1. 03 Mar, 2022 12 commits
  2. 02 Mar, 2022 10 commits
  3. 01 Mar, 2022 14 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 4761df52
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      1) Use kfree_rcu(ptr, rcu) variant, using kfree_rcu(ptr) was not
         intentional. From Eric Dumazet.
      
      2) Use-after-free in netfilter hook core, from Eric Dumazet.
      
      3) Missing rcu read lock side for netfilter egress hook,
         from Florian Westphal.
      
      4) nf_queue assume state->sk is full socket while it might not be.
         Invoke sock_gen_put(), from Florian Westphal.
      
      5) Add selftest to exercise the reported KASAN splat in 4)
      
      6) Fix possible use-after-free in nf_queue in case sk_refcnt is 0.
         Also from Florian.
      
      7) Use input interface index only for hardware offload, not for
         the software plane. This breaks tc ct action. Patch from Paul Blakey.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        net/sched: act_ct: Fix flow table lookup failure with no originating ifindex
        netfilter: nf_queue: handle socket prefetch
        netfilter: nf_queue: fix possible use-after-free
        selftests: netfilter: add nfqueue TCP_NEW_SYN_RECV socket race test
        netfilter: nf_queue: don't assume sk is full socket
        netfilter: egress: silence egress hook lockdep splats
        netfilter: fix use-after-free in __nf_register_net_hook()
        netfilter: nf_tables: prefer kfree_rcu(ptr, rcu) variant
      ====================
      
      Link: https://lore.kernel.org/r/20220301215337.378405-1-pablo@netfilter.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net/sched: act_ct: Fix flow table lookup failure with no originating ifindex · db6140e5
      Paul Blakey authored
      After cited commit optimized hw insertion, flow table entries are
      populated with ifindex information which was intended to only be used
      for HW offload. This tuple ifindex is hashed in the flow table key, so
      it must be filled for lookup to be successful. But tuple ifindex is only
      relevant for the netfilter flowtables (nft), so it's not filled in
      act_ct flow table lookup, resulting in lookup failure, and no SW
      offload and no offload teardown for TCP connection FIN/RST packets.
      
      To fix this, add new tc ifindex field to tuple, which will
      only be used for offloading, not for lookup, as it will not be
      part of the tuple hash.
      
      Fixes: 9795ded7 ("net/sched: act_ct: Fill offloading tuple iifidx")
      Signed-off-by: Paul Blakey <paulb@nvidia.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Merge tag 'wireless-for-net-2022-03-01' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · b8d06ce7
      David S. Miller authored
      
      Johannes Berg says:
      
      ====================
      
      Some last-minute fixes:
       * rfkill
         - add missing rfill_soft_blocked() when disabled
      
       * cfg80211
         - handle a nla_memdup() failure correctly
         - fix CONFIG_CFG80211_EXTRA_REGDB_KEYDIR typo in
           Makefile
      
       * mac80211
         - fix EAPOL handling in 802.3 RX path
         - reject setting up aggregation sessions before
           connection is authorized to avoid timeouts or
           similar
         - handle some SAE authentication steps correctly
         - fix AC selection in mesh forwarding
      
       * iwlwifi
         - remove TWT support as it causes firmware crashes
           when the AP isn't behaving correctly
         - check debugfs pointer before dereferencing it
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cfg80211: fix CONFIG_CFG80211_EXTRA_REGDB_KEYDIR typo · a12f7634
      Johannes Berg authored
      The kbuild change here accidentally removed not only the
      unquoting, but also the last character of the variable
      name. Fix that.
      
      Fixes: 129ab0d2 ("kbuild: do not quote string values in include/config/auto.conf")
      Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
      Link: https://lore.kernel.org/r/20220221155512.1d25895f7c5f.I50fa3d4189fcab90a2896fe8cae215035dae9508@changeid
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • netfilter: nf_queue: handle socket prefetch · 3b836da4
      Florian Westphal authored
      In case someone combines bpf socket assign and nf_queue, then we will
      queue an skb who references a struct sock that did not have its
      reference count incremented.
      
      As we leave rcu protection, there is no guarantee that skb->sk is still
      valid.
      
      For refcount-less skb->sk case, try to increment the reference count
      and then override the destructor.
      
      In case of failure we have two choices: orphan the skb and 'delete'
      preselect or let nf_queue() drop the packet.
      
      Do the latter, it should not happen during normal operation.
      
      Fixes: cf7fbe66 ("bpf: Add socket assign support")
      Acked-by: Joe Stringer <joe@cilium.io>
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • netfilter: nf_queue: fix possible use-after-free · c3873070
      Florian Westphal authored
      Eric Dumazet says:
        The sock_hold() side seems suspect, because there is no guarantee
        that sk_refcnt is not already 0.
      
      On failure, we cannot queue the packet and need to indicate an
      error.  The packet will be dropped by the caller.
      
      v2: split skb prefetch hunk into separate change
      
      Fixes: 271b72c7 ("udp: RCU handling for Unicast packets.")
      Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • selftests: netfilter: add nfqueue TCP_NEW_SYN_RECV socket race test · 2e78855d
      Florian Westphal authored
      causes:
      BUG: KASAN: slab-out-of-bounds in sk_free+0x25/0x80
      Write of size 4 at addr ffff888106df0284 by task nf-queue/1459
       sk_free+0x25/0x80
       nf_queue_entry_release_refs+0x143/0x1a0
       nf_reinject+0x233/0x770
      
      ... without 'netfilter: nf_queue: don't assume sk is full socket'.
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • netfilter: nf_queue: don't assume sk is full socket · 747670fd
      Florian Westphal authored
      There is no guarantee that state->sk refers to a full socket.
      
      If refcount transitions to 0, sock_put calls sk_free which then ends up
      with garbage fields.
      
      I'd like to thank Oleksandr Natalenko and Jiri Benc for considerable
      debug work and pointing out state->sk oddities.
      
      Fixes: ca6fb065 ("tcp: attach SYNACK messages to request sockets instead of listener")
      Tested-by: Oleksandr Natalenko <oleksandr@redhat.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
    • mac80211: treat some SAE auth steps as final · 94d9864c
      Johannes Berg authored
      When we get anti-clogging token required (added by the commit
      mentioned below), or the other status codes added by the later
      commit 4e56cde1 ("mac80211: Handle special status codes in
      SAE commit") we currently just pretend (towards the internal
      state machine of authentication) that we didn't receive anything.
      
      This has the undesirable consequence of retransmitting the prior
      frame, which is not expected, because the timer is still armed.
      
      If we just disarm the timer at that point, it would result in
      the undesirable side effect of being in this state indefinitely
      if userspace crashes, or so.
      
      So to fix this, reset the timer and set a new auth_data->waiting
      in order to have no more retransmissions, but to have the data
      destroyed when the timer actually fires, which will only happen
      if userspace didn't continue (i.e. crashed or abandoned it.)
      
      Fixes: a4055e74 ("mac80211: Don't destroy auth data in case of anti-clogging")
      Reported-by: Jouni Malinen <j@w1.fi>
      Link: https://lore.kernel.org/r/20220224103932.75964e1d7932.Ia487f91556f29daae734bf61f8181404642e1eec@changeid
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • nl80211: Handle nla_memdup failures in handle_nan_filter · 6ad27f52
      Jiasheng Jiang authored
      As there's potential for failure of the nla_memdup(),
      check the return value.
      
      Fixes: a442b761 ("cfg80211: add add_nan_func / del_nan_func")
      Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
      Link: https://lore.kernel.org/r/20220301100020.3801187-1-jiasheng@iscas.ac.cn
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • iwlwifi: mvm: check debugfs_dir ptr before use · 5a6248c0
      Randy Dunlap authored
      When "debugfs=off" is used on the kernel command line, iwlwifi's
      mvm module uses an invalid/unchecked debugfs_dir pointer and causes
      a BUG:
      
       BUG: kernel NULL pointer dereference, address: 000000000000004f
       #PF: supervisor read access in kernel mode
       #PF: error_code(0x0000) - not-present page
       PGD 0 P4D 0
       Oops: 0000 [#1] PREEMPT SMP
       CPU: 1 PID: 503 Comm: modprobe Tainted: G        W         5.17.0-rc5 #7
       Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021
       RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm]
       Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73
       RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246
       RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328
       RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c
       RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620
       R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000
       R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320
       FS:  00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0
       PKRU: 55555554
       Call Trace:
        <TASK>
        ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm]
        iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm]
        iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm]
        _iwl_op_mode_start+0x6f/0xd0 [iwlwifi]
        iwl_opmode_register+0x6a/0xe0 [iwlwifi]
        ? 0xffffffffa0231000
        iwl_mvm_init+0x35/0x1000 [iwlmvm]
        ? 0xffffffffa0231000
        do_one_initcall+0x5a/0x1b0
        ? kmem_cache_alloc+0x1e5/0x2f0
        ? do_init_module+0x1e/0x220
        do_init_module+0x48/0x220
        load_module+0x2602/0x2bc0
        ? __kernel_read+0x145/0x2e0
        ? kernel_read_file+0x229/0x290
        __do_sys_finit_module+0xc5/0x130
        ? __do_sys_finit_module+0xc5/0x130
        __x64_sys_finit_module+0x13/0x20
        do_syscall_64+0x38/0x90
        entry_SYSCALL_64_after_hwframe+0x44/0xae
       RIP: 0033:0x7f64dda564dd
       Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48
       RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
       RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd
       RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001
       RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002
       R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2
       R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018
        </TASK>
       Modules linked in: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev
       CR2: 000000000000004f
       ---[ end trace 0000000000000000 ]---
      
      Check the debugfs_dir pointer for an error before using it.
      
      Fixes: 8c082a99 ("iwlwifi: mvm: simplify iwl_mvm_dbgfs_register")
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Cc: Luca Coelho <luciano.coelho@intel.com>
      Cc: linux-wireless@vger.kernel.org
      Cc: Kalle Valo <kvalo@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20220223030630.23241-1-rdunlap@infradead.org
      [change to make both conditional]
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • iwlwifi: don't advertise TWT support · 1db5fcbb
      Golan Ben Ami authored
      Some APs misbehave when TWT is used and cause our firmware to crash.
      We don't know a reasonable way to detect and work around this problem
      in the FW yet.  To prevent these crashes, disable TWT in the driver by
      stopping to advertise TWT support.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=215523
      Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
      [reworded the commit message]
      Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
      Link: https://lore.kernel.org/r/20220301072926.153969-1-luca@coelho.fi
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • rfkill: define rfill_soft_blocked() if !RFKILL · 50bb467c
      Ben Dooks authored
      If CONFIG_RFKILL is not set, the Intel WiFi driver will not build
      the iw_mvm driver part due to the missing rfill_soft_blocked()
      call. Adding an inline declaration of rfill_soft_blocked() if
      CONFIG_RFKILL=n fixes the following error:
      
      drivers/net/wireless/intel/iwlwifi/mvm/mvm.h: In function 'iwl_mvm_mei_set_sw_rfkill_state':
      drivers/net/wireless/intel/iwlwifi/mvm/mvm.h:2215:38: error: implicit declaration of function 'rfkill_soft_blocked'; did you mean 'rfkill_blocked'? [-Werror=implicit-function-declaration]
       2215 |                 mvm->hw_registered ? rfkill_soft_blocked(mvm->hw->wiphy->rfkill) : false;
            |                                      ^~~~~~~~~~~~~~~~~~~
            |                                      rfkill_blocked
      Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
      Reported-by: Neill Whillans <neill.whillans@codethink.co.uk>
      Fixes: 5bc9a9dd ("rfkill: allow to get the software rfkill state")
      Link: https://lore.kernel.org/r/20220218093858.1245677-1-ben.dooks@codethink.co.uk
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 7cf5aa32
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2022-02-28
      
      This series contains updates to igc and e1000e drivers.
      
      Corinna Vinschen ensures release of hardware semaphore on failed
      register read in igc_read_phy_reg_gpy().
      
      Sasha does the same for the write variant, igc_write_phy_reg_gpy(). On
      e1000e, he resolves an issue with hardware unit hang on s0ix exit
      by disabling some bits and LAN connected device reset during power
      management flows. Lastly, he allows for TGP platforms to correct its
      NVM checksum.
      
      v2: Fix Fixes tag on patch 3
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 28 Feb, 2022 4 commits
    • e1000e: Correct NVM checksum verification flow · ffd24fa2
      Sasha Neftin authored
      Update MAC type check e1000_pch_tgp because for e1000_pch_cnp,
      NVM checksum update is still possible.
      Emit a more detailed warning message.
      
      Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1191663
      Fixes: 4051f683 ("e1000e: Do not take care about recovery NVM checksum")
      Reported-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
      Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
      Tested-by: Naama Meir <naamax.meir@linux.intel.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    • e1000e: Fix possible HW unit hang after an s0ix exit · 1866aa0d
      Sasha Neftin authored
      Disable the OEM bit/Gig Disable/restart AN impact and disable the PHY
      LAN connected device (LCD) reset during power management flows. This
      fixes possible HW unit hangs on the s0ix exit on some corporate ADL
      platforms.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=214821
      Fixes: 3e55d231 ("e1000e: Add handshake with the CSME to support S0ix")
      Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
      Suggested-by: Nir Efrati <nir.efrati@intel.com>
      Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
      Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    • netfilter: egress: silence egress hook lockdep splats · 17a8f31b
      Florian Westphal authored
      Netfilter assumes it's called with rcu_read_lock held, but in egress
      hook case it may be called with BH readlock.
      
      This triggers lockdep splat.
      
      In order to avoid to change all rcu_dereference() to
      rcu_dereference_check(..., rcu_read_lock_bh_held()), wrap nf_hook_slow
      with read lock/unlock pair.
      Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: fix use-after-free in __nf_register_net_hook() · 56763f12
      Eric Dumazet authored
      We must not dereference @new_hooks after nf_hook_mutex has been released,
      because other threads might have freed our allocated hooks already.
      
      BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
      BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]
      BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
      Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430
      
      CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
       print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
       __kasan_report mm/kasan/report.c:442 [inline]
       kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
       nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
       hooks_validate net/netfilter/core.c:171 [inline]
       __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
       nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571
       nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587
       nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218
       synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
       xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038
       check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]
       find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573
       translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735
       do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]
       do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
       nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
       ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024
       rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084
       __sys_setsockopt+0x2db/0x610 net/socket.c:2180
       __do_sys_setsockopt net/socket.c:2191 [inline]
       __se_sys_setsockopt net/socket.c:2188 [inline]
       __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x7f65a1ace7d9
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9
      RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
      RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130
      R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000
       </TASK>
      
      The buggy address belongs to the page:
      page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8
      flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
      raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000
      raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as freed
      page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993
       prep_new_page mm/page_alloc.c:2434 [inline]
       get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
       __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
       __alloc_pages_node include/linux/gfp.h:572 [inline]
       alloc_pages_node include/linux/gfp.h:595 [inline]
       kmalloc_large_node+0x62/0x130 mm/slub.c:4438
       __kmalloc_node+0x35a/0x4a0 mm/slub.c:4454
       kmalloc_node include/linux/slab.h:604 [inline]
       kvmalloc_node+0x97/0x100 mm/util.c:580
       kvmalloc include/linux/slab.h:731 [inline]
       kvzalloc include/linux/slab.h:739 [inline]
       allocate_hook_entries_size net/netfilter/core.c:61 [inline]
       nf_hook_entries_grow+0x140/0x780 net/netfilter/core.c:128
       __nf_register_net_hook+0x144/0x820 net/netfilter/core.c:429
       nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571
       nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587
       nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218
       synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
       xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038
       check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]
       find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573
       translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735
       do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]
       do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
       nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
      page last free stack trace:
       reset_page_owner include/linux/page_owner.h:24 [inline]
       free_pages_prepare mm/page_alloc.c:1352 [inline]
       free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
       free_unref_page_prepare mm/page_alloc.c:3325 [inline]
       free_unref_page+0x19/0x690 mm/page_alloc.c:3404
       kvfree+0x42/0x50 mm/util.c:613
       rcu_do_batch kernel/rcu/tree.c:2527 [inline]
       rcu_core+0x7b1/0x1820 kernel/rcu/tree.c:2778
       __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
      
      Memory state around the buggy address:
       ffff88801c1a7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88801c1a7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff88801c1a8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
       ffff88801c1a8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88801c1a8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      
      Fixes: 2420b79f ("netfilter: debug: check for sorted array")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Acked-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>