1. 09 Dec, 2023 15 commits
  2. 08 Dec, 2023 5 commits
    • Florent Revest's avatar
      team: Fix use-after-free when an option instance allocation fails · c12296bb
      Florent Revest authored
      In __team_options_register, team_options are allocated and appended to
      the team's option_list.
      If one option instance allocation fails, the "inst_rollback" cleanup
      path frees the previously allocated options but doesn't remove them from
      the team's option_list.
      This leaves dangling pointers that can be dereferenced later by other
      parts of the team driver that iterate over options.
      
      This patch fixes the cleanup path to remove the dangling pointers from
      the list.
      
      As far as I can tell, this uaf doesn't have much security implications
      since it would be fairly hard to exploit (an attacker would need to make
      the allocation of that specific small object fail) but it's still nice
      to fix.
      
      Cc: stable@vger.kernel.org
      Fixes: 80f7c668 ("team: add support for per-port options")
      Signed-off-by: default avatarFlorent Revest <revest@chromium.org>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Reviewed-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Link: https://lore.kernel.org/r/20231206123719.1963153-1-revest@chromium.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c12296bb
    • Maciej Żenczykowski's avatar
      net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX · bd4a8167
      Maciej Żenczykowski authored
      Lorenzo points out that we effectively clear all unknown
      flags from PIO when copying them to userspace in the netlink
      RTM_NEWPREFIX notification.
      
      We could fix this one at a time as new flags are defined,
      or in one fell swoop - I choose the latter.
      
      We could either define 6 new reserved flags (reserved1..6) and handle
      them individually (and rename them as new flags are defined), or we
      could simply copy the entire unmodified byte over - I choose the latter.
      
      This unfortunately requires some anonymous union/struct magic,
      so we add a static assert on the struct size for a little extra safety.
      
      Cc: David Ahern <dsahern@kernel.org>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarMaciej Żenczykowski <maze@google.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bd4a8167
    • Judy Hsiao's avatar
      neighbour: Don't let neigh_forced_gc() disable preemption for long · e5dc5aff
      Judy Hsiao authored
      We are seeing cases where neigh_cleanup_and_release() is called by
      neigh_forced_gc() many times in a row with preemption turned off.
      When running on a low powered CPU at a low CPU frequency, this has
      been measured to keep preemption off for ~10 ms. That's not great on a
      system with HZ=1000 which expects tasks to be able to schedule in
      with ~1ms latency.
      Suggested-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarJudy Hsiao <judyhsiao@chromium.org>
      Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e5dc5aff
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2023-12-04' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 179a8b51
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-12-04
      
      This series provides bug fixes to mlx5 driver.
      
      V1->V2:
        - Drop commit #9 ("net/mlx5e: Forbid devlink reload if IPSec rules are
          offloaded"), we are working on a better fix
      
      Please pull and let me know if there is any problem.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      179a8b51
    • Linus Torvalds's avatar
      Merge tag 'net-6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 5e3f5b81
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf and netfilter.
      
        Current release - regressions:
      
         - veth: fix packet segmentation in veth_convert_skb_to_xdp_buff
      
        Current release - new code bugs:
      
         - tcp: assorted fixes to the new Auth Option support
      
        Older releases - regressions:
      
         - tcp: fix mid stream window clamp
      
         - tls: fix incorrect splice handling
      
         - ipv4: ip_gre: handle skb_pull() failure in ipgre_xmit()
      
         - dsa: mv88e6xxx: restore USXGMII support for 6393X
      
         - arcnet: restore support for multiple Sohard Arcnet cards
      
        Older releases - always broken:
      
         - tcp: do not accept ACK of bytes we never sent
      
         - require admin privileges to receive packet traces via netlink
      
         - packet: move reference count in packet_sock to atomic_long_t
      
         - bpf:
            - fix incorrect branch offset comparison with cpu=v4
            - fix prog_array_map_poke_run map poke update
      
         - netfilter:
            - three fixes for crashes on bad admin commands
            - xt_owner: fix race accessing sk->sk_socket, TOCTOU null-deref
            - nf_tables: fix 'exist' matching on bigendian arches
      
         - leds: netdev: fix RTNL handling to prevent potential deadlock
      
         - eth: tg3: prevent races in error/reset handling
      
         - eth: r8169: fix rtl8125b PAUSE storm when suspended
      
         - eth: r8152: improve reset and surprise removal handling
      
         - eth: hns: fix race between changing features and sending
      
         - eth: nfp: fix sleep in atomic for bonding offload"
      
      * tag 'net-6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (62 commits)
        vsock/virtio: fix "comparison of distinct pointer types lacks a cast" warning
        net/smc: fix missing byte order conversion in CLC handshake
        net: dsa: microchip: provide a list of valid protocols for xmit handler
        drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
        psample: Require 'CAP_NET_ADMIN' when joining "packets" group
        bpf: sockmap, updating the sg structure should also update curr
        net: tls, update curr on splice as well
        nfp: flower: fix for take a mutex lock in soft irq context and rcu lock
        net: dsa: mv88e6xxx: Restore USXGMII support for 6393X
        tcp: do not accept ACK of bytes we never sent
        selftests/bpf: Add test for early update in prog_array_map_poke_run
        bpf: Fix prog_array_map_poke_run map poke update
        netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
        netfilter: nf_tables: validate family when identifying table via handle
        netfilter: nf_tables: bail out on mismatching dynset and set expressions
        netfilter: nf_tables: fix 'exist' matching on bigendian arches
        netfilter: nft_set_pipapo: skip inactive elements during set walk
        netfilter: bpf: fix bad registration on nf_defrag
        leds: trigger: netdev: fix RTNL handling to prevent potential deadlock
        octeontx2-af: Update Tx link register range
        ...
      5e3f5b81
  3. 07 Dec, 2023 20 commits