1. 08 Jun, 2023 3 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE · 1240eb93
      Pablo Neira Ayuso authored
      In case of error when adding a new rule that refers to an anonymous set,
      deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE.
      Thus, the lookup expression marks anonymous sets as inactive in the next
      generation to ensure it is not reachable in this transaction anymore and
      decrement the set refcount as introduced by c1592a89 ("netfilter:
      nf_tables: deactivate anonymous set from preparation phase"). The abort
      step takes care of undoing the anonymous set.
      
      This is also consistent with rule deletion, where NFT_TRANS_PREPARE is
      used. Note that this error path is exercised in the preparation step of
      the commit protocol. This patch replaces nf_tables_rule_release() by the
      deactivate and destroy calls, this time with NFT_TRANS_PREPARE.
      
      Due to this incorrect error handling, it is possible to access a
      dangling pointer to the anonymous set that remains in the transaction
      list.
      
      [1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables]
      [1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110
      [1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256
      [1009.379128] Call Trace:
      [1009.379132]  <TASK>
      [1009.379135]  dump_stack_lvl+0x33/0x50
      [1009.379146]  ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
      [1009.379191]  print_address_description.constprop.0+0x27/0x300
      [1009.379201]  kasan_report+0x107/0x120
      [1009.379210]  ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
      [1009.379255]  nft_set_lookup_global+0x147/0x1a0 [nf_tables]
      [1009.379302]  nft_lookup_init+0xa5/0x270 [nf_tables]
      [1009.379350]  nf_tables_newrule+0x698/0xe50 [nf_tables]
      [1009.379397]  ? nf_tables_rule_release+0xe0/0xe0 [nf_tables]
      [1009.379441]  ? kasan_unpoison+0x23/0x50
      [1009.379450]  nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink]
      [1009.379470]  ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
      [1009.379485]  ? __alloc_skb+0xb8/0x1e0
      [1009.379493]  ? __alloc_skb+0xb8/0x1e0
      [1009.379502]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [1009.379509]  ? unwind_get_return_address+0x2a/0x40
      [1009.379517]  ? write_profile+0xc0/0xc0
      [1009.379524]  ? avc_lookup+0x8f/0xc0
      [1009.379532]  ? __rcu_read_unlock+0x43/0x60
      
      Fixes: 958bee14 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1240eb93
    • Pablo Neira Ayuso's avatar
      netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM · a1a64a15
      Pablo Neira Ayuso authored
      If caller reports ENOMEM, then stop iterating over the batch and send a
      single netlink message to userspace to report OOM.
      
      Fixes: cbb8125e ("netfilter: nfnetlink: deliver netlink errors on batch completion")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      a1a64a15
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: integrate pipapo into commit protocol · 212ed75d
      Pablo Neira Ayuso authored
      The pipapo set backend follows copy-on-update approach, maintaining one
      clone of the existing datastructure that is being updated. The clone
      and current datastructures are swapped via rcu from the commit step.
      
      The existing integration with the commit protocol is flawed because
      there is no operation to clean up the clone if the transaction is
      aborted. Moreover, the datastructure swap happens on set element
      activation.
      
      This patch adds two new operations for sets: commit and abort, these new
      operations are invoked from the commit and abort steps, after the
      transactions have been digested, and it updates the pipapo set backend
      to use it.
      
      This patch adds a new ->pending_update field to sets to maintain a list
      of sets that require this new commit and abort operations.
      
      Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      212ed75d
  2. 07 Jun, 2023 8 commits
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2023-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · ab39b113
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fixes to debugfs registration
       - Fix use-after-free in hci_remove_ltk/hci_remove_irk
       - Fixes to ISO channel support
       - Fix missing checks for invalid L2CAP DCID
       - Fix l2cap_disconnect_req deadlock
       - Add lock to protect HCI_UNREGISTER
      
      * tag 'for-net-2023-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: L2CAP: Add missing checks for invalid DCID
        Bluetooth: ISO: use correct CIS order in Set CIG Parameters event
        Bluetooth: ISO: don't try to remove CIG if there are bound CIS left
        Bluetooth: Fix l2cap_disconnect_req deadlock
        Bluetooth: hci_qca: fix debugfs registration
        Bluetooth: fix debugfs registration
        Bluetooth: hci_sync: add lock to protect HCI_UNREGISTER
        Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
        Bluetooth: ISO: Fix CIG auto-allocation to select configurable CIG
        Bluetooth: ISO: consider right CIS when removing CIG at cleanup
      ====================
      
      Link: https://lore.kernel.org/r/20230606003454.2392552-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ab39b113
    • Jakub Kicinski's avatar
      Merge tag 'nf-23-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 20c47646
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Missing nul-check in basechain hook netlink dump path, from Gavrilov Ilia.
      
      2) Fix bitwise register tracking, from Jeremy Sowden.
      
      3) Null pointer dereference when accessing conntrack helper,
         from Tijs Van Buggenhout.
      
      4) Add schedule point to ipset's call_ad, from Kuniyuki Iwashima.
      
      5) Incorrect boundary check when building chain blob.
      
      * tag 'nf-23-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: out-of-bound check in chain blob
        netfilter: ipset: Add schedule point in call_ad().
        netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
        netfilter: nft_bitwise: fix register tracking
        netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook()
      ====================
      
      Link: https://lore.kernel.org/r/20230606225851.67394-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      20c47646
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2023-06-06' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · e684ab76
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.4
      
      Both rtw88 and rtw89 have a 802.11 powersave fix for a regression
      introduced in v6.0. mt76 fixes a race and a null pointer dereference.
      iwlwifi fixes an issue where not enough memory was allocated for a
      firmware event. And finally the stack has several smaller fixes all
      over.
      
      * tag 'wireless-2023-06-06' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: cfg80211: fix locking in regulatory disconnect
        wifi: cfg80211: fix locking in sched scan stop work
        wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif()
        wifi: mac80211: fix switch count in EMA beacons
        wifi: mac80211: don't translate beacon/presp addrs
        wifi: mac80211: mlme: fix non-inheritence element
        wifi: cfg80211: reject bad AP MLD address
        wifi: mac80211: use correct iftype HE cap
        wifi: mt76: mt7996: fix possible NULL pointer dereference in mt7996_mac_write_txwi()
        wifi: rtw89: remove redundant check of entering LPS
        wifi: rtw89: correct PS calculation for SUPPORTS_DYNAMIC_PS
        wifi: rtw88: correct PS calculation for SUPPORTS_DYNAMIC_PS
        wifi: mt76: mt7615: fix possible race in mt7615_mac_sta_poll
      ====================
      
      Link: https://lore.kernel.org/r/20230606150817.EC133C433D2@smtp.kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e684ab76
    • Brett Creeley's avatar
      virtio_net: use control_buf for coalesce params · accc1bf2
      Brett Creeley authored
      Commit 699b045a ("net: virtio_net: notifications coalescing
      support") added coalescing command support for virtio_net. However,
      the coalesce commands are using buffers on the stack, which is causing
      the device to see DMA errors. There should also be a complaint from
      check_for_stack() in debug_dma_map_xyz(). Fix this by adding and using
      coalesce params from the control_buf struct, which aligns with other
      commands.
      
      Cc: stable@vger.kernel.org
      Fixes: 699b045a ("net: virtio_net: notifications coalescing support")
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: default avatarAllen Hubbe <allen.hubbe@amd.com>
      Signed-off-by: default avatarBrett Creeley <brett.creeley@amd.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Reviewed-by: default avatarXuan Zhuo <xuanzhuo@linux.alibaba.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Link: https://lore.kernel.org/r/20230605195925.51625-1-brett.creeley@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      accc1bf2
    • Brett Creeley's avatar
      pds_core: Fix FW recovery detection · 4f48c303
      Brett Creeley authored
      Commit 523847df ("pds_core: add devcmd device interfaces") included
      initial support for FW recovery detection. Unfortunately, the ordering
      in pdsc_is_fw_good() was incorrect, which was causing FW recovery to be
      undetected by the driver. Fix this by making sure to update the cached
      fw_status by calling pdsc_is_fw_running() before setting the local FW
      gen.
      
      Fixes: 523847df ("pds_core: add devcmd device interfaces")
      Signed-off-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: default avatarBrett Creeley <brett.creeley@amd.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230605195116.49653-1-brett.creeley@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4f48c303
    • Eric Dumazet's avatar
      tcp: gso: really support BIG TCP · 82a01ab3
      Eric Dumazet authored
      We missed that tcp_gso_segment() was assuming skb->len was smaller than 65535 :
      
      oldlen = (u16)~skb->len;
      
      This part came with commit 0718bcc0 ("[NET]: Fix CHECKSUM_HW GSO problems.")
      
      This leads to wrong TCP checksum.
      
      Adapt the code to accept arbitrary packet length.
      
      v2:
        - use two csum_add() instead of csum_fold() (Alexander Duyck)
        - Change delta type to __wsum to reduce casts (Alexander Duyck)
      
      Fixes: 09f3d1a3 ("ipv6/gso: remove temporary HBH/jumbo header")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarAlexander Duyck <alexanderduyck@fb.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230605161647.3624428-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      82a01ab3
    • Kuniyuki Iwashima's avatar
      ipv6: rpl: Fix Route of Death. · a2f4c143
      Kuniyuki Iwashima authored
      A remote DoS vulnerability of RPL Source Routing is assigned CVE-2023-2156.
      
      The Source Routing Header (SRH) has the following format:
      
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  Next Header  |  Hdr Ext Len  | Routing Type  | Segments Left |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        | CmprI | CmprE |  Pad  |               Reserved                |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                                                               |
        .                                                               .
        .                        Addresses[1..n]                        .
        .                                                               .
        |                                                               |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      
      The originator of an SRH places the first hop's IPv6 address in the IPv6
      header's IPv6 Destination Address and the second hop's IPv6 address as
      the first address in Addresses[1..n].
      
      The CmprI and CmprE fields indicate the number of prefix octets that are
      shared with the IPv6 Destination Address.  When CmprI or CmprE is not 0,
      Addresses[1..n] are compressed as follows:
      
        1..n-1 : (16 - CmprI) bytes
             n : (16 - CmprE) bytes
      
      Segments Left indicates the number of route segments remaining.  When the
      value is not zero, the SRH is forwarded to the next hop.  Its address
      is extracted from Addresses[n - Segment Left + 1] and swapped with IPv6
      Destination Address.
      
      When Segment Left is greater than or equal to 2, the size of SRH is not
      changed because Addresses[1..n-1] are decompressed and recompressed with
      CmprI.
      
      OTOH, when Segment Left changes from 1 to 0, the new SRH could have a
      different size because Addresses[1..n-1] are decompressed with CmprI and
      recompressed with CmprE.
      
      Let's say CmprI is 15 and CmprE is 0.  When we receive SRH with Segment
      Left >= 2, Addresses[1..n-1] have 1 byte for each, and Addresses[n] has
      16 bytes.  When Segment Left is 1, Addresses[1..n-1] is decompressed to
      16 bytes and not recompressed.  Finally, the new SRH will need more room
      in the header, and the size is (16 - 1) * (n - 1) bytes.
      
      Here the max value of n is 255 as Segment Left is u8, so in the worst case,
      we have to allocate 3825 bytes in the skb headroom.  However, now we only
      allocate a small fixed buffer that is IPV6_RPL_SRH_WORST_SWAP_SIZE (16 + 7
      bytes).  If the decompressed size overflows the room, skb_push() hits BUG()
      below [0].
      
      Instead of allocating the fixed buffer for every packet, let's allocate
      enough headroom only when we receive SRH with Segment Left 1.
      
      [0]:
      skbuff: skb_under_panic: text:ffffffff81c9f6e2 len:576 put:576 head:ffff8880070b5180 data:ffff8880070b4fb0 tail:0x70 end:0x140 dev:lo
      kernel BUG at net/core/skbuff.c:200!
      invalid opcode: 0000 [#1] PREEMPT SMP PTI
      CPU: 0 PID: 154 Comm: python3 Not tainted 6.4.0-rc4-00190-gc308e9ec #7
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      RIP: 0010:skb_panic (net/core/skbuff.c:200)
      Code: 4f 70 50 8b 87 bc 00 00 00 50 8b 87 b8 00 00 00 50 ff b7 c8 00 00 00 4c 8b 8f c0 00 00 00 48 c7 c7 80 6e 77 82 e8 ad 8b 60 ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
      RSP: 0018:ffffc90000003da0 EFLAGS: 00000246
      RAX: 0000000000000085 RBX: ffff8880058a6600 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffff88807dc1c540 RDI: ffff88807dc1c540
      RBP: ffffc90000003e48 R08: ffffffff82b392c8 R09: 00000000ffffdfff
      R10: ffffffff82a592e0 R11: ffffffff82b092e0 R12: ffff888005b1c800
      R13: ffff8880070b51b8 R14: ffff888005b1ca18 R15: ffff8880070b5190
      FS:  00007f4539f0b740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000055670baf3000 CR3: 0000000005b0e000 CR4: 00000000007506f0
      PKRU: 55555554
      Call Trace:
       <IRQ>
       skb_push (net/core/skbuff.c:210)
       ipv6_rthdr_rcv (./include/linux/skbuff.h:2880 net/ipv6/exthdrs.c:634 net/ipv6/exthdrs.c:718)
       ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
       ip6_input_finish (./include/linux/rcupdate.h:805 net/ipv6/ip6_input.c:483)
       __netif_receive_skb_one_core (net/core/dev.c:5494)
       process_backlog (./include/linux/rcupdate.h:805 net/core/dev.c:5934)
       __napi_poll (net/core/dev.c:6496)
       net_rx_action (net/core/dev.c:6565 net/core/dev.c:6696)
       __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
       do_softirq (kernel/softirq.c:472 kernel/softirq.c:459)
       </IRQ>
       <TASK>
       __local_bh_enable_ip (kernel/softirq.c:396)
       __dev_queue_xmit (net/core/dev.c:4272)
       ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:134)
       rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
       sock_sendmsg (net/socket.c:724 net/socket.c:747)
       __sys_sendto (net/socket.c:2144)
       __x64_sys_sendto (net/socket.c:2156 net/socket.c:2152 net/socket.c:2152)
       do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
       entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      RIP: 0033:0x7f453a138aea
      Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
      RSP: 002b:00007ffcc212a1c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007ffcc212a288 RCX: 00007f453a138aea
      RDX: 0000000000000060 RSI: 00007f4539084c20 RDI: 0000000000000003
      RBP: 00007f4538308e80 R08: 00007ffcc212a300 R09: 000000000000001c
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f4539712d1b
       </TASK>
      Modules linked in:
      
      Fixes: 8610c7c6 ("net: ipv6: add support for rpl sr exthdr")
      Reported-by: Max VA
      Closes: https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-deathSigned-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230605180617.67284-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a2f4c143
    • Jakub Kicinski's avatar
      netlink: specs: ethtool: fix random typos · f6ca5baf
      Jakub Kicinski authored
      Working on the code gen for C reveals typos in the ethtool spec
      as the compiler tries to find the names in the existing uAPI
      header. Fix the mistakes.
      
      Fixes: a353318e ("tools: ynl: populate most of the ethtool spec")
      Acked-by: default avatarStanislav Fomichev <sdf@google.com>
      Link: https://lore.kernel.org/r/20230605233257.843977-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f6ca5baf
  3. 06 Jun, 2023 24 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: out-of-bound check in chain blob · 08e42a0d
      Pablo Neira Ayuso authored
      Add current size of rule expressions to the boundary check.
      
      Fixes: 2c865a8a ("netfilter: nf_tables: add rule blob layout")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      08e42a0d
    • Kuniyuki Iwashima's avatar
      netfilter: ipset: Add schedule point in call_ad(). · 24e22789
      Kuniyuki Iwashima authored
      syzkaller found a repro that causes Hung Task [0] with ipset.  The repro
      first creates an ipset and then tries to delete a large number of IPs
      from the ipset concurrently:
      
        IPSET_ATTR_IPADDR_IPV4 : 172.20.20.187
        IPSET_ATTR_CIDR        : 2
      
      The first deleting thread hogs a CPU with nfnl_lock(NFNL_SUBSYS_IPSET)
      held, and other threads wait for it to be released.
      
      Previously, the same issue existed in set->variant->uadt() that could run
      so long under ip_set_lock(set).  Commit 5e29dc36 ("netfilter: ipset:
      Rework long task execution when adding/deleting entries") tried to fix it,
      but the issue still exists in the caller with another mutex.
      
      While adding/deleting many IPs, we should release the CPU periodically to
      prevent someone from abusing ipset to hang the system.
      
      Note we need to increment the ipset's refcnt to prevent the ipset from
      being destroyed while rescheduling.
      
      [0]:
      INFO: task syz-executor174:268 blocked for more than 143 seconds.
            Not tainted 6.4.0-rc1-00145-gba79e9a7 #1
      "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      task:syz-executor174 state:D stack:0     pid:268   ppid:260    flags:0x0000000d
      Call trace:
       __switch_to+0x308/0x714 arch/arm64/kernel/process.c:556
       context_switch kernel/sched/core.c:5343 [inline]
       __schedule+0xd84/0x1648 kernel/sched/core.c:6669
       schedule+0xf0/0x214 kernel/sched/core.c:6745
       schedule_preempt_disabled+0x58/0xf0 kernel/sched/core.c:6804
       __mutex_lock_common kernel/locking/mutex.c:679 [inline]
       __mutex_lock+0x6fc/0xdb0 kernel/locking/mutex.c:747
       __mutex_lock_slowpath+0x14/0x20 kernel/locking/mutex.c:1035
       mutex_lock+0x98/0xf0 kernel/locking/mutex.c:286
       nfnl_lock net/netfilter/nfnetlink.c:98 [inline]
       nfnetlink_rcv_msg+0x480/0x70c net/netfilter/nfnetlink.c:295
       netlink_rcv_skb+0x1c0/0x350 net/netlink/af_netlink.c:2546
       nfnetlink_rcv+0x18c/0x199c net/netfilter/nfnetlink.c:658
       netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
       netlink_unicast+0x664/0x8cc net/netlink/af_netlink.c:1365
       netlink_sendmsg+0x6d0/0xa4c net/netlink/af_netlink.c:1913
       sock_sendmsg_nosec net/socket.c:724 [inline]
       sock_sendmsg net/socket.c:747 [inline]
       ____sys_sendmsg+0x4b8/0x810 net/socket.c:2503
       ___sys_sendmsg net/socket.c:2557 [inline]
       __sys_sendmsg+0x1f8/0x2a4 net/socket.c:2586
       __do_sys_sendmsg net/socket.c:2595 [inline]
       __se_sys_sendmsg net/socket.c:2593 [inline]
       __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2593
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall+0x84/0x270 arch/arm64/kernel/syscall.c:52
       el0_svc_common+0x134/0x24c arch/arm64/kernel/syscall.c:142
       do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
       el0_svc+0x2c/0x7c arch/arm64/kernel/entry-common.c:637
       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
       el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Fixes: a7b4f989 ("netfilter: ipset: IP set core support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Acked-by: default avatarJozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      24e22789
    • Tijs Van Buggenhout's avatar
      netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper · e1f543dc
      Tijs Van Buggenhout authored
      An nf_conntrack_helper from nf_conn_help may become NULL after DNAT.
      
      Observed when TCP port 1720 (Q931_PORT), associated with h323 conntrack
      helper, is DNAT'ed to another destination port (e.g. 1730), while
      nfqueue is being used for final acceptance (e.g. snort).
      
      This happenned after transition from kernel 4.14 to 5.10.161.
      
      Workarounds:
       * keep the same port (1720) in DNAT
       * disable nfqueue
       * disable/unload h323 NAT helper
      
      $ linux-5.10/scripts/decode_stacktrace.sh vmlinux < /tmp/kernel.log
      BUG: kernel NULL pointer dereference, address: 0000000000000084
      [..]
      RIP: 0010:nf_conntrack_update (net/netfilter/nf_conntrack_core.c:2080 net/netfilter/nf_conntrack_core.c:2134) nf_conntrack
      [..]
      nfqnl_reinject (net/netfilter/nfnetlink_queue.c:237) nfnetlink_queue
      nfqnl_recv_verdict (net/netfilter/nfnetlink_queue.c:1230) nfnetlink_queue
      nfnetlink_rcv_msg (net/netfilter/nfnetlink.c:241) nfnetlink
      [..]
      
      Fixes: ee04805f ("netfilter: conntrack: make conntrack userspace helpers work again")
      Signed-off-by: default avatarTijs Van Buggenhout <tijs.van.buggenhout@axsguard.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      e1f543dc
    • Jeremy Sowden's avatar
      netfilter: nft_bitwise: fix register tracking · 14e8b293
      Jeremy Sowden authored
      At the end of `nft_bitwise_reduce`, there is a loop which is intended to
      update the bitwise expression associated with each tracked destination
      register.  However, currently, it just updates the first register
      repeatedly.  Fix it.
      
      Fixes: 34cc9e52 ("netfilter: nf_tables: cancel tracking for clobbered destination registers")
      Signed-off-by: default avatarJeremy Sowden <jeremy@azazel.net>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      14e8b293
    • Gavrilov Ilia's avatar
      netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook() · bd058763
      Gavrilov Ilia authored
      The nla_nest_start_noflag() function may fail and return NULL;
      the return value needs to be checked.
      
      Found by InfoTeCS on behalf of Linux Verification Center
      (linuxtesting.org) with SVACE.
      
      Fixes: d54725cd ("netfilter: nf_tables: support for multiple devices per netdev hook")
      Signed-off-by: default avatarGavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      bd058763
    • Johannes Berg's avatar
      wifi: cfg80211: fix locking in regulatory disconnect · f7e60032
      Johannes Berg authored
      This should use wiphy_lock() now instead of requiring the
      RTNL, since __cfg80211_leave() via cfg80211_leave() is now
      requiring that lock to be held.
      
      Fixes: a05829a7 ("cfg80211: avoid holding the RTNL when calling the driver")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      f7e60032
    • Johannes Berg's avatar
      wifi: cfg80211: fix locking in sched scan stop work · 3e54ed82
      Johannes Berg authored
      This should use wiphy_lock() now instead of acquiring the
      RTNL, since cfg80211_stop_sched_scan_req() now needs that.
      
      Fixes: a05829a7 ("cfg80211: avoid holding the RTNL when calling the driver")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3e54ed82
    • Manish Chopra's avatar
      qed/qede: Fix scheduling while atomic · 42510dff
      Manish Chopra authored
      Statistics read through bond interface via sysfs causes
      below bug and traces as it triggers the bonding module to
      collect the slave device statistics while holding the spinlock,
      beneath that qede->qed driver statistics flow gets scheduled out
      due to usleep_range() used in PTT acquire logic
      
      [ 3673.988874] Hardware name: HPE ProLiant DL365 Gen10 Plus/ProLiant DL365 Gen10 Plus, BIOS A42 10/29/2021
      [ 3673.988878] Call Trace:
      [ 3673.988891]  dump_stack_lvl+0x34/0x44
      [ 3673.988908]  __schedule_bug.cold+0x47/0x53
      [ 3673.988918]  __schedule+0x3fb/0x560
      [ 3673.988929]  schedule+0x43/0xb0
      [ 3673.988932]  schedule_hrtimeout_range_clock+0xbf/0x1b0
      [ 3673.988937]  ? __hrtimer_init+0xc0/0xc0
      [ 3673.988950]  usleep_range+0x5e/0x80
      [ 3673.988955]  qed_ptt_acquire+0x2b/0xd0 [qed]
      [ 3673.988981]  _qed_get_vport_stats+0x141/0x240 [qed]
      [ 3673.989001]  qed_get_vport_stats+0x18/0x80 [qed]
      [ 3673.989016]  qede_fill_by_demand_stats+0x37/0x400 [qede]
      [ 3673.989028]  qede_get_stats64+0x19/0xe0 [qede]
      [ 3673.989034]  dev_get_stats+0x5c/0xc0
      [ 3673.989045]  netstat_show.constprop.0+0x52/0xb0
      [ 3673.989055]  dev_attr_show+0x19/0x40
      [ 3673.989065]  sysfs_kf_seq_show+0x9b/0xf0
      [ 3673.989076]  seq_read_iter+0x120/0x4b0
      [ 3673.989087]  new_sync_read+0x118/0x1a0
      [ 3673.989095]  vfs_read+0xf3/0x180
      [ 3673.989099]  ksys_read+0x5f/0xe0
      [ 3673.989102]  do_syscall_64+0x3b/0x90
      [ 3673.989109]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [ 3673.989115] RIP: 0033:0x7f8467d0b082
      [ 3673.989119] Code: c0 e9 b2 fe ff ff 50 48 8d 3d ca 05 08 00 e8 35 e7 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
      [ 3673.989121] RSP: 002b:00007ffffb21fd08 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
      [ 3673.989127] RAX: ffffffffffffffda RBX: 000000000100eca0 RCX: 00007f8467d0b082
      [ 3673.989128] RDX: 00000000000003ff RSI: 00007ffffb21fdc0 RDI: 0000000000000003
      [ 3673.989130] RBP: 00007f8467b96028 R08: 0000000000000010 R09: 00007ffffb21ec00
      [ 3673.989132] R10: 00007ffffb27b170 R11: 0000000000000246 R12: 00000000000000f0
      [ 3673.989134] R13: 0000000000000003 R14: 00007f8467b92000 R15: 0000000000045a05
      [ 3673.989139] CPU: 30 PID: 285188 Comm: read_all Kdump: loaded Tainted: G        W  OE
      
      Fix this by collecting the statistics asynchronously from a periodic
      delayed work scheduled at default stats coalescing interval and return
      the recent copy of statisitcs from .ndo_get_stats64(), also add ability
      to configure/retrieve stats coalescing interval using below commands -
      
      ethtool -C ethx stats-block-usecs <val>
      ethtool -c ethx
      
      Fixes: 133fac0e ("qede: Add basic ethtool support")
      Cc: Sudarsana Kalluru <skalluru@marvell.com>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarManish Chopra <manishc@marvell.com>
      Link: https://lore.kernel.org/r/20230605112600.48238-1-manishc@marvell.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      42510dff
    • Gustavo A. R. Silva's avatar
      wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif() · 7a4615b9
      Gustavo A. R. Silva authored
      kmemdup() at line 2735 is not duplicating enough memory for
      notif->tid_tear_down and notif->station_id. As it only duplicates
      612 bytes: up to offsetofend(struct iwl_wowlan_info_notif,
      received_beacons), this is the range of [0, 612) bytes.
      
      2735	notif = kmemdup(notif_v1,
      2736			offsetofend(struct iwl_wowlan_info_notif,
      2737				    received_beacons),
      2738			GFP_ATOMIC);
      
      which evidently does not cover bytes 612 and 613 for members
      tid_tear_down and station_id in struct iwl_wowlan_info_notif.
      See below:
      
      $ pahole -C iwl_wowlan_info_notif drivers/net/wireless/intel/iwlwifi/mvm/d3.o
      struct iwl_wowlan_info_notif {
      	struct iwl_wowlan_gtk_status_v3 gtk[2];          /*     0   488 */
      	/* --- cacheline 7 boundary (448 bytes) was 40 bytes ago --- */
      	struct iwl_wowlan_igtk_status igtk[2];           /*   488    80 */
      	/* --- cacheline 8 boundary (512 bytes) was 56 bytes ago --- */
      	__le64                     replay_ctr;           /*   568     8 */
      	/* --- cacheline 9 boundary (576 bytes) --- */
      	__le16                     pattern_number;       /*   576     2 */
      	__le16                     reserved1;            /*   578     2 */
      	__le16                     qos_seq_ctr[8];       /*   580    16 */
      	__le32                     wakeup_reasons;       /*   596     4 */
      	__le32                     num_of_gtk_rekeys;    /*   600     4 */
      	__le32                     transmitted_ndps;     /*   604     4 */
      	__le32                     received_beacons;     /*   608     4 */
      	u8                         tid_tear_down;        /*   612     1 */
      	u8                         station_id;           /*   613     1 */
      	u8                         reserved2[2];         /*   614     2 */
      
      	/* size: 616, cachelines: 10, members: 13 */
      	/* last cacheline: 40 bytes */
      };
      
      Therefore, when the following assignments take place, actually no memory
      has been allocated for those objects:
      
      2743	notif->tid_tear_down = notif_v1->tid_tear_down;
      2744	notif->station_id = notif_v1->station_id;
      
      Fix this by allocating space for the whole notif object and zero out the
      remaining space in memory after member station_id.
      
      This also fixes the following -Warray-bounds issues:
       CC      drivers/net/wireless/intel/iwlwifi/mvm/d3.o
      drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function ‘iwl_mvm_wait_d3_notif’:
      drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2743:30: warning: array subscript ‘struct iwl_wowlan_info_notif[0]’ is partly outside array bounds of ‘unsigned char[612]’ [-Warray-bounds=]
       2743 |                         notif->tid_tear_down = notif_v1->tid_tear_down;
            |
                       from drivers/net/wireless/intel/iwlwifi/mvm/d3.c:7:
      In function ‘kmemdup’,
          inlined from ‘iwl_mvm_wait_d3_notif’ at drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2735:12:
      include/linux/fortify-string.h:765:16: note: object of size 612 allocated by ‘__real_kmemdup’
        765 |         return __real_kmemdup(p, size, gfp);
            |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function ‘iwl_mvm_wait_d3_notif’:
      drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2744:30: warning: array subscript ‘struct iwl_wowlan_info_notif[0]’ is partly outside array bounds of ‘unsigned char[612]’ [-Warray-bounds=]
       2744 |                         notif->station_id = notif_v1->station_id;
            |                              ^~
      In function ‘kmemdup’,
          inlined from ‘iwl_mvm_wait_d3_notif’ at drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2735:12:
      include/linux/fortify-string.h:765:16: note: object of size 612 allocated by ‘__real_kmemdup’
        765 |         return __real_kmemdup(p, size, gfp);
            |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Link: https://github.com/KSPP/linux/issues/306
      Fixes: 905d50dd ("wifi: iwlwifi: mvm: support wowlan info notification version 2")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavoars@kernel.org>
      Acked-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/ZHpGN555FwAKGduH@workSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      7a4615b9
    • Aditya Kumar Singh's avatar
      wifi: mac80211: fix switch count in EMA beacons · 1afa18e9
      Aditya Kumar Singh authored
      Currently, whenever an EMA beacon is formed, due to is_template
      argument being false from the caller, the switch count is always
      decremented once which is wrong.
      
      Also if switch count is equal to profile periodicity, this makes
      the switch count to reach till zero which triggers a WARN_ON_ONCE.
      
      [  261.593915] CPU: 1 PID: 800 Comm: kworker/u8:3 Not tainted 5.4.213 #0
      [  261.616143] Hardware name: Qualcomm Technologies, Inc. IPQ9574
      [  261.622666] Workqueue: phy0 ath12k_get_link_bss_conf [ath12k]
      [  261.629771] pstate: 60400005 (nZCv daif +PAN -UAO)
      [  261.635595] pc : ieee80211_next_txq+0x1ac/0x1b8 [mac80211]
      [  261.640282] lr : ieee80211_beacon_update_cntdwn+0x64/0xb4 [mac80211]
      [...]
      [  261.729683] Call trace:
      [  261.734986]  ieee80211_next_txq+0x1ac/0x1b8 [mac80211]
      [  261.737156]  ieee80211_beacon_cntdwn_is_complete+0xa28/0x1194 [mac80211]
      [  261.742365]  ieee80211_beacon_cntdwn_is_complete+0xef4/0x1194 [mac80211]
      [  261.749224]  ieee80211_beacon_get_template_ema_list+0x38/0x5c [mac80211]
      [  261.755908]  ath12k_get_link_bss_conf+0xf8/0x33b4 [ath12k]
      [  261.762590]  ath12k_get_link_bss_conf+0x390/0x33b4 [ath12k]
      [  261.767881]  process_one_work+0x194/0x270
      [  261.773346]  worker_thread+0x200/0x314
      [  261.777514]  kthread+0x140/0x150
      [  261.781158]  ret_from_fork+0x10/0x18
      
      Fix this issue by making the is_template argument as true when fetching
      the EMA beacons.
      
      Fixes: bd54f3c2 ("wifi: mac80211: generate EMA beacons in AP mode")
      Signed-off-by: default avatarAditya Kumar Singh <quic_adisi@quicinc.com>
      Link: https://lore.kernel.org/r/20230531062012.4537-1-quic_adisi@quicinc.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      1afa18e9
    • Johannes Berg's avatar
      wifi: mac80211: don't translate beacon/presp addrs · 47c171a4
      Johannes Berg authored
      Don't do link address translation for beacons and probe responses,
      this leads to reporting multiple scan list entries for the same AP
      (one with the MLD address) which just breaks things.
      
      We might need to extend this in the future for some other (action)
      frames that aren't MLD addressed.
      
      Fixes: 42fb9148 ("wifi: mac80211: do link->MLD address translation on RX")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/20230604120651.62adead1b43a.Ifc25eed26ebf3b269f60b1ec10060156d0e7ec0d@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      47c171a4
    • Johannes Berg's avatar
      wifi: mac80211: mlme: fix non-inheritence element · 68c22855
      Johannes Berg authored
      There were two bugs when creating the non-inheritence
      element:
       1) 'at_extension' needs to be declared outside the loop,
          otherwise the value resets every iteration and we
          can never really switch properly
       2) 'added' never got set to true, so we always cut off
          the extension element again at the end of the function
      
      This shows another issue that we might add a list but no
      extension list, but we need to make the extension list a
      zero-length one in that case.
      
      Fix all these issues. While at it, add a comment explaining
      the trim.
      
      Fixes: 81151ce4 ("wifi: mac80211: support MLO authentication/association with one link")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/20230604120651.3addaa5c4782.If3a78f9305997ad7ef4ba7ffc17a8234c956f613@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      68c22855
    • Johannes Berg's avatar
      wifi: cfg80211: reject bad AP MLD address · 727073ca
      Johannes Berg authored
      When trying to authenticate, if the AP MLD address isn't
      a valid address, mac80211 can throw a warning. Avoid that
      by rejecting such addresses.
      
      Fixes: d648c230 ("wifi: nl80211: support MLO in auth/assoc")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/20230604120651.89188912bd1d.I8dbc6c8ee0cb766138803eec59508ef4ce477709@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      727073ca
    • Johannes Berg's avatar
      wifi: mac80211: use correct iftype HE cap · c37ab22b
      Johannes Berg authored
      We already check that the right iftype capa exists,
      but then don't use it. Assign it to a variable so we
      can actually use it, and then do that.
      
      Fixes: bac2fd3d ("mac80211: remove use of ieee80211_get_he_sta_cap()")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/20230604120651.0e908e5c5fdd.Iac142549a6144ac949ebd116b921a59ae5282735@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      c37ab22b
    • Sungwoo Kim's avatar
      Bluetooth: L2CAP: Add missing checks for invalid DCID · 75767213
      Sungwoo Kim authored
      When receiving a connect response we should make sure that the DCID is
      within the valid range and that we don't already have another channel
      allocated for the same DCID.
      Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
      Version 5.4 | Vol 3, Part A, Page 1046).
      
      Fixes: 40624183 ("Bluetooth: L2CAP: Add missing checks for invalid LE DCID")
      Signed-off-by: default avatarSungwoo Kim <iam@sung-woo.kim>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      75767213
    • Pauli Virtanen's avatar
      Bluetooth: ISO: use correct CIS order in Set CIG Parameters event · 71e95884
      Pauli Virtanen authored
      The order of CIS handle array in Set CIG Parameters response shall match
      the order of the CIS_ID array in the command (Core v5.3 Vol 4 Part E Sec
      7.8.97).  We send CIS_IDs mainly in the order of increasing CIS_ID (but
      with "last" CIS first if it has fixed CIG_ID).  In handling of the
      reply, we currently assume this is also the same as the order of
      hci_conn in hdev->conn_hash, but that is not true.
      
      Match the correct hci_conn to the correct handle by matching them based
      on the CIG+CIS combination.  The CIG+CIS combination shall be unique for
      ISO_LINK hci_conn at state >= BT_BOUND, which we maintain in
      hci_le_set_cig_params.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      71e95884
    • Pauli Virtanen's avatar
      Bluetooth: ISO: don't try to remove CIG if there are bound CIS left · 6c242c64
      Pauli Virtanen authored
      Consider existing BOUND & CONNECT state CIS to block CIG removal.
      Otherwise, under suitable timing conditions we may attempt to remove CIG
      while Create CIS is pending, which fails.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      6c242c64
    • Ying Hsu's avatar
      Bluetooth: Fix l2cap_disconnect_req deadlock · 02c5ea52
      Ying Hsu authored
      L2CAP assumes that the locks conn->chan_lock and chan->lock are
      acquired in the order conn->chan_lock, chan->lock to avoid
      potential deadlock.
      For example, l2sock_shutdown acquires these locks in the order:
        mutex_lock(&conn->chan_lock)
        l2cap_chan_lock(chan)
      
      However, l2cap_disconnect_req acquires chan->lock in
      l2cap_get_chan_by_scid first and then acquires conn->chan_lock
      before calling l2cap_chan_del. This means that these locks are
      acquired in unexpected order, which leads to potential deadlock:
        l2cap_chan_lock(c)
        mutex_lock(&conn->chan_lock)
      
      This patch releases chan->lock before acquiring the conn_chan_lock
      to avoid the potential deadlock.
      
      Fixes: a2a9339e ("Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}")
      Signed-off-by: default avatarYing Hsu <yinghsu@chromium.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      02c5ea52
    • Johan Hovold's avatar
      Bluetooth: hci_qca: fix debugfs registration · 47c5d829
      Johan Hovold authored
      Since commit 3e4be65e ("Bluetooth: hci_qca: Add poweroff support
      during hci down for wcn3990"), the setup callback which registers the
      debugfs interface can be called multiple times.
      
      This specifically leads to the following error when powering on the
      controller:
      
      	debugfs: Directory 'ibs' with parent 'hci0' already present!
      
      Add a driver flag to avoid trying to register the debugfs interface more
      than once.
      
      Fixes: 3e4be65e ("Bluetooth: hci_qca: Add poweroff support during hci down for wcn3990")
      Cc: stable@vger.kernel.org	# 4.20
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      47c5d829
    • Johan Hovold's avatar
      Bluetooth: fix debugfs registration · fe2ccc6c
      Johan Hovold authored
      Since commit ec6cef9c ("Bluetooth: Fix SMP channel registration for
      unconfigured controllers") the debugfs interface for unconfigured
      controllers will be created when the controller is configured.
      
      There is however currently nothing preventing a controller from being
      configured multiple time (e.g. setting the device address using btmgmt)
      which results in failed attempts to register the already registered
      debugfs entries:
      
      	debugfs: File 'features' in directory 'hci0' already present!
      	debugfs: File 'manufacturer' in directory 'hci0' already present!
      	debugfs: File 'hci_version' in directory 'hci0' already present!
      	...
      	debugfs: File 'quirk_simultaneous_discovery' in directory 'hci0' already present!
      
      Add a controller flag to avoid trying to register the debugfs interface
      more than once.
      
      Fixes: ec6cef9c ("Bluetooth: Fix SMP channel registration for unconfigured controllers")
      Cc: stable@vger.kernel.org      # 4.0
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      fe2ccc6c
    • Zhengping Jiang's avatar
      Bluetooth: hci_sync: add lock to protect HCI_UNREGISTER · 1857c199
      Zhengping Jiang authored
      When the HCI_UNREGISTER flag is set, no jobs should be scheduled. Fix
      potential race when HCI_UNREGISTER is set after the flag is tested in
      hci_cmd_sync_queue.
      
      Fixes: 0b94f265 ("Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set")
      Signed-off-by: default avatarZhengping Jiang <jiangzp@google.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      1857c199
    • Luiz Augusto von Dentz's avatar
      Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk · c5d2b6fa
      Luiz Augusto von Dentz authored
      Similar to commit 0f7d9b31 ("netfilter: nf_tables: fix use-after-free
      in nft_set_catchall_destroy()"). We can not access k after kfree_rcu()
      call.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMin Li <lm0963hack@gmail.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      c5d2b6fa
    • Pauli Virtanen's avatar
      Bluetooth: ISO: Fix CIG auto-allocation to select configurable CIG · e6a7a46b
      Pauli Virtanen authored
      Make CIG auto-allocation to select the first CIG_ID that is still
      configurable. Also use correct CIG_ID range (see Core v5.3 Vol 4 Part E
      Sec 7.8.97 p.2553).
      
      Previously, it would always select CIG_ID 0 regardless of anything,
      because cis_list with data.cis == 0xff (BT_ISO_QOS_CIS_UNSET) would not
      count any CIS. Since we are not adding CIS here, use find_cis instead.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      e6a7a46b
    • Pauli Virtanen's avatar
      Bluetooth: ISO: consider right CIS when removing CIG at cleanup · 31c5f916
      Pauli Virtanen authored
      When looking for CIS blocking CIG removal, consider only the CIS with
      the right CIG ID. Don't try to remove CIG with unset CIG ID.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      31c5f916
  4. 05 Jun, 2023 5 commits