1. 14 Aug, 2020 3 commits
      can: j1939: transport: j1939_session_tx_dat(): fix use-after-free read in j1939_tp_txtimer() · cd3b3636
      Oleksij Rempel authored
      The current stack implementation does not support ECTS requests of
      non-aligned TP-sized blocks.
      
      If ECTS will request a block with size and offset spanning two TP
      blocks, this will cause memcpy() to read beyond the queued skb (which
      does only contain one TP sized block).
      
      Sometimes KASAN will detect this read if the memory region beyond the
      skb was previously allocated and freed. In other situations it will stay
      undetected. The ETP transfer in any case will be corrupted.
      
      This patch adds a sanity check to avoid this kind of read and abort the
      session with error J1939_XTP_ABORT_ECTS_TOO_BIG.
      
      Reported-by: syzbot+5322482fe520b02aea30@syzkaller.appspotmail.com
      Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
      Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
      Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
      Link: https://lore.kernel.org/r/20200807105200.26441-3-o.rempel@pengutronix.de
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
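The sanity check described in this commit message, as an added user-space model that is not the kernel's code: a queued block holding one TP-sized run of the transfer, an ECTS request given as a byte range, and a range check that must pass before memcpy() is reached. The abort codes, the struct and the 14-byte sample payload are constructed for illustration and are not the real J1939_XTP_ABORT_* values or the kernel's skb layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the kernel tree. Abort codes are placeholders
 * standing in for the real J1939_XTP_ABORT_* values. */
#define ECTS_OK            0
#define ECTS_ABORT_TOO_BIG 1

/* One queued skb: a contiguous run of transfer payload that starts at byte
 * offset `base` of the whole transfer and holds `len` bytes. */
struct queued_block {
	const uint8_t *data;
	size_t base;
	size_t len;
};

/* Constructed sample: the second TP-sized block of a transfer, 14 bytes at
 * transfer offset 14 (a real block is up to 255 packets of 7 bytes). */
static const uint8_t sample_payload[14] = {
	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
	0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d,
};
static const struct queued_block sample_block = { sample_payload, 14, 14 };

/* Accept the request only if [req_off, req_off + req_len) lies entirely
 * inside the queued block. Written as subtractions so a huge req_len cannot
 * wrap the check around. */
static int ects_range_check(const struct queued_block *blk,
			    size_t req_off, size_t req_len)
{
	if (req_off < blk->base)
		return ECTS_ABORT_TOO_BIG;
	size_t rel = req_off - blk->base;
	if (rel > blk->len || req_len > blk->len - rel)
		return ECTS_ABORT_TOO_BIG;
	return ECTS_OK;
}

/* Transmit-side copy: memcpy() only after the range check passed.
 * Returns the number of bytes copied, or -1 if the session must be aborted. */
static long tx_dat_copy(const struct queued_block *blk, size_t req_off,
			size_t req_len, uint8_t *out, size_t out_len)
{
	if (req_len > out_len)
		return -1;
	if (ects_range_check(blk, req_off, req_len) != ECTS_OK)
		return -1;
	memcpy(out, blk->data + (req_off - blk->base), req_len);
	return (long)req_len;
}

int main(void)
{
	uint8_t out[32];

	/* In range: the last 7 bytes of the queued block. */
	printf("offset 21, 7 bytes: %ld\n",
	       tx_dat_copy(&sample_block, 21, 7, out, sizeof out));
	/* Spans into the next block: would read 7 bytes past the skb. */
	printf("offset 21, 14 bytes: %ld\n",
	       tx_dat_copy(&sample_block, 21, 14, out, sizeof out));
	/* Lies before the queued block. */
	printf("offset 7, 7 bytes: %ld\n",
	       tx_dat_copy(&sample_block, 7, 7, out, sizeof out));
	return 0;
}
```

The point the KASAN remark in the message makes is visible here: the over-long request is rejected by arithmetic on the block bounds, not by whether the bytes past the block happen to be mapped, so the check works whether or not a sanitizer would have noticed the read.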
      can: j1939: transport: j1939_simple_recv(): ignore local J1939 messages send not by J1939 stack · b43e3a82
      Oleksij Rempel authored
      In the current J1939 stack implementation, we process all locally sent
      messages as our own messages, even if they were sent by a CAN_RAW socket.
      
      To reproduce it use following commands:
      testj1939 -P -r can0:0x80 &
      cansend can0 18238040#0123
      
      This step will trigger a false-positive, non-critical warning:
      j1939_simple_recv: Received already invalidated message
      
      With this patch we add an additional check to make sure the related skb
      is our own echo message.
      
      Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
      Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
      Link: https://lore.kernel.org/r/20200807105200.26441-2-o.rempel@pengutronix.de
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can() · 38ba8b92
      Eric Dumazet authored
      syzbot found that at least 2 bytes of kernel information
      were leaked during getsockname() on AF_CAN CAN_J1939 socket.
      
      Since struct sockaddr_can has in fact two holes, simply
      clear the whole area before filling it with useful data.
      
      BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
      CPU: 0 PID: 8466 Comm: syz-executor511 Not tainted 5.8.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x21c/0x280 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
       kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
       kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
       instrument_copy_to_user include/linux/instrumented.h:91 [inline]
       _copy_to_user+0x18e/0x260 lib/usercopy.c:39
       copy_to_user include/linux/uaccess.h:186 [inline]
       move_addr_to_user+0x3de/0x670 net/socket.c:237
       __sys_getsockname+0x407/0x5e0 net/socket.c:1909
       __do_sys_getsockname net/socket.c:1920 [inline]
       __se_sys_getsockname+0x91/0xb0 net/socket.c:1917
       __x64_sys_getsockname+0x4a/0x70 net/socket.c:1917
       do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x440219
      Code: Bad RIP value.
      RSP: 002b:00007ffe5ee150c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000033
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
      RDX: 0000000020000240 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a20
      R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000
      
      Local variable ----address@__sys_getsockname created at:
       __sys_getsockname+0x91/0x5e0 net/socket.c:1894
       __sys_getsockname+0x91/0x5e0 net/socket.c:1894
      
      Bytes 2-3 of 24 are uninitialized
      Memory access of size 24 starts at ffff8880ba2c7de8
      Data copied to user address 0000000020000100
      
      Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Robin van der Gracht <robin@protonic.nl>
      Cc: Oleksij Rempel <o.rempel@pengutronix.de>
      Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
      Cc: linux-can@vger.kernel.org
      Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
      Link: https://lore.kernel.org/r/20200813161834.4021638-1-edumazet@google.com
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
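The two padding holes the message refers to, shown with an added user-space example that is not the kernel's code. The struct below is an assumed mirror of the layout of sockaddr_can with its j1939 member (the real definition is in <linux/can.h>); the stack slot is pre-filled with a 0xAA pattern to stand in for stale kernel stack contents, and the field values are constructed samples. The field-wise filler leaves the padding untouched, exactly the "Bytes 2-3 of 24" KMSAN reported; the memset-first filler is the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space mirror of the layout of struct sockaddr_can with its j1939
 * member (an assumed copy for illustration; the real definition lives in
 * <linux/can.h>). With 8-byte alignment of the u64 it is 24 bytes, with
 * padding after can_family (bytes 2-3) and after j1939.addr (bytes 21-23). */
struct demo_sockaddr_can {
	uint16_t can_family;
	int      can_ifindex;
	union {
		struct {
			uint64_t name;
			uint32_t pgn;
			uint8_t  addr;
		} j1939;
	} can_addr;
};

#define GARBAGE 0xAA /* stands in for whatever the caller's stack held before */

/* The pre-fix shape: assign every named field, leave the padding alone. */
static void fill_fieldwise(struct demo_sockaddr_can *a)
{
	a->can_family = 29;                          /* AF_CAN */
	a->can_ifindex = 3;
	a->can_addr.j1939.name = 0x0102030405060708ULL;
	a->can_addr.j1939.pgn = 0x0F004;             /* constructed sample values */
	a->can_addr.j1939.addr = 0x80;
}

/* The fix: clear the whole area first, then assign the fields. */
static void fill_cleared(struct demo_sockaddr_can *a)
{
	memset(a, 0, sizeof(*a));
	fill_fieldwise(a);
}

/* Simulate an uninitialized stack slot, run one of the fillers, copy the raw
 * bytes to `out` (as copy_to_user would) and count how many still carry the
 * garbage pattern, i.e. how many bytes would be leaked to user space. */
static size_t leaked_bytes(void (*fill)(struct demo_sockaddr_can *),
			   uint8_t *out, size_t out_len)
{
	struct demo_sockaddr_can a;
	size_t n = sizeof(a) < out_len ? sizeof(a) : out_len;
	size_t leaked = 0;

	memset(&a, GARBAGE, sizeof(a));
	fill(&a);
	memcpy(out, &a, n);
	for (size_t i = 0; i < n; i++)
		if (out[i] == GARBAGE)
			leaked++;
	return leaked;
}

int main(void)
{
	uint8_t raw[sizeof(struct demo_sockaddr_can)];
	size_t n = leaked_bytes(fill_fieldwise, raw, sizeof raw);

	printf("field-wise fill leaks %zu of %zu bytes at offsets:", n, sizeof raw);
	for (size_t i = 0; i < sizeof raw; i++)
		if (raw[i] == GARBAGE)
			printf(" %zu", i);
	printf("\nmemset-first fill leaks %zu bytes\n",
	       leaked_bytes(fill_cleared, raw, sizeof raw));
	return 0;
}
```

The sample values are chosen so that no field byte equals the 0xAA pattern; any 0xAA byte left in the copy is therefore padding that was never written. The same reasoning applies to any kernel struct copied to user space whole: padding is part of the copied bytes, so it has to be cleared explicitly.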
  2. 12 Aug, 2020 8 commits
  3. 11 Aug, 2020 11 commits
      Merge branch 'net-initialize-fastreuse-on-inet_inherit_port' · 633f5b6b
      David S. Miller authored
      Tim Froidcoeur says:
      
      ====================
      net: initialize fastreuse on inet_inherit_port
      
      In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or
      SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind
      behaviour or in the incorrect reuse of a bind.
      
      The kernel keeps track for each bind_bucket if all sockets in the
      bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags.
      These flags allow skipping the costly bind_conflict check when possible
      (meaning when all sockets have the proper SO_REUSE option).
      
      For every socket added to a bind_bucket, these flags need to be updated.
      As soon as a socket that does not support reuse is added, the flag is
      set to false and will never go back to true, unless the bind_bucket is
      deleted.
      
      Note that there is no mechanism to re-evaluate these flags when a socket
      is removed (this might make sense when removing a socket that would not
      allow reuse; this leaves room for a future patch).
      
      For this optimization to work, it is mandatory that these flags are
      properly initialized and updated.
      
      When a child socket is created from a listen socket in
      __inet_inherit_port, the TPROXY case could create a new bind bucket
      without properly initializing these flags, thus preventing the
      optimization from working. Alternatively, a socket not allowing reuse could
      be added to an existing bind bucket without updating the flags, causing
      bind_conflict to never be called as it should.
      
      Patch 1/2 refactors the fastreuse update code in inet_csk_get_port into a
      small helper function, making the actual fix tiny and easier to understand.
      
      Patch 2/2 calls this new helper when __inet_inherit_port decides to create
      a new bind_bucket or use a different bind_bucket than the one of the listen
      socket.
      
      v4: - rebase on latest linux/net master branch
      v3: - remove company disclaimer from automatic signature
      v2: - remove unnecessary cast
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: initialize fastreuse on inet_inherit_port · d76f3351
      Tim Froidcoeur authored
      In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or
      SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind
      behaviour or in the incorrect reuse of a bind.
      
      The kernel keeps track for each bind_bucket if all sockets in the
      bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags.
      These flags allow skipping the costly bind_conflict check when possible
      (meaning when all sockets have the proper SO_REUSE option).
      
      For every socket added to a bind_bucket, these flags need to be updated.
      As soon as a socket that does not support reuse is added, the flag is
      set to false and will never go back to true, unless the bind_bucket is
      deleted.
      
      Note that there is no mechanism to re-evaluate these flags when a socket
      is removed (this might make sense when removing a socket that would not
      allow reuse; this leaves room for a future patch).
      
      For this optimization to work, it is mandatory that these flags are
      properly initialized and updated.
      
      When a child socket is created from a listen socket in
      __inet_inherit_port, the TPROXY case could create a new bind bucket
      without properly initializing these flags, thus preventing the
      optimization from working. Alternatively, a socket not allowing reuse could
      be added to an existing bind bucket without updating the flags, causing
      bind_conflict to never be called as it should.
      
      Call inet_csk_update_fastreuse when __inet_inherit_port decides to create
      a new bind_bucket or use a different bind_bucket than the one of the
      listen socket.
      
      Fixes: 093d2823 ("tproxy: fix hash locking issue when using port redirection in __inet_inherit_port()")
      Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: refactor bind_bucket fastreuse into helper · 62ffc589
      Tim Froidcoeur authored
      Refactor the fastreuse update code in inet_csk_get_port into a small
      helper function that can be called from other places.
      Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
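The fastreuse bookkeeping that the merge description and both patches of this series discuss, as an added user-space model that is not the kernel's code. It keeps the two flags on a bucket, applies the "first owner sets, later owners can only clear" rule the helper embodies, and plays both failure modes from the description: a non-reuse child inherited into an existing bucket without the update lets a later SO_REUSEADDR bind skip the conflict scan and wrongly succeed, and a child placed into a fresh bucket without the update forces later binds through the slow path. The struct layout, function names, the simplified conflict rule and the error constant are assumptions; the real rules in inet_csk_bind_conflict() also involve addresses, UIDs and socket states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: a simplified model, not the kernel's inet_bind_bucket,
 * inet_csk_get_port() or __inet_inherit_port(). */
#define MODEL_EADDRINUSE 98
#define MAX_OWNERS 8

struct sock {
	bool reuse;      /* SO_REUSEADDR set */
	bool reuseport;  /* SO_REUSEPORT set */
	bool listening;
};

struct bind_bucket {
	bool fastreuse;      /* every owner allows SO_REUSEADDR sharing */
	bool fastreuseport;  /* every owner allows SO_REUSEPORT sharing */
	const struct sock *owners[MAX_OWNERS];
	size_t nowners;
};

/* A listening socket never shares its port via SO_REUSEADDR. */
static bool reuse_allows_sharing(const struct sock *sk)
{
	return sk->reuse && !sk->listening;
}

/* Model of the helper patch 1/2 factors out: the first owner sets the flags,
 * every later owner can only clear them. */
static void update_fastreuse(struct bind_bucket *tb, const struct sock *sk)
{
	if (tb->nowners == 0) {
		tb->fastreuse = reuse_allows_sharing(sk);
		tb->fastreuseport = sk->reuseport;
		return;
	}
	if (tb->fastreuse && !reuse_allows_sharing(sk))
		tb->fastreuse = false;
	if (tb->fastreuseport && !sk->reuseport)
		tb->fastreuseport = false;
}

static void add_owner(struct bind_bucket *tb, const struct sock *sk)
{
	if (tb->nowners < MAX_OWNERS)
		tb->owners[tb->nowners++] = sk;
}

/* Slow O(n) path, simplified rule: a port may be shared only when both sides
 * allow it through the same option. */
static bool bind_conflict(const struct bind_bucket *tb, const struct sock *sk)
{
	for (size_t i = 0; i < tb->nowners; i++) {
		const struct sock *o = tb->owners[i];
		bool ok_addr = reuse_allows_sharing(sk) && reuse_allows_sharing(o);
		bool ok_port = sk->reuseport && o->reuseport;
		if (!ok_addr && !ok_port)
			return true;
	}
	return false;
}

/* Model of the bind path: skip the scan when the flags say it is safe. */
static int get_port(struct bind_bucket *tb, const struct sock *sk, bool *took_fast_path)
{
	bool fast = (tb->fastreuse && sk->reuse) || (tb->fastreuseport && sk->reuseport);
	*took_fast_path = fast;
	if (!fast && bind_conflict(tb, sk))
		return -MODEL_EADDRINUSE;
	update_fastreuse(tb, sk);
	add_owner(tb, sk);
	return 0;
}

/* Model of the inherit path putting a TPROXY child into a bucket that is not
 * the listener's; `fixed` selects whether the flags are updated (patch 2/2). */
static void inherit_port(struct bind_bucket *tb, const struct sock *child, bool fixed)
{
	if (fixed)
		update_fastreuse(tb, child);
	add_owner(tb, child);
}

/* Existing bucket whose only owner allows SO_REUSEADDR sharing, then a child
 * that allows no sharing is inherited into it, then a fresh SO_REUSEADDR bind.
 * Returns that bind's result: 0 with the bug (wrong), -MODEL_EADDRINUSE fixed. */
static int scenario_shared_bucket(bool fixed)
{
	struct bind_bucket tb = {0};
	struct sock first = { .reuse = true }, child = {0}, newcomer = { .reuse = true };
	bool fast;

	get_port(&tb, &first, &fast);
	inherit_port(&tb, &child, fixed);
	return get_port(&tb, &newcomer, &fast);
}

/* Child lands in a freshly created bucket; with the bug the flags keep their
 * zero defaults and the next SO_REUSEPORT bind cannot take the fast path. */
static bool scenario_new_bucket_fast_path(bool fixed)
{
	struct bind_bucket tb = {0};
	struct sock child = { .reuseport = true }, next = { .reuseport = true };
	bool fast;

	inherit_port(&tb, &child, fixed);
	get_port(&tb, &next, &fast);
	return fast;
}

int main(void)
{
	printf("shared bucket, buggy: %d  fixed: %d\n",
	       scenario_shared_bucket(false), scenario_shared_bucket(true));
	printf("new bucket fast path, buggy: %d  fixed: %d\n",
	       scenario_new_bucket_fast_path(false), scenario_new_bucket_fast_path(true));
	return 0;
}
```

Both outcomes follow from one property the description states: the flags are only ever re-evaluated when an owner is added through the update helper, so every path that adds an owner, the inherit path included, has to call it.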
      net: phy: marvell10g: fix null pointer dereference · 1b8ef142
      Marek Behún authored
      Commit c3e302ed ("net: phy: marvell10g: fix temperature sensor on 2110")
      added a check for PHY ID via phydev->drv->phy_id in a function which is
      called by devres at a time when phydev->drv is already set to null by
      phy_remove function.
      
      This null pointer dereference can be triggered via SFP subsystem with a
      SFP module containing this Marvell PHY. When the SFP interface is put
      down, the SFP subsystem removes the PHY.
      
      Fixes: c3e302ed ("net: phy: marvell10g: fix temperature sensor on 2110")
      Signed-off-by: Marek Behún <marek.behun@nic.cz>
      Cc: Maxime Chevallier <maxime.chevallier@bootlin.com>
      Cc: Andrew Lunn <andrew@lunn.ch>
      Cc: Baruch Siach <baruch@tkos.co.il>
      Cc: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: Fix potential memory leak in proto_register() · 0f5907af
      Miaohe Lin authored
      If we failed to assign proto idx, we free the twsk_slab_name but forget to
      free the twsk_slab. Add a helper function tw_prot_cleanup() to free these
      together and also use this helper function in proto_unregister().
      
      Fixes: b45ce321 ("sock: fix potential memory leak in proto_register()")
      Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init · 50caa777
      Wang Hai authored
      Fix the missing clk_disable_unprepare() before return
      from emac_clks_phase1_init() in the error handling case.
      
      Fixes: b9b17deb ("net: emac: emac gigabit ethernet controller driver")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: Wang Hai <wanghai38@huawei.com>
      Acked-by: Timur Tabi <timur@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ionic_lif: Use devm_kcalloc() in ionic_qcq_alloc() · e7164200
      Xu Wang authored
      A multiplication for the size determination of a memory allocation
      indicated that an array data structure should be processed.
      Thus use the corresponding function "devm_kcalloc".
      Signed-off-by: Xu Wang <vulab@iscas.ac.cn>
      Acked-by: Shannon Nelson <snelson@pensando.io>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net/nfc/rawsock.c: add CAP_NET_RAW check. · 26896f01
      Qingyu Li authored
      When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.
      Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      hinic: fix strncpy output truncated compile warnings · 1dab5877
      Luo bin authored
      Fix the compile warnings "'strncpy' output truncated before
      terminating nul copying N bytes from a string of the same length".
      Signed-off-by: Luo bin <luobin9@huawei.com>
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      drivers/net/wan/x25_asy: Added needed_headroom and a skb->len check · c79f428d
      Xie He authored
      1. Added a skb->len check
      
      This driver expects upper layers to include a pseudo header of 1 byte
      when passing down a skb for transmission. This driver will read this
      1-byte header. This patch added a skb->len check before reading the
      header to make sure the header exists.
      
      2. Added needed_headroom
      
      When this driver transmits data,
        first this driver will remove a pseudo header of 1 byte,
        then the lapb module will prepend the LAPB header of 2 or 3 bytes.
      So the value of needed_headroom in this driver should be 3 - 1.
      
      Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
      Cc: Martin Schiller <ms@dev.tdt.de>
      Signed-off-by: Xie He <xie.he.0141@gmail.com>
      Acked-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net/tls: Fix kmap usage · b06c19d9
      Ira Weiny authored
      When MSG_OOB is specified to tls_device_sendpage() the mapped page is
      never unmapped.
      
      Hold off mapping the page until after the flags are checked and the page
      is actually needed.
      
      Fixes: e8f69799 ("net/tls: Add generic NIC offload infrastructure")
      Signed-off-by: Ira Weiny <ira.weiny@intel.com>
      Reviewed-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 10 Aug, 2020 5 commits
  5. 08 Aug, 2020 12 commits
  6. 07 Aug, 2020 1 commit