1. 19 Jun, 2021 11 commits
    • net: can: ems_usb: fix use-after-free in ems_usb_disconnect() · ab4a0b8f
      Pavel Skripkin authored
      In ems_usb_disconnect() the dev pointer, which is netdev private data, is
      used after the free_candev() call:
      | 	if (dev) {
      | 		unregister_netdev(dev->netdev);
      | 		free_candev(dev->netdev);
      |
      | 		unlink_all_urbs(dev);
      |
      | 		usb_free_urb(dev->intr_urb);
      |
      | 		kfree(dev->intr_in_buffer);
      | 		kfree(dev->tx_msg_buffer);
      | 	}
      
      Fix it by simply moving free_candev() to the end of the block.
      
      Fail log:
      | BUG: KASAN: use-after-free in ems_usb_disconnect
      | Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895
      |
      | CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164
      | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4
      | Workqueue: usb_hub_wq hub_event
      | Call Trace:
      |     dump_stack (lib/dump_stack.c:122)
      |     print_address_description.constprop.0.cold (mm/kasan/report.c:234)
      |     kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436)
      |     ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058)
      
      Fixes: 702171ad ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
      Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done · 22c696fe
      Oleksij Rempel authored
      Set SOCK_RCU_FREE to let RCU call sk_destruct() on completion.
      Without this patch, we will run into j1939_can_recv() after priv was
      freed by j1939_sk_release()->j1939_sk_sock_destruct().
      
      Fixes: 25fe97cb ("can: j1939: move j1939_priv_put() into sk_destruct callback")
      Link: https://lore.kernel.org/r/20210617130623.12705-1-o.rempel@pengutronix.de
      Cc: linux-stable <stable@vger.kernel.org>
      Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Reported-by: syzbot+bdf710cfc41c186fdff3@syzkaller.appspotmail.com
      Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: isotp: isotp_release(): omit unintended hrtimer restart on socket release · 14a4696b
      Oliver Hartkopp authored
      When closing the isotp socket, the potentially running hrtimers are
      canceled before removing the subscription for CAN identifiers via
      can_rx_unregister().
      
      This may lead to an unintended (re)start of a hrtimer in
      isotp_rcv_cf() and isotp_rcv_fc() in the case that a CAN frame is
      received by isotp_rcv() while the subscription removal is processed.
      
      However, isotp_rcv() is called under RCU protection, so after calling
      can_rx_unregister, we may call synchronize_rcu in order to wait for
      any RCU read-side critical sections to finish. This prevents the
      reception of CAN frames after hrtimer_cancel() and therefore the
      unintended (re)start of the hrtimers.
      
      Link: https://lore.kernel.org/r/20210618173713.2296-1-socketcan@hartkopp.net
      Fixes: e057dd3f ("can: add ISO 15765-2:2016 transport protocol")
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: gw: synchronize rcu operations before removing gw job entry · fb8696ab
      Oliver Hartkopp authored
      can_can_gw_rcv() is called under RCU protection, so after calling
      can_rx_unregister(), we have to call synchronize_rcu in order to wait
      for any RCU read-side critical sections to finish before removing the
      kmem_cache entry with the referenced gw job entry.
      
      Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net
      Fixes: c1aabdf3 ("can-gw: add netlink based CAN routing")
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: bcm: delay release of struct bcm_op after synchronize_rcu() · d5f9023f
      Thadeu Lima de Souza Cascardo authored
      can_rx_register() callbacks may be called concurrently to the call to
      can_rx_unregister(). The callbacks and callback data, though, are
      protected by RCU and the struct sock reference count.
      
      So the callback data is really attached to the life of sk, meaning
      that it should be released on sk_destruct. However, bcm_remove_op()
      calls tasklet_kill(), and RCU callbacks may be called under RCU
      softirq, so that cannot be used on kernels before the introduction of
      HRTIMER_MODE_SOFT.
      
      However, bcm_rx_handler() is called under RCU protection, so after
      calling can_rx_unregister(), we may call synchronize_rcu() in order to
      wait for any RCU read-side critical sections to finish. That is,
      bcm_rx_handler() won't be called anymore for those ops. So, we only
      free them, after we do that synchronize_rcu().
      
      Fixes: ffd980f9 ("[CAN]: Add broadcast manager (bcm) protocol")
      Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com
      Cc: linux-stable <stable@vger.kernel.org>
      Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com
      Reported-by: Norbert Slusarek <nslusarek@gmx.net>
      Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
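      The lifetime rule that the bcm, gw, isotp and j1939 commits above all restore (a can_rx_register() callback runs under RCU, so its data may only be freed after a grace period), shown as an added user-space C model. This is not kernel code and not from any of the commits: the toy RCU (a reader counter plus a callback queue), the static object pool, the poison value and the scripted interleaving are all assumptions of the model, and synchronize_rcu()+kfree() is represented by a deferred call_rcu() because a single-threaded model cannot block.

```c
/*
 * Added example, not kernel code: a scripted single-threaded model of the
 * lifetime rule behind the bcm, gw, isotp and j1939 fixes. A callback set up
 * with can_rx_register() runs inside an RCU read-side critical section, so
 * its data may only be freed after a grace period. RCU is modelled as a
 * reader count plus a callback queue drained when the last reader leaves;
 * "freeing" poisons the object (kept in a static pool) so a stale use is
 * observable rather than undefined. All names are the model's own.
 */
#include <stddef.h>
#include <stdint.h>

#define LIVE_MAGIC  0xb0cab0cau
#define POISON_FREE 0x6b6b6b6bu
#define RX_SLOTS    4

struct rx_data  { uint32_t magic; int frames_seen; };   /* bcm_op, gw job, sk priv */
struct rx_entry { int can_id; struct rx_data *data; int live; };
struct rcu_cb   { void (*fn)(void *); void *arg; };

static int rcu_readers;                 /* readers inside rcu_read_lock() */
static struct rcu_cb rcu_pending[RX_SLOTS];
static int rcu_npending;
static struct rx_entry rx_table[RX_SLOTS];
static struct rx_data rx_pool;          /* the object whose lifetime we track */

/* Toy RCU: queued callbacks run only once no reader is in a critical section. */
static void rcu_drain(void)
{
    if (rcu_readers)
        return;
    for (int i = 0; i < rcu_npending; i++)
        rcu_pending[i].fn(rcu_pending[i].arg);
    rcu_npending = 0;
}
static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; rcu_drain(); }
static void call_rcu(void *arg, void (*fn)(void *))
{
    if (rcu_npending < RX_SLOTS)
        rcu_pending[rcu_npending++] = (struct rcu_cb){ fn, arg };
    rcu_drain();
}

/* Toy can_rx_register()/can_rx_unregister(). */
static struct rx_entry *can_rx_register(int can_id, struct rx_data *d)
{
    for (int i = 0; i < RX_SLOTS; i++)
        if (!rx_table[i].live) {
            rx_table[i] = (struct rx_entry){ can_id, d, 1 };
            return &rx_table[i];
        }
    return NULL;
}
static void can_rx_unregister(struct rx_entry *e) { e->live = 0; }

/* Reader side (can_rcv_filter()): the pointer found here is used until
 * rcu_read_unlock(), even if the entry is unregistered in between. */
static struct rx_entry *can_rcv_lookup(int can_id)
{
    for (int i = 0; i < RX_SLOTS; i++)
        if (rx_table[i].live && rx_table[i].can_id == can_id)
            return &rx_table[i];
    return NULL;
}

/* Protocol callback (bcm_rx_handler() etc.): returns 1 if it touched freed
 * data, which is where KASAN would report. */
static int rx_handler(struct rx_entry *e)
{
    if (e->data->magic != LIVE_MAGIC)
        return 1;
    e->data->frames_seen++;
    return 0;
}

static void rx_data_free(void *p) { ((struct rx_data *)p)->magic = POISON_FREE; }

/* Removal path. defer=0 frees right after unregistering (the old code);
 * defer=1 frees after a grace period, where call_rcu() stands in for both
 * synchronize_rcu()+kfree() and the SOCK_RCU_FREE sk_destruct() path. */
static void remove_op(struct rx_entry *e, int defer)
{
    struct rx_data *d = e->data;
    can_rx_unregister(e);
    if (defer)
        call_rcu(d, rx_data_free);
    else
        rx_data_free(d);
}

/* Scripted race: the reader has already looked the entry up when the writer
 * removes it. Returns 1 if the callback used freed data. */
static int run_race(int defer)
{
    for (int i = 0; i < RX_SLOTS; i++)
        rx_table[i].live = 0;
    rcu_readers = rcu_npending = 0;
    rx_pool = (struct rx_data){ LIVE_MAGIC, 0 };
    struct rx_entry *e = can_rx_register(0x123, &rx_pool);
    rcu_read_lock();                            /* can_receive() */
    struct rx_entry *hit = can_rcv_lookup(0x123);
    remove_op(e, defer);                        /* writer interleaves here */
    int uaf = rx_handler(hit);                  /* reader uses hit->data */
    rcu_read_unlock();                          /* grace period ends here */
    return uaf;
}

/* 1 once rx_pool was released; with defer=1 only after rcu_read_unlock(). */
static int rx_pool_is_freed(void) { return rx_pool.magic == POISON_FREE; }
```

      run_race(0) reproduces the old order and reports the stale use; run_race(1) completes the callback on live data and only then, at rcu_read_unlock(), lets the deferred free run. Unregistering alone never protects a reader that already holds the pointer; only the grace period does.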
    • Merge branch 'ezchip-fixes' · dda2626b
      David S. Miller authored
      Pavel Skripkin says:
      
      ====================
      net: ethernet: ezchip: bug fixing and code improvements
      
      While manually reviewing code, I found some errors in the ezchip driver.
      Two of them look very dangerous:
        1. use-after-free in nps_enet_remove
            Accessing netdev private data after free_netdev()
      
        2. wrong error handling of platform_get_irq()
            It can cause passing negative irq to request_irq()
      
      Also, in the 2nd patch I removed a redundant check to increase execution
      speed and make the code more straightforward.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: ezchip: fix error handling · 0de449d5
      Pavel Skripkin authored
      As documented at drivers/base/platform.c for platform_get_irq:
      
       * Gets an IRQ for a platform device and prints an error message if finding the
       * IRQ fails. Device drivers should check the return value for errors so as to
       * not pass a negative integer value to the request_irq() APIs.
      
      So, the driver should check that the platform_get_irq() return value
      is _negative_, not that it's equal to zero, because -ENXIO (the return
      value from request_irq() if the irq was not found) will
      pass this check, and it leads to passing a negative irq to request_irq().
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: ezchip: remove redundant check · 4ae85b23
      Pavel Skripkin authored
      The err variable will be set every time the code gets
      into this path. This check will just slow down the execution,
      and that's all.
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: ezchip: fix UAF in nps_enet_remove · e4b8700e
      Pavel Skripkin authored
      priv is netdev private data, but it is used
      after free_netdev(). It can cause a use-after-free when accessing the priv
      pointer. So, fix it by moving free_netdev() after the netif_napi_del()
      call.
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ethernet: aeroflex: fix UAF in greth_of_remove · e3a5de6d
      Pavel Skripkin authored
      static int greth_of_remove(struct platform_device *of_dev)
      {
      ...
      	struct greth_private *greth = netdev_priv(ndev);
      ...
      	unregister_netdev(ndev);
      	free_netdev(ndev);
      
      	of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
      ...
      }
      
      greth is netdev private data, but it is used
      after free_netdev(). It can cause a use-after-free when accessing the greth
      pointer. So, fix it by moving free_netdev() after the of_iounmap()
      call.
      
      Fixes: d4c41139 ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
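      The ordering bug shared by the three remove-path fixes above (ems_usb_disconnect(), nps_enet_remove() and greth_of_remove()), shown as an added user-space C model. This is not kernel code and not from any of the commits: the struct layout, the toy alloc_netdev()/free_netdev(), the resource names and the poisoning free are assumptions of the model. It relies on one real property of the kernel API, that netdev_priv() points into the same allocation that free_netdev()/free_candev() releases.

```c
/*
 * Added example, not kernel code: models the teardown-ordering bug fixed in
 * ems_usb_disconnect(), nps_enet_remove() and greth_of_remove() above. In the
 * kernel the area returned by netdev_priv() lives in the same allocation as
 * struct net_device, so free_netdev()/free_candev() frees it too. The toy
 * free below poisons the object with 0x6b (SLUB's POISON_FREE) and keeps it
 * allocated, so a read through a stale priv pointer is observable instead of
 * undefined behaviour. All names are the model's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b
#define LIVE_MAGIC  0xa11ceb0bu

/* Toy net_device: priv is carved from the tail of the same allocation,
 * as alloc_netdev() does. */
struct net_device {
    size_t priv_size;
    int registered;
    uint8_t priv[];
};

/* Toy driver private data (greth_private, nps_enet_priv, ems_usb). */
struct toy_priv {
    uint32_t magic;      /* LIVE_MAGIC while the object is valid */
    void *regs;          /* MMIO mapping, unmapped at remove time */
    void *rx_buf;        /* buffer kfree'd at remove time */
};

static void *netdev_priv(struct net_device *dev) { return dev->priv; }

static struct net_device *alloc_netdev(size_t priv_size)
{
    struct net_device *dev = calloc(1, sizeof(*dev) + priv_size);
    if (!dev)
        return NULL;
    dev->priv_size = priv_size;
    dev->registered = 1;
    struct toy_priv *p = netdev_priv(dev);
    p->magic = LIVE_MAGIC;
    p->regs = malloc(64);
    p->rx_buf = malloc(64);
    return dev;
}

static void unregister_netdev(struct net_device *dev) { dev->registered = 0; }

/* Quarantining free: poison the whole object, priv included, instead of
 * handing it back to the allocator (a crude stand-in for slub_debug=P/KASAN). */
static void free_netdev(struct net_device *dev)
{
    memset(dev, POISON_FREE, sizeof(*dev) + dev->priv_size);
}

static int priv_is_freed(const struct toy_priv *p) { return p->magic != LIVE_MAGIC; }

/* The cleanup that reads priv (of_iounmap()/kfree() in the real drivers).
 * Returns 1 when it would have dereferenced freed memory. */
static int release_priv_resources(struct toy_priv *p)
{
    if (priv_is_freed(p))
        return 1;        /* KASAN reports here; do not chase 0x6b6b... pointers */
    free(p->regs);
    free(p->rx_buf);
    p->regs = p->rx_buf = NULL;
    return 0;
}

/* Old order (the bug): free_netdev() runs before the cleanup that needs priv. */
static int remove_buggy(struct net_device *dev)
{
    struct toy_priv *priv = netdev_priv(dev);

    unregister_netdev(dev);
    free_netdev(dev);                   /* priv dangles from here on */
    return release_priv_resources(priv);
}

/* Fixed order: every access to priv happens before free_netdev(). */
static int remove_fixed(struct net_device *dev)
{
    struct toy_priv *priv = netdev_priv(dev);
    int uaf;

    unregister_netdev(dev);
    uaf = release_priv_resources(priv);
    free_netdev(dev);                   /* last use of dev and priv */
    return uaf;
}

int main(void)
{
    int old_order = remove_buggy(alloc_netdev(sizeof(struct toy_priv)));
    int new_order = remove_fixed(alloc_netdev(sizeof(struct toy_priv)));
    printf("old order: uaf=%d, fixed order: uaf=%d\n", old_order, new_order);
    return 0;
}
```

      The review rule the model encodes: in a remove()/disconnect() path, free_netdev() (or free_candev()) must be the last statement that can touch anything reached through netdev_priv(). With a real free() in place of the poisoning one, the old order is a genuine heap use-after-free that AddressSanitizer reports the same way KASAN did in the ems_usb log above.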
    • Merge tag 'net-5.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 9ed13a17
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.13-rc7, including fixes from wireless, bpf,
        bluetooth, netfilter and can.
      
        Current release - regressions:
      
         - mlxsw: spectrum_qdisc: Pass handle, not band number to find_class()
           to fix modifying offloaded qdiscs
      
         - lantiq: net: fix duplicated skb in rx descriptor ring
      
         - rtnetlink: fix regression in bridge VLAN configuration, empty info
           is not an error, bot-generated "fix" was not needed
      
         - libbpf: s/rx/tx/ typo on umem->rx_ring_setup_done to fix umem
           creation
      
        Current release - new code bugs:
      
         - ethtool: fix NULL pointer dereference during module EEPROM dump via
           the new netlink API
      
         - mlx5e: don't update netdev RQs with PTP-RQ, the special purpose
           queue should not be visible to the stack
      
         - mlx5e: select special PTP queue only for SKBTX_HW_TSTAMP skbs
      
         - mlx5e: verify dev is present in get devlink port ndo, avoid a panic
      
        Previous releases - regressions:
      
         - neighbour: allow NUD_NOARP entries to be force GCed
      
         - further fixes for fallout from reorg of WiFi locking (staging:
           rtl8723bs, mac80211, cfg80211)
      
         - skbuff: fix incorrect msg_zerocopy copy notifications
      
         - mac80211: fix NULL ptr deref for injected rate info
      
         - Revert "net/mlx5: Arm only EQs with EQEs" it may cause missed IRQs
      
        Previous releases - always broken:
      
         - bpf: more speculative execution fixes
      
         - netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local
      
         - udp: fix race between close() and udp_abort() resulting in a panic
      
         - fix out of bounds when parsing TCP options before packets are
           validated (in netfilter: synproxy, tc: sch_cake and mptcp)
      
         - mptcp: improve operation under memory pressure, add missing
           wake-ups
      
         - mptcp: fix double-lock/soft lookup in subflow_error_report()
      
         - bridge: fix races (null pointer deref and UAF) in vlan tunnel
           egress
      
         - ena: fix DMA mapping function issues in XDP
      
         - rds: fix memory leak in rds_recvmsg
      
        Misc:
      
         - vrf: allow larger MTUs
      
         - icmp: don't send out ICMP messages with a source address of 0.0.0.0
      
         - cdc_ncm: switch to eth%d interface naming"
      
      * tag 'net-5.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (139 commits)
        net: ethernet: fix potential use-after-free in ec_bhf_remove
        selftests/net: Add icmp.sh for testing ICMP dummy address responses
        icmp: don't send out ICMP messages with a source address of 0.0.0.0
        net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
        net: ll_temac: Fix TX BD buffer overwrite
        net: ll_temac: Add memory-barriers for TX BD access
        net: ll_temac: Make sure to free skb when it is completely used
        MAINTAINERS: add Guvenc as SMC maintainer
        bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path
        bnxt_en: Fix TQM fastpath ring backing store computation
        bnxt_en: Rediscover PHY capabilities after firmware reset
        cxgb4: fix wrong shift.
        mac80211: handle various extensible elements correctly
        mac80211: reset profile_periodicity/ema_ap
        cfg80211: avoid double free of PMSR request
        cfg80211: make certificate generation more robust
        mac80211: minstrel_ht: fix sample time check
        net: qed: Fix memcpy() overflow of qed_dcbx_params()
        net: cdc_eem: fix tx fixup skb leak
        net: hamradio: fix memory leak in mkiss_close
        ...
  2. 18 Jun, 2021 29 commits