From: Sasha Levin Date: Sun, 13 Feb 2022 05:47:36 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.9.302~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e43a6678c7bd56e77d38c6088d68eda3886220b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch b/queue-5.4/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch new file mode 100644 index 00000000000..63b6c0fc7f4 --- /dev/null +++ b/queue-5.4/arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch 
@@ -0,0 +1,54 @@ +From 05f3fea23cadc98f0ddf97837545ba03a1f9c31e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Dec 2021 19:42:15 -0300 +Subject: ARM: dts: imx6qdl-udoo: Properly describe the SD card detect + +From: Fabio Estevam + +[ Upstream commit 993d66140f8d1c1853a3b58b77b43b681eb64dee ] + +GPIO7_IO00 is used as SD card detect. + +Properly describe this in the devicetree. + +Fixes: 40cdaa542cf0 ("ARM: dts: imx6q-udoo: Add initial board support") +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-udoo.dtsi | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-udoo.dtsi b/arch/arm/boot/dts/imx6qdl-udoo.dtsi +index 16672cbada287..6c8da3f037335 100644 +--- a/arch/arm/boot/dts/imx6qdl-udoo.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-udoo.dtsi +@@ -5,6 +5,8 @@ + * Author: Fabio Estevam + */ + ++#include ++ + / { + aliases { + backlight = &backlight; +@@ -218,6 +220,7 @@ MX6QDL_PAD_SD3_DAT0__SD3_DATA0 0x17059 + MX6QDL_PAD_SD3_DAT1__SD3_DATA1 0x17059 + MX6QDL_PAD_SD3_DAT2__SD3_DATA2 0x17059 + MX6QDL_PAD_SD3_DAT3__SD3_DATA3 0x17059 ++ MX6QDL_PAD_SD3_DAT5__GPIO7_IO00 0x1b0b0 + >; + }; + +@@ -290,7 +293,7 @@ &usbh1 { + &usdhc3 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usdhc3>; +- non-removable; ++ cd-gpios = <&gpio7 0 GPIO_ACTIVE_LOW>; + status = "okay"; + }; + +-- +2.34.1 + diff --git a/queue-5.4/arm-dts-meson-fix-the-uart-compatible-strings.patch b/queue-5.4/arm-dts-meson-fix-the-uart-compatible-strings.patch new file mode 100644 index 00000000000..c034b2a3cf5 --- /dev/null +++ b/queue-5.4/arm-dts-meson-fix-the-uart-compatible-strings.patch 
@@ -0,0 +1,69 @@ +From 0eae669717782b26d4bbf4ffc76d04ca0eaf55ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Dec 2021 19:00:24 +0100 +Subject: ARM: dts: meson: Fix the UART compatible strings + +From: Martin Blumenstingl + +[ Upstream commit 5225e1b87432dcf0d0fc3440824b91d04c1d6cc1 ] + +The dt-bindings for the UART controller only allow the following values +for Meson6 SoCs: +- "amlogic,meson6-uart", "amlogic,meson-ao-uart" +- "amlogic,meson6-uart" + +Use the correct fallback compatible string "amlogic,meson-ao-uart" for +AO UART. Drop the "amlogic,meson-uart" compatible string from the EE +domain UART controllers. + +Fixes: ec9b59162fd831 ("ARM: dts: meson6: use stable UART bindings") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20211227180026.4068352-2-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/meson.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/meson.dtsi b/arch/arm/boot/dts/meson.dtsi +index c4447f6c8b2cb..e141ce7484841 100644 +--- a/arch/arm/boot/dts/meson.dtsi ++++ b/arch/arm/boot/dts/meson.dtsi +@@ -49,14 +49,14 @@ hwrng: rng@8100 { + }; + + uart_A: serial@84c0 { +- compatible = "amlogic,meson6-uart", "amlogic,meson-uart"; ++ compatible = "amlogic,meson6-uart"; + reg = <0x84c0 0x18>; + interrupts = ; + status = "disabled"; + }; + + uart_B: serial@84dc { +- compatible = "amlogic,meson6-uart", "amlogic,meson-uart"; ++ compatible = "amlogic,meson6-uart"; + reg = <0x84dc 0x18>; + interrupts = ; + status = "disabled"; +@@ -94,7 +94,7 @@ saradc: adc@8680 { + }; + + uart_C: serial@8700 { +- compatible = "amlogic,meson6-uart", "amlogic,meson-uart"; ++ compatible = "amlogic,meson6-uart"; + reg = <0x8700 0x18>; + interrupts = ; + status = "disabled"; +@@ -196,7 +196,7 @@ ir_receiver: ir-receiver@480 { + }; + + uart_AO: serial@4c0 { +- compatible = "amlogic,meson6-uart", "amlogic,meson-ao-uart", 
"amlogic,meson-uart"; ++ compatible = "amlogic,meson6-uart", "amlogic,meson-ao-uart"; + reg = <0x4c0 0x18>; + interrupts = ; + status = "disabled"; +-- +2.34.1 + diff --git a/queue-5.4/bonding-pair-enable_port-with-slave_arr_updates.patch b/queue-5.4/bonding-pair-enable_port-with-slave_arr_updates.patch new file mode 100644 index 00000000000..de360f68079 --- /dev/null +++ b/queue-5.4/bonding-pair-enable_port-with-slave_arr_updates.patch 
@@ -0,0 +1,55 @@ +From 4b94543d4a670229dc940470ce052c9ff7cc8f85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 14:29:01 -0800 +Subject: bonding: pair enable_port with slave_arr_updates + +From: Mahesh Bandewar + +[ Upstream commit 23de0d7b6f0e3f9a6283a882594c479949da1120 ] + +When 803.2ad mode enables a participating port, it should update +the slave-array. I have observed that the member links are participating +and are part of the active aggregator while the traffic is egressing via +only one member link (in a case where two links are participating). Via +kprobes I discovered that slave-arr has only one link added while +the other participating link wasn't part of the slave-arr. + +I couldn't see what caused that situation but the simple code-walk +through provided me hints that the enable_port wasn't always associated +with the slave-array update. + +Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash") +Signed-off-by: Mahesh Bandewar +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/20220207222901.1795287-1-maheshb@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_3ad.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c +index e3b25f3109367..ed170d803247a 100644 +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -1013,8 +1013,8 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr) + if (port->aggregator && + port->aggregator->is_active && + !__port_is_enabled(port)) { +- + __enable_port(port); ++ *update_slave_arr = true; + } + } + break; +@@ -1770,6 +1770,7 @@ static void ad_agg_selection_logic(struct aggregator *agg, + port = port->next_port_in_aggregator) { + __enable_port(port); + } ++ *update_slave_arr = true; + } + } + +-- +2.34.1 + 
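Review bot: The new `*update_slave_arr = true;` placed after the port-enabling loop in ad_agg_selection_logic carries no comment saying why a slave-array rebuild is needed at that point, and the same is true of the one added in ad_mux_machine; a reader seeing the flag set with no port state change on the adjacent lines will not know it pairs with __enable_port(). Suggest `/* ports enabled above must be reflected in the xmit slave array */` above each site. Both enclosing functions start and end outside the hunk, so whether the second site's flag is set even when the loop enabled no ports cannot be confirmed from here; if it can, that only costs a redundant rebuild.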
diff --git a/queue-5.4/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch b/queue-5.4/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch new file mode 100644 index 00000000000..86811474c9c --- /dev/null +++ b/queue-5.4/ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch 
@@ -0,0 +1,101 @@ +From 01a51d507c896a739f447ff22b3298cc704ccb13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 21:34:51 -0800 +Subject: ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on + failure path + +From: Eric Dumazet + +[ Upstream commit 5611a00697c8ecc5aad04392bea629e9d6a20463 ] + +ip[6]mr_free_table() can only be called under RTNL lock. + +RTNL: assertion failed at net/core/dev.c (10367) +WARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 +Modules linked in: +CPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 +Code: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee +RSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4 +R13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000 +FS: 00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509 + ip6mr_free_table net/ipv6/ip6mr.c:389 [inline] + ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline] + ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline] + ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298 + 
ops_init+0xaf/0x470 net/core/net_namespace.c:140 + setup_net+0x54f/0xbb0 net/core/net_namespace.c:331 + copy_net_ns+0x318/0x760 net/core/net_namespace.c:475 + create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 + copy_namespaces+0x391/0x450 kernel/nsproxy.c:178 + copy_process+0x2e0c/0x7300 kernel/fork.c:2167 + kernel_clone+0xe7/0xab0 kernel/fork.c:2555 + __do_sys_clone+0xc8/0x110 kernel/fork.c:2672 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f4ab89f9059 +Code: Unable to access opcode bytes at RIP 0x7f4ab89f902f. +RSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 +RAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059 +RDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000 +RBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300 +R10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000 +R13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000 + + +Fixes: f243e5a7859a ("ipmr,ip6mr: call ip6mr_free_table() on failure path") +Signed-off-by: Eric Dumazet +Cc: Cong Wang +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220208053451.2885398-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ipmr.c | 2 ++ + net/ipv6/ip6mr.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index d71935618871e..2da6896080363 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -259,7 +259,9 @@ static int __net_init ipmr_rules_init(struct net *net) + return 0; + + err2: ++ rtnl_lock(); + ipmr_free_table(mrt); ++ rtnl_unlock(); + err1: + fib_rules_unregister(ops); + return err; +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index dd41313d7fa50..aee1f6bc039ab 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -246,7 +246,9 @@ static int __net_init ip6mr_rules_init(struct net *net) + return 0; 
+ + err2: ++ rtnl_lock(); + ip6mr_free_table(mrt); ++ rtnl_unlock(); + err1: + fib_rules_unregister(ops); + return err; +-- +2.34.1 + diff --git a/queue-5.4/ixgbevf-require-large-buffers-for-build_skb-on-82599.patch b/queue-5.4/ixgbevf-require-large-buffers-for-build_skb-on-82599.patch new file mode 100644 index 00000000000..73deb18787a --- /dev/null +++ b/queue-5.4/ixgbevf-require-large-buffers-for-build_skb-on-82599.patch 
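Review bot: The rtnl_lock()/rtnl_unlock() pair wrapped around ipmr_free_table() on the err2 label has no comment, so it reads like a stray lock rather than a hard requirement; add `/* ipmr_free_table() unregisters net devices and must run under RTNL */` above it, which the description's trace supports (the assertion fires in unregister_netdevice_many() reached from mroute_clean_tables()). The same comment belongs on the ip6mr_rules_init hunk of this patch. fib_rules_unregister() on err1 is left outside the locked region, which I take to be deliberate because it manages RTNL itself; worth confirming so the two error labels are not mistaken for an inconsistency. Both functions start above their hunks.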
@@ -0,0 +1,74 @@ +From e3ca787dc4b4cfaa1de604b83a10e35d06b54b1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Feb 2022 14:49:16 -0800 +Subject: ixgbevf: Require large buffers for build_skb on 82599VF + +From: Samuel Mendoza-Jonas + +[ Upstream commit fe68195daf34d5dddacd3f93dd3eafc4beca3a0e ] + +From 4.17 onwards the ixgbevf driver uses build_skb() to build an skb +around new data in the page buffer shared with the ixgbe PF. +This uses either a 2K or 3K buffer, and offsets the DMA mapping by +NET_SKB_PAD + NET_IP_ALIGN. When using a smaller buffer RXDCTL is set to +ensure the PF does not write a full 2K bytes into the buffer, which is +actually 2K minus the offset. + +However on the 82599 virtual function, the RXDCTL mechanism is not +available. The driver attempts to work around this by using the SET_LPE +mailbox method to lower the maximm frame size, but the ixgbe PF driver +ignores this in order to keep the PF and all VFs in sync[0]. + +This means the PF will write up to the full 2K set in SRRCTL, causing it +to write NET_SKB_PAD + NET_IP_ALIGN bytes past the end of the buffer. +With 4K pages split into two buffers, this means it either writes +NET_SKB_PAD + NET_IP_ALIGN bytes past the first buffer (and into the +second), or NET_SKB_PAD + NET_IP_ALIGN bytes past the end of the DMA +mapping. + +Avoid this by only enabling build_skb when using "large" buffers (3K). +These are placed in each half of an order-1 page, preventing the PF from +writing past the end of the mapping. + +[0]: Technically it only ever raises the max frame size, see +ixgbe_set_vf_lpe() in ixgbe_sriov.c + +Fixes: f15c5ba5b6cd ("ixgbevf: add support for using order 1 pages to receive large frames") +Signed-off-by: Samuel Mendoza-Jonas +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +index be8e6d4e376ec..9bd02766a4bcc 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -1979,14 +1979,15 @@ static void ixgbevf_set_rx_buffer_len(struct ixgbevf_adapter *adapter, + if (adapter->flags & IXGBEVF_FLAGS_LEGACY_RX) + return; + +- set_ring_build_skb_enabled(rx_ring); ++ if (PAGE_SIZE < 8192) ++ if (max_frame > IXGBEVF_MAX_FRAME_BUILD_SKB) ++ set_ring_uses_large_buffer(rx_ring); + +- if (PAGE_SIZE < 8192) { +- if (max_frame <= IXGBEVF_MAX_FRAME_BUILD_SKB) +- return; ++ /* 82599 can't rely on RXDCTL.RLPML to restrict the size of the frame */ ++ if (adapter->hw.mac.type == ixgbe_mac_82599_vf && !ring_uses_large_buffer(rx_ring)) ++ return; + +- set_ring_uses_large_buffer(rx_ring); +- } ++ set_ring_build_skb_enabled(rx_ring); + } + + /** +-- +2.34.1 + diff --git a/queue-5.4/misc-fastrpc-avoid-double-fput-on-failed-usercopy.patch b/queue-5.4/misc-fastrpc-avoid-double-fput-on-failed-usercopy.patch new file mode 100644 index 00000000000..1728958328d --- /dev/null +++ b/queue-5.4/misc-fastrpc-avoid-double-fput-on-failed-usercopy.patch 
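Review bot: The two nested brace-less `if`s at the top of the new code, `if (PAGE_SIZE < 8192)` followed by `if (max_frame > IXGBEVF_MAX_FRAME_BUILD_SKB)`, are a dangling-else hazard and would be flagged by checkpatch; fold them into `if (PAGE_SIZE < 8192 && max_frame > IXGBEVF_MAX_FRAME_BUILD_SKB)` with a single `set_ring_uses_large_buffer(rx_ring);` body. With PAGE_SIZE >= 8192 the large-buffer flag is never set in this function, so the new 82599 check always returns before set_ring_build_skb_enabled(); if that is intended (presumably the buffer is a full page there and the overrun described in the commit message cannot occur), the comment should say so rather than only naming RXDCTL.RLPML. The 82599 condition line is also well over 80 columns and should be wrapped. ixgbevf_set_rx_buffer_len starts above the hunk.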
@@ -0,0 +1,58 @@ +From 501781f1f49e5a7ce1b6979561854cce8548edbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 14:02:18 +0100 +Subject: misc: fastrpc: avoid double fput() on failed usercopy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathias Krause + +[ Upstream commit 46963e2e0629cb31c96b1d47ddd89dc3d8990b34 ] + +If the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF +ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact, +dma_buf_fd() called fd_install() before, i.e. "consumed" one reference, +leaving us with none. + +Calling dma_buf_put() will therefore put a reference we no longer own, +leading to a valid file descritor table entry for an already released +'file' object which is a straight use-after-free. + +Simply avoid calling dma_buf_put() and rely on the process exit code to +do the necessary cleanup, if needed, i.e. if the file descriptor is +still valid. + +Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter") +Acked-by: Christian König +Signed-off-by: Mathias Krause +Link: https://lore.kernel.org/r/20220127130218.809261-1-minipli@grsecurity.net +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/fastrpc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c +index f76c64084f4b2..fb5ddf3864fdd 100644 +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1245,7 +1245,14 @@ static int fastrpc_dmabuf_alloc(struct fastrpc_user *fl, char __user *argp) + } + + if (copy_to_user(argp, &bp, sizeof(bp))) { +- dma_buf_put(buf->dmabuf); ++ /* ++ * The usercopy failed, but we can't do much about it, as ++ * dma_buf_fd() already called fd_install() and made the ++ * file descriptor accessible for the current process. It ++ * might already be closed and dmabuf no longer valid when ++ * we reach this point. 
Therefore "leak" the fd and rely on ++ * the process exit path to do any required cleanup. ++ */ + return -EFAULT; + } + +-- +2.34.1 + diff --git a/queue-5.4/net-amd-xgbe-disable-interrupts-during-pci-removal.patch b/queue-5.4/net-amd-xgbe-disable-interrupts-during-pci-removal.patch new file mode 100644 index 00000000000..cf5254b304d --- /dev/null +++ b/queue-5.4/net-amd-xgbe-disable-interrupts-during-pci-removal.patch @@ -0,0 +1,41 @@ +From c55627b125fd54351a5915e3d6a9a9d6e6acdd91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Feb 2022 10:02:01 +0530 +Subject: net: amd-xgbe: disable interrupts during pci removal + +From: Raju Rangoju + +[ Upstream commit 68c2d6af1f1e469544d6cbe9a601d96fb9c00e7f ] + +Hardware interrupts are enabled during the pci probe, however, +they are not disabled during pci removal. + +Disable all hardware interrupts during pci removal to avoid any +issues. + +Fixes: e75377404726 ("amd-xgbe: Update PCI support to use new IRQ functions") +Suggested-by: Selwin Sebastian +Signed-off-by: Raju Rangoju +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c +index 7b86240ecd5fe..c4f1fc97987ae 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c +@@ -418,6 +418,9 @@ static void xgbe_pci_remove(struct pci_dev *pdev) + + pci_free_irq_vectors(pdata->pcidev); + ++ /* Disable all interrupts in the hardware */ ++ XP_IOWRITE(pdata, XP_INT_EN, 0x0); ++ + xgbe_free_pdata(pdata); + } + +-- +2.34.1 + diff --git a/queue-5.4/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch b/queue-5.4/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch new file mode 100644 index 00000000000..68763562de1 --- /dev/null +++ b/queue-5.4/net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch 
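Review bot: In xgbe_pci_remove the hardware interrupt mask is cleared with `XP_IOWRITE(pdata, XP_INT_EN, 0x0);` only after pci_free_irq_vectors(), so there is a window in which the device can still assert an interrupt with no vector left to deliver it to; the usual order is to quiesce the hardware first, i.e. move the write (and its comment) above the pci_free_irq_vectors() call. Whether the IRQ handlers were already released earlier in the function is not visible, since xgbe_pci_remove starts above the hunk; if they were, the reordering is still the safer shape.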
@@ -0,0 +1,65 @@ +From 1d698b7f9de61225651f3c3b624d970d1408e900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 18:13:18 +0100 +Subject: net: do not keep the dst cache when uncloning an skb dst and its + metadata + +From: Antoine Tenart + +[ Upstream commit cfc56f85e72f5b9c5c5be26dc2b16518d36a7868 ] + +When uncloning an skb dst and its associated metadata a new dst+metadata +is allocated and the tunnel information from the old metadata is copied +over there. + +The issue is the tunnel metadata has references to cached dst, which are +copied along the way. When a dst+metadata refcount drops to 0 the +metadata is freed including the cached dst entries. As they are also +referenced in the initial dst+metadata, this ends up in UaFs. + +In practice the above did not happen because of another issue, the +dst+metadata was never freed because its refcount never dropped to 0 +(this will be fixed in a subsequent patch). + +Fix this by initializing the dst cache after copying the tunnel +information from the old metadata to also unshare the dst cache. + +Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel") +Cc: Paolo Abeni +Reported-by: Vlad Buslov +Tested-by: Vlad Buslov +Signed-off-by: Antoine Tenart +Acked-by: Paolo Abeni +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + include/net/dst_metadata.h | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h +index 14efa0ded75dd..b997e0c1e3627 100644 +--- a/include/net/dst_metadata.h ++++ b/include/net/dst_metadata.h +@@ -123,6 +123,19 @@ static inline struct metadata_dst *tun_dst_unclone(struct sk_buff *skb) + + memcpy(&new_md->u.tun_info, &md_dst->u.tun_info, + sizeof(struct ip_tunnel_info) + md_size); ++#ifdef CONFIG_DST_CACHE ++ /* Unclone the dst cache if there is one */ ++ if (new_md->u.tun_info.dst_cache.cache) { ++ int ret; ++ ++ ret = dst_cache_init(&new_md->u.tun_info.dst_cache, GFP_ATOMIC); ++ if (ret) { ++ metadata_dst_free(new_md); ++ return ERR_PTR(ret); ++ } ++ } ++#endif ++ + skb_dst_drop(skb); + dst_hold(&new_md->dst); + skb_dst_set(skb, &new_md->dst); +-- +2.34.1 + diff --git a/queue-5.4/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch b/queue-5.4/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch new file mode 100644 index 00000000000..10bc831e49a --- /dev/null +++ b/queue-5.4/net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch 
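Review bot: The comment `/* Unclone the dst cache if there is one */` does not say why the re-initialisation is needed: the memcpy() just above copied md_dst's tun_info including its dst_cache.cache percpu pointer, so without a fresh dst_cache_init() both metadata_dsts would own, and later free, the same cache; suggest `/* memcpy() above duplicated the old dst_cache pointer; give new_md its own so the two dsts do not free the same percpu cache */`. The failure path calls metadata_dst_free(new_md) while tun_info still holds whatever dst_cache_init() left in .cache, which is only safe if a failed init leaves it NULL rather than the copied pointer, and that is worth confirming. `int ret;` followed by a separate assignment could simply be `int ret = dst_cache_init(&new_md->u.tun_info.dst_cache, GFP_ATOMIC);`. tun_dst_unclone starts above the hunk.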
@@ -0,0 +1,49 @@ +From bb16f6b47953e7fdac19e65301970bf64d418c22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 18:13:19 +0100 +Subject: net: fix a memleak when uncloning an skb dst and its metadata + +From: Antoine Tenart + +[ Upstream commit 9eeabdf17fa0ab75381045c867c370f4cc75a613 ] + +When uncloning an skb dst and its associated metadata, a new +dst+metadata is allocated and later replaces the old one in the skb. +This is helpful to have a non-shared dst+metadata attached to a specific +skb. + +The issue is the uncloned dst+metadata is initialized with a refcount of +1, which is increased to 2 before attaching it to the skb. When +tun_dst_unclone returns, the dst+metadata is only referenced from a +single place (the skb) while its refcount is 2. Its refcount will never +drop to 0 (when the skb is consumed), leading to a memory leak. + +Fix this by removing the call to dst_hold in tun_dst_unclone, as the +dst+metadata refcount is already 1. + +Fixes: fc4099f17240 ("openvswitch: Fix egress tunnel info.") +Cc: Pravin B Shelar +Reported-by: Vlad Buslov +Tested-by: Vlad Buslov +Signed-off-by: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/dst_metadata.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h +index b997e0c1e3627..adab27ba1ecbf 100644 +--- a/include/net/dst_metadata.h ++++ b/include/net/dst_metadata.h +@@ -137,7 +137,6 @@ static inline struct metadata_dst *tun_dst_unclone(struct sk_buff *skb) + #endif + + skb_dst_drop(skb); +- dst_hold(&new_md->dst); + skb_dst_set(skb, &new_md->dst); + return new_md; + } +-- +2.34.1 + diff --git a/queue-5.4/net-mdio-aspeed-add-missing-module_device_table.patch b/queue-5.4/net-mdio-aspeed-add-missing-module_device_table.patch new file mode 100644 index 00000000000..e1817bdd3c6 --- /dev/null +++ b/queue-5.4/net-mdio-aspeed-add-missing-module_device_table.patch 
@@ -0,0 +1,36 @@
+From 5eedecc6963c611392627273ebf4ba7f883e7917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Feb 2022 10:33:59 +1030
+Subject: net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE
+
+From: Joel Stanley
+
+[ Upstream commit bc1c3c3b10db4f37c41e6107751a8d450d9c431c ]
+
+Fix loading of the driver when built as a module.
+
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Signed-off-by: Joel Stanley
+Reviewed-by: Andrew Lunn
+Acked-by: Andrew Jeffery
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/mdio-aspeed.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/mdio-aspeed.c b/drivers/net/phy/mdio-aspeed.c
+index 966c3b4ad59d1..e2273588c75b6 100644
+--- a/drivers/net/phy/mdio-aspeed.c
++++ b/drivers/net/phy/mdio-aspeed.c
+@@ -148,6 +148,7 @@ static const struct of_device_id aspeed_mdio_of_match[] = {
+ { .compatible = "aspeed,ast2600-mdio", },
+ { },
+ };
++MODULE_DEVICE_TABLE(of, aspeed_mdio_of_match);
+
+ static struct platform_driver aspeed_mdio_driver = {
+ .driver = {
+--
+2.34.1
+
diff --git a/queue-5.4/nfp-flower-fix-ida_idx-not-being-released.patch b/queue-5.4/nfp-flower-fix-ida_idx-not-being-released.patch
new file mode 100644
index 00000000000..c982e3aa643
--- /dev/null
+++ b/queue-5.4/nfp-flower-fix-ida_idx-not-being-released.patch
@@ -0,0 +1,82 @@ +From af0537b67d54cbf18e422adf4ec1f4d22728a144 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Feb 2022 11:14:53 +0100 +Subject: nfp: flower: fix ida_idx not being released + +From: Louis Peens + +[ Upstream commit 7db788ad627aabff2b74d4f1a3b68516d0fee0d7 ] + +When looking for a global mac index the extra NFP_TUN_PRE_TUN_IDX_BIT +that gets set if nfp_flower_is_supported_bridge is true is not taken +into account. Consequently the path that should release the ida_index +in cleanup is never triggered, causing messages like: + + nfp 0000:02:00.0: nfp: Failed to offload MAC on br-ex. + nfp 0000:02:00.0: nfp: Failed to offload MAC on br-ex. + nfp 0000:02:00.0: nfp: Failed to offload MAC on br-ex. + +after NFP_MAX_MAC_INDEX number of reconfigs. Ultimately this lead to +new tunnel flows not being offloaded. + +Fix this by unsetting the NFP_TUN_PRE_TUN_IDX_BIT before checking if +the port is of type OTHER. + +Fixes: 2e0bc7f3cb55 ("nfp: flower: encode mac indexes with pre-tunnel rule check") +Signed-off-by: Louis Peens +Signed-off-by: Simon Horman +Link: https://lore.kernel.org/r/20220208101453.321949-1-simon.horman@corigine.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/netronome/nfp/flower/tunnel_conf.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c +index 2600ce476d6b2..f8c8451919cb6 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c +@@ -677,6 +677,7 @@ nfp_tunnel_del_shared_mac(struct nfp_app *app, struct net_device *netdev, + struct nfp_flower_repr_priv *repr_priv; + struct nfp_tun_offloaded_mac *entry; + struct nfp_repr *repr; ++ u16 nfp_mac_idx; + int ida_idx; + + entry = nfp_tunnel_lookup_offloaded_macs(app, mac); +@@ -695,8 +696,6 @@ nfp_tunnel_del_shared_mac(struct 
nfp_app *app, struct net_device *netdev, + entry->bridge_count--; + + if (!entry->bridge_count && entry->ref_count) { +- u16 nfp_mac_idx; +- + nfp_mac_idx = entry->index & ~NFP_TUN_PRE_TUN_IDX_BIT; + if (__nfp_tunnel_offload_mac(app, mac, nfp_mac_idx, + false)) { +@@ -712,7 +711,6 @@ nfp_tunnel_del_shared_mac(struct nfp_app *app, struct net_device *netdev, + + /* If MAC is now used by 1 repr set the offloaded MAC index to port. */ + if (entry->ref_count == 1 && list_is_singular(&entry->repr_list)) { +- u16 nfp_mac_idx; + int port, err; + + repr_priv = list_first_entry(&entry->repr_list, +@@ -740,8 +738,14 @@ nfp_tunnel_del_shared_mac(struct nfp_app *app, struct net_device *netdev, + WARN_ON_ONCE(rhashtable_remove_fast(&priv->tun.offloaded_macs, + &entry->ht_node, + offloaded_macs_params)); ++ ++ if (nfp_flower_is_supported_bridge(netdev)) ++ nfp_mac_idx = entry->index & ~NFP_TUN_PRE_TUN_IDX_BIT; ++ else ++ nfp_mac_idx = entry->index; ++ + /* If MAC has global ID then extract and free the ida entry. */ +- if (nfp_tunnel_is_mac_idx_global(entry->index)) { ++ if (nfp_tunnel_is_mac_idx_global(nfp_mac_idx)) { + ida_idx = nfp_tunnel_get_ida_from_global_mac_idx(entry->index); + ida_simple_remove(&priv->tun.mac_off_ids, ida_idx); + } +-- +2.34.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 8a5ad030e89..94ec3f85406 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
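Review bot: `ida_idx = nfp_tunnel_get_ida_from_global_mac_idx(entry->index);` still passes the unmasked `entry->index` although the check on the line above was changed to use `nfp_mac_idx`; unless the helper strips NFP_TUN_PRE_TUN_IDX_BIT itself, which is not visible here, the bridge case would release the wrong ida slot, so for consistency it should read `ida_idx = nfp_tunnel_get_ida_from_global_mac_idx(nfp_mac_idx);`. The earlier block in this function masks the bit unconditionally while the new block masks it only when nfp_flower_is_supported_bridge(netdev) is true; if the bit can only ever be set for bridge ports the two are equivalent, otherwise one of them is wrong, and a one-line comment on the new block stating that invariant would settle it. nfp_tunnel_del_shared_mac starts before and ends after the hunk.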
@@ -32,3 +32,18 @@ acpi-iort-check-node-revision-for-pmcg-resources.patch
 pm-s2idle-acpi-fix-wakeup-interrupts-handling.patch
 net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch
 perf-probe-fix-ppc64-perf-probe-add-events-failed-case.patch
+arm-dts-meson-fix-the-uart-compatible-strings.patch
+staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch
+arm-dts-imx6qdl-udoo-properly-describe-the-sd-card-d.patch
+usb-f_fs-fix-use-after-free-for-epfile.patch
+misc-fastrpc-avoid-double-fput-on-failed-usercopy.patch
+ixgbevf-require-large-buffers-for-build_skb-on-82599.patch
+bonding-pair-enable_port-with-slave_arr_updates.patch
+ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch
+nfp-flower-fix-ida_idx-not-being-released.patch
+net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch
+net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch
+veth-fix-races-around-rq-rx_notify_masked.patch
+net-mdio-aspeed-add-missing-module_device_table.patch
+tipc-rate-limit-warning-for-received-illegal-binding.patch
+net-amd-xgbe-disable-interrupts-during-pci-removal.patch
diff --git a/queue-5.4/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch b/queue-5.4/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch
new file mode 100644
index 00000000000..74089343784
--- /dev/null
+++ b/queue-5.4/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch
@@ -0,0 +1,43 @@ +From 38d27eed46a244a174b9c2a6872187ac8f2e1471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jan 2022 19:13:37 +0100 +Subject: staging: fbtft: Fix error path in fbtft_driver_module_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 426aca16e903b387a0b0001d62207a745c67cfd3 ] + +If registering the platform driver fails, the function must not return +without undoing the spi driver registration first. + +Fixes: c296d5f9957c ("staging: fbtft: core support") +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20220118181338.207943-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/fbtft/fbtft.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/fbtft/fbtft.h b/drivers/staging/fbtft/fbtft.h +index 9b6bdb62093d7..736cd4955b733 100644 +--- a/drivers/staging/fbtft/fbtft.h ++++ b/drivers/staging/fbtft/fbtft.h +@@ -332,7 +332,10 @@ static int __init fbtft_driver_module_init(void) \ + ret = spi_register_driver(&fbtft_driver_spi_driver); \ + if (ret < 0) \ + return ret; \ +- return platform_driver_register(&fbtft_driver_platform_driver); \ ++ ret = platform_driver_register(&fbtft_driver_platform_driver); \ ++ if (ret < 0) \ ++ spi_unregister_driver(&fbtft_driver_spi_driver); \ ++ return ret; \ + } \ + \ + static void __exit fbtft_driver_module_exit(void) \ +-- +2.34.1 + diff --git a/queue-5.4/tipc-rate-limit-warning-for-received-illegal-binding.patch b/queue-5.4/tipc-rate-limit-warning-for-received-illegal-binding.patch new file mode 100644 index 00000000000..c346fba9b05 --- /dev/null +++ b/queue-5.4/tipc-rate-limit-warning-for-received-illegal-binding.patch 
@@ -0,0 +1,38 @@
+From a3c50b66eadb371fe50bacbc32d695a0045de313 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Feb 2022 22:22:37 -0500
+Subject: tipc: rate limit warning for received illegal binding update
+
+From: Jon Maloy
+
+[ Upstream commit c7223d687758462826a20e9735305d55bb874c70 ]
+
+It would be easy to craft a message containing an illegal binding table
+update operation. This is handled correctly by the code, but the
+corresponding warning printout is not rate limited as is should be.
+We fix this now.
+
+Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
+Signed-off-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/tipc/name_distr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
+index 836e629e8f4ab..661bc2551a0a2 100644
+--- a/net/tipc/name_distr.c
++++ b/net/tipc/name_distr.c
+@@ -290,7 +290,7 @@ static bool tipc_update_nametbl(struct net *net, struct distr_item *i,
+ pr_warn_ratelimited("Failed to remove binding %u,%u from %x\n",
+ type, lower, node);
+ } else {
+- pr_warn("Unrecognized name table message received\n");
++ pr_warn_ratelimited("Unknown name table message received\n");
+ }
+ return false;
+ }
+--
+2.34.1
+
diff --git a/queue-5.4/usb-f_fs-fix-use-after-free-for-epfile.patch b/queue-5.4/usb-f_fs-fix-use-after-free-for-epfile.patch
new file mode 100644
index 00000000000..d9ea0b74a4a
--- /dev/null
+++ b/queue-5.4/usb-f_fs-fix-use-after-free-for-epfile.patch
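Review bot: The message text is changed from "Unrecognized name table message received" to "Unknown name table message received" on the same line that switches to the rate-limited printk, which is a second, unrelated change that breaks any log matching on the old string; keep the wording and change only the helper: `pr_warn_ratelimited("Unrecognized name table message received\n");`. Rate limiting is the right call for this path since the message is driven by peer-supplied input and an unlimited printk would let a remote node flood the log. tipc_update_nametbl starts above the hunk.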
@@ -0,0 +1,163 @@
+From 6e08c4de103d1b9693537e66405449877568cc5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jan 2022 09:39:55 +0530
+Subject: usb: f_fs: Fix use-after-free for epfile
+
+From: Udipto Goswami
+
+[ Upstream commit ebe2b1add1055b903e2acd86b290a85297edc0b3 ]
+
+Consider a case where ffs_func_eps_disable is called from
+ffs_func_disable as part of composition switch and at the
+same time ffs_epfile_release get called from userspace.
+ffs_epfile_release will free up the read buffer and call
+ffs_data_closed which in turn destroys ffs->epfiles and
+mark it as NULL. While this was happening the driver has
+already initialized the local epfile in ffs_func_eps_disable
+which is now freed and waiting to acquire the spinlock. Once
+spinlock is acquired the driver proceeds with the stale value
+of epfile and tries to free the already freed read buffer
+causing use-after-free.
+
+Following is the illustration of the race:
+
+ CPU1 CPU2
+
+ ffs_func_eps_disable
+ epfiles (local copy)
+ ffs_epfile_release
+ ffs_data_closed
+ if (last file closed)
+ ffs_data_reset
+ ffs_data_clear
+ ffs_epfiles_destroy
+spin_lock
+dereference epfiles
+
+Fix this races by taking epfiles local copy & assigning it under
+spinlock and if epfiles(local) is null then update it in ffs->epfiles
+then finally destroy it.
+Extending the scope further from the race, protecting the ep related
+structures, and concurrent accesses.
+
+Fixes: a9e6f83c2df1 ("usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable")
+Co-developed-by: Udipto Goswami
+Reviewed-by: John Keeping
+Signed-off-by: Pratham Pratap
+Signed-off-by: Udipto Goswami
+Link: https://lore.kernel.org/r/1643256595-10797-1-git-send-email-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/f_fs.c | 56 ++++++++++++++++++++++--------
+ 1 file changed, 42 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 2bea33b41553b..5fd4fc49aef9f 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1729,16 +1729,24 @@ static void ffs_data_put(struct ffs_data *ffs)
+
+ static void ffs_data_closed(struct ffs_data *ffs)
+ {
++ struct ffs_epfile *epfiles;
++ unsigned long flags;
++
+ ENTER();
+
+ if (atomic_dec_and_test(&ffs->opened)) {
+ if (ffs->no_disconnect) {
+ ffs->state = FFS_DEACTIVATED;
+- if (ffs->epfiles) {
+- ffs_epfiles_destroy(ffs->epfiles,
+- ffs->eps_count);
+- ffs->epfiles = NULL;
+- }
++ spin_lock_irqsave(&ffs->eps_lock, flags);
++ epfiles = ffs->epfiles;
++ ffs->epfiles = NULL;
++ spin_unlock_irqrestore(&ffs->eps_lock,
++ flags);
++
++ if (epfiles)
++ ffs_epfiles_destroy(epfiles,
++ ffs->eps_count);
++
+ if (ffs->setup_state == FFS_SETUP_PENDING)
+ __ffs_ep0_stall(ffs);
+ } else {
+@@ -1785,14 +1793,27 @@ static struct ffs_data *ffs_data_new(const char *dev_name)
+
+ static void ffs_data_clear(struct ffs_data *ffs)
+ {
++ struct ffs_epfile *epfiles;
++ unsigned long flags;
++
+ ENTER();
+
+ ffs_closed(ffs);
+
+ BUG_ON(ffs->gadget);
+
+- if (ffs->epfiles) {
+- ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
++ spin_lock_irqsave(&ffs->eps_lock, flags);
++ epfiles = ffs->epfiles;
++ ffs->epfiles = NULL;
++ spin_unlock_irqrestore(&ffs->eps_lock, flags);
++
++ /*
++ * potential race possible between ffs_func_eps_disable
++ * & ffs_epfile_release therefore maintaining a local
++ * copy of epfile will save us from use-after-free.
++ */
++ if (epfiles) {
++ ffs_epfiles_destroy(epfiles, ffs->eps_count);
+ ffs->epfiles = NULL;
+ }
+
+@@ -1940,12 +1961,15 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
+
+ static void ffs_func_eps_disable(struct ffs_function *func)
+ {
+- struct ffs_ep *ep = func->eps;
+- struct ffs_epfile *epfile = func->ffs->epfiles;
+- unsigned count = func->ffs->eps_count;
++ struct ffs_ep *ep;
++ struct ffs_epfile *epfile;
++ unsigned short count;
+ unsigned long flags;
+
+ spin_lock_irqsave(&func->ffs->eps_lock, flags);
++ count = func->ffs->eps_count;
++ epfile = func->ffs->epfiles;
++ ep = func->eps;
+ while (count--) {
+ /* pending requests get nuked */
+ if (likely(ep->ep))
+@@ -1963,14 +1987,18 @@ static void ffs_func_eps_disable(struct ffs_function *func)
+
+ static int ffs_func_eps_enable(struct ffs_function *func)
+ {
+- struct ffs_data *ffs = func->ffs;
+- struct ffs_ep *ep = func->eps;
+- struct ffs_epfile *epfile = ffs->epfiles;
+- unsigned count = ffs->eps_count;
++ struct ffs_data *ffs;
++ struct ffs_ep *ep;
++ struct ffs_epfile *epfile;
++ unsigned short count;
+ unsigned long flags;
+ int ret = 0;
+
+ spin_lock_irqsave(&func->ffs->eps_lock, flags);
++ ffs = func->ffs;
++ ep = func->eps;
++ epfile = ffs->epfiles;
++ count = ffs->eps_count;
+ while(count--) {
+ ep->ep->driver_data = ep;
+
+--
+2.34.1
+
diff --git a/queue-5.4/veth-fix-races-around-rq-rx_notify_masked.patch b/queue-5.4/veth-fix-races-around-rq-rx_notify_masked.patch
new file mode 100644
index 00000000000..3567df3d5b4
--- /dev/null
+++ b/queue-5.4/veth-fix-races-around-rq-rx_notify_masked.patch
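Review bot: In ffs_data_clear the retained context line `ffs->epfiles = NULL;` inside the new `if (epfiles) { ... }` is now a second, unlocked store to a field the hunk has just cleared under eps_lock, so the field is written both inside and outside the lock. Dropping it leaves the block as `if (epfiles)` / `ffs_epfiles_destroy(epfiles, ffs->eps_count);`, keeps every write of ffs->epfiles under the lock, and matches what ffs_data_closed does in the first hunk. The ffs_func_eps_disable and ffs_func_eps_enable hunks end before their loop bodies, so whether those loops tolerate the NULL `epfile` that the locked swap can now hand them is not visible here and should be confirmed. The added comment would also read more precisely as `/* Racing ffs_func_eps_disable/ffs_epfile_release: work on a local copy taken under eps_lock so the epfiles are freed exactly once. */`.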
@@ -0,0 +1,156 @@
+From c3181a5d9ae7c325fa3d7ee5f933899a337c788c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Feb 2022 15:28:22 -0800
+Subject: veth: fix races around rq->rx_notify_masked
+
+From: Eric Dumazet
+
+[ Upstream commit 68468d8c4cd4222a4ca1f185ab5a1c14480d078c ]
+
+veth being NETIF_F_LLTX enabled, we need to be more careful
+whenever we read/write rq->rx_notify_masked.
+
+BUG: KCSAN: data-race in veth_xmit / veth_xmit
+
+write to 0xffff888133d9a9f8 of 1 bytes by task 23552 on cpu 0:
+ __veth_xdp_flush drivers/net/veth.c:269 [inline]
+ veth_xmit+0x307/0x470 drivers/net/veth.c:350
+ __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4697 [inline]
+ xmit_one+0x105/0x2f0 net/core/dev.c:3473
+ dev_hard_start_xmit net/core/dev.c:3489 [inline]
+ __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
+ dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
+ br_dev_queue_push_xmit+0x3ce/0x430 net/bridge/br_forward.c:53
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ br_forward_finish net/bridge/br_forward.c:66 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ __br_forward+0x2e4/0x400 net/bridge/br_forward.c:115
+ br_flood+0x521/0x5c0 net/bridge/br_forward.c:242
+ br_dev_xmit+0x8b6/0x960
+ __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4697 [inline]
+ xmit_one+0x105/0x2f0 net/core/dev.c:3473
+ dev_hard_start_xmit net/core/dev.c:3489 [inline]
+ __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
+ dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
+ neigh_hh_output include/net/neighbour.h:525 [inline]
+ neigh_output include/net/neighbour.h:539 [inline]
+ ip_finish_output2+0x6f8/0xb70 net/ipv4/ip_output.c:228
+ ip_finish_output+0xfb/0x240 net/ipv4/ip_output.c:316
+ NF_HOOK_COND include/linux/netfilter.h:296 [inline]
+ ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
+ dst_output include/net/dst.h:451 [inline]
+ ip_local_out net/ipv4/ip_output.c:126 [inline]
+ ip_send_skb+0x6e/0xe0 net/ipv4/ip_output.c:1570
+ udp_send_skb+0x641/0x880 net/ipv4/udp.c:967
+ udp_sendmsg+0x12ea/0x14c0 net/ipv4/udp.c:1254
+ inet_sendmsg+0x5f/0x80 net/ipv4/af_inet.c:819
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553
+ __do_sys_sendmmsg net/socket.c:2582 [inline]
+ __se_sys_sendmmsg net/socket.c:2579 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888133d9a9f8 of 1 bytes by task 23563 on cpu 1:
+ __veth_xdp_flush drivers/net/veth.c:268 [inline]
+ veth_xmit+0x2d6/0x470 drivers/net/veth.c:350
+ __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4697 [inline]
+ xmit_one+0x105/0x2f0 net/core/dev.c:3473
+ dev_hard_start_xmit net/core/dev.c:3489 [inline]
+ __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
+ dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
+ br_dev_queue_push_xmit+0x3ce/0x430 net/bridge/br_forward.c:53
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ br_forward_finish net/bridge/br_forward.c:66 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ __br_forward+0x2e4/0x400 net/bridge/br_forward.c:115
+ br_flood+0x521/0x5c0 net/bridge/br_forward.c:242
+ br_dev_xmit+0x8b6/0x960
+ __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4697 [inline]
+ xmit_one+0x105/0x2f0 net/core/dev.c:3473
+ dev_hard_start_xmit net/core/dev.c:3489 [inline]
+ __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
+ dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
+ neigh_hh_output include/net/neighbour.h:525 [inline]
+ neigh_output include/net/neighbour.h:539 [inline]
+ ip_finish_output2+0x6f8/0xb70 net/ipv4/ip_output.c:228
+ ip_finish_output+0xfb/0x240 net/ipv4/ip_output.c:316
+ NF_HOOK_COND include/linux/netfilter.h:296 [inline]
+ ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
+ dst_output include/net/dst.h:451 [inline]
+ ip_local_out net/ipv4/ip_output.c:126 [inline]
+ ip_send_skb+0x6e/0xe0 net/ipv4/ip_output.c:1570
+ udp_send_skb+0x641/0x880 net/ipv4/udp.c:967
+ udp_sendmsg+0x12ea/0x14c0 net/ipv4/udp.c:1254
+ inet_sendmsg+0x5f/0x80 net/ipv4/af_inet.c:819
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553
+ __do_sys_sendmmsg net/socket.c:2582 [inline]
+ __se_sys_sendmmsg net/socket.c:2579 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00 -> 0x01
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 23563 Comm: syz-executor.5 Not tainted 5.17.0-rc2-syzkaller-00064-gc36c04c2e132 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 948d4f214fde ("veth: Add driver XDP")
+Signed-off-by: Eric Dumazet
+Cc: Toshiaki Makita
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/veth.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index 81a79e7132483..10a876f8831c7 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -209,9 +209,10 @@ static void __veth_xdp_flush(struct veth_rq *rq)
+ {
+ /* Write ptr_ring before reading rx_notify_masked */
+ smp_mb();
+- if (!rq->rx_notify_masked) {
+- rq->rx_notify_masked = true;
+- napi_schedule(&rq->xdp_napi);
++ if (!READ_ONCE(rq->rx_notify_masked) &&
++ napi_schedule_prep(&rq->xdp_napi)) {
++ WRITE_ONCE(rq->rx_notify_masked, true);
++ __napi_schedule(&rq->xdp_napi);
+ }
+ }
+
+@@ -780,8 +781,10 @@ static int veth_poll(struct napi_struct *napi, int budget)
+ /* Write rx_notify_masked before reading ptr_ring */
+ smp_store_mb(rq->rx_notify_masked, false);
+ if (unlikely(!__ptr_ring_empty(&rq->xdp_ring))) {
+- rq->rx_notify_masked = true;
+- napi_schedule(&rq->xdp_napi);
++ if (napi_schedule_prep(&rq->xdp_napi)) {
++ WRITE_ONCE(rq->rx_notify_masked, true);
++ __napi_schedule(&rq->xdp_napi);
++ }
+ }
+ }
+
+--
+2.34.1
+
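Review bot: The decision in __veth_xdp_flush and veth_poll to set rx_notify_masked only after napi_schedule_prep() succeeds carries the whole ownership argument of this fix, yet neither site comments on it, and the existing `/* Write ptr_ring before reading rx_notify_masked */` still explains only the smp_mb(). A one-line comment at both sites, e.g. `/* Only the context that wins NAPI_STATE_SCHED sets the mask; a loser leaves it to the already-scheduled poll */`, would stop a later reader from folding the pair back into napi_schedule(). This presumes napi_schedule_prep() fails only when the NAPI is already scheduled or disabled, which is its usual contract but is not visible in the hunk. Both functions start before their hunks, and where veth_poll ends is not certain from the context shown.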