1. 21 Sep, 2023 7 commits
  2. 20 Sep, 2023 7 commits
    • net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() · 4a0f07d7
      Jinjie Ruan authored
      When making CONFIG_DEBUG_KMEMLEAK=y and CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y,
      modprobe handshake-test and then rmmod handshake-test, the below memory
      leak is detected.
      
      The struct socket_alloc which is allocated by alloc_inode_sb() in
      __sock_create() is not freed. And the struct dentry which is allocated
      by __d_alloc() in sock_alloc_file() is not freed.
      
      Since fput() will call file->f_op->release() which is sock_close() here and
      it will call __sock_release(), and fput() will call dput(dentry) to free
      the struct dentry. So replace sock_release() with fput() to fix the
      below memory leak. After applying this patch, the following memory leak is
      never detected.
      
      unreferenced object 0xffff888109165840 (size 768):
        comm "kunit_try_catch", pid 1852, jiffies 4294685807 (age 976.262s)
        hex dump (first 32 bytes):
          01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00  ......ZZ .......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
          [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
          [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
          [<ffffffff8397889c>] sock_alloc+0x3c/0x260
          [<ffffffff83979b46>] __sock_create+0x66/0x3d0
          [<ffffffffa0209ba2>] 0xffffffffa0209ba2
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810f472008 (size 192):
        comm "kunit_try_catch", pid 1852, jiffies 4294685808 (age 976.261s)
        hex dump (first 32 bytes):
          00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00  ..P@............
          00 00 00 00 00 00 00 00 08 20 47 0f 81 88 ff ff  ......... G.....
        backtrace:
          [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
          [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
          [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0209bbb>] 0xffffffffa0209bbb
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      unreferenced object 0xffff88810958e580 (size 224):
        comm "kunit_try_catch", pid 1852, jiffies 4294685808 (age 976.261s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
          [<ffffffff819d4cf9>] alloc_file+0x59/0x730
          [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
          [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
          [<ffffffffa0209bbb>] 0xffffffffa0209bbb
          [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
          [<ffffffff81236fc6>] kthread+0x2b6/0x380
          [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
          [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
      
      Fixes: 88232ec1 ("net/handshake: Add Kunit tests for the handshake consumer API")
      Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: hinic: Fix warning-hinic_set_vlan_fliter() warn: variable dereferenced before check 'hwdev' · 22b6e7f3
      Cai Huoqing authored
      'hwdev' is checked too late and hwdev will not be NULL, so remove the check
      
      Fixes: 2acf960e ("net: hinic: Add support for configuration of rx-vlan-filter by ethtool")
      Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
      Closes: https://lore.kernel.org/r/202309112354.pikZCmyk-lkp@intel.com/
      Signed-off-by: Cai Huoqing <cai.huoqing@linux.dev>
      Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP · 7433b6d2
      Jozsef Kadlecsik authored
      Kyle Zeng reported that there is a race between IPSET_CMD_ADD and IPSET_CMD_SWAP
      in netfilter/ip_set, which can lead to the invocation of `__ip_set_put` on a
      wrong `set`, triggering the `BUG_ON(set->ref == 0);` check in it.
      
      The race is caused by using the wrong reference counter, i.e. the ref counter instead
      of ref_netlink.
      
      Fixes: 24e22789 ("netfilter: ipset: Add schedule point in call_ad().")
      Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
      Closes: https://lore.kernel.org/netfilter-devel/ZPZqetxOmH+w%2Fmyc@westworld/#r
      Tested-by: Kyle Zeng <zengyhkyle@gmail.com>
      Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • netfilter: nf_tables: fix memleak when more than 255 elements expired · cf5000a7
      Florian Westphal authored
      When more than 255 elements expired we're supposed to switch to a new gc
      container structure.
      
      This never happens: u8 type will wrap before reaching the boundary
      and nft_trans_gc_space() always returns true.
      
      This means we recycle the initial gc container structure and
      lose track of the elements that came before.
      
      While at it, don't deref 'gc' after we've passed it to call_rcu.
      
      Fixes: 5f68718b ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
      Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • netfilter: nf_tables: disable toggling dormant table state more than once · c9bd2651
      Florian Westphal authored
      nft -f -<<EOF
      add table ip t
      add table ip t { flags dormant; }
      add chain ip t c { type filter hook input priority 0; }
      add table ip t
      EOF
      
      Triggers a splat from nf core on next table delete because we lose
      track of right hook register state:
      
      WARNING: CPU: 2 PID: 1597 at net/netfilter/core.c:501 __nf_unregister_net_hook
      RIP: 0010:__nf_unregister_net_hook+0x41b/0x570
       nf_unregister_net_hook+0xb4/0xf0
       __nf_tables_unregister_hook+0x160/0x1d0
      [..]
      
      The above should have table in *active* state, but in fact no
      hooks were registered.
      
      Reject on/off/on games rather than attempting to fix this.
      
      Fixes: 179d9ba5 ("netfilter: nf_tables: fix table flag updates")
      Reported-by: "Lee, Cherie-Anne" <cherie.lee@starlabs.sg>
      Cc: Bing-Jhong Billy Jheng <billy@starlabs.sg>
      Cc: info@starlabs.sg
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • vxlan: Add missing entries to vxlan_get_size() · 4e4b1798
      Benjamin Poirier authored
      There are some attributes added by vxlan_fill_info() which are not
      accounted for in vxlan_get_size(). Add them.
      
      I didn't find a way to trigger an actual problem from this miscalculation
      since there is usually extra space in netlink size calculations like
      if_nlmsg_size(); but maybe I just didn't search long enough.
      
      Fixes: 3511494c ("vxlan: Group Policy extension")
      Fixes: e1e5314d ("vxlan: implement GPE")
      Fixes: 0ace2ca8 ("vxlan: Use checksum partial with remote checksum offload")
      Fixes: f9c4bb0b ("vxlan: vni filtering support on collect metadata device")
      Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
      Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
      Reviewed-by: Ido Schimmel <idosch@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: rds: Fix possible NULL-pointer dereference · f1d95df0
      Artem Chernyshev authored
      In rds_rdma_cm_event_handler_cmn(), check if the conn pointer exists
      before dereferencing it as an rdma_set_service_type() argument.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.
      
      Fixes: fd261ce6 ("rds: rdma: update rdma transport for tos")
      Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 19 Sep, 2023 9 commits
    • team: fix null-ptr-deref when team device type is changed · 49203276
      Ziyang Xuan authored
      Get a null-ptr-deref bug as follows with reproducer [1].
      
      BUG: kernel NULL pointer dereference, address: 0000000000000228
      ...
      RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
      ...
      Call Trace:
       <TASK>
       ? __die+0x24/0x70
       ? page_fault_oops+0x82/0x150
       ? exc_page_fault+0x69/0x150
       ? asm_exc_page_fault+0x26/0x30
       ? vlan_dev_hard_header+0x35/0x140 [8021q]
       ? vlan_dev_hard_header+0x8e/0x140 [8021q]
       neigh_connected_output+0xb2/0x100
       ip6_finish_output2+0x1cb/0x520
       ? nf_hook_slow+0x43/0xc0
       ? ip6_mtu+0x46/0x80
       ip6_finish_output+0x2a/0xb0
       mld_sendpack+0x18f/0x250
       mld_ifc_work+0x39/0x160
       process_one_work+0x1e6/0x3f0
       worker_thread+0x4d/0x2f0
       ? __pfx_worker_thread+0x10/0x10
       kthread+0xe5/0x120
       ? __pfx_kthread+0x10/0x10
       ret_from_fork+0x34/0x50
       ? __pfx_kthread+0x10/0x10
       ret_from_fork_asm+0x1b/0x30
      
      [1]
      $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
      $ ip link add name t-dummy type dummy
      $ ip link add link t-dummy name t-dummy.100 type vlan id 100
      $ ip link add name t-nlmon type nlmon
      $ ip link set t-nlmon master team0
      $ ip link set t-nlmon nomaster
      $ ip link set t-dummy up
      $ ip link set team0 up
      $ ip link set t-dummy.100 down
      $ ip link set t-dummy.100 master team0
      
      When enslaving a vlan device to a team device and the team device type is changed
      from non-ether to ether, header_ops of team device is changed to
      vlan_header_ops. That is incorrect and will trigger null-ptr-deref
      for vlan->real_dev in vlan_dev_hard_header() because team device is not
      a vlan device.
      
      Cache eth_header_ops in team_setup(), then assign cached header_ops to
      header_ops of team net device when its type is changed from non-ether
      to ether to fix the bug.
      
      Fixes: 1d76efe1 ("team: add support for non-ethernet devices")
      Suggested-by: Hangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
      Reviewed-by: Jiri Pirko <jiri@nvidia.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230918123011.1884401-1-william.xuanziyang@huawei.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: bridge: use DEV_STATS_INC() · 44bdb313
      Eric Dumazet authored
      syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
      This function can run from multiple cpus without mutual exclusion.
      
      Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
      
      Handles updates to dev->stats.tx_dropped while we are at it.
      
      [1]
      BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish
      
      read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
      br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
      br_nf_hook_thresh+0x1ed/0x220
      br_nf_pre_routing_finish_ipv6+0x50f/0x540
      NF_HOOK include/linux/netfilter.h:304 [inline]
      br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
      br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
      nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
      nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
      br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
      __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
      __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
      __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
      process_backlog+0x21f/0x380 net/core/dev.c:5965
      __napi_poll+0x60/0x3b0 net/core/dev.c:6527
      napi_poll net/core/dev.c:6594 [inline]
      net_rx_action+0x32b/0x750 net/core/dev.c:6727
      __do_softirq+0xc1/0x265 kernel/softirq.c:553
      run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
      smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
      kthread+0x1d7/0x210 kernel/kthread.c:388
      ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
      br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
      br_nf_hook_thresh+0x1ed/0x220
      br_nf_pre_routing_finish_ipv6+0x50f/0x540
      NF_HOOK include/linux/netfilter.h:304 [inline]
      br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
      br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
      nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
      nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
      br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
      __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
      __netif_receive_skb_one_core net/core/dev.c:5521 [inline]
      __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
      process_backlog+0x21f/0x380 net/core/dev.c:5965
      __napi_poll+0x60/0x3b0 net/core/dev.c:6527
      napi_poll net/core/dev.c:6594 [inline]
      net_rx_action+0x32b/0x750 net/core/dev.c:6727
      __do_softirq+0xc1/0x265 kernel/softirq.c:553
      do_softirq+0x5e/0x90 kernel/softirq.c:454
      __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
      __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
      _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
      spin_unlock_bh include/linux/spinlock.h:396 [inline]
      batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
      batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
      process_one_work kernel/workqueue.c:2630 [inline]
      process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
      worker_thread+0x525/0x730 kernel/workqueue.c:2784
      kthread+0x1d7/0x210 kernel/kthread.c:388
      ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
      
      value changed: 0x00000000000d7190 -> 0x00000000000d7191
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f3 #0
      
      Fixes: 1c29fc49 ("[BRIDGE]: keep track of received multicast packets")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Roopa Prabhu <roopa@nvidia.com>
      Cc: Nikolay Aleksandrov <razor@blackwall.org>
      Cc: bridge@lists.linux-foundation.org
      Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
      Link: https://lore.kernel.org/r/20230918091351.1356153-1-edumazet@google.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • Merge branch 'there-are-some-bugfix-for-the-hns3-ethernet-driver' · 5f8621c1
      Paolo Abeni authored
      Jijie Shao says:
      
      ====================
      There are some bugfix for the HNS3 ethernet driver
      ====================
      
      Link: https://lore.kernel.org/r/20230918074840.2650978-1-shaojijie@huawei.com
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: add 5ms delay before clear firmware reset irq source · 07700630
      Jie Wang authored
      Currently the reset process in hns3 and the firmware watchdog init process are
      asynchronous. We think firmware watchdog initialization is completed
      before hns3 clears the firmware interrupt source. However, firmware
      initialization may not complete early.
      
      So we add a delay before hns3 clears the firmware interrupt source, and a 5 ms delay
      is enough to avoid a second firmware reset interrupt.
      
      Fixes: c1a81619 ("net: hns3: Add mailbox interrupt handling to PF driver")
      Signed-off-by: Jie Wang <wangjie125@huawei.com>
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: fix fail to delete tc flower rules during reset issue · 1a7be66e
      Jijie Shao authored
      Firmware does not respond to driver commands during reset.
      Therefore, a rule will fail to delete while the firmware is resetting.
      
      So, if the rule fails to be deleted, set the rule state to TO_DEL,
      and the rule will be deleted when the periodic task is scheduled.
      
      Fixes: 0205ec04 ("net: hns3: add support for hw tc offload of tc flower")
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: only enable unicast promisc when mac table full · f2ed3049
      Jian Shen authored
      Currently, the driver will enable unicast promisc for the function
      once configuring the mac address fails. It's unreasonable when the failure
      is caused by using the same mac address as other functions. So only
      enable unicast promisc when the mac table is full.
      
      Fixes: c631c696 ("net: hns3: refactor the promisc mode setting")
      Signed-off-by: Jian Shen <shenjian15@huawei.com>
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: fix GRE checksum offload issue · f9f65126
      Jie Wang authored
      The device_version V3 hardware can't offload the checksum for IP in GRE
      packets, but can do it for NvGRE. So default to disable the checksum and
      GSO offload for GRE, but keep the ability to enable it when only using
      NvGRE.
      
      Fixes: 76ad4f0e ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
      Signed-off-by: Jie Wang <wangjie125@huawei.com>
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: hns3: add cmdq check for vf periodic service task · bd3caddf
      Jie Wang authored
      When the vf cmdq is disabled, there is no need to keep these tasks running.
      So this patch skips these tasks when the cmdq is disabled.
      
      Fixes: ff200099 ("net: hns3: remove unnecessary work in hclgevf_main")
      Signed-off-by: Jie Wang <wangjie125@huawei.com>
      Signed-off-by: Jijie Shao <shaojijie@huawei.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: stmmac: fix incorrect rxq|txq_stats reference · 8070274b
      Jisheng Zhang authored
      commit 133466c3 ("net: stmmac: use per-queue 64 bit statistics
      where necessary") caused one regression as found by Uwe, the backtrace
      looks like:
      
      	INFO: trying to register non-static key.
      	The code is fine but needs lockdep annotation, or maybe
      	you didn't initialize this object before use?
      	turning off the locking correctness validator.
      	CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.5.0-rc1-00449-g133466c3-dirty #21
      	Hardware name: STM32 (Device Tree Support)
      	 unwind_backtrace from show_stack+0x18/0x1c
      	 show_stack from dump_stack_lvl+0x60/0x90
      	 dump_stack_lvl from register_lock_class+0x98c/0x99c
      	 register_lock_class from __lock_acquire+0x74/0x293c
      	 __lock_acquire from lock_acquire+0x134/0x398
      	 lock_acquire from stmmac_get_stats64+0x2ac/0x2fc
      	 stmmac_get_stats64 from dev_get_stats+0x44/0x130
      	 dev_get_stats from rtnl_fill_stats+0x38/0x120
      	 rtnl_fill_stats from rtnl_fill_ifinfo+0x834/0x17f4
      	 rtnl_fill_ifinfo from rtmsg_ifinfo_build_skb+0xc0/0x144
      	 rtmsg_ifinfo_build_skb from rtmsg_ifinfo+0x50/0x88
      	 rtmsg_ifinfo from __dev_notify_flags+0xc0/0xec
      	 __dev_notify_flags from dev_change_flags+0x50/0x5c
      	 dev_change_flags from ip_auto_config+0x2f4/0x1260
      	 ip_auto_config from do_one_initcall+0x70/0x35c
      	 do_one_initcall from kernel_init_freeable+0x2ac/0x308
      	 kernel_init_freeable from kernel_init+0x1c/0x138
      	 kernel_init from ret_from_fork+0x14/0x2c
      
      The reason is that the rxq|txq_stats structures are not what is expected,
      because in stmmac_open() -> __stmmac_open() the structure is overwritten
      by "memcpy(&priv->dma_conf, dma_conf, sizeof(*dma_conf));"
      This causes the well initialized syncp member of rxq|txq_stats to be
      overwritten unexpectedly, as pointed out by Johannes and Uwe.
      
      Fix this issue by moving rxq|txq_stats back to stmmac_extra_stats. For
      SMP cache friendliness, we also mark stmmac_txq_stats and stmmac_rxq_stats
      as ____cacheline_aligned_in_smp.
      
      Fixes: 133466c3 ("net: stmmac: use per-queue 64 bit statistics where necessary")
      Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
      Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Tested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Link: https://lore.kernel.org/r/20230917165328.3403-1-jszhang@kernel.org
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
  4. 18 Sep, 2023 17 commits