07 Nov, 2022 8 commits
    • can: rcar_canfd: Add missing ECC error checks for channels 2-7 · 8b043dfb
      Geert Uytterhoeven authored
      When introducing support for R-Car V3U, which has 8 instead of 2
      channels, the ECC error bitmask was extended to take into account the
      extra channels, but rcar_canfd_global_error() was not updated to act
      upon the extra bits.
      
      Replace the RCANFD_GERFL_EEF[01] macros by a new macro that takes the
      channel number, fixing R-Car V3U while simplifying the code.
      
      Fixes: 45721c40 ("can: rcar_canfd: Add support for r8a779a0 SoC")
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
      Link: https://lore.kernel.org/all/4edb2ea46cc64d0532a08a924179827481e14b4f.1666951503.git.geert+renesas@glider.be
      Cc: stable@vger.kernel.org
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: dev: fix skb drop check · ae64438b
      Oliver Hartkopp authored
      In commit a6d190f8 ("can: skb: drop tx skb if in listen only
      mode") the priv->ctrlmode element is read even on virtual CAN
      interfaces that do not create the struct can_priv at startup. This
      out-of-bounds read may lead to CAN frame drops for virtual CAN
      interfaces like vcan and vxcan.
      
      This patch mainly reverts the original commit and adds a new helper
      for CAN interface drivers that provide the required information in
      struct can_priv.
      
      Fixes: a6d190f8 ("can: skb: drop tx skb if in listen only mode")
      Reported-by: Dariusz Stojaczyk <Dariusz.Stojaczyk@opensynergy.com>
      Cc: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
      Cc: Max Staudt <max@enpas.org>
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Acked-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
      Link: https://lore.kernel.org/all/20221102095431.36831-1-socketcan@hartkopp.net
      Cc: stable@vger.kernel.org # 6.0.x
      [mkl: patch pch_can, too]
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: j1939: j1939_send_one(): fix missing CAN header initialization · 3eb3d283
      Oliver Hartkopp authored
      The read access to struct canxl_frame::len inside of a j1939 created
      skbuff revealed a missing initialization of reserved and later filled
      elements in struct can_frame.
      
      This patch initializes the 8 byte CAN header with zero.
      
      Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
      Cc: Oleksij Rempel <o.rempel@pengutronix.de>
      Link: https://lore.kernel.org/linux-can/20221104052235.GA6474@pengutronix.de
      Reported-by: syzbot+d168ec0caca4697e03b1@syzkaller.appspotmail.com
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Link: https://lore.kernel.org/all/20221104075000.105414-1-socketcan@hartkopp.net
      Cc: stable@vger.kernel.org
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: isotp: fix tx state handling for echo tx processing · 86633786
      Oliver Hartkopp authored
      In commit 4b7fe92c ("can: isotp: add local echo tx processing for
      consecutive frames") the data flow for consecutive frames (CF) has been
      reworked to improve the reliability of long data transfers.
      
      This rework did not touch the transmission and the tx state changes of
      single frame (SF) transfers which likely led to the WARN in the
      isotp_tx_timer_handler() catching a wrong tx state. This patch makes use
      of the improved frame processing for SF frames and sets the ISOTP_SENDING
      state in isotp_sendmsg() within the cmpxchg() condition handling.
      
      A review of the state machine and the timer handling additionally revealed
      a missing echo timeout handling in the case of the burst mode in
      isotp_rcv_echo() and removes a potential timer configuration uncertainty
      in isotp_rcv_fc() when the receiver requests consecutive frames.
      
      Fixes: 4b7fe92c ("can: isotp: add local echo tx processing for consecutive frames")
      Link: https://lore.kernel.org/linux-can/CAO4mrfe3dG7cMP1V5FLUkw7s+50c9vichigUMQwsxX4M=45QEw@mail.gmail.com/T/#u
      Reported-by: Wei Chen <harperchen1110@gmail.com>
      Cc: stable@vger.kernel.org # v6.0
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Link: https://lore.kernel.org/all/20221104142551.16924-1-socketcan@hartkopp.net
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: af_can: fix NULL pointer dereference in can_rx_register() · 8aa59e35
      Zhengchao Shao authored
      It causes a NULL pointer dereference when testing as follows:
      (a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket.
      (b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan
          link device, and bind vxcan device to bond device (can also use
          ifenslave command to bind vxcan device to bond device).
      (c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket.
      (d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket.
      
      The bond device invokes the can-raw protocol registration interface to
      receive CAN packets. However, ml_priv is not allocated to the dev, so
      dev_rcv_lists is assigned NULL in can_rx_register(). In this case,
      the NULL pointer dereference issue occurs.
      
      The following is the stack information:
      BUG: kernel NULL pointer dereference, address: 0000000000000008
      PGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      RIP: 0010:can_rx_register+0x12d/0x1e0
      Call Trace:
      <TASK>
      raw_enable_filters+0x8d/0x120
      raw_enable_allfilters+0x3b/0x130
      raw_bind+0x118/0x4f0
      __sys_bind+0x163/0x1a0
      __x64_sys_bind+0x1e/0x30
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      </TASK>
      
      Fixes: 4e096a18 ("net: introduce CAN specific pointer in the struct net_device")
      Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Link: https://lore.kernel.org/all/20221028085650.170470-1-shaozhengchao@huawei.com
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: af_can: can_exit(): add missing dev_remove_pack() of canxl_packet · a3335fae
      Chen Zhongjin authored
      In can_init(), dev_add_pack(&canxl_packet) is added but not removed in
      can_exit(). It breaks the packet handler list and can make kernel
      panic when can_init() is called for the second time.
      
      | > modprobe can && rmmod can
      | > rmmod xxx && modprobe can
      |
      | BUG: unable to handle page fault for address: fffffbfff807d7f4
      | RIP: 0010:dev_add_pack+0x133/0x1f0
      | Call Trace:
      |  <TASK>
      |  can_init+0xaa/0x1000 [can]
      |  do_one_initcall+0xd3/0x4e0
      |  ...
      
      Fixes: fb08cba1 ("can: canxl: update CAN infrastructure for CAN XL frames")
      Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
      Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Link: https://lore.kernel.org/all/20221031033053.37849-1-chenzhongjin@huawei.com
      [mkl: adjust subject and commit message]
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network · c23fb2c8
      Alexander Potapenko authored
      When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved
      remained uninitialized, resulting in a 1-byte infoleak:
      
        BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841
         __netdev_start_xmit ./include/linux/netdevice.h:4841
         netdev_start_xmit ./include/linux/netdevice.h:4857
         xmit_one net/core/dev.c:3590
         dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606
         __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256
         dev_queue_xmit ./include/linux/netdevice.h:3009
         __netlink_deliver_tap_skb net/netlink/af_netlink.c:307
         __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325
         netlink_deliver_tap net/netlink/af_netlink.c:338
         __netlink_sendskb net/netlink/af_netlink.c:1263
         netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272
         netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360
         nlmsg_unicast ./include/net/netlink.h:1061
         rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758
         ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628
         rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
        ...
        Uninit was created at:
         slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742
         slab_alloc_node mm/slub.c:3398
         __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437
         __do_kmalloc_node mm/slab_common.c:954
         __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975
         kmalloc_reserve net/core/skbuff.c:437
         __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509
         alloc_skb ./include/linux/skbuff.h:1267
         nlmsg_new ./include/net/netlink.h:964
         ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608
         rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
         netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540
         rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109
         netlink_unicast_kernel net/netlink/af_netlink.c:1319
         netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345
         netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921
        ...
      
      This patch ensures that the reserved field is always initialized.
      
      Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com
      Fixes: 2a8cc6c8 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.")
      Signed-off-by: Alexander Potapenko <glider@google.com>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
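The bug class behind the addrlabel commit above, shown as an added example that is not part of the kernel patch or the commit message: a message buffer is poisoned the way KMSAN conceptually tracks uninitialized memory, a pre-fix style filler that sets every named field but never touches __ifal_reserved is compared with a post-fix style filler that zeroes the whole header first, and the poison bytes that would reach the wire are counted. The struct is a local copy of the UAPI layout of struct ifaddrlblmsg (linux/if_addrlabel.h); POISON, fill_leaky, fill_fixed and leaked_bytes are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copy of the UAPI layout of struct ifaddrlblmsg (assumed here,
 * mirrors linux/if_addrlabel.h): 12 bytes, one of them reserved. */
struct ifaddrlblmsg {
    uint8_t  ifal_family;
    uint8_t  __ifal_reserved;
    uint8_t  ifal_prefixlen;
    uint8_t  ifal_flags;
    uint32_t ifal_index;
    uint32_t ifal_seq;
};

/* Byte pattern standing in for "never written since allocation". */
#define POISON 0xAA

/* Pre-fix behaviour: every named field is assigned, the reserved byte is
 * left as whatever the allocator handed out. */
static void fill_leaky(struct ifaddrlblmsg *m)
{
    m->ifal_family    = 10;   /* AF_INET6 */
    m->ifal_prefixlen = 64;
    m->ifal_flags     = 0;
    m->ifal_index     = 2;
    m->ifal_seq       = 1;
}

/* Post-fix behaviour: zero the whole header before assigning fields, so a
 * reserved or padding byte can never carry stale heap contents. */
static void fill_fixed(struct ifaddrlblmsg *m)
{
    memset(m, 0, sizeof(*m));
    fill_leaky(m);
}

/* Poison a freshly "allocated" message, run the filler, and count the bytes
 * still carrying the poison pattern, i.e. the bytes that would be copied to
 * the network uninitialized. (A field whose real value happens to equal
 * POISON would be a false positive; none of the values above do.) */
static int leaked_bytes(void (*fill)(struct ifaddrlblmsg *))
{
    struct ifaddrlblmsg m;
    const unsigned char *p = (const unsigned char *)&m;
    int leaked = 0;

    memset(&m, POISON, sizeof(m));
    fill(&m);
    for (size_t i = 0; i < sizeof(m); i++)
        leaked += (p[i] == POISON);
    return leaked;
}
```

Running leaked_bytes(fill_leaky) reports one uninitialized byte (the reserved field), leaked_bytes(fill_fixed) reports none.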
    • tcp: prohibit TCP_REPAIR_OPTIONS if data was already sent · 0c175da7
      Lu Wei authored
      If setsockopt with option name of TCP_REPAIR_OPTIONS and opt_code
      of TCPOPT_SACK_PERM is called to enable sack after data is sent
      and dupacks are received, it will trigger a warning in function
      tcp_verify_left_out() as follows:
      
      ============================================
      WARNING: CPU: 8 PID: 0 at net/ipv4/tcp_input.c:2132
      tcp_timeout_mark_lost+0x154/0x160
      tcp_enter_loss+0x2b/0x290
      tcp_retransmit_timer+0x50b/0x640
      tcp_write_timer_handler+0x1c8/0x340
      tcp_write_timer+0xe5/0x140
      call_timer_fn+0x3a/0x1b0
      __run_timers.part.0+0x1bf/0x2d0
      run_timer_softirq+0x43/0xb0
      __do_softirq+0xfd/0x373
      __irq_exit_rcu+0xf6/0x140
      
      The warning is caused in the following steps:
      1. a socket named socketA is created
      2. socketA enters repair mode without building a connection
      3. socketA calls connect() and its state is changed to TCP_ESTABLISHED
         directly
      4. socketA leaves repair mode
      5. socketA calls sendmsg() to send data; packets_out and sacked_out (dup
         acks received) increase
      6. socketA enters repair mode again
      7. socketA calls setsockopt with TCPOPT_SACK_PERM to enable sack
      8. retransmit timer expires, it calls tcp_timeout_mark_lost(), lost_out
         increases
      9. sacked_out + lost_out > packets_out triggers, since lost_out and
         sacked_out increase repeatedly
      
      In function tcp_timeout_mark_lost(), tp->sacked_out will be cleared if
      Step 7 does not happen and the warning will not be triggered. As suggested by
      Denis and Eric, TCP_REPAIR_OPTIONS should be prohibited if data was
      already sent.
      
      The socket-tcp tests in CRIU have been run as follows:
      $ sudo ./test/zdtm.py run -t zdtm/static/socket-tcp*  --keep-going \
             --ignore-taint
      
      socket-tcp* represent all socket-tcp tests in test/zdtm/static/.
      
      Fixes: b139ba4e ("tcp: Repair connection-time negotiated parameters")
      Signed-off-by: Lu Wei <luwei32@huawei.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>