1. 20 Jun, 2022 3 commits
    • Ziyang Xuan's avatar
      net/tls: fix tls_sk_proto_close executed repeatedly · 69135c57
      Ziyang Xuan authored
      After setting the sock ktls, update ctx->sk_proto to sock->sk_prot by
      tls_update(), so now ctx->sk_proto->close is tls_sk_proto_close(). When
      close the sock, tls_sk_proto_close() is called for sock->sk_prot->close
      is tls_sk_proto_close(). But ctx->sk_proto->close() will be executed later
      in tls_sk_proto_close(). Thus tls_sk_proto_close() executed repeatedly
      occurred. That will trigger the following bug.
      
      =================================================================
      KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
      RIP: 0010:tls_sk_proto_close+0xd8/0xaf0 net/tls/tls_main.c:306
      Call Trace:
       <TASK>
       tls_sk_proto_close+0x356/0xaf0 net/tls/tls_main.c:329
       inet_release+0x12e/0x280 net/ipv4/af_inet.c:428
       __sock_release+0xcd/0x280 net/socket.c:650
       sock_close+0x18/0x20 net/socket.c:1365
      
      Updating a proto which is same with sock->sk_prot is incorrect. Add proto
      and sock->sk_prot equality check at the head of tls_update() to fix it.
      
      Fixes: 95fa1454 ("bpf: sockmap/tls, close can race with map free")
      Reported-by: syzbot+29c3c12f3214b85ad081@syzkaller.appspotmail.com
      Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69135c57
    • Eric Dumazet's avatar
      erspan: do not assume transport header is always set · 301bd140
      Eric Dumazet authored
      Rewrite tests in ip6erspan_tunnel_xmit() and
      erspan_fb_xmit() to not assume transport header is set.
      
      syzbot reported:
      
      WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 skb_transport_header include/linux/skbuff.h:2911 [inline]
      WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963
      Modules linked in:
      CPU: 0 PID: 1350 Comm: aoe_tx0 Not tainted 5.19.0-rc2-syzkaller-00160-g274295c6 #0
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
      RIP: 0010:skb_transport_header include/linux/skbuff.h:2911 [inline]
      RIP: 0010:ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963
      Code: 0f 47 f0 40 88 b5 7f fe ff ff e8 8c 16 4b f9 89 de bf ff ff ff ff e8 a0 12 4b f9 66 83 fb ff 0f 85 1d f1 ff ff e8 71 16 4b f9 <0f> 0b e9 43 f0 ff ff e8 65 16 4b f9 48 8d 85 30 ff ff ff ba 60 00
      RSP: 0018:ffffc90005daf910 EFLAGS: 00010293
      RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000
      RDX: ffff88801f032100 RSI: ffffffff882e8d3f RDI: 0000000000000003
      RBP: ffffc90005dafab8 R08: 0000000000000003 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000000 R12: ffff888024f21d40
      R13: 000000000000a288 R14: 00000000000000b0 R15: ffff888025a2e000
      FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b2e425000 CR3: 000000006d099000 CR4: 0000000000152ef0
      Call Trace:
      <TASK>
      __netdev_start_xmit include/linux/netdevice.h:4805 [inline]
      netdev_start_xmit include/linux/netdevice.h:4819 [inline]
      xmit_one net/core/dev.c:3588 [inline]
      dev_hard_start_xmit+0x188/0x880 net/core/dev.c:3604
      sch_direct_xmit+0x19f/0xbe0 net/sched/sch_generic.c:342
      __dev_xmit_skb net/core/dev.c:3815 [inline]
      __dev_queue_xmit+0x14a1/0x3900 net/core/dev.c:4219
      dev_queue_xmit include/linux/netdevice.h:2994 [inline]
      tx+0x6a/0xc0 drivers/block/aoe/aoenet.c:63
      kthread+0x1e7/0x3b0 drivers/block/aoe/aoecmd.c:1229
      kthread+0x2e9/0x3a0 kernel/kthread.c:376
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
      </TASK>
      
      Fixes: d5db21a3 ("erspan: auto detect truncated ipv6 packets.")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: William Tu <u9012063@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      301bd140
    • Riccardo Paolo Bestetti's avatar
      ipv4: fix bind address validity regression tests · 313c502f
      Riccardo Paolo Bestetti authored
      Commit 8ff978b8 ("ipv4/raw: support binding to nonlocal addresses")
      introduces support for binding to nonlocal addresses, as well as some
      basic test coverage for some of the related cases.
      
      Commit b4a028c4 ("ipv4: ping: fix bind address validity check")
      fixes a regression which incorrectly removed some checks for bind
      address validation. In addition, it introduces regression tests for
      those specific checks. However, those regression tests are defective, in
      that they perform the tests using an incorrect combination of bind
      flags. As a result, those tests fail when they should succeed.
      
      This commit introduces additional regression tests for nonlocal binding
      and fixes the defective regression tests. It also introduces new
      set_sysctl calls for the ipv4_bind test group, as to perform the ICMP
      binding tests it is necessary to allow ICMP socket creation by setting
      the net.ipv4.ping_group_range knob.
      
      Fixes: b4a028c4 ("ipv4: ping: fix bind address validity check")
      Reported-by: default avatarRiccardo Paolo Bestetti <pbl@bestov.io>
      Signed-off-by: default avatarRiccardo Paolo Bestetti <pbl@bestov.io>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      313c502f
  2. 19 Jun, 2022 2 commits
    • Oleksij Rempel's avatar
      net: phy: at803x: fix NULL pointer dereference on AR9331 PHY · 9926de73
      Oleksij Rempel authored
      Latest kernel will explode on the PHY interrupt config, since it depends
      now on allocated priv. So, run probe to allocate priv to fix it.
      
       ar9331_switch ethernet.1:10 lan0 (uninitialized): PHY [!ahb!ethernet@1a000000!mdio!switch@10:00] driver [Qualcomm Atheros AR9331 built-in PHY] (irq=13)
       CPU 0 Unable to handle kernel paging request at virtual address 0000000a, epc == 8050e8a8, ra == 80504b34
               ...
       Call Trace:
       [<8050e8a8>] at803x_config_intr+0x5c/0xd0
       [<80504b34>] phy_request_interrupt+0xa8/0xd0
       [<8050289c>] phylink_bringup_phy+0x2d8/0x3ac
       [<80502b68>] phylink_fwnode_phy_connect+0x118/0x130
       [<8074d8ec>] dsa_slave_create+0x270/0x420
       [<80743b04>] dsa_port_setup+0x12c/0x148
       [<8074580c>] dsa_register_switch+0xaf0/0xcc0
       [<80511344>] ar9331_sw_probe+0x370/0x388
       [<8050cb78>] mdio_probe+0x44/0x70
       [<804df300>] really_probe+0x200/0x424
       [<804df7b4>] __driver_probe_device+0x290/0x298
       [<804df810>] driver_probe_device+0x54/0xe4
       [<804dfd50>] __device_attach_driver+0xe4/0x130
       [<804dcb00>] bus_for_each_drv+0xb4/0xd8
       [<804dfac4>] __device_attach+0x104/0x1a4
       [<804ddd24>] bus_probe_device+0x48/0xc4
       [<804deb44>] deferred_probe_work_func+0xf0/0x10c
       [<800a0ffc>] process_one_work+0x314/0x4d4
       [<800a17fc>] worker_thread+0x2a4/0x354
       [<800a9a54>] kthread+0x134/0x13c
       [<8006306c>] ret_from_kernel_thread+0x14/0x1c
      
      Same Issue would affect some other PHYs (QCA8081, QCA9561), so fix it
      too.
      
      Fixes: 3265f421 ("net: phy: at803x: add fiber support")
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9926de73
    • Wentao_Liang's avatar
      drivers/net/ethernet/neterion/vxge: Fix a use-after-free bug in vxge-main.c · 8fc74d18
      Wentao_Liang authored
      The pointer vdev points to a memory region adjacent to a net_device
      structure ndev, which is a field of hldev. At line 4740, the invocation
      to vxge_device_unregister unregisters device hldev, and it also releases
      the memory region pointed by vdev->bar0. At line 4743, the freed memory
      region is referenced (i.e., iounmap(vdev->bar0)), resulting in a
      use-after-free vulnerability. We can fix the bug by calling iounmap
      before vxge_device_unregister.
      
      4721.      static void vxge_remove(struct pci_dev *pdev)
      4722.      {
      4723.             struct __vxge_hw_device *hldev;
      4724.             struct vxgedev *vdev;
      …
      4731.             vdev = netdev_priv(hldev->ndev);
      …
      4740.             vxge_device_unregister(hldev);
      4741.             /* Do not call pci_disable_sriov here, as it
      						will break child devices */
      4742.             vxge_hw_device_terminate(hldev);
      4743.             iounmap(vdev->bar0);
      …
      4749              vxge_debug_init(vdev->level_trace, "%s:%d
      								Device unregistered",
      4750                            __func__, __LINE__);
      4751              vxge_debug_entryexit(vdev->level_trace, "%s:%d
      								Exiting...", __func__,
      4752                          __LINE__);
      4753.      }
      
      This is the screenshot when the vulnerability is triggered by using
      KASAN. We can see that there is a use-after-free reported by KASAN.
      
      /***************************start**************************/
      
      root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
      [  178.296316] vxge_remove
      [  182.057081]
       ==================================================================
      [  182.057548] BUG: KASAN: use-after-free in vxge_remove+0xe0/0x15c
      [  182.057760] Read of size 8 at addr ffff888006c76598 by task bash/119
      [  182.057983]
      [  182.058747] CPU: 0 PID: 119 Comm: bash Not tainted 5.18.0 #5
      [  182.058919] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
      rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      [  182.059463] Call Trace:
      [  182.059726]  <TASK>
      [  182.060017]  dump_stack_lvl+0x34/0x44
      [  182.060316]  print_report.cold+0xb2/0x6b7
      [  182.060401]  ? kfree+0x89/0x290
      [  182.060478]  ? vxge_remove+0xe0/0x15c
      [  182.060545]  kasan_report+0xa9/0x120
      [  182.060629]  ? vxge_remove+0xe0/0x15c
      [  182.060706]  vxge_remove+0xe0/0x15c
      [  182.060793]  pci_device_remove+0x5d/0xe0
      [  182.060968]  device_release_driver_internal+0xf1/0x180
      [  182.061063]  pci_stop_bus_device+0xae/0xe0
      [  182.061150]  pci_stop_and_remove_bus_device_locked+0x11/0x20
      [  182.061236]  remove_store+0xc6/0xe0
      [  182.061297]  ? subordinate_bus_number_show+0xc0/0xc0
      [  182.061359]  ? __mutex_lock_slowpath+0x10/0x10
      [  182.061438]  ? sysfs_kf_write+0x6d/0xa0
      [  182.061525]  kernfs_fop_write_iter+0x1b0/0x260
      [  182.061610]  ? sysfs_kf_bin_read+0xf0/0xf0
      [  182.061695]  new_sync_write+0x209/0x310
      [  182.061789]  ? new_sync_read+0x310/0x310
      [  182.061865]  ? cgroup_rstat_updated+0x5c/0x170
      [  182.061937]  ? preempt_count_sub+0xf/0xb0
      [  182.061995]  ? pick_next_entity+0x13a/0x220
      [  182.062063]  ? __inode_security_revalidate+0x44/0x80
      [  182.062155]  ? security_file_permission+0x46/0x2a0
      [  182.062230]  vfs_write+0x33f/0x3e0
      [  182.062303]  ksys_write+0xb4/0x150
      [  182.062369]  ? __ia32_sys_read+0x40/0x40
      [  182.062451]  do_syscall_64+0x3b/0x90
      [  182.062531]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
      [  182.062894] RIP: 0033:0x7f3f37d17274
      [  182.063558] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f
      80 00 00 00 00 48 8d 05 89 54 0d 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f
      05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 49 89 d4 55 48 89 f5 53
      [  182.063797] RSP: 002b:00007ffd5ba9e178 EFLAGS: 00000246
      ORIG_RAX: 0000000000000001
      [  182.064117] RAX: ffffffffffffffda RBX: 0000000000000002
      RCX: 00007f3f37d17274
      [  182.064219] RDX: 0000000000000002 RSI: 000055bbec327180
      RDI: 0000000000000001
      [  182.064315] RBP: 000055bbec327180 R08: 000000000000000a
      R09: 00007f3f37de7cf0
      [  182.064414] R10: 000000000000000a R11: 0000000000000246
      R12: 00007f3f37de8760
      [  182.064513] R13: 0000000000000002 R14: 00007f3f37de3760
      R15: 0000000000000002
      [  182.064691]  </TASK>
      [  182.064916]
      [  182.065224] The buggy address belongs to the physical page:
      [  182.065804] page:00000000ef31e4f4 refcount:0 mapcount:0
      mapping:0000000000000000 index:0x0 pfn:0x6c76
      [  182.067419] flags: 0x100000000000000(node=0|zone=1)
      [  182.068997] raw: 0100000000000000 0000000000000000
      ffffea00001b1d88 0000000000000000
      [  182.069118] raw: 0000000000000000 0000000000000000
      00000000ffffffff 0000000000000000
      [  182.069294] page dumped because: kasan: bad access detected
      [  182.069331]
      [  182.069360] Memory state around the buggy address:
      [  182.070006]  ffff888006c76480: ff ff ff ff ff ff ff ff ff ff ff
       ff ff ff ff ff
      [  182.070136]  ffff888006c76500: ff ff ff ff ff ff ff ff ff ff ff
       ff ff ff ff ff
      [  182.070230] >ffff888006c76580: ff ff ff ff ff ff ff ff ff ff ff
       ff ff ff ff ff
      [  182.070305]                             ^
      [  182.070456]  ffff888006c76600: ff ff ff ff ff ff ff ff ff ff ff
       ff ff ff ff ff
      [  182.070505]  ffff888006c76680: ff ff ff ff ff ff ff ff ff ff ff
       ff ff ff ff ff
      [  182.070606]
      ==================================================================
      [  182.071374] Disabling lock debugging due to kernel taint
      
      /*****************************end*****************************/
      
      After fixing the bug as done in the patch, we can find KASAN do not report
       the bug and the device(00:03.0) has been successfully removed.
      
      /*****************************start***************************/
      
      root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
      root@kernel:~#
      
      /******************************end****************************/
      Signed-off-by: default avatarWentao_Liang <Wentao_Liang_g@163.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8fc74d18
  3. 18 Jun, 2022 5 commits
    • Peilin Ye's avatar
      net/sched: sch_netem: Fix arithmetic in netem_dump() for 32-bit platforms · a2b1a5d4
      Peilin Ye authored
      As reported by Yuming, currently tc always show a latency of UINT_MAX
      for netem Qdisc's on 32-bit platforms:
      
          $ tc qdisc add dev dummy0 root netem latency 100ms
          $ tc qdisc show dev dummy0
          qdisc netem 8001: root refcnt 2 limit 1000 delay 275s  275s
                                                     ^^^^^^^^^^^^^^^^
      
      Let us take a closer look at netem_dump():
      
              qopt.latency = min_t(psched_tdiff_t, PSCHED_NS2TICKS(q->latency,
                                   UINT_MAX);
      
      qopt.latency is __u32, psched_tdiff_t is signed long,
      (psched_tdiff_t)(UINT_MAX) is negative for 32-bit platforms, so
      qopt.latency is always UINT_MAX.
      
      Fix it by using psched_time_t (u64) instead.
      
      Note: confusingly, users have two ways to specify 'latency':
      
        1. normally, via '__u32 latency' in struct tc_netem_qopt;
        2. via the TCA_NETEM_LATENCY64 attribute, which is s64.
      
      For the second case, theoretically 'latency' could be negative.  This
      patch ignores that corner case, since it is broken (i.e. assigning a
      negative s64 to __u32) anyways, and should be handled separately.
      
      Thanks Ted Lin for the analysis [1] .
      
      [1] https://github.com/raspberrypi/linux/issues/3512Reported-by: default avatarYuming Chen <chenyuming.junnan@bytedance.com>
      Fixes: 112f9cb6 ("netem: convert to qdisc_watchdog_schedule_ns")
      Reviewed-by: default avatarCong Wang <cong.wang@bytedance.com>
      Signed-off-by: default avatarPeilin Ye <peilin.ye@bytedance.com>
      Acked-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Link: https://lore.kernel.org/r/20220616234336.2443-1-yepeilin.cs@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a2b1a5d4
    • Ivan Vecera's avatar
      ethtool: Fix get module eeprom fallback · a3bb7b63
      Ivan Vecera authored
      Function fallback_set_params() checks if the module type returned
      by a driver is ETH_MODULE_SFF_8079 and in this case it assumes
      that buffer returns a concatenated content of page  A0h and A2h.
      The check is wrong because the correct type is ETH_MODULE_SFF_8472.
      
      Fixes: 96d971e3 ("ethtool: Add fallback to get_module_eeprom from netlink command")
      Signed-off-by: default avatarIvan Vecera <ivecera@redhat.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Link: https://lore.kernel.org/r/20220616160856.3623273-1-ivecera@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a3bb7b63
    • Jay Vosburgh's avatar
      bonding: ARP monitor spams NETDEV_NOTIFY_PEERS notifiers · 7a9214f3
      Jay Vosburgh authored
      The bonding ARP monitor fails to decrement send_peer_notif, the
      number of peer notifications (gratuitous ARP or ND) to be sent. This
      results in a continuous series of notifications.
      
      Correct this by decrementing the counter for each notification.
      Reported-by: default avatarJonathan Toppins <jtoppins@redhat.com>
      Signed-off-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Fixes: b0929915 ("bonding: Fix RTNL: assertion failed at net/core/rtnetlink.c for ab arp monitor")
      Link: https://lore.kernel.org/netdev/b2fd4147-8f50-bebd-963a-1a3e8d1d9715@redhat.com/Tested-by: default avatarJonathan Toppins <jtoppins@redhat.com>
      Reviewed-by: default avatarJonathan Toppins <jtoppins@redhat.com>
      Link: https://lore.kernel.org/r/9400.1655407960@famineSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7a9214f3
    • Lorenzo Bianconi's avatar
      igb: fix a use-after-free issue in igb_clean_tx_ring · 3f6a57ee
      Lorenzo Bianconi authored
      Fix the following use-after-free bug in igb_clean_tx_ring routine when
      the NIC is running in XDP mode. The issue can be triggered redirecting
      traffic into the igb NIC and then closing the device while the traffic
      is flowing.
      
      [   73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9
      [   73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017
      [   73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0
      [   73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282
      [   73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000
      [   73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0
      [   73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058
      [   73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090
      [   73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000
      [   73.404806] FS:  00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000
      [   73.413129] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0
      [   73.426565] Call Trace:
      [   73.429087]  <TASK>
      [   73.431314]  igb_clean_tx_ring+0x43/0x140 [igb]
      [   73.436002]  igb_down+0x1d7/0x220 [igb]
      [   73.439974]  __igb_close+0x3c/0x120 [igb]
      [   73.444118]  igb_xdp+0x10c/0x150 [igb]
      [   73.447983]  ? igb_pci_sriov_configure+0x70/0x70 [igb]
      [   73.453362]  dev_xdp_install+0xda/0x110
      [   73.457371]  dev_xdp_attach+0x1da/0x550
      [   73.461369]  do_setlink+0xfd0/0x10f0
      [   73.465166]  ? __nla_validate_parse+0x89/0xc70
      [   73.469714]  rtnl_setlink+0x11a/0x1e0
      [   73.473547]  rtnetlink_rcv_msg+0x145/0x3d0
      [   73.477709]  ? rtnl_calcit.isra.0+0x130/0x130
      [   73.482258]  netlink_rcv_skb+0x8d/0x110
      [   73.486229]  netlink_unicast+0x230/0x340
      [   73.490317]  netlink_sendmsg+0x215/0x470
      [   73.494395]  __sys_sendto+0x179/0x190
      [   73.498268]  ? move_addr_to_user+0x37/0x70
      [   73.502547]  ? __sys_getsockname+0x84/0xe0
      [   73.506853]  ? netlink_setsockopt+0x1c1/0x4a0
      [   73.511349]  ? __sys_setsockopt+0xc8/0x1d0
      [   73.515636]  __x64_sys_sendto+0x20/0x30
      [   73.519603]  do_syscall_64+0x3b/0x80
      [   73.523399]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [   73.528712] RIP: 0033:0x7ff38d41f20c
      [   73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      [   73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c
      [   73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003
      [   73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
      [   73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0
      [   73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30
      [   73.596545]  </TASK>
      [   73.598842] ---[ end trace 0000000000000000 ]---
      
      Fixes: 9cbc948b ("igb: add XDP support")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Reviewed-by: default avatarJesse Brandeburg <jesse.brandeburg@intel.com>
      Acked-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Link: https://lore.kernel.org/r/e5c01d549dc37bff18e46aeabd6fb28a7bcf84be.1655388571.git.lorenzo@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3f6a57ee
    • Jakub Kicinski's avatar
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 582573f1
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2022-06-17
      
      We've added 12 non-merge commits during the last 4 day(s) which contain
      a total of 14 files changed, 305 insertions(+), 107 deletions(-).
      
      The main changes are:
      
      1) Fix x86 JIT tailcall count offset on BPF-2-BPF call, from Jakub Sitnicki.
      
      2) Fix a kprobe_multi link bug which misplaces BPF cookies, from Jiri Olsa.
      
      3) Fix an infinite loop when processing a module's BTF, from Kumar Kartikeya Dwivedi.
      
      4) Fix getting a rethook only in RCU available context, from Masami Hiramatsu.
      
      5) Fix request socket refcount leak in sk lookup helpers, from Jon Maxwell.
      
      6) Fix xsk xmit behavior which wrongly adds skb to already full cq, from Ciara Loftus.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        rethook: Reject getting a rethook if RCU is not watching
        fprobe, samples: Add use_trace option and show hit/missed counter
        bpf, docs: Update some of the JIT/maintenance entries
        selftest/bpf: Fix kprobe_multi bench test
        bpf: Force cookies array to follow symbols sorting
        ftrace: Keep address offset in ftrace_lookup_symbols
        selftests/bpf: Shuffle cookies symbols in kprobe multi test
        selftests/bpf: Test tail call counting with bpf2bpf and data on stack
        bpf, x86: Fix tail call count offset calculation on bpf2bpf call
        bpf: Limit maximum modifier chain length in btf_check_type_tags
        bpf: Fix request_sock leak in sk lookup helpers
        xsk: Fix generic transmit when completion queue reservation fails
      ====================
      
      Link: https://lore.kernel.org/r/20220617202119.2421-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      582573f1
  4. 17 Jun, 2022 14 commits
    • Masami Hiramatsu (Google)'s avatar
      rethook: Reject getting a rethook if RCU is not watching · c0f3bb40
      Masami Hiramatsu (Google) authored
      Since the rethook_recycle() will involve the call_rcu() for reclaiming
      the rethook_instance, the rethook must be set up at the RCU available
      context (non idle). This rethook_recycle() in the rethook trampoline
      handler is inevitable, thus the RCU available check must be done before
      setting the rethook trampoline.
      
      This adds a rcu_is_watching() check in the rethook_try_get() so that
      it will return NULL if it is called when !rcu_is_watching().
      
      Fixes: 54ecbe6f ("rethook: Add a generic return hook")
      Signed-off-by: default avatarMasami Hiramatsu (Google) <mhiramat@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: https://lore.kernel.org/bpf/165461827269.280167.7379263615545598958.stgit@devnote2
      c0f3bb40
    • Masami Hiramatsu (Google)'s avatar
      fprobe, samples: Add use_trace option and show hit/missed counter · c88dbbcd
      Masami Hiramatsu (Google) authored
      Add use_trace option to use trace_printk() instead of pr_info()
      so that the handler doesn't involve the RCU operations.
      And show the hit and missed counter so that the user can check
      how many times the probe handler hit and missed.
      Signed-off-by: default avatarMasami Hiramatsu (Google) <mhiramat@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: https://lore.kernel.org/bpf/165461826247.280167.11939123218334322352.stgit@devnote2
      c88dbbcd
    • Daniel Borkmann's avatar
      bpf, docs: Update some of the JIT/maintenance entries · 63ce81d1
      Daniel Borkmann authored
      Various minor updates around some of the BPF-related entries:
      
      JITs for ARM32/NFP/SPARC/X86-32 haven't seen updates in quite a while, thus
      for now, mark them as 'Odd Fixes' until they become more actively developed.
      
      JITs for POWERPC/S390 are in good shape and receive active development and
      review, thus bump to 'Supported' similar as we have with X86-64/ARM64.
      
      JITs for MIPS/RISC-V are in similar good shape as the ones mentioned above,
      but looked after mostly in spare time, thus leave for now in 'Maintained' state.
      
      Add Michael to PPC JIT given he's picking up the patches there, so it better
      reflects today's state.
      
      Also, I haven't done much reviewing around BPF sockmap/kTLS after John and I
      did the big rework back in the days to integrate sockmap with kTLS.
      
      These days, most of this is taken care by John, Jakub {Sitnicki,Kicinski} and
      others in the community, so remove myself from these two.
      
      Lastly, move all BPF-related entries into one place, that is, move the sockmap
      one over near rest of BPF.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/r/f9b8a63a0b48dc764bd4c50f87632889f5813f69.1655494758.git.daniel@iogearbox.netSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      63ce81d1
    • Riccardo Paolo Bestetti's avatar
      ipv4: ping: fix bind address validity check · b4a028c4
      Riccardo Paolo Bestetti authored
      Commit 8ff978b8 ("ipv4/raw: support binding to nonlocal addresses")
      introduced a helper function to fold duplicated validity checks of bind
      addresses into inet_addr_valid_or_nonlocal(). However, this caused an
      unintended regression in ping_check_bind_addr(), which previously would
      reject binding to multicast and broadcast addresses, but now these are
      both incorrectly allowed as reported in [1].
      
      This patch restores the original check. A simple reordering is done to
      improve readability and make it evident that multicast and broadcast
      addresses should not be allowed. Also, add an early exit for INADDR_ANY
      which replaces lost behavior added by commit 0ce779a9 ("net: Avoid
      unnecessary inet_addr_type() call when addr is INADDR_ANY").
      
      Furthermore, this patch introduces regression selftests to catch these
      specific cases.
      
      [1] https://lore.kernel.org/netdev/CANP3RGdkAcDyAZoT1h8Gtuu0saq+eOrrTiWbxnOs+5zn+cpyKg@mail.gmail.com/
      
      Fixes: 8ff978b8 ("ipv4/raw: support binding to nonlocal addresses")
      Cc: Miaohe Lin <linmiaohe@huawei.com>
      Reported-by: default avatarMaciej Żenczykowski <maze@google.com>
      Signed-off-by: default avatarCarlos Llamas <cmllamas@google.com>
      Signed-off-by: default avatarRiccardo Paolo Bestetti <pbl@bestov.io>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b4a028c4
    • Xu Jia's avatar
      hamradio: 6pack: fix array-index-out-of-bounds in decode_std_command() · 2b04495e
      Xu Jia authored
      Hulk Robot reports incorrect sp->rx_count_cooked value in decode_std_command().
      This should be caused by the subtracting from sp->rx_count_cooked before.
      It seems that sp->rx_count_cooked value is changed to 0, which bypassed the
      previous judgment.
      
      The situation is shown below:
      
               (Thread 1)			|  (Thread 2)
      decode_std_command()		| resync_tnc()
      ...					|
      if (rest == 2)			|
      	sp->rx_count_cooked -= 2;	|
      else if (rest == 3)			| ...
      					| sp->rx_count_cooked = 0;
      	sp->rx_count_cooked -= 1;	|
      for (i = 0; i < sp->rx_count_cooked; i++) // report error
      	checksum += sp->cooked_buf[i];
      
      sp->rx_count_cooked is a shared variable but is not protected by a lock.
      The same applies to sp->rx_count. This patch adds a lock to fix the bug.
      
      The fail log is shown below:
      =======================================================================
      UBSAN: array-index-out-of-bounds in drivers/net/hamradio/6pack.c:925:31
      index 400 is out of range for type 'unsigned char [400]'
      CPU: 3 PID: 7433 Comm: kworker/u10:1 Not tainted 5.18.0-rc5-00163-g4b97bac0 #2
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
      Workqueue: events_unbound flush_to_ldisc
      Call Trace:
       <TASK>
       dump_stack_lvl+0xcd/0x134
       ubsan_epilogue+0xb/0x50
       __ubsan_handle_out_of_bounds.cold+0x62/0x6c
       sixpack_receive_buf+0xfda/0x1330
       tty_ldisc_receive_buf+0x13e/0x180
       tty_port_default_receive_buf+0x6d/0xa0
       flush_to_ldisc+0x213/0x3f0
       process_one_work+0x98f/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e9/0x3a0
       ret_from_fork+0x1f/0x30
       ...
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarXu Jia <xujia39@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2b04495e
    • Hoang Le's avatar
      tipc: fix use-after-free Read in tipc_named_reinit · 911600bf
      Hoang Le authored
      syzbot found the following issue on:
      ==================================================================
      BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0
      net/tipc/name_distr.c:413
      Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764
      
      CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted
      5.18.0-rc4-syzkaller-00878-g17d49e6e #0
      Hardware name: Google Compute Engine/Google Compute Engine,
      BIOS Google 01/01/2011
      Workqueue: events tipc_net_finalize_work
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
       print_address_description.constprop.0.cold+0xeb/0x495
      mm/kasan/report.c:313
       print_report mm/kasan/report.c:429 [inline]
       kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
       tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
       tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138
       process_one_work+0x996/0x1610 kernel/workqueue.c:2289
       worker_thread+0x665/0x1080 kernel/workqueue.c:2436
       kthread+0x2e9/0x3a0 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
       </TASK>
      [...]
      ==================================================================
      
      In the commit
      d966ddcc ("tipc: fix a deadlock when flushing scheduled work"),
      the cancel_work_sync() function just to make sure ONLY the work
      tipc_net_finalize_work() is executing/pending on any CPU completed before
      tipc namespace is destroyed through tipc_exit_net(). But this function
      is not guaranteed the work is the last queued. So, the destroyed instance
      may be accessed in the work which will try to enqueue later.
      
      In order to completely fix, we re-order the calling of cancel_work_sync()
      to make sure the work tipc_net_finalize_work() was last queued and it
      must be completed by calling cancel_work_sync().
      
      Reported-by: syzbot+47af19f3307fc9c5c82e@syzkaller.appspotmail.com
      Fixes: d966ddcc ("tipc: fix a deadlock when flushing scheduled work")
      Acked-by: default avatarJon Maloy <jmaloy@redhat.com>
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarHoang Le <hoang.h.le@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      911600bf
    • Jay Vosburgh's avatar
      veth: Add updating of trans_start · e66e257a
      Jay Vosburgh authored
      Since commit 21a75f09 ("bonding: Fix ARP monitor validation"),
      the bonding ARP / ND link monitors depend on the trans_start time to
      determine link availability.  NETIF_F_LLTX drivers must update trans_start
      directly, which veth does not do.  This prevents use of the ARP or ND link
      monitors with veth interfaces in a bond.
      
      	Resolve this by having veth_xmit update the trans_start time.
      Reported-by: default avatarJonathan Toppins <jtoppins@redhat.com>
      Tested-by: default avatarJonathan Toppins <jtoppins@redhat.com>
      Signed-off-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Fixes: 21a75f09 ("bonding: Fix ARP monitor validation")
      Link: https://lore.kernel.org/netdev/b2fd4147-8f50-bebd-963a-1a3e8d1d9715@redhat.com/Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e66e257a
    • Eric Dumazet's avatar
      net: fix data-race in dev_isalive() · cc26c266
      Eric Dumazet authored
      dev_isalive() is called under RTNL or dev_base_lock protection.
      
      This means that changes to dev->reg_state should be done with both locks held.
      
      syzbot reported:
      
      BUG: KCSAN: data-race in register_netdevice / type_show
      
      write to 0xffff888144ecf518 of 1 bytes by task 20886 on cpu 0:
      register_netdevice+0xb9f/0xdf0 net/core/dev.c:10050
      lapbeth_new_device drivers/net/wan/lapbether.c:414 [inline]
      lapbeth_device_event+0x4a0/0x6c0 drivers/net/wan/lapbether.c:456
      notifier_call_chain kernel/notifier.c:87 [inline]
      raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:455
      __dev_notify_flags+0x1d6/0x3a0
      dev_change_flags+0xa2/0xc0 net/core/dev.c:8607
      do_setlink+0x778/0x2230 net/core/rtnetlink.c:2780
      __rtnl_newlink net/core/rtnetlink.c:3546 [inline]
      rtnl_newlink+0x114c/0x16a0 net/core/rtnetlink.c:3593
      rtnetlink_rcv_msg+0x811/0x8c0 net/core/rtnetlink.c:6089
      netlink_rcv_skb+0x13e/0x240 net/netlink/af_netlink.c:2501
      rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6107
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x58a/0x660 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x661/0x750 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg net/socket.c:734 [inline]
      __sys_sendto+0x21e/0x2c0 net/socket.c:2119
      __do_sys_sendto net/socket.c:2131 [inline]
      __se_sys_sendto net/socket.c:2127 [inline]
      __x64_sys_sendto+0x74/0x90 net/socket.c:2127
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      read to 0xffff888144ecf518 of 1 bytes by task 20423 on cpu 1:
      dev_isalive net/core/net-sysfs.c:38 [inline]
      netdev_show net/core/net-sysfs.c:50 [inline]
      type_show+0x24/0x90 net/core/net-sysfs.c:112
      dev_attr_show+0x35/0x90 drivers/base/core.c:2095
      sysfs_kf_seq_show+0x175/0x240 fs/sysfs/file.c:59
      kernfs_seq_show+0x75/0x80 fs/kernfs/file.c:162
      seq_read_iter+0x2c3/0x8e0 fs/seq_file.c:230
      kernfs_fop_read_iter+0xd1/0x2f0 fs/kernfs/file.c:235
      call_read_iter include/linux/fs.h:2052 [inline]
      new_sync_read fs/read_write.c:401 [inline]
      vfs_read+0x5a5/0x6a0 fs/read_write.c:482
      ksys_read+0xe8/0x1a0 fs/read_write.c:620
      __do_sys_read fs/read_write.c:630 [inline]
      __se_sys_read fs/read_write.c:628 [inline]
      __x64_sys_read+0x3e/0x50 fs/read_write.c:628
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x46/0xb0
      
      value changed: 0x00 -> 0x01
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 20423 Comm: udevd Tainted: G W 5.19.0-rc2-syzkaller-dirty #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc26c266
    • Claudiu Manoil's avatar
      phy: aquantia: Fix AN when higher speeds than 1G are not advertised · 9b7fd167
      Claudiu Manoil authored
      Even when the eth port is resticted to work with speeds not higher than 1G,
      and so the eth driver is requesting the phy (via phylink) to advertise up
      to 1000BASET support, the aquantia phy device is still advertising for 2.5G
      and 5G speeds.
      Clear these advertising defaults when requested.
      
      Cc: Ondrej Spacek <ondrej.spacek@nxp.com>
      Fixes: 09c4c57f ("net: phy: aquantia: add support for auto-negotiation configuration")
      Signed-off-by: default avatarClaudiu Manoil <claudiu.manoil@nxp.com>
      Link: https://lore.kernel.org/r/20220610084037.7625-1-claudiu.manoil@nxp.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      9b7fd167
    • Alexei Starovoitov's avatar
      Merge branch 'bpf: Fix cookie values for kprobe multi' · a4a8b2ee
      Alexei Starovoitov authored
      Jiri Olsa says:
      
      ====================
      
      hi,
      there's bug in kprobe_multi link that makes cookies misplaced when
      using symbols to attach. The reason is that we sort symbols by name
      but not adjacent cookie values. Current test did not find it because
      bpf_fentry_test* are already sorted by name.
      
      v3 changes:
        - fixed kprobe_multi bench test to filter out invalid entries
          from available_filter_functions
      
      v2 changes:
        - rebased on top of bpf/master
        - checking if cookies are defined later in swap function [Andrii]
        - added acks
      
      thanks,
      jirka
      ====================
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a4a8b2ee
    • Jiri Olsa's avatar
      selftest/bpf: Fix kprobe_multi bench test · 73006702
      Jiri Olsa authored
      With [1] the available_filter_functions file contains records
      starting with __ftrace_invalid_address___ and marking disabled
      entries.
      
      We need to filter them out for the bench test to pass only
      resolvable symbols to kernel.
      
      [1] commit b39181f7 ("ftrace: Add FTRACE_MCOUNT_MAX_OFFSET to avoid adding weak function")
      
      Fixes: b39181f7 ("ftrace: Add FTRACE_MCOUNT_MAX_OFFSET to avoid adding weak function")
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: https://lore.kernel.org/r/20220615112118.497303-5-jolsa@kernel.orgSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      73006702
    • Jiri Olsa's avatar
      bpf: Force cookies array to follow symbols sorting · eb5fb032
      Jiri Olsa authored
      When user specifies symbols and cookies for kprobe_multi link
      interface it's very likely the cookies will be misplaced and
      returned to wrong functions (via get_attach_cookie helper).
      
      The reason is that to resolve the provided functions we sort
      them before passing them to ftrace_lookup_symbols, but we do
      not do the same sort on the cookie values.
      
      Fixing this by using sort_r function with custom swap callback
      that swaps cookie values as well.
      
      Fixes: 0236fec5 ("bpf: Resolve symbols with ftrace_lookup_symbols for kprobe multi link")
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: https://lore.kernel.org/r/20220615112118.497303-4-jolsa@kernel.orgSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      eb5fb032
    • Jiri Olsa's avatar
      ftrace: Keep address offset in ftrace_lookup_symbols · eb1b2985
      Jiri Olsa authored
      We want to store the resolved address on the same index as
      the symbol string, because that's the user (bpf kprobe link)
      code assumption.
      
      Also making sure we don't store duplicates that might be
      present in kallsyms.
      Acked-by: default avatarSong Liu <songliubraving@fb.com>
      Acked-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      Fixes: bed0d9a5 ("ftrace: Add ftrace_lookup_symbols function")
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: https://lore.kernel.org/r/20220615112118.497303-3-jolsa@kernel.orgSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      eb1b2985
    • Jiri Olsa's avatar
      selftests/bpf: Shuffle cookies symbols in kprobe multi test · ad884853
      Jiri Olsa authored
      There's a kernel bug that causes cookies to be misplaced and
      the reason we did not catch this with this test is that we
      provide bpf_fentry_test* functions already sorted by name.
      
      Shuffling function bpf_fentry_test2 deeper in the list and
      keeping the current cookie values as before will trigger
      the bug.
      
      The kernel fix is coming in following changes.
      Acked-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Link: https://lore.kernel.org/r/20220615112118.497303-2-jolsa@kernel.orgSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      ad884853
  5. 16 Jun, 2022 5 commits
  6. 15 Jun, 2022 11 commits