From: Greg Kroah-Hartman
Date: Mon, 4 Nov 2019 10:48:58 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.199~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8b8707d4a37aaaeec5977247bc11aac476221f5;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
llc-fix-sk_buff-leak-in-llc_conn_service.patch
llc-fix-sk_buff-leak-in-llc_sap_state_process.patch
net-usb-sr9800-fix-uninitialized-local-variable.patch
sch_netem-fix-rcu-splat-in-netem_enqueue.patch
---
diff --git a/queue-4.4/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch b/queue-4.4/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
new file mode 100644
index 00000000000..60d4bb71a16
--- /dev/null
+++ b/queue-4.4/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
@@ -0,0 +1,75 @@ +From a7137534b597b7c303203e6bc3ed87e87a273bb8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 7 Oct 2019 15:43:01 -0700 +Subject: bonding: fix potential NULL deref in bond_update_slave_arr + +From: Eric Dumazet + +commit a7137534b597b7c303203e6bc3ed87e87a273bb8 upstream. + +syzbot got a NULL dereference in bond_update_slave_arr() [1], +happening after a failure to allocate bond->slave_arr + +A workqueue (bond_slave_arr_handler) is supposed to retry +the allocation later, but if the slave is removed before +the workqueue had a chance to complete, bond->slave_arr +can still be NULL. + +[1] + +Failed to build slave-array. +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +Modules linked in: +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039 +RSP: 0018:ffff88018fe33678 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000 +RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20 +RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0 +FS: 00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + [] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923 + [] bond_release drivers/net/bonding/bond_main.c:2039 [inline] + [] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562 + [] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328 + [] 
dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495 + [] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088 + [] sock_ioctl+0x300/0x5d0 net/socket.c:1196 + [] vfs_ioctl fs/ioctl.c:47 [inline] + [] file_ioctl fs/ioctl.c:501 [inline] + [] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688 + [] SYSC_ioctl fs/ioctl.c:705 [inline] + [] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696 + [] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305 + [] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Mahesh Bandewar +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3889,7 +3889,7 @@ out: + * this to-be-skipped slave to send a packet out. + */ + old_arr = rtnl_dereference(bond->slave_arr); +- for (idx = 0; idx < old_arr->count; idx++) { ++ for (idx = 0; old_arr != NULL && idx < old_arr->count; idx++) { + if (skipslave == old_arr->arr[idx]) { + old_arr->arr[idx] = + old_arr->arr[old_arr->count-1]; diff --git a/queue-4.4/llc-fix-sk_buff-leak-in-llc_conn_service.patch b/queue-4.4/llc-fix-sk_buff-leak-in-llc_conn_service.patch new file mode 100644 index 00000000000..7e66f9d0161 --- /dev/null +++ b/queue-4.4/llc-fix-sk_buff-leak-in-llc_conn_service.patch 
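Review bot: The new loop condition in bond_update_slave_arr() guards old_arr against NULL but gives no hint why a value just read with rtnl_dereference(bond->slave_arr) can be NULL, so the test will read as defensive noise to the next maintainer. The commit message has the reason (a failed allocation whose retry in bond_slave_arr_handler has not run yet, with the slave removed in between), and a short comment above the rtnl_dereference line would keep it in the code: `/* slave_arr can still be NULL if its allocation failed and bond_slave_arr_handler has not retried yet */`. Hoisting the test out of the loop condition, `if (old_arr) { for (idx = 0; idx < old_arr->count; idx++) …`, would also stop it being re-evaluated on every iteration, though that is a matter of taste. The enclosing function starts and ends outside the hunk.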
@@ -0,0 +1,187 @@ +From b74555de21acd791f12c4a1aeaf653dd7ac21133 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 6 Oct 2019 14:24:25 -0700 +Subject: llc: fix sk_buff leak in llc_conn_service() + +From: Eric Biggers + +commit b74555de21acd791f12c4a1aeaf653dd7ac21133 upstream. + +syzbot reported: + + BUG: memory leak + unreferenced object 0xffff88811eb3de00 (size 224): + comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff ..8$............ + backtrace: + [<000000008d1c66a1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline] + [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 + [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 + [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline] + [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54 + [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140 net/llc/llc_c_ac.c:777 + [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline] + [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline] + [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640 net/llc/llc_conn.c:75 + [<00000000f27e53c1>] llc_establish_connection+0x110/0x170 net/llc/llc_if.c:109 + [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477 + [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840 + [...] + +The bug is that most callers of llc_conn_send_pdu() assume it consumes a +reference to the skb, when actually due to commit b85ab56c3f81 ("llc: +properly handle dev_queue_xmit() return value") it doesn't. 
+ +Revert most of that commit, and instead make the few places that need +llc_conn_send_pdu() to *not* consume a reference call skb_get() before. + +Fixes: b85ab56c3f81 ("llc: properly handle dev_queue_xmit() return value") +Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/llc_conn.h | 2 +- + net/llc/llc_c_ac.c | 8 ++++++-- + net/llc/llc_conn.c | 32 +++++++++----------------------- + 3 files changed, 16 insertions(+), 26 deletions(-) + +--- a/include/net/llc_conn.h ++++ b/include/net/llc_conn.h +@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk); + + /* Access to a connection */ + int llc_conn_state_process(struct sock *sk, struct sk_buff *skb); +-int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); ++void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit); + void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit); +--- a/net/llc/llc_c_ac.c ++++ b/net/llc/llc_c_ac.c +@@ -372,6 +372,7 @@ int llc_conn_ac_send_i_cmd_p_set_1(struc + llc_pdu_init_as_i_cmd(skb, 1, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { ++ skb_get(skb); + llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } +@@ -389,7 +390,8 @@ static int llc_conn_ac_send_i_cmd_p_set_ + llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { +- rc = llc_conn_send_pdu(sk, skb); ++ skb_get(skb); ++ llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } + return rc; +@@ -406,6 +408,7 @@ int llc_conn_ac_send_i_xxx_x_set_0(struc + llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if 
(likely(!rc)) { ++ skb_get(skb); + llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } +@@ -916,7 +919,8 @@ static int llc_conn_ac_send_i_rsp_f_set_ + llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { +- rc = llc_conn_send_pdu(sk, skb); ++ skb_get(skb); ++ llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } + return rc; +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -30,7 +30,7 @@ + #endif + + static int llc_find_offset(int state, int ev_type); +-static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb); ++static void llc_conn_send_pdus(struct sock *sk); + static int llc_conn_service(struct sock *sk, struct sk_buff *skb); + static int llc_exec_conn_trans_actions(struct sock *sk, + struct llc_conn_state_trans *trans, +@@ -193,11 +193,11 @@ out_skb_put: + return rc; + } + +-int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) ++void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) + { + /* queue PDU to send to MAC layer */ + skb_queue_tail(&sk->sk_write_queue, skb); +- return llc_conn_send_pdus(sk, skb); ++ llc_conn_send_pdus(sk); + } + + /** +@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct + if (howmany_resend > 0) + llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; + /* any PDUs to re-send are queued up; start sending to MAC */ +- llc_conn_send_pdus(sk, NULL); ++ llc_conn_send_pdus(sk); + out:; + } + +@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct + if (howmany_resend > 0) + llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; + /* any PDUs to re-send are queued up; start sending to MAC */ +- llc_conn_send_pdus(sk, NULL); ++ llc_conn_send_pdus(sk); + out:; + } + +@@ -340,16 +340,12 @@ out: + /** + * llc_conn_send_pdus - Sends queued PDUs + * @sk: active connection +- * @hold_skb: the skb held by caller, or NULL if does not care + * +- * Sends queued pdus to MAC layer for transmission. 
When @hold_skb is +- * NULL, always return 0. Otherwise, return 0 if @hold_skb is sent +- * successfully, or 1 for failure. ++ * Sends queued pdus to MAC layer for transmission. + */ +-static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb) ++static void llc_conn_send_pdus(struct sock *sk) + { + struct sk_buff *skb; +- int ret = 0; + + while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) { + struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb); +@@ -361,20 +357,10 @@ static int llc_conn_send_pdus(struct soc + skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb); + if (!skb2) + break; +- dev_queue_xmit(skb2); +- } else { +- bool is_target = skb == hold_skb; +- int rc; +- +- if (is_target) +- skb_get(skb); +- rc = dev_queue_xmit(skb); +- if (is_target) +- ret = rc; ++ skb = skb2; + } ++ dev_queue_xmit(skb); + } +- +- return ret; + } + + /** diff --git a/queue-4.4/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch b/queue-4.4/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch new file mode 100644 index 00000000000..04a1615d34c --- /dev/null +++ b/queue-4.4/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch 
@@ -0,0 +1,131 @@ +From c6ee11c39fcc1fb55130748990a8f199e76263b4 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 6 Oct 2019 14:24:24 -0700 +Subject: llc: fix sk_buff leak in llc_sap_state_process() + +From: Eric Biggers + +commit c6ee11c39fcc1fb55130748990a8f199e76263b4 upstream. + +syzbot reported: + + BUG: memory leak + unreferenced object 0xffff888116270800 (size 224): + comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff . .*.....@=*.... + backtrace: + [<000000004d41b4cc>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline] + [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 + [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 + [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline] + [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 + [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 + [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 + [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 + [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline] + [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671 + [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 + [...] + +The bug is that llc_sap_state_process() always takes an extra reference +to the skb, but sometimes neither llc_sap_next_state() nor +llc_sap_state_process() itself drops this reference. + +Fix it by changing llc_sap_next_state() to never consume a reference to +the skb, rather than sometimes do so and sometimes not. Then remove the +extra skb_get() and kfree_skb() from llc_sap_state_process(). 
+ +Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com +Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Biggers +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/llc/llc_s_ac.c | 12 +++++++++--- + net/llc/llc_sap.c | 23 ++++++++--------------- + 2 files changed, 17 insertions(+), 18 deletions(-) + +--- a/net/llc/llc_s_ac.c ++++ b/net/llc/llc_s_ac.c +@@ -58,8 +58,10 @@ int llc_sap_action_send_ui(struct llc_sa + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_ui_cmd(skb); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +- if (likely(!rc)) ++ if (likely(!rc)) { ++ skb_get(skb); + rc = dev_queue_xmit(skb); ++ } + return rc; + } + +@@ -81,8 +83,10 @@ int llc_sap_action_send_xid_c(struct llc + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +- if (likely(!rc)) ++ if (likely(!rc)) { ++ skb_get(skb); + rc = dev_queue_xmit(skb); ++ } + return rc; + } + +@@ -135,8 +139,10 @@ int llc_sap_action_send_test_c(struct ll + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_test_cmd(skb); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +- if (likely(!rc)) ++ if (likely(!rc)) { ++ skb_get(skb); + rc = dev_queue_xmit(skb); ++ } + return rc; + } + +--- a/net/llc/llc_sap.c ++++ b/net/llc/llc_sap.c +@@ -197,29 +197,22 @@ out: + * After executing actions of the event, upper layer will be indicated + * if needed(on receiving an UI frame). sk can be null for the + * datalink_proto case. ++ * ++ * This function always consumes a reference to the skb. 
+ */ + static void llc_sap_state_process(struct llc_sap *sap, struct sk_buff *skb) + { + struct llc_sap_state_ev *ev = llc_sap_ev(skb); + +- /* +- * We have to hold the skb, because llc_sap_next_state +- * will kfree it in the sending path and we need to +- * look at the skb->cb, where we encode llc_sap_state_ev. +- */ +- skb_get(skb); + ev->ind_cfm_flag = 0; + llc_sap_next_state(sap, skb); +- if (ev->ind_cfm_flag == LLC_IND) { +- if (skb->sk->sk_state == TCP_LISTEN) +- kfree_skb(skb); +- else { +- llc_save_primitive(skb->sk, skb, ev->prim); + +- /* queue skb to the user. */ +- if (sock_queue_rcv_skb(skb->sk, skb)) +- kfree_skb(skb); +- } ++ if (ev->ind_cfm_flag == LLC_IND && skb->sk->sk_state != TCP_LISTEN) { ++ llc_save_primitive(skb->sk, skb, ev->prim); ++ ++ /* queue skb to the user. */ ++ if (sock_queue_rcv_skb(skb->sk, skb) == 0) ++ return; + } + kfree_skb(skb); + } diff --git a/queue-4.4/net-usb-sr9800-fix-uninitialized-local-variable.patch b/queue-4.4/net-usb-sr9800-fix-uninitialized-local-variable.patch new file mode 100644 index 00000000000..db7e78b9cea --- /dev/null +++ b/queue-4.4/net-usb-sr9800-fix-uninitialized-local-variable.patch 
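Review bot: The three llc_sap_action_send_* helpers in llc_s_ac.c now take an extra reference right before dev_queue_xmit(), but nothing at those sites says why; the reason (dev_queue_xmit() consumes a reference, while llc_sap_next_state() must now never consume the caller's) lives only in the commit message. A one-line comment at each skb_get() would anchor the new invariant in the code: `skb_get(skb); /* dev_queue_xmit() consumes a ref; the caller still owns skb */`. In llc_sap_state_process() the LLC_IND branch still dereferences skb->sk->sk_state while the kernel-doc just above says sk can be NULL for the datalink_proto case; that was true before the patch too and presumably LLC_IND is only set for socket-backed frames, but one sentence in the kernel-doc stating that LLC_IND implies a non-NULL skb->sk would close the gap for readers.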
@@ -0,0 +1,32 @@
+From 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic
+Date: Tue, 15 Oct 2019 22:20:20 +0200
+Subject: net: usb: sr9800: fix uninitialized local variable
+
+From: Valentin Vidic
+
+commit 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 upstream.
+
+Make sure res does not contain random value if the call to
+sr_read_cmd fails for some reason.
+
+Reported-by: syzbot+f1842130bbcfb335bac1@syzkaller.appspotmail.com
+Signed-off-by: Valentin Vidic
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/sr9800.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -336,7 +336,7 @@ static void sr_set_multicast(struct net_
+ static int sr_mdio_read(struct net_device *net, int phy_id, int loc)
+ {
+ struct usbnet *dev = netdev_priv(net);
+- __le16 res;
++ __le16 res = 0;
+
+ mutex_lock(&dev->phy_mutex);
+ sr_set_sw_mii(dev);
diff --git a/queue-4.4/sch_netem-fix-rcu-splat-in-netem_enqueue.patch b/queue-4.4/sch_netem-fix-rcu-splat-in-netem_enqueue.patch
new file mode 100644
index 00000000000..794ac9dc172
--- /dev/null
+++ b/queue-4.4/sch_netem-fix-rcu-splat-in-netem_enqueue.patch
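Review bot: Initialising res to 0 stops sr_mdio_read() from returning stack garbage, but it also makes a failed sr_read_cmd() indistinguishable from a PHY register that genuinely reads as 0, and since the hunk does not show the call itself, presumably its return value is still not checked. If the MDIO read callback cannot propagate an error, a comment on the new line would at least record the choice: `__le16 res = 0; /* sr_read_cmd() may fail and leave res untouched; report 0 rather than stack garbage */`. sr_mdio_read's body continues outside the hunk.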
@@ -0,0 +1,102 @@ +From 159d2c7d8106177bd9a986fd005a311fe0d11285 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 24 Sep 2019 13:11:26 -0700 +Subject: sch_netem: fix rcu splat in netem_enqueue() + +From: Eric Dumazet + +commit 159d2c7d8106177bd9a986fd005a311fe0d11285 upstream. + +qdisc_root() use from netem_enqueue() triggers a lockdep warning. + +__dev_queue_xmit() uses rcu_read_lock_bh() which is +not equivalent to rcu_read_lock() + local_bh_disable_bh as far +as lockdep is concerned. + +WARNING: suspicious RCU usage +5.3.0-rc7+ #0 Not tainted +----------------------------- +include/net/sch_generic.h:492 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +3 locks held by syz-executor427/8855: + #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] + #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2dc/0x2570 net/ipv4/ip_output.c:214 + #1: 00000000b5525c01 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x20a/0x3650 net/core/dev.c:3804 + #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] + #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_xmit_skb net/core/dev.c:3502 [inline] + #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_queue_xmit+0x14b8/0x3650 net/core/dev.c:3838 + +stack backtrace: +CPU: 0 PID: 8855 Comm: syz-executor427 Not tainted 5.3.0-rc7+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5357 + qdisc_root include/net/sch_generic.h:492 [inline] + netem_enqueue+0x1cfb/0x2d80 net/sched/sch_netem.c:479 + __dev_xmit_skb net/core/dev.c:3527 [inline] + __dev_queue_xmit+0x15d2/0x3650 net/core/dev.c:3838 + 
dev_queue_xmit+0x18/0x20 net/core/dev.c:3902 + neigh_hh_output include/net/neighbour.h:500 [inline] + neigh_output include/net/neighbour.h:509 [inline] + ip_finish_output2+0x1726/0x2570 net/ipv4/ip_output.c:228 + __ip_finish_output net/ipv4/ip_output.c:308 [inline] + __ip_finish_output+0x5fc/0xb90 net/ipv4/ip_output.c:290 + ip_finish_output+0x38/0x1f0 net/ipv4/ip_output.c:318 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip_mc_output+0x292/0xf40 net/ipv4/ip_output.c:417 + dst_output include/net/dst.h:436 [inline] + ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:125 + ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1555 + udp_send_skb.isra.0+0x6b2/0x1160 net/ipv4/udp.c:887 + udp_sendmsg+0x1e96/0x2820 net/ipv4/udp.c:1174 + inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 + __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 + __do_sys_sendmmsg net/socket.c:2442 [inline] + __se_sys_sendmmsg net/socket.c:2439 [inline] + __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439 + do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/sch_generic.h | 5 +++++
+ net/sched/sch_netem.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -289,6 +289,11 @@ static inline struct Qdisc *qdisc_root(c
+ return q;
+ }
+
++static inline struct Qdisc *qdisc_root_bh(const struct Qdisc *qdisc)
++{
++ return rcu_dereference_bh(qdisc->dev_queue->qdisc);
++}
++
+ static inline struct Qdisc *qdisc_root_sleeping(const struct Qdisc *qdisc)
+ {
+ return qdisc->dev_queue->qdisc_sleeping;
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -464,7 +464,7 @@ static int netem_enqueue(struct sk_buff
+ * skb will be queued.
+ */
+ if (count > 1 && (skb2 = skb_clone(skb, GFP_ATOMIC)) != NULL) {
+- struct Qdisc *rootq = qdisc_root(sch);
++ struct Qdisc *rootq = qdisc_root_bh(sch);
+ u32 dupsave = q->duplicate; /* prevent duplicating a dup... */
+
+ q->duplicate = 0;
diff --git a/queue-4.4/series b/queue-4.4/series
index c1265b077e5..5ffd462db42 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -36,3 +36,8 @@ hid-fix-error-message-in-hid_open_report.patch
 nl80211-fix-validation-of-mesh-path-nexthop.patch
 s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
 rtlwifi-fix-potential-overflow-on-p2p-code.patch
+llc-fix-sk_buff-leak-in-llc_sap_state_process.patch
+llc-fix-sk_buff-leak-in-llc_conn_service.patch
+bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
+net-usb-sr9800-fix-uninitialized-local-variable.patch
+sch_netem-fix-rcu-splat-in-netem_enqueue.patch
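Review bot: qdisc_root_bh() is added to sch_generic.h without a comment, so a reader has nothing but the _bh suffix to tell it apart from qdisc_root(), and picking the wrong accessor is exactly what produced the lockdep splat this patch fixes. A one-line comment above it would state the rule: `/* Like qdisc_root(), for callers holding rcu_read_lock_bh() (e.g. the enqueue path under __dev_queue_xmit()) rather than rcu_read_lock(). */`. The netem_enqueue() change itself looks like a faithful backport; that function's body continues outside the hunk.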