--- /dev/null
+From abe3bf7425fb695a9b37394af18b9ea58a800802 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Mon, 12 Dec 2022 21:14:17 +0100
+Subject: btrfs: fix an error handling path in btrfs_rename()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit abe3bf7425fb695a9b37394af18b9ea58a800802 upstream.
+
+If new_whiteout_inode() fails, some resources need to be freed.
+Add the missing goto to the error handling path.
+
+Fixes: ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper")
+Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9400,8 +9400,10 @@ static int btrfs_rename(struct user_name
+
+ if (flags & RENAME_WHITEOUT) {
+ whiteout_args.inode = new_whiteout_inode(mnt_userns, old_dir);
+- if (!whiteout_args.inode)
+- return -ENOMEM;
++ if (!whiteout_args.inode) {
++ ret = -ENOMEM;
++ goto out_fscrypt_names;
++ }
+ ret = btrfs_new_inode_prepare(&whiteout_args, &trans_num_items);
+ if (ret)
+ goto out_whiteout_inode;
--- /dev/null
+From fee4c19937439693f2420a916169d08e88576e8e Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 20 Dec 2022 11:13:33 +0000
+Subject: btrfs: fix fscrypt name leak after failure to join log transaction
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit fee4c19937439693f2420a916169d08e88576e8e upstream.
+
+When logging a new name, we don't expect to fail joining a log transaction
+since we know at least one of the inodes was logged before in the current
+transaction. However if we fail for some unexpected reason, we end up not
+freeing the fscrypt name we previously allocated. So fix that by freeing
+the name in case we failed to join a log transaction.
+
+Fixes: ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper")
+Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -7491,8 +7491,11 @@ void btrfs_log_new_name(struct btrfs_tra
+ * not fail, but if it does, it's not serious, just bail out and
+ * mark the log for a full commit.
+ */
+- if (WARN_ON_ONCE(ret < 0))
++ if (WARN_ON_ONCE(ret < 0)) {
++ fscrypt_free_filename(&fname);
+ goto out;
++ }
++
+ log_pinned = true;
+
+ path = btrfs_alloc_path();
--- /dev/null
+From ef1148d4487438a3408d6face2a8360d91b4af70 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 10 May 2023 15:46:46 +0000
+Subject: ipv6: remove nexthop_fib6_nh_bh()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit ef1148d4487438a3408d6face2a8360d91b4af70 upstream.
+
+After blamed commit, nexthop_fib6_nh_bh() and nexthop_fib6_nh()
+are the same.
+
+Delete nexthop_fib6_nh_bh(), and convert /proc/net/ipv6_route
+to standard rcu to avoid this splat:
+
+[ 5723.180080] WARNING: suspicious RCU usage
+[ 5723.180083] -----------------------------
+[ 5723.180084] include/net/nexthop.h:516 suspicious rcu_dereference_check() usage!
+[ 5723.180086]
+other info that might help us debug this:
+
+[ 5723.180087]
+rcu_scheduler_active = 2, debug_locks = 1
+[ 5723.180089] 2 locks held by cat/55856:
+[ 5723.180091] #0: ffff9440a582afa8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter (fs/seq_file.c:188)
+[ 5723.180100] #1: ffffffffaac07040 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire (include/linux/rcupdate.h:326)
+[ 5723.180109]
+stack backtrace:
+[ 5723.180111] CPU: 14 PID: 55856 Comm: cat Tainted: G S I 6.3.0-dbx-DEV #528
+[ 5723.180115] Call Trace:
+[ 5723.180117] <TASK>
+[ 5723.180119] dump_stack_lvl (lib/dump_stack.c:107)
+[ 5723.180124] dump_stack (lib/dump_stack.c:114)
+[ 5723.180126] lockdep_rcu_suspicious (include/linux/context_tracking.h:122)
+[ 5723.180132] ipv6_route_seq_show (include/net/nexthop.h:?)
+[ 5723.180135] ? ipv6_route_seq_next (net/ipv6/ip6_fib.c:2605)
+[ 5723.180140] seq_read_iter (fs/seq_file.c:272)
+[ 5723.180145] seq_read (fs/seq_file.c:163)
+[ 5723.180151] proc_reg_read (fs/proc/inode.c:316 fs/proc/inode.c:328)
+[ 5723.180155] vfs_read (fs/read_write.c:468)
+[ 5723.180160] ? up_read (kernel/locking/rwsem.c:1617)
+[ 5723.180164] ksys_read (fs/read_write.c:613)
+[ 5723.180168] __x64_sys_read (fs/read_write.c:621)
+[ 5723.180170] do_syscall_64 (arch/x86/entry/common.c:?)
+[ 5723.180174] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+[ 5723.180177] RIP: 0033:0x7fa455677d2a
+
+Fixes: 09eed1192cec ("neighbour: switch to standard rcu, instead of rcu_bh")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230510154646.370659-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/nexthop.h | 23 -----------------------
+ net/ipv6/ip6_fib.c | 16 ++++++++--------
+ 2 files changed, 8 insertions(+), 31 deletions(-)
+
+--- a/include/net/nexthop.h
++++ b/include/net/nexthop.h
+@@ -497,29 +497,6 @@ static inline struct fib6_nh *nexthop_fi
+ return NULL;
+ }
+
+-/* Variant of nexthop_fib6_nh().
+- * Caller should either hold rcu_read_lock(), or RTNL.
+- */
+-static inline struct fib6_nh *nexthop_fib6_nh_bh(struct nexthop *nh)
+-{
+- struct nh_info *nhi;
+-
+- if (nh->is_group) {
+- struct nh_group *nh_grp;
+-
+- nh_grp = rcu_dereference_rtnl(nh->nh_grp);
+- nh = nexthop_mpath_select(nh_grp, 0);
+- if (!nh)
+- return NULL;
+- }
+-
+- nhi = rcu_dereference_rtnl(nh->nh_info);
+- if (nhi->family == AF_INET6)
+- return &nhi->fib6_nh;
+-
+- return NULL;
+-}
+-
+ static inline struct net_device *fib6_info_nh_dev(struct fib6_info *f6i)
+ {
+ struct fib6_nh *fib6_nh;
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -2492,7 +2492,7 @@ static int ipv6_route_native_seq_show(st
+ const struct net_device *dev;
+
+ if (rt->nh)
+- fib6_nh = nexthop_fib6_nh_bh(rt->nh);
++ fib6_nh = nexthop_fib6_nh(rt->nh);
+
+ seq_printf(seq, "%pi6 %02x ", &rt->fib6_dst.addr, rt->fib6_dst.plen);
+
+@@ -2557,14 +2557,14 @@ static struct fib6_table *ipv6_route_seq
+
+ if (tbl) {
+ h = (tbl->tb6_id & (FIB6_TABLE_HASHSZ - 1)) + 1;
+- node = rcu_dereference_bh(hlist_next_rcu(&tbl->tb6_hlist));
++ node = rcu_dereference(hlist_next_rcu(&tbl->tb6_hlist));
+ } else {
+ h = 0;
+ node = NULL;
+ }
+
+ while (!node && h < FIB6_TABLE_HASHSZ) {
+- node = rcu_dereference_bh(
++ node = rcu_dereference(
+ hlist_first_rcu(&net->ipv6.fib_table_hash[h++]));
+ }
+ return hlist_entry_safe(node, struct fib6_table, tb6_hlist);
+@@ -2594,7 +2594,7 @@ static void *ipv6_route_seq_next(struct
+ if (!v)
+ goto iter_table;
+
+- n = rcu_dereference_bh(((struct fib6_info *)v)->fib6_next);
++ n = rcu_dereference(((struct fib6_info *)v)->fib6_next);
+ if (n)
+ return n;
+
+@@ -2620,12 +2620,12 @@ iter_table:
+ }
+
+ static void *ipv6_route_seq_start(struct seq_file *seq, loff_t *pos)
+- __acquires(RCU_BH)
++ __acquires(RCU)
+ {
+ struct net *net = seq_file_net(seq);
+ struct ipv6_route_iter *iter = seq->private;
+
+- rcu_read_lock_bh();
++ rcu_read_lock();
+ iter->tbl = ipv6_route_seq_next_table(NULL, net);
+ iter->skip = *pos;
+
+@@ -2646,7 +2646,7 @@ static bool ipv6_route_iter_active(struc
+ }
+
+ static void ipv6_route_native_seq_stop(struct seq_file *seq, void *v)
+- __releases(RCU_BH)
++ __releases(RCU)
+ {
+ struct net *net = seq_file_net(seq);
+ struct ipv6_route_iter *iter = seq->private;
+@@ -2654,7 +2654,7 @@ static void ipv6_route_native_seq_stop(s
+ if (ipv6_route_iter_active(iter))
+ fib6_walker_unlink(net, &iter->w);
+
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ }
+
+ #if IS_BUILTIN(CONFIG_IPV6) && defined(CONFIG_BPF_SYSCALL)
--- /dev/null
+From c73a72f4cbb47672c8cc7f7d7aba52f1cb15baca Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Thu, 17 Nov 2022 19:39:03 -0800
+Subject: netlink: remove the flex array from struct nlmsghdr
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit c73a72f4cbb47672c8cc7f7d7aba52f1cb15baca upstream.
+
+I've added a flex array to struct nlmsghdr in
+commit 738136a0e375 ("netlink: split up copies in the ack construction")
+to allow accessing the data easily. It leads to warnings with clang,
+if user space wraps this structure into another struct and the flex
+array is not at the end of the container.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/all/20221114023927.GA685@u2004-local/
+Link: https://lore.kernel.org/r/20221118033903.1651026-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/netlink.h | 2 --
+ net/netlink/af_netlink.c | 2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/uapi/linux/netlink.h
++++ b/include/uapi/linux/netlink.h
+@@ -48,7 +48,6 @@ struct sockaddr_nl {
+ * @nlmsg_flags: Additional flags
+ * @nlmsg_seq: Sequence number
+ * @nlmsg_pid: Sending process port ID
+- * @nlmsg_data: Message payload
+ */
+ struct nlmsghdr {
+ __u32 nlmsg_len;
+@@ -56,7 +55,6 @@ struct nlmsghdr {
+ __u16 nlmsg_flags;
+ __u32 nlmsg_seq;
+ __u32 nlmsg_pid;
+- __u8 nlmsg_data[];
+ };
+
+ /* Flags values */
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2458,7 +2458,7 @@ void netlink_ack(struct sk_buff *in_skb,
+ if (!nlmsg_append(skb, nlmsg_len(nlh)))
+ goto err_bad_put;
+
+- memcpy(errmsg->msg.nlmsg_data, nlh->nlmsg_data,
++ memcpy(nlmsg_data(&errmsg->msg), nlmsg_data(nlh),
+ nlmsg_len(nlh));
+ }
+
ksmbd-fix-race-condition-between-session-lookup-and-expire.patch
ksmbd-fix-uaf-in-smb20_oplock_break_ack.patch
parisc-restore-__ldcw_align-for-pa-risc-2.0-processors.patch
+ipv6-remove-nexthop_fib6_nh_bh.patch
+vrf-fix-lockdep-splat-in-output-path.patch
+btrfs-fix-an-error-handling-path-in-btrfs_rename.patch
+btrfs-fix-fscrypt-name-leak-after-failure-to-join-log-transaction.patch
+netlink-remove-the-flex-array-from-struct-nlmsghdr.patch
--- /dev/null
+From 2033ab90380d46e0e9f0520fd6776a73d107fd95 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Sat, 15 Jul 2023 18:36:05 +0300
+Subject: vrf: Fix lockdep splat in output path
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 2033ab90380d46e0e9f0520fd6776a73d107fd95 upstream.
+
+Cited commit converted the neighbour code to use the standard RCU
+variant instead of the RCU-bh variant, but the VRF code still uses
+rcu_read_lock_bh() / rcu_read_unlock_bh() around the neighbour lookup
+code in its IPv4 and IPv6 output paths, resulting in lockdep splats
+[1][2]. Can be reproduced using [3].
+
+Fix by switching to rcu_read_lock() / rcu_read_unlock().
+
+[1]
+=============================
+WARNING: suspicious RCU usage
+6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted
+-----------------------------
+include/net/neighbour.h:302 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+2 locks held by ping/183:
+ #0: ffff888105ea1d80 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0xc6c/0x33c0
+ #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output+0x2e3/0x2030
+
+stack backtrace:
+CPU: 0 PID: 183 Comm: ping Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xc1/0xf0
+ lockdep_rcu_suspicious+0x211/0x3b0
+ vrf_output+0x1380/0x2030
+ ip_push_pending_frames+0x125/0x2a0
+ raw_sendmsg+0x200d/0x33c0
+ inet_sendmsg+0xa2/0xe0
+ __sys_sendto+0x2aa/0x420
+ __x64_sys_sendto+0xe5/0x1c0
+ do_syscall_64+0x38/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+[2]
+=============================
+WARNING: suspicious RCU usage
+6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted
+-----------------------------
+include/net/neighbour.h:302 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+2 locks held by ping6/182:
+ #0: ffff888114b63000 (sk_lock-AF_INET6){+.+.}-{0:0}, at: rawv6_sendmsg+0x1602/0x3e50
+ #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output6+0xe9/0x1310
+
+stack backtrace:
+CPU: 0 PID: 182 Comm: ping6 Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xc1/0xf0
+ lockdep_rcu_suspicious+0x211/0x3b0
+ vrf_output6+0xd32/0x1310
+ ip6_local_out+0xb4/0x1a0
+ ip6_send_skb+0xbc/0x340
+ ip6_push_pending_frames+0xe5/0x110
+ rawv6_sendmsg+0x2e6e/0x3e50
+ inet_sendmsg+0xa2/0xe0
+ __sys_sendto+0x2aa/0x420
+ __x64_sys_sendto+0xe5/0x1c0
+ do_syscall_64+0x38/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+[3]
+#!/bin/bash
+
+ip link add name vrf-red up numtxqueues 2 type vrf table 10
+ip link add name swp1 up master vrf-red type dummy
+ip address add 192.0.2.1/24 dev swp1
+ip address add 2001:db8:1::1/64 dev swp1
+ip neigh add 192.0.2.2 lladdr 00:11:22:33:44:55 nud perm dev swp1
+ip neigh add 2001:db8:1::2 lladdr 00:11:22:33:44:55 nud perm dev swp1
+ip vrf exec vrf-red ping 192.0.2.2 -c 1 &> /dev/null
+ip vrf exec vrf-red ping6 2001:db8:1::2 -c 1 &> /dev/null
+
+Fixes: 09eed1192cec ("neighbour: switch to standard rcu, instead of rcu_bh")
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Link: https://lore.kernel.org/netdev/CA+G9fYtEr-=GbcXNDYo3XOkwR+uYgehVoDjsP0pFLUpZ_AZcyg@mail.gmail.com/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230715153605.4068066-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vrf.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -664,7 +664,7 @@ static int vrf_finish_output6(struct net
+ skb->protocol = htons(ETH_P_IPV6);
+ skb->dev = dev;
+
+- rcu_read_lock_bh();
++ rcu_read_lock();
+ nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr);
+ neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop);
+ if (unlikely(!neigh))
+@@ -672,10 +672,10 @@ static int vrf_finish_output6(struct net
+ if (!IS_ERR(neigh)) {
+ sock_confirm_neigh(skb, neigh);
+ ret = neigh_output(neigh, skb, false);
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ return ret;
+ }
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+
+ IP6_INC_STATS(dev_net(dst->dev),
+ ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
+@@ -889,7 +889,7 @@ static int vrf_finish_output(struct net
+ }
+ }
+
+- rcu_read_lock_bh();
++ rcu_read_lock();
+
+ neigh = ip_neigh_for_gw(rt, skb, &is_v6gw);
+ if (!IS_ERR(neigh)) {
+@@ -898,11 +898,11 @@ static int vrf_finish_output(struct net
+ sock_confirm_neigh(skb, neigh);
+ /* if crossing protocols, can not use the cached header */
+ ret = neigh_output(neigh, skb, is_v6gw);
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ return ret;
+ }
+
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ vrf_tx_error(skb->dev, skb);
+ return -EINVAL;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
