1. 01 Dec, 2022 4 commits
    •
      af_unix: Get user_ns from in_skb in unix_diag_get_exact(). · b3abe42e
      Kuniyuki Iwashima authored
      Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed
      the root cause: in unix_diag_get_exact(), the newly allocated skb does not
      have sk. [2]
      
      We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to
      sk_diag_fill().
      
      [0]:
      BUG: kernel NULL pointer dereference, address: 0000000000000270
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
      RIP: 0010:sk_user_ns include/net/sock.h:920 [inline]
      RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]
      RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170
      Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8
      54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b
      9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d
      RSP: 0018:ffffc90000d67968 EFLAGS: 00010246
      RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d
      RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270
      RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000
      R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800
      R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940
      FS:  00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       unix_diag_get_exact net/unix/diag.c:285 [inline]
       unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317
       __sock_diag_cmd net/core/sock_diag.c:235 [inline]
       sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266
       netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564
       sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277
       netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
       netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356
       netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg net/socket.c:734 [inline]
       ____sys_sendmsg+0x38f/0x500 net/socket.c:2476
       ___sys_sendmsg net/socket.c:2530 [inline]
       __sys_sendmsg+0x197/0x230 net/socket.c:2559
       __do_sys_sendmsg net/socket.c:2568 [inline]
       __se_sys_sendmsg net/socket.c:2566 [inline]
       __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x4697f9
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
      89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
      01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
      R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0
       </TASK>
      Modules linked in:
      CR2: 0000000000000270
      
      [1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/
      [2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/
      
      Fixes: cae9910e ("net: Add UNIX_DIAG_UID to Netlink UNIX socket diagnostics.")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Reported-by: Wei Chen <harperchen1110@gmail.com>
      Diagnosed-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    •
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · d68d7d20
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      1) Check for interval validity in all concatenation fields in
         nft_set_pipapo, from Stefano Brivio.
      
      2) Missing preemption disabled in conntrack and flowtable stat
         updates, from Xin Long.
      
      3) Fix compilation warning when CONFIG_NF_CONNTRACK_MARK=n.
      
      Except for 3), which was a bug introduced in a recent fix in 6.1-rc,
      everything else has been broken for several releases.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark
        netfilter: conntrack: fix using __this_cpu_add in preemptible
        netfilter: flowtable_offload: fix using __this_cpu_add in preemptible
        netfilter: nft_set_pipapo: Actually validate intervals in fields after the first one
      ====================
      
      Link: https://lore.kernel.org/r/20221130121934.1125-1-pablo@netfilter.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    •
      net: ethernet: ti: am65-cpsw: Fix RGMII configuration at SPEED_10 · 6c681f89
      Siddharth Vadapalli authored
      The am65-cpsw driver supports configuring all RGMII variants at interface
      speed of 10 Mbps. However, in the process of shifting to the PHYLINK
      framework, the support for all variants of RGMII except the
      PHY_INTERFACE_MODE_RGMII variant was accidentally removed.
      
      Fix this by using phy_interface_mode_is_rgmii() to check for all variants
      of RGMII mode.
      
      Fixes: e8609e69 ("net: ethernet: ti: am65-cpsw: Convert to PHYLINK")
      Reported-by: Schuyler Patton <spatton@ti.com>
      Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
      Link: https://lore.kernel.org/r/20221129050639.111142-1-s-vadapalli@ti.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    •
      net: broadcom: Add PTP_1588_CLOCK_OPTIONAL dependency for BCMGENET under ARCH_BCM2835 · 421f8663
      YueHaibing authored
      commit 8d820bc9 ("net: broadcom: Fix BCMGENET Kconfig") fixes builds
      that contain 99addbe3 ("net: broadcom: Select BROADCOM_PHY for BCMGENET")
      and enable BCMGENET=y but PTP_1588_CLOCK_OPTIONAL=m, which otherwise
      leads to a link failure. However, this may trigger a runtime failure.
      
      Fix the original issue by propagating the PTP_1588_CLOCK_OPTIONAL dependency
      of BROADCOM_PHY down to BCMGENET.
      
      Fixes: 8d820bc9 ("net: broadcom: Fix BCMGENET Kconfig")
      Fixes: 99addbe3 ("net: broadcom: Select BROADCOM_PHY for BCMGENET")
      Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
      Suggested-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Acked-by: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20221125115003.30308-1-yuehaibing@huawei.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  2. 30 Nov, 2022 2 commits
    •
      netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark · 1feeae07
      Pablo Neira Ayuso authored
      All warnings (new ones prefixed by >>):
      
         net/netfilter/nf_conntrack_netlink.c: In function '__ctnetlink_glue_build':
      >> net/netfilter/nf_conntrack_netlink.c:2674:13: warning: unused variable 'mark' [-Wunused-variable]
          2674 |         u32 mark;
               |             ^~~~
      
      Fixes: 52d1aa8b ("netfilter: conntrack: Fix data-races around ct mark")
      Reported-by: kernel test robot <lkp@intel.com>
      Tested-by: Ivan Babrou <ivan@ivan.computer>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: conntrack: fix using __this_cpu_add in preemptible · 9464d0b6
      Xin Long authored
      Currently in nf_conntrack_hash_check_insert(), when it fails in
      nf_ct_ext_valid_pre/post(), NF_CT_STAT_INC() will be called in a
      preemptible context, and a call trace can be triggered:
      
         BUG: using __this_cpu_add() in preemptible [00000000] code: conntrack/1636
         caller is nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
         Call Trace:
          <TASK>
          dump_stack_lvl+0x33/0x46
          check_preemption_disabled+0xc3/0xf0
          nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
          ctnetlink_create_conntrack+0x3cd/0x4e0 [nf_conntrack_netlink]
          ctnetlink_new_conntrack+0x1c0/0x450 [nf_conntrack_netlink]
          nfnetlink_rcv_msg+0x277/0x2f0 [nfnetlink]
          netlink_rcv_skb+0x50/0x100
          nfnetlink_rcv+0x65/0x144 [nfnetlink]
          netlink_unicast+0x1ae/0x290
          netlink_sendmsg+0x257/0x4f0
          sock_sendmsg+0x5f/0x70
      
      This patch fixes it by using NF_CT_STAT_INC_ATOMIC() for the
      nf_ct_ext_valid_pre/post() checks in nf_conntrack_hash_check_insert(),
      as well as for nf_ct_ext_valid_post() in __nf_conntrack_confirm().
      
      Note that nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() is
      safe to use NF_CT_STAT_INC(), as it's under local_bh_disable().
      
      Fixes: c56716c6 ("netfilter: extensions: introduce extension genid count")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>