From: Sasha Levin <sashal@kernel.org>
Date: Thu, 29 Jul 2021 18:18:16 +0000 (-0400)
Subject: Fixes for 5.4
X-Git-Tag: v5.13.7~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4624bd274d54759ab67c6e8d0e8a8713903e83d4;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-5.4/net_sched-check-error-pointer-in-tcf_dump_walker.patch b/queue-5.4/net_sched-check-error-pointer-in-tcf_dump_walker.patch
new file mode 100644
index 00000000000..991e14fc1af
--- /dev/null
+++ b/queue-5.4/net_sched-check-error-pointer-in-tcf_dump_walker.patch
@@ -0,0 +1,51 @@
+From 29fab1449162184edd9029e4a1efc1f59f66b446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 12:13:34 -0700
+Subject: net_sched: check error pointer in tcf_dump_walker()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 580e4273d7a883ececfefa692c1f96bdbacb99b5 ]
+
+Although we take RTNL on dump path, it is possible to
+skip RTNL on insertion path. So the following race condition
+is possible:
+
+rtnl_lock()		// no rtnl lock
+			mutex_lock(&idrinfo->lock);
+			// insert ERR_PTR(-EBUSY)
+			mutex_unlock(&idrinfo->lock);
+tc_dump_action()
+rtnl_unlock()
+
+So we have to skip those temporary -EBUSY entries on dump path
+too.
+
+Reported-and-tested-by: syzbot+b47bc4f247856fb4d9e1@syzkaller.appspotmail.com
+Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
+Cc: Vlad Buslov <vladbu@mellanox.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 17e5cd9ebd89..75132d0ca887 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -231,6 +231,8 @@ static int tcf_dump_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb,
+ 		index++;
+ 		if (index < s_i)
+ 			continue;
++		if (IS_ERR(p))
++			continue;
+ 
+ 		if (jiffy_since &&
+ 		    time_after(jiffy_since,
+-- 
+2.30.2
+
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..5874203adb3
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1 @@
+net_sched-check-error-pointer-in-tcf_dump_walker.patch