1. 12 Mar, 2019 11 commits
    • Jack Morgenstein's avatar
      net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling · c07d2792
      Jack Morgenstein authored
      In procedures mlx4_cmd_use_events() and mlx4_cmd_use_polling(), we need to
      guarantee that there are no FW commands in progress on the comm channel
      (for VFs) or wrapped FW commands (on the PF) when SRIOV is active.
      
      We do this by also taking the slave_cmd_mutex when SRIOV is active.
      
      This is especially important when switching from event to polling, since we
      free the command-context array during the switch.  If there are FW commands
      in progress (e.g., waiting for a completion event), the completion event
      handler will access freed memory.
      
      Since the decision to use comm_wait or comm_poll is taken before grabbing
      the event_sem/poll_sem in mlx4_comm_cmd_wait/poll, we must take the
      slave_cmd_mutex as well (to guarantee that the decision to use events or
      polling and the call to the appropriate cmd function are atomic).
      
      Fixes: a7e1f049 ("net/mlx4_core: Fix deadlock when switching between polling and event fw commands")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c07d2792
    • Jack Morgenstein's avatar
      net/mlx4_core: Fix reset flow when in command polling mode · e15ce4b8
      Jack Morgenstein authored
      As part of unloading a device, the driver switches from
      FW command event mode to FW command polling mode.
      
      Part of switching over to polling mode is freeing the command context array
      memory (unfortunately, currently, without NULLing the command context array
      pointer).
      
      The reset flow calls "complete" to complete all outstanding fw commands
      (if we are in event mode). The check for event vs. polling mode here
      is to test if the command context array pointer is NULL.
      
      If the reset flow is activated after the switch to polling mode, it will
      attempt (incorrectly) to complete all the commands in the context array --
      because the pointer was not NULLed when the driver switched over to polling
      mode.
      
      As a result, we have a use-after-free situation, which results in a
      kernel crash.
      
      For example:
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff876c4a8e>] __wake_up_common+0x2e/0x90
      PGD 0
      Oops: 0000 [#1] SMP
      Modules linked in: netconsole nfsv3 nfs_acl nfs lockd grace ...
      CPU: 2 PID: 940 Comm: kworker/2:3 Kdump: loaded Not tainted 3.10.0-862.el7.x86_64 #1
      Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090006  04/28/2016
      Workqueue: events hv_eject_device_work [pci_hyperv]
      task: ffff8d1734ca0fd0 ti: ffff8d17354bc000 task.ti: ffff8d17354bc000
      RIP: 0010:[<ffffffff876c4a8e>]  [<ffffffff876c4a8e>] __wake_up_common+0x2e/0x90
      RSP: 0018:ffff8d17354bfa38  EFLAGS: 00010082
      RAX: 0000000000000000 RBX: ffff8d17362d42c8 RCX: 0000000000000000
      RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8d17362d42c8
      RBP: ffff8d17354bfa70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000298 R11: ffff8d173610e000 R12: ffff8d17362d42d0
      R13: 0000000000000246 R14: 0000000000000000 R15: 0000000000000003
      FS:  0000000000000000(0000) GS:ffff8d1802680000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 00000000f16d8000 CR4: 00000000001406e0
      Call Trace:
       [<ffffffff876c7adc>] complete+0x3c/0x50
       [<ffffffffc04242f0>] mlx4_cmd_wake_completions+0x70/0x90 [mlx4_core]
       [<ffffffffc041e7b1>] mlx4_enter_error_state+0xe1/0x380 [mlx4_core]
       [<ffffffffc041fa4b>] mlx4_comm_cmd+0x29b/0x360 [mlx4_core]
       [<ffffffffc041ff51>] __mlx4_cmd+0x441/0x920 [mlx4_core]
       [<ffffffff877f62b1>] ? __slab_free+0x81/0x2f0
       [<ffffffff87951384>] ? __radix_tree_lookup+0x84/0xf0
       [<ffffffffc043a8eb>] mlx4_free_mtt_range+0x5b/0xb0 [mlx4_core]
       [<ffffffffc043a957>] mlx4_mtt_cleanup+0x17/0x20 [mlx4_core]
       [<ffffffffc04272c7>] mlx4_free_eq+0xa7/0x1c0 [mlx4_core]
       [<ffffffffc042803e>] mlx4_cleanup_eq_table+0xde/0x130 [mlx4_core]
       [<ffffffffc0433e08>] mlx4_unload_one+0x118/0x300 [mlx4_core]
       [<ffffffffc0434191>] mlx4_remove_one+0x91/0x1f0 [mlx4_core]
      
      The fix is to set the command context array pointer to NULL after freeing
      the array.
      
      Fixes: f5aef5aa ("net/mlx4_core: Activate reset flow upon fatal command cases")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e15ce4b8
    • David S. Miller's avatar
      Merge branch 'mlxsw-Various-fixes' · c7fce569
      David S. Miller authored
      Ido Schimmel says:
      
      ====================
      mlxsw: Various fixes
      
      Patch #1 fixes the recently introduced QSFP thermal zones to correctly
      work with split ports, where several ports are mapped to the same
      module.
      
      Patch #2 initializes the base MAC in the minimal driver. The driver is
      using the base MAC as its parent ID and without initializing it, it is
      reported as all zeroes to user space.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7fce569
    • Jiri Pirko's avatar
      mlxsw: minimal: Initialize base_mac · 426aa1fc
      Jiri Pirko authored
      Currently base_mac is not initialized which causes wrong reporting of
      zeroed parent_id to userspace. Fix this by initializing base_mac
      properly.
      
      Fixes: c100e47c ("mlxsw: minimal: Add ethtool support")
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      426aa1fc
    • Vadim Pasternak's avatar
      mlxsw: core: Prevent duplication during QSFP module initialization · 6bab45b4
      Vadim Pasternak authored
      Verify during thermal initialization if QSFP module's entry is already
      configured in order to prevent duplication.
      Such scenario could happen in case two switch drivers (PCI and I2C
      based) coexist and if after boot, splitting configuration is applied
      for some ports and then I2C based driver is re-probed.
      In such case after reboot same QSFP module, associated with split will
      be discovered by I2C based driver few times, and it will cause a crash.
      
      It could happen for example on system equipped with BMC (Baseboard
      Management Controller), running I2C based driver, when the next steps
      are performed:
      - System boot
      - Host side configures port spilt.
      - BMC side is rebooted.
      
      Fixes: 6a79507c ("mlxsw: core: Extend thermal module with per QSFP module thermal zones")
      Signed-off-by: default avatarVadim Pasternak <vadimp@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6bab45b4
    • Kangjie Lu's avatar
      net: dwmac-sun8i: fix a missing check of of_get_phy_mode · 4ec850e5
      Kangjie Lu authored
      of_get_phy_mode may fail and return a negative error code;
      the fix checks the return value of of_get_phy_mode and
      returns -EINVAL of it fails.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4ec850e5
    • Kangjie Lu's avatar
      net: sh_eth: fix a missing check of of_get_phy_mode · 035a14e7
      Kangjie Lu authored
      of_get_phy_mode may fail and return a negative error code;
      the fix checks the return value of of_get_phy_mode and
      returns NULL of it fails.
      
      Fixes: b356e978 ("sh_eth: add device tree support")
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Reviewed-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reviewed-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Tested-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      035a14e7
    • Kangjie Lu's avatar
      net: 8390: fix potential NULL pointer dereferences · c7cbc3e9
      Kangjie Lu authored
      In case ioremap fails, the fix releases resources and returns
      to avoid NULL pointer dereferences.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7cbc3e9
    • Kangjie Lu's avatar
      net: fujitsu: fix a potential NULL pointer dereference · 9f4d6358
      Kangjie Lu authored
      In case ioremap fails, the fix releases the pcmcia window and
      returns -ENOMEM to avoid the NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9f4d6358
    • Kangjie Lu's avatar
      net: qlogic: fix a potential NULL pointer dereference · eb32cfcd
      Kangjie Lu authored
      In case create_singlethread_workqueue fails, the fix returns
      -ENOMEM to avoid NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb32cfcd
    • Kangjie Lu's avatar
      isdn: hfcpci: fix potential NULL pointer dereference · 10010493
      Kangjie Lu authored
      In case ioremap fails, the fix releases resources and returns.
      The following printk is for logging purpose and thus is
      preserved.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      10010493
  2. 11 Mar, 2019 26 commits
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2019-03-11' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · a3b1933d
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2019-03-11
      
      For -stable v5.0:
      ('net/mlx5e: Fix access to non-existing receive queue')
      ('net/mlx5e: Properly get the PF number phys port name ndo')
      ('net/mlx5: Fix multiple updates of steering rules in parallel')
      ('net/mlx5: Avoid panic when setting vport mac, getting vport config')
      ('net/mlx5: Avoid panic when setting vport rate')
      ('net/mlx5e: IPoIB, Fix RX checksum statistics update')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a3b1933d
    • xiaofeis's avatar
      Documentation: devicetree: add a new optional property for port mac address · c6873d18
      xiaofeis authored
      Add documentation for a new optional property local-mac-address which
      is described in ethernet.txt.
      Signed-off-by: default avatarxiaofeis <xiaofeis@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c6873d18
    • Kangjie Lu's avatar
      net: rocker: fix a potential NULL pointer dereference · 5c149314
      Kangjie Lu authored
      In case kzalloc fails, the fix releases resources and returns
      NOTIFY_BAD to avoid NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c149314
    • Kangjie Lu's avatar
      net: qlge: fix a potential NULL pointer dereference · 4280b730
      Kangjie Lu authored
      In case alloc_ordered_workqueue fails, the fix returns
      -ENOMEM to avoid NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4280b730
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · ab0891f5
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree:
      
      1) Fix list corruption in device notifier in the masquerade
         infrastructure, from Florian Westphal.
      
      2) Fix double-free of sets and use-after-free when deleting elements.
      
      3) Don't bogusly return EBUSY when removing a set after flush command.
      
      4) Use-after-free in dynamically allocate operations.
      
      5) Don't report a new ruleset generation to userspace if transaction
         list is empty, this invalidates the userspace cache innecessarily.
         From Florian Westphal.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab0891f5
    • Eric Dumazet's avatar
      net/x25: reset state in x25_connect() · ee74d0bd
      Eric Dumazet authored
      In case x25_connect() fails and frees the socket neighbour,
      we also need to undo the change done to x25->state.
      
      Before my last bug fix, we had use-after-free so this
      patch fixes a latent bug.
      
      syzbot report :
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 16137 Comm: syz-executor.1 Not tainted 5.0.0+ #117
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:x25_write_internal+0x1e8/0xdf0 net/x25/x25_subr.c:173
      Code: 00 40 88 b5 e0 fe ff ff 0f 85 01 0b 00 00 48 8b 8b 80 04 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d 79 1c 48 89 fe 48 c1 ee 03 <0f> b6 34 16 48 89 fa 83 e2 07 83 c2 03 40 38 f2 7c 09 40 84 f6 0f
      RSP: 0018:ffff888076717a08 EFLAGS: 00010207
      RAX: ffff88805f2f2292 RBX: ffff8880a0ae6000 RCX: 0000000000000000
      kobject: 'loop5' (0000000018d0d0ee): kobject_uevent_env
      RDX: dffffc0000000000 RSI: 0000000000000003 RDI: 000000000000001c
      RBP: ffff888076717b40 R08: ffff8880950e0580 R09: ffffed100be5e46d
      R10: ffffed100be5e46c R11: ffff88805f2f2363 R12: ffff888065579840
      kobject: 'loop5' (0000000018d0d0ee): fill_kobj_path: path = '/devices/virtual/block/loop5'
      R13: 1ffff1100ece2f47 R14: 0000000000000013 R15: 0000000000000013
      FS:  00007fb88cf43700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f9a42a41028 CR3: 0000000087a67000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       x25_release+0xd0/0x340 net/x25/af_x25.c:658
       __sock_release+0xd3/0x2b0 net/socket.c:579
       sock_close+0x1b/0x30 net/socket.c:1162
       __fput+0x2df/0x8d0 fs/file_table.c:278
       ____fput+0x16/0x20 fs/file_table.c:309
       task_work_run+0x14a/0x1c0 kernel/task_work.c:113
       get_signal+0x1961/0x1d50 kernel/signal.c:2388
       do_signal+0x87/0x1940 arch/x86/kernel/signal.c:816
       exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:162
       prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
       do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x457f29
      Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fb88cf42c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
      RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 0000000000457f29
      RDX: 0000000000000012 RSI: 0000000020000080 RDI: 0000000000000004
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb88cf436d4
      R13: 00000000004be462 R14: 00000000004cec98 R15: 00000000ffffffff
      Modules linked in:
      
      Fixes: 95d6ebd5 ("net/x25: fix use-after-free in x25_device_event()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: andrew hendry <andrew.hendry@gmail.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee74d0bd
    • Christoph Paasch's avatar
      tcp: Don't access TCP_SKB_CB before initializing it · f2feaefd
      Christoph Paasch authored
      Since commit eeea10b8 ("tcp: add
      tcp_v4_fill_cb()/tcp_v4_restore_cb()"), tcp_vX_fill_cb is only called
      after tcp_filter(). That means, TCP_SKB_CB(skb)->end_seq still points to
      the IP-part of the cb.
      
      We thus should not mock with it, as this can trigger bugs (thanks
      syzkaller):
      [   12.349396] ==================================================================
      [   12.350188] BUG: KASAN: slab-out-of-bounds in ip6_datagram_recv_specific_ctl+0x19b3/0x1a20
      [   12.351035] Read of size 1 at addr ffff88006adbc208 by task test_ip6_datagr/1799
      
      Setting end_seq is actually no more necessary in tcp_filter as it gets
      initialized later on in tcp_vX_fill_cb.
      
      Cc: Eric Dumazet <edumazet@google.com>
      Fixes: eeea10b8 ("tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb()")
      Signed-off-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2feaefd
    • Kangjie Lu's avatar
      net: thunder: fix a potential NULL pointer dereference · 0b31d98d
      Kangjie Lu authored
      In case alloc_ordered_workqueue fails, the fix reports the error
      and returns -ENOMEM.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b31d98d
    • Kangjie Lu's avatar
      net: lio_core: fix two NULL pointer dereferences · 41af8b3a
      Kangjie Lu authored
      In case octeon_alloc_soft_command fails, the fix reports the
      error and returns to avoid NULL pointer dereferences.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      41af8b3a
    • Bryan Whitehead's avatar
      lan743x: Fix RX Kernel Panic · dd9d9f59
      Bryan Whitehead authored
      It has been noticed that running the speed test at
      www.speedtest.net occasionally causes a kernel panic.
      
      Investigation revealed that under this test RX buffer allocation
      sometimes fails and returns NULL. But the lan743x driver did
      not handle this case.
      
      This patch fixes this issue by attempting to allocate a buffer
      before sending the new rx packet to the OS. If the allocation
      fails then the new rx packet is dropped and the existing buffer
      is reused in the DMA ring.
      
      Updates for v2:
          Additional 2 locations where allocation was not checked,
              has been changed to reuse existing buffer.
      
      Fixes: 23f0703c ("lan743x: Add main source files for new lan743x driver")
      Signed-off-by: default avatarBryan Whitehead <Bryan.Whitehead@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dd9d9f59
    • Florian Westphal's avatar
      netfilter: nf_tables: return immediately on empty commit · b8b27498
      Florian Westphal authored
      When running 'nft flush ruleset' while no rules exist, we will increment
      the generation counter and announce a new genid to userspace, yet
      nothing had changed in the first place.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      b8b27498
    • Kangjie Lu's avatar
      net: liquidio: fix a NULL pointer dereference · fe543b2f
      Kangjie Lu authored
      In case octeon_alloc_soft_command fails, the fix reports the
      error and returns to avoid NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fe543b2f
    • Tonghao Zhang's avatar
      net/mlx5: Avoid panic when setting vport rate · 24319258
      Tonghao Zhang authored
      If we try to set VFs rate on a VF (not PF) net device, the kernel
      will be crash. The commands are show as below:
      
      $ echo 2 > /sys/class/net/$MLX_PF0/device/sriov_numvfs
      $ ip link set $MLX_VF0 vf 0 max_tx_rate 2 min_tx_rate 1
      
      If not applied the first patch ("net/mlx5: Avoid panic when setting
      vport mac, getting vport config"), the command:
      
      $ ip link set $MLX_VF0 vf 0 rate 100
      
      can also crash the kernel.
      
      [ 1650.006388] RIP: 0010:mlx5_eswitch_set_vport_rate+0x1f/0x260 [mlx5_core]
      [ 1650.007092]  do_setlink+0x982/0xd20
      [ 1650.007129]  __rtnl_newlink+0x528/0x7d0
      [ 1650.007374]  rtnl_newlink+0x43/0x60
      [ 1650.007407]  rtnetlink_rcv_msg+0x2a2/0x320
      [ 1650.007484]  netlink_rcv_skb+0xcb/0x100
      [ 1650.007519]  netlink_unicast+0x17f/0x230
      [ 1650.007554]  netlink_sendmsg+0x2d2/0x3d0
      [ 1650.007592]  sock_sendmsg+0x36/0x50
      [ 1650.007625]  ___sys_sendmsg+0x280/0x2a0
      [ 1650.007963]  __sys_sendmsg+0x58/0xa0
      [ 1650.007998]  do_syscall_64+0x5b/0x180
      [ 1650.009438]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c9497c98 ("net/mlx5: Add support for setting VF min rate")
      Cc: Mohamad Haj Yahia <mohamad@mellanox.com>
      Signed-off-by: default avatarTonghao Zhang <xiangxia.m.yue@gmail.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Acked-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      24319258
    • Tonghao Zhang's avatar
      net/mlx5: Avoid panic when setting vport mac, getting vport config · 6e77c413
      Tonghao Zhang authored
      If we try to set VFs mac address on a VF (not PF) net device,
      the kernel will be crash. The commands are show as below:
      
      $ echo 2 > /sys/class/net/$MLX_PF0/device/sriov_numvfs
      $ ip link set $MLX_VF0 vf 0 mac 00:11:22:33:44:00
      
      [exception RIP: mlx5_eswitch_set_vport_mac+41]
      [ffffb8b7079e3688] do_setlink at ffffffff8f67f85b
      [ffffb8b7079e37a8] __rtnl_newlink at ffffffff8f683778
      [ffffb8b7079e3b68] rtnl_newlink at ffffffff8f683a63
      [ffffb8b7079e3b90] rtnetlink_rcv_msg at ffffffff8f67d812
      [ffffb8b7079e3c10] netlink_rcv_skb at ffffffff8f6b88ab
      [ffffb8b7079e3c60] netlink_unicast at ffffffff8f6b808f
      [ffffb8b7079e3ca0] netlink_sendmsg at ffffffff8f6b8412
      [ffffb8b7079e3d18] sock_sendmsg at ffffffff8f6452f6
      [ffffb8b7079e3d30] ___sys_sendmsg at ffffffff8f645860
      [ffffb8b7079e3eb0] __sys_sendmsg at ffffffff8f647a38
      [ffffb8b7079e3f38] do_syscall_64 at ffffffff8f00401b
      [ffffb8b7079e3f50] entry_SYSCALL_64_after_hwframe at ffffffff8f80008c
      
      and
      
      [exception RIP: mlx5_eswitch_get_vport_config+12]
      [ffffa70607e57678] mlx5e_get_vf_config at ffffffffc03c7f8f [mlx5_core]
      [ffffa70607e57688] do_setlink at ffffffffbc67fa59
      [ffffa70607e577a8] __rtnl_newlink at ffffffffbc683778
      [ffffa70607e57b68] rtnl_newlink at ffffffffbc683a63
      [ffffa70607e57b90] rtnetlink_rcv_msg at ffffffffbc67d812
      [ffffa70607e57c10] netlink_rcv_skb at ffffffffbc6b88ab
      [ffffa70607e57c60] netlink_unicast at ffffffffbc6b808f
      [ffffa70607e57ca0] netlink_sendmsg at ffffffffbc6b8412
      [ffffa70607e57d18] sock_sendmsg at ffffffffbc6452f6
      [ffffa70607e57d30] ___sys_sendmsg at ffffffffbc645860
      [ffffa70607e57eb0] __sys_sendmsg at ffffffffbc647a38
      [ffffa70607e57f38] do_syscall_64 at ffffffffbc00401b
      [ffffa70607e57f50] entry_SYSCALL_64_after_hwframe at ffffffffbc80008c
      
      Fixes: a8d70a05 ("net/mlx5: E-Switch, Disallow vlan/spoofcheck setup if not being esw manager")
      Cc: Eli Cohen <eli@mellanox.com>
      Signed-off-by: default avatarTonghao Zhang <xiangxia.m.yue@gmail.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Acked-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      6e77c413
    • Tariq Toukan's avatar
      net/mlx5e: Fix access to non-existing receive queue · c475e11e
      Tariq Toukan authored
      In case number of channels is changed while interface is down,
      RSS indirection table is mistakenly not modified accordingly,
      causing access to out-of-range non-existing object.
      
      Fix by updating the RSS indireciton table also in the early
      return flow of interface down.
      
      Fixes: fb35c534 ("net/mlx5e: Fix NULL pointer derefernce in set channels error flow")
      Fixes: bbeb53b8 ("net/mlx5e: Move RSS params to a dedicated struct")
      Reported-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Tested-by: default avatarMaria Pasechnik <mariap@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Reviewed-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      c475e11e
    • Feras Daoud's avatar
      net/mlx5e: IPoIB, Fix RX checksum statistics update · 3d6f3cdf
      Feras Daoud authored
      Update the RX checksum only if the feature is enabled.
      
      Fixes: 9d6bd752 ("net/mlx5e: IPoIB, RX handler")
      Signed-off-by: default avatarFeras Daoud <ferasda@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      3d6f3cdf
    • Roi Dayan's avatar
      net/mlx5: Remove redundant lag function to get pf num · 6ffb6303
      Roi Dayan authored
      The function is not being used.
      Signed-off-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      6ffb6303
    • Roi Dayan's avatar
      net/mlx5e: Properly get the PF number phys port name ndo · 5b33eba9
      Roi Dayan authored
      Currently, we fail to retrieve the PF number in some cases (e.g
      single ported cards, lag capability), this further results in a
      call trace issued by the rtnetlink code, since the error value
      is not -EOPNOTSUPP. Change the implementation to be independent
      from the lag code and function properly on both two ports and
      single ported cards.
      
      Call Trace:
      
      [  194.525057] mlx5_core 0000:82:00.0: mlx5_lag_get_pf_num:605:(pid 837): no lag device, can't get pf num
      [  194.525804] WARNING: CPU: 7 PID: 837 at net/core/rtnetlink.c:3457 rtmsg_ifinfo_build_skb+0x131/0x160
      [  194.529952] CPU: 7 PID: 837 Comm: kworker/7:3 Tainted: G        W  O      5.0.0-rc7+ #3
      [  194.531307] Workqueue: events linkwatch_event
      [  194.531697] RIP: 0010:rtmsg_ifinfo_build_skb+0x131/0x160
      [  194.545007] Call Trace:
      [  194.545406]  rtmsg_ifinfo_event.part.29+0x1b/0xb0
      [  194.545810]  rtmsg_ifinfo+0x51/0x80
      [  194.546209]  netdev_state_change+0xc7/0x110
      [  194.546608]  ? dev_valid_name+0x1b0/0x1b0
      [  194.547010]  ? __local_bh_enable_ip+0xef/0x1d0
      [  194.547411]  ? lockdep_hardirqs_on+0x3ea/0x560
      [  194.547811]  ? linkwatch_do_dev+0x9b/0x100
      [  194.548207]  linkwatch_do_dev+0x9b/0x100
      [  194.548605]  __linkwatch_run_queue+0x244/0x430
      [  194.549014]  ? linkwatch_schedule_work+0x100/0x100
      [  194.549412]  ? lock_acquire+0x10f/0x2d0
      [  194.549816]  linkwatch_event+0x3f/0x50
      [  194.550212]  process_one_work+0x7d3/0x1460
      
      Fixes: c12ecc23 ("net/mlx5e: Move to use common phys port names for vport representors")
      Signed-off-by: default avatarRoi Dayan <roid@mellanox.com>
      Acked-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      5b33eba9
    • Eli Britstein's avatar
      net/mlx5: Consolidate update FTE for all removal changes · 718ce4d6
      Eli Britstein authored
      With commit a18e879d ("net/mlx5e: Annul encap action ordering
      requirement") and a use-case of e-switch remote mirroring, the
      incremental/stepped FTE removal process done by the fs core got us to
      illegal transient states and FW errors:
      
      SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad
      parameter(0x3), syndrome (0x9c2e40)
      
      To avoid that and improve FTE removal performance, aggregate the FTE's
      updates that should be applied. Remove the FTE if it is empty, or apply
      one FW update command with the aggregated updates.
      
      Fixes: a18e879d ("net/mlx5e: Annul encap action ordering requirement")
      Signed-off-by: default avatarEli Britstein <elibr@mellanox.com>
      Reviewed-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Reviewed-by: default avatarMark Bloch <markb@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      718ce4d6
    • Eli Britstein's avatar
      net/mlx5: Add a locked flag to node removal functions · 476d61b7
      Eli Britstein authored
      Add a locked flag to the node removal functions to signal if the
      parent is already locked from the caller function or not as a pre-step
      towards outside lock. Currently always use false with no functional
      change.
      Signed-off-by: default avatarEli Britstein <elibr@mellanox.com>
      Reviewed-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Reviewed-by: default avatarMark Bloch <markb@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      476d61b7
    • Eli Britstein's avatar
      net/mlx5: Add modify FTE helper function · e7aafc8f
      Eli Britstein authored
      Add modify FTE helper function and use it when deleting a rule, as a
      pre-step towards consolidated FTE modification, with no functional
      change.
      Signed-off-by: default avatarEli Britstein <elibr@mellanox.com>
      Reviewed-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Reviewed-by: default avatarMark Bloch <markb@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      e7aafc8f
    • Eli Britstein's avatar
      net/mlx5: Fix multiple updates of steering rules in parallel · 6237634d
      Eli Britstein authored
      There might be a condition where the fte found is not active yet. In
      this case we should not use it, but continue to search for another, or
      allocate a new one.
      
      Fixes: bd71b08e ("net/mlx5: Support multiple updates of steering rules in parallel")
      Signed-off-by: default avatarEli Britstein <elibr@mellanox.com>
      Reviewed-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      6237634d
    • Arnd Bergmann's avatar
      y2038: fix socket.h header inclusion · a623a7a1
      Arnd Bergmann authored
      Referencing the __kernel_long_t type caused some user space applications
      to stop compiling when they had not already included linux/posix_types.h,
      e.g.
      
      s/multicast.c -o ext/sockets/multicast.lo
      In file included from /builddir/build/BUILD/php-7.3.3/main/php.h:468,
                       from /builddir/build/BUILD/php-7.3.3/ext/sockets/sockets.c:27:
      /builddir/build/BUILD/php-7.3.3/ext/sockets/sockets.c: In function 'zm_startup_sockets':
      /builddir/build/BUILD/php-7.3.3/ext/sockets/sockets.c:776:40: error: '__kernel_long_t' undeclared (first use in this function)
        776 |  REGISTER_LONG_CONSTANT("SO_SNDTIMEO", SO_SNDTIMEO, CONST_CS | CONST_PERSISTENT);
      
      It is safe to include that header here, since it only contains kernel
      internal types that do not conflict with other user space types.
      
      It's still possible that some related build failures remain, but those
      are likely to be for code that is not already y2038 safe.
      Reported-by: default avatarLaura Abbott <labbott@redhat.com>
      Fixes: a9beb86a ("sock: Add SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a623a7a1
    • Miaohe Lin's avatar
      net: sit: fix UBSAN Undefined behaviour in check_6rd · a843dc4e
      Miaohe Lin authored
      In func check_6rd,tunnel->ip6rd.relay_prefixlen may equal to
      32,so UBSAN complain about it.
      
      UBSAN: Undefined behaviour in net/ipv6/sit.c:781:47
      shift exponent 32 is too large for 32-bit type 'unsigned int'
      CPU: 6 PID: 20036 Comm: syz-executor.0 Not tainted 4.19.27 #2
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
      04/01/2014
      Call Trace:
      __dump_stack lib/dump_stack.c:77 [inline]
      dump_stack+0xca/0x13e lib/dump_stack.c:113
      ubsan_epilogue+0xe/0x81 lib/ubsan.c:159
      __ubsan_handle_shift_out_of_bounds+0x293/0x2e8 lib/ubsan.c:425
      check_6rd.constprop.9+0x433/0x4e0 net/ipv6/sit.c:781
      try_6rd net/ipv6/sit.c:806 [inline]
      ipip6_tunnel_xmit net/ipv6/sit.c:866 [inline]
      sit_tunnel_xmit+0x141c/0x2720 net/ipv6/sit.c:1033
      __netdev_start_xmit include/linux/netdevice.h:4300 [inline]
      netdev_start_xmit include/linux/netdevice.h:4309 [inline]
      xmit_one net/core/dev.c:3243 [inline]
      dev_hard_start_xmit+0x17c/0x780 net/core/dev.c:3259
      __dev_queue_xmit+0x1656/0x2500 net/core/dev.c:3829
      neigh_output include/net/neighbour.h:501 [inline]
      ip6_finish_output2+0xa36/0x2290 net/ipv6/ip6_output.c:120
      ip6_finish_output+0x3e7/0xa20 net/ipv6/ip6_output.c:154
      NF_HOOK_COND include/linux/netfilter.h:278 [inline]
      ip6_output+0x1e2/0x720 net/ipv6/ip6_output.c:171
      dst_output include/net/dst.h:444 [inline]
      ip6_local_out+0x99/0x170 net/ipv6/output_core.c:176
      ip6_send_skb+0x9d/0x2f0 net/ipv6/ip6_output.c:1697
      ip6_push_pending_frames+0xc0/0x100 net/ipv6/ip6_output.c:1717
      rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
      rawv6_sendmsg+0x2435/0x3530 net/ipv6/raw.c:946
      inet_sendmsg+0xf8/0x5c0 net/ipv4/af_inet.c:798
      sock_sendmsg_nosec net/socket.c:621 [inline]
      sock_sendmsg+0xc8/0x110 net/socket.c:631
      ___sys_sendmsg+0x6cf/0x890 net/socket.c:2114
      __sys_sendmsg+0xf0/0x1b0 net/socket.c:2152
      do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: default avatarlinmiaohe <linmiaohe@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a843dc4e
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: use-after-free in dynamic operations · 3f3a390d
      Pablo Neira Ayuso authored
      Smatch reports:
      
             net/netfilter/nf_tables_api.c:2167 nf_tables_expr_destroy()
              error: dereferencing freed memory 'expr->ops'
      
      net/netfilter/nf_tables_api.c
          2162 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
          2163                                   struct nft_expr *expr)
          2164 {
          2165        if (expr->ops->destroy)
          2166                expr->ops->destroy(ctx, expr);
                                                      ^^^^
      --> 2167        module_put(expr->ops->type->owner);
                                 ^^^^^^^^^
          2168 }
      
      Smatch says there are three functions which free expr->ops.
      
      Fixes: b8e20400 ("netfilter: nft_compat: use .release_ops and remove list of extension")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      3f3a390d
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: bogus EBUSY when deleting set after flush · 273fe3f1
      Pablo Neira Ayuso authored
      Set deletion after flush coming in the same batch results in EBUSY. Add
      set use counter to track the number of references to this set from
      rules. We cannot rely on the list of bindings for this since such list
      is still populated from the preparation phase.
      Reported-by: default avatarVáclav Zindulka <vaclav.zindulka@tlapnet.cz>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      273fe3f1
  3. 10 Mar, 2019 3 commits
    • Eric Dumazet's avatar
      gro_cells: make sure device is up in gro_cells_receive() · 2a5ff07a
      Eric Dumazet authored
      We keep receiving syzbot reports [1] that show that tunnels do not play
      the rcu/IFF_UP rules properly.
      
      At device dismantle phase, gro_cells_destroy() will be called
      only after a full rcu grace period is observed after IFF_UP
      has been cleared.
      
      This means that IFF_UP needs to be tested before queueing packets
      into netif_rx() or gro_cells.
      
      This patch implements the test in gro_cells_receive() because
      too many callers do not seem to bother enough.
      
      [1]
      BUG: unable to handle kernel paging request at fffff4ca0b9ffffe
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP KASAN
      CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0+ #97
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: netns cleanup_net
      RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
      RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
      RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
      RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
      RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
      Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
      RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02
      RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe
      RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0
      RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645
      R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000
      R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75
      kobject: 'loop2' (000000004bd7d84a): kobject_uevent_env
      FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0
      Call Trace:
      kobject: 'loop2' (000000004bd7d84a): fill_kobj_path: path = '/devices/virtual/block/loop2'
       ip_tunnel_dev_free+0x19/0x60 net/ipv4/ip_tunnel.c:1010
       netdev_run_todo+0x51c/0x7d0 net/core/dev.c:8970
       rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116
       ip_tunnel_delete_nets+0x423/0x5f0 net/ipv4/ip_tunnel.c:1124
       vti_exit_batch_net+0x23/0x30 net/ipv4/ip_vti.c:495
       ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
       cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
       process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
       worker_thread+0x98/0xe40 kernel/workqueue.c:2319
       kthread+0x357/0x430 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      Modules linked in:
      CR2: fffff4ca0b9ffffe
         [ end trace 513fc9c1338d1cb3 ]
      RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
      RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
      RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
      RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
      RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
      Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
      RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02
      RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe
      RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0
      RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645
      R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000
      kobject: 'loop3' (00000000e4ee57a6): kobject_uevent_env
      R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75
      FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0
      
      Fixes: c9e6bc64 ("net: add gro_cells infrastructure")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a5ff07a
    • Eric Dumazet's avatar
      vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() · 59cbf56f
      Eric Dumazet authored
      Same reasons than the ones explained in commit 4179cb5a
      ("vxlan: test dev->flags & IFF_UP before calling netif_rx()")
      
      netif_rx() or gro_cells_receive() must be called under a strict contract.
      
      At device dismantle phase, core networking clears IFF_UP
      and flush_all_backlogs() is called after rcu grace period
      to make sure no incoming packet might be in a cpu backlog
      and still referencing the device.
      
      A similar protocol is used for gro_cells infrastructure, as
      gro_cells_destroy() will be called only after a full rcu
      grace period is observed after IFF_UP has been cleared.
      
      Most drivers call netif_rx() from their interrupt handler,
      and since the interrupts are disabled at device dismantle,
      netif_rx() does not have to check dev->flags & IFF_UP
      
      Virtual drivers do not have this guarantee, and must
      therefore make the check themselves.
      
      Otherwise we risk use-after-free and/or crashes.
      
      Fixes: d342894c ("vxlan: virtual extensible lan")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59cbf56f
    • Eric Dumazet's avatar
      net/x25: fix use-after-free in x25_device_event() · 95d6ebd5
      Eric Dumazet authored
      In case of failure x25_connect() does a x25_neigh_put(x25->neighbour)
      but forgets to clear x25->neighbour pointer, thus triggering use-after-free.
      
      Since the socket is visible in x25_list, we need to hold x25_list_lock
      to protect the operation.
      
      syzbot report :
      
      BUG: KASAN: use-after-free in x25_kill_by_device net/x25/af_x25.c:217 [inline]
      BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0 net/x25/af_x25.c:252
      Read of size 8 at addr ffff8880a030edd0 by task syz-executor003/7854
      
      CPU: 0 PID: 7854 Comm: syz-executor003 Not tainted 5.0.0+ #97
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
       kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
       x25_kill_by_device net/x25/af_x25.c:217 [inline]
       x25_device_event+0x296/0x2b0 net/x25/af_x25.c:252
       notifier_call_chain+0xc7/0x240 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
       call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
       call_netdevice_notifiers net/core/dev.c:1765 [inline]
       __dev_notify_flags+0x1e9/0x2c0 net/core/dev.c:7607
       dev_change_flags+0x10d/0x170 net/core/dev.c:7643
       dev_ifsioc+0x2b0/0x940 net/core/dev_ioctl.c:237
       dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:488
       sock_do_ioctl+0x1bd/0x300 net/socket.c:995
       sock_ioctl+0x32b/0x610 net/socket.c:1096
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:509 [inline]
       do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:696
       ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
       __do_sys_ioctl fs/ioctl.c:720 [inline]
       __se_sys_ioctl fs/ioctl.c:718 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x4467c9
      Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fdbea222d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
      RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
      RBP: 00000000006dbc50 R08: 00007fdbea223700 R09: 0000000000000000
      R10: 00007fdbea223700 R11: 0000000000000246 R12: 00000000006dbc5c
      R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
      
      Allocated by task 7843:
       save_stack+0x45/0xd0 mm/kasan/common.c:73
       set_track mm/kasan/common.c:85 [inline]
       __kasan_kmalloc mm/kasan/common.c:495 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:468
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:509
       kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3615
       kmalloc include/linux/slab.h:545 [inline]
       x25_link_device_up+0x46/0x3f0 net/x25/x25_link.c:249
       x25_device_event+0x116/0x2b0 net/x25/af_x25.c:242
       notifier_call_chain+0xc7/0x240 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
       call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
       call_netdevice_notifiers net/core/dev.c:1765 [inline]
       __dev_notify_flags+0x121/0x2c0 net/core/dev.c:7605
       dev_change_flags+0x10d/0x170 net/core/dev.c:7643
       dev_ifsioc+0x2b0/0x940 net/core/dev_ioctl.c:237
       dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:488
       sock_do_ioctl+0x1bd/0x300 net/socket.c:995
       sock_ioctl+0x32b/0x610 net/socket.c:1096
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:509 [inline]
       do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:696
       ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
       __do_sys_ioctl fs/ioctl.c:720 [inline]
       __se_sys_ioctl fs/ioctl.c:718 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 7865:
       save_stack+0x45/0xd0 mm/kasan/common.c:73
       set_track mm/kasan/common.c:85 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:457
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:465
       __cache_free mm/slab.c:3494 [inline]
       kfree+0xcf/0x230 mm/slab.c:3811
       x25_neigh_put include/net/x25.h:253 [inline]
       x25_connect+0x8d8/0xde0 net/x25/af_x25.c:824
       __sys_connect+0x266/0x330 net/socket.c:1685
       __do_sys_connect net/socket.c:1696 [inline]
       __se_sys_connect net/socket.c:1693 [inline]
       __x64_sys_connect+0x73/0xb0 net/socket.c:1693
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8880a030edc0
       which belongs to the cache kmalloc-256 of size 256
      The buggy address is located 16 bytes inside of
       256-byte region [ffff8880a030edc0, ffff8880a030eec0)
      The buggy address belongs to the page:
      page:ffffea000280c380 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
      flags: 0x1fffc0000000200(slab)
      raw: 01fffc0000000200 ffffea0002806788 ffffea00027f0188 ffff88812c3f07c0
      raw: 0000000000000000 ffff8880a030e000 000000010000000c 0000000000000000
      page dumped because: kasan: bad access detected
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: syzbot+04babcefcd396fabec37@syzkaller.appspotmail.com
      Cc: andrew hendry <andrew.hendry@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      95d6ebd5