--- /dev/null
+From ff91059932401894e6c86341915615c5eb0eca48 Mon Sep 17 00:00:00 2001
+From: Jakub Sitnicki <jakub@cloudflare.com>
+Date: Tue, 2 Apr 2024 12:46:21 +0200
+Subject: bpf, sockmap: Prevent lock inversion deadlock in map delete elem
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+commit ff91059932401894e6c86341915615c5eb0eca48 upstream.
+
+syzkaller started using corpuses where a BPF tracing program deletes
+elements from a sockmap/sockhash map. Because BPF tracing programs can be
+invoked from any interrupt context, locks taken during a map_delete_elem
+operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
+is possible, as reported by lockdep:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&htab->buckets[i].lock);
+ local_irq_disable();
+ lock(&host->lock);
+ lock(&htab->buckets[i].lock);
+ <Interrupt>
+ lock(&host->lock);
+
+Locks in sockmap are hardirq-unsafe by design. We expects elements to be
+deleted from sockmap/sockhash only in task (normal) context with interrupts
+enabled, or in softirq context.
+
+Detect when map_delete_elem operation is invoked from a context which is
+_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
+error.
+
+Note that map updates are not affected by this issue. BPF verifier does not
+allow updating sockmap/sockhash from a BPF tracing program today.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Reported-by: xingwei lee <xrivendell7@gmail.com>
+Reported-by: yue sun <samsun1006219@gmail.com>
+Reported-by: syzbot+bc922f476bd65abbd466@syzkaller.appspotmail.com
+Reported-by: syzbot+d4066896495db380182e@syzkaller.appspotmail.com
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: syzbot+d4066896495db380182e@syzkaller.appspotmail.com
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=d4066896495db380182e
+Closes: https://syzkaller.appspot.com/bug?extid=bc922f476bd65abbd466
+Link: https://lore.kernel.org/bpf/20240402104621.1050319-1-jakub@cloudflare.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_map.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -422,6 +422,9 @@ static int __sock_map_delete(struct bpf_
+ struct sock *sk;
+ int err = 0;
+
++ if (irqs_disabled())
++ return -EOPNOTSUPP; /* locks here are hardirq-unsafe */
++
+ raw_spin_lock_bh(&stab->lock);
+ sk = *psk;
+ if (!sk_test || sk_test == sk)
+@@ -955,6 +958,9 @@ static int sock_hash_delete_elem(struct
+ struct bpf_shtab_elem *elem;
+ int ret = -ENOENT;
+
++ if (irqs_disabled())
++ return -EOPNOTSUPP; /* locks here are hardirq-unsafe */
++
+ hash = sock_hash_bucket_hash(key, key_size);
+ bucket = sock_hash_select_bucket(htab, hash);
+
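Review bot: The `irqs_disabled()` guard added at the top of `__sock_map_delete` governs every caller of that shared helper, not only the map_delete_elem path the commit message discusses; if another caller in sock_map.c ignores the helper's return value, a delete attempted with interrupts disabled is now skipped silently and the entry stays in the map. The callers are outside the hunk, so this is worth confirming, and the comment could state the contract at the helper itself: `/* locks here are hardirq-unsafe: deletion is only supported from task or softirq context, callers must honour the error */`. The same guard in `sock_hash_delete_elem` sits on the entry point, so no such concern there. Both functions continue beyond their hunks.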
--- /dev/null
+From 24225011d81b471acc0e1e315b7d9905459a6304 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 3 Apr 2024 15:22:04 +0800
+Subject: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 24225011d81b471acc0e1e315b7d9905459a6304 upstream.
+
+nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can
+concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().
+And thhere is not any protection when iterate over nf_tables_flowtables
+list in __nft_flowtable_type_get(). Therefore, there is pertential
+data-race of nf_tables_flowtables list entry.
+
+Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list
+in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller
+nft_flowtable_type_get() to protect the entire type query process.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6879,11 +6879,12 @@ static int nft_flowtable_parse_hook(cons
+ return err;
+ }
+
++/* call under rcu_read_lock */
+ static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
+ {
+ const struct nf_flowtable_type *type;
+
+- list_for_each_entry(type, &nf_tables_flowtables, list) {
++ list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
+ if (family == type->family)
+ return type;
+ }
+@@ -6895,9 +6896,13 @@ nft_flowtable_type_get(struct net *net,
+ {
+ const struct nf_flowtable_type *type;
+
++ rcu_read_lock();
+ type = __nft_flowtable_type_get(family);
+- if (type != NULL && try_module_get(type->owner))
++ if (type != NULL && try_module_get(type->owner)) {
++ rcu_read_unlock();
+ return type;
++ }
++ rcu_read_unlock();
+
+ lockdep_nfnl_nft_mutex_not_held();
+ #ifdef CONFIG_MODULES
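Review bot: The RCU read section added in `nft_flowtable_type_get` only closes the described race if the list writers use the matching primitives: registration and unregistration of flowtable types must use `list_add_rcu`/`list_del_rcu` and the unregister path must wait a grace period before the owning module unloads, otherwise `list_for_each_entry_rcu` in `__nft_flowtable_type_get` can still walk a freed entry. None of that writer side is in the hunk, so it should be confirmed. The `try_module_get()` is correctly taken inside the read section, so the returned `type` stays pinned after `rcu_read_unlock()`; a comment on that ordering would help, e.g. `/* module ref taken under RCU keeps type valid past the read section */`. The `/* call under rcu_read_lock */` comment is documentation only; in recent kernels `list_for_each_entry_rcu` already warns under `CONFIG_PROVE_RCU_LIST` when used outside a read section. `nft_flowtable_type_get` continues past the hunk.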
--- /dev/null
+From 24cea9677025e0de419989ecb692acd4bb34cac2 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 2 Apr 2024 18:04:36 +0200
+Subject: netfilter: nf_tables: flush pending destroy work before exit_net release
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 24cea9677025e0de419989ecb692acd4bb34cac2 upstream.
+
+Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy
+work before netlink notifier") to address a race between exit_net and
+the destroy workqueue.
+
+The trace below shows an element to be released via destroy workqueue
+while exit_net path (triggered via module removal) has already released
+the set that is used in such transaction.
+
+[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
+[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465
+[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359
+[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
+[ 1360.547984] Call Trace:
+[ 1360.547991] <TASK>
+[ 1360.547998] dump_stack_lvl+0x53/0x70
+[ 1360.548014] print_report+0xc4/0x610
+[ 1360.548026] ? __virt_addr_valid+0xba/0x160
+[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
+[ 1360.548176] kasan_report+0xae/0xe0
+[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
+[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
+[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]
+[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30
+[ 1360.548591] process_one_work+0x2f1/0x670
+[ 1360.548610] worker_thread+0x4d3/0x760
+[ 1360.548627] ? __pfx_worker_thread+0x10/0x10
+[ 1360.548640] kthread+0x16b/0x1b0
+[ 1360.548653] ? __pfx_kthread+0x10/0x10
+[ 1360.548665] ret_from_fork+0x2f/0x50
+[ 1360.548679] ? __pfx_kthread+0x10/0x10
+[ 1360.548690] ret_from_fork_asm+0x1a/0x30
+[ 1360.548707] </TASK>
+
+[ 1360.548719] Allocated by task 192061:
+[ 1360.548726] kasan_save_stack+0x20/0x40
+[ 1360.548739] kasan_save_track+0x14/0x30
+[ 1360.548750] __kasan_kmalloc+0x8f/0xa0
+[ 1360.548760] __kmalloc_node+0x1f1/0x450
+[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]
+[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]
+[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
+[ 1360.548927] netlink_unicast+0x367/0x4f0
+[ 1360.548935] netlink_sendmsg+0x34b/0x610
+[ 1360.548944] ____sys_sendmsg+0x4d4/0x510
+[ 1360.548953] ___sys_sendmsg+0xc9/0x120
+[ 1360.548961] __sys_sendmsg+0xbe/0x140
+[ 1360.548971] do_syscall_64+0x55/0x120
+[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d
+
+[ 1360.548994] Freed by task 192222:
+[ 1360.548999] kasan_save_stack+0x20/0x40
+[ 1360.549009] kasan_save_track+0x14/0x30
+[ 1360.549019] kasan_save_free_info+0x3b/0x60
+[ 1360.549028] poison_slab_object+0x100/0x180
+[ 1360.549036] __kasan_slab_free+0x14/0x30
+[ 1360.549042] kfree+0xb6/0x260
+[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]
+[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]
+[ 1360.549221] ops_exit_list+0x50/0xa0
+[ 1360.549229] free_exit_list+0x101/0x140
+[ 1360.549236] unregister_pernet_operations+0x107/0x160
+[ 1360.549245] unregister_pernet_subsys+0x1c/0x30
+[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]
+[ 1360.549345] __do_sys_delete_module+0x253/0x370
+[ 1360.549352] do_syscall_64+0x55/0x120
+[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d
+
+(gdb) list *__nft_release_table+0x473
+0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).
+11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
+11350 list_del(&flowtable->list);
+11351 nft_use_dec(&table->use);
+11352 nf_tables_flowtable_destroy(flowtable);
+11353 }
+11354 list_for_each_entry_safe(set, ns, &table->sets, list) {
+11355 list_del(&set->list);
+11356 nft_use_dec(&table->use);
+11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
+11358 nft_map_deactivate(&ctx, set);
+(gdb)
+
+[ 1360.549372] Last potentially related work creation:
+[ 1360.549376] kasan_save_stack+0x20/0x40
+[ 1360.549384] __kasan_record_aux_stack+0x9b/0xb0
+[ 1360.549392] __queue_work+0x3fb/0x780
+[ 1360.549399] queue_work_on+0x4f/0x60
+[ 1360.549407] nft_rhash_remove+0x33b/0x340 [nf_tables]
+[ 1360.549516] nf_tables_commit+0x1c6a/0x2620 [nf_tables]
+[ 1360.549625] nfnetlink_rcv_batch+0x728/0xdc0 [nfnetlink]
+[ 1360.549647] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
+[ 1360.549671] netlink_unicast+0x367/0x4f0
+[ 1360.549680] netlink_sendmsg+0x34b/0x610
+[ 1360.549690] ____sys_sendmsg+0x4d4/0x510
+[ 1360.549697] ___sys_sendmsg+0xc9/0x120
+[ 1360.549706] __sys_sendmsg+0xbe/0x140
+[ 1360.549715] do_syscall_64+0x55/0x120
+[ 1360.549725] entry_SYSCALL_64_after_hwframe+0x55/0x5d
+
+Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9796,6 +9796,7 @@ static void __exit nf_tables_module_exit
+ unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
+ nft_chain_filter_fini();
+ nft_chain_route_fini();
++ nf_tables_trans_destroy_flush_work();
+ unregister_pernet_subsys(&nf_tables_net_ops);
+ cancel_work_sync(&trans_gc_work);
+ cancel_work_sync(&trans_destroy_work);
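Review bot: The new `nf_tables_trans_destroy_flush_work()` call carries no comment explaining why it must run before `unregister_pernet_subsys()` when `cancel_work_sync(&trans_destroy_work)` follows two lines later; a reader is likely to take the later cancel as sufficient and drop the flush. Suggest annotating the line: `/* flush pending element destroy work before exit_net frees the sets it references */`. Whether destroy work can still be queued between the flush and the pernet unregister is not visible here; if it can, the flush narrows the window rather than closing it, so that is worth confirming. `nf_tables_module_exit` starts before the hunk.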
--- /dev/null
+From 994209ddf4f430946f6247616b2e33d179243769 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 1 Apr 2024 00:33:02 +0200
+Subject: netfilter: nf_tables: reject new basechain after table flag update
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 994209ddf4f430946f6247616b2e33d179243769 upstream.
+
+When dormant flag is toggled, hooks are disabled in the commit phase by
+iterating over current chains in table (existing and new).
+
+The following configuration allows for an inconsistent state:
+
+ add table x
+ add chain x y { type filter hook input priority 0; }
+ add table x { flags dormant; }
+ add chain x w { type filter hook input priority 1; }
+
+which triggers the following warning when trying to unregister chain w
+which is already unregistered.
+
+[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260
+[...]
+[ 127.322519] Call Trace:
+[ 127.322521] <TASK>
+[ 127.322524] ? __warn+0x9f/0x1a0
+[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260
+[ 127.322537] ? report_bug+0x1b1/0x1e0
+[ 127.322545] ? handle_bug+0x3c/0x70
+[ 127.322552] ? exc_invalid_op+0x17/0x40
+[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20
+[ 127.322563] ? kasan_save_free_info+0x3b/0x60
+[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260
+[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260
+[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260
+[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]
+[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]
+[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]
+
+Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2225,6 +2225,9 @@ static int nf_tables_addchain(struct nft
+ struct nft_stats __percpu *stats = NULL;
+ struct nft_chain_hook hook;
+
++ if (table->flags & __NFT_TABLE_F_UPDATE)
++ return -EINVAL;
++
+ if (flags & NFT_CHAIN_BINDING)
+ return -EOPNOTSUPP;
+
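Review bot: The `__NFT_TABLE_F_UPDATE` check rejects every new chain in a batch that also toggles the table flags, whereas the subject says only new basechains are rejected; the check sits before any chain attribute is examined, so a plain chain without a hook, which the commit-phase hook (un)registration never touches, appears to be refused as well. If the broader behaviour is intended, a comment should say so, e.g. `/* table flags are being updated in this batch: commit-phase hook handling would miss or double-handle a new chain, so reject all new chains */`; otherwise the test could be narrowed to chains carrying a hook attribute. Also consider whether `-EINVAL` or `-EOPNOTSUPP` is the more consistent code, since the guard immediately below returns `-EOPNOTSUPP`. `nf_tables_addchain` starts and continues outside the hunk.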
--- /dev/null
+From 0c83842df40f86e529db6842231154772c20edcc Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 4 Apr 2024 12:20:51 +0000
+Subject: netfilter: validate user input for expected length
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 0c83842df40f86e529db6842231154772c20edcc upstream.
+
+I got multiple syzbot reports showing old bugs exposed
+by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc
+in cgroup/{s,g}etsockopt")
+
+setsockopt() @optlen argument should be taken into account
+before copying data.
+
+ BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
+ BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
+ BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
+ BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
+Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238
+
+CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
+ copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
+ copy_from_sockptr include/linux/sockptr.h:55 [inline]
+ do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
+ do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
+ nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101
+ do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
+ __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
+ __do_sys_setsockopt net/socket.c:2343 [inline]
+ __se_sys_setsockopt net/socket.c:2340 [inline]
+ __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
+ do_syscall_64+0xfb/0x240
+ entry_SYSCALL_64_after_hwframe+0x72/0x7a
+RIP: 0033:0x7fd22067dde9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9
+RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8
+ </TASK>
+
+Allocated by task 7238:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
+ __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
+ kasan_kmalloc include/linux/kasan.h:211 [inline]
+ __do_kmalloc_node mm/slub.c:4069 [inline]
+ __kmalloc_noprof+0x200/0x410 mm/slub.c:4082
+ kmalloc_noprof include/linux/slab.h:664 [inline]
+ __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869
+ do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
+ __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
+ __do_sys_setsockopt net/socket.c:2343 [inline]
+ __se_sys_setsockopt net/socket.c:2340 [inline]
+ __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
+ do_syscall_64+0xfb/0x240
+ entry_SYSCALL_64_after_hwframe+0x72/0x7a
+
+The buggy address belongs to the object at ffff88802cd73da0
+ which belongs to the cache kmalloc-8 of size 8
+The buggy address is located 0 bytes inside of
+ allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)
+
+The buggy address belongs to the physical page:
+page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73
+flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)
+page_type: 0xffffefff(slab)
+raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122
+raw: ffff88802cd73020 000000008080007f 00000001ffffefff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5103, tgid 2119833701 (syz-executor.4), ts 5103, free_ts 70804600828
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1490
+ prep_new_page mm/page_alloc.c:1498 [inline]
+ get_page_from_freelist+0x2e7e/0x2f40 mm/page_alloc.c:3454
+ __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4712
+ __alloc_pages_node_noprof include/linux/gfp.h:244 [inline]
+ alloc_pages_node_noprof include/linux/gfp.h:271 [inline]
+ alloc_slab_page+0x5f/0x120 mm/slub.c:2249
+ allocate_slab+0x5a/0x2e0 mm/slub.c:2412
+ new_slab mm/slub.c:2465 [inline]
+ ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3615
+ __slab_alloc+0x58/0xa0 mm/slub.c:3705
+ __slab_alloc_node mm/slub.c:3758 [inline]
+ slab_alloc_node mm/slub.c:3936 [inline]
+ __do_kmalloc_node mm/slub.c:4068 [inline]
+ kmalloc_node_track_caller_noprof+0x286/0x450 mm/slub.c:4089
+ kstrdup+0x3a/0x80 mm/util.c:62
+ device_rename+0xb5/0x1b0 drivers/base/core.c:4558
+ dev_change_name+0x275/0x860 net/core/dev.c:1232
+ do_setlink+0xa4b/0x41f0 net/core/rtnetlink.c:2864
+ __rtnl_newlink net/core/rtnetlink.c:3680 [inline]
+ rtnl_newlink+0x180b/0x20a0 net/core/rtnetlink.c:3727
+ rtnetlink_rcv_msg+0x89b/0x10d0 net/core/rtnetlink.c:6594
+ netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2559
+ netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
+ netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1361
+page last free pid 5146 tgid 5146 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1110 [inline]
+ free_unref_page+0xd3c/0xec0 mm/page_alloc.c:2617
+ discard_slab mm/slub.c:2511 [inline]
+ __put_partials+0xeb/0x130 mm/slub.c:2980
+ put_cpu_partial+0x17c/0x250 mm/slub.c:3055
+ __slab_free+0x2ea/0x3d0 mm/slub.c:4254
+ qlink_free mm/kasan/quarantine.c:163 [inline]
+ qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
+ kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
+ __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook mm/slub.c:3888 [inline]
+ slab_alloc_node mm/slub.c:3948 [inline]
+ __do_kmalloc_node mm/slub.c:4068 [inline]
+ __kmalloc_node_noprof+0x1d7/0x450 mm/slub.c:4076
+ kmalloc_node_noprof include/linux/slab.h:681 [inline]
+ kvmalloc_node_noprof+0x72/0x190 mm/util.c:634
+ bucket_table_alloc lib/rhashtable.c:186 [inline]
+ rhashtable_rehash_alloc+0x9e/0x290 lib/rhashtable.c:367
+ rht_deferred_worker+0x4e1/0x2440 lib/rhashtable.c:427
+ process_one_work kernel/workqueue.c:3218 [inline]
+ process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3299
+ worker_thread+0x86d/0xd70 kernel/workqueue.c:3380
+ kthread+0x2f0/0x390 kernel/kthread.c:388
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
+
+Memory state around the buggy address:
+ ffff88802cd73c80: 07 fc fc fc 05 fc fc fc 05 fc fc fc fa fc fc fc
+ ffff88802cd73d00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
+>ffff88802cd73d80: fa fc fc fc 01 fc fc fc fa fc fc fc fa fc fc fc
+ ^
+ ffff88802cd73e00: fa fc fc fc fa fc fc fc 05 fc fc fc 07 fc fc fc
+ ffff88802cd73e80: 07 fc fc fc 07 fc fc fc 07 fc fc fc 07 fc fc fc
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Link: https://lore.kernel.org/r/20240404122051.2303764-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/netfilter/ebtables.c | 6 ++++++
+ net/ipv4/netfilter/arp_tables.c | 4 ++++
+ net/ipv4/netfilter/ip_tables.c | 4 ++++
+ net/ipv6/netfilter/ip6_tables.c | 4 ++++
+ 4 files changed, 18 insertions(+)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1070,6 +1070,8 @@ static int do_replace(struct net *net, s
+ struct ebt_table_info *newinfo;
+ struct ebt_replace tmp;
+
++ if (len < sizeof(tmp))
++ return -EINVAL;
+ if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
+ return -EFAULT;
+
+@@ -1309,6 +1311,8 @@ static int update_counters(struct net *n
+ {
+ struct ebt_replace hlp;
+
++ if (len < sizeof(hlp))
++ return -EINVAL;
+ if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
+ return -EFAULT;
+
+@@ -2238,6 +2242,8 @@ static int compat_update_counters(struct
+ {
+ struct compat_ebt_replace hlp;
+
++ if (len < sizeof(hlp))
++ return -EINVAL;
+ if (copy_from_sockptr(&hlp, arg, sizeof(hlp)))
+ return -EFAULT;
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -955,6 +955,8 @@ static int do_replace(struct net *net, s
+ void *loc_cpu_entry;
+ struct arpt_entry *iter;
+
++ if (len < sizeof(tmp))
++ return -EINVAL;
+ if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
+ return -EFAULT;
+
+@@ -1253,6 +1255,8 @@ static int compat_do_replace(struct net
+ void *loc_cpu_entry;
+ struct arpt_entry *iter;
+
++ if (len < sizeof(tmp))
++ return -EINVAL;
+ if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
+ return -EFAULT;
+
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1109,6 +1109,8 @@ do_replace(struct net *net, sockptr_t ar
+ void *loc_cpu_entry;
+ struct ipt_entry *iter;
+
++ if (len < sizeof(tmp))
++ return -EINVAL;
+ if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
+ return -EFAULT;
+
+@@ -1493,6 +1495,8 @@ compat_do_replace(struct net *net, sockp
+ void *loc_cpu_entry;
+ struct ipt_entry *iter;
+
++ if (len < sizeof(tmp))
++ return -EINVAL;
+ if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
+ return -EFAULT;
+
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1127,6 +1127,8 @@ do_replace(struct net *net, sockptr_t ar
+ void *loc_cpu_entry;
+ struct ip6t_entry *iter;
+
++ if (len < sizeof(tmp))
++ return -EINVAL;
+ if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
+ return -EFAULT;
+
+@@ -1503,6 +1505,8 @@ compat_do_replace(struct net *net, sockp
+ void *loc_cpu_entry;
+ struct ip6t_entry *iter;
+
++ if (len < sizeof(tmp))
++ return -EINVAL;
+ if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
+ return -EFAULT;
+
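Review bot: Each `if (len < sizeof(tmp)) return -EINVAL;` bounds only the first fixed-size copy; the later copies in these handlers are sized from user-controlled fields of `tmp`/`hlp` (entry and counter sizes), and whether those are still checked against `len` minus the header is outside every hunk here, so it is worth confirming in each of the nine functions (all of which start and end beyond their hunks). The guard is repeated verbatim nine times across four files; a one-line comment at the first occurrence, `/* optlen must cover the fixed header before it is copied */`, would record why the copy is refused with `-EINVAL`, and the same pattern applies to any other handler in these files that copies a fixed-size struct from `arg`. The type of `len` is not visible in the hunks; if it were signed anywhere, the comparison against `sizeof` would promote it to unsigned and a negative value would slip through.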
mm-vmscan-prevent-infinite-loop-for-costly-gfp_noio-__gfp_retry_mayfail-allocations.patch
x86-srso-add-srso-mitigation-for-hygon-processors.patch
block-add-check-that-partition-length-needs-to-be-aligned-with-block-size.patch
+netfilter-nf_tables-reject-new-basechain-after-table-flag-update.patch
+netfilter-nf_tables-flush-pending-destroy-work-before-exit_net-release.patch
+netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch
+netfilter-validate-user-input-for-expected-length.patch
+vboxsf-avoid-an-spurious-warning-if-load_nls_xxx-fails.patch
+bpf-sockmap-prevent-lock-inversion-deadlock-in-map-delete-elem.patch
--- /dev/null
+From de3f64b738af57e2732b91a0774facc675b75b54 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 1 Nov 2023 11:49:48 +0100
+Subject: vboxsf: Avoid an spurious warning if load_nls_xxx() fails
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit de3f64b738af57e2732b91a0774facc675b75b54 upstream.
+
+If an load_nls_xxx() function fails a few lines above, the 'sbi->bdi_id' is
+still 0.
+So, in the error handling path, we will call ida_simple_remove(..., 0)
+which is not allocated yet.
+
+In order to prevent a spurious "ida_free called for id=0 which is not
+allocated." message, tweak the error handling path and add a new label.
+
+Fixes: 0fd169576648 ("fs: Add VirtualBox guest shared folder (vboxsf) support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/d09eaaa4e2e08206c58a1a27ca9b3e81dc168773.1698835730.git.christophe.jaillet@wanadoo.fr
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/vboxsf/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/vboxsf/super.c
++++ b/fs/vboxsf/super.c
+@@ -151,7 +151,7 @@ static int vboxsf_fill_super(struct supe
+ if (!sbi->nls) {
+ vbg_err("vboxsf: Count not load '%s' nls\n", nls_name);
+ err = -EINVAL;
+- goto fail_free;
++ goto fail_destroy_idr;
+ }
+ }
+
+@@ -224,6 +224,7 @@ fail_free:
+ ida_simple_remove(&vboxsf_bdi_ida, sbi->bdi_id);
+ if (sbi->nls)
+ unload_nls(sbi->nls);
++fail_destroy_idr:
+ idr_destroy(&sbi->ino_idr);
+ kfree(sbi);
+ return err;