1. 15 Dec, 2023 20 commits
    • Hyunwoo Kim's avatar
      Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg · 2e07e834
      Hyunwoo Kim authored
      This can cause a race with bt_sock_ioctl() because
      bt_sock_recvmsg() gets the skb from sk->sk_receive_queue
      and then frees it without holding lock_sock.
      A use-after-free for a skb occurs with the following flow.
      ```
      bt_sock_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
      bt_sock_ioctl() -> skb_peek()
      ```
      Add lock_sock to bt_sock_recvmsg() to fix this issue.
      
      Cc: stable@vger.kernel.org
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarHyunwoo Kim <v4bel@theori.io>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      2e07e834
    • Alex Lu's avatar
      Bluetooth: Add more enc key size check · 04a342cc
      Alex Lu authored
      When we are slave role and receives l2cap conn req when encryption has
      started, we should check the enc key size to avoid KNOB attack or BLUFFS
      attack.
      From SIG recommendation, implementations are advised to reject
      service-level connections on an encrypted baseband link with key
      strengths below 7 octets.
      A simple and clear way to achieve this is to place the enc key size
      check in hci_cc_read_enc_key_size()
      
      The btmon log below shows the case that lacks enc key size check.
      
      > HCI Event: Connect Request (0x04) plen 10
              Address: BB:22:33:44:55:99 (OUI BB-22-33)
              Class: 0x480104
                Major class: Computer (desktop, notebook, PDA, organizers)
                Minor class: Desktop workstation
                Capturing (Scanner, Microphone)
                Telephony (Cordless telephony, Modem, Headset)
              Link type: ACL (0x01)
      < HCI Command: Accept Connection Request (0x01|0x0009) plen 7
              Address: BB:22:33:44:55:99 (OUI BB-22-33)
              Role: Peripheral (0x01)
      > HCI Event: Command Status (0x0f) plen 4
            Accept Connection Request (0x01|0x0009) ncmd 2
              Status: Success (0x00)
      > HCI Event: Connect Complete (0x03) plen 11
              Status: Success (0x00)
              Handle: 1
              Address: BB:22:33:44:55:99 (OUI BB-22-33)
              Link type: ACL (0x01)
              Encryption: Disabled (0x00)
      ...
      
      > HCI Event: Encryption Change (0x08) plen 4
              Status: Success (0x00)
              Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
              Encryption: Enabled with E0 (0x01)
      < HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2
              Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
      > HCI Event: Command Complete (0x0e) plen 7
            Read Encryption Key Size (0x05|0x0008) ncmd 2
              Status: Success (0x00)
              Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
              Key size: 6
      // We should check the enc key size
      ...
      
      > ACL Data RX: Handle 1 flags 0x02 dlen 12
            L2CAP: Connection Request (0x02) ident 3 len 4
              PSM: 25 (0x0019)
              Source CID: 64
      < ACL Data TX: Handle 1 flags 0x00 dlen 16
            L2CAP: Connection Response (0x03) ident 3 len 8
              Destination CID: 64
              Source CID: 64
              Result: Connection pending (0x0001)
              Status: Authorization pending (0x0002)
      > HCI Event: Number of Completed Packets (0x13) plen 5
              Num handles: 1
              Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
              Count: 1
              #35: len 16 (25 Kb/s)
              Latency: 5 msec (2-7 msec ~4 msec)
      < ACL Data TX: Handle 1 flags 0x00 dlen 16
            L2CAP: Connection Response (0x03) ident 3 len 8
              Destination CID: 64
              Source CID: 64
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAlex Lu <alex_lu@realsil.com.cn>
      Signed-off-by: default avatarMax Chou <max.chou@realtek.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      04a342cc
    • Xiao Yao's avatar
      Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE · 59b047bc
      Xiao Yao authored
      If two Bluetooth devices both support BR/EDR and BLE, and also
      support Secure Connections, then they only need to pair once.
      The LTK generated during the LE pairing process may be converted
      into a BR/EDR link key for BR/EDR transport, and conversely, a
      link key generated during the BR/EDR SSP pairing process can be
      converted into an LTK for LE transport. Hence, the link type of
      the link key and LTK is not fixed, they can be either an LE LINK
      or an ACL LINK.
      
      Currently, in the mgmt_new_irk/ltk/crsk/link_key functions, the
      link type is fixed, which could lead to incorrect address types
      being reported to the application layer. Therefore, it is necessary
      to add link_type/addr_type to the smp_irk/ltk/crsk and link_key,
      to ensure the generation of the correct address type.
      
      SMP over BREDR:
      Before Fix:
      > ACL Data RX: Handle 11 flags 0x02 dlen 12
              BR/EDR SMP: Identity Address Information (0x09) len 7
              Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
      @ MGMT Event: New Identity Resolving Key (0x0018) plen 30
              Random address: 00:00:00:00:00:00 (Non-Resolvable)
              LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
      @ MGMT Event: New Long Term Key (0x000a) plen 37
              LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
              Key type: Authenticated key from P-256 (0x03)
      
      After Fix:
      > ACL Data RX: Handle 11 flags 0x02 dlen 12
            BR/EDR SMP: Identity Address Information (0x09) len 7
              Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
      @ MGMT Event: New Identity Resolving Key (0x0018) plen 30
              Random address: 00:00:00:00:00:00 (Non-Resolvable)
              BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
      @ MGMT Event: New Long Term Key (0x000a) plen 37
              BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
              Key type: Authenticated key from P-256 (0x03)
      
      SMP over LE:
      Before Fix:
      @ MGMT Event: New Identity Resolving Key (0x0018) plen 30
              Random address: 5F:5C:07:37:47:D5 (Resolvable)
              LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
      @ MGMT Event: New Long Term Key (0x000a) plen 37
              LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
              Key type: Authenticated key from P-256 (0x03)
      @ MGMT Event: New Link Key (0x0009) plen 26
              BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
              Key type: Authenticated Combination key from P-256 (0x08)
      
      After Fix:
      @ MGMT Event: New Identity Resolving Key (0x0018) plen 30
              Random address: 5E:03:1C:00:38:21 (Resolvable)
              LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
      @ MGMT Event: New Long Term Key (0x000a) plen 37
              LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
              Key type: Authenticated key from P-256 (0x03)
      @ MGMT Event: New Link Key (0x0009) plen 26
              Store hint: Yes (0x01)
              LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
              Key type: Authenticated Combination key from P-256 (0x08)
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarXiao Yao <xiaoyao@rock-chips.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      59b047bc
    • Frédéric Danis's avatar
      Bluetooth: L2CAP: Send reject on command corrupted request · 78b99eb1
      Frédéric Danis authored
      L2CAP/COS/CED/BI-02-C PTS test send a malformed L2CAP signaling packet
      with 2 commands in it (a connection request and an unknown command) and
      expect to get a connection response packet and a command reject packet.
      The second is currently not sent.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFrédéric Danis <frederic.danis@collabora.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      78b99eb1
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_core: Fix hci_conn_hash_lookup_cis · 50efc63d
      Luiz Augusto von Dentz authored
      hci_conn_hash_lookup_cis shall always match the requested CIG and CIS
      ids even when they are unset as otherwise it result in not being able
      to bind/connect different sockets to the same address as that would
      result in having multiple sockets mapping to the same hci_conn which
      doesn't really work and prevents BAP audio configuration such as
      AC 6(i) when CIG and CIS are left unset.
      
      Fixes: c14516fa ("Bluetooth: hci_conn: Fix not matching by CIS ID")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      50efc63d
    • Arnd Bergmann's avatar
      Bluetooth: hci_event: shut up a false-positive warning · a5812c68
      Arnd Bergmann authored
      Turning on -Wstringop-overflow globally exposed a misleading compiler
      warning in bluetooth:
      
      net/bluetooth/hci_event.c: In function 'hci_cc_read_class_of_dev':
      net/bluetooth/hci_event.c:524:9: error: 'memcpy' writing 3 bytes into a
      region of size 0 overflows the destination [-Werror=stringop-overflow=]
        524 |         memcpy(hdev->dev_class, rp->dev_class, 3);
            |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      The problem here is the check for hdev being NULL in bt_dev_dbg() that
      leads the compiler to conclude that hdev->dev_class might be an invalid
      pointer access.
      
      Add another explicit check for the same condition to make sure gcc sees
      this cannot happen.
      
      Fixes: a9de9248 ("[Bluetooth] Switch from OGF+OCF to using only opcodes")
      Fixes: 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      a5812c68
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent · 99e67d46
      Luiz Augusto von Dentz authored
      Before setting HCI_INQUIRY bit check if HCI_OP_INQUIRY was really sent
      otherwise the controller maybe be generating invalid events or, more
      likely, it is a result of fuzzing tools attempting to test the right
      behavior of the stack when unexpected events are generated.
      
      Cc: stable@vger.kernel.org
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=218151Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      99e67d46
    • Ying Hsu's avatar
      Bluetooth: Fix deadlock in vhci_send_frame · 769bf60e
      Ying Hsu authored
      syzbot found a potential circular dependency leading to a deadlock:
          -> #3 (&hdev->req_lock){+.+.}-{3:3}:
          __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
          __mutex_lock kernel/locking/mutex.c:732 [inline]
          mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
          hci_dev_do_close+0x3f/0x9f net/bluetooth/hci_core.c:551
          hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935
          rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345
          rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274
          vfs_write+0x277/0xcf5 fs/read_write.c:594
          ksys_write+0x19b/0x2bd fs/read_write.c:650
          do_syscall_x64 arch/x86/entry/common.c:55 [inline]
          do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
          entry_SYSCALL_64_after_hwframe+0x61/0xcb
      
          -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
          __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
          __mutex_lock kernel/locking/mutex.c:732 [inline]
          mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
          rfkill_register+0x30/0x7e3 net/rfkill/core.c:1045
          hci_register_dev+0x48f/0x96d net/bluetooth/hci_core.c:2622
          __vhci_create_device drivers/bluetooth/hci_vhci.c:341 [inline]
          vhci_create_device+0x3ad/0x68f drivers/bluetooth/hci_vhci.c:374
          vhci_get_user drivers/bluetooth/hci_vhci.c:431 [inline]
          vhci_write+0x37b/0x429 drivers/bluetooth/hci_vhci.c:511
          call_write_iter include/linux/fs.h:2109 [inline]
          new_sync_write fs/read_write.c:509 [inline]
          vfs_write+0xaa8/0xcf5 fs/read_write.c:596
          ksys_write+0x19b/0x2bd fs/read_write.c:650
          do_syscall_x64 arch/x86/entry/common.c:55 [inline]
          do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
          entry_SYSCALL_64_after_hwframe+0x61/0xcb
      
          -> #1 (&data->open_mutex){+.+.}-{3:3}:
          __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
          __mutex_lock kernel/locking/mutex.c:732 [inline]
          mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
          vhci_send_frame+0x68/0x9c drivers/bluetooth/hci_vhci.c:75
          hci_send_frame+0x1cc/0x2ff net/bluetooth/hci_core.c:2989
          hci_sched_acl_pkt net/bluetooth/hci_core.c:3498 [inline]
          hci_sched_acl net/bluetooth/hci_core.c:3583 [inline]
          hci_tx_work+0xb94/0x1a60 net/bluetooth/hci_core.c:3654
          process_one_work+0x901/0xfb8 kernel/workqueue.c:2310
          worker_thread+0xa67/0x1003 kernel/workqueue.c:2457
          kthread+0x36a/0x430 kernel/kthread.c:319
          ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
      
          -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
          check_prev_add kernel/locking/lockdep.c:3053 [inline]
          check_prevs_add kernel/locking/lockdep.c:3172 [inline]
          validate_chain kernel/locking/lockdep.c:3787 [inline]
          __lock_acquire+0x2d32/0x77fa kernel/locking/lockdep.c:5011
          lock_acquire+0x273/0x4d5 kernel/locking/lockdep.c:5622
          __flush_work+0xee/0x19f kernel/workqueue.c:3090
          hci_dev_close_sync+0x32f/0x1113 net/bluetooth/hci_sync.c:4352
          hci_dev_do_close+0x47/0x9f net/bluetooth/hci_core.c:553
          hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935
          rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345
          rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274
          vfs_write+0x277/0xcf5 fs/read_write.c:594
          ksys_write+0x19b/0x2bd fs/read_write.c:650
          do_syscall_x64 arch/x86/entry/common.c:55 [inline]
          do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
          entry_SYSCALL_64_after_hwframe+0x61/0xcb
      
      This change removes the need for acquiring the open_mutex in
      vhci_send_frame, thus eliminating the potential deadlock while
      maintaining the required packet ordering.
      
      Fixes: 92d4abd6 ("Bluetooth: vhci: Fix race when opening vhci device")
      Signed-off-by: default avatarYing Hsu <yinghsu@chromium.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      769bf60e
    • Luiz Augusto von Dentz's avatar
      Bluetooth: Fix not notifying when connection encryption changes · f67eabff
      Luiz Augusto von Dentz authored
      Some layers such as SMP depend on getting notified about encryption
      changes immediately as they only allow certain PDU to be transmitted
      over an encrypted link which may cause SMP implementation to reject
      valid PDUs received thus causing pairing to fail when it shouldn't.
      
      Fixes: 7aca0ac4 ("Bluetooth: Wait for HCI_OP_WRITE_AUTH_PAYLOAD_TO to complete")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      f67eabff
    • Eric Dumazet's avatar
      net/rose: fix races in rose_kill_by_device() · 64b8bc7d
      Eric Dumazet authored
      syzbot found an interesting netdev refcounting issue in
      net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1]
      
      Problem is that rose_kill_by_device() can change rose->device
      while other threads do not expect the pointer to be changed.
      
      We have to first collect sockets in a temporary array,
      then perform the changes while holding the socket
      lock and rose_list_lock spinlock (in this order)
      
      Change rose_release() to also acquire rose_list_lock
      before releasing the netdev refcount.
      
      [1]
      
      [ 1185.055088][ T7889] ref_tracker: reference already released.
      [ 1185.061476][ T7889] ref_tracker: allocated in:
      [ 1185.066081][ T7889]  rose_bind+0x4ab/0xd10
      [ 1185.070446][ T7889]  __sys_bind+0x1ec/0x220
      [ 1185.074818][ T7889]  __x64_sys_bind+0x72/0xb0
      [ 1185.079356][ T7889]  do_syscall_64+0x40/0x110
      [ 1185.083897][ T7889]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
      [ 1185.089835][ T7889] ref_tracker: freed in:
      [ 1185.094088][ T7889]  rose_release+0x2f5/0x570
      [ 1185.098629][ T7889]  __sock_release+0xae/0x260
      [ 1185.103262][ T7889]  sock_close+0x1c/0x20
      [ 1185.107453][ T7889]  __fput+0x270/0xbb0
      [ 1185.111467][ T7889]  task_work_run+0x14d/0x240
      [ 1185.116085][ T7889]  get_signal+0x106f/0x2790
      [ 1185.120622][ T7889]  arch_do_signal_or_restart+0x90/0x7f0
      [ 1185.126205][ T7889]  exit_to_user_mode_prepare+0x121/0x240
      [ 1185.131846][ T7889]  syscall_exit_to_user_mode+0x1e/0x60
      [ 1185.137293][ T7889]  do_syscall_64+0x4d/0x110
      [ 1185.141783][ T7889]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
      [ 1185.148085][ T7889] ------------[ cut here ]------------
      
      WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
      Modules linked in:
      CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
      Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44
      RSP: 0018:ffffc90004917850 EFLAGS: 00010202
      RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000
      RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001
      RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6
      R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c
      R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff
      FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      netdev_tracker_free include/linux/netdevice.h:4127 [inline]
      netdev_put include/linux/netdevice.h:4144 [inline]
      netdev_put include/linux/netdevice.h:4140 [inline]
      rose_kill_by_device net/rose/af_rose.c:195 [inline]
      rose_device_event+0x25d/0x330 net/rose/af_rose.c:218
      notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
      call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967
      call_netdevice_notifiers_extack net/core/dev.c:2005 [inline]
      call_netdevice_notifiers net/core/dev.c:2019 [inline]
      __dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646
      dev_change_flags+0x122/0x170 net/core/dev.c:8682
      dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529
      dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786
      sock_do_ioctl+0x198/0x270 net/socket.c:1234
      sock_ioctl+0x22e/0x6b0 net/socket.c:1339
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:871 [inline]
      __se_sys_ioctl fs/ioctl.c:857 [inline]
      __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7f0a7147cba9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9
      RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004
      RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8
      </TASK>
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Bernard Pidoux <f6bvp@free.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      64b8bc7d
    • Zhipeng Lu's avatar
      ethernet: atheros: fix a memleak in atl1e_setup_ring_resources · 309fdb1c
      Zhipeng Lu authored
      In the error handling of 'offset > adapter->ring_size', the
      tx_ring->tx_buffer allocated by kzalloc should be freed,
      instead of 'goto failed' instantly.
      
      Fixes: a6a53252 ("atl1e: Atheros L1E Gigabit Ethernet driver")
      Signed-off-by: default avatarZhipeng Lu <alexious@zju.edu.cn>
      Reviewed-by: default avatarSuman Ghosh <sumang@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      309fdb1c
    • Eric Dumazet's avatar
      net: sched: ife: fix potential use-after-free · 19391a2c
      Eric Dumazet authored
      ife_decode() calls pskb_may_pull() two times, we need to reload
      ifehdr after the second one, or risk use-after-free as reported
      by syzbot:
      
      BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
      BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
      Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323
      
      CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:364 [inline]
      print_report+0xc4/0x620 mm/kasan/report.c:475
      kasan_report+0xda/0x110 mm/kasan/report.c:588
      __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
      ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
      tcf_ife_decode net/sched/act_ife.c:739 [inline]
      tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879
      tc_act include/net/tc_wrapper.h:221 [inline]
      tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
      tcf_exts_exec include/net/pkt_cls.h:344 [inline]
      mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
      tc_classify include/net/tc_wrapper.h:227 [inline]
      __tcf_classify net/sched/cls_api.c:1703 [inline]
      tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
      hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
      hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
      dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
      __dev_xmit_skb net/core/dev.c:3828 [inline]
      __dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
      dev_queue_xmit include/linux/netdevice.h:3165 [inline]
      packet_xmit+0x237/0x350 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3081 [inline]
      packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7fe9acc7cae9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9
      RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003
      RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014
      R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
      R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78
      </TASK>
      
      Allocated by task 22323:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
      kasan_set_track+0x25/0x30 mm/kasan/common.c:52
      ____kasan_kmalloc mm/kasan/common.c:374 [inline]
      __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
      kasan_kmalloc include/linux/kasan.h:198 [inline]
      __do_kmalloc_node mm/slab_common.c:1007 [inline]
      __kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027
      kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
      __alloc_skb+0x12b/0x330 net/core/skbuff.c:651
      alloc_skb include/linux/skbuff.h:1298 [inline]
      alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
      sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
      packet_alloc_skb net/packet/af_packet.c:2930 [inline]
      packet_snd net/packet/af_packet.c:3024 [inline]
      packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Freed by task 22323:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
      kasan_set_track+0x25/0x30 mm/kasan/common.c:52
      kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
      ____kasan_slab_free mm/kasan/common.c:236 [inline]
      ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
      kasan_slab_free include/linux/kasan.h:164 [inline]
      slab_free_hook mm/slub.c:1800 [inline]
      slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
      slab_free mm/slub.c:3809 [inline]
      __kmem_cache_free+0xc0/0x180 mm/slub.c:3822
      skb_kfree_head net/core/skbuff.c:950 [inline]
      skb_free_head+0x110/0x1b0 net/core/skbuff.c:962
      pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130
      __pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655
      pskb_may_pull_reason include/linux/skbuff.h:2685 [inline]
      pskb_may_pull include/linux/skbuff.h:2693 [inline]
      ife_decode+0x394/0x4f0 net/ife/ife.c:82
      tcf_ife_decode net/sched/act_ife.c:727 [inline]
      tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879
      tc_act include/net/tc_wrapper.h:221 [inline]
      tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
      tcf_exts_exec include/net/pkt_cls.h:344 [inline]
      mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
      tc_classify include/net/tc_wrapper.h:227 [inline]
      __tcf_classify net/sched/cls_api.c:1703 [inline]
      tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
      hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
      hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
      dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
      __dev_xmit_skb net/core/dev.c:3828 [inline]
      __dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
      dev_queue_xmit include/linux/netdevice.h:3165 [inline]
      packet_xmit+0x237/0x350 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3081 [inline]
      packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      The buggy address belongs to the object at ffff88802d730000
      which belongs to the cache kmalloc-8k of size 8192
      The buggy address is located 164 bytes inside of
      freed 8192-byte region [ffff88802d730000, ffff88802d732000)
      
      The buggy address belongs to the physical page:
      page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730
      head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
      page_type: 0xffffffff()
      raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000
      raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461
      set_page_owner include/linux/page_owner.h:31 [inline]
      post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544
      prep_new_page mm/page_alloc.c:1551 [inline]
      get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319
      __alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575
      alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
      alloc_slab_page mm/slub.c:1870 [inline]
      allocate_slab mm/slub.c:2017 [inline]
      new_slab+0x283/0x3c0 mm/slub.c:2070
      ___slab_alloc+0x979/0x1500 mm/slub.c:3223
      __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
      __slab_alloc_node mm/slub.c:3375 [inline]
      slab_alloc_node mm/slub.c:3468 [inline]
      __kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
      __do_kmalloc_node mm/slab_common.c:1006 [inline]
      __kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027
      kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
      __alloc_skb+0x12b/0x330 net/core/skbuff.c:651
      alloc_skb include/linux/skbuff.h:1298 [inline]
      alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
      sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
      packet_alloc_skb net/packet/af_packet.c:2930 [inline]
      packet_snd net/packet/af_packet.c:3024 [inline]
      packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      page last free stack trace:
      reset_page_owner include/linux/page_owner.h:24 [inline]
      free_pages_prepare mm/page_alloc.c:1144 [inline]
      free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354
      free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494
      __unfreeze_partials+0x226/0x240 mm/slub.c:2655
      qlink_free mm/kasan/quarantine.c:168 [inline]
      qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
      kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
      __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
      kasan_slab_alloc include/linux/kasan.h:188 [inline]
      slab_post_alloc_hook mm/slab.h:763 [inline]
      slab_alloc_node mm/slub.c:3478 [inline]
      slab_alloc mm/slub.c:3486 [inline]
      __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
      kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509
      alloc_inode_sb include/linux/fs.h:2937 [inline]
      ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408
      alloc_inode+0x5d/0x220 fs/inode.c:261
      new_inode_pseudo fs/inode.c:1006 [inline]
      new_inode+0x22/0x260 fs/inode.c:1032
      __ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958
      ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398
      vfs_symlink fs/namei.c:4464 [inline]
      vfs_symlink+0x3e5/0x620 fs/namei.c:4448
      do_symlinkat+0x25f/0x310 fs/namei.c:4490
      __do_sys_symlinkat fs/namei.c:4506 [inline]
      __se_sys_symlinkat fs/namei.c:4503 [inline]
      __x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
      
      Fixes: d57493d6 ("net: sched: ife: check on metadata length")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Alexander Aring <aahringo@redhat.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      19391a2c
    • Shigeru Yoshida's avatar
      net: Return error from sk_stream_wait_connect() if sk_wait_event() fails · cac23b7d
      Shigeru Yoshida authored
      The following NULL pointer dereference issue occurred:
      
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      <...>
      RIP: 0010:ccid_hc_tx_send_packet net/dccp/ccid.h:166 [inline]
      RIP: 0010:dccp_write_xmit+0x49/0x140 net/dccp/output.c:356
      <...>
      Call Trace:
       <TASK>
       dccp_sendmsg+0x642/0x7e0 net/dccp/proto.c:801
       inet_sendmsg+0x63/0x90 net/ipv4/af_inet.c:846
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x83/0xe0 net/socket.c:745
       ____sys_sendmsg+0x443/0x510 net/socket.c:2558
       ___sys_sendmsg+0xe5/0x150 net/socket.c:2612
       __sys_sendmsg+0xa6/0x120 net/socket.c:2641
       __do_sys_sendmsg net/socket.c:2650 [inline]
       __se_sys_sendmsg net/socket.c:2648 [inline]
       __x64_sys_sendmsg+0x45/0x50 net/socket.c:2648
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x43/0x110 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      sk_wait_event() returns an error (-EPIPE) if disconnect() is called on the
      socket waiting for the event. However, sk_stream_wait_connect() returns
      success, i.e. zero, even if sk_wait_event() returns -EPIPE, so a function
      that waits for a connection with sk_stream_wait_connect() may misbehave.
      
      In the case of the above DCCP issue, dccp_sendmsg() is waiting for the
      connection. If disconnect() is called in concurrently, the above issue
      occurs.
      
      This patch fixes the issue by returning error from sk_stream_wait_connect()
      if sk_wait_event() fails.
      
      Fixes: 419ce133 ("tcp: allow again tcp_disconnect() when threads are waiting")
      Signed-off-by: default avatarShigeru Yoshida <syoshida@redhat.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cac23b7d
    • Suman Ghosh's avatar
      octeontx2-pf: Fix graceful exit during PFC configuration failure · 8c97ab54
      Suman Ghosh authored
      During PFC configuration failure the code was not handling a graceful
      exit. This patch fixes the same and add proper code for a graceful exit.
      
      Fixes: 99c969a8 ("octeontx2-pf: Add egress PFC support")
      Signed-off-by: default avatarSuman Ghosh <sumang@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c97ab54
    • duanqiangwen's avatar
      net: libwx: fix memory leak on free page · 738b54b9
      duanqiangwen authored
      ifconfig ethx up, will set page->refcount larger than 1,
      and then ifconfig ethx down, calling __page_frag_cache_drain()
      to free pages, it is not compatible with page pool.
      So deleting codes which changing page->refcount.
      
      Fixes: 3c47e8ae ("net: libwx: Support to receive packets in NAPI")
      Signed-off-by: default avatarduanqiangwen <duanqiangwen@net-swift.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      738b54b9
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2023-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 0225191a
      Jakub Kicinski authored
      Johannes Berg says:
      
      ====================
       * add (and fix) certificate for regdb handover to Chen-Yu Tsai
       * fix rfkill GPIO handling
       * a few driver (iwlwifi, mt76) crash fixes
       * logic fixes in the stack
      
      * tag 'wireless-2023-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: cfg80211: fix certs build to not depend on file order
        wifi: mt76: fix crash with WED rx support enabled
        wifi: iwlwifi: pcie: avoid a NULL pointer dereference
        wifi: mac80211: mesh_plink: fix matches_local logic
        wifi: mac80211: mesh: check element parsing succeeded
        wifi: mac80211: check defragmentation succeeded
        wifi: mac80211: don't re-add debugfs during reconfig
        net: rfkill: gpio: set GPIO direction
        wifi: mac80211: check if the existing link config remains unchanged
        wifi: cfg80211: Add my certificate
        wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock
        wifi: ieee80211: don't require protected vendor action frames
      ====================
      
      Link: https://lore.kernel.org/r/20231214111515.60626-3-johannes@sipsolutions.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0225191a
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2023-12-13' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · e9b797dc
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-12-13
      
      This series provides bug fixes to mlx5 driver.
      
      * tag 'mlx5-fixes-2023-12-13' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors
        net/mlx5e: Correct snprintf truncation handling for fw_version buffer
        net/mlx5e: Fix error codes in alloc_branch_attr()
        net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get()
        net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num
        net/mlx5: Fix fw tracer first block check
        net/mlx5e: XDP, Drop fragmented packets larger than MTU size
        net/mlx5e: Decrease num_block_tc when unblock tc offload
        net/mlx5e: Fix overrun reported by coverity
        net/mlx5e: fix a potential double-free in fs_udp_create_groups
        net/mlx5e: Fix a race in command alloc flow
        net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()
        net/mlx5e: fix double free of encap_header
        Revert "net/mlx5e: fix double free of encap_header"
        Revert "net/mlx5e: fix double free of encap_header in update funcs"
      ====================
      
      Link: https://lore.kernel.org/r/20231214012505.42666-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e9b797dc
    • Jakub Kicinski's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 2c1a4185
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-12-13 (ice, i40e)
      
      This series contains updates to ice and i40e drivers.
      
      Michal Schmidt prevents possible out-of-bounds access for ice.
      
      Ivan Vecera corrects value for MDIO clause 45 on i40e.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: Fix ST code value for Clause 45
        ice: fix theoretical out-of-bounds access in ethtool link modes
      ====================
      
      Link: https://lore.kernel.org/r/20231213220827.1311772-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2c1a4185
    • Vladimir Oltean's avatar
      net: mscc: ocelot: fix pMAC TX RMON stats for bucket 256-511 and above · 70f010da
      Vladimir Oltean authored
      The typo from ocelot_port_rmon_stats_cb() was also carried over to
      ocelot_port_pmac_rmon_stats_cb() as well, leading to incorrect TX RMON
      stats for the pMAC too.
      
      Fixes: ab3f97a9 ("net: mscc: ocelot: export ethtool MAC Merge stats for Felix VSC9959")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/20231214000902.545625-2-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      70f010da
    • Vladimir Oltean's avatar
      net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and above · 52eda464
      Vladimir Oltean authored
      There is a typo in the driver due to which we report incorrect TX RMON
      counters for the 256-511 octet bucket and all the other buckets larger
      than that.
      
      Bug found with the selftest at
      https://patchwork.kernel.org/project/netdevbpf/patch/20231211223346.2497157-9-tobias@waldekranz.com/
      
      Fixes: e32036e1 ("net: mscc: ocelot: add support for all sorts of standardized counters present in DSA")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/20231214000902.545625-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      52eda464
  2. 14 Dec, 2023 20 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · c7402612
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
      "Current release - regressions:
      
         - tcp: fix tcp_disordered_ack() vs usec TS resolution
      
        Current release - new code bugs:
      
         - dpll: sanitize possible null pointer dereference in
           dpll_pin_parent_pin_set()
      
         - eth: octeon_ep: initialise control mbox tasks before using APIs
      
        Previous releases - regressions:
      
         - io_uring/af_unix: disable sending io_uring over sockets
      
         - eth: mlx5e:
             - TC, don't offload post action rule if not supported
             - fix possible deadlock on mlx5e_tx_timeout_work
      
         - eth: iavf: fix iavf_shutdown to call iavf_remove instead iavf_close
      
         - eth: bnxt_en: fix skb recycling logic in bnxt_deliver_skb()
      
         - eth: ena: fix DMA syncing in XDP path when SWIOTLB is on
      
         - eth: team: fix use-after-free when an option instance allocation
           fails
      
        Previous releases - always broken:
      
         - neighbour: don't let neigh_forced_gc() disable preemption for long
      
         - net: prevent mss overflow in skb_segment()
      
         - ipv6: support reporting otherwise unknown prefix flags in
           RTM_NEWPREFIX
      
         - tcp: remove acked SYN flag from packet in the transmit queue
           correctly
      
         - eth: octeontx2-af:
             - fix a use-after-free in rvu_nix_register_reporters
             - fix promisc mcam entry action
      
         - eth: dwmac-loongson: make sure MDIO is initialized before use
      
         - eth: atlantic: fix double free in ring reinit logic"
      
      * tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (62 commits)
        net: atlantic: fix double free in ring reinit logic
        appletalk: Fix Use-After-Free in atalk_ioctl
        net: stmmac: Handle disabled MDIO busses from devicetree
        net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX
        dpaa2-switch: do not ask for MDB, VLAN and FDB replay
        dpaa2-switch: fix size of the dma_unmap
        net: prevent mss overflow in skb_segment()
        vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
        Revert "tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set"
        MIPS: dts: loongson: drop incorrect dwmac fallback compatible
        stmmac: dwmac-loongson: drop useless check for compatible fallback
        stmmac: dwmac-loongson: Make sure MDIO is initialized before use
        tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set
        dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
        net: ena: Fix XDP redirection error
        net: ena: Fix DMA syncing in XDP path when SWIOTLB is on
        net: ena: Fix xdp drops handling due to multibuf packets
        net: ena: Destroy correct number of xdp queues upon failure
        net: Remove acked SYN flag from packet in the transmit queue correctly
        qed: Fix a potential use-after-free in qed_cxt_tables_alloc
        ...
      c7402612
    • Linus Torvalds's avatar
      Merge tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · bdb2701f
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
        "Some fixes to quota accounting code, mostly around error handling and
         correctness:
      
         - free reserves on various error paths, after IO errors or
           transaction abort
      
         - don't clear reserved range at the folio release time, it'll be
           properly cleared after final write
      
         - fix integer overflow due to int used when passing around size of
           freed reservations
      
         - fix a regression in squota accounting that missed some cases with
           delayed refs"
      
      * tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: ensure releasing squota reserve on head refs
        btrfs: don't clear qgroup reserved bit in release_folio
        btrfs: free qgroup pertrans reserve on transaction abort
        btrfs: fix qgroup_free_reserved_data int overflow
        btrfs: free qgroup reserve when ORDERED_IOERR is set
      bdb2701f
    • Igor Russkikh's avatar
      net: atlantic: fix double free in ring reinit logic · 7bb26ea7
      Igor Russkikh authored
      Driver has a logic leak in ring data allocation/free,
      where double free may happen in aq_ring_free if system is under
      stress and driver init/deinit is happening.
      
      The probability is higher to get this during suspend/resume cycle.
      
      Verification was done simulating same conditions with
      
          stress -m 2000 --vm-bytes 20M --vm-hang 10 --backoff 1000
          while true; do sudo ifconfig enp1s0 down; sudo ifconfig enp1s0 up; done
      
      Fixed by explicitly clearing pointers to NULL on deallocation
      
      Fixes: 018423e9 ("net: ethernet: aquantia: Add ring support code")
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Closes: https://lore.kernel.org/netdev/CAHk-=wiZZi7FcvqVSUirHBjx0bBUZ4dFrMDVLc3+3HCrtq0rBA@mail.gmail.com/Signed-off-by: default avatarIgor Russkikh <irusskikh@marvell.com>
      Link: https://lore.kernel.org/r/20231213094044.22988-1-irusskikh@marvell.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7bb26ea7
    • Hyunwoo Kim's avatar
      appletalk: Fix Use-After-Free in atalk_ioctl · 189ff167
      Hyunwoo Kim authored
      Because atalk_ioctl() accesses sk->sk_receive_queue
      without holding a sk->sk_receive_queue.lock, it can
      cause a race with atalk_recvmsg().
      A use-after-free for skb occurs with the following flow.
      ```
      atalk_ioctl() -> skb_peek()
      atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
      ```
      Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarHyunwoo Kim <v4bel@theori.io>
      Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AXSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      189ff167
    • Andrew Halaney's avatar
      net: stmmac: Handle disabled MDIO busses from devicetree · e23c0d21
      Andrew Halaney authored
      Many hardware configurations have the MDIO bus disabled, and are instead
      using some other MDIO bus to talk to the MAC's phy.
      
      of_mdiobus_register() returns -ENODEV in this case. Let's handle it
      gracefully instead of failing to probe the MAC.
      
      Fixes: 47dd7a54 ("net: add support for STMicroelectronics Ethernet controllers.")
      Signed-off-by: default avatarAndrew Halaney <ahalaney@redhat.com>
      Reviewed-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Link: https://lore.kernel.org/r/20231212-b4-stmmac-handle-mdio-enodev-v2-1-600171acf79f@redhat.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e23c0d21
    • Sneh Shah's avatar
      net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX · 981d947b
      Sneh Shah authored
      In 10M SGMII mode all the packets are being dropped due to wrong Rx clock.
      SGMII 10MBPS mode needs RX clock divider programmed to avoid drops in Rx.
      Update configure SGMII function with Rx clk divider programming.
      
      Fixes: 463120c3 ("net: stmmac: dwmac-qcom-ethqos: add support for SGMII")
      Tested-by: default avatarAndrew Halaney <ahalaney@redhat.com>
      Signed-off-by: default avatarSneh Shah <quic_snehshah@quicinc.com>
      Reviewed-by: default avatarBjorn Andersson <quic_bjorande@quicinc.com>
      Link: https://lore.kernel.org/r/20231212092208.22393-1-quic_snehshah@quicinc.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      981d947b
    • Johannes Berg's avatar
      wifi: cfg80211: fix certs build to not depend on file order · 3c2a8ebe
      Johannes Berg authored
      The file for the new certificate (Chen-Yu Tsai's) didn't
      end with a comma, so depending on the file order in the
      build rule, we'd end up with invalid C when concatenating
      the (now two) certificates. Fix that.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarBiju Das <biju.das.jz@bp.renesas.com>
      Reported-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Fixes: fb768d3b ("wifi: cfg80211: Add my certificate")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3c2a8ebe
    • Jakub Kicinski's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 89e0c646
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-12-12 (iavf)
      
      This series contains updates to iavf driver only.
      
      Piotr reworks Flow Director states to deal with issues in restoring
      filters.
      
      Slawomir fixes shutdown processing as it was missing needed calls.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        iavf: Fix iavf_shutdown to call iavf_remove instead iavf_close
        iavf: Handle ntuple on/off based on new state machines for flow director
        iavf: Introduce new state machines for flow director
      ====================
      
      Link: https://lore.kernel.org/r/20231212203613.513423-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      89e0c646
    • Jakub Kicinski's avatar
      Merge branch 'dpaa2-switch-various-fixes' · dc84bb19
      Jakub Kicinski authored
      Ioana Ciornei says:
      
      ====================
      dpaa2-switch: various fixes
      
      The first patch fixes the size passed to two dma_unmap_single() calls
      which was wrongly put as the size of the pointer.
      
      The second patch is new to this series and reverts the behavior of the
      dpaa2-switch driver to not ask for object replay upon offloading so that
      we avoid the errors encountered when a VLAN is installed multiple times
      on the same port.
      ====================
      
      Link: https://lore.kernel.org/r/20231212164326.2753457-1-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      dc84bb19
    • Ioana Ciornei's avatar
      dpaa2-switch: do not ask for MDB, VLAN and FDB replay · f24a49a3
      Ioana Ciornei authored
      Starting with commit 4e51bf44 ("net: bridge: move the switchdev
      object replay helpers to "push" mode") the switchdev_bridge_port_offload()
      helper was extended with the intention to provide switchdev drivers easy
      access to object addition and deletion replays. This works by calling
      the replay helpers with non-NULL notifier blocks.
      
      In the same commit, the dpaa2-switch driver was updated so that it
      passes valid notifier blocks to the helper. At that moment, no
      regression was identified through testing.
      
      In the meantime, the blamed commit changed the behavior in terms of
      which ports get hit by the replay. Before this commit, only the initial
      port which identified itself as offloaded through
      switchdev_bridge_port_offload() got a replay of all port objects and
      FDBs. After this, the newly joining port will trigger a replay of
      objects on all bridge ports and on the bridge itself.
      
      This behavior leads to errors in dpaa2_switch_port_vlans_add() when a
      VLAN gets installed on the same interface multiple times.
      
      The intended mechanism to address this is to pass a non-NULL ctx to the
      switchdev_bridge_port_offload() helper and then check it against the
      port's private structure. But since the driver does not have any use for
      the replayed port objects and FDBs until it gains support for LAG
      offload, it's better to fix the issue by reverting the dpaa2-switch
      driver to not ask for replay. The pointers will be added back when we
      are prepared to ignore replays on unrelated ports.
      
      Fixes: b28d580e ("net: bridge: switchdev: replay all VLAN groups")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20231212164326.2753457-3-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f24a49a3
    • Ioana Ciornei's avatar
      dpaa2-switch: fix size of the dma_unmap · 2aad7d41
      Ioana Ciornei authored
      The size of the DMA unmap was wrongly put as a sizeof of a pointer.
      Change the value of the DMA unmap to be the actual macro used for the
      allocation and the DMA map.
      
      Fixes: 1110318d ("dpaa2-switch: add tc flower hardware offload on ingress traffic")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20231212164326.2753457-2-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2aad7d41
    • Eric Dumazet's avatar
      net: prevent mss overflow in skb_segment() · 23d05d56
      Eric Dumazet authored
      Once again syzbot is able to crash the kernel in skb_segment() [1]
      
      GSO_BY_FRAGS is a forbidden value, but unfortunately the following
      computation in skb_segment() can reach it quite easily :
      
      	mss = mss * partial_segs;
      
      65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
      a bad final result.
      
      Make sure to limit segmentation so that the new mss value is smaller
      than GSO_BY_FRAGS.
      
      [1]
      
      general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
      CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3c #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
      Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
      RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
      RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
      RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
      R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
      FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
      ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
      skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
      __skb_gso_segment+0x339/0x710 net/core/gso.c:124
      skb_gso_segment include/net/gso.h:83 [inline]
      validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
      __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
      dev_queue_xmit include/linux/netdevice.h:3134 [inline]
      packet_xmit+0x257/0x380 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3087 [inline]
      packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7f8692032aa9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
      RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
      RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
      R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
      </TASK>
      Modules linked in:
      ---[ end trace 0000000000000000 ]---
      RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
      Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
      RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
      RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
      RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
      R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
      FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      
      Fixes: 3953c46c ("sk_buff: allow segmenting based on frag sizes")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/20231212164621.4131800-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      23d05d56
    • Nikolay Kuratov's avatar
      vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() · 60316d7f
      Nikolay Kuratov authored
      We need to do signed arithmetic if we expect condition
      `if (bytes < 0)` to be possible
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE
      
      Fixes: 06a8fc78 ("VSOCK: Introduce virtio_vsock_common.ko")
      Signed-off-by: default avatarNikolay Kuratov <kniv@yandex-team.ru>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20231211162317.4116625-1-kniv@yandex-team.ruSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      60316d7f
    • Rahul Rameshbabu's avatar
      net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors · b13559b7
      Rahul Rameshbabu authored
      snprintf returns the length of the formatted string, excluding the trailing
      null, without accounting for truncation. This means that is the return
      value is greater than or equal to the size parameter, the fw_version string
      was truncated.
      
      Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
      Fixes: 1b2bd0c0 ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors")
      Signed-off-by: default avatarRahul Rameshbabu <rrameshbabu@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      b13559b7
    • Rahul Rameshbabu's avatar
      net/mlx5e: Correct snprintf truncation handling for fw_version buffer · ad436b9c
      Rahul Rameshbabu authored
      snprintf returns the length of the formatted string, excluding the trailing
      null, without accounting for truncation. This means that is the return
      value is greater than or equal to the size parameter, the fw_version string
      was truncated.
      Reported-by: default avatarDavid Laight <David.Laight@ACULAB.COM>
      Closes: https://lore.kernel.org/netdev/81cae734ee1b4cde9b380a9a31006c1a@AcuMS.aculab.com/
      Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
      Fixes: 41e63c2b ("net/mlx5e: Check return value of snprintf writing to fw_version buffer")
      Signed-off-by: default avatarRahul Rameshbabu <rrameshbabu@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      ad436b9c
    • Dan Carpenter's avatar
      net/mlx5e: Fix error codes in alloc_branch_attr() · d792e5f7
      Dan Carpenter authored
      Set the error code if set_branch_dest_ft() fails.
      
      Fixes: ccbe3300 ("net/mlx5e: TC, Don't offload post action rule if not supported")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      d792e5f7
    • Dan Carpenter's avatar
      net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get() · 86d59226
      Dan Carpenter authored
      Preserve the error code if esw_add_restore_rule() fails.  Don't return
      success.
      
      Fixes: 67027828 ("net/mlx5e: TC, Set CT miss to the specific ct action instance")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      86d59226
    • Vlad Buslov's avatar
      net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num · 04ad04e4
      Vlad Buslov authored
      Currently the destination rep pointer is only used for comparisons or to
      obtain vport number from it. Since it is used both during flow creation and
      deletion it may point to representor of another eswitch instance which can
      be deallocated during driver unload even when there are rules pointing to
      it[0]. Refactor the code to store vport number and 'valid' flag instead of
      the representor pointer.
      
      [0]:
      [176805.886303] ==================================================================
      [176805.889433] BUG: KASAN: slab-use-after-free in esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.892981] Read of size 2 at addr ffff888155090aa0 by task modprobe/27280
      
      [176805.895462] CPU: 3 PID: 27280 Comm: modprobe Tainted: G    B              6.6.0-rc3+ #1
      [176805.896771] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [176805.898514] Call Trace:
      [176805.899026]  <TASK>
      [176805.899519]  dump_stack_lvl+0x33/0x50
      [176805.900221]  print_report+0xc2/0x610
      [176805.900893]  ? mlx5_chains_put_table+0x33d/0x8d0 [mlx5_core]
      [176805.901897]  ? esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.902852]  kasan_report+0xac/0xe0
      [176805.903509]  ? esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.904461]  esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.905223]  __mlx5_eswitch_del_rule+0x1ae/0x460 [mlx5_core]
      [176805.906044]  ? esw_cleanup_dests+0x440/0x440 [mlx5_core]
      [176805.906822]  ? xas_find_conflict+0x420/0x420
      [176805.907496]  ? down_read+0x11e/0x200
      [176805.908046]  mlx5e_tc_rule_unoffload+0xc4/0x2a0 [mlx5_core]
      [176805.908844]  mlx5e_tc_del_fdb_flow+0x7da/0xb10 [mlx5_core]
      [176805.909597]  mlx5e_flow_put+0x4b/0x80 [mlx5_core]
      [176805.910275]  mlx5e_delete_flower+0x5b4/0xb70 [mlx5_core]
      [176805.911010]  tc_setup_cb_reoffload+0x27/0xb0
      [176805.911648]  fl_reoffload+0x62d/0x900 [cls_flower]
      [176805.912313]  ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core]
      [176805.913151]  ? __fl_put+0x230/0x230 [cls_flower]
      [176805.913768]  ? filter_irq_stacks+0x90/0x90
      [176805.914335]  ? kasan_save_stack+0x1e/0x40
      [176805.914893]  ? kasan_set_track+0x21/0x30
      [176805.915484]  ? kasan_save_free_info+0x27/0x40
      [176805.916105]  tcf_block_playback_offloads+0x79/0x1f0
      [176805.916773]  ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core]
      [176805.917647]  tcf_block_unbind+0x12d/0x330
      [176805.918239]  tcf_block_offload_cmd.isra.0+0x24e/0x320
      [176805.918953]  ? tcf_block_bind+0x770/0x770
      [176805.919551]  ? _raw_read_unlock_irqrestore+0x30/0x30
      [176805.920236]  ? mutex_lock+0x7d/0xd0
      [176805.920735]  ? mutex_unlock+0x80/0xd0
      [176805.921255]  tcf_block_offload_unbind+0xa5/0x120
      [176805.921909]  __tcf_block_put+0xc2/0x2d0
      [176805.922467]  ingress_destroy+0xf4/0x3d0 [sch_ingress]
      [176805.923178]  __qdisc_destroy+0x9d/0x280
      [176805.923741]  dev_shutdown+0x1c6/0x330
      [176805.924295]  unregister_netdevice_many_notify+0x6ef/0x1500
      [176805.925034]  ? netdev_freemem+0x50/0x50
      [176805.925610]  ? _raw_spin_lock_irq+0x7b/0xd0
      [176805.926235]  ? _raw_spin_lock_bh+0xe0/0xe0
      [176805.926849]  unregister_netdevice_queue+0x1e0/0x280
      [176805.927592]  ? unregister_netdevice_many+0x10/0x10
      [176805.928275]  unregister_netdev+0x18/0x20
      [176805.928835]  mlx5e_vport_rep_unload+0xc0/0x200 [mlx5_core]
      [176805.929608]  mlx5_esw_offloads_unload_rep+0x9d/0xc0 [mlx5_core]
      [176805.930492]  mlx5_eswitch_unload_vf_vports+0x108/0x1a0 [mlx5_core]
      [176805.931422]  ? mlx5_eswitch_unload_sf_vport+0x50/0x50 [mlx5_core]
      [176805.932304]  ? rwsem_down_write_slowpath+0x11f0/0x11f0
      [176805.932987]  mlx5_eswitch_disable_sriov+0x6f9/0xa60 [mlx5_core]
      [176805.933807]  ? mlx5_core_disable_hca+0xe1/0x130 [mlx5_core]
      [176805.934576]  ? mlx5_eswitch_disable_locked+0x580/0x580 [mlx5_core]
      [176805.935463]  mlx5_device_disable_sriov+0x138/0x490 [mlx5_core]
      [176805.936308]  mlx5_sriov_disable+0x8c/0xb0 [mlx5_core]
      [176805.937063]  remove_one+0x7f/0x210 [mlx5_core]
      [176805.937711]  pci_device_remove+0x96/0x1c0
      [176805.938289]  device_release_driver_internal+0x361/0x520
      [176805.938981]  ? kobject_put+0x5c/0x330
      [176805.939553]  driver_detach+0xd7/0x1d0
      [176805.940101]  bus_remove_driver+0x11f/0x290
      [176805.943847]  pci_unregister_driver+0x23/0x1f0
      [176805.944505]  mlx5_cleanup+0xc/0x20 [mlx5_core]
      [176805.945189]  __x64_sys_delete_module+0x2b3/0x450
      [176805.945837]  ? module_flags+0x300/0x300
      [176805.946377]  ? dput+0xc2/0x830
      [176805.946848]  ? __kasan_record_aux_stack+0x9c/0xb0
      [176805.947555]  ? __call_rcu_common.constprop.0+0x46c/0xb50
      [176805.948338]  ? fpregs_assert_state_consistent+0x1d/0xa0
      [176805.949055]  ? exit_to_user_mode_prepare+0x30/0x120
      [176805.949713]  do_syscall_64+0x3d/0x90
      [176805.950226]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [176805.950904] RIP: 0033:0x7f7f42c3f5ab
      [176805.951462] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48
      [176805.953710] RSP: 002b:00007fff07dc9d08 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [176805.954691] RAX: ffffffffffffffda RBX: 000055b6e91c01e0 RCX: 00007f7f42c3f5ab
      [176805.955691] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6e91c0248
      [176805.956662] RBP: 000055b6e91c01e0 R08: 0000000000000000 R09: 0000000000000000
      [176805.957601] R10: 00007f7f42d9eac0 R11: 0000000000000206 R12: 000055b6e91c0248
      [176805.958593] R13: 0000000000000000 R14: 000055b6e91bfb38 R15: 0000000000000000
      [176805.959599]  </TASK>
      
      [176805.960324] Allocated by task 20490:
      [176805.960893]  kasan_save_stack+0x1e/0x40
      [176805.961463]  kasan_set_track+0x21/0x30
      [176805.962019]  __kasan_kmalloc+0x77/0x90
      [176805.962554]  esw_offloads_init+0x1bb/0x480 [mlx5_core]
      [176805.963318]  mlx5_eswitch_init+0xc70/0x15c0 [mlx5_core]
      [176805.964092]  mlx5_init_one_devl_locked+0x366/0x1230 [mlx5_core]
      [176805.964902]  probe_one+0x6f7/0xc90 [mlx5_core]
      [176805.965541]  local_pci_probe+0xd7/0x180
      [176805.966075]  pci_device_probe+0x231/0x6f0
      [176805.966631]  really_probe+0x1d4/0xb50
      [176805.967179]  __driver_probe_device+0x18d/0x450
      [176805.967810]  driver_probe_device+0x49/0x120
      [176805.968431]  __driver_attach+0x1fb/0x490
      [176805.968976]  bus_for_each_dev+0xed/0x170
      [176805.969560]  bus_add_driver+0x21a/0x570
      [176805.970124]  driver_register+0x133/0x460
      [176805.970684]  0xffffffffa0678065
      [176805.971180]  do_one_initcall+0x92/0x2b0
      [176805.971744]  do_init_module+0x22d/0x720
      [176805.972318]  load_module+0x58c3/0x63b0
      [176805.972847]  init_module_from_file+0xd2/0x130
      [176805.973441]  __x64_sys_finit_module+0x389/0x7c0
      [176805.974045]  do_syscall_64+0x3d/0x90
      [176805.974556]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176805.975566] Freed by task 27280:
      [176805.976077]  kasan_save_stack+0x1e/0x40
      [176805.976655]  kasan_set_track+0x21/0x30
      [176805.977221]  kasan_save_free_info+0x27/0x40
      [176805.977834]  ____kasan_slab_free+0x11a/0x1b0
      [176805.978505]  __kmem_cache_free+0x163/0x2d0
      [176805.979113]  esw_offloads_cleanup_reps+0xb8/0x120 [mlx5_core]
      [176805.979963]  mlx5_eswitch_cleanup+0x182/0x270 [mlx5_core]
      [176805.980763]  mlx5_cleanup_once+0x9a/0x1e0 [mlx5_core]
      [176805.981477]  mlx5_uninit_one+0xa9/0x180 [mlx5_core]
      [176805.982196]  remove_one+0x8f/0x210 [mlx5_core]
      [176805.982868]  pci_device_remove+0x96/0x1c0
      [176805.983461]  device_release_driver_internal+0x361/0x520
      [176805.984169]  driver_detach+0xd7/0x1d0
      [176805.984702]  bus_remove_driver+0x11f/0x290
      [176805.985261]  pci_unregister_driver+0x23/0x1f0
      [176805.985847]  mlx5_cleanup+0xc/0x20 [mlx5_core]
      [176805.986483]  __x64_sys_delete_module+0x2b3/0x450
      [176805.987126]  do_syscall_64+0x3d/0x90
      [176805.987665]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176805.988667] Last potentially related work creation:
      [176805.989305]  kasan_save_stack+0x1e/0x40
      [176805.989839]  __kasan_record_aux_stack+0x9c/0xb0
      [176805.990443]  kvfree_call_rcu+0x84/0xa30
      [176805.990973]  clean_xps_maps+0x265/0x6e0
      [176805.991547]  netif_reset_xps_queues.part.0+0x3f/0x80
      [176805.992226]  unregister_netdevice_many_notify+0xfcf/0x1500
      [176805.992966]  unregister_netdevice_queue+0x1e0/0x280
      [176805.993638]  unregister_netdev+0x18/0x20
      [176805.994205]  mlx5e_remove+0xba/0x1e0 [mlx5_core]
      [176805.994872]  auxiliary_bus_remove+0x52/0x70
      [176805.995490]  device_release_driver_internal+0x361/0x520
      [176805.996196]  bus_remove_device+0x1e1/0x3d0
      [176805.996767]  device_del+0x390/0x980
      [176805.997270]  mlx5_rescan_drivers_locked.part.0+0x130/0x540 [mlx5_core]
      [176805.998195]  mlx5_unregister_device+0x77/0xc0 [mlx5_core]
      [176805.998989]  mlx5_uninit_one+0x41/0x180 [mlx5_core]
      [176805.999719]  remove_one+0x8f/0x210 [mlx5_core]
      [176806.000387]  pci_device_remove+0x96/0x1c0
      [176806.000938]  device_release_driver_internal+0x361/0x520
      [176806.001612]  unbind_store+0xd8/0xf0
      [176806.002108]  kernfs_fop_write_iter+0x2c0/0x440
      [176806.002748]  vfs_write+0x725/0xba0
      [176806.003294]  ksys_write+0xed/0x1c0
      [176806.003823]  do_syscall_64+0x3d/0x90
      [176806.004357]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176806.005317] The buggy address belongs to the object at ffff888155090a80
                       which belongs to the cache kmalloc-64 of size 64
      [176806.006774] The buggy address is located 32 bytes inside of
                       freed 64-byte region [ffff888155090a80, ffff888155090ac0)
      
      [176806.008773] The buggy address belongs to the physical page:
      [176806.009480] page:00000000a407e0e6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155090
      [176806.010633] flags: 0x200000000000800(slab|node=0|zone=2)
      [176806.011352] page_type: 0xffffffff()
      [176806.011905] raw: 0200000000000800 ffff888100042640 ffffea000422b1c0 dead000000000004
      [176806.012949] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
      [176806.013933] page dumped because: kasan: bad access detected
      
      [176806.014935] Memory state around the buggy address:
      [176806.015601]  ffff888155090980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.016568]  ffff888155090a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.017497] >ffff888155090a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.018438]                                ^
      [176806.019007]  ffff888155090b00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.020001]  ffff888155090b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.020996] ==================================================================
      
      Fixes: a508728a ("net/mlx5e: VF tunnel RX traffic offloading")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      04ad04e4
    • Moshe Shemesh's avatar
      net/mlx5: Fix fw tracer first block check · 4261edf1
      Moshe Shemesh authored
      While handling new traces, to verify it is not the first block being
      written, last_timestamp is checked. But instead of checking it is non
      zero it is verified to be zero. Fix to verify last_timestamp is not
      zero.
      
      Fixes: c71ad41c ("net/mlx5: FW tracer, events handling")
      Signed-off-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Reviewed-by: default avatarFeras Daoud <ferasda@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      4261edf1
    • Carolina Jubran's avatar
      net/mlx5e: XDP, Drop fragmented packets larger than MTU size · bcaf109f
      Carolina Jubran authored
      XDP transmits fragmented packets that are larger than MTU size instead of
      dropping those packets. The drop check that checks whether a packet is larger
      than MTU is comparing MTU size against the linear part length only.
      
      Adjust the drop check to compare MTU size against both linear and non-linear
      part lengths to avoid transmitting fragmented packets larger than MTU size.
      
      Fixes: 39a1665d ("net/mlx5e: Implement sending multi buffer XDP frames")
      Signed-off-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      bcaf109f