From: Sasha Levin Date: Thu, 14 Sep 2023 01:14:25 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.10.195~53^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2686566282c704f65ec40d588bac4345c9e47bfa;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_unix-fix-data-race-around-sk-sk_err.patch b/queue-5.4/af_unix-fix-data-race-around-sk-sk_err.patch new file mode 100644 index 00000000000..27c4078b8cd --- /dev/null +++ b/queue-5.4/af_unix-fix-data-race-around-sk-sk_err.patch @@ -0,0 +1,42 @@ +From 1904f848a471f68b12b5a82641909e69bc252d78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:08 -0700 +Subject: af_unix: Fix data race around sk->sk_err. + +From: Kuniyuki Iwashima + +[ Upstream commit b192812905e4b134f7b7994b079eb647e9d2d37e ] + +As with sk->sk_shutdown shown in the previous patch, sk->sk_err can be +read locklessly by unix_dgram_sendmsg(). + +Let's use READ_ONCE() for sk_err as well. + +Note that the writer side is marked by commit cc04410af7de ("af_unix: +annotate lockless accesses to sk->sk_err"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 79d61be285186..9979cd602dfac 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2225,7 +2225,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo) + break; + if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + break; +- if (sk->sk_err) ++ if (READ_ONCE(sk->sk_err)) + break; + timeo = schedule_timeout(timeo); + } +-- +2.40.1 + diff --git a/queue-5.4/af_unix-fix-data-race-around-unix_tot_inflight.patch b/queue-5.4/af_unix-fix-data-race-around-unix_tot_inflight.patch new file mode 100644 index 00000000000..e70dcebbf13 --- /dev/null +++ b/queue-5.4/af_unix-fix-data-race-around-unix_tot_inflight.patch @@ -0,0 +1,84 @@ +From e55c243e26b2263a11a4b72d0a4e1530a177b173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:06 -0700 +Subject: af_unix: Fix data-race around unix_tot_inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit ade32bd8a738d7497ffe9743c46728db26740f78 ] + +unix_tot_inflight is changed under spin_lock(unix_gc_lock), but +unix_release_sock() reads it locklessly. + +Let's use READ_ONCE() for unix_tot_inflight. + +Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix: +annote lockless accesses to unix_tot_inflight & gc_in_progress") + +BUG: KCSAN: data-race in unix_inflight / unix_release_sock + +write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1: + unix_inflight+0x130/0x180 net/unix/scm.c:64 + unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123 + unix_scm_to_skb net/unix/af_unix.c:1832 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:747 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2547 + __sys_sendmsg+0x94/0x140 net/socket.c:2576 + __do_sys_sendmsg net/socket.c:2585 [inline] + __se_sys_sendmsg net/socket.c:2583 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0: + unix_release_sock+0x608/0x910 net/unix/af_unix.c:671 + unix_release+0x59/0x80 net/unix/af_unix.c:1058 + __sock_release+0x7d/0x170 net/socket.c:653 + sock_close+0x19/0x30 net/socket.c:1385 + __fput+0x179/0x5e0 fs/file_table.c:321 + ____fput+0x15/0x20 fs/file_table.c:349 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x00000000 -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 9305cfa4443d ("[AF_UNIX]: Make unix_tot_inflight counter non-atomic") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index baf0af49c5bd4..304eb26b34dca 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -589,7 +589,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + * What the above comment does talk about? --ANK(980817) + */ + +- if (unix_tot_inflight) ++ if (READ_ONCE(unix_tot_inflight)) + unix_gc(); /* Garbage collect fds */ + } + +-- +2.40.1 + diff --git a/queue-5.4/af_unix-fix-data-races-around-sk-sk_shutdown.patch b/queue-5.4/af_unix-fix-data-races-around-sk-sk_shutdown.patch new file mode 100644 index 00000000000..4a0598c9f35 --- /dev/null +++ b/queue-5.4/af_unix-fix-data-races-around-sk-sk_shutdown.patch @@ -0,0 +1,96 @@ +From 8cd54cceef555142c1e70cc257265af7b2c47c92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:07 -0700 +Subject: af_unix: Fix data-races around sk->sk_shutdown. + +From: Kuniyuki Iwashima + +[ Upstream commit afe8764f76346ba838d4f162883e23d2fcfaa90e ] + +sk->sk_shutdown is changed under unix_state_lock(sk), but +unix_dgram_sendmsg() calls two functions to read sk_shutdown locklessly. + + sock_alloc_send_pskb + `- sock_wait_for_wmem + +Let's use READ_ONCE() there. + +Note that the writer side was marked by commit e1d09c2c2f57 ("af_unix: +Fix data races around sk->sk_shutdown."). + +BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock + +write (marked) to 0xffff8880069af12c of 1 bytes by task 1 on cpu 1: + unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 + unix_release+0x59/0x80 net/unix/af_unix.c:1053 + __sock_release+0x7d/0x170 net/socket.c:654 + sock_close+0x19/0x30 net/socket.c:1386 + __fput+0x2a3/0x680 fs/file_table.c:384 + ____fput+0x15/0x20 fs/file_table.c:412 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +read to 0xffff8880069af12c of 1 bytes by task 28650 on cpu 0: + sock_alloc_send_pskb+0xd2/0x620 net/core/sock.c:2767 + unix_dgram_sendmsg+0x2f8/0x14f0 net/unix/af_unix.c:1944 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +value changed: 0x00 -> 0x03 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 28650 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 1fed45f29e0ec..79d61be285186 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2223,7 +2223,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo) + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + if (refcount_read(&sk->sk_wmem_alloc) < READ_ONCE(sk->sk_sndbuf)) + break; +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + break; + if (sk->sk_err) + break; +@@ -2253,7 +2253,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + goto failure; + + err = -EPIPE; +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + goto failure; + + if (sk_wmem_alloc_get(sk) < READ_ONCE(sk->sk_sndbuf)) +-- +2.40.1 + diff --git a/queue-5.4/af_unix-fix-data-races-around-user-unix_inflight.patch b/queue-5.4/af_unix-fix-data-races-around-user-unix_inflight.patch new file mode 100644 index 00000000000..e841f388dda --- /dev/null +++ b/queue-5.4/af_unix-fix-data-races-around-user-unix_inflight.patch @@ -0,0 +1,105 @@ +From 25db5c8048418970d07ddf92853ae8e404a0a65c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:05 -0700 +Subject: af_unix: Fix data-races around user->unix_inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit 0bc36c0650b21df36fbec8136add83936eaf0607 ] + +user->unix_inflight is changed under spin_lock(unix_gc_lock), +but too_many_unix_fds() reads it locklessly. + +Let's annotate the write/read accesses to user->unix_inflight. + +BUG: KCSAN: data-race in unix_attach_fds / unix_inflight + +write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1: + unix_inflight+0x157/0x180 net/unix/scm.c:66 + unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123 + unix_scm_to_skb net/unix/af_unix.c:1827 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0: + too_many_unix_fds net/unix/scm.c:101 [inline] + unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110 + unix_scm_to_skb net/unix/af_unix.c:1827 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +value changed: 0x000000000000000c -> 0x000000000000000d + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 712f4aad406b ("unix: properly account for FDs passed over unix sockets") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Acked-by: Willy Tarreau +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/scm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/unix/scm.c b/net/unix/scm.c +index ce700b22eccee..e881a6e78af53 100644 +--- a/net/unix/scm.c ++++ b/net/unix/scm.c +@@ -62,7 +62,7 @@ void unix_inflight(struct user_struct *user, struct file *fp) + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1); + } +- user->unix_inflight++; ++ WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1); + spin_unlock(&unix_gc_lock); + } + +@@ -83,7 +83,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp) + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1); + } +- user->unix_inflight--; ++ WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1); + spin_unlock(&unix_gc_lock); + } + +@@ -97,7 +97,7 @@ static inline bool too_many_unix_fds(struct task_struct *p) + { + struct user_struct *user = current_user(); + +- if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) ++ if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE))) + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return false; + } +-- +2.40.1 + diff --git a/queue-5.4/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch b/queue-5.4/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch new file mode 100644 index 00000000000..2a72073d4cf --- /dev/null +++ b/queue-5.4/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch @@ -0,0 +1,35 @@ +From 011d1bd7ed567d42834d7387d2a3fda34c3f2692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Aug 2023 20:33:17 +0300 +Subject: idr: fix param name in idr_alloc_cyclic() doc + +From: Ariel Marcovitch + +[ Upstream commit 2a15de80dd0f7e04a823291aa9eb49c5294f56af ] + +The relevant parameter is 'start' and not 'nextid' + +Fixes: 460488c58ca8 ("idr: Remove idr_alloc_ext") +Signed-off-by: Ariel Marcovitch +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + lib/idr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/idr.c b/lib/idr.c +index b2bc190431ddf..a91ca1dfe1431 100644 +--- a/lib/idr.c ++++ b/lib/idr.c +@@ -100,7 +100,7 @@ EXPORT_SYMBOL_GPL(idr_alloc); + * @end: The maximum ID (exclusive). + * @gfp: Memory allocation flags. + * +- * Allocates an unused ID in the range specified by @nextid and @end. If ++ * Allocates an unused ID in the range specified by @start and @end. If + * @end is <= 0, it is treated as one larger than %INT_MAX. This allows + * callers to use @start + N as @end as long as N is within integer range. + * The search for an unused ID will start at the last ID allocated and will +-- +2.40.1 + diff --git a/queue-5.4/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch b/queue-5.4/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch new file mode 100644 index 00000000000..f500161a2a0 --- /dev/null +++ b/queue-5.4/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch @@ -0,0 +1,44 @@ +From 979222eedefcbc5ff9983a83e66f0f57f55c48e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:58 +0200 +Subject: igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 6319685bdc8ad5310890add907b7c42f89302886 ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igb devices can use as low as 64 descriptors. +This change will unify igb with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Olga Zaborska +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h +index 33cbe4f70d590..e6d99759d95a1 100644 +--- a/drivers/net/ethernet/intel/igb/igb.h ++++ b/drivers/net/ethernet/intel/igb/igb.h +@@ -32,11 +32,11 @@ struct igb_adapter; + /* TX/RX descriptor defines */ + #define IGB_DEFAULT_TXD 256 + #define IGB_DEFAULT_TX_WORK 128 +-#define IGB_MIN_TXD 80 ++#define IGB_MIN_TXD 64 + #define IGB_MAX_TXD 4096 + + #define IGB_DEFAULT_RXD 256 +-#define IGB_MIN_RXD 80 ++#define IGB_MIN_RXD 64 + #define IGB_MAX_RXD 4096 + + #define IGB_DEFAULT_ITR 3 /* dynamic */ +-- +2.40.1 + diff --git a/queue-5.4/igb-disable-virtualization-features-on-82580.patch b/queue-5.4/igb-disable-virtualization-features-on-82580.patch new file mode 100644 index 00000000000..de6d5bac132 --- /dev/null +++ b/queue-5.4/igb-disable-virtualization-features-on-82580.patch @@ -0,0 +1,40 @@ +From c7407d6196afd8b29aa8361bfbf9a1c70481faf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 14:19:13 +0200 +Subject: igb: disable virtualization features on 82580 + +From: Corinna Vinschen + +[ Upstream commit fa09bc40b21a33937872c4c4cf0f266ec9fa4869 ] + +Disable virtualization features on 82580 just as on i210/i211. +This avoids that virt functions are acidentally called on 82850. + +Fixes: 55cac248caa4 ("igb: Add full support for 82580 devices") +Signed-off-by: Corinna Vinschen +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index b8113235f281f..6638d314c811c 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3710,8 +3710,9 @@ static void igb_probe_vfs(struct igb_adapter *adapter) + struct pci_dev *pdev = adapter->pdev; + struct e1000_hw *hw = &adapter->hw; + +- /* Virtualization features not supported on i210 family. */ +- if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211)) ++ /* Virtualization features not supported on i210 and 82580 family. */ ++ if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211) || ++ (hw->mac.type == e1000_82580)) + return; + + /* Of the below we really only want the effect of getting +-- +2.40.1 + diff --git a/queue-5.4/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch b/queue-5.4/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch new file mode 100644 index 00000000000..cc3d5081f8d --- /dev/null +++ b/queue-5.4/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch @@ -0,0 +1,44 @@ +From 849a1b41d97763266fa638080e08d1f65e304fcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:57 +0200 +Subject: igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 8360717524a24a421c36ef8eb512406dbd42160a ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igbvf devices can use as low as 64 descriptors. +This change will unify igbvf with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions") +Signed-off-by: Olga Zaborska +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igbvf/igbvf.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igbvf/igbvf.h b/drivers/net/ethernet/intel/igbvf/igbvf.h +index eee26a3be90ba..52545cb25d058 100644 +--- a/drivers/net/ethernet/intel/igbvf/igbvf.h ++++ b/drivers/net/ethernet/intel/igbvf/igbvf.h +@@ -39,11 +39,11 @@ enum latency_range { + /* Tx/Rx descriptor defines */ + #define IGBVF_DEFAULT_TXD 256 + #define IGBVF_MAX_TXD 4096 +-#define IGBVF_MIN_TXD 80 ++#define IGBVF_MIN_TXD 64 + + #define IGBVF_DEFAULT_RXD 256 + #define IGBVF_MAX_RXD 4096 +-#define IGBVF_MIN_RXD 80 ++#define IGBVF_MIN_RXD 64 + + #define IGBVF_MIN_ITR_USECS 10 /* 100000 irq/sec */ + #define IGBVF_MAX_ITR_USECS 10000 /* 100 irq/sec */ +-- +2.40.1 + diff --git a/queue-5.4/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch b/queue-5.4/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch new file mode 100644 index 00000000000..916217ab53b --- /dev/null +++ b/queue-5.4/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch @@ -0,0 +1,44 @@ +From 300fecc3fb55817665b18ffe3270c50712c8f225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:56 +0200 +Subject: igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 5aa48279712e1f134aac908acde4df798955a955 ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igc devices can use as low as 64 descriptors. +This change will unify igc with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers") +Signed-off-by: Olga Zaborska +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index aec998c82b694..a46eca3ffbcc5 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -78,11 +78,11 @@ extern char igc_driver_version[]; + /* TX/RX descriptor defines */ + #define IGC_DEFAULT_TXD 256 + #define IGC_DEFAULT_TX_WORK 128 +-#define IGC_MIN_TXD 80 ++#define IGC_MIN_TXD 64 + #define IGC_MAX_TXD 4096 + + #define IGC_DEFAULT_RXD 256 +-#define IGC_MIN_RXD 80 ++#define IGC_MIN_RXD 64 + #define IGC_MAX_RXD 4096 + + /* Transmit and receive queues */ +-- +2.40.1 + diff --git a/queue-5.4/ip_tunnels-use-dev_stats_inc.patch b/queue-5.4/ip_tunnels-use-dev_stats_inc.patch new file mode 100644 index 00000000000..b093ae6b42d --- /dev/null +++ b/queue-5.4/ip_tunnels-use-dev_stats_inc.patch @@ -0,0 +1,128 @@ +From 66208d1f38815591f91443859c2a6563a087e625 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 13:40:46 +0000 +Subject: ip_tunnels: use DEV_STATS_INC() + +From: Eric Dumazet + +[ Upstream commit 9b271ebaf9a2c5c566a54bc6cd915962e8241130 ] + +syzbot/KCSAN reported data-races in iptunnel_xmit_stats() [1] + +This can run from multiple cpus without mutual exclusion. + +Adopt SMP safe DEV_STATS_INC() to update dev->stats fields. + +[1] +BUG: KCSAN: data-race in iptunnel_xmit / iptunnel_xmit + +read-write to 0xffff8881353df170 of 8 bytes by task 30263 on cpu 1: +iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline] +iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87 +ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662 +__netdev_start_xmit include/linux/netdevice.h:4889 [inline] +netdev_start_xmit include/linux/netdevice.h:4903 [inline] +xmit_one net/core/dev.c:3544 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560 +__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +__bpf_tx_skb net/core/filter.c:2129 [inline] +__bpf_redirect_no_mac net/core/filter.c:2159 [inline] +__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182 +____bpf_clone_redirect net/core/filter.c:2453 [inline] +bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425 +___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954 +__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195 +bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline] +__bpf_prog_run include/linux/filter.h:609 [inline] +bpf_prog_run include/linux/filter.h:616 [inline] +bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423 +bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045 +bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996 +__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353 +__do_sys_bpf kernel/bpf/syscall.c:5439 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5437 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read-write to 0xffff8881353df170 of 8 bytes by task 30249 on cpu 0: +iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline] +iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87 +ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662 +__netdev_start_xmit include/linux/netdevice.h:4889 [inline] +netdev_start_xmit include/linux/netdevice.h:4903 [inline] +xmit_one net/core/dev.c:3544 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560 +__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +__bpf_tx_skb net/core/filter.c:2129 [inline] +__bpf_redirect_no_mac net/core/filter.c:2159 [inline] +__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182 +____bpf_clone_redirect net/core/filter.c:2453 [inline] +bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425 +___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954 +__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195 +bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline] +__bpf_prog_run include/linux/filter.h:609 [inline] +bpf_prog_run include/linux/filter.h:616 [inline] +bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423 +bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045 +bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996 +__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353 +__do_sys_bpf kernel/bpf/syscall.c:5439 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5437 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x0000000000018830 -> 0x0000000000018831 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 30249 Comm: syz-executor.4 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0 + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 8d063e23aa408..36376f8b84dac 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -449,15 +449,14 @@ static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len) + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); + put_cpu_ptr(tstats); ++ return; ++ } ++ ++ if (pkt_len < 0) { ++ DEV_STATS_INC(dev, tx_errors); ++ DEV_STATS_INC(dev, tx_aborted_errors); + } else { +- struct net_device_stats *err_stats = &dev->stats; +- +- if (pkt_len < 0) { +- err_stats->tx_errors++; +- err_stats->tx_aborted_errors++; +- } else { +- err_stats->tx_dropped++; +- } ++ DEV_STATS_INC(dev, tx_dropped); + } + } + +-- +2.40.1 + diff --git a/queue-5.4/ipv4-annotate-data-races-around-fi-fib_dead.patch b/queue-5.4/ipv4-annotate-data-races-around-fi-fib_dead.patch new file mode 100644 index 00000000000..8c8c88bd314 --- /dev/null +++ b/queue-5.4/ipv4-annotate-data-races-around-fi-fib_dead.patch @@ -0,0 +1,136 @@ +From e3547e0a317b660f8b368aa8f602c426f413fe45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 09:55:20 +0000 +Subject: ipv4: annotate data-races around fi->fib_dead + +From: Eric Dumazet + +[ Upstream commit fce92af1c29d90184dfec638b5738831097d66e9 ] + +syzbot complained about a data-race in fib_table_lookup() [1] + +Add appropriate annotations to document it. + +[1] +BUG: KCSAN: data-race in fib_release_info / fib_table_lookup + +write to 0xffff888150f31744 of 1 bytes by task 1189 on cpu 0: +fib_release_info+0x3a0/0x460 net/ipv4/fib_semantics.c:281 +fib_table_delete+0x8d2/0x900 net/ipv4/fib_trie.c:1777 +fib_magic+0x1c1/0x1f0 net/ipv4/fib_frontend.c:1106 +fib_del_ifaddr+0x8cf/0xa60 net/ipv4/fib_frontend.c:1317 +fib_inetaddr_event+0x77/0x200 net/ipv4/fib_frontend.c:1448 +notifier_call_chain kernel/notifier.c:93 [inline] +blocking_notifier_call_chain+0x90/0x200 kernel/notifier.c:388 +__inet_del_ifa+0x4df/0x800 net/ipv4/devinet.c:432 +inet_del_ifa net/ipv4/devinet.c:469 [inline] +inetdev_destroy net/ipv4/devinet.c:322 [inline] +inetdev_event+0x553/0xaf0 net/ipv4/devinet.c:1606 +notifier_call_chain kernel/notifier.c:93 [inline] +raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1962 [inline] +call_netdevice_notifiers_mtu+0xd2/0x130 net/core/dev.c:2037 +dev_set_mtu_ext+0x30b/0x3e0 net/core/dev.c:8673 +do_setlink+0x5be/0x2430 net/core/rtnetlink.c:2837 +rtnl_setlink+0x255/0x300 net/core/rtnetlink.c:3177 +rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6445 +netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2549 +rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6463 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1914 +sock_sendmsg_nosec net/socket.c:725 [inline] +sock_sendmsg net/socket.c:748 [inline] +sock_write_iter+0x1aa/0x230 net/socket.c:1129 +do_iter_write+0x4b4/0x7b0 fs/read_write.c:860 +vfs_writev+0x1a8/0x320 fs/read_write.c:933 +do_writev+0xf8/0x220 fs/read_write.c:976 +__do_sys_writev fs/read_write.c:1049 [inline] +__se_sys_writev fs/read_write.c:1046 [inline] +__x64_sys_writev+0x45/0x50 fs/read_write.c:1046 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888150f31744 of 1 bytes by task 21839 on cpu 1: +fib_table_lookup+0x2bf/0xd50 net/ipv4/fib_trie.c:1585 +fib_lookup include/net/ip_fib.h:383 [inline] +ip_route_output_key_hash_rcu+0x38c/0x12c0 net/ipv4/route.c:2751 +ip_route_output_key_hash net/ipv4/route.c:2641 [inline] +__ip_route_output_key include/net/route.h:134 [inline] +ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2869 +send4+0x1e7/0x500 drivers/net/wireguard/socket.c:61 +wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175 +wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200 +wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline] +wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51 +process_one_work+0x434/0x860 kernel/workqueue.c:2600 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2751 +kthread+0x1d7/0x210 kernel/kthread.c:389 +ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145 +ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +value changed: 0x00 -> 0x01 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 21839 Comm: kworker/u4:18 Tainted: G W 6.5.0-syzkaller #0 + +Fixes: dccd9ecc3744 ("ipv4: Do not use dead fib_info entries.") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20230830095520.1046984-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_semantics.c | 5 ++++- + net/ipv4/fib_trie.c | 3 ++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 42a4ee192f8dc..51cfb650060ba 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -275,7 +275,8 @@ void fib_release_info(struct fib_info *fi) + hlist_del(&nexthop_nh->nh_hash); + } endfor_nexthops(fi) + } +- fi->fib_dead = 1; ++ /* Paired with READ_ONCE() from fib_table_lookup() */ ++ WRITE_ONCE(fi->fib_dead, 1); + fib_info_put(fi); + } + spin_unlock_bh(&fib_info_lock); +@@ -1586,6 +1587,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg, + link_it: + ofi = fib_find_info(fi); + if (ofi) { ++ /* fib_table_lookup() should not see @fi yet. */ + fi->fib_dead = 1; + free_fib_info(fi); + ofi->fib_treeref++; +@@ -1623,6 +1625,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg, + + failure: + if (fi) { ++ /* fib_table_lookup() should not see @fi yet. */ + fi->fib_dead = 1; + free_fib_info(fi); + } +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index a1f830da4ad30..7f933ead3bf4c 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1448,7 +1448,8 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp, + } + if (fa->fa_tos && fa->fa_tos != flp->flowi4_tos) + continue; +- if (fi->fib_dead) ++ /* Paired with WRITE_ONCE() in fib_release_info() */ ++ if (READ_ONCE(fi->fib_dead)) + continue; + if (fa->fa_info->fib_scope < flp->flowi4_scope) + continue; +-- +2.40.1 + diff --git a/queue-5.4/kcm-destroy-mutex-in-kcm_exit_net.patch b/queue-5.4/kcm-destroy-mutex-in-kcm_exit_net.patch new file mode 100644 index 00000000000..9d19ec3d1cd --- /dev/null +++ b/queue-5.4/kcm-destroy-mutex-in-kcm_exit_net.patch @@ -0,0 +1,37 @@ +From f6c21a27f36ea9cfb88bc60eff74aeb3ac982f3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Sep 2023 02:07:08 +0900 +Subject: kcm: Destroy mutex in kcm_exit_net() + +From: Shigeru Yoshida + +[ Upstream commit 6ad40b36cd3b04209e2d6c89d252c873d8082a59 ] + +kcm_exit_net() should call mutex_destroy() on knet->mutex. This is especially +needed if CONFIG_DEBUG_MUTEXES is enabled. + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20230902170708.1727999-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 1975403ce8bee..50bcfc71389ab 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1984,6 +1984,8 @@ static __net_exit void kcm_exit_net(struct net *net) + * that all multiplexors and psocks have been destroyed. + */ + WARN_ON(!list_empty(&knet->mux_list)); ++ ++ mutex_destroy(&knet->mutex); + } + + static struct pernet_operations kcm_net_ops = { +-- +2.40.1 + diff --git a/queue-5.4/kconfig-fix-possible-buffer-overflow.patch b/queue-5.4/kconfig-fix-possible-buffer-overflow.patch new file mode 100644 index 00000000000..1d64e88ffac --- /dev/null +++ b/queue-5.4/kconfig-fix-possible-buffer-overflow.patch @@ -0,0 +1,38 @@ +From 8ef64e4ea07d5ca53e6337b099278b92ac0e57b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 17:59:14 +0800 +Subject: kconfig: fix possible buffer overflow + +From: Konstantin Meskhidze + +[ Upstream commit a3b7039bb2b22fcd2ad20d59c00ed4e606ce3754 ] + +Buffer 'new_argv' is accessed without bound check after accessing with +bound check via 'new_argc' index. + +Fixes: e298f3b49def ("kconfig: add built-in function support") +Co-developed-by: Ivanov Mikhail +Signed-off-by: Konstantin Meskhidze +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/preprocess.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c +index 748da578b418c..d1f5bcff4b62d 100644 +--- a/scripts/kconfig/preprocess.c ++++ b/scripts/kconfig/preprocess.c +@@ -396,6 +396,9 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[]) + + p++; + } ++ ++ if (new_argc >= FUNCTION_MAX_ARGS) ++ pperror("too many function arguments"); + new_argv[new_argc++] = prev; + + /* +-- +2.40.1 + diff --git a/queue-5.4/net-hns3-fix-the-port-information-display-when-sfp-i.patch b/queue-5.4/net-hns3-fix-the-port-information-display-when-sfp-i.patch new file mode 100644 index 00000000000..fcc1518f27a --- /dev/null +++ b/queue-5.4/net-hns3-fix-the-port-information-display-when-sfp-i.patch @@ -0,0 +1,39 @@ +From 4a6237411af7421f4c7e040fb124cacf28d9ca36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 15:20:17 +0800 +Subject: net: hns3: fix the port information display when sfp is absent + +From: Yisen Zhuang + +[ Upstream commit 674d9591a32d01df75d6b5fffed4ef942a294376 ] + +When sfp is absent or unidentified, the port type should be +displayed as PORT_OTHERS, rather than PORT_FIBRE. + +Fixes: 88d10bd6f730 ("net: hns3: add support for multiple media type") +Signed-off-by: Yisen Zhuang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +index 34e5448d59f6f..4ea19f546df08 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -676,7 +676,9 @@ static int hns3_get_link_ksettings(struct net_device *netdev, + hns3_get_ksettings(h, cmd); + break; + case HNAE3_MEDIA_TYPE_FIBER: +- if (module_type == HNAE3_MODULE_TYPE_CR) ++ if (module_type == HNAE3_MODULE_TYPE_UNKNOWN) ++ cmd->base.port = PORT_OTHER; ++ else if (module_type == HNAE3_MODULE_TYPE_CR) + cmd->base.port = PORT_DA; + else + cmd->base.port = PORT_FIBRE; +-- +2.40.1 + diff --git a/queue-5.4/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch b/queue-5.4/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch new file mode 100644 index 00000000000..13491a7cb8b --- /dev/null +++ b/queue-5.4/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch @@ -0,0 +1,40 @@ +From 57a7da80df2a092390f7dd1794f4b8896e5e7667 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 22:41:27 -0600 +Subject: net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr + +From: Alex Henrie + +[ Upstream commit f31867d0d9d82af757c1e0178b659438f4c1ea3c ] + +The existing code incorrectly casted a negative value (the result of a +subtraction) to an unsigned value without checking. For example, if +/proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred +lifetime would jump to 4 billion seconds. On my machine and network the +shortest lifetime that avoided underflow was 3 seconds. + +Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR") +Signed-off-by: Alex Henrie +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index a4c3cb72bdc6a..c523236d934eb 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1367,7 +1367,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, + * idev->desync_factor if it's larger + */ + cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft); +- max_desync_factor = min_t(__u32, ++ max_desync_factor = min_t(long, + idev->cnf.max_desync_factor, + cnf_temp_preferred_lft - regen_advance); + +-- +2.40.1 + diff --git a/queue-5.4/net-read-sk-sk_family-once-in-sk_mc_loop.patch b/queue-5.4/net-read-sk-sk_family-once-in-sk_mc_loop.patch new file mode 100644 index 00000000000..d29a4a8a304 --- /dev/null +++ b/queue-5.4/net-read-sk-sk_family-once-in-sk_mc_loop.patch @@ -0,0 +1,87 @@ +From 411bf23be9b5b5b8ec530c0014648a30a4c29a27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 10:12:44 +0000 +Subject: net: read sk->sk_family once in sk_mc_loop() + +From: Eric Dumazet + +[ Upstream commit a3e0fdf71bbe031de845e8e08ed7fba49f9c702c ] + +syzbot is playing with IPV6_ADDRFORM quite a lot these days, +and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() + +We have many more similar issues to fix. + +WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260 +Modules linked in: +CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +Workqueue: events_power_efficient gc_worker +RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782 +Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48 +RSP: 0018:ffffc90000388530 EFLAGS: 00010246 +RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980 +RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011 +RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65 +R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000 +R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000 +FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +[] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83 +[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] +[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 +[] NF_HOOK_COND include/linux/netfilter.h:298 [inline] +[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 +[] dst_output include/net/dst.h:444 [inline] +[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 +[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] +[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] +[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] +[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 +[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 +[] netdev_start_xmit include/linux/netdevice.h:4925 [inline] +[] xmit_one net/core/dev.c:3644 [inline] +[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 +[] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342 +[] qdisc_restart net/sched/sch_generic.c:407 [inline] +[] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415 +[] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 +[] net_tx_action+0x7ac/0x940 net/core/dev.c:5247 +[] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599 +[] invoke_softirq kernel/softirq.c:430 [inline] +[] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683 +[] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695 + +Fixes: 7ad6848c7e81 ("ip: fix mc_loop checks for tunnels with multicast outer addresses") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230830101244.1146934-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 69b4158a29f74..1fed45f29e0ec 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -701,7 +701,8 @@ bool sk_mc_loop(struct sock *sk) + return false; + if (!sk) + return true; +- switch (sk->sk_family) { ++ /* IPV6_ADDRFORM can change sk->sk_family under us. */ ++ switch (READ_ONCE(sk->sk_family)) { + case AF_INET: + return inet_sk(sk)->mc_loop; + #if IS_ENABLED(CONFIG_IPV6) +-- +2.40.1 + diff --git a/queue-5.4/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch b/queue-5.4/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch new file mode 100644 index 00000000000..47041840fb4 --- /dev/null +++ b/queue-5.4/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch @@ -0,0 +1,242 @@ +From 02c51dff80c18d2f5fef12430c8db633b8af6751 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 12:22:37 -0400 +Subject: net: sched: sch_qfq: Fix UAF in qfq_dequeue() + +From: valis + +[ Upstream commit 8fc134fee27f2263988ae38920bc03da416b03d8 ] + +When the plug qdisc is used as a class of the qfq qdisc it could trigger a +UAF. This issue can be reproduced with following commands: + + tc qdisc add dev lo root handle 1: qfq + tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512 + tc qdisc add dev lo parent 1:1 handle 2: plug + tc filter add dev lo parent 1: basic classid 1:1 + ping -c1 127.0.0.1 + +and boom: + +[ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0 +[ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144 +[ 285.355903] +[ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4 +[ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +[ 285.358376] Call Trace: +[ 285.358773] +[ 285.359109] dump_stack_lvl+0x44/0x60 +[ 285.359708] print_address_description.constprop.0+0x2c/0x3c0 +[ 285.360611] kasan_report+0x10c/0x120 +[ 285.361195] ? qfq_dequeue+0xa7/0x7f0 +[ 285.361780] qfq_dequeue+0xa7/0x7f0 +[ 285.362342] __qdisc_run+0xf1/0x970 +[ 285.362903] net_tx_action+0x28e/0x460 +[ 285.363502] __do_softirq+0x11b/0x3de +[ 285.364097] do_softirq.part.0+0x72/0x90 +[ 285.364721] +[ 285.365072] +[ 285.365422] __local_bh_enable_ip+0x77/0x90 +[ 285.366079] __dev_queue_xmit+0x95f/0x1550 +[ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10 +[ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10 +[ 285.368259] ? __build_skb_around+0x129/0x190 +[ 285.368960] ? ip_generic_getfrag+0x12c/0x170 +[ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10 +[ 285.370390] ? csum_partial+0x8/0x20 +[ 285.370961] ? raw_getfrag+0xe5/0x140 +[ 285.371559] ip_finish_output2+0x539/0xa40 +[ 285.372222] ? __pfx_ip_finish_output2+0x10/0x10 +[ 285.372954] ip_output+0x113/0x1e0 +[ 285.373512] ? __pfx_ip_output+0x10/0x10 +[ 285.374130] ? icmp_out_count+0x49/0x60 +[ 285.374739] ? __pfx_ip_finish_output+0x10/0x10 +[ 285.375457] ip_push_pending_frames+0xf3/0x100 +[ 285.376173] raw_sendmsg+0xef5/0x12d0 +[ 285.376760] ? do_syscall_64+0x40/0x90 +[ 285.377359] ? __static_call_text_end+0x136578/0x136578 +[ 285.378173] ? do_syscall_64+0x40/0x90 +[ 285.378772] ? kasan_enable_current+0x11/0x20 +[ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10 +[ 285.380137] ? __sock_create+0x13e/0x270 +[ 285.380673] ? __sys_socket+0xf3/0x180 +[ 285.381174] ? __x64_sys_socket+0x3d/0x50 +[ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.382425] ? __rcu_read_unlock+0x48/0x70 +[ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380 +[ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10 +[ 285.384295] ? preempt_count_sub+0x14/0xc0 +[ 285.384844] ? __list_del_entry_valid+0x76/0x140 +[ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0 +[ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10 +[ 285.386645] ? release_sock+0xa0/0xd0 +[ 285.387148] ? preempt_count_sub+0x14/0xc0 +[ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0 +[ 285.388341] ? aa_sk_perm+0x177/0x390 +[ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10 +[ 285.389441] ? check_stack_object+0x22/0x70 +[ 285.390032] ? inet_send_prepare+0x2f/0x120 +[ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10 +[ 285.391172] sock_sendmsg+0xcc/0xe0 +[ 285.391667] __sys_sendto+0x190/0x230 +[ 285.392168] ? __pfx___sys_sendto+0x10/0x10 +[ 285.392727] ? kvm_clock_get_cycles+0x14/0x30 +[ 285.393328] ? set_normalized_timespec64+0x57/0x70 +[ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40 +[ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160 +[ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10 +[ 285.395908] ? _copy_to_user+0x3e/0x60 +[ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120 +[ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50 +[ 285.397734] ? do_syscall_64+0x71/0x90 +[ 285.398258] __x64_sys_sendto+0x74/0x90 +[ 285.398786] do_syscall_64+0x64/0x90 +[ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120 +[ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50 +[ 285.400605] ? do_syscall_64+0x71/0x90 +[ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.401807] RIP: 0033:0x495726 +[ 285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09 +[ 285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726 +[ 285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000 +[ 285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c +[ 285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634 +[ 285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000 +[ 285.410403] +[ 285.410704] +[ 285.410929] Allocated by task 144: +[ 285.411402] kasan_save_stack+0x1e/0x40 +[ 285.411926] kasan_set_track+0x21/0x30 +[ 285.412442] __kasan_slab_alloc+0x55/0x70 +[ 285.412973] kmem_cache_alloc_node+0x187/0x3d0 +[ 285.413567] __alloc_skb+0x1b4/0x230 +[ 285.414060] __ip_append_data+0x17f7/0x1b60 +[ 285.414633] ip_append_data+0x97/0xf0 +[ 285.415144] raw_sendmsg+0x5a8/0x12d0 +[ 285.415640] sock_sendmsg+0xcc/0xe0 +[ 285.416117] __sys_sendto+0x190/0x230 +[ 285.416626] __x64_sys_sendto+0x74/0x90 +[ 285.417145] do_syscall_64+0x64/0x90 +[ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.418306] +[ 285.418531] Freed by task 144: +[ 285.418960] kasan_save_stack+0x1e/0x40 +[ 285.419469] kasan_set_track+0x21/0x30 +[ 285.419988] kasan_save_free_info+0x27/0x40 +[ 285.420556] ____kasan_slab_free+0x109/0x1a0 +[ 285.421146] kmem_cache_free+0x1c2/0x450 +[ 285.421680] __netif_receive_skb_core+0x2ce/0x1870 +[ 285.422333] __netif_receive_skb_one_core+0x97/0x140 +[ 285.423003] process_backlog+0x100/0x2f0 +[ 285.423537] __napi_poll+0x5c/0x2d0 +[ 285.424023] net_rx_action+0x2be/0x560 +[ 285.424510] __do_softirq+0x11b/0x3de +[ 285.425034] +[ 285.425254] The buggy address belongs to the object at ffff8880bad31280 +[ 285.425254] which belongs to the cache skbuff_head_cache of size 224 +[ 285.426993] The buggy address is located 40 bytes inside of +[ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360) +[ 285.428572] +[ 285.428798] The buggy address belongs to the physical page: +[ 285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31 +[ 285.430758] flags: 0x100000000000200(slab|node=0|zone=1) +[ 285.431447] page_type: 0xffffffff() +[ 285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000 +[ 285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +[ 285.433562] page dumped because: kasan: bad access detected +[ 285.434144] +[ 285.434320] Memory state around the buggy address: +[ 285.434828] ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.435580] ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 285.436777] ^ +[ 285.437106] ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 285.437616] ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.438126] ================================================================== +[ 285.438662] Disabling lock debugging due to kernel taint + +Fix this by: +1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a +function compatible with non-work-conserving qdiscs +2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq. + +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Reported-by: valis +Signed-off-by: valis +Signed-off-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_plug.c | 2 +- + net/sched/sch_qfq.c | 22 +++++++++++++++++----- + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_plug.c b/net/sched/sch_plug.c +index cbc2ebca4548c..339990bb59817 100644 +--- a/net/sched/sch_plug.c ++++ b/net/sched/sch_plug.c +@@ -210,7 +210,7 @@ static struct Qdisc_ops plug_qdisc_ops __read_mostly = { + .priv_size = sizeof(struct plug_sched_data), + .enqueue = plug_enqueue, + .dequeue = plug_dequeue, +- .peek = qdisc_peek_head, ++ .peek = qdisc_peek_dequeued, + .init = plug_init, + .change = plug_change, + .reset = qdisc_reset_queue, +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 34a54dcd95f23..6e9e3405f26b9 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -975,10 +975,13 @@ static void qfq_update_eligible(struct qfq_sched *q) + } + + /* Dequeue head packet of the head class in the DRR queue of the aggregate. */ +-static void agg_dequeue(struct qfq_aggregate *agg, +- struct qfq_class *cl, unsigned int len) ++static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, ++ struct qfq_class *cl, unsigned int len) + { +- qdisc_dequeue_peeked(cl->qdisc); ++ struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc); ++ ++ if (!skb) ++ return NULL; + + cl->deficit -= (int) len; + +@@ -988,6 +991,8 @@ static void agg_dequeue(struct qfq_aggregate *agg, + cl->deficit += agg->lmax; + list_move_tail(&cl->alist, &agg->active); + } ++ ++ return skb; + } + + static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg, +@@ -1133,11 +1138,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch) + if (!skb) + return NULL; + +- qdisc_qstats_backlog_dec(sch, skb); + sch->q.qlen--; ++ ++ skb = agg_dequeue(in_serv_agg, cl, len); ++ ++ if (!skb) { ++ sch->q.qlen++; ++ return NULL; ++ } ++ ++ qdisc_qstats_backlog_dec(sch, skb); + qdisc_bstats_update(sch, skb); + +- agg_dequeue(in_serv_agg, cl, len); + /* If lmax is lowered, through qfq_change_class, for a class + * owning pending packets with larger size than the new value + * of lmax, then the following condition may hold. +-- +2.40.1 + diff --git a/queue-5.4/netfilter-nfnetlink_osf-avoid-oob-read.patch b/queue-5.4/netfilter-nfnetlink_osf-avoid-oob-read.patch new file mode 100644 index 00000000000..2ea8e690144 --- /dev/null +++ b/queue-5.4/netfilter-nfnetlink_osf-avoid-oob-read.patch @@ -0,0 +1,59 @@ +From d6b63b4d34b921939304640d770854524687ce9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 10:50:20 -0300 +Subject: netfilter: nfnetlink_osf: avoid OOB read + +From: Wander Lairson Costa + +[ Upstream commit f4f8a7803119005e87b716874bec07c751efafec ] + +The opt_num field is controlled by user mode and is not currently +validated inside the kernel. An attacker can take advantage of this to +trigger an OOB read and potentially leak information. + +BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88 +Read of size 2 at addr ffff88804bc64272 by task poc/6431 + +CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1 +Call Trace: + nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88 + nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281 + nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47 + expr_call_ops_eval net/netfilter/nf_tables_core.c:214 + nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264 + nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23 + [..] + +Also add validation to genre, subtype and version fields. + +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Lucas Leong +Signed-off-by: Wander Lairson Costa +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 9dbaa5ce24e51..573a372e760f4 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -316,6 +316,14 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl, + + f = nla_data(osf_attrs[OSF_ATTR_FINGER]); + ++ if (f->opt_num > ARRAY_SIZE(f->opt)) ++ return -EINVAL; ++ ++ if (!memchr(f->genre, 0, MAXGENRELEN) || ++ !memchr(f->subtype, 0, MAXGENRELEN) || ++ !memchr(f->version, 0, MAXGENRELEN)) ++ return -EINVAL; ++ + kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL); + if (!kf) + return -ENOMEM; +-- +2.40.1 + diff --git a/queue-5.4/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch b/queue-5.4/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch new file mode 100644 index 00000000000..35b9e33b336 --- /dev/null +++ b/queue-5.4/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch @@ -0,0 +1,114 @@ +From 3c220cba19878ea475edbdad098dbe867c45c149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 18:22:14 -0300 +Subject: perf annotate bpf: Don't enclose non-debug code with an assert() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 979e9c9fc9c2a761303585e07fe2699bdd88182f ] + +In 616b14b47a86d880 ("perf build: Conditionally define NDEBUG") we +started using NDEBUG=1 when DEBUG=1 isn't present, so code that is +enclosed with assert() is not called. + +In dd317df072071903 ("perf build: Make binutil libraries opt in") we +stopped linking against binutils-devel, for licensing reasons. + +Recently people asked me why annotation of BPF programs wasn't working, +i.e. this: + + $ perf annotate bpf_prog_5280546344e3f45c_kfree_skb + +was returning: + + case SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF: + scnprintf(buf, buflen, "Please link with binutils's libopcode to enable BPF annotation"); + +This was on a fedora rpm, so its new enough that I had to try to test by +rebuilding using BUILD_NONDISTRO=1, only to get it segfaulting on me. + +This combination made this libopcode function not to be called: + + assert(bfd_check_format(bfdf, bfd_object)); + +Changing it to: + + if (!bfd_check_format(bfdf, bfd_object)) + abort(); + +Made it work, looking at this "check" function made me realize it +changes the 'bfdf' internal state, i.e. we better call it. + +So stop using assert() on it, just call it and abort if it fails. + +Probably it is better to propagate the error, etc, but it seems it is +unlikely to fail from the usage done so far and we really need to stop +using libopcodes, so do the quick fix above and move on. + +With it we have BPF annotation back working when built with +BUILD_NONDISTRO=1: + + ⬢[acme@toolbox perf-tools-next]$ perf annotate --stdio2 bpf_prog_5280546344e3f45c_kfree_skb | head + No kallsyms or vmlinux with build-id 939bc71a1a51cdc434e60af93c7e734f7d5c0e7e was found + Samples: 12 of event 'cpu-clock:ppp', 4000 Hz, Event count (approx.): 3000000, [percent: local period] + bpf_prog_5280546344e3f45c_kfree_skb() bpf_prog_5280546344e3f45c_kfree_skb + Percent int kfree_skb(struct trace_event_raw_kfree_skb *args) { + nop + 33.33 xchg %ax,%ax + push %rbp + mov %rsp,%rbp + sub $0x180,%rsp + push %rbx + push %r13 + ⬢[acme@toolbox perf-tools-next]$ + +Fixes: 6987561c9e86eace ("perf annotate: Enable annotation of BPF programs") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mohamed Mahmoud +Cc: Namhyung Kim +Cc: Dave Tucker +Cc: Derek Barbosa +Cc: Song Liu +Link: https://lore.kernel.org/lkml/ZMrMzoQBe0yqMek1@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index e42bf572358c7..bd71cb0b52cf6 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -1741,8 +1741,11 @@ static int symbol__disassemble_bpf(struct symbol *sym, + perf_exe(tpath, sizeof(tpath)); + + bfdf = bfd_openr(tpath, NULL); +- assert(bfdf); +- assert(bfd_check_format(bfdf, bfd_object)); ++ if (bfdf == NULL) ++ abort(); ++ ++ if (!bfd_check_format(bfdf, bfd_object)) ++ abort(); + + s = open_memstream(&buf, &buf_size); + if (!s) { +@@ -1790,7 +1793,8 @@ static int symbol__disassemble_bpf(struct symbol *sym, + #else + disassemble = disassembler(bfdf); + #endif +- assert(disassemble); ++ if (disassemble == NULL) ++ abort(); + + fflush(s); + do { +-- +2.40.1 + diff --git a/queue-5.4/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch b/queue-5.4/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch new file mode 100644 index 00000000000..48331852599 --- /dev/null +++ b/queue-5.4/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch @@ -0,0 +1,85 @@ +From 5bd4daf266ccd0a4ce1023e96c7b672be53f8ce5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 09:11:21 -0300 +Subject: perf top: Don't pass an ERR_PTR() directly to perf_session__delete() + +From: Arnaldo Carvalho de Melo + +[ Upstream commit ef23cb593304bde0cc046fd4cc83ae7ea2e24f16 ] + +While debugging a segfault on 'perf lock contention' without an +available perf.data file I noticed that it was basically calling: + + perf_session__delete(ERR_PTR(-1)) + +Resulting in: + + (gdb) run lock contention + Starting program: /root/bin/perf lock contention + [Thread debugging using libthread_db enabled] + Using host libthread_db library "/lib64/libthread_db.so.1". + failed to open perf.data: No such file or directory (try 'perf record' first) + Initializing perf session failed + + Program received signal SIGSEGV, Segmentation fault. + 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858 + 2858 if (!session->auxtrace) + (gdb) p session + $1 = (struct perf_session *) 0xffffffffffffffff + (gdb) bt + #0 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858 + #1 0x000000000057bb4d in perf_session__delete (session=0xffffffffffffffff) at util/session.c:300 + #2 0x000000000047c421 in __cmd_contention (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2161 + #3 0x000000000047dc95 in cmd_lock (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2604 + #4 0x0000000000501466 in run_builtin (p=0xe597a8 , argc=2, argv=0x7fffffffe200) at perf.c:322 + #5 0x00000000005016d5 in handle_internal_command (argc=2, argv=0x7fffffffe200) at perf.c:375 + #6 0x0000000000501824 in run_argv (argcp=0x7fffffffe02c, argv=0x7fffffffe020) at perf.c:419 + #7 0x0000000000501b11 in main (argc=2, argv=0x7fffffffe200) at perf.c:535 + (gdb) + +So just set it to NULL after using PTR_ERR(session) to decode the error +as perf_session__delete(NULL) is supported. + +The same problem was found in 'perf top' after an audit of all +perf_session__new() failure handling. + +Fixes: 6ef81c55a2b6584c ("perf session: Return error code for perf_session__new() function on failure") +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Greg Kroah-Hartman +Cc: Jeremie Galarneau +Cc: Jiri Olsa +Cc: Kate Stewart +Cc: Mamatha Inamdar +Cc: Mukesh Ojha +Cc: Nageswara R Sastry +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: Shawn Landden +Cc: Song Liu +Cc: Thomas Gleixner +Cc: Tzvetomir Stoyanov +Link: https://lore.kernel.org/lkml/ZN4Q2rxxsL08A8rd@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index a30d62186f5e9..b83a861fab2ed 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1679,6 +1679,7 @@ int cmd_top(int argc, const char **argv) + top.session = perf_session__new(NULL, false, NULL); + if (IS_ERR(top.session)) { + status = PTR_ERR(top.session); ++ top.session = NULL; + goto out_delete_evlist; + } + +-- +2.40.1 + diff --git a/queue-5.4/pwm-lpc32xx-remove-handling-of-pwm-channels.patch b/queue-5.4/pwm-lpc32xx-remove-handling-of-pwm-channels.patch new file mode 100644 index 00000000000..3781b04436f --- /dev/null +++ b/queue-5.4/pwm-lpc32xx-remove-handling-of-pwm-channels.patch @@ -0,0 +1,88 @@ +From 283e2a60cf3d29f60a0b160a179b621bb2799e97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 17:52:57 +0200 +Subject: pwm: lpc32xx: Remove handling of PWM channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Zapolskiy + +[ Upstream commit 4aae44f65827f0213a7361cf9c32cfe06114473f ] + +Because LPC32xx PWM controllers have only a single output which is +registered as the only PWM device/channel per controller, it is known in +advance that pwm->hwpwm value is always 0. On basis of this fact +simplify the code by removing operations with pwm->hwpwm, there is no +controls which require channel number as input. + +Even though I wasn't aware at the time when I forward ported that patch, +this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL +before devm_pwmchip_add() is called. + +Reported-by: Dan Carpenter +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Uwe Kleine-König +Fixes: 3d2813fb17e5 ("pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered") +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpc32xx.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/pwm/pwm-lpc32xx.c b/drivers/pwm/pwm-lpc32xx.c +index 522f862eca526..504a8f506195a 100644 +--- a/drivers/pwm/pwm-lpc32xx.c ++++ b/drivers/pwm/pwm-lpc32xx.c +@@ -51,10 +51,10 @@ static int lpc32xx_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm, + if (duty_cycles > 255) + duty_cycles = 255; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~0xFFFF; + val |= (period_cycles << 8) | duty_cycles; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + return 0; + } +@@ -69,9 +69,9 @@ static int lpc32xx_pwm_enable(struct pwm_chip *chip, struct pwm_device *pwm) + if (ret) + return ret; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val |= PWM_ENABLE; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + return 0; + } +@@ -81,9 +81,9 @@ static void lpc32xx_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm) + struct lpc32xx_pwm_chip *lpc32xx = to_lpc32xx_pwm_chip(chip); + u32 val; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~PWM_ENABLE; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + clk_disable_unprepare(lpc32xx->clk); + } +@@ -121,9 +121,9 @@ static int lpc32xx_pwm_probe(struct platform_device *pdev) + lpc32xx->chip.base = -1; + + /* If PWM is disabled, configure the output to the default value */ +- val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~PWM_PIN_LEVEL; +- writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ writel(val, lpc32xx->base); + + ret = pwmchip_add(&lpc32xx->chip); + if (ret < 0) { +-- +2.40.1 + diff --git a/queue-5.4/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch b/queue-5.4/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch new file mode 100644 index 00000000000..bd7abc511ac --- /dev/null +++ b/queue-5.4/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch @@ -0,0 +1,37 @@ +From 709f0f747fa789234d55ef19d897aeae12471703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 13:59:59 +0300 +Subject: s390/zcrypt: don't leak memory if dev_set_name() fails + +From: Andy Shevchenko + +[ Upstream commit 6252f47b78031979ad919f971dc8468b893488bd ] + +When dev_set_name() fails, zcdn_create() doesn't free the newly +allocated resources. Do it. + +Fixes: 00fab2350e6b ("s390/zcrypt: multiple zcrypt device nodes support") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230831110000.24279-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Harald Freudenberger +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/zcrypt_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c +index ec41a8a76398c..f376dfcd7dbeb 100644 +--- a/drivers/s390/crypto/zcrypt_api.c ++++ b/drivers/s390/crypto/zcrypt_api.c +@@ -397,6 +397,7 @@ static int zcdn_create(const char *name) + ZCRYPT_NAME "_%d", (int) MINOR(devt)); + nodename[sizeof(nodename)-1] = '\0'; + if (dev_set_name(&zcdndev->device, nodename)) { ++ kfree(zcdndev); + rc = -EINVAL; + goto unlockout; + } +-- +2.40.1 + diff --git a/queue-5.4/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch b/queue-5.4/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch new file mode 100644 index 00000000000..8ba290c453b --- /dev/null +++ b/queue-5.4/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch @@ -0,0 +1,152 @@ +From a5be0f12ac8a474d8cfbeded6864272c0f00f1f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 09:45:19 +0000 +Subject: sctp: annotate data-races around sk->sk_wmem_queued + +From: Eric Dumazet + +[ Upstream commit dc9511dd6f37fe803f6b15b61b030728d7057417 ] + +sk->sk_wmem_queued can be read locklessly from sctp_poll() + +Use sk_wmem_queued_add() when the field is changed, +and add READ_ONCE() annotations in sctp_writeable() +and sctp_assocs_seq_show() + +syzbot reported: + +BUG: KCSAN: data-race in sctp_poll / sctp_wfree + +read-write to 0xffff888149d77810 of 4 bytes by interrupt on cpu 0: +sctp_wfree+0x170/0x4a0 net/sctp/socket.c:9147 +skb_release_head_state+0xb7/0x1a0 net/core/skbuff.c:988 +skb_release_all net/core/skbuff.c:1000 [inline] +__kfree_skb+0x16/0x140 net/core/skbuff.c:1016 +consume_skb+0x57/0x180 net/core/skbuff.c:1232 +sctp_chunk_destroy net/sctp/sm_make_chunk.c:1503 [inline] +sctp_chunk_put+0xcd/0x130 net/sctp/sm_make_chunk.c:1530 +sctp_datamsg_put+0x29a/0x300 net/sctp/chunk.c:128 +sctp_chunk_free+0x34/0x50 net/sctp/sm_make_chunk.c:1515 +sctp_outq_sack+0xafa/0xd70 net/sctp/outqueue.c:1381 +sctp_cmd_process_sack net/sctp/sm_sideeffect.c:834 [inline] +sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1366 [inline] +sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] +sctp_do_sm+0x12c7/0x31b0 net/sctp/sm_sideeffect.c:1169 +sctp_assoc_bh_rcv+0x2b2/0x430 net/sctp/associola.c:1051 +sctp_inq_push+0x108/0x120 net/sctp/inqueue.c:80 +sctp_rcv+0x116e/0x1340 net/sctp/input.c:243 +sctp6_rcv+0x25/0x40 net/sctp/ipv6.c:1120 +ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 +ip6_input_finish net/ipv6/ip6_input.c:482 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 +dst_input include/net/dst.h:468 [inline] +ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 +NF_HOOK include/linux/netfilter.h:303 [inline] +ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 +__netif_receive_skb_one_core net/core/dev.c:5452 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 +process_backlog+0x21f/0x380 net/core/dev.c:5894 +__napi_poll+0x60/0x3b0 net/core/dev.c:6460 +napi_poll net/core/dev.c:6527 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6660 +__do_softirq+0xc1/0x265 kernel/softirq.c:553 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:921 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:389 +ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145 +ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +read to 0xffff888149d77810 of 4 bytes by task 17828 on cpu 1: +sctp_writeable net/sctp/socket.c:9304 [inline] +sctp_poll+0x265/0x410 net/sctp/socket.c:8671 +sock_poll+0x253/0x270 net/socket.c:1374 +vfs_poll include/linux/poll.h:88 [inline] +do_pollfd fs/select.c:873 [inline] +do_poll fs/select.c:921 [inline] +do_sys_poll+0x636/0xc00 fs/select.c:1015 +__do_sys_ppoll fs/select.c:1121 [inline] +__se_sys_ppoll+0x1af/0x1f0 fs/select.c:1101 +__x64_sys_ppoll+0x67/0x80 fs/select.c:1101 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00019e80 -> 0x0000cc80 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 17828 Comm: syz-executor.1 Not tainted 6.5.0-rc7-syzkaller-00185-g28f20a19294d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Acked-by: Xin Long +Link: https://lore.kernel.org/r/20230830094519.950007-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/proc.c | 2 +- + net/sctp/socket.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/sctp/proc.c b/net/sctp/proc.c +index 982a87b3e11f8..963b94517ec20 100644 +--- a/net/sctp/proc.c ++++ b/net/sctp/proc.c +@@ -284,7 +284,7 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v) + assoc->init_retries, assoc->shutdown_retries, + assoc->rtx_data_chunks, + refcount_read(&sk->sk_wmem_alloc), +- sk->sk_wmem_queued, ++ READ_ONCE(sk->sk_wmem_queued), + sk->sk_sndbuf, + sk->sk_rcvbuf); + seq_printf(seq, "\n"); +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 431b9399a781f..d1dd261e8b010 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -68,7 +68,7 @@ + #include + + /* Forward declarations for internal helper functions. */ +-static bool sctp_writeable(struct sock *sk); ++static bool sctp_writeable(const struct sock *sk); + static void sctp_wfree(struct sk_buff *skb); + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + size_t msg_len); +@@ -138,7 +138,7 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk) + + refcount_add(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc); + asoc->sndbuf_used += chunk->skb->truesize + sizeof(struct sctp_chunk); +- sk->sk_wmem_queued += chunk->skb->truesize + sizeof(struct sctp_chunk); ++ sk_wmem_queued_add(sk, chunk->skb->truesize + sizeof(struct sctp_chunk)); + sk_mem_charge(sk, chunk->skb->truesize); + } + +@@ -8997,7 +8997,7 @@ static void sctp_wfree(struct sk_buff *skb) + struct sock *sk = asoc->base.sk; + + sk_mem_uncharge(sk, skb->truesize); +- sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk); ++ sk_wmem_queued_add(sk, -(skb->truesize + sizeof(struct sctp_chunk))); + asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk); + WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk), + &sk->sk_wmem_alloc)); +@@ -9152,9 +9152,9 @@ void sctp_write_space(struct sock *sk) + * UDP-style sockets or TCP-style sockets, this code should work. + * - Daisy + */ +-static bool sctp_writeable(struct sock *sk) ++static bool sctp_writeable(const struct sock *sk) + { +- return sk->sk_sndbuf > sk->sk_wmem_queued; ++ return READ_ONCE(sk->sk_sndbuf) > READ_ONCE(sk->sk_wmem_queued); + } + + /* Wait for an association to go into ESTABLISHED state. If timeout is 0, +-- +2.40.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 3ff5e35dca2..138b0849d9f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -250,3 +250,30 @@ parisc-led-reduce-cpu-overhead-for-disk-lan-led-computation.patch clk-qcom-gcc-mdm9615-use-proper-parent-for-pll0_vote-clock.patch soc-qcom-qmi_encdec-restrict-string-length-in-decode.patch nfsv4-pnfs-minor-fix-for-cleanup-path-in-nfs4_get_device_info.patch +kconfig-fix-possible-buffer-overflow.patch +perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch +x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch +perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch +watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch +pwm-lpc32xx-remove-handling-of-pwm-channels.patch +sctp-annotate-data-races-around-sk-sk_wmem_queued.patch +ipv4-annotate-data-races-around-fi-fib_dead.patch +net-read-sk-sk_family-once-in-sk_mc_loop.patch +igb-disable-virtualization-features-on-82580.patch +veth-fixing-transmit-return-status-for-dropped-packe.patch +net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch +af_unix-fix-data-races-around-user-unix_inflight.patch +af_unix-fix-data-race-around-unix_tot_inflight.patch +af_unix-fix-data-races-around-sk-sk_shutdown.patch +af_unix-fix-data-race-around-sk-sk_err.patch +net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch +kcm-destroy-mutex-in-kcm_exit_net.patch +igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch +igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch +igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch +s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch +idr-fix-param-name-in-idr_alloc_cyclic-doc.patch +ip_tunnels-use-dev_stats_inc.patch +netfilter-nfnetlink_osf-avoid-oob-read.patch +net-hns3-fix-the-port-information-display-when-sfp-i.patch +sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch diff --git a/queue-5.4/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch b/queue-5.4/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch new file mode 100644 index 00000000000..7343bd3157b --- /dev/null +++ b/queue-5.4/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch @@ -0,0 +1,121 @@ +From 98e2baf62307ac799d9bce88112b9e2908309e5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 14:07:42 +0200 +Subject: sh: boards: Fix CEU buffer size passed to + dma_declare_coherent_memory() + +From: Petr Tesarik + +[ Upstream commit fb60211f377b69acffead3147578f86d0092a7a5 ] + +In all these cases, the last argument to dma_declare_coherent_memory() is +the buffer end address, but the expected value should be the size of the +reserved region. + +Fixes: 39fb993038e1 ("media: arch: sh: ap325rxa: Use new renesas-ceu camera driver") +Fixes: c2f9b05fd5c1 ("media: arch: sh: ecovec: Use new renesas-ceu camera driver") +Fixes: f3590dc32974 ("media: arch: sh: kfr2r09: Use new renesas-ceu camera driver") +Fixes: 186c446f4b84 ("media: arch: sh: migor: Use new renesas-ceu camera driver") +Fixes: 1a3c230b4151 ("media: arch: sh: ms7724se: Use new renesas-ceu camera driver") +Signed-off-by: Petr Tesarik +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Jacopo Mondi +Reviewed-by: John Paul Adrian Glaubitz +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20230724120742.2187-1-petrtesarik@huaweicloud.com +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/boards/mach-ap325rxa/setup.c | 2 +- + arch/sh/boards/mach-ecovec24/setup.c | 6 ++---- + arch/sh/boards/mach-kfr2r09/setup.c | 2 +- + arch/sh/boards/mach-migor/setup.c | 2 +- + arch/sh/boards/mach-se/7724/setup.c | 6 ++---- + 5 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/arch/sh/boards/mach-ap325rxa/setup.c b/arch/sh/boards/mach-ap325rxa/setup.c +index 665cad452798b..a80e2369f42b2 100644 +--- a/arch/sh/boards/mach-ap325rxa/setup.c ++++ b/arch/sh/boards/mach-ap325rxa/setup.c +@@ -529,7 +529,7 @@ static int __init ap325rxa_devices_setup(void) + device_initialize(&ap325rxa_ceu_device.dev); + dma_declare_coherent_memory(&ap325rxa_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + + platform_device_add(&ap325rxa_ceu_device); + +diff --git a/arch/sh/boards/mach-ecovec24/setup.c b/arch/sh/boards/mach-ecovec24/setup.c +index acaa97459531c..3286afe2ea3dc 100644 +--- a/arch/sh/boards/mach-ecovec24/setup.c ++++ b/arch/sh/boards/mach-ecovec24/setup.c +@@ -1442,15 +1442,13 @@ static int __init arch_setup(void) + device_initialize(&ecovec_ceu_devices[0]->dev); + dma_declare_coherent_memory(&ecovec_ceu_devices[0]->dev, + ceu0_dma_membase, ceu0_dma_membase, +- ceu0_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ecovec_ceu_devices[0]); + + device_initialize(&ecovec_ceu_devices[1]->dev); + dma_declare_coherent_memory(&ecovec_ceu_devices[1]->dev, + ceu1_dma_membase, ceu1_dma_membase, +- ceu1_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ecovec_ceu_devices[1]); + + gpiod_add_lookup_table(&cn12_power_gpiod_table); +diff --git a/arch/sh/boards/mach-kfr2r09/setup.c b/arch/sh/boards/mach-kfr2r09/setup.c +index 96538ba3aa323..90b876194124f 100644 +--- a/arch/sh/boards/mach-kfr2r09/setup.c ++++ b/arch/sh/boards/mach-kfr2r09/setup.c +@@ -603,7 +603,7 @@ static int __init kfr2r09_devices_setup(void) + device_initialize(&kfr2r09_ceu_device.dev); + dma_declare_coherent_memory(&kfr2r09_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + + platform_device_add(&kfr2r09_ceu_device); + +diff --git a/arch/sh/boards/mach-migor/setup.c b/arch/sh/boards/mach-migor/setup.c +index 9ed369dad62df..8598290932eab 100644 +--- a/arch/sh/boards/mach-migor/setup.c ++++ b/arch/sh/boards/mach-migor/setup.c +@@ -604,7 +604,7 @@ static int __init migor_devices_setup(void) + device_initialize(&migor_ceu_device.dev); + dma_declare_coherent_memory(&migor_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + + platform_device_add(&migor_ceu_device); + +diff --git a/arch/sh/boards/mach-se/7724/setup.c b/arch/sh/boards/mach-se/7724/setup.c +index 32f5dd9448894..9e7b7cac36dc8 100644 +--- a/arch/sh/boards/mach-se/7724/setup.c ++++ b/arch/sh/boards/mach-se/7724/setup.c +@@ -939,15 +939,13 @@ static int __init devices_setup(void) + device_initialize(&ms7724se_ceu_devices[0]->dev); + dma_declare_coherent_memory(&ms7724se_ceu_devices[0]->dev, + ceu0_dma_membase, ceu0_dma_membase, +- ceu0_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ms7724se_ceu_devices[0]); + + device_initialize(&ms7724se_ceu_devices[1]->dev); + dma_declare_coherent_memory(&ms7724se_ceu_devices[1]->dev, + ceu1_dma_membase, ceu1_dma_membase, +- ceu1_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ms7724se_ceu_devices[1]); + + return platform_add_devices(ms7724se_devices, +-- +2.40.1 + diff --git a/queue-5.4/veth-fixing-transmit-return-status-for-dropped-packe.patch b/queue-5.4/veth-fixing-transmit-return-status-for-dropped-packe.patch new file mode 100644 index 00000000000..2f6bc1ba10b --- /dev/null +++ b/queue-5.4/veth-fixing-transmit-return-status-for-dropped-packe.patch @@ -0,0 +1,54 @@ +From fa322c58585ba8213fde6d5d3bc971b9ff72985c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 12:09:21 +0800 +Subject: veth: Fixing transmit return status for dropped packets + +From: Liang Chen + +[ Upstream commit 151e887d8ff97e2e42110ffa1fb1e6a2128fb364 ] + +The veth_xmit function returns NETDEV_TX_OK even when packets are dropped. +This behavior leads to incorrect calculations of statistics counts, as +well as things like txq->trans_start updates. + +Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.") +Signed-off-by: Liang Chen +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index a6445bba4f942..cae7247a397aa 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -238,6 +238,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct veth_priv *rcv_priv, *priv = netdev_priv(dev); + struct veth_rq *rq = NULL; ++ int ret = NETDEV_TX_OK; + struct net_device *rcv; + int length = skb->len; + bool rcv_xdp = false; +@@ -270,6 +271,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + } else { + drop: + atomic64_inc(&priv->dropped); ++ ret = NET_XMIT_DROP; + } + + if (rcv_xdp) +@@ -277,7 +279,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + + rcu_read_unlock(); + +- return NETDEV_TX_OK; ++ return ret; + } + + static u64 veth_stats_tx(struct pcpu_lstats *result, struct net_device *dev) +-- +2.40.1 + diff --git a/queue-5.4/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch b/queue-5.4/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch new file mode 100644 index 00000000000..266b9a83fbe --- /dev/null +++ b/queue-5.4/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch @@ -0,0 +1,40 @@ +From ea92b4f921e1a18fd82170d032fe52bd0446a4ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 17:32:20 +0530 +Subject: watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load + +From: Raag Jadav + +[ Upstream commit cf38e7691c85f1b09973b22a0b89bf1e1228d2f9 ] + +When built with CONFIG_INTEL_MID_WATCHDOG=m, currently the driver +needs to be loaded manually, for the lack of module alias. +This causes unintended resets in cases where watchdog timer is +set-up by bootloader and the driver is not explicitly loaded. +Add MODULE_ALIAS() to load the driver automatically at boot and +avoid this issue. + +Fixes: 87a1ef8058d9 ("watchdog: add Intel MID watchdog driver support") +Signed-off-by: Raag Jadav +Reviewed-by: Andy Shevchenko +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230811120220.31578-1-raag.jadav@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/intel-mid_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/intel-mid_wdt.c b/drivers/watchdog/intel-mid_wdt.c +index 2cdbd37c700cf..7ee355c286284 100644 +--- a/drivers/watchdog/intel-mid_wdt.c ++++ b/drivers/watchdog/intel-mid_wdt.c +@@ -181,3 +181,4 @@ module_platform_driver(mid_wdt_driver); + MODULE_AUTHOR("David Cohen "); + MODULE_DESCRIPTION("Watchdog Driver for Intel MID platform"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:intel_mid_wdt"); +-- +2.40.1 + diff --git a/queue-5.4/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch b/queue-5.4/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch new file mode 100644 index 00000000000..445c2d4ae4f --- /dev/null +++ b/queue-5.4/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch @@ -0,0 +1,45 @@ +From a7d3b61723614d33e31796a8aaadacb2b75188b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 13:18:52 -0700 +Subject: x86/virt: Drop unnecessary check on extended CPUID level in + cpu_has_svm() + +From: Sean Christopherson + +[ Upstream commit 5df8ecfe3632d5879d1f154f7aa8de441b5d1c89 ] + +Drop the explicit check on the extended CPUID level in cpu_has_svm(), the +kernel's cached CPUID info will leave the entire SVM leaf unset if said +leaf is not supported by hardware. Prior to using cached information, +the check was needed to avoid false positives due to Intel's rather crazy +CPUID behavior of returning the values of the maximum supported leaf if +the specified leaf is unsupported. + +Fixes: 682a8108872f ("x86/kvm/svm: Simplify cpu_has_svm()") +Link: https://lore.kernel.org/r/20230721201859.2307736-13-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/virtext.h | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h +index 8eefa3386d8ce..331474296e6f1 100644 +--- a/arch/x86/include/asm/virtext.h ++++ b/arch/x86/include/asm/virtext.h +@@ -95,12 +95,6 @@ static inline int cpu_has_svm(const char **msg) + return 0; + } + +- if (boot_cpu_data.extended_cpuid_level < SVM_CPUID_FUNC) { +- if (msg) +- *msg = "can't execute cpuid_8000000a"; +- return 0; +- } +- + if (!boot_cpu_has(X86_FEATURE_SVM)) { + if (msg) + *msg = "svm not available"; +-- +2.40.1 +