From: Greg Kroah-Hartman Date: Thu, 22 Jul 2021 15:58:25 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.135~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=068e2bb3d3c30ceec6d4a131ac27946a2620ac31;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-dts-aspeed-fix-ast2600-machines-line-names.patch arm-dts-tacoma-add-phase-corrections-for-emmc.patch bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch bpftool-properly-close-va_list-ap-by-va_end-on-error.patch drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch perf-test-bpf-free-obj_buf.patch tcp-annotate-data-races-around-tp-mtu_info.patch tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch tcp-consistently-disable-header-prediction-for-mptcp.patch tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch tools-bpf-fix-error-in-make-c-tools-bpf_install.patch udp-annotate-data-races-around-unix_sk-sk-gso_size.patch --- diff --git a/queue-5.10/arm-dts-aspeed-fix-ast2600-machines-line-names.patch b/queue-5.10/arm-dts-aspeed-fix-ast2600-machines-line-names.patch new file mode 100644 index 00000000000..3726eb2b46b --- /dev/null +++ b/queue-5.10/arm-dts-aspeed-fix-ast2600-machines-line-names.patch @@ -0,0 +1,54 @@ +From ca46ad2214473df1a6a9496be17156d65ba89b9f Mon Sep 17 00:00:00 2001 +From: Joel Stanley +Date: Thu, 24 Jun 2021 18:37:42 +0930 +Subject: ARM: dts: aspeed: Fix AST2600 machines line names + +From: Joel Stanley + +commit ca46ad2214473df1a6a9496be17156d65ba89b9f upstream. + +Tacoma and Rainier both have a line-names array that is too long: + + gpio gpiochip0: gpio-line-names is length 232 but should be at most length 208 + +This was probably copied from an AST2500 device tree that did have more +GPIOs on the controller. 
+ +Fixes: e9b24b55ca4f ("ARM: dts: aspeed: rainier: Add gpio line names") +Fixes: 2f68e4e7df67 ("ARM: dts: aspeed: tacoma: Add gpio line names") +Link: https://lore.kernel.org/r/20210624090742.56640-1-joel@jms.id.au +Signed-off-by: Joel Stanley +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts | 5 +---- + arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts | 5 +---- + 2 files changed, 2 insertions(+), 8 deletions(-) + +--- a/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts +@@ -156,10 +156,7 @@ + /*W0-W7*/ "","","","","","","","", + /*X0-X7*/ "","","","","","","","", + /*Y0-Y7*/ "","","","","","","","", +- /*Z0-Z7*/ "","","","","","","","", +- /*AA0-AA7*/ "","","","","","","","", +- /*AB0-AB7*/ "","","","","","","","", +- /*AC0-AC7*/ "","","","","","","",""; ++ /*Z0-Z7*/ "","","","","","","",""; + + pin_mclr_vpp { + gpio-hog; +--- a/arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts +@@ -127,10 +127,7 @@ + /*W0-W7*/ "","","","","","","","", + /*X0-X7*/ "","","","","","","","", + /*Y0-Y7*/ "","","","","","","","", +- /*Z0-Z7*/ "","","","","","","","", +- /*AA0-AA7*/ "","","","","","","","", +- /*AB0-AB7*/ "","","","","","","","", +- /*AC0-AC7*/ "","","","","","","",""; ++ /*Z0-Z7*/ "","","","","","","",""; + }; + + &fmc { diff --git a/queue-5.10/arm-dts-tacoma-add-phase-corrections-for-emmc.patch b/queue-5.10/arm-dts-tacoma-add-phase-corrections-for-emmc.patch new file mode 100644 index 00000000000..0d00794fc70 --- /dev/null +++ b/queue-5.10/arm-dts-tacoma-add-phase-corrections-for-emmc.patch @@ -0,0 +1,35 @@ +From 2d6608b57c50c54c3e46649110e8ea5a40959c30 Mon Sep 17 00:00:00 2001 +From: Andrew Jeffery +Date: Fri, 25 Jun 2021 15:40:17 +0930 +Subject: ARM: dts: tacoma: Add phase corrections for eMMC + +From: Andrew Jeffery + +commit 2d6608b57c50c54c3e46649110e8ea5a40959c30 upstream. 
+ +The degree values were reversed out from the magic tap values of 7 (in) +and 15 + inversion (out) initially suggested by Aspeed. + +With the patch tacoma survives several gigabytes of reads and writes +using dd while without it locks up randomly during the boot process. + +Signed-off-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20210625061017.1149942-1-andrew@aj.id.au +Fixes: 2fc88f92359d ("mmc: sdhci-of-aspeed: Expose clock phase controls") +Fixes: 961216c135a8 ("ARM: dts: aspeed: Add Rainier system") +Signed-off-by: Joel Stanley +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts +@@ -177,6 +177,7 @@ + + &emmc { + status = "okay"; ++ clk-phase-mmc-hs200 = <36>, <270>; + }; + + &fsim0 { diff --git a/queue-5.10/bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch b/queue-5.10/bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch new file mode 100644 index 00000000000..eb74e48ae82 --- /dev/null +++ b/queue-5.10/bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch @@ -0,0 +1,229 @@ +From f263a81451c12da5a342d90572e317e611846f2c Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Wed, 7 Jul 2021 15:38:47 -0700 +Subject: bpf: Track subprog poke descriptors correctly and fix use-after-free + +From: John Fastabend + +commit f263a81451c12da5a342d90572e317e611846f2c upstream. + +Subprograms are calling map_poke_track(), but on program release there is no +hook to call map_poke_untrack(). However, on program release, the aux memory +(and poke descriptor table) is freed even though we still have a reference to +it in the element list of the map aux data. When we run map_poke_run(), we then +end up accessing free'd memory, triggering KASAN in prog_array_map_poke_run(): + + [...] 
+ [ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e + [ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337 + [ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399 + [ 402.824715] Call Trace: + [ 402.824719] dump_stack+0x93/0xc2 + [ 402.824727] print_address_description.constprop.0+0x1a/0x140 + [ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e + [ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e + [ 402.824744] kasan_report.cold+0x7c/0xd8 + [ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e + [ 402.824757] prog_array_map_poke_run+0xc2/0x34e + [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0 + [...] + +The elements concerned are walked as follows: + + for (i = 0; i < elem->aux->size_poke_tab; i++) { + poke = &elem->aux->poke_tab[i]; + [...] + +The access to size_poke_tab is a 4 byte read, verified by checking offsets +in the KASAN dump: + + [ 402.825004] The buggy address belongs to the object at ffff8881905a7800 + which belongs to the cache kmalloc-1k of size 1024 + [ 402.825008] The buggy address is located 320 bytes inside of + 1024-byte region [ffff8881905a7800, ffff8881905a7c00) + +The pahole output of bpf_prog_aux: + + struct bpf_prog_aux { + [...] + /* --- cacheline 5 boundary (320 bytes) --- */ + u32 size_poke_tab; /* 320 4 */ + [...] + +In general, subprograms do not necessarily manage their own data structures. +For example, BTF func_info and linfo are just pointers to the main program +structure. This allows reference counting and cleanup to be done on the latter +which simplifies their management a bit. The aux->poke_tab struct, however, +did not follow this logic. The initial proposed fix for this use-after-free +bug further embedded poke data tracking into the subprogram with proper +reference counting. However, Daniel and Alexei questioned why we were treating +these objects special; I agree, its unnecessary. 
The fix here removes the per
+subprogram poke table allocation and map tracking and instead simply points
+the aux->poke_tab pointer at the main program's poke table. This way, map
+tracking is simplified to the main program and we do not need to manage them
+per subprogram.
+
+This also means that bpf_prog_free_deferred(), which unwinds the program
+reference counting and kfrees objects, needs to ensure that we don't try to
+double free the poke_tab when free'ing the subprog structures. This is easily
+solved by NULL'ing the poke_tab pointer. The second detail is to ensure that
+per subprogram JIT logic only does fixups on poke_tab[] entries it owns. To do
+this, we add a pointer in the poke structure to point at the subprogram value
+so JITs can easily check while walking the poke_tab structure if the current
+entry belongs to the current program. The aux pointer is stable and therefore
+suitable for such comparison. On the jit_subprogs() error path, we omit
+cleaning up the poke->aux field because these are only ever referenced from
+the JIT side, but on error we will never make it to the JIT, so it's fine to
+leave them dangling. Removing these pointers would complicate the error path
+for no reason. However, we do need to untrack all poke descriptors from the
+main program as otherwise they could race with the freeing of JIT memory from
+the subprograms. Lastly, a748c6975dea3 ("bpf: propagate poke descriptors to
+subprograms") had an off-by-one on the subprogram instruction index range
+check as it was testing 'insn_idx >= subprog_start && insn_idx <= subprog_end'.
+However, subprog_end is the next subprogram's start instruction.
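[Editor's note] The ownership rule described above can be sketched in plain userspace C. This is not kernel code: `struct poke_desc` and `count_owned` are made-up stand-ins for `bpf_jit_poke_descriptor` and the JIT's fixup walk, showing only the idea that all subprogs share one table and skip entries whose `aux` belongs to someone else.

```c
#include <stddef.h>

/* Illustrative only: each entry in the shared poke table records the
 * aux of the subprog that owns it; a walker skips foreign entries. */
struct poke_desc {
	const void *aux;	/* owning subprog's aux, or NULL */
	int insn_idx;
};

static int count_owned(const struct poke_desc *tab, int n, const void *my_aux)
{
	int i, owned = 0;

	for (i = 0; i < n; i++) {
		if (tab[i].aux && tab[i].aux != my_aux)
			continue;	/* belongs to another subprog: skip */
		owned++;
	}
	return owned;
}
```

This mirrors the `poke->aux && poke->aux != prog->aux` check the patch adds in `bpf_tail_call_direct_fixup()`.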
+ +Fixes: a748c6975dea3 ("bpf: propagate poke descriptors to subprograms") +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Co-developed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20210707223848.14580-2-john.fastabend@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/net/bpf_jit_comp.c | 3 ++ + include/linux/bpf.h | 1 + kernel/bpf/core.c | 8 +++++ + kernel/bpf/verifier.c | 60 +++++++++++++++----------------------------- + 4 files changed, 32 insertions(+), 40 deletions(-) + +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -564,6 +564,9 @@ static void bpf_tail_call_direct_fixup(s + + for (i = 0; i < prog->aux->size_poke_tab; i++) { + poke = &prog->aux->poke_tab[i]; ++ if (poke->aux && poke->aux != prog->aux) ++ continue; ++ + WARN_ON_ONCE(READ_ONCE(poke->tailcall_target_stable)); + + if (poke->reason != BPF_POKE_REASON_TAIL_CALL) +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -752,6 +752,7 @@ struct bpf_jit_poke_descriptor { + void *tailcall_target; + void *tailcall_bypass; + void *bypass_addr; ++ void *aux; + union { + struct { + struct bpf_map *map; +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -2167,8 +2167,14 @@ static void bpf_prog_free_deferred(struc + #endif + if (aux->dst_trampoline) + bpf_trampoline_put(aux->dst_trampoline); +- for (i = 0; i < aux->func_cnt; i++) ++ for (i = 0; i < aux->func_cnt; i++) { ++ /* We can just unlink the subprog poke descriptor table as ++ * it was originally linked to the main program and is also ++ * released along with it. 
++ */ ++ aux->func[i]->aux->poke_tab = NULL; + bpf_jit_free(aux->func[i]); ++ } + if (aux->func_cnt) { + kfree(aux->func); + bpf_prog_unlock_free(aux->prog); +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -11157,33 +11157,19 @@ static int jit_subprogs(struct bpf_verif + goto out_free; + func[i]->is_func = 1; + func[i]->aux->func_idx = i; +- /* the btf and func_info will be freed only at prog->aux */ ++ /* Below members will be freed only at prog->aux */ + func[i]->aux->btf = prog->aux->btf; + func[i]->aux->func_info = prog->aux->func_info; ++ func[i]->aux->poke_tab = prog->aux->poke_tab; ++ func[i]->aux->size_poke_tab = prog->aux->size_poke_tab; + + for (j = 0; j < prog->aux->size_poke_tab; j++) { +- u32 insn_idx = prog->aux->poke_tab[j].insn_idx; +- int ret; ++ struct bpf_jit_poke_descriptor *poke; + +- if (!(insn_idx >= subprog_start && +- insn_idx <= subprog_end)) +- continue; +- +- ret = bpf_jit_add_poke_descriptor(func[i], +- &prog->aux->poke_tab[j]); +- if (ret < 0) { +- verbose(env, "adding tail call poke descriptor failed\n"); +- goto out_free; +- } +- +- func[i]->insnsi[insn_idx - subprog_start].imm = ret + 1; +- +- map_ptr = func[i]->aux->poke_tab[ret].tail_call.map; +- ret = map_ptr->ops->map_poke_track(map_ptr, func[i]->aux); +- if (ret < 0) { +- verbose(env, "tracking tail call prog failed\n"); +- goto out_free; +- } ++ poke = &prog->aux->poke_tab[j]; ++ if (poke->insn_idx < subprog_end && ++ poke->insn_idx >= subprog_start) ++ poke->aux = func[i]->aux; + } + + /* Use bpf_prog_F_tag to indicate functions in stack traces. 
+@@ -11213,18 +11199,6 @@ static int jit_subprogs(struct bpf_verif + cond_resched(); + } + +- /* Untrack main program's aux structs so that during map_poke_run() +- * we will not stumble upon the unfilled poke descriptors; each +- * of the main program's poke descs got distributed across subprogs +- * and got tracked onto map, so we are sure that none of them will +- * be missed after the operation below +- */ +- for (i = 0; i < prog->aux->size_poke_tab; i++) { +- map_ptr = prog->aux->poke_tab[i].tail_call.map; +- +- map_ptr->ops->map_poke_untrack(map_ptr, prog->aux); +- } +- + /* at this point all bpf functions were successfully JITed + * now populate all bpf_calls with correct addresses and + * run last pass of JIT +@@ -11293,14 +11267,22 @@ static int jit_subprogs(struct bpf_verif + bpf_prog_free_unused_jited_linfo(prog); + return 0; + out_free: ++ /* We failed JIT'ing, so at this point we need to unregister poke ++ * descriptors from subprogs, so that kernel is not attempting to ++ * patch it anymore as we're freeing the subprog JIT memory. ++ */ ++ for (i = 0; i < prog->aux->size_poke_tab; i++) { ++ map_ptr = prog->aux->poke_tab[i].tail_call.map; ++ map_ptr->ops->map_poke_untrack(map_ptr, prog->aux); ++ } ++ /* At this point we're guaranteed that poke descriptors are not ++ * live anymore. We can just unlink its descriptor table as it's ++ * released with the main prog. 
++ */ + for (i = 0; i < env->subprog_cnt; i++) { + if (!func[i]) + continue; +- +- for (j = 0; j < func[i]->aux->size_poke_tab; j++) { +- map_ptr = func[i]->aux->poke_tab[j].tail_call.map; +- map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux); +- } ++ func[i]->aux->poke_tab = NULL; + bpf_jit_free(func[i]); + } + kfree(func); diff --git a/queue-5.10/bpftool-properly-close-va_list-ap-by-va_end-on-error.patch b/queue-5.10/bpftool-properly-close-va_list-ap-by-va_end-on-error.patch new file mode 100644 index 00000000000..58b2cc932a9 --- /dev/null +++ b/queue-5.10/bpftool-properly-close-va_list-ap-by-va_end-on-error.patch @@ -0,0 +1,40 @@ +From bc832065b60f973771ff3e657214bb21b559833c Mon Sep 17 00:00:00 2001 +From: Gu Shengxian +Date: Mon, 5 Jul 2021 18:35:43 -0700 +Subject: bpftool: Properly close va_list 'ap' by va_end() on error + +From: Gu Shengxian + +commit bc832065b60f973771ff3e657214bb21b559833c upstream. + +va_list 'ap' was opened but not closed by va_end() in error case. It should +be closed by va_end() before the return. 
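[Editor's note] The corrected pattern generalizes beyond bpftool: capture the `vasprintf()` result, run `va_end()` unconditionally, and only then check for failure. A minimal userspace sketch (`print_json` is a made-up stand-in for bpftool's `fprintf_json`):

```c
#define _GNU_SOURCE		/* vasprintf() is a GNU extension */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* Save the result first so va_end() runs on the error path, too. */
static int print_json(FILE *out, const char *fmt, ...)
{
	va_list ap;
	char *s;
	int err;

	va_start(ap, fmt);
	err = vasprintf(&s, fmt, ap);
	va_end(ap);		/* always closed, even when vasprintf fails */
	if (err < 0)
		return -1;

	fputs(s, out);
	free(s);
	return 0;
}
```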
+ +Fixes: aa52bcbe0e72 ("tools: bpftool: Fix json dump crash on powerpc") +Signed-off-by: Gu Shengxian +Signed-off-by: Daniel Borkmann +Cc: Jiri Olsa +Link: https://lore.kernel.org/bpf/20210706013543.671114-1-gushengxian507419@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + tools/bpf/bpftool/jit_disasm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/tools/bpf/bpftool/jit_disasm.c ++++ b/tools/bpf/bpftool/jit_disasm.c +@@ -43,11 +43,13 @@ static int fprintf_json(void *out, const + { + va_list ap; + char *s; ++ int err; + + va_start(ap, fmt); +- if (vasprintf(&s, fmt, ap) < 0) +- return -1; ++ err = vasprintf(&s, fmt, ap); + va_end(ap); ++ if (err < 0) ++ return -1; + + if (!oper_count) { + int i; diff --git a/queue-5.10/drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch b/queue-5.10/drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch new file mode 100644 index 00000000000..faf970bf165 --- /dev/null +++ b/queue-5.10/drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch @@ -0,0 +1,42 @@ +From 1988e0d84161dabd99d1c27033fbd6ee439bf432 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 4 Jun 2021 01:18:30 +0200 +Subject: drm/panel: nt35510: Do not fail if DSI read fails + +From: Linus Walleij + +commit 1988e0d84161dabd99d1c27033fbd6ee439bf432 upstream. + +Failing to read the MTP over DSI should not bring down the +system and make us bail out from using the display, it turns +out that this happens when toggling the display off and on, +and that write is often still working so the display output +is just fine. Printing an error is enough. + +Tested by killing the Gnome session repeatedly on the +Samsung Skomer. 
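[Editor's note] The "warn, don't fail" shape of this fix can be sketched outside the driver. `read_panel_id()` below is a hypothetical stand-in for `nt35510_read_id()`; the point is only that a failed identification read is logged and the power-on sequence continues:

```c
#include <stdio.h>

static int read_panel_id(void)
{
	return -1;	/* simulate the DSI read failing */
}

static int panel_power_on(void)
{
	/* Best-effort read: report the failure but do not abort init. */
	if (read_panel_id() < 0)
		fprintf(stderr, "panel: ID read failed, continuing\n");

	/* ... rest of the init sequence proceeds regardless ... */
	return 0;
}
```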
+ +Fixes: 899f24ed8d3a ("drm/panel: Add driver for Novatek NT35510-based panels") +Cc: Stephan Gerhold +Reported-by: newbyte@disroot.org +Acked-by: Stefan Hansson +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20210603231830.3200040-1-linus.walleij@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/panel-novatek-nt35510.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/gpu/drm/panel/panel-novatek-nt35510.c ++++ b/drivers/gpu/drm/panel/panel-novatek-nt35510.c +@@ -706,9 +706,7 @@ static int nt35510_power_on(struct nt355 + if (ret) + return ret; + +- ret = nt35510_read_id(nt); +- if (ret) +- return ret; ++ nt35510_read_id(nt); + + /* Set up stuff in manufacturer control, page 1 */ + ret = nt35510_send_long(nt, dsi, MCS_CMD_MAUCCTR, diff --git a/queue-5.10/ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch b/queue-5.10/ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch new file mode 100644 index 00000000000..e6016dc1691 --- /dev/null +++ b/queue-5.10/ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch @@ -0,0 +1,130 @@ +From c7bb4b89033b764eb07db4e060548a6311d801ee Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 8 Jul 2021 00:21:09 -0700 +Subject: ipv6: tcp: drop silly ICMPv6 packet too big messages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +commit c7bb4b89033b764eb07db4e060548a6311d801ee upstream. + +While TCP stack scales reasonably well, there is still one part that +can be used to DDOS it. 
+ +IPv6 Packet too big messages have to lookup/insert a new route, +and if abused by attackers, can easily put hosts under high stress, +with many cpus contending on a spinlock while one is stuck in fib6_run_gc() + +ip6_protocol_deliver_rcu() + icmpv6_rcv() + icmpv6_notify() + tcp_v6_err() + tcp_v6_mtu_reduced() + inet6_csk_update_pmtu() + ip6_rt_update_pmtu() + __ip6_rt_update_pmtu() + ip6_rt_cache_alloc() + ip6_dst_alloc() + dst_alloc() + ip6_dst_gc() + fib6_run_gc() + spin_lock_bh() ... + +Some of our servers have been hit by malicious ICMPv6 packets +trying to _increase_ the MTU/MSS of TCP flows. + +We believe these ICMPv6 packets are a result of a bug in one ISP stack, +since they were blindly sent back for _every_ (small) packet sent to them. + +These packets are for one TCP flow: +09:24:36.266491 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 +09:24:36.266509 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 +09:24:36.316688 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 +09:24:36.316704 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 +09:24:36.608151 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 + +TCP stack can filter some silly requests : + +1) MTU below IPV6_MIN_MTU can be filtered early in tcp_v6_err() +2) tcp_v6_mtu_reduced() can drop requests trying to increase current MSS. + +This tests happen before the IPv6 routing stack is entered, thus +removing the potential contention and route exhaustion. + +Note that IPv6 stack was performing these checks, but too late +(ie : after the route has been added, and after the potential +garbage collect war) + +v2: fix typo caught by Martin, thanks ! +v3: exports tcp_mtu_to_mss(), caught by David, thanks ! + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reviewed-by: Maciej Żenczykowski +Cc: Martin KaFai Lau +Acked-by: Martin KaFai Lau +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 1 + + net/ipv6/tcp_ipv6.c | 19 +++++++++++++++++-- + 2 files changed, 18 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1730,6 +1730,7 @@ int tcp_mtu_to_mss(struct sock *sk, int + return __tcp_mtu_to_mss(sk, pmtu) - + (tcp_sk(sk)->tcp_header_len - sizeof(struct tcphdr)); + } ++EXPORT_SYMBOL(tcp_mtu_to_mss); + + /* Inverse of above */ + int tcp_mss_to_mtu(struct sock *sk, int mss) +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -348,11 +348,20 @@ failure: + static void tcp_v6_mtu_reduced(struct sock *sk) + { + struct dst_entry *dst; ++ u32 mtu; + + if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) + return; + +- dst = inet6_csk_update_pmtu(sk, READ_ONCE(tcp_sk(sk)->mtu_info)); ++ mtu = READ_ONCE(tcp_sk(sk)->mtu_info); ++ ++ /* Drop requests trying to increase our current mss. ++ * Check done in __ip6_rt_update_pmtu() is too late. ++ */ ++ if (tcp_mtu_to_mss(sk, mtu) >= tcp_sk(sk)->mss_cache) ++ return; ++ ++ dst = inet6_csk_update_pmtu(sk, mtu); + if (!dst) + return; + +@@ -433,6 +442,8 @@ static int tcp_v6_err(struct sk_buff *sk + } + + if (type == ICMPV6_PKT_TOOBIG) { ++ u32 mtu = ntohl(info); ++ + /* We are not interested in TCP_LISTEN and open_requests + * (SYN-ACKs send out by Linux are always <576bytes so + * they should go through unfragmented). 
+@@ -443,7 +454,11 @@ static int tcp_v6_err(struct sk_buff *sk + if (!ip6_sk_accept_pmtu(sk)) + goto out; + +- WRITE_ONCE(tp->mtu_info, ntohl(info)); ++ if (mtu < IPV6_MIN_MTU) ++ goto out; ++ ++ WRITE_ONCE(tp->mtu_info, mtu); ++ + if (!sock_owned_by_user(sk)) + tcp_v6_mtu_reduced(sk); + else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, diff --git a/queue-5.10/kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch b/queue-5.10/kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch new file mode 100644 index 00000000000..8253c319f9c --- /dev/null +++ b/queue-5.10/kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch @@ -0,0 +1,54 @@ +From d952cfaf0cffdbbb0433c67206b645131f17ca5f Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Wed, 14 Jul 2021 13:23:49 +0900 +Subject: kbuild: do not suppress Kconfig prompts for silent build + +From: Masahiro Yamada + +commit d952cfaf0cffdbbb0433c67206b645131f17ca5f upstream. + +When a new CONFIG option is available, Kbuild shows a prompt to get +the user input. + + $ make + [ snip ] + Core Scheduling for SMT (SCHED_CORE) [N/y/?] (NEW) + +This is the only interactive place in the build process. + +Commit 174a1dcc9642 ("kbuild: sink stdout from cmd for silent build") +suppressed Kconfig prompts as well because syncconfig is invoked by +the 'cmd' macro. You cannot notice the fact that Kconfig is waiting +for the user input. + +Use 'kecho' to show the equivalent short log without suppressing stdout +from sub-make. + +Fixes: 174a1dcc9642 ("kbuild: sink stdout from cmd for silent build") +Reported-by: Tetsuo Handa +Signed-off-by: Masahiro Yamada +Tested-by: Tetsuo Handa +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -704,11 +704,12 @@ $(KCONFIG_CONFIG): + # This exploits the 'multi-target pattern rule' trick. + # The syncconfig should be executed only once to make all the targets. 
+ # (Note: use the grouped target '&:' when we bump to GNU Make 4.3) +-quiet_cmd_syncconfig = SYNC $@ +- cmd_syncconfig = $(MAKE) -f $(srctree)/Makefile syncconfig +- ++# ++# Do not use $(call cmd,...) here. That would suppress prompts from syncconfig, ++# so you cannot notice that Kconfig is waiting for the user input. + %/config/auto.conf %/config/auto.conf.cmd %/generated/autoconf.h: $(KCONFIG_CONFIG) +- +$(call cmd,syncconfig) ++ $(Q)$(kecho) " SYNC $@" ++ $(Q)$(MAKE) -f $(srctree)/Makefile syncconfig + else # !may-sync-config + # External modules and some install targets need include/generated/autoconf.h + # and include/config/auto.conf but do not care if they are up-to-date. diff --git a/queue-5.10/perf-test-bpf-free-obj_buf.patch b/queue-5.10/perf-test-bpf-free-obj_buf.patch new file mode 100644 index 00000000000..069b34984af --- /dev/null +++ b/queue-5.10/perf-test-bpf-free-obj_buf.patch @@ -0,0 +1,52 @@ +From 937654ce497fb6e977a8c52baee5f7d9616302d9 Mon Sep 17 00:00:00 2001 +From: Riccardo Mancini +Date: Thu, 15 Jul 2021 18:07:24 +0200 +Subject: perf test bpf: Free obj_buf + +From: Riccardo Mancini + +commit 937654ce497fb6e977a8c52baee5f7d9616302d9 upstream. + +ASan reports some memory leaks when running: + + # perf test "42: BPF filter" + +The first of these leaks is caused by obj_buf never being deallocated in +__test__bpf. + +This patch adds the missing free. 
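[Editor's note] The leak shape fixed here is the classic one of a buffer read at the top of a function that never reaches the shared exit path. A hedged userspace sketch (`read_object_file` is a made-up stand-in for perf's BPF object loading):

```c
#include <stdlib.h>

static void *read_object_file(size_t *sz)
{
	*sz = 64;
	return calloc(1, *sz);
}

static int test_bpf_object(void)
{
	size_t sz;
	void *obj_buf = read_object_file(&sz);
	int ret = obj_buf ? 0 : -1;

	/* ... open, load and attach the BPF object here ... */

	free(obj_buf);	/* the previously missing free on the out: path */
	return ret;
}
```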
+ +Signed-off-by: Riccardo Mancini +Fixes: ba1fae431e74bb42 ("perf test: Add 'perf test BPF'") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Link: http://lore.kernel.org/lkml/60f3ca935fe6672e7e866276ce6264c9e26e4c87.1626343282.git.rickyman7@gmail.com +[ Added missing stdlib.h include ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/bpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/perf/tests/bpf.c ++++ b/tools/perf/tests/bpf.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include ++#include + #include + #include + #include +@@ -283,6 +284,7 @@ static int __test__bpf(int idx) + } + + out: ++ free(obj_buf); + bpf__clear(); + return ret; + } diff --git a/queue-5.10/series b/queue-5.10/series index ff25bfb8935..783622ddff3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -109,3 +109,17 @@ revert-mm-shmem-fix-shmem_swapin-race-with-swapoff.patch net-dsa-properly-check-for-the-bridge_leave-methods-in-dsa_switch_bridge_leave.patch net-fddi-fix-uaf-in-fza_probe.patch dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch +kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch +arm-dts-aspeed-fix-ast2600-machines-line-names.patch +arm-dts-tacoma-add-phase-corrections-for-emmc.patch +tcp-consistently-disable-header-prediction-for-mptcp.patch +tcp-annotate-data-races-around-tp-mtu_info.patch +tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch +ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch +tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch +tools-bpf-fix-error-in-make-c-tools-bpf_install.patch +bpftool-properly-close-va_list-ap-by-va_end-on-error.patch +bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch +perf-test-bpf-free-obj_buf.patch +drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch +udp-annotate-data-races-around-unix_sk-sk-gso_size.patch 
diff --git a/queue-5.10/tcp-annotate-data-races-around-tp-mtu_info.patch b/queue-5.10/tcp-annotate-data-races-around-tp-mtu_info.patch new file mode 100644 index 00000000000..3255a797e96 --- /dev/null +++ b/queue-5.10/tcp-annotate-data-races-around-tp-mtu_info.patch @@ -0,0 +1,62 @@ +From 561022acb1ce62e50f7a8258687a21b84282a4cb Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 2 Jul 2021 13:09:03 -0700 +Subject: tcp: annotate data races around tp->mtu_info + +From: Eric Dumazet + +commit 561022acb1ce62e50f7a8258687a21b84282a4cb upstream. + +While tp->mtu_info is read while socket is owned, the write +sides happen from err handlers (tcp_v[46]_mtu_reduced) +which only own the socket spinlock. + +Fixes: 563d34d05786 ("tcp: dont drop MTU reduction indications") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 4 ++-- + net/ipv6/tcp_ipv6.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -342,7 +342,7 @@ void tcp_v4_mtu_reduced(struct sock *sk) + + if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) + return; +- mtu = tcp_sk(sk)->mtu_info; ++ mtu = READ_ONCE(tcp_sk(sk)->mtu_info); + dst = inet_csk_update_pmtu(sk, mtu); + if (!dst) + return; +@@ -546,7 +546,7 @@ int tcp_v4_err(struct sk_buff *skb, u32 + if (sk->sk_state == TCP_LISTEN) + goto out; + +- tp->mtu_info = info; ++ WRITE_ONCE(tp->mtu_info, info); + if (!sock_owned_by_user(sk)) { + tcp_v4_mtu_reduced(sk); + } else { +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -352,7 +352,7 @@ static void tcp_v6_mtu_reduced(struct so + if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) + return; + +- dst = inet6_csk_update_pmtu(sk, tcp_sk(sk)->mtu_info); ++ dst = inet6_csk_update_pmtu(sk, READ_ONCE(tcp_sk(sk)->mtu_info)); + if (!dst) + return; + +@@ -443,7 +443,7 @@ static int tcp_v6_err(struct sk_buff *sk + if (!ip6_sk_accept_pmtu(sk)) + goto out; + +- 
tp->mtu_info = ntohl(info); ++ WRITE_ONCE(tp->mtu_info, ntohl(info)); + if (!sock_owned_by_user(sk)) + tcp_v6_mtu_reduced(sk); + else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, diff --git a/queue-5.10/tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch b/queue-5.10/tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch new file mode 100644 index 00000000000..97ed06a6fd0 --- /dev/null +++ b/queue-5.10/tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch @@ -0,0 +1,43 @@ +From 358ed624207012f03318235017ac6fb41f8af592 Mon Sep 17 00:00:00 2001 +From: Talal Ahmad +Date: Fri, 9 Jul 2021 11:43:06 -0400 +Subject: tcp: call sk_wmem_schedule before sk_mem_charge in zerocopy path + +From: Talal Ahmad + +commit 358ed624207012f03318235017ac6fb41f8af592 upstream. + +sk_wmem_schedule makes sure that sk_forward_alloc has enough +bytes for charging that is going to be done by sk_mem_charge. + +In the transmit zerocopy path, there is sk_mem_charge but there was +no call to sk_wmem_schedule. This change adds that call. + +Without this call to sk_wmem_schedule, sk_forward_alloc can go +negetive which is a bug because sk_forward_alloc is a per-socket +space that has been forward charged so this can't be negative. + +Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY") +Signed-off-by: Talal Ahmad +Reviewed-by: Willem de Bruijn +Reviewed-by: Wei Wang +Reviewed-by: Soheil Hassas Yeganeh +Signed-off-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1361,6 +1361,9 @@ new_segment: + } + pfrag->offset += copy; + } else { ++ if (!sk_wmem_schedule(sk, copy)) ++ goto wait_for_space; ++ + err = skb_zerocopy_iter_stream(sk, skb, msg, copy, uarg); + if (err == -EMSGSIZE || err == -EEXIST) { + tcp_mark_push(tp, skb); diff --git a/queue-5.10/tcp-consistently-disable-header-prediction-for-mptcp.patch b/queue-5.10/tcp-consistently-disable-header-prediction-for-mptcp.patch new file mode 100644 index 00000000000..7993a26a535 --- /dev/null +++ b/queue-5.10/tcp-consistently-disable-header-prediction-for-mptcp.patch @@ -0,0 +1,43 @@ +From 71158bb1f2d2da61385c58fc1114e1a1c19984ba Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 30 Jun 2021 13:42:13 +0200 +Subject: tcp: consistently disable header prediction for mptcp + +From: Paolo Abeni + +commit 71158bb1f2d2da61385c58fc1114e1a1c19984ba upstream. + +The MPTCP receive path is hooked only into the TCP slow-path. +The DSS presence allows plain MPTCP traffic to hit that +consistently. + +Since commit e1ff9e82e2ea ("net: mptcp: improve fallback to TCP"), +when an MPTCP socket falls back to TCP, it can hit the TCP receive +fast-path, and delay or stop triggering the event notification. + +Address the issue explicitly disabling the header prediction +for MPTCP sockets. + +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/200 +Fixes: e1ff9e82e2ea ("net: mptcp: improve fallback to TCP") +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -676,6 +676,10 @@ static inline u32 __tcp_set_rto(const st + + static inline void __tcp_fast_path_on(struct tcp_sock *tp, u32 snd_wnd) + { ++ /* mptcp hooks are only on the slow path */ ++ if (sk_is_mptcp((struct sock *)tp)) ++ return; ++ + tp->pred_flags = htonl((tp->tcp_header_len << 26) | + ntohl(TCP_FLAG_ACK) | + snd_wnd); diff --git a/queue-5.10/tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch b/queue-5.10/tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch new file mode 100644 index 00000000000..8cd79fd8407 --- /dev/null +++ b/queue-5.10/tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch @@ -0,0 +1,67 @@ +From be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc Mon Sep 17 00:00:00 2001 +From: Nguyen Dinh Phi +Date: Tue, 6 Jul 2021 07:19:12 +0800 +Subject: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized + +From: Nguyen Dinh Phi + +commit be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc upstream. + +This commit fixes a bug (found by syzkaller) that could cause spurious +double-initializations for congestion control modules, which could cause +memory leaks or other problems for congestion control modules (like CDG) +that allocate memory in their init functions. + +The buggy scenario constructed by syzkaller was something like: + +(1) create a TCP socket +(2) initiate a TFO connect via sendto() +(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), + which calls: + tcp_set_congestion_control() -> + tcp_reinit_congestion_control() -> + tcp_init_congestion_control() +(4) receive ACK, connection is established, call tcp_init_transfer(), + set icsk_ca_initialized=0 (without first calling cc->release()), + call tcp_init_congestion_control() again. 
+ +Note that in this sequence tcp_init_congestion_control() is called +twice without a cc->release() call in between. Thus, for CC modules +that allocate memory in their init() function, e.g., CDG, a memory leak +may occur. The syzkaller tool managed to find a reproducer that +triggered such a leak in CDG. + +The bug was introduced when commit 8919a9b31eb4 ("tcp: Only init +congestion control if not initialized already") +introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in +tcp_init_transfer(), missing the possibility for a sequence like the +one above, where a process could call setsockopt(TCP_CONGESTION) in +state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), +which would call tcp_init_congestion_control(). It did not intend to +reset any initialization that the user had already explicitly made; +it just missed the possibility of that particular sequence (which +syzkaller managed to find). + +Fixes: 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") +Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com +Signed-off-by: Nguyen Dinh Phi +Acked-by: Neal Cardwell +Tested-by: Neal Cardwell +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5911,8 +5911,8 @@ void tcp_init_transfer(struct sock *sk, + tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk)); + tp->snd_cwnd_stamp = tcp_jiffies32; + +- icsk->icsk_ca_initialized = 0; + bpf_skops_established(sk, bpf_op, skb); ++ /* Initialize congestion control unless BPF initialized it already: */ + if (!icsk->icsk_ca_initialized) + tcp_init_congestion_control(sk); + tcp_init_buffer_space(sk); diff --git a/queue-5.10/tools-bpf-fix-error-in-make-c-tools-bpf_install.patch b/queue-5.10/tools-bpf-fix-error-in-make-c-tools-bpf_install.patch new file mode 100644 index 00000000000..e0db7269b34 --- /dev/null +++ b/queue-5.10/tools-bpf-fix-error-in-make-c-tools-bpf_install.patch @@ -0,0 +1,53 @@ +From 1d719254c139fb62fb8056fb496b6fd007e71550 Mon Sep 17 00:00:00 2001 +From: Wei Li +Date: Mon, 28 Jun 2021 11:04:09 +0800 +Subject: tools: bpf: Fix error in 'make -C tools/ bpf_install' + +From: Wei Li + +commit 1d719254c139fb62fb8056fb496b6fd007e71550 upstream. + +make[2]: *** No rule to make target 'install'. Stop. +make[1]: *** [Makefile:122: runqslower_install] Error 2 +make: *** [Makefile:116: bpf_install] Error 2 + +There is no rule for target 'install' in tools/bpf/runqslower/Makefile, +and there is no need to install it, so just remove 'runqslower_install'. 
+ +Fixes: 9c01546d26d2 ("tools/bpf: Add runqslower tool to tools/bpf") +Signed-off-by: Wei Li +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210628030409.3459095-1-liwei391@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + tools/bpf/Makefile | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/tools/bpf/Makefile ++++ b/tools/bpf/Makefile +@@ -97,7 +97,7 @@ clean: bpftool_clean runqslower_clean re + $(Q)$(RM) -- $(OUTPUT)FEATURE-DUMP.bpf + $(Q)$(RM) -r -- $(OUTPUT)feature + +-install: $(PROGS) bpftool_install runqslower_install ++install: $(PROGS) bpftool_install + $(call QUIET_INSTALL, bpf_jit_disasm) + $(Q)$(INSTALL) -m 0755 -d $(DESTDIR)$(prefix)/bin + $(Q)$(INSTALL) $(OUTPUT)bpf_jit_disasm $(DESTDIR)$(prefix)/bin/bpf_jit_disasm +@@ -118,9 +118,6 @@ bpftool_clean: + runqslower: + $(call descend,runqslower) + +-runqslower_install: +- $(call descend,runqslower,install) +- + runqslower_clean: + $(call descend,runqslower,clean) + +@@ -131,5 +128,5 @@ resolve_btfids_clean: + $(call descend,resolve_btfids,clean) + + .PHONY: all install clean bpftool bpftool_install bpftool_clean \ +- runqslower runqslower_install runqslower_clean \ ++ runqslower runqslower_clean \ + resolve_btfids resolve_btfids_clean diff --git a/queue-5.10/udp-annotate-data-races-around-unix_sk-sk-gso_size.patch b/queue-5.10/udp-annotate-data-races-around-unix_sk-sk-gso_size.patch new file mode 100644 index 00000000000..c64fdb53911 --- /dev/null +++ b/queue-5.10/udp-annotate-data-races-around-unix_sk-sk-gso_size.patch @@ -0,0 +1,96 @@ +From 18a419bad63b7f68a1979e28459782518e7b6bbe Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 30 Jun 2021 09:42:44 -0700 +Subject: udp: annotate data races around unix_sk(sk)->gso_size + +From: Eric Dumazet + +commit 18a419bad63b7f68a1979e28459782518e7b6bbe upstream. + +Accesses to unix_sk(sk)->gso_size are lockless. +Add READ_ONCE()/WRITE_ONCE() around them. 
+ +BUG: KCSAN: data-race in udp_lib_setsockopt / udpv6_sendmsg + +write to 0xffff88812d78f47c of 2 bytes by task 10849 on cpu 1: + udp_lib_setsockopt+0x3b3/0x710 net/ipv4/udp.c:2696 + udpv6_setsockopt+0x63/0x90 net/ipv6/udp.c:1630 + sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3265 + __sys_setsockopt+0x18f/0x200 net/socket.c:2104 + __do_sys_setsockopt net/socket.c:2115 [inline] + __se_sys_setsockopt net/socket.c:2112 [inline] + __x64_sys_setsockopt+0x62/0x70 net/socket.c:2112 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88812d78f47c of 2 bytes by task 10852 on cpu 0: + udpv6_sendmsg+0x161/0x16b0 net/ipv6/udp.c:1299 + inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2337 + ___sys_sendmsg net/socket.c:2391 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2477 + __do_sys_sendmmsg net/socket.c:2506 [inline] + __se_sys_sendmmsg net/socket.c:2503 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2503 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000 -> 0x0005 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 10852 Comm: syz-executor.0 Not tainted 5.13.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: bec1f6f69736 ("udp: generate gso with UDP_SEGMENT") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 6 +++--- + net/ipv6/udp.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1097,7 +1097,7 @@ int udp_sendmsg(struct sock *sk, struct + } + + ipcm_init_sk(&ipc, inet); +- ipc.gso_size = up->gso_size; ++ ipc.gso_size = READ_ONCE(up->gso_size); + + if (msg->msg_controllen) { + err = udp_cmsg_send(sk, msg, &ipc.gso_size); +@@ -2655,7 +2655,7 @@ int udp_lib_setsockopt(struct sock *sk, + case UDP_SEGMENT: + if (val < 0 || val > USHRT_MAX) + return -EINVAL; +- up->gso_size = val; ++ WRITE_ONCE(up->gso_size, val); + break; + + case UDP_GRO: +@@ -2750,7 +2750,7 @@ int udp_lib_getsockopt(struct sock *sk, + break; + + case UDP_SEGMENT: +- val = up->gso_size; ++ val = READ_ONCE(up->gso_size); + break; + + case UDP_GRO: +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1294,7 +1294,7 @@ int udpv6_sendmsg(struct sock *sk, struc + int (*getfrag)(void *, char *, int, int, int, struct sk_buff *); + + ipcm6_init(&ipc6); +- ipc6.gso_size = up->gso_size; ++ ipc6.gso_size = READ_ONCE(up->gso_size); + ipc6.sockc.tsflags = sk->sk_tsflags; + ipc6.sockc.mark = sk->sk_mark; +