[PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level
@ 2022-10-09 22:24 Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 02/25] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
                   ` (22 more replies)
  0 siblings, 23 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Wright Feng, Chi-hsien Lin, Ahmad Fatoum, Alvin Šipraga,
	Kalle Valo, Sasha Levin, aspriel, franky.lin, hante.meuleman,
	davem, edumazet, kuba, pabeni, linux-wireless,
	brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, netdev

From: Wright Feng <wright.feng@cypress.com>

[ Upstream commit aa666b68e73fc06d83c070d96180b9010cf5a960 ]

The variable i is changed when setting random MAC address and causes
invalid address access when printing the value of pi->reqs[i]->reqid.

We replace reqs index with ri to fix the issue.

[  136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[  136.737365] Mem abort info:
[  136.740172]   ESR = 0x96000004
[  136.743359]   Exception class = DABT (current EL), IL = 32 bits
[  136.749294]   SET = 0, FnV = 0
[  136.752481]   EA = 0, S1PTW = 0
[  136.755635] Data abort info:
[  136.758514]   ISV = 0, ISS = 0x00000004
[  136.762487]   CM = 0, WnR = 0
[  136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
[  136.772265] [0000000000000000] pgd=0000000000000000
[  136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[  136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
[  136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
[  136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G           O      4.19.42-00001-g531a5f5 #1
[  136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
[  136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
[  136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[  136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
[  136.828162] sp : ffff00000e9a3880
[  136.831475] x29: ffff00000e9a3890 x28: ffff800020543400
[  136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0
[  136.842098] x25: ffff80002054345c x24: ffff800088d22400
[  136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8
[  136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400
[  136.858032] x19: ffff00000e9a3946 x18: 0000000000000000
[  136.863343] x17: 0000000000000000 x16: 0000000000000000
[  136.868655] x15: ffff0000093f3b37 x14: 0000000000000050
[  136.873966] x13: 0000000000003135 x12: 0000000000000000
[  136.879277] x11: 0000000000000000 x10: ffff000009a61888
[  136.884589] x9 : 000000000000000f x8 : 0000000000000008
[  136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d
[  136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942
[  136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8
[  136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000
[  136.911146] Call trace:
[  136.913623]  brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[  136.919658]  brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
[  136.925430]  brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
[  136.931636]  nl80211_start_sched_scan+0x140/0x308 [cfg80211]
[  136.937298]  genl_rcv_msg+0x358/0x3f4
[  136.940960]  netlink_rcv_skb+0xb4/0x118
[  136.944795]  genl_rcv+0x34/0x48
[  136.947935]  netlink_unicast+0x264/0x300
[  136.951856]  netlink_sendmsg+0x2e4/0x33c
[  136.955781]  __sys_sendto+0x120/0x19c

Signed-off-by: Wright Feng <wright.feng@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220722115632.620681-4-alvin@pqrs.dk
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/wireless/broadcom/brcm80211/brcmfmac/pno.c   | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
index ffa243e2e2d0..581a23549ee5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
@@ -163,12 +163,12 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi)
 	struct brcmf_pno_macaddr_le pfn_mac;
 	u8 *mac_addr = NULL;
 	u8 *mac_mask = NULL;
-	int err, i;
+	int err, i, ri;
 
-	for (i = 0; i < pi->n_reqs; i++)
-		if (pi->reqs[i]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
-			mac_addr = pi->reqs[i]->mac_addr;
-			mac_mask = pi->reqs[i]->mac_addr_mask;
+	for (ri = 0; ri < pi->n_reqs; ri++)
+		if (pi->reqs[ri]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
+			mac_addr = pi->reqs[ri]->mac_addr;
+			mac_mask = pi->reqs[ri]->mac_addr_mask;
 			break;
 		}
 
@@ -190,7 +190,7 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi)
 	pfn_mac.mac[0] |= 0x02;
 
 	brcmf_dbg(SCAN, "enabling random mac: reqid=%llu mac=%pM\n",
-		  pi->reqs[i]->reqid, pfn_mac.mac);
+		  pi->reqs[ri]->reqid, pfn_mac.mac);
 	err = brcmf_fil_iovar_data_set(ifp, "pfn_macaddr", &pfn_mac,
 				       sizeof(pfn_mac));
 	if (err)
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 02/25] openvswitch: Fix double reporting of drops in dropwatch
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 03/25] openvswitch: Fix overreporting " Sasha Levin
                   ` (21 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Mike Pattrick, David S . Miller, Sasha Levin, pshelar, edumazet,
	kuba, pabeni, netdev, dev

From: Mike Pattrick <mkp@redhat.com>

[ Upstream commit 1100248a5c5ccd57059eb8d02ec077e839a23826 ]

Frames sent to userspace can be reported as dropped in
ovs_dp_process_packet, however, if they are dropped in the netlink code
then netlink_attachskb will report the same frame as dropped.

This patch checks for error codes which indicate that the frame has
already been freed.

Signed-off-by: Mike Pattrick <mkp@redhat.com>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109946
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/openvswitch/datapath.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index f350faef044d..a9868e97db45 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -249,10 +249,17 @@ void ovs_dp_process_packet(struct sk_buff *skb, struct sw_flow_key *key)
 		upcall.portid = ovs_vport_find_upcall_portid(p, skb);
 		upcall.mru = OVS_CB(skb)->mru;
 		error = ovs_dp_upcall(dp, skb, key, &upcall, 0);
-		if (unlikely(error))
-			kfree_skb(skb);
-		else
+		switch (error) {
+		case 0:
+		case -EAGAIN:
+		case -ERESTARTSYS:
+		case -EINTR:
 			consume_skb(skb);
+			break;
+		default:
+			kfree_skb(skb);
+			break;
+		}
 		stats_counter = &stats->n_missed;
 		goto out;
 	}
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 03/25] openvswitch: Fix overreporting of drops in dropwatch
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 02/25] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 04/25] tcp: annotate data-race around tcp_md5sig_pool_populated Sasha Levin
                   ` (20 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Mike Pattrick, David S . Miller, Sasha Levin, pshelar, edumazet,
	kuba, pabeni, netdev, dev

From: Mike Pattrick <mkp@redhat.com>

[ Upstream commit c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e ]

Currently queue_userspace_packet will call kfree_skb for all frames,
whether or not an error occurred. This can result in a single dropped
frame being reported as multiple drops in dropwatch. This functions
caller may also call kfree_skb in case of an error. This patch will
consume the skbs instead and allow caller's to use kfree_skb.

Signed-off-by: Mike Pattrick <mkp@redhat.com>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109957
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/openvswitch/datapath.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index a9868e97db45..b4e3db194140 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -526,8 +526,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
 out:
 	if (err)
 		skb_tx_error(skb);
-	kfree_skb(user_skb);
-	kfree_skb(nskb);
+	consume_skb(user_skb);
+	consume_skb(nskb);
+
 	return err;
 }
 
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 04/25] tcp: annotate data-race around tcp_md5sig_pool_populated
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 02/25] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 03/25] openvswitch: Fix overreporting " Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 05/25] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Sasha Levin
                   ` (19 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Eric Dumazet, Abhishek Shah, David S . Miller, Sasha Levin,
	yoshfuji, dsahern, kuba, pabeni, netdev

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit aacd467c0a576e5e44d2de4205855dc0fe43f6fb ]

tcp_md5sig_pool_populated can be read while another thread
changes its value.

The race has no consequence because allocations
are protected with tcp_md5sig_mutex.

This patch adds READ_ONCE() and WRITE_ONCE() to document
the race and silence KCSAN.

Reported-by: Abhishek Shah <abhishek.shah@columbia.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 768a7daab559..73745d9e6dda 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3690,12 +3690,16 @@ static void __tcp_alloc_md5sig_pool(void)
 	 * to memory. See smp_rmb() in tcp_get_md5sig_pool()
 	 */
 	smp_wmb();
-	tcp_md5sig_pool_populated = true;
+	/* Paired with READ_ONCE() from tcp_alloc_md5sig_pool()
+	 * and tcp_get_md5sig_pool().
+	*/
+	WRITE_ONCE(tcp_md5sig_pool_populated, true);
 }
 
 bool tcp_alloc_md5sig_pool(void)
 {
-	if (unlikely(!tcp_md5sig_pool_populated)) {
+	/* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
+	if (unlikely(!READ_ONCE(tcp_md5sig_pool_populated))) {
 		mutex_lock(&tcp_md5sig_mutex);
 
 		if (!tcp_md5sig_pool_populated)
@@ -3703,7 +3707,8 @@ bool tcp_alloc_md5sig_pool(void)
 
 		mutex_unlock(&tcp_md5sig_mutex);
 	}
-	return tcp_md5sig_pool_populated;
+	/* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
+	return READ_ONCE(tcp_md5sig_pool_populated);
 }
 EXPORT_SYMBOL(tcp_alloc_md5sig_pool);
 
@@ -3719,7 +3724,8 @@ struct tcp_md5sig_pool *tcp_get_md5sig_pool(void)
 {
 	local_bh_disable();
 
-	if (tcp_md5sig_pool_populated) {
+	/* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
+	if (READ_ONCE(tcp_md5sig_pool_populated)) {
 		/* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */
 		smp_rmb();
 		return this_cpu_ptr(&tcp_md5sig_pool);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 05/25] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (2 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 04/25] tcp: annotate data-race around tcp_md5sig_pool_populated Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 06/25] xfrm: Update ipcomp_scratches with NULL when freed Sasha Levin
                   ` (18 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Tetsuo Handa, syzbot, Toke Høiland-Jørgensen,
	Kalle Valo, Sasha Levin, kvalo, davem, edumazet, kuba, pabeni,
	linux-wireless, netdev

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

[ Upstream commit b383e8abed41cc6ff1a3b34de75df9397fa4878c ]

syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
with uninitialized memory and ath9k_htc_rx_msg() is reading from
uninitialized memory.

Since bytes accessed by ath9k_htc_rx_msg() is not known until
ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
ath9k_hif_usb_rx_stream().

We have two choices. One is to workaround by adding __GFP_ZERO so that
ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
the latter.

Note that I'm not sure threshold condition is correct, for I can't find
details on possible packet length used by this protocol.

Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1]
Reported-by: syzbot <syzbot+2ca247c2d60c7023de7f@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/htc_hst.c | 43 +++++++++++++++---------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index e37de14bc502..6d69cf69fd86 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -367,33 +367,27 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
 }
 
 static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle,
-				      struct sk_buff *skb)
+				      struct sk_buff *skb, u32 len)
 {
 	uint32_t *pattern = (uint32_t *)skb->data;
 
-	switch (*pattern) {
-	case 0x33221199:
-		{
+	if (*pattern == 0x33221199 && len >= sizeof(struct htc_panic_bad_vaddr)) {
 		struct htc_panic_bad_vaddr *htc_panic;
 		htc_panic = (struct htc_panic_bad_vaddr *) skb->data;
 		dev_err(htc_handle->dev, "ath: firmware panic! "
 			"exccause: 0x%08x; pc: 0x%08x; badvaddr: 0x%08x.\n",
 			htc_panic->exccause, htc_panic->pc,
 			htc_panic->badvaddr);
-		break;
-		}
-	case 0x33221299:
-		{
+		return;
+	}
+	if (*pattern == 0x33221299) {
 		struct htc_panic_bad_epid *htc_panic;
 		htc_panic = (struct htc_panic_bad_epid *) skb->data;
 		dev_err(htc_handle->dev, "ath: firmware panic! "
 			"bad epid: 0x%08x\n", htc_panic->epid);
-		break;
-		}
-	default:
-		dev_err(htc_handle->dev, "ath: unknown panic pattern!\n");
-		break;
+		return;
 	}
+	dev_err(htc_handle->dev, "ath: unknown panic pattern!\n");
 }
 
 /*
@@ -414,16 +408,26 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
 	if (!htc_handle || !skb)
 		return;
 
+	/* A valid message requires len >= 8.
+	 *
+	 *   sizeof(struct htc_frame_hdr) == 8
+	 *   sizeof(struct htc_ready_msg) == 8
+	 *   sizeof(struct htc_panic_bad_vaddr) == 16
+	 *   sizeof(struct htc_panic_bad_epid) == 8
+	 */
+	if (unlikely(len < sizeof(struct htc_frame_hdr)))
+		goto invalid;
 	htc_hdr = (struct htc_frame_hdr *) skb->data;
 	epid = htc_hdr->endpoint_id;
 
 	if (epid == 0x99) {
-		ath9k_htc_fw_panic_report(htc_handle, skb);
+		ath9k_htc_fw_panic_report(htc_handle, skb, len);
 		kfree_skb(skb);
 		return;
 	}
 
 	if (epid < 0 || epid >= ENDPOINT_MAX) {
+invalid:
 		if (pipe_id != USB_REG_IN_PIPE)
 			dev_kfree_skb_any(skb);
 		else
@@ -435,21 +439,30 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
 
 		/* Handle trailer */
 		if (htc_hdr->flags & HTC_FLAGS_RECV_TRAILER) {
-			if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000)
+			if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) {
 				/* Move past the Watchdog pattern */
 				htc_hdr = (struct htc_frame_hdr *)(skb->data + 4);
+				len -= 4;
+			}
 		}
 
 		/* Get the message ID */
+		if (unlikely(len < sizeof(struct htc_frame_hdr) + sizeof(__be16)))
+			goto invalid;
 		msg_id = (__be16 *) ((void *) htc_hdr +
 				     sizeof(struct htc_frame_hdr));
 
 		/* Now process HTC messages */
 		switch (be16_to_cpu(*msg_id)) {
 		case HTC_MSG_READY_ID:
+			if (unlikely(len < sizeof(struct htc_ready_msg)))
+				goto invalid;
 			htc_process_target_rdy(htc_handle, htc_hdr);
 			break;
 		case HTC_MSG_CONNECT_SERVICE_RESPONSE_ID:
+			if (unlikely(len < sizeof(struct htc_frame_hdr) +
+				     sizeof(struct htc_conn_svc_rspmsg)))
+				goto invalid;
 			htc_process_conn_rsp(htc_handle, htc_hdr);
 			break;
 		default:
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 06/25] xfrm: Update ipcomp_scratches with NULL when freed
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (3 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 05/25] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 07/25] net: xscale: Fix return type for implementation of ndo_start_xmit Sasha Levin
                   ` (17 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Khalid Masum, Herbert Xu, syzbot+5ec9bb042ddfe9644773,
	Steffen Klassert, Sasha Levin, davem, edumazet, kuba, pabeni,
	netdev

From: Khalid Masum <khalid.masum.92@gmail.com>

[ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ]

Currently if ipcomp_alloc_scratches() fails to allocate memory
ipcomp_scratches holds obsolete address. So when we try to free the
percpu scratches using ipcomp_free_scratches() it tries to vfree non
existent vm area. Described below:

static void * __percpu *ipcomp_alloc_scratches(void)
{
        ...
        scratches = alloc_percpu(void *);
        if (!scratches)
                return NULL;
ipcomp_scratches does not know about this allocation failure.
Therefore holding the old obsolete address.
        ...
}

So when we free,

static void ipcomp_free_scratches(void)
{
        ...
        scratches = ipcomp_scratches;
Assigning obsolete address from ipcomp_scratches

        if (!scratches)
                return;

        for_each_possible_cpu(i)
               vfree(*per_cpu_ptr(scratches, i));
Trying to free non existent page, causing warning: trying to vfree
existent vm area.
        ...
}

Fix this breakage by updating ipcomp_scrtches with NULL when scratches
is freed

Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
Tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
Signed-off-by: Khalid Masum <khalid.masum.92@gmail.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_ipcomp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index a00ec715aa46..32aed1d0f6ee 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -216,6 +216,7 @@ static void ipcomp_free_scratches(void)
 		vfree(*per_cpu_ptr(scratches, i));
 
 	free_percpu(scratches);
+	ipcomp_scratches = NULL;
 }
 
 static void * __percpu *ipcomp_alloc_scratches(void)
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 07/25] net: xscale: Fix return type for implementation of ndo_start_xmit
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (4 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 06/25] xfrm: Update ipcomp_scratches with NULL when freed Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 08/25] net: lantiq_etop: " Sasha Levin
                   ` (16 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: GUO Zihua, Jakub Kicinski, Sasha Levin, khalasa, davem, edumazet,
	pabeni, netdev

From: GUO Zihua <guozihua@huawei.com>

[ Upstream commit 0dbaf0fa62329d9fe452d9041a707a33f6274f1f ]

Since Linux now supports CFI, it will be a good idea to fix mismatched
return type for implementation of hooks. Otherwise this might get
cought out by CFI and cause a panic.

eth_xmit() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
change the return type to netdev_tx_t directly.

Signed-off-by: GUO Zihua <guozihua@huawei.com>
Link: https://lore.kernel.org/r/20220902081612.60405-1-guozihua@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/xscale/ixp4xx_eth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c
index aee55c03def0..d2aed667c0da 100644
--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c
+++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c
@@ -835,7 +835,7 @@ static void eth_txdone_irq(void *unused)
 	}
 }
 
-static int eth_xmit(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t eth_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 	struct port *port = netdev_priv(dev);
 	unsigned int txreadyq = port->plat->txreadyq;
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 08/25] net: lantiq_etop: Fix return type for implementation of ndo_start_xmit
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (5 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 07/25] net: xscale: Fix return type for implementation of ndo_start_xmit Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 09/25] net: ftmac100: fix endianness-related issues from 'sparse' Sasha Levin
                   ` (15 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: GUO Zihua, Jakub Kicinski, Sasha Levin, davem, edumazet, pabeni,
	olek2, yangyingliang, rdunlap, netdev

From: GUO Zihua <guozihua@huawei.com>

[ Upstream commit c8ef3c94bda0e21123202d057d4a299698fa0ed9 ]

Since Linux now supports CFI, it will be a good idea to fix mismatched
return type for implementation of hooks. Otherwise this might get
cought out by CFI and cause a panic.

ltq_etop_tx() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
change the return type to netdev_tx_t directly.

Signed-off-by: GUO Zihua <guozihua@huawei.com>
Link: https://lore.kernel.org/r/20220902081521.59867-1-guozihua@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/lantiq_etop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
index e08301d833e2..27671163151c 100644
--- a/drivers/net/ethernet/lantiq_etop.c
+++ b/drivers/net/ethernet/lantiq_etop.c
@@ -465,7 +465,7 @@ ltq_etop_stop(struct net_device *dev)
 	return 0;
 }
 
-static int
+static netdev_tx_t
 ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
 {
 	int queue = skb_get_queue_mapping(skb);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 09/25] net: ftmac100: fix endianness-related issues from 'sparse'
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (6 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 08/25] net: lantiq_etop: " Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 10/25] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() Sasha Levin
                   ` (14 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Sergei Antonov, Andrew Lunn, Paolo Abeni, Sasha Levin, davem,
	edumazet, kuba, netdev

From: Sergei Antonov <saproj@gmail.com>

[ Upstream commit 9df696b3b3a4c96c3219eb87c7bf03fb50e490b8 ]

Sparse found a number of endianness-related issues of these kinds:

.../ftmac100.c:192:32: warning: restricted __le32 degrades to integer

.../ftmac100.c:208:23: warning: incorrect type in assignment (different base types)
.../ftmac100.c:208:23:    expected unsigned int rxdes0
.../ftmac100.c:208:23:    got restricted __le32 [usertype]

.../ftmac100.c:249:23: warning: invalid assignment: &=
.../ftmac100.c:249:23:    left side has type unsigned int
.../ftmac100.c:249:23:    right side has type restricted __le32

.../ftmac100.c:527:16: warning: cast to restricted __le32

Change type of some fields from 'unsigned int' to '__le32' to fix it.

Signed-off-by: Sergei Antonov <saproj@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20220902113749.1408562-1-saproj@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/faraday/ftmac100.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/faraday/ftmac100.h b/drivers/net/ethernet/faraday/ftmac100.h
index 46a0c47b1ee1..0731d65e856c 100644
--- a/drivers/net/ethernet/faraday/ftmac100.h
+++ b/drivers/net/ethernet/faraday/ftmac100.h
@@ -135,9 +135,9 @@
  * Transmit descriptor, aligned to 16 bytes
  */
 struct ftmac100_txdes {
-	unsigned int	txdes0;
-	unsigned int	txdes1;
-	unsigned int	txdes2;	/* TXBUF_BADR */
+	__le32		txdes0;
+	__le32		txdes1;
+	__le32		txdes2;	/* TXBUF_BADR */
 	unsigned int	txdes3;	/* not used by HW */
 } __attribute__ ((aligned(16)));
 
@@ -156,9 +156,9 @@ struct ftmac100_txdes {
  * Receive descriptor, aligned to 16 bytes
  */
 struct ftmac100_rxdes {
-	unsigned int	rxdes0;
-	unsigned int	rxdes1;
-	unsigned int	rxdes2;	/* RXBUF_BADR */
+	__le32		rxdes0;
+	__le32		rxdes1;
+	__le32		rxdes2;	/* RXBUF_BADR */
 	unsigned int	rxdes3;	/* not used by HW */
 } __attribute__ ((aligned(16)));
 
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 10/25] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (7 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 09/25] net: ftmac100: fix endianness-related issues from 'sparse' Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 11/25] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Sasha Levin
                   ` (13 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Alexander Coffin, Kalle Valo, Sasha Levin, aspriel, franky.lin,
	hante.meuleman, davem, edumazet, kuba, pabeni, hdegoede, bigeasy,
	pavel, wsa+renesas, wright.feng, linux-wireless,
	brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, netdev

From: Alexander Coffin <alex.coffin@matician.com>

[ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ]

> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);

may be schedule, and then complete before the line

> ndev->stats.tx_bytes += skb->len;

[   46.912801] ==================================================================
[   46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[   46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328
[   46.935991]
[   46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G           O      5.4.199-[REDACTED] #1
[   46.947255] Hardware name: [REDACTED]
[   46.954568] Call trace:
[   46.957037]  dump_backtrace+0x0/0x2b8
[   46.960719]  show_stack+0x24/0x30
[   46.964052]  dump_stack+0x128/0x194
[   46.967557]  print_address_description.isra.0+0x64/0x380
[   46.972877]  __kasan_report+0x1d4/0x240
[   46.976723]  kasan_report+0xc/0x18
[   46.980138]  __asan_report_load4_noabort+0x18/0x20
[   46.985027]  brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[   46.990613]  dev_hard_start_xmit+0x1bc/0xda0
[   46.994894]  sch_direct_xmit+0x198/0xd08
[   46.998827]  __qdisc_run+0x37c/0x1dc0
[   47.002500]  __dev_queue_xmit+0x1528/0x21f8
[   47.006692]  dev_queue_xmit+0x24/0x30
[   47.010366]  neigh_resolve_output+0x37c/0x678
[   47.014734]  ip_finish_output2+0x598/0x2458
[   47.018927]  __ip_finish_output+0x300/0x730
[   47.023118]  ip_output+0x2e0/0x430
[   47.026530]  ip_local_out+0x90/0x140
[   47.030117]  igmpv3_sendpack+0x14c/0x228
[   47.034049]  igmpv3_send_cr+0x384/0x6b8
[   47.037895]  igmp_ifc_timer_expire+0x4c/0x118
[   47.042262]  call_timer_fn+0x1cc/0xbe8
[   47.046021]  __run_timers+0x4d8/0xb28
[   47.049693]  run_timer_softirq+0x24/0x40
[   47.053626]  __do_softirq+0x2c0/0x117c
[   47.057387]  irq_exit+0x2dc/0x388
[   47.060715]  __handle_domain_irq+0xb4/0x158
[   47.064908]  gic_handle_irq+0x58/0xb0
[   47.068581]  el0_irq_naked+0x50/0x5c
[   47.072162]
[   47.073665] Allocated by task 328:
[   47.077083]  save_stack+0x24/0xb0
[   47.080410]  __kasan_kmalloc.isra.0+0xc0/0xe0
[   47.084776]  kasan_slab_alloc+0x14/0x20
[   47.088622]  kmem_cache_alloc+0x15c/0x468
[   47.092643]  __alloc_skb+0xa4/0x498
[   47.096142]  igmpv3_newpack+0x158/0xd78
[   47.099987]  add_grhead+0x210/0x288
[   47.103485]  add_grec+0x6b0/0xb70
[   47.106811]  igmpv3_send_cr+0x2e0/0x6b8
[   47.110657]  igmp_ifc_timer_expire+0x4c/0x118
[   47.115027]  call_timer_fn+0x1cc/0xbe8
[   47.118785]  __run_timers+0x4d8/0xb28
[   47.122457]  run_timer_softirq+0x24/0x40
[   47.126389]  __do_softirq+0x2c0/0x117c
[   47.130142]
[   47.131643] Freed by task 180:
[   47.134712]  save_stack+0x24/0xb0
[   47.138041]  __kasan_slab_free+0x108/0x180
[   47.142146]  kasan_slab_free+0x10/0x18
[   47.145904]  slab_free_freelist_hook+0xa4/0x1b0
[   47.150444]  kmem_cache_free+0x8c/0x528
[   47.154292]  kfree_skbmem+0x94/0x108
[   47.157880]  consume_skb+0x10c/0x5a8
[   47.161466]  __dev_kfree_skb_any+0x88/0xa0
[   47.165598]  brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]
[   47.171023]  brcmf_txfinalize+0xec/0x190 [brcmfmac]
[   47.176016]  brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]
[   47.182056]  brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]
[   47.187568]  brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]
[   47.192529]  brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]
[   47.197859]  process_one_work+0x7fc/0x1a80
[   47.201965]  worker_thread+0x31c/0xc40
[   47.205726]  kthread+0x2d8/0x370
[   47.208967]  ret_from_fork+0x10/0x18
[   47.212546]
[   47.214051] The buggy address belongs to the object at ffffff803f588280
[   47.214051]  which belongs to the cache skbuff_head_cache of size 208
[   47.227086] The buggy address is located 104 bytes inside of
[   47.227086]  208-byte region [ffffff803f588280, ffffff803f588350)
[   47.238814] The buggy address belongs to the page:
[   47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0
[   47.255007] flags: 0x10200(slab|head)
[   47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800
[   47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000
[   47.274180] page dumped because: kasan: bad access detected
[   47.279752]
[   47.281251] Memory state around the buggy address:
[   47.286051]  ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.293277]  ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.307723]                                                           ^
[   47.314343]  ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   47.321569]  ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   47.328789] ==================================================================

Signed-off-by: Alexander Coffin <alex.coffin@matician.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index db4c541f58ae..31bf2eb47b49 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -270,6 +270,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
 	struct brcmf_pub *drvr = ifp->drvr;
 	struct ethhdr *eh;
 	int head_delta;
+	unsigned int tx_bytes = skb->len;
 
 	brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
 
@@ -341,7 +342,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
 		ndev->stats.tx_dropped++;
 	} else {
 		ndev->stats.tx_packets++;
-		ndev->stats.tx_bytes += skb->len;
+		ndev->stats.tx_bytes += tx_bytes;
 	}
 
 	/* Return ok: we always eat the packet */
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 11/25] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (8 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 10/25] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 12/25] net: davicom: Fix return type of dm9000_start_xmit Sasha Levin
                   ` (12 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Tetsuo Handa, syzbot, Luiz Augusto von Dentz, Sasha Levin, marcel,
	johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
	linux-bluetooth, netdev

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

[ Upstream commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 ]

syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at
l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent
l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer
which fires before l2cap_chan_del() is called by closing file descriptor
created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP).

l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP)
are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready() (which
clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan) succeeded.

l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets
CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when
connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds
 from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4
seconds from connect() request, for l2cap_conn_start() from
l2cap_info_timeout() callback scheduled by

  schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);

in l2cap_connect() is calling l2cap_chan_ready().

Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM
mode as soon as l2cap_chan_create() allocates a channel, like I did in
commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at
l2cap_chan_create()").

Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1]
Reported-by: syzbot <syzbot+83672956c7aa6af698b3@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 65d20bdff023..7c280fcdcaa0 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -63,6 +63,9 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
 
 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
 		     struct sk_buff_head *skbs, u8 event);
+static void l2cap_retrans_timeout(struct work_struct *work);
+static void l2cap_monitor_timeout(struct work_struct *work);
+static void l2cap_ack_timeout(struct work_struct *work);
 
 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
 {
@@ -470,6 +473,9 @@ struct l2cap_chan *l2cap_chan_create(void)
 	write_unlock(&chan_list_lock);
 
 	INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
+	INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
+	INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
+	INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
 
 	chan->state = BT_OPEN;
 
@@ -3154,10 +3160,6 @@ int l2cap_ertm_init(struct l2cap_chan *chan)
 	chan->rx_state = L2CAP_RX_STATE_RECV;
 	chan->tx_state = L2CAP_TX_STATE_XMIT;
 
-	INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
-	INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
-	INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
-
 	skb_queue_head_init(&chan->srej_q);
 
 	err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 12/25] net: davicom: Fix return type of dm9000_start_xmit
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (9 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 11/25] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 13/25] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit Sasha Levin
                   ` (11 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Nathan Huckleberry, Dan Carpenter, llvm, Nathan Chancellor,
	Jakub Kicinski, Sasha Levin, davem, edumazet, pabeni,
	ndesaulniers, geoff, mw, dmitry.torokhov, wsa+renesas, netdev

From: Nathan Huckleberry <nhuck@google.com>

[ Upstream commit 0191580b000d50089a0b351f7cdbec4866e3d0d2 ]

The ndo_start_xmit field in net_device_ops is expected to be of type
netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).

The mismatched return type breaks forward edge kCFI since the underlying
function definition does not match the function hook definition.

The return type of dm9000_start_xmit should be changed from int to
netdev_tx_t.

Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/1703
Cc: llvm@lists.linux.dev
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20220912194722.809525-1-nhuck@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/davicom/dm9000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c
index 8b07890b0b23..833e27ce4a57 100644
--- a/drivers/net/ethernet/davicom/dm9000.c
+++ b/drivers/net/ethernet/davicom/dm9000.c
@@ -1025,7 +1025,7 @@ static void dm9000_send_packet(struct net_device *dev,
  *  Hardware start transmission.
  *  Send a packet to media from the upper layer.
  */
-static int
+static netdev_tx_t
 dm9000_start_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 	unsigned long flags;
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 13/25] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (10 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 12/25] net: davicom: Fix return type of dm9000_start_xmit Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 14/25] net: korina: Fix return type of korina_send_packet Sasha Levin
                   ` (10 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Nathan Huckleberry, Dan Carpenter, llvm, Nathan Chancellor,
	Jakub Kicinski, Sasha Levin, davem, edumazet, pabeni,
	ndesaulniers, prabhakar.mahadev-lad.rj, geoff, shayagr,
	bigunclemax, chi.minghao, linux-omap, netdev

From: Nathan Huckleberry <nhuck@google.com>

[ Upstream commit 5972ca946098487c5155fe13654743f9010f5ed5 ]

The ndo_start_xmit field in net_device_ops is expected to be of type
netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).

The mismatched return type breaks forward edge kCFI since the underlying
function definition does not match the function hook definition.

The return type of emac_dev_xmit should be changed from int to
netdev_tx_t.

Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/1703
Cc: llvm@lists.linux.dev
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20220912195023.810319-1-nhuck@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ti/davinci_emac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
index 566da1e3cfbc..337e38b98d69 100644
--- a/drivers/net/ethernet/ti/davinci_emac.c
+++ b/drivers/net/ethernet/ti/davinci_emac.c
@@ -955,7 +955,7 @@ static void emac_tx_handler(void *token, int len, int status)
  *
  * Returns success(NETDEV_TX_OK) or error code (typically out of desc's)
  */
-static int emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
+static netdev_tx_t emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
 {
 	struct device *emac_dev = &ndev->dev;
 	int ret_code;
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 14/25] net: korina: Fix return type of korina_send_packet
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (11 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 13/25] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 15/25] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times Sasha Levin
                   ` (9 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Nathan Huckleberry, Dan Carpenter, llvm, Nathan Chancellor,
	Jakub Kicinski, Sasha Levin, davem, edumazet, pabeni,
	ndesaulniers, mw, khalasa, wsa+renesas, shayagr, netdev

From: Nathan Huckleberry <nhuck@google.com>

[ Upstream commit 106c67ce46f3c82dd276e983668a91d6ed631173 ]

The ndo_start_xmit field in net_device_ops is expected to be of type
netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).

The mismatched return type breaks forward edge kCFI since the underlying
function definition does not match the function hook definition.

The return type of korina_send_packet should be changed from int to
netdev_tx_t.

Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/1703
Cc: llvm@lists.linux.dev
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20220912214344.928925-1-nhuck@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/korina.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
index 9f804e2aba35..d1bd56f6eecb 100644
--- a/drivers/net/ethernet/korina.c
+++ b/drivers/net/ethernet/korina.c
@@ -196,7 +196,8 @@ static void korina_chain_rx(struct korina_private *lp,
 }
 
 /* transmit packet */
-static int korina_send_packet(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t korina_send_packet(struct sk_buff *skb,
+				      struct net_device *dev)
 {
 	struct korina_private *lp = netdev_priv(dev);
 	unsigned long flags;
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 15/25] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (12 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 14/25] net: korina: Fix return type of korina_send_packet Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 16/25] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free Sasha Levin
                   ` (8 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Luiz Augusto von Dentz, Hawkins Jiawei, Sasha Levin, marcel,
	johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
	linux-bluetooth, netdev

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 448a496f760664d3e2e79466aa1787e6abc922b5 ]

device_add shall not be called multiple times as stated in its
documentation:

 'Do not call this routine or device_register() more than once for
 any device structure'

Syzkaller reports a bug as follows [1]:
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:33!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[...]
Call Trace:
 <TASK>
 __list_add include/linux/list.h:69 [inline]
 list_add_tail include/linux/list.h:102 [inline]
 kobj_kset_join lib/kobject.c:164 [inline]
 kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 device_add+0x368/0x1e90 drivers/base/core.c:3452
 hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53
 hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799
 hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110
 hci_event_func net/bluetooth/hci_event.c:7440 [inline]
 hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495
 hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Hawkins Jiawei <yin31149@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_sysfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index b69d88b88d2e..ccd2c377bf83 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -48,6 +48,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
 
 	BT_DBG("conn %p", conn);
 
+	if (device_is_registered(&conn->dev))
+		return;
+
 	dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
 
 	if (device_add(&conn->dev) < 0) {
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 16/25] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (13 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 15/25] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-18  9:53   ` Pavel Machek
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 17/25] can: bcm: check the result of can_send() in bcm_can_tx() Sasha Levin
                   ` (7 subsequent siblings)
  22 siblings, 1 reply; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Wen Gong, Kalle Valo, Sasha Levin, kvalo, davem, edumazet, kuba,
	pabeni, ath10k, linux-wireless, netdev

From: Wen Gong <quic_wgong@quicinc.com>

[ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ]

When running suspend test, kernel crash happened in ath10k, and it is
fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend
for driver state RESTARTING").

Currently the crash is fixed, but as a common code style, it is better
to set the pointer to NULL after memory is free.

This is to address the code style and it will avoid potential bug of
use-after-free.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220505092248.787-1-quic_wgong@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index 0a7551dc0f94..68728cba6df3 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -302,12 +302,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt)
 			  ath10k_htt_get_vaddr_ring(htt),
 			  htt->rx_ring.base_paddr);
 
+	ath10k_htt_config_paddrs_ring(htt, NULL);
+
 	dma_free_coherent(htt->ar->dev,
 			  sizeof(*htt->rx_ring.alloc_idx.vaddr),
 			  htt->rx_ring.alloc_idx.vaddr,
 			  htt->rx_ring.alloc_idx.paddr);
+	htt->rx_ring.alloc_idx.vaddr = NULL;
 
 	kfree(htt->rx_ring.netbufs_ring);
+	htt->rx_ring.netbufs_ring = NULL;
 }
 
 static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
@@ -641,8 +645,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
 			  ath10k_htt_get_rx_ring_size(htt),
 			  vaddr_ring,
 			  htt->rx_ring.base_paddr);
+	ath10k_htt_config_paddrs_ring(htt, NULL);
 err_dma_ring:
 	kfree(htt->rx_ring.netbufs_ring);
+	htt->rx_ring.netbufs_ring = NULL;
 err_netbuf:
 	return -ENOMEM;
 }
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* Re: [PATCH AUTOSEL 4.19 16/25] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 16/25] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free Sasha Levin
@ 2022-10-18  9:53   ` Pavel Machek
  2022-10-18 11:10     ` Greg KH
  0 siblings, 1 reply; 26+ messages in thread
From: Pavel Machek @ 2022-10-18  9:53 UTC (permalink / raw)
  To: Sasha Levin
  Cc: linux-kernel, stable, Wen Gong, Kalle Valo, kvalo, davem,
	edumazet, kuba, pabeni, ath10k, linux-wireless, netdev

[-- Attachment #1: Type: text/plain, Size: 1991 bytes --]

Hi!

> From: Wen Gong <quic_wgong@quicinc.com>
> 
> [ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ]
> 
> When running suspend test, kernel crash happened in ath10k, and it is
> fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend
> for driver state RESTARTING").
> 
> Currently the crash is fixed, but as a common code style, it is better
> to set the pointer to NULL after memory is free.
> 
> This is to address the code style and it will avoid potential bug of
> use-after-free.

We don't have this patch in 4.19:

b72a4aff947b ("ath10k: skip ath10k_halt during suspend for driver state RESTARTING").

We probably should take that one, as this may depend on it. On the
other hand, we don't need this one as it is just a cleanup...

Best regards,
								Pavel
								
> +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
> @@ -302,12 +302,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt)
>  			  ath10k_htt_get_vaddr_ring(htt),
>  			  htt->rx_ring.base_paddr);
>  
> +	ath10k_htt_config_paddrs_ring(htt, NULL);
> +
>  	dma_free_coherent(htt->ar->dev,
>  			  sizeof(*htt->rx_ring.alloc_idx.vaddr),
>  			  htt->rx_ring.alloc_idx.vaddr,
>  			  htt->rx_ring.alloc_idx.paddr);
> +	htt->rx_ring.alloc_idx.vaddr = NULL;
>  
>  	kfree(htt->rx_ring.netbufs_ring);
> +	htt->rx_ring.netbufs_ring = NULL;
>  }
>  
>  static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
> @@ -641,8 +645,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
>  			  ath10k_htt_get_rx_ring_size(htt),
>  			  vaddr_ring,
>  			  htt->rx_ring.base_paddr);
> +	ath10k_htt_config_paddrs_ring(htt, NULL);
>  err_dma_ring:
>  	kfree(htt->rx_ring.netbufs_ring);
> +	htt->rx_ring.netbufs_ring = NULL;
>  err_netbuf:
>  	return -ENOMEM;
>  }
> -- 
> 2.35.1

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [PATCH AUTOSEL 4.19 16/25] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free
  2022-10-18  9:53   ` Pavel Machek
@ 2022-10-18 11:10     ` Greg KH
  0 siblings, 0 replies; 26+ messages in thread
From: Greg KH @ 2022-10-18 11:10 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Sasha Levin, linux-kernel, stable, Wen Gong, Kalle Valo, kvalo,
	davem, edumazet, kuba, pabeni, ath10k, linux-wireless, netdev

On Tue, Oct 18, 2022 at 11:53:56AM +0200, Pavel Machek wrote:
> Hi!
> 
> > From: Wen Gong <quic_wgong@quicinc.com>
> > 
> > [ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ]
> > 
> > When running suspend test, kernel crash happened in ath10k, and it is
> > fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend
> > for driver state RESTARTING").
> > 
> > Currently the crash is fixed, but as a common code style, it is better
> > to set the pointer to NULL after memory is free.
> > 
> > This is to address the code style and it will avoid potential bug of
> > use-after-free.
> 
> We don't have this patch in 4.19:
> 
> b72a4aff947b ("ath10k: skip ath10k_halt during suspend for driver state RESTARTING").
> 
> We probably should take that one, as this may depend on it. On the
> other hand, we don't need this one as it is just a cleanup...

I've dropped this from all queues now, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 17/25] can: bcm: check the result of can_send() in bcm_can_tx()
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (14 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 16/25] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 18/25] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 Sasha Levin
                   ` (6 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ziyang Xuan, Marc Kleine-Budde, Oliver Hartkopp, Sasha Levin,
	davem, edumazet, kuba, pabeni, linux-can, netdev

From: Ziyang Xuan <william.xuanziyang@huawei.com>

[ Upstream commit 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e ]

If can_send() fail, it should not update frames_abs counter
in bcm_can_tx(). Add the result check for can_send() in bcm_can_tx().

Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
Suggested-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/all/9851878e74d6d37aee2f1ee76d68361a46f89458.1663206163.git.william.xuanziyang@huawei.com
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/can/bcm.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/can/bcm.c b/net/can/bcm.c
index 3c825b158fb5..74e555a22de7 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -273,6 +273,7 @@ static void bcm_can_tx(struct bcm_op *op)
 	struct sk_buff *skb;
 	struct net_device *dev;
 	struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe;
+	int err;
 
 	/* no target device? => exit */
 	if (!op->ifindex)
@@ -297,11 +298,11 @@ static void bcm_can_tx(struct bcm_op *op)
 	/* send with loopback */
 	skb->dev = dev;
 	can_skb_set_owner(skb, op->sk);
-	can_send(skb, 1);
+	err = can_send(skb, 1);
+	if (!err)
+		op->frames_abs++;
 
-	/* update statistics */
 	op->currframe++;
-	op->frames_abs++;
 
 	/* reached last frame? */
 	if (op->currframe >= op->nframes)
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 18/25] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (15 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 17/25] can: bcm: check the result of can_send() in bcm_can_tx() Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 19/25] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 Sasha Levin
                   ` (5 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Daniel Golle, Serge Vasilugin, Kalle Valo, Sasha Levin, stf_xl,
	helmut.schaa, davem, edumazet, kuba, pabeni, linux-wireless,
	netdev

From: Daniel Golle <daniel@makrotopia.org>

[ Upstream commit d3aad83d05aec0cfd7670cf0028f2ad4b81de92e ]

The function rt2800_iq_calibrate is intended for Rt5592 only.
Don't call it for MT7620 which has it's own calibration functions.

Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/31a1c34ddbd296b82f38c18c9ae7339059215fdc.1663445157.git.daniel@makrotopia.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
index a567bc273ffc..2a119f314c38 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
@@ -3838,7 +3838,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
 		reg += 2 * rt2x00dev->lna_gain;
 		rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, reg);
 
-		rt2800_iq_calibrate(rt2x00dev, rf->channel);
+		if (rt2x00_rt(rt2x00dev, RT5592))
+			rt2800_iq_calibrate(rt2x00dev, rf->channel);
 	}
 
 	bbp = rt2800_bbp_read(rt2x00dev, 4);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 19/25] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (16 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 18/25] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 20/25] wifi: rt2x00: set SoC wmac clock register Sasha Levin
                   ` (4 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Daniel Golle, Serge Vasilugin, Stanislaw Gruszka, Kalle Valo,
	Sasha Levin, helmut.schaa, davem, edumazet, kuba, pabeni,
	linux-wireless, netdev

From: Daniel Golle <daniel@makrotopia.org>

[ Upstream commit eeb50acf15762b61921f9df18663f839f387c054 ]

Set correct TX_SW_CFG1 MAC register as it is done also in v3 of the
vendor driver[1].

[1]: https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531
Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/4be38975ce600a34249e12d09a3cb758c6e71071.1663445157.git.daniel@makrotopia.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
index 2a119f314c38..b8224b215532 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
@@ -5318,7 +5318,7 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
 		rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000404);
 	} else if (rt2x00_rt(rt2x00dev, RT6352)) {
 		rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000401);
-		rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0000);
+		rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0001);
 		rt2800_register_write(rt2x00dev, TX_SW_CFG2, 0x00000000);
 		rt2800_register_write(rt2x00dev, MIMO_PS_CFG, 0x00000002);
 		rt2800_register_write(rt2x00dev, TX_PIN_CFG, 0x00150F0F);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 20/25] wifi: rt2x00: set SoC wmac clock register
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (17 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 19/25] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 21/25] wifi: rt2x00: correctly set BBP register 86 for MT7620 Sasha Levin
                   ` (3 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Daniel Golle, Serge Vasilugin, Stanislaw Gruszka, Kalle Valo,
	Sasha Levin, helmut.schaa, davem, edumazet, kuba, pabeni,
	linux-wireless, netdev

From: Daniel Golle <daniel@makrotopia.org>

[ Upstream commit cbde6ed406a51092d9e8a2df058f5f8490f27443 ]

Instead of using the default value 33 (pci), set US_CYC_CNT init based
on Programming guide:
If available, set chipset bus clock with fallback to cpu clock/3.

Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/3e275d259f476f597dab91a9c395015ef3fe3284.1663445157.git.daniel@makrotopia.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/wireless/ralink/rt2x00/rt2800lib.c    | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
index b8224b215532..9469517ac65f 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
@@ -5570,6 +5570,27 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
 		reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
 		rt2x00_set_field32(&reg, US_CYC_CNT_CLOCK_CYCLE, 125);
 		rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
+	} else if (rt2x00_is_soc(rt2x00dev)) {
+		struct clk *clk = clk_get_sys("bus", NULL);
+		int rate;
+
+		if (IS_ERR(clk)) {
+			clk = clk_get_sys("cpu", NULL);
+
+			if (IS_ERR(clk)) {
+				rate = 125;
+			} else {
+				rate = clk_get_rate(clk) / 3000000;
+				clk_put(clk);
+			}
+		} else {
+			rate = clk_get_rate(clk) / 1000000;
+			clk_put(clk);
+		}
+
+		reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
+		rt2x00_set_field32(&reg, US_CYC_CNT_CLOCK_CYCLE, rate);
+		rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
 	}
 
 	reg = rt2800_register_read(rt2x00dev, HT_FBK_CFG0);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 21/25] wifi: rt2x00: correctly set BBP register 86 for MT7620
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (18 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 20/25] wifi: rt2x00: set SoC wmac clock register Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 22/25] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Sasha Levin
                   ` (2 subsequent siblings)
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Daniel Golle, Serge Vasilugin, Stanislaw Gruszka, Kalle Valo,
	Sasha Levin, helmut.schaa, davem, edumazet, kuba, pabeni,
	linux-wireless, netdev

From: Daniel Golle <daniel@makrotopia.org>

[ Upstream commit c9aada64fe6493461127f1522d7e2f01792d2424 ]

Instead of 0 set the correct value for BBP register 86 for MT7620.

Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/257267247ee4fa7ebc6a5d0c4948b3f8119c0d77.1663445157.git.daniel@makrotopia.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
index 9469517ac65f..c9fa56b721b2 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
@@ -3658,7 +3658,10 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
 		rt2800_bbp_write(rt2x00dev, 62, 0x37 - rt2x00dev->lna_gain);
 		rt2800_bbp_write(rt2x00dev, 63, 0x37 - rt2x00dev->lna_gain);
 		rt2800_bbp_write(rt2x00dev, 64, 0x37 - rt2x00dev->lna_gain);
-		rt2800_bbp_write(rt2x00dev, 86, 0);
+		if (rt2x00_rt(rt2x00dev, RT6352))
+			rt2800_bbp_write(rt2x00dev, 86, 0x38);
+		else
+			rt2800_bbp_write(rt2x00dev, 86, 0);
 	}
 
 	if (rf->channel <= 14) {
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 22/25] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (19 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 21/25] wifi: rt2x00: correctly set BBP register 86 for MT7620 Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 23/25] Bluetooth: L2CAP: Fix user-after-free Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 25/25] r8152: Rate limit overflow messages Sasha Levin
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Liu Jian, Jakub Sitnicki, Daniel Borkmann, John Fastabend,
	Eric Dumazet, Sasha Levin, davem, kuba, pabeni, netdev, bpf

From: Liu Jian <liujian56@huawei.com>

[ Upstream commit 3f8ef65af927db247418d4e1db49164d7a158fc5 ]

Fixes the below NULL pointer dereference:

  [...]
  [   14.471200] Call Trace:
  [   14.471562]  <TASK>
  [   14.471882]  lock_acquire+0x245/0x2e0
  [   14.472416]  ? remove_wait_queue+0x12/0x50
  [   14.473014]  ? _raw_spin_lock_irqsave+0x17/0x50
  [   14.473681]  _raw_spin_lock_irqsave+0x3d/0x50
  [   14.474318]  ? remove_wait_queue+0x12/0x50
  [   14.474907]  remove_wait_queue+0x12/0x50
  [   14.475480]  sk_stream_wait_memory+0x20d/0x340
  [   14.476127]  ? do_wait_intr_irq+0x80/0x80
  [   14.476704]  do_tcp_sendpages+0x287/0x600
  [   14.477283]  tcp_bpf_push+0xab/0x260
  [   14.477817]  tcp_bpf_sendmsg_redir+0x297/0x500
  [   14.478461]  ? __local_bh_enable_ip+0x77/0xe0
  [   14.479096]  tcp_bpf_send_verdict+0x105/0x470
  [   14.479729]  tcp_bpf_sendmsg+0x318/0x4f0
  [   14.480311]  sock_sendmsg+0x2d/0x40
  [   14.480822]  ____sys_sendmsg+0x1b4/0x1c0
  [   14.481390]  ? copy_msghdr_from_user+0x62/0x80
  [   14.482048]  ___sys_sendmsg+0x78/0xb0
  [   14.482580]  ? vmf_insert_pfn_prot+0x91/0x150
  [   14.483215]  ? __do_fault+0x2a/0x1a0
  [   14.483738]  ? do_fault+0x15e/0x5d0
  [   14.484246]  ? __handle_mm_fault+0x56b/0x1040
  [   14.484874]  ? lock_is_held_type+0xdf/0x130
  [   14.485474]  ? find_held_lock+0x2d/0x90
  [   14.486046]  ? __sys_sendmsg+0x41/0x70
  [   14.486587]  __sys_sendmsg+0x41/0x70
  [   14.487105]  ? intel_pmu_drain_pebs_core+0x350/0x350
  [   14.487822]  do_syscall_64+0x34/0x80
  [   14.488345]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  [...]

The test scenario has the following flow:

thread1                               thread2
-----------                           ---------------
 tcp_bpf_sendmsg
  tcp_bpf_send_verdict
   tcp_bpf_sendmsg_redir              sock_close
    tcp_bpf_push_locked                 __sock_release
     tcp_bpf_push                         //inet_release
      do_tcp_sendpages                    sock->ops->release
       sk_stream_wait_memory          	   // tcp_close
          sk_wait_event                      sk->sk_prot->close
           release_sock(__sk);
            ***
                                                lock_sock(sk);
                                                  __tcp_close
                                                    sock_orphan(sk)
                                                      sk->sk_wq  = NULL
                                                release_sock
            ****
           lock_sock(__sk);
          remove_wait_queue(sk_sleep(sk), &wait);
             sk_sleep(sk)
             //NULL pointer dereference
             &rcu_dereference_raw(sk->sk_wq)->wait

While waiting for memory in thread1, the socket is released with its wait
queue because thread2 has closed it. This caused by tcp_bpf_send_verdict
didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1.

We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory
before accessing the wait queue.

Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Liu Jian <liujian56@huawei.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/bpf/20220823133755.314697-2-liujian56@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/stream.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/stream.c b/net/core/stream.c
index 3d98774cf128..7b411a91a81c 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -159,7 +159,8 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
 		*timeo_p = current_timeo;
 	}
 out:
-	remove_wait_queue(sk_sleep(sk), &wait);
+	if (!sock_flag(sk, SOCK_DEAD))
+		remove_wait_queue(sk_sleep(sk), &wait);
 	return err;
 
 do_error:
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 23/25] Bluetooth: L2CAP: Fix user-after-free
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (20 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 22/25] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 25/25] r8152: Rate limit overflow messages Sasha Levin
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Luiz Augusto von Dentz, Sungwoo Kim, Sasha Levin, marcel,
	johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
	linux-bluetooth, netdev

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f ]

This uses l2cap_chan_hold_unless_zero() after calling
__l2cap_get_chan_blah() to prevent the following trace:

Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
*kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000ae861c08
==================================================================
BUG: KASAN: use-after-free in __mutex_waiter_is_first
kernel/locking/mutex.c:191 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common
kernel/locking/mutex.c:671 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
kernel/locking/mutex.c:729
Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7c280fcdcaa0..5c965f7b1709 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4049,6 +4049,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 		}
 	}
 
+	chan = l2cap_chan_hold_unless_zero(chan);
+	if (!chan) {
+		err = -EBADSLT;
+		goto unlock;
+	}
+
 	err = 0;
 
 	l2cap_chan_lock(chan);
@@ -4078,6 +4084,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 	}
 
 	l2cap_chan_unlock(chan);
+	l2cap_chan_put(chan);
 
 unlock:
 	mutex_unlock(&conn->chan_lock);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* [PATCH AUTOSEL 4.19 25/25] r8152: Rate limit overflow messages
  2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
                   ` (21 preceding siblings ...)
  2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 23/25] Bluetooth: L2CAP: Fix user-after-free Sasha Levin
@ 2022-10-09 22:24 ` Sasha Levin
  22 siblings, 0 replies; 26+ messages in thread
From: Sasha Levin @ 2022-10-09 22:24 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Andrew Gaul, Andrew Gaul, Jakub Kicinski, Sasha Levin, davem,
	edumazet, pabeni, hayeswang, aaron.ma, jflf_kernel, wsa+renesas,
	dober6023, svenva, linux-usb, netdev

From: Andrew Gaul <gaul@gaul.org>

[ Upstream commit 93e2be344a7db169b7119de21ac1bf253b8c6907 ]

My system shows almost 10 million of these messages over a 24-hour
period which pollutes my logs.

Signed-off-by: Andrew Gaul <gaul@google.com>
Link: https://lore.kernel.org/r/20221002034128.2026653-1-gaul@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/r8152.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 4764e4f54cef..d5a74a71bf59 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1386,7 +1386,9 @@ static void intr_callback(struct urb *urb)
 			   "Stop submitting intr, status %d\n", status);
 		return;
 	case -EOVERFLOW:
-		netif_info(tp, intr, tp->netdev, "intr status -EOVERFLOW\n");
+		if (net_ratelimit())
+			netif_info(tp, intr, tp->netdev,
+				   "intr status -EOVERFLOW\n");
 		goto resubmit;
 	/* -EPIPE:  should clear the halt */
 	default:
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 26+ messages in thread

end of thread, other threads:[~2022-10-18 11:10 UTC | newest]

Thread overview: 26+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-10-09 22:24 [PATCH AUTOSEL 4.19 01/25] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 02/25] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 03/25] openvswitch: Fix overreporting " Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 04/25] tcp: annotate data-race around tcp_md5sig_pool_populated Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 05/25] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 06/25] xfrm: Update ipcomp_scratches with NULL when freed Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 07/25] net: xscale: Fix return type for implementation of ndo_start_xmit Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 08/25] net: lantiq_etop: " Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 09/25] net: ftmac100: fix endianness-related issues from 'sparse' Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 10/25] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 11/25] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 12/25] net: davicom: Fix return type of dm9000_start_xmit Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 13/25] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 14/25] net: korina: Fix return type of korina_send_packet Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 15/25] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 16/25] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free Sasha Levin
2022-10-18  9:53   ` Pavel Machek
2022-10-18 11:10     ` Greg KH
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 17/25] can: bcm: check the result of can_send() in bcm_can_tx() Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 18/25] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 19/25] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 20/25] wifi: rt2x00: set SoC wmac clock register Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 21/25] wifi: rt2x00: correctly set BBP register 86 for MT7620 Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 22/25] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 23/25] Bluetooth: L2CAP: Fix user-after-free Sasha Levin
2022-10-09 22:24 ` [PATCH AUTOSEL 4.19 25/25] r8152: Rate limit overflow messages Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).