drop 2 tcp_bpf patches that were modifying the wrong function
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Sep 2024 08:09:59 +0000 (10:09 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Sep 2024 08:09:59 +0000 (10:09 +0200)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
queue-5.10/series
queue-5.10/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch [deleted file]
queue-5.15/series
queue-5.15/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch [deleted file]

index 20b372c760ccf52e6622545cccd764208e62e9c8..242091ef331b5a9755499b53384cd6e2088a9fee 100644 (file)
@@ -68,7 +68,6 @@ clk-qcom-clk-alpha-pll-fix-the-pll-post-div-mask.patch
 clk-qcom-clk-alpha-pll-fix-the-trion-pll-postdiv-set-rate-api.patch
 can-mcp251x-fix-deadlock-if-an-interrupt-occurs-during-mcp251x_open.patch
 tracing-avoid-possible-softlockup-in-tracing_iter_reset.patch
-tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch
 ila-call-nf_unregister_net_hooks-sooner.patch
 sched-sch_cake-fix-bulk-flow-accounting-logic-for-host-fairness.patch
 nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch
diff --git a/queue-5.10/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch b/queue-5.10/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch
deleted file mode 100644 (file)
index d98fc3d..0000000
+++ /dev/null
@@ -1,91 +0,0 @@
-From fe1910f9337bd46a9343967b547ccab26b4b2c6e Mon Sep 17 00:00:00 2001
-From: Cong Wang <cong.wang@bytedance.com>
-Date: Tue, 20 Aug 2024 20:07:44 -0700
-Subject: tcp_bpf: fix return value of tcp_bpf_sendmsg()
-
-From: Cong Wang <cong.wang@bytedance.com>
-
-commit fe1910f9337bd46a9343967b547ccab26b4b2c6e upstream.
-
-When we cork messages in psock->cork, the last message triggers the
-flushing will result in sending a sk_msg larger than the current
-message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes
-negative at least in the following case:
-
-468         case __SK_DROP:
-469         default:
-470                 sk_msg_free_partial(sk, msg, tosend);
-471                 sk_msg_apply_bytes(psock, tosend);
-472                 *copied -= (tosend + delta); // <==== HERE
-473                 return -EACCES;
-
-Therefore, it could lead to the following BUG with a proper value of
-'copied' (thanks to syzbot). We should not use negative 'copied' as a
-return value here.
-
-  ------------[ cut here ]------------
-  kernel BUG at net/socket.c:733!
-  Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
-  Modules linked in:
-  CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0
-  Hardware name: linux,dummy-virt (DT)
-  pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
-  pc : sock_sendmsg_nosec net/socket.c:733 [inline]
-  pc : sock_sendmsg_nosec net/socket.c:728 [inline]
-  pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745
-  lr : sock_sendmsg_nosec net/socket.c:730 [inline]
-  lr : __sock_sendmsg+0x54/0x60 net/socket.c:745
-  sp : ffff800088ea3b30
-  x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000
-  x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000
-  x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90
-  x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001
-  x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf
-  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
-  x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0
-  x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000
-  x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900
-  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef
-  Call trace:
-   sock_sendmsg_nosec net/socket.c:733 [inline]
-   __sock_sendmsg+0x5c/0x60 net/socket.c:745
-   ____sys_sendmsg+0x274/0x2ac net/socket.c:2597
-   ___sys_sendmsg+0xac/0x100 net/socket.c:2651
-   __sys_sendmsg+0x84/0xe0 net/socket.c:2680
-   __do_sys_sendmsg net/socket.c:2689 [inline]
-   __se_sys_sendmsg net/socket.c:2687 [inline]
-   __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687
-   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
-   invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
-   el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
-   do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
-   el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
-   el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
-   el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
-  Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)
-  ---[ end trace 0000000000000000 ]---
-
-Fixes: 4f738adba30a ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
-Reported-by: syzbot+58c03971700330ce14d8@syzkaller.appspotmail.com
-Cc: Jakub Sitnicki <jakub@cloudflare.com>
-Signed-off-by: Cong Wang <cong.wang@bytedance.com>
-Reviewed-by: John Fastabend <john.fastabend@gmail.com>
-Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
-Link: https://patch.msgid.link/20240821030744.320934-1-xiyou.wangcong@gmail.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/tcp_bpf.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/ipv4/tcp_bpf.c
-+++ b/net/ipv4/tcp_bpf.c
-@@ -559,7 +559,7 @@ static int tcp_bpf_sendpage(struct sock
- out_err:
-       release_sock(sk);
-       sk_psock_put(sk, psock);
--      return copied ? copied : err;
-+      return copied > 0 ? copied : err;
- }
- enum {
index 879587e2ed39ce98df39fdb3743206026ca5707a..88637cecf31a01331029eed75381e64a1d939f34 100644 (file)
@@ -83,7 +83,6 @@ clk-qcom-clk-alpha-pll-fix-zonda-set_rate-failure-when-pll-is-disabled.patch
 clk-qcom-clk-alpha-pll-update-set_rate-for-zonda-pll.patch
 can-mcp251x-fix-deadlock-if-an-interrupt-occurs-during-mcp251x_open.patch
 tracing-avoid-possible-softlockup-in-tracing_iter_reset.patch
-tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch
 ila-call-nf_unregister_net_hooks-sooner.patch
 sched-sch_cake-fix-bulk-flow-accounting-logic-for-host-fairness.patch
 nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch
diff --git a/queue-5.15/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch b/queue-5.15/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch
deleted file mode 100644 (file)
index a736714..0000000
+++ /dev/null
@@ -1,91 +0,0 @@
-From fe1910f9337bd46a9343967b547ccab26b4b2c6e Mon Sep 17 00:00:00 2001
-From: Cong Wang <cong.wang@bytedance.com>
-Date: Tue, 20 Aug 2024 20:07:44 -0700
-Subject: tcp_bpf: fix return value of tcp_bpf_sendmsg()
-
-From: Cong Wang <cong.wang@bytedance.com>
-
-commit fe1910f9337bd46a9343967b547ccab26b4b2c6e upstream.
-
-When we cork messages in psock->cork, the last message triggers the
-flushing will result in sending a sk_msg larger than the current
-message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes
-negative at least in the following case:
-
-468         case __SK_DROP:
-469         default:
-470                 sk_msg_free_partial(sk, msg, tosend);
-471                 sk_msg_apply_bytes(psock, tosend);
-472                 *copied -= (tosend + delta); // <==== HERE
-473                 return -EACCES;
-
-Therefore, it could lead to the following BUG with a proper value of
-'copied' (thanks to syzbot). We should not use negative 'copied' as a
-return value here.
-
-  ------------[ cut here ]------------
-  kernel BUG at net/socket.c:733!
-  Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
-  Modules linked in:
-  CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0
-  Hardware name: linux,dummy-virt (DT)
-  pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
-  pc : sock_sendmsg_nosec net/socket.c:733 [inline]
-  pc : sock_sendmsg_nosec net/socket.c:728 [inline]
-  pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745
-  lr : sock_sendmsg_nosec net/socket.c:730 [inline]
-  lr : __sock_sendmsg+0x54/0x60 net/socket.c:745
-  sp : ffff800088ea3b30
-  x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000
-  x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000
-  x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90
-  x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001
-  x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf
-  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
-  x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0
-  x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000
-  x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900
-  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef
-  Call trace:
-   sock_sendmsg_nosec net/socket.c:733 [inline]
-   __sock_sendmsg+0x5c/0x60 net/socket.c:745
-   ____sys_sendmsg+0x274/0x2ac net/socket.c:2597
-   ___sys_sendmsg+0xac/0x100 net/socket.c:2651
-   __sys_sendmsg+0x84/0xe0 net/socket.c:2680
-   __do_sys_sendmsg net/socket.c:2689 [inline]
-   __se_sys_sendmsg net/socket.c:2687 [inline]
-   __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687
-   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
-   invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
-   el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
-   do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
-   el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
-   el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
-   el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
-  Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)
-  ---[ end trace 0000000000000000 ]---
-
-Fixes: 4f738adba30a ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
-Reported-by: syzbot+58c03971700330ce14d8@syzkaller.appspotmail.com
-Cc: Jakub Sitnicki <jakub@cloudflare.com>
-Signed-off-by: Cong Wang <cong.wang@bytedance.com>
-Reviewed-by: John Fastabend <john.fastabend@gmail.com>
-Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
-Link: https://patch.msgid.link/20240821030744.320934-1-xiyou.wangcong@gmail.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/tcp_bpf.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/ipv4/tcp_bpf.c
-+++ b/net/ipv4/tcp_bpf.c
-@@ -581,7 +581,7 @@ static int tcp_bpf_sendpage(struct sock
- out_err:
-       release_sock(sk);
-       sk_psock_put(sk, psock);
--      return copied ? copied : err;
-+      return copied > 0 ? copied : err;
- }
- enum {