1. 03 Oct, 2024 18 commits
    • Xin Long's avatar
      sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start · 8beee4d8
      Xin Long authored
      In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
      sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
      
      Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
      is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
      be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
      is NULL.
      
        KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
        RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
        Call Trace:
         <TASK>
         __sys_listen_socket net/socket.c:1883 [inline]
         __sys_listen+0x1b7/0x230 net/socket.c:1894
         __do_sys_listen net/socket.c:1902 [inline]
      
      Fixes: 5e8f3f70 ("sctp: simplify sctp listening code")
      Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      8beee4d8
    • Ravikanth Tuniki's avatar
      dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems · c6929644
      Ravikanth Tuniki authored
      Add missing reg minItems as based on current binding document
      only ethernet MAC IO space is a supported configuration.
      
      There is a bug in schema, current examples contain 64-bit
      addressing as well as 32-bit addressing. The schema validation
      does pass incidentally considering one 64-bit reg address as
      two 32-bit reg address entries. If we change axi_ethernet_eth1
      example node reg addressing to 32-bit schema validation reports:
      
      Documentation/devicetree/bindings/net/xlnx,axi-ethernet.example.dtb:
      ethernet@40000000: reg: [[1073741824, 262144]] is too short
      
      To fix it add missing reg minItems constraints and to make things clearer
      stick to 32-bit addressing in examples.
      
      Fixes: cbb1ca6d ("dt-bindings: net: xlnx,axi-ethernet: convert bindings document to yaml")
      Signed-off-by: default avatarRavikanth Tuniki <ravikanth.tuniki@amd.com>
      Signed-off-by: default avatarRadhey Shyam Pandey <radhey.shyam.pandey@amd.com>
      Acked-by: default avatarConor Dooley <conor.dooley@microchip.com>
      Link: https://patch.msgid.link/1727723615-2109795-1-git-send-email-radhey.shyam.pandey@amd.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c6929644
    • Sean Anderson's avatar
      doc: net: napi: Update documentation for napi_schedule_irqoff · b63ad06d
      Sean Anderson authored
      Since commit 8380c81d ("net: Treat __napi_schedule_irqoff() as
      __napi_schedule() on PREEMPT_RT"), napi_schedule_irqoff will do the
      right thing if IRQs are threaded. Therefore, there is no need to use
      IRQF_NO_THREAD.
      Signed-off-by: default avatarSean Anderson <sean.anderson@linux.dev>
      Reviewed-by: default avatarBagas Sanjaya <bagasdotme@gmail.com>
      Reviewed-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Link: https://patch.msgid.link/20240930153955.971657-1-sean.anderson@linux.devSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b63ad06d
    • Paolo Abeni's avatar
      Merge tag 'nf-24-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 1127c73a
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Fix incorrect documentation in uapi/linux/netfilter/nf_tables.h
         regarding flowtable hooks, from Phil Sutter.
      
      2) Fix nft_audit.sh selftests with newer nft binaries, due to different
         (valid) audit output, also from Phil.
      
      3) Disable BH when duplicating packets via nf_dup infrastructure,
         otherwise race on nf_skb_duplicated for locally generated traffic.
         From Eric.
      
      4) Missing return in callback of selftest C program, from zhang jiao.
      
      netfilter pull request 24-10-02
      
      * tag 'nf-24-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        selftests: netfilter: Add missing return value
        netfilter: nf_tables: prevent nf_skb_duplicated corruption
        selftests: netfilter: Fix nft_audit.sh for newer nft binaries
        netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
      ====================
      
      Link: https://patch.msgid.link/20241002202421.1281311-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      1127c73a
    • Eddie James's avatar
      net/ncsi: Disable the ncsi work before freeing the associated structure · a0ffa68c
      Eddie James authored
      The work function can run after the ncsi device is freed, resulting
      in use-after-free bugs or kernel panic.
      
      Fixes: 2d283bdd ("net/ncsi: Resource management")
      Signed-off-by: default avatarEddie James <eajames@linux.ibm.com>
      Link: https://patch.msgid.link/20240925155523.1017097-1-eajames@linux.ibm.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a0ffa68c
    • FUJITA Tomonori's avatar
      net: phy: qt2025: Fix warning: unused import DeviceId · fa7dfeae
      FUJITA Tomonori authored
      Fix the following warning when the driver is compiled as built-in:
      
            warning: unused import: `DeviceId`
            --> drivers/net/phy/qt2025.rs:18:5
            |
         18 |     DeviceId, Driver,
            |     ^^^^^^^^
            |
            = note: `#[warn(unused_imports)]` on by default
      
      device_table in module_phy_driver macro is defined only when the
      driver is built as a module. Use phy::DeviceId in the macro instead of
      importing `DeviceId` since `phy` is always used.
      
      Fixes: fd3eaad8 ("net: phy: add Applied Micro QT2025 PHY driver")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202409190717.i135rfVo-lkp@intel.com/Reviewed-by: default avatarAlice Ryhl <aliceryhl@google.com>
      Reviewed-by: default avatarTrevor Gross <tmgross@umich.edu>
      Signed-off-by: default avatarFUJITA Tomonori <fujita.tomonori@gmail.com>
      Reviewed-by: default avatarFiona Behrens <me@kloenk.dev>
      Acked-by: default avatarMiguel Ojeda <ojeda@kernel.org>
      Link: https://patch.msgid.link/20240926121404.242092-1-fujita.tomonori@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fa7dfeae
    • Willem de Bruijn's avatar
      gso: fix udp gso fraglist segmentation after pull from frag_list · a1e40ac5
      Willem de Bruijn authored
      Detect gso fraglist skbs with corrupted geometry (see below) and
      pass these to skb_segment instead of skb_segment_list, as the first
      can segment them correctly.
      
      Valid SKB_GSO_FRAGLIST skbs
      - consist of two or more segments
      - the head_skb holds the protocol headers plus first gso_size
      - one or more frag_list skbs hold exactly one segment
      - all but the last must be gso_size
      
      Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
      modify these skbs, breaking these invariants.
      
      In extreme cases they pull all data into skb linear. For UDP, this
      causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
      udp_hdr(seg->next)->dest.
      
      Detect invalid geometry due to pull, by checking head_skb size.
      Don't just drop, as this may blackhole a destination. Convert to be
      able to pass to regular skb_segment.
      
      Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
      Fixes: 9fd1ff5d ("udp: Support UDP fraglist GRO/GSO.")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Cc: stable@vger.kernel.org
      Link: https://patch.msgid.link/20241001171752.107580-1-willemdebruijn.kernel@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a1e40ac5
    • Ido Schimmel's avatar
      bridge: mcast: Fail MDB get request on empty entry · 555f45d2
      Ido Schimmel authored
      When user space deletes a port from an MDB entry, the port is removed
      synchronously. If this was the last port in the entry and the entry is
      not joined by the host itself, then the entry is scheduled for deletion
      via a timer.
      
      The above means that it is possible for the MDB get netlink request to
      retrieve an empty entry which is scheduled for deletion. This is
      problematic as after deleting the last port in an entry, user space
      cannot rely on a non-zero return code from the MDB get request as an
      indication that the port was successfully removed.
      
      Fix by returning an error when the entry's port list is empty and the
      entry is not joined by the host.
      
      Fixes: 68b380a3 ("bridge: mcast: Add MDB get support")
      Reported-by: default avatarJamie Bainbridge <jamie.bainbridge@gmail.com>
      Closes: https://lore.kernel.org/netdev/c92569919307749f879b9482b0f3e125b7d9d2e3.1726480066.git.jamie.bainbridge@gmail.com/Tested-by: default avatarJamie Bainbridge <jamie.bainbridge@gmail.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Link: https://patch.msgid.link/20240929123640.558525-1-idosch@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      555f45d2
    • Willem de Bruijn's avatar
      vrf: revert "vrf: Remove unnecessary RCU-bh critical section" · b04c4d9e
      Willem de Bruijn authored
      This reverts commit 504fc6f4.
      
      dev_queue_xmit_nit is expected to be called with BH disabled.
      __dev_queue_xmit has the following:
      
              /* Disable soft irqs for various locks below. Also
               * stops preemption for RCU.
               */
              rcu_read_lock_bh();
      
      VRF must follow this invariant. The referenced commit removed this
      protection. Which triggered a lockdep warning:
      
      	================================
      	WARNING: inconsistent lock state
      	6.11.0 #1 Tainted: G        W
      	--------------------------------
      	inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
      	btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:
      	ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30
      	{IN-SOFTIRQ-W} state was registered at:
      	  lock_acquire+0x19a/0x4f0
      	  _raw_spin_lock+0x27/0x40
      	  packet_rcv+0xa33/0x1320
      	  __netif_receive_skb_core.constprop.0+0xcb0/0x3a90
      	  __netif_receive_skb_list_core+0x2c9/0x890
      	  netif_receive_skb_list_internal+0x610/0xcc0
                [...]
      
      	other info that might help us debug this:
      	 Possible unsafe locking scenario:
      
      	       CPU0
      	       ----
      	  lock(rlock-AF_PACKET);
      	  <Interrupt>
      	    lock(rlock-AF_PACKET);
      
      	 *** DEADLOCK ***
      
      	Call Trace:
      	 <TASK>
      	 dump_stack_lvl+0x73/0xa0
      	 mark_lock+0x102e/0x16b0
      	 __lock_acquire+0x9ae/0x6170
      	 lock_acquire+0x19a/0x4f0
      	 _raw_spin_lock+0x27/0x40
      	 tpacket_rcv+0x863/0x3b30
      	 dev_queue_xmit_nit+0x709/0xa40
      	 vrf_finish_direct+0x26e/0x340 [vrf]
      	 vrf_l3_out+0x5f4/0xe80 [vrf]
      	 __ip_local_out+0x51e/0x7a0
                [...]
      
      Fixes: 504fc6f4 ("vrf: Remove unnecessary RCU-bh critical section")
      Link: https://lore.kernel.org/netdev/20240925185216.1990381-1-greearb@candelatech.com/Reported-by: default avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Tested-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://patch.msgid.link/20240929061839.1175300-1-willemdebruijn.kernel@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b04c4d9e
    • Dan Carpenter's avatar
      net: ethernet: ti: am65-cpsw: Fix forever loop in cleanup code · 3c97fe4f
      Dan Carpenter authored
      This error handling has a typo.  It should i++ instead of i--.  In the
      original code the error handling will loop until it crashes.
      
      Fixes: da70d184 ("net: ethernet: ti: am65-cpsw: Introduce multi queue Rx")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: default avatarAlexander Sverdlin <alexander.sverdlin@siemens.com>
      Reviewed-by: default avatarRoger Quadros <rogerq@kernel.org>
      Link: https://patch.msgid.link/8e7960cc-415d-48d7-99ce-f623022ec7b5@stanley.mountainSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3c97fe4f
    • Hui Wang's avatar
      net: phy: realtek: Check the index value in led_hw_control_get · c283782f
      Hui Wang authored
      Just like rtl8211f_led_hw_is_supported() and
      rtl8211f_led_hw_control_set(), the rtl8211f_led_hw_control_get() also
      needs to check the index value, otherwise the caller is likely to get
      an incorrect rules.
      
      Fixes: 17784801 ("net: phy: realtek: Add support for PHY LEDs on RTL8211F")
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Reviewed-by: default avatarMarek Vasut <marex@denx.de>
      Link: https://patch.msgid.link/20240927114610.1278935-1-hui.wang@canonical.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c283782f
    • Eric Dumazet's avatar
      ppp: do not assume bh is held in ppp_channel_bridge_input() · aec72910
      Eric Dumazet authored
      Networking receive path is usually handled from BH handler.
      However, some protocols need to acquire the socket lock, and
      packets might be stored in the socket backlog is the socket was
      owned by a user process.
      
      In this case, release_sock(), __release_sock(), and sk_backlog_rcv()
      might call the sk->sk_backlog_rcv() handler in process context.
      
      sybot caught ppp was not considering this case in
      ppp_channel_bridge_input() :
      
      WARNING: inconsistent lock state
      6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
      --------------------------------
      inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:
       ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
       ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
       ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
      {SOFTIRQ-ON-W} state was registered at:
         lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
         __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
         _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
         spin_lock include/linux/spinlock.h:351 [inline]
         ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
         ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
         pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
         sk_backlog_rcv include/net/sock.h:1111 [inline]
         __release_sock+0x1a8/0x3d8 net/core/sock.c:3004
         release_sock+0x68/0x1b8 net/core/sock.c:3558
         pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
         sock_sendmsg_nosec net/socket.c:730 [inline]
         __sock_sendmsg net/socket.c:745 [inline]
         __sys_sendto+0x374/0x4f4 net/socket.c:2204
         __do_sys_sendto net/socket.c:2216 [inline]
         __se_sys_sendto net/socket.c:2212 [inline]
         __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212
         __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
         invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
         el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
         do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
         el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
         el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
         el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
      irq event stamp: 282914
       hardirqs last  enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
       hardirqs last  enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
       hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
       hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
       softirqs last  enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]
       softirqs last  enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
       softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&pch->downl);
        <Interrupt>
          lock(&pch->downl);
      
       *** DEADLOCK ***
      
      1 lock held by ksoftirqd/1/24:
        #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325
      
      stack backtrace:
      CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
      Call trace:
        dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
        show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
        __dump_stack lib/dump_stack.c:93 [inline]
        dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
        dump_stack+0x1c/0x28 lib/dump_stack.c:128
        print_usage_bug+0x698/0x9ac kernel/locking/lockdep.c:4000
       mark_lock_irq+0x980/0xd2c
        mark_lock+0x258/0x360 kernel/locking/lockdep.c:4677
        __lock_acquire+0xf48/0x779c kernel/locking/lockdep.c:5096
        lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
        __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
        _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
        spin_lock include/linux/spinlock.h:351 [inline]
        ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
        ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
        ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495
        tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785
        tasklet_action+0x68/0x8c kernel/softirq.c:811
        handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
        run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
        smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
        kthread+0x288/0x310 kernel/kthread.c:389
        ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
      
      Fixes: 4cf476ce ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls")
      Reported-by: syzbot+bd8d55ee2acd0a71d8ce@syzkaller.appspotmail.com
      Closes: https://lore.kernel.org/netdev/66f661e2.050a0220.38ace9.000f.GAE@google.com/T/#uSigned-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Tom Parkin <tparkin@katalix.com>
      Cc: James Chapman <jchapman@katalix.com>
      Link: https://patch.msgid.link/20240927074553.341910-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      aec72910
    • Hangbin Liu's avatar
      selftests: rds: move include.sh to TEST_FILES · 8ed7cf66
      Hangbin Liu authored
      The include.sh file is generated for inclusion and should not be executable.
      Otherwise, it will be added to kselftest-list.txt. Additionally, add the
      executable bit for test.py at the same time to ensure proper functionality.
      
      Fixes: 3ade6ce1 ("selftests: rds: add testing infrastructure")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Link: https://patch.msgid.link/20240927041349.81216-1-liuhangbin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8ed7cf66
    • Eric Dumazet's avatar
      net: test for not too small csum_start in virtio_net_hdr_to_skb() · 49d14b54
      Eric Dumazet authored
      syzbot was able to trigger this warning [1], after injecting a
      malicious packet through af_packet, setting skb->csum_start and thus
      the transport header to an incorrect value.
      
      We can at least make sure the transport header is after
      the end of the network header (with a estimated minimal size).
      
      [1]
      [   67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0
      mac=(-1,-1) mac_len=0 net=(16,-6) trans=10
      shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
      csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0)
      hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0
      priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0
      encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
      [   67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9
      [   67.877764] sk family=17 type=3 proto=0
      [   67.878279] skb linear:   00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00
      [   67.879128] skb frag:     00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02
      [   67.879877] skb frag:     00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.880647] skb frag:     00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00
      [   67.881156] skb frag:     00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.881753] skb frag:     00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.882173] skb frag:     00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.882790] skb frag:     00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.883171] skb frag:     00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.883733] skb frag:     00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.884206] skb frag:     00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e
      [   67.884704] skb frag:     000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00
      [   67.885139] skb frag:     000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.885677] skb frag:     000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.886042] skb frag:     000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.886408] skb frag:     000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.887020] skb frag:     000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   67.887384] skb frag:     00000100: 00 00
      [   67.887878] ------------[ cut here ]------------
      [   67.887908] offset (-6) >= skb_headlen() (14)
      [   67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs
      [   67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011
      [   67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
      [   67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.891043] Call Trace:
      [   67.891173]  <TASK>
      [   67.891274] ? __warn (kernel/panic.c:741)
      [   67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)
      [   67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)
      [   67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
      [   67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
      [   67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
      [   67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))
      [   67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 net/ipv4/ip_output.c:113)
      [   67.891459] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200)
      [   67.891470] ? ip_route_output_flow (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:96 (discriminator 13) ./include/linux/rcupdate.h:871 (discriminator 13) net/ipv4/route.c:2625 (discriminator 13) ./include/net/route.h:141 (discriminator 13) net/ipv4/route.c:2852 (discriminator 13))
      [   67.891484] ipvlan_process_v4_outbound (drivers/net/ipvlan/ipvlan_core.c:445 (discriminator 1))
      [   67.891581] ipvlan_queue_xmit (drivers/net/ipvlan/ipvlan_core.c:542 drivers/net/ipvlan/ipvlan_core.c:604 drivers/net/ipvlan/ipvlan_core.c:670)
      [   67.891596] ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:227)
      [   67.891607] dev_hard_start_xmit (./include/linux/netdevice.h:4916 ./include/linux/netdevice.h:4925 net/core/dev.c:3588 net/core/dev.c:3604)
      [   67.891620] __dev_queue_xmit (net/core/dev.h:168 (discriminator 25) net/core/dev.c:4425 (discriminator 25))
      [   67.891630] ? skb_copy_bits (./include/linux/uaccess.h:233 (discriminator 1) ./include/linux/uaccess.h:260 (discriminator 1) ./include/linux/highmem-internal.h:230 (discriminator 1) net/core/skbuff.c:3018 (discriminator 1))
      [   67.891645] ? __pskb_pull_tail (net/core/skbuff.c:2848 (discriminator 4))
      [   67.891655] ? skb_partial_csum_set (net/core/skbuff.c:5657)
      [   67.891666] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/skbuff.h:2791 (discriminator 3) ./include/linux/skbuff.h:2799 (discriminator 3) ./include/linux/virtio_net.h:109 (discriminator 3))
      [   67.891684] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
      [   67.891700] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
      [   67.891716] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
      [   67.891734] ? do_sock_setsockopt (net/socket.c:2335)
      [   67.891747] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
      [   67.891761] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
      [   67.891772] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
      [   67.891785] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
      
      Fixes: 9181d6f8 ("net: add more sanity check in virtio_net_hdr_to_skb()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://patch.msgid.link/20240926165836.3797406-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      49d14b54
    • Felix Fietkau's avatar
      net: gso: fix tcp fraglist segmentation after pull from frag_list · 17bd3bd8
      Felix Fietkau authored
      Detect tcp gso fraglist skbs with corrupted geometry (see below) and
      pass these to skb_segment instead of skb_segment_list, as the first
      can segment them correctly.
      
      Valid SKB_GSO_FRAGLIST skbs
      - consist of two or more segments
      - the head_skb holds the protocol headers plus first gso_size
      - one or more frag_list skbs hold exactly one segment
      - all but the last must be gso_size
      
      Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
      modify these skbs, breaking these invariants.
      
      In extreme cases they pull all data into skb linear. For TCP, this
      causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at
      tcp_hdr(seg->next).
      
      Detect invalid geometry due to pull, by checking head_skb size.
      Don't just drop, as this may blackhole a destination. Convert to be
      able to pass to regular skb_segment.
      
      Approach and description based on a patch by Willem de Bruijn.
      
      Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
      Link: https://lore.kernel.org/netdev/20240922150450.3873767-1-willemdebruijn.kernel@gmail.com/
      Fixes: bee88cd5 ("net: add support for segmenting TCP fraglist GSO packets")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://patch.msgid.link/20240926085315.51524-1-nbd@nbd.nameSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      17bd3bd8
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2024-09-25' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 854e9bf5
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2024-09-25
      
      * tag 'mlx5-fixes-2024-09-25' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
        net/mlx5e: SHAMPO, Fix overflow of hd_per_wq
        net/mlx5: HWS, changed E2BIG error to a negative return code
        net/mlx5: HWS, fixed double-free in error flow of creating SQ
        net/mlx5: Fix wrong reserved field in hca_cap_2 in mlx5_ifc
        net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
        net/mlx5: Added cond_resched() to crdump collection
        net/mlx5: Fix error path in multi-packet WQE transmit
      ====================
      
      Link: https://patch.msgid.link/20240925202013.45374-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      854e9bf5
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2024-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · e5e3f369
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()
       - MGMT: Fix possible crash on mgmt_index_removed
       - L2CAP: Fix uaf in l2cap_connect
       - Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
      
      * tag 'for-net-2024-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
        Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()
        Bluetooth: L2CAP: Fix uaf in l2cap_connect
        Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
      ====================
      
      Link: https://patch.msgid.link/20240927145730.2452175-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e5e3f369
    • Jakub Kicinski's avatar
      Merge tag 'ieee802154-for-net-2024-09-27' of... · cb3ad113
      Jakub Kicinski authored
      Merge tag 'ieee802154-for-net-2024-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan
      
      Stefan Schmidt says:
      
      ====================
      pull-request: ieee802154 for net 2024-09-27
      
      Jinjie Ruan added the use of IRQF_NO_AUTOEN in the mcr20a driver and fixed
      and addiotinal build dependency problem while doing so.
      
      Jiawei Ye, ensured a correct RCU handling in mac802154_scan_worker.
      
      * tag 'ieee802154-for-net-2024-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan:
        net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()
        mac802154: Fix potential RCU dereference issue in mac802154_scan_worker
        ieee802154: Fix build error
      ====================
      
      Link: https://patch.msgid.link/20240927094351.3865511-1-stefan@datenfreihafen.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cb3ad113
  2. 01 Oct, 2024 14 commits
    • Anton Danilov's avatar
      ipv4: ip_gre: Fix drops of small packets in ipgre_xmit · c4a14f6d
      Anton Danilov authored
      Regression Description:
      
      Depending on the options specified for the GRE tunnel device, small
      packets may be dropped. This occurs because the pskb_network_may_pull
      function fails due to the packet's insufficient length.
      
      For example, if only the okey option is specified for the tunnel device,
      original (before encapsulation) packets smaller than 28 bytes (including
      the IPv4 header) will be dropped. This happens because the required
      length is calculated relative to the network header, not the skb->head.
      
      Here is how the required length is computed and checked:
      
      * The pull_len variable is set to 28 bytes, consisting of:
        * IPv4 header: 20 bytes
        * GRE header with Key field: 8 bytes
      
      * The pskb_network_may_pull function adds the network offset, shifting
      the checkable space further to the beginning of the network header and
      extending it to the beginning of the packet. As a result, the end of
      the checkable space occurs beyond the actual end of the packet.
      
      Instead of ensuring that 28 bytes are present in skb->head, the function
      is requesting these 28 bytes starting from the network header. For small
      packets, this requested length exceeds the actual packet size, causing
      the check to fail and the packets to be dropped.
      
      This issue affects both locally originated and forwarded packets in
      DMVPN-like setups.
      
      How to reproduce (for local originated packets):
      
        ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \
                local <your-ip> remote 0.0.0.0
      
        ip link set mtu 1400 dev gre1
        ip link set up dev gre1
        ip address add 192.168.13.1/24 dev gre1
        ip neighbor add 192.168.13.2 lladdr <remote-ip> dev gre1
        ping -s 1374 -c 10 192.168.13.2
        tcpdump -vni gre1
        tcpdump -vni <your-ext-iface> 'ip proto 47'
        ip -s -s -d link show dev gre1
      
      Solution:
      
      Use the pskb_may_pull function instead the pskb_network_may_pull.
      
      Fixes: 80d875cf ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()")
      Signed-off-by: default avatarAnton Danilov <littlesmilingcloud@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c4a14f6d
    • Shenwei Wang's avatar
      net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check · 4c1b5667
      Shenwei Wang authored
      Increase the timeout for checking the busy bit of the VLAN Tag register
      from 10µs to 500ms. This change is necessary to accommodate scenarios
      where Energy Efficient Ethernet (EEE) is enabled.
      
      Overnight testing revealed that when EEE is active, the busy bit can
      remain set for up to approximately 300ms. The new 500ms timeout provides
      a safety margin.
      
      Fixes: ed64639b ("net: stmmac: Add support for VLAN Rx filtering")
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarShenwei Wang <shenwei.wang@nxp.com>
      Link: https://patch.msgid.link/20240924205424.573913-1-shenwei.wang@nxp.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4c1b5667
    • Paolo Abeni's avatar
      Merge branch 'net-two-fixes-for-qdisc_pkt_len_init' · 23e19f24
      Paolo Abeni authored
      Eric Dumazet says:
      
      ====================
      net: two fixes for qdisc_pkt_len_init()
      
      Inspired by one syzbot report.
      
      At least one qdisc (fq_codel) depends on qdisc_skb_cb(skb)->pkt_len
      having a sane value (not zero)
      
      With the help of af_packet, syzbot was able to fool qdisc_pkt_len_init()
      to precisely set qdisc_skb_cb(skb)->pkt_len to zero.
      
      First patch fixes this issue.
      
      Second one (a separate one to help future bisections) adds
      more sanity check to SKB_GSO_DODGY users.
      ====================
      
      Link: https://patch.msgid.link/20240924150257.1059524-1-edumazet@google.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      23e19f24
    • Eric Dumazet's avatar
      net: add more sanity checks to qdisc_pkt_len_init() · ab9a9a9e
      Eric Dumazet authored
      One path takes care of SKB_GSO_DODGY, assuming
      skb->len is bigger than hdr_len.
      
      virtio_net_hdr_to_skb() does not fully dissect TCP headers,
      it only make sure it is at least 20 bytes.
      
      It is possible for an user to provide a malicious 'GSO' packet,
      total length of 80 bytes.
      
      - 20 bytes of IPv4 header
      - 60 bytes TCP header
      - a small gso_size like 8
      
      virtio_net_hdr_to_skb() would declare this packet as a normal
      GSO packet, because it would see 40 bytes of payload,
      bigger than gso_size.
      
      We need to make detect this case to not underflow
      qdisc_skb_cb(skb)->pkt_len.
      
      Fixes: 1def9238 ("net_sched: more precise pkt_len computation")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      ab9a9a9e
    • Eric Dumazet's avatar
      net: avoid potential underflow in qdisc_pkt_len_init() with UFO · c20029db
      Eric Dumazet authored
      After commit 7c6d2ecb ("net: be more gentle about silly gso
      requests coming from user") virtio_net_hdr_to_skb() had sanity check
      to detect malicious attempts from user space to cook a bad GSO packet.
      
      Then commit cf9acc90 ("net: virtio_net_hdr_to_skb: count
      transport header in UFO") while fixing one issue, allowed user space
      to cook a GSO packet with the following characteristic :
      
      IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.
      
      When this packet arrives in qdisc_pkt_len_init(), we end up
      with hdr_len = 28 (IPv4 header + UDP header), matching skb->len
      
      Then the following sets gso_segs to 0 :
      
      gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
                              shinfo->gso_size);
      
      Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/
      
      qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
      
      This leads to the following crash in fq_codel [1]
      
      qdisc_pkt_len_init() is best effort, we only want an estimation
      of the bytes sent on the wire, not crashing the kernel.
      
      This patch is fixing this particular issue, a following one
      adds more sanity checks for another potential bug.
      
      [1]
      [   70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [   70.724561] #PF: supervisor read access in kernel mode
      [   70.724561] #PF: error_code(0x0000) - not-present page
      [   70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
      [   70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
      [   70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
      [   70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
      [   70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
      [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
      All code
      ========
         0:	24 08                	and    $0x8,%al
         2:	49 c1 e1 06          	shl    $0x6,%r9
         6:	44 89 7c 24 18       	mov    %r15d,0x18(%rsp)
         b:	45 31 ed             	xor    %r13d,%r13d
         e:	45 31 c0             	xor    %r8d,%r8d
        11:	31 ff                	xor    %edi,%edi
        13:	89 44 24 14          	mov    %eax,0x14(%rsp)
        17:	4c 03 8b 90 01 00 00 	add    0x190(%rbx),%r9
        1e:	eb 04                	jmp    0x24
        20:	39 ca                	cmp    %ecx,%edx
        22:	73 37                	jae    0x5b
        24:	4d 8b 39             	mov    (%r9),%r15
        27:	83 c7 01             	add    $0x1,%edi
        2a:*	49 8b 17             	mov    (%r15),%rdx		<-- trapping instruction
        2d:	49 89 11             	mov    %rdx,(%r9)
        30:	41 8b 57 28          	mov    0x28(%r15),%edx
        34:	45 8b 5f 34          	mov    0x34(%r15),%r11d
        38:	49 c7 07 00 00 00 00 	movq   $0x0,(%r15)
        3f:	49                   	rex.WB
      
      Code starting with the faulting instruction
      ===========================================
         0:	49 8b 17             	mov    (%r15),%rdx
         3:	49 89 11             	mov    %rdx,(%r9)
         6:	41 8b 57 28          	mov    0x28(%r15),%edx
         a:	45 8b 5f 34          	mov    0x34(%r15),%r11d
         e:	49 c7 07 00 00 00 00 	movq   $0x0,(%r15)
        15:	49                   	rex.WB
      [   70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
      [   70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
      [   70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
      [   70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
      [   70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
      [   70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
      [   70.724561] FS:  000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
      [   70.724561] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0
      [   70.724561] Call Trace:
      [   70.724561]  <TASK>
      [   70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
      [   70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715)
      [   70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
      [   70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
      [   70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
      [   70.724561] dev_qdisc_enqueue (net/core/dev.c:3784)
      [   70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2))
      [   70.724561] ? irqentry_enter (kernel/entry/common.c:237)
      [   70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2))
      [   70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
      [   70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
      [   70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1))
      [   70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
      [   70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
      [   70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1))
      [   70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
      [   70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
      [   70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
      [   70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
      [   70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
      [   70.724561] RIP: 0033:0x41ae09
      
      Fixes: cf9acc90 ("net: virtio_net_hdr_to_skb: count transport header in UFO")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jonathan Davies <jonathan.davies@nutanix.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Reviewed-by: default avatarJonathan Davies <jonathan.davies@nutanix.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c20029db
    • Roger Quadros's avatar
      net: ethernet: ti: cpsw_ale: Fix warning on some platforms · e9d591b1
      Roger Quadros authored
      The number of register fields cannot be assumed to be ALE_FIELDS_MAX
      as some platforms can have lesser fields.
      
      Solve this by embedding the actual number of fields available
      in platform data and use that instead of ALE_FIELDS_MAX.
      
      Gets rid of the below warning on BeagleBone Black
      
      [    1.007735] WARNING: CPU: 0 PID: 33 at drivers/base/regmap/regmap.c:1208 regmap_field_init+0x88/0x9c
      [    1.007802] invalid empty mask defined
      [    1.007812] Modules linked in:
      [    1.007842] CPU: 0 UID: 0 PID: 33 Comm: kworker/u4:3 Not tainted 6.11.0-01459-g508403ab7b74-dirty #840
      [    1.007867] Hardware name: Generic AM33XX (Flattened Device Tree)
      [    1.007890] Workqueue: events_unbound deferred_probe_work_func
      [    1.007935] Call trace:
      [    1.007957]  unwind_backtrace from show_stack+0x10/0x14
      [    1.007999]  show_stack from dump_stack_lvl+0x50/0x64
      [    1.008033]  dump_stack_lvl from __warn+0x70/0x124
      [    1.008077]  __warn from warn_slowpath_fmt+0x194/0x1a8
      [    1.008113]  warn_slowpath_fmt from regmap_field_init+0x88/0x9c
      [    1.008154]  regmap_field_init from devm_regmap_field_alloc+0x48/0x64
      [    1.008193]  devm_regmap_field_alloc from cpsw_ale_create+0xfc/0x320
      [    1.008251]  cpsw_ale_create from cpsw_init_common+0x214/0x354
      [    1.008286]  cpsw_init_common from cpsw_probe+0x4ac/0xb88
      Reported-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Closes: https://lore.kernel.org/netdev/CAMuHMdUf-tKRDzkz2_m8qdFTFutefddU0NTratVrEjRTzA3yQQ@mail.gmail.com/
      Fixes: 11cbcfea ("net: ethernet: ti: cpsw_ale: use regfields for number of Entries and Policers")
      Signed-off-by: default avatarRoger Quadros <rogerq@kernel.org>
      Tested-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/20240924-am65-cpsw-multi-rx-fix-v1-1-0ca3fa9a1398@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e9d591b1
    • Geert Uytterhoeven's avatar
      net: microchip: Make FDMA config symbol invisible · 1910bd47
      Geert Uytterhoeven authored
      There is no need to ask the user about enabling Microchip FDMA
      functionality, as all drivers that use it select the FDMA symbol.
      Hence make the symbol invisible, unless when compile-testing.
      
      Fixes: 30e48a75 ("net: microchip: add FDMA library")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarDaniel Machon <daniel.machon@microchip.com>
      Link: https://patch.msgid.link/8e2bcd8899c417a962b7ee3f75b29f35b25d7933.1727171879.git.geert+renesas@glider.beSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      1910bd47
    • Csókás, Bence's avatar
      net: fec: Reload PTP registers after link-state change · d9335d02
      Csókás, Bence authored
      On link-state change, the controller gets reset,
      which clears all PTP registers, including PHC time,
      calibrated clock correction values etc. For correct
      IEEE 1588 operation we need to restore these after
      the reset.
      
      Fixes: 6605b730 ("FEC: Add time stamping code and a PTP hardware clock")
      Signed-off-by: default avatarCsókás, Bence <csokas.bence@prolan.hu>
      Reviewed-by: default avatarWei Fang <wei.fang@nxp.com>
      Link: https://patch.msgid.link/20240924093705.2897329-2-csokas.bence@prolan.huSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d9335d02
    • Csókás, Bence's avatar
      net: fec: Restart PPS after link state change · a1477dc8
      Csókás, Bence authored
      On link state change, the controller gets reset,
      causing PPS to drop out. Re-enable PPS if it was
      enabled before the controller reset.
      
      Fixes: 6605b730 ("FEC: Add time stamping code and a PTP hardware clock")
      Signed-off-by: default avatarCsókás, Bence <csokas.bence@prolan.hu>
      Link: https://patch.msgid.link/20240924093705.2897329-1-csokas.bence@prolan.huSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a1477dc8
    • Jiawen Wu's avatar
      net: pcs: xpcs: fix the wrong register that was written back · 93ef6ee5
      Jiawen Wu authored
      The value is read from the register TXGBE_RX_GEN_CTL3, and it should be
      written back to TXGBE_RX_GEN_CTL3 when it changes some fields.
      
      Cc: stable@vger.kernel.org
      Fixes: f629acc6 ("net: pcs: xpcs: support to switch mode for Wangxun NICs")
      Signed-off-by: default avatarJiawen Wu <jiawenwu@trustnetic.com>
      Reported-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Link: https://patch.msgid.link/20240924022857.865422-1-jiawenwu@trustnetic.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      93ef6ee5
    • Aleksander Jan Bajkowski's avatar
      net: ethernet: lantiq_etop: fix memory disclosure · 45c0de18
      Aleksander Jan Bajkowski authored
      When applying padding, the buffer is not zeroed, which results in memory
      disclosure. The mentioned data is observed on the wire. This patch uses
      skb_put_padto() to pad Ethernet frames properly. The mentioned function
      zeroes the expanded buffer.
      
      In case the packet cannot be padded it is silently dropped. Statistics
      are also not incremented. This driver does not support statistics in the
      old 32-bit format or the new 64-bit format. These will be added in the
      future. In its current form, the patch should be easily backported to
      stable versions.
      
      Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets
      in hardware, so software padding must be applied.
      
      Fixes: 504d4721 ("MIPS: Lantiq: Add ethernet driver")
      Signed-off-by: default avatarAleksander Jan Bajkowski <olek2@wp.pl>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.plSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      45c0de18
    • Daniel Borkmann's avatar
      net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size · e609c959
      Daniel Borkmann authored
      Commit 24ab059d ("net: check dev->gso_max_size in gso_features_check()")
      added a dev->gso_max_size test to gso_features_check() in order to fall
      back to GSO when needed.
      
      This was added as it was noticed that some drivers could misbehave if TSO
      packets get too big. However, the check doesn't respect dev->gso_ipv4_max_size
      limit. For instance, a device could be configured with BIG TCP for IPv4,
      but not IPv6.
      
      Therefore, add a netif_get_gso_max_size() equivalent to netif_get_gro_max_size()
      and use the helper to respect both limits before falling back to GSO engine.
      
      Fixes: 24ab059d ("net: check dev->gso_max_size in gso_features_check()")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://patch.msgid.link/20240923212242.15669-2-daniel@iogearbox.netSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e609c959
    • Daniel Borkmann's avatar
      net: Add netif_get_gro_max_size helper for GRO · e8d4d34d
      Daniel Borkmann authored
      Add a small netif_get_gro_max_size() helper which returns the maximum IPv4
      or IPv6 GRO size of the netdevice.
      
      We later add a netif_get_gso_max_size() equivalent as well for GSO, so that
      these helpers can be used consistently instead of open-coded checks.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://patch.msgid.link/20240923212242.15669-1-daniel@iogearbox.netSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e8d4d34d
    • Vladimir Oltean's avatar
      net: dsa: improve shutdown sequence · 6c24a03a
      Vladimir Oltean authored
      Alexander Sverdlin presents 2 problems during shutdown with the
      lan9303 driver. One is specific to lan9303 and the other just happens
      to reproduce there.
      
      The first problem is that lan9303 is unique among DSA drivers in that it
      calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown,
      not remove):
      
      phy_state_machine()
      -> ...
         -> dsa_user_phy_read()
            -> ds->ops->phy_read()
               -> lan9303_phy_read()
                  -> chip->ops->phy_read()
                     -> lan9303_mdio_phy_read()
                        -> dev_get_drvdata()
      
      But we never stop the phy_state_machine(), so it may continue to run
      after dsa_switch_shutdown(). Our common pattern in all DSA drivers is
      to set drvdata to NULL to suppress the remove() method that may come
      afterwards. But in this case it will result in an NPD.
      
      The second problem is that the way in which we set
      dp->conduit->dsa_ptr = NULL; is concurrent with receive packet
      processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL,
      but afterwards, rather than continuing to use that non-NULL value,
      dev->dsa_ptr is dereferenced again and again without NULL checks:
      dsa_conduit_find_user() and many other places. In between dereferences,
      there is no locking to ensure that what was valid once continues to be
      valid.
      
      Both problems have the common aspect that closing the conduit interface
      solves them.
      
      In the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN
      event in dsa_user_netdevice_event() which closes user ports as well.
      dsa_port_disable_rt() calls phylink_stop(), which synchronously stops
      the phylink state machine, and ds->ops->phy_read() will thus no longer
      call into the driver after this point.
      
      In the second case, dev_close(conduit) should do this, as per
      Documentation/networking/driver.rst:
      
      | Quiescence
      | ----------
      |
      | After the ndo_stop routine has been called, the hardware must
      | not receive or transmit any data.  All in flight packets must
      | be aborted. If necessary, poll or wait for completion of
      | any reset commands.
      
      So it should be sufficient to ensure that later, when we zeroize
      conduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call
      on this conduit.
      
      The addition of the netif_device_detach() function is to ensure that
      ioctls, rtnetlinks and ethtool requests on the user ports no longer
      propagate down to the driver - we're no longer prepared to handle them.
      
      The race condition actually did not exist when commit 0650bf52
      ("net: dsa: be compatible with masters which unregister on shutdown")
      first introduced dsa_switch_shutdown(). It was created later, when we
      stopped unregistering the user interfaces from a bad spot, and we just
      replaced that sequence with a racy zeroization of conduit->dsa_ptr
      (one which doesn't ensure that the interfaces aren't up).
      Reported-by: default avatarAlexander Sverdlin <alexander.sverdlin@siemens.com>
      Closes: https://lore.kernel.org/netdev/2d2e3bba17203c14a5ffdabc174e3b6bbb9ad438.camel@siemens.com/
      Closes: https://lore.kernel.org/netdev/c1bf4de54e829111e0e4a70e7bd1cf523c9550ff.camel@siemens.com/
      Fixes: ee534378 ("net: dsa: fix panic when DSA master device unbinds on shutdown")
      Reviewed-by: default avatarAlexander Sverdlin <alexander.sverdlin@siemens.com>
      Tested-by: default avatarAlexander Sverdlin <alexander.sverdlin@siemens.com>
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://patch.msgid.link/20240913203549.3081071-1-vladimir.oltean@nxp.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      6c24a03a
  3. 27 Sep, 2024 8 commits
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE · b25e11f9
      Luiz Augusto von Dentz authored
      This aligned BR/EDR JUST_WORKS method with LE which since 92516cd9
      ("Bluetooth: Always request for user confirmation for Just Works")
      always request user confirmation with confirm_hint set since the
      likes of bluetoothd have dedicated policy around JUST_WORKS method
      (e.g. main.conf:JustWorksRepairing).
      
      CVE: CVE-2024-8805
      Cc: stable@vger.kernel.org
      Fixes: ba15a58b ("Bluetooth: Fix SSP acceptor just-works confirmation without MITM")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Tested-by: default avatarKiran K <kiran.k@intel.com>
      b25e11f9
    • Jinjie Ruan's avatar
      Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() · 7b1ab460
      Jinjie Ruan authored
      disable_irq() after request_irq() still has a time gap in which
      interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
      disable IRQ auto-enable when request IRQ.
      
      Fixes: bb7f4f0b ("btmrvl: add platform specific wakeup interrupt support")
      Signed-off-by: default avatarJinjie Ruan <ruanjinjie@huawei.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      7b1ab460
    • Luiz Augusto von Dentz's avatar
      Bluetooth: L2CAP: Fix uaf in l2cap_connect · 333b4fd1
      Luiz Augusto von Dentz authored
      [Syzbot reported]
      BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
      Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54
      
      CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220ee #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
      Workqueue: hci2 hci_rx_work
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:93 [inline]
       dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
       print_address_description mm/kasan/report.c:377 [inline]
       print_report+0xc3/0x620 mm/kasan/report.c:488
       kasan_report+0xd9/0x110 mm/kasan/report.c:601
       l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
       l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
       l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
       l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
       l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
       l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
       hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
       hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
       process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
       process_scheduled_works kernel/workqueue.c:3312 [inline]
       worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
       kthread+0x2c1/0x3a0 kernel/kthread.c:389
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
      ...
      
      Freed by task 5245:
       kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
       kasan_save_track+0x14/0x30 mm/kasan/common.c:68
       kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
       poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
       __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
       kasan_slab_free include/linux/kasan.h:184 [inline]
       slab_free_hook mm/slub.c:2256 [inline]
       slab_free mm/slub.c:4477 [inline]
       kfree+0x12a/0x3b0 mm/slub.c:4598
       l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
       kref_put include/linux/kref.h:65 [inline]
       l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
       l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
       l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
       hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
       hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
       hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
       abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
       hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
       process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
       process_scheduled_works kernel/workqueue.c:3312 [inline]
       worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
       kthread+0x2c1/0x3a0 kernel/kthread.c:389
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
      
      Reported-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com
      Tested-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c
      Fixes: 7b064eda ("Bluetooth: Fix authentication if acl data comes before remote feature evt")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      333b4fd1
    • Luiz Augusto von Dentz's avatar
      Bluetooth: MGMT: Fix possible crash on mgmt_index_removed · f53e1c9c
      Luiz Augusto von Dentz authored
      If mgmt_index_removed is called while there are commands queued on
      cmd_sync it could lead to crashes like the bellow trace:
      
      0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc
      0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth]
      0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth]
      0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth]
      
      So while handling mgmt_index_removed this attempts to dequeue
      commands passed as user_data to cmd_sync.
      
      Fixes: 7cf5c297 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
      Reported-by: default avatarjiaymao <quic_jiaymao@quicinc.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      f53e1c9c
    • zhang jiao's avatar
      selftests: netfilter: Add missing return value · 10dbd236
      zhang jiao authored
      There is no return value in count_entries, just add it.
      
      Fixes: eff3c558 ("netfilter: ctnetlink: support filtering by zone")
      Signed-off-by: default avatarzhang jiao <zhangjiao2@cmss.chinamobile.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      10dbd236
    • Eric Dumazet's avatar
      netfilter: nf_tables: prevent nf_skb_duplicated corruption · 92ceba94
      Eric Dumazet authored
      syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
      per-cpu variable nf_skb_duplicated in an unsafe way [1].
      
      Disabling preemption as hinted by the splat is not enough,
      we have to disable soft interrupts as well.
      
      [1]
      BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
       caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
      CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622f #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
      Call Trace:
       <TASK>
        __dump_stack lib/dump_stack.c:93 [inline]
        dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
        check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
        nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
        nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
        expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
        nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
        nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
        nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
        nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
        nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
        NF_HOOK_COND include/linux/netfilter.h:302 [inline]
        ip_output+0x185/0x230 net/ipv4/ip_output.c:433
        ip_local_out net/ipv4/ip_output.c:129 [inline]
        ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
        udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
        udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg+0x1a6/0x270 net/socket.c:745
        ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
        ___sys_sendmsg net/socket.c:2651 [inline]
        __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
        __do_sys_sendmmsg net/socket.c:2766 [inline]
        __se_sys_sendmmsg net/socket.c:2763 [inline]
        __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      RIP: 0033:0x7f4ce4f7def9
      Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
      RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
      RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68
       </TASK>
      
      Fixes: d877f071 ("netfilter: nf_tables: add nft_dup expression")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      92ceba94
    • Phil Sutter's avatar
      selftests: netfilter: Fix nft_audit.sh for newer nft binaries · 8a890156
      Phil Sutter authored
      As a side-effect of nftables' commit dbff26bfba833 ("cache: consolidate
      reset command"), audit logs changed when more objects were reset than
      fit into a single netlink message.
      
      Since the objects' distribution in netlink messages is not relevant,
      implement a summarizing function which combines repeated audit logs into
      a single one with summed up 'entries=' value.
      
      Fixes: 203bb9d3 ("selftests: netfilter: Extend nft_audit.sh")
      Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      8a890156
    • Jinjie Ruan's avatar
      net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() · d505d359
      Jinjie Ruan authored
      It's important to undo pm_runtime_use_autosuspend() with
      pm_runtime_dont_use_autosuspend() at driver exit time.
      
      But the pm_runtime_disable() and pm_runtime_dont_use_autosuspend()
      is missing in the error path for bam_dmux_probe(). So add it.
      
      Found by code review. Compile-tested only.
      
      Fixes: 21a0ffd9 ("net: wwan: Add Qualcomm BAM-DMUX WWAN network driver")
      Suggested-by: default avatarStephan Gerhold <stephan.gerhold@linaro.org>
      Signed-off-by: default avatarJinjie Ruan <ruanjinjie@huawei.com>
      Reviewed-by: default avatarStephan Gerhold <stephan.gerhold@linaro.org>
      Reviewed-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d505d359