From a11c65789bcdc92d8bec04576ece5813bf6ad7c7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 20 Sep 2021 10:42:54 +0200 Subject: [PATCH] 5.14-stable patches added patches: events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch gen_compile_commands-fix-missing-sys-package.patch net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch net-ipa-initialize-all-filter-table-slots.patch powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch vhost_net-fix-oob-on-sendmsg-failure.patch --- ...g-read_once-instead-of-re-reading-it.patch | 36 ++++ ...ile_commands-fix-missing-sys-package.patch | 31 ++++ ...x-fix-a-data-race-in-unix_dgram_poll.patch | 97 +++++++++++ ...-on-any-error-in-dsa_slave_phy_setup.patch | 57 ++++++ ...pa-initialize-all-filter-table-slots.patch | 47 +++++ ...-fix-for-corrupt-irq-soft-mask-state.patch | 163 ++++++++++++++++++ ...memory-leaks-in-ip_cmsg_send-callers.patch | 81 +++++++++ queue-5.14/series | 8 + ...vhost_net-fix-oob-on-sendmsg-failure.patch | 55 ++++++ 9 files changed, 575 insertions(+) create mode 100644 queue-5.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch create mode 100644 queue-5.14/gen_compile_commands-fix-missing-sys-package.patch create mode 100644 queue-5.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch create mode 100644 queue-5.14/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch create mode 100644 queue-5.14/net-ipa-initialize-all-filter-table-slots.patch create mode 100644 queue-5.14/powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch create mode 100644 queue-5.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch create mode 100644 queue-5.14/vhost_net-fix-oob-on-sendmsg-failure.patch 
diff --git a/queue-5.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch b/queue-5.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch new file mode 100644 index 00000000000..09bc3670095 --- /dev/null +++ b/queue-5.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch @@ -0,0 +1,36 @@ +From b89a05b21f46150ac10a962aa50109250b56b03b Mon Sep 17 00:00:00 2001 +From: Baptiste Lepers +Date: Mon, 6 Sep 2021 11:53:10 +1000 +Subject: events: Reuse value read using READ_ONCE instead of re-reading it + +From: Baptiste Lepers + +commit b89a05b21f46150ac10a962aa50109250b56b03b upstream. + +In perf_event_addr_filters_apply, the task associated with +the event (event->ctx->task) is read using READ_ONCE at the beginning +of the function, checked, and then re-read from event->ctx->task, +voiding all guarantees of the checks. Reuse the value that was read by +READ_ONCE to ensure the consistency of the task struct throughout the +function. + +Fixes: 375637bc52495 ("perf/core: Introduce address range filtering") +Signed-off-by: Baptiste Lepers +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20210906015310.12802-1-baptiste.lepers@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10192,7 +10192,7 @@ static void perf_event_addr_filters_appl + return; + + if (ifh->nr_file_filters) { +- mm = get_task_mm(event->ctx->task); ++ mm = get_task_mm(task); + if (!mm) + goto restart; + diff --git a/queue-5.14/gen_compile_commands-fix-missing-sys-package.patch b/queue-5.14/gen_compile_commands-fix-missing-sys-package.patch new file mode 100644 index 00000000000..4ad7ec686e7 --- /dev/null +++ b/queue-5.14/gen_compile_commands-fix-missing-sys-package.patch 
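Review bot: The one-line fix is correct, but nothing at the call site tells a future reader why `task` must be used instead of `event->ctx->task`, so the regression this commit removes can easily be reintroduced; I would anchor the invariant on the changed line with `/* use the READ_ONCE() snapshot of ctx->task taken above; never re-read ctx->task */`. perf_event_addr_filters_apply begins well before this hunk, so the READ_ONCE() and the check it guards are not visible here and I rely on the commit message for them. The `goto restart` on a NULL mm is unchanged and outside the scope of this fix.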
@@ -0,0 +1,31 @@
+From ec783c7cb2495c5a3b8ca10db8056d43c528f940 Mon Sep 17 00:00:00 2001
+From: Kortan
+Date: Wed, 8 Sep 2021 11:28:48 +0800
+Subject: gen_compile_commands: fix missing 'sys' package
+
+From: Kortan
+
+commit ec783c7cb2495c5a3b8ca10db8056d43c528f940 upstream.
+
+We need to import the 'sys' package since the script has called
+sys.exit() method.
+
+Fixes: 6ad7cbc01527 ("Makefile: Add clang-tidy and static analyzer support to makefile")
+Signed-off-by: Kortan
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/clang-tools/gen_compile_commands.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/scripts/clang-tools/gen_compile_commands.py
++++ b/scripts/clang-tools/gen_compile_commands.py
+@@ -13,6 +13,7 @@ import logging
+ import os
+ import re
+ import subprocess
++import sys
+ 
+ _DEFAULT_OUTPUT = 'compile_commands.json'
+ _DEFAULT_LOG_LEVEL = 'WARNING'
diff --git a/queue-5.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch b/queue-5.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
new file mode 100644
index 00000000000..4e1d6ba4a3d
--- /dev/null
+++ b/queue-5.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
@@ -0,0 +1,97 @@ +From 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 8 Sep 2021 17:00:29 -0700 +Subject: net/af_unix: fix a data-race in unix_dgram_poll + +From: Eric Dumazet + +commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream. + +syzbot reported another data-race in af_unix [1] + +Lets change __skb_insert() to use WRITE_ONCE() when changing +skb head qlen. + +Also, change unix_dgram_poll() to use lockless version +of unix_recvq_full() + +It is verry possible we can switch all/most unix_recvq_full() +to the lockless version, this will be done in a future kernel version. + +[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1 + +BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll + +write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0: + __skb_insert include/linux/skbuff.h:1938 [inline] + __skb_queue_before include/linux/skbuff.h:2043 [inline] + __skb_queue_tail include/linux/skbuff.h:2076 [inline] + skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264 + unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850 + sock_sendmsg_nosec net/socket.c:703 [inline] + sock_sendmsg net/socket.c:723 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392 + ___sys_sendmsg net/socket.c:2446 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2532 + __do_sys_sendmmsg net/socket.c:2561 [inline] + __se_sys_sendmmsg net/socket.c:2558 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1: + skb_queue_len include/linux/skbuff.h:1869 [inline] + unix_recvq_full net/unix/af_unix.c:194 [inline] + unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777 + sock_poll+0x23e/0x260 net/socket.c:1288 + vfs_poll include/linux/poll.h:90 [inline] + ep_item_poll fs/eventpoll.c:846 [inline] + ep_send_events 
fs/eventpoll.c:1683 [inline] + ep_poll fs/eventpoll.c:1798 [inline] + do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226 + __do_sys_epoll_wait fs/eventpoll.c:2238 [inline] + __se_sys_epoll_wait fs/eventpoll.c:2233 [inline] + __x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000001b -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G W 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()") +Cc: Qian Cai +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 2 +- + net/unix/af_unix.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1935,7 +1935,7 @@ static inline void __skb_insert(struct s + WRITE_ONCE(newsk->prev, prev); + WRITE_ONCE(next->prev, newsk); + WRITE_ONCE(prev->next, newsk); +- list->qlen++; ++ WRITE_ONCE(list->qlen, list->qlen + 1); + } + + static inline void __skb_queue_splice(const struct sk_buff_head *list, +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2774,7 +2774,7 @@ static __poll_t unix_dgram_poll(struct f + + other = unix_peer(sk); + if (other && unix_peer(other) != sk && +- unix_recvq_full(other) && ++ unix_recvq_full_lockless(other) && + unix_dgram_peer_wake_me(sk, other)) + writable = 0; + diff --git a/queue-5.14/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch b/queue-5.14/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch new file mode 100644 index 00000000000..97b9b09240b --- /dev/null +++ b/queue-5.14/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch 
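Review bot: The new `unix_recvq_full_lockless(other)` call in unix_dgram_poll is a deliberate racy snapshot and the hunk leaves no comment saying so, which is how the next KCSAN cleanup ends up wrapping it in a lock again; I would add `/* lockless snapshot: a stale qlen only makes poll() conservative, never unsafe */` above the condition. The pairing with READ_ONCE() only closes the race if every writer of `qlen` uses WRITE_ONCE(): `__skb_insert` is converted here, but the dequeue and splice helpers in skbuff.h are outside the hunk and should be checked for a remaining plain `list->qlen--` before treating the report as resolved. The commit message itself leaves the other locked `unix_recvq_full()` callers for a later change, so this is a partial fix by design.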
@@ -0,0 +1,57 @@ +From 6a52e73368038f47f6618623d75061dc263b26ae Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Tue, 14 Sep 2021 16:43:31 +0300 +Subject: net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup + +From: Vladimir Oltean + +commit 6a52e73368038f47f6618623d75061dc263b26ae upstream. + +DSA supports connecting to a phy-handle, and has a fallback to a non-OF +based method of connecting to an internal PHY on the switch's own MDIO +bus, if no phy-handle and no fixed-link nodes were present. + +The -ENODEV error code from the first attempt (phylink_of_phy_connect) +is what triggers the second attempt (phylink_connect_phy). + +However, when the first attempt returns a different error code than +-ENODEV, this results in an unbalance of calls to phylink_create and +phylink_destroy by the time we exit the function. The phylink instance +has leaked. + +There are many other error codes that can be returned by +phylink_of_phy_connect. For example, phylink_validate returns -EINVAL. +So this is a practical issue too. + +Fixes: aab9c4067d23 ("net: dsa: Plug in PHYLINK support") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20210914134331.2303380-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/slave.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -1784,13 +1784,11 @@ static int dsa_slave_phy_setup(struct ne + * use the switch internal MDIO bus instead + */ + ret = dsa_slave_phy_connect(slave_dev, dp->index, phy_flags); +- if (ret) { +- netdev_err(slave_dev, +- "failed to connect to port %d: %d\n", +- dp->index, ret); +- phylink_destroy(dp->pl); +- return ret; +- } ++ } ++ if (ret) { ++ netdev_err(slave_dev, "failed to connect to PHY: %pe\n", ++ ERR_PTR(ret)); ++ phylink_destroy(dp->pl); + } + + return ret; 
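Review bot: After `phylink_destroy(dp->pl)` on the new shared error path, `dp->pl` still holds the freed pointer; if any later teardown step or driver callback in dsa_slave_create's failure path touches `dp->pl` (none is visible in this hunk), that becomes a use-after-free or double destroy, so I would clear it: `phylink_destroy(dp->pl); dp->pl = NULL;`. The restructure itself looks right: the fallback `dsa_slave_phy_connect()` still runs only inside the `-ENODEV` branch that opens above the hunk, and every other non-zero `ret` now reaches the single cleanup instead of leaking the phylink instance. The new message drops the port index the old one printed; `netdev_err` already prefixes the device name, so that is acceptable, but worth a glance if anyone greps logs for the old text.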
diff --git a/queue-5.14/net-ipa-initialize-all-filter-table-slots.patch b/queue-5.14/net-ipa-initialize-all-filter-table-slots.patch
new file mode 100644
index 00000000000..2aca7a27769
--- /dev/null
+++ b/queue-5.14/net-ipa-initialize-all-filter-table-slots.patch
@@ -0,0 +1,47 @@ +From b5c102238cea985d8126b173d06b9e1de88037ee Mon Sep 17 00:00:00 2001 +From: Alex Elder +Date: Tue, 7 Sep 2021 12:05:54 -0500 +Subject: net: ipa: initialize all filter table slots + +From: Alex Elder + +commit b5c102238cea985d8126b173d06b9e1de88037ee upstream. + +There is an off-by-one problem in ipa_table_init_add(), when +initializing filter tables. + +In that function, the number of filter table entries is determined +based on the number of set bits in the filter map. However that +count does *not* include the extra "slot" in the filter table that +holds the filter map itself. Meanwhile, ipa_table_addr() *does* +include the filter map in the memory it returns, but because the +count it's provided doesn't include it, it includes one too few +table entries. + +Fix this by including the extra slot for the filter map in the count +computed in ipa_table_init_add(). + +Note: ipa_filter_reset_table() does not have this problem; it resets +filter table entries one by one, but does not overwrite the filter +bitmap. + +Fixes: 2b9feef2b6c2 ("soc: qcom: ipa: filter and routing tables") +Signed-off-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipa/ipa_table.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ipa/ipa_table.c ++++ b/drivers/net/ipa/ipa_table.c +@@ -430,7 +430,8 @@ static void ipa_table_init_add(struct gs + * table region determines the number of entries it has. + */ + if (filter) { +- count = hweight32(ipa->filter_map); ++ /* Include one extra "slot" to hold the filter map itself */ ++ count = 1 + hweight32(ipa->filter_map); + hash_count = hash_mem->size ? count : 0; + } else { + count = mem->size / sizeof(__le64); diff --git a/queue-5.14/powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch b/queue-5.14/powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch new file mode 100644 index 00000000000..c3814fb7a4c 
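Review bot: The `1 +` encodes the filter-map slot as a bare literal in the one place the table layout is computed, and since the count was off by exactly this slot for a long time the assumption deserves a name rather than a comment, e.g. `count = IPA_FILTER_MAP_SLOTS + hweight32(ipa->filter_map);` with the constant defined alongside the other table constants. If `mem->size` bounds the filter region the same way it bounds the route region in the `else` branch just below (`count = mem->size / sizeof(__le64)`), a `WARN_ON(count * sizeof(__le64) > mem->size)` after this computation would catch any future mismatch between the map and the region; I cannot confirm that from the hunk. ipa_table_init_add starts above the hunk, so how `count` and `hash_count` are consumed afterwards is not visible here.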
--- /dev/null
+++ b/queue-5.14/powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch
@@ -0,0 +1,163 @@ +From b871895b148256f1721bc565d803860242755a0b Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 3 Sep 2021 22:57:06 +1000 +Subject: powerpc/64s: system call scv tabort fix for corrupt irq soft-mask state + +From: Nicholas Piggin + +commit b871895b148256f1721bc565d803860242755a0b upstream. + +If a system call is made with a transaction active, the kernel +immediately aborts it and returns. scv system calls disable irqs even +earlier in their interrupt handler, and tabort_syscall does not fix this +up. + +This can result in irq soft-mask state being messed up on the next +kernel entry, and crashing at BUG_ON(arch_irq_disabled_regs(regs)) in +the kernel exit handlers, or possibly worse. + +This can't easily be fixed in asm because at this point an async irq may +have hit, which is soft-masked and marked pending. The pending interrupt +has to be replayed before returning to userspace. The fix is to move the +tabort_syscall code to C in the main syscall handler, and just skip the +system call but otherwise return as usual, which will take care of the +pending irqs. This also does a bunch of other things including possible +signal delivery to the process, but the doomed transaction should still +be aborted when it is eventually returned to. + +The sc system call path is changed to use the new C function as well to +reduce code and path differences. This slows down how quickly system +calls are aborted when called while a transaction is active, which could +potentially impact TM performance. But making any system call is already +bad for performance, and TM is on the way out, so go with simpler over +faster. 
+ +Fixes: 7fa95f9adaee7 ("powerpc/64s: system call support for scv/rfscv instructions") +Reported-by: Eirik Fuller +Signed-off-by: Nicholas Piggin +[mpe: Use #ifdef rather than IS_ENABLED() to fix build error on 32-bit] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210903125707.1601269-1-npiggin@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/interrupt.c | 30 +++++++++++++++++++++++++++ + arch/powerpc/kernel/interrupt_64.S | 41 ------------------------------------- + 2 files changed, 30 insertions(+), 41 deletions(-) + +--- a/arch/powerpc/kernel/interrupt.c ++++ b/arch/powerpc/kernel/interrupt.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + + #if defined(CONFIG_PPC_ADV_DEBUG_REGS) && defined(CONFIG_PPC32) +@@ -138,6 +139,35 @@ notrace long system_call_exception(long + */ + irq_soft_mask_regs_set_state(regs, IRQS_ENABLED); + ++ /* ++ * If the system call was made with a transaction active, doom it and ++ * return without performing the system call. Unless it was an ++ * unsupported scv vector, in which case it's treated like an illegal ++ * instruction. ++ */ ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ if (unlikely(MSR_TM_TRANSACTIONAL(regs->msr)) && ++ !trap_is_unsupported_scv(regs)) { ++ /* Enable TM in the kernel, and disable EE (for scv) */ ++ hard_irq_disable(); ++ mtmsr(mfmsr() | MSR_TM); ++ ++ /* tabort, this dooms the transaction, nothing else */ ++ asm volatile(".long 0x7c00071d | ((%0) << 16)" ++ :: "r"(TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)); ++ ++ /* ++ * Userspace will never see the return value. Execution will ++ * resume after the tbegin. of the aborted transaction with the ++ * checkpointed register state. A context switch could occur ++ * or signal delivered to the process before resuming the ++ * doomed transaction context, but that should all be handled ++ * as expected. 
++ */ ++ return -ENOSYS; ++ } ++#endif // CONFIG_PPC_TRANSACTIONAL_MEM ++ + local_irq_enable(); + + if (unlikely(current_thread_info()->flags & _TIF_SYSCALL_DOTRACE)) { +--- a/arch/powerpc/kernel/interrupt_64.S ++++ b/arch/powerpc/kernel/interrupt_64.S +@@ -12,7 +12,6 @@ + #include + #include + #include +-#include + + .section ".toc","aw" + SYS_CALL_TABLE: +@@ -55,12 +54,6 @@ COMPAT_SYS_CALL_TABLE: + .globl system_call_vectored_\name + system_call_vectored_\name: + _ASM_NOKPROBE_SYMBOL(system_call_vectored_\name) +-#ifdef CONFIG_PPC_TRANSACTIONAL_MEM +-BEGIN_FTR_SECTION +- extrdi. r10, r12, 1, (63-MSR_TS_T_LG) /* transaction active? */ +- bne tabort_syscall +-END_FTR_SECTION_IFSET(CPU_FTR_TM) +-#endif + SCV_INTERRUPT_TO_KERNEL + mr r10,r1 + ld r1,PACAKSAVE(r13) +@@ -247,12 +240,6 @@ _ASM_NOKPROBE_SYMBOL(system_call_common_ + .globl system_call_common + system_call_common: + _ASM_NOKPROBE_SYMBOL(system_call_common) +-#ifdef CONFIG_PPC_TRANSACTIONAL_MEM +-BEGIN_FTR_SECTION +- extrdi. r10, r12, 1, (63-MSR_TS_T_LG) /* transaction active? */ +- bne tabort_syscall +-END_FTR_SECTION_IFSET(CPU_FTR_TM) +-#endif + mr r10,r1 + ld r1,PACAKSAVE(r13) + std r10,0(r1) +@@ -425,34 +412,6 @@ SOFT_MASK_TABLE(.Lsyscall_rst_start, 1b) + RESTART_TABLE(.Lsyscall_rst_start, .Lsyscall_rst_end, syscall_restart) + #endif + +-#ifdef CONFIG_PPC_TRANSACTIONAL_MEM +-tabort_syscall: +-_ASM_NOKPROBE_SYMBOL(tabort_syscall) +- /* Firstly we need to enable TM in the kernel */ +- mfmsr r10 +- li r9, 1 +- rldimi r10, r9, MSR_TM_LG, 63-MSR_TM_LG +- mtmsrd r10, 0 +- +- /* tabort, this dooms the transaction, nothing else */ +- li r9, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT) +- TABORT(R9) +- +- /* +- * Return directly to userspace. We have corrupted user register state, +- * but userspace will never see that register state. Execution will +- * resume after the tbegin of the aborted transaction with the +- * checkpointed register state. 
+- */ +- li r9, MSR_RI +- andc r10, r10, r9 +- mtmsrd r10, 1 +- mtspr SPRN_SRR0, r11 +- mtspr SPRN_SRR1, r12 +- RFI_TO_USER +- b . /* prevent speculative execution */ +-#endif +- + /* + * If MSR EE/RI was never enabled, IRQs not reconciled, NVGPRs not + * touched, no exit work created, then this can be used. diff --git a/queue-5.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch b/queue-5.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch new file mode 100644 index 00000000000..3e6d11245b8 --- /dev/null +++ b/queue-5.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch 
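Review bot: The C version hand-assembles `tabort.` as `.long 0x7c00071d | ((%0) << 16)` while the removed assembly went through the `TABORT()` helper, so the opcode encoding is now maintained in two places and the `<< 16` has no comment saying it is the RA field; if asm/ppc-opcode.h exposes a raw-opcode form of the same macro, using it would keep a single definition, and otherwise the comment should read `/* tabort. with RA = cause (bits 16-20); this dooms the transaction, nothing else */`. The ordering `hard_irq_disable()` then `mtmsr(mfmsr() | MSR_TM)` is what the comment says it is, and the early `return -ENOSYS` is the actual fix because it lets the normal syscall exit replay the soft-masked interrupt that the old `RFI_TO_USER` path skipped. system_call_exception continues on both sides of this hunk, so I cannot see whether any later code in the function assumes the transaction check already happened.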
@@ -0,0 +1,81 @@ +From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001 +From: Yajun Deng +Date: Mon, 13 Sep 2021 12:04:42 +0800 +Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers" + +From: Yajun Deng + +commit d7807a9adf4856171f8441f13078c33941df48ab upstream. + +This reverts commit 919483096bfe75dda338e98d56da91a263746a0a. + +There is only when ip_options_get() return zero need to free. +It already called kfree() when return error. + +Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ping.c | 5 ++--- + net/ipv4/raw.c | 5 ++--- + net/ipv4/udp.c | 5 ++--- + 4 files changed, 7 insertions(+), 10 deletions(-) + +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -279,7 +279,7 @@ int ip_cmsg_send(struct sock *sk, struct + case IP_RETOPTS: + err = cmsg->cmsg_len - sizeof(struct cmsghdr); + +- /* Our caller is responsible for freeing ipc->opt */ ++ /* Our caller is responsible for freeing ipc->opt when err = 0 */ + err = ip_options_get(net, &ipc->opt, + KERNEL_SOCKPTR(CMSG_DATA(cmsg)), + err < 40 ? 
err : 40); +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -727,10 +727,9 @@ static int ping_v4_sendmsg(struct sock * + + if (msg->msg_controllen) { + err = ip_cmsg_send(sk, msg, &ipc, false); +- if (unlikely(err)) { +- kfree(ipc.opt); ++ if (unlikely(err)) + return err; +- } ++ + if (ipc.opt) + free = 1; + } +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -562,10 +562,9 @@ static int raw_sendmsg(struct sock *sk, + + if (msg->msg_controllen) { + err = ip_cmsg_send(sk, msg, &ipc, false); +- if (unlikely(err)) { +- kfree(ipc.opt); ++ if (unlikely(err)) + goto out; +- } ++ + if (ipc.opt) + free = 1; + } +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1122,10 +1122,9 @@ int udp_sendmsg(struct sock *sk, struct + if (err > 0) + err = ip_cmsg_send(sk, msg, &ipc, + sk->sk_family == AF_INET6); +- if (unlikely(err < 0)) { +- kfree(ipc.opt); ++ if (unlikely(err < 0)) + return err; +- } ++ + if (ipc.opt) + free = 1; + connected = 0; diff --git a/queue-5.14/series b/queue-5.14/series index 9ffa874e4ad..e2b2be058db 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -54,3 +54,11 @@ net-mlx5-fix-potential-sleeping-in-atomic-context.patch net-stmmac-fix-system-hang-caused-by-eee_ctrl_timer-during-suspend-resume.patch igc-fix-tunnel-offloading.patch nvme-tcp-fix-io_work-priority-inversion.patch +powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch +events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch +net-ipa-initialize-all-filter-table-slots.patch +gen_compile_commands-fix-missing-sys-package.patch +vhost_net-fix-oob-on-sendmsg-failure.patch +net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch +net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch +revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch diff --git a/queue-5.14/vhost_net-fix-oob-on-sendmsg-failure.patch b/queue-5.14/vhost_net-fix-oob-on-sendmsg-failure.patch new file mode 100644 index 00000000000..d043cfe9187 --- /dev/null 
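Review bot: Removing `kfree(ipc.opt)` from the three callers is only safe if ip_cmsg_send() can never fail after ip_options_get() has already succeeded; the visible `case IP_RETOPTS:` implies a per-cmsg switch, so a message carrying a valid IP_RETOPTS followed by a malformed cmsg that fails its own length check would return an error with `ipc->opt` allocated and, after this revert, nothing frees it. The revert message argues only about ip_options_get()'s own error path, which is not the case the original commit guarded, and a sender on an ordinary UDP socket can repeat that pattern to leak kernel memory. I would keep the callers' `kfree(ipc.opt)` (kfree(NULL) is harmless) or make ip_cmsg_send() free `ipc->opt` itself on any error after IP_RETOPTS, and reconsider taking this revert into stable. ping_v4_sendmsg, raw_sendmsg and udp_sendmsg all extend beyond their hunks, so the success-path `free` handling is only partly visible here.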
+++ b/queue-5.14/vhost_net-fix-oob-on-sendmsg-failure.patch @@ -0,0 +1,55 @@ +From 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 8 Sep 2021 13:42:09 +0200 +Subject: vhost_net: fix OoB on sendmsg() failure. + +From: Paolo Abeni + +commit 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c upstream. + +If the sendmsg() call in vhost_tx_batch() fails, both the 'batched_xdp' +and 'done_idx' indexes are left unchanged. If such failure happens +when batched_xdp == VHOST_NET_BATCH, the next call to +vhost_net_build_xdp() will access and write memory outside the xdp +buffers area. + +Since sendmsg() can only error with EBADFD, this change addresses the +issue explicitly freeing the XDP buffers batch on error. + +Fixes: 0a0be13b8fe2 ("vhost_net: batch submitting XDP buffers to underlayer sockets") +Suggested-by: Jason Wang +Signed-off-by: Paolo Abeni +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/net.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -467,7 +467,7 @@ static void vhost_tx_batch(struct vhost_ + .num = nvq->batched_xdp, + .ptr = nvq->xdp, + }; +- int err; ++ int i, err; + + if (nvq->batched_xdp == 0) + goto signal_used; +@@ -476,6 +476,15 @@ static void vhost_tx_batch(struct vhost_ + err = sock->ops->sendmsg(sock, msghdr, 0); + if (unlikely(err < 0)) { + vq_err(&nvq->vq, "Fail to batch sending packets\n"); ++ ++ /* free pages owned by XDP; since this is an unlikely error path, ++ * keep it simple and avoid more complex bulk update for the ++ * used pages ++ */ ++ for (i = 0; i < nvq->batched_xdp; ++i) ++ put_page(virt_to_head_page(nvq->xdp[i].data)); ++ nvq->batched_xdp = 0; ++ nvq->done_idx = 0; + return; + } + -- 2.47.2
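Review bot: Resetting `nvq->done_idx = 0` on the error path discards the used-ring entries for every descriptor already consumed into this batch, so those buffers are never returned to the guest; the previous code left `done_idx` intact so the next `signal_used` would complete them, and the new path should either fall through to `signal_used` after releasing the pages or state why abandoning them is acceptable. If, as the message says, sendmsg() here can only fail with EBADFD because the backend socket is gone, a comment such as `/* EBADFD: backend socket is gone, the batched descriptors die with it */` would make that trade-off explicit. The `put_page(virt_to_head_page(nvq->xdp[i].data))` loop assumes each batched `xdp.data` sits in a page that carries its own reference, which matches a page_frag style allocator but should be confirmed against vhost_net_build_xdp, which is outside this hunk. vhost_tx_batch continues past the hunk.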