From 677b2bae73f32df16d7ffef142c846a3b4aacde3 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 22 Dec 2023 17:48:15 -0500 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...fs-fix-dynamic-root-lookup-dns-check.patch | 75 +++++ ...x-overwriting-of-result-of-dns-query.patch | 58 ++++ ...mic-root-s-d_delete-to-always-delete.patch | 53 ++++ ...ll-pointer-dereference-and-memory-le.patch | 50 ++++ ...-fix-a-memleak-in-atl1e_setup_ring_r.patch | 44 +++ ...ey-types-eg.-dns-to-be-reclaimed-imm.patch | 281 ++++++++++++++++++ ...v-gso_max_size-in-gso_features_check.patch | 49 +++ ...ilter-feature-in-vlan_vids_add_by_de.patch | 99 ++++++ ...mlx5-fix-fw-tracer-first-block-check.patch | 39 +++ ...t-snprintf-truncation-handling-for-f.patch | 41 +++ ...ab-out-of-bounds-in-mlx5_query_nic_v.patch | 58 ++++ ...ose-fix-races-in-rose_kill_by_device.patch | 177 +++++++++++ ...hed-ife-fix-potential-use-after-free.patch | 238 +++++++++++++++ ...-if-gso_type-isn-t-set-for-a-gso-skb.patch | 49 +++ ...when-freeing-non-existent-optional-r.patch | 50 ++++ ...lx5e-fix-double-free-of-encap_header.patch | 67 +++++ ...x-save-restore-of-fpu-kernel-context.patch | 49 +++ queue-5.10/series | 18 ++ ...1-mesh_plink-fix-matches_local-logic.patch | 52 ++++ 19 files changed, 1547 insertions(+) create mode 100644 queue-5.10/afs-fix-dynamic-root-lookup-dns-check.patch create mode 100644 queue-5.10/afs-fix-overwriting-of-result-of-dns-query.patch create mode 100644 queue-5.10/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch create mode 100644 queue-5.10/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch create mode 100644 queue-5.10/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch create mode 100644 queue-5.10/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch create mode 100644 queue-5.10/net-check-dev-gso_max_size-in-gso_features_check.patch create mode 100644 queue-5.10/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch create mode 100644 queue-5.10/net-mlx5-fix-fw-tracer-first-block-check.patch create mode 100644 queue-5.10/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch create mode 100644 queue-5.10/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch create mode 100644 queue-5.10/net-rose-fix-races-in-rose_kill_by_device.patch create mode 100644 queue-5.10/net-sched-ife-fix-potential-use-after-free.patch create mode 100644 queue-5.10/net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch create mode 100644 queue-5.10/reset-fix-crash-when-freeing-non-existent-optional-r.patch create mode 100644 queue-5.10/revert-net-mlx5e-fix-double-free-of-encap_header.patch create mode 100644 queue-5.10/s390-vx-fix-save-restore-of-fpu-kernel-context.patch create mode 100644 queue-5.10/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch diff --git a/queue-5.10/afs-fix-dynamic-root-lookup-dns-check.patch b/queue-5.10/afs-fix-dynamic-root-lookup-dns-check.patch new file mode 100644 index 00000000000..b1613ce4edd --- /dev/null +++ b/queue-5.10/afs-fix-dynamic-root-lookup-dns-check.patch @@ -0,0 +1,75 @@ +From c52c7a33b1269f7dd3e06d04f2cd591f62fe0f1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 15:15:02 +0000 +Subject: afs: Fix dynamic root lookup DNS check + +From: David Howells + +[ Upstream commit 74cef6872ceaefb5b6c5c60641371ea28702d358 ] + +In the afs dynamic root directory, the ->lookup() function does a DNS check +on the cell being asked for and if the DNS upcall reports an error it will +report an error back to userspace (typically ENOENT). + +However, if a failed DNS upcall returns a new-style result, it will return +a valid result, with the status field set appropriately to indicate the +type of failure - and in that case, dns_query() doesn't return an error and +we let stat() complete with no error - which can cause confusion in +userspace as subsequent calls that trigger d_automount then fail with +ENOENT. + +Fix this by checking the status result from a valid dns_query() and +returning an error if it indicates a failure. + +Fixes: bbb4c4323a4d ("dns: Allow the dns resolver to retrieve a server set") +Reported-by: Markus Suvanto +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216637 +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 4ddc4846a8072..96b404d9e13ac 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -113,6 +113,7 @@ static int afs_probe_cell_name(struct dentry *dentry) + struct afs_net *net = afs_d2net(dentry); + const char *name = dentry->d_name.name; + size_t len = dentry->d_name.len; ++ char *result = NULL; + int ret; + + /* Names prefixed with a dot are R/W mounts. */ +@@ -130,9 +131,22 @@ static int afs_probe_cell_name(struct dentry *dentry) + } + + ret = dns_query(net->net, "afsdb", name, len, "srv=1", +- NULL, NULL, false); +- if (ret == -ENODATA || ret == -ENOKEY) ++ &result, NULL, false); ++ if (ret == -ENODATA || ret == -ENOKEY || ret == 0) + ret = -ENOENT; ++ if (ret > 0 && ret >= sizeof(struct dns_server_list_v1_header)) { ++ struct dns_server_list_v1_header *v1 = (void *)result; ++ ++ if (v1->hdr.zero == 0 && ++ v1->hdr.content == DNS_PAYLOAD_IS_SERVER_LIST && ++ v1->hdr.version == 1 && ++ (v1->status != DNS_LOOKUP_GOOD && ++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) ++ return -ENOENT; ++ ++ } ++ ++ kfree(result); + return ret; + } + +-- +2.43.0 + diff --git a/queue-5.10/afs-fix-overwriting-of-result-of-dns-query.patch b/queue-5.10/afs-fix-overwriting-of-result-of-dns-query.patch new file mode 100644 index 00000000000..10096214c37 --- /dev/null +++ b/queue-5.10/afs-fix-overwriting-of-result-of-dns-query.patch @@ -0,0 +1,58 @@ +From 5461bb133951d651bff380d069289a9defbf2241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 15:09:31 +0000 +Subject: afs: Fix overwriting of result of DNS query + +From: David Howells + +[ Upstream commit a9e01ac8c5ff32669119c40dfdc9e80eb0b7d7aa ] + +In afs_update_cell(), ret is the result of the DNS lookup and the errors +are to be handled by a switch - however, the value gets clobbered in +between by setting it to -ENOMEM in case afs_alloc_vlserver_list() +fails. + +Fix this by moving the setting of -ENOMEM into the error handling for +OOM failure. Further, only do it if we don't have an alternative error +to return. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. Based +on a patch from Anastasia Belova [1]. + +Fixes: d5c32c89b208 ("afs: Fix cell DNS lookup") +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Anastasia Belova +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +cc: lvc-project@linuxtesting.org +Link: https://lore.kernel.org/r/20231221085849.1463-1-abelova@astralinux.ru/ [1] +Link: https://lore.kernel.org/r/1700862.1703168632@warthog.procyon.org.uk/ # v1 +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index 887b673f62230..cfd3c4dabdb2c 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -407,10 +407,12 @@ static int afs_update_cell(struct afs_cell *cell) + if (ret == -ENOMEM) + goto out_wake; + +- ret = -ENOMEM; + vllist = afs_alloc_vlserver_list(0); +- if (!vllist) ++ if (!vllist) { ++ if (ret >= 0) ++ ret = -ENOMEM; + goto out_wake; ++ } + + switch (ret) { + case -ENODATA: +-- +2.43.0 + diff --git a/queue-5.10/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch b/queue-5.10/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch new file mode 100644 index 00000000000..341e3f19d79 --- /dev/null +++ b/queue-5.10/afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch @@ -0,0 +1,53 @@ +From 5a0facad5660e910f9a957be1a0b60e6d342baa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 15:08:57 +0000 +Subject: afs: Fix the dynamic root's d_delete to always delete unused dentries + +From: David Howells + +[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ] + +Fix the afs dynamic root's d_delete function to always delete unused +dentries rather than only deleting them if they're positive. With things +as they stand upstream, negative dentries stemming from failed DNS lookups +stick around preventing retries. + +Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables") +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index b35c6081dbfe1..4ddc4846a8072 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -251,20 +251,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags) + return 1; + } + +-/* +- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't +- * sleep) +- * - called from dput() when d_count is going to 0. +- * - return 1 to request dentry be unhashed, 0 otherwise +- */ +-static int afs_dynroot_d_delete(const struct dentry *dentry) +-{ +- return d_really_is_positive(dentry); +-} +- + const struct dentry_operations afs_dynroot_dentry_operations = { + .d_revalidate = afs_dynroot_d_revalidate, +- .d_delete = afs_dynroot_d_delete, ++ .d_delete = always_delete_dentry, + .d_release = afs_d_release, + .d_automount = afs_d_automount, + }; +-- +2.43.0 + diff --git a/queue-5.10/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch b/queue-5.10/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch new file mode 100644 index 00000000000..28cc430f50f --- /dev/null +++ b/queue-5.10/arm-omap2-fix-null-pointer-dereference-and-memory-le.patch @@ -0,0 +1,50 @@ +From 2bbe5299177d5c678ea6abf77d93071128fb6fd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 22:52:37 +0800 +Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in + omap_soc_device_init + +From: Kunwu Chan + +[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ] + +kasprintf() returns a pointer to dynamically allocated memory which can +be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger +the null pointer dereference issue, such as in 'soc_info_show'. + +And when 'soc_device_register' fails, it's necessary to release +'soc_dev_attr->family' to avoid memory leaks. + +Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace") +Signed-off-by: Kunwu Chan +Message-ID: <20231123145237.609442-1-chentao@kylinos.cn> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/id.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c +index 59755b5a1ad7a..75091aa7269ae 100644 +--- a/arch/arm/mach-omap2/id.c ++++ b/arch/arm/mach-omap2/id.c +@@ -793,11 +793,16 @@ void __init omap_soc_device_init(void) + + soc_dev_attr->machine = soc_name; + soc_dev_attr->family = omap_get_family(); ++ if (!soc_dev_attr->family) { ++ kfree(soc_dev_attr); ++ return; ++ } + soc_dev_attr->revision = soc_rev; + soc_dev_attr->custom_attr_group = omap_soc_groups[0]; + + soc_dev = soc_device_register(soc_dev_attr); + if (IS_ERR(soc_dev)) { ++ kfree(soc_dev_attr->family); + kfree(soc_dev_attr); + return; + } +-- +2.43.0 + diff --git a/queue-5.10/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch b/queue-5.10/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch new file mode 100644 index 00000000000..419114ef5be --- /dev/null +++ b/queue-5.10/ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch @@ -0,0 +1,44 @@ +From 0da3760a9ddabcc3f9c0200132d03b0e77ea6761 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 21:04:04 +0800 +Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources + +From: Zhipeng Lu + +[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ] + +In the error handling of 'offset > adapter->ring_size', the +tx_ring->tx_buffer allocated by kzalloc should be freed, +instead of 'goto failed' instantly. + +Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver") +Signed-off-by: Zhipeng Lu +Reviewed-by: Suman Ghosh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +index 696ce3c5a8ba3..e8772972bc2f0 100644 +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -866,10 +866,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter) + netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n", + offset, adapter->ring_size); + err = -1; +- goto failed; ++ goto free_buffer; + } + + return 0; ++free_buffer: ++ kfree(tx_ring->tx_buffer); ++ tx_ring->tx_buffer = NULL; + failed: + if (adapter->ring_vir_addr != NULL) { + dma_free_coherent(&pdev->dev, adapter->ring_size, +-- +2.43.0 + diff --git a/queue-5.10/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch b/queue-5.10/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch new file mode 100644 index 00000000000..0895c284ece --- /dev/null +++ b/queue-5.10/keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch @@ -0,0 +1,281 @@ +From 44c3ac48d31fcd4fdaab9b73670f653c7ce083cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 00:41:55 +0000 +Subject: keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on + expiry + +From: David Howells + +[ Upstream commit 39299bdd2546688d92ed9db4948f6219ca1b9542 ] + +If a key has an expiration time, then when that time passes, the key is +left around for a certain amount of time before being collected (5 mins by +default) so that EKEYEXPIRED can be returned instead of ENOKEY. This is a +problem for DNS keys because we want to redo the DNS lookup immediately at +that point. + +Fix this by allowing key types to be marked such that keys of that type +don't have this extra period, but are reclaimed as soon as they expire and +turn this on for dns_resolver-type keys. To make this easier to handle, +key->expiry is changed to be permanent if TIME64_MAX rather than 0. + +Furthermore, give such new-style negative DNS results a 1s default expiry +if no other expiry time is set rather than allowing it to stick around +indefinitely. This shouldn't be zero as ls will follow a failing stat call +immediately with a second with AT_SYMLINK_NOFOLLOW added. + +Fixes: 1a4240f4764a ("DNS: Separate out CIFS DNS Resolver code") +Signed-off-by: David Howells +Tested-by: Markus Suvanto +cc: Wang Lei +cc: Jeff Layton +cc: Steve French +cc: Marc Dionne +cc: Jarkko Sakkinen +cc: "David S. Miller" +cc: Eric Dumazet +cc: Jakub Kicinski +cc: Paolo Abeni +cc: linux-afs@lists.infradead.org +cc: linux-cifs@vger.kernel.org +cc: linux-nfs@vger.kernel.org +cc: ceph-devel@vger.kernel.org +cc: keyrings@vger.kernel.org +cc: netdev@vger.kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/key-type.h | 1 + + net/dns_resolver/dns_key.c | 10 +++++++++- + security/keys/gc.c | 31 +++++++++++++++++++++---------- + security/keys/internal.h | 11 ++++++++++- + security/keys/key.c | 15 +++++---------- + security/keys/proc.c | 2 +- + 6 files changed, 47 insertions(+), 23 deletions(-) + +diff --git a/include/linux/key-type.h b/include/linux/key-type.h +index 2ab2d6d6aeab8..7de851a9af8f3 100644 +--- a/include/linux/key-type.h ++++ b/include/linux/key-type.h +@@ -72,6 +72,7 @@ struct key_type { + + unsigned int flags; + #define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */ ++#define KEY_TYPE_INSTANT_REAP 0x00000002 /* Keys of this type don't have a delay after expiring */ + + /* vet a description */ + int (*vet_description)(const char *description); +diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c +index 3aced951d5ab8..03f8f33dc134c 100644 +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -91,6 +91,7 @@ const struct cred *dns_resolver_cache; + static int + dns_resolver_preparse(struct key_preparsed_payload *prep) + { ++ const struct dns_server_list_v1_header *v1; + const struct dns_payload_header *bin; + struct user_key_payload *upayload; + unsigned long derrno; +@@ -122,6 +123,13 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) + return -EINVAL; + } + ++ v1 = (const struct dns_server_list_v1_header *)bin; ++ if ((v1->status != DNS_LOOKUP_GOOD && ++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) { ++ if (prep->expiry == TIME64_MAX) ++ prep->expiry = ktime_get_real_seconds() + 1; ++ } ++ + result_len = datalen; + goto store_result; + } +@@ -314,7 +322,7 @@ static long dns_resolver_read(const struct key *key, + + struct key_type key_type_dns_resolver = { + .name = "dns_resolver", +- .flags = KEY_TYPE_NET_DOMAIN, ++ .flags = KEY_TYPE_NET_DOMAIN | KEY_TYPE_INSTANT_REAP, + .preparse = dns_resolver_preparse, + .free_preparse = dns_resolver_free_preparse, + .instantiate = generic_key_instantiate, +diff --git a/security/keys/gc.c b/security/keys/gc.c +index 3c90807476eb0..eaddaceda14ea 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -66,6 +66,19 @@ void key_schedule_gc(time64_t gc_at) + } + } + ++/* ++ * Set the expiration time on a key. ++ */ ++void key_set_expiry(struct key *key, time64_t expiry) ++{ ++ key->expiry = expiry; ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ key_schedule_gc(expiry); ++ } ++} ++ + /* + * Schedule a dead links collection run. + */ +@@ -176,7 +189,6 @@ static void key_garbage_collector(struct work_struct *work) + static u8 gc_state; /* Internal persistent state */ + #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */ + #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */ +-#define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */ + #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */ + #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */ + #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */ +@@ -184,21 +196,17 @@ static void key_garbage_collector(struct work_struct *work) + + struct rb_node *cursor; + struct key *key; +- time64_t new_timer, limit; ++ time64_t new_timer, limit, expiry; + + kenter("[%lx,%x]", key_gc_flags, gc_state); + + limit = ktime_get_real_seconds(); +- if (limit > key_gc_delay) +- limit -= key_gc_delay; +- else +- limit = key_gc_delay; + + /* Work out what we're going to be doing in this pass */ + gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2; + gc_state <<= 1; + if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags)) +- gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER; ++ gc_state |= KEY_GC_REAPING_LINKS; + + if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) + gc_state |= KEY_GC_REAPING_DEAD_1; +@@ -233,8 +241,11 @@ static void key_garbage_collector(struct work_struct *work) + } + } + +- if (gc_state & KEY_GC_SET_TIMER) { +- if (key->expiry > limit && key->expiry < new_timer) { ++ expiry = key->expiry; ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ if (expiry > limit && expiry < new_timer) { + kdebug("will expire %x in %lld", + key_serial(key), key->expiry - limit); + new_timer = key->expiry; +@@ -276,7 +287,7 @@ static void key_garbage_collector(struct work_struct *work) + */ + kdebug("pass complete"); + +- if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) { ++ if (new_timer != TIME64_MAX) { + new_timer += key_gc_delay; + key_schedule_gc(new_timer); + } +diff --git a/security/keys/internal.h b/security/keys/internal.h +index 9b9cf3b6fcbb4..bede6c71ffd97 100644 +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -176,6 +176,7 @@ extern unsigned key_gc_delay; + extern void keyring_gc(struct key *keyring, time64_t limit); + extern void keyring_restriction_gc(struct key *keyring, + struct key_type *dead_type); ++void key_set_expiry(struct key *key, time64_t expiry); + extern void key_schedule_gc(time64_t gc_at); + extern void key_schedule_gc_links(void); + extern void key_gc_keytype(struct key_type *ktype); +@@ -224,10 +225,18 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id); + */ + static inline bool key_is_dead(const struct key *key, time64_t limit) + { ++ time64_t expiry = key->expiry; ++ ++ if (expiry != TIME64_MAX) { ++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) ++ expiry += key_gc_delay; ++ if (expiry <= limit) ++ return true; ++ } ++ + return + key->flags & ((1 << KEY_FLAG_DEAD) | + (1 << KEY_FLAG_INVALIDATED)) || +- (key->expiry > 0 && key->expiry <= limit) || + key->domain_tag->removed; + } + +diff --git a/security/keys/key.c b/security/keys/key.c +index 151ff39b68030..67ad0826e385c 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -294,6 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc, + key->uid = uid; + key->gid = gid; + key->perm = perm; ++ key->expiry = TIME64_MAX; + key->restrict_link = restrict_link; + key->last_used_at = ktime_get_real_seconds(); + +@@ -463,10 +464,7 @@ static int __key_instantiate_and_link(struct key *key, + if (authkey) + key_invalidate(authkey); + +- if (prep->expiry != TIME64_MAX) { +- key->expiry = prep->expiry; +- key_schedule_gc(prep->expiry + key_gc_delay); +- } ++ key_set_expiry(key, prep->expiry); + } + } + +@@ -605,8 +603,7 @@ int key_reject_and_link(struct key *key, + atomic_inc(&key->user->nikeys); + mark_key_instantiated(key, -error); + notify_key(key, NOTIFY_KEY_INSTANTIATED, -error); +- key->expiry = ktime_get_real_seconds() + timeout; +- key_schedule_gc(key->expiry + key_gc_delay); ++ key_set_expiry(key, ktime_get_real_seconds() + timeout); + + if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) + awaken = 1; +@@ -721,16 +718,14 @@ struct key_type *key_type_lookup(const char *type) + + void key_set_timeout(struct key *key, unsigned timeout) + { +- time64_t expiry = 0; ++ time64_t expiry = TIME64_MAX; + + /* make the changes with the locks held to prevent races */ + down_write(&key->sem); + + if (timeout > 0) + expiry = ktime_get_real_seconds() + timeout; +- +- key->expiry = expiry; +- key_schedule_gc(key->expiry + key_gc_delay); ++ key_set_expiry(key, expiry); + + up_write(&key->sem); + } +diff --git a/security/keys/proc.c b/security/keys/proc.c +index d0cde6685627f..4f4e2c1824f18 100644 +--- a/security/keys/proc.c ++++ b/security/keys/proc.c +@@ -198,7 +198,7 @@ static int proc_keys_show(struct seq_file *m, void *v) + + /* come up with a suitable timeout value */ + expiry = READ_ONCE(key->expiry); +- if (expiry == 0) { ++ if (expiry == TIME64_MAX) { + memcpy(xbuf, "perm", 5); + } else if (now >= expiry) { + memcpy(xbuf, "expd", 5); +-- +2.43.0 + diff --git a/queue-5.10/net-check-dev-gso_max_size-in-gso_features_check.patch b/queue-5.10/net-check-dev-gso_max_size-in-gso_features_check.patch new file mode 100644 index 00000000000..c2bf2c1bcf2 --- /dev/null +++ b/queue-5.10/net-check-dev-gso_max_size-in-gso_features_check.patch @@ -0,0 +1,49 @@ +From 1015b4ae9f14105eae11809c14beb381b0054a52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 12:53:31 +0000 +Subject: net: check dev->gso_max_size in gso_features_check() + +From: Eric Dumazet + +[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ] + +Some drivers might misbehave if TSO packets get too big. + +GVE for instance uses a 16bit field in its TX descriptor, +and will do bad things if a packet is bigger than 2^16 bytes. + +Linux TCP stack honors dev->gso_max_size, but there are +other ways for too big packets to reach an ndo_start_xmit() +handler : virtio_net, af_packet, GRO... + +Add a generic check in gso_features_check() and fallback +to GSO when needed. + +gso_max_size was added in the blamed commit. + +Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 34f80946d2c72..fc881d60a9dcc 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3523,6 +3523,9 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb, + if (gso_segs > dev->gso_max_segs) + return features & ~NETIF_F_GSO_MASK; + ++ if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size))) ++ return features & ~NETIF_F_GSO_MASK; ++ + if (!skb_shinfo(skb)->gso_type) { + skb_warn_bad_offload(skb); + return features & ~NETIF_F_GSO_MASK; +-- +2.43.0 + diff --git a/queue-5.10/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch b/queue-5.10/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch new file mode 100644 index 00000000000..91a11fd7935 --- /dev/null +++ b/queue-5.10/net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch @@ -0,0 +1,99 @@ +From a20d243e2e0a8471a92accfe9912c39c0d564413 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 15:52:18 +0800 +Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and + vlan_vids_del_by_dev() + +From: Liu Jian + +[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ] + +I got the below warning trace: + +WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify +CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0 +Call Trace: + rtnl_dellink + rtnetlink_rcv_msg + netlink_rcv_skb + netlink_unicast + netlink_sendmsg + __sock_sendmsg + ____sys_sendmsg + ___sys_sendmsg + __sys_sendmsg + do_syscall_64 + entry_SYSCALL_64_after_hwframe + +It can be repoduced via: + + ip netns add ns1 + ip netns exec ns1 ip link add bond0 type bond mode 0 + ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2 + ip netns exec ns1 ip link set bond_slave_1 master bond0 +[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off +[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0 +[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0 +[4] ip netns exec ns1 ip link set bond_slave_1 nomaster +[5] ip netns exec ns1 ip link del veth2 + ip netns del ns1 + +This is all caused by command [1] turning off the rx-vlan-filter function +of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix +incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands +[2] [3] add the same vid to slave and master respectively, causing +command [4] to empty slave->vlan_info. The following command [5] triggers +this problem. + +To fix this problem, we should add VLAN_FILTER feature checks in +vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect +addition or deletion of vlan_vid information. + +Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device") +Signed-off-by: Liu Jian +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c +index 78ec2e1b14d15..43aea97c57620 100644 +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -406,6 +406,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + return 0; + + list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + err = vlan_vid_add(dev, vid_info->proto, vid_info->vid); + if (err) + goto unwind; +@@ -416,6 +418,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, + list_for_each_entry_continue_reverse(vid_info, + &vlan_info->vid_list, + list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); + } + +@@ -435,8 +439,11 @@ void vlan_vids_del_by_dev(struct net_device *dev, + if (!vlan_info) + return; + +- list_for_each_entry(vid_info, &vlan_info->vid_list, list) ++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) { ++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) ++ continue; + vlan_vid_del(dev, vid_info->proto, vid_info->vid); ++ } + } + EXPORT_SYMBOL(vlan_vids_del_by_dev); + +-- +2.43.0 + diff --git a/queue-5.10/net-mlx5-fix-fw-tracer-first-block-check.patch b/queue-5.10/net-mlx5-fix-fw-tracer-first-block-check.patch new file mode 100644 index 00000000000..204d4c96aad --- /dev/null +++ b/queue-5.10/net-mlx5-fix-fw-tracer-first-block-check.patch @@ -0,0 +1,39 @@ +From 9a52f55deb620ca900cfa0e50952b05edf92a631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 11:30:34 +0200 +Subject: net/mlx5: Fix fw tracer first block check + +From: Moshe Shemesh + +[ Upstream commit 4261edf11cb7c9224af713a102e5616329306932 ] + +While handling new traces, to verify it is not the first block being +written, last_timestamp is checked. But instead of checking it is non +zero it is verified to be zero. Fix to verify last_timestamp is not +zero. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Moshe Shemesh +Reviewed-by: Feras Daoud +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index 86088ccab23aa..d49fd21f49637 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -691,7 +691,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work) + + while (block_timestamp > tracer->last_timestamp) { + /* Check block override if it's not the first block */ +- if (!tracer->last_timestamp) { ++ if (tracer->last_timestamp) { + u64 *ts_event; + /* To avoid block override be the HW in case of buffer + * wraparound, the time stamp of the previous block +-- +2.43.0 + diff --git a/queue-5.10/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch b/queue-5.10/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch new file mode 100644 index 00000000000..d1bc74638c9 --- /dev/null +++ b/queue-5.10/net-mlx5e-correct-snprintf-truncation-handling-for-f.patch @@ -0,0 +1,41 @@ +From a451fbf08db3fb8d7583f25df0198c82efe073af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 15:00:22 -0800 +Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer + used by representors + +From: Rahul Rameshbabu + +[ Upstream commit b13559b76157de9d74f04d3ca0e49d69de3b5675 ] + +snprintf returns the length of the formatted string, excluding the trailing +null, without accounting for truncation. This means that is the return +value is greater than or equal to the size parameter, the fw_version string +was truncated. + +Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf +Fixes: 1b2bd0c0264f ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index f9f1a79d6bddb..6512bb231e7e0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -68,7 +68,7 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev, + count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d (%.16s)", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id); +- if (count == sizeof(drvinfo->fw_version)) ++ if (count >= sizeof(drvinfo->fw_version)) + snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version), + "%d.%d.%04d", fw_rev_maj(mdev), + fw_rev_min(mdev), fw_rev_sub(mdev)); +-- +2.43.0 + diff --git a/queue-5.10/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch b/queue-5.10/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch new file mode 100644 index 00000000000..22b7edd7ca4 --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch @@ -0,0 +1,58 @@ +From 2088cdde47fa2ae96685a91481b19cb027fb7eb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 01:46:56 -0800 +Subject: net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() + +From: Shifeng Li + +[ Upstream commit ddb38ddff9c71026bad481b791a94d446ee37603 ] + +Out_sz that the size of out buffer is calculated using query_nic_vport +_context_in structure when driver query the MAC list. However query_nic +_vport_context_in structure is smaller than query_nic_vport_context_out. +When allowed_list_size is greater than 96, calling ether_addr_copy() will +trigger an slab-out-of-bounds. + +[ 1170.055866] BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core] +[ 1170.055869] Read of size 4 at addr ffff88bdbc57d912 by task kworker/u128:1/461 +[ 1170.055870] +[ 1170.055932] Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core] +[ 1170.055936] Call Trace: +[ 1170.055949] dump_stack+0x8b/0xbb +[ 1170.055958] print_address_description+0x6a/0x270 +[ 1170.055961] kasan_report+0x179/0x2c0 +[ 1170.056061] mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core] +[ 1170.056162] esw_update_vport_addr_list+0x2c5/0xcd0 [mlx5_core] +[ 1170.056257] esw_vport_change_handle_locked+0xd08/0x1a20 [mlx5_core] +[ 1170.056377] esw_vport_change_handler+0x6b/0x90 [mlx5_core] +[ 1170.056381] process_one_work+0x65f/0x12d0 +[ 1170.056383] worker_thread+0x87/0xb50 +[ 1170.056390] kthread+0x2e9/0x3a0 +[ 1170.056394] ret_from_fork+0x1f/0x40 + +Fixes: e16aea2744ab ("net/mlx5: Introduce access functions to modify/query vport mac lists") +Cc: Ding Hui +Signed-off-by: Shifeng Li +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/vport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +index fc91bbf7d0c37..e77cf11356c07 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +@@ -276,7 +276,7 @@ int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev, + req_list_size = max_list_size; + } + +- out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_in) + ++ out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_out) + + req_list_size * MLX5_ST_SZ_BYTES(mac_address_layout); + + out = kzalloc(out_sz, GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-5.10/net-rose-fix-races-in-rose_kill_by_device.patch b/queue-5.10/net-rose-fix-races-in-rose_kill_by_device.patch new file mode 100644 index 00000000000..6c3709f79b9 --- /dev/null +++ b/queue-5.10/net-rose-fix-races-in-rose_kill_by_device.patch @@ -0,0 +1,177 @@ +From c661049eea0de8d8cc5c09056285593cf3c26b82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 15:27:47 +0000 +Subject: net/rose: fix races in rose_kill_by_device() + +From: Eric Dumazet + +[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ] + +syzbot found an interesting netdev refcounting issue in +net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1] + +Problem is that rose_kill_by_device() can change rose->device +while other threads do not expect the pointer to be changed. + +We have to first collect sockets in a temporary array, +then perform the changes while holding the socket +lock and rose_list_lock spinlock (in this order) + +Change rose_release() to also acquire rose_list_lock +before releasing the netdev refcount. + +[1] + +[ 1185.055088][ T7889] ref_tracker: reference already released. +[ 1185.061476][ T7889] ref_tracker: allocated in: +[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10 +[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220 +[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0 +[ 1185.079356][ T7889] do_syscall_64+0x40/0x110 +[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b +[ 1185.089835][ T7889] ref_tracker: freed in: +[ 1185.094088][ T7889] rose_release+0x2f5/0x570 +[ 1185.098629][ T7889] __sock_release+0xae/0x260 +[ 1185.103262][ T7889] sock_close+0x1c/0x20 +[ 1185.107453][ T7889] __fput+0x270/0xbb0 +[ 1185.111467][ T7889] task_work_run+0x14d/0x240 +[ 1185.116085][ T7889] get_signal+0x106f/0x2790 +[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0 +[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240 +[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60 +[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110 +[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b +[ 1185.148085][ T7889] ------------[ cut here ]------------ + +WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255 +Modules linked in: +CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255 +Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44 +RSP: 0018:ffffc90004917850 EFLAGS: 00010202 +RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000 +RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001 +RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6 +R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c +R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff +FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +netdev_tracker_free include/linux/netdevice.h:4127 [inline] +netdev_put include/linux/netdevice.h:4144 [inline] +netdev_put include/linux/netdevice.h:4140 [inline] +rose_kill_by_device net/rose/af_rose.c:195 [inline] +rose_device_event+0x25d/0x330 net/rose/af_rose.c:218 +notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93 +call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967 +call_netdevice_notifiers_extack net/core/dev.c:2005 [inline] +call_netdevice_notifiers net/core/dev.c:2019 [inline] +__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646 +dev_change_flags+0x122/0x170 net/core/dev.c:8682 +dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529 +dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786 +sock_do_ioctl+0x198/0x270 net/socket.c:1234 +sock_ioctl+0x22e/0x6b0 net/socket.c:1339 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:871 [inline] +__se_sys_ioctl fs/ioctl.c:857 [inline] +__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7f0a7147cba9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9 +RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004 +RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Bernard Pidoux +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index b3e7a92f1ec19..1d95ff34b13c9 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -181,21 +181,47 @@ void rose_kill_by_neigh(struct rose_neigh *neigh) + */ + static void rose_kill_by_device(struct net_device *dev) + { +- struct sock *s; ++ struct sock *sk, *array[16]; ++ struct rose_sock *rose; ++ bool rescan; ++ int i, cnt; + ++start: ++ rescan = false; ++ cnt = 0; + spin_lock_bh(&rose_list_lock); +- sk_for_each(s, &rose_list) { +- struct rose_sock *rose = rose_sk(s); ++ sk_for_each(sk, &rose_list) { ++ rose = rose_sk(sk); ++ if (rose->device == dev) { ++ if (cnt == ARRAY_SIZE(array)) { ++ rescan = true; ++ break; ++ } ++ sock_hold(sk); ++ array[cnt++] = sk; ++ } ++ } ++ spin_unlock_bh(&rose_list_lock); + ++ for (i = 0; i < cnt; i++) { ++ sk = array[cnt]; ++ rose = rose_sk(sk); ++ lock_sock(sk); ++ spin_lock_bh(&rose_list_lock); + if (rose->device == dev) { +- rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); ++ rose_disconnect(sk, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); + if (rose->neighbour) + rose->neighbour->use--; + dev_put(rose->device); + rose->device = NULL; + } ++ spin_unlock_bh(&rose_list_lock); ++ release_sock(sk); ++ sock_put(sk); ++ cond_resched(); + } +- spin_unlock_bh(&rose_list_lock); ++ if (rescan) ++ goto start; + } + + /* +@@ -655,7 +681,10 @@ static int rose_release(struct socket *sock) + break; + } + ++ spin_lock_bh(&rose_list_lock); + dev_put(rose->device); ++ rose->device = NULL; ++ spin_unlock_bh(&rose_list_lock); + sock->sk = NULL; + release_sock(sk); + sock_put(sk); +-- +2.43.0 + diff --git a/queue-5.10/net-sched-ife-fix-potential-use-after-free.patch b/queue-5.10/net-sched-ife-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..09de2c249ef --- /dev/null +++ b/queue-5.10/net-sched-ife-fix-potential-use-after-free.patch @@ -0,0 +1,238 @@ +From 913eb40ba063c90d0c14ede11d96167bf6750eb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 11:30:38 +0000 +Subject: net: sched: ife: fix potential use-after-free + +From: Eric Dumazet + +[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ] + +ife_decode() calls pskb_may_pull() two times, we need to reload +ifehdr after the second one, or risk use-after-free as reported +by syzbot: + +BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline] +BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323 + +CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 +print_address_description mm/kasan/report.c:364 [inline] +print_report+0xc4/0x620 mm/kasan/report.c:475 +kasan_report+0xda/0x110 mm/kasan/report.c:588 +__ife_tlv_meta_valid net/ife/ife.c:108 [inline] +ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131 +tcf_ife_decode net/sched/act_ife.c:739 [inline] +tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] +packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7fe9acc7cae9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9 +RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014 +R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78 + + +Allocated by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +____kasan_kmalloc mm/kasan/common.c:374 [inline] +__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383 +kasan_kmalloc include/linux/kasan.h:198 [inline] +__do_kmalloc_node mm/slab_common.c:1007 [inline] +__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Freed by task 22323: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 +kasan_set_track+0x25/0x30 mm/kasan/common.c:52 +kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 +____kasan_slab_free mm/kasan/common.c:236 [inline] +____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200 +kasan_slab_free include/linux/kasan.h:164 [inline] +slab_free_hook mm/slub.c:1800 [inline] +slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826 +slab_free mm/slub.c:3809 [inline] +__kmem_cache_free+0xc0/0x180 mm/slub.c:3822 +skb_kfree_head net/core/skbuff.c:950 [inline] +skb_free_head+0x110/0x1b0 net/core/skbuff.c:962 +pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130 +__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655 +pskb_may_pull_reason include/linux/skbuff.h:2685 [inline] +pskb_may_pull include/linux/skbuff.h:2693 [inline] +ife_decode+0x394/0x4f0 net/ife/ife.c:82 +tcf_ife_decode net/sched/act_ife.c:727 [inline] +tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879 +tc_act include/net/tc_wrapper.h:221 [inline] +tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079 +tcf_exts_exec include/net/pkt_cls.h:344 [inline] +mall_classify+0x201/0x310 net/sched/cls_matchall.c:42 +tc_classify include/net/tc_wrapper.h:227 [inline] +__tcf_classify net/sched/cls_api.c:1703 [inline] +tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800 +hfsc_classify net/sched/sch_hfsc.c:1147 [inline] +hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546 +dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739 +__dev_xmit_skb net/core/dev.c:3828 [inline] +__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311 +dev_queue_xmit include/linux/netdevice.h:3165 [inline] +packet_xmit+0x237/0x350 net/packet/af_packet.c:276 +packet_snd net/packet/af_packet.c:3081 [inline] +packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +__do_sys_sendto net/socket.c:2202 [inline] +__se_sys_sendto net/socket.c:2198 [inline] +__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +The buggy address belongs to the object at ffff88802d730000 +which belongs to the cache kmalloc-8k of size 8192 +The buggy address is located 164 bytes inside of +freed 8192-byte region [ffff88802d730000, ffff88802d732000) + +The buggy address belongs to the physical page: +page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730 +head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) +page_type: 0xffffffff() +raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461 +set_page_owner include/linux/page_owner.h:31 [inline] +post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544 +prep_new_page mm/page_alloc.c:1551 [inline] +get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319 +__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575 +alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133 +alloc_slab_page mm/slub.c:1870 [inline] +allocate_slab mm/slub.c:2017 [inline] +new_slab+0x283/0x3c0 mm/slub.c:2070 +___slab_alloc+0x979/0x1500 mm/slub.c:3223 +__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322 +__slab_alloc_node mm/slub.c:3375 [inline] +slab_alloc_node mm/slub.c:3468 [inline] +__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517 +__do_kmalloc_node mm/slab_common.c:1006 [inline] +__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027 +kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582 +__alloc_skb+0x12b/0x330 net/core/skbuff.c:651 +alloc_skb include/linux/skbuff.h:1298 [inline] +alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331 +sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780 +packet_alloc_skb net/packet/af_packet.c:2930 [inline] +packet_snd net/packet/af_packet.c:3024 [inline] +packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg+0xd5/0x180 net/socket.c:745 +__sys_sendto+0x255/0x340 net/socket.c:2190 +page last free stack trace: +reset_page_owner include/linux/page_owner.h:24 [inline] +free_pages_prepare mm/page_alloc.c:1144 [inline] +free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354 +free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494 +__unfreeze_partials+0x226/0x240 mm/slub.c:2655 +qlink_free mm/kasan/quarantine.c:168 [inline] +qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 +kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294 +__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305 +kasan_slab_alloc include/linux/kasan.h:188 [inline] +slab_post_alloc_hook mm/slab.h:763 [inline] +slab_alloc_node mm/slub.c:3478 [inline] +slab_alloc mm/slub.c:3486 [inline] +__kmem_cache_alloc_lru mm/slub.c:3493 [inline] +kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509 +alloc_inode_sb include/linux/fs.h:2937 [inline] +ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408 +alloc_inode+0x5d/0x220 fs/inode.c:261 +new_inode_pseudo fs/inode.c:1006 [inline] +new_inode+0x22/0x260 fs/inode.c:1032 +__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958 +ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398 +vfs_symlink fs/namei.c:4464 [inline] +vfs_symlink+0x3e5/0x620 fs/namei.c:4448 +do_symlinkat+0x25f/0x310 fs/namei.c:4490 +__do_sys_symlinkat fs/namei.c:4506 [inline] +__se_sys_symlinkat fs/namei.c:4503 [inline] +__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 + +Fixes: d57493d6d1be ("net: sched: ife: check on metadata length") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jamal Hadi Salim +Cc: Alexander Aring +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ife/ife.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ife/ife.c b/net/ife/ife.c +index 13bbf8cb6a396..be05b690b9ef2 100644 +--- a/net/ife/ife.c ++++ b/net/ife/ife.c +@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) + if (unlikely(!pskb_may_pull(skb, total_pull))) + return NULL; + ++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len); + skb_set_mac_header(skb, total_pull); + __skb_pull(skb, total_pull); + *metalen = ifehdrln - IFE_METAHDRLEN; +-- +2.43.0 + diff --git a/queue-5.10/net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch b/queue-5.10/net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch new file mode 100644 index 00000000000..7f588b0e86e --- /dev/null +++ b/queue-5.10/net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch @@ -0,0 +1,49 @@ +From aaf62dd7819e63cd17e9c5254fc7f5cdc70bab72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Nov 2020 00:22:20 +0100 +Subject: net: warn if gso_type isn't set for a GSO SKB + +From: Heiner Kallweit + +[ Upstream commit 1d155dfdf50efc2b0793bce93c06d1a5b23d0877 ] + +In bug report [0] a warning in r8169 driver was reported that was +caused by an invalid GSO SKB (gso_type was 0). See [1] for a discussion +about this issue. Still the origin of the invalid GSO SKB isn't clear. + +It shouldn't be a network drivers task to check for invalid GSO SKB's. +Also, even if issue [0] can be fixed, we can't be sure that a +similar issue doesn't pop up again at another place. +Therefore let gso_features_check() check for such invalid GSO SKB's. + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=209423 +[1] https://www.spinics.net/lists/netdev/msg690794.html + +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/97c78d21-7f0b-d843-df17-3589f224d2cf@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()") +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 3fc27b52bf429..34f80946d2c72 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3523,6 +3523,11 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb, + if (gso_segs > dev->gso_max_segs) + return features & ~NETIF_F_GSO_MASK; + ++ if (!skb_shinfo(skb)->gso_type) { ++ skb_warn_bad_offload(skb); ++ return features & ~NETIF_F_GSO_MASK; ++ } ++ + /* Support for GSO partial features requires software + * intervention before we can actually process the packets + * so we need to strip support for any partial features now +-- +2.43.0 + diff --git a/queue-5.10/reset-fix-crash-when-freeing-non-existent-optional-r.patch b/queue-5.10/reset-fix-crash-when-freeing-non-existent-optional-r.patch new file mode 100644 index 00000000000..d5a95edcd0b --- /dev/null +++ b/queue-5.10/reset-fix-crash-when-freeing-non-existent-optional-r.patch @@ -0,0 +1,50 @@ +From ef8d1293922abb236a75eec67fe405cad069ee97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 17:55:33 +0100 +Subject: reset: Fix crash when freeing non-existent optional resets + +From: Geert Uytterhoeven + +[ Upstream commit 4a6756f56bcf8e64c87144a626ce53aea4899c0e ] + +When obtaining one or more optional resets, non-existent resets are +stored as NULL pointers, and all related error and cleanup paths need to +take this into account. + +Currently only reset_control_put() and reset_control_bulk_put() +get this right. All of __reset_control_bulk_get(), +of_reset_control_array_get(), and reset_control_array_put() lack the +proper checking, causing NULL pointer dereferences on failure or +release. + +Fix this by moving the existing check from reset_control_bulk_put() to +__reset_control_put_internal(), so it applies to all callers. +The double check in reset_control_put() doesn't hurt. + +Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets") +Fixes: 48d71395896d54ee ("reset: Add reset_control_bulk API") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/2440edae7ca8534628cdbaf559ded288f2998178.1701276806.git.geert+renesas@glider.be +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/reset/core.c b/drivers/reset/core.c +index f93388b9a4a1f..662867435fbe8 100644 +--- a/drivers/reset/core.c ++++ b/drivers/reset/core.c +@@ -599,6 +599,9 @@ static void __reset_control_put_internal(struct reset_control *rstc) + { + lockdep_assert_held(&reset_list_mutex); + ++ if (IS_ERR_OR_NULL(rstc)) ++ return; ++ + kref_put(&rstc->refcnt, __reset_control_release); + } + +-- +2.43.0 + diff --git a/queue-5.10/revert-net-mlx5e-fix-double-free-of-encap_header.patch b/queue-5.10/revert-net-mlx5e-fix-double-free-of-encap_header.patch new file mode 100644 index 00000000000..0b6061f1b64 --- /dev/null +++ b/queue-5.10/revert-net-mlx5e-fix-double-free-of-encap_header.patch @@ -0,0 +1,67 @@ +From c7e683aaaf6e3037be820c297419395bc80ebdc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 13:52:28 +0100 +Subject: Revert "net/mlx5e: fix double free of encap_header" + +From: Vlad Buslov + +[ Upstream commit 5d089684dc434a31e08d32f0530066d0025c52e4 ] + +This reverts commit 6f9b1a0731662648949a1c0587f6acb3b7f8acf1. + +This patch is causing a null ptr issue, the proper fix is in the next +patch. + +Fixes: 6f9b1a073166 ("net/mlx5e: fix double free of encap_header") +Signed-off-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +index 05bcd69994eca..90930e54b6f28 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -267,6 +267,9 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv, + if (err) + goto destroy_neigh_entry; + ++ e->encap_size = ipv4_encap_size; ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(n, NULL); + /* the encap entry will be made valid on neigh update event +@@ -283,8 +286,6 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv, + goto destroy_neigh_entry; + } + +- e->encap_size = ipv4_encap_size; +- e->encap_header = encap_header; + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(out_dev)); + mlx5e_route_lookup_ipv4_put(route_dev, n); +@@ -430,6 +431,9 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv, + if (err) + goto destroy_neigh_entry; + ++ e->encap_size = ipv6_encap_size; ++ e->encap_header = encap_header; ++ + if (!(nud_state & NUD_VALID)) { + neigh_event_send(n, NULL); + /* the encap entry will be made valid on neigh update event +@@ -447,8 +451,6 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv, + goto destroy_neigh_entry; + } + +- e->encap_size = ipv6_encap_size; +- e->encap_header = encap_header; + e->flags |= MLX5_ENCAP_ENTRY_VALID; + mlx5e_rep_queue_neigh_stats_work(netdev_priv(out_dev)); + mlx5e_route_lookup_ipv6_put(route_dev, n); +-- +2.43.0 + diff --git a/queue-5.10/s390-vx-fix-save-restore-of-fpu-kernel-context.patch b/queue-5.10/s390-vx-fix-save-restore-of-fpu-kernel-context.patch new file mode 100644 index 00000000000..456bd5e4ce2 --- /dev/null +++ b/queue-5.10/s390-vx-fix-save-restore-of-fpu-kernel-context.patch @@ -0,0 +1,49 @@ +From 43401f771c415e2dd4a2c538b0c450ca51714e75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 15:03:15 +0100 +Subject: s390/vx: fix save/restore of fpu kernel context + +From: Heiko Carstens + +[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ] + +The KERNEL_FPR mask only contains a flag for the first eight vector +registers. However floating point registers overlay parts of the first +sixteen vector registers. + +This could lead to vector register corruption if a kernel fpu context uses +any of the vector registers 8 to 15 and is interrupted or calls a +KERNEL_FPR context. If that context uses also vector registers 8 to 15, +their contents will be corrupted on return. + +Luckily this is currently not a real bug, since the kernel has only one +KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating +point registers 0 to 2. + +Fix this by using the correct bits for KERNEL_FPR. + +Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]") +Signed-off-by: Heiko Carstens +Reviewed-by: Hendrik Brueckner +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/fpu/api.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h +index 34a7ae68485c6..be16a6c0f1276 100644 +--- a/arch/s390/include/asm/fpu/api.h ++++ b/arch/s390/include/asm/fpu/api.h +@@ -76,7 +76,7 @@ static inline int test_fp_ctl(u32 fpc) + #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31) + + #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH) +-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7) ++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW) + + struct kernel_fpu; + +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index c947eec3dbc..41866c3d8e0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -1,2 +1,20 @@ ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch smb-client-fix-oob-in-smb2_query_reparse_point.patch +arm-omap2-fix-null-pointer-dereference-and-memory-le.patch +reset-fix-crash-when-freeing-non-existent-optional-r.patch +s390-vx-fix-save-restore-of-fpu-kernel-context.patch +wifi-mac80211-mesh_plink-fix-matches_local-logic.patch +revert-net-mlx5e-fix-double-free-of-encap_header.patch +net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch +net-mlx5-fix-fw-tracer-first-block-check.patch +net-mlx5e-correct-snprintf-truncation-handling-for-f.patch +net-sched-ife-fix-potential-use-after-free.patch +ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch +net-rose-fix-races-in-rose_kill_by_device.patch +net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch +afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch +afs-fix-dynamic-root-lookup-dns-check.patch +net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch +net-check-dev-gso_max_size-in-gso_features_check.patch +keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch +afs-fix-overwriting-of-result-of-dns-query.patch diff --git a/queue-5.10/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch b/queue-5.10/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch new file mode 100644 index 00000000000..f6208ec0903 --- /dev/null +++ b/queue-5.10/wifi-mac80211-mesh_plink-fix-matches_local-logic.patch @@ -0,0 +1,52 @@ +From bc4996831337ddbcab7ebf6270245a3cff872c0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 09:05:31 +0200 +Subject: wifi: mac80211: mesh_plink: fix matches_local logic + +From: Johannes Berg + +[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ] + +During refactoring the "else" here got lost, add it back. + +Fixes: c99a89edb106 ("mac80211: factor out plink event gathering") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_plink.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index aca26df7587dc..ee8b5013d67d7 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -1050,8 +1050,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_OPEN: + if (!matches_local) + event = OPN_RJCT; +- if (!mesh_plink_free_count(sdata) || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = OPN_IGNR; + else + event = OPN_ACPT; +@@ -1059,9 +1059,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata, + case WLAN_SP_MESH_PEERING_CONFIRM: + if (!matches_local) + event = CNF_RJCT; +- if (!mesh_plink_free_count(sdata) || +- sta->mesh->llid != llid || +- (sta->mesh->plid && sta->mesh->plid != plid)) ++ else if (!mesh_plink_free_count(sdata) || ++ sta->mesh->llid != llid || ++ (sta->mesh->plid && sta->mesh->plid != plid)) + event = CNF_IGNR; + else + event = CNF_ACPT; +-- +2.43.0 + -- 2.47.3