1. 04 Jan, 2022 9 commits
    • ieee802154: atusb: fix uninit value in atusb_set_extended_addr · 754e4382
      Pavel Skripkin authored
      Alexander reported a use of uninitialized value in
      atusb_set_extended_addr(), that is caused by reading 0 bytes via
      usb_control_msg().
      
      Fix it by validating if the number of bytes transferred is actually
      correct, since usb_control_msg() may read fewer bytes than was requested
      by the caller.
      
      Fail log:
      
      BUG: KASAN: uninit-cmp in ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
      BUG: KASAN: uninit-cmp in atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
      BUG: KASAN: uninit-cmp in atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
      Uninit value used in comparison: 311daa649a2003bd stack handle: 000000009a2003bd
       ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
       atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
       atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
       usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396
      
      Fixes: 7490b008 ("ieee802154: add support for atusb transceiver")
      Reported-by: Alexander Potapenko <glider@google.com>
      Acked-by: Alexander Aring <aahringo@redhat.com>
      Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
      Link: https://lore.kernel.org/r/20220104182806.7188-1-paskripkin@gmail.com
      Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    • sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc · 7d18a078
      Eric Dumazet authored
      tx_queue_len can be set to ~0U, we need to be more
      careful about overflows.
      
      __fls(0) is undefined, as this report shows:
      
      UBSAN: shift-out-of-bounds in net/sched/sch_qfq.c:1430:24
      shift exponent 51770272 is too large for 32-bit type 'int'
      CPU: 0 PID: 25574 Comm: syz-executor.0 Not tainted 5.16.0-rc7-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0x201/0x2d8 lib/dump_stack.c:106
       ubsan_epilogue lib/ubsan.c:151 [inline]
       __ubsan_handle_shift_out_of_bounds+0x494/0x530 lib/ubsan.c:330
       qfq_init_qdisc+0x43f/0x450 net/sched/sch_qfq.c:1430
       qdisc_create+0x895/0x1430 net/sched/sch_api.c:1253
       tc_modify_qdisc+0x9d9/0x1e20 net/sched/sch_api.c:1660
       rtnetlink_rcv_msg+0x934/0xe60 net/core/rtnetlink.c:5571
       netlink_rcv_skb+0x200/0x470 net/netlink/af_netlink.c:2496
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0x814/0x9f0 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0xaea/0xe60 net/netlink/af_netlink.c:1921
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       ____sys_sendmsg+0x5b9/0x910 net/socket.c:2409
       ___sys_sendmsg net/socket.c:2463 [inline]
       __sys_sendmsg+0x280/0x370 net/socket.c:2492
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Fixes: 462dbc91 ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netrom: fix copying in user data in nr_setsockopt · 3087a6f3
      Christoph Hellwig authored
      This code used to copy in an unsigned long worth of data before
      the sockptr_t conversion, so restore that.
      
      Fixes: a7b75c5a ("net: pass a sockptr_t into ->setsockopt")
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'srv6-traceroute' · d2d9a6d0
      David S. Miller authored
      Andrew Lunn says:
      
      ====================
      Fix traceroute in the presence of SRv6
      
      When using SRv6 the destination IP address in the IPv6 header is not
      always the true destination, it can be a router along the path that
      SRv6 is using.
      
      When ICMP reports an error, e.g., time exceeded, which is what
      traceroute uses, it includes the packet which invoked the error in
      the ICMP message body. Upon receiving such an ICMP packet, the
      invoking packet is examined and an attempt is made to find the socket
      which sent the packet, so the error can be reported. Lookup is
      performed using the source and destination address. If the
      intermediary router IP address from the IP header is used, the lookup
      fails. It is necessary to dig into the header and find the true
      destination address in the Segment Router header, SRH.
      
      v2:
      Play games with the skb->network_header rather than clone the skb
      v3:
      Move helpers into seg6.c
      v4:
      Move short helper into header file.
      Rework getting SRH destination address
      v5:
      Fix comment to describe function, not caller
      
      Patch 1 exports a helper which can find the SRH in a packet
      Patch 2 does the actual examination of the invoking packet
      Patch 3 makes use of the results when trying to find the socket.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • udp6: Use Segment Routing Header for dest address if present · 222a011e
      Andrew Lunn authored
      When finding the socket to report an error on, if the invoking packet
      is using Segment Routing, the IPv6 destination address is that of an
      intermediate router, not the end destination. Extract the ultimate
      destination address from the segment address.
      
      This change allows traceroute to function in the presence of Segment
      Routing.
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • icmp: ICMPV6: Examine invoking packet for Segment Route Headers. · e4129440
      Andrew Lunn authored
      RFC8754 says:
      
      ICMP error packets generated within the SR domain are sent to source
      nodes within the SR domain.  The invoking packet in the ICMP error
      message may contain an SRH.  Since the destination address of a packet
      with an SRH changes as each segment is processed, it may not be the
      destination used by the socket or application that generated the
      invoking packet.
      
      For the source of an invoking packet to process the ICMP error
      message, the ultimate destination address of the IPv6 header may be
      required.  The following logic is used to determine the destination
      address for use by protocol-error handlers.
      
      *  Walk all extension headers of the invoking IPv6 packet to the
         routing extension header preceding the upper-layer header.
      
         -  If routing header is type 4 Segment Routing Header (SRH)
      
            o  The SID at Segment List[0] may be used as the destination
               address of the invoking packet.
      
      Mangle the skb so the network header points to the invoking packet
      inside the ICMP packet. The seg6 helpers can then be used on the skb
      to find any segment routing headers. If found, mark this fact in the
      IPv6 control block of the skb, and store the offset into the packet of
      the SRH. Then restore the skb back to its old state.
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
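
The RFC 8754 lookup quoted in the commit above, as an added user-space example; it is not the kernel patch or code from this commit log. The names `invoking_pkt_dst` and `build_sample` and the sample packet bytes are constructed for illustration, and the walk only steps over hop-by-hop, destination-options and routing headers, with bounds checks because the packet quoted in an ICMP error can be truncated.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NH_HOPOPTS  0   /* IPv6 next-header values */
#define NH_ROUTING  43
#define NH_DSTOPTS  60
#define RT_TYPE_SRH 4   /* routing type 4 = Segment Routing Header */

/* Destination of an invoking IPv6 packet quoted in an ICMPv6 error.
 * Returns 1 if an SRH was found (dst = Segment List[0]), 0 if not (dst =
 * IPv6 header destination), -1 if truncated or malformed (dst not valid). */
int invoking_pkt_dst(const uint8_t *pkt, size_t len, uint8_t dst[16])
{
    size_t off = 40;                  /* fixed IPv6 header length */
    uint8_t nh;
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;
    nh = pkt[6];
    memcpy(dst, pkt + 24, 16);
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
        size_t hlen;
        if (len - off < 8)            /* quoted packet may be cut short */
            return -1;
        hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (len - off < hlen)
            return -1;
        if (nh == NH_ROUTING && pkt[off + 2] == RT_TYPE_SRH) {
            if (hlen < 8 + 16)        /* no room for Segment List[0] */
                return -1;
            memcpy(dst, pkt + off + 8, 16);
            return 1;
        }
        nh = pkt[off];
        off += hlen;
    }
    return 0;
}

/* Constructed sample: IPv6 header + SRH with two segments, then UDP. */
size_t build_sample(uint8_t buf[80])
{
    memset(buf, 0, 80);
    buf[0] = 0x60;                    /* version 6 */
    buf[6] = NH_ROUTING;
    buf[24] = 0xfc; buf[39] = 0x02;   /* header dst fc00::2 (active segment) */
    buf[40] = 17;                     /* SRH next header: UDP */
    buf[41] = 4;                      /* Hdr Ext Len: 32 segment bytes / 8 */
    buf[42] = RT_TYPE_SRH; buf[43] = 1; buf[44] = 1; /* type, Segments Left, Last Entry */
    buf[48] = 0xfc; buf[63] = 0x09;   /* Segment List[0] = fc00::9 */
    buf[64] = 0xfc; buf[79] = 0x02;   /* Segment List[1] = fc00::2 */
    return 80;
}
```

For the sample, the socket lookup key becomes fc00::9 from Segment List[0] rather than fc00::2 from the IPv6 header.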
    • seg6: export get_srh() for ICMP handling · fa55a7d7
      Andrew Lunn authored
      An ICMP error message can contain in its message body part of an IPv6
      packet which invoked the error. Such a packet might contain a segment
      router header. Export get_srh() so the ICMP code can make use of it.
      
      Since this changes the scope of the function from local to global, add
      the seg6_ prefix to keep the namespace clean. And move it into seg6.c
      so it is always available, not just when IPV6_SEG6_LWTUNNEL is
      enabled.
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'batadv-net-pullrequest-20220103' of git://git.open-mesh.org/linux-merge · e8fe9e83
      Jakub Kicinski authored
      Simon Wunderlich says:
      
      ====================
      Here is a batman-adv bugfix:
      
       - avoid sending link-local multicast to multicast routers,
         by Linus Lüssing
      
      * tag 'batadv-net-pullrequest-20220103' of git://git.open-mesh.org/linux-merge:
        batman-adv: mcast: don't send link-local multicast to mcast routers
      ====================
      
      Link: https://lore.kernel.org/r/20220103171203.1124980-1-sw@simonwunderlich.de
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Revert "net: phy: fixed_phy: Fix NULL vs IS_ERR() checking in __fixed_phy_register" · 065e1ae0
      Florian Fainelli authored
      This reverts commit b45396af ("net: phy:
      fixed_phy: Fix NULL vs IS_ERR() checking in __fixed_phy_register")
      since it prevents any system that uses a fixed PHY without a GPIO
      descriptor from properly working:
      
      [    5.971952] brcm-systemport 9300000.ethernet: failed to register fixed PHY
      [    5.978854] brcm-systemport: probe of 9300000.ethernet failed with error -22
      [    5.986047] brcm-systemport 9400000.ethernet: failed to register fixed PHY
      [    5.992947] brcm-systemport: probe of 9400000.ethernet failed with error -22
      
      Fixes: b45396af ("net: phy: fixed_phy: Fix NULL vs IS_ERR() checking in __fixed_phy_register")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20220103193453.1214961-1-f.fainelli@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  2. 03 Jan, 2022 2 commits
  3. 02 Jan, 2022 9 commits
  4. 01 Jan, 2022 3 commits
    • net ticp:fix a kernel-infoleak in __tipc_sendmsg() · d6d86830
      Haimin Zhang authored
      struct tipc_socket_addr.ref has a 4-byte hole, and __tipc_getname() is currently
      copying it to user space, causing a kernel-infoleak.
      
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] lib/usercopy.c:33
      BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33 lib/usercopy.c:33
       instrument_copy_to_user include/linux/instrumented.h:121 [inline]
       instrument_copy_to_user include/linux/instrumented.h:121 [inline] lib/usercopy.c:33
       _copy_to_user+0x1c9/0x270 lib/usercopy.c:33 lib/usercopy.c:33
       copy_to_user include/linux/uaccess.h:209 [inline]
       copy_to_user include/linux/uaccess.h:209 [inline] net/socket.c:287
       move_addr_to_user+0x3f6/0x600 net/socket.c:287 net/socket.c:287
       __sys_getpeername+0x470/0x6b0 net/socket.c:1987 net/socket.c:1987
       __do_sys_getpeername net/socket.c:1997 [inline]
       __se_sys_getpeername net/socket.c:1994 [inline]
       __do_sys_getpeername net/socket.c:1997 [inline] net/socket.c:1994
       __se_sys_getpeername net/socket.c:1994 [inline] net/socket.c:1994
       __x64_sys_getpeername+0xda/0x120 net/socket.c:1994 net/socket.c:1994
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_x64 arch/x86/entry/common.c:51 [inline] arch/x86/entry/common.c:82
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was stored to memory at:
       tipc_getname+0x575/0x5e0 net/tipc/socket.c:757 net/tipc/socket.c:757
       __sys_getpeername+0x3b3/0x6b0 net/socket.c:1984 net/socket.c:1984
       __do_sys_getpeername net/socket.c:1997 [inline]
       __se_sys_getpeername net/socket.c:1994 [inline]
       __do_sys_getpeername net/socket.c:1997 [inline] net/socket.c:1994
       __se_sys_getpeername net/socket.c:1994 [inline] net/socket.c:1994
       __x64_sys_getpeername+0xda/0x120 net/socket.c:1994 net/socket.c:1994
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_x64 arch/x86/entry/common.c:51 [inline] arch/x86/entry/common.c:82
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Uninit was stored to memory at:
       msg_set_word net/tipc/msg.h:212 [inline]
       msg_set_destport net/tipc/msg.h:619 [inline]
       msg_set_word net/tipc/msg.h:212 [inline] net/tipc/socket.c:1486
       msg_set_destport net/tipc/msg.h:619 [inline] net/tipc/socket.c:1486
       __tipc_sendmsg+0x44fa/0x5890 net/tipc/socket.c:1486 net/tipc/socket.c:1486
       tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1402 net/tipc/socket.c:1402
       sock_sendmsg_nosec net/socket.c:704 [inline]
       sock_sendmsg net/socket.c:724 [inline]
       sock_sendmsg_nosec net/socket.c:704 [inline] net/socket.c:2409
       sock_sendmsg net/socket.c:724 [inline] net/socket.c:2409
       ____sys_sendmsg+0xe11/0x12c0 net/socket.c:2409 net/socket.c:2409
       ___sys_sendmsg net/socket.c:2463 [inline]
       ___sys_sendmsg net/socket.c:2463 [inline] net/socket.c:2492
       __sys_sendmsg+0x704/0x840 net/socket.c:2492 net/socket.c:2492
       __do_sys_sendmsg net/socket.c:2501 [inline]
       __se_sys_sendmsg net/socket.c:2499 [inline]
       __do_sys_sendmsg net/socket.c:2501 [inline] net/socket.c:2499
       __se_sys_sendmsg net/socket.c:2499 [inline] net/socket.c:2499
       __x64_sys_sendmsg+0xe2/0x120 net/socket.c:2499 net/socket.c:2499
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_x64 arch/x86/entry/common.c:51 [inline] arch/x86/entry/common.c:82
       do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 arch/x86/entry/common.c:82
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Local variable skaddr created at:
       __tipc_sendmsg+0x2d0/0x5890 net/tipc/socket.c:1419 net/tipc/socket.c:1419
       tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1402 net/tipc/socket.c:1402
      
      Bytes 4-7 of 16 are uninitialized
      Memory access of size 16 starts at ffff888113753e00
      Data copied to user address 0000000020000280
      
      Reported-by: syzbot+cdbd40e0c3ca02cae3b7@syzkaller.appspotmail.com
      Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
      Acked-by: Jon Maloy <jmaloy@redhat.com>
      Link: https://lore.kernel.org/r/1640918123-14547-1-git-send-email-tcs.kernel@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • selftests: net: udpgro_fwd.sh: explicitly checking the available ping feature · 5e75d0b2
      Jianguo Wu authored
      As Paolo pointed out, the result of pinging an IPv6 address depends on
      the running distro. So explicitly check the available ping feature,
      as e.g. the bareudp.sh self-tests do.
      
      Fixes: 8b3170e0 ("selftests: net: using ping6 for IPv6 in udpgro_fwd.sh")
      Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
      Link: https://lore.kernel.org/r/825ee22b-4245-dbf7-d2f7-a230770d6e21@163.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 0f1fe7b8
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-12-31
      
      We've added 2 non-merge commits during the last 14 day(s) which contain
      a total of 2 files changed, 3 insertions(+), 3 deletions(-).
      
      The main changes are:
      
      1) Revert of an earlier attempt to fix xsk's poll() behavior where it
         turned out that the fix for a rare problem made it much worse in
         general, from Magnus Karlsson. (Fyi, Magnus mentioned that a proper
         fix is coming early next year, so the revert is mainly to avoid
         slipping the behavior into 5.16.)
      
      2) Minor misc spell fix in BPF selftests, from Colin Ian King.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf, selftests: Fix spelling mistake "tained" -> "tainted"
        Revert "xsk: Do not sleep in poll() when need_wakeup set"
      ====================
      
      Link: https://lore.kernel.org/r/20211231160050.16105-1-daniel@iogearbox.net
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  5. 31 Dec, 2021 6 commits
  6. 30 Dec, 2021 11 commits