1. 28 Jan, 2023 4 commits
  2. 26 Jan, 2023 6 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 28b4387f
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from netfilter.
      
        Current release - regressions:
      
         - sched: sch_taprio: do not schedule in taprio_reset()
      
        Previous releases - regressions:
      
         - core: fix UaF in netns ops registration error path
      
         - ipv4: prevent potential spectre v1 gadgets
      
         - ipv6: fix reachability confirmation with proxy_ndp
      
         - netfilter: fix for the set rbtree
      
         - eth: fec: use page_pool_put_full_page when freeing rx buffers
      
         - eth: iavf: fix temporary deadlock and failure to set MAC address
      
        Previous releases - always broken:
      
         - netlink: prevent potential spectre v1 gadgets
      
         - netfilter: fixes for SCTP connection tracking
      
         - mctp: struct sock lifetime fixes
      
         - eth: ravb: fix possible hang if RIS2_QFF1 happen
      
         - eth: tg3: resolve deadlock in tg3_reset_task() during EEH
      
        Misc:
      
         - Mat stepped out as MPTCP co-maintainer"
      
      * tag 'net-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (40 commits)
        net: mdio-mux-meson-g12a: force internal PHY off on mux switch
        docs: networking: Fix bridge documentation URL
        tsnep: Fix TX queue stop/wake for multiple queues
        net/tg3: resolve deadlock in tg3_reset_task() during EEH
        net: mctp: mark socks as dead on unhash, prevent re-add
        net: mctp: hold key reference when looking up a general key
        net: mctp: move expiry timer delete to unhash
        net: mctp: add an explicit reference from a mctp_sk_key to sock
        net: ravb: Fix possible hang if RIS2_QFF1 happen
        net: ravb: Fix lack of register setting after system resumed for Gen3
        net/x25: Fix to not accept on connected socket
        ice: move devlink port creation/deletion
        sctp: fail if no bound addresses can be used for a given scope
        net/sched: sch_taprio: do not schedule in taprio_reset()
        Revert "Merge branch 'ethtool-mac-merge'"
        netrom: Fix use-after-free of a listening socket.
        netfilter: conntrack: unify established states for SCTP paths
        Revert "netfilter: conntrack: add sctp DATA_SENT state"
        netfilter: conntrack: fix bug in for_each_sctp_chunk
        netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE
        ...
      28b4387f
    • Linus Torvalds's avatar
      treewide: fix up files incorrectly marked executable · 262b42e0
      Linus Torvalds authored
      I'm not exactly clear on what strange workflow causes people to do it,
      but clearly occasionally some files end up being committed as executable
      even though they clearly aren't.
      
      This is a reprise of commit 90fda63f ("treewide: fix up files
      incorrectly marked executable"), just with a different set of files (but
      with the same trivial shell scripting).
      
      So apparently we need to re-do this every five years or so, and Joe
      needs to just keep reminding me to do so ;)
      Reported-by: default avatarJoe Perches <joe@perches.com>
      Fixes: 523375c9 ("drm/vmwgfx: Port vmwgfx to arm64")
      Fixes: 5c439937 ("ASoC: codecs: add support for ES8326")
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      262b42e0
    • Jerome Brunet's avatar
      net: mdio-mux-meson-g12a: force internal PHY off on mux switch · 7083df59
      Jerome Brunet authored
      Force the internal PHY off then on when switching to the internal path.
      This fixes problems where the PHY ID is not properly set.
      
      Fixes: 70904251 ("net: phy: add amlogic g12a mdio mux support")
      Suggested-by: default avatarQi Duan <qi.duan@amlogic.com>
      Co-developed-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarJerome Brunet <jbrunet@baylibre.com>
      Link: https://lore.kernel.org/r/20230124101157.232234-1-jbrunet@baylibre.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7083df59
    • Ivan Vecera's avatar
    • Gerhard Engleder's avatar
      tsnep: Fix TX queue stop/wake for multiple queues · 3d53aaef
      Gerhard Engleder authored
      netif_stop_queue() and netif_wake_queue() act on TX queue 0. This is ok
      as long as only a single TX queue is supported. But support for multiple
      TX queues was introduced with 76203137 and I missed to adapt stop
      and wake of TX queues.
      
      Use netif_stop_subqueue() and netif_tx_wake_queue() to act on specific
      TX queue.
      
      Fixes: 76203137 ("tsnep: Support multiple TX/RX queue pairs")
      Signed-off-by: default avatarGerhard Engleder <gerhard@engleder-embedded.com>
      Link: https://lore.kernel.org/r/20230124191440.56887-1-gerhard@engleder-embedded.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3d53aaef
    • David Christensen's avatar
      net/tg3: resolve deadlock in tg3_reset_task() during EEH · 6c4ca03b
      David Christensen authored
      During EEH error injection testing, a deadlock was encountered in the tg3
      driver when tg3_io_error_detected() was attempting to cancel outstanding
      reset tasks:
      
      crash> foreach UN bt
      ...
      PID: 159    TASK: c0000000067c6000  CPU: 8   COMMAND: "eehd"
      ...
       #5 [c00000000681f990] __cancel_work_timer at c00000000019fd18
       #6 [c00000000681fa30] tg3_io_error_detected at c00800000295f098 [tg3]
       #7 [c00000000681faf0] eeh_report_error at c00000000004e25c
      ...
      
      PID: 290    TASK: c000000036e5f800  CPU: 6   COMMAND: "kworker/6:1"
      ...
       #4 [c00000003721fbc0] rtnl_lock at c000000000c940d8
       #5 [c00000003721fbe0] tg3_reset_task at c008000002969358 [tg3]
       #6 [c00000003721fc60] process_one_work at c00000000019e5c4
      ...
      
      PID: 296    TASK: c000000037a65800  CPU: 21  COMMAND: "kworker/21:1"
      ...
       #4 [c000000037247bc0] rtnl_lock at c000000000c940d8
       #5 [c000000037247be0] tg3_reset_task at c008000002969358 [tg3]
       #6 [c000000037247c60] process_one_work at c00000000019e5c4
      ...
      
      PID: 655    TASK: c000000036f49000  CPU: 16  COMMAND: "kworker/16:2"
      ...:1
      
       #4 [c0000000373ebbc0] rtnl_lock at c000000000c940d8
       #5 [c0000000373ebbe0] tg3_reset_task at c008000002969358 [tg3]
       #6 [c0000000373ebc60] process_one_work at c00000000019e5c4
      ...
      
      Code inspection shows that both tg3_io_error_detected() and
      tg3_reset_task() attempt to acquire the RTNL lock at the beginning of
      their code blocks.  If tg3_reset_task() should happen to execute between
      the times when tg3_io_error_deteced() acquires the RTNL lock and
      tg3_reset_task_cancel() is called, a deadlock will occur.
      
      Moving tg3_reset_task_cancel() call earlier within the code block, prior
      to acquiring RTNL, prevents this from happening, but also exposes another
      deadlock issue where tg3_reset_task() may execute AFTER
      tg3_io_error_detected() has executed:
      
      crash> foreach UN bt
      PID: 159    TASK: c0000000067d2000  CPU: 9   COMMAND: "eehd"
      ...
       #4 [c000000006867a60] rtnl_lock at c000000000c940d8
       #5 [c000000006867a80] tg3_io_slot_reset at c0080000026c2ea8 [tg3]
       #6 [c000000006867b00] eeh_report_reset at c00000000004de88
      ...
      PID: 363    TASK: c000000037564000  CPU: 6   COMMAND: "kworker/6:1"
      ...
       #3 [c000000036c1bb70] msleep at c000000000259e6c
       #4 [c000000036c1bba0] napi_disable at c000000000c6b848
       #5 [c000000036c1bbe0] tg3_reset_task at c0080000026d942c [tg3]
       #6 [c000000036c1bc60] process_one_work at c00000000019e5c4
      ...
      
      This issue can be avoided by aborting tg3_reset_task() if EEH error
      recovery is already in progress.
      
      Fixes: db84bf43 ("tg3: tg3_reset_task() needs to use rtnl_lock to synchronize")
      Signed-off-by: default avatarDavid Christensen <drc@linux.vnet.ibm.com>
      Reviewed-by: default avatarPavan Chebbi <pavan.chebbi@broadcom.com>
      Link: https://lore.kernel.org/r/20230124185339.225806-1-drc@linux.vnet.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6c4ca03b
  3. 25 Jan, 2023 18 commits
  4. 24 Jan, 2023 12 commits
    • Linus Torvalds's avatar
      Merge tag 'nfsd-6.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux · fb6e71db
      Linus Torvalds authored
      Pull nfsd fix from Chuck Lever:
      
       - Nail another UAF in NFSD's filecache
      
      * tag 'nfsd-6.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
        nfsd: don't free files unconditionally in __nfsd_file_cache_purge
      fb6e71db
    • Linus Torvalds's avatar
      Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux · 50306df3
      Linus Torvalds authored
      Pull fscrypt MAINTAINERS entry update from Eric Biggers:
       "Update the MAINTAINERS file entry for fscrypt"
      
      * tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux:
        MAINTAINERS: update fscrypt git repo
      50306df3
    • Petr Pavlu's avatar
      module: Don't wait for GOING modules · 0254127a
      Petr Pavlu authored
      During a system boot, it can happen that the kernel receives a burst of
      requests to insert the same module but loading it eventually fails
      during its init call. For instance, udev can make a request to insert
      a frequency module for each individual CPU when another frequency module
      is already loaded which causes the init function of the new module to
      return an error.
      
      Since commit 6e6de3de ("kernel/module.c: Only return -EEXIST for
      modules that have finished loading"), the kernel waits for modules in
      MODULE_STATE_GOING state to finish unloading before making another
      attempt to load the same module.
      
      This creates unnecessary work in the described scenario and delays the
      boot. In the worst case, it can prevent udev from loading drivers for
      other devices and might cause timeouts of services waiting on them and
      subsequently a failed boot.
      
      This patch attempts a different solution for the problem 6e6de3de
      was trying to solve. Rather than waiting for the unloading to complete,
      it returns a different error code (-EBUSY) for modules in the GOING
      state. This should avoid the error situation that was described in
      6e6de3de (user space attempting to load a dependent module because
      the -EEXIST error code would suggest to user space that the first module
      had been loaded successfully), while avoiding the delay situation too.
      
      This has been tested on linux-next since December 2022 and passes
      all kmod selftests except test 0009 with module compression enabled
      but it has been confirmed that this issue has existed and has gone
      unnoticed since prior to this commit and can also be reproduced without
      module compression with a simple usleep(5000000) on tools/modprobe.c [0].
      These failures are caused by hitting the kernel mod_concurrent_max and can
      happen either due to a self inflicted kernel module auto-loead DoS somehow
      or on a system with large CPU count and each CPU count incorrectly triggering
      many module auto-loads. Both of those issues need to be fixed in-kernel.
      
      [0] https://lore.kernel.org/all/Y9A4fiobL6IHp%2F%2FP@bombadil.infradead.org/
      
      Fixes: 6e6de3de ("kernel/module.c: Only return -EEXIST for modules that have finished loading")
      Co-developed-by: default avatarMartin Wilck <mwilck@suse.com>
      Signed-off-by: default avatarMartin Wilck <mwilck@suse.com>
      Signed-off-by: default avatarPetr Pavlu <petr.pavlu@suse.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarPetr Mladek <pmladek@suse.com>
      [mcgrof: enhance commit log with testing and kmod test result interpretation ]
      Signed-off-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      0254127a
    • Linus Torvalds's avatar
      Merge tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fsverity/linux · 5149394c
      Linus Torvalds authored
      Pull fsverity MAINTAINERS entry update from Eric Biggers:
       "Update the MAINTAINERS file entry for fsverity"
      
      * tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fsverity/linux:
        MAINTAINERS: update fsverity git repo, list, and patchwork
      5149394c
    • Linus Torvalds's avatar
      ext4: make xattr char unsignedness in hash explicit · 854f0912
      Linus Torvalds authored
      Commit f3bbac32 ("ext4: deal with legacy signed xattr name hash
      values") added a hashing function for the legacy case of having the
      xattr hash calculated using a signed 'char' type.  It left the unsigned
      case alone, since it's all implicitly handled by the '-funsigned-char'
      compiler option.
      
      However, there's been some noise about back-porting it all into stable
      kernels that lack the '-funsigned-char', so let's just make that at
      least possible by making the whole 'this uses unsigned char' very
      explicit in the code itself.  Whether such a back-port is really
      warranted or not, I'll leave to others, but at least together with this
      change it is technically sensible.
      
      Also, add a 'pr_warn_once()' for reporting the "hey, signedness for this
      hash calculation has changed" issue.  Hopefully it never triggers except
      for that xfstests generic/454 test-case, but even if it does it's just
      good information to have.
      
      If for no other reason than "we can remove the legacy signed hash code
      entirely if nobody ever sees the message any more".
      
      Cc: Sasha Levin <sashal@kernel.org>
      Cc: Eric Biggers <ebiggers@kernel.org>
      Cc: Andreas Dilger <adilger@dilger.ca>
      Cc: Theodore Ts'o <tytso@mit.edu>,
      Cc: Jason Donenfeld <Jason@zx2c4.com>
      Cc: Masahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      854f0912
    • Paolo Abeni's avatar
      Revert "Merge branch 'ethtool-mac-merge'" · d968117a
      Paolo Abeni authored
      This reverts commit 0ad999c1, reversing
      changes made to e38553bd.
      
      It was not intended for net.
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d968117a
    • Christian Brauner's avatar
      fuse: fixes after adapting to new posix acl api · facd6105
      Christian Brauner authored
      This cycle we ported all filesystems to the new posix acl api. While
      looking at further simplifications in this area to remove the last
      remnants of the generic dummy posix acl handlers we realized that we
      regressed fuse daemons that don't set FUSE_POSIX_ACL but still make use
      of posix acls.
      
      With the change to a dedicated posix acl api interacting with posix acls
      doesn't go through the old xattr codepaths anymore and instead only
      relies the get acl and set acl inode operations.
      
      Before this change fuse daemons that don't set FUSE_POSIX_ACL were able
      to get and set posix acl albeit with two caveats. First, that posix acls
      aren't cached. And second, that they aren't used for permission checking
      in the vfs.
      
      We regressed that use-case as we currently refuse to retrieve any posix
      acls if they aren't enabled via FUSE_POSIX_ACL. So older fuse daemons
      would see a change in behavior.
      
      We can restore the old behavior in multiple ways. We could change the
      new posix acl api and look for a dedicated xattr handler and if we find
      one prefer that over the dedicated posix acl api. That would break the
      consistency of the new posix acl api so we would very much prefer not to
      do that.
      
      We could introduce a new ACL_*_CACHE sentinel that would instruct the
      vfs permission checking codepath to not call into the filesystem and
      ignore acls.
      
      But a more straightforward fix for v6.2 is to do the same thing that
      Overlayfs does and give fuse a separate get acl method for permission
      checking. Overlayfs uses this to express different needs for vfs
      permission lookup and acl based retrieval via the regular system call
      path as well. Let fuse do the same for now. This way fuse can continue
      to refuse to retrieve posix acls for daemons that don't set
      FUSE_POSXI_ACL for permission checking while allowing a fuse server to
      retrieve it via the usual system calls.
      
      In the future, we could extend the get acl inode operation to not just
      pass a simple boolean to indicate rcu lookup but instead make it a flag
      argument. Then in addition to passing the information that this is an
      rcu lookup to the filesystem we could also introduce a flag that tells
      the filesystem that this is a request from the vfs to use these acls for
      permission checking. Then fuse could refuse the get acl request for
      permission checking when the daemon doesn't have FUSE_POSIX_ACL set in
      the same get acl method. This would also help Overlayfs and allow us to
      remove the second method for it as well.
      
      But since that change is more invasive as we need to update the get acl
      inode operation for multiple filesystems we should not do this as a fix
      for v6.2. Instead we will do this for the v6.3 merge window.
      
      Fwiw, since posix acls are now always correctly translated in the new
      posix acl api we could also allow them to be used for daemons without
      FUSE_POSIX_ACL that are not mounted on the host. But this is behavioral
      change and again if dones should be done for v6.3. For now, let's just
      restore the original behavior.
      
      A nice side-effect of this change is that for fuse daemons with and
      without FUSE_POSIX_ACL the same code is used for posix acls in a
      backwards compatible way. This also means we can remove the legacy xattr
      handlers completely. We've also added comments to explain the expected
      behavior for daemons without FUSE_POSIX_ACL into the code.
      
      Fixes: 318e6685 ("xattr: use posix acl api")
      Signed-off-by: default avatarSeth Forshee (Digital Ocean) <sforshee@kernel.org>
      Reviewed-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
      facd6105
    • Kuniyuki Iwashima's avatar
      netrom: Fix use-after-free of a listening socket. · 409db27e
      Kuniyuki Iwashima authored
      syzbot reported a use-after-free in do_accept(), precisely nr_accept()
      as sk_prot_alloc() allocated the memory and sock_put() frees it. [0]
      
      The issue could happen if the heartbeat timer is fired and
      nr_heartbeat_expiry() calls nr_destroy_socket(), where a socket
      has SOCK_DESTROY or a listening socket has SOCK_DEAD.
      
      In this case, the first condition cannot be true.  SOCK_DESTROY is
      flagged in nr_release() only when the file descriptor is close()d,
      but accept() is being called for the listening socket, so the second
      condition must be true.
      
      Usually, the AF_NETROM listener neither starts timers nor sets
      SOCK_DEAD.  However, the condition is met if connect() fails before
      listen().  connect() starts the t1 timer and heartbeat timer, and
      t1timer calls nr_disconnect() when timeout happens.  Then, SOCK_DEAD
      is set, and if we call listen(), the heartbeat timer calls
      nr_destroy_socket().
      
        nr_connect
          nr_establish_data_link(sk)
            nr_start_t1timer(sk)
          nr_start_heartbeat(sk)
                                          nr_t1timer_expiry
                                            nr_disconnect(sk, ETIMEDOUT)
                                              nr_sk(sk)->state = NR_STATE_0
                                              sk->sk_state = TCP_CLOSE
                                              sock_set_flag(sk, SOCK_DEAD)
      nr_listen
        if (sk->sk_state != TCP_LISTEN)
          sk->sk_state = TCP_LISTEN
                                          nr_heartbeat_expiry
                                            switch (nr->state)
                                            case NR_STATE_0
                                              if (sk->sk_state == TCP_LISTEN &&
                                                  sock_flag(sk, SOCK_DEAD))
                                                nr_destroy_socket(sk)
      
      This path seems expected, and nr_destroy_socket() is called to clean
      up resources.  Initially, there was sock_hold() before nr_destroy_socket()
      so that the socket would not be freed, but the commit 517a16b1
      ("netrom: Decrease sock refcount when sock timers expire") accidentally
      removed it.
      
      To fix use-after-free, let's add sock_hold().
      
      [0]:
      BUG: KASAN: use-after-free in do_accept+0x483/0x510 net/socket.c:1848
      Read of size 8 at addr ffff88807978d398 by task syz-executor.3/5315
      
      CPU: 0 PID: 5315 Comm: syz-executor.3 Not tainted 6.2.0-rc3-syzkaller-00165-gd9fc1511 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
       print_address_description mm/kasan/report.c:306 [inline]
       print_report+0x15e/0x461 mm/kasan/report.c:417
       kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
       do_accept+0x483/0x510 net/socket.c:1848
       __sys_accept4_file net/socket.c:1897 [inline]
       __sys_accept4+0x9a/0x120 net/socket.c:1927
       __do_sys_accept net/socket.c:1944 [inline]
       __se_sys_accept net/socket.c:1941 [inline]
       __x64_sys_accept+0x75/0xb0 net/socket.c:1941
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7fa436a8c0c9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fa437784168 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
      RAX: ffffffffffffffda RBX: 00007fa436bac050 RCX: 00007fa436a8c0c9
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
      RBP: 00007fa436ae7ae9 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 00007ffebc6700df R14: 00007fa437784300 R15: 0000000000022000
       </TASK>
      
      Allocated by task 5294:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       ____kasan_kmalloc mm/kasan/common.c:371 [inline]
       ____kasan_kmalloc mm/kasan/common.c:330 [inline]
       __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
       kasan_kmalloc include/linux/kasan.h:211 [inline]
       __do_kmalloc_node mm/slab_common.c:968 [inline]
       __kmalloc+0x5a/0xd0 mm/slab_common.c:981
       kmalloc include/linux/slab.h:584 [inline]
       sk_prot_alloc+0x140/0x290 net/core/sock.c:2038
       sk_alloc+0x3a/0x7a0 net/core/sock.c:2091
       nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433
       __sock_create+0x359/0x790 net/socket.c:1515
       sock_create net/socket.c:1566 [inline]
       __sys_socket_create net/socket.c:1603 [inline]
       __sys_socket_create net/socket.c:1588 [inline]
       __sys_socket+0x133/0x250 net/socket.c:1636
       __do_sys_socket net/socket.c:1649 [inline]
       __se_sys_socket net/socket.c:1647 [inline]
       __x64_sys_socket+0x73/0xb0 net/socket.c:1647
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Freed by task 14:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518
       ____kasan_slab_free mm/kasan/common.c:236 [inline]
       ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200
       kasan_slab_free include/linux/kasan.h:177 [inline]
       __cache_free mm/slab.c:3394 [inline]
       __do_kmem_cache_free mm/slab.c:3580 [inline]
       __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587
       sk_prot_free net/core/sock.c:2074 [inline]
       __sk_destruct+0x5df/0x750 net/core/sock.c:2166
       sk_destruct net/core/sock.c:2181 [inline]
       __sk_free+0x175/0x460 net/core/sock.c:2192
       sk_free+0x7c/0xa0 net/core/sock.c:2203
       sock_put include/net/sock.h:1991 [inline]
       nr_heartbeat_expiry+0x1d7/0x460 net/netrom/nr_timer.c:148
       call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1700
       expire_timers+0x2c6/0x5c0 kernel/time/timer.c:1751
       __run_timers kernel/time/timer.c:2022 [inline]
       __run_timers kernel/time/timer.c:1995 [inline]
       run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
       __do_softirq+0x1fb/0xadc kernel/softirq.c:571
      
      Fixes: 517a16b1 ("netrom: Decrease sock refcount when sock timers expire")
      Reported-by: syzbot+5fafd5cfe1fc91f6b352@syzkaller.appspotmail.com
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20230120231927.51711-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      409db27e
    • Sriram Yagnaraman's avatar
      netfilter: conntrack: unify established states for SCTP paths · a44b7651
      Sriram Yagnaraman authored
      An SCTP endpoint can start an association through a path and tear it
      down over another one. That means the initial path will not see the
      shutdown sequence, and the conntrack entry will remain in ESTABLISHED
      state for 5 days.
      
      By merging the HEARTBEAT_ACKED and ESTABLISHED states into one
      ESTABLISHED state, there remains no difference between a primary or
      secondary path. The timeout for the merged ESTABLISHED state is set to
      210 seconds (hb_interval * max_path_retrans + rto_max). So, even if a
      path doesn't see the shutdown sequence, it will expire in a reasonable
      amount of time.
      
      With this change in place, there is now more than one state from which
      we can transition to ESTABLISHED, COOKIE_ECHOED and HEARTBEAT_SENT, so
      handle the setting of ASSURED bit whenever a state change has happened
      and the new state is ESTABLISHED. Removed the check for dir==REPLY since
      the transition to ESTABLISHED can happen only in the reply direction.
      
      Fixes: 9fb9cbb1 ("[NETFILTER]: Add nf_conntrack subsystem.")
      Signed-off-by: default avatarSriram Yagnaraman <sriram.yagnaraman@est.tech>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      a44b7651
    • Sriram Yagnaraman's avatar
      Revert "netfilter: conntrack: add sctp DATA_SENT state" · 13bd9b31
      Sriram Yagnaraman authored
      This reverts commit (bff3d053: "netfilter: conntrack: add sctp
      DATA_SENT state")
      
      Using DATA/SACK to detect a new connection on secondary/alternate paths
      works only on new connections, while a HEARTBEAT is required on
      connection re-use. It is probably consistent to wait for HEARTBEAT to
      create a secondary connection in conntrack.
      Signed-off-by: default avatarSriram Yagnaraman <sriram.yagnaraman@est.tech>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      13bd9b31
    • Sriram Yagnaraman's avatar
      netfilter: conntrack: fix bug in for_each_sctp_chunk · 98ee0077
      Sriram Yagnaraman authored
      skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds
      skb->len, so this offset < skb->len test is redundant.
      
      if sch->length == 0, this will end up in an infinite loop, add a check
      for sch->length > 0
      
      Fixes: 9fb9cbb1 ("[NETFILTER]: Add nf_conntrack subsystem.")
      Suggested-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarSriram Yagnaraman <sriram.yagnaraman@est.tech>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      98ee0077
    • Sriram Yagnaraman's avatar
      netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE · a9993591
      Sriram Yagnaraman authored
      RFC 9260, Sec 8.5.1 states that for ABORT/SHUTDOWN_COMPLETE, the chunk
      MUST be accepted if the vtag of the packet matches its own tag and the
      T bit is not set OR if it is set to its peer's vtag and the T bit is set
      in chunk flags. Otherwise the packet MUST be silently dropped.
      
      Update vtag verification for ABORT/SHUTDOWN_COMPLETE based on the above
      description.
      
      Fixes: 9fb9cbb1 ("[NETFILTER]: Add nf_conntrack subsystem.")
      Signed-off-by: default avatarSriram Yagnaraman <sriram.yagnaraman@est.tech>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      a9993591