- 28 Jul, 2023 16 commits
-
-
Jakub Kicinski authored
This reverts commit 20bf98c9. Richard raised concerns about correctness of the code on previous generations of the HW. Fixes: 20bf98c9 ("net: stmmac: correct MAC propagation delay") Link: https://lore.kernel.org/all/ZMGIuKVP7BEotbrn@hoboy.vegasvil.org/ Link: https://lore.kernel.org/r/20230726224054.3241127-1-kuba@kernel.orgSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jakub Kicinski authored
Andrew Halaney says: ==================== net: stmmac: Increase clk_ptp_ref rate This series aims to increase the clk_ptp_ref rate to get the best possible PTP timestamping resolution possible. Some modified disclosure about my development/testing process from the RFC/RFT v1 follows. Disclosure: I don't know much about PTP beyond what you can google in an afternoon, don't have access to documentation about the stmmac IP, and have only tested that (based on code comments and git commit history) the programming of the subsecond register (and the clock rate) makes more sense with these changes. Qualcomm has tested a similar change offlist, verifying PTP more formally as I understand it. The last version was an RFC/RFT, but I didn't get a lot of confirmation that doing patch 3 in that series (essentially setting clk_ptp_ref to whatever its max value is) for the whole stmmac ecosystem was a safe idea. So I am erring on the side of caution and doing this for the Qualcomm platform only. See v1 for an approach that would apply to all stmmac platform drivers with clk_ptp_ref. v1: https://lore.kernel.org/netdev/20230711205732.364954-1-ahalaney@redhat.com/ ==================== Link: https://lore.kernel.org/r/20230725211853.895832-2-ahalaney@redhat.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Andrew Halaney authored
Qualcomm clocks can set their frequency to a variety of levels generally. Let's use the max for clk_ptp_ref to ensure the best timestamping resolution possible. Without this, the default value of the clock is used. For sa8775p-ride this is 19.2 MHz, far less than the 230.4 MHz possible. Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Andrew Halaney <ahalaney@redhat.com> Link: https://lore.kernel.org/r/20230725211853.895832-4-ahalaney@redhat.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Andrew Halaney authored
The priv variable is _always_ of type (struct stmmac_priv *), so let's stop using (void *) since it isn't abstracting anything. Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Andrew Halaney <ahalaney@redhat.com> Link: https://lore.kernel.org/r/20230725211853.895832-3-ahalaney@redhat.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-nextJakub Kicinski authored
Florian Westphal says: ==================== netfilter updates for net-next 1. silence a harmless warning for CONFIG_NF_CONNTRACK_PROCFS=n builds, from Zhu Wang. 2, 3: Allow NLA_POLICY_MASK to be used with BE16/BE32 types, and replace a few manual checks with nla_policy based one in nf_tables, from myself. 4: cleanup in ctnetlink to validate while parsing rather than using two steps, from Lin Ma. 5: refactor boyer-moore textsearch by moving a small chunk to a helper function, rom Jeremy Sowden. * tag 'nf-next-23-07-27' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next: lib/ts_bm: add helper to reduce indentation and improve readability netfilter: conntrack: validate cta_ip via parsing netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options netlink: allow be16 and be32 types in all uint policy checks nf_conntrack: fix -Wunused-const-variable= ==================== Link: https://lore.kernel.org/r/20230727133604.8275-1-fw@strlen.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jakub Kicinski authored
Hannes Reinecke says: ==================== net/tls: fixes for NVMe-over-TLS here are some small fixes to get NVMe-over-TLS up and running. The first set are just minor modifications to have MSG_EOR handled for TLS, but the second set implements the ->read_sock() callback for tls_sw. The ->read_sock() callbacks return -EIO when encountering any TLS Alert message, but as that's the default behaviour anyway I guess we can get away with it. ==================== Applied on top of the tag in case Sagi gets convinced to pull it. Link: https://lore.kernel.org/r/20230726191556.41714-1-hare@suse.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Hannes Reinecke authored
Implement ->read_sock() function for use with nvme-tcp. Signed-off-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Jakub Kicinski <kuba@kernel.org> Cc: Boris Pismenny <boris.pismenny@gmail.com> Link: https://lore.kernel.org/r/20230726191556.41714-7-hare@suse.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Hannes Reinecke authored
Split tls_rx_reader_{lock,unlock} into an 'acquire/release' and the actual locking part. With that we can use the tls_rx_reader_lock in situations where the socket is already locked. Suggested-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/r/20230726191556.41714-6-hare@suse.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Hannes Reinecke authored
TLS resets the protocol operations, so the read_sock() callback might be changed, too. In this case using sock->ops->readsock() in tls_strp_read_copyin() will enter an infinite recursion if the read_sock() callback is calling tls_rx_rec_wait() which will call into sock->ops->readsock() via tls_strp_read_copyin(). But as tls_strp_read_copyin() is supposed to produce data from the consumed socket and that socket is always a TCP socket we can call tcp_read_sock() directly without having to deal with callbacks. Signed-off-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/r/20230726191556.41714-5-hare@suse.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Hannes Reinecke authored
As the recent patch is modifying the behaviour for TLS re MSG_EOR handling we should be having a test for it. Signed-off-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/r/20230726191556.41714-4-hare@suse.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Hannes Reinecke authored
tls_push_data() MSG_MORE, but bails out on MSG_EOR. Seeing that MSG_EOR is basically the opposite of MSG_MORE this patch adds handling MSG_EOR by treating it as the absence of MSG_MORE. Consequently we should return an error when both are set. Signed-off-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/r/20230726191556.41714-3-hare@suse.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Hannes Reinecke authored
tls_sw_sendmsg() already handles MSG_MORE, but bails out on MSG_EOR. Seeing that MSG_EOR is basically the opposite of MSG_MORE this patch adds handling MSG_EOR by treating it as the negation of MSG_MORE. And erroring out if MSG_EOR is specified with MSG_MORE. Signed-off-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/r/20230726191556.41714-2-hare@suse.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
YueHaibing authored
These declarations is not used after ipx protocol removed. Signed-off-by: YueHaibing <yuehaibing@huawei.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/20230726144054.28780-1-yuehaibing@huawei.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
YueHaibing authored
This is not used, so can remove it. Signed-off-by: YueHaibing <yuehaibing@huawei.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/20230726143715.24700-1-yuehaibing@huawei.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
YueHaibing authored
This is never used, so can remove it. Signed-off-by: YueHaibing <yuehaibing@huawei.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/20230726143239.9904-1-yuehaibing@huawei.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
YueHaibing authored
Since commit 19e3a9c9 ("net: bridge: convert multicast to generic rhashtable") this is not used, so can remove it. Signed-off-by: YueHaibing <yuehaibing@huawei.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Acked-by: Nikolay Aleksandrov <razor@blackwall.org> Link: https://lore.kernel.org/r/20230726143141.11704-1-yuehaibing@huawei.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
- 27 Jul, 2023 24 commits
-
-
Patrick Rohr authored
Removes superfluous (and misplaced) comment from ndisc_router_discovery. Signed-off-by: Patrick Rohr <prohr@google.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20230726184742.342825-1-prohr@google.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netJakub Kicinski authored
Cross-merge networking fixes after downstream PR. No conflicts or adjacent changes. Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netLinus Torvalds authored
Pull networking fixes from Paolo Abeni: "Including fixes from can, netfilter. Current release - regressions: - core: fix splice_to_socket() for O_NONBLOCK socket - af_unix: fix fortify_panic() in unix_bind_bsd(). - can: raw: fix lockdep issue in raw_release() Previous releases - regressions: - tcp: reduce chance of collisions in inet6_hashfn(). - netfilter: skip immediate deactivate in _PREPARE_ERROR - tipc: stop tipc crypto on failure in tipc_node_create - eth: igc: fix kernel panic during ndo_tx_timeout callback - eth: iavf: fix potential deadlock on allocation failure Previous releases - always broken: - ipv6: fix bug where deleting a mngtmpaddr can create a new temporary address - eth: ice: fix memory management in ice_ethtool_fdir.c - eth: hns3: fix the imp capability bit cannot exceed 32 bits issue - eth: vxlan: calculate correct header length for GPE - eth: stmmac: apply redundant write work around on 4.xx too" * tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits) tipc: stop tipc crypto on failure in tipc_node_create af_unix: Terminate sun_path when bind()ing pathname socket. tipc: check return value of pskb_trim() benet: fix return value check in be_lancer_xmit_workarounds() virtio-net: fix race between set queues and probe net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64 splice, net: Fix splice_to_socket() for O_NONBLOCK socket net: fec: tx processing does not call XDP APIs if budget is 0 mptcp: more accurate NL event generation selftests: mptcp: join: only check for ip6tables if needed tools: ynl-gen: fix parse multi-attr enum attribute tools: ynl-gen: fix enum index in _decode_enum(..) netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR netfilter: nft_set_rbtree: fix overlap expiration walk igc: Fix Kernel Panic during ndo_tx_timeout callback net: dsa: qca8k: fix mdb add/del case with 0 VID net: dsa: qca8k: fix broken search_and_del net: dsa: qca8k: fix search_and_insert wrong handling of new rule net: dsa: qca8k: enable use_single_write for qca8xxx ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwireLinus Torvalds authored
Pull soundwire fixes from Vinod Koul: - Core fix for enumeration completion - Qualcomm driver fix to update status - AMD driver fix for probe error check * tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire: soundwire: amd: Fix a check for errors in probe() soundwire: qcom: update status correctly with mask soundwire: fix enumeration completion
-
git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phyLinus Torvalds authored
Pull phy fixes from Vinod Koul: - Out of bound fix for hisilicon phy - Qualcomm synopsis femto phy for keeping clock enabled during suspend and enabling ref clocks - Mediatek driver fixes for upper limit test and error code * tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy: phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code phy: qcom-snps-femto-v2: properly enable ref clock phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend phy: mediatek: hdmi: mt8195: fix prediv bad upper limit test phy: phy-mtk-dp: Fix an error code in probe()
-
git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linuxLinus Torvalds authored
Pull btrfs fixes from David Sterba: - fix accounting of global block reserve size when block group tree is enabled - the async discard has been enabled in 6.2 unconditionally, but for zoned mode it does not make that much sense to do it asynchronously as the zones are reset as needed - error handling and proper error value propagation fixes * tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: check for commit error at btrfs_attach_transaction_barrier() btrfs: check if the transaction was aborted at btrfs_wait_for_commit() btrfs: remove BUG_ON()'s in add_new_free_space() btrfs: account block group tree when calculating global reserve size btrfs: zoned: do not enable async discard
-
git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblockLinus Torvalds authored
Pull memblock fix from Mike Rapoport: "A call to memblock_free() or memblock_phys_free() issued after memblock data is discarded will result in use after free in memblock_isolate_range(). Avoid those issues by making sure that memblock_discard points memblock.reserved.regions back at the static buffer" * tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock: mm,memblock: reset memblock.reserved to system init state to prevent UAF
-
Jann Horn authored
lock_vma_under_rcu() tries to guarantee that __anon_vma_prepare() can't be called in the VMA-locked page fault path by ensuring that vma->anon_vma is set. However, this check happens before the VMA is locked, which means a concurrent move_vma() can concurrently call unlink_anon_vmas(), which disassociates the VMA's anon_vma. This means we can get UAF in the following scenario: THREAD 1 THREAD 2 ======== ======== <page fault> lock_vma_under_rcu() rcu_read_lock() mas_walk() check vma->anon_vma mremap() syscall move_vma() vma_start_write() unlink_anon_vmas() <syscall end> handle_mm_fault() __handle_mm_fault() handle_pte_fault() do_pte_missing() do_anonymous_page() anon_vma_prepare() __anon_vma_prepare() find_mergeable_anon_vma() mas_walk() [looks up VMA X] munmap() syscall (deletes VMA X) reusable_anon_vma() [called on freed VMA X] This is a security bug if you can hit it, although an attacker would have to win two races at once where the first race window is only a few instructions wide. This patch is based on some previous discussion with Linus Torvalds on the security list. Cc: stable@vger.kernel.org Fixes: 5e31275c ("mm: add per-VMA lock and helper functions to control it") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Paolo Abeni authored
Arseniy Krasnov says: ==================== virtio/vsock: some updates for MSG_PEEK flag This patchset does several things around MSG_PEEK flag support. In general words it reworks MSG_PEEK test and adds support for this flag in SOCK_SEQPACKET logic. Here is per-patch description: 1) This is cosmetic change for SOCK_STREAM implementation of MSG_PEEK: 1) I think there is no need of "safe" mode walk here as there is no "unlink" of skbs inside loop (it is MSG_PEEK mode - we don't change queue). 2) Nested while loop is removed: in case of MSG_PEEK we just walk over skbs and copy data from each one. I guess this nested loop even didn't behave as loop - it always executed just for single iteration. 2) This adds MSG_PEEK support for SOCK_SEQPACKET. It could be implemented be reworking MSG_PEEK callback for SOCK_STREAM to support SOCK_SEQPACKET also, but I think it will be more simple and clear from potential bugs to implemented it as separate function thus not mixing logics for both types of socket. So I've added it as dedicated function. 3) This is reworked MSG_PEEK test for SOCK_STREAM. Previous version just sent single byte, then tried to read it with MSG_PEEK flag, then read it in normal way. New version is more complex: now sender uses buffer instead of single byte and this buffer is initialized with random values. Receiver tests several things: 1) Read empty socket with MSG_PEEK flag. 2) Read part of buffer with MSG_PEEK flag. 3) Read whole buffer with MSG_PEEK flag, then checks that it is same as buffer from 2) (limited by size of buffer from 2) of course). 4) Read whole buffer without any flags, then checks that it is same as buffer from 3). 4) This is MSG_PEEK test for SOCK_SEQPACKET. It works in the same way as for SOCK_STREAM, except it also checks combination of MSG_TRUNC and MSG_PEEK. ==================== Link: https://lore.kernel.org/r/20230725172912.1659970-1-AVKrasnov@sberdevices.ruSigned-off-by: Paolo Abeni <pabeni@redhat.com>
-
Arseniy Krasnov authored
This adds MSG_PEEK test for SOCK_SEQPACKET. It works in the same way as SOCK_STREAM test, except it also tests MSG_TRUNC flag. Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Arseniy Krasnov authored
This new version makes test more complicated by adding empty read, partial read and data comparisons between MSG_PEEK and normal reads. Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Arseniy Krasnov authored
This adds support of MSG_PEEK flag for SOCK_SEQPACKET type of socket. Difference with SOCK_STREAM is that this callback returns either length of the message or error. Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Arseniy Krasnov authored
This reworks current implementation of MSG_PEEK logic: 1) Replaces 'skb_queue_walk_safe()' with 'skb_queue_walk()'. There is no need in the first one, as there are no removes of skb in loop. 2) Removes nested while loop - MSG_PEEK logic could be implemented without it: just iterate over skbs without removing it and copy data from each until destination buffer is not full. Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru> Reviewed-by: Bobby Eshleman <bobby.eshleman@bytedance.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Jeremy Sowden authored
The flow-control of `bm_find` is very deeply nested with a conditional comparing a ternary expression against the pattern inside a for-loop inside a while-loop inside a for-loop. Move the inner for-loop into a helper function to reduce the amount of indentation and make the code easier to read. Fix indentation and trailing white-space in preceding debug logging statement. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
-
Lin Ma authored
In current ctnetlink_parse_tuple_ip() function, nested parsing and validation is splitting as two parts, which could be cleanup to a simplified form. As the nla_parse_nested_deprecated function supports validation in the fly. These two finially reach same place __nla_validate_parse with same validate flag. nla_parse_nested_deprecated __nla_parse(.., NL_VALIDATE_LIBERAL, ..) __nla_validate_parse nla_validate_nested_deprecated __nla_validate_nested(.., NL_VALIDATE_LIBERAL, ..) __nla_validate __nla_validate_parse This commit removes the call to nla_validate_nested_deprecated and pass cta_ip_nla_policy when do parsing. Signed-off-by: Lin Ma <linma@zju.edu.cn> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Florian Westphal <fw@strlen.de>
-
Florian Westphal authored
nf_tables relies on manual test of netlink attributes coming from userspace even in cases where this could be handled via netlink policy. Convert a bunch of 'flag' attributes to use NLA_POLICY_MASK checks. Signed-off-by: Florian Westphal <fw@strlen.de>
-
Florian Westphal authored
__NLA_IS_BEINT_TYPE(tp) isn't useful. NLA_BE16/32 are identical to NLA_U16/32, the only difference is that it tells the netlink validation functions that byteorder conversion might be needed before comparing the value to the policy min/max ones. After this change all policy macros that can be used with UINT types, such as NLA_POLICY_MASK() can also be used with NLA_BE16/32. This will be used to validate nf_tables flag attributes which are in bigendian byte order. Signed-off-by: Florian Westphal <fw@strlen.de>
-
Zhu Wang authored
When building with W=1, the following warning occurs. net/netfilter/nf_conntrack_proto_dccp.c:72:27: warning: ‘dccp_state_names’ defined but not used [-Wunused-const-variable=] static const char * const dccp_state_names[] = { We include dccp_state_names in the macro CONFIG_NF_CONNTRACK_PROCFS, since it is only used in the place which is included in the macro CONFIG_NF_CONNTRACK_PROCFS. Fixes: 2bc78049 ("[NETFILTER]: nf_conntrack: add DCCP protocol support") Signed-off-by: Zhu Wang <wangzhu9@huawei.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Florian Westphal <fw@strlen.de>
-
Fedor Pchelkin authored
If tipc_link_bc_create() fails inside tipc_node_create() for a newly allocated tipc node then we should stop its tipc crypto and free the resources allocated with a call to tipc_crypto_start(). As the node ref is initialized to one to that point, just put the ref on tipc_link_bc_create() error case that would lead to tipc_node_free() be eventually executed and properly clean the node and its crypto resources. Found by Linux Verification Center (linuxtesting.org). Fixes: cb8092d7 ("tipc: move bc link creation back to tipc_node_create") Suggested-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Reviewed-by: Xin Long <lucien.xin@gmail.com> Link: https://lore.kernel.org/r/20230725214628.25246-1-pchelkin@ispras.ruSigned-off-by: Paolo Abeni <pabeni@redhat.com>
-
Kuniyuki Iwashima authored
kernel test robot reported slab-out-of-bounds access in strlen(). [0] Commit 06d4c8a8 ("af_unix: Fix fortify_panic() in unix_bind_bsd().") removed unix_mkname_bsd() call in unix_bind_bsd(). If sunaddr->sun_path is not terminated by user and we don't enable CONFIG_INIT_STACK_ALL_ZERO=y, strlen() will do the out-of-bounds access during file creation. Let's go back to strlen()-with-sockaddr_storage way and pack all 108 trickiness into unix_mkname_bsd() with bold comments. [0]: BUG: KASAN: slab-out-of-bounds in strlen (lib/string.c:?) Read of size 1 at addr ffff000015492777 by task fortify_strlen_/168 CPU: 0 PID: 168 Comm: fortify_strlen_ Not tainted 6.5.0-rc1-00333-g3329b603ebba #16 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace (arch/arm64/kernel/stacktrace.c:235) show_stack (arch/arm64/kernel/stacktrace.c:242) dump_stack_lvl (lib/dump_stack.c:107) print_report (mm/kasan/report.c:365 mm/kasan/report.c:475) kasan_report (mm/kasan/report.c:590) __asan_report_load1_noabort (mm/kasan/report_generic.c:378) strlen (lib/string.c:?) getname_kernel (./include/linux/fortify-string.h:? fs/namei.c:226) kern_path_create (fs/namei.c:3926) unix_bind (net/unix/af_unix.c:1221 net/unix/af_unix.c:1324) __sys_bind (net/socket.c:1792) __arm64_sys_bind (net/socket.c:1801) invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52) el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147) do_el0_svc (arch/arm64/kernel/syscall.c:189) el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?) el0t_64_sync (arch/arm64/kernel/entry.S:591) Allocated by task 168: kasan_set_track (mm/kasan/common.c:45 mm/kasan/common.c:52) kasan_save_alloc_info (mm/kasan/generic.c:512) __kasan_kmalloc (mm/kasan/common.c:383) __kmalloc (mm/slab_common.c:? mm/slab_common.c:998) unix_bind (net/unix/af_unix.c:257 net/unix/af_unix.c:1213 net/unix/af_unix.c:1324) __sys_bind (net/socket.c:1792) __arm64_sys_bind (net/socket.c:1801) invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52) el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147) do_el0_svc (arch/arm64/kernel/syscall.c:189) el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?) el0t_64_sync (arch/arm64/kernel/entry.S:591) The buggy address belongs to the object at ffff000015492700 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 0 bytes to the right of allocated 119-byte region [ffff000015492700, ffff000015492777) The buggy address belongs to the physical page: page:00000000aeab52ba refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x55492 anon flags: 0x3fffc0000000200(slab|node=0|zone=0|lastcpupid=0xffff) page_type: 0xffffffff() raw: 03fffc0000000200 ffff0000084018c0 fffffc00003d0e00 0000000000000005 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff000015492600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff000015492680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff000015492700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fc ^ ffff000015492780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff000015492800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 06d4c8a8 ("af_unix: Fix fortify_panic() in unix_bind_bsd().") Reported-by: kernel test robot <oliver.sang@intel.com> Closes: https://lore.kernel.org/netdev/202307262110.659e5e8-oliver.sang@intel.com/Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20230726190828.47874-1-kuniyu@amazon.comSigned-off-by: Paolo Abeni <pabeni@redhat.com>
-
Yuanjun Gong authored
goto free_skb if an unexpected result is returned by pskb_tirm() in tipc_crypto_rcv_complete(). Fixes: fc1b6d6d ("tipc: introduce TIPC encryption & authentication") Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com> Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au> Link: https://lore.kernel.org/r/20230725064810.5820-1-ruc_gongyuanjun@163.comSigned-off-by: Paolo Abeni <pabeni@redhat.com>
-
Yuanjun Gong authored
in be_lancer_xmit_workarounds(), it should go to label 'tx_drop' if an unexpected value is returned by pskb_trim(). Fixes: 93040ae5 ("be2net: Fix to trim skb for padded vlan packets to workaround an ASIC Bug") Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com> Link: https://lore.kernel.org/r/20230725032726.15002-1-ruc_gongyuanjun@163.comSigned-off-by: Paolo Abeni <pabeni@redhat.com>
-
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nfJakub Kicinski authored
Florian Westphal says: ==================== netfilter fixes for net 1. On-demand overlap detection in 'rbtree' set can cause memory leaks. This is broken since 6.2. 2. An earlier fix in 6.4 to address an imbalance in refcounts during transaction error unwinding was incomplete, from Pablo Neira. 3. Disallow adding a rule to a deleted chain, also from Pablo. Broken since 5.9. * tag 'nf-23-07-26' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR netfilter: nft_set_rbtree: fix overlap expiration walk ==================== Link: https://lore.kernel.org/r/20230726152524.26268-1-fw@strlen.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Jason Wang authored
A race were found where set_channels could be called after registering but before virtnet_set_queues() in virtnet_probe(). Fixing this by moving the virtnet_set_queues() before netdevice registering. While at it, use _virtnet_set_queues() to avoid holding rtnl as the device is not even registered at that time. Cc: stable@vger.kernel.org Fixes: a220871b ("virtio-net: correctly enable multiqueue") Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com> Link: https://lore.kernel.org/r/20230725072049.617289-1-jasowang@redhat.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-