Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.131 2021-11-07T19:25:29+00:00 2021-11-07T19:25:29+00:00 Eric Dumazet edumazet@google.com 2021-11-05T21:42:14+00:00 urn:sha1:8ac9dfd58b138f7e82098a4e0a0d46858b12215b Both ifindex and LLC_SK_DEV_HASH_ENTRIES are signed. This means that (ifindex % LLC_SK_DEV_HASH_ENTRIES) is negative if @ifindex is negative. We could simply make LLC_SK_DEV_HASH_ENTRIES unsigned. In this patch I chose to use hash_32() to get more entropy from @ifindex, like llc_sk_laddr_hashfn(). UBSAN: array-index-out-of-bounds in ./include/net/llc.h:75:26 index -43 is out of range for type 'hlist_head [64]' CPU: 1 PID: 20999 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291 llc_sk_dev_hash include/net/llc.h:75 [inline] llc_sap_add_socket+0x49c/0x520 net/llc/llc_conn.c:697 llc_ui_bind+0x680/0xd70 net/llc/af_llc.c:404 __sys_bind+0x1e9/0x250 net/socket.c:1693 __do_sys_bind net/socket.c:1704 [inline] __se_sys_bind net/socket.c:1702 [inline] __x64_sys_bind+0x6f/0xb0 net/socket.c:1702 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa503407ae9 Fixes: 6d2e3ea28446 ("llc: use a device based hash table to speed up multicast delivery") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2021-10-13T16:40:46+00:00 Jakub Kicinski kuba@kernel.org 2021-10-12T15:58:37+00:00 urn:sha1:2ef6db76bac0f3006daceb9eeeaf5f09820b1caf In preparation for netdev->dev_addr being constant make all relevant arguments in LLC and SNAP constant. Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2018-09-13T16:04:58+00:00 Cong Wang xiyou.wangcong@gmail.com 2018-09-11T18:42:06+00:00 urn:sha1:9708d2b5b7c648e8e0a40d11e8cea12f6277f33c llc_sap_close() is called by llc_sap_put() which could be called in BH context in llc_rcv(). We can't block in BH. There is no reason to block it here, kfree_rcu() should be sufficient. Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-08-07T22:54:00+00:00 Cong Wang xiyou.wangcong@gmail.com 2018-08-07T19:41:38+00:00 urn:sha1:0dcb82254d65f72333aa50ad626d1e9665ad093b llc_sap_put() decreases the refcnt before deleting sap from the global list. Therefore, there is a chance llc_sap_find() could find a sap with zero refcnt in this global list. Close this race condition by checking if refcnt is zero or not in llc_sap_find(), if it is zero then it is being removed so we can just treat it as gone. Reported-by: <syzbot+278893f3f7803871f7ce@syzkaller.appspotmail.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2017-07-04T21:35:15+00:00 Reshetova, Elena elena.reshetova@intel.com 2017-07-04T12:52:56+00:00 urn:sha1:58951dde05fdac96a9d30805d8fa5d124dd4f92c refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2014-01-04T01:56:48+00:00 stephen hemminger stephen@networkplumber.org 2014-01-03T17:19:51+00:00 urn:sha1:5e419e68a6450da279e8add304629774133576a9 The llc_sap_list_lock does not need to be global, only acquired in core. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-09-21T18:01:38+00:00 Joe Perches joe@perches.com 2013-09-21T17:22:45+00:00 urn:sha1:bf3c710f71a6144bd4d3bb9efb91099863debfb8 There are a mix of function prototypes with and without extern in the kernel sources. Standardize on not using extern for function prototypes. Function prototypes don't need to be written with extern. extern is assumed by the compiler. Its use is as unnecessary as using auto to declare automatic/local variables in a block. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-09-17T17:13:24+00:00 David S. Miller davem@davemloft.net 2012-09-17T17:13:24+00:00 urn:sha1:b4516a288e71c64d7e214902250baf78b7b3cdcf Signed-off-by: David S. Miller <davem@davemloft.net> 2012-08-14T23:51:18+00:00 Ben Hutchings ben@decadent.org.uk 2012-08-13T02:49:59+00:00 urn:sha1:6024935f5ff5f1646bce8404416318e5fd4a0c4a llc_station_init() creates and processes an event skb with no effect other than to change the state from DOWN to UP. Allocation failure is reported, but then ignored by its caller, llc2_init(). Remove this possibility by simply initialising the state as UP. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-07-26T23:49:47+00:00 Arun Sharma asharma@fb.com 2011-07-26T23:09:06+00:00 urn:sha1:60063497a95e716c9a689af3be2687d261f115b4 This allows us to move duplicated code in <asm/atomic.h> (atomic_inc_not_zero() for now) to <linux/atomic.h> Signed-off-by: Arun Sharma <asharma@fb.com> Reviewed-by: Eric Dumazet <eric.dumazet@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: David Miller <davem@davemloft.net> Cc: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>