From 64ec8f705a6f89d056132862122ee19682cf0b5c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 18 Feb 2022 15:54:41 +0100
Subject: [PATCH] 4.9-stable patches

added patches:
drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
libsubcmd-fix-use-after-free-for-realloc-...-0.patch
---
 ...ropmon_net_event-trace_napi_poll_hit.patch | 103 ++++++++++++++++++
 ...i-pcie-fix-locking-when-hw-not-ready.patch | 34 ++++++
 ...fix-use-after-free-for-realloc-...-0.patch | 66 +++++++++++
 queue-4.9/series | 3 +
 4 files changed, 206 insertions(+)
 create mode 100644 queue-4.9/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
 create mode 100644 queue-4.9/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
 create mode 100644 queue-4.9/libsubcmd-fix-use-after-free-for-realloc-...-0.patch

diff --git a/queue-4.9/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch b/queue-4.9/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
new file mode 100644
index 00000000000..8775d34f6eb
--- /dev/null
+++ b/queue-4.9/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
@@ -0,0 +1,103 @@
+From dcd54265c8bc14bd023815e36e2d5f9d66ee1fee Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 10 Feb 2022 09:13:31 -0800
+Subject: drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit
+
+From: Eric Dumazet
+
+commit dcd54265c8bc14bd023815e36e2d5f9d66ee1fee upstream.
+
+trace_napi_poll_hit() is reading stat->dev while another thread can write
+on it from dropmon_net_event()
+
+Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already,
+we only have to take care of load/store tearing.
+
+BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit
+
+write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1:
+ dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579
+ notifier_call_chain kernel/notifier.c:84 [inline]
+ raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392
+ call_netdevice_notifiers_info net/core/dev.c:1919 [inline]
+ call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
+ call_netdevice_notifiers net/core/dev.c:1945 [inline]
+ unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415
+ ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123
+ vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515
+ ops_exit_list net/core/net_namespace.c:173 [inline]
+ cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0:
+ trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292
+ trace_napi_poll include/trace/events/napi.h:14 [inline]
+ __napi_poll+0x36b/0x3f0 net/core/dev.c:6366
+ napi_poll net/core/dev.c:6432 [inline]
+ net_rx_action+0x29e/0x650 net/core/dev.c:6519
+ __do_softirq+0x158/0x2de kernel/softirq.c:558
+ do_softirq+0xb1/0xf0 kernel/softirq.c:459
+ __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
+ __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
+ _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210
+ spin_unlock_bh include/linux/spinlock.h:394 [inline]
+ ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
+ wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+value changed: 0xffff88815883e000 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
+
+Fixes: 4ea7e38696c7 ("dropmon: add ability to detect when hardware dropsrxpackets")
+Signed-off-by: Eric Dumazet
+Cc: Neil Horman
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/drop_monitor.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -224,13 +224,17 @@ static void trace_napi_poll_hit(void *ig
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(new_stat, &hw_stats_list, list) {
++ struct net_device *dev;
++
+ /*
+ * only add a note to our monitor buffer if:
+ * 1) this is the dev we received on
+ * 2) its after the last_rx delta
+ * 3) our rx_dropped count has gone up
+ */
+- if ((new_stat->dev == napi->dev) &&
++ /* Paired with WRITE_ONCE() in dropmon_net_event() */
++ dev = READ_ONCE(new_stat->dev);
++ if ((dev == napi->dev) &&
+ (time_after(jiffies, new_stat->last_rx + dm_hw_check_delta)) &&
+ (napi->dev->stats.rx_dropped != new_stat->last_drop_val)) {
+ trace_drop_common(NULL, NULL);
+@@ -345,7 +349,10 @@ static int dropmon_net_event(struct noti
+ mutex_lock(&trace_state_mutex);
+ list_for_each_entry_safe(new_stat, tmp, &hw_stats_list, list) {
+ if (new_stat->dev == dev) {
+- new_stat->dev = NULL;
++
+ /* Paired with READ_ONCE() in trace_napi_poll_hit() */
++ WRITE_ONCE(new_stat->dev, NULL);
++
+ if (trace_state == TRACE_OFF) {
+ list_del_rcu(&new_stat->list);
+ kfree_rcu(new_stat, rcu);
diff --git a/queue-4.9/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch b/queue-4.9/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
new file mode 100644
index 00000000000..08c73fc33ac
--- /dev/null
+++ b/queue-4.9/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
@@ -0,0 +1,34 @@
+From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 28 Jan 2022 14:30:52 +0200
+Subject: iwlwifi: pcie: fix locking when "HW not ready"
+
+From: Johannes Berg
+
+commit e9848aed147708a06193b40d78493b0ef6abccf2 upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this.
+
+Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1183,8 +1183,7 @@ static int iwl_trans_pcie_start_fw(struc
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
diff --git a/queue-4.9/libsubcmd-fix-use-after-free-for-realloc-...-0.patch b/queue-4.9/libsubcmd-fix-use-after-free-for-realloc-...-0.patch
new file mode 100644
index 00000000000..708aea64ce4
--- /dev/null
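Review bot: The READ_ONCE() in trace_napi_poll_hit() is only sound because the local `dev` is merely compared with napi->dev and never dereferenced — the next condition reads `napi->dev->stats.rx_dropped` through the napi pointer — yet nothing in the hunk says that the value may already be NULL (the write side stores NULL) or belong to a device on its way out, so a later edit could start dereferencing it. A comment above the load would pin that contract, e.g. `/* may be NULL or stale after unregister: compare only, never dereference */`. The plain `new_stat->dev == dev` read left in dropmon_net_event() looks fine, presumably because writers are serialized by the mutex_lock(&trace_state_mutex) shown at the top of that hunk. Both trace_napi_poll_hit() and dropmon_net_event() start and end outside the hunks.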
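Review bot: The new early `return -EIO` bypasses the `out:` label, which is correct only if the mutex is the sole thing that label releases and nothing else has been acquired before iwl_pcie_prepare_card_hw() in the 4.9 version of iwl_trans_pcie_start_fw(); the hunk shows neither the label nor the lines above the check, so this has to be verified against the backport target rather than the upstream description alone. Once confirmed, a one-line comment keeps the next backporter from reintroducing the `goto out`, e.g. `/* mutex not held yet: return directly instead of going through out: */`. The function starts and ends outside the hunk.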
+++ b/queue-4.9/libsubcmd-fix-use-after-free-for-realloc-...-0.patch 
@@ -0,0 +1,66 @@
+From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Sun, 13 Feb 2022 10:24:43 -0800
+Subject: libsubcmd: Fix use-after-free for realloc(..., 0)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook
+
+commit 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 upstream.
+
+GCC 12 correctly reports a potential use-after-free condition in the
+xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)"
+when size == 0:
+
+In file included from help.c:12:
+In function 'xrealloc',
+ inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+ 56 | ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+ 52 | void *ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+ 58 | ret = realloc(ptr, 1);
+ | ^~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+ 52 | void *ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+
+Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence")
+Reported-by: Valdis Klētnieks
+Signed-off-by: Kees Kook
+Tested-by: Valdis Klētnieks
+Tested-by: Justin M. Forbes
+Acked-by: Josh Poimboeuf
+Cc: linux-hardening@vger.kernel.org
+Cc: Valdis Klētnieks
+Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/lib/subcmd/subcmd-util.h | 11 ++--------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/tools/lib/subcmd/subcmd-util.h
++++ b/tools/lib/subcmd/subcmd-util.h
+@@ -49,15 +49,8 @@ static NORETURN inline void die(const ch
+ static inline void *xrealloc(void *ptr, size_t size)
+ {
+ void *ret = realloc(ptr, size);
+- if (!ret && !size)
+- ret = realloc(ptr, 1);
+- if (!ret) {
+- ret = realloc(ptr, size);
+- if (!ret && !size)
+- ret = realloc(ptr, 1);
+- if (!ret)
+- die("Out of memory, realloc failed");
+- }
++ if (!ret)
++ die("Out of memory, realloc failed");
+ return ret;
+ }
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 0e6a0722909..f5a2a8ab40a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -16,3 +16,6 @@ xfrm-don-t-accidentally-set-rto_onlink-in-decode_session4.patch
 taskstats-cleanup-the-use-of-task-exit_code.patch
 vsock-correct-removal-of-socket-from-the-list.patch
 vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch
+iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
+drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
+libsubcmd-fix-use-after-free-for-realloc-...-0.patch
-- 
2.47.3
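Review bot: For size == 0 the rewritten xrealloc() now terminates the process where the old code retried with size 1: `realloc(ptr, 0)` is implementation-defined in C17 (glibc frees ptr and returns NULL; C23 makes it undefined), so a zero-byte request ends in `die("Out of memory, realloc failed")` instead of returning a usable pointer. If any caller in the 4.9 tools tree can reach this with size 0 (for example growing an array from a zero capacity), clamp the request before the call, `if (!size) size = 1;`, which keeps the old contract without the use-after-free that GCC 12 flags. The whole body of xrealloc() is inside the hunk; die() is declared in the context line above it.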