1. 01 Feb, 2023 1 commit
  2. 31 Jan, 2023 5 commits
  3. 30 Jan, 2023 3 commits
    • Colin Foster's avatar
      net: phy: fix null dereference in phy_attach_direct · 73a87602
      Colin Foster authored
      Commit bc66fa87 ("net: phy: Add link between phy dev and mac dev")
      introduced a link between net devices and phy devices. It fails to check
      whether dev is NULL, leading to a NULL dereference error.
      
      Fixes: bc66fa87 ("net: phy: Add link between phy dev and mac dev")
      Signed-off-by: default avatarColin Foster <colin.foster@in-advantage.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      73a87602
    • Hyunwoo Kim's avatar
      netrom: Fix use-after-free caused by accept on already connected socket · 61179292
      Hyunwoo Kim authored
      If you call listen() and accept() on an already connect()ed
      AF_NETROM socket, accept() can successfully connect.
      This is because when the peer socket sends data to sendmsg,
      the skb with its own sk stored in the connected socket's
      sk->sk_receive_queue is connected, and nr_accept() dequeues
      the skb waiting in the sk->sk_receive_queue.
      
      As a result, nr_accept() allocates and returns a sock with
      the sk of the parent AF_NETROM socket.
      
      And here use-after-free can happen through complex race conditions:
      ```
                        cpu0                                                     cpu1
                                                                     1. socket_2 = socket(AF_NETROM)
                                                                              .
                                                                              .
                                                                        listen(socket_2)
                                                                        accepted_socket = accept(socket_2)
             2. socket_1 = socket(AF_NETROM)
                  nr_create()    // sk refcount : 1
                connect(socket_1)
                                                                     3. write(accepted_socket)
                                                                          nr_sendmsg()
                                                                          nr_output()
                                                                          nr_kick()
                                                                          nr_send_iframe()
                                                                          nr_transmit_buffer()
                                                                          nr_route_frame()
                                                                          nr_loopback_queue()
                                                                          nr_loopback_timer()
                                                                          nr_rx_frame()
                                                                          nr_process_rx_frame(sk, skb);    // sk : socket_1's sk
                                                                          nr_state3_machine()
                                                                          nr_queue_rx_frame()
                                                                          sock_queue_rcv_skb()
                                                                          sock_queue_rcv_skb_reason()
                                                                          __sock_queue_rcv_skb()
                                                                          __skb_queue_tail(list, skb);    // list : socket_1's sk->sk_receive_queue
             4. listen(socket_1)
                  nr_listen()
                uaf_socket = accept(socket_1)
                  nr_accept()
                  skb_dequeue(&sk->sk_receive_queue);
                                                                     5. close(accepted_socket)
                                                                          nr_release()
                                                                          nr_write_internal(sk, NR_DISCREQ)
                                                                          nr_transmit_buffer()    // NR_DISCREQ
                                                                          nr_route_frame()
                                                                          nr_loopback_queue()
                                                                          nr_loopback_timer()
                                                                          nr_rx_frame()    // sk : socket_1's sk
                                                                          nr_process_rx_frame()  // NR_STATE_3
                                                                          nr_state3_machine()    // NR_DISCREQ
                                                                          nr_disconnect()
                                                                          nr_sk(sk)->state = NR_STATE_0;
             6. close(socket_1)    // sk refcount : 3
                  nr_release()    // NR_STATE_0
                  sock_put(sk);    // sk refcount : 0
                  sk_free(sk);
                close(uaf_socket)
                  nr_release()
                  sock_hold(sk);    // UAF
      ```
      
      KASAN report by syzbot:
      ```
      BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520
      Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128
      
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
       print_address_description mm/kasan/report.c:306 [inline]
       print_report+0x15e/0x461 mm/kasan/report.c:417
       kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
       check_region_inline mm/kasan/generic.c:183 [inline]
       kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
       instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
       atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
       __refcount_add include/linux/refcount.h:193 [inline]
       __refcount_inc include/linux/refcount.h:250 [inline]
       refcount_inc include/linux/refcount.h:267 [inline]
       sock_hold include/net/sock.h:775 [inline]
       nr_release+0x66/0x460 net/netrom/af_netrom.c:520
       __sock_release+0xcd/0x280 net/socket.c:650
       sock_close+0x1c/0x20 net/socket.c:1365
       __fput+0x27c/0xa90 fs/file_table.c:320
       task_work_run+0x16f/0x270 kernel/task_work.c:179
       exit_task_work include/linux/task_work.h:38 [inline]
       do_exit+0xaa8/0x2950 kernel/exit.c:867
       do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
       get_signal+0x21c3/0x2450 kernel/signal.c:2859
       arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
       exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
       exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
       __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
       syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
       do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7f6c19e3c9b9
      Code: Unable to access opcode bytes at 0x7f6c19e3c98f.
      RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
      RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9
      RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006
      RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d
      R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0
      R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000
       </TASK>
      
      Allocated by task 5128:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       ____kasan_kmalloc mm/kasan/common.c:371 [inline]
       ____kasan_kmalloc mm/kasan/common.c:330 [inline]
       __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
       kasan_kmalloc include/linux/kasan.h:211 [inline]
       __do_kmalloc_node mm/slab_common.c:968 [inline]
       __kmalloc+0x5a/0xd0 mm/slab_common.c:981
       kmalloc include/linux/slab.h:584 [inline]
       sk_prot_alloc+0x140/0x290 net/core/sock.c:2038
       sk_alloc+0x3a/0x7a0 net/core/sock.c:2091
       nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433
       __sock_create+0x359/0x790 net/socket.c:1515
       sock_create net/socket.c:1566 [inline]
       __sys_socket_create net/socket.c:1603 [inline]
       __sys_socket_create net/socket.c:1588 [inline]
       __sys_socket+0x133/0x250 net/socket.c:1636
       __do_sys_socket net/socket.c:1649 [inline]
       __se_sys_socket net/socket.c:1647 [inline]
       __x64_sys_socket+0x73/0xb0 net/socket.c:1647
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Freed by task 5128:
       kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
       kasan_set_track+0x25/0x30 mm/kasan/common.c:52
       kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518
       ____kasan_slab_free mm/kasan/common.c:236 [inline]
       ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200
       kasan_slab_free include/linux/kasan.h:177 [inline]
       __cache_free mm/slab.c:3394 [inline]
       __do_kmem_cache_free mm/slab.c:3580 [inline]
       __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587
       sk_prot_free net/core/sock.c:2074 [inline]
       __sk_destruct+0x5df/0x750 net/core/sock.c:2166
       sk_destruct net/core/sock.c:2181 [inline]
       __sk_free+0x175/0x460 net/core/sock.c:2192
       sk_free+0x7c/0xa0 net/core/sock.c:2203
       sock_put include/net/sock.h:1991 [inline]
       nr_release+0x39e/0x460 net/netrom/af_netrom.c:554
       __sock_release+0xcd/0x280 net/socket.c:650
       sock_close+0x1c/0x20 net/socket.c:1365
       __fput+0x27c/0xa90 fs/file_table.c:320
       task_work_run+0x16f/0x270 kernel/task_work.c:179
       exit_task_work include/linux/task_work.h:38 [inline]
       do_exit+0xaa8/0x2950 kernel/exit.c:867
       do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
       get_signal+0x21c3/0x2450 kernel/signal.c:2859
       arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
       exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
       exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
       __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
       syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
       do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      ```
      
      To fix this issue, nr_listen() returns -EINVAL for sockets that
      successfully nr_connect().
      
      Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarHyunwoo Kim <v4bel@theori.io>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61179292
    • Andrey Konovalov's avatar
      net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC · 54aa39a5
      Andrey Konovalov authored
      Currently in phy_init_eee() the driver unconditionally configures the PHY
      to stop RX_CLK after entering Rx LPI state. This causes an LPI interrupt
      storm on my qcs404-base board.
      
      Change the PHY initialization so that for "qcom,qcs404-ethqos" compatible
      device RX_CLK continues to run even in Rx LPI state.
      Signed-off-by: default avatarAndrey Konovalov <andrey.konovalov@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      54aa39a5
  4. 28 Jan, 2023 18 commits
  5. 27 Jan, 2023 3 commits
  6. 26 Jan, 2023 6 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 28b4387f
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from netfilter.
      
        Current release - regressions:
      
         - sched: sch_taprio: do not schedule in taprio_reset()
      
        Previous releases - regressions:
      
         - core: fix UaF in netns ops registration error path
      
         - ipv4: prevent potential spectre v1 gadgets
      
         - ipv6: fix reachability confirmation with proxy_ndp
      
         - netfilter: fix for the set rbtree
      
         - eth: fec: use page_pool_put_full_page when freeing rx buffers
      
         - eth: iavf: fix temporary deadlock and failure to set MAC address
      
        Previous releases - always broken:
      
         - netlink: prevent potential spectre v1 gadgets
      
         - netfilter: fixes for SCTP connection tracking
      
         - mctp: struct sock lifetime fixes
      
         - eth: ravb: fix possible hang if RIS2_QFF1 happen
      
         - eth: tg3: resolve deadlock in tg3_reset_task() during EEH
      
        Misc:
      
         - Mat stepped out as MPTCP co-maintainer"
      
      * tag 'net-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (40 commits)
        net: mdio-mux-meson-g12a: force internal PHY off on mux switch
        docs: networking: Fix bridge documentation URL
        tsnep: Fix TX queue stop/wake for multiple queues
        net/tg3: resolve deadlock in tg3_reset_task() during EEH
        net: mctp: mark socks as dead on unhash, prevent re-add
        net: mctp: hold key reference when looking up a general key
        net: mctp: move expiry timer delete to unhash
        net: mctp: add an explicit reference from a mctp_sk_key to sock
        net: ravb: Fix possible hang if RIS2_QFF1 happen
        net: ravb: Fix lack of register setting after system resumed for Gen3
        net/x25: Fix to not accept on connected socket
        ice: move devlink port creation/deletion
        sctp: fail if no bound addresses can be used for a given scope
        net/sched: sch_taprio: do not schedule in taprio_reset()
        Revert "Merge branch 'ethtool-mac-merge'"
        netrom: Fix use-after-free of a listening socket.
        netfilter: conntrack: unify established states for SCTP paths
        Revert "netfilter: conntrack: add sctp DATA_SENT state"
        netfilter: conntrack: fix bug in for_each_sctp_chunk
        netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE
        ...
      28b4387f
    • Linus Torvalds's avatar
      treewide: fix up files incorrectly marked executable · 262b42e0
      Linus Torvalds authored
      I'm not exactly clear on what strange workflow causes people to do it,
      but clearly occasionally some files end up being committed as executable
      even though they clearly aren't.
      
      This is a reprise of commit 90fda63f ("treewide: fix up files
      incorrectly marked executable"), just with a different set of files (but
      with the same trivial shell scripting).
      
      So apparently we need to re-do this every five years or so, and Joe
      needs to just keep reminding me to do so ;)
      Reported-by: default avatarJoe Perches <joe@perches.com>
      Fixes: 523375c9 ("drm/vmwgfx: Port vmwgfx to arm64")
      Fixes: 5c439937 ("ASoC: codecs: add support for ES8326")
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      262b42e0
    • Jerome Brunet's avatar
      net: mdio-mux-meson-g12a: force internal PHY off on mux switch · 7083df59
      Jerome Brunet authored
      Force the internal PHY off then on when switching to the internal path.
      This fixes problems where the PHY ID is not properly set.
      
      Fixes: 70904251 ("net: phy: add amlogic g12a mdio mux support")
      Suggested-by: default avatarQi Duan <qi.duan@amlogic.com>
      Co-developed-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarJerome Brunet <jbrunet@baylibre.com>
      Link: https://lore.kernel.org/r/20230124101157.232234-1-jbrunet@baylibre.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7083df59
    • Ivan Vecera's avatar
    • Gerhard Engleder's avatar
      tsnep: Fix TX queue stop/wake for multiple queues · 3d53aaef
      Gerhard Engleder authored
      netif_stop_queue() and netif_wake_queue() act on TX queue 0. This is ok
      as long as only a single TX queue is supported. But support for multiple
      TX queues was introduced with 76203137 and I missed to adapt stop
      and wake of TX queues.
      
      Use netif_stop_subqueue() and netif_tx_wake_queue() to act on specific
      TX queue.
      
      Fixes: 76203137 ("tsnep: Support multiple TX/RX queue pairs")
      Signed-off-by: default avatarGerhard Engleder <gerhard@engleder-embedded.com>
      Link: https://lore.kernel.org/r/20230124191440.56887-1-gerhard@engleder-embedded.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3d53aaef
    • David Christensen's avatar
      net/tg3: resolve deadlock in tg3_reset_task() during EEH · 6c4ca03b
      David Christensen authored
      During EEH error injection testing, a deadlock was encountered in the tg3
      driver when tg3_io_error_detected() was attempting to cancel outstanding
      reset tasks:
      
      crash> foreach UN bt
      ...
      PID: 159    TASK: c0000000067c6000  CPU: 8   COMMAND: "eehd"
      ...
       #5 [c00000000681f990] __cancel_work_timer at c00000000019fd18
       #6 [c00000000681fa30] tg3_io_error_detected at c00800000295f098 [tg3]
       #7 [c00000000681faf0] eeh_report_error at c00000000004e25c
      ...
      
      PID: 290    TASK: c000000036e5f800  CPU: 6   COMMAND: "kworker/6:1"
      ...
       #4 [c00000003721fbc0] rtnl_lock at c000000000c940d8
       #5 [c00000003721fbe0] tg3_reset_task at c008000002969358 [tg3]
       #6 [c00000003721fc60] process_one_work at c00000000019e5c4
      ...
      
      PID: 296    TASK: c000000037a65800  CPU: 21  COMMAND: "kworker/21:1"
      ...
       #4 [c000000037247bc0] rtnl_lock at c000000000c940d8
       #5 [c000000037247be0] tg3_reset_task at c008000002969358 [tg3]
       #6 [c000000037247c60] process_one_work at c00000000019e5c4
      ...
      
      PID: 655    TASK: c000000036f49000  CPU: 16  COMMAND: "kworker/16:2"
      ...:1
      
       #4 [c0000000373ebbc0] rtnl_lock at c000000000c940d8
       #5 [c0000000373ebbe0] tg3_reset_task at c008000002969358 [tg3]
       #6 [c0000000373ebc60] process_one_work at c00000000019e5c4
      ...
      
      Code inspection shows that both tg3_io_error_detected() and
      tg3_reset_task() attempt to acquire the RTNL lock at the beginning of
      their code blocks.  If tg3_reset_task() should happen to execute between
      the times when tg3_io_error_deteced() acquires the RTNL lock and
      tg3_reset_task_cancel() is called, a deadlock will occur.
      
      Moving tg3_reset_task_cancel() call earlier within the code block, prior
      to acquiring RTNL, prevents this from happening, but also exposes another
      deadlock issue where tg3_reset_task() may execute AFTER
      tg3_io_error_detected() has executed:
      
      crash> foreach UN bt
      PID: 159    TASK: c0000000067d2000  CPU: 9   COMMAND: "eehd"
      ...
       #4 [c000000006867a60] rtnl_lock at c000000000c940d8
       #5 [c000000006867a80] tg3_io_slot_reset at c0080000026c2ea8 [tg3]
       #6 [c000000006867b00] eeh_report_reset at c00000000004de88
      ...
      PID: 363    TASK: c000000037564000  CPU: 6   COMMAND: "kworker/6:1"
      ...
       #3 [c000000036c1bb70] msleep at c000000000259e6c
       #4 [c000000036c1bba0] napi_disable at c000000000c6b848
       #5 [c000000036c1bbe0] tg3_reset_task at c0080000026d942c [tg3]
       #6 [c000000036c1bc60] process_one_work at c00000000019e5c4
      ...
      
      This issue can be avoided by aborting tg3_reset_task() if EEH error
      recovery is already in progress.
      
      Fixes: db84bf43 ("tg3: tg3_reset_task() needs to use rtnl_lock to synchronize")
      Signed-off-by: default avatarDavid Christensen <drc@linux.vnet.ibm.com>
      Reviewed-by: default avatarPavan Chebbi <pavan.chebbi@broadcom.com>
      Link: https://lore.kernel.org/r/20230124185339.225806-1-drc@linux.vnet.ibm.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6c4ca03b
  7. 25 Jan, 2023 4 commits
    • Linus Torvalds's avatar
      Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping · 7c46948a
      Linus Torvalds authored
      Pull fuse ACL fix from Christian Brauner:
       "The new posix acl API doesn't depend on the xattr handler
        infrastructure anymore and instead only relies on the posix acl inode
        operations. As a result daemons without FUSE_POSIX_ACL are unable to
        use posix acls like they used to.
      
        Fix this by copying what we did for overlayfs during the posix acl api
        conversion. Make fuse implement a dedicated ->get_inode_acl() method
        as does overlayfs. Fuse can then also uses this to express different
        needs for vfs permission checking during lookup and acl based
        retrieval via the regular system call path.
      
        This allows fuse to continue to refuse retrieving posix acls for
        daemons that don't set FUSE_POSXI_ACL for permission checking while
        also allowing a fuse server to retrieve it via the usual system calls"
      
      * tag 'fs.fuse.acl.v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping:
        fuse: fixes after adapting to new posix acl api
      7c46948a
    • David S. Miller's avatar
      Merge branch 'mptcp-fixes' · ac8d986c
      David S. Miller authored
      Jeremy Kerr says:
      
      ====================
      net: mctp: struct sock lifetime fixes
      
      This series is a set of fixes for the sock lifetime handling in the
      AF_MCTP code, fixing a uaf reported by Noam Rathaus
      <noamr@ssd-disclosure.com>.
      
      The Fixes: tags indicate the original patches affected, but some
      tweaking to backport to those commits may be needed; I have a separate
      branch with backports to 5.15 if that helps with stable trees.
      
      Of course, any comments/queries most welcome.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac8d986c
    • Jeremy Kerr's avatar
      net: mctp: mark socks as dead on unhash, prevent re-add · b98e1a04
      Jeremy Kerr authored
      Once a socket has been unhashed, we want to prevent it from being
      re-used in a sk_key entry as part of a routing operation.
      
      This change marks the sk as SOCK_DEAD on unhash, which prevents addition
      into the net's key list.
      
      We need to do this during the key add path, rather than key lookup, as
      we release the net keys_lock between those operations.
      
      Fixes: 4a992bbd ("mctp: Implement message fragmentation & reassembly")
      Signed-off-by: default avatarJeremy Kerr <jk@codeconstruct.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b98e1a04
    • Paolo Abeni's avatar
      net: mctp: hold key reference when looking up a general key · 6e54ea37
      Paolo Abeni authored
      Currently, we have a race where we look up a sock through a "general"
      (ie, not directly associated with the (src,dest,tag) tuple) key, then
      drop the key reference while still holding the key's sock.
      
      This change expands the key reference until we've finished using the
      sock, and hence the sock reference too.
      
      Commit message changes from Jeremy Kerr <jk@codeconstruct.com.au>.
      Reported-by: default avatarNoam Rathaus <noamr@ssd-disclosure.com>
      Fixes: 73c61845 ("mctp: locking, lifetime and validity changes for sk_keys")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarJeremy Kerr <jk@codeconstruct.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e54ea37