From: Greg Kroah-Hartman Date: Tue, 14 May 2024 08:35:01 +0000 (+0200) Subject: clean up some 5.15 dependencies X-Git-Tag: v4.19.314~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c50e2c4a851ef7951b098b66dcac2e3fdd7d2171;p=thirdparty%2Fkernel%2Fstable-queue.git clean up some 5.15 dependencies --- diff --git a/queue-5.15/bpf-skmsg-fix-null-pointer-dereference-in-sk_psock_s.patch b/queue-5.15/bpf-skmsg-fix-null-pointer-dereference-in-sk_psock_s.patch index c8ae8952e59..13676054126 100644 --- a/queue-5.15/bpf-skmsg-fix-null-pointer-dereference-in-sk_psock_s.patch +++ b/queue-5.15/bpf-skmsg-fix-null-pointer-dereference-in-sk_psock_s.patch @@ -77,15 +77,12 @@ Link: https://lore.kernel.org/all/20240329134037.92124-1-kerneljasonxing@gmail.c Link: https://lore.kernel.org/bpf/20240404021001.94815-1-kerneljasonxing@gmail.com Signed-off-by: Sasha Levin --- - include/linux/skmsg.h | 2 ++ - net/core/skmsg.c | 5 +---- - 2 files changed, 3 insertions(+), 4 deletions(-) + include/linux/skmsg.h | 2 ++ + 1 file changed, 2 insertions(+) -diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h -index 4273505d309a7..f18eb6a6f7631 100644 --- a/include/linux/skmsg.h +++ b/include/linux/skmsg.h -@@ -462,10 +462,12 @@ static inline void sk_psock_put(struct sock *sk, struct sk_psock *psock) +@@ -462,10 +462,12 @@ static inline void sk_psock_put(struct s static inline void sk_psock_data_ready(struct sock *sk, struct sk_psock *psock) { @@ -98,23 +95,3 @@ index 4273505d309a7..f18eb6a6f7631 100644 } static inline void psock_set_prog(struct bpf_prog **pprog, -diff --git a/net/core/skmsg.c b/net/core/skmsg.c -index 349a1d055a064..6bdb15b05a78d 100644 ---- a/net/core/skmsg.c -+++ b/net/core/skmsg.c -@@ -1223,11 +1223,8 @@ static void sk_psock_verdict_data_ready(struct sock *sk) - - rcu_read_lock(); - psock = sk_psock(sk); -- if (psock) { -- read_lock_bh(&sk->sk_callback_lock); -+ if (psock) - sk_psock_data_ready(sk, psock); -- read_unlock_bh(&sk->sk_callback_lock); -- } - rcu_read_unlock(); - } - } --- -2.43.0 - diff --git a/queue-5.15/bpf-sockmap-avoid-potential-null-dereference-in-sk_p.patch b/queue-5.15/bpf-sockmap-avoid-potential-null-dereference-in-sk_p.patch deleted file mode 100644 index 660e4e5adfb..00000000000 --- a/queue-5.15/bpf-sockmap-avoid-potential-null-dereference-in-sk_p.patch +++ /dev/null @@ -1,93 +0,0 @@ -From b8beca67eaa0d62d309047f1e0474ac189cf61f5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 May 2023 19:51:49 +0000 -Subject: bpf, sockmap: Avoid potential NULL dereference in - sk_psock_verdict_data_ready() - -From: Eric Dumazet - -[ Upstream commit b320a45638296b63be8d9a901ca8bc43716b1ae1 ] - -syzbot found sk_psock(sk) could return NULL when called -from sk_psock_verdict_data_ready(). - -Just make sure to handle this case. - -[1] -general protection fault, probably for non-canonical address 0xdffffc000000005c: 0000 [#1] PREEMPT SMP KASAN -KASAN: null-ptr-deref in range [0x00000000000002e0-0x00000000000002e7] -CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.4.0-rc3-syzkaller-00588-g4781e965e655 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023 -RIP: 0010:sk_psock_verdict_data_ready+0x19f/0x3c0 net/core/skmsg.c:1213 -Code: 4c 89 e6 e8 63 70 5e f9 4d 85 e4 75 75 e8 19 74 5e f9 48 8d bb e0 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 07 02 00 00 48 89 ef ff 93 e0 02 00 00 e8 29 fd -RSP: 0018:ffffc90000147688 EFLAGS: 00010206 -RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100 -RDX: 000000000000005c RSI: ffffffff8825ceb7 RDI: 00000000000002e0 -RBP: ffff888076518c40 R08: 0000000000000007 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 -R13: 0000000000000000 R14: 0000000000008000 R15: ffff888076518c40 -FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00007f901375bab0 CR3: 000000004bf26000 CR4: 00000000003506f0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - -tcp_data_ready+0x10a/0x520 net/ipv4/tcp_input.c:5006 -tcp_data_queue+0x25d3/0x4c50 net/ipv4/tcp_input.c:5080 -tcp_rcv_established+0x829/0x1f90 net/ipv4/tcp_input.c:6019 -tcp_v4_do_rcv+0x65a/0x9c0 net/ipv4/tcp_ipv4.c:1726 -tcp_v4_rcv+0x2cbf/0x3340 net/ipv4/tcp_ipv4.c:2148 -ip_protocol_deliver_rcu+0x9f/0x480 net/ipv4/ip_input.c:205 -ip_local_deliver_finish+0x2ec/0x520 net/ipv4/ip_input.c:233 -NF_HOOK include/linux/netfilter.h:303 [inline] -NF_HOOK include/linux/netfilter.h:297 [inline] -ip_local_deliver+0x1ae/0x200 net/ipv4/ip_input.c:254 -dst_input include/net/dst.h:468 [inline] -ip_rcv_finish+0x1cf/0x2f0 net/ipv4/ip_input.c:449 -NF_HOOK include/linux/netfilter.h:303 [inline] -NF_HOOK include/linux/netfilter.h:297 [inline] -ip_rcv+0xae/0xd0 net/ipv4/ip_input.c:569 -__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491 -__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605 -process_backlog+0x101/0x670 net/core/dev.c:5933 -__napi_poll+0xb7/0x6f0 net/core/dev.c:6499 -napi_poll net/core/dev.c:6566 [inline] -net_rx_action+0x8a9/0xcb0 net/core/dev.c:6699 -__do_softirq+0x1d4/0x905 kernel/softirq.c:571 -run_ksoftirqd kernel/softirq.c:939 [inline] -run_ksoftirqd+0x31/0x60 kernel/softirq.c:931 -smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164 -kthread+0x344/0x440 kernel/kthread.c:379 -ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 - - -Fixes: 6df7f764cd3c ("bpf, sockmap: Wake up polling after data copy") -Reported-by: syzbot -Signed-off-by: Eric Dumazet -Signed-off-by: Daniel Borkmann -Reviewed-by: John Fastabend -Link: https://lore.kernel.org/bpf/20230530195149.68145-1-edumazet@google.com -Stable-dep-of: 6648e613226e ("bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue") -Signed-off-by: Sasha Levin ---- - net/core/skmsg.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/core/skmsg.c b/net/core/skmsg.c -index 75554adef5df9..4b851a43cb0b7 100644 ---- a/net/core/skmsg.c -+++ b/net/core/skmsg.c -@@ -1223,7 +1223,8 @@ static void sk_psock_verdict_data_ready(struct sock *sk) - - rcu_read_lock(); - psock = sk_psock(sk); -- psock->saved_data_ready(sk); -+ if (psock) -+ psock->saved_data_ready(sk); - rcu_read_unlock(); - } - } --- -2.43.0 - diff --git a/queue-5.15/bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch b/queue-5.15/bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch deleted file mode 100644 index ffd54ac4069..00000000000 --- a/queue-5.15/bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch +++ /dev/null @@ -1,70 +0,0 @@ -From b7955538434060b99101a56673962f0695f0da85 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Feb 2024 00:09:33 +0900 -Subject: bpf, sockmap: Fix NULL pointer dereference in - sk_psock_verdict_data_ready() - -From: Shigeru Yoshida - -[ Upstream commit 4cd12c6065dfcdeba10f49949bffcf383b3952d8 ] - -syzbot reported the following NULL pointer dereference issue [1]: - - BUG: kernel NULL pointer dereference, address: 0000000000000000 - [...] - RIP: 0010:0x0 - [...] - Call Trace: - - sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230 - unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293 - sock_sendmsg_nosec net/socket.c:730 [inline] - __sock_sendmsg+0x221/0x270 net/socket.c:745 - ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 - ___sys_sendmsg net/socket.c:2638 [inline] - __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 - do_syscall_64+0xf9/0x240 - entry_SYSCALL_64_after_hwframe+0x6f/0x77 - -If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called -concurrently, psock->saved_data_ready can be NULL, causing the above issue. - -This patch fixes this issue by calling the appropriate data ready function -using the sk_psock_data_ready() helper and protecting it from concurrency -with sk->sk_callback_lock. - -Fixes: 6df7f764cd3c ("bpf, sockmap: Wake up polling after data copy") -Reported-by: syzbot+fd7b34375c1c8ce29c93@syzkaller.appspotmail.com -Signed-off-by: Shigeru Yoshida -Signed-off-by: Daniel Borkmann -Tested-by: syzbot+fd7b34375c1c8ce29c93@syzkaller.appspotmail.com -Acked-by: John Fastabend -Closes: https://syzkaller.appspot.com/bug?extid=fd7b34375c1c8ce29c93 [1] -Link: https://lore.kernel.org/bpf/20240218150933.6004-1-syoshida@redhat.com -Stable-dep-of: 6648e613226e ("bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue") -Signed-off-by: Sasha Levin ---- - net/core/skmsg.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/net/core/skmsg.c b/net/core/skmsg.c -index 4b851a43cb0b7..349a1d055a064 100644 ---- a/net/core/skmsg.c -+++ b/net/core/skmsg.c -@@ -1223,8 +1223,11 @@ static void sk_psock_verdict_data_ready(struct sock *sk) - - rcu_read_lock(); - psock = sk_psock(sk); -- if (psock) -- psock->saved_data_ready(sk); -+ if (psock) { -+ read_lock_bh(&sk->sk_callback_lock); -+ sk_psock_data_ready(sk, psock); -+ read_unlock_bh(&sk->sk_callback_lock); -+ } - rcu_read_unlock(); - } - } --- -2.43.0 - diff --git a/queue-5.15/bpf-sockmap-wake-up-polling-after-data-copy.patch b/queue-5.15/bpf-sockmap-wake-up-polling-after-data-copy.patch deleted file mode 100644 index b00ac6a392f..00000000000 --- a/queue-5.15/bpf-sockmap-wake-up-polling-after-data-copy.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 345ad8e80d4dd3f71799f527f3eabb77d9429e2a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 May 2023 19:56:11 -0700 -Subject: bpf, sockmap: Wake up polling after data copy - -From: John Fastabend - -[ Upstream commit 6df7f764cd3cf5a03a4a47b23be47e57e41fcd85 ] - -When TCP stack has data ready to read sk_data_ready() is called. Sockmap -overwrites this with its own handler to call into BPF verdict program. -But, the original TCP socket had sock_def_readable that would additionally -wake up any user space waiters with sk_wake_async(). - -Sockmap saved the callback when the socket was created so call the saved -data ready callback and then we can wake up any epoll() logic waiting -on the read. - -Note we call on 'copied >= 0' to account for returning 0 when a FIN is -received because we need to wake up user for this as well so they -can do the recvmsg() -> 0 and detect the shutdown. - -Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()") -Signed-off-by: John Fastabend -Signed-off-by: Daniel Borkmann -Reviewed-by: Jakub Sitnicki -Link: https://lore.kernel.org/bpf/20230523025618.113937-8-john.fastabend@gmail.com -Stable-dep-of: 6648e613226e ("bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue") -Signed-off-by: Sasha Levin ---- - net/core/skmsg.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/net/core/skmsg.c b/net/core/skmsg.c -index 68418954ac492..75554adef5df9 100644 ---- a/net/core/skmsg.c -+++ b/net/core/skmsg.c -@@ -1213,10 +1213,19 @@ static int sk_psock_verdict_recv(struct sock *sk, struct sk_buff *skb) - static void sk_psock_verdict_data_ready(struct sock *sk) - { - struct socket *sock = sk->sk_socket; -+ int copied; - - if (unlikely(!sock || !sock->ops || !sock->ops->read_skb)) - return; -- sock->ops->read_skb(sk, sk_psock_verdict_recv); -+ copied = sock->ops->read_skb(sk, sk_psock_verdict_recv); -+ if (copied >= 0) { -+ struct sk_psock *psock; -+ -+ rcu_read_lock(); -+ psock = sk_psock(sk); -+ psock->saved_data_ready(sk); -+ rcu_read_unlock(); -+ } - } - - void sk_psock_start_verdict(struct sock *sk, struct sk_psock *psock) --- -2.43.0 - diff --git a/queue-5.15/net-introduce-a-new-proto_ops-read_skb.patch b/queue-5.15/net-introduce-a-new-proto_ops-read_skb.patch deleted file mode 100644 index 7c7a4b1cafd..00000000000 --- a/queue-5.15/net-introduce-a-new-proto_ops-read_skb.patch +++ /dev/null @@ -1,333 +0,0 @@ -From 2e55a8ad6cdcf880e5bae3a674eafefb0ac63458 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 09:20:12 -0700 -Subject: net: Introduce a new proto_ops ->read_skb() - -From: Cong Wang - -[ Upstream commit 965b57b469a589d64d81b1688b38dcb537011bb0 ] - -Currently both splice() and sockmap use ->read_sock() to -read skb from receive queue, but for sockmap we only read -one entire skb at a time, so ->read_sock() is too conservative -to use. Introduce a new proto_ops ->read_skb() which supports -this sematic, with this we can finally pass the ownership of -skb to recv actors. - -For non-TCP protocols, all ->read_sock() can be simply -converted to ->read_skb(). - -Signed-off-by: Cong Wang -Signed-off-by: Daniel Borkmann -Reviewed-by: John Fastabend -Link: https://lore.kernel.org/bpf/20220615162014.89193-3-xiyou.wangcong@gmail.com -Stable-dep-of: 6648e613226e ("bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue") -Signed-off-by: Sasha Levin ---- - include/linux/net.h | 4 ++++ - include/net/tcp.h | 3 +-- - include/net/udp.h | 3 +-- - net/core/skmsg.c | 20 +++++--------------- - net/ipv4/af_inet.c | 3 ++- - net/ipv4/tcp.c | 9 +++------ - net/ipv4/udp.c | 10 ++++------ - net/ipv6/af_inet6.c | 3 ++- - net/unix/af_unix.c | 23 +++++++++-------------- - 9 files changed, 31 insertions(+), 47 deletions(-) - -diff --git a/include/linux/net.h b/include/linux/net.h -index ba736b457a068..3e000dadeb8f3 100644 ---- a/include/linux/net.h -+++ b/include/linux/net.h -@@ -133,6 +133,8 @@ struct module; - struct sk_buff; - typedef int (*sk_read_actor_t)(read_descriptor_t *, struct sk_buff *, - unsigned int, size_t); -+typedef int (*skb_read_actor_t)(struct sock *, struct sk_buff *); -+ - - struct proto_ops { - int family; -@@ -195,6 +197,8 @@ struct proto_ops { - */ - int (*read_sock)(struct sock *sk, read_descriptor_t *desc, - sk_read_actor_t recv_actor); -+ /* This is different from read_sock(), it reads an entire skb at a time. */ -+ int (*read_skb)(struct sock *sk, skb_read_actor_t recv_actor); - int (*sendpage_locked)(struct sock *sk, struct page *page, - int offset, size_t size, int flags); - int (*sendmsg_locked)(struct sock *sk, struct msghdr *msg, -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 3047a8b3dbd1c..bdc5a16af8190 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -663,8 +663,7 @@ void tcp_get_info(struct sock *, struct tcp_info *); - /* Read 'sendfile()'-style from a TCP socket */ - int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, - sk_read_actor_t recv_actor); --int tcp_read_skb(struct sock *sk, read_descriptor_t *desc, -- sk_read_actor_t recv_actor); -+int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor); - - void tcp_initialize_rcv_mss(struct sock *sk); - -diff --git a/include/net/udp.h b/include/net/udp.h -index 10508c66e7a19..20ae344bc1082 100644 ---- a/include/net/udp.h -+++ b/include/net/udp.h -@@ -329,8 +329,7 @@ struct sock *__udp6_lib_lookup(struct net *net, - struct sk_buff *skb); - struct sock *udp6_lib_lookup_skb(const struct sk_buff *skb, - __be16 sport, __be16 dport); --int udp_read_sock(struct sock *sk, read_descriptor_t *desc, -- sk_read_actor_t recv_actor); -+int udp_read_skb(struct sock *sk, skb_read_actor_t recv_actor); - - /* UDP uses skb->dev_scratch to cache as much information as possible and avoid - * possibly multiple cache miss on dequeue() -diff --git a/net/core/skmsg.c b/net/core/skmsg.c -index 9cd14212dcd0b..68418954ac492 100644 ---- a/net/core/skmsg.c -+++ b/net/core/skmsg.c -@@ -1173,21 +1173,17 @@ static void sk_psock_done_strp(struct sk_psock *psock) - } - #endif /* CONFIG_BPF_STREAM_PARSER */ - --static int sk_psock_verdict_recv(read_descriptor_t *desc, struct sk_buff *skb, -- unsigned int offset, size_t orig_len) -+static int sk_psock_verdict_recv(struct sock *sk, struct sk_buff *skb) - { -- struct sock *sk = (struct sock *)desc->arg.data; - struct sk_psock *psock; - struct bpf_prog *prog; - int ret = __SK_DROP; -- int len = orig_len; -+ int len = skb->len; - - /* clone here so sk_eat_skb() in tcp_read_sock does not drop our data */ - skb = skb_clone(skb, GFP_ATOMIC); -- if (!skb) { -- desc->error = -ENOMEM; -+ if (!skb) - return 0; -- } - - rcu_read_lock(); - psock = sk_psock(sk); -@@ -1217,16 +1213,10 @@ static int sk_psock_verdict_recv(read_descriptor_t *desc, struct sk_buff *skb, - static void sk_psock_verdict_data_ready(struct sock *sk) - { - struct socket *sock = sk->sk_socket; -- read_descriptor_t desc; - -- if (unlikely(!sock || !sock->ops || !sock->ops->read_sock)) -+ if (unlikely(!sock || !sock->ops || !sock->ops->read_skb)) - return; -- -- desc.arg.data = sk; -- desc.error = 0; -- desc.count = 1; -- -- sock->ops->read_sock(sk, &desc, sk_psock_verdict_recv); -+ sock->ops->read_skb(sk, sk_psock_verdict_recv); - } - - void sk_psock_start_verdict(struct sock *sk, struct sk_psock *psock) -diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c -index 487f75993bf4f..f931d2534ab42 100644 ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -1050,6 +1050,7 @@ const struct proto_ops inet_stream_ops = { - .sendpage = inet_sendpage, - .splice_read = tcp_splice_read, - .read_sock = tcp_read_sock, -+ .read_skb = tcp_read_skb, - .sendmsg_locked = tcp_sendmsg_locked, - .sendpage_locked = tcp_sendpage_locked, - .peek_len = tcp_peek_len, -@@ -1077,7 +1078,7 @@ const struct proto_ops inet_dgram_ops = { - .setsockopt = sock_common_setsockopt, - .getsockopt = sock_common_getsockopt, - .sendmsg = inet_sendmsg, -- .read_sock = udp_read_sock, -+ .read_skb = udp_read_skb, - .recvmsg = inet_recvmsg, - .mmap = sock_no_mmap, - .sendpage = inet_sendpage, -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 3647a5f08c22d..3fd4de1961a62 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -1705,8 +1705,7 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, - } - EXPORT_SYMBOL(tcp_read_sock); - --int tcp_read_skb(struct sock *sk, read_descriptor_t *desc, -- sk_read_actor_t recv_actor) -+int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor) - { - struct tcp_sock *tp = tcp_sk(sk); - u32 seq = tp->copied_seq; -@@ -1721,7 +1720,7 @@ int tcp_read_skb(struct sock *sk, read_descriptor_t *desc, - int used; - - __skb_unlink(skb, &sk->sk_receive_queue); -- used = recv_actor(desc, skb, 0, skb->len); -+ used = recv_actor(sk, skb); - if (used <= 0) { - if (!copied) - copied = used; -@@ -1736,9 +1735,7 @@ int tcp_read_skb(struct sock *sk, read_descriptor_t *desc, - break; - } - consume_skb(skb); -- if (!desc->count) -- break; -- WRITE_ONCE(tp->copied_seq, seq); -+ break; - } - WRITE_ONCE(tp->copied_seq, seq); - -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index d0387e5eee5b5..6a054bfb17850 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1819,8 +1819,7 @@ struct sk_buff *__skb_recv_udp(struct sock *sk, unsigned int flags, - } - EXPORT_SYMBOL(__skb_recv_udp); - --int udp_read_sock(struct sock *sk, read_descriptor_t *desc, -- sk_read_actor_t recv_actor) -+int udp_read_skb(struct sock *sk, skb_read_actor_t recv_actor) - { - int copied = 0; - -@@ -1842,7 +1841,7 @@ int udp_read_sock(struct sock *sk, read_descriptor_t *desc, - continue; - } - -- used = recv_actor(desc, skb, 0, skb->len); -+ used = recv_actor(sk, skb); - if (used <= 0) { - if (!copied) - copied = used; -@@ -1853,13 +1852,12 @@ int udp_read_sock(struct sock *sk, read_descriptor_t *desc, - } - - kfree_skb(skb); -- if (!desc->count) -- break; -+ break; - } - - return copied; - } --EXPORT_SYMBOL(udp_read_sock); -+EXPORT_SYMBOL(udp_read_skb); - - /* - * This should be easy, if there is something there we -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 8e0c33b683010..1b7749882c7ab 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -707,6 +707,7 @@ const struct proto_ops inet6_stream_ops = { - .sendpage_locked = tcp_sendpage_locked, - .splice_read = tcp_splice_read, - .read_sock = tcp_read_sock, -+ .read_skb = tcp_read_skb, - .peek_len = tcp_peek_len, - #ifdef CONFIG_COMPAT - .compat_ioctl = inet6_compat_ioctl, -@@ -732,7 +733,7 @@ const struct proto_ops inet6_dgram_ops = { - .getsockopt = sock_common_getsockopt, /* ok */ - .sendmsg = inet6_sendmsg, /* retpoline's sake */ - .recvmsg = inet6_recvmsg, /* retpoline's sake */ -- .read_sock = udp_read_sock, -+ .read_skb = udp_read_skb, - .mmap = sock_no_mmap, - .sendpage = sock_no_sendpage, - .set_peek_off = sk_set_peek_off, -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index f66f867049015..bf610fad8775d 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -700,10 +700,8 @@ static ssize_t unix_stream_splice_read(struct socket *, loff_t *ppos, - unsigned int flags); - static int unix_dgram_sendmsg(struct socket *, struct msghdr *, size_t); - static int unix_dgram_recvmsg(struct socket *, struct msghdr *, size_t, int); --static int unix_read_sock(struct sock *sk, read_descriptor_t *desc, -- sk_read_actor_t recv_actor); --static int unix_stream_read_sock(struct sock *sk, read_descriptor_t *desc, -- sk_read_actor_t recv_actor); -+static int unix_read_skb(struct sock *sk, skb_read_actor_t recv_actor); -+static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor); - static int unix_dgram_connect(struct socket *, struct sockaddr *, - int, int); - static int unix_seqpacket_sendmsg(struct socket *, struct msghdr *, size_t); -@@ -757,7 +755,7 @@ static const struct proto_ops unix_stream_ops = { - .shutdown = unix_shutdown, - .sendmsg = unix_stream_sendmsg, - .recvmsg = unix_stream_recvmsg, -- .read_sock = unix_stream_read_sock, -+ .read_skb = unix_stream_read_skb, - .mmap = sock_no_mmap, - .sendpage = unix_stream_sendpage, - .splice_read = unix_stream_splice_read, -@@ -782,7 +780,7 @@ static const struct proto_ops unix_dgram_ops = { - .listen = sock_no_listen, - .shutdown = unix_shutdown, - .sendmsg = unix_dgram_sendmsg, -- .read_sock = unix_read_sock, -+ .read_skb = unix_read_skb, - .recvmsg = unix_dgram_recvmsg, - .mmap = sock_no_mmap, - .sendpage = sock_no_sendpage, -@@ -2412,8 +2410,7 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, size_t si - return __unix_dgram_recvmsg(sk, msg, size, flags); - } - --static int unix_read_sock(struct sock *sk, read_descriptor_t *desc, -- sk_read_actor_t recv_actor) -+static int unix_read_skb(struct sock *sk, skb_read_actor_t recv_actor) - { - int copied = 0; - -@@ -2428,7 +2425,7 @@ static int unix_read_sock(struct sock *sk, read_descriptor_t *desc, - if (!skb) - return err; - -- used = recv_actor(desc, skb, 0, skb->len); -+ used = recv_actor(sk, skb); - if (used <= 0) { - if (!copied) - copied = used; -@@ -2439,8 +2436,7 @@ static int unix_read_sock(struct sock *sk, read_descriptor_t *desc, - } - - kfree_skb(skb); -- if (!desc->count) -- break; -+ break; - } - - return copied; -@@ -2580,13 +2576,12 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, - } - #endif - --static int unix_stream_read_sock(struct sock *sk, read_descriptor_t *desc, -- sk_read_actor_t recv_actor) -+static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor) - { - if (unlikely(sk->sk_state != TCP_ESTABLISHED)) - return -ENOTCONN; - -- return unix_read_sock(sk, desc, recv_actor); -+ return unix_read_skb(sk, recv_actor); - } - - static int unix_stream_read_generic(struct unix_stream_read_state *state, --- -2.43.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 8089fc2bde9..c5c06491a00 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -22,11 +22,6 @@ power-supply-mt6360_charger-fix-of_match-for-usb-otg.patch pinctrl-devicetree-fix-refcount-leak-in-pinctrl_dt_t.patch regulator-mt6360-de-capitalize-devicetree-regulator-.patch bpf-kconfig-fix-debug_info_btf_modules-kconfig-defin.patch -tcp-introduce-tcp_read_skb.patch -net-introduce-a-new-proto_ops-read_skb.patch -bpf-sockmap-wake-up-polling-after-data-copy.patch -bpf-sockmap-avoid-potential-null-dereference-in-sk_p.patch -bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch bpf-skmsg-fix-null-pointer-dereference-in-sk_psock_s.patch bpf-fix-a-verifier-verbose-message.patch spi-hisi-kunpeng-delete-the-dump-interface-of-data-r.patch @@ -97,7 +92,6 @@ clk-don-t-hold-prepare_lock-when-calling-kref_put.patch fs-9p-drop-inodes-immediately-on-non-.l-too.patch drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch net-usb-qmi_wwan-support-rolling-modules.patch -tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch bpf-sockmap-tcp-data-stall-on-recv-before-accept.patch bpf-sockmap-handle-fin-correctly.patch bpf-sockmap-convert-schedule_work-into-delayed_work.patch diff --git a/queue-5.15/tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch b/queue-5.15/tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch index 193c0c4a5e7..342a55c4b9d 100644 --- a/queue-5.15/tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch +++ b/queue-5.15/tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch @@ -85,16 +85,14 @@ Link: https://lore.kernel.org/r/20240501125448.896529-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - net/ipv4/tcp.c | 4 ++-- - net/ipv4/tcp_input.c | 2 ++ - net/ipv4/tcp_output.c | 4 +++- + net/ipv4/tcp.c | 4 ++-- + net/ipv4/tcp_input.c | 2 ++ + net/ipv4/tcp_output.c | 4 +++- 3 files changed, 7 insertions(+), 3 deletions(-) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index c826db961fc08..1f858b3c9ac38 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c -@@ -2737,7 +2737,7 @@ void tcp_shutdown(struct sock *sk, int how) +@@ -2692,7 +2692,7 @@ void tcp_shutdown(struct sock *sk, int h /* If we've already sent a FIN, or it's a closed state, skip this. */ if ((1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_SYN_SENT | @@ -103,7 +101,7 @@ index c826db961fc08..1f858b3c9ac38 100644 /* Clear out any half completed packets. FIN if needed. */ if (tcp_close_state(sk)) tcp_send_fin(sk); -@@ -2848,7 +2848,7 @@ void __tcp_close(struct sock *sk, long timeout) +@@ -2803,7 +2803,7 @@ void __tcp_close(struct sock *sk, long t * machine. State transitions: * * TCP_ESTABLISHED -> TCP_FIN_WAIT1 @@ -112,11 +110,9 @@ index c826db961fc08..1f858b3c9ac38 100644 * TCP_CLOSE_WAIT -> TCP_LAST_ACK * * are legal only when FIN has been sent (i.e. in window), -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index e51b5d887c24b..52a9d7f96da43 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c -@@ -6543,6 +6543,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) +@@ -6543,6 +6543,8 @@ int tcp_rcv_state_process(struct sock *s tcp_initialize_rcv_mss(sk); tcp_fast_path_on(tp); @@ -125,8 +121,6 @@ index e51b5d887c24b..52a9d7f96da43 100644 break; case TCP_FIN_WAIT1: { -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index d8817d6c7b96f..0fb84e57a2d49 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -3441,7 +3441,9 @@ void tcp_send_fin(struct sock *sk) @@ -140,6 +134,3 @@ index d8817d6c7b96f..0fb84e57a2d49 100644 if (unlikely(!skb)) return; --- -2.43.0 - diff --git a/queue-5.15/tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch b/queue-5.15/tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch deleted file mode 100644 index 68375c58694..00000000000 --- a/queue-5.15/tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 4920db06394f041b049e3d13016d15577051471d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 Aug 2022 12:54:42 -0700 -Subject: tcp: fix sock skb accounting in tcp_read_skb() - -From: Cong Wang - -[ Upstream commit e9c6e79760265f019cde39d3f2c443dfbc1395b0 ] - -Before commit 965b57b469a5 ("net: Introduce a new proto_ops -->read_skb()"), skb was not dequeued from receive queue hence -when we close TCP socket skb can be just flushed synchronously. - -After this commit, we have to uncharge skb immediately after being -dequeued, otherwise it is still charged in the original sock. And we -still need to retain skb->sk, as eBPF programs may extract sock -information from skb->sk. Therefore, we have to call -skb_set_owner_sk_safe() here. - -Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()") -Reported-and-tested-by: syzbot+a0e6f8738b58f7654417@syzkaller.appspotmail.com -Tested-by: Stanislav Fomichev -Cc: Eric Dumazet -Cc: John Fastabend -Cc: Jakub Sitnicki -Signed-off-by: Cong Wang -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 3fd4de1961a62..c826db961fc08 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -1720,6 +1720,7 @@ int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor) - int used; - - __skb_unlink(skb, &sk->sk_receive_queue); -+ WARN_ON(!skb_set_owner_sk_safe(skb, sk)); - used = recv_actor(sk, skb); - if (used <= 0) { - if (!copied) --- -2.43.0 - diff --git a/queue-5.15/tcp-introduce-tcp_read_skb.patch b/queue-5.15/tcp-introduce-tcp_read_skb.patch deleted file mode 100644 index 34e02a29153..00000000000 --- a/queue-5.15/tcp-introduce-tcp_read_skb.patch +++ /dev/null @@ -1,103 +0,0 @@ -From a6e53a6990372e5fcf04b80c77bcf3eb99f7dd5f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 09:20:11 -0700 -Subject: tcp: Introduce tcp_read_skb() - -From: Cong Wang - -[ Upstream commit 04919bed948dc22a0032a9da867b7dcb8aece4ca ] - -This patch inroduces tcp_read_skb() based on tcp_read_sock(), -a preparation for the next patch which actually introduces -a new sock ops. - -TCP is special here, because it has tcp_read_sock() which is -mainly used by splice(). tcp_read_sock() supports partial read -and arbitrary offset, neither of them is needed for sockmap. - -Signed-off-by: Cong Wang -Signed-off-by: Daniel Borkmann -Reviewed-by: Eric Dumazet -Reviewed-by: John Fastabend -Link: https://lore.kernel.org/bpf/20220615162014.89193-2-xiyou.wangcong@gmail.com -Stable-dep-of: 6648e613226e ("bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue") -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 2 ++ - net/ipv4/tcp.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 49 insertions(+) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 08923ed4278f0..3047a8b3dbd1c 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -663,6 +663,8 @@ void tcp_get_info(struct sock *, struct tcp_info *); - /* Read 'sendfile()'-style from a TCP socket */ - int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, - sk_read_actor_t recv_actor); -+int tcp_read_skb(struct sock *sk, read_descriptor_t *desc, -+ sk_read_actor_t recv_actor); - - void tcp_initialize_rcv_mss(struct sock *sk); - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 16fd3da68e9f6..3647a5f08c22d 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -1705,6 +1705,53 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, - } - EXPORT_SYMBOL(tcp_read_sock); - -+int tcp_read_skb(struct sock *sk, read_descriptor_t *desc, -+ sk_read_actor_t recv_actor) -+{ -+ struct tcp_sock *tp = tcp_sk(sk); -+ u32 seq = tp->copied_seq; -+ struct sk_buff *skb; -+ int copied = 0; -+ u32 offset; -+ -+ if (sk->sk_state == TCP_LISTEN) -+ return -ENOTCONN; -+ -+ while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) { -+ int used; -+ -+ __skb_unlink(skb, &sk->sk_receive_queue); -+ used = recv_actor(desc, skb, 0, skb->len); -+ if (used <= 0) { -+ if (!copied) -+ copied = used; -+ break; -+ } -+ seq += used; -+ copied += used; -+ -+ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) { -+ consume_skb(skb); -+ ++seq; -+ break; -+ } -+ consume_skb(skb); -+ if (!desc->count) -+ break; -+ WRITE_ONCE(tp->copied_seq, seq); -+ } -+ WRITE_ONCE(tp->copied_seq, seq); -+ -+ tcp_rcv_space_adjust(sk); -+ -+ /* Clean up data we have read: This will do ACK frames. */ -+ if (copied > 0) -+ tcp_cleanup_rbuf(sk, copied); -+ -+ return copied; -+} -+EXPORT_SYMBOL(tcp_read_skb); -+ - int tcp_peek_len(struct socket *sock) - { - return tcp_inq(sock->sk); --- -2.43.0 -