1. 15 Apr, 2022 11 commits
    • Sukadev Bhattiprolu's avatar
    • Stephen Hemminger's avatar
      net: restore alpha order to Ethernet devices in config · da367ac7
      Stephen Hemminger authored
      The displayed list of Ethernet devices in make menuconfig
      has gotten out of order. This is mostly due to changes in vendor
      names etc, but also because of new Microsoft entry in wrong place.
      
      This restores so that the display is in order even if the names
      of the sub directories are not.
      
      Fixes: ca9c54d2 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
      Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      da367ac7
    • Paolo Valerio's avatar
      openvswitch: fix OOB access in reserve_sfa_size() · cefa91b2
      Paolo Valerio authored
      Given a sufficiently large number of actions, while copying and
      reserving memory for a new action of a new flow, if next_offset is
      greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
      not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
      bytes increasing actions_len by req_size. This can then lead to an OOB
      write access, especially when further actions need to be copied.
      
      Fix it by rearranging the flow action size check.
      
      KASAN splat below:
      
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
      Write of size 65360 at addr ffff888147e4001c by task handler15/836
      
      CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
      ...
      Call Trace:
       <TASK>
       dump_stack_lvl+0x45/0x5a
       print_report.cold+0x5e/0x5db
       ? __lock_text_start+0x8/0x8
       ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
       kasan_report+0xb5/0x130
       ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
       kasan_check_range+0xf5/0x1d0
       memcpy+0x39/0x60
       reserve_sfa_size+0x1ba/0x380 [openvswitch]
       __add_action+0x24/0x120 [openvswitch]
       ovs_nla_add_action+0xe/0x20 [openvswitch]
       ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
       ? __kernel_text_address+0xe/0x30
       ? unwind_get_return_address+0x56/0xa0
       ? create_prof_cpu_mask+0x20/0x20
       ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
       ? prep_compound_page+0x198/0x2a0
       ? __kasan_check_byte+0x10/0x40
       ? kasan_unpoison+0x40/0x70
       ? ksize+0x44/0x60
       ? reserve_sfa_size+0x75/0x380 [openvswitch]
       __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
       ? __zone_watermark_ok+0x420/0x420
       ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
       ? __alloc_pages+0x1a9/0x3e0
       ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
       ? unwind_next_frame+0x991/0x1e40
       ? __mod_node_page_state+0x99/0x120
       ? __mod_lruvec_page_state+0x2e3/0x470
       ? __kasan_kmalloc_large+0x90/0xe0
       ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
       ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
       ...
      
      Cc: stable@vger.kernel.org
      Fixes: f28cd2af ("openvswitch: fix flow actions reallocation")
      Signed-off-by: default avatarPaolo Valerio <pvalerio@redhat.com>
      Acked-by: default avatarEelco Chaudron <echaudro@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cefa91b2
    • Peilin Ye's avatar
      ip6_gre: Fix skb_under_panic in __gre6_xmit() · ab198e1d
      Peilin Ye authored
      Feng reported an skb_under_panic BUG triggered by running
      test_ip6gretap() in tools/testing/selftests/bpf/test_tunnel.sh:
      
      [   82.492551] skbuff: skb_under_panic: text:ffffffffb268bb8e len:403 put:12 head:ffff9997c5480000 data:ffff9997c547fff8 tail:0x18b end:0x2c0 dev:ip6gretap11
      <...>
      [   82.607380] Call Trace:
      [   82.609389]  <TASK>
      [   82.611136]  skb_push.cold.109+0x10/0x10
      [   82.614289]  __gre6_xmit+0x41e/0x590
      [   82.617169]  ip6gre_tunnel_xmit+0x344/0x3f0
      [   82.620526]  dev_hard_start_xmit+0xf1/0x330
      [   82.623882]  sch_direct_xmit+0xe4/0x250
      [   82.626961]  __dev_queue_xmit+0x720/0xfe0
      <...>
      [   82.633431]  packet_sendmsg+0x96a/0x1cb0
      [   82.636568]  sock_sendmsg+0x30/0x40
      <...>
      
      The following sequence of events caused the BUG:
      
      1. During ip6gretap device initialization, tunnel->tun_hlen (e.g. 4) is
         calculated based on old flags (see ip6gre_calc_hlen());
      2. packet_snd() reserves header room for skb A, assuming
         tunnel->tun_hlen is 4;
      3. Later (in clsact Qdisc), the eBPF program sets a new tunnel key for
         skb A using bpf_skb_set_tunnel_key() (see _ip6gretap_set_tunnel());
      4. __gre6_xmit() detects the new tunnel key, and recalculates
         "tun_hlen" (e.g. 12) based on new flags (e.g. TUNNEL_KEY and
         TUNNEL_SEQ);
      5. gre_build_header() calls skb_push() with insufficient reserved header
         room, triggering the BUG.
      
      As sugguested by Cong, fix it by moving the call to skb_cow_head() after
      the recalculation of tun_hlen.
      
      Reproducer:
      
        OBJ=$LINUX/tools/testing/selftests/bpf/test_tunnel_kern.o
      
        ip netns add at_ns0
        ip link add veth0 type veth peer name veth1
        ip link set veth0 netns at_ns0
        ip netns exec at_ns0 ip addr add 172.16.1.100/24 dev veth0
        ip netns exec at_ns0 ip link set dev veth0 up
        ip link set dev veth1 up mtu 1500
        ip addr add dev veth1 172.16.1.200/24
      
        ip netns exec at_ns0 ip addr add ::11/96 dev veth0
        ip netns exec at_ns0 ip link set dev veth0 up
        ip addr add dev veth1 ::22/96
        ip link set dev veth1 up
      
        ip netns exec at_ns0 \
        	ip link add dev ip6gretap00 type ip6gretap seq flowlabel 0xbcdef key 2 \
        	local ::11 remote ::22
      
        ip netns exec at_ns0 ip addr add dev ip6gretap00 10.1.1.100/24
        ip netns exec at_ns0 ip addr add dev ip6gretap00 fc80::100/96
        ip netns exec at_ns0 ip link set dev ip6gretap00 up
      
        ip link add dev ip6gretap11 type ip6gretap external
        ip addr add dev ip6gretap11 10.1.1.200/24
        ip addr add dev ip6gretap11 fc80::200/24
        ip link set dev ip6gretap11 up
      
        tc qdisc add dev ip6gretap11 clsact
        tc filter add dev ip6gretap11 egress bpf da obj $OBJ sec ip6gretap_set_tunnel
        tc filter add dev ip6gretap11 ingress bpf da obj $OBJ sec ip6gretap_get_tunnel
      
        ping6 -c 3 -w 10 -q ::11
      
      Fixes: 6712abc1 ("ip6_gre: add ip6 gre and gretap collect_md mode")
      Reported-by: default avatarFeng Zhou <zhoufeng.zf@bytedance.com>
      Co-developed-by: default avatarCong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarCong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarPeilin Ye <peilin.ye@bytedance.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab198e1d
    • Peilin Ye's avatar
      ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit() · f40c064e
      Peilin Ye authored
      Do not update tunnel->tun_hlen in data plane code.  Use a local variable
      instead, just like "tunnel_hlen" in net/ipv4/ip_gre.c:gre_fb_xmit().
      Co-developed-by: default avatarCong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarCong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarPeilin Ye <peilin.ye@bytedance.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f40c064e
    • David S. Miller's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 226c6024
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2022-04-14
      
      This series contains updates to ice driver only.
      
      Maciej adjusts implementation in __ice_alloc_rx_bufs_zc() for when
      ice_fill_rx_descs() does not return the entire buffer request and fixes a
      return value for !CONFIG_NET_SWITCHDEV configuration which was preventing
      VF creation.
      
      Wojciech prevents eswitch transmit when VFs are being removed which was
      causing NULL pointer dereference.
      
      Jianglei Nie fixes a memory leak on error path of getting OROM data.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      226c6024
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 2cc7fb9d
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2022-04-14
      
      1) Fix the output interface for VRF cases in xfrm_dst_lookup.
         From David Ahern.
      
      2) Fix write out of bounds by doing COW on esp output when the
         packet size is larger than a page.
         From Sabrina Dubroca.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2cc7fb9d
    • Hangbin Liu's avatar
      net/packet: fix packet_sock xmit return value checking · 29e8e659
      Hangbin Liu authored
      packet_sock xmit could be dev_queue_xmit, which also returns negative
      errors. So only checking positive errors is not enough, or userspace
      sendmsg may return success while packet is not send out.
      
      Move the net_xmit_errno() assignment in the braces as checkpatch.pl said
      do not use assignment in if condition.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarFlavio Leitner <fbl@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      29e8e659
    • Tony Lu's avatar
      net/smc: Fix sock leak when release after smc_shutdown() · 1a74e993
      Tony Lu authored
      Since commit e5d5aadc ("net/smc: fix sk_refcnt underflow on linkdown
      and fallback"), for a fallback connection, __smc_release() does not call
      sock_put() if its state is already SMC_CLOSED.
      
      When calling smc_shutdown() after falling back, its state is set to
      SMC_CLOSED but does not call sock_put(), so this patch calls it.
      
      Reported-and-tested-by: syzbot+6e29a053eb165bd50de5@syzkaller.appspotmail.com
      Fixes: e5d5aadc ("net/smc: fix sk_refcnt underflow on linkdown and fallback")
      Signed-off-by: default avatarTony Lu <tonylu@linux.alibaba.com>
      Acked-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1a74e993
    • David Howells's avatar
      rxrpc: Restore removed timer deletion · ee3b0826
      David Howells authored
      A recent patch[1] from Eric Dumazet flipped the order in which the
      keepalive timer and the keepalive worker were cancelled in order to fix a
      syzbot reported issue[2].  Unfortunately, this enables the mirror image bug
      whereby the timer races with rxrpc_exit_net(), restarting the worker after
      it has been cancelled:
      
      	CPU 1		CPU 2
      	===============	=====================
      			if (rxnet->live)
      			<INTERRUPT>
      	rxnet->live = false;
       	cancel_work_sync(&rxnet->peer_keepalive_work);
      			rxrpc_queue_work(&rxnet->peer_keepalive_work);
      	del_timer_sync(&rxnet->peer_keepalive_timer);
      
      Fix this by restoring the removed del_timer_sync() so that we try to remove
      the timer twice.  If the timer runs again, it should see ->live == false
      and not restart the worker.
      
      Fixes: 1946014c ("rxrpc: fix a race in rxrpc_exit_net()")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Eric Dumazet <edumazet@google.com>
      cc: Marc Dionne <marc.dionne@auristor.com>
      cc: linux-afs@lists.infradead.org
      Link: https://lore.kernel.org/r/20220404183439.3537837-1-eric.dumazet@gmail.com/ [1]
      Link: https://syzkaller.appspot.com/bug?extid=724378c4bb58f703b09a [2]
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee3b0826
    • Arun Ramadoss's avatar
      net: phy: LAN937x: added PHY_POLL_CABLE_TEST flag · 6f06aa6b
      Arun Ramadoss authored
      Added the phy_poll_cable_test flag for the lan937x phy driver.
      Tested using command -  ethtool --cable-test <dev>
      
      Fixes: 680baca5 ("net: phy: added the LAN937x phy support")
      Signed-off-by: default avatarArun Ramadoss <arun.ramadoss@microchip.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f06aa6b
  2. 14 Apr, 2022 12 commits
    • Linus Torvalds's avatar
      Merge tag 'net-5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · d20339fa
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from wireless and netfilter.
      
        Current release - regressions:
      
         - smc: fix af_ops of child socket pointing to released memory
      
         - wifi: ath9k: fix usage of driver-private space in tx_info
      
        Previous releases - regressions:
      
         - ipv6: fix panic when forwarding a pkt with no in6 dev
      
         - sctp: use the correct skb for security_sctp_assoc_request
      
         - smc: fix NULL pointer dereference in smc_pnet_find_ib()
      
         - sched: fix initialization order when updating chain 0 head
      
         - phy: don't defer probe forever if PHY IRQ provider is missing
      
         - dsa: revert "net: dsa: setup master before ports"
      
         - dsa: felix: fix tagging protocol changes with multiple CPU ports
      
         - eth: ice:
            - fix use-after-free when freeing @rx_cpu_rmap
            - revert "iavf: fix deadlock occurrence during resetting VF
              interface"
      
         - eth: lan966x: stop processing the MAC entry is port is wrong
      
        Previous releases - always broken:
      
         - sched:
            - flower: fix parsing of ethertype following VLAN header
            - taprio: check if socket flags are valid
      
         - nfc: add flush_workqueue to prevent uaf
      
         - veth: ensure eth header is in skb's linear part
      
         - eth: stmmac: fix altr_tse_pcs function when using a fixed-link
      
         - eth: macb: restart tx only if queue pointer is lagging
      
         - eth: macvlan: fix leaking skb in source mode with nodst option"
      
      * tag 'net-5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (52 commits)
        net: bcmgenet: Revert "Use stronger register read/writes to assure ordering"
        rtnetlink: Fix handling of disabled L3 stats in RTM_GETSTATS replies
        net: dsa: felix: fix tagging protocol changes with multiple CPU ports
        tun: annotate access to queue->trans_start
        nfc: nci: add flush_workqueue to prevent uaf
        net: dsa: realtek: don't parse compatible string for RTL8366S
        net: dsa: realtek: fix Kconfig to assure consistent driver linkage
        net: ftgmac100: access hardware register after clock ready
        Revert "net: dsa: setup master before ports"
        macvlan: Fix leaking skb in source mode with nodst option
        netfilter: nf_tables: nft_parse_register can return a negative value
        net: lan966x: Stop processing the MAC entry is port is wrong.
        net: lan966x: Fix when a port's upper is changed.
        net: lan966x: Fix IGMP snooping when frames have vlan tag
        net: lan966x: Update lan966x_ptp_get_nominal_value
        sctp: Initialize daddr on peeled off socket
        net/smc: Fix af_ops of child socket pointing to released memory
        net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
        net/smc: use memcpy instead of snprintf to avoid out of bounds read
        net: macb: Restart tx only if queue pointer is lagging
        ...
      d20339fa
    • Linus Torvalds's avatar
      Merge tag 'sound-5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · b9b4c79e
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This became an unexpectedly large pull request due to various
        regression fixes in the previous kernels.
      
        The majority of fixes are a series of patches to address the
        regression at probe errors in devres'ed drivers, while there are yet
        more fixes for the x86 SG allocations and for USB-audio buffer
        management. In addition, a few HD-audio quirks and other small fixes
        are found"
      
      * tag 'sound-5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (52 commits)
        ALSA: usb-audio: Limit max buffer and period sizes per time
        ALSA: memalloc: Add fallback SG-buffer allocations for x86
        ALSA: nm256: Don't call card private_free at probe error path
        ALSA: mtpav: Don't call card private_free at probe error path
        ALSA: rme9652: Fix the missing snd_card_free() call at probe error
        ALSA: hdspm: Fix the missing snd_card_free() call at probe error
        ALSA: hdsp: Fix the missing snd_card_free() call at probe error
        ALSA: oxygen: Fix the missing snd_card_free() call at probe error
        ALSA: lx6464es: Fix the missing snd_card_free() call at probe error
        ALSA: cmipci: Fix the missing snd_card_free() call at probe error
        ALSA: aw2: Fix the missing snd_card_free() call at probe error
        ALSA: als300: Fix the missing snd_card_free() call at probe error
        ALSA: lola: Fix the missing snd_card_free() call at probe error
        ALSA: bt87x: Fix the missing snd_card_free() call at probe error
        ALSA: sis7019: Fix the missing error handling
        ALSA: intel_hdmi: Fix the missing snd_card_free() call at probe error
        ALSA: via82xx: Fix the missing snd_card_free() call at probe error
        ALSA: sonicvibes: Fix the missing snd_card_free() call at probe error
        ALSA: rme96: Fix the missing snd_card_free() call at probe error
        ALSA: rme32: Fix the missing snd_card_free() call at probe error
        ...
      b9b4c79e
    • Linus Torvalds's avatar
      Merge tag 'for-5.18-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 722985e2
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "A few more code and warning fixes.
      
        There's one feature ioctl removal patch slated for 5.18 that did not
        make it to the main pull request. It's just a one-liner and the ioctl
        has a v2 that's in use for a long time, no point to postpone it to
        5.19.
      
        Late update:
      
         - remove balance v1 ioctl, superseded by v2 in 2012
      
        Fixes:
      
         - add back cgroup attribution for compressed writes
      
         - add super block write start/end annotations to asynchronous balance
      
         - fix root reference count on an error handling path
      
         - in zoned mode, activate zone at the chunk allocation time to avoid
           ENOSPC due to timing issues
      
         - fix delayed allocation accounting for direct IO
      
        Warning fixes:
      
         - simplify assertion condition in zoned check
      
         - remove an unused variable"
      
      * tag 'for-5.18-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix btrfs_submit_compressed_write cgroup attribution
        btrfs: fix root ref counts in error handling in btrfs_get_root_ref
        btrfs: zoned: activate block group only for extent allocation
        btrfs: return allocated block group from do_chunk_alloc()
        btrfs: mark resumed async balance as writing
        btrfs: remove support of balance v1 ioctl
        btrfs: release correct delalloc amount in direct IO write path
        btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
        btrfs: zoned: remove redundant condition in btrfs_run_delalloc_range
      722985e2
    • Linus Torvalds's avatar
      Merge tag 'fscache-fixes-20220413' of... · ec9c57a7
      Linus Torvalds authored
      Merge tag 'fscache-fixes-20220413' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
      
      Pull fscache fixes from David Howells:
       "Here's a collection of fscache and cachefiles fixes and misc small
        cleanups. The two main fixes are:
      
         - Add a missing unmark of the inode in-use mark in an error path.
      
         - Fix a KASAN slab-out-of-bounds error when setting the xattr on a
           cachefiles volume due to the wrong length being given to memcpy().
      
        In addition, there's the removal of an unused parameter, removal of an
        unused Kconfig option, conditionalising a bit of procfs-related stuff
        and some doc fixes"
      
      * tag 'fscache-fixes-20220413' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        fscache: remove FSCACHE_OLD_API Kconfig option
        fscache: Use wrapper fscache_set_cache_state() directly when relinquishing
        fscache: Move fscache_cookies_seq_ops specific code under CONFIG_PROC_FS
        fscache: Remove the cookie parameter from fscache_clear_page_bits()
        docs: filesystems: caching/backend-api.rst: fix an object withdrawn API
        docs: filesystems: caching/backend-api.rst: correct two relinquish APIs use
        cachefiles: Fix KASAN slab-out-of-bounds in cachefiles_set_volume_xattr
        cachefiles: unmark inode in use in error path
      ec9c57a7
    • Jianglei Nie's avatar
      ice: Fix memory leak in ice_get_orom_civd_data() · 7c8881b7
      Jianglei Nie authored
      A memory chunk was allocated for orom_data in ice_get_orom_civd_data()
      by vzmalloc(). But when ice_read_flash_module() fails, the allocated
      memory is not freed, which will lead to a memory leak.
      
      We can fix it by freeing the orom_data when ce_read_flash_module() fails.
      
      Fixes: af18d886 ("ice: reduce time to read Option ROM CIVD data")
      Signed-off-by: default avatarJianglei Nie <niejianglei2021@163.com>
      Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      7c8881b7
    • Wojciech Drewek's avatar
      ice: fix crash in switchdev mode · d2016651
      Wojciech Drewek authored
      Below steps end up with crash:
      - modprobe ice
      - devlink dev eswitch set $PF1_PCI mode switchdev
      - echo 64 > /sys/class/net/$PF1/device/sriov_numvfs
      - rmmod ice
      
      Calling ice_eswitch_port_start_xmit while the process of removing
      VFs is in progress ends up with NULL pointer dereference.
      That's because PR netdev is not released but some resources
      are already freed. Fix it by checking if ICE_VF_DIS bit is set.
      
      Call trace:
      [ 1379.595146] BUG: kernel NULL pointer dereference, address: 0000000000000040
      [ 1379.595284] #PF: supervisor read access in kernel mode
      [ 1379.595410] #PF: error_code(0x0000) - not-present page
      [ 1379.595535] PGD 0 P4D 0
      [ 1379.595657] Oops: 0000 [#1] PREEMPT SMP PTI
      [ 1379.595783] CPU: 4 PID: 974 Comm: NetworkManager Kdump: loaded Tainted: G           OE     5.17.0-rc8_mrq_dev-queue+ #12
      [ 1379.595926] Hardware name: Intel Corporation S1200SP/S1200SP, BIOS S1200SP.86B.03.01.0042.013020190050 01/30/2019
      [ 1379.596063] RIP: 0010:ice_eswitch_port_start_xmit+0x46/0xd0 [ice]
      [ 1379.596292] Code: c7 c8 09 00 00 e8 9a c9 fc ff 84 c0 0f 85 82 00 00 00 4c 89 e7 e8 ca 70 fe ff 48 8b 7d 58 48 89 c3 48 85 ff 75 5e 48 8b 53 20 <8b> 42 40 85 c0 74 78 8d 48 01 f0 0f b1 4a 40 75 f2 0f b6 95 84 00
      [ 1379.596456] RSP: 0018:ffffaba0c0d7bad0 EFLAGS: 00010246
      [ 1379.596584] RAX: ffff969c14c71680 RBX: ffff969c14c71680 RCX: 000100107a0f0000
      [ 1379.596715] RDX: 0000000000000000 RSI: ffff969b9d631000 RDI: 0000000000000000
      [ 1379.596846] RBP: ffff969c07b46500 R08: ffff969becfca8ac R09: 0000000000000001
      [ 1379.596977] R10: 0000000000000004 R11: ffffaba0c0d7bbec R12: ffff969b9d631000
      [ 1379.597106] R13: ffffffffc08357a0 R14: ffff969c07b46500 R15: ffff969b9d631000
      [ 1379.597237] FS:  00007f72c0e25c80(0000) GS:ffff969f13500000(0000) knlGS:0000000000000000
      [ 1379.597414] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1379.597562] CR2: 0000000000000040 CR3: 000000012b316006 CR4: 00000000003706e0
      [ 1379.597713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1379.597863] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 1379.598015] Call Trace:
      [ 1379.598153]  <TASK>
      [ 1379.598294]  dev_hard_start_xmit+0xd9/0x220
      [ 1379.598444]  sch_direct_xmit+0x8a/0x340
      [ 1379.598592]  __dev_queue_xmit+0xa3c/0xd30
      [ 1379.598739]  ? packet_parse_headers+0xb4/0xf0
      [ 1379.598890]  packet_sendmsg+0xa15/0x1620
      [ 1379.599038]  ? __check_object_size+0x46/0x140
      [ 1379.599186]  sock_sendmsg+0x5e/0x60
      [ 1379.599330]  ____sys_sendmsg+0x22c/0x270
      [ 1379.599474]  ? import_iovec+0x17/0x20
      [ 1379.599622]  ? sendmsg_copy_msghdr+0x59/0x90
      [ 1379.599771]  ___sys_sendmsg+0x81/0xc0
      [ 1379.599917]  ? __pollwait+0xd0/0xd0
      [ 1379.600061]  ? preempt_count_add+0x68/0xa0
      [ 1379.600210]  ? _raw_write_lock_irq+0x1a/0x40
      [ 1379.600369]  ? ep_done_scan+0xc9/0x110
      [ 1379.600494]  ? _raw_spin_unlock_irqrestore+0x25/0x40
      [ 1379.600622]  ? preempt_count_add+0x68/0xa0
      [ 1379.600747]  ? _raw_spin_lock_irq+0x1a/0x40
      [ 1379.600899]  ? __fget_light+0x8f/0x110
      [ 1379.601024]  __sys_sendmsg+0x49/0x80
      [ 1379.601148]  ? release_ds_buffers+0x50/0xe0
      [ 1379.601274]  do_syscall_64+0x3b/0x90
      [ 1379.601399]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [ 1379.601525] RIP: 0033:0x7f72c1e2e35d
      
      Fixes: f5396b8a ("ice: switchdev slow path")
      Signed-off-by: default avatarWojciech Drewek <wojciech.drewek@intel.com>
      Reported-by: default avatarMarcin Szycik <marcin.szycik@linux.intel.com>
      Reviewed-by: default avatarMichal Swiatkowski <michal.swiatkowski@linux.intel.com>
      Tested-by: default avatarSandeep Penigalapati <sandeep.penigalapati@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      d2016651
    • Maciej Fijalkowski's avatar
      ice: allow creating VFs for !CONFIG_NET_SWITCHDEV · aacca7a8
      Maciej Fijalkowski authored
      Currently for !CONFIG_NET_SWITCHDEV kernel builds it is not possible to
      create VFs properly as call to ice_eswitch_configure() returns
      -EOPNOTSUPP for us. This is because CONFIG_ICE_SWITCHDEV depends on
      CONFIG_NET_SWITCHDEV.
      
      Change the ice_eswitch_configure() implementation for
      !CONFIG_ICE_SWITCHDEV to return 0 instead -EOPNOTSUPP and let
      ice_ena_vfs() finish its work properly.
      
      CC: Grzegorz Nitka <grzegorz.nitka@intel.com>
      Fixes: 1a1c40df ("ice: set and release switchdev environment")
      Signed-off-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Signed-off-by: default avatarMichal Swiatkowski <michal.swiatkowski@intel.com>
      Tested-by: default avatarKonrad Jankowski <konrad0.jankowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      aacca7a8
    • Maciej Fijalkowski's avatar
      ice: xsk: check if Rx ring was filled up to the end · d1fc4c6f
      Maciej Fijalkowski authored
      __ice_alloc_rx_bufs_zc() checks if a number of the descriptors to be
      allocated would cause the ring wrap. In that case, driver will issue two
      calls to xsk_buff_alloc_batch() - one that will fill the ring up to the
      end and the second one that will start with filling descriptors from the
      beginning of the ring.
      
      ice_fill_rx_descs() is a wrapper for taking care of what
      xsk_buff_alloc_batch() gave back to the driver. It works in a best
      effort approach, so for example when driver asks for 64 buffers,
      ice_fill_rx_descs() could assign only 32. Such case needs to be checked
      when ring is being filled up to the end, because in that situation ntu
      might not reached the end of the ring.
      
      Fix the ring wrap by checking if nb_buffs_extra has the expected value.
      If not, bump ntu and go directly to tail update.
      
      Fixes: 3876ff52 ("ice: xsk: Handle SW XDP ring wrap and bump tail more often")
      Signed-off-by: default avatarMagnus Karlsson <magnus.karlsson@intel.com>
      Signed-off-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Tested-by: default avatarShwetha Nagaraju <Shwetha.nagaraju@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      d1fc4c6f
    • Jeremy Linton's avatar
      net: bcmgenet: Revert "Use stronger register read/writes to assure ordering" · 2df3fc4a
      Jeremy Linton authored
      It turns out after digging deeper into this bug, that it was being
      triggered by GCC12 failing to call the bcmgenet_enable_dma()
      routine. Given that a gcc12 fix has been merged [1] and the genet
      driver now works properly when built with gcc12, this commit should
      be reverted.
      
      [1]
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105160
      https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=aabb9a261ef060cf24fd626713f1d7d9df81aa57
      
      Fixes: 8d3ea3d4 ("net: bcmgenet: Use stronger register read/writes to assure ordering")
      Signed-off-by: default avatarJeremy Linton <jeremy.linton@arm.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20220412210420.1129430-1-jeremy.linton@arm.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      2df3fc4a
    • Petr Machata's avatar
      rtnetlink: Fix handling of disabled L3 stats in RTM_GETSTATS replies · 23cfe941
      Petr Machata authored
      When L3 stats are disabled, rtnl_offload_xstats_get_size_stats() returns
      size of 0, which is supposed to be an indication that the corresponding
      attribute should not be emitted. However, instead, the current code
      reserves a 0-byte attribute.
      
      The reason this does not show up as a citation on a kasan kernel is that
      netdev_offload_xstats_get(), which is supposed to fill in the data, never
      ends up getting called, because rtnl_offload_xstats_get_stats() notices
      that the stats are not actually used and skips the call.
      
      Thus a zero-length IFLA_OFFLOAD_XSTATS_L3_STATS attribute ends up in a
      response, confusing the userspace.
      
      Fix by skipping the L3-stats related block in rtnl_offload_xstats_fill().
      
      Fixes: 0e7788fd ("net: rtnetlink: Add UAPI for obtaining L3 offload xstats")
      Signed-off-by: default avatarPetr Machata <petrm@nvidia.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Link: https://lore.kernel.org/r/591b58e7623edc3eb66dd1fcfa8c8f133d090974.1649794741.git.petrm@nvidia.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      23cfe941
    • Vladimir Oltean's avatar
      net: dsa: felix: fix tagging protocol changes with multiple CPU ports · 00fa91bc
      Vladimir Oltean authored
      When the device tree has 2 CPU ports defined, a single one is active
      (has any dp->cpu_dp pointers point to it). Yet the second one is still a
      CPU port, and DSA still calls ->change_tag_protocol on it.
      
      On the NXP LS1028A, the CPU ports are ports 4 and 5. Port 4 is the
      active CPU port and port 5 is inactive.
      
      After the following commands:
      
       # Initial setting
       cat /sys/class/net/eno2/dsa/tagging
       ocelot
       echo ocelot-8021q > /sys/class/net/eno2/dsa/tagging
       echo ocelot > /sys/class/net/eno2/dsa/tagging
      
      traffic is now broken, because the driver has moved the NPI port from
      port 4 to port 5, unbeknown to DSA.
      
      The problem can be avoided by detecting that the second CPU port is
      unused, and not doing anything for it. Further rework will be needed
      when proper support for multiple CPU ports is added.
      
      Treat this as a bug and prepare current kernels to work in single-CPU
      mode with multiple-CPU DT blobs.
      
      Fixes: adb3dccf ("net: dsa: felix: convert to the new .change_tag_protocol DSA API")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20220412172209.2531865-1-vladimir.oltean@nxp.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      00fa91bc
    • Antoine Tenart's avatar
      tun: annotate access to queue->trans_start · 968a1a5d
      Antoine Tenart authored
      Commit 5337824f ("net: annotate accesses to queue->trans_start")
      introduced a new helper, txq_trans_cond_update, to update
      queue->trans_start using WRITE_ONCE. One snippet in drivers/net/tun.c
      was missed, as it was introduced roughly at the same time.
      
      Fixes: 5337824f ("net: annotate accesses to queue->trans_start")
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarAntoine Tenart <atenart@kernel.org>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20220412135852.466386-1-atenart@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      968a1a5d
  3. 13 Apr, 2022 14 commits
    • Lin Ma's avatar
      nfc: nci: add flush_workqueue to prevent uaf · ef27324e
      Lin Ma authored
      Our detector found a concurrent use-after-free bug when detaching an
      NCI device. The main reason for this bug is the unexpected scheduling
      between the used delayed mechanism (timer and workqueue).
      
      The race can be demonstrated below:
      
      Thread-1                           Thread-2
                                       | nci_dev_up()
                                       |   nci_open_device()
                                       |     __nci_request(nci_reset_req)
                                       |       nci_send_cmd
                                       |         queue_work(cmd_work)
      nci_unregister_device()          |
        nci_close_device()             | ...
          del_timer_sync(cmd_timer)[1] |
      ...                              | Worker
      nci_free_device()                | nci_cmd_work()
        kfree(ndev)[3]                 |   mod_timer(cmd_timer)[2]
      
      In short, the cleanup routine thought that the cmd_timer has already
      been detached by [1] but the mod_timer can re-attach the timer [2], even
      it is already released [3], resulting in UAF.
      
      This UAF is easy to trigger, crash trace by POC is like below
      
      [   66.703713] ==================================================================
      [   66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490
      [   66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33
      [   66.703974]
      [   66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5
      [   66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work
      [   66.703974] Call Trace:
      [   66.703974]  <TASK>
      [   66.703974]  dump_stack_lvl+0x57/0x7d
      [   66.703974]  print_report.cold+0x5e/0x5db
      [   66.703974]  ? enqueue_timer+0x448/0x490
      [   66.703974]  kasan_report+0xbe/0x1c0
      [   66.703974]  ? enqueue_timer+0x448/0x490
      [   66.703974]  enqueue_timer+0x448/0x490
      [   66.703974]  __mod_timer+0x5e6/0xb80
      [   66.703974]  ? mark_held_locks+0x9e/0xe0
      [   66.703974]  ? try_to_del_timer_sync+0xf0/0xf0
      [   66.703974]  ? lockdep_hardirqs_on_prepare+0x17b/0x410
      [   66.703974]  ? queue_work_on+0x61/0x80
      [   66.703974]  ? lockdep_hardirqs_on+0xbf/0x130
      [   66.703974]  process_one_work+0x8bb/0x1510
      [   66.703974]  ? lockdep_hardirqs_on_prepare+0x410/0x410
      [   66.703974]  ? pwq_dec_nr_in_flight+0x230/0x230
      [   66.703974]  ? rwlock_bug.part.0+0x90/0x90
      [   66.703974]  ? _raw_spin_lock_irq+0x41/0x50
      [   66.703974]  worker_thread+0x575/0x1190
      [   66.703974]  ? process_one_work+0x1510/0x1510
      [   66.703974]  kthread+0x2a0/0x340
      [   66.703974]  ? kthread_complete_and_exit+0x20/0x20
      [   66.703974]  ret_from_fork+0x22/0x30
      [   66.703974]  </TASK>
      [   66.703974]
      [   66.703974] Allocated by task 267:
      [   66.703974]  kasan_save_stack+0x1e/0x40
      [   66.703974]  __kasan_kmalloc+0x81/0xa0
      [   66.703974]  nci_allocate_device+0xd3/0x390
      [   66.703974]  nfcmrvl_nci_register_dev+0x183/0x2c0
      [   66.703974]  nfcmrvl_nci_uart_open+0xf2/0x1dd
      [   66.703974]  nci_uart_tty_ioctl+0x2c3/0x4a0
      [   66.703974]  tty_ioctl+0x764/0x1310
      [   66.703974]  __x64_sys_ioctl+0x122/0x190
      [   66.703974]  do_syscall_64+0x3b/0x90
      [   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [   66.703974]
      [   66.703974] Freed by task 406:
      [   66.703974]  kasan_save_stack+0x1e/0x40
      [   66.703974]  kasan_set_track+0x21/0x30
      [   66.703974]  kasan_set_free_info+0x20/0x30
      [   66.703974]  __kasan_slab_free+0x108/0x170
      [   66.703974]  kfree+0xb0/0x330
      [   66.703974]  nfcmrvl_nci_unregister_dev+0x90/0xd0
      [   66.703974]  nci_uart_tty_close+0xdf/0x180
      [   66.703974]  tty_ldisc_kill+0x73/0x110
      [   66.703974]  tty_ldisc_hangup+0x281/0x5b0
      [   66.703974]  __tty_hangup.part.0+0x431/0x890
      [   66.703974]  tty_release+0x3a8/0xc80
      [   66.703974]  __fput+0x1f0/0x8c0
      [   66.703974]  task_work_run+0xc9/0x170
      [   66.703974]  exit_to_user_mode_prepare+0x194/0x1a0
      [   66.703974]  syscall_exit_to_user_mode+0x19/0x50
      [   66.703974]  do_syscall_64+0x48/0x90
      [   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      To fix the UAF, this patch adds flush_workqueue() to ensure the
      nci_cmd_work is finished before the following del_timer_sync.
      This combination will promise the timer is actually detached.
      
      Fixes: 6a2968aa ("NFC: basic NCI protocol implementation")
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ef27324e
    • Alvin Šipraga's avatar
      net: dsa: realtek: don't parse compatible string for RTL8366S · 8e925de6
      Alvin Šipraga authored
      This switch is not even supported, but if someone were to actually put
      this compatible string "realtek,rtl8366s" in their device tree, they
      would be greeted with a kernel panic because the probe function would
      dereference NULL. So let's just remove it.
      
      Link: https://lore.kernel.org/all/CACRpkdYdKZs0WExXc3=0yPNOwP+oOV60HRz7SRoGjZvYHaT=1g@mail.gmail.com/Signed-off-by: default avatarAlvin Šipraga <alsi@bang-olufsen.dk>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8e925de6
    • Alvin Šipraga's avatar
      net: dsa: realtek: fix Kconfig to assure consistent driver linkage · 2511e0c8
      Alvin Šipraga authored
      The kernel test robot reported a build failure:
      
      or1k-linux-ld: drivers/net/dsa/realtek/realtek-smi.o:(.rodata+0x16c): undefined reference to `rtl8366rb_variant'
      
      ... with the following build configuration:
      
      CONFIG_NET_DSA_REALTEK=y
      CONFIG_NET_DSA_REALTEK_SMI=y
      CONFIG_NET_DSA_REALTEK_RTL8365MB=y
      CONFIG_NET_DSA_REALTEK_RTL8366RB=m
      
      The problem here is that the realtek-smi interface driver gets built-in,
      while the rtl8366rb switch subdriver gets built as a module, hence the
      symbol rtl8366rb_variant is not reachable when defining the OF device
      table in the interface driver.
      
      The Kconfig dependencies don't help in this scenario because they just
      say that the subdriver(s) depend on at least one interface driver. In
      fact, the subdrivers don't depend on the interface drivers at all, and
      can even be built even in their absence. Somewhat strangely, the
      interface drivers can also be built in the absence of any subdriver,
      BUT, if a subdriver IS enabled, then it must be reachable according to
      the linkage of the interface driver: effectively what the IS_REACHABLE()
      macro achieves. If it is not reachable, the above kind of linker error
      will be observed.
      
      Rather than papering over the above build error by simply using
      IS_REACHABLE(), we can do a little better and admit that it is actually
      the interface drivers that have a dependency on the subdrivers. So this
      patch does exactly that. Specifically, we ensure that:
      
      1. The interface drivers' Kconfig symbols must have a value no greater
         than the value of any subdriver Kconfig symbols.
      
      2. The subdrivers should by default enable both interface drivers, since
         most users probably want at least one of them; those interface
         drivers can be explicitly disabled however.
      
      What this doesn't do is prevent a user from building only a subdriver,
      without any interface driver. To that end, add an additional line of
      help in the menu to guide users in the right direction.
      
      Link: https://lore.kernel.org/all/202204110757.XIafvVnj-lkp@intel.com/Reported-by: default avatarkernel test robot <lkp@intel.com>
      Fixes: aac94001 ("net: dsa: realtek: add new mdio interface for drivers")
      Signed-off-by: default avatarAlvin Šipraga <alsi@bang-olufsen.dk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2511e0c8
    • David S. Miller's avatar
      Merge tag 'wireless-2022-04-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · dad32cfe
      David S. Miller authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v5.18
      
      First set of fixes for v5.18. Maintainers file updates, two
      compilation warning fixes, one revert for ath11k and smaller fixes to
      drivers and stack. All the usual stuff.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dad32cfe
    • Dylan Hung's avatar
      net: ftgmac100: access hardware register after clock ready · 3d250452
      Dylan Hung authored
      AST2600 MAC register 0x58 is writable only when the MAC clock is
      enabled.  Usually, the MAC clock is enabled by the bootloader so
      register 0x58 is set normally when the bootloader is involved.  To make
      ast2600 ftgmac100 work without the bootloader, postpone the register
      write until the clock is ready.
      
      Fixes: 137d23ce ("net: ftgmac100: Fix Aspeed ast2600 TX hang issue")
      Signed-off-by: default avatarDylan Hung <dylan_hung@aspeedtech.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d250452
    • Vladimir Oltean's avatar
      Revert "net: dsa: setup master before ports" · 762c2998
      Vladimir Oltean authored
      This reverts commit 11fd667d.
      
      dsa_slave_change_mtu() updates the MTU of the DSA master and of the
      associated CPU port, but only if it detects a change to the master MTU.
      
      The blamed commit in the Fixes: tag below addressed a regression where
      dsa_slave_change_mtu() would return early and not do anything due to
      ds->ops->port_change_mtu() not being implemented.
      
      However, that commit also had the effect that the master MTU got set up
      to the correct value by dsa_master_setup(), but the associated CPU port's
      MTU did not get updated. This causes breakage for drivers that rely on
      the ->port_change_mtu() DSA call to account for the tagging overhead on
      the CPU port, and don't set up the initial MTU during the setup phase.
      
      Things actually worked before because they were in a fragile equilibrium
      where dsa_slave_change_mtu() was called before dsa_master_setup() was.
      So dsa_slave_change_mtu() could actually detect a change and update the
      CPU port MTU too.
      
      Restore the code to the way things used to work by reverting the reorder
      of dsa_tree_setup_master() and dsa_tree_setup_ports(). That change did
      not have a concrete motivation going for it anyway, it just looked
      better.
      
      Fixes: 066dfc42 ("Revert "net: dsa: stop updating master MTU from master.c"")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      762c2998
    • Martin Willi's avatar
      macvlan: Fix leaking skb in source mode with nodst option · e16b8598
      Martin Willi authored
      The MACVLAN receive handler clones skbs to all matching source MACVLAN
      interfaces, before it passes the packet along to match on destination
      based MACVLANs.
      
      When using the MACVLAN nodst mode, passing the packet to destination based
      MACVLANs is omitted and the handler returns with RX_HANDLER_CONSUMED.
      However, the passed skb is not freed, leaking for any packet processed
      with the nodst option.
      
      Properly free the skb when consuming packets to fix that leak.
      
      Fixes: 427f0c8c ("macvlan: Add nodst option to macvlan type source")
      Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e16b8598
    • Sabrina Dubroca's avatar
      esp: limit skb_page_frag_refill use to a single page · 5bd8baab
      Sabrina Dubroca authored
      Commit ebe48d36 ("esp: Fix possible buffer overflow in ESP
      transformation") tried to fix skb_page_frag_refill usage in ESP by
      capping allocsize to 32k, but that doesn't completely solve the issue,
      as skb_page_frag_refill may return a single page. If that happens, we
      will write out of bounds, despite the check introduced in the previous
      patch.
      
      This patch forces COW in cases where we would end up calling
      skb_page_frag_refill with a size larger than a page (first in
      esp_output_head with tailen, then in esp_output_tail with
      skb->data_len).
      
      Fixes: cac2661c ("esp4: Avoid skb_cow_data whenever possible")
      Fixes: 03e2a30f ("esp6: Avoid skb_cow_data whenever possible")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      5bd8baab
    • Takashi Iwai's avatar
      ALSA: usb-audio: Limit max buffer and period sizes per time · 24d0c9f0
      Takashi Iwai authored
      In the previous fix, we increased the max buffer bytes from 1MB to 4MB
      so that we can use bigger buffers for the modern HiFi devices with
      higher rates, more channels and wider formats.  OTOH, extending this
      has a concern that too big buffer is allowed for the lower rates, less
      channels and narrower formats; when an application tries to allocate
      as big buffer as possible, it'll lead to unexpectedly too huge size.
      
      Also, we had a problem about the inconsistent max buffer and period
      bytes for the implicit feedback mode when both streams have different
      channels.  This was fixed by the (relatively complex) patch to reduce
      the max buffer and period bytes accordingly.
      
      This is an alternative fix for those, a patch to kill two birds with
      one stone (*): instead of increasing the max buffer bytes blindly and
      applying the reduction per channels, we simply use the hw constraints
      for the buffer and period "time".  Meanwhile the max buffer and period
      bytes are set unlimited instead.
      
      Since the inconsistency of buffer (and period) bytes comes from the
      difference of the channels in the tied streams, as long as we care
      only about the buffer (and period) time, it doesn't matter; the buffer
      time is same for different channels, although we still allow higher
      buffer size.  Similarly, this will allow more buffer bytes for HiFi
      devices while it also keeps the reasonable size for the legacy
      devices, too.
      
      As of this patch, the max period and buffer time are set to 1 and 2
      seconds, which should be large enough for all possible use cases.
      
      (*) No animals were harmed in the making of this patch.
      
      Fixes: 98c27add ("ALSA: usb-audio: Cap upper limits of buffer/period bytes for implicit fb")
      Fixes: fee2ec8c ("ALSA: usb-audio: Increase max buffer size")
      Link: https://lore.kernel.org/r/20220412130740.18933-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      24d0c9f0
    • Takashi Iwai's avatar
      ALSA: memalloc: Add fallback SG-buffer allocations for x86 · 925ca893
      Takashi Iwai authored
      The recent change for memory allocator replaced the SG-buffer handling
      helper for x86 with the standard non-contiguous page handler.  This
      works for most cases, but there is a corner case I obviously
      overlooked, namely, the fallback of non-contiguous handler without
      IOMMU.  When the system runs without IOMMU, the core handler tries to
      use the continuous pages with a single SGL entry.  It works nicely for
      most cases, but when the system memory gets fragmented, the large
      allocation may fail frequently.
      
      Ideally the non-contig handler could deal with the proper SG pages,
      it's cumbersome to extend for now.  As a workaround, here we add new
      types for (minimalistic) SG allocations, instead, so that the
      allocator falls back to those types automatically when the allocation
      with the standard API failed.
      
      BTW, one better (but pretty minor) improvement from the previous
      SG-buffer code is that this provides the proper mmap support without
      the PCM's page fault handling.
      
      Fixes: 2c95b92e ("ALSA: memalloc: Unify x86 SG-buffer handling (take#3)")
      BugLink: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/2272
      BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1198248
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20220413054808.7547-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      925ca893
    • Linus Torvalds's avatar
      Merge tag 'hardening-v5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · a1994480
      Linus Torvalds authored
      Pull hardening fixes from Kees Cook:
      
       - latent_entropy: Use /dev/urandom instead of small GCC seed (Jason
         Donenfeld)
      
       - uapi/stddef.h: add missed include guards (Tadeusz Struk)
      
      * tag 'hardening-v5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        gcc-plugins: latent_entropy: use /dev/urandom
        uapi/linux/stddef.h: Add include guards
      a1994480
    • Linus Torvalds's avatar
      Merge tag 'nfsd-5.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · c1488c97
      Linus Torvalds authored
      Pull nfsd fixes from Chuck Lever:
      
       - Fix a write performance regression
      
       - Fix crashes during request deferral on RDMA transports
      
      * tag 'nfsd-5.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        SUNRPC: Fix the svc_deferred_event trace class
        SUNRPC: Fix NFSD's request deferral on RDMA transports
        nfsd: Clean up nfsd_file_put()
        nfsd: Fix a write performance regression
        SUNRPC: Return true/false (not 1/0) from bool functions
      c1488c97
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 453096eb
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "x86:
      
         - Miscellaneous bugfixes
      
         - A small cleanup for the new workqueue code
      
         - Documentation syntax fix
      
        RISC-V:
      
         - Remove hgatp zeroing in kvm_arch_vcpu_put()
      
         - Fix alignment of the guest_hang() in KVM selftest
      
         - Fix PTE A and D bits in KVM selftest
      
         - Missing #include in vcpu_fp.c
      
        ARM:
      
         - Some PSCI fixes after introducing PSCIv1.1 and SYSTEM_RESET2
      
         - Fix the MMU write-lock not being taken on THP split
      
         - Fix mixed-width VM handling
      
         - Fix potential UAF when debugfs registration fails
      
         - Various selftest updates for all of the above"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (24 commits)
        KVM: x86: hyper-v: Avoid writing to TSC page without an active vCPU
        KVM: SVM: Do not activate AVIC for SEV-enabled guest
        Documentation: KVM: Add SPDX-License-Identifier tag
        selftests: kvm: add tsc_scaling_sync to .gitignore
        RISC-V: KVM: include missing hwcap.h into vcpu_fp
        KVM: selftests: riscv: Fix alignment of the guest_hang() function
        KVM: selftests: riscv: Set PTE A and D bits in VS-stage page table
        RISC-V: KVM: Don't clear hgatp CSR in kvm_arch_vcpu_put()
        selftests: KVM: Free the GIC FD when cleaning up in arch_timer
        selftests: KVM: Don't leak GIC FD across dirty log test iterations
        KVM: Don't create VM debugfs files outside of the VM directory
        KVM: selftests: get-reg-list: Add KVM_REG_ARM_FW_REG(3)
        KVM: avoid NULL pointer dereference in kvm_dirty_ring_push
        KVM: arm64: selftests: Introduce vcpu_width_config
        KVM: arm64: mixed-width check should be skipped for uninitialized vCPUs
        KVM: arm64: vgic: Remove unnecessary type castings
        KVM: arm64: Don't split hugepages outside of MMU write lock
        KVM: arm64: Drop unneeded minor version check from PSCI v1.x handler
        KVM: arm64: Actually prevent SMC64 SYSTEM_RESET2 from AArch32
        KVM: arm64: Generally disallow SMC64 for AArch32 guests
        ...
      453096eb
    • Linus Torvalds's avatar
      Merge tag 'media/v5.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 7083b89e
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
      
       - a regression fix for si2157
      
       - a Kconfig dependency fix for imx-mipi-csis
      
       - fix the rockchip/rga driver probing logic
      
      * tag 'media/v5.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        media: si2157: unknown chip version Si2147-A30 ROM 0x50
        media: platform: imx-mipi-csis: Add dependency on VIDEO_DEV
        media: rockchip/rga: do proper error checking in probe
      7083b89e
  4. 12 Apr, 2022 3 commits
    • Mikulas Patocka's avatar
      stat: fix inconsistency between struct stat and struct compat_stat · 932aba1e
      Mikulas Patocka authored
      struct stat (defined in arch/x86/include/uapi/asm/stat.h) has 32-bit
      st_dev and st_rdev; struct compat_stat (defined in
      arch/x86/include/asm/compat.h) has 16-bit st_dev and st_rdev followed by
      a 16-bit padding.
      
      This patch fixes struct compat_stat to match struct stat.
      
      [ Historical note: the old x86 'struct stat' did have that 16-bit field
        that the compat layer had kept around, but it was changes back in 2003
        by "struct stat - support larger dev_t":
      
          https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=e95b2065677fe32512a597a79db94b77b90c968d
      
        and back in those days, the x86_64 port was still new, and separate
        from the i386 code, and had already picked up the old version with a
        16-bit st_dev field ]
      
      Note that we can't change compat_dev_t because it is used by
      compat_loop_info.
      
      Also, if the st_dev and st_rdev values are 32-bit, we don't have to use
      old_valid_dev to test if the value fits into them.  This fixes
      -EOVERFLOW on filesystems that are on NVMe because NVMe uses the major
      number 259.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: Andreas Schwab <schwab@linux-m68k.org>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Christoph Hellwig <hch@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      932aba1e
    • Jason A. Donenfeld's avatar
      gcc-plugins: latent_entropy: use /dev/urandom · c40160f2
      Jason A. Donenfeld authored
      While the latent entropy plugin mostly doesn't derive entropy from
      get_random_const() for measuring the call graph, when __latent_entropy is
      applied to a constant, then it's initialized statically to output from
      get_random_const(). In that case, this data is derived from a 64-bit
      seed, which means a buffer of 512 bits doesn't really have that amount
      of compile-time entropy.
      
      This patch fixes that shortcoming by just buffering chunks of
      /dev/urandom output and doling it out as requested.
      
      At the same time, it's important that we don't break the use of
      -frandom-seed, for people who want the runtime benefits of the latent
      entropy plugin, while still having compile-time determinism. In that
      case, we detect whether gcc's set_random_seed() has been called by
      making a call to get_random_seed(noinit=true) in the plugin init
      function, which is called after set_random_seed() is called but before
      anything that calls get_random_seed(noinit=false), and seeing if it's
      zero or not. If it's not zero, we're in deterministic mode, and so we
      just generate numbers with a basic xorshift prng.
      
      Note that we don't detect if -frandom-seed is being used using the
      documented local_tick variable, because it's assigned via:
         local_tick = (unsigned) tv.tv_sec * 1000 + tv.tv_usec / 1000;
      which may well overflow and become -1 on its own, and so isn't
      reliable: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105171
      
      [kees: The 256 byte rnd_buf size was chosen based on average (250),
       median (64), and std deviation (575) bytes of used entropy for a
       defconfig x86_64 build]
      
      Fixes: 38addce8 ("gcc-plugins: Add latent_entropy plugin")
      Cc: stable@vger.kernel.org
      Cc: PaX Team <pageexec@freemail.hu>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20220405222815.21155-1-Jason@zx2c4.com
      c40160f2
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 625e8cb8
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      1) Fix cgroupv2 from the input path, from Florian Westphal.
      
      2) Fix incorrect return value of nft_parse_register(), from Antoine Tenart.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: nft_parse_register can return a negative value
        netfilter: nft_socket: make cgroup match work in input too
      ====================
      
      Link: https://lore.kernel.org/r/20220412094246.448055-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      625e8cb8