From 17f44cfcb10e5714a75cf51e1fa9161ca6f42dba Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 4 Feb 2022 09:50:56 +0100
Subject: [PATCH] 4.9-stable patches
added patches:
af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch
ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch
net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch
net-amd-xgbe-fix-skb-data-length-underflow.patch
rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch
---
 ...-packet_setsockopt-packet_setsockopt.patch | 80 +++++++++++++++++++
 ...eoverflow-in-ipheth_rcvbulk_callback.patch | 57 +++++++++++++
 ...re-to-reset-the-tx_timer_active-flag.patch | 37 +++++++++
 ...d-xgbe-fix-skb-data-length-underflow.patch | 55 +++++++++++++
 ...h-master_dev-m_ops-in-__rtnl_newlink.patch | 48 +++++++++++
 queue-4.9/series | 5 ++
 6 files changed, 282 insertions(+)
 create mode 100644 queue-4.9/af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch
 create mode 100644 queue-4.9/ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch
 create mode 100644 queue-4.9/net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch
 create mode 100644 queue-4.9/net-amd-xgbe-fix-skb-data-length-underflow.patch
 create mode 100644 queue-4.9/rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch
diff --git a/queue-4.9/af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch b/queue-4.9/af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch
new file mode 100644
index 00000000000..724181a2320
--- /dev/null
+++ b/queue-4.9/af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch
@@ -0,0 +1,80 @@
+From e42e70ad6ae2ae511a6143d2e8da929366e58bd9 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 31 Jan 2022 18:23:58 -0800
+Subject: af_packet: fix data-race in packet_setsockopt / packet_setsockopt
+
+From: Eric Dumazet
+
+commit e42e70ad6ae2ae511a6143d2e8da929366e58bd9 upstream.
+
+When packet_setsockopt( PACKET_FANOUT_DATA ) reads po->fanout,
+no lock is held, meaning that another thread can change po->fanout.
+
+Given that po->fanout can only be set once during the socket lifetime
+(it is only cleared from fanout_release()), we can use
+READ_ONCE()/WRITE_ONCE() to document the race.
+
+BUG: KCSAN: data-race in packet_setsockopt / packet_setsockopt
+
+write to 0xffff88813ae8e300 of 8 bytes by task 14653 on cpu 0:
+ fanout_add net/packet/af_packet.c:1791 [inline]
+ packet_setsockopt+0x22fe/0x24a0 net/packet/af_packet.c:3931
+ __sys_setsockopt+0x209/0x2a0 net/socket.c:2180
+ __do_sys_setsockopt net/socket.c:2191 [inline]
+ __se_sys_setsockopt net/socket.c:2188 [inline]
+ __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88813ae8e300 of 8 bytes by task 14654 on cpu 1:
+ packet_setsockopt+0x691/0x24a0 net/packet/af_packet.c:3935
+ __sys_setsockopt+0x209/0x2a0 net/socket.c:2180
+ __do_sys_setsockopt net/socket.c:2191 [inline]
+ __se_sys_setsockopt net/socket.c:2188 [inline]
+ __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000000000000000 -> 0xffff888106f8c000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 14654 Comm: syz-executor.3 Not tainted 5.16.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 47dceb8ecdc1 ("packet: add classic BPF fanout mode")
+Signed-off-by: Eric Dumazet
+Cc: Willem de Bruijn
+Reported-by: syzbot
+Link: https://lore.kernel.org/r/20220201022358.330621-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1719,7 +1719,10 @@ static int fanout_add(struct sock *sk, u
+ err = -ENOSPC;
+ if (atomic_read(&match->sk_ref) < PACKET_FANOUT_MAX) {
+ __dev_remove_pack(&po->prot_hook);
+- po->fanout = match;
++
++ /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */
++ WRITE_ONCE(po->fanout, match);
++
+ po->rollover = rollover;
+ rollover = NULL;
+ atomic_inc(&match->sk_ref);
+@@ -3895,7 +3898,8 @@ packet_setsockopt(struct socket *sock, i
+ }
+ case PACKET_FANOUT_DATA:
+ {
+- if (!po->fanout)
++ /* Paired with the WRITE_ONCE() in fanout_add() */
++ if (!READ_ONCE(po->fanout))
+ return -EINVAL;
+
+ return fanout_set_data(po, optval, optlen);
diff --git a/queue-4.9/ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch b/queue-4.9/ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch
new file mode 100644
index 00000000000..5967eb49892
--- /dev/null
+++ b/queue-4.9/ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch
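Review bot: The new READ_ONCE() in the PACKET_FANOUT_DATA case makes only the NULL test race-free; fanout_set_data() on the following context line still gets po and, if it re-reads po->fanout itself (its body is outside the hunk), that read is a plain one, so the annotation is sound only because of the invariant stated in the commit message: the pointer is written once by fanout_add() and cleared only in fanout_release(). That invariant is what the next maintainer needs at this site, so I would widen the comment to `/* Paired with the WRITE_ONCE() in fanout_add(). po->fanout is set at most once per socket and only cleared by fanout_release(), so a racing reader can at worst see NULL and get -EINVAL. */`. The 4.9 tree still uses `atomic_read(&match->sk_ref)` here, which is unrelated to the race being annotated. Both hunks are excerpts of fanout_add() and packet_setsockopt(), whose bodies continue outside the hunk.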
@@ -0,0 +1,57 @@
+From 63e4b45c82ed1bde979da7052229a4229ce9cabf Mon Sep 17 00:00:00 2001
+From: Georgi Valkov
+Date: Tue, 1 Feb 2022 08:16:18 +0100
+Subject: ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback
+
+From: Georgi Valkov
+
+commit 63e4b45c82ed1bde979da7052229a4229ce9cabf upstream.
+
+When rx_buf is allocated we need to account for IPHETH_IP_ALIGN,
+which reduces the usable size by 2 bytes. Otherwise we have 1512
+bytes usable instead of 1514, and if we receive more than 1512
+bytes, ipheth_rcvbulk_callback is called with status -EOVERFLOW,
+after which the driver malfunctiones and all communication stops.
+
+Resolves ipheth 2-1:4.2: ipheth_rcvbulk_callback: urb status: -75
+
+Fixes: f33d9e2b48a3 ("usbnet: ipheth: fix connectivity with iOS 14")
+Signed-off-by: Georgi Valkov
+Tested-by: Jan Kiszka
+Link: https://lore.kernel.org/all/B60B8A4B-92A0-49B3-805D-809A2433B46C@abv.bg/
+Link: https://lore.kernel.org/all/24851bd2769434a5fc24730dce8e8a984c5a4505.1643699778.git.jan.kiszka@siemens.com/
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/ipheth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -173,7 +173,7 @@ static int ipheth_alloc_urbs(struct iphe
+ if (tx_buf == NULL)
+ goto free_rx_urb;
+
+- rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE,
++ rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
+ GFP_KERNEL, &rx_urb->transfer_dma);
+ if (rx_buf == NULL)
+ goto free_tx_buf;
+@@ -198,7 +198,7 @@ error_nomem:
+
+ static void ipheth_free_urbs(struct ipheth_device *iphone)
+ {
+- usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf,
++ usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone->rx_buf,
+ iphone->rx_urb->transfer_dma);
+ usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf,
+ iphone->tx_urb->transfer_dma);
+@@ -371,7 +371,7 @@ static int ipheth_rx_submit(struct iphet
+
+ usb_fill_bulk_urb(dev->rx_urb, udev,
+ usb_rcvbulkpipe(udev, dev->bulk_in),
+- dev->rx_buf, IPHETH_BUF_SIZE,
++ dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
+ ipheth_rcvbulk_callback,
+ dev);
+ dev->rx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
diff --git a/queue-4.9/net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch b/queue-4.9/net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch
new file mode 100644
index 00000000000..76e1d96ff1c
--- /dev/null
+++ b/queue-4.9/net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch
@@ -0,0 +1,37 @@
+From 7674b7b559b683478c3832527c59bceb169e701d Mon Sep 17 00:00:00 2001
+From: Raju Rangoju
+Date: Thu, 27 Jan 2022 11:32:22 +0530
+Subject: net: amd-xgbe: ensure to reset the tx_timer_active flag
+
+From: Raju Rangoju
+
+commit 7674b7b559b683478c3832527c59bceb169e701d upstream.
+
+Ensure to reset the tx_timer_active flag in xgbe_stop(),
+otherwise a port restart may result in tx timeout due to
+uncleared flag.
+
+Fixes: c635eaacbf77 ("amd-xgbe: Remove Tx coalescing")
+Co-developed-by: Sudheesh Mavila
+Signed-off-by: Sudheesh Mavila
+Signed-off-by: Raju Rangoju
+Acked-by: Tom Lendacky
+Link: https://lore.kernel.org/r/20220127060222.453371-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -494,7 +494,9 @@ static void xgbe_stop_timers(struct xgbe
+ if (!channel->tx_ring)
+ break;
+
++ /* Deactivate the Tx timer */
+ del_timer_sync(&channel->tx_timer);
++ channel->tx_timer_active = 0;
+ }
+ }
+
diff --git a/queue-4.9/net-amd-xgbe-fix-skb-data-length-underflow.patch b/queue-4.9/net-amd-xgbe-fix-skb-data-length-underflow.patch
new file mode 100644
index 00000000000..37839a66dd2
--- /dev/null
+++ b/queue-4.9/net-amd-xgbe-fix-skb-data-length-underflow.patch
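Review bot: The rx buffer size `IPHETH_BUF_SIZE + IPHETH_IP_ALIGN` is now spelled out by hand at three sites (usb_alloc_coherent, usb_free_coherent and usb_fill_bulk_urb), and usb_free_coherent must be given exactly the size that was allocated, so these three must never drift apart; I would add `#define IPHETH_RX_BUF_SIZE (IPHETH_BUF_SIZE + IPHETH_IP_ALIGN)` next to the existing size macros and use it in all three places. The tx buffer correctly keeps IPHETH_BUF_SIZE, matching the commit message that only rx needs the alignment pad. ipheth_rcvbulk_callback(), which bounds the copy into the skb, is not in this hunk; it should keep deriving the payload length from urb->actual_length minus IPHETH_IP_ALIGN rather than from the buffer size, which I could not confirm from here. All three hunks are excerpts of functions whose bodies continue outside the hunk.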
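Review bot: Clearing `channel->tx_timer_active = 0;` right after del_timer_sync() is correct only if nothing can re-arm the timer concurrently; the Tx path that sets the flag is outside the hunk, so the ordering with respect to quiescing the Tx queues in xgbe_stop() is what makes this safe and a reader of xgbe_stop_timers() cannot see that. The added `/* Deactivate the Tx timer */` says what the next line does rather than why the flag needs resetting; I would replace it with something like `/* del_timer_sync() may cancel a pending timer before it fires, so its handler never cleared tx_timer_active; reset it so the timer can be re-armed after a restart */` (the restart symptom is taken from the commit message, not visible here). xgbe_stop_timers() starts before the hunk, and the `break` on a channel without a tx_ring is pre-existing behaviour.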
@@ -0,0 +1,55 @@
+From 5aac9108a180fc06e28d4e7fb00247ce603b72ee Mon Sep 17 00:00:00 2001
+From: Shyam Sundar S K
+Date: Thu, 27 Jan 2022 14:50:03 +0530
+Subject: net: amd-xgbe: Fix skb data length underflow
+
+From: Shyam Sundar S K
+
+commit 5aac9108a180fc06e28d4e7fb00247ce603b72ee upstream.
+
+There will be BUG_ON() triggered in include/linux/skbuff.h leading to
+intermittent kernel panic, when the skb length underflow is detected.
+
+Fix this by dropping the packet if such length underflows are seen
+because of inconsistencies in the hardware descriptors.
+
+Fixes: 622c36f143fc ("amd-xgbe: Fix jumbo MTU processing on newer hardware")
+Suggested-by: Tom Lendacky
+Signed-off-by: Shyam Sundar S K
+Acked-by: Tom Lendacky
+Link: https://lore.kernel.org/r/20220127092003.2812745-1-Shyam-sundar.S-k@amd.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -1968,6 +1968,14 @@ read_again:
+ buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
+ len += buf2_len;
+
++ if (buf2_len > rdata->rx.buf.dma_len) {
++ /* Hardware inconsistency within the descriptors
++ * that has resulted in a length underflow.
++ */
++ error = 1;
++ goto skip_data;
++ }
++
+ if (!skb) {
+ skb = xgbe_create_skb(pdata, napi, rdata,
+ buf1_len);
+@@ -1997,8 +2005,10 @@ skip_data:
+ if (!last || context_next)
+ goto read_again;
+
+- if (!skb)
++ if (!skb || error) {
++ dev_kfree_skb(skb);
+ goto next_packet;
++ }
+
+ /* Be sure we don't exceed the configured MTU */
+ max_len = netdev->mtu + ETH_HLEN;
diff --git a/queue-4.9/rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch b/queue-4.9/rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch
new file mode 100644
index 00000000000..b7c39b46a2f
--- /dev/null
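Review bot: The new drop path at `error = 1; goto skip_data;` is silent: a descriptor inconsistency severe enough for buf2_len to exceed the DMA buffer is discarded with no counter and no message, so the hardware condition this commit works around becomes invisible in the field. If the driver's existing rx_err reporting is reachable here (the surrounding error handling is outside the hunk), I would log it the same way, e.g. `netif_err(pdata, rx_err, netdev, "rx buffer length underflow, dropping packet\n");` before the goto, and bump whichever rx error statistic the driver maintains for dropped frames. The check also sits after `len += buf2_len;`, which is harmless because the packet is dropped, but placing it before that line would keep `len` sane for anything that reads it later. dev_kfree_skb(NULL) is safe, so the combined `!skb || error` branch is fine; xgbe_rx_poll continues before and after both hunks.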
+++ b/queue-4.9/rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch
@@ -0,0 +1,48 @@
+From c6f6f2444bdbe0079e41914a35081530d0409963 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 31 Jan 2022 17:21:06 -0800
+Subject: rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()
+
+From: Eric Dumazet
+
+commit c6f6f2444bdbe0079e41914a35081530d0409963 upstream.
+
+While looking at one unrelated syzbot bug, I found the replay logic
+in __rtnl_newlink() to potentially trigger use-after-free.
+
+It is better to clear master_dev and m_ops inside the loop,
+in case we have to replay it.
+
+Fixes: ba7d49b1f0f8 ("rtnetlink: provide api for getting and setting slave info")
+Signed-off-by: Eric Dumazet
+Cc: Jiri Pirko
+Link: https://lore.kernel.org/r/20220201012106.216495-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2454,9 +2454,9 @@ static int rtnl_newlink(struct sk_buff *
+ {
+ struct net *net = sock_net(skb->sk);
+ const struct rtnl_link_ops *ops;
+- const struct rtnl_link_ops *m_ops = NULL;
++ const struct rtnl_link_ops *m_ops;
+ struct net_device *dev;
+- struct net_device *master_dev = NULL;
++ struct net_device *master_dev;
+ struct ifinfomsg *ifm;
+ char kind[MODULE_NAME_LEN];
+ char ifname[IFNAMSIZ];
+@@ -2487,6 +2487,8 @@ replay:
+ dev = NULL;
+ }
+
++ master_dev = NULL;
++ m_ops = NULL;
+ if (dev) {
+ master_dev = netdev_master_upper_dev_get(dev);
+ if (master_dev)
diff --git a/queue-4.9/series b/queue-4.9/series
index 3e603b281c6..0f1cf4b31c0 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
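Review bot: The reset of `master_dev`/`m_ops` at the top of the replay path carries no comment explaining why the two variables can no longer be initialised at their declaration, which is exactly the kind of thing a later cleanup would "simplify" back into the use-after-free this commit closes. I would put the reason next to the two new lines: `/* Re-derived on every replay: the dev looked up last time, and its master, may have gone away while rtnl was dropped (presumably for request_module()) — confirm against the replay loop below */`. Worth stating too that `master_dev` from netdev_master_upper_dev_get() is a borrowed, non-refcounted pointer valid only while rtnl is held. Note that in this 4.9 backport the function is rtnl_newlink() rather than the __rtnl_newlink() named in the subject; its body continues outside the hunk.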
@@ -25,3 +25,8 @@ ipv4-raw-lock-the-socket-in-raw_bind.patch
 ipv4-tcp-send-zero-ipid-in-synack-messages.patch
 netfilter-nat-remove-l4-protocol-port-rovers.patch
 netfilter-nat-limit-port-clash-resolution-attempts.patch
+ipheth-fix-eoverflow-in-ipheth_rcvbulk_callback.patch
+net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch
+net-amd-xgbe-fix-skb-data-length-underflow.patch
+rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch
+af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch
-- 
2.47.3