--- /dev/null
+From 031ae72825cef43e4650140b800ad58bf7a6a466 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 4 Sep 2024 14:44:18 +0000
+Subject: ila: call nf_unregister_net_hooks() sooner
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 031ae72825cef43e4650140b800ad58bf7a6a466 upstream.
+
+syzbot found an use-after-free Read in ila_nf_input [1]
+
+Issue here is that ila_xlat_exit_net() frees the rhashtable,
+then call nf_unregister_net_hooks().
+
+It should be done in the reverse way, with a synchronize_rcu().
+
+This is a good match for a pre_exit() method.
+
+[1]
+ BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
+ BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
+ BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
+ BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
+Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16
+
+CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ rht_key_hashfn include/linux/rhashtable.h:159 [inline]
+ __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
+ rhashtable_lookup include/linux/rhashtable.h:646 [inline]
+ rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
+ ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
+ ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
+ ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775
+ process_backlog+0x662/0x15b0 net/core/dev.c:6108
+ __napi_poll+0xcb/0x490 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0x89b/0x1240 net/core/dev.c:6963
+ handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
+ run_ksoftirqd+0xca/0x130 kernel/softirq.c:928
+ smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+The buggy address belongs to the physical page:
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620
+flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
+page_type: 0xbfffffff(buddy)
+raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000
+raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as freed
+page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
+ prep_new_page mm/page_alloc.c:1501 [inline]
+ get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439
+ __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695
+ __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
+ alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
+ ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103
+ __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130
+ __do_kmalloc_node mm/slub.c:4146 [inline]
+ __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164
+ __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650
+ bucket_table_alloc lib/rhashtable.c:186 [inline]
+ rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071
+ ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613
+ ops_init+0x359/0x610 net/core/net_namespace.c:139
+ setup_net+0x515/0xca0 net/core/net_namespace.c:343
+ copy_net_ns+0x4e2/0x7b0 net/core/net_namespace.c:508
+ create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
+ unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
+ ksys_unshare+0x619/0xc10 kernel/fork.c:3328
+ __do_sys_unshare kernel/fork.c:3399 [inline]
+ __se_sys_unshare kernel/fork.c:3397 [inline]
+ __x64_sys_unshare+0x38/0x40 kernel/fork.c:3397
+page last free pid 11846 tgid 11846 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1094 [inline]
+ free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612
+ __folio_put+0x2c8/0x440 mm/swap.c:128
+ folio_put include/linux/mm.h:1486 [inline]
+ free_large_kmalloc+0x105/0x1c0 mm/slub.c:4565
+ kfree+0x1c4/0x360 mm/slub.c:4588
+ rhashtable_free_and_destroy+0x7c6/0x920 lib/rhashtable.c:1169
+ ila_xlat_exit_net+0x55/0x110 net/ipv6/ila/ila_xlat.c:626
+ ops_exit_list net/core/net_namespace.c:173 [inline]
+ cleanup_net+0x802/0xcc0 net/core/net_namespace.c:640
+ process_one_work kernel/workqueue.c:3231 [inline]
+ process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
+ worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+Memory state around the buggy address:
+ ffff88806461ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88806461ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff888064620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ ffff888064620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888064620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Tom Herbert <tom@herbertland.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Link: https://patch.msgid.link/20240904144418.1162839-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ila/ila.h | 1 +
+ net/ipv6/ila/ila_main.c | 6 ++++++
+ net/ipv6/ila/ila_xlat.c | 13 +++++++++----
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ila/ila.h
++++ b/net/ipv6/ila/ila.h
+@@ -108,6 +108,7 @@ int ila_lwt_init(void);
+ void ila_lwt_fini(void);
+
+ int ila_xlat_init_net(struct net *net);
++void ila_xlat_pre_exit_net(struct net *net);
+ void ila_xlat_exit_net(struct net *net);
+
+ int ila_xlat_nl_cmd_add_mapping(struct sk_buff *skb, struct genl_info *info);
+--- a/net/ipv6/ila/ila_main.c
++++ b/net/ipv6/ila/ila_main.c
+@@ -71,6 +71,11 @@ ila_xlat_init_fail:
+ return err;
+ }
+
++static __net_exit void ila_pre_exit_net(struct net *net)
++{
++ ila_xlat_pre_exit_net(net);
++}
++
+ static __net_exit void ila_exit_net(struct net *net)
+ {
+ ila_xlat_exit_net(net);
+@@ -78,6 +83,7 @@ static __net_exit void ila_exit_net(stru
+
+ static struct pernet_operations ila_net_ops = {
+ .init = ila_init_net,
++ .pre_exit = ila_pre_exit_net,
+ .exit = ila_exit_net,
+ .id = &ila_net_id,
+ .size = sizeof(struct ila_net),
+--- a/net/ipv6/ila/ila_xlat.c
++++ b/net/ipv6/ila/ila_xlat.c
+@@ -616,6 +616,15 @@ int ila_xlat_init_net(struct net *net)
+ return 0;
+ }
+
++void ila_xlat_pre_exit_net(struct net *net)
++{
++ struct ila_net *ilan = net_generic(net, ila_net_id);
++
++ if (ilan->xlat.hooks_registered)
++ nf_unregister_net_hooks(net, ila_nf_hook_ops,
++ ARRAY_SIZE(ila_nf_hook_ops));
++}
++
+ void ila_xlat_exit_net(struct net *net)
+ {
+ struct ila_net *ilan = net_generic(net, ila_net_id);
+@@ -623,10 +632,6 @@ void ila_xlat_exit_net(struct net *net)
+ rhashtable_free_and_destroy(&ilan->xlat.rhash_table, ila_free_cb, NULL);
+
+ free_bucket_spinlocks(ilan->xlat.locks);
+-
+- if (ilan->xlat.hooks_registered)
+- nf_unregister_net_hooks(net, ila_nf_hook_ops,
+- ARRAY_SIZE(ila_nf_hook_ops));
+ }
+
+ static int ila_xlat_addr(struct sk_buff *skb, bool sir2ila)
--- /dev/null
+From 5787fcaab9eb5930f5378d6a1dd03d916d146622 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Sat, 10 Aug 2024 15:52:42 +0900
+Subject: nilfs2: fix missing cleanup on rollforward recovery error
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 5787fcaab9eb5930f5378d6a1dd03d916d146622 upstream.
+
+In an error injection test of a routine for mount-time recovery, KASAN
+found a use-after-free bug.
+
+It turned out that if data recovery was performed using partial logs
+created by dsync writes, but an error occurred before starting the log
+writer to create a recovered checkpoint, the inodes whose data had been
+recovered were left in the ns_dirty_files list of the nilfs object and
+were not freed.
+
+Fix this issue by cleaning up inodes that have read the recovery data if
+the recovery routine fails midway before the log writer starts.
+
+Link: https://lkml.kernel.org/r/20240810065242.3701-1-konishi.ryusuke@gmail.com
+Fixes: 0f3e1c7f23f8 ("nilfs2: recovery functions")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/recovery.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/recovery.c
++++ b/fs/nilfs2/recovery.c
+@@ -709,6 +709,33 @@ static void nilfs_finish_roll_forward(st
+ }
+
+ /**
++ * nilfs_abort_roll_forward - cleaning up after a failed rollforward recovery
++ * @nilfs: nilfs object
++ */
++static void nilfs_abort_roll_forward(struct the_nilfs *nilfs)
++{
++ struct nilfs_inode_info *ii, *n;
++ LIST_HEAD(head);
++
++ /* Abandon inodes that have read recovery data */
++ spin_lock(&nilfs->ns_inode_lock);
++ list_splice_init(&nilfs->ns_dirty_files, &head);
++ spin_unlock(&nilfs->ns_inode_lock);
++ if (list_empty(&head))
++ return;
++
++ set_nilfs_purging(nilfs);
++ list_for_each_entry_safe(ii, n, &head, i_dirty) {
++ spin_lock(&nilfs->ns_inode_lock);
++ list_del_init(&ii->i_dirty);
++ spin_unlock(&nilfs->ns_inode_lock);
++
++ iput(&ii->vfs_inode);
++ }
++ clear_nilfs_purging(nilfs);
++}
++
++/**
+ * nilfs_salvage_orphan_logs - salvage logs written after the latest checkpoint
+ * @nilfs: nilfs object
+ * @sb: super block instance
+@@ -766,15 +793,19 @@ int nilfs_salvage_orphan_logs(struct the
+ if (unlikely(err)) {
+ nilfs_err(sb, "error %d writing segment for recovery",
+ err);
+- goto failed;
++ goto put_root;
+ }
+
+ nilfs_finish_roll_forward(nilfs, ri);
+ }
+
+- failed:
++put_root:
+ nilfs_put_root(root);
+ return err;
++
++failed:
++ nilfs_abort_roll_forward(nilfs);
++ goto put_root;
+ }
+
+ /**
--- /dev/null
+From 6576dd6695f2afca3f4954029ac4a64f82ba60ab Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Wed, 14 Aug 2024 19:11:19 +0900
+Subject: nilfs2: fix state management in error path of log writing function
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 6576dd6695f2afca3f4954029ac4a64f82ba60ab upstream.
+
+After commit a694291a6211 ("nilfs2: separate wait function from
+nilfs_segctor_write") was applied, the log writing function
+nilfs_segctor_do_construct() was able to issue I/O requests continuously
+even if user data blocks were split into multiple logs across segments,
+but two potential flaws were introduced in its error handling.
+
+First, if nilfs_segctor_begin_construction() fails while creating the
+second or subsequent logs, the log writing function returns without
+calling nilfs_segctor_abort_construction(), so the writeback flag set on
+pages/folios will remain uncleared. This causes page cache operations to
+hang waiting for the writeback flag. For example,
+truncate_inode_pages_final(), which is called via nilfs_evict_inode() when
+an inode is evicted from memory, will hang.
+
+Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared.
+As a result, if the next log write involves checkpoint creation, that's
+fine, but if a partial log write is performed that does not, inodes with
+NILFS_I_COLLECTED set are erroneously removed from the "sc_dirty_files"
+list, and their data and b-tree blocks may not be written to the device,
+corrupting the block mapping.
+
+Fix these issues by uniformly calling nilfs_segctor_abort_construction()
+on failure of each step in the loop in nilfs_segctor_do_construct(),
+having it clean up logs and segment usages according to progress, and
+correcting the conditions for calling nilfs_redirty_inodes() to ensure
+that the NILFS_I_COLLECTED flag is cleared.
+
+Link: https://lkml.kernel.org/r/20240814101119.4070-1-konishi.ryusuke@gmail.com
+Fixes: a694291a6211 ("nilfs2: separate wait function from nilfs_segctor_write")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/segment.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -1833,6 +1833,9 @@ static void nilfs_segctor_abort_construc
+ nilfs_abort_logs(&logs, ret ? : err);
+
+ list_splice_tail_init(&sci->sc_segbufs, &logs);
++ if (list_empty(&logs))
++ return; /* if the first segment buffer preparation failed */
++
+ nilfs_cancel_segusage(&logs, nilfs->ns_sufile);
+ nilfs_free_incomplete_logs(&logs, nilfs);
+
+@@ -2077,7 +2080,7 @@ static int nilfs_segctor_do_construct(st
+
+ err = nilfs_segctor_begin_construction(sci, nilfs);
+ if (unlikely(err))
+- goto out;
++ goto failed;
+
+ /* Update time stamp */
+ sci->sc_seg_ctime = ktime_get_real_seconds();
+@@ -2140,10 +2143,9 @@ static int nilfs_segctor_do_construct(st
+ return err;
+
+ failed_to_write:
+- if (sci->sc_stage.flags & NILFS_CF_IFILE_STARTED)
+- nilfs_redirty_inodes(&sci->sc_dirty_files);
+-
+ failed:
++ if (mode == SC_LSEG_SR && nilfs_sc_cstage_get(sci) >= NILFS_ST_IFILE)
++ nilfs_redirty_inodes(&sci->sc_dirty_files);
+ if (nilfs_doing_gc())
+ nilfs_redirty_inodes(&sci->sc_gc_inodes);
+ nilfs_segctor_abort_construction(sci, nilfs, err);
--- /dev/null
+From 546ea84d07e3e324644025e2aae2d12ea4c5896e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
+Date: Tue, 3 Sep 2024 18:08:45 +0200
+Subject: sched: sch_cake: fix bulk flow accounting logic for host fairness
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+commit 546ea84d07e3e324644025e2aae2d12ea4c5896e upstream.
+
+In sch_cake, we keep track of the count of active bulk flows per host,
+when running in dst/src host fairness mode, which is used as the
+round-robin weight when iterating through flows. The count of active
+bulk flows is updated whenever a flow changes state.
+
+This has a peculiar interaction with the hash collision handling: when a
+hash collision occurs (after the set-associative hashing), the state of
+the hash bucket is simply updated to match the new packet that collided,
+and if host fairness is enabled, that also means assigning new per-host
+state to the flow. For this reason, the bulk flow counters of the
+host(s) assigned to the flow are decremented, before new state is
+assigned (and the counters, which may not belong to the same host
+anymore, are incremented again).
+
+Back when this code was introduced, the host fairness mode was always
+enabled, so the decrement was unconditional. When the configuration
+flags were introduced the *increment* was made conditional, but
+the *decrement* was not. Which of course can lead to a spurious
+decrement (and associated wrap-around to U16_MAX).
+
+AFAICT, when host fairness is disabled, the decrement and wrap-around
+happens as soon as a hash collision occurs (which is not that common in
+itself, due to the set-associative hashing). However, in most cases this
+is harmless, as the value is only used when host fairness mode is
+enabled. So in order to trigger an array overflow, sch_cake has to first
+be configured with host fairness disabled, and while running in this
+mode, a hash collision has to occur to cause the overflow. Then, the
+qdisc has to be reconfigured to enable host fairness, which leads to the
+array out-of-bounds because the wrapped-around value is retained and
+used as an array index. It seems that syzbot managed to trigger this,
+which is quite impressive in its own right.
+
+This patch fixes the issue by introducing the same conditional check on
+decrement as is used on increment.
+
+The original bug predates the upstreaming of cake, but the commit listed
+in the Fixes tag touched that code, meaning that this patch won't apply
+before that.
+
+Fixes: 712639929912 ("sch_cake: Make the dual modes fairer")
+Reported-by: syzbot+7fe7b81d602cc1e6b94d@syzkaller.appspotmail.com
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://patch.msgid.link/20240903160846.20909-1-toke@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cake.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -785,12 +785,15 @@ skip_hash:
+ * queue, accept the collision, update the host tags.
+ */
+ q->way_collisions++;
+- if (q->flows[outer_hash + k].set == CAKE_SET_BULK) {
+- q->hosts[q->flows[reduced_hash].srchost].srchost_bulk_flow_count--;
+- q->hosts[q->flows[reduced_hash].dsthost].dsthost_bulk_flow_count--;
+- }
+ allocate_src = cake_dsrc(flow_mode);
+ allocate_dst = cake_ddst(flow_mode);
++
++ if (q->flows[outer_hash + k].set == CAKE_SET_BULK) {
++ if (allocate_src)
++ q->hosts[q->flows[reduced_hash].srchost].srchost_bulk_flow_count--;
++ if (allocate_dst)
++ q->hosts[q->flows[reduced_hash].dsthost].dsthost_bulk_flow_count--;
++ }
+ found:
+ /* reserve queue for future packets in same flow */
+ reduced_hash = outer_hash + k;
clk-qcom-clk-alpha-pll-update-set_rate-for-zonda-pll.patch
can-mcp251x-fix-deadlock-if-an-interrupt-occurs-during-mcp251x_open.patch
tracing-avoid-possible-softlockup-in-tracing_iter_reset.patch
+tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch
+ila-call-nf_unregister_net_hooks-sooner.patch
+sched-sch_cake-fix-bulk-flow-accounting-logic-for-host-fairness.patch
+nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch
+nilfs2-fix-state-management-in-error-path-of-log-writing-function.patch
--- /dev/null
+From fe1910f9337bd46a9343967b547ccab26b4b2c6e Mon Sep 17 00:00:00 2001
+From: Cong Wang <cong.wang@bytedance.com>
+Date: Tue, 20 Aug 2024 20:07:44 -0700
+Subject: tcp_bpf: fix return value of tcp_bpf_sendmsg()
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+commit fe1910f9337bd46a9343967b547ccab26b4b2c6e upstream.
+
+When we cork messages in psock->cork, the last message triggers the
+flushing will result in sending a sk_msg larger than the current
+message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes
+negative at least in the following case:
+
+468 case __SK_DROP:
+469 default:
+470 sk_msg_free_partial(sk, msg, tosend);
+471 sk_msg_apply_bytes(psock, tosend);
+472 *copied -= (tosend + delta); // <==== HERE
+473 return -EACCES;
+
+Therefore, it could lead to the following BUG with a proper value of
+'copied' (thanks to syzbot). We should not use negative 'copied' as a
+return value here.
+
+ ------------[ cut here ]------------
+ kernel BUG at net/socket.c:733!
+ Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+ Modules linked in:
+ CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0
+ Hardware name: linux,dummy-virt (DT)
+ pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+ pc : sock_sendmsg_nosec net/socket.c:733 [inline]
+ pc : sock_sendmsg_nosec net/socket.c:728 [inline]
+ pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745
+ lr : sock_sendmsg_nosec net/socket.c:730 [inline]
+ lr : __sock_sendmsg+0x54/0x60 net/socket.c:745
+ sp : ffff800088ea3b30
+ x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000
+ x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000
+ x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90
+ x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001
+ x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf
+ x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0
+ x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000
+ x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900
+ x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef
+ Call trace:
+ sock_sendmsg_nosec net/socket.c:733 [inline]
+ __sock_sendmsg+0x5c/0x60 net/socket.c:745
+ ____sys_sendmsg+0x274/0x2ac net/socket.c:2597
+ ___sys_sendmsg+0xac/0x100 net/socket.c:2651
+ __sys_sendmsg+0x84/0xe0 net/socket.c:2680
+ __do_sys_sendmsg net/socket.c:2689 [inline]
+ __se_sys_sendmsg net/socket.c:2687 [inline]
+ __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
+ el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
+ el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
+ el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
+ Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)
+ ---[ end trace 0000000000000000 ]---
+
+Fixes: 4f738adba30a ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
+Reported-by: syzbot+58c03971700330ce14d8@syzkaller.appspotmail.com
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20240821030744.320934-1-xiyou.wangcong@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -581,7 +581,7 @@ static int tcp_bpf_sendpage(struct sock
+ out_err:
+ release_sock(sk);
+ sk_psock_put(sk, psock);
+- return copied ? copied : err;
++ return copied > 0 ? copied : err;
+ }
+
+ enum {
projects / thirdparty / kernel / stable-queue.git / commitdiff
