+++ /dev/null
-From 2889b7a13a41b8018ce6f8f40145b9430f95170e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 15 Nov 2024 15:22:02 +0800
-Subject: PCI/ASPM: Save parent L1SS config in pci_save_aspm_l1ss_state()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Jian-Hong Pan <jhp@endlessos.org>
-
-[ Upstream commit 1db806ec06b7c6e08e8af57088da067963ddf117 ]
-
-After 17423360a27a ("PCI/ASPM: Save L1 PM Substates Capability for
-suspend/resume"), pci_save_aspm_l1ss_state(dev) saves the L1SS state for
-"dev", and pci_restore_aspm_l1ss_state(dev) restores the state for both
-"dev" and its parent.
-
-The problem is that unless pci_save_state() has been used in some other
-path and has already saved the parent L1SS state, we will restore junk to
-the parent, which means the L1 Substates likely won't work correctly.
-
-Save the L1SS config for both the device and its parent in
-pci_save_aspm_l1ss_state(). When restoring, we need both because L1SS must
-be enabled at the parent (the Downstream Port) before being enabled at the
-child (the Upstream Port).
-
-Link: https://lore.kernel.org/r/20241115072200.37509-3-jhp@endlessos.org
-Fixes: 17423360a27a ("PCI/ASPM: Save L1 PM Substates Capability for suspend/resume")
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218394
-Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
-Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
-[bhelgaas: parallel save/restore structure, simplify commit log, patch at
-https://lore.kernel.org/r/20241212230340.GA3267194@bhelgaas]
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Tested-by: Jian-Hong Pan <jhp@endlessos.org> # Asus B1400CEAE
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/pci/pcie/aspm.c | 33 ++++++++++++++++++++++++++++-----
- 1 file changed, 28 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
-index cee2365e54b8b..9bbcfc91a491e 100644
---- a/drivers/pci/pcie/aspm.c
-+++ b/drivers/pci/pcie/aspm.c
-@@ -81,24 +81,47 @@ void pci_configure_aspm_l1ss(struct pci_dev *pdev)
-
- void pci_save_aspm_l1ss_state(struct pci_dev *pdev)
- {
-+ struct pci_dev *parent = pdev->bus->self;
- struct pci_cap_saved_state *save_state;
-- u16 l1ss = pdev->l1ss;
- u32 *cap;
-
-+ /*
-+ * If this is a Downstream Port, we never restore the L1SS state
-+ * directly; we only restore it when we restore the state of the
-+ * Upstream Port below it.
-+ */
-+ if (pcie_downstream_port(pdev) || !parent)
-+ return;
-+
-+ if (!pdev->l1ss || !parent->l1ss)
-+ return;
-+
- /*
- * Save L1 substate configuration. The ASPM L0s/L1 configuration
- * in PCI_EXP_LNKCTL_ASPMC is saved by pci_save_pcie_state().
- */
-- if (!l1ss)
-+ save_state = pci_find_saved_ext_cap(pdev, PCI_EXT_CAP_ID_L1SS);
-+ if (!save_state)
- return;
-
-- save_state = pci_find_saved_ext_cap(pdev, PCI_EXT_CAP_ID_L1SS);
-+ cap = &save_state->cap.data[0];
-+ pci_read_config_dword(pdev, pdev->l1ss + PCI_L1SS_CTL2, cap++);
-+ pci_read_config_dword(pdev, pdev->l1ss + PCI_L1SS_CTL1, cap++);
-+
-+ if (parent->state_saved)
-+ return;
-+
-+ /*
-+ * Save parent's L1 substate configuration so we have it for
-+ * pci_restore_aspm_l1ss_state(pdev) to restore.
-+ */
-+ save_state = pci_find_saved_ext_cap(parent, PCI_EXT_CAP_ID_L1SS);
- if (!save_state)
- return;
-
- cap = &save_state->cap.data[0];
-- pci_read_config_dword(pdev, l1ss + PCI_L1SS_CTL2, cap++);
-- pci_read_config_dword(pdev, l1ss + PCI_L1SS_CTL1, cap++);
-+ pci_read_config_dword(parent, parent->l1ss + PCI_L1SS_CTL2, cap++);
-+ pci_read_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, cap++);
- }
-
- void pci_restore_aspm_l1ss_state(struct pci_dev *pdev)
---
-2.39.5
-
media-rc-iguanair-handle-timeouts.patch
media-lmedm04-handle-errors-for-lme2510_int_read.patch
pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch
-pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch
remoteproc-mtk_scp-only-populate-devices-for-scp-cor.patch
media-marvell-add-check-for-clk_enable.patch
media-i2c-imx290-register-0x3011-varies-between-imx3.patch
pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch
bluetooth-btusb-mediatek-add-locks-for-usb_driver_cl.patch
bluetooth-btnxpuart-fix-glitches-seen-in-dual-a2dp-s.patch
-vsock-keep-the-binding-until-socket-destruction.patch
vsock-allow-retrying-on-connect-failure.patch
bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch
tcp-correct-handling-of-extreme-memory-squeeze.patch
memcg-fix-soft-lockup-in-the-oom-process.patch
loongarch-change-8-to-14-for-loongarch_max_-brp-wrp.patch
btrfs-do-proper-folio-cleanup-when-run_delalloc_nocow-failed.patch
+ethtool-ntuple-fix-rss-ring_cookie-check.patch
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- net/vmw_vsock/af_vsock.c | 5 +++++
+ net/vmw_vsock/af_vsock.c | 5 +++++
1 file changed, 5 insertions(+)
-diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
-index 98315d9d07528..ec4c1fbbcec74 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
-@@ -1523,6 +1523,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+@@ -1519,6 +1519,11 @@ static int vsock_connect(struct socket *
if (err < 0)
goto out;
/* Mark sock as connecting and set the error code to in
* progress in case this is a non-blocking connect.
*/
---
-2.39.5
-
+++ /dev/null
-From ee6855bca8cf3c6f172db6654df92ee8da388de3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 28 Jan 2025 14:15:27 +0100
-Subject: vsock: Keep the binding until socket destruction
-
-From: Michal Luczaj <mhal@rbox.co>
-
-[ Upstream commit fcdd2242c0231032fc84e1404315c245ae56322a ]
-
-Preserve sockets bindings; this includes both resulting from an explicit
-bind() and those implicitly bound through autobind during connect().
-
-Prevents socket unbinding during a transport reassignment, which fixes a
-use-after-free:
-
- 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
- 2. transport->release() calls vsock_remove_bound() without checking if
- sk was bound and moved to bound list (refcnt=1)
- 3. vsock_bind() assumes sk is in unbound list and before
- __vsock_insert_bound(vsock_bound_sockets()) calls
- __vsock_remove_bound() which does:
- list_del_init(&vsk->bound_table); // nop
- sock_put(&vsk->sk); // refcnt=0
-
-BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
-Read of size 4 at addr ffff88816b46a74c by task a.out/2057
- dump_stack_lvl+0x68/0x90
- print_report+0x174/0x4f6
- kasan_report+0xb9/0x190
- __vsock_bind+0x62e/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Allocated by task 2057:
- kasan_save_stack+0x1e/0x40
- kasan_save_track+0x10/0x30
- __kasan_slab_alloc+0x85/0x90
- kmem_cache_alloc_noprof+0x131/0x450
- sk_prot_alloc+0x5b/0x220
- sk_alloc+0x2c/0x870
- __vsock_create.constprop.0+0x2e/0xb60
- vsock_create+0xe4/0x420
- __sock_create+0x241/0x650
- __sys_socket+0xf2/0x1a0
- __x64_sys_socket+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Freed by task 2057:
- kasan_save_stack+0x1e/0x40
- kasan_save_track+0x10/0x30
- kasan_save_free_info+0x37/0x60
- __kasan_slab_free+0x4b/0x70
- kmem_cache_free+0x1a1/0x590
- __sk_destruct+0x388/0x5a0
- __vsock_bind+0x5e1/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-refcount_t: addition on 0; use-after-free.
-WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
-RIP: 0010:refcount_warn_saturate+0xce/0x150
- __vsock_bind+0x66d/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-refcount_t: underflow; use-after-free.
-WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
-RIP: 0010:refcount_warn_saturate+0xee/0x150
- vsock_remove_bound+0x187/0x1e0
- __vsock_release+0x383/0x4a0
- vsock_release+0x90/0x120
- __sock_release+0xa3/0x250
- sock_close+0x14/0x20
- __fput+0x359/0xa80
- task_work_run+0x107/0x1d0
- do_exit+0x847/0x2560
- do_group_exit+0xb8/0x250
- __x64_sys_exit_group+0x3a/0x50
- x64_sys_call+0xfec/0x14f0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
-Signed-off-by: Michal Luczaj <mhal@rbox.co>
-Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/vmw_vsock/af_vsock.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
-index 15724f171b0f9..98315d9d07528 100644
---- a/net/vmw_vsock/af_vsock.c
-+++ b/net/vmw_vsock/af_vsock.c
-@@ -337,7 +337,10 @@ EXPORT_SYMBOL_GPL(vsock_find_connected_socket);
-
- void vsock_remove_sock(struct vsock_sock *vsk)
- {
-- vsock_remove_bound(vsk);
-+ /* Transport reassignment must not remove the binding. */
-+ if (sock_flag(sk_vsock(vsk), SOCK_DEAD))
-+ vsock_remove_bound(vsk);
-+
- vsock_remove_connected(vsk);
- }
- EXPORT_SYMBOL_GPL(vsock_remove_sock);
-@@ -821,12 +824,13 @@ static void __vsock_release(struct sock *sk, int level)
- */
- lock_sock_nested(sk, level);
-
-+ sock_orphan(sk);
-+
- if (vsk->transport)
- vsk->transport->release(vsk);
- else if (sock_type_connectible(sk->sk_type))
- vsock_remove_sock(vsk);
-
-- sock_orphan(sk);
- sk->sk_shutdown = SHUTDOWN_MASK;
-
- skb_queue_purge(&sk->sk_receive_queue);
---
-2.39.5
-
+++ /dev/null
-From 9da96935990a075ec77d87a7306446f6107bbf50 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 15 Nov 2024 15:22:02 +0800
-Subject: PCI/ASPM: Save parent L1SS config in pci_save_aspm_l1ss_state()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Jian-Hong Pan <jhp@endlessos.org>
-
-[ Upstream commit 1db806ec06b7c6e08e8af57088da067963ddf117 ]
-
-After 17423360a27a ("PCI/ASPM: Save L1 PM Substates Capability for
-suspend/resume"), pci_save_aspm_l1ss_state(dev) saves the L1SS state for
-"dev", and pci_restore_aspm_l1ss_state(dev) restores the state for both
-"dev" and its parent.
-
-The problem is that unless pci_save_state() has been used in some other
-path and has already saved the parent L1SS state, we will restore junk to
-the parent, which means the L1 Substates likely won't work correctly.
-
-Save the L1SS config for both the device and its parent in
-pci_save_aspm_l1ss_state(). When restoring, we need both because L1SS must
-be enabled at the parent (the Downstream Port) before being enabled at the
-child (the Upstream Port).
-
-Link: https://lore.kernel.org/r/20241115072200.37509-3-jhp@endlessos.org
-Fixes: 17423360a27a ("PCI/ASPM: Save L1 PM Substates Capability for suspend/resume")
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218394
-Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
-Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
-[bhelgaas: parallel save/restore structure, simplify commit log, patch at
-https://lore.kernel.org/r/20241212230340.GA3267194@bhelgaas]
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Tested-by: Jian-Hong Pan <jhp@endlessos.org> # Asus B1400CEAE
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/pci/pcie/aspm.c | 33 ++++++++++++++++++++++++++++-----
- 1 file changed, 28 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
-index 28567d457613b..e0bc90597dcad 100644
---- a/drivers/pci/pcie/aspm.c
-+++ b/drivers/pci/pcie/aspm.c
-@@ -81,24 +81,47 @@ void pci_configure_aspm_l1ss(struct pci_dev *pdev)
-
- void pci_save_aspm_l1ss_state(struct pci_dev *pdev)
- {
-+ struct pci_dev *parent = pdev->bus->self;
- struct pci_cap_saved_state *save_state;
-- u16 l1ss = pdev->l1ss;
- u32 *cap;
-
-+ /*
-+ * If this is a Downstream Port, we never restore the L1SS state
-+ * directly; we only restore it when we restore the state of the
-+ * Upstream Port below it.
-+ */
-+ if (pcie_downstream_port(pdev) || !parent)
-+ return;
-+
-+ if (!pdev->l1ss || !parent->l1ss)
-+ return;
-+
- /*
- * Save L1 substate configuration. The ASPM L0s/L1 configuration
- * in PCI_EXP_LNKCTL_ASPMC is saved by pci_save_pcie_state().
- */
-- if (!l1ss)
-+ save_state = pci_find_saved_ext_cap(pdev, PCI_EXT_CAP_ID_L1SS);
-+ if (!save_state)
- return;
-
-- save_state = pci_find_saved_ext_cap(pdev, PCI_EXT_CAP_ID_L1SS);
-+ cap = &save_state->cap.data[0];
-+ pci_read_config_dword(pdev, pdev->l1ss + PCI_L1SS_CTL2, cap++);
-+ pci_read_config_dword(pdev, pdev->l1ss + PCI_L1SS_CTL1, cap++);
-+
-+ if (parent->state_saved)
-+ return;
-+
-+ /*
-+ * Save parent's L1 substate configuration so we have it for
-+ * pci_restore_aspm_l1ss_state(pdev) to restore.
-+ */
-+ save_state = pci_find_saved_ext_cap(parent, PCI_EXT_CAP_ID_L1SS);
- if (!save_state)
- return;
-
- cap = &save_state->cap.data[0];
-- pci_read_config_dword(pdev, l1ss + PCI_L1SS_CTL2, cap++);
-- pci_read_config_dword(pdev, l1ss + PCI_L1SS_CTL1, cap++);
-+ pci_read_config_dword(parent, parent->l1ss + PCI_L1SS_CTL2, cap++);
-+ pci_read_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, cap++);
- }
-
- void pci_restore_aspm_l1ss_state(struct pci_dev *pdev)
---
-2.39.5
-
media-rc-iguanair-handle-timeouts.patch
media-lmedm04-handle-errors-for-lme2510_int_read.patch
pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch
-pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch
remoteproc-mtk_scp-only-populate-devices-for-scp-cor.patch
media-marvell-add-check-for-clk_enable.patch
media-i2c-imx290-register-0x3011-varies-between-imx3.patch
pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch
bluetooth-btusb-mediatek-add-locks-for-usb_driver_cl.patch
bluetooth-btnxpuart-fix-glitches-seen-in-dual-a2dp-s.patch
-vsock-keep-the-binding-until-socket-destruction.patch
vsock-allow-retrying-on-connect-failure.patch
bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch
tcp-correct-handling-of-extreme-memory-squeeze.patch
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- net/vmw_vsock/af_vsock.c | 5 +++++
+ net/vmw_vsock/af_vsock.c | 5 +++++
1 file changed, 5 insertions(+)
-diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
-index cfe18bc8fdbe7..075695173648d 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
-@@ -1523,6 +1523,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+@@ -1519,6 +1519,11 @@ static int vsock_connect(struct socket *
if (err < 0)
goto out;
/* Mark sock as connecting and set the error code to in
* progress in case this is a non-blocking connect.
*/
---
-2.39.5
-
+++ /dev/null
-From 064221b50fd03a2a51e93e7d946a2efd486879fd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 28 Jan 2025 14:15:27 +0100
-Subject: vsock: Keep the binding until socket destruction
-
-From: Michal Luczaj <mhal@rbox.co>
-
-[ Upstream commit fcdd2242c0231032fc84e1404315c245ae56322a ]
-
-Preserve sockets bindings; this includes both resulting from an explicit
-bind() and those implicitly bound through autobind during connect().
-
-Prevents socket unbinding during a transport reassignment, which fixes a
-use-after-free:
-
- 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
- 2. transport->release() calls vsock_remove_bound() without checking if
- sk was bound and moved to bound list (refcnt=1)
- 3. vsock_bind() assumes sk is in unbound list and before
- __vsock_insert_bound(vsock_bound_sockets()) calls
- __vsock_remove_bound() which does:
- list_del_init(&vsk->bound_table); // nop
- sock_put(&vsk->sk); // refcnt=0
-
-BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
-Read of size 4 at addr ffff88816b46a74c by task a.out/2057
- dump_stack_lvl+0x68/0x90
- print_report+0x174/0x4f6
- kasan_report+0xb9/0x190
- __vsock_bind+0x62e/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Allocated by task 2057:
- kasan_save_stack+0x1e/0x40
- kasan_save_track+0x10/0x30
- __kasan_slab_alloc+0x85/0x90
- kmem_cache_alloc_noprof+0x131/0x450
- sk_prot_alloc+0x5b/0x220
- sk_alloc+0x2c/0x870
- __vsock_create.constprop.0+0x2e/0xb60
- vsock_create+0xe4/0x420
- __sock_create+0x241/0x650
- __sys_socket+0xf2/0x1a0
- __x64_sys_socket+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Freed by task 2057:
- kasan_save_stack+0x1e/0x40
- kasan_save_track+0x10/0x30
- kasan_save_free_info+0x37/0x60
- __kasan_slab_free+0x4b/0x70
- kmem_cache_free+0x1a1/0x590
- __sk_destruct+0x388/0x5a0
- __vsock_bind+0x5e1/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-refcount_t: addition on 0; use-after-free.
-WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
-RIP: 0010:refcount_warn_saturate+0xce/0x150
- __vsock_bind+0x66d/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-refcount_t: underflow; use-after-free.
-WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
-RIP: 0010:refcount_warn_saturate+0xee/0x150
- vsock_remove_bound+0x187/0x1e0
- __vsock_release+0x383/0x4a0
- vsock_release+0x90/0x120
- __sock_release+0xa3/0x250
- sock_close+0x14/0x20
- __fput+0x359/0xa80
- task_work_run+0x107/0x1d0
- do_exit+0x847/0x2560
- do_group_exit+0xb8/0x250
- __x64_sys_exit_group+0x3a/0x50
- x64_sys_call+0xfec/0x14f0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
-Signed-off-by: Michal Luczaj <mhal@rbox.co>
-Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/vmw_vsock/af_vsock.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
-index fa9d1b49599bf..cfe18bc8fdbe7 100644
---- a/net/vmw_vsock/af_vsock.c
-+++ b/net/vmw_vsock/af_vsock.c
-@@ -337,7 +337,10 @@ EXPORT_SYMBOL_GPL(vsock_find_connected_socket);
-
- void vsock_remove_sock(struct vsock_sock *vsk)
- {
-- vsock_remove_bound(vsk);
-+ /* Transport reassignment must not remove the binding. */
-+ if (sock_flag(sk_vsock(vsk), SOCK_DEAD))
-+ vsock_remove_bound(vsk);
-+
- vsock_remove_connected(vsk);
- }
- EXPORT_SYMBOL_GPL(vsock_remove_sock);
-@@ -821,12 +824,13 @@ static void __vsock_release(struct sock *sk, int level)
- */
- lock_sock_nested(sk, level);
-
-+ sock_orphan(sk);
-+
- if (vsk->transport)
- vsk->transport->release(vsk);
- else if (sock_type_connectible(sk->sk_type))
- vsock_remove_sock(vsk);
-
-- sock_orphan(sk);
- sk->sk_shutdown = SHUTDOWN_MASK;
-
- skb_queue_purge(&sk->sk_receive_queue);
---
-2.39.5
-
pm-sleep-use-bool-for-all-1-bit-fields-in-struct-dev.patch
pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch
bluetooth-btnxpuart-fix-glitches-seen-in-dual-a2dp-s.patch
-vsock-keep-the-binding-until-socket-destruction.patch
vsock-allow-retrying-on-connect-failure.patch
bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch
tcp-correct-handling-of-extreme-memory-squeeze.patch
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- net/vmw_vsock/af_vsock.c | 5 +++++
+ net/vmw_vsock/af_vsock.c | 5 +++++
1 file changed, 5 insertions(+)
-diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
-index ea857ed57d046..df7d95b404d99 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
-@@ -1457,6 +1457,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+@@ -1453,6 +1453,11 @@ static int vsock_connect(struct socket *
if (err < 0)
goto out;
/* Mark sock as connecting and set the error code to in
* progress in case this is a non-blocking connect.
*/
---
-2.39.5
-
+++ /dev/null
-From 41cc051e6272bcd02bad6ded24968eee5f7d65a5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 28 Jan 2025 14:15:27 +0100
-Subject: vsock: Keep the binding until socket destruction
-
-From: Michal Luczaj <mhal@rbox.co>
-
-[ Upstream commit fcdd2242c0231032fc84e1404315c245ae56322a ]
-
-Preserve sockets bindings; this includes both resulting from an explicit
-bind() and those implicitly bound through autobind during connect().
-
-Prevents socket unbinding during a transport reassignment, which fixes a
-use-after-free:
-
- 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
- 2. transport->release() calls vsock_remove_bound() without checking if
- sk was bound and moved to bound list (refcnt=1)
- 3. vsock_bind() assumes sk is in unbound list and before
- __vsock_insert_bound(vsock_bound_sockets()) calls
- __vsock_remove_bound() which does:
- list_del_init(&vsk->bound_table); // nop
- sock_put(&vsk->sk); // refcnt=0
-
-BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
-Read of size 4 at addr ffff88816b46a74c by task a.out/2057
- dump_stack_lvl+0x68/0x90
- print_report+0x174/0x4f6
- kasan_report+0xb9/0x190
- __vsock_bind+0x62e/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Allocated by task 2057:
- kasan_save_stack+0x1e/0x40
- kasan_save_track+0x10/0x30
- __kasan_slab_alloc+0x85/0x90
- kmem_cache_alloc_noprof+0x131/0x450
- sk_prot_alloc+0x5b/0x220
- sk_alloc+0x2c/0x870
- __vsock_create.constprop.0+0x2e/0xb60
- vsock_create+0xe4/0x420
- __sock_create+0x241/0x650
- __sys_socket+0xf2/0x1a0
- __x64_sys_socket+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Freed by task 2057:
- kasan_save_stack+0x1e/0x40
- kasan_save_track+0x10/0x30
- kasan_save_free_info+0x37/0x60
- __kasan_slab_free+0x4b/0x70
- kmem_cache_free+0x1a1/0x590
- __sk_destruct+0x388/0x5a0
- __vsock_bind+0x5e1/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-refcount_t: addition on 0; use-after-free.
-WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
-RIP: 0010:refcount_warn_saturate+0xce/0x150
- __vsock_bind+0x66d/0x730
- vsock_bind+0x97/0xe0
- __sys_bind+0x154/0x1f0
- __x64_sys_bind+0x6e/0xb0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-refcount_t: underflow; use-after-free.
-WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
-RIP: 0010:refcount_warn_saturate+0xee/0x150
- vsock_remove_bound+0x187/0x1e0
- __vsock_release+0x383/0x4a0
- vsock_release+0x90/0x120
- __sock_release+0xa3/0x250
- sock_close+0x14/0x20
- __fput+0x359/0xa80
- task_work_run+0x107/0x1d0
- do_exit+0x847/0x2560
- do_group_exit+0xb8/0x250
- __x64_sys_exit_group+0x3a/0x50
- x64_sys_call+0xfec/0x14f0
- do_syscall_64+0x93/0x1b0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
-Signed-off-by: Michal Luczaj <mhal@rbox.co>
-Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/vmw_vsock/af_vsock.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
-index 2050d888df2ae..ea857ed57d046 100644
---- a/net/vmw_vsock/af_vsock.c
-+++ b/net/vmw_vsock/af_vsock.c
-@@ -336,7 +336,10 @@ EXPORT_SYMBOL_GPL(vsock_find_connected_socket);
-
- void vsock_remove_sock(struct vsock_sock *vsk)
- {
-- vsock_remove_bound(vsk);
-+ /* Transport reassignment must not remove the binding. */
-+ if (sock_flag(sk_vsock(vsk), SOCK_DEAD))
-+ vsock_remove_bound(vsk);
-+
- vsock_remove_connected(vsk);
- }
- EXPORT_SYMBOL_GPL(vsock_remove_sock);
-@@ -820,12 +823,13 @@ static void __vsock_release(struct sock *sk, int level)
- */
- lock_sock_nested(sk, level);
-
-+ sock_orphan(sk);
-+
- if (vsk->transport)
- vsk->transport->release(vsk);
- else if (sock_type_connectible(sk->sk_type))
- vsock_remove_sock(vsk);
-
-- sock_orphan(sk);
- sk->sk_shutdown = SHUTDOWN_MASK;
-
- skb_queue_purge(&sk->sk_receive_queue);
---
-2.39.5
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
