From: Sasha Levin Date: Mon, 11 Aug 2025 04:39:22 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.1.148~63 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=60457dad2e68e20841cb336fed5cc94d96bb3935;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/benet-fix-bug-when-creating-vfs.patch b/queue-5.4/benet-fix-bug-when-creating-vfs.patch new file mode 100644 index 0000000000..1a98825349 --- /dev/null +++ b/queue-5.4/benet-fix-bug-when-creating-vfs.patch @@ -0,0 +1,61 @@ +From ac70131757d8987561cd648ad2cab4cfc1961140 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 12:13:37 +0200 +Subject: benet: fix BUG when creating VFs + +From: Michal Schmidt + +[ Upstream commit 5a40f8af2ba1b9bdf46e2db10e8c9710538fbc63 ] + +benet crashes as soon as SRIOV VFs are created: + + kernel BUG at mm/vmalloc.c:3457! + Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI + CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary) + [...] + RIP: 0010:vunmap+0x5f/0x70 + [...] + Call Trace: + + __iommu_dma_free+0xe8/0x1c0 + be_cmd_set_mac_list+0x3fe/0x640 [be2net] + be_cmd_set_mac+0xaf/0x110 [be2net] + be_vf_eth_addr_config+0x19f/0x330 [be2net] + be_vf_setup+0x4f7/0x990 [be2net] + be_pci_sriov_configure+0x3a1/0x470 [be2net] + sriov_numvfs_store+0x20b/0x380 + kernfs_fop_write_iter+0x354/0x530 + vfs_write+0x9b9/0xf60 + ksys_write+0xf3/0x1d0 + do_syscall_64+0x8c/0x3d0 + +be_cmd_set_mac_list() calls dma_free_coherent() under a spin_lock_bh. +Fix it by freeing only after the lock has been released. + +Fixes: 1a82d19ca2d6 ("be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink") +Signed-off-by: Michal Schmidt +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20250801101338.72502-1-mschmidt@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index d9bceb26f4e5..d6984c179bae 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -3851,8 +3851,8 @@ int be_cmd_set_mac_list(struct be_adapter *adapter, u8 *mac_array, + status = be_mcc_notify_wait(adapter); + + err: +- dma_free_coherent(&adapter->pdev->dev, cmd.size, cmd.va, cmd.dma); + spin_unlock_bh(&adapter->mcc_lock); ++ dma_free_coherent(&adapter->pdev->dev, cmd.size, cmd.va, cmd.dma); + return status; + } + +-- +2.39.5 + diff --git a/queue-5.4/ipv6-reject-malicious-packets-in-ipv6_gso_segment.patch b/queue-5.4/ipv6-reject-malicious-packets-in-ipv6_gso_segment.patch new file mode 100644 index 0000000000..53eee038a6 --- /dev/null +++ b/queue-5.4/ipv6-reject-malicious-packets-in-ipv6_gso_segment.patch @@ -0,0 +1,103 @@ +From b84c4891e8c2dbfda152844aba74eea4f0f6704c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jul 2025 13:17:38 +0000 +Subject: ipv6: reject malicious packets in ipv6_gso_segment() + +From: Eric Dumazet + +[ Upstream commit d45cf1e7d7180256e17c9ce88e32e8061a7887fe ] + +syzbot was able to craft a packet with very long IPv6 extension headers +leading to an overflow of skb->transport_header. + +This 16bit field has a limited range. + +Add skb_reset_transport_header_careful() helper and use it +from ipv6_gso_segment() + +WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] +WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 +Modules linked in: +CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 + RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] + RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 +Call Trace: + + skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 + nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 + skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 + __skb_gso_segment+0x342/0x510 net/core/gso.c:124 + skb_gso_segment include/net/gso.h:83 [inline] + validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 + validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 + sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 + __dev_xmit_skb net/core/dev.c:4102 [inline] + __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679 + +Fixes: d1da932ed4ec ("ipv6: Separate ipv6 offload support") +Reported-by: syzbot+af43e647fd835acc02df@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/688a1a05.050a0220.5d226.0008.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Dawid Osuchowski +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20250730131738.3385939-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 23 +++++++++++++++++++++++ + net/ipv6/ip6_offload.c | 4 +++- + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 4edce28fb454..d9abd9e6833e 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -2493,6 +2493,29 @@ static inline void skb_reset_transport_header(struct sk_buff *skb) + skb->transport_header = skb->data - skb->head; + } + ++/** ++ * skb_reset_transport_header_careful - conditionally reset transport header ++ * @skb: buffer to alter ++ * ++ * Hardened version of skb_reset_transport_header(). ++ * ++ * Returns: true if the operation was a success. ++ */ ++static inline bool __must_check ++skb_reset_transport_header_careful(struct sk_buff *skb) ++{ ++ long offset = skb->data - skb->head; ++ ++ if (unlikely(offset != (typeof(skb->transport_header))offset)) ++ return false; ++ ++ if (unlikely(offset == (typeof(skb->transport_header))~0U)) ++ return false; ++ ++ skb->transport_header = offset; ++ return true; ++} ++ + static inline void skb_set_transport_header(struct sk_buff *skb, + const int offset) + { +diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c +index b7b4ba68f3a2..0d9d11902b1b 100644 +--- a/net/ipv6/ip6_offload.c ++++ b/net/ipv6/ip6_offload.c +@@ -109,7 +109,9 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, + + ops = rcu_dereference(inet6_offloads[proto]); + if (likely(ops && ops->callbacks.gso_segment)) { +- skb_reset_transport_header(skb); ++ if (!skb_reset_transport_header_careful(skb)) ++ goto out; ++ + segs = ops->callbacks.gso_segment(skb, features); + if (!segs) + skb->network_header = skb_mac_header(skb) + nhoff - skb->head; +-- +2.39.5 + diff --git a/queue-5.4/net-drop-ufo-packets-in-udp_rcv_segment.patch b/queue-5.4/net-drop-ufo-packets-in-udp_rcv_segment.patch new file mode 100644 index 0000000000..54e713eab3 --- /dev/null +++ b/queue-5.4/net-drop-ufo-packets-in-udp_rcv_segment.patch @@ -0,0 +1,122 @@ +From d44697d85399d2dfd451d6df24c42619aa265380 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jul 2025 18:14:58 +0800 +Subject: net: drop UFO packets in udp_rcv_segment() + +From: Wang Liang + +[ Upstream commit d46e51f1c78b9ab9323610feb14238d06d46d519 ] + +When sending a packet with virtio_net_hdr to tun device, if the gso_type +in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr +size, below crash may happen. + + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:4572! + Oops: invalid opcode: 0000 [#1] SMP NOPTI + CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + RIP: 0010:skb_pull_rcsum+0x8e/0xa0 + Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000 + RSP: 0018:ffffc900001fba38 EFLAGS: 00000297 + RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948 + RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062 + RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001 + R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000 + R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900 + FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0 + Call Trace: + + udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445 + udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475 + udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626 + __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690 + ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233 + ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579 + ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636 + ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670 + __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067 + netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210 + napi_complete_done+0x78/0x180 net/core/dev.c:6580 + tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909 + tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984 + vfs_write+0x300/0x420 fs/read_write.c:593 + ksys_write+0x60/0xd0 fs/read_write.c:686 + do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63 + + +To trigger gso segment in udp_queue_rcv_skb(), we should also set option +UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv +hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try +to pull udphdr, but the skb size has been segmented to gso size, which +leads to this crash. + +Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection") +introduces segmentation in UDP receive path only for GRO, which was never +intended to be used for UFO, so drop UFO packets in udp_rcv_segment(). + +Link: https://lore.kernel.org/netdev/20250724083005.3918375-1-wangliang74@huawei.com/ +Link: https://lore.kernel.org/netdev/20250729123907.3318425-1-wangliang74@huawei.com/ +Fixes: cf329aa42b66 ("udp: cope with UDP GRO packet misdirection") +Suggested-by: Willem de Bruijn +Signed-off-by: Wang Liang +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20250730101458.3470788-1-wangliang74@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/udp.h | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/include/net/udp.h b/include/net/udp.h +index 7323f72fed70..bab7b68c5f6d 100644 +--- a/include/net/udp.h ++++ b/include/net/udp.h +@@ -471,6 +471,16 @@ static inline struct sk_buff *udp_rcv_segment(struct sock *sk, + { + netdev_features_t features = NETIF_F_SG; + struct sk_buff *segs; ++ int drop_count; ++ ++ /* ++ * Segmentation in UDP receive path is only for UDP GRO, drop udp ++ * fragmentation offload (UFO) packets. ++ */ ++ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP) { ++ drop_count = 1; ++ goto drop; ++ } + + /* Avoid csum recalculation by skb_segment unless userspace explicitly + * asks for the final checksum values +@@ -494,16 +504,18 @@ static inline struct sk_buff *udp_rcv_segment(struct sock *sk, + */ + segs = __skb_gso_segment(skb, features, false); + if (IS_ERR_OR_NULL(segs)) { +- int segs_nr = skb_shinfo(skb)->gso_segs; +- +- atomic_add(segs_nr, &sk->sk_drops); +- SNMP_ADD_STATS(__UDPX_MIB(sk, ipv4), UDP_MIB_INERRORS, segs_nr); +- kfree_skb(skb); +- return NULL; ++ drop_count = skb_shinfo(skb)->gso_segs; ++ goto drop; + } + + consume_skb(skb); + return segs; ++ ++drop: ++ atomic_add(drop_count, &sk->sk_drops); ++ SNMP_ADD_STATS(__UDPX_MIB(sk, ipv4), UDP_MIB_INERRORS, drop_count); ++ kfree_skb(skb); ++ return NULL; + } + + #endif /* _UDP_H */ +-- +2.39.5 + diff --git a/queue-5.4/netpoll-prevent-hanging-napi-when-netcons-gets-enabl.patch b/queue-5.4/netpoll-prevent-hanging-napi-when-netcons-gets-enabl.patch new file mode 100644 index 0000000000..34fa390b10 --- /dev/null +++ b/queue-5.4/netpoll-prevent-hanging-napi-when-netcons-gets-enabl.patch @@ -0,0 +1,95 @@ +From 0e81632c194f016a4819b527c8e651149cf821a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 18:08:46 -0700 +Subject: netpoll: prevent hanging NAPI when netcons gets enabled + +From: Jakub Kicinski + +[ Upstream commit 2da4def0f487f24bbb0cece3bb2bcdcb918a0b72 ] + +Paolo spotted hangs in NIPA running driver tests against virtio. +The tests hang in virtnet_close() -> virtnet_napi_tx_disable(). + +The problem is only reproducible if running multiple of our tests +in sequence (I used TEST_PROGS="xdp.py ping.py netcons_basic.sh \ +netpoll_basic.py stats.py"). Initial suspicion was that this is +a simple case of double-disable of NAPI, but instrumenting the +code reveals: + + Deadlocked on NAPI ffff888007cd82c0 (virtnet_poll_tx): + state: 0x37, disabled: false, owner: 0, listed: false, weight: 64 + +The NAPI was not in fact disabled, owner is 0 (rather than -1), +so the NAPI "thinks" it's scheduled for CPU 0 but it's not listed +(!list_empty(&n->poll_list) => false). It seems odd that normal NAPI +processing would wedge itself like this. + +Better suspicion is that netpoll gets enabled while NAPI is polling, +and also grabs the NAPI instance. This confuses napi_complete_done(): + + [netpoll] [normal NAPI] + napi_poll() + have = netpoll_poll_lock() + rcu_access_pointer(dev->npinfo) + return NULL # no netpoll + __napi_poll() + ->poll(->weight) + poll_napi() + cmpxchg(->poll_owner, -1, cpu) + poll_one_napi() + set_bit(NAPI_STATE_NPSVC, ->state) + napi_complete_done() + if (NAPIF_STATE_NPSVC) + return false + # exit without clearing SCHED + +This feels very unlikely, but perhaps virtio has some interactions +with the hypervisor in the NAPI ->poll that makes the race window +larger? + +Best I could to to prove the theory was to add and trigger this +warning in napi_poll (just before netpoll_poll_unlock()): + + WARN_ONCE(!have && rcu_access_pointer(n->dev->npinfo) && + napi_is_scheduled(n) && list_empty(&n->poll_list), + "NAPI race with netpoll %px", n); + +If this warning hits the next virtio_close() will hang. + +This patch survived 30 test iterations without a hang (without it +the longest clean run was around 10). Credit for triggering this +goes to Breno's recent netconsole tests. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Paolo Abeni +Link: https://lore.kernel.org/c5a93ed1-9abe-4880-a3bb-8d1678018b1d@redhat.com +Acked-by: Jason Wang +Reviewed-by: Xuan Zhuo +Link: https://patch.msgid.link/20250726010846.1105875-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 940d371f5f3b..09ae2fc41fa9 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -807,6 +807,13 @@ int netpoll_setup(struct netpoll *np) + goto put; + + rtnl_unlock(); ++ ++ /* Make sure all NAPI polls which started before dev->npinfo ++ * was visible have exited before we start calling NAPI poll. ++ * NAPI skips locking if dev->npinfo is NULL. ++ */ ++ synchronize_rcu(); ++ + return 0; + + put: +-- +2.39.5 + diff --git a/queue-5.4/nfs-fix-filehandle-bounds-checking-in-nfs_fh_to_dent.patch b/queue-5.4/nfs-fix-filehandle-bounds-checking-in-nfs_fh_to_dent.patch new file mode 100644 index 0000000000..3db272ca16 --- /dev/null +++ b/queue-5.4/nfs-fix-filehandle-bounds-checking-in-nfs_fh_to_dent.patch @@ -0,0 +1,51 @@ +From b188937554023509bfaf36ce4149c6fc9b201555 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 09:24:58 -0400 +Subject: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() + +From: Trond Myklebust + +[ Upstream commit ef93a685e01a281b5e2a25ce4e3428cf9371a205 ] + +The function needs to check the minimal filehandle length before it can +access the embedded filehandle. + +Reported-by: zhangjian +Fixes: 20fa19027286 ("nfs: add export operations") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/export.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/export.c b/fs/nfs/export.c +index deecb67638aa..97b6fa0adb57 100644 +--- a/fs/nfs/export.c ++++ b/fs/nfs/export.c +@@ -67,14 +67,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid, + struct nfs4_label *label = NULL; + struct nfs_fattr *fattr = NULL; + struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw); +- size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size; ++ size_t fh_size = offsetof(struct nfs_fh, data); + const struct nfs_rpc_ops *rpc_ops; + struct dentry *dentry; + struct inode *inode; +- int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size); ++ int len = EMBED_FH_OFF; + u32 *p = fid->raw; + int ret; + ++ /* Initial check of bounds */ ++ if (fh_len < len + XDR_QUADLEN(fh_size) || ++ fh_len > XDR_QUADLEN(NFS_MAXFHSIZE)) ++ return NULL; ++ /* Calculate embedded filehandle size */ ++ fh_size += server_fh->size; ++ len += XDR_QUADLEN(fh_size); + /* NULL translates to ESTALE */ + if (fh_len < len || fh_type != len) + return NULL; +-- +2.39.5 + diff --git a/queue-5.4/pptp-ensure-minimal-skb-length-in-pptp_xmit.patch b/queue-5.4/pptp-ensure-minimal-skb-length-in-pptp_xmit.patch new file mode 100644 index 0000000000..9ec4349961 --- /dev/null +++ b/queue-5.4/pptp-ensure-minimal-skb-length-in-pptp_xmit.patch @@ -0,0 +1,92 @@ +From 55162eeacf4bb7fa635b1714b79eb8e030c108a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jul 2025 08:02:07 +0000 +Subject: pptp: ensure minimal skb length in pptp_xmit() + +From: Eric Dumazet + +[ Upstream commit de9c4861fb42f0cd72da844c3c34f692d5895b7b ] + +Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data +on ppp_sync_txmung") fixed ppp_sync_txmunge() + +We need a similar fix in pptp_xmit(), otherwise we might +read uninit data as reported by syzbot. + +BUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 + pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 + ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline] + ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314 + pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379 + sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 + __release_sock+0x1d3/0x330 net/core/sock.c:3213 + release_sock+0x6b/0x270 net/core/sock.c:3767 + pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904 + sock_sendmsg_nosec net/socket.c:712 [inline] + __sock_sendmsg+0x330/0x3d0 net/socket.c:727 + ____sys_sendmsg+0x893/0xd80 net/socket.c:2566 + ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 + __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+afad90ffc8645324afe5@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68887d86.a00a0220.b12ec.00cd.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Dawid Osuchowski +Link: https://patch.msgid.link/20250729080207.1863408-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/pptp.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index e1fabb3e3246..5e2f4702aa2b 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -141,9 +141,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + int len; + unsigned char *data; + __u32 seq_recv; +- +- +- struct rtable *rt; ++ struct rtable *rt = NULL; + struct net_device *tdev; + struct iphdr *iph; + int max_headroom; +@@ -165,16 +163,20 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + + if (skb_headroom(skb) < max_headroom || skb_cloned(skb) || skb_shared(skb)) { + struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom); +- if (!new_skb) { +- ip_rt_put(rt); ++ ++ if (!new_skb) + goto tx_error; +- } ++ + if (skb->sk) + skb_set_owner_w(new_skb, skb->sk); + consume_skb(skb); + skb = new_skb; + } + ++ /* Ensure we can safely access protocol field and LCP code */ ++ if (!pskb_may_pull(skb, 3)) ++ goto tx_error; ++ + data = skb->data; + islcp = ((data[0] << 8) + data[1]) == PPP_LCP && 1 <= data[2] && data[2] <= 7; + +@@ -248,6 +250,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + return 1; + + tx_error: ++ ip_rt_put(rt); + kfree_skb(skb); + return 1; + } +-- +2.39.5 + diff --git a/queue-5.4/pptp-fix-pptp_xmit-error-path.patch b/queue-5.4/pptp-fix-pptp_xmit-error-path.patch new file mode 100644 index 0000000000..13f47a581e --- /dev/null +++ b/queue-5.4/pptp-fix-pptp_xmit-error-path.patch @@ -0,0 +1,88 @@ +From 0b5afbd82d4bb52761b5cba83d48e458a7bd6be6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 14:21:46 +0000 +Subject: pptp: fix pptp_xmit() error path + +From: Eric Dumazet + +[ Upstream commit ae633388cae349886f1a3cfb27aa092854b24c1b ] + +I accidentally added a bug in pptp_xmit() that syzbot caught for us. + +Only call ip_rt_put() if a route has been allocated. + +BUG: unable to handle page fault for address: ffffffffffffffdb +PGD df3b067 P4D df3b067 PUD df3d067 PMD 0 +Oops: Oops: 0002 [#1] SMP KASAN PTI +CPU: 1 UID: 0 PID: 6346 Comm: syz.0.336 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 +RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline] +RIP: 0010:raw_atomic_sub_return_release include/linux/atomic/atomic-arch-fallback.h:846 [inline] +RIP: 0010:atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:327 [inline] +RIP: 0010:__rcuref_put include/linux/rcuref.h:109 [inline] +RIP: 0010:rcuref_put+0x172/0x210 include/linux/rcuref.h:173 +Call Trace: + + dst_release+0x24/0x1b0 net/core/dst.c:167 + ip_rt_put include/net/route.h:285 [inline] + pptp_xmit+0x14b/0x1a90 drivers/net/ppp/pptp.c:267 + __ppp_channel_push+0xf2/0x1c0 drivers/net/ppp/ppp_generic.c:2166 + ppp_channel_push+0x123/0x660 drivers/net/ppp/ppp_generic.c:2198 + ppp_write+0x2b0/0x400 drivers/net/ppp/ppp_generic.c:544 + vfs_write+0x27b/0xb30 fs/read_write.c:684 + ksys_write+0x145/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: de9c4861fb42 ("pptp: ensure minimal skb length in pptp_xmit()") +Reported-by: syzbot+27d7cfbc93457e472e00@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/689095a5.050a0220.1fc43d.0009.GAE@google.com/ +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250807142146.2877060-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/pptp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index 5e2f4702aa2b..83541444bc8c 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -141,13 +141,13 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + int len; + unsigned char *data; + __u32 seq_recv; +- struct rtable *rt = NULL; ++ struct rtable *rt; + struct net_device *tdev; + struct iphdr *iph; + int max_headroom; + + if (sk_pppox(po)->sk_state & PPPOX_DEAD) +- goto tx_error; ++ goto tx_drop; + + rt = ip_route_output_ports(net, &fl4, NULL, + opt->dst_addr.sin_addr.s_addr, +@@ -155,7 +155,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + 0, 0, IPPROTO_GRE, + RT_TOS(0), 0); + if (IS_ERR(rt)) +- goto tx_error; ++ goto tx_drop; + + tdev = rt->dst.dev; + +@@ -251,6 +251,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + + tx_error: + ip_rt_put(rt); ++tx_drop: + kfree_skb(skb); + return 1; + } +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index d938c7beab..6f09203052 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -136,3 +136,11 @@ f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch usb-chipidea-udc-fix-sleeping-function-called-from-i.patch pci-hotplug-pnv-php-improve-error-msg-on-power-state.patch pci-hotplug-pnv-php-wrap-warnings-in-macro.patch +nfs-fix-filehandle-bounds-checking-in-nfs_fh_to_dent.patch +netpoll-prevent-hanging-napi-when-netcons-gets-enabl.patch +pptp-ensure-minimal-skb-length-in-pptp_xmit.patch +ipv6-reject-malicious-packets-in-ipv6_gso_segment.patch +net-drop-ufo-packets-in-udp_rcv_segment.patch +benet-fix-bug-when-creating-vfs.patch +smb-client-let-recv_done-cleanup-before-notifying-th.patch +pptp-fix-pptp_xmit-error-path.patch diff --git a/queue-5.4/smb-client-let-recv_done-cleanup-before-notifying-th.patch b/queue-5.4/smb-client-let-recv_done-cleanup-before-notifying-th.patch new file mode 100644 index 0000000000..8634b7afab --- /dev/null +++ b/queue-5.4/smb-client-let-recv_done-cleanup-before-notifying-th.patch @@ -0,0 +1,79 @@ +From 38ab59bbb67497a725d957c12700923a87cb7b14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Aug 2025 14:10:15 +0200 +Subject: smb: client: let recv_done() cleanup before notifying the callers. + +From: Stefan Metzmacher + +[ Upstream commit bdd7afc6dca5e0ebbb75583484aa6ea9e03fbb13 ] + +We should call put_receive_buffer() before waking up the callers. + +For the internal error case of response->type being unexpected, +we now also call smbd_disconnect_rdma_connection() instead +of not waking up the callers at all. + +Note that the SMBD_TRANSFER_DATA case still has problems, +which will be addressed in the next commit in order to make +it easier to review this one. + +Cc: Steve French +Cc: Tom Talpey +Cc: Long Li +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smbdirect.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c +index 0842a1af0b98..72df002e8ae3 100644 +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -495,7 +495,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) { + log_rdma_recv(INFO, "wc->status=%d opcode=%d\n", + wc->status, wc->opcode); +- smbd_disconnect_rdma_connection(info); + goto error; + } + +@@ -512,8 +511,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + info->full_packet_received = true; + info->negotiate_done = + process_negotiation_response(response, wc->byte_len); ++ put_receive_buffer(info, response); + complete(&info->negotiate_completion); +- break; ++ return; + + /* SMBD data transfer packet */ + case SMBD_TRANSFER_DATA: +@@ -565,14 +565,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + + queue_work(info->workqueue, &info->recv_done_work); + return; +- +- default: +- log_rdma_recv(ERR, +- "unexpected response type=%d\n", response->type); + } + ++ /* ++ * This is an internal error! ++ */ ++ log_rdma_recv(ERR, "unexpected response type=%d\n", response->type); ++ WARN_ON_ONCE(response->type != SMBD_TRANSFER_DATA); + error: + put_receive_buffer(info, response); ++ smbd_disconnect_rdma_connection(info); + } + + static struct rdma_cm_id *smbd_create_id( +-- +2.39.5 +