From: Sasha Levin Date: Thu, 18 May 2023 01:37:40 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.3.4~53 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87c227bbdc673c33d9a5df9b5ede75ad2378afe5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_unix-fix-a-data-race-of-sk-sk_receive_queue-qlen.patch b/queue-5.4/af_unix-fix-a-data-race-of-sk-sk_receive_queue-qlen.patch new file mode 100644 index 00000000000..bd96c35c53e --- /dev/null +++ b/queue-5.4/af_unix-fix-a-data-race-of-sk-sk_receive_queue-qlen.patch 
@@ -0,0 +1,84 @@ +From f7b46039fa3c9962eded2597c45cf48d9d44f189 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 17:34:55 -0700 +Subject: af_unix: Fix a data race of sk->sk_receive_queue->qlen. + +From: Kuniyuki Iwashima + +[ Upstream commit 679ed006d416ea0cecfe24a99d365d1dea69c683 ] + +KCSAN found a data race of sk->sk_receive_queue->qlen where recvmsg() +updates qlen under the queue lock and sendmsg() checks qlen under +unix_state_sock(), not the queue lock, so the reader side needs +READ_ONCE(). + +BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_wait_for_peer + +write (marked) to 0xffff888019fe7c68 of 4 bytes by task 49792 on cpu 0: + __skb_unlink include/linux/skbuff.h:2347 [inline] + __skb_try_recv_from_queue+0x3de/0x470 net/core/datagram.c:197 + __skb_try_recv_datagram+0xf7/0x390 net/core/datagram.c:263 + __unix_dgram_recvmsg+0x109/0x8a0 net/unix/af_unix.c:2452 + unix_dgram_recvmsg+0x94/0xa0 net/unix/af_unix.c:2549 + sock_recvmsg_nosec net/socket.c:1019 [inline] + ____sys_recvmsg+0x3a3/0x3b0 net/socket.c:2720 + ___sys_recvmsg+0xc8/0x150 net/socket.c:2764 + do_recvmmsg+0x182/0x560 net/socket.c:2858 + __sys_recvmmsg net/socket.c:2937 [inline] + __do_sys_recvmmsg net/socket.c:2960 [inline] + __se_sys_recvmmsg net/socket.c:2953 [inline] + __x64_sys_recvmmsg+0x153/0x170 net/socket.c:2953 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffff888019fe7c68 of 4 bytes by task 49793 on cpu 1: + skb_queue_len include/linux/skbuff.h:2127 [inline] + unix_recvq_full net/unix/af_unix.c:229 [inline] + unix_wait_for_peer+0x154/0x1a0 net/unix/af_unix.c:1445 + unix_dgram_sendmsg+0x13bc/0x14b0 net/unix/af_unix.c:2048 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:747 + ____sys_sendmsg+0x20e/0x620 net/socket.c:2503 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2557 + __sys_sendmmsg+0x11d/0x370 
net/socket.c:2643 + __do_sys_sendmmsg net/socket.c:2672 [inline] + __se_sys_sendmmsg net/socket.c:2669 [inline] + __x64_sys_sendmmsg+0x58/0x70 net/socket.c:2669 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x0000000b -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 49793 Comm: syz-executor.0 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Michal Kubiak +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index f33e90bd0683b..35a941684f16e 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1227,7 +1227,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo) + + sched = !sock_flag(other, SOCK_DEAD) && + !(other->sk_shutdown & RCV_SHUTDOWN) && +- unix_recvq_full(other); ++ unix_recvq_full_lockless(other); + + unix_state_unlock(other); + +-- +2.39.2 + diff --git a/queue-5.4/af_unix-fix-data-races-around-sk-sk_shutdown.patch b/queue-5.4/af_unix-fix-data-races-around-sk-sk_shutdown.patch new file mode 100644 index 00000000000..79784d73d8c --- /dev/null +++ b/queue-5.4/af_unix-fix-data-races-around-sk-sk_shutdown.patch 
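Review bot: `unix_recvq_full_lockless()` is not defined anywhere in this hunk, so the 5.4 backport only builds if the tree already carries that helper (upstream it came with the earlier "af_unix: Fix data-race in unix_dgram_sendmsg / unix_release_sock" fix, which I believe was also taken into 5.4.y, but that should be confirmed by a build rather than assumed). The change is an annotation, not a synchronisation fix: unix_wait_for_peer() still decides whether to sleep from a qlen the peer's reader updates under the queue lock, which is presumably acceptable because the sender re-checks after waking, yet nothing at the call site says so. A one-line comment on the new call would stop a future cleanup from reverting to the locked helper, e.g. `/* qlen is written under the peer's queue lock, not unix_state_lock(); read it locklessly */`. unix_wait_for_peer() starts and ends outside the hunk.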
@@ -0,0 +1,153 @@ +From e4179c95c380b64519c1ec6fedc7295a3270ff1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 17:34:56 -0700 +Subject: af_unix: Fix data races around sk->sk_shutdown. + +From: Kuniyuki Iwashima + +[ Upstream commit e1d09c2c2f5793474556b60f83900e088d0d366d ] + +KCSAN found a data race around sk->sk_shutdown where unix_release_sock() +and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll() +and unix_dgram_poll() read it locklessly. + +We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE(). + +BUG: KCSAN: data-race in unix_poll / unix_release_sock + +write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0: + unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 + unix_release+0x59/0x80 net/unix/af_unix.c:1042 + __sock_release+0x7d/0x170 net/socket.c:653 + sock_close+0x19/0x30 net/socket.c:1397 + __fput+0x179/0x5e0 fs/file_table.c:321 + ____fput+0x15/0x20 fs/file_table.c:349 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1: + unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170 + sock_poll+0xcf/0x2b0 net/socket.c:1385 + vfs_poll include/linux/poll.h:88 [inline] + ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855 + ep_send_events fs/eventpoll.c:1694 [inline] + ep_poll fs/eventpoll.c:1823 [inline] + do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258 + __do_sys_epoll_wait fs/eventpoll.c:2270 [inline] + __se_sys_epoll_wait fs/eventpoll.c:2265 [inline] + __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265 + do_syscall_x64 
arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x00 -> 0x03 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Michal Kubiak +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 35a941684f16e..01fd049da104a 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -531,7 +531,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + /* Clear state */ + unix_state_lock(sk); + sock_orphan(sk); +- sk->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); + path = u->path; + u->path.dentry = NULL; + u->path.mnt = NULL; +@@ -549,7 +549,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { + unix_state_lock(skpair); + /* No more writes */ +- skpair->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK); + if (!skb_queue_empty(&sk->sk_receive_queue) || embrion) + skpair->sk_err = ECONNRESET; + unix_state_unlock(skpair); +@@ -2546,7 +2546,7 @@ static int unix_shutdown(struct socket *sock, int mode) + ++mode; + + unix_state_lock(sk); +- sk->sk_shutdown |= mode; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | mode); + other = unix_peer(sk); + if (other) + sock_hold(other); +@@ -2563,7 +2563,7 @@ static int unix_shutdown(struct socket *sock, int mode) + if 
(mode&SEND_SHUTDOWN) + peer_mode |= RCV_SHUTDOWN; + unix_state_lock(other); +- other->sk_shutdown |= peer_mode; ++ WRITE_ONCE(other->sk_shutdown, other->sk_shutdown | peer_mode); + unix_state_unlock(other); + other->sk_state_change(other); + if (peer_mode == SHUTDOWN_MASK) +@@ -2682,16 +2682,18 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa + { + struct sock *sk = sock->sk; + __poll_t mask; ++ u8 shutdown; + + sock_poll_wait(file, sock, wait); + mask = 0; ++ shutdown = READ_ONCE(sk->sk_shutdown); + + /* exceptional events? */ + if (sk->sk_err) + mask |= EPOLLERR; +- if (sk->sk_shutdown == SHUTDOWN_MASK) ++ if (shutdown == SHUTDOWN_MASK) + mask |= EPOLLHUP; +- if (sk->sk_shutdown & RCV_SHUTDOWN) ++ if (shutdown & RCV_SHUTDOWN) + mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM; + + /* readable? */ +@@ -2719,18 +2721,20 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock, + struct sock *sk = sock->sk, *other; + unsigned int writable; + __poll_t mask; ++ u8 shutdown; + + sock_poll_wait(file, sock, wait); + mask = 0; ++ shutdown = READ_ONCE(sk->sk_shutdown); + + /* exceptional events? */ + if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= EPOLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0); + +- if (sk->sk_shutdown & RCV_SHUTDOWN) ++ if (shutdown & RCV_SHUTDOWN) + mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM; +- if (sk->sk_shutdown == SHUTDOWN_MASK) ++ if (shutdown == SHUTDOWN_MASK) + mask |= EPOLLHUP; + + /* readable? */ +-- +2.39.2 + diff --git a/queue-5.4/arm-9296-1-hp-jornada-7xx-fix-kernel-doc-warnings.patch b/queue-5.4/arm-9296-1-hp-jornada-7xx-fix-kernel-doc-warnings.patch new file mode 100644 index 00000000000..0cbef82e5a9 --- /dev/null +++ b/queue-5.4/arm-9296-1-hp-jornada-7xx-fix-kernel-doc-warnings.patch 
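Review bot: `sk->sk_err` is still read plainly in both unix_poll() (`if (sk->sk_err)`) and unix_dgram_poll() (`if (sk->sk_err || ...)`) on the lines right next to the new `READ_ONCE(sk->sk_shutdown)` loads, while the sibling patches in this same series annotate that field (WRITE_ONCE() in do_recvmmsg(), READ_ONCE() in datagram_poll()); these poll paths run without unix_state_lock() too, so `if (READ_ONCE(sk->sk_err))` is the consistent form and avoids the next KCSAN report. The read-modify-write `WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | mode)` in unix_shutdown() is only correct because every writer holds unix_state_lock(sk), which the hunk shows but does not state; a short comment there such as `/* writers serialised by unix_state_lock(); WRITE_ONCE() pairs with the lockless readers in unix_poll() */` records that invariant. Both poll functions continue past the end of the hunk.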
@@ -0,0 +1,69 @@ +From 15dcb48f3ee65f7054021922f45c5820015d4a81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Apr 2023 06:48:45 +0100 +Subject: ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings + +From: Randy Dunlap + +[ Upstream commit 46dd6078dbc7e363a8bb01209da67015a1538929 ] + +Fix kernel-doc warnings from the kernel test robot: + +jornada720_ssp.c:24: warning: Function parameter or member 'jornada_ssp_lock' not described in 'DEFINE_SPINLOCK' +jornada720_ssp.c:24: warning: expecting prototype for arch/arm/mac(). Prototype was for DEFINE_SPINLOCK() instead +jornada720_ssp.c:34: warning: Function parameter or member 'byte' not described in 'jornada_ssp_reverse' +jornada720_ssp.c:57: warning: Function parameter or member 'byte' not described in 'jornada_ssp_byte' +jornada720_ssp.c:85: warning: Function parameter or member 'byte' not described in 'jornada_ssp_inout' + +Link: lore.kernel.org/r/202304210535.tWby3jWF-lkp@intel.com + +Fixes: 69ebb22277a5 ("[ARM] 4506/1: HP Jornada 7XX: Addition of SSP Platform Driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Arnd Bergmann +Cc: Kristoffer Ericson +Cc: patches@armlinux.org.uk +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mach-sa1100/jornada720_ssp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-sa1100/jornada720_ssp.c b/arch/arm/mach-sa1100/jornada720_ssp.c +index 1dbe98948ce30..9627c4cf3e41d 100644 +--- a/arch/arm/mach-sa1100/jornada720_ssp.c ++++ b/arch/arm/mach-sa1100/jornada720_ssp.c +@@ -1,5 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0-only +-/** ++/* + * arch/arm/mac-sa1100/jornada720_ssp.c + * + * Copyright (C) 2006/2007 Kristoffer Ericson +@@ -26,6 +26,7 @@ static unsigned long jornada_ssp_flags; + + /** + * jornada_ssp_reverse - reverses input byte ++ * @byte: input byte to reverse + * + * we need to reverse all data we receive from the mcu due to its physical location + * returns : 01110111 
-> 11101110 +@@ -46,6 +47,7 @@ EXPORT_SYMBOL(jornada_ssp_reverse); + + /** + * jornada_ssp_byte - waits for ready ssp bus and sends byte ++ * @byte: input byte to transmit + * + * waits for fifo buffer to clear and then transmits, if it doesn't then we will + * timeout after rounds. Needs mcu running before its called. +@@ -77,6 +79,7 @@ EXPORT_SYMBOL(jornada_ssp_byte); + + /** + * jornada_ssp_inout - decide if input is command or trading byte ++ * @byte: input byte to send (may be %TXDUMMY) + * + * returns : (jornada_ssp_byte(byte)) on success + * : %-ETIMEDOUT on timeout failure +-- +2.39.2 + diff --git a/queue-5.4/driver-core-add-a-helper-to-setup-both-the-of_node-a.patch b/queue-5.4/driver-core-add-a-helper-to-setup-both-the-of_node-a.patch new file mode 100644 index 00000000000..90770b31a8d --- /dev/null +++ b/queue-5.4/driver-core-add-a-helper-to-setup-both-the-of_node-a.patch 
@@ -0,0 +1,58 @@
+From 4a8a6ce917c2bdc36f645e1e21fa17c1df3ee5f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Jun 2021 15:29:04 +0300
+Subject: driver core: add a helper to setup both the of_node and fwnode of a
+ device
+
+From: Ioana Ciornei
+
+[ Upstream commit 43e76d463c09a0272b84775bcc727c1eb8b384b2 ]
+
+There are many places where both the fwnode_handle and the of_node of a
+device need to be populated. Add a function which does both so that we
+have consistency.
+
+Suggested-by: Andrew Lunn
+Signed-off-by: Ioana Ciornei
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: David S. Miller
+Stable-dep-of: a26cc2934331 ("drm/mipi-dsi: Set the fwnode for mipi_dsi_device")
+Signed-off-by: Sasha Levin
+---
+ drivers/base/core.c | 7 +++++++
+ include/linux/device.h | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index 1b016fdd1a750..f8e157ede44f8 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -3474,6 +3474,13 @@ void device_set_of_node_from_dev(struct device *dev, const struct device *dev2)
+ }
+ EXPORT_SYMBOL_GPL(device_set_of_node_from_dev);
+
++void device_set_node(struct device *dev, struct fwnode_handle *fwnode)
++{
++ dev->fwnode = fwnode;
++ dev->of_node = to_of_node(fwnode);
++}
++EXPORT_SYMBOL_GPL(device_set_node);
++
+ int device_match_name(struct device *dev, const void *name)
+ {
+ return sysfs_streq(dev_name(dev), name);
+diff --git a/include/linux/device.h b/include/linux/device.h
+index 3414b5a67b466..d74275e2047a4 100644
+--- a/include/linux/device.h
++++ b/include/linux/device.h
+@@ -1528,6 +1528,7 @@ extern int device_online(struct device *dev);
+ extern void set_primary_fwnode(struct device *dev, struct fwnode_handle *fwnode);
+ extern void set_secondary_fwnode(struct device *dev, struct fwnode_handle *fwnode);
+ void device_set_of_node_from_dev(struct device *dev, const struct device *dev2);
++void device_set_node(struct device *dev, struct fwnode_handle *fwnode);
+
+ static inline int dev_num_vf(struct device *dev)
+ {
+--
+2.39.2
+
diff --git a/queue-5.4/drm-mipi-dsi-set-the-fwnode-for-mipi_dsi_device.patch b/queue-5.4/drm-mipi-dsi-set-the-fwnode-for-mipi_dsi_device.patch
new file mode 100644
index 00000000000..cc38c10e337
--- /dev/null
+++ b/queue-5.4/drm-mipi-dsi-set-the-fwnode-for-mipi_dsi_device.patch
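Review bot: the new exported helper `device_set_node()` has no kernel-doc, unlike the neighbouring device_set_of_node_from_dev(), and its semantics are worth stating because it unconditionally overwrites both `dev->fwnode` and `dev->of_node`, and as far as I can tell to_of_node() yields NULL for a NULL or non-OF handle, so passing NULL clears both fields (confirm against to_of_node()). I would add a kernel-doc block above the definition with a one-line summary ("set the fwnode and of_node of a device"), `@dev` and `@fwnode` descriptions, and a sentence noting that any previously assigned nodes are replaced and that a NULL or non-OF handle leaves of_node NULL. Since this is a new API pulled into 5.4 only as a stable dependency, the comment should also make clear there is no locking or refcounting on the handle, which the body shows (two plain stores).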
@@ -0,0 +1,48 @@
+From a7ada865b95d1d14035a1fecb4e4bd656638a3da Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Mar 2023 22:39:09 -0800
+Subject: drm/mipi-dsi: Set the fwnode for mipi_dsi_device
+
+From: Saravana Kannan
+
+[ Upstream commit a26cc2934331b57b5a7164bff344f0a2ec245fc0 ]
+
+After commit 3fb16866b51d ("driver core: fw_devlink: Make cycle
+detection more robust"), fw_devlink prints an error when consumer
+devices don't have their fwnode set. This used to be ignored silently.
+
+Set the fwnode mipi_dsi_device so fw_devlink can find them and properly
+track their dependencies.
+
+This fixes errors like this:
+[ 0.334054] nwl-dsi 30a00000.mipi-dsi: Failed to create device link with regulator-lcd-1v8
+[ 0.346964] nwl-dsi 30a00000.mipi-dsi: Failed to create device link with backlight-dsi
+
+Reported-by: Martin Kepplinger
+Link: https://lore.kernel.org/lkml/2a8e407f4f18c9350f8629a2b5fa18673355b2ae.camel@puri.sm/
+Fixes: 068a00233969 ("drm: Add MIPI DSI bus support")
+Signed-off-by: Saravana Kannan
+Tested-by: Martin Kepplinger
+Link: https://lore.kernel.org/r/20230310063910.2474472-1-saravanak@google.com
+Signed-off-by: Maxime Ripard
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_mipi_dsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
+index b942c69e9b489..17a96f1d9234c 100644
+--- a/drivers/gpu/drm/drm_mipi_dsi.c
++++ b/drivers/gpu/drm/drm_mipi_dsi.c
+@@ -221,7 +221,7 @@ mipi_dsi_device_register_full(struct mipi_dsi_host *host,
+ return dsi;
+ }
+
+- dsi->dev.of_node = info->node;
++ device_set_node(&dsi->dev, of_fwnode_handle(info->node));
+ dsi->channel = info->channel;
+ strlcpy(dsi->name, info->type, sizeof(dsi->name));
+
+--
+2.39.2
+
diff --git a/queue-5.4/ipvlan-fix-out-of-bounds-caused-by-unclear-skb-cb.patch b/queue-5.4/ipvlan-fix-out-of-bounds-caused-by-unclear-skb-cb.patch
new file mode 100644
index 00000000000..234abf6212b
--- /dev/null
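Review bot: the new call `device_set_node(&dsi->dev, of_fwnode_handle(info->node))` depends on the helper introduced by the "driver core: add a helper to setup both the of_node and fwnode" patch queued just before it, so the two must be applied together or this file will not build; the backport message should say that explicitly, because the motivating fw_devlink cycle-detection change (3fb16866b51d) is not in 5.4, which makes the benefit here consistency with later trees rather than the error in the log excerpt. The behavioural difference for hosts that register with `info->node == NULL` hinges on `of_fwnode_handle(NULL)` producing NULL (I believe it does, and with CONFIG_OF disabled the macro collapses to NULL outright), in which case of_node stays NULL as before; that is the case worth checking on a !CONFIG_OF build. mipi_dsi_device_register_full() starts before and ends after the hunk.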
+++ b/queue-5.4/ipvlan-fix-out-of-bounds-caused-by-unclear-skb-cb.patch 
@@ -0,0 +1,172 @@ +From 9976ba3a8a23587b1c412e28c521c1171cf64192 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 11:50:44 +0800 +Subject: ipvlan:Fix out-of-bounds caused by unclear skb->cb + +From: t.feng + +[ Upstream commit 90cbed5247439a966b645b34eb0a2e037836ea8e ] + +If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which +is actually skb->cb, and IPCB(skb_in)->opt will be used in +__ip_options_echo. It is possible that memcpy is out of bounds and lead +to stack overflow. +We should clear skb->cb before ip_local_out or ip6_local_out. + +v2: +1. clean the stack info +2. use IPCB/IP6CB instead of skb->cb + +crash on stable-5.10(reproduce in kasan kernel). +Stack info: +[ 2203.651571] BUG: KASAN: stack-out-of-bounds in +__ip_options_echo+0x589/0x800 +[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task +swapper/3/0 +[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted +5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1 +[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014 +[ 2203.655475] Call Trace: +[ 2203.655481] +[ 2203.655501] dump_stack+0x9c/0xd3 +[ 2203.655514] print_address_description.constprop.0+0x19/0x170 +[ 2203.655530] __kasan_report.cold+0x6c/0x84 +[ 2203.655586] kasan_report+0x3a/0x50 +[ 2203.655594] check_memory_region+0xfd/0x1f0 +[ 2203.655601] memcpy+0x39/0x60 +[ 2203.655608] __ip_options_echo+0x589/0x800 +[ 2203.655654] __icmp_send+0x59a/0x960 +[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4] +[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT] +[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables] +[ 2203.655821] nf_hook_slow+0x69/0x100 +[ 2203.655828] __ip_local_out+0x21e/0x2b0 +[ 2203.655857] ip_local_out+0x28/0x90 +[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan] +[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan] +[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan] 
+[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan] +[ 2203.655984] xmit_one.constprop.0+0xe1/0x280 +[ 2203.655992] dev_hard_start_xmit+0x62/0x100 +[ 2203.656000] sch_direct_xmit+0x215/0x640 +[ 2203.656028] __qdisc_run+0x153/0x1f0 +[ 2203.656069] __dev_queue_xmit+0x77f/0x1030 +[ 2203.656173] ip_finish_output2+0x59b/0xc20 +[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0 +[ 2203.656312] ip_finish_output+0x168/0x190 +[ 2203.656320] ip_output+0x12d/0x220 +[ 2203.656357] __ip_queue_xmit+0x392/0x880 +[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0 +[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30 +[ 2203.656505] tcp_retransmit_skb+0x2d/0x190 +[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0 +[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510 +[ 2203.656529] tcp_write_timer+0x55/0x180 +[ 2203.656542] call_timer_fn+0x3f/0x1d0 +[ 2203.656555] expire_timers+0x160/0x200 +[ 2203.656562] run_timer_softirq+0x1f4/0x480 +[ 2203.656606] __do_softirq+0xfd/0x402 +[ 2203.656613] asm_call_irq_on_stack+0x12/0x20 +[ 2203.656617] +[ 2203.656623] do_softirq_own_stack+0x37/0x50 +[ 2203.656631] irq_exit_rcu+0x134/0x1a0 +[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80 +[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20 +[ 2203.656654] RIP: 0010:default_idle+0x13/0x20 +[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc +cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb +f4 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08 +[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256 +[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX: +ffffffffaf290191 +[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI: +ffff88811a3c4f60 +[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09: +ffff88811a3c4f63 +[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12: +0000000000000003 +[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15: +0000000000000000 +[ 2203.656729] 
default_idle_call+0x5a/0x150 +[ 2203.656735] cpuidle_idle_call+0x1c6/0x220 +[ 2203.656780] do_idle+0xab/0x100 +[ 2203.656786] cpu_startup_entry+0x19/0x20 +[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb + +[ 2203.657409] The buggy address belongs to the page: +[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0 +mapping:0000000000000000 index:0x0 pfn:0x11a388 +[ 2203.658665] flags: +0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff) +[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208 +0000000000000000 +[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff +0000000000000000 +[ 2203.658686] page dumped because: kasan: bad access detected + +To reproduce(ipvlan with IPVLAN_MODE_L3): +Env setting: +======================================================= +modprobe ipvlan ipvlan_default_mode=1 +sysctl net.ipv4.conf.eth0.forwarding=1 +iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j +MASQUERADE +ip link add gw link eth0 type ipvlan +ip -4 addr add 20.0.0.254/24 dev gw +ip netns add net1 +ip link add ipv1 link eth0 type ipvlan +ip link set ipv1 netns net1 +ip netns exec net1 ip link set ipv1 up +ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1 +ip netns exec net1 route add default gw 20.0.0.254 +ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10% +ifconfig gw up +iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with +icmp-port-unreachable +======================================================= +And then excute the shell(curl any address of eth0 can reach): + +for((i=1;i<=100000;i++)) +do + ip netns exec net1 curl x.x.x.x:8888 +done +======================================================= + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: "t.feng" +Suggested-by: Florian Westphal +Reviewed-by: Paolo Abeni +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index a33149ee0ddcf..0a5b5ff597c6f 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -437,6 +437,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, &rt->dst); ++ ++ memset(IPCB(skb), 0, sizeof(*IPCB(skb))); ++ + err = ip_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +@@ -475,6 +478,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, dst); ++ ++ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); ++ + err = ip6_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +-- +2.39.2 + diff --git a/queue-5.4/linux-dim-do-nothing-if-no-time-delta-between-sample.patch b/queue-5.4/linux-dim-do-nothing-if-no-time-delta-between-sample.patch new file mode 100644 index 00000000000..95ca8c1d294 --- /dev/null +++ b/queue-5.4/linux-dim-do-nothing-if-no-time-delta-between-sample.patch 
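Review bot: the two added `memset(IPCB(skb), 0, sizeof(*IPCB(skb)))` / `memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)))` lines are the whole fix but carry no comment, and the reason is not obvious from the call site: by the time an skb reaches ipvlan_process_v4/v6_outbound() its cb area can still hold qdisc state written on the upper device (the trace shows fq_skb_cb overlapping IPCB), and ip_local_out()/netfilter then read that as IPCB(skb)->opt, which is how __ip_options_echo()'s memcpy() ran off the stack. I would add above each memset `/* skb->cb may still hold qdisc state from the upper device; ip_local_out() interprets it as IPCB(), so clear it */`. Note the clear also discards any IPCB/IP6CB flags set earlier on this skb; presumably nothing on this L3 re-injection path depends on them, but that is worth confirming rather than assuming. Both functions start before the hunk.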
@@ -0,0 +1,108 @@ +From b33bc9ccf3422c8d0d1aa57d2759c37e46655d9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 16:57:43 +0300 +Subject: linux/dim: Do nothing if no time delta between samples + +From: Roy Novich + +[ Upstream commit 162bd18eb55adf464a0fa2b4144b8d61c75ff7c2 ] + +Add return value for dim_calc_stats. This is an indication for the +caller if curr_stats was assigned by the function. Avoid using +curr_stats uninitialized over {rdma/net}_dim, when no time delta between +samples. Coverity reported this potential use of an uninitialized +variable. + +Fixes: 4c4dbb4a7363 ("net/mlx5e: Move dynamic interrupt coalescing code to include/linux") +Fixes: cb3c7fd4f839 ("net/mlx5e: Support adaptive RX coalescing") +Signed-off-by: Roy Novich +Reviewed-by: Aya Levin +Reviewed-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Reviewed-by: Leon Romanovsky +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/20230507135743.138993-1-tariqt@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/linux/dim.h | 3 ++- + lib/dim/dim.c | 5 +++-- + lib/dim/net_dim.c | 3 ++- + lib/dim/rdma_dim.c | 3 ++- + 4 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/include/linux/dim.h b/include/linux/dim.h +index 2571da63877c5..ad5f219ce2ff2 100644 +--- a/include/linux/dim.h ++++ b/include/linux/dim.h +@@ -233,8 +233,9 @@ void dim_park_tired(struct dim *dim); + * + * Calculate the delta between two samples (in data rates). + * Takes into consideration counter wrap-around. ++ * Returned boolean indicates whether curr_stats are reliable. 
+ */ +-void dim_calc_stats(struct dim_sample *start, struct dim_sample *end, ++bool dim_calc_stats(struct dim_sample *start, struct dim_sample *end, + struct dim_stats *curr_stats); + + /** +diff --git a/lib/dim/dim.c b/lib/dim/dim.c +index 38045d6d05381..e89aaf07bde50 100644 +--- a/lib/dim/dim.c ++++ b/lib/dim/dim.c +@@ -54,7 +54,7 @@ void dim_park_tired(struct dim *dim) + } + EXPORT_SYMBOL(dim_park_tired); + +-void dim_calc_stats(struct dim_sample *start, struct dim_sample *end, ++bool dim_calc_stats(struct dim_sample *start, struct dim_sample *end, + struct dim_stats *curr_stats) + { + /* u32 holds up to 71 minutes, should be enough */ +@@ -66,7 +66,7 @@ void dim_calc_stats(struct dim_sample *start, struct dim_sample *end, + start->comp_ctr); + + if (!delta_us) +- return; ++ return false; + + curr_stats->ppms = DIV_ROUND_UP(npkts * USEC_PER_MSEC, delta_us); + curr_stats->bpms = DIV_ROUND_UP(nbytes * USEC_PER_MSEC, delta_us); +@@ -79,5 +79,6 @@ void dim_calc_stats(struct dim_sample *start, struct dim_sample *end, + else + curr_stats->cpe_ratio = 0; + ++ return true; + } + EXPORT_SYMBOL(dim_calc_stats); +diff --git a/lib/dim/net_dim.c b/lib/dim/net_dim.c +index dae3b51ac3d9b..0e4f3a686f1de 100644 +--- a/lib/dim/net_dim.c ++++ b/lib/dim/net_dim.c +@@ -227,7 +227,8 @@ void net_dim(struct dim *dim, struct dim_sample end_sample) + dim->start_sample.event_ctr); + if (nevents < DIM_NEVENTS) + break; +- dim_calc_stats(&dim->start_sample, &end_sample, &curr_stats); ++ if (!dim_calc_stats(&dim->start_sample, &end_sample, &curr_stats)) ++ break; + if (net_dim_decision(&curr_stats, dim)) { + dim->state = DIM_APPLY_NEW_PROFILE; + schedule_work(&dim->work); +diff --git a/lib/dim/rdma_dim.c b/lib/dim/rdma_dim.c +index f7e26c7b4749f..d32c8b105adc9 100644 +--- a/lib/dim/rdma_dim.c ++++ b/lib/dim/rdma_dim.c +@@ -88,7 +88,8 @@ void rdma_dim(struct dim *dim, u64 completions) + nevents = curr_sample->event_ctr - dim->start_sample.event_ctr; + if (nevents < DIM_NEVENTS) + break; +- 
dim_calc_stats(&dim->start_sample, curr_sample, &curr_stats); ++ if (!dim_calc_stats(&dim->start_sample, curr_sample, &curr_stats)) ++ break; + if (rdma_dim_decision(&curr_stats, dim)) { + dim->state = DIM_APPLY_NEW_PROFILE; + schedule_work(&dim->work); +-- +2.39.2 + diff --git a/queue-5.4/net-add-vlan_get_protocol_and_depth-helper.patch b/queue-5.4/net-add-vlan_get_protocol_and_depth-helper.patch new file mode 100644 index 00000000000..bac337fa1d8 --- /dev/null +++ b/queue-5.4/net-add-vlan_get_protocol_and_depth-helper.patch 
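Review bot: the kernel-doc added to include/linux/dim.h, `Returned boolean indicates whether curr_stats are reliable.`, does not say what the false case leaves behind, and that is the point of the change: dim_calc_stats() returns false only when `delta_us` is zero and then writes nothing to @curr_stats, which is why net_dim()/rdma_dim() now `break` instead of consuming it. Use the kernel-doc return section, `* Return: true if @curr_stats was filled in; false if the samples have no` / `* time delta, in which case @curr_stats is left untouched.` As far as the hunk shows, the new `break` also leaves dim->start_sample as it was, so the next event is measured against the same start sample rather than restarting the window; if that is intended, a one-line comment at the break would save the next reader from wondering. net_dim() and rdma_dim() continue outside the hunk.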
@@ -0,0 +1,174 @@ +From 64afb2f2efc91de7e182f52993175ed622ba5ad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 13:18:57 +0000 +Subject: net: add vlan_get_protocol_and_depth() helper +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +[ Upstream commit 4063384ef762cc5946fc7a3f89879e76c6ec51e2 ] + +Before blamed commit, pskb_may_pull() was used instead +of skb_header_pointer() in __vlan_get_protocol() and friends. + +Few callers depended on skb->head being populated with MAC header, +syzbot caught one of them (skb_mac_gso_segment()) + +Add vlan_get_protocol_and_depth() to make the intent clearer +and use it where sensible. + +This is a more generic fix than commit e9d3f80935b6 +("net/af_packet: make sure to pull mac header") which was +dealing with a similar issue. + +kernel BUG at include/linux/skbuff.h:2655 ! +invalid opcode: 0000 [#1] SMP KASAN +CPU: 0 PID: 1441 Comm: syz-executor199 Not tainted 6.1.24-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 +RIP: 0010:__skb_pull include/linux/skbuff.h:2655 [inline] +RIP: 0010:skb_mac_gso_segment+0x68f/0x6a0 net/core/gro.c:136 +Code: fd 48 8b 5c 24 10 44 89 6b 70 48 c7 c7 c0 ae 0d 86 44 89 e6 e8 a1 91 d0 00 48 c7 c7 00 af 0d 86 48 89 de 31 d2 e8 d1 4a e9 ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 +RSP: 0018:ffffc90001bd7520 EFLAGS: 00010286 +RAX: ffffffff8469736a RBX: ffff88810f31dac0 RCX: ffff888115a18b00 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc90001bd75e8 R08: ffffffff84697183 R09: fffff5200037adf9 +R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000012 +R13: 000000000000fee5 R14: 0000000000005865 R15: 000000000000fed7 +FS: 000055555633f300(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000000 CR3: 0000000116fea000 CR4: 
00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +[] __skb_gso_segment+0x32d/0x4c0 net/core/dev.c:3419 +[] skb_gso_segment include/linux/netdevice.h:4819 [inline] +[] validate_xmit_skb+0x3aa/0xee0 net/core/dev.c:3725 +[] __dev_queue_xmit+0x1332/0x3300 net/core/dev.c:4313 +[] dev_queue_xmit+0x17/0x20 include/linux/netdevice.h:3029 +[] packet_snd net/packet/af_packet.c:3111 [inline] +[] packet_sendmsg+0x49d2/0x6470 net/packet/af_packet.c:3142 +[] sock_sendmsg_nosec net/socket.c:716 [inline] +[] sock_sendmsg net/socket.c:736 [inline] +[] __sys_sendto+0x472/0x5f0 net/socket.c:2139 +[] __do_sys_sendto net/socket.c:2151 [inline] +[] __se_sys_sendto net/socket.c:2147 [inline] +[] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147 +[] do_syscall_x64 arch/x86/entry/common.c:50 [inline] +[] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80 +[] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: 469aceddfa3e ("vlan: consolidate VLAN parsing code and limit max parsing depth") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Toke Høiland-Jørgensen +Cc: Willem de Bruijn +Reviewed-by: Simon Horman +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/tap.c | 4 ++-- + include/linux/if_vlan.h | 17 +++++++++++++++++ + net/bridge/br_forward.c | 2 +- + net/core/dev.c | 2 +- + net/packet/af_packet.c | 6 ++---- + 5 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/tap.c b/drivers/net/tap.c +index ffdf0e165930c..574c17aa4b09a 100644 +--- a/drivers/net/tap.c ++++ b/drivers/net/tap.c +@@ -716,7 +716,7 @@ static ssize_t tap_get_user(struct tap_queue *q, void *msg_control, + + /* Move network header to the right position for VLAN tagged packets */ + if (eth_type_vlan(skb->protocol) && +- __vlan_get_protocol(skb, skb->protocol, &depth) != 0) ++ vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0) + skb_set_network_header(skb, depth); + + rcu_read_lock(); +@@ -1177,7 +1177,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) + + /* Move network header to the right position for VLAN tagged packets */ + if (eth_type_vlan(skb->protocol) && +- __vlan_get_protocol(skb, skb->protocol, &depth) != 0) ++ vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0) + skb_set_network_header(skb, depth); + + rcu_read_lock(); +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 41a518336673b..4e7e72f3da5bd 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -626,6 +626,23 @@ static inline __be16 vlan_get_protocol(const struct sk_buff *skb) + return __vlan_get_protocol(skb, skb->protocol, NULL); + } + ++/* This version of __vlan_get_protocol() also pulls mac header in skb->head */ ++static inline __be16 vlan_get_protocol_and_depth(struct sk_buff *skb, ++ __be16 type, int *depth) ++{ ++ int maclen; ++ ++ type = __vlan_get_protocol(skb, type, &maclen); ++ ++ if (type) { ++ if (!pskb_may_pull(skb, maclen)) ++ type = 0; ++ else if (depth) ++ *depth = maclen; ++ } ++ return type; ++} ++ + /* A getter for the SKB protocol field which will handle VLAN tags consistently + * whether VLAN 
acceleration is enabled or not. + */ +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index 86637000f275d..a92d5359b5c0c 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -43,7 +43,7 @@ int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb + skb->protocol == htons(ETH_P_8021AD))) { + int depth; + +- if (!__vlan_get_protocol(skb, skb->protocol, &depth)) ++ if (!vlan_get_protocol_and_depth(skb, skb->protocol, &depth)) + goto drop; + + skb_set_network_header(skb, depth); +diff --git a/net/core/dev.c b/net/core/dev.c +index 1a4e20c4ba053..c5561c88a8364 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2936,7 +2936,7 @@ __be16 skb_network_protocol(struct sk_buff *skb, int *depth) + type = eth->h_proto; + } + +- return __vlan_get_protocol(skb, type, depth); ++ return vlan_get_protocol_and_depth(skb, type, depth); + } + + /** +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 109a848aca151..7a940f2f30671 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1876,10 +1876,8 @@ static void packet_parse_headers(struct sk_buff *skb, struct socket *sock) + /* Move network header to the right position for VLAN tagged packets */ + if (likely(skb->dev->type == ARPHRD_ETHER) && + eth_type_vlan(skb->protocol) && +- __vlan_get_protocol(skb, skb->protocol, &depth) != 0) { +- if (pskb_may_pull(skb, depth)) +- skb_set_network_header(skb, depth); +- } ++ vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0) ++ skb_set_network_header(skb, depth); + + skb_probe_transport_header(skb); + } +-- +2.39.2 + diff --git a/queue-5.4/net-annotate-sk-sk_err-write-from-do_recvmmsg.patch b/queue-5.4/net-annotate-sk-sk_err-write-from-do_recvmmsg.patch new file mode 100644 index 00000000000..b0192bbfe79 --- /dev/null +++ b/queue-5.4/net-annotate-sk-sk_err-write-from-do_recvmmsg.patch 
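Review bot: `vlan_get_protocol_and_depth()` takes a non-const `struct sk_buff *` because pskb_may_pull() may have to linearise the headers, and that call can reallocate skb->head, which is a contract difference from `__vlan_get_protocol()` that callers holding pointers into the packet need to know; the one-line comment `/* This version of __vlan_get_protocol() also pulls mac header in skb->head */` should say so. It should also document that `*depth` is only written on success — the helper reads `maclen` only when `type` is non-zero and skips the store when the pull fails, which is why tap.c and br_forward.c correctly test the return before using `depth`. Suggested replacement comment: `/* Like __vlan_get_protocol() but also pulls the MAC/VLAN headers into the linear area (may reallocate skb->head, refresh cached packet pointers). Returns 0 and leaves *depth untouched if they cannot be pulled. */`. The af_packet hunk drops its own pskb_may_pull() because the helper now performs it, so behaviour there is unchanged.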
@@ -0,0 +1,40 @@
+From 19ff7ee77b98d1294051f9a2a3a7ba96963951fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 May 2023 16:35:53 +0000
+Subject: net: annotate sk->sk_err write from do_recvmmsg()
+
+From: Eric Dumazet
+
+[ Upstream commit e05a5f510f26607616fecdd4ac136310c8bea56b ]
+
+do_recvmmsg() can write to sk->sk_err from multiple threads.
+
+As said before, many other points reading or writing sk_err
+need annotations.
+
+Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index 02feaf5bd84a3..9dd4c7ce8343a 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2723,7 +2723,7 @@ static int do_recvmmsg(int fd, struct mmsghdr __user *mmsg,
+ * error to return on the next call or if the
+ * app asks about it using getsockopt(SO_ERROR).
+ */
+- sock->sk->sk_err = -err;
++ WRITE_ONCE(sock->sk->sk_err, -err);
+ }
+ out_put:
+ fput_light(sock->file, fput_needed);
+--
+2.39.2
+
diff --git a/queue-5.4/net-datagram-fix-data-races-in-datagram_poll.patch b/queue-5.4/net-datagram-fix-data-races-in-datagram_poll.patch
new file mode 100644
index 00000000000..c9591fe929e
--- /dev/null
+++ b/queue-5.4/net-datagram-fix-data-races-in-datagram_poll.patch
@@ -0,0 +1,69 @@
+From 021c354160e601e96e1e68abeb3296b30aaa5a52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 May 2023 17:31:31 +0000
+Subject: net: datagram: fix data-races in datagram_poll()
+
+From: Eric Dumazet
+
+[ Upstream commit 5bca1d081f44c9443e61841842ce4e9179d327b6 ]
+
+datagram_poll() runs locklessly, we should add READ_ONCE()
+annotations while reading sk->sk_err, sk->sk_shutdown and sk->sk_state.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reviewed-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230509173131.3263780-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/core/datagram.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/datagram.c b/net/core/datagram.c
+index b0488f30f2c4e..a5fc44448d600 100644
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -778,18 +778,21 @@ __poll_t datagram_poll(struct file *file, struct socket *sock,
+ {
+ struct sock *sk = sock->sk;
+ __poll_t mask;
++ u8 shutdown;
+
+ sock_poll_wait(file, sock, wait);
+ mask = 0;
+
+ /* exceptional events? */
+- if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
++ if (READ_ONCE(sk->sk_err) ||
++ !skb_queue_empty_lockless(&sk->sk_error_queue))
+ mask |= EPOLLERR |
+ (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);
+
+- if (sk->sk_shutdown & RCV_SHUTDOWN)
++ shutdown = READ_ONCE(sk->sk_shutdown);
++ if (shutdown & RCV_SHUTDOWN)
+ mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
+- if (sk->sk_shutdown == SHUTDOWN_MASK)
++ if (shutdown == SHUTDOWN_MASK)
+ mask |= EPOLLHUP;
+
+ /* readable?
*/
+@@ -798,10 +801,12 @@ __poll_t datagram_poll(struct file *file, struct socket *sock,
+
+ /* Connection-based need to check for termination and startup */
+ if (connection_based(sk)) {
+- if (sk->sk_state == TCP_CLOSE)
++ int state = READ_ONCE(sk->sk_state);
++
++ if (state == TCP_CLOSE)
+ mask |= EPOLLHUP;
+ /* connection hasn't started yet? */
+- if (sk->sk_state == TCP_SYN_SENT)
++ if (state == TCP_SYN_SENT)
+ return mask;
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.4/net-fix-load-tearing-on-sk-sk_stamp-in-sock_recv_cms.patch b/queue-5.4/net-fix-load-tearing-on-sk-sk_stamp-in-sock_recv_cms.patch
new file mode 100644
index 00000000000..4bc679fcc46
--- /dev/null
+++ b/queue-5.4/net-fix-load-tearing-on-sk-sk_stamp-in-sock_recv_cms.patch
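Review bot: The two snapshots this patch introduces use different widths — `shutdown` is declared `u8` while `state` is an `int` — although both appear to be single-byte socket fields; `u8 state = READ_ONCE(sk->sk_state);` (or `int` for both) would keep the pattern uniform within one function. Reading each field once into a local is the right shape here, since the pair of shutdown tests and the pair of state tests now evaluate one consistent value instead of two independent lockless loads. The "readable?" and writable sections of `datagram_poll()` lie between the two hunks and are not visible, so whether they carry further unannotated reads cannot be judged from this patch.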
@@ -0,0 +1,82 @@
+From 630974577e55d07c8e56fe112ff7358fd9d8d018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 8 May 2023 10:55:43 -0700
+Subject: net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit dfd9248c071a3710c24365897459538551cb7167 ]
+
+KCSAN found a data race in sock_recv_cmsgs() where the read access
+to sk->sk_stamp needs READ_ONCE().
+
+BUG: KCSAN: data-race in packet_recvmsg / packet_recvmsg
+
+write (marked) to 0xffff88803c81f258 of 8 bytes by task 19171 on cpu 0:
+ sock_write_timestamp include/net/sock.h:2670 [inline]
+ sock_recv_cmsgs include/net/sock.h:2722 [inline]
+ packet_recvmsg+0xb97/0xd00 net/packet/af_packet.c:3489
+ sock_recvmsg_nosec net/socket.c:1019 [inline]
+ sock_recvmsg+0x11a/0x130 net/socket.c:1040
+ sock_read_iter+0x176/0x220 net/socket.c:1118
+ call_read_iter include/linux/fs.h:1845 [inline]
+ new_sync_read fs/read_write.c:389 [inline]
+ vfs_read+0x5e0/0x630 fs/read_write.c:470
+ ksys_read+0x163/0x1a0 fs/read_write.c:613
+ __do_sys_read fs/read_write.c:623 [inline]
+ __se_sys_read fs/read_write.c:621 [inline]
+ __x64_sys_read+0x41/0x50 fs/read_write.c:621
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+read to 0xffff88803c81f258 of 8 bytes by task 19183 on cpu 1:
+ sock_recv_cmsgs include/net/sock.h:2721 [inline]
+ packet_recvmsg+0xb64/0xd00 net/packet/af_packet.c:3489
+ sock_recvmsg_nosec net/socket.c:1019 [inline]
+ sock_recvmsg+0x11a/0x130 net/socket.c:1040
+ sock_read_iter+0x176/0x220 net/socket.c:1118
+ call_read_iter include/linux/fs.h:1845 [inline]
+ new_sync_read fs/read_write.c:389 [inline]
+ vfs_read+0x5e0/0x630 fs/read_write.c:470
+ ksys_read+0x163/0x1a0 fs/read_write.c:613
+ __do_sys_read fs/read_write.c:623 [inline]
+ __se_sys_read fs/read_write.c:621 [inline]
+ __x64_sys_read+0x41/0x50 fs/read_write.c:621
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+value changed: 0xffffffffc4653600 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 19183 Comm: syz-executor.5 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 6c7c98bad488 ("sock: avoid dirtying sk_stamp, if possible")
+Reported-by: syzbot
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230508175543.55756-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/sock.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 26dd07e47a7c7..fa19c6ba24441 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2448,7 +2448,7 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
+ __sock_recv_ts_and_drops(msg, sk, skb);
+ else if (unlikely(sock_flag(sk, SOCK_TIMESTAMP)))
+ sock_write_timestamp(sk, skb->tstamp);
+- else if (unlikely(sk->sk_stamp == SK_DEFAULT_STAMP))
++ else if (unlikely(sock_read_timestamp(sk) == SK_DEFAULT_STAMP))
+ sock_write_timestamp(sk, 0);
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.4/net-tap-check-vlan-with-eth_type_vlan-method.patch b/queue-5.4/net-tap-check-vlan-with-eth_type_vlan-method.patch
new file mode 100644
index 00000000000..e0dd36c79ee
--- /dev/null
+++ b/queue-5.4/net-tap-check-vlan-with-eth_type_vlan-method.patch
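Review bot: The backported hunk lands in `sock_recv_ts_and_drops()` while the subject, the commit message and the KCSAN trace all refer to `sock_recv_cmsgs()`, which is the later name of that helper; a one-line backport note such as `[ 5.4: the helper is still named sock_recv_ts_and_drops() ]` in the message would save the next reader a detour. The fix itself relies on `sock_read_timestamp()` being present in the 5.4 `include/net/sock.h`, which the hunk does not show and should be confirmed for the build. The remaining check-then-write (`== SK_DEFAULT_STAMP` followed by `sock_write_timestamp(sk, 0)`) can still race between two readers, but both would store the same value, so that appears benign and is outside what this patch claims to fix.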
@@ -0,0 +1,48 @@
+From a32d59acac9e839183bc41e6c3062b8d07c745b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Jan 2021 18:32:38 -0800
+Subject: net: tap: check vlan with eth_type_vlan() method
+
+From: Menglong Dong
+
+[ Upstream commit b69df2608281b71575fbb3b9f426dbcc4be8a700 ]
+
+Replace some checks for ETH_P_8021Q and ETH_P_8021AD in
+drivers/net/tap.c with eth_type_vlan.
+
+Signed-off-by: Menglong Dong
+Link: https://lore.kernel.org/r/20210115023238.4681-1-dong.menglong@zte.com.cn
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 4063384ef762 ("net: add vlan_get_protocol_and_depth() helper")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/tap.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/tap.c b/drivers/net/tap.c
+index a522d1673fa87..ffdf0e165930c 100644
+--- a/drivers/net/tap.c
++++ b/drivers/net/tap.c
+@@ -715,8 +715,7 @@ static ssize_t tap_get_user(struct tap_queue *q, void *msg_control,
+ skb_probe_transport_header(skb);
+
+ /* Move network header to the right position for VLAN tagged packets */
+- if ((skb->protocol == htons(ETH_P_8021Q) ||
+- skb->protocol == htons(ETH_P_8021AD)) &&
++ if (eth_type_vlan(skb->protocol) &&
+ __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
+ skb_set_network_header(skb, depth);
+
+@@ -1177,8 +1176,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
+ }
+
+ /* Move network header to the right position for VLAN tagged packets */
+- if ((skb->protocol == htons(ETH_P_8021Q) ||
+- skb->protocol == htons(ETH_P_8021AD)) &&
++ if (eth_type_vlan(skb->protocol) &&
+ __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
+ skb_set_network_header(skb, depth);
+
+--
+2.39.2
+
diff --git a/queue-5.4/netfilter-conntrack-fix-possible-bug_on-with-enable_.patch b/queue-5.4/netfilter-conntrack-fix-possible-bug_on-with-enable_.patch
new file mode 100644
index 00000000000..858c4d534bb
--- /dev/null
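Review bot: In both hunks the `depth` that `__vlan_get_protocol()` returns is handed straight to `skb_set_network_header(skb, depth)` with no `pskb_may_pull(skb, depth)`, so for a non-linear skb the network header offset can land beyond the linear data; this commit only swaps the protocol test and leaves that as it was. That gap is closed later in this same queue by `net-add-vlan_get_protocol_and_depth-helper.patch`, whose `vlan_get_protocol_and_depth()` pulls the MAC header before reporting a depth, which is why this patch is listed as its stable dependency and the two must stay in that order in `series`. The enclosing functions `tap_get_user()` and `tap_get_user_xdp()` both continue outside the hunk.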
+++ b/queue-5.4/netfilter-conntrack-fix-possible-bug_on-with-enable_.patch 
@@ -0,0 +1,77 @@
+From e0935f4084a56daa446d2eeb35df403e4b73ddf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 May 2023 14:55:02 +0200
+Subject: netfilter: conntrack: fix possible bug_on with enable_hooks=1
+
+From: Florian Westphal
+
+[ Upstream commit e72eeab542dbf4f544e389e64fa13b82a1b6d003 ]
+
+I received a bug report (no reproducer so far) where we trip over
+
+712 rcu_read_lock();
+713 ct_hook = rcu_dereference(nf_ct_hook);
+714 BUG_ON(ct_hook == NULL); // here
+
+In nf_conntrack_destroy().
+
+First turn this BUG_ON into a WARN. I think it was triggered
+via enable_hooks=1 flag.
+
+When this flag is turned on, the conntrack hooks are registered
+before nf_ct_hook pointer gets assigned.
+This opens a short window where packets enter the conntrack machinery,
+can have skb->_nfct set up and a subsequent kfree_skb might occur
+before nf_ct_hook is set.
+
+Call nf_conntrack_init_end() to set nf_ct_hook before we register the
+pernet ops.
+
+Fixes: ba3fbe663635 ("netfilter: nf_conntrack: provide modparam to always register conntrack hooks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/core.c | 6 ++++--
+ net/netfilter/nf_conntrack_standalone.c | 3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/core.c b/net/netfilter/core.c
+index 451b2df998ea7..c35f45afd394d 100644
+--- a/net/netfilter/core.c
++++ b/net/netfilter/core.c
+@@ -577,9 +577,11 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct)
+
+ rcu_read_lock();
+ ct_hook = rcu_dereference(nf_ct_hook);
+- BUG_ON(ct_hook == NULL);
+- ct_hook->destroy(nfct);
++ if (ct_hook)
++ ct_hook->destroy(nfct);
+ rcu_read_unlock();
++
++ WARN_ON(!ct_hook);
+ }
+ EXPORT_SYMBOL(nf_conntrack_destroy);
+
+diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
+index 43c3c3be6defc..1e3dbed9d7840 100644
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -1180,11 +1180,12 @@ static int __init nf_conntrack_standalone_init(void)
+ nf_conntrack_htable_size_user = nf_conntrack_htable_size;
+ #endif
+
++ nf_conntrack_init_end();
++
+ ret = register_pernet_subsys(&nf_conntrack_net_ops);
+ if (ret < 0)
+ goto out_pernet;
+
+- nf_conntrack_init_end();
+ return 0;
+
+ out_pernet:
+--
+2.39.2
+
diff --git a/queue-5.4/netlink-annotate-accesses-to-nlk-cb_running.patch b/queue-5.4/netlink-annotate-accesses-to-nlk-cb_running.patch
new file mode 100644
index 00000000000..013b1e3bcd4
--- /dev/null
+++ b/queue-5.4/netlink-annotate-accesses-to-nlk-cb_running.patch
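Review bot: When `ct_hook` is NULL the new branch in `nf_conntrack_destroy()` skips `ct_hook->destroy(nfct)`, so the conntrack reference carried in `nfct` is never released; trading the BUG_ON for a leak plus `WARN_ON` is the intended choice here, but the added `if (ct_hook)` deserves a comment recording it, e.g. `/* nf_ct_hook not published yet (enable_hooks=1 window): leak nfct rather than crash */`. In the second hunk `nf_conntrack_init_end()` now publishes `nf_ct_hook` before `register_pernet_subsys()`, so the `out_pernet` error path — whose body lies outside the hunk — must still unpublish the hook pointer when registration fails; if it only unwinds what this function set up before the move, a failed module init would leave `nf_ct_hook` pointing at code about to be unloaded, which should be confirmed against the 5.4 tree.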
@@ -0,0 +1,109 @@ +From ca1270c53be34901ceab21a51b44286d7bca8a9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 16:56:34 +0000 +Subject: netlink: annotate accesses to nlk->cb_running + +From: Eric Dumazet + +[ Upstream commit a939d14919b799e6fff8a9c80296ca229ba2f8a4 ] + +Both netlink_recvmsg() and netlink_native_seq_show() read +nlk->cb_running locklessly. Use READ_ONCE() there. + +Add corresponding WRITE_ONCE() to netlink_dump() and +__netlink_dump_start() + +syzbot reported: +BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg + +write to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0: +__netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399 +netlink_dump_start include/linux/netlink.h:308 [inline] +rtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130 +netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577 +rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +sock_write_iter+0x1aa/0x230 net/socket.c:1138 +call_write_iter include/linux/fs.h:1851 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x463/0x760 fs/read_write.c:584 +ksys_write+0xeb/0x1a0 fs/read_write.c:637 +__do_sys_write fs/read_write.c:649 [inline] +__se_sys_write fs/read_write.c:646 [inline] +__x64_sys_write+0x42/0x50 fs/read_write.c:646 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1: +netlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022 +sock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017 +____sys_recvmsg+0x2db/0x310 net/socket.c:2718 +___sys_recvmsg net/socket.c:2762 [inline] +do_recvmmsg+0x2e5/0x710 
net/socket.c:2856 +__sys_recvmmsg net/socket.c:2935 [inline] +__do_sys_recvmmsg net/socket.c:2958 [inline] +__se_sys_recvmmsg net/socket.c:2951 [inline] +__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00 -> 0x01 + +Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 00f040fb46b9c..31a3a562854fc 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1991,7 +1991,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + + skb_free_datagram(sk, skb); + +- if (nlk->cb_running && ++ if (READ_ONCE(nlk->cb_running) && + atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) { + ret = netlink_dump(sk); + if (ret) { +@@ -2284,7 +2284,7 @@ static int netlink_dump(struct sock *sk) + if (cb->done) + cb->done(cb); + +- nlk->cb_running = false; ++ WRITE_ONCE(nlk->cb_running, false); + module = cb->module; + skb = cb->skb; + mutex_unlock(nlk->cb_mutex); +@@ -2347,7 +2347,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + goto error_put; + } + +- nlk->cb_running = true; ++ WRITE_ONCE(nlk->cb_running, true); + nlk->dump_done_errno = INT_MAX; + + mutex_unlock(nlk->cb_mutex); +@@ -2636,7 +2636,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) + nlk->groups ? (u32)nlk->groups[0] : 0, + sk_rmem_alloc_get(s), + sk_wmem_alloc_get(s), +- nlk->cb_running, ++ READ_ONCE(nlk->cb_running), + refcount_read(&s->sk_refcnt), + atomic_read(&s->sk_drops), + sock_i_ino(s) +-- +2.39.2 + 
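Review bot: The `READ_ONCE(nlk->cb_running)` added in `netlink_recvmsg()` is a lockless hint rather than a synchronised decision: the action it gates, `netlink_dump(sk)`, runs under `cb_mutex` (the second hunk shows the matching `mutex_unlock(nlk->cb_mutex)`), so a stale value can only cost a spurious or a deferred dump attempt. A one-line comment on that condition, e.g. `/* lockless hint; netlink_dump() re-checks under cb_mutex */`, would tell later readers why no lock is taken here; whether `netlink_dump()` re-validates `cb_running` after taking the mutex is not visible in this hunk and should be confirmed before that wording is used. The `seq_show` read in the last hunk is likewise a best-effort diagnostic value and needs no further synchronisation.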
diff --git a/queue-5.4/series b/queue-5.4/series
index e69de29bb2d..6384f2e7478 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -0,0 +1,14 @@
+driver-core-add-a-helper-to-setup-both-the-of_node-a.patch
+drm-mipi-dsi-set-the-fwnode-for-mipi_dsi_device.patch
+arm-9296-1-hp-jornada-7xx-fix-kernel-doc-warnings.patch
+linux-dim-do-nothing-if-no-time-delta-between-sample.patch
+net-fix-load-tearing-on-sk-sk_stamp-in-sock_recv_cms.patch
+netfilter-conntrack-fix-possible-bug_on-with-enable_.patch
+netlink-annotate-accesses-to-nlk-cb_running.patch
+net-annotate-sk-sk_err-write-from-do_recvmmsg.patch
+net-tap-check-vlan-with-eth_type_vlan-method.patch
+net-add-vlan_get_protocol_and_depth-helper.patch
+ipvlan-fix-out-of-bounds-caused-by-unclear-skb-cb.patch
+net-datagram-fix-data-races-in-datagram_poll.patch
+af_unix-fix-a-data-race-of-sk-sk_receive_queue-qlen.patch
+af_unix-fix-data-races-around-sk-sk_shutdown.patch