5.15-stable patches

added patches:
	net-fix-null-pointer-in-skb_segment_list.patch
	net-mctp-purge-receive-queues-on-sk-destruction.patch

diff --git a/queue-5.15/net-fix-null-pointer-in-skb_segment_list.patch b/queue-5.15/net-fix-null-pointer-in-skb_segment_list.patch
new file mode 100644 (file)
index 0000000..4e2eecb
--- /dev/null
+++ b/queue-5.15/net-fix-null-pointer-in-skb_segment_list.patch
@@ -0,0 +1,76 @@
+From 876e8ca8366735a604bac86ff7e2732fc9d85d2d Mon Sep 17 00:00:00 2001
+From: Yan Zhai <yan@cloudflare.com>
+Date: Mon, 30 Jan 2023 12:51:48 -0800
+Subject: net: fix NULL pointer in skb_segment_list
+
+From: Yan Zhai <yan@cloudflare.com>
+
+commit 876e8ca8366735a604bac86ff7e2732fc9d85d2d upstream.
+
+Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+introduced UDP listifyed GRO. The segmentation relies on frag_list being
+untouched when passing through the network stack. This assumption can be
+broken sometimes, where frag_list itself gets pulled into linear area,
+leaving frag_list being NULL. When this happens it can trigger
+following NULL pointer dereference, and panic the kernel. Reverse the
+test condition should fix it.
+
+[19185.577801][    C1] BUG: kernel NULL pointer dereference, address:
+...
+[19185.663775][    C1] RIP: 0010:skb_segment_list+0x1cc/0x390
+...
+[19185.834644][    C1] Call Trace:
+[19185.841730][    C1]  <TASK>
+[19185.848563][    C1]  __udp_gso_segment+0x33e/0x510
+[19185.857370][    C1]  inet_gso_segment+0x15b/0x3e0
+[19185.866059][    C1]  skb_mac_gso_segment+0x97/0x110
+[19185.874939][    C1]  __skb_gso_segment+0xb2/0x160
+[19185.883646][    C1]  udp_queue_rcv_skb+0xc3/0x1d0
+[19185.892319][    C1]  udp_unicast_rcv_skb+0x75/0x90
+[19185.900979][    C1]  ip_protocol_deliver_rcu+0xd2/0x200
+[19185.910003][    C1]  ip_local_deliver_finish+0x44/0x60
+[19185.918757][    C1]  __netif_receive_skb_one_core+0x8b/0xa0
+[19185.927834][    C1]  process_backlog+0x88/0x130
+[19185.935840][    C1]  __napi_poll+0x27/0x150
+[19185.943447][    C1]  net_rx_action+0x27e/0x5f0
+[19185.951331][    C1]  ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
+[19185.960848][    C1]  __do_softirq+0xbc/0x25d
+[19185.968607][    C1]  irq_exit_rcu+0x83/0xb0
+[19185.976247][    C1]  common_interrupt+0x43/0xa0
+[19185.984235][    C1]  asm_common_interrupt+0x22/0x40
+...
+[19186.094106][    C1]  </TASK>
+
+Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Yan Zhai <yan@cloudflare.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3884,7 +3884,7 @@ struct sk_buff *skb_segment_list(struct
+ 
+       skb_shinfo(skb)->frag_list = NULL;
+ 
+-      do {
++      while (list_skb) {
+               nskb = list_skb;
+               list_skb = list_skb->next;
+ 
+@@ -3930,8 +3930,7 @@ struct sk_buff *skb_segment_list(struct
+               if (skb_needs_linearize(nskb, features) &&
+                   __skb_linearize(nskb))
+                       goto err_linearize;
+-
+-      } while (list_skb);
++      }
+ 
+       skb->truesize = skb->truesize - delta_truesize;
+       skb->data_len = skb->data_len - delta_len;

diff --git a/queue-5.15/net-mctp-purge-receive-queues-on-sk-destruction.patch b/queue-5.15/net-mctp-purge-receive-queues-on-sk-destruction.patch
new file mode 100644 (file)
index 0000000..81b6de6
--- /dev/null
+++ b/queue-5.15/net-mctp-purge-receive-queues-on-sk-destruction.patch
@@ -0,0 +1,46 @@
+From 60bd1d9008a50cc78c4033a16a6f5d78210d481c Mon Sep 17 00:00:00 2001
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+Date: Thu, 26 Jan 2023 14:45:51 +0800
+Subject: net: mctp: purge receive queues on sk destruction
+
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+
+commit 60bd1d9008a50cc78c4033a16a6f5d78210d481c upstream.
+
+We may have pending skbs in the receive queue when the sk is being
+destroyed; add a destructor to purge the queue.
+
+MCTP doesn't use the error queue, so only the receive_queue is purged.
+
+Fixes: 833ef3b91de6 ("mctp: Populate socket implementation")
+Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Link: https://lore.kernel.org/r/20230126064551.464468-1-jk@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mctp/af_mctp.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -294,6 +294,11 @@ static void mctp_sk_unhash(struct sock *
+       synchronize_rcu();
+ }
+ 
++static void mctp_sk_destruct(struct sock *sk)
++{
++      skb_queue_purge(&sk->sk_receive_queue);
++}
++
+ static struct proto mctp_proto = {
+       .name           = "MCTP",
+       .owner          = THIS_MODULE,
+@@ -330,6 +335,7 @@ static int mctp_pf_create(struct net *ne
+               return -ENOMEM;
+ 
+       sock_init_data(sock, sk);
++      sk->sk_destruct = mctp_sk_destruct;
+ 
+       rc = 0;
+       if (sk->sk_prot->init)

diff --git a/queue-5.15/series b/queue-5.15/series
index fec1903ebbefc181a1d8af300f8bdcf1da896ec4..760666f23f7f2a2d0c111575520c7331b1a191ab 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -16,3 +16,5 @@ bluetooth-fix-null-ptr-deref-on-hci_sync_conn_complete_evt.patch
 tools-fix-array_size-defines-in-tools-and-selftests-hdrs.patch
 selftests-vm-remove-array_size-define-from-individual-tests.patch
 selftests-provide-local-define-of-__cpuid_count.patch
+net-fix-null-pointer-in-skb_segment_list.patch
+net-mctp-purge-receive-queues-on-sk-destruction.patch