From 31351adb7b222a7e506f53b067d637c2a00530d3 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 27 Mar 2024 15:49:34 +0100 Subject: [PATCH] 5.10-stable patches added patches: drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch netfilter-nf_tables-reject-constant-set-with-timeout.patch xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch --- ...k-for-cpufreq_cpu_get-s-return-value.patch | 1 - ...ize-for-more-efficient-use-of-memory.patch | 89 +++++++++++++++++++ ...llow-anonymous-set-with-timeout-flag.patch | 33 +++++++ ...unbinding-anonymous-set-with-timeout.patch | 45 ++++++++++ ...les-reject-constant-set-with-timeout.patch | 34 +++++++ queue-5.10/series | 5 ++ ...fortify-warning-in-copy_to_user_tmpl.patch | 56 ++++++++++++ 7 files changed, 262 insertions(+), 1 deletion(-) create mode 100644 queue-5.10/drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch create mode 100644 queue-5.10/netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch create mode 100644 queue-5.10/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch create mode 100644 queue-5.10/netfilter-nf_tables-reject-constant-set-with-timeout.patch create mode 100644 queue-5.10/xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch diff --git a/queue-5.10/cpufreq-brcmstb-avs-cpufreq-fix-up-add-check-for-cpufreq_cpu_get-s-return-value.patch b/queue-5.10/cpufreq-brcmstb-avs-cpufreq-fix-up-add-check-for-cpufreq_cpu_get-s-return-value.patch index 4963cee7ce7..d2c71bfacd3 100644 --- a/queue-5.10/cpufreq-brcmstb-avs-cpufreq-fix-up-add-check-for-cpufreq_cpu_get-s-return-value.patch +++ b/queue-5.10/cpufreq-brcmstb-avs-cpufreq-fix-up-add-check-for-cpufreq_cpu_get-s-return-value.patch @@ -32,7 +32,6 @@ Cc: Anastasia Belova Cc: Viresh Kumar Cc: Sasha Levin Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman --- drivers/cpufreq/brcmstb-avs-cpufreq.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/queue-5.10/drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch b/queue-5.10/drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch new file mode 100644 index 00000000000..9de3d300cac --- /dev/null +++ b/queue-5.10/drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch @@ -0,0 +1,89 @@ +From b8209544296edbd1af186e2ea9c648642c37b18c Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Wed, 28 Feb 2024 16:45:33 -0800 +Subject: Drivers: hv: vmbus: Calculate ring buffer size for more efficient use of memory + +From: Michael Kelley + +commit b8209544296edbd1af186e2ea9c648642c37b18c upstream. + +The VMBUS_RING_SIZE macro adds space for a ring buffer header to the +requested ring buffer size. The header size is always 1 page, and so +its size varies based on the PAGE_SIZE for which the kernel is built. +If the requested ring buffer size is a large power-of-2 size and the header +size is small, the resulting size is inefficient in its use of memory. +For example, a 512 Kbyte ring buffer with a 4 Kbyte page size results in +a 516 Kbyte allocation, which is rounded to up 1 Mbyte by the memory +allocator, and wastes 508 Kbytes of memory. + +In such situations, the exact size of the ring buffer isn't that important, +and it's OK to allocate the 4 Kbyte header at the beginning of the 512 +Kbytes, leaving the ring buffer itself with just 508 Kbytes. The memory +allocation can be 512 Kbytes instead of 1 Mbyte and nothing is wasted. + +Update VMBUS_RING_SIZE to implement this approach for "large" ring buffer +sizes. "Large" is somewhat arbitrarily defined as 8 times the size of +the ring buffer header (which is of size PAGE_SIZE). For example, for +4 Kbyte PAGE_SIZE, ring buffers of 32 Kbytes and larger use the first +4 Kbytes as the ring buffer header. For 64 Kbyte PAGE_SIZE, ring buffers +of 512 Kbytes and larger use the first 64 Kbytes as the ring buffer +header. In both cases, smaller sizes add space for the header so +the ring size isn't reduced too much by using part of the space for +the header. For example, with a 64 Kbyte page size, we don't want +a 128 Kbyte ring buffer to be reduced to 64 Kbytes by allocating half +of the space for the header. In such a case, the memory allocation +is less efficient, but it's the best that can be done. + +While the new algorithm slightly changes the amount of space allocated +for ring buffers by drivers that use VMBUS_RING_SIZE, the devices aren't +known to be sensitive to small changes in ring buffer size, so there +shouldn't be any effect. + +Fixes: c1135c7fd0e9 ("Drivers: hv: vmbus: Introduce types of GPADL") +Fixes: 6941f67ad37d ("hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218502 +Cc: stable@vger.kernel.org +Signed-off-by: Michael Kelley +Reviewed-by: Saurabh Sengar +Reviewed-by: Dexuan Cui +Tested-by: Souradeep Chakrabarti +Link: https://lore.kernel.org/r/20240229004533.313662-1-mhklinux@outlook.com +Signed-off-by: Wei Liu +Message-ID: <20240229004533.313662-1-mhklinux@outlook.com> +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hyperv.h | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -164,8 +164,28 @@ struct hv_ring_buffer { + u8 buffer[]; + } __packed; + ++ ++/* ++ * If the requested ring buffer size is at least 8 times the size of the ++ * header, steal space from the ring buffer for the header. Otherwise, add ++ * space for the header so that is doesn't take too much of the ring buffer ++ * space. ++ * ++ * The factor of 8 is somewhat arbitrary. The goal is to prevent adding a ++ * relatively small header (4 Kbytes on x86) to a large-ish power-of-2 ring ++ * buffer size (such as 128 Kbytes) and so end up making a nearly twice as ++ * large allocation that will be almost half wasted. As a contrasting example, ++ * on ARM64 with 64 Kbyte page size, we don't want to take 64 Kbytes for the ++ * header from a 128 Kbyte allocation, leaving only 64 Kbytes for the ring. ++ * In this latter case, we must add 64 Kbytes for the header and not worry ++ * about what's wasted. ++ */ ++#define VMBUS_HEADER_ADJ(payload_sz) \ ++ ((payload_sz) >= 8 * sizeof(struct hv_ring_buffer) ? \ ++ 0 : sizeof(struct hv_ring_buffer)) ++ + /* Calculate the proper size of a ringbuffer, it must be page-aligned */ +-#define VMBUS_RING_SIZE(payload_sz) PAGE_ALIGN(sizeof(struct hv_ring_buffer) + \ ++#define VMBUS_RING_SIZE(payload_sz) PAGE_ALIGN(VMBUS_HEADER_ADJ(payload_sz) + \ + (payload_sz)) + + struct hv_ring_buffer_info { diff --git a/queue-5.10/netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch b/queue-5.10/netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch new file mode 100644 index 00000000000..f1f2aa1b088 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch @@ -0,0 +1,33 @@ +From 16603605b667b70da974bea8216c93e7db043bf1 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 1 Mar 2024 00:11:10 +0100 +Subject: netfilter: nf_tables: disallow anonymous set with timeout flag + +From: Pablo Neira Ayuso + +commit 16603605b667b70da974bea8216c93e7db043bf1 upstream. + +Anonymous sets are never used with timeout from userspace, reject this. +Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work. + +Cc: stable@vger.kernel.org +Fixes: 761da2935d6e ("netfilter: nf_tables: add set timeout API support") +Reported-by: lonial con +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4410,6 +4410,9 @@ static int nf_tables_newset(struct net * + if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == + (NFT_SET_EVAL | NFT_SET_OBJECT)) + return -EOPNOTSUPP; ++ if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) == ++ (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) ++ return -EOPNOTSUPP; + } + + dtype = 0; diff --git a/queue-5.10/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch b/queue-5.10/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch new file mode 100644 index 00000000000..6835ef24702 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch @@ -0,0 +1,45 @@ +From 552705a3650bbf46a22b1adedc1b04181490fc36 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 4 Mar 2024 14:22:12 +0100 +Subject: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout + +From: Pablo Neira Ayuso + +commit 552705a3650bbf46a22b1adedc1b04181490fc36 upstream. + +While the rhashtable set gc runs asynchronously, a race allows it to +collect elements from anonymous sets with timeouts while it is being +released from the commit path. + +Mingi Cho originally reported this issue in a different path in 6.1.x +with a pipapo set with low timeouts which is not possible upstream since +7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set +element timeout"). + +Fix this by setting on the dead flag for anonymous sets to skip async gc +in this case. + +According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on +transaction abort"), Florian plans to accelerate abort path by releasing +objects via workqueue, therefore, this sets on the dead flag for abort +path too. + +Cc: stable@vger.kernel.org +Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") +Reported-by: Mingi Cho +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4754,6 +4754,7 @@ static void nf_tables_unbind_set(const s + + if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { + list_del_rcu(&set->list); ++ set->dead = 1; + if (event) + nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, + GFP_KERNEL); diff --git a/queue-5.10/netfilter-nf_tables-reject-constant-set-with-timeout.patch b/queue-5.10/netfilter-nf_tables-reject-constant-set-with-timeout.patch new file mode 100644 index 00000000000..9651831229b --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-reject-constant-set-with-timeout.patch @@ -0,0 +1,34 @@ +From 5f4fc4bd5cddb4770ab120ce44f02695c4505562 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 1 Mar 2024 01:04:11 +0100 +Subject: netfilter: nf_tables: reject constant set with timeout + +From: Pablo Neira Ayuso + +commit 5f4fc4bd5cddb4770ab120ce44f02695c4505562 upstream. + +This set combination is weird: it allows for elements to be +added/deleted, but once bound to the rule it cannot be updated anymore. +Eventually, all elements expire, leading to an empty set which cannot +be updated anymore. Reject this flags combination. + +Cc: stable@vger.kernel.org +Fixes: 761da2935d6e ("netfilter: nf_tables: add set timeout API support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4413,6 +4413,9 @@ static int nf_tables_newset(struct net * + if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) == + (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) + return -EOPNOTSUPP; ++ if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) == ++ (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ++ return -EOPNOTSUPP; + } + + dtype = 0; diff --git a/queue-5.10/series b/queue-5.10/series index a627752125a..c4caa157f1e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -116,3 +116,8 @@ x86-pm-work-around-false-positive-kmemleak-report-in.patch scripts-kernel-doc-fix-syntax-error-due-to-undeclared-args-variable.patch comedi-comedi_test-prevent-timers-rescheduling-during-deletion.patch cpufreq-brcmstb-avs-cpufreq-fix-up-add-check-for-cpufreq_cpu_get-s-return-value.patch +netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch +netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch +netfilter-nf_tables-reject-constant-set-with-timeout.patch +drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch +xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch diff --git a/queue-5.10/xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch b/queue-5.10/xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch new file mode 100644 index 00000000000..1089c6dd987 --- /dev/null +++ b/queue-5.10/xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch @@ -0,0 +1,56 @@ +From 1a807e46aa93ebad1dfbed4f82dc3bf779423a6e Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 21 Feb 2024 14:46:21 -0700 +Subject: xfrm: Avoid clang fortify warning in copy_to_user_tmpl() + +From: Nathan Chancellor + +commit 1a807e46aa93ebad1dfbed4f82dc3bf779423a6e upstream. + +After a couple recent changes in LLVM, there is a warning (or error with +CONFIG_WERROR=y or W=e) from the compile time fortify source routines, +specifically the memset() in copy_to_user_tmpl(). + + In file included from net/xfrm/xfrm_user.c:14: + ... + include/linux/fortify-string.h:438:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + 438 | __write_overflow_field(p_size_field, size); + | ^ + 1 error generated. + +While ->xfrm_nr has been validated against XFRM_MAX_DEPTH when its value +is first assigned in copy_templates() by calling validate_tmpl() first +(so there should not be any issue in practice), LLVM/clang cannot really +deduce that across the boundaries of these functions. Without that +knowledge, it cannot assume that the loop stops before i is greater than +XFRM_MAX_DEPTH, which would indeed result a stack buffer overflow in the +memset(). + +To make the bounds of ->xfrm_nr clear to the compiler and add additional +defense in case copy_to_user_tmpl() is ever used in a path where +->xfrm_nr has not been properly validated against XFRM_MAX_DEPTH first, +add an explicit bound check and early return, which clears up the +warning. + +Cc: stable@vger.kernel.org +Link: https://github.com/ClangBuiltLinux/linux/issues/1985 +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_user.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1753,6 +1753,9 @@ static int copy_to_user_tmpl(struct xfrm + if (xp->xfrm_nr == 0) + return 0; + ++ if (xp->xfrm_nr > XFRM_MAX_DEPTH) ++ return -ENOBUFS; ++ + for (i = 0; i < xp->xfrm_nr; i++) { + struct xfrm_user_tmpl *up = &vec[i]; + struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; -- 2.47.2