1. 15 Feb, 2024 5 commits
  2. 14 Feb, 2024 8 commits
    • Maxime Jayat's avatar
      can: netlink: Fix TDCO calculation using the old data bittiming · 2aa0a5e6
      Maxime Jayat authored
      The TDCO calculation was done using the currently applied data bittiming,
      instead of the newly computed data bittiming, which means that the TDCO
      had an invalid value unless setting the same data bittiming twice.
      
      Fixes: d99755f7 ("can: netlink: add interface for CAN-FD Transmitter Delay Compensation (TDC)")
      Signed-off-by: default avatarMaxime Jayat <maxime.jayat@mobile-devices.fr>
      Reviewed-by: default avatarVincent Mailhol <mailhol.vincent@wanadoo.fr>
      Link: https://lore.kernel.org/all/40579c18-63c0-43a4-8d4c-f3a6c1c0b417@munic.io
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      2aa0a5e6
    • Oleksij Rempel's avatar
      can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) · efe7cf82
      Oleksij Rempel authored
      Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
      modifies jsk->filters while receiving packets.
      
      Following trace was seen on affected system:
       ==================================================================
       BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
       Read of size 4 at addr ffff888012144014 by task j1939/350
      
       CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
       Call Trace:
        print_report+0xd3/0x620
        ? kasan_complete_mode_report_info+0x7d/0x200
        ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
        kasan_report+0xc2/0x100
        ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
        __asan_load4+0x84/0xb0
        j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
        j1939_sk_recv+0x20b/0x320 [can_j1939]
        ? __kasan_check_write+0x18/0x20
        ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
        ? j1939_simple_recv+0x69/0x280 [can_j1939]
        ? j1939_ac_recv+0x5e/0x310 [can_j1939]
        j1939_can_recv+0x43f/0x580 [can_j1939]
        ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
        ? raw_rcv+0x42/0x3c0 [can_raw]
        ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
        can_rcv_filter+0x11f/0x350 [can]
        can_receive+0x12f/0x190 [can]
        ? __pfx_can_rcv+0x10/0x10 [can]
        can_rcv+0xdd/0x130 [can]
        ? __pfx_can_rcv+0x10/0x10 [can]
        __netif_receive_skb_one_core+0x13d/0x150
        ? __pfx___netif_receive_skb_one_core+0x10/0x10
        ? __kasan_check_write+0x18/0x20
        ? _raw_spin_lock_irq+0x8c/0xe0
        __netif_receive_skb+0x23/0xb0
        process_backlog+0x107/0x260
        __napi_poll+0x69/0x310
        net_rx_action+0x2a1/0x580
        ? __pfx_net_rx_action+0x10/0x10
        ? __pfx__raw_spin_lock+0x10/0x10
        ? handle_irq_event+0x7d/0xa0
        __do_softirq+0xf3/0x3f8
        do_softirq+0x53/0x80
        </IRQ>
        <TASK>
        __local_bh_enable_ip+0x6e/0x70
        netif_rx+0x16b/0x180
        can_send+0x32b/0x520 [can]
        ? __pfx_can_send+0x10/0x10 [can]
        ? __check_object_size+0x299/0x410
        raw_sendmsg+0x572/0x6d0 [can_raw]
        ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
        ? apparmor_socket_sendmsg+0x2f/0x40
        ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
        sock_sendmsg+0xef/0x100
        sock_write_iter+0x162/0x220
        ? __pfx_sock_write_iter+0x10/0x10
        ? __rtnl_unlock+0x47/0x80
        ? security_file_permission+0x54/0x320
        vfs_write+0x6ba/0x750
        ? __pfx_vfs_write+0x10/0x10
        ? __fget_light+0x1ca/0x1f0
        ? __rcu_read_unlock+0x5b/0x280
        ksys_write+0x143/0x170
        ? __pfx_ksys_write+0x10/0x10
        ? __kasan_check_read+0x15/0x20
        ? fpregs_assert_state_consistent+0x62/0x70
        __x64_sys_write+0x47/0x60
        do_syscall_64+0x60/0x90
        ? do_syscall_64+0x6d/0x90
        ? irqentry_exit+0x3f/0x50
        ? exc_page_fault+0x79/0xf0
        entry_SYSCALL_64_after_hwframe+0x6e/0xd8
      
       Allocated by task 348:
        kasan_save_stack+0x2a/0x50
        kasan_set_track+0x29/0x40
        kasan_save_alloc_info+0x1f/0x30
        __kasan_kmalloc+0xb5/0xc0
        __kmalloc_node_track_caller+0x67/0x160
        j1939_sk_setsockopt+0x284/0x450 [can_j1939]
        __sys_setsockopt+0x15c/0x2f0
        __x64_sys_setsockopt+0x6b/0x80
        do_syscall_64+0x60/0x90
        entry_SYSCALL_64_after_hwframe+0x6e/0xd8
      
       Freed by task 349:
        kasan_save_stack+0x2a/0x50
        kasan_set_track+0x29/0x40
        kasan_save_free_info+0x2f/0x50
        __kasan_slab_free+0x12e/0x1c0
        __kmem_cache_free+0x1b9/0x380
        kfree+0x7a/0x120
        j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
        __sys_setsockopt+0x15c/0x2f0
        __x64_sys_setsockopt+0x6b/0x80
        do_syscall_64+0x60/0x90
        entry_SYSCALL_64_after_hwframe+0x6e/0xd8
      
      Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
      Reported-by: default avatarSili Luo <rootlab@huawei.com>
      Suggested-by: default avatarSili Luo <rootlab@huawei.com>
      Acked-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.deSigned-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      efe7cf82
    • Ziqi Zhao's avatar
      can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock · 6cdedc18
      Ziqi Zhao authored
      The following 3 locks would race against each other, causing the
      deadlock situation in the Syzbot bug report:
      
      - j1939_socks_lock
      - active_session_list_lock
      - sk_session_queue_lock
      
      A reasonable fix is to change j1939_socks_lock to an rwlock, since in
      the rare situations where a write lock is required for the linked list
      that j1939_socks_lock is protecting, the code does not attempt to
      acquire any more locks. This would break the circular lock dependency,
      where, for example, the current thread already locks j1939_socks_lock
      and attempts to acquire sk_session_queue_lock, and at the same time,
      another thread attempts to acquire j1939_socks_lock while holding
      sk_session_queue_lock.
      
      NOTE: This patch along does not fix the unregister_netdevice bug
      reported by Syzbot; instead, it solves a deadlock situation to prepare
      for one or more further patches to actually fix the Syzbot bug, which
      appears to be a reference counting problem within the j1939 codebase.
      
      Reported-by: <syzbot+1591462f226d9cbf0564@syzkaller.appspotmail.com>
      Signed-off-by: default avatarZiqi Zhao <astrajoan@yahoo.com>
      Reviewed-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Acked-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Link: https://lore.kernel.org/all/20230721162226.8639-1-astrajoan@yahoo.com
      [mkl: remove unrelated newline change]
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      6cdedc18
    • Arnd Bergmann's avatar
      ethernet: cpts: fix function pointer cast warnings · 9b23fceb
      Arnd Bergmann authored
      clang-16 warns about the mismatched prototypes for the devm_* callbacks:
      
      drivers/net/ethernet/ti/cpts.c:691:12: error: cast from 'void (*)(struct clk_hw *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
        691 |                                        (void(*)(void *))clk_hw_unregister_mux,
            |                                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      include/linux/device.h:406:34: note: expanded from macro 'devm_add_action_or_reset'
        406 |         __devm_add_action_or_reset(dev, action, data, #action)
            |                                         ^~~~~~
      drivers/net/ethernet/ti/cpts.c:703:12: error: cast from 'void (*)(struct device_node *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
        703 |                                        (void(*)(void *))of_clk_del_provider,
            |                                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      include/linux/device.h:406:34: note: expanded from macro 'devm_add_action_or_reset'
        406 |         __devm_add_action_or_reset(dev, action, data, #action)
      
      Use separate helper functions for this instead, using the expected prototypes
      with a void* argument.
      
      Fixes: a3047a81 ("net: ethernet: ti: cpts: add support for ext rftclk selection")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b23fceb
    • Arnd Bergmann's avatar
      bnad: fix work_queue type mismatch · 5d07e432
      Arnd Bergmann authored
      clang-16 warns about a function pointer cast:
      
      drivers/net/ethernet/brocade/bna/bnad.c:1995:4: error: cast from 'void (*)(struct delayed_work *)' to 'work_func_t' (aka 'void (*)(struct work_struct *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
       1995 |                         (work_func_t)bnad_tx_cleanup);
      drivers/net/ethernet/brocade/bna/bnad.c:2252:4: error: cast from 'void (*)(void *)' to 'work_func_t' (aka 'void (*)(struct work_struct *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
       2252 |                         (work_func_t)(bnad_rx_cleanup));
      
      The problem here is mixing up work_struct and delayed_work, which relies
      the former being the first member of the latter.
      
      Change the code to use consistent types here to address the warning and
      make it more robust against workqueue interface changes.
      
      Side note: the use of a delayed workqueue for cleaning up TX descriptors
      is probably a bad idea since this introduces a noticeable delay. The
      driver currently does not appear to use BQL, but if one wanted to add
      that, this would have to be changed as well.
      
      Fixes: 01b54b14 ("bna: tx rx cleanup fix")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5d07e432
    • Dmitry Antipov's avatar
      net: smc: fix spurious error message from __sock_release() · 6cf9ff46
      Dmitry Antipov authored
      Commit 67f562e3 ("net/smc: transfer fasync_list in case of fallback")
      leaves the socket's fasync list pointer within a container socket as well.
      When the latter is destroyed, '__sock_release()' warns about its non-empty
      fasync list, which is a dangling pointer to previously freed fasync list
      of an underlying TCP socket. Fix this spurious warning by nullifying
      fasync list of a container socket.
      
      Fixes: 67f562e3 ("net/smc: transfer fasync_list in case of fallback")
      Signed-off-by: default avatarDmitry Antipov <dmantipov@yandex.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6cf9ff46
    • David S. Miller's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · d9a31cda
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2024-02-12 (i40e)
      
      This series contains updates to i40e driver only.
      
      Ivan Vecera corrects the looping value used while waiting for queues to
      be disabled as well as an incorrect mask being used for DCB
      configuration.
      
      Maciej resolves an issue related to XDP traffic; removing a double call to
      i40e_pf_rxq_wait() and accounting for XDP rings when stopping rings.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d9a31cda
    • Subbaraya Sundeep's avatar
      octeontx2-af: Remove the PF_FUNC validation for NPC transmit rules · 858b3113
      Subbaraya Sundeep authored
      NPC transmit side mcam rules can use the pcifunc (in packet metadata
      added by hardware) of transmitting device for mcam lookup similar to
      the channel of receiving device at receive side.
      The commit 18603683 ("octeontx2-af: Remove channel verification
      while installing MCAM rules") removed the receive side channel
      verification to save hardware MCAM filters while switching packets
      across interfaces but missed removing transmit side checks.
      This patch removes transmit side rules validation.
      
      Fixes: 18603683 ("octeontx2-af: Remove channel verification while installing MCAM rules")
      Signed-off-by: default avatarSubbaraya Sundeep <sbhatta@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      858b3113
  3. 13 Feb, 2024 19 commits
  4. 12 Feb, 2024 8 commits