Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
6598 commits 2 branches 0 tags 509 MiB
Commit graph

786 commits

Author SHA1 Message Date
Eric Dumazet
a687d1d501 net: do not delay dst_entries_add() in dst_release() 
commit ac888d58869bb99753e7652be19a151df9ecb35d upstream.

dst_entries_add() uses per-cpu data that might be freed at netns
dismantle from ip6_route_net_exit() calling dst_entries_destroy()

Before ip6_route_net_exit() can be called, we release all
the dsts associated with this netns, via calls to dst_release(),
which waits an rcu grace period before calling dst_destroy()

dst_entries_add() use in dst_destroy() is racy, because
dst_entries_destroy() could have been called already.

Decrementing the number of dsts must happen sooner.

Notes:

1) in CONFIG_XFRM case, dst_destroy() can call
   dst_release_immediate(child), this might also cause UAF
   if the child does not have DST_NOCOUNT set.
   IPSEC maintainers might take a look and see how to address this.

2) There is also discussion about removing this count of dst,
   which might happen in future kernels.

Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()")
Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Xin Long <lucien.xin@gmail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ resolved conflict due to bc9d3a9f2afc ("net: dst: Switch to rcuref_t
  reference counting") is not in the tree ]
Signed-off-by: Abdelkareem Abdelsaamad <kareemem@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2024-11-30 02:33:26 +01:00
Nikolay Aleksandrov
84c8728074 net: bridge: xmit: make sure we have at least eth header len bytes 
commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc upstream.

syzbot triggered an uninit value[1] error in bridge device's xmit path
by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
we can actually pull that amount instead of assuming.

Tested with dropwatch:
 drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
 origin: software
 timestamp: Mon May 13 11:31:53 2024 778214037 nsec
 protocol: 0x88a8
 length: 2
 original length: 2
 drop reason: PKT_TOO_SMALL

[1]
BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 netdev_start_xmit include/linux/netdevice.h:4917 [inline]
 xmit_one net/core/dev.c:3531 [inline]
 dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 __bpf_tx_skb net/core/filter.c:2136 [inline]
 __bpf_redirect_common net/core/filter.c:2180 [inline]
 __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
 ____bpf_clone_redirect net/core/filter.c:2460 [inline]
 bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
 __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2024-11-30 02:33:25 +01:00
Xin Long
06433495b9 sctp: properly validate chunk size in sctp_sf_ootb() 
[ Upstream commit 0ead60804b64f5bd6999eec88e503c6a1a242d41 ]

A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
size validation when walking chunks") is also required in sctp_sf_ootb()
to address a crash reported by syzbot:

  BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
  sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
  sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
  sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
  sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
  sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
  sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
  ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233

Reported-by: syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/a29ebb6d8b9f8affd0f9abb296faafafe10c17d8.1730223981.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2024-11-30 02:33:22 +01:00
Daniel Micay
7ff2e6fb4f add back Android paranoid check for socket creation 2024-11-30 02:17:31 +01:00
madaidan
6527a24e6f Make more sysctl constants read-only 2024-11-30 02:15:48 +01:00
Ksawlii
72abf1b25d Revert "net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP" 
This reverts commit 520a2c2f7f.
 2024-11-24 00:23:57 +01:00
Ksawlii
e913a37a4d Revert "net/smc: Allow SMC-D 1MB DMB allocations" 
This reverts commit 3ab7fb1f47.
 2024-11-24 00:23:56 +01:00
Ksawlii
43674763e3 Revert "net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined" 
This reverts commit 3bf0715dbb.
 2024-11-24 00:23:56 +01:00
Ksawlii
ddb8f59b0a Revert "netfilter: ctnetlink: use helper function to calculate expect ID" 
This reverts commit 42ea0c1913.
 2024-11-24 00:23:56 +01:00
Ksawlii
14ccccb888 Revert "ipv4: Fix incorrect source address in Record Route option" 
This reverts commit f1363b7ad0.
 2024-11-24 00:23:56 +01:00
Ksawlii
d48b5ce07c Revert "netfilter: nft_set_pipapo_avx2: disable softinterrupts" 
This reverts commit 8014af9c29.
 2024-11-24 00:23:56 +01:00
Ksawlii
9e3a5af4fc Revert "net: nexthop: Initialize all fields in dumped nexthops" 
This reverts commit ce425a0621.
 2024-11-24 00:23:55 +01:00
Ksawlii
9a94739948 Revert "net/iucv: fix use after free in iucv_sock_close()" 
This reverts commit 438fa4e57f.
 2024-11-24 00:23:55 +01:00
Ksawlii
91e81d11cd Revert "ipv6: fix ndisc_is_useropt() handling for PIO" 
This reverts commit 254636f1d3.
 2024-11-24 00:23:55 +01:00
Ksawlii
6e343e2374 Revert "netfilter: ipset: Add list flush to cancel_gc" 
This reverts commit 92bba407f6.
 2024-11-24 00:23:55 +01:00
Ksawlii
403fa37a8b Revert "net: linkwatch: use system_unbound_wq" 
This reverts commit 511ce8b5bf.
 2024-11-24 00:23:55 +01:00
Ksawlii
435344388b Revert "wifi: nl80211: don't give key data to userspace" 
This reverts commit 54fc577e27.
 2024-11-24 00:23:55 +01:00
Ksawlii
17917ff85a Revert "netfilter: nf_tables: set element extended ACK reporting support" 
This reverts commit 466cd07e9a.
 2024-11-24 00:23:55 +01:00
Ksawlii
73844bf19d Revert "netfilter: nf_tables: use timestamp to check for set element timeout" 
This reverts commit 7d64835c13.
 2024-11-24 00:23:55 +01:00
Ksawlii
c44e98a853 Revert "netfilter: nf_tables: allow clone callbacks to sleep" 
This reverts commit b2a587e7a5.
 2024-11-24 00:23:54 +01:00
Ksawlii
ebf3750840 Revert "netfilter: nf_tables: prefer nft_chain_validate" 
This reverts commit b362800323.
 2024-11-24 00:23:54 +01:00
Ksawlii
4605e59f82 Revert "mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size" 
This reverts commit 4dc41c3381.
 2024-11-24 00:23:53 +01:00
Ksawlii
33c0334ca2 Revert "netfilter: flowtable: initialise extack before use" 
This reverts commit 734d26aac7.
 2024-11-24 00:23:53 +01:00
Ksawlii
c186dd147a Revert "wifi: mac80211: fix BA session teardown race" 
This reverts commit a2036d5d3c.
 2024-11-24 00:23:53 +01:00
Ksawlii
4803ddf965 Revert "netlink: hold nlk->cb_mutex longer in __netlink_dump_start()" 
This reverts commit 6fb6379d7d.
 2024-11-24 00:23:52 +01:00
Ksawlii
f240e34e03 Revert "Bluetooth: bnep: Fix out-of-bound access" 
This reverts commit db39518d11.
 2024-11-24 00:23:52 +01:00
Ksawlii
b59cf7d671 Revert "Bluetooth: hci_core: Fix LE quote calculation" 
This reverts commit bafa10dcb6.
 2024-11-24 00:23:52 +01:00
Ksawlii
0c4e79d991 Revert "Bluetooth: SMP: Fix assumption of Central always being Initiator" 
This reverts commit 35cecaecda.
 2024-11-24 00:23:52 +01:00
Ksawlii
c322079edc Revert "netfilter: nft_counter: Synchronize nft_counter_reset() against reader." 
This reverts commit f20c3d81df.
 2024-11-24 00:23:52 +01:00
Ksawlii
de3732a8a6 Revert "ip6_tunnel: Fix broken GRO" 
This reverts commit dba9b999e6.
 2024-11-24 00:23:51 +01:00
Ksawlii
d79e44c045 Revert "netem: fix return value if duplicate enqueue fails" 
This reverts commit 14760fe3bf.
 2024-11-24 00:23:51 +01:00
Ksawlii
e14260decb Revert "ipv6: prevent UAF in ip6_send_skb()" 
This reverts commit d6266009b2.
 2024-11-24 00:23:51 +01:00
Ksawlii
859e137741 Revert "Bluetooth: MGMT: Add error handling to pair_device()" 
This reverts commit 6c918bc083.
 2024-11-24 00:23:50 +01:00
Ksawlii
9b92164945 Revert "nfsd: Don't call freezable_schedule_timeout() after each successful page allocation in svc_alloc_arg()." 
This reverts commit 64d856f842.
 2024-11-24 00:23:50 +01:00
Ksawlii
ca5fc87f0c Revert "mptcp: sched: check both backup in retrans" 
This reverts commit 772ceb7452.
 2024-11-24 00:23:50 +01:00
Ksawlii
6ab3af7f42 Revert "net:rds: Fix possible deadlock in rds_message_put" 
This reverts commit 5c07cf9908.
 2024-11-24 00:23:49 +01:00
Ksawlii
92b9ce75e1 Revert "ethtool: check device is present when getting link settings" 
This reverts commit ef4f72282f.
 2024-11-24 00:23:49 +01:00
Ksawlii
f89c56f5da Revert "wifi: cfg80211: make hash table duplicates more survivable" 
This reverts commit 7f8f7aa2eb.
 2024-11-24 00:23:47 +01:00
Ksawlii
8f420f8031 Revert "net: set SOCK_RCU_FREE before inserting socket into hashtable" 
This reverts commit 55d08f4214.
 2024-11-24 00:23:47 +01:00
Ksawlii
a588fda053 Revert "sch/netem: fix use after free in netem_dequeue" 
This reverts commit 4959125286.
 2024-11-24 00:23:46 +01:00
Ksawlii
d7c903ea5e Revert "Bluetooth: MGMT: Ignore keys being loaded with invalid type" 
This reverts commit 87cbc07db4.
 2024-11-24 00:23:46 +01:00
Ksawlii
68a9453cfd Revert "mptcp: pr_debug: add missing \n at the end" 
This reverts commit 3f56f2c382.
 2024-11-24 00:23:45 +01:00
Ksawlii
40ac982c85 Revert "mptcp: pm: avoid possible UaF when selecting endp" 
This reverts commit 7f092ac2f1.
 2024-11-24 00:23:45 +01:00
Ksawlii
f2f218a130 Revert "sunrpc: don't change ->sv_stats if it doesn't exist" 
This reverts commit e4c6a8a3a1.
 2024-11-24 00:23:45 +01:00
Ksawlii
181d28ae2b Revert "sunrpc: pass in the sv_stats struct through svc_create_pooled" 
This reverts commit bdc4a7b40a.
 2024-11-24 00:23:44 +01:00
Ksawlii
4229090b10 Revert "sunrpc: use the struct net as the svc proc private" 
This reverts commit 2877cd403d.
 2024-11-24 00:23:44 +01:00
Ksawlii
0868060b93 Revert "af_unix: Remove put_pid()/put_cred() in copy_peercred()." 
This reverts commit 7d62680ff2.
 2024-11-24 00:23:43 +01:00
Ksawlii
69247ebb18 Revert "netfilter: nf_conncount: fix wrong variable type" 
This reverts commit 10caf25e6d.
 2024-11-24 00:23:43 +01:00
Ksawlii
7a8e8ba02b Revert "can: bcm: Remove proc entry when dev is unregistered." 
This reverts commit 333529d2d4.
 2024-11-24 00:23:42 +01:00
Ksawlii
8529212e6d Revert "svcrdma: Catch another Reply chunk overflow case" 
This reverts commit 6d3cecf9a4.
 2024-11-24 00:23:42 +01:00