From 2f1a218ef3f0efdcb245e9d8d22ca80066c6af1b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 22 Apr 2025 14:50:41 +0200
Subject: [PATCH] 5.10-stable patches added patches: net-defer-final-struct-net-free-in-netns-dismantle.patch scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
---
 ...l-struct-net-free-in-netns-dismantle.patch | 217 ++++++++++++++++++
 ...a-race-in-lpfc_unregister_fcf_rescan.patch | 50 ++++
 ...-set-bsg_queue-to-null-after-removal.patch | 34 +++
 queue-5.10/series | 3 +
 4 files changed, 304 insertions(+)
 create mode 100644 queue-5.10/net-defer-final-struct-net-free-in-netns-dismantle.patch
 create mode 100644 queue-5.10/scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch
 create mode 100644 queue-5.10/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
diff --git a/queue-5.10/net-defer-final-struct-net-free-in-netns-dismantle.patch b/queue-5.10/net-defer-final-struct-net-free-in-netns-dismantle.patch
new file mode 100644
index 0000000000..b7f0532dee
--- /dev/null
+++ b/queue-5.10/net-defer-final-struct-net-free-in-netns-dismantle.patch
@@ -0,0 +1,217 @@ +From 0f6ede9fbc747e2553612271bce108f7517e7a45 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 4 Dec 2024 12:54:55 +0000 +Subject: net: defer final 'struct net' free in netns dismantle + +From: Eric Dumazet + +commit 0f6ede9fbc747e2553612271bce108f7517e7a45 upstream. + +Ilya reported a slab-use-after-free in dst_destroy [1] + +Issue is in xfrm6_net_init() and xfrm4_net_init() : + +They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. + +But net structure might be freed before all the dst callbacks are +called. So when dst_destroy() calls later : + +if (dst->ops->destroy) + dst->ops->destroy(dst); + +dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. + +See a relevant issue fixed in : + +ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") + +A fix is to queue the 'struct net' to be freed after one +another cleanup_net() round (and existing rcu_barrier()) + +[1] + +BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) +Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 +Dec 03 05:46:18 kernel: +CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 +Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 +Call Trace: + +dump_stack_lvl (lib/dump_stack.c:124) +print_address_description.constprop.0 (mm/kasan/report.c:378) +? dst_destroy (net/core/dst.c:112) +print_report (mm/kasan/report.c:489) +? dst_destroy (net/core/dst.c:112) +? kasan_addr_to_slab (mm/kasan/common.c:37) +kasan_report (mm/kasan/report.c:603) +? dst_destroy (net/core/dst.c:112) +? rcu_do_batch (kernel/rcu/tree.c:2567) +dst_destroy (net/core/dst.c:112) +rcu_do_batch (kernel/rcu/tree.c:2567) +? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) +? 
lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) +rcu_core (kernel/rcu/tree.c:2825) +handle_softirqs (kernel/softirq.c:554) +__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) +irq_exit_rcu (kernel/softirq.c:651) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) + + +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) +RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) +Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 +RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 +RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 +RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d +R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 +R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 +? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) +? cpuidle_idle_call (kernel/sched/idle.c:186) +default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) +cpuidle_idle_call (kernel/sched/idle.c:186) +? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) +? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) +? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) +? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) +do_idle (kernel/sched/idle.c:326) +cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) +? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) +? 
soft_restart_cpu (arch/x86/kernel/head_64.S:452) +common_startup_64 (arch/x86/kernel/head_64.S:414) + +Dec 03 05:46:18 kernel: +Allocated by task 12184: +kasan_save_stack (mm/kasan/common.c:48) +kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) +__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) +kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) +copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) +create_new_namespaces (kernel/nsproxy.c:110) +unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) +ksys_unshare (kernel/fork.c:3313) +__x64_sys_unshare (kernel/fork.c:3382) +do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +Dec 03 05:46:18 kernel: +Freed by task 11: +kasan_save_stack (mm/kasan/common.c:48) +kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) +kasan_save_free_info (mm/kasan/generic.c:582) +__kasan_slab_free (mm/kasan/common.c:271) +kmem_cache_free (mm/slub.c:4579 mm/slub.c:4681) +cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:647) +process_one_work (kernel/workqueue.c:3229) +worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) +kthread (kernel/kthread.c:389) +ret_from_fork (arch/x86/kernel/process.c:147) +ret_from_fork_asm (arch/x86/entry/entry_64.S:257) +Dec 03 05:46:18 kernel: +Last potentially related work creation: +kasan_save_stack (mm/kasan/common.c:48) +__kasan_record_aux_stack (mm/kasan/generic.c:541) +insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) +__queue_work (kernel/workqueue.c:2340) +queue_work_on (kernel/workqueue.c:2391) +xfrm_policy_insert (net/xfrm/xfrm_policy.c:1610) +xfrm_add_policy 
(net/xfrm/xfrm_user.c:2116) +xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) +netlink_rcv_skb (net/netlink/af_netlink.c:2536) +xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) +netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) +netlink_sendmsg (net/netlink/af_netlink.c:1886) +sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) +vfs_write (fs/read_write.c:590 fs/read_write.c:683) +ksys_write (fs/read_write.c:736) +do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +Dec 03 05:46:18 kernel: +Second to last potentially related work creation: +kasan_save_stack (mm/kasan/common.c:48) +__kasan_record_aux_stack (mm/kasan/generic.c:541) +insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) +__queue_work (kernel/workqueue.c:2340) +queue_work_on (kernel/workqueue.c:2391) +__xfrm_state_insert (./include/linux/workqueue.h:723 net/xfrm/xfrm_state.c:1150 net/xfrm/xfrm_state.c:1145 net/xfrm/xfrm_state.c:1513) +xfrm_state_update (./include/linux/spinlock.h:396 net/xfrm/xfrm_state.c:1940) +xfrm_add_sa (net/xfrm/xfrm_user.c:912) +xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) +netlink_rcv_skb (net/netlink/af_netlink.c:2536) +xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) +netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) +netlink_sendmsg (net/netlink/af_netlink.c:1886) +sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) +vfs_write (fs/read_write.c:590 fs/read_write.c:683) +ksys_write (fs/read_write.c:736) +do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Fixes: a8a572a6b5f2 ("xfrm: dst_entries_init() per-net dst_ops") +Reported-by: Ilya Maximets +Closes: 
https://lore.kernel.org/netdev/CANn89iKKYDVpB=MtmfH7nyv2p=rJWSLedO5k7wSZgtY_tO8WQg@mail.gmail.com/T/#m02c98c3009fe66382b73cfb4db9cf1df6fab3fbf
+Signed-off-by: Eric Dumazet
+Acked-by: Paolo Abeni
+Reviewed-by: Kuniyuki Iwashima
+Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+[Minor conflict resolved due to code context change.]
+Signed-off-by: Jianqi Ren
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/net_namespace.h | 1 +
+ net/core/net_namespace.c | 21 ++++++++++++++++++++-
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -80,6 +80,7 @@ struct net {
+ * or to unregister pernet ops
+ * (pernet_ops_rwsem write locked).
+ */
++ struct llist_node defer_free_list;
+ struct llist_node cleanup_list; /* namespaces on death row */
+
+ #ifdef CONFIG_KEYS
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -455,11 +455,28 @@ out_free:
+ goto out;
+ }
+
++static LLIST_HEAD(defer_free_list);
++
++static void net_complete_free(void)
++{
++ struct llist_node *kill_list;
++ struct net *net, *next;
++
++ /* Get the list of namespaces to free from last round. */
++ kill_list = llist_del_all(&defer_free_list);
++
++ llist_for_each_entry_safe(net, next, kill_list, defer_free_list)
++ kmem_cache_free(net_cachep, net);
++
++}
++
+ static void net_free(struct net *net)
+ {
+ if (refcount_dec_and_test(&net->passive)) {
+ kfree(rcu_access_pointer(net->gen));
+- kmem_cache_free(net_cachep, net);
++
++ /* Wait for an extra rcu_barrier() before final free. */
++ llist_add(&net->defer_free_list, &defer_free_list);
+ }
+ }
+
+@@ -643,6 +660,8 @@ static void cleanup_net(struct work_stru
+ */
+ rcu_barrier();
+
++ net_complete_free();
++
+ /* Finally it is safe to free my network namespace structure */
+ list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) {
+ list_del_init(&net->exit_list);
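Review bot: The new `defer_free_list` member added to struct net in the first inner hunk is the only field there without a trailing comment, while its neighbour carries `/* namespaces on death row */`; suggest `struct llist_node defer_free_list; /* freed by net_complete_free() one cleanup_net() round later */`. The comment on the new `llist_add()` in net_free() should also spell out that a struct net queued after this round's `net_complete_free()` call stays on the list until another cleanup_net() run — that appears to be the intended design, since the extra rcu_barrier() is what makes the free safe, but without saying so the deferral reads like a leak waiting to be "fixed". In net_complete_free() the blank line before the closing brace is a leftover and can be dropped. The file-scope `static LLIST_HEAD(defer_free_list)` shares its name with the struct member, so `llist_add(&net->defer_free_list, &defer_free_list)` is easy to misread; a distinct name such as `net_defer_free_list` would help readers.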
diff --git a/queue-5.10/scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch b/queue-5.10/scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch
new file mode 100644
index 0000000000..b7a5ebfdb1
--- /dev/null
+++ b/queue-5.10/scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch
@@ -0,0 +1,50 @@
+From 0e881c0a4b6146b7e856735226208f48251facd8 Mon Sep 17 00:00:00 2001
+From: Tuo Li
+Date: Fri, 30 Jun 2023 10:47:48 +0800
+Subject: scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan()
+
+From: Tuo Li
+
+commit 0e881c0a4b6146b7e856735226208f48251facd8 upstream.
+
+The variable phba->fcf.fcf_flag is often protected by the lock
+phba->hbalock() when is accessed. Here is an example in
+lpfc_unregister_fcf_rescan():
+
+ spin_lock_irq(&phba->hbalock);
+ phba->fcf.fcf_flag |= FCF_INIT_DISC;
+ spin_unlock_irq(&phba->hbalock);
+
+However, in the same function, phba->fcf.fcf_flag is assigned with 0
+without holding the lock, and thus can cause a data race:
+
+ phba->fcf.fcf_flag = 0;
+
+To fix this possible data race, a lock and unlock pair is added when
+accessing the variable phba->fcf.fcf_flag.
+
+Reported-by: BassCheck
+Signed-off-by: Tuo Li
+Link: https://lore.kernel.org/r/20230630024748.1035993-1-islituo@gmail.com
+Reviewed-by: Justin Tee
+Reviewed-by: Laurence Oberman
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Bin Lan
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -6790,7 +6790,9 @@ lpfc_unregister_fcf_rescan(struct lpfc_h
+ if (rc)
+ return;
+ /* Reset HBA FCF states after successful unregister FCF */
++ spin_lock_irq(&phba->hbalock);
+ phba->fcf.fcf_flag = 0;
++ spin_unlock_irq(&phba->hbalock);
+ phba->fcf.current_rec.flag = 0;
+
+ /*
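Review bot: The added lock pair covers only `phba->fcf.fcf_flag = 0;`, while the very next line `phba->fcf.current_rec.flag = 0;` still runs without hbalock. Whether current_rec.flag is hbalock-protected elsewhere cannot be seen from this hunk, but if it is, moving the `spin_unlock_irq(&phba->hbalock);` one line down so both resets happen in the same critical section would close the same kind of race at no extra cost. lpfc_unregister_fcf_rescan() begins before and continues after the hunk.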
diff --git a/queue-5.10/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch b/queue-5.10/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
new file mode 100644
index 0000000000..d89acc576f
--- /dev/null
+++ b/queue-5.10/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
@@ -0,0 +1,34 @@
+From 1e95c798d8a7f70965f0f88d4657b682ff0ec75f Mon Sep 17 00:00:00 2001
+From: Guixin Liu
+Date: Wed, 18 Dec 2024 09:42:14 +0800
+Subject: scsi: ufs: bsg: Set bsg_queue to NULL after removal
+
+From: Guixin Liu
+
+commit 1e95c798d8a7f70965f0f88d4657b682ff0ec75f upstream.
+
+Currently, this does not cause any issues, but I believe it is necessary to
+set bsg_queue to NULL after removing it to prevent potential use-after-free
+(UAF) access.
+
+Signed-off-by: Guixin Liu
+Link: https://lore.kernel.org/r/20241218014214.64533-3-kanie@linux.alibaba.com
+Reviewed-by: Avri Altman
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Xiangyu Chen
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ufs/ufs_bsg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ufs/ufs_bsg.c
++++ b/drivers/scsi/ufs/ufs_bsg.c
+@@ -175,6 +175,7 @@ void ufs_bsg_remove(struct ufs_hba *hba)
+ return;
+
+ bsg_remove_queue(hba->bsg_queue);
++ hba->bsg_queue = NULL;
+
+ device_del(bsg_dev);
+ put_device(bsg_dev);
diff --git a/queue-5.10/series b/queue-5.10/series
index 78b11ed419..b7b967a910 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -175,3 +175,6 @@ net-mlx5e-fix-use-after-free-of-encap-entry-in-neigh-update-handler.patch
 ipvs-properly-dereference-pe-in-ip_vs_add_service.patch
 net-openvswitch-fix-race-on-port-output.patch
 openvswitch-fix-lockup-on-tx-to-unregistering-netdev-with-carrier.patch
+scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch
+scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
+net-defer-final-struct-net-free-in-netns-dismantle.patch
-- 
2.47.3
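Review bot: The new `hba->bsg_queue = NULL;` only helps code paths that test the pointer before using it, and nothing in the hunk orders the store against a concurrent reader; the `return;` at the top of the hunk looks like such a test (its condition is outside the hunk), which would make a repeated ufs_bsg_remove() skip a second bsg_remove_queue() on an already-removed queue. A one-line comment would make that defensive intent explicit rather than leaving the commit message as the only explanation, e.g. `/* Clear so later checks of bsg_queue do not see the removed queue. */`. ufs_bsg_remove() starts before the hunk.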