From: Greg Kroah-Hartman
Date: Wed, 19 Jun 2019 14:21:06 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v5.1.13~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1666ad2c1d5dad24a60fae72840164c3a2c862d9;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch
be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch
ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch
lapb-fixed-leak-of-control-blocks.patch
neigh-fix-use-after-free-read-in-pneigh_get_next.patch
sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
---
diff --git a/queue-4.4/ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch b/queue-4.4/ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch
new file mode 100644
index 00000000000..e012cd4afcc
--- /dev/null
+++ b/queue-4.4/ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch
@@ -0,0 +1,117 @@
+From foo@baz Wed 19 Jun 2019 04:10:50 PM CEST
+From: Eric Dumazet
+Date: Sat, 15 Jun 2019 16:40:52 -0700
+Subject: ax25: fix inconsistent lock state in ax25_destroy_timer
+
+From: Eric Dumazet
+
+[ Upstream commit d4d5d8e83c9616aeef28a2869cea49cc3fb35526 ]
+
+Before thread in process context uses bh_lock_sock()
+we must disable bh.
+
+sysbot reported :
+
+WARNING: inconsistent lock state
+5.2.0-rc3+ #32 Not tainted
+
+inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
+blkid/26581 [HC0[0]:SC1[1]:HE1:SE0] takes:
+00000000e0da85ee (slock-AF_AX25){+.?.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+00000000e0da85ee (slock-AF_AX25){+.?.}, at: ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275
+{SOFTIRQ-ON-W} state was registered at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ ax25_rt_autobind+0x3ca/0x720 net/ax25/ax25_route.c:429
+ ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1221
+ __sys_connect+0x264/0x330 net/socket.c:1834
+ __do_sys_connect net/socket.c:1845 [inline]
+ __se_sys_connect net/socket.c:1842 [inline]
+ __x64_sys_connect+0x73/0xb0 net/socket.c:1842
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 2272
+hardirqs last enabled at (2272): [] trace_hardirqs_on_thunk+0x1a/0x1c
+hardirqs last disabled at (2271): [] trace_hardirqs_off_thunk+0x1a/0x1c
+softirqs last enabled at (1522): [] __do_softirq+0x654/0x94c kernel/softirq.c:320
+softirqs last disabled at (2267): [] invoke_softirq kernel/softirq.c:374 [inline]
+softirqs last disabled at (2267): [] irq_exit+0x180/0x1d0 kernel/softirq.c:414
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(slock-AF_AX25);
+
+ lock(slock-AF_AX25);
+
+ *** DEADLOCK ***
+
+1 lock held by blkid/26581:
+ #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:175 [inline]
+ #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: call_timer_fn+0xe0/0x720 kernel/time/timer.c:1312
+
+stack backtrace:
+CPU: 1 PID: 26581 Comm: blkid Not tainted 5.2.0-rc3+ #32
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_usage_bug.cold+0x393/0x4a2 kernel/locking/lockdep.c:2935
+ valid_state kernel/locking/lockdep.c:2948 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3138 [inline]
+ mark_lock+0xd46/0x1370 kernel/locking/lockdep.c:3513
+ mark_irqflags kernel/locking/lockdep.c:3391 [inline]
+ __lock_acquire+0x159f/0x5490 kernel/locking/lockdep.c:3745
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275
+ call_timer_fn+0x193/0x720 kernel/time/timer.c:1322
+ expire_timers kernel/time/timer.c:1366 [inline]
+ __run_timers kernel/time/timer.c:1685 [inline]
+ __run_timers kernel/time/timer.c:1653 [inline]
+ run_timer_softirq+0x66f/0x1740 kernel/time/timer.c:1698
+ __do_softirq+0x25c/0x94c kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:374 [inline]
+ irq_exit+0x180/0x1d0 kernel/softirq.c:414
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
+
+RIP: 0033:0x7f858d5c3232
+Code: 8b 61 08 48 8b 84 24 d8 00 00 00 4c 89 44 24 28 48 8b ac 24 d0 00 00 00 4c 8b b4 24 e8 00 00 00 48 89 7c 24 68 48 89 4c 24 78 <48> 89 44 24 58 8b 84 24 e0 00 00 00 89 84 24 84 00 00 00 8b 84 24
+RSP: 002b:00007ffcaf0cf5c0 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
+RAX: 00007f858d7d27a8 RBX: 00007f858d7d8820 RCX: 00007f858d3940d8
+RDX: 00007ffcaf0cf798 RSI: 00000000f5e616f3 RDI: 00007f858d394fee
+RBP: 0000000000000000 R08: 00007ffcaf0cf780 R09: 00007f858d7db480
+R10: 0000000000000000 R11: 0000000009691a75 R12: 0000000000000005
+R13: 00000000f5e616f3 R14: 0000000000000000 R15: 00007ffcaf0cf798
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ax25/ax25_route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ax25/ax25_route.c
++++ b/net/ax25/ax25_route.c
+@@ -443,9 +443,11 @@ int ax25_rt_autobind(ax25_cb *ax25, ax25
+ }
+ 
+ if (ax25->sk != NULL) {
++ local_bh_disable();
+ bh_lock_sock(ax25->sk);
+ sock_reset_flag(ax25->sk, SOCK_ZAPPED);
+ bh_unlock_sock(ax25->sk);
++ local_bh_enable();
+ }
+ 
+ put:
diff --git a/queue-4.4/be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch b/queue-4.4/be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch
new file mode 100644
index 00000000000..02f5253e794
--- /dev/null
+++ b/queue-4.4/be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch
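Review bot: The new `local_bh_disable()`/`local_bh_enable()` pair around `bh_lock_sock()` in ax25_rt_autobind has no comment explaining why process context must mask softirqs here; the only justification is the lockdep splat in the changelog, which the next reader of ax25_route.c will not see. I'd add above `local_bh_disable();` a note such as `/* slock-AF_AX25 is also taken from ax25_destroy_timer() in softirq context; bh_lock_sock() is only safe with BH disabled */` so a later cleanup does not drop the pair and reintroduce the same-CPU deadlock the report shows. The hunk offset (`@@ -443,9 +443,11 @@`) shows the context was rebased onto 4.4, so it is worth confirming that 4.4's ax25_rt_autobind reaches this block with the same lock state as the 5.2 code the trace came from. The rest of ax25_rt_autobind, including the cleanup after `put:`, is outside the hunk.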
@@ -0,0 +1,74 @@
+From foo@baz Wed 19 Jun 2019 04:10:50 PM CEST
+From: Ivan Vecera
+Date: Fri, 14 Jun 2019 17:48:36 +0200
+Subject: be2net: Fix number of Rx queues used for flow hashing
+
+From: Ivan Vecera
+
+[ Upstream commit 718f4a2537089ea41903bf357071306163bc7c04 ]
+
+Number of Rx queues used for flow hashing returned by the driver is
+incorrect and this bug prevents user to use the last Rx queue in
+indirection table.
+
+Let's say we have a NIC with 6 combined queues:
+
+[root@sm-03 ~]# ethtool -l enp4s0f0
+Channel parameters for enp4s0f0:
+Pre-set maximums:
+RX: 5
+TX: 5
+Other: 0
+Combined: 6
+Current hardware settings:
+RX: 0
+TX: 0
+Other: 0
+Combined: 6
+
+Default indirection table maps all (6) queues equally but the driver
+reports only 5 rings available.
+
+[root@sm-03 ~]# ethtool -x enp4s0f0
+RX flow hash indirection table for enp4s0f0 with 5 RX ring(s):
+ 0: 0 1 2 3 4 5 0 1
+ 8: 2 3 4 5 0 1 2 3
+ 16: 4 5 0 1 2 3 4 5
+ 24: 0 1 2 3 4 5 0 1
+...
+
+Now change indirection table somehow:
+
+[root@sm-03 ~]# ethtool -X enp4s0f0 weight 1 1
+[root@sm-03 ~]# ethtool -x enp4s0f0
+RX flow hash indirection table for enp4s0f0 with 6 RX ring(s):
+ 0: 0 0 0 0 0 0 0 0
+...
+ 64: 1 1 1 1 1 1 1 1
+...
+
+Now it is not possible to change mapping back to equal (default) state:
+
+[root@sm-03 ~]# ethtool -X enp4s0f0 equal 6
+Cannot set RX flow hash configuration: Invalid argument
+
+Fixes: 594ad54a2c3b ("be2net: Add support for setting and getting rx flow hash options")
+Reported-by: Tianhao
+Signed-off-by: Ivan Vecera
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/emulex/benet/be_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c
++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+@@ -1050,7 +1050,7 @@ static int be_get_rxnfc(struct net_devic
+ cmd->data = be_get_rss_hash_opts(adapter, cmd->flow_type);
+ break;
+ case ETHTOOL_GRXRINGS:
+- cmd->data = adapter->num_rx_qs - 1;
++ cmd->data = adapter->num_rx_qs;
+ break;
+ default:
+ return -EINVAL;
diff --git a/queue-4.4/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch b/queue-4.4/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch
new file mode 100644
index 00000000000..4f6a9c396d7
--- /dev/null
+++ b/queue-4.4/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch
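Review bot: The value returned for `ETHTOOL_GRXRINGS` is, as far as I recall, what ethtool core uses as the exclusive upper bound when validating user-supplied RSS indirection entries, so raising it from `num_rx_qs - 1` to `num_rx_qs` is only correct if the driver's indirection-table setter (not in this hunk) accepts queue index `num_rx_qs - 1` and maps it to a real Rx queue; if the default non-RSS queue is counted in `num_rx_qs` but cannot be a table target, this change lets an unprivileged-looking ethtool request program an index the hardware will reject or silently remap. Please confirm against the 4.4 setter before merging the backport, and if it holds, document the invariant on the new line: `/* every Rx queue, including the default one, is a valid indirection-table target */`. be_get_rxnfc begins before the hunk.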
@@ -0,0 +1,47 @@
+From foo@baz Wed 19 Jun 2019 04:10:50 PM CEST
+From: Eric Dumazet
+Date: Thu, 6 Jun 2019 14:32:34 -0700
+Subject: ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
+
+From: Eric Dumazet
+
+[ Upstream commit 65a3c497c0e965a552008db8bc2653f62bc925a1 ]
+
+Before taking a refcount, make sure the object is not already
+scheduled for deletion.
+
+Same fix is needed in ipv6_flowlabel_opt()
+
+Fixes: 18367681a10b ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.")
+Signed-off-by: Eric Dumazet
+Cc: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_flowlabel.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -254,9 +254,9 @@ struct ip6_flowlabel *fl6_sock_lookup(st
+ rcu_read_lock_bh();
+ for_each_sk_fl_rcu(np, sfl) {
+ struct ip6_flowlabel *fl = sfl->fl;
+- if (fl->label == label) {
++
++ if (fl->label == label && atomic_inc_not_zero(&fl->users)) {
+ fl->lastuse = jiffies;
+- atomic_inc(&fl->users);
+ rcu_read_unlock_bh();
+ return fl;
+ }
+@@ -622,7 +622,8 @@ int ipv6_flowlabel_opt(struct sock *sk,
+ goto done;
+ }
+ fl1 = sfl->fl;
+- atomic_inc(&fl1->users);
++ if (!atomic_inc_not_zero(&fl1->users))
++ fl1 = NULL;
+ break;
+ }
+ }
diff --git a/queue-4.4/lapb-fixed-leak-of-control-blocks.patch b/queue-4.4/lapb-fixed-leak-of-control-blocks.patch
new file mode 100644
index 00000000000..f578b8804b7
--- /dev/null
+++ b/queue-4.4/lapb-fixed-leak-of-control-blocks.patch
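Review bot: The second hunk leaves `fl1 = NULL` when the refcount is already zero and then `break`s, but what happens next is outside the hunk in ipv6_flowlabel_opt: the code after the loop must treat a NULL `fl1` as "label not held by this socket" rather than dereference it (upstream, as I recall, falls back to a global `fl_lookup()` there), so please confirm the 4.4 code below the loop does the same. Neither hunk says why a plain increment was unsafe; a comment at the first changed `if` would capture it: `/* users may already be 0 with the entry queued for release; a plain atomic_inc would resurrect a dying object (use-after-free), so only take a ref while it is non-zero */`. The blank line inserted before the `if` in fl6_sock_lookup is cosmetic and carried over from upstream, which is fine for a stable backport. Both fl6_sock_lookup and ipv6_flowlabel_opt start and end outside their hunks.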
@@ -0,0 +1,42 @@
+From foo@baz Wed 19 Jun 2019 04:10:50 PM CEST
+From: Jeremy Sowden
+Date: Sun, 16 Jun 2019 16:54:37 +0100
+Subject: lapb: fixed leak of control-blocks.
+
+From: Jeremy Sowden
+
+[ Upstream commit 6be8e297f9bcea666ea85ac7a6cd9d52d6deaf92 ]
+
+lapb_register calls lapb_create_cb, which initializes the control-
+block's ref-count to one, and __lapb_insert_cb, which increments it when
+adding the new block to the list of blocks.
+
+lapb_unregister calls __lapb_remove_cb, which decrements the ref-count
+when removing control-block from the list of blocks, and calls lapb_put
+itself to decrement the ref-count before returning.
+
+However, lapb_unregister also calls __lapb_devtostruct to look up the
+right control-block for the given net_device, and __lapb_devtostruct
+also bumps the ref-count, which means that when lapb_unregister returns
+the ref-count is still 1 and the control-block is leaked.
+
+Call lapb_put after __lapb_devtostruct to fix leak.
+
+Reported-by: syzbot+afb980676c836b4a0afa@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/lapb/lapb_iface.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/lapb/lapb_iface.c
++++ b/net/lapb/lapb_iface.c
+@@ -182,6 +182,7 @@ int lapb_unregister(struct net_device *d
+ lapb = __lapb_devtostruct(dev);
+ if (!lapb)
+ goto out;
++ lapb_put(lapb);
+ 
+ lapb_stop_t1timer(lapb);
+ lapb_stop_t2timer(lapb);
diff --git a/queue-4.4/neigh-fix-use-after-free-read-in-pneigh_get_next.patch b/queue-4.4/neigh-fix-use-after-free-read-in-pneigh_get_next.patch
new file mode 100644
index 00000000000..5b5318bb8fd
--- /dev/null
+++ b/queue-4.4/neigh-fix-use-after-free-read-in-pneigh_get_next.patch
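Review bot: `lapb_put(lapb)` is now called immediately after `__lapb_devtostruct(dev)` while `lapb` keeps being used for the rest of lapb_unregister (the timer stops visible here and, per the changelog, `__lapb_remove_cb` and a final `lapb_put` outside the hunk), so the early drop is safe only because the list still holds its own reference and, presumably, the function runs under the list lock that `__lapb_devtostruct` requires; neither invariant is visible in the hunk. A comment at the new line would protect it from a future reordering: `/* drop the ref taken by __lapb_devtostruct(); the list's own ref keeps lapb alive until __lapb_remove_cb() */`. Alternatively, move the put to just before `out:` so the pointer is never used after its reference is released. lapb_unregister begins and ends outside the hunk.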
@@ -0,0 +1,185 @@
+From foo@baz Wed 19 Jun 2019 04:10:50 PM CEST
+From: Eric Dumazet
+Date: Sat, 15 Jun 2019 16:28:48 -0700
+Subject: neigh: fix use-after-free read in pneigh_get_next
+
+From: Eric Dumazet
+
+[ Upstream commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 ]
+
+Nine years ago, I added RCU handling to neighbours, not pneighbours.
+(pneigh are not commonly used)
+
+Unfortunately I missed that /proc dump operations would use a
+common entry and exit point : neigh_seq_start() and neigh_seq_stop()
+
+We need to read_lock(tbl->lock) or risk use-after-free while
+iterating the pneigh structures.
+
+We might later convert pneigh to RCU and revert this patch.
+
+sysbot reported :
+
+BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
+Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825
+
+CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
+ __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ kasan_report+0x12/0x20 mm/kasan/common.c:614
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+ pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
+ neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240
+ seq_read+0x9cf/0x1110 fs/seq_file.c:258
+ proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221
+ do_loop_readv_writev fs/read_write.c:714 [inline]
+ do_loop_readv_writev fs/read_write.c:701 [inline]
+ do_iter_read+0x4a4/0x660 fs/read_write.c:935
+ vfs_readv+0xf0/0x160 fs/read_write.c:997
+ kernel_readv fs/splice.c:359 [inline]
+ default_file_splice_read+0x475/0x890 fs/splice.c:414
+ do_splice_to+0x127/0x180 fs/splice.c:877
+ splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954
+ do_splice_direct+0x1da/0x2a0 fs/splice.c:1063
+ do_sendfile+0x597/0xd00 fs/read_write.c:1464
+ __do_sys_sendfile64 fs/read_write.c:1525 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1511 [inline]
+ __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4592c9
+Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
+RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4
+R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
+
+Allocated by task 9827:
+ save_stack+0x23/0x90 mm/kasan/common.c:71
+ set_track mm/kasan/common.c:79 [inline]
+ __kasan_kmalloc mm/kasan/common.c:489 [inline]
+ __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
+ __do_kmalloc mm/slab.c:3660 [inline]
+ __kmalloc+0x15c/0x740 mm/slab.c:3669
+ kmalloc include/linux/slab.h:552 [inline]
+ pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731
+ arp_req_set_public net/ipv4/arp.c:1010 [inline]
+ arp_req_set+0x613/0x720 net/ipv4/arp.c:1026
+ arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226
+ inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926
+ sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043
+ sock_ioctl+0x3ed/0x780 net/socket.c:1194
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 9824:
+ save_stack+0x23/0x90 mm/kasan/common.c:71
+ set_track mm/kasan/common.c:79 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
+ __cache_free mm/slab.c:3432 [inline]
+ kfree+0xcf/0x220 mm/slab.c:3755
+ pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline]
+ __neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356
+ neigh_ifdown+0x20/0x30 net/core/neighbour.c:372
+ arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274
+ inetdev_destroy net/ipv4/devinet.c:319 [inline]
+ inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544
+ notifier_call_chain+0xc2/0x230 kernel/notifier.c:95
+ __raw_notifier_call_chain kernel/notifier.c:396 [inline]
+ raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403
+ call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749
+ call_netdevice_notifiers_extack net/core/dev.c:1761 [inline]
+ call_netdevice_notifiers net/core/dev.c:1775 [inline]
+ rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178
+ rollback_registered+0x109/0x1d0 net/core/dev.c:8220
+ unregister_netdevice_queue net/core/dev.c:9267 [inline]
+ unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260
+ unregister_netdevice include/linux/netdevice.h:2631 [inline]
+ __tun_detach+0xd8a/0x1040 drivers/net/tun.c:724
+ tun_detach drivers/net/tun.c:741 [inline]
+ tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ tracehook_notify_resume include/linux/tracehook.h:185 [inline]
+ exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168
+ prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
+ do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff888097f2a700
+ which belongs to the cache kmalloc-64 of size 64
+The buggy address is located 0 bytes inside of
+ 64-byte region [ffff888097f2a700, ffff888097f2a740)
+The buggy address belongs to the page:
+page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
+flags: 0x1fffc0000000200(slab)
+raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340
+raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+ ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+>ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/neighbour.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -2705,6 +2705,7 @@ static void *neigh_get_idx_any(struct se
+ }
+ 
+ void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags)
++ __acquires(tbl->lock)
+ __acquires(rcu_bh)
+ {
+ struct neigh_seq_state *state = seq->private;
+@@ -2715,6 +2716,7 @@ void *neigh_seq_start(struct seq_file *s
+ 
+ rcu_read_lock_bh();
+ state->nht = rcu_dereference_bh(tbl->nht);
++ read_lock(&tbl->lock);
+ 
+ return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN;
+ }
+@@ -2748,8 +2750,13 @@ out:
+ EXPORT_SYMBOL(neigh_seq_next);
+ 
+ void neigh_seq_stop(struct seq_file *seq, void *v)
++ __releases(tbl->lock)
+ __releases(rcu_bh)
+ {
++ struct neigh_seq_state *state = seq->private;
++ struct neigh_table *tbl = state->tbl;
++
++ read_unlock(&tbl->lock);
+ rcu_read_unlock_bh();
+ }
+ EXPORT_SYMBOL(neigh_seq_stop);
diff --git a/queue-4.4/series b/queue-4.4/series
index 38f44942535..1b2796f5e72 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -60,3 +60,9 @@ usb-usb-storage-add-new-id-to-ums-realtek.patch
 usb-serial-pl2303-add-allied-telesis-vt-kit3.patch
 usb-serial-option-add-support-for-simcom-sim7500-sim7600-rndis-mode.patch
 usb-serial-option-add-telit-0x1260-and-0x1261-compositions.patch
+ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch
+be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch
+ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch
+lapb-fixed-leak-of-control-blocks.patch
+neigh-fix-use-after-free-read-in-pneigh_get_next.patch
+sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
diff --git a/queue-4.4/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch b/queue-4.4/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
new file mode 100644
index 00000000000..f7e315efe2a
--- /dev/null
+++ b/queue-4.4/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
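Review bot: The new `read_lock(&tbl->lock)` in neigh_seq_start is taken right after `rcu_read_lock_bh()` and released in neigh_seq_stop before `rcu_read_unlock_bh()`, and that ordering is load-bearing: the writers of tbl->lock elsewhere in neighbour.c use, as far as I recall, the `_bh` variants, so the plain `read_lock()` here is only deadlock-free because BH is already off. Nothing in the hunk records that; I'd put above the new lock `/* pneigh entries are not RCU-protected: hold tbl->lock (BH already disabled by rcu_read_lock_bh) for the whole seq walk */`, and note in neigh_seq_stop that `state->tbl` must have been assigned by neigh_seq_start, which happens outside the hunk. Since the lock is now held across every show callback of the /proc readers, those callbacks must neither sleep nor take tbl->lock themselves; one sentence in the same comment would make that contract explicit. Both neigh_seq_start and neigh_seq_stop are cut by their hunks.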
@@ -0,0 +1,61 @@
+From foo@baz Wed 19 Jun 2019 04:10:50 PM CEST
+From: John Paul Adrian Glaubitz
+Date: Tue, 11 Jun 2019 17:38:37 +0200
+Subject: sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
+
+From: John Paul Adrian Glaubitz
+
+[ Upstream commit 07a6d63eb1b54b5fb38092780fe618dfe1d96e23 ]
+
+In d5a2aa24, the name in struct console sunhv_console was changed from "ttyS"
+to "ttyHV" while the name in struct uart_ops sunhv_pops remained unchanged.
+
+This results in the hypervisor console device to be listed as "ttyHV0" under
+/proc/consoles while the device node is still named "ttyS0":
+
+root@osaka:~# cat /proc/consoles
+ttyHV0 -W- (EC p ) 4:64
+tty0 -WU (E ) 4:1
+root@osaka:~# readlink /sys/dev/char/4:64
+../../devices/root/f02836f0/f0285690/tty/ttyS0
+root@osaka:~#
+
+This means that any userland code which tries to determine the name of the
+device file of the hypervisor console device can not rely on the information
+provided by /proc/consoles. In particular, booting current versions of debian-
+installer inside a SPARC LDOM will fail with the installer unable to determine
+the console device.
+
+After renaming the device in struct uart_ops sunhv_pops to "ttyHV" as well,
+the inconsistency is fixed and it is possible again to determine the name
+of the device file of the hypervisor console device by reading the contents
+of /proc/console:
+
+root@osaka:~# cat /proc/consoles
+ttyHV0 -W- (EC p ) 4:64
+tty0 -WU (E ) 4:1
+root@osaka:~# readlink /sys/dev/char/4:64
+../../devices/root/f02836f0/f0285690/tty/ttyHV0
+root@osaka:~#
+
+With this change, debian-installer works correctly when installing inside
+a SPARC LDOM.
+
+Signed-off-by: John Paul Adrian Glaubitz
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/sunhv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sunhv.c
++++ b/drivers/tty/serial/sunhv.c
+@@ -392,7 +392,7 @@ static struct uart_ops sunhv_pops = {
+ static struct uart_driver sunhv_reg = {
+ .owner = THIS_MODULE,
+ .driver_name = "sunhv",
+- .dev_name = "ttyS",
++ .dev_name = "ttyHV",
+ .major = TTY_MAJOR,
+ };
+
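Review bot: Changing `.dev_name` from `"ttyS"` to `"ttyHV"` renames the device node (`/dev/ttyS0` becomes `/dev/ttyHV0`) on every sun4v guest that picks up this 4.4 stable release, which is a user-visible change that the changelog frames only as a /proc/consoles consistency fix; getty or inittab entries, udev rules and serial-console scripts that name ttyS0 stop matching after the update. Per the description, the console name was already "ttyHV", so `console=ttyHV0` command lines are unaffected, but a stable-release caveat (or a sentence in the backport) saying the node name changes would save operators a surprise. sunhv_reg is shown in full; sunhv_console and sunhv_pops are outside the hunk.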