From b0b502a8958d6b1d1a3404cf5e4afd6dbf7f8ea7 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 17 Jul 2022 10:52:40 -0400 Subject: [PATCH] Fixes for 4.14 
Signed-off-by: Sasha Levin --- ...re-bhb-avoid-pr_info-every-time-a-cp.patch | 58 +++++++++ ...x-spi-nor-campatible-on-orange-pi-ze.patch | 40 +++++++ .../cipso-fix-data-races-around-sysctl.patch | 95 +++++++++++++++ ...ta-race-around-sysctl_icmp_ratelimit.patch | 37 ++++++ ...ata-race-around-sysctl_icmp_ratemask.patch | 36 ++++++ .../icmp-fix-data-races-around-sysctl.patch | 42 +++++++ ...netpeer-fix-data-races-around-sysctl.patch | 52 ++++++++ ...-data-races-around-sysctl_ip_dynaddr.patch | 59 +++++++++ ...net-fix-data-races-around-sysctl_mem.patch | 36 ++++++ ...cksum-evaluation-in-srh-encapsulatio.patch | 73 +++++++++++ ...cksum-in-srv6-end.b6-and-end.b6.enca.patch | 51 ++++++++ queue-4.14/series | 13 ++ ...fc-fix-kernel-panic-when-creating-vf.patch | 71 +++++++++++ ...-use-after-free-when-disabling-sriov.patch | 113 ++++++++++++++++++ 14 files changed, 776 insertions(+) create mode 100644 queue-4.14/arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch create mode 100644 queue-4.14/arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch create mode 100644 queue-4.14/cipso-fix-data-races-around-sysctl.patch create mode 100644 queue-4.14/icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch create mode 100644 queue-4.14/icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch create mode 100644 queue-4.14/icmp-fix-data-races-around-sysctl.patch create mode 100644 queue-4.14/inetpeer-fix-data-races-around-sysctl.patch create mode 100644 queue-4.14/ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch create mode 100644 queue-4.14/net-fix-data-races-around-sysctl_mem.patch create mode 100644 queue-4.14/seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch create mode 100644 queue-4.14/seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch create mode 100644 queue-4.14/sfc-fix-kernel-panic-when-creating-vf.patch create mode 100644 queue-4.14/sfc-fix-use-after-free-when-disabling-sriov.patch 
diff --git a/queue-4.14/arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch b/queue-4.14/arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch new file mode 100644 index 00000000000..fc41f7c4104 --- /dev/null +++ b/queue-4.14/arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch 
@@ -0,0 +1,58 @@ +From 540c8503d6422afbd7b7eaf26e3c4e5d3a03ca86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 09:53:42 +0100 +Subject: ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out + of idle + +From: Ard Biesheuvel + +[ Upstream commit 0609e200246bfd3b7516091c491bec4308349055 ] + +Jon reports that the Spectre-BHB init code is filling up the kernel log +with spurious notifications about which mitigation has been enabled, +every time any CPU comes out of a low power state. + +Given that Spectre-BHB mitigations are system wide, only a single +mitigation can be enabled, and we already print an error if two types of +CPUs coexist in a single system that require different Spectre-BHB +mitigations. + +This means that the pr_info() that describes the selected mitigation +does not need to be emitted for each CPU anyway, and so we can simply +emit it only once. + +In order to clarify the above in the log message, update it to describe +that the selected mitigation will be enabled on all CPUs, including ones +that are unaffected. If another CPU comes up later that is affected and +requires a different mitigation, we report an error as before. 
+ +Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround") +Tested-by: Jon Hunter +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7-bugs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c +index 35c4660e638a..4af4195eed76 100644 +--- a/arch/arm/mm/proc-v7-bugs.c ++++ b/arch/arm/mm/proc-v7-bugs.c +@@ -217,10 +217,10 @@ static int spectre_bhb_install_workaround(int method) + return SPECTRE_VULNERABLE; + + spectre_bhb_method = method; +- } + +- pr_info("CPU%u: Spectre BHB: using %s workaround\n", +- smp_processor_id(), spectre_bhb_method_name(method)); ++ pr_info("CPU%u: Spectre BHB: enabling %s workaround for all CPUs\n", ++ smp_processor_id(), spectre_bhb_method_name(method)); ++ } + + return SPECTRE_MITIGATED; + } +-- +2.35.1 + diff --git a/queue-4.14/arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch b/queue-4.14/arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch new file mode 100644 index 00000000000..1a9cb24284a --- /dev/null +++ b/queue-4.14/arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch 
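Review bot: The new message still carries the `CPU%u:` prefix from `smp_processor_id()` while its text now says the workaround is enabled "for all CPUs", which reads as contradictory once the line is printed only once; since the mitigation is system-wide, dropping the per-CPU prefix would make the log line match its meaning, e.g. `pr_info("Spectre BHB: enabling %s workaround for all CPUs\n", spectre_bhb_method_name(method));`. Moving the `pr_info()` inside the `if` means it is emitted only on the first assignment of `spectre_bhb_method`, which is what the description intends; the error path for a later CPU needing a different method is above this hunk and cannot be checked here. `spectre_bhb_install_workaround` starts outside the hunk.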
@@ -0,0 +1,40 @@
+From fa499a7f8f814a24ef5adc94a882680b00b1f883 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Jul 2022 19:45:29 +0200
+Subject: ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero
+
+From: Michal Suchanek
+
+[ Upstream commit 884b66976a7279ee889ba885fe364244d50b79e7 ]
+
+The device tree should include generic "jedec,spi-nor" compatible, and a
+manufacturer-specific one.
+The macronix part is what is shipped on the boards that come with a
+flash chip.
+
+Fixes: 45857ae95478 ("ARM: dts: orange-pi-zero: add node for SPI NOR")
+Signed-off-by: Michal Suchanek
+Acked-by: Jernej Skrabec
+Signed-off-by: Jernej Skrabec
+Link: https://lore.kernel.org/r/20220708174529.3360-1-msuchanek@suse.de
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts b/arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts
+index b1502df7b509..0368b73b2501 100644
+--- a/arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts
++++ b/arch/arm/boot/dts/sun8i-h2-plus-orangepi-zero.dts
+@@ -149,7 +149,7 @@ &spi0 {
+ flash@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "mxicy,mx25l1606e", "winbond,w25q128";
++ compatible = "mxicy,mx25l1606e", "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <40000000>;
+ };
+-- 
+2.35.1
+
diff --git a/queue-4.14/cipso-fix-data-races-around-sysctl.patch b/queue-4.14/cipso-fix-data-races-around-sysctl.patch
new file mode 100644
index 00000000000..29c8e4c97d0
--- /dev/null
+++ b/queue-4.14/cipso-fix-data-races-around-sysctl.patch
@@ -0,0 +1,95 @@ +From 744d8b46fa2815c7507fe5325b999bb97225ba61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 16:40:01 -0700 +Subject: cipso: Fix data-races around sysctl. + +From: Kuniyuki Iwashima + +[ Upstream commit dd44f04b9214adb68ef5684ae87a81ba03632250 ] + +While reading cipso sysctl variables, they can be changed concurrently. +So, we need to add READ_ONCE() to avoid data-races. + +Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.txt | 2 +- + net/ipv4/cipso_ipv4.c | 12 +++++++----- + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index 5f1e3dc567f1..0278b6d1bc71 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -781,7 +781,7 @@ cipso_cache_enable - BOOLEAN + cipso_cache_bucket_size - INTEGER + The CIPSO label cache consists of a fixed size hash table with each + hash bucket containing a number of cache entries. This variable limits +- the number of entries in each hash bucket; the larger the value the ++ the number of entries in each hash bucket; the larger the value is, the + more CIPSO label mappings that can be cached. When the number of + entries in a given hash bucket reaches this limit adding new entries + causes the oldest entry in the bucket to be removed to make room. 
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index e8b8dd1cb157..8dcf9aec7b77 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -254,7 +254,7 @@ static int cipso_v4_cache_check(const unsigned char *key, + struct cipso_v4_map_cache_entry *prev_entry = NULL; + u32 hash; + +- if (!cipso_v4_cache_enabled) ++ if (!READ_ONCE(cipso_v4_cache_enabled)) + return -ENOENT; + + hash = cipso_v4_map_cache_hash(key, key_len); +@@ -311,13 +311,14 @@ static int cipso_v4_cache_check(const unsigned char *key, + int cipso_v4_cache_add(const unsigned char *cipso_ptr, + const struct netlbl_lsm_secattr *secattr) + { ++ int bkt_size = READ_ONCE(cipso_v4_cache_bucketsize); + int ret_val = -EPERM; + u32 bkt; + struct cipso_v4_map_cache_entry *entry = NULL; + struct cipso_v4_map_cache_entry *old_entry = NULL; + u32 cipso_ptr_len; + +- if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0) ++ if (!READ_ONCE(cipso_v4_cache_enabled) || bkt_size <= 0) + return 0; + + cipso_ptr_len = cipso_ptr[1]; +@@ -337,7 +338,7 @@ int cipso_v4_cache_add(const unsigned char *cipso_ptr, + + bkt = entry->hash & (CIPSO_V4_CACHE_BUCKETS - 1); + spin_lock_bh(&cipso_v4_cache[bkt].lock); +- if (cipso_v4_cache[bkt].size < cipso_v4_cache_bucketsize) { ++ if (cipso_v4_cache[bkt].size < bkt_size) { + list_add(&entry->list, &cipso_v4_cache[bkt].list); + cipso_v4_cache[bkt].size += 1; + } else { +@@ -1214,7 +1215,8 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def, + /* This will send packets using the "optimized" format when + * possible as specified in section 3.4.2.6 of the + * CIPSO draft. 
*/ +- if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10) ++ if (READ_ONCE(cipso_v4_rbm_optfmt) && ret_val > 0 && ++ ret_val <= 10) + tag_len = 14; + else + tag_len = 4 + ret_val; +@@ -1617,7 +1619,7 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) + * all the CIPSO validations here but it doesn't + * really specify _exactly_ what we need to validate + * ... so, just make it a sysctl tunable. */ +- if (cipso_v4_rbm_strictvalid) { ++ if (READ_ONCE(cipso_v4_rbm_strictvalid)) { + if (cipso_v4_map_lvl_valid(doi_def, + tag[3]) < 0) { + err_offset = opt_iter + 3; +-- +2.35.1 + diff --git a/queue-4.14/icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch b/queue-4.14/icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch new file mode 100644 index 00000000000..86888f82145 --- /dev/null +++ b/queue-4.14/icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch 
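Review bot: In `cipso_v4_validate` the new `READ_ONCE(cipso_v4_rbm_strictvalid)` is re-evaluated for each tag if, as the `opt_iter` context suggests, this check sits inside the per-option walk, so a single packet can be validated strictly for one tag and leniently for the next when the sysctl flips mid-walk; snapshotting it once before the loop, `int strictvalid = READ_ONCE(cipso_v4_rbm_strictvalid);`, the way the patch already does for `bkt_size` in `cipso_v4_cache_add`, would make validation consistent per packet. The loop head is outside the hunk, so this is inferred from the context lines. These are plain `int` globals, so the annotation guards against compiler re-loads and KCSAN reports rather than torn reads; the matching writer is the sysctl handler, which this patch does not touch.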
@@ -0,0 +1,37 @@
+From 09685803a908577cbfb9a05637b2c942814c24d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Jul 2022 17:15:27 -0700
+Subject: icmp: Fix a data-race around sysctl_icmp_ratelimit.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 2a4eb714841f288cf51c7d942d98af6a8c6e4b01 ]
+
+While reading sysctl_icmp_ratelimit, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/icmp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 74847996139d..e384926de46f 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -333,7 +333,8 @@ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
+ 
+ vif = l3mdev_master_ifindex(dst->dev);
+ peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, vif, 1);
+- rc = inet_peer_xrlim_allow(peer, net->ipv4.sysctl_icmp_ratelimit);
++ rc = inet_peer_xrlim_allow(peer,
++ READ_ONCE(net->ipv4.sysctl_icmp_ratelimit));
+ if (peer)
+ inet_putpeer(peer);
+ out:
+-- 
+2.35.1
+
diff --git a/queue-4.14/icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch b/queue-4.14/icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch
new file mode 100644
index 00000000000..a6267deaf44
--- /dev/null
+++ b/queue-4.14/icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch
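Review bot: `READ_ONCE()` on `net->ipv4.sysctl_icmp_ratelimit` is only one half of the annotation; the store happens in the sysctl handler for `icmp_ratelimit`, which this backport does not touch, so confirm that the 4.14 writer side uses `WRITE_ONCE()` (or accept that this only stops the reader's compiler re-loads and does not fully annotate the race). A short comment on the new call, `/* changed concurrently by the sysctl handler; keep the read single */`, would record that dependency for whoever backports the writer side later. The value is a plain `int`, so a torn read is not the concern on supported architectures. `icmpv4_xrlim_allow` starts outside the hunk.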
@@ -0,0 +1,36 @@
+From bee4134e8a8e70f4dc1eecdeeec5b1b8ba7e7448 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Jul 2022 17:15:28 -0700
+Subject: icmp: Fix a data-race around sysctl_icmp_ratemask.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 1ebcb25ad6fc3d50fca87350acf451b9a66dd31e ]
+
+While reading sysctl_icmp_ratemask, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/icmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index e384926de46f..1748dfb1dc0a 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -295,7 +295,7 @@ static bool icmpv4_mask_allow(struct net *net, int type, int code)
+ return true;
+ 
+ /* Limit if icmp type is enabled in ratemask. */
+- if (!((1 << type) & net->ipv4.sysctl_icmp_ratemask))
++ if (!((1 << type) & READ_ONCE(net->ipv4.sysctl_icmp_ratemask)))
+ return true;
+ 
+ return false;
+-- 
+2.35.1
+
diff --git a/queue-4.14/icmp-fix-data-races-around-sysctl.patch b/queue-4.14/icmp-fix-data-races-around-sysctl.patch
new file mode 100644
index 00000000000..fd84bba4947
--- /dev/null
+++ b/queue-4.14/icmp-fix-data-races-around-sysctl.patch
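Review bot: The rewritten line `(1 << type) & READ_ONCE(net->ipv4.sysctl_icmp_ratemask)` is well-defined only because `type` is bounded earlier in `icmpv4_mask_allow` (the `return true;` at the top of the hunk is presumably the tail of that range check, which itself is outside the hunk); a comment on the shift, `/* type is range-checked above, so the shift stays within the mask width */`, would stop a later reordering from turning this into an undefined shift of a signed `int`. Spelling it `1u << type` would also remove the signed-shift question independent of the bound.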
@@ -0,0 +1,42 @@
+From 1ca090f1bfc713d48acaba396c2008c99c964acd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Jul 2022 16:40:02 -0700
+Subject: icmp: Fix data-races around sysctl.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 48d7ee321ea5182c6a70782aa186422a70e67e22 ]
+
+While reading icmp sysctl variables, they can be changed concurrently.
+So, we need to add READ_ONCE() to avoid data-races.
+
+Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/icmp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index dc99b40da48d..74847996139d 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -266,11 +266,12 @@ bool icmp_global_allow(void)
+ spin_lock(&icmp_global.lock);
+ delta = min_t(u32, now - icmp_global.stamp, HZ);
+ if (delta >= HZ / 50) {
+- incr = sysctl_icmp_msgs_per_sec * delta / HZ ;
++ incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ;
+ if (incr)
+ WRITE_ONCE(icmp_global.stamp, now);
+ }
+- credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
++ credit = min_t(u32, icmp_global.credit + incr,
++ READ_ONCE(sysctl_icmp_msgs_burst));
+ if (credit) {
+ /* We want to use a credit of one in average, but need to randomize
+ * it for security reasons.
+-- 
+2.35.1
+
diff --git a/queue-4.14/inetpeer-fix-data-races-around-sysctl.patch b/queue-4.14/inetpeer-fix-data-races-around-sysctl.patch
new file mode 100644
index 00000000000..e6e75d7ee19
--- /dev/null
+++ b/queue-4.14/inetpeer-fix-data-races-around-sysctl.patch
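Review bot: `incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ;` multiplies a root-settable `int` by `delta`, which the line above computes with `min_t(u32, ...)`, so the product is 32-bit arithmetic and wraps before the division for a very large sysctl value, silently collapsing the per-second credit. The upper bound, if any, lives in the sysctl table outside this patch, so either confirm a maximum is enforced there or do the product in 64 bits, `incr = (u64)READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ;`, and let the existing `min_t(u32, ...)` clamp on `credit` bound the result. `icmp_global_allow` starts outside the hunk.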
@@ -0,0 +1,52 @@
+From 05e00a54f34e24851155b16d0a2930b4e194fcc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Jul 2022 16:39:59 -0700
+Subject: inetpeer: Fix data-races around sysctl.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 3d32edf1f3c38d3301f6434e56316f293466d7fb ]
+
+While reading inetpeer sysctl variables, they can be changed
+concurrently. So, we need to add READ_ONCE() to avoid data-races.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/inetpeer.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
+index f94881412d5b..fcccc2f6fa9a 100644
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -147,16 +147,20 @@ static void inet_peer_gc(struct inet_peer_base *base,
+ struct inet_peer *gc_stack[],
+ unsigned int gc_cnt)
+ {
++ int peer_threshold, peer_maxttl, peer_minttl;
+ struct inet_peer *p;
+ __u32 delta, ttl;
+ int i;
+ 
+- if (base->total >= inet_peer_threshold)
++ peer_threshold = READ_ONCE(inet_peer_threshold);
++ peer_maxttl = READ_ONCE(inet_peer_maxttl);
++ peer_minttl = READ_ONCE(inet_peer_minttl);
++
++ if (base->total >= peer_threshold)
+ ttl = 0; /* be aggressive */
+ else
+- ttl = inet_peer_maxttl
+- - (inet_peer_maxttl - inet_peer_minttl) / HZ *
+- base->total / inet_peer_threshold * HZ;
++ ttl = peer_maxttl - (peer_maxttl - peer_minttl) / HZ *
++ base->total / peer_threshold * HZ;
+ for (i = 0; i < gc_cnt; i++) {
+ p = gc_stack[i];
+ 
+-- 
+2.35.1
+
diff --git a/queue-4.14/ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch b/queue-4.14/ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch
new file mode 100644
index 00000000000..ab6542bc8d6
--- /dev/null
+++ b/queue-4.14/ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch
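Review bot: The snapshot fixes the real check-versus-divide inconsistency (`base->total >= peer_threshold` now uses the same value as `/ peer_threshold` two lines down, which also keeps a zero or negative threshold out of the division), but the formula still stores a signed `int` expression into the `__u32 ttl`: if `inet_peer_minttl` is set above `inet_peer_maxttl` the result goes negative and wraps to a huge TTL, so entries effectively never expire. The three sysctls are written by handlers outside this patch, so unless they are bounded there a clamp after the snapshot, `if (peer_minttl > peer_maxttl) peer_minttl = peer_maxttl;`, or at least a comment stating the `minttl <= maxttl` assumption, is worth adding. `inet_peer_gc` continues past the hunk.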
@@ -0,0 +1,59 @@ +From ed6f93e0ec4fcda67d987177a924a42fa4b40d11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 17:15:32 -0700 +Subject: ipv4: Fix data-races around sysctl_ip_dynaddr. + +From: Kuniyuki Iwashima + +[ Upstream commit e49e4aff7ec19b2d0d0957ee30e93dade57dab9e ] + +While reading sysctl_ip_dynaddr, it can be changed concurrently. +Thus, we need to add READ_ONCE() to its readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.txt | 2 +- + net/ipv4/af_inet.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index 0278b6d1bc71..5849c119e0ef 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -858,7 +858,7 @@ ip_nonlocal_bind - BOOLEAN + which can be quite useful - but may break some applications. + Default: 0 + +-ip_dynaddr - BOOLEAN ++ip_dynaddr - INTEGER + If set non-zero, enables support for dynamic addresses. + If set to a non-zero value larger than 1, a kernel log + message will be printed when dynamic address rewriting +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index ee42907f4827..93dea10ef9a6 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1152,7 +1152,7 @@ static int inet_sk_reselect_saddr(struct sock *sk) + if (new_saddr == old_saddr) + return 0; + +- if (sock_net(sk)->ipv4.sysctl_ip_dynaddr > 1) { ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_ip_dynaddr) > 1) { + pr_info("%s(): shifting inet->saddr from %pI4 to %pI4\n", + __func__, &old_saddr, &new_saddr); + } +@@ -1207,7 +1207,7 @@ int inet_sk_rebuild_header(struct sock *sk) + * Other protocols have to map its equivalent state to TCP_SYN_SENT. + * DCCP maps its DCCP_REQUESTING state to TCP_SYN_SENT. 
-acme + */ +- if (!sock_net(sk)->ipv4.sysctl_ip_dynaddr || ++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_ip_dynaddr) || + sk->sk_state != TCP_SYN_SENT || + (sk->sk_userlocks & SOCK_BINDADDR_LOCK) || + (err = inet_sk_reselect_saddr(sk)) != 0) +-- +2.35.1 + diff --git a/queue-4.14/net-fix-data-races-around-sysctl_mem.patch b/queue-4.14/net-fix-data-races-around-sysctl_mem.patch new file mode 100644 index 00000000000..6a8b9a9411c --- /dev/null +++ b/queue-4.14/net-fix-data-races-around-sysctl_mem.patch @@ -0,0 +1,36 @@ +From 8df0366d865970b4b012fe89eca72088cf8ebda0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 16:40:00 -0700 +Subject: net: Fix data-races around sysctl_mem. + +From: Kuniyuki Iwashima + +[ Upstream commit 310731e2f1611d1d13aae237abcf8e66d33345d5 ] + +While reading .sysctl_mem, it can be changed concurrently. +So, we need to add READ_ONCE() to avoid data-races. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index f729ccfe756a..dfeaa8deba96 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1340,7 +1340,7 @@ void __sk_mem_reclaim(struct sock *sk, int amount); + /* sysctl_mem values are in pages, we convert them in SK_MEM_QUANTUM units */ + static inline long sk_prot_mem_limits(const struct sock *sk, int index) + { +- long val = sk->sk_prot->sysctl_mem[index]; ++ long val = READ_ONCE(sk->sk_prot->sysctl_mem[index]); + + #if PAGE_SIZE > SK_MEM_QUANTUM + val <<= PAGE_SHIFT - SK_MEM_QUANTUM_SHIFT; +-- +2.35.1 + diff --git a/queue-4.14/seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch b/queue-4.14/seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch new file mode 100644 index 00000000000..7a4265c9862 --- /dev/null +++ b/queue-4.14/seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch 
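Review bot: With `ip_dynaddr > 1` the `pr_info("%s(): shifting inet->saddr from %pI4 to %pI4\n", ...)` directly under the new `READ_ONCE()` in `inet_sk_reselect_saddr` fires for every SYN_SENT rebuild whose source address changes (the `new_saddr == old_saddr` early return and the `TCP_SYN_SENT` / `SOCK_BINDADDR_LOCK` gate in `inet_sk_rebuild_header` are the only filters visible here), so any socket churn on the box turns into an unbounded stream of kernel log lines once the administrator enables that level; `pr_info_ratelimited(...)` keeps the diagnostic without the log flood. The documentation hunk changing `ip_dynaddr` from BOOLEAN to INTEGER correctly matches the `> 1` test. `inet_sk_reselect_saddr` starts outside the hunk.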
@@ -0,0 +1,73 @@ +From c2af538c78a931799244076f98dc01c2f7985d1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 19:58:35 +0200 +Subject: seg6: fix skb checksum evaluation in SRH encapsulation/insertion + +From: Andrea Mayer + +[ Upstream commit df8386d13ea280d55beee1b95f61a59234a3798b ] + +Support for SRH encapsulation and insertion was introduced with +commit 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and +injection with lwtunnels"), through the seg6_do_srh_encap() and +seg6_do_srh_inline() functions, respectively. +The former encapsulates the packet in an outer IPv6 header along with +the SRH, while the latter inserts the SRH between the IPv6 header and +the payload. Then, the headers are initialized/updated according to the +operating mode (i.e., encap/inline). +Finally, the skb checksum is calculated to reflect the changes applied +to the headers. + +The IPv6 payload length ('payload_len') is not initialized +within seg6_do_srh_{inline,encap}() but is deferred in seg6_do_srh(), i.e. +the caller of seg6_do_srh_{inline,encap}(). +However, this operation invalidates the skb checksum, since the +'payload_len' is updated only after the checksum is evaluated. + +To solve this issue, the initialization of the IPv6 payload length is +moved from seg6_do_srh() directly into the seg6_do_srh_{inline,encap}() +functions and before the skb checksum update takes place. 
+ +Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") +Reported-by: Paolo Abeni +Link: https://lore.kernel.org/all/20220705190727.69d532417be7438b15404ee1@uniroma2.it +Signed-off-by: Andrea Mayer +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_iptunnel.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c +index 1d641e21f23f..3f43a4688602 100644 +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -156,6 +156,8 @@ int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto) + } + #endif + ++ hdr->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); ++ + skb_postpush_rcsum(skb, hdr, tot_len); + + return 0; +@@ -208,6 +210,8 @@ int seg6_do_srh_inline(struct sk_buff *skb, struct ipv6_sr_hdr *osrh) + } + #endif + ++ hdr->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); ++ + skb_postpush_rcsum(skb, hdr, sizeof(struct ipv6hdr) + hdrlen); + + return 0; +@@ -269,7 +273,6 @@ static int seg6_do_srh(struct sk_buff *skb) + break; + } + +- ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr)); + skb_set_transport_header(skb, sizeof(struct ipv6hdr)); + + return 0; +-- +2.35.1 + diff --git a/queue-4.14/seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch b/queue-4.14/seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch new file mode 100644 index 00000000000..591c3ac1b6a --- /dev/null +++ b/queue-4.14/seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch 
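Review bot: The correctness of the two new `hdr->payload_len = htons(skb->len - sizeof(struct ipv6hdr));` lines depends on their staying before `skb_postpush_rcsum()`, which is exactly the ordering the old code in `seg6_do_srh()` got wrong, yet nothing in the code records that; a comment on each, `/* must be final before skb_postpush_rcsum() folds the header into the checksum */`, would protect the fix against the next refactor. The expression also presumes `skb->len` already includes the pushed outer header or SRH, i.e. that the `skb_push()` earlier in each function (outside the hunk) has run, which the same comment can state. Both `seg6_do_srh_encap` and `seg6_do_srh_inline` start outside the hunk.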
@@ -0,0 +1,51 @@
+From 8927ee79c1aba951f13f51bb24bcdf3823fbdd66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Jul 2022 19:58:36 +0200
+Subject: seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors
+
+From: Andrea Mayer
+
+[ Upstream commit f048880fc77058d864aff5c674af7918b30f312a ]
+
+The SRv6 End.B6 and End.B6.Encaps behaviors rely on functions
+seg6_do_srh_{encap,inline}() to, respectively: i) encapsulate the
+packet within an outer IPv6 header with the specified Segment Routing
+Header (SRH); ii) insert the specified SRH directly after the IPv6
+header of the packet.
+
+This patch removes the initialization of the IPv6 header payload length
+from the input_action_end_b6{_encap}() functions, as it is now handled
+properly by seg6_do_srh_{encap,inline}() to avoid corruption of the skb
+checksum.
+
+Fixes: 140f04c33bbc ("ipv6: sr: implement several seg6local actions")
+Signed-off-by: Andrea Mayer
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/seg6_local.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
+index 9a01f72d907f..8f8ea7a76b99 100644
+--- a/net/ipv6/seg6_local.c
++++ b/net/ipv6/seg6_local.c
+@@ -405,7 +405,6 @@ static int input_action_end_b6(struct sk_buff *skb, struct seg6_local_lwt *slwt)
+ if (err)
+ goto drop;
+ 
+- ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
+ skb_set_transport_header(skb, sizeof(struct ipv6hdr));
+ 
+ lookup_nexthop(skb, NULL, 0);
+@@ -437,7 +436,6 @@ static int input_action_end_b6_encap(struct sk_buff *skb,
+ if (err)
+ goto drop;
+ 
+- ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
+ skb_set_transport_header(skb, sizeof(struct ipv6hdr));
+ 
+ lookup_nexthop(skb, NULL, 0);
+-- 
+2.35.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index c8516aa21e6..150db496388 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -9,3 +9,16 @@ nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch net-dsa-bcm_sf2-force-pause-link-settings.patch xhci-bail-out-early-if-driver-can-t-accress-host-in-resume.patch xhci-make-xhci_handshake-timeout-for-xhci_reset-adjustable.patch +arm-9209-1-spectre-bhb-avoid-pr_info-every-time-a-cp.patch +inetpeer-fix-data-races-around-sysctl.patch +net-fix-data-races-around-sysctl_mem.patch +cipso-fix-data-races-around-sysctl.patch +icmp-fix-data-races-around-sysctl.patch +arm-dts-sunxi-fix-spi-nor-campatible-on-orange-pi-ze.patch +icmp-fix-a-data-race-around-sysctl_icmp_ratelimit.patch +icmp-fix-a-data-race-around-sysctl_icmp_ratemask.patch +ipv4-fix-data-races-around-sysctl_ip_dynaddr.patch +sfc-fix-use-after-free-when-disabling-sriov.patch +seg6-fix-skb-checksum-evaluation-in-srh-encapsulatio.patch +seg6-fix-skb-checksum-in-srv6-end.b6-and-end.b6.enca.patch +sfc-fix-kernel-panic-when-creating-vf.patch diff --git a/queue-4.14/sfc-fix-kernel-panic-when-creating-vf.patch b/queue-4.14/sfc-fix-kernel-panic-when-creating-vf.patch new file mode 100644 index 00000000000..dd3ace307b8 --- /dev/null +++ b/queue-4.14/sfc-fix-kernel-panic-when-creating-vf.patch 
@@ -0,0 +1,71 @@ +From c4ee8716bc9e61c64c7956d0b6575e5e5f46ea1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jul 2022 11:21:16 +0200 +Subject: sfc: fix kernel panic when creating VF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit ada74c5539eba06cf8b47d068f92e0b3963a9a6e ] + +When creating VFs a kernel panic can happen when calling to +efx_ef10_try_update_nic_stats_vf. + +When releasing a DMA coherent buffer, sometimes, I don't know in what +specific circumstances, it has to unmap memory with vunmap. It is +disallowed to do that in IRQ context or with BH disabled. Otherwise, we +hit this line in vunmap, causing the crash: + BUG_ON(in_interrupt()); + +This patch reenables BH to release the buffer. + +Log messages when the bug is hit: + kernel BUG at mm/vmalloc.c:2727! + invalid opcode: 0000 [#1] PREEMPT SMP NOPTI + CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G I --------- --- 5.14.0-119.el9.x86_64 #1 + Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020 + RIP: 0010:vunmap+0x2e/0x30 + ...skip... + Call Trace: + __iommu_dma_free+0x96/0x100 + efx_nic_free_buffer+0x2b/0x40 [sfc] + efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc] + efx_ef10_update_stats_vf+0x18/0x40 [sfc] + efx_start_all+0x15e/0x1d0 [sfc] + efx_net_open+0x5a/0xe0 [sfc] + __dev_open+0xe7/0x1a0 + __dev_change_flags+0x1d7/0x240 + dev_change_flags+0x21/0x60 + ...skip... 
+ +Fixes: d778819609a2 ("sfc: DMA the VF stats only when requested") +Reported-by: Ma Yuying +Signed-off-by: Íñigo Huguet +Acked-by: Edward Cree +Link: https://lore.kernel.org/r/20220713092116.21238-1-ihuguet@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 4f0da3963b01..1dfb14a035f9 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -1896,7 +1896,10 @@ static int efx_ef10_try_update_nic_stats_vf(struct efx_nic *efx) + + efx_update_sw_stats(efx, stats); + out: ++ /* releasing a DMA coherent buffer with BH disabled can panic */ ++ spin_unlock_bh(&efx->stats_lock); + efx_nic_free_buffer(efx, &stats_buf); ++ spin_lock_bh(&efx->stats_lock); + return rc; + } + +-- +2.35.1 + diff --git a/queue-4.14/sfc-fix-use-after-free-when-disabling-sriov.patch b/queue-4.14/sfc-fix-use-after-free-when-disabling-sriov.patch new file mode 100644 index 00000000000..b2f625cac5f --- /dev/null +++ b/queue-4.14/sfc-fix-use-after-free-when-disabling-sriov.patch 
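Review bot: The new `spin_unlock_bh(&efx->stats_lock)` / `spin_lock_bh(&efx->stats_lock)` pair around `efx_nic_free_buffer()` hard-codes that every caller of `efx_ef10_try_update_nic_stats_vf()` enters with `stats_lock` held, and a caller that does not would now hit an unbalanced unlock instead of a clear failure; adding `lockdep_assert_held(&efx->stats_lock);` at the top of the function and a header comment saying the lock is dropped and re-taken before return makes that contract checkable. While the lock is dropped another path can read or update the stats before this function returns `rc`, so the caller must not assume they are unchanged across the call; whether `efx_ef10_update_stats_vf` depends on that cannot be told from the hunk. The `out:` label means the unlock also happens on the error paths, which is consistent. The function starts outside the hunk.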
@@ -0,0 +1,113 @@ +From 95f2a20e0f591e3ed530886e5c8dce9351887009 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 08:26:42 +0200 +Subject: sfc: fix use after free when disabling sriov +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit ebe41da5d47ac0fff877e57bd14c54dccf168827 ] + +Use after free is detected by kfence when disabling sriov. What was read +after being freed was vf->pci_dev: it was freed from pci_disable_sriov +and later read in efx_ef10_sriov_free_vf_vports, called from +efx_ef10_sriov_free_vf_vswitching. + +Set the pointer to NULL at release time to not trying to read it later. + +Reproducer and dmesg log (note that kfence doesn't detect it every time): +$ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs +$ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs + + BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc] + + Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224): + efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc] + efx_ef10_pci_sriov_disable+0x38/0x70 [sfc] + efx_pci_sriov_configure+0x24/0x40 [sfc] + sriov_numvfs_store+0xfe/0x140 + kernfs_fop_write_iter+0x11c/0x1b0 + new_sync_write+0x11f/0x1b0 + vfs_write+0x1eb/0x280 + ksys_write+0x5f/0xe0 + do_syscall_64+0x5c/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k + + allocated by task 6771 on cpu 10 at 3137.860196s: + pci_alloc_dev+0x21/0x60 + pci_iov_add_virtfn+0x2a2/0x320 + sriov_enable+0x212/0x3e0 + efx_ef10_sriov_configure+0x67/0x80 [sfc] + efx_pci_sriov_configure+0x24/0x40 [sfc] + sriov_numvfs_store+0xba/0x140 + kernfs_fop_write_iter+0x11c/0x1b0 + new_sync_write+0x11f/0x1b0 + vfs_write+0x1eb/0x280 + ksys_write+0x5f/0xe0 + do_syscall_64+0x5c/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + freed by task 6771 on cpu 12 at 3170.991309s: + 
device_release+0x34/0x90 + kobject_cleanup+0x3a/0x130 + pci_iov_remove_virtfn+0xd9/0x120 + sriov_disable+0x30/0xe0 + efx_ef10_pci_sriov_disable+0x57/0x70 [sfc] + efx_pci_sriov_configure+0x24/0x40 [sfc] + sriov_numvfs_store+0xfe/0x140 + kernfs_fop_write_iter+0x11c/0x1b0 + new_sync_write+0x11f/0x1b0 + vfs_write+0x1eb/0x280 + ksys_write+0x5f/0xe0 + do_syscall_64+0x5c/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 3c5eb87605e85 ("sfc: create vports for VFs and assign random MAC addresses") +Reported-by: Yanghang Liu +Signed-off-by: Íñigo Huguet +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20220712062642.6915-1-ihuguet@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10_sriov.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c +index 2f36b18fd109..93fac5fde093 100644 +--- a/drivers/net/ethernet/sfc/ef10_sriov.c ++++ b/drivers/net/ethernet/sfc/ef10_sriov.c +@@ -415,8 +415,9 @@ static int efx_ef10_pci_sriov_enable(struct efx_nic *efx, int num_vfs) + static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force) + { + struct pci_dev *dev = efx->pci_dev; ++ struct efx_ef10_nic_data *nic_data = efx->nic_data; + unsigned int vfs_assigned = pci_vfs_assigned(dev); +- int rc = 0; ++ int i, rc = 0; + + if (vfs_assigned && !force) { + netif_info(efx, drv, efx->net_dev, "VFs are assigned to guests; " +@@ -424,10 +425,13 @@ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force) + return -EBUSY; + } + +- if (!vfs_assigned) ++ if (!vfs_assigned) { ++ for (i = 0; i < efx->vf_count; i++) ++ nic_data->vf[i].pci_dev = NULL; + pci_disable_sriov(dev); +- else ++ } else { + rc = -EBUSY; ++ } + + efx_ef10_sriov_free_vf_vswitching(efx); + efx->vf_count = 0; +-- +2.35.1 + -- 2.47.3
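Review bot: The new loop `for (i = 0; i < efx->vf_count; i++) nic_data->vf[i].pci_dev = NULL;` dereferences `nic_data->vf` with no NULL check, so it relies on `vf_count` being non-zero only after the array has been allocated; if `efx_ef10_sriov_free_vf_vswitching`, called a few lines later, guards on `nic_data->vf`, the same `if (nic_data->vf)` guard here would keep the two paths symmetric — the allocation side is outside this hunk, so this is inferred. Clearing the pointer before `pci_disable_sriov()` is the right order, since the VF `struct pci_dev` is released inside that call, as the KFENCE trace shows. Style-wise, netdev code keeps local declarations in reverse christmas-tree order, so the new `struct efx_ef10_nic_data *nic_data = efx->nic_data;` line belongs above the shorter `struct pci_dev *dev = efx->pci_dev;`.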