1. 05 Mar, 2024 5 commits
  2. 04 Mar, 2024 6 commits
    • David S. Miller's avatar
      Merge branch 'mptcp-test-fixes' · 948abb59
      David S. Miller authored
      Matthieu Baerts says:
      
      ====================
      selftests: mptcp: fixes for diag.sh
      
      Here are two patches fixing issues in MPTCP diag.sh kselftest:
      
      - Patch 1 makes sure the exit code is '1' in case of error, and not the
        test ID, not to return an exit code that would be wrongly interpreted
        by the ksefltests framework, e.g. '4' means 'skip'.
      
      - Patch 2 avoids waiting for unnecessary conditions, which can cause
        timeouts in some very slow environments.
      ====================
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      948abb59
    • Matthieu Baerts (NGI0)'s avatar
      selftests: mptcp: diag: avoid extra waiting · f05d2283
      Matthieu Baerts (NGI0) authored
      When creating a lot of listener sockets, it is enough to wait only for
      the last one, like we are doing before in diag.sh for other subtests.
      
      If we do a check for each listener sockets, each time listing all
      available sockets, it can take a very long time in very slow
      environments, at the point we can reach some timeout.
      
      When using the debug kconfig, the waiting time switches from more than
      8 sec to 0.1 sec on my side. In slow/busy environments, and with a poll
      timeout set to 30 ms, the waiting time could go up to ~100 sec because
      the listener socket would timeout and stop, while the script would still
      be checking one by one if all sockets are ready. The result is that
      after having waited for everything to be ready, all sockets have been
      stopped due to a timeout, and it is too late for the script to check how
      many there were.
      
      While at it, also removed ss options we don't need: we only need the
      filtering options, to count how many listener sockets have been created.
      We don't need to ask ss to display internal TCP information, and the
      memory if the output is dropped by the 'wc -l' command anyway.
      
      Fixes: b4b51d36 ("selftests: mptcp: explicitly trigger the listener diag code-path")
      Reported-by: default avatarJakub Kicinski <kuba@kernel.org>
      Closes: https://lore.kernel.org/r/20240301063754.2ecefecf@kernel.orgSigned-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f05d2283
    • Geliang Tang's avatar
      selftests: mptcp: diag: return KSFT_FAIL not test_cnt · 45bcc034
      Geliang Tang authored
      The test counter 'test_cnt' should not be returned in diag.sh, e.g. what
      if only the 4th test fail? Will do 'exit 4' which is 'exit ${KSFT_SKIP}',
      the whole test will be marked as skipped instead of 'failed'!
      
      So we should do ret=${KSFT_FAIL} instead.
      
      Fixes: df62f2ec ("selftests/mptcp: add diag interface tests")
      Cc: stable@vger.kernel.org
      Fixes: 42fb6cdd ("selftests: mptcp: more stable diag tests")
      Signed-off-by: default avatarGeliang Tang <tanggeliang@kylinos.cn>
      Reviewed-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45bcc034
    • Jakub Kicinski's avatar
      page_pool: fix netlink dump stop/resume · 429679dc
      Jakub Kicinski authored
      If message fills up we need to stop writing. 'break' will
      only get us out of the iteration over pools of a single
      netdev, we need to also stop walking netdevs.
      
      This results in either infinite dump, or missing pools,
      depending on whether message full happens on the last
      netdev (infinite dump) or non-last (missing pools).
      
      Fixes: 950ab53b ("net: page_pool: implement GET in the netlink API")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      429679dc
    • Eric Dumazet's avatar
      geneve: make sure to pull inner header in geneve_rx() · 1ca1ba46
      Eric Dumazet authored
      syzbot triggered a bug in geneve_rx() [1]
      
      Issue is similar to the one I fixed in commit 8d975c15
      ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
      
      We have to save skb->network_header in a temporary variable
      in order to be able to recompute the network_header pointer
      after a pskb_inet_may_pull() call.
      
      pskb_inet_may_pull() makes sure the needed headers are in skb->head.
      
      [1]
      BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
       BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
       BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
        IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
        geneve_rx drivers/net/geneve.c:279 [inline]
        geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
        udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
        udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
        udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
        __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
        udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
        ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
        ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
        NF_HOOK include/linux/netfilter.h:314 [inline]
        ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
        dst_input include/net/dst.h:461 [inline]
        ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
        NF_HOOK include/linux/netfilter.h:314 [inline]
        ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
        __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
        __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
        process_backlog+0x480/0x8b0 net/core/dev.c:5976
        __napi_poll+0xe3/0x980 net/core/dev.c:6576
        napi_poll net/core/dev.c:6645 [inline]
        net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
        __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
        do_softirq+0x9a/0xf0 kernel/softirq.c:454
        __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
        local_bh_enable include/linux/bottom_half.h:33 [inline]
        rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
        __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
        dev_queue_xmit include/linux/netdevice.h:3171 [inline]
        packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
        packet_snd net/packet/af_packet.c:3081 [inline]
        packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg net/socket.c:745 [inline]
        __sys_sendto+0x735/0xa10 net/socket.c:2191
        __do_sys_sendto net/socket.c:2203 [inline]
        __se_sys_sendto net/socket.c:2199 [inline]
        __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Uninit was created at:
        slab_post_alloc_hook mm/slub.c:3819 [inline]
        slab_alloc_node mm/slub.c:3860 [inline]
        kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
        kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
        __alloc_skb+0x352/0x790 net/core/skbuff.c:651
        alloc_skb include/linux/skbuff.h:1296 [inline]
        alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
        sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
        packet_alloc_skb net/packet/af_packet.c:2930 [inline]
        packet_snd net/packet/af_packet.c:3024 [inline]
        packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg net/socket.c:745 [inline]
        __sys_sendto+0x735/0xa10 net/socket.c:2191
        __do_sys_sendto net/socket.c:2203 [inline]
        __se_sys_sendto net/socket.c:2199 [inline]
        __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Fixes: 2d07dc79 ("geneve: add initial netdev driver for GENEVE tunnels")
      Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1ca1ba46
    • Steven Rostedt (Google)'s avatar
      tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string · 51270d57
      Steven Rostedt (Google) authored
      I'm updating __assign_str() and will be removing the second parameter. To
      make sure that it does not break anything, I make sure that it matches the
      __string() field, as that is where the string is actually going to be
      saved in. To make sure there's nothing that breaks, I added a WARN_ON() to
      make sure that what was used in __string() is the same that is used in
      __assign_str().
      
      In doing this change, an error was triggered as __assign_str() now expects
      the string passed in to be a char * value. I instead had the following
      warning:
      
      include/trace/events/qdisc.h: In function ‘trace_event_raw_event_qdisc_reset’:
      include/trace/events/qdisc.h:91:35: error: passing argument 1 of 'strcmp' from incompatible pointer type [-Werror=incompatible-pointer-types]
         91 |                 __assign_str(dev, qdisc_dev(q));
      
      That's because the qdisc_enqueue() and qdisc_reset() pass in qdisc_dev(q)
      to __assign_str() and to __string(). But that function returns a pointer
      to struct net_device and not a string.
      
      It appears that these events are just saving the pointer as a string and
      then reading it as a string as well.
      
      Use qdisc_dev(q)->name to save the device instead.
      
      Fixes: a34dac0b ("net_sched: add tracepoints for qdisc_reset() and qdisc_destroy()")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      Reviewed-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51270d57
  3. 02 Mar, 2024 9 commits
  4. 01 Mar, 2024 8 commits
  5. 29 Feb, 2024 12 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 87adedeb
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth, WiFi and netfilter.
      
        We have one outstanding issue with the stmmac driver, which may be a
        LOCKDEP false positive, not a blocker.
      
        Current release - regressions:
      
         - netfilter: nf_tables: re-allow NFPROTO_INET in
           nft_(match/target)_validate()
      
         - eth: ionic: fix error handling in PCI reset code
      
        Current release - new code bugs:
      
         - eth: stmmac: complete meta data only when enabled, fix null-deref
      
         - kunit: fix again checksum tests on big endian CPUs
      
        Previous releases - regressions:
      
         - veth: try harder when allocating queue memory
      
         - Bluetooth:
            - hci_bcm4377: do not mark valid bd_addr as invalid
            - hci_event: fix handling of HCI_EV_IO_CAPA_REQUEST
      
        Previous releases - always broken:
      
         - info leak in __skb_datagram_iter() on netlink socket
      
         - mptcp:
            - map v4 address to v6 when destroying subflow
            - fix potential wake-up event loss due to sndbuf auto-tuning
            - fix double-free on socket dismantle
      
         - wifi: nl80211: reject iftype change with mesh ID change
      
         - fix small out-of-bound read when validating netlink be16/32 types
      
         - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
      
         - ipv6: fix potential "struct net" ref-leak in inet6_rtm_getaddr()
      
         - ip_tunnel: prevent perpetual headroom growth with huge number of
           tunnels on top of each other
      
         - mctp: fix skb leaks on error paths of mctp_local_output()
      
         - eth: ice: fixes for DPLL state reporting
      
         - dpll: rely on rcu for netdev_dpll_pin() to prevent UaF
      
         - eth: dpaa: accept phy-interface-type = '10gbase-r' in the device
           tree"
      
      * tag 'net-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (73 commits)
        dpll: fix build failure due to rcu_dereference_check() on unknown type
        kunit: Fix again checksum tests on big endian CPUs
        tls: fix use-after-free on failed backlog decryption
        tls: separate no-async decryption request handling from async
        tls: fix peeking with sync+async decryption
        tls: decrement decrypt_pending if no async completion will be called
        gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
        net: hsr: Use correct offset for HSR TLV values in supervisory HSR frames
        igb: extend PTP timestamp adjustments to i211
        rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
        tools: ynl: fix handling of multiple mcast groups
        selftests: netfilter: add bridge conntrack + multicast test case
        netfilter: bridge: confirm multicast packets before passing them up the stack
        netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
        Bluetooth: qca: Fix triggering coredump implementation
        Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT
        Bluetooth: qca: Fix wrong event type for patch config command
        Bluetooth: Enforce validation on max value of connection interval
        Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
        Bluetooth: mgmt: Fix limited discoverable off timeout
        ...
      87adedeb
    • Linus Torvalds's avatar
      Merge tag 'landlock-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux · d4f76f80
      Linus Torvalds authored
      Pull Landlock fix from Mickaël Salaün:
       "Fix a potential issue when handling inodes with inconsistent
        properties"
      
      * tag 'landlock-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
        landlock: Fix asymmetric private inodes referring
      d4f76f80
    • Eric Dumazet's avatar
      dpll: fix build failure due to rcu_dereference_check() on unknown type · 640f41ed
      Eric Dumazet authored
      Tasmiya reports that their compiler complains that we deref
      a pointer to unknown type with rcu_dereference_rtnl():
      
      include/linux/rcupdate.h:439:9: error: dereferencing pointer to incomplete type ‘struct dpll_pin’
      
      Unclear what compiler it is, at the moment, and we can't report
      but since DPLL can't be a module - move the code from the header
      into the source file.
      
      Fixes: 0d60d8df ("dpll: rely on rcu for netdev_dpll_pin()")
      Reported-by: default avatarTasmiya Nalatwad <tasmiya@linux.vnet.ibm.com>
      Link: https://lore.kernel.org/all/3fcf3a2c-1c1b-42c1-bacb-78fdcd700389@linux.vnet.ibm.com/Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20240229190515.2740221-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      640f41ed
    • Christophe Leroy's avatar
      kunit: Fix again checksum tests on big endian CPUs · 3d6423ef
      Christophe Leroy authored
      Commit b38460bc ("kunit: Fix checksum tests on big endian CPUs")
      fixed endianness issues with kunit checksum tests, but then
      commit 6f4c45cb ("kunit: Add tests for csum_ipv6_magic and
      ip_fast_csum") introduced new issues on big endian CPUs. Those issues
      are once again reflected by the warnings reported by sparse.
      
      So, fix them with the same approach, perform proper conversion in
      order to support both little and big endian CPUs. Once the conversions
      are properly done and the right types used, the sparse warnings are
      cleared as well.
      Reported-by: default avatarErhard Furtner <erhard_f@mailbox.org>
      Fixes: 6f4c45cb ("kunit: Add tests for csum_ipv6_magic and ip_fast_csum")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@csgroup.eu>
      Tested-by: default avatarCharlie Jenkins <charlie@rivosinc.com>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarPalmer Dabbelt <palmer@rivosinc.com>
      Link: https://lore.kernel.org/r/73df3a9e95c2179119398ad1b4c84cdacbd8dfb6.1708684443.git.christophe.leroy@csgroup.euSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3d6423ef
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2024-02-28' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 244b96c2
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - mgmt: Fix limited discoverable off timeout
       - hci_qca: Set BDA quirk bit if fwnode exists in DT
       - hci_bcm4377: do not mark valid bd_addr as invalid
       - hci_sync: Check the correct flag before starting a scan
       - Enforce validation on max value of connection interval
       - hci_sync: Fix accept_list when attempting to suspend
       - hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
       - Avoid potential use-after-free in hci_error_reset
       - rfcomm: Fix null-ptr-deref in rfcomm_check_security
       - hci_event: Fix wrongly recorded wakeup BD_ADDR
       - qca: Fix wrong event type for patch config command
       - qca: Fix triggering coredump implementation
      
      * tag 'for-net-2024-02-28' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: qca: Fix triggering coredump implementation
        Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT
        Bluetooth: qca: Fix wrong event type for patch config command
        Bluetooth: Enforce validation on max value of connection interval
        Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
        Bluetooth: mgmt: Fix limited discoverable off timeout
        Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR
        Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
        Bluetooth: hci_sync: Fix accept_list when attempting to suspend
        Bluetooth: Avoid potential use-after-free in hci_error_reset
        Bluetooth: hci_sync: Check the correct flag before starting a scan
        Bluetooth: hci_bcm4377: do not mark valid bd_addr as invalid
      ====================
      
      Link: https://lore.kernel.org/r/20240228145644.2269088-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      244b96c2
    • Jakub Kicinski's avatar
      Merge branch 'tls-a-few-more-fixes-for-async-decrypt' · 8f5afe41
      Jakub Kicinski authored
      Sabrina Dubroca says:
      
      ====================
      tls: a few more fixes for async decrypt
      
      The previous patchset [1] took care of "full async". This adds a few
      fixes for cases where only part of the crypto operations go the async
      route, found by extending my previous debug patch [2] to do N
      synchronous operations followed by M asynchronous ops (with N and M
      configurable).
      
      [1] https://patchwork.kernel.org/project/netdevbpf/list/?series=823784&state=*
      [2] https://lore.kernel.org/all/9d664093b1bf7f47497b2c40b3a085b45f3274a2.1694021240.git.sd@queasysnail.net/
      ====================
      
      Link: https://lore.kernel.org/r/cover.1709132643.git.sd@queasysnail.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8f5afe41
    • Sabrina Dubroca's avatar
      tls: fix use-after-free on failed backlog decryption · 13114dc5
      Sabrina Dubroca authored
      When the decrypt request goes to the backlog and crypto_aead_decrypt
      returns -EBUSY, tls_do_decryption will wait until all async
      decryptions have completed. If one of them fails, tls_do_decryption
      will return -EBADMSG and tls_decrypt_sg jumps to the error path,
      releasing all the pages. But the pages have been passed to the async
      callback, and have already been released by tls_decrypt_done.
      
      The only true async case is when crypto_aead_decrypt returns
       -EINPROGRESS. With -EBUSY, we already waited so we can tell
      tls_sw_recvmsg that the data is available for immediate copy, but we
      need to notify tls_decrypt_sg (via the new ->async_done flag) that the
      memory has already been released.
      
      Fixes: 85905414 ("net: tls: handle backlogging of crypto requests")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Link: https://lore.kernel.org/r/4755dd8d9bebdefaa19ce1439b833d6199d4364c.1709132643.git.sd@queasysnail.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      13114dc5
    • Sabrina Dubroca's avatar
      tls: separate no-async decryption request handling from async · 41532b78
      Sabrina Dubroca authored
      If we're not doing async, the handling is much simpler. There's no
      reference counting, we just need to wait for the completion to wake us
      up and return its result.
      
      We should preferably also use a separate crypto_wait. I'm not seeing a
      UAF as I did in the past, I think aec79619 ("tls: fix race between
      async notify and socket close") took care of it.
      
      This will make the next fix easier.
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Link: https://lore.kernel.org/r/47bde5f649707610eaef9f0d679519966fc31061.1709132643.git.sd@queasysnail.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      41532b78
    • Sabrina Dubroca's avatar
      tls: fix peeking with sync+async decryption · 6caaf104
      Sabrina Dubroca authored
      If we peek from 2 records with a currently empty rx_list, and the
      first record is decrypted synchronously but the second record is
      decrypted async, the following happens:
        1. decrypt record 1 (sync)
        2. copy from record 1 to the userspace's msg
        3. queue the decrypted record to rx_list for future read(!PEEK)
        4. decrypt record 2 (async)
        5. queue record 2 to rx_list
        6. call process_rx_list to copy data from the 2nd record
      
      We currently pass copied=0 as skip offset to process_rx_list, so we
      end up copying once again from the first record. We should skip over
      the data we've already copied.
      
      Seen with selftest tls.12_aes_gcm.recv_peek_large_buf_mult_recs
      
      Fixes: 692d7b5d ("tls: Fix recvmsg() to be able to peek across multiple records")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Link: https://lore.kernel.org/r/1b132d2b2b99296bfde54e8a67672d90d6d16e71.1709132643.git.sd@queasysnail.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6caaf104
    • Sabrina Dubroca's avatar
      tls: decrement decrypt_pending if no async completion will be called · f7fa16d4
      Sabrina Dubroca authored
      With mixed sync/async decryption, or failures of crypto_aead_decrypt,
      we increment decrypt_pending but we never do the corresponding
      decrement since tls_decrypt_done will not be called. In this case, we
      should decrement decrypt_pending immediately to avoid getting stuck.
      
      For example, the prequeue prequeue test gets stuck with mixed
      modes (one async decrypt + one sync decrypt).
      
      Fixes: 94524d8f ("net/tls: Add support for async decryption of tls records")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Link: https://lore.kernel.org/r/c56d5fc35543891d5319f834f25622360e1bfbec.1709132643.git.sd@queasysnail.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f7fa16d4
    • Alexander Ofitserov's avatar
      gtp: fix use-after-free and null-ptr-deref in gtp_newlink() · 616d82c3
      Alexander Ofitserov authored
      The gtp_link_ops operations structure for the subsystem must be
      registered after registering the gtp_net_ops pernet operations structure.
      
      Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:
      
      [ 1010.702740] gtp: GTP module unloaded
      [ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
      [ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      [ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1
      [ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
      [ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]
      [ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00
      [ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203
      [ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000
      [ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282
      [ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000
      [ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80
      [ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400
      [ 1010.715953] FS:  00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000
      [ 1010.715958] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0
      [ 1010.715968] PKRU: 55555554
      [ 1010.715972] Call Trace:
      [ 1010.715985]  ? __die_body.cold+0x1a/0x1f
      [ 1010.715995]  ? die_addr+0x43/0x70
      [ 1010.716002]  ? exc_general_protection+0x199/0x2f0
      [ 1010.716016]  ? asm_exc_general_protection+0x1e/0x30
      [ 1010.716026]  ? gtp_newlink+0x4d7/0x9c0 [gtp]
      [ 1010.716034]  ? gtp_net_exit+0x150/0x150 [gtp]
      [ 1010.716042]  __rtnl_newlink+0x1063/0x1700
      [ 1010.716051]  ? rtnl_setlink+0x3c0/0x3c0
      [ 1010.716063]  ? is_bpf_text_address+0xc0/0x1f0
      [ 1010.716070]  ? kernel_text_address.part.0+0xbb/0xd0
      [ 1010.716076]  ? __kernel_text_address+0x56/0xa0
      [ 1010.716084]  ? unwind_get_return_address+0x5a/0xa0
      [ 1010.716091]  ? create_prof_cpu_mask+0x30/0x30
      [ 1010.716098]  ? arch_stack_walk+0x9e/0xf0
      [ 1010.716106]  ? stack_trace_save+0x91/0xd0
      [ 1010.716113]  ? stack_trace_consume_entry+0x170/0x170
      [ 1010.716121]  ? __lock_acquire+0x15c5/0x5380
      [ 1010.716139]  ? mark_held_locks+0x9e/0xe0
      [ 1010.716148]  ? kmem_cache_alloc_trace+0x35f/0x3c0
      [ 1010.716155]  ? __rtnl_newlink+0x1700/0x1700
      [ 1010.716160]  rtnl_newlink+0x69/0xa0
      [ 1010.716166]  rtnetlink_rcv_msg+0x43b/0xc50
      [ 1010.716172]  ? rtnl_fdb_dump+0x9f0/0x9f0
      [ 1010.716179]  ? lock_acquire+0x1fe/0x560
      [ 1010.716188]  ? netlink_deliver_tap+0x12f/0xd50
      [ 1010.716196]  netlink_rcv_skb+0x14d/0x440
      [ 1010.716202]  ? rtnl_fdb_dump+0x9f0/0x9f0
      [ 1010.716208]  ? netlink_ack+0xab0/0xab0
      [ 1010.716213]  ? netlink_deliver_tap+0x202/0xd50
      [ 1010.716220]  ? netlink_deliver_tap+0x218/0xd50
      [ 1010.716226]  ? __virt_addr_valid+0x30b/0x590
      [ 1010.716233]  netlink_unicast+0x54b/0x800
      [ 1010.716240]  ? netlink_attachskb+0x870/0x870
      [ 1010.716248]  ? __check_object_size+0x2de/0x3b0
      [ 1010.716254]  netlink_sendmsg+0x938/0xe40
      [ 1010.716261]  ? netlink_unicast+0x800/0x800
      [ 1010.716269]  ? __import_iovec+0x292/0x510
      [ 1010.716276]  ? netlink_unicast+0x800/0x800
      [ 1010.716284]  __sock_sendmsg+0x159/0x190
      [ 1010.716290]  ____sys_sendmsg+0x712/0x880
      [ 1010.716297]  ? sock_write_iter+0x3d0/0x3d0
      [ 1010.716304]  ? __ia32_sys_recvmmsg+0x270/0x270
      [ 1010.716309]  ? lock_acquire+0x1fe/0x560
      [ 1010.716315]  ? drain_array_locked+0x90/0x90
      [ 1010.716324]  ___sys_sendmsg+0xf8/0x170
      [ 1010.716331]  ? sendmsg_copy_msghdr+0x170/0x170
      [ 1010.716337]  ? lockdep_init_map_type+0x2c7/0x860
      [ 1010.716343]  ? lockdep_hardirqs_on_prepare+0x430/0x430
      [ 1010.716350]  ? debug_mutex_init+0x33/0x70
      [ 1010.716360]  ? percpu_counter_add_batch+0x8b/0x140
      [ 1010.716367]  ? lock_acquire+0x1fe/0x560
      [ 1010.716373]  ? find_held_lock+0x2c/0x110
      [ 1010.716384]  ? __fd_install+0x1b6/0x6f0
      [ 1010.716389]  ? lock_downgrade+0x810/0x810
      [ 1010.716396]  ? __fget_light+0x222/0x290
      [ 1010.716403]  __sys_sendmsg+0xea/0x1b0
      [ 1010.716409]  ? __sys_sendmsg_sock+0x40/0x40
      [ 1010.716419]  ? lockdep_hardirqs_on_prepare+0x2b3/0x430
      [ 1010.716425]  ? syscall_enter_from_user_mode+0x1d/0x60
      [ 1010.716432]  do_syscall_64+0x30/0x40
      [ 1010.716438]  entry_SYSCALL_64_after_hwframe+0x62/0xc7
      [ 1010.716444] RIP: 0033:0x7fd1508cbd49
      [ 1010.716452] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
      [ 1010.716456] RSP: 002b:00007fff18872348 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
      [ 1010.716463] RAX: ffffffffffffffda RBX: 000055f72bf0eac0 RCX: 00007fd1508cbd49
      [ 1010.716468] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
      [ 1010.716473] RBP: 00007fff18872360 R08: 00007fff18872360 R09: 00007fff18872360
      [ 1010.716478] R10: 00007fff18872360 R11: 0000000000000202 R12: 000055f72bf0e1b0
      [ 1010.716482] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      [ 1010.716491] Modules linked in: gtp(+) udp_tunnel ib_core uinput af_packet rfkill qrtr joydev hid_generic usbhid hid kvm_intel iTCO_wdt intel_pmc_bxt iTCO_vendor_support kvm snd_hda_codec_generic ledtrig_audio irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel snd_hda_intel nls_utf8 snd_intel_dspcfg nls_cp866 psmouse aesni_intel vfat crypto_simd fat cryptd glue_helper snd_hda_codec pcspkr snd_hda_core i2c_i801 snd_hwdep i2c_smbus xhci_pci snd_pcm lpc_ich xhci_pci_renesas xhci_hcd qemu_fw_cfg tiny_power_button button sch_fq_codel vboxvideo drm_vram_helper drm_ttm_helper ttm vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore msr fuse efi_pstore dm_mod ip_tables x_tables autofs4 virtio_gpu virtio_dma_buf drm_kms_helper cec rc_core drm virtio_rng virtio_scsi rng_core virtio_balloon virtio_blk virtio_net virtio_console net_failover failover ahci libahci libata evdev scsi_mod input_leds serio_raw virtio_pci intel_agp
      [ 1010.716674]  virtio_ring intel_gtt virtio [last unloaded: gtp]
      [ 1010.716693] ---[ end trace 04990a4ce61e174b ]---
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAlexander Ofitserov <oficerovas@altlinux.org>
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/20240228114703.465107-1-oficerovas@altlinux.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      616d82c3
    • Paolo Abeni's avatar
      Merge tag 'nf-24-02-29' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · b611b776
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      Patch #1 restores NFPROTO_INET with nft_compat, from Ignat Korchagin.
      
      Patch #2 fixes an issue with bridge netfilter and broadcast/multicast
      packets.
      
      There is a day 0 bug in br_netfilter when used with connection tracking.
      
      Conntrack assumes that an nf_conn structure that is not yet added to
      hash table ("unconfirmed"), is only visible by the current cpu that is
      processing the sk_buff.
      
      For bridge this isn't true, sk_buff can get cloned in between, and
      clones can be processed in parallel on different cpu.
      
      This patch disables NAT and conntrack helpers for multicast packets.
      
      Patch #3 adds a selftest to cover for the br_netfilter bug.
      
      netfilter pull request 24-02-29
      
      * tag 'nf-24-02-29' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        selftests: netfilter: add bridge conntrack + multicast test case
        netfilter: bridge: confirm multicast packets before passing them up the stack
        netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
      ====================
      
      Link: https://lore.kernel.org/r/20240229000135.8780-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b611b776