From bb11493773e9ae90ed2d848d1b5225bba886f316 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 8 Mar 2024 12:00:17 -0500 Subject: [PATCH] Fixes for 5.15 
Signed-off-by: Sasha Levin --- ...ialise-xdp_rxq_info-struct-before-ru.patch | 49 ++++ ...er-vma-alignment-for-memory-mapped-f.patch | 46 ++++ ...re-to-pull-inner-header-in-geneve_rx.patch | 139 ++++++++++ ...i-right-after-disabling-irqs-when-ha.patch | 41 +++ ...e-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch | 138 ++++++++++ ...ntial-null-pointer-dereference-in-ic.patch | 40 +++ ...ossible-uaf-in-ip6_route_mpath_notif.patch | 258 ++++++++++++++++++ ...runtime-pm-count-underflow-on-link-s.patch | 45 +++ ...-warning-in-rds_conn_connect_if_down.patch | 57 ++++ ...se-after-free-inside-sparx5_del_mact.patch | 46 ++++ ...ntrack_h323-add-protection-for-bmp-l.patch | 71 +++++ ...-fix-l3num-expectations-with-inet-ps.patch | 62 +++++ ...a-race-around-sysctl_netrom_default_.patch | 36 +++ ...a-race-around-sysctl_netrom_link_fai.patch | 36 +++ ...a-race-around-sysctl_netrom_obsolesc.patch | 37 +++ ...a-race-around-sysctl_netrom_routing_.patch | 36 +++ ...a-race-around-sysctl_netrom_transpor.patch | 36 +++ ...e-around-sysctl_netrom_transpor.patch-1302 | 37 +++ ...-around-sysctl_netrom_transpor.patch-15907 | 37 +++ ...e-around-sysctl_netrom_transpor.patch-1870 | 36 +++ ...-around-sysctl_netrom_transpor.patch-19374 | 36 +++ ...e-around-sysctl_netrom_transpor.patch-3139 | 37 +++ ...ta-races-around-sysctl_net_busy_read.patch | 68 +++++ ...races-around-sysctl_netrom_network_t.patch | 74 +++++ queue-5.15/series | 25 ++ ...d-fix-tracepoints-that-save-qdisc_de.patch | 92 +++++++ 26 files changed, 1615 insertions(+) create mode 100644 queue-5.15/cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch create mode 100644 queue-5.15/erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch create mode 100644 queue-5.15/geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch create mode 100644 queue-5.15/i40e-disable-napi-right-after-disabling-irqs-when-ha.patch create mode 100644 queue-5.15/ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch create mode 100644 
queue-5.15/net-ice-fix-potential-null-pointer-dereference-in-ic.patch create mode 100644 queue-5.15/net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch create mode 100644 queue-5.15/net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch create mode 100644 queue-5.15/net-rds-fix-warning-in-rds_conn_connect_if_down.patch create mode 100644 queue-5.15/net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch create mode 100644 queue-5.15/netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch create mode 100644 queue-5.15/netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_default_.patch create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1302 create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-15907 create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1870 create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19374 create mode 100644 queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-3139 create mode 100644 queue-5.15/netrom-fix-data-races-around-sysctl_net_busy_read.patch create mode 100644 queue-5.15/netrom-fix-data-races-around-sysctl_netrom_network_t.patch create mode 100644 queue-5.15/tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch diff --git a/queue-5.15/cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch b/queue-5.15/cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch new file mode 100644 index 00000000000..f91ba477b0b 
--- /dev/null
+++ b/queue-5.15/cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch
@@ -0,0 +1,49 @@
+From 12adf7b08ab33203186ea02532ff09cc8e40e7a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Mar 2024 22:31:32 +0100
+Subject: cpumap: Zero-initialise xdp_rxq_info struct before running XDP
+ program
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen
+
+[ Upstream commit 2487007aa3b9fafbd2cb14068f49791ce1d7ede5 ]
+
+When running an XDP program that is attached to a cpumap entry, we don't
+initialise the xdp_rxq_info data structure being used in the xdp_buff
+that backs the XDP program invocation. Tobias noticed that this leads to
+random values being returned as the xdp_md->rx_queue_index value for XDP
+programs running in a cpumap.
+
+This means we're basically returning the contents of the uninitialised
+memory, which is bad. Fix this by zero-initialising the rxq data
+structure before running the XDP program.
+
+Fixes: 9216477449f3 ("bpf: cpumap: Add the possibility to attach an eBPF program to cpumap")
+Reported-by: Tobias Böhm
+Signed-off-by: Toke Høiland-Jørgensen
+Link: https://lore.kernel.org/r/20240305213132.11955-1-toke@redhat.com
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/cpumap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
+index 8d1c4b3ee7604..f7de5b313cc5b 100644
+--- a/kernel/bpf/cpumap.c
++++ b/kernel/bpf/cpumap.c
+@@ -221,7 +221,7 @@ static int cpu_map_bpf_prog_run_xdp(struct bpf_cpu_map_entry *rcpu,
+ void **frames, int n,
+ struct xdp_cpumap_stats *stats)
+ {
+- struct xdp_rxq_info rxq;
++ struct xdp_rxq_info rxq = {};
+ struct xdp_buff xdp;
+ int i, nframes = 0;
+
+--
+2.43.0
+
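Review bot: The new `struct xdp_rxq_info rxq = {};` in cpu_map_bpf_prog_run_xdp() (kernel/bpf/cpumap.c) carries no comment saying why the zeroing matters, so a later cleanup could drop it as redundant. The commit message states that the struct's contents reach the XDP program as `xdp_md->rx_queue_index`, which makes this a guard against exposing uninitialised kernel stack; I would record that next to the declaration, e.g. `/* zeroed: rxq fields are readable by the XDP program via xdp_md */`. `struct xdp_buff xdp;` on the following line is still declared without an initialiser, and where its fields are filled in lies outside the hunk, so that is worth confirming as well.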
diff --git a/queue-5.15/erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch b/queue-5.15/erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch
new file mode 100644
index 00000000000..3e9f2ed5732
--- /dev/null
+++ b/queue-5.15/erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch
@@ -0,0 +1,46 @@
+From 9deea584ddedefdec509c7736550783ec87c9920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Mar 2024 13:31:38 +0800
+Subject: erofs: apply proper VMA alignment for memory mapped files on THP
+
+From: Gao Xiang
+
+[ Upstream commit 4127caee89612a84adedd78c9453089138cd5afe ]
+
+There are mainly two reasons that thp_get_unmapped_area() should be
+used for EROFS as other filesystems:
+
+ - It's needed to enable PMD mappings as a FSDAX filesystem, see
+ commit 74d2fad1334d ("thp, dax: add thp_get_unmapped_area for pmd
+ mappings");
+
+ - It's useful together with large folios and
+ CONFIG_READ_ONLY_THP_FOR_FS which enable THPs for mmapped files
+ (e.g. shared libraries) even without FSDAX. See commit 1854bc6e2420
+ ("mm/readahead: Align file mappings for non-DAX").
+
+Fixes: 06252e9ce05b ("erofs: dax support for non-tailpacking regular file")
+Fixes: ce529cc25b18 ("erofs: enable large folios for iomap mode")
+Fixes: e6687b89225e ("erofs: enable large folios for fscache mode")
+Reviewed-by: Jingbo Xu
+Reviewed-by: Chao Yu
+Signed-off-by: Gao Xiang
+Link: https://lore.kernel.org/r/20240306053138.2240206-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin
+---
+ fs/erofs/data.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/erofs/data.c b/fs/erofs/data.c
+index 16a41d0db55a3..a859bf0f31df2 100644
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -340,4 +340,5 @@ const struct file_operations erofs_file_fops = {
+ .read_iter = erofs_file_read_iter,
+ .mmap = erofs_file_mmap,
+ .splice_read = generic_file_splice_read,
++ .get_unmapped_area = thp_get_unmapped_area,
+ };
+--
+2.43.0
+
diff --git a/queue-5.15/geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch b/queue-5.15/geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch
new file mode 100644
index 00000000000..901511162e2
--- /dev/null
+++ b/queue-5.15/geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch
@@ -0,0 +1,139 @@ +From 046cb2808ec09e0654ff3a994c7e0e3265047b46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 13:11:52 +0000 +Subject: geneve: make sure to pull inner header in geneve_rx() + +From: Eric Dumazet + +[ Upstream commit 1ca1ba465e55b9460e4e75dec9fff31e708fec74 ] + +syzbot triggered a bug in geneve_rx() [1] + +Issue is similar to the one I fixed in commit 8d975c15c0cd +("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") + +We have to save skb->network_header in a temporary variable +in order to be able to recompute the network_header pointer +after a pskb_inet_may_pull() call. + +pskb_inet_may_pull() makes sure the needed headers are in skb->head. + +[1] +BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] + BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline] + BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391 + IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] + geneve_rx drivers/net/geneve.c:279 [inline] + geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391 + udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108 + udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186 + udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346 + __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422 + udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604 + ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 + NF_HOOK include/linux/netfilter.h:314 [inline] + ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 + dst_input include/net/dst.h:461 [inline] + ip_rcv_finish net/ipv4/ip_input.c:449 [inline] + NF_HOOK include/linux/netfilter.h:314 [inline] + ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569 + __netif_receive_skb_one_core net/core/dev.c:5534 [inline] + __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 + process_backlog+0x480/0x8b0 net/core/dev.c:5976 + __napi_poll+0xe3/0x980 
net/core/dev.c:6576 + napi_poll net/core/dev.c:6645 [inline] + net_rx_action+0x8b8/0x1870 net/core/dev.c:6778 + __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553 + do_softirq+0x9a/0xf0 kernel/softirq.c:454 + __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381 + local_bh_enable include/linux/bottom_half.h:33 [inline] + rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline] + __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378 + dev_queue_xmit include/linux/netdevice.h:3171 [inline] + packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 + packet_snd net/packet/af_packet.c:3081 [inline] + packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x735/0xa10 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3819 [inline] + slab_alloc_node mm/slub.c:3860 [inline] + kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 + __alloc_skb+0x352/0x790 net/core/skbuff.c:651 + alloc_skb include/linux/skbuff.h:1296 [inline] + alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394 + sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783 + packet_alloc_skb net/packet/af_packet.c:2930 [inline] + packet_snd net/packet/af_packet.c:3024 [inline] + packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x735/0xa10 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + 
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels") +Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index 605332f36d9df..9569b5cc595ec 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -219,7 +219,7 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs, + struct genevehdr *gnvh = geneve_hdr(skb); + struct metadata_dst *tun_dst = NULL; + unsigned int len; +- int err = 0; ++ int nh, err = 0; + void *oiph; + + if (ip_tunnel_collect_metadata() || gs->collect_md) { +@@ -263,9 +263,23 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs, + goto drop; + } + +- oiph = skb_network_header(skb); ++ /* Save offset of outer header relative to skb->head, ++ * because we are going to reset the network header to the inner header ++ * and might change skb->head. ++ */ ++ nh = skb_network_header(skb) - skb->head; ++ + skb_reset_network_header(skb); + ++ if (!pskb_inet_may_pull(skb)) { ++ DEV_STATS_INC(geneve->dev, rx_length_errors); ++ DEV_STATS_INC(geneve->dev, rx_errors); ++ goto drop; ++ } ++ ++ /* Get the outer header. */ ++ oiph = skb->head + nh; ++ + if (geneve_get_sk_family(gs) == AF_INET) + err = IP_ECN_decapsulate(oiph, skb); + #if IS_ENABLED(CONFIG_IPV6) +-- +2.43.0 + diff --git a/queue-5.15/i40e-disable-napi-right-after-disabling-irqs-when-ha.patch b/queue-5.15/i40e-disable-napi-right-after-disabling-irqs-when-ha.patch new file mode 100644 index 00000000000..cbec1f3f116 --- /dev/null +++ b/queue-5.15/i40e-disable-napi-right-after-disabling-irqs-when-ha.patch 
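Review bot: In geneve_rx() (drivers/net/geneve.c) the hunk recomputes `oiph` after `pskb_inet_may_pull()` because that call may change `skb->head`, but `gnvh`, taken from `geneve_hdr(skb)` at the top of the function, points into the same buffer and gets no such treatment. The lines after `IP_ECN_decapsulate()` are outside the hunk, so I cannot tell whether `gnvh` is read again; if it is, it has to be re-derived from `skb->head` the same way. Either way I would extend the new comment so a later edit does not reintroduce a stale-pointer read: `/* No pointer into skb data taken above (gnvh, oiph) is valid past pskb_inet_may_pull(). */`.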
@@ -0,0 +1,41 @@ +From 2f0554fac8d112412955dc59bace2a59ddb29cb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 22:45:52 +0100 +Subject: i40e: disable NAPI right after disabling irqs when handling xsk_pool + +From: Maciej Fijalkowski + +[ Upstream commit d562b11c1eac7d73f4c778b4cbe5468f86b1f20d ] + +Disable NAPI before shutting down queues that this particular NAPI +contains so that the order of actions in i40e_queue_pair_disable() +mirrors what we do in i40e_queue_pair_enable(). + +Fixes: 123cecd427b6 ("i40e: added queue pair disable/enable functions") +Signed-off-by: Maciej Fijalkowski +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Acked-by: Magnus Karlsson +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 3d2b92a952a65..7b522d55f3684 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -13558,9 +13558,9 @@ int i40e_queue_pair_disable(struct i40e_vsi *vsi, int queue_pair) + return err; + + i40e_queue_pair_disable_irq(vsi, queue_pair); ++ i40e_queue_pair_toggle_napi(vsi, queue_pair, false /* off */); + err = i40e_queue_pair_toggle_rings(vsi, queue_pair, false /* off */); + i40e_clean_rx_ring(vsi->rx_rings[queue_pair]); +- i40e_queue_pair_toggle_napi(vsi, queue_pair, false /* off */); + i40e_queue_pair_clean_rings(vsi, queue_pair); + i40e_queue_pair_reset_stats(vsi, queue_pair); + +-- +2.43.0 + diff --git a/queue-5.15/ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch b/queue-5.15/ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch new file mode 100644 index 00000000000..f9845bf2d0f --- /dev/null +++ b/queue-5.15/ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch 
@@ -0,0 +1,138 @@ +From aa95e962c94593f51ad267358b75b45fe45fdc51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 22:45:51 +0100 +Subject: ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able + +From: Maciej Fijalkowski + +[ Upstream commit cbf996f52c4e658b3fb4349a869a62fd2d4c3c1c ] + +Currently routines that are supposed to toggle state of ring pair do not +take care of associated interrupt with queue vector that these rings +belong to. This causes funky issues such as dead interface due to irq +misconfiguration, as per Pavel's report from Closes: tag. + +Add a function responsible for disabling single IRQ in EIMC register and +call this as a very first thing when disabling ring pair during xsk_pool +setup. For enable let's reuse ixgbe_irq_enable_queues(). Besides this, +disable/enable NAPI as first/last thing when dealing with closing or +opening ring pair that xsk_pool is being configured on. + +Reported-by: Pavel Vazharov +Closes: https://lore.kernel.org/netdev/CAJEV1ijxNyPTwASJER1bcZzS9nMoZJqfR86nu_3jFFVXzZQ4NA@mail.gmail.com/ +Fixes: 024aa5800f32 ("ixgbe: added Rx/Tx ring disable/enable functions") +Signed-off-by: Maciej Fijalkowski +Acked-by: Magnus Karlsson +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 56 ++++++++++++++++--- + 1 file changed, 49 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index cb9e9d70b338c..d7eabc526f782 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -2941,8 +2941,8 @@ static void ixgbe_check_lsc(struct ixgbe_adapter *adapter) + static inline void ixgbe_irq_enable_queues(struct ixgbe_adapter *adapter, + u64 qmask) + { +- u32 mask; + struct ixgbe_hw *hw = &adapter->hw; ++ u32 mask; + + switch (hw->mac.type) { + case 
ixgbe_mac_82598EB: +@@ -10380,6 +10380,44 @@ static void ixgbe_reset_rxr_stats(struct ixgbe_ring *rx_ring) + memset(&rx_ring->rx_stats, 0, sizeof(rx_ring->rx_stats)); + } + ++/** ++ * ixgbe_irq_disable_single - Disable single IRQ vector ++ * @adapter: adapter structure ++ * @ring: ring index ++ **/ ++static void ixgbe_irq_disable_single(struct ixgbe_adapter *adapter, u32 ring) ++{ ++ struct ixgbe_hw *hw = &adapter->hw; ++ u64 qmask = BIT_ULL(ring); ++ u32 mask; ++ ++ switch (adapter->hw.mac.type) { ++ case ixgbe_mac_82598EB: ++ mask = qmask & IXGBE_EIMC_RTX_QUEUE; ++ IXGBE_WRITE_REG(&adapter->hw, IXGBE_EIMC, mask); ++ break; ++ case ixgbe_mac_82599EB: ++ case ixgbe_mac_X540: ++ case ixgbe_mac_X550: ++ case ixgbe_mac_X550EM_x: ++ case ixgbe_mac_x550em_a: ++ mask = (qmask & 0xFFFFFFFF); ++ if (mask) ++ IXGBE_WRITE_REG(hw, IXGBE_EIMS_EX(0), mask); ++ mask = (qmask >> 32); ++ if (mask) ++ IXGBE_WRITE_REG(hw, IXGBE_EIMS_EX(1), mask); ++ break; ++ default: ++ break; ++ } ++ IXGBE_WRITE_FLUSH(&adapter->hw); ++ if (adapter->flags & IXGBE_FLAG_MSIX_ENABLED) ++ synchronize_irq(adapter->msix_entries[ring].vector); ++ else ++ synchronize_irq(adapter->pdev->irq); ++} ++ + /** + * ixgbe_txrx_ring_disable - Disable Rx/Tx/XDP Tx rings + * @adapter: adapter structure +@@ -10396,6 +10434,11 @@ void ixgbe_txrx_ring_disable(struct ixgbe_adapter *adapter, int ring) + tx_ring = adapter->tx_ring[ring]; + xdp_ring = adapter->xdp_ring[ring]; + ++ ixgbe_irq_disable_single(adapter, ring); ++ ++ /* Rx/Tx/XDP Tx share the same napi context. */ ++ napi_disable(&rx_ring->q_vector->napi); ++ + ixgbe_disable_txr(adapter, tx_ring); + if (xdp_ring) + ixgbe_disable_txr(adapter, xdp_ring); +@@ -10404,9 +10447,6 @@ void ixgbe_txrx_ring_disable(struct ixgbe_adapter *adapter, int ring) + if (xdp_ring) + synchronize_rcu(); + +- /* Rx/Tx/XDP Tx share the same napi context. 
*/ +- napi_disable(&rx_ring->q_vector->napi); +- + ixgbe_clean_tx_ring(tx_ring); + if (xdp_ring) + ixgbe_clean_tx_ring(xdp_ring); +@@ -10434,9 +10474,6 @@ void ixgbe_txrx_ring_enable(struct ixgbe_adapter *adapter, int ring) + tx_ring = adapter->tx_ring[ring]; + xdp_ring = adapter->xdp_ring[ring]; + +- /* Rx/Tx/XDP Tx share the same napi context. */ +- napi_enable(&rx_ring->q_vector->napi); +- + ixgbe_configure_tx_ring(adapter, tx_ring); + if (xdp_ring) + ixgbe_configure_tx_ring(adapter, xdp_ring); +@@ -10445,6 +10482,11 @@ void ixgbe_txrx_ring_enable(struct ixgbe_adapter *adapter, int ring) + clear_bit(__IXGBE_TX_DISABLED, &tx_ring->state); + if (xdp_ring) + clear_bit(__IXGBE_TX_DISABLED, &xdp_ring->state); ++ ++ /* Rx/Tx/XDP Tx share the same napi context. */ ++ napi_enable(&rx_ring->q_vector->napi); ++ ixgbe_irq_enable_queues(adapter, BIT_ULL(ring)); ++ IXGBE_WRITE_FLUSH(&adapter->hw); + } + + /** +-- +2.43.0 + diff --git a/queue-5.15/net-ice-fix-potential-null-pointer-dereference-in-ic.patch b/queue-5.15/net-ice-fix-potential-null-pointer-dereference-in-ic.patch new file mode 100644 index 00000000000..3ca3f5475df --- /dev/null +++ b/queue-5.15/net-ice-fix-potential-null-pointer-dereference-in-ic.patch 
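Review bot: In the new ixgbe_irq_disable_single() (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c) the 82599/X540/X550 branch writes the queue mask to `IXGBE_EIMS_EX(0)` and `IXGBE_EIMS_EX(1)`, while the 82598EB branch writes `IXGBE_EIMC` and the commit message says the function disables the IRQ in the EIMC register. EIMS is the interrupt mask set register, so on those MACs this looks like it unmasks the vector rather than masking it, immediately before `synchronize_irq()` and `napi_disable()` rely on it being quiet. I would expect `IXGBE_WRITE_REG(hw, IXGBE_EIMC_EX(0), mask);` and `IXGBE_WRITE_REG(hw, IXGBE_EIMC_EX(1), mask);` here, matching the clear register used for 82598EB.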
@@ -0,0 +1,40 @@ +From 7b5e75a41b23316b733006709b70116ec79bbf4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 18:54:48 +0300 +Subject: net: ice: Fix potential NULL pointer dereference in + ice_bridge_setlink() + +From: Rand Deeb + +[ Upstream commit 06e456a05d669ca30b224b8ed962421770c1496c ] + +The function ice_bridge_setlink() may encounter a NULL pointer dereference +if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently +in nla_for_each_nested(). To address this issue, add a check to ensure that +br_spec is not NULL before proceeding with the nested attribute iteration. + +Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink") +Signed-off-by: Rand Deeb +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index d4c29e2562a1c..3cc344d5228b6 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -6987,6 +6987,8 @@ ice_bridge_setlink(struct net_device *dev, struct nlmsghdr *nlh, + pf_sw = pf->first_sw; + /* find the attribute in the netlink message */ + br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC); ++ if (!br_spec) ++ return -EINVAL; + + nla_for_each_nested(attr, br_spec, rem) { + __u16 mode; +-- +2.43.0 + diff --git a/queue-5.15/net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch b/queue-5.15/net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch new file mode 100644 index 00000000000..d3ce37ed298 --- /dev/null +++ b/queue-5.15/net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch 
@@ -0,0 +1,258 @@ +From 15f078732f056485827a1fb6180720fc5fca1023 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Mar 2024 14:48:00 +0000 +Subject: net/ipv6: avoid possible UAF in ip6_route_mpath_notify() + +From: Eric Dumazet + +[ Upstream commit 685f7d531264599b3f167f1e94bbd22f120e5fab ] + +syzbot found another use-after-free in ip6_route_mpath_notify() [1] + +Commit f7225172f25a ("net/ipv6: prevent use after free in +ip6_route_mpath_notify") was not able to fix the root cause. + +We need to defer the fib6_info_release() calls after +ip6_route_mpath_notify(), in the cleanup phase. + +[1] +BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0 +Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037 + +CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x167/0x540 mm/kasan/report.c:488 + kasan_report+0x142/0x180 mm/kasan/report.c:601 + rt6_fill_node+0x1460/0x1ac0 + inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184 + ip6_route_mpath_notify net/ipv6/route.c:5198 [inline] + ip6_route_multipath_add net/ipv6/route.c:5404 [inline] + inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517 + rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 + netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 + ___sys_sendmsg net/socket.c:2638 [inline] + __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 + 
do_syscall_64+0xf9/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 +RIP: 0033:0x7f73dd87dda9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9 +RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005 +RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858 + + +Allocated by task 23037: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:372 [inline] + __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slub.c:3981 [inline] + __kmalloc+0x22e/0x490 mm/slub.c:3994 + kmalloc include/linux/slab.h:594 [inline] + kzalloc include/linux/slab.h:711 [inline] + fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155 + ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758 + ip6_route_multipath_add net/ipv6/route.c:5298 [inline] + inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517 + rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 + netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 + ___sys_sendmsg net/socket.c:2638 [inline] + __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 + do_syscall_64+0xf9/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 + +Freed by 
task 16: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640 + poison_slab_object+0xa6/0xe0 mm/kasan/common.c:241 + __kasan_slab_free+0x34/0x70 mm/kasan/common.c:257 + kasan_slab_free include/linux/kasan.h:184 [inline] + slab_free_hook mm/slub.c:2121 [inline] + slab_free mm/slub.c:4299 [inline] + kfree+0x14a/0x380 mm/slub.c:4409 + rcu_do_batch kernel/rcu/tree.c:2190 [inline] + rcu_core+0xd76/0x1810 kernel/rcu/tree.c:2465 + __do_softirq+0x2bb/0x942 kernel/softirq.c:553 + +Last potentially related work creation: + kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 + __kasan_record_aux_stack+0xae/0x100 mm/kasan/generic.c:586 + __call_rcu_common kernel/rcu/tree.c:2715 [inline] + call_rcu+0x167/0xa80 kernel/rcu/tree.c:2829 + fib6_info_release include/net/ip6_fib.h:341 [inline] + ip6_route_multipath_add net/ipv6/route.c:5344 [inline] + inet6_rtm_newroute+0x114d/0x2300 net/ipv6/route.c:5517 + rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 + netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 + ___sys_sendmsg net/socket.c:2638 [inline] + __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 + do_syscall_64+0xf9/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 + +The buggy address belongs to the object at ffff88809a07fc00 + which belongs to the cache kmalloc-512 of size 512 +The buggy address is located 100 bytes inside of + freed 512-byte region [ffff88809a07fc00, ffff88809a07fe00) + +The buggy address belongs to the physical page: +page:ffffea0002681f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9a07c +head:ffffea0002681f00 
order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) +page_type: 0xffffffff() +raw: 00fff00000000840 ffff888014c41c80 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 23028, tgid 23027 (syz-executor.4), ts 2340253595219, free_ts 2339107097036 + set_page_owner include/linux/page_owner.h:31 [inline] + post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 + prep_new_page mm/page_alloc.c:1540 [inline] + get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311 + __alloc_pages+0x255/0x680 mm/page_alloc.c:4567 + __alloc_pages_node include/linux/gfp.h:238 [inline] + alloc_pages_node include/linux/gfp.h:261 [inline] + alloc_slab_page+0x5f/0x160 mm/slub.c:2190 + allocate_slab mm/slub.c:2354 [inline] + new_slab+0x84/0x2f0 mm/slub.c:2407 + ___slab_alloc+0xd17/0x13e0 mm/slub.c:3540 + __slab_alloc mm/slub.c:3625 [inline] + __slab_alloc_node mm/slub.c:3678 [inline] + slab_alloc_node mm/slub.c:3850 [inline] + __do_kmalloc_node mm/slub.c:3980 [inline] + __kmalloc+0x2e0/0x490 mm/slub.c:3994 + kmalloc include/linux/slab.h:594 [inline] + kzalloc include/linux/slab.h:711 [inline] + new_dir fs/proc/proc_sysctl.c:956 [inline] + get_subdir fs/proc/proc_sysctl.c:1000 [inline] + sysctl_mkdir_p fs/proc/proc_sysctl.c:1295 [inline] + __register_sysctl_table+0xb30/0x1440 fs/proc/proc_sysctl.c:1376 + neigh_sysctl_register+0x416/0x500 net/core/neighbour.c:3859 + devinet_sysctl_register+0xaf/0x1f0 net/ipv4/devinet.c:2644 + inetdev_init+0x296/0x4d0 net/ipv4/devinet.c:286 + inetdev_event+0x338/0x15c0 net/ipv4/devinet.c:1555 + notifier_call_chain+0x18f/0x3b0 kernel/notifier.c:93 + call_netdevice_notifiers_extack 
net/core/dev.c:1987 [inline] + call_netdevice_notifiers net/core/dev.c:2001 [inline] + register_netdevice+0x15b2/0x1a20 net/core/dev.c:10340 + br_dev_newlink+0x27/0x100 net/bridge/br_netlink.c:1563 + rtnl_newlink_create net/core/rtnetlink.c:3497 [inline] + __rtnl_newlink net/core/rtnetlink.c:3717 [inline] + rtnl_newlink+0x158f/0x20a0 net/core/rtnetlink.c:3730 +page last free pid 11583 tgid 11583 stack trace: + reset_page_owner include/linux/page_owner.h:24 [inline] + free_pages_prepare mm/page_alloc.c:1140 [inline] + free_unref_page_prepare+0x968/0xa90 mm/page_alloc.c:2346 + free_unref_page+0x37/0x3f0 mm/page_alloc.c:2486 + kasan_depopulate_vmalloc_pte+0x74/0x90 mm/kasan/shadow.c:415 + apply_to_pte_range mm/memory.c:2619 [inline] + apply_to_pmd_range mm/memory.c:2663 [inline] + apply_to_pud_range mm/memory.c:2699 [inline] + apply_to_p4d_range mm/memory.c:2735 [inline] + __apply_to_page_range+0x8ec/0xe40 mm/memory.c:2769 + kasan_release_vmalloc+0x9a/0xb0 mm/kasan/shadow.c:532 + __purge_vmap_area_lazy+0x163f/0x1a10 mm/vmalloc.c:1770 + drain_vmap_area_work+0x40/0xd0 mm/vmalloc.c:1804 + process_one_work kernel/workqueue.c:2633 [inline] + process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706 + worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787 + kthread+0x2ef/0x390 kernel/kthread.c:388 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242 + +Memory state around the buggy address: + ffff88809a07fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88809a07fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88809a07fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88809a07fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88809a07fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 3b1137fe7482 ("net: ipv6: Change notifications for multipath add to RTA_MULTIPATH") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: 
https://lore.kernel.org/r/20240303144801.702646-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 75eab4032f017..3a95466e10a95 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5346,19 +5346,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg, + err_nh = NULL; + list_for_each_entry(nh, &rt6_nh_list, next) { + err = __ip6_ins_rt(nh->fib6_info, info, extack); +- fib6_info_release(nh->fib6_info); +- +- if (!err) { +- /* save reference to last route successfully inserted */ +- rt_last = nh->fib6_info; +- +- /* save reference to first route for notification */ +- if (!rt_notif) +- rt_notif = nh->fib6_info; +- } + +- /* nh->fib6_info is used or freed at this point, reset to NULL*/ +- nh->fib6_info = NULL; + if (err) { + if (replace && nhn) + NL_SET_ERR_MSG_MOD(extack, +@@ -5366,6 +5354,12 @@ static int ip6_route_multipath_add(struct fib6_config *cfg, + err_nh = nh; + goto add_errout; + } ++ /* save reference to last route successfully inserted */ ++ rt_last = nh->fib6_info; ++ ++ /* save reference to first route for notification */ ++ if (!rt_notif) ++ rt_notif = nh->fib6_info; + + /* Because each route is added like a single route we remove + * these flags after the first nexthop: if there is a collision, +@@ -5426,8 +5420,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg, + + cleanup: + list_for_each_entry_safe(nh, nh_safe, &rt6_nh_list, next) { +- if (nh->fib6_info) +- fib6_info_release(nh->fib6_info); ++ fib6_info_release(nh->fib6_info); + list_del(&nh->next); + kfree(nh); + } +-- +2.43.0 + diff --git a/queue-5.15/net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch b/queue-5.15/net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch new file mode 100644 index 00000000000..8a375be6967 --- /dev/null 
+++ b/queue-5.15/net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch
@@ -0,0 +1,45 @@
+From bf862519c1cc118a6d5b2162408cafbc56fa2a46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Feb 2024 13:45:17 +0100
+Subject: net: lan78xx: fix runtime PM count underflow on link stop
+
+From: Oleksij Rempel
+
+[ Upstream commit 1eecc7ab82c42133b748e1895275942a054a7f67 ]
+
+Current driver has some asymmetry in the runtime PM calls. On lan78xx_open()
+it will call usb_autopm_get() and unconditionally usb_autopm_put(). And
+on lan78xx_stop() it will call only usb_autopm_put(). So far, it was
+working only because this driver do not activate autosuspend by default,
+so it was visible only by warning "Runtime PM usage count underflow!".
+
+Since, with current driver, we can't use runtime PM with active link,
+execute lan78xx_open()->usb_autopm_put() only in error case. Otherwise,
+keep ref counting high as long as interface is open.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Oleksij Rempel
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/lan78xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index c8b42892655a1..77cb30259dca7 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2960,7 +2960,8 @@ static int lan78xx_open(struct net_device *net)
+ done:
+ mutex_unlock(&dev->dev_mutex);
+
+- usb_autopm_put_interface(dev->intf);
++ if (ret < 0)
++ usb_autopm_put_interface(dev->intf);
+
+ return ret;
+ }
+--
+2.43.0
+
diff --git a/queue-5.15/net-rds-fix-warning-in-rds_conn_connect_if_down.patch b/queue-5.15/net-rds-fix-warning-in-rds_conn_connect_if_down.patch
new file mode 100644
index 00000000000..8969bb5c898
--- /dev/null
+++ b/queue-5.15/net-rds-fix-warning-in-rds_conn_connect_if_down.patch
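Review bot: The new `if (ret < 0)` guard at the end of lan78xx_open() leaves the runtime PM reference held on success, but nothing in the code records who releases it. A short comment above the guard would keep the pairing visible to the next reader, for example `/* on success the PM reference stays held until lan78xx_stop() drops it */`. Only the `done:` tail of the function is inside the hunk, so any path that returns before `done:` after taking the reference should be checked for the same balance.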
@@ -0,0 +1,57 @@
+From cb06ff3fbf3012e300b08f5512f1916d9a088116 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Mar 2024 08:13:08 +0800
+Subject: net/rds: fix WARNING in rds_conn_connect_if_down
+
+From: Edward Adam Davis
+
+[ Upstream commit c055fc00c07be1f0df7375ab0036cebd1106ed38 ]
+
+If connection isn't established yet, get_mr() will fail, trigger connection after
+get_mr().
+
+Fixes: 584a8279a44a ("RDS: RDMA: return appropriate error on rdma map failures")
+Reported-and-tested-by: syzbot+d4faee732755bba9838e@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/rds/rdma.c | 3 +++
+ net/rds/send.c | 6 +-----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index 6f1a50d50d06d..c29c7a59f2053 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -301,6 +301,9 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
+ kfree(sg);
+ }
+ ret = PTR_ERR(trans_private);
++ /* Trigger connection so that its ready for the next retry */
++ if (ret == -ENODEV)
++ rds_conn_connect_if_down(cp->cp_conn);
+ goto out;
+ }
+
+diff --git a/net/rds/send.c b/net/rds/send.c
+index 53444397de669..d6462d1471c14 100644
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -1314,12 +1314,8 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+
+ /* Parse any control messages the user may have included. */
+ ret = rds_cmsg_send(rs, rm, msg, &allocated_mr, &vct);
+- if (ret) {
+- /* Trigger connection so that its ready for the next retry */
+- if (ret == -EAGAIN)
+- rds_conn_connect_if_down(conn);
++ if (ret)
+ goto out;
+- }
+
+ if (rm->rdma.op_active && !conn->c_trans->xmit_rdma) {
+ printk_ratelimited(KERN_NOTICE "rdma_op %p conn xmit_rdma %p\n",
+--
+2.43.0
+
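Review bot: The added `rds_conn_connect_if_down(cp->cp_conn);` in __rds_rdma_map() dereferences `cp` with no NULL check. The parameter list and the callers lie outside the hunk, so it cannot be confirmed here that every caller passes a connection path; if any caller maps a region without one, a get_mr() failure with -ENODEV turns into a kernel NULL dereference. Guarding the call as `if (ret == -ENODEV && cp)` keeps the retry behaviour and removes that risk. The trigger condition also changed from `-EAGAIN` in rds_sendmsg() to `-ENODEV` here, which the commit message does not explain.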
diff --git a/queue-5.15/net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch b/queue-5.15/net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch
new file mode 100644
index 00000000000..6103df55434
--- /dev/null
+++ b/queue-5.15/net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch
@@ -0,0 +1,46 @@
+From 950f86dc949807e2a5bcc9a672d41ff7f39ea280 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Mar 2024 09:06:08 +0100
+Subject: net: sparx5: Fix use after free inside sparx5_del_mact_entry
+
+From: Horatiu Vultur
+
+[ Upstream commit 89d72d4125e94aa3c2140fedd97ce07ba9e37674 ]
+
+Based on the static analyzis of the code it looks like when an entry
+from the MAC table was removed, the entry was still used after being
+freed. More precise the vid of the mac_entry was used after calling
+devm_kfree on the mac_entry.
+The fix consists in first using the vid of the mac_entry to delete the
+entry from the HW and after that to free it.
+
+Fixes: b37a1bae742f ("net: sparx5: add mactable support")
+Signed-off-by: Horatiu Vultur
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20240301080608.3053468-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+index 9a8e4f201eb1f..6ba93fa984f26 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+@@ -344,10 +344,10 @@ int sparx5_del_mact_entry(struct sparx5 *sparx5,
+ list) {
+ if ((vid == 0 || mact_entry->vid == vid) &&
+ ether_addr_equal(addr, mact_entry->mac)) {
++ sparx5_mact_forget(sparx5, addr, mact_entry->vid);
++
+ list_del(&mact_entry->list);
+ devm_kfree(sparx5->dev, mact_entry);
+-
+- sparx5_mact_forget(sparx5, addr, mact_entry->vid);
+ }
+ }
+ mutex_unlock(&sparx5->mact_lock);
+--
+2.43.0
+
diff --git a/queue-5.15/netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch b/queue-5.15/netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch
new file mode 100644
index 00000000000..68bb4b5dc5b
--- /dev/null
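Review bot: The ordering that fixes the use-after-free in sparx5_del_mact_entry() is not documented at the call site, so a later cleanup could move `sparx5_mact_forget()` back below `devm_kfree()`. A comment on the moved line would pin it, for example `/* must run before the entry is freed: reads mact_entry->vid */`. If `sparx5_mact_forget()` reports failure (its prototype is not visible in this hunk), the result is still discarded and the software entry is freed regardless, which is worth confirming as intended. The loop header starts outside the hunk.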
+++ b/queue-5.15/netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch 
@@ -0,0 +1,71 @@ +From bc769854d7c63550eddeb425cd5a4418df4ca152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 11:38:55 +0000 +Subject: netfilter: nf_conntrack_h323: Add protection for bmp length out of + range + +From: Lena Wang + +[ Upstream commit 767146637efc528b5e3d31297df115e85a2fd362 ] + +UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts +that are out of bounds for their data type. + +vmlinux get_bitmap(b=75) + 712 + +vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956 + +vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216 + +vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812 + +vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216 + +vmlinux DecodeRasMessage() + 304 + +vmlinux ras_help() + 684 + +vmlinux nf_confirm() + 188 + + +Due to abnormal data in skb->data, the extension bitmap length +exceeds 32 when decoding ras message then uses the length to make +a shift operation. It will change into negative after several loop. +UBSAN load could detect a negative shift as an undefined behaviour +and reports exception. +So we add the protection to avoid the length exceeding 32. Or else +it will return out of range error and stop decoding. 
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Signed-off-by: Lena Wang
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index e697a824b0018..540d97715bd23 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
+ /* Get fields bitmap */
+ if (nf_h323_error_boundary(bs, 0, f->sz))
+ return H323_ERROR_BOUND;
++ if (f->sz > 32)
++ return H323_ERROR_RANGE;
+ bmp = get_bitmap(bs, f->sz);
+ if (base)
+ *(unsigned int *)base = bmp;
+@@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
+ bmp2_len = get_bits(bs, 7) + 1;
+ if (nf_h323_error_boundary(bs, 0, bmp2_len))
+ return H323_ERROR_BOUND;
++ if (bmp2_len > 32)
++ return H323_ERROR_RANGE;
+ bmp2 = get_bitmap(bs, bmp2_len);
+ bmp |= bmp2 >> f->sz;
+ if (base)
+--
+2.43.0
+
diff --git a/queue-5.15/netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch b/queue-5.15/netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch
new file mode 100644
index 00000000000..0a73241d888
--- /dev/null
+++ b/queue-5.15/netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch
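Review bot: The context line `bmp |= bmp2 >> f->sz;` in the second decode_seq() hunk still shifts by `f->sz`, and the new guard `if (f->sz > 32)` lets a value of exactly 32 through. If `bmp2` is a 32-bit unsigned int, as the `*(unsigned int *)base = bmp` store suggests, a shift by the full width is undefined, the same class of report the patch sets out to silence; guarding the shift as `if (f->sz < 32) bmp |= bmp2 >> f->sz;` would cover it. Whether get_bitmap() itself is well defined for a length of exactly 32 cannot be seen from here and deserves the same look, since `bmp2_len` is read from the packet with `get_bits(bs, 7) + 1`. The literal 32 appears twice; deriving it from the bitmap type's width would keep the two checks from drifting. decode_seq() starts and ends outside both hunks.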
@@ -0,0 +1,62 @@
+From 348164847ac37d11bb620b9edc2d698aceb2c27b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Mar 2024 13:38:15 +0100
+Subject: netfilter: nft_ct: fix l3num expectations with inet pseudo family
+
+From: Florian Westphal
+
+[ Upstream commit 99993789966a6eb4f1295193dc543686899892d3 ]
+
+Following is rejected but should be allowed:
+
+table inet t {
+ ct expectation exp1 {
+ [..]
+ l3proto ip
+
+Valid combos are:
+table ip t, l3proto ip
+table ip6 t, l3proto ip6
+table inet t, l3proto ip OR l3proto ip6
+
+Disallow inet pseudeo family, the l3num must be a on-wire protocol known
+to conntrack.
+
+Retain NFPROTO_INET case to make it clear its rejected
+intentionally rather as oversight.
+
+Fixes: 8059918a1377 ("netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_ct.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 7c667629c5149..69214993b5a2c 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1192,14 +1192,13 @@ static int nft_ct_expect_obj_init(const struct nft_ctx *ctx,
+ switch (priv->l3num) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+- if (priv->l3num != ctx->family)
+- return -EINVAL;
++ if (priv->l3num == ctx->family || ctx->family == NFPROTO_INET)
++ break;
+
+- fallthrough;
+- case NFPROTO_INET:
+- break;
++ return -EINVAL;
++ case NFPROTO_INET: /* tuple.src.l3num supports NFPROTO_IPV4/6 only */
+ default:
+- return -EOPNOTSUPP;
++ return -EAFNOSUPPORT;
+ }
+
+ priv->l4proto = nla_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]);
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_default_.patch b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_default_.patch
new file mode 100644
index 00000000000..b166ae57274
--- /dev/null
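Review bot: The `default:` branch of the l3num switch in nft_ct_expect_obj_init() now returns `-EAFNOSUPPORT` where it used to return `-EOPNOTSUPP`, and the commit message does not mention the change of error code. For a stable backport this is a user-visible difference: tooling that distinguishes the two errno values on a rejected expectation object will see different behaviour after the update. Either record the errno change in the message or keep `-EOPNOTSUPP` for the unknown-family case. The function body continues outside the hunk.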
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_default_.patch
@@ -0,0 +1,36 @@
+From 29f5209934e7ec27c2802fa54018a2c5ac8408d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:35 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_default_path_quality
+
+From: Jason Xing
+
+[ Upstream commit 958d6145a6d9ba9e075c921aead8753fb91c9101 ]
+
+We need to protect the reader reading sysctl_netrom_default_path_quality
+because the value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index ddd5cbd455e39..55cd51977fbc2 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -153,7 +153,7 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
+ nr_neigh->digipeat = NULL;
+ nr_neigh->ax25 = NULL;
+ nr_neigh->dev = dev;
+- nr_neigh->quality = sysctl_netrom_default_path_quality;
++ nr_neigh->quality = READ_ONCE(sysctl_netrom_default_path_quality);
+ nr_neigh->locked = 0;
+ nr_neigh->count = 0;
+ nr_neigh->number = nr_neigh_no++;
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch
new file mode 100644
index 00000000000..c48edad86a7
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch
@@ -0,0 +1,36 @@
+From 4f75bcebb948a63989f5125c74fe100850654ddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:45 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_link_fails_count
+
+From: Jason Xing
+
+[ Upstream commit bc76645ebdd01be9b9994dac39685a3d0f6f7985 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 56bec5b5b37c7..983c5ad9724f1 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -728,7 +728,7 @@ void nr_link_failed(ax25_cb *ax25, int reason)
+ nr_neigh->ax25 = NULL;
+ ax25_cb_put(ax25);
+
+- if (++nr_neigh->failed < sysctl_netrom_link_fails_count) {
++ if (++nr_neigh->failed < READ_ONCE(sysctl_netrom_link_fails_count)) {
+ nr_neigh_put(nr_neigh);
+ return;
+ }
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch
new file mode 100644
index 00000000000..25f6e9abd90
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch
@@ -0,0 +1,37 @@
+From b4f299aae09039639728a458a8b0b70a9e76bae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:36 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_obsolescence_count_initialiser
+
+From: Jason Xing
+
+[ Upstream commit cfd9f4a740f772298308b2e6070d2c744fb5cf79 ]
+
+We need to protect the reader reading the sysctl value
+because the value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 55cd51977fbc2..e5d24462d5100 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -766,7 +766,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ if (ax25 != NULL) {
+ ret = nr_add_node(nr_src, "", &ax25->dest_addr, ax25->digipeat,
+ ax25->ax25_dev->dev, 0,
+- sysctl_netrom_obsolescence_count_initialiser);
++ READ_ONCE(sysctl_netrom_obsolescence_count_initialiser));
+ if (ret)
+ return ret;
+ }
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch
new file mode 100644
index 00000000000..f9e2358bbd5
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch
@@ -0,0 +1,36 @@
+From c9d7e115e8d0774f2ade431b55b903ffea4327de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:44 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_routing_control
+
+From: Jason Xing
+
+[ Upstream commit b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index e5d24462d5100..56bec5b5b37c7 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -780,7 +780,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ return ret;
+ }
+
+- if (!sysctl_netrom_routing_control && ax25 != NULL)
++ if (!READ_ONCE(sysctl_netrom_routing_control) && ax25 != NULL)
+ return 0;
+
+ /* Its Time-To-Live has expired */
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch
new file mode 100644
index 00000000000..dab721e63f5
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch
@@ -0,0 +1,36 @@
+From 6ed6d5f3bdfe4fac7253d54e289528c2e77618a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:38 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_timeout
+
+From: Jason Xing
+
+[ Upstream commit 60a7a152abd494ed4f69098cf0f322e6bb140612 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 24747163122bb..6857510967448 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -453,7 +453,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr_init_timers(sk);
+
+ nr->t1 =
+- msecs_to_jiffies(sysctl_netrom_transport_timeout);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_timeout));
+ nr->t2 =
+ msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
+ nr->n2 =
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1302 b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1302
new file mode 100644
index 00000000000..b3e01fedfa8
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1302
@@ -0,0 +1,37 @@
+From c07d8aa70cf25c839ab14d13cba7b6a2c959f452 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:42 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_requested_window_size
+
+From: Jason Xing
+
+[ Upstream commit a2e706841488f474c06e9b33f71afc947fb3bf56 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 76d66eb0de255..d780adf54e19e 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -462,7 +462,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+ nr->idle =
+ msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
+- nr->window = sysctl_netrom_transport_requested_window_size;
++ nr->window = READ_ONCE(sysctl_netrom_transport_requested_window_size);
+
+ nr->bpqext = 1;
+ nr->state = NR_STATE_0;
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-15907 b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-15907
new file mode 100644
index 00000000000..48d8cf9c8b9
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-15907
@@ -0,0 +1,37 @@
+From 381ce3a5d8092aa71e5d82e5690ba42194a5c64d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:40 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_acknowledge_delay
+
+From: Jason Xing
+
+[ Upstream commit 806f462ba9029d41aadf8ec93f2f99c5305deada ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 678a7bbd84bf2..5a5cca18ae0c6 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -455,7 +455,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr->t1 =
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_timeout));
+ nr->t2 =
+- msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_acknowledge_delay));
+ nr->n2 =
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+ nr->t4 =
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1870 b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1870
new file mode 100644
index 00000000000..7b168b9b65c
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1870
@@ -0,0 +1,36 @@
+From 87eb75e8d3bfb478fc30b0ea58f2eb88e26bff8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:39 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries
+
+From: Jason Xing
+
+[ Upstream commit e799299aafed417cc1f32adccb2a0e5268b3f6d5 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 6857510967448..678a7bbd84bf2 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -457,7 +457,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr->t2 =
+ msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
+ nr->n2 =
+- msecs_to_jiffies(sysctl_netrom_transport_maximum_tries);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+ nr->t4 =
+ msecs_to_jiffies(sysctl_netrom_transport_busy_delay);
+ nr->idle =
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19374 b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19374
new file mode 100644
index 00000000000..96563e29548
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19374
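Review bot: The rewritten assignment `nr->n2 = msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));` in nr_create() still passes what its name describes as a retry count through a milliseconds-to-jiffies conversion. If `n2` is later compared against a retransmission counter (not visible in this hunk), the effective limit would vary with the kernel's HZ setting. This predates the READ_ONCE annotation and a backport has to follow upstream, but it is worth raising there as a follow-up, for example `nr->n2 = READ_ONCE(sysctl_netrom_transport_maximum_tries);`. The same context line appears in the neighbouring nr_create() patches for transport_acknowledge_delay and transport_busy_delay.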
@@ -0,0 +1,36 @@
+From 6a815a954fed1f0f7f65b92ebf5930ea73dbb831 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:41 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_busy_delay
+
+From: Jason Xing
+
+[ Upstream commit 43547d8699439a67b78d6bb39015113f7aa360fd ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 5a5cca18ae0c6..76d66eb0de255 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -459,7 +459,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr->n2 =
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+ nr->t4 =
+- msecs_to_jiffies(sysctl_netrom_transport_busy_delay);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+ nr->idle =
+ msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
+ nr->window = sysctl_netrom_transport_requested_window_size;
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-3139 b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-3139
new file mode 100644
index 00000000000..8564f69dcb9
--- /dev/null
+++ b/queue-5.15/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-3139
@@ -0,0 +1,37 @@
+From 71accbf6c38870e6951510544feaa8f18a88bc15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:43 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_no_activity_timeout
+
+From: Jason Xing
+
+[ Upstream commit f99b494b40431f0ca416859f2345746199398e2b ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index d780adf54e19e..376b6af431448 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -461,7 +461,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr->t4 =
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+ nr->idle =
+- msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_no_activity_timeout));
+ nr->window = READ_ONCE(sysctl_netrom_transport_requested_window_size);
+
+ nr->bpqext = 1;
+--
+2.43.0
+
diff --git a/queue-5.15/netrom-fix-data-races-around-sysctl_net_busy_read.patch b/queue-5.15/netrom-fix-data-races-around-sysctl_net_busy_read.patch
new file mode 100644
index 00000000000..aec3b46492e
--- /dev/null
+++ b/queue-5.15/netrom-fix-data-races-around-sysctl_net_busy_read.patch
@@ -0,0 +1,68 @@ +From a4036c23e1c2f7d332ef098abf7d6e4d97a944c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Mar 2024 16:20:46 +0800 +Subject: netrom: Fix data-races around sysctl_net_busy_read + +From: Jason Xing + +[ Upstream commit d380ce70058a4ccddc3e5f5c2063165dc07672c6 ] + +We need to protect the reader reading the sysctl value because the +value can be changed concurrently. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jason Xing +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 2 +- + net/netrom/nr_in.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 376b6af431448..37d0bf6cab456 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -954,7 +954,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + * G8PZT's Xrouter which is sending packets with command type 7 + * as an extension of the protocol. + */ +- if (sysctl_netrom_reset_circuit && ++ if (READ_ONCE(sysctl_netrom_reset_circuit) && + (frametype != NR_RESET || flags != 0)) + nr_transmit_reset(skb, 1); + +diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c +index 2f084b6f69d7e..97944db6b5ac6 100644 +--- a/net/netrom/nr_in.c ++++ b/net/netrom/nr_in.c +@@ -97,7 +97,7 @@ static int nr_state1_machine(struct sock *sk, struct sk_buff *skb, + break; + + case NR_RESET: +- if (sysctl_netrom_reset_circuit) ++ if (READ_ONCE(sysctl_netrom_reset_circuit)) + nr_disconnect(sk, ECONNRESET); + break; + +@@ -128,7 +128,7 @@ static int nr_state2_machine(struct sock *sk, struct sk_buff *skb, + break; + + case NR_RESET: +- if (sysctl_netrom_reset_circuit) ++ if (READ_ONCE(sysctl_netrom_reset_circuit)) + nr_disconnect(sk, ECONNRESET); + break; + +@@ -262,7 +262,7 @@ static int nr_state3_machine(struct sock *sk, struct sk_buff *skb, int frametype + break; + + case NR_RESET: +- if (sysctl_netrom_reset_circuit) ++ if 
(READ_ONCE(sysctl_netrom_reset_circuit)) + nr_disconnect(sk, ECONNRESET); + break; + +-- +2.43.0 + diff --git a/queue-5.15/netrom-fix-data-races-around-sysctl_netrom_network_t.patch b/queue-5.15/netrom-fix-data-races-around-sysctl_netrom_network_t.patch new file mode 100644 index 00000000000..e86aecc02de --- /dev/null +++ b/queue-5.15/netrom-fix-data-races-around-sysctl_netrom_network_t.patch 
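Review bot: The patch subject names `sysctl_net_busy_read`, but every changed line in af_netrom.c and nr_in.c annotates `sysctl_netrom_reset_circuit`, and no read of a busy_read sysctl appears in the diff. Anyone auditing the queue by subject to see which sysctls are covered will be misled. Since a stable backport keeps the upstream subject, a bracketed note in the body would record the mismatch, for example `[ subject is misleading: the annotated variable is sysctl_netrom_reset_circuit ]`. The state-machine functions touched in nr_in.c all start and end outside their hunks.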
@@ -0,0 +1,74 @@
+From 4ca7da94a42e87219eb49f7248ab80a16b8983f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 16:20:37 +0800
+Subject: netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser
+
+From: Jason Xing
+
+[ Upstream commit 119cae5ea3f9e35cdada8e572cc067f072fa825a ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/netrom/nr_dev.c | 2 +-
+ net/netrom/nr_out.c | 2 +-
+ net/netrom/nr_subr.c | 5 +++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/netrom/nr_dev.c b/net/netrom/nr_dev.c
+index 29e418c8c6c30..4caee8754b794 100644
+--- a/net/netrom/nr_dev.c
++++ b/net/netrom/nr_dev.c
+@@ -81,7 +81,7 @@ static int nr_header(struct sk_buff *skb, struct net_device *dev,
+ buff[6] |= AX25_SSSID_SPARE;
+ buff += AX25_ADDR_LEN;
+
+- *buff++ = sysctl_netrom_network_ttl_initialiser;
++ *buff++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+
+ *buff++ = NR_PROTO_IP;
+ *buff++ = NR_PROTO_IP;
+diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
+index 44929657f5b71..5e531394a724b 100644
+--- a/net/netrom/nr_out.c
++++ b/net/netrom/nr_out.c
+@@ -204,7 +204,7 @@ void nr_transmit_buffer(struct sock *sk, struct sk_buff *skb)
+ dptr[6] |= AX25_SSSID_SPARE;
+ dptr += AX25_ADDR_LEN;
+
+- *dptr++ = sysctl_netrom_network_ttl_initialiser;
++ *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+
+ if (!nr_route_frame(skb, NULL)) {
+ kfree_skb(skb);
+diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c
+index e2d2af924cff4..c3bbd5880850b 100644
+--- a/net/netrom/nr_subr.c
++++ b/net/netrom/nr_subr.c
+@@ -182,7 +182,8 @@ void nr_write_internal(struct sock *sk, int frametype)
+ *dptr++ = nr->my_id;
+ *dptr++ = frametype;
+ *dptr++ = nr->window;
+- if (nr->bpqext) *dptr++ = sysctl_netrom_network_ttl_initialiser;
++ if (nr->bpqext)
++ *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+ break;
+
+ case NR_DISCREQ:
+@@ -236,7 +237,7 @@ void __nr_transmit_reply(struct sk_buff *skb, int mine, unsigned char cmdflags)
+ dptr[6] |= AX25_SSSID_SPARE;
+ dptr += AX25_ADDR_LEN;
+
+- *dptr++ = sysctl_netrom_network_ttl_initialiser;
++ *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+
+ if (mine) {
+ *dptr++ = 0;
+-- 
+2.43.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 3ead0d8bfa8..9f3a73e7333 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
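Review bot: The four stores of `READ_ONCE(sysctl_netrom_network_ttl_initialiser)` through `*buff++` / `*dptr++` in nr_header(), nr_transmit_buffer(), nr_write_internal() and __nr_transmit_reply() write the sysctl value into what appears to be a single header byte, and nothing in these hunks shows what keeps the value within one octet. READ_ONCE() gives one untorn load per frame but does no range check, so the narrowing presumably depends on limits set where the sysctl is registered, which is outside this patch. I would add a one-line comment at one of the sites, for example `/* TTL is one octet; bounds come from the sysctl table */`, once that has been confirmed against the table. All four functions begin and end outside the inner hunks.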
@@ -1,3 +1,28 @@
 mmc-mmci-stm32-use-a-buffer-for-unaligned-dma-reques.patch
 mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warn.patch
 riscv-add-caller_addrx-support.patch
+net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch
+ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch
+i40e-disable-napi-right-after-disabling-irqs-when-ha.patch
+tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch
+geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch
+net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch
+net-ice-fix-potential-null-pointer-dereference-in-ic.patch
+net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch
+cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch
+net-rds-fix-warning-in-rds_conn_connect_if_down.patch
+netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch
+netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch
+erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch
+netrom-fix-a-data-race-around-sysctl_netrom_default_.patch
+netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch
+netrom-fix-data-races-around-sysctl_netrom_network_t.patch
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1870
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-15907
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19374
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-1302
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-3139
+netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch
+netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch
+netrom-fix-data-races-around-sysctl_net_busy_read.patch
diff --git a/queue-5.15/tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch b/queue-5.15/tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch
new file mode 100644
index 00000000000..2c3184be102
--- /dev/null
+++ b/queue-5.15/tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch
@@ -0,0 +1,92 @@
+From 9d17fa3f851080ae66e13a2960ef3bbb267e664f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Feb 2024 14:34:44 -0500
+Subject: tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steven Rostedt (Google)
+
+[ Upstream commit 51270d573a8d9dd5afdc7934de97d66c0e14b5fd ]
+
+I'm updating __assign_str() and will be removing the second parameter. To
+make sure that it does not break anything, I make sure that it matches the
+__string() field, as that is where the string is actually going to be
+saved in. To make sure there's nothing that breaks, I added a WARN_ON() to
+make sure that what was used in __string() is the same that is used in
+__assign_str().
+
+In doing this change, an error was triggered as __assign_str() now expects
+the string passed in to be a char * value. I instead had the following
+warning:
+
+include/trace/events/qdisc.h: In function ‘trace_event_raw_event_qdisc_reset’:
+include/trace/events/qdisc.h:91:35: error: passing argument 1 of 'strcmp' from incompatible pointer type [-Werror=incompatible-pointer-types]
+ 91 | __assign_str(dev, qdisc_dev(q));
+
+That's because the qdisc_enqueue() and qdisc_reset() pass in qdisc_dev(q)
+to __assign_str() and to __string(). But that function returns a pointer
+to struct net_device and not a string.
+
+It appears that these events are just saving the pointer as a string and
+then reading it as a string as well.
+
+Use qdisc_dev(q)->name to save the device instead.
+
+Fixes: a34dac0b90552 ("net_sched: add tracepoints for qdisc_reset() and qdisc_destroy()")
+Signed-off-by: Steven Rostedt (Google)
+Reviewed-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/trace/events/qdisc.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h
+index 59c945b66f9c7..5180da19d837f 100644
+--- a/include/trace/events/qdisc.h
++++ b/include/trace/events/qdisc.h
+@@ -81,14 +81,14 @@ TRACE_EVENT(qdisc_reset,
+ TP_ARGS(q),
+
+ TP_STRUCT__entry(
+- __string( dev, qdisc_dev(q) )
+- __string( kind, q->ops->id )
+- __field( u32, parent )
+- __field( u32, handle )
++ __string( dev, qdisc_dev(q)->name )
++ __string( kind, q->ops->id )
++ __field( u32, parent )
++ __field( u32, handle )
+ ),
+
+ TP_fast_assign(
+- __assign_str(dev, qdisc_dev(q));
++ __assign_str(dev, qdisc_dev(q)->name);
+ __assign_str(kind, q->ops->id);
+ __entry->parent = q->parent;
+ __entry->handle = q->handle;
+@@ -106,14 +106,14 @@ TRACE_EVENT(qdisc_destroy,
+ TP_ARGS(q),
+
+ TP_STRUCT__entry(
+- __string( dev, qdisc_dev(q) )
+- __string( kind, q->ops->id )
+- __field( u32, parent )
+- __field( u32, handle )
++ __string( dev, qdisc_dev(q)->name )
++ __string( kind, q->ops->id )
++ __field( u32, parent )
++ __field( u32, handle )
+ ),
+
+ TP_fast_assign(
+- __assign_str(dev, qdisc_dev(q));
++ __assign_str(dev, qdisc_dev(q)->name);
+ __assign_str(kind, q->ops->id);
+ __entry->parent = q->parent;
+ __entry->handle = q->handle;
+-- 
+2.43.0
+
-- 
2.47.3
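Review bot: The message says qdisc_enqueue() and qdisc_reset() pass `qdisc_dev(q)`, but the two inner hunks change `TRACE_EVENT(qdisc_reset` and `TRACE_EVENT(qdisc_destroy`, which is also the pair named in the Fixes: tag, so the text and the diff disagree about which events are affected. The old `__string( dev, qdisc_dev(q) )` and `__assign_str(dev, qdisc_dev(q));` passed a `struct net_device *` where a string is expected, so the saved field was taken from the structure's bytes rather than from a name. That type mismatch is the reason that applies to 5.15, because the `__assign_str()` rework that exposed it is presumably not in this tree. I would record this in a bracketed backport line, for example `[ 5.15: events changed are qdisc_reset and qdisc_destroy; __assign_str() rework not included ]`, after confirming the second half. Both TRACE_EVENT bodies continue outside the inner hunks.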