1. 16 Feb, 2023 3 commits
  2. 15 Feb, 2023 6 commits
    • Jakub Kicinski's avatar
      net: mpls: fix stale pointer if allocation fails during device rename · fda6c89f
      Jakub Kicinski authored
      lianhui reports that when MPLS fails to register the sysctl table
      under new location (during device rename) the old pointers won't
      get overwritten and may be freed again (double free).
      
      Handle this gracefully. The best option would be unregistering
      the MPLS from the device completely on failure, but unfortunately
      mpls_ifdown() can fail. So failing fully is also unreliable.
      
      Another option is to register the new table first then only
      remove old one if the new one succeeds. That requires more
      code, changes order of notifications and two tables may be
      visible at the same time.
      
      sysctl point is not used in the rest of the code - set to NULL
      on failures and skip unregister if already NULL.
      Reported-by: default avatarlianhui tang <bluetlh@gmail.com>
      Fixes: 0fae3bf0 ("mpls: handle device renames for per-device sysctls")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fda6c89f
    • Pedro Tammela's avatar
      net/sched: tcindex: search key must be 16 bits · 42018a32
      Pedro Tammela authored
      Syzkaller found an issue where a handle greater than 16 bits would trigger
      a null-ptr-deref in the imperfect hash area update.
      
      general protection fault, probably for non-canonical address
      0xdffffc0000000015: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
      CPU: 0 PID: 5070 Comm: syz-executor456 Not tainted
      6.2.0-rc7-syzkaller-00112-gc68f345b #0
      Hardware name: Google Google Compute Engine/Google Compute Engine,
      BIOS Google 01/21/2023
      RIP: 0010:tcindex_set_parms+0x1a6a/0x2990 net/sched/cls_tcindex.c:509
      Code: 01 e9 e9 fe ff ff 4c 8b bd 28 fe ff ff e8 0e 57 7d f9 48 8d bb
      a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c
      02 00 0f 85 94 0c 00 00 48 8b 85 f8 fd ff ff 48 8b 9b a8 00
      RSP: 0018:ffffc90003d3ef88 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000015 RSI: ffffffff8803a102 RDI: 00000000000000a8
      RBP: ffffc90003d3f1d8 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801e2b10a8
      R13: dffffc0000000000 R14: 0000000000030000 R15: ffff888017b3be00
      FS: 00005555569af300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000056041c6d2000 CR3: 000000002bfca000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      tcindex_change+0x1ea/0x320 net/sched/cls_tcindex.c:572
      tc_new_tfilter+0x96e/0x2220 net/sched/cls_api.c:2155
      rtnetlink_rcv_msg+0x959/0xca0 net/core/rtnetlink.c:6132
      netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xd3/0x120 net/socket.c:734
      ____sys_sendmsg+0x334/0x8c0 net/socket.c:2476
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
      __sys_sendmmsg+0x18f/0x460 net/socket.c:2616
      __do_sys_sendmmsg net/socket.c:2645 [inline]
      __se_sys_sendmmsg net/socket.c:2642 [inline]
      __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
      
      Fixes: ee059170 ("net/sched: tcindex: update imperfect hash filters respecting rcu")
      Signed-off-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarPedro Tammela <pctammela@mojatatu.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      42018a32
    • Tung Nguyen's avatar
      tipc: fix kernel warning when sending SYN message · 11a4d6f6
      Tung Nguyen authored
      When sending a SYN message, this kernel stack trace is observed:
      
      ...
      [   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
      ...
      [   13.398494] Call Trace:
      [   13.398630]  <TASK>
      [   13.398630]  ? __alloc_skb+0xed/0x1a0
      [   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]
      [   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290
      [   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]
      [   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]
      [   13.398630]  ? __local_bh_enable_ip+0x37/0x80
      [   13.398630]  tipc_connect+0x1d9/0x230 [tipc]
      [   13.398630]  ? __sys_connect+0x9f/0xd0
      [   13.398630]  __sys_connect+0x9f/0xd0
      [   13.398630]  ? preempt_count_add+0x4d/0xa0
      [   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50
      [   13.398630]  __x64_sys_connect+0x16/0x20
      [   13.398630]  do_syscall_64+0x42/0x90
      [   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      It is because commit a41dad90 ("iov_iter: saner checks for attempt
      to copy to/from iterator") has introduced sanity check for copying
      from/to iov iterator. Lacking of copy direction from the iterator
      viewpoint would lead to kernel stack trace like above.
      
      This commit fixes this issue by initializing the iov iterator with
      the correct copy direction when sending SYN or ACK without data.
      
      Fixes: f25dcc76 ("tipc: tipc ->sendmsg() conversion")
      Reported-by: syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com
      Acked-by: default avatarJon Maloy <jmaloy@redhat.com>
      Signed-off-by: default avatarTung Nguyen <tung.q.nguyen@dektech.com.au>
      Link: https://lore.kernel.org/r/20230214012606.5804-1-tung.q.nguyen@dektech.com.auSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      11a4d6f6
    • Miroslav Lichvar's avatar
      igb: Fix PPS input and output using 3rd and 4th SDP · 207ce626
      Miroslav Lichvar authored
      Fix handling of the tsync interrupt to compare the pin number with
      IGB_N_SDP instead of IGB_N_EXTTS/IGB_N_PEROUT and fix the indexing to
      the perout array.
      
      Fixes: cf99c1dd ("igb: move PEROUT and EXTTS isr logic to separate functions")
      Reported-by: default avatarMatt Corallo <ntp-lists@mattcorallo.com>
      Signed-off-by: default avatarMiroslav Lichvar <mlichvar@redhat.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Link: https://lore.kernel.org/r/20230213185822.3960072-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      207ce626
    • Jakub Kicinski's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · d3a37346
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-02-13 (ice)
      
      This series contains updates to ice driver only.
      
      Michal fixes check of scheduling node weight and priority to be done
      against desired value, not current value.
      
      Jesse adds setting of all multicast when adding promiscuous mode to
      resolve traffic being lost due to filter settings.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        ice: fix lost multicast packets in promisc mode
        ice: Fix check for weight and priority of a scheduling node
      ====================
      
      Link: https://lore.kernel.org/r/20230213185259.3959224-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d3a37346
    • Eric Dumazet's avatar
      net: use a bounce buffer for copying skb->mark · 2558b803
      Eric Dumazet authored
      syzbot found arm64 builds would crash in sock_recv_mark()
      when CONFIG_HARDENED_USERCOPY=y
      
      x86 and powerpc are not detecting the issue because
      they define user_access_begin.
      This will be handled in a different patch,
      because a check_object_size() is missing.
      
      Only data from skb->cb[] can be copied directly to/from user space,
      as explained in commit 79a8a642 ("net: Whitelist
      the skbuff_head_cache "cb" field")
      
      syzbot report was:
      usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!
      ------------[ cut here ]------------
      kernel BUG at mm/usercopy.c:102 !
      Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
      pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90
      lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90
      sp : ffff80000fb9b9a0
      x29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00
      x26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000
      x23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8
      x20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000
      x17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118
      x14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400
      x11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00
      x8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000
      x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
      x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c
      Call trace:
      usercopy_abort+0x90/0x94 mm/usercopy.c:90
      __check_heap_object+0xa8/0x100 mm/slub.c:4761
      check_heap_object mm/usercopy.c:196 [inline]
      __check_object_size+0x208/0x6b8 mm/usercopy.c:251
      check_object_size include/linux/thread_info.h:199 [inline]
      __copy_to_user include/linux/uaccess.h:115 [inline]
      put_cmsg+0x408/0x464 net/core/scm.c:238
      sock_recv_mark net/socket.c:975 [inline]
      __sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984
      sock_recv_cmsgs include/net/sock.h:2728 [inline]
      packet_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482
      ____sys_recvmsg+0x110/0x3a0
      ___sys_recvmsg net/socket.c:2737 [inline]
      __sys_recvmsg+0x194/0x210 net/socket.c:2767
      __do_sys_recvmsg net/socket.c:2777 [inline]
      __se_sys_recvmsg net/socket.c:2774 [inline]
      __arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774
      __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
      invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52
      el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142
      do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193
      el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637
      el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
      Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)
      
      Fixes: 6fd1d51c ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Erin MacNeil <lnx.erin@gmail.com>
      Reviewed-by: default avatarAlexander Lobakin <alexandr.lobakin@intel.com>
      Link: https://lore.kernel.org/r/20230213160059.3829741-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2558b803
  3. 14 Feb, 2023 6 commits
  4. 13 Feb, 2023 7 commits
  5. 11 Feb, 2023 8 commits
  6. 10 Feb, 2023 10 commits