1. 24 Jan, 2019 1 commit
    • ZhangXiaoxu's avatar
      ipvs: Fix signed integer overflow when setsockopt timeout · 53ab60ba
      ZhangXiaoxu authored
      There is a UBSAN bug report as below:
      UBSAN: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21
      signed integer overflow:
      -2147483647 * 1000 cannot be represented in type 'int'
      
      Reproduce program:
      	#include <stdio.h>
      	#include <sys/types.h>
      	#include <sys/socket.h>
      
      	#define IPPROTO_IP 0
      	#define IPPROTO_RAW 255
      
      	#define IP_VS_BASE_CTL		(64+1024+64)
      	#define IP_VS_SO_SET_TIMEOUT	(IP_VS_BASE_CTL+10)
      
      	/* The argument to IP_VS_SO_GET_TIMEOUT */
      	struct ipvs_timeout_t {
      		int tcp_timeout;
      		int tcp_fin_timeout;
      		int udp_timeout;
      	};
      
      	int main() {
      		int ret = -1;
      		int sockfd = -1;
      		struct ipvs_timeout_t to;
      
      		sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
      		if (sockfd == -1) {
      			printf("socket init error\n");
      			return -1;
      		}
      
      		to.tcp_timeout = -2147483647;
      		to.tcp_fin_timeout = -2147483647;
      		to.udp_timeout = -2147483647;
      
      		ret = setsockopt(sockfd,
      				 IPPROTO_IP,
      				 IP_VS_SO_SET_TIMEOUT,
      				 (char *)(&to),
      				 sizeof(to));
      
      		printf("setsockopt return %d\n", ret);
      		return ret;
      	}
      
      Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'.
      Signed-off-by: default avatarZhangXiaoxu <zhangxiaoxu5@huawei.com>
      Acked-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      53ab60ba
  2. 18 Jan, 2019 3 commits
    • Florian Westphal's avatar
      netfilter: nft_compat: destroy function must not have side effects · b2e3d68d
      Florian Westphal authored
      The nft_compat destroy function deletes the nft_xt object from a list.
      This isn't allowed anymore. Destroy functions are called asynchronously,
      i.e. next batch can find the object that has a pending ->destroy()
      invocation:
      
      cpu0                       cpu1
       worker
         ->destroy               for_each_entry()
      	                     if (x == ...
      			        return x->ops;
           list_del(x)
           kfree_rcu(x)
                                 expr->ops->... // ops was free'd
      
      To resolve this, the list_del needs to occur before the transaction
      mutex gets released.  nf_tables has a 'deactivate' hook for this
      purpose, so use that to unlink the object from the list.
      
      Fixes: 0935d558 ("netfilter: nf_tables: asynchronous release")
      Reported-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      b2e3d68d
    • Florian Westphal's avatar
      netfilter: nft_compat: make lists per netns · cf52572e
      Florian Westphal authored
      There are two problems with nft_compat since the netlink config
      plane uses a per-netns mutex:
      
      1. Concurrent add/del accesses to the same list
      2. accesses to a list element after it has been free'd already.
      
      This patch fixes the first problem.
      
      Freeing occurs from a work queue, after transaction mutexes have been
      released, i.e., it still possible for a new transaction (even from
      same net ns) to find the to-be-deleted expression in the list.
      
      The ->destroy functions are not allowed to have any such side effects,
      i.e. the list_del() in the destroy function is not allowed.
      
      This part of the problem is solved in the next patch.
      I tried to make this work by serializing list access via mutex
      and by moving list_del() to a deactivate callback, but
      Taehee spotted following race on this approach:
      
        NET #0                          NET #1
         >select_ops()
         ->init()
                                         ->select_ops()
         ->deactivate()
         ->destroy()
            nft_xt_put()
             kfree_rcu(xt, rcu_head);
                                         ->init() <-- use-after-free occurred.
      
      Unfortunately, we can't increment reference count in
      select_ops(), because we can't undo the refcount increase in
      case a different expression fails in the same batch.
      
      (The destroy hook will only be called in case the expression
       was initialized successfully).
      
      Fixes: f102d66b ("netfilter: nf_tables: use dedicated mutex to guard transactions")
      Reported-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      cf52572e
    • Florian Westphal's avatar
      netfilter: nft_compat: use refcnt_t type for nft_xt reference count · 12c44aba
      Florian Westphal authored
      Using standard integer type was fine while all operations on it were
      guarded by the nftnl subsys mutex.
      
      This isn't true anymore:
      1. transactions are guarded only by a pernet mutex, so concurrent
         rule manipulation in different netns is racy
      2. the ->destroy hook runs from a work queue after the transaction
         mutex has been released already.
      
      cpu0                           cpu1 (net 1)        cpu2 (net 2)
       kworker
          nft_compat->destroy        nft_compat->init    nft_compat->init
            if (--nft_xt->ref == 0)   nft_xt->ref++        nft_xt->ref++
      
      Switch to refcount_t.  Doing this however only fixes a minor aspect,
      nft_compat also performs linked-list operations in an unsafe way.
      
      This is addressed in the next two patches.
      
      Fixes: f102d66b ("netfilter: nf_tables: use dedicated mutex to guard transactions")
      Fixes: 0935d558 ("netfilter: nf_tables: asynchronous release")
      Reported-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      12c44aba
  3. 17 Jan, 2019 6 commits
  4. 16 Jan, 2019 30 commits
    • Willem de Bruijn's avatar
      udp: with udp_segment release on error path · 0f149c9f
      Willem de Bruijn authored
      Failure __ip_append_data triggers udp_flush_pending_frames, but these
      tests happen later. The skb must be freed directly.
      
      Fixes: bec1f6f6 ("udp: generate gso with UDP_SEGMENT")
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0f149c9f
    • Taehee Yoo's avatar
      net: bpfilter: change section name of bpfilter UMH blob. · 1a935268
      Taehee Yoo authored
      The section of bpfilter UMH blob is the ".bpfilter_umh". but this is not
      an explicit section. so linking warning occurred at compile time for the
      powerpc.
      So, this patch makes use of the ".rodata" instead of the ".bpfilter_umh".
      
      Config condition:
      
      CONFIG_BPFILTER=y
      CONFIG_BPFILTER_UMH=y
      
      Result:
      
      ld: warning: orphan section `.bpfilter_umh' from
      `net/bpfilter/bpfilter_umh_blob.o' being placed in section `.bpfilter_umh'
      
      Fixes: 61fbf593 ("net: bpfilter: restart bpfilter_umh when error occurred")
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1a935268
    • Andrew Lunn's avatar
      net: phy: Add missing features to PHY drivers · 9e857a40
      Andrew Lunn authored
      The bcm87xx and micrel driver has PHYs which are missing the .features
      value. Add them. The bcm87xx is a 10G FEC only PHY. Add the needed
      features definition of this PHY.
      
      Fixes: 719655a1 ("net: phy: Replace phy driver features u32 with link_mode bitmap")
      Reported-by: default avatarScott Wood <oss@buserror.net>
      Reported-by: default avatarCamelia Groza <camelia.groza@nxp.com>
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e857a40
    • Jakub Kicinski's avatar
      ipv6: route: place a warning with duplicated string with correct extack · a5a82d84
      Jakub Kicinski authored
      "IPv6: " prefix is already added by pr_fmt, no need to include
      it again in the pr_warn() format.  The message predates extack
      support, we can replace the whole thing with an extack message.
      Suggested-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5a82d84
    • Davide Caratti's avatar
      selftests: tc-testing: fix parsing of ife type · 91fa038d
      Davide Caratti authored
      In iproute2 commit 90c5c969f0b9 ("fix print_0xhex on 32 bit"), the format
      specifier for the ife type changed from 0x%X to %#llX, causing systematic
      failures in the following TDC test cases:
      
       7682 - Create valid ife encode action with mark and pass control
       ef47 - Create valid ife encode action with mark and pipe control
       df43 - Create valid ife encode action with mark and continue control
       e4cf - Create valid ife encode action with mark and drop control
       ccba - Create valid ife encode action with mark and reclassify control
       a1cf - Create valid ife encode action with mark and jump control
       cb3d - Create valid ife encode action with mark value at 32-bit maximum
       95ed - Create valid ife encode action with prio and pass control
       aa17 - Create valid ife encode action with prio and pipe control
       74c7 - Create valid ife encode action with prio and continue control
       7a97 - Create valid ife encode action with prio and drop control
       f66b - Create valid ife encode action with prio and reclassify control
       3056 - Create valid ife encode action with prio and jump control
       7dd3 - Create valid ife encode action with prio value at 32-bit maximum
       05bb - Create valid ife encode action with tcindex and pass control
       ce65 - Create valid ife encode action with tcindex and pipe control
       09cd - Create valid ife encode action with tcindex and continue control
       8eb5 - Create valid ife encode action with tcindex and continue control
       451a - Create valid ife encode action with tcindex and drop control
       d76c - Create valid ife encode action with tcindex and reclassify control
       e731 - Create valid ife encode action with tcindex and jump control
       b7b8 - Create valid ife encode action with tcindex value at 16-bit maximum
       2a9c - Create valid ife encode action with mac src parameter
       cf5c - Create valid ife encode action with mac dst parameter
       2353 - Create valid ife encode action with mac src and mac dst parameters
       552c - Create valid ife encode action with mark and type parameters
       0421 - Create valid ife encode action with prio and type parameters
       4017 - Create valid ife encode action with tcindex and type parameters
       fac3 - Create valid ife encode action with index at 32-bit maximnum
       7c25 - Create valid ife decode action with pass control
       dccb - Create valid ife decode action with pipe control
       7bb9 - Create valid ife decode action with continue control
       d9ad - Create valid ife decode action with drop control
       219f - Create valid ife decode action with reclassify control
       8f44 - Create valid ife decode action with jump control
       b330 - Create ife encode action with cookie
      
      Change 'matchPattern' values, allowing '0' and '0x0' if ife type is equal
      to 0, and accepting both '0x' and '0X' otherwise, to let these tests pass
      both with old and new tc binaries.
      While at it, fix a small typo in test case fac3 ('maximnum'->'maximum').
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Acked-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      91fa038d
    • Konstantin Khlebnikov's avatar
      net/core/neighbour: fix kmemleak minimal reference count for hash tables · 01b833ab
      Konstantin Khlebnikov authored
      This should be 1 for normal allocations, 0 disables leak reporting.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Reported-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Fixes: 85704cb8 ("net/core/neighbour: tell kmemleak about hash tables")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      01b833ab
    • Xin Long's avatar
      sctp: allocate sctp_sockaddr_entry with kzalloc · 400b8b9a
      Xin Long authored
      The similar issue as fixed in Commit 4a2eb0c3 ("sctp: initialize
      sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists
      in sctp_inetaddr_event, as Alexander noticed.
      
      To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp
      ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist().
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      400b8b9a
    • Xin Long's avatar
      erspan: build the header with the right proto according to erspan_ver · 20704bd1
      Xin Long authored
      As said in draft-foschiano-erspan-03#section4:
      
         Different frame variants known as "ERSPAN Types" can be
         distinguished based on the GRE "Protocol Type" field value: Type I
         and II's value is 0x88BE while Type III's is 0x22EB [ETYPES].
      
      So set it properly in erspan_xmit() according to erspan_ver. While at
      it, also remove the unused parameter 'proto' in erspan_fb_xmit().
      
      Fixes: 94d7d8f2 ("ip6_gre: add erspan v2 support")
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20704bd1
    • Ross Lagerwall's avatar
      openvswitch: Avoid OOB read when parsing flow nlattrs · 04a4af33
      Ross Lagerwall authored
      For nested and variable attributes, the expected length of an attribute
      is not known and marked by a negative number.  This results in an OOB
      read when the expected length is later used to check if the attribute is
      all zeros. Fix this by using the actual length of the attribute rather
      than the expected length.
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Acked-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      04a4af33
    • Dmitry Bezrukov's avatar
      net: usb: aqc111: Extend HWID table by TRENDnet device · 9098f21f
      Dmitry Bezrukov authored
      New device of TRENDnet based on aqc111u
      Add this ID to blacklist of cdc_ether driver as well
      Signed-off-by: default avatarDmitry Bezrukov <dmitry.bezrukov@aquantia.com>
      Signed-off-by: default avatarIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9098f21f
    • Cong Wang's avatar
      net_sched: refetch skb protocol for each filter · cd0c4e70
      Cong Wang authored
      Martin reported a set of filters don't work after changing
      from reclassify to continue. Looking into the code, it
      looks like skb protocol is not always fetched for each
      iteration of the filters. But, as demonstrated by Martin,
      TC actions could modify skb->protocol, for example act_vlan,
      this means we have to refetch skb protocol in each iteration,
      rather than using the one we fetch in the beginning of the loop.
      
      This bug is _not_ introduced by commit 3b3ae880
      ("net: sched: consolidate tc_classify{,_compat}"), technically,
      if act_vlan is the only action that modifies skb protocol, then
      it is commit c7e2b968 ("sched: introduce vlan action") which
      introduced this bug.
      Reported-by: default avatarMartin Olsson <martin.olsson+netdev@sentorsecurity.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cd0c4e70
    • Timotej Lazar's avatar
      net: phy: meson-gxl: Use the genphy_soft_reset callback · f2f98c1d
      Timotej Lazar authored
      Since the referenced commit, Ethernet fails to come up at boot on the
      board meson-gxl-s905x-libretech-cc. Fix this by re-enabling the
      genphy_soft_reset callback for the Amlogic Meson GXL PHY driver.
      
      Fixes: 6e2d85ec ("net: phy: Stop with excessive soft reset")
      Signed-off-by: default avatarTimotej Lazar <timotej.lazar@araneo.si>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2f98c1d
    • yupeng's avatar
      net: add document for several snmp counters · a6c7c7aa
      yupeng authored
      add document for below counters:
      TcpEstabResets
      TcpAttemptFails
      TcpOutRsts
      TcpExtTCPSACKDiscard
      TcpExtTCPDSACKIgnoredOld
      TcpExtTCPDSACKIgnoredNoUndo
      TcpExtTCPSackShifted
      TcpExtTCPSackMerged
      TcpExtTCPSackShiftFallback
      TcpExtTCPWantZeroWindowAdv
      TcpExtTCPToZeroWindowAdv
      TcpExtTCPFromZeroWindowAdv
      TcpExtDelayedACKs
      TcpExtDelayedACKLocked
      TcpExtDelayedACKLost
      TcpExtTCPLossProbes
      TcpExtTCPLossProbeRecovery
      Signed-off-by: default avataryupeng <yupeng0921@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a6c7c7aa
    • Eric Dumazet's avatar
      fou, fou6: do not assume linear skbs · 26fc181e
      Eric Dumazet authored
      Both gue_err() and gue6_err() incorrectly assume
      linear skbs. Fix them to use pskb_may_pull().
      
      BUG: KMSAN: uninit-value in gue6_err+0x475/0xc40 net/ipv6/fou6.c:101
      CPU: 0 PID: 18083 Comm: syz-executor1 Not tainted 5.0.0-rc1+ #7
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x173/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
       __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
       gue6_err+0x475/0xc40 net/ipv6/fou6.c:101
       __udp6_lib_err_encap_no_sk net/ipv6/udp.c:434 [inline]
       __udp6_lib_err_encap net/ipv6/udp.c:491 [inline]
       __udp6_lib_err+0x18d0/0x2590 net/ipv6/udp.c:522
       udplitev6_err+0x118/0x130 net/ipv6/udplite.c:27
       icmpv6_notify+0x462/0x9f0 net/ipv6/icmp.c:784
       icmpv6_rcv+0x18ac/0x3fa0 net/ipv6/icmp.c:872
       ip6_protocol_deliver_rcu+0xb5a/0x23a0 net/ipv6/ip6_input.c:394
       ip6_input_finish net/ipv6/ip6_input.c:434 [inline]
       NF_HOOK include/linux/netfilter.h:289 [inline]
       ip6_input+0x2b6/0x350 net/ipv6/ip6_input.c:443
       dst_input include/net/dst.h:450 [inline]
       ip6_rcv_finish+0x4e7/0x6d0 net/ipv6/ip6_input.c:76
       NF_HOOK include/linux/netfilter.h:289 [inline]
       ipv6_rcv+0x34b/0x3f0 net/ipv6/ip6_input.c:272
       __netif_receive_skb_one_core net/core/dev.c:4973 [inline]
       __netif_receive_skb net/core/dev.c:5083 [inline]
       process_backlog+0x756/0x10e0 net/core/dev.c:5923
       napi_poll net/core/dev.c:6346 [inline]
       net_rx_action+0x78b/0x1a60 net/core/dev.c:6412
       __do_softirq+0x53f/0x93a kernel/softirq.c:293
       do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1039
       </IRQ>
       do_softirq kernel/softirq.c:338 [inline]
       __local_bh_enable_ip+0x16f/0x1a0 kernel/softirq.c:190
       local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
       rcu_read_unlock_bh include/linux/rcupdate.h:696 [inline]
       ip6_finish_output2+0x1d64/0x25f0 net/ipv6/ip6_output.c:121
       ip6_finish_output+0xae4/0xbc0 net/ipv6/ip6_output.c:154
       NF_HOOK_COND include/linux/netfilter.h:278 [inline]
       ip6_output+0x5ca/0x710 net/ipv6/ip6_output.c:171
       dst_output include/net/dst.h:444 [inline]
       ip6_local_out+0x164/0x1d0 net/ipv6/output_core.c:176
       ip6_send_skb+0xfa/0x390 net/ipv6/ip6_output.c:1727
       udp_v6_send_skb+0x1733/0x1d20 net/ipv6/udp.c:1169
       udpv6_sendmsg+0x424e/0x45d0 net/ipv6/udp.c:1466
       inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
       __sys_sendmmsg+0x580/0xad0 net/socket.c:2211
       __do_sys_sendmmsg net/socket.c:2240 [inline]
       __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2237
       __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2237
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x457ec9
      Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f4a5204fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457ec9
      RDX: 00000000040001ab RSI: 0000000020000240 RDI: 0000000000000003
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4a520506d4
      R13: 00000000004c4ce5 R14: 00000000004d85d8 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
       kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:159
       kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
       kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2754 [inline]
       __kmalloc_node_track_caller+0xe9e/0xff0 mm/slub.c:4377
       __kmalloc_reserve net/core/skbuff.c:140 [inline]
       __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
       alloc_skb include/linux/skbuff.h:1012 [inline]
       alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5288
       sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2091
       sock_alloc_send_skb+0xca/0xe0 net/core/sock.c:2108
       __ip6_append_data+0x42ed/0x5dc0 net/ipv6/ip6_output.c:1443
       ip6_append_data+0x3c2/0x650 net/ipv6/ip6_output.c:1619
       icmp6_send+0x2f5c/0x3c40 net/ipv6/icmp.c:574
       icmpv6_send+0xe5/0x110 net/ipv6/ip6_icmp.c:43
       ip6_link_failure+0x5c/0x2c0 net/ipv6/route.c:2231
       dst_link_failure include/net/dst.h:427 [inline]
       vti_xmit net/ipv4/ip_vti.c:229 [inline]
       vti_tunnel_xmit+0xf3b/0x1ea0 net/ipv4/ip_vti.c:265
       __netdev_start_xmit include/linux/netdevice.h:4382 [inline]
       netdev_start_xmit include/linux/netdevice.h:4391 [inline]
       xmit_one net/core/dev.c:3278 [inline]
       dev_hard_start_xmit+0x604/0xc40 net/core/dev.c:3294
       __dev_queue_xmit+0x2e48/0x3b80 net/core/dev.c:3864
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:3897
       neigh_direct_output+0x42/0x50 net/core/neighbour.c:1511
       neigh_output include/net/neighbour.h:508 [inline]
       ip6_finish_output2+0x1d4e/0x25f0 net/ipv6/ip6_output.c:120
       ip6_finish_output+0xae4/0xbc0 net/ipv6/ip6_output.c:154
       NF_HOOK_COND include/linux/netfilter.h:278 [inline]
       ip6_output+0x5ca/0x710 net/ipv6/ip6_output.c:171
       dst_output include/net/dst.h:444 [inline]
       ip6_local_out+0x164/0x1d0 net/ipv6/output_core.c:176
       ip6_send_skb+0xfa/0x390 net/ipv6/ip6_output.c:1727
       udp_v6_send_skb+0x1733/0x1d20 net/ipv6/udp.c:1169
       udpv6_sendmsg+0x424e/0x45d0 net/ipv6/udp.c:1466
       inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
       __sys_sendmmsg+0x580/0xad0 net/socket.c:2211
       __do_sys_sendmmsg net/socket.c:2240 [inline]
       __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2237
       __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2237
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      Fixes: b8a51b38 ("fou, fou6: ICMP error handlers for FoU and GUE")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Stefano Brivio <sbrivio@redhat.com>
      Cc: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26fc181e
    • Davide Caratti's avatar
      selftests: tc-testing: fix tunnel_key failure if dst_port is unspecified · 5216bd77
      Davide Caratti authored
      After commit 1c25324c ("net/sched: act_tunnel_key: Don't dump dst port
      if it wasn't set"), act_tunnel_key doesn't dump anymore the destination
      port, unless it was explicitly configured. This caused systematic failures
      in the following TDC test case:
      
       7a88 - Add tunnel_key action with cookie parameter
      
      Avoid matching zero values of TCA_TUNNEL_KEY_ENC_DST_PORT to let the test
      pass again.
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5216bd77
    • Davide Caratti's avatar
      selftests: tc-testing: drop test on missing tunnel key id · e4136155
      Davide Caratti authored
      After merge of commit 80ef0f22 ("net/sched: act_tunnel_key: Allow
      key-less tunnels"), act_tunnel_key does not reject anymore requests to
      install 'set' rules where the key id is missing. Therefore, drop the
      following TDC testcase:
      
       ba4e - Add tunnel_key set action with missing mandatory id parameter
      
      because it's going to become a systematic fail as soon as userspace
      iproute2 will start supporting key-less tunnels.
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e4136155
    • Andrew Lunn's avatar
      net: phy: marvell: Fix deadlock from wrong locking · e0a7328f
      Andrew Lunn authored
      m88e1318_set_wol() takes the lock as part of phy_select_page(). Don't
      take the lock again with phy_read(), use the unlocked __phy_read().
      
      Fixes: 424ca4c5 ("net: phy: marvell: fix paged access races")
      Reported-by: default avatarÅke Rehnman <ake.rehnman@gmail.com>
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e0a7328f
    • Andrew Lunn's avatar
      net: phy: marvell: Errata for mv88e6390 internal PHYs · 8cbcdc1a
      Andrew Lunn authored
      The VOD can be out of spec, unless some magic value is poked into an
      undocumented register in an undocumented page.
      
      Fixes: e4cf8a38 ("net: phy: Marvell: Add mv88e6390 internal PHY")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8cbcdc1a
    • Greg Kroah-Hartman's avatar
      IN_BADCLASS: fix macro to actually work · f275ee0f
      Greg Kroah-Hartman authored
      Commit 65cab850 ("net: Allow class-e address assignment via ifconfig
      ioctl") modified the IN_BADCLASS macro a bit, but unfortunatly one too
      many '(' characters were added to the line, making any code that used
      it, not build properly.
      
      Also, the macro now compares an unsigned with a signed value, which
      isn't ok, so fix that up by making both types match properly.
      Reported-by: default avatarChristopher Ferris <cferris@google.com>
      Fixes: 65cab850 ("net: Allow class-e address assignment via ifconfig ioctl")
      Cc: Dave Taht <dave.taht@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f275ee0f
    • Willem de Bruijn's avatar
      tcp: allow MSG_ZEROCOPY transmission also in CLOSE_WAIT state · 13d7f463
      Willem de Bruijn authored
      TCP transmission with MSG_ZEROCOPY fails if the peer closes its end of
      the connection and so transitions this socket to CLOSE_WAIT state.
      
      Transmission in close wait state is acceptable. Other similar tests in
      the stack (e.g., in FastOpen) accept both states. Relax this test, too.
      
      Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg276886.html
      Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg227390.html
      Fixes: f214f915 ("tcp: enable MSG_ZEROCOPY")
      Reported-by: default avatarMarek Majkowski <marek@cloudflare.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      CC: Yuchung Cheng <ycheng@google.com>
      CC: Neal Cardwell <ncardwell@google.com>
      CC: Soheil Hassas Yeganeh <soheil@google.com>
      CC: Alexey Kodanev <alexey.kodanev@oracle.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      13d7f463
    • Heiner Kallweit's avatar
      net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031 · 1d16073a
      Heiner Kallweit authored
      So far genphy_soft_reset was used automatically if the PHY driver
      didn't implement the soft_reset callback. This changed with the
      mentioned commit and broke KSZ9031. To fix this configure the
      KSZ9031 PHY driver to use genphy_soft_reset.
      
      Fixes: 6e2d85ec ("net: phy: Stop with excessive soft reset")
      Reported-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Tested-by: default avatarTony Lindgren <tony@atomide.com>
      Tested-by: default avatarSekhar Nori <nsekhar@ti.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1d16073a
    • Davide Caratti's avatar
      net/sched: act_tunnel_key: fix memory leak in case of action replace · 9174c3df
      Davide Caratti authored
      running the following TDC test cases:
      
       7afc - Replace tunnel_key set action with all parameters
       364d - Replace tunnel_key set action with all parameters and cookie
      
      it's possible to trigger kmemleak warnings like:
      
        unreferenced object 0xffff94797127ab40 (size 192):
        comm "tc", pid 3248, jiffies 4300565293 (age 1006.862s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 c0 93 f9 8a ff ff ff ff  ................
          41 84 ee 89 ff ff ff ff 00 00 00 00 00 00 00 00  A...............
        backtrace:
          [<000000001e85b61c>] tunnel_key_init+0x31d/0x820 [act_tunnel_key]
          [<000000007f3f6ee7>] tcf_action_init_1+0x384/0x4c0
          [<00000000e89e3ded>] tcf_action_init+0x12b/0x1a0
          [<00000000c1c8c0f8>] tcf_action_add+0x73/0x170
          [<0000000095a9fc28>] tc_ctl_action+0x122/0x160
          [<000000004bebeac5>] rtnetlink_rcv_msg+0x263/0x2d0
          [<000000009fd862dd>] netlink_rcv_skb+0x4a/0x110
          [<00000000b55199e7>] netlink_unicast+0x1a0/0x250
          [<000000004996cd21>] netlink_sendmsg+0x2c1/0x3c0
          [<000000004d6a94b4>] sock_sendmsg+0x36/0x40
          [<000000005d9f0208>] ___sys_sendmsg+0x280/0x2f0
          [<00000000dec19023>] __sys_sendmsg+0x5e/0xa0
          [<000000004b82ac81>] do_syscall_64+0x5b/0x180
          [<00000000a0f1209a>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [<000000002926b2ab>] 0xffffffffffffffff
      
      when the tunnel_key action is replaced, the kernel forgets to release the
      dst metadata: ensure they are released by tunnel_key_init(), the same way
      it's done in tunnel_key_release().
      
      Fixes: d0f6dd8a ("net/sched: Introduce act_tunnel_key")
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9174c3df
    • David Howells's avatar
      Revert "rxrpc: Allow failed client calls to be retried" · e122d845
      David Howells authored
      The changes introduced to allow rxrpc calls to be retried creates an issue
      when it comes to refcounting afs_call structs.  The problem is that when
      rxrpc_send_data() queues the last packet for an asynchronous call, the
      following sequence can occur:
      
       (1) The notify_end_tx callback is invoked which causes the state in the
           afs_call to be changed from AFS_CALL_CL_REQUESTING or
           AFS_CALL_SV_REPLYING.
      
       (2) afs_deliver_to_call() can then process event notifications from rxrpc
           on the async_work queue.
      
       (3) Delivery of events, such as an abort from the server, can cause the
           afs_call state to be changed to AFS_CALL_COMPLETE on async_work.
      
       (4) For an asynchronous call, afs_process_async_call() notes that the call
           is complete and tried to clean up all the refs on async_work.
      
       (5) rxrpc_send_data() might return the amount of data transferred
           (success) or an error - which could in turn reflect a local error or a
           received error.
      
      Synchronising the clean up after rxrpc_kernel_send_data() returns an error
      with the asynchronous cleanup is then tricky to get right.
      
      Mostly revert commit c038a58c.  The two API
      functions the original commit added aren't currently used.  This makes
      rxrpc_kernel_send_data() always return successfully if it queued the data
      it was given.
      
      Note that this doesn't affect synchronous calls since their Rx notification
      function merely pokes a wait queue and does not refcounting.  The
      asynchronous call notification function *has* to do refcounting and pass a
      ref over the work item to avoid the need to sync the workqueue in call
      cleanup.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e122d845
    • David S. Miller's avatar
      Merge branch 'tipc-uninit-values' · 70a44f9f
      David S. Miller authored
      Ying Xue says:
      
      ====================
      tipc: fix uninit-value issues reported by syzbot
      
      Recently, syzbot complained that TIPC module exits several issues
      associated with uninit-value type. So, in this series, we try to
      fix them as many as possible.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      70a44f9f
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_doit · 2753ca5d
      Ying Xue authored
      BUG: KMSAN: uninit-value in tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
      CPU: 0 PID: 4514 Comm: syz-executor485 Not tainted 4.16.0+ #87
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
       tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
       tipc_nl_compat_recv+0x164b/0x2700 net/tipc/netlink_compat.c:1153
       genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
       genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
       netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
       netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
       netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x43fda9
      RSP: 002b:00007ffd0c184ba8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9
      RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
      R10: 00000000004002c8 R11: 0000000000000213 R12: 00000000004016d0
      R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
       slab_post_alloc_hook mm/slab.h:445 [inline]
       slab_alloc_node mm/slub.c:2737 [inline]
       __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:984 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
       netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      In tipc_nl_compat_recv(), when the len variable returned by
      nlmsg_attrlen() is 0, the message is still treated as a valid one,
      which is obviously unresonable. When len is zero, it means the
      message not only doesn't contain any valid TLV payload, but also
      TLV header is not included. Under this stituation, tlv_type field
      in TLV header is still accessed in tipc_nl_compat_dumpit() or
      tipc_nl_compat_doit(), but the field space is obviously illegal.
      Of course, it is not initialized.
      
      Reported-by: syzbot+bca0dc46634781f08b38@syzkaller.appspotmail.com
      Reported-by: syzbot+6bdb590321a7ae40c1a6@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2753ca5d
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_name_table_dump · 974cb0e3
      Ying Xue authored
      syzbot reported:
      
      BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
      BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
      BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
      CPU: 0 PID: 6290 Comm: syz-executor848 Not tainted 4.19.0-rc8+ #70
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x306/0x460 lib/dump_stack.c:113
       kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
       __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
       __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
       __fswab32 include/uapi/linux/swab.h:59 [inline]
       tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
       __tipc_nl_compat_dumpit+0x59e/0xdb0 net/tipc/netlink_compat.c:205
       tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:270
       tipc_nl_compat_handle net/tipc/netlink_compat.c:1151 [inline]
       tipc_nl_compat_recv+0x1402/0x2760 net/tipc/netlink_compat.c:1210
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x440179
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffecec49318 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
      R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
      R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
       kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
       kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2727 [inline]
       __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:996 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
       netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      We cannot take for granted the thing that the length of data contained
      in TLV is longer than the size of struct tipc_name_table_query in
      tipc_nl_compat_name_table_dump().
      
      Reported-by: syzbot+06e771a754829716a327@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      974cb0e3
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_link_set · edf5ff04
      Ying Xue authored
      syzbot reports following splat:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
      CPU: 1 PID: 9306 Comm: syz-executor172 Not tainted 4.20.0-rc7+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x173/0x1d0 lib/dump_stack.c:113
        kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
        __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
        strlen+0x3b/0xa0 lib/string.c:486
        nla_put_string include/net/netlink.h:1154 [inline]
        __tipc_nl_compat_link_set net/tipc/netlink_compat.c:708 [inline]
        tipc_nl_compat_link_set+0x929/0x1220 net/tipc/netlink_compat.c:744
        __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
        tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
        tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
        tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
        genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
        genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
        netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
        genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
        netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
        netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
        netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
        sock_sendmsg_nosec net/socket.c:621 [inline]
        sock_sendmsg net/socket.c:631 [inline]
        ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
        __sys_sendmsg net/socket.c:2154 [inline]
        __do_sys_sendmsg net/socket.c:2163 [inline]
        __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
        __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
        do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
        entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The uninitialised access happened in
          nla_put_string(skb, TIPC_NLA_LINK_NAME, lc->name)
      
      This is because lc->name string is not validated before it's used.
      
      Reported-by: syzbot+d78b8a29241a195aefb8@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      edf5ff04
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_bearer_enable · 0762216c
      Ying Xue authored
      syzbot reported:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484
      CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x306/0x460 lib/dump_stack.c:113
       kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
       __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
       strlen+0x3b/0xa0 lib/string.c:484
       nla_put_string include/net/netlink.h:1011 [inline]
       tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389
       __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
       tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344
       tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x440179
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fffef7beee8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
      R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
      R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
       kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
       kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2727 [inline]
       __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:996 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
       netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The root cause is that we don't validate whether bear name is a valid
      string in tipc_nl_compat_bearer_enable().
      
      Meanwhile, we also fix the same issue in the following functions:
      tipc_nl_compat_bearer_disable()
      tipc_nl_compat_link_stat_dump()
      tipc_nl_compat_media_set()
      tipc_nl_compat_bearer_set()
      
      Reported-by: syzbot+b33d5cae0efd35dbfe77@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0762216c
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_link_reset_stats · 8b66fee7
      Ying Xue authored
      syzbot reports following splat:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
      CPU: 1 PID: 11057 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x173/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
       __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
       strlen+0x3b/0xa0 lib/string.c:486
       nla_put_string include/net/netlink.h:1154 [inline]
       tipc_nl_compat_link_reset_stats+0x1f0/0x360 net/tipc/netlink_compat.c:760
       __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
       tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
       tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
       tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x457ec9
      Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f2557338c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f25573396d4
      R13: 00000000004cb478 R14: 00000000004d86c8 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
       kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
       kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
       kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2759 [inline]
       __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
       __kmalloc_reserve net/core/skbuff.c:137 [inline]
       __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
       alloc_skb include/linux/skbuff.h:998 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
       netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The uninitialised access happened in tipc_nl_compat_link_reset_stats:
          nla_put_string(skb, TIPC_NLA_LINK_NAME, name)
      
      This is because name string is not validated before it's used.
      
      Reported-by: syzbot+e01d94b5a4c266be6e4c@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8b66fee7
    • Ying Xue's avatar
      tipc: fix uninit-value in in tipc_conn_rcv_sub · a88289f4
      Ying Xue authored
      syzbot reported:
      
      BUG: KMSAN: uninit-value in tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
      CPU: 0 PID: 66 Comm: kworker/u4:4 Not tainted 4.17.0-rc3+ #88
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: tipc_rcv tipc_conn_recv_work
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
       tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
       tipc_conn_rcv_from_sock net/tipc/topsrv.c:409 [inline]
       tipc_conn_recv_work+0x3cd/0x560 net/tipc/topsrv.c:424
       process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
       worker_thread+0x113c/0x24f0 kernel/workqueue.c:2279
       kthread+0x539/0x720 kernel/kthread.c:239
       ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:412
      
      Local variable description: ----s.i@tipc_conn_recv_work
      Variable was created at:
       tipc_conn_recv_work+0x65/0x560 net/tipc/topsrv.c:419
       process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
      
      In tipc_conn_rcv_from_sock(), it always supposes the length of message
      received from sock_recvmsg() is not smaller than the size of struct
      tipc_subscr. However, this assumption is false. Especially when the
      length of received message is shorter than struct tipc_subscr size,
      we will end up touching uninitialized fields in tipc_conn_rcv_sub().
      
      Reported-by: syzbot+8951a3065ee7fd6d6e23@syzkaller.appspotmail.com
      Reported-by: syzbot+75e6e042c5bbf691fc82@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a88289f4