1. 23 Jul, 2020 5 commits
    • Merge branch 'sctp-shrink-stream-outq-in-the-right-place' · f6591733
      David S. Miller authored
      Xin Long says:
      
      ====================
      sctp: shrink stream outq in the right place
      
      Patch 1 is an improvement, and Patch 2 is a bug fix.
      ====================
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: shrink stream outq when fails to do addstream reconf · 3ecdda3e
      Xin Long authored
      When adding a stream with stream reconf, the new stream is first in
      CLOSED state but new out chunks can still be enqueued. Then, once it gets
      the confirmation from the peer, the state will change to OPEN.
      
      However, if the peer denies, it needs to roll back the stream. But when
      doing that, it only sets the stream outcnt back, and the chunks already
      in the new stream don't get purged. It caused these chunks to still be
      dequeued in sctp_outq_dequeue_data().
      
      As its stream is still in CLOSE, the chunk will be enqueued to the head
      again by sctp_outq_head_data(). This chunk will never be sent out, and
      the chunks after it can never be dequeued. The assoc will be 'hung' in
      a dead loop of sending this chunk.
      
      To fix it, this patch is to purge these chunks already in the new
      stream by calling sctp_stream_shrink_out() when failing to do the
      addstream reconf.
      
      Fixes: 11ae76e6 ("sctp: implement receiver-side procedures for the Reconf Response Parameter")
      Reported-by: Ying Xu <yinxu@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: shrink stream outq only when new outcnt < old outcnt · 8f13399d
      Xin Long authored
      It's not necessary to go list_for_each for outq->out_chunk_list
      when new outcnt >= old outcnt, as no chunk with higher sid than
      new (outcnt - 1) exists in the outqueue.
      
      While at it, also move the list_for_each code into a new function
      sctp_stream_shrink_out(), which will be used in the next patch.
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • AX.25: Fix out-of-bounds read in ax25_connect() · 2f2a7ffa
      Peilin Ye authored
      Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient.
      ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_ndigis`
      equals 7 or 8. Fix it.
      
      This issue has been reported as a KMSAN uninit-value bug, because in such
      a case, ax25_connect() reaches into the uninitialized portion of the
      `struct sockaddr_storage` statically allocated in __sys_connect().
      
      It is safe to remove `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` because
      `addr_len` is guaranteed to be less than or equal to
      `sizeof(struct full_sockaddr_ax25)`.
      
      Reported-by: syzbot+c82752228ed975b0a623@syzkaller.appspotmail.com
      Link: https://syzkaller.appspot.com/bug?id=55ef9d629f3b3d7d70b69558015b63b48d01af66
      Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • enetc: Remove the mdio bus on PF probe bailout · 26cb7085
      Claudiu Manoil authored
      For ENETC ports that register an external MDIO bus,
      the bus doesn't get removed on the error bailout path
      of enetc_pf_probe().
      
      This issue became much more visible after recent:
      commit 07095c02 ("net: enetc: Use DT protocol information to set up the ports")
      Before this commit, one could make probing fail on the error
      path only by having register_netdev() fail, which is unlikely.
      But after this commit, because it moved the enetc_of_phy_get()
      call up in the probing sequence, now we can trigger an mdiobus_free()
      bug just by forcing enetc_alloc_msix() to return error, i.e. with the
      'pci=nomsi' kernel bootarg (since ENETC relies on MSI support to work),
      as the calltrace below shows:
      
      kernel BUG at /home/eiz/work/enetc/net/drivers/net/phy/mdio_bus.c:648!
      Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      [...]
      Hardware name: LS1028A RDB Board (DT)
      pstate: 80000005 (Nzcv daif -PAN -UAO BTYPE=--)
      pc : mdiobus_free+0x50/0x58
      lr : devm_mdiobus_free+0x14/0x20
      [...]
      Call trace:
       mdiobus_free+0x50/0x58
       devm_mdiobus_free+0x14/0x20
       release_nodes+0x138/0x228
       devres_release_all+0x38/0x60
       really_probe+0x1c8/0x368
       driver_probe_device+0x5c/0xc0
       device_driver_attach+0x74/0x80
       __driver_attach+0x8c/0xd8
       bus_for_each_dev+0x7c/0xd8
       driver_attach+0x24/0x30
       bus_add_driver+0x154/0x200
       driver_register+0x64/0x120
       __pci_register_driver+0x44/0x50
       enetc_pf_driver_init+0x24/0x30
       do_one_initcall+0x60/0x1c0
       kernel_init_freeable+0x1fc/0x274
       kernel_init+0x14/0x110
       ret_from_fork+0x10/0x34
      
      Fixes: ebfcb23d ("enetc: Add ENETC PF level external MDIO support")
      Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 22 Jul, 2020 3 commits
  3. 21 Jul, 2020 32 commits