21 Mar, 2023
1 commit
-
Set the default value of min_frag_size to 60, otherwise the checking of
min_frag_size would fail in stmmac_set_preempt().
Signed-off-by: Tao Yang
08 Mar, 2023
1 commit
-
Add a parameter to disable the preemption and clean the configuration.
Signed-off-by: Xiaoliang Yang
08 Feb, 2023
14 commits
-
The ethtool module has added a preemption reset API; the DSA driver also
needs to add this API to support the reset preemption driver.
Signed-off-by: Xiaoliang Yang
-
The preemption should not be active until the LLDP verify ensures that
preemption is enabled on the remote port. That needs a reset function to
reset the preemption to make the preemption active. The user space
application will use this API.
Signed-off-by: Xiaoliang Yang
-
In "99.4.2 Determining that the link partner supports preemption" of
IEEE 802.3-2018, it defines that the preemption needs LLDP exchange to
verify the preemption status of the link partner. This patch adds an lldp
verify parameter and modifies some parameters to fit this feature.

User space command example:
$ ethtool --set-frame-preemption swp0 lldp-verify on \
    preemptible-queues-mask 0x02 min-frag-size 124
Signed-off-by: Xiaoliang Yang
-
Adding mdb entries on disabled ports allows you to do setup before
accepting any traffic, avoiding any time where the port is not in the
multicast group.
Signed-off-by: Casper Andersson
Acked-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
-
Time-sensitive networking code needs to work with PTP times expressed in
nanoseconds, and with packet transmission times expressed in
picoseconds, since those would be fractional at higher than gigabit
speed when expressed in nanoseconds.

Convert the existing uses in tc-taprio and the ocelot/felix DSA driver
to a PSEC_PER_NSEC macro. This macro is placed in include/linux/time64.h
as opposed to its relatives (PSEC_PER_SEC etc.) from include/vdso/time64.h
because the vDSO library does not (yet) need/use it.
Cc: Andy Lutomirski
Cc: Thomas Gleixner
Signed-off-by: Vladimir Oltean
Reviewed-by: Vincenzo Frascino # for the vDSO parts
Signed-off-by: Jakub Kicinski
-
Add ETHTOOL_GFP and ETHTOOL_SFP ioctl cmd support. This can be used for
LLDP to get preemption status.
Signed-off-by: Xiaoliang Yang
-
Preempt_set and preempt_get are new functions of ethtool ops, which
set preempt queues according to 802.1Qbu and 802.3br. Add them
on slave ports of the DSA framework, so that DSA devices can support
setting preempt queues.
Signed-off-by: Xiaoliang Yang
-
ethtool is gaining support for using netlink as transport for its
messages, being an alternative to ioctl() calls.

Frame preemption, being new, makes a good target for being added to
the list of features that are also supported via the netlink
transport.
Signed-off-by: Vinicius Costa Gomes
-
Frame preemption (described in IEEE 802.3br-2016) defines the concept
of preemptible and express queues. It allows traffic from express
queues to "interrupt" traffic from preemptible queues, which are
"resumed" after the express traffic has finished transmitting.

Frame preemption can only be used when both the local device and the
link partner support it.

A new ethtool command was added to support the configuration
parameters.
Signed-off-by: Vinicius Costa Gomes
-
This patch supports mapping PCP to different CoS queues by using tsntool
netlink to set it.
Signed-off-by: Xiaoliang Yang
-
qci_sfi_get() returning 0 means this SFI list is disabled, 1 means
enabled. qci_sfi_counters_get() only returns 0 or ERR.

The maxsdu obtained from netlink needs to be set in qbvconfig and
transferred to the driver to set the maximum SDU of the queue.
Fixes: 68ca439c ("net:tsn: netlink interface for APP layer to config TSN capability hardware ports")
Signed-off-by: Xiaoliang Yang
-
An interesting possibility offered by the new thread NAPI code is to
fine-tune the affinities and priorities of different NAPI instances. In a
real-time networking context, this makes it possible to ensure packets
received in a high-priority queue are always processed, and with low
latency.

However, the way the NAPI threads are named does not really expose which
one is responsible for a given queue. Assigning a more explicit name to
NAPI instances can make that determination much easier.
Signed-off-by: Yannick Vignon
-
Add VLAN protocol support when adding or deleting a VLAN for a switchdev
port: get the current bridge's VLAN protocol and pass it to the port driver.
Signed-off-by: hongbo.wang
-
The following commands will be supported:
Set bridge's vlan protocol:
  ip link set br0 type bridge vlan_protocol 802.1ad
Add VLAN:
  ip link add link swp1 name swp1.100 type vlan protocol 802.1ad id 100
Delete VLAN:
  ip link del link swp1 name swp1.100
Signed-off-by: hongbo.wang
Signed-off-by: Xiaoliang Yang
02 Dec, 2022
1 commit
-
Signed-off-by: Xiaobo Xie
09 Nov, 2022
16 commits
-
commit 3c52c6bb831f6335c176a0fc7214e26f43adbd11 upstream.
syzbot reported a memory leak [0] related to IPV6_ADDRFORM.
The scenario is that while one thread is converting an IPv6 socket into
IPv4 with IPV6_ADDRFORM, another thread calls do_ipv6_setsockopt() and
allocates memory to inet6_sk(sk)->XXX after conversion.

Then, the converted sk with (tcp|udp)_prot never frees the IPv6 resources,
which inet6_destroy_sock() should have cleaned up.

setsockopt(IPV6_ADDRFORM)                 setsockopt(IPV6_DSTOPTS)
+-----------------------+                 +----------------------+
- do_ipv6_setsockopt(sk, ...)
  - sockopt_lock_sock(sk)                 - do_ipv6_setsockopt(sk, ...)
    - lock_sock(sk)                         ^._ called via tcpv6_prot
  - WRITE_ONCE(sk->sk_prot, &tcp_prot)          before WRITE_ONCE()
  - xchg(&np->opt, NULL)
    - txopt_put(opt)
  - sockopt_release_sock(sk)
    - release_sock(sk)                    - sockopt_lock_sock(sk)
                                            - lock_sock(sk)
                                          - ipv6_set_opt_hdr(sk, ...)
                                            - ipv6_update_options(sk, opt)
                                              - xchg(&inet6_sk(sk)->opt, opt)
                                                ^._ opt is never freed.

                                          - sockopt_release_sock(sk)
                                            - release_sock(sk)

Since IPV6_DSTOPTS allocates options under lock_sock(), we can avoid this
memory leak by testing whether sk_family is changed by IPV6_ADDRFORM after
acquiring the lock.

This issue exists from the initial commit between IPV6_ADDRFORM and
IPV6_PKTOPTIONS.

[0]:
BUG: memory leak
unreferenced object 0xffff888009ab9f80 (size 96):
comm "syz-executor583", pid 328, jiffies 4294916198 (age 13.034s)
hex dump (first 32 bytes):
01 00 00 00 48 00 00 00 08 00 00 00 00 00 00 00 ....H...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[] kmalloc include/linux/slab.h:605 [inline]
[] sock_kmalloc+0xb3/0x100 net/core/sock.c:2566
[] ipv6_renew_options+0x21e/0x10b0 net/ipv6/exthdrs.c:1318
[] ipv6_set_opt_hdr net/ipv6/ipv6_sockglue.c:354 [inline]
[] do_ipv6_setsockopt.constprop.0+0x28b7/0x4350 net/ipv6/ipv6_sockglue.c:668
[] ipv6_setsockopt+0xdf/0x190 net/ipv6/ipv6_sockglue.c:1021
[] tcp_setsockopt+0x13b/0x2620 net/ipv4/tcp.c:3789
[] __sys_setsockopt+0x239/0x620 net/socket.c:2252
[] __do_sys_setsockopt net/socket.c:2263 [inline]
[] __se_sys_setsockopt net/socket.c:2260 [inline]
[] __x64_sys_setsockopt+0xbe/0x160 net/socket.c:2260
[] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
[] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot
Signed-off-by: Kuniyuki Iwashima
Signed-off-by: Jakub Kicinski
Signed-off-by: Meena Shanmugam
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 1401e9336bebaa6dd5a320f83bddc17619d4e3a6)
-
Fix the race condition between the following two flows that run in
parallel:

1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) ->
   __sock_queue_rcv_skb.
2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.

An SKB can be queued by the first flow and immediately dequeued and
freed by the second flow, therefore the callers of l2cap_reassemble_sdu
can't use the SKB after that function returns. However, some places
continue accessing struct l2cap_ctrl that resides in the SKB's CB for a
short time after l2cap_reassemble_sdu returns, leading to a
use-after-free condition (the stack trace is below, line numbers for
kernel 5.19.8).

Fix it by keeping a local copy of struct l2cap_ctrl.

BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169

Workqueue: hci0 hci_rx_work [bluetooth]
Call Trace:
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)
? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth
ret_from_fork (arch/x86/entry/entry_64.S:306)
Allocated by task 43169:
kasan_save_stack (mm/kasan/common.c:39)
__kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)
__alloc_skb (net/core/skbuff.c:414)
l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth
l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth
hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth
process_one_work (kernel/workqueue.c:2289)
worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)
kthread (kernel/kthread.c:376)
ret_from_fork (arch/x86/entry/entry_64.S:306)

Freed by task 27920:
kasan_save_stack (mm/kasan/common.c:39)
kasan_set_track (mm/kasan/common.c:45)
kasan_set_free_info (mm/kasan/generic.c:372)
____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)
slab_free_freelist_hook (mm/slub.c:1780)
kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)
skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)
bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth
l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth
sock_read_iter (net/socket.c:1087)
new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)
vfs_read (fs/read_write.c:482)
ksys_read (fs/read_write.c:620)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)

Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u
Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive state machine")
Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier")
Signed-off-by: Maxim Mikityanskiy
Signed-off-by: Luiz Augusto von Dentz
(cherry picked from commit 3aff8aaca4e36dc8b17eaa011684881a80238966)
-
When l2cap_recv_frame() is invoked to receive data, and the cid is
L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
However, after a channel is created, the hold operation of the channel
is not performed. In this case, the value of channel reference counting
is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
invokes the close hook function of A2MP to release the channel. Then
l2cap_chan_unlock(chan) will trigger a UAF issue.

The process is as follows:
Receive data:
l2cap_data_channel()
  a2mp_channel_create()         --->channel ref is 2
  l2cap_chan_put()              --->channel ref is 1

Trigger event:
hci_error_reset()
  hci_dev_do_close()
    ...
    l2cap_disconn_cfm()
      l2cap_conn_del()
        l2cap_chan_hold()       --->channel ref is 2
        l2cap_chan_del()        --->channel ref is 1
          a2mp_chan_close_cb()  --->channel ref is 0, release channel
        l2cap_chan_unlock()     --->UAF of channel

The detailed Call Trace is as follows:
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
Workqueue: hci0 hci_error_reset
Call Trace:
dump_stack_lvl+0xcd/0x134
print_report.cold+0x2ba/0x719
kasan_report+0xb1/0x1e0
kasan_check_range+0x140/0x190
__mutex_unlock_slowpath+0xa6/0x5e0
l2cap_conn_del+0x404/0x7b0
l2cap_disconn_cfm+0x8c/0xc0
hci_conn_hash_flush+0x11f/0x260
hci_dev_close_sync+0x5f5/0x11f0
hci_dev_do_close+0x2d/0x70
hci_error_reset+0x9e/0x140
process_one_work+0x98a/0x1620
worker_thread+0x665/0x1080
kthread+0x2e4/0x3a0
ret_from_fork+0x1f/0x30
Allocated by task 7593:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0xa9/0xd0
l2cap_chan_create+0x40/0x930
amp_mgr_create+0x96/0x990
a2mp_channel_create+0x7d/0x150
l2cap_recv_frame+0x51b8/0x9a70
l2cap_recv_acldata+0xaa3/0xc00
hci_rx_work+0x702/0x1220
process_one_work+0x98a/0x1620
worker_thread+0x665/0x1080
kthread+0x2e4/0x3a0
ret_from_fork+0x1f/0x30

Freed by task 7593:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
____kasan_slab_free+0x167/0x1c0
slab_free_freelist_hook+0x89/0x1c0
kfree+0xe2/0x580
l2cap_chan_put+0x22a/0x2d0
l2cap_conn_del+0x3fc/0x7b0
l2cap_disconn_cfm+0x8c/0xc0
hci_conn_hash_flush+0x11f/0x260
hci_dev_close_sync+0x5f5/0x11f0
hci_dev_do_close+0x2d/0x70
hci_error_reset+0x9e/0x140
process_one_work+0x98a/0x1620
worker_thread+0x665/0x1080
kthread+0x2e4/0x3a0
ret_from_fork+0x1f/0x30

Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0xbe/0xd0
call_rcu+0x99/0x740
netlink_release+0xe6a/0x1cf0
__sock_release+0xcd/0x280
sock_close+0x18/0x20
__fput+0x27c/0xa90
task_work_run+0xdd/0x1a0
exit_to_user_mode_prepare+0x23c/0x250
syscall_exit_to_user_mode+0x19/0x50
do_syscall_64+0x42/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0xbe/0xd0
call_rcu+0x99/0x740
netlink_release+0xe6a/0x1cf0
__sock_release+0xcd/0x280
sock_close+0x18/0x20
__fput+0x27c/0xa90
task_work_run+0xdd/0x1a0
exit_to_user_mode_prepare+0x23c/0x250
syscall_exit_to_user_mode+0x19/0x50
do_syscall_64+0x42/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
Signed-off-by: Zhengchao Shao
Signed-off-by: Luiz Augusto von Dentz
(cherry picked from commit 0d0e2d032811280b927650ff3c15fe5020e82533)
-
commit ff05d4b45dd89b922578dac497dcabf57cf771c6
When we parse a multi-BSSID element, we might point some
element pointers into the allocated nontransmitted_profile.
However, we free this before returning, causing UAF when the
relevant pointers in the parsed elements are accessed.

Fix this by not allocating the scratch buffer separately but
as part of the returned structure instead; that way, there
are no lifetime issues with it.

The scratch buffer introduction as part of the returned data
here is taken from MLO feature work done by Ilan.

This fixes CVE-2022-42719.
Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
Co-developed-by: Ilan Peer
Signed-off-by: Ilan Peer
Reviewed-by: Kees Cook
Signed-off-by: Johannes Berg
Cc: Felix Fietkau
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit de124365a7d2deed22cf706583930f28d537ff0f)
-
commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
My previous commit 5d24828d05f3 ("mac80211: always allocate
struct ieee802_11_elems") had a few bugs and leaked the new
allocated struct in a few error cases; fix that.

Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
Signed-off-by: Johannes Berg
Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
Signed-off-by: Johannes Berg
Cc: Felix Fietkau
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 7d998f6b7365d50a9905bf57fd28b41c7ebe8e9d)
-
As the 802.11 spec evolves, we need to parse more and more
elements. This is causing the struct to grow, and we can no
longer get away with putting it on the stack.

Change the API to always dynamically allocate and return an
allocated pointer that must be kfree()d later.

As an alternative, I contemplated a scheme whereby we'd say
in the code which elements we needed, e.g.

  DECLARE_ELEMENT_PARSER(elems,
                         SUPPORTED_CHANNELS,
                         CHANNEL_SWITCH,
                         EXT(KEY_DELIVERY));

  ieee802_11_parse_elems(..., &elems, ...);

and while I think this is possible and will save us a lot
since most individual places only care about a small subset
of the elements, it ended up being a bit more work since a
lot of places do the parsing and then pass the struct to
other functions, sometimes with multiple levels.

Link: https://lore.kernel.org/r/20210920154009.26caff6b5998.I05ae58768e990e611aee8eca8abefd9d7bc15e05@changeid
Signed-off-by: Johannes Berg
Cc: Felix Fietkau
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit fee48f3bdd7516bb63da507213916227cf147211)
-
commit 49a765d6785e99157ff5091cc37485732496864e upstream.
There's no need to parse all elements etc. just to find the
authentication challenge; use cfg80211_find_elem() instead.
This also allows us to remove WLAN_EID_CHALLENGE handling
from the element parsing entirely.

Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
Signed-off-by: Johannes Berg
Cc: Felix Fietkau
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 630060f1175676b9cb3a032767f20dbce93616c9)
-
commit c6e37ed498f958254b5459253199e816b6bfc52f upstream.
We're currently returning this value, but to prepare for
returning the allocated structure, move it into there.

Link: https://lore.kernel.org/r/20210920154009.479b8ebf999d.If0d4ba75ee38998dc3eeae25058aa748efcb2fc9@changeid
Signed-off-by: Johannes Berg
Cc: Felix Fietkau
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 21df3a583e8e03d8f74fa2eedbcd7a2b3f5cabc1)
-
commit a5b983c6073140b624f64e79fea6d33c3e4315a0 upstream.
We currently pass the entire elements to the rx_bcn_presp()
method, but only need mesh_config. Additionally, we use the
length of the elements to calculate back the entire frame's
length, but that's confusing; just pass the length of the
frame instead.

Link: https://lore.kernel.org/r/20210920154009.a18ed3d2da6c.I1824b773a0fbae4453e1433c184678ca14e8df45@changeid
Signed-off-by: Johannes Berg
Cc: Felix Fietkau
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 864f2d3482f4bd0c62b355e35ee8300be8ef488e)
-
commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
When updating beacon elements in a non-transmitted BSS,
also update the hidden sub-entries to the same beacon
elements, so that a future update through other paths
won't trigger a WARN_ON().

The warning is triggered because the beacon elements in
the hidden BSSes that are children of the BSS should
always be the same as in the parent.

Reported-by: Sönke Huster
Tested-by: Sönke Huster
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit d15bb1f6dabe1d2a4155958111bea47db72b599c)
-
commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
If beacon protection is active but the beacon cannot be
decrypted or is otherwise malformed, we call the cfg80211
API to report this to userspace, but that uses a netdev
pointer, which isn't present for P2P-Device. Fix this to
call it only conditionally to ensure cfg80211 won't crash
in the case of P2P-Device.

This fixes CVE-2022-42722.
Reported-by: Sönke Huster
Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 93a3a32554079432b49cf87f326607b2a2fab4f2)
-
commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
If a non-transmitted BSS shares enough information (both
SSID and BSSID!) with another non-transmitted BSS of a
different AP, then we can find and update it, and then
try to add it to the non-transmitted BSS list. We do a
search for it on the transmitted BSS, but if it's not
there (but belongs to another transmitted BSS), the list
gets corrupted.

Since this is an erroneous situation, simply fail the
list insertion in this case and free the non-transmitted
BSS.

This fixes CVE-2022-42721.
Reported-by: Sönke Huster
Tested-by: Sönke Huster
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 0a8ee682e4f992eccce226b012bba600bb2251e2)
-
commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
There are multiple refcounting bugs related to multi-BSSID:

- In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
  the bss pointer is overwritten before checking for the
  transmitted BSS, which is clearly wrong. Fix this by using
  the bss_from_pub() macro.

- In cfg80211_bss_update() we copy the transmitted_bss pointer
  from tmp into new, but then if we release new, we'll unref
  it erroneously. We already set the pointer and ref it, but
  need to NULL it since it was copied from the tmp data.

- In cfg80211_inform_single_bss_data(), if adding to the non-
  transmitted list fails, we unlink the BSS and yet still we
  return it, but this results in returning an entry without
  a reference. We shouldn't return it anyway if it was broken
  enough to not get added there.

This fixes CVE-2022-42720.
Reported-by: Sönke Huster
Tested-by: Sönke Huster
Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit bfe29873454f38eb1a511a76144ad1a4848ca176)
-
commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
When iterating the elements here, ensure the length byte is
present before checking it to see if the entire element will
fit into the buffer.

Longer term, we should rewrite this code using the type-safe
element iteration macros that check all of this.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reported-by: Soenke Huster
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 9e99ca59ed3976921f8891c103d503b6da3e78af)
-
commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
and the minimum is 1 since a multiple BSSID set with just one BSSID
doesn't make sense (the # of BSSIDs is limited by 2^n).

Limit this in the parsing in both cfg80211 and mac80211, rejecting
any elements with an invalid value.

This fixes potentially bad shifts in the processing of these inside
the cfg80211_gen_new_bssid() function later.

I found this during the investigation of CVE-2022-41674 fixed by the
previous patch.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
Reviewed-by: Kees Cook
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 0a861bd25dad508e492c48169509d8c6b9246895)
-
commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
In the copy code of the elements, we do the following calculation
to reach the end of the MBSSID element:

  /* copy the IEs after MBSSID */
  cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1],
so the addition of two can overflow. In this case the subsequent
memcpy() will overflow the allocated buffer, since it copies 256
bytes too much due to the way the allocation and memcpy() sizes
are calculated.

Fix this by using size_t for the cpy_len variable.
This fixes CVE-2022-41674.
Reported-by: Soenke Huster
Tested-by: Soenke Huster
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reviewed-by: Kees Cook
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 9a8ef2030510a9d6ce86fd535b8d10720230811f)
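Added example, not kernel code: a minimal 802.11 element walker in C that folds in the three checks the cfg80211 commit messages above describe: reading the length byte only once it is present (567e14e), rejecting a MaxBSSID indicator outside 1..8 (8f033d2), and doing the cpy_len arithmetic in size_t instead of u8 (aebe9f4, CVE-2022-41674). Element ID 71, the constructed sample buffer and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_MBSSID 71   /* IEEE 802.11 Multiple BSSID element ID (assumed here) */
#define ELEM_HDR   2    /* 1-byte ID + 1-byte length */

/* Walk the element list; read the length byte only once it exists (567e14e). NULL if malformed. */
static const uint8_t *find_elem(const uint8_t *ies, size_t len, uint8_t eid)
{
    const uint8_t *pos = ies, *end = ies + len;
    while (pos < end) {
        if ((size_t)(end - pos) < ELEM_HDR)
            return NULL;                          /* no length byte */
        size_t elen = (size_t)pos[1] + ELEM_HDR;
        if (elen > (size_t)(end - pos))
            return NULL;                          /* element overruns buffer */
        if (pos[0] == eid)
            return pos;
        pos += elen;
    }
    return NULL;
}

/* Original u8 arithmetic (CVE-2022-41674): 255 + 2 wraps to 1. Shown only, never used to copy. */
uint8_t cpy_len_u8(uint8_t len_byte)
{
    uint8_t cpy_len = len_byte + 2;
    return cpy_len;
}

/* Fixed arithmetic: widen to size_t before adding, as the upstream fix does. */
size_t cpy_len_safe(uint8_t len_byte)
{
    return (size_t)len_byte + ELEM_HDR;
}

/* MaxBSSID Indicator is the first data octet; only 1..8 is valid (8f033d2). */
static int mbssid_indicator(const uint8_t *mbssid)
{
    if (mbssid[1] < 1)
        return -1;
    return (mbssid[2] >= 1 && mbssid[2] <= 8) ? mbssid[2] : -1;
}

/* Copy the IEs after MBSSID with size_t arithmetic and a capacity check; -1 on error. */
static int copy_ies_after_mbssid(const uint8_t *ies, size_t len,
                                 uint8_t *dst, size_t dst_cap)
{
    const uint8_t *mbssid = find_elem(ies, len, EID_MBSSID);
    if (!mbssid || mbssid_indicator(mbssid) < 0)
        return -1;
    const uint8_t *after = mbssid + cpy_len_safe(mbssid[1]);
    size_t rem = (size_t)(ies + len - after);
    if (rem > dst_cap)
        return -1;
    memcpy(dst, after, rem);
    return (int)rem;
}

/* Constructed sample (265 bytes): SSID "ab", 255-byte MBSSID element with indicator n, then rates. */
static size_t build_sample(uint8_t *buf, uint8_t n)
{
    size_t i = 0;
    buf[i++] = 0x00; buf[i++] = 2; buf[i++] = 'a'; buf[i++] = 'b';
    buf[i++] = EID_MBSSID; buf[i++] = 255; buf[i++] = n;
    memset(buf + i, 0, 254); i += 254;
    buf[i++] = 0x01; buf[i++] = 2; buf[i++] = 0x82; buf[i++] = 0x84;
    return i;
}

/* Hardened copy on the sample: 4 trailing bytes for valid n (u8 path would ask 260), else -1. */
int sample_copy_after(uint8_t n)
{
    uint8_t buf[512], out[512];
    size_t len = build_sample(buf, n);
    return copy_ies_after_mbssid(buf, len, out, sizeof out);
}

/* A list that ends on an element ID with no length byte is rejected. */
int truncated_list_rejected(void)
{
    uint8_t e[5] = { 0x00, 2, 'a', 'b', EID_MBSSID };
    return find_elem(e, sizeof e, EID_MBSSID) == NULL;
}
```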
26 Oct, 2022
1 commit
-
Signed-off-by: Xiaobo Xie
30 Sep, 2022
1 commit
-
This is the 5.15.71 stable release

* tag 'v5.15.71': (144 commits)
  Linux 5.15.71
  ext4: use locality group preallocation for small closed files
  ext4: avoid unnecessary spreading of allocations among groups
  ...

Signed-off-by: Jason Liu

Conflicts:
  drivers/net/phy/aquantia_main.c
  drivers/tty/serial/fsl_lpuart.c
28 Sep, 2022
5 commits
-
[ Upstream commit c2e1cfefcac35e0eea229e148c8284088ce437b5 ]
tfilter_put needs to be called to put the refcount got by tp->ops->get to
avoid a possible refcount leak when chain->tmplt_ops != NULL and
chain->tmplt_ops != tp->ops.

Fixes: 7d5509fa0d3d ("net: sched: extend proto ops with 'put' callback")
Signed-off-by: Hangyu Hua
Reviewed-by: Vlad Buslov
Link: https://lore.kernel.org/r/20220921092734.31700-1-hbh25y@gmail.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
-
[ Upstream commit e738455b2c6dcdab03e45d97de36476f93f557d2 ]
There might be a potential race between SMC-R buffer map and
link group termination.

smc_smcr_terminate_all()                 | smc_connect_rdma()
--------------------------------------------------------------
                                         | smc_conn_create()
for links in smcibdev                    |
   schedule links down                   |
                                         | smc_buf_create()
                                         |  \- smcr_buf_map_usable_links()
                                         |      \- no usable links found,
                                         |         (rmb->mr = NULL)
                                         |
                                         | smc_clc_send_confirm()
                                         |  \- access conn->rmb_desc->mr[]->rkey
                                         |     (panic)

During reboot and IB device module remove, all links will be set
down and no usable links remain in link groups. In such a situation
smcr_buf_map_usable_links() should return an error and stop the
CLC flow accessing the uninitialized mr.

Fixes: b9247544c1bc ("net/smc: convert static link ID instances to support multiple links")
Signed-off-by: Wen Gu
Link: https://lore.kernel.org/r/1663656189-32090-1-git-send-email-guwen@linux.alibaba.com
Signed-off-by: Paolo Abeni
Signed-off-by: Sasha Levin
-
[ Upstream commit 62ce44c4fff947eebdf10bb582267e686e6835c9 ]
The bug fix was incomplete, it "replaced" a crash with a memory leak.
The old code had an assignment to "ret" embedded into the conditional;
restore this.

Fixes: 7997eff82828 ("netfilter: ebtables: reject blobs that don't provide all entry points")
Reported-and-tested-by: syzbot+a24c5252f3e3ab733464@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal
Signed-off-by: Sasha Levin
-
[ Upstream commit 9a4d6dd554b86e65581ef6b6638a39ae079b17ac ]
It seems to me that percpu memory for chain stats started leaking since
commit 3bc158f8d0330f0a ("netfilter: nf_tables: map basechain priority to
hardware priority") when nft_chain_offload_priority() returned an error.

Signed-off-by: Tetsuo Handa
Fixes: 3bc158f8d0330f0a ("netfilter: nf_tables: map basechain priority to hardware priority")
Signed-off-by: Florian Westphal
Signed-off-by: Sasha Levin
-
[ Upstream commit 921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd ]
syzbot is reporting underflow of nft_counters_enabled counter at
nf_tables_addchain() [1], for commit 43eb8949cfdffa76 ("netfilter:
nf_tables: do not leave chain stats enabled on error") missed that
nf_tables_chain_destroy() after nft_basechain_init() in the error path of
nf_tables_addchain() decrements the counter because nft_basechain_init()
makes nft_is_base_chain() return true by setting the NFT_CHAIN_BASE flag.

Increment the counter immediately after returning from
nft_basechain_init().

Link: https://syzkaller.appspot.com/bug?extid=b5d82a651b71cd8a75ab [1]
Reported-by: syzbot
Signed-off-by: Tetsuo Handa
Tested-by: syzbot
Fixes: 43eb8949cfdffa76 ("netfilter: nf_tables: do not leave chain stats enabled on error")
Signed-off-by: Florian Westphal
Signed-off-by: Sasha Levin