1. 15 May, 2024 3 commits
    • net: bridge: mst: fix vlan use-after-free · 3a7c1661
      Nikolay Aleksandrov authored
      syzbot reported a suspicious rcu usage[1] in bridge's mst code. While
      fixing it I noticed that nothing prevents a vlan to be freed while
      walking the list from the same path (br forward delay timer). Fix the rcu
      usage and also make sure we are not accessing freed memory by making
      br_mst_vlan_set_state use rcu read lock.
      
      [1]
       WARNING: suspicious RCU usage
       6.9.0-rc6-syzkaller #0 Not tainted
       -----------------------------
       net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!
       ...
       stack backtrace:
       CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0
       Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
       Call Trace:
        <IRQ>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
        lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
        nbp_vlan_group net/bridge/br_private.h:1599 [inline]
        br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105
        br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47
        br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88
        call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793
        expire_timers kernel/time/timer.c:1844 [inline]
        __run_timers kernel/time/timer.c:2418 [inline]
        __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429
        run_timer_base kernel/time/timer.c:2438 [inline]
        run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448
        __do_softirq+0x2c6/0x980 kernel/softirq.c:554
        invoke_softirq kernel/softirq.c:428 [inline]
        __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
        irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
        instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
        sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
        </IRQ>
        <TASK>
       asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
       RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758
       Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
       RSP: 0018:ffffc90013657100 EFLAGS: 00000206
       RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001
       RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60
       RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0
       R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28
       R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246
      
      Fixes: ec7328b5 ("net: bridge: mst: Multiple Spanning Tree (MST) mode")
      Reported-by: syzbot+fa04eb8a56fd923fc5d8@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=fa04eb8a56fd923fc5d8
      Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: net: bridge: increase IGMP/MLD exclude timeout membership interval · 06080ea2
      Nikolay Aleksandrov authored
      When running the bridge IGMP/MLD selftests on debug kernels we can get
      spurious errors when setting up the IGMP/MLD exclude timeout tests
      because the membership interval is just 3 seconds and the setup has 2
      seconds of sleep plus various validations, the one second that is left
      is not enough. Increase the membership interval from 3 to 5 seconds to
      make room for the setup validation and 2 seconds of sleep.
      
      Fixes: 34d7ecb3 ("selftests: net: bridge: update IGMP/MLD membership interval value")
      Reported-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: bridge: xmit: make sure we have at least eth header len bytes · 8bd67ebb
      Nikolay Aleksandrov authored
      syzbot triggered an uninit value[1] error in bridge device's xmit path
      by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
      we can actually pull that amount instead of assuming.
      
      Tested with dropwatch:
       drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
       origin: software
       timestamp: Mon May 13 11:31:53 2024 778214037 nsec
       protocol: 0x88a8
       length: 2
       original length: 2
       drop reason: PKT_TOO_SMALL
      
      [1]
      BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
       br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
       __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
       netdev_start_xmit include/linux/netdevice.h:4917 [inline]
       xmit_one net/core/dev.c:3531 [inline]
       dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
       __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
       dev_queue_xmit include/linux/netdevice.h:3091 [inline]
       __bpf_tx_skb net/core/filter.c:2136 [inline]
       __bpf_redirect_common net/core/filter.c:2180 [inline]
       __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
       ____bpf_clone_redirect net/core/filter.c:2460 [inline]
       bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
       ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
       __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
       bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
       __bpf_prog_run include/linux/filter.h:657 [inline]
       bpf_prog_run include/linux/filter.h:664 [inline]
       bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
       bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
       bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
       __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
       __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
       __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
       __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
       x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40
      Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
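The check described in the xmit commit above (confirm that ETH_HLEN bytes are really present before reading the Ethernet header), shown as an added userspace example; it is not the kernel patch and not code from this page. `parse_eth`, `check_len`, `full_proto` and the sample frame are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define ETH_HLEN 14 /* dst MAC + src MAC + EtherType */

enum verdict { FRAME_OK, PKT_TOO_SMALL };

struct eth_info {
    uint8_t dst[ETH_ALEN], src[ETH_ALEN];
    uint16_t proto; /* EtherType in host byte order */
};

/* Hypothetical helper: validate the length first, then read the header.
 * Without the length test, a 2-byte frame would have the 12 bytes that
 * follow it in memory interpreted as header fields. */
enum verdict parse_eth(const uint8_t *buf, size_t len, struct eth_info *out)
{
    if (buf == NULL || out == NULL || len < ETH_HLEN)
        return PKT_TOO_SMALL;
    memcpy(out->dst, buf, ETH_ALEN);
    memcpy(out->src, buf + ETH_ALEN, ETH_ALEN);
    out->proto = (uint16_t)((buf[12] << 8) | buf[13]);
    return FRAME_OK;
}

/* Constructed sample: a minimal 14-byte Ethernet header. */
static const uint8_t full_frame[ETH_HLEN] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* destination: broadcast */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* source: locally administered */
    0x88, 0xa8                          /* EtherType 0x88a8 (802.1ad) */
};

/* Parse only the first len bytes of the sample (len must be <= ETH_HLEN). */
enum verdict check_len(size_t len)
{
    struct eth_info e;
    return parse_eth(full_frame, len, &e);
}

uint16_t full_proto(void)
{
    struct eth_info e;
    return parse_eth(full_frame, ETH_HLEN, &e) == FRAME_OK ? e.proto : 0;
}

int main(void)
{
    printf("len 2:  %s\n", check_len(2) == PKT_TOO_SMALL ? "PKT_TOO_SMALL" : "ok");
    printf("len 14: proto 0x%04x\n", (unsigned)full_proto());
    return 0;
}
```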
  2. 14 May, 2024 2 commits
  3. 13 May, 2024 10 commits
  4. 11 May, 2024 19 commits
  5. 10 May, 2024 1 commit
  6. 09 May, 2024 5 commits
    • Merge tag 'net-6.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 8c3b7565
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bluetooth and IPsec.
      
        The bridge patch is actually a follow-up to a recent fix in the same
        area. We have a pending v6.8 AF_UNIX regression; it should be solved
        soon, but not in time for this PR.
      
        Current release - regressions:
      
         - eth: ks8851: Queue RX packets in IRQ handler instead of disabling
           BHs
      
         - net: bridge: fix corrupted ethernet header on multicast-to-unicast
      
        Current release - new code bugs:
      
         - xfrm: fix possible bad pointer dereferencing in error path
      
        Previous releases - regressions:
      
         - core: fix out-of-bounds access in ops_init
      
         - ipv6:
            - fix potential uninit-value access in __ip6_make_skb()
            - fib6_rules: avoid possible NULL dereference in fib6_rule_action()
      
         - tcp: use refcount_inc_not_zero() in tcp_twsk_unique().
      
         - rtnetlink: correct nested IFLA_VF_VLAN_LIST attribute validation
      
         - rxrpc: fix congestion control algorithm
      
         - bluetooth:
            - l2cap: fix slab-use-after-free in l2cap_connect()
            - msft: fix slab-use-after-free in msft_do_close()
      
         - eth: hns3: fix kernel crash when devlink reload during
           initialization
      
         - eth: dsa: mv88e6xxx: add phylink_get_caps for the mv88e6320/21
           family
      
        Previous releases - always broken:
      
         - xfrm: preserve vlan tags for transport mode software GRO
      
         - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
      
         - eth: hns3: keep using user config after hardware reset"
      
      * tag 'net-6.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (47 commits)
        net: dsa: mv88e6xxx: read cmode on mv88e6320/21 serdes only ports
        net: dsa: mv88e6xxx: add phylink_get_caps for the mv88e6320/21 family
        net: hns3: fix kernel crash when devlink reload during initialization
        net: hns3: fix port vlan filter not disabled issue
        net: hns3: use appropriate barrier function after setting a bit value
        net: hns3: release PTP resources if pf initialization failed
        net: hns3: change type of numa_node_mask as nodemask_t
        net: hns3: direct return when receive a unknown mailbox message
        net: hns3: using user configure after hardware reset
        net/smc: fix neighbour and rtable leak in smc_ib_find_route()
        ipv6: prevent NULL dereference in ip6_output()
        hsr: Simplify code for announcing HSR nodes timer setup
        ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
        dt-bindings: net: mediatek: remove wrongly added clocks and SerDes
        rxrpc: Only transmit one ACK per jumbo packet received
        rxrpc: Fix congestion control algorithm
        selftests: test_bridge_neigh_suppress.sh: Fix failures due to duplicate MAC
        ipv6: Fix potential uninit-value access in __ip6_make_skb()
        net: phy: marvell-88q2xxx: add support for Rev B1 and B2
        appletalk: Improve handling of broadcast packets
        ...
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux · 62788b0f
      Linus Torvalds authored
      Pull ARM fix from Russell King:
      
       - clear stale KASan stack poison when a CPU resumes
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux:
        ARM: 9381/1: kasan: clear stale stack poison
    • Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 1bbc9915
      Linus Torvalds authored
      Pull dentry leak fix from Al Viro:
       "Dentry leak fix in the qibfs driver that I forgot to send a pull
        request for ;-/
      
        My apologies - it actually sat in vfs.git#fixes for more than two
        months..."
      
      * tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        qibfs: fix dentry leak
    • net: dsa: mv88e6xxx: read cmode on mv88e6320/21 serdes only ports · 6e7ffa18
      Steffen Bätz authored
      On the mv88e6320 and 6321 switch family, port 0/1 are serdes only ports.
      Modified the mv88e6352_get_port4_serdes_cmode function to pass a port
      number since the register set of the 6352 is equal on the 6320/21.
      Signed-off-by: Steffen Bätz <steffen@innosonix.de>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: Fabio Estevam <festevam@gmail.com>
      Link: https://lore.kernel.org/r/20240508072944.54880-3-steffen@innosonix.de
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • net: dsa: mv88e6xxx: add phylink_get_caps for the mv88e6320/21 family · f39bf3cf
      Steffen Bätz authored
      As of commit de5c9bf4 ("net: phylink: require supported_interfaces to
      be filled")
      Marvell 88e6320/21 switches fail to be probed:
      
      ...
      mv88e6085 30be0000.ethernet-1:00: phylink: error: empty supported_interfaces
      error creating PHYLINK: -22
      ...
      
      The problem stems from the use of mv88e6185_phylink_get_caps() to get
      the device capabilities.
      Since there are serdes only ports 0/1 included, create a new dedicated
      phylink_get_caps for the 6320 and 6321 to properly support their
      set of capabilities.
      
      Fixes: de5c9bf4 ("net: phylink: require supported_interfaces to be filled")
      Signed-off-by: Steffen Bätz <steffen@innosonix.de>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: Fabio Estevam <festevam@gmail.com>
      Link: https://lore.kernel.org/r/20240508072944.54880-2-steffen@innosonix.de
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>