5.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 May 2021 08:41:35 +0000 (10:41 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 May 2021 08:41:35 +0000 (10:41 +0200)
added patches:
ip6_gre-proper-dev_-hold-put-in-ndo_init-methods.patch
ip6_tunnel-sit-proper-dev_-hold-put-in-ndo_init-methods.patch
ipv6-remove-extra-dev_hold-for-fallback-tunnels.patch
sit-proper-dev_-hold-put-in-ndo_init-methods.patch

queue-5.12/ip6_gre-proper-dev_-hold-put-in-ndo_init-methods.patch [new file with mode: 0644]
queue-5.12/ip6_tunnel-sit-proper-dev_-hold-put-in-ndo_init-methods.patch [new file with mode: 0644]
queue-5.12/ipv6-remove-extra-dev_hold-for-fallback-tunnels.patch [new file with mode: 0644]
queue-5.12/series
queue-5.12/sit-proper-dev_-hold-put-in-ndo_init-methods.patch [new file with mode: 0644]

diff --git a/queue-5.12/ip6_gre-proper-dev_-hold-put-in-ndo_init-methods.patch b/queue-5.12/ip6_gre-proper-dev_-hold-put-in-ndo_init-methods.patch
new file mode 100644 (file)
index 0000000..1306eb3
--- /dev/null
@@ -0,0 +1,110 @@
+From 7f700334be9aeb91d5d86ef9ad2d901b9b453e9b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 29 Mar 2021 11:39:51 -0700
+Subject: ip6_gre: proper dev_{hold|put} in ndo_[un]init methods
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 7f700334be9aeb91d5d86ef9ad2d901b9b453e9b upstream.
+
+After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
+a warning [1]
+
+Issue here is that:
+
+- all dev_put() should be paired with a corresponding dev_hold(),
+  and vice versa.
+
+- A driver doing a dev_put() in its ndo_uninit() MUST also
+  do a dev_hold() in its ndo_init(), only when ndo_init()
+  is returning 0.
+
+Otherwise, register_netdevice() would call ndo_uninit()
+in its error path and release a refcount too soon.
+
+ip6_gre for example (among others problematic drivers)
+has to use dev_hold() in ip6gre_tunnel_init_common()
+instead of from ip6gre_newlink_common(), covering
+both ip6gre_tunnel_init() and ip6gre_tap_init()/
+
+Note that ip6gre_tunnel_init_common() is not called from
+ip6erspan_tap_init() thus we also need to add a dev_hold() there,
+as ip6erspan_tunnel_uninit() does call dev_put()
+
+[1]
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 0 PID: 8422 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Modules linked in:
+CPU: 1 PID: 8422 Comm: syz-executor854 Not tainted 5.12.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58
+RSP: 0018:ffffc900018befd0 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff88801ef19c40 RSI: ffffffff815c51f5 RDI: fffff52000317dec
+RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff888018cf4568
+R13: ffff888018cf4c00 R14: ffff8880228f2000 R15: ffffffff8d659b80
+FS:  00000000014eb300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055d7bf2b3138 CR3: 0000000014933000 CR4: 00000000001506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __refcount_dec include/linux/refcount.h:344 [inline]
+ refcount_dec include/linux/refcount.h:359 [inline]
+ dev_put include/linux/netdevice.h:4135 [inline]
+ ip6gre_tunnel_uninit+0x3d7/0x440 net/ipv6/ip6_gre.c:420
+ register_netdevice+0xadf/0x1500 net/core/dev.c:10308
+ ip6gre_newlink_common.constprop.0+0x158/0x410 net/ipv6/ip6_gre.c:1984
+ ip6gre_newlink+0x275/0x7a0 net/ipv6/ip6_gre.c:2017
+ __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+
+Fixes: 919067cc845f ("net: add CONFIG_PCPU_DEV_REFCNT")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1496,6 +1496,7 @@ static int ip6gre_tunnel_init_common(str
+       }
+       ip6gre_tnl_init_features(dev);
++      dev_hold(dev);
+       return 0;
+ cleanup_dst_cache_init:
+@@ -1889,6 +1890,7 @@ static int ip6erspan_tap_init(struct net
+       dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
+       ip6erspan_tnl_link_config(tunnel, 1);
++      dev_hold(dev);
+       return 0;
+ cleanup_dst_cache_init:
+@@ -1988,8 +1990,6 @@ static int ip6gre_newlink_common(struct
+       if (tb[IFLA_MTU])
+               ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU]));
+-      dev_hold(dev);
+-
+ out:
+       return err;
+ }
diff --git a/queue-5.12/ip6_tunnel-sit-proper-dev_-hold-put-in-ndo_init-methods.patch b/queue-5.12/ip6_tunnel-sit-proper-dev_-hold-put-in-ndo_init-methods.patch
new file mode 100644 (file)
index 0000000..2c96999
--- /dev/null
@@ -0,0 +1,96 @@
+From 48bb5697269a7cbe5194dbb044dc38c517e34c58 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 29 Mar 2021 23:45:51 -0700
+Subject: ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 48bb5697269a7cbe5194dbb044dc38c517e34c58 upstream.
+
+Same reasons than for the previous commits :
+6289a98f0817 ("sit: proper dev_{hold|put} in ndo_[un]init methods")
+40cb881b5aaa ("ip6_vti: proper dev_{hold|put} in ndo_[un]init methods")
+7f700334be9a ("ip6_gre: proper dev_{hold|put} in ndo_[un]init methods")
+
+After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
+a warning [1]
+
+Issue here is that:
+
+- all dev_put() should be paired with a corresponding prior dev_hold().
+
+- A driver doing a dev_put() in its ndo_uninit() MUST also
+  do a dev_hold() in its ndo_init(), only when ndo_init()
+  is returning 0.
+
+Otherwise, register_netdevice() would call ndo_uninit()
+in its error path and release a refcount too soon.
+
+[1]
+WARNING: CPU: 1 PID: 21059 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Modules linked in:
+CPU: 1 PID: 21059 Comm: syz-executor.4 Not tainted 5.12.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58
+RSP: 0018:ffffc900025aefe8 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520004b5def
+RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff888023488568
+R13: ffff8880254e9000 R14: 00000000dfd82cfd R15: ffff88802ee2d7c0
+FS:  00007f13bc590700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0943e74000 CR3: 0000000025273000 CR4: 00000000001506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __refcount_dec include/linux/refcount.h:344 [inline]
+ refcount_dec include/linux/refcount.h:359 [inline]
+ dev_put include/linux/netdevice.h:4135 [inline]
+ ip6_tnl_dev_uninit+0x370/0x3d0 net/ipv6/ip6_tunnel.c:387
+ register_netdevice+0xadf/0x1500 net/core/dev.c:10308
+ ip6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_tunnel.c:263
+ ip6_tnl_newlink+0x312/0x580 net/ipv6/ip6_tunnel.c:2052
+ __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 919067cc845f ("net: add CONFIG_PCPU_DEV_REFCNT")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -266,7 +266,6 @@ static int ip6_tnl_create2(struct net_de
+       strcpy(t->parms.name, dev->name);
+-      dev_hold(dev);
+       ip6_tnl_link(ip6n, t);
+       return 0;
+@@ -1882,6 +1881,7 @@ ip6_tnl_dev_init_gen(struct net_device *
+       dev->min_mtu = ETH_MIN_MTU;
+       dev->max_mtu = IP6_MAX_MTU - dev->hard_header_len;
++      dev_hold(dev);
+       return 0;
+ destroy_dst:
diff --git a/queue-5.12/ipv6-remove-extra-dev_hold-for-fallback-tunnels.patch b/queue-5.12/ipv6-remove-extra-dev_hold-for-fallback-tunnels.patch
new file mode 100644 (file)
index 0000000..9bcade9
--- /dev/null
@@ -0,0 +1,82 @@
+From 0d7a7b2014b1a499a0fe24c9f3063d7856b5aaaf Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 31 Mar 2021 14:38:11 -0700
+Subject: ipv6: remove extra dev_hold() for fallback tunnels
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 0d7a7b2014b1a499a0fe24c9f3063d7856b5aaaf upstream.
+
+My previous commits added a dev_hold() in tunnels ndo_init(),
+but forgot to remove it from special functions setting up fallback tunnels.
+
+Fallback tunnels do call their respective ndo_init()
+
+This leads to various reports like :
+
+unregister_netdevice: waiting for ip6gre0 to become free. Usage count = 2
+
+Fixes: 48bb5697269a ("ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods")
+Fixes: 6289a98f0817 ("sit: proper dev_{hold|put} in ndo_[un]init methods")
+Fixes: 40cb881b5aaa ("ip6_vti: proper dev_{hold|put} in ndo_[un]init methods")
+Fixes: 7f700334be9a ("ip6_gre: proper dev_{hold|put} in ndo_[un]init methods")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c    |    3 ---
+ net/ipv6/ip6_tunnel.c |    1 -
+ net/ipv6/ip6_vti.c    |    1 -
+ net/ipv6/sit.c        |    1 -
+ 4 files changed, 6 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -387,7 +387,6 @@ static struct ip6_tnl *ip6gre_tunnel_loc
+       if (!(nt->parms.o_flags & TUNNEL_SEQ))
+               dev->features |= NETIF_F_LLTX;
+-      dev_hold(dev);
+       ip6gre_tunnel_link(ign, nt);
+       return nt;
+@@ -1539,8 +1538,6 @@ static void ip6gre_fb_tunnel_init(struct
+       strcpy(tunnel->parms.name, dev->name);
+       tunnel->hlen            = sizeof(struct ipv6hdr) + 4;
+-
+-      dev_hold(dev);
+ }
+ static struct inet6_protocol ip6gre_protocol __read_mostly = {
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1925,7 +1925,6 @@ static int __net_init ip6_fb_tnl_dev_ini
+       struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
+       t->parms.proto = IPPROTO_IPV6;
+-      dev_hold(dev);
+       rcu_assign_pointer(ip6n->tnls_wc[0], t);
+       return 0;
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -965,7 +965,6 @@ static int __net_init vti6_fb_tnl_dev_in
+       struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+       t->parms.proto = IPPROTO_IPV6;
+-      dev_hold(dev);
+       rcu_assign_pointer(ip6n->tnls_wc[0], t);
+       return 0;
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1470,7 +1470,6 @@ static void __net_init ipip6_fb_tunnel_i
+       iph->ihl                = 5;
+       iph->ttl                = 64;
+-      dev_hold(dev);
+       rcu_assign_pointer(sitn->tunnels_wc[0], tunnel);
+ }
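Review bot: The net/ipv6/ip6_vti.c hunk drops the `dev_hold(dev)` from vti6_fb_tnl_dev_init(), which is only balanced if vti6's ndo_init now takes that reference itself — that is the separate upstream commit 40cb881b5aaa named in this patch's Fixes tags, and it is not one of the four patches queued in this commit. Unless 40cb881b5aaa is already present in the 5.12 tree, the vti6 fallback device would be left one reference short and the dev_put() in its ndo_uninit could hit the same refcount underflow this series is fixing, only at netns teardown instead of at link creation. Worth confirming against queue-5.12/series before this queue is released. The ip6_gre.c, ip6_tunnel.c and sit.c hunks in this file are covered by the three companion patches queued here, and series orders this patch after them, which is the required order.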
index c291f7791aaa88996cfcf89afa117b5fe16ac0b1..59023f2050fd9eb1847f876aba3e32a1c6d85e1e 100644 (file)
@@ -39,3 +39,7 @@ alsa-hda-generic-change-the-dac-ctl-name-for-lo-spk-.patch
 block-reexpand-iov_iter-after-read-write.patch
 lib-stackdepot-turn-depot_lock-spinlock-to-raw_spinl.patch
 net-stmmac-do-not-enable-rx-fifo-overflow-interrupts.patch
+ip6_gre-proper-dev_-hold-put-in-ndo_init-methods.patch
+sit-proper-dev_-hold-put-in-ndo_init-methods.patch
+ip6_tunnel-sit-proper-dev_-hold-put-in-ndo_init-methods.patch
+ipv6-remove-extra-dev_hold-for-fallback-tunnels.patch
diff --git a/queue-5.12/sit-proper-dev_-hold-put-in-ndo_init-methods.patch b/queue-5.12/sit-proper-dev_-hold-put-in-ndo_init-methods.patch
new file mode 100644 (file)
index 0000000..4f62d79
--- /dev/null
@@ -0,0 +1,52 @@
+From 6289a98f0817a4a457750d6345e754838eae9439 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 29 Mar 2021 12:25:22 -0700
+Subject: sit: proper dev_{hold|put} in ndo_[un]init methods
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6289a98f0817a4a457750d6345e754838eae9439 upstream.
+
+After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
+a warning [1]
+
+Issue here is that:
+
+- all dev_put() should be paired with a corresponding prior dev_hold().
+
+- A driver doing a dev_put() in its ndo_uninit() MUST also
+  do a dev_hold() in its ndo_init(), only when ndo_init()
+  is returning 0.
+
+Otherwise, register_netdevice() would call ndo_uninit()
+in its error path and release a refcount too soon.
+
+Fixes: 919067cc845f ("net: add CONFIG_PCPU_DEV_REFCNT")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -218,8 +218,6 @@ static int ipip6_tunnel_create(struct ne
+       ipip6_tunnel_clone_6rd(dev, sitn);
+-      dev_hold(dev);
+-
+       ipip6_tunnel_link(sitn, t);
+       return 0;
+@@ -1456,7 +1454,7 @@ static int ipip6_tunnel_init(struct net_
+               dev->tstats = NULL;
+               return err;
+       }
+-
++      dev_hold(dev);
+       return 0;
+ }