Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v6.13 2025-01-07T22:49:48Z 2025-01-07T22:49:48Z Linus Torvalds torvalds@linux-foundation.org 2025-01-07T22:49:48Z urn:sha1:09a0fa92e5b45e99cf435b2fbf5ebcf889cf8780 Pull selinux fix from Paul Moore: "A single SELinux patch to address a problem with a single domain using multiple xperm classes" * tag 'selinux-pr-20250107' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: match extended permissions to their base permissions 2025-01-05T01:58:46Z Thiébaud Weksteen tweek@google.com 2024-12-20T04:25:58Z urn:sha1:5e7f0efd23238039bcd4fc72ff28d94f364ec26b In commit d1d991efaf34 ("selinux: Add netlink xperm support") a new extended permission was added ("nlmsg"). This was the second extended permission implemented in selinux ("ioctl" being the first one). Extended permissions are associated with a base permission. It was found that, in the access vector cache (avc), the extended permission did not keep track of its base permission. This is an issue for a domain that is using both extended permissions (i.e., a domain calling ioctl() on a netlink socket). In this case, the extended permissions were overlapping. Keep track of the base permission in the cache. A new field "base_perm" is added to struct extended_perms_decision to make sure that the extended permission refers to the correct policy permission. A new field "base_perms" is added to struct extended_perms to quickly decide if extended permissions apply. While it is in theory possible to retrieve the base permission from the access vector, the same base permission may not be mapped to the same bit for each class (e.g., "nlmsg" is mapped to a different bit for "netlink_route_socket" and "netlink_audit_socket"). Instead, use a constant (AVC_EXT_IOCTL or AVC_EXT_NLMSG) provided by the caller. Fixes: d1d991efaf34 ("selinux: Add netlink xperm support") Signed-off-by: Thiébaud Weksteen <tweek@google.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-12-18T20:10:15Z Linus Torvalds torvalds@linux-foundation.org 2024-12-18T20:10:15Z urn:sha1:397d1d88af2670db9c73d2806ae270b147e6f949 Pull selinux fix from Paul Moore: "One small SELinux patch to get rid improve our handling of unknown extended permissions by safely ignoring them. Not only does this make it easier to support newer SELinux policy on older kernels in the future, it removes to BUG() calls from the SELinux code." * tag 'selinux-pr-20241217' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: ignore unknown extended permissions 2024-12-16T02:59:03Z Thiébaud Weksteen tweek@google.com 2024-12-05T01:09:19Z urn:sha1:900f83cf376bdaf798b6f5dcb2eae0c822e908b6 When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. Cc: stable@vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen <tweek@google.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-12-05T18:25:06Z Linus Torvalds torvalds@linux-foundation.org 2024-12-05T18:25:06Z urn:sha1:896d8946da97332d4dc80fa1937d8dd6b1c35ad4 Pull networking fixes from Paolo Abeni: "Including fixes from can and netfilter. Current release - regressions: - rtnetlink: fix double call of rtnl_link_get_net_ifla() - tcp: populate XPS related fields of timewait sockets - ethtool: fix access to uninitialized fields in set RXNFC command - selinux: use sk_to_full_sk() in selinux_ip_output() Current release - new code bugs: - net: make napi_hash_lock irq safe - eth: - bnxt_en: support header page pool in queue API - ice: fix NULL pointer dereference in switchdev Previous releases - regressions: - core: fix icmp host relookup triggering ip_rt_bug - ipv6: - avoid possible NULL deref in modify_prefix_route() - release expired exception dst cached in socket - smc: fix LGR and link use-after-free issue - hsr: avoid potential out-of-bound access in fill_frame_info() - can: hi311x: fix potential use-after-free - eth: ice: fix VLAN pruning in switchdev mode Previous releases - always broken: - netfilter: - ipset: hold module reference while requesting a module - nft_inner: incorrect percpu area handling under softirq - can: j1939: fix skb reference counting - eth: - mlxsw: use correct key block on Spectrum-4 - mlx5: fix memory leak in mlx5hws_definer_calc_layout" * tag 'net-6.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (76 commits) net :mana :Request a V2 response version for MANA_QUERY_GF_STAT net: avoid potential UAF in default_operstate() vsock/test: verify socket options after setting them vsock/test: fix parameter types in SO_VM_SOCKETS_* calls vsock/test: fix failures due to wrong SO_RCVLOWAT parameter net/mlx5e: Remove workaround to avoid syndrome for internal port net/mlx5e: SD, Use correct mdev to build channel param net/mlx5: E-Switch, Fix switching to switchdev mode in MPV net/mlx5: E-Switch, Fix switching to switchdev mode with IB device disabled net/mlx5: HWS: Properly set bwc queue locks lock classes net/mlx5: HWS: Fix memory leak in mlx5hws_definer_calc_layout bnxt_en: handle tpa_info in queue API implementation bnxt_en: refactor bnxt_alloc_rx_rings() to call bnxt_alloc_rx_agg_bmap() bnxt_en: refactor tpa_info alloc/free into helpers geneve: do not assume mac header is set in geneve_xmit_skb() mlxsw: spectrum_acl_flex_keys: Use correct key block on Spectrum-4 ethtool: Fix wrong mod state in case of verbose and no_mask bitset ipmr: tune the ipmr_can_free_table() checks. netfilter: nft_set_hash: skip duplicated elements pending gc run netfilter: ipset: Hold module reference while requesting a module ... 2024-12-02T19:34:44Z Peter Zijlstra peterz@infradead.org 2024-12-02T14:59:47Z urn:sha1:cdd30ebb1b9f36159d66f088b61aee264e649d7a Clean up the existing export namespace code along the same lines of commit 33def8498fdd ("treewide: Convert macro and uses of __section(foo) to __section("foo")") and for the same reason, it is not desired for the namespace argument to be a macro expansion itself. Scripted using git grep -l -e MODULE_IMPORT_NS -e EXPORT_SYMBOL_NS | while read file; do awk -i inplace ' /^#define EXPORT_SYMBOL_NS/ { gsub(/__stringify\(ns\)/, "ns"); print; next; } /^#define MODULE_IMPORT_NS/ { gsub(/__stringify\(ns\)/, "ns"); print; next; } /MODULE_IMPORT_NS/ { $0 = gensub(/MODULE_IMPORT_NS\(([^)]*)\)/, "MODULE_IMPORT_NS(\"\\1\")", "g"); } /EXPORT_SYMBOL_NS/ { if ($0 ~ /(EXPORT_SYMBOL_NS[^(]*)\(([^,]+),/) { if ($0 !~ /(EXPORT_SYMBOL_NS[^(]*)\(([^,]+), ([^)]+)\)/ && $0 !~ /(EXPORT_SYMBOL_NS[^(]*)\(\)/ && $0 !~ /^my/) { getline line; gsub(/[[:space:]]*\\$/, ""); gsub(/[[:space:]]/, "", line); $0 = $0 " " line; } $0 = gensub(/(EXPORT_SYMBOL_NS[^(]*)\(([^,]+), ([^)]+)\)/, "\\1(\\2, \"\\3\")", "g"); } } { print }' $file; done Requested-by: Masahiro Yamada <masahiroy@kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://mail.google.com/mail/u/2/#inbox/FMfcgzQXKWgMmjdFwwdsfgxzKpVHWPlc Acked-by: Greg KH <gregkh@linuxfoundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2024-12-01T02:14:56Z Linus Torvalds torvalds@linux-foundation.org 2024-12-01T02:14:56Z urn:sha1:8a6a03ad5b04a29f07fb79d2990d93c82394f730 Pull ima fix from Paul Moore: "One small patch to fix a function parameter / local variable naming snafu that went up to you in the current merge window" * tag 'lsm-pr-20241129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: ima: uncover hidden variable in ima_match_rules() 2024-11-30T21:24:33Z Eric Dumazet edumazet@google.com 2024-11-26T14:59:11Z urn:sha1:eedcad2f2a371786f8a32d0046794103dadcedf3 In blamed commit, TCP started to attach timewait sockets to some skbs. syzbot reported that selinux_ip_output() was not expecting them yet. Note that using sk_to_full_sk() is still allowing the following sk_listener() check to work as before. BUG: KASAN: slab-out-of-bounds in selinux_sock security/selinux/include/objsec.h:207 [inline] BUG: KASAN: slab-out-of-bounds in selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761 Read of size 8 at addr ffff88804e86e758 by task syz-executor347/5894 CPU: 0 UID: 0 PID: 5894 Comm: syz-executor347 Not tainted 6.12.0-syzkaller-05480-gfcc79e1714e8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 selinux_sock security/selinux/include/objsec.h:207 [inline] selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook+0x386/0x6d0 include/linux/netfilter.h:269 __ip_local_out+0x339/0x640 net/ipv4/ip_output.c:119 ip_local_out net/ipv4/ip_output.c:128 [inline] ip_send_skb net/ipv4/ip_output.c:1505 [inline] ip_push_pending_frames+0xa0/0x5b0 net/ipv4/ip_output.c:1525 ip_send_unicast_reply+0xd0e/0x1650 net/ipv4/ip_output.c:1672 tcp_v4_send_ack+0x976/0x13f0 net/ipv4/tcp_ipv4.c:1024 tcp_v4_timewait_ack net/ipv4/tcp_ipv4.c:1077 [inline] tcp_v4_rcv+0x2f96/0x4390 net/ipv4/tcp_ipv4.c:2428 ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x316/0x570 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:460 [inline] ip_rcv_finish net/ipv4/ip_input.c:447 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_rcv+0x2c3/0x5d0 net/ipv4/ip_input.c:567 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6877 napi_poll net/core/dev.c:6946 [inline] net_rx_action+0xa94/0x1010 net/core/dev.c:7068 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 </IRQ> <TASK> __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x8af/0x43e0 net/core/dev.c:4461 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0xc6c/0x2150 net/ipv4/ip_output.c:236 __ip_finish_output net/ipv4/ip_output.c:314 [inline] __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:296 ip_finish_output+0x35/0x380 net/ipv4/ip_output.c:324 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:434 dst_output include/net/dst.h:450 [inline] ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:130 __ip_queue_xmit+0x777/0x1970 net/ipv4/ip_output.c:536 __tcp_transmit_skb+0x2b39/0x3df0 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_write_xmit+0x12b1/0x8560 net/ipv4/tcp_output.c:2827 __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3010 tcp_send_fin+0x154/0xc70 net/ipv4/tcp_output.c:3616 __tcp_close+0x96b/0xff0 net/ipv4/tcp.c:3130 tcp_close+0x28/0x120 net/ipv4/tcp.c:3221 inet_release+0x13c/0x280 net/ipv4/af_inet.c:435 __sock_release net/socket.c:640 [inline] sock_release+0x8e/0x1d0 net/socket.c:668 smc_clcsock_release+0xb7/0xe0 net/smc/smc_close.c:34 __smc_release+0x5c2/0x880 net/smc/af_smc.c:301 smc_release+0x1fc/0x5f0 net/smc/af_smc.c:344 __sock_release+0xb0/0x270 net/socket.c:640 sock_close+0x1c/0x30 net/socket.c:1408 __fput+0x3f8/0xb60 fs/file_table.c:450 __fput_sync+0xa1/0xc0 fs/file_table.c:535 __do_sys_close fs/open.c:1550 [inline] __se_sys_close fs/open.c:1535 [inline] __x64_sys_close+0x86/0x100 fs/open.c:1535 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6814c9ae10 Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 80 3d b1 e2 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c RSP: 002b:00007fffb2389758 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6814c9ae10 RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 00000000000f4240 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000202 R12: 00007fffb23897b0 R13: 00000000000141c3 R14: 00007fffb238977c R15: 00007fffb2389790 </TASK> Fixes: 79636038d37e ("ipv4: tcp: give socket pointer to control skbs") Reported-by: syzbot+2d9f5f948c31dcb7745e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/6745e1a2.050a0220.1286eb.001c.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://patch.msgid.link/20241126145911.4187198-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2024-11-27T03:58:03Z Casey Schaufler casey@schaufler-ca.com 2024-11-26T18:21:20Z urn:sha1:a65d9d1d893b124917141bd8cdf0e0e47ff96438 The variable name "prop" is inadvertently used twice in ima_match_rules(), resulting in incorrect use of the local variable when the function parameter should have been. Rename the local variable and correct the use of the parameter. Suggested-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Roberto Sassu <roberto.sassu@huawei.com> [PM: subj tweak, Roberto's ACK] Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-11-27T03:21:06Z John Johansen john.johansen@canonical.com 2024-11-10T12:29:31Z urn:sha1:04b5f0a5bfee5a5886dc19296c90d9a6964275e4 the kernel test robot reports a C23 extension warning: label followed by a declaration is a C23 extension [-Wc23-extensions] 696 | struct aa_profile *new_profile = NULL; Instead of adding a null statement creating a C99 style inline var declaration lift the label declaration out of the block so that it no longer immediatedly follows the label. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202411101808.AI8YG6cs-lkp@intel.com/ Fixes: ee650b3820f3 ("apparmor: properly handle cx/px lookup failure for complain") Signed-off-by: John Johansen <john.johansen@canonical.com>