1. 03 11月, 2022 13 次提交
    • G
      net: mdio: fix undefined behavior in bit shift for __mdiobus_register · 40e4eb32
      Gaosheng Cui 提交于
      Shifting signed 32-bit value by 31 bits is undefined, so changing
      significant bit to unsigned. The UBSAN warning calltrace like below:
      
      UBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27
      left shift of 1 by 31 places cannot be represented in type 'int'
      Call Trace:
       <TASK>
       dump_stack_lvl+0x7d/0xa5
       dump_stack+0x15/0x1b
       ubsan_epilogue+0xe/0x4e
       __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
       __mdiobus_register+0x49d/0x4e0
       fixed_mdio_bus_init+0xd8/0x12d
       do_one_initcall+0x76/0x430
       kernel_init_freeable+0x3b3/0x422
       kernel_init+0x24/0x1e0
       ret_from_fork+0x1f/0x30
       </TASK>
      
      Fixes: 4fd5f812 ("phylib: allow incremental scanning of an mii bus")
      Signed-off-by: NGaosheng Cui <cuigaosheng1@huawei.com>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Link: https://lore.kernel.org/r/20221031132645.168421-1-cuigaosheng1@huawei.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      40e4eb32
    • J
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · dac1dc7e
      Jakub Kicinski 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      1) netlink socket notifier might win race to release objects that are
         already pending to be released via commit release path, reported by
         syzbot.
      
      2) No need to postpone flow rule release to commit release path, this
         triggered the syzbot report, complementary fix to previous patch.
      
      3) Use explicit signed chars in IPVS to unbreak arm, from Jason A. Donenfeld.
      
      4) Missing check for proc entry creation failure in IPVS, from Zhengchao Shao.
      
      5) Incorrect error path handling when BPF NAT fails to register, from
         Chen Zhongjin.
      
      6) Prevent huge memory allocation in ipset hash types, from Jozsef Kadlecsik.
      
      Except the incorrect BPF NAT error path which is broken in 6.1-rc, anything
      else has been broken for several releases.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: ipset: enforce documented limit to prevent allocating huge memory
        netfilter: nf_nat: Fix possible memory leak in nf_nat_init()
        ipvs: fix WARNING in ip_vs_app_net_cleanup()
        ipvs: fix WARNING in __ip_vs_cleanup_batch()
        ipvs: use explicitly signed chars
        netfilter: nf_tables: release flow rule object from commit path
        netfilter: nf_tables: netlink notifier might race to release objects
      ====================
      
      Link: https://lore.kernel.org/r/20221102184659.2502-1-pablo@netfilter.orgSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      dac1dc7e
    • J
      Merge tag 'for-net-2022-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · ef1fdc93
      Jakub Kicinski 提交于
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth 2022-11-02
      
       - Fix memory leak in hci_vhci driver
       - Fix handling of skb on virtio_bt driver
       - Fix accepting connection for invalid L2CAP PSM
       - Fix attemting to access uninitialized memory
       - Fix use-after-free in l2cap_reassemble_sdu
       - Fix use-after-free in l2cap_conn_del
       - Fix handling of destination address type for CIS
       - Fix not restoring ISO buffer count on disconnect
      
      * tag 'for-net-2022-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: L2CAP: Fix attempting to access uninitialized memory
        Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
        Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
        Bluetooth: hci_conn: Fix not restoring ISO buffer count on disconnect
        Bluetooth: L2CAP: Fix memory leak in vhci_write
        Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
        Bluetooth: virtio_bt: Use skb_put to set length
        Bluetooth: hci_conn: Fix CIS connection dst_type handling
        Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
      ====================
      
      Link: https://lore.kernel.org/r/20221102235927.3324891-1-luiz.dentz@gmail.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      ef1fdc93
    • L
      Bluetooth: L2CAP: Fix attempting to access uninitialized memory · b1a2cd50
      Luiz Augusto von Dentz 提交于
      On l2cap_parse_conf_req the variable efs is only initialized if
      remote_efs has been set.
      
      CVE: CVE-2022-42895
      CC: stable@vger.kernel.org
      Reported-by: NTamás Koczka <poprdi@google.com>
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: NTedd Ho-Jeong An <tedd.an@intel.com>
      b1a2cd50
    • L
      Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm · f937b758
      Luiz Augusto von Dentz 提交于
      l2cap_global_chan_by_psm shall not return fixed channels as they are not
      meant to be connected by (S)PSM.
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: NTedd Ho-Jeong An <tedd.an@intel.com>
      f937b758
    • L
      Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM · 711f8c3f
      Luiz Augusto von Dentz 提交于
      The Bluetooth spec states that the valid range for SPSM is from
      0x0001-0x00ff so it is invalid to accept values outside of this range:
      
        BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
        page 1059:
        Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
      
      CVE: CVE-2022-42896
      CC: stable@vger.kernel.org
      Reported-by: NTamás Koczka <poprdi@google.com>
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: NTedd Ho-Jeong An <tedd.an@intel.com>
      711f8c3f
    • L
      Bluetooth: hci_conn: Fix not restoring ISO buffer count on disconnect · 5638d9ea
      Luiz Augusto von Dentz 提交于
      When disconnecting an ISO link the controller may not generate
      HCI_EV_NUM_COMP_PKTS for unacked packets which needs to be restored in
      hci_conn_del otherwise the host would assume they are still in use and
      would not be able to use all the buffers available.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Tested-by: NFrédéric Danis <frederic.danis@collabora.com>
      5638d9ea
    • H
      Bluetooth: L2CAP: Fix memory leak in vhci_write · 7c9524d9
      Hawkins Jiawei 提交于
      Syzkaller reports a memory leak as follows:
      ====================================
      BUG: memory leak
      unreferenced object 0xffff88810d81ac00 (size 240):
        [...]
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418
          [<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]
          [<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]
          [<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]
          [<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511
          [<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]
          [<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]
          [<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578
          [<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631
          [<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
          [<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
          [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      ====================================
      
      HCI core will uses hci_rx_work() to process frame, which is queued to
      the hdev->rx_q tail in hci_recv_frame() by HCI driver.
      
      Yet the problem is that, HCI core may not free the skb after handling
      ACL data packets. To be more specific, when start fragment does not
      contain the L2CAP length, HCI core just copies skb into conn->rx_skb and
      finishes frame process in l2cap_recv_acldata(), without freeing the skb,
      which triggers the above memory leak.
      
      This patch solves it by releasing the relative skb, after processing
      the above case in l2cap_recv_acldata().
      
      Fixes: 4d7ea8ee ("Bluetooth: L2CAP: Fix handling fragmented length")
      Link: https://lore.kernel.org/all/0000000000000d0b1905e6aaef64@google.com/
      Reported-and-tested-by: syzbot+8f819e36e01022991cfa@syzkaller.appspotmail.com
      Signed-off-by: NHawkins Jiawei <yin31149@gmail.com>
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      7c9524d9
    • Z
      Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() · 0d0e2d03
      Zhengchao Shao 提交于
      When l2cap_recv_frame() is invoked to receive data, and the cid is
      L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
      However, after a channel is created, the hold operation of the channel
      is not performed. In this case, the value of channel reference counting
      is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
      invokes the close hook function of A2MP to release the channel. Then
       l2cap_chan_unlock(chan) will trigger UAF issue.
      
      The process is as follows:
      Receive data:
      l2cap_data_channel()
          a2mp_channel_create()  --->channel ref is 2
          l2cap_chan_put()       --->channel ref is 1
      
      Triger event:
          hci_error_reset()
              hci_dev_do_close()
              ...
              l2cap_disconn_cfm()
                  l2cap_conn_del()
                      l2cap_chan_hold()    --->channel ref is 2
                      l2cap_chan_del()     --->channel ref is 1
                      a2mp_chan_close_cb() --->channel ref is 0, release channel
                      l2cap_chan_unlock()  --->UAF of channel
      
      The detailed Call Trace is as follows:
      BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
      Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
      Workqueue: hci0 hci_error_reset
      Call Trace:
       <TASK>
       dump_stack_lvl+0xcd/0x134
       print_report.cold+0x2ba/0x719
       kasan_report+0xb1/0x1e0
       kasan_check_range+0x140/0x190
       __mutex_unlock_slowpath+0xa6/0x5e0
       l2cap_conn_del+0x404/0x7b0
       l2cap_disconn_cfm+0x8c/0xc0
       hci_conn_hash_flush+0x11f/0x260
       hci_dev_close_sync+0x5f5/0x11f0
       hci_dev_do_close+0x2d/0x70
       hci_error_reset+0x9e/0x140
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
       </TASK>
      
      Allocated by task 7593:
       kasan_save_stack+0x1e/0x40
       __kasan_kmalloc+0xa9/0xd0
       l2cap_chan_create+0x40/0x930
       amp_mgr_create+0x96/0x990
       a2mp_channel_create+0x7d/0x150
       l2cap_recv_frame+0x51b8/0x9a70
       l2cap_recv_acldata+0xaa3/0xc00
       hci_rx_work+0x702/0x1220
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
      
      Freed by task 7593:
       kasan_save_stack+0x1e/0x40
       kasan_set_track+0x21/0x30
       kasan_set_free_info+0x20/0x30
       ____kasan_slab_free+0x167/0x1c0
       slab_free_freelist_hook+0x89/0x1c0
       kfree+0xe2/0x580
       l2cap_chan_put+0x22a/0x2d0
       l2cap_conn_del+0x3fc/0x7b0
       l2cap_disconn_cfm+0x8c/0xc0
       hci_conn_hash_flush+0x11f/0x260
       hci_dev_close_sync+0x5f5/0x11f0
       hci_dev_do_close+0x2d/0x70
       hci_error_reset+0x9e/0x140
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
      
      Last potentially related work creation:
       kasan_save_stack+0x1e/0x40
       __kasan_record_aux_stack+0xbe/0xd0
       call_rcu+0x99/0x740
       netlink_release+0xe6a/0x1cf0
       __sock_release+0xcd/0x280
       sock_close+0x18/0x20
       __fput+0x27c/0xa90
       task_work_run+0xdd/0x1a0
       exit_to_user_mode_prepare+0x23c/0x250
       syscall_exit_to_user_mode+0x19/0x50
       do_syscall_64+0x42/0x80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Second to last potentially related work creation:
       kasan_save_stack+0x1e/0x40
       __kasan_record_aux_stack+0xbe/0xd0
       call_rcu+0x99/0x740
       netlink_release+0xe6a/0x1cf0
       __sock_release+0xcd/0x280
       sock_close+0x18/0x20
       __fput+0x27c/0xa90
       task_work_run+0xdd/0x1a0
       exit_to_user_mode_prepare+0x23c/0x250
       syscall_exit_to_user_mode+0x19/0x50
       do_syscall_64+0x42/0x80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: d0be8347 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
      Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      0d0e2d03
    • S
      Bluetooth: virtio_bt: Use skb_put to set length · 160fbcf3
      Soenke Huster 提交于
      By using skb_put we ensure that skb->tail is set
      correctly. Currently, skb->tail is always zero, which
      leads to errors, such as the following page fault in
      rfcomm_recv_frame:
      
          BUG: unable to handle page fault for address: ffffed1021de29ff
          #PF: supervisor read access in kernel mode
          #PF: error_code(0x0000) - not-present page
          RIP: 0010:rfcomm_run+0x831/0x4040 (net/bluetooth/rfcomm/core.c:1751)
      
      Fixes: afd2daa2 ("Bluetooth: Add support for virtio transport driver")
      Signed-off-by: NSoenke Huster <soenke.huster@eknoes.de>
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      160fbcf3
    • P
      Bluetooth: hci_conn: Fix CIS connection dst_type handling · b36a234d
      Pauli Virtanen 提交于
      hci_connect_cis and iso_connect_cis call hci_bind_cis inconsistently
      with dst_type being either ISO socket address type or the HCI type, but
      these values cannot be mixed like this. Fix this by using only the HCI
      type.
      
      CIS connection dst_type was also not initialized in hci_bind_cis, even
      though it is used in hci_conn_hash_lookup_cis to find existing
      connections.  Set the value in hci_bind_cis, so that existing CIS
      connections are found e.g. when doing deferred socket connections, also
      when dst_type is not 0 (ADDR_LE_DEV_PUBLIC).
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: NPauli Virtanen <pav@iki.fi>
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      b36a234d
    • M
      Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu · 3aff8aac
      Maxim Mikityanskiy 提交于
      Fix the race condition between the following two flows that run in
      parallel:
      
      1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) ->
         __sock_queue_rcv_skb.
      
      2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.
      
      An SKB can be queued by the first flow and immediately dequeued and
      freed by the second flow, therefore the callers of l2cap_reassemble_sdu
      can't use the SKB after that function returns. However, some places
      continue accessing struct l2cap_ctrl that resides in the SKB's CB for a
      short time after l2cap_reassemble_sdu returns, leading to a
      use-after-free condition (the stack trace is below, line numbers for
      kernel 5.19.8).
      
      Fix it by keeping a local copy of struct l2cap_ctrl.
      
      BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
      Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169
      
      Workqueue: hci0 hci_rx_work [bluetooth]
      Call Trace:
       <TASK>
       dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
       print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)
       ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
       kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
       ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
       l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
       l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth
       ret_from_fork (arch/x86/entry/entry_64.S:306)
       </TASK>
      
      Allocated by task 43169:
       kasan_save_stack (mm/kasan/common.c:39)
       __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
       kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)
       __alloc_skb (net/core/skbuff.c:414)
       l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth
       l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth
       hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth
       process_one_work (kernel/workqueue.c:2289)
       worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)
       kthread (kernel/kthread.c:376)
       ret_from_fork (arch/x86/entry/entry_64.S:306)
      
      Freed by task 27920:
       kasan_save_stack (mm/kasan/common.c:39)
       kasan_set_track (mm/kasan/common.c:45)
       kasan_set_free_info (mm/kasan/generic.c:372)
       ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)
       slab_free_freelist_hook (mm/slub.c:1780)
       kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)
       skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)
       bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth
       l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth
       sock_read_iter (net/socket.c:1087)
       new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)
       vfs_read (fs/read_write.c:482)
       ksys_read (fs/read_write.c:620)
       do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
       entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      
      Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u
      Fixes: d2a7ac5d ("Bluetooth: Add the ERTM receive state machine")
      Fixes: 4b51dae9 ("Bluetooth: Add streaming mode receive and incoming packet classifier")
      Signed-off-by: NMaxim Mikityanskiy <maxtram95@gmail.com>
      Signed-off-by: NLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      3aff8aac
    • J
      netfilter: ipset: enforce documented limit to prevent allocating huge memory · 510841da
      Jozsef Kadlecsik 提交于
      Daniel Xu reported that the hash:net,iface type of the ipset subsystem does
      not limit adding the same network with different interfaces to a set, which
      can lead to huge memory usage or allocation failure.
      
      The quick reproducer is
      
      $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0
      $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done
      
      The backtrace when vmalloc fails:
      
              [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages
              <...>
              [Tue Oct 25 00:13:08 2022] Call Trace:
              [Tue Oct 25 00:13:08 2022]  <TASK>
              [Tue Oct 25 00:13:08 2022]  dump_stack_lvl+0x48/0x60
              [Tue Oct 25 00:13:08 2022]  warn_alloc+0x155/0x180
              [Tue Oct 25 00:13:08 2022]  __vmalloc_node_range+0x72a/0x760
              [Tue Oct 25 00:13:08 2022]  ? hash_netiface4_add+0x7c0/0xb20
              [Tue Oct 25 00:13:08 2022]  ? __kmalloc_large_node+0x4a/0x90
              [Tue Oct 25 00:13:08 2022]  kvmalloc_node+0xa6/0xd0
              [Tue Oct 25 00:13:08 2022]  ? hash_netiface4_resize+0x99/0x710
              <...>
      
      The fix is to enforce the limit documented in the ipset(8) manpage:
      
      >  The internal restriction of the hash:net,iface set type is that the same
      >  network prefix cannot be stored with more than 64 different interfaces
      >  in a single set.
      
      Fixes: ccf0a4b7 ("netfilter: ipset: Add bucketsize parameter to all hash types")
      Reported-by: NDaniel Xu <dxu@dxuuu.xyz>
      Signed-off-by: NJozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      510841da
  2. 02 11月, 2022 15 次提交
  3. 01 11月, 2022 4 次提交
    • P
      netfilter: nf_tables: release flow rule object from commit path · 26b5934f
      Pablo Neira Ayuso 提交于
      No need to postpone this to the commit release path, since no packets
      are walking over this object, this is accessed from control plane only.
      This helped uncovered UAF triggered by races with the netlink notifier.
      
      Fixes: 9dd732e0 ("netfilter: nf_tables: memleak flow rule from commit path")
      Reported-by: syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      26b5934f
    • P
      netfilter: nf_tables: netlink notifier might race to release objects · d4bc8271
      Pablo Neira Ayuso 提交于
      commit release path is invoked via call_rcu and it runs lockless to
      release the objects after rcu grace period. The netlink notifier handler
      might win race to remove objects that the transaction context is still
      referencing from the commit release path.
      
      Call rcu_barrier() to ensure pending rcu callbacks run to completion
      if the list of transactions to be destroyed is not empty.
      
      Fixes: 6001a930 ("netfilter: nftables: introduce table ownership")
      Reported-by: syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      d4bc8271
    • Z
      net: tun: fix bugs for oversize packet when napi frags enabled · 363a5328
      Ziyang Xuan 提交于
      Recently, we got two syzkaller problems because of oversize packet
      when napi frags enabled.
      
      One of the problems is because the first seg size of the iov_iter
      from user space is very big, it is 2147479538 which is bigger than
      the threshold value for bail out early in __alloc_pages(). And
      skb->pfmemalloc is true, __kmalloc_reserve() would use pfmemalloc
      reserves without __GFP_NOWARN flag. Thus we got a warning as following:
      
      ========================================================
      WARNING: CPU: 1 PID: 17965 at mm/page_alloc.c:5295 __alloc_pages+0x1308/0x16c4 mm/page_alloc.c:5295
      ...
      Call trace:
       __alloc_pages+0x1308/0x16c4 mm/page_alloc.c:5295
       __alloc_pages_node include/linux/gfp.h:550 [inline]
       alloc_pages_node include/linux/gfp.h:564 [inline]
       kmalloc_large_node+0x94/0x350 mm/slub.c:4038
       __kmalloc_node_track_caller+0x620/0x8e4 mm/slub.c:4545
       __kmalloc_reserve.constprop.0+0x1e4/0x2b0 net/core/skbuff.c:151
       pskb_expand_head+0x130/0x8b0 net/core/skbuff.c:1654
       __skb_grow include/linux/skbuff.h:2779 [inline]
       tun_napi_alloc_frags+0x144/0x610 drivers/net/tun.c:1477
       tun_get_user+0x31c/0x2010 drivers/net/tun.c:1835
       tun_chr_write_iter+0x98/0x100 drivers/net/tun.c:2036
      
      The other problem is because odd IPv6 packets without NEXTHDR_NONE
      extension header and have big packet length, it is 2127925 which is
      bigger than ETH_MAX_MTU(65535). After ipv6_gso_pull_exthdrs() in
      ipv6_gro_receive(), network_header offset and transport_header offset
      are all bigger than U16_MAX. That would trigger skb->network_header
      and skb->transport_header overflow error, because they are all '__u16'
      type. Eventually, it would affect the value for __skb_push(skb, value),
      and make it be a big value. After __skb_push() in ipv6_gro_receive(),
      skb->data would less than skb->head, an out of bounds memory bug occurred.
      That would trigger the problem as following:
      
      ==================================================================
      BUG: KASAN: use-after-free in eth_type_trans+0x100/0x260
      ...
      Call trace:
       dump_backtrace+0xd8/0x130
       show_stack+0x1c/0x50
       dump_stack_lvl+0x64/0x7c
       print_address_description.constprop.0+0xbc/0x2e8
       print_report+0x100/0x1e4
       kasan_report+0x80/0x120
       __asan_load8+0x78/0xa0
       eth_type_trans+0x100/0x260
       napi_gro_frags+0x164/0x550
       tun_get_user+0xda4/0x1270
       tun_chr_write_iter+0x74/0x130
       do_iter_readv_writev+0x130/0x1ec
       do_iter_write+0xbc/0x1e0
       vfs_writev+0x13c/0x26c
      
      To fix the problems, restrict the packet size less than
      (ETH_MAX_MTU - NET_SKB_PAD - NET_IP_ALIGN) which has considered reserved
      skb space in napi_alloc_skb() because transport_header is an offset from
      skb->head. Add len check in tun_napi_alloc_frags() simply.
      
      Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver")
      Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221029094101.1653855-1-william.xuanziyang@huawei.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      363a5328
    • R
      ibmvnic: change maintainers for vnic driver · e230d36f
      Rick Lindsley 提交于
      Changed maintainers for vnic driver, since Dany has new responsibilities.
      Also added Nick Child as reviewer.
      Signed-off-by: NRick Lindsley <ricklind@us.ibm.com>
      Link: https://lore.kernel.org/r/20221028203509.4070154-1-ricklind@us.ibm.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      e230d36f
  4. 31 10月, 2022 7 次提交
  5. 29 10月, 2022 1 次提交
    • V
      net: dsa: fall back to default tagger if we can't load the one from DT · a2c65a9d
      Vladimir Oltean 提交于
      DSA tagging protocol drivers can be changed at runtime through sysfs and
      at probe time through the device tree (support for the latter was added
      later).
      
      When changing through sysfs, it is assumed that the module for the new
      tagging protocol was already loaded into the kernel (in fact this is
      only a concern for Ocelot/Felix switches, where we have tag_ocelot.ko
      and tag_ocelot_8021q.ko; for every other switch, the default and
      alternative protocols are compiled within the same .ko, so there is
      nothing for the user to load).
      
      The kernel cannot currently call request_module(), because it has no way
      of constructing the modalias name of the tagging protocol driver
      ("dsa_tag-%d", where the number is one of DSA_TAG_PROTO_*_VALUE).
      The device tree only contains the string name of the tagging protocol
      ("ocelot-8021q"), and the only mapping between the string and the
      DSA_TAG_PROTO_OCELOT_8021Q_VALUE is present in tag_ocelot_8021q.ko.
      So this is a chicken-and-egg situation and dsa_core.ko has nothing based
      on which it can automatically request the insertion of the module.
      
      As a consequence, if CONFIG_NET_DSA_TAG_OCELOT_8021Q is built as module,
      the switch will forever defer probing.
      
      The long-term solution is to make DSA call request_module() somehow,
      but that probably needs some refactoring.
      
      What we can do to keep operating with existing device tree blobs is to
      cancel the attempt to change the tagging protocol with the one specified
      there, and to remain operating with the default one. Depending on the
      situation, the default protocol might still allow some functionality
      (in the case of ocelot, it does), and it's better to have that than to
      fail to probe.
      
      Fixes: deff7107 ("net: dsa: Allow default tag protocol to be overridden from DT")
      Link: https://lore.kernel.org/lkml/20221027113248.420216-1-michael@walle.cc/Reported-by: NHeiko Thiery <heiko.thiery@gmail.com>
      Reported-by: NMichael Walle <michael@walle.cc>
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Tested-by: NMichael Walle <michael@walle.cc>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/20221027145439.3086017-1-vladimir.oltean@nxp.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      a2c65a9d