1. 02 Dec, 2020 2 commits
    • Eric Dumazet's avatar
      geneve: pull IP header before ECN decapsulation · 4179b00c
      Eric Dumazet authored
      IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
      IP header is already pulled.
      
      geneve does not ensure this yet.
      
      Fixing this generically in IP_ECN_decapsulate() and
      IP6_ECN_decapsulate() is not possible, since callers
      pass a pointer that might be freed by pskb_may_pull()
      
      syzbot reported :
      
      BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
      BUG: KMSAN: uninit-value in INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
      CPU: 1 PID: 8941 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x21c/0x280 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
       __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
       INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
       geneve_rx+0x2103/0x2980 include/net/inet_ecn.h:306
       geneve_udp_encap_recv+0x105c/0x1340 drivers/net/geneve.c:377
       udp_queue_rcv_one_skb+0x193a/0x1af0 net/ipv4/udp.c:2093
       udp_queue_rcv_skb+0x282/0x1050 net/ipv4/udp.c:2167
       udp_unicast_rcv_skb net/ipv4/udp.c:2325 [inline]
       __udp4_lib_rcv+0x399d/0x5880 net/ipv4/udp.c:2394
       udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
       ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
       ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
       dst_input include/net/dst.h:449 [inline]
       ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
       __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
       __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
       process_backlog+0x523/0xc10 net/core/dev.c:6319
       napi_poll+0x420/0x1010 net/core/dev.c:6763
       net_rx_action+0x35c/0xd40 net/core/dev.c:6833
       __do_softirq+0x1a9/0x6fa kernel/softirq.c:298
       asm_call_irq_on_stack+0xf/0x20
       </IRQ>
       __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
       run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
       do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77
       do_softirq kernel/softirq.c:343 [inline]
       __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195
       local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
       rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
       __dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
       packet_snd net/packet/af_packet.c:2992 [inline]
       packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017
       sock_sendmsg_nosec net/socket.c:651 [inline]
       sock_sendmsg net/socket.c:671 [inline]
       __sys_sendto+0x9dc/0xc80 net/socket.c:1992
       __do_sys_sendto net/socket.c:2004 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:2000
       __x64_sys_sendto+0x6e/0x90 net/socket.c:2000
       do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 2d07dc79 ("geneve: add initial netdev driver for GENEVE tunnels")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20201201090507.4137906-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4179b00c
    • Toke Høiland-Jørgensen's avatar
      inet_ecn: Fix endianness of checksum update when setting ECT(1) · 2867e1ea
      Toke Høiland-Jørgensen authored
      When adding support for propagating ECT(1) marking in IP headers it seems I
      suffered from endianness-confusion in the checksum update calculation: In
      fact the ECN field is in the *lower* bits of the first 16-bit word of the
      IP header when calculating in network byte order. This means that the
      addition performed to update the checksum field was wrong; let's fix that.
      
      Fixes: b7237487 ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040")
      Reported-by: default avatarJonathan Morton <chromatix99@gmail.com>
      Tested-by: default avatarPete Heist <pete@heistp.net>
      Signed-off-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Link: https://lore.kernel.org/r/20201130183705.17540-1-toke@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2867e1ea
  2. 01 Dec, 2020 9 commits
  3. 30 Nov, 2020 5 commits
  4. 28 Nov, 2020 17 commits
  5. 27 Nov, 2020 7 commits
    • Linus Torvalds's avatar
      Merge tag 'asm-generic-fixes-5.10-2' of... · c84e1efa
      Linus Torvalds authored
      Merge tag 'asm-generic-fixes-5.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic
      
      Pull asm-generic fix from Arnd Bergmann:
       "Add correct MAX_POSSIBLE_PHYSMEM_BITS setting to asm-generic.
      
        This is a single bugfix for a bug that Stefan Agner found on 32-bit
        Arm, but that exists on several other architectures"
      
      * tag 'asm-generic-fixes-5.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic:
        arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed
      c84e1efa
    • Linus Torvalds's avatar
      Merge tag 'arm-soc-fixes-v5.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 303bc934
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "Another set of patches for devicetree files and Arm SoC specific
        drivers:
      
         - A fix for OP-TEE shared memory on non-SMP systems
      
         - multiple code fixes for the OMAP platform, including one regression
           for the CPSW network driver and a few runtime warning fixes
      
         - Some DT patches for the Rockchip RK3399 platform, in particular
           fixing the MMC device ordering that recently became
           nondeterministic with async probe.
      
         - Multiple DT fixes for the Tegra platform, including a regression
           fix for suspend/resume on TX2
      
         - A regression fix for a user-triggered fault in the NXP dpio driver
      
         - A regression fix for a bug caused by an earlier bug fix in the
           xilinx firmware driver
      
         - Two more DTC warning fixes
      
         - Sylvain Lemieux steps down as maintainer for the NXP LPC32xx
           platform"
      
      * tag 'arm-soc-fixes-v5.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (24 commits)
        arm64: tegra: Fix Tegra234 VDK node names
        arm64: tegra: Wrong AON HSP reg property size
        arm64: tegra: Fix USB_VBUS_EN0 regulator on Jetson TX1
        arm64: tegra: Correct the UART for Jetson Xavier NX
        arm64: tegra: Disable the ACONNECT for Jetson TX2
        optee: add writeback to valid memory type
        firmware: xilinx: Use hash-table for api feature check
        firmware: xilinx: Fix SD DLL node reset issue
        soc: fsl: dpio: Get the cpumask through cpumask_of(cpu)
        ARM: dts: dra76x: m_can: fix order of clocks
        bus: ti-sysc: suppress err msg for timers used as clockevent/source
        MAINTAINERS: Remove myself as LPC32xx maintainers
        arm64: dts: qcom: clear the warnings caused by empty dma-ranges
        arm64: dts: broadcom: clear the warnings caused by empty dma-ranges
        ARM: dts: am437x-l4: fix compatible for cpsw switch dt node
        arm64: dts: rockchip: Reorder LED triggers from mmc devices on rk3399-roc-pc.
        arm64: dts: rockchip: Assign a fixed index to mmc devices on rk3399 boards.
        arm64: dts: rockchip: Remove system-power-controller from pmic on Odroid Go Advance
        arm64: dts: rockchip: fix NanoPi R2S GMAC clock name
        ARM: OMAP2+: Manage MPU state properly for omap_enter_idle_coupled()
        ...
      303bc934
    • Linus Torvalds's avatar
      Merge tag 'net-5.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 79c0c1f0
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.10-rc6, including fixes from the WiFi driver,
        and CAN subtrees.
      
        Current release - regressions:
      
         - gro_cells: reduce number of synchronize_net() calls
      
         - ch_ktls: release a lock before jumping to an error path
      
        Current release - always broken:
      
         - tcp: Allow full IP tos/IPv6 tclass to be reflected in L3 header
      
        Previous release - regressions:
      
         - net/tls: fix missing received data after fast remote close
      
         - vsock/virtio: discard packets only when socket is really closed
      
         - sock: set sk_err to ee_errno on dequeue from errq
      
         - cxgb4: fix the panic caused by non smac rewrite
      
        Previous release - always broken:
      
         - tcp: fix corner cases around setting ECN with BPF selection of
           congestion control
      
         - tcp: fix race condition when creating child sockets from syncookies
           on loopback interface
      
         - usbnet: ipheth: fix connectivity with iOS 14
      
         - tun: honor IOCB_NOWAIT flag
      
         - net/packet: fix packet receive on L3 devices without visible hard
           header
      
         - devlink: Make sure devlink instance and port are in same net
           namespace
      
         - net: openvswitch: fix TTL decrement action netlink message format
      
         - bonding: wait for sysfs kobject destruction before freeing struct
           slave
      
         - net: stmmac: fix upstream patch applied to the wrong context
      
         - bnxt_en: fix return value and unwind in probe error paths
      
        Misc:
      
         - devlink: add extra layer of categorization to the reload stats uAPI
           before it's released"
      
      * tag 'net-5.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (68 commits)
        sock: set sk_err to ee_errno on dequeue from errq
        mptcp: fix NULL ptr dereference on bad MPJ
        net: openvswitch: fix TTL decrement action netlink message format
        can: af_can: can_rx_unregister(): remove WARN() statement from list operation sanity check
        can: m_can: m_can_dev_setup(): add support for bosch mcan version 3.3.0
        can: m_can: fix nominal bitiming tseg2 min for version >= 3.1
        can: m_can: m_can_open(): remove IRQF_TRIGGER_FALLING from request_threaded_irq()'s flags
        can: mcp251xfd: mcp251xfd_probe(): bail out if no IRQ was given
        can: gs_usb: fix endianess problem with candleLight firmware
        ch_ktls: lock is not freed
        net/tls: Protect from calling tls_dev_del for TLS RX twice
        devlink: Make sure devlink instance and port are in same net namespace
        devlink: Hold rtnl lock while reading netdev attributes
        ptp: clockmatrix: bug fix for idtcm_strverscmp
        enetc: Let the hardware auto-advance the taprio base-time of 0
        gro_cells: reduce number of synchronize_net() calls
        net: stmmac: fix incorrect merge of patch upstream
        ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init
        Documentation: netdev-FAQ: suggest how to post co-dependent series
        ibmvnic: enhance resetting status check during module exit
        ...
      79c0c1f0
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 80e1e176
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Three small fixes in the UFS driver: two are for power management
        issues and the third is to fix a slew of problem in the sysfs code"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ufs: Fix race between shutdown and runtime resume flow
        scsi: ufs: Make sure clk scaling happens only when HBA is runtime ACTIVE
        scsi: ufs: Fix unexpected values from ufshcd_read_desc_param()
      80e1e176
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.10-2020-11-27' of git://git.kernel.dk/linux-block · 9223e74f
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Out of bounds fix for the cq size cap from earlier this release (Joseph)
      
       - iov_iter type check fix (Pavel)
      
       - Files grab + cancelation fix (Pavel)
      
      * tag 'io_uring-5.10-2020-11-27' of git://git.kernel.dk/linux-block:
        io_uring: fix files grab/cancel race
        io_uring: fix ITER_BVEC check
        io_uring: fix shift-out-of-bounds when round up cq size
      9223e74f
    • Linus Torvalds's avatar
      Merge tag 'block-5.10-2020-11-27' of git://git.kernel.dk/linux-block · d021c3e5
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Just a single fix, for a crash in the keyslot manager"
      
      * tag 'block-5.10-2020-11-27' of git://git.kernel.dk/linux-block:
        block/keyslot-manager: prevent crash when num_slots=1
      d021c3e5
    • Linus Torvalds's avatar
      Merge tag 'for-5.10-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · a17a3ca5
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "A few fixes for various warnings that accumulated over past two weeks:
      
         - tree-checker: add missing return values for some errors
      
         - lockdep fixes
            - when reading qgroup config and starting quota rescan
            - reverse order of quota ioctl lock and VFS freeze lock
      
         - avoid accessing potentially stale fs info during device scan,
           reported by syzbot
      
         - add scope NOFS protection around qgroup relation changes
      
         - check for running transaction before flushing qgroups
      
         - fix tracking of new delalloc ranges for some cases"
      
      * tag 'for-5.10-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix lockdep splat when enabling and disabling qgroups
        btrfs: do nofs allocations when adding and removing qgroup relations
        btrfs: fix lockdep splat when reading qgroup config on mount
        btrfs: tree-checker: add missing returns after data_ref alignment checks
        btrfs: don't access possibly stale fs_info data for printing duplicate device
        btrfs: tree-checker: add missing return after error in root_item
        btrfs: qgroup: don't commit transaction when we already hold the handle
        btrfs: fix missing delalloc new bit for new delalloc ranges
      a17a3ca5