1. 07 Jun, 2023 13 commits
    • Michal Schmidt's avatar
      ice: make writes to /dev/gnssX synchronous · bf15bb38
      Michal Schmidt authored
      The current ice driver's GNSS write implementation buffers writes and
      works through them asynchronously in a kthread. That's bad because:
       - The GNSS write_raw operation is supposed to be synchronous[1][2].
       - There is no upper bound on the number of pending writes.
         Userspace can submit writes much faster than the driver can process,
         consuming unlimited amounts of kernel memory.
      
      A patch that's currently on review[3] ("[v3,net] ice: Write all GNSS
      buffers instead of first one") would add one more problem:
       - The possibility of waiting for a very long time to flush the write
         work when doing rmmod, softlockups.
      
      To fix these issues, simplify the implementation: Drop the buffering,
      the write_work, and make the writes synchronous.
      
      I tested this with gpsd and ubxtool.
      
      [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/12/The-GNSS-Subsystem-Johan-Hovold-Hovold-Consulting-AB.pdf
          "User interface" slide.
      [2] A comment in drivers/gnss/core.c:gnss_write():
              /* Ignoring O_NONBLOCK, write_raw() is synchronous. */
      [3] https://patchwork.ozlabs.org/project/intel-wired-lan/patch/20230217120541.16745-1-karol.kolacinski@intel.com/
      
      Fixes: d6b98c8d ("ice: add write functionality for GNSS TTY")
      Signed-off-by: default avatarMichal Schmidt <mschmidt@redhat.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com> (A Contingent worker at Intel)
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bf15bb38
    • Eric Dumazet's avatar
      net: sched: add rcu annotations around qdisc->qdisc_sleeping · d636fc5d
      Eric Dumazet authored
      syzbot reported a race around qdisc->qdisc_sleeping [1]
      
      It is time we add proper annotations to reads and writes to/from
      qdisc->qdisc_sleeping.
      
      [1]
      BUG: KCSAN: data-race in dev_graft_qdisc / qdisc_lookup_rcu
      
      read to 0xffff8881286fc618 of 8 bytes by task 6928 on cpu 1:
      qdisc_lookup_rcu+0x192/0x2c0 net/sched/sch_api.c:331
      __tcf_qdisc_find+0x74/0x3c0 net/sched/cls_api.c:1174
      tc_get_tfilter+0x18f/0x990 net/sched/cls_api.c:2547
      rtnetlink_rcv_msg+0x7af/0x8c0 net/core/rtnetlink.c:6386
      netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2546
      rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6413
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1913
      sock_sendmsg_nosec net/socket.c:724 [inline]
      sock_sendmsg net/socket.c:747 [inline]
      ____sys_sendmsg+0x375/0x4c0 net/socket.c:2503
      ___sys_sendmsg net/socket.c:2557 [inline]
      __sys_sendmsg+0x1e3/0x270 net/socket.c:2586
      __do_sys_sendmsg net/socket.c:2595 [inline]
      __se_sys_sendmsg net/socket.c:2593 [inline]
      __x64_sys_sendmsg+0x46/0x50 net/socket.c:2593
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      write to 0xffff8881286fc618 of 8 bytes by task 6912 on cpu 0:
      dev_graft_qdisc+0x4f/0x80 net/sched/sch_generic.c:1115
      qdisc_graft+0x7d0/0xb60 net/sched/sch_api.c:1103
      tc_modify_qdisc+0x712/0xf10 net/sched/sch_api.c:1693
      rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6395
      netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2546
      rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6413
      netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
      netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
      netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1913
      sock_sendmsg_nosec net/socket.c:724 [inline]
      sock_sendmsg net/socket.c:747 [inline]
      ____sys_sendmsg+0x375/0x4c0 net/socket.c:2503
      ___sys_sendmsg net/socket.c:2557 [inline]
      __sys_sendmsg+0x1e3/0x270 net/socket.c:2586
      __do_sys_sendmsg net/socket.c:2595 [inline]
      __se_sys_sendmsg net/socket.c:2593 [inline]
      __x64_sys_sendmsg+0x46/0x50 net/socket.c:2593
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 6912 Comm: syz-executor.5 Not tainted 6.4.0-rc3-syzkaller-00190-g0d85b27b #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023
      
      Fixes: 3a7d0d07 ("net: sched: extend Qdisc with rcu")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Vlad Buslov <vladbu@nvidia.com>
      Acked-by: Jamal Hadi Salim<jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d636fc5d
    • David S. Miller's avatar
      Merge branch 'rfs-lockless-annotate' · e3144ff5
      David S. Miller authored
      Eric Dumazet says:
      
      ====================
      rfs: annotate lockless accesses
      
      rfs runs without locks held, so we should annotate
      read and writes to shared variables.
      
      It should prevent compilers forcing writes
      in the following situation:
      
        if (var != val)
           var = val;
      
      A compiler could indeed simply avoid the conditional:
      
          var = val;
      
      This matters if var is shared between many cpus.
      
      v2: aligns one closing bracket (Simon)
          adds Fixes: tags (Jakub)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3144ff5
    • Eric Dumazet's avatar
      rfs: annotate lockless accesses to RFS sock flow table · 5c3b74a9
      Eric Dumazet authored
      Add READ_ONCE()/WRITE_ONCE() on accesses to the sock flow table.
      
      This also prevents a (smart ?) compiler to remove the condition in:
      
      if (table->ents[index] != newval)
              table->ents[index] = newval;
      
      We need the condition to avoid dirtying a shared cache line.
      
      Fixes: fec5e652 ("rfs: Receive Flow Steering")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c3b74a9
    • Eric Dumazet's avatar
      rfs: annotate lockless accesses to sk->sk_rxhash · 1e5c647c
      Eric Dumazet authored
      Add READ_ONCE()/WRITE_ONCE() on accesses to sk->sk_rxhash.
      
      This also prevents a (smart ?) compiler to remove the condition in:
      
      if (sk->sk_rxhash != newval)
      	sk->sk_rxhash = newval;
      
      We need the condition to avoid dirtying a shared cache line.
      
      Fixes: fec5e652 ("rfs: Receive Flow Steering")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e5c647c
    • Jakub Kicinski's avatar
      Merge tag 'for-net-2023-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · ab39b113
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fixes to debugfs registration
       - Fix use-after-free in hci_remove_ltk/hci_remove_irk
       - Fixes to ISO channel support
       - Fix missing checks for invalid L2CAP DCID
       - Fix l2cap_disconnect_req deadlock
       - Add lock to protect HCI_UNREGISTER
      
      * tag 'for-net-2023-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: L2CAP: Add missing checks for invalid DCID
        Bluetooth: ISO: use correct CIS order in Set CIG Parameters event
        Bluetooth: ISO: don't try to remove CIG if there are bound CIS left
        Bluetooth: Fix l2cap_disconnect_req deadlock
        Bluetooth: hci_qca: fix debugfs registration
        Bluetooth: fix debugfs registration
        Bluetooth: hci_sync: add lock to protect HCI_UNREGISTER
        Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
        Bluetooth: ISO: Fix CIG auto-allocation to select configurable CIG
        Bluetooth: ISO: consider right CIS when removing CIG at cleanup
      ====================
      
      Link: https://lore.kernel.org/r/20230606003454.2392552-1-luiz.dentz@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ab39b113
    • Jakub Kicinski's avatar
      Merge tag 'nf-23-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 20c47646
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Missing nul-check in basechain hook netlink dump path, from Gavrilov Ilia.
      
      2) Fix bitwise register tracking, from Jeremy Sowden.
      
      3) Null pointer dereference when accessing conntrack helper,
         from Tijs Van Buggenhout.
      
      4) Add schedule point to ipset's call_ad, from Kuniyuki Iwashima.
      
      5) Incorrect boundary check when building chain blob.
      
      * tag 'nf-23-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: out-of-bound check in chain blob
        netfilter: ipset: Add schedule point in call_ad().
        netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
        netfilter: nft_bitwise: fix register tracking
        netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook()
      ====================
      
      Link: https://lore.kernel.org/r/20230606225851.67394-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      20c47646
    • Jakub Kicinski's avatar
      Merge tag 'wireless-2023-06-06' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · e684ab76
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.4
      
      Both rtw88 and rtw89 have a 802.11 powersave fix for a regression
      introduced in v6.0. mt76 fixes a race and a null pointer dereference.
      iwlwifi fixes an issue where not enough memory was allocated for a
      firmware event. And finally the stack has several smaller fixes all
      over.
      
      * tag 'wireless-2023-06-06' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: cfg80211: fix locking in regulatory disconnect
        wifi: cfg80211: fix locking in sched scan stop work
        wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif()
        wifi: mac80211: fix switch count in EMA beacons
        wifi: mac80211: don't translate beacon/presp addrs
        wifi: mac80211: mlme: fix non-inheritence element
        wifi: cfg80211: reject bad AP MLD address
        wifi: mac80211: use correct iftype HE cap
        wifi: mt76: mt7996: fix possible NULL pointer dereference in mt7996_mac_write_txwi()
        wifi: rtw89: remove redundant check of entering LPS
        wifi: rtw89: correct PS calculation for SUPPORTS_DYNAMIC_PS
        wifi: rtw88: correct PS calculation for SUPPORTS_DYNAMIC_PS
        wifi: mt76: mt7615: fix possible race in mt7615_mac_sta_poll
      ====================
      
      Link: https://lore.kernel.org/r/20230606150817.EC133C433D2@smtp.kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e684ab76
    • Brett Creeley's avatar
      virtio_net: use control_buf for coalesce params · accc1bf2
      Brett Creeley authored
      Commit 699b045a ("net: virtio_net: notifications coalescing
      support") added coalescing command support for virtio_net. However,
      the coalesce commands are using buffers on the stack, which is causing
      the device to see DMA errors. There should also be a complaint from
      check_for_stack() in debug_dma_map_xyz(). Fix this by adding and using
      coalesce params from the control_buf struct, which aligns with other
      commands.
      
      Cc: stable@vger.kernel.org
      Fixes: 699b045a ("net: virtio_net: notifications coalescing support")
      Reviewed-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: default avatarAllen Hubbe <allen.hubbe@amd.com>
      Signed-off-by: default avatarBrett Creeley <brett.creeley@amd.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Reviewed-by: default avatarXuan Zhuo <xuanzhuo@linux.alibaba.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Link: https://lore.kernel.org/r/20230605195925.51625-1-brett.creeley@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      accc1bf2
    • Brett Creeley's avatar
      pds_core: Fix FW recovery detection · 4f48c303
      Brett Creeley authored
      Commit 523847df ("pds_core: add devcmd device interfaces") included
      initial support for FW recovery detection. Unfortunately, the ordering
      in pdsc_is_fw_good() was incorrect, which was causing FW recovery to be
      undetected by the driver. Fix this by making sure to update the cached
      fw_status by calling pdsc_is_fw_running() before setting the local FW
      gen.
      
      Fixes: 523847df ("pds_core: add devcmd device interfaces")
      Signed-off-by: default avatarShannon Nelson <shannon.nelson@amd.com>
      Signed-off-by: default avatarBrett Creeley <brett.creeley@amd.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230605195116.49653-1-brett.creeley@amd.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4f48c303
    • Eric Dumazet's avatar
      tcp: gso: really support BIG TCP · 82a01ab3
      Eric Dumazet authored
      We missed that tcp_gso_segment() was assuming skb->len was smaller than 65535 :
      
      oldlen = (u16)~skb->len;
      
      This part came with commit 0718bcc0 ("[NET]: Fix CHECKSUM_HW GSO problems.")
      
      This leads to wrong TCP checksum.
      
      Adapt the code to accept arbitrary packet length.
      
      v2:
        - use two csum_add() instead of csum_fold() (Alexander Duyck)
        - Change delta type to __wsum to reduce casts (Alexander Duyck)
      
      Fixes: 09f3d1a3 ("ipv6/gso: remove temporary HBH/jumbo header")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarAlexander Duyck <alexanderduyck@fb.com>
      Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20230605161647.3624428-1-edumazet@google.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      82a01ab3
    • Kuniyuki Iwashima's avatar
      ipv6: rpl: Fix Route of Death. · a2f4c143
      Kuniyuki Iwashima authored
      A remote DoS vulnerability of RPL Source Routing is assigned CVE-2023-2156.
      
      The Source Routing Header (SRH) has the following format:
      
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  Next Header  |  Hdr Ext Len  | Routing Type  | Segments Left |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        | CmprI | CmprE |  Pad  |               Reserved                |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                                                               |
        .                                                               .
        .                        Addresses[1..n]                        .
        .                                                               .
        |                                                               |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      
      The originator of an SRH places the first hop's IPv6 address in the IPv6
      header's IPv6 Destination Address and the second hop's IPv6 address as
      the first address in Addresses[1..n].
      
      The CmprI and CmprE fields indicate the number of prefix octets that are
      shared with the IPv6 Destination Address.  When CmprI or CmprE is not 0,
      Addresses[1..n] are compressed as follows:
      
        1..n-1 : (16 - CmprI) bytes
             n : (16 - CmprE) bytes
      
      Segments Left indicates the number of route segments remaining.  When the
      value is not zero, the SRH is forwarded to the next hop.  Its address
      is extracted from Addresses[n - Segment Left + 1] and swapped with IPv6
      Destination Address.
      
      When Segment Left is greater than or equal to 2, the size of SRH is not
      changed because Addresses[1..n-1] are decompressed and recompressed with
      CmprI.
      
      OTOH, when Segment Left changes from 1 to 0, the new SRH could have a
      different size because Addresses[1..n-1] are decompressed with CmprI and
      recompressed with CmprE.
      
      Let's say CmprI is 15 and CmprE is 0.  When we receive SRH with Segment
      Left >= 2, Addresses[1..n-1] have 1 byte for each, and Addresses[n] has
      16 bytes.  When Segment Left is 1, Addresses[1..n-1] is decompressed to
      16 bytes and not recompressed.  Finally, the new SRH will need more room
      in the header, and the size is (16 - 1) * (n - 1) bytes.
      
      Here the max value of n is 255 as Segment Left is u8, so in the worst case,
      we have to allocate 3825 bytes in the skb headroom.  However, now we only
      allocate a small fixed buffer that is IPV6_RPL_SRH_WORST_SWAP_SIZE (16 + 7
      bytes).  If the decompressed size overflows the room, skb_push() hits BUG()
      below [0].
      
      Instead of allocating the fixed buffer for every packet, let's allocate
      enough headroom only when we receive SRH with Segment Left 1.
      
      [0]:
      skbuff: skb_under_panic: text:ffffffff81c9f6e2 len:576 put:576 head:ffff8880070b5180 data:ffff8880070b4fb0 tail:0x70 end:0x140 dev:lo
      kernel BUG at net/core/skbuff.c:200!
      invalid opcode: 0000 [#1] PREEMPT SMP PTI
      CPU: 0 PID: 154 Comm: python3 Not tainted 6.4.0-rc4-00190-gc308e9ec #7
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      RIP: 0010:skb_panic (net/core/skbuff.c:200)
      Code: 4f 70 50 8b 87 bc 00 00 00 50 8b 87 b8 00 00 00 50 ff b7 c8 00 00 00 4c 8b 8f c0 00 00 00 48 c7 c7 80 6e 77 82 e8 ad 8b 60 ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
      RSP: 0018:ffffc90000003da0 EFLAGS: 00000246
      RAX: 0000000000000085 RBX: ffff8880058a6600 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffff88807dc1c540 RDI: ffff88807dc1c540
      RBP: ffffc90000003e48 R08: ffffffff82b392c8 R09: 00000000ffffdfff
      R10: ffffffff82a592e0 R11: ffffffff82b092e0 R12: ffff888005b1c800
      R13: ffff8880070b51b8 R14: ffff888005b1ca18 R15: ffff8880070b5190
      FS:  00007f4539f0b740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000055670baf3000 CR3: 0000000005b0e000 CR4: 00000000007506f0
      PKRU: 55555554
      Call Trace:
       <IRQ>
       skb_push (net/core/skbuff.c:210)
       ipv6_rthdr_rcv (./include/linux/skbuff.h:2880 net/ipv6/exthdrs.c:634 net/ipv6/exthdrs.c:718)
       ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
       ip6_input_finish (./include/linux/rcupdate.h:805 net/ipv6/ip6_input.c:483)
       __netif_receive_skb_one_core (net/core/dev.c:5494)
       process_backlog (./include/linux/rcupdate.h:805 net/core/dev.c:5934)
       __napi_poll (net/core/dev.c:6496)
       net_rx_action (net/core/dev.c:6565 net/core/dev.c:6696)
       __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
       do_softirq (kernel/softirq.c:472 kernel/softirq.c:459)
       </IRQ>
       <TASK>
       __local_bh_enable_ip (kernel/softirq.c:396)
       __dev_queue_xmit (net/core/dev.c:4272)
       ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:134)
       rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
       sock_sendmsg (net/socket.c:724 net/socket.c:747)
       __sys_sendto (net/socket.c:2144)
       __x64_sys_sendto (net/socket.c:2156 net/socket.c:2152 net/socket.c:2152)
       do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
       entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      RIP: 0033:0x7f453a138aea
      Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
      RSP: 002b:00007ffcc212a1c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007ffcc212a288 RCX: 00007f453a138aea
      RDX: 0000000000000060 RSI: 00007f4539084c20 RDI: 0000000000000003
      RBP: 00007f4538308e80 R08: 00007ffcc212a300 R09: 000000000000001c
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f4539712d1b
       </TASK>
      Modules linked in:
      
      Fixes: 8610c7c6 ("net: ipv6: add support for rpl sr exthdr")
      Reported-by: Max VA
      Closes: https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-deathSigned-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20230605180617.67284-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a2f4c143
    • Jakub Kicinski's avatar
      netlink: specs: ethtool: fix random typos · f6ca5baf
      Jakub Kicinski authored
      Working on the code gen for C reveals typos in the ethtool spec
      as the compiler tries to find the names in the existing uAPI
      header. Fix the mistakes.
      
      Fixes: a353318e ("tools: ynl: populate most of the ethtool spec")
      Acked-by: default avatarStanislav Fomichev <sdf@google.com>
      Link: https://lore.kernel.org/r/20230605233257.843977-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      f6ca5baf
  2. 06 Jun, 2023 24 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: out-of-bound check in chain blob · 08e42a0d
      Pablo Neira Ayuso authored
      Add current size of rule expressions to the boundary check.
      
      Fixes: 2c865a8a ("netfilter: nf_tables: add rule blob layout")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      08e42a0d
    • Kuniyuki Iwashima's avatar
      netfilter: ipset: Add schedule point in call_ad(). · 24e22789
      Kuniyuki Iwashima authored
      syzkaller found a repro that causes Hung Task [0] with ipset.  The repro
      first creates an ipset and then tries to delete a large number of IPs
      from the ipset concurrently:
      
        IPSET_ATTR_IPADDR_IPV4 : 172.20.20.187
        IPSET_ATTR_CIDR        : 2
      
      The first deleting thread hogs a CPU with nfnl_lock(NFNL_SUBSYS_IPSET)
      held, and other threads wait for it to be released.
      
      Previously, the same issue existed in set->variant->uadt() that could run
      so long under ip_set_lock(set).  Commit 5e29dc36 ("netfilter: ipset:
      Rework long task execution when adding/deleting entries") tried to fix it,
      but the issue still exists in the caller with another mutex.
      
      While adding/deleting many IPs, we should release the CPU periodically to
      prevent someone from abusing ipset to hang the system.
      
      Note we need to increment the ipset's refcnt to prevent the ipset from
      being destroyed while rescheduling.
      
      [0]:
      INFO: task syz-executor174:268 blocked for more than 143 seconds.
            Not tainted 6.4.0-rc1-00145-gba79e9a7 #1
      "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      task:syz-executor174 state:D stack:0     pid:268   ppid:260    flags:0x0000000d
      Call trace:
       __switch_to+0x308/0x714 arch/arm64/kernel/process.c:556
       context_switch kernel/sched/core.c:5343 [inline]
       __schedule+0xd84/0x1648 kernel/sched/core.c:6669
       schedule+0xf0/0x214 kernel/sched/core.c:6745
       schedule_preempt_disabled+0x58/0xf0 kernel/sched/core.c:6804
       __mutex_lock_common kernel/locking/mutex.c:679 [inline]
       __mutex_lock+0x6fc/0xdb0 kernel/locking/mutex.c:747
       __mutex_lock_slowpath+0x14/0x20 kernel/locking/mutex.c:1035
       mutex_lock+0x98/0xf0 kernel/locking/mutex.c:286
       nfnl_lock net/netfilter/nfnetlink.c:98 [inline]
       nfnetlink_rcv_msg+0x480/0x70c net/netfilter/nfnetlink.c:295
       netlink_rcv_skb+0x1c0/0x350 net/netlink/af_netlink.c:2546
       nfnetlink_rcv+0x18c/0x199c net/netfilter/nfnetlink.c:658
       netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
       netlink_unicast+0x664/0x8cc net/netlink/af_netlink.c:1365
       netlink_sendmsg+0x6d0/0xa4c net/netlink/af_netlink.c:1913
       sock_sendmsg_nosec net/socket.c:724 [inline]
       sock_sendmsg net/socket.c:747 [inline]
       ____sys_sendmsg+0x4b8/0x810 net/socket.c:2503
       ___sys_sendmsg net/socket.c:2557 [inline]
       __sys_sendmsg+0x1f8/0x2a4 net/socket.c:2586
       __do_sys_sendmsg net/socket.c:2595 [inline]
       __se_sys_sendmsg net/socket.c:2593 [inline]
       __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2593
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall+0x84/0x270 arch/arm64/kernel/syscall.c:52
       el0_svc_common+0x134/0x24c arch/arm64/kernel/syscall.c:142
       do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
       el0_svc+0x2c/0x7c arch/arm64/kernel/entry-common.c:637
       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
       el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Fixes: a7b4f989 ("netfilter: ipset: IP set core support")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Acked-by: default avatarJozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      24e22789
    • Tijs Van Buggenhout's avatar
      netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper · e1f543dc
      Tijs Van Buggenhout authored
      An nf_conntrack_helper from nf_conn_help may become NULL after DNAT.
      
      Observed when TCP port 1720 (Q931_PORT), associated with h323 conntrack
      helper, is DNAT'ed to another destination port (e.g. 1730), while
      nfqueue is being used for final acceptance (e.g. snort).
      
      This happenned after transition from kernel 4.14 to 5.10.161.
      
      Workarounds:
       * keep the same port (1720) in DNAT
       * disable nfqueue
       * disable/unload h323 NAT helper
      
      $ linux-5.10/scripts/decode_stacktrace.sh vmlinux < /tmp/kernel.log
      BUG: kernel NULL pointer dereference, address: 0000000000000084
      [..]
      RIP: 0010:nf_conntrack_update (net/netfilter/nf_conntrack_core.c:2080 net/netfilter/nf_conntrack_core.c:2134) nf_conntrack
      [..]
      nfqnl_reinject (net/netfilter/nfnetlink_queue.c:237) nfnetlink_queue
      nfqnl_recv_verdict (net/netfilter/nfnetlink_queue.c:1230) nfnetlink_queue
      nfnetlink_rcv_msg (net/netfilter/nfnetlink.c:241) nfnetlink
      [..]
      
      Fixes: ee04805f ("netfilter: conntrack: make conntrack userspace helpers work again")
      Signed-off-by: default avatarTijs Van Buggenhout <tijs.van.buggenhout@axsguard.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      e1f543dc
    • Jeremy Sowden's avatar
      netfilter: nft_bitwise: fix register tracking · 14e8b293
      Jeremy Sowden authored
      At the end of `nft_bitwise_reduce`, there is a loop which is intended to
      update the bitwise expression associated with each tracked destination
      register.  However, currently, it just updates the first register
      repeatedly.  Fix it.
      
      Fixes: 34cc9e52 ("netfilter: nf_tables: cancel tracking for clobbered destination registers")
      Signed-off-by: default avatarJeremy Sowden <jeremy@azazel.net>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      14e8b293
    • Gavrilov Ilia's avatar
      netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook() · bd058763
      Gavrilov Ilia authored
      The nla_nest_start_noflag() function may fail and return NULL;
      the return value needs to be checked.
      
      Found by InfoTeCS on behalf of Linux Verification Center
      (linuxtesting.org) with SVACE.
      
      Fixes: d54725cd ("netfilter: nf_tables: support for multiple devices per netdev hook")
      Signed-off-by: default avatarGavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      bd058763
    • Johannes Berg's avatar
      wifi: cfg80211: fix locking in regulatory disconnect · f7e60032
      Johannes Berg authored
      This should use wiphy_lock() now instead of requiring the
      RTNL, since __cfg80211_leave() via cfg80211_leave() is now
      requiring that lock to be held.
      
      Fixes: a05829a7 ("cfg80211: avoid holding the RTNL when calling the driver")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      f7e60032
    • Johannes Berg's avatar
      wifi: cfg80211: fix locking in sched scan stop work · 3e54ed82
      Johannes Berg authored
      This should use wiphy_lock() now instead of acquiring the
      RTNL, since cfg80211_stop_sched_scan_req() now needs that.
      
      Fixes: a05829a7 ("cfg80211: avoid holding the RTNL when calling the driver")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3e54ed82
    • Manish Chopra's avatar
      qed/qede: Fix scheduling while atomic · 42510dff
      Manish Chopra authored
      Statistics read through bond interface via sysfs causes
      below bug and traces as it triggers the bonding module to
      collect the slave device statistics while holding the spinlock,
      beneath that qede->qed driver statistics flow gets scheduled out
      due to usleep_range() used in PTT acquire logic
      
      [ 3673.988874] Hardware name: HPE ProLiant DL365 Gen10 Plus/ProLiant DL365 Gen10 Plus, BIOS A42 10/29/2021
      [ 3673.988878] Call Trace:
      [ 3673.988891]  dump_stack_lvl+0x34/0x44
      [ 3673.988908]  __schedule_bug.cold+0x47/0x53
      [ 3673.988918]  __schedule+0x3fb/0x560
      [ 3673.988929]  schedule+0x43/0xb0
      [ 3673.988932]  schedule_hrtimeout_range_clock+0xbf/0x1b0
      [ 3673.988937]  ? __hrtimer_init+0xc0/0xc0
      [ 3673.988950]  usleep_range+0x5e/0x80
      [ 3673.988955]  qed_ptt_acquire+0x2b/0xd0 [qed]
      [ 3673.988981]  _qed_get_vport_stats+0x141/0x240 [qed]
      [ 3673.989001]  qed_get_vport_stats+0x18/0x80 [qed]
      [ 3673.989016]  qede_fill_by_demand_stats+0x37/0x400 [qede]
      [ 3673.989028]  qede_get_stats64+0x19/0xe0 [qede]
      [ 3673.989034]  dev_get_stats+0x5c/0xc0
      [ 3673.989045]  netstat_show.constprop.0+0x52/0xb0
      [ 3673.989055]  dev_attr_show+0x19/0x40
      [ 3673.989065]  sysfs_kf_seq_show+0x9b/0xf0
      [ 3673.989076]  seq_read_iter+0x120/0x4b0
      [ 3673.989087]  new_sync_read+0x118/0x1a0
      [ 3673.989095]  vfs_read+0xf3/0x180
      [ 3673.989099]  ksys_read+0x5f/0xe0
      [ 3673.989102]  do_syscall_64+0x3b/0x90
      [ 3673.989109]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [ 3673.989115] RIP: 0033:0x7f8467d0b082
      [ 3673.989119] Code: c0 e9 b2 fe ff ff 50 48 8d 3d ca 05 08 00 e8 35 e7 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
      [ 3673.989121] RSP: 002b:00007ffffb21fd08 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
      [ 3673.989127] RAX: ffffffffffffffda RBX: 000000000100eca0 RCX: 00007f8467d0b082
      [ 3673.989128] RDX: 00000000000003ff RSI: 00007ffffb21fdc0 RDI: 0000000000000003
      [ 3673.989130] RBP: 00007f8467b96028 R08: 0000000000000010 R09: 00007ffffb21ec00
      [ 3673.989132] R10: 00007ffffb27b170 R11: 0000000000000246 R12: 00000000000000f0
      [ 3673.989134] R13: 0000000000000003 R14: 00007f8467b92000 R15: 0000000000045a05
      [ 3673.989139] CPU: 30 PID: 285188 Comm: read_all Kdump: loaded Tainted: G        W  OE
      
      Fix this by collecting the statistics asynchronously from a periodic
      delayed work scheduled at default stats coalescing interval and return
      the recent copy of statisitcs from .ndo_get_stats64(), also add ability
      to configure/retrieve stats coalescing interval using below commands -
      
      ethtool -C ethx stats-block-usecs <val>
      ethtool -c ethx
      
      Fixes: 133fac0e ("qede: Add basic ethtool support")
      Cc: Sudarsana Kalluru <skalluru@marvell.com>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarManish Chopra <manishc@marvell.com>
      Link: https://lore.kernel.org/r/20230605112600.48238-1-manishc@marvell.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      42510dff
    • Gustavo A. R. Silva's avatar
      wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif() · 7a4615b9
      Gustavo A. R. Silva authored
      kmemdup() at line 2735 is not duplicating enough memory for
      notif->tid_tear_down and notif->station_id. As it only duplicates
      612 bytes: up to offsetofend(struct iwl_wowlan_info_notif,
      received_beacons), this is the range of [0, 612) bytes.
      
      2735	notif = kmemdup(notif_v1,
      2736			offsetofend(struct iwl_wowlan_info_notif,
      2737				    received_beacons),
      2738			GFP_ATOMIC);
      
      which evidently does not cover bytes 612 and 613 for members
      tid_tear_down and station_id in struct iwl_wowlan_info_notif.
      See below:
      
      $ pahole -C iwl_wowlan_info_notif drivers/net/wireless/intel/iwlwifi/mvm/d3.o
      struct iwl_wowlan_info_notif {
      	struct iwl_wowlan_gtk_status_v3 gtk[2];          /*     0   488 */
      	/* --- cacheline 7 boundary (448 bytes) was 40 bytes ago --- */
      	struct iwl_wowlan_igtk_status igtk[2];           /*   488    80 */
      	/* --- cacheline 8 boundary (512 bytes) was 56 bytes ago --- */
      	__le64                     replay_ctr;           /*   568     8 */
      	/* --- cacheline 9 boundary (576 bytes) --- */
      	__le16                     pattern_number;       /*   576     2 */
      	__le16                     reserved1;            /*   578     2 */
      	__le16                     qos_seq_ctr[8];       /*   580    16 */
      	__le32                     wakeup_reasons;       /*   596     4 */
      	__le32                     num_of_gtk_rekeys;    /*   600     4 */
      	__le32                     transmitted_ndps;     /*   604     4 */
      	__le32                     received_beacons;     /*   608     4 */
      	u8                         tid_tear_down;        /*   612     1 */
      	u8                         station_id;           /*   613     1 */
      	u8                         reserved2[2];         /*   614     2 */
      
      	/* size: 616, cachelines: 10, members: 13 */
      	/* last cacheline: 40 bytes */
      };
      
      Therefore, when the following assignments take place, actually no memory
      has been allocated for those objects:
      
      2743	notif->tid_tear_down = notif_v1->tid_tear_down;
      2744	notif->station_id = notif_v1->station_id;
      
      Fix this by allocating space for the whole notif object and zero out the
      remaining space in memory after member station_id.
      
      This also fixes the following -Warray-bounds issues:
       CC      drivers/net/wireless/intel/iwlwifi/mvm/d3.o
      drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function ‘iwl_mvm_wait_d3_notif’:
      drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2743:30: warning: array subscript ‘struct iwl_wowlan_info_notif[0]’ is partly outside array bounds of ‘unsigned char[612]’ [-Warray-bounds=]
       2743 |                         notif->tid_tear_down = notif_v1->tid_tear_down;
            |
                       from drivers/net/wireless/intel/iwlwifi/mvm/d3.c:7:
      In function ‘kmemdup’,
          inlined from ‘iwl_mvm_wait_d3_notif’ at drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2735:12:
      include/linux/fortify-string.h:765:16: note: object of size 612 allocated by ‘__real_kmemdup’
        765 |         return __real_kmemdup(p, size, gfp);
            |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function ‘iwl_mvm_wait_d3_notif’:
      drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2744:30: warning: array subscript ‘struct iwl_wowlan_info_notif[0]’ is partly outside array bounds of ‘unsigned char[612]’ [-Warray-bounds=]
       2744 |                         notif->station_id = notif_v1->station_id;
            |                              ^~
      In function ‘kmemdup’,
          inlined from ‘iwl_mvm_wait_d3_notif’ at drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2735:12:
      include/linux/fortify-string.h:765:16: note: object of size 612 allocated by ‘__real_kmemdup’
        765 |         return __real_kmemdup(p, size, gfp);
            |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Link: https://github.com/KSPP/linux/issues/306
      Fixes: 905d50dd ("wifi: iwlwifi: mvm: support wowlan info notification version 2")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavoars@kernel.org>
      Acked-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/ZHpGN555FwAKGduH@workSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      7a4615b9
    • Aditya Kumar Singh's avatar
      wifi: mac80211: fix switch count in EMA beacons · 1afa18e9
      Aditya Kumar Singh authored
      Currently, whenever an EMA beacon is formed, due to is_template
      argument being false from the caller, the switch count is always
      decremented once which is wrong.
      
      Also if switch count is equal to profile periodicity, this makes
      the switch count to reach till zero which triggers a WARN_ON_ONCE.
      
      [  261.593915] CPU: 1 PID: 800 Comm: kworker/u8:3 Not tainted 5.4.213 #0
      [  261.616143] Hardware name: Qualcomm Technologies, Inc. IPQ9574
      [  261.622666] Workqueue: phy0 ath12k_get_link_bss_conf [ath12k]
      [  261.629771] pstate: 60400005 (nZCv daif +PAN -UAO)
      [  261.635595] pc : ieee80211_next_txq+0x1ac/0x1b8 [mac80211]
      [  261.640282] lr : ieee80211_beacon_update_cntdwn+0x64/0xb4 [mac80211]
      [...]
      [  261.729683] Call trace:
      [  261.734986]  ieee80211_next_txq+0x1ac/0x1b8 [mac80211]
      [  261.737156]  ieee80211_beacon_cntdwn_is_complete+0xa28/0x1194 [mac80211]
      [  261.742365]  ieee80211_beacon_cntdwn_is_complete+0xef4/0x1194 [mac80211]
      [  261.749224]  ieee80211_beacon_get_template_ema_list+0x38/0x5c [mac80211]
      [  261.755908]  ath12k_get_link_bss_conf+0xf8/0x33b4 [ath12k]
      [  261.762590]  ath12k_get_link_bss_conf+0x390/0x33b4 [ath12k]
      [  261.767881]  process_one_work+0x194/0x270
      [  261.773346]  worker_thread+0x200/0x314
      [  261.777514]  kthread+0x140/0x150
      [  261.781158]  ret_from_fork+0x10/0x18
      
      Fix this issue by making the is_template argument as true when fetching
      the EMA beacons.
      
      Fixes: bd54f3c2 ("wifi: mac80211: generate EMA beacons in AP mode")
      Signed-off-by: default avatarAditya Kumar Singh <quic_adisi@quicinc.com>
      Link: https://lore.kernel.org/r/20230531062012.4537-1-quic_adisi@quicinc.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      1afa18e9
    • Johannes Berg's avatar
      wifi: mac80211: don't translate beacon/presp addrs · 47c171a4
      Johannes Berg authored
      Don't do link address translation for beacons and probe responses,
      this leads to reporting multiple scan list entries for the same AP
      (one with the MLD address) which just breaks things.
      
      We might need to extend this in the future for some other (action)
      frames that aren't MLD addressed.
      
      Fixes: 42fb9148 ("wifi: mac80211: do link->MLD address translation on RX")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/20230604120651.62adead1b43a.Ifc25eed26ebf3b269f60b1ec10060156d0e7ec0d@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      47c171a4
    • Johannes Berg's avatar
      wifi: mac80211: mlme: fix non-inheritence element · 68c22855
      Johannes Berg authored
      There were two bugs when creating the non-inheritence
      element:
       1) 'at_extension' needs to be declared outside the loop,
          otherwise the value resets every iteration and we
          can never really switch properly
       2) 'added' never got set to true, so we always cut off
          the extension element again at the end of the function
      
      This shows another issue that we might add a list but no
      extension list, but we need to make the extension list a
      zero-length one in that case.
      
      Fix all these issues. While at it, add a comment explaining
      the trim.
      
      Fixes: 81151ce4 ("wifi: mac80211: support MLO authentication/association with one link")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/20230604120651.3addaa5c4782.If3a78f9305997ad7ef4ba7ffc17a8234c956f613@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      68c22855
    • Johannes Berg's avatar
      wifi: cfg80211: reject bad AP MLD address · 727073ca
      Johannes Berg authored
      When trying to authenticate, if the AP MLD address isn't
      a valid address, mac80211 can throw a warning. Avoid that
      by rejecting such addresses.
      
      Fixes: d648c230 ("wifi: nl80211: support MLO in auth/assoc")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/20230604120651.89188912bd1d.I8dbc6c8ee0cb766138803eec59508ef4ce477709@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      727073ca
    • Johannes Berg's avatar
      wifi: mac80211: use correct iftype HE cap · c37ab22b
      Johannes Berg authored
      We already check that the right iftype capa exists,
      but then don't use it. Assign it to a variable so we
      can actually use it, and then do that.
      
      Fixes: bac2fd3d ("mac80211: remove use of ieee80211_get_he_sta_cap()")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Link: https://lore.kernel.org/r/20230604120651.0e908e5c5fdd.Iac142549a6144ac949ebd116b921a59ae5282735@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      c37ab22b
    • Sungwoo Kim's avatar
      Bluetooth: L2CAP: Add missing checks for invalid DCID · 75767213
      Sungwoo Kim authored
      When receiving a connect response we should make sure that the DCID is
      within the valid range and that we don't already have another channel
      allocated for the same DCID.
      Missing checks may violate the specification (BLUETOOTH CORE SPECIFICATION
      Version 5.4 | Vol 3, Part A, Page 1046).
      
      Fixes: 40624183 ("Bluetooth: L2CAP: Add missing checks for invalid LE DCID")
      Signed-off-by: default avatarSungwoo Kim <iam@sung-woo.kim>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      75767213
    • Pauli Virtanen's avatar
      Bluetooth: ISO: use correct CIS order in Set CIG Parameters event · 71e95884
      Pauli Virtanen authored
      The order of CIS handle array in Set CIG Parameters response shall match
      the order of the CIS_ID array in the command (Core v5.3 Vol 4 Part E Sec
      7.8.97).  We send CIS_IDs mainly in the order of increasing CIS_ID (but
      with "last" CIS first if it has fixed CIG_ID).  In handling of the
      reply, we currently assume this is also the same as the order of
      hci_conn in hdev->conn_hash, but that is not true.
      
      Match the correct hci_conn to the correct handle by matching them based
      on the CIG+CIS combination.  The CIG+CIS combination shall be unique for
      ISO_LINK hci_conn at state >= BT_BOUND, which we maintain in
      hci_le_set_cig_params.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      71e95884
    • Pauli Virtanen's avatar
      Bluetooth: ISO: don't try to remove CIG if there are bound CIS left · 6c242c64
      Pauli Virtanen authored
      Consider existing BOUND & CONNECT state CIS to block CIG removal.
      Otherwise, under suitable timing conditions we may attempt to remove CIG
      while Create CIS is pending, which fails.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      6c242c64
    • Ying Hsu's avatar
      Bluetooth: Fix l2cap_disconnect_req deadlock · 02c5ea52
      Ying Hsu authored
      L2CAP assumes that the locks conn->chan_lock and chan->lock are
      acquired in the order conn->chan_lock, chan->lock to avoid
      potential deadlock.
      For example, l2sock_shutdown acquires these locks in the order:
        mutex_lock(&conn->chan_lock)
        l2cap_chan_lock(chan)
      
      However, l2cap_disconnect_req acquires chan->lock in
      l2cap_get_chan_by_scid first and then acquires conn->chan_lock
      before calling l2cap_chan_del. This means that these locks are
      acquired in unexpected order, which leads to potential deadlock:
        l2cap_chan_lock(c)
        mutex_lock(&conn->chan_lock)
      
      This patch releases chan->lock before acquiring the conn_chan_lock
      to avoid the potential deadlock.
      
      Fixes: a2a9339e ("Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}")
      Signed-off-by: default avatarYing Hsu <yinghsu@chromium.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      02c5ea52
    • Johan Hovold's avatar
      Bluetooth: hci_qca: fix debugfs registration · 47c5d829
      Johan Hovold authored
      Since commit 3e4be65e ("Bluetooth: hci_qca: Add poweroff support
      during hci down for wcn3990"), the setup callback which registers the
      debugfs interface can be called multiple times.
      
      This specifically leads to the following error when powering on the
      controller:
      
      	debugfs: Directory 'ibs' with parent 'hci0' already present!
      
      Add a driver flag to avoid trying to register the debugfs interface more
      than once.
      
      Fixes: 3e4be65e ("Bluetooth: hci_qca: Add poweroff support during hci down for wcn3990")
      Cc: stable@vger.kernel.org	# 4.20
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      47c5d829
    • Johan Hovold's avatar
      Bluetooth: fix debugfs registration · fe2ccc6c
      Johan Hovold authored
      Since commit ec6cef9c ("Bluetooth: Fix SMP channel registration for
      unconfigured controllers") the debugfs interface for unconfigured
      controllers will be created when the controller is configured.
      
      There is however currently nothing preventing a controller from being
      configured multiple time (e.g. setting the device address using btmgmt)
      which results in failed attempts to register the already registered
      debugfs entries:
      
      	debugfs: File 'features' in directory 'hci0' already present!
      	debugfs: File 'manufacturer' in directory 'hci0' already present!
      	debugfs: File 'hci_version' in directory 'hci0' already present!
      	...
      	debugfs: File 'quirk_simultaneous_discovery' in directory 'hci0' already present!
      
      Add a controller flag to avoid trying to register the debugfs interface
      more than once.
      
      Fixes: ec6cef9c ("Bluetooth: Fix SMP channel registration for unconfigured controllers")
      Cc: stable@vger.kernel.org      # 4.0
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      fe2ccc6c
    • Zhengping Jiang's avatar
      Bluetooth: hci_sync: add lock to protect HCI_UNREGISTER · 1857c199
      Zhengping Jiang authored
      When the HCI_UNREGISTER flag is set, no jobs should be scheduled. Fix
      potential race when HCI_UNREGISTER is set after the flag is tested in
      hci_cmd_sync_queue.
      
      Fixes: 0b94f265 ("Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set")
      Signed-off-by: default avatarZhengping Jiang <jiangzp@google.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      1857c199
    • Luiz Augusto von Dentz's avatar
      Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk · c5d2b6fa
      Luiz Augusto von Dentz authored
      Similar to commit 0f7d9b31 ("netfilter: nf_tables: fix use-after-free
      in nft_set_catchall_destroy()"). We can not access k after kfree_rcu()
      call.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMin Li <lm0963hack@gmail.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      c5d2b6fa
    • Pauli Virtanen's avatar
      Bluetooth: ISO: Fix CIG auto-allocation to select configurable CIG · e6a7a46b
      Pauli Virtanen authored
      Make CIG auto-allocation to select the first CIG_ID that is still
      configurable. Also use correct CIG_ID range (see Core v5.3 Vol 4 Part E
      Sec 7.8.97 p.2553).
      
      Previously, it would always select CIG_ID 0 regardless of anything,
      because cis_list with data.cis == 0xff (BT_ISO_QOS_CIS_UNSET) would not
      count any CIS. Since we are not adding CIS here, use find_cis instead.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      e6a7a46b
    • Pauli Virtanen's avatar
      Bluetooth: ISO: consider right CIS when removing CIG at cleanup · 31c5f916
      Pauli Virtanen authored
      When looking for CIS blocking CIG removal, consider only the CIS with
      the right CIG ID. Don't try to remove CIG with unset CIG ID.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarPauli Virtanen <pav@iki.fi>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      31c5f916
  3. 05 Jun, 2023 3 commits