From: Greg Kroah-Hartman Date: Fri, 4 Feb 2022 08:51:48 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.177~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4295a370da3b0edacfc55299f7109db2404dc61c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch cgroup-v1-require-capabilities-to-set-release_agent.patch cpuset-fix-the-bug-that-subpart_cpus-updated-wrongly-in-update_cpumask.patch ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch net-amd-xgbe-fix-skb-data-length-underflow.patch net-sched-fix-use-after-free-in-tc_new_tfilter.patch rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch --- diff --git a/queue-5.4/af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch b/queue-5.4/af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch new file mode 100644 index 00000000000..284a540341c --- /dev/null +++ b/queue-5.4/af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch @@ -0,0 +1,80 @@ +From e42e70ad6ae2ae511a6143d2e8da929366e58bd9 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 31 Jan 2022 18:23:58 -0800 +Subject: af_packet: fix data-race in packet_setsockopt / packet_setsockopt + +From: Eric Dumazet + +commit e42e70ad6ae2ae511a6143d2e8da929366e58bd9 upstream. + +When packet_setsockopt( PACKET_FANOUT_DATA ) reads po->fanout, +no lock is held, meaning that another thread can change po->fanout. + +Given that po->fanout can only be set once during the socket lifetime +(it is only cleared from fanout_release()), we can use +READ_ONCE()/WRITE_ONCE() to document the race. + +BUG: KCSAN: data-race in packet_setsockopt / packet_setsockopt + +write to 0xffff88813ae8e300 of 8 bytes by task 14653 on cpu 0: + fanout_add net/packet/af_packet.c:1791 [inline] + packet_setsockopt+0x22fe/0x24a0 net/packet/af_packet.c:3931 + __sys_setsockopt+0x209/0x2a0 net/socket.c:2180 + __do_sys_setsockopt net/socket.c:2191 [inline] + __se_sys_setsockopt net/socket.c:2188 [inline] + __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88813ae8e300 of 8 bytes by task 14654 on cpu 1: + packet_setsockopt+0x691/0x24a0 net/packet/af_packet.c:3935 + __sys_setsockopt+0x209/0x2a0 net/socket.c:2180 + __do_sys_setsockopt net/socket.c:2191 [inline] + __se_sys_setsockopt net/socket.c:2188 [inline] + __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000000000000000 -> 0xffff888106f8c000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 14654 Comm: syz-executor.3 Not tainted 5.16.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 47dceb8ecdc1 ("packet: add classic BPF fanout mode") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220201022358.330621-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1729,7 +1729,10 @@ static int fanout_add(struct sock *sk, u + err = -ENOSPC; + if (refcount_read(&match->sk_ref) < PACKET_FANOUT_MAX) { + __dev_remove_pack(&po->prot_hook); +- po->fanout = match; ++ ++ /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */ ++ WRITE_ONCE(po->fanout, match); ++ + po->rollover = rollover; + rollover = NULL; + refcount_set(&match->sk_ref, refcount_read(&match->sk_ref) + 1); +@@ -3876,7 +3879,8 @@ packet_setsockopt(struct socket *sock, i + } + case PACKET_FANOUT_DATA: + { +- if (!po->fanout) ++ /* Paired with the WRITE_ONCE() in fanout_add() */ ++ if (!READ_ONCE(po->fanout)) + return -EINVAL; + + return fanout_set_data(po, optval, optlen); diff --git a/queue-5.4/cgroup-v1-require-capabilities-to-set-release_agent.patch b/queue-5.4/cgroup-v1-require-capabilities-to-set-release_agent.patch new file mode 100644 index 00000000000..6797f0989d3 --- /dev/null +++ b/queue-5.4/cgroup-v1-require-capabilities-to-set-release_agent.patch @@ -0,0 +1,54 @@ +From 24f6008564183aa120d07c03d9289519c2fe02af Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 20 Jan 2022 11:04:01 -0600 +Subject: cgroup-v1: Require capabilities to set release_agent + +From: Eric W. Biederman + +commit 24f6008564183aa120d07c03d9289519c2fe02af upstream. + +The cgroup release_agent is called with call_usermodehelper. The function +call_usermodehelper starts the release_agent with a full set fo capabilities. +Therefore require capabilities when setting the release_agaent. + +Reported-by: Tabitha Sable +Tested-by: Tabitha Sable +Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups") +Cc: stable@vger.kernel.org # v2.6.24+ +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cgroup-v1.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -549,6 +549,14 @@ static ssize_t cgroup_release_agent_writ + + BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); + ++ /* ++ * Release agent gets called with all capabilities, ++ * require capabilities to set release agent. ++ */ ++ if ((of->file->f_cred->user_ns != &init_user_ns) || ++ !capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + cgrp = cgroup_kn_lock_live(of->kn, false); + if (!cgrp) + return -ENODEV; +@@ -961,6 +969,12 @@ int cgroup1_parse_param(struct fs_contex + /* Specifying two release agents is forbidden */ + if (ctx->release_agent) + return cg_invalf(fc, "cgroup1: release_agent respecified"); ++ /* ++ * Release agent gets called with all capabilities, ++ * require capabilities to set release agent. ++ */ ++ if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN)) ++ return cg_invalf(fc, "cgroup1: Setting release_agent not allowed"); + ctx->release_agent = param->string; + param->string = NULL; + break; diff --git a/queue-5.4/cpuset-fix-the-bug-that-subpart_cpus-updated-wrongly-in-update_cpumask.patch b/queue-5.4/cpuset-fix-the-bug-that-subpart_cpus-updated-wrongly-in-update_cpumask.patch new file mode 100644 index 00000000000..6e60eb1a0d2 --- /dev/null +++ b/queue-5.4/cpuset-fix-the-bug-that-subpart_cpus-updated-wrongly-in-update_cpumask.patch @@ -0,0 +1,34 @@ +From c80d401c52a2d1baf2a5afeb06f0ffe678e56d23 Mon Sep 17 00:00:00 2001 +From: Tianchen Ding +Date: Tue, 18 Jan 2022 18:05:18 +0800 +Subject: cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() + +From: Tianchen Ding + +commit c80d401c52a2d1baf2a5afeb06f0ffe678e56d23 upstream. + +subparts_cpus should be limited as a subset of cpus_allowed, but it is +updated wrongly by using cpumask_andnot(). Use cpumask_and() instead to +fix it. + +Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag") +Signed-off-by: Tianchen Ding +Reviewed-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -1558,8 +1558,7 @@ static int update_cpumask(struct cpuset + * Make sure that subparts_cpus is a subset of cpus_allowed. + */ + if (cs->nr_subparts_cpus) { +- cpumask_andnot(cs->subparts_cpus, cs->subparts_cpus, +- cs->cpus_allowed); ++ cpumask_and(cs->subparts_cpus, cs->subparts_cpus, cs->cpus_allowed); + cs->nr_subparts_cpus = cpumask_weight(cs->subparts_cpus); + } + spin_unlock_irq(&callback_lock); diff --git a/queue-5.4/ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch b/queue-5.4/ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch new file mode 100644 index 00000000000..8e58fd6e2d8 --- /dev/null +++ b/queue-5.4/ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch @@ -0,0 +1,57 @@ +From 63e4b45c82ed1bde979da7052229a4229ce9cabf Mon Sep 17 00:00:00 2001 +From: Georgi Valkov +Date: Tue, 1 Feb 2022 08:16:18 +0100 +Subject: ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback + +From: Georgi Valkov + +commit 63e4b45c82ed1bde979da7052229a4229ce9cabf upstream. + +When rx_buf is allocated we need to account for IPHETH_IP_ALIGN, +which reduces the usable size by 2 bytes. Otherwise we have 1512 +bytes usable instead of 1514, and if we receive more than 1512 +bytes, ipheth_rcvbulk_callback is called with status -EOVERFLOW, +after which the driver malfunctiones and all communication stops. + +Resolves ipheth 2-1:4.2: ipheth_rcvbulk_callback: urb status: -75 + +Fixes: f33d9e2b48a3 ("usbnet: ipheth: fix connectivity with iOS 14") +Signed-off-by: Georgi Valkov +Tested-by: Jan Kiszka +Link: https://lore.kernel.org/all/B60B8A4B-92A0-49B3-805D-809A2433B46C@abv.bg/ +Link: https://lore.kernel.org/all/24851bd2769434a5fc24730dce8e8a984c5a4505.1643699778.git.jan.kiszka@siemens.com/ +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ipheth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -121,7 +121,7 @@ static int ipheth_alloc_urbs(struct iphe + if (tx_buf == NULL) + goto free_rx_urb; + +- rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE, ++ rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, + GFP_KERNEL, &rx_urb->transfer_dma); + if (rx_buf == NULL) + goto free_tx_buf; +@@ -146,7 +146,7 @@ error_nomem: + + static void ipheth_free_urbs(struct ipheth_device *iphone) + { +- usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf, ++ usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone->rx_buf, + iphone->rx_urb->transfer_dma); + usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf, + iphone->tx_urb->transfer_dma); +@@ -317,7 +317,7 @@ static int ipheth_rx_submit(struct iphet + + usb_fill_bulk_urb(dev->rx_urb, udev, + usb_rcvbulkpipe(udev, dev->bulk_in), +- dev->rx_buf, IPHETH_BUF_SIZE, ++ dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, + ipheth_rcvbulk_callback, + dev); + dev->rx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; diff --git a/queue-5.4/net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch b/queue-5.4/net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch new file mode 100644 index 00000000000..88e7ce5a478 --- /dev/null +++ b/queue-5.4/net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch @@ -0,0 +1,37 @@ +From 7674b7b559b683478c3832527c59bceb169e701d Mon Sep 17 00:00:00 2001 +From: Raju Rangoju +Date: Thu, 27 Jan 2022 11:32:22 +0530 +Subject: net: amd-xgbe: ensure to reset the tx_timer_active flag + +From: Raju Rangoju + +commit 7674b7b559b683478c3832527c59bceb169e701d upstream. + +Ensure to reset the tx_timer_active flag in xgbe_stop(), +otherwise a port restart may result in tx timeout due to +uncleared flag. + +Fixes: c635eaacbf77 ("amd-xgbe: Remove Tx coalescing") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Raju Rangoju +Acked-by: Tom Lendacky +Link: https://lore.kernel.org/r/20220127060222.453371-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -721,7 +721,9 @@ static void xgbe_stop_timers(struct xgbe + if (!channel->tx_ring) + break; + ++ /* Deactivate the Tx timer */ + del_timer_sync(&channel->tx_timer); ++ channel->tx_timer_active = 0; + } + } + diff --git a/queue-5.4/net-amd-xgbe-fix-skb-data-length-underflow.patch b/queue-5.4/net-amd-xgbe-fix-skb-data-length-underflow.patch new file mode 100644 index 00000000000..9d7ab350e48 --- /dev/null +++ b/queue-5.4/net-amd-xgbe-fix-skb-data-length-underflow.patch @@ -0,0 +1,55 @@ +From 5aac9108a180fc06e28d4e7fb00247ce603b72ee Mon Sep 17 00:00:00 2001 +From: Shyam Sundar S K +Date: Thu, 27 Jan 2022 14:50:03 +0530 +Subject: net: amd-xgbe: Fix skb data length underflow + +From: Shyam Sundar S K + +commit 5aac9108a180fc06e28d4e7fb00247ce603b72ee upstream. + +There will be BUG_ON() triggered in include/linux/skbuff.h leading to +intermittent kernel panic, when the skb length underflow is detected. + +Fix this by dropping the packet if such length underflows are seen +because of inconsistencies in the hardware descriptors. + +Fixes: 622c36f143fc ("amd-xgbe: Fix jumbo MTU processing on newer hardware") +Suggested-by: Tom Lendacky +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Link: https://lore.kernel.org/r/20220127092003.2812745-1-Shyam-sundar.S-k@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -2767,6 +2767,14 @@ read_again: + buf2_len = xgbe_rx_buf2_len(rdata, packet, len); + len += buf2_len; + ++ if (buf2_len > rdata->rx.buf.dma_len) { ++ /* Hardware inconsistency within the descriptors ++ * that has resulted in a length underflow. ++ */ ++ error = 1; ++ goto skip_data; ++ } ++ + if (!skb) { + skb = xgbe_create_skb(pdata, napi, rdata, + buf1_len); +@@ -2796,8 +2804,10 @@ skip_data: + if (!last || context_next) + goto read_again; + +- if (!skb) ++ if (!skb || error) { ++ dev_kfree_skb(skb); + goto next_packet; ++ } + + /* Be sure we don't exceed the configured MTU */ + max_len = netdev->mtu + ETH_HLEN; diff --git a/queue-5.4/net-sched-fix-use-after-free-in-tc_new_tfilter.patch b/queue-5.4/net-sched-fix-use-after-free-in-tc_new_tfilter.patch new file mode 100644 index 00000000000..48b0d621d3f --- /dev/null +++ b/queue-5.4/net-sched-fix-use-after-free-in-tc_new_tfilter.patch @@ -0,0 +1,259 @@ +From 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 31 Jan 2022 09:20:18 -0800 +Subject: net: sched: fix use-after-free in tc_new_tfilter() + +From: Eric Dumazet + +commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5 upstream. + +Whenever tc_new_tfilter() jumps back to replay: label, +we need to make sure @q and @chain local variables are cleared again, +or risk use-after-free as in [1] + +For consistency, apply the same fix in tc_ctl_chain() + +BUG: KASAN: use-after-free in mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581 +Write of size 8 at addr ffff8880985c4b08 by task syz-executor.4/1945 + +CPU: 0 PID: 1945 Comm: syz-executor.4 Not tainted 5.17.0-rc1-syzkaller-00495-gff58831fa02d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 + __kasan_report mm/kasan/report.c:442 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 + mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581 + tcf_chain_head_change_item net/sched/cls_api.c:372 [inline] + tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:386 + tcf_chain_tp_insert net/sched/cls_api.c:1657 [inline] + tcf_chain_tp_insert_unique net/sched/cls_api.c:1707 [inline] + tc_new_tfilter+0x1e67/0x2350 net/sched/cls_api.c:2086 + rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:725 + ____sys_sendmsg+0x331/0x810 net/socket.c:2413 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 + __sys_sendmmsg+0x195/0x470 net/socket.c:2553 + __do_sys_sendmmsg net/socket.c:2582 [inline] + __se_sys_sendmmsg net/socket.c:2579 [inline] + __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f2647172059 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f2645aa5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: ffffffffffffffda RBX: 00007f2647285100 RCX: 00007f2647172059 +RDX: 040000000000009f RSI: 00000000200002c0 RDI: 0000000000000006 +RBP: 00007f26471cc08d R08: 0000000000000000 R09: 0000000000000000 +R10: 9e00000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fffb3f7f02f R14: 00007f2645aa5300 R15: 0000000000022000 + + +Allocated by task 1944: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:45 [inline] + set_alloc_info mm/kasan/common.c:436 [inline] + ____kasan_kmalloc mm/kasan/common.c:515 [inline] + ____kasan_kmalloc mm/kasan/common.c:474 [inline] + __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 + kmalloc_node include/linux/slab.h:604 [inline] + kzalloc_node include/linux/slab.h:726 [inline] + qdisc_alloc+0xac/0xa10 net/sched/sch_generic.c:941 + qdisc_create.constprop.0+0xce/0x10f0 net/sched/sch_api.c:1211 + tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 + rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5592 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:725 + ____sys_sendmsg+0x331/0x810 net/socket.c:2413 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 + __sys_sendmmsg+0x195/0x470 net/socket.c:2553 + __do_sys_sendmmsg net/socket.c:2582 [inline] + __se_sys_sendmmsg net/socket.c:2579 [inline] + __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Freed by task 3609: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + kasan_set_track+0x21/0x30 mm/kasan/common.c:45 + kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 + ____kasan_slab_free mm/kasan/common.c:366 [inline] + ____kasan_slab_free+0x130/0x160 mm/kasan/common.c:328 + kasan_slab_free include/linux/kasan.h:236 [inline] + slab_free_hook mm/slub.c:1728 [inline] + slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 + slab_free mm/slub.c:3509 [inline] + kfree+0xcb/0x280 mm/slub.c:4562 + rcu_do_batch kernel/rcu/tree.c:2527 [inline] + rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778 + __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 + +Last potentially related work creation: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 + __call_rcu kernel/rcu/tree.c:3026 [inline] + call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106 + qdisc_put_unlocked+0x6f/0x90 net/sched/sch_generic.c:1109 + tcf_block_release+0x86/0x90 net/sched/cls_api.c:1238 + tc_new_tfilter+0xc0d/0x2350 net/sched/cls_api.c:2148 + rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:725 + ____sys_sendmsg+0x331/0x810 net/socket.c:2413 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 + __sys_sendmmsg+0x195/0x470 net/socket.c:2553 + __do_sys_sendmmsg net/socket.c:2582 [inline] + __se_sys_sendmmsg net/socket.c:2579 [inline] + __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The buggy address belongs to the object at ffff8880985c4800 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 776 bytes inside of + 1024-byte region [ffff8880985c4800, ffff8880985c4c00) +The buggy address belongs to the page: +page:ffffea0002617000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x985c0 +head:ffffea0002617000 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c41dc0 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 1941, ts 1038999441284, free_ts 1033444432829 + prep_new_page mm/page_alloc.c:2434 [inline] + get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165 + __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 + alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271 + alloc_slab_page mm/slub.c:1799 [inline] + allocate_slab mm/slub.c:1944 [inline] + new_slab+0x28a/0x3b0 mm/slub.c:2004 + ___slab_alloc+0x87c/0xe90 mm/slub.c:3018 + __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 + slab_alloc_node mm/slub.c:3196 [inline] + slab_alloc mm/slub.c:3238 [inline] + __kmalloc+0x2fb/0x340 mm/slub.c:4420 + kmalloc include/linux/slab.h:586 [inline] + kzalloc include/linux/slab.h:715 [inline] + __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1335 + neigh_sysctl_register+0x2c8/0x5e0 net/core/neighbour.c:3787 + devinet_sysctl_register+0xb1/0x230 net/ipv4/devinet.c:2618 + inetdev_init+0x286/0x580 net/ipv4/devinet.c:278 + inetdev_event+0xa8a/0x15d0 net/ipv4/devinet.c:1532 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:84 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919 + call_netdevice_notifiers_extack net/core/dev.c:1931 [inline] + call_netdevice_notifiers net/core/dev.c:1945 [inline] + register_netdevice+0x1073/0x1500 net/core/dev.c:9698 + veth_newlink+0x59c/0xa90 drivers/net/veth.c:1722 +page last free stack trace: + reset_page_owner include/linux/page_owner.h:24 [inline] + free_pages_prepare mm/page_alloc.c:1352 [inline] + free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 + free_unref_page_prepare mm/page_alloc.c:3325 [inline] + free_unref_page+0x19/0x690 mm/page_alloc.c:3404 + release_pages+0x748/0x1220 mm/swap.c:956 + tlb_batch_pages_flush mm/mmu_gather.c:50 [inline] + tlb_flush_mmu_free mm/mmu_gather.c:243 [inline] + tlb_flush_mmu+0xe9/0x6b0 mm/mmu_gather.c:250 + zap_pte_range mm/memory.c:1441 [inline] + zap_pmd_range mm/memory.c:1490 [inline] + zap_pud_range mm/memory.c:1519 [inline] + zap_p4d_range mm/memory.c:1540 [inline] + unmap_page_range+0x1d1d/0x2a30 mm/memory.c:1561 + unmap_single_vma+0x198/0x310 mm/memory.c:1606 + unmap_vmas+0x16b/0x2f0 mm/memory.c:1638 + exit_mmap+0x201/0x670 mm/mmap.c:3178 + __mmput+0x122/0x4b0 kernel/fork.c:1114 + mmput+0x56/0x60 kernel/fork.c:1135 + exit_mm kernel/exit.c:507 [inline] + do_exit+0xa3c/0x2a30 kernel/exit.c:793 + do_group_exit+0xd2/0x2f0 kernel/exit.c:935 + __do_sys_exit_group kernel/exit.c:946 [inline] + __se_sys_exit_group kernel/exit.c:944 [inline] + __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Memory state around the buggy address: + ffff8880985c4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880985c4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8880985c4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880985c4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880985c4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 470502de5bdb ("net: sched: unlock rules update API") +Signed-off-by: Eric Dumazet +Cc: Vlad Buslov +Cc: Jiri Pirko +Cc: Cong Wang +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220131172018.3704490-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_api.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1928,9 +1928,9 @@ static int tc_new_tfilter(struct sk_buff + bool prio_allocate; + u32 parent; + u32 chain_index; +- struct Qdisc *q = NULL; ++ struct Qdisc *q; + struct tcf_chain_info chain_info; +- struct tcf_chain *chain = NULL; ++ struct tcf_chain *chain; + struct tcf_block *block; + struct tcf_proto *tp; + unsigned long cl; +@@ -1958,6 +1958,8 @@ replay: + tp = NULL; + cl = 0; + block = NULL; ++ q = NULL; ++ chain = NULL; + + if (prio == 0) { + /* If no priority is provided by the user, +@@ -2764,8 +2766,8 @@ static int tc_ctl_chain(struct sk_buff * + struct tcmsg *t; + u32 parent; + u32 chain_index; +- struct Qdisc *q = NULL; +- struct tcf_chain *chain = NULL; ++ struct Qdisc *q; ++ struct tcf_chain *chain; + struct tcf_block *block; + unsigned long cl; + int err; +@@ -2775,6 +2777,7 @@ static int tc_ctl_chain(struct sk_buff * + return -EPERM; + + replay: ++ q = NULL; + err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX, + rtm_tca_policy, extack); + if (err < 0) diff --git a/queue-5.4/rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch b/queue-5.4/rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch new file mode 100644 index 00000000000..c1618486471 --- /dev/null +++ b/queue-5.4/rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch @@ -0,0 +1,47 @@ +From c6f6f2444bdbe0079e41914a35081530d0409963 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 31 Jan 2022 17:21:06 -0800 +Subject: rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() + +From: Eric Dumazet + +commit c6f6f2444bdbe0079e41914a35081530d0409963 upstream. + +While looking at one unrelated syzbot bug, I found the replay logic +in __rtnl_newlink() to potentially trigger use-after-free. + +It is better to clear master_dev and m_ops inside the loop, +in case we have to replay it. + +Fixes: ba7d49b1f0f8 ("rtnetlink: provide api for getting and setting slave info") +Signed-off-by: Eric Dumazet +Cc: Jiri Pirko +Link: https://lore.kernel.org/r/20220201012106.216495-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3022,8 +3022,8 @@ static int __rtnl_newlink(struct sk_buff + struct nlattr *slave_attr[RTNL_SLAVE_MAX_TYPE + 1]; + unsigned char name_assign_type = NET_NAME_USER; + struct nlattr *linkinfo[IFLA_INFO_MAX + 1]; +- const struct rtnl_link_ops *m_ops = NULL; +- struct net_device *master_dev = NULL; ++ const struct rtnl_link_ops *m_ops; ++ struct net_device *master_dev; + struct net *net = sock_net(skb->sk); + const struct rtnl_link_ops *ops; + struct nlattr *tb[IFLA_MAX + 1]; +@@ -3063,6 +3063,8 @@ replay: + dev = NULL; + } + ++ master_dev = NULL; ++ m_ops = NULL; + if (dev) { + master_dev = netdev_master_upper_dev_get(dev); + if (master_dev) diff --git a/queue-5.4/series b/queue-5.4/series index 7efbade1399..0a6215b175e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,2 +1,10 @@ pci-pciehp-fix-infinite-loop-in-irq-handler-upon-power-fault.patch psi-fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled.patch +cgroup-v1-require-capabilities-to-set-release_agent.patch +ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch +net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch +net-amd-xgbe-fix-skb-data-length-underflow.patch +net-sched-fix-use-after-free-in-tc_new_tfilter.patch +rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch +cpuset-fix-the-bug-that-subpart_cpus-updated-wrongly-in-update_cpumask.patch +af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch