From: Sasha Levin Date: Wed, 23 Nov 2022 00:41:30 +0000 (-0500) Subject: Drop l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch X-Git-Tag: v4.19.266~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9164c35a3ca6a23ae7fd5f96ea0322045ddfbd5b;p=thirdparty%2Fkernel%2Fstable-queue.git Drop l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch b/queue-5.10/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch deleted file mode 100644 index a219a19c8d0..00000000000 --- a/queue-5.10/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 6e121ef3f53982e168e775c4dececf3a2556c0fb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 14 Nov 2022 20:16:19 +0100 -Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock - -From: Jakub Sitnicki - -[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ] - -sk->sk_user_data has multiple users, which are not compatible with each -other. Writers must synchronize by grabbing the sk->sk_callback_lock. - -l2tp currently fails to grab the lock when modifying the underlying tunnel -socket fields. Fix it by adding appropriate locking. - -We err on the side of safety and grab the sk_callback_lock also inside the -sk_destruct callback overridden by l2tp, even though there should be no -refs allowing access to the sock at the time when sk_destruct gets called. - -v4: -- serialize write to sk_user_data in l2tp sk_destruct - -v3: -- switch from sock lock to sk_callback_lock -- document write-protection for sk_user_data - -v2: -- update Fixes to point to origin of the bug -- use real names in Reported/Tested-by tags - -Cc: Tom Parkin -Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") -Reported-by: Haowei Yan -Signed-off-by: Jakub Sitnicki -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - include/net/sock.h | 2 +- - net/l2tp/l2tp_core.c | 19 +++++++++++++------ - 2 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/include/net/sock.h b/include/net/sock.h -index 90a8b8b26a20..69bbbe8bbf34 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -315,7 +315,7 @@ struct bpf_local_storage; - * @sk_tskey: counter to disambiguate concurrent tstamp requests - * @sk_zckey: counter to order MSG_ZEROCOPY notifications - * @sk_socket: Identd and reporting IO signals -- * @sk_user_data: RPC layer private data -+ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock. - * @sk_frag: cached page frag - * @sk_peek_off: current peek_offset value - * @sk_send_head: front of stuff to transmit -diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c -index dc8987ed08ad..e89852bc5309 100644 ---- a/net/l2tp/l2tp_core.c -+++ b/net/l2tp/l2tp_core.c -@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk) - } - - /* Remove hooks into tunnel socket */ -+ write_lock_bh(&sk->sk_callback_lock); - sk->sk_destruct = tunnel->old_sk_destruct; - sk->sk_user_data = NULL; -+ write_unlock_bh(&sk->sk_callback_lock); - - /* Call the original destructor */ - if (sk->sk_destruct) -@@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - sock = sockfd_lookup(tunnel->fd, &ret); - if (!sock) - goto err; -- -- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap); -- if (ret < 0) -- goto err_sock; - } - -+ sk = sock->sk; -+ write_lock(&sk->sk_callback_lock); -+ -+ ret = l2tp_validate_socket(sk, net, tunnel->encap); -+ if (ret < 0) -+ goto err_sock; -+ - tunnel->l2tp_net = net; - pn = l2tp_pernet(net); - -- sk = sock->sk; - sock_hold(sk); - tunnel->sock = sk; - -@@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - - setup_udp_tunnel_sock(net, sock, &udp_cfg); - } else { -- sk->sk_user_data = tunnel; -+ rcu_assign_sk_user_data(sk, tunnel); - } - - tunnel->old_sk_destruct = sk->sk_destruct; -@@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - if (tunnel->fd >= 0) - sockfd_put(sock); - -+ write_unlock(&sk->sk_callback_lock); - return 0; - - err_sock: -@@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - sock_release(sock); - else - sockfd_put(sock); -+ -+ write_unlock(&sk->sk_callback_lock); - err: - return ret; - } --- -2.35.1 - diff --git a/queue-5.10/series b/queue-5.10/series index e909a1dcf68..f5b76aa9744 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -126,7 +126,6 @@ perf-x86-intel-pt-fix-sampling-using-single-range-output.patch nvme-restrict-management-ioctls-to-admin.patch nvme-ensure-subsystem-reset-is-single-threaded.patch net-fix-a-concurrency-bug-in-l2tp_tunnel_register.patch -l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch ring-buffer-include-dropped-pages-in-counting-dirty-.patch usbnet-smsc95xx-fix-deadlock-on-runtime-resume.patch stddef-introduce-struct_group-helper-macro.patch diff --git a/queue-5.15/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch b/queue-5.15/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch deleted file mode 100644 index 37c956483bd..00000000000 --- a/queue-5.15/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 66cc0051914a5ae7ce96f56e9cfda4edb8f8fe3f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 14 Nov 2022 20:16:19 +0100 -Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock - -From: Jakub Sitnicki - -[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ] - -sk->sk_user_data has multiple users, which are not compatible with each -other. Writers must synchronize by grabbing the sk->sk_callback_lock. - -l2tp currently fails to grab the lock when modifying the underlying tunnel -socket fields. Fix it by adding appropriate locking. - -We err on the side of safety and grab the sk_callback_lock also inside the -sk_destruct callback overridden by l2tp, even though there should be no -refs allowing access to the sock at the time when sk_destruct gets called. - -v4: -- serialize write to sk_user_data in l2tp sk_destruct - -v3: -- switch from sock lock to sk_callback_lock -- document write-protection for sk_user_data - -v2: -- update Fixes to point to origin of the bug -- use real names in Reported/Tested-by tags - -Cc: Tom Parkin -Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") -Reported-by: Haowei Yan -Signed-off-by: Jakub Sitnicki -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - include/net/sock.h | 2 +- - net/l2tp/l2tp_core.c | 19 +++++++++++++------ - 2 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/include/net/sock.h b/include/net/sock.h -index e1a303e4f0f7..3e9db5146765 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -323,7 +323,7 @@ struct bpf_local_storage; - * @sk_tskey: counter to disambiguate concurrent tstamp requests - * @sk_zckey: counter to order MSG_ZEROCOPY notifications - * @sk_socket: Identd and reporting IO signals -- * @sk_user_data: RPC layer private data -+ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock. - * @sk_frag: cached page frag - * @sk_peek_off: current peek_offset value - * @sk_send_head: front of stuff to transmit -diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c -index 93271a2632b8..c77032638a06 100644 ---- a/net/l2tp/l2tp_core.c -+++ b/net/l2tp/l2tp_core.c -@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk) - } - - /* Remove hooks into tunnel socket */ -+ write_lock_bh(&sk->sk_callback_lock); - sk->sk_destruct = tunnel->old_sk_destruct; - sk->sk_user_data = NULL; -+ write_unlock_bh(&sk->sk_callback_lock); - - /* Call the original destructor */ - if (sk->sk_destruct) -@@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - sock = sockfd_lookup(tunnel->fd, &ret); - if (!sock) - goto err; -- -- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap); -- if (ret < 0) -- goto err_sock; - } - -+ sk = sock->sk; -+ write_lock(&sk->sk_callback_lock); -+ -+ ret = l2tp_validate_socket(sk, net, tunnel->encap); -+ if (ret < 0) -+ goto err_sock; -+ - tunnel->l2tp_net = net; - pn = l2tp_pernet(net); - -- sk = sock->sk; - sock_hold(sk); - tunnel->sock = sk; - -@@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - - setup_udp_tunnel_sock(net, sock, &udp_cfg); - } else { -- sk->sk_user_data = tunnel; -+ rcu_assign_sk_user_data(sk, tunnel); - } - - tunnel->old_sk_destruct = sk->sk_destruct; -@@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - if (tunnel->fd >= 0) - sockfd_put(sock); - -+ write_unlock(&sk->sk_callback_lock); - return 0; - - err_sock: -@@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - sock_release(sock); - else - sockfd_put(sock); -+ -+ write_unlock(&sk->sk_callback_lock); - err: - return ret; - } --- -2.35.1 - diff --git a/queue-5.15/series b/queue-5.15/series index e38e52b982e..25923c5a455 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -158,7 +158,6 @@ nvme-restrict-management-ioctls-to-admin.patch nvme-ensure-subsystem-reset-is-single-threaded.patch serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch perf-improve-missing-sigtrap-checking.patch -l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch ring-buffer-include-dropped-pages-in-counting-dirty-.patch tracing-fix-warning-on-variable-struct-trace_array.patch net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch diff --git a/queue-6.0/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch b/queue-6.0/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch deleted file mode 100644 index 2d0eb1cec4b..00000000000 --- a/queue-6.0/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 1ea60c1db42da0b5b40eb7e9bf8d5937f6f475cc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 14 Nov 2022 20:16:19 +0100 -Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock - -From: Jakub Sitnicki - -[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ] - -sk->sk_user_data has multiple users, which are not compatible with each -other. Writers must synchronize by grabbing the sk->sk_callback_lock. - -l2tp currently fails to grab the lock when modifying the underlying tunnel -socket fields. Fix it by adding appropriate locking. - -We err on the side of safety and grab the sk_callback_lock also inside the -sk_destruct callback overridden by l2tp, even though there should be no -refs allowing access to the sock at the time when sk_destruct gets called. - -v4: -- serialize write to sk_user_data in l2tp sk_destruct - -v3: -- switch from sock lock to sk_callback_lock -- document write-protection for sk_user_data - -v2: -- update Fixes to point to origin of the bug -- use real names in Reported/Tested-by tags - -Cc: Tom Parkin -Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") -Reported-by: Haowei Yan -Signed-off-by: Jakub Sitnicki -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - include/net/sock.h | 2 +- - net/l2tp/l2tp_core.c | 19 +++++++++++++------ - 2 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/include/net/sock.h b/include/net/sock.h -index f6e6838c82df..03a4ebe3ccc8 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -323,7 +323,7 @@ struct sk_filter; - * @sk_tskey: counter to disambiguate concurrent tstamp requests - * @sk_zckey: counter to order MSG_ZEROCOPY notifications - * @sk_socket: Identd and reporting IO signals -- * @sk_user_data: RPC layer private data -+ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock. - * @sk_frag: cached page frag - * @sk_peek_off: current peek_offset value - * @sk_send_head: front of stuff to transmit -diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c -index 7499c51b1850..754fdda8a5f5 100644 ---- a/net/l2tp/l2tp_core.c -+++ b/net/l2tp/l2tp_core.c -@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk) - } - - /* Remove hooks into tunnel socket */ -+ write_lock_bh(&sk->sk_callback_lock); - sk->sk_destruct = tunnel->old_sk_destruct; - sk->sk_user_data = NULL; -+ write_unlock_bh(&sk->sk_callback_lock); - - /* Call the original destructor */ - if (sk->sk_destruct) -@@ -1469,16 +1471,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - sock = sockfd_lookup(tunnel->fd, &ret); - if (!sock) - goto err; -- -- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap); -- if (ret < 0) -- goto err_sock; - } - -+ sk = sock->sk; -+ write_lock(&sk->sk_callback_lock); -+ -+ ret = l2tp_validate_socket(sk, net, tunnel->encap); -+ if (ret < 0) -+ goto err_sock; -+ - tunnel->l2tp_net = net; - pn = l2tp_pernet(net); - -- sk = sock->sk; - sock_hold(sk); - tunnel->sock = sk; - -@@ -1504,7 +1508,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - - setup_udp_tunnel_sock(net, sock, &udp_cfg); - } else { -- sk->sk_user_data = tunnel; -+ rcu_assign_sk_user_data(sk, tunnel); - } - - tunnel->old_sk_destruct = sk->sk_destruct; -@@ -1518,6 +1522,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - if (tunnel->fd >= 0) - sockfd_put(sock); - -+ write_unlock(&sk->sk_callback_lock); - return 0; - - err_sock: -@@ -1525,6 +1530,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, - sock_release(sock); - else - sockfd_put(sock); -+ -+ write_unlock(&sk->sk_callback_lock); - err: - return ret; - } --- -2.35.1 - diff --git a/queue-6.0/series b/queue-6.0/series index f5f1295b212..cb4208817c1 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -285,7 +285,6 @@ perf-improve-missing-sigtrap-checking.patch vfio-rename-vfio_ioctl_check_extension.patch vfio-split-the-register_device-ops-call-into-functio.patch perf-x86-amd-fix-crash-due-to-race-between-amd_pmu_e.patch -l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch ring-buffer-include-dropped-pages-in-counting-dirty-.patch tracing-fix-warning-on-variable-struct-trace_array.patch net-usb-smsc95xx-fix-external-phy-reset.patch