From: Greg Kroah-Hartman
Date: Thu, 6 Feb 2025 14:31:33 +0000 (+0100)
Subject: drop a bunch of patches that people asked to be dropped
X-Git-Tag: v6.6.76~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3995e9f81ce44a0c85154c195e94d19735162985;p=thirdparty%2Fkernel%2Fstable-queue.git

drop a bunch of patches that people asked to be dropped
---
diff --git a/queue-6.12/pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch b/queue-6.12/pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch
deleted file mode 100644
index a3db9100c3..0000000000
--- a/queue-6.12/pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch
+++ /dev/null
@@ -1,100 +0,0 @@ -From 2889b7a13a41b8018ce6f8f40145b9430f95170e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Nov 2024 15:22:02 +0800 -Subject: PCI/ASPM: Save parent L1SS config in pci_save_aspm_l1ss_state() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Jian-Hong Pan - -[ Upstream commit 1db806ec06b7c6e08e8af57088da067963ddf117 ] - -After 17423360a27a ("PCI/ASPM: Save L1 PM Substates Capability for -suspend/resume"), pci_save_aspm_l1ss_state(dev) saves the L1SS state for -"dev", and pci_restore_aspm_l1ss_state(dev) restores the state for both -"dev" and its parent. - -The problem is that unless pci_save_state() has been used in some other -path and has already saved the parent L1SS state, we will restore junk to -the parent, which means the L1 Substates likely won't work correctly. - -Save the L1SS config for both the device and its parent in -pci_save_aspm_l1ss_state(). When restoring, we need both because L1SS must -be enabled at the parent (the Downstream Port) before being enabled at the -child (the Upstream Port). 
- -Link: https://lore.kernel.org/r/20241115072200.37509-3-jhp@endlessos.org -Fixes: 17423360a27a ("PCI/ASPM: Save L1 PM Substates Capability for suspend/resume") -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218394 -Suggested-by: Ilpo Järvinen -Signed-off-by: Jian-Hong Pan -[bhelgaas: parallel save/restore structure, simplify commit log, patch at -https://lore.kernel.org/r/20241212230340.GA3267194@bhelgaas] -Signed-off-by: Bjorn Helgaas -Tested-by: Jian-Hong Pan # Asus B1400CEAE -Signed-off-by: Sasha Levin ---- - drivers/pci/pcie/aspm.c | 33 ++++++++++++++++++++++++++++----- - 1 file changed, 28 insertions(+), 5 deletions(-) - -diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c -index cee2365e54b8b..9bbcfc91a491e 100644 ---- a/drivers/pci/pcie/aspm.c -+++ b/drivers/pci/pcie/aspm.c -@@ -81,24 +81,47 @@ void pci_configure_aspm_l1ss(struct pci_dev *pdev) - - void pci_save_aspm_l1ss_state(struct pci_dev *pdev) - { -+ struct pci_dev *parent = pdev->bus->self; - struct pci_cap_saved_state *save_state; -- u16 l1ss = pdev->l1ss; - u32 *cap; - -+ /* -+ * If this is a Downstream Port, we never restore the L1SS state -+ * directly; we only restore it when we restore the state of the -+ * Upstream Port below it. -+ */ -+ if (pcie_downstream_port(pdev) || !parent) -+ return; -+ -+ if (!pdev->l1ss || !parent->l1ss) -+ return; -+ - /* - * Save L1 substate configuration. The ASPM L0s/L1 configuration - * in PCI_EXP_LNKCTL_ASPMC is saved by pci_save_pcie_state(). 
- */ -- if (!l1ss) -+ save_state = pci_find_saved_ext_cap(pdev, PCI_EXT_CAP_ID_L1SS); -+ if (!save_state) - return; - -- save_state = pci_find_saved_ext_cap(pdev, PCI_EXT_CAP_ID_L1SS); -+ cap = &save_state->cap.data[0]; -+ pci_read_config_dword(pdev, pdev->l1ss + PCI_L1SS_CTL2, cap++); -+ pci_read_config_dword(pdev, pdev->l1ss + PCI_L1SS_CTL1, cap++); -+ -+ if (parent->state_saved) -+ return; -+ -+ /* -+ * Save parent's L1 substate configuration so we have it for -+ * pci_restore_aspm_l1ss_state(pdev) to restore. -+ */ -+ save_state = pci_find_saved_ext_cap(parent, PCI_EXT_CAP_ID_L1SS); - if (!save_state) - return; - - cap = &save_state->cap.data[0]; -- pci_read_config_dword(pdev, l1ss + PCI_L1SS_CTL2, cap++); -- pci_read_config_dword(pdev, l1ss + PCI_L1SS_CTL1, cap++); -+ pci_read_config_dword(parent, parent->l1ss + PCI_L1SS_CTL2, cap++); -+ pci_read_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, cap++); - } - - void pci_restore_aspm_l1ss_state(struct pci_dev *pdev) --- -2.39.5 - diff --git a/queue-6.12/series b/queue-6.12/series index 4ecf2d5f76..f33515e641 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -406,7 +406,6 @@ of-fdt-restore-possibility-to-use-both-acpi-and-fdt-.patch media-rc-iguanair-handle-timeouts.patch media-lmedm04-handle-errors-for-lme2510_int_read.patch pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch -pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch remoteproc-mtk_scp-only-populate-devices-for-scp-cor.patch media-marvell-add-check-for-clk_enable.patch media-i2c-imx290-register-0x3011-varies-between-imx3.patch 
@@ -509,7 +508,6 @@ perf-test-skip-syscall-enum-test-if-no-landlock-sysc.patch pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch bluetooth-btusb-mediatek-add-locks-for-usb_driver_cl.patch bluetooth-btnxpuart-fix-glitches-seen-in-dual-a2dp-s.patch -vsock-keep-the-binding-until-socket-destruction.patch vsock-allow-retrying-on-connect-failure.patch bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch tcp-correct-handling-of-extreme-memory-squeeze.patch @@ -588,3 +586,4 @@ kvm-x86-plumb-in-the-vcpu-to-kvm_x86_ops.hwapic_isr_update.patch memcg-fix-soft-lockup-in-the-oom-process.patch loongarch-change-8-to-14-for-loongarch_max_-brp-wrp.patch btrfs-do-proper-folio-cleanup-when-run_delalloc_nocow-failed.patch +ethtool-ntuple-fix-rss-ring_cookie-check.patch diff --git a/queue-6.12/vsock-allow-retrying-on-connect-failure.patch b/queue-6.12/vsock-allow-retrying-on-connect-failure.patch index 7c6f9ad0e3..f4526b2efd 100644 --- a/queue-6.12/vsock-allow-retrying-on-connect-failure.patch +++ b/queue-6.12/vsock-allow-retrying-on-connect-failure.patch @@ -21,14 +21,12 @@ Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-2-1cf5706 Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - net/vmw_vsock/af_vsock.c | 5 +++++ + net/vmw_vsock/af_vsock.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index 98315d9d07528..ec4c1fbbcec74 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c -@@ -1523,6 +1523,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, +@@ -1519,6 +1519,11 @@ static int vsock_connect(struct socket * if (err < 0) goto out; @@ -40,6 +38,3 @@ index 98315d9d07528..ec4c1fbbcec74 100644 /* Mark sock as connecting and set the error code to in * progress in case this is a non-blocking connect. */ --- -2.39.5 - 
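Review bot: Nothing in this commit records why vsock-keep-the-binding-until-socket-destruction.patch was dropped, or that vsock-allow-retrying-on-connect-failure.patch, which is kept and refreshed here, is safe to ship without it. The Link trailers (`...-v3-1-...` on the dropped patch, `...-v3-2-...` on the kept one) show they are parts 1 and 2 of one upstream series, and the refresh only moves the inner hunk from `@@ -1523,6 +1523,11 @@` to `@@ -1519,6 +1519,11 @@`, which shows the patch still applies, not that it is still correct on its own. The dropped patch's log describes a use-after-free in `__vsock_bind()` with a KASAN report, so these queues go out without that fix until it is re-queued. I would add a line to the commit message such as `vsock-keep-the-binding: dropped on request, see <link to the request thread>; re-queue together with <follow-up commit, if any>`, where both bracketed values are placeholders. The same applies to the queue-6.13 and queue-6.6 refreshes of the same patch.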
diff --git a/queue-6.12/vsock-keep-the-binding-until-socket-destruction.patch b/queue-6.12/vsock-keep-the-binding-until-socket-destruction.patch
deleted file mode 100644
index 2a3a633e80..0000000000
--- a/queue-6.12/vsock-keep-the-binding-until-socket-destruction.patch
+++ /dev/null
@@ -1,136 +0,0 @@ -From ee6855bca8cf3c6f172db6654df92ee8da388de3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 Jan 2025 14:15:27 +0100 -Subject: vsock: Keep the binding until socket destruction - -From: Michal Luczaj - -[ Upstream commit fcdd2242c0231032fc84e1404315c245ae56322a ] - -Preserve sockets bindings; this includes both resulting from an explicit -bind() and those implicitly bound through autobind during connect(). - -Prevents socket unbinding during a transport reassignment, which fixes a -use-after-free: - - 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) - 2. transport->release() calls vsock_remove_bound() without checking if - sk was bound and moved to bound list (refcnt=1) - 3. vsock_bind() assumes sk is in unbound list and before - __vsock_insert_bound(vsock_bound_sockets()) calls - __vsock_remove_bound() which does: - list_del_init(&vsk->bound_table); // nop - sock_put(&vsk->sk); // refcnt=0 - -BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 -Read of size 4 at addr ffff88816b46a74c by task a.out/2057 - dump_stack_lvl+0x68/0x90 - print_report+0x174/0x4f6 - kasan_report+0xb9/0x190 - __vsock_bind+0x62e/0x730 - vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Allocated by task 2057: - kasan_save_stack+0x1e/0x40 - kasan_save_track+0x10/0x30 - __kasan_slab_alloc+0x85/0x90 - kmem_cache_alloc_noprof+0x131/0x450 - sk_prot_alloc+0x5b/0x220 - sk_alloc+0x2c/0x870 - __vsock_create.constprop.0+0x2e/0xb60 - vsock_create+0xe4/0x420 - __sock_create+0x241/0x650 - __sys_socket+0xf2/0x1a0 - __x64_sys_socket+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Freed by task 2057: - kasan_save_stack+0x1e/0x40 - kasan_save_track+0x10/0x30 - kasan_save_free_info+0x37/0x60 - __kasan_slab_free+0x4b/0x70 - kmem_cache_free+0x1a1/0x590 - __sk_destruct+0x388/0x5a0 - __vsock_bind+0x5e1/0x730 - 
vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -refcount_t: addition on 0; use-after-free. -WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 -RIP: 0010:refcount_warn_saturate+0xce/0x150 - __vsock_bind+0x66d/0x730 - vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -refcount_t: underflow; use-after-free. -WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 -RIP: 0010:refcount_warn_saturate+0xee/0x150 - vsock_remove_bound+0x187/0x1e0 - __vsock_release+0x383/0x4a0 - vsock_release+0x90/0x120 - __sock_release+0xa3/0x250 - sock_close+0x14/0x20 - __fput+0x359/0xa80 - task_work_run+0x107/0x1d0 - do_exit+0x847/0x2560 - do_group_exit+0xb8/0x250 - __x64_sys_exit_group+0x3a/0x50 - x64_sys_call+0xfec/0x14f0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") -Reviewed-by: Stefano Garzarella -Signed-off-by: Michal Luczaj -Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/vmw_vsock/af_vsock.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index 15724f171b0f9..98315d9d07528 100644 ---- a/net/vmw_vsock/af_vsock.c -+++ b/net/vmw_vsock/af_vsock.c -@@ -337,7 +337,10 @@ EXPORT_SYMBOL_GPL(vsock_find_connected_socket); - - void vsock_remove_sock(struct vsock_sock *vsk) - { -- vsock_remove_bound(vsk); -+ /* Transport reassignment must not remove the binding. 
*/ -+ if (sock_flag(sk_vsock(vsk), SOCK_DEAD)) -+ vsock_remove_bound(vsk); -+ - vsock_remove_connected(vsk); - } - EXPORT_SYMBOL_GPL(vsock_remove_sock); -@@ -821,12 +824,13 @@ static void __vsock_release(struct sock *sk, int level) - */ - lock_sock_nested(sk, level); - -+ sock_orphan(sk); -+ - if (vsk->transport) - vsk->transport->release(vsk); - else if (sock_type_connectible(sk->sk_type)) - vsock_remove_sock(vsk); - -- sock_orphan(sk); - sk->sk_shutdown = SHUTDOWN_MASK; - - skb_queue_purge(&sk->sk_receive_queue); --- -2.39.5 - diff --git a/queue-6.13/pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch b/queue-6.13/pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch deleted file mode 100644 index aca316f73f..0000000000 --- a/queue-6.13/pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 9da96935990a075ec77d87a7306446f6107bbf50 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Nov 2024 15:22:02 +0800 -Subject: PCI/ASPM: Save parent L1SS config in pci_save_aspm_l1ss_state() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Jian-Hong Pan - -[ Upstream commit 1db806ec06b7c6e08e8af57088da067963ddf117 ] - -After 17423360a27a ("PCI/ASPM: Save L1 PM Substates Capability for -suspend/resume"), pci_save_aspm_l1ss_state(dev) saves the L1SS state for -"dev", and pci_restore_aspm_l1ss_state(dev) restores the state for both -"dev" and its parent. - -The problem is that unless pci_save_state() has been used in some other -path and has already saved the parent L1SS state, we will restore junk to -the parent, which means the L1 Substates likely won't work correctly. - -Save the L1SS config for both the device and its parent in -pci_save_aspm_l1ss_state(). When restoring, we need both because L1SS must -be enabled at the parent (the Downstream Port) before being enabled at the -child (the Upstream Port). 
- -Link: https://lore.kernel.org/r/20241115072200.37509-3-jhp@endlessos.org -Fixes: 17423360a27a ("PCI/ASPM: Save L1 PM Substates Capability for suspend/resume") -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218394 -Suggested-by: Ilpo Järvinen -Signed-off-by: Jian-Hong Pan -[bhelgaas: parallel save/restore structure, simplify commit log, patch at -https://lore.kernel.org/r/20241212230340.GA3267194@bhelgaas] -Signed-off-by: Bjorn Helgaas -Tested-by: Jian-Hong Pan # Asus B1400CEAE -Signed-off-by: Sasha Levin ---- - drivers/pci/pcie/aspm.c | 33 ++++++++++++++++++++++++++++----- - 1 file changed, 28 insertions(+), 5 deletions(-) - -diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c -index 28567d457613b..e0bc90597dcad 100644 ---- a/drivers/pci/pcie/aspm.c -+++ b/drivers/pci/pcie/aspm.c -@@ -81,24 +81,47 @@ void pci_configure_aspm_l1ss(struct pci_dev *pdev) - - void pci_save_aspm_l1ss_state(struct pci_dev *pdev) - { -+ struct pci_dev *parent = pdev->bus->self; - struct pci_cap_saved_state *save_state; -- u16 l1ss = pdev->l1ss; - u32 *cap; - -+ /* -+ * If this is a Downstream Port, we never restore the L1SS state -+ * directly; we only restore it when we restore the state of the -+ * Upstream Port below it. -+ */ -+ if (pcie_downstream_port(pdev) || !parent) -+ return; -+ -+ if (!pdev->l1ss || !parent->l1ss) -+ return; -+ - /* - * Save L1 substate configuration. The ASPM L0s/L1 configuration - * in PCI_EXP_LNKCTL_ASPMC is saved by pci_save_pcie_state(). 
- */ -- if (!l1ss) -+ save_state = pci_find_saved_ext_cap(pdev, PCI_EXT_CAP_ID_L1SS); -+ if (!save_state) - return; - -- save_state = pci_find_saved_ext_cap(pdev, PCI_EXT_CAP_ID_L1SS); -+ cap = &save_state->cap.data[0]; -+ pci_read_config_dword(pdev, pdev->l1ss + PCI_L1SS_CTL2, cap++); -+ pci_read_config_dword(pdev, pdev->l1ss + PCI_L1SS_CTL1, cap++); -+ -+ if (parent->state_saved) -+ return; -+ -+ /* -+ * Save parent's L1 substate configuration so we have it for -+ * pci_restore_aspm_l1ss_state(pdev) to restore. -+ */ -+ save_state = pci_find_saved_ext_cap(parent, PCI_EXT_CAP_ID_L1SS); - if (!save_state) - return; - - cap = &save_state->cap.data[0]; -- pci_read_config_dword(pdev, l1ss + PCI_L1SS_CTL2, cap++); -- pci_read_config_dword(pdev, l1ss + PCI_L1SS_CTL1, cap++); -+ pci_read_config_dword(parent, parent->l1ss + PCI_L1SS_CTL2, cap++); -+ pci_read_config_dword(parent, parent->l1ss + PCI_L1SS_CTL1, cap++); - } - - void pci_restore_aspm_l1ss_state(struct pci_dev *pdev) --- -2.39.5 - diff --git a/queue-6.13/series b/queue-6.13/series index 460b5da576..3ce4040313 100644 --- a/queue-6.13/series +++ b/queue-6.13/series @@ -442,7 +442,6 @@ of-fdt-restore-possibility-to-use-both-acpi-and-fdt-.patch media-rc-iguanair-handle-timeouts.patch media-lmedm04-handle-errors-for-lme2510_int_read.patch pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch -pci-aspm-save-parent-l1ss-config-in-pci_save_aspm_l1.patch remoteproc-mtk_scp-only-populate-devices-for-scp-cor.patch media-marvell-add-check-for-clk_enable.patch media-i2c-imx290-register-0x3011-varies-between-imx3.patch 
@@ -541,7 +540,6 @@ perf-test-skip-syscall-enum-test-if-no-landlock-sysc.patch pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch bluetooth-btusb-mediatek-add-locks-for-usb_driver_cl.patch bluetooth-btnxpuart-fix-glitches-seen-in-dual-a2dp-s.patch -vsock-keep-the-binding-until-socket-destruction.patch vsock-allow-retrying-on-connect-failure.patch bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch tcp-correct-handling-of-extreme-memory-squeeze.patch diff --git a/queue-6.13/vsock-allow-retrying-on-connect-failure.patch b/queue-6.13/vsock-allow-retrying-on-connect-failure.patch index 78110868d5..ef29565b10 100644 --- a/queue-6.13/vsock-allow-retrying-on-connect-failure.patch +++ b/queue-6.13/vsock-allow-retrying-on-connect-failure.patch @@ -21,14 +21,12 @@ Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-2-1cf5706 Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - net/vmw_vsock/af_vsock.c | 5 +++++ + net/vmw_vsock/af_vsock.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index cfe18bc8fdbe7..075695173648d 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c -@@ -1523,6 +1523,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, +@@ -1519,6 +1519,11 @@ static int vsock_connect(struct socket * if (err < 0) goto out; @@ -40,6 +38,3 @@ index cfe18bc8fdbe7..075695173648d 100644 /* Mark sock as connecting and set the error code to in * progress in case this is a non-blocking connect. */ --- -2.39.5 - diff --git a/queue-6.13/vsock-keep-the-binding-until-socket-destruction.patch b/queue-6.13/vsock-keep-the-binding-until-socket-destruction.patch deleted file mode 100644 index 031c88803c..0000000000 --- a/queue-6.13/vsock-keep-the-binding-until-socket-destruction.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 064221b50fd03a2a51e93e7d946a2efd486879fd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 Jan 2025 14:15:27 +0100 -Subject: vsock: Keep the binding until socket destruction - -From: Michal Luczaj - -[ Upstream commit fcdd2242c0231032fc84e1404315c245ae56322a ] - -Preserve sockets bindings; this includes both resulting from an explicit -bind() and those implicitly bound through autobind during connect(). - -Prevents socket unbinding during a transport reassignment, which fixes a -use-after-free: - - 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) - 2. transport->release() calls vsock_remove_bound() without checking if - sk was bound and moved to bound list (refcnt=1) - 3. vsock_bind() assumes sk is in unbound list and before - __vsock_insert_bound(vsock_bound_sockets()) calls - __vsock_remove_bound() which does: - list_del_init(&vsk->bound_table); // nop - sock_put(&vsk->sk); // refcnt=0 - -BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 -Read of size 4 at addr ffff88816b46a74c by task a.out/2057 - dump_stack_lvl+0x68/0x90 - print_report+0x174/0x4f6 - kasan_report+0xb9/0x190 - __vsock_bind+0x62e/0x730 - vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Allocated by task 2057: - kasan_save_stack+0x1e/0x40 - kasan_save_track+0x10/0x30 - __kasan_slab_alloc+0x85/0x90 - kmem_cache_alloc_noprof+0x131/0x450 - sk_prot_alloc+0x5b/0x220 - sk_alloc+0x2c/0x870 - __vsock_create.constprop.0+0x2e/0xb60 - vsock_create+0xe4/0x420 - __sock_create+0x241/0x650 - __sys_socket+0xf2/0x1a0 - __x64_sys_socket+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Freed by task 2057: - kasan_save_stack+0x1e/0x40 - kasan_save_track+0x10/0x30 - kasan_save_free_info+0x37/0x60 - __kasan_slab_free+0x4b/0x70 - kmem_cache_free+0x1a1/0x590 - __sk_destruct+0x388/0x5a0 - __vsock_bind+0x5e1/0x730 - 
vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -refcount_t: addition on 0; use-after-free. -WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 -RIP: 0010:refcount_warn_saturate+0xce/0x150 - __vsock_bind+0x66d/0x730 - vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -refcount_t: underflow; use-after-free. -WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 -RIP: 0010:refcount_warn_saturate+0xee/0x150 - vsock_remove_bound+0x187/0x1e0 - __vsock_release+0x383/0x4a0 - vsock_release+0x90/0x120 - __sock_release+0xa3/0x250 - sock_close+0x14/0x20 - __fput+0x359/0xa80 - task_work_run+0x107/0x1d0 - do_exit+0x847/0x2560 - do_group_exit+0xb8/0x250 - __x64_sys_exit_group+0x3a/0x50 - x64_sys_call+0xfec/0x14f0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") -Reviewed-by: Stefano Garzarella -Signed-off-by: Michal Luczaj -Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/vmw_vsock/af_vsock.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index fa9d1b49599bf..cfe18bc8fdbe7 100644 ---- a/net/vmw_vsock/af_vsock.c -+++ b/net/vmw_vsock/af_vsock.c -@@ -337,7 +337,10 @@ EXPORT_SYMBOL_GPL(vsock_find_connected_socket); - - void vsock_remove_sock(struct vsock_sock *vsk) - { -- vsock_remove_bound(vsk); -+ /* Transport reassignment must not remove the binding. 
*/ -+ if (sock_flag(sk_vsock(vsk), SOCK_DEAD)) -+ vsock_remove_bound(vsk); -+ - vsock_remove_connected(vsk); - } - EXPORT_SYMBOL_GPL(vsock_remove_sock); -@@ -821,12 +824,13 @@ static void __vsock_release(struct sock *sk, int level) - */ - lock_sock_nested(sk, level); - -+ sock_orphan(sk); -+ - if (vsk->transport) - vsk->transport->release(vsk); - else if (sock_type_connectible(sk->sk_type)) - vsock_remove_sock(vsk); - -- sock_orphan(sk); - sk->sk_shutdown = SHUTDOWN_MASK; - - skb_queue_purge(&sk->sk_receive_queue); --- -2.39.5 - diff --git a/queue-6.6/series b/queue-6.6/series index 31d75647cd..89eaa3bf93 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -338,7 +338,6 @@ pm-sleep-restore-asynchronous-device-resume-optimiza.patch pm-sleep-use-bool-for-all-1-bit-fields-in-struct-dev.patch pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch bluetooth-btnxpuart-fix-glitches-seen-in-dual-a2dp-s.patch -vsock-keep-the-binding-until-socket-destruction.patch vsock-allow-retrying-on-connect-failure.patch bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch tcp-correct-handling-of-extreme-memory-squeeze.patch diff --git a/queue-6.6/vsock-allow-retrying-on-connect-failure.patch b/queue-6.6/vsock-allow-retrying-on-connect-failure.patch index 2729673f91..082503d18e 100644 --- a/queue-6.6/vsock-allow-retrying-on-connect-failure.patch +++ b/queue-6.6/vsock-allow-retrying-on-connect-failure.patch @@ -21,14 +21,12 @@ Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-2-1cf5706 Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - net/vmw_vsock/af_vsock.c | 5 +++++ + net/vmw_vsock/af_vsock.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index ea857ed57d046..df7d95b404d99 100644 --- a/net/vmw_vsock/af_vsock.c 
+++ b/net/vmw_vsock/af_vsock.c -@@ -1457,6 +1457,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, +@@ -1453,6 +1453,11 @@ static int vsock_connect(struct socket * if (err < 0) goto out; @@ -40,6 +38,3 @@ index ea857ed57d046..df7d95b404d99 100644 /* Mark sock as connecting and set the error code to in * progress in case this is a non-blocking connect. */ --- -2.39.5 - diff --git a/queue-6.6/vsock-keep-the-binding-until-socket-destruction.patch b/queue-6.6/vsock-keep-the-binding-until-socket-destruction.patch deleted file mode 100644 index d4e983c7d6..0000000000 --- a/queue-6.6/vsock-keep-the-binding-until-socket-destruction.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 41cc051e6272bcd02bad6ded24968eee5f7d65a5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 Jan 2025 14:15:27 +0100 -Subject: vsock: Keep the binding until socket destruction - -From: Michal Luczaj - -[ Upstream commit fcdd2242c0231032fc84e1404315c245ae56322a ] - -Preserve sockets bindings; this includes both resulting from an explicit -bind() and those implicitly bound through autobind during connect(). - -Prevents socket unbinding during a transport reassignment, which fixes a -use-after-free: - - 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) - 2. transport->release() calls vsock_remove_bound() without checking if - sk was bound and moved to bound list (refcnt=1) - 3. vsock_bind() assumes sk is in unbound list and before - __vsock_insert_bound(vsock_bound_sockets()) calls - __vsock_remove_bound() which does: - list_del_init(&vsk->bound_table); // nop - sock_put(&vsk->sk); // refcnt=0 - -BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 -Read of size 4 at addr ffff88816b46a74c by task a.out/2057 - dump_stack_lvl+0x68/0x90 - print_report+0x174/0x4f6 - kasan_report+0xb9/0x190 - __vsock_bind+0x62e/0x730 - vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Allocated by task 2057: - kasan_save_stack+0x1e/0x40 - kasan_save_track+0x10/0x30 - __kasan_slab_alloc+0x85/0x90 - kmem_cache_alloc_noprof+0x131/0x450 - sk_prot_alloc+0x5b/0x220 - sk_alloc+0x2c/0x870 - __vsock_create.constprop.0+0x2e/0xb60 - vsock_create+0xe4/0x420 - __sock_create+0x241/0x650 - __sys_socket+0xf2/0x1a0 - __x64_sys_socket+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Freed by task 2057: - kasan_save_stack+0x1e/0x40 - kasan_save_track+0x10/0x30 - kasan_save_free_info+0x37/0x60 - __kasan_slab_free+0x4b/0x70 - kmem_cache_free+0x1a1/0x590 - __sk_destruct+0x388/0x5a0 - __vsock_bind+0x5e1/0x730 - 
vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -refcount_t: addition on 0; use-after-free. -WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 -RIP: 0010:refcount_warn_saturate+0xce/0x150 - __vsock_bind+0x66d/0x730 - vsock_bind+0x97/0xe0 - __sys_bind+0x154/0x1f0 - __x64_sys_bind+0x6e/0xb0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -refcount_t: underflow; use-after-free. -WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 -RIP: 0010:refcount_warn_saturate+0xee/0x150 - vsock_remove_bound+0x187/0x1e0 - __vsock_release+0x383/0x4a0 - vsock_release+0x90/0x120 - __sock_release+0xa3/0x250 - sock_close+0x14/0x20 - __fput+0x359/0xa80 - task_work_run+0x107/0x1d0 - do_exit+0x847/0x2560 - do_group_exit+0xb8/0x250 - __x64_sys_exit_group+0x3a/0x50 - x64_sys_call+0xfec/0x14f0 - do_syscall_64+0x93/0x1b0 - entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") -Reviewed-by: Stefano Garzarella -Signed-off-by: Michal Luczaj -Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/vmw_vsock/af_vsock.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index 2050d888df2ae..ea857ed57d046 100644 ---- a/net/vmw_vsock/af_vsock.c -+++ b/net/vmw_vsock/af_vsock.c -@@ -336,7 +336,10 @@ EXPORT_SYMBOL_GPL(vsock_find_connected_socket); - - void vsock_remove_sock(struct vsock_sock *vsk) - { -- vsock_remove_bound(vsk); -+ /* Transport reassignment must not remove the binding. 
*/ -+ if (sock_flag(sk_vsock(vsk), SOCK_DEAD)) -+ vsock_remove_bound(vsk); -+ - vsock_remove_connected(vsk); - } - EXPORT_SYMBOL_GPL(vsock_remove_sock); -@@ -820,12 +823,13 @@ static void __vsock_release(struct sock *sk, int level) - */ - lock_sock_nested(sk, level); - -+ sock_orphan(sk); -+ - if (vsk->transport) - vsk->transport->release(vsk); - else if (sock_type_connectible(sk->sk_type)) - vsock_remove_sock(vsk); - -- sock_orphan(sk); - sk->sk_shutdown = SHUTDOWN_MASK; - - skb_queue_purge(&sk->sk_receive_queue); --- -2.39.5 -