korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-09-21 12:11:49 +08:00
Code Issues Packages Projects Releases Wiki Activity
linux-6.1.y
linux/net
History
Eric Dumazet 3fc06f6d14 wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values 
[ Upstream commit d1cba2ea81 ]

syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM
to 2^31.

We had a similar issue in sch_fq, fixed with commit
d9e15a2733 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM")

watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]
Modules linked in:
irq event stamp: 131135
 hardirqs last  enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
 hardirqs last  enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95
 hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
 hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
 softirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline]
 softirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553
 softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: mld mld_ifc_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : __list_del include/linux/list.h:195 [inline]
 pc : __list_del_entry include/linux/list.h:218 [inline]
 pc : list_move_tail include/linux/list.h:310 [inline]
 pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
 pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
 lr : __list_del_entry include/linux/list.h:218 [inline]
 lr : list_move_tail include/linux/list.h:310 [inline]
 lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
 lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854
sp : ffff800093d36700
x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000
x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0
x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0
x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0
x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8
x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc
x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470
Call trace:
  __list_del include/linux/list.h:195 [inline]
  __list_del_entry include/linux/list.h:218 [inline]
  list_move_tail include/linux/list.h:310 [inline]
  fq_tin_dequeue include/net/fq_impl.h:112 [inline]
  ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
  wake_tx_push_queue net/mac80211/util.c:294 [inline]
  ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315
  drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]
  schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]
  ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664
  ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966
  ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062
  __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338
  ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532
  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
  netdev_start_xmit include/linux/netdevice.h:4917 [inline]
  xmit_one net/core/dev.c:3531 [inline]
  dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547
  __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341
  dev_queue_xmit include/linux/netdevice.h:3091 [inline]
  neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563
  neigh_output include/net/neighbour.h:542 [inline]
  ip6_finish_output2+0x104c/0x1ee8 net/ipv6/ip6_output.c:137
  ip6_finish_output+0x428/0x7a0 net/ipv6/ip6_output.c:222
  NF_HOOK_COND include/linux/netfilter.h:303 [inline]
  ip6_output+0x270/0x594 net/ipv6/ip6_output.c:243
  dst_output include/net/dst.h:450 [inline]
  NF_HOOK+0x160/0x4f0 include/linux/netfilter.h:314
  mld_sendpack+0x7b4/0x10f4 net/ipv6/mcast.c:1818
  mld_send_cr net/ipv6/mcast.c:2119 [inline]
  mld_ifc_work+0x840/0xd0c net/ipv6/mcast.c:2650
  process_one_work+0x7b8/0x15d4 kernel/workqueue.c:3267
  process_scheduled_works kernel/workqueue.c:3348 [inline]
  worker_thread+0x938/0xef4 kernel/workqueue.c:3429
  kthread+0x288/0x310 kernel/kthread.c:388
  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Fixes: 52539ca89f ("cfg80211: Expose TXQ stats and parameters to userspace")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240615160800.250667-1-edumazet@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-08-19 06:00:07 +02:00
..
6lowpan
9p net/9p: fix uninit-value in p9_client_rpc() 2024-06-16 13:41:38 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:33:02 +01:00
8021q vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING 2024-01-31 16:17:04 -08:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2023-12-20 17:00:19 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2023-12-20 17:00:17 +01:00
ax25 ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put() 2024-06-21 14:35:32 +02:00
batman-adv batman-adv: Don't accept TT entries for out-of-spec VIDs 2024-07-05 09:31:58 +02:00
bluetooth Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor 2024-08-14 13:52:44 +02:00
bpf bpf: Set run context for rawtp test_run callback 2024-06-21 14:35:33 +02:00
bpfilter
bridge net: bridge: mcast: wait for previous gc cycles when removing port 2024-08-14 13:52:43 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:50:24 +01:00
can net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new 2024-07-05 09:31:56 +02:00
ceph libceph: fix race between delayed_work() and ceph_monc_stop() 2024-07-18 13:18:41 +02:00
core net: linkwatch: use system_unbound_wq 2024-08-14 13:52:44 +02:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-11 12:08:17 +02:00
dccp Fix race for duplicate reqsk on identical SYN 2024-07-05 09:31:46 +02:00
devlink devlink: remove reload failed checks in params get/set callbacks 2023-09-23 11:11:01 +02:00
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-01-25 15:27:38 -08:00
dsa net: dsa: introduce preferred_default_local_cpu_port and use on MT7530 2024-04-27 17:07:17 +02:00
ethernet ethernet: Add helper for assigning packet type when dest address does not match device address 2024-05-02 16:29:29 +02:00
ethtool ethtool: netlink: do not return SQI value if link is down 2024-07-18 13:18:35 +02:00
hsr hsr: Simplify code for announcing HSR nodes timer setup 2024-05-17 11:56:13 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-10-07 09:29:17 +02:00
ife net: sched: ife: fix potential use-after-free 2024-01-01 12:38:56 +00:00
ipv4 netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). 2024-08-11 12:35:58 +02:00
ipv6 ipv6: fix source address selection with route leak 2024-08-14 13:53:02 +02:00
iucv net/iucv: fix use after free in iucv_sock_close() 2024-08-11 12:35:58 +02:00
kcm net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function 2024-03-26 18:20:42 -04:00
key net: af_key: fix sadb_x_filter validation 2023-08-23 17:52:32 +02:00
l2tp l2tp: fix lockdep splat 2024-08-14 13:52:44 +02:00
l3mdev
lapb
llc llc: call sock_orphan() at release time 2024-02-05 20:13:01 +00:00
mac80211 wifi: mac80211: check basic rates validity 2024-08-03 08:49:47 +02:00
mac802154 net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() 2024-07-25 09:49:17 +02:00
mctp net: mctp: copy skb ext data when fragmenting 2024-03-26 18:20:37 -04:00
mpls net: mpls: error out if inner headers are not set 2024-04-13 13:05:27 +02:00
mptcp mptcp: fully established after ADD_ADDR echo on MPJ 2024-08-19 06:00:06 +02:00
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-06-21 14:35:33 +02:00
netfilter netfilter: nf_tables: prefer nft_chain_validate 2024-08-14 13:53:03 +02:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-01-25 15:27:20 -08:00
netlink netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter 2024-03-06 14:45:06 +00:00
netrom netrom: Fix a memory leak in nr_heartbeat_expiry() 2024-06-27 13:46:18 +02:00
nfc nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() 2024-06-12 11:03:53 +02:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-05-17 11:55:59 +02:00
openvswitch openvswitch: Set the skbuff pkt_type for proper pmtud support. 2024-06-12 11:03:51 +02:00
packet af_packet: Handle outgoing VLAN packets without hardware offloading 2024-08-03 08:49:31 +02:00
phonet phonet: fix rtm_phonet_notify() skb allocation 2024-05-17 11:56:12 +02:00
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-13 18:39:11 +01:00
qrtr net: qrtr: ns: Fix module refcnt 2024-06-12 11:03:32 +02:00
rds net/rds: fix possible cp null dereference 2024-04-10 16:28:25 +02:00
rfkill net: rfkill: gpio: set GPIO direction 2024-01-01 12:39:04 +00:00
rose net/rose: fix races in rose_kill_by_device() 2024-01-01 12:38:57 +00:00
rxrpc rxrpc: Fix response to PING RESPONSE ACKs to a dead call 2024-02-16 19:06:27 +01:00
sched sched: act_ct: take care of padding in struct zones_ht_key 2024-08-11 12:35:56 +02:00
sctp sctp: Fix null-ptr-deref in reuseport_add_sock(). 2024-08-14 13:52:43 +02:00
smc net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined 2024-08-03 08:49:04 +02:00
strparser
sunrpc sunrpc: use the struct net as the svc proc private 2024-08-19 06:00:05 +02:00
switchdev net: bridge: switchdev: Skip MDB replays of deferred events on offload 2024-03-01 13:26:35 +01:00
tipc tipc: Return non-zero value from tipc_udp_addr2str() on error 2024-08-03 08:49:50 +02:00
tls tls: fix missing memory barrier in tls_init 2024-06-12 11:03:53 +02:00
unix af_unix: Don't retry after unix_state_lock_nested() in unix_stream_connect(). 2024-08-14 13:52:46 +02:00
vmw_vsock vsock/virtio: fix packet delivery to tap device 2024-04-10 16:28:25 +02:00
wireless wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values 2024-08-19 06:00:07 +02:00
x25 net/x25: fix incorrect parameter validation in the x25_getsockopt() function 2024-03-26 18:20:42 -04:00
xdp xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING 2024-04-17 11:18:23 +02:00
xfrm net: fix __dst_negative_advice() race 2024-06-16 13:41:40 +02:00
compat.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
devres.c
Kconfig
Kconfig.debug
Makefile devlink: move code to a dedicated directory 2023-08-30 16:11:00 +02:00
socket.c splice, net: Add a splice_eof op to file-ops and socket-ops 2024-01-10 17:10:27 +01:00
sysctl_net.c sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table) 2024-08-11 12:35:51 +02:00