1. 13 Apr, 2022 17 commits
    • Minghao Chi's avatar
      net: ethernet: ti: am65-cpsw-nuss: using pm_runtime_resume_and_get instead of pm_runtime_get_sync · 2240514c
      Minghao Chi authored
      Using pm_runtime_resume_and_get is more appropriate
      for simplifing code
      Reported-by: default avatarZeal Robot <zealci@zte.com.cn>
      Signed-off-by: default avatarMinghao Chi <chi.minghao@zte.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2240514c
    • Lin Ma's avatar
      NFC: NULL out the dev->rfkill to prevent UAF · 1b0e8141
      Lin Ma authored
      Commit 3e3b5dfc ("NFC: reorder the logic in nfc_{un,}register_device")
      assumes the device_is_registered() in function nfc_dev_up() will help
      to check when the rfkill is unregistered. However, this check only
      take effect when device_del(&dev->dev) is done in nfc_unregister_device().
      Hence, the rfkill object is still possible be dereferenced.
      
      The crash trace in latest kernel (5.18-rc2):
      
      [   68.760105] ==================================================================
      [   68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750
      [   68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313
      [   68.760756]
      [   68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4
      [   68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
      [   68.760756] Call Trace:
      [   68.760756]  <TASK>
      [   68.760756]  dump_stack_lvl+0x57/0x7d
      [   68.760756]  print_report.cold+0x5e/0x5db
      [   68.760756]  ? __lock_acquire+0x3ec1/0x6750
      [   68.760756]  kasan_report+0xbe/0x1c0
      [   68.760756]  ? __lock_acquire+0x3ec1/0x6750
      [   68.760756]  __lock_acquire+0x3ec1/0x6750
      [   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
      [   68.760756]  ? register_lock_class+0x18d0/0x18d0
      [   68.760756]  lock_acquire+0x1ac/0x4f0
      [   68.760756]  ? rfkill_blocked+0xe/0x60
      [   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
      [   68.760756]  ? mutex_lock_io_nested+0x12c0/0x12c0
      [   68.760756]  ? nla_get_range_signed+0x540/0x540
      [   68.760756]  ? _raw_spin_lock_irqsave+0x4e/0x50
      [   68.760756]  _raw_spin_lock_irqsave+0x39/0x50
      [   68.760756]  ? rfkill_blocked+0xe/0x60
      [   68.760756]  rfkill_blocked+0xe/0x60
      [   68.760756]  nfc_dev_up+0x84/0x260
      [   68.760756]  nfc_genl_dev_up+0x90/0xe0
      [   68.760756]  genl_family_rcv_msg_doit+0x1f4/0x2f0
      [   68.760756]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230
      [   68.760756]  ? security_capable+0x51/0x90
      [   68.760756]  genl_rcv_msg+0x280/0x500
      [   68.760756]  ? genl_get_cmd+0x3c0/0x3c0
      [   68.760756]  ? lock_acquire+0x1ac/0x4f0
      [   68.760756]  ? nfc_genl_dev_down+0xe0/0xe0
      [   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
      [   68.760756]  netlink_rcv_skb+0x11b/0x340
      [   68.760756]  ? genl_get_cmd+0x3c0/0x3c0
      [   68.760756]  ? netlink_ack+0x9c0/0x9c0
      [   68.760756]  ? netlink_deliver_tap+0x136/0xb00
      [   68.760756]  genl_rcv+0x1f/0x30
      [   68.760756]  netlink_unicast+0x430/0x710
      [   68.760756]  ? memset+0x20/0x40
      [   68.760756]  ? netlink_attachskb+0x740/0x740
      [   68.760756]  ? __build_skb_around+0x1f4/0x2a0
      [   68.760756]  netlink_sendmsg+0x75d/0xc00
      [   68.760756]  ? netlink_unicast+0x710/0x710
      [   68.760756]  ? netlink_unicast+0x710/0x710
      [   68.760756]  sock_sendmsg+0xdf/0x110
      [   68.760756]  __sys_sendto+0x19e/0x270
      [   68.760756]  ? __ia32_sys_getpeername+0xa0/0xa0
      [   68.760756]  ? fd_install+0x178/0x4c0
      [   68.760756]  ? fd_install+0x195/0x4c0
      [   68.760756]  ? kernel_fpu_begin_mask+0x1c0/0x1c0
      [   68.760756]  __x64_sys_sendto+0xd8/0x1b0
      [   68.760756]  ? lockdep_hardirqs_on+0xbf/0x130
      [   68.760756]  ? syscall_enter_from_user_mode+0x1d/0x50
      [   68.760756]  do_syscall_64+0x3b/0x90
      [   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [   68.760756] RIP: 0033:0x7f67fb50e6b3
      ...
      [   68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
      [   68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3
      [   68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003
      [   68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c
      [   68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e
      [   68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003
      
      [   68.760756]  </TASK>
      [   68.760756]
      [   68.760756] Allocated by task 279:
      [   68.760756]  kasan_save_stack+0x1e/0x40
      [   68.760756]  __kasan_kmalloc+0x81/0xa0
      [   68.760756]  rfkill_alloc+0x7f/0x280
      [   68.760756]  nfc_register_device+0xa3/0x1a0
      [   68.760756]  nci_register_device+0x77a/0xad0
      [   68.760756]  nfcmrvl_nci_register_dev+0x20b/0x2c0
      [   68.760756]  nfcmrvl_nci_uart_open+0xf2/0x1dd
      [   68.760756]  nci_uart_tty_ioctl+0x2c3/0x4a0
      [   68.760756]  tty_ioctl+0x764/0x1310
      [   68.760756]  __x64_sys_ioctl+0x122/0x190
      [   68.760756]  do_syscall_64+0x3b/0x90
      [   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [   68.760756]
      [   68.760756] Freed by task 314:
      [   68.760756]  kasan_save_stack+0x1e/0x40
      [   68.760756]  kasan_set_track+0x21/0x30
      [   68.760756]  kasan_set_free_info+0x20/0x30
      [   68.760756]  __kasan_slab_free+0x108/0x170
      [   68.760756]  kfree+0xb0/0x330
      [   68.760756]  device_release+0x96/0x200
      [   68.760756]  kobject_put+0xf9/0x1d0
      [   68.760756]  nfc_unregister_device+0x77/0x190
      [   68.760756]  nfcmrvl_nci_unregister_dev+0x88/0xd0
      [   68.760756]  nci_uart_tty_close+0xdf/0x180
      [   68.760756]  tty_ldisc_kill+0x73/0x110
      [   68.760756]  tty_ldisc_hangup+0x281/0x5b0
      [   68.760756]  __tty_hangup.part.0+0x431/0x890
      [   68.760756]  tty_release+0x3a8/0xc80
      [   68.760756]  __fput+0x1f0/0x8c0
      [   68.760756]  task_work_run+0xc9/0x170
      [   68.760756]  exit_to_user_mode_prepare+0x194/0x1a0
      [   68.760756]  syscall_exit_to_user_mode+0x19/0x50
      [   68.760756]  do_syscall_64+0x48/0x90
      [   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      This patch just add the null out of dev->rfkill to make sure such
      dereference cannot happen. This is safe since the device_lock() already
      protect the check/write from data race.
      
      Fixes: 3e3b5dfc ("NFC: reorder the logic in nfc_{un,}register_device")
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b0e8141
    • Guo Zhengkui's avatar
      ipv6: exthdrs: use swap() instead of open coding it · 5ee6ad1d
      Guo Zhengkui authored
      Address the following coccicheck warning:
      net/ipv6/exthdrs.c:620:44-45: WARNING opportunity for swap()
      
      by using swap() for the swapping of variable values and drop
      the tmp (`addr`) variable that is not needed any more.
      Signed-off-by: default avatarGuo Zhengkui <guozhengkui@vivo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ee6ad1d
    • Alaa Mohamed's avatar
      selftests: net: fib_rule_tests: add support to select a test to run · 816cda9a
      Alaa Mohamed authored
      Add boilerplate test loop in test to run all tests
      in fib_rule_tests.sh
      Signed-off-by: default avatarAlaa Mohamed <eng.alaamohamedsoliman.am@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      816cda9a
    • Lorenzo Bianconi's avatar
      net: ethernet: mtk_eth_soc: use standard property for cci-control-port · 4263f77a
      Lorenzo Bianconi authored
      Rely on standard cci-control-port property to identify CCI port
      reference.
      Update mt7622 dts binding.
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4263f77a
    • David S. Miller's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue · 17e415cf
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      40GbE Intel Wired LAN Driver Updates 2022-04-12
      
      This series contains updates to i40e and ice drivers.
      
      Joe Damato adds TSO support for MPLS packets on i40e and ice drivers. He
      also adds tracking and reporting of tx_stopped statistic for i40e.
      
      Nabil S. Alramli adds reporting of tx_restart to ethtool for i40e.
      
      Mateusz adds new device id support for i40e.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      17e415cf
    • David S. Miller's avatar
      Merge branch 'tls-rx-refactor-part-3' · 8f1c3850
      David S. Miller authored
      Jakub Kicinski says:
      
      ====================
      tls: rx: random refactoring part 3
      
      TLS Rx refactoring. Part 3 of 3. This set is mostly around rx_list
      and async processing. The last two patches are minor optimizations.
      A couple of features to follow.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8f1c3850
    • Jakub Kicinski's avatar
      tls: rx: only copy IV from the packet for TLS 1.2 · a4ae58cd
      Jakub Kicinski authored
      TLS 1.3 and ChaChaPoly don't carry IV in the packet.
      The code before this change would copy out iv_size
      worth of whatever followed the TLS header in the packet
      and then for TLS 1.3 | ChaCha overwrite that with
      the sequence number. Waste of cycles especially
      with TLS 1.2 being close to dead and TLS 1.3 being
      the common case.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a4ae58cd
    • Jakub Kicinski's avatar
      tls: rx: use MAX_IV_SIZE for allocations · f7d45f4b
      Jakub Kicinski authored
      IVs are 8 or 16 bytes, no point reading out the exact value
      for quantities this small.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f7d45f4b
    • Jakub Kicinski's avatar
      tls: rx: use async as an in-out argument · 3547a1f9
      Jakub Kicinski authored
      Propagating EINPROGRESS thru multiple layers of functions is
      error prone. Use darg->async as an in/out argument, like we
      use darg->zc today. On input it tells the code if async is
      allowed, on output if it took place.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3547a1f9
    • Jakub Kicinski's avatar
      tls: rx: return the already-copied data on crypto error · f314bfee
      Jakub Kicinski authored
      async crypto handler will report the socket error no need
      to report it again. We can, however, let the data we already
      copied be reported to user space but we need to make sure
      the error will be reported next time around.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f314bfee
    • Jakub Kicinski's avatar
      tls: rx: treat process_rx_list() errors as transient · 4dcdd971
      Jakub Kicinski authored
      process_rx_list() only fails if it can't copy data to user
      space. There is no point recording the error onto sk->sk_err
      or giving up on the data which was read partially. Treat
      the return value like a normal socket partial read.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4dcdd971
    • Jakub Kicinski's avatar
      tls: rx: assume crypto always calls our callback · 1c699ffa
      Jakub Kicinski authored
      If crypto didn't always invoke our callback for async
      we'd not be clearing skb->sk and would crash in the
      skb core when freeing it. This if must be dead code.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1c699ffa
    • Jakub Kicinski's avatar
      tls: rx: don't handle TLS 1.3 in the async crypto callback · 72f3ad73
      Jakub Kicinski authored
      Async crypto never worked with TLS 1.3 and was explicitly disabled in
      commit 8497ded2 ("net/tls: Disable async decrytion for tls1.3").
      There's no need for us to handle TLS 1.3 padding in the async cb.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      72f3ad73
    • Jakub Kicinski's avatar
      tls: rx: move counting TlsDecryptErrors for sync · 284b4d93
      Jakub Kicinski authored
      Move counting TlsDecryptErrors to tls_do_decryption()
      where differences between sync and async crypto are
      reconciled.
      
      No functional changes, this code just always gave
      me a pause.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      284b4d93
    • Jakub Kicinski's avatar
      tls: rx: reuse leave_on_list label for psock · 0775639c
      Jakub Kicinski authored
      The code is identical, we can save a few LoC.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0775639c
    • Jakub Kicinski's avatar
      tls: rx: consistently use unlocked accessors for rx_list · a30295c4
      Jakub Kicinski authored
      rx_list is protected by the socket lock, no need to take
      the built-in spin lock on accesses.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a30295c4
  2. 12 Apr, 2022 23 commits