1. 08 Jul, 2022 20 commits
  2. 07 Jul, 2022 14 commits
    • bpf: Make sure mac_header was set before using it · 0326195f
      Eric Dumazet authored
      Classic BPF has a way to load bytes starting from the mac header.
      
      Some skbs do not have a mac header, and skb_mac_header()
      in this case is returning a pointer that is 65535 bytes after
      skb->head.
      
      Existing range check in bpf_internal_load_pointer_neg_helper()
      was properly kicking and no illegal access was happening.
      
      New sanity check in skb_mac_header() is firing, so we need
      to avoid it.
      
      WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 skb_mac_header include/linux/skbuff.h:2785 [inline]
      WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74
      Modules linked in:
      CPU: 1 PID: 28990 Comm: syz-executor.0 Not tainted 5.19.0-rc4-syzkaller-00865-g4874fb94 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
      RIP: 0010:skb_mac_header include/linux/skbuff.h:2785 [inline]
      RIP: 0010:bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74
      Code: ff ff 45 31 f6 e9 5a ff ff ff e8 aa 27 40 00 e9 3b ff ff ff e8 90 27 40 00 e9 df fe ff ff e8 86 27 40 00 eb 9e e8 2f 2c f3 ff <0f> 0b eb b1 e8 96 27 40 00 e9 79 fe ff ff 90 41 57 41 56 41 55 41
      RSP: 0018:ffffc9000309f668 EFLAGS: 00010216
      RAX: 0000000000000118 RBX: ffffffffffeff00c RCX: ffffc9000e417000
      RDX: 0000000000040000 RSI: ffffffff81873f21 RDI: 0000000000000003
      RBP: ffff8880842878c0 R08: 0000000000000003 R09: 000000000000ffff
      R10: 000000000000ffff R11: 0000000000000001 R12: 0000000000000004
      R13: ffff88803ac56c00 R14: 000000000000ffff R15: dffffc0000000000
      FS: 00007f5c88a16700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fdaa9f6c058 CR3: 000000003a82c000 CR4: 00000000003506e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      ____bpf_skb_load_helper_32 net/core/filter.c:276 [inline]
      bpf_skb_load_helper_32+0x191/0x220 net/core/filter.c:264
      
      Fixes: f9aefd6b ("net: warn if mac header was not set")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20220707123900.945305-1-edumazet@google.com
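
An added illustration (not the kernel's code and not part of the commit) of the ordering the message above describes: a userspace C model in which 65535 marks an unset mac header, the accessor warns when it is unset, and the load helper's range check rejects the resulting pointer either way. `model_skb`, `load_ll`, `run` and the `demo_*` helpers are hypothetical names; the 64-byte buffer is constructed.

```c
/* Userspace model, not kernel source; struct and function names are illustrative. */
#include <stdint.h>
#include <stdio.h>

#define SKF_LL_OFF (-0x200000)      /* classic BPF link-layer base offset */
#define MAC_UNSET  ((uint16_t)~0U)  /* 65535: mac header was never set */

struct model_skb {                  /* stand-in for struct sk_buff */
    uint8_t *head, *tail;           /* buffer start, end of valid data */
    uint16_t mac_header;            /* offset from head, or MAC_UNSET */
    int warnings;                   /* times the sanity check fired */
};

static int mac_was_set(const struct model_skb *s) { return s->mac_header != MAC_UNSET; }

/* Accessor with the new sanity check: warns on an unset header, still computes. */
static uintptr_t mac_addr(struct model_skb *s)
{
    if (!mac_was_set(s))
        s->warnings++;
    return (uintptr_t)s->head + s->mac_header;
}

/* Link-layer load; check_first=1 tests the header before touching the accessor. */
static uint8_t *load_ll(struct model_skb *s, int k, size_t size, int check_first)
{
    uintptr_t ptr;
    if (check_first && !mac_was_set(s))
        return NULL;
    ptr = mac_addr(s) + (uintptr_t)(k - SKF_LL_OFF);
    if (ptr >= (uintptr_t)s->head && ptr + size <= (uintptr_t)s->tail)
        return (uint8_t *)ptr;      /* existing range check: within head..tail */
    return NULL;
}

/* One 4-byte load at link-layer offset 4 from a constructed 64-byte buffer. */
static long run(uint16_t mac, int check_first, int want_warnings)
{
    static uint8_t buf[64];
    struct model_skb s = { buf, buf + sizeof(buf), mac, 0 };
    uint8_t *p = load_ll(&s, SKF_LL_OFF + 4, 4, check_first);
    return want_warnings ? s.warnings : (p ? (long)(p - buf) : -1);
}
long demo_offset(uint16_t mac, int chk)   { return run(mac, chk, 0); }
long demo_warnings(uint16_t mac, int chk) { return run(mac, chk, 1); }

int main(void)
{
    printf("unchecked: offset=%ld warnings=%ld\n", demo_offset(MAC_UNSET, 0), demo_warnings(MAC_UNSET, 0));
    printf("checked:   offset=%ld warnings=%ld\n", demo_offset(MAC_UNSET, 1), demo_warnings(MAC_UNSET, 1));
    return 0;
}
```

In both orderings the load is refused for an unset header; only the unchecked ordering trips the warning.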
    • Merge tag 'net-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · ef4ab3ba
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bpf, netfilter, can, and bluetooth.
      
        Current release - regressions:
      
         - bluetooth: fix deadlock on hci_power_on_sync
      
        Previous releases - regressions:
      
         - sched: act_police: allow 'continue' action offload
      
         - eth: usbnet: fix memory leak in error case
      
         - eth: ibmvnic: properly dispose of all skbs during a failover
      
        Previous releases - always broken:
      
         - bpf:
             - fix insufficient bounds propagation from
               adjust_scalar_min_max_vals
             - clear page contiguity bit when unmapping pool
      
         - netfilter: nft_set_pipapo: release elements in clone from
           abort path
      
         - mptcp: netlink: issue MP_PRIO signals from userspace PMs
      
         - can:
             - rcar_canfd: fix data transmission failed on R-Car V3U
             - gs_usb: gs_usb_open/close(): fix memory leak
      
        Misc:
      
         - add Wenjia as SMC maintainer"
      
      * tag 'net-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (57 commits)
        wireguard: Kconfig: select CRYPTO_CHACHA_S390
        crypto: s390 - do not depend on CRYPTO_HW for SIMD implementations
        wireguard: selftests: use microvm on x86
        wireguard: selftests: always call kernel makefile
        wireguard: selftests: use virt machine on m68k
        wireguard: selftests: set fake real time in init
        r8169: fix accessing unset transport header
        net: rose: fix UAF bug caused by rose_t0timer_expiry
        usbnet: fix memory leak in error case
        Revert "tls: rx: move counting TlsDecryptErrors for sync"
        mptcp: update MIB_RMSUBFLOW in cmd_sf_destroy
        mptcp: fix local endpoint accounting
        selftests: mptcp: userspace PM support for MP_PRIO signals
        mptcp: netlink: issue MP_PRIO signals from userspace PMs
        mptcp: Acquire the subflow socket lock before modifying MP_PRIO flags
        mptcp: Avoid acquiring PM lock for subflow priority changes
        mptcp: fix locking in mptcp_nl_cmd_sf_destroy()
        net/mlx5e: Fix matchall police parameters validation
        net/sched: act_police: allow 'continue' action offload
        net: lan966x: hardcode the number of external ports
        ...
    • Merge tag 'pinctrl-v5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 651a8536
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
      
       - Tag Intel pin control as supported in MAINTAINERS
      
       - Fix a NULL pointer exception in the Aspeed driver
      
       - Correct some NAND functions in the Sunxi A83T driver
      
       - Use the right offset for some Sunxi pins
      
       - Fix a zero base offset in the Freescale (NXP) i.MX93
      
       - Fix the IRQ support in the STM32 driver
      
      * tag 'pinctrl-v5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: stm32: fix optional IRQ support to gpios
        pinctrl: imx: Add the zero base flag for imx93
        pinctrl: sunxi: sunxi_pconf_set: use correct offset
        pinctrl: sunxi: a83t: Fix NAND function name for some pins
        pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux()
        MAINTAINERS: Update Intel pin control to Supported
    • signal handling: don't use BUG_ON() for debugging · a382f8fe
      Linus Torvalds authored
      These are indeed "should not happen" situations, but it turns out recent
      changes made the 'task_is_stopped_or_trace()' case trigger (fix for that
      exists, is pending more testing), and the BUG_ON() makes it
      unnecessarily hard to actually debug for no good reason.
      
      It's been that way for a long time, but let's make it clear: BUG_ON() is
      not good for debugging, and should never be used in situations where you
      could just say "this shouldn't happen, but we can continue".
      
      Use WARN_ON_ONCE() instead to make sure it gets logged, and then just
      continue running.  Instead of making the system basically unusable
      because you crashed the machine while potentially holding some very core
      locks (eg this function is commonly called while holding 'tasklist_lock'
      for writing).
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'wireguard-patches-for-5-19-rc6' · 07266d06
      Jakub Kicinski authored
      Jason A. Donenfeld says:
      
      ====================
      wireguard patches for 5.19-rc6
      
      1) A few small fixups to the selftests, per usual. Of particular note is
         a fix for a test flake that occurred on especially fast systems that
         boot in less than a second.
      
      2) An addition during this cycle of some s390 crypto interacted with the
         way wireguard selects dependencies, resulting in linker errors
         reported by the kernel test robot. So Vladis sent in a patch for
         that, which also required a small preparatory fix moving some Kconfig
         symbols around.
      ====================
      
      Link: https://lore.kernel.org/r/20220707003157.526645-1-Jason@zx2c4.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • wireguard: Kconfig: select CRYPTO_CHACHA_S390 · 0d1f7008
      Vladis Dronov authored
      Select the new implementation of CHACHA20 for S390 when available.
      It is faster than the generic software implementation, but also prevents
      some linker errors in certain situations.
      Reported-by: kernel test robot <lkp@intel.com>
      Link: https://lore.kernel.org/linux-kernel/202207030630.6SZVkrWf-lkp@intel.com/
      Signed-off-by: Vladis Dronov <vdronov@redhat.com>
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • crypto: s390 - do not depend on CRYPTO_HW for SIMD implementations · b7133757
      Jason A. Donenfeld authored
      Various accelerated software implementation Kconfig values for S390 were
      mistakenly placed into drivers/crypto/Kconfig, even though they're
      mainly just SIMD code and live in arch/s390/crypto/ like usual. This
      gives them the very unusual dependency on CRYPTO_HW, which leads to
      problems elsewhere.
      
      This patch fixes the issue by moving the Kconfig values for non-hardware
      drivers into the usual place in crypto/Kconfig.
      Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • wireguard: selftests: use microvm on x86 · b83fdcd9
      Jason A. Donenfeld authored
      This makes for faster tests, faster compile time, and allows us to ditch
      ACPI finally.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • wireguard: selftests: always call kernel makefile · 1a087eec
      Jason A. Donenfeld authored
      These selftests are used for much more extensive changes than just the
      wireguard source files. So always call the kernel's build file, which
      will do something or nothing after checking the whole tree, per usual.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • wireguard: selftests: use virt machine on m68k · 1f2f341a
      Jason A. Donenfeld authored
      This should be a bit more stable hopefully.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • wireguard: selftests: set fake real time in init · 829be057
      Jason A. Donenfeld authored
      Not all platforms have an RTC, and rather than trying to force one into
      each, it's much easier to just set a fixed time. This is necessary
      because WireGuard's latest handshakes parameter is returned in wallclock
      time, and if the system time isn't set, and the system is really fast,
      then this returns 0, which trips the test.
      
      Turning this on requires setting CONFIG_COMPAT_32BIT_TIME=y, as musl
      doesn't support settimeofday without it.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • r8169: fix accessing unset transport header · faa4e04e
      Heiner Kallweit authored
      66e4c8d9 ("net: warn if transport header was not set") added
      a check that triggers a warning in r8169, see [0].
      
      The commit referenced in the Fixes tag refers to the change from
      which the patch applies cleanly, there's nothing wrong with this
      commit. It seems the actual issue (not bug, because the warning
      is harmless here) was introduced with bdfa4ed6
      ("r8169: use Giant Send").
      
      [0] https://bugzilla.kernel.org/show_bug.cgi?id=216157
      
      Fixes: 8d520b4d ("r8169: work around RTL8125 UDP hw bug")
      Reported-by: Erhard F. <erhard_f@mailbox.org>
      Tested-by: Erhard F. <erhard_f@mailbox.org>
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Link: https://lore.kernel.org/r/1b2c2b29-3dc0-f7b6-5694-97ec526d51a0@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: rose: fix UAF bug caused by rose_t0timer_expiry · 148ca045
      Duoming Zhou authored
      There are UAF bugs caused by rose_t0timer_expiry(). The
      root cause is that del_timer() could not stop the timer
      handler that is running and there is no synchronization.
      One of the race conditions is shown below:
      
          (thread 1)             |        (thread 2)
                                 | rose_device_event
                                 |   rose_rt_device_down
                                 |     rose_remove_neigh
      rose_t0timer_expiry        |       rose_stop_t0timer(rose_neigh)
        ...                      |         del_timer(&neigh->t0timer)
                                 |         kfree(rose_neigh) //[1]FREE
        neigh->dce_mode //[2]USE |
      
      The rose_neigh is deallocated in position [1] and used in
      position [2].
      
      The crash trace triggered by POC is like below:
      
      BUG: KASAN: use-after-free in expire_timers+0x144/0x320
      Write of size 8 at addr ffff888009b19658 by task swapper/0/0
      ...
      Call Trace:
       <IRQ>
       dump_stack_lvl+0xbf/0xee
       print_address_description+0x7b/0x440
       print_report+0x101/0x230
       ? expire_timers+0x144/0x320
       kasan_report+0xed/0x120
       ? expire_timers+0x144/0x320
       expire_timers+0x144/0x320
       __run_timers+0x3ff/0x4d0
       run_timer_softirq+0x41/0x80
       __do_softirq+0x233/0x544
       ...
      
      This patch changes rose_stop_ftimer() and rose_stop_t0timer()
      in rose_remove_neigh() to del_timer_sync() in order that the
      timer handler could be finished before the resources such as
      rose_neigh and so on are deallocated. As a result, the UAF
      bugs could be mitigated.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
      Link: https://lore.kernel.org/r/20220705125610.77971-1-duoming@zju.edu.cn
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • usbnet: fix memory leak in error case · b55a21b7
      Oliver Neukum authored
      usbnet_write_cmd_async() mixed up which buffers
      need to be freed in which error case.
      
      v2: add Fixes tag
      v3: fix uninitialized buf pointer
      
      Fixes: 877bd862 ("usbnet: introduce usbnet 3 command helpers")
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Link: https://lore.kernel.org/r/20220705125351.17309-1-oneukum@suse.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  3. 06 Jul, 2022 6 commits