4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Jan 2020 17:25:33 +0000 (18:25 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Jan 2020 17:25:33 +0000 (18:25 +0100)
added patches:
6pack-mkiss-fix-possible-deadlock.patch
hrtimer-annotate-lockless-access-to-timer-state.patch
net-icmp-fix-data-race-in-cmp_global_allow.patch
netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch

queue-4.4/6pack-mkiss-fix-possible-deadlock.patch [new file with mode: 0644]
queue-4.4/hrtimer-annotate-lockless-access-to-timer-state.patch [new file with mode: 0644]
queue-4.4/net-icmp-fix-data-race-in-cmp_global_allow.patch [new file with mode: 0644]
queue-4.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch [new file with mode: 0644]
queue-4.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/6pack-mkiss-fix-possible-deadlock.patch b/queue-4.4/6pack-mkiss-fix-possible-deadlock.patch
new file mode 100644 (file)
index 0000000..ac5887f
--- /dev/null
@@ -0,0 +1,178 @@
+From 5c9934b6767b16ba60be22ec3cbd4379ad64170d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 12 Dec 2019 10:32:13 -0800
+Subject: 6pack,mkiss: fix possible deadlock
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d upstream.
+
+We got another syzbot report [1] that tells us we must use
+write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
+
+[1]
+
+WARNING: inconsistent lock state
+5.5.0-rc1-syzkaller #0 Not tainted
+--------------------------------
+inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
+syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
+ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+{HARDIRQ-ON-W} state was registered at:
+  lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+  __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
+  _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
+  sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
+  tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
+  tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
+  tiocsetd drivers/tty/tty_io.c:2337 [inline]
+  tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
+  vfs_ioctl fs/ioctl.c:47 [inline]
+  file_ioctl fs/ioctl.c:545 [inline]
+  do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
+  ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
+  __do_sys_ioctl fs/ioctl.c:756 [inline]
+  __se_sys_ioctl fs/ioctl.c:754 [inline]
+  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
+  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 3946
+hardirqs last  enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
+hardirqs last  enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
+hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
+softirqs last  enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
+softirqs last  enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
+softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
+softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+       CPU0
+       ----
+  lock(disc_data_lock);
+  <Interrupt>
+    lock(disc_data_lock);
+
+ *** DEADLOCK ***
+
+5 locks held by syz-executor826/9605:
+ #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
+ #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
+ #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
+
+stack backtrace:
+CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
+ valid_state kernel/locking/lockdep.c:3112 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
+ mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
+ mark_usage kernel/locking/lockdep.c:3554 [inline]
+ __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
+ _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
+ sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+ sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
+ tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
+ tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
+ tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
+ uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
+ serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
+ serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
+ serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
+ serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
+ serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
+ __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
+ handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
+ handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
+ handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
+ generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
+ do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
+ </IRQ>
+RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
+RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
+Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
+RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
+RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
+RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
+R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
+R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
+ mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
+ __mutex_lock_common kernel/locking/mutex.c:962 [inline]
+ __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
+ tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x8e7/0x2ef0 kernel/exit.c:797
+ do_group_exit+0x135/0x360 kernel/exit.c:895
+ __do_sys_exit_group kernel/exit.c:906 [inline]
+ __se_sys_exit_group kernel/exit.c:904 [inline]
+ __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x43fef8
+Code: Bad RIP value.
+RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
+RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
+RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
+R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
+R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/hamradio/6pack.c |    4 ++--
+ drivers/net/hamradio/mkiss.c |    4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -669,10 +669,10 @@ static void sixpack_close(struct tty_str
+ {
+       struct sixpack *sp;
+-      write_lock_bh(&disc_data_lock);
++      write_lock_irq(&disc_data_lock);
+       sp = tty->disc_data;
+       tty->disc_data = NULL;
+-      write_unlock_bh(&disc_data_lock);
++      write_unlock_irq(&disc_data_lock);
+       if (!sp)
+               return;
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -783,10 +783,10 @@ static void mkiss_close(struct tty_struc
+ {
+       struct mkiss *ax;
+-      write_lock_bh(&disc_data_lock);
++      write_lock_irq(&disc_data_lock);
+       ax = tty->disc_data;
+       tty->disc_data = NULL;
+-      write_unlock_bh(&disc_data_lock);
++      write_unlock_irq(&disc_data_lock);
+       if (!ax)
+               return;
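Review bot: The switch to write_lock_irq()/write_unlock_irq() in both the 6pack.c and mkiss.c hunks carries no comment on why BH-level protection was insufficient, and the lockdep report in the patch description is the only place that says so. According to that trace, the reader side (sp_get() reached from sixpack_write_wakeup()) takes disc_data_lock with read_lock() from the serial hardirq, so a writer that only disables softirqs can be interrupted while holding it. Suggest a one-line comment above each write_lock_irq(): `/* disc_data_lock is read from hardirq context (tty write_wakeup), so the writer must disable hardirqs, not just BH */`. Both sixpack_close() and mkiss_close() continue past the end of their hunks. Before queuing for 4.4 it is also worth confirming that the commit named in the Fixes: tag is present in this tree, since the change only makes sense on top of it.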
diff --git a/queue-4.4/hrtimer-annotate-lockless-access-to-timer-state.patch b/queue-4.4/hrtimer-annotate-lockless-access-to-timer-state.patch
new file mode 100644 (file)
index 0000000..a4abcf3
--- /dev/null
@@ -0,0 +1,160 @@
+From 56144737e67329c9aaed15f942d46a6302e2e3d8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 6 Nov 2019 09:48:04 -0800
+Subject: hrtimer: Annotate lockless access to timer->state
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 56144737e67329c9aaed15f942d46a6302e2e3d8 upstream.
+
+syzbot reported various data-race caused by hrtimer_is_queued() reading
+timer->state. A READ_ONCE() is required there to silence the warning.
+
+Also add the corresponding WRITE_ONCE() when timer->state is set.
+
+In remove_hrtimer() the hrtimer_is_queued() helper is open coded to avoid
+loading timer->state twice.
+
+KCSAN reported these cases:
+
+BUG: KCSAN: data-race in __remove_hrtimer / tcp_pacing_check
+
+write to 0xffff8880b2a7d388 of 1 bytes by interrupt on cpu 0:
+ __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
+ __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
+ __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
+ hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
+ smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+read to 0xffff8880b2a7d388 of 1 bytes by task 24652 on cpu 1:
+ tcp_pacing_check net/ipv4/tcp_output.c:2235 [inline]
+ tcp_pacing_check+0xba/0x130 net/ipv4/tcp_output.c:2225
+ tcp_xmit_retransmit_queue+0x32c/0x5a0 net/ipv4/tcp_output.c:3044
+ tcp_xmit_recovery+0x7c/0x120 net/ipv4/tcp_input.c:3558
+ tcp_ack+0x17b6/0x3170 net/ipv4/tcp_input.c:3717
+ tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ sk_backlog_rcv include/net/sock.h:945 [inline]
+ __release_sock+0x135/0x1e0 net/core/sock.c:2435
+ release_sock+0x61/0x160 net/core/sock.c:2951
+ sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
+ tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
+ tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
+ inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+
+BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check
+
+write to 0xffff8880a3a65588 of 1 bytes by interrupt on cpu 0:
+ __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
+ __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
+ __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
+ hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+
+read to 0xffff8880a3a65588 of 1 bytes by task 22891 on cpu 1:
+ __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5265
+ tcp_ack_snd_check net/ipv4/tcp_input.c:5287 [inline]
+ tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5708
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ sk_backlog_rcv include/net/sock.h:945 [inline]
+ __release_sock+0x135/0x1e0 net/core/sock.c:2435
+ release_sock+0x61/0x160 net/core/sock.c:2951
+ sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
+ tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
+ tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
+ inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+ __sys_sendto+0x21f/0x320 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto net/socket.c:1960 [inline]
+ __x64_sys_sendto+0x89/0xb0 net/socket.c:1960
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 24652 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+[ tglx: Added comments ]
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20191106174804.74723-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/hrtimer.h |   14 ++++++++++----
+ kernel/time/hrtimer.c   |   11 +++++++----
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -424,12 +424,18 @@ extern u64 hrtimer_get_next_event(void);
+ extern bool hrtimer_active(const struct hrtimer *timer);
+-/*
+- * Helper function to check, whether the timer is on one of the queues
++/**
++ * hrtimer_is_queued = check, whether the timer is on one of the queues
++ * @timer:    Timer to check
++ *
++ * Returns: True if the timer is queued, false otherwise
++ *
++ * The function can be used lockless, but it gives only a current snapshot.
+  */
+-static inline int hrtimer_is_queued(struct hrtimer *timer)
++static inline bool hrtimer_is_queued(struct hrtimer *timer)
+ {
+-      return timer->state & HRTIMER_STATE_ENQUEUED;
++      /* The READ_ONCE pairs with the update functions of timer->state */
++      return !!(READ_ONCE(timer->state) & HRTIMER_STATE_ENQUEUED);
+ }
+ /*
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -887,7 +887,8 @@ static int enqueue_hrtimer(struct hrtime
+       base->cpu_base->active_bases |= 1 << base->index;
+-      timer->state = HRTIMER_STATE_ENQUEUED;
++      /* Pairs with the lockless read in hrtimer_is_queued() */
++      WRITE_ONCE(timer->state, HRTIMER_STATE_ENQUEUED);
+       return timerqueue_add(&base->active, &timer->node);
+ }
+@@ -909,7 +910,8 @@ static void __remove_hrtimer(struct hrti
+       struct hrtimer_cpu_base *cpu_base = base->cpu_base;
+       u8 state = timer->state;
+-      timer->state = newstate;
++      /* Pairs with the lockless read in hrtimer_is_queued() */
++      WRITE_ONCE(timer->state, newstate);
+       if (!(state & HRTIMER_STATE_ENQUEUED))
+               return;
+@@ -936,8 +938,9 @@ static void __remove_hrtimer(struct hrti
+ static inline int
+ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool restart)
+ {
+-      if (hrtimer_is_queued(timer)) {
+-              u8 state = timer->state;
++      u8 state = timer->state;
++
++      if (state & HRTIMER_STATE_ENQUEUED) {
+               int reprogram;
+               /*
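Review bot: The open-coded load `u8 state = timer->state;` that replaces hrtimer_is_queued() in remove_hrtimer() is a plain read, while the header hunk converts the same field to READ_ONCE(), and nothing in the hunk records why the asymmetry is correct. The commit message says the open-coding only avoids loading the field twice; presumably remove_hrtimer() runs with the base lock held so the plain access is safe, but that is not visible here and a later reader of the new header comment could reasonably "fix" it. If that holds, suggest `/* Plain load: caller holds the base lock, so timer->state cannot change under us */` above the declaration. The header change from int to bool also turns the return from a raw bitmask into 0/1, which is fine for boolean use but worth a glance at any in-tree caller that compared the value directly. remove_hrtimer() continues beyond the hunk.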
diff --git a/queue-4.4/net-icmp-fix-data-race-in-cmp_global_allow.patch b/queue-4.4/net-icmp-fix-data-race-in-cmp_global_allow.patch
new file mode 100644 (file)
index 0000000..68942a3
--- /dev/null
@@ -0,0 +1,116 @@
+From bbab7ef235031f6733b5429ae7877bfa22339712 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 8 Nov 2019 10:34:47 -0800
+Subject: net: icmp: fix data-race in cmp_global_allow()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit bbab7ef235031f6733b5429ae7877bfa22339712 upstream.
+
+This code reads two global variables without protection
+of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
+avoid load/store-tearing and better document the intent.
+
+KCSAN reported :
+BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow
+
+read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
+ icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
+
+write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
+ icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/icmp.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -256,10 +256,11 @@ bool icmp_global_allow(void)
+       bool rc = false;
+       /* Check if token bucket is empty and cannot be refilled
+-       * without taking the spinlock.
++       * without taking the spinlock. The READ_ONCE() are paired
++       * with the following WRITE_ONCE() in this same function.
+        */
+-      if (!icmp_global.credit) {
+-              delta = min_t(u32, now - icmp_global.stamp, HZ);
++      if (!READ_ONCE(icmp_global.credit)) {
++              delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ);
+               if (delta < HZ / 50)
+                       return false;
+       }
+@@ -269,14 +270,14 @@ bool icmp_global_allow(void)
+       if (delta >= HZ / 50) {
+               incr = sysctl_icmp_msgs_per_sec * delta / HZ ;
+               if (incr)
+-                      icmp_global.stamp = now;
++                      WRITE_ONCE(icmp_global.stamp, now);
+       }
+       credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
+       if (credit) {
+               credit--;
+               rc = true;
+       }
+-      icmp_global.credit = credit;
++      WRITE_ONCE(icmp_global.credit, credit);
+       spin_unlock(&icmp_global.lock);
+       return rc;
+ }
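Review bot: The plain read `icmp_global.credit + incr` in the credit computation of the second hunk is left without READ_ONCE() while the same field gets READ_ONCE()/WRITE_ONCE() a few lines apart, and the hunk does not say why. The spin_unlock(&icmp_global.lock) at the end of the hunk implies that read sits inside the locked section and so is not racy, but the pairing comment added to the lockless pre-check only mentions the WRITE_ONCE() side. Suggest adding `/* Under icmp_global.lock from here on: plain reads are fine, only the pre-check above is lockless */` before the credit computation so the asymmetry is documented rather than left for the next KCSAN report to raise. The lock acquisition itself lies between the two hunks and is not visible here.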
diff --git a/queue-4.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch b/queue-4.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
new file mode 100644 (file)
index 0000000..1ee7c94
--- /dev/null
@@ -0,0 +1,110 @@
+From 5604285839aaedfb23ebe297799c6e558939334d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Dec 2019 14:43:39 -0800
+Subject: netfilter: bridge: make sure to pull arp header in br_nf_forward_arp()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 5604285839aaedfb23ebe297799c6e558939334d upstream.
+
+syzbot is kind enough to remind us we need to call skb_may_pull()
+
+BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
+ __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
+ br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+ nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
+ nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
+ nf_hook include/linux/netfilter.h:260 [inline]
+ NF_HOOK include/linux/netfilter.h:303 [inline]
+ __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
+ br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
+ br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
+ nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
+ br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
+ __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
+ __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
+ __netif_receive_skb net/core/dev.c:5043 [inline]
+ process_backlog+0x610/0x13c0 net/core/dev.c:5874
+ napi_poll net/core/dev.c:6311 [inline]
+ net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
+ __do_softirq+0x4a1/0x83a kernel/softirq.c:293
+ do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
+ </IRQ>
+ do_softirq kernel/softirq.c:338 [inline]
+ __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
+ local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
+ rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
+ __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
+ packet_snd net/packet/af_packet.c:2959 [inline]
+ packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45a679
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
+RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
+R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
+ kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
+ kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
+ slab_alloc_node mm/slub.c:2773 [inline]
+ __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
+ sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
+ packet_alloc_skb net/packet/af_packet.c:2807 [inline]
+ packet_snd net/packet/af_packet.c:2902 [inline]
+ packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/br_netfilter_hooks.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -638,6 +638,9 @@ static unsigned int br_nf_forward_arp(vo
+               nf_bridge_pull_encap_header(skb);
+       }
++      if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
++              return NF_DROP;
++
+       if (arp_hdr(skb)->ar_pln != 4) {
+               if (IS_VLAN_ARP(skb))
+                       nf_bridge_push_encap_header(skb);
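Review bot: The new early `return NF_DROP` does not undo the nf_bridge_pull_encap_header() performed a few lines above for VLAN-encapsulated ARP, whereas the existing `ar_pln != 4` path pushes the header back before returning. That is harmless because NF_DROP frees the skb, but the asymmetry reads like an oversight; a short comment such as `/* No need to restore the encap header: the skb is dropped */` would settle it. The pull covers only the fixed-size struct arphdr, which is exactly what the `ar_pln` access needs; anything further down in br_nf_forward_arp() that dereferences the address fields would need a larger pull, but that part of the function is outside the hunk.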
diff --git a/queue-4.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch b/queue-4.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
new file mode 100644 (file)
index 0000000..7c6b14f
--- /dev/null
@@ -0,0 +1,138 @@
+From e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 15 Dec 2019 03:49:25 +0100
+Subject: netfilter: ebtables: compat: reject all padding in matches/watchers
+
+From: Florian Westphal <fw@strlen.de>
+
+commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe upstream.
+
+syzbot reported following splat:
+
+BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
+
+CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+ compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+ compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
+ compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
+ [..]
+
+Because padding isn't considered during computation of ->buf_user_offset,
+"total" is decremented by fewer bytes than it should.
+
+Therefore, the first part of
+
+if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
+
+will pass, -- it should not have.  This causes oob access:
+entry->next_offset is past the vmalloced size.
+
+Reject padding and check that computed user offset (sum of ebt_entry
+structure plus all individual matches/watchers/targets) is same
+value that userspace gave us as the offset of the next entry.
+
+Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c |   33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1883,7 +1883,7 @@ static int ebt_buf_count(struct ebt_entr
+ }
+ static int ebt_buf_add(struct ebt_entries_buf_state *state,
+-                     void *data, unsigned int sz)
++                     const void *data, unsigned int sz)
+ {
+       if (state->buf_kern_start == NULL)
+               goto count_only;
+@@ -1917,7 +1917,7 @@ enum compat_mwt {
+       EBT_COMPAT_TARGET,
+ };
+-static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
++static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
+                               enum compat_mwt compat_mwt,
+                               struct ebt_entries_buf_state *state,
+                               const unsigned char *base)
+@@ -1994,22 +1994,23 @@ static int compat_mtw_from_user(struct c
+  * return size of all matches, watchers or target, including necessary
+  * alignment and padding.
+  */
+-static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
++static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
+                       unsigned int size_left, enum compat_mwt type,
+                       struct ebt_entries_buf_state *state, const void *base)
+ {
++      const char *buf = (const char *)match32;
+       int growth = 0;
+-      char *buf;
+       if (size_left == 0)
+               return 0;
+-      buf = (char *) match32;
+-
+-      while (size_left >= sizeof(*match32)) {
++      do {
+               struct ebt_entry_match *match_kern;
+               int ret;
++              if (size_left < sizeof(*match32))
++                      return -EINVAL;
++
+               match_kern = (struct ebt_entry_match *) state->buf_kern_start;
+               if (match_kern) {
+                       char *tmp;
+@@ -2046,22 +2047,18 @@ static int ebt_size_mwt(struct compat_eb
+               if (match_kern)
+                       match_kern->match_size = ret;
+-              /* rule should have no remaining data after target */
+-              if (type == EBT_COMPAT_TARGET && size_left)
+-                      return -EINVAL;
+-
+               match32 = (struct compat_ebt_entry_mwt *) buf;
+-      }
++      } while (size_left);
+       return growth;
+ }
+ /* called for all ebt_entry structures. */
+-static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
++static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
+                         unsigned int *total,
+                         struct ebt_entries_buf_state *state)
+ {
+-      unsigned int i, j, startoff, new_offset = 0;
++      unsigned int i, j, startoff, next_expected_off, new_offset = 0;
+       /* stores match/watchers/targets & offset of next struct ebt_entry: */
+       unsigned int offsets[4];
+       unsigned int *offsets_update = NULL;
+@@ -2149,11 +2146,13 @@ static int size_entry_mwt(struct ebt_ent
+                       return ret;
+       }
+-      startoff = state->buf_user_offset - startoff;
++      next_expected_off = state->buf_user_offset - startoff;
++      if (next_expected_off != entry->next_offset)
++              return -EINVAL;
+-      if (WARN_ON(*total < startoff))
++      if (*total < entry->next_offset)
+               return -EINVAL;
+-      *total -= startoff;
++      *total -= entry->next_offset;
+       return 0;
+ }
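Review bot: The new equality check `if (next_expected_off != entry->next_offset) return -EINVAL;` in size_entry_mwt() has no comment, and the reason it must be an exact match rather than `<=` lives only in the commit message. Suggest adding above it: `/* buf_user_offset counts only bytes actually consumed; any padding would make *total drift from the real entry size, so reject it outright */`. In ebt_size_mwt() the explicit "no remaining data after target" check is dropped in favour of `while (size_left)`, so trailing bytes after a target now go round the loop again and are presumably rejected by the per-item parsing or by the new offset check in the caller; a comment at the loop exit saying so would make that intent explicit. The body of that loop, including the size_left decrement the exit condition depends on, is cut out of the hunk.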
index b9cd561d6253d4f302c92a21e1754566fb887ecc..8fcc5f6e2af41bd65fb9b0e8c9894e363989a03c 100644 (file)
@@ -128,3 +128,8 @@ alsa-hda-downgrade-error-message-for-single-cmd-fall.patch
 make-filldir-verify-the-directory-entry-filename-is-valid.patch
 filldir-remove-warn_on_once-for-bad-directory-entries.patch
 net-davinci_cpdma-use-dma_addr_t-for-dma-address.patch
+netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
+6pack-mkiss-fix-possible-deadlock.patch
+netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
+net-icmp-fix-data-race-in-cmp_global_allow.patch
+hrtimer-annotate-lockless-access-to-timer-state.patch