1. 12 May, 2022 4 commits
  2. 11 May, 2022 12 commits
  3. 10 May, 2022 9 commits
  4. 09 May, 2022 10 commits
  5. 06 May, 2022 5 commits
    • Kees Cook's avatar
      net: chelsio: cxgb4: Avoid potential negative array offset · 1c7ab9cd
      Kees Cook authored
      Using min_t(int, ...) as a potential array index implies to the compiler
      that negative offsets should be allowed. This is not the case, though.
      Replace "int" with "unsigned int". Fixes the following warning exposed
      under future CONFIG_FORTIFY_SOURCE improvements:
      
      In file included from include/linux/string.h:253,
                       from include/linux/bitmap.h:11,
                       from include/linux/cpumask.h:12,
                       from include/linux/smp.h:13,
                       from include/linux/lockdep.h:14,
                       from include/linux/rcupdate.h:29,
                       from include/linux/rculist.h:11,
                       from include/linux/pid.h:5,
                       from include/linux/sched.h:14,
                       from include/linux/delay.h:23,
                       from drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:35:
      drivers/net/ethernet/chelsio/cxgb4/t4_hw.c: In function 't4_get_raw_vpd_params':
      include/linux/fortify-string.h:46:33: warning: '__builtin_memcpy' pointer overflow between offset 29 and size [2147483648, 4294967295] [-Warray-bounds]
         46 | #define __underlying_memcpy     __builtin_memcpy
            |                                 ^
      include/linux/fortify-string.h:388:9: note: in expansion of macro '__underlying_memcpy'
        388 |         __underlying_##op(p, q, __fortify_size);                        \
            |         ^~~~~~~~~~~~~
      include/linux/fortify-string.h:433:26: note: in expansion of macro '__fortify_memcpy_chk'
        433 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
            |                          ^~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:2796:9: note: in expansion of macro 'memcpy'
       2796 |         memcpy(p->id, vpd + id, min_t(int, id_len, ID_LEN));
            |         ^~~~~~
      include/linux/fortify-string.h:46:33: warning: '__builtin_memcpy' pointer overflow between offset 0 and size [2147483648, 4294967295] [-Warray-bounds]
         46 | #define __underlying_memcpy     __builtin_memcpy
            |                                 ^
      include/linux/fortify-string.h:388:9: note: in expansion of macro '__underlying_memcpy'
        388 |         __underlying_##op(p, q, __fortify_size);                        \
            |         ^~~~~~~~~~~~~
      include/linux/fortify-string.h:433:26: note: in expansion of macro '__fortify_memcpy_chk'
        433 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
            |                          ^~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:2798:9: note: in expansion of macro 'memcpy'
       2798 |         memcpy(p->sn, vpd + sn, min_t(int, sn_len, SERNUM_LEN));
            |         ^~~~~~
      
      Additionally remove needless cast from u8[] to char * in last strim()
      call.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Link: https://lore.kernel.org/lkml/202205031926.FVP7epJM-lkp@intel.com
      Fixes: fc927929 ("cxgb4: Search VPD with pci_vpd_find_ro_info_keyword()")
      Fixes: 24c521f8 ("cxgb4: Use pci_vpd_find_id_string() to find VPD ID string")
      Cc: Raju Rangoju <rajur@chelsio.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20220505233101.1224230-1-keescook@chromium.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      1c7ab9cd
    • Eric Dumazet's avatar
      netlink: do not reset transport header in netlink_recvmsg() · d5076fe4
      Eric Dumazet authored
      netlink_recvmsg() does not need to change transport header.
      
      If transport header was needed, it should have been reset
      by the producer (netlink_dump()), not the consumer(s).
      
      The following trace probably happened when multiple threads
      were using MSG_PEEK.
      
      BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
      
      write to 0xffff88811e9f15b2 of 2 bytes by task 32012 on cpu 1:
       skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
       netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
       sock_recvmsg_nosec net/socket.c:948 [inline]
       sock_recvmsg net/socket.c:966 [inline]
       __sys_recvfrom+0x204/0x2c0 net/socket.c:2097
       __do_sys_recvfrom net/socket.c:2115 [inline]
       __se_sys_recvfrom net/socket.c:2111 [inline]
       __x64_sys_recvfrom+0x74/0x90 net/socket.c:2111
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      write to 0xffff88811e9f15b2 of 2 bytes by task 32005 on cpu 0:
       skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
       netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
       ____sys_recvmsg+0x162/0x2f0
       ___sys_recvmsg net/socket.c:2674 [inline]
       __sys_recvmsg+0x209/0x3f0 net/socket.c:2704
       __do_sys_recvmsg net/socket.c:2714 [inline]
       __se_sys_recvmsg net/socket.c:2711 [inline]
       __x64_sys_recvmsg+0x42/0x50 net/socket.c:2711
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      value changed: 0xffff -> 0x0000
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 32005 Comm: syz-executor.4 Not tainted 5.18.0-rc1-syzkaller-00328-ge1f700eb-dirty #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20220505161946.2867638-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d5076fe4
    • Lokesh Dhoundiyal's avatar
      ipv4: drop dst in multicast routing path · 9e6c6d17
      Lokesh Dhoundiyal authored
      kmemleak reports the following when routing multicast traffic over an
      ipsec tunnel.
      
      Kmemleak output:
      unreferenced object 0x8000000044bebb00 (size 256):
        comm "softirq", pid 0, jiffies 4294985356 (age 126.810s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 80 00 00 00 05 13 74 80  ..............t.
          80 00 00 00 04 9b bf f9 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<00000000f83947e0>] __kmalloc+0x1e8/0x300
          [<00000000b7ed8dca>] metadata_dst_alloc+0x24/0x58
          [<0000000081d32c20>] __ipgre_rcv+0x100/0x2b8
          [<00000000824f6cf1>] gre_rcv+0x178/0x540
          [<00000000ccd4e162>] gre_rcv+0x7c/0xd8
          [<00000000c024b148>] ip_protocol_deliver_rcu+0x124/0x350
          [<000000006a483377>] ip_local_deliver_finish+0x54/0x68
          [<00000000d9271b3a>] ip_local_deliver+0x128/0x168
          [<00000000bd4968ae>] xfrm_trans_reinject+0xb8/0xf8
          [<0000000071672a19>] tasklet_action_common.isra.16+0xc4/0x1b0
          [<0000000062e9c336>] __do_softirq+0x1fc/0x3e0
          [<00000000013d7914>] irq_exit+0xc4/0xe0
          [<00000000a4d73e90>] plat_irq_dispatch+0x7c/0x108
          [<000000000751eb8e>] handle_int+0x16c/0x178
          [<000000001668023b>] _raw_spin_unlock_irqrestore+0x1c/0x28
      
      The metadata dst is leaked when ip_route_input_mc() updates the dst for
      the skb. Commit f38a9eb1 ("dst: Metadata destinations") correctly
      handled dropping the dst in ip_route_input_slow() but missed the
      multicast case which is handled by ip_route_input_mc(). Drop the dst in
      ip_route_input_mc() avoiding the leak.
      
      Fixes: f38a9eb1 ("dst: Metadata destinations")
      Signed-off-by: default avatarLokesh Dhoundiyal <lokesh.dhoundiyal@alliedtelesis.co.nz>
      Signed-off-by: default avatarChris Packham <chris.packham@alliedtelesis.co.nz>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20220505020017.3111846-1-chris.packham@alliedtelesis.co.nzSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9e6c6d17
    • Michal Michalik's avatar
      ice: fix PTP stale Tx timestamps cleanup · a11b6c1a
      Michal Michalik authored
      Read stale PTP Tx timestamps from PHY on cleanup.
      
      After running out of Tx timestamps request handlers, hardware (HW) stops
      reporting finished requests. Function ice_ptp_tx_tstamp_cleanup() used
      to only clean up stale handlers in driver and was leaving the hardware
      registers not read. Not reading stale PTP Tx timestamps prevents next
      interrupts from arriving and makes timestamping unusable.
      
      Fixes: ea9b847c ("ice: enable transmit timestamps for E810 devices")
      Signed-off-by: default avatarMichal Michalik <michal.michalik@intel.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      a11b6c1a
    • Anatolii Gerasymenko's avatar
      ice: clear stale Tx queue settings before configuring · 6096dae9
      Anatolii Gerasymenko authored
      The iAVF driver uses 3 virtchnl op codes to communicate with the PF
      regarding the VF Tx queues:
      
      * VIRTCHNL_OP_CONFIG_VSI_QUEUES configures the hardware and firmware
      logic for the Tx queues
      
      * VIRTCHNL_OP_ENABLE_QUEUES configures the queue interrupts
      
      * VIRTCHNL_OP_DISABLE_QUEUES disables the queue interrupts and Tx rings.
      
      There is a bug in the iAVF driver due to the race condition between VF
      reset request and shutdown being executed in parallel. This leads to a
      break in logic and VIRTCHNL_OP_DISABLE_QUEUES is not being sent.
      
      If this occurs, the PF driver never cleans up the Tx queues. This results
      in leaving behind stale Tx queue settings in the hardware and firmware.
      
      The most obvious outcome is that upon the next
      VIRTCHNL_OP_CONFIG_VSI_QUEUES, the PF will fail to program the Tx
      scheduler node due to a lack of space.
      
      We need to protect ICE driver against such situation.
      
      To fix this, make sure we clear existing stale settings out when
      handling VIRTCHNL_OP_CONFIG_VSI_QUEUES. This ensures we remove the
      previous settings.
      
      Calling ice_vf_vsi_dis_single_txq should be safe as it will do nothing if
      the queue is not configured. The function already handles the case when the
      Tx queue is not currently configured and exits with a 0 return in that
      case.
      
      Fixes: 7ad15440 ("ice: Refactor VIRTCHNL_OP_CONFIG_VSI_QUEUES handling")
      Signed-off-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Signed-off-by: default avatarAnatolii Gerasymenko <anatolii.gerasymenko@intel.com>
      Tested-by: default avatarKonrad Jankowski <konrad0.jankowski@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      6096dae9