From 54ba9370f1f0740e08ea3e8eba0152db239f6454 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 25 Jul 2025 11:06:10 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...net-appletalk-fix-kerneldoc-warnings.patch | 83 ++++++++ ...x-use-after-free-in-aarp-proxy-probe.patch | 185 ++++++++++++++++++ ...q-avoid-triggering-might_sleep-in-at.patch | 74 +++++++ queue-5.4/series | 3 + 4 files changed, 345 insertions(+) create mode 100644 queue-5.4/net-appletalk-fix-kerneldoc-warnings.patch create mode 100644 queue-5.4/net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch create mode 100644 queue-5.4/net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch diff --git a/queue-5.4/net-appletalk-fix-kerneldoc-warnings.patch b/queue-5.4/net-appletalk-fix-kerneldoc-warnings.patch new file mode 100644 index 0000000000..4cd2cfebd5 --- /dev/null +++ b/queue-5.4/net-appletalk-fix-kerneldoc-warnings.patch 
@@ -0,0 +1,83 @@
+From c44da8fa2793405baf00c88284b664d7e9701b66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Oct 2020 01:55:27 +0100
+Subject: net: appletalk: fix kerneldoc warnings
+
+From: Andrew Lunn
+
+[ Upstream commit 709565ae14aa2670d6b480be46720856e804af41 ]
+
+net/appletalk/aarp.c:68: warning: Function parameter or member 'dev' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'expires_at' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'hwaddr' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'last_sent' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'next' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'packet_queue' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'status' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'target_addr' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'xmit_count' not described in 'aarp_entry'
+net/appletalk/ddp.c:1422: warning: Function parameter or member 'dev' not described in 'atalk_rcv'
+net/appletalk/ddp.c:1422: warning: Function parameter or member 'orig_dev' not described in 'atalk_rcv'
+net/appletalk/ddp.c:1422: warning: Function parameter or member 'pt' not described in 'atalk_rcv'
+net/appletalk/ddp.c:1422: warning: Function parameter or member 'skb' not described in 'atalk_rcv'
+
+Signed-off-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20201028005527.930388-1-andrew@lunn.ch
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 6c4a92d07b08 ("net: appletalk: Fix use-after-free in AARP proxy probe")
+Signed-off-by: Sasha Levin
+---
+ net/appletalk/aarp.c | 18 +++++++++---------
+ net/appletalk/ddp.c | 7 ++++---
+ 2 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
+index 45f584171de79..be18af481d7d5 100644
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -44,15 +44,15 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
+ /* Lists of aarp entries */
+ /**
+ * struct aarp_entry - AARP entry
+- * @last_sent - Last time we xmitted the aarp request
+- * @packet_queue - Queue of frames wait for resolution
+- * @status - Used for proxy AARP
+- * expires_at - Entry expiry time
+- * target_addr - DDP Address
+- * dev - Device to use
+- * hwaddr - Physical i/f address of target/router
+- * xmit_count - When this hits 10 we give up
+- * next - Next entry in chain
++ * @last_sent: Last time we xmitted the aarp request
++ * @packet_queue: Queue of frames wait for resolution
++ * @status: Used for proxy AARP
++ * @expires_at: Entry expiry time
++ * @target_addr: DDP Address
++ * @dev: Device to use
++ * @hwaddr: Physical i/f address of target/router
++ * @xmit_count: When this hits 10 we give up
++ * @next: Next entry in chain
+ */
+ struct aarp_entry {
+ /* These first two are only used for unresolved entries */
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 46ca0f1354fde..01170c4e9c6dd 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1400,9 +1400,10 @@ static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+
+ /**
+ * atalk_rcv - Receive a packet (in skb) from device dev
+- * @skb - packet received
+- * @dev - network device where the packet comes from
+- * @pt - packet type
++ * @skb: packet received
++ * @dev: network device where the packet comes from
++ * @pt: packet type
++ * @orig_dev: the original receive net device
+ *
+ * Receive a packet (in skb) from device dev. This has come from the SNAP
+ * decoder, and on entry skb->transport_header is the DDP header, skb->len
+--
+2.39.5
+
diff --git a/queue-5.4/net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch b/queue-5.4/net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch
new file mode 100644
index 0000000000..b6af87fb29
--- /dev/null
+++ b/queue-5.4/net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch
@@ -0,0 +1,185 @@
+From d6872ea84713d3c5eea52e01e3ace4ea42615fc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Jul 2025 01:28:43 +0000
+Subject: net: appletalk: Fix use-after-free in AARP proxy probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kito Xu (veritas501)
+
+[ Upstream commit 6c4a92d07b0850342d3becf2e608f805e972467c ]
+
+The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe,
+releases the aarp_lock, sleeps, then re-acquires the lock. During that
+window an expire timer thread (__aarp_expire_timer) can remove and
+kfree() the same entry, leading to a use-after-free.
+
+race condition:
+
+ cpu 0 | cpu 1
+ atalk_sendmsg() | atif_proxy_probe_device()
+ aarp_send_ddp() | aarp_proxy_probe_network()
+ mod_timer() | lock(aarp_lock) // LOCK!!
+ timeout around 200ms | alloc(aarp_entry)
+ and then call | proxies[hash] = aarp_entry
+ aarp_expire_timeout() | aarp_send_probe()
+ | unlock(aarp_lock) // UNLOCK!!
+ lock(aarp_lock) // LOCK!! | msleep(100);
+ __aarp_expire_timer(&proxies[ct]) |
+ free(aarp_entry) |
+ unlock(aarp_lock) // UNLOCK!! |
+ | lock(aarp_lock) // LOCK!!
+ | UAF aarp_entry !!
+
+==================================================================
+BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
+Read of size 4 at addr ffff8880123aa360 by task repro/13278
+
+CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xc1/0x630 mm/kasan/report.c:521
+ kasan_report+0xca/0x100 mm/kasan/report.c:634
+ aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
+ atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
+ atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
+ atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
+ sock_do_ioctl+0xdc/0x260 net/socket.c:1190
+ sock_ioctl+0x239/0x6a0 net/socket.c:1311
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:906 [inline]
+ __se_sys_ioctl fs/ioctl.c:892 [inline]
+ __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+
+Allocated:
+ aarp_alloc net/appletalk/aarp.c:382 [inline]
+ aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468
+ atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
+ atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
+ atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
+
+Freed:
+ kfree+0x148/0x4d0 mm/slub.c:4841
+ __aarp_expire net/appletalk/aarp.c:90 [inline]
+ __aarp_expire_timer net/appletalk/aarp.c:261 [inline]
+ aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317
+
+The buggy address belongs to the object at ffff8880123aa300
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 96 bytes inside of
+ freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)
+
+Memory state around the buggy address:
+ ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kito Xu (veritas501)
+Link: https://patch.msgid.link/20250717012843.880423-1-hxzene@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/appletalk/aarp.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
+index be18af481d7d5..17d9cb380e7bd 100644
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -35,6 +35,7 @@
+ #include
+ #include
+ #include
++#include
+
+ int sysctl_aarp_expiry_time = AARP_EXPIRY_TIME;
+ int sysctl_aarp_tick_time = AARP_TICK_TIME;
+@@ -44,6 +45,7 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
+ /* Lists of aarp entries */
+ /**
+ * struct aarp_entry - AARP entry
++ * @refcnt: Reference count
+ * @last_sent: Last time we xmitted the aarp request
+ * @packet_queue: Queue of frames wait for resolution
+ * @status: Used for proxy AARP
+@@ -55,6 +57,7 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
+ * @next: Next entry in chain
+ */
+ struct aarp_entry {
++ refcount_t refcnt;
+ /* These first two are only used for unresolved entries */
+ unsigned long last_sent;
+ struct sk_buff_head packet_queue;
+@@ -79,6 +82,17 @@ static DEFINE_RWLOCK(aarp_lock);
+ /* Used to walk the list and purge/kick entries. */
+ static struct timer_list aarp_timer;
+
++static inline void aarp_entry_get(struct aarp_entry *a)
++{
++ refcount_inc(&a->refcnt);
++}
++
++static inline void aarp_entry_put(struct aarp_entry *a)
++{
++ if (refcount_dec_and_test(&a->refcnt))
++ kfree(a);
++}
++
+ /*
+ * Delete an aarp queue
+ *
+@@ -87,7 +101,7 @@ static struct timer_list aarp_timer;
+ static void __aarp_expire(struct aarp_entry *a)
+ {
+ skb_queue_purge(&a->packet_queue);
+- kfree(a);
++ aarp_entry_put(a);
+ }
+
+ /*
+@@ -380,9 +394,11 @@ static void aarp_purge(void)
+ static struct aarp_entry *aarp_alloc(void)
+ {
+ struct aarp_entry *a = kmalloc(sizeof(*a), GFP_ATOMIC);
++ if (!a)
++ return NULL;
+
+- if (a)
+- skb_queue_head_init(&a->packet_queue);
++ refcount_set(&a->refcnt, 1);
++ skb_queue_head_init(&a->packet_queue);
+ return a;
+ }
+
+@@ -508,6 +524,7 @@ int aarp_proxy_probe_network(struct atalk_iface *atif, struct atalk_addr *sa)
+ entry->dev = atif->dev;
+
+ write_lock_bh(&aarp_lock);
++ aarp_entry_get(entry);
+
+ hash = sa->s_node % (AARP_HASH_SIZE - 1);
+ entry->next = proxies[hash];
+@@ -533,6 +550,7 @@ int aarp_proxy_probe_network(struct atalk_iface *atif, struct atalk_addr *sa)
+ retval = 1;
+ }
+
++ aarp_entry_put(entry);
+ write_unlock_bh(&aarp_lock);
+ out:
+ return retval;
+--
+2.39.5
+
diff --git a/queue-5.4/net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch b/queue-5.4/net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch
new file mode 100644
index 0000000000..9630bf62b8
--- /dev/null
+++ b/queue-5.4/net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch
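Review bot: The added kerneldoc line `@refcnt: Reference count` does not record the ownership rule the rest of the patch depends on: `aarp_alloc()` starts the count at 1 on behalf of the hash chain, `__aarp_expire()` drops that reference through `aarp_entry_put()`, and `aarp_proxy_probe_network()` takes a second reference under `aarp_lock` before linking the entry and drops it just before `write_unlock_bh()`. Suggest `@refcnt: one reference is owned by the hash chain (dropped in __aarp_expire); code that releases aarp_lock while still using the entry must hold its own`, so the next person who adds a sleep under this lock knows what to do. Between the two aarp_proxy_probe_network hunks the lock is released around the sleep (per the description), so when it is re-acquired the expire timer may already have unlinked the entry; the status test and the `retval = 1` path at +550 then run on a detached entry and presumably report success although no proxy entry remains, which is worth a follow-up check of `entry->status` or of the chain rather than only the lifetime fix. aarp_proxy_probe_network starts and ends outside the hunk.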
@@ -0,0 +1,74 @@
+From f496387129e8e6016ad8ed35d4a9a4d157812392 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Jul 2025 16:01:28 -0700
+Subject: net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in
+ qfq_delete_class
+
+From: Xiang Mei
+
+[ Upstream commit cf074eca0065bc5142e6004ae236bb35a2687fdf ]
+
+might_sleep could be trigger in the atomic context in qfq_delete_class.
+
+qfq_destroy_class was moved into atomic context locked
+by sch_tree_lock to avoid a race condition bug on
+qfq_aggregate. However, might_sleep could be triggered by
+qfq_destroy_class, which introduced sleeping in atomic context (path:
+qfq_destroy_class->qdisc_put->__qdisc_destroy->lockdep_unregister_key
+->might_sleep).
+
+Considering the race is on the qfq_aggregate objects, keeping
+qfq_rm_from_agg in the lock but moving the left part out can solve
+this issue.
+
+Fixes: 5e28d5a3f774 ("net/sched: sch_qfq: Fix race condition on qfq_aggregate")
+Reported-by: Dan Carpenter
+Signed-off-by: Xiang Mei
+Link: https://patch.msgid.link/4a04e0cc-a64b-44e7-9213-2880ed641d77@sabinyo.mountain
+Reviewed-by: Cong Wang
+Reviewed-by: Dan Carpenter
+Link: https://patch.msgid.link/20250717230128.159766-1-xmei5@asu.edu
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_qfq.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 2a4331a084949..be04fcfcc5852 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -534,9 +534,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+
+ static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)
+ {
+- struct qfq_sched *q = qdisc_priv(sch);
+-
+- qfq_rm_from_agg(q, cl);
+ gen_kill_estimator(&cl->rate_est);
+ qdisc_put(cl->qdisc);
+ kfree(cl);
+@@ -554,10 +551,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg)
+
+ qdisc_purge_queue(cl->qdisc);
+ qdisc_class_hash_remove(&q->clhash, &cl->common);
+- qfq_destroy_class(sch, cl);
++ qfq_rm_from_agg(q, cl);
+
+ sch_tree_unlock(sch);
+
++ qfq_destroy_class(sch, cl);
+ return 0;
+ }
+
+@@ -1507,6 +1505,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch)
+ for (i = 0; i < q->clhash.hashsize; i++) {
+ hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i],
+ common.hnode) {
++ qfq_rm_from_agg(q, cl);
+ qfq_destroy_class(sch, cl);
+ }
+ }
+--
+2.39.5
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 9b5cb59fd4..9575cea9de 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -54,3 +54,6 @@ net_sched-sch_sfq-reject-invalid-perturb-period.patch
 usb-hub-fix-detection-of-high-tier-usb3-devices-behind-suspended-hubs.patch
 regulator-core-fix-null-dereference-on-unbind-due-to.patch
 rdma-core-rate-limit-gid-cache-warning-messages.patch
+net-appletalk-fix-kerneldoc-warnings.patch
+net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch
+net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch
--
2.47.2
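Review bot: `qfq_destroy_class()` now silently depends on its caller having already called `qfq_rm_from_agg()` under `sch_tree_lock`, but nothing at the definition at +534 records that precondition, so a later caller that keeps the old single-call pattern would free `cl` while it is still linked into its aggregate and reintroduce the race the earlier fix closed. Suggest a comment above the definition: `/* Caller must already have removed cl from its aggregate (qfq_rm_from_agg) under sch_tree_lock; this part may sleep (qdisc_put). */`. In the lines shown the `sch` parameter is no longer used once the `qdisc_priv(sch)` local is gone, presumably kept so the signature stays stable; both callers touched here (qfq_delete_class at +551 and qfq_destroy_qdisc at +1505) follow the new two-step order. The closing brace of qfq_destroy_class and the start of qfq_delete_class lie outside the hunk.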