1. 04 Apr, 2024 7 commits
    • Haiyang Zhang's avatar
      net: mana: Fix Rx DMA datasize and skb_over_panic · c0de6ab9
      Haiyang Zhang authored
      mana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to be
      multiple of 64. So a packet slightly bigger than mtu+14, say 1536,
      can be received and cause skb_over_panic.
      
      Sample dmesg:
      [ 5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev:<NULL>
      [ 5325.243689] ------------[ cut here ]------------
      [ 5325.245748] kernel BUG at net/core/skbuff.c:192!
      [ 5325.247838] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      [ 5325.258374] RIP: 0010:skb_panic+0x4f/0x60
      [ 5325.302941] Call Trace:
      [ 5325.304389]  <IRQ>
      [ 5325.315794]  ? skb_panic+0x4f/0x60
      [ 5325.317457]  ? asm_exc_invalid_op+0x1f/0x30
      [ 5325.319490]  ? skb_panic+0x4f/0x60
      [ 5325.321161]  skb_put+0x4e/0x50
      [ 5325.322670]  mana_poll+0x6fa/0xb50 [mana]
      [ 5325.324578]  __napi_poll+0x33/0x1e0
      [ 5325.326328]  net_rx_action+0x12e/0x280
      
      As discussed internally, this alignment is not necessary. To fix
      this bug, remove it from the code. So oversized packets will be
      marked as CQE_RX_TRUNCATED by NIC, and dropped.
      
      Cc: stable@vger.kernel.org
      Fixes: 2fbbd712 ("net: mana: Enable RX path to handle various MTU sizes")
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Reviewed-by: default avatarDexuan Cui <decui@microsoft.com>
      Link: https://lore.kernel.org/r/1712087316-20886-1-git-send-email-haiyangz@microsoft.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c0de6ab9
    • Eric Dumazet's avatar
      net/sched: fix lockdep splat in qdisc_tree_reduce_backlog() · 7eb32236
      Eric Dumazet authored
      qdisc_tree_reduce_backlog() is called with the qdisc lock held,
      not RTNL.
      
      We must use qdisc_lookup_rcu() instead of qdisc_lookup()
      
      syzbot reported:
      
      WARNING: suspicious RCU usage
      6.1.74-syzkaller #0 Not tainted
      -----------------------------
      net/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      3 locks held by udevd/1142:
        #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]
        #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
        #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282
        #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
        #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297
        #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]
        #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
        #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792
      
      stack backtrace:
      CPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
      Call Trace:
       <TASK>
        [<ffffffff85b85f14>] __dump_stack lib/dump_stack.c:88 [inline]
        [<ffffffff85b85f14>] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106
        [<ffffffff85b86007>] dump_stack+0x15/0x1e lib/dump_stack.c:113
        [<ffffffff81802299>] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592
        [<ffffffff84f0054c>] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305
        [<ffffffff84f037c3>] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811
        [<ffffffff84f5b78c>] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51
        [<ffffffff84fbcf63>] qdisc_enqueue include/net/sch_generic.h:833 [inline]
        [<ffffffff84fbcf63>] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723
        [<ffffffff84eecab9>] dequeue_skb net/sched/sch_generic.c:292 [inline]
        [<ffffffff84eecab9>] qdisc_restart net/sched/sch_generic.c:397 [inline]
        [<ffffffff84eecab9>] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415
        [<ffffffff84d7aa96>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125
        [<ffffffff84d85d29>] net_tx_action+0x7c9/0x970 net/core/dev.c:5313
        [<ffffffff85e002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616
        [<ffffffff81568bca>] invoke_softirq kernel/softirq.c:447 [inline]
        [<ffffffff81568bca>] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700
        [<ffffffff81568ae9>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712
        [<ffffffff85b89f52>] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107
        [<ffffffff85c00ccb>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656
      
      Fixes: d636fc5d ("net: sched: add rcu annotations around qdisc->qdisc_sleeping")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Link: https://lore.kernel.org/r/20240402134133.2352776-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7eb32236
    • Horatiu Vultur's avatar
      net: phy: micrel: lan8814: Fix when enabling/disabling 1-step timestamping · de99e1ea
      Horatiu Vultur authored
      There are 2 issues with the blamed commit.
      1. When the phy is initialized, it would enable the disabled of UDPv4
         checksums. The UDPv6 checksum is already enabled by default. So when
         1-step is configured then it would clear these flags.
      2. After the 1-step is configured, then if 2-step is configured then the
         1-step would be still configured because it is not clearing the flag.
         So the sync frames will still have origin timestamps set.
      
      Fix this by reading first the value of the register and then
      just change bit 12 as this one determines if the timestamp needs to
      be inserted in the frame, without changing any other bits.
      
      Fixes: ece19502 ("net: phy: micrel: 1588 support for LAN8814 phy")
      Signed-off-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Reviewed-by: default avatarDivya Koppera <divya.koppera@microchip.com>
      Link: https://lore.kernel.org/r/20240402071634.2483524-1-horatiu.vultur@microchip.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      de99e1ea
    • Piotr Wejman's avatar
      net: stmmac: fix rx queue priority assignment · b3da86d4
      Piotr Wejman authored
      The driver should ensure that same priority is not mapped to multiple
      rx queues. From DesignWare Cores Ethernet Quality-of-Service
      Databook, section 17.1.29 MAC_RxQ_Ctrl2:
      "[...]The software must ensure that the content of this field is
      mutually exclusive to the PSRQ fields for other queues, that is,
      the same priority is not mapped to multiple Rx queues[...]"
      
      Previously rx_queue_priority() function was:
      - clearing all priorities from a queue
      - adding new priorities to that queue
      After this patch it will:
      - first assign new priorities to a queue
      - then remove those priorities from all other queues
      - keep other priorities previously assigned to that queue
      
      Fixes: a8f5102a ("net: stmmac: TX and RX queue priority configuration")
      Fixes: 2142754f ("net: stmmac: Add MAC related callbacks for XGMAC2")
      Signed-off-by: default avatarPiotr Wejman <piotrwejman90@gmail.com>
      Link: https://lore.kernel.org/r/20240401192239.33942-1-piotrwejman90@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b3da86d4
    • Duanqiang Wen's avatar
      net: txgbe: fix i2c dev name cannot match clkdev · c644920c
      Duanqiang Wen authored
      txgbe clkdev shortened clk_name, so i2c_dev info_name
      also need to shorten. Otherwise, i2c_dev cannot initialize
      clock.
      
      Fixes: e30cef00 ("net: txgbe: fix clk_name exceed MAX_DEV_ID limits")
      Signed-off-by: default avatarDuanqiang Wen <duanqiangwen@net-swift.com>
      Link: https://lore.kernel.org/r/20240402021843.126192-1-duanqiangwen@net-swift.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c644920c
    • Jakub Kicinski's avatar
      Merge branch 'net-fec-fix-to-suspend-resume-with-mac_managed_pm' · 22c5e0bc
      Jakub Kicinski authored
      John Ernberg says:
      
      ====================
      net: fec: Fix to suspend / resume with mac_managed_pm
      
      Since the introduction of mac_managed_pm in the FEC driver there were some
      discrepancies regarding power management of the PHY.
      
      This failed on our board that has a permanently powered Microchip LAN8700R
      attached to the FEC. Although the root cause of the failure can be traced
      back to f166f890 ("net: ethernet: fec: Replace interrupt driven MDIO
      with polled IO") and probably even before that, we only started noticing
      the problem going from 5.10 to 6.1.
      
      Since 557d5dc8 ("net: fec: use mac-managed PHY PM") is actually a fix
      to most of the power management sequencing problems that came with power
      managing the MDIO bus which for the FEC meant adding a race with FEC
      resume (and phy_start() if netif was running) and PHY resume.
      
      That it worked before for us was probably just luck...
      
      Thanks to Wei's response to my report at [1] I was able to pick up his
      patch and start honing in on the remaining missing details.
      
      [1]: https://lore.kernel.org/netdev/1f45bdbe-eab1-4e59-8f24-add177590d27@actia.se/
      
      v3: https://lore.kernel.org/netdev/20240306133734.4144808-1-john.ernberg@actia.se/
      v2: https://lore.kernel.org/netdev/20240229105256.2903095-1-john.ernberg@actia.se/
      v1: https://lore.kernel.org/netdev/20240212105010.2258421-1-john.ernberg@actia.se/
      ====================
      
      Link: https://lore.kernel.org/r/20240328155909.59613-1-john.ernberg@actia.seSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      22c5e0bc
    • Wei Fang's avatar
      net: fec: Set mac_managed_pm during probe · cbc17e78
      Wei Fang authored
      Setting mac_managed_pm during interface up is too late.
      
      In situations where the link is not brought up yet and the system suspends
      the regular PHY power management will run. Since the FEC ETHEREN control
      bit is cleared (automatically) on suspend the controller is off in resume.
      When the regular PHY power management resume path runs in this context it
      will write to the MII_DATA register but nothing will be transmitted on the
      MDIO bus.
      
      This can be observed by the following log:
      
          fec 5b040000.ethernet eth0: MDIO read timeout
          Microchip LAN87xx T1 5b040000.ethernet-1:04: PM: dpm_run_callback(): mdio_bus_phy_resume+0x0/0xc8 returns -110
          Microchip LAN87xx T1 5b040000.ethernet-1:04: PM: failed to resume: error -110
      
      The data written will however remain in the MII_DATA register.
      
      When the link later is set to administrative up it will trigger a call to
      fec_restart() which will restore the MII_SPEED register. This triggers the
      quirk explained in f166f890 ("net: ethernet: fec: Replace interrupt
      driven MDIO with polled IO") causing an extra MII_EVENT.
      
      This extra event desynchronizes all the MDIO register reads, causing them
      to complete too early. Leading all reads to read as 0 because
      fec_enet_mdio_wait() returns too early.
      
      When a Microchip LAN8700R PHY is connected to the FEC, the 0 reads causes
      the PHY to be initialized incorrectly and the PHY will not transmit any
      ethernet signal in this state. It cannot be brought out of this state
      without a power cycle of the PHY.
      
      Fixes: 557d5dc8 ("net: fec: use mac-managed PHY PM")
      Closes: https://lore.kernel.org/netdev/1f45bdbe-eab1-4e59-8f24-add177590d27@actia.se/Signed-off-by: default avatarWei Fang <wei.fang@nxp.com>
      [jernberg: commit message]
      Signed-off-by: default avatarJohn Ernberg <john.ernberg@actia.se>
      Link: https://lore.kernel.org/r/20240328155909.59613-2-john.ernberg@actia.seSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cbc17e78
  2. 03 Apr, 2024 7 commits
    • Phil Elwell's avatar
      net: bcmgenet: Reset RBUF on first open · 0a6380cb
      Phil Elwell authored
      If the RBUF logic is not reset when the kernel starts then there
      may be some data left over from any network boot loader. If the
      64-byte packet headers are enabled then this can be fatal.
      
      Extend bcmgenet_dma_disable to do perform the reset, but not when
      called from bcmgenet_resume in order to preserve a wake packet.
      
      N.B. This different handling of resume is just based on a hunch -
      why else wouldn't one reset the RBUF as well as the TBUF? If this
      isn't the case then it's easy to change the patch to make the RBUF
      reset unconditional.
      
      See: https://github.com/raspberrypi/linux/issues/3850
      See: https://github.com/raspberrypi/firmware/issues/1882Signed-off-by: default avatarPhil Elwell <phil@raspberrypi.com>
      Signed-off-by: default avatarMaarten Vanraes <maarten@rmail.be>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0a6380cb
    • Aleksandr Mishin's avatar
      octeontx2-af: Add array index check · ef15ddee
      Aleksandr Mishin authored
      In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
      value (up to 14) that exceed the size (MAX_LMAC_COUNT = 8) of the array.
      Fix this bug by adding 'iter' value check.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.
      
      Fixes: 91c6945e ("octeontx2-af: cn10k: Add RPM MAC support")
      Signed-off-by: default avatarAleksandr Mishin <amishin@t-argos.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ef15ddee
    • Tariq Toukan's avatar
      MAINTAINERS: mlx5: Add Tariq Toukan · c53fe72c
      Tariq Toukan authored
      Add myself as mlx5 core and EN maintainer.
      Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Reviewed-by: default avatarGal Pressman <gal@nvidia.com>
      Acked-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      Link: https://lore.kernel.org/r/20240401184347.53884-1-tariqt@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c53fe72c
    • Kuniyuki Iwashima's avatar
      ipv6: Fix infinite recursion in fib6_dump_done(). · d21d4060
      Kuniyuki Iwashima authored
      syzkaller reported infinite recursive calls of fib6_dump_done() during
      netlink socket destruction.  [1]
      
      From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then
      the response was generated.  The following recvmmsg() resumed the dump
      for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due
      to the fault injection.  [0]
      
        12:01:34 executing program 3:
        r0 = socket$nl_route(0x10, 0x3, 0x0)
        sendmsg$nl_route(r0, ... snip ...)
        recvmmsg(r0, ... snip ...) (fail_nth: 8)
      
      Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call
      of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped
      receiving the response halfway through, and finally netlink_sock_destruct()
      called nlk_sk(sk)->cb.done().
      
      fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it
      is still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by
      nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling
      itself recursively and hitting the stack guard page.
      
      To avoid the issue, let's set the destructor after kzalloc().
      
      [0]:
      FAULT_INJECTION: forcing a failure.
      name failslab, interval 1, probability 0, space 0, times 0
      CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91-dirty #11
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl (lib/dump_stack.c:117)
       should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
       should_failslab (mm/slub.c:3733)
       kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)
       inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)
       rtnl_dump_all (net/core/rtnetlink.c:4029)
       netlink_dump (net/netlink/af_netlink.c:2269)
       netlink_recvmsg (net/netlink/af_netlink.c:1988)
       ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)
       ___sys_recvmsg (net/socket.c:2846)
       do_recvmmsg (net/socket.c:2943)
       __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)
      
      [1]:
      BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)
      stack guard page: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91-dirty #11
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Workqueue: events netlink_sock_destruct_work
      RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)
      Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff
      RSP: 0018:ffffc9000d980000 EFLAGS: 00010293
      RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3
      RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358
      RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000
      R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68
      FS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0
      PKRU: 55555554
      Call Trace:
       <#DF>
       </#DF>
       <TASK>
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       ...
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       netlink_sock_destruct (net/netlink/af_netlink.c:401)
       __sk_destruct (net/core/sock.c:2177 (discriminator 2))
       sk_destruct (net/core/sock.c:2224)
       __sk_free (net/core/sock.c:2235)
       sk_free (net/core/sock.c:2246)
       process_one_work (kernel/workqueue.c:3259)
       worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
       kthread (kernel/kthread.c:388)
       ret_from_fork (arch/x86/kernel/process.c:153)
       ret_from_fork_asm (arch/x86/entry/entry_64.S:256)
      Modules linked in:
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20240401211003.25274-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d21d4060
    • Heiner Kallweit's avatar
      r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d · 5d872c9f
      Heiner Kallweit authored
      On some boards with this chip version the BIOS is buggy and misses
      to reset the PHY page selector. This results in the PHY ID read
      accessing registers on a different page, returning a more or
      less random value. Fix this by resetting the page selector first.
      
      Fixes: f1e911d5 ("r8169: add basic phylib support")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/64f2055e-98b8-45ec-8568-665e3d54d4e6@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5d872c9f
    • Marco Pinna's avatar
      vsock/virtio: fix packet delivery to tap device · b32a09ea
      Marco Pinna authored
      Commit 82dfb540 ("VSOCK: Add virtio vsock vsockmon hooks") added
      virtio_transport_deliver_tap_pkt() for handing packets to the
      vsockmon device. However, in virtio_transport_send_pkt_work(),
      the function is called before actually sending the packet (i.e.
      before placing it in the virtqueue with virtqueue_add_sgs() and checking
      whether it returned successfully).
      Queuing the packet in the virtqueue can fail even multiple times.
      However, in virtio_transport_deliver_tap_pkt() we deliver the packet
      to the monitoring tap interface only the first time we call it.
      This certainly avoids seeing the same packet replicated multiple times
      in the monitoring interface, but it can show the packet sent with the
      wrong timestamp or even before we succeed to queue it in the virtqueue.
      
      Move virtio_transport_deliver_tap_pkt() after calling virtqueue_add_sgs()
      and making sure it returned successfully.
      
      Fixes: 82dfb540 ("VSOCK: Add virtio vsock vsockmon hooks")
      Cc: stable@vge.kernel.org
      Signed-off-by: default avatarMarco Pinna <marco.pinn95@gmail.com>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20240329161259.411751-1-marco.pinn95@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b32a09ea
    • Duoming Zhou's avatar
      ax25: fix use-after-free bugs caused by ax25_ds_del_timer · fd819ad3
      Duoming Zhou authored
      When the ax25 device is detaching, the ax25_dev_device_down()
      calls ax25_ds_del_timer() to cleanup the slave_timer. When
      the timer handler is running, the ax25_ds_del_timer() that
      calls del_timer() in it will return directly. As a result,
      the use-after-free bugs could happen, one of the scenarios
      is shown below:
      
            (Thread 1)          |      (Thread 2)
                                | ax25_ds_timeout()
      ax25_dev_device_down()    |
        ax25_ds_del_timer()     |
          del_timer()           |
        ax25_dev_put() //FREE   |
                                |  ax25_dev-> //USE
      
      In order to mitigate bugs, when the device is detaching, use
      timer_shutdown_sync() to stop the timer.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarDuoming Zhou <duoming@zju.edu.cn>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240329015023.9223-1-duoming@zju.edu.cnSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      fd819ad3
  3. 02 Apr, 2024 7 commits
  4. 29 Mar, 2024 19 commits