From 6092349cb15d316db3057a329d0b765ddfc2056f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 5 Apr 2024 12:04:58 +0200
Subject: [PATCH] 6.1-stable patches

added patches:
bpf-sockmap-prevent-lock-inversion-deadlock-in-map-delete-elem.patch
netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch
netfilter-nf_tables-flush-pending-destroy-work-before-exit_net-release.patch
netfilter-nf_tables-reject-new-basechain-after-table-flag-update.patch
netfilter-validate-user-input-for-expected-length.patch
vboxsf-avoid-an-spurious-warning-if-load_nls_xxx-fails.patch
---
 ...nversion-deadlock-in-map-delete-elem.patch | 74 +++++
 ...ata-race-in-__nft_flowtable_type_get.patch | 58 ++++
 ...destroy-work-before-exit_net-release.patch | 125 +++++++++
 ...ew-basechain-after-table-flag-update.patch | 59 ++++
 ...idate-user-input-for-expected-length.patch | 253 ++++++++++++++++++
 queue-6.1/series | 6 +
 ...urious-warning-if-load_nls_xxx-fails.patch | 46 ++++
 7 files changed, 621 insertions(+)
 create mode 100644 queue-6.1/bpf-sockmap-prevent-lock-inversion-deadlock-in-map-delete-elem.patch
 create mode 100644 queue-6.1/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch
 create mode 100644 queue-6.1/netfilter-nf_tables-flush-pending-destroy-work-before-exit_net-release.patch
 create mode 100644 queue-6.1/netfilter-nf_tables-reject-new-basechain-after-table-flag-update.patch
 create mode 100644 queue-6.1/netfilter-validate-user-input-for-expected-length.patch
 create mode 100644 queue-6.1/vboxsf-avoid-an-spurious-warning-if-load_nls_xxx-fails.patch

diff --git a/queue-6.1/bpf-sockmap-prevent-lock-inversion-deadlock-in-map-delete-elem.patch b/queue-6.1/bpf-sockmap-prevent-lock-inversion-deadlock-in-map-delete-elem.patch
new file mode 100644
index 00000000000..14aeb8aa990
--- /dev/null
+++ b/queue-6.1/bpf-sockmap-prevent-lock-inversion-deadlock-in-map-delete-elem.patch
@@ -0,0 +1,74 @@ +From ff91059932401894e6c86341915615c5eb0eca48 Mon Sep 17 00:00:00 2001 +From: Jakub Sitnicki +Date: Tue, 2 Apr 2024 12:46:21 +0200 +Subject: bpf, sockmap: Prevent lock inversion deadlock in map delete elem + +From: Jakub Sitnicki + +commit ff91059932401894e6c86341915615c5eb0eca48 upstream. + +syzkaller started using corpuses where a BPF tracing program deletes +elements from a sockmap/sockhash map. Because BPF tracing programs can be +invoked from any interrupt context, locks taken during a map_delete_elem +operation must be hardirq-safe. Otherwise a deadlock due to lock inversion +is possible, as reported by lockdep: + + CPU0 CPU1 + ---- ---- + lock(&htab->buckets[i].lock); + local_irq_disable(); + lock(&host->lock); + lock(&htab->buckets[i].lock); + + lock(&host->lock); + +Locks in sockmap are hardirq-unsafe by design. We expects elements to be +deleted from sockmap/sockhash only in task (normal) context with interrupts +enabled, or in softirq context. + +Detect when map_delete_elem operation is invoked from a context which is +_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an +error. + +Note that map updates are not affected by this issue. BPF verifier does not +allow updating sockmap/sockhash from a BPF tracing program today. 
+ +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Reported-by: xingwei lee +Reported-by: yue sun +Reported-by: syzbot+bc922f476bd65abbd466@syzkaller.appspotmail.com +Reported-by: syzbot+d4066896495db380182e@syzkaller.appspotmail.com +Signed-off-by: Jakub Sitnicki +Signed-off-by: Daniel Borkmann +Tested-by: syzbot+d4066896495db380182e@syzkaller.appspotmail.com +Acked-by: John Fastabend +Closes: https://syzkaller.appspot.com/bug?extid=d4066896495db380182e +Closes: https://syzkaller.appspot.com/bug?extid=bc922f476bd65abbd466 +Link: https://lore.kernel.org/bpf/20240402104621.1050319-1-jakub@cloudflare.com +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock_map.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -413,6 +413,9 @@ static int __sock_map_delete(struct bpf_ + struct sock *sk; + int err = 0; + ++ if (irqs_disabled()) ++ return -EOPNOTSUPP; /* locks here are hardirq-unsafe */ ++ + raw_spin_lock_bh(&stab->lock); + sk = *psk; + if (!sk_test || sk_test == sk) +@@ -926,6 +929,9 @@ static int sock_hash_delete_elem(struct + struct bpf_shtab_elem *elem; + int ret = -ENOENT; + ++ if (irqs_disabled()) ++ return -EOPNOTSUPP; /* locks here are hardirq-unsafe */ ++ + hash = sock_hash_bucket_hash(key, key_size); + bucket = sock_hash_select_bucket(htab, hash); + diff --git a/queue-6.1/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch b/queue-6.1/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch new file mode 100644 index 00000000000..89834a4721f --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch 
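Review bot: The `irqs_disabled()` guard and its `/* locks here are hardirq-unsafe */` comment are pasted verbatim into both `__sock_map_delete` and `sock_hash_delete_elem`, so the two delete paths can drift apart if the policy is ever refined; a single `static inline` helper in sock_map.c (a constructed name such as `sock_map_delete_allowed()`) returning the -EOPNOTSUPP would keep them in step. The check runs before `raw_spin_lock_bh()` or the bucket lookup, so nothing is left held on the early return, which looks right. It would help to note in each function's header comment that -EOPNOTSUPP is now a caller-visible result for a delete issued with interrupts disabled, since a BPF tracing program observes that code from bpf_map_delete_elem rather than a lockdep splat. Both enclosing functions continue outside the hunk.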
@@ -0,0 +1,58 @@ +From 24225011d81b471acc0e1e315b7d9905459a6304 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 3 Apr 2024 15:22:04 +0800 +Subject: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() + +From: Ziyang Xuan + +commit 24225011d81b471acc0e1e315b7d9905459a6304 upstream. + +nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can +concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). +And thhere is not any protection when iterate over nf_tables_flowtables +list in __nft_flowtable_type_get(). Therefore, there is pertential +data-race of nf_tables_flowtables list entry. + +Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list +in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller +nft_flowtable_type_get() to protect the entire type query process. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Ziyang Xuan +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7841,11 +7841,12 @@ static int nft_flowtable_parse_hook(cons + return err; + } + ++/* call under rcu_read_lock */ + static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) + { + const struct nf_flowtable_type *type; + +- list_for_each_entry(type, &nf_tables_flowtables, list) { ++ list_for_each_entry_rcu(type, &nf_tables_flowtables, list) { + if (family == type->family) + return type; + } +@@ -7857,9 +7858,13 @@ nft_flowtable_type_get(struct net *net, + { + const struct nf_flowtable_type *type; + ++ rcu_read_lock(); + type = __nft_flowtable_type_get(family); +- if (type != NULL && try_module_get(type->owner)) ++ if (type != NULL && try_module_get(type->owner)) { ++ rcu_read_unlock(); + return type; ++ } ++ rcu_read_unlock(); + + 
lockdep_nfnl_nft_mutex_not_held(); + #ifdef CONFIG_MODULES diff --git a/queue-6.1/netfilter-nf_tables-flush-pending-destroy-work-before-exit_net-release.patch b/queue-6.1/netfilter-nf_tables-flush-pending-destroy-work-before-exit_net-release.patch new file mode 100644 index 00000000000..20ead0d2c51 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-flush-pending-destroy-work-before-exit_net-release.patch 
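Review bot: `rcu_read_unlock()` now appears on two paths in `nft_flowtable_type_get`, with the second one wedged between the `if` block and `lockdep_nfnl_nft_mutex_not_held()`; keeping the `try_module_get()` outcome in a local and unlocking once after the lookup would make the critical section's extent obvious, while still preserving the distinct `type == NULL` handling that follows outside the hunk. The RCU read side only closes the race if the registration helpers that modify `nf_tables_flowtables` use the `_rcu` list variants; that side is not in this hunk, so for the 6.1 backport it is worth confirming before merging. The new `/* call under rcu_read_lock */` comment could be sharper, e.g. `/* caller holds rcu_read_lock(); the list is walked with list_for_each_entry_rcu() */`. `nft_flowtable_type_get` continues outside the hunk.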
@@ -0,0 +1,125 @@ +From 24cea9677025e0de419989ecb692acd4bb34cac2 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 2 Apr 2024 18:04:36 +0200 +Subject: netfilter: nf_tables: flush pending destroy work before exit_net release + +From: Pablo Neira Ayuso + +commit 24cea9677025e0de419989ecb692acd4bb34cac2 upstream. + +Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy +work before netlink notifier") to address a race between exit_net and +the destroy workqueue. + +The trace below shows an element to be released via destroy workqueue +while exit_net path (triggered via module removal) has already released +the set that is used in such transaction. + +[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] +[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465 +[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359 +[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables] +[ 1360.547984] Call Trace: +[ 1360.547991] +[ 1360.547998] dump_stack_lvl+0x53/0x70 +[ 1360.548014] print_report+0xc4/0x610 +[ 1360.548026] ? __virt_addr_valid+0xba/0x160 +[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] +[ 1360.548176] kasan_report+0xae/0xe0 +[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] +[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] +[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables] +[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30 +[ 1360.548591] process_one_work+0x2f1/0x670 +[ 1360.548610] worker_thread+0x4d3/0x760 +[ 1360.548627] ? __pfx_worker_thread+0x10/0x10 +[ 1360.548640] kthread+0x16b/0x1b0 +[ 1360.548653] ? __pfx_kthread+0x10/0x10 +[ 1360.548665] ret_from_fork+0x2f/0x50 +[ 1360.548679] ? 
__pfx_kthread+0x10/0x10 +[ 1360.548690] ret_from_fork_asm+0x1a/0x30 +[ 1360.548707] + +[ 1360.548719] Allocated by task 192061: +[ 1360.548726] kasan_save_stack+0x20/0x40 +[ 1360.548739] kasan_save_track+0x14/0x30 +[ 1360.548750] __kasan_kmalloc+0x8f/0xa0 +[ 1360.548760] __kmalloc_node+0x1f1/0x450 +[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables] +[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink] +[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink] +[ 1360.548927] netlink_unicast+0x367/0x4f0 +[ 1360.548935] netlink_sendmsg+0x34b/0x610 +[ 1360.548944] ____sys_sendmsg+0x4d4/0x510 +[ 1360.548953] ___sys_sendmsg+0xc9/0x120 +[ 1360.548961] __sys_sendmsg+0xbe/0x140 +[ 1360.548971] do_syscall_64+0x55/0x120 +[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d + +[ 1360.548994] Freed by task 192222: +[ 1360.548999] kasan_save_stack+0x20/0x40 +[ 1360.549009] kasan_save_track+0x14/0x30 +[ 1360.549019] kasan_save_free_info+0x3b/0x60 +[ 1360.549028] poison_slab_object+0x100/0x180 +[ 1360.549036] __kasan_slab_free+0x14/0x30 +[ 1360.549042] kfree+0xb6/0x260 +[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables] +[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables] +[ 1360.549221] ops_exit_list+0x50/0xa0 +[ 1360.549229] free_exit_list+0x101/0x140 +[ 1360.549236] unregister_pernet_operations+0x107/0x160 +[ 1360.549245] unregister_pernet_subsys+0x1c/0x30 +[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables] +[ 1360.549345] __do_sys_delete_module+0x253/0x370 +[ 1360.549352] do_syscall_64+0x55/0x120 +[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d + +(gdb) list *__nft_release_table+0x473 +0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354). 
+11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { +11350 list_del(&flowtable->list); +11351 nft_use_dec(&table->use); +11352 nf_tables_flowtable_destroy(flowtable); +11353 } +11354 list_for_each_entry_safe(set, ns, &table->sets, list) { +11355 list_del(&set->list); +11356 nft_use_dec(&table->use); +11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) +11358 nft_map_deactivate(&ctx, set); +(gdb) + +[ 1360.549372] Last potentially related work creation: +[ 1360.549376] kasan_save_stack+0x20/0x40 +[ 1360.549384] __kasan_record_aux_stack+0x9b/0xb0 +[ 1360.549392] __queue_work+0x3fb/0x780 +[ 1360.549399] queue_work_on+0x4f/0x60 +[ 1360.549407] nft_rhash_remove+0x33b/0x340 [nf_tables] +[ 1360.549516] nf_tables_commit+0x1c6a/0x2620 [nf_tables] +[ 1360.549625] nfnetlink_rcv_batch+0x728/0xdc0 [nfnetlink] +[ 1360.549647] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink] +[ 1360.549671] netlink_unicast+0x367/0x4f0 +[ 1360.549680] netlink_sendmsg+0x34b/0x610 +[ 1360.549690] ____sys_sendmsg+0x4d4/0x510 +[ 1360.549697] ___sys_sendmsg+0xc9/0x120 +[ 1360.549706] __sys_sendmsg+0xbe/0x140 +[ 1360.549715] do_syscall_64+0x55/0x120 +[ 1360.549725] entry_SYSCALL_64_after_hwframe+0x55/0x5d + +Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10981,6 +10981,7 @@ static void __exit nf_tables_module_exit + unregister_netdevice_notifier(&nf_tables_flowtable_notifier); + nft_chain_filter_fini(); + nft_chain_route_fini(); ++ nf_tables_trans_destroy_flush_work(); + unregister_pernet_subsys(&nf_tables_net_ops); + cancel_work_sync(&trans_gc_work); + cancel_work_sync(&trans_destroy_work); 
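Review bot: The ordering the new call depends on is not stated in the code: `nf_tables_trans_destroy_flush_work()` has to precede `unregister_pernet_subsys(&nf_tables_net_ops)` because exit_net frees the sets that queued destroy work may still dereference, which is exactly the use-after-free in the KASAN report. A comment above the call, `/* drain queued destroy work before exit_net frees the objects it references */`, would stop a later reorder from silently reintroducing the bug, given that `cancel_work_sync(&trans_destroy_work)` a few lines below looks, at a glance, like it already covers this. For the 6.1 backport it is also worth confirming that `nf_tables_trans_destroy_flush_work()` exists in this tree, since the description attributes it to an earlier fix and the hunk only adds the call. `nf_tables_module_exit` starts outside the hunk.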
diff --git a/queue-6.1/netfilter-nf_tables-reject-new-basechain-after-table-flag-update.patch b/queue-6.1/netfilter-nf_tables-reject-new-basechain-after-table-flag-update.patch new file mode 100644 index 00000000000..86ed53fbf27 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-reject-new-basechain-after-table-flag-update.patch 
@@ -0,0 +1,59 @@ +From 994209ddf4f430946f6247616b2e33d179243769 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 1 Apr 2024 00:33:02 +0200 +Subject: netfilter: nf_tables: reject new basechain after table flag update + +From: Pablo Neira Ayuso + +commit 994209ddf4f430946f6247616b2e33d179243769 upstream. + +When dormant flag is toggled, hooks are disabled in the commit phase by +iterating over current chains in table (existing and new). + +The following configuration allows for an inconsistent state: + + add table x + add chain x y { type filter hook input priority 0; } + add table x { flags dormant; } + add chain x w { type filter hook input priority 1; } + +which triggers the following warning when trying to unregister chain w +which is already unregistered. + +[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260 +[...] +[ 127.322519] Call Trace: +[ 127.322521] +[ 127.322524] ? __warn+0x9f/0x1a0 +[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260 +[ 127.322537] ? report_bug+0x1b1/0x1e0 +[ 127.322545] ? handle_bug+0x3c/0x70 +[ 127.322552] ? exc_invalid_op+0x17/0x40 +[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20 +[ 127.322563] ? kasan_save_free_info+0x3b/0x60 +[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260 +[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260 +[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260 +[ 127.322590] ? 
__nf_tables_unregister_hook+0x8a/0xe0 [nf_tables] +[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables] +[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables] + +Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2372,6 +2372,9 @@ static int nf_tables_addchain(struct nft + struct nft_stats __percpu *stats = NULL; + struct nft_chain_hook hook; + ++ if (table->flags & __NFT_TABLE_F_UPDATE) ++ return -EINVAL; ++ + if (flags & NFT_CHAIN_BINDING) + return -EOPNOTSUPP; + diff --git a/queue-6.1/netfilter-validate-user-input-for-expected-length.patch b/queue-6.1/netfilter-validate-user-input-for-expected-length.patch new file mode 100644 index 00000000000..31692a776c5 --- /dev/null +++ b/queue-6.1/netfilter-validate-user-input-for-expected-length.patch 
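Review bot: The `__NFT_TABLE_F_UPDATE` check at the top of `nf_tables_addchain` rejects every new chain in a batch that also toggles the table's flags, not only basechains as the subject says, because it runs before any hook attribute is examined; if that breadth is intended it deserves a comment, e.g. `/* a table flag update is pending in this batch: the commit-phase hook (de)activation would miss a chain added here */`. Narrowing the check to chains carrying a hook attribute would match the subject more literally, but the wider check is the safer one and is what the upstream commit carries, so documenting the intent seems preferable to changing it. `nf_tables_addchain` continues outside the hunk.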
@@ -0,0 +1,253 @@ +From 0c83842df40f86e529db6842231154772c20edcc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 4 Apr 2024 12:20:51 +0000 +Subject: netfilter: validate user input for expected length + +From: Eric Dumazet + +commit 0c83842df40f86e529db6842231154772c20edcc upstream. + +I got multiple syzbot reports showing old bugs exposed +by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc +in cgroup/{s,g}etsockopt") + +setsockopt() @optlen argument should be taken into account +before copying data. + + BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] + BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] + BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] + BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 +Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238 + +CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 + __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 + copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] + copy_from_sockptr include/linux/sockptr.h:55 [inline] + do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] + do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 + nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101 + do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 + __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 + __do_sys_setsockopt net/socket.c:2343 [inline] + __se_sys_setsockopt 
net/socket.c:2340 [inline] + __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 + do_syscall_64+0xfb/0x240 + entry_SYSCALL_64_after_hwframe+0x72/0x7a +RIP: 0033:0x7fd22067dde9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9 +RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8 + + +Allocated by task 7238: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:370 [inline] + __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slub.c:4069 [inline] + __kmalloc_noprof+0x200/0x410 mm/slub.c:4082 + kmalloc_noprof include/linux/slab.h:664 [inline] + __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869 + do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 + __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 + __do_sys_setsockopt net/socket.c:2343 [inline] + __se_sys_setsockopt net/socket.c:2340 [inline] + __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 + do_syscall_64+0xfb/0x240 + entry_SYSCALL_64_after_hwframe+0x72/0x7a + +The buggy address belongs to the object at ffff88802cd73da0 + which belongs to the cache kmalloc-8 of size 8 +The buggy address is located 0 bytes inside of + allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1) + +The buggy address belongs to the physical page: +page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73 +flags: 
0xfff80000000000(node=0|zone=1|lastcpupid=0xfff) +page_type: 0xffffefff(slab) +raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122 +raw: ffff88802cd73020 000000008080007f 00000001ffffefff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5103, tgid 2119833701 (syz-executor.4), ts 5103, free_ts 70804600828 + set_page_owner include/linux/page_owner.h:32 [inline] + post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1490 + prep_new_page mm/page_alloc.c:1498 [inline] + get_page_from_freelist+0x2e7e/0x2f40 mm/page_alloc.c:3454 + __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4712 + __alloc_pages_node_noprof include/linux/gfp.h:244 [inline] + alloc_pages_node_noprof include/linux/gfp.h:271 [inline] + alloc_slab_page+0x5f/0x120 mm/slub.c:2249 + allocate_slab+0x5a/0x2e0 mm/slub.c:2412 + new_slab mm/slub.c:2465 [inline] + ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3615 + __slab_alloc+0x58/0xa0 mm/slub.c:3705 + __slab_alloc_node mm/slub.c:3758 [inline] + slab_alloc_node mm/slub.c:3936 [inline] + __do_kmalloc_node mm/slub.c:4068 [inline] + kmalloc_node_track_caller_noprof+0x286/0x450 mm/slub.c:4089 + kstrdup+0x3a/0x80 mm/util.c:62 + device_rename+0xb5/0x1b0 drivers/base/core.c:4558 + dev_change_name+0x275/0x860 net/core/dev.c:1232 + do_setlink+0xa4b/0x41f0 net/core/rtnetlink.c:2864 + __rtnl_newlink net/core/rtnetlink.c:3680 [inline] + rtnl_newlink+0x180b/0x20a0 net/core/rtnetlink.c:3727 + rtnetlink_rcv_msg+0x89b/0x10d0 net/core/rtnetlink.c:6594 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2559 + netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] + netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1361 +page last free pid 5146 tgid 5146 stack trace: + reset_page_owner include/linux/page_owner.h:25 [inline] + free_pages_prepare mm/page_alloc.c:1110 [inline] + 
free_unref_page+0xd3c/0xec0 mm/page_alloc.c:2617 + discard_slab mm/slub.c:2511 [inline] + __put_partials+0xeb/0x130 mm/slub.c:2980 + put_cpu_partial+0x17c/0x250 mm/slub.c:3055 + __slab_free+0x2ea/0x3d0 mm/slub.c:4254 + qlink_free mm/kasan/quarantine.c:163 [inline] + qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179 + kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 + __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook mm/slub.c:3888 [inline] + slab_alloc_node mm/slub.c:3948 [inline] + __do_kmalloc_node mm/slub.c:4068 [inline] + __kmalloc_node_noprof+0x1d7/0x450 mm/slub.c:4076 + kmalloc_node_noprof include/linux/slab.h:681 [inline] + kvmalloc_node_noprof+0x72/0x190 mm/util.c:634 + bucket_table_alloc lib/rhashtable.c:186 [inline] + rhashtable_rehash_alloc+0x9e/0x290 lib/rhashtable.c:367 + rht_deferred_worker+0x4e1/0x2440 lib/rhashtable.c:427 + process_one_work kernel/workqueue.c:3218 [inline] + process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3299 + worker_thread+0x86d/0xd70 kernel/workqueue.c:3380 + kthread+0x2f0/0x390 kernel/kthread.c:388 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 + +Memory state around the buggy address: + ffff88802cd73c80: 07 fc fc fc 05 fc fc fc 05 fc fc fc fa fc fc fc + ffff88802cd73d00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc +>ffff88802cd73d80: fa fc fc fc 01 fc fc fc fa fc fc fc fa fc fc fc + ^ + ffff88802cd73e00: fa fc fc fc fa fc fc fc 05 fc fc fc 07 fc fc fc + ffff88802cd73e80: 07 fc fc fc 07 fc fc fc 07 fc fc fc 07 fc fc fc + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20240404122051.2303764-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/netfilter/ebtables.c | 6 ++++++ + 
net/ipv4/netfilter/arp_tables.c | 4 ++++ + net/ipv4/netfilter/ip_tables.c | 4 ++++ + net/ipv6/netfilter/ip6_tables.c | 4 ++++ + 4 files changed, 18 insertions(+) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1111,6 +1111,8 @@ static int do_replace(struct net *net, s + struct ebt_table_info *newinfo; + struct ebt_replace tmp; + ++ if (len < sizeof(tmp)) ++ return -EINVAL; + if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + return -EFAULT; + +@@ -1423,6 +1425,8 @@ static int update_counters(struct net *n + { + struct ebt_replace hlp; + ++ if (len < sizeof(hlp)) ++ return -EINVAL; + if (copy_from_sockptr(&hlp, arg, sizeof(hlp))) + return -EFAULT; + +@@ -2352,6 +2356,8 @@ static int compat_update_counters(struct + { + struct compat_ebt_replace hlp; + ++ if (len < sizeof(hlp)) ++ return -EINVAL; + if (copy_from_sockptr(&hlp, arg, sizeof(hlp))) + return -EFAULT; + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -956,6 +956,8 @@ static int do_replace(struct net *net, s + void *loc_cpu_entry; + struct arpt_entry *iter; + ++ if (len < sizeof(tmp)) ++ return -EINVAL; + if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + return -EFAULT; + +@@ -1254,6 +1256,8 @@ static int compat_do_replace(struct net + void *loc_cpu_entry; + struct arpt_entry *iter; + ++ if (len < sizeof(tmp)) ++ return -EINVAL; + if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + return -EFAULT; + +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1110,6 +1110,8 @@ do_replace(struct net *net, sockptr_t ar + void *loc_cpu_entry; + struct ipt_entry *iter; + ++ if (len < sizeof(tmp)) ++ return -EINVAL; + if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + return -EFAULT; + +@@ -1494,6 +1496,8 @@ compat_do_replace(struct net *net, sockp + void *loc_cpu_entry; + struct ipt_entry *iter; + ++ if (len < sizeof(tmp)) ++ return -EINVAL; + if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + return 
-EFAULT; + +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1127,6 +1127,8 @@ do_replace(struct net *net, sockptr_t ar + void *loc_cpu_entry; + struct ip6t_entry *iter; + ++ if (len < sizeof(tmp)) ++ return -EINVAL; + if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + return -EFAULT; + +@@ -1503,6 +1505,8 @@ compat_do_replace(struct net *net, sockp + void *loc_cpu_entry; + struct ip6t_entry *iter; + ++ if (len < sizeof(tmp)) ++ return -EINVAL; + if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + return -EFAULT; + diff --git a/queue-6.1/series b/queue-6.1/series index 3b846debae3..94645404027 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -37,3 +37,9 @@ net-rds-fix-possible-cp-null-dereference.patch net-usb-ax88179_178a-avoid-the-interface-always-configured-as-random-address.patch vsock-virtio-fix-packet-delivery-to-tap-device.patch revert-x86-mm-ident_map-use-gbpages-only-where-full-gb-page-should-be-mapped.patch +netfilter-nf_tables-reject-new-basechain-after-table-flag-update.patch +netfilter-nf_tables-flush-pending-destroy-work-before-exit_net-release.patch +netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch +netfilter-validate-user-input-for-expected-length.patch +vboxsf-avoid-an-spurious-warning-if-load_nls_xxx-fails.patch +bpf-sockmap-prevent-lock-inversion-deadlock-in-map-delete-elem.patch diff --git a/queue-6.1/vboxsf-avoid-an-spurious-warning-if-load_nls_xxx-fails.patch b/queue-6.1/vboxsf-avoid-an-spurious-warning-if-load_nls_xxx-fails.patch new file mode 100644 index 00000000000..9779b79eac3 --- /dev/null +++ b/queue-6.1/vboxsf-avoid-an-spurious-warning-if-load_nls_xxx-fails.patch 
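Review bot: The length guard precedes each `copy_from_sockptr(&tmp, ...)` shown here, but ebtables also has a compat replace path that copies a `struct compat_ebt_replace` header from `arg`, and it is not in this hunk; if it performs the same fixed-size copy it needs the same `if (len < sizeof(tmp)) return -EINVAL;`, or the short-optlen overread remains reachable through that setsockopt path. Any other handler in these four files that copies a fixed-size header from the user pointer before comparing against `len` deserves the same audit rather than assuming this hunk is complete, since the `Fixes:` tag points at the original import. The guard itself is placed correctly, before any copy, and `len` is presumably the caller-supplied optlen (the signatures are cut off in the hunk headers), so the 1-byte cgroup BPF allocation from the report can no longer be overread. All enclosing functions continue outside the hunk.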
@@ -0,0 +1,46 @@ +From de3f64b738af57e2732b91a0774facc675b75b54 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Wed, 1 Nov 2023 11:49:48 +0100 +Subject: vboxsf: Avoid an spurious warning if load_nls_xxx() fails + +From: Christophe JAILLET + +commit de3f64b738af57e2732b91a0774facc675b75b54 upstream. + +If an load_nls_xxx() function fails a few lines above, the 'sbi->bdi_id' is +still 0. +So, in the error handling path, we will call ida_simple_remove(..., 0) +which is not allocated yet. + +In order to prevent a spurious "ida_free called for id=0 which is not +allocated." message, tweak the error handling path and add a new label. + +Fixes: 0fd169576648 ("fs: Add VirtualBox guest shared folder (vboxsf) support") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/d09eaaa4e2e08206c58a1a27ca9b3e81dc168773.1698835730.git.christophe.jaillet@wanadoo.fr +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + fs/vboxsf/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/vboxsf/super.c ++++ b/fs/vboxsf/super.c +@@ -151,7 +151,7 @@ static int vboxsf_fill_super(struct supe + if (!sbi->nls) { + vbg_err("vboxsf: Count not load '%s' nls\n", nls_name); + err = -EINVAL; +- goto fail_free; ++ goto fail_destroy_idr; + } + } + +@@ -224,6 +224,7 @@ fail_free: + ida_simple_remove(&vboxsf_bdi_ida, sbi->bdi_id); + if (sbi->nls) + unload_nls(sbi->nls); ++fail_destroy_idr: + idr_destroy(&sbi->ino_idr); + kfree(sbi); + return err; -- 2.39.5
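Review bot: The new `fail_destroy_idr` label fixes the `load_nls` failure path only; any other `goto fail_free` that can run before `ida_simple_get()` has assigned `sbi->bdi_id` would trigger the same spurious `ida_free` warning, and those earlier lines of `vboxsf_fill_super` are outside the hunk, so they are worth a quick scan before merging. The label name describes only the first statement after it while the path also frees `sbi`; something like `fail_free_sbi` would read less like a partial cleanup, although the chosen name is consistent with the existing `fail_free` style. Unrelated to the change, the context line's error string reads `Count not load '%s' nls`, presumably meant to be `Could not load`, which could be corrected in a separate patch. `vboxsf_fill_super` starts and ends outside the hunk.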