1. 26 Jul, 2023 6 commits
    • net: dsa: qca8k: enable use_single_write for qca8xxx · 2c39dd02
      Christian Marangi authored
      The qca8xxx switch supports 2 ways to write reg values, a slow way using
      mdio and a fast way by sending specially crafted mgmt packets to
      read/write regs.
      
      The fast way can support up to 32 bytes of data as eth packets are used
      to send/receive.
      
      This correctly works for almost the entire regmap of the switch, but with
      the use of some kernel selftests for dsa drivers a funny and interesting
      hw defect/limitation was found.
      
      For some specific regs, bulk write won't work and will result in writing
      only part of the requested regs, with only half of the data written. This was
      especially hard to track and discover due to the total strangeness of
      the problem and also the specific regs where this occurs.
      
      This occurs in the specific regs of the ATU table, where multiple entries
      need to be written to compose the entire entry.
      It was discovered that with a bulk write of 12 bytes on
      QCA8K_REG_ATU_DATA0 only QCA8K_REG_ATU_DATA0 and QCA8K_REG_ATU_DATA2
      were written, but QCA8K_REG_ATU_DATA1 was always zero.
      Tcpdump was used to make sure the specially crafted packet was correct
      and this was confirmed.
      
      The problem was hard to track as the lack of QCA8K_REG_ATU_DATA1
      resulted in an entry somehow possible as the first bytes of the mac
      address are set in QCA8K_REG_ATU_DATA0 and the entry type is set in
      QCA8K_REG_ATU_DATA2.
      
      Funnily enough, writing QCA8K_REG_ATU_DATA1 results in the same problem
      with QCA8K_REG_ATU_DATA2 empty and QCA8K_REG_ATU_DATA1 and
      QCA8K_REG_ATU_FUNC correctly written.
      A speculation on the problem might be that there are some kind of
      indirection internally when accessing these regs and they can't be
      accessed all together, due to the fact that it's really a table mapped
      somewhere in the switch SRAM.
      
      Even more funny is the fact that every other reg was tested with all
      kinds of combinations and they are not affected by this problem. Read
      operations were also tested and always worked, so they are not affected
      by this problem.
      
      The problem is not present if we limit writes to a single reg at a time.
      
      To handle this hardware defect, enable use_single_write so that the bulk
      API can correctly split the write into multiple separate operations,
      effectively reverting to a non-bulk write.
      
      Cc: Mark Brown <broonie@kernel.org>
      Fixes: c766e077 ("net: dsa: qca8k: convert to regmap read/write API")
      Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipa: only reset hashed tables when supported · e11ec2b8
      Alex Elder authored
      Last year, the code that manages GSI channel transactions switched
      from using spinlock-protected linked lists to using indexes into the
      ring buffer used for a channel.  Recently, Google reported seeing
      transaction reference count underflows occasionally during shutdown.
      
      Doug Anderson found a way to reproduce the issue reliably, and
      bisected the issue to the commit that eliminated the linked lists
      and the lock.  The root cause was ultimately determined to be
      related to unused transactions being committed as part of the modem
      shutdown cleanup activity.  Unused transactions are not normally
      expected (except in error cases).
      
      The modem uses some ranges of IPA-resident memory, and whenever it
      shuts down we zero those ranges.  In ipa_filter_reset_table() a
      transaction is allocated to zero modem filter table entries.  If
      hashing is not supported, hashed table memory should not be zeroed.
      But currently nothing prevents that, and the result is an unused
      transaction.  Something similar occurs when we zero routing table
      entries for the modem.
      
      By preventing any attempt to clear hashed tables when hashing is not
      supported, the reference count underflow is avoided in this case.
      
      Note that there likely remains an issue with properly freeing unused
      transactions (if they occur due to errors).  This patch addresses
      only the underflows that Google originally reported.
      
      Cc: <stable@vger.kernel.org> # 6.1.x
      Fixes: d338ae28 ("net: ipa: kill all other transaction lists")
      Tested-by: Douglas Anderson <dianders@chromium.org>
      Signed-off-by: Alex Elder <elder@linaro.org>
      Link: https://lore.kernel.org/r/20230724224055.1688854-1-elder@linaro.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch 'net-fix-error-warning-by-fstrict-flex-arrays-3' · a49441c9
      Jakub Kicinski authored
      Kuniyuki Iwashima says:
      
      ====================
      net: Fix error/warning by -fstrict-flex-arrays=3.
      
      df8fc4e9 ("kbuild: Enable -fstrict-flex-arrays=3") started applying
      strict rules for standard string functions (strlen(), memcpy(), etc.) if
      CONFIG_FORTIFY_SOURCE=y.
      
      This series fixes two false positives caught by syzkaller.
      
      v2: https://lore.kernel.org/netdev/20230720004410.87588-1-kuniyu@amazon.com/
      v1: https://lore.kernel.org/netdev/20230719185322.44255-1-kuniyu@amazon.com/
      ====================
      
      Link: https://lore.kernel.org/r/20230724213425.22920-1-kuniyu@amazon.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • af_packet: Fix warning of fortified memcpy() in packet_getname(). · a0ade840
      Kuniyuki Iwashima authored
      syzkaller found a warning in packet_getname() [0], where we try to
      copy 16 bytes to sockaddr_ll.sll_addr[8].
      
      Some devices (ip6gre, vti6, ip6tnl) have a 16-byte address expressed
      by struct in6_addr.  Also, Infiniband has 32 bytes as MAX_ADDR_LEN.
      
      The write seems to overflow, but actually does not, since we use struct
      sockaddr_storage defined in __sys_getsockname() and its size is 128
      (_K_SS_MAXSIZE) bytes.  Thus, we have sufficient room after sll_addr[]
      as __data[].
      
      To avoid the warning, let's add a flex array member union-ed with
      sll_addr.
      
      Another option would be to use strncpy() and limit the copied length
      to sizeof(sll_addr), but it will return the partial address and break
      an application that passes sockaddr_storage to getsockname().
      
      [0]:
      memcpy: detected field-spanning write (size 16) of single field "sll->sll_addr" at net/packet/af_packet.c:3604 (size 8)
      WARNING: CPU: 0 PID: 255 at net/packet/af_packet.c:3604 packet_getname+0x25c/0x3a0 net/packet/af_packet.c:3604
      Modules linked in:
      CPU: 0 PID: 255 Comm: syz-executor750 Not tainted 6.5.0-rc1-00330-g60cc1f7d #4
      Hardware name: linux,dummy-virt (DT)
      pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : packet_getname+0x25c/0x3a0 net/packet/af_packet.c:3604
      lr : packet_getname+0x25c/0x3a0 net/packet/af_packet.c:3604
      sp : ffff800089887bc0
      x29: ffff800089887bc0 x28: ffff000010f80f80 x27: 0000000000000003
      x26: dfff800000000000 x25: ffff700011310f80 x24: ffff800087d55000
      x23: dfff800000000000 x22: ffff800089887c2c x21: 0000000000000010
      x20: ffff00000de08310 x19: ffff800089887c20 x18: ffff800086ab1630
      x17: 20646c6569662065 x16: 6c676e697320666f x15: 0000000000000001
      x14: 1fffe0000d56d7ca x13: 0000000000000000 x12: 0000000000000000
      x11: 0000000000000000 x10: 0000000000000000 x9 : 3e60944c3da92b00
      x8 : 3e60944c3da92b00 x7 : 0000000000000001 x6 : 0000000000000001
      x5 : ffff8000898874f8 x4 : ffff800086ac99e0 x3 : ffff8000803f8808
      x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
      Call trace:
       packet_getname+0x25c/0x3a0 net/packet/af_packet.c:3604
       __sys_getsockname+0x168/0x24c net/socket.c:2042
       __do_sys_getsockname net/socket.c:2057 [inline]
       __se_sys_getsockname net/socket.c:2054 [inline]
       __arm64_sys_getsockname+0x7c/0x94 net/socket.c:2054
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
       el0_svc_common+0x134/0x240 arch/arm64/kernel/syscall.c:139
       do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:188
       el0_svc+0x2c/0x7c arch/arm64/kernel/entry-common.c:647
       el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
       el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
      
      Fixes: df8fc4e9 ("kbuild: Enable -fstrict-flex-arrays=3")
      Reported-by: syzkaller <syzkaller@googlegroups.com>
      Suggested-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20230724213425.22920-3-kuniyu@amazon.com
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
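The union trick described in the commit above, as an added userspace example (not the kernel's code and not part of the original commit): a struct shaped like sockaddr_ll gets a flexible array member that aliases the 8-byte sll_addr, and a getname-style helper writes a 16-byte address through it into a caller-supplied sockaddr_storage, so the copy targets a flexible member rather than overrunning a fixed field. The names demo_sockaddr_ll, demo_packet_getname, demo_flex_aliases_addr, demo_roundtrip and the sample address bytes are assumptions made for this example; the 8-byte sll_addr, 32-byte MAX_ADDR_LEN and 128-byte sockaddr_storage are the sizes the commit message gives, and the empty-struct sibling mirrors the kernel's DECLARE_FLEX_ARRAY() way of placing a flexible array in a union.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define DEMO_MAX_ADDR_LEN 32	/* MAX_ADDR_LEN: largest hardware address (Infiniband) */

/* Userspace mirror of struct sockaddr_ll with the fix applied (demo layout,
 * not the kernel's header). sll_addr keeps its 8-byte UAPI size; the kernel
 * copies through sll_addr_flex instead, so a fortified memcpy() sees a
 * flexible array rather than an 8-byte field being overrun. The empty sibling
 * struct is the DECLARE_FLEX_ARRAY() trick that lets a flexible array member
 * live inside a union (GNU C extension, as in the kernel). */
struct demo_sockaddr_ll {
	unsigned short sll_family;
	unsigned short sll_protocol;
	int            sll_ifindex;
	unsigned short sll_hatype;
	unsigned char  sll_pkttype;
	unsigned char  sll_halen;
	union {
		unsigned char sll_addr[8];
		struct {
			struct { } __empty_sll_addr_flex;
			unsigned char sll_addr_flex[];
		};
	};
};

/* Same shape as packet_getname(): fill the caller's sockaddr_storage and
 * return the length getsockname() reports, or -1 if halen is impossible. */
static int demo_packet_getname(struct sockaddr_storage *ss,
			       const unsigned char *hwaddr, unsigned char halen)
{
	struct demo_sockaddr_ll *sll = (struct demo_sockaddr_ll *)ss;

	if (halen > DEMO_MAX_ADDR_LEN)
		return -1;
	memset(ss, 0, sizeof(*ss));		/* 128 bytes: room past sll_addr[8] */
	sll->sll_family = AF_PACKET;
	sll->sll_halen  = halen;
	memcpy(sll->sll_addr_flex, hwaddr, halen);	/* 16 bytes for ip6gre etc. */
	return (int)(offsetof(struct demo_sockaddr_ll, sll_addr) + halen);
}

/* Layout check: the flex member must start exactly where sll_addr does (or
 * userspace reading sll_addr would see a shifted address), and the longest
 * address must still fit inside sockaddr_storage. */
static int demo_flex_aliases_addr(void)
{
	return offsetof(struct demo_sockaddr_ll, sll_addr_flex) ==
		       offsetof(struct demo_sockaddr_ll, sll_addr) &&
	       offsetof(struct demo_sockaddr_ll, sll_addr) + DEMO_MAX_ADDR_LEN <=
		       sizeof(struct sockaddr_storage);
}

/* Round trip with a constructed address: report the length and verify the
 * bytes landed contiguously at sll_addr. Returns the length, -1 for a bad
 * halen, -2 if the copied bytes do not match the input. */
static int demo_roundtrip(unsigned char halen)
{
	/* constructed sample: link-local-looking bytes, zero padded to 32 */
	static const unsigned char sample[DEMO_MAX_ADDR_LEN] = {
		0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0x02, 0x11, 0x22, 0xff, 0xfe, 0x33, 0x44, 0x55,
	};
	struct sockaddr_storage ss;
	int len = demo_packet_getname(&ss, sample, halen);

	if (len < 0)
		return len;
	if (memcmp((const unsigned char *)&ss + offsetof(struct demo_sockaddr_ll, sll_addr),
		   sample, halen) != 0)
		return -2;
	return len;
}

int main(void)
{
	printf("flex member aliases sll_addr: %d\n", demo_flex_aliases_addr());
	printf("getname length for a 16-byte address: %d\n", demo_roundtrip(16));
	printf("getname length for a 32-byte address: %d\n", demo_roundtrip(32));
	return 0;
}
```

The returned length is offsetof(sll_addr) + halen, which is 28 for a 16-byte address: larger than sizeof(struct sockaddr_ll), exactly as the commit says an application passing a sockaddr_storage to getsockname() expects, and why truncating to sizeof(sll_addr) would have broken it.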
    • af_unix: Fix fortify_panic() in unix_bind_bsd(). · 06d4c8a8
      Kuniyuki Iwashima authored
      syzkaller found a bug in unix_bind_bsd() [0].  We can reproduce it
      by bind()ing a socket on a path with length 108.
      
      108 is the size of sun_addr of struct sockaddr_un and is the maximum
      valid length for the pathname socket.  When calling bind(), we use
      struct sockaddr_storage as the actual buffer size, so terminating
      sun_addr[108] with null is legitimate as done in unix_mkname_bsd().
      
      However, strlen(sunaddr) for such a case causes fortify_panic() if
      CONFIG_FORTIFY_SOURCE=y.  __fortify_strlen() has no idea about the
      actual buffer size and sees the string as unterminated.
      
      Let's use strnlen() to allow sun_addr to be unterminated at 107.
      
      [0]:
      detected buffer overflow in __fortify_strlen
      kernel BUG at lib/string_helpers.c:1031!
      Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 0 PID: 255 Comm: syz-executor296 Not tainted 6.5.0-rc1-00330-g60cc1f7d #4
      Hardware name: linux,dummy-virt (DT)
      pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : fortify_panic+0x1c/0x20 lib/string_helpers.c:1030
      lr : fortify_panic+0x1c/0x20 lib/string_helpers.c:1030
      sp : ffff800089817af0
      x29: ffff800089817af0 x28: ffff800089817b40 x27: 1ffff00011302f68
      x26: 000000000000006e x25: 0000000000000012 x24: ffff800087e60140
      x23: dfff800000000000 x22: ffff800089817c20 x21: ffff800089817c8e
      x20: 000000000000006c x19: ffff00000c323900 x18: ffff800086ab1630
      x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000001
      x14: 1ffff00011302eb8 x13: 0000000000000000 x12: 0000000000000000
      x11: 0000000000000000 x10: 0000000000000000 x9 : 64a26b65474d2a00
      x8 : 64a26b65474d2a00 x7 : 0000000000000001 x6 : 0000000000000001
      x5 : ffff800089817438 x4 : ffff800086ac99e0 x3 : ffff800080f19e8c
      x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000002c
      Call trace:
       fortify_panic+0x1c/0x20 lib/string_helpers.c:1030
       _Z16__fortify_strlenPKcU25pass_dynamic_object_size1 include/linux/fortify-string.h:217 [inline]
       unix_bind_bsd net/unix/af_unix.c:1212 [inline]
       unix_bind+0xba8/0xc58 net/unix/af_unix.c:1326
       __sys_bind+0x1ac/0x248 net/socket.c:1792
       __do_sys_bind net/socket.c:1803 [inline]
       __se_sys_bind net/socket.c:1801 [inline]
       __arm64_sys_bind+0x7c/0x94 net/socket.c:1801
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
       el0_svc_common+0x134/0x240 arch/arm64/kernel/syscall.c:139
       do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:188
       el0_svc+0x2c/0x7c arch/arm64/kernel/entry-common.c:647
       el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
       el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
      Code: aa0003e1 d0000e80 91030000 97ffc91a (d4210000)
      
      Fixes: df8fc4e9 ("kbuild: Enable -fstrict-flex-arrays=3")
      Reported-by: syzkaller <syzkaller@googlegroups.com>
      Suggested-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20230724213425.22920-2-kuniyu@amazon.com
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
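The length computation the commit above fixes, as an added userspace example (not the kernel's code and not part of the original commit): a mkname-style helper copies a pathname into a sockaddr_storage-sized buffer and writes the terminating NUL right after addr_len bytes, which for a 108-byte path lands one past the declared array; the length is then taken with strnlen() bounded by sizeof(sun_path), so the terminator outside the array never has to be read. demo_mkname_bsd, demo_bsd_pathlen and demo_bind_pathlen are names chosen for this example; struct sockaddr_un and its 108-byte path array come from <sys/un.h>, where the field is called sun_path (the commit message calls it sun_addr). Abstract (leading NUL) addresses are outside what this example models.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Copy a pathname address into a sockaddr_storage-sized buffer the way the
 * bind() path does: validate addr_len against sizeof(struct sockaddr_un),
 * then NUL-terminate at byte addr_len. For a 108-byte path that NUL lands at
 * sun_path[108], slack inside the 128-byte storage but one past the declared
 * array. Returns addr_len, or -1 for an invalid length (EINVAL in the kernel). */
static int demo_mkname_bsd(struct sockaddr_storage *ss, const char *path,
			   size_t path_len)
{
	struct sockaddr_un *sunaddr = (struct sockaddr_un *)ss;
	size_t addr_len = offsetof(struct sockaddr_un, sun_path) + path_len;

	if (path_len == 0 || addr_len > sizeof(struct sockaddr_un))
		return -1;
	memset(ss, 0, sizeof(*ss));
	sunaddr->sun_family = AF_UNIX;
	memcpy(sunaddr->sun_path, path, path_len);
	((char *)sunaddr)[addr_len] = '\0';	/* may be sun_path[108] */
	return (int)addr_len;
}

/* The fixed computation: strnlen() bounded by the array size returns 108 for
 * a full-length path without ever touching the terminator beyond the array,
 * which is the read a fortified strlen() refuses to make. */
static size_t demo_bsd_pathlen(const struct sockaddr_storage *ss)
{
	const struct sockaddr_un *sunaddr = (const struct sockaddr_un *)ss;

	return strnlen(sunaddr->sun_path, sizeof(sunaddr->sun_path));
}

/* Bind a constructed path of n 'a' characters and report the path length the
 * kernel would compute, or -1 if the address is rejected. */
static int demo_bind_pathlen(size_t n)
{
	char path[128];				/* constructed input, no NUL */
	struct sockaddr_storage ss;

	if (n >= sizeof(path))
		return -1;
	memset(path, 'a', n);
	if (demo_mkname_bsd(&ss, path, n) < 0)
		return -1;
	return (int)demo_bsd_pathlen(&ss);
}

int main(void)
{
	printf("108-byte path: %d\n", demo_bind_pathlen(108));	/* accepted */
	printf("109-byte path: %d\n", demo_bind_pathlen(109));	/* rejected */
	return 0;
}
```

A path of 107 bytes or fewer is NUL-terminated inside sun_path and both strlen() and strnlen() agree; only the maximum-length case differs, which is why the fortified strlen() only fired for addr_len == sizeof(struct sockaddr_un).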
    • macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF · 55cef78c
      Lin Ma authored
      The previous commit 954d1fa1 ("macvlan: Add netlink attribute for
      broadcast cutoff") added one additional attribute named
      IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutoff.
      
      However, it forgot to describe the nla_policy at macvlan_policy
      (drivers/net/macvlan.c). Hence, this supposed NLA_S32 (4 bytes) integer
      can be faked as empty (0 bytes) by a malicious user, which could lead
      to an OOB in the heap just like CVE-2023-3773.
      
      To fix it, this commit just completes the nla_policy description for
      IFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the
      potential OOB read.
      
      Fixes: 954d1fa1 ("macvlan: Add netlink attribute for broadcast cutoff")
      Signed-off-by: Lin Ma <linma@zju.edu.cn>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230723080205.3715164-1-linma@zju.edu.cn
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
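The check that the missing policy entry skipped, as an added userspace model (not the kernel's nla_parse() or macvlan.c, and not part of the original commit): a tiny netlink attribute parser validates each attribute's payload length against a policy table, and a crafted attribute whose nla_len covers only the 4-byte header is run against a policy with the entry missing and one with it declared NLA_S32. All names (demo_nla_parse, demo_changelink, demo_run, DEMO_BC_CUTOFF, policy_before, policy_after) and the message bytes are constructed for this example; the attribute header layout and 4-byte alignment follow the netlink wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal model of netlink attribute framing (demo code, not the kernel's). */
struct nlattr {
	uint16_t nla_len;	/* header + payload, before padding */
	uint16_t nla_type;
};
#define NLA_ALIGNTO	4
#define NLA_ALIGN(len)	(((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN	((int)NLA_ALIGN(sizeof(struct nlattr)))
#define DEMO_EINVAL	22

/* Attribute ids for the model (stand-ins for IFLA_MACVLAN_*). */
enum { DEMO_UNSPEC, DEMO_MODE, DEMO_BC_CUTOFF, __DEMO_MAX };
#define DEMO_MAX (__DEMO_MAX - 1)

enum demo_nla_kind { NLA_UNSPEC = 0, NLA_U32, NLA_S32 };
struct demo_nla_policy { enum demo_nla_kind type; };

/* Minimum payload per policy type. A missing table entry is zero-initialised,
 * i.e. NLA_UNSPEC, which demands nothing: that is the bug. */
static const size_t demo_min_len[] = { [NLA_UNSPEC] = 0, [NLA_U32] = 4, [NLA_S32] = 4 };
static const struct demo_nla_policy policy_before[DEMO_MAX + 1] = {	/* entry missing */
	[DEMO_MODE] = { .type = NLA_U32 },
};
static const struct demo_nla_policy policy_after[DEMO_MAX + 1] = {	/* the fix */
	[DEMO_MODE]      = { .type = NLA_U32 },
	[DEMO_BC_CUTOFF] = { .type = NLA_S32 },
};

/* Append one attribute (header, payload, pad to 4) to buf; returns new length. */
static size_t demo_put_attr(unsigned char *buf, size_t len, uint16_t type,
			    const void *data, uint16_t dlen)
{
	struct nlattr hdr = { .nla_len = (uint16_t)(NLA_HDRLEN + dlen), .nla_type = type };

	memcpy(buf + len, &hdr, sizeof(hdr));
	if (dlen)
		memcpy(buf + len + NLA_HDRLEN, data, dlen);
	memset(buf + len + NLA_HDRLEN + dlen, 0, NLA_ALIGN(dlen) - dlen);
	return len + NLA_ALIGN(hdr.nla_len);
}

/* Walk the stream into tb[] (pointer to each attribute's header), rejecting
 * framing errors and any payload shorter than the policy minimum. 0 or -EINVAL. */
static int demo_nla_parse(const unsigned char *tb[], const unsigned char *buf,
			  size_t len, const struct demo_nla_policy *policy)
{
	size_t off = 0;

	memset(tb, 0, sizeof(*tb) * (DEMO_MAX + 1));
	while (off + sizeof(struct nlattr) <= len) {
		struct nlattr hdr;

		memcpy(&hdr, buf + off, sizeof(hdr));
		if (hdr.nla_len < NLA_HDRLEN || off + hdr.nla_len > len)
			return -DEMO_EINVAL;
		if (hdr.nla_type <= DEMO_MAX) {
			if ((size_t)(hdr.nla_len - NLA_HDRLEN) < demo_min_len[policy[hdr.nla_type].type])
				return -DEMO_EINVAL;	/* the check the fix restores */
			tb[hdr.nla_type] = buf + off;
		}
		off += NLA_ALIGN(hdr.nla_len);
	}
	return 0;
}

/* Consumer side, like macvlan_changelink(): nla_get_s32() trusts the policy
 * and reads 4 bytes past the header unconditionally. Returns -EINVAL if the
 * parse rejected the message, otherwise how many of those 4 bytes lie beyond
 * the attribute's own nla_len (0 for a well-formed attribute). */
static int demo_changelink(const unsigned char *msg, size_t len,
			   const struct demo_nla_policy *policy, int32_t *cutoff)
{
	const unsigned char *tb[DEMO_MAX + 1];
	struct nlattr hdr;
	int err = demo_nla_parse(tb, msg, len, policy);

	if (err)
		return err;
	if (!tb[DEMO_BC_CUTOFF])
		return 0;
	memcpy(cutoff, tb[DEMO_BC_CUTOFF] + NLA_HDRLEN, sizeof(*cutoff));
	memcpy(&hdr, tb[DEMO_BC_CUTOFF], sizeof(hdr));
	return hdr.nla_len < NLA_HDRLEN + 4 ? NLA_HDRLEN + 4 - hdr.nla_len : 0;
}

/* Build a one-attribute message carrying dlen bytes of DEMO_BC_CUTOFF payload
 * (dlen == 0 is the crafted empty attribute) and run it through the consumer.
 * The 64-byte scratch buffer keeps the demonstration's over-read inside memory
 * we own; in the kernel it reads whatever follows the attribute in the skb. */
static int demo_run(const struct demo_nla_policy *policy, const void *payload,
		    uint16_t dlen, int32_t *out)
{
	unsigned char buf[64] = { 0 };
	size_t len = demo_put_attr(buf, 0, DEMO_BC_CUTOFF, payload, dlen);

	return demo_changelink(buf, len, policy, out);
}
```

With policy_before the empty attribute parses cleanly and the consumer's 4-byte read extends 4 bytes past the attribute, the over-read the commit describes; with policy_after the same message is rejected with -EINVAL before any consumer runs, while a well-formed 4-byte attribute passes both policies unchanged.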
  2. 25 Jul, 2023 8 commits
  3. 24 Jul, 2023 15 commits
  4. 23 Jul, 2023 1 commit
  5. 22 Jul, 2023 1 commit
  6. 21 Jul, 2023 3 commits
  7. 20 Jul, 2023 6 commits
    • Merge tag 'net-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 57f1f9dd
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from BPF, netfilter, bluetooth and CAN.
      
        Current release - regressions:
      
         - eth: r8169: multiple fixes for PCIe ASPM-related problems
      
         - vrf: fix RCU lockdep splat in output path
      
        Previous releases - regressions:
      
         - gso: fall back to SW segmenting with GSO_UDP_L4 dodgy bit set
      
         - dsa: mv88e6xxx: do a final check before timing out when polling
      
         - nf_tables: fix sleep in atomic in nft_chain_validate
      
        Previous releases - always broken:
      
         - sched: fix undoing tcf_bind_filter() in multiple classifiers
      
         - bpf, arm64: fix BTI type used for freplace attached functions
      
         - can: gs_usb: fix time stamp counter initialization
      
         - nft_set_pipapo: fix improper element removal (leading to UAF)
      
        Misc:
      
         - net: support STP on bridge in non-root netns, STP prevents packet
           loops so not supporting it results in freezing systems of
           unsuspecting users, and in turn very upset noises being made
      
         - fix kdoc warnings
      
         - annotate various bits of TCP state to prevent data races"
      
      * tag 'net-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (95 commits)
        net: phy: prevent stale pointer dereference in phy_init()
        tcp: annotate data-races around fastopenq.max_qlen
        tcp: annotate data-races around icsk->icsk_user_timeout
        tcp: annotate data-races around tp->notsent_lowat
        tcp: annotate data-races around rskq_defer_accept
        tcp: annotate data-races around tp->linger2
        tcp: annotate data-races around icsk->icsk_syn_retries
        tcp: annotate data-races around tp->keepalive_probes
        tcp: annotate data-races around tp->keepalive_intvl
        tcp: annotate data-races around tp->keepalive_time
        tcp: annotate data-races around tp->tsoffset
        tcp: annotate data-races around tp->tcp_tx_delay
        Bluetooth: MGMT: Use correct address for memcpy()
        Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014
        Bluetooth: SCO: fix sco_conn related locking and validity issues
        Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
        Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
        Bluetooth: coredump: fix building with coredump disabled
        Bluetooth: ISO: fix iso_conn related locking and validity issues
        Bluetooth: hci_event: call disconnect callback before deleting conn
        ...
    • Merge tag 'for-net-2023-07-20' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 75d42b35
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fix building with coredump disabled
       - Fix use-after-free in hci_remove_adv_monitor
       - Use RCU for hci_conn_params and iterate safely in hci_sync
       - Fix locking issues on ISO and SCO
       - Fix bluetooth on Intel Macbook 2014
      
      * tag 'for-net-2023-07-20' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: MGMT: Use correct address for memcpy()
        Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014
        Bluetooth: SCO: fix sco_conn related locking and validity issues
        Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
        Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
        Bluetooth: coredump: fix building with coredump disabled
        Bluetooth: ISO: fix iso_conn related locking and validity issues
        Bluetooth: hci_event: call disconnect callback before deleting conn
        Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
      ====================
      
      Link: https://lore.kernel.org/r/20230720190201.446469-1-luiz.dentz@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'nf-23-07-20' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 9b39f758
      Jakub Kicinski authored
      Florian Westphal says:
      
      ====================
      Netfilter fixes for net:
      
      The following patchset contains Netfilter fixes for net:
      
      1. Fix spurious -EEXIST error from userspace due to
         padding holes, this was broken since 4.9 days
         when 'ignore duplicate entries on insert' feature was
         added.
      
      2. Fix a sched-while-atomic bug, present since 5.19.
      
      3. Properly remove elements if they lack an "end range".
         nft userspace always sets an end range attribute, even
         when it's the same as the start, but the abi doesn't
         have such a restriction. Always broken since it was
         added in 5.6, all three from myself.
      
      4 + 5: Bound chain needs to be skipped in netns release
         and on rule flush paths, from Pablo Neira.
      
      * tag 'nf-23-07-20' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: skip bound chain on rule flush
        netfilter: nf_tables: skip bound chain in netns release path
        netfilter: nft_set_pipapo: fix improper element removal
        netfilter: nf_tables: can't schedule in nft_chain_validate
        netfilter: nf_tables: fix spurious set element insertion failure
      ====================
      
      Link: https://lore.kernel.org/r/20230720165143.30208-1-fw@strlen.de
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: phy: prevent stale pointer dereference in phy_init() · 1c613bea
      Vladimir Oltean authored
      mdio_bus_init() and phy_driver_register() both have error paths, and if
      those are ever hit, ethtool will have a stale pointer to the
      phy_ethtool_phy_ops stub structure, which references memory from a
      module that failed to load (phylib).
      
      It is probably hard to force an error in this code path even manually,
      but the error teardown path of phy_init() should be the same as
      phy_exit(), which is now simply not the case.
      
      Fixes: 55d8f053 ("net: phy: Register ethtool PHY operations")
      Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/
      Suggested-by: Russell King (Oracle) <linux@armlinux.org.uk>
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch 'tcp-add-missing-annotations' · 7998c0ad
      Jakub Kicinski authored
      Eric Dumazet says:
      
      ====================
      tcp: add missing annotations
      
      This series was inspired by one syzbot (KCSAN) report.
      
      do_tcp_getsockopt() does not lock the socket, we need to
      annotate most of the reads there (and other places as well).
      
      This is a first round, another series will come later.
      ====================
      
      Link: https://lore.kernel.org/r/20230719212857.3943972-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: annotate data-races around fastopenq.max_qlen · 70f360dd
      Eric Dumazet authored
      This field can be read locklessly.
      
      Fixes: 1536e285 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>