1. 21 Jul, 2021 2 commits
    • Xin Long's avatar
      sctp: update active_key for asoc when old key is being replaced · 58acd100
      Xin Long authored
      syzbot reported a call trace:
      
        BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
        Call Trace:
         sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
         sctp_set_owner_w net/sctp/socket.c:131 [inline]
         sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
         sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
         inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
         sock_sendmsg_nosec net/socket.c:703 [inline]
         sock_sendmsg+0xcf/0x120 net/socket.c:723
      
      This is an use-after-free issue caused by not updating asoc->shkey after
      it was replaced in the key list asoc->endpoint_shared_keys, and the old
      key was freed.
      
      This patch is to fix by also updating active_key for asoc when old key is
      being replaced with a new one. Note that this issue doesn't exist in
      sctp_auth_del_key_id(), as it's not allowed to delete the active_key
      from the asoc.
      
      Fixes: 1b1e0bc9 ("sctp: add refcnt support for sh_key")
      Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58acd100
    • Sayanta Pattanayak's avatar
      r8169: Avoid duplicate sysfs entry creation error · e9a72f87
      Sayanta Pattanayak authored
      When registering the MDIO bus for a r8169 device, we use the PCI
      bus/device specifier as a (seemingly) unique device identifier.
      However the very same BDF number can be used on another PCI segment,
      which makes the driver fail probing:
      
      [ 27.544136] r8169 0002:07:00.0: enabling device (0000 -> 0003)
      [ 27.559734] sysfs: cannot create duplicate filename '/class/mdio_bus/r8169-700'
      ....
      [ 27.684858] libphy: mii_bus r8169-700 failed to register
      [ 27.695602] r8169: probe of 0002:07:00.0 failed with error -22
      
      Add the segment number to the device name to make it more unique.
      
      This fixes operation on ARM N1SDP boards, with two boards connected
      together to form an SMP system, and all on-board devices showing up
      twice, just on different PCI segments. A similar issue would occur on
      large systems with many PCI slots and multiple RTL8169 NICs.
      
      Fixes: f1e911d5 ("r8169: add basic phylib support")
      Signed-off-by: default avatarSayanta Pattanayak <sayanta.pattanayak@arm.com>
      [Andre: expand commit message, use pci_domain_nr()]
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      Acked-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e9a72f87
  2. 20 Jul, 2021 16 commits
  3. 19 Jul, 2021 19 commits
  4. 18 Jul, 2021 3 commits
    • Nguyen Dinh Phi's avatar
      netrom: Decrease sock refcount when sock timers expire · 517a16b1
      Nguyen Dinh Phi authored
      Commit 63346650 ("netrom: switch to sock timer API") switched to use
      sock timer API. It replaces mod_timer() by sk_reset_timer(), and
      del_timer() by sk_stop_timer().
      
      Function sk_reset_timer() will increase the refcount of sock if it is
      called on an inactive timer, hence, in case the timer expires, we need to
      decrease the refcount ourselves in the handler, otherwise, the sock
      refcount will be unbalanced and the sock will never be freed.
      Signed-off-by: default avatarNguyen Dinh Phi <phind.uet@gmail.com>
      Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
      Fixes: 63346650 ("netrom: switch to sock timer API")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      517a16b1
    • Xin Long's avatar
      sctp: trim optlen when it's a huge value in sctp_setsockopt · 2f3fdd8d
      Xin Long authored
      After commit ca84bd05 ("sctp: copy the optval from user space in
      sctp_setsockopt"), it does memory allocation in sctp_setsockopt with
      the optlen, and it would fail the allocation and return error if the
      optlen from user space is a huge value.
      
      This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and
      SCTP_AUTH_KEY, as when processing these sockopts before, optlen would
      be trimmed to a biggest value it needs when optlen is a huge value,
      instead of failing the allocation and returning error.
      
      This patch is to fix the allocation failure when it's a huge optlen from
      user space by trimming it to the biggest size sctp sockopt may need when
      necessary, and this biggest size is from sctp_setsockopt_reset_streams()
      for SCTP_RESET_STREAMS, which is bigger than those for SCTP_HMAC_IDENT
      and SCTP_AUTH_KEY.
      
      Fixes: ca84bd05 ("sctp: copy the optval from user space in sctp_setsockopt")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f3fdd8d
    • Pavel Skripkin's avatar
      net: sched: fix memory leak in tcindex_partial_destroy_work · f5051bce
      Pavel Skripkin authored
      Syzbot reported memory leak in tcindex_set_parms(). The problem was in
      non-freed perfect hash in tcindex_partial_destroy_work().
      
      In tcindex_set_parms() new tcindex_data is allocated and some fields from
      old one are copied to new one, but not the perfect hash. Since
      tcindex_partial_destroy_work() is the destroy function for old
      tcindex_data, we need to free perfect hash to avoid memory leak.
      
      Reported-and-tested-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
      Fixes: 331b7292 ("net: sched: RCU cls_tcindex")
      Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5051bce