1. 07 11月, 2022 2 次提交
    • Z
      hamradio: fix issue of dev reference count leakage in bpq_device_event() · 85cbaf03
      Zhengchao Shao 提交于
      When following tests are performed, it will cause dev reference counting
      leakage.
      a)ip link add bond2 type bond mode balance-rr
      b)ip link set bond2 up
      c)ifenslave -f bond2 rose1
      d)ip link del bond2
      
      When new bond device is created, the default type of the bond device is
      ether. And the bond device is up, bpq_device_event() receives the message
      and creates a new bpq device. In this case, the reference count value of
      dev is hold once. But after "ifenslave -f bond2 rose1" command is
      executed, the type of the bond device is changed to rose. When the bond
      device is unregistered, bpq_device_event() will not put the dev reference
      count.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      85cbaf03
    • Z
      net: lapbether: fix issue of dev reference count leakage in lapbeth_device_event() · 531705a7
      Zhengchao Shao 提交于
      When following tests are performed, it will cause dev reference counting
      leakage.
      a)ip link add bond2 type bond mode balance-rr
      b)ip link set bond2 up
      c)ifenslave -f bond2 rose1
      d)ip link del bond2
      
      When new bond device is created, the default type of the bond device is
      ether. And the bond device is up, lapbeth_device_event() receives the
      message and creates a new lapbeth device. In this case, the reference
      count value of dev is hold once. But after "ifenslave -f bond2 rose1"
      command is executed, the type of the bond device is changed to rose. When
      the bond device is unregistered, lapbeth_device_event() will not put the
      dev reference count.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      531705a7
  2. 05 11月, 2022 6 次提交
  3. 04 11月, 2022 19 次提交
    • W
      net: tun: Fix memory leaks of napi_get_frags · 1118b204
      Wang Yufen 提交于
      kmemleak reports after running test_progs:
      
      unreferenced object 0xffff8881b1672dc0 (size 232):
        comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s)
        hex dump (first 32 bytes):
          e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff  .........,g.....
          00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00  .@..............
        backtrace:
          [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150
          [<0000000041c7fc09>] __napi_build_skb+0x15/0x50
          [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540
          [<000000003ecfa30e>] napi_get_frags+0x59/0x140
          [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]
          [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]
          [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320
          [<000000008f338ea2>] do_iter_write+0x135/0x630
          [<000000008a3377a4>] vfs_writev+0x12e/0x440
          [<00000000a6b5639a>] do_writev+0x104/0x280
          [<00000000ccf065d8>] do_syscall_64+0x3b/0x90
          [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      The issue occurs in the following scenarios:
      tun_get_user()
        napi_gro_frags()
          napi_frags_finish()
            case GRO_NORMAL:
              gro_normal_one()
                list_add_tail(&skb->list, &napi->rx_list);
                <-- While napi->rx_count < READ_ONCE(gro_normal_batch),
                <-- gro_normal_list() is not called, napi->rx_list is not empty
        <-- not ask to complete the gro work, will cause memory leaks in
        <-- following tun_napi_del()
      ...
      tun_napi_del()
        netif_napi_del()
          __netif_napi_del()
          <-- &napi->rx_list is not empty, which caused memory leaks
      
      To fix, add napi_complete() after napi_gro_frags().
      
      Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver")
      Signed-off-by: NWang Yufen <wangyufen@huawei.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1118b204
    • R
      octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT] · 51afe902
      Ratheesh Kannoth 提交于
      In scenarios where multiple errors have occurred
      for a SQ before SW starts handling error interrupt,
      SQ_CTX[OP_INT] may get overwritten leading to
      NIX_LF_SQ_OP_INT returning incorrect value.
      To workaround this read LMT, MNQ and SQ individual
      error status registers to determine the cause of error.
      
      Fixes: 4ff7d148 ("octeontx2-pf: Error handling support")
      Signed-off-by: NRatheesh Kannoth <rkannoth@marvell.com>
      Reviewed-by: NSunil Kovvuri Goutham <sgoutham@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51afe902
    • R
      net: ethernet: ti: am65-cpsw: Fix segmentation fault at module unload · 1a0c016a
      Roger Quadros 提交于
      Move am65_cpsw_nuss_phylink_cleanup() call to after
      am65_cpsw_nuss_cleanup_ndev() so phylink is still valid
      to prevent the below Segmentation fault on module remove when
      first slave link is up.
      
      [   31.652944] Unable to handle kernel paging request at virtual address 00040008000005f4
      [   31.684627] Mem abort info:
      [   31.687446]   ESR = 0x0000000096000004
      [   31.704614]   EC = 0x25: DABT (current EL), IL = 32 bits
      [   31.720663]   SET = 0, FnV = 0
      [   31.723729]   EA = 0, S1PTW = 0
      [   31.740617]   FSC = 0x04: level 0 translation fault
      [   31.756624] Data abort info:
      [   31.759508]   ISV = 0, ISS = 0x00000004
      [   31.776705]   CM = 0, WnR = 0
      [   31.779695] [00040008000005f4] address between user and kernel address ranges
      [   31.808644] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
      [   31.814928] Modules linked in: wlcore_sdio wl18xx wlcore mac80211 libarc4 cfg80211 rfkill crct10dif_ce phy_gmii_sel ti_am65_cpsw_nuss(-) sch_fq_codel ipv6
      [   31.828776] CPU: 0 PID: 1026 Comm: modprobe Not tainted 6.1.0-rc2-00012-gfabfcf7dafdb-dirty #160
      [   31.837547] Hardware name: Texas Instruments AM625 (DT)
      [   31.842760] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      [   31.849709] pc : phy_stop+0x18/0xf8
      [   31.853202] lr : phylink_stop+0x38/0xf8
      [   31.857031] sp : ffff80000a0839f0
      [   31.860335] x29: ffff80000a0839f0 x28: ffff000000de1c80 x27: 0000000000000000
      [   31.867462] x26: 0000000000000000 x25: 0000000000000000 x24: ffff80000a083b98
      [   31.874589] x23: 0000000000000800 x22: 0000000000000001 x21: ffff000001bfba90
      [   31.881715] x20: ffff0000015ee000 x19: 0004000800000200 x18: 0000000000000000
      [   31.888842] x17: ffff800076c45000 x16: ffff800008004000 x15: 000058e39660b106
      [   31.895969] x14: 0000000000000144 x13: 0000000000000144 x12: 0000000000000000
      [   31.903095] x11: 000000000000275f x10: 00000000000009e0 x9 : ffff80000a0837d0
      [   31.910222] x8 : ffff000000de26c0 x7 : ffff00007fbd6540 x6 : ffff00007fbd64c0
      [   31.917349] x5 : ffff00007fbd0b10 x4 : ffff00007fbd0b10 x3 : ffff00007fbd3920
      [   31.924476] x2 : d0a07fcff8b8d500 x1 : 0000000000000000 x0 : 0004000800000200
      [   31.931603] Call trace:
      [   31.934042]  phy_stop+0x18/0xf8
      [   31.937177]  phylink_stop+0x38/0xf8
      [   31.940657]  am65_cpsw_nuss_ndo_slave_stop+0x28/0x1e0 [ti_am65_cpsw_nuss]
      [   31.947452]  __dev_close_many+0xa4/0x140
      [   31.951371]  dev_close_many+0x84/0x128
      [   31.955115]  unregister_netdevice_many+0x130/0x6d0
      [   31.959897]  unregister_netdevice_queue+0x94/0xd8
      [   31.964591]  unregister_netdev+0x24/0x38
      [   31.968504]  am65_cpsw_nuss_cleanup_ndev.isra.0+0x48/0x70 [ti_am65_cpsw_nuss]
      [   31.975637]  am65_cpsw_nuss_remove+0x58/0xf8 [ti_am65_cpsw_nuss]
      
      Cc: <Stable@vger.kernel.org> # v5.18+
      Fixes: e8609e69 ("net: ethernet: ti: am65-cpsw: Convert to PHYLINK")
      Signed-off-by: NRoger Quadros <rogerq@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1a0c016a
    • D
      Merge branch 'macsec-offload-fixes' · f4e405f5
      David S. Miller 提交于
      Sabrina Dubroca says:
      
      ====================
      macsec: offload-related fixes
      
      I'm working on a dummy offload for macsec on netdevsim. It just has a
      small SecY and RXSC table so I can trigger failures easily on the
      ndo_* side. It has exposed a couple of issues.
      
      The first patch is a revert of commit c850240b ("net: macsec:
      report real_dev features when HW offloading is enabled"). That commit
      tried to improve the performance of macsec offload by taking advantage
      of some of the NIC's features, but in doing so, broke macsec offload
      when the lower device supports both macsec and ipsec offload, as the
      ipsec offload feature flags were copied from the real device. Since
      the macsec device doesn't provide xdo_* ops, the XFRM core rejects the
      registration of the new macsec device in xfrm_api_check.
      
      I'm working on re-adding those feature flags when offload is
      available, but I haven't fully solved that yet. I think it would be
      safer to do that second part in net-next considering how complex
      feature interactions tend to be.
      
      v2:
       - better describe the issue introduced by commit c850240b (Leon
         Romanovsky)
       - patch #3: drop unnecessary !! (Leon Romanovsky)
      
      v3:
       - patch #3: drop extra newline (Jakub Kicinski)
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f4e405f5
    • S
      macsec: clear encryption keys from the stack after setting up offload · aaab73f8
      Sabrina Dubroca 提交于
      macsec_add_rxsa and macsec_add_txsa copy the key to an on-stack
      offloading context to pass it to the drivers, but leaves it there when
      it's done. Clear it with memzero_explicit as soon as it's not needed
      anymore.
      
      Fixes: 3cf3227a ("net: macsec: hardware offloading infrastructure")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NAntoine Tenart <atenart@kernel.org>
      Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aaab73f8
    • S
      macsec: fix detection of RXSCs when toggling offloading · 80df4706
      Sabrina Dubroca 提交于
      macsec_is_configured incorrectly uses secy->n_rx_sc to check if some
      RXSCs exist. secy->n_rx_sc only counts the number of active RXSCs, but
      there can also be inactive SCs as well, which may be stored in the
      driver (in case we're disabling offloading), or would have to be
      pushed to the device (in case we're trying to enable offloading).
      
      As long as RXSCs active on creation and never turned off, the issue is
      not visible.
      
      Fixes: dcb780fb ("net: macsec: add nla support for changing the offloading selection")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NAntoine Tenart <atenart@kernel.org>
      Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      80df4706
    • S
      macsec: fix secy->n_rx_sc accounting · 73a4b31c
      Sabrina Dubroca 提交于
      secy->n_rx_sc is supposed to be the number of _active_ rxsc's within a
      secy. This is then used by macsec_send_sci to help decide if we should
      add the SCI to the header or not.
      
      This logic is currently broken when we create a new RXSC and turn it
      off at creation, as create_rx_sc always sets ->active to true (and
      immediately uses that to increment n_rx_sc), and only later
      macsec_add_rxsc sets rx_sc->active.
      
      Fixes: c09440f7 ("macsec: introduce IEEE 802.1AE driver")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NAntoine Tenart <atenart@kernel.org>
      Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      73a4b31c
    • S
      macsec: delete new rxsc when offload fails · 93a30947
      Sabrina Dubroca 提交于
      Currently we get an inconsistent state:
       - netlink returns the error to userspace
       - the RXSC is installed but not offloaded
      
      Then the device could get confused when we try to add an RXSA, because
      the RXSC isn't supposed to exist.
      
      Fixes: 3cf3227a ("net: macsec: hardware offloading infrastructure")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NAntoine Tenart <atenart@kernel.org>
      Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      93a30947
    • S
      Revert "net: macsec: report real_dev features when HW offloading is enabled" · 8bcd560a
      Sabrina Dubroca 提交于
      This reverts commit c850240b.
      
      That commit tried to improve the performance of macsec offload by
      taking advantage of some of the NIC's features, but in doing so, broke
      macsec offload when the lower device supports both macsec and ipsec
      offload, as the ipsec offload feature flags (mainly NETIF_F_HW_ESP)
      were copied from the real device. Since the macsec device doesn't
      provide xdo_* ops, the XFRM core rejects the registration of the new
      macsec device in xfrm_api_check.
      
      Example perf trace when running
        ip link add link eni1np1 type macsec port 4 offload mac
      
          ip   737 [003]   795.477676: probe:xfrm_dev_event__REGISTER      name="macsec0" features=0x1c000080014869
                    xfrm_dev_event+0x3a
                    notifier_call_chain+0x47
                    register_netdevice+0x846
                    macsec_newlink+0x25a
      
          ip   737 [003]   795.477687:   probe:xfrm_dev_event__return      ret=0x8002 (NOTIFY_BAD)
                   notifier_call_chain+0x47
                   register_netdevice+0x846
                   macsec_newlink+0x25a
      
      dev->features includes NETIF_F_HW_ESP (0x04000000000000), so
      xfrm_api_check returns NOTIFY_BAD because we don't have
      dev->xfrmdev_ops on the macsec device.
      
      We could probably propagate GSO and a few other features from the
      lower device, similar to macvlan. This will be done in a future patch.
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NAntoine Tenart <atenart@kernel.org>
      Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8bcd560a
    • A
      selftests/net: give more time to udpgro bg processes to complete startup · cdb525ca
      Adrien Thierry 提交于
      In some conditions, background processes in udpgro don't have enough
      time to set up the sockets. When foreground processes start, this
      results in the test failing with "./udpgso_bench_tx: sendmsg: Connection
      refused". For instance, this happens from time to time on a Qualcomm
      SA8540P SoC running CentOS Stream 9.
      
      To fix this, increase the time given to background processes to
      complete the startup before foreground processes start.
      Signed-off-by: NAdrien Thierry <athierry@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cdb525ca
    • G
      net: hns3: fix get wrong value of function hclge_get_dscp_prio() · cfdcb075
      Guangbin Huang 提交于
      As the argument struct hnae3_handle *h of function hclge_get_dscp_prio()
      can be other client registered in hnae3 layer, we need to transform it
      into hnae3_handle of local nic client to get right dscp settings for
      other clients.
      
      Fixes: dfea275e ("net: hns3: optimize converting dscp to priority process of hns3_nic_select_queue()")
      Signed-off-by: NGuangbin Huang <huangguangbin2@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cfdcb075
    • R
      net: octeontx2-pf: mcs: consider MACSEC setting · 4581dd48
      Randy Dunlap 提交于
      Fix build errors when MACSEC=m and OCTEONTX2_PF=y by having
      OCTEONTX2_PF depend on MACSEC if it is enabled. By adding
      "|| !MACSEC", this means that MACSEC is not required -- it can
      be disabled for this driver.
      
      drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.o: in function `otx2_remove':
      ../drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c:(.text+0x2fd0): undefined reference to `cn10k_mcs_free'
      mips64-linux-ld: drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.o: in function `otx2_mbox_up_handler_mcs_intr_notify':
      ../drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c:(.text+0x4610): undefined reference to `cn10k_handle_mcs_event'
      Reported-by: Nkernel test robot <lkp@intel.com>
      Fixes: c54ffc73 ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading")
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Cc: Subbaraya Sundeep <sbhatta@marvell.com>
      Cc: Sunil Goutham <sgoutham@marvell.com>
      Cc: Geetha sowjanya <gakula@marvell.com>
      Cc: hariprasad <hkelam@marvell.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4581dd48
    • J
      Merge tag 'wireless-2022-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 91018bbc
      Jakub Kicinski 提交于
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.1
      
      Second set of fixes for v6.1. Some fixes to char type usage in
      drivers, memory leaks in the stack and also functionality fixes. The
      rt2x00 char type fix is a larger (but still simple) commit, otherwise
      the fixes are small in size.
      
      * tag 'wireless-2022-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update()
        wifi: ath11k: Fix QCN9074 firmware boot on x86
        wifi: mac80211: Set TWT Information Frame Disabled bit as 1
        wifi: mac80211: Fix ack frame idr leak when mesh has no route
        wifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit()
        wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
        wifi: airo: do not assign -1 to unsigned char
        wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support
        wifi: cfg80211: Fix bitrates overflow issue
        wifi: cfg80211: fix memory leak in query_regdb_file()
        wifi: mac80211: fix memory free error when registering wiphy fail
        wifi: cfg80211: silence a sparse RCU warning
        wifi: rt2x00: use explicitly signed or unsigned types
      ====================
      
      Link: https://lore.kernel.org/r/20221103125315.04E57C433C1@smtp.kernel.orgSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      91018bbc
    • J
      net: gso: fix panic on frag_list with mixed head alloc types · 9e4b7a99
      Jiri Benc 提交于
      Since commit 3dcbdb13 ("net: gso: Fix skb_segment splat when
      splitting gso_size mangled skb having linear-headed frag_list"), it is
      allowed to change gso_size of a GRO packet. However, that commit assumes
      that "checking the first list_skb member suffices; i.e if either of the
      list_skb members have non head_frag head, then the first one has too".
      
      It turns out this assumption does not hold. We've seen BUG_ON being hit
      in skb_segment when skbs on the frag_list had differing head_frag with
      the vmxnet3 driver. This happens because __netdev_alloc_skb and
      __napi_alloc_skb can return a skb that is page backed or kmalloced
      depending on the requested size. As the result, the last small skb in
      the GRO packet can be kmalloced.
      
      There are three different locations where this can be fixed:
      
      (1) We could check head_frag in GRO and not allow GROing skbs with
          different head_frag. However, that would lead to performance
          regression on normal forward paths with unmodified gso_size, where
          !head_frag in the last packet is not a problem.
      
      (2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating
          that NETIF_F_SG is undesirable. That would need to eat a bit in
          sk_buff. Furthermore, that flag can be unset when all skbs on the
          frag_list are page backed. To retain good performance,
          bpf_skb_net_grow/shrink would have to walk the frag_list.
      
      (3) Walk the frag_list in skb_segment when determining whether
          NETIF_F_SG should be cleared. This of course slows things down.
      
      This patch implements (3). To limit the performance impact in
      skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set
      that have gso_size changed. Normal paths thus will not hit it.
      
      We could check only the last skb but since we need to walk the whole
      list anyway, let's stay on the safe side.
      
      Fixes: 3dcbdb13 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
      Signed-off-by: NJiri Benc <jbenc@redhat.com>
      Reviewed-by: NWillem de Bruijn <willemb@google.com>
      Link: https://lore.kernel.org/r/e04426a6a91baf4d1081e1b478c82b5de25fdf21.1667407944.git.jbenc@redhat.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      9e4b7a99
    • J
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · f2c24be5
      Jakub Kicinski 提交于
      Daniel Borkmann says:
      
      ====================
      bpf 2022-11-04
      
      We've added 8 non-merge commits during the last 3 day(s) which contain
      a total of 10 files changed, 113 insertions(+), 16 deletions(-).
      
      The main changes are:
      
      1) Fix memory leak upon allocation failure in BPF verifier's stack state
         tracking, from Kees Cook.
      
      2) Fix address leakage when BPF progs release reference to an object,
         from Youlin Li.
      
      3) Fix BPF CI breakage from buggy in.h uapi header dependency,
         from Andrii Nakryiko.
      
      4) Fix bpftool pin sub-command's argument parsing, from Pu Lehui.
      
      5) Fix BPF sockmap lockdep warning by cancelling psock work outside
         of socket lock, from Cong Wang.
      
      6) Follow-up for BPF sockmap to fix sk_forward_alloc accounting,
         from Wang Yufen.
      
      bpf-for-netdev
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        selftests/bpf: Add verifier test for release_reference()
        bpf: Fix wrong reg type conversion in release_reference()
        bpf, sock_map: Move cancel_work_sync() out of sock lock
        tools/headers: Pull in stddef.h to uapi to fix BPF selftests build in CI
        net/ipv4: Fix linux/in.h header dependencies
        bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} without FILE
        bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues
        bpf, verifier: Fix memory leak in array reallocation for stack state
      ====================
      
      Link: https://lore.kernel.org/r/20221104000445.30761-1-daniel@iogearbox.netSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      f2c24be5
    • Y
      selftests/bpf: Add verifier test for release_reference() · 475244f5
      Youlin Li 提交于
      Add a test case to ensure that released pointer registers will not be
      leaked into the map.
      
      Before fix:
      
        ./test_verifier 984
          984/u reference tracking: try to leak released ptr reg FAIL
          Unexpected success to load!
          verification time 67 usec
          stack depth 4
          processed 23 insns (limit 1000000) max_states_per_insn 0 total_states 2
          peak_states 2 mark_read 1
          984/p reference tracking: try to leak released ptr reg OK
          Summary: 1 PASSED, 0 SKIPPED, 1 FAILED
      
      After fix:
      
        ./test_verifier 984
          984/u reference tracking: try to leak released ptr reg OK
          984/p reference tracking: try to leak released ptr reg OK
          Summary: 2 PASSED, 0 SKIPPED, 0 FAILED
      Signed-off-by: NYoulin Li <liulin063@gmail.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20221103093440.3161-2-liulin063@gmail.com
      475244f5
    • Y
      bpf: Fix wrong reg type conversion in release_reference() · f1db2081
      Youlin Li 提交于
      Some helper functions will allocate memory. To avoid memory leaks, the
      verifier requires the eBPF program to release these memories by calling
      the corresponding helper functions.
      
      When a resource is released, all pointer registers corresponding to the
      resource should be invalidated. The verifier use release_references() to
      do this job, by apply  __mark_reg_unknown() to each relevant register.
      
      It will give these registers the type of SCALAR_VALUE. A register that
      will contain a pointer value at runtime, but of type SCALAR_VALUE, which
      may allow the unprivileged user to get a kernel pointer by storing this
      register into a map.
      
      Using __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this
      problem.
      
      Fixes: fd978bf7 ("bpf: Add reference tracking to verifier")
      Signed-off-by: NYoulin Li <liulin063@gmail.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20221103093440.3161-1-liulin063@gmail.com
      f1db2081
    • L
      Merge tag 'net-6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 9521c9d6
      Linus Torvalds 提交于
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bluetooth and netfilter.
      
        Current release - regressions:
      
         - net: several zerocopy flags fixes
      
         - netfilter: fix possible memory leak in nf_nat_init()
      
         - openvswitch: add missing .resv_start_op
      
        Previous releases - regressions:
      
         - neigh: fix null-ptr-deref in neigh_table_clear()
      
         - sched: fix use after free in red_enqueue()
      
         - dsa: fall back to default tagger if we can't load the one from DT
      
         - bluetooth: fix use-after-free in l2cap_conn_del()
      
        Previous releases - always broken:
      
         - netfilter: netlink notifier might race to release objects
      
         - nfc: fix potential memory leak of skb
      
         - bluetooth: fix use-after-free caused by l2cap_reassemble_sdu
      
         - bluetooth: use skb_put to set length
      
         - eth: tun: fix bugs for oversize packet when napi frags enabled
      
         - eth: lan966x: fixes for when MTU is changed
      
         - eth: dwmac-loongson: fix invalid mdio_node"
      
      * tag 'net-6.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (53 commits)
        vsock: fix possible infinite sleep in vsock_connectible_wait_data()
        vsock: remove the unused 'wait' in vsock_connectible_recvmsg()
        ipv6: fix WARNING in ip6_route_net_exit_late()
        bridge: Fix flushing of dynamic FDB entries
        net, neigh: Fix null-ptr-deref in neigh_table_clear()
        net/smc: Fix possible leaked pernet namespace in smc_init()
        stmmac: dwmac-loongson: fix invalid mdio_node
        ibmvnic: Free rwi on reset success
        net: mdio: fix undefined behavior in bit shift for __mdiobus_register
        Bluetooth: L2CAP: Fix attempting to access uninitialized memory
        Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
        Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
        Bluetooth: hci_conn: Fix not restoring ISO buffer count on disconnect
        Bluetooth: L2CAP: Fix memory leak in vhci_write
        Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
        Bluetooth: virtio_bt: Use skb_put to set length
        Bluetooth: hci_conn: Fix CIS connection dst_type handling
        Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
        netfilter: ipset: enforce documented limit to prevent allocating huge memory
        isdn: mISDN: netjet: fix wrong check of device registration
        ...
      9521c9d6
    • L
      Merge tag 'powerpc-6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 4d740391
      Linus Torvalds 提交于
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix an endian thinko in the asm-generic compat_arg_u64() which led to
         syscall arguments being swapped for some compat syscalls.
      
       - Fix syscall wrapper handling of syscalls with 64-bit arguments on
         32-bit kernels, which led to syscall arguments being misplaced.
      
       - A build fix for amdgpu on Book3E with AltiVec disabled.
      
      Thanks to Andreas Schwab, Christian Zigotzky, and Arnd Bergmann.
      
      * tag 'powerpc-6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/32: Select ARCH_SPLIT_ARG64
        powerpc/32: fix syscall wrappers with 64-bit arguments
        asm-generic: compat: fix compat_arg_u64() and compat_arg_u64_dual()
        powerpc/64e: Fix amdgpu build on Book3E w/o AltiVec
      4d740391
  4. 03 11月, 2022 13 次提交