1. 02 Aug, 2023 2 commits
    • net: tun_chr_open(): set sk_uid from current_fsuid() · 9bc30473
      Laszlo Ersek authored
      Commit a096ccca initializes the "sk_uid" field in the protocol socket
      (struct sock) from the "/dev/net/tun" device node's owner UID. Per
      original commit 86741ec2 ("net: core: Add a UID field to struct
      sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the
      userspace process that creates the socket. Commit 86741ec2 mentions
      socket() and accept(); with "tun", the action that creates the socket is
      open("/dev/net/tun").
      
      Therefore the device node's owner UID is irrelevant. In most cases,
      "/dev/net/tun" will be owned by root, so in practice, commit a096ccca
      has no observable effect:
      
      - before, "sk_uid" would be zero, due to undefined behavior
        (CVE-2023-1076),
      
      - after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root.
      
      What matters is the (fs)UID of the process performing the open(), so cache
      that in "sk_uid".
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Pietro Borrello <borrello@diag.uniroma1.it>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Fixes: a096ccca ("tun: tun_chr_open(): correctly initialize socket uid")
       Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435
       Signed-off-by: Laszlo Ersek <lersek@redhat.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dcb: choose correct policy to parse DCB_ATTR_BCN · 31d49ba0
      Lin Ma authored
       dcbnl_bcn_setcfg() uses an erroneous policy to parse tb[DCB_ATTR_BCN],
       which was introduced in commit 859ee3c4 ("DCB: Add support for DCB
       BCN"). Please see the comments in the code below:
      
      static int dcbnl_bcn_setcfg(...)
      {
        ...
        ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )
        // !!! dcbnl_pfc_up_nest for attributes
        //  DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
        ...
        for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
        // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
          ...
          value_byte = nla_get_u8(data[i]);
          ...
        }
        ...
        for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
        // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
        ...
          value_int = nla_get_u32(data[i]);
        ...
        }
        ...
      }
      
       That is, nla_parse_nested_deprecated() uses the dcbnl_pfc_up_nest policy
       to parse nlattrs defined in dcbnl_pfc_up_attrs, but the following access
       code fetches each nlattr as a dcbnl_bcn_attrs attribute. By looking up the
       associated nla_policy for dcbnl_bcn_attrs, we can find that the beginning
       parts of these two policies are the "same".
      
      static const struct nla_policy dcbnl_pfc_up_nest[...] = {
              [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_2]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_3]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_4]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_5]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_6]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_7]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
      };
      
      static const struct nla_policy dcbnl_bcn_nest[...] = {
              [DCB_BCN_ATTR_RP_0]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_1]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_2]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_3]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_4]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_5]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_6]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_7]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_ALL]       = {.type = NLA_FLAG},
              // from here is somewhat different
              [DCB_BCN_ATTR_BCNA_0]       = {.type = NLA_U32},
              ...
              [DCB_BCN_ATTR_ALL]          = {.type = NLA_FLAG},
      };
      
       Therefore the current code is buggy, and this
       nla_parse_nested_deprecated() could overflow dcbnl_pfc_up_nest and use
       the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0 on.
      
      Hence use the correct policy dcbnl_bcn_nest to parse the nested
      tb[DCB_ATTR_BCN] TLV.
      
      Fixes: 859ee3c4 ("DCB: Add support for DCB BCN")
       Signed-off-by: Lin Ma <linma@zju.edu.cn>
       Reviewed-by: Simon Horman <horms@kernel.org>
       Link: https://lore.kernel.org/r/20230801013248.87240-1-linma@zju.edu.cn
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
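The policy mismatch described in the commit message, as an added userspace model (example code, not the kernel's dcbnl or nla_parse() implementation). The enums, the policy arrays, the `parse_nested()` function and its `policy_len` argument are stand-ins constructed for the demo: the real nla_parse() has no way to learn the policy array's length, so with the wrong policy it silently indexes past the array, which is exactly the condition the model reports as -2.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: a small userspace model of policy-driven netlink attribute
 * parsing. The type numbers mirror the two enums quoted in the commit message
 * (shared u8 prefix at 1..8, a flag at 9, then u32 attributes from 10 on);
 * only a handful of the BCN types are modelled. */

enum { NLA_UNSPEC = 0, NLA_U8, NLA_U32, NLA_FLAG };
struct nla_policy { int type; };

/* enum dcbnl_pfc_up_attrs stand-in: types 1..9 */
enum { PFC_UP_ATTR_0 = 1, PFC_UP_ATTR_ALL = 9, PFC_UP_ATTR_MAX = PFC_UP_ATTR_ALL };
/* enum dcbnl_bcn_attrs stand-in: 1..9 as above, then u32 types 10..13 */
enum { BCN_ATTR_RP_0 = 1, BCN_ATTR_RP_ALL = 9, BCN_ATTR_BCNA_0 = 10, BCN_ATTR_MAX = 13 };

static const struct nla_policy pfc_up_nest[PFC_UP_ATTR_MAX + 1] = {
	[1] = { NLA_U8 }, [2] = { NLA_U8 }, [3] = { NLA_U8 }, [4] = { NLA_U8 },
	[5] = { NLA_U8 }, [6] = { NLA_U8 }, [7] = { NLA_U8 }, [8] = { NLA_U8 },
	[PFC_UP_ATTR_ALL] = { NLA_FLAG },
};

static const struct nla_policy bcn_nest[BCN_ATTR_MAX + 1] = {
	[1] = { NLA_U8 }, [2] = { NLA_U8 }, [3] = { NLA_U8 }, [4] = { NLA_U8 },
	[5] = { NLA_U8 }, [6] = { NLA_U8 }, [7] = { NLA_U8 }, [8] = { NLA_U8 },
	[BCN_ATTR_RP_ALL] = { NLA_FLAG },
	[10] = { NLA_U32 }, [11] = { NLA_U32 }, [12] = { NLA_U32 }, [13] = { NLA_U32 },
};

/* The invariant nla_parse() relies on but cannot check for itself. */
_Static_assert(sizeof(bcn_nest) / sizeof(bcn_nest[0]) == BCN_ATTR_MAX + 1,
	       "policy array must cover every type up to maxtype");

/* One already-split attribute: type, payload length, payload. */
struct attr { uint16_t type; uint16_t len; const uint8_t *data; };

/*
 * Model of nla_parse_nested(): validate each attribute against policy[type]
 * and store it in tb[type]. Returns the number of attributes stored, -1 on a
 * length/type mismatch, or -2 when the policy array is shorter than
 * maxtype + 1 (the case the kernel cannot detect and reads out of bounds on).
 */
static int parse_nested(const struct attr **tb, int maxtype,
			const struct attr *attrs, size_t n,
			const struct nla_policy *policy, size_t policy_len)
{
	int stored = 0;

	memset(tb, 0, sizeof(*tb) * (size_t)(maxtype + 1));
	if (policy_len < (size_t)maxtype + 1)
		return -2;

	for (size_t i = 0; i < n; i++) {
		const struct attr *a = &attrs[i];
		size_t want;

		if (a->type == 0 || a->type > maxtype)
			continue;	/* unknown types are skipped, as nla_parse() does */
		switch (policy[a->type].type) {
		case NLA_U8:   want = 1; break;
		case NLA_U32:  want = 4; break;
		case NLA_FLAG: want = 0; break;
		default:       want = a->len; break;	/* NLA_UNSPEC: any length */
		}
		if (a->len != want)
			return -1;
		tb[a->type] = a;
		stored++;
	}
	return stored;
}

/* Constructed sample message: one RP byte and one 4-byte BCNA value. */
static const uint8_t rp0 = 1;
static const uint8_t bcna0[4] = { 0x00, 0x00, 0x10, 0x00 };
static const struct attr sample[] = {
	{ BCN_ATTR_RP_0, 1, &rp0 },
	{ BCN_ATTR_BCNA_0, 4, bcna0 },
};
/* Constructed malformed message: a 1-byte payload where a u32 is expected. */
static const struct attr short_u32[] = { { BCN_ATTR_BCNA_0, 1, &rp0 } };

/* Before the fix: BCN maxtype, PFC policy. */
int bcn_setcfg_wrong_policy(void)
{
	const struct attr *tb[BCN_ATTR_MAX + 1];
	return parse_nested(tb, BCN_ATTR_MAX, sample, 2,
			    pfc_up_nest, sizeof(pfc_up_nest) / sizeof(pfc_up_nest[0]));
}

/* After the fix: BCN maxtype, BCN policy. */
int bcn_setcfg_right_policy(void)
{
	const struct attr *tb[BCN_ATTR_MAX + 1];
	return parse_nested(tb, BCN_ATTR_MAX, sample, 2,
			    bcn_nest, sizeof(bcn_nest) / sizeof(bcn_nest[0]));
}

/* With the right policy a too-short u32 is refused instead of read blindly. */
int bcn_setcfg_short_u32(void)
{
	const struct attr *tb[BCN_ATTR_MAX + 1];
	return parse_nested(tb, BCN_ATTR_MAX, short_u32, 1,
			    bcn_nest, sizeof(bcn_nest) / sizeof(bcn_nest[0]));
}
```

The practical check to carry over to real code is the `_Static_assert`: tie every policy array's size to the `maxtype` it is passed with, so a copy-paste of the wrong policy fails to compile rather than validating attributes against whatever happens to follow the array in memory.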
  2. 01 Aug, 2023 13 commits
  3. 31 Jul, 2023 8 commits
    • octeon_ep: initialize mbox mutexes · 611e1b01
      Michal Schmidt authored
      The two mbox-related mutexes are destroyed in octep_ctrl_mbox_uninit(),
      but the corresponding mutex_init calls were missing.
      A "DEBUG_LOCKS_WARN_ON(lock->magic != lock)" warning was emitted with
      CONFIG_DEBUG_MUTEXES on.
      
      Initialize the two mutexes in octep_ctrl_mbox_init().
      
      Fixes: 577f0d1b ("octeon_ep: add separate mailbox command and response queues")
       Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
       Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
       Link: https://lore.kernel.org/r/20230729151516.24153-1-mschmidt@redhat.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • bnxt: don't handle XDP in netpoll · 37b61cda
      Jakub Kicinski authored
       Similarly to other recently fixed drivers, make sure we don't
      try to access XDP or page pool APIs when NAPI budget is 0.
      NAPI budget of 0 may mean that we are in netpoll.
      
      This may result in running software IRQs in hard IRQ context,
      leading to deadlocks or crashes.
      
       To make sure bnapi->tx_pkts doesn't get wiped without handling
      the events, move clearing the field into the handler itself.
      Remember to clear tx_pkts after reset (bnxt_enable_napi())
      as it's technically possible that netpoll will accumulate
      some tx_pkts and then a reset will happen, leaving tx_pkts
      out of sync with reality.
      
      Fixes: 322b87ca ("bnxt_en: add page_pool support")
       Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
       Reviewed-by: Michael Chan <michael.chan@broadcom.com>
       Link: https://lore.kernel.org/r/20230728205020.2784844-1-kuba@kernel.org
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ice: Fix RDMA VSI removal during queue rebuild · 4b31fd4d
      Rafal Rogalski authored
      During qdisc create/delete, it is necessary to rebuild the queue
      of VSIs. An error occurred because the VSIs created by RDMA were
      still active.
      
       Added a check for whether RDMA is active. If so, it disallows qdisc
       changes and writes a message to the system logs.
      
      Fixes: 348048e7 ("ice: Implement iidc operations")
       Signed-off-by: Rafal Rogalski <rafalx.rogalski@intel.com>
       Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
       Signed-off-by: Kamil Maziarz <kamil.maziarz@intel.com>
       Tested-by: Bharathi Sreenivas <bharathi.sreenivas@intel.com>
       Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
       Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
       Link: https://lore.kernel.org/r/20230728171243.2446101-1-anthony.l.nguyen@intel.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • sfc: fix field-spanning memcpy in selftest · 55c1528f
      Edward Cree authored
       Add a struct_group for the whole packet body so we can copy it in one
       go without triggering FORTIFY_SOURCE complaints.
      
      Fixes: cf60ed46 ("sfc: use padding to fix alignment in loopback test")
      Fixes: 30c24dd8 ("sfc: siena: use padding to fix alignment in loopback test")
      Fixes: 1186c6b3 ("sfc: falcon: use padding to fix alignment in loopback test")
       Reviewed-by: Andy Moreton <andy.moreton@amd.com>
       Tested-by: Andy Moreton <andy.moreton@amd.com>
       Signed-off-by: Edward Cree <ecree.xilinx@gmail.com>
       Reviewed-by: Simon Horman <simon.horman@corigine.com>
       Link: https://lore.kernel.org/r/20230728165528.59070-1-edward.cree@amd.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
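What a struct_group() buys over a field-spanning memcpy(), as an added userspace example (not the sfc driver's code). The `struct_group` macro below is a userspace copy of the idea behind the kernel's helper in include/linux/stddef.h, and the `loopback_payload` layout with its field sizes is a stand-in assumed for the demo, not efx_loopback_payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: userspace copy of the struct_group() idea. The members are
 * addressable both individually (anonymous struct) and as one named object. */
#define struct_group(NAME, ...)			\
	union {					\
		struct { __VA_ARGS__ };		\
		struct { __VA_ARGS__ } NAME;	\
	}

struct loopback_payload {
	uint8_t pad[2];			/* alignment padding, as in the Fixes: commits */
	struct_group(packet,		/* everything that goes on the wire */
		uint8_t header[14];	/* Ethernet header */
		uint8_t ip[20];		/* IPv4 header */
		uint8_t udp[8];		/* UDP header */
		uint8_t iteration[2];
		uint8_t msg[16];
	);
};

/* The group overlays its members exactly, so the copy below touches nothing else. */
_Static_assert(offsetof(struct loopback_payload, packet) ==
	       offsetof(struct loopback_payload, header), "group starts at first member");
_Static_assert(sizeof(((struct loopback_payload *)0)->packet) == 14 + 20 + 8 + 2 + 16,
	       "no padding inside the group");

/*
 * One memcpy() of a single named object instead of a copy that starts at
 * &src->header and runs on through msg. FORTIFY_SOURCE sizes the destination
 * from the named member, so a field-spanning copy looks like an overflow of
 * header[], while this one is exactly sizeof(src->packet) bytes by construction.
 */
size_t copy_packet(struct loopback_payload *dst, const struct loopback_payload *src)
{
	memcpy(&dst->packet, &src->packet, sizeof(src->packet));
	return sizeof(src->packet);
}

/* Returns 1 if the whole body was copied and the padding outside it left alone. */
int copy_packet_demo(void)
{
	struct loopback_payload src, dst;

	memset(&src, 0xAB, sizeof(src));	/* constructed sample packet */
	memset(&dst, 0x00, sizeof(dst));
	memcpy(src.msg, "loopback", 8);

	copy_packet(&dst, &src);
	return dst.header[0] == 0xAB && memcmp(dst.msg, "loopback", 8) == 0 &&
	       dst.pad[0] == 0 && dst.pad[1] == 0;
}
```

The two `_Static_assert`s are the checks worth keeping in real code: the group must start at its first member and must not pick up padding, otherwise the "copy the body in one go" size silently includes bytes that are not part of the packet.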
    • net: usb: qmi_wwan: add Quectel EM05GV2 · d4480c9b
      Martin Kohn authored
       Add support for Quectel EM05GV2 (G=global) with vendor ID
       0x2c7c and product ID 0x030e.
      
      Enabling DTR on this modem was necessary to ensure stable operation.
      Patch for usb: serial: option: is also in progress.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
      D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=2c7c ProdID=030e Rev= 3.18
      S:  Manufacturer=Quectel
      S:  Product=Quectel EM05-G
      C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
       Signed-off-by: Martin Kohn <m.kohn@welotec.com>
       Link: https://lore.kernel.org/r/AM0PR04MB57648219DE893EE04FA6CC759701A@AM0PR04MB5764.eurprd04.prod.outlook.com
       Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs · 1e7417c1
      Duoming Zhou authored
      The timer dev->stat_monitor can schedule the delayed work dev->wq and
      the delayed work dev->wq can also arm the dev->stat_monitor timer.
      
       When the device is detaching, the net_device will be deallocated, but
       the net_device private data could still be dereferenced in the delayed
       work or timer handler. As a result, UAF bugs will happen.
      
      One racy situation is shown below:
      
            (Thread 1)                 |      (Thread 2)
      lan78xx_stat_monitor()           |
       ...                             |  lan78xx_disconnect()
       lan78xx_defer_kevent()          |    ...
        ...                            |    cancel_delayed_work_sync(&dev->wq);
        schedule_delayed_work()        |    ...
        (wait some time)               |    free_netdev(net); //free net_device
        lan78xx_delayedwork()          |
        //use net_device private data  |
        dev-> //use                    |
      
      Although we use cancel_delayed_work_sync() to cancel the delayed work
      in lan78xx_disconnect(), it could still be scheduled in timer handler
      lan78xx_stat_monitor().
      
      Another racy situation is shown below:
      
             (Thread 1)                |      (Thread 2)
       lan78xx_delayedwork             |
        mod_timer()                    |  lan78xx_disconnect()
                                       |   cancel_delayed_work_sync()
        (wait some time)               |   if (timer_pending(&dev->stat_monitor))
                                       |       del_timer_sync(&dev->stat_monitor);
        lan78xx_stat_monitor()         |   ...
         lan78xx_defer_kevent()        |   free_netdev(net); //free
          //use net_device private data|
          dev-> //use                  |
      
      Although we use del_timer_sync() to delete the timer, the function
      timer_pending() returns 0 when the timer is activated. As a result,
      the del_timer_sync() will not be executed and the timer could be
      re-armed.
      
       In order to mitigate this bug, we use timer_shutdown_sync() to shut down
       the timer and then use cancel_delayed_work_sync() to cancel the delayed
       work. As a result, the net_device could be deallocated safely.
      
       What's more, dev->flags is set to EVENT_DEV_DISCONNECT in
       lan78xx_disconnect(). But it could still be set to EVENT_STAT_UPDATE
       in lan78xx_stat_monitor(). So this patch puts the set_bit() behind
       timer_shutdown_sync().
      
       Fixes: 77dfff5b ("lan78xx: Fix race condition in disconnect handling")
       Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
       Signed-off-by: David S. Miller <davem@davemloft.net>
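The second interleaving in the commit message, replayed as an added sequential model (example code, not lan78xx or kernel code). Each thread switch is an explicit call, and the `timer_state` names, the `dev_model` struct and the behaviour of the stand-in `timer_pending()`, `del_timer_sync()` and `timer_shutdown_sync()` are assumptions that model what the commit message says about them: the expired timer is no longer pending while its callback runs, and a shut-down timer cannot be re-armed.

```c
#include <stdbool.h>

/*
 * Added example (not lan78xx code): a sequential model of a timer and a
 * delayed work item that re-arm each other. Thread switches are explicit
 * calls; every access to the device after free_netdev() is counted.
 */
enum timer_state { T_IDLE, T_PENDING, T_RUNNING, T_SHUTDOWN };

struct dev_model {
	enum timer_state timer;
	bool work_queued;
	bool freed;	/* free_netdev() has run: any later access is a UAF */
	int uaf_hits;
};

static void touch_dev(struct dev_model *d)
{
	if (d->freed)
		d->uaf_hits++;
}

/* mod_timer(): re-arms, except that a shut-down timer stays down. */
static void mod_timer(struct dev_model *d)
{
	touch_dev(d);
	if (d->timer != T_SHUTDOWN)
		d->timer = T_PENDING;
}

/* timer_pending(): false while the callback is running. */
static bool timer_pending(const struct dev_model *d)
{
	return d->timer == T_PENDING;
}

/* The timer expires: it is dequeued before its callback starts. */
static void timer_expire(struct dev_model *d)
{
	if (d->timer == T_PENDING)
		d->timer = T_RUNNING;
}

/* lan78xx_stat_monitor() body: defer work that touches the device. */
static void timer_callback(struct dev_model *d)
{
	if (d->timer != T_RUNNING)
		return;
	touch_dev(d);
	d->work_queued = true;
	d->timer = T_IDLE;
}

/* lan78xx_delayedwork() body: re-arm the stat monitor. */
static void work_run(struct dev_model *d)
{
	if (!d->work_queued)
		return;
	d->work_queued = false;
	touch_dev(d);
	mod_timer(d);
}

static void cancel_delayed_work_sync(struct dev_model *d) { d->work_queued = false; }

static void del_timer_sync(struct dev_model *d)
{
	if (d->timer == T_PENDING)
		d->timer = T_IDLE;
}

/* timer_shutdown_sync(): waits for a running callback, then forbids re-arming. */
static void timer_shutdown_sync(struct dev_model *d)
{
	timer_callback(d);	/* no-op unless the callback is in flight */
	d->timer = T_SHUTDOWN;
}

/* Teardown as before the fix; returns the number of accesses after free. */
int disconnect_before_fix(void)
{
	struct dev_model d = { .timer = T_IDLE, .work_queued = true };

	work_run(&d);			/* T1: delayed work arms the timer */
	cancel_delayed_work_sync(&d);	/* T2: nothing queued right now */
	timer_expire(&d);		/* timer fires: no longer pending */
	if (timer_pending(&d))		/* T2: sees 0, skips del_timer_sync() */
		del_timer_sync(&d);
	d.freed = true;			/* T2: free_netdev() */
	timer_callback(&d);		/* T1: stat monitor runs on freed dev */
	work_run(&d);			/* ... and its work re-arms the timer */
	return d.uaf_hits;
}

/* Teardown as after the fix, with the same unlucky timer expiry. */
int disconnect_after_fix(void)
{
	struct dev_model d = { .timer = T_IDLE, .work_queued = true };

	work_run(&d);
	timer_expire(&d);
	timer_shutdown_sync(&d);	/* runs the in-flight callback, then disables */
	cancel_delayed_work_sync(&d);	/* drops the work that callback queued */
	d.freed = true;
	timer_callback(&d);		/* nothing to do: timer is shut down */
	work_run(&d);			/* nothing queued */
	return d.uaf_hits;
}
```

The order matters in the fixed sequence: shutting the timer down first closes the only path that can re-queue the work, so the subsequent cancel_delayed_work_sync() is final; doing it the other way round leaves a window in which the callback queues work after the cancel.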
    • dt-bindings: net: mediatek,net: fixup MAC binding · 8469c7f5
      Rafał Miłecki authored
      1. Use unevaluatedProperties
      It's needed to allow ethernet-controller.yaml properties work correctly.
      
      2. Drop unneeded phy-handle/phy-mode
      
      3. Don't require phy-handle
      Some SoCs may use fixed link.
      
       For in-kernel MT7621 DTS files this fixes the following errors:
      arch/mips/boot/dts/ralink/mt7621-tplink-hc220-g5-v1.dtb: ethernet@1e100000: mac@0: 'fixed-link' does not match any of the regexes: 'pinctrl-[0-9]+'
              From schema: Documentation/devicetree/bindings/net/mediatek,net.yaml
      arch/mips/boot/dts/ralink/mt7621-tplink-hc220-g5-v1.dtb: ethernet@1e100000: mac@0: 'phy-handle' is a required property
              From schema: Documentation/devicetree/bindings/net/mediatek,net.yaml
      arch/mips/boot/dts/ralink/mt7621-tplink-hc220-g5-v1.dtb: ethernet@1e100000: mac@1: 'fixed-link' does not match any of the regexes: 'pinctrl-[0-9]+'
              From schema: Documentation/devicetree/bindings/net/mediatek,net.yaml
      arch/mips/boot/dts/ralink/mt7621-tplink-hc220-g5-v1.dtb: ethernet@1e100000: mac@1: 'phy-handle' is a required property
              From schema: Documentation/devicetree/bindings/net/mediatek,net.yaml
       Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
       Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
       Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. · e7397184
      Kuniyuki Iwashima authored
       syzkaller found a zero division error [0] in div_s64_rem() called from
       get_cycle_time_elapsed(), where sched->cycle_time is the divisor.
      
      We have tests in parse_taprio_schedule() so that cycle_time will never
      be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().
      
       The problem is that the types of the divisor are different; cycle_time is
       s64, but the argument of div_s64_rem() is s32.
      
      syzkaller fed this input and 0x100000000 is cast to s32 to be 0.
      
        @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}
      
       We use s64 for cycle_time to cast it to ktime_t, so let's keep it and
       set a max for cycle_time.
      
      While at it, we prevent overflow in setup_txtime() and add another
      test in parse_taprio_schedule() to check if cycle_time overflows.
      
      Also, we add a new tdc test case for this issue.
      
      [0]:
      divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
      CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Workqueue: ipv6_addrconf addrconf_dad_work
      RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]
      RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]
      RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344
      Code: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10
      RSP: 0018:ffffc90000acf260 EFLAGS: 00010206
      RAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000
      RBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934
      R10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800
      R13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0
      PKRU: 55555554
      Call Trace:
       <TASK>
       get_packet_txtime net/sched/sch_taprio.c:508 [inline]
       taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577
       taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658
       dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732
       __dev_xmit_skb net/core/dev.c:3821 [inline]
       __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169
       dev_queue_xmit include/linux/netdevice.h:3088 [inline]
       neigh_resolve_output net/core/neighbour.c:1552 [inline]
       neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532
       neigh_output include/net/neighbour.h:544 [inline]
       ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135
       __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196
       ip6_finish_output net/ipv6/ip6_output.c:207 [inline]
       NF_HOOK_COND include/linux/netfilter.h:292 [inline]
       ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228
       dst_output include/net/dst.h:458 [inline]
       NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303
       ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508
       ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666
       addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175
       process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597
       worker_thread+0x60f/0x1240 kernel/workqueue.c:2748
       kthread+0x2fe/0x3f0 kernel/kthread.c:389
       ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
       </TASK>
      Modules linked in:
      
      Fixes: 4cfd5779 ("taprio: Add support for txtime-assist mode")
       Reported-by: syzkaller <syzkaller@googlegroups.com>
       Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
       Co-developed-by: Eric Dumazet <edumazet@google.com>
       Co-developed-by: Pedro Tammela <pctammela@mojatatu.com>
       Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
       Signed-off-by: David S. Miller <davem@davemloft.net>
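The s64-to-s32 truncation behind the divide error, as an added userspace example (not the taprio or math64.h code). The `div_s64_rem()` here is a plain-C stand-in with the same divisor width as the kernel prototype, and `validate_cycle_time()` and `cycle_time_elapsed()` are constructed for the demo to show the parse-time limit the commit adds and why the division is safe once the limit holds.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>

typedef int64_t s64;
typedef int32_t s32;

/*
 * Added example: the divisor of div_s64_rem() is s32, while taprio keeps
 * cycle_time as s64. This stand-in has the kernel prototype's shape but a
 * plain C body.
 */
static s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
{
	*remainder = (s32)(dividend % divisor);
	return dividend / divisor;
}

/* The implicit conversion at the call site. With the usual two's-complement
 * truncation (gcc/clang) 0x100000000 keeps only its low 32 bits: zero. */
s32 cycle_time_as_divisor(s64 cycle_time)
{
	return (s32)cycle_time;
}

/* Parse-time check in the style the commit adds: 0 was already refused,
 * anything above INT_MAX would truncate. Negative errno values as in-kernel. */
int validate_cycle_time(s64 cycle_time)
{
	if (cycle_time <= 0)
		return -EINVAL;
	if (cycle_time > INT_MAX)
		return -ERANGE;
	return 0;
}

/* get_cycle_time_elapsed() equivalent, reachable only with a validated
 * cycle_time; returns -1 for a rejected value instead of dividing by zero.
 * Callers pass now >= base_time, so a non-negative result means success. */
s64 cycle_time_elapsed(s64 cycle_time, s64 base_time, s64 now)
{
	s32 elapsed;

	if (validate_cycle_time(cycle_time))
		return -1;
	div_s64_rem(now - base_time, (s32)cycle_time, &elapsed);
	return elapsed;
}
```

The general lesson: a non-zero check on a wide integer proves nothing about the narrowed value a helper actually receives, so the range check belongs at the width of the narrowest consumer, and it belongs at the input boundary (the netlink parser) rather than next to the division.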
  4. 29 Jul, 2023 17 commits