1. 21 Oct, 2022 6 commits
    • taozhang's avatar
      wifi: mac80211: fix memory free error when registering wiphy fail · 50b2e871
      taozhang authored
      ieee80211_register_hw free the allocated cipher suites when
      registering wiphy fail, and ieee80211_free_hw will re-free it.
      
      set wiphy_ciphers_allocated to false after freeing allocated
      cipher suites.
      Signed-off-by: default avatartaozhang <taozhang@bestechnic.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      50b2e871
    • Johannes Berg's avatar
      wifi: cfg80211: silence a sparse RCU warning · 03c0ad4b
      Johannes Berg authored
      All we're going to do with this pointer is assign it to
      another __rcu pointer, but sparse can't see that, so
      use rcu_access_pointer() to silence the warning here.
      
      Fixes: c90b93b5 ("wifi: cfg80211: update hidden BSSes to avoid WARN_ON")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      03c0ad4b
    • Jason A. Donenfeld's avatar
      wifi: rt2x00: use explicitly signed or unsigned types · 66063033
      Jason A. Donenfeld authored
      On some platforms, `char` is unsigned, but this driver, for the most
      part, assumed it was signed. In other places, it uses `char` to mean an
      unsigned number, but only in cases when the values are small. And in
      still other places, `char` is used as a boolean. Put an end to this
      confusion by declaring explicit types, depending on the context.
      
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Stanislaw Gruszka <stf_xl@wp.pl>
      Cc: Helmut Schaa <helmut.schaa@googlemail.com>
      Cc: Kalle Valo <kvalo@kernel.org>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarStanislaw Gruszka <stf_xl@wp.pl>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221019155541.3410813-1-Jason@zx2c4.com
      66063033
    • Linus Torvalds's avatar
      Merge tag 'net-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 6d36c728
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from netfilter.
      
        Current release - regressions:
      
         - revert "net: fix cpu_max_bits_warn() usage in
           netif_attrmask_next{,_and}"
      
         - revert "net: sched: fq_codel: remove redundant resource cleanup in
           fq_codel_init()"
      
         - dsa: uninitialized variable in dsa_slave_netdevice_event()
      
         - eth: sunhme: uninitialized variable in happy_meal_init()
      
        Current release - new code bugs:
      
         - eth: octeontx2: fix resource not freed after malloc
      
        Previous releases - regressions:
      
         - sched: fix return value of qdisc ingress handling on success
      
         - sched: fix race condition in qdisc_graft()
      
         - udp: update reuse->has_conns under reuseport_lock.
      
         - tls: strp: make sure the TCP skbs do not have overlapping data
      
         - hsr: avoid possible NULL deref in skb_clone()
      
         - tipc: fix an information leak in tipc_topsrv_kern_subscr
      
         - phylink: add mac_managed_pm in phylink_config structure
      
         - eth: i40e: fix DMA mappings leak
      
         - eth: hyperv: fix a RX-path warning
      
         - eth: mtk: fix memory leaks
      
        Previous releases - always broken:
      
         - sched: cake: fix null pointer access issue when cake_init() fails"
      
      * tag 'net-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (43 commits)
        net: phy: dp83822: disable MDI crossover status change interrupt
        net: sched: fix race condition in qdisc_graft()
        net: hns: fix possible memory leak in hnae_ae_register()
        wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new()
        sfc: include vport_id in filter spec hash and equal()
        genetlink: fix kdoc warnings
        selftests: add selftest for chaining of tc ingress handling to egress
        net: Fix return value of qdisc ingress handling on success
        net: sched: sfb: fix null pointer access issue when sfb_init() fails
        Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()"
        net: sched: cake: fix null pointer access issue when cake_init() fails
        ethernet: marvell: octeontx2 Fix resource not freed after malloc
        netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements
        netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.
        ionic: catch NULL pointer issue on reconfig
        net: hsr: avoid possible NULL deref in skb_clone()
        bnxt_en: fix memory leak in bnxt_nvm_test()
        ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed
        udp: Update reuse->has_conns under reuseport_lock.
        net: ethernet: mediatek: ppe: Remove the unused function mtk_foe_entry_usable()
        ...
      6d36c728
    • Linus Torvalds's avatar
      Merge tag 'ata-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · c7b00652
      Linus Torvalds authored
      Pull ata fixes from Damien Le Moal:
       "Several minor fixes:
      
         - Fix the module alias for the ahci_imx driver to get autoloading to
           work (Alexander)
      
         - Fix a potential array-index-out-of-bounds problem with the
           enclosure managment support in the ahci driver (Kai-Heng)
      
         - Several patches to fix compilation warnings thrown by clang in the
           ahci_st, sata_rcar, ahci_brcm, ahci_xgene, ahci_imx and ahci_qoriq
           drivers (me)"
      
      * tag 'ata-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: ahci_qoriq: Fix compilation warning
        ata: ahci_imx: Fix compilation warning
        ata: ahci_xgene: Fix compilation warning
        ata: ahci_brcm: Fix compilation warning
        ata: sata_rcar: Fix compilation warning
        ata: ahci_st: Fix compilation warning
        ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
        ata: ahci-imx: Fix MODULE_ALIAS
      c7b00652
    • Linus Torvalds's avatar
      Merge tag 'for-6.1/dm-changes-v2' of... · a3ccea6e
      Linus Torvalds authored
      Merge tag 'for-6.1/dm-changes-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper updates from Mike Snitzer:
      
       - Fix dm-bufio to use test_bit_acquire to properly test_bit on arches
         with weaker memory ordering.
      
       - DM core replace DMWARN with DMERR or DMCRIT for fatal errors.
      
       - Enable WQ_HIGHPRI on DM verity target's verify_wq.
      
       - Add documentation for DM verity's try_verify_in_tasklet option.
      
       - Various typo and redundant word fixes in code and/or comments.
      
      * tag 'for-6.1/dm-changes-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm clone: Fix typo in block_device format specifier
        dm: remove unnecessary assignment statement in alloc_dev()
        dm verity: Add documentation for try_verify_in_tasklet option
        dm cache: delete the redundant word 'each' in comment
        dm raid: fix typo in analyse_superblocks code comment
        dm verity: enable WQ_HIGHPRI on verify_wq
        dm raid: delete the redundant word 'that' in comment
        dm: change from DMWARN to DMERR or DMCRIT for fatal errors
        dm bufio: use the acquire memory barrier when testing for B_READING
      a3ccea6e
  2. 20 Oct, 2022 5 commits
    • Felix Riemann's avatar
      net: phy: dp83822: disable MDI crossover status change interrupt · 7f378c03
      Felix Riemann authored
      If the cable is disconnected the PHY seems to toggle between MDI and
      MDI-X modes. With the MDI crossover status interrupt active this causes
      roughly 10 interrupts per second.
      
      As the crossover status isn't checked by the driver, the interrupt can
      be disabled to reduce the interrupt load.
      
      Fixes: 87461f7a ("net: phy: DP83822 initial driver submission")
      Signed-off-by: default avatarFelix Riemann <felix.riemann@sma.de>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20221018104755.30025-1-svc.sw.rte.linux@sma.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7f378c03
    • Eric Dumazet's avatar
      net: sched: fix race condition in qdisc_graft() · ebda44da
      Eric Dumazet authored
      We had one syzbot report [1] in syzbot queue for a while.
      I was waiting for more occurrences and/or a repro but
      Dmitry Vyukov spotted the issue right away.
      
      <quoting Dmitry>
      qdisc_graft() drops reference to qdisc in notify_and_destroy
      while it's still assigned to dev->qdisc
      </quoting>
      
      Indeed, RCU rules are clear when replacing a data structure.
      The visible pointer (dev->qdisc in this case) must be updated
      to the new object _before_ RCU grace period is started
      (qdisc_put(old) in this case).
      
      [1]
      BUG: KASAN: use-after-free in __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066
      Read of size 4 at addr ffff88802065e038 by task syz-executor.4/21027
      
      CPU: 0 PID: 21027 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:317 [inline]
      print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
      kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
      __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066
      __tcf_qdisc_find net/sched/cls_api.c:1051 [inline]
      tc_new_tfilter+0x34f/0x2200 net/sched/cls_api.c:2018
      rtnetlink_rcv_msg+0x955/0xca0 net/core/rtnetlink.c:6081
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7f5efaa89279
      Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f5efbc31168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f5efab9bf80 RCX: 00007f5efaa89279
      RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
      RBP: 00007f5efaae32e9 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 00007f5efb0cfb1f R14: 00007f5efbc31300 R15: 0000000000022000
      </TASK>
      
      Allocated by task 21027:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      kasan_set_track mm/kasan/common.c:45 [inline]
      set_alloc_info mm/kasan/common.c:437 [inline]
      ____kasan_kmalloc mm/kasan/common.c:516 [inline]
      ____kasan_kmalloc mm/kasan/common.c:475 [inline]
      __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
      kmalloc_node include/linux/slab.h:623 [inline]
      kzalloc_node include/linux/slab.h:744 [inline]
      qdisc_alloc+0xb0/0xc50 net/sched/sch_generic.c:938
      qdisc_create_dflt+0x71/0x4a0 net/sched/sch_generic.c:997
      attach_one_default_qdisc net/sched/sch_generic.c:1152 [inline]
      netdev_for_each_tx_queue include/linux/netdevice.h:2437 [inline]
      attach_default_qdiscs net/sched/sch_generic.c:1170 [inline]
      dev_activate+0x760/0xcd0 net/sched/sch_generic.c:1229
      __dev_open+0x393/0x4d0 net/core/dev.c:1441
      __dev_change_flags+0x583/0x750 net/core/dev.c:8556
      rtnl_configure_link+0xee/0x240 net/core/rtnetlink.c:3189
      rtnl_newlink_create net/core/rtnetlink.c:3371 [inline]
      __rtnl_newlink+0x10b8/0x17e0 net/core/rtnetlink.c:3580
      rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
      rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Freed by task 21020:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      kasan_set_track+0x21/0x30 mm/kasan/common.c:45
      kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
      ____kasan_slab_free mm/kasan/common.c:367 [inline]
      ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
      kasan_slab_free include/linux/kasan.h:200 [inline]
      slab_free_hook mm/slub.c:1754 [inline]
      slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780
      slab_free mm/slub.c:3534 [inline]
      kfree+0xe2/0x580 mm/slub.c:4562
      rcu_do_batch kernel/rcu/tree.c:2245 [inline]
      rcu_core+0x7b5/0x1890 kernel/rcu/tree.c:2505
      __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
      
      Last potentially related work creation:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
      call_rcu+0x99/0x790 kernel/rcu/tree.c:2793
      qdisc_put+0xcd/0xe0 net/sched/sch_generic.c:1083
      notify_and_destroy net/sched/sch_api.c:1012 [inline]
      qdisc_graft+0xeb1/0x1270 net/sched/sch_api.c:1084
      tc_modify_qdisc+0xbb7/0x1a00 net/sched/sch_api.c:1671
      rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Second to last potentially related work creation:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
      kvfree_call_rcu+0x74/0x940 kernel/rcu/tree.c:3322
      neigh_destroy+0x431/0x630 net/core/neighbour.c:912
      neigh_release include/net/neighbour.h:454 [inline]
      neigh_cleanup_and_release+0x1f8/0x330 net/core/neighbour.c:103
      neigh_del net/core/neighbour.c:225 [inline]
      neigh_remove_one+0x37d/0x460 net/core/neighbour.c:246
      neigh_forced_gc net/core/neighbour.c:276 [inline]
      neigh_alloc net/core/neighbour.c:447 [inline]
      ___neigh_create+0x18b5/0x29a0 net/core/neighbour.c:642
      ip6_finish_output2+0xfb8/0x1520 net/ipv6/ip6_output.c:125
      __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
      ip6_finish_output+0x690/0x1160 net/ipv6/ip6_output.c:206
      NF_HOOK_COND include/linux/netfilter.h:296 [inline]
      ip6_output+0x1ed/0x540 net/ipv6/ip6_output.c:227
      dst_output include/net/dst.h:451 [inline]
      NF_HOOK include/linux/netfilter.h:307 [inline]
      NF_HOOK include/linux/netfilter.h:301 [inline]
      mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
      mld_send_cr net/ipv6/mcast.c:2121 [inline]
      mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2653
      process_one_work+0x991/0x1610 kernel/workqueue.c:2289
      worker_thread+0x665/0x1080 kernel/workqueue.c:2436
      kthread+0x2e4/0x3a0 kernel/kthread.c:376
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      
      The buggy address belongs to the object at ffff88802065e000
      which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 56 bytes inside of
      1024-byte region [ffff88802065e000, ffff88802065e400)
      
      The buggy address belongs to the physical page:
      page:ffffea0000819600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20658
      head:ffffea0000819600 order:3 compound_mapcount:0 compound_pincount:0
      flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
      raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011841dc0
      raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3523, tgid 3523 (sshd), ts 41495190986, free_ts 41417713212
      prep_new_page mm/page_alloc.c:2532 [inline]
      get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
      __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
      alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270
      alloc_slab_page mm/slub.c:1824 [inline]
      allocate_slab+0x27e/0x3d0 mm/slub.c:1969
      new_slab mm/slub.c:2029 [inline]
      ___slab_alloc+0x7f1/0xe10 mm/slub.c:3031
      __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
      slab_alloc_node mm/slub.c:3209 [inline]
      __kmalloc_node_track_caller+0x2f2/0x380 mm/slub.c:4955
      kmalloc_reserve net/core/skbuff.c:358 [inline]
      __alloc_skb+0xd9/0x2f0 net/core/skbuff.c:430
      alloc_skb_fclone include/linux/skbuff.h:1307 [inline]
      tcp_stream_alloc_skb+0x38/0x580 net/ipv4/tcp.c:861
      tcp_sendmsg_locked+0xc36/0x2f80 net/ipv4/tcp.c:1325
      tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1483
      inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      sock_write_iter+0x291/0x3d0 net/socket.c:1108
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:578
      ksys_write+0x1e8/0x250 fs/read_write.c:631
      page last free stack trace:
      reset_page_owner include/linux/page_owner.h:24 [inline]
      free_pages_prepare mm/page_alloc.c:1449 [inline]
      free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
      free_unref_page_prepare mm/page_alloc.c:3380 [inline]
      free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
      __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2548
      qlink_free mm/kasan/quarantine.c:168 [inline]
      qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
      kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
      __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447
      kasan_slab_alloc include/linux/kasan.h:224 [inline]
      slab_post_alloc_hook mm/slab.h:727 [inline]
      slab_alloc_node mm/slub.c:3243 [inline]
      slab_alloc mm/slub.c:3251 [inline]
      __kmem_cache_alloc_lru mm/slub.c:3258 [inline]
      kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3268
      kmem_cache_zalloc include/linux/slab.h:723 [inline]
      alloc_buffer_head+0x20/0x140 fs/buffer.c:2974
      alloc_page_buffers+0x280/0x790 fs/buffer.c:829
      create_empty_buffers+0x2c/0xee0 fs/buffer.c:1558
      ext4_block_write_begin+0x1004/0x1530 fs/ext4/inode.c:1074
      ext4_da_write_begin+0x422/0xae0 fs/ext4/inode.c:2996
      generic_perform_write+0x246/0x560 mm/filemap.c:3738
      ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:270
      ext4_file_write_iter+0x44a/0x1660 fs/ext4/file.c:679
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:578
      
      Fixes: af356afa ("net_sched: reintroduce dev->qdisc for use by sch_api")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Diagnosed-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221018203258.2793282-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ebda44da
    • Yang Yingliang's avatar
      net: hns: fix possible memory leak in hnae_ae_register() · ff2f5ec5
      Yang Yingliang authored
      Inject fault while probing module, if device_register() fails,
      but the refcount of kobject is not decreased to 0, the name
      allocated in dev_set_name() is leaked. Fix this by calling
      put_device(), so that name can be freed in callback function
      kobject_cleanup().
      
      unreferenced object 0xffff00c01aba2100 (size 128):
        comm "systemd-udevd", pid 1259, jiffies 4294903284 (age 294.152s)
        hex dump (first 32 bytes):
          68 6e 61 65 30 00 00 00 18 21 ba 1a c0 00 ff ff  hnae0....!......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<0000000034783f26>] slab_post_alloc_hook+0xa0/0x3e0
          [<00000000748188f2>] __kmem_cache_alloc_node+0x164/0x2b0
          [<00000000ab0743e8>] __kmalloc_node_track_caller+0x6c/0x390
          [<000000006c0ffb13>] kvasprintf+0x8c/0x118
          [<00000000fa27bfe1>] kvasprintf_const+0x60/0xc8
          [<0000000083e10ed7>] kobject_set_name_vargs+0x3c/0xc0
          [<000000000b87affc>] dev_set_name+0x7c/0xa0
          [<000000003fd8fe26>] hnae_ae_register+0xcc/0x190 [hnae]
          [<00000000fe97edc9>] hns_dsaf_ae_init+0x9c/0x108 [hns_dsaf]
          [<00000000c36ff1eb>] hns_dsaf_probe+0x548/0x748 [hns_dsaf]
      
      Fixes: 6fe6611f ("net: add Hisilicon Network Subsystem hnae framework support")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Link: https://lore.kernel.org/r/20221018122451.1749171-1-yangyingliang@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ff2f5ec5
    • Yang Yingliang's avatar
      wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new() · 258ad2fe
      Yang Yingliang authored
      Inject fault while probing module, if device_register() fails,
      but the refcount of kobject is not decreased to 0, the name
      allocated in dev_set_name() is leaked. Fix this by calling
      put_device(), so that name can be freed in callback function
      kobject_cleanup().
      
      unreferenced object 0xffff88810152ad20 (size 8):
        comm "modprobe", pid 252, jiffies 4294849206 (age 22.713s)
        hex dump (first 8 bytes):
          68 77 73 69 6d 30 00 ff                          hwsim0..
        backtrace:
          [<000000009c3504ed>] __kmalloc_node_track_caller+0x44/0x1b0
          [<00000000c0228a5e>] kvasprintf+0xb5/0x140
          [<00000000cff8c21f>] kvasprintf_const+0x55/0x180
          [<0000000055a1e073>] kobject_set_name_vargs+0x56/0x150
          [<000000000a80b139>] dev_set_name+0xab/0xe0
      
      Fixes: f36a111a ("wwan_hwsim: WWAN device simulator")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Acked-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Link: https://lore.kernel.org/r/20221018131607.1901641-1-yangyingliang@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      258ad2fe
    • Pieter Jansen van Vuuren's avatar
      sfc: include vport_id in filter spec hash and equal() · c2bf23e4
      Pieter Jansen van Vuuren authored
      Filters on different vports are qualified by different implicit MACs and/or
      VLANs, so shouldn't be considered equal even if their other match fields
      are identical.
      
      Fixes: 7c460d9b ("sfc: Extend and abstract efx_filter_spec to cover Huntington/EF10")
      Co-developed-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Signed-off-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Signed-off-by: default avatarPieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
      Reviewed-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Link: https://lore.kernel.org/r/20221018092841.32206-1-pieter.jansen-van-vuuren@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c2bf23e4
  3. 19 Oct, 2022 15 commits
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · d753a050
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      1) Missing flowi uid field in nft_fib expression, from Guillaume Nault.
         This is broken since the creation of the fib expression.
      
      2) Relax sanity check to fix bogus EINVAL error when deleting elements
         belonging set intervals. Broken since 6.0-rc.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements
        netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.
      ====================
      
      Link: https://lore.kernel.org/r/20221019065225.1006344-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d753a050
    • Jakub Kicinski's avatar
      genetlink: fix kdoc warnings · a1a824f4
      Jakub Kicinski authored
      Address a bunch of kdoc warnings:
      
      include/net/genetlink.h:81: warning: Function parameter or member 'module' not described in 'genl_family'
      include/net/genetlink.h:243: warning: expecting prototype for struct genl_info. Prototype was for struct genl_dumpit_info instead
      include/net/genetlink.h:419: warning: Function parameter or member 'net' not described in 'genlmsg_unicast'
      include/net/genetlink.h:438: warning: expecting prototype for gennlmsg_data(). Prototype was for genlmsg_data() instead
      include/net/genetlink.h:244: warning: Function parameter or member 'op' not described in 'genl_dumpit_info'
      
      Link: https://lore.kernel.org/r/20221018231310.1040482-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a1a824f4
    • David S. Miller's avatar
      Merge branch 'qdisc-ingress-success' · 6109ecbf
      David S. Miller authored
      Paul Blakey says:
      
      ====================
      net: Fix return value of qdisc ingress handling on success
      
      Fix patch + self-test with the currently broken scenario.
      
      v4->v3:
        Removed new line in self test and rebase (Paolo).
      
      v2->v3:
        Added DROP return to TC_ACT_SHOT case (Cong).
      
      v1->v2:
        Changed blamed commit
        Added self-test
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6109ecbf
    • Paul Blakey's avatar
      selftests: add selftest for chaining of tc ingress handling to egress · fd602f5c
      Paul Blakey authored
      This test runs a simple ingress tc setup between two veth pairs,
      then adds a egress->ingress rule to test the chaining of tc ingress
      pipeline to tc egress piepline.
      Signed-off-by: default avatarPaul Blakey <paulb@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd602f5c
    • Paul Blakey's avatar
      net: Fix return value of qdisc ingress handling on success · 672e97ef
      Paul Blakey authored
      Currently qdisc ingress handling (sch_handle_ingress()) doesn't
      set a return value and it is left to the old return value of
      the caller (__netif_receive_skb_core()) which is RX drop, so if
      the packet is consumed, caller will stop and return this value
      as if the packet was dropped.
      
      This causes a problem in the kernel tcp stack when having a
      egress tc rule forwarding to a ingress tc rule.
      The tcp stack sending packets on the device having the egress rule
      will see the packets as not successfully transmitted (although they
      actually were), will not advance it's internal state of sent data,
      and packets returning on such tcp stream will be dropped by the tcp
      stack with reason ack-of-unsent-data. See reproduction in [0] below.
      
      Fix that by setting the return value to RX success if
      the packet was handled successfully.
      
      [0] Reproduction steps:
       $ ip link add veth1 type veth peer name peer1
       $ ip link add veth2 type veth peer name peer2
       $ ifconfig peer1 5.5.5.6/24 up
       $ ip netns add ns0
       $ ip link set dev peer2 netns ns0
       $ ip netns exec ns0 ifconfig peer2 5.5.5.5/24 up
       $ ifconfig veth2 0 up
       $ ifconfig veth1 0 up
      
       #ingress forwarding veth1 <-> veth2
       $ tc qdisc add dev veth2 ingress
       $ tc qdisc add dev veth1 ingress
       $ tc filter add dev veth2 ingress prio 1 proto all flower \
         action mirred egress redirect dev veth1
       $ tc filter add dev veth1 ingress prio 1 proto all flower \
         action mirred egress redirect dev veth2
      
       #steal packet from peer1 egress to veth2 ingress, bypassing the veth pipe
       $ tc qdisc add dev peer1 clsact
       $ tc filter add dev peer1 egress prio 20 proto ip flower \
         action mirred ingress redirect dev veth1
      
       #run iperf and see connection not running
       $ iperf3 -s&
       $ ip netns exec ns0 iperf3 -c 5.5.5.6 -i 1
      
       #delete egress rule, and run again, now should work
       $ tc filter del dev peer1 egress
       $ ip netns exec ns0 iperf3 -c 5.5.5.6 -i 1
      
      Fixes: f697c3e8 ("[NET]: Avoid unnecessary cloning for ingress filtering")
      Signed-off-by: default avatarPaul Blakey <paulb@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      672e97ef
    • David S. Miller's avatar
      Merge branch 'qdisc-null-deref' · e38cf366
      David S. Miller authored
      Zhengchao Shao says:
      
      ====================
      net: fix null pointer access issue in qdisc
      
      These three patches fix the same type of problem. Set the default qdisc,
      and then construct an init failure scenario when the dev qdisc is
      configured on mqprio to trigger the reset process. NULL pointer access
      may occur during the reset process.
      
      ---
      v2: for fq_codel, revert the patch
      ---
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e38cf366
    • Zhengchao Shao's avatar
      net: sched: sfb: fix null pointer access issue when sfb_init() fails · 2a3fc782
      Zhengchao Shao authored
      When the default qdisc is sfb, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), sfb_reset() is invoked to clear resources.
      In this case, the q->qdisc is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	sfb_init()
      		tcf_block_get()          --->failed, q->qdisc is NULL
      	...
      	qdisc_put()
      		...
      		sfb_reset()
      			qdisc_reset(q->qdisc)    --->q->qdisc is NULL
      				ops = qdisc->ops
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
      RIP: 0010:qdisc_reset+0x2b/0x6f0
      Call Trace:
      <TASK>
      sfb_reset+0x37/0xd0
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7f2164122d04
      </TASK>
      
      Fixes: e13e02a3 ("net_sched: SFB flow scheduler")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a3fc782
    • Zhengchao Shao's avatar
      Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()" · f5ffa3b1
      Zhengchao Shao authored
      This reverts commit 494f5063.
      
      When the default qdisc is fq_codel, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), fq_codel_reset() is invoked to clear
      resources. In this case, the flow is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	fq_codel_init()
      		...
      		q->flows_cnt = 1024;
      		...
      		q->flows = kvcalloc(...)      --->failed, q->flows is NULL
      	...
      	qdisc_put()
      		...
      		fq_codel_reset()
      			...
      			flow = q->flows + i   --->q->flows is NULL
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      RIP: 0010:fq_codel_reset+0x14d/0x350
      Call Trace:
      <TASK>
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7fd272b22d04
      </TASK>
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5ffa3b1
    • Zhengchao Shao's avatar
      net: sched: cake: fix null pointer access issue when cake_init() fails · 51f9a892
      Zhengchao Shao authored
      When the default qdisc is cake, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), cake_reset() is invoked to clear
      resources. In this case, the tins is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	cake_init()
      		q->tins = kvcalloc(...)        --->failed, q->tins is NULL
      	...
      	qdisc_put()
      		...
      		cake_reset()
      			...
      			cake_dequeue_one()
      				b = &q->tins[...]   --->q->tins is NULL
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      RIP: 0010:cake_dequeue_one+0xc9/0x3c0
      Call Trace:
      <TASK>
      cake_reset+0xb1/0x140
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7f89e5122d04
      </TASK>
      
      Fixes: 046f6fd5 ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51f9a892
    • Manank Patel's avatar
      ethernet: marvell: octeontx2 Fix resource not freed after malloc · 7b55c2ed
      Manank Patel authored
      fix rxsc and txsc not getting freed before going out of scope
      
      Fixes: c54ffc73 ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading")
      Signed-off-by: default avatarManank Patel <pmanank200502@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7b55c2ed
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements · 96df8360
      Pablo Neira Ayuso authored
      Otherwise EINVAL is bogusly reported to userspace when deleting a set
      element. NFTA_SET_ELEM_KEY_END does not need to be set in case of:
      
      - insertion: if not present, start key is used as end key.
      - deletion: only start key needs to be specified, end key is ignored.
      
      Hence, relax the sanity check.
      
      Fixes: 88cccd90 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      96df8360
    • Guillaume Nault's avatar
      netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces. · 1fcc064b
      Guillaume Nault authored
      Currently netfilter's rpfilter and fib modules implicitely initialise
      ->flowic_uid with 0. This is normally the root UID. However, this isn't
      the case in user namespaces, where user ID 0 is mapped to a different
      kernel UID. By initialising ->flowic_uid with sock_net_uid(), we get
      the root UID of the user namespace, thus keeping the same behaviour
      whether or not we're running in a user namepspace.
      
      Note, this is similar to commit 8bcfd092 ("ipv4: add missing
      initialization for flowi4_uid"), which fixed the rp_filter sysctl.
      
      Fixes: 622ec2c9 ("net: core: add UID to flows, rules, and routes")
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1fcc064b
    • Brett Creeley's avatar
      ionic: catch NULL pointer issue on reconfig · aa1d7e12
      Brett Creeley authored
      It's possible that the driver will dereference a qcq that doesn't exist
      when calling ionic_reconfigure_queues(), which causes a page fault BUG.
      
      If a reduction in the number of queues is followed by a different
      reconfig such as changing the ring size, the driver can hit a NULL
      pointer when trying to clean up non-existent queues.
      
      Fix this by checking to make sure both the qcqs array and qcq entry
      exists bofore trying to use and free the entry.
      
      Fixes: 101b40a0 ("ionic: change queue count with no reset")
      Signed-off-by: default avatarBrett Creeley <brett@pensando.io>
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Link: https://lore.kernel.org/r/20221017233123.15869-1-snelson@pensando.ioSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aa1d7e12
    • Eric Dumazet's avatar
      net: hsr: avoid possible NULL deref in skb_clone() · d8b57135
      Eric Dumazet authored
      syzbot got a crash [1] in skb_clone(), caused by a bug
      in hsr_get_untagged_frame().
      
      When/if create_stripped_skb_hsr() returns NULL, we must
      not attempt to call skb_clone().
      
      While we are at it, replace a WARN_ONCE() by netdev_warn_once().
      
      [1]
      general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
      CPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074f #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
      RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641
      Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00
      RSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207
      
      RAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000
      RDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140
      R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640
      R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620
      FS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164
      hsr_forward_do net/hsr/hsr_forward.c:461 [inline]
      hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623
      hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69
      __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379
      __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483
      __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599
      netif_receive_skb_internal net/core/dev.c:5685 [inline]
      netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744
      tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544
      tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995
      tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:584
      ksys_write+0x127/0x250 fs/read_write.c:637
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: f266a683 ("net/hsr: Better frame dispatch")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221017165928.2150130-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d8b57135
    • Vikas Gupta's avatar
      bnxt_en: fix memory leak in bnxt_nvm_test() · ba077d68
      Vikas Gupta authored
      Free the kzalloc'ed buffer before returning in the success path.
      
      Fixes: 5b6ff128 ("bnxt_en: implement callbacks for devlink selftests")
      Signed-off-by: default avatarVikas Gupta <vikas.gupta@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Link: https://lore.kernel.org/r/1666020742-25834-1-git-send-email-michael.chan@broadcom.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ba077d68
  4. 18 Oct, 2022 14 commits
    • Nikos Tsironis's avatar
      dm clone: Fix typo in block_device format specifier · 5434ee8d
      Nikos Tsironis authored
      Use %pg for printing the block device name, instead of %pd.
      
      Fixes: 385411ff ("dm: stop using bdevname")
      Cc: stable@vger.kernel.org # v5.18+
      Signed-off-by: default avatarNikos Tsironis <ntsironis@arrikto.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@kernel.org>
      5434ee8d
    • Genjian Zhang's avatar
      dm: remove unnecessary assignment statement in alloc_dev() · 99f4f5bc
      Genjian Zhang authored
      Fixes: 74fe6ba9 ("dm: convert to blk_alloc_disk/blk_cleanup_disk")
      Signed-off-by: default avatarGenjian Zhang <zhanggenjian@kylinos.cn>
      Signed-off-by: default avatarMike Snitzer <snitzer@kernel.org>
      99f4f5bc
    • Milan Broz's avatar
      dm verity: Add documentation for try_verify_in_tasklet option · dc3efedf
      Milan Broz authored
      Add documentation that was missing from commit 5721d4e5 ("dm
      verity: Add optional "try_verify_in_tasklet" feature").
      Signed-off-by: default avatarMilan Broz <gmazyland@gmail.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@kernel.org>
      dc3efedf
    • Shaomin Deng's avatar
    • Jiangshan Yi's avatar
    • Nathan Huckleberry's avatar
      dm verity: enable WQ_HIGHPRI on verify_wq · afd41fff
      Nathan Huckleberry authored
      WQ_HIGHPRI increases throughput and decreases disk latency when using
      dm-verity. This is important in Android for camera startup speed.
      
      The following tests were run by doing 60 seconds of random reads using
      a dm-verity device backed by two ramdisks.
      
      Without WQ_HIGHPRI
      lat (usec): min=13, max=3947, avg=69.53, stdev=50.55
      READ: bw=51.1MiB/s (53.6MB/s), 51.1MiB/s-51.1MiB/s (53.6MB/s-53.6MB/s)
      
      With WQ_HIGHPRI:
      lat (usec): min=13, max=7854, avg=31.15, stdev=30.42
      READ: bw=116MiB/s (121MB/s), 116MiB/s-116MiB/s (121MB/s-121MB/s)
      
      Further testing was done by measuring how long it takes to open a
      camera on an Android device.
      
      Without WQ_HIGHPRI
      Total verity work queue wait times (ms):
      880.960, 789.517, 898.852
      
      With WQ_HIGHPRI:
      Total verity work queue wait times (ms):
      528.824, 439.191, 433.300
      
      The average time to open the camera is reduced by 350ms (or 40-50%).
      Signed-off-by: default avatarNathan Huckleberry <nhuck@google.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@kernel.org>
      afd41fff
    • Jilin Yuan's avatar
      cea44663
    • Mikulas Patocka's avatar
      dm: change from DMWARN to DMERR or DMCRIT for fatal errors · 43e6c111
      Mikulas Patocka authored
      Change DMWARN to DMERR in cases when there is an unrecoverable error.
      Change DMWARN to DMCRIT when handling of a case is unimplemented.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@kernel.org>
      43e6c111
    • Linus Torvalds's avatar
      Merge tag 'for-6.1-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · aae703b0
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fiemap fixes:
            - add missing path cache update
            - fix processing of delayed data and tree refs during backref
              walking, this could lead to reporting incorrect extent sharing
      
       - fix extent range locking under heavy contention to avoid deadlocks
      
       - make it possible to test send v3 in debugging mode
      
       - update links in MAINTAINERS
      
      * tag 'for-6.1-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        MAINTAINERS: update btrfs website links and files
        btrfs: ignore fiemap path cache if we have multiple leaves for a data extent
        btrfs: fix processing of delayed tree block refs during backref walking
        btrfs: fix processing of delayed data refs during backref walking
        btrfs: delete stale comments after merge conflict resolution
        btrfs: unlock locked extent area if we have contention
        btrfs: send: update command for protocol version check
        btrfs: send: allow protocol version 3 with CONFIG_BTRFS_DEBUG
        btrfs: add missing path cache update during fiemap
      aae703b0
    • Linus Torvalds's avatar
      Merge tag 'erofs-for-6.1-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs · 7ae46097
      Linus Torvalds authored
      Pull erofs fixes from Gao Xiang:
      
       - Fix invalid unmapped accesses when initializing compressed inodes
      
       - Fix up very rare hung on page lock after enabling compressed data
         deduplication
      
       - Fix up inplace decompression success rate
      
       - Take s_inode_list_lock to protect sb->s_inodes for fscache shared
         domain
      
      * tag 'erofs-for-6.1-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
        erofs: protect s_inodes with s_inode_list_lock for fscache
        erofs: fix up inplace decompression success rate
        erofs: shouldn't churn the mapping page for duplicated copies
        erofs: fix illegal unmapped accesses in z_erofs_fill_inode_lazy()
      7ae46097
    • Mikulas Patocka's avatar
      dm bufio: use the acquire memory barrier when testing for B_READING · 141b3523
      Mikulas Patocka authored
      The function test_bit doesn't provide any memory barrier. It may be
      possible that the read requests that follow test_bit(B_READING, &b->state)
      are reordered before the test, reading invalid data that existed before
      B_READING was cleared.
      
      Fix this bug by changing test_bit to test_bit_acquire. This is
      particularly important on arches with weak(er) memory ordering
      (e.g. arm64).
      
      Depends-On: 8238b457 ("wait_on_bit: add an acquire memory barrier")
      Depends-On: d6ffe606 ("provide arch_test_bit_acquire for architectures that define test_bit")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@kernel.org>
      141b3523
    • Zhengchao Shao's avatar
      ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed · 1ca69520
      Zhengchao Shao authored
      If the initialization fails in calling addrconf_init_net(), devconf_all is
      the pointer that has been released. Then ip6mr_sk_done() is called to
      release the net, accessing devconf->mc_forwarding directly causes invalid
      pointer access.
      
      The process is as follows:
      setup_net()
      	ops_init()
      		addrconf_init_net()
      		all = kmemdup(...)           ---> alloc "all"
      		...
      		net->ipv6.devconf_all = all;
      		__addrconf_sysctl_register() ---> failed
      		...
      		kfree(all);                  ---> ipv6.devconf_all invalid
      		...
      	ops_exit_list()
      		...
      		ip6mr_sk_done()
      			devconf = net->ipv6.devconf_all;
      			//devconf is invalid pointer
      			if (!devconf || !atomic_read(&devconf->mc_forwarding))
      
      The following is the Call Trace information:
      BUG: KASAN: use-after-free in ip6mr_sk_done+0x112/0x3a0
      Read of size 4 at addr ffff888075508e88 by task ip/14554
      Call Trace:
      <TASK>
      dump_stack_lvl+0x8e/0xd1
      print_report+0x155/0x454
      kasan_report+0xba/0x1f0
      kasan_check_range+0x35/0x1b0
      ip6mr_sk_done+0x112/0x3a0
      rawv6_close+0x48/0x70
      inet_release+0x109/0x230
      inet6_release+0x4c/0x70
      sock_release+0x87/0x1b0
      igmp6_net_exit+0x6b/0x170
      ops_exit_list+0xb0/0x170
      setup_net+0x7ac/0xbd0
      copy_net_ns+0x2e6/0x6b0
      create_new_namespaces+0x382/0xa50
      unshare_nsproxy_namespaces+0xa6/0x1c0
      ksys_unshare+0x3a4/0x7e0
      __x64_sys_unshare+0x2d/0x40
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7f7963322547
      
      </TASK>
      Allocated by task 14554:
      kasan_save_stack+0x1e/0x40
      kasan_set_track+0x21/0x30
      __kasan_kmalloc+0xa1/0xb0
      __kmalloc_node_track_caller+0x4a/0xb0
      kmemdup+0x28/0x60
      addrconf_init_net+0x1be/0x840
      ops_init+0xa5/0x410
      setup_net+0x5aa/0xbd0
      copy_net_ns+0x2e6/0x6b0
      create_new_namespaces+0x382/0xa50
      unshare_nsproxy_namespaces+0xa6/0x1c0
      ksys_unshare+0x3a4/0x7e0
      __x64_sys_unshare+0x2d/0x40
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      Freed by task 14554:
      kasan_save_stack+0x1e/0x40
      kasan_set_track+0x21/0x30
      kasan_save_free_info+0x2a/0x40
      ____kasan_slab_free+0x155/0x1b0
      slab_free_freelist_hook+0x11b/0x220
      __kmem_cache_free+0xa4/0x360
      addrconf_init_net+0x623/0x840
      ops_init+0xa5/0x410
      setup_net+0x5aa/0xbd0
      copy_net_ns+0x2e6/0x6b0
      create_new_namespaces+0x382/0xa50
      unshare_nsproxy_namespaces+0xa6/0x1c0
      ksys_unshare+0x3a4/0x7e0
      __x64_sys_unshare+0x2d/0x40
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      Fixes: 7d9b1b57 ("ip6mr: fix use-after-free in ip6mr_sk_done()")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221017080331.16878-1-shaozhengchao@huawei.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      1ca69520
    • Kuniyuki Iwashima's avatar
      udp: Update reuse->has_conns under reuseport_lock. · 69421bf9
      Kuniyuki Iwashima authored
      When we call connect() for a UDP socket in a reuseport group, we have
      to update sk->sk_reuseport_cb->has_conns to 1.  Otherwise, the kernel
      could select a unconnected socket wrongly for packets sent to the
      connected socket.
      
      However, the current way to set has_conns is illegal and possible to
      trigger that problem.  reuseport_has_conns() changes has_conns under
      rcu_read_lock(), which upgrades the RCU reader to the updater.  Then,
      it must do the update under the updater's lock, reuseport_lock, but
      it doesn't for now.
      
      For this reason, there is a race below where we fail to set has_conns
      resulting in the wrong socket selection.  To avoid the race, let's split
      the reader and updater with proper locking.
      
       cpu1                               cpu2
      +----+                             +----+
      
      __ip[46]_datagram_connect()        reuseport_grow()
      .                                  .
      |- reuseport_has_conns(sk, true)   |- more_reuse = __reuseport_alloc(more_socks_size)
      |  .                               |
      |  |- rcu_read_lock()
      |  |- reuse = rcu_dereference(sk->sk_reuseport_cb)
      |  |
      |  |                               |  /* reuse->has_conns == 0 here */
      |  |                               |- more_reuse->has_conns = reuse->has_conns
      |  |- reuse->has_conns = 1         |  /* more_reuse->has_conns SHOULD BE 1 HERE */
      |  |                               |
      |  |                               |- rcu_assign_pointer(reuse->socks[i]->sk_reuseport_cb,
      |  |                               |                     more_reuse)
      |  `- rcu_read_unlock()            `- kfree_rcu(reuse, rcu)
      |
      |- sk->sk_state = TCP_ESTABLISHED
      
      Note the likely(reuse) in reuseport_has_conns_set() is always true,
      but we put the test there for ease of review.  [0]
      
      For the record, usually, sk_reuseport_cb is changed under lock_sock().
      The only exception is reuseport_grow() & TCP reqsk migration case.
      
        1) shutdown() TCP listener, which is moved into the latter part of
           reuse->socks[] to migrate reqsk.
      
        2) New listen() overflows reuse->socks[] and call reuseport_grow().
      
        3) reuse->max_socks overflows u16 with the new listener.
      
        4) reuseport_grow() pops the old shutdown()ed listener from the array
           and update its sk->sk_reuseport_cb as NULL without lock_sock().
      
      shutdown()ed TCP sk->sk_reuseport_cb can be changed without lock_sock(),
      but, reuseport_has_conns_set() is called only for UDP under lock_sock(),
      so likely(reuse) never be false in reuseport_has_conns_set().
      
      [0]: https://lore.kernel.org/netdev/CANn89iLja=eQHbsM_Ta2sQF0tOGU8vAGrh_izRuuHjuO1ouUag@mail.gmail.com/
      
      Fixes: acdcecc6 ("udp: correct reuseport selection with connected sockets")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20221014182625.89913-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      69421bf9
    • Linus Torvalds's avatar
      Merge tag 'cgroup-for-6.1-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · bb1a1146
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
      
       - Fix a recent regression where a sleeping kernfs function is called
         with css_set_lock (spinlock) held
      
       - Revert the commit to enable cgroup1 support for cgroup_get_from_fd/file()
      
         Multiple users assume that the lookup only works for cgroup2 and
         breaks when fed a cgroup1 file. Instead, introduce a separate set of
         functions to lookup both v1 and v2 and use them where the user
         explicitly wants to support both versions.
      
       - Compat update for tools/perf/util/bpf_skel/bperf_cgroup.bpf.c.
      
       - Add Josef Bacik as a blkcg maintainer.
      
      * tag 'cgroup-for-6.1-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        blkcg: Update MAINTAINERS entry
        mm: cgroup: fix comments for get from fd/file helpers
        perf stat: Support old kernels for bperf cgroup counting
        bpf: cgroup_iter: support cgroup1 using cgroup fd
        cgroup: add cgroup_v1v2_get_from_[fd/file]()
        Revert "cgroup: enable cgroup_get_from_file() on cgroup1"
        cgroup: Reorganize css_set_lock and kernfs path processing
      bb1a1146