[PATCH] inet: sanitize socket() protocol value

2015-12-16 Thread Vegard Nossum
_SYSCALL_64_fastpath+0x12/0x71 Code: Bad RIP value. RIP [< (null)>] (null) RSP CR2: ---[ end trace bd60b4fe2edc2537 ]--- Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> Cc: Eric Dumazet <eduma...@google.com> Cc: <

Re: [PATCH] inet: sanitize socket() protocol value

2015-12-16 Thread Vegard Nossum
On 12/17/2015 02:01 AM, Eric Dumazet wrote: On Wed, Dec 16, 2015 at 4:57 PM, Vegard Nossum <vegard.nos...@oracle.com> wrote: If you create a raw socket with a protocol of e.g. 0x1, then inet_sk(sk)->inet_num will get set to 0 since it only has room for 16 bits. This causes problem

Re: [PATCH] decnet: fix possible NULL deref in dnet_select_source()

2015-12-17 Thread Vegard Nossum
On 7 April 2014 at 21:18, David Miller wrote: > From: Eric Dumazet > Date: Sun, 06 Apr 2014 14:59:14 -0700 > >> From: Eric Dumazet >> >> dnet_select_source() should make sure dn_ptr is not NULL. >> >> While looking at this decnet

[PATCH] phy: add HAS_IOMEM/OF_MDIO dependencies to MDIO_OCTEON

2016-01-02 Thread Vegard Nossum
() is defined only when HAS_IOMEM is selected. of_mdiobus_register() is defined only when OF_MDIO is selected. Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> Cc: Florian Fainelli <f.faine...@gmail.com> Cc: netdev@vger.kernel.org --- drivers/net/phy/Kconfig | 2 ++ 1 file changed,

Use-after-free/out-of-bounds in tipc filter_rcv()

2015-12-22 Thread Vegard Nossum
Hi all, On latest linus/master I'm able to trigger the following KASAN warnings: == BUG: KASAN: out-of-bounds in filter_rcv+0xc3/0xa10 at addr 880014b4d680 Read of size 4 by task a.out/992

NULL pointer deref in dccp (inet_csk_listen_start/inet_csk_get_port)

2015-12-20 Thread Vegard Nossum
Hi all, I've been running into the following oops: [ 1128.895622] BUG: unable to handle kernel NULL pointer dereference at (null) [ 1128.896010] IP: [< (null)>] (null) [ 1128.896010] PGD 179ee067 PUD 189b1067 PMD 0 [ 1128.896010] Oops: 0010 [#1] PREEMPT SMP [

[PATCH] dccp: fix use-after-free after cloning struct dccp_sock

2015-12-20 Thread Vegard Nossum
y instead? Anyway, this is a tentative patch that explains the issue and fixes this particular problem -- dccp fuzzing now runs for minutes rather than seconds before encountering a crash. I haven't tested any real world workloads on this patch. Signed-off-by: Vegard Nossum <vegard.nos..

[PATCH] net: mark DECnet as broken

2016-04-07 Thread Vegard Nossum
it fixed anyway. To shield unsuspecting users from the possible DOS, we should mark this BROKEN until somebody who actually uses this code can fix it. Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> Link: https://lkml.org/lkml/2015/12/17/666 Cc: Eric Dumazet <eric.duma...@gmail.com>

Re: [PATCH] xfrm: use printk instead of WARN for bad policy reporting

2016-07-27 Thread Vegard Nossum
On 07/20/2016 02:15 PM, Steffen Klassert wrote: On Wed, Jul 20, 2016 at 10:32:35AM +0200, Vegard Nossum wrote: AFAICT this message is just printed whenever input validation fails. This is a normal failure and we shouldn't be dumping the stack over it. Looks like it was originally a printk

Re: [PATCH] xfrm: use printk instead of WARN for bad policy reporting

2016-07-27 Thread Vegard Nossum
On 07/27/2016 08:31 AM, Herbert Xu wrote: On Wed, Jul 27, 2016 at 08:20:57AM +0200, Vegard Nossum wrote: Here's another patch to remove that too. I don't actually *use* this code myself and I feel the justification I've given for removing the WARN to be a bit weak, so if you don't take

Re: [PATCH] xfrm: use printk instead of WARN for bad policy reporting

2016-07-27 Thread Vegard Nossum
On 07/27/2016 05:01 AM, Herbert Xu wrote: On Wed, Jul 20, 2016 at 01:53:12PM +0200, Vegard Nossum wrote: Just FYI I'm also running into the // reset the timers here? WARN(1, "Don't know what to do with soft policy expire\n"); in xfrm_add_pol_expire() from the same commit, but

[PATCH] net/irda: fix NULL pointer dereference on memory allocation failure

2016-07-22 Thread Vegard Nossum
055b30 ]--- The problem is that irda_open_tsap() can fail and leave self->tsap = NULL, and then irttp_connect_request() almost immediately dereferences it. Cc: sta...@vger.kernel.org Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/irda/af_irda.c | 7 +-- 1 file change

[PATCH] net/sctp: terminate rhashtable walk correctly

2016-07-23 Thread Vegard Nossum
: f2dba9c6 ("rhashtable: Introduce rhashtable_walk_*") Cc: Xin Long <lucien@gmail.com> Cc: Herbert Xu <herb...@gondor.apana.org.au> Cc: sta...@vger.kernel.org Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/sctp/socket.c | 1 + 1 file changed, 1 insertio

[PATCH] tipc: fix NULL pointer dereference in shutdown()

2016-07-23 Thread Vegard Nossum
create() callers. Cc: sta...@vger.kernel.org Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/tipc/socket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/tipc/socket.c b/net/tipc/socket.c index c49b8df..f9f5f3c 100644 --- a/net/tipc/socket.c +++ b/net/t

Re: [PATCH] 9p/trans_virtio: use kvfree() for iov_iter_get_pages_alloc()

2016-08-03 Thread Vegard Nossum
On 07/22/2016 01:12 PM, Vegard Nossum wrote: The memory allocated by iov_iter_get_pages_alloc() can be allocated with vmalloc() if kmalloc() failed -- see get_pages_array(). In that case we need to free it with vfree(), so let's use kvfree(). The bug manifests like this: BUG: unable to handle

[PATCH] net/irda: handle iriap_register_lsap() allocation failure

2016-08-12 Thread Vegard Nossum
ged userspace). I have tested my patch with a reproducer. Cc: sta...@vger.kernel.org Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/irda/iriap.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/irda/iriap.c b/net/irda/iriap.c index 4a7ae32a..1138e

[PATCH RESEND] net/sctp: always initialise sctp_ht_iter::start_fail

2016-08-12 Thread Vegard Nossum
c382d875 ("net/sctp: terminate rhashtable walk correctly"). Cc: Xin Long <lucien@gmail.com> Cc: Herbert Xu <herb...@gondor.apana.org.au> Cc: Eric W. Biederman <ebied...@xmission.com> Cc: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Cc: sta...@vger.kernel.org

Re: [PATCH] tipc: fix NULL pointer dereference in shutdown()

2016-08-12 Thread Vegard Nossum
Hi, I didn't see this patch go in yet. Jon Maloy, ping? Should this go through somebody else? Vegard On 07/23/2016 11:49 AM, Xue, Ying wrote: Acked-by: Ying Xue <ying@windriver.com> -Original Message- From: Vegard Nossum [mailto:vegard.nos...@oracle.com] Sent: Saturday, J

[PATCH] rhashtable: fix shift by 64 when shrinking

2016-08-12 Thread Vegard Nossum
when called with an argument of 0, so let's avoid the call and just fall back to ht->p.min_size (which should never be smaller than HASH_MIN_SIZE). Cc: Herbert Xu <herb...@gondor.apana.org.au> Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- lib/rhashtable.c | 6 --

[PATCH] ieee802154: check device type

2016-07-20 Thread Vegard Nossum
is doing. (Maybe we should even be calling this directly?) Cc: Lennert Buytenhek <buyt...@wantstofly.org> Cc: Alexander Aring <alex.ar...@gmail.com> Cc: Marcel Holtmann <mar...@holtmann.org> Cc: Dmitry Eremin-Solenikov <dbarysh...@gmail.com> Cc: Sergey Lapin <sla...@ossfa

[PATCH] xfrm: use printk instead of WARN for bad policy reporting

2016-07-20 Thread Vegard Nossum
hemminger <shemmin...@vyatta.com> Date: Wed May 12 06:37:06 2010 + xfrm: add severity to printk Cc: Stephen Hemminger <step...@networkplumber.org> Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/xfrm/xfrm_user.c | 2 +- 1 file changed, 1 insertion(+), 1 delet

Re: [PATCH] xfrm: use printk instead of WARN for bad policy reporting

2016-07-20 Thread Vegard Nossum
On 07/20/2016 10:32 AM, Vegard Nossum wrote: AFAICT this message is just printed whenever input validation fails. This is a normal failure and we shouldn't be dumping the stack over it. Looks like it was originally a printk that was maybe incorrectly upgraded to a WARN: commit

Re: [PATCH] net: check for NULL net_device in FIB tables

2016-07-04 Thread Vegard Nossum
On 07/04/2016 11:24 PM, Julian Anastasov wrote: Hello, On Mon, 4 Jul 2016, Vegard Nossum wrote: Alright. Thanks for the review! I can submit a new patch to only check the one place above that actually crashed. Otherwise, if you think it's better to go with your fc_flags suggestion

[PATCH] xfrm: fix crash in XFRM_MSG_GETSA netlink handler

2016-07-05 Thread Vegard Nossum
nly after we've processed the first element and checking this before calling xfrm_state_walk_done(). Fixes: d3623099d3 ("ipsec: add support of limited SA dump") Cc: Nicolas Dichtel <nicolas.dich...@6wind.com> Cc: Steffen Klassert <steffen.klass...@secunet.com> Signed-off-by:

[PATCH] net: fix decnet rtnexthop parsing

2016-07-05 Thread Vegard Nossum
pv4/fib_semantics.c. This fixes the softlockup for me. Cc: Thomas Graf <tg...@suug.ch> Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/decnet/dn_fib.c | 21 - 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/net/decnet/dn_fib.c b/net/decnet

Re: [PATCH net] ipv4: reject RTNH_F_LINKDOWN for incompatible routes

2016-07-09 Thread Vegard Nossum
On 07/09/2016 07:23 PM, Andy Gospodarek wrote: On Sat, Jul 09, 2016 at 12:00:15PM +0300, Julian Anastasov wrote: Vegard Nossum is reporting for a crash in fib_dump_info (fib_nhs==1) when nh_dev = NULL. Problem happens when RTNH_F_LINKDOWN is provided from user space for routes that do not use

Re: [PATCH] net: check for NULL net_device in FIB tables

2016-07-04 Thread Vegard Nossum
On 07/04/2016 02:47 PM, Vegard Nossum wrote: struct fib_nh->nh_dev can be NULL, so we should check it before calling __in_dev_get_rcu on it. That should say __in_dev_get_rtnl(), obviously. Multiple places seem to want this (and check the return value), so we can add a convenience wrap

Re: [PATCH] net: check for NULL net_device in FIB tables

2016-07-04 Thread Vegard Nossum
On 07/04/2016 09:45 PM, Julian Anastasov wrote: Hello, On Mon, 4 Jul 2016, Vegard Nossum wrote: struct fib_nh->nh_dev can be NULL, so we should check it before calling __in_dev_get_rcu on it. Multiple places seem to want this (and check the return value), so we can add a convenie

[PATCH] net/sctp: always initialise sctp_ht_iter::start_fail

2016-07-23 Thread Vegard Nossum
@vger.kernel.org Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/sctp/proc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/sctp/proc.c b/net/sctp/proc.c index 4cb5aed..ef8ba77 100644 --- a/net/sctp/proc.c +++ b/net/sctp/proc.c @@ -293,6 +293,7 @@ static void *sctp_tr

Re: [PATCH] net/sctp: always initialise sctp_ht_iter::start_fail

2016-07-23 Thread Vegard Nossum
On 07/23/2016 03:39 PM, Marcelo Ricardo Leitner wrote: On Sat, Jul 23, 2016 at 11:52:23AM +0200, Vegard Nossum wrote: seq_read() can call ->start() twice on the same iterator more than once (e.g. once through traverse() and once in seq_read() itself). But when traverse() returns the er

[PATCH] RDS: fix rds_tcp_init() error path

2016-07-03 Thread Vegard Nossum
da...@davemloft.net> Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/rds/tcp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/rds/tcp.c b/net/rds/tcp.c index 74ee126..c8a7b4c 100644 --- a/net/rds/tcp.c +++ b/net/rds/tcp.c @@ -616,7 +616,7 @@

[PATCH] net: check for NULL net_device in FIB tables

2016-07-04 Thread Vegard Nossum
S. Miller <da...@davemloft.net> Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- include/linux/inetdevice.h | 7 +++ net/ipv4/fib_semantics.c | 8 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/include/linux/inetdevice.h b/include/linux

[RFC PATCH] net/irda: release sock when waiting in accept()

2016-08-18 Thread Vegard Nossum
connect(), irda_sendmsg(), and irda_getsockopt() as far as I can tell at a glance. I'll start with this patch to see if we're going in the right direction -- it does fix the trinity problem for me, although I haven't tested any real IrDA workloads. Signed-off-by: Vegard Nossum <vegard.nos...@oracle.co

[PATCH] net/irda: remove pointless assignment/check

2016-08-19 Thread Vegard Nossum
ing lock_sock() and release_sock() on different sockets. My conclusion is that these two lines are complete nonsense and only serve to confuse the reader. Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com> --- net/irda/af_irda.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/irda/

Re: net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()

2016-08-23 Thread Vegard Nossum
On 23 August 2016 at 17:05, Joe Perches wrote: > On Tue, 2016-08-23 at 07:21 -0700, Eric Dumazet wrote: >> On Tue, 2016-08-23 at 14:41 +0100, Luis Henriques wrote: >> > From: Avijit Kanti Das >> > >> > memset() the structure ethtool_wolinfo that has