1. 19 May, 2023 3 commits
    • tls: rx: strp: set the skb->len of detached / CoW'ed skbs · 210620ae
      Jakub Kicinski authored
      alloc_skb_with_frags() fills in page frag sizes but does not
      set skb->len and skb->data_len. Set those correctly otherwise
      device offload will most likely generate an empty skb and
      hit the BUG() at the end of __skb_nsg().
      
      Fixes: 84c61fe1 ("tls: rx: do not use the standard strparser")
      Tested-by: Shai Amiram <samiram@nvidia.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tls: rx: device: fix checking decryption status · b3a03b54
      Jakub Kicinski authored
      skb->len covers the entire skb, including the frag_list.
      In fact we're guaranteed that rxm->full_len <= skb->len,
      so since the change under Fixes we were not checking decrypt
      status of any skb but the first.
      
      Note that the skb_pagelen() added here may feel a bit costly,
      but it's removed by subsequent fixes, anyway.
      Reported-by: Tariq Toukan <tariqt@nvidia.com>
      Fixes: 86b259f6 ("tls: rx: device: bound the frag walk")
      Tested-by: Shai Amiram <samiram@nvidia.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize · 7e01c7f7
      Tudor Ambarus authored
      Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than
      the calculated "min" value, but greater than zero, the logic sets
      tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in
      cdc_ncm_fill_tx_frame() where all the data is handled.
      
      For small values of dwNtbOutMaxSize the memory allocated during
      alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to
      how size is aligned at alloc time:
              size = SKB_DATA_ALIGN(size);
              size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
      Thus we hit the same bug that we tried to squash with
      commit 2be6d4d1 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")
      
      Low values of dwNtbOutMaxSize do not cause an issue presently because at
      alloc_skb() time more memory (512b) is allocated than required for the
      SKB headers alone (320b), leaving some space (512b - 320b = 192b)
      for CDC data (172b).
      
      However, if more elements (for example 3 x u64 = [24b]) were added to
      one of the SKB header structs, say 'struct skb_shared_info',
      increasing its original size (320b [320b aligned]) to something larger
      (344b [384b aligned]), then suddenly the CDC data (172b) no longer
      fits in the spare SKB data area (512b - 384b = 128b).
      
      Consequently the SKB bounds checking semantics fails and panics:
      
      skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>
      ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:113!
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN
      CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
      Workqueue: mld mld_ifc_work
      RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
      RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
      [snip]
      Call Trace:
       <TASK>
       skb_put+0x151/0x210 net/core/skbuff.c:2047
       skb_put_zero include/linux/skbuff.h:2422 [inline]
       cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
       cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
       cdc_ncm_tx_fixup+0xa3/0x100
      
      Deal with too low values of dwNtbOutMaxSize, clamp it in the range
      [USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure
      enough data space is allocated to handle CDC data by making sure
      dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.
      
      Fixes: 289507d3 ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning")
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+9f575a1f15fc0c01ed69@syzkaller.appspotmail.com
      Link: https://syzkaller.appspot.com/bug?extid=b982f1059506db48409d
      Link: https://lore.kernel.org/all/20211202143437.1411410-1-lee.jones@linaro.org/
      Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230517133808.1873695-2-tudor.ambarus@linaro.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
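The size arithmetic in the cdc_ncm commit message above, worked through as an added example (not code from the commit or the kernel). It assumes a simplified allocator model (64-byte alignment, power-of-two buckets), a constructed device value of 16, and assumed values for the two clamp limits, which the message names but does not state.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model (assumption): SKB_DATA_ALIGN rounds up to 64 bytes and
 * kmalloc serves power-of-two buckets. Real slab sizing has more cases. */
#define ALIGN64(x) (((size_t)(x) + 63u) & ~(size_t)63u)

/* Assumed values; the commit message names these limits without giving them. */
#define NTB_MIN_OUT_SIZE 2048u   /* stands in for USB_CDC_NCM_NTB_MIN_OUT_SIZE */
#define NTB_MAX_SIZE_TX  65536u  /* stands in for CDC_NCM_NTB_MAX_SIZE_TX */

static size_t kmalloc_bucket(size_t n)
{
    size_t b = 64;
    while (b < n)
        b <<= 1;
    return b;
}

/* Bytes left for packet data after alloc_skb(req): the bucket that holds
 * aligned data plus aligned skb_shared_info, minus the shared info. */
size_t skb_data_room(size_t req, size_t shinfo_size)
{
    size_t shinfo = ALIGN64(shinfo_size);
    return kmalloc_bucket(ALIGN64(req) + shinfo) - shinfo;
}

/* Same condition skb_put() enforces: the new tail must not pass end. */
int skb_put_fits(size_t room, size_t tail, size_t put)
{
    return tail + put <= room;
}

/* The fix as the message describes it: clamp the device-supplied value. */
size_t clamp_tx_max(size_t dev_value)
{
    if (dev_value < NTB_MIN_OUT_SIZE)
        return NTB_MIN_OUT_SIZE;
    if (dev_value > NTB_MAX_SIZE_TX)
        return NTB_MAX_SIZE_TX;
    return dev_value;
}

int main(void)
{
    const size_t tiny = 16;            /* constructed dwNtbOutMaxSize */
    const size_t tail = 12, put = 172; /* panic log: len:184 put:172 */
    const size_t shinfo[] = { 320, 344 };

    for (size_t i = 0; i < 2; i++) {
        size_t before = skb_data_room(tiny, shinfo[i]);
        size_t after = skb_data_room(clamp_tx_max(tiny), shinfo[i]);
        printf("shinfo=%zu unclamped room=%zu fits=%d | clamped room=%zu fits=%d\n",
               shinfo[i], before, skb_put_fits(before, tail, put),
               after, skb_put_fits(after, tail, put));
    }
    return 0;
}
```

With the 344-byte struct the unclamped room is 128 bytes, matching `end:0x80` in the panic log, while the required tail is 184 (`tail:0xb8`).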
  2. 18 May, 2023 10 commits
    • Merge tag 'net-6.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 1f594fe7
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from can, xfrm, bluetooth and netfilter.
      
        Current release - regressions:
      
         - ipv6: fix RCU splat in ipv6_route_seq_show()
      
         - wifi: iwlwifi: disable RFI feature
      
        Previous releases - regressions:
      
         - tcp: fix possible sk_priority leak in tcp_v4_send_reset()
      
         - tipc: do not update mtu if msg_max is too small in mtu negotiation
      
         - netfilter: fix null deref on element insertion
      
         - devlink: change per-devlink netdev notifier to static one
      
         - phylink: fix ksettings_set() ethtool call
      
         - wifi: mac80211: fortify the spinlock against deadlock by interrupt
      
         - wifi: brcmfmac: check for probe() id argument being NULL
      
         - eth: ice:
            - fix undersized tx_flags variable
            - fix ice VF reset during iavf initialization
      
         - eth: hns3: fix sending pfc frames after reset issue
      
        Previous releases - always broken:
      
         - xfrm: release all offloaded policy memory
      
         - nsh: use correct mac_offset to unwind gso skb in nsh_gso_segment()
      
         - vsock: avoid to close connected socket after the timeout
      
         - dsa: rzn1-a5psw: enable management frames for CPU port
      
         - eth: virtio_net: fix error unwinding of XDP initialization
      
         - eth: tun: fix memory leak for detached NAPI queue.
      
        Misc:
      
         - MAINTAINERS: sctp: move Neil to CREDITS"
      
      * tag 'net-6.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (107 commits)
        MAINTAINERS: skip CCing netdev for Bluetooth patches
        mdio_bus: unhide mdio_bus_init prototype
        bridge: always declare tunnel functions
        atm: hide unused procfs functions
        net: isa: include net/Space.h
        Revert "ARM: dts: stm32: add CAN support on stm32f746"
        netfilter: nft_set_rbtree: fix null deref on element insertion
        netfilter: nf_tables: fix nft_trans type confusion
        netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
        net: wwan: t7xx: Ensure init is completed before system sleep
        net: selftests: Fix optstring
        net: pcs: xpcs: fix C73 AN not getting enabled
        net: wwan: iosm: fix NULL pointer dereference when removing device
        vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
        mailmap: add entries for Nikolay Aleksandrov
        igb: fix bit_shift to be in [1..8] range
        net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset
        cassini: Fix a memory leak in the error handling path of cas_init_one()
        tun: Fix memory leak for detached NAPI queue.
        can: kvaser_pciefd: Disable interrupts in probe error path
        ...
    • Merge tag 'media/v6.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · b802651b
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
       "Several fixes for the dvb core and drivers:
      
         - fix UAF and null pointer de-reference in DVB core
      
         - fix kernel runtime warning for blocking operation in wait_event*()
           in dvb core
      
         - fix write size bug in DVB conditional access core
      
         - fix dvb demux continuity counter debug check logic
      
         - randconfig build fixes in pvrusb2 and mn88443x
      
         - fix memory leak in ttusb-dec
      
         - fix netup_unidvb probe-time error check logic
      
         - improve error handling in dw2102 if it can't retrieve DVB MAC
           address"
      
      * tag 'media/v6.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
        media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
        media: dvb-core: Fix use-after-free due to race at dvb_register_device()
        media: dvb-core: Fix use-after-free due on race condition at dvb_net
        media: dvb-core: Fix use-after-free on race condition at dvb_frontend
        media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
        media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
        media: dvb_ca_en50221: fix a size write bug
        media: netup_unidvb: fix irq init by register it at the end of probe
        media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
        media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
        media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
        media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
        media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
        media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
        media: netup_unidvb: fix use-after-free at del_timer()
        media: dvb_demux: fix a bug for the continuity counter
        media: pvrusb2: fix DVB_CORE dependency
    • Merge tag 'linux-can-fixes-for-6.4-20230518' of... · 6e42fae0
      Paolo Abeni authored
      Merge tag 'linux-can-fixes-for-6.4-20230518' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2023-05-18
      
      this is a pull request of 7 patches for net/master.
      
      The first 6 patches are by Jimmy Assarsson and fix several bugs in the
      kvaser_pciefd driver.
      
      The latest patch is from me and reverts a change in stm32f746.dtsi
      that causes build errors due to a missing dependent patch.
      
      * tag 'linux-can-fixes-for-6.4-20230518' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        Revert "ARM: dts: stm32: add CAN support on stm32f746"
        can: kvaser_pciefd: Disable interrupts in probe error path
        can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
        can: kvaser_pciefd: Empty SRB buffer in probe
        can: kvaser_pciefd: Call request_irq() before enabling interrupts
        can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
        can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
      ====================
      
      Link: https://lore.kernel.org/r/20230518073241.1110453-1-mkl@pengutronix.de
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • Merge tag 'nf-23-05-17' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 30a0f49d
      Jakub Kicinski authored
      Florian Westphal says:
      
      ====================
      Netfilter fixes for net
      
      1. Silence warning about unused variable when CONFIG_NF_NAT=n, from Tom Rix.
      2. nftables: Fix possible out-of-bounds access, from myself.
      3. nftables: fix null deref+UAF during element insertion into rbtree,
         also from myself.
      
      * tag 'nf-23-05-17' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nft_set_rbtree: fix null deref on element insertion
        netfilter: nf_tables: fix nft_trans type confusion
        netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
      ====================
      
      Link: https://lore.kernel.org/r/20230517123756.7353-1-fw@strlen.de
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'wireless-2023-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · c259ad11
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.4
      
      A lot of fixes this time, for both the stack and the drivers. The
      brcmfmac resume fix has been reported by several people so I would say
      it's the most important here. The iwlwifi RFI workaround is also
      something which was reported as a regression recently.
      
      * tag 'wireless-2023-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: (31 commits)
        wifi: b43: fix incorrect __packed annotation
        wifi: rtw88: sdio: Always use two consecutive bytes for word operations
        mac80211_hwsim: fix memory leak in hwsim_new_radio_nl
        wifi: iwlwifi: mvm: Add locking to the rate read flow
        wifi: iwlwifi: Don't use valid_links to iterate sta links
        wifi: iwlwifi: mvm: don't trust firmware n_channels
        wifi: iwlwifi: mvm: fix OEM's name in the tas approved list
        wifi: iwlwifi: fix OEM's name in the ppag approved list
        wifi: iwlwifi: mvm: fix initialization of a return value
        wifi: iwlwifi: mvm: fix access to fw_id_to_mac_id
        wifi: iwlwifi: fw: fix DBGI dump
        wifi: iwlwifi: mvm: fix number of concurrent link checks
        wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock
        wifi: iwlwifi: mvm: don't double-init spinlock
        wifi: iwlwifi: mvm: always free dup_data
        wifi: mac80211: recalc chanctx mindef before assigning
        wifi: mac80211: consider reserved chanctx for mindef
        wifi: mac80211: simplify chanctx allocation
        wifi: mac80211: Abort running color change when stopping the AP
        wifi: mac80211: fix min center freq offset tracing
        ...
      ====================
      
      Link: https://lore.kernel.org/r/20230517151914.B0AF6C433EF@smtp.kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • MAINTAINERS: skip CCing netdev for Bluetooth patches · bfa00d8f
      Jakub Kicinski authored
      As requested by Marcel skip netdev for Bluetooth patches.
      Bluetooth has its own mailing list and overloading netdev
      leads to fewer people reading it.
      
      Link: https://lore.kernel.org/netdev/639C8EA4-1F6E-42BE-8F04-E4A753A6EFFC@holtmann.org/
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230517014253.1233333-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • mdio_bus: unhide mdio_bus_init prototype · 2e9f8ab6
      Arnd Bergmann authored
      mdio_bus_init() is either used as a local module_init() entry,
      or it gets called in phy_device.c. In the former case, there
      is no declaration, which causes a warning:
      
      drivers/net/phy/mdio_bus.c:1371:12: error: no previous prototype for 'mdio_bus_init' [-Werror=missing-prototypes]
      
      Remove the #ifdef around the declaration to avoid the warning.

      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20230516194625.549249-4-arnd@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • bridge: always declare tunnel functions · 89dcd87c
      Arnd Bergmann authored
      When CONFIG_BRIDGE_VLAN_FILTERING is disabled, two functions are still
      defined but have no prototype or caller. This causes a W=1 warning for
      the missing prototypes:
      
      net/bridge/br_netlink_tunnel.c:29:6: error: no previous prototype for 'vlan_tunid_inrange' [-Werror=missing-prototypes]
      net/bridge/br_netlink_tunnel.c:199:5: error: no previous prototype for 'br_vlan_tunnel_info' [-Werror=missing-prototypes]
      
      The functions are already conditional on CONFIG_BRIDGE_VLAN_FILTERING,
      and I couldn't easily figure out the right set of #ifdefs, so just
      move the declarations out of the #ifdef to avoid the warning,
      at a small cost in code size over a more elaborate fix.
      
      Fixes: 188c67dd ("net: bridge: vlan options: add support for tunnel id dumping")
      Fixes: 569da082 ("net: bridge: vlan options: add support for tunnel mapping set/del")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
      Link: https://lore.kernel.org/r/20230516194625.549249-3-arnd@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • atm: hide unused procfs functions · fb1b7be9
      Arnd Bergmann authored
      When CONFIG_PROC_FS is disabled, the function declarations for some
      procfs functions are hidden, but the definitions are still built,
      as shown by this compiler warning:
      
      net/atm/resources.c:403:7: error: no previous prototype for 'atm_dev_seq_start' [-Werror=missing-prototypes]
      net/atm/resources.c:409:6: error: no previous prototype for 'atm_dev_seq_stop' [-Werror=missing-prototypes]
      net/atm/resources.c:414:7: error: no previous prototype for 'atm_dev_seq_next' [-Werror=missing-prototypes]
      
      Add another #ifdef to leave these out of the build.

      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20230516194625.549249-2-arnd@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: isa: include net/Space.h · 067dee65
      Arnd Bergmann authored
      The legacy drivers that still get called from net/Space.c have prototypes
      in net/Space, but this header is not included in most of the files that
      define those functions:
      
      drivers/net/ethernet/cirrus/cs89x0.c:1649:28: error: no previous prototype for 'cs89x0_probe' [-Werror=missing-prototypes]
      drivers/net/ethernet/8390/ne.c:947:28: error: no previous prototype for 'ne_probe' [-Werror=missing-prototypes]
      drivers/net/ethernet/8390/smc-ultra.c:167:28: error: no previous prototype for 'ultra_probe' [-Werror=missing-prototypes]
      drivers/net/ethernet/amd/lance.c:438:28: error: no previous prototype for 'lance_probe' [-Werror=missing-prototypes]
      drivers/net/ethernet/3com/3c515.c:422:20: error: no previous prototype for 'tc515_probe' [-Werror=missing-prototypes]
      
      Add the inclusion to avoid the warnings.

      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20230516194625.549249-1-arnd@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  3. 17 May, 2023 27 commits