From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 17 Dec 2024 16:34:12 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v5.4.288~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=61de26513246ed77ea2c6b57b5386050a30b8d91;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	mptcp-fix-tracking-issue-in-mptcp_subflow_create_socket.patch
	net-initialize-net-notrefcnt_tracker-earlier.patch
---

diff --git a/queue-6.1/mptcp-fix-tracking-issue-in-mptcp_subflow_create_socket.patch b/queue-6.1/mptcp-fix-tracking-issue-in-mptcp_subflow_create_socket.patch
new file mode 100644
index 00000000000..4c42237c376
--- /dev/null
+++ b/queue-6.1/mptcp-fix-tracking-issue-in-mptcp_subflow_create_socket.patch
@@ -0,0 +1,37 @@
+From d1e96cc4fbe031c19d6fd9d8d2e63c03452fa290 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 25 Oct 2022 18:05:46 +0000
+Subject: mptcp: fix tracking issue in mptcp_subflow_create_socket()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit d1e96cc4fbe031c19d6fd9d8d2e63c03452fa290 upstream.
+
+My recent patch missed that mptcp_subflow_create_socket()
+was creating a 'kernel' socket, then converted it to 'user' socket.
+
+Fixes: 0cafd77dcd03 ("net: add a refcount tracker for kernel sockets")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Matthieu Baerts <matthieu.baerts@tessares.net>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Link: https://lore.kernel.org/r/20221025180546.652251-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/subflow.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -1616,7 +1616,9 @@ int mptcp_subflow_create_socket(struct s
+ 
+ 	/* kernel sockets do not by default acquire net ref, but TCP timer
+ 	 * needs it.
++	 * Update ns_tracker to current stack trace and refcounted tracker.
+ 	 */
++	__netns_tracker_free(net, &sf->sk->ns_tracker, false);
+ 	sf->sk->sk_net_refcnt = 1;
+ 	get_net_track(net, &sf->sk->ns_tracker, GFP_KERNEL);
+ 	sock_inuse_add(net, 1);
diff --git a/queue-6.1/net-initialize-net-notrefcnt_tracker-earlier.patch b/queue-6.1/net-initialize-net-notrefcnt_tracker-earlier.patch
new file mode 100644
index 00000000000..281f683bb48
--- /dev/null
+++ b/queue-6.1/net-initialize-net-notrefcnt_tracker-earlier.patch
@@ -0,0 +1,101 @@
+From 6e77a5a4af05d5e7391c841a4a4f3e4cadf72c25 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 8 Feb 2023 18:21:23 +0000
+Subject: net: initialize net->notrefcnt_tracker earlier
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6e77a5a4af05d5e7391c841a4a4f3e4cadf72c25 upstream.
+
+syzbot was able to trigger a warning [1] from net_free()
+calling ref_tracker_dir_exit(&net->notrefcnt_tracker)
+while the corresponding ref_tracker_dir_init() has not been
+done yet.
+
+copy_net_ns() can indeed bypass the call to setup_net()
+in some error conditions.
+
+Note:
+
+We might factorize/move more code in preinit_net() in the future.
+
+[1]
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 0 PID: 5817 Comm: syz-executor.3 Not tainted 6.2.0-rc7-next-20230208-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
+Call Trace:
+<TASK>
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
+assign_lock_key kernel/locking/lockdep.c:982 [inline]
+register_lock_class+0xdb6/0x1120 kernel/locking/lockdep.c:1295
+__lock_acquire+0x10a/0x5df0 kernel/locking/lockdep.c:4951
+lock_acquire.part.0+0x11c/0x370 kernel/locking/lockdep.c:5691
+__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+_raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162
+ref_tracker_dir_exit+0x52/0x600 lib/ref_tracker.c:24
+net_free net/core/net_namespace.c:442 [inline]
+net_free+0x98/0xd0 net/core/net_namespace.c:436
+copy_net_ns+0x4f3/0x6b0 net/core/net_namespace.c:493
+create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
+unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:228
+ksys_unshare+0x449/0x920 kernel/fork.c:3205
+__do_sys_unshare kernel/fork.c:3276 [inline]
+__se_sys_unshare kernel/fork.c:3274 [inline]
+__x64_sys_unshare+0x31/0x40 kernel/fork.c:3274
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+
+Fixes: 0cafd77dcd03 ("net: add a refcount tracker for kernel sockets")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230208182123.3821604-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net_namespace.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -307,6 +307,12 @@ struct net *get_net_ns_by_id(const struc
+ }
+ EXPORT_SYMBOL_GPL(get_net_ns_by_id);
+ 
++/* init code that must occur even if setup_net() is not called. */
++static __net_init void preinit_net(struct net *net)
++{
++	ref_tracker_dir_init(&net->notrefcnt_tracker, 128);
++}
++
+ /*
+  * setup_net runs the initializers for the network namespace object.
+  */
+@@ -319,7 +325,6 @@ static __net_init int setup_net(struct n
+ 
+ 	refcount_set(&net->ns.count, 1);
+ 	ref_tracker_dir_init(&net->refcnt_tracker, 128);
+-	ref_tracker_dir_init(&net->notrefcnt_tracker, 128);
+ 
+ 	refcount_set(&net->passive, 1);
+ 	get_random_bytes(&net->hash_mix, sizeof(u32));
+@@ -491,6 +496,8 @@ struct net *copy_net_ns(unsigned long fl
+ 		rv = -ENOMEM;
+ 		goto dec_ucounts;
+ 	}
++
++	preinit_net(net);
+ 	refcount_set(&net->passive, 1);
+ 	net->ucounts = ucounts;
+ 	get_user_ns(user_ns);
+@@ -1144,6 +1151,7 @@ void __init net_ns_init(void)
+ 	init_net.key_domain = &init_net_key_domain;
+ #endif
+ 	down_write(&pernet_ops_rwsem);
++	preinit_net(&init_net);
+ 	if (setup_net(&init_net, &init_user_ns))
+ 		panic("Could not setup the initial network namespace");
+ 
diff --git a/queue-6.1/series b/queue-6.1/series
index 8b412e5b7cd..8d568651b63 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -75,3 +75,5 @@ x86-xen-add-central-hypercall-functions.patch
 x86-xen-use-new-hypercall-functions-instead-of-hypercall-page.patch
 x86-xen-remove-hypercall-page.patch
 alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch
+mptcp-fix-tracking-issue-in-mptcp_subflow_create_socket.patch
+net-initialize-net-notrefcnt_tracker-earlier.patch