From: Greg Kroah-Hartman Date: Mon, 4 Oct 2021 12:18:04 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.4.286~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=204d3524e48d88e355d3f8676e4f7802b87f1d3f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: crypto-aesni-xts_crypt-return-if-walk.nbytes-is-0.patch hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch kvm-x86-handle-srcu-initialization-failure-during-page-track-init.patch mm-don-t-allow-oversized-kvmalloc-calls.patch net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch netfilter-conntrack-serialize-hash-resizes-and-cleanups.patch netfilter-ipset-fix-oversized-kvmalloc-calls.patch netfilter-nf_tables-fix-oversized-kvmalloc-calls.patch --- diff --git a/queue-5.14/crypto-aesni-xts_crypt-return-if-walk.nbytes-is-0.patch b/queue-5.14/crypto-aesni-xts_crypt-return-if-walk.nbytes-is-0.patch new file mode 100644 index 00000000000..4cc8f96130d --- /dev/null +++ b/queue-5.14/crypto-aesni-xts_crypt-return-if-walk.nbytes-is-0.patch @@ -0,0 +1,32 @@ +From 72ff2bf04db2a48840df93a461b7115900f46c05 Mon Sep 17 00:00:00 2001 +From: Shreyansh Chouhan +Date: Sun, 22 Aug 2021 09:15:14 +0530 +Subject: crypto: aesni - xts_crypt() return if walk.nbytes is 0 + +From: Shreyansh Chouhan + +commit 72ff2bf04db2a48840df93a461b7115900f46c05 upstream. + +xts_crypt() code doesn't call kernel_fpu_end() after calling +kernel_fpu_begin() if walk.nbytes is 0. The correct behavior should be +not calling kernel_fpu_begin() if walk.nbytes is 0. + +Reported-by: syzbot+20191dc583eff8602d2d@syzkaller.appspotmail.com +Signed-off-by: Shreyansh Chouhan +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/crypto/aesni-intel_glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -849,7 +849,7 @@ static int xts_crypt(struct skcipher_req + return -EINVAL; + + err = skcipher_walk_virt(&walk, req, false); +- if (err) ++ if (!walk.nbytes) + return err; + + if (unlikely(tail > 0 && walk.nbytes < walk.total)) { diff --git a/queue-5.14/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch b/queue-5.14/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch new file mode 100644 index 00000000000..317aa195d91 --- /dev/null +++ b/queue-5.14/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch @@ -0,0 +1,52 @@ +From 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 Mon Sep 17 00:00:00 2001 +From: "F.A.Sulaiman" +Date: Tue, 24 Aug 2021 20:37:30 +0530 +Subject: HID: betop: fix slab-out-of-bounds Write in betop_probe + +From: F.A.Sulaiman + +commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream. + +Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. +The problem is the driver assumes the device must have an input report but +some malicious devices violate this assumption. + +So this patch checks hid_device's input is non empty before it's been used. + +Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com +Signed-off-by: F.A. SULAIMAN +Reviewed-by: Pavel Skripkin +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-betopff.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-betopff.c ++++ b/drivers/hid/hid-betopff.c +@@ -56,15 +56,22 @@ static int betopff_init(struct hid_devic + { + struct betopff_device *betopff; + struct hid_report *report; +- struct hid_input *hidinput = +- list_first_entry(&hid->inputs, struct hid_input, list); ++ struct hid_input *hidinput; + struct list_head *report_list = + &hid->report_enum[HID_OUTPUT_REPORT].report_list; +- struct input_dev *dev = hidinput->input; ++ struct input_dev *dev; + int field_count = 0; + int error; + int i, j; + ++ if (list_empty(&hid->inputs)) { ++ hid_err(hid, "no inputs found\n"); ++ return -ENODEV; ++ } ++ ++ hidinput = list_first_entry(&hid->inputs, struct hid_input, list); ++ dev = hidinput->input; ++ + if (list_empty(report_list)) { + hid_err(hid, "no output reports found\n"); + return -ENODEV; diff --git a/queue-5.14/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch b/queue-5.14/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch new file mode 100644 index 00000000000..336f5fed83d --- /dev/null +++ b/queue-5.14/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch @@ -0,0 +1,55 @@ +From f7744fa16b96da57187dc8e5634152d3b63d72de Mon Sep 17 00:00:00 2001 +From: Anirudh Rayabharam +Date: Thu, 24 Jun 2021 00:10:29 +0530 +Subject: HID: usbhid: free raw_report buffers in usbhid_stop + +From: Anirudh Rayabharam + +commit f7744fa16b96da57187dc8e5634152d3b63d72de upstream. + +Free the unsent raw_report buffers when the device is removed. + +Fixes a memory leak reported by syzbot at: +https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47 + +Reported-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com +Tested-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com +Signed-off-by: Anirudh Rayabharam +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/usbhid/hid-core.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -505,7 +505,7 @@ static void hid_ctrl(struct urb *urb) + + if (unplug) { + usbhid->ctrltail = usbhid->ctrlhead; +- } else { ++ } else if (usbhid->ctrlhead != usbhid->ctrltail) { + usbhid->ctrltail = (usbhid->ctrltail + 1) & (HID_CONTROL_FIFO_SIZE - 1); + + if (usbhid->ctrlhead != usbhid->ctrltail && +@@ -1223,9 +1223,20 @@ static void usbhid_stop(struct hid_devic + mutex_lock(&usbhid->mutex); + + clear_bit(HID_STARTED, &usbhid->iofl); ++ + spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */ + set_bit(HID_DISCONNECTED, &usbhid->iofl); ++ while (usbhid->ctrltail != usbhid->ctrlhead) { ++ if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_OUT) { ++ kfree(usbhid->ctrl[usbhid->ctrltail].raw_report); ++ usbhid->ctrl[usbhid->ctrltail].raw_report = NULL; ++ } ++ ++ usbhid->ctrltail = (usbhid->ctrltail + 1) & ++ (HID_CONTROL_FIFO_SIZE - 1); ++ } + spin_unlock_irq(&usbhid->lock); ++ + usb_kill_urb(usbhid->urbin); + usb_kill_urb(usbhid->urbout); + usb_kill_urb(usbhid->urbctrl); diff --git a/queue-5.14/kvm-x86-handle-srcu-initialization-failure-during-page-track-init.patch b/queue-5.14/kvm-x86-handle-srcu-initialization-failure-during-page-track-init.patch new file mode 100644 index 00000000000..9bcbc6558b5 --- /dev/null +++ b/queue-5.14/kvm-x86-handle-srcu-initialization-failure-during-page-track-init.patch @@ -0,0 +1,80 @@ +From eb7511bf9182292ef1df1082d23039e856d1ddfb Mon Sep 17 00:00:00 2001 +From: Haimin Zhang +Date: Fri, 3 Sep 2021 10:37:06 +0800 +Subject: KVM: x86: Handle SRCU initialization failure during page track init + +From: Haimin Zhang + +commit eb7511bf9182292ef1df1082d23039e856d1ddfb upstream. + +Check the return of init_srcu_struct(), which can fail due to OOM, when +initializing the page track mechanism. Lack of checking leads to a NULL +pointer deref found by a modified syzkaller. + +Reported-by: TCS Robot +Signed-off-by: Haimin Zhang +Message-Id: <1630636626-12262-1-git-send-email-tcs_kernel@tencent.com> +[Move the call towards the beginning of kvm_arch_init_vm. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_page_track.h | 2 +- + arch/x86/kvm/mmu/page_track.c | 4 ++-- + arch/x86/kvm/x86.c | 7 ++++++- + 3 files changed, 9 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/kvm_page_track.h ++++ b/arch/x86/include/asm/kvm_page_track.h +@@ -46,7 +46,7 @@ struct kvm_page_track_notifier_node { + struct kvm_page_track_notifier_node *node); + }; + +-void kvm_page_track_init(struct kvm *kvm); ++int kvm_page_track_init(struct kvm *kvm); + void kvm_page_track_cleanup(struct kvm *kvm); + + void kvm_page_track_free_memslot(struct kvm_memory_slot *slot); +--- a/arch/x86/kvm/mmu/page_track.c ++++ b/arch/x86/kvm/mmu/page_track.c +@@ -163,13 +163,13 @@ void kvm_page_track_cleanup(struct kvm * + cleanup_srcu_struct(&head->track_srcu); + } + +-void kvm_page_track_init(struct kvm *kvm) ++int kvm_page_track_init(struct kvm *kvm) + { + struct kvm_page_track_notifier_head *head; + + head = &kvm->arch.track_notifier_head; +- init_srcu_struct(&head->track_srcu); + INIT_HLIST_HEAD(&head->track_notifier_list); ++ return init_srcu_struct(&head->track_srcu); + } + + /* +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -11093,9 +11093,15 @@ void kvm_arch_free_vm(struct kvm *kvm) + + int kvm_arch_init_vm(struct kvm *kvm, unsigned long type) + { ++ int ret; ++ + if (type) + return -EINVAL; + ++ ret = kvm_page_track_init(kvm); ++ if (ret) ++ return ret; ++ + INIT_HLIST_HEAD(&kvm->arch.mask_notifier_list); + INIT_LIST_HEAD(&kvm->arch.active_mmu_pages); + INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages); +@@ -11128,7 +11134,6 @@ int kvm_arch_init_vm(struct kvm *kvm, un + + kvm_apicv_init(kvm); + kvm_hv_init_vm(kvm); +- kvm_page_track_init(kvm); + kvm_mmu_init_vm(kvm); + + return static_call(kvm_x86_vm_init)(kvm); diff --git a/queue-5.14/mm-don-t-allow-oversized-kvmalloc-calls.patch b/queue-5.14/mm-don-t-allow-oversized-kvmalloc-calls.patch new file mode 100644 index 00000000000..71d5d685058 --- /dev/null +++ b/queue-5.14/mm-don-t-allow-oversized-kvmalloc-calls.patch @@ -0,0 +1,40 @@ +From 7661809d493b426e979f39ab512e3adf41fbcc69 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 14 Jul 2021 09:45:49 -0700 +Subject: mm: don't allow oversized kvmalloc() calls + +From: Linus Torvalds + +commit 7661809d493b426e979f39ab512e3adf41fbcc69 upstream. + +'kvmalloc()' is a convenience function for people who want to do a +kmalloc() but fall back on vmalloc() if there aren't enough physically +contiguous pages, or if the allocation is larger than what kmalloc() +supports. + +However, let's make sure it doesn't get _too_ easy to do crazy things +with it. In particular, don't allow big allocations that could be due +to integer overflow or underflow. So make sure the allocation size fits +in an 'int', to protect against trivial integer conversion issues. + +Acked-by: Willy Tarreau +Cc: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/mm/util.c ++++ b/mm/util.c +@@ -593,6 +593,10 @@ void *kvmalloc_node(size_t size, gfp_t f + if (ret || size <= PAGE_SIZE) + return ret; + ++ /* Don't even allow crazy sizes */ ++ if (WARN_ON_ONCE(size > INT_MAX)) ++ return NULL; ++ + return __vmalloc_node(size, 1, flags, node, + __builtin_return_address(0)); + } diff --git a/queue-5.14/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch b/queue-5.14/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch new file mode 100644 index 00000000000..b0e31d52848 --- /dev/null +++ b/queue-5.14/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch @@ -0,0 +1,89 @@ +From ab609f25d19858513919369ff3d9a63c02cd9e2e Mon Sep 17 00:00:00 2001 +From: Yanfei Xu +Date: Sun, 26 Sep 2021 12:53:13 +0800 +Subject: net: mdiobus: Fix memory leak in __mdiobus_register + +From: Yanfei Xu + +commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream. + +Once device_register() failed, we should call put_device() to +decrement reference count for cleanup. Or it will cause memory +leak. + +BUG: memory leak +unreferenced object 0xffff888114032e00 (size 256): + comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff ................ + 08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff .........ve..... + backtrace: + [] kmalloc include/linux/slab.h:591 [inline] + [] kzalloc include/linux/slab.h:721 [inline] + [] device_private_init drivers/base/core.c:3203 [inline] + [] device_add+0x89b/0xdf0 drivers/base/core.c:3253 + [] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537 + [] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87 + [] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline] + [] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786 + [] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745 + [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 + [] call_driver_probe drivers/base/dd.c:517 [inline] + [] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596 + [] really_probe drivers/base/dd.c:558 [inline] + [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751 + [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781 + [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898 + [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 + [] __device_attach+0x122/0x260 drivers/base/dd.c:969 + [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 + [] device_add+0x5fb/0xdf0 drivers/base/core.c:3359 + [] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170 + [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 + +BUG: memory leak +unreferenced object 0xffff888116f06900 (size 32): + comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s) + hex dump (first 32 bytes): + 75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00 usb-001:003..... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kstrdup+0x36/0x70 mm/util.c:60 + [] kstrdup_const+0x53/0x80 mm/util.c:83 + [] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48 + [] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289 + [] dev_set_name+0x63/0x90 drivers/base/core.c:3147 + [] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535 + [] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87 + [] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline] + [] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786 + [] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745 + [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 + [] call_driver_probe drivers/base/dd.c:517 [inline] + [] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596 + [] really_probe drivers/base/dd.c:558 [inline] + [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751 + [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781 + [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898 + [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 + [] __device_attach+0x122/0x260 drivers/base/dd.c:969 + +Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com +Signed-off-by: Yanfei Xu +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio_bus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -541,6 +541,7 @@ int __mdiobus_register(struct mii_bus *b + err = device_register(&bus->dev); + if (err) { + pr_err("mii_bus %s failed to register\n", bus->id); ++ put_device(&bus->dev); + return -EINVAL; + } + diff --git a/queue-5.14/netfilter-conntrack-serialize-hash-resizes-and-cleanups.patch b/queue-5.14/netfilter-conntrack-serialize-hash-resizes-and-cleanups.patch new file mode 100644 index 00000000000..0a661cd0315 --- /dev/null +++ b/queue-5.14/netfilter-conntrack-serialize-hash-resizes-and-cleanups.patch @@ -0,0 +1,209 @@ +From e9edc188fc76499b0b9bd60364084037f6d03773 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 17 Sep 2021 15:15:56 -0700 +Subject: netfilter: conntrack: serialize hash resizes and cleanups + +From: Eric Dumazet + +commit e9edc188fc76499b0b9bd60364084037f6d03773 upstream. + +Syzbot was able to trigger the following warning [1] + +No repro found by syzbot yet but I was able to trigger similar issue +by having 2 scripts running in parallel, changing conntrack hash sizes, +and: + +for j in `seq 1 1000` ; do unshare -n /bin/true >/dev/null ; done + +It would take more than 5 minutes for net_namespace structures +to be cleaned up. + +This is because nf_ct_iterate_cleanup() has to restart everytime +a resize happened. + +By adding a mutex, we can serialize hash resizes and cleanups +and also make get_next_corpse() faster by skipping over empty +buckets. + +Even without resizes in the picture, this patch considerably +speeds up network namespace dismantles. + +[1] +INFO: task syz-executor.0:8312 can't die for more than 144 seconds. +task:syz-executor.0 state:R running task stack:25672 pid: 8312 ppid: 6573 flags:0x00004006 +Call Trace: + context_switch kernel/sched/core.c:4955 [inline] + __schedule+0x940/0x26f0 kernel/sched/core.c:6236 + preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408 + preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35 + __local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390 + local_bh_enable include/linux/bottom_half.h:32 [inline] + get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline] + nf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275 + nf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469 + ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171 + setup_net+0x639/0xa30 net/core/net_namespace.c:349 + copy_net_ns+0x319/0x760 net/core/net_namespace.c:470 + create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 + unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226 + ksys_unshare+0x445/0x920 kernel/fork.c:3128 + __do_sys_unshare kernel/fork.c:3202 [inline] + __se_sys_unshare kernel/fork.c:3200 [inline] + __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f63da68e739 +RSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 +RAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 +RBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80 +R13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000 + +Showing all locks held in the system: +1 lock held by khungtaskd/27: + #0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446 +2 locks held by kworker/u4:2/153: + #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] + #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] + #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] + #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline] + #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline] + #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268 + #1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272 +1 lock held by systemd-udevd/2970: +1 lock held by in:imklog/6258: + #0: ffff88807f970ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990 +3 locks held by kworker/1:6/8158: +1 lock held by syz-executor.0/8312: +2 locks held by kworker/u4:13/9320: +1 lock held by syz-executor.5/10178: +1 lock held by syz-executor.4/10217: + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_core.c | 70 ++++++++++++++++++++------------------ + 1 file changed, 37 insertions(+), 33 deletions(-) + +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -75,6 +75,9 @@ static __read_mostly struct kmem_cache * + static DEFINE_SPINLOCK(nf_conntrack_locks_all_lock); + static __read_mostly bool nf_conntrack_locks_all; + ++/* serialize hash resizes and nf_ct_iterate_cleanup */ ++static DEFINE_MUTEX(nf_conntrack_mutex); ++ + #define GC_SCAN_INTERVAL (120u * HZ) + #define GC_SCAN_MAX_DURATION msecs_to_jiffies(10) + +@@ -2192,28 +2195,31 @@ get_next_corpse(int (*iter)(struct nf_co + spinlock_t *lockp; + + for (; *bucket < nf_conntrack_htable_size; (*bucket)++) { ++ struct hlist_nulls_head *hslot = &nf_conntrack_hash[*bucket]; ++ ++ if (hlist_nulls_empty(hslot)) ++ continue; ++ + lockp = &nf_conntrack_locks[*bucket % CONNTRACK_LOCKS]; + local_bh_disable(); + nf_conntrack_lock(lockp); +- if (*bucket < nf_conntrack_htable_size) { +- hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[*bucket], hnnode) { +- if (NF_CT_DIRECTION(h) != IP_CT_DIR_REPLY) +- continue; +- /* All nf_conn objects are added to hash table twice, one +- * for original direction tuple, once for the reply tuple. +- * +- * Exception: In the IPS_NAT_CLASH case, only the reply +- * tuple is added (the original tuple already existed for +- * a different object). +- * +- * We only need to call the iterator once for each +- * conntrack, so we just use the 'reply' direction +- * tuple while iterating. +- */ +- ct = nf_ct_tuplehash_to_ctrack(h); +- if (iter(ct, data)) +- goto found; +- } ++ hlist_nulls_for_each_entry(h, n, hslot, hnnode) { ++ if (NF_CT_DIRECTION(h) != IP_CT_DIR_REPLY) ++ continue; ++ /* All nf_conn objects are added to hash table twice, one ++ * for original direction tuple, once for the reply tuple. ++ * ++ * Exception: In the IPS_NAT_CLASH case, only the reply ++ * tuple is added (the original tuple already existed for ++ * a different object). ++ * ++ * We only need to call the iterator once for each ++ * conntrack, so we just use the 'reply' direction ++ * tuple while iterating. ++ */ ++ ct = nf_ct_tuplehash_to_ctrack(h); ++ if (iter(ct, data)) ++ goto found; + } + spin_unlock(lockp); + local_bh_enable(); +@@ -2231,26 +2237,20 @@ found: + static void nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), + void *data, u32 portid, int report) + { +- unsigned int bucket = 0, sequence; ++ unsigned int bucket = 0; + struct nf_conn *ct; + + might_sleep(); + +- for (;;) { +- sequence = read_seqcount_begin(&nf_conntrack_generation); +- +- while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) { +- /* Time to push up daises... */ ++ mutex_lock(&nf_conntrack_mutex); ++ while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) { ++ /* Time to push up daises... */ + +- nf_ct_delete(ct, portid, report); +- nf_ct_put(ct); +- cond_resched(); +- } +- +- if (!read_seqcount_retry(&nf_conntrack_generation, sequence)) +- break; +- bucket = 0; ++ nf_ct_delete(ct, portid, report); ++ nf_ct_put(ct); ++ cond_resched(); + } ++ mutex_unlock(&nf_conntrack_mutex); + } + + struct iter_data { +@@ -2486,8 +2486,10 @@ int nf_conntrack_hash_resize(unsigned in + if (!hash) + return -ENOMEM; + ++ mutex_lock(&nf_conntrack_mutex); + old_size = nf_conntrack_htable_size; + if (old_size == hashsize) { ++ mutex_unlock(&nf_conntrack_mutex); + kvfree(hash); + return 0; + } +@@ -2523,6 +2525,8 @@ int nf_conntrack_hash_resize(unsigned in + nf_conntrack_all_unlock(); + local_bh_enable(); + ++ mutex_unlock(&nf_conntrack_mutex); ++ + synchronize_net(); + kvfree(old_hash); + return 0; diff --git a/queue-5.14/netfilter-ipset-fix-oversized-kvmalloc-calls.patch b/queue-5.14/netfilter-ipset-fix-oversized-kvmalloc-calls.patch new file mode 100644 index 00000000000..aad95175a4d --- /dev/null +++ b/queue-5.14/netfilter-ipset-fix-oversized-kvmalloc-calls.patch @@ -0,0 +1,46 @@ +From 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 Mon Sep 17 00:00:00 2001 +From: Jozsef Kadlecsik +Date: Mon, 6 Sep 2021 18:26:34 +0200 +Subject: netfilter: ipset: Fix oversized kvmalloc() calls + +From: Jozsef Kadlecsik + +commit 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 upstream. + +The commit + +commit 7661809d493b426e979f39ab512e3adf41fbcc69 +Author: Linus Torvalds +Date: Wed Jul 14 09:45:49 2021 -0700 + + mm: don't allow oversized kvmalloc() calls + +limits the max allocatable memory via kvmalloc() to MAX_INT. Apply the +same limit in ipset. + +Reported-by: syzbot+3493b1873fb3ea827986@syzkaller.appspotmail.com +Reported-by: syzbot+2b8443c35458a617c904@syzkaller.appspotmail.com +Reported-by: syzbot+ee5cb15f4a0e85e0d54e@syzkaller.appspotmail.com +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipset/ip_set_hash_gen.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -130,11 +130,11 @@ htable_size(u8 hbits) + { + size_t hsize; + +- /* We must fit both into u32 in jhash and size_t */ ++ /* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */ + if (hbits > 31) + return 0; + hsize = jhash_size(hbits); +- if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *) ++ if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *) + < hsize) + return 0; + diff --git a/queue-5.14/netfilter-nf_tables-fix-oversized-kvmalloc-calls.patch b/queue-5.14/netfilter-nf_tables-fix-oversized-kvmalloc-calls.patch new file mode 100644 index 00000000000..62cf00b6164 --- /dev/null +++ b/queue-5.14/netfilter-nf_tables-fix-oversized-kvmalloc-calls.patch @@ -0,0 +1,30 @@ +From 45928afe94a094bcda9af858b96673d59bc4a0e9 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 13 Sep 2021 20:38:52 +0200 +Subject: netfilter: nf_tables: Fix oversized kvmalloc() calls + +From: Pablo Neira Ayuso + +commit 45928afe94a094bcda9af858b96673d59bc4a0e9 upstream. + +The commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") +limits the max allocatable memory via kvmalloc() to MAX_INT. + +Reported-by: syzbot+cd43695a64bcd21b8596@syzkaller.appspotmail.com +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4336,7 +4336,7 @@ static int nf_tables_newset(struct sk_bu + if (ops->privsize != NULL) + size = ops->privsize(nla, &desc); + alloc_size = sizeof(*set) + size + udlen; +- if (alloc_size < size) ++ if (alloc_size < size || alloc_size > INT_MAX) + return -ENOMEM; + set = kvzalloc(alloc_size, GFP_KERNEL); + if (!set) diff --git a/queue-5.14/series b/queue-5.14/series index fcec13b95e5..ddd2d3beeb3 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -160,3 +160,12 @@ hid-u2fzero-ignore-incomplete-packets-without-data.patch net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch nios2-setup.c-drop-unused-variable-dram_start.patch usb-hso-remove-the-bailout-parameter.patch +hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch +netfilter-ipset-fix-oversized-kvmalloc-calls.patch +mm-don-t-allow-oversized-kvmalloc-calls.patch +hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch +crypto-aesni-xts_crypt-return-if-walk.nbytes-is-0.patch +net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch +kvm-x86-handle-srcu-initialization-failure-during-page-track-init.patch +netfilter-conntrack-serialize-hash-resizes-and-cleanups.patch +netfilter-nf_tables-fix-oversized-kvmalloc-calls.patch