1. 07 Aug, 2021 1 commit
  2. 06 Aug, 2021 22 commits
  3. 05 Aug, 2021 17 commits
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 0ca8d3ca
      Jakub Kicinski authored
      Build failure in drivers/net/wwan/mhi_wwan_mbim.c:
      add missing parameter (0, assuming we don't want buffer pre-alloc).
      
      Conflict in drivers/net/dsa/sja1105/sja1105_main.c between:
        589918df ("net: dsa: sja1105: be stateless with FDB entries on SJA1105P/Q/R/S/SJA1110 too")
        0fac6aa0 ("net: dsa: sja1105: delete the best_effort_vlan_filtering mode")
      
      Follow the instructions from the commit message of the former commit
      - removed the if conditions. When looking at commit 589918df ("net:
      dsa: sja1105: be stateless with FDB entries on SJA1105P/Q/R/S/SJA1110 too")
      note that the mask_iotag fields get removed by the following patch.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0ca8d3ca
    • Linus Torvalds's avatar
      Merge tag 'net-5.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 902e7f37
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from ipsec.
      
        Current release - regressions:
      
         - sched: taprio: fix init procedure to avoid inf loop when dumping
      
         - sctp: move the active_key update after sh_keys is added
      
        Current release - new code bugs:
      
         - sparx5: fix build with old GCC & bitmask on 32-bit targets
      
        Previous releases - regressions:
      
         - xfrm: redo the PREEMPT_RT RCU vs hash_resize_mutex deadlock fix
      
         - xfrm: fixes for the compat netlink attribute translator
      
         - phy: micrel: Fix detection of ksz87xx switch
      
        Previous releases - always broken:
      
         - gro: set inner transport header offset in tcp/udp GRO hook to avoid
           crashes when such packets reach GSO
      
         - vsock: handle VIRTIO_VSOCK_OP_CREDIT_REQUEST, as required by spec
      
         - dsa: sja1105: fix static FDB entries on SJA1105P/Q/R/S and SJA1110
      
         - bridge: validate the NUD_PERMANENT bit when adding an extern_learn
           FDB entry
      
         - usb: lan78xx: don't modify phy_device state concurrently
      
         - usb: pegasus: check for errors of IO routines"
      
      * tag 'net-5.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (48 commits)
        net: vxge: fix use-after-free in vxge_device_unregister
        net: fec: fix use-after-free in fec_drv_remove
        net: pegasus: fix uninit-value in get_interrupt_interval
        net: ethernet: ti: am65-cpsw: fix crash in am65_cpsw_port_offload_fwd_mark_update()
        bnx2x: fix an error code in bnx2x_nic_load()
        net: wwan: iosm: fix recursive lock acquire in unregister
        net: wwan: iosm: correct data protocol mask bit
        net: wwan: iosm: endianness type correction
        net: wwan: iosm: fix lkp buildbot warning
        net: usb: lan78xx: don't modify phy_device state concurrently
        docs: networking: netdevsim rules
        net: usb: pegasus: Remove the changelog and DRIVER_VERSION.
        net: usb: pegasus: Check the return value of get_geristers() and friends;
        net/prestera: Fix devlink groups leakage in error flow
        net: sched: fix lockdep_set_class() typo error for sch->seqlock
        net: dsa: qca: ar9331: reorder MDIO write sequence
        VSOCK: handle VIRTIO_VSOCK_OP_CREDIT_REQUEST
        mptcp: drop unused rcu member in mptcp_pm_addr_entry
        net: ipv6: fix returned variable type in ip6_skb_dst_mtu
        nfp: update ethtool reporting of pauseframe control
        ...
      902e7f37
    • Tetsuo Handa's avatar
      Bluetooth: defer cleanup of resources in hci_unregister_dev() · e0448092
      Tetsuo Handa authored
      syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
      calling lock_sock() with rw spinlock held [1].
      
      It seems that history of this locking problem is a trial and error.
      
      Commit b40df574 ("[PATCH] bluetooth: fix socket locking in
      hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
      lock_sock() as an attempt to fix lockdep warning.
      
      Then, commit 4ce61d1c ("[BLUETOOTH]: Fix locking in
      hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
      local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
      sleep in atomic context warning.
      
      Then, commit 4b5dd696 ("Bluetooth: Remove local_bh_disable() from
      hci_sock.c") in 3.3-rc1 removed local_bh_disable().
      
      Then, commit e305509e ("Bluetooth: use correct lock to prevent UAF
      of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
      lock_sock() as an attempt to fix CVE-2021-3573.
      
      This difficulty comes from current implementation that
      hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
      references from sockets because hci_unregister_dev() immediately
      reclaims resources as soon as returning from
      hci_sock_dev_event(HCI_DEV_UNREG).
      
      But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
      doing what it should do.
      
      Therefore, instead of trying to detach sockets from device, let's accept
      not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
      by moving actual cleanup of resources from hci_unregister_dev() to
      hci_cleanup_dev() which is called by bt_host_release() when all
      references to this unregistered device (which is a kobject) are gone.
      
      Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
      hci_pi(sk)->hdev, we need to check whether this device was unregistered
      and return an error based on HCI_UNREGISTER flag.  There might be subtle
      behavioral difference in "monitor the hdev" functionality; please report
      if you found something went wrong due to this patch.
      
      Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
      Reported-by: default avatarsyzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Fixes: e305509e ("Bluetooth: use correct lock to prevent UAF of hdev object")
      Acked-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e0448092
    • Linus Torvalds's avatar
      Merge tag 'selinux-pr-20210805' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux · 0b53abfc
      Linus Torvalds authored
      Pull selinux fix from Paul Moore:
       "One small SELinux fix for a problem where an error code was not being
        propagated back up to userspace when a bogus SELinux policy is loaded
        into the kernel"
      
      * tag 'selinux-pr-20210805' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
        selinux: correct the return value when loads initial sids
      0b53abfc
    • Linus Torvalds's avatar
      Merge branch 'for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 6209049e
      Linus Torvalds authored
      Pull ucounts fix from Eric Biederman:
       "Fix a subtle locking versus reference counting bug in the ucount
        changes, found by syzbot"
      
      * 'for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        ucounts: Fix race condition between alloc_ucounts and put_ucounts
      6209049e
    • Linus Torvalds's avatar
      Merge tag 'trace-v5.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 3c3e9027
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Various tracing fixes:
      
         - Fix NULL pointer dereference caused by an error path
      
         - Give histogram calculation fields a size, otherwise it breaks
           synthetic creation based on them.
      
         - Reject strings being used for number calculations.
      
         - Fix recordmcount.pl warning on llvm building RISC-V allmodconfig
      
         - Fix the draw_functrace.py script to handle the new trace output
      
         - Fix warning of smp_processor_id() in preemptible code"
      
      * tag 'trace-v5.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Quiet smp_processor_id() use in preemptable warning in hwlat
        scripts/tracing: fix the bug that can't parse raw_trace_func
        scripts/recordmcount.pl: Remove check_objcopy() and $can_use_local
        tracing: Reject string operand in the histogram expression
        tracing / histogram: Give calculation hist_fields a size
        tracing: Fix NULL pointer dereference in start_creating
      3c3e9027
    • Linus Torvalds's avatar
      Merge tag 's390-5.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 130951bb
      Linus Torvalds authored
      Pull s390 fixes from Heiko Carstens:
      
       - fix zstd build for -march=z900 (undefined reference to __clzdi2)
      
       - add missing .got.plts to vdso linker scripts to fix kpatch build
         errors
      
       - update defconfigs
      
      * tag 's390-5.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390/boot: fix zstd build for -march=z900
        s390/vdso: add .got.plt in vdso linker script
      130951bb
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 97fcc07b
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "Mostly bugfixes; plus, support for XMM arguments to Hyper-V hypercalls
        now obeys KVM_CAP_HYPERV_ENFORCE_CPUID.
      
        Both the XMM arguments feature and KVM_CAP_HYPERV_ENFORCE_CPUID are
        new in 5.14, and each did not know of the other"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
        KVM: selftests: fix hyperv_clock test
        KVM: SVM: improve the code readability for ASID management
        KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB
        KVM: Do not leak memory for duplicate debugfs directories
        KVM: selftests: Test access to XMM fast hypercalls
        KVM: x86: hyper-v: Check if guest is allowed to use XMM registers for hypercall input
        KVM: x86: Introduce trace_kvm_hv_hypercall_done()
        KVM: x86: hyper-v: Check access to hypercall before reading XMM registers
        KVM: x86: accept userspace interrupt only if no event is injected
      97fcc07b
    • Linus Torvalds's avatar
      Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux · 611ffd8a
      Linus Torvalds authored
      Pull pcmcia fix from Dominik Brodowski:
       "Zheyu Ma found and fixed a null pointer dereference bug in the device
        driver for the i82092 card reader"
      
      * 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux:
        pcmcia: i82092: fix a null pointer dereference bug
      611ffd8a
    • Alex Xu (Hello71)'s avatar
      pipe: increase minimum default pipe size to 2 pages · 46c4c9d1
      Alex Xu (Hello71) authored
      This program always prints 4096 and hangs before the patch, and always
      prints 8192 and exits successfully after:
      
        int main()
        {
            int pipefd[2];
            for (int i = 0; i < 1025; i++)
                if (pipe(pipefd) == -1)
                    return 1;
            size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ);
            printf("%zd\n", bufsz);
            char *buf = calloc(bufsz, 1);
            write(pipefd[1], buf, bufsz);
            read(pipefd[0], buf, bufsz-1);
            write(pipefd[1], buf, 1);
        }
      
      Note that you may need to increase your RLIMIT_NOFILE before running the
      program.
      
      Fixes: 759c0114 ("pipe: limit the per-user amount of pages allocated in pipes")
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/
      Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/Signed-off-by: default avatarAlex Xu (Hello71) <alex_y_xu@yahoo.ca>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      46c4c9d1
    • Jakub Kicinski's avatar
      Merge branch 'net-fix-use-after-free-bugs' · 6bb5318c
      Jakub Kicinski authored
      Pavel Skripkin says:
      
      ====================
      net: fix use-after-free bugs
      
      I've added new checker to smatch yesterday. It warns about using
      netdev_priv() pointer after free_{netdev,candev}() call. I hope, it will
      get into next smatch release.
      
      Some of the reported bugs are fixed and upstreamed already, but Dan ran new
      smatch with allmodconfig and found 2 more. Big thanks to Dan for doing it,
      because I totally forgot to do it.
      ====================
      
      Link: https://lore.kernel.org/r/cover.1628091954.git.paskripkin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6bb5318c
    • Pavel Skripkin's avatar
      net: vxge: fix use-after-free in vxge_device_unregister · 942e560a
      Pavel Skripkin authored
      Smatch says:
      drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
      drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
      drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
      drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
      
      Since vdev pointer is netdev private data accessing it after free_netdev()
      call can cause use-after-free bug. Fix it by moving free_netdev() call at
      the end of the function
      
      Fixes: 6cca2003 ("vxge: cleanup probe error paths")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Reviewed-by: default avatarJesse Brandeburg <jesse.brandeburg@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      942e560a
    • Pavel Skripkin's avatar
      net: fec: fix use-after-free in fec_drv_remove · 44712965
      Pavel Skripkin authored
      Smatch says:
      	drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
      	drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
      
      Since fep pointer is netdev private data, accessing it after free_netdev()
      call can cause use-after-free bug. Fix it by moving free_netdev() call at
      the end of the function
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Fixes: a31eda65 ("net: fec: fix clock count mis-match")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Reviewed-by: default avatarJoakim Zhang <qiangqing.zhang@nxp.com>
      Reviewed-by: default avatarJesse Brandeburg <jesse.brandeburg@intel.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      44712965
    • Pavel Skripkin's avatar
      net: pegasus: fix uninit-value in get_interrupt_interval · af35fc37
      Pavel Skripkin authored
      Syzbot reported uninit value pegasus_probe(). The problem was in missing
      error handling.
      
      get_interrupt_interval() internally calls read_eprom_word() which can
      fail in some cases. For example: failed to receive usb control message.
      These cases should be handled to prevent uninit value bug, since
      read_eprom_word() will not initialize passed stack variable in case of
      internal failure.
      
      Fail log:
      
      BUG: KMSAN: uninit-value in get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
      BUG: KMSAN: uninit-value in pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
      CPU: 1 PID: 825 Comm: kworker/1:1 Not tainted 5.12.0-rc6-syzkaller #0
      ...
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
       kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197
       get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
       pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
      ....
      
      Local variable ----data.i@pegasus_probe created at:
       get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
       pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
       get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
       pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
      
      Reported-and-tested-by: syzbot+02c9f70f3afae308464a@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Link: https://lore.kernel.org/r/20210804143005.439-1-paskripkin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      af35fc37
    • Steven Rostedt (VMware)'s avatar
      tracing: Quiet smp_processor_id() use in preemptable warning in hwlat · 51397dc6
      Steven Rostedt (VMware) authored
      The hardware latency detector (hwlat) has a mode that it runs one thread
      across CPUs. The logic to move from the currently running CPU to the next
      one in the list does a smp_processor_id() to find where it currently is.
      Unfortunately, it's done with preemption enabled, and this triggers a
      warning for using smp_processor_id() in a preempt enabled section.
      
      As it is only using smp_processor_id() to get information on where it
      currently is in order to simply move it to the next CPU, it doesn't really
      care if it got moved in the mean time. It will simply balance out later if
      such a case arises.
      
      Switch smp_processor_id() to raw_smp_processor_id() to quiet that warning.
      
      Link: https://lkml.kernel.org/r/20210804141848.79edadc0@oasis.local.homeAcked-by: default avatarDaniel Bristot de Oliveira <bristot@redhat.com>
      Fixes: 8fa826b7 ("trace/hwlat: Implement the mode config option")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      51397dc6
    • Grygorii Strashko's avatar
      net: ethernet: ti: am65-cpsw: fix crash in am65_cpsw_port_offload_fwd_mark_update() · ae03d189
      Grygorii Strashko authored
      The am65_cpsw_port_offload_fwd_mark_update() causes NULL exception crash
      when there is at least one disabled port and any other port added to the
      bridge first time.
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000858
      pc : am65_cpsw_port_offload_fwd_mark_update+0x54/0x68
      lr : am65_cpsw_netdevice_event+0x8c/0xf0
      Call trace:
      am65_cpsw_port_offload_fwd_mark_update+0x54/0x68
      notifier_call_chain+0x54/0x98
      raw_notifier_call_chain+0x14/0x20
      call_netdevice_notifiers_info+0x34/0x78
      __netdev_upper_dev_link+0x1c8/0x290
      netdev_master_upper_dev_link+0x1c/0x28
      br_add_if+0x3f0/0x6d0 [bridge]
      
      Fix it by adding proper check for port->ndev != NULL.
      
      Fixes: 2934db9b ("net: ti: am65-cpsw-nuss: Add netdevice notifiers")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae03d189
    • Dan Carpenter's avatar
      bnx2x: fix an error code in bnx2x_nic_load() · fb653827
      Dan Carpenter authored
      Set the error code if bnx2x_alloc_fw_stats_mem() fails.  The current
      code returns success.
      
      Fixes: ad5afc89 ("bnx2x: Separate VF and PF logic")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fb653827