1. 29 Jul, 2023 13 commits
    • Eric Dumazet's avatar
      net: add missing READ_ONCE(sk->sk_rcvbuf) annotation · b4b55325
      Eric Dumazet authored
      In a prior commit, I forgot to change sk_getsockopt()
      when reading sk->sk_rcvbuf locklessly.
      
      Fixes: ebb3b78d ("tcp: annotate sk->sk_rcvbuf lockless reads")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b4b55325
    • Eric Dumazet's avatar
      net: add missing READ_ONCE(sk->sk_sndbuf) annotation · 74bc0843
      Eric Dumazet authored
      In a prior commit, I forgot to change sk_getsockopt()
      when reading sk->sk_sndbuf locklessly.
      
      Fixes: e292f05e ("tcp: annotate sk->sk_sndbuf lockless reads")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      74bc0843
    • Eric Dumazet's avatar
      net: annotate data-races around sk->sk_{rcv|snd}timeo · 285975dd
      Eric Dumazet authored
      sk_getsockopt() runs without locks, we must add annotations
      to sk->sk_rcvtimeo and sk->sk_sndtimeo.
      
      In the future we might allow fetching these fields before
      we lock the socket in TCP fast path.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      285975dd
    • Eric Dumazet's avatar
      net: add missing READ_ONCE(sk->sk_rcvlowat) annotation · e6d12bdb
      Eric Dumazet authored
      In a prior commit, I forgot to change sk_getsockopt()
      when reading sk->sk_rcvlowat locklessly.
      
      Fixes: eac66402 ("net: annotate sk->sk_rcvlowat lockless reads")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e6d12bdb
    • Eric Dumazet's avatar
      net: annotate data-races around sk->sk_max_pacing_rate · ea7f45ef
      Eric Dumazet authored
      sk_getsockopt() runs locklessly. This means sk->sk_max_pacing_rate
      can be read while other threads are changing its value.
      
      Fixes: 62748f32 ("net: introduce SO_MAX_PACING_RATE")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ea7f45ef
    • Eric Dumazet's avatar
      net: annotate data-race around sk->sk_txrehash · c76a0328
      Eric Dumazet authored
      sk_getsockopt() runs locklessly. This means sk->sk_txrehash
      can be read while other threads are changing its value.
      
      Other locations were handled in commit cb6cd2ce
      ("tcp: Change SYN ACK retransmit behaviour to account for rehash")
      
      Fixes: 26859240 ("txhash: Add socket option to control TX hash rethink behavior")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Akhmat Karakotov <hmukos@yandex-team.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c76a0328
    • Eric Dumazet's avatar
      net: annotate data-races around sk->sk_reserved_mem · fe11fdcb
      Eric Dumazet authored
      sk_getsockopt() runs locklessly. This means sk->sk_reserved_mem
      can be read while other threads are changing its value.
      
      Add missing annotations where they are needed.
      
      Fixes: 2bb2f5fb ("net: add new socket option SO_RESERVE_MEM")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Wei Wang <weiwan@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fe11fdcb
    • Richard Gobert's avatar
      net: gro: fix misuse of CB in udp socket lookup · 7938cd15
      Richard Gobert authored
      This patch fixes a misuse of IP{6}CB(skb) in GRO, while calling to
      `udp6_lib_lookup2` when handling udp tunnels. `udp6_lib_lookup2` fetch the
      device from CB. The fix changes it to fetch the device from `skb->dev`.
      l3mdev case requires special attention since it has a master and a slave
      device.
      
      Fixes: a6024562 ("udp: Add GRO functions to UDP socket")
      Reported-by: default avatarGal Pressman <gal@nvidia.com>
      Signed-off-by: default avatarRichard Gobert <richardbgobert@gmail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7938cd15
    • Konstantin Khorenko's avatar
      qed: Fix scheduling in a tasklet while getting stats · e346e231
      Konstantin Khorenko authored
      Here we've got to a situation when tasklet called usleep_range() in PTT
      acquire logic, thus welcome to the "scheduling while atomic" BUG().
      
        BUG: scheduling while atomic: swapper/24/0/0x00000100
      
         [<ffffffffb41c6199>] schedule+0x29/0x70
         [<ffffffffb41c5512>] schedule_hrtimeout_range_clock+0xb2/0x150
         [<ffffffffb41c55c3>] schedule_hrtimeout_range+0x13/0x20
         [<ffffffffb41c3bcf>] usleep_range+0x4f/0x70
         [<ffffffffc08d3e58>] qed_ptt_acquire+0x38/0x100 [qed]
         [<ffffffffc08eac48>] _qed_get_vport_stats+0x458/0x580 [qed]
         [<ffffffffc08ead8c>] qed_get_vport_stats+0x1c/0xd0 [qed]
         [<ffffffffc08dffd3>] qed_get_protocol_stats+0x93/0x100 [qed]
                              qed_mcp_send_protocol_stats
                  case MFW_DRV_MSG_GET_LAN_STATS:
                  case MFW_DRV_MSG_GET_FCOE_STATS:
                  case MFW_DRV_MSG_GET_ISCSI_STATS:
                  case MFW_DRV_MSG_GET_RDMA_STATS:
         [<ffffffffc08e36d8>] qed_mcp_handle_events+0x2d8/0x890 [qed]
                              qed_int_assertion
                              qed_int_attentions
         [<ffffffffc08d9490>] qed_int_sp_dpc+0xa50/0xdc0 [qed]
         [<ffffffffb3aa7623>] tasklet_action+0x83/0x140
         [<ffffffffb41d9125>] __do_softirq+0x125/0x2bb
         [<ffffffffb41d560c>] call_softirq+0x1c/0x30
         [<ffffffffb3a30645>] do_softirq+0x65/0xa0
         [<ffffffffb3aa78d5>] irq_exit+0x105/0x110
         [<ffffffffb41d8996>] do_IRQ+0x56/0xf0
      
      Fix this by making caller to provide the context whether it could be in
      atomic context flow or not when getting stats from QED driver.
      QED driver based on the context provided decide to schedule out or not
      when acquiring the PTT BAR window.
      
      We faced the BUG_ON() while getting vport stats, but according to the
      code same issue could happen for fcoe and iscsi statistics as well, so
      fixing them too.
      
      Fixes: 6c754246 ("qed: Add support for NCSI statistics.")
      Fixes: 1e128c81 ("qed: Add support for hardware offloaded FCoE.")
      Fixes: 2f2b2614 ("qed: Provide iSCSI statistics to management")
      Cc: Sudarsana Kalluru <skalluru@marvell.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: Manish Chopra <manishc@marvell.com>
      Signed-off-by: default avatarKonstantin Khorenko <khorenko@virtuozzo.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e346e231
    • Lukasz Majewski's avatar
      net: dsa: microchip: KSZ9477 register regmap alignment to 32 bit boundaries · 8d7ae22a
      Lukasz Majewski authored
      The commit (SHA1: 5c844d57) provided code
      to apply "Module 6: Certain PHY registers must be written as pairs instead
      of singly" errata for KSZ9477 as this chip for certain PHY registers
      (0xN120 to 0xN13F, N=1,2,3,4,5) must be accesses as 32 bit words instead
      of 16 or 8 bit access.
      Otherwise, adjacent registers (no matter if reserved or not) are
      overwritten with 0x0.
      
      Without this patch some registers (e.g. 0x113c or 0x1134) required for 32
      bit access are out of valid regmap ranges.
      
      As a result, following error is observed and KSZ9477 is not properly
      configured:
      
      ksz-switch spi1.0: can't rmw 32bit reg 0x113c: -EIO
      ksz-switch spi1.0: can't rmw 32bit reg 0x1134: -EIO
      ksz-switch spi1.0 lan1 (uninitialized): failed to connect to PHY: -EIO
      ksz-switch spi1.0 lan1 (uninitialized): error -5 setting up PHY for tree 0, switch 0, port 0
      
      The solution is to modify regmap_reg_range to allow accesses with 4 bytes
      boundaries.
      Signed-off-by: default avatarLukasz Majewski <lukma@denx.de>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d7ae22a
    • Thierry Reding's avatar
      net: stmmac: tegra: Properly allocate clock bulk data · a0b1b205
      Thierry Reding authored
      The clock data is an array of struct clk_bulk_data, so make sure to
      allocate enough memory.
      
      Fixes: d8ca1137 ("net: stmmac: tegra: Add MGBE support")
      Signed-off-by: default avatarThierry Reding <treding@nvidia.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a0b1b205
    • Chengfeng Ye's avatar
      mISDN: hfcpci: Fix potential deadlock on &hc->lock · 56c6be35
      Chengfeng Ye authored
      As &hc->lock is acquired by both timer _hfcpci_softirq() and hardirq
      hfcpci_int(), the timer should disable irq before lock acquisition
      otherwise deadlock could happen if the timmer is preemtped by the hadr irq.
      
      Possible deadlock scenario:
      hfcpci_softirq() (timer)
          -> _hfcpci_softirq()
          -> spin_lock(&hc->lock);
              <irq interruption>
              -> hfcpci_int()
              -> spin_lock(&hc->lock); (deadlock here)
      
      This flaw was found by an experimental static analysis tool I am developing
      for irq-related deadlock.
      
      The tentative patch fixes the potential deadlock by spin_lock_irq()
      in timer.
      
      Fixes: b36b654a ("mISDN: Create /sys/class/mISDN")
      Signed-off-by: default avatarChengfeng Ye <dg573847474@gmail.com>
      Link: https://lore.kernel.org/r/20230727085619.7419-1-dg573847474@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      56c6be35
    • Jamal Hadi Salim's avatar
      net: sched: cls_u32: Fix match key mis-addressing · e68409db
      Jamal Hadi Salim authored
      A match entry is uniquely identified with an "address" or "path" in the
      form of: hashtable ID(12b):bucketid(8b):nodeid(12b).
      
      When creating table match entries all of hash table id, bucket id and
      node (match entry id) are needed to be either specified by the user or
      reasonable in-kernel defaults are used. The in-kernel default for a table id is
      0x800(omnipresent root table); for bucketid it is 0x0. Prior to this fix there
      was none for a nodeid i.e. the code assumed that the user passed the correct
      nodeid and if the user passes a nodeid of 0 (as Mingi Cho did) then that is what
      was used. But nodeid of 0 is reserved for identifying the table. This is not
      a problem until we dump. The dump code notices that the nodeid is zero and
      assumes it is referencing a table and therefore references table struct
      tc_u_hnode instead of what was created i.e match entry struct tc_u_knode.
      
      Ming does an equivalent of:
      tc filter add dev dummy0 parent 10: prio 1 handle 0x1000 \
      protocol ip u32 match ip src 10.0.0.1/32 classid 10:1 action ok
      
      Essentially specifying a table id 0, bucketid 1 and nodeid of zero
      Tableid 0 is remapped to the default of 0x800.
      Bucketid 1 is ignored and defaults to 0x00.
      Nodeid was assumed to be what Ming passed - 0x000
      
      dumping before fix shows:
      ~$ tc filter ls dev dummy0 parent 10:
      filter protocol ip pref 1 u32 chain 0
      filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1
      filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor -30591
      
      Note that the last line reports a table instead of a match entry
      (you can tell this because it says "ht divisor...").
      As a result of reporting the wrong data type (misinterpretting of struct
      tc_u_knode as being struct tc_u_hnode) the divisor is reported with value
      of -30591. Ming identified this as part of the heap address
      (physmap_base is 0xffff8880 (-30591 - 1)).
      
      The fix is to ensure that when table entry matches are added and no
      nodeid is specified (i.e nodeid == 0) then we get the next available
      nodeid from the table's pool.
      
      After the fix, this is what the dump shows:
      $ tc filter ls dev dummy0 parent 10:
      filter protocol ip pref 1 u32 chain 0
      filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1
      filter protocol ip pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 10:1 not_in_hw
        match 0a000001/ffffffff at 12
      	action order 1: gact action pass
      	 random type none pass val 0
      	 index 1 ref 1 bind 1
      Reported-by: default avatarMingi Cho <mgcho.minic@gmail.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Link: https://lore.kernel.org/r/20230726135151.416917-1-jhs@mojatatu.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e68409db
  2. 28 Jul, 2023 7 commits
    • Eugen Hristev's avatar
      dt-bindings: net: rockchip-dwmac: fix {tx|rx}-delay defaults/range in schema · 5416d792
      Eugen Hristev authored
      The range and the defaults are specified in the description instead of
      being specified in the schema.
      Fix it by adding the default value in the `default` field and specifying
      the range as `minimum` and `maximum`.
      
      Fixes: b331b8ef ("dt-bindings: net: convert rockchip-dwmac to json-schema")
      Signed-off-by: default avatarEugen Hristev <eugen.hristev@collabora.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5416d792
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2023-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 4a082260
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-07-26
      
      This series provides bug fixes to mlx5 driver.
      
      * tag 'mlx5-fixes-2023-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5: Unregister devlink params in case interface is down
        net/mlx5: DR, Fix peer domain namespace setting
        net/mlx5: fs_chains: Fix ft prio if ignore_flow_level is not supported
        net/mlx5e: kTLS, Fix protection domain in use syndrome when devlink reload
        net/mlx5: Bridge, set debugfs access right to root-only
        net/mlx5e: xsk: Fix crash on regular rq reactivation
        net/mlx5e: xsk: Fix invalid buffer access for legacy rq
        net/mlx5e: Move representor neigh cleanup to profile cleanup_tx
        net/mlx5e: Fix crash moving to switchdev mode when ntuple offload is set
        net/mlx5e: Don't hold encap tbl lock if there is no encap action
        net/mlx5: Honor user input for migratable port fn attr
        net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer()
        net/mlx5: fix potential memory leak in mlx5e_init_rep_rx
        net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx
        net/mlx5e: fix double free in macsec_fs_tx_create_crypto_table_groups
      ====================
      
      Link: https://lore.kernel.org/r/20230726213206.47022-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4a082260
    • Yuanjun Gong's avatar
      net: dsa: fix value check in bcm_sf2_sw_probe() · dadc5b86
      Yuanjun Gong authored
      in bcm_sf2_sw_probe(), check the return value of clk_prepare_enable()
      and return the error code if clk_prepare_enable() returns an
      unexpected value.
      
      Fixes: e9ec5c3b ("net: dsa: bcm_sf2: request and handle clocks")
      Signed-off-by: default avatarYuanjun Gong <ruc_gongyuanjun@163.com>
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/20230726170506.16547-1-ruc_gongyuanjun@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      dadc5b86
    • Eric Dumazet's avatar
      net: flower: fix stack-out-of-bounds in fl_set_key_cfm() · 4d50e500
      Eric Dumazet authored
      Typical misuse of
      
      	nla_parse_nested(array, XXX_MAX, ...);
      
      array must be declared as
      
      	struct nlattr *array[XXX_MAX + 1];
      
      v2: Based on feedbacks from Ido Schimmel and Zahari Doychev,
      I also changed TCA_FLOWER_KEY_CFM_OPT_MAX and cfm_opt_policy
      definitions.
      
      syzbot reported:
      
      BUG: KASAN: stack-out-of-bounds in __nla_validate_parse+0x136/0x2bd0 lib/nlattr.c:588
      Write of size 32 at addr ffffc90003a0ee20 by task syz-executor296/5014
      
      CPU: 0 PID: 5014 Comm: syz-executor296 Not tainted 6.5.0-rc2-syzkaller-00307-gd192f538 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:364 [inline]
      print_report+0x163/0x540 mm/kasan/report.c:475
      kasan_report+0x175/0x1b0 mm/kasan/report.c:588
      kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
      __asan_memset+0x23/0x40 mm/kasan/shadow.c:84
      __nla_validate_parse+0x136/0x2bd0 lib/nlattr.c:588
      __nla_parse+0x40/0x50 lib/nlattr.c:700
      nla_parse_nested include/net/netlink.h:1262 [inline]
      fl_set_key_cfm+0x1e3/0x440 net/sched/cls_flower.c:1718
      fl_set_key+0x2168/0x6620 net/sched/cls_flower.c:1884
      fl_tmplt_create+0x1fe/0x510 net/sched/cls_flower.c:2666
      tc_chain_tmplt_add net/sched/cls_api.c:2959 [inline]
      tc_ctl_chain+0x131d/0x1ac0 net/sched/cls_api.c:3068
      rtnetlink_rcv_msg+0x82b/0xf50 net/core/rtnetlink.c:6424
      netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2549
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x7c3/0x990 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0xa2a/0xd60 net/netlink/af_netlink.c:1914
      sock_sendmsg_nosec net/socket.c:725 [inline]
      sock_sendmsg net/socket.c:748 [inline]
      ____sys_sendmsg+0x592/0x890 net/socket.c:2494
      ___sys_sendmsg net/socket.c:2548 [inline]
      __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2577
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7f54c6150759
      Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007ffe06c30578 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f54c619902d RCX: 00007f54c6150759
      RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
      RBP: 00007ffe06c30590 R08: 0000000000000000 R09: 00007ffe06c305f0
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f54c61c35f0
      R13: 00007ffe06c30778 R14: 0000000000000001 R15: 0000000000000001
      </TASK>
      
      The buggy address belongs to stack of task syz-executor296/5014
      and is located at offset 32 in frame:
      fl_set_key_cfm+0x0/0x440 net/sched/cls_flower.c:374
      
      This frame has 1 object:
      [32, 56) 'nla_cfm_opt'
      
      The buggy address belongs to the virtual mapping at
      [ffffc90003a08000, ffffc90003a11000) created by:
      copy_process+0x5c8/0x4290 kernel/fork.c:2330
      
      Fixes: 7cfffd5f ("net: flower: add support for matching cfm fields")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Simon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarZahari Doychev <zdoychev@maxlinear.com>
      Link: https://lore.kernel.org/r/20230726145815.943910-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4d50e500
    • Jakub Kicinski's avatar
      MAINTAINERS: stmmac: retire Giuseppe Cavallaro · fa467226
      Jakub Kicinski authored
      I tried to get stmmac maintainers to be more active by agreeing with
      them off-list on a review rotation. I pinged Peppe 3 times over 2 weeks
      during his "shift month", no reviews are flowing.
      
      All the contributions are much appreciated! But stmmac is quite
      active, we need participating maintainers :(
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230726151120.1649474-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fa467226
    • Russell King (Oracle)'s avatar
      net: dsa: fix older DSA drivers using phylink · 9945c1fb
      Russell King (Oracle) authored
      Older DSA drivers that do not provide an dsa_ops adjust_link method end
      up using phylink. Unfortunately, a recent phylink change that requires
      its supported_interfaces bitmap to be filled breaks these drivers
      because the bitmap remains empty.
      
      Rather than fixing each driver individually, fix it in the core code so
      we have a sensible set of defaults.
      Reported-by: default avatarSergei Antonov <saproj@gmail.com>
      Fixes: de5c9bf4 ("net: phylink: require supported_interfaces to be filled")
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Tested-by: Vladimir Oltean <olteanv@gmail.com> # dsa_loop
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/E1qOflM-001AEz-D3@rmk-PC.armlinux.org.ukSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9945c1fb
    • Lin Ma's avatar
      rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length · d73ef2d6
      Lin Ma authored
      There are totally 9 ndo_bridge_setlink handlers in the current kernel,
      which are 1) bnxt_bridge_setlink, 2) be_ndo_bridge_setlink 3)
      i40e_ndo_bridge_setlink 4) ice_bridge_setlink 5)
      ixgbe_ndo_bridge_setlink 6) mlx5e_bridge_setlink 7)
      nfp_net_bridge_setlink 8) qeth_l2_bridge_setlink 9) br_setlink.
      
      By investigating the code, we find that 1-7 parse and use nlattr
      IFLA_BRIDGE_MODE but 3 and 4 forget to do the nla_len check. This can
      lead to an out-of-attribute read and allow a malformed nlattr (e.g.,
      length 0) to be viewed as a 2 byte integer.
      
      To avoid such issues, also for other ndo_bridge_setlink handlers in the
      future. This patch adds the nla_len check in rtnl_bridge_setlink and
      does an early error return if length mismatches. To make it works, the
      break is removed from the parsing for IFLA_BRIDGE_FLAGS to make sure
      this nla_for_each_nested iterates every attribute.
      
      Fixes: b1edc14a ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
      Fixes: 51616018 ("i40e: Add support for getlink, setlink ndo ops")
      Suggested-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Reviewed-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Link: https://lore.kernel.org/r/20230726075314.1059224-1-linma@zju.edu.cnSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d73ef2d6
  3. 27 Jul, 2023 15 commits
  4. 26 Jul, 2023 5 commits