...
> 
> Actually, the machine isn't running a 2.6.36 kernel (it had booted
> to the working .35 kernel and I didn't notice). So I've just tested
> a 2.6.36 kernel, and the problem _is present_ in 2.6.36. I've
> reverted the above commit but that does not fix the problem.

Ok, so further investigation has shown I can reproduce this on
2.6.32 and 2.6.35. It's not a new bug, nor do I think that it is
a networking bug as it is not specific to the ip command.

The trigger for the problem is actually an upgrade of the sudo
package in debian unstable which changed the behaviour of sudo (has
some per-login/pty restriction on it now). Basically, the startup
script I'm running does:

sudo kvm .....

which then executes the qemu-ifup bash script which does:

	sudo ip ....
	sudo brctl ...

because at one point KVM did not create the tap device automatically
and so kvm could be run as a user with only the ifup script
requiring privileges to create the tap device and mark it up. When
KVM started creating the tap device, I added the sudo to the KVM
script, and everything worked again.

Now if I take the 'sudo' out of the ifup script, the hang goes away.
I first removed it from the ip command, and then the brctl command
hung in the same way the ip command was hanging. Hence my thoughts
that it is not directly related to networking utilities.
Unfortunately, it is not trivial to reproduce as I could only
trigger it through this kvm method, not on the command line. e.g:

$ sudo bash -c "sudo ip link set tap1 up"

does not hang.

This sudo package upgrade coincided with kernel upgrades, and so
that led to my confusion about where it occurred and what triggered
it.  Still, it appears to be a bug that has been around for some
time.....

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com


* Re: [net-next-2.6 PATCH 1/3] 8021q: set hard_header_len when VLAN offload features are toggled
From: Jesse Gross @ 2010-11-04  0:46 UTC (permalink / raw)
  To: John Fastabend; +Cc: davem, netdev
In-Reply-To: <20101031002232.8691.41201.stgit@jf-dev1-dcblab>

On Sat, Oct 30, 2010 at 5:22 PM, John Fastabend
<john.r.fastabend@intel.com> wrote:
> Toggling the vlan tx|rx hw offloads needs to set the hard_header_len
> as well otherwise we end up using LL_RESERVED_SPACE incorrectly.
> This results in pskb_expand_head() being used unnecessarily.
>
> Signed-off-by: John Fastabend <john.r.fastabend@intel.com>

Acked-by: Jesse Gross <jesse@nicira.com>


* Re: [net-next-2.6 PATCH 2/3] net: remove check for headroom in vlan_dev_create
From: Jesse Gross @ 2010-11-04  0:46 UTC (permalink / raw)
  To: John Fastabend; +Cc: davem, netdev
In-Reply-To: <20101031002237.8691.6266.stgit@jf-dev1-dcblab>

On Sat, Oct 30, 2010 at 5:22 PM, John Fastabend
<john.r.fastabend@intel.com> wrote:
> It is possible for the headroom to be smaller then the
> hard_header_len for a short period of time after toggling
> the vlan offload setting.
>
> This is not a hard error and skb_cow_head is called in
> __vlan_put_tag() to resolve this.
>
> Signed-off-by: John Fastabend <john.r.fastabend@intel.com>

Acked-by: Jesse Gross <jesse@nicira.com>


* Re: [net-next-2.6 PATCH 3/3] net: consolidate 8021q tagging
From: Jesse Gross @ 2010-11-04  0:47 UTC (permalink / raw)
  To: John Fastabend; +Cc: davem, netdev
In-Reply-To: <20101031002242.8691.38060.stgit@jf-dev1-dcblab>

On Sat, Oct 30, 2010 at 5:22 PM, John Fastabend
<john.r.fastabend@intel.com> wrote:
> Now that VLAN packets are tagged in dev_hard_start_xmit()
> at the bottom of the stack we no longer need to tag them
> in the 8021Q module (Except in the !VLAN_FLAG_REORDER_HDR
> case).
>
> This allows the accel path and non accel paths to be consolidated.
> Here the vlan_tci in the skb is always set and we allow the
> stack to add the actual tag in dev_hard_start_xmit().
>
> Signed-off-by: John Fastabend <john.r.fastabend@intel.com>

Acked-by: Jesse Gross <jesse@nicira.com>

Thanks John.


* Re: [RFC][net-next-2.6 PATCH 2/4] net: 8021Q consolidate header_ops routines
From: Jesse Gross @ 2010-11-04  0:47 UTC (permalink / raw)
  To: John Fastabend; +Cc: netdev
In-Reply-To: <20101021221010.22906.60238.stgit@jf-dev1-dcblab>

On Thu, Oct 21, 2010 at 3:10 PM, John Fastabend
<john.r.fastabend@intel.com> wrote:
> The only thing the 8021Q header ops routines are required
> for is the VLAN_FLAG_REORDER_HDR otherwise by the time
> the VLAN tag has been added the packet is already on
> its way down the stack. In this case using the Ethernet
> ops works OK.
>
> At present the VLAN_FLAG_REORDER_HDR flag does not work
> with vlan offloads. As I understand the flag the intent
> is to allow taps on the vlan device and possibly the
> QOS layer to see the vlan tag info.
>
> By inserting the tag in vlan_tci any taps or QOS policies
> should be able to retrieve the vlan info. This allows
> the flag to work the same in both the offload case and
> non-offloaded case. And allows us to use the underlying
> ethernet ops.
>
> Signed-off-by: John Fastabend <john.r.fastabend@intel.com>

I noticed that you dropped this patch from your most recent series, so
I went back to take a look at it.  I realized that it probably works
inconsistently since header caching doesn't take into account
skb->vlan_tci, so whether you see the tag depends on the state of the
cache.

It would be really good to have this type of code consolidation, both
for the sake of sanity and to eliminate the inconsistent behavior.  We
could do that by either not using header caching or making it work
with vlan offloading somehow.  However, I'm not sure that there's
really much point in that.  VLAN_FLAG_REORDER_HDR doesn't work with
cards that do vlan offloading, which is a pretty significant number of
them.  It similarly works inconsistently on the rx side.  So it's
broken most of the time and worse, the behavior changes depending on
the NIC (and now the ethtool setting).  Can we just eliminate it?


* Re: Linux 2.6.37-rc1 (net/sched: cls_cgroup)
From: Li Zefan @ 2010-11-04  1:46 UTC (permalink / raw)
  To: Herbert Xu
  Cc: Eric Dumazet, Randy Dunlap, Linus Torvalds, Jamal Hadi Salim,
	Thomas Graf, Linux Kernel Mailing List, netdev, Ben Blum
In-Reply-To: <20101103233105.GA26124@gondor.apana.org.au>

>> commits 8e039d84b323c450 
>> (cgroups: net_cls as module)
>>
>> followed by commit f845172531f
>> (cls_cgroup: Store classid in struct sock)
> 
> Indeed, it looks like the tree I worked on didn't have the first
> patch applied for some reason.
> 

The first patch was merged in .34, and the second one .35, and
from the changelog and the diff, it seems you did know cls_cgroup
can be a module. ;)

> Anyway, this patch should fix the problem.  Thanks Eric!
> 
> cls_cgroup: Fix crash on module unload
> 
> Somewhere along the lines net_cls_subsys_id became a macro when
> cls_cgroup is built as a module.  Not only did it make cls_cgroup
> completely useless, it also causes it to crash on module unload.
> 
> This patch fixes this by removing that macro.
> 
> Thanks to Eric Dumazet for diagnosing this problem.
> 
> Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 

Reviewed-by: Li Zefan <lizf@cn.fujitsu.com>

> diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
> index 37dff78..d49c40f 100644
> --- a/net/sched/cls_cgroup.c
> +++ b/net/sched/cls_cgroup.c
> @@ -34,8 +34,6 @@ struct cgroup_subsys net_cls_subsys = {
>  	.populate	= cgrp_populate,
>  #ifdef CONFIG_NET_CLS_CGROUP
>  	.subsys_id	= net_cls_subsys_id,
> -#else
> -#define net_cls_subsys_id net_cls_subsys.subsys_id
>  #endif
>  	.module		= THIS_MODULE,
>  };
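Review bot: dropping the `#else` branch removes the macro that aliased net_cls_subsys_id to net_cls_subsys.subsys_id for the modular build, but the hunk does not show what net_cls_subsys_id now resolves to when CONFIG_NET_CLS_CGROUP is unset; the commit message should name the variable that carries the id in the module case so a reader can confirm every use in the file picks it up. "Somewhere along the lines ... became a macro" also leaves the crash mechanism implicit; one sentence on why the alias breaks module unload would make the -stable justification self-contained.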
> 
> Cheers,


* Re: [PATCH] de2104x: fix panic on load
From: David Miller @ 2010-11-04  1:54 UTC (permalink / raw)
  To: eric.dumazet; +Cc: netdev
In-Reply-To: <1288823132.2718.32.camel@edumazet-laptop>

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 03 Nov 2010 23:25:32 +0100

> It's now illegal to call netif_stop_queue() before register_netdev()
> 
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Applied.


* Re: [PATCH 0/5] netfilter: netfilter fixes
From: David Miller @ 2010-11-04  1:54 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel, netdev
In-Reply-To: <1288822372-21245-1-git-send-email-kaber@trash.net>

From: kaber@trash.net
Date: Wed,  3 Nov 2010 23:12:47 +0100

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot Patrick.


* Re: panic with 2.6.37-rc1
From: David Miller @ 2010-11-04  1:54 UTC (permalink / raw)
  To: teg; +Cc: eric.dumazet, linux-kernel, netdev
In-Reply-To: <AANLkTimY+cC=bu6LDb_e-Qbghd-F0RNZejhKaeXJWbY7@mail.gmail.com>

From: Tom Gundersen <teg@jklm.no>
Date: Wed, 3 Nov 2010 23:42:02 +0100

> On Wed, Nov 3, 2010 at 11:11 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> Le mercredi 03 novembre 2010 à 23:02 +0100, Tom Gundersen a écrit :
>>> I get panic during boot both with 2.6.37-rc1 and with current head.
>>>
>>> Here is the error message:
>>> <http://www.lix.polytechnique.fr/~tom/2.6.37-rc1-panic.jpg>. My
>>> .config is below.
>>>
>>> Let me know if you want more info. If you want I can test patches or
>>> bisect (if no one has any better suggestions).
>>>
>>
>> Please test following patch, thanks
>>
>> [PATCH] atl1 : fix panic on load
>>
>> It's now illegal to call netif_stop_queue() before register_netdev()
>>
>> Reported-by: Tom Gundersen <teg@jklm.no>
>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
 ...
> The patch solves the problem. Thanks!

Applied, thanks everyone.


* Re: [PATCH 5/5] ipv4: netfilter: ip_tables: fix information leak to userland
From: David Miller @ 2010-11-04  1:55 UTC (permalink / raw)
  To: jengelh; +Cc: kaber, netfilter-devel, netdev
In-Reply-To: <alpine.LNX.2.01.1011032355020.31351@obet.zrqbmnf.qr>

From: Jan Engelhardt <jengelh@medozas.de>
Date: Wed, 3 Nov 2010 23:55:58 +0100 (CET)

> netfilter: ip6_tables: fix information leak to userspace
> 
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

Good catch, applied, thanks Jan.


* Re: Linux 2.6.37-rc1 (net/sched: cls_cgroup)
From: David Miller @ 2010-11-04  1:56 UTC (permalink / raw)
  To: herbert
  Cc: eric.dumazet, randy.dunlap, torvalds, hadi, tgraf, linux-kernel,
	netdev, bblum
In-Reply-To: <20101103233105.GA26124@gondor.apana.org.au>

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Wed, 3 Nov 2010 18:31:05 -0500

> cls_cgroup: Fix crash on module unload
> 
> Somewhere along the lines net_cls_subsys_id became a macro when
> cls_cgroup is built as a module.  Not only did it make cls_cgroup
> completely useless, it also causes it to crash on module unload.
> 
> This patch fixes this by removing that macro.
> 
> Thanks to Eric Dumazet for diagnosing this problem.
> 
> Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied, and queued up for -stable, thanks everyone!
