1. 15 Dec, 2023 11 commits
    • Eric Dumazet's avatar
      net/rose: fix races in rose_kill_by_device() · 64b8bc7d
      Eric Dumazet authored
      syzbot found an interesting netdev refcounting issue in
      net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1]
      
      Problem is that rose_kill_by_device() can change rose->device
      while other threads do not expect the pointer to be changed.
      
      We have to first collect sockets in a temporary array,
      then perform the changes while holding the socket
      lock and rose_list_lock spinlock (in this order)
      
      Change rose_release() to also acquire rose_list_lock
      before releasing the netdev refcount.
      
      [1]
      
      [ 1185.055088][ T7889] ref_tracker: reference already released.
      [ 1185.061476][ T7889] ref_tracker: allocated in:
      [ 1185.066081][ T7889]  rose_bind+0x4ab/0xd10
      [ 1185.070446][ T7889]  __sys_bind+0x1ec/0x220
      [ 1185.074818][ T7889]  __x64_sys_bind+0x72/0xb0
      [ 1185.079356][ T7889]  do_syscall_64+0x40/0x110
      [ 1185.083897][ T7889]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
      [ 1185.089835][ T7889] ref_tracker: freed in:
      [ 1185.094088][ T7889]  rose_release+0x2f5/0x570
      [ 1185.098629][ T7889]  __sock_release+0xae/0x260
      [ 1185.103262][ T7889]  sock_close+0x1c/0x20
      [ 1185.107453][ T7889]  __fput+0x270/0xbb0
      [ 1185.111467][ T7889]  task_work_run+0x14d/0x240
      [ 1185.116085][ T7889]  get_signal+0x106f/0x2790
      [ 1185.120622][ T7889]  arch_do_signal_or_restart+0x90/0x7f0
      [ 1185.126205][ T7889]  exit_to_user_mode_prepare+0x121/0x240
      [ 1185.131846][ T7889]  syscall_exit_to_user_mode+0x1e/0x60
      [ 1185.137293][ T7889]  do_syscall_64+0x4d/0x110
      [ 1185.141783][ T7889]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
      [ 1185.148085][ T7889] ------------[ cut here ]------------
      
      WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
      Modules linked in:
      CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
      Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44
      RSP: 0018:ffffc90004917850 EFLAGS: 00010202
      RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000
      RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001
      RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6
      R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c
      R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff
      FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      netdev_tracker_free include/linux/netdevice.h:4127 [inline]
      netdev_put include/linux/netdevice.h:4144 [inline]
      netdev_put include/linux/netdevice.h:4140 [inline]
      rose_kill_by_device net/rose/af_rose.c:195 [inline]
      rose_device_event+0x25d/0x330 net/rose/af_rose.c:218
      notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
      call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967
      call_netdevice_notifiers_extack net/core/dev.c:2005 [inline]
      call_netdevice_notifiers net/core/dev.c:2019 [inline]
      __dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646
      dev_change_flags+0x122/0x170 net/core/dev.c:8682
      dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529
      dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786
      sock_do_ioctl+0x198/0x270 net/socket.c:1234
      sock_ioctl+0x22e/0x6b0 net/socket.c:1339
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:871 [inline]
      __se_sys_ioctl fs/ioctl.c:857 [inline]
      __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7f0a7147cba9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9
      RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004
      RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8
      </TASK>
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Bernard Pidoux <f6bvp@free.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      64b8bc7d
    • Zhipeng Lu's avatar
      ethernet: atheros: fix a memleak in atl1e_setup_ring_resources · 309fdb1c
      Zhipeng Lu authored
      In the error handling of 'offset > adapter->ring_size', the
      tx_ring->tx_buffer allocated by kzalloc should be freed,
      instead of 'goto failed' instantly.
      
      Fixes: a6a53252 ("atl1e: Atheros L1E Gigabit Ethernet driver")
      Signed-off-by: default avatarZhipeng Lu <alexious@zju.edu.cn>
      Reviewed-by: default avatarSuman Ghosh <sumang@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      309fdb1c
    • Eric Dumazet's avatar
      net: sched: ife: fix potential use-after-free · 19391a2c
      Eric Dumazet authored
      ife_decode() calls pskb_may_pull() two times, we need to reload
      ifehdr after the second one, or risk use-after-free as reported
      by syzbot:
      
      BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
      BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
      Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323
      
      CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:364 [inline]
      print_report+0xc4/0x620 mm/kasan/report.c:475
      kasan_report+0xda/0x110 mm/kasan/report.c:588
      __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
      ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
      tcf_ife_decode net/sched/act_ife.c:739 [inline]
      tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879
      tc_act include/net/tc_wrapper.h:221 [inline]
      tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
      tcf_exts_exec include/net/pkt_cls.h:344 [inline]
      mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
      tc_classify include/net/tc_wrapper.h:227 [inline]
      __tcf_classify net/sched/cls_api.c:1703 [inline]
      tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
      hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
      hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
      dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
      __dev_xmit_skb net/core/dev.c:3828 [inline]
      __dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
      dev_queue_xmit include/linux/netdevice.h:3165 [inline]
      packet_xmit+0x237/0x350 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3081 [inline]
      packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7fe9acc7cae9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9
      RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003
      RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014
      R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
      R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78
      </TASK>
      
      Allocated by task 22323:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
      kasan_set_track+0x25/0x30 mm/kasan/common.c:52
      ____kasan_kmalloc mm/kasan/common.c:374 [inline]
      __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
      kasan_kmalloc include/linux/kasan.h:198 [inline]
      __do_kmalloc_node mm/slab_common.c:1007 [inline]
      __kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027
      kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
      __alloc_skb+0x12b/0x330 net/core/skbuff.c:651
      alloc_skb include/linux/skbuff.h:1298 [inline]
      alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
      sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
      packet_alloc_skb net/packet/af_packet.c:2930 [inline]
      packet_snd net/packet/af_packet.c:3024 [inline]
      packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      Freed by task 22323:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
      kasan_set_track+0x25/0x30 mm/kasan/common.c:52
      kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
      ____kasan_slab_free mm/kasan/common.c:236 [inline]
      ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
      kasan_slab_free include/linux/kasan.h:164 [inline]
      slab_free_hook mm/slub.c:1800 [inline]
      slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
      slab_free mm/slub.c:3809 [inline]
      __kmem_cache_free+0xc0/0x180 mm/slub.c:3822
      skb_kfree_head net/core/skbuff.c:950 [inline]
      skb_free_head+0x110/0x1b0 net/core/skbuff.c:962
      pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130
      __pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655
      pskb_may_pull_reason include/linux/skbuff.h:2685 [inline]
      pskb_may_pull include/linux/skbuff.h:2693 [inline]
      ife_decode+0x394/0x4f0 net/ife/ife.c:82
      tcf_ife_decode net/sched/act_ife.c:727 [inline]
      tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879
      tc_act include/net/tc_wrapper.h:221 [inline]
      tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
      tcf_exts_exec include/net/pkt_cls.h:344 [inline]
      mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
      tc_classify include/net/tc_wrapper.h:227 [inline]
      __tcf_classify net/sched/cls_api.c:1703 [inline]
      tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
      hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
      hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
      dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
      __dev_xmit_skb net/core/dev.c:3828 [inline]
      __dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
      dev_queue_xmit include/linux/netdevice.h:3165 [inline]
      packet_xmit+0x237/0x350 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3081 [inline]
      packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      The buggy address belongs to the object at ffff88802d730000
      which belongs to the cache kmalloc-8k of size 8192
      The buggy address is located 164 bytes inside of
      freed 8192-byte region [ffff88802d730000, ffff88802d732000)
      
      The buggy address belongs to the physical page:
      page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730
      head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
      page_type: 0xffffffff()
      raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000
      raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461
      set_page_owner include/linux/page_owner.h:31 [inline]
      post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544
      prep_new_page mm/page_alloc.c:1551 [inline]
      get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319
      __alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575
      alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
      alloc_slab_page mm/slub.c:1870 [inline]
      allocate_slab mm/slub.c:2017 [inline]
      new_slab+0x283/0x3c0 mm/slub.c:2070
      ___slab_alloc+0x979/0x1500 mm/slub.c:3223
      __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
      __slab_alloc_node mm/slub.c:3375 [inline]
      slab_alloc_node mm/slub.c:3468 [inline]
      __kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
      __do_kmalloc_node mm/slab_common.c:1006 [inline]
      __kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027
      kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
      __alloc_skb+0x12b/0x330 net/core/skbuff.c:651
      alloc_skb include/linux/skbuff.h:1298 [inline]
      alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
      sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
      packet_alloc_skb net/packet/af_packet.c:2930 [inline]
      packet_snd net/packet/af_packet.c:3024 [inline]
      packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      page last free stack trace:
      reset_page_owner include/linux/page_owner.h:24 [inline]
      free_pages_prepare mm/page_alloc.c:1144 [inline]
      free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354
      free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494
      __unfreeze_partials+0x226/0x240 mm/slub.c:2655
      qlink_free mm/kasan/quarantine.c:168 [inline]
      qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
      kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
      __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
      kasan_slab_alloc include/linux/kasan.h:188 [inline]
      slab_post_alloc_hook mm/slab.h:763 [inline]
      slab_alloc_node mm/slub.c:3478 [inline]
      slab_alloc mm/slub.c:3486 [inline]
      __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
      kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509
      alloc_inode_sb include/linux/fs.h:2937 [inline]
      ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408
      alloc_inode+0x5d/0x220 fs/inode.c:261
      new_inode_pseudo fs/inode.c:1006 [inline]
      new_inode+0x22/0x260 fs/inode.c:1032
      __ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958
      ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398
      vfs_symlink fs/namei.c:4464 [inline]
      vfs_symlink+0x3e5/0x620 fs/namei.c:4448
      do_symlinkat+0x25f/0x310 fs/namei.c:4490
      __do_sys_symlinkat fs/namei.c:4506 [inline]
      __se_sys_symlinkat fs/namei.c:4503 [inline]
      __x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503
      do_syscall_x64 arch/x86/entry/common.c:51 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
      
      Fixes: d57493d6 ("net: sched: ife: check on metadata length")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Alexander Aring <aahringo@redhat.com>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      19391a2c
    • Shigeru Yoshida's avatar
      net: Return error from sk_stream_wait_connect() if sk_wait_event() fails · cac23b7d
      Shigeru Yoshida authored
      The following NULL pointer dereference issue occurred:
      
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      <...>
      RIP: 0010:ccid_hc_tx_send_packet net/dccp/ccid.h:166 [inline]
      RIP: 0010:dccp_write_xmit+0x49/0x140 net/dccp/output.c:356
      <...>
      Call Trace:
       <TASK>
       dccp_sendmsg+0x642/0x7e0 net/dccp/proto.c:801
       inet_sendmsg+0x63/0x90 net/ipv4/af_inet.c:846
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x83/0xe0 net/socket.c:745
       ____sys_sendmsg+0x443/0x510 net/socket.c:2558
       ___sys_sendmsg+0xe5/0x150 net/socket.c:2612
       __sys_sendmsg+0xa6/0x120 net/socket.c:2641
       __do_sys_sendmsg net/socket.c:2650 [inline]
       __se_sys_sendmsg net/socket.c:2648 [inline]
       __x64_sys_sendmsg+0x45/0x50 net/socket.c:2648
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x43/0x110 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x63/0x6b
      
      sk_wait_event() returns an error (-EPIPE) if disconnect() is called on the
      socket waiting for the event. However, sk_stream_wait_connect() returns
      success, i.e. zero, even if sk_wait_event() returns -EPIPE, so a function
      that waits for a connection with sk_stream_wait_connect() may misbehave.
      
      In the case of the above DCCP issue, dccp_sendmsg() is waiting for the
      connection. If disconnect() is called in concurrently, the above issue
      occurs.
      
      This patch fixes the issue by returning error from sk_stream_wait_connect()
      if sk_wait_event() fails.
      
      Fixes: 419ce133 ("tcp: allow again tcp_disconnect() when threads are waiting")
      Signed-off-by: default avatarShigeru Yoshida <syoshida@redhat.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cac23b7d
    • Suman Ghosh's avatar
      octeontx2-pf: Fix graceful exit during PFC configuration failure · 8c97ab54
      Suman Ghosh authored
      During PFC configuration failure the code was not handling a graceful
      exit. This patch fixes the same and add proper code for a graceful exit.
      
      Fixes: 99c969a8 ("octeontx2-pf: Add egress PFC support")
      Signed-off-by: default avatarSuman Ghosh <sumang@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c97ab54
    • duanqiangwen's avatar
      net: libwx: fix memory leak on free page · 738b54b9
      duanqiangwen authored
      ifconfig ethx up, will set page->refcount larger than 1,
      and then ifconfig ethx down, calling __page_frag_cache_drain()
      to free pages, it is not compatible with page pool.
      So deleting codes which changing page->refcount.
      
      Fixes: 3c47e8ae ("net: libwx: Support to receive packets in NAPI")
      Signed-off-by: default avatarduanqiangwen <duanqiangwen@net-swift.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      738b54b9
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2023-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 0225191a
      Jakub Kicinski authored
      Johannes Berg says:
      
      ====================
       * add (and fix) certificate for regdb handover to Chen-Yu Tsai
       * fix rfkill GPIO handling
       * a few driver (iwlwifi, mt76) crash fixes
       * logic fixes in the stack
      
      * tag 'wireless-2023-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: cfg80211: fix certs build to not depend on file order
        wifi: mt76: fix crash with WED rx support enabled
        wifi: iwlwifi: pcie: avoid a NULL pointer dereference
        wifi: mac80211: mesh_plink: fix matches_local logic
        wifi: mac80211: mesh: check element parsing succeeded
        wifi: mac80211: check defragmentation succeeded
        wifi: mac80211: don't re-add debugfs during reconfig
        net: rfkill: gpio: set GPIO direction
        wifi: mac80211: check if the existing link config remains unchanged
        wifi: cfg80211: Add my certificate
        wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock
        wifi: ieee80211: don't require protected vendor action frames
      ====================
      
      Link: https://lore.kernel.org/r/20231214111515.60626-3-johannes@sipsolutions.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0225191a
    • Jakub Kicinski's avatar
      Merge tag 'mlx5-fixes-2023-12-13' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · e9b797dc
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-12-13
      
      This series provides bug fixes to mlx5 driver.
      
      * tag 'mlx5-fixes-2023-12-13' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors
        net/mlx5e: Correct snprintf truncation handling for fw_version buffer
        net/mlx5e: Fix error codes in alloc_branch_attr()
        net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get()
        net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num
        net/mlx5: Fix fw tracer first block check
        net/mlx5e: XDP, Drop fragmented packets larger than MTU size
        net/mlx5e: Decrease num_block_tc when unblock tc offload
        net/mlx5e: Fix overrun reported by coverity
        net/mlx5e: fix a potential double-free in fs_udp_create_groups
        net/mlx5e: Fix a race in command alloc flow
        net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()
        net/mlx5e: fix double free of encap_header
        Revert "net/mlx5e: fix double free of encap_header"
        Revert "net/mlx5e: fix double free of encap_header in update funcs"
      ====================
      
      Link: https://lore.kernel.org/r/20231214012505.42666-1-saeed@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e9b797dc
    • Jakub Kicinski's avatar
      Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 2c1a4185
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-12-13 (ice, i40e)
      
      This series contains updates to ice and i40e drivers.
      
      Michal Schmidt prevents possible out-of-bounds access for ice.
      
      Ivan Vecera corrects value for MDIO clause 45 on i40e.
      
      * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: Fix ST code value for Clause 45
        ice: fix theoretical out-of-bounds access in ethtool link modes
      ====================
      
      Link: https://lore.kernel.org/r/20231213220827.1311772-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2c1a4185
    • Vladimir Oltean's avatar
      net: mscc: ocelot: fix pMAC TX RMON stats for bucket 256-511 and above · 70f010da
      Vladimir Oltean authored
      The typo from ocelot_port_rmon_stats_cb() was also carried over to
      ocelot_port_pmac_rmon_stats_cb() as well, leading to incorrect TX RMON
      stats for the pMAC too.
      
      Fixes: ab3f97a9 ("net: mscc: ocelot: export ethtool MAC Merge stats for Felix VSC9959")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/20231214000902.545625-2-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      70f010da
    • Vladimir Oltean's avatar
      net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and above · 52eda464
      Vladimir Oltean authored
      There is a typo in the driver due to which we report incorrect TX RMON
      counters for the 256-511 octet bucket and all the other buckets larger
      than that.
      
      Bug found with the selftest at
      https://patchwork.kernel.org/project/netdevbpf/patch/20231211223346.2497157-9-tobias@waldekranz.com/
      
      Fixes: e32036e1 ("net: mscc: ocelot: add support for all sorts of standardized counters present in DSA")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
      Link: https://lore.kernel.org/r/20231214000902.545625-1-vladimir.oltean@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      52eda464
  2. 14 Dec, 2023 28 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · c7402612
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
      "Current release - regressions:
      
         - tcp: fix tcp_disordered_ack() vs usec TS resolution
      
        Current release - new code bugs:
      
         - dpll: sanitize possible null pointer dereference in
           dpll_pin_parent_pin_set()
      
         - eth: octeon_ep: initialise control mbox tasks before using APIs
      
        Previous releases - regressions:
      
         - io_uring/af_unix: disable sending io_uring over sockets
      
         - eth: mlx5e:
             - TC, don't offload post action rule if not supported
             - fix possible deadlock on mlx5e_tx_timeout_work
      
         - eth: iavf: fix iavf_shutdown to call iavf_remove instead iavf_close
      
         - eth: bnxt_en: fix skb recycling logic in bnxt_deliver_skb()
      
         - eth: ena: fix DMA syncing in XDP path when SWIOTLB is on
      
         - eth: team: fix use-after-free when an option instance allocation
           fails
      
        Previous releases - always broken:
      
         - neighbour: don't let neigh_forced_gc() disable preemption for long
      
         - net: prevent mss overflow in skb_segment()
      
         - ipv6: support reporting otherwise unknown prefix flags in
           RTM_NEWPREFIX
      
         - tcp: remove acked SYN flag from packet in the transmit queue
           correctly
      
         - eth: octeontx2-af:
             - fix a use-after-free in rvu_nix_register_reporters
             - fix promisc mcam entry action
      
         - eth: dwmac-loongson: make sure MDIO is initialized before use
      
         - eth: atlantic: fix double free in ring reinit logic"
      
      * tag 'net-6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (62 commits)
        net: atlantic: fix double free in ring reinit logic
        appletalk: Fix Use-After-Free in atalk_ioctl
        net: stmmac: Handle disabled MDIO busses from devicetree
        net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX
        dpaa2-switch: do not ask for MDB, VLAN and FDB replay
        dpaa2-switch: fix size of the dma_unmap
        net: prevent mss overflow in skb_segment()
        vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
        Revert "tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set"
        MIPS: dts: loongson: drop incorrect dwmac fallback compatible
        stmmac: dwmac-loongson: drop useless check for compatible fallback
        stmmac: dwmac-loongson: Make sure MDIO is initialized before use
        tcp: disable tcp_autocorking for socket when TCP_NODELAY flag is set
        dpll: sanitize possible null pointer dereference in dpll_pin_parent_pin_set()
        net: ena: Fix XDP redirection error
        net: ena: Fix DMA syncing in XDP path when SWIOTLB is on
        net: ena: Fix xdp drops handling due to multibuf packets
        net: ena: Destroy correct number of xdp queues upon failure
        net: Remove acked SYN flag from packet in the transmit queue correctly
        qed: Fix a potential use-after-free in qed_cxt_tables_alloc
        ...
      c7402612
    • Linus Torvalds's avatar
      Merge tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · bdb2701f
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
        "Some fixes to quota accounting code, mostly around error handling and
         correctness:
      
         - free reserves on various error paths, after IO errors or
           transaction abort
      
         - don't clear reserved range at the folio release time, it'll be
           properly cleared after final write
      
         - fix integer overflow due to int used when passing around size of
           freed reservations
      
         - fix a regression in squota accounting that missed some cases with
           delayed refs"
      
      * tag 'for-6.7-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: ensure releasing squota reserve on head refs
        btrfs: don't clear qgroup reserved bit in release_folio
        btrfs: free qgroup pertrans reserve on transaction abort
        btrfs: fix qgroup_free_reserved_data int overflow
        btrfs: free qgroup reserve when ORDERED_IOERR is set
      bdb2701f
    • Igor Russkikh's avatar
      net: atlantic: fix double free in ring reinit logic · 7bb26ea7
      Igor Russkikh authored
      Driver has a logic leak in ring data allocation/free,
      where double free may happen in aq_ring_free if system is under
      stress and driver init/deinit is happening.
      
      The probability is higher to get this during suspend/resume cycle.
      
      Verification was done simulating same conditions with
      
          stress -m 2000 --vm-bytes 20M --vm-hang 10 --backoff 1000
          while true; do sudo ifconfig enp1s0 down; sudo ifconfig enp1s0 up; done
      
      Fixed by explicitly clearing pointers to NULL on deallocation
      
      Fixes: 018423e9 ("net: ethernet: aquantia: Add ring support code")
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Closes: https://lore.kernel.org/netdev/CAHk-=wiZZi7FcvqVSUirHBjx0bBUZ4dFrMDVLc3+3HCrtq0rBA@mail.gmail.com/Signed-off-by: default avatarIgor Russkikh <irusskikh@marvell.com>
      Link: https://lore.kernel.org/r/20231213094044.22988-1-irusskikh@marvell.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7bb26ea7
    • Hyunwoo Kim's avatar
      appletalk: Fix Use-After-Free in atalk_ioctl · 189ff167
      Hyunwoo Kim authored
      Because atalk_ioctl() accesses sk->sk_receive_queue
      without holding a sk->sk_receive_queue.lock, it can
      cause a race with atalk_recvmsg().
      A use-after-free for skb occurs with the following flow.
      ```
      atalk_ioctl() -> skb_peek()
      atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
      ```
      Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarHyunwoo Kim <v4bel@theori.io>
      Link: https://lore.kernel.org/r/20231213041056.GA519680@v4bel-B760M-AORUS-ELITE-AXSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      189ff167
    • Andrew Halaney's avatar
      net: stmmac: Handle disabled MDIO busses from devicetree · e23c0d21
      Andrew Halaney authored
      Many hardware configurations have the MDIO bus disabled, and are instead
      using some other MDIO bus to talk to the MAC's phy.
      
      of_mdiobus_register() returns -ENODEV in this case. Let's handle it
      gracefully instead of failing to probe the MAC.
      
      Fixes: 47dd7a54 ("net: add support for STMicroelectronics Ethernet controllers.")
      Signed-off-by: default avatarAndrew Halaney <ahalaney@redhat.com>
      Reviewed-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Link: https://lore.kernel.org/r/20231212-b4-stmmac-handle-mdio-enodev-v2-1-600171acf79f@redhat.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      e23c0d21
    • Sneh Shah's avatar
      net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX · 981d947b
      Sneh Shah authored
      In 10M SGMII mode all the packets are being dropped due to wrong Rx clock.
      SGMII 10MBPS mode needs RX clock divider programmed to avoid drops in Rx.
      Update configure SGMII function with Rx clk divider programming.
      
      Fixes: 463120c3 ("net: stmmac: dwmac-qcom-ethqos: add support for SGMII")
      Tested-by: default avatarAndrew Halaney <ahalaney@redhat.com>
      Signed-off-by: default avatarSneh Shah <quic_snehshah@quicinc.com>
      Reviewed-by: default avatarBjorn Andersson <quic_bjorande@quicinc.com>
      Link: https://lore.kernel.org/r/20231212092208.22393-1-quic_snehshah@quicinc.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      981d947b
    • Johannes Berg's avatar
      wifi: cfg80211: fix certs build to not depend on file order · 3c2a8ebe
      Johannes Berg authored
      The file for the new certificate (Chen-Yu Tsai's) didn't
      end with a comma, so depending on the file order in the
      build rule, we'd end up with invalid C when concatenating
      the (now two) certificates. Fix that.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarBiju Das <biju.das.jz@bp.renesas.com>
      Reported-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Fixes: fb768d3b ("wifi: cfg80211: Add my certificate")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3c2a8ebe
    • Jakub Kicinski's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 89e0c646
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-12-12 (iavf)
      
      This series contains updates to iavf driver only.
      
      Piotr reworks Flow Director states to deal with issues in restoring
      filters.
      
      Slawomir fixes shutdown processing as it was missing needed calls.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        iavf: Fix iavf_shutdown to call iavf_remove instead iavf_close
        iavf: Handle ntuple on/off based on new state machines for flow director
        iavf: Introduce new state machines for flow director
      ====================
      
      Link: https://lore.kernel.org/r/20231212203613.513423-1-anthony.l.nguyen@intel.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      89e0c646
    • Jakub Kicinski's avatar
      Merge branch 'dpaa2-switch-various-fixes' · dc84bb19
      Jakub Kicinski authored
      Ioana Ciornei says:
      
      ====================
      dpaa2-switch: various fixes
      
      The first patch fixes the size passed to two dma_unmap_single() calls
      which was wrongly put as the size of the pointer.
      
      The second patch is new to this series and reverts the behavior of the
      dpaa2-switch driver to not ask for object replay upon offloading so that
      we avoid the errors encountered when a VLAN is installed multiple times
      on the same port.
      ====================
      
      Link: https://lore.kernel.org/r/20231212164326.2753457-1-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      dc84bb19
    • Ioana Ciornei's avatar
      dpaa2-switch: do not ask for MDB, VLAN and FDB replay · f24a49a3
      Ioana Ciornei authored
      Starting with commit 4e51bf44 ("net: bridge: move the switchdev
      object replay helpers to "push" mode") the switchdev_bridge_port_offload()
      helper was extended with the intention to provide switchdev drivers easy
      access to object addition and deletion replays. This works by calling
      the replay helpers with non-NULL notifier blocks.
      
      In the same commit, the dpaa2-switch driver was updated so that it
      passes valid notifier blocks to the helper. At that moment, no
      regression was identified through testing.
      
      In the meantime, the blamed commit changed the behavior in terms of
      which ports get hit by the replay. Before this commit, only the initial
      port which identified itself as offloaded through
      switchdev_bridge_port_offload() got a replay of all port objects and
      FDBs. After this, the newly joining port will trigger a replay of
      objects on all bridge ports and on the bridge itself.
      
      This behavior leads to errors in dpaa2_switch_port_vlans_add() when a
      VLAN gets installed on the same interface multiple times.
      
      The intended mechanism to address this is to pass a non-NULL ctx to the
      switchdev_bridge_port_offload() helper and then check it against the
      port's private structure. But since the driver does not have any use for
      the replayed port objects and FDBs until it gains support for LAG
      offload, it's better to fix the issue by reverting the dpaa2-switch
      driver to not ask for replay. The pointers will be added back when we
      are prepared to ignore replays on unrelated ports.
      
      Fixes: b28d580e ("net: bridge: switchdev: replay all VLAN groups")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20231212164326.2753457-3-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f24a49a3
    • Ioana Ciornei's avatar
      dpaa2-switch: fix size of the dma_unmap · 2aad7d41
      Ioana Ciornei authored
      The size of the DMA unmap was wrongly put as a sizeof of a pointer.
      Change the value of the DMA unmap to be the actual macro used for the
      allocation and the DMA map.
      
      Fixes: 1110318d ("dpaa2-switch: add tc flower hardware offload on ingress traffic")
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20231212164326.2753457-2-ioana.ciornei@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2aad7d41
    • Eric Dumazet's avatar
      net: prevent mss overflow in skb_segment() · 23d05d56
      Eric Dumazet authored
      Once again syzbot is able to crash the kernel in skb_segment() [1]
      
      GSO_BY_FRAGS is a forbidden value, but unfortunately the following
      computation in skb_segment() can reach it quite easily :
      
      	mss = mss * partial_segs;
      
      65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
      a bad final result.
      
      Make sure to limit segmentation so that the new mss value is smaller
      than GSO_BY_FRAGS.
      
      [1]
      
      general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
      CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3c #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
      RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
      Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
      RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
      RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
      RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
      R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
      FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
      ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
      skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
      __skb_gso_segment+0x339/0x710 net/core/gso.c:124
      skb_gso_segment include/net/gso.h:83 [inline]
      validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
      __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
      dev_queue_xmit include/linux/netdevice.h:3134 [inline]
      packet_xmit+0x257/0x380 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3087 [inline]
      packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0xd5/0x180 net/socket.c:745
      __sys_sendto+0x255/0x340 net/socket.c:2190
      __do_sys_sendto net/socket.c:2202 [inline]
      __se_sys_sendto net/socket.c:2198 [inline]
      __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
      entry_SYSCALL_64_after_hwframe+0x63/0x6b
      RIP: 0033:0x7f8692032aa9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
      RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
      RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
      R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
      </TASK>
      Modules linked in:
      ---[ end trace 0000000000000000 ]---
      RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
      Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
      RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
      RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
      RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
      R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
      FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      
      Fixes: 3953c46c ("sk_buff: allow segmenting based on frag sizes")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/20231212164621.4131800-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      23d05d56
    • Nikolay Kuratov's avatar
      vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() · 60316d7f
      Nikolay Kuratov authored
      We need to do signed arithmetic if we expect condition
      `if (bytes < 0)` to be possible
      
      Found by Linux Verification Center (linuxtesting.org) with SVACE
      
      Fixes: 06a8fc78 ("VSOCK: Introduce virtio_vsock_common.ko")
      Signed-off-by: default avatarNikolay Kuratov <kniv@yandex-team.ru>
      Reviewed-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Link: https://lore.kernel.org/r/20231211162317.4116625-1-kniv@yandex-team.ruSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      60316d7f
    • Rahul Rameshbabu's avatar
      net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors · b13559b7
      Rahul Rameshbabu authored
      snprintf returns the length of the formatted string, excluding the trailing
      null, without accounting for truncation. This means that is the return
      value is greater than or equal to the size parameter, the fw_version string
      was truncated.
      
      Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
      Fixes: 1b2bd0c0 ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors")
      Signed-off-by: default avatarRahul Rameshbabu <rrameshbabu@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      b13559b7
    • Rahul Rameshbabu's avatar
      net/mlx5e: Correct snprintf truncation handling for fw_version buffer · ad436b9c
      Rahul Rameshbabu authored
      snprintf returns the length of the formatted string, excluding the trailing
      null, without accounting for truncation. This means that is the return
      value is greater than or equal to the size parameter, the fw_version string
      was truncated.
      Reported-by: default avatarDavid Laight <David.Laight@ACULAB.COM>
      Closes: https://lore.kernel.org/netdev/81cae734ee1b4cde9b380a9a31006c1a@AcuMS.aculab.com/
      Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
      Fixes: 41e63c2b ("net/mlx5e: Check return value of snprintf writing to fw_version buffer")
      Signed-off-by: default avatarRahul Rameshbabu <rrameshbabu@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      ad436b9c
    • Dan Carpenter's avatar
      net/mlx5e: Fix error codes in alloc_branch_attr() · d792e5f7
      Dan Carpenter authored
      Set the error code if set_branch_dest_ft() fails.
      
      Fixes: ccbe3300 ("net/mlx5e: TC, Don't offload post action rule if not supported")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      d792e5f7
    • Dan Carpenter's avatar
      net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get() · 86d59226
      Dan Carpenter authored
      Preserve the error code if esw_add_restore_rule() fails.  Don't return
      success.
      
      Fixes: 67027828 ("net/mlx5e: TC, Set CT miss to the specific ct action instance")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      86d59226
    • Vlad Buslov's avatar
      net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num · 04ad04e4
      Vlad Buslov authored
      Currently the destination rep pointer is only used for comparisons or to
      obtain vport number from it. Since it is used both during flow creation and
      deletion it may point to representor of another eswitch instance which can
      be deallocated during driver unload even when there are rules pointing to
      it[0]. Refactor the code to store vport number and 'valid' flag instead of
      the representor pointer.
      
      [0]:
      [176805.886303] ==================================================================
      [176805.889433] BUG: KASAN: slab-use-after-free in esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.892981] Read of size 2 at addr ffff888155090aa0 by task modprobe/27280
      
      [176805.895462] CPU: 3 PID: 27280 Comm: modprobe Tainted: G    B              6.6.0-rc3+ #1
      [176805.896771] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [176805.898514] Call Trace:
      [176805.899026]  <TASK>
      [176805.899519]  dump_stack_lvl+0x33/0x50
      [176805.900221]  print_report+0xc2/0x610
      [176805.900893]  ? mlx5_chains_put_table+0x33d/0x8d0 [mlx5_core]
      [176805.901897]  ? esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.902852]  kasan_report+0xac/0xe0
      [176805.903509]  ? esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.904461]  esw_cleanup_dests+0x390/0x440 [mlx5_core]
      [176805.905223]  __mlx5_eswitch_del_rule+0x1ae/0x460 [mlx5_core]
      [176805.906044]  ? esw_cleanup_dests+0x440/0x440 [mlx5_core]
      [176805.906822]  ? xas_find_conflict+0x420/0x420
      [176805.907496]  ? down_read+0x11e/0x200
      [176805.908046]  mlx5e_tc_rule_unoffload+0xc4/0x2a0 [mlx5_core]
      [176805.908844]  mlx5e_tc_del_fdb_flow+0x7da/0xb10 [mlx5_core]
      [176805.909597]  mlx5e_flow_put+0x4b/0x80 [mlx5_core]
      [176805.910275]  mlx5e_delete_flower+0x5b4/0xb70 [mlx5_core]
      [176805.911010]  tc_setup_cb_reoffload+0x27/0xb0
      [176805.911648]  fl_reoffload+0x62d/0x900 [cls_flower]
      [176805.912313]  ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core]
      [176805.913151]  ? __fl_put+0x230/0x230 [cls_flower]
      [176805.913768]  ? filter_irq_stacks+0x90/0x90
      [176805.914335]  ? kasan_save_stack+0x1e/0x40
      [176805.914893]  ? kasan_set_track+0x21/0x30
      [176805.915484]  ? kasan_save_free_info+0x27/0x40
      [176805.916105]  tcf_block_playback_offloads+0x79/0x1f0
      [176805.916773]  ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core]
      [176805.917647]  tcf_block_unbind+0x12d/0x330
      [176805.918239]  tcf_block_offload_cmd.isra.0+0x24e/0x320
      [176805.918953]  ? tcf_block_bind+0x770/0x770
      [176805.919551]  ? _raw_read_unlock_irqrestore+0x30/0x30
      [176805.920236]  ? mutex_lock+0x7d/0xd0
      [176805.920735]  ? mutex_unlock+0x80/0xd0
      [176805.921255]  tcf_block_offload_unbind+0xa5/0x120
      [176805.921909]  __tcf_block_put+0xc2/0x2d0
      [176805.922467]  ingress_destroy+0xf4/0x3d0 [sch_ingress]
      [176805.923178]  __qdisc_destroy+0x9d/0x280
      [176805.923741]  dev_shutdown+0x1c6/0x330
      [176805.924295]  unregister_netdevice_many_notify+0x6ef/0x1500
      [176805.925034]  ? netdev_freemem+0x50/0x50
      [176805.925610]  ? _raw_spin_lock_irq+0x7b/0xd0
      [176805.926235]  ? _raw_spin_lock_bh+0xe0/0xe0
      [176805.926849]  unregister_netdevice_queue+0x1e0/0x280
      [176805.927592]  ? unregister_netdevice_many+0x10/0x10
      [176805.928275]  unregister_netdev+0x18/0x20
      [176805.928835]  mlx5e_vport_rep_unload+0xc0/0x200 [mlx5_core]
      [176805.929608]  mlx5_esw_offloads_unload_rep+0x9d/0xc0 [mlx5_core]
      [176805.930492]  mlx5_eswitch_unload_vf_vports+0x108/0x1a0 [mlx5_core]
      [176805.931422]  ? mlx5_eswitch_unload_sf_vport+0x50/0x50 [mlx5_core]
      [176805.932304]  ? rwsem_down_write_slowpath+0x11f0/0x11f0
      [176805.932987]  mlx5_eswitch_disable_sriov+0x6f9/0xa60 [mlx5_core]
      [176805.933807]  ? mlx5_core_disable_hca+0xe1/0x130 [mlx5_core]
      [176805.934576]  ? mlx5_eswitch_disable_locked+0x580/0x580 [mlx5_core]
      [176805.935463]  mlx5_device_disable_sriov+0x138/0x490 [mlx5_core]
      [176805.936308]  mlx5_sriov_disable+0x8c/0xb0 [mlx5_core]
      [176805.937063]  remove_one+0x7f/0x210 [mlx5_core]
      [176805.937711]  pci_device_remove+0x96/0x1c0
      [176805.938289]  device_release_driver_internal+0x361/0x520
      [176805.938981]  ? kobject_put+0x5c/0x330
      [176805.939553]  driver_detach+0xd7/0x1d0
      [176805.940101]  bus_remove_driver+0x11f/0x290
      [176805.943847]  pci_unregister_driver+0x23/0x1f0
      [176805.944505]  mlx5_cleanup+0xc/0x20 [mlx5_core]
      [176805.945189]  __x64_sys_delete_module+0x2b3/0x450
      [176805.945837]  ? module_flags+0x300/0x300
      [176805.946377]  ? dput+0xc2/0x830
      [176805.946848]  ? __kasan_record_aux_stack+0x9c/0xb0
      [176805.947555]  ? __call_rcu_common.constprop.0+0x46c/0xb50
      [176805.948338]  ? fpregs_assert_state_consistent+0x1d/0xa0
      [176805.949055]  ? exit_to_user_mode_prepare+0x30/0x120
      [176805.949713]  do_syscall_64+0x3d/0x90
      [176805.950226]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [176805.950904] RIP: 0033:0x7f7f42c3f5ab
      [176805.951462] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48
      [176805.953710] RSP: 002b:00007fff07dc9d08 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [176805.954691] RAX: ffffffffffffffda RBX: 000055b6e91c01e0 RCX: 00007f7f42c3f5ab
      [176805.955691] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6e91c0248
      [176805.956662] RBP: 000055b6e91c01e0 R08: 0000000000000000 R09: 0000000000000000
      [176805.957601] R10: 00007f7f42d9eac0 R11: 0000000000000206 R12: 000055b6e91c0248
      [176805.958593] R13: 0000000000000000 R14: 000055b6e91bfb38 R15: 0000000000000000
      [176805.959599]  </TASK>
      
      [176805.960324] Allocated by task 20490:
      [176805.960893]  kasan_save_stack+0x1e/0x40
      [176805.961463]  kasan_set_track+0x21/0x30
      [176805.962019]  __kasan_kmalloc+0x77/0x90
      [176805.962554]  esw_offloads_init+0x1bb/0x480 [mlx5_core]
      [176805.963318]  mlx5_eswitch_init+0xc70/0x15c0 [mlx5_core]
      [176805.964092]  mlx5_init_one_devl_locked+0x366/0x1230 [mlx5_core]
      [176805.964902]  probe_one+0x6f7/0xc90 [mlx5_core]
      [176805.965541]  local_pci_probe+0xd7/0x180
      [176805.966075]  pci_device_probe+0x231/0x6f0
      [176805.966631]  really_probe+0x1d4/0xb50
      [176805.967179]  __driver_probe_device+0x18d/0x450
      [176805.967810]  driver_probe_device+0x49/0x120
      [176805.968431]  __driver_attach+0x1fb/0x490
      [176805.968976]  bus_for_each_dev+0xed/0x170
      [176805.969560]  bus_add_driver+0x21a/0x570
      [176805.970124]  driver_register+0x133/0x460
      [176805.970684]  0xffffffffa0678065
      [176805.971180]  do_one_initcall+0x92/0x2b0
      [176805.971744]  do_init_module+0x22d/0x720
      [176805.972318]  load_module+0x58c3/0x63b0
      [176805.972847]  init_module_from_file+0xd2/0x130
      [176805.973441]  __x64_sys_finit_module+0x389/0x7c0
      [176805.974045]  do_syscall_64+0x3d/0x90
      [176805.974556]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176805.975566] Freed by task 27280:
      [176805.976077]  kasan_save_stack+0x1e/0x40
      [176805.976655]  kasan_set_track+0x21/0x30
      [176805.977221]  kasan_save_free_info+0x27/0x40
      [176805.977834]  ____kasan_slab_free+0x11a/0x1b0
      [176805.978505]  __kmem_cache_free+0x163/0x2d0
      [176805.979113]  esw_offloads_cleanup_reps+0xb8/0x120 [mlx5_core]
      [176805.979963]  mlx5_eswitch_cleanup+0x182/0x270 [mlx5_core]
      [176805.980763]  mlx5_cleanup_once+0x9a/0x1e0 [mlx5_core]
      [176805.981477]  mlx5_uninit_one+0xa9/0x180 [mlx5_core]
      [176805.982196]  remove_one+0x8f/0x210 [mlx5_core]
      [176805.982868]  pci_device_remove+0x96/0x1c0
      [176805.983461]  device_release_driver_internal+0x361/0x520
      [176805.984169]  driver_detach+0xd7/0x1d0
      [176805.984702]  bus_remove_driver+0x11f/0x290
      [176805.985261]  pci_unregister_driver+0x23/0x1f0
      [176805.985847]  mlx5_cleanup+0xc/0x20 [mlx5_core]
      [176805.986483]  __x64_sys_delete_module+0x2b3/0x450
      [176805.987126]  do_syscall_64+0x3d/0x90
      [176805.987665]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176805.988667] Last potentially related work creation:
      [176805.989305]  kasan_save_stack+0x1e/0x40
      [176805.989839]  __kasan_record_aux_stack+0x9c/0xb0
      [176805.990443]  kvfree_call_rcu+0x84/0xa30
      [176805.990973]  clean_xps_maps+0x265/0x6e0
      [176805.991547]  netif_reset_xps_queues.part.0+0x3f/0x80
      [176805.992226]  unregister_netdevice_many_notify+0xfcf/0x1500
      [176805.992966]  unregister_netdevice_queue+0x1e0/0x280
      [176805.993638]  unregister_netdev+0x18/0x20
      [176805.994205]  mlx5e_remove+0xba/0x1e0 [mlx5_core]
      [176805.994872]  auxiliary_bus_remove+0x52/0x70
      [176805.995490]  device_release_driver_internal+0x361/0x520
      [176805.996196]  bus_remove_device+0x1e1/0x3d0
      [176805.996767]  device_del+0x390/0x980
      [176805.997270]  mlx5_rescan_drivers_locked.part.0+0x130/0x540 [mlx5_core]
      [176805.998195]  mlx5_unregister_device+0x77/0xc0 [mlx5_core]
      [176805.998989]  mlx5_uninit_one+0x41/0x180 [mlx5_core]
      [176805.999719]  remove_one+0x8f/0x210 [mlx5_core]
      [176806.000387]  pci_device_remove+0x96/0x1c0
      [176806.000938]  device_release_driver_internal+0x361/0x520
      [176806.001612]  unbind_store+0xd8/0xf0
      [176806.002108]  kernfs_fop_write_iter+0x2c0/0x440
      [176806.002748]  vfs_write+0x725/0xba0
      [176806.003294]  ksys_write+0xed/0x1c0
      [176806.003823]  do_syscall_64+0x3d/0x90
      [176806.004357]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      [176806.005317] The buggy address belongs to the object at ffff888155090a80
                       which belongs to the cache kmalloc-64 of size 64
      [176806.006774] The buggy address is located 32 bytes inside of
                       freed 64-byte region [ffff888155090a80, ffff888155090ac0)
      
      [176806.008773] The buggy address belongs to the physical page:
      [176806.009480] page:00000000a407e0e6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155090
      [176806.010633] flags: 0x200000000000800(slab|node=0|zone=2)
      [176806.011352] page_type: 0xffffffff()
      [176806.011905] raw: 0200000000000800 ffff888100042640 ffffea000422b1c0 dead000000000004
      [176806.012949] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
      [176806.013933] page dumped because: kasan: bad access detected
      
      [176806.014935] Memory state around the buggy address:
      [176806.015601]  ffff888155090980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.016568]  ffff888155090a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.017497] >ffff888155090a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.018438]                                ^
      [176806.019007]  ffff888155090b00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.020001]  ffff888155090b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [176806.020996] ==================================================================
      
      Fixes: a508728a ("net/mlx5e: VF tunnel RX traffic offloading")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      04ad04e4
    • Moshe Shemesh's avatar
      net/mlx5: Fix fw tracer first block check · 4261edf1
      Moshe Shemesh authored
      While handling new traces, to verify it is not the first block being
      written, last_timestamp is checked. But instead of checking it is non
      zero it is verified to be zero. Fix to verify last_timestamp is not
      zero.
      
      Fixes: c71ad41c ("net/mlx5: FW tracer, events handling")
      Signed-off-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Reviewed-by: default avatarFeras Daoud <ferasda@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      4261edf1
    • Carolina Jubran's avatar
      net/mlx5e: XDP, Drop fragmented packets larger than MTU size · bcaf109f
      Carolina Jubran authored
      XDP transmits fragmented packets that are larger than MTU size instead of
      dropping those packets. The drop check that checks whether a packet is larger
      than MTU is comparing MTU size against the linear part length only.
      
      Adjust the drop check to compare MTU size against both linear and non-linear
      part lengths to avoid transmitting fragmented packets larger than MTU size.
      
      Fixes: 39a1665d ("net/mlx5e: Implement sending multi buffer XDP frames")
      Signed-off-by: default avatarCarolina Jubran <cjubran@nvidia.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      bcaf109f
    • Chris Mi's avatar
      net/mlx5e: Decrease num_block_tc when unblock tc offload · be86106f
      Chris Mi authored
      The cited commit increases num_block_tc when unblock tc offload.
      Actually should decrease it.
      
      Fixes: c8e350e6 ("net/mlx5e: Make TC and IPsec offloads mutually exclusive on a netdev")
      Signed-off-by: default avatarChris Mi <cmi@nvidia.com>
      Reviewed-by: default avatarJianbo Liu <jianbol@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      be86106f
    • Jianbo Liu's avatar
      net/mlx5e: Fix overrun reported by coverity · da75fa54
      Jianbo Liu authored
      Coverity Scan reports the following issue. But it's impossible that
      mlx5_get_dev_index returns 7 for PF, even if the index is calculated
      from PCI FUNC ID. So add the checking to make coverity slience.
      
      CID 610894 (#2 of 2): Out-of-bounds write (OVERRUN)
      Overrunning array esw->fdb_table.offloads.peer_miss_rules of 4 8-byte
      elements at element index 7 (byte offset 63) using index
      mlx5_get_dev_index(peer_dev) (which evaluates to 7).
      
      Fixes: 9bee385a ("net/mlx5: E-switch, refactor FDB miss rule add/remove")
      Signed-off-by: default avatarJianbo Liu <jianbol@nvidia.com>
      Reviewed-by: default avatarRoi Dayan <roid@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      da75fa54
    • Dinghao Liu's avatar
      net/mlx5e: fix a potential double-free in fs_udp_create_groups · e75efc64
      Dinghao Liu authored
      When kcalloc() for ft->g succeeds but kvzalloc() for in fails,
      fs_udp_create_groups() will free ft->g. However, its caller
      fs_udp_create_table() will free ft->g again through calling
      mlx5e_destroy_flow_table(), which will lead to a double-free.
      Fix this by setting ft->g to NULL in fs_udp_create_groups().
      
      Fixes: 1c80bd68 ("net/mlx5e: Introduce Flow Steering UDP API")
      Signed-off-by: default avatarDinghao Liu <dinghao.liu@zju.edu.cn>
      Reviewed-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      e75efc64
    • Shifeng Li's avatar
      net/mlx5e: Fix a race in command alloc flow · 8f5100da
      Shifeng Li authored
      Fix a cmd->ent use after free due to a race on command entry.
      Such race occurs when one of the commands releases its last refcount and
      frees its index and entry while another process running command flush
      flow takes refcount to this command entry. The process which handles
      commands flush may see this command as needed to be flushed if the other
      process allocated a ent->idx but didn't set ent to cmd->ent_arr in
      cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into
      the spin lock.
      
      [70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
      [70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361
      [70013.081968]
      [70013.082028] Workqueue: events aer_isr
      [70013.082053] Call Trace:
      [70013.082067]  dump_stack+0x8b/0xbb
      [70013.082086]  print_address_description+0x6a/0x270
      [70013.082102]  kasan_report+0x179/0x2c0
      [70013.082173]  mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
      [70013.082267]  mlx5_cmd_flush+0x80/0x180 [mlx5_core]
      [70013.082304]  mlx5_enter_error_state+0x106/0x1d0 [mlx5_core]
      [70013.082338]  mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core]
      [70013.082377]  remove_one+0x200/0x2b0 [mlx5_core]
      [70013.082409]  pci_device_remove+0xf3/0x280
      [70013.082439]  device_release_driver_internal+0x1c3/0x470
      [70013.082453]  pci_stop_bus_device+0x109/0x160
      [70013.082468]  pci_stop_and_remove_bus_device+0xe/0x20
      [70013.082485]  pcie_do_fatal_recovery+0x167/0x550
      [70013.082493]  aer_isr+0x7d2/0x960
      [70013.082543]  process_one_work+0x65f/0x12d0
      [70013.082556]  worker_thread+0x87/0xb50
      [70013.082571]  kthread+0x2e9/0x3a0
      [70013.082592]  ret_from_fork+0x1f/0x40
      
      The logical relationship of this error is as follows:
      
                   aer_recover_work              |          ent->work
      -------------------------------------------+------------------------------
      aer_recover_work_func                      |
      |- pcie_do_recovery                        |
        |- report_error_detected                 |
          |- mlx5_pci_err_detected               |cmd_work_handler
            |- mlx5_enter_error_state            |  |- cmd_alloc_index
              |- enter_error_state               |    |- lock cmd->alloc_lock
                |- mlx5_cmd_flush                |    |- clear_bit
                  |- mlx5_cmd_trigger_completions|    |- unlock cmd->alloc_lock
                    |- lock cmd->alloc_lock      |
                    |- vector = ~dev->cmd.vars.bitmask
                    |- for_each_set_bit          |
                      |- cmd_ent_get(cmd->ent_arr[i]) (UAF)
                    |- unlock cmd->alloc_lock    |  |- cmd->ent_arr[ent->idx]=ent
      
      The cmd->ent_arr[ent->idx] assignment and the bit clearing are not
      protected by the cmd->alloc_lock in cmd_work_handler().
      
      Fixes: 50b2412b ("net/mlx5: Avoid possible free of command entry while timeout comp handler")
      Reviewed-by: default avatarMoshe Shemesh <moshe@nvidia.com>
      Signed-off-by: default avatarShifeng Li <lishifeng@sangfor.com.cn>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      8f5100da
    • Shifeng Li's avatar
      net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() · ddb38ddf
      Shifeng Li authored
      Out_sz that the size of out buffer is calculated using query_nic_vport
      _context_in structure when driver query the MAC list. However query_nic
      _vport_context_in structure is smaller than query_nic_vport_context_out.
      When allowed_list_size is greater than 96, calling ether_addr_copy() will
      trigger an slab-out-of-bounds.
      
      [ 1170.055866] BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
      [ 1170.055869] Read of size 4 at addr ffff88bdbc57d912 by task kworker/u128:1/461
      [ 1170.055870]
      [ 1170.055932] Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]
      [ 1170.055936] Call Trace:
      [ 1170.055949]  dump_stack+0x8b/0xbb
      [ 1170.055958]  print_address_description+0x6a/0x270
      [ 1170.055961]  kasan_report+0x179/0x2c0
      [ 1170.056061]  mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
      [ 1170.056162]  esw_update_vport_addr_list+0x2c5/0xcd0 [mlx5_core]
      [ 1170.056257]  esw_vport_change_handle_locked+0xd08/0x1a20 [mlx5_core]
      [ 1170.056377]  esw_vport_change_handler+0x6b/0x90 [mlx5_core]
      [ 1170.056381]  process_one_work+0x65f/0x12d0
      [ 1170.056383]  worker_thread+0x87/0xb50
      [ 1170.056390]  kthread+0x2e9/0x3a0
      [ 1170.056394]  ret_from_fork+0x1f/0x40
      
      Fixes: e16aea27 ("net/mlx5: Introduce access functions to modify/query vport mac lists")
      Cc: Ding Hui <dinghui@sangfor.com.cn>
      Signed-off-by: default avatarShifeng Li <lishifeng@sangfor.com.cn>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      ddb38ddf
    • Vlad Buslov's avatar
      net/mlx5e: fix double free of encap_header · 8e13cd73
      Vlad Buslov authored
      Cited commit introduced potential double free since encap_header can be
      destroyed twice in some cases - once by error cleanup sequence in
      mlx5e_tc_tun_{create|update}_header_ipv{4|6}(), once by generic
      mlx5e_encap_put() that user calls as a result of getting an error from
      tunnel create|update. At the same time the point where e->encap_header is
      assigned can't be delayed because the function can still return non-error
      code 0 as a result of checking for NUD_VALID flag, which will cause
      neighbor update to dereference NULL encap_header.
      
      Fix the issue by:
      
      - Nulling local encap_header variables in
      mlx5e_tc_tun_{create|update}_header_ipv{4|6}() to make kfree(encap_header)
      call in error cleanup sequence noop after that point.
      
      - Assigning reformat_params.data from e->encap_header instead of local
      variable encap_header that was set to NULL pointer by previous step. Also
      assign reformat_params.size from e->encap_size for uniformity and in order
      to make the code less error-prone in the future.
      
      Fixes: d589e785 ("net/mlx5e: Allow concurrent creation of encap entries")
      Reported-by: default avatarDust Li <dust.li@linux.alibaba.com>
      Reported-by: default avatarCruz Zhao <cruzzhao@linux.alibaba.com>
      Reported-by: default avatarTianchen Ding <dtcccc@linux.alibaba.com>
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      8e13cd73
    • Vlad Buslov's avatar
      Revert "net/mlx5e: fix double free of encap_header" · 5d089684
      Vlad Buslov authored
      This reverts commit 6f9b1a07.
      
      This patch is causing a null ptr issue, the proper fix is in the next
      patch.
      
      Fixes: 6f9b1a07 ("net/mlx5e: fix double free of encap_header")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      5d089684
    • Vlad Buslov's avatar
      Revert "net/mlx5e: fix double free of encap_header in update funcs" · 66ca8d4d
      Vlad Buslov authored
      This reverts commit 3a4aa3cb.
      
      This patch is causing a null ptr issue, the proper fix is in the next
      patch.
      
      Fixes: 3a4aa3cb ("net/mlx5e: fix double free of encap_header in update funcs")
      Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
      66ca8d4d
  3. 13 Dec, 2023 1 commit