From: Sasha Levin Date: Thu, 14 Sep 2023 01:14:27 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.10.195~53^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2637e921e0c120ff03a93d2255cf453f731e4a68;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/af_unix-fix-data-race-around-sk-sk_err.patch b/queue-4.14/af_unix-fix-data-race-around-sk-sk_err.patch new file mode 100644 index 00000000000..3927d24da17 --- /dev/null +++ b/queue-4.14/af_unix-fix-data-race-around-sk-sk_err.patch @@ -0,0 +1,42 @@ +From 2507a0e1bd9752ccbbbd20f37be29d674b6dfc94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:08 -0700 +Subject: af_unix: Fix data race around sk->sk_err. + +From: Kuniyuki Iwashima + +[ Upstream commit b192812905e4b134f7b7994b079eb647e9d2d37e ] + +As with sk->sk_shutdown shown in the previous patch, sk->sk_err can be +read locklessly by unix_dgram_sendmsg(). + +Let's use READ_ONCE() for sk_err as well. + +Note that the writer side is marked by commit cc04410af7de ("af_unix: +annotate lockless accesses to sk->sk_err"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 846d4cec79903..5b9f51a27dc0d 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2067,7 +2067,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo) + break; + if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + break; +- if (sk->sk_err) ++ if (READ_ONCE(sk->sk_err)) + break; + timeo = schedule_timeout(timeo); + } +-- +2.40.1 + diff --git a/queue-4.14/af_unix-fix-data-race-around-unix_tot_inflight.patch b/queue-4.14/af_unix-fix-data-race-around-unix_tot_inflight.patch new file mode 100644 index 00000000000..af69573056e --- /dev/null +++ b/queue-4.14/af_unix-fix-data-race-around-unix_tot_inflight.patch @@ -0,0 +1,84 @@ +From b49b5522bdfb511a9665a890a9f6a50f123b8dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:06 -0700 +Subject: af_unix: Fix data-race around unix_tot_inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit ade32bd8a738d7497ffe9743c46728db26740f78 ] + +unix_tot_inflight is changed under spin_lock(unix_gc_lock), but +unix_release_sock() reads it locklessly. + +Let's use READ_ONCE() for unix_tot_inflight. + +Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix: +annote lockless accesses to unix_tot_inflight & gc_in_progress") + +BUG: KCSAN: data-race in unix_inflight / unix_release_sock + +write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1: + unix_inflight+0x130/0x180 net/unix/scm.c:64 + unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123 + unix_scm_to_skb net/unix/af_unix.c:1832 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:747 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2547 + __sys_sendmsg+0x94/0x140 net/socket.c:2576 + __do_sys_sendmsg net/socket.c:2585 [inline] + __se_sys_sendmsg net/socket.c:2583 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0: + unix_release_sock+0x608/0x910 net/unix/af_unix.c:671 + unix_release+0x59/0x80 net/unix/af_unix.c:1058 + __sock_release+0x7d/0x170 net/socket.c:653 + sock_close+0x19/0x30 net/socket.c:1385 + __fput+0x179/0x5e0 fs/file_table.c:321 + ____fput+0x15/0x20 fs/file_table.c:349 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x00000000 -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 9305cfa4443d ("[AF_UNIX]: Make unix_tot_inflight counter non-atomic") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 4def6e954e486..8d25d50f916ea 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -589,7 +589,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + * What the above comment does talk about? --ANK(980817) + */ + +- if (unix_tot_inflight) ++ if (READ_ONCE(unix_tot_inflight)) + unix_gc(); /* Garbage collect fds */ + } + +-- +2.40.1 + diff --git a/queue-4.14/af_unix-fix-data-races-around-sk-sk_shutdown.patch b/queue-4.14/af_unix-fix-data-races-around-sk-sk_shutdown.patch new file mode 100644 index 00000000000..a2c049e47d5 --- /dev/null +++ b/queue-4.14/af_unix-fix-data-races-around-sk-sk_shutdown.patch @@ -0,0 +1,96 @@ +From 0614712b6765d099067f600b9eb80464d2e7a74b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:07 -0700 +Subject: af_unix: Fix data-races around sk->sk_shutdown. + +From: Kuniyuki Iwashima + +[ Upstream commit afe8764f76346ba838d4f162883e23d2fcfaa90e ] + +sk->sk_shutdown is changed under unix_state_lock(sk), but +unix_dgram_sendmsg() calls two functions to read sk_shutdown locklessly. + + sock_alloc_send_pskb + `- sock_wait_for_wmem + +Let's use READ_ONCE() there. + +Note that the writer side was marked by commit e1d09c2c2f57 ("af_unix: +Fix data races around sk->sk_shutdown."). + +BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock + +write (marked) to 0xffff8880069af12c of 1 bytes by task 1 on cpu 1: + unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 + unix_release+0x59/0x80 net/unix/af_unix.c:1053 + __sock_release+0x7d/0x170 net/socket.c:654 + sock_close+0x19/0x30 net/socket.c:1386 + __fput+0x2a3/0x680 fs/file_table.c:384 + ____fput+0x15/0x20 fs/file_table.c:412 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +read to 0xffff8880069af12c of 1 bytes by task 28650 on cpu 0: + sock_alloc_send_pskb+0xd2/0x620 net/core/sock.c:2767 + unix_dgram_sendmsg+0x2f8/0x14f0 net/unix/af_unix.c:1944 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +value changed: 0x00 -> 0x03 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 28650 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 1f76e7a78a8d1..846d4cec79903 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2065,7 +2065,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo) + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + if (refcount_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) + break; +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + break; + if (sk->sk_err) + break; +@@ -2095,7 +2095,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + goto failure; + + err = -EPIPE; +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + goto failure; + + if (sk_wmem_alloc_get(sk) < sk->sk_sndbuf) +-- +2.40.1 + diff --git a/queue-4.14/af_unix-fix-data-races-around-user-unix_inflight.patch b/queue-4.14/af_unix-fix-data-races-around-user-unix_inflight.patch new file mode 100644 index 00000000000..26228538557 --- /dev/null +++ b/queue-4.14/af_unix-fix-data-races-around-user-unix_inflight.patch @@ -0,0 +1,105 @@ +From 0bdfc88ad5da504c2b44e08cd503b3ce35e602d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:05 -0700 +Subject: af_unix: Fix data-races around user->unix_inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit 0bc36c0650b21df36fbec8136add83936eaf0607 ] + +user->unix_inflight is changed under spin_lock(unix_gc_lock), +but too_many_unix_fds() reads it locklessly. + +Let's annotate the write/read accesses to user->unix_inflight. + +BUG: KCSAN: data-race in unix_attach_fds / unix_inflight + +write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1: + unix_inflight+0x157/0x180 net/unix/scm.c:66 + unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123 + unix_scm_to_skb net/unix/af_unix.c:1827 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0: + too_many_unix_fds net/unix/scm.c:101 [inline] + unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110 + unix_scm_to_skb net/unix/af_unix.c:1827 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +value changed: 0x000000000000000c -> 0x000000000000000d + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 712f4aad406b ("unix: properly account for FDs passed over unix sockets") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Acked-by: Willy Tarreau +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/scm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/unix/scm.c b/net/unix/scm.c +index 6c10af6037e39..c4dde276fea56 100644 +--- a/net/unix/scm.c ++++ b/net/unix/scm.c +@@ -60,7 +60,7 @@ void unix_inflight(struct user_struct *user, struct file *fp) + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1); + } +- user->unix_inflight++; ++ WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1); + spin_unlock(&unix_gc_lock); + } + +@@ -81,7 +81,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp) + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1); + } +- user->unix_inflight--; ++ WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1); + spin_unlock(&unix_gc_lock); + } + +@@ -95,7 +95,7 @@ static inline bool too_many_unix_fds(struct task_struct *p) + { + struct user_struct *user = current_user(); + +- if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) ++ if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE))) + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return false; + } +-- +2.40.1 + diff --git a/queue-4.14/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch b/queue-4.14/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch new file mode 100644 index 00000000000..5e8c3f0e3fc --- /dev/null +++ b/queue-4.14/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch @@ -0,0 +1,44 @@ +From 9debcb65f35b9b54ae45ff24e2f524189566e7bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:58 +0200 +Subject: igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 6319685bdc8ad5310890add907b7c42f89302886 ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igb devices can use as low as 64 descriptors. +This change will unify igb with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Olga Zaborska +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h +index 1113bf322f45b..a1e924391ae5b 100644 +--- a/drivers/net/ethernet/intel/igb/igb.h ++++ b/drivers/net/ethernet/intel/igb/igb.h +@@ -52,11 +52,11 @@ struct igb_adapter; + /* TX/RX descriptor defines */ + #define IGB_DEFAULT_TXD 256 + #define IGB_DEFAULT_TX_WORK 128 +-#define IGB_MIN_TXD 80 ++#define IGB_MIN_TXD 64 + #define IGB_MAX_TXD 4096 + + #define IGB_DEFAULT_RXD 256 +-#define IGB_MIN_RXD 80 ++#define IGB_MIN_RXD 64 + #define IGB_MAX_RXD 4096 + + #define IGB_DEFAULT_ITR 3 /* dynamic */ +-- +2.40.1 + diff --git a/queue-4.14/igb-disable-virtualization-features-on-82580.patch b/queue-4.14/igb-disable-virtualization-features-on-82580.patch new file mode 100644 index 00000000000..d393794be41 --- /dev/null +++ b/queue-4.14/igb-disable-virtualization-features-on-82580.patch @@ -0,0 +1,40 @@ +From 127e10260aadcd58fda09839fe03c6ff24cdb6d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 14:19:13 +0200 +Subject: igb: disable virtualization features on 82580 + +From: Corinna Vinschen + +[ Upstream commit fa09bc40b21a33937872c4c4cf0f266ec9fa4869 ] + +Disable virtualization features on 82580 just as on i210/i211. +This avoids that virt functions are acidentally called on 82850. + +Fixes: 55cac248caa4 ("igb: Add full support for 82580 devices") +Signed-off-by: Corinna Vinschen +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 3ea1265a3a443..d679b31c9a138 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3026,8 +3026,9 @@ static void igb_probe_vfs(struct igb_adapter *adapter) + struct pci_dev *pdev = adapter->pdev; + struct e1000_hw *hw = &adapter->hw; + +- /* Virtualization features not supported on i210 family. */ +- if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211)) ++ /* Virtualization features not supported on i210 and 82580 family. */ ++ if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211) || ++ (hw->mac.type == e1000_82580)) + return; + + /* Of the below we really only want the effect of getting +-- +2.40.1 + diff --git a/queue-4.14/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch b/queue-4.14/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch new file mode 100644 index 00000000000..0daf4ee96c7 --- /dev/null +++ b/queue-4.14/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch @@ -0,0 +1,44 @@ +From c031ad5f7bceaebd9490d3cb07500e0553fbccbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:57 +0200 +Subject: igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 8360717524a24a421c36ef8eb512406dbd42160a ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igbvf devices can use as low as 64 descriptors. +This change will unify igbvf with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions") +Signed-off-by: Olga Zaborska +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igbvf/igbvf.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igbvf/igbvf.h b/drivers/net/ethernet/intel/igbvf/igbvf.h +index bf69f01f84677..f69a7787a590d 100644 +--- a/drivers/net/ethernet/intel/igbvf/igbvf.h ++++ b/drivers/net/ethernet/intel/igbvf/igbvf.h +@@ -62,11 +62,11 @@ enum latency_range { + /* Tx/Rx descriptor defines */ + #define IGBVF_DEFAULT_TXD 256 + #define IGBVF_MAX_TXD 4096 +-#define IGBVF_MIN_TXD 80 ++#define IGBVF_MIN_TXD 64 + + #define IGBVF_DEFAULT_RXD 256 + #define IGBVF_MAX_RXD 4096 +-#define IGBVF_MIN_RXD 80 ++#define IGBVF_MIN_RXD 64 + + #define IGBVF_MIN_ITR_USECS 10 /* 100000 irq/sec */ + #define IGBVF_MAX_ITR_USECS 10000 /* 100 irq/sec */ +-- +2.40.1 + diff --git a/queue-4.14/ip_tunnels-use-dev_stats_inc.patch b/queue-4.14/ip_tunnels-use-dev_stats_inc.patch new file mode 100644 index 00000000000..487280e10aa --- /dev/null +++ b/queue-4.14/ip_tunnels-use-dev_stats_inc.patch @@ -0,0 +1,128 @@ +From 4cb7f33912da15f44684f84b10c19213182b03eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 13:40:46 +0000 +Subject: ip_tunnels: use DEV_STATS_INC() + +From: Eric Dumazet + +[ Upstream commit 9b271ebaf9a2c5c566a54bc6cd915962e8241130 ] + +syzbot/KCSAN reported data-races in iptunnel_xmit_stats() [1] + +This can run from multiple cpus without mutual exclusion. + +Adopt SMP safe DEV_STATS_INC() to update dev->stats fields. + +[1] +BUG: KCSAN: data-race in iptunnel_xmit / iptunnel_xmit + +read-write to 0xffff8881353df170 of 8 bytes by task 30263 on cpu 1: +iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline] +iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87 +ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662 +__netdev_start_xmit include/linux/netdevice.h:4889 [inline] +netdev_start_xmit include/linux/netdevice.h:4903 [inline] +xmit_one net/core/dev.c:3544 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560 +__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +__bpf_tx_skb net/core/filter.c:2129 [inline] +__bpf_redirect_no_mac net/core/filter.c:2159 [inline] +__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182 +____bpf_clone_redirect net/core/filter.c:2453 [inline] +bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425 +___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954 +__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195 +bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline] +__bpf_prog_run include/linux/filter.h:609 [inline] +bpf_prog_run include/linux/filter.h:616 [inline] +bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423 +bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045 +bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996 +__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353 +__do_sys_bpf kernel/bpf/syscall.c:5439 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5437 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read-write to 0xffff8881353df170 of 8 bytes by task 30249 on cpu 0: +iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline] +iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87 +ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662 +__netdev_start_xmit include/linux/netdevice.h:4889 [inline] +netdev_start_xmit include/linux/netdevice.h:4903 [inline] +xmit_one net/core/dev.c:3544 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560 +__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +__bpf_tx_skb net/core/filter.c:2129 [inline] +__bpf_redirect_no_mac net/core/filter.c:2159 [inline] +__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182 +____bpf_clone_redirect net/core/filter.c:2453 [inline] +bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425 +___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954 +__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195 +bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline] +__bpf_prog_run include/linux/filter.h:609 [inline] +bpf_prog_run include/linux/filter.h:616 [inline] +bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423 +bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045 +bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996 +__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353 +__do_sys_bpf kernel/bpf/syscall.c:5439 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5437 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x0000000000018830 -> 0x0000000000018831 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 30249 Comm: syz-executor.4 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0 + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index eb2321a135068..0dd2eb4c61f12 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -409,15 +409,14 @@ static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len) + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); + put_cpu_ptr(tstats); ++ return; ++ } ++ ++ if (pkt_len < 0) { ++ DEV_STATS_INC(dev, tx_errors); ++ DEV_STATS_INC(dev, tx_aborted_errors); + } else { +- struct net_device_stats *err_stats = &dev->stats; +- +- if (pkt_len < 0) { +- err_stats->tx_errors++; +- err_stats->tx_aborted_errors++; +- } else { +- err_stats->tx_dropped++; +- } ++ DEV_STATS_INC(dev, tx_dropped); + } + } + +-- +2.40.1 + diff --git a/queue-4.14/kcm-destroy-mutex-in-kcm_exit_net.patch b/queue-4.14/kcm-destroy-mutex-in-kcm_exit_net.patch new file mode 100644 index 00000000000..0c10e68f9c2 --- /dev/null +++ b/queue-4.14/kcm-destroy-mutex-in-kcm_exit_net.patch @@ -0,0 +1,37 @@ +From 6828e7533d719090d2ea51837bf0bc7797af6a4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Sep 2023 02:07:08 +0900 +Subject: kcm: Destroy mutex in kcm_exit_net() + +From: Shigeru Yoshida + +[ Upstream commit 6ad40b36cd3b04209e2d6c89d252c873d8082a59 ] + +kcm_exit_net() should call mutex_destroy() on knet->mutex. This is especially +needed if CONFIG_DEBUG_MUTEXES is enabled. + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20230902170708.1727999-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index fdce053f1099d..0589b6b560eca 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1988,6 +1988,8 @@ static __net_exit void kcm_exit_net(struct net *net) + * that all multiplexors and psocks have been destroyed. + */ + WARN_ON(!list_empty(&knet->mux_list)); ++ ++ mutex_destroy(&knet->mutex); + } + + static struct pernet_operations kcm_net_ops = { +-- +2.40.1 + diff --git a/queue-4.14/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch b/queue-4.14/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch new file mode 100644 index 00000000000..d3f28885fb2 --- /dev/null +++ b/queue-4.14/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch @@ -0,0 +1,40 @@ +From df31a502af0ce34cfa8836a229702b0114e617f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 22:41:27 -0600 +Subject: net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr + +From: Alex Henrie + +[ Upstream commit f31867d0d9d82af757c1e0178b659438f4c1ea3c ] + +The existing code incorrectly casted a negative value (the result of a +subtraction) to an unsigned value without checking. For example, if +/proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred +lifetime would jump to 4 billion seconds. On my machine and network the +shortest lifetime that avoided underflow was 3 seconds. + +Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR") +Signed-off-by: Alex Henrie +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 893b93cc5221a..288e270bd0176 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1283,7 +1283,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, struct inet6_ifaddr *i + * idev->desync_factor if it's larger + */ + cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft); +- max_desync_factor = min_t(__u32, ++ max_desync_factor = min_t(long, + idev->cnf.max_desync_factor, + cnf_temp_preferred_lft - regen_advance); + +-- +2.40.1 + diff --git a/queue-4.14/net-read-sk-sk_family-once-in-sk_mc_loop.patch b/queue-4.14/net-read-sk-sk_family-once-in-sk_mc_loop.patch new file mode 100644 index 00000000000..595720229d5 --- /dev/null +++ b/queue-4.14/net-read-sk-sk_family-once-in-sk_mc_loop.patch @@ -0,0 +1,87 @@ +From b8bf0998960077a7030e3079c652666759f3a654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 10:12:44 +0000 +Subject: net: read sk->sk_family once in sk_mc_loop() + +From: Eric Dumazet + +[ Upstream commit a3e0fdf71bbe031de845e8e08ed7fba49f9c702c ] + +syzbot is playing with IPV6_ADDRFORM quite a lot these days, +and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() + +We have many more similar issues to fix. + +WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260 +Modules linked in: +CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +Workqueue: events_power_efficient gc_worker +RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782 +Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48 +RSP: 0018:ffffc90000388530 EFLAGS: 00010246 +RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980 +RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011 +RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65 +R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000 +R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000 +FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +[] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83 +[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] +[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 +[] NF_HOOK_COND include/linux/netfilter.h:298 [inline] +[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 +[] dst_output include/net/dst.h:444 [inline] +[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 +[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] +[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] +[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] +[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 +[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 +[] netdev_start_xmit include/linux/netdevice.h:4925 [inline] +[] xmit_one net/core/dev.c:3644 [inline] +[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 +[] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342 +[] qdisc_restart net/sched/sch_generic.c:407 [inline] +[] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415 +[] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 +[] net_tx_action+0x7ac/0x940 net/core/dev.c:5247 +[] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599 +[] invoke_softirq kernel/softirq.c:430 [inline] +[] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683 +[] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695 + +Fixes: 7ad6848c7e81 ("ip: fix mc_loop checks for tunnels with multicast outer addresses") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230830101244.1146934-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index a7a0bc9c2a9f0..1f76e7a78a8d1 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -670,7 +670,8 @@ bool sk_mc_loop(struct sock *sk) + return false; + if (!sk) + return true; +- switch (sk->sk_family) { ++ /* IPV6_ADDRFORM can change sk->sk_family under us. */ ++ switch (READ_ONCE(sk->sk_family)) { + case AF_INET: + return inet_sk(sk)->mc_loop; + #if IS_ENABLED(CONFIG_IPV6) +-- +2.40.1 + diff --git a/queue-4.14/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch b/queue-4.14/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch new file mode 100644 index 00000000000..9353b734cb7 --- /dev/null +++ b/queue-4.14/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch @@ -0,0 +1,242 @@ +From 6a44c875e16ba6ec6ad305198c5155cf3d8c458f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 12:22:37 -0400 +Subject: net: sched: sch_qfq: Fix UAF in qfq_dequeue() + +From: valis + +[ Upstream commit 8fc134fee27f2263988ae38920bc03da416b03d8 ] + +When the plug qdisc is used as a class of the qfq qdisc it could trigger a +UAF. This issue can be reproduced with following commands: + + tc qdisc add dev lo root handle 1: qfq + tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512 + tc qdisc add dev lo parent 1:1 handle 2: plug + tc filter add dev lo parent 1: basic classid 1:1 + ping -c1 127.0.0.1 + +and boom: + +[ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0 +[ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144 +[ 285.355903] +[ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4 +[ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +[ 285.358376] Call Trace: +[ 285.358773] +[ 285.359109] dump_stack_lvl+0x44/0x60 +[ 285.359708] print_address_description.constprop.0+0x2c/0x3c0 +[ 285.360611] kasan_report+0x10c/0x120 +[ 285.361195] ? qfq_dequeue+0xa7/0x7f0 +[ 285.361780] qfq_dequeue+0xa7/0x7f0 +[ 285.362342] __qdisc_run+0xf1/0x970 +[ 285.362903] net_tx_action+0x28e/0x460 +[ 285.363502] __do_softirq+0x11b/0x3de +[ 285.364097] do_softirq.part.0+0x72/0x90 +[ 285.364721] +[ 285.365072] +[ 285.365422] __local_bh_enable_ip+0x77/0x90 +[ 285.366079] __dev_queue_xmit+0x95f/0x1550 +[ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10 +[ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10 +[ 285.368259] ? __build_skb_around+0x129/0x190 +[ 285.368960] ? ip_generic_getfrag+0x12c/0x170 +[ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10 +[ 285.370390] ? csum_partial+0x8/0x20 +[ 285.370961] ? raw_getfrag+0xe5/0x140 +[ 285.371559] ip_finish_output2+0x539/0xa40 +[ 285.372222] ? __pfx_ip_finish_output2+0x10/0x10 +[ 285.372954] ip_output+0x113/0x1e0 +[ 285.373512] ? __pfx_ip_output+0x10/0x10 +[ 285.374130] ? icmp_out_count+0x49/0x60 +[ 285.374739] ? __pfx_ip_finish_output+0x10/0x10 +[ 285.375457] ip_push_pending_frames+0xf3/0x100 +[ 285.376173] raw_sendmsg+0xef5/0x12d0 +[ 285.376760] ? do_syscall_64+0x40/0x90 +[ 285.377359] ? __static_call_text_end+0x136578/0x136578 +[ 285.378173] ? do_syscall_64+0x40/0x90 +[ 285.378772] ? kasan_enable_current+0x11/0x20 +[ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10 +[ 285.380137] ? __sock_create+0x13e/0x270 +[ 285.380673] ? __sys_socket+0xf3/0x180 +[ 285.381174] ? __x64_sys_socket+0x3d/0x50 +[ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.382425] ? __rcu_read_unlock+0x48/0x70 +[ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380 +[ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10 +[ 285.384295] ? preempt_count_sub+0x14/0xc0 +[ 285.384844] ? __list_del_entry_valid+0x76/0x140 +[ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0 +[ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10 +[ 285.386645] ? release_sock+0xa0/0xd0 +[ 285.387148] ? preempt_count_sub+0x14/0xc0 +[ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0 +[ 285.388341] ? aa_sk_perm+0x177/0x390 +[ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10 +[ 285.389441] ? check_stack_object+0x22/0x70 +[ 285.390032] ? inet_send_prepare+0x2f/0x120 +[ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10 +[ 285.391172] sock_sendmsg+0xcc/0xe0 +[ 285.391667] __sys_sendto+0x190/0x230 +[ 285.392168] ? __pfx___sys_sendto+0x10/0x10 +[ 285.392727] ? kvm_clock_get_cycles+0x14/0x30 +[ 285.393328] ? set_normalized_timespec64+0x57/0x70 +[ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40 +[ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160 +[ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10 +[ 285.395908] ? _copy_to_user+0x3e/0x60 +[ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120 +[ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50 +[ 285.397734] ? do_syscall_64+0x71/0x90 +[ 285.398258] __x64_sys_sendto+0x74/0x90 +[ 285.398786] do_syscall_64+0x64/0x90 +[ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120 +[ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50 +[ 285.400605] ? do_syscall_64+0x71/0x90 +[ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.401807] RIP: 0033:0x495726 +[ 285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09 +[ 285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726 +[ 285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000 +[ 285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c +[ 285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634 +[ 285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000 +[ 285.410403] +[ 285.410704] +[ 285.410929] Allocated by task 144: +[ 285.411402] kasan_save_stack+0x1e/0x40 +[ 285.411926] kasan_set_track+0x21/0x30 +[ 285.412442] __kasan_slab_alloc+0x55/0x70 +[ 285.412973] kmem_cache_alloc_node+0x187/0x3d0 +[ 285.413567] __alloc_skb+0x1b4/0x230 +[ 285.414060] __ip_append_data+0x17f7/0x1b60 +[ 285.414633] ip_append_data+0x97/0xf0 +[ 285.415144] raw_sendmsg+0x5a8/0x12d0 +[ 285.415640] sock_sendmsg+0xcc/0xe0 +[ 285.416117] __sys_sendto+0x190/0x230 +[ 285.416626] __x64_sys_sendto+0x74/0x90 +[ 285.417145] do_syscall_64+0x64/0x90 +[ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.418306] +[ 285.418531] Freed by task 144: +[ 285.418960] kasan_save_stack+0x1e/0x40 +[ 285.419469] kasan_set_track+0x21/0x30 +[ 285.419988] kasan_save_free_info+0x27/0x40 +[ 285.420556] ____kasan_slab_free+0x109/0x1a0 +[ 285.421146] kmem_cache_free+0x1c2/0x450 +[ 285.421680] __netif_receive_skb_core+0x2ce/0x1870 +[ 285.422333] __netif_receive_skb_one_core+0x97/0x140 +[ 285.423003] process_backlog+0x100/0x2f0 +[ 285.423537] __napi_poll+0x5c/0x2d0 +[ 285.424023] net_rx_action+0x2be/0x560 +[ 285.424510] __do_softirq+0x11b/0x3de +[ 285.425034] +[ 285.425254] The buggy address belongs to the object at ffff8880bad31280 +[ 285.425254] which belongs to the cache skbuff_head_cache of size 224 +[ 285.426993] The buggy address is located 40 bytes inside of +[ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360) +[ 285.428572] +[ 285.428798] The buggy address belongs to the physical page: +[ 285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31 +[ 285.430758] flags: 0x100000000000200(slab|node=0|zone=1) +[ 285.431447] page_type: 0xffffffff() +[ 285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000 +[ 285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +[ 285.433562] page dumped because: kasan: bad access detected +[ 285.434144] +[ 285.434320] Memory state around the buggy address: +[ 285.434828] ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.435580] ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 285.436777] ^ +[ 285.437106] ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 285.437616] ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.438126] ================================================================== +[ 285.438662] Disabling lock debugging due to kernel taint + +Fix this by: +1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a +function compatible with non-work-conserving qdiscs +2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq. + +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Reported-by: valis +Signed-off-by: valis +Signed-off-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_plug.c | 2 +- + net/sched/sch_qfq.c | 22 +++++++++++++++++----- + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_plug.c b/net/sched/sch_plug.c +index 1c6cbab3e7b99..27a0c028ba338 100644 +--- a/net/sched/sch_plug.c ++++ b/net/sched/sch_plug.c +@@ -212,7 +212,7 @@ static struct Qdisc_ops plug_qdisc_ops __read_mostly = { + .priv_size = sizeof(struct plug_sched_data), + .enqueue = plug_enqueue, + .dequeue = plug_dequeue, +- .peek = qdisc_peek_head, ++ .peek = qdisc_peek_dequeued, + .init = plug_init, + .change = plug_change, + .reset = qdisc_reset_queue, +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 1a1366b037fb7..594c2ac319e02 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -984,10 +984,13 @@ static void qfq_update_eligible(struct qfq_sched *q) + } + + /* Dequeue head packet of the head class in the DRR queue of the aggregate. */ +-static void agg_dequeue(struct qfq_aggregate *agg, +- struct qfq_class *cl, unsigned int len) ++static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, ++ struct qfq_class *cl, unsigned int len) + { +- qdisc_dequeue_peeked(cl->qdisc); ++ struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc); ++ ++ if (!skb) ++ return NULL; + + cl->deficit -= (int) len; + +@@ -997,6 +1000,8 @@ static void agg_dequeue(struct qfq_aggregate *agg, + cl->deficit += agg->lmax; + list_move_tail(&cl->alist, &agg->active); + } ++ ++ return skb; + } + + static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg, +@@ -1142,11 +1147,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch) + if (!skb) + return NULL; + +- qdisc_qstats_backlog_dec(sch, skb); + sch->q.qlen--; ++ ++ skb = agg_dequeue(in_serv_agg, cl, len); ++ ++ if (!skb) { ++ sch->q.qlen++; ++ return NULL; ++ } ++ ++ qdisc_qstats_backlog_dec(sch, skb); + qdisc_bstats_update(sch, skb); + +- agg_dequeue(in_serv_agg, cl, len); + /* If lmax is lowered, through qfq_change_class, for a class + * owning pending packets with larger size than the new value + * of lmax, then the following condition may hold. +-- +2.40.1 + diff --git a/queue-4.14/pwm-lpc32xx-remove-handling-of-pwm-channels.patch b/queue-4.14/pwm-lpc32xx-remove-handling-of-pwm-channels.patch new file mode 100644 index 00000000000..4845c672c0b --- /dev/null +++ b/queue-4.14/pwm-lpc32xx-remove-handling-of-pwm-channels.patch @@ -0,0 +1,88 @@ +From 658d9e37cb2c7da51caed06e1a3229faf9f2acc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 17:52:57 +0200 +Subject: pwm: lpc32xx: Remove handling of PWM channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Zapolskiy + +[ Upstream commit 4aae44f65827f0213a7361cf9c32cfe06114473f ] + +Because LPC32xx PWM controllers have only a single output which is +registered as the only PWM device/channel per controller, it is known in +advance that pwm->hwpwm value is always 0. On basis of this fact +simplify the code by removing operations with pwm->hwpwm, there is no +controls which require channel number as input. + +Even though I wasn't aware at the time when I forward ported that patch, +this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL +before devm_pwmchip_add() is called. + +Reported-by: Dan Carpenter +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Uwe Kleine-König +Fixes: 3d2813fb17e5 ("pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered") +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpc32xx.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/pwm/pwm-lpc32xx.c b/drivers/pwm/pwm-lpc32xx.c +index ed8e9406b4af2..b5f8b86b328af 100644 +--- a/drivers/pwm/pwm-lpc32xx.c ++++ b/drivers/pwm/pwm-lpc32xx.c +@@ -55,10 +55,10 @@ static int lpc32xx_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm, + if (duty_cycles > 255) + duty_cycles = 255; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~0xFFFF; + val |= (period_cycles << 8) | duty_cycles; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + return 0; + } +@@ -73,9 +73,9 @@ static int lpc32xx_pwm_enable(struct pwm_chip *chip, struct pwm_device *pwm) + if (ret) + return ret; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val |= PWM_ENABLE; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + return 0; + } +@@ -85,9 +85,9 @@ static void lpc32xx_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm) + struct lpc32xx_pwm_chip *lpc32xx = to_lpc32xx_pwm_chip(chip); + u32 val; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~PWM_ENABLE; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + clk_disable_unprepare(lpc32xx->clk); + } +@@ -125,9 +125,9 @@ static int lpc32xx_pwm_probe(struct platform_device *pdev) + lpc32xx->chip.base = -1; + + /* If PWM is disabled, configure the output to the default value */ +- val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~PWM_PIN_LEVEL; +- writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ writel(val, lpc32xx->base); + + ret = pwmchip_add(&lpc32xx->chip); + if (ret < 0) { +-- +2.40.1 + diff --git a/queue-4.14/series b/queue-4.14/series index f20e845a31e..1f260e7ac1d 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -125,3 +125,18 @@ parisc-led-fix-lan-receive-and-transmit-leds.patch parisc-led-reduce-cpu-overhead-for-disk-lan-led-computation.patch clk-qcom-gcc-mdm9615-use-proper-parent-for-pll0_vote-clock.patch nfsv4-pnfs-minor-fix-for-cleanup-path-in-nfs4_get_device_info.patch +x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch +watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch +pwm-lpc32xx-remove-handling-of-pwm-channels.patch +net-read-sk-sk_family-once-in-sk_mc_loop.patch +igb-disable-virtualization-features-on-82580.patch +net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch +af_unix-fix-data-races-around-user-unix_inflight.patch +af_unix-fix-data-race-around-unix_tot_inflight.patch +af_unix-fix-data-races-around-sk-sk_shutdown.patch +af_unix-fix-data-race-around-sk-sk_err.patch +net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch +kcm-destroy-mutex-in-kcm_exit_net.patch +igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch +igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch +ip_tunnels-use-dev_stats_inc.patch diff --git a/queue-4.14/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch b/queue-4.14/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch new file mode 100644 index 00000000000..cc1fb3d747e --- /dev/null +++ b/queue-4.14/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch @@ -0,0 +1,40 @@ +From 87f8da3e95f4c5be5e60d44705d8ed696768b238 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 17:32:20 +0530 +Subject: watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load + +From: Raag Jadav + +[ Upstream commit cf38e7691c85f1b09973b22a0b89bf1e1228d2f9 ] + +When built with CONFIG_INTEL_MID_WATCHDOG=m, currently the driver +needs to be loaded manually, for the lack of module alias. +This causes unintended resets in cases where watchdog timer is +set-up by bootloader and the driver is not explicitly loaded. +Add MODULE_ALIAS() to load the driver automatically at boot and +avoid this issue. + +Fixes: 87a1ef8058d9 ("watchdog: add Intel MID watchdog driver support") +Signed-off-by: Raag Jadav +Reviewed-by: Andy Shevchenko +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230811120220.31578-1-raag.jadav@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/intel-mid_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/intel-mid_wdt.c b/drivers/watchdog/intel-mid_wdt.c +index 72c108a12c19d..0dec3fba02b99 100644 +--- a/drivers/watchdog/intel-mid_wdt.c ++++ b/drivers/watchdog/intel-mid_wdt.c +@@ -186,3 +186,4 @@ module_platform_driver(mid_wdt_driver); + MODULE_AUTHOR("David Cohen "); + MODULE_DESCRIPTION("Watchdog Driver for Intel MID platform"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:intel_mid_wdt"); +-- +2.40.1 + diff --git a/queue-4.14/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch b/queue-4.14/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch new file mode 100644 index 00000000000..1766c901d14 --- /dev/null +++ b/queue-4.14/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch @@ -0,0 +1,45 @@ +From afd38285761ffed4b5746ebd7de13fbd0c8274f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 13:18:52 -0700 +Subject: x86/virt: Drop unnecessary check on extended CPUID level in + cpu_has_svm() + +From: Sean Christopherson + +[ Upstream commit 5df8ecfe3632d5879d1f154f7aa8de441b5d1c89 ] + +Drop the explicit check on the extended CPUID level in cpu_has_svm(), the +kernel's cached CPUID info will leave the entire SVM leaf unset if said +leaf is not supported by hardware. Prior to using cached information, +the check was needed to avoid false positives due to Intel's rather crazy +CPUID behavior of returning the values of the maximum supported leaf if +the specified leaf is unsupported. + +Fixes: 682a8108872f ("x86/kvm/svm: Simplify cpu_has_svm()") +Link: https://lore.kernel.org/r/20230721201859.2307736-13-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/virtext.h | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h +index 4699acd602af4..62810550024d3 100644 +--- a/arch/x86/include/asm/virtext.h ++++ b/arch/x86/include/asm/virtext.h +@@ -89,12 +89,6 @@ static inline int cpu_has_svm(const char **msg) + return 0; + } + +- if (boot_cpu_data.extended_cpuid_level < SVM_CPUID_FUNC) { +- if (msg) +- *msg = "can't execute cpuid_8000000a"; +- return 0; +- } +- + if (!boot_cpu_has(X86_FEATURE_SVM)) { + if (msg) + *msg = "svm not available"; +-- +2.40.1 +