1. 20 Jul, 2023 18 commits
    • Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014 · 95b70154
      Tomasz Moń authored
      Commit c13380a5 ("Bluetooth: btusb: Do not require hardcoded
      interface numbers") inadvertently broke bluetooth on Intel Macbook 2014.
      The intention was to keep behavior intact when BTUSB_IFNUM_2 is set and
      otherwise allow any interface numbers. The problem is that the new logic
      condition omits the case where bInterfaceNumber is 0.
      
      Fix BTUSB_IFNUM_2 handling by allowing both interface number 0 and 2
      when the flag is set.
      
      Fixes: c13380a5 ("Bluetooth: btusb: Do not require hardcoded interface numbers")
      Reported-by: John Holland <johnbholland@icloud.com>
      Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217651
      Signed-off-by: Tomasz Moń <tomasz.mon@nordicsemi.no>
      Tested-by: John Holland <johnbholland@icloud.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: SCO: fix sco_conn related locking and validity issues · 3dcaa192
      Pauli Virtanen authored
      Operations that check/update sk_state and access conn should hold
      lock_sock, otherwise they can race.
      
      The order of taking locks is hci_dev_lock > lock_sock > sco_conn_lock,
      which is how it is in connect/disconnect_cfm -> sco_conn_del ->
      sco_chan_del.
      
      Fix locking in sco_connect to take lock_sock around updating sk_state
      and conn.
      
      sco_conn_del must not occur during sco_connect, as it frees the
      sco_conn. Hold hdev->lock longer to prevent that.
      
      sco_conn_add shall return sco_conn with valid hcon. Make it so also when
      reusing an old SCO connection waiting for disconnect timeout (see
      __sco_sock_close where conn->hcon is set to NULL).
      
      This should not reintroduce the issue fixed in the earlier
      commit 9a8ec9e8 ("Bluetooth: SCO: Fix possible circular locking
      dependency on sco_connect_cfm"), the relevant fix of releasing lock_sock
      in sco_sock_connect before acquiring hdev->lock is retained.
      
      These changes mirror similar fixes earlier in ISO sockets.
      
      Fixes: 9a8ec9e8 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm")
      Signed-off-by: Pauli Virtanen <pav@iki.fi>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link · b4066eb0
      Siddh Raman Pant authored
      hci_connect_sco currently returns NULL when there is no link (i.e. when
      hci_conn_link() returns NULL).
      
      sco_connect() expects an ERR_PTR in case of any error (see line 266 in
      sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which
      tries to get hcon->hdev, resulting in dereferencing a NULL pointer as
      reported by syzkaller.
      
      The same issue exists for iso_connect_cis() calling hci_connect_cis().
      
      Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR
      instead of NULL.
      
      Reported-and-tested-by: syzbot+37acd5d80d00d609d233@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=37acd5d80d00d609d233
      Fixes: 06149746 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
      Signed-off-by: Siddh Raman Pant <code@siddh.me>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
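The NULL-versus-ERR_PTR mismatch described in the commit above, as an added example that is not kernel code and not part of the commit: a userspace C model in which the kernel's ERR_PTR/IS_ERR/PTR_ERR helpers are re-implemented the way the kernel defines them, and hci_conn_link(), hci_connect_sco() and sco_connect() are replaced by hypothetical stand-ins (link_conn, connect_before/connect_after, caller). The struct layouts and the choice of -ENOLINK are assumptions. The caller's explicit NULL test exists only so the model can report the bug as a return value where the kernel would oops.

```c
/*
 * Added example, not kernel code: why a NULL return slips past a caller
 * that checks only IS_ERR(). ERR_PTR/IS_ERR/PTR_ERR follow the kernel's
 * definitions; everything else is a hypothetical stand-in.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* Kernel-style error pointers: the top 4095 addresses encode -errno. */
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

struct hdev { int id; };
struct hcon { struct hdev *hdev; int handle; };

static struct hdev dev0 = { .id = 7 };
static struct hcon hcon0;

/* Stand-in for hci_conn_link(): returns NULL when no link can be made. */
static struct hcon *link_conn(int have_link)
{
    if (!have_link)
        return NULL;
    hcon0.hdev = &dev0;
    hcon0.handle = 0x100;
    return &hcon0;
}

/* Before the fix: the link helper's NULL goes straight to the caller. */
static struct hcon *connect_before(int have_link)
{
    return link_conn(have_link);
}

/* After the fix: NULL becomes an error pointer the caller's check sees. */
static struct hcon *connect_after(int have_link)
{
    struct hcon *hcon = link_conn(have_link);

    if (!hcon)
        return ERR_PTR(-ENOLINK);   /* errno value is an assumption */
    return hcon;
}

/*
 * A caller shaped like sco_connect(): it tests IS_ERR() only, then passes
 * hcon on to code that dereferences hcon->hdev (sco_conn_add()). Returns
 * the hdev id on success or -errno. The NULL branch is instrumentation:
 * it sets *null_deref where the kernel would dereference NULL.
 */
static int caller(struct hcon *(*conn_fn)(int), int have_link, int *null_deref)
{
    struct hcon *hcon = conn_fn(have_link);

    *null_deref = 0;
    if (IS_ERR(hcon))
        return (int)PTR_ERR(hcon);  /* sco_conn_add() is never reached */
    if (!hcon) {
        *null_deref = 1;            /* hcon->hdev on a NULL hcon */
        return -EFAULT;
    }
    return hcon->hdev->id;
}

int main(void)
{
    int nd, rc;

    rc = caller(connect_before, 0, &nd);
    printf("before fix, no link: rc=%d null_deref=%d\n", rc, nd);
    rc = caller(connect_after, 0, &nd);
    printf("after fix,  no link: rc=%d null_deref=%d\n", rc, nd);
    rc = caller(connect_after, 1, &nd);
    printf("after fix,  link:    rc=%d null_deref=%d\n", rc, nd);
    return 0;
}
```

Build and run with `cc -std=c99 -Wall example.c && ./a.out`. The point to carry over to review: a function whose callers test IS_ERR() must never return NULL on failure, and a function whose callers test for NULL must never return ERR_PTR(); mixing the two conventions across a call boundary is what syzkaller caught here.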
    • Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() · de6dfcef
      Douglas Anderson authored
      KASAN reports that there's a use-after-free in
      hci_remove_adv_monitor(). Trawling through the disassembly, you can
      see that the complaint is from the access in bt_dev_dbg() under the
      HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because
      msft_remove_monitor() can end up freeing the monitor
      structure. Specifically:
        hci_remove_adv_monitor() ->
        msft_remove_monitor() ->
        msft_remove_monitor_sync() ->
        msft_le_cancel_monitor_advertisement_cb() ->
        hci_free_adv_monitor()
      
      Let's fix the problem by just stashing the relevant data when it's
      still valid.
      
      Fixes: 7cf5c297 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
      Signed-off-by: Douglas Anderson <dianders@chromium.org>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: coredump: fix building with coredump disabled · 6910e2eb
      Arnd Bergmann authored
      The btmtk driver uses an IS_ENABLED() check to conditionally compile
      the coredump support, but this fails to build because the hdev->dump
      member is in an #ifdef:
      
      drivers/bluetooth/btmtk.c: In function 'btmtk_process_coredump':
      drivers/bluetooth/btmtk.c:386:30: error: 'struct hci_dev' has no member named 'dump'
        386 |   schedule_delayed_work(&hdev->dump.dump_timeout,
            |                              ^~
      
      The struct member doesn't really make a huge difference in the total size,
      so just remove the #ifdef around it to avoid adding similar checks
      around each user.
      
      Fixes: 872f8c253cb9e ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
      Fixes: 9695ef87 ("Bluetooth: Add support for hci devcoredump")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: ISO: fix iso_conn related locking and validity issues · d40ae85e
      Pauli Virtanen authored
      sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations
      that check/update sk_state and access conn should hold lock_sock,
      otherwise they can race.
      
      The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock,
      which is how it is in connect/disconnect_cfm -> iso_conn_del ->
      iso_chan_del.
      
      Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock
      around updating sk_state and conn.
      
      iso_conn_del must not occur during iso_connect_cis/bis, as it frees the
      iso_conn. Hold hdev->lock longer to prevent that.
      
      This should not reintroduce the issue fixed in commit 241f5193
      ("Bluetooth: ISO: Avoid circular locking dependency"), since we
      acquire locks in order. We retain the fix in iso_sock_connect to release
      lock_sock before iso_connect_* acquires hdev->lock.
      
      Similarly for commit 6a5ad251 ("Bluetooth: ISO: Fix possible
      circular locking dependency"). We retain the fix in iso_conn_ready to
      not acquire iso_conn_lock before lock_sock.
      
      iso_conn_add shall return iso_conn with valid hcon. Make it so also when
      reusing an old CIS connection waiting for disconnect timeout (see
      __iso_sock_close where conn->hcon is set to NULL).
      
      Trace with iso_conn_del after iso_chan_add in iso_connect_cis:
      ===============================================================
      iso_sock_create:771: sock 00000000be9b69b7
      iso_sock_init:693: sk 000000004dff667e
      iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1
      iso_sock_setsockopt:1289: sk 000000004dff667e
      iso_sock_setsockopt:1289: sk 000000004dff667e
      iso_sock_setsockopt:1289: sk 000000004dff667e
      iso_sock_connect:875: sk 000000004dff667e
      iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
      hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
      hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da
      iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e
      __iso_chan_add:214: conn 00000000daf8625e
      iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12
      iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16
      iso_sock_clear_timer:117: sock 000000004dff667e state 3
          <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still
          running at this point>
      iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16
      hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535
      hci_conn_unlink:1102: hci0: hcon 000000007b65d182
      hci_chan_list_flush:2780: hcon 000000007b65d182
      iso_sock_getsockopt:1376: sk 000000004dff667e
      iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
      iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
      iso_sock_getsockopt:1376: sk 000000004dff667e
      iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
      iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
      iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1
      __iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7
           <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets
           BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it
           must be that iso_chan_del occurred between iso_chan_add and end of
           iso_connect_cis.>
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth
      ===============================================================
      
      Trace with iso_conn_del before iso_chan_add in iso_connect_cis:
      ===============================================================
      iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
      ...
      iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504
      hci_dev_put:1487: hci0 orig refcnt 21
      hci_event_packet:7607: hci0: event 0x0e
      hci_cmd_complete_evt:4231: hci0: opcode 0x2062
      hci_cc_le_set_cig_params:3846: hci0: status 0x07
      hci_sent_cmd_data:3107: hci0 opcode 0x2062
      iso_connect_cfm:1703: hcon 0000000093bc551f bdaddr 28:3d:c2:4a:7e:da status 7
      iso_conn_del:187: hcon 0000000093bc551f conn 00000000768ae504, err 12
      hci_conn_del:1151: hci0 hcon 0000000093bc551f handle 65535
      hci_conn_unlink:1102: hci0: hcon 0000000093bc551f
      hci_chan_list_flush:2780: hcon 0000000093bc551f
      __iso_chan_add:214: conn 00000000768ae504
          <Note: this conn was already freed in iso_conn_del above>
      iso_sock_clear_timer:117: sock 0000000098323f95 state 3
      general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI
      CPU: 1 PID: 1920 Comm: bluetoothd Tainted: G            E      6.3.0-rc7+ #4
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      RIP: 0010:detach_if_pending+0x28/0xd0
      Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <>
      RSP: 0018:ffffb90841a67d08 EFLAGS: 00010007
      RAX: 0000000000000000 RBX: ffff9141bd5061b8 RCX: 0000000000000000
      RDX: 30b29c630930aec8 RSI: ffff9141fdd21e80 RDI: ffff9141bd5061b8
      RBP: 0000000000000001 R08: 0000000000000000 R09: ffffb90841a67b88
      R10: 0000000000000003 R11: ffffffff8613f558 R12: ffff9141fdd21e80
      R13: 0000000000000000 R14: ffff9141b5976010 R15: ffff914185755338
      FS:  00007f45768bd840(0000) GS:ffff9141fdd00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000619000424074 CR3: 0000000009f5e005 CR4: 0000000000170ee0
      Call Trace:
       <TASK>
       timer_delete+0x48/0x80
       try_to_grab_pending+0xdf/0x170
       __cancel_work+0x37/0xb0
       iso_connect_cis+0x141/0x400 [bluetooth]
      ===============================================================
      
      Trace with NULL conn->hcon in state BT_CONNECT:
      ===============================================================
      __iso_sock_close:619: sk 00000000f7c71fc5 state 1 socket 00000000d90c5fe5
      ...
      __iso_sock_close:619: sk 00000000f7c71fc5 state 8 socket 00000000d90c5fe5
      iso_chan_del:153: sk 00000000f7c71fc5, conn 0000000022c03a7e, err 104
      ...
      iso_sock_connect:862: sk 00000000129b56c3
      iso_connect_cis:348: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a
      hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a
      hci_dev_hold:1495: hci0 orig refcnt 19
      __iso_chan_add:214: conn 0000000022c03a7e
          <Note: reusing old conn>
      iso_sock_clear_timer:117: sock 00000000129b56c3 state 3
      ...
      iso_sock_ready:1485: sk 00000000129b56c3
      ...
      iso_sock_sendmsg:1077: sock 00000000e5013966, sk 00000000129b56c3
      BUG: kernel NULL pointer dereference, address: 00000000000006a8
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      CPU: 1 PID: 1403 Comm: wireplumber Tainted: G            E      6.3.0-rc7+ #4
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      RIP: 0010:iso_sock_sendmsg+0x63/0x2a0 [bluetooth]
      ===============================================================
      
      Fixes: 241f5193 ("Bluetooth: ISO: Avoid circular locking dependency")
      Fixes: 6a5ad251 ("Bluetooth: ISO: Fix possible circular locking dependency")
      Signed-off-by: Pauli Virtanen <pav@iki.fi>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    • Bluetooth: hci_event: call disconnect callback before deleting conn · 7f7cfcb6
      Pauli Virtanen authored
      In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
      
      ISO, L2CAP and SCO connections refer to the hci_conn without
      hci_conn_get, so disconn_cfm must be called so they can clean up their
      conn, otherwise use-after-free occurs.
      
      ISO:
      ==========================================================
      iso_sock_connect:880: sk 00000000eabd6557
      iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
      ...
      iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
      hci_dev_put:1487: hci0 orig refcnt 17
      __iso_chan_add:214: conn 00000000b6251073
      iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
      ...
      hci_rx_work:4085: hci0 Event packet
      hci_event_packet:7601: hci0: event 0x0f
      hci_cmd_status_evt:4346: hci0: opcode 0x0406
      hci_cs_disconnect:2760: hci0: status 0x0c
      hci_sent_cmd_data:3107: hci0 opcode 0x0406
      hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
      hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
      hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
      hci_chan_list_flush:2780: hcon 000000001696f1fd
      hci_dev_put:1487: hci0 orig refcnt 21
      hci_dev_put:1487: hci0 orig refcnt 20
      hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
      ... <no iso_* activity on sk/conn> ...
      iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
      BUG: kernel NULL pointer dereference, address: 0000000000000668
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
      ==========================================================
      
      L2CAP:
      ==================================================================
      hci_cmd_status_evt:4359: hci0: opcode 0x0406
      hci_cs_disconnect:2760: hci0: status 0x0c
      hci_sent_cmd_data:3085: hci0 opcode 0x0406
      hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
      hci_conn_unlink:1102: hci0: hcon ffff88800c999000
      hci_chan_list_flush:2780: hcon ffff88800c999000
      hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
      ...
      BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
      Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
      
      CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G            E      6.4.0-rc4+ #2
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl+0x5b/0x90
       print_report+0xcf/0x670
       ? __virt_addr_valid+0xf8/0x180
       ? hci_send_acl+0x2d/0x540 [bluetooth]
       kasan_report+0xa8/0xe0
       ? hci_send_acl+0x2d/0x540 [bluetooth]
       hci_send_acl+0x2d/0x540 [bluetooth]
       ? __pfx___lock_acquire+0x10/0x10
       l2cap_chan_send+0x1fd/0x1300 [bluetooth]
       ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
       ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
       ? lock_release+0x1d5/0x3c0
       ? mark_held_locks+0x1a/0x90
       l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
       sock_write_iter+0x275/0x280
       ? __pfx_sock_write_iter+0x10/0x10
       ? __pfx___lock_acquire+0x10/0x10
       do_iter_readv_writev+0x176/0x220
       ? __pfx_do_iter_readv_writev+0x10/0x10
       ? find_held_lock+0x83/0xa0
       ? selinux_file_permission+0x13e/0x210
       do_iter_write+0xda/0x340
       vfs_writev+0x1b4/0x400
       ? __pfx_vfs_writev+0x10/0x10
       ? __seccomp_filter+0x112/0x750
       ? populate_seccomp_data+0x182/0x220
       ? __fget_light+0xdf/0x100
       ? do_writev+0x19d/0x210
       do_writev+0x19d/0x210
       ? __pfx_do_writev+0x10/0x10
       ? mark_held_locks+0x1a/0x90
       do_syscall_64+0x60/0x90
       ? lockdep_hardirqs_on_prepare+0x149/0x210
       ? do_syscall_64+0x6c/0x90
       ? lockdep_hardirqs_on_prepare+0x149/0x210
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
      RIP: 0033:0x7ff45cb23e64
      Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
      RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
      RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64
      RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017
      RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40
      R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0
      R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040
       </TASK>
      
      Allocated by task 771:
       kasan_save_stack+0x33/0x60
       kasan_set_track+0x25/0x30
       __kasan_kmalloc+0xaa/0xb0
       hci_chan_create+0x67/0x1b0 [bluetooth]
       l2cap_conn_add.part.0+0x17/0x590 [bluetooth]
       l2cap_connect_cfm+0x266/0x6b0 [bluetooth]
       hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth]
       hci_event_packet+0x38d/0x800 [bluetooth]
       hci_rx_work+0x287/0xb20 [bluetooth]
       process_one_work+0x4f7/0x970
       worker_thread+0x8f/0x620
       kthread+0x17f/0x1c0
       ret_from_fork+0x2c/0x50
      
      Freed by task 771:
       kasan_save_stack+0x33/0x60
       kasan_set_track+0x25/0x30
       kasan_save_free_info+0x2e/0x50
       ____kasan_slab_free+0x169/0x1c0
       slab_free_freelist_hook+0x9e/0x1c0
       __kmem_cache_free+0xc0/0x310
       hci_chan_list_flush+0x46/0x90 [bluetooth]
       hci_conn_cleanup+0x7d/0x330 [bluetooth]
       hci_cs_disconnect+0x35d/0x530 [bluetooth]
       hci_cmd_status_evt+0xef/0x2b0 [bluetooth]
       hci_event_packet+0x38d/0x800 [bluetooth]
       hci_rx_work+0x287/0xb20 [bluetooth]
       process_one_work+0x4f7/0x970
       worker_thread+0x8f/0x620
       kthread+0x17f/0x1c0
       ret_from_fork+0x2c/0x50
      ==================================================================
      
      Fixes: b8d29052 ("Bluetooth: clean up connection in hci_cs_disconnect")
      Signed-off-by: Pauli Virtanen <pav@iki.fi>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
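The two object-lifetime rules behind this fix and the earlier hci_remove_adv_monitor() fix on this page, as one added example that is not kernel code: (1) a layer holding a raw, unreferenced pointer to a connection (ISO, L2CAP, SCO here) must be told via a disconn_cfm-style callback before the connection is freed, so it drops the pointer; (2) any field still needed after a call that may free the object (the adv-monitor handle logged by bt_dev_dbg()) must be copied out before the call. All names are hypothetical stand-ins, and "freeing" poisons the object instead of calling free() so a dangling access shows up as a return value rather than a crash or KASAN splat.

```c
/*
 * Added example, not kernel code: a userspace model of "notify holders
 * before free" (hci_cs_disconnect fix) and "stash before a call that may
 * free" (hci_remove_adv_monitor fix). Names are hypothetical stand-ins.
 */
#include <stddef.h>
#include <stdio.h>

struct obj {
    int handle;
    int freed;
};

static void obj_free(struct obj *o)
{
    o->freed = 1;
    o->handle = -1;     /* poison: what a real free() would leave to chance */
}

/* Part 1: upper layers (like ISO/SCO/L2CAP conns) holding raw pointers. */
#define MAX_UPPER 2
struct upper { struct obj *hcon; };
static struct upper uppers[MAX_UPPER];
static struct obj hcon_storage;

/* disconn_cfm-style notification: every upper layer forgets the conn. */
static void disconn_cfm(struct obj *hcon)
{
    for (size_t i = 0; i < MAX_UPPER; i++)
        if (uppers[i].hcon == hcon)
            uppers[i].hcon = NULL;
}

/* conn_del: the buggy variant frees without telling the upper layers. */
static void conn_del(struct obj *hcon, int notify_first)
{
    if (notify_first)
        disconn_cfm(hcon);
    obj_free(hcon);
}

/* A send path: handle on success, -1 if disconnected, -2 if it touched
 * a freed conn (the use-after-free the commit message shows). */
static int upper_send(const struct upper *u)
{
    if (!u->hcon)
        return -1;
    if (u->hcon->freed)
        return -2;
    return u->hcon->handle;
}

/* Two upper layers share one conn; delete it; then one of them sends. */
static int scenario_disconnect(int notify_first)
{
    struct obj *hcon = &hcon_storage;
    int rc;

    *hcon = (struct obj){ .handle = 0x100, .freed = 0 };
    uppers[0].hcon = hcon;
    uppers[1].hcon = hcon;
    conn_del(hcon, notify_first);
    rc = upper_send(&uppers[1]);
    uppers[0].hcon = uppers[1].hcon = NULL;   /* tidy up the model */
    return rc;
}

/* Part 2: a remove path whose callee frees the object, like
 * msft_remove_monitor() ending in hci_free_adv_monitor(). */
static struct obj monitor_storage;

static void remove_backend(struct obj *monitor)
{
    obj_free(monitor);
}

/* Returns the handle the caller wants to log after the removal. */
static int scenario_remove(int stash_first)
{
    struct obj *monitor = &monitor_storage;
    int handle = -99;

    *monitor = (struct obj){ .handle = 0x42, .freed = 0 };
    if (stash_first)
        handle = monitor->handle;   /* copy out while still valid */
    remove_backend(monitor);
    if (!stash_first)
        handle = monitor->handle;   /* use-after-free: reads the poison */
    return handle;
}

int main(void)
{
    printf("disconnect without cfm: %d\n", scenario_disconnect(0));
    printf("disconnect with cfm:    %d\n", scenario_disconnect(1));
    printf("remove, read after:     %d\n", scenario_remove(0));
    printf("remove, stashed first:  %d\n", scenario_remove(1));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. In a real kernel build the same two defects are only visible under KASAN; the poison value here stands in for the slab-use-after-free report in the trace above.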
    • Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync · 195ef75e
      Pauli Virtanen authored
      hci_update_accept_list_sync iterates over hdev->pend_le_conns and
      hdev->pend_le_reports, and waits for controller events in the loop body,
      without holding hdev lock.
      
      Meanwhile, these lists and the items may be modified e.g. by
      le_scan_cleanup. This can invalidate the list cursor or any other item
      in the list, resulting to invalid behavior (eg use-after-free).
      
      Use RCU for the hci_conn_params action lists. Since the loop bodies in
      hci_sync block and we cannot use RCU or hdev->lock for the whole loop,
      copy list items first and then iterate on the copy. Only the flags field
      is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we
      read valid values.
      
      Free params everywhere with hci_conn_params_free so the cleanup is
      guaranteed to be done properly.
      
      This fixes the following, which can be triggered e.g. by BlueZ new
      mgmt-tester case "Add + Remove Device Nowait - Success", or by changing
      hci_le_set_cig_params to always return false, and running iso-tester:
      
      ==================================================================
      BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
      Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32
      
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
      Workqueue: hci0 hci_cmd_sync_work
      Call Trace:
      <TASK>
      dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)
      print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
      ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)
      ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
      kasan_report (mm/kasan/report.c:538)
      ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
      hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)
      ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)
      ? mutex_lock (kernel/locking/mutex.c:282)
      ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
      ? __pfx_mutex_unlock (kernel/locking/mutex.c:538)
      ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)
      hci_cmd_sync_work (net/bluetooth/hci_sync.c:306)
      process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
      worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
      ? __pfx_worker_thread (kernel/workqueue.c:2480)
      kthread (kernel/kthread.c:376)
      ? __pfx_kthread (kernel/kthread.c:331)
      ret_from_fork (arch/x86/entry/entry_64.S:314)
      </TASK>
      
      Allocated by task 31:
      kasan_save_stack (mm/kasan/common.c:46)
      kasan_set_track (mm/kasan/common.c:52)
      __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)
      hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)
      hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)
      hci_connect_cis (net/bluetooth/hci_conn.c:2266)
      iso_connect_cis (net/bluetooth/iso.c:390)
      iso_sock_connect (net/bluetooth/iso.c:899)
      __sys_connect (net/socket.c:2003 net/socket.c:2020)
      __x64_sys_connect (net/socket.c:2027)
      do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
      entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      
      Freed by task 15:
      kasan_save_stack (mm/kasan/common.c:46)
      kasan_set_track (mm/kasan/common.c:52)
      kasan_save_free_info (mm/kasan/generic.c:523)
      __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
      __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
      hci_conn_params_del (net/bluetooth/hci_core.c:2323)
      le_scan_cleanup (net/bluetooth/hci_conn.c:202)
      process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)
      worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)
      kthread (kernel/kthread.c:376)
      ret_from_fork (arch/x86/entry/entry_64.S:314)
      ==================================================================
      
      Fixes: e8907f76 ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3")
      Signed-off-by: Pauli Virtanen <pav@iki.fi>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
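The snapshot-then-walk pattern from this commit, as an added example that is not kernel code: the sync loop sleeps inside each iteration waiting for the controller, so neither hdev->lock nor an RCU read section can be held across the walk, and a concurrent le_scan_cleanup() may delete entries meanwhile. The list, the lock flag and the blocking step are hypothetical stand-ins; RCU is replaced by copying under a plain lock, and the blocking step deletes the entry it was given so the race reproduces deterministically. Deleted nodes are poisoned rather than free()d so the stale read is reported instead of crashing.

```c
/*
 * Added example, not kernel code: walking a live list whose entries can
 * be deleted while the loop body sleeps (before) versus snapshotting the
 * entries under the lock and walking the copy (after).
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct params {
    struct params *next;
    int addr;            /* stand-in for the bdaddr */
    int flags;           /* the only field written from elsewhere */
    int freed;
};

#define NPARAMS 4
static struct params pool[NPARAMS];
static struct params *pend_list;      /* live list, like hdev->pend_le_conns */
static int hdev_locked;               /* models hdev->lock (single thread) */

static void hdev_lock(void)   { if (hdev_locked) abort(); hdev_locked = 1; }
static void hdev_unlock(void) { hdev_locked = 0; }

/* Reset the pool and link every entry into the live list. */
static void build_list(void)
{
    pend_list = NULL;
    for (int i = NPARAMS - 1; i >= 0; i--) {
        pool[i] = (struct params){ .next = pend_list, .addr = 0x10 + i };
        pend_list = &pool[i];
    }
}

/* hci_conn_params_del()-style removal; caller holds the lock. */
static void params_del(struct params *p)
{
    for (struct params **pp = &pend_list; *pp; pp = &(*pp)->next) {
        if (*pp == p) {
            *pp = p->next;
            break;
        }
    }
    p->freed = 1;                /* poison instead of free() */
}

/* The loop body: "sleeps" for the controller; while asleep, the cleanup
 * worker (le_scan_cleanup) takes the lock and deletes this very entry. */
static void blocking_step(int addr)
{
    hdev_lock();
    for (struct params *p = pend_list; p; p = p->next) {
        if (p->addr == addr) {
            params_del(p);
            break;
        }
    }
    hdev_unlock();
}

/* Before: walk the live list with the lock dropped around the sleep.
 * Returns entries visited, or -(visited) on reading a freed node. */
static int walk_live(void)
{
    int visited = 0;

    for (struct params *p = pend_list; p; ) {
        blocking_step(p->addr);
        visited++;
        if (p->freed)            /* where KASAN reports the read of p->next */
            return -visited;
        p = p->next;
    }
    return visited;
}

/* After: copy addr/flags under the lock, then walk the private copy. */
static int walk_snapshot(void)
{
    struct { int addr; int flags; } copy[NPARAMS];
    size_t n = 0;
    int visited = 0;

    hdev_lock();
    for (struct params *p = pend_list; p && n < NPARAMS; p = p->next) {
        copy[n].addr = p->addr;
        copy[n].flags = p->flags;   /* READ_ONCE() in the kernel */
        n++;
    }
    hdev_unlock();

    for (size_t i = 0; i < n; i++) {
        blocking_step(copy[i].addr);   /* live entry may vanish; copy is ours */
        visited++;
    }
    return visited;
}

static int live_count(void)
{
    int n = 0;
    for (struct params *p = pend_list; p; p = p->next)
        n++;
    return n;
}

int main(void)
{
    int rc, left;

    build_list();
    rc = walk_live();
    printf("live walk: %d (negative = freed node touched)\n", rc);
    build_list();
    rc = walk_snapshot();
    left = live_count();
    printf("snapshot walk: %d visited, %d entries left\n", rc, left);
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. The cost of the pattern is that the copy can be stale by the time each entry is processed, which is why the commit keeps the one mutable field (flags) behind READ_ONCE/WRITE_ONCE and tolerates acting on an entry that has since been removed.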
    • Merge branch 'net-support-stp-on-bridge-in-non-root-netns' · ac528649
      Paolo Abeni authored
      Kuniyuki Iwashima says:
      
      ====================
      net: Support STP on bridge in non-root netns.
      
      Currently, STP does not work in non-root netns as llc_rcv() drops
      packets from non-root netns.
      
      This series fixes it by making some protocol handlers netns-aware,
      which are called from llc_rcv() as follows:
      
        llc_rcv()
        |
        |- sap->rcv_func : registered by llc_sap_open()
        |
        |  * functions : registered by register_8022_client()
        |    -> No in-kernel user call register_8022_client()
        |
        |  * snap_rcv()
        |    |
        |    `- proto->rcvfunc() : registered by register_snap_client()
        |
        |       * aarp_rcv()  : drop packets from non-root netns
        |       * atalk_rcv() : drop packets from non-root netns
        |
        |  * stp_pdu_rcv()
        |    |
        |    `- garp_protos[]->rcv() : registered by stp_proto_register()
        |
        |       * garp_pdu_rcv() : netns-aware
        |       * br_stp_rcv()   : netns-aware
        |
        |- llc_type_handlers[llc_pdu_type(skb) - 1]
        |
        |  * llc_sap_handler()  : NOT netns-aware (Patch 1)
        |  * llc_conn_handler() : NOT netns-aware (Patch 2)
        |
        `- llc_station_handler
      
           * llc_station_rcv() : netns-aware
      
      Patch 1 & 2 convert not-netns-aware functions and Patch 3 remove the
      netns restriction in llc_rcv().
      
      Note this series does not namespacify AF_LLC so that these patches
      can be backported to stable without conflicts (at least to 4.14.y).
      
      Another series that adds netns support for AF_LLC will be targeted
      to net-next later.
      ====================
      
      Link: https://lore.kernel.org/r/20230718174152.57408-1-kuniyu@amazon.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • Revert "bridge: Add extack warning when enabling STP in netns." · 7ebd00a5
      Kuniyuki Iwashima authored
      This reverts commit 56a16035.
      
      Since the previous commit, STP works on bridge in netns.
      
        # unshare -n
        # ip link add br0 type bridge
        # ip link add veth0 type veth peer name veth1
      
        # ip link set veth0 master br0 up
        [   50.558135] br0: port 1(veth0) entered blocking state
        [   50.558366] br0: port 1(veth0) entered disabled state
        [   50.558798] veth0: entered allmulticast mode
        [   50.564401] veth0: entered promiscuous mode
      
        # ip link set veth1 master br0 up
        [   54.215487] br0: port 2(veth1) entered blocking state
        [   54.215657] br0: port 2(veth1) entered disabled state
        [   54.215848] veth1: entered allmulticast mode
        [   54.219577] veth1: entered promiscuous mode
      
        # ip link set br0 type bridge stp_state 1
        # ip link set br0 up
        [   61.960726] br0: port 2(veth1) entered blocking state
        [   61.961097] br0: port 2(veth1) entered listening state
        [   61.961495] br0: port 1(veth0) entered blocking state
        [   61.961653] br0: port 1(veth0) entered listening state
        [   63.998835] br0: port 2(veth1) entered blocking state
        [   77.437113] br0: port 1(veth0) entered learning state
        [   86.653501] br0: received packet on veth0 with own address as source address (addr:6e:0f:e7:6f:5f:5f, vlan:0)
        [   92.797095] br0: port 1(veth0) entered forwarding state
        [   92.797398] br0: topology change detected, propagating
      
      Let's remove the warning.
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • llc: Don't drop packet from non-root netns. · 6631463b
      Kuniyuki Iwashima authored
      Now these upper layer protocol handlers can be called from llc_rcv()
      as sap->rcv_func(), which is registered by llc_sap_open().
      
        * function which is passed to register_8022_client()
          -> no in-kernel user calls register_8022_client().
      
        * snap_rcv()
          `- proto->rcvfunc() : registered by register_snap_client()
             -> aarp_rcv() and atalk_rcv() drop packets from non-root netns
      
        * stp_pdu_rcv()
          `- garp_protos[]->rcv() : registered by stp_proto_register()
             -> garp_pdu_rcv() and br_stp_rcv() are netns-aware
      
      So, we can safely remove the netns restriction in llc_rcv().
      
      Fixes: e730c155 ("[NET]: Make packet reception network namespace safe")
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • llc: Check netns in llc_estab_match() and llc_listener_match(). · 97b1d320
      Kuniyuki Iwashima authored
      We will remove this restriction in llc_rcv() in the following patch,
      which means that the protocol handler must be aware of netns.
      
              if (!net_eq(dev_net(dev), &init_net))
                      goto drop;
      
      llc_rcv() fetches llc_type_handlers[llc_pdu_type(skb) - 1] and calls it
      if not NULL.
      
      If the PDU type is LLC_DEST_CONN, llc_conn_handler() is called to pass
      skb to corresponding sockets.  Then, we must look up a proper socket in
      the same netns with skb->dev.
      
      llc_conn_handler() calls __llc_lookup() to look up a established or
      listening socket by __llc_lookup_established() and llc_lookup_listener().
      
      Both functions iterate on a list and call llc_estab_match() or
      llc_listener_match() to check if the socket is the correct destination.
      However, these functions do not check netns.
      
      Also, bind() and connect() call llc_establish_connection(), which
      finally calls __llc_lookup_established(), to check if there is a
      conflicting socket.
      
      Let's test netns in llc_estab_match() and llc_listener_match().
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • llc: Check netns in llc_dgram_match(). · 9b64e93e
      Kuniyuki Iwashima authored
      We will remove this restriction in llc_rcv() soon, which means that the
      protocol handler must be aware of netns.
      
      	if (!net_eq(dev_net(dev), &init_net))
      		goto drop;
      
      llc_rcv() fetches llc_type_handlers[llc_pdu_type(skb) - 1] and calls it
      if not NULL.
      
      If the PDU type is LLC_DEST_SAP, llc_sap_handler() is called to pass skb
      to corresponding sockets.  Then, we must look up a proper socket in the
      same netns with skb->dev.
      
      If the destination is a multicast address, llc_sap_handler() calls
      llc_sap_mcast().  It calculates a hash based on DSAP and skb->dev->ifindex,
      iterates on a socket list, and calls llc_mcast_match() to check if the
      socket is the correct destination.  Then, llc_mcast_match() checks if
      skb->dev matches with llc_sk(sk)->dev.  So, we need not check netns here.
      
      OTOH, if the destination is a unicast address, llc_sap_handler() calls
      llc_lookup_dgram() to look up a socket, but it does not check the netns.
      
      Therefore, we need to add netns check in llc_lookup_dgram().
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: ethernet: mtk_eth_soc: always mtk_get_ib1_pkt_type · 9f9d4c1a
      Daniel Golle authored
      entries and bind debugfs files would display wrong data on NETSYS_V2 and
      later because instead of using mtk_get_ib1_pkt_type the driver would use
      MTK_FOE_IB1_PACKET_TYPE which corresponds to NETSYS_V1(.x) SoCs.
      Use mtk_get_ib1_pkt_type so entries and bind records display correctly.
      
      Fixes: 03a3180e ("net: ethernet: mtk_eth_soc: introduce flow offloading support for mt7986")
      Signed-off-by: Daniel Golle <daniel@makrotopia.org>
      Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Link: https://lore.kernel.org/r/c0ae03d0182f4d27b874cbdf0059bc972c317f3c.1689727134.git.daniel@makrotopia.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch 'r8169-revert-two-changes-that-caused-regressions' · 88f2e009
      Jakub Kicinski authored
      Heiner Kallweit says:
      
      ====================
      r8169: revert two changes that caused regressions
      
      This reverts two changes that caused regressions.
      ====================
      
      Link: https://lore.kernel.org/r/ddadceae-19c9-81b8-47b5-a4ff85e2563a@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Revert "r8169: disable ASPM during NAPI poll" · e31a9fed
      Heiner Kallweit authored
      This reverts commit e1ed3e4d.
      
      Turned out the change causes a performance regression.
      
      Link: https://lore.kernel.org/netdev/20230713124914.GA12924@green245/T/
      Cc: stable@vger.kernel.org
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/055c6bc2-74fa-8c67-9897-3f658abb5ae7@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • r8169: revert 2ab19de6 ("r8169: remove ASPM restrictions now that ASPM is... · cf2ffdea
      Heiner Kallweit authored
      r8169: revert 2ab19de6 ("r8169: remove ASPM restrictions now that ASPM is disabled during NAPI poll")
      
      There have been reports that on a number of systems this change breaks
      network connectivity. Therefore effectively revert it. Mainly affected
      seem to be systems where BIOS denies ASPM access to OS.
      Due to later changes we can't do a direct revert.
      
      Fixes: 2ab19de6 ("r8169: remove ASPM restrictions now that ASPM is disabled during NAPI poll")
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/netdev/e47bac0d-e802-65e1-b311-6acb26d5cf10@freenet.de/T/
      Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217596
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/57f13ec0-b216-d5d8-363d-5b05528ec5fb@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Revert "tcp: avoid the lookup process failing to get sk in ehash table" · 81b3ade5
      Kuniyuki Iwashima authored
      This reverts commit 3f4ca5fa.
      
      Commit 3f4ca5fa ("tcp: avoid the lookup process failing to get sk in
      ehash table") reversed the order in how a socket is inserted into ehash
      to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are
      swapped.  However, it introduced another lookup failure.
      
      The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU
      and does not have SOCK_RCU_FREE, so the socket could be reused even while
      it is being referenced on another CPU doing RCU lookup.
      
      Let's say a socket is reused and inserted into the same hash bucket during
      lookup.  After the blamed commit, a new socket is inserted at the end of
      the list.  If that happens, we will skip sockets placed after the previous
      position of the reused socket, resulting in ehash lookup failure.
      
      As described in Documentation/RCU/rculist_nulls.rst, we should insert a
      new socket at the head of the list to avoid such an issue.
      
      This issue, the swap-lookup-failure, and another variant reported in [0]
      can all be handled properly by adding a locked ehash lookup suggested by
      Eric Dumazet [1].
      
      However, this issue could occur for every packet, thus more likely than
      the other two races, so let's revert the change for now.
      
      Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0]
      Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1]
      Fixes: 3f4ca5fa ("tcp: avoid the lookup process failing to get sk in ehash table")
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
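The insertion-order problem this revert describes, as an added example that is not kernel code: a Go model of one ehash bucket in which a lock-free reader walks the list while the node it is standing on is freed, reused and re-inserted into the same bucket. It assumes a plain singly linked list with nil as the end marker instead of the kernel's hlist_nulls, and injects the reuse deterministically at one point of the walk rather than racing two CPUs; the node ids and the "reuse node 2 while looking for node 4" scenario are constructed.

```go
package main

import "fmt"

// Constructed model of one ehash bucket: a singly linked list that a reader
// walks without locks while a writer may free, reuse and re-insert a node
// (the SLAB_TYPESAFE_BY_RCU behaviour the commit describes). Real ehash
// buckets are hlist_nulls lists; the end marker is modelled here as nil.
type sock struct {
	id   int
	next *sock
}

type bucket struct{ head *sock }

// insertHead is the ordering Documentation/RCU/rculist_nulls.rst calls for.
func (b *bucket) insertHead(s *sock) {
	s.next = b.head
	b.head = s
}

// insertTail is the ordering the reverted commit had introduced.
func (b *bucket) insertTail(s *sock) {
	s.next = nil
	if b.head == nil {
		b.head = s
		return
	}
	p := b.head
	for p.next != nil {
		p = p.next
	}
	p.next = s
}

func (b *bucket) unlink(s *sock) {
	if b.head == s {
		b.head = s.next
		return
	}
	for p := b.head; p != nil; p = p.next {
		if p.next == s {
			p.next = s.next
			return
		}
	}
}

// newBucket builds the list ids[0] -> ids[1] -> ... in that order.
func newBucket(ids ...int) *bucket {
	b := &bucket{}
	for i := len(ids) - 1; i >= 0; i-- {
		b.insertHead(&sock{id: ids[i]})
	}
	return b
}

// lookupWithReuse walks the bucket for target. When the walker is standing on
// the node with id reuseAt, a concurrent reuse is simulated: that node is
// unlinked, reinitialised with newID and re-inserted by insert. The walker then
// follows the node's *current* next pointer, as an RCU reader holding a pointer
// to recycled memory would. It returns whether target was found and the ids
// seen along the way.
func lookupWithReuse(b *bucket, target, reuseAt, newID int, insert func(*bucket, *sock)) (bool, []int) {
	var seen []int
	reused := false
	for p := b.head; p != nil; p = p.next {
		seen = append(seen, p.id)
		if p.id == target {
			return true, seen
		}
		if !reused && p.id == reuseAt {
			reused = true
			b.unlink(p)
			p.id = newID
			insert(b, p)
		}
	}
	return false, seen
}

func main() {
	cases := []struct {
		name   string
		insert func(*bucket, *sock)
	}{{"head", (*bucket).insertHead}, {"tail", (*bucket).insertTail}}
	for _, c := range cases {
		found, seen := lookupWithReuse(newBucket(1, 2, 3, 4), 4, 2, 99, c.insert)
		fmt.Printf("insert at %s: target 4 found=%v, walked %v\n", c.name, found, seen)
	}
}
```

With head insertion the reader is redirected to the old head and walks 1, 2, 1, 3, 4: it visits node 1 twice, which is harmless for a lookup, and still finds the target. With tail insertion the reused node's next pointer is the end marker, so the walk stops after 1, 2 and never sees 3 or 4; for TCP that is an established connection whose packet finds no socket.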
  2. 19 Jul, 2023 16 commits
    • Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · e80698b7
      Jakub Kicinski authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2023-07-19
      
      We've added 4 non-merge commits during the last 1 day(s) which contain
      a total of 3 files changed, 55 insertions(+), 10 deletions(-).
      
      The main changes are:
      
      1) Fix stack depth check in presence of async callbacks,
         from Kumar Kartikeya Dwivedi.
      
      2) Fix BTI type used for freplace attached functions,
         from Alexander Duyck.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf, arm64: Fix BTI type used for freplace attached functions
        selftests/bpf: Add more tests for check_max_stack_depth bug
        bpf: Repeat check_max_stack_depth for async callbacks
        bpf: Fix subprog idx logic in check_max_stack_depth
      ====================
      
      Link: https://lore.kernel.org/r/20230719174502.74023-1-alexei.starovoitov@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ipv4: ip_gre: fix return value check in erspan_xmit() · aa7cb378
      Yuanjun Gong authored
      goto free_skb if an unexpected result is returned by pskb_trim()
      in erspan_xmit().
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: ip_gre: fix return value check in erspan_fb_xmit() · 02d84f3e
      Yuanjun Gong authored
      goto err_free_skb if an unexpected result is returned by pskb_trim()
      in erspan_fb_xmit().
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • drivers:net: fix return value check in ocelot_fdma_receive_skb · bce56033
      Yuanjun Gong authored
      ocelot_fdma_receive_skb should return false if an unexpected
      value is returned by pskb_trim.
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • drivers: net: fix return value check in emac_tso_csum() · 78a93c31
      Yuanjun Gong authored
      in emac_tso_csum(), return an error code if an unexpected value
      is returned by pskb_trim().
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net:ipv6: check return value of pskb_trim() · 4258faa1
      Yuanjun Gong authored
      goto tx_err if an unexpected result is returned by pskb_trim()
      in ip6erspan_tunnel_xmit().
      
      Fixes: 5a963eb6 ("ip6_gre: Add ERSPAN native tunnel support")
      Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipv4: Use kfree_sensitive instead of kfree · daa75144
      Wang Ming authored
      key might contain private part of the key, so better use
      kfree_sensitive to free it.
      
      Fixes: 38320c70 ("[IPSEC]: Use crypto_aead and authenc in ESP")
      Signed-off-by: Wang Ming <machel@vivo.com>
      Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 7f5acea7
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-07-17 (iavf)
      
      This series contains updates to iavf driver only.
      
      Ding Hui fixes use-after-free issue by calling netif_napi_del() for all
      allocated q_vectors. He also resolves out-of-bounds issue by not
      updating to new values when timeout is encountered.
      
      Marcin and Ahmed change the way resets are handled so that the callback
      operating under the RTNL lock will wait for the reset to finish, the
      rtnl_lock sensitive functions in reset flow will schedule the netdev update
      for later in order to remove circular dependency with the critical lock.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        iavf: fix reset task race with iavf_remove()
        iavf: fix a deadlock caused by rtnl and driver's lock circular dependencies
        Revert "iavf: Do not restart Tx queues after reset task failure"
        Revert "iavf: Detach device during reset task"
        iavf: Wait for reset in callbacks which trigger it
        iavf: use internal state to free traffic IRQs
        iavf: Fix out-of-bounds when setting channels on remove
        iavf: Fix use-after-free in free_netdev
      ====================
      
      Link: https://lore.kernel.org/r/20230717175205.3217774-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge branch 'tcp-annotate-data-races-in-tcp_rsk-req' · e9b2bd96
      Jakub Kicinski authored
      Eric Dumazet says:
      
      ====================
      tcp: annotate data-races in tcp_rsk(req)
      
      Small series addressing two syzbot reports around tcp_rsk(req)
      ====================
      
      Link: https://lore.kernel.org/r/20230717144445.653164-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: annotate data-races around tcp_rsk(req)->ts_recent · eba20811
      Eric Dumazet authored
      TCP request sockets are lockless, tcp_rsk(req)->ts_recent
      can change while being read by another cpu as syzbot noticed.
      
      This is harmless, but we should annotate the known races.
      
      Note that tcp_check_req() changes req->ts_recent a bit early,
      we might change this in the future.
      
      BUG: KCSAN: data-race in tcp_check_req / tcp_check_req
      
      write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1:
      tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762
      tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071
      ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205
      ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233
      NF_HOOK include/linux/netfilter.h:303 [inline]
      ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254
      dst_input include/net/dst.h:468 [inline]
      ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
      NF_HOOK include/linux/netfilter.h:303 [inline]
      ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569
      __netif_receive_skb_one_core net/core/dev.c:5493 [inline]
      __netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607
      process_backlog+0x21f/0x380 net/core/dev.c:5935
      __napi_poll+0x60/0x3b0 net/core/dev.c:6498
      napi_poll net/core/dev.c:6565 [inline]
      net_rx_action+0x32b/0x750 net/core/dev.c:6698
      __do_softirq+0xc1/0x265 kernel/softirq.c:571
      do_softirq+0x7e/0xb0 kernel/softirq.c:472
      __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396
      local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33
      rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline]
      __dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271
      dev_queue_xmit include/linux/netdevice.h:3088 [inline]
      neigh_hh_output include/net/neighbour.h:528 [inline]
      neigh_output include/net/neighbour.h:542 [inline]
      ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229
      ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317
      NF_HOOK_COND include/linux/netfilter.h:292 [inline]
      ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431
      dst_output include/net/dst.h:458 [inline]
      ip_local_out net/ipv4/ip_output.c:126 [inline]
      __ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533
      ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547
      __tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399
      tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]
      tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693
      __tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877
      tcp_push_pending_frames include/net/tcp.h:1952 [inline]
      __tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline]
      tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343
      rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52
      rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422
      rds_send_worker+0x42/0x1d0 net/rds/threads.c:200
      process_one_work+0x3e6/0x750 kernel/workqueue.c:2408
      worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555
      kthread+0x1d7/0x210 kernel/kthread.c:379
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
      
      read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0:
      tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622
      tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071
      ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205
      ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233
      NF_HOOK include/linux/netfilter.h:303 [inline]
      ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254
      dst_input include/net/dst.h:468 [inline]
      ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
      NF_HOOK include/linux/netfilter.h:303 [inline]
      ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569
      __netif_receive_skb_one_core net/core/dev.c:5493 [inline]
      __netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607
      process_backlog+0x21f/0x380 net/core/dev.c:5935
      __napi_poll+0x60/0x3b0 net/core/dev.c:6498
      napi_poll net/core/dev.c:6565 [inline]
      net_rx_action+0x32b/0x750 net/core/dev.c:6698
      __do_softirq+0xc1/0x265 kernel/softirq.c:571
      run_ksoftirqd+0x17/0x20 kernel/softirq.c:939
      smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
      kthread+0x1d7/0x210 kernel/kthread.c:379
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
      
      value changed: 0x1cd237f1 -> 0x1cd237f2
      
      Fixes: 079096f1 ("tcp/dccp: install syn_recv requests into ehash table")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: annotate data-races around tcp_rsk(req)->txhash · 5e526552
      Eric Dumazet authored
      TCP request sockets are lockless, some of their fields
      can change while being read by another cpu as syzbot noticed.
      
      This is usually harmless, but we should annotate the known
      races.
      
      This patch takes care of tcp_rsk(req)->txhash,
      a separate one is needed for tcp_rsk(req)->ts_recent.
      
      BUG: KCSAN: data-race in tcp_make_synack / tcp_rtx_synack
      
      write to 0xffff8881362304bc of 4 bytes by task 32083 on cpu 1:
      tcp_rtx_synack+0x9d/0x2a0 net/ipv4/tcp_output.c:4213
      inet_rtx_syn_ack+0x38/0x80 net/ipv4/inet_connection_sock.c:880
      tcp_check_req+0x379/0xc70 net/ipv4/tcp_minisocks.c:665
      tcp_v6_rcv+0x125b/0x1b20 net/ipv6/tcp_ipv6.c:1673
      ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437
      ip6_input_finish net/ipv6/ip6_input.c:482 [inline]
      NF_HOOK include/linux/netfilter.h:303 [inline]
      ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491
      dst_input include/net/dst.h:468 [inline]
      ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79
      NF_HOOK include/linux/netfilter.h:303 [inline]
      ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309
      __netif_receive_skb_one_core net/core/dev.c:5452 [inline]
      __netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566
      netif_receive_skb_internal net/core/dev.c:5652 [inline]
      netif_receive_skb+0x4a/0x310 net/core/dev.c:5711
      tun_rx_batched+0x3bf/0x400
      tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997
      tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043
      call_write_iter include/linux/fs.h:1871 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x4ab/0x7d0 fs/read_write.c:584
      ksys_write+0xeb/0x1a0 fs/read_write.c:637
      __do_sys_write fs/read_write.c:649 [inline]
      __se_sys_write fs/read_write.c:646 [inline]
      __x64_sys_write+0x42/0x50 fs/read_write.c:646
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      read to 0xffff8881362304bc of 4 bytes by task 32078 on cpu 0:
      tcp_make_synack+0x367/0xb40 net/ipv4/tcp_output.c:3663
      tcp_v6_send_synack+0x72/0x420 net/ipv6/tcp_ipv6.c:544
      tcp_conn_request+0x11a8/0x1560 net/ipv4/tcp_input.c:7059
      tcp_v6_conn_request+0x13f/0x180 net/ipv6/tcp_ipv6.c:1175
      tcp_rcv_state_process+0x156/0x1de0 net/ipv4/tcp_input.c:6494
      tcp_v6_do_rcv+0x98a/0xb70 net/ipv6/tcp_ipv6.c:1509
      tcp_v6_rcv+0x17b8/0x1b20 net/ipv6/tcp_ipv6.c:1735
      ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437
      ip6_input_finish net/ipv6/ip6_input.c:482 [inline]
      NF_HOOK include/linux/netfilter.h:303 [inline]
      ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491
      dst_input include/net/dst.h:468 [inline]
      ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79
      NF_HOOK include/linux/netfilter.h:303 [inline]
      ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309
      __netif_receive_skb_one_core net/core/dev.c:5452 [inline]
      __netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566
      netif_receive_skb_internal net/core/dev.c:5652 [inline]
      netif_receive_skb+0x4a/0x310 net/core/dev.c:5711
      tun_rx_batched+0x3bf/0x400
      tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997
      tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043
      call_write_iter include/linux/fs.h:1871 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x4ab/0x7d0 fs/read_write.c:584
      ksys_write+0xeb/0x1a0 fs/read_write.c:637
      __do_sys_write fs/read_write.c:649 [inline]
      __se_sys_write fs/read_write.c:646 [inline]
      __x64_sys_write+0x42/0x50 fs/read_write.c:646
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      value changed: 0x91d25731 -> 0xe79325cd
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 32078 Comm: syz-executor.4 Not tainted 6.5.0-rc1-syzkaller-00033-geb26cbb1 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
      
      Fixes: 58d607d3 ("tcp: provide skb->hash to synack packets")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Link: https://lore.kernel.org/r/20230717144445.653164-2-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • octeontx2-pf: mcs: Generate hash key using ecb(aes) · e7002b3b
      Subbaraya Sundeep authored
      Hardware generated encryption and ICV tags are found to
      be wrong when tested with IEEE MACSEC test vectors.
      This is because as per the HRM, the hash key (derived by
      AES-ECB block encryption of an all 0s block with the SAK)
      has to be programmed by the software in
      MCSX_RS_MCS_CPM_TX_SLAVE_SA_PLCY_MEM_4X register.
      Hence fix this by generating hash key in software and
      configuring in hardware.
      
      Fixes: c54ffc73 ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading")
      Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
      Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
      Link: https://lore.kernel.org/r/1689574603-28093-1-git-send-email-sbhatta@marvell.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
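The derivation the commit describes, as an added example that is not the octeontx2 driver's code: the AES-GCM hash subkey H is one raw AES block encryption of an all-zero block under the Secure Association Key, which is what MACsec (IEEE 802.1AE, GCM-AES-128 and GCM-AES-256) needs for its ICV computation. The example uses Go's standard crypto/aes; the register programming (MCSX_RS_MCS_CPM_TX_SLAVE_SA_PLCY_MEM_4X) is not modelled, and the result is checked against the H values of the published AES-GCM specification test cases, which are test vectors only and not keys to deploy.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// hashKeyFromSAK derives the GCM hash subkey H for a MACsec Secure
// Association Key: H = AES-ECB_SAK(0^128), a single raw AES block encryption
// of an all-zero block. A 16-byte SAK corresponds to GCM-AES-128 and a
// 32-byte SAK to GCM-AES-256; crypto/aes accepts both (and 24-byte keys).
func hashKeyFromSAK(sak []byte) ([]byte, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err // wrong key length
	}
	h := make([]byte, aes.BlockSize)
	block.Encrypt(h, make([]byte, aes.BlockSize)) // one block, ECB mode
	return h, nil
}

// hashKeyHex wraps hashKeyFromSAK for hex-encoded keys.
func hashKeyHex(sakHex string) (string, error) {
	sak, err := hex.DecodeString(sakHex)
	if err != nil {
		return "", err
	}
	h, err := hashKeyFromSAK(sak)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(h), nil
}

// knownVectors maps SAK -> expected H from the AES-GCM specification test
// cases (all-zero 128-bit key, the feffe992... 128-bit key, all-zero 256-bit
// key). Any correct derivation must reproduce them.
var knownVectors = map[string]string{
	"00000000000000000000000000000000":                                 "66e94bd4ef8a2c3b884cfa59ca342b2e",
	"feffe9928665731c6d6a8f9467308308":                                 "b83b533708bf535d0aa6e52980d53b78",
	"0000000000000000000000000000000000000000000000000000000000000000": "dc95c078a2408989ad48a21492842087",
}

// selfTest returns true only if every known vector is reproduced; a sanity
// check worth running before trusting a value programmed into hardware.
func selfTest() bool {
	for sak, want := range knownVectors {
		got, err := hashKeyHex(sak)
		if err != nil || got != want {
			return false
		}
	}
	return true
}

func main() {
	for sak := range knownVectors {
		h, _ := hashKeyHex(sak)
		fmt.Printf("SAK %s -> H %s\n", sak, h)
	}
	fmt.Println("known vectors reproduced:", selfTest())
}
```

Because H is a deterministic function of the SAK, a wrong H in hardware shows up exactly as the commit says: ciphertext may still decrypt in software but ICV tags fail against the IEEE test vectors, and every frame is rejected by a correct peer.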
    • igc: Prevent garbled TX queue with XDP ZEROCOPY · 78adb4bc
      Florian Kauer authored
      In normal operation, each populated queue item has
      next_to_watch pointing to the last TX desc of the packet,
      while each cleaned item has it set to 0. In particular,
      next_to_use that points to the next (necessarily clean)
      item to use has next_to_watch set to 0.
      
      When the TX queue is used both by an application using
      AF_XDP with ZEROCOPY as well as a second non-XDP application
      generating high traffic, the queue pointers can get in
      an invalid state where next_to_use points to an item
      where next_to_watch is NOT set to 0.
      
      However, the implementation assumes at several places
      that this is never the case, so if it does hold,
      bad things happen. In particular, within the loop inside
      of igc_clean_tx_irq(), next_to_clean can overtake next_to_use.
      Finally, this prevents any further transmission via
      this queue and it never gets unblocked or signaled.
      Secondly, if the queue is in this garbled state,
      the inner loop of igc_clean_tx_ring() will never terminate,
      completely hogging a CPU core.
      
      The reason is that igc_xdp_xmit_zc() reads next_to_use
      before acquiring the lock, and writing it back
      (potentially unmodified) later. If it got modified
      before locking, the outdated next_to_use is written
      pointing to an item that was already used elsewhere
      (and thus next_to_watch got written).
      
      Fixes: 9acf59a7 ("igc: Enable TX via AF_XDP zero-copy")
      Signed-off-by: Florian Kauer <florian.kauer@linutronix.de>
      Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
      Tested-by: Kurt Kanzenbach <kurt@linutronix.de>
      Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Tested-by: Naama Meir <naamax.meir@linux.intel.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
      Link: https://lore.kernel.org/r/20230717175444.3217831-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'linux-can-fixes-for-6.5-20230717' of... · 936fd2c5
      Jakub Kicinski authored
      Merge tag 'linux-can-fixes-for-6.5-20230717' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2023-07-17
      
      The 1st patch is by Ziyang Xuan and fixes a possible memory leak in
      the receiver handling in the CAN RAW protocol.
      
      YueHaibing contributes a use after free in bcm_proc_show() of the
      Broadcast Manager (BCM) CAN protocol.
      
      The next 2 patches are by me and fix a possible null pointer
      dereference in the RX path of the gs_usb driver with activated
      hardware timestamps and the candlelight firmware.
      
      The last patch is by Fedor Ross, Marek Vasut and me and targets the
      mcp251xfd driver. The polling timeout of __mcp251xfd_chip_set_mode()
      is increased to fix bus joining on busy CAN buses and very low bit
      rate.
      
      * tag 'linux-can-fixes-for-6.5-20230717' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
        can: mcp251xfd: __mcp251xfd_chip_set_mode(): increase poll timeout
        can: gs_usb: fix time stamp counter initialization
        can: gs_usb: gs_can_open(): improve error handling
        can: bcm: Fix UAF in bcm_proc_show()
        can: raw: fix receiver memory leak
      ====================
      
      Link: https://lore.kernel.org/r/20230717180938.230816-1-mkl@pengutronix.de
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • mailmap: Add entry for old intel email · 195e903b
      John Fastabend authored
      Fix old email to avoid bouncing email from net/drivers and older
      netdev work. Anyways my @intel email hasn't been active for years.
      Signed-off-by: John Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/r/20230717173306.38407-1-john.fastabend@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • mailmap: add entries for past lives · d1998e50
      Shannon Nelson authored
      Update old emails for my current work email.
      Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
      Link: https://lore.kernel.org/r/20230717193242.43670-1-shannon.nelson@amd.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  3. 18 Jul, 2023 6 commits