1. 28 Aug, 2023 1 commit
    • netrom: Deny concurrent connect(). · c2f8fd79
      Kuniyuki Iwashima authored
      syzkaller reported null-ptr-deref [0] related to AF_NETROM.
      This is another self-accept issue from the strace log. [1]
      
      syz-executor creates an AF_NETROM socket and calls connect(), which
      is blocked at that time.  Then, sk->sk_state is TCP_SYN_SENT and
      sock->state is SS_CONNECTING.
      
        [pid  5059] socket(AF_NETROM, SOCK_SEQPACKET, 0) = 4
        [pid  5059] connect(4, {sa_family=AF_NETROM, sa_data="..." <unfinished ...>
      
      Another thread calls connect() concurrently, which finally fails
      with -EINVAL.  However, the problem here is the socket state is
      reset even while the first connect() is blocked.
      
        [pid  5060] connect(4, NULL, 0 <unfinished ...>
        [pid  5060] <... connect resumed>)      = -1 EINVAL (Invalid argument)
      
      As sk->state is TCP_CLOSE and sock->state is SS_UNCONNECTED, the
      following listen() succeeds.  Then, the first connect() looks up
      itself as a listener and puts skb into the queue with skb->sk itself.
      As a result, the next accept() gets another FD of itself as 3, and
      the first connect() finishes.
      
        [pid  5060] listen(4, 0 <unfinished ...>
        [pid  5060] <... listen resumed>)       = 0
        [pid  5060] accept(4, NULL, NULL <unfinished ...>
        [pid  5060] <... accept resumed>)       = 3
        [pid  5059] <... connect resumed>)      = 0
      
      Then, accept4() is called but blocked, which causes the general protection
      fault later.
      
        [pid  5059] accept4(4, NULL, 0x20000400, SOCK_NONBLOCK <unfinished ...>
      
      After that, another self-accept occurs by accept() and writev().
      
        [pid  5060] accept(4, NULL, NULL <unfinished ...>
        [pid  5061] writev(3, [{iov_base=...}] <unfinished ...>
        [pid  5061] <... writev resumed>)       = 99
        [pid  5060] <... accept resumed>)       = 6
      
      Finally, the leader thread close()s all FDs.  Since the three FDs
      reference the same socket, nr_release() does the cleanup for it
      three times, and the remaining accept4() causes the following fault.
      
        [pid  5058] close(3)                    = 0
        [pid  5058] close(4)                    = 0
        [pid  5058] close(5)                    = -1 EBADF (Bad file descriptor)
        [pid  5058] close(6)                    = 0
        [pid  5058] <... exit_group resumed>)   = ?
        [   83.456055][ T5059] general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
      
      To avoid the issue, we need to return an error for connect() if
      another connect() is in progress, as done in __inet_stream_connect().
      
      [0]:
      general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
      CPU: 0 PID: 5059 Comm: syz-executor.0 Not tainted 6.5.0-rc5-syzkaller-00194-gace0ab3a #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
      RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5012
      Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 11 6e 23 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 69 48 90 0f 84 96 0d 00
      RSP: 0018:ffffc90003d6f9e0 EFLAGS: 00010006
      RAX: ffff8880244c8000 RBX: 1ffff920007adf6c RCX: 0000000000000003
      RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000018
      RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000001
      R10: 0000000000000018 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      FS:  00007f51d519a6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f51d5158d58 CR3: 000000002943f000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       lock_acquire kernel/locking/lockdep.c:5761 [inline]
       lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
       prepare_to_wait+0x47/0x380 kernel/sched/wait.c:269
       nr_accept+0x20d/0x650 net/netrom/af_netrom.c:798
       do_accept+0x3a6/0x570 net/socket.c:1872
       __sys_accept4_file net/socket.c:1913 [inline]
       __sys_accept4+0x99/0x120 net/socket.c:1943
       __do_sys_accept4 net/socket.c:1954 [inline]
       __se_sys_accept4 net/socket.c:1951 [inline]
       __x64_sys_accept4+0x96/0x100 net/socket.c:1951
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7f51d447cae9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f51d519a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000120
      RAX: ffffffffffffffda RBX: 00007f51d459bf80 RCX: 00007f51d447cae9
      RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000004
      RBP: 00007f51d44c847a R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000800 R11: 0000000000000246 R12: 0000000000000000
      R13: 000000000000000b R14: 00007f51d459bf80 R15: 00007ffc25c34e48
       </TASK>
      
      Link: https://syzkaller.appspot.com/text?tag=CrashLog&x=152cdb63a80000 [1]
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: syzbot+666c97e4686410e79649@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=666c97e4686410e79649
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      c2f8fd79
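The race described above comes down to one missing state check, so here is an added user-space model of it. This is illustrative code written for this page, not the kernel's net/netrom/af_netrom.c and not Kuniyuki Iwashima's patch: the SS_*/TCP_* enumerators only mirror the names the message uses, the unfixed connect() reproduces the "state reset before -EINVAL" behaviour the message describes, and returning -EALREADY for a socket that is already SS_CONNECTING is an assumption taken from __inet_stream_connect(), which the message cites as the model for the fix. replay() walks the strace sequence (blocked connect, second connect(fd, NULL, 0), listen) and returns the listen() result, so the self-listener precondition is visible as a return value.

```c
#include <errno.h>

/* Added user-space model, NOT kernel code. Enumerators mirror the
 * socket_state (SS_*) and sk_state (TCP_*) names in the commit message. */
enum sock_state { SS_UNCONNECTED, SS_CONNECTING, SS_CONNECTED };
enum sk_state   { TCP_CLOSE, TCP_SYN_SENT, TCP_ESTABLISHED, TCP_LISTEN };

struct model_sock {
    enum sock_state state;     /* sock->state  */
    enum sk_state   sk_state;  /* sk->sk_state */
};

/* Behaviour the message describes for the unfixed code: a bad address makes
 * connect() fail with -EINVAL, but only after the socket state has already
 * been reset, even though another connect() is still blocked in TCP_SYN_SENT. */
static int connect_unfixed(struct model_sock *s, int addr_valid)
{
    if (s->state == SS_CONNECTED)
        return -EISCONN;
    s->sk_state = TCP_CLOSE;          /* reset happens unconditionally */
    s->state    = SS_UNCONNECTED;
    if (!addr_valid)
        return -EINVAL;
    s->sk_state = TCP_SYN_SENT;       /* the real call would now block */
    s->state    = SS_CONNECTING;
    return 0;
}

/* Fixed variant: refuse to touch a socket whose connect() is in progress.
 * -EALREADY is an assumption modelled on __inet_stream_connect(). */
static int connect_fixed(struct model_sock *s, int addr_valid)
{
    switch (s->state) {
    case SS_CONNECTED:   return -EISCONN;
    case SS_CONNECTING:  return -EALREADY;   /* new check: state is left alone */
    case SS_UNCONNECTED: break;
    }
    s->sk_state = TCP_CLOSE;
    s->state    = SS_UNCONNECTED;
    if (!addr_valid)
        return -EINVAL;
    s->sk_state = TCP_SYN_SENT;
    s->state    = SS_CONNECTING;
    return 0;
}

/* listen() only succeeds on an unconnected, closed socket; the bogus reset
 * is what opened this gate for the blocked socket in the report. */
static int model_listen(struct model_sock *s)
{
    if (s->state != SS_UNCONNECTED || s->sk_state != TCP_CLOSE)
        return -EINVAL;
    s->sk_state = TCP_LISTEN;
    return 0;
}

/* Replay the strace sequence: thread A connect()s and blocks, thread B calls
 * connect(fd, NULL, 0) and then listen(). Returns the listen() result (0 means
 * the blocked socket became its own listener); the second connect()'s return
 * value is written to *second_connect_rc. */
static int replay(int (*do_connect)(struct model_sock *, int), int *second_connect_rc)
{
    struct model_sock s = { SS_UNCONNECTED, TCP_CLOSE };
    do_connect(&s, 1);                        /* pid 5059: blocks in TCP_SYN_SENT */
    *second_connect_rc = do_connect(&s, 0);   /* pid 5060: connect(4, NULL, 0)    */
    return model_listen(&s);                  /* pid 5060: listen(4, 0)           */
}
```

With the unfixed connect() the replay returns 0 from listen() (the state the message calls the precondition for self-accept); with the fixed one the second connect() returns -EALREADY, the state stays SS_CONNECTING/TCP_SYN_SENT, and listen() is rejected with -EINVAL.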
  2. 26 Aug, 2023 12 commits
  3. 25 Aug, 2023 9 commits
  4. 24 Aug, 2023 7 commits
    • Merge tag 'net-6.5-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · b5cc3833
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from wifi, can and netfilter.
      
        Fixes to fixes:
      
         - nf_tables:
             - GC transaction race with abort path
             - defer gc run if previous batch is still pending
      
        Previous releases - regressions:
      
         - ipv4: fix data-races around inet->inet_id
      
         - phy: fix deadlocking in phy_error() invocation
      
         - mdio: fix C45 read/write protocol
      
         - ipvlan: fix a reference count leak warning in ipvlan_ns_exit()
      
         - ice: fix NULL pointer deref during VF reset
      
         - i40e: fix potential NULL pointer dereferencing of pf->vf in
           i40e_sync_vsi_filters()
      
         - tg3: use slab_build_skb() when needed
      
         - mtk_eth_soc: fix NULL pointer on hw reset
      
        Previous releases - always broken:
      
         - core: validate veth and vxcan peer ifindexes
      
         - sched: fix a qdisc modification with ambiguous command request
      
         - devlink: add missing unregister linecard notification
      
         - wifi: mac80211: limit reorder_buf_filtered to avoid UBSAN warning
      
         - batman:
            - do not get eth header before batadv_check_management_packet
            - fix batadv_v_ogm_aggr_send memory leak
      
         - bonding: fix macvlan over alb bond support
      
         - mlxsw: set time stamp fields also when its type is MIRROR_UTC"
      
      * tag 'net-6.5-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (54 commits)
        selftests: bonding: add macvlan over bond testing
        selftest: bond: add new topo bond_topo_2d1c.sh
        bonding: fix macvlan over alb bond support
        rtnetlink: Reject negative ifindexes in RTM_NEWLINK
        netfilter: nf_tables: defer gc run if previous batch is still pending
        netfilter: nf_tables: fix out of memory error handling
        netfilter: nf_tables: use correct lock to protect gc_list
        netfilter: nf_tables: GC transaction race with abort path
        netfilter: nf_tables: flush pending destroy work before netlink notifier
        netfilter: nf_tables: validate all pending tables
        ibmveth: Use dcbf rather than dcbfl
        i40e: fix potential NULL pointer dereferencing of pf->vf i40e_sync_vsi_filters()
        net/sched: fix a qdisc modification with ambiguous command request
        igc: Fix the typo in the PTM Control macro
        batman-adv: Hold rtnl lock during MTU update via netlink
        igb: Avoid starting unnecessary workqueues
        can: raw: add missing refcount for memory leak fix
        can: isotp: fix support for transmission of SF without flow control
        bnx2x: new flag for track HW resource allocation
        sfc: allocate a big enough SKB for loopback selftest packet
        ...
      b5cc3833
    • Merge tag 'nf-23-08-23' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 8938fc0c
      Paolo Abeni authored
      Florian Westphal says:
      
      ====================
      netfilter updates for net
      
      This PR contains nf_tables updates for your *net* tree.
      
      First patch fixes table validation, I broke this in 6.4 when tracking
      validation state per table, reported by Pablo, fixup from myself.
      
      Second patch makes sure objects waiting for memory release have been
      released, this was broken in 6.1, patch from Pablo Neira Ayuso.
      
      Patch three is a fix-for-fix from previous PR: In case a transaction
      gets aborted, gc sequence counter needs to be incremented so pending
      gc requests are invalidated, from Pablo.
      
      Same for patch 4: gc list needs to use gc list lock, not destroy lock,
      also from Pablo.
      
      Patch 5 fixes a UaF in a set backend, but this should only occur when
      failslab is enabled for GFP_KERNEL allocations, broken since feature
      was added in 5.6, from myself.
      
      Patch 6 fixes a double-free bug that was also added via previous PR:
      We must not schedule gc work if the previous batch is still queued.
      
      netfilter pull request 2023-08-23
      
      * tag 'nf-23-08-23' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: defer gc run if previous batch is still pending
        netfilter: nf_tables: fix out of memory error handling
        netfilter: nf_tables: use correct lock to protect gc_list
        netfilter: nf_tables: GC transaction race with abort path
        netfilter: nf_tables: flush pending destroy work before netlink notifier
        netfilter: nf_tables: validate all pending tables
      ====================
      
      Link: https://lore.kernel.org/r/20230823152711.15279-1-fw@strlen.de
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      8938fc0c
    • Merge branch 'fix-macvlan-over-alb-bond-support' · b251610c
      Paolo Abeni authored
      Hangbin Liu says:
      
      ====================
      fix macvlan over alb bond support
      
      Currently, the macvlan over alb bond is broken after commit
      14af9963 ("bonding: Support macvlans on top of tlb/rlb mode bonds").
      Fix this and add related tests.
      ====================
      
      Link: https://lore.kernel.org/r/20230823071907.3027782-1-liuhangbin@gmail.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      b251610c
    • selftests: bonding: add macvlan over bond testing · 246af950
      Hangbin Liu authored
      Add a macvlan over bonding test with mode active-backup, balance-tlb
      and balance-alb.
      
      ]# ./bond_macvlan.sh
      TEST: active-backup: IPv4: client->server                           [ OK ]
      TEST: active-backup: IPv6: client->server                           [ OK ]
      TEST: active-backup: IPv4: client->macvlan_1                        [ OK ]
      TEST: active-backup: IPv6: client->macvlan_1                        [ OK ]
      TEST: active-backup: IPv4: client->macvlan_2                        [ OK ]
      TEST: active-backup: IPv6: client->macvlan_2                        [ OK ]
      TEST: active-backup: IPv4: macvlan_1->macvlan_2                     [ OK ]
      TEST: active-backup: IPv6: macvlan_1->macvlan_2                     [ OK ]
      TEST: active-backup: IPv4: server->client                           [ OK ]
      TEST: active-backup: IPv6: server->client                           [ OK ]
      TEST: active-backup: IPv4: macvlan_1->client                        [ OK ]
      TEST: active-backup: IPv6: macvlan_1->client                        [ OK ]
      TEST: active-backup: IPv4: macvlan_2->client                        [ OK ]
      TEST: active-backup: IPv6: macvlan_2->client                        [ OK ]
      TEST: active-backup: IPv4: macvlan_2->macvlan_2                     [ OK ]
      TEST: active-backup: IPv6: macvlan_2->macvlan_2                     [ OK ]
      [...]
      TEST: balance-alb: IPv4: client->server                             [ OK ]
      TEST: balance-alb: IPv6: client->server                             [ OK ]
      TEST: balance-alb: IPv4: client->macvlan_1                          [ OK ]
      TEST: balance-alb: IPv6: client->macvlan_1                          [ OK ]
      TEST: balance-alb: IPv4: client->macvlan_2                          [ OK ]
      TEST: balance-alb: IPv6: client->macvlan_2                          [ OK ]
      TEST: balance-alb: IPv4: macvlan_1->macvlan_2                       [ OK ]
      TEST: balance-alb: IPv6: macvlan_1->macvlan_2                       [ OK ]
      TEST: balance-alb: IPv4: server->client                             [ OK ]
      TEST: balance-alb: IPv6: server->client                             [ OK ]
      TEST: balance-alb: IPv4: macvlan_1->client                          [ OK ]
      TEST: balance-alb: IPv6: macvlan_1->client                          [ OK ]
      TEST: balance-alb: IPv4: macvlan_2->client                          [ OK ]
      TEST: balance-alb: IPv6: macvlan_2->client                          [ OK ]
      TEST: balance-alb: IPv4: macvlan_2->macvlan_2                       [ OK ]
      TEST: balance-alb: IPv6: macvlan_2->macvlan_2                       [ OK ]
      Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
      Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      246af950
    • selftest: bond: add new topo bond_topo_2d1c.sh · 27aa43f8
      Hangbin Liu authored
      Add a new testing topo bond_topo_2d1c.sh which is used more commonly.
      Make bond_topo_3d1c.sh just source bond_topo_2d1c.sh and add the
      extra link.
      Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
      Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      27aa43f8
    • bonding: fix macvlan over alb bond support · e74216b8
      Hangbin Liu authored
      The commit 14af9963 ("bonding: Support macvlans on top of tlb/rlb mode
      bonds") aims to enable the use of macvlans on top of rlb bond mode. However,
      the current rlb bond mode only handles ARP packets to update remote neighbor
      entries. This causes an issue when a macvlan is on top of the bond, and
      remote devices send packets to the macvlan using the bond's MAC address
      as the destination. After delivering the packets to the macvlan, the macvlan
      will reject them as the MAC address is incorrect. Consequently, this commit
      makes macvlan over bond non-functional.
      
      To address this problem, one potential solution is to check for the presence
      of a macvlan port on the bond device using netif_is_macvlan_port(bond->dev)
      and return NULL in the rlb_arp_xmit() function. However, this approach
      doesn't fully resolve the situation when a VLAN exists between the bond and
      macvlan.
      
      So let's just do a partial revert for commit 14af9963 in rlb_arp_xmit().
      As the comment says: Don't modify or load balance ARPs that do not originate
      locally.
      
      Fixes: 14af9963 ("bonding: Support macvlans on top of tlb/rlb mode bonds")
      Reported-by: susan.zheng@veritas.com
      Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2117816
      Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
      Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      e74216b8
    • rtnetlink: Reject negative ifindexes in RTM_NEWLINK · 30188bd7
      Ido Schimmel authored
      Negative ifindexes are illegal, but the kernel does not validate the
      ifindex in the ancillary header of RTM_NEWLINK messages, resulting in
      the kernel generating a warning [1] when such an ifindex is specified.
      
      Fix by rejecting negative ifindexes.
      
      [1]
      WARNING: CPU: 0 PID: 5031 at net/core/dev.c:9593 dev_index_reserve+0x1a2/0x1c0 net/core/dev.c:9593
      [...]
      Call Trace:
       <TASK>
       register_netdevice+0x69a/0x1490 net/core/dev.c:10081
       br_dev_newlink+0x27/0x110 net/bridge/br_netlink.c:1552
       rtnl_newlink_create net/core/rtnetlink.c:3471 [inline]
       __rtnl_newlink+0x115e/0x18c0 net/core/rtnetlink.c:3688
       rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3701
       rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6427
       netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
       netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
       netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
       netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
       sock_sendmsg_nosec net/socket.c:728 [inline]
       sock_sendmsg+0xd9/0x180 net/socket.c:751
       ____sys_sendmsg+0x6ac/0x940 net/socket.c:2538
       ___sys_sendmsg+0x135/0x1d0 net/socket.c:2592
       __sys_sendmsg+0x117/0x1e0 net/socket.c:2621
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: 38f7b870 ("[RTNETLINK]: Link creation API")
      Reported-by: syzbot+5ba06978f34abb058571@syzkaller.appspotmail.com
      Signed-off-by: Ido Schimmel <idosch@nvidia.com>
      Reviewed-by: Jiri Pirko <jiri@nvidia.com>
      Reviewed-by: Jakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20230823064348.2252280-1-idosch@nvidia.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      30188bd7
  5. 23 Aug, 2023 11 commits