1. 31 Jul, 2023 1 commit
      net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. · e7397184
      Kuniyuki Iwashima authored
      syzkaller found zero division error [0] in div_s64_rem() called from
      get_cycle_time_elapsed(), where sched->cycle_time is the divisor.
      
      We have tests in parse_taprio_schedule() so that cycle_time will never
      be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().
      
      The problem is that the types of divisor are different; cycle_time is
      s64, but the argument of div_s64_rem() is s32.
      
      syzkaller fed this input and 0x100000000 is cast to s32 to be 0.
      
        @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}
      
      We use s64 for cycle_time to cast it to ktime_t, so let's keep it and
      set max for cycle_time.
      
      While at it, we prevent overflow in setup_txtime() and add another
      test in parse_taprio_schedule() to check if cycle_time overflows.
      
      Also, we add a new tdc test case for this issue.
      
      [0]:
      divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
      CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Workqueue: ipv6_addrconf addrconf_dad_work
      RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]
      RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]
      RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344
      Call Trace:
       <TASK>
       get_packet_txtime net/sched/sch_taprio.c:508 [inline]
       taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577
       taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658
       dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732
       __dev_xmit_skb net/core/dev.c:3821 [inline]
       __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169
       dev_queue_xmit include/linux/netdevice.h:3088 [inline]
       neigh_resolve_output net/core/neighbour.c:1552 [inline]
       neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532
       neigh_output include/net/neighbour.h:544 [inline]
       ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135
       __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196
       ip6_finish_output net/ipv6/ip6_output.c:207 [inline]
       NF_HOOK_COND include/linux/netfilter.h:292 [inline]
       ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228
       dst_output include/net/dst.h:458 [inline]
       NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303
       ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508
       ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666
       addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175
       process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597
       worker_thread+0x60f/0x1240 kernel/workqueue.c:2748
       kthread+0x2fe/0x3f0 kernel/kthread.c:389
       ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
       </TASK>
      Modules linked in:
      
      Fixes: 4cfd5779 ("taprio: Add support for txtime-assist mode")
      Reported-by: syzkaller <syzkaller@googlegroups.com>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Co-developed-by: Eric Dumazet <edumazet@google.com>
      Co-developed-by: Pedro Tammela <pctammela@mojatatu.com>
      Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
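The s64-to-s32 narrowing this commit message describes, as an added user-space C example that is not part of the kernel patch: div_s64_rem_model, divisor_as_seen_by_callee, cycle_time_elapsed_model and taprio_cycle_time_acceptable are hypothetical stand-ins for the kernel functions named above, and the constructed input mirrors the syzkaller value 0x100000000.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t s64;
typedef int32_t s32;

/* Same parameter shape as div_s64_rem(): the divisor is s32, so an s64
 * argument is narrowed at the call site before this code ever runs.
 * Instead of trapping on zero like a real divide, report it via *ok. */
static s64 div_s64_rem_model(s64 dividend, s32 divisor, s32 *remainder, int *ok)
{
    if (divisor == 0) {
        *ok = 0;
        *remainder = 0;
        return 0;
    }
    *ok = 1;
    *remainder = (s32)(dividend % divisor);
    return dividend / divisor;
}

/* Value the s32 parameter actually receives for a given s64 cycle_time.
 * Narrowing keeps the low 32 bits (gcc/clang behaviour), so 0x100000000
 * becomes 0 even though the caller's "cycle_time != 0" test passed. */
static s32 divisor_as_seen_by_callee(s64 cycle_time)
{
    return (s32)cycle_time;   /* the same narrowing the implicit conversion does */
}

/* Elapsed time within the current cycle, modelled on the shape of
 * get_cycle_time_elapsed(): (now - base_time) mod cycle_time. *ok is 0
 * when the narrowed divisor is zero, i.e. the crash case on this page. */
static s64 cycle_time_elapsed_model(s64 now, s64 base_time, s64 cycle_time, int *ok)
{
    s32 rem;

    /* cycle_time is s64 here but the parameter is s32: implicit narrowing */
    div_s64_rem_model(now - base_time, cycle_time, &rem, ok);
    return rem;
}

/* Admission check in the spirit of the fix: keep cycle_time as s64 for
 * ktime_t arithmetic, but reject anything outside 1..INT_MAX so the
 * narrowing above can never yield 0 (hypothetical helper name). */
static int taprio_cycle_time_acceptable(s64 cycle_time)
{
    return cycle_time > 0 && cycle_time <= INT_MAX;
}

int main(void)
{
    int ok;
    s64 bad = 0x100000000LL;   /* constructed: the value syzkaller fed */

    printf("divisor seen by callee for 0x%llx: %d\n",
           (unsigned long long)bad, divisor_as_seen_by_callee(bad));
    cycle_time_elapsed_model(1000, 0, bad, &ok);
    printf("elapsed computation safe: %d\n", ok);
    printf("accepted by range check: %d\n", taprio_cycle_time_acceptable(bad));
    return 0;
}
```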
  2. 29 Jul, 2023 18 commits
  3. 28 Jul, 2023 7 commits
      dt-bindings: net: rockchip-dwmac: fix {tx|rx}-delay defaults/range in schema · 5416d792
      Eugen Hristev authored
      The range and the defaults are specified in the description instead of
      being specified in the schema.
      Fix it by adding the default value in the `default` field and specifying
      the range as `minimum` and `maximum`.
      
      Fixes: b331b8ef ("dt-bindings: net: convert rockchip-dwmac to json-schema")
      Signed-off-by: Eugen Hristev <eugen.hristev@collabora.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge tag 'mlx5-fixes-2023-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 4a082260
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-07-26
      
      This series provides bug fixes to mlx5 driver.
      
      * tag 'mlx5-fixes-2023-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5: Unregister devlink params in case interface is down
        net/mlx5: DR, Fix peer domain namespace setting
        net/mlx5: fs_chains: Fix ft prio if ignore_flow_level is not supported
        net/mlx5e: kTLS, Fix protection domain in use syndrome when devlink reload
        net/mlx5: Bridge, set debugfs access right to root-only
        net/mlx5e: xsk: Fix crash on regular rq reactivation
        net/mlx5e: xsk: Fix invalid buffer access for legacy rq
        net/mlx5e: Move representor neigh cleanup to profile cleanup_tx
        net/mlx5e: Fix crash moving to switchdev mode when ntuple offload is set
        net/mlx5e: Don't hold encap tbl lock if there is no encap action
        net/mlx5: Honor user input for migratable port fn attr
        net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer()
        net/mlx5: fix potential memory leak in mlx5e_init_rep_rx
        net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx
        net/mlx5e: fix double free in macsec_fs_tx_create_crypto_table_groups
      ====================
      
      Link: https://lore.kernel.org/r/20230726213206.47022-1-saeed@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      net: dsa: fix value check in bcm_sf2_sw_probe() · dadc5b86
      Yuanjun Gong authored
      In bcm_sf2_sw_probe(), check the return value of clk_prepare_enable()
      and return the error code if clk_prepare_enable() returns an
      unexpected value.
      
      Fixes: e9ec5c3b ("net: dsa: bcm_sf2: request and handle clocks")
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/20230726170506.16547-1-ruc_gongyuanjun@163.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      net: flower: fix stack-out-of-bounds in fl_set_key_cfm() · 4d50e500
      Eric Dumazet authored
      Typical misuse of
      
      	nla_parse_nested(array, XXX_MAX, ...);
      
      array must be declared as
      
      	struct nlattr *array[XXX_MAX + 1];
      
      v2: Based on feedbacks from Ido Schimmel and Zahari Doychev,
      I also changed TCA_FLOWER_KEY_CFM_OPT_MAX and cfm_opt_policy
      definitions.
      
      syzbot reported:
      
      BUG: KASAN: stack-out-of-bounds in __nla_validate_parse+0x136/0x2bd0 lib/nlattr.c:588
      Write of size 32 at addr ffffc90003a0ee20 by task syz-executor296/5014
      
      CPU: 0 PID: 5014 Comm: syz-executor296 Not tainted 6.5.0-rc2-syzkaller-00307-gd192f538 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:364 [inline]
      print_report+0x163/0x540 mm/kasan/report.c:475
      kasan_report+0x175/0x1b0 mm/kasan/report.c:588
      kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
      __asan_memset+0x23/0x40 mm/kasan/shadow.c:84
      __nla_validate_parse+0x136/0x2bd0 lib/nlattr.c:588
      __nla_parse+0x40/0x50 lib/nlattr.c:700
      nla_parse_nested include/net/netlink.h:1262 [inline]
      fl_set_key_cfm+0x1e3/0x440 net/sched/cls_flower.c:1718
      fl_set_key+0x2168/0x6620 net/sched/cls_flower.c:1884
      fl_tmplt_create+0x1fe/0x510 net/sched/cls_flower.c:2666
      tc_chain_tmplt_add net/sched/cls_api.c:2959 [inline]
      tc_ctl_chain+0x131d/0x1ac0 net/sched/cls_api.c:3068
      rtnetlink_rcv_msg+0x82b/0xf50 net/core/rtnetlink.c:6424
      netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2549
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x7c3/0x990 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0xa2a/0xd60 net/netlink/af_netlink.c:1914
      sock_sendmsg_nosec net/socket.c:725 [inline]
      sock_sendmsg net/socket.c:748 [inline]
      ____sys_sendmsg+0x592/0x890 net/socket.c:2494
      ___sys_sendmsg net/socket.c:2548 [inline]
      __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2577
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      </TASK>
      
      The buggy address belongs to stack of task syz-executor296/5014
      and is located at offset 32 in frame:
      fl_set_key_cfm+0x0/0x440 net/sched/cls_flower.c:374
      
      This frame has 1 object:
      [32, 56) 'nla_cfm_opt'
      
      The buggy address belongs to the virtual mapping at
      [ffffc90003a08000, ffffc90003a11000) created by:
      copy_process+0x5c8/0x4290 kernel/fork.c:2330
      
      Fixes: 7cfffd5f ("net: flower: add support for matching cfm fields")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Simon Horman <simon.horman@corigine.com>
      Reviewed-by: Ido Schimmel <idosch@nvidia.com>
      Reviewed-by: Zahari Doychev <zdoychev@maxlinear.com>
      Link: https://lore.kernel.org/r/20230726145815.943910-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      MAINTAINERS: stmmac: retire Giuseppe Cavallaro · fa467226
      Jakub Kicinski authored
      I tried to get stmmac maintainers to be more active by agreeing with
      them off-list on a review rotation. I pinged Peppe 3 times over 2 weeks
      during his "shift month", no reviews are flowing.
      
      All the contributions are much appreciated! But stmmac is quite
      active, we need participating maintainers :(
      
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230726151120.1649474-1-kuba@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      net: dsa: fix older DSA drivers using phylink · 9945c1fb
      Russell King (Oracle) authored
      Older DSA drivers that do not provide a dsa_ops adjust_link method end
      up using phylink. Unfortunately, a recent phylink change that requires
      its supported_interfaces bitmap to be filled breaks these drivers
      because the bitmap remains empty.
      
      Rather than fixing each driver individually, fix it in the core code so
      we have a sensible set of defaults.
      
      Reported-by: Sergei Antonov <saproj@gmail.com>
      Fixes: de5c9bf4 ("net: phylink: require supported_interfaces to be filled")
      Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
      Tested-by: Vladimir Oltean <olteanv@gmail.com> # dsa_loop
      Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/E1qOflM-001AEz-D3@rmk-PC.armlinux.org.uk
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length · d73ef2d6
      Lin Ma authored
      There are totally 9 ndo_bridge_setlink handlers in the current kernel,
      which are 1) bnxt_bridge_setlink, 2) be_ndo_bridge_setlink 3)
      i40e_ndo_bridge_setlink 4) ice_bridge_setlink 5)
      ixgbe_ndo_bridge_setlink 6) mlx5e_bridge_setlink 7)
      nfp_net_bridge_setlink 8) qeth_l2_bridge_setlink 9) br_setlink.
      
      By investigating the code, we find that 1-7 parse and use nlattr
      IFLA_BRIDGE_MODE but 3 and 4 forget to do the nla_len check. This can
      lead to an out-of-attribute read and allow a malformed nlattr (e.g.,
      length 0) to be viewed as a 2 byte integer.
      
      To avoid such issues, also for other ndo_bridge_setlink handlers in the
      future, this patch adds the nla_len check in rtnl_bridge_setlink and
      does an early error return if the length mismatches. To make it work, the
      break is removed from the parsing for IFLA_BRIDGE_FLAGS to make sure
      this nla_for_each_nested iterates every attribute.
      
      Fixes: b1edc14a ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
      Fixes: 51616018 ("i40e: Add support for getlink, setlink ndo ops")
      Suggested-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Lin Ma <linma@zju.edu.cn>
      Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
      Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
      Link: https://lore.kernel.org/r/20230726075314.1059224-1-linma@zju.edu.cn
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  4. 27 Jul, 2023 14 commits
      Merge tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 57012c57
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from can, netfilter.
      
        Current release - regressions:
      
         - core: fix splice_to_socket() for O_NONBLOCK socket
      
         - af_unix: fix fortify_panic() in unix_bind_bsd().
      
         - can: raw: fix lockdep issue in raw_release()
      
        Previous releases - regressions:
      
         - tcp: reduce chance of collisions in inet6_hashfn().
      
         - netfilter: skip immediate deactivate in _PREPARE_ERROR
      
         - tipc: stop tipc crypto on failure in tipc_node_create
      
         - eth: igc: fix kernel panic during ndo_tx_timeout callback
      
         - eth: iavf: fix potential deadlock on allocation failure
      
        Previous releases - always broken:
      
         - ipv6: fix bug where deleting a mngtmpaddr can create a new
           temporary address
      
         - eth: ice: fix memory management in ice_ethtool_fdir.c
      
         - eth: hns3: fix the imp capability bit cannot exceed 32 bits issue
      
         - eth: vxlan: calculate correct header length for GPE
      
         - eth: stmmac: apply redundant write work around on 4.xx too"
      
      * tag 'net-6.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
        tipc: stop tipc crypto on failure in tipc_node_create
        af_unix: Terminate sun_path when bind()ing pathname socket.
        tipc: check return value of pskb_trim()
        benet: fix return value check in be_lancer_xmit_workarounds()
        virtio-net: fix race between set queues and probe
        net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
        splice, net: Fix splice_to_socket() for O_NONBLOCK socket
        net: fec: tx processing does not call XDP APIs if budget is 0
        mptcp: more accurate NL event generation
        selftests: mptcp: join: only check for ip6tables if needed
        tools: ynl-gen: fix parse multi-attr enum attribute
        tools: ynl-gen: fix enum index in _decode_enum(..)
        netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
        netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
        netfilter: nft_set_rbtree: fix overlap expiration walk
        igc: Fix Kernel Panic during ndo_tx_timeout callback
        net: dsa: qca8k: fix mdb add/del case with 0 VID
        net: dsa: qca8k: fix broken search_and_del
        net: dsa: qca8k: fix search_and_insert wrong handling of new rule
        net: dsa: qca8k: enable use_single_write for qca8xxx
        ...
      Merge tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire · bc168790
      Linus Torvalds authored
      Pull soundwire fixes from Vinod Koul:
      
       - Core fix for enumeration completion
      
       - Qualcomm driver fix to update status
      
       - AMD driver fix for probe error check
      
      * tag 'soundwire-6.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
        soundwire: amd: Fix a check for errors in probe()
        soundwire: qcom: update status correctly with mask
        soundwire: fix enumeration completion
      Merge tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy · 53c8621b
      Linus Torvalds authored
      Pull phy fixes from Vinod Koul:
      
       - Out of bound fix for hisilicon phy
      
       - Qualcomm synopsis femto phy for keeping clock enabled during suspend
         and enabling ref clocks
      
       - Mediatek driver fixes for upper limit test and error code
      
      * tag 'phy-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy:
        phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
        phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code
        phy: qcom-snps-femto-v2: properly enable ref clock
        phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend
        phy: mediatek: hdmi: mt8195: fix prediv bad upper limit test
        phy: phy-mtk-dp: Fix an error code in probe()
      Merge tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 64de76ce
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fix accounting of global block reserve size when block group tree is
         enabled
      
       - the async discard has been enabled in 6.2 unconditionally, but for
         zoned mode it does not make that much sense to do it asynchronously
         as the zones are reset as needed
      
       - error handling and proper error value propagation fixes
      
      * tag 'for-6.5-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: check for commit error at btrfs_attach_transaction_barrier()
        btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
        btrfs: remove BUG_ON()'s in add_new_free_space()
        btrfs: account block group tree when calculating global reserve size
        btrfs: zoned: do not enable async discard
      Merge tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock · 379e6671
      Linus Torvalds authored
      Pull memblock fix from Mike Rapoport:
       "A call to memblock_free() or memblock_phys_free() issued after
        memblock data is discarded will result in use after free in
        memblock_isolate_range().
      
        Avoid those issues by making sure that memblock_discard points
        memblock.reserved.regions back at the static buffer"
      
      * tag 'fixes-2023-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock:
        mm,memblock: reset memblock.reserved to system init state to prevent UAF
      mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock · 657b5146
      Jann Horn authored
      lock_vma_under_rcu() tries to guarantee that __anon_vma_prepare() can't
      be called in the VMA-locked page fault path by ensuring that
      vma->anon_vma is set.
      
      However, this check happens before the VMA is locked, which means a
      concurrent move_vma() can concurrently call unlink_anon_vmas(), which
      disassociates the VMA's anon_vma.
      
      This means we can get UAF in the following scenario:
      
        THREAD 1                   THREAD 2
        ========                   ========
        <page fault>
          lock_vma_under_rcu()
            rcu_read_lock()
            mas_walk()
            check vma->anon_vma
      
                                   mremap() syscall
                                     move_vma()
                                      vma_start_write()
                                       unlink_anon_vmas()
                                   <syscall end>
      
          handle_mm_fault()
            __handle_mm_fault()
              handle_pte_fault()
                do_pte_missing()
                  do_anonymous_page()
                    anon_vma_prepare()
                      __anon_vma_prepare()
                        find_mergeable_anon_vma()
                          mas_walk() [looks up VMA X]
      
                                   munmap() syscall (deletes VMA X)
      
                          reusable_anon_vma() [called on freed VMA X]
      
      This is a security bug if you can hit it, although an attacker would
      have to win two races at once where the first race window is only a few
      instructions wide.
      
      This patch is based on some previous discussion with Linus Torvalds on
      the security list.
      
      Cc: stable@vger.kernel.org
      Fixes: 5e31275c ("mm: add per-VMA lock and helper functions to control it")
      Signed-off-by: Jann Horn <jannh@google.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      tipc: stop tipc crypto on failure in tipc_node_create · de52e173
      Fedor Pchelkin authored
      If tipc_link_bc_create() fails inside tipc_node_create() for a newly
      allocated tipc node then we should stop its tipc crypto and free the
      resources allocated with a call to tipc_crypto_start().
      
      As the node ref is initialized to one at that point, just put the ref on
      the tipc_link_bc_create() error path, which leads to tipc_node_free() being
      eventually executed and properly cleaning the node and its crypto resources.
      
      Found by Linux Verification Center (linuxtesting.org).
      
      Fixes: cb8092d7 ("tipc: move bc link creation back to tipc_node_create")
      Suggested-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
      Reviewed-by: Xin Long <lucien.xin@gmail.com>
      Link: https://lore.kernel.org/r/20230725214628.25246-1-pchelkin@ispras.ru
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      af_unix: Terminate sun_path when bind()ing pathname socket. · ecb4534b
      Kuniyuki Iwashima authored
      kernel test robot reported slab-out-of-bounds access in strlen(). [0]
      
      Commit 06d4c8a8 ("af_unix: Fix fortify_panic() in unix_bind_bsd().")
      removed unix_mkname_bsd() call in unix_bind_bsd().
      
      If sunaddr->sun_path is not terminated by user and we don't enable
      CONFIG_INIT_STACK_ALL_ZERO=y, strlen() will do the out-of-bounds access
      during file creation.
      
      Let's go back to strlen()-with-sockaddr_storage way and pack all 108
      trickiness into unix_mkname_bsd() with bold comments.
      
      [0]:
      BUG: KASAN: slab-out-of-bounds in strlen (lib/string.c:?)
      Read of size 1 at addr ffff000015492777 by task fortify_strlen_/168
      
      CPU: 0 PID: 168 Comm: fortify_strlen_ Not tainted 6.5.0-rc1-00333-g3329b603ebba #16
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       dump_backtrace (arch/arm64/kernel/stacktrace.c:235)
       show_stack (arch/arm64/kernel/stacktrace.c:242)
       dump_stack_lvl (lib/dump_stack.c:107)
       print_report (mm/kasan/report.c:365 mm/kasan/report.c:475)
       kasan_report (mm/kasan/report.c:590)
       __asan_report_load1_noabort (mm/kasan/report_generic.c:378)
       strlen (lib/string.c:?)
       getname_kernel (./include/linux/fortify-string.h:? fs/namei.c:226)
       kern_path_create (fs/namei.c:3926)
       unix_bind (net/unix/af_unix.c:1221 net/unix/af_unix.c:1324)
       __sys_bind (net/socket.c:1792)
       __arm64_sys_bind (net/socket.c:1801)
       invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52)
       el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147)
       do_el0_svc (arch/arm64/kernel/syscall.c:189)
       el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648)
       el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?)
       el0t_64_sync (arch/arm64/kernel/entry.S:591)
      
      Allocated by task 168:
       kasan_set_track (mm/kasan/common.c:45 mm/kasan/common.c:52)
       kasan_save_alloc_info (mm/kasan/generic.c:512)
       __kasan_kmalloc (mm/kasan/common.c:383)
       __kmalloc (mm/slab_common.c:? mm/slab_common.c:998)
       unix_bind (net/unix/af_unix.c:257 net/unix/af_unix.c:1213 net/unix/af_unix.c:1324)
       __sys_bind (net/socket.c:1792)
       __arm64_sys_bind (net/socket.c:1801)
       invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52)
       el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147)
       do_el0_svc (arch/arm64/kernel/syscall.c:189)
       el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648)
       el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?)
       el0t_64_sync (arch/arm64/kernel/entry.S:591)
      
      The buggy address belongs to the object at ffff000015492700
       which belongs to the cache kmalloc-128 of size 128
      The buggy address is located 0 bytes to the right of
       allocated 119-byte region [ffff000015492700, ffff000015492777)
      
      The buggy address belongs to the physical page:
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
      
      Fixes: 06d4c8a8 ("af_unix: Fix fortify_panic() in unix_bind_bsd().")
      Reported-by: kernel test robot <oliver.sang@intel.com>
      Closes: https://lore.kernel.org/netdev/202307262110.659e5e8-oliver.sang@intel.com/
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20230726190828.47874-1-kuniyu@amazon.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      tipc: check return value of pskb_trim() · e46e06ff
      Yuanjun Gong authored
      goto free_skb if an unexpected result is returned by pskb_trim()
      in tipc_crypto_rcv_complete().
      
      Fixes: fc1b6d6d ("tipc: introduce TIPC encryption & authentication")
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
      Link: https://lore.kernel.org/r/20230725064810.5820-1-ruc_gongyuanjun@163.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      benet: fix return value check in be_lancer_xmit_workarounds() · 5c85f706
      Yuanjun Gong authored
      In be_lancer_xmit_workarounds(), it should go to label 'tx_drop'
      if an unexpected value is returned by pskb_trim().
      
      Fixes: 93040ae5 ("be2net: Fix to trim skb for padded vlan packets to workaround an ASIC Bug")
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Link: https://lore.kernel.org/r/20230725032726.15002-1-ruc_gongyuanjun@163.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Merge tag 'nf-23-07-26' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · ff0df208
      Jakub Kicinski authored
      Florian Westphal says:
      
      ====================
      netfilter fixes for net
      
      1. On-demand overlap detection in 'rbtree' set can cause memory leaks.
         This is broken since 6.2.
      
      2. An earlier fix in 6.4 to address an imbalance in refcounts during
         transaction error unwinding was incomplete, from Pablo Neira.
      
      3. Disallow adding a rule to a deleted chain, also from Pablo.
         Broken since 5.9.
      
      * tag 'nf-23-07-26' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
        netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
        netfilter: nft_set_rbtree: fix overlap expiration walk
      ====================
      
      Link: https://lore.kernel.org/r/20230726152524.26268-1-fw@strlen.de
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      virtio-net: fix race between set queues and probe · 25266128
      Jason Wang authored
      A race was found where set_channels could be called after registering
      but before virtnet_set_queues() in virtnet_probe(). Fix this by
      moving the virtnet_set_queues() before netdevice registering. While at
      it, use _virtnet_set_queues() to avoid holding rtnl as the device is
      not even registered at that time.
      
      Cc: stable@vger.kernel.org
      Fixes: a220871b ("virtio-net: correctly enable multiqueue")
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
      Link: https://lore.kernel.org/r/20230725072049.617289-1-jasowang@redhat.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64 · 6c58c881
      Lin Ma authored
      The nla_for_each_nested parsing in function mqprio_parse_nlattr() does
      not check the length of the nested attribute. This can lead to an
      out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
      be viewed as 8 byte integer and passed to priv->max_rate/min_rate.
      
      This patch adds the check based on nla_len() when checking the nla_type(),
      which ensures that the length of these two attributes must equal
      sizeof(u64).
      
      Fixes: 4e8b86c0 ("mqprio: Introduce new hardware offload mode and shaper in mqprio")
      Reviewed-by: Victor Nogueira <victor@mojatatu.com>
      Signed-off-by: Lin Ma <linma@zju.edu.cn>
      Link: https://lore.kernel.org/r/20230725024227.426561-1-linma@zju.edu.cn
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
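Both the IFLA_BRIDGE_MODE commit above (d73ef2d6) and this mqprio commit add an nla_len() check before a nested attribute's payload is read; the following user-space C model is an added example, not code from either patch. The struct nlattr layout and NLA_ALIGN follow the uapi netlink definitions, the attribute type numbers are demo placeholders, put_attr/get_attr_checked/scenario_* are hypothetical helpers, and the "flags then header-only mode" buffer is constructed inline to show why the walk must not stop early.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the netlink attribute TLV: 4-byte header, payload,
 * then padding to a 4-byte boundary (as in <linux/netlink.h>). */
struct nlattr {
    uint16_t nla_len;    /* header + payload, excluding trailing padding */
    uint16_t nla_type;
};
#define NLA_ALIGNTO   4
#define NLA_ALIGN(n)  (((n) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN    ((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Names from the commit messages; the numbers are demo placeholders. */
enum { IFLA_BRIDGE_FLAGS = 0, IFLA_BRIDGE_MODE = 1 };
enum { TCA_MQPRIO_MAX_RATE64 = 4 };

/* Append one attribute to a constructed buffer; returns the new length. */
static int put_attr(unsigned char *buf, int off, uint16_t type,
                    const void *payload, int plen)
{
    struct nlattr h = { (uint16_t)(NLA_HDRLEN + plen), type };

    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NLA_HDRLEN, payload, plen);
    /* zero the alignment padding so the buffer is deterministic */
    memset(buf + off + NLA_HDRLEN + plen, 0, NLA_ALIGN(h.nla_len) - h.nla_len);
    return off + NLA_ALIGN(h.nla_len);
}

/* Find attribute `type` in a nested blob and copy `want` payload bytes to
 * `out`. Headers are validated the way nla_for_each_nested() does, and the
 * payload length is checked BEFORE anything is read, which is the check
 * both patches add: exact==0 accepts payload >= want (u16 bridge mode),
 * exact!=0 demands payload == want (u64 mqprio rate). Returns 0, -EINVAL
 * for a malformed attribute, -ENOENT when the type is absent. */
static int get_attr_checked(const unsigned char *buf, int len, uint16_t type,
                            int want, int exact, void *out)
{
    int rem = len, off = 0;

    while (rem >= NLA_HDRLEN) {
        struct nlattr h;
        int payload, step;

        memcpy(&h, buf + off, sizeof h);
        if (h.nla_len < NLA_HDRLEN || h.nla_len > rem)
            return -EINVAL;                  /* header claims bytes that are not there */
        payload = h.nla_len - NLA_HDRLEN;    /* what nla_len(attr) reports */
        if (h.nla_type == type) {
            if (exact ? payload != want : payload < want)
                return -EINVAL;              /* header-only attr would read past the TLV */
            memcpy(out, buf + off + NLA_HDRLEN, want);
            return 0;
        }
        step = NLA_ALIGN(h.nla_len);         /* nla_next(): skip padding too */
        if (step > rem)
            break;                           /* last attribute without trailing pad */
        off += step;
        rem -= step;
    }
    return -ENOENT;
}

/* Constructed scenario: IFLA_BRIDGE_FLAGS first, then a mode attribute
 * with `mode_payload_bytes` of payload (2 is well-formed, 0 is the
 * malformed case from the commit). Returns the parsed mode, else -errno. */
static int scenario_bridge_mode(int mode_payload_bytes)
{
    unsigned char buf[64];
    uint16_t flags = 0, mode = 1, out = 0;
    int n = put_attr(buf, 0, IFLA_BRIDGE_FLAGS, &flags, sizeof flags);
    int rc;

    n = put_attr(buf, n, IFLA_BRIDGE_MODE, &mode, mode_payload_bytes);
    rc = get_attr_checked(buf, n, IFLA_BRIDGE_MODE, sizeof(uint16_t), 0, &out);
    return rc ? rc : out;
}

/* Constructed scenario: one rate attribute with `payload_bytes` of payload.
 * Returns 0 when the 64-bit value round-trips intact, else -errno. */
static int scenario_rate64(int payload_bytes)
{
    unsigned char buf[64];
    uint64_t rate = 1000000ULL, out = 0;
    int n = put_attr(buf, 0, TCA_MQPRIO_MAX_RATE64, &rate, payload_bytes);
    int rc = get_attr_checked(buf, n, TCA_MQPRIO_MAX_RATE64, sizeof(uint64_t), 1, &out);

    return rc ? rc : (out == rate ? 0 : -ERANGE);
}

int main(void)
{
    printf("bridge mode, 2-byte payload: %d\n", scenario_bridge_mode(2));
    printf("bridge mode, 0-byte payload: %d (-EINVAL is %d)\n", scenario_bridge_mode(0), -EINVAL);
    printf("rate64, 8-byte payload: %d\n", scenario_rate64(8));
    printf("rate64, 4-byte payload: %d\n", scenario_rate64(4));
    return 0;
}
```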
      splice, net: Fix splice_to_socket() for O_NONBLOCK socket · 0f0fa27b
      Jan Stancek authored
      LTP sendfile07 [1], which expects sendfile() to return EAGAIN when
      transferring data from regular file to a "full" O_NONBLOCK socket,
      started failing after commit 2dc334f1 ("splice, net: Use
      sendmsg(MSG_SPLICE_PAGES) rather than ->sendpage()").
      sendfile() no longer immediately returns, but now blocks.
      
      The removed sock_sendpage() handled this case by setting the MSG_DONTWAIT
      flag; fix the new splice_to_socket() to do the same for O_NONBLOCK sockets.
      
      [1] https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/sendfile/sendfile07.c
      
      Fixes: 2dc334f1 ("splice, net: Use sendmsg(MSG_SPLICE_PAGES) rather than ->sendpage()")
      Acked-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Jan Stancek <jstancek@redhat.com>
      Tested-by: Xi Ruoyao <xry111@xry111.site>
      Link: https://lore.kernel.org/r/023c0e21e595e00b93903a813bc0bfb9a5d7e368.1690219914.git.jstancek@redhat.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>