<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v4.9.282</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net/rds: dma_map_sg is entitled to merge entries</title>
<updated>2021-09-03T07:44:40+00:00</updated>
<author>
<name>Gerd Rausch</name>
<email>gerd.rausch@oracle.com</email>
</author>
<published>2021-08-17T17:04:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=706938b1d0e23da591cc999c902351229b1d8c97'/>
<id>706938b1d0e23da591cc999c902351229b1d8c97</id>
<content type='text'>
[ Upstream commit fb4b1373dcab086d0619c29310f0466a0b2ceb8a ]

Function "dma_map_sg" is entitled to merge adjacent entries
and return a value smaller than what was passed as "nents".

Subsequently "ib_map_mr_sg" needs to work with this value ("sg_dma_len")
rather than the original "nents" parameter ("sg_len").

This old RDS bug was exposed and reliably causes kernel panics
(using RDMA operations "rds-stress -D") on x86_64 starting with:
commit c588072bba6b ("iommu/vt-d: Convert intel iommu driver to the iommu ops")

Simply put: Linux 5.11 and later.

Signed-off-by: Gerd Rausch &lt;gerd.rausch@oracle.com&gt;
Acked-by: Santosh Shilimkar &lt;santosh.shilimkar@oracle.com&gt;
Link: https://lore.kernel.org/r/60efc69f-1f35-529d-a7ef-da0549cad143@oracle.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit fb4b1373dcab086d0619c29310f0466a0b2ceb8a ]

Function "dma_map_sg" is entitled to merge adjacent entries
and return a value smaller than what was passed as "nents".

Subsequently "ib_map_mr_sg" needs to work with this value ("sg_dma_len")
rather than the original "nents" parameter ("sg_len").

This old RDS bug was exposed and reliably causes kernel panics
(using RDMA operations "rds-stress -D") on x86_64 starting with:
commit c588072bba6b ("iommu/vt-d: Convert intel iommu driver to the iommu ops")

Simply put: Linux 5.11 and later.

Signed-off-by: Gerd Rausch &lt;gerd.rausch@oracle.com&gt;
Acked-by: Santosh Shilimkar &lt;santosh.shilimkar@oracle.com&gt;
Link: https://lore.kernel.org/r/60efc69f-1f35-529d-a7ef-da0549cad143@oracle.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ip_gre: add validation for csum_start</title>
<updated>2021-09-03T07:44:40+00:00</updated>
<author>
<name>Shreyansh Chouhan</name>
<email>chouhan.shreyansh630@gmail.com</email>
</author>
<published>2021-08-21T07:14:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=41d5dfa408130433cc5f037ad89bed854bf936f7'/>
<id>41d5dfa408130433cc5f037ad89bed854bf936f7</id>
<content type='text'>
[ Upstream commit 1d011c4803c72f3907eccfc1ec63caefb852fcbf ]

Validate csum_start in gre_handle_offloads before we call _gre_xmit so
that we do not crash later when the csum_start value is used in the
lco_csum function call.

This patch deals with ipv4 code.

Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Reported-by: syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com
Signed-off-by: Shreyansh Chouhan &lt;chouhan.shreyansh630@gmail.com&gt;
Reviewed-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1d011c4803c72f3907eccfc1ec63caefb852fcbf ]

Validate csum_start in gre_handle_offloads before we call _gre_xmit so
that we do not crash later when the csum_start value is used in the
lco_csum function call.

This patch deals with ipv4 code.

Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Reported-by: syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com
Signed-off-by: Shreyansh Chouhan &lt;chouhan.shreyansh630@gmail.com&gt;
Reviewed-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>dccp: add do-while-0 stubs for dccp_pr_debug macros</title>
<updated>2021-08-26T12:37:27+00:00</updated>
<author>
<name>Randy Dunlap</name>
<email>rdunlap@infradead.org</email>
</author>
<published>2021-08-08T23:04:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=adc3308f9af34e0a16cbad19dfe000983d4fe93b'/>
<id>adc3308f9af34e0a16cbad19dfe000983d4fe93b</id>
<content type='text'>
[ Upstream commit 86aab09a4870bb8346c9579864588c3d7f555299 ]

GCC complains about empty macros in an 'if' statement, so convert
them to 'do {} while (0)' macros.

Fixes these build warnings:

net/dccp/output.c: In function 'dccp_xmit_packet':
../net/dccp/output.c:283:71: warning: suggest braces around empty body in an 'if' statement [-Wempty-body]
  283 |                 dccp_pr_debug("transmit_skb() returned err=%d\n", err);
net/dccp/ackvec.c: In function 'dccp_ackvec_update_old':
../net/dccp/ackvec.c:163:80: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
  163 |                                               (unsigned long long)seqno, state);

Fixes: dc841e30eaea ("dccp: Extend CCID packet dequeueing interface")
Fixes: 380240864451 ("dccp ccid-2: Update code for the Ack Vector input/registration routine")
Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: dccp@vger.kernel.org
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: Jakub Kicinski &lt;kuba@kernel.org&gt;
Cc: Gerrit Renker &lt;gerrit@erg.abdn.ac.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 86aab09a4870bb8346c9579864588c3d7f555299 ]

GCC complains about empty macros in an 'if' statement, so convert
them to 'do {} while (0)' macros.

Fixes these build warnings:

net/dccp/output.c: In function 'dccp_xmit_packet':
../net/dccp/output.c:283:71: warning: suggest braces around empty body in an 'if' statement [-Wempty-body]
  283 |                 dccp_pr_debug("transmit_skb() returned err=%d\n", err);
net/dccp/ackvec.c: In function 'dccp_ackvec_update_old':
../net/dccp/ackvec.c:163:80: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
  163 |                                               (unsigned long long)seqno, state);

Fixes: dc841e30eaea ("dccp: Extend CCID packet dequeueing interface")
Fixes: 380240864451 ("dccp ccid-2: Update code for the Ack Vector input/registration routine")
Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: dccp@vger.kernel.org
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: Jakub Kicinski &lt;kuba@kernel.org&gt;
Cc: Gerrit Renker &lt;gerrit@erg.abdn.ac.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: use correct wait queue when removing ctrl_wait</title>
<updated>2021-08-26T12:37:27+00:00</updated>
<author>
<name>Ole Bjørn Midtbø</name>
<email>omidtbo@cisco.com</email>
</author>
<published>2020-10-17T11:15:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b8c000ef69cedec78a83832c8fa615872151e9fa'/>
<id>b8c000ef69cedec78a83832c8fa615872151e9fa</id>
<content type='text'>
[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ]

A different wait queue was used when removing ctrl_wait than when adding
it. This effectively made the remove operation without locking compared
to other operations on the wait queue ctrl_wait was part of. This caused
issues like below where dead000000000100 is LIST_POISON1 and
dead000000000200 is LIST_POISON2.

 list_add corruption. next-&gt;prev should be prev (ffffffc1b0a33a08), \
	but was dead000000000200. (next=ffffffc03ac77de0).
 ------------[ cut here ]------------
 CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
 ...
 ---[ end trace 0adc2158f0646eac ]---
 Call trace:
 [&lt;ffffffc000443f78&gt;] __list_add+0x38/0xb0
 [&lt;ffffffc0000f0d04&gt;] add_wait_queue+0x4c/0x68
 [&lt;ffffffc00020eecc&gt;] __pollwait+0xec/0x100
 [&lt;ffffffc000d1556c&gt;] bt_sock_poll+0x74/0x200
 [&lt;ffffffc000bdb8a8&gt;] sock_poll+0x110/0x128
 [&lt;ffffffc000210378&gt;] do_sys_poll+0x220/0x480
 [&lt;ffffffc0002106f0&gt;] SyS_poll+0x80/0x138
 [&lt;ffffffc00008510c&gt;] __sys_trace_return+0x0/0x4

 Unable to handle kernel paging request at virtual address dead000000000100
 ...
 CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
 ...
 Call trace:
  [&lt;ffffffc0000f079c&gt;] __wake_up_common+0x7c/0xa8
  [&lt;ffffffc0000f0818&gt;] __wake_up+0x50/0x70
  [&lt;ffffffc000be11b0&gt;] sock_def_wakeup+0x58/0x60
  [&lt;ffffffc000de5e10&gt;] l2cap_sock_teardown_cb+0x200/0x224
  [&lt;ffffffc000d3f2ac&gt;] l2cap_chan_del+0xa4/0x298
  [&lt;ffffffc000d45ea0&gt;] l2cap_conn_del+0x118/0x198
  [&lt;ffffffc000d45f8c&gt;] l2cap_disconn_cfm+0x6c/0x78
  [&lt;ffffffc000d29934&gt;] hci_event_packet+0x564/0x2e30
  [&lt;ffffffc000d19b0c&gt;] hci_rx_work+0x10c/0x360
  [&lt;ffffffc0000c2218&gt;] process_one_work+0x268/0x460
  [&lt;ffffffc0000c2678&gt;] worker_thread+0x268/0x480
  [&lt;ffffffc0000c94e0&gt;] kthread+0x118/0x128
  [&lt;ffffffc000085070&gt;] ret_from_fork+0x10/0x20
  ---[ end trace 0adc2158f0646ead ]---

Signed-off-by: Ole Bjørn Midtbø &lt;omidtbo@cisco.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ]

A different wait queue was used when removing ctrl_wait than when adding
it. This effectively made the remove operation without locking compared
to other operations on the wait queue ctrl_wait was part of. This caused
issues like below where dead000000000100 is LIST_POISON1 and
dead000000000200 is LIST_POISON2.

 list_add corruption. next-&gt;prev should be prev (ffffffc1b0a33a08), \
	but was dead000000000200. (next=ffffffc03ac77de0).
 ------------[ cut here ]------------
 CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
 ...
 ---[ end trace 0adc2158f0646eac ]---
 Call trace:
 [&lt;ffffffc000443f78&gt;] __list_add+0x38/0xb0
 [&lt;ffffffc0000f0d04&gt;] add_wait_queue+0x4c/0x68
 [&lt;ffffffc00020eecc&gt;] __pollwait+0xec/0x100
 [&lt;ffffffc000d1556c&gt;] bt_sock_poll+0x74/0x200
 [&lt;ffffffc000bdb8a8&gt;] sock_poll+0x110/0x128
 [&lt;ffffffc000210378&gt;] do_sys_poll+0x220/0x480
 [&lt;ffffffc0002106f0&gt;] SyS_poll+0x80/0x138
 [&lt;ffffffc00008510c&gt;] __sys_trace_return+0x0/0x4

 Unable to handle kernel paging request at virtual address dead000000000100
 ...
 CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
 ...
 Call trace:
  [&lt;ffffffc0000f079c&gt;] __wake_up_common+0x7c/0xa8
  [&lt;ffffffc0000f0818&gt;] __wake_up+0x50/0x70
  [&lt;ffffffc000be11b0&gt;] sock_def_wakeup+0x58/0x60
  [&lt;ffffffc000de5e10&gt;] l2cap_sock_teardown_cb+0x200/0x224
  [&lt;ffffffc000d3f2ac&gt;] l2cap_chan_del+0xa4/0x298
  [&lt;ffffffc000d45ea0&gt;] l2cap_conn_del+0x118/0x198
  [&lt;ffffffc000d45f8c&gt;] l2cap_disconn_cfm+0x6c/0x78
  [&lt;ffffffc000d29934&gt;] hci_event_packet+0x564/0x2e30
  [&lt;ffffffc000d19b0c&gt;] hci_rx_work+0x10c/0x360
  [&lt;ffffffc0000c2218&gt;] process_one_work+0x268/0x460
  [&lt;ffffffc0000c2678&gt;] worker_thread+0x268/0x480
  [&lt;ffffffc0000c94e0&gt;] kthread+0x118/0x128
  [&lt;ffffffc000085070&gt;] ret_from_fork+0x10/0x20
  ---[ end trace 0adc2158f0646ead ]---

Signed-off-by: Ole Bjørn Midtbø &lt;omidtbo@cisco.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: drop data frames without key on encrypted links</title>
<updated>2021-08-26T12:37:25+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2020-03-26T13:09:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ca37ab969cce230dce0d478d46c4dc7db8d3a267'/>
<id>ca37ab969cce230dce0d478d46c4dc7db8d3a267</id>
<content type='text'>
commit a0761a301746ec2d92d7fcb82af69c0a6a4339aa upstream.

If we know that we have an encrypted link (based on having had
a key configured for TX in the past) then drop all data frames
in the key selection handler if there's no key anymore.

This fixes an issue with mac80211 internal TXQs - there we can
buffer frames for an encrypted link, but then if the key is no
longer there when they're dequeued, the frames are sent without
encryption. This happens if a station is disconnected while the
frames are still on the TXQ.

Detecting that a link should be encrypted based on a first key
having been configured for TX is fine as there are no use cases
for a connection going from with encryption to no encryption.
With extended key IDs, however, there is a case of having a key
configured for only decryption, so we can't just trigger this
behaviour on a key being configured.

Cc: stable@vger.kernel.org
Reported-by: Jouni Malinen &lt;j@w1.fi&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
Link: https://lore.kernel.org/r/iwlwifi.20200326150855.6865c7f28a14.I9fb1d911b064262d33e33dfba730cdeef83926ca@changeid
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
[pali: Backported to 4.19 and older versions]
Signed-off-by: Pali Rohár &lt;pali@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a0761a301746ec2d92d7fcb82af69c0a6a4339aa upstream.

If we know that we have an encrypted link (based on having had
a key configured for TX in the past) then drop all data frames
in the key selection handler if there's no key anymore.

This fixes an issue with mac80211 internal TXQs - there we can
buffer frames for an encrypted link, but then if the key is no
longer there when they're dequeued, the frames are sent without
encryption. This happens if a station is disconnected while the
frames are still on the TXQ.

Detecting that a link should be encrypted based on a first key
having been configured for TX is fine as there are no use cases
for a connection going from with encryption to no encryption.
With extended key IDs, however, there is a case of having a key
configured for only decryption, so we can't just trigger this
behaviour on a key being configured.

Cc: stable@vger.kernel.org
Reported-by: Jouni Malinen &lt;j@w1.fi&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
Link: https://lore.kernel.org/r/iwlwifi.20200326150855.6865c7f28a14.I9fb1d911b064262d33e33dfba730cdeef83926ca@changeid
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
[pali: Backported to 4.19 and older versions]
Signed-off-by: Pali Rohár &lt;pali@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets</title>
<updated>2021-08-26T12:37:23+00:00</updated>
<author>
<name>Neal Cardwell</name>
<email>ncardwell@google.com</email>
</author>
<published>2021-08-11T02:40:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=347bebf79545e2f1c8dedd1ace02d15f3837eed8'/>
<id>347bebf79545e2f1c8dedd1ace02d15f3837eed8</id>
<content type='text'>
[ Upstream commit 6de035fec045f8ae5ee5f3a02373a18b939e91fb ]

Currently if BBR congestion control is initialized after more than 2B
packets have been delivered, depending on the phase of the
tp-&gt;delivered counter the tracking of BBR round trips can get stuck.

The bug arises because if tp-&gt;delivered is between 2^31 and 2^32 at
the time the BBR congestion control module is initialized, then the
initialization of bbr-&gt;next_rtt_delivered to 0 will cause the logic to
believe that the end of the round trip is still billions of packets in
the future. More specifically, the following check will fail
repeatedly:

  !before(rs-&gt;prior_delivered, bbr-&gt;next_rtt_delivered)

and thus the connection will take up to 2B packets delivered before
that check will pass and the connection will set:

  bbr-&gt;round_start = 1;

This could cause many mechanisms in BBR to fail to trigger, for
example bbr_check_full_bw_reached() would likely never exit STARTUP.

This bug is 5 years old and has not been observed, and as a practical
matter this would likely rarely trigger, since it would require
transferring at least 2B packets, or likely more than 3 terabytes of
data, before switching congestion control algorithms to BBR.

This patch is a stable candidate for kernels as far back as v4.9,
when tcp_bbr.c was added.

Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Reviewed-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Reviewed-by: Kevin Yang &lt;yyd@google.com&gt;
Reviewed-by: Eric Dumazet &lt;edumazet@google.com&gt;
Link: https://lore.kernel.org/r/20210811024056.235161-1-ncardwell@google.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6de035fec045f8ae5ee5f3a02373a18b939e91fb ]

Currently if BBR congestion control is initialized after more than 2B
packets have been delivered, depending on the phase of the
tp-&gt;delivered counter the tracking of BBR round trips can get stuck.

The bug arises because if tp-&gt;delivered is between 2^31 and 2^32 at
the time the BBR congestion control module is initialized, then the
initialization of bbr-&gt;next_rtt_delivered to 0 will cause the logic to
believe that the end of the round trip is still billions of packets in
the future. More specifically, the following check will fail
repeatedly:

  !before(rs-&gt;prior_delivered, bbr-&gt;next_rtt_delivered)

and thus the connection will take up to 2B packets delivered before
that check will pass and the connection will set:

  bbr-&gt;round_start = 1;

This could cause many mechanisms in BBR to fail to trigger, for
example bbr_check_full_bw_reached() would likely never exit STARTUP.

This bug is 5 years old and has not been observed, and as a practical
matter this would likely rarely trigger, since it would require
transferring at least 2B packets, or likely more than 3 terabytes of
data, before switching congestion control algorithms to BBR.

This patch is a stable candidate for kernels as far back as v4.9,
when tcp_bbr.c was added.

Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Reviewed-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Reviewed-by: Kevin Yang &lt;yyd@google.com&gt;
Reviewed-by: Eric Dumazet &lt;edumazet@google.com&gt;
Link: https://lore.kernel.org/r/20210811024056.235161-1-ncardwell@google.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: bridge: fix memleak in br_add_if()</title>
<updated>2021-08-26T12:37:22+00:00</updated>
<author>
<name>Yang Yingliang</name>
<email>yangyingliang@huawei.com</email>
</author>
<published>2021-08-09T13:20:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59ef9eb17186ebc99108ef7429e6c9da38c86a29'/>
<id>59ef9eb17186ebc99108ef7429e6c9da38c86a29</id>
<content type='text'>
[ Upstream commit 519133debcc19f5c834e7e28480b60bdc234fe02 ]

I got a memleak report:

BUG: memory leak
unreferenced object 0x607ee521a658 (size 240):
comm "syz-executor.0", pid 955, jiffies 4294780569 (age 16.449s)
hex dump (first 32 bytes, cpu 1):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[&lt;00000000d830ea5a&gt;] br_multicast_add_port+0x1c2/0x300 net/bridge/br_multicast.c:1693
[&lt;00000000274d9a71&gt;] new_nbp net/bridge/br_if.c:435 [inline]
[&lt;00000000274d9a71&gt;] br_add_if+0x670/0x1740 net/bridge/br_if.c:611
[&lt;0000000012ce888e&gt;] do_set_master net/core/rtnetlink.c:2513 [inline]
[&lt;0000000012ce888e&gt;] do_set_master+0x1aa/0x210 net/core/rtnetlink.c:2487
[&lt;0000000099d1cafc&gt;] __rtnl_newlink+0x1095/0x13e0 net/core/rtnetlink.c:3457
[&lt;00000000a01facc0&gt;] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
[&lt;00000000acc9186c&gt;] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5550
[&lt;00000000d4aabb9c&gt;] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
[&lt;00000000bc2e12a3&gt;] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
[&lt;00000000bc2e12a3&gt;] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
[&lt;00000000e4dc2d0e&gt;] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
[&lt;000000000d22c8b3&gt;] sock_sendmsg_nosec net/socket.c:654 [inline]
[&lt;000000000d22c8b3&gt;] sock_sendmsg+0x139/0x170 net/socket.c:674
[&lt;00000000e281417a&gt;] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
[&lt;00000000237aa2ab&gt;] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
[&lt;000000004f2dc381&gt;] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
[&lt;0000000005feca6c&gt;] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
[&lt;000000007304477d&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xae

On error path of br_add_if(), p-&gt;mcast_stats allocated in
new_nbp() need be freed, or it will be leaked.

Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
Reported-by: Hulk Robot &lt;hulkci@huawei.com&gt;
Signed-off-by: Yang Yingliang &lt;yangyingliang@huawei.com&gt;
Acked-by: Nikolay Aleksandrov &lt;nikolay@nvidia.com&gt;
Link: https://lore.kernel.org/r/20210809132023.978546-1-yangyingliang@huawei.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 519133debcc19f5c834e7e28480b60bdc234fe02 ]

I got a memleak report:

BUG: memory leak
unreferenced object 0x607ee521a658 (size 240):
comm "syz-executor.0", pid 955, jiffies 4294780569 (age 16.449s)
hex dump (first 32 bytes, cpu 1):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[&lt;00000000d830ea5a&gt;] br_multicast_add_port+0x1c2/0x300 net/bridge/br_multicast.c:1693
[&lt;00000000274d9a71&gt;] new_nbp net/bridge/br_if.c:435 [inline]
[&lt;00000000274d9a71&gt;] br_add_if+0x670/0x1740 net/bridge/br_if.c:611
[&lt;0000000012ce888e&gt;] do_set_master net/core/rtnetlink.c:2513 [inline]
[&lt;0000000012ce888e&gt;] do_set_master+0x1aa/0x210 net/core/rtnetlink.c:2487
[&lt;0000000099d1cafc&gt;] __rtnl_newlink+0x1095/0x13e0 net/core/rtnetlink.c:3457
[&lt;00000000a01facc0&gt;] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
[&lt;00000000acc9186c&gt;] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5550
[&lt;00000000d4aabb9c&gt;] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
[&lt;00000000bc2e12a3&gt;] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
[&lt;00000000bc2e12a3&gt;] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
[&lt;00000000e4dc2d0e&gt;] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
[&lt;000000000d22c8b3&gt;] sock_sendmsg_nosec net/socket.c:654 [inline]
[&lt;000000000d22c8b3&gt;] sock_sendmsg+0x139/0x170 net/socket.c:674
[&lt;00000000e281417a&gt;] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
[&lt;00000000237aa2ab&gt;] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
[&lt;000000004f2dc381&gt;] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
[&lt;0000000005feca6c&gt;] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
[&lt;000000007304477d&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xae

On error path of br_add_if(), p-&gt;mcast_stats allocated in
new_nbp() need be freed, or it will be leaked.

Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
Reported-by: Hulk Robot &lt;hulkci@huawei.com&gt;
Signed-off-by: Yang Yingliang &lt;yangyingliang@huawei.com&gt;
Acked-by: Nikolay Aleksandrov &lt;nikolay@nvidia.com&gt;
Link: https://lore.kernel.org/r/20210809132023.978546-1-yangyingliang@huawei.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Fix memory leak in ieee802154_raw_deliver</title>
<updated>2021-08-26T12:37:22+00:00</updated>
<author>
<name>Takeshi Misawa</name>
<email>jeliantsurux@gmail.com</email>
</author>
<published>2021-08-05T07:54:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2d661ed3573c9ba0a1f75b5587974a054ed8a142'/>
<id>2d661ed3573c9ba0a1f75b5587974a054ed8a142</id>
<content type='text'>
[ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ]

If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
Fix this, by freeing sk_receive_queue in sk-&gt;sk_destruct().

syzbot report:
BUG: memory leak
unreferenced object 0xffff88810f644600 (size 232):
  comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
  hex dump (first 32 bytes):
    10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff  .}K......}K.....
    00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff  ........@|K.....
  backtrace:
    [&lt;ffffffff83651d4a&gt;] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
    [&lt;ffffffff83fe1b80&gt;] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
    [&lt;ffffffff83fe1b80&gt;] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
    [&lt;ffffffff8367cc7a&gt;] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
    [&lt;ffffffff8367cd07&gt;] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
    [&lt;ffffffff8367cdd9&gt;] netif_receive_skb_internal net/core/dev.c:5603 [inline]
    [&lt;ffffffff8367cdd9&gt;] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
    [&lt;ffffffff83fe6302&gt;] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
    [&lt;ffffffff83fe6302&gt;] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
    [&lt;ffffffff83fe6302&gt;] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
    [&lt;ffffffff83fe6302&gt;] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
    [&lt;ffffffff83fe59a6&gt;] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
    [&lt;ffffffff81232aab&gt;] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
    [&lt;ffffffff846000bf&gt;] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
    [&lt;ffffffff81232f4c&gt;] do_softirq kernel/softirq.c:248 [inline]
    [&lt;ffffffff81232f4c&gt;] do_softirq+0x5c/0x80 kernel/softirq.c:235
    [&lt;ffffffff81232fc1&gt;] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
    [&lt;ffffffff8367a9a4&gt;] local_bh_enable include/linux/bottom_half.h:32 [inline]
    [&lt;ffffffff8367a9a4&gt;] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
    [&lt;ffffffff8367a9a4&gt;] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
    [&lt;ffffffff83fe2db4&gt;] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
    [&lt;ffffffff8363af16&gt;] sock_sendmsg_nosec net/socket.c:654 [inline]
    [&lt;ffffffff8363af16&gt;] sock_sendmsg+0x56/0x80 net/socket.c:674
    [&lt;ffffffff8363deec&gt;] __sys_sendto+0x15c/0x200 net/socket.c:1977
    [&lt;ffffffff8363dfb6&gt;] __do_sys_sendto net/socket.c:1989 [inline]
    [&lt;ffffffff8363dfb6&gt;] __se_sys_sendto net/socket.c:1985 [inline]
    [&lt;ffffffff8363dfb6&gt;] __x64_sys_sendto+0x26/0x30 net/socket.c:1985

Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
Signed-off-by: Takeshi Misawa &lt;jeliantsurux@gmail.com&gt;
Acked-by: Alexander Aring &lt;aahringo@redhat.com&gt;
Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP
Signed-off-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ]

If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
Fix this, by freeing sk_receive_queue in sk-&gt;sk_destruct().

syzbot report:
BUG: memory leak
unreferenced object 0xffff88810f644600 (size 232):
  comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
  hex dump (first 32 bytes):
    10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff  .}K......}K.....
    00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff  ........@|K.....
  backtrace:
    [&lt;ffffffff83651d4a&gt;] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
    [&lt;ffffffff83fe1b80&gt;] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
    [&lt;ffffffff83fe1b80&gt;] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
    [&lt;ffffffff8367cc7a&gt;] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
    [&lt;ffffffff8367cd07&gt;] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
    [&lt;ffffffff8367cdd9&gt;] netif_receive_skb_internal net/core/dev.c:5603 [inline]
    [&lt;ffffffff8367cdd9&gt;] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
    [&lt;ffffffff83fe6302&gt;] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
    [&lt;ffffffff83fe6302&gt;] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
    [&lt;ffffffff83fe6302&gt;] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
    [&lt;ffffffff83fe6302&gt;] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
    [&lt;ffffffff83fe59a6&gt;] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
    [&lt;ffffffff81232aab&gt;] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
    [&lt;ffffffff846000bf&gt;] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
    [&lt;ffffffff81232f4c&gt;] do_softirq kernel/softirq.c:248 [inline]
    [&lt;ffffffff81232f4c&gt;] do_softirq+0x5c/0x80 kernel/softirq.c:235
    [&lt;ffffffff81232fc1&gt;] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
    [&lt;ffffffff8367a9a4&gt;] local_bh_enable include/linux/bottom_half.h:32 [inline]
    [&lt;ffffffff8367a9a4&gt;] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
    [&lt;ffffffff8367a9a4&gt;] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
    [&lt;ffffffff83fe2db4&gt;] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
    [&lt;ffffffff8363af16&gt;] sock_sendmsg_nosec net/socket.c:654 [inline]
    [&lt;ffffffff8363af16&gt;] sock_sendmsg+0x56/0x80 net/socket.c:674
    [&lt;ffffffff8363deec&gt;] __sys_sendto+0x15c/0x200 net/socket.c:1977
    [&lt;ffffffff8363dfb6&gt;] __do_sys_sendto net/socket.c:1989 [inline]
    [&lt;ffffffff8363dfb6&gt;] __se_sys_sendto net/socket.c:1985 [inline]
    [&lt;ffffffff8363dfb6&gt;] __x64_sys_sendto+0x26/0x30 net/socket.c:1985

Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
Signed-off-by: Takeshi Misawa &lt;jeliantsurux@gmail.com&gt;
Acked-by: Alexander Aring &lt;aahringo@redhat.com&gt;
Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP
Signed-off-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: defer cleanup of resources in hci_unregister_dev()</title>
<updated>2021-08-15T11:01:02+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@i-love.sakura.ne.jp</email>
</author>
<published>2021-08-04T10:26:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0e77f979a97d3d517fad0b51249ba6fb8ae2d365'/>
<id>0e77f979a97d3d517fad0b51249ba6fb8ae2d365</id>
<content type='text'>
[ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]

syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
calling lock_sock() with rw spinlock held [1].

It seems that history of this locking problem is a trial and error.

Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
lock_sock() as an attempt to fix lockdep warning.

Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
sleep in atomic context warning.

Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
hci_sock.c") in 3.3-rc1 removed local_bh_disable().

Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF
of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
lock_sock() as an attempt to fix CVE-2021-3573.

This difficulty comes from current implementation that
hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
references from sockets because hci_unregister_dev() immediately
reclaims resources as soon as returning from
hci_sock_dev_event(HCI_DEV_UNREG).

But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
doing what it should do.

Therefore, instead of trying to detach sockets from device, let's accept
not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
by moving actual cleanup of resources from hci_unregister_dev() to
hci_cleanup_dev() which is called by bt_host_release() when all
references to this unregistered device (which is a kobject) are gone.

Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
hci_pi(sk)-&gt;hdev, we need to check whether this device was unregistered
and return an error based on HCI_UNREGISTER flag.  There might be subtle
behavioral difference in "monitor the hdev" functionality; please report
if you found something went wrong due to this patch.

Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
Reported-by: syzbot &lt;syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com&gt;
Suggested-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
Acked-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]

syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
calling lock_sock() with rw spinlock held [1].

It seems that history of this locking problem is a trial and error.

Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
lock_sock() as an attempt to fix lockdep warning.

Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
sleep in atomic context warning.

Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
hci_sock.c") in 3.3-rc1 removed local_bh_disable().

Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF
of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
lock_sock() as an attempt to fix CVE-2021-3573.

This difficulty comes from current implementation that
hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
references from sockets because hci_unregister_dev() immediately
reclaims resources as soon as returning from
hci_sock_dev_event(HCI_DEV_UNREG).

But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
doing what it should do.

Therefore, instead of trying to detach sockets from device, let's accept
not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
by moving actual cleanup of resources from hci_unregister_dev() to
hci_cleanup_dev() which is called by bt_host_release() when all
references to this unregistered device (which is a kobject) are gone.

Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
hci_pi(sk)-&gt;hdev, we need to check whether this device was unregistered
and return an error based on HCI_UNREGISTER flag.  There might be subtle
behavioral difference in "monitor the hdev" functionality; please report
if you found something went wrong due to this patch.

Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
Reported-by: syzbot &lt;syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com&gt;
Suggested-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
Acked-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF</title>
<updated>2021-08-08T06:38:54+00:00</updated>
<author>
<name>Ziyang Xuan</name>
<email>william.xuanziyang@huawei.com</email>
</author>
<published>2021-07-22T07:08:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ce223e0c0a30800a10d2b5d4ac576ea71f869b55'/>
<id>ce223e0c0a30800a10d2b5d4ac576ea71f869b55</id>
<content type='text'>
commit 54f93336d000229f72c26d8a3f69dd256b744528 upstream.

We get a bug during ltp can_filter test as following.

===========================================
[60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0
[60919.265443] Oops: 0000 [#1] SMP PTI
[60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G        W         4.19.90+ #1
[60919.266068] RIP: 0010:selinux_socket_sock_rcv_skb+0x3e/0x200
[60919.293289] RSP: 0018:ffff8d53bfc03cf8 EFLAGS: 00010246
[60919.307140] RAX: 0000000000000000 RBX: 000000000000001d RCX: 0000000000000007
[60919.320756] RDX: 0000000000000001 RSI: ffff8d5104a8ed00 RDI: ffff8d53bfc03d30
[60919.334319] RBP: ffff8d9338056800 R08: ffff8d53bfc29d80 R09: 0000000000000001
[60919.347969] R10: ffff8d53bfc03ec0 R11: ffffb8526ef47c98 R12: ffff8d53bfc03d30
[60919.350320] perf: interrupt took too long (3063 &gt; 2500), lowering kernel.perf_event_max_sample_rate to 65000
[60919.361148] R13: 0000000000000001 R14: ffff8d53bcf90000 R15: 0000000000000000
[60919.361151] FS:  00007fb78b6b3600(0000) GS:ffff8d53bfc00000(0000) knlGS:0000000000000000
[60919.400812] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[60919.413730] CR2: 0000000000000010 CR3: 0000003e3f784006 CR4: 00000000007606e0
[60919.426479] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[60919.439339] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[60919.451608] PKRU: 55555554
[60919.463622] Call Trace:
[60919.475617]  &lt;IRQ&gt;
[60919.487122]  ? update_load_avg+0x89/0x5d0
[60919.498478]  ? update_load_avg+0x89/0x5d0
[60919.509822]  ? account_entity_enqueue+0xc5/0xf0
[60919.520709]  security_sock_rcv_skb+0x2a/0x40
[60919.531413]  sk_filter_trim_cap+0x47/0x1b0
[60919.542178]  ? kmem_cache_alloc+0x38/0x1b0
[60919.552444]  sock_queue_rcv_skb+0x17/0x30
[60919.562477]  raw_rcv+0x110/0x190 [can_raw]
[60919.572539]  can_rcv_filter+0xbc/0x1b0 [can]
[60919.582173]  can_receive+0x6b/0xb0 [can]
[60919.591595]  can_rcv+0x31/0x70 [can]
[60919.600783]  __netif_receive_skb_one_core+0x5a/0x80
[60919.609864]  process_backlog+0x9b/0x150
[60919.618691]  net_rx_action+0x156/0x400
[60919.627310]  ? sched_clock_cpu+0xc/0xa0
[60919.635714]  __do_softirq+0xe8/0x2e9
[60919.644161]  do_softirq_own_stack+0x2a/0x40
[60919.652154]  &lt;/IRQ&gt;
[60919.659899]  do_softirq.part.17+0x4f/0x60
[60919.667475]  __local_bh_enable_ip+0x60/0x70
[60919.675089]  __dev_queue_xmit+0x539/0x920
[60919.682267]  ? finish_wait+0x80/0x80
[60919.689218]  ? finish_wait+0x80/0x80
[60919.695886]  ? sock_alloc_send_pskb+0x211/0x230
[60919.702395]  ? can_send+0xe5/0x1f0 [can]
[60919.708882]  can_send+0xe5/0x1f0 [can]
[60919.715037]  raw_sendmsg+0x16d/0x268 [can_raw]

It's because raw_setsockopt() concurrently with
unregister_netdevice_many(). Concurrent scenario as following.

	cpu0						cpu1
raw_bind
raw_setsockopt					unregister_netdevice_many
						unlist_netdevice
dev_get_by_index				raw_notifier
raw_enable_filters				......
can_rx_register
can_rcv_list_find(..., net-&gt;can.rx_alldev_list)

......

sock_close
raw_release(sock_a)

......

can_receive
can_rcv_filter(net-&gt;can.rx_alldev_list, ...)
raw_rcv(skb, sock_a)
BUG

After unlist_netdevice(), dev_get_by_index() return NULL in
raw_setsockopt(). Function raw_enable_filters() will add sock
and can_filter to net-&gt;can.rx_alldev_list. Then the sock is closed.
Followed by, we sock_sendmsg() to a new vcan device use the same
can_filter. Protocol stack match the old receiver whose sock has
been released on net-&gt;can.rx_alldev_list in can_rcv_filter().
Function raw_rcv() uses the freed sock. UAF BUG is triggered.

We can find that the key issue is that net_device has not been
protected in raw_setsockopt(). Use rtnl_lock to protect net_device
in raw_setsockopt().

Fixes: c18ce101f2e4 ("[CAN]: Add raw protocol")
Link: https://lore.kernel.org/r/20210722070819.1048263-1-william.xuanziyang@huawei.com
Cc: linux-stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Ziyang Xuan &lt;william.xuanziyang@huawei.com&gt;
Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 54f93336d000229f72c26d8a3f69dd256b744528 upstream.

We get a bug during ltp can_filter test as following.

===========================================
[60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0
[60919.265443] Oops: 0000 [#1] SMP PTI
[60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G        W         4.19.90+ #1
[60919.266068] RIP: 0010:selinux_socket_sock_rcv_skb+0x3e/0x200
[60919.293289] RSP: 0018:ffff8d53bfc03cf8 EFLAGS: 00010246
[60919.307140] RAX: 0000000000000000 RBX: 000000000000001d RCX: 0000000000000007
[60919.320756] RDX: 0000000000000001 RSI: ffff8d5104a8ed00 RDI: ffff8d53bfc03d30
[60919.334319] RBP: ffff8d9338056800 R08: ffff8d53bfc29d80 R09: 0000000000000001
[60919.347969] R10: ffff8d53bfc03ec0 R11: ffffb8526ef47c98 R12: ffff8d53bfc03d30
[60919.350320] perf: interrupt took too long (3063 &gt; 2500), lowering kernel.perf_event_max_sample_rate to 65000
[60919.361148] R13: 0000000000000001 R14: ffff8d53bcf90000 R15: 0000000000000000
[60919.361151] FS:  00007fb78b6b3600(0000) GS:ffff8d53bfc00000(0000) knlGS:0000000000000000
[60919.400812] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[60919.413730] CR2: 0000000000000010 CR3: 0000003e3f784006 CR4: 00000000007606e0
[60919.426479] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[60919.439339] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[60919.451608] PKRU: 55555554
[60919.463622] Call Trace:
[60919.475617]  &lt;IRQ&gt;
[60919.487122]  ? update_load_avg+0x89/0x5d0
[60919.498478]  ? update_load_avg+0x89/0x5d0
[60919.509822]  ? account_entity_enqueue+0xc5/0xf0
[60919.520709]  security_sock_rcv_skb+0x2a/0x40
[60919.531413]  sk_filter_trim_cap+0x47/0x1b0
[60919.542178]  ? kmem_cache_alloc+0x38/0x1b0
[60919.552444]  sock_queue_rcv_skb+0x17/0x30
[60919.562477]  raw_rcv+0x110/0x190 [can_raw]
[60919.572539]  can_rcv_filter+0xbc/0x1b0 [can]
[60919.582173]  can_receive+0x6b/0xb0 [can]
[60919.591595]  can_rcv+0x31/0x70 [can]
[60919.600783]  __netif_receive_skb_one_core+0x5a/0x80
[60919.609864]  process_backlog+0x9b/0x150
[60919.618691]  net_rx_action+0x156/0x400
[60919.627310]  ? sched_clock_cpu+0xc/0xa0
[60919.635714]  __do_softirq+0xe8/0x2e9
[60919.644161]  do_softirq_own_stack+0x2a/0x40
[60919.652154]  &lt;/IRQ&gt;
[60919.659899]  do_softirq.part.17+0x4f/0x60
[60919.667475]  __local_bh_enable_ip+0x60/0x70
[60919.675089]  __dev_queue_xmit+0x539/0x920
[60919.682267]  ? finish_wait+0x80/0x80
[60919.689218]  ? finish_wait+0x80/0x80
[60919.695886]  ? sock_alloc_send_pskb+0x211/0x230
[60919.702395]  ? can_send+0xe5/0x1f0 [can]
[60919.708882]  can_send+0xe5/0x1f0 [can]
[60919.715037]  raw_sendmsg+0x16d/0x268 [can_raw]

It's because raw_setsockopt() concurrently with
unregister_netdevice_many(). Concurrent scenario as following.

	cpu0						cpu1
raw_bind
raw_setsockopt					unregister_netdevice_many
						unlist_netdevice
dev_get_by_index				raw_notifier
raw_enable_filters				......
can_rx_register
can_rcv_list_find(..., net-&gt;can.rx_alldev_list)

......

sock_close
raw_release(sock_a)

......

can_receive
can_rcv_filter(net-&gt;can.rx_alldev_list, ...)
raw_rcv(skb, sock_a)
BUG

After unlist_netdevice(), dev_get_by_index() return NULL in
raw_setsockopt(). Function raw_enable_filters() will add sock
and can_filter to net-&gt;can.rx_alldev_list. Then the sock is closed.
Followed by, we sock_sendmsg() to a new vcan device use the same
can_filter. Protocol stack match the old receiver whose sock has
been released on net-&gt;can.rx_alldev_list in can_rcv_filter().
Function raw_rcv() uses the freed sock. UAF BUG is triggered.

We can find that the key issue is that net_device has not been
protected in raw_setsockopt(). Use rtnl_lock to protect net_device
in raw_setsockopt().

Fixes: c18ce101f2e4 ("[CAN]: Add raw protocol")
Link: https://lore.kernel.org/r/20210722070819.1048263-1-william.xuanziyang@huawei.com
Cc: linux-stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Ziyang Xuan &lt;william.xuanziyang@huawei.com&gt;
Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
