[RFC PATCH linux 0/2] net sched actions: access to uninitialized data and error handling

2017-04-12 Thread Wolfgang Bumiller
---[ end trace 89cb022ec57f7bd1 ]--- Wolfgang Bumiller (2): net sched actions: fix access to uninitialized data net sched actions: fix refcount decrement on error net/sched/act_api.c | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) -- 2.11.0

[PATCH linux 1/2] net sched actions: fix access to uninitialized data

2017-04-12 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- net/sched/act_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/act_api.c b/net/sched/act_api.c index b70aa57319ea..8cc883c063f0 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c @@

[PATCH linux 2/2] net sched actions: fix refcount decrement on error

2017-04-12 Thread Wolfgang Bumiller
->init() then * ACT_P_CREATED is not returned (a zero is). */ Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- Note that I'm unsure about this patch. The hangups weren't very reliable and I couldn't actually reproduce them when building from git/master (as I can only test a

Re: [PATCH v2 net 2/2] net sched actions: decrement module refcount earlier

2017-04-19 Thread Wolfgang Bumiller
> On April 19, 2017 at 1:32 PM Jamal Hadi Salim <j...@mojatatu.com> wrote: > > > On 17-04-19 04:09 AM, Wolfgang Bumiller wrote: > > This solves one issue, but I am afraid the issue Cong mentioned is a > possibility still. > Let's say user did a replace and tr

Re: [PATCH linux 2/2] net sched actions: fix refcount decrement on error

2017-04-13 Thread Wolfgang Bumiller
On Wed, Apr 12, 2017 at 09:27:31PM -0700, Cong Wang wrote: > On Wed, Apr 12, 2017 at 7:21 AM, Wolfgang Bumiller > <w.bumil...@proxmox.com> wrote: > > If memory allocation for nla_memdup_cookie() fails > > module_put has to be guarded by the same condition as it was >

Re: [PATCH linux 2/2] net sched actions: fix refcount decrement on error

2017-04-14 Thread Wolfgang Bumiller
On Thu, Apr 13, 2017 at 11:03:37AM -0700, Cong Wang wrote: > On Thu, Apr 13, 2017 at 1:06 AM, Wolfgang Bumiller > <w.bumil...@proxmox.com> wrote: > > On Wed, Apr 12, 2017 at 09:27:31PM -0700, Cong Wang wrote: > >> Instead of duplicating code, you can add the check >

[PATCH v3 net] net sched actions: allocate act cookie early

2017-04-20 Thread Wolfgang Bumiller
early and assign it on success at the end. CVE-2017-7979 Fixes: 1045ba77a596 ("net sched actions: Add support for user cookies") Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> Acked-by: Jamal Hadi Salim <j...@mojatatu.com> --- This replaces both patches of the previo

Re: [PATCH linux 2/2] net sched actions: fix refcount decrement on error

2017-04-15 Thread Wolfgang Bumiller
> On April 15, 2017 at 8:20 PM Cong Wang <xiyou.wangc...@gmail.com> wrote: > > > On Fri, Apr 14, 2017 at 2:08 AM, Wolfgang Bumiller > <w.bumil...@proxmox.com> wrote: > > Before I do that - trying to wrap my head around the interdependencies > >

[PATCH v2 net 2/2] net sched actions: decrement module refcount earlier

2017-04-18 Thread Wolfgang Bumiller
Whether the reference count has to be decremented depends on whether the policy was created. If TCA_ACT_COOKIE is passed and an error occurs there, the same condition still has to be honored. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> Cc: Jamal Hadi Salim <j...@mojatatu.co

[PATCH v2 net 1/2] net sched actions: fix access to uninitialized data

2017-04-18 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> Acked-by: Cong Wang <xiyou.wangc...@gmail.com> Acked-by: Jamal Hadi Salim <j...@mojatatu.com> --- (same as v1) net/sched/act_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/act

Re: [PATCH v2 net 2/2] net sched actions: decrement module refcount earlier

2017-04-19 Thread Wolfgang Bumiller
> On April 19, 2017 at 8:23 AM Cong Wang wrote: > > > On Tue, Apr 18, 2017 at 7:21 PM, Jamal Hadi Salim wrote: > > Indeed. Allocate the cookie before init? That way, we fail early > > and don't need to worry about restoring anything. > > No,

[PATCH v2 net 0/2] nbyte, cmp and text filter fixups

2018-01-22 Thread Wolfgang Bumiller
Changes: * Fixed up commit message * Removed not really related iproute2 patch from this thread. This fixes an oob read in em_nbyte and allows 'layer 0' in cmp and nbyte and em_text to actually match layer 0 rather than being the same as specifying layer 1. Wolfgang Bumiller (2): net

[PATCH iproute2] tc/lexer: let quotes actually start strings

2018-01-22 Thread Wolfgang Bumiller
-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- (Resent as separate thread) tc/emp_ematch.l | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tc/emp_ematch.l b/tc/emp_ematch.l index dc106759..d7a99304 100644 --- a/tc/emp_ematch.l +++ b/tc/emp_ematch.l @@ -137,7

[PATCH v2 net 1/2] net: sched: em_nbyte: don't add the data offset twice

2018-01-22 Thread Wolfgang Bumiller
'ptr' is shifted by the offset and then validated, the memcmp should not add it a second time. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- No changes in this patch net/sched/em_nbyte.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/em_nby

[PATCH v2 net 2/2] net: sched: fix TCF_LAYER_LINK case in tcf_get_base_ptr

2018-01-22 Thread Wolfgang Bumiller
TCF_LAYER_LINK and TCF_LAYER_NETWORK returned the same pointer as skb->data points to the network header. Use skb_mac_header instead. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- Only change: fixed up commit message Previous comment: Alternatively this could return

Re: [PATCH net-next 1/1] rtnetlink: request RTM_GETLINK by pid or fd

2018-01-23 Thread Wolfgang Bumiller
On Tue, Jan 23, 2018 at 10:30:09AM +0100, Jiri Benc wrote: > On Mon, 22 Jan 2018 23:25:41 +0100, Christian Brauner wrote: > > This is not necessarily true in scenarios where I move a network device > > via RTM_NEWLINK + IFLA_NET_NS_PID into a network namespace I haven't > > created. Here is an

Re: [PATCH iproute2] police: don't skip parameters after actions

2018-01-31 Thread Wolfgang Bumiller
On Mon, Jan 29, 2018 at 08:07:23AM -0800, Stephen Hemminger wrote: > On Mon, 29 Jan 2018 12:13:11 +0100 > Wolfgang Bumiller <w.bumil...@proxmox.com> wrote: > > > The 'parse_action_control()' helper advances the argument > > pointers to past its parsed action al

[PATCH iproute2] police: don't skip parameters after actions

2018-01-29 Thread Wolfgang Bumiller
The 'parse_action_control()' helper advances the argument pointers to past its parsed action already, so don't advance it further in 'act_parse_polic()'. Fixes: e67aba559581 ("tc: actions: add helpers to parse and print control actions") Signed-off-by: Wolfgang Bumiller <w.bumil..

[PATCH net 2/2] net_sched: fix TCF_LAYER_LINK case in tcf_get_base_ptr

2018-01-18 Thread Wolfgang Bumiller
TCF_LAYER_LINK and TCF_LAYER_NETWORK returned the same pointer as skb->data points to the network header. Use skb_mac_header instead. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- Alternatively this could return skb->head directly, but 'sk_buff->mac_header' is docu

[PATCH net 1/2] net: sched: em_nbyte: don't add the data offset twice

2018-01-18 Thread Wolfgang Bumiller
'ptr' is shifted by the offset and then validated, the memcmp should not add it a second time. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- net/sched/em_nbyte.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/em_nbyte.c b/net/sched/em_nbyte.c

[PATCH net+iproute2 0/2] nbyte, cmp and text filter fixups

2018-01-18 Thread Wolfgang Bumiller
memcmp the entire a byte sequence at once. Wolfgang Bumiller (1; 2): tc/lexer: let quotes actually start strings tc/emp_ematch.l | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) net: sched: em_nbyte: don't add the data offset twice net_sched: fix TCF_LAYER_LINK case

[PATCH iproute2] tc/lexer: let quotes actually start strings

2018-01-18 Thread Wolfgang Bumiller
-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- tc/emp_ematch.l | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tc/emp_ematch.l b/tc/emp_ematch.l index dc106759..d7a99304 100644 --- a/tc/emp_ematch.l +++ b/tc/emp_ematch.l @@ -137,7

[PATCH linux] net: fix deadlock while clearing neighbor proxy table

2018-04-10 Thread Wolfgang Bumiller
and perform the destruction. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289 Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().") Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- I do feel bad about moving the unlock call

Re: [PATCH linux] net: fix deadlock while clearing neighbor proxy table

2018-04-11 Thread Wolfgang Bumiller
David Miller wrote: > From: Wolfgang Bumiller <w.bumil...@proxmox.com> > Date: Tue, 10 Apr 2018 11:15:14 +0200 > > > diff --git a/net/core/neighbour.c b/net/core/neighbour.c > > index 7b7a14abba28..601df647588c 100644 > > --- a/net/core/neighbour.c > > +

[PATCH v2 net] net: fix deadlock while clearing neighbor proxy table

2018-04-12 Thread Wolfgang Bumiller
and perform the destruction. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289 Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().") Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- Changes to v1: * Renamed 'pneigh_ifdown' to 'pneig