20 Mar, 2020: 40 commits
    • batman-adv: Fix debugfs path for renamed hardif · f7e13c96
      Sven Eckelmann authored
      commit 36dc621c upstream.
      
      batman-adv is creating special debugfs directories in the init
      net_namespace for each valid hard-interface (net_device). But it is
      possible to rename a net_device to a completely different name than the
      original one.
      
      It can therefore happen that a user registers a new net_device which gets
      the name "wlan0" assigned by default. batman-adv is also adding a new
      directory under $debugfs/batman-adv/ with the name "wlan0".
      
      The user then decides to rename this device to "wl_pri" and registers a
      different device. The kernel may now decide to use the name "wlan0" again
      for this new device. batman-adv will detect it as a valid net_device and
      tries to create a directory with the name "wlan0" under
      $debugfs/batman-adv/. But there already exists one with this name under
      this path and thus this fails. batman-adv will detect a problem and
      rollback the registering of this device.
      
      batman-adv must therefore take care of renaming the debugfs directories
      for hard-interfaces whenever it detects such a net_device rename.
      
      Fixes: 5bc7c1eb ("batman-adv: add debugfs structure for information per interface")
      Reported-by: John Soros <sorosj@gmail.com>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs · 0b81edc8
      Marek Lindner authored
      commit 16116dac upstream.
      
      A translation table TVLV changeset sent with an OGM consists
      of a number of headers (one per VLAN) plus the changeset
      itself (addition and/or deletion of entries).
      
      The per-VLAN headers are used by OGM recipients for consistency
      checks. Said consistency check might determine that a full
      translation table request is needed to restore consistency. If
      the TT sender adds per-VLAN headers of empty VLANs into the OGM,
      recipients are led to believe to have reached an inconsistent
      state and thus request a full table update. The full table does
      not contain empty VLANs (due to missing entries), so the cycle
      restarts when the next OGM is issued.
      
      Consequently, when the translation table TVLV headers are
      composed, empty VLANs are to be excluded.
      
      Fixes: 21a57f6e7a3b ("batman-adv: make the TT CRC logic VLAN specific")
      Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Fix TT sync flags for intermediate TT responses · 24443bf3
      Linus Lüssing authored
      commit 7072337e upstream.
      
      The previous TT sync fix so far only fixed TT responses issued by the
      target node directly. So far, TT responses issued by intermediate nodes
      still lead to the wrong flags being added, leading to CRC mismatches.
      
      This behaviour was observed at Freifunk Hannover in a 800 nodes setup
      where a considerable amount of nodes were still infected with 'WI'
      TT flags even with (most) nodes having the previous TT sync fix applied.
      
      I was able to reproduce the issue with intermediate TT responses in a
      four node test setup and this patch fixes this issue by ensuring to
      use the per originator instead of the summarized, OR'd ones.
      
      Fixes: e9c00136 ("batman-adv: fix tt_global_entries flags update")
      Reported-by: Leonardo Mörlein <me@irrelefant.net>
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Avoid race in TT TVLV allocator helper · f4d59337
      Sven Eckelmann authored
      commit 8ba0f9bd upstream.
      
      The functions batadv_tt_prepare_tvlv_local_data and
      batadv_tt_prepare_tvlv_global_data are responsible for preparing a buffer
      which can be used to store the TVLV container for TT and add the VLAN
      information to it.
      
      This will be done in three phases:
      
      1. count the number of VLANs and their entries
      2. allocate the buffer using the counters from the previous step and limits
         from the caller (parameter tt_len)
      3. insert the VLAN information to the buffer
      
      Steps 1 and 3 operate on a list which contains the VLANs. The access to
      these lists must be protected with an appropriate lock or otherwise they
      might operate on different entries. This could for example happen when
      another context is adding VLAN entries to this list.
      
      This could lead to a buffer overflow in these functions when enough entries
      were added between step 1 and 3 to the VLAN lists that the buffer room for
      the entries (*tt_change) is smaller than the now required extra buffer for
      new VLAN entries.
      
      Fixes: 7ea7b4a1 ("batman-adv: make the TT CRC logic VLAN specific")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Acked-by: Antonio Quartulli <a@unstable.cc>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
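The three-phase count/allocate/fill pattern the commit describes, as an added example that is not code from the page or from batman-adv: a user-space model of the pre-fix shape (lock dropped between counting and filling) beside the fixed shape (one critical section), with a constructed VLAN list and a `between` hook that stands in for the other context adding entries. The bound in the fill phase is this example's own addition so the demo reports the overflow instead of performing it.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for the per-VLAN TT list and the TVLV VLAN header (not the batman-adv structures). */
struct vlan_entry { uint16_t vid; uint16_t num_entries; struct vlan_entry *next; };
struct vlan_list { struct vlan_entry *head; pthread_mutex_t lock; };
struct tvlv_vlan_data { uint16_t vid; uint16_t num_entries; };

/* The "other context" adding a VLAN. trylock stands in for a context that
 * can only touch the list while the builder is not holding the lock. */
bool vlan_list_try_add(struct vlan_list *l, uint16_t vid, uint16_t num_entries)
{
    struct vlan_entry *e;
    if (pthread_mutex_trylock(&l->lock) != 0)
        return false;
    e = malloc(sizeof(*e));
    e->vid = vid;
    e->num_entries = num_entries;
    e->next = l->head;
    l->head = e;
    pthread_mutex_unlock(&l->lock);
    return true;
}

/* Phase 1: count the VLANs. Caller holds the lock. */
static size_t count_vlans(const struct vlan_list *l)
{
    size_t n = 0;
    for (const struct vlan_entry *e = l->head; e; e = e->next)
        n++;
    return n;
}

/* Phase 3: write one header per VLAN. Caller holds the lock. Returns the
 * number written, or -1 if the list outgrew the buffer sized in phase 2;
 * this bound is the example's addition so it reports instead of overflowing. */
static int fill_vlan_headers(const struct vlan_list *l, struct tvlv_vlan_data *buf, size_t cap)
{
    size_t n = 0;
    for (const struct vlan_entry *e = l->head; e; e = e->next) {
        if (n == cap)
            return -1;
        buf[n].vid = e->vid;
        buf[n].num_entries = e->num_entries;
        n++;
    }
    return (int)n;
}

typedef void (*between_fn)(struct vlan_list *);

/* Pre-fix shape: the lock is dropped between phases 1 and 3, and `between`
 * stands in for whatever runs in that window. */
int build_tvlv_racy(struct vlan_list *l, between_fn between, struct tvlv_vlan_data **out)
{
    size_t cap; int n;
    pthread_mutex_lock(&l->lock);
    cap = count_vlans(l);
    pthread_mutex_unlock(&l->lock);
    between(l);                           /* the list may grow here */
    *out = calloc(cap ? cap : 1, sizeof(**out));
    pthread_mutex_lock(&l->lock);
    n = fill_vlan_headers(l, *out, cap);
    pthread_mutex_unlock(&l->lock);
    return n;
}

/* Fixed shape: one critical section covers count, allocation and fill (the
 * kernel fix allocates with GFP_ATOMIC because a spinlock is held there). */
int build_tvlv_locked(struct vlan_list *l, between_fn between, struct tvlv_vlan_data **out)
{
    size_t cap; int n;
    pthread_mutex_lock(&l->lock);
    cap = count_vlans(l);
    between(l);                           /* the adder's trylock fails now */
    *out = calloc(cap ? cap : 1, sizeof(**out));
    n = fill_vlan_headers(l, *out, cap);
    pthread_mutex_unlock(&l->lock);
    return n;
}

/* Constructed scenario: two VLANs exist and a third arrives mid-build. */
static void add_vlan_42(struct vlan_list *l) { vlan_list_try_add(l, 42, 7); }

int demo(bool fixed)
{
    struct vlan_list l = { NULL, PTHREAD_MUTEX_INITIALIZER };
    struct tvlv_vlan_data *buf; int n;
    vlan_list_try_add(&l, 1, 3);
    vlan_list_try_add(&l, 2, 5);
    n = fixed ? build_tvlv_locked(&l, add_vlan_42, &buf)
              : build_tvlv_racy(&l, add_vlan_42, &buf);
    free(buf);
    return n;   /* racy: -1 (three VLANs, room for two); locked: 2 */
}
```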
    • batman-adv: Fix internal interface indices types · 8142ea6b
      Sven Eckelmann authored
      commit f22e0893 upstream.
      
      batman-adv uses internal indices for each enabled and active interface.
      It is currently used by the B.A.T.M.A.N. IV algorithm to identify the
      correct position in the ogm_cnt bitmaps.
      
      The type for the number of enabled interfaces (which defines the next
      interface index) was set to char. This type can be (depending on the
      architecture) either signed (limiting batman-adv to 127 active slave
      interfaces) or unsigned (limiting batman-adv to 255 active slave
      interfaces).
      
      This limit was not correctly checked when an interface was enabled and thus
      an overflow happened. This was only caught on systems with the signed char
      type when the B.A.T.M.A.N. IV code tried to resize its counter arrays with
      a negative size.
      
      The if_num interface index was only a s16 and therefore significantly
      smaller than the ifindex (int) used by the net core code.
      
      Both &batadv_hard_iface->if_num and &batadv_priv->num_ifaces must be
      (unsigned) int to support the same number of slave interfaces as the net
      core code. And the interface activation code must check the number of
      active slave interfaces to avoid integer overflows.
      
      Fixes: c6c8fea2 ("net: Add batman-adv meshing protocol")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq · 13e6a853
      Sven Eckelmann authored
      commit 5ba7dcfe upstream.
      
      The originator node object orig_neigh_node is used when accessing the
      bcast_own(_sum) and real_packet_count information. The access to them has
      to be protected with the spinlock in orig_neigh_node.
      
      But the function uses the lock in orig_node instead. This is incorrect
      because they could be two different originator node objects.
      
      Fixes: 0ede9f41 ("batman-adv: protect bit operations to count OGMs with spinlock")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Fix check of retrieved orig_gw in batadv_v_gw_is_eligible · 8c69c09f
      Sven Eckelmann authored
      commit 198a62dd upstream.
      
      The batadv_v_gw_is_eligible function already assumes that orig_node is not
      NULL. But batadv_gw_node_get may have failed to find the originator. It
      must therefore be checked whether the batadv_gw_node_get failed and not
      whether orig_node is NULL to detect this error.
      
      Fixes: 50164d8f ("batman-adv: B.A.T.M.A.N. V - implement GW selection logic")
      Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
      Acked-by: Antonio Quartulli <a@unstable.cc>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Always initialize fragment header priority · ea40bc53
      Sven Eckelmann authored
      commit fe77d825 upstream.
      
      The batman-adv unicast fragment header contains 3 bits for the priority of
      the packet. These bits will be initialized when the skb->priority contains
      a value between 256 and 263. But otherwise, the uninitialized bits from the
      stack will be used.
      
      Fixes: c0f25c80 ("batman-adv: Include frame priority in fragment header")
      Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation · 0478b593
      Sven Eckelmann authored
      commit 6a4bc44b upstream.
      
      The neighbor compare API implementation for B.A.T.M.A.N. V checks whether
      the neigh_ifinfo for this neighbor on a specific interface exists. A
      warning is printed when it isn't found.
      
      But it is not called inside a lock which would prevent this information
      from being lost right before batadv_neigh_ifinfo_get. It must therefore
      be expected that batadv_v_neigh_(cmp|is_sob) might not be able to get the
      requested neigh_ifinfo.
      
      A WARN_ON for such a situation seems not to be appropriate because this
      will only flood the kernel logs. The warnings must therefore be removed.
      
      Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: fix TT sync flag inconsistencies · 805596e6
      Linus Lüssing authored
      commit 54e22f26 upstream.
      
      This patch fixes an issue in the translation table code potentially
      leading to a TT Request + Response storm. The issue may occur for nodes
      involving BLA and an inconsistent configuration of the batman-adv AP
      isolation feature. However, since the new multicast optimizations, a
      single, malformed packet may lead to a mesh-wide, persistent
      Denial-of-Service, too.
      
      The issue occurs because nodes are currently OR-ing the TT sync flags of
      all originators announcing a specific MAC address via the
      translation table. When an intermediate node now receives a TT Request
      and wants to answer this on behalf of the destination node, then this
      intermediate node now responds with an altered flag field and broken
      CRC. The next OGM of the real destination will lead to a CRC mismatch
      and triggering a TT Request and Response again.
      
      Furthermore, the OR-ing is currently never undone as long as at least
      one originator announcing the according MAC address remains, leading to
      the potential persistency of this issue.
      
      This patch fixes this issue by storing the flags used in the CRC
      calculation on a per TT orig entry basis to be able to respond with
      the correct, original flags in an intermediate TT Response for one
      thing. And to be able to correctly unset sync flags once all nodes
      announcing a sync flag vanish for another.
      
      Fixes: e9c00136 ("batman-adv: fix tt_global_entries flags update")
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      Acked-by: Antonio Quartulli <a@unstable.cc>
      [sw: typo in commit message]
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Accept only filled wifi station info · f357813e
      Sven Eckelmann authored
      commit d6289088 upstream.
      
      The wifi driver can decide to not provide parts of the station info. For
      example, the expected throughput of the station can be omitted when the
      used rate control doesn't provide this kind of information.
      
      The B.A.T.M.A.N. V implementation must therefore check the filled bitfield
      before it tries to access the expected_throughput of the returned
      station_info.
      
      Reported-by: Alvaro Antelo <alvaro.antelo@gmail.com>
      Fixes: c833484e ("batman-adv: ELP - compute the metric based on the estimated throughput")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Reviewed-by: Marek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Use default throughput value on cfg80211 error · 1c5a456a
      Sven Eckelmann authored
      commit 3f3f8732 upstream.
      
      A wifi interface should never be handled like an ethernet device. The
      parser of the cfg80211 output must therefore skip the ethtool code when
      cfg80211_get_station returned an error.
      
      Fixes: f44a3ae9 ("batman-adv: refactor wifi interface detection")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Reviewed-by: Marek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Fix rx packet/bytes stats on local ARP reply · 65927b33
      Sven Eckelmann authored
      commit 36d4d68c upstream.
      
      The stats are generated by batadv_interface_stats and must not be stored
      directly in the net_device stats member variable. The batadv_priv
      bat_counters information is assembled when ndo_get_stats is called. The
      stats previously stored in net_device::stats is then overwritten.
      
      The batman-adv counters must therefore be increased when an ARP packet is
      answered locally via the distributed arp table.
      
      Fixes: c384ea3e ("batman-adv: Distributed ARP Table - add snooping functions for ARP messages")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Initialize gw sel_class via batadv_algo · 4ae2c062
      Sven Eckelmann authored
      commit 1a9070ec upstream.
      
      The gateway selection class variable is shared between different algorithm
      versions. But the interpretation of the content is algorithm specific. The
      initialization is therefore also algorithm specific.
      
      But this was implemented incorrectly and the initialization for BATMAN_V
      always overwrote the value previously written for BATMAN_IV. This could
      only be avoided when BATMAN_V was disabled during compile time.
      
      Using a special batadv_algo hook for this initialization avoids this
      problem.
      
      Fixes: 50164d8f ("batman-adv: B.A.T.M.A.N. V - implement GW selection logic")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • batman-adv: Fix transmission of final, 16th fragment · e1244b87
      Linus Lüssing authored
      commit 51c6b429 upstream.
      
      Trying to split and transmit a unicast packet in 16 parts will fail for
      the final fragment: After having sent the 15th one with a frag_packet.no
      index of 14, we will increase the index to 15 - and return with an
      error code immediately, even though one more fragment is due for
      transmission and allowed.
      
      Fixing this issue by moving the check before incrementing the index.
      
      While at it, adding an unlikely(), because the check is actually more of
      an assertion.
      
      Fixes: ee75ed88 ("batman-adv: Fragment and send skbs larger than mtu")
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
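The index check described above, as an added example that is not code from the page or from batman-adv: a stand-alone fragmenting loop that can run with the pre-fix ordering (increment, then compare) or the fixed ordering (compare, then increment) on constructed payload sizes; the 16-fragment limit models the 4-bit fragment number field and transmission is stubbed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the fragment header: the on-wire fragment number
 * is a 4-bit field, so a packet may have at most 16 fragments, 0..15. */
#define FRAG_MAX_FRAGMENTS 16

struct frag_packet {
    uint8_t no;   /* index of the fragment being sent */
};

/* Splits payload_len bytes into fragments of at most frag_size bytes and
 * "sends" them (transmission is stubbed). Returns the number of fragments
 * sent, or -1 if the payload needs more than FRAG_MAX_FRAGMENTS pieces.
 *
 * check_before_increment == false reproduces the pre-fix ordering from the
 * commit: the index is bumped and then compared against MAX - 1, which
 * wrongly rejects a packet whose final fragment is exactly number 15.
 * check_before_increment == true applies the fix: compare first, then bump. */
int send_fragments(size_t payload_len, size_t frag_size, bool check_before_increment)
{
    struct frag_packet frag_packet = { .no = 0 };
    size_t remaining = payload_len;
    int sent = 0;

    if (frag_size == 0)
        return -1;

    /* Every iteration sends a non-final fragment; the loop exits when what
     * is left fits into one last fragment. */
    while (remaining > frag_size) {
        sent++;                       /* fragment frag_packet.no goes out here */
        remaining -= frag_size;

        if (check_before_increment) {
            /* Fixed: a non-final fragment numbered 15 means a 17th fragment
             * would be needed, which the 4-bit field cannot express. */
            if (frag_packet.no == FRAG_MAX_FRAGMENTS - 1)
                return -1;
            frag_packet.no++;
        } else {
            frag_packet.no++;
            /* Buggy: after the 15th fragment (no 14 -> 15) this fires,
             * although fragment 15 is still allowed as the final one. */
            if (frag_packet.no == FRAG_MAX_FRAGMENTS - 1)
                return -1;
        }
    }

    /* The final fragment carries index frag_packet.no (at most 15). */
    sent++;
    return sent;
}
```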
    • batman-adv: Fix double free during fragment merge error · 351f7cbf
      Sven Eckelmann authored
      commit 248e23b5 upstream.
      
      The function batadv_frag_skb_buffer was supposed not to consume the skbuff
      on errors. This was followed in the helper function
      batadv_frag_insert_packet when the skb would potentially be inserted in the
      fragment queue. But it could happen that the next helper function
      batadv_frag_merge_packets would try to merge the fragments and fail. This
      results in a kfree_skb of all the enqueued fragments (including the just
      inserted one). batadv_recv_frag_packet would detect the error in
      batadv_frag_skb_buffer and try to free the skb again.
      
      The behavior of batadv_frag_skb_buffer (and its helper
      batadv_frag_insert_packet) must therefore be changed to always consume the
      skbuff to have a common behavior and avoid the double kfree_skb.
      
      Fixes: 610bfc6b ("batman-adv: Receive fragmented packets and merge")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • efi: Add a sanity check to efivar_store_raw() · af83aa2e
      Vladis Dronov authored
      commit d6c066fd upstream.
      
      Add a sanity check to efivar_store_raw() the same way
      efivar_{attr,size,data}_read() and efivar_show_raw() have it.
      
      Signed-off-by: Vladis Dronov <vdronov@redhat.com>
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200305084041.24053-3-vdronov@redhat.com
      Link: https://lore.kernel.org/r/20200308080859.21568-25-ardb@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ipv6: restrict IPV6_ADDRFORM operation · 11ac2ba0
      Eric Dumazet authored
      commit b6f61189 upstream.
      
      IPV6_ADDRFORM is able to transform IPv6 socket to IPv4 one.
      While this operation sounds illogical, we have to support it.
      
      One of the things it does for TCP socket is to switch sk->sk_prot
      to tcp_prot.
      
      We now have other layers playing with sk->sk_prot, so we should make
      sure to not interfere with them.
      
      This patch makes sure sk_prot is the default pointer for TCP IPv6 socket.
      
      syzbot reported:
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      PGD a0113067 P4D a0113067 PUD a8771067 PMD 0
      Oops: 0010 [#1] PREEMPT SMP KASAN
      CPU: 0 PID: 10686 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:0x0
      Code: Bad RIP value.
      Call Trace:
       inet_release+0x165/0x1c0 net/ipv4/af_inet.c:427
       __sock_release net/socket.c:605 [inline]
       sock_close+0xe1/0x260 net/socket.c:1283
       __fput+0x2e4/0x740 fs/file_table.c:280
       ____fput+0x15/0x20 fs/file_table.c:313
       task_work_run+0x176/0x1b0 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:188 [inline]
       exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
       prepare_exit_to_usermode+0x480/0x5b0 arch/x86/entry/common.c:195
       syscall_return_slowpath+0x113/0x4a0 arch/x86/entry/common.c:278
       do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 604326b4 ("bpf, sockmap: convert to generic sk_msg interface")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot+1938db17e275e85dc328@syzkaller.appspotmail.com
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iommu/vt-d: Ignore devices with out-of-spec domain number · 159ba998
      Daniel Drake authored
      commit da72a379 upstream.
      
      VMD subdevices are created with a PCI domain ID of 0x10000 or
      higher.
      
      These subdevices are also handled like all other PCI devices by
      dmar_pci_bus_notifier().
      
      However, when dmar_alloc_pci_notify_info() takes records of such devices,
      it will truncate the domain ID to a u16 value (in info->seg).
      The device at (e.g.) 10000:00:02.0 is then treated by the DMAR code as if
      it is 0000:00:02.0.
      
      In the unlucky event that a real device also exists at 0000:00:02.0 and
      also has a device-specific entry in the DMAR table,
      dmar_insert_dev_scope() will crash on:
         BUG_ON(i >= devices_cnt);
      
      That's basically a sanity check that only one PCI device matches a
      single DMAR entry; in this case we seem to have two matching devices.
      
      Fix this by ignoring devices that have a domain number higher than
      what can be looked up in the DMAR table.
      
      This problem was carefully diagnosed by Jian-Hong Pan.
      
      Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: Daniel Drake <drake@endlessm.com>
      Fixes: 59ce0515 ("iommu/vt-d: Update DRHD/RMRR/ATSR device scope caches when PCI hotplug happens")
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iommu/vt-d: Fix the wrong printing in RHSA parsing · 1d66a550
      Zhenzhong Duan authored
      commit b0bb0c22 upstream.
      
      When base address in RHSA structure doesn't match base address in
      each DRHD structure, the base address in last DRHD is printed out.
      
      This doesn't make sense when there are multiple DRHD units, fix it
      by printing the buggy RHSA's base address.
      
      Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
      Fixes: fd0c8894 ("intel-iommu: Set a more specific taint flag for invalid BIOS DMAR tables")
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() · cb87b895
      qize wang authored
      commit 1e58252e upstream.
      
      mwifiex_process_tdls_action_frame() does not check the incoming TDLS
      information element's validity before using it, which may cause multiple
      heap buffer overflows.
      
      Fix them by putting a validity check before using it.
      
      An IE is a TLV struct, but ht_cap and ht_oper aren't TLV structs.
      The original Marvell driver code is wrong:
      
      memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
      memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...
      
      Fix the bug by changing pos(the address of IE) to
      pos+2 ( the address of IE value ).
      
      Signed-off-by: qize wang <wangqize888888888@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Matthias Maennich <maennich@google.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
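A defensive parser for the TLV-encoded information elements the commit describes, as an added example that is not code from the page or from the mwifiex driver: every element length is checked against the remaining frame before anything is copied, the HT elements are copied from the value at pos + 2 rather than from the header at pos, and a wrong-sized element is rejected. Element ids 45 and 61 and value lengths 26 and 22 are those of the 802.11 HT Capabilities and HT Operation elements; the `tdls_cap` struct and the sample frames are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 802.11 element ids and value lengths of the two fixed-size HT elements. */
#define EID_HT_CAPABILITY 45
#define EID_HT_OPERATION  61
#define HT_CAP_LEN        26
#define HT_OPER_LEN       22

/* Constructed placeholder for the per-station capability record; the
 * driver copies into ieee80211 structs of the same sizes. */
struct tdls_cap {
    uint8_t ht_capb[HT_CAP_LEN];
    uint8_t ht_oper[HT_OPER_LEN];
    bool has_ht_capb;
    bool has_ht_oper;
};

/* Walks a buffer of [id][len][value...] elements. Returns 0 when every
 * element was well formed, -1 at the first truncated or wrong-sized one.
 * Nothing is copied into *cap before the element holding it is validated,
 * so a malformed frame can neither be read past nor overflow the record. */
int parse_tdls_ies(const uint8_t *buf, size_t len, struct tdls_cap *cap)
{
    const uint8_t *pos = buf, *end = buf + len;

    memset(cap, 0, sizeof(*cap));
    while (pos < end) {
        uint8_t id, ie_len;

        if (end - pos < 2)                      /* room for the 2-byte header? */
            return -1;
        id = pos[0];
        ie_len = pos[1];
        if ((size_t)(end - pos) - 2 < ie_len)   /* value inside the frame? */
            return -1;

        switch (id) {
        case EID_HT_CAPABILITY:
            if (ie_len != HT_CAP_LEN)
                return -1;
            memcpy(cap->ht_capb, pos + 2, HT_CAP_LEN);  /* value, not header */
            cap->has_ht_capb = true;
            break;
        case EID_HT_OPERATION:
            if (ie_len != HT_OPER_LEN)
                return -1;
            memcpy(cap->ht_oper, pos + 2, HT_OPER_LEN);
            cap->has_ht_oper = true;
            break;
        default:
            break;                              /* unknown element: skip it */
        }
        pos += 2 + ie_len;
    }
    return 0;
}

/* Constructed frame: a 3-byte vendor element (id 221), an HT capability
 * element whose first value byte is 0xAB, then an HT operation element.
 * Returns 1 if parsing succeeds and the value (not the header, which the
 * original copy from pos would have produced) landed in ht_capb. */
int demo_well_formed(void)
{
    uint8_t frame[2 + 3 + 2 + HT_CAP_LEN + 2 + HT_OPER_LEN] = {0};
    struct tdls_cap cap;
    size_t off = 0;

    frame[off++] = 221; frame[off++] = 3; off += 3;
    frame[off++] = EID_HT_CAPABILITY; frame[off++] = HT_CAP_LEN;
    frame[off] = 0xAB; off += HT_CAP_LEN;
    frame[off++] = EID_HT_OPERATION; frame[off++] = HT_OPER_LEN;
    off += HT_OPER_LEN;
    if (parse_tdls_ies(frame, off, &cap) != 0)
        return 0;
    return cap.has_ht_capb && cap.has_ht_oper && cap.ht_capb[0] == 0xAB;
}

/* Constructed truncated frame: the element claims 26 value bytes but only
 * 10 follow, so an unchecked copy would read past the end of the frame. */
int demo_truncated(void)
{
    uint8_t frame[2 + 10] = { EID_HT_CAPABILITY, HT_CAP_LEN };
    struct tdls_cap cap;

    return parse_tdls_ies(frame, sizeof(frame), &cap);   /* -1 */
}

/* Constructed element with a plausible but wrong length: rejected, because
 * the fixed-size copy would otherwise take 26 bytes where only 10 belong
 * to the element. */
int demo_wrong_size(void)
{
    uint8_t frame[2 + 10] = { EID_HT_CAPABILITY, 10 };
    struct tdls_cap cap;

    return parse_tdls_ies(frame, sizeof(frame), &cap);   /* -1 */
}
```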
    • netfilter: cthelper: add missing attribute validation for cthelper · a2ecb2d1
      Jakub Kicinski authored
      commit c049b345 upstream.
      
      Add missing attribute validation for cthelper
      to the netlink policy.
      
      Fixes: 12f7a505 ("netfilter: add user-space connection tracking helper infrastructure")
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • nl80211: add missing attribute validation for channel switch · 85a7e73a
      Jakub Kicinski authored
      commit 5cde05c6 upstream.
      
      Add missing attribute validation for NL80211_ATTR_OPER_CLASS
      to the netlink policy.
      
      Fixes: 1057d35e ("cfg80211: introduce TDLS channel switch commands")
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20200303051058.4089398-4-kuba@kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • nl80211: add missing attribute validation for beacon report scanning · 0a626cd0
      Jakub Kicinski authored
      commit 056e9375 upstream.
      
      Add missing attribute validation for beacon report scanning
      to the netlink policy.
      
      Fixes: 1d76250b ("nl80211: support beacon report scanning")
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20200303051058.4089398-3-kuba@kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • nl80211: add missing attribute validation for critical protocol indication · d4ffeafd
      Jakub Kicinski authored
      commit 0e1a1d85 upstream.
      
      Add missing attribute validation for critical protocol fields
      to the netlink policy.
      
      Fixes: 5de17984 ("cfg80211: introduce critical protocol indication from user-space")
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20200303051058.4089398-2-kuba@kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page · 045bf097
      Yonghyun Hwang authored
      commit 77a1bce8 upstream.
      
      intel_iommu_iova_to_phys() has a bug when it translates an IOVA for a huge
      page onto its corresponding physical address. This commit fixes the bug by
      accommodating the level of page entry for the IOVA and adds IOVA's lower
      address to the physical address.
      
      Cc: <stable@vger.kernel.org>
      Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
      Reviewed-by: Moritz Fischer <mdf@kernel.org>
      Signed-off-by: Yonghyun Hwang <yonghyun@google.com>
      Fixes: 38717946 ("VT-d: Changes to support KVM")
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint · 5145afc8
      Hans de Goede authored
      commit 59833696 upstream.
      
      Quoting from the comment describing the WARN functions in
      include/asm-generic/bug.h:
      
       * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report
       * significant kernel issues that need prompt attention if they should ever
       * appear at runtime.
       *
       * Do not use these macros when checking for invalid external inputs
      
      The (buggy) firmware tables which the dmar code was calling WARN_TAINT
      for really are invalid external inputs. They are not under the kernel's
      control and the issues in them cannot be fixed by a kernel update.
      So logging a backtrace, which invites bug reports to be filed about this,
      is not helpful.
      
      Some distros, e.g. Fedora, have tools watching for the kernel backtraces
      logged by the WARN macros and offer the user an option to file a bug for
      this when these are encountered. The WARN_TAINT in warn_invalid_dmar()
      + another iommu WARN_TAINT, addressed in another patch, have led to over
      100 bugs being filed this way.
      
      This commit replaces the WARN_TAINT("...") calls, with
      pr_warn(FW_BUG "...") + add_taint(TAINT_FIRMWARE_WORKAROUND, ...) calls
      avoiding the backtrace and thus also avoiding bug-reports being filed
      about this against the kernel.
      
      Fixes: fd0c8894 ("intel-iommu: Set a more specific taint flag for invalid BIOS DMAR tables")
      Fixes: e625b4a9 ("iommu/vt-d: Parse ANDD records")
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
      Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20200309140138.3753-2-hdegoede@redhat.com
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1564895
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • efi: Fix a race and a buffer overflow while reading efivars via sysfs · 16d8f5de
      Vladis Dronov authored
      commit 286d3250 upstream.
      
      There is a race and a buffer overflow corrupting kernel memory while
      reading an EFI variable with a size of more than 1024 bytes via the older
      sysfs method. This happens because accessing struct efi_variable in
      efivar_{attr,size,data}_read() and friends is not protected from
      concurrent access, leading to kernel memory corruption and, at best,
      to a crash. The race scenario is the following:
      
      CPU0:                                CPU1:
      efivar_attr_read()
        var->DataSize = 1024;
        efivar_entry_get(... &var->DataSize)
          down_interruptible(&efivars_lock)
                                           efivar_attr_read() // same EFI var
                                             var->DataSize = 1024;
                                             efivar_entry_get(... &var->DataSize)
                                               down_interruptible(&efivars_lock)
          virt_efi_get_variable()
          // returns EFI_BUFFER_TOO_SMALL but
          // var->DataSize is set to a real
          // var size more than 1024 bytes
          up(&efivars_lock)
                                               virt_efi_get_variable()
                                               // called with var->DataSize set
                                               // to a real var size, returns
                                               // successfully and overwrites
                                               // a 1024-bytes kernel buffer
                                               up(&efivars_lock)
      
      This can be reproduced by concurrently reading an EFI variable whose size
      is more than 1024 bytes:
      
        ts# for cpu in $(seq 0 $(nproc --ignore=1)); do ( taskset -c $cpu \
        cat /sys/firmware/efi/vars/KEKDefault*/size & ) ; done
      
      Fix this by using a local variable for a var's data buffer size so it
      does not get overwritten.
      
      Fixes: e14ab23d ("efivars: efivar_entry API")
      Reported-by: Bob Sanders <bob.sanders@hpe.com> and the LTP testsuite
      Signed-off-by: Vladis Dronov <vdronov@redhat.com>
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200305084041.24053-2-vdronov@redhat.com
      Link: https://lore.kernel.org/r/20200308080859.21568-24-ardb@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
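The interleaving in the commit message, replayed on a single thread as an added example (not code from the commit or the kernel): a constructed stand-in for the firmware's GetVariable() contract shows why a size field shared between two readers lets the second reader be told to copy the full variable into the 1024-byte buffer, and why a per-call local size, as the fix describes, does not. All names here (fake_get_variable, struct shared_var, the 2048-byte variable) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the firmware's GetVariable() contract: when the
 * caller's size is too small, the real size is written back and
 * EFI_BUFFER_TOO_SMALL is returned without copying. Values are made up. */
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5
#define EFI_WOULD_OVERFLOW   (-1)   /* example-only sentinel, not an EFI status */
#define FIXED_BUF            1024   /* size of the sysfs read buffer (var->Data) */
#define REAL_VAR_SIZE        2048   /* constructed variable larger than the buffer */

static uint8_t fake_var_store[REAL_VAR_SIZE];
static int overflow_attempts;       /* how often firmware was asked to overrun Data */

static int fake_get_variable(unsigned long *size, uint8_t *buf, size_t buf_cap)
{
    if (*size < REAL_VAR_SIZE) {
        *size = REAL_VAR_SIZE;      /* firmware reports the real size back */
        return EFI_BUFFER_TOO_SMALL;
    }
    /* Real firmware trusts *size and writes that many bytes. The guard below
     * exists only so the example stays memory-safe while still detecting
     * the condition that corrupts kernel memory in the unfixed driver. */
    if (*size > buf_cap) {
        overflow_attempts++;
        return EFI_WOULD_OVERFLOW;
    }
    memcpy(buf, fake_var_store, *size);
    return EFI_SUCCESS;
}

/* Shape of the shared per-variable object both sysfs readers operate on. */
struct shared_var {
    unsigned long DataSize;
    uint8_t Data[FIXED_BUF];
};

/* Unfixed pattern, in the interleaving from the commit message: both readers
 * set var->DataSize = 1024, CPU0's firmware call returns TOO_SMALL and raises
 * DataSize to 2048, and CPU1's call then runs with that size against the
 * same 1024-byte Data buffer. Returns the number of overflow attempts. */
int replay_shared_size_race(void)
{
    struct shared_var var;
    overflow_attempts = 0;
    var.DataSize = FIXED_BUF;                                   /* CPU0 */
    var.DataSize = FIXED_BUF;                                   /* CPU1 */
    fake_get_variable(&var.DataSize, var.Data, sizeof var.Data); /* CPU0: TOO_SMALL */
    fake_get_variable(&var.DataSize, var.Data, sizeof var.Data); /* CPU1: size 2048 */
    return overflow_attempts;       /* 1: CPU1 was told to copy 2048 bytes */
}

/* Fixed pattern described by the commit: each reader passes a local size, so
 * the other reader's TOO_SMALL result cannot enlarge it under its feet. */
int replay_local_size(void)
{
    struct shared_var var;
    unsigned long size0 = sizeof var.Data;                      /* CPU0's own size */
    unsigned long size1 = sizeof var.Data;                      /* CPU1's own size */
    overflow_attempts = 0;
    fake_get_variable(&size0, var.Data, sizeof var.Data);       /* CPU0: TOO_SMALL */
    fake_get_variable(&size1, var.Data, sizeof var.Data);       /* CPU1: TOO_SMALL */
    var.DataSize = size1;           /* publish firmware's answer only after the call */
    return overflow_attempts;       /* 0: neither call copies past the buffer */
}

int main(void)
{
    printf("shared DataSize: %d overflow attempt(s)\n", replay_shared_size_race());
    printf("local size:      %d overflow attempt(s)\n", replay_local_size());
    return 0;
}
```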
    • ARC: define __ALIGN_STR and __ALIGN symbols for ARC · b5badebc
      Eugeniy Paltsev authored
      commit 8d92e992 upstream.
      
      The default definitions use fill pattern 0x90 for padding, which for ARC
      generates an unintended "ldh_s r12,[r0,0x20]" corresponding to opcode 0x9090.

      So use ".align 4", which inserts a "nop_s" instruction instead.
      
      Cc: stable@vger.kernel.org
      Acked-by: Vineet Gupta <vgupta@synopsys.com>
      Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • KVM: x86: clear stale x86_emulate_ctxt->intercept value · 3a91d55c
      Vitaly Kuznetsov authored
      commit 342993f9 upstream.
      
      After commit 07721fee ("KVM: nVMX: Don't emulate instructions in guest
      mode") Hyper-V guests on KVM stopped booting with:
      
       kvm_nested_vmexit:    rip fffff802987d6169 reason EPT_VIOLATION info1 181
          info2 0 int_info 0 int_info_err 0
       kvm_page_fault:       address febd0000 error_code 181
       kvm_emulate_insn:     0:fffff802987d6169: f3 a5
       kvm_emulate_insn:     0:fffff802987d6169: f3 a5 FAIL
       kvm_inj_exception:    #UD (0x0)
      
      "f3 a5" is a "rep movsw" instruction, which should not be intercepted
      at all.  Commit c44b4c6a ("KVM: emulate: clean up initializations in
      init_decode_cache") reduced the number of fields cleared by
      init_decode_cache() claiming that they are being cleared elsewhere,
      'intercept', however, is left uncleared if the instruction does not have
      any of the "slow path" flags (NotImpl, Stack, Op3264, Sse, Mmx, CheckPerm,
      NearBranch, No16 and of course Intercept itself).
      
      Fixes: c44b4c6a ("KVM: emulate: clean up initializations in init_decode_cache")
      Fixes: 07721fee ("KVM: nVMX: Don't emulate instructions in guest mode")
      Cc: stable@vger.kernel.org
      Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
      Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache · c919b9a1
      Al Viro authored
      commit 21039132 upstream.
      
      With the way fs/namei.c:do_last() had been done, ->atomic_open()
      instances needed to recognize the case when an existing file got
      found with O_EXCL|O_CREAT, either by falling back to finish_no_open()
      or by failing themselves.  The gfs2 one didn't.
      
      Fixes: 6d4ade98 (GFS2: Add atomic_open support)
      Cc: stable@kernel.org # v3.11
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cifs_atomic_open(): fix double-put on late allocation failure · ca9a513b
      Al Viro authored
      commit d9a9f484 upstream.
      
      Several iterations of ->atomic_open() calling conventions ago, we
      used to need fput() if ->atomic_open() failed at some point after
      successful finish_open().  Now (since 2016) it's not needed -
      struct file carries enough state to make fput() work regardless
      of the point in struct file lifecycle and discarding it on
      failure exits in open() got unified.  Unfortunately, I'd missed
      the fact that we had an instance of ->atomic_open() (cifs one)
      that used to need that fput(), as well as the stale comment in
      finish_open() demanding such late failure handling.  Trivially
      fixed...
      
      Fixes: fe9ec829 "do_last(): take fput() on error after opening to out:"
      Cc: stable@kernel.org # v4.7+
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • drm/amd/display: remove duplicated assignment to grph_obj_type · 346ff2f6
      Colin Ian King authored
      commit d785476c upstream.
      
      Variable grph_obj_type is being assigned twice, one of these is
      redundant so remove it.
      
      Addresses-Coverity: ("Evaluation order violation")
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
      Cc: <nobuhiro1.iwamatsu@toshiba.co.jp>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • workqueue: don't use wq_select_unbound_cpu() for bound works · 3772b93d
      Hillf Danton authored
      commit aa202f1f upstream.
      
      wq_select_unbound_cpu() is designed for unbound workqueues only, but
      it's wrongly called when using a bound workqueue too.
      
      Fixing this ensures work queued to a bound workqueue with
      cpu=WORK_CPU_UNBOUND always runs on the local CPU.
      
      Before, that would happen only if wq_unbound_cpumask happened to include
      it (likely almost always the case), or was empty, or we got lucky with
      forced round-robin placement.  So restricting
      /sys/devices/virtual/workqueue/cpumask to a small subset of a machine's
      CPUs would cause some bound work items to run unexpectedly there.
      
      Fixes: ef557180 ("workqueue: schedule WORK_CPU_UNBOUND work on wq_unbound_cpumask CPUs")
      Cc: stable@vger.kernel.org # v4.5+
      Signed-off-by: Hillf Danton <hdanton@sina.com>
      [dj: massage changelog]
      Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Lai Jiangshan <jiangshanlai@gmail.com>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint · 412c17e2
      Hans de Goede authored
      commit 81ee85d0 upstream.
      
      Quoting from the comment describing the WARN functions in
      include/asm-generic/bug.h:
      
       * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report
       * significant kernel issues that need prompt attention if they should ever
       * appear at runtime.
       *
       * Do not use these macros when checking for invalid external inputs
      
      The (buggy) firmware tables which the dmar code was calling WARN_TAINT
      for really are invalid external inputs. They are not under the kernel's
      control and the issues in them cannot be fixed by a kernel update.
      So logging a backtrace, which invites bug reports to be filed about this,
      is not helpful.
      
      Fixes: 556ab45f ("ioat2: catch and recover from broken vtd configurations v6")
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
      Link: https://lore.kernel.org/r/20200309182510.373875-1-hdegoede@redhat.com
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=701847
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • virtio-blk: fix hw_queue stopped on arbitrary error · 64007a74
      Halil Pasic authored
      commit f5f6b95c upstream.
      
      Since nobody else is going to restart our hw_queue for us, the
      blk_mq_start_stopped_hw_queues() in virtblk_done() is not
      necessarily sufficient to ensure that the queue will get started again.
      In case of global resource outage (-ENOMEM because of mapping failure,
      because of swiotlb full) our virtqueue may be empty and we can get
      stuck with a stopped hw_queue.

      Let us not stop the queue on arbitrary errors, but only on -ENOSPC, which
      indicates a full virtqueue, where the hw_queue is guaranteed to get
      started by virtblk_done() before it makes sense to carry on
      submitting requests. Let us also remove a stale comment.

      Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Fixes: f7728002 ("virtio_ring: fix return code on DMA mapping fails")
      Link: https://lore.kernel.org/r/20200213123728.61216-2-pasic@linux.ibm.com
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: phy: fix MDIO bus PM PHY resuming · e9ed467f
      Heiner Kallweit authored
      [ Upstream commit 611d779a ]
      
      So far we have the unfortunate situation that mdio_bus_phy_may_suspend()
      is called in suspend AND resume path, assuming that function result is
      the same. After the original change this is no longer the case,
      resulting in broken resume as reported by Geert.
      
      To fix this call mdio_bus_phy_may_suspend() in the suspend path only,
      and let the phy_device store the info whether it was suspended by
      MDIO bus PM.
      
      Fixes: 503ba7c6 ("net: phy: Avoid multiple suspends")
      Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cgroup: memcg: net: do not associate sock with unrelated cgroup · 529f4b7a
      Shakeel Butt authored
      [ Upstream commit e876ecc6 ]
      
      We are testing network memory accounting in our setup and noticed
      inconsistent network memory usage and often unrelated cgroups network
      usage correlates with testing workload. On further inspection, it
      seems like mem_cgroup_sk_alloc() and cgroup_sk_alloc() are broken in
      irq context specially for cgroup v1.
      
      mem_cgroup_sk_alloc() and cgroup_sk_alloc() can be called in irq context
      and kind of assumes that this can only happen from sk_clone_lock()
      and the source sock object has already associated cgroup. However in
      cgroup v1, where network memory accounting is opt-in, the source sock
      can be unassociated with any cgroup and the new cloned sock can get
      associated with unrelated interrupted cgroup.
      
      Cgroup v2 can also suffer if the source sock object was created by
      process in the root cgroup or if sk_alloc() is called in irq context.
      The fix is to just do nothing in interrupt.
      
      WARNING: Please note that about half of the TCP sockets are allocated
      from the IRQ context, so, memory used by such sockets will not be
      accounted by the memcg.
      
      The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
      
      CPU: 70 PID: 12720 Comm: ssh Tainted:  5.6.0-smp-DEV #1
      Hardware name: ...
      Call Trace:
       <IRQ>
       dump_stack+0x57/0x75
       mem_cgroup_sk_alloc+0xe9/0xf0
       sk_clone_lock+0x2a7/0x420
       inet_csk_clone_lock+0x1b/0x110
       tcp_create_openreq_child+0x23/0x3b0
       tcp_v6_syn_recv_sock+0x88/0x730
       tcp_check_req+0x429/0x560
       tcp_v6_rcv+0x72d/0xa40
       ip6_protocol_deliver_rcu+0xc9/0x400
       ip6_input+0x44/0xd0
       ? ip6_protocol_deliver_rcu+0x400/0x400
       ip6_rcv_finish+0x71/0x80
       ipv6_rcv+0x5b/0xe0
       ? ip6_sublist_rcv+0x2e0/0x2e0
       process_backlog+0x108/0x1e0
       net_rx_action+0x26b/0x460
       __do_softirq+0x104/0x2a6
       do_softirq_own_stack+0x2a/0x40
       </IRQ>
       do_softirq.part.19+0x40/0x50
       __local_bh_enable_ip+0x51/0x60
       ip6_finish_output2+0x23d/0x520
       ? ip6table_mangle_hook+0x55/0x160
       __ip6_finish_output+0xa1/0x100
       ip6_finish_output+0x30/0xd0
       ip6_output+0x73/0x120
       ? __ip6_finish_output+0x100/0x100
       ip6_xmit+0x2e3/0x600
       ? ipv6_anycast_cleanup+0x50/0x50
       ? inet6_csk_route_socket+0x136/0x1e0
       ? skb_free_head+0x1e/0x30
       inet6_csk_xmit+0x95/0xf0
       __tcp_transmit_skb+0x5b4/0xb20
       __tcp_send_ack.part.60+0xa3/0x110
       tcp_send_ack+0x1d/0x20
       tcp_rcv_state_process+0xe64/0xe80
       ? tcp_v6_connect+0x5d1/0x5f0
       tcp_v6_do_rcv+0x1b1/0x3f0
       ? tcp_v6_do_rcv+0x1b1/0x3f0
       __release_sock+0x7f/0xd0
       release_sock+0x30/0xa0
       __inet_stream_connect+0x1c3/0x3b0
       ? prepare_to_wait+0xb0/0xb0
       inet_stream_connect+0x3b/0x60
       __sys_connect+0x101/0x120
       ? __sys_getsockopt+0x11b/0x140
       __x64_sys_connect+0x1a/0x20
       do_syscall_64+0x51/0x200
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 2d758073 ("mm: memcontrol: consolidate cgroup socket tracking")
      Fixes: d979a39d ("cgroup: duplicate cgroup reference when cloning sockets")
      Signed-off-by: Shakeel Butt <shakeelb@google.com>
      Reviewed-by: Roman Gushchin <guro@fb.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bonding/alb: make sure arp header is pulled before accessing it · 9fc9ba07
      Eric Dumazet authored
      commit b7469e83 upstream.
      
      Similar to commit 38f88c45 ("bonding/alb: properly access headers
      in bond_alb_xmit()"), we need to make sure arp header was pulled
      in skb->head before blindly accessing it in rlb_arp_xmit().
      
      Remove the arp_pkt() private helper, since it is more readable/obvious
      to have the following construct back to back:
      
      	if (!pskb_network_may_pull(skb, sizeof(*arp)))
      		return NULL;
      	arp = (struct arp_pkt *)skb_network_header(skb);
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
      BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
      BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
      CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
       rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
       bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
       __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline]
       bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282
       __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
       netdev_start_xmit include/linux/netdevice.h:4538 [inline]
       xmit_one net/core/dev.c:3470 [inline]
       dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486
       __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096
       packet_snd net/packet/af_packet.c:2967 [inline]
       packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg net/socket.c:672 [inline]
       __sys_sendto+0xc1b/0xc50 net/socket.c:1998
       __do_sys_sendto net/socket.c:2010 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:2006
       __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2793 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
       __kmalloc_reserve net/core/skbuff.c:142 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
       alloc_skb include/linux/skbuff.h:1051 [inline]
       alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
       sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
       packet_alloc_skb net/packet/af_packet.c:2815 [inline]
       packet_snd net/packet/af_packet.c:2910 [inline]
       packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg net/socket.c:672 [inline]
       __sys_sendto+0xc1b/0xc50 net/socket.c:1998
       __do_sys_sendto net/socket.c:2010 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:2006
       __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • slip: make slhc_compress() more robust against malicious packets · 7a7c8ba5
      Eric Dumazet authored
      [ Upstream commit 110a40df ]
      
      Before accessing various fields in the IPv4 network header
      and TCP header, make sure the packet:

      - Has IP version 4 (ip->version == 4)
      - Does not have a silly network header length (ip->ihl >= 5)
      - Is big enough to hold network and transport headers
      - Does not have a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4)
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
      CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
       ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline]
       __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495
       ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516
       ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512
       do_loop_readv_writev fs/read_write.c:717 [inline]
       do_iter_write+0x812/0xdc0 fs/read_write.c:1000
       compat_writev+0x2df/0x5a0 fs/read_write.c:1351
       do_compat_pwritev64 fs/read_write.c:1400 [inline]
       __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
       __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
       __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2793 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
       __kmalloc_reserve net/core/skbuff.c:142 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
       alloc_skb include/linux/skbuff.h:1051 [inline]
       ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500
       do_loop_readv_writev fs/read_write.c:717 [inline]
       do_iter_write+0x812/0xdc0 fs/read_write.c:1000
       compat_writev+0x2df/0x5a0 fs/read_write.c:1351
       do_compat_pwritev64 fs/read_write.c:1400 [inline]
       __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
       __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
       __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      
      Fixes: b5451d78 ("slip: Move the SLIP drivers")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
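The four checks listed in the commit message, written out as an added example (not the kernel's slhc.c code) against constructed packets: the validator refuses to read any header field before the bytes that hold it are known to be inside the buffer, which is what KMSAN flagged. The header layouts, the hdr_check result codes and the make_packet/check_constructed helpers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal IPv4 and TCP header layouts holding the fields the checks use.
 * Constructed for this example; not the kernel's struct iphdr / tcphdr. */
struct ipv4_hdr {
    uint8_t  ver_ihl;     /* version (high nibble), IHL in 32-bit words (low nibble) */
    uint8_t  tos;
    uint16_t tot_len;
    uint8_t  rest[16];    /* id, frag, ttl, protocol, csum, saddr, daddr */
};

struct tcp_hdr {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  doff_res;    /* data offset in 32-bit words (high nibble) */
    uint8_t  flags;
    uint16_t window, csum, urg;
};

enum hdr_check {
    HDR_OK = 0,
    HDR_TOO_SHORT_FOR_IP,
    HDR_BAD_VERSION,
    HDR_BAD_IHL,
    HDR_TOO_SHORT_FOR_TCP,
    HDR_BAD_DOFF,
};

/* Applies the commit's checks in order to a raw buffer of len bytes. Each
 * field is read only after the length check that makes the read safe. */
enum hdr_check validate_ipv4_tcp(const uint8_t *pkt, size_t len)
{
    const struct ipv4_hdr *ip;
    const struct tcp_hdr *th;
    size_t ihl_bytes;

    /* A full minimal IPv4 header must be present before ip->fields are read. */
    if (len < sizeof(struct ipv4_hdr))
        return HDR_TOO_SHORT_FOR_IP;
    ip = (const struct ipv4_hdr *)pkt;

    /* ip->version == 4: the link may hand us IPv6 or arbitrary bytes. */
    if ((ip->ver_ihl >> 4) != 4)
        return HDR_BAD_VERSION;

    /* ip->ihl >= 5: fewer words cannot even hold the fixed header. */
    ihl_bytes = (size_t)(ip->ver_ihl & 0x0f) * 4;
    if (ihl_bytes < sizeof(struct ipv4_hdr))
        return HDR_BAD_IHL;

    /* Network and transport headers must both fit before th->doff is read. */
    if (len < ihl_bytes + sizeof(struct tcp_hdr))
        return HDR_TOO_SHORT_FOR_TCP;
    th = (const struct tcp_hdr *)(pkt + ihl_bytes);

    /* th->doff >= sizeof(struct tcphdr) / 4, i.e. at least 5 words. */
    if ((size_t)(th->doff_res >> 4) < sizeof(struct tcp_hdr) / 4)
        return HDR_BAD_DOFF;

    return HDR_OK;
}

/* Builds a zero-filled constructed packet with the given version, IHL and
 * data offset: IP header, TCP header and 8 payload bytes. Returns its length. */
static size_t make_packet(uint8_t *buf, size_t cap, uint8_t ver, uint8_t ihl, uint8_t doff)
{
    size_t len = (size_t)ihl * 4 + sizeof(struct tcp_hdr) + 8;
    memset(buf, 0, cap);
    buf[0] = (uint8_t)((ver << 4) | (ihl & 0x0f));
    if ((size_t)ihl * 4 + 12 < cap)
        buf[(size_t)ihl * 4 + 12] = (uint8_t)(doff << 4);   /* th->doff */
    return len > cap ? cap : len;
}

/* Builds a packet, optionally truncates it (0 = keep whole), and checks it. */
enum hdr_check check_constructed(uint8_t ver, uint8_t ihl, uint8_t doff, size_t truncate_to)
{
    _Alignas(4) uint8_t buf[128];
    size_t len = make_packet(buf, sizeof buf, ver, ihl, doff);
    if (truncate_to && truncate_to < len)
        len = truncate_to;
    return validate_ipv4_tcp(buf, len);
}
```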