1. 21 Jun, 2021 6 commits
      Merge tag 'linux-can-fixes-for-5.13-20210619' of... · d52f9b22
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.13-20210619' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2021-06-19
      
      this is a pull request of 5 patches for net/master.
      
      The first patch is by Thadeu Lima de Souza Cascardo and fixes a
      potential use-after-free in the CAN broadcast manager socket, by
      delaying the release of struct bcm_op after synchronize_rcu().
      
      Oliver Hartkopp's patch fixes a similar potential use-after-free in
      the CAN gateway socket by synchronizing RCU operations before removing
      gw job entry.
      
      Another patch by Oliver Hartkopp fixes a potential use-after-free in
      the ISOTP socket by omitting unintended hrtimer restarts on socket
      release.
      
      Oleksij Rempel's patch for the j1939 socket fixes a potential
      use-after-free by setting the SOCK_RCU_FREE flag on the socket.
      
      The last patch is by Pavel Skripkin and fixes a use-after-free in the
      ems_usb CAN driver.
      
      All patches are intended for stable and have stable@v.k.o on Cc.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge tag 'wireless-drivers-2021-06-19' of... · 0d98ec87
      David S. Miller authored
      Merge tag 'wireless-drivers-2021-06-19' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.13
      
      Only one important fix for an mwifiex regression.
      
      mwifiex
      
      * fix deadlock during rmmod or firmware reset, regression from
        cfg80211 RTNL changes in v5.12-rc1
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      hv_netvsc: Set needed_headroom according to VF · 536ba2e0
      Haiyang Zhang authored
      Set needed_headroom according to VF if VF needs a bigger
      headroom.
      Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net/netif_receive_skb_core: Use migrate_disable() · 2b4cd14f
      Sebastian Andrzej Siewior authored
      The preempt disable around do_xdp_generic() has been introduced in
      commit
         bbbe211c ("net: rcu lock and preempt disable missing around generic xdp")
      
      For BPF it is enough to use migrate_disable() and the code was updated
      as it can be seen in commit
         3c58482a ("bpf: Provide bpf_prog_run_pin_on_cpu() helper")
      
      This is a leftover which was not converted.
      
      Use migrate_disable() before invoking do_xdp_generic().
      Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: sched: add barrier to ensure correct ordering for lockless qdisc · 89837eb4
      Yunsheng Lin authored
      The spin_trylock() was assumed to contain the implicit
      barrier needed to ensure the correct ordering between
      STATE_MISSED setting/clearing and STATE_MISSED checking
      in commit a90c57f2 ("net: sched: fix packet stuck
      problem for lockless qdisc").
      
      But it turns out that spin_trylock() only has load-acquire
      semantics. For strongly-ordered systems (like x86), the compiler
      barrier implicitly contained in spin_trylock() seems enough
      to ensure the correct ordering. But for weakly-ordered systems
      (like arm64), the store-release semantic is needed to ensure
      the correct ordering as clear_bit() and test_bit() are store
      operations, see queued_spin_lock().
      
      So add the explicit barrier to ensure the correct ordering
      for the above case.
      
      Fixes: a90c57f2 ("net: sched: fix packet stuck problem for lockless qdisc")
      Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
      Acked-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      vrf: do not push non-ND strict packets with a source LLA through packet taps again · 603113c5
      Antoine Tenart authored
      Non-ND strict packets with a source LLA go through the packet taps
      again, while non-ND strict packets with other source addresses do not,
      and we can see a clone of those packets on the vrf interface (we should
      not). This is due to a series of changes:
      
      Commit 6f12fa77[1] made non-ND strict packets not being pushed again
      in the packet taps. This changed with commit 205704c6[2] for those
      packets having a source LLA, as they need a lookup with the orig_iif.
      
      The issue now is those packets do not skip the 'vrf_ip6_rcv' function to
      the end (as the ones without a source LLA) and go through the check to
      call packet taps again. This check was changed by commit 6f12fa77[1]
      and does not exclude non-strict packets anymore. Packets matching
      'need_strict && !is_ndisc && is_ll_src' are now being sent through the
      packet taps again. This can be seen by dumping packets on the vrf
      interface.
      
      Fix this by having the same code path for all non-ND strict packets and
      selectively lookup with the orig_iif for those with a source LLA. This
      has the effect of reverting to the pre-205704c6[2] condition, which
      should also be easier to maintain.
      
      [1] 6f12fa77 ("vrf: mark skb for multicast or link-local as enslaved to VRF")
      [2] 205704c6 ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict")
      
      Fixes: 205704c6 ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict")
      Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
      Reported-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Antoine Tenart <atenart@kernel.org>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 19 Jun, 2021 11 commits
      net: can: ems_usb: fix use-after-free in ems_usb_disconnect() · ab4a0b8f
      Pavel Skripkin authored
      In ems_usb_disconnect() the dev pointer, which is netdev private data, is
      used after the free_candev() call:
      | 	if (dev) {
      | 		unregister_netdev(dev->netdev);
      | 		free_candev(dev->netdev);
      |
      | 		unlink_all_urbs(dev);
      |
      | 		usb_free_urb(dev->intr_urb);
      |
      | 		kfree(dev->intr_in_buffer);
      | 		kfree(dev->tx_msg_buffer);
      | 	}
      
      Fix it by simply moving free_candev() at the end of the block.
      
      Fail log:
      | BUG: KASAN: use-after-free in ems_usb_disconnect
      | Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895
      |
      | CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164
      | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4
      | Workqueue: usb_hub_wq hub_event
      | Call Trace:
      |     dump_stack (lib/dump_stack.c:122)
      |     print_address_description.constprop.0.cold (mm/kasan/report.c:234)
      |     kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436)
      |     ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058)
      
      Fixes: 702171ad ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
      Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done · 22c696fe
      Oleksij Rempel authored
      Set SOCK_RCU_FREE to let RCU call sk_destruct() on completion.
      Without this patch, we will run into j1939_can_recv() after priv was
      freed by j1939_sk_release()->j1939_sk_sock_destruct().
      
      Fixes: 25fe97cb ("can: j1939: move j1939_priv_put() into sk_destruct callback")
      Link: https://lore.kernel.org/r/20210617130623.12705-1-o.rempel@pengutronix.de
      Cc: linux-stable <stable@vger.kernel.org>
      Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Reported-by: syzbot+bdf710cfc41c186fdff3@syzkaller.appspotmail.com
      Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      can: isotp: isotp_release(): omit unintended hrtimer restart on socket release · 14a4696b
      Oliver Hartkopp authored
      When closing the isotp socket, the potentially running hrtimers are
      canceled before removing the subscription for CAN identifiers via
      can_rx_unregister().
      
      This may lead to an unintended (re)start of a hrtimer in
      isotp_rcv_cf() and isotp_rcv_fc() in the case that a CAN frame is
      received by isotp_rcv() while the subscription removal is processed.
      
      However, isotp_rcv() is called under RCU protection, so after calling
      can_rx_unregister, we may call synchronize_rcu in order to wait for
      any RCU read-side critical sections to finish. This prevents the
      reception of CAN frames after hrtimer_cancel() and therefore the
      unintended (re)start of the hrtimers.
      
      Link: https://lore.kernel.org/r/20210618173713.2296-1-socketcan@hartkopp.net
      Fixes: e057dd3f ("can: add ISO 15765-2:2016 transport protocol")
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      can: gw: synchronize rcu operations before removing gw job entry · fb8696ab
      Oliver Hartkopp authored
      can_can_gw_rcv() is called under RCU protection, so after calling
      can_rx_unregister(), we have to call synchronize_rcu in order to wait
      for any RCU read-side critical sections to finish before removing the
      kmem_cache entry with the referenced gw job entry.
      
      Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net
      Fixes: c1aabdf3 ("can-gw: add netlink based CAN routing")
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      can: bcm: delay release of struct bcm_op after synchronize_rcu() · d5f9023f
      Thadeu Lima de Souza Cascardo authored
      can_rx_register() callbacks may be called concurrently to the call to
      can_rx_unregister(). The callbacks and callback data, though, are
      protected by RCU and the struct sock reference count.
      
      So the callback data is really attached to the life of sk, meaning
      that it should be released on sk_destruct. However, bcm_remove_op()
      calls tasklet_kill(), and RCU callbacks may be called under RCU
      softirq, so that cannot be used on kernels before the introduction of
      HRTIMER_MODE_SOFT.
      
      However, bcm_rx_handler() is called under RCU protection, so after
      calling can_rx_unregister(), we may call synchronize_rcu() in order to
      wait for any RCU read-side critical sections to finish. That is,
      bcm_rx_handler() won't be called anymore for those ops. So, we only
      free them after we do that synchronize_rcu().
      
      Fixes: ffd980f9 ("[CAN]: Add broadcast manager (bcm) protocol")
      Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com
      Cc: linux-stable <stable@vger.kernel.org>
      Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com
      Reported-by: Norbert Slusarek <nslusarek@gmx.net>
      Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Merge branch 'ezchip-fixes' · dda2626b
      David S. Miller authored
      Pavel Skripkin says:
      
      ====================
      net: ethernet: ezchip: bug fixing and code improvements
      
      While manually reviewing the code, I found some errors in the ezchip driver.
      Two of them look very dangerous:
        1. use-after-free in nps_enet_remove
            Accessing netdev private data after free_netdev()
      
        2. wrong error handling of platform_get_irq()
            It can cause passing negative irq to request_irq()
      
      Also, in the 2nd patch I removed a redundant check to increase execution
      speed and make the code more straightforward.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: ethernet: ezchip: fix error handling · 0de449d5
      Pavel Skripkin authored
      As documented at drivers/base/platform.c for platform_get_irq:
      
       * Gets an IRQ for a platform device and prints an error message if finding the
       * IRQ fails. Device drivers should check the return value for errors so as to
       * not pass a negative integer value to the request_irq() APIs.
      
      So, the driver should check that the platform_get_irq() return value
      is _negative_, not that it's equal to zero, because -ENXIO (return
      value from request_irq() if irq was not found) will
      pass this check and it leads to passing a negative irq to request_irq().
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: ethernet: ezchip: remove redundant check · 4ae85b23
      Pavel Skripkin authored
      The err variable will be set every time the code gets
      into this path. This check will just slow down the execution
      and that's all.
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: ethernet: ezchip: fix UAF in nps_enet_remove · e4b8700e
      Pavel Skripkin authored
      priv is netdev private data, but it is used
      after free_netdev(). It can cause use-after-free when accessing priv
      pointer. So, fix it by moving free_netdev() after netif_napi_del()
      call.
      
      Fixes: 0dd07709 ("NET: Add ezchip ethernet driver")
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: ethernet: aeroflex: fix UAF in greth_of_remove · e3a5de6d
      Pavel Skripkin authored
      static int greth_of_remove(struct platform_device *of_dev)
      {
      ...
      	struct greth_private *greth = netdev_priv(ndev);
      ...
      	unregister_netdev(ndev);
      	free_netdev(ndev);
      
      	of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
      ...
      }
      
      greth is netdev private data, but it is used
      after free_netdev(). It can cause use-after-free when accessing greth
      pointer. So, fix it by moving free_netdev() after of_iounmap()
      call.
      
      Fixes: d4c41139 ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
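      The three teardown fixes above (ems_usb_disconnect(), nps_enet_remove() and greth_of_remove()) share one pattern: the driver's private data is carved out of the net_device allocation, so free_netdev()/free_candev() must be the last call that follows the priv pointer. The user-space mock below is an added example, not code from any of these commits or drivers; the mock_* names, the flag-based "free" and the UAF counter are assumptions that let the buggy order be shown without ever touching freed memory.

```c
#include <stdlib.h>

/* Mock net_device: the private area is part of the same allocation, as with
 * alloc_netdev()/netdev_priv() in the kernel (mock_* names are assumptions). */
struct mock_netdev {
    int freed;            /* set by mock_free_netdev() */
    void *priv[];         /* driver private data, pointer-aligned like the kernel's */
};

struct mock_priv {
    void *regs;           /* stands in for an ioremap()ed window or pending URBs */
};

/* Like netdev_priv(), but refuses to return the pointer once the enclosing
 * net_device is gone; *uaf counts such accesses (KASAN catches the real ones). */
static struct mock_priv *netdev_priv_checked(struct mock_netdev *nd, int *uaf)
{
    if (nd->freed) {
        (*uaf)++;
        return NULL;
    }
    return (struct mock_priv *)nd->priv;
}

static struct mock_netdev *mock_alloc_netdev(void)
{
    struct mock_netdev *nd = calloc(1, sizeof(*nd) + sizeof(struct mock_priv));
    if (nd)
        ((struct mock_priv *)nd->priv)->regs = malloc(16); /* placeholder mapping */
    return nd;
}

/* free_netdev(): only flags the object so the demo never reads freed memory;
 * mock_destroy() releases it for real at the end of each scenario. */
static void mock_free_netdev(struct mock_netdev *nd) { nd->freed = 1; }

static void mock_destroy(struct mock_netdev *nd)
{
    free(((struct mock_priv *)nd->priv)->regs);   /* free(NULL) is a no-op */
    free(nd);
}

/* Buggy order from the original drivers: free_netdev() first, then the rest
 * of the teardown through priv. Returns the number of UAF accesses. */
static int remove_buggy(void)
{
    struct mock_netdev *nd = mock_alloc_netdev();
    struct mock_priv *priv;
    int uaf = 0;
    if (!nd)
        return -1;
    mock_free_netdev(nd);                  /* too early: priv dies with nd */
    priv = netdev_priv_checked(nd, &uaf);  /* of_iounmap() / unlink_all_urbs() */
    if (priv) {
        free(priv->regs);
        priv->regs = NULL;
    }
    mock_destroy(nd);
    return uaf;
}

/* Fixed order: finish every use of priv, then free_netdev() last. */
static int remove_fixed(void)
{
    struct mock_netdev *nd = mock_alloc_netdev();
    int uaf = 0;
    struct mock_priv *priv = nd ? netdev_priv_checked(nd, &uaf) : NULL;
    if (!priv)
        return -1;
    free(priv->regs);                      /* of_iounmap() / unlink_all_urbs() */
    priv->regs = NULL;
    mock_free_netdev(nd);                  /* nothing below may touch priv */
    mock_destroy(nd);
    return uaf;
}
```

      The same rule applies to the ISOTP, gw and bcm fixes in this list, except that there the "last use" is a concurrent RCU reader, so ordering alone is not enough and a synchronize_rcu() must sit between unregistering the callback and freeing its data.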
      Merge tag 'net-5.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 9ed13a17
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.13-rc7, including fixes from wireless, bpf,
        bluetooth, netfilter and can.
      
        Current release - regressions:
      
         - mlxsw: spectrum_qdisc: Pass handle, not band number to find_class()
           to fix modifying offloaded qdiscs
      
         - lantiq: net: fix duplicated skb in rx descriptor ring
      
         - rtnetlink: fix regression in bridge VLAN configuration, empty info
           is not an error, bot-generated "fix" was not needed
      
         - libbpf: s/rx/tx/ typo on umem->rx_ring_setup_done to fix umem
           creation
      
        Current release - new code bugs:
      
         - ethtool: fix NULL pointer dereference during module EEPROM dump via
           the new netlink API
      
         - mlx5e: don't update netdev RQs with PTP-RQ, the special purpose
           queue should not be visible to the stack
      
         - mlx5e: select special PTP queue only for SKBTX_HW_TSTAMP skbs
      
         - mlx5e: verify dev is present in get devlink port ndo, avoid a panic
      
        Previous releases - regressions:
      
         - neighbour: allow NUD_NOARP entries to be force GCed
      
         - further fixes for fallout from reorg of WiFi locking (staging:
           rtl8723bs, mac80211, cfg80211)
      
         - skbuff: fix incorrect msg_zerocopy copy notifications
      
         - mac80211: fix NULL ptr deref for injected rate info
      
         - Revert "net/mlx5: Arm only EQs with EQEs" it may cause missed IRQs
      
        Previous releases - always broken:
      
         - bpf: more speculative execution fixes
      
         - netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local
      
         - udp: fix race between close() and udp_abort() resulting in a panic
      
         - fix out of bounds when parsing TCP options before packets are
           validated (in netfilter: synproxy, tc: sch_cake and mptcp)
      
         - mptcp: improve operation under memory pressure, add missing
           wake-ups
      
         - mptcp: fix double-lock/soft lookup in subflow_error_report()
      
         - bridge: fix races (null pointer deref and UAF) in vlan tunnel
           egress
      
         - ena: fix DMA mapping function issues in XDP
      
         - rds: fix memory leak in rds_recvmsg
      
        Misc:
      
         - vrf: allow larger MTUs
      
         - icmp: don't send out ICMP messages with a source address of 0.0.0.0
      
         - cdc_ncm: switch to eth%d interface naming"
      
      * tag 'net-5.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (139 commits)
        net: ethernet: fix potential use-after-free in ec_bhf_remove
        selftests/net: Add icmp.sh for testing ICMP dummy address responses
        icmp: don't send out ICMP messages with a source address of 0.0.0.0
        net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
        net: ll_temac: Fix TX BD buffer overwrite
        net: ll_temac: Add memory-barriers for TX BD access
        net: ll_temac: Make sure to free skb when it is completely used
        MAINTAINERS: add Guvenc as SMC maintainer
        bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path
        bnxt_en: Fix TQM fastpath ring backing store computation
        bnxt_en: Rediscover PHY capabilities after firmware reset
        cxgb4: fix wrong shift.
        mac80211: handle various extensible elements correctly
        mac80211: reset profile_periodicity/ema_ap
        cfg80211: avoid double free of PMSR request
        cfg80211: make certificate generation more robust
        mac80211: minstrel_ht: fix sample time check
        net: qed: Fix memcpy() overflow of qed_dcbx_params()
        net: cdc_eem: fix tx fixup skb leak
        net: hamradio: fix memory leak in mkiss_close
        ...
  3. 18 Jun, 2021 23 commits