1. 19 Oct, 2022 8 commits
    • David S. Miller's avatar
      Merge branch 'qdisc-null-deref' · e38cf366
      David S. Miller authored
      Zhengchao Shao says:
      
      ====================
      net: fix null pointer access issue in qdisc
      
      These three patches fix the same type of problem. Set the default qdisc,
      and then construct an init failure scenario when the dev qdisc is
      configured on mqprio to trigger the reset process. NULL pointer access
      may occur during the reset process.
      
      ---
      v2: for fq_codel, revert the patch
      ---
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e38cf366
    • Zhengchao Shao's avatar
      net: sched: sfb: fix null pointer access issue when sfb_init() fails · 2a3fc782
      Zhengchao Shao authored
      When the default qdisc is sfb, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), sfb_reset() is invoked to clear resources.
      In this case, the q->qdisc is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	sfb_init()
      		tcf_block_get()          --->failed, q->qdisc is NULL
      	...
      	qdisc_put()
      		...
      		sfb_reset()
      			qdisc_reset(q->qdisc)    --->q->qdisc is NULL
      				ops = qdisc->ops
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
      RIP: 0010:qdisc_reset+0x2b/0x6f0
      Call Trace:
      <TASK>
      sfb_reset+0x37/0xd0
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7f2164122d04
      </TASK>
      
      Fixes: e13e02a3 ("net_sched: SFB flow scheduler")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a3fc782
    • Zhengchao Shao's avatar
      Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()" · f5ffa3b1
      Zhengchao Shao authored
      This reverts commit 494f5063.
      
      When the default qdisc is fq_codel, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), fq_codel_reset() is invoked to clear
      resources. In this case, the flow is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	fq_codel_init()
      		...
      		q->flows_cnt = 1024;
      		...
      		q->flows = kvcalloc(...)      --->failed, q->flows is NULL
      	...
      	qdisc_put()
      		...
      		fq_codel_reset()
      			...
      			flow = q->flows + i   --->q->flows is NULL
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      RIP: 0010:fq_codel_reset+0x14d/0x350
      Call Trace:
      <TASK>
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7fd272b22d04
      </TASK>
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5ffa3b1
    • Zhengchao Shao's avatar
      net: sched: cake: fix null pointer access issue when cake_init() fails · 51f9a892
      Zhengchao Shao authored
      When the default qdisc is cake, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), cake_reset() is invoked to clear
      resources. In this case, the tins is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	cake_init()
      		q->tins = kvcalloc(...)        --->failed, q->tins is NULL
      	...
      	qdisc_put()
      		...
      		cake_reset()
      			...
      			cake_dequeue_one()
      				b = &q->tins[...]   --->q->tins is NULL
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      RIP: 0010:cake_dequeue_one+0xc9/0x3c0
      Call Trace:
      <TASK>
      cake_reset+0xb1/0x140
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7f89e5122d04
      </TASK>
      
      Fixes: 046f6fd5 ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51f9a892
    • Manank Patel's avatar
      ethernet: marvell: octeontx2 Fix resource not freed after malloc · 7b55c2ed
      Manank Patel authored
      fix rxsc and txsc not getting freed before going out of scope
      
      Fixes: c54ffc73 ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading")
      Signed-off-by: default avatarManank Patel <pmanank200502@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7b55c2ed
    • Brett Creeley's avatar
      ionic: catch NULL pointer issue on reconfig · aa1d7e12
      Brett Creeley authored
      It's possible that the driver will dereference a qcq that doesn't exist
      when calling ionic_reconfigure_queues(), which causes a page fault BUG.
      
      If a reduction in the number of queues is followed by a different
      reconfig such as changing the ring size, the driver can hit a NULL
      pointer when trying to clean up non-existent queues.
      
      Fix this by checking to make sure both the qcqs array and qcq entry
      exists bofore trying to use and free the entry.
      
      Fixes: 101b40a0 ("ionic: change queue count with no reset")
      Signed-off-by: default avatarBrett Creeley <brett@pensando.io>
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Link: https://lore.kernel.org/r/20221017233123.15869-1-snelson@pensando.ioSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aa1d7e12
    • Eric Dumazet's avatar
      net: hsr: avoid possible NULL deref in skb_clone() · d8b57135
      Eric Dumazet authored
      syzbot got a crash [1] in skb_clone(), caused by a bug
      in hsr_get_untagged_frame().
      
      When/if create_stripped_skb_hsr() returns NULL, we must
      not attempt to call skb_clone().
      
      While we are at it, replace a WARN_ONCE() by netdev_warn_once().
      
      [1]
      general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
      CPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074f #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
      RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641
      Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00
      RSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207
      
      RAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000
      RDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140
      R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640
      R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620
      FS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164
      hsr_forward_do net/hsr/hsr_forward.c:461 [inline]
      hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623
      hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69
      __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379
      __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483
      __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599
      netif_receive_skb_internal net/core/dev.c:5685 [inline]
      netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744
      tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544
      tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995
      tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:584
      ksys_write+0x127/0x250 fs/read_write.c:637
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: f266a683 ("net/hsr: Better frame dispatch")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221017165928.2150130-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d8b57135
    • Vikas Gupta's avatar
      bnxt_en: fix memory leak in bnxt_nvm_test() · ba077d68
      Vikas Gupta authored
      Free the kzalloc'ed buffer before returning in the success path.
      
      Fixes: 5b6ff128 ("bnxt_en: implement callbacks for devlink selftests")
      Signed-off-by: default avatarVikas Gupta <vikas.gupta@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Link: https://lore.kernel.org/r/1666020742-25834-1-git-send-email-michael.chan@broadcom.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ba077d68
  2. 18 Oct, 2022 2 commits
    • Zhengchao Shao's avatar
      ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed · 1ca69520
      Zhengchao Shao authored
      If the initialization fails in calling addrconf_init_net(), devconf_all is
      the pointer that has been released. Then ip6mr_sk_done() is called to
      release the net, accessing devconf->mc_forwarding directly causes invalid
      pointer access.
      
      The process is as follows:
      setup_net()
      	ops_init()
      		addrconf_init_net()
      		all = kmemdup(...)           ---> alloc "all"
      		...
      		net->ipv6.devconf_all = all;
      		__addrconf_sysctl_register() ---> failed
      		...
      		kfree(all);                  ---> ipv6.devconf_all invalid
      		...
      	ops_exit_list()
      		...
      		ip6mr_sk_done()
      			devconf = net->ipv6.devconf_all;
      			//devconf is invalid pointer
      			if (!devconf || !atomic_read(&devconf->mc_forwarding))
      
      The following is the Call Trace information:
      BUG: KASAN: use-after-free in ip6mr_sk_done+0x112/0x3a0
      Read of size 4 at addr ffff888075508e88 by task ip/14554
      Call Trace:
      <TASK>
      dump_stack_lvl+0x8e/0xd1
      print_report+0x155/0x454
      kasan_report+0xba/0x1f0
      kasan_check_range+0x35/0x1b0
      ip6mr_sk_done+0x112/0x3a0
      rawv6_close+0x48/0x70
      inet_release+0x109/0x230
      inet6_release+0x4c/0x70
      sock_release+0x87/0x1b0
      igmp6_net_exit+0x6b/0x170
      ops_exit_list+0xb0/0x170
      setup_net+0x7ac/0xbd0
      copy_net_ns+0x2e6/0x6b0
      create_new_namespaces+0x382/0xa50
      unshare_nsproxy_namespaces+0xa6/0x1c0
      ksys_unshare+0x3a4/0x7e0
      __x64_sys_unshare+0x2d/0x40
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7f7963322547
      
      </TASK>
      Allocated by task 14554:
      kasan_save_stack+0x1e/0x40
      kasan_set_track+0x21/0x30
      __kasan_kmalloc+0xa1/0xb0
      __kmalloc_node_track_caller+0x4a/0xb0
      kmemdup+0x28/0x60
      addrconf_init_net+0x1be/0x840
      ops_init+0xa5/0x410
      setup_net+0x5aa/0xbd0
      copy_net_ns+0x2e6/0x6b0
      create_new_namespaces+0x382/0xa50
      unshare_nsproxy_namespaces+0xa6/0x1c0
      ksys_unshare+0x3a4/0x7e0
      __x64_sys_unshare+0x2d/0x40
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      Freed by task 14554:
      kasan_save_stack+0x1e/0x40
      kasan_set_track+0x21/0x30
      kasan_save_free_info+0x2a/0x40
      ____kasan_slab_free+0x155/0x1b0
      slab_free_freelist_hook+0x11b/0x220
      __kmem_cache_free+0xa4/0x360
      addrconf_init_net+0x623/0x840
      ops_init+0xa5/0x410
      setup_net+0x5aa/0xbd0
      copy_net_ns+0x2e6/0x6b0
      create_new_namespaces+0x382/0xa50
      unshare_nsproxy_namespaces+0xa6/0x1c0
      ksys_unshare+0x3a4/0x7e0
      __x64_sys_unshare+0x2d/0x40
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      Fixes: 7d9b1b57 ("ip6mr: fix use-after-free in ip6mr_sk_done()")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221017080331.16878-1-shaozhengchao@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      1ca69520
    • Kuniyuki Iwashima's avatar
      udp: Update reuse->has_conns under reuseport_lock. · 69421bf9
      Kuniyuki Iwashima authored
      When we call connect() for a UDP socket in a reuseport group, we have
      to update sk->sk_reuseport_cb->has_conns to 1.  Otherwise, the kernel
      could select a unconnected socket wrongly for packets sent to the
      connected socket.
      
      However, the current way to set has_conns is illegal and possible to
      trigger that problem.  reuseport_has_conns() changes has_conns under
      rcu_read_lock(), which upgrades the RCU reader to the updater.  Then,
      it must do the update under the updater's lock, reuseport_lock, but
      it doesn't for now.
      
      For this reason, there is a race below where we fail to set has_conns
      resulting in the wrong socket selection.  To avoid the race, let's split
      the reader and updater with proper locking.
      
       cpu1                               cpu2
      +----+                             +----+
      
      __ip[46]_datagram_connect()        reuseport_grow()
      .                                  .
      |- reuseport_has_conns(sk, true)   |- more_reuse = __reuseport_alloc(more_socks_size)
      |  .                               |
      |  |- rcu_read_lock()
      |  |- reuse = rcu_dereference(sk->sk_reuseport_cb)
      |  |
      |  |                               |  /* reuse->has_conns == 0 here */
      |  |                               |- more_reuse->has_conns = reuse->has_conns
      |  |- reuse->has_conns = 1         |  /* more_reuse->has_conns SHOULD BE 1 HERE */
      |  |                               |
      |  |                               |- rcu_assign_pointer(reuse->socks[i]->sk_reuseport_cb,
      |  |                               |                     more_reuse)
      |  `- rcu_read_unlock()            `- kfree_rcu(reuse, rcu)
      |
      |- sk->sk_state = TCP_ESTABLISHED
      
      Note the likely(reuse) in reuseport_has_conns_set() is always true,
      but we put the test there for ease of review.  [0]
      
      For the record, usually, sk_reuseport_cb is changed under lock_sock().
      The only exception is reuseport_grow() & TCP reqsk migration case.
      
        1) shutdown() TCP listener, which is moved into the latter part of
           reuse->socks[] to migrate reqsk.
      
        2) New listen() overflows reuse->socks[] and call reuseport_grow().
      
        3) reuse->max_socks overflows u16 with the new listener.
      
        4) reuseport_grow() pops the old shutdown()ed listener from the array
           and update its sk->sk_reuseport_cb as NULL without lock_sock().
      
      shutdown()ed TCP sk->sk_reuseport_cb can be changed without lock_sock(),
      but, reuseport_has_conns_set() is called only for UDP under lock_sock(),
      so likely(reuse) never be false in reuseport_has_conns_set().
      
      [0]: https://lore.kernel.org/netdev/CANn89iLja=eQHbsM_Ta2sQF0tOGU8vAGrh_izRuuHjuO1ouUag@mail.gmail.com/
      
      Fixes: acdcecc6 ("udp: correct reuseport selection with connected sockets")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20221014182625.89913-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      69421bf9
  3. 17 Oct, 2022 5 commits
  4. 16 Oct, 2022 1 commit
    • Eric Dumazet's avatar
      skmsg: pass gfp argument to alloc_sk_msg() · 2d1f274b
      Eric Dumazet authored
      syzbot found that alloc_sk_msg() could be called from a
      non sleepable context. sk_psock_verdict_recv() uses
      rcu_read_lock() protection.
      
      We need the callers to pass a gfp_t argument to avoid issues.
      
      syzbot report was:
      
      BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274
      in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 3613, name: syz-executor414
      preempt_count: 0, expected: 0
      RCU nest depth: 1, expected: 0
      INFO: lockdep is turned off.
      CPU: 0 PID: 3613 Comm: syz-executor414 Not tainted 6.0.0-syzkaller-09589-g55be6084 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
      __might_resched+0x538/0x6a0 kernel/sched/core.c:9877
      might_alloc include/linux/sched/mm.h:274 [inline]
      slab_pre_alloc_hook mm/slab.h:700 [inline]
      slab_alloc_node mm/slub.c:3162 [inline]
      slab_alloc mm/slub.c:3256 [inline]
      kmem_cache_alloc_trace+0x59/0x310 mm/slub.c:3287
      kmalloc include/linux/slab.h:600 [inline]
      kzalloc include/linux/slab.h:733 [inline]
      alloc_sk_msg net/core/skmsg.c:507 [inline]
      sk_psock_skb_ingress_self+0x5c/0x330 net/core/skmsg.c:600
      sk_psock_verdict_apply+0x395/0x440 net/core/skmsg.c:1014
      sk_psock_verdict_recv+0x34d/0x560 net/core/skmsg.c:1201
      tcp_read_skb+0x4a1/0x790 net/ipv4/tcp.c:1770
      tcp_rcv_established+0x129d/0x1a10 net/ipv4/tcp_input.c:5971
      tcp_v4_do_rcv+0x479/0xac0 net/ipv4/tcp_ipv4.c:1681
      sk_backlog_rcv include/net/sock.h:1109 [inline]
      __release_sock+0x1d8/0x4c0 net/core/sock.c:2906
      release_sock+0x5d/0x1c0 net/core/sock.c:3462
      tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1483
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg net/socket.c:734 [inline]
      __sys_sendto+0x46d/0x5f0 net/socket.c:2117
      __do_sys_sendto net/socket.c:2129 [inline]
      __se_sys_sendto net/socket.c:2125 [inline]
      __x64_sys_sendto+0xda/0xf0 net/socket.c:2125
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: 43312915 ("skmsg: Get rid of unncessary memset()")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Cong Wang <cong.wang@bytedance.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d1f274b
  5. 15 Oct, 2022 11 commits
  6. 14 Oct, 2022 9 commits
    • Krzysztof Kozlowski's avatar
      MAINTAINERS: nfc: s3fwrn5: Drop Krzysztof Opasiak · 0c934117
      Krzysztof Kozlowski authored
      Emails to Krzysztof Opasiak bounce ("Recipient address rejected: User
      unknown") so drop his email from maintainers of s3fwrn5 NFC bindings and
      driver.
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c934117
    • Palmer Dabbelt's avatar
      MAINTAINERS: git://github -> https://github.com for petkan · 9a9a5d80
      Palmer Dabbelt authored
      Github deprecated the git:// links about a year ago, so let's move to
      the https:// URLs instead.
      Reported-by: default avatarConor Dooley <conor.dooley@microchip.com>
      Link: https://github.blog/2021-09-01-improving-git-protocol-security-github/Signed-off-by: default avatarPalmer Dabbelt <palmer@rivosinc.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9a9a5d80
    • zhangxiangqian's avatar
      net: macvlan: change schedule system_wq to system_unbound_wq · 3d6642ea
      zhangxiangqian authored
      For FT2000+/64 devices,
      when four virtual machines share the same physical network interface,
      DROP will occur due to the single core CPU performance problem.
      
      ip_check_defrag and macvlan_process_broadcast is on the same CPU.
      When the MACVLAN PORT increases, the CPU usage reaches more than 90%.
      bc_queue > bc_queue_len_used (default 1000), causing DROP.
      Signed-off-by: default avatarzhangxiangqian <zhangxiangqian@kylinos.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d6642ea
    • Jakub Kicinski's avatar
      tls: strp: make sure the TCP skbs do not have overlapping data · 0d87bbd3
      Jakub Kicinski authored
      TLS tries to get away with using the TCP input queue directly.
      This does not work if there is duplicated data (multiple skbs
      holding bytes for the same seq number range due to retransmits).
      Check for this condition and fall back to copy mode, it should
      be rare.
      
      Fixes: 84c61fe1 ("tls: rx: do not use the standard strparser")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d87bbd3
    • Jan Sokolowski's avatar
      i40e: Fix DMA mappings leak · aae425ef
      Jan Sokolowski authored
      During reallocation of RX buffers, new DMA mappings are created for
      those buffers.
      
      steps for reproduction:
      while :
      do
      for ((i=0; i<=8160; i=i+32))
      do
      ethtool -G enp130s0f0 rx $i tx $i
      sleep 0.5
      ethtool -g enp130s0f0
      done
      done
      
      This resulted in crash:
      i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536
      Driver BUG
      WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50
      Call Trace:
      i40e_free_rx_resources+0x70/0x80 [i40e]
      i40e_set_ringparam+0x27c/0x800 [i40e]
      ethnl_set_rings+0x1b2/0x290
      genl_family_rcv_msg_doit.isra.15+0x10f/0x150
      genl_family_rcv_msg+0xb3/0x160
      ? rings_fill_reply+0x1a0/0x1a0
      genl_rcv_msg+0x47/0x90
      ? genl_family_rcv_msg+0x160/0x160
      netlink_rcv_skb+0x4c/0x120
      genl_rcv+0x24/0x40
      netlink_unicast+0x196/0x230
      netlink_sendmsg+0x204/0x3d0
      sock_sendmsg+0x4c/0x50
      __sys_sendto+0xee/0x160
      ? handle_mm_fault+0xbe/0x1e0
      ? syscall_trace_enter+0x1d3/0x2c0
      __x64_sys_sendto+0x24/0x30
      do_syscall_64+0x5b/0x1a0
      entry_SYSCALL_64_after_hwframe+0x65/0xca
      RIP: 0033:0x7f5eac8b035b
      Missing register, driver bug
      WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140
      Call Trace:
      xdp_rxq_info_unreg+0x1e/0x50
      i40e_free_rx_resources+0x70/0x80 [i40e]
      i40e_set_ringparam+0x27c/0x800 [i40e]
      ethnl_set_rings+0x1b2/0x290
      genl_family_rcv_msg_doit.isra.15+0x10f/0x150
      genl_family_rcv_msg+0xb3/0x160
      ? rings_fill_reply+0x1a0/0x1a0
      genl_rcv_msg+0x47/0x90
      ? genl_family_rcv_msg+0x160/0x160
      netlink_rcv_skb+0x4c/0x120
      genl_rcv+0x24/0x40
      netlink_unicast+0x196/0x230
      netlink_sendmsg+0x204/0x3d0
      sock_sendmsg+0x4c/0x50
      __sys_sendto+0xee/0x160
      ? handle_mm_fault+0xbe/0x1e0
      ? syscall_trace_enter+0x1d3/0x2c0
      __x64_sys_sendto+0x24/0x30
      do_syscall_64+0x5b/0x1a0
      entry_SYSCALL_64_after_hwframe+0x65/0xca
      RIP: 0033:0x7f5eac8b035b
      
      This was caused because of new buffers with different RX ring count should
      substitute older ones, but those buffers were freed in
      i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi,
      thus kfree on rx_bi caused leak of already mapped DMA.
      
      Fix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally
      reallocate back to rx_bi when BPF program unloads.
      
      If BPF program is loaded/unloaded and XSK pools are created, reallocate
      RX queues accordingly in XSP_SETUP_XSK_POOL handler.
      
      Fixes: be1222b5 ("i40e: Separate kernel allocated rx_bi rings from AF_XDP rings")
      Signed-off-by: default avatarJan Sokolowski <jan.sokolowski@intel.com>
      Signed-off-by: default avatarMateusz Palczewski <mateusz.palczewski@intel.com>
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Tested-by: Chandan <chandanx.rout@intel.com> (A Contingent Worker at Intel)
      Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aae425ef
    • Christian Marangi's avatar
      net: dsa: qca8k: fix ethtool autocast mib for big-endian systems · 0d4636f7
      Christian Marangi authored
      The switch sends autocast mib in little-endian. This is problematic for
      big-endian system as the values needs to be converted.
      
      Fix this by converting each mib value to cpu byte order.
      
      Fixes: 5c957c7c ("net: dsa: qca8k: add support for mib autocast in Ethernet packet")
      Tested-by: default avatarPawel Dembicki <paweldembicki@gmail.com>
      Tested-by: default avatarLech Perczak <lech.perczak@gmail.com>
      Signed-off-by: default avatarChristian Marangi <ansuelsmth@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d4636f7
    • Christian Marangi's avatar
      net: dsa: qca8k: fix inband mgmt for big-endian systems · a2550d3c
      Christian Marangi authored
      The header and the data of the skb for the inband mgmt requires
      to be in little-endian. This is problematic for big-endian system
      as the mgmt header is written in the cpu byte order.
      
      Fix this by converting each value for the mgmt header and data to
      little-endian, and convert to cpu byte order the mgmt header and
      data sent by the switch.
      
      Fixes: 5950c7c0 ("net: dsa: qca8k: add support for mgmt read/write in Ethernet packet")
      Tested-by: default avatarPawel Dembicki <paweldembicki@gmail.com>
      Tested-by: default avatarLech Perczak <lech.perczak@gmail.com>
      Signed-off-by: default avatarChristian Marangi <ansuelsmth@gmail.com>
      Reviewed-by: default avatarLech Perczak <lech.perczak@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a2550d3c
    • Alexander Potapenko's avatar
      tipc: fix an information leak in tipc_topsrv_kern_subscr · 777ecaab
      Alexander Potapenko authored
      Use a 8-byte write to initialize sub.usr_handle in
      tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized
      when issuing setsockopt(..., SOL_TIPC, ...).
      This resulted in an infoleak reported by KMSAN when the packet was
      received:
      
        =====================================================
        BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169
         instrument_copy_to_user ./include/linux/instrumented.h:121
         copyout+0xbc/0x100 lib/iov_iter.c:169
         _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527
         copy_to_iter ./include/linux/uio.h:176
         simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513
         __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
         skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527
         skb_copy_datagram_msg ./include/linux/skbuff.h:3903
         packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469
         ____sys_recvmsg+0x2c4/0x810 net/socket.c:?
         ___sys_recvmsg+0x217/0x840 net/socket.c:2743
         __sys_recvmsg net/socket.c:2773
         __do_sys_recvmsg net/socket.c:2783
         __se_sys_recvmsg net/socket.c:2780
         __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780
         do_syscall_x64 arch/x86/entry/common.c:50
         do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
      
        ...
      
        Uninit was stored to memory at:
         tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156
         tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375
         tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579
         tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
         tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084
         tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201
         __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252
         __do_sys_setsockopt net/socket.c:2263
         __se_sys_setsockopt net/socket.c:2260
         __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260
         do_syscall_x64 arch/x86/entry/common.c:50
         do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
      
        Local variable sub created at:
         tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562
         tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
      
        Bytes 84-87 of 88 are uninitialized
        Memory access of size 88 starts at ffff88801ed57cd0
        Data copied to user address 0000000020000400
        ...
        =====================================================
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Fixes: 026321c6 ("tipc: rename tipc_server to tipc_topsrv")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      777ecaab
    • Mark Tomlinson's avatar
      tipc: Fix recognition of trial period · 28be7ca4
      Mark Tomlinson authored
      The trial period exists until jiffies is after addr_trial_end. But as
      jiffies will eventually overflow, just using time_after will eventually
      give incorrect results. As the node address is set once the trial period
      ends, this can be used to know that we are not in the trial period.
      
      Fixes: e415577f ("tipc: correct discovery message handling during address trial period")
      Signed-off-by: default avatarMark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28be7ca4
  7. 13 Oct, 2022 4 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 66ae0436
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter, and wifi.
      
      Current release - regressions:
      
         - Revert "net/sched: taprio: make qdisc_leaf() see the
           per-netdev-queue pfifo child qdiscs", it may cause crashes when the
           qdisc is reconfigured
      
         - inet: ping: fix splat due to packet allocation refactoring in inet
      
         - tcp: clean up kernel listener's reqsk in inet_twsk_purge(), fix UAF
           due to races when per-netns hash table is used
      
        Current release - new code bugs:
      
         - eth: adin1110: check in netdev_event that netdev belongs to driver
      
         - fixes for PTR_ERR() vs NULL bugs in driver code, from Dan and co.
      
        Previous releases - regressions:
      
         - ipv4: handle attempt to delete multipath route when fib_info
           contains an nh reference, avoid oob access
      
         - wifi: fix handful of bugs in the new Multi-BSSID code
      
         - wifi: mt76: fix rate reporting / throughput regression on mt7915
           and newer, fix checksum offload
      
         - wifi: iwlwifi: mvm: fix double list_add at
           iwl_mvm_mac_wake_tx_queue (other cases)
      
         - wifi: mac80211: do not drop packets smaller than the LLC-SNAP
           header on fast-rx
      
        Previous releases - always broken:
      
         - ieee802154: don't warn zero-sized raw_sendmsg()
      
         - ipv6: ping: fix wrong checksum for large frames
      
         - mctp: prevent double key removal and unref
      
         - tcp/udp: fix memory leaks and races around IPV6_ADDRFORM
      
         - hv_netvsc: fix race between VF offering and VF association message
      
        Misc:
      
         - remove -Warray-bounds silencing in the drivers, compilers fixed"
      
      * tag 'net-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (73 commits)
        sunhme: fix an IS_ERR() vs NULL check in probe
        net: marvell: prestera: fix a couple NULL vs IS_ERR() checks
        kcm: avoid potential race in kcm_tx_work
        tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
        net: phy: micrel: Fixes FIELD_GET assertion
        openvswitch: add nf_ct_is_confirmed check before assigning the helper
        tcp: Fix data races around icsk->icsk_af_ops.
        ipv6: Fix data races around sk->sk_prot.
        tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
        udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
        tcp/udp: Fix memory leak in ipv6_renew_options().
        mctp: prevent double key removal and unref
        selftests: netfilter: Fix nft_fib.sh for all.rp_filter=1
        netfilter: rpfilter/fib: Populate flowic_l3mdev field
        selftests: netfilter: Test reverse path filtering
        net/mlx5: Make ASO poll CQ usable in atomic context
        tcp: cdg: allow tcp_cdg_release() to be called multiple times
        inet: ping: fix recent breakage
        ipv6: ping: fix wrong checksum for large frames
        net: ethernet: ti: am65-cpsw: set correct devlink flavour for unused ports
        ...
      66ae0436
    • Linus Torvalds's avatar
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · d6f04f26
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
      
       - Fix a regression in virtio pci on power
      
       - Add a reviewer for ifcvf
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vdpa/ifcvf: add reviewer
        virtio_pci: use irq to detect interrupt support
      d6f04f26
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · aa41478a
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Found that the synthetic events were using strlen/strscpy() on values
         that could have come from userspace, and that is bad.
      
         Consolidate the string logic of kprobe and eprobe and extend it to
         the synthetic events to safely process string addresses.
      
       - Clean up content of text dump in ftrace_bug() where the output does
         not make char reads into signed and sign extending the byte output.
      
       - Fix some kernel docs in the ring buffer code.
      
      * tag 'trace-v6.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing: Fix reading strings from synthetic events
        tracing: Add "(fault)" name injection to kernel probes
        tracing: Move duplicate code of trace_kprobe/eprobe.c into header
        ring-buffer: Fix kernel-doc
        ftrace: Fix char print issue in print_ip_ins()
      aa41478a
    • Linus Torvalds's avatar
      Merge tag 'linux-watchdog-6.1-rc1' of git://www.linux-watchdog.org/linux-watchdog · 3d33e6dd
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
      
       - new driver for Exar/MaxLinear XR28V38x
      
       - support for exynosautov9 SoC
      
       - support for Renesas R-Car V5H (R8A779G0) and RZ/V2M (r9a09g011) SoC
      
       - support for imx93
      
       - several other fixes and improvements
      
      * tag 'linux-watchdog-6.1-rc1' of git://www.linux-watchdog.org/linux-watchdog: (36 commits)
        watchdog: twl4030_wdt: add missing mod_devicetable.h include
        dt-bindings: watchdog: migrate mt7621 text bindings to YAML
        watchdog: sp5100_tco: Add "action" module parameter
        watchdog: imx93: add watchdog timer on imx93
        watchdog: imx7ulp_wdt: init wdog when it was active
        watchdog: imx7ulp_wdt: Handle wdog reconfigure failure
        watchdog: imx7ulp_wdt: Fix RCS timeout issue
        watchdog: imx7ulp_wdt: Check CMD32EN in wdog init
        watchdog: imx7ulp: Add explict memory barrier for unlock sequence
        watchdog: imx7ulp: Move suspend/resume to noirq phase
        watchdog: rti-wdt:using the pm_runtime_resume_and_get to simplify the code
        dt-bindings: watchdog: rockchip: add rockchip,rk3128-wdt
        watchdog: s3c2410_wdt: support exynosautov9 watchdog
        dt-bindings: watchdog: add exynosautov9 compatible
        watchdog: npcm: Enable clock if provided
        watchdog: meson: keep running if already active
        watchdog: dt-bindings: atmel,at91sam9-wdt: convert to json-schema
        watchdog: armada_37xx_wdt: Fix .set_timeout callback
        watchdog: sa1100: make variable sa1100dog_driver static
        watchdog: w83977f_wdt: Fix comment typo
        ...
      3d33e6dd