6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 3 Feb 2023 09:54:43 +0000 (10:54 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 3 Feb 2023 09:54:43 +0000 (10:54 +0100)
added patches:
net-fix-null-pointer-in-skb_segment_list.patch
net-mctp-purge-receive-queues-on-sk-destruction.patch
rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch

queue-6.1/net-fix-null-pointer-in-skb_segment_list.patch [new file with mode: 0644]
queue-6.1/net-mctp-purge-receive-queues-on-sk-destruction.patch [new file with mode: 0644]
queue-6.1/rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/net-fix-null-pointer-in-skb_segment_list.patch b/queue-6.1/net-fix-null-pointer-in-skb_segment_list.patch
new file mode 100644 (file)
index 0000000..eaebede
--- /dev/null
@@ -0,0 +1,76 @@
+From 876e8ca8366735a604bac86ff7e2732fc9d85d2d Mon Sep 17 00:00:00 2001
+From: Yan Zhai <yan@cloudflare.com>
+Date: Mon, 30 Jan 2023 12:51:48 -0800
+Subject: net: fix NULL pointer in skb_segment_list
+
+From: Yan Zhai <yan@cloudflare.com>
+
+commit 876e8ca8366735a604bac86ff7e2732fc9d85d2d upstream.
+
+Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+introduced UDP listifyed GRO. The segmentation relies on frag_list being
+untouched when passing through the network stack. This assumption can be
+broken sometimes, where frag_list itself gets pulled into linear area,
+leaving frag_list being NULL. When this happens it can trigger
+following NULL pointer dereference, and panic the kernel. Reverse the
+test condition should fix it.
+
+[19185.577801][    C1] BUG: kernel NULL pointer dereference, address:
+...
+[19185.663775][    C1] RIP: 0010:skb_segment_list+0x1cc/0x390
+...
+[19185.834644][    C1] Call Trace:
+[19185.841730][    C1]  <TASK>
+[19185.848563][    C1]  __udp_gso_segment+0x33e/0x510
+[19185.857370][    C1]  inet_gso_segment+0x15b/0x3e0
+[19185.866059][    C1]  skb_mac_gso_segment+0x97/0x110
+[19185.874939][    C1]  __skb_gso_segment+0xb2/0x160
+[19185.883646][    C1]  udp_queue_rcv_skb+0xc3/0x1d0
+[19185.892319][    C1]  udp_unicast_rcv_skb+0x75/0x90
+[19185.900979][    C1]  ip_protocol_deliver_rcu+0xd2/0x200
+[19185.910003][    C1]  ip_local_deliver_finish+0x44/0x60
+[19185.918757][    C1]  __netif_receive_skb_one_core+0x8b/0xa0
+[19185.927834][    C1]  process_backlog+0x88/0x130
+[19185.935840][    C1]  __napi_poll+0x27/0x150
+[19185.943447][    C1]  net_rx_action+0x27e/0x5f0
+[19185.951331][    C1]  ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
+[19185.960848][    C1]  __do_softirq+0xbc/0x25d
+[19185.968607][    C1]  irq_exit_rcu+0x83/0xb0
+[19185.976247][    C1]  common_interrupt+0x43/0xa0
+[19185.984235][    C1]  asm_common_interrupt+0x22/0x40
+...
+[19186.094106][    C1]  </TASK>
+
+Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Yan Zhai <yan@cloudflare.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4034,7 +4034,7 @@ struct sk_buff *skb_segment_list(struct
+       skb_shinfo(skb)->frag_list = NULL;
+-      do {
++      while (list_skb) {
+               nskb = list_skb;
+               list_skb = list_skb->next;
+@@ -4080,8 +4080,7 @@ struct sk_buff *skb_segment_list(struct
+               if (skb_needs_linearize(nskb, features) &&
+                   __skb_linearize(nskb))
+                       goto err_linearize;
+-
+-      } while (list_skb);
++      }
+       skb->truesize = skb->truesize - delta_truesize;
+       skb->data_len = skb->data_len - delta_len;
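Review bot: The `while (list_skb)` guard at the top of the loop is the whole fix, yet nothing in the code records why `list_skb` can be NULL right after `skb_shinfo(skb)->frag_list` has been consumed, so the change reads as a cosmetic do/while swap and is at risk of being undone by a later cleanup. Suggest a comment above the loop: `/* frag_list may already have been pulled into the linear area, so list_skb can be NULL here. */`. Per the call trace in the commit message the dereference is reached from udp_queue_rcv_skb in softirq context on the receive path, so before this patch it appears to have been triggerable by received traffic, which is why it matters for stable. I cannot tell from the hunk whether the truesize/data_len adjustment after the loop is a no-op for the empty-list case, since delta_truesize and delta_len are computed outside it. skb_segment_list begins and ends outside the hunk.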
diff --git a/queue-6.1/net-mctp-purge-receive-queues-on-sk-destruction.patch b/queue-6.1/net-mctp-purge-receive-queues-on-sk-destruction.patch
new file mode 100644 (file)
index 0000000..d9e87dc
--- /dev/null
@@ -0,0 +1,46 @@
+From 60bd1d9008a50cc78c4033a16a6f5d78210d481c Mon Sep 17 00:00:00 2001
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+Date: Thu, 26 Jan 2023 14:45:51 +0800
+Subject: net: mctp: purge receive queues on sk destruction
+
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+
+commit 60bd1d9008a50cc78c4033a16a6f5d78210d481c upstream.
+
+We may have pending skbs in the receive queue when the sk is being
+destroyed; add a destructor to purge the queue.
+
+MCTP doesn't use the error queue, so only the receive_queue is purged.
+
+Fixes: 833ef3b91de6 ("mctp: Populate socket implementation")
+Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Link: https://lore.kernel.org/r/20230126064551.464468-1-jk@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mctp/af_mctp.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -587,6 +587,11 @@ static void mctp_sk_unhash(struct sock *
+       del_timer_sync(&msk->key_expiry);
+ }
++static void mctp_sk_destruct(struct sock *sk)
++{
++      skb_queue_purge(&sk->sk_receive_queue);
++}
++
+ static struct proto mctp_proto = {
+       .name           = "MCTP",
+       .owner          = THIS_MODULE,
+@@ -623,6 +628,7 @@ static int mctp_pf_create(struct net *ne
+               return -ENOMEM;
+       sock_init_data(sock, sk);
++      sk->sk_destruct = mctp_sk_destruct;
+       rc = 0;
+       if (sk->sk_prot->init)
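Review bot: `mctp_sk_destruct` purges only `sk_receive_queue`, and the reason (MCTP does not use the error queue) lives in the commit message rather than in the code, so a later reader will wonder whether `sk_error_queue` was forgotten. Suggest a comment on the destructor: `/* MCTP does not use sk_error_queue; pending skbs can only sit on the receive queue. */`. Before this patch any skb still queued on a socket at close was leaked, which a remote endpoint that keeps sending to a socket the application has stopped reading could presumably drive towards memory exhaustion, so the stable backport is more than a tidy-up. The destructor is installed only in `mctp_pf_create`; nothing in the hunk suggests another allocation path for an MCTP sock, but if one exists it would not get the purge. mctp_pf_create continues outside the hunk.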
diff --git a/queue-6.1/rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch b/queue-6.1/rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch
new file mode 100644 (file)
index 0000000..38b4e46
--- /dev/null
@@ -0,0 +1,74 @@
+From 6618d69aa129a8fc613e64775d5019524c6f231b Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Tue, 13 Dec 2022 19:03:55 +0100
+Subject: rust: print: avoid evaluating arguments in `pr_*` macros in `unsafe` blocks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 6618d69aa129a8fc613e64775d5019524c6f231b upstream.
+
+At the moment it is possible to perform unsafe operations in
+the arguments of `pr_*` macros since they are evaluated inside
+an `unsafe` block:
+
+    let x = &10u32 as *const u32;
+    pr_info!("{}", *x);
+
+In other words, this is a soundness issue.
+
+Fix it so that it requires an explicit `unsafe` block.
+
+Reported-by: Wedson Almeida Filho <wedsonaf@gmail.com>
+Reported-by: Domen Puncer Kugler <domen.puncerkugler@nccgroup.com>
+Link: https://github.com/Rust-for-Linux/linux/issues/479
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
+Reviewed-by: Gary Guo <gary@garyguo.net>
+Reviewed-by: Björn Roy Baron <bjorn3_gh@protonmail.com>
+Reviewed-by: Vincenzo Palazzo <vincenzopalazzodev@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/print.rs |   29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+--- a/rust/kernel/print.rs
++++ b/rust/kernel/print.rs
+@@ -115,17 +115,24 @@ pub unsafe fn call_printk(
+ macro_rules! print_macro (
+     // The non-continuation cases (most of them, e.g. `INFO`).
+     ($format_string:path, $($arg:tt)+) => (
+-        // SAFETY: This hidden macro should only be called by the documented
+-        // printing macros which ensure the format string is one of the fixed
+-        // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
+-        // by the `module!` proc macro or fixed values defined in a kernel
+-        // crate.
+-        unsafe {
+-            $crate::print::call_printk(
+-                &$format_string,
+-                crate::__LOG_PREFIX,
+-                format_args!($($arg)+),
+-            );
++        // To remain sound, `arg`s must be expanded outside the `unsafe` block.
++        // Typically one would use a `let` binding for that; however, `format_args!`
++        // takes borrows on the arguments, but does not extend the scope of temporaries.
++        // Therefore, a `match` expression is used to keep them around, since
++        // the scrutinee is kept until the end of the `match`.
++        match format_args!($($arg)+) {
++            // SAFETY: This hidden macro should only be called by the documented
++            // printing macros which ensure the format string is one of the fixed
++            // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
++            // by the `module!` proc macro or fixed values defined in a kernel
++            // crate.
++            args => unsafe {
++                $crate::print::call_printk(
++                    &$format_string,
++                    crate::__LOG_PREFIX,
++                    args,
++                );
++            }
+         }
+     );
+ );
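Review bot: The arm comment "The non-continuation cases (most of them, e.g. `INFO`)" refers to other arms that do not exist in this `macro_rules!` — the definition visible in the hunk closes with this single arm — so the comment is stale and should either be dropped or reworded to `// Expands to a call of `call_printk` with the fixed format string for this level.` The `match` scrutinee trick is sound as written because the only things left inside the `unsafe` block are `$format_string` (a `:path` fragment, which cannot carry an expression) and `crate::__LOG_PREFIX`; the SAFETY comment would be stronger if it said so, e.g. `// `$format_string` is a `path` fragment, so no caller-supplied expression is evaluated inside this block.` Note that this matters beyond style: the original form let callers dereference raw pointers in `pr_*!` arguments without writing `unsafe`, which is exactly the kind of hole a reviewer relying on grepping for `unsafe` would miss.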
index c83321d223eb101abc404070b3c4f046b6b2020d..ac147b54c99f5334c532c63337b2333d9cab9beb 100644 (file)
@@ -23,3 +23,6 @@ cifs-fix-return-of-uninitialized-rc-in-dfs_cache_upd.patch
 nvme-apple-only-reset-the-controller-when-rtkit-is-r.patch
 gpiolib-acpi-add-a-ignore-wakeup-quirk-for-clevo-nl5.patch
 gpiolib-acpi-don-t-set-gpios-for-wakeup-in-s3-mode.patch
+net-fix-null-pointer-in-skb_segment_list.patch
+rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch
+net-mctp-purge-receive-queues-on-sk-destruction.patch