1. 06 Jun, 2024 2 commits
    • Jacob Keller's avatar
      ice: fix iteration of TLVs in Preserved Fields Area · 03e4a092
      Jacob Keller authored
      The ice_get_pfa_module_tlv() function iterates over the Type-Length-Value
      structures in the Preserved Fields Area (PFA) of the NVM. This is used by
      the driver to access data such as the Part Board Assembly identifier.
      
      The function uses simple logic to iterate over the PFA. First, the pointer
      to the PFA in the NVM is read. Then the total length of the PFA is read
      from the first word.
      
      A pointer to the first TLV is initialized, and a simple loop iterates over
      each TLV. The pointer is moved forward through the NVM until it exceeds the
      PFA area.
      
      The logic seems sound, but it is missing a key detail. The Preserved
      Fields Area length includes one additional final word. This is documented
      in the device data sheet as a dummy word which contains 0xFFFF. All NVMs
      have this extra word.
      
      If the driver tries to scan for a TLV that is not in the PFA, it will read
      past the size of the PFA. It reads and interprets the last dummy word of
      the PFA as a TLV with type 0xFFFF. It then reads the word following the PFA
      as a length.
      
      The PFA resides within the Shadow RAM portion of the NVM, which is
      relatively small. All of its offsets are within a 16-bit size. The PFA
      pointer and TLV pointer are stored by the driver as 16-bit values.
      
      In almost all cases, the word following the PFA will be such that
      interpreting it as a length will result in 16-bit arithmetic overflow. Once
      overflowed, the new next_tlv value is now below the maximum offset of the
      PFA. Thus, the driver will continue to iterate the data as TLVs. In the
      worst case, the driver hits on a sequence of reads which loop back to
      reading the same offsets in an endless loop.
      
      To fix this, we need to correct the loop iteration check to account for
      this extra word at the end of the PFA. This alone is sufficient to resolve
      the known cases of this issue in the field. However, it is plausible that
      an NVM could be misconfigured or have corrupt data which results in the
      same kind of overflow. Protect against this by using check_add_overflow
      when calculating both the maximum offset of the TLVs, and when calculating
      the next_tlv offset at the end of each loop iteration. This ensures that
      the driver will not get stuck in an infinite loop when scanning the PFA.
      
      Fixes: e961b679 ("ice: add board identifier info to devlink .info_get")
      Co-developed-by: default avatarPaul Greenwalt <paul.greenwalt@intel.com>
      Signed-off-by: default avatarPaul Greenwalt <paul.greenwalt@intel.com>
      Reviewed-by: default avatarPrzemek Kitszel <przemyslaw.kitszel@intel.com>
      Tested-by: default avatarPucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Link: https://lore.kernel.org/r/20240603-net-2024-05-30-intel-net-fixes-v2-1-e3563aa89b0c@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      03e4a092
    • Jakub Kicinski's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 886bf917
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2024-06-05
      
      We've added 8 non-merge commits during the last 6 day(s) which contain
      a total of 9 files changed, 34 insertions(+), 35 deletions(-).
      
      The main changes are:
      
      1) Fix a potential use-after-free in bpf_link_free when the link uses
         dealloc_deferred to free the link object but later still tests for
         presence of link->ops->dealloc, from Cong Wang.
      
      2) Fix BPF test infra to set the run context for rawtp test_run callback
         where syzbot reported a crash, from Jiri Olsa.
      
      3) Fix bpf_session_cookie BTF_ID in the special_kfunc_set list to exclude
         it for the case of !CONFIG_FPROBE, also from Jiri Olsa.
      
      4) Fix a Coverity static analysis report to not close() a link_fd of -1
         in the multi-uprobe feature detector, from Andrii Nakryiko.
      
      5) Revert support for redirect to any xsk socket bound to the same umem
         as it can result in corrupted ring state which can lead to a crash when
         flushing rings. A different approach will be pursued for bpf-next to
         address it safely, from Magnus Karlsson.
      
      6) Fix inet_csk_accept prototype in test_sk_storage_tracing.c which caused
         BPF CI failure after the last tree fast forwarding, from Andrii Nakryiko.
      
      7) Fix a coccicheck warning in BPF devmap that iterator variable cannot
         be NULL, from Thorsten Blum.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        Revert "xsk: Document ability to redirect to any socket bound to the same umem"
        Revert "xsk: Support redirect to any socket bound to the same umem"
        bpf: Set run context for rawtp test_run callback
        bpf: Fix a potential use-after-free in bpf_link_free()
        bpf, devmap: Remove unnecessary if check in for loop
        libbpf: don't close(-1) in multi-uprobe feature detector
        bpf: Fix bpf_session_cookie BTF_ID in special_kfunc_set list
        selftests/bpf: fix inet_csk_accept prototype in test_sk_storage_tracing.c
      ====================
      
      Link: https://lore.kernel.org/r/20240605091525.22628-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      886bf917
  2. 05 Jun, 2024 21 commits
  3. 04 Jun, 2024 10 commits
    • Jakub Kicinski's avatar
      net: tls: fix marking packets as decrypted · a535d594
      Jakub Kicinski authored
      For TLS offload we mark packets with skb->decrypted to make sure
      they don't escape the host without getting encrypted first.
      The crypto state lives in the socket, so it may get detached
      by a call to skb_orphan(). As a safety check - the egress path
      drops all packets with skb->decrypted and no "crypto-safe" socket.
      
      The skb marking was added to sendpage only (and not sendmsg),
      because tls_device injected data into the TCP stack using sendpage.
      This special case was missed when sendpage got folded into sendmsg.
      
      Fixes: c5c37af6 ("tcp: Convert do_tcp_sendpages() to use MSG_SPLICE_PAGES")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20240530232607.82686-1-kuba@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a535d594
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2024-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · d6301802
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.10-rc3
      
      The first fixes for v6.10. And we have a big one, I suspect the
      biggest wireless pull request we ever had. There are fixes all over,
      both in stack and drivers. Likely the most important here are mt76 not
      working on mt7615 devices, ath11k not being able to connect to 6 GHz
      networks and rtlwifi suffering from packet loss. But of course there's
      much more.
      
      * tag 'wireless-2024-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: (37 commits)
        wifi: rtlwifi: Ignore IEEE80211_CONF_CHANGE_RETRY_LIMITS
        wifi: mt76: mt7615: add missing chanctx ops
        wifi: wilc1000: document SRCU usage instead of SRCU
        Revert "wifi: wilc1000: set atomic flag on kmemdup in srcu critical section"
        Revert "wifi: wilc1000: convert list management to RCU"
        wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()
        wifi: mac80211: correctly parse Spatial Reuse Parameter Set element
        wifi: mac80211: fix Spatial Reuse element size check
        wifi: iwlwifi: mvm: don't read past the mfuart notifcation
        wifi: iwlwifi: mvm: Fix scan abort handling with HW rfkill
        wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
        wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option
        wifi: iwlwifi: mvm: handle BA session teardown in RF-kill
        wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd
        wifi: iwlwifi: mvm: remove stale STA link data during restart
        wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
        wifi: iwlwifi: mvm: set properly mac header
        wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
        wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup
        wifi: iwlwifi: mvm: fix a crash on 7265
        ...
      ====================
      
      Link: https://lore.kernel.org/r/20240603115129.9494CC2BD10@smtp.kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d6301802
    • Jeff Johnson's avatar
      lib/test_rhashtable: add missing MODULE_DESCRIPTION() macro · c6cab01d
      Jeff Johnson authored
      make allmodconfig && make W=1 C=1 reports:
      WARNING: modpost: missing MODULE_DESCRIPTION() in lib/test_rhashtable.o
      
      Add the missing invocation of the MODULE_DESCRIPTION() macro.
      Signed-off-by: default avatarJeff Johnson <quic_jjohnson@quicinc.com>
      Link: https://lore.kernel.org/r/20240531-md-lib-test_rhashtable-v1-1-cd6d4138f1b6@quicinc.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c6cab01d
    • Jakub Kicinski's avatar
      Merge branch 'dst_cache-fix-possible-races' · d730a42c
      Jakub Kicinski authored
      Eric Dumazet says:
      
      ====================
      dst_cache: fix possible races
      
      This series is inspired by various undisclosed syzbot
      reports hinting at corruptions in dst_cache structures.
      
      It seems at least four users of dst_cache are racy against
      BH reentrancy.
      
      Last patch is adding a DEBUG_NET check to catch future misuses.
      ====================
      
      Link: https://lore.kernel.org/r/20240531132636.2637995-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d730a42c
    • Eric Dumazet's avatar
      net: dst_cache: add two DEBUG_NET warnings · 2fe6fb36
      Eric Dumazet authored
      After fixing four different bugs involving dst_cache
      users, it might be worth adding a check about BH being
      blocked by dst_cache callers.
      
      DEBUG_NET_WARN_ON_ONCE(!in_softirq());
      
      It is not fatal, if we missed valid case where no
      BH deadlock is to be feared, we might change this.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240531132636.2637995-6-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2fe6fb36
    • Eric Dumazet's avatar
      ila: block BH in ila_output() · cf28ff8e
      Eric Dumazet authored
      As explained in commit 13788174 ("tipc: block BH
      before using dst_cache"), net/core/dst_cache.c
      helpers need to be called with BH disabled.
      
      ila_output() is called from lwtunnel_output()
      possibly from process context, and under rcu_read_lock().
      
      We might be interrupted by a softirq, re-enter ila_output()
      and corrupt dst_cache data structures.
      
      Fix the race by using local_bh_disable().
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240531132636.2637995-5-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cf28ff8e
    • Eric Dumazet's avatar
      ipv6: sr: block BH in seg6_output_core() and seg6_input_core() · c0b98ac1
      Eric Dumazet authored
      As explained in commit 13788174 ("tipc: block BH
      before using dst_cache"), net/core/dst_cache.c
      helpers need to be called with BH disabled.
      
      Disabling preemption in seg6_output_core() is not good enough,
      because seg6_output_core() is called from process context,
      lwtunnel_output() only uses rcu_read_lock().
      
      We might be interrupted by a softirq, re-enter seg6_output_core()
      and corrupt dst_cache data structures.
      
      Fix the race by using local_bh_disable() instead of
      preempt_disable().
      
      Apply a similar change in seg6_input_core().
      
      Fixes: fa79581e ("ipv6: sr: fix several BUGs when preemption is enabled")
      Fixes: 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: David Lebrun <dlebrun@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240531132636.2637995-4-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c0b98ac1
    • Eric Dumazet's avatar
      net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() · db0090c6
      Eric Dumazet authored
      As explained in commit 13788174 ("tipc: block BH
      before using dst_cache"), net/core/dst_cache.c
      helpers need to be called with BH disabled.
      
      Disabling preemption in rpl_output() is not good enough,
      because rpl_output() is called from process context,
      lwtunnel_output() only uses rcu_read_lock().
      
      We might be interrupted by a softirq, re-enter rpl_output()
      and corrupt dst_cache data structures.
      
      Fix the race by using local_bh_disable() instead of
      preempt_disable().
      
      Apply a similar change in rpl_input().
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Alexander Aring <aahringo@redhat.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240531132636.2637995-3-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      db0090c6
    • Eric Dumazet's avatar
      ipv6: ioam: block BH from ioam6_output() · 2fe40483
      Eric Dumazet authored
      As explained in commit 13788174 ("tipc: block BH
      before using dst_cache"), net/core/dst_cache.c
      helpers need to be called with BH disabled.
      
      Disabling preemption in ioam6_output() is not good enough,
      because ioam6_output() is called from process context,
      lwtunnel_output() only uses rcu_read_lock().
      
      We might be interrupted by a softirq, re-enter ioam6_output()
      and corrupt dst_cache data structures.
      
      Fix the race by using local_bh_disable() instead of
      preempt_disable().
      
      Fixes: 8cb3bf8b ("ipv6: ioam: Add support for the ip6ip6 encapsulation")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Justin Iurman <justin.iurman@uliege.be>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Link: https://lore.kernel.org/r/20240531132636.2637995-2-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2fe40483
    • Matthias Stocker's avatar
      vmxnet3: disable rx data ring on dma allocation failure · ffbe335b
      Matthias Stocker authored
      When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base,
      the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset
      rq->data_ring.desc_size for the data ring that failed, which presumably
      causes the hypervisor to reference it on packet reception.
      
      To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell
      the hypervisor to disable this feature.
      
      [   95.436876] kernel BUG at net/core/skbuff.c:207!
      [   95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      [   95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1
      [   95.441558] Hardware name: VMware, Inc. VMware Virtual
      Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
      [   95.443481] RIP: 0010:skb_panic+0x4d/0x4f
      [   95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50
      ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9
      ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24
      [   95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246
      [   95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f
      [   95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f
      [   95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60
      [   95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000
      [   95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0
      [   95.455682] FS:  0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000
      [   95.457178] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0
      [   95.459791] Call Trace:
      [   95.460515]  <IRQ>
      [   95.461180]  ? __die_body.cold+0x19/0x27
      [   95.462150]  ? die+0x2e/0x50
      [   95.462976]  ? do_trap+0xca/0x110
      [   95.463973]  ? do_error_trap+0x6a/0x90
      [   95.464966]  ? skb_panic+0x4d/0x4f
      [   95.465901]  ? exc_invalid_op+0x50/0x70
      [   95.466849]  ? skb_panic+0x4d/0x4f
      [   95.467718]  ? asm_exc_invalid_op+0x1a/0x20
      [   95.468758]  ? skb_panic+0x4d/0x4f
      [   95.469655]  skb_put.cold+0x10/0x10
      [   95.470573]  vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]
      [   95.471853]  vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]
      [   95.473185]  __napi_poll+0x2b/0x160
      [   95.474145]  net_rx_action+0x2c6/0x3b0
      [   95.475115]  handle_softirqs+0xe7/0x2a0
      [   95.476122]  __irq_exit_rcu+0x97/0xb0
      [   95.477109]  common_interrupt+0x85/0xa0
      [   95.478102]  </IRQ>
      [   95.478846]  <TASK>
      [   95.479603]  asm_common_interrupt+0x26/0x40
      [   95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20
      [   95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
      [   95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246
      [   95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000
      [   95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001
      [   95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3
      [   95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260
      [   95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000
      [   95.495035]  acpi_safe_halt+0x14/0x20
      [   95.496127]  acpi_idle_do_entry+0x2f/0x50
      [   95.497221]  acpi_idle_enter+0x7f/0xd0
      [   95.498272]  cpuidle_enter_state+0x81/0x420
      [   95.499375]  cpuidle_enter+0x2d/0x40
      [   95.500400]  do_idle+0x1e5/0x240
      [   95.501385]  cpu_startup_entry+0x29/0x30
      [   95.502422]  start_secondary+0x11c/0x140
      [   95.503454]  common_startup_64+0x13e/0x141
      [   95.504466]  </TASK>
      [   95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4
      nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
      nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
      nf_defrag_ipv4 rfkill ip_set nf_tables vsock_loopback
      vmw_vsock_virtio_transport_common qrtr vmw_vsock_vmci_transport vsock
      sunrpc binfmt_misc pktcdvd vmw_balloon pcspkr vmw_vmci i2c_piix4 joydev
      loop dm_multipath nfnetlink zram crct10dif_pclmul crc32_pclmul vmwgfx
      crc32c_intel polyval_clmulni polyval_generic ghash_clmulni_intel
      sha512_ssse3 sha256_ssse3 vmxnet3 sha1_ssse3 drm_ttm_helper vmw_pvscsi
      ttm ata_generic pata_acpi serio_raw scsi_dh_rdac scsi_dh_emc
      scsi_dh_alua ip6_tables ip_tables fuse
      [   95.516536] ---[ end trace 0000000000000000 ]---
      
      Fixes: 6f483338 ("net: vmxnet3: Fix NULL pointer dereference in vmxnet3_rq_rx_complete()")
      Signed-off-by: default avatarMatthias Stocker <mstocker@barracuda.com>
      Reviewed-by: default avatarSubbaraya Sundeep <sbhatta@marvell.com>
      Reviewed-by: default avatarRonak Doshi <ronak.doshi@broadcom.com>
      Link: https://lore.kernel.org/r/20240531103711.101961-1-mstocker@barracuda.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ffbe335b
  4. 03 Jun, 2024 3 commits
  5. 01 Jun, 2024 4 commits