From: Greg Kroah-Hartman
Date: Mon, 20 Sep 2021 08:46:02 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.284~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=14261d0f02d3e2f88d4c1ddd719bee29a5ee377d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches
added patches:
events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
---
diff --git a/queue-4.9/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch b/queue-4.9/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
new file mode 100644
index 00000000000..0abe49d9f17
--- /dev/null
+++ b/queue-4.9/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
@@ -0,0 +1,36 @@
+From b89a05b21f46150ac10a962aa50109250b56b03b Mon Sep 17 00:00:00 2001
+From: Baptiste Lepers
+Date: Mon, 6 Sep 2021 11:53:10 +1000
+Subject: events: Reuse value read using READ_ONCE instead of re-reading it
+
+From: Baptiste Lepers
+
+commit b89a05b21f46150ac10a962aa50109250b56b03b upstream.
+
+In perf_event_addr_filters_apply, the task associated with
+the event (event->ctx->task) is read using READ_ONCE at the beginning
+of the function, checked, and then re-read from event->ctx->task,
+voiding all guarantees of the checks. Reuse the value that was read by
+READ_ONCE to ensure the consistency of the task struct throughout the
+function.
+
+Fixes: 375637bc52495 ("perf/core: Introduce address range filtering")
+Signed-off-by: Baptiste Lepers
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/20210906015310.12802-1-baptiste.lepers@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8115,7 +8115,7 @@ static void perf_event_addr_filters_appl
+ if (task == TASK_TOMBSTONE)
+ return;
+
+- mm = get_task_mm(event->ctx->task);
++ mm = get_task_mm(task);
+ if (!mm)
+ goto restart;
+
diff --git a/queue-4.9/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch b/queue-4.9/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
new file mode 100644
index 00000000000..bf582b830e2
--- /dev/null
+++ b/queue-4.9/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
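Review bot: The new `mm = get_task_mm(task);` line carries no comment saying why the local snapshot must be used, so a later edit can silently reintroduce the `event->ctx->task` re-read this patch removes; a one-line comment above it, `/* use the READ_ONCE() snapshot of ctx->task checked above; never re-read ctx->task */`, would pin the invariant next to the code. The enclosing perf_event_addr_filters_apply() starts before the hunk, so the READ_ONCE() read itself is not visible here and the `task == TASK_TOMBSTONE` check is its only trace. Upstream id and Fixes: tag are present, so the backport record itself is complete.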
@@ -0,0 +1,97 @@
+From 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 8 Sep 2021 17:00:29 -0700
+Subject: net/af_unix: fix a data-race in unix_dgram_poll
+
+From: Eric Dumazet
+
+commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream.
+
+syzbot reported another data-race in af_unix [1]
+
+Lets change __skb_insert() to use WRITE_ONCE() when changing
+skb head qlen.
+
+Also, change unix_dgram_poll() to use lockless version
+of unix_recvq_full()
+
+It is verry possible we can switch all/most unix_recvq_full()
+to the lockless version, this will be done in a future kernel version.
+
+[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1
+
+BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll
+
+write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0:
+ __skb_insert include/linux/skbuff.h:1938 [inline]
+ __skb_queue_before include/linux/skbuff.h:2043 [inline]
+ __skb_queue_tail include/linux/skbuff.h:2076 [inline]
+ skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264
+ unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2532
+ __do_sys_sendmmsg net/socket.c:2561 [inline]
+ __se_sys_sendmmsg net/socket.c:2558 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1:
+ skb_queue_len include/linux/skbuff.h:1869 [inline]
+ unix_recvq_full net/unix/af_unix.c:194 [inline]
+ unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777
+ sock_poll+0x23e/0x260 net/socket.c:1288
+ vfs_poll include/linux/poll.h:90 [inline]
+ ep_item_poll fs/eventpoll.c:846 [inline]
+ ep_send_events fs/eventpoll.c:1683 [inline]
+ ep_poll fs/eventpoll.c:1798 [inline]
+ do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226
+ __do_sys_epoll_wait fs/eventpoll.c:2238 [inline]
+ __se_sys_epoll_wait fs/eventpoll.c:2233 [inline]
+ __x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000001b -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G W 5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()")
+Cc: Qian Cai
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/skbuff.h | 2 +-
+ net/unix/af_unix.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1613,7 +1613,7 @@ static inline void __skb_insert(struct s
+ newsk->next = next;
+ newsk->prev = prev;
+ next->prev = prev->next = newsk;
+- list->qlen++;
++ WRITE_ONCE(list->qlen, list->qlen + 1);
+ }
+
+ static inline void __skb_queue_splice(const struct sk_buff_head *list,
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2694,7 +2694,7 @@ static unsigned int unix_dgram_poll(stru
+
+ other = unix_peer(sk);
+ if (other && unix_peer(other) != sk &&
+- unix_recvq_full(other) &&
++ unix_recvq_full_lockless(other) &&
+ unix_dgram_peer_wake_me(sk, other))
+ writable = 0;
+
diff --git a/queue-4.9/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch b/queue-4.9/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
new file mode 100644
index 00000000000..60dbab6dda4
--- /dev/null
+++ b/queue-4.9/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
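Review bot: The `unix_recvq_full_lockless(other)` call in unix_dgram_poll() only builds if that helper is already present in the 4.9 tree; this hunk does not add it, and it arrived with 86b18aaa2b5b, the commit in the Fixes: line, so the queue should be checked for that backport before this patch is applied. The WRITE_ONCE() annotation covers only the increment in __skb_insert(); `__skb_queue_splice()` starts right after the hunk and, if it and its siblings still update `qlen` with a plain add, those writers remain unannotated for the lockless reader and KCSAN is likely to report them next. A comment at the write site, `/* paired with the lockless reader in unix_recvq_full_lockless() */`, would record why a plain ++ is not acceptable here. Both inner hunks are cut from larger functions, so the rest of __skb_insert() and unix_dgram_poll() is outside view.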
@@ -0,0 +1,80 @@
+From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001
+From: Yajun Deng
+Date: Mon, 13 Sep 2021 12:04:42 +0800
+Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"
+
+From: Yajun Deng
+
+commit d7807a9adf4856171f8441f13078c33941df48ab upstream.
+
+This reverts commit 919483096bfe75dda338e98d56da91a263746a0a.
+
+There is only when ip_options_get() return zero need to free.
+It already called kfree() when return error.
+
+Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers")
+Signed-off-by: Yajun Deng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ping.c | 5 ++---
+ net/ipv4/raw.c | 5 ++---
+ net/ipv4/udp.c | 4 +---
+ 4 files changed, 6 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -261,7 +261,7 @@ int ip_cmsg_send(struct sock *sk, struct
+ case IP_RETOPTS:
+ err = cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr));
+
+- /* Our caller is responsible for freeing ipc->opt */
++ /* Our caller is responsible for freeing ipc->opt when err = 0 */
+ err = ip_options_get(net, &ipc->opt, CMSG_DATA(cmsg),
+ err < 40 ? err : 40);
+ if (err)
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -749,10 +749,9 @@ static int ping_v4_sendmsg(struct sock *
+
+ if (msg->msg_controllen) {
+ err = ip_cmsg_send(sk, msg, &ipc, false);
+- if (unlikely(err)) {
+- kfree(ipc.opt);
++ if (unlikely(err))
+ return err;
+- }
++
+ if (ipc.opt)
+ free = 1;
+ }
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -560,10 +560,9 @@ static int raw_sendmsg(struct sock *sk,
+
+ if (msg->msg_controllen) {
+ err = ip_cmsg_send(sk, msg, &ipc, false);
+- if (unlikely(err)) {
+- kfree(ipc.opt);
++ if (unlikely(err))
+ goto out;
+- }
++
+ if (ipc.opt)
+ free = 1;
+ }
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -959,10 +959,8 @@ int udp_sendmsg(struct sock *sk, struct
+
+ if (msg->msg_controllen) {
+ err = ip_cmsg_send(sk, msg, &ipc, sk->sk_family == AF_INET6);
+- if (unlikely(err)) {
+- kfree(ipc.opt);
++ if (unlikely(err))
+ return err;
+- }
+ if (ipc.opt)
+ free = 1;
+ connected = 0;
diff --git a/queue-4.9/series b/queue-4.9/series
index 692a7d4e63e..5a2d57ae7b3 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -159,3 +159,6 @@ net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch
 parisc-declare-pci_iounmap-parisc-version-only-when-config_pci-enabled.patch
 r6040-restore-mdio-clock-frequency-after-mac-reset.patch
 tipc-increase-timeout-in-tipc_sk_enqueue.patch
+events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
+net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
+revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
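Review bot: Removing `kfree(ipc.opt)` from the error paths of ping_v4_sendmsg(), raw_sendmsg() and udp_sendmsg() is only leak-free if ip_cmsg_send() can never fail after `ipc->opt` has been allocated. The revert's justification covers failures inside ip_options_get(), but the visible `case IP_RETOPTS:` is one arm of a switch, and if ip_cmsg_send() goes on to parse further control messages (that loop is outside the hunk), an error from a later message would leave the options allocated with nobody to free them, which is the leak named in the title of the reverted commit 919483096bfe. Before this is queued for 4.9 it is worth confirming that 4.9's ip_cmsg_send() either returns before any later failure or releases `ipc->opt` itself on that path; if it does not, the free belongs inside ip_cmsg_send() rather than in each caller. The updated comment `/* Our caller is responsible for freeing ipc->opt when err = 0 */` would be clearer as `/* ip_options_get() frees on error; the caller frees ipc->opt only on success */`.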