1. 16 Nov, 2023 10 commits
  2. 15 Nov, 2023 19 commits
  3. 14 Nov, 2023 11 commits
    • Eric Dumazet's avatar
      af_unix: fix use-after-free in unix_stream_read_actor() · 4b7b4926
      Eric Dumazet authored
      syzbot reported the following crash [1]
      
      After releasing unix socket lock, u->oob_skb can be changed
      by another thread. We must temporarily increase skb refcount
      to make sure this other thread will not free the skb under us.
      
      [1]
      
      BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
      Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297
      
      CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:364 [inline]
      print_report+0xc4/0x620 mm/kasan/report.c:475
      kasan_report+0xda/0x110 mm/kasan/report.c:588
      unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
      unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
      unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
      unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
      sock_recvmsg_nosec net/socket.c:1044 [inline]
      sock_recvmsg+0xe2/0x170 net/socket.c:1066
      ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
      ___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
      __sys_recvmsg+0x114/0x1e0 net/socket.c:2875
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7fc67492c559
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
      RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
      RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
      RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
      R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388
      </TASK>
      
      Allocated by task 5295:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
      kasan_set_track+0x25/0x30 mm/kasan/common.c:52
      __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
      kasan_slab_alloc include/linux/kasan.h:188 [inline]
      slab_post_alloc_hook mm/slab.h:763 [inline]
      slab_alloc_node mm/slub.c:3478 [inline]
      kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
      __alloc_skb+0x287/0x330 net/core/skbuff.c:641
      alloc_skb include/linux/skbuff.h:1286 [inline]
      alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
      sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
      sock_alloc_send_skb include/net/sock.h:1884 [inline]
      queue_oob net/unix/af_unix.c:2147 [inline]
      unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
      ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
      __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Freed by task 5295:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
      kasan_set_track+0x25/0x30 mm/kasan/common.c:52
      kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
      ____kasan_slab_free mm/kasan/common.c:236 [inline]
      ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
      kasan_slab_free include/linux/kasan.h:164 [inline]
      slab_free_hook mm/slub.c:1800 [inline]
      slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
      slab_free mm/slub.c:3809 [inline]
      kmem_cache_free+0xf8/0x340 mm/slub.c:3831
      kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
      __kfree_skb net/core/skbuff.c:1073 [inline]
      consume_skb net/core/skbuff.c:1288 [inline]
      consume_skb+0xdf/0x170 net/core/skbuff.c:1282
      queue_oob net/unix/af_unix.c:2178 [inline]
      unix_stream_sendmsg+0xd49/0x10a0 net/unix/af_unix.c:2301
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
      ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
      __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      The buggy address belongs to the object at ffff88801f3b9c80
      which belongs to the cache skbuff_head_cache of size 240
      The buggy address is located 68 bytes inside of
      freed 240-byte region [ffff88801f3b9c80, ffff88801f3b9d70)
      
      The buggy address belongs to the physical page:
      page:ffffea00007cee40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f3b9
      flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
      page_type: 0xffffffff()
      raw: 00fff00000000800 ffff888142a60640 dead000000000122 0000000000000000
      raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5299, tgid 5283 (syz-executor107), ts 103803840339, free_ts 103600093431
      set_page_owner include/linux/page_owner.h:31 [inline]
      post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
      prep_new_page mm/page_alloc.c:1544 [inline]
      get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
      __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
      alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
      alloc_slab_page mm/slub.c:1870 [inline]
      allocate_slab+0x251/0x380 mm/slub.c:2017
      new_slab mm/slub.c:2070 [inline]
      ___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
      __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
      __slab_alloc_node mm/slub.c:3375 [inline]
      slab_alloc_node mm/slub.c:3468 [inline]
      kmem_cache_alloc_node+0x132/0x3c0 mm/slub.c:3523
      __alloc_skb+0x287/0x330 net/core/skbuff.c:641
      alloc_skb include/linux/skbuff.h:1286 [inline]
      alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
      sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
      sock_alloc_send_skb include/net/sock.h:1884 [inline]
      queue_oob net/unix/af_unix.c:2147 [inline]
      unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
      ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
      __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
      page last free stack trace:
      reset_page_owner include/linux/page_owner.h:24 [inline]
      free_pages_prepare mm/page_alloc.c:1137 [inline]
      free_unref_page_prepare+0x4f8/0xa90 mm/page_alloc.c:2347
      free_unref_page+0x33/0x3b0 mm/page_alloc.c:2487
      __unfreeze_partials+0x21d/0x240 mm/slub.c:2655
      qlink_free mm/kasan/quarantine.c:168 [inline]
      qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
      kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
      __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
      kasan_slab_alloc include/linux/kasan.h:188 [inline]
      slab_post_alloc_hook mm/slab.h:763 [inline]
      slab_alloc_node mm/slub.c:3478 [inline]
      slab_alloc mm/slub.c:3486 [inline]
      __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
      kmem_cache_alloc+0x15d/0x380 mm/slub.c:3502
      vm_area_dup+0x21/0x2f0 kernel/fork.c:500
      __split_vma+0x17d/0x1070 mm/mmap.c:2365
      split_vma mm/mmap.c:2437 [inline]
      vma_modify+0x25d/0x450 mm/mmap.c:2472
      vma_modify_flags include/linux/mm.h:3271 [inline]
      mprotect_fixup+0x228/0xc80 mm/mprotect.c:635
      do_mprotect_pkey+0x852/0xd60 mm/mprotect.c:809
      __do_sys_mprotect mm/mprotect.c:830 [inline]
      __se_sys_mprotect mm/mprotect.c:827 [inline]
      __x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:827
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Memory state around the buggy address:
      ffff88801f3b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff88801f3b9c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
      >ffff88801f3b9c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ^
      ffff88801f3b9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
      ffff88801f3b9d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
      
      Fixes: 876c14ad ("af_unix: fix holding spinlock in oob handling")
      Reported-and-tested-by: syzbot+7a2d546fa43e49315ed3@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Rao Shoaib <rao.shoaib@oracle.com>
      Reviewed-by: default avatarRao shoaib <rao.shoaib@oracle.com>
      Link: https://lore.kernel.org/r/20231113134938.168151-1-edumazet@google.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4b7b4926
    • Jakub Kicinski's avatar
      Merge branch 'r8169-fix-dash-devices-network-lost-issue' · 48c205c6
      Jakub Kicinski authored
      ChunHao Lin says:
      
      ====================
      r8169: fix DASH devices network lost issue
      
      This series are used to fix network lost issue on systems that support
      DASH. It has been tested on rtl8168ep and rtl8168fp.
      ====================
      
      Link: https://lore.kernel.org/r/20231109173400.4573-1-hau@realtek.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      48c205c6
    • ChunHao Lin's avatar
      r8169: fix network lost after resume on DASH systems · 868c3b95
      ChunHao Lin authored
      Device that support DASH may be reseted or powered off during suspend.
      So driver needs to handle DASH during system suspend and resume. Or
      DASH firmware will influence device behavior and causes network lost.
      
      Fixes: b646d900 ("r8169: magic.")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarChunHao Lin <hau@realtek.com>
      Link: https://lore.kernel.org/r/20231109173400.4573-3-hau@realtek.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      868c3b95
    • ChunHao Lin's avatar
      r8169: add handling DASH when DASH is disabled · 0ab0c45d
      ChunHao Lin authored
      For devices that support DASH, even DASH is disabled, there may still
      exist a default firmware that will influence device behavior.
      So driver needs to handle DASH for devices that support DASH, no
      matter the DASH status is.
      
      This patch also prepares for "fix network lost after resume on DASH
      systems".
      
      Fixes: ee7a1beb ("r8169:call "rtl8168_driver_start" "rtl8168_driver_stop" only when hardware dash function is enabled")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChunHao Lin <hau@realtek.com>
      Reviewed-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/20231109173400.4573-2-hau@realtek.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0ab0c45d
    • Jakub Kicinski's avatar
      Merge branch 'fix-large-frames-in-the-gemini-ethernet-driver' · 334e90b8
      Jakub Kicinski authored
      Linus Walleij says:
      
      ====================
      Fix large frames in the Gemini ethernet driver
      
      This is the result of a bug hunt for a problem with the
      RTL8366RB DSA switch leading me wrong all over the place.
      
      I am indebted to Vladimir Oltean who as usual pointed
      out where the real problem was, many thanks!
      
      Tryig to actually use big ("jumbo") frames on this
      hardware uncovered the real bugs. Then I tested it on
      the DSA switch and it indeed fixes the issue.
      
      To make sure it also works fine with big frames on
      non-DSA devices I also copied a large video file over
      scp to a device with maximum frame size, the data
      was transported in large TCP packets ending up in
      0x7ff sized frames using software checksumming at
      ~2.0 MB/s.
      
      If I set down the MTU to the standard 1500 bytes so
      that hardware checksumming is used, the scp transfer
      of the same file was slightly lower, ~1.8-1.9 MB/s.
      
      Despite this not being the best test it shows that
      we can now stress the hardware with large frames
      and that software checksum works fine.
      
      v3: https://lore.kernel.org/r/20231107-gemini-largeframe-fix-v3-0-e3803c080b75@linaro.org
      v2: https://lore.kernel.org/r/20231105-gemini-largeframe-fix-v2-0-cd3a5aa6c496@linaro.org
      v1: https://lore.kernel.org/r/20231104-gemini-largeframe-fix-v1-0-9c5513f22f33@linaro.org
      ====================
      
      Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-0-6e611528db08@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      334e90b8
    • Linus Walleij's avatar
      net: ethernet: cortina: Fix MTU max setting · dc6c0bfb
      Linus Walleij authored
      The RX max frame size is over 10000 for the Gemini ethernet,
      but the TX max frame size is actually just 2047 (0x7ff after
      checking the datasheet). Reflect this in what we offer to Linux,
      cap the MTU at the TX max frame minus ethernet headers.
      
      We delete the code disabling the hardware checksum for large
      MTUs as netdev->mtu can no longer be larger than
      netdev->max_mtu meaning the if()-clause in gmac_fix_features()
      is never true.
      
      Fixes: 4d5ae32f ("net: ethernet: Add a driver for Gemini gigabit ethernet")
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-3-6e611528db08@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      dc6c0bfb
    • Linus Walleij's avatar
      net: ethernet: cortina: Handle large frames · d4d0c5b4
      Linus Walleij authored
      The Gemini ethernet controller provides hardware checksumming
      for frames up to 1514 bytes including ethernet headers but not
      FCS.
      
      If we start sending bigger frames (after first bumping up the MTU
      on both interfaces sending and receiving the frames), truncated
      packets start to appear on the target such as in this tcpdump
      resulting from ping -s 1474:
      
      23:34:17.241983 14:d6:4d:a8:3c:4f (oui Unknown) > bc:ae:c5:6b:a8:3d (oui Unknown),
      ethertype IPv4 (0x0800), length 1514: truncated-ip - 2 bytes missing!
      (tos 0x0, ttl 64, id 32653, offset 0, flags [DF], proto ICMP (1), length 1502)
      OpenWrt.lan > Fecusia: ICMP echo request, id 1672, seq 50, length 1482
      
      If we bypass the hardware checksumming and provide a software
      fallback, everything starts working fine up to the max TX MTU
      of 2047 bytes, for example ping -s2000 192.168.1.2:
      
      00:44:29.587598 bc:ae:c5:6b:a8:3d (oui Unknown) > 14:d6:4d:a8:3c:4f (oui Unknown),
      ethertype IPv4 (0x0800), length 2042:
      (tos 0x0, ttl 64, id 51828, offset 0, flags [none], proto ICMP (1), length 2028)
      Fecusia > OpenWrt.lan: ICMP echo reply, id 1683, seq 4, length 2008
      
      The bit enabling to bypass hardware checksum (or any of the
      "TSS" bits) are undocumented in the hardware reference manual.
      The entire hardware checksum unit appears undocumented. The
      conclusion that we need to use the "bypass" bit was found by
      trial-and-error.
      
      Since no hardware checksum will happen, we slot in a software
      checksum fallback.
      
      Check for the condition where we need to compute checksum on the
      skb with either hardware or software using == CHECKSUM_PARTIAL instead
      of != CHECKSUM_NONE which is an incomplete check according to
      <linux/skbuff.h>.
      
      On the D-Link DIR-685 router this fixes a bug on the conduit
      interface to the RTL8366RB DSA switch: as the switch needs to add
      space for its tag it increases the MTU on the conduit interface
      to 1504 and that means that when the router sends packages
      of 1500 bytes these get an extra 4 bytes of DSA tag and the
      transfer fails because of the erroneous hardware checksumming,
      affecting such basic functionality as the LuCI web interface.
      
      Fixes: 4d5ae32f ("net: ethernet: Add a driver for Gemini gigabit ethernet")
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-2-6e611528db08@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d4d0c5b4
    • Linus Walleij's avatar
      net: ethernet: cortina: Fix max RX frame define · 510e35fb
      Linus Walleij authored
      Enumerator 3 is 1548 bytes according to the datasheet.
      Not 1542.
      
      Fixes: 4d5ae32f ("net: ethernet: Add a driver for Gemini gigabit ethernet")
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-1-6e611528db08@linaro.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      510e35fb
    • Eric Dumazet's avatar
      bonding: stop the device in bond_setup_by_slave() · 3cffa2dd
      Eric Dumazet authored
      Commit 9eed321c ("net: lapbether: only support ethernet devices")
      has been able to keep syzbot away from net/lapb, until today.
      
      In the following splat [1], the issue is that a lapbether device has
      been created on a bonding device without members. Then adding a non
      ARPHRD_ETHER member forced the bonding master to change its type.
      
      The fix is to make sure we call dev_close() in bond_setup_by_slave()
      so that the potential linked lapbether devices (or any other devices
      having assumptions on the physical device) are removed.
      
      A similar bug has been addressed in commit 40baec22
      ("bonding: fix panic on non-ARPHRD_ETHER enslave failure")
      
      [1]
      skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0
      kernel BUG at net/core/skbuff.c:192 !
      Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
      pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : skb_panic net/core/skbuff.c:188 [inline]
      pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
      lr : skb_panic net/core/skbuff.c:188 [inline]
      lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
      sp : ffff800096a06aa0
      x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000
      x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea
      x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140
      x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100
      x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001
      x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000
      x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00
      x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001
      x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c
      x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086
      Call trace:
      skb_panic net/core/skbuff.c:188 [inline]
      skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
      skb_push+0xf0/0x108 net/core/skbuff.c:2446
      ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384
      dev_hard_header include/linux/netdevice.h:3136 [inline]
      lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257
      lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447
      lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149
      lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251
      __lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326
      lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492
      notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
      raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
      call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
      call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
      call_netdevice_notifiers net/core/dev.c:2022 [inline]
      __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
      dev_close_many+0x1e0/0x470 net/core/dev.c:1559
      dev_close+0x174/0x250 net/core/dev.c:1585
      lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466
      notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
      raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
      call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
      call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
      call_netdevice_notifiers net/core/dev.c:2022 [inline]
      __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
      dev_close_many+0x1e0/0x470 net/core/dev.c:1559
      dev_close+0x174/0x250 net/core/dev.c:1585
      bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332
      bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539
      dev_ifsioc+0x754/0x9ac
      dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786
      sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217
      sock_ioctl+0x4e8/0x834 net/socket.c:1322
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:871 [inline]
      __se_sys_ioctl fs/ioctl.c:857 [inline]
      __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:857
      __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
      el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
      Code: aa1803e6 aa1903e7 a90023f5 94785b8b (d4210000)
      
      Fixes: 872254dd ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Reviewed-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Link: https://lore.kernel.org/r/20231109180102.4085183-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3cffa2dd
    • Eric Dumazet's avatar
      ptp: annotate data-race around q->head and q->tail · 73bde5a3
      Eric Dumazet authored
      As I was working on a syzbot report, I found that KCSAN would
      probably complain that reading q->head or q->tail without
      barriers could lead to invalid results.
      
      Add corresponding READ_ONCE() and WRITE_ONCE() to avoid
      load-store tearing.
      
      Fixes: d94ba80e ("ptp: Added a brand new class driver for ptp clocks.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarRichard Cochran <richardcochran@gmail.com>
      Link: https://lore.kernel.org/r/20231109174859.3995880-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      73bde5a3
    • Jakub Kicinski's avatar
      Revert "ptp: Fixes a null pointer dereference in ptp_ioctl" · 4b3812d9
      Jakub Kicinski authored
      This reverts commit 8a4f030d.
      
      Richard says:
      
        The test itself is harmless, but keeping it will make people think,
        "oh this pointer can be invalid."
      
        In fact the core stack ensures that ioctl() can't be invoked after
        release(), otherwise Bad Stuff happens.
      
      Fixes: 8a4f030d ("ptp: Fixes a null pointer dereference in ptp_ioctl")
      Link: https://lore.kernel.org/all/ZVAf_qdRfDAQYUt-@hoboy.vegasvil.org/Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4b3812d9