03 Apr, 2024 (7 commits)
    • net: bcmgenet: Reset RBUF on first open · 0a6380cb
      Phil Elwell authored
      If the RBUF logic is not reset when the kernel starts then there
      may be some data left over from any network boot loader. If the
      64-byte packet headers are enabled then this can be fatal.
      
      Extend bcmgenet_dma_disable to perform the reset, but not when
      called from bcmgenet_resume in order to preserve a wake packet.
      
      N.B. This different handling of resume is just based on a hunch -
      why else wouldn't one reset the RBUF as well as the TBUF? If this
      isn't the case then it's easy to change the patch to make the RBUF
      reset unconditional.
      
      See: https://github.com/raspberrypi/linux/issues/3850
      See: https://github.com/raspberrypi/firmware/issues/1882
      Signed-off-by: Phil Elwell <phil@raspberrypi.com>
      Signed-off-by: Maarten Vanraes <maarten@rmail.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • octeontx2-af: Add array index check · ef15ddee
      Aleksandr Mishin authored
      In rvu_map_cgx_lmac_pf() the 'iter', which is used as an array index, can reach
      a value (up to 14) that exceeds the size (MAX_LMAC_COUNT = 8) of the array.
      Fix this bug by adding an 'iter' value check.
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE.
      
      Fixes: 91c6945e ("octeontx2-af: cn10k: Add RPM MAC support")
      Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: mlx5: Add Tariq Toukan · c53fe72c
      Tariq Toukan authored
      Add myself as mlx5 core and EN maintainer.
      Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
      Reviewed-by: Gal Pressman <gal@nvidia.com>
      Acked-by: Saeed Mahameed <saeedm@nvidia.com>
      Link: https://lore.kernel.org/r/20240401184347.53884-1-tariqt@nvidia.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ipv6: Fix infinite recursion in fib6_dump_done(). · d21d4060
      Kuniyuki Iwashima authored
      syzkaller reported infinite recursive calls of fib6_dump_done() during
      netlink socket destruction.  [1]
      
      From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then
      the response was generated.  The following recvmmsg() resumed the dump
      for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due
      to the fault injection.  [0]
      
        12:01:34 executing program 3:
        r0 = socket$nl_route(0x10, 0x3, 0x0)
        sendmsg$nl_route(r0, ... snip ...)
        recvmmsg(r0, ... snip ...) (fail_nth: 8)
      
      Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call
      of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped
      receiving the response halfway through, and finally netlink_sock_destruct()
      called nlk_sk(sk)->cb.done().
      
      fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it
      is still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by
      nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling
      itself recursively and hitting the stack guard page.
      
      To avoid the issue, let's set the destructor after kzalloc().
      
      [0]:
      FAULT_INJECTION: forcing a failure.
      name failslab, interval 1, probability 0, space 0, times 0
      CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91-dirty #11
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl (lib/dump_stack.c:117)
       should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
       should_failslab (mm/slub.c:3733)
       kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)
       inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)
       rtnl_dump_all (net/core/rtnetlink.c:4029)
       netlink_dump (net/netlink/af_netlink.c:2269)
       netlink_recvmsg (net/netlink/af_netlink.c:1988)
       ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)
       ___sys_recvmsg (net/socket.c:2846)
       do_recvmmsg (net/socket.c:2943)
       __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)
      
      [1]:
      BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)
      stack guard page: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91-dirty #11
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      Workqueue: events netlink_sock_destruct_work
      RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)
      Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff
      RSP: 0018:ffffc9000d980000 EFLAGS: 00010293
      RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3
      RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358
      RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000
      R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68
      FS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0
      PKRU: 55555554
      Call Trace:
       <#DF>
       </#DF>
       <TASK>
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       ...
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
       netlink_sock_destruct (net/netlink/af_netlink.c:401)
       __sk_destruct (net/core/sock.c:2177 (discriminator 2))
       sk_destruct (net/core/sock.c:2224)
       __sk_free (net/core/sock.c:2235)
       sk_free (net/core/sock.c:2246)
       process_one_work (kernel/workqueue.c:3259)
       worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
       kthread (kernel/kthread.c:388)
       ret_from_fork (arch/x86/kernel/process.c:153)
       ret_from_fork_asm (arch/x86/entry/entry_64.S:256)
      Modules linked in:
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: syzkaller <syzkaller@googlegroups.com>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Link: https://lore.kernel.org/r/20240401211003.25274-1-kuniyu@amazon.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
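The callback-swap recursion this commit describes, as an added userspace model (not code from the page or from the kernel's netlink/ip6_fib sources): cb.done and cb.args[3], fib6_dump_end(), fib6_dump_done() and the allocation in inet6_dump_fib() are each reduced to a few lines, the kzalloc() fault injection becomes a flag, and the stack guard page becomes a depth cap. The model_* names, run_scenario() and MAX_DEPTH are assumptions for the example.

```c
/* Added example: a userspace model of the netlink callback state named in the
 * commit message (cb.done and cb.args[3]); it is not the kernel's own code. */
struct nl_cb {
    void (*done)(struct nl_cb *cb);
    void *args[4];
};
#define MAX_DEPTH 32   /* stand-in for hitting the stack guard page */
static int depth;
/* Model of fib6_dump_end(): restore the done() that was saved in args[3]. */
static void model_fib6_dump_end(struct nl_cb *cb)
{
    cb->done = (void (*)(struct nl_cb *))cb->args[3];
}
/* Model of fib6_dump_done(): end the dump, then chain to the previous done(). */
static void model_fib6_dump_done(struct nl_cb *cb)
{
    if (++depth >= MAX_DEPTH)
        return;            /* the real kernel has already crashed here ([1]) */
    model_fib6_dump_end(cb);
    if (cb->done)          /* args[3] == fib6_dump_done: calls itself again */
        cb->done(cb);
}
/* Model of inet6_dump_fib(): 'alloc_fails' stands in for the kzalloc() fault
 * injection; 'fixed' installs the destructor only after the allocation. */
static void model_inet6_dump_fib(struct nl_cb *cb, int alloc_fails, int fixed)
{
    if (!fixed) {          /* buggy order: replace done() before allocating */
        cb->args[3] = (void *)cb->done;
        cb->done = model_fib6_dump_done;
    }
    if (alloc_fails)       /* kzalloc() returned NULL */
        return;            /* buggy case: done() and args[3] now both point here */
    if (fixed) {           /* the commit's order: install done() afterwards */
        cb->args[3] = (void *)cb->done;
        cb->done = model_fib6_dump_done;
    }
}

/* Replays the syzkaller sequence and returns how deep done() recursed. */
int run_scenario(int fixed)
{
    struct nl_cb cb = { 0, { 0 } };
    depth = 0;
    model_inet6_dump_fib(&cb, 0, fixed);  /* first dump call: allocation ok */
    model_inet6_dump_fib(&cb, 1, fixed);  /* resumed dump: kzalloc() fails */
    if (cb.done)                          /* netlink_sock_destruct() */
        cb.done(&cb);
    return depth;                         /* buggy: MAX_DEPTH, fixed: 1 */
}
```

With the buggy ordering the destructor chains to itself until the depth cap; with the commit's ordering the failed allocation leaves cb.done untouched, so the destructor runs exactly once.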
    • r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d · 5d872c9f
      Heiner Kallweit authored
      On some boards with this chip version the BIOS is buggy and fails
      to reset the PHY page selector. This results in the PHY ID read
      accessing registers on a different page, returning a more or
      less random value. Fix this by resetting the page selector first.
      
      Fixes: f1e911d5 ("r8169: add basic phylib support")
      Cc: stable@vger.kernel.org
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/64f2055e-98b8-45ec-8568-665e3d54d4e6@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • vsock/virtio: fix packet delivery to tap device · b32a09ea
      Marco Pinna authored
      Commit 82dfb540 ("VSOCK: Add virtio vsock vsockmon hooks") added
      virtio_transport_deliver_tap_pkt() for handing packets to the
      vsockmon device. However, in virtio_transport_send_pkt_work(),
      the function is called before actually sending the packet (i.e.
      before placing it in the virtqueue with virtqueue_add_sgs() and checking
      whether it returned successfully).
      Queuing the packet in the virtqueue can fail even multiple times.
      However, in virtio_transport_deliver_tap_pkt() we deliver the packet
      to the monitoring tap interface only the first time we call it.
      This certainly avoids seeing the same packet replicated multiple times
      in the monitoring interface, but it can show the packet sent with the
      wrong timestamp or even before we succeed in queuing it in the virtqueue.
      
      Move virtio_transport_deliver_tap_pkt() after calling virtqueue_add_sgs()
      and making sure it returned successfully.
      
      Fixes: 82dfb540 ("VSOCK: Add virtio vsock vsockmon hooks")
      Cc: stable@vge.kernel.org
      Signed-off-by: Marco Pinna <marco.pinn95@gmail.com>
      Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20240329161259.411751-1-marco.pinn95@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • ax25: fix use-after-free bugs caused by ax25_ds_del_timer · fd819ad3
      Duoming Zhou authored
      When the ax25 device is detaching, ax25_dev_device_down()
      calls ax25_ds_del_timer() to clean up the slave_timer. When
      the timer handler is running, the del_timer() called inside
      ax25_ds_del_timer() returns directly. As a result,
      use-after-free bugs can happen; one of the scenarios
      is shown below:
      
            (Thread 1)          |      (Thread 2)
                                | ax25_ds_timeout()
      ax25_dev_device_down()    |
        ax25_ds_del_timer()     |
          del_timer()           |
        ax25_dev_put() //FREE   |
                                |  ax25_dev-> //USE
      
      In order to mitigate bugs, when the device is detaching, use
      timer_shutdown_sync() to stop the timer.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240329015023.9223-1-duoming@zju.edu.cn
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>