From: Greg Kroah-Hartman Date: Sat, 30 Jul 2022 15:31:48 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.209~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=85f81eed30441055b7ca3155a2323b2512d60c03;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch ice-do-not-setup-vlan-for-loopback-vsi.patch ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch net-ping6-fix-memleak-in-ipv6_renew_options.patch scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch --- diff --git a/queue-5.4/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch b/queue-5.4/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch new file mode 100644 index 00000000000..755f0629483 --- /dev/null +++ b/queue-5.4/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch @@ -0,0 +1,41 @@ +From 283d736ff7c7e96ac5b32c6c0de40372f8eb171e Mon Sep 17 00:00:00 2001 +From: Maciej Fijalkowski +Date: Thu, 7 Jul 2022 12:20:42 +0200 +Subject: ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) + +From: Maciej Fijalkowski + +commit 283d736ff7c7e96ac5b32c6c0de40372f8eb171e upstream. + +Tx side sets EOP and RS bits on descriptors to indicate that a +particular descriptor is the last one and needs to generate an irq when +it was sent. These bits should not be checked on completion path +regardless whether it's the Tx or the Rx. DD bit serves this purpose and +it indicates that a particular descriptor is either for Rx or was +successfully Txed. EOF is also set as loopback test does not xmit +fragmented frames. + +Look at (DD | EOF) bits setting in ice_lbtest_receive_frames() instead +of EOP and RS pair. + +Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest") +Signed-off-by: Maciej Fijalkowski +Tested-by: George Kuruvinakunnel +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -619,7 +619,8 @@ static int ice_lbtest_receive_frames(str + rx_desc = ICE_RX_DESC(rx_ring, i); + + if (!(rx_desc->wb.status_error0 & +- cpu_to_le16(ICE_TX_DESC_CMD_EOP | ICE_TX_DESC_CMD_RS))) ++ (cpu_to_le16(BIT(ICE_RX_FLEX_DESC_STATUS0_DD_S)) | ++ cpu_to_le16(BIT(ICE_RX_FLEX_DESC_STATUS0_EOF_S))))) + continue; + + rx_buf = &rx_ring->rx_buf[i]; diff --git a/queue-5.4/ice-do-not-setup-vlan-for-loopback-vsi.patch b/queue-5.4/ice-do-not-setup-vlan-for-loopback-vsi.patch new file mode 100644 index 00000000000..96373f293f4 --- /dev/null +++ b/queue-5.4/ice-do-not-setup-vlan-for-loopback-vsi.patch @@ -0,0 +1,39 @@ +From cc019545a238518fa9da1e2a889f6e1bb1005a63 Mon Sep 17 00:00:00 2001 +From: Maciej Fijalkowski +Date: Thu, 7 Jul 2022 12:20:43 +0200 +Subject: ice: do not setup vlan for loopback VSI + +From: Maciej Fijalkowski + +commit cc019545a238518fa9da1e2a889f6e1bb1005a63 upstream. + +Currently loopback test is failiing due to the error returned from +ice_vsi_vlan_setup(). Skip calling it when preparing loopback VSI. + +Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest") +Signed-off-by: Maciej Fijalkowski +Tested-by: George Kuruvinakunnel +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_main.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3495,10 +3495,12 @@ int ice_vsi_cfg(struct ice_vsi *vsi) + if (vsi->netdev) { + ice_set_rx_mode(vsi->netdev); + +- err = ice_vsi_vlan_setup(vsi); ++ if (vsi->type != ICE_VSI_LB) { ++ err = ice_vsi_vlan_setup(vsi); + +- if (err) +- return err; ++ if (err) ++ return err; ++ } + } + ice_vsi_cfg_dcb_rings(vsi); + diff --git a/queue-5.4/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch b/queue-5.4/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch new file mode 100644 index 00000000000..ee7cb2b8c83 --- /dev/null +++ b/queue-5.4/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch @@ -0,0 +1,97 @@ +From 85f0173df35e5462d89947135a6a5599c6c3ef6f Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Thu, 28 Jul 2022 09:33:07 +0800 +Subject: ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr + +From: Ziyang Xuan + +commit 85f0173df35e5462d89947135a6a5599c6c3ef6f upstream. + +Change net device's MTU to smaller than IPV6_MIN_MTU or unregister +device while matching route. That may trigger null-ptr-deref bug +for ip6_ptr probability as following. + +========================================================= +BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134 +Read of size 4 at addr 0000000000000308 by task ping6/263 + +CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14 +Call trace: + dump_backtrace+0x1a8/0x230 + show_stack+0x20/0x70 + dump_stack_lvl+0x68/0x84 + print_report+0xc4/0x120 + kasan_report+0x84/0x120 + __asan_load4+0x94/0xd0 + find_match.part.0+0x70/0x134 + __find_rr_leaf+0x408/0x470 + fib6_table_lookup+0x264/0x540 + ip6_pol_route+0xf4/0x260 + ip6_pol_route_output+0x58/0x70 + fib6_rule_lookup+0x1a8/0x330 + ip6_route_output_flags_noref+0xd8/0x1a0 + ip6_route_output_flags+0x58/0x160 + ip6_dst_lookup_tail+0x5b4/0x85c + ip6_dst_lookup_flow+0x98/0x120 + rawv6_sendmsg+0x49c/0xc70 + inet_sendmsg+0x68/0x94 + +Reproducer as following: +Firstly, prepare conditions: +$ip netns add ns1 +$ip netns add ns2 +$ip link add veth1 type veth peer name veth2 +$ip link set veth1 netns ns1 +$ip link set veth2 netns ns2 +$ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1 +$ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2 +$ip netns exec ns1 ifconfig veth1 up +$ip netns exec ns2 ifconfig veth2 up +$ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1 +$ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1 + +Secondly, execute the following two commands in two ssh windows +respectively: +$ip netns exec ns1 sh +$while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done + +$ip netns exec ns1 sh +$while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done + +It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly, +then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check. + + cpu0 cpu1 +fib6_table_lookup +__find_rr_leaf + addrconf_notify [ NETDEV_CHANGEMTU ] + addrconf_ifdown + RCU_INIT_POINTER(dev->ip6_ptr, NULL) +find_match +ip6_ignore_linkdown + +So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to +fix the null-ptr-deref bug. + +Fixes: dcd1f572954f ("net/ipv6: Remove fib6_idev") +Signed-off-by: Ziyang Xuan +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220728013307.656257-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/addrconf.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -399,6 +399,9 @@ static inline bool ip6_ignore_linkdown(c + { + const struct inet6_dev *idev = __in6_dev_get(dev); + ++ if (unlikely(!idev)) ++ return true; ++ + return !!idev->cnf.ignore_routes_with_linkdown; + } + diff --git a/queue-5.4/net-ping6-fix-memleak-in-ipv6_renew_options.patch b/queue-5.4/net-ping6-fix-memleak-in-ipv6_renew_options.patch new file mode 100644 index 00000000000..010b1732c7e --- /dev/null +++ b/queue-5.4/net-ping6-fix-memleak-in-ipv6_renew_options.patch @@ -0,0 +1,105 @@ +From e27326009a3d247b831eda38878c777f6f4eb3d1 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 27 Jul 2022 18:22:20 -0700 +Subject: net: ping6: Fix memleak in ipv6_renew_options(). + +From: Kuniyuki Iwashima + +commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream. + +When we close ping6 sockets, some resources are left unfreed because +pingv6_prot is missing sk->sk_prot->destroy(). As reported by +syzbot [0], just three syscalls leak 96 bytes and easily cause OOM. + + struct ipv6_sr_hdr *hdr; + char data[24] = {0}; + int fd; + + hdr = (struct ipv6_sr_hdr *)data; + hdr->hdrlen = 2; + hdr->type = IPV6_SRCRT_TYPE_4; + + fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP); + setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24); + close(fd); + +To fix memory leaks, let's add a destroy function. + +Note the socket() syscall checks if the GID is within the range of +net.ipv4.ping_group_range. The default value is [1, 0] so that no +GID meets the condition (1 <= GID <= 0). Thus, the local DoS does +not succeed until we change the default value. However, at least +Ubuntu/Fedora/RHEL loosen it. + + $ cat /usr/lib/sysctl.d/50-default.conf + ... + -net.ipv4.ping_group_range = 0 2147483647 + +Also, there could be another path reported with these options, and +some of them require CAP_NET_RAW. + + setsockopt + IPV6_ADDRFORM (inet6_sk(sk)->pktoptions) + IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu) + IPV6_HOPOPTS (inet6_sk(sk)->opt) + IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt) + IPV6_RTHDR (inet6_sk(sk)->opt) + IPV6_DSTOPTS (inet6_sk(sk)->opt) + IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt) + + getsockopt + IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list) + +For the record, I left a different splat with syzbot's one. + + unreferenced object 0xffff888006270c60 (size 96): + comm "repro2", pid 231, jiffies 4294696626 (age 13.118s) + hex dump (first 32 bytes): + 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554) + [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715) + [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024) + [<000000007096a025>] __sys_setsockopt (net/socket.c:2254) + [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262) + [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +[0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176 + +Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.") +Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com +Reported-by: Ayushman Dutta +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ping.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv6/ping.c ++++ b/net/ipv6/ping.c +@@ -22,6 +22,11 @@ + #include + #include + ++static void ping_v6_destroy(struct sock *sk) ++{ ++ inet6_destroy_sock(sk); ++} ++ + /* Compatibility glue so we can support IPv6 when it's compiled as a module */ + static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, + int *addr_len) +@@ -165,6 +170,7 @@ struct proto pingv6_prot = { + .owner = THIS_MODULE, + .init = ping_init_sock, + .close = ping_close, ++ .destroy = ping_v6_destroy, + .connect = ip6_datagram_connect_v6_only, + .disconnect = __udp_disconnect, + .setsockopt = ipv6_setsockopt, diff --git a/queue-5.4/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch b/queue-5.4/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch new file mode 100644 index 00000000000..c6d43124a57 --- /dev/null +++ b/queue-5.4/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch @@ -0,0 +1,56 @@ +From a3435afba87dc6cd83f5595e7607f3c40f93ef01 Mon Sep 17 00:00:00 2001 +From: Liang He +Date: Tue, 19 Jul 2022 15:15:29 +0800 +Subject: scsi: ufs: host: Hold reference returned by of_parse_phandle() + +From: Liang He + +commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream. + +In ufshcd_populate_vreg(), we should hold the reference returned by +of_parse_phandle() and then use it to call of_node_put() for refcount +balance. + +Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com +Fixes: aa4976130934 ("ufs: Add regulator enable support") +Reviewed-by: Bart Van Assche +Signed-off-by: Liang He +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufshcd-pltfrm.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ufs/ufshcd-pltfrm.c ++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c +@@ -125,9 +125,20 @@ out: + return ret; + } + ++static bool phandle_exists(const struct device_node *np, ++ const char *phandle_name, int index) ++{ ++ struct device_node *parse_np = of_parse_phandle(np, phandle_name, index); ++ ++ if (parse_np) ++ of_node_put(parse_np); ++ ++ return parse_np != NULL; ++} ++ + #define MAX_PROP_SIZE 32 + static int ufshcd_populate_vreg(struct device *dev, const char *name, +- struct ufs_vreg **out_vreg) ++ struct ufs_vreg **out_vreg) + { + int ret = 0; + char prop_name[MAX_PROP_SIZE]; +@@ -140,7 +151,7 @@ static int ufshcd_populate_vreg(struct d + } + + snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name); +- if (!of_parse_phandle(np, prop_name, 0)) { ++ if (!phandle_exists(np, prop_name, 0)) { + dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n", + __func__, prop_name); + goto out; diff --git a/queue-5.4/series b/queue-5.4/series index 1d38e2c05b4..e951aa5752b 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -6,3 +6,10 @@ tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch tcp-fix-a-data-race-around-sysctl_tcp_frto.patch tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch +ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch +ice-do-not-setup-vlan-for-loopback-vsi.patch +scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch +tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch +tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch +net-ping6-fix-memleak-in-ipv6_renew_options.patch +ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch diff --git a/queue-5.4/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch b/queue-5.4/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch new file mode 100644 index 00000000000..a84fa54ca0e --- /dev/null +++ b/queue-5.4/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch @@ -0,0 +1,31 @@ +From db3815a2fa691da145cfbe834584f31ad75df9ff Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 20 Jul 2022 09:50:21 -0700 +Subject: tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. + +From: Kuniyuki Iwashima + +commit db3815a2fa691da145cfbe834584f31ad75df9ff upstream. + +While reading sysctl_tcp_challenge_ack_limit, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its reader. + +Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3484,7 +3484,7 @@ static void tcp_send_challenge_ack(struc + /* Then check host-wide RFC 5961 rate limit. */ + now = jiffies / HZ; + if (now != challenge_timestamp) { +- u32 ack_limit = net->ipv4.sysctl_tcp_challenge_ack_limit; ++ u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit); + u32 half = (ack_limit + 1) >> 1; + + challenge_timestamp = now; diff --git a/queue-5.4/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch b/queue-5.4/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch new file mode 100644 index 00000000000..38c82a46a4b --- /dev/null +++ b/queue-5.4/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch @@ -0,0 +1,31 @@ +From 9fb90193fbd66b4c5409ef729fd081861f8b6351 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 20 Jul 2022 09:50:20 -0700 +Subject: tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. + +From: Kuniyuki Iwashima + +commit 9fb90193fbd66b4c5409ef729fd081861f8b6351 upstream. + +While reading sysctl_tcp_limit_output_bytes, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its reader. + +Fixes: 46d3ceabd8d9 ("tcp: TCP Small Queues") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2276,7 +2276,7 @@ static bool tcp_small_queue_check(struct + sk->sk_pacing_rate >> READ_ONCE(sk->sk_pacing_shift)); + if (sk->sk_pacing_status == SK_PACING_NONE) + limit = min_t(unsigned long, limit, +- sock_net(sk)->ipv4.sysctl_tcp_limit_output_bytes); ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_limit_output_bytes)); + limit <<= factor; + + if (static_branch_unlikely(&tcp_tx_delay_enabled) &&