1. 10 Oct, 2019 12 commits
  2. 09 Oct, 2019 7 commits
    • Xin Long's avatar
      sctp: add chunks to sk_backlog when the newsk sk_socket is not set · 819be810
      Xin Long authored
      This patch is to fix a NULL-ptr deref in selinux_socket_connect_helper:
      
        [...] kasan: GPF could be caused by NULL-ptr deref or user memory access
        [...] RIP: 0010:selinux_socket_connect_helper+0x94/0x460
        [...] Call Trace:
        [...]  selinux_sctp_bind_connect+0x16a/0x1d0
        [...]  security_sctp_bind_connect+0x58/0x90
        [...]  sctp_process_asconf+0xa52/0xfd0 [sctp]
        [...]  sctp_sf_do_asconf+0x785/0x980 [sctp]
        [...]  sctp_do_sm+0x175/0x5a0 [sctp]
        [...]  sctp_assoc_bh_rcv+0x285/0x5b0 [sctp]
        [...]  sctp_backlog_rcv+0x482/0x910 [sctp]
        [...]  __release_sock+0x11e/0x310
        [...]  release_sock+0x4f/0x180
        [...]  sctp_accept+0x3f9/0x5a0 [sctp]
        [...]  inet_accept+0xe7/0x720
      
      It was caused by that the 'newsk' sk_socket was not set before going to
      security sctp hook when processing asconf chunk with SCTP_PARAM_ADD_IP
      or SCTP_PARAM_SET_PRIMARY:
      
        inet_accept()->
          sctp_accept():
            lock_sock():
                lock listening 'sk'
                                                do_softirq():
                                                  sctp_rcv():  <-- [1]
                                                      asconf chunk arrives and
                                                      enqueued in 'sk' backlog
            sctp_sock_migrate():
                set asoc's sk to 'newsk'
            release_sock():
                sctp_backlog_rcv():
                  lock 'newsk'
                  sctp_process_asconf()  <-- [2]
                  unlock 'newsk'
          sock_graft():
              set sk_socket  <-- [3]
      
      As it shows, at [1] the asconf chunk would be put into the listening 'sk'
      backlog, as accept() was holding its sock lock. Then at [2] asconf would
      get processed with 'newsk' as asoc's sk had been set to 'newsk'. However,
      'newsk' sk_socket is not set until [3], while selinux_sctp_bind_connect()
      would deref it, then kernel crashed.
      
      Here to fix it by adding the chunk to sk_backlog until newsk sk_socket is
      set when .accept() is done.
      
      Note that sk->sk_socket can be NULL when the sock is closed, so SOCK_DEAD
      flag is also needed to check in sctp_newsk_ready().
      
      Thanks to Ondrej for reviewing the code.
      
      Fixes: d452930f ("selinux: Add SCTP support")
      Reported-by: default avatarYing Xu <yinxu@redhat.com>
      Suggested-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      819be810
    • Eric Dumazet's avatar
      bonding: fix potential NULL deref in bond_update_slave_arr · a7137534
      Eric Dumazet authored
      syzbot got a NULL dereference in bond_update_slave_arr() [1],
      happening after a failure to allocate bond->slave_arr
      
      A workqueue (bond_slave_arr_handler) is supposed to retry
      the allocation later, but if the slave is removed before
      the workqueue had a chance to complete, bond->slave_arr
      can still be NULL.
      
      [1]
      
      Failed to build slave-array.
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      Modules linked in:
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039
      RSP: 0018:ffff88018fe33678 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000
      RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20
      RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0
      FS:  00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       [<ffffffff82b5b45e>] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923
       [<ffffffff82b5b966>] bond_release drivers/net/bonding/bond_main.c:2039 [inline]
       [<ffffffff82b5b966>] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562
       [<ffffffff83ae25f4>] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328
       [<ffffffff83ae2e58>] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495
       [<ffffffff83995ffd>] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088
       [<ffffffff83996a80>] sock_ioctl+0x300/0x5d0 net/socket.c:1196
       [<ffffffff81b124db>] vfs_ioctl fs/ioctl.c:47 [inline]
       [<ffffffff81b124db>] file_ioctl fs/ioctl.c:501 [inline]
       [<ffffffff81b124db>] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688
       [<ffffffff81b12dc6>] SYSC_ioctl fs/ioctl.c:705 [inline]
       [<ffffffff81b12dc6>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696
       [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
       [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Fixes: ee637714 ("bonding: Simplify the xmit function for modes that use xmit_hash")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      a7137534
    • Antonio Borneo's avatar
      net: stmmac: fix disabling flexible PPS output · 520cf600
      Antonio Borneo authored
      Accordingly to Synopsys documentation [1] and [2], when bit PPSEN0
      in register MAC_PPS_CONTROL is set it selects the functionality
      command in the same register, otherwise selects the functionality
      control.
      Command functionality is required to either enable (command 0x2)
      and disable (command 0x5) the flexible PPS output, but the bit
      PPSEN0 is currently set only for enabling.
      
      Set the bit PPSEN0 to properly disable flexible PPS output.
      
      Tested on STM32MP15x, based on dwmac 4.10a.
      
      [1] DWC Ethernet QoS Databook 4.10a October 2014
      [2] DWC Ethernet QoS Databook 5.00a September 2017
      Signed-off-by: default avatarAntonio Borneo <antonio.borneo@st.com>
      Fixes: 9a8a02c9 ("net: stmmac: Add Flexible PPS support")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      520cf600
    • Antonio Borneo's avatar
      net: stmmac: fix length of PTP clock's name string · 5da202c8
      Antonio Borneo authored
      The field "name" in struct ptp_clock_info has a fixed size of 16
      chars and is used as zero terminated string by clock_name_show()
      in drivers/ptp/ptp_sysfs.c
      The current initialization value requires 17 chars to fit also the
      null termination, and this causes overflow to the next bytes in
      the struct when the string is read as null terminated:
      	hexdump -C /sys/class/ptp/ptp0/clock_name
      	00000000  73 74 6d 6d 61 63 5f 70  74 70 5f 63 6c 6f 63 6b  |stmmac_ptp_clock|
      	00000010  a0 ac b9 03 0a                                    |.....|
      where the extra 4 bytes (excluding the newline) after the string
      represent the integer 0x03b9aca0 = 62500000 assigned to the field
      "max_adj" that follows "name" in the same struct.
      
      There is no strict requirement for the "name" content and in the
      comment in ptp_clock_kernel.h it's reported it should just be 'A
      short "friendly name" to identify the clock'.
      Replace it with "stmmac ptp".
      Signed-off-by: default avatarAntonio Borneo <antonio.borneo@st.com>
      Fixes: 92ba6888 ("stmmac: add the support for PTP hw clock driver")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      5da202c8
    • Haishuang Yan's avatar
      ip6erspan: remove the incorrect mtu limit for ip6erspan · 4123f637
      Haishuang Yan authored
      ip6erspan driver calls ether_setup(), after commit 61e84623
      ("net: centralize net_device min/max MTU checking"), the range
      of mtu is [min_mtu, max_mtu], which is [68, 1500] by default.
      
      It causes the dev mtu of the erspan device to not be greater
      than 1500, this limit value is not correct for ip6erspan tap
      device.
      
      Fixes: 61e84623 ("net: centralize net_device min/max MTU checking")
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Acked-by: default avatarWilliam Tu <u9012063@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      4123f637
    • Jakub Kicinski's avatar
      Merge tag 'mac80211-for-davem-2019-10-08' of... · a17fd2cf
      Jakub Kicinski authored
      Merge tag 'mac80211-for-davem-2019-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A number of fixes:
       * allow scanning when operating on radar channels in
         ETSI regdomains
       * accept deauth frames in IBSS - we have code to parse
         and handle them, but were dropping them early
       * fix an allocation failure path in hwsim
       * fix a failure path memory leak in nl80211 FTM code
       * fix RCU handling & locking in multi-BSSID parsing
       * reject malformed SSID in mac80211 (this shouldn't
         really be able to happen, but defense in depth)
       * avoid userspace buffer overrun in ancient wext code
         if SSID was too long
      ====================
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      a17fd2cf
    • Randy Dunlap's avatar
      Doc: networking/device_drivers/pensando: fix ionic.rst warnings · b82316d2
      Randy Dunlap authored
      Fix documentation build warnings for Pensando ionic:
      
      Documentation/networking/device_drivers/pensando/ionic.rst:39: WARNING: Unexpected indentation.
      Documentation/networking/device_drivers/pensando/ionic.rst:43: WARNING: Unexpected indentation.
      
      Fixes: df69ba43 ("ionic: Add basic framework for IONIC Network device driver")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Acked-by: default avatarShannon Nelson <snelson@pensando.io>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      b82316d2
  3. 08 Oct, 2019 9 commits
    • Johan Hovold's avatar
      NFC: pn533: fix use-after-free and memleaks · 6af3aa57
      Johan Hovold authored
      The driver would fail to deregister and its class device and free
      related resources on late probe errors.
      
      Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com
      Fixes: 32ecc75d ("NFC: pn533: change order operations in dev registation")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      6af3aa57
    • Cong Wang's avatar
      net_sched: fix backward compatibility for TCA_ACT_KIND · 4b793fec
      Cong Wang authored
      For TCA_ACT_KIND, we have to keep the backward compatibility too,
      and rely on nla_strlcpy() to check and terminate the string with
      a NUL.
      
      Note for TC actions, nla_strcmp() is already used to compare kind
      strings, so we don't need to fix other places.
      
      Fixes: 199ce850 ("net_sched: add policy validation for action attributes")
      Reported-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      4b793fec
    • Cong Wang's avatar
      net_sched: fix backward compatibility for TCA_KIND · 6f96c3c6
      Cong Wang authored
      Marcelo noticed a backward compatibility issue of TCA_KIND
      after we move from NLA_STRING to NLA_NUL_STRING, so it is probably
      too late to change it.
      
      Instead, to make everyone happy, we can just insert a NUL to
      terminate the string with nla_strlcpy() like we do for TC actions.
      
      Fixes: 62794fc4 ("net_sched: add max len check for TCA_KIND")
      Reported-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      6f96c3c6
    • Alex Vesker's avatar
      net/mlx5: DR, Allow insertion of duplicate rules · 00414126
      Alex Vesker authored
      Duplicate rules were not allowed to be configured with SW steering.
      This restriction caused failures with the replace rule logic done by
      upper layers.
      
      This fix allows for multiple rules with the same match values, in
      such case the first inserted rules will match.
      
      Fixes: 41d07074 ("net/mlx5: DR, Expose steering rule functionality")
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      00414126
    • Jakub Kicinski's avatar
      Merge branch 'llc-fix-sk_buff-refcounting' · 38dc3b5f
      Jakub Kicinski authored
      Eric Biggers says:
      
      ====================
      Patches 1-2 fix the memory leaks that syzbot has reported in net/llc:
      
      	memory leak in llc_ui_create (2)
      	memory leak in llc_ui_sendmsg
      	memory leak in llc_conn_ac_send_sabme_cmd_p_set_x
      
      Patches 3-4 fix related bugs that I noticed while reading this code.
      
      Note: I've tested that this fixes the syzbot bugs, but otherwise I don't
      know of any way to test this code.
      ====================
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      38dc3b5f
    • Eric Biggers's avatar
      llc: fix sk_buff refcounting in llc_conn_state_process() · 36453c85
      Eric Biggers authored
      If llc_conn_state_process() sees that llc_conn_service() put the skb on
      a list, it will drop one fewer references to it.  This is wrong because
      the current behavior is that llc_conn_service() never consumes a
      reference to the skb.
      
      The code also makes the number of skb references being dropped
      conditional on which of ind_prim and cfm_prim are nonzero, yet neither
      of these affects how many references are *acquired*.  So there is extra
      code that tries to fix this up by sometimes taking another reference.
      
      Remove the unnecessary/broken refcounting logic and instead just add an
      skb_get() before the only two places where an extra reference is
      actually consumed.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      36453c85
    • Eric Biggers's avatar
      llc: fix another potential sk_buff leak in llc_ui_sendmsg() · fc8d5db1
      Eric Biggers authored
      All callers of llc_conn_state_process() except llc_build_and_send_pkt()
      (via llc_ui_sendmsg() -> llc_ui_send_data()) assume that it always
      consumes a reference to the skb.  Fix this caller to do the same.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      fc8d5db1
    • Eric Biggers's avatar
      llc: fix sk_buff leak in llc_conn_service() · b74555de
      Eric Biggers authored
      syzbot reported:
      
          BUG: memory leak
          unreferenced object 0xffff88811eb3de00 (size 224):
             comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s)
             hex dump (first 32 bytes):
               00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
               00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff  ..8$............
             backtrace:
               [<000000008d1c66a1>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
               [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline]
               [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline]
               [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
               [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
               [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline]
               [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
               [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140  net/llc/llc_c_ac.c:777
               [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475  [inline]
               [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline]
               [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640  net/llc/llc_conn.c:75
               [<00000000f27e53c1>] llc_establish_connection+0x110/0x170  net/llc/llc_if.c:109
               [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
               [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840
               [...]
      
      The bug is that most callers of llc_conn_send_pdu() assume it consumes a
      reference to the skb, when actually due to commit b85ab56c ("llc:
      properly handle dev_queue_xmit() return value") it doesn't.
      
      Revert most of that commit, and instead make the few places that need
      llc_conn_send_pdu() to *not* consume a reference call skb_get() before.
      
      Fixes: b85ab56c ("llc: properly handle dev_queue_xmit() return value")
      Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      b74555de
    • Eric Biggers's avatar
      llc: fix sk_buff leak in llc_sap_state_process() · c6ee11c3
      Eric Biggers authored
      syzbot reported:
      
          BUG: memory leak
          unreferenced object 0xffff888116270800 (size 224):
             comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s)
             hex dump (first 32 bytes):
               00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
               00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff  . .*.....@=*....
             backtrace:
               [<000000004d41b4cc>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
               [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline]
               [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline]
               [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
               [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
               [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline]
               [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250  net/core/skbuff.c:5327
               [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0  net/core/sock.c:2225
               [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
               [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
               [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline]
               [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671
               [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
      	 [...]
      
      The bug is that llc_sap_state_process() always takes an extra reference
      to the skb, but sometimes neither llc_sap_next_state() nor
      llc_sap_state_process() itself drops this reference.
      
      Fix it by changing llc_sap_next_state() to never consume a reference to
      the skb, rather than sometimes do so and sometimes not.  Then remove the
      extra skb_get() and kfree_skb() from llc_sap_state_process().
      
      Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com
      Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      c6ee11c3
  4. 07 Oct, 2019 12 commits