1. 10 Aug, 2023 4 commits
    • Xu Kuohai's avatar
      selftests/bpf: fix a CI failure caused by vsock sockmap test · 90f0074c
      Xu Kuohai authored
      BPF CI has reported the following failure:
      
      Error: #200/79 sockmap_listen/sockmap VSOCK test_vsock_redir
        Error: #200/79 sockmap_listen/sockmap VSOCK test_vsock_redir
        ./test_progs:vsock_unix_redir_connectible:1506: egress: write: Transport endpoint is not connected
        vsock_unix_redir_connectible:FAIL:1506
        ./test_progs:vsock_unix_redir_connectible:1506: ingress: write: Transport endpoint is not connected
        vsock_unix_redir_connectible:FAIL:1506
        ./test_progs:vsock_unix_redir_connectible:1506: egress: write: Transport endpoint is not connected
        vsock_unix_redir_connectible:FAIL:1506
        ./test_progs:vsock_unix_redir_connectible:1514: ingress: recv() err, errno=11
        vsock_unix_redir_connectible:FAIL:1514
        ./test_progs:vsock_unix_redir_connectible:1518: ingress: vsock socket map failed, a != b
        vsock_unix_redir_connectible:FAIL:1518
        ./test_progs:vsock_unix_redir_connectible:1525: ingress: want pass count 1, have 0
      
      It’s because the recv(... MSG_DONTWAIT) syscall in the test case is
      called before the queued work sk_psock_backlog() in the kernel finishes
      executing. So the data to be read is still queued in psock->ingress_skb
      and cannot be read by the user program. Therefore, the non-blocking
      recv() reads nothing and reports an EAGAIN error.
      
      So replace recv(... MSG_DONTWAIT) with xrecv_nonblock(), which calls
      select() to wait for data to be readable or timeout before calls recv().
      
      Fixes: d61bd8c1 ("selftests/bpf: add a test case for vsock sockmap")
      Signed-off-by: default avatarXu Kuohai <xukuohai@huawei.com>
      Link: https://lore.kernel.org/r/20230804073740.194770-4-xukuohai@huaweicloud.comSigned-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
      90f0074c
    • Xu Kuohai's avatar
      bpf, sockmap: Fix bug that strp_done cannot be called · 809e4dc7
      Xu Kuohai authored
      strp_done is only called when psock->progs.stream_parser is not NULL,
      but stream_parser was set to NULL by sk_psock_stop_strp(), called
      by sk_psock_drop() earlier. So, strp_done can never be called.
      
      Introduce SK_PSOCK_RX_ENABLED to mark whether there is strp on psock.
      Change the condition for calling strp_done from judging whether
      stream_parser is set to judging whether this flag is set. This flag is
      only set once when strp_init() succeeds, and will never be cleared later.
      
      Fixes: c0d95d33 ("bpf, sockmap: Re-evaluate proto ops when psock is removed from sockmap")
      Signed-off-by: default avatarXu Kuohai <xukuohai@huawei.com>
      Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/r/20230804073740.194770-3-xukuohai@huaweicloud.comSigned-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
      809e4dc7
    • Xu Kuohai's avatar
      bpf, sockmap: Fix map type error in sock_map_del_link · 7e96ec0e
      Xu Kuohai authored
      sock_map_del_link() operates on both SOCKMAP and SOCKHASH, although
      both types have member named "progs", the offset of "progs" member in
      these two types is different, so "progs" should be accessed with the
      real map type.
      
      Fixes: 604326b4 ("bpf, sockmap: convert to generic sk_msg interface")
      Signed-off-by: default avatarXu Kuohai <xukuohai@huawei.com>
      Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/r/20230804073740.194770-2-xukuohai@huaweicloud.comSigned-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
      7e96ec0e
    • Magnus Karlsson's avatar
      xsk: fix refcount underflow in error path · 85c2c79a
      Magnus Karlsson authored
      Fix a refcount underflow problem reported by syzbot that can happen
      when a system is running out of memory. If xp_alloc_tx_descs() fails,
      and it can only fail due to not having enough memory, then the error
      path is triggered. In this error path, the refcount of the pool is
      decremented as it has incremented before. However, the reference to
      the pool in the socket was not nulled. This means that when the socket
      is closed later, the socket teardown logic will think that there is a
      pool attached to the socket and try to decrease the refcount again,
      leading to a refcount underflow.
      
      I chose this fix as it involved adding just a single line. Another
      option would have been to move xp_get_pool() and the assignment of
      xs->pool to after the if-statement and using xs_umem->pool instead of
      xs->pool in the whole if-statement resulting in somewhat simpler code,
      but this would have led to much more churn in the code base perhaps
      making it harder to backport.
      
      Fixes: ba3beec2 ("xsk: Fix possible crash when multiple sockets are created")
      Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com
      Signed-off-by: default avatarMagnus Karlsson <magnus.karlsson@intel.com>
      Link: https://lore.kernel.org/r/20230809142843.13944-1-magnus.karlsson@gmail.comSigned-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
      85c2c79a
  2. 03 Aug, 2023 23 commits
  3. 02 Aug, 2023 11 commits
    • Linus Torvalds's avatar
      Merge tag 'exfat-for-6.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat · 4b954598
      Linus Torvalds authored
      Pull exfat fixes from Namjae Jeon:
      
       - Fix page allocation failure from allocation bitmap by using
         kvmalloc_array/kvfree
      
       - Add the check to validate if filename entries exceeds max filename
         length
      
       - Fix potential deadlock condition from dir_emit*()
      
      * tag 'exfat-for-6.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat:
        exfat: release s_lock before calling dir_emit()
        exfat: check if filename entries exceeds max filename length
        exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree
      4b954598
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 79d65ee5
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Three small fixes, all in drivers"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: pm80xx: Fix error return code in pm8001_pci_probe()
        scsi: zfcp: Defer fc_rport blocking until after ADISC response
        scsi: storvsc: Limit max_sectors for virtual Fibre Channel devices
      79d65ee5
    • ndesaulniers@google.com's avatar
      word-at-a-time: use the same return type for has_zero regardless of endianness · 79e8328e
      ndesaulniers@google.com authored
      Compiling big-endian targets with Clang produces the diagnostic:
      
        fs/namei.c:2173:13: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical]
      	} while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants)));
      	          ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                                     ||
        fs/namei.c:2173:13: note: cast one or both operands to int to silence this warning
      
      It appears that when has_zero was introduced, two definitions were
      produced with different signatures (in particular different return
      types).
      
      Looking at the usage in hash_name() in fs/namei.c, I suspect that
      has_zero() is meant to be invoked twice per while loop iteration; using
      logical-or would not update `bdata` when `a` did not have zeros.  So I
      think it's preferred to always return an unsigned long rather than a
      bool than update the while loop in hash_name() to use a logical-or
      rather than bitwise-or.
      
      [ Also changed powerpc version to do the same  - Linus ]
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/1832
      Link: https://lore.kernel.org/lkml/20230801-bitwise-v1-1-799bec468dc4@google.com/
      Fixes: 36126f8f ("word-at-a-time: make the interfaces truly generic")
      Debugged-by: default avatarNathan Chancellor <nathan@kernel.org>
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Acked-by: default avatarHeiko Carstens <hca@linux.ibm.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      79e8328e
    • Hans de Goede's avatar
      wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1() · 16e455a4
      Hans de Goede authored
      Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
      a backtrace caused by the following field-spanning warning:
      
      memcpy: detected field-spanning write (size 120) of single field
        "&params_le->channel_list[0]" at
        drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
      
      The driver still works after this warning. The warning was introduced by the
      new field-spanning write checks which were enabled recently.
      
      Fix this by replacing the channel_list[1] declaration at the end of
      the struct with a flexible array declaration.
      
      Most users of struct brcmf_scan_params_le calculate the size to alloc
      using the size of the non flex-array part of the struct + needed extra
      space, so they do not care about sizeof(struct brcmf_scan_params_le).
      
      brcmf_notify_escan_complete() however uses the struct on the stack,
      expecting there to be room for at least 1 entry in the channel-list
      to store the special -1 abort channel-id.
      
      To make this work use an anonymous union with a padding member
      added + the actual channel_list flexible array.
      
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarFranky Lin <franky.lin@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20230729140500.27892-1-hdegoede@redhat.com
      16e455a4
    • Benjamin Poirier's avatar
      vxlan: Fix nexthop hash size · 0756384f
      Benjamin Poirier authored
      The nexthop code expects a 31 bit hash, such as what is returned by
      fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash
      returned by skb_get_hash() can lead to problems related to the fact that
      'int hash' is a negative number when the MSB is set.
      
      In the case of hash threshold nexthop groups, nexthop_select_path_hthr()
      will disproportionately select the first nexthop group entry. In the case
      of resilient nexthop groups, nexthop_select_path_res() may do an out of
      bounds access in nh_buckets[], for example:
          hash = -912054133
          num_nh_buckets = 2
          bucket_index = 65535
      
      which leads to the following panic:
      
      BUG: unable to handle page fault for address: ffffc900025910c8
      PGD 100000067 P4D 100000067 PUD 10026b067 PMD 0
      Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
      CPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
      Workqueue: ipv6_addrconf addrconf_dad_work
      RIP: 0010:nexthop_select_path+0x197/0xbf0
      Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85
      RSP: 0018:ffff88810c36f260 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77
      RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8
      RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219
      R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0
      R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900
      FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0
      PKRU: 55555554
      Call Trace:
       <TASK>
       ? __die+0x23/0x70
       ? page_fault_oops+0x1ee/0x5c0
       ? __pfx_is_prefetch.constprop.0+0x10/0x10
       ? __pfx_page_fault_oops+0x10/0x10
       ? search_bpf_extables+0xfe/0x1c0
       ? fixup_exception+0x3b/0x470
       ? exc_page_fault+0xf6/0x110
       ? asm_exc_page_fault+0x26/0x30
       ? nexthop_select_path+0x197/0xbf0
       ? nexthop_select_path+0x197/0xbf0
       ? lock_is_held_type+0xe7/0x140
       vxlan_xmit+0x5b2/0x2340
       ? __lock_acquire+0x92b/0x3370
       ? __pfx_vxlan_xmit+0x10/0x10
       ? __pfx___lock_acquire+0x10/0x10
       ? __pfx_register_lock_class+0x10/0x10
       ? skb_network_protocol+0xce/0x2d0
       ? dev_hard_start_xmit+0xca/0x350
       ? __pfx_vxlan_xmit+0x10/0x10
       dev_hard_start_xmit+0xca/0x350
       __dev_queue_xmit+0x513/0x1e20
       ? __pfx___dev_queue_xmit+0x10/0x10
       ? __pfx_lock_release+0x10/0x10
       ? mark_held_locks+0x44/0x90
       ? skb_push+0x4c/0x80
       ? eth_header+0x81/0xe0
       ? __pfx_eth_header+0x10/0x10
       ? neigh_resolve_output+0x215/0x310
       ? ip6_finish_output2+0x2ba/0xc90
       ip6_finish_output2+0x2ba/0xc90
       ? lock_release+0x236/0x3e0
       ? ip6_mtu+0xbb/0x240
       ? __pfx_ip6_finish_output2+0x10/0x10
       ? find_held_lock+0x83/0xa0
       ? lock_is_held_type+0xe7/0x140
       ip6_finish_output+0x1ee/0x780
       ip6_output+0x138/0x460
       ? __pfx_ip6_output+0x10/0x10
       ? __pfx___lock_acquire+0x10/0x10
       ? __pfx_ip6_finish_output+0x10/0x10
       NF_HOOK.constprop.0+0xc0/0x420
       ? __pfx_NF_HOOK.constprop.0+0x10/0x10
       ? ndisc_send_skb+0x2c0/0x960
       ? __pfx_lock_release+0x10/0x10
       ? __local_bh_enable_ip+0x93/0x110
       ? lock_is_held_type+0xe7/0x140
       ndisc_send_skb+0x4be/0x960
       ? __pfx_ndisc_send_skb+0x10/0x10
       ? mark_held_locks+0x65/0x90
       ? find_held_lock+0x83/0xa0
       ndisc_send_ns+0xb0/0x110
       ? __pfx_ndisc_send_ns+0x10/0x10
       addrconf_dad_work+0x631/0x8e0
       ? lock_acquire+0x180/0x3f0
       ? __pfx_addrconf_dad_work+0x10/0x10
       ? mark_held_locks+0x24/0x90
       process_one_work+0x582/0x9c0
       ? __pfx_process_one_work+0x10/0x10
       ? __pfx_do_raw_spin_lock+0x10/0x10
       ? mark_held_locks+0x24/0x90
       worker_thread+0x93/0x630
       ? __kthread_parkme+0xdc/0x100
       ? __pfx_worker_thread+0x10/0x10
       kthread+0x1a5/0x1e0
       ? __pfx_kthread+0x10/0x10
       ret_from_fork+0x34/0x60
       ? __pfx_kthread+0x10/0x10
       ret_from_fork_asm+0x1b/0x30
      RIP: 0000:0x0
      Code: Unable to access opcode bytes at 0xffffffffffffffd6.
      RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       </TASK>
      Modules linked in:
      CR2: ffffc900025910c8
      ---[ end trace 0000000000000000 ]---
      RIP: 0010:nexthop_select_path+0x197/0xbf0
      Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85
      RSP: 0018:ffff88810c36f260 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77
      RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8
      RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219
      R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0
      R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900
      FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffffffffd6 CR3: 0000000129d00000 CR4: 0000000000750ee0
      PKRU: 55555554
      Kernel panic - not syncing: Fatal exception in interrupt
      Kernel Offset: 0x2ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Fix this problem by ensuring the MSB of hash is 0 using a right shift - the
      same approach used in fib_multipath_hash() and rt6_multipath_hash().
      
      Fixes: 1274e1cc ("vxlan: ecmp support for mac fdb entries")
      Signed-off-by: default avatarBenjamin Poirier <bpoirier@nvidia.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0756384f
    • Yue Haibing's avatar
      ip6mr: Fix skb_under_panic in ip6mr_cache_report() · 30e0191b
      Yue Haibing authored
      skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4
       head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg
       ------------[ cut here ]------------
       kernel BUG at net/core/skbuff.c:192!
       invalid opcode: 0000 [#1] PREEMPT SMP KASAN
       CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b #236
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
       Workqueue: ipv6_addrconf addrconf_dad_work
       RIP: 0010:skb_panic+0x152/0x1d0
       Call Trace:
        <TASK>
        skb_push+0xc4/0xe0
        ip6mr_cache_report+0xd69/0x19b0
        reg_vif_xmit+0x406/0x690
        dev_hard_start_xmit+0x17e/0x6e0
        __dev_queue_xmit+0x2d6a/0x3d20
        vlan_dev_hard_start_xmit+0x3ab/0x5c0
        dev_hard_start_xmit+0x17e/0x6e0
        __dev_queue_xmit+0x2d6a/0x3d20
        neigh_connected_output+0x3ed/0x570
        ip6_finish_output2+0x5b5/0x1950
        ip6_finish_output+0x693/0x11c0
        ip6_output+0x24b/0x880
        NF_HOOK.constprop.0+0xfd/0x530
        ndisc_send_skb+0x9db/0x1400
        ndisc_send_rs+0x12a/0x6c0
        addrconf_dad_completed+0x3c9/0xea0
        addrconf_dad_work+0x849/0x1420
        process_one_work+0xa22/0x16e0
        worker_thread+0x679/0x10c0
        ret_from_fork+0x28/0x60
        ret_from_fork_asm+0x11/0x20
      
      When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit().
      reg_vif_xmit()
          ip6mr_cache_report()
              skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4
      And skb_push declared as:
      	void *skb_push(struct sk_buff *skb, unsigned int len);
      		skb->data -= len;
      		//0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850
      skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails.
      
      Fixes: 14fb64e1 ("[IPV6] MROUTE: Support PIM-SM (SSM).")
      Signed-off-by: default avatarYue Haibing <yuehaibing@huawei.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30e0191b
    • Alexandra Winter's avatar
      s390/qeth: Don't call dev_close/dev_open (DOWN/UP) · 1cfef80d
      Alexandra Winter authored
      dev_close() and dev_open() are issued to change the interface state to DOWN
      or UP (dev->flags IFF_UP). When the netdev is set DOWN it loses e.g its
      Ipv6 addresses and routes. We don't want this in cases of device recovery
      (triggered by hardware or software) or when the qeth device is set
      offline.
      
      Setting a qeth device offline or online and device recovery actions call
      netif_device_detach() and/or netif_device_attach(). That will reset or
      set the LOWER_UP indication i.e. change the dev->state Bit
      __LINK_STATE_PRESENT. That is enough to e.g. cause bond failovers, and
      still preserves the interface settings that are handled by the network
      stack.
      
      Don't call dev_open() nor dev_close() from the qeth device driver. Let the
      network stack handle this.
      
      Fixes: d4560150 ("s390/qeth: call dev_close() during recovery")
      Signed-off-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1cfef80d
    • David S. Miller's avatar
      Merge branch 'tun-tap-uid' · 666c135b
      David S. Miller authored
      Laszlo Ersek says:
      
      ====================
      tun/tap: set sk_uid from current_fsuid()
      
      The original patches fixing CVE-2023-1076 are incorrect in my opinion.
      This small series fixes them up; see the individual commit messages for
      explanation.
      
      I have a very elaborate test procedure demonstrating the problem for
      both tun and tap; it involves libvirt, qemu, and "crash". I can share
      that procedure if necessary, but it's indeed quite long (I wrote it
      originally for our QE team).
      
      The patches in this series are supposed to "re-fix" CVE-2023-1076; given
      that said CVE is classified as Low Impact (CVSSv3=5.5), I'm posting this
      publicly, and not suggesting any embargo. Red Hat Product Security may
      assign a new CVE number later.
      
      I've tested the patches on top of v6.5-rc4, with "crash" built at commit
      c74f375e0ef7.
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Pietro Borrello <borrello@diag.uniroma1.it>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      666c135b
    • Laszlo Ersek's avatar
      net: tap_open(): set sk_uid from current_fsuid() · 5c9241f3
      Laszlo Ersek authored
      Commit 66b2c338 initializes the "sk_uid" field in the protocol socket
      (struct sock) from the "/dev/tapX" device node's owner UID. Per original
      commit 86741ec2 ("net: core: Add a UID field to struct sock.",
      2016-11-04), that's wrong: the idea is to cache the UID of the userspace
      process that creates the socket. Commit 86741ec2 mentions socket() and
      accept(); with "tap", the action that creates the socket is
      open("/dev/tapX").
      
      Therefore the device node's owner UID is irrelevant. In most cases,
      "/dev/tapX" will be owned by root, so in practice, commit 66b2c338 has
      no observable effect:
      
      - before, "sk_uid" would be zero, due to undefined behavior
        (CVE-2023-1076),
      
      - after, "sk_uid" would be zero, due to "/dev/tapX" being owned by root.
      
      What matters is the (fs)UID of the process performing the open(), so cache
      that in "sk_uid".
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Pietro Borrello <borrello@diag.uniroma1.it>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Fixes: 66b2c338 ("tap: tap_open(): correctly initialize socket uid")
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435Signed-off-by: default avatarLaszlo Ersek <lersek@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c9241f3
    • Laszlo Ersek's avatar
      net: tun_chr_open(): set sk_uid from current_fsuid() · 9bc30473
      Laszlo Ersek authored
      Commit a096ccca initializes the "sk_uid" field in the protocol socket
      (struct sock) from the "/dev/net/tun" device node's owner UID. Per
      original commit 86741ec2 ("net: core: Add a UID field to struct
      sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the
      userspace process that creates the socket. Commit 86741ec2 mentions
      socket() and accept(); with "tun", the action that creates the socket is
      open("/dev/net/tun").
      
      Therefore the device node's owner UID is irrelevant. In most cases,
      "/dev/net/tun" will be owned by root, so in practice, commit a096ccca
      has no observable effect:
      
      - before, "sk_uid" would be zero, due to undefined behavior
        (CVE-2023-1076),
      
      - after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root.
      
      What matters is the (fs)UID of the process performing the open(), so cache
      that in "sk_uid".
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Pietro Borrello <borrello@diag.uniroma1.it>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Fixes: a096ccca ("tun: tun_chr_open(): correctly initialize socket uid")
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435Signed-off-by: default avatarLaszlo Ersek <lersek@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9bc30473
    • Lin Ma's avatar
      net: dcb: choose correct policy to parse DCB_ATTR_BCN · 31d49ba0
      Lin Ma authored
      The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],
      which is introduced in commit 859ee3c4 ("DCB: Add support for DCB
      BCN"). Please see the comment in below code
      
      static int dcbnl_bcn_setcfg(...)
      {
        ...
        ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )
        // !!! dcbnl_pfc_up_nest for attributes
        //  DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
        ...
        for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
        // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
          ...
          value_byte = nla_get_u8(data[i]);
          ...
        }
        ...
        for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
        // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
        ...
          value_int = nla_get_u32(data[i]);
        ...
        }
        ...
      }
      
      That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest
      attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the
      following access code fetch each nlattr as dcbnl_bcn_attrs attributes.
      By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find
      the beginning part of these two policies are "same".
      
      static const struct nla_policy dcbnl_pfc_up_nest[...] = {
              [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_2]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_3]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_4]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_5]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_6]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_7]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
      };
      
      static const struct nla_policy dcbnl_bcn_nest[...] = {
              [DCB_BCN_ATTR_RP_0]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_1]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_2]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_3]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_4]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_5]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_6]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_7]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_ALL]       = {.type = NLA_FLAG},
              // from here is somewhat different
              [DCB_BCN_ATTR_BCNA_0]       = {.type = NLA_U32},
              ...
              [DCB_BCN_ATTR_ALL]          = {.type = NLA_FLAG},
      };
      
      Therefore, the current code is buggy and this
      nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use
      the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.
      
      Hence use the correct policy dcbnl_bcn_nest to parse the nested
      tb[DCB_ATTR_BCN] TLV.
      
      Fixes: 859ee3c4 ("DCB: Add support for DCB BCN")
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20230801013248.87240-1-linma@zju.edu.cnSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      31d49ba0
  4. 01 Aug, 2023 2 commits