1. 17 Sep, 2023 1 commit
  2. 15 Sep, 2023 7 commits
  3. 14 Sep, 2023 5 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 9fdfb15a
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Quite unusually, this does not contains any fix coming from subtrees
        (nf, ebpf, wifi, etc).
      
        Current release - regressions:
      
         - bcmasp: fix possible OOB write in bcmasp_netfilt_get_all_active()
      
        Previous releases - regressions:
      
         - ipv4: fix one memleak in __inet_del_ifa()
      
         - tcp: fix bind() regressions for v4-mapped-v6 addresses.
      
         - tls: do not free tls_rec on async operation in
           bpf_exec_tx_verdict()
      
         - dsa: fixes for SJA1105 FDB regressions
      
         - veth: update XDP feature set when bringing up device
      
         - igb: fix hangup when enabling SR-IOV
      
        Previous releases - always broken:
      
         - kcm: fix memory leak in error path of kcm_sendmsg()
      
         - smc: fix data corruption in smcr_port_add
      
         - microchip: fix possible memory leak for vcap_dup_rule()"
      
      * tag 'net-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (37 commits)
        kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
        net: renesas: rswitch: Add spin lock protection for irq {un}mask
        net: renesas: rswitch: Fix unmasking irq condition
        igb: clean up in all error paths when enabling SR-IOV
        ixgbe: fix timestamp configuration code
        selftest: tcp: Add v4-mapped-v6 cases in bind_wildcard.c.
        selftest: tcp: Move expected_errno into each test case in bind_wildcard.c.
        selftest: tcp: Fix address length in bind_wildcard.c.
        tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address.
        tcp: Fix bind() regression for v4-mapped-v6 wildcard address.
        tcp: Factorise sk_family-independent comparison in inet_bind2_bucket_match(_addr_any).
        ipv6: fix ip6_sock_set_addr_preferences() typo
        veth: Update XDP feature set when bringing up device
        net: macb: fix sleep inside spinlock
        net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
        net: ethernet: mtk_eth_soc: fix pse_port configuration for MT7988
        net: ethernet: mtk_eth_soc: fix uninitialized variable
        kcm: Fix memory leak in error path of kcm_sendmsg()
        r8152: check budget for r8152_poll()
        net: dsa: sja1105: block FDB accesses that are concurrent with a switch reset
        ...
      9fdfb15a
    • Kuniyuki Iwashima's avatar
      kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). · a22730b1
      Kuniyuki Iwashima authored
      syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88b
      ("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by
      updating kcm_tx_msg(head)->last_skb if partial data is copied so that the
      following sendmsg() will resume from the skb.
      
      However, we cannot know how many bytes were copied when we get the error.
      Thus, we could mess up the MSG_MORE queue.
      
      When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we
      do so for UDP by udp_flush_pending_frames().
      
      Even without this change, when the error occurred, the following sendmsg()
      resumed from a wrong skb and the queue was messed up.  However, we have
      yet to get such a report, and only syzkaller stumbled on it.  So, this
      can be changed safely.
      
      Note this does not change SOCK_SEQPACKET behaviour.
      
      Fixes: c821a88b ("kcm: Fix memory leak in error path of kcm_sendmsg()")
      Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20230912022753.33327-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a22730b1
    • Paolo Abeni's avatar
      Merge branch 'net-renesas-rswitch-fix-a-lot-of-redundant-irq-issue' · 96f7dc69
      Paolo Abeni authored
      Yoshihiro Shimoda says:
      
      ====================
      net: renesas: rswitch: Fix a lot of redundant irq issue
      
      After this patch series was applied, a lot of redundant interrupts
      no longer occur.
      
      For example: when "iperf3 -c <ipaddr> -R" on R-Car S4-8 Spider
       Before the patches are applied: about 800,000 times happened
       After the patches were applied: about 100,000 times happened
      ====================
      
      Link: https://lore.kernel.org/r/20230912014936.3175430-1-yoshihiro.shimoda.uh@renesas.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      96f7dc69
    • Yoshihiro Shimoda's avatar
      net: renesas: rswitch: Add spin lock protection for irq {un}mask · c4f922e8
      Yoshihiro Shimoda authored
      Add spin lock protection for irq {un}mask registers' control.
      
      After napi_complete_done() and this protection were applied,
      a lot of redundant interrupts no longer occur.
      
      For example: when "iperf3 -c <ipaddr> -R" on R-Car S4-8 Spider
       Before the patches are applied: about 800,000 times happened
       After the patches were applied: about 100,000 times happened
      
      Fixes: 3590918b ("net: ethernet: renesas: Add support for "Ethernet Switch"")
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c4f922e8
    • Yoshihiro Shimoda's avatar
      net: renesas: rswitch: Fix unmasking irq condition · e7b1ef29
      Yoshihiro Shimoda authored
      Fix unmasking irq condition by using napi_complete_done(). Otherwise,
      redundant interrupts happen.
      
      Fixes: 3590918b ("net: ethernet: renesas: Add support for "Ethernet Switch"")
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e7b1ef29
  4. 13 Sep, 2023 14 commits
    • Linus Torvalds's avatar
      Merge tag 'pmdomain-v6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm · aed8aee1
      Linus Torvalds authored
      Pull genpm / pmdomain rename from Ulf Hansson:
       "This renames the genpd subsystem to pmdomain.
      
        As discussed on LKML, using 'genpd' as the name of a subsystem isn't
        very self-explanatory and the acronym itself that means Generic PM
        Domain, is known only by a limited group of people.
      
        The suggestion to improve the situation is to rename the subsystem to
        'pmdomain', which there seems to be a good consensus around using.
      
        Ideally it should indicate that its purpose is to manage Power Domains
        or 'PM domains' as we often also use within the Linux Kernel
        terminology"
      
      * tag 'pmdomain-v6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
        pmdomain: Rename the genpd subsystem to pmdomain
      aed8aee1
    • Linus Torvalds's avatar
      Merge tag 'tpmdd-v6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd · 23f108dc
      Linus Torvalds authored
      Pull tpm fix from Jarkko Sakkinen.
      
      * tag 'tpmdd-v6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
        tpm: Fix typo in tpmrm class definition
      23f108dc
    • Linus Torvalds's avatar
      Merge tag 'parisc-for-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 847165d7
      Linus Torvalds authored
      Pull parisc architecture fixes from Helge Deller:
      
       - fix reference to exported symbols for parisc64 [Masahiro Yamada]
      
       - Block-TLB (BTLB) support on 32-bit CPUs
      
       - sparse and build-warning fixes
      
      * tag 'parisc-for-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        linux/export: fix reference to exported functions for parisc64
        parisc: BTLB: Initialize BTLB tables at CPU startup
        parisc: firmware: Simplify calling non-PA20 functions
        parisc: BTLB: _edata symbol has to be page aligned for BTLB support
        parisc: BTLB: Add BTLB insert and purge firmware function wrappers
        parisc: BTLB: Clear possibly existing BTLB entries
        parisc: Prepare for Block-TLB support on 32-bit kernel
        parisc: shmparam.h: Document aliasing requirements of PA-RISC
        parisc: irq: Make irq_stack_union static to avoid sparse warning
        parisc: drivers: Fix sparse warning
        parisc: iosapic.c: Fix sparse warnings
        parisc: ccio-dma: Fix sparse warnings
        parisc: sba-iommu: Fix sparse warnigs
        parisc: sba: Fix compile warning wrt list of SBA devices
        parisc: sba_iommu: Fix build warning if procfs if disabled
      847165d7
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 99214f67
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Add missing LOCKDOWN checks for eventfs callers
      
         When LOCKDOWN is active for tracing, it causes inconsistent state
         when some functions succeed and others fail.
      
       - Use dput() to free the top level eventfs descriptor
      
         There was a race between accesses and freeing it.
      
       - Fix a long standing bug that eventfs exposed due to changing timings
         by dynamically creating files. That is, If a event file is opened for
         an instance, there's nothing preventing the instance from being
         removed which will make accessing the files cause use-after-free
         bugs.
      
       - Fix a ring buffer race that happens when iterating over the ring
         buffer while writers are active. Check to make sure not to read the
         event meta data if it's beyond the end of the ring buffer sub buffer.
      
       - Fix the print trigger that disappeared because the test to create it
         was looking for the event dir field being filled, but now it has the
         "ef" field filled for the eventfs structure.
      
       - Remove the unused "dir" field from the event structure.
      
       - Fix the order of the trace_dynamic_info as it had it backwards for
         the offset and len fields for which one was for which endianess.
      
       - Fix NULL pointer dereference with eventfs_remove_rec()
      
         If an allocation fails in one of the eventfs_add_*() functions, the
         caller of it in event_subsystem_dir() or event_create_dir() assigns
         the result to the structure. But it's assigning the ERR_PTR and not
         NULL. This was passed to eventfs_remove_rec() which expects either a
         good pointer or a NULL, not ERR_PTR. The fix is to not assign the
         ERR_PTR to the structure, but to keep it NULL on error.
      
       - Fix list_for_each_rcu() to use list_for_each_srcu() in
         dcache_dir_open_wrapper(). One iteration of the code used RCU but
         because it had to call sleepable code, it had to be changed to use
         SRCU, but one of the iterations was missed.
      
       - Fix synthetic event print function to use "as_u64" instead of passing
         in a pointer to the union. To fix big/little endian issues, the u64
         that represented several types was turned into a union to define the
         types properly.
      
      * tag 'trace-v6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        eventfs: Fix the NULL pointer dereference bug in eventfs_remove_rec()
        tracefs/eventfs: Use list_for_each_srcu() in dcache_dir_open_wrapper()
        tracing/synthetic: Print out u64 values properly
        tracing/synthetic: Fix order of struct trace_dynamic_info
        selftests/ftrace: Fix dependencies for some of the synthetic event tests
        tracing: Remove unused trace_event_file dir field
        tracing: Use the new eventfs descriptor for print trigger
        ring-buffer: Do not attempt to read past "commit"
        tracefs/eventfs: Free top level files on removal
        ring-buffer: Avoid softlockup in ring_buffer_resize()
        tracing: Have event inject files inc the trace array ref count
        tracing: Have option files inc the trace array ref count
        tracing: Have current_trace inc the trace array ref count
        tracing: Have tracing_max_latency inc the trace array ref count
        tracing: Increase trace array ref count on enable and filter files
        tracefs/eventfs: Use dput to free the toplevel events directory
        tracefs/eventfs: Add missing lockdown checks
        tracefs: Add missing lockdown check to tracefs_create_dir()
      99214f67
    • Corinna Vinschen's avatar
      igb: clean up in all error paths when enabling SR-IOV · bc6ed2fa
      Corinna Vinschen authored
      After commit 50f30349 ("igb: Enable SR-IOV after reinit"), removing
      the igb module could hang or crash (depending on the machine) when the
      module has been loaded with the max_vfs parameter set to some value != 0.
      
      In case of one test machine with a dual port 82580, this hang occurred:
      
      [  232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1
      [  233.093257] igb 0000:41:00.1: IOV Disabled
      [  233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0
      [  233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata)
      [  233.352248] igb 0000:41:00.0:   device [8086:1516] error status/mask=00100000
      [  233.361088] igb 0000:41:00.0:    [20] UnsupReq               (First)
      [  233.368183] igb 0000:41:00.0: AER:   TLP Header: 40000001 0000040f cdbfc00c c
      [  233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata)
      [  233.388779] igb 0000:41:00.1:   device [8086:1516] error status/mask=00100000
      [  233.397629] igb 0000:41:00.1:    [20] UnsupReq               (First)
      [  233.404736] igb 0000:41:00.1: AER:   TLP Header: 40000001 0000040f cdbfc00c c
      [  233.538214] pci 0000:41:00.1: AER: can't recover (no error_detected callback)
      [  233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0
      [  233.546197] pcieport 0000:40:01.0: AER: device recovery failed
      [  234.157244] igb 0000:41:00.0: IOV Disabled
      [  371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds.
      [  371.627489]       Not tainted 6.4.0-dirty #2
      [  371.632257] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this.
      [  371.641000] task:irq/35-aerdrv   state:D stack:0     pid:257   ppid:2      f0
      [  371.650330] Call Trace:
      [  371.653061]  <TASK>
      [  371.655407]  __schedule+0x20e/0x660
      [  371.659313]  schedule+0x5a/0xd0
      [  371.662824]  schedule_preempt_disabled+0x11/0x20
      [  371.667983]  __mutex_lock.constprop.0+0x372/0x6c0
      [  371.673237]  ? __pfx_aer_root_reset+0x10/0x10
      [  371.678105]  report_error_detected+0x25/0x1c0
      [  371.682974]  ? __pfx_report_normal_detected+0x10/0x10
      [  371.688618]  pci_walk_bus+0x72/0x90
      [  371.692519]  pcie_do_recovery+0xb2/0x330
      [  371.696899]  aer_process_err_devices+0x117/0x170
      [  371.702055]  aer_isr+0x1c0/0x1e0
      [  371.705661]  ? __set_cpus_allowed_ptr+0x54/0xa0
      [  371.710723]  ? __pfx_irq_thread_fn+0x10/0x10
      [  371.715496]  irq_thread_fn+0x20/0x60
      [  371.719491]  irq_thread+0xe6/0x1b0
      [  371.723291]  ? __pfx_irq_thread_dtor+0x10/0x10
      [  371.728255]  ? __pfx_irq_thread+0x10/0x10
      [  371.732731]  kthread+0xe2/0x110
      [  371.736243]  ? __pfx_kthread+0x10/0x10
      [  371.740430]  ret_from_fork+0x2c/0x50
      [  371.744428]  </TASK>
      
      The reproducer was a simple script:
      
        #!/bin/sh
        for i in `seq 1 5`; do
          modprobe -rv igb
          modprobe -v igb max_vfs=1
          sleep 1
          modprobe -rv igb
        done
      
      It turned out that this could only be reproduce on 82580 (quad and
      dual-port), but not on 82576, i350 and i210.  Further debugging showed
      that igb_enable_sriov()'s call to pci_enable_sriov() is failing, because
      dev->is_physfn is 0 on 82580.
      
      Prior to commit 50f30349 ("igb: Enable SR-IOV after reinit"),
      igb_enable_sriov() jumped into the "err_out" cleanup branch.  After this
      commit it only returned the error code.
      
      So the cleanup didn't take place, and the incorrect VF setup in the
      igb_adapter structure fooled the igb driver into assuming that VFs have
      been set up where no VF actually existed.
      
      Fix this problem by cleaning up again if pci_enable_sriov() fails.
      
      Fixes: 50f30349 ("igb: Enable SR-IOV after reinit")
      Signed-off-by: default avatarCorinna Vinschen <vinschen@redhat.com>
      Reviewed-by: default avatarAkihiko Odaki <akihiko.odaki@daynix.com>
      Tested-by: default avatarRafal Romanowski <rafal.romanowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc6ed2fa
    • Vadim Fedorenko's avatar
      ixgbe: fix timestamp configuration code · 3c44191d
      Vadim Fedorenko authored
      The commit in fixes introduced flags to control the status of hardware
      configuration while processing packets. At the same time another structure
      is used to provide configuration of timestamper to user-space applications.
      The way it was coded makes this structures go out of sync easily. The
      repro is easy for 82599 chips:
      
      [root@hostname ~]# hwstamp_ctl -i eth0 -r 12 -t 1
      current settings:
      tx_type 0
      rx_filter 0
      new settings:
      tx_type 1
      rx_filter 12
      
      The eth0 device is properly configured to timestamp any PTPv2 events.
      
      [root@hostname ~]# hwstamp_ctl -i eth0 -r 1 -t 1
      current settings:
      tx_type 1
      rx_filter 12
      SIOCSHWTSTAMP failed: Numerical result out of range
      The requested time stamping mode is not supported by the hardware.
      
      The error is properly returned because HW doesn't support all packets
      timestamping. But the adapter->flags is cleared of timestamp flags
      even though no HW configuration was done. From that point no RX timestamps
      are received by user-space application. But configuration shows good
      values:
      
      [root@hostname ~]# hwstamp_ctl -i eth0
      current settings:
      tx_type 1
      rx_filter 12
      
      Fix the issue by applying new flags only when the HW was actually
      configured.
      
      Fixes: a9763f3c ("ixgbe: Update PTP to support X550EM_x devices")
      Signed-off-by: default avatarVadim Fedorenko <vadim.fedorenko@linux.dev>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3c44191d
    • Ulf Hansson's avatar
      pmdomain: Rename the genpd subsystem to pmdomain · e2ad626f
      Ulf Hansson authored
      It has been pointed out that naming a subsystem "genpd" isn't very
      self-explanatory and the acronym itself that means Generic PM Domain, is
      known only by a limited group of people.
      
      In a way to improve the situation, let's rename the subsystem to pmdomain,
      which ideally should indicate that this is about so called Power Domains or
      "PM domains" as we often also use within the Linux Kernel terminology.
      Suggested-by: default avatarRafael J. Wysocki <rafael@kernel.org>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Acked-by: default avatarRafael J. Wysocki <rafael@kernel.org>
      Acked-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Link: https://lore.kernel.org/r/20230912221127.487327-1-ulf.hansson@linaro.org
      e2ad626f
    • David S. Miller's avatar
      Merge branch 'tcp-bind-fixes' · ab6c4ec8
      David S. Miller authored
      Kuniyuki Iwashima says:
      
      ====================
      tcp: Fix bind() regression for v4-mapped-v6 address
      
      Since bhash2 was introduced, bind() is broken in two cases related
      to v4-mapped-v6 address.
      
      This series fixes the regression and adds test to cover the cases.
      
      Changes:
        v2:
          * Added patch 1 to factorise duplicated comparison (Eric Dumazet)
      
        v1: https://lore.kernel.org/netdev/20230911165106.39384-1-kuniyu@amazon.com/
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab6c4ec8
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Add v4-mapped-v6 cases in bind_wildcard.c. · 8637d8e8
      Kuniyuki Iwashima authored
      We add these 8 test cases in bind_wildcard.c to check bind() conflicts.
      
        1st bind()          2nd bind()
        ---------           ---------
        0.0.0.0             ::FFFF:0.0.0.0
        ::FFFF:0.0.0.0      0.0.0.0
        0.0.0.0             ::FFFF:127.0.0.1
        ::FFFF:127.0.0.1    0.0.0.0
        127.0.0.1           ::FFFF:0.0.0.0
        ::FFFF:0.0.0.0      127.0.0.1
        127.0.0.1           ::FFFF:127.0.0.1
        ::FFFF:127.0.0.1    127.0.0.1
      
      All test passed without bhash2 and with bhash2 and this series.
      
       Before bhash2:
        $ uname -r
        6.0.0-rc1-00393-g0bf73255
        $ ./bind_wildcard
        ...
        # PASSED: 16 / 16 tests passed.
      
       Just after bhash2:
        $ uname -r
        6.0.0-rc1-00394-g28044fc1
        $ ./bind_wildcard
        ...
        ok 15 bind_wildcard.v4_local_v6_v4mapped_local.v4_v6
        not ok 16 bind_wildcard.v4_local_v6_v4mapped_local.v6_v4
        # FAILED: 15 / 16 tests passed.
      
       On net.git:
        $ ./bind_wildcard
        ...
        not ok 14 bind_wildcard.v4_local_v6_v4mapped_any.v6_v4
        not ok 16 bind_wildcard.v4_local_v6_v4mapped_local.v6_v4
        # FAILED: 13 / 16 tests passed.
      
       With this series:
        $ ./bind_wildcard
        ...
        # PASSED: 16 / 16 tests passed.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8637d8e8
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Move expected_errno into each test case in bind_wildcard.c. · 2895d879
      Kuniyuki Iwashima authored
      This is a preparation patch for the following patch.
      
      Let's define expected_errno in each test case so that we can add other test
      cases easily.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2895d879
    • Kuniyuki Iwashima's avatar
      selftest: tcp: Fix address length in bind_wildcard.c. · 0071d155
      Kuniyuki Iwashima authored
      The selftest passes the IPv6 address length for an IPv4 address.
      We should pass the correct length.
      
      Note inet_bind_sk() does not check if the size is larger than
      sizeof(struct sockaddr_in), so there is no real bug in this
      selftest.
      
      Fixes: 13715acf ("selftest: Add test for bind() conflicts.")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0071d155
    • Kuniyuki Iwashima's avatar
      tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address. · c48ef9c4
      Kuniyuki Iwashima authored
      Since bhash2 was introduced, the example below does not work as expected.
      These two bind() should conflict, but the 2nd bind() now succeeds.
      
        from socket import *
      
        s1 = socket(AF_INET6, SOCK_STREAM)
        s1.bind(('::ffff:127.0.0.1', 0))
      
        s2 = socket(AF_INET, SOCK_STREAM)
        s2.bind(('127.0.0.1', s1.getsockname()[1]))
      
      During the 2nd bind() in inet_csk_get_port(), inet_bind2_bucket_find()
      fails to find the 1st socket's tb2, so inet_bind2_bucket_create() allocates
      a new tb2 for the 2nd socket.  Then, we call inet_csk_bind_conflict() that
      checks conflicts in the new tb2 by inet_bhash2_conflict().  However, the
      new tb2 does not include the 1st socket, thus the bind() finally succeeds.
      
      In this case, inet_bind2_bucket_match() must check if AF_INET6 tb2 has
      the conflicting v4-mapped-v6 address so that inet_bind2_bucket_find()
      returns the 1st socket's tb2.
      
      Note that if we bind two sockets to 127.0.0.1 and then ::FFFF:127.0.0.1,
      the 2nd bind() fails properly for the same reason mentinoed in the previous
      commit.
      
      Fixes: 28044fc1 ("net: Add a bhash2 table hashed by port and address")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarAndrei Vagin <avagin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c48ef9c4
    • Kuniyuki Iwashima's avatar
      tcp: Fix bind() regression for v4-mapped-v6 wildcard address. · aa99e5f8
      Kuniyuki Iwashima authored
      Andrei Vagin reported bind() regression with strace logs.
      
      If we bind() a TCPv6 socket to ::FFFF:0.0.0.0 and then bind() a TCPv4
      socket to 127.0.0.1, the 2nd bind() should fail but now succeeds.
      
        from socket import *
      
        s1 = socket(AF_INET6, SOCK_STREAM)
        s1.bind(('::ffff:0.0.0.0', 0))
      
        s2 = socket(AF_INET, SOCK_STREAM)
        s2.bind(('127.0.0.1', s1.getsockname()[1]))
      
      During the 2nd bind(), if tb->family is AF_INET6 and sk->sk_family is
      AF_INET in inet_bind2_bucket_match_addr_any(), we still need to check
      if tb has the v4-mapped-v6 wildcard address.
      
      The example above does not work after commit 5456262d ("net: Fix
      incorrect address comparison when searching for a bind2 bucket"), but
      the blamed change is not the commit.
      
      Before the commit, the leading zeros of ::FFFF:0.0.0.0 were treated
      as 0.0.0.0, and the sequence above worked by chance.  Technically, this
      case has been broken since bhash2 was introduced.
      
      Note that if we bind() two sockets to 127.0.0.1 and then ::FFFF:0.0.0.0,
      the 2nd bind() fails properly because we fall back to using bhash to
      detect conflicts for the v4-mapped-v6 address.
      
      Fixes: 28044fc1 ("net: Add a bhash2 table hashed by port and address")
      Reported-by: default avatarAndrei Vagin <avagin@google.com>
      Closes: https://lore.kernel.org/netdev/ZPuYBOFC8zsK6r9T@google.com/Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aa99e5f8
    • Kuniyuki Iwashima's avatar
      tcp: Factorise sk_family-independent comparison in inet_bind2_bucket_match(_addr_any). · c6d27706
      Kuniyuki Iwashima authored
      This is a prep patch to make the following patches cleaner that touch
      inet_bind2_bucket_match() and inet_bind2_bucket_match_addr_any().
      
      Both functions have duplicated comparison for netns, port, and l3mdev.
      Let's factorise them.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c6d27706
  5. 12 Sep, 2023 13 commits
    • Justin M. Forbes's avatar
      tpm: Fix typo in tpmrm class definition · ea72883a
      Justin M. Forbes authored
      Commit d2e8071b ("tpm: make all 'class' structures const")
      unfortunately had a typo for the name on tpmrm.
      
      Fixes: d2e8071b ("tpm: make all 'class' structures const")
      Signed-off-by: default avatarJustin M. Forbes <jforbes@fedoraproject.org>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
      ea72883a
    • Linus Torvalds's avatar
      Merge tag 'for-6.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 3669558b
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - several fixes for handling directory item (inserting, removing,
         iteration, error handling)
      
       - fix transaction commit stalls when auto relocation is running and
         blocks other tasks that want to commit
      
       - fix a build error when DEBUG is enabled
      
       - fix lockdep warning in inode number lookup ioctl
      
       - fix race when finishing block group creation
      
       - remove link to obsolete wiki in several files
      
      * tag 'for-6.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        MAINTAINERS: remove links to obsolete btrfs.wiki.kernel.org
        btrfs: assert delayed node locked when removing delayed item
        btrfs: remove BUG() after failure to insert delayed dir index item
        btrfs: improve error message after failure to add delayed dir index item
        btrfs: fix a compilation error if DEBUG is defined in btree_dirty_folio
        btrfs: check for BTRFS_FS_ERROR in pending ordered assert
        btrfs: fix lockdep splat and potential deadlock after failure running delayed items
        btrfs: do not block starts waiting on previous transaction commit
        btrfs: release path before inode lookup during the ino lookup ioctl
        btrfs: fix race between finishing block group creation and its item update
      3669558b
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v6.6-2' of... · 2c758cef
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Hans de Goede:
      
       - various platform/mellanox fixes
      
       - one new DMI quirk for asus-wmi
      
      * tag 'platform-drivers-x86-v6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: asus-wmi: Support 2023 ROG X16 tablet mode
        platform/mellanox: NVSW_SN2201 should depend on ACPI
        platform/mellanox: mlxbf-bootctl: add NET dependency into Kconfig
        platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
        platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
        platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
        platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
      2c758cef
    • Eric Dumazet's avatar
      ipv6: fix ip6_sock_set_addr_preferences() typo · 8cdd9f1a
      Eric Dumazet authored
      ip6_sock_set_addr_preferences() second argument should be an integer.
      
      SUNRPC attempts to set IPV6_PREFER_SRC_PUBLIC were
      translated to IPV6_PREFER_SRC_TMP
      
      Fixes: 18d5ad62 ("ipv6: add ip6_sock_set_addr_preferences")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Chuck Lever <chuck.lever@oracle.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20230911154213.713941-1-edumazet@google.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      8cdd9f1a
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-next-6.6-rc2' of... · a747acc0
      Linus Torvalds authored
      Merge tag 'linux-kselftest-next-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
      
       - kselftest runner script to propagate SIGTERM to runner child
         to avoid kselftest hang
      
       - install symlinks required for test execution to avoid test
         failures
      
       - kselftest dependency checker script argument parsing
      
      * tag 'linux-kselftest-next-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests: Keep symlinks, when possible
        selftests: fix dependency checker script
        kselftest/runner.sh: Propagate SIGTERM to runner child
        selftests/ftrace: Correctly enable event in instance-event.tc
      a747acc0
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-kunit-6.6-rc2' of... · fb52c87a
      Linus Torvalds authored
      Merge tag 'linux-kselftest-kunit-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kunit fixes from Shuah Khan:
       "Fixes to possible memory leak, null-ptr-deref, wild-memory-access, and
        error path bugs"
      
      * tag 'linux-kselftest-kunit-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        kunit: Fix possible memory leak in kunit_filter_suites()
        kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter()
        kunit: Fix the wrong err path and add goto labels in kunit_filter_suites()
        kunit: Fix wild-memory-access bug in kunit_free_suite_set()
        kunit: test: Make filter strings in executor_test writable
      fb52c87a
    • Linus Torvalds's avatar
      Merge tag 'ovl-fixes-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs · afe03f08
      Linus Torvalds authored
      Pull overlayfs fixes from Amir Goldstein:
       "Two fixes for pretty old regressions"
      
      * tag 'ovl-fixes-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs:
        ovl: fix incorrect fdput() on aio completion
        ovl: fix failed copyup of fileattr on a symlink
      afe03f08
    • Masahiro Yamada's avatar
      linux/export: fix reference to exported functions for parisc64 · 08700ec7
      Masahiro Yamada authored
      John David Anglin reported parisc has been broken since commit
      ddb5cdba ("kbuild: generate KSYMTAB entries by modpost").
      
      Like ia64, parisc64 uses a function descriptor. The function
      references must be prefixed with P%.
      
      Also, symbols prefixed $$ from the library have the symbol type
      STT_LOPROC instead of STT_FUNC. They should be handled as functions
      too.
      
      Fixes: ddb5cdba ("kbuild: generate KSYMTAB entries by modpost")
      Reported-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Tested-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Tested-by: default avatarHelge Deller <deller@gmx.de>
      Closes: https://lore.kernel.org/linux-parisc/1901598a-e11d-f7dd-a5d9-9a69d06e6b6e@bell.net/T/#uSigned-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      08700ec7
    • Toke Høiland-Jørgensen's avatar
      veth: Update XDP feature set when bringing up device · 7a6102aa
      Toke Høiland-Jørgensen authored
      There's an early return in veth_set_features() if the device is in a down
      state, which leads to the XDP feature flags not being updated when enabling
      GRO while the device is down. Which in turn leads to XDP_REDIRECT not
      working, because the redirect code now checks the flags.
      
      Fix this by updating the feature flags after bringing the device up.
      
      Before this patch:
      
      NETDEV_XDP_ACT_BASIC:		yes
      NETDEV_XDP_ACT_REDIRECT:	yes
      NETDEV_XDP_ACT_NDO_XMIT:	no
      NETDEV_XDP_ACT_XSK_ZEROCOPY:	no
      NETDEV_XDP_ACT_HW_OFFLOAD:	no
      NETDEV_XDP_ACT_RX_SG:		yes
      NETDEV_XDP_ACT_NDO_XMIT_SG:	no
      
      After this patch:
      
      NETDEV_XDP_ACT_BASIC:		yes
      NETDEV_XDP_ACT_REDIRECT:	yes
      NETDEV_XDP_ACT_NDO_XMIT:	yes
      NETDEV_XDP_ACT_XSK_ZEROCOPY:	no
      NETDEV_XDP_ACT_HW_OFFLOAD:	no
      NETDEV_XDP_ACT_RX_SG:		yes
      NETDEV_XDP_ACT_NDO_XMIT_SG:	yes
      
      Fixes: fccca038 ("veth: take into account device reconfiguration for xdp_features flag")
      Fixes: 66c0e13a ("drivers: net: turn on XDP features")
      Signed-off-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Link: https://lore.kernel.org/r/20230911135826.722295-1-toke@redhat.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7a6102aa
    • Jinjie Ruan's avatar
      eventfs: Fix the NULL pointer dereference bug in eventfs_remove_rec() · c8414dab
      Jinjie Ruan authored
      Inject fault while probing btrfs.ko, if kstrdup() fails in
      eventfs_prepare_ef() in eventfs_add_dir(), it will return ERR_PTR
      to assign file->ef. But the eventfs_remove() check NULL in
      trace_module_remove_events(), which causes the below NULL
      pointer dereference.
      
      As both Masami and Steven suggest, allocater side should handle the
      error carefully and remove it, so fix the places where it failed.
      
       Could not create tracefs 'raid56_write' directory
       Btrfs loaded, zoned=no, fsverity=no
       Unable to handle kernel NULL pointer dereference at virtual address 000000000000001c
       Mem abort info:
         ESR = 0x0000000096000004
         EC = 0x25: DABT (current EL), IL = 32 bits
         SET = 0, FnV = 0
         EA = 0, S1PTW = 0
         FSC = 0x04: level 0 translation fault
       Data abort info:
         ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
         CM = 0, WnR = 0, TnD = 0, TagAccess = 0
         GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
       user pgtable: 4k pages, 48-bit VAs, pgdp=0000000102544000
       [000000000000001c] pgd=0000000000000000, p4d=0000000000000000
       Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
       Dumping ftrace buffer:
          (ftrace buffer empty)
       Modules linked in: btrfs(-) libcrc32c xor xor_neon raid6_pq cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: btrfs]
       CPU: 15 PID: 1343 Comm: rmmod Tainted: G                 N 6.5.0+ #40
       Hardware name: linux,dummy-virt (DT)
       pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
       pc : eventfs_remove_rec+0x24/0xc0
       lr : eventfs_remove+0x68/0x1d8
       sp : ffff800082d63b60
       x29: ffff800082d63b60 x28: ffffb84b80ddd00c x27: ffffb84b3054ba40
       x26: 0000000000000002 x25: ffff800082d63bf8 x24: ffffb84b8398e440
       x23: ffffb84b82af3000 x22: dead000000000100 x21: dead000000000122
       x20: ffff800082d63bf8 x19: fffffffffffffff4 x18: ffffb84b82508820
       x17: 0000000000000000 x16: 0000000000000000 x15: 000083bc876a3166
       x14: 000000000000006d x13: 000000000000006d x12: 0000000000000000
       x11: 0000000000000001 x10: 00000000000017e0 x9 : 0000000000000001
       x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffffb84b84289804
       x5 : 0000000000000000 x4 : 9696969696969697 x3 : ffff33a5b7601f38
       x2 : 0000000000000000 x1 : ffff800082d63bf8 x0 : fffffffffffffff4
       Call trace:
        eventfs_remove_rec+0x24/0xc0
        eventfs_remove+0x68/0x1d8
        remove_event_file_dir+0x88/0x100
        event_remove+0x140/0x15c
        trace_module_notify+0x1fc/0x230
        notifier_call_chain+0x98/0x17c
        blocking_notifier_call_chain+0x4c/0x74
        __arm64_sys_delete_module+0x1a4/0x298
        invoke_syscall+0x44/0x100
        el0_svc_common.constprop.1+0x68/0xe0
        do_el0_svc+0x1c/0x28
        el0_svc+0x3c/0xc4
        el0t_64_sync_handler+0xa0/0xc4
        el0t_64_sync+0x174/0x178
       Code: 5400052c a90153b3 aa0003f3 aa0103f4 (f9401400)
       ---[ end trace 0000000000000000 ]---
       Kernel panic - not syncing: Oops: Fatal exception
       SMP: stopping secondary CPUs
       Dumping ftrace buffer:
          (ftrace buffer empty)
       Kernel Offset: 0x384b00c00000 from 0xffff800080000000
       PHYS_OFFSET: 0xffffcc5b80000000
       CPU features: 0x88000203,3c020000,1000421b
       Memory Limit: none
       Rebooting in 1 seconds..
      
      Link: https://lore.kernel.org/linux-trace-kernel/20230912134752.1838524-1-ruanjinjie@huawei.com
      Link: https://lore.kernel.org/all/20230912025808.668187-1-ruanjinjie@huawei.com/
      Link: https://lore.kernel.org/all/20230911052818.1020547-1-ruanjinjie@huawei.com/
      Link: https://lore.kernel.org/all/20230909072817.182846-1-ruanjinjie@huawei.com/
      Link: https://lore.kernel.org/all/20230908074816.3724716-1-ruanjinjie@huawei.com/
      
      Cc: Ajay Kaher <akaher@vmware.com>
      Fixes: 5bdcd5f5 ("eventfs: Implement removal of meta data from eventfs")
      Signed-off-by: default avatarJinjie Ruan <ruanjinjie@huawei.com>
      Suggested-by: default avatarMasami Hiramatsu (Google) <mhiramat@kernel.org>
      Suggested-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      c8414dab
    • Sascha Hauer's avatar
      net: macb: fix sleep inside spinlock · 403f0e77
      Sascha Hauer authored
      macb_set_tx_clk() is called under a spinlock but itself calls clk_set_rate()
      which can sleep. This results in:
      
      | BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
      | pps pps1: new PPS source ptp1
      | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 40, name: kworker/u4:3
      | preempt_count: 1, expected: 0
      | RCU nest depth: 0, expected: 0
      | 4 locks held by kworker/u4:3/40:
      |  #0: ffff000003409148
      | macb ff0c0000.ethernet: gem-ptp-timer ptp clock registered.
      |  ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x14c/0x51c
      |  #1: ffff8000833cbdd8 ((work_completion)(&pl->resolve)){+.+.}-{0:0}, at: process_one_work+0x14c/0x51c
      |  #2: ffff000004f01578 (&pl->state_mutex){+.+.}-{4:4}, at: phylink_resolve+0x44/0x4e8
      |  #3: ffff000004f06f50 (&bp->lock){....}-{3:3}, at: macb_mac_link_up+0x40/0x2ac
      | irq event stamp: 113998
      | hardirqs last  enabled at (113997): [<ffff800080e8503c>] _raw_spin_unlock_irq+0x30/0x64
      | hardirqs last disabled at (113998): [<ffff800080e84478>] _raw_spin_lock_irqsave+0xac/0xc8
      | softirqs last  enabled at (113608): [<ffff800080010630>] __do_softirq+0x430/0x4e4
      | softirqs last disabled at (113597): [<ffff80008001614c>] ____do_softirq+0x10/0x1c
      | CPU: 0 PID: 40 Comm: kworker/u4:3 Not tainted 6.5.0-11717-g9355ce8b2f50-dirty #368
      | Hardware name: ... ZynqMP ... (DT)
      | Workqueue: events_power_efficient phylink_resolve
      | Call trace:
      |  dump_backtrace+0x98/0xf0
      |  show_stack+0x18/0x24
      |  dump_stack_lvl+0x60/0xac
      |  dump_stack+0x18/0x24
      |  __might_resched+0x144/0x24c
      |  __might_sleep+0x48/0x98
      |  __mutex_lock+0x58/0x7b0
      |  mutex_lock_nested+0x24/0x30
      |  clk_prepare_lock+0x4c/0xa8
      |  clk_set_rate+0x24/0x8c
      |  macb_mac_link_up+0x25c/0x2ac
      |  phylink_resolve+0x178/0x4e8
      |  process_one_work+0x1ec/0x51c
      |  worker_thread+0x1ec/0x3e4
      |  kthread+0x120/0x124
      |  ret_from_fork+0x10/0x20
      
      The obvious fix is to move the call to macb_set_tx_clk() out of the
      protected area. This seems safe as rx and tx are both disabled anyway at
      this point.
      It is however not entirely clear what the spinlock shall protect. It
      could be the read-modify-write access to the NCFGR register, but this
      is accessed in macb_set_rx_mode() and macb_set_rxcsum_feature() as well
      without holding the spinlock. It could also be the register accesses
      done in mog_init_rings() or macb_init_buffers(), but again these
      functions are called without holding the spinlock in macb_hresp_error_task().
      The locking seems fishy in this driver and it might deserve another look
      before this patch is applied.
      
      Fixes: 633e98a7 ("net: macb: use resolved link config in mac_link_up()")
      Signed-off-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Link: https://lore.kernel.org/r/20230908112913.1701766-1-s.hauer@pengutronix.deSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      403f0e77
    • Liu Jian's avatar
      net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() · cfaa80c9
      Liu Jian authored
      I got the below warning when do fuzzing test:
      BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
      Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9
      
      CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G           OE
      Hardware name: linux,dummy-virt (DT)
      Workqueue: pencrypt_parallel padata_parallel_worker
      Call trace:
       dump_backtrace+0x0/0x420
       show_stack+0x34/0x44
       dump_stack+0x1d0/0x248
       __kasan_report+0x138/0x140
       kasan_report+0x44/0x6c
       __asan_load4+0x94/0xd0
       scatterwalk_copychunks+0x320/0x470
       skcipher_next_slow+0x14c/0x290
       skcipher_walk_next+0x2fc/0x480
       skcipher_walk_first+0x9c/0x110
       skcipher_walk_aead_common+0x380/0x440
       skcipher_walk_aead_encrypt+0x54/0x70
       ccm_encrypt+0x13c/0x4d0
       crypto_aead_encrypt+0x7c/0xfc
       pcrypt_aead_enc+0x28/0x84
       padata_parallel_worker+0xd0/0x2dc
       process_one_work+0x49c/0xbdc
       worker_thread+0x124/0x880
       kthread+0x210/0x260
       ret_from_fork+0x10/0x18
      
      This is because the value of rec_seq of tls_crypto_info configured by the
      user program is too large, for example, 0xffffffffffffff. In addition, TLS
      is asynchronously accelerated. When tls_do_encryption() returns
      -EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow,
      skmsg is released before the asynchronous encryption process ends. As a
      result, the UAF problem occurs during the asynchronous processing of the
      encryption module.
      
      If the operation is asynchronous and the encryption module returns
      EINPROGRESS, do not free the record information.
      
      Fixes: 635d9398 ("net/tls: free record only on encryption error")
      Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
      Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Link: https://lore.kernel.org/r/20230909081434.2324940-1-liujian56@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      cfaa80c9
    • Steven Rostedt (Google)'s avatar
      tracefs/eventfs: Use list_for_each_srcu() in dcache_dir_open_wrapper() · 9243e543
      Steven Rostedt (Google) authored
      The eventfs files list is protected by SRCU. In earlier iterations it was
      protected with just RCU, but because it needed to also call sleepable
      code, it had to be switch to SRCU. The dcache_dir_open_wrapper()
      list_for_each_rcu() was missed and did not get converted over to
      list_for_each_srcu(). That needs to be fixed.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20230911120053.ca82f545e7f46ea753deda18@kernel.org/
      Link: https://lore.kernel.org/linux-trace-kernel/20230911200654.71ce927c@gandalf.local.home
      
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Ajay Kaher <akaher@vmware.com>
      Cc: "Paul E. McKenney" <paulmck@kernel.org>
      Reported-by: default avatarMasami Hiramatsu (Google) <mhiramat@kernel.org>
      Fixes: 63940449 ("eventfs: Implement eventfs lookup, read, open functions")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      9243e543