1. 21 Nov, 2022 22 commits
  2. 19 Nov, 2022 8 commits
  3. 18 Nov, 2022 10 commits
    • Schspa Shi's avatar
      mrp: introduce active flags to prevent UAF when applicant uninit · ab037780
      Schspa Shi authored
      The caller of del_timer_sync must prevent restarting of the timer, If
      we have no this synchronization, there is a small probability that the
      cancellation will not be successful.
      
      And syzbot report the fellowing crash:
      ==================================================================
      BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
      BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
      Write at addr f9ff000024df6058 by task syz-fuzzer/2256
      Pointer tag: [f9], memory tag: [fe]
      
      CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-
      ge01d50cb #0
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
       dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
       show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
       print_address_description mm/kasan/report.c:284 [inline]
       print_report+0x1a8/0x4a0 mm/kasan/report.c:395
       kasan_report+0x94/0xb4 mm/kasan/report.c:495
       __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
       do_bad_area arch/arm64/mm/fault.c:473 [inline]
       do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
       do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
       el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
       el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
       el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
       hlist_add_head include/linux/list.h:929 [inline]
       enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
       mod_timer+0x14/0x20 kernel/time/timer.c:1161
       mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
       mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
       call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
       expire_timers+0x98/0xc4 kernel/time/timer.c:1519
      
      To fix it, we can introduce a new active flags to make sure the timer will
      not restart.
      
      Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com
      Signed-off-by: default avatarSchspa Shi <schspa@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab037780
    • David S. Miller's avatar
      Merge tag 'rxrpc-next-20221116' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 8cf4f8c7
      David S. Miller authored
      David Howells says:
      
      ====================
      rxrpc: Fix oops and missing config conditionals
      
      The patches that were pulled into net-next previously[1] had some issues
      that this patchset fixes:
      
       (1) Fix missing IPV6 config conditionals.
      
       (2) Fix an oops caused by calling udpv6_sendmsg() directly on an AF_INET
           socket.
      
       (3) Fix the validation of network addresses on entry to socket functions
           so that we don't allow an AF_INET6 address if we've selected an
           AF_INET transport socket.
      
      Link: https://lore.kernel.org/r/166794587113.2389296.16484814996876530222.stgit@warthog.procyon.org.uk/ [1]
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8cf4f8c7
    • Eric Dumazet's avatar
      net: fix napi_disable() logic error · fd896e38
      Eric Dumazet authored
      Dan reported a new warning after my recent patch:
      
      New smatch warnings:
      net/core/dev.c:6409 napi_disable() error: uninitialized symbol 'new'.
      
      Indeed, we must first wait for STATE_SCHED and STATE_NPSVC to be cleared,
      to make sure @new variable has been initialized properly.
      
      Fixes: 4ffa1d1c ("net: adopt try_cmpxchg() in napi_{enable|disable}()")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Reported-by: default avatarDan Carpenter <error27@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd896e38
    • Dan Carpenter's avatar
      rxrpc: uninitialized variable in rxrpc_send_ack_packet() · 38461894
      Dan Carpenter authored
      The "pkt" was supposed to have been deleted in a previous patch.  It
      leads to an uninitialized variable bug.
      
      Fixes: 72f0c6fb ("rxrpc: Allocate ACK records at proposal and queue for transmission")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      38461894
    • Dan Carpenter's avatar
      rxrpc: fix rxkad_verify_response() · 101c1bb6
      Dan Carpenter authored
      The error handling for if skb_copy_bits() fails was accidentally deleted
      so the rxkad_decrypt_ticket() function is not called.
      
      Fixes: 5d7edbc9 ("rxrpc: Get rid of the Rx ring")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      101c1bb6
    • Lorenzo Bianconi's avatar
      net: ethernet: mtk_eth_soc: remove cpu_relax in mtk_pending_work · ec8cd134
      Lorenzo Bianconi authored
      Get rid of cpu_relax in mtk_pending_work routine since MTK_RESETTING is
      set only in mtk_pending_work() and it runs holding rtnl lock
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ec8cd134
    • Lorenzo Bianconi's avatar
      net: ethernet: mtk_eth_soc: do not overwrite mtu configuration running reset routine · b677d6c7
      Lorenzo Bianconi authored
      Restore user configured MTU running mtk_hw_init() during tx timeout routine
      since it will be overwritten after a hw reset.
      Reported-by: default avatarFelix Fietkau <nbd@nbd.name>
      Fixes: 9ea4d311 ("net: ethernet: mediatek: add the whole ethernet reset into the reset process")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b677d6c7
    • Alex Elder's avatar
      net: ipa: avoid a null pointer dereference · 15b4f993
      Alex Elder authored
      Dan Carpenter reported that Smatch found an instance where a pointer
      which had previously been assumed could be null (as indicated by a
      null check) was later dereferenced without a similar check.
      
      In practice this doesn't lead to a problem because currently the
      pointers used are all non-null.  Nevertheless this patch addresses
      the reported problem.
      
      In addition, I spotted another bug that arose in the same commit.
      When the command to initialize a routing table memory region was
      added, the number of entries computed for the non-hashed table
      was wrong (it ended up being a Boolean rather than the count
      intended).  This bug is fixed here as well.
      Reported-by: default avatarDan Carpenter <error27@gmail.com>
      Link: https://lore.kernel.org/kernel-janitors/Y3OOP9dXK6oEydkf@kiliTested-by: default avatarCaleb Connolly <caleb.connolly@linaro.com>
      Fixes: 5cb76899 ("net: ipa: reduce arguments to ipa_table_init_add()")
      Signed-off-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      15b4f993
    • David S. Miller's avatar
      Merge tag 'wireless-next-2022-11-18' of... · c609d739
      David S. Miller authored
      Merge tag 'wireless-next-2022-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next
      
      Kalle Valo says:
      
      ====================
      wireless-next patches for v6.2
      
      Second set of patches for v6.2. Only driver patches this time, nothing
      really special. Unused platform data support was removed from wl1251
      and rtw89 got WoWLAN support.
      
      Major changes:
      
      ath11k
      
      * support configuring channel dwell time during scan
      
      rtw89
      
      * new dynamic header firmware format support
      
      * Wake-over-WLAN support
      
      rtl8xxxu
      
      * enable IEEE80211_HW_SUPPORT_FAST_XMIT
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c609d739
    • David S. Miller's avatar
      Merge branch 'sctp-vrf' · 22700706
      David S. Miller authored
      Xin Long says:
      
      ====================
      sctp: support vrf processing
      
      This patchset adds the VRF processing in SCTP. Simliar to TCP/UDP,
      it includes socket bind and socket/association lookup changes.
      
      For socket bind change, it allows sockets to bind to a VRF device
      and allows multiple sockets with the same IP and PORT to bind to
      different interfaces in patch 1-3.
      
      For socket/association lookup change, it adds dif and sdif check
      in both asoc and ep lookup in patch 4 and 5, and when binding to
      nodev, users can decide if accept the packets received from one
      l3mdev by setup a sysctl option in patch 6.
      
      Note with VRF support, in a netns, an association will be decided
      by src ip + src port + dst ip + dst port + bound_dev_if, and it's
      possible for ss to have:
      
        State       Local Address:Port      Peer Address:Port
         ESTAB     192.168.1.2%vrf-s1:1234
         `- ESTAB   192.168.1.2%veth1:1234   192.168.1.1:1234
         ESTAB     192.168.1.2%vrf-s2:1234
         `- ESTAB   192.168.1.2%veth2:1234   192.168.1.1:1234
      
      See the selftest in patch 7 for more usage.
      
      Also, thanks Carlo for testing this patch series on their use.
      
      v1->v2:
        - In Patch 5, move sctp_sk_bound_dev_eq() definition to net/sctp/
          input.c to avoid a build error when IP_SCTP is disabled, as Paolo
          suggested.
        - In Patch 7, avoid one sleep by disabling the IPv6 dad, and remove
          another sleep by using ss to check if the server's ready, and also
          delete two unncessary sleeps in sctp_hello.c, as Paolo suggested.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      22700706