1. 11 2月, 2022 6 次提交
  2. 10 2月, 2022 9 次提交
  3. 09 2月, 2022 25 次提交
    • D
      Merge branch 'vlan-QinQ-leak-fix' · 3bed06e3
      David S. Miller 提交于
      Xin Long says:
      
      ====================
      vlan: fix a netdev refcnt leak for QinQ
      
      This issue can be simply reproduced by:
      
        # ip link add dummy0 type dummy
        # ip link add link dummy0 name dummy0.1 type vlan id 1
        # ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
        # rmmod 8021q
      
       unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1
      
      So as to fix it, adjust vlan_dev_uninit() in Patch 1/1 so that it won't
      be called twice for the same device, then do the fix in vlan_dev_uninit()
      in Patch 2/2.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3bed06e3
    • X
      vlan: move dev_put into vlan_dev_uninit · d6ff94af
      Xin Long 提交于
      Shuang Li reported an QinQ issue by simply doing:
      
        # ip link add dummy0 type dummy
        # ip link add link dummy0 name dummy0.1 type vlan id 1
        # ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
        # rmmod 8021q
      
       unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1
      
      When rmmods 8021q, all vlan devs are deleted from their real_dev's vlan grp
      and added into list_kill by unregister_vlan_dev(). dummy0.1 is unregistered
      before dummy0.1.2, as it's using for_each_netdev() in __rtnl_kill_links().
      
      When unregisters dummy0.1, dummy0.1.2 is not unregistered in the event of
      NETDEV_UNREGISTER, as it's been deleted from dummy0.1's vlan grp. However,
      due to dummy0.1.2 still holding dummy0.1, dummy0.1 will keep waiting in
      netdev_wait_allrefs(), while dummy0.1.2 will never get unregistered and
      release dummy0.1, as it delays dev_put until calling dev->priv_destructor,
      vlan_dev_free().
      
      This issue was introduced by Commit 563bcbae ("net: vlan: fix a UAF in
      vlan_dev_real_dev()"), and this patch is to fix it by moving dev_put() into
      vlan_dev_uninit(), which is called after NETDEV_UNREGISTER event but before
      netdev_wait_allrefs().
      
      Fixes: 563bcbae ("net: vlan: fix a UAF in vlan_dev_real_dev()")
      Reported-by: NShuang Li <shuali@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d6ff94af
    • X
      vlan: introduce vlan_dev_free_egress_priority · 37aa50c5
      Xin Long 提交于
      This patch is to introduce vlan_dev_free_egress_priority() to
      free egress priority for vlan dev, and keep vlan_dev_uninit()
      static as .ndo_uninit. It makes the code more clear and safer
      when adding new code in vlan_dev_uninit() in the future.
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      37aa50c5
    • D
      ax25: fix UAF bugs of net_device caused by rebinding operation · feef318c
      Duoming Zhou 提交于
      The ax25_kill_by_device() will set s->ax25_dev = NULL and
      call ax25_disconnect() to change states of ax25_cb and
      sock, if we call ax25_bind() before ax25_kill_by_device().
      
      However, if we call ax25_bind() again between the window of
      ax25_kill_by_device() and ax25_dev_device_down(), the values
      and states changed by ax25_kill_by_device() will be reassigned.
      
      Finally, ax25_dev_device_down() will deallocate net_device.
      If we dereference net_device in syscall functions such as
      ax25_release(), ax25_sendmsg(), ax25_getsockopt(), ax25_getname()
      and ax25_info_show(), a UAF bug will occur.
      
      One of the possible race conditions is shown below:
      
            (USE)                   |      (FREE)
      ax25_bind()                   |
                                    |  ax25_kill_by_device()
      ax25_bind()                   |
      ax25_connect()                |    ...
                                    |  ax25_dev_device_down()
                                    |    ...
                                    |    dev_put_track(dev, ...) //FREE
      ax25_release()                |    ...
        ax25_send_control()         |
          alloc_skb()      //USE    |
      
      the corresponding fail log is shown below:
      ===============================================================
      BUG: KASAN: use-after-free in ax25_send_control+0x43/0x210
      ...
      Call Trace:
        ...
        ax25_send_control+0x43/0x210
        ax25_release+0x2db/0x3b0
        __sock_release+0x6d/0x120
        sock_close+0xf/0x20
        __fput+0x11f/0x420
        ...
      Allocated by task 1283:
        ...
        __kasan_kmalloc+0x81/0xa0
        alloc_netdev_mqs+0x5a/0x680
        mkiss_open+0x6c/0x380
        tty_ldisc_open+0x55/0x90
        ...
      Freed by task 1969:
        ...
        kfree+0xa3/0x2c0
        device_release+0x54/0xe0
        kobject_put+0xa5/0x120
        tty_ldisc_kill+0x3e/0x80
        ...
      
      In order to fix these UAF bugs caused by rebinding operation,
      this patch adds dev_hold_track() into ax25_bind() and
      corresponding dev_put_track() into ax25_kill_by_device().
      Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      feef318c
    • V
      net: dsa: fix panic when DSA master device unbinds on shutdown · ee534378
      Vladimir Oltean 提交于
      Rafael reports that on a system with LX2160A and Marvell DSA switches,
      if a reboot occurs while the DSA master (dpaa2-eth) is up, the following
      panic can be seen:
      
      systemd-shutdown[1]: Rebooting.
      Unable to handle kernel paging request at virtual address 00a0000800000041
      [00a0000800000041] address between user and kernel address ranges
      Internal error: Oops: 96000004 [#1] PREEMPT SMP
      CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32
      pc : dsa_slave_netdevice_event+0x130/0x3e4
      lr : raw_notifier_call_chain+0x50/0x6c
      Call trace:
       dsa_slave_netdevice_event+0x130/0x3e4
       raw_notifier_call_chain+0x50/0x6c
       call_netdevice_notifiers_info+0x54/0xa0
       __dev_close_many+0x50/0x130
       dev_close_many+0x84/0x120
       unregister_netdevice_many+0x130/0x710
       unregister_netdevice_queue+0x8c/0xd0
       unregister_netdev+0x20/0x30
       dpaa2_eth_remove+0x68/0x190
       fsl_mc_driver_remove+0x20/0x5c
       __device_release_driver+0x21c/0x220
       device_release_driver_internal+0xac/0xb0
       device_links_unbind_consumers+0xd4/0x100
       __device_release_driver+0x94/0x220
       device_release_driver+0x28/0x40
       bus_remove_device+0x118/0x124
       device_del+0x174/0x420
       fsl_mc_device_remove+0x24/0x40
       __fsl_mc_device_remove+0xc/0x20
       device_for_each_child+0x58/0xa0
       dprc_remove+0x90/0xb0
       fsl_mc_driver_remove+0x20/0x5c
       __device_release_driver+0x21c/0x220
       device_release_driver+0x28/0x40
       bus_remove_device+0x118/0x124
       device_del+0x174/0x420
       fsl_mc_bus_remove+0x80/0x100
       fsl_mc_bus_shutdown+0xc/0x1c
       platform_shutdown+0x20/0x30
       device_shutdown+0x154/0x330
       __do_sys_reboot+0x1cc/0x250
       __arm64_sys_reboot+0x20/0x30
       invoke_syscall.constprop.0+0x4c/0xe0
       do_el0_svc+0x4c/0x150
       el0_svc+0x24/0xb0
       el0t_64_sync_handler+0xa8/0xb0
       el0t_64_sync+0x178/0x17c
      
      It can be seen from the stack trace that the problem is that the
      deregistration of the master causes a dev_close(), which gets notified
      as NETDEV_GOING_DOWN to dsa_slave_netdevice_event().
      But dsa_switch_shutdown() has already run, and this has unregistered the
      DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to
      call dev_close_many() on those slave interfaces, leading to the problem.
      
      The previous attempt to avoid the NETDEV_GOING_DOWN on the master after
      dsa_switch_shutdown() was called seems improper. Unregistering the slave
      interfaces is unnecessary and unhelpful. Instead, after the slaves have
      stopped being uppers of the DSA master, we can now reset to NULL the
      master->dsa_ptr pointer, which will make DSA start ignoring all future
      notifier events on the master.
      
      Fixes: 0650bf52 ("net: dsa: be compatible with masters which unregister on shutdown")
      Reported-by: NRafael Richter <rafael.richter@gin.de>
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ee534378
    • R
      net: amd-xgbe: disable interrupts during pci removal · 68c2d6af
      Raju Rangoju 提交于
      Hardware interrupts are enabled during the pci probe, however,
      they are not disabled during pci removal.
      
      Disable all hardware interrupts during pci removal to avoid any
      issues.
      
      Fixes: e7537740 ("amd-xgbe: Update PCI support to use new IRQ functions")
      Suggested-by: NSelwin Sebastian <Selwin.Sebastian@amd.com>
      Signed-off-by: NRaju Rangoju <Raju.Rangoju@amd.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      68c2d6af
    • J
      tipc: rate limit warning for received illegal binding update · c7223d68
      Jon Maloy 提交于
      It would be easy to craft a message containing an illegal binding table
      update operation. This is handled correctly by the code, but the
      corresponding warning printout is not rate limited as is should be.
      We fix this now.
      
      Fixes: b97bf3fd ("[TIPC] Initial merge")
      Signed-off-by: NJon Maloy <jmaloy@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c7223d68
    • J
      net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE · bc1c3c3b
      Joel Stanley 提交于
      Fix loading of the driver when built as a module.
      
      Fixes: f160e994 ("net: phy: Add mdio-aspeed")
      Signed-off-by: NJoel Stanley <joel@jms.id.au>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Acked-by: NAndrew Jeffery <andrew@aj.id.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bc1c3c3b
    • E
      veth: fix races around rq->rx_notify_masked · 68468d8c
      Eric Dumazet 提交于
      veth being NETIF_F_LLTX enabled, we need to be more careful
      whenever we read/write rq->rx_notify_masked.
      
      BUG: KCSAN: data-race in veth_xmit / veth_xmit
      
      write to 0xffff888133d9a9f8 of 1 bytes by task 23552 on cpu 0:
       __veth_xdp_flush drivers/net/veth.c:269 [inline]
       veth_xmit+0x307/0x470 drivers/net/veth.c:350
       __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
       netdev_start_xmit include/linux/netdevice.h:4697 [inline]
       xmit_one+0x105/0x2f0 net/core/dev.c:3473
       dev_hard_start_xmit net/core/dev.c:3489 [inline]
       __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
       dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
       br_dev_queue_push_xmit+0x3ce/0x430 net/bridge/br_forward.c:53
       NF_HOOK include/linux/netfilter.h:307 [inline]
       br_forward_finish net/bridge/br_forward.c:66 [inline]
       NF_HOOK include/linux/netfilter.h:307 [inline]
       __br_forward+0x2e4/0x400 net/bridge/br_forward.c:115
       br_flood+0x521/0x5c0 net/bridge/br_forward.c:242
       br_dev_xmit+0x8b6/0x960
       __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
       netdev_start_xmit include/linux/netdevice.h:4697 [inline]
       xmit_one+0x105/0x2f0 net/core/dev.c:3473
       dev_hard_start_xmit net/core/dev.c:3489 [inline]
       __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
       dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
       neigh_hh_output include/net/neighbour.h:525 [inline]
       neigh_output include/net/neighbour.h:539 [inline]
       ip_finish_output2+0x6f8/0xb70 net/ipv4/ip_output.c:228
       ip_finish_output+0xfb/0x240 net/ipv4/ip_output.c:316
       NF_HOOK_COND include/linux/netfilter.h:296 [inline]
       ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
       dst_output include/net/dst.h:451 [inline]
       ip_local_out net/ipv4/ip_output.c:126 [inline]
       ip_send_skb+0x6e/0xe0 net/ipv4/ip_output.c:1570
       udp_send_skb+0x641/0x880 net/ipv4/udp.c:967
       udp_sendmsg+0x12ea/0x14c0 net/ipv4/udp.c:1254
       inet_sendmsg+0x5f/0x80 net/ipv4/af_inet.c:819
       sock_sendmsg_nosec net/socket.c:705 [inline]
       sock_sendmsg net/socket.c:725 [inline]
       ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
       ___sys_sendmsg net/socket.c:2467 [inline]
       __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553
       __do_sys_sendmmsg net/socket.c:2582 [inline]
       __se_sys_sendmmsg net/socket.c:2579 [inline]
       __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      read to 0xffff888133d9a9f8 of 1 bytes by task 23563 on cpu 1:
       __veth_xdp_flush drivers/net/veth.c:268 [inline]
       veth_xmit+0x2d6/0x470 drivers/net/veth.c:350
       __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
       netdev_start_xmit include/linux/netdevice.h:4697 [inline]
       xmit_one+0x105/0x2f0 net/core/dev.c:3473
       dev_hard_start_xmit net/core/dev.c:3489 [inline]
       __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
       dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
       br_dev_queue_push_xmit+0x3ce/0x430 net/bridge/br_forward.c:53
       NF_HOOK include/linux/netfilter.h:307 [inline]
       br_forward_finish net/bridge/br_forward.c:66 [inline]
       NF_HOOK include/linux/netfilter.h:307 [inline]
       __br_forward+0x2e4/0x400 net/bridge/br_forward.c:115
       br_flood+0x521/0x5c0 net/bridge/br_forward.c:242
       br_dev_xmit+0x8b6/0x960
       __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
       netdev_start_xmit include/linux/netdevice.h:4697 [inline]
       xmit_one+0x105/0x2f0 net/core/dev.c:3473
       dev_hard_start_xmit net/core/dev.c:3489 [inline]
       __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
       dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
       neigh_hh_output include/net/neighbour.h:525 [inline]
       neigh_output include/net/neighbour.h:539 [inline]
       ip_finish_output2+0x6f8/0xb70 net/ipv4/ip_output.c:228
       ip_finish_output+0xfb/0x240 net/ipv4/ip_output.c:316
       NF_HOOK_COND include/linux/netfilter.h:296 [inline]
       ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
       dst_output include/net/dst.h:451 [inline]
       ip_local_out net/ipv4/ip_output.c:126 [inline]
       ip_send_skb+0x6e/0xe0 net/ipv4/ip_output.c:1570
       udp_send_skb+0x641/0x880 net/ipv4/udp.c:967
       udp_sendmsg+0x12ea/0x14c0 net/ipv4/udp.c:1254
       inet_sendmsg+0x5f/0x80 net/ipv4/af_inet.c:819
       sock_sendmsg_nosec net/socket.c:705 [inline]
       sock_sendmsg net/socket.c:725 [inline]
       ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
       ___sys_sendmsg net/socket.c:2467 [inline]
       __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553
       __do_sys_sendmmsg net/socket.c:2582 [inline]
       __se_sys_sendmmsg net/socket.c:2579 [inline]
       __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      value changed: 0x00 -> 0x01
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 23563 Comm: syz-executor.5 Not tainted 5.17.0-rc2-syzkaller-00064-gc36c04c2 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 948d4f21 ("veth: Add driver XDP")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      68468d8c
    • D
      Merge tag 'linux-can-fixes-for-5.17-20220209' of... · 6d072066
      David S. Miller 提交于
      Merge tag 'linux-can-fixes-for-5.17-20220209' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2022-02-09
      
      this is a pull request of 2 patches for net/master.
      
      Oliver Hartkopp contributes 2 fixes for the CAN ISOTP protocol.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6d072066
    • D
      ax25: fix NPD bug in ax25_disconnect · 7ec02f5a
      Duoming Zhou 提交于
      The ax25_disconnect() in ax25_kill_by_device() is not
      protected by any locks, thus there is a race condition
      between ax25_disconnect() and ax25_destroy_socket().
      when ax25->sk is assigned as NULL by ax25_destroy_socket(),
      a NULL pointer dereference bug will occur if site (1) or (2)
      dereferences ax25->sk.
      
      ax25_kill_by_device()                | ax25_release()
        ax25_disconnect()                  |   ax25_destroy_socket()
          ...                              |
          if(ax25->sk != NULL)             |     ...
            ...                            |     ax25->sk = NULL;
            bh_lock_sock(ax25->sk); //(1)  |     ...
            ...                            |
            bh_unlock_sock(ax25->sk); //(2)|
      
      This patch moves ax25_disconnect() into lock_sock(), which can
      synchronize with ax25_destroy_socket() in ax25_release().
      
      Fail log:
      ===============================================================
      BUG: kernel NULL pointer dereference, address: 0000000000000088
      ...
      RIP: 0010:_raw_spin_lock+0x7e/0xd0
      ...
      Call Trace:
      ax25_disconnect+0xf6/0x220
      ax25_device_event+0x187/0x250
      raw_notifier_call_chain+0x5e/0x70
      dev_close_many+0x17d/0x230
      rollback_registered_many+0x1f1/0x950
      unregister_netdevice_queue+0x133/0x200
      unregister_netdev+0x13/0x20
      ...
      Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7ec02f5a
    • D
      Merge branch 'net-fix-skb-unclone-issues' · 676b4936
      David S. Miller 提交于
      Antoine Tenart says:
      
      ====================
      net: fix issues when uncloning an skb dst+metadata
      
      This fixes two issues when uncloning an skb dst+metadata in
      tun_dst_unclone; this was initially reported by Vlad Buslov[1]. Because
      of the memory leak fixed by patch 2, the issue in patch 1 never happened
      in practice.
      
      tun_dst_unclone is called from two different places, one in geneve/vxlan
      to handle PMTU and one in net/openvswitch/actions.c where it is used to
      retrieve tunnel information. While both Vlad and I tested the former, we
      could not for the latter. I did spend quite some time trying to, but
      that code path is not easy to trigger. Code inspection shows this should
      be fine, the tunnel information (dst+metadata) is uncloned and the skb
      it is referenced from is only consumed after all accesses to the tunnel
      information are done:
      
        do_execute_actions
          output_userspace
            dev_fill_metadata_dst         <- dst+metadata is uncloned
            ovs_dp_upcall
              queue_userspace_packet
                ovs_nla_put_tunnel_info   <- metadata (tunnel info) is accessed
          consume_skb                     <- dst+metadata is freed
      
      Thanks!
      Antoine
      
      [1] https://lore.kernel.org/all/ygnhh79yluw2.fsf@nvidia.com/T/#m2f814614a4f5424cea66bbff7297f692b59b69a0
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      676b4936
    • A
      net: fix a memleak when uncloning an skb dst and its metadata · 9eeabdf1
      Antoine Tenart 提交于
      When uncloning an skb dst and its associated metadata, a new
      dst+metadata is allocated and later replaces the old one in the skb.
      This is helpful to have a non-shared dst+metadata attached to a specific
      skb.
      
      The issue is the uncloned dst+metadata is initialized with a refcount of
      1, which is increased to 2 before attaching it to the skb. When
      tun_dst_unclone returns, the dst+metadata is only referenced from a
      single place (the skb) while its refcount is 2. Its refcount will never
      drop to 0 (when the skb is consumed), leading to a memory leak.
      
      Fix this by removing the call to dst_hold in tun_dst_unclone, as the
      dst+metadata refcount is already 1.
      
      Fixes: fc4099f1 ("openvswitch: Fix egress tunnel info.")
      Cc: Pravin B Shelar <pshelar@ovn.org>
      Reported-by: NVlad Buslov <vladbu@nvidia.com>
      Tested-by: NVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: NAntoine Tenart <atenart@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9eeabdf1
    • A
      net: do not keep the dst cache when uncloning an skb dst and its metadata · cfc56f85
      Antoine Tenart 提交于
      When uncloning an skb dst and its associated metadata a new dst+metadata
      is allocated and the tunnel information from the old metadata is copied
      over there.
      
      The issue is the tunnel metadata has references to cached dst, which are
      copied along the way. When a dst+metadata refcount drops to 0 the
      metadata is freed including the cached dst entries. As they are also
      referenced in the initial dst+metadata, this ends up in UaFs.
      
      In practice the above did not happen because of another issue, the
      dst+metadata was never freed because its refcount never dropped to 0
      (this will be fixed in a subsequent patch).
      
      Fix this by initializing the dst cache after copying the tunnel
      information from the old metadata to also unshare the dst cache.
      
      Fixes: d71785ff ("net: add dst_cache to ovs vxlan lwtunnel")
      Cc: Paolo Abeni <pabeni@redhat.com>
      Reported-by: NVlad Buslov <vladbu@nvidia.com>
      Tested-by: NVlad Buslov <vladbu@nvidia.com>
      Signed-off-by: NAntoine Tenart <atenart@kernel.org>
      Acked-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cfc56f85
    • O
      can: isotp: fix error path in isotp_sendmsg() to unlock wait queue · 8375dfac
      Oliver Hartkopp 提交于
      Commit 43a08c3b ("can: isotp: isotp_sendmsg(): fix TX buffer concurrent
      access in isotp_sendmsg()") introduced a new locking scheme that may render
      the userspace application in a locking state when an error is detected.
      This issue shows up under high load on simultaneously running isotp channels
      with identical configuration which is against the ISO specification and
      therefore breaks any reasonable PDU communication anyway.
      
      Fixes: 43a08c3b ("can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()")
      Link: https://lore.kernel.org/all/20220209073601.25728-1-socketcan@hartkopp.net
      Cc: stable@vger.kernel.org
      Cc: Ziyang Xuan <william.xuanziyang@huawei.com>
      Signed-off-by: NOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      8375dfac
    • O
      can: isotp: fix potential CAN frame reception race in isotp_rcv() · 7c759040
      Oliver Hartkopp 提交于
      When receiving a CAN frame the current code logic does not consider
      concurrently receiving processes which do not show up in real world
      usage.
      
      Ziyang Xuan writes:
      
      The following syz problem is one of the scenarios. so->rx.len is
      changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals
      0 before alloc_skb() and equals 4096 after alloc_skb(). That will
      trigger skb_over_panic() in skb_put().
      
      =======================================================
      CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0
      RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
      Call Trace:
       <TASK>
       skb_over_panic net/core/skbuff.c:118 [inline]
       skb_put.cold+0x24/0x24 net/core/skbuff.c:1990
       isotp_rcv_cf net/can/isotp.c:570 [inline]
       isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668
       deliver net/can/af_can.c:574 [inline]
       can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635
       can_receive+0x31d/0x580 net/can/af_can.c:665
       can_rcv+0x120/0x1c0 net/can/af_can.c:696
       __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465
       __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579
      
      Therefore we make sure the state changes and data structures stay
      consistent at CAN frame reception time by adding a spin_lock in
      isotp_rcv(). This fixes the issue reported by syzkaller but does not
      affect real world operation.
      
      Fixes: e057dd3f ("can: add ISO 15765-2:2016 transport protocol")
      Link: https://lore.kernel.org/linux-can/d7e69278-d741-c706-65e1-e87623d9a8e8@huawei.com/T/
      Link: https://lore.kernel.org/all/20220208200026.13783-1-socketcan@hartkopp.net
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com
      Reported-by: NZiyang Xuan <william.xuanziyang@huawei.com>
      Signed-off-by: NOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      7c759040
    • L
      nfp: flower: fix ida_idx not being released · 7db788ad
      Louis Peens 提交于
      When looking for a global mac index the extra NFP_TUN_PRE_TUN_IDX_BIT
      that gets set if nfp_flower_is_supported_bridge is true is not taken
      into account. Consequently the path that should release the ida_index
      in cleanup is never triggered, causing messages like:
      
          nfp 0000:02:00.0: nfp: Failed to offload MAC on br-ex.
          nfp 0000:02:00.0: nfp: Failed to offload MAC on br-ex.
          nfp 0000:02:00.0: nfp: Failed to offload MAC on br-ex.
      
      after NFP_MAX_MAC_INDEX number of reconfigs. Ultimately this lead to
      new tunnel flows not being offloaded.
      
      Fix this by unsetting the NFP_TUN_PRE_TUN_IDX_BIT before checking if
      the port is of type OTHER.
      
      Fixes: 2e0bc7f3 ("nfp: flower: encode mac indexes with pre-tunnel rule check")
      Signed-off-by: NLouis Peens <louis.peens@corigine.com>
      Signed-off-by: NSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20220208101453.321949-1-simon.horman@corigine.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      7db788ad
    • E
      ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path · 5611a006
      Eric Dumazet 提交于
      ip[6]mr_free_table() can only be called under RTNL lock.
      
      RTNL: assertion failed at net/core/dev.c (10367)
      WARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367
      Modules linked in:
      CPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367
      Code: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee
      RSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4
      R13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000
      FS:  00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509
       ip6mr_free_table net/ipv6/ip6mr.c:389 [inline]
       ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline]
       ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline]
       ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298
       ops_init+0xaf/0x470 net/core/net_namespace.c:140
       setup_net+0x54f/0xbb0 net/core/net_namespace.c:331
       copy_net_ns+0x318/0x760 net/core/net_namespace.c:475
       create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
       copy_namespaces+0x391/0x450 kernel/nsproxy.c:178
       copy_process+0x2e0c/0x7300 kernel/fork.c:2167
       kernel_clone+0xe7/0xab0 kernel/fork.c:2555
       __do_sys_clone+0xc8/0x110 kernel/fork.c:2672
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x7f4ab89f9059
      Code: Unable to access opcode bytes at RIP 0x7f4ab89f902f.
      RSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
      RAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059
      RDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000
      RBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300
      R10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000
      R13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000
       </TASK>
      
      Fixes: f243e5a7 ("ipmr,ip6mr: call ip6mr_free_table() on failure path")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Cong Wang <cong.wang@bytedance.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20220208053451.2885398-1-eric.dumazet@gmail.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      5611a006
    • C
      net: ethernet: litex: Add the dependency on HAS_IOMEM · 2427f03f
      Cai Huoqing 提交于
      The LiteX driver uses devm io function API which
      needs HAS_IOMEM enabled, so add the dependency on HAS_IOMEM.
      
      Fixes: ee7da21a ("net: Add driver for LiteX's LiteETH network interface")
      Signed-off-by: NCai Huoqing <cai.huoqing@linux.dev>
      Link: https://lore.kernel.org/r/20220208013308.6563-1-cai.huoqing@linux.devSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      2427f03f
    • S
      ibmvnic: don't release napi in __ibmvnic_open() · 61772b09
      Sukadev Bhattiprolu 提交于
      If __ibmvnic_open() encounters an error such as when setting link state,
      it calls release_resources() which frees the napi structures needlessly.
      Instead, have __ibmvnic_open() only clean up the work it did so far (i.e.
      disable napi and irqs) and leave the rest to the callers.
      
      If caller of __ibmvnic_open() is ibmvnic_open(), it should release the
      resources immediately. If the caller is do_reset() or do_hard_reset(),
      they will release the resources on the next reset.
      
      This fixes following crash that occurred when running the drmgr command
      several times to add/remove a vnic interface:
      
      	[102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq
      	[102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq
      	[102056] ibmvnic 30000003 env3: Replenished 8 pools
      	Kernel attempted to read user page (10) - exploit attempt? (uid: 0)
      	BUG: Kernel NULL pointer dereference on read at 0x00000010
      	Faulting instruction address: 0xc000000000a3c840
      	Oops: Kernel access of bad area, sig: 11 [#1]
      	LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
      	...
      	CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e #1
      	Workqueue: events_long __ibmvnic_reset [ibmvnic]
      	NIP:  c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820
      	REGS: c0000000548e37e0 TRAP: 0300   Not tainted  (5.16.0-rc5-autotest-g6441998e)
      	MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28248484  XER: 00000004
      	CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0
      	GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000
      	...
      	NIP [c000000000a3c840] napi_enable+0x20/0xc0
      	LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic]
      	Call Trace:
      	[c0000000548e3a80] [0000000000000006] 0x6 (unreliable)
      	[c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic]
      	[c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic]
      	[c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570
      	[c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660
      	[c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0
      	[c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
      	Instruction dump:
      	7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010
      	38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020
      	---[ end trace 5f8033b08fd27706 ]---
      
      Fixes: ed651a10 ("ibmvnic: Updated reset handling")
      Reported-by: NAbdul Haleem <abdhalee@linux.vnet.ibm.com>
      Signed-off-by: NSukadev Bhattiprolu <sukadev@linux.ibm.com>
      Reviewed-by: NDany Madden <drt@linux.ibm.com>
      Link: https://lore.kernel.org/r/20220208001918.900602-1-sukadev@linux.ibm.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      61772b09
    • J
      Merge branch 'more-dsa-fixes-for-devres-mdiobus_-alloc-register' · 1335648f
      Jakub Kicinski 提交于
      Vladimir Oltean says:
      
      ====================
      More DSA fixes for devres + mdiobus_{alloc,register}
      
      The initial patch series "[net,0/2] Fix mdiobus users with devres"
      https://patchwork.kernel.org/project/netdevbpf/cover/20210920214209.1733768-1-vladimir.oltean@nxp.com/
      fixed some instances where DSA drivers on slow buses (SPI, I2C) trigger
      a panic (changed since then to a warn) in mdiobus_free. That was due to
      devres calling mdiobus_free() with no prior mdiobus_unregister(), which
      again was due to commit ac3a68d5 ("net: phy: don't abuse devres in
      devm_mdiobus_register()") by Bartosz Golaszewski.
      
      Rafael Richter and Daniel Klauer report yet another variation on that
      theme, but this time it applies to any DSA switch driver, not just those
      on buses which have a "->shutdown() calls ->remove() which unregisters
      children" sequence.
      
      Their setup is that of an LX2160A DPAA2 SoC driving a Marvell DSA switch
      (MDIO). DPAA2 Ethernet drivers probe on the "fsl-mc" bus
      (drivers/bus/fsl-mc/fsl-mc-bus.c). This bus is meant to be the
      kernel-side representation of the networking objects kept by the
      Management Complex (MC) firmware.
      
      The fsl-mc bus driver has this pattern:
      
      static void fsl_mc_bus_shutdown(struct platform_device *pdev)
      {
      	fsl_mc_bus_remove(pdev);
      }
      
      which proceeds to remove the children on the bus. Among those children,
      the dpaa2-eth network driver.
      
      When dpaa2-eth is a DSA master, this removal of the master on shutdown
      trips up the device link created by dsa_master_setup(), and as such, the
      Marvell switch is also removed.
      
      From this point on, readers can revisit the description of commits
      74b6d7d1 ("net: dsa: realtek: register the MDIO bus under devres")
      5135e96a ("net: dsa: don't allocate the slave_mii_bus using devres")
      
      since the prerequisites for the BUG_ON in mdiobus_free() have been
      accomplished if there is a devres mismatch between mdiobus_alloc() and
      mdiobus_register().
      
      Most DSA drivers have this kind of mismatch, and upon my initial
      assessment I had not realized the possibility described above, so I
      didn't fix it. This patch series walks through all drivers and makes
      them use either fully devres, or no devres.
      
      I am aware that there are DSA drivers that are only known to be tested
      with a single DSA master, so some patches are probably overkill for
      them. But code is copy-pasted from so many sources without fully
      understanding the differences, that I think it's better to not leave an
      in-tree source of inspiration that may lead to subtle breakage if not
      adapted properly.
      ====================
      
      Link: https://lore.kernel.org/r/20220207161553.579933-1-vladimir.oltean@nxp.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      1335648f
    • V
      net: dsa: lantiq_gswip: don't use devres for mdiobus · 0d120dfb
      Vladimir Oltean 提交于
      As explained in commits:
      74b6d7d1 ("net: dsa: realtek: register the MDIO bus under devres")
      5135e96a ("net: dsa: don't allocate the slave_mii_bus using devres")
      
      mdiobus_free() will panic when called from devm_mdiobus_free() <-
      devres_release_all() <- __device_release_driver(), and that mdiobus was
      not previously unregistered.
      
      The GSWIP switch is a platform device, so the initial set of constraints
      that I thought would cause this (I2C or SPI buses which call ->remove on
      ->shutdown) do not apply. But there is one more which applies here.
      
      If the DSA master itself is on a bus that calls ->remove from ->shutdown
      (like dpaa2-eth, which is on the fsl-mc bus), there is a device link
      between the switch and the DSA master, and device_links_unbind_consumers()
      will unbind the GSWIP switch driver on shutdown.
      
      So the same treatment must be applied to all DSA switch drivers, which
      is: either use devres for both the mdiobus allocation and registration,
      or don't use devres at all.
      
      The gswip driver has the code structure in place for orderly mdiobus
      removal, so just replace devm_mdiobus_alloc() with the non-devres
      variant, and add manual free where necessary, to ensure that we don't
      let devres free a still-registered bus.
      
      Fixes: ac3a68d5 ("net: phy: don't abuse devres in devm_mdiobus_register()")
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NJakub Kicinski <kuba@kernel.org>
      0d120dfb
    • V
      net: dsa: mt7530: fix kernel bug in mdiobus_free() when unbinding · 9ffe3d09
      Vladimir Oltean 提交于
      Nobody in this driver calls mdiobus_unregister(), which is necessary if
      mdiobus_register() completes successfully. So if the devres callbacks
      that free the mdiobus get invoked (this is the case when unbinding the
      driver), mdiobus_free() will BUG if the mdiobus is still registered,
      which it is.
      
      My speculation is that this is due to the fact that prior to commit
      ac3a68d5 ("net: phy: don't abuse devres in devm_mdiobus_register()")
      from June 2020, _devm_mdiobus_free() used to call mdiobus_unregister().
      But at the time that the mt7530 support was introduced in May 2021, the
      API was already changed. It's therefore likely that the blamed patch was
      developed on an older tree, and incorrectly adapted to net-next. This
      makes the Fixes: tag correct.
      
      Fix the problem by using the devres variant of mdiobus_register.
      
      Fixes: ba751e28 ("net: dsa: mt7530: add interrupt support")
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NJakub Kicinski <kuba@kernel.org>
      9ffe3d09
    • V
      net: dsa: seville: register the mdiobus under devres · bd488afc
      Vladimir Oltean 提交于
      As explained in commits:
      74b6d7d1 ("net: dsa: realtek: register the MDIO bus under devres")
      5135e96a ("net: dsa: don't allocate the slave_mii_bus using devres")
      
      mdiobus_free() will panic when called from devm_mdiobus_free() <-
      devres_release_all() <- __device_release_driver(), and that mdiobus was
      not previously unregistered.
      
      The Seville VSC9959 switch is a platform device, so the initial set of
      constraints that I thought would cause this (I2C or SPI buses which call
      ->remove on ->shutdown) do not apply. But there is one more which
      applies here.
      
      If the DSA master itself is on a bus that calls ->remove from ->shutdown
      (like dpaa2-eth, which is on the fsl-mc bus), there is a device link
      between the switch and the DSA master, and device_links_unbind_consumers()
      will unbind the seville switch driver on shutdown.
      
      So the same treatment must be applied to all DSA switch drivers, which
      is: either use devres for both the mdiobus allocation and registration,
      or don't use devres at all.
      
      The seville driver has a code structure that could accommodate both the
      mdiobus_unregister and mdiobus_free calls, but it has an external
      dependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls
      devm_mdiobus_alloc_size() on its behalf. So rather than restructuring
      that, and exporting yet one more symbol mscc_miim_teardown(), let's work
      with devres and replace of_mdiobus_register with the devres variant.
      When we use all-devres, we can ensure that devres doesn't free a
      still-registered bus (it either runs both callbacks, or none).
      
      Fixes: ac3a68d5 ("net: phy: don't abuse devres in devm_mdiobus_register()")
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NJakub Kicinski <kuba@kernel.org>
      bd488afc
    • V
      net: dsa: felix: don't use devres for mdiobus · 209bdb7e
      Vladimir Oltean 提交于
      As explained in commits:
      74b6d7d1 ("net: dsa: realtek: register the MDIO bus under devres")
      5135e96a ("net: dsa: don't allocate the slave_mii_bus using devres")
      
      mdiobus_free() will panic when called from devm_mdiobus_free() <-
      devres_release_all() <- __device_release_driver(), and that mdiobus was
      not previously unregistered.
      
      The Felix VSC9959 switch is a PCI device, so the initial set of
      constraints that I thought would cause this (I2C or SPI buses which call
      ->remove on ->shutdown) do not apply. But there is one more which
      applies here.
      
      If the DSA master itself is on a bus that calls ->remove from ->shutdown
      (like dpaa2-eth, which is on the fsl-mc bus), there is a device link
      between the switch and the DSA master, and device_links_unbind_consumers()
      will unbind the felix switch driver on shutdown.
      
      So the same treatment must be applied to all DSA switch drivers, which
      is: either use devres for both the mdiobus allocation and registration,
      or don't use devres at all.
      
      The felix driver has the code structure in place for orderly mdiobus
      removal, so just replace devm_mdiobus_alloc_size() with the non-devres
      variant, and add manual free where necessary, to ensure that we don't
      let devres free a still-registered bus.
      
      Fixes: ac3a68d5 ("net: phy: don't abuse devres in devm_mdiobus_register()")
      Signed-off-by: NVladimir Oltean <vladimir.oltean@nxp.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NJakub Kicinski <kuba@kernel.org>
      209bdb7e