1. 03 Nov, 2022 14 commits
  2. 02 Nov, 2022 26 commits
    • Luiz Augusto von Dentz's avatar
      Bluetooth: L2CAP: Fix attempting to access uninitialized memory · b1a2cd50
      Luiz Augusto von Dentz authored
      On l2cap_parse_conf_req the variable efs is only initialized if
      remote_efs has been set.
      
      CVE: CVE-2022-42895
      CC: stable@vger.kernel.org
      Reported-by: default avatarTamás Koczka <poprdi@google.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: default avatarTedd Ho-Jeong An <tedd.an@intel.com>
      b1a2cd50
    • Luiz Augusto von Dentz's avatar
      Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm · f937b758
      Luiz Augusto von Dentz authored
      l2cap_global_chan_by_psm shall not return fixed channels as they are not
      meant to be connected by (S)PSM.
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: default avatarTedd Ho-Jeong An <tedd.an@intel.com>
      f937b758
    • Luiz Augusto von Dentz's avatar
      Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM · 711f8c3f
      Luiz Augusto von Dentz authored
      The Bluetooth spec states that the valid range for SPSM is from
      0x0001-0x00ff so it is invalid to accept values outside of this range:
      
        BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
        page 1059:
        Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
      
      CVE: CVE-2022-42896
      CC: stable@vger.kernel.org
      Reported-by: default avatarTamás Koczka <poprdi@google.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: default avatarTedd Ho-Jeong An <tedd.an@intel.com>
      711f8c3f
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_conn: Fix not restoring ISO buffer count on disconnect · 5638d9ea
      Luiz Augusto von Dentz authored
      When disconnecting an ISO link the controller may not generate
      HCI_EV_NUM_COMP_PKTS for unacked packets which needs to be restored in
      hci_conn_del otherwise the host would assume they are still in use and
      would not be able to use all the buffers available.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Tested-by: default avatarFrédéric Danis <frederic.danis@collabora.com>
      5638d9ea
    • Hawkins Jiawei's avatar
      Bluetooth: L2CAP: Fix memory leak in vhci_write · 7c9524d9
      Hawkins Jiawei authored
      Syzkaller reports a memory leak as follows:
      ====================================
      BUG: memory leak
      unreferenced object 0xffff88810d81ac00 (size 240):
        [...]
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418
          [<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]
          [<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]
          [<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]
          [<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511
          [<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]
          [<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]
          [<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578
          [<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631
          [<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
          [<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
          [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      ====================================
      
      HCI core will uses hci_rx_work() to process frame, which is queued to
      the hdev->rx_q tail in hci_recv_frame() by HCI driver.
      
      Yet the problem is that, HCI core may not free the skb after handling
      ACL data packets. To be more specific, when start fragment does not
      contain the L2CAP length, HCI core just copies skb into conn->rx_skb and
      finishes frame process in l2cap_recv_acldata(), without freeing the skb,
      which triggers the above memory leak.
      
      This patch solves it by releasing the relative skb, after processing
      the above case in l2cap_recv_acldata().
      
      Fixes: 4d7ea8ee ("Bluetooth: L2CAP: Fix handling fragmented length")
      Link: https://lore.kernel.org/all/0000000000000d0b1905e6aaef64@google.com/
      Reported-and-tested-by: syzbot+8f819e36e01022991cfa@syzkaller.appspotmail.com
      Signed-off-by: default avatarHawkins Jiawei <yin31149@gmail.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      7c9524d9
    • Zhengchao Shao's avatar
      Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() · 0d0e2d03
      Zhengchao Shao authored
      When l2cap_recv_frame() is invoked to receive data, and the cid is
      L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
      However, after a channel is created, the hold operation of the channel
      is not performed. In this case, the value of channel reference counting
      is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
      invokes the close hook function of A2MP to release the channel. Then
       l2cap_chan_unlock(chan) will trigger UAF issue.
      
      The process is as follows:
      Receive data:
      l2cap_data_channel()
          a2mp_channel_create()  --->channel ref is 2
          l2cap_chan_put()       --->channel ref is 1
      
      Triger event:
          hci_error_reset()
              hci_dev_do_close()
              ...
              l2cap_disconn_cfm()
                  l2cap_conn_del()
                      l2cap_chan_hold()    --->channel ref is 2
                      l2cap_chan_del()     --->channel ref is 1
                      a2mp_chan_close_cb() --->channel ref is 0, release channel
                      l2cap_chan_unlock()  --->UAF of channel
      
      The detailed Call Trace is as follows:
      BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
      Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
      Workqueue: hci0 hci_error_reset
      Call Trace:
       <TASK>
       dump_stack_lvl+0xcd/0x134
       print_report.cold+0x2ba/0x719
       kasan_report+0xb1/0x1e0
       kasan_check_range+0x140/0x190
       __mutex_unlock_slowpath+0xa6/0x5e0
       l2cap_conn_del+0x404/0x7b0
       l2cap_disconn_cfm+0x8c/0xc0
       hci_conn_hash_flush+0x11f/0x260
       hci_dev_close_sync+0x5f5/0x11f0
       hci_dev_do_close+0x2d/0x70
       hci_error_reset+0x9e/0x140
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
       </TASK>
      
      Allocated by task 7593:
       kasan_save_stack+0x1e/0x40
       __kasan_kmalloc+0xa9/0xd0
       l2cap_chan_create+0x40/0x930
       amp_mgr_create+0x96/0x990
       a2mp_channel_create+0x7d/0x150
       l2cap_recv_frame+0x51b8/0x9a70
       l2cap_recv_acldata+0xaa3/0xc00
       hci_rx_work+0x702/0x1220
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
      
      Freed by task 7593:
       kasan_save_stack+0x1e/0x40
       kasan_set_track+0x21/0x30
       kasan_set_free_info+0x20/0x30
       ____kasan_slab_free+0x167/0x1c0
       slab_free_freelist_hook+0x89/0x1c0
       kfree+0xe2/0x580
       l2cap_chan_put+0x22a/0x2d0
       l2cap_conn_del+0x3fc/0x7b0
       l2cap_disconn_cfm+0x8c/0xc0
       hci_conn_hash_flush+0x11f/0x260
       hci_dev_close_sync+0x5f5/0x11f0
       hci_dev_do_close+0x2d/0x70
       hci_error_reset+0x9e/0x140
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
      
      Last potentially related work creation:
       kasan_save_stack+0x1e/0x40
       __kasan_record_aux_stack+0xbe/0xd0
       call_rcu+0x99/0x740
       netlink_release+0xe6a/0x1cf0
       __sock_release+0xcd/0x280
       sock_close+0x18/0x20
       __fput+0x27c/0xa90
       task_work_run+0xdd/0x1a0
       exit_to_user_mode_prepare+0x23c/0x250
       syscall_exit_to_user_mode+0x19/0x50
       do_syscall_64+0x42/0x80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Second to last potentially related work creation:
       kasan_save_stack+0x1e/0x40
       __kasan_record_aux_stack+0xbe/0xd0
       call_rcu+0x99/0x740
       netlink_release+0xe6a/0x1cf0
       __sock_release+0xcd/0x280
       sock_close+0x18/0x20
       __fput+0x27c/0xa90
       task_work_run+0xdd/0x1a0
       exit_to_user_mode_prepare+0x23c/0x250
       syscall_exit_to_user_mode+0x19/0x50
       do_syscall_64+0x42/0x80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: d0be8347 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      0d0e2d03
    • Soenke Huster's avatar
      Bluetooth: virtio_bt: Use skb_put to set length · 160fbcf3
      Soenke Huster authored
      By using skb_put we ensure that skb->tail is set
      correctly. Currently, skb->tail is always zero, which
      leads to errors, such as the following page fault in
      rfcomm_recv_frame:
      
          BUG: unable to handle page fault for address: ffffed1021de29ff
          #PF: supervisor read access in kernel mode
          #PF: error_code(0x0000) - not-present page
          RIP: 0010:rfcomm_run+0x831/0x4040 (net/bluetooth/rfcomm/core.c:1751)
      
      Fixes: afd2daa2 ("Bluetooth: Add support for virtio transport driver")
      Signed-off-by: default avatarSoenke Huster <soenke.huster@eknoes.de>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      160fbcf3
    • Pauli Virtanen's avatar
      Bluetooth: hci_conn: Fix CIS connection dst_type handling · b36a234d
      Pauli Virtanen authored
      hci_connect_cis and iso_connect_cis call hci_bind_cis inconsistently
      with dst_type being either ISO socket address type or the HCI type, but
      these values cannot be mixed like this. Fix this by using only the HCI
      type.
      
      CIS connection dst_type was also not initialized in hci_bind_cis, even
      though it is used in hci_conn_hash_lookup_cis to find existing
      connections.  Set the value in hci_bind_cis, so that existing CIS
      connections are found e.g. when doing deferred socket connections, also
      when dst_type is not 0 (ADDR_LE_DEV_PUBLIC).
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      b36a234d
    • Maxim Mikityanskiy's avatar
      Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu · 3aff8aac
      Maxim Mikityanskiy authored
      Fix the race condition between the following two flows that run in
      parallel:
      
      1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) ->
         __sock_queue_rcv_skb.
      
      2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.
      
      An SKB can be queued by the first flow and immediately dequeued and
      freed by the second flow, therefore the callers of l2cap_reassemble_sdu
      can't use the SKB after that function returns. However, some places
      continue accessing struct l2cap_ctrl that resides in the SKB's CB for a
      short time after l2cap_reassemble_sdu returns, leading to a
      use-after-free condition (the stack trace is below, line numbers for
      kernel 5.19.8).
      
      Fix it by keeping a local copy of struct l2cap_ctrl.
      
      BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
      Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169
      
      Workqueue: hci0 hci_rx_work [bluetooth]
      Call Trace:
       <TASK>
       dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
       print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)
       ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
       kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
       ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
       l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
       l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth
       ret_from_fork (arch/x86/entry/entry_64.S:306)
       </TASK>
      
      Allocated by task 43169:
       kasan_save_stack (mm/kasan/common.c:39)
       __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
       kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)
       __alloc_skb (net/core/skbuff.c:414)
       l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth
       l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth
       hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth
       process_one_work (kernel/workqueue.c:2289)
       worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)
       kthread (kernel/kthread.c:376)
       ret_from_fork (arch/x86/entry/entry_64.S:306)
      
      Freed by task 27920:
       kasan_save_stack (mm/kasan/common.c:39)
       kasan_set_track (mm/kasan/common.c:45)
       kasan_set_free_info (mm/kasan/generic.c:372)
       ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)
       slab_free_freelist_hook (mm/slub.c:1780)
       kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)
       skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)
       bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth
       l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth
       sock_read_iter (net/socket.c:1087)
       new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)
       vfs_read (fs/read_write.c:482)
       ksys_read (fs/read_write.c:620)
       do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
       entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      
      Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u
      Fixes: d2a7ac5d ("Bluetooth: Add the ERTM receive state machine")
      Fixes: 4b51dae9 ("Bluetooth: Add streaming mode receive and incoming packet classifier")
      Signed-off-by: default avatarMaxim Mikityanskiy <maxtram95@gmail.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      3aff8aac
    • Linus Torvalds's avatar
      Merge tag 'parisc-for-6.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 8e5423e9
      Linus Torvalds authored
      Pull parisc architecture fixes from Helge Deller:
       "This mostly handles oddities with the serial port 8250_gsc.c driver.
      
        Although the name suggests it's just for serial ports on the GSC bus
        (e.g. in older PA-RISC machines), it handles serial ports on PA-RISC
        PCI devices (e.g. on the SuperIO chip) as well.
      
        Thus this renames the driver to 8250_parisc and fixes the config
        dependencies.
      
        The other change is a cleanup on how the device IDs of devices in a
        PA-RISC machine are shown at startup"
      
      * tag 'parisc-for-6.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Avoid printing the hardware path twice
        parisc: Export iosapic_serial_irq() symbol for serial port driver
        MAINTAINERS: adjust entry after renaming parisc serial driver
        parisc: Use signed char for hardware path in pdc.h
        parisc/serial: Rename 8250_gsc.c to 8250_parisc.c
        parisc: Make 8250_gsc driver dependend on CONFIG_PARISC
      8e5423e9
    • Jozsef Kadlecsik's avatar
      netfilter: ipset: enforce documented limit to prevent allocating huge memory · 510841da
      Jozsef Kadlecsik authored
      Daniel Xu reported that the hash:net,iface type of the ipset subsystem does
      not limit adding the same network with different interfaces to a set, which
      can lead to huge memory usage or allocation failure.
      
      The quick reproducer is
      
      $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0
      $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done
      
      The backtrace when vmalloc fails:
      
              [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages
              <...>
              [Tue Oct 25 00:13:08 2022] Call Trace:
              [Tue Oct 25 00:13:08 2022]  <TASK>
              [Tue Oct 25 00:13:08 2022]  dump_stack_lvl+0x48/0x60
              [Tue Oct 25 00:13:08 2022]  warn_alloc+0x155/0x180
              [Tue Oct 25 00:13:08 2022]  __vmalloc_node_range+0x72a/0x760
              [Tue Oct 25 00:13:08 2022]  ? hash_netiface4_add+0x7c0/0xb20
              [Tue Oct 25 00:13:08 2022]  ? __kmalloc_large_node+0x4a/0x90
              [Tue Oct 25 00:13:08 2022]  kvmalloc_node+0xa6/0xd0
              [Tue Oct 25 00:13:08 2022]  ? hash_netiface4_resize+0x99/0x710
              <...>
      
      The fix is to enforce the limit documented in the ipset(8) manpage:
      
      >  The internal restriction of the hash:net,iface set type is that the same
      >  network prefix cannot be stored with more than 64 different interfaces
      >  in a single set.
      
      Fixes: ccf0a4b7 ("netfilter: ipset: Add bucketsize parameter to all hash types")
      Reported-by: default avatarDaniel Xu <dxu@dxuuu.xyz>
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      510841da
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-6.1-2' of git://git.linux-nfs.org/projects/anna/linux-nfs · 31fc92fc
      Linus Torvalds authored
      Pull NFS client bugfixes from Anna Schumaker:
      
       - Fix some coccicheck warnings
      
       - Avoid memcpy() run-time warning
      
       - Fix up various state reclaim / RECLAIM_COMPLETE errors
      
       - Fix a null pointer dereference in sysfs
      
       - Fix LOCK races
      
       - Fix gss_unwrap_resp_integ() crasher
      
       - Fix zero length clones
      
       - Fix memleak when allocate slot fails
      
      * tag 'nfs-for-6.1-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        nfs4: Fix kmemleak when allocate slot failed
        NFSv4.2: Fixup CLONE dest file size for zero-length count
        SUNRPC: Fix crasher in gss_unwrap_resp_integ()
        NFSv4: Retry LOCK on OLD_STATEID during delegation return
        SUNRPC: Fix null-ptr-deref when xps sysfs alloc failed
        NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
        NFSv4.1: Handle RECLAIM_COMPLETE trunking errors
        NFSv4: Fix a potential state reclaim deadlock
        NFS: Avoid memcpy() run-time warning for struct sockaddr overflows
        nfs: Remove redundant null checks before kfree
      31fc92fc
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · ae13366b
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Fix a few more of the usual sorts of bugs:
      
         - Another regression with source route validation in CMA, introduced
           this merge window
      
         - Crash in hfi1 due to faulty list operations
      
         - PCI ID updates for EFA
      
         - Disable LOCAL_INV in hns because it causes a HW hang
      
         - Crash in hns due to missing initialization
      
         - Memory leak in rxe
      
         - Missing error unwind during ib_core module loading
      
         - Missing error handling in qedr around work queue creation during
           startup"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/qedr: clean up work queue on failure in qedr_alloc_resources()
        RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
        RDMA/rxe: Fix mr leak in RESPST_ERR_RNR
        RDMA/hns: Fix NULL pointer problem in free_mr_init()
        RDMA/hns: Disable local invalidate operation
        RDMA/efa: Add EFA 0xefa2 PCI ID
        IB/hfi1: Correctly move list in sc_disable()
        RDMA/cma: Use output interface for net_dev check
      ae13366b
    • David S. Miller's avatar
      Merge branch 'misdn-fixes' · ba9169f5
      David S. Miller authored
      Yang Yingliang says:
      
      ====================
      two fixes for mISDN
      
      This patchset fixes two issues when device_add() returns error.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ba9169f5
    • Yang Yingliang's avatar
      isdn: mISDN: netjet: fix wrong check of device registration · bf00f542
      Yang Yingliang authored
      The class is set in mISDN_register_device(), but if device_add() returns
      error, it will lead to delete a device without added, fix this by using
      device_is_registered() to check if the device is registered.
      
      Fixes: a900845e ("mISDN: Add support for Traverse Technologies NETJet PCI cards")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf00f542
    • Yang Yingliang's avatar
      mISDN: fix possible memory leak in mISDN_register_device() · e7d1d4d9
      Yang Yingliang authored
      Afer commit 1fa5ae85 ("driver core: get rid of struct device's
      bus_id string array"), the name of device is allocated dynamically,
      add put_device() to give up the reference, so that the name can be
      freed in kobject_cleanup() when the refcount is 0.
      
      Set device class before put_device() to avoid null release() function
      WARN message in device_release().
      
      Fixes: 1fa5ae85 ("driver core: get rid of struct device's bus_id string array")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e7d1d4d9
    • Zhang Qilong's avatar
      rose: Fix NULL pointer dereference in rose_send_frame() · e97c089d
      Zhang Qilong authored
      The syzkaller reported an issue:
      
      KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]
      CPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074f #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
      Workqueue: rcu_gp srcu_invoke_callbacks
      RIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101
      Call Trace:
       <IRQ>
       rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255
       rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009
       rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111
       call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
       expire_timers kernel/time/timer.c:1519 [inline]
       __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
       __run_timers kernel/time/timer.c:1768 [inline]
       run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
       __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
       [...]
       </IRQ>
      
      It triggers NULL pointer dereference when 'neigh->dev->dev_addr' is
      called in the rose_send_frame(). It's the first occurrence of the
      `neigh` is in rose_loopback_timer() as `rose_loopback_neigh', and
      the 'dev' in 'rose_loopback_neigh' is initialized sa nullptr.
      
      It had been fixed by commit 3b3fd068
      ("rose: Fix Null pointer dereference in rose_send_frame()") ever.
      But it's introduced by commit 3c53cd65
      ("rose: check NULL rose_loopback_neigh->loopback") again.
      
      We fix it by add NULL check in rose_transmit_clear_request(). When
      the 'dev' in 'neigh' is NULL, we don't reply the request and just
      clear it.
      
      syzkaller don't provide repro, and I provide a syz repro like:
      r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
      ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201})
      r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
      bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)
      connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)
      
      Fixes: 3c53cd65 ("rose: check NULL rose_loopback_neigh->loopback")
      Signed-off-by: default avatarZhang Qilong <zhangqilong3@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e97c089d
    • Chen Zhongjin's avatar
      netfilter: nf_nat: Fix possible memory leak in nf_nat_init() · cbc1dd5b
      Chen Zhongjin authored
      In nf_nat_init(), register_nf_nat_bpf() can fail and return directly
      without any error handling.
      Then nf_nat_bysource will leak and registering of &nat_net_ops,
      &follow_master_nat and nf_nat_hook won't be reverted.
      
      This leaves wild ops in linkedlists and when another module tries to
      call register_pernet_operations() or nf_ct_helper_expectfn_register()
      it triggers page fault:
      
       BUG: unable to handle page fault for address: fffffbfff81b964c
       RIP: 0010:register_pernet_operations+0x1b9/0x5f0
       Call Trace:
       <TASK>
        register_pernet_subsys+0x29/0x40
        ebtables_init+0x58/0x1000 [ebtables]
        ...
      
      Fixes: 820dc052 ("net: netfilter: move bpf_ct_set_nat_info kfunc in nf_nat_bpf.c")
      Signed-off-by: default avatarChen Zhongjin <chenzhongjin@huawei.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      cbc1dd5b
    • Zhengchao Shao's avatar
      ipvs: fix WARNING in ip_vs_app_net_cleanup() · 5663ed63
      Zhengchao Shao authored
      During the initialization of ip_vs_app_net_init(), if file ip_vs_app
      fails to be created, the initialization is successful by default.
      Therefore, the ip_vs_app file doesn't be found during the remove in
      ip_vs_app_net_cleanup(). It will cause WRNING.
      
      The following is the stack information:
      name 'ip_vs_app'
      WARNING: CPU: 1 PID: 9 at fs/proc/generic.c:712 remove_proc_entry+0x389/0x460
      Modules linked in:
      Workqueue: netns cleanup_net
      RIP: 0010:remove_proc_entry+0x389/0x460
      Call Trace:
      <TASK>
      ops_exit_list+0x125/0x170
      cleanup_net+0x4ea/0xb00
      process_one_work+0x9bf/0x1710
      worker_thread+0x665/0x1080
      kthread+0x2e4/0x3a0
      ret_from_fork+0x1f/0x30
      </TASK>
      
      Fixes: 457c4cbc ("[NET]: Make /proc/net per network namespace")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      5663ed63
    • Zhengchao Shao's avatar
      ipvs: fix WARNING in __ip_vs_cleanup_batch() · 3d00c6a0
      Zhengchao Shao authored
      During the initialization of ip_vs_conn_net_init(), if file ip_vs_conn
      or ip_vs_conn_sync fails to be created, the initialization is successful
      by default. Therefore, the ip_vs_conn or ip_vs_conn_sync file doesn't
      be found during the remove.
      
      The following is the stack information:
      name 'ip_vs_conn_sync'
      WARNING: CPU: 3 PID: 9 at fs/proc/generic.c:712
      remove_proc_entry+0x389/0x460
      Modules linked in:
      Workqueue: netns cleanup_net
      RIP: 0010:remove_proc_entry+0x389/0x460
      Call Trace:
      <TASK>
      __ip_vs_cleanup_batch+0x7d/0x120
      ops_exit_list+0x125/0x170
      cleanup_net+0x4ea/0xb00
      process_one_work+0x9bf/0x1710
      worker_thread+0x665/0x1080
      kthread+0x2e4/0x3a0
      ret_from_fork+0x1f/0x30
      </TASK>
      
      Fixes: 61b1ab45 ("IPVS: netns, add basic init per netns.")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      3d00c6a0
    • Jason A. Donenfeld's avatar
      ipvs: use explicitly signed chars · 5c26159c
      Jason A. Donenfeld authored
      The `char` type with no explicit sign is sometimes signed and sometimes
      unsigned. This code will break on platforms such as arm, where char is
      unsigned. So mark it here as explicitly signed, so that the
      todrop_counter decrement and subsequent comparison is correct.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      5c26159c
    • Florian Westphal's avatar
      netlink: introduce bigendian integer types · ecaf75ff
      Florian Westphal authored
      Jakub reported that the addition of the "network_byte_order"
      member in struct nla_policy increases size of 32bit platforms.
      
      Instead of scraping the bit from elsewhere Johannes suggested
      to add explicit NLA_BE types instead, so do this here.
      
      NLA_POLICY_MAX_BE() macro is removed again, there is no need
      for it: NLA_POLICY_MAX(NLA_BE.., ..) will do the right thing.
      
      NLA_BE64 can be added later.
      
      Fixes: 08724ef6 ("netlink: introduce NLA_POLICY_MAX_BE")
      Reported-by: default avatarJakub Kicinski <kuba@kernel.org>
      Suggested-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Link: https://lore.kernel.org/r/20221031123407.9158-1-fw@strlen.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ecaf75ff
    • Horatiu Vultur's avatar
      net: lan966x: Fix unmapping of received frames using FDMA · fc57062f
      Horatiu Vultur authored
      When lan966x was receiving a frame, then it was building the skb and
      after that it was calling dma_unmap_single with frame size as the
      length. This actually has 2 issues:
      1. It is using a length to map and a different length to unmap.
      2. When the unmap was happening, the data was sync for cpu but it could
         be that this will overwrite what build_skb was initializing.
      
      The fix for these two problems is to change the order of operations.
      First to sync the frame for cpu, then to build the skb and in the end to
      unmap using the correct size but without sync the frame again for cpu.
      
      Fixes: c8349639 ("net: lan966x: Add FDMA functionality")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Link: https://lore.kernel.org/r/20221031133421.1283196-1-horatiu.vultur@microchip.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fc57062f
    • Jakub Kicinski's avatar
      Merge branch 'net-lan966x-fixes-for-when-mtu-is-changed' · 70644f72
      Jakub Kicinski authored
      Horatiu Vultur says:
      
      ====================
      net: lan966x: Fixes for when MTU is changed
      
      There were multiple problems in different parts of the driver when
      the MTU was changed.
      The first problem was that the HW was missing to configure the correct
      value, it was missing ETH_HLEN and ETH_FCS_LEN. The second problem was
      when vlan filtering was enabled/disabled, the MRU was not adjusted
      corretly. While the last issue was that the FDMA was calculated wrongly
      the correct maximum MTU.
      ====================
      
      Link: https://lore.kernel.org/r/20221030213636.1031408-1-horatiu.vultur@microchip.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      70644f72
    • Horatiu Vultur's avatar
      net: lan966x: Fix FDMA when MTU is changed · 872ad758
      Horatiu Vultur authored
      When MTU is changed, FDMA is required to calculate what is the maximum
      size of the frame that it can received. So it can calculate what is the
      page order needed to allocate for the received frames.
      The first problem was that, when the max MTU was calculated it was
      reading the value from dev and not from HW, so in this way it was
      missing L2 header + the FCS.
      The other problem was that once the skb is created using
      __build_skb_around, it would reserve some space for skb_shared_info.
      So if we received a frame which size is at the limit of the page order
      then the creating will failed because it would not have space to put all
      the data.
      
      Fixes: 2ea1cbac ("net: lan966x: Update FDMA to change MTU.")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      872ad758
    • Horatiu Vultur's avatar
      net: lan966x: Adjust maximum frame size when vlan is enabled/disabled · 25f28bb1
      Horatiu Vultur authored
      When vlan filtering is enabled/disabled, it is required to adjust the
      maximum received frame size that it can received. When vlan filtering is
      enabled, it would all to receive extra 4 bytes, that are the vlan tag.
      So the maximum frame size would be 1522 with a vlan tag. If vlan
      filtering is disabled then the maximum frame size would be 1518
      regardless if there is or not a vlan tag.
      
      Fixes: 6d2c186a ("net: lan966x: Add vlan support.")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      25f28bb1