From 019d800db418f23c490cbe3db2ef0f6b10df48ad Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 5 Apr 2024 12:55:52 +0200 Subject: [PATCH] 4.19-stable patches added patches: i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch ipv6-fix-infinite-recursion-in-fib6_dump_done.patch selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch --- ...initialized-in-this-function-warning.patch | 146 ++++++++++++++++++ ...infinite-recursion-in-fib6_dump_done.patch | 134 ++++++++++++++++ ...ng-new-line-at-the-end-of-the-output.patch | 39 +++++ queue-4.19/series | 3 + 4 files changed, 322 insertions(+) create mode 100644 queue-4.19/i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch create mode 100644 queue-4.19/ipv6-fix-infinite-recursion-in-fib6_dump_done.patch create mode 100644 queue-4.19/selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch diff --git a/queue-4.19/i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch b/queue-4.19/i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch new file mode 100644 index 00000000000..7e90bd037f3 --- /dev/null +++ b/queue-4.19/i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch @@ -0,0 +1,146 @@ +From f37c4eac99c258111d414d31b740437e1925b8e8 Mon Sep 17 00:00:00 2001 +From: Aleksandr Loktionov +Date: Wed, 13 Mar 2024 10:56:39 +0100 +Subject: i40e: fix vf may be used uninitialized in this function warning + +From: Aleksandr Loktionov + +commit f37c4eac99c258111d414d31b740437e1925b8e8 upstream. + +To fix the regression introduced by commit 52424f974bc5, which causes +servers hang in very hard to reproduce conditions with resets races. +Using two sources for the information is the root cause. +In this function before the fix bumping v didn't mean bumping vf +pointer. But the code used this variables interchangeably, so stale vf +could point to different/not intended vf. + +Remove redundant "v" variable and iterate via single VF pointer across +whole function instead to guarantee VF pointer validity. + +Fixes: 52424f974bc5 ("i40e: Fix VF hang when reset is triggered on another VF") +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Przemek Kitszel +Reviewed-by: Paul Menzel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 34 +++++++++------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1317,8 +1317,8 @@ bool i40e_reset_all_vfs(struct i40e_pf * + { + struct i40e_hw *hw = &pf->hw; + struct i40e_vf *vf; +- int i, v; + u32 reg; ++ int i; + + /* If we don't have any VFs, then there is nothing to reset */ + if (!pf->num_alloc_vfs) +@@ -1329,11 +1329,10 @@ bool i40e_reset_all_vfs(struct i40e_pf * + return false; + + /* Begin reset on all VFs at once */ +- for (v = 0; v < pf->num_alloc_vfs; v++) { +- vf = &pf->vf[v]; ++ for (vf = &pf->vf[0]; vf < &pf->vf[pf->num_alloc_vfs]; ++vf) { + /* If VF is being reset no need to trigger reset again */ + if (!test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states)) +- i40e_trigger_vf_reset(&pf->vf[v], flr); ++ i40e_trigger_vf_reset(vf, flr); + } + + /* HW requires some time to make sure it can flush the FIFO for a VF +@@ -1342,14 +1341,13 @@ bool i40e_reset_all_vfs(struct i40e_pf * + * the VFs using a simple iterator that increments once that VF has + * finished resetting. + */ +- for (i = 0, v = 0; i < 10 && v < pf->num_alloc_vfs; i++) { ++ for (i = 0, vf = &pf->vf[0]; i < 10 && vf < &pf->vf[pf->num_alloc_vfs]; ++i) { + usleep_range(10000, 20000); + + /* Check each VF in sequence, beginning with the VF to fail + * the previous check. + */ +- while (v < pf->num_alloc_vfs) { +- vf = &pf->vf[v]; ++ while (vf < &pf->vf[pf->num_alloc_vfs]) { + if (!test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states)) { + reg = rd32(hw, I40E_VPGEN_VFRSTAT(vf->vf_id)); + if (!(reg & I40E_VPGEN_VFRSTAT_VFRD_MASK)) +@@ -1359,7 +1357,7 @@ bool i40e_reset_all_vfs(struct i40e_pf * + /* If the current VF has finished resetting, move on + * to the next VF in sequence. + */ +- v++; ++ ++vf; + } + } + +@@ -1369,39 +1367,39 @@ bool i40e_reset_all_vfs(struct i40e_pf * + /* Display a warning if at least one VF didn't manage to reset in + * time, but continue on with the operation. + */ +- if (v < pf->num_alloc_vfs) ++ if (vf < &pf->vf[pf->num_alloc_vfs]) + dev_err(&pf->pdev->dev, "VF reset check timeout on VF %d\n", +- pf->vf[v].vf_id); ++ vf->vf_id); + usleep_range(10000, 20000); + + /* Begin disabling all the rings associated with VFs, but do not wait + * between each VF. + */ +- for (v = 0; v < pf->num_alloc_vfs; v++) { ++ for (vf = &pf->vf[0]; vf < &pf->vf[pf->num_alloc_vfs]; ++vf) { + /* On initial reset, we don't have any queues to disable */ +- if (pf->vf[v].lan_vsi_idx == 0) ++ if (vf->lan_vsi_idx == 0) + continue; + + /* If VF is reset in another thread just continue */ + if (test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states)) + continue; + +- i40e_vsi_stop_rings_no_wait(pf->vsi[pf->vf[v].lan_vsi_idx]); ++ i40e_vsi_stop_rings_no_wait(pf->vsi[vf->lan_vsi_idx]); + } + + /* Now that we've notified HW to disable all of the VF rings, wait + * until they finish. + */ +- for (v = 0; v < pf->num_alloc_vfs; v++) { ++ for (vf = &pf->vf[0]; vf < &pf->vf[pf->num_alloc_vfs]; ++vf) { + /* On initial reset, we don't have any queues to disable */ +- if (pf->vf[v].lan_vsi_idx == 0) ++ if (vf->lan_vsi_idx == 0) + continue; + + /* If VF is reset in another thread just continue */ + if (test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states)) + continue; + +- i40e_vsi_wait_queues_disabled(pf->vsi[pf->vf[v].lan_vsi_idx]); ++ i40e_vsi_wait_queues_disabled(pf->vsi[vf->lan_vsi_idx]); + } + + /* Hw may need up to 50ms to finish disabling the RX queues. We +@@ -1410,12 +1408,12 @@ bool i40e_reset_all_vfs(struct i40e_pf * + mdelay(50); + + /* Finish the reset on each VF */ +- for (v = 0; v < pf->num_alloc_vfs; v++) { ++ for (vf = &pf->vf[0]; vf < &pf->vf[pf->num_alloc_vfs]; ++vf) { + /* If VF is reset in another thread just continue */ + if (test_bit(I40E_VF_STATE_RESETTING, &vf->vf_states)) + continue; + +- i40e_cleanup_reset_vf(&pf->vf[v]); ++ i40e_cleanup_reset_vf(vf); + } + + i40e_flush(hw); diff --git a/queue-4.19/ipv6-fix-infinite-recursion-in-fib6_dump_done.patch b/queue-4.19/ipv6-fix-infinite-recursion-in-fib6_dump_done.patch new file mode 100644 index 00000000000..be6912cd792 --- /dev/null +++ b/queue-4.19/ipv6-fix-infinite-recursion-in-fib6_dump_done.patch @@ -0,0 +1,134 @@ +From d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Mon, 1 Apr 2024 14:10:04 -0700 +Subject: ipv6: Fix infinite recursion in fib6_dump_done(). + +From: Kuniyuki Iwashima + +commit d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae upstream. + +syzkaller reported infinite recursive calls of fib6_dump_done() during +netlink socket destruction. [1] + +From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then +the response was generated. The following recvmmsg() resumed the dump +for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due +to the fault injection. [0] + + 12:01:34 executing program 3: + r0 = socket$nl_route(0x10, 0x3, 0x0) + sendmsg$nl_route(r0, ... snip ...) + recvmmsg(r0, ... snip ...) (fail_nth: 8) + +Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call +of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped +receiving the response halfway through, and finally netlink_sock_destruct() +called nlk_sk(sk)->cb.done(). + +fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it +is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by +nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling +itself recursively and hitting the stack guard page. + +To avoid the issue, let's set the destructor after kzalloc(). + +[0]: +FAULT_INJECTION: forcing a failure. +name failslab, interval 1, probability 0, space 0, times 0 +CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:117) + should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) + should_failslab (mm/slub.c:3733) + kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) + inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) + rtnl_dump_all (net/core/rtnetlink.c:4029) + netlink_dump (net/netlink/af_netlink.c:2269) + netlink_recvmsg (net/netlink/af_netlink.c:1988) + ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) + ___sys_recvmsg (net/socket.c:2846) + do_recvmmsg (net/socket.c:2943) + __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034) + +[1]: +BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb) +stack guard page: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Workqueue: events netlink_sock_destruct_work +RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570) +Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff +RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 +RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 +RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000 +R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 +FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0 +PKRU: 55555554 +Call Trace: + <#DF> + + + fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) + fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) + ... + fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) + fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) + netlink_sock_destruct (net/netlink/af_netlink.c:401) + __sk_destruct (net/core/sock.c:2177 (discriminator 2)) + sk_destruct (net/core/sock.c:2224) + __sk_free (net/core/sock.c:2235) + sk_free (net/core/sock.c:2246) + process_one_work (kernel/workqueue.c:3259) + worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416) + kthread (kernel/kthread.c:388) + ret_from_fork (arch/x86/kernel/process.c:153) + ret_from_fork_asm (arch/x86/entry/entry_64.S:256) +Modules linked in: + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240401211003.25274-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -587,19 +587,19 @@ static int inet6_dump_fib(struct sk_buff + if (!w) { + /* New dump: + * +- * 1. hook callback destructor. +- */ +- cb->args[3] = (long)cb->done; +- cb->done = fib6_dump_done; +- +- /* +- * 2. allocate and initialize walker. ++ * 1. allocate and initialize walker. + */ + w = kzalloc(sizeof(*w), GFP_ATOMIC); + if (!w) + return -ENOMEM; + w->func = fib6_dump_node; + cb->args[2] = (long)w; ++ ++ /* 2. hook callback destructor. ++ */ ++ cb->args[3] = (long)cb->done; ++ cb->done = fib6_dump_done; ++ + } + + arg.skb = skb; diff --git a/queue-4.19/selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch b/queue-4.19/selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch new file mode 100644 index 00000000000..dcdc3e9857f --- /dev/null +++ b/queue-4.19/selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch @@ -0,0 +1,39 @@ +From 31974122cfdeaf56abc18d8ab740d580d9833e90 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Fri, 29 Mar 2024 09:05:59 -0700 +Subject: selftests: reuseaddr_conflict: add missing new line at the end of the output + +From: Jakub Kicinski + +commit 31974122cfdeaf56abc18d8ab740d580d9833e90 upstream. + +The netdev CI runs in a VM and captures serial, so stdout and +stderr get combined. Because there's a missing new line in +stderr the test ends up corrupting KTAP: + + # Successok 1 selftests: net: reuseaddr_conflict + +which should have been: + + # Success + ok 1 selftests: net: reuseaddr_conflict + +Fixes: 422d8dc6fd3a ("selftest: add a reuseaddr test") +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/r/20240329160559.249476-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/reuseaddr_conflict.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/reuseaddr_conflict.c ++++ b/tools/testing/selftests/net/reuseaddr_conflict.c +@@ -109,6 +109,6 @@ int main(void) + fd1 = open_port(0, 1); + if (fd1 >= 0) + error(1, 0, "Was allowed to create an ipv4 reuseport on an already bound non-reuseport socket with no ipv6"); +- fprintf(stderr, "Success"); ++ fprintf(stderr, "Success\n"); + return 0; + } diff --git a/queue-4.19/series b/queue-4.19/series index 512429bcccb..10d993ab504 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -127,3 +127,6 @@ mm-vmscan-prevent-infinite-loop-for-costly-gfp_noio-__gfp_retry_mayfail-allocati netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch net-sched-act_skbmod-prevent-kernel-infoleak.patch net-stmmac-fix-rx-queue-priority-assignment.patch +selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch +ipv6-fix-infinite-recursion-in-fib6_dump_done.patch +i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch -- 2.39.5