From: Greg Kroah-Hartman Date: Mon, 15 Feb 2021 14:58:03 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.4.99~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05f34028efb3868869dd02474ec0f877e0a72834;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: net-fix-iteration-for-sctp-transport-seq_files.patch net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch ovl-expand-warning-in-ovl_d_real.patch vsock-fix-locking-in-vsock_shutdown.patch vsock-virtio-update-credit-only-if-socket-is-not-closed.patch --- diff --git a/queue-4.19/net-fix-iteration-for-sctp-transport-seq_files.patch b/queue-4.19/net-fix-iteration-for-sctp-transport-seq_files.patch new file mode 100644 index 00000000000..99665bef8ee --- /dev/null +++ b/queue-4.19/net-fix-iteration-for-sctp-transport-seq_files.patch @@ -0,0 +1,76 @@ +From af8085f3a4712c57d0dd415ad543bac85780375c Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 5 Feb 2021 11:36:30 +1100 +Subject: net: fix iteration for sctp transport seq_files + +From: NeilBrown + +commit af8085f3a4712c57d0dd415ad543bac85780375c upstream. + +The sctp transport seq_file iterators take a reference to the transport +in the ->start and ->next functions and releases the reference in the +->show function. The preferred handling for such resources is to +release them in the subsequent ->next or ->stop function call. + +Since Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration +code and interface") there is no guarantee that ->show will be called +after ->next, so this function can now leak references. + +So move the sctp_transport_put() call to ->next and ->stop. + +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") +Reported-by: Xin Long +Signed-off-by: NeilBrown +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/proc.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/net/sctp/proc.c ++++ b/net/sctp/proc.c +@@ -230,6 +230,12 @@ static void sctp_transport_seq_stop(stru + { + struct sctp_ht_iter *iter = seq->private; + ++ if (v && v != SEQ_START_TOKEN) { ++ struct sctp_transport *transport = v; ++ ++ sctp_transport_put(transport); ++ } ++ + sctp_transport_walk_stop(&iter->hti); + } + +@@ -237,6 +243,12 @@ static void *sctp_transport_seq_next(str + { + struct sctp_ht_iter *iter = seq->private; + ++ if (v && v != SEQ_START_TOKEN) { ++ struct sctp_transport *transport = v; ++ ++ sctp_transport_put(transport); ++ } ++ + ++*pos; + + return sctp_transport_get_next(seq_file_net(seq), &iter->hti); +@@ -292,8 +304,6 @@ static int sctp_assocs_seq_show(struct s + sk->sk_rcvbuf); + seq_printf(seq, "\n"); + +- sctp_transport_put(transport); +- + return 0; + } + +@@ -369,8 +379,6 @@ static int sctp_remaddr_seq_show(struct + seq_printf(seq, "\n"); + } + +- sctp_transport_put(transport); +- + return 0; + } + diff --git a/queue-4.19/net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch b/queue-4.19/net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch new file mode 100644 index 00000000000..f8124afd327 --- /dev/null +++ b/queue-4.19/net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch @@ -0,0 +1,51 @@ +From 2a80c15812372e554474b1dba0b1d8e467af295d Mon Sep 17 00:00:00 2001 +From: Sabyrzhan Tasbolatov +Date: Tue, 2 Feb 2021 15:20:59 +0600 +Subject: net/qrtr: restrict user-controlled length in qrtr_tun_write_iter() + +From: Sabyrzhan Tasbolatov + +commit 2a80c15812372e554474b1dba0b1d8e467af295d upstream. + +syzbot found WARNING in qrtr_tun_write_iter [1] when write_iter length +exceeds KMALLOC_MAX_SIZE causing order >= MAX_ORDER condition. + +Additionally, there is no check for 0 length write. + +[1] +WARNING: mm/page_alloc.c:5011 +[..] +Call Trace: + alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 + alloc_pages include/linux/gfp.h:547 [inline] + kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 + kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 + kmalloc include/linux/slab.h:557 [inline] + kzalloc include/linux/slab.h:682 [inline] + qrtr_tun_write_iter+0x8a/0x180 net/qrtr/tun.c:83 + call_write_iter include/linux/fs.h:1901 [inline] + +Reported-by: syzbot+c2a7e5c5211605a90865@syzkaller.appspotmail.com +Signed-off-by: Sabyrzhan Tasbolatov +Link: https://lore.kernel.org/r/20210202092059.1361381-1-snovitoll@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/tun.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/qrtr/tun.c ++++ b/net/qrtr/tun.c +@@ -80,6 +80,12 @@ static ssize_t qrtr_tun_write_iter(struc + ssize_t ret; + void *kbuf; + ++ if (!len) ++ return -EINVAL; ++ ++ if (len > KMALLOC_MAX_SIZE) ++ return -ENOMEM; ++ + kbuf = kzalloc(len, GFP_KERNEL); + if (!kbuf) + return -ENOMEM; diff --git a/queue-4.19/net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch b/queue-4.19/net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch new file mode 100644 index 00000000000..469e724cf47 --- /dev/null +++ b/queue-4.19/net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch @@ -0,0 +1,53 @@ +From a11148e6fcce2ae53f47f0a442d098d860b4f7db Mon Sep 17 00:00:00 2001 +From: Sabyrzhan Tasbolatov +Date: Tue, 2 Feb 2021 02:32:33 +0600 +Subject: net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS + +From: Sabyrzhan Tasbolatov + +commit a11148e6fcce2ae53f47f0a442d098d860b4f7db upstream. + +syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS +control message is passed with user-controlled +0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition. + +The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400. +So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10 +is the closest limit, with 0x10 leftover. + +Same condition is currently done in rds_cmsg_rdma_args(). + +[1] WARNING: mm/page_alloc.c:5011 +[..] +Call Trace: + alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 + alloc_pages include/linux/gfp.h:547 [inline] + kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 + kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 + kmalloc_array include/linux/slab.h:592 [inline] + kcalloc include/linux/slab.h:621 [inline] + rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568 + rds_rm_size net/rds/send.c:928 [inline] + +Reported-by: syzbot+1bd2b07f93745fa38425@syzkaller.appspotmail.com +Signed-off-by: Sabyrzhan Tasbolatov +Acked-by: Santosh Shilimkar +Link: https://lore.kernel.org/r/20210201203233.1324704-1-snovitoll@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/rdma.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -531,6 +531,9 @@ int rds_rdma_extra_size(struct rds_rdma_ + if (args->nr_local == 0) + return -EINVAL; + ++ if (args->nr_local > UIO_MAXIOV) ++ return -EMSGSIZE; ++ + iov->iov = kcalloc(args->nr_local, + sizeof(struct rds_iovec), + GFP_KERNEL); diff --git a/queue-4.19/net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch b/queue-4.19/net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch new file mode 100644 index 00000000000..5a58bada531 --- /dev/null +++ b/queue-4.19/net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch @@ -0,0 +1,49 @@ +From 3d0bc44d39bca615b72637e340317b7899b7f911 Mon Sep 17 00:00:00 2001 +From: Norbert Slusarek +Date: Fri, 5 Feb 2021 13:14:05 +0100 +Subject: net/vmw_vsock: improve locking in vsock_connect_timeout() + +From: Norbert Slusarek + +commit 3d0bc44d39bca615b72637e340317b7899b7f911 upstream. + +A possible locking issue in vsock_connect_timeout() was recognized by +Eric Dumazet which might cause a null pointer dereference in +vsock_transport_cancel_pkt(). This patch assures that +vsock_transport_cancel_pkt() will be called within the lock, so a race +condition won't occur which could result in vsk->transport to be set to NULL. + +Fixes: 380feae0def7 ("vsock: cancel packets when failing to connect") +Reported-by: Eric Dumazet +Signed-off-by: Norbert Slusarek +Reviewed-by: Stefano Garzarella +Link: https://lore.kernel.org/r/trinity-f8e0937a-cf0e-4d80-a76e-d9a958ba3ef1-1612535522360@3c-app-gmx-bap12 +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1107,7 +1107,6 @@ static void vsock_connect_timeout(struct + { + struct sock *sk; + struct vsock_sock *vsk; +- int cancel = 0; + + vsk = container_of(work, struct vsock_sock, connect_work.work); + sk = sk_vsock(vsk); +@@ -1118,11 +1117,9 @@ static void vsock_connect_timeout(struct + sk->sk_state = TCP_CLOSE; + sk->sk_err = ETIMEDOUT; + sk->sk_error_report(sk); +- cancel = 1; ++ vsock_transport_cancel_pkt(vsk); + } + release_sock(sk); +- if (cancel) +- vsock_transport_cancel_pkt(vsk); + + sock_put(sk); + } diff --git a/queue-4.19/net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch b/queue-4.19/net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch new file mode 100644 index 00000000000..b09b2ccec84 --- /dev/null +++ b/queue-4.19/net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch @@ -0,0 +1,47 @@ +From 3aa6bce9af0e25b735c9c1263739a5639a336ae8 Mon Sep 17 00:00:00 2001 +From: Edwin Peer +Date: Fri, 5 Feb 2021 17:37:32 -0800 +Subject: net: watchdog: hold device global xmit lock during tx disable + +From: Edwin Peer + +commit 3aa6bce9af0e25b735c9c1263739a5639a336ae8 upstream. + +Prevent netif_tx_disable() running concurrently with dev_watchdog() by +taking the device global xmit lock. Otherwise, the recommended: + + netif_carrier_off(dev); + netif_tx_disable(dev); + +driver shutdown sequence can happen after the watchdog has already +checked carrier, resulting in possible false alarms. This is because +netif_tx_lock() only sets the frozen bit without maintaining the locks +on the individual queues. + +Fixes: c3f26a269c24 ("netdev: Fix lockdep warnings in multiqueue configurations.") +Signed-off-by: Edwin Peer +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -3966,6 +3966,7 @@ static inline void netif_tx_disable(stru + + local_bh_disable(); + cpu = smp_processor_id(); ++ spin_lock(&dev->tx_global_lock); + for (i = 0; i < dev->num_tx_queues; i++) { + struct netdev_queue *txq = netdev_get_tx_queue(dev, i); + +@@ -3973,6 +3974,7 @@ static inline void netif_tx_disable(stru + netif_tx_stop_queue(txq); + __netif_tx_unlock(txq); + } ++ spin_unlock(&dev->tx_global_lock); + local_bh_enable(); + } + diff --git a/queue-4.19/ovl-expand-warning-in-ovl_d_real.patch b/queue-4.19/ovl-expand-warning-in-ovl_d_real.patch new file mode 100644 index 00000000000..ce2ef834841 --- /dev/null +++ b/queue-4.19/ovl-expand-warning-in-ovl_d_real.patch @@ -0,0 +1,54 @@ +From cef4cbff06fbc3be54d6d79ee139edecc2ee8598 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 12 Nov 2020 11:31:55 +0100 +Subject: ovl: expand warning in ovl_d_real() + +From: Miklos Szeredi + +commit cef4cbff06fbc3be54d6d79ee139edecc2ee8598 upstream. + +There was a syzbot report with this warning but insufficient information... + +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/super.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -82,7 +82,7 @@ static void ovl_dentry_release(struct de + static struct dentry *ovl_d_real(struct dentry *dentry, + const struct inode *inode) + { +- struct dentry *real; ++ struct dentry *real = NULL, *lower; + + /* It's an overlay file */ + if (inode && d_inode(dentry) == inode) +@@ -101,9 +101,10 @@ static struct dentry *ovl_d_real(struct + if (real && !inode && ovl_has_upperdata(d_inode(dentry))) + return real; + +- real = ovl_dentry_lowerdata(dentry); +- if (!real) ++ lower = ovl_dentry_lowerdata(dentry); ++ if (!lower) + goto bug; ++ real = lower; + + /* Handle recursion */ + real = d_real(real, inode); +@@ -111,8 +112,10 @@ static struct dentry *ovl_d_real(struct + if (!inode || inode == d_inode(real)) + return real; + bug: +- WARN(1, "ovl_d_real(%pd4, %s:%lu): real dentry not found\n", dentry, +- inode ? inode->i_sb->s_id : "NULL", inode ? inode->i_ino : 0); ++ WARN(1, "%s(%pd4, %s:%lu): real dentry (%p/%lu) not found\n", ++ __func__, dentry, inode ? inode->i_sb->s_id : "NULL", ++ inode ? inode->i_ino : 0, real, ++ real && d_inode(real) ? d_inode(real)->i_ino : 0); + return dentry; + } + diff --git a/queue-4.19/series b/queue-4.19/series index e88799d0aaf..8600d39f4c8 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -26,3 +26,11 @@ i2c-stm32f7-fix-configuration-of-the-digital-filter.patch h8300-fix-preemption-build-ti_pre_count-undefined.patch usb-dwc3-ulpi-fix-checkpatch-warning.patch usb-dwc3-ulpi-replace-cpu-based-busyloop-with-protocol-based-one.patch +net-fix-iteration-for-sctp-transport-seq_files.patch +net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch +net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch +vsock-virtio-update-credit-only-if-socket-is-not-closed.patch +vsock-fix-locking-in-vsock_shutdown.patch +net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch +net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch +ovl-expand-warning-in-ovl_d_real.patch diff --git a/queue-4.19/vsock-fix-locking-in-vsock_shutdown.patch b/queue-4.19/vsock-fix-locking-in-vsock_shutdown.patch new file mode 100644 index 00000000000..d65248e57a7 --- /dev/null +++ b/queue-4.19/vsock-fix-locking-in-vsock_shutdown.patch @@ -0,0 +1,86 @@ +From 1c5fae9c9a092574398a17facc31c533791ef232 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Tue, 9 Feb 2021 09:52:19 +0100 +Subject: vsock: fix locking in vsock_shutdown() + +From: Stefano Garzarella + +commit 1c5fae9c9a092574398a17facc31c533791ef232 upstream. + +In vsock_shutdown() we touched some socket fields without holding the +socket lock, such as 'state' and 'sk_flags'. + +Also, after the introduction of multi-transport, we are accessing +'vsk->transport' in vsock_send_shutdown() without holding the lock +and this call can be made while the connection is in progress, so +the transport can change in the meantime. + +To avoid issues, we hold the socket lock when we enter in +vsock_shutdown() and release it when we leave. + +Among the transports that implement the 'shutdown' callback, only +hyperv_transport acquired the lock. Since the caller now holds it, +we no longer take it. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 8 +++++--- + net/vmw_vsock/hyperv_transport.c | 4 ---- + 2 files changed, 5 insertions(+), 7 deletions(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -816,10 +816,12 @@ static int vsock_shutdown(struct socket + */ + + sk = sock->sk; ++ ++ lock_sock(sk); + if (sock->state == SS_UNCONNECTED) { + err = -ENOTCONN; + if (sk->sk_type == SOCK_STREAM) +- return err; ++ goto out; + } else { + sock->state = SS_DISCONNECTING; + err = 0; +@@ -828,10 +830,8 @@ static int vsock_shutdown(struct socket + /* Receive and send shutdowns are treated alike. */ + mode = mode & (RCV_SHUTDOWN | SEND_SHUTDOWN); + if (mode) { +- lock_sock(sk); + sk->sk_shutdown |= mode; + sk->sk_state_change(sk); +- release_sock(sk); + + if (sk->sk_type == SOCK_STREAM) { + sock_reset_flag(sk, SOCK_DONE); +@@ -839,6 +839,8 @@ static int vsock_shutdown(struct socket + } + } + ++out: ++ release_sock(sk); + return err; + } + +--- a/net/vmw_vsock/hyperv_transport.c ++++ b/net/vmw_vsock/hyperv_transport.c +@@ -443,14 +443,10 @@ static void hvs_shutdown_lock_held(struc + + static int hvs_shutdown(struct vsock_sock *vsk, int mode) + { +- struct sock *sk = sk_vsock(vsk); +- + if (!(mode & SEND_SHUTDOWN)) + return 0; + +- lock_sock(sk); + hvs_shutdown_lock_held(vsk->trans, mode); +- release_sock(sk); + return 0; + } + diff --git a/queue-4.19/vsock-virtio-update-credit-only-if-socket-is-not-closed.patch b/queue-4.19/vsock-virtio-update-credit-only-if-socket-is-not-closed.patch new file mode 100644 index 00000000000..d6d1cbdbbdb --- /dev/null +++ b/queue-4.19/vsock-virtio-update-credit-only-if-socket-is-not-closed.patch @@ -0,0 +1,40 @@ +From ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Mon, 8 Feb 2021 15:44:54 +0100 +Subject: vsock/virtio: update credit only if socket is not closed + +From: Stefano Garzarella + +commit ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46 upstream. + +If the socket is closed or is being released, some resources used by +virtio_transport_space_update() such as 'vsk->trans' may be released. + +To avoid a use after free bug we should only update the available credit +when we are sure the socket is still open and we have the lock held. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Signed-off-by: Stefano Garzarella +Acked-by: Michael S. Tsirkin +Link: https://lore.kernel.org/r/20210208144454.84438-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1033,10 +1033,10 @@ void virtio_transport_recv_pkt(struct vi + + vsk = vsock_sk(sk); + +- space_available = virtio_transport_space_update(sk, pkt); +- + lock_sock(sk); + ++ space_available = virtio_transport_space_update(sk, pkt); ++ + /* Update CID in case it has changed after a transport reset event */ + vsk->local_addr.svm_cid = dst.svm_cid; +