1. 20 Jul, 2021 11 commits
  2. 19 Jul, 2021 19 commits
  3. 18 Jul, 2021 4 commits
    • Nguyen Dinh Phi's avatar
      netrom: Decrease sock refcount when sock timers expire · 517a16b1
      Nguyen Dinh Phi authored
      Commit 63346650 ("netrom: switch to sock timer API") switched to use
      sock timer API. It replaces mod_timer() by sk_reset_timer(), and
      del_timer() by sk_stop_timer().
      
      Function sk_reset_timer() will increase the refcount of sock if it is
      called on an inactive timer, hence, in case the timer expires, we need to
      decrease the refcount ourselves in the handler, otherwise, the sock
      refcount will be unbalanced and the sock will never be freed.
      Signed-off-by: default avatarNguyen Dinh Phi <phind.uet@gmail.com>
      Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
      Fixes: 63346650 ("netrom: switch to sock timer API")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      517a16b1
    • Xin Long's avatar
      sctp: trim optlen when it's a huge value in sctp_setsockopt · 2f3fdd8d
      Xin Long authored
      After commit ca84bd05 ("sctp: copy the optval from user space in
      sctp_setsockopt"), it does memory allocation in sctp_setsockopt with
      the optlen, and it would fail the allocation and return error if the
      optlen from user space is a huge value.
      
      This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and
      SCTP_AUTH_KEY, as when processing these sockopts before, optlen would
      be trimmed to a biggest value it needs when optlen is a huge value,
      instead of failing the allocation and returning error.
      
      This patch is to fix the allocation failure when it's a huge optlen from
      user space by trimming it to the biggest size sctp sockopt may need when
      necessary, and this biggest size is from sctp_setsockopt_reset_streams()
      for SCTP_RESET_STREAMS, which is bigger than those for SCTP_HMAC_IDENT
      and SCTP_AUTH_KEY.
      
      Fixes: ca84bd05 ("sctp: copy the optval from user space in sctp_setsockopt")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f3fdd8d
    • Pavel Skripkin's avatar
      net: sched: fix memory leak in tcindex_partial_destroy_work · f5051bce
      Pavel Skripkin authored
      Syzbot reported memory leak in tcindex_set_parms(). The problem was in
      non-freed perfect hash in tcindex_partial_destroy_work().
      
      In tcindex_set_parms() new tcindex_data is allocated and some fields from
      old one are copied to new one, but not the perfect hash. Since
      tcindex_partial_destroy_work() is the destroy function for old
      tcindex_data, we need to free perfect hash to avoid memory leak.
      
      Reported-and-tested-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
      Fixes: 331b7292 ("net: sched: RCU cls_tcindex")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5051bce
    • Pravin B Shelar's avatar
      net: Fix zero-copy head len calculation. · a17ad096
      Pravin B Shelar authored
      In some cases skb head could be locked and entire header
      data is pulled from skb. When skb_zerocopy() called in such cases,
      following BUG is triggered. This patch fixes it by copying entire
      skb in such cases.
      This could be optimized incase this is performance bottleneck.
      
      ---8<---
      kernel BUG at net/core/skbuff.c:2961!
      invalid opcode: 0000 [#1] SMP PTI
      CPU: 2 PID: 0 Comm: swapper/2 Tainted: G           OE     5.4.0-77-generic #86-Ubuntu
      Hardware name: OpenStack Foundation OpenStack Nova, BIOS 1.13.0-1ubuntu1.1 04/01/2014
      RIP: 0010:skb_zerocopy+0x37a/0x3a0
      RSP: 0018:ffffbcc70013ca38 EFLAGS: 00010246
      Call Trace:
       <IRQ>
       queue_userspace_packet+0x2af/0x5e0 [openvswitch]
       ovs_dp_upcall+0x3d/0x60 [openvswitch]
       ovs_dp_process_packet+0x125/0x150 [openvswitch]
       ovs_vport_receive+0x77/0xd0 [openvswitch]
       netdev_port_receive+0x87/0x130 [openvswitch]
       netdev_frame_hook+0x4b/0x60 [openvswitch]
       __netif_receive_skb_core+0x2b4/0xc90
       __netif_receive_skb_one_core+0x3f/0xa0
       __netif_receive_skb+0x18/0x60
       process_backlog+0xa9/0x160
       net_rx_action+0x142/0x390
       __do_softirq+0xe1/0x2d6
       irq_exit+0xae/0xb0
       do_IRQ+0x5a/0xf0
       common_interrupt+0xf/0xf
      
      Code that triggered BUG:
      int
      skb_zerocopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen)
      {
              int i, j = 0;
              int plen = 0; /* length of skb->head fragment */
              int ret;
              struct page *page;
              unsigned int offset;
      
              BUG_ON(!from->head_frag && !hlen);
      Signed-off-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a17ad096
  4. 17 Jul, 2021 1 commit
    • Mahesh Bandewar's avatar
      bonding: fix build issue · 5b69874f
      Mahesh Bandewar authored
      The commit 9a560550 (" bonding: Add struct bond_ipesc to manage SA") is causing
      following build error when XFRM is not selected in kernel config.
      
      lld: error: undefined symbol: xfrm_dev_state_flush
      >>> referenced by bond_main.c:3453 (drivers/net/bonding/bond_main.c:3453)
      >>>               net/bonding/bond_main.o:(bond_netdev_event) in archive drivers/built-in.a
      
      Fixes: 9a560550 (" bonding: Add struct bond_ipesc to manage SA")
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      CC: Taehee Yoo <ap420073@gmail.com>
      CC: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b69874f
  5. 16 Jul, 2021 3 commits
  6. 15 Jul, 2021 2 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 20192d9c
      David S. Miller authored
      Andrii Nakryiko says:
      
      ====================
      pull-request: bpf 2021-07-15
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 9 non-merge commits during the last 5 day(s) which contain
      a total of 9 files changed, 37 insertions(+), 15 deletions(-).
      
      The main changes are:
      
      1) Fix NULL pointer dereference in BPF_TEST_RUN for BPF_XDP_DEVMAP and
         BPF_XDP_CPUMAP programs, from Xuan Zhuo.
      
      2) Fix use-after-free of net_device in XDP bpf_link, from Xuan Zhuo.
      
      3) Follow-up fix to subprog poke descriptor use-after-free problem, from
         Daniel Borkmann and John Fastabend.
      
      4) Fix out-of-range array access in s390 BPF JIT backend, from Colin Ian King.
      
      5) Fix memory leak in BPF sockmap, from John Fastabend.
      
      6) Fix for sockmap to prevent proc stats reporting bug, from John Fastabend
         and Jakub Sitnicki.
      
      7) Fix NULL pointer dereference in bpftool, from Tobias Klauser.
      
      8) AF_XDP documentation fixes, from Baruch Siach.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20192d9c
    • Dongliang Mu's avatar
      usb: hso: fix error handling code of hso_create_net_device · a6ecfb39
      Dongliang Mu authored
      The current error handling code of hso_create_net_device is
      hso_free_net_device, no matter which errors lead to. For example,
      WARNING in hso_free_net_device [1].
      
      Fix this by refactoring the error handling code of
      hso_create_net_device by handling different errors by different code.
      
      [1] https://syzkaller.appspot.com/bug?id=66eff8d49af1b28370ad342787413e35bbe76efe
      
      Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com
      Fixes: 5fcfb6d0 ("hso: fix bailout in error case of probe")
      Signed-off-by: default avatarDongliang Mu <mudongliangabcd@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a6ecfb39