1. 01 Nov, 2022 2 commits
    • Dokyung Song's avatar
      wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() · 6788ba8a
      Dokyung Song authored
      This patch fixes an intra-object buffer overflow in brcmfmac that occurs
      when the device provides a 'bsscfgidx' equal to or greater than the
      buffer size. The patch adds a check that leads to a safe failure if that
      is the case.
      
      This fixes CVE-2022-3628.
      
      UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
      index 52 is out of range for type 'brcmf_if *[16]'
      CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      Workqueue: events brcmf_fweh_event_worker
      Call Trace:
       dump_stack_lvl+0x57/0x7d
       ubsan_epilogue+0x5/0x40
       __ubsan_handle_out_of_bounds+0x69/0x80
       ? memcpy+0x39/0x60
       brcmf_fweh_event_worker+0xae1/0xc00
       ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
       ? rcu_read_lock_sched_held+0xa1/0xd0
       ? rcu_read_lock_bh_held+0xb0/0xb0
       ? lockdep_hardirqs_on_prepare+0x273/0x3e0
       process_one_work+0x873/0x13e0
       ? lock_release+0x640/0x640
       ? pwq_dec_nr_in_flight+0x320/0x320
       ? rwlock_bug.part.0+0x90/0x90
       worker_thread+0x8b/0xd10
       ? __kthread_parkme+0xd9/0x1d0
       ? process_one_work+0x13e0/0x13e0
       kthread+0x379/0x450
       ? _raw_spin_unlock_irq+0x24/0x30
       ? set_kthread_struct+0x100/0x100
       ret_from_fork+0x1f/0x30
      ================================================================================
      general protection fault, probably for non-canonical address 0xe5601c0020023fff: 0000 [#1] SMP KASAN
      KASAN: maybe wild-memory-access in range [0x2b0100010011fff8-0x2b0100010011ffff]
      CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      Workqueue: events brcmf_fweh_event_worker
      RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100
      Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00
      RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207
      RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000
      RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50
      RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809
      R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045
      R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000
      FS:  0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       brcmf_fweh_event_worker+0x117/0xc00
       ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
       ? rcu_read_lock_sched_held+0xa1/0xd0
       ? rcu_read_lock_bh_held+0xb0/0xb0
       ? lockdep_hardirqs_on_prepare+0x273/0x3e0
       process_one_work+0x873/0x13e0
       ? lock_release+0x640/0x640
       ? pwq_dec_nr_in_flight+0x320/0x320
       ? rwlock_bug.part.0+0x90/0x90
       worker_thread+0x8b/0xd10
       ? __kthread_parkme+0xd9/0x1d0
       ? process_one_work+0x13e0/0x13e0
       kthread+0x379/0x450
       ? _raw_spin_unlock_irq+0x24/0x30
       ? set_kthread_struct+0x100/0x100
       ret_from_fork+0x1f/0x30
      Modules linked in: 88XXau(O) 88x2bu(O)
      ---[ end trace 41d302138f3ff55a ]---
      RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100
      Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00
      RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207
      RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000
      RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50
      RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809
      R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045
      R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000
      FS:  0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Kernel panic - not syncing: Fatal exception
      Reported-by: default avatarDokyung Song <dokyungs@yonsei.ac.kr>
      Reported-by: default avatarJisoo Jang <jisoo.jang@yonsei.ac.kr>
      Reported-by: default avatarMinsuk Kang <linuxlovemin@yonsei.ac.kr>
      Reviewed-by: default avatarArend van Spriel <aspriel@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarDokyung Song <dokyung.song@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221021061359.GA550858@laguna
      6788ba8a
    • Jason A. Donenfeld's avatar
      wifi: airo: do not assign -1 to unsigned char · e6cb8769
      Jason A. Donenfeld authored
      With char becoming unsigned by default, and with `char` alone being
      ambiguous and based on architecture, we get a warning when assigning the
      unchecked output of hex_to_bin() to that unsigned char. Mark `key` as a
      `u8`, which matches the struct's type, and then check each call to
      hex_to_bin() before casting.
      
      Cc: Kalle Valo <kvalo@kernel.org>
      Cc: linux-wireless@vger.kernel.org
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221024162843.535921-1-Jason@zx2c4.com
      e6cb8769
  2. 21 Oct, 2022 9 commits
    • Jonas Jelonek's avatar
      wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support · 69188df5
      Jonas Jelonek authored
      Fixes a warning that occurs when rc table support is enabled
      (IEEE80211_HW_SUPPORTS_RC_TABLE) in mac80211_hwsim and the PS mode
      is changed via the exported debugfs attribute.
      
      When the PS mode is changed, a packet is broadcasted via
      hwsim_send_nullfunc by creating and transmitting a plain skb with only
      header initialized. The ieee80211 rate array in the control buffer is
      zero-initialized. When ratetbl support is enabled, ieee80211_get_tx_rates
      is called for the skb with sta parameter set to NULL and thus no
      ratetbl can be used. The final rate array then looks like
      [-1,0; 0,0; 0,0; 0,0] which causes the warning in ieee80211_get_tx_rate.
      
      The issue is fixed by setting the count of the first rate with idx '0'
      to 1 and hence ieee80211_get_tx_rates won't overwrite it with idx '-1'.
      Signed-off-by: default avatarJonas Jelonek <jelonek.jonas@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      69188df5
    • Paul Zhang's avatar
      wifi: cfg80211: Fix bitrates overflow issue · 18429c51
      Paul Zhang authored
      When invoking function cfg80211_calculate_bitrate_eht about
      (320 MHz, EHT-MCS 13, EHT-NSS 2, EHT-GI 0), which means the
      parameters as flags: 0x80, bw: 7, mcs: 13, eht_gi: 0, nss: 2,
      this formula (result * rate->nss) will overflow and causes
      the returned bitrate to be 3959 when it should be 57646.
      
      Here is the explanation:
       u64 tmp;
       u32 result;
       …
       /* tmp = result = 4 * rates_996[0]
        *     = 4 * 480388888 = 0x72889c60
        */
       tmp = result;
      
       /* tmp = 0x72889c60 * 6144 = 0xabccea90000 */
       tmp *= SCALE;
      
       /* tmp = 0xabccea90000 / mcs_divisors[13]
        *     = 0xabccea90000 / 5120 = 0x8970bba6
        */
       do_div(tmp, mcs_divisors[rate->mcs]);
      
       /* result = 0x8970bba6 */
       result = tmp;
      
       /* normally (result * rate->nss) = 0x8970bba6 * 2 = 0x112e1774c,
        * but since result is u32, (result * rate->nss) = 0x12e1774c,
        * overflow happens and it loses the highest bit.
        * Then result =  0x12e1774c / 8 = 39595753,
        */
       result = (result * rate->nss) / 8;
      Signed-off-by: default avatarPaul Zhang <quic_paulz@quicinc.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      18429c51
    • Arend van Spriel's avatar
      wifi: cfg80211: fix memory leak in query_regdb_file() · 57b962e6
      Arend van Spriel authored
      In the function query_regdb_file() the alpha2 parameter is duplicated
      using kmemdup() and subsequently freed in regdb_fw_cb(). However,
      request_firmware_nowait() can fail without calling regdb_fw_cb() and
      thus leak memory.
      
      Fixes: 007f6c5e ("cfg80211: support loading regulatory database as firmware file")
      Signed-off-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      57b962e6
    • taozhang's avatar
      wifi: mac80211: fix memory free error when registering wiphy fail · 50b2e871
      taozhang authored
      ieee80211_register_hw free the allocated cipher suites when
      registering wiphy fail, and ieee80211_free_hw will re-free it.
      
      set wiphy_ciphers_allocated to false after freeing allocated
      cipher suites.
      Signed-off-by: default avatartaozhang <taozhang@bestechnic.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      50b2e871
    • Johannes Berg's avatar
      wifi: cfg80211: silence a sparse RCU warning · 03c0ad4b
      Johannes Berg authored
      All we're going to do with this pointer is assign it to
      another __rcu pointer, but sparse can't see that, so
      use rcu_access_pointer() to silence the warning here.
      
      Fixes: c90b93b5 ("wifi: cfg80211: update hidden BSSes to avoid WARN_ON")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      03c0ad4b
    • Jason A. Donenfeld's avatar
      wifi: rt2x00: use explicitly signed or unsigned types · 66063033
      Jason A. Donenfeld authored
      On some platforms, `char` is unsigned, but this driver, for the most
      part, assumed it was signed. In other places, it uses `char` to mean an
      unsigned number, but only in cases when the values are small. And in
      still other places, `char` is used as a boolean. Put an end to this
      confusion by declaring explicit types, depending on the context.
      
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Stanislaw Gruszka <stf_xl@wp.pl>
      Cc: Helmut Schaa <helmut.schaa@googlemail.com>
      Cc: Kalle Valo <kvalo@kernel.org>
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarStanislaw Gruszka <stf_xl@wp.pl>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221019155541.3410813-1-Jason@zx2c4.com
      66063033
    • Linus Torvalds's avatar
      Merge tag 'net-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 6d36c728
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from netfilter.
      
        Current release - regressions:
      
         - revert "net: fix cpu_max_bits_warn() usage in
           netif_attrmask_next{,_and}"
      
         - revert "net: sched: fq_codel: remove redundant resource cleanup in
           fq_codel_init()"
      
         - dsa: uninitialized variable in dsa_slave_netdevice_event()
      
         - eth: sunhme: uninitialized variable in happy_meal_init()
      
        Current release - new code bugs:
      
         - eth: octeontx2: fix resource not freed after malloc
      
        Previous releases - regressions:
      
         - sched: fix return value of qdisc ingress handling on success
      
         - sched: fix race condition in qdisc_graft()
      
         - udp: update reuse->has_conns under reuseport_lock.
      
         - tls: strp: make sure the TCP skbs do not have overlapping data
      
         - hsr: avoid possible NULL deref in skb_clone()
      
         - tipc: fix an information leak in tipc_topsrv_kern_subscr
      
         - phylink: add mac_managed_pm in phylink_config structure
      
         - eth: i40e: fix DMA mappings leak
      
         - eth: hyperv: fix a RX-path warning
      
         - eth: mtk: fix memory leaks
      
        Previous releases - always broken:
      
         - sched: cake: fix null pointer access issue when cake_init() fails"
      
      * tag 'net-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (43 commits)
        net: phy: dp83822: disable MDI crossover status change interrupt
        net: sched: fix race condition in qdisc_graft()
        net: hns: fix possible memory leak in hnae_ae_register()
        wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new()
        sfc: include vport_id in filter spec hash and equal()
        genetlink: fix kdoc warnings
        selftests: add selftest for chaining of tc ingress handling to egress
        net: Fix return value of qdisc ingress handling on success
        net: sched: sfb: fix null pointer access issue when sfb_init() fails
        Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()"
        net: sched: cake: fix null pointer access issue when cake_init() fails
        ethernet: marvell: octeontx2 Fix resource not freed after malloc
        netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements
        netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.
        ionic: catch NULL pointer issue on reconfig
        net: hsr: avoid possible NULL deref in skb_clone()
        bnxt_en: fix memory leak in bnxt_nvm_test()
        ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed
        udp: Update reuse->has_conns under reuseport_lock.
        net: ethernet: mediatek: ppe: Remove the unused function mtk_foe_entry_usable()
        ...
      6d36c728
    • Linus Torvalds's avatar
      Merge tag 'ata-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · c7b00652
      Linus Torvalds authored
      Pull ata fixes from Damien Le Moal:
       "Several minor fixes:
      
         - Fix the module alias for the ahci_imx driver to get autoloading to
           work (Alexander)
      
         - Fix a potential array-index-out-of-bounds problem with the
           enclosure managment support in the ahci driver (Kai-Heng)
      
         - Several patches to fix compilation warnings thrown by clang in the
           ahci_st, sata_rcar, ahci_brcm, ahci_xgene, ahci_imx and ahci_qoriq
           drivers (me)"
      
      * tag 'ata-6.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: ahci_qoriq: Fix compilation warning
        ata: ahci_imx: Fix compilation warning
        ata: ahci_xgene: Fix compilation warning
        ata: ahci_brcm: Fix compilation warning
        ata: sata_rcar: Fix compilation warning
        ata: ahci_st: Fix compilation warning
        ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
        ata: ahci-imx: Fix MODULE_ALIAS
      c7b00652
    • Linus Torvalds's avatar
      Merge tag 'for-6.1/dm-changes-v2' of... · a3ccea6e
      Linus Torvalds authored
      Merge tag 'for-6.1/dm-changes-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper updates from Mike Snitzer:
      
       - Fix dm-bufio to use test_bit_acquire to properly test_bit on arches
         with weaker memory ordering.
      
       - DM core replace DMWARN with DMERR or DMCRIT for fatal errors.
      
       - Enable WQ_HIGHPRI on DM verity target's verify_wq.
      
       - Add documentation for DM verity's try_verify_in_tasklet option.
      
       - Various typo and redundant word fixes in code and/or comments.
      
      * tag 'for-6.1/dm-changes-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm clone: Fix typo in block_device format specifier
        dm: remove unnecessary assignment statement in alloc_dev()
        dm verity: Add documentation for try_verify_in_tasklet option
        dm cache: delete the redundant word 'each' in comment
        dm raid: fix typo in analyse_superblocks code comment
        dm verity: enable WQ_HIGHPRI on verify_wq
        dm raid: delete the redundant word 'that' in comment
        dm: change from DMWARN to DMERR or DMCRIT for fatal errors
        dm bufio: use the acquire memory barrier when testing for B_READING
      a3ccea6e
  3. 20 Oct, 2022 5 commits
    • Felix Riemann's avatar
      net: phy: dp83822: disable MDI crossover status change interrupt · 7f378c03
      Felix Riemann authored
      If the cable is disconnected the PHY seems to toggle between MDI and
      MDI-X modes. With the MDI crossover status interrupt active this causes
      roughly 10 interrupts per second.
      
      As the crossover status isn't checked by the driver, the interrupt can
      be disabled to reduce the interrupt load.
      
      Fixes: 87461f7a ("net: phy: DP83822 initial driver submission")
      Signed-off-by: default avatarFelix Riemann <felix.riemann@sma.de>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20221018104755.30025-1-svc.sw.rte.linux@sma.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7f378c03
    • Eric Dumazet's avatar
      net: sched: fix race condition in qdisc_graft() · ebda44da
      Eric Dumazet authored
      We had one syzbot report [1] in syzbot queue for a while.
      I was waiting for more occurrences and/or a repro but
      Dmitry Vyukov spotted the issue right away.
      
      <quoting Dmitry>
      qdisc_graft() drops reference to qdisc in notify_and_destroy
      while it's still assigned to dev->qdisc
      </quoting>
      
      Indeed, RCU rules are clear when replacing a data structure.
      The visible pointer (dev->qdisc in this case) must be updated
      to the new object _before_ RCU grace period is started
      (qdisc_put(old) in this case).
      
      [1]
      BUG: KASAN: use-after-free in __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066
      Read of size 4 at addr ffff88802065e038 by task syz-executor.4/21027
      
      CPU: 0 PID: 21027 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:317 [inline]
      print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
      kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
      __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066
      __tcf_qdisc_find net/sched/cls_api.c:1051 [inline]
      tc_new_tfilter+0x34f/0x2200 net/sched/cls_api.c:2018
      rtnetlink_rcv_msg+0x955/0xca0 net/core/rtnetlink.c:6081
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7f5efaa89279
      Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f5efbc31168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f5efab9bf80 RCX: 00007f5efaa89279
      RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
      RBP: 00007f5efaae32e9 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 00007f5efb0cfb1f R14: 00007f5efbc31300 R15: 0000000000022000
      </TASK>
      
      Allocated by task 21027:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      kasan_set_track mm/kasan/common.c:45 [inline]
      set_alloc_info mm/kasan/common.c:437 [inline]
      ____kasan_kmalloc mm/kasan/common.c:516 [inline]
      ____kasan_kmalloc mm/kasan/common.c:475 [inline]
      __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
      kmalloc_node include/linux/slab.h:623 [inline]
      kzalloc_node include/linux/slab.h:744 [inline]
      qdisc_alloc+0xb0/0xc50 net/sched/sch_generic.c:938
      qdisc_create_dflt+0x71/0x4a0 net/sched/sch_generic.c:997
      attach_one_default_qdisc net/sched/sch_generic.c:1152 [inline]
      netdev_for_each_tx_queue include/linux/netdevice.h:2437 [inline]
      attach_default_qdiscs net/sched/sch_generic.c:1170 [inline]
      dev_activate+0x760/0xcd0 net/sched/sch_generic.c:1229
      __dev_open+0x393/0x4d0 net/core/dev.c:1441
      __dev_change_flags+0x583/0x750 net/core/dev.c:8556
      rtnl_configure_link+0xee/0x240 net/core/rtnetlink.c:3189
      rtnl_newlink_create net/core/rtnetlink.c:3371 [inline]
      __rtnl_newlink+0x10b8/0x17e0 net/core/rtnetlink.c:3580
      rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
      rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Freed by task 21020:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      kasan_set_track+0x21/0x30 mm/kasan/common.c:45
      kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
      ____kasan_slab_free mm/kasan/common.c:367 [inline]
      ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
      kasan_slab_free include/linux/kasan.h:200 [inline]
      slab_free_hook mm/slub.c:1754 [inline]
      slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780
      slab_free mm/slub.c:3534 [inline]
      kfree+0xe2/0x580 mm/slub.c:4562
      rcu_do_batch kernel/rcu/tree.c:2245 [inline]
      rcu_core+0x7b5/0x1890 kernel/rcu/tree.c:2505
      __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
      
      Last potentially related work creation:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
      call_rcu+0x99/0x790 kernel/rcu/tree.c:2793
      qdisc_put+0xcd/0xe0 net/sched/sch_generic.c:1083
      notify_and_destroy net/sched/sch_api.c:1012 [inline]
      qdisc_graft+0xeb1/0x1270 net/sched/sch_api.c:1084
      tc_modify_qdisc+0xbb7/0x1a00 net/sched/sch_api.c:1671
      rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Second to last potentially related work creation:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
      kvfree_call_rcu+0x74/0x940 kernel/rcu/tree.c:3322
      neigh_destroy+0x431/0x630 net/core/neighbour.c:912
      neigh_release include/net/neighbour.h:454 [inline]
      neigh_cleanup_and_release+0x1f8/0x330 net/core/neighbour.c:103
      neigh_del net/core/neighbour.c:225 [inline]
      neigh_remove_one+0x37d/0x460 net/core/neighbour.c:246
      neigh_forced_gc net/core/neighbour.c:276 [inline]
      neigh_alloc net/core/neighbour.c:447 [inline]
      ___neigh_create+0x18b5/0x29a0 net/core/neighbour.c:642
      ip6_finish_output2+0xfb8/0x1520 net/ipv6/ip6_output.c:125
      __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
      ip6_finish_output+0x690/0x1160 net/ipv6/ip6_output.c:206
      NF_HOOK_COND include/linux/netfilter.h:296 [inline]
      ip6_output+0x1ed/0x540 net/ipv6/ip6_output.c:227
      dst_output include/net/dst.h:451 [inline]
      NF_HOOK include/linux/netfilter.h:307 [inline]
      NF_HOOK include/linux/netfilter.h:301 [inline]
      mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
      mld_send_cr net/ipv6/mcast.c:2121 [inline]
      mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2653
      process_one_work+0x991/0x1610 kernel/workqueue.c:2289
      worker_thread+0x665/0x1080 kernel/workqueue.c:2436
      kthread+0x2e4/0x3a0 kernel/kthread.c:376
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      
      The buggy address belongs to the object at ffff88802065e000
      which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 56 bytes inside of
      1024-byte region [ffff88802065e000, ffff88802065e400)
      
      The buggy address belongs to the physical page:
      page:ffffea0000819600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20658
      head:ffffea0000819600 order:3 compound_mapcount:0 compound_pincount:0
      flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
      raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011841dc0
      raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3523, tgid 3523 (sshd), ts 41495190986, free_ts 41417713212
      prep_new_page mm/page_alloc.c:2532 [inline]
      get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
      __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
      alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270
      alloc_slab_page mm/slub.c:1824 [inline]
      allocate_slab+0x27e/0x3d0 mm/slub.c:1969
      new_slab mm/slub.c:2029 [inline]
      ___slab_alloc+0x7f1/0xe10 mm/slub.c:3031
      __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
      slab_alloc_node mm/slub.c:3209 [inline]
      __kmalloc_node_track_caller+0x2f2/0x380 mm/slub.c:4955
      kmalloc_reserve net/core/skbuff.c:358 [inline]
      __alloc_skb+0xd9/0x2f0 net/core/skbuff.c:430
      alloc_skb_fclone include/linux/skbuff.h:1307 [inline]
      tcp_stream_alloc_skb+0x38/0x580 net/ipv4/tcp.c:861
      tcp_sendmsg_locked+0xc36/0x2f80 net/ipv4/tcp.c:1325
      tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1483
      inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      sock_write_iter+0x291/0x3d0 net/socket.c:1108
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:578
      ksys_write+0x1e8/0x250 fs/read_write.c:631
      page last free stack trace:
      reset_page_owner include/linux/page_owner.h:24 [inline]
      free_pages_prepare mm/page_alloc.c:1449 [inline]
      free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
      free_unref_page_prepare mm/page_alloc.c:3380 [inline]
      free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
      __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2548
      qlink_free mm/kasan/quarantine.c:168 [inline]
      qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
      kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
      __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447
      kasan_slab_alloc include/linux/kasan.h:224 [inline]
      slab_post_alloc_hook mm/slab.h:727 [inline]
      slab_alloc_node mm/slub.c:3243 [inline]
      slab_alloc mm/slub.c:3251 [inline]
      __kmem_cache_alloc_lru mm/slub.c:3258 [inline]
      kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3268
      kmem_cache_zalloc include/linux/slab.h:723 [inline]
      alloc_buffer_head+0x20/0x140 fs/buffer.c:2974
      alloc_page_buffers+0x280/0x790 fs/buffer.c:829
      create_empty_buffers+0x2c/0xee0 fs/buffer.c:1558
      ext4_block_write_begin+0x1004/0x1530 fs/ext4/inode.c:1074
      ext4_da_write_begin+0x422/0xae0 fs/ext4/inode.c:2996
      generic_perform_write+0x246/0x560 mm/filemap.c:3738
      ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:270
      ext4_file_write_iter+0x44a/0x1660 fs/ext4/file.c:679
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:578
      
      Fixes: af356afa ("net_sched: reintroduce dev->qdisc for use by sch_api")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Diagnosed-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221018203258.2793282-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ebda44da
    • Yang Yingliang's avatar
      net: hns: fix possible memory leak in hnae_ae_register() · ff2f5ec5
      Yang Yingliang authored
      Inject fault while probing module, if device_register() fails,
      but the refcount of kobject is not decreased to 0, the name
      allocated in dev_set_name() is leaked. Fix this by calling
      put_device(), so that name can be freed in callback function
      kobject_cleanup().
      
      unreferenced object 0xffff00c01aba2100 (size 128):
        comm "systemd-udevd", pid 1259, jiffies 4294903284 (age 294.152s)
        hex dump (first 32 bytes):
          68 6e 61 65 30 00 00 00 18 21 ba 1a c0 00 ff ff  hnae0....!......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<0000000034783f26>] slab_post_alloc_hook+0xa0/0x3e0
          [<00000000748188f2>] __kmem_cache_alloc_node+0x164/0x2b0
          [<00000000ab0743e8>] __kmalloc_node_track_caller+0x6c/0x390
          [<000000006c0ffb13>] kvasprintf+0x8c/0x118
          [<00000000fa27bfe1>] kvasprintf_const+0x60/0xc8
          [<0000000083e10ed7>] kobject_set_name_vargs+0x3c/0xc0
          [<000000000b87affc>] dev_set_name+0x7c/0xa0
          [<000000003fd8fe26>] hnae_ae_register+0xcc/0x190 [hnae]
          [<00000000fe97edc9>] hns_dsaf_ae_init+0x9c/0x108 [hns_dsaf]
          [<00000000c36ff1eb>] hns_dsaf_probe+0x548/0x748 [hns_dsaf]
      
      Fixes: 6fe6611f ("net: add Hisilicon Network Subsystem hnae framework support")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Link: https://lore.kernel.org/r/20221018122451.1749171-1-yangyingliang@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ff2f5ec5
    • Yang Yingliang's avatar
      wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new() · 258ad2fe
      Yang Yingliang authored
      Inject fault while probing module, if device_register() fails,
      but the refcount of kobject is not decreased to 0, the name
      allocated in dev_set_name() is leaked. Fix this by calling
      put_device(), so that name can be freed in callback function
      kobject_cleanup().
      
      unreferenced object 0xffff88810152ad20 (size 8):
        comm "modprobe", pid 252, jiffies 4294849206 (age 22.713s)
        hex dump (first 8 bytes):
          68 77 73 69 6d 30 00 ff                          hwsim0..
        backtrace:
          [<000000009c3504ed>] __kmalloc_node_track_caller+0x44/0x1b0
          [<00000000c0228a5e>] kvasprintf+0xb5/0x140
          [<00000000cff8c21f>] kvasprintf_const+0x55/0x180
          [<0000000055a1e073>] kobject_set_name_vargs+0x56/0x150
          [<000000000a80b139>] dev_set_name+0xab/0xe0
      
      Fixes: f36a111a ("wwan_hwsim: WWAN device simulator")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Reviewed-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Acked-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Link: https://lore.kernel.org/r/20221018131607.1901641-1-yangyingliang@huawei.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      258ad2fe
    • Pieter Jansen van Vuuren's avatar
      sfc: include vport_id in filter spec hash and equal() · c2bf23e4
      Pieter Jansen van Vuuren authored
      Filters on different vports are qualified by different implicit MACs and/or
      VLANs, so shouldn't be considered equal even if their other match fields
      are identical.
      
      Fixes: 7c460d9b ("sfc: Extend and abstract efx_filter_spec to cover Huntington/EF10")
      Co-developed-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Signed-off-by: default avatarEdward Cree <ecree.xilinx@gmail.com>
      Signed-off-by: default avatarPieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
      Reviewed-by: default avatarMartin Habets <habetsm.xilinx@gmail.com>
      Link: https://lore.kernel.org/r/20221018092841.32206-1-pieter.jansen-van-vuuren@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c2bf23e4
  4. 19 Oct, 2022 15 commits
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · d753a050
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      1) Missing flowi uid field in nft_fib expression, from Guillaume Nault.
         This is broken since the creation of the fib expression.
      
      2) Relax sanity check to fix bogus EINVAL error when deleting elements
         belonging set intervals. Broken since 6.0-rc.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements
        netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.
      ====================
      
      Link: https://lore.kernel.org/r/20221019065225.1006344-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d753a050
    • Jakub Kicinski's avatar
      genetlink: fix kdoc warnings · a1a824f4
      Jakub Kicinski authored
      Address a bunch of kdoc warnings:
      
      include/net/genetlink.h:81: warning: Function parameter or member 'module' not described in 'genl_family'
      include/net/genetlink.h:243: warning: expecting prototype for struct genl_info. Prototype was for struct genl_dumpit_info instead
      include/net/genetlink.h:419: warning: Function parameter or member 'net' not described in 'genlmsg_unicast'
      include/net/genetlink.h:438: warning: expecting prototype for gennlmsg_data(). Prototype was for genlmsg_data() instead
      include/net/genetlink.h:244: warning: Function parameter or member 'op' not described in 'genl_dumpit_info'
      
      Link: https://lore.kernel.org/r/20221018231310.1040482-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a1a824f4
    • David S. Miller's avatar
      Merge branch 'qdisc-ingress-success' · 6109ecbf
      David S. Miller authored
      Paul Blakey says:
      
      ====================
      net: Fix return value of qdisc ingress handling on success
      
      Fix patch + self-test with the currently broken scenario.
      
      v4->v3:
        Removed new line in self test and rebase (Paolo).
      
      v2->v3:
        Added DROP return to TC_ACT_SHOT case (Cong).
      
      v1->v2:
        Changed blamed commit
        Added self-test
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6109ecbf
    • Paul Blakey's avatar
      selftests: add selftest for chaining of tc ingress handling to egress · fd602f5c
      Paul Blakey authored
      This test runs a simple ingress tc setup between two veth pairs,
      then adds a egress->ingress rule to test the chaining of tc ingress
      pipeline to tc egress piepline.
      Signed-off-by: default avatarPaul Blakey <paulb@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd602f5c
    • Paul Blakey's avatar
      net: Fix return value of qdisc ingress handling on success · 672e97ef
      Paul Blakey authored
      Currently qdisc ingress handling (sch_handle_ingress()) doesn't
      set a return value and it is left to the old return value of
      the caller (__netif_receive_skb_core()) which is RX drop, so if
      the packet is consumed, caller will stop and return this value
      as if the packet was dropped.
      
      This causes a problem in the kernel tcp stack when having a
      egress tc rule forwarding to a ingress tc rule.
      The tcp stack sending packets on the device having the egress rule
      will see the packets as not successfully transmitted (although they
      actually were), will not advance it's internal state of sent data,
      and packets returning on such tcp stream will be dropped by the tcp
      stack with reason ack-of-unsent-data. See reproduction in [0] below.
      
      Fix that by setting the return value to RX success if
      the packet was handled successfully.
      
      [0] Reproduction steps:
       $ ip link add veth1 type veth peer name peer1
       $ ip link add veth2 type veth peer name peer2
       $ ifconfig peer1 5.5.5.6/24 up
       $ ip netns add ns0
       $ ip link set dev peer2 netns ns0
       $ ip netns exec ns0 ifconfig peer2 5.5.5.5/24 up
       $ ifconfig veth2 0 up
       $ ifconfig veth1 0 up
      
       #ingress forwarding veth1 <-> veth2
       $ tc qdisc add dev veth2 ingress
       $ tc qdisc add dev veth1 ingress
       $ tc filter add dev veth2 ingress prio 1 proto all flower \
         action mirred egress redirect dev veth1
       $ tc filter add dev veth1 ingress prio 1 proto all flower \
         action mirred egress redirect dev veth2
      
       #steal packet from peer1 egress to veth2 ingress, bypassing the veth pipe
       $ tc qdisc add dev peer1 clsact
       $ tc filter add dev peer1 egress prio 20 proto ip flower \
         action mirred ingress redirect dev veth1
      
       #run iperf and see connection not running
       $ iperf3 -s&
       $ ip netns exec ns0 iperf3 -c 5.5.5.6 -i 1
      
       #delete egress rule, and run again, now should work
       $ tc filter del dev peer1 egress
       $ ip netns exec ns0 iperf3 -c 5.5.5.6 -i 1
      
      Fixes: f697c3e8 ("[NET]: Avoid unnecessary cloning for ingress filtering")
      Signed-off-by: default avatarPaul Blakey <paulb@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      672e97ef
    • David S. Miller's avatar
      Merge branch 'qdisc-null-deref' · e38cf366
      David S. Miller authored
      Zhengchao Shao says:
      
      ====================
      net: fix null pointer access issue in qdisc
      
      These three patches fix the same type of problem. Set the default qdisc,
      and then construct an init failure scenario when the dev qdisc is
      configured on mqprio to trigger the reset process. NULL pointer access
      may occur during the reset process.
      
      ---
      v2: for fq_codel, revert the patch
      ---
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e38cf366
    • Zhengchao Shao's avatar
      net: sched: sfb: fix null pointer access issue when sfb_init() fails · 2a3fc782
      Zhengchao Shao authored
      When the default qdisc is sfb, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), sfb_reset() is invoked to clear resources.
      In this case, the q->qdisc is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	sfb_init()
      		tcf_block_get()          --->failed, q->qdisc is NULL
      	...
      	qdisc_put()
      		...
      		sfb_reset()
      			qdisc_reset(q->qdisc)    --->q->qdisc is NULL
      				ops = qdisc->ops
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
      RIP: 0010:qdisc_reset+0x2b/0x6f0
      Call Trace:
      <TASK>
      sfb_reset+0x37/0xd0
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7f2164122d04
      </TASK>
      
      Fixes: e13e02a3 ("net_sched: SFB flow scheduler")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a3fc782
    • Zhengchao Shao's avatar
      Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()" · f5ffa3b1
      Zhengchao Shao authored
      This reverts commit 494f5063.
      
      When the default qdisc is fq_codel, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), fq_codel_reset() is invoked to clear
      resources. In this case, the flow is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	fq_codel_init()
      		...
      		q->flows_cnt = 1024;
      		...
      		q->flows = kvcalloc(...)      --->failed, q->flows is NULL
      	...
      	qdisc_put()
      		...
      		fq_codel_reset()
      			...
      			flow = q->flows + i   --->q->flows is NULL
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      RIP: 0010:fq_codel_reset+0x14d/0x350
      Call Trace:
      <TASK>
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7fd272b22d04
      </TASK>
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5ffa3b1
    • Zhengchao Shao's avatar
      net: sched: cake: fix null pointer access issue when cake_init() fails · 51f9a892
      Zhengchao Shao authored
      When the default qdisc is cake, if the qdisc of dev_queue fails to be
      inited during mqprio_init(), cake_reset() is invoked to clear
      resources. In this case, the tins is NULL, and it will cause gpf issue.
      
      The process is as follows:
      qdisc_create_dflt()
      	cake_init()
      		q->tins = kvcalloc(...)        --->failed, q->tins is NULL
      	...
      	qdisc_put()
      		...
      		cake_reset()
      			...
      			cake_dequeue_one()
      				b = &q->tins[...]   --->q->tins is NULL
      
      The following is the Call Trace information:
      general protection fault, probably for non-canonical address
      0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      RIP: 0010:cake_dequeue_one+0xc9/0x3c0
      Call Trace:
      <TASK>
      cake_reset+0xb1/0x140
      qdisc_reset+0xed/0x6f0
      qdisc_destroy+0x82/0x4c0
      qdisc_put+0x9e/0xb0
      qdisc_create_dflt+0x2c3/0x4a0
      mqprio_init+0xa71/0x1760
      qdisc_create+0x3eb/0x1000
      tc_modify_qdisc+0x408/0x1720
      rtnetlink_rcv_msg+0x38e/0xac0
      netlink_rcv_skb+0x12d/0x3a0
      netlink_unicast+0x4a2/0x740
      netlink_sendmsg+0x826/0xcc0
      sock_sendmsg+0xc5/0x100
      ____sys_sendmsg+0x583/0x690
      ___sys_sendmsg+0xe8/0x160
      __sys_sendmsg+0xbf/0x160
      do_syscall_64+0x35/0x80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      RIP: 0033:0x7f89e5122d04
      </TASK>
      
      Fixes: 046f6fd5 ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51f9a892
    • Manank Patel's avatar
      ethernet: marvell: octeontx2 Fix resource not freed after malloc · 7b55c2ed
      Manank Patel authored
      fix rxsc and txsc not getting freed before going out of scope
      
      Fixes: c54ffc73 ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading")
      Signed-off-by: default avatarManank Patel <pmanank200502@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7b55c2ed
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements · 96df8360
      Pablo Neira Ayuso authored
      Otherwise EINVAL is bogusly reported to userspace when deleting a set
      element. NFTA_SET_ELEM_KEY_END does not need to be set in case of:
      
      - insertion: if not present, start key is used as end key.
      - deletion: only start key needs to be specified, end key is ignored.
      
      Hence, relax the sanity check.
      
      Fixes: 88cccd90 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      96df8360
    • Guillaume Nault's avatar
      netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces. · 1fcc064b
      Guillaume Nault authored
      Currently netfilter's rpfilter and fib modules implicitely initialise
      ->flowic_uid with 0. This is normally the root UID. However, this isn't
      the case in user namespaces, where user ID 0 is mapped to a different
      kernel UID. By initialising ->flowic_uid with sock_net_uid(), we get
      the root UID of the user namespace, thus keeping the same behaviour
      whether or not we're running in a user namepspace.
      
      Note, this is similar to commit 8bcfd092 ("ipv4: add missing
      initialization for flowi4_uid"), which fixed the rp_filter sysctl.
      
      Fixes: 622ec2c9 ("net: core: add UID to flows, rules, and routes")
      Signed-off-by: default avatarGuillaume Nault <gnault@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1fcc064b
    • Brett Creeley's avatar
      ionic: catch NULL pointer issue on reconfig · aa1d7e12
      Brett Creeley authored
      It's possible that the driver will dereference a qcq that doesn't exist
      when calling ionic_reconfigure_queues(), which causes a page fault BUG.
      
      If a reduction in the number of queues is followed by a different
      reconfig such as changing the ring size, the driver can hit a NULL
      pointer when trying to clean up non-existent queues.
      
      Fix this by checking to make sure both the qcqs array and qcq entry
      exists bofore trying to use and free the entry.
      
      Fixes: 101b40a0 ("ionic: change queue count with no reset")
      Signed-off-by: default avatarBrett Creeley <brett@pensando.io>
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Link: https://lore.kernel.org/r/20221017233123.15869-1-snelson@pensando.ioSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aa1d7e12
    • Eric Dumazet's avatar
      net: hsr: avoid possible NULL deref in skb_clone() · d8b57135
      Eric Dumazet authored
      syzbot got a crash [1] in skb_clone(), caused by a bug
      in hsr_get_untagged_frame().
      
      When/if create_stripped_skb_hsr() returns NULL, we must
      not attempt to call skb_clone().
      
      While we are at it, replace a WARN_ONCE() by netdev_warn_once().
      
      [1]
      general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
      CPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074f #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
      RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641
      Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00
      RSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207
      
      RAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000
      RDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140
      R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640
      R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620
      FS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164
      hsr_forward_do net/hsr/hsr_forward.c:461 [inline]
      hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623
      hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69
      __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379
      __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483
      __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599
      netif_receive_skb_internal net/core/dev.c:5685 [inline]
      netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744
      tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544
      tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995
      tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:584
      ksys_write+0x127/0x250 fs/read_write.c:637
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: f266a683 ("net/hsr: Better frame dispatch")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221017165928.2150130-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d8b57135
    • Vikas Gupta's avatar
      bnxt_en: fix memory leak in bnxt_nvm_test() · ba077d68
      Vikas Gupta authored
      Free the kzalloc'ed buffer before returning in the success path.
      
      Fixes: 5b6ff128 ("bnxt_en: implement callbacks for devlink selftests")
      Signed-off-by: default avatarVikas Gupta <vikas.gupta@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Link: https://lore.kernel.org/r/1666020742-25834-1-git-send-email-michael.chan@broadcom.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ba077d68
  5. 18 Oct, 2022 9 commits