From 9ce93b517410a5134bfdba4ea7ab9d80d7d56330 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 10 May 2024 17:35:09 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...e-after-free-bugs-caused-by-sco_sock.patch | 145 ++++++++++++++++++ ...fix-null-ptr-deref-in-l2cap_chan_tim.patch | 136 ++++++++++++++++ ...avoid-possible-null-dereference-in-f.patch | 92 +++++++++++ ...orrupted-ethernet-header-on-multicas.patch | 56 +++++++ ...fix-rtm_phonet_notify-skb-allocation.patch | 50 ++++++ ...t-nested-ifla_vf_vlan_list-attribute.patch | 44 ++++++ queue-4.19/series | 9 ++ ...wn-send_shutdown-for-tcp_syn_recv-so.patch | 145 ++++++++++++++++++ .../tcp-remove-redundant-check-on-tskb.patch | 65 ++++++++ ...ount_inc_not_zero-in-tcp_twsk_unique.patch | 118 ++++++++++++++ 10 files changed, 860 insertions(+) create mode 100644 queue-4.19/bluetooth-fix-use-after-free-bugs-caused-by-sco_sock.patch create mode 100644 queue-4.19/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_chan_tim.patch create mode 100644 queue-4.19/ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch create mode 100644 queue-4.19/net-bridge-fix-corrupted-ethernet-header-on-multicas.patch create mode 100644 queue-4.19/phonet-fix-rtm_phonet_notify-skb-allocation.patch create mode 100644 queue-4.19/rtnetlink-correct-nested-ifla_vf_vlan_list-attribute.patch create mode 100644 queue-4.19/tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch create mode 100644 queue-4.19/tcp-remove-redundant-check-on-tskb.patch create mode 100644 queue-4.19/tcp-use-refcount_inc_not_zero-in-tcp_twsk_unique.patch diff --git a/queue-4.19/bluetooth-fix-use-after-free-bugs-caused-by-sco_sock.patch b/queue-4.19/bluetooth-fix-use-after-free-bugs-caused-by-sco_sock.patch new file mode 100644 index 00000000000..f1969675144 --- /dev/null +++ b/queue-4.19/bluetooth-fix-use-after-free-bugs-caused-by-sco_sock.patch @@ -0,0 +1,145 @@ +From 3efd6b22305bb3775a3b28167f806e3ede6b2d7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 22:23:45 +0800 +Subject: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout + +From: Duoming Zhou + +[ Upstream commit 483bc08181827fc475643272ffb69c533007e546 ] + +When the sco connection is established and then, the sco socket +is releasing, timeout_work will be scheduled to judge whether +the sco disconnection is timeout. The sock will be deallocated +later, but it is dereferenced again in sco_sock_timeout. As a +result, the use-after-free bugs will happen. The root cause is +shown below: + + Cleanup Thread | Worker Thread +sco_sock_release | + sco_sock_close | + __sco_sock_close | + sco_sock_set_timer | + schedule_delayed_work | + sco_sock_kill | (wait a time) + sock_put(sk) //FREE | sco_sock_timeout + | sock_hold(sk) //USE + +The KASAN report triggered by POC is shown below: + +[ 95.890016] ================================================================== +[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0 +[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7 +... +[ 95.890755] Workqueue: events sco_sock_timeout +[ 95.890755] Call Trace: +[ 95.890755] +[ 95.890755] dump_stack_lvl+0x45/0x110 +[ 95.890755] print_address_description+0x78/0x390 +[ 95.890755] print_report+0x11b/0x250 +[ 95.890755] ? __virt_addr_valid+0xbe/0xf0 +[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 +[ 95.890755] kasan_report+0x139/0x170 +[ 95.890755] ? update_load_avg+0xe5/0x9f0 +[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 +[ 95.890755] kasan_check_range+0x2c3/0x2e0 +[ 95.890755] sco_sock_timeout+0x5e/0x1c0 +[ 95.890755] process_one_work+0x561/0xc50 +[ 95.890755] worker_thread+0xab2/0x13c0 +[ 95.890755] ? pr_cont_work+0x490/0x490 +[ 95.890755] kthread+0x279/0x300 +[ 95.890755] ? pr_cont_work+0x490/0x490 +[ 95.890755] ? kthread_blkcg+0xa0/0xa0 +[ 95.890755] ret_from_fork+0x34/0x60 +[ 95.890755] ? kthread_blkcg+0xa0/0xa0 +[ 95.890755] ret_from_fork_asm+0x11/0x20 +[ 95.890755] +[ 95.890755] +[ 95.890755] Allocated by task 506: +[ 95.890755] kasan_save_track+0x3f/0x70 +[ 95.890755] __kasan_kmalloc+0x86/0x90 +[ 95.890755] __kmalloc+0x17f/0x360 +[ 95.890755] sk_prot_alloc+0xe1/0x1a0 +[ 95.890755] sk_alloc+0x31/0x4e0 +[ 95.890755] bt_sock_alloc+0x2b/0x2a0 +[ 95.890755] sco_sock_create+0xad/0x320 +[ 95.890755] bt_sock_create+0x145/0x320 +[ 95.890755] __sock_create+0x2e1/0x650 +[ 95.890755] __sys_socket+0xd0/0x280 +[ 95.890755] __x64_sys_socket+0x75/0x80 +[ 95.890755] do_syscall_64+0xc4/0x1b0 +[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f +[ 95.890755] +[ 95.890755] Freed by task 506: +[ 95.890755] kasan_save_track+0x3f/0x70 +[ 95.890755] kasan_save_free_info+0x40/0x50 +[ 95.890755] poison_slab_object+0x118/0x180 +[ 95.890755] __kasan_slab_free+0x12/0x30 +[ 95.890755] kfree+0xb2/0x240 +[ 95.890755] __sk_destruct+0x317/0x410 +[ 95.890755] sco_sock_release+0x232/0x280 +[ 95.890755] sock_close+0xb2/0x210 +[ 95.890755] __fput+0x37f/0x770 +[ 95.890755] task_work_run+0x1ae/0x210 +[ 95.890755] get_signal+0xe17/0xf70 +[ 95.890755] arch_do_signal_or_restart+0x3f/0x520 +[ 95.890755] syscall_exit_to_user_mode+0x55/0x120 +[ 95.890755] do_syscall_64+0xd1/0x1b0 +[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f +[ 95.890755] +[ 95.890755] The buggy address belongs to the object at ffff88800c388000 +[ 95.890755] which belongs to the cache kmalloc-1k of size 1024 +[ 95.890755] The buggy address is located 128 bytes inside of +[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400) +[ 95.890755] +[ 95.890755] The buggy address belongs to the physical page: +[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388 +[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 95.890755] anon flags: 0x100000000000840(slab|head|node=0|zone=1) +[ 95.890755] page_type: 0xffffffff() +[ 95.890755] raw: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001 +[ 95.890755] raw: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000 +[ 95.890755] head: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001 +[ 95.890755] head: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000 +[ 95.890755] head: 0100000000000003 ffffea000030e201 ffffea000030e248 00000000ffffffff +[ 95.890755] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 95.890755] page dumped because: kasan: bad access detected +[ 95.890755] +[ 95.890755] Memory state around the buggy address: +[ 95.890755] ffff88800c387f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 95.890755] ffff88800c388000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 95.890755] >ffff88800c388080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 95.890755] ^ +[ 95.890755] ffff88800c388100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 95.890755] ffff88800c388180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 95.890755] ================================================================== + +Fix this problem by adding a check protected by sco_conn_lock to judget +whether the conn->hcon is null. Because the conn->hcon will be set to null, +when the sock is releasing. + +Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") +Signed-off-by: Duoming Zhou +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index d8726327bc05e..42b5d56d85a56 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -82,6 +82,10 @@ static void sco_sock_timeout(struct work_struct *work) + struct sock *sk; + + sco_conn_lock(conn); ++ if (!conn->hcon) { ++ sco_conn_unlock(conn); ++ return; ++ } + sk = conn->sk; + if (sk) + sock_hold(sk); +-- +2.43.0 + diff --git a/queue-4.19/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_chan_tim.patch b/queue-4.19/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_chan_tim.patch new file mode 100644 index 00000000000..8d0d72dad7b --- /dev/null +++ b/queue-4.19/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_chan_tim.patch @@ -0,0 +1,136 @@ +From 8c5e5421aecb2878f20f26376d5d93753f245c18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 20:57:36 +0800 +Subject: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout + +From: Duoming Zhou + +[ Upstream commit adf0398cee86643b8eacde95f17d073d022f782c ] + +There is a race condition between l2cap_chan_timeout() and +l2cap_chan_del(). When we use l2cap_chan_del() to delete the +channel, the chan->conn will be set to null. But the conn could +be dereferenced again in the mutex_lock() of l2cap_chan_timeout(). +As a result the null pointer dereference bug will happen. The +KASAN report triggered by POC is shown below: + +[ 472.074580] ================================================================== +[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0 +[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7 +[ 472.075308] +[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 +[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 +[ 472.075308] Workqueue: events l2cap_chan_timeout +[ 472.075308] Call Trace: +[ 472.075308] +[ 472.075308] dump_stack_lvl+0x137/0x1a0 +[ 472.075308] print_report+0x101/0x250 +[ 472.075308] ? __virt_addr_valid+0x77/0x160 +[ 472.075308] ? mutex_lock+0x68/0xc0 +[ 472.075308] kasan_report+0x139/0x170 +[ 472.075308] ? mutex_lock+0x68/0xc0 +[ 472.075308] kasan_check_range+0x2c3/0x2e0 +[ 472.075308] mutex_lock+0x68/0xc0 +[ 472.075308] l2cap_chan_timeout+0x181/0x300 +[ 472.075308] process_one_work+0x5d2/0xe00 +[ 472.075308] worker_thread+0xe1d/0x1660 +[ 472.075308] ? pr_cont_work+0x5e0/0x5e0 +[ 472.075308] kthread+0x2b7/0x350 +[ 472.075308] ? pr_cont_work+0x5e0/0x5e0 +[ 472.075308] ? kthread_blkcg+0xd0/0xd0 +[ 472.075308] ret_from_fork+0x4d/0x80 +[ 472.075308] ? kthread_blkcg+0xd0/0xd0 +[ 472.075308] ret_from_fork_asm+0x11/0x20 +[ 472.075308] +[ 472.075308] ================================================================== +[ 472.094860] Disabling lock debugging due to kernel taint +[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158 +[ 472.096136] #PF: supervisor write access in kernel mode +[ 472.096136] #PF: error_code(0x0002) - not-present page +[ 472.096136] PGD 0 P4D 0 +[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI +[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36 +[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 +[ 472.096136] Workqueue: events l2cap_chan_timeout +[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0 +[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 +[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 +[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 +[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 +[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f +[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 +[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00 +[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 +[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 +[ 472.096136] Call Trace: +[ 472.096136] +[ 472.096136] ? __die_body+0x8d/0xe0 +[ 472.096136] ? page_fault_oops+0x6b8/0x9a0 +[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0 +[ 472.096136] ? do_user_addr_fault+0x1027/0x1340 +[ 472.096136] ? _printk+0x7a/0xa0 +[ 472.096136] ? mutex_lock+0x68/0xc0 +[ 472.096136] ? add_taint+0x42/0xd0 +[ 472.096136] ? exc_page_fault+0x6a/0x1b0 +[ 472.096136] ? asm_exc_page_fault+0x26/0x30 +[ 472.096136] ? mutex_lock+0x75/0xc0 +[ 472.096136] ? mutex_lock+0x88/0xc0 +[ 472.096136] ? mutex_lock+0x75/0xc0 +[ 472.096136] l2cap_chan_timeout+0x181/0x300 +[ 472.096136] process_one_work+0x5d2/0xe00 +[ 472.096136] worker_thread+0xe1d/0x1660 +[ 472.096136] ? pr_cont_work+0x5e0/0x5e0 +[ 472.096136] kthread+0x2b7/0x350 +[ 472.096136] ? pr_cont_work+0x5e0/0x5e0 +[ 472.096136] ? kthread_blkcg+0xd0/0xd0 +[ 472.096136] ret_from_fork+0x4d/0x80 +[ 472.096136] ? kthread_blkcg+0xd0/0xd0 +[ 472.096136] ret_from_fork_asm+0x11/0x20 +[ 472.096136] +[ 472.096136] Modules linked in: +[ 472.096136] CR2: 0000000000000158 +[ 472.096136] ---[ end trace 0000000000000000 ]--- +[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0 +[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 +[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 +[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 +[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 +[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f +[ 472.132932] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 +[ 472.132932] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00 +[ 472.132932] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 +[ 472.132932] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 472.132932] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 +[ 472.132932] Kernel panic - not syncing: Fatal exception +[ 472.132932] Kernel Offset: disabled +[ 472.132932] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Add a check to judge whether the conn is null in l2cap_chan_timeout() +in order to mitigate the bug. + +Fixes: 3df91ea20e74 ("Bluetooth: Revert to mutexes from RCU list") +Signed-off-by: Duoming Zhou +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index b6c726976d1bb..3c6e72c4fdde3 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -429,6 +429,9 @@ static void l2cap_chan_timeout(struct work_struct *work) + + BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); + ++ if (!conn) ++ return; ++ + mutex_lock(&conn->chan_lock); + /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling + * this work. No need to call l2cap_chan_hold(chan) here again. +-- +2.43.0 + diff --git a/queue-4.19/ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch b/queue-4.19/ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch new file mode 100644 index 00000000000..ba176e7365e --- /dev/null +++ b/queue-4.19/ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch @@ -0,0 +1,92 @@ +From e02a7c98113c52c04296e7d152c928c4e2150b72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 16:31:45 +0000 +Subject: ipv6: fib6_rules: avoid possible NULL dereference in + fib6_rule_action() + +From: Eric Dumazet + +[ Upstream commit d101291b2681e5ab938554e3e323f7a7ee33e3aa ] + +syzbot is able to trigger the following crash [1], +caused by unsafe ip6_dst_idev() use. + +Indeed ip6_dst_idev() can return NULL, and must always be checked. + +[1] + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 + RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline] + RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267 +Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c +RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700 +RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760 +RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd +R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000 +R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00 +FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317 + fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108 + ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline] + ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649 + ip6_route_output include/net/ip6_route.h:93 [inline] + ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120 + ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250 + sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326 + sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455 + sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662 + sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099 + __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197 + sctp_connect net/sctp/socket.c:4819 [inline] + sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 + __sys_connect_file net/socket.c:2048 [inline] + __sys_connect+0x2df/0x310 net/socket.c:2065 + __do_sys_connect net/socket.c:2075 [inline] + __se_sys_connect net/socket.c:2072 [inline] + __x64_sys_connect+0x7a/0x90 net/socket.c:2072 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 5e5f3f0f8013 ("[IPV6] ADDRCONF: Convert ipv6_get_saddr() to ipv6_dev_get_saddr().") +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240507163145.835254-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/fib6_rules.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c +index 1913801f4273c..4171ebaeb6088 100644 +--- a/net/ipv6/fib6_rules.c ++++ b/net/ipv6/fib6_rules.c +@@ -232,8 +232,12 @@ static int __fib6_rule_action(struct fib_rule *rule, struct flowi *flp, + + rt = lookup(net, table, flp6, arg->lookup_data, flags); + if (rt != net->ipv6.ip6_null_entry) { ++ struct inet6_dev *idev = ip6_dst_idev(&rt->dst); ++ ++ if (!idev) ++ goto again; + err = fib6_rule_saddr(net, rule, flags, flp6, +- ip6_dst_idev(&rt->dst)->dev); ++ idev->dev); + + if (err == -EAGAIN) + goto again; +-- +2.43.0 + diff --git a/queue-4.19/net-bridge-fix-corrupted-ethernet-header-on-multicas.patch b/queue-4.19/net-bridge-fix-corrupted-ethernet-header-on-multicas.patch new file mode 100644 index 00000000000..275f2902a90 --- /dev/null +++ b/queue-4.19/net-bridge-fix-corrupted-ethernet-header-on-multicas.patch @@ -0,0 +1,56 @@ +From 43bb2f9efab422243be2801d29b3f153408291e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 May 2024 20:42:38 +0200 +Subject: net: bridge: fix corrupted ethernet header on multicast-to-unicast + +From: Felix Fietkau + +[ Upstream commit 86b29d830ad69eecff25b22dc96c14c6573718e6 ] + +The change from skb_copy to pskb_copy unfortunately changed the data +copying to omit the ethernet header, since it was pulled before reaching +this point. Fix this by calling __skb_push/pull around pskb_copy. + +Fixes: 59c878cbcdd8 ("net: bridge: fix multicast-to-unicast with fraglist GSO") +Signed-off-by: Felix Fietkau +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_forward.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index fc2ebd732098f..a300ef6fb8ffa 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -251,6 +251,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb, + { + struct net_device *dev = BR_INPUT_SKB_CB(skb)->brdev; + const unsigned char *src = eth_hdr(skb)->h_source; ++ struct sk_buff *nskb; + + if (!should_deliver(p, skb)) + return; +@@ -259,12 +260,16 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb, + if (skb->dev == p->dev && ether_addr_equal(src, addr)) + return; + +- skb = pskb_copy(skb, GFP_ATOMIC); +- if (!skb) { ++ __skb_push(skb, ETH_HLEN); ++ nskb = pskb_copy(skb, GFP_ATOMIC); ++ __skb_pull(skb, ETH_HLEN); ++ if (!nskb) { + DEV_STATS_INC(dev, tx_dropped); + return; + } + ++ skb = nskb; ++ __skb_pull(skb, ETH_HLEN); + if (!is_broadcast_ether_addr(addr)) + memcpy(eth_hdr(skb)->h_dest, addr, ETH_ALEN); + +-- +2.43.0 + diff --git a/queue-4.19/phonet-fix-rtm_phonet_notify-skb-allocation.patch b/queue-4.19/phonet-fix-rtm_phonet_notify-skb-allocation.patch new file mode 100644 index 00000000000..28c80ca053b --- /dev/null +++ b/queue-4.19/phonet-fix-rtm_phonet_notify-skb-allocation.patch @@ -0,0 +1,50 @@ +From 01ef6ce3fdd317b82d37b274e03c922d443fa264 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 16:17:00 +0000 +Subject: phonet: fix rtm_phonet_notify() skb allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +[ Upstream commit d8cac8568618dcb8a51af3db1103e8d4cc4aeea7 ] + +fill_route() stores three components in the skb: + +- struct rtmsg +- RTA_DST (u8) +- RTA_OIF (u32) + +Therefore, rtm_phonet_notify() should use + +NLMSG_ALIGN(sizeof(struct rtmsg)) + +nla_total_size(1) + +nla_total_size(4) + +Fixes: f062f41d0657 ("Phonet: routing table Netlink interface") +Signed-off-by: Eric Dumazet +Acked-by: Rémi Denis-Courmont +Link: https://lore.kernel.org/r/20240502161700.1804476-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/phonet/pn_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c +index 871eaf2cb85e4..5e50f9ea7484f 100644 +--- a/net/phonet/pn_netlink.c ++++ b/net/phonet/pn_netlink.c +@@ -206,7 +206,7 @@ void rtm_phonet_notify(int event, struct net_device *dev, u8 dst) + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(NLMSG_ALIGN(sizeof(struct ifaddrmsg)) + ++ skb = nlmsg_new(NLMSG_ALIGN(sizeof(struct rtmsg)) + + nla_total_size(1) + nla_total_size(4), GFP_KERNEL); + if (skb == NULL) + goto errout; +-- +2.43.0 + diff --git a/queue-4.19/rtnetlink-correct-nested-ifla_vf_vlan_list-attribute.patch b/queue-4.19/rtnetlink-correct-nested-ifla_vf_vlan_list-attribute.patch new file mode 100644 index 00000000000..b776269377c --- /dev/null +++ b/queue-4.19/rtnetlink-correct-nested-ifla_vf_vlan_list-attribute.patch @@ -0,0 +1,44 @@ +From f96d66e52eeb7c7322e08aa400acc256e5b5e9f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 18:57:51 +0300 +Subject: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation + +From: Roded Zats + +[ Upstream commit 1aec77b2bb2ed1db0f5efc61c4c1ca3813307489 ] + +Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a +struct ifla_vf_vlan_info so the size of such attribute needs to be at least +of sizeof(struct ifla_vf_vlan_info) which is 14 bytes. +The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes) +which is less than sizeof(struct ifla_vf_vlan_info) so this validation +is not enough and a too small attribute might be cast to a +struct ifla_vf_vlan_info, this might result in an out of bands +read access when accessing the saved (casted) entry in ivvl. + +Fixes: 79aab093a0b5 ("net: Update API for VF vlan protocol 802.1ad support") +Signed-off-by: Roded Zats +Reviewed-by: Donald Hunter +Link: https://lore.kernel.org/r/20240502155751.75705-1-rzats@paloaltonetworks.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 0d3f724da78ba..9209623ab6445 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2167,7 +2167,7 @@ static int do_setvfinfo(struct net_device *dev, struct nlattr **tb) + + nla_for_each_nested(attr, tb[IFLA_VF_VLAN_LIST], rem) { + if (nla_type(attr) != IFLA_VF_VLAN_INFO || +- nla_len(attr) < NLA_HDRLEN) { ++ nla_len(attr) < sizeof(struct ifla_vf_vlan_info)) { + return -EINVAL; + } + if (len >= MAX_VLAN_LIST_LEN) +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 04431dfd9fa..dc22b8b5400 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -42,3 +42,12 @@ gpio-crystalcove-use-enotsupp-consistently.patch fs-9p-drop-inodes-immediately-on-non-.l-too.patch net-usb-qmi_wwan-support-rolling-modules.patch asoc-meson-axg-tdm-interface-fix-formatters-in-trigg.patch +tcp-remove-redundant-check-on-tskb.patch +tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch +tcp-use-refcount_inc_not_zero-in-tcp_twsk_unique.patch +bluetooth-fix-use-after-free-bugs-caused-by-sco_sock.patch +bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_chan_tim.patch +rtnetlink-correct-nested-ifla_vf_vlan_list-attribute.patch +phonet-fix-rtm_phonet_notify-skb-allocation.patch +net-bridge-fix-corrupted-ethernet-header-on-multicas.patch +ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch diff --git a/queue-4.19/tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch b/queue-4.19/tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch new file mode 100644 index 00000000000..64c734e3fe9 --- /dev/null +++ b/queue-4.19/tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch @@ -0,0 +1,145 @@ +From 6cc4fd2e54211da833ac8c78a58d59bd4bb7e4cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 12:54:48 +0000 +Subject: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets + +From: Eric Dumazet + +[ Upstream commit 94062790aedb505bdda209b10bea47b294d6394f ] + +TCP_SYN_RECV state is really special, it is only used by +cross-syn connections, mostly used by fuzzers. + +In the following crash [1], syzbot managed to trigger a divide +by zero in tcp_rcv_space_adjust() + +A socket makes the following state transitions, +without ever calling tcp_init_transfer(), +meaning tcp_init_buffer_space() is also not called. + + TCP_CLOSE +connect() + TCP_SYN_SENT + TCP_SYN_RECV +shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN) + TCP_FIN_WAIT1 + +To fix this issue, change tcp_shutdown() to not +perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition, +which makes no sense anyway. + +When tcp_rcv_state_process() later changes socket state +from TCP_SYN_RECV to TCP_ESTABLISH, then look at +sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state, +and send a FIN packet from a sane socket state. + +This means tcp_send_fin() can now be called from BH +context, and must use GFP_ATOMIC allocations. + +[1] +divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI +CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 + RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767 +Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48 +RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246 +RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7 +R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30 +R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da +FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0 +Call Trace: + + tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513 + tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578 + inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680 + sock_recvmsg_nosec net/socket.c:1046 [inline] + sock_recvmsg+0x109/0x280 net/socket.c:1068 + ____sys_recvmsg+0x1db/0x470 net/socket.c:2803 + ___sys_recvmsg net/socket.c:2845 [inline] + do_recvmmsg+0x474/0xae0 net/socket.c:2939 + __sys_recvmmsg net/socket.c:3018 [inline] + __do_sys_recvmmsg net/socket.c:3041 [inline] + __se_sys_recvmmsg net/socket.c:3034 [inline] + __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7faeb6363db9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9 +RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005 +RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c +R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Acked-by: Neal Cardwell +Link: https://lore.kernel.org/r/20240501125448.896529-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + net/ipv4/tcp_input.c | 2 ++ + net/ipv4/tcp_output.c | 4 +++- + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 54d6058dcb5cc..e3475f833f8fe 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2319,7 +2319,7 @@ void tcp_shutdown(struct sock *sk, int how) + /* If we've already sent a FIN, or it's a closed state, skip this. */ + if ((1 << sk->sk_state) & + (TCPF_ESTABLISHED | TCPF_SYN_SENT | +- TCPF_SYN_RECV | TCPF_CLOSE_WAIT)) { ++ TCPF_CLOSE_WAIT)) { + /* Clear out any half completed packets. FIN if needed. */ + if (tcp_close_state(sk)) + tcp_send_fin(sk); +@@ -2404,7 +2404,7 @@ void __tcp_close(struct sock *sk, long timeout) + * machine. State transitions: + * + * TCP_ESTABLISHED -> TCP_FIN_WAIT1 +- * TCP_SYN_RECV -> TCP_FIN_WAIT1 (forget it, it's impossible) ++ * TCP_SYN_RECV -> TCP_FIN_WAIT1 (it is difficult) + * TCP_CLOSE_WAIT -> TCP_LAST_ACK + * + * are legal only when FIN has been sent (i.e. in window), +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 407ad07dc5985..6a8c7c521d36e 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -6212,6 +6212,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + + tcp_initialize_rcv_mss(sk); + tcp_fast_path_on(tp); ++ if (sk->sk_shutdown & SEND_SHUTDOWN) ++ tcp_shutdown(sk, SEND_SHUTDOWN); + break; + + case TCP_FIN_WAIT1: { +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 8b78cb96a8461..fbeb40a481fcb 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3146,7 +3146,9 @@ void tcp_send_fin(struct sock *sk) + return; + } + } else { +- skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation); ++ skb = alloc_skb_fclone(MAX_TCP_HEADER, ++ sk_gfp_mask(sk, GFP_ATOMIC | ++ __GFP_NOWARN)); + if (unlikely(!skb)) + return; + +-- +2.43.0 + diff --git a/queue-4.19/tcp-remove-redundant-check-on-tskb.patch b/queue-4.19/tcp-remove-redundant-check-on-tskb.patch new file mode 100644 index 00000000000..15438ad012a --- /dev/null +++ b/queue-4.19/tcp-remove-redundant-check-on-tskb.patch @@ -0,0 +1,65 @@ +From ca7efda8d271d45d41a4d997721a19de258545f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2019 15:46:03 +0100 +Subject: tcp: remove redundant check on tskb + +From: Colin Ian King + +[ Upstream commit d1edc085559744fbda7a55e97eeae8bd6135a11b ] + +The non-null check on tskb is always false because it is in an else +path of a check on tskb and hence tskb is null in this code block. +This is check is therefore redundant and can be removed as well +as the label coalesc. + +if (tsbk) { + ... +} else { + ... + if (unlikely(!skb)) { + if (tskb) /* can never be true, redundant code */ + goto coalesc; + return; + } +} + +Addresses-Coverity: ("Logically dead code") +Signed-off-by: Colin Ian King +Reviewed-by: Mukesh Ojha +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets") +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 670804d4c1690..8b78cb96a8461 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3132,7 +3132,6 @@ void tcp_send_fin(struct sock *sk) + tskb = skb_rb_last(&sk->tcp_rtx_queue); + + if (tskb) { +-coalesce: + TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; + TCP_SKB_CB(tskb)->end_seq++; + tp->write_seq++; +@@ -3148,11 +3147,9 @@ void tcp_send_fin(struct sock *sk) + } + } else { + skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation); +- if (unlikely(!skb)) { +- if (tskb) +- goto coalesce; ++ if (unlikely(!skb)) + return; +- } ++ + INIT_LIST_HEAD(&skb->tcp_tsorted_anchor); + skb_reserve(skb, MAX_TCP_HEADER); + sk_forced_mem_schedule(sk, skb->truesize); +-- +2.43.0 + diff --git a/queue-4.19/tcp-use-refcount_inc_not_zero-in-tcp_twsk_unique.patch b/queue-4.19/tcp-use-refcount_inc_not_zero-in-tcp_twsk_unique.patch new file mode 100644 index 00000000000..d5fca9c534a --- /dev/null +++ b/queue-4.19/tcp-use-refcount_inc_not_zero-in-tcp_twsk_unique.patch @@ -0,0 +1,118 @@ +From 32ce9eac7e3c9f856741adf80cab86fe06f044a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 14:31:45 -0700 +Subject: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). + +From: Kuniyuki Iwashima + +[ Upstream commit f2db7230f73a80dbb179deab78f88a7947f0ab7e ] + +Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() +with nice analysis. + +Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for +timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's +sk_refcnt after putting it into ehash and releasing the bucket lock. + +Thus, there is a small race window where other threads could try to +reuse the port during connect() and call sock_hold() in tcp_twsk_unique() +for the TIME-WAIT socket with zero refcnt. + +If that happens, the refcnt taken by tcp_twsk_unique() is overwritten +and sock_put() will cause underflow, triggering a real use-after-free +somewhere else. + +To avoid the use-after-free, we need to use refcount_inc_not_zero() in +tcp_twsk_unique() and give up on reusing the port if it returns false. + +[0]: +refcount_t: addition on 0; use-after-free. +WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 +CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1 +Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023 +RIP: 0010:refcount_warn_saturate+0xe5/0x110 +Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8 +RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027 +RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0 +RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 +R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84 +R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 +FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 +PKRU: 55555554 +Call Trace: + + ? refcount_warn_saturate+0xe5/0x110 + ? __warn+0x81/0x130 + ? refcount_warn_saturate+0xe5/0x110 + ? report_bug+0x171/0x1a0 + ? refcount_warn_saturate+0xe5/0x110 + ? handle_bug+0x3c/0x80 + ? exc_invalid_op+0x17/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? refcount_warn_saturate+0xe5/0x110 + tcp_twsk_unique+0x186/0x190 + __inet_check_established+0x176/0x2d0 + __inet_hash_connect+0x74/0x7d0 + ? __pfx___inet_check_established+0x10/0x10 + tcp_v4_connect+0x278/0x530 + __inet_stream_connect+0x10f/0x3d0 + inet_stream_connect+0x3a/0x60 + __sys_connect+0xa8/0xd0 + __x64_sys_connect+0x18/0x20 + do_syscall_64+0x83/0x170 + entry_SYSCALL_64_after_hwframe+0x78/0x80 +RIP: 0033:0x7f62c11a885d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 +RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d +RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 +RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 +R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 + + +Fixes: ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance") +Reported-by: Anderson Nascimento +Closes: https://lore.kernel.org/netdev/37a477a6-d39e-486b-9577-3463f655a6b7@allelesecurity.com/ +Suggested-by: Eric Dumazet +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240501213145.62261-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index bd374eac9a75f..aa9aa38471f95 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -157,6 +157,12 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) + if (tcptw->tw_ts_recent_stamp && + (!twp || (reuse && time_after32(ktime_get_seconds(), + tcptw->tw_ts_recent_stamp)))) { ++ /* inet_twsk_hashdance() sets sk_refcnt after putting twsk ++ * and releasing the bucket lock. ++ */ ++ if (unlikely(!refcount_inc_not_zero(&sktw->sk_refcnt))) ++ return 0; ++ + /* In case of repair and re-using TIME-WAIT sockets we still + * want to be sure that it is safe as above but honor the + * sequence numbers and time stamps set as part of the repair +@@ -177,7 +183,7 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) + tp->rx_opt.ts_recent = tcptw->tw_ts_recent; + tp->rx_opt.ts_recent_stamp = tcptw->tw_ts_recent_stamp; + } +- sock_hold(sktw); ++ + return 1; + } + +-- +2.43.0 + -- 2.47.2