From: Sasha Levin
Date: Sat, 22 Jun 2024 23:36:21 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v6.1.96~62
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a0b19b94a06e187b9b1fa260d0f5d70e0581edfa;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/cipso-fix-total-option-length-computation.patch b/queue-4.19/cipso-fix-total-option-length-computation.patch
new file mode 100644
index 00000000000..2ef9025da92
--- /dev/null
+++ b/queue-4.19/cipso-fix-total-option-length-computation.patch
@@ -0,0 +1,52 @@
+From f6c91a2ce9f5a2ac04b38e68c0d5de05a8ddb251 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jun 2024 18:07:52 +0200
+Subject: cipso: fix total option length computation
+
+From: Ondrej Mosnacek
+
+[ Upstream commit 9f36169912331fa035d7b73a91252d7c2512eb1a ]
+
+As evident from the definition of ip_options_get(), the IP option
+IPOPT_END is used to pad the IP option data array, not IPOPT_NOP. Yet
+the loop that walks the IP options to determine the total IP options
+length in cipso_v4_delopt() doesn't take IPOPT_END into account.
+
+Fix it by recognizing the IPOPT_END value as the end of actual options.
+
+Fixes: 014ab19a69c3 ("selinux: Set socket NetLabel based on connection endpoint")
+Signed-off-by: Ondrej Mosnacek
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/cipso_ipv4.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 8dcf9aec7b77d..4a86cf05a3480 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -2029,12 +2029,16 @@ static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr)
+ * from there we can determine the new total option length */
+ iter = 0;
+ optlen_new = 0;
+- while (iter < opt->opt.optlen)
+- if (opt->opt.__data[iter] != IPOPT_NOP) {
++ while (iter < opt->opt.optlen) {
++ if (opt->opt.__data[iter] == IPOPT_END) {
++ break;
++ } else if (opt->opt.__data[iter] == IPOPT_NOP) {
++ iter++;
++ } else {
+ iter += opt->opt.__data[iter + 1];
+ optlen_new = iter;
+- } else
+- iter++;
++ }
++ }
+ hdr_delta = opt->opt.optlen;
+ opt->opt.optlen = (optlen_new + 3) & ~3;
+ hdr_delta -= opt->opt.optlen;
+--
+2.43.0
+
diff --git a/queue-4.19/ipv6-prevent-possible-null-dereference-in-rt6_probe.patch b/queue-4.19/ipv6-prevent-possible-null-dereference-in-rt6_probe.patch
new file mode 100644
index 00000000000..73b521c9921
--- /dev/null
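Review bot: The `else` branch of the rewritten loop in cipso_v4_delopt() still advances with `iter += opt->opt.__data[iter + 1];` without looking at the length byte, so a zero length would never leave the loop and an option starting on the last byte would read `__data[iter + 1]` beyond `optlen`. The options were presumably validated when they were attached to the socket, but that code is outside this hunk; if the invariant holds it deserves a comment on the loop, otherwise a guard such as `if (iter + 1 >= opt->opt.optlen || opt->opt.__data[iter + 1] < 2) break;` ahead of the increment would make the walk safe on its own. The function body starts and ends outside the hunk.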
+++ b/queue-4.19/ipv6-prevent-possible-null-dereference-in-rt6_probe.patch 
@@ -0,0 +1,86 @@ +From 4d931db27634cbed86aa7cdb593dbeceee5b53d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 15:14:54 +0000 +Subject: ipv6: prevent possible NULL dereference in rt6_probe() + +From: Eric Dumazet + +[ Upstream commit b86762dbe19a62e785c189f313cda5b989931f37 ] + +syzbot caught a NULL dereference in rt6_probe() [1] + +Bail out if __in6_dev_get() returns NULL. + +[1] +Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f] +CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 + RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline] + RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758 +Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19 +RSP: 0018:ffffc900034af070 EFLAGS: 00010203 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000 +RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c +RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a +R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000 +FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784 + nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496 + __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825 + find_rr_leaf 
net/ipv6/route.c:853 [inline] + rt6_select net/ipv6/route.c:897 [inline] + fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195 + ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231 + pol_lookup_func include/net/ip6_fib.h:616 [inline] + fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121 + ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline] + ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651 + ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147 + ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250 + rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898 + inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + sock_write_iter+0x4b8/0x5c0 net/socket.c:1160 + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0x6b6/0x1140 fs/read_write.c:590 + ksys_write+0x1f8/0x260 fs/read_write.c:643 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 52e1635631b3 ("[IPV6]: ROUTE: Add router_probe_interval sysctl.") +Signed-off-by: Eric Dumazet +Reviewed-by: Jason Xing +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240615151454.166404-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index d060b22554a22..e6e401990e050 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -546,6 +546,8 @@ static void rt6_probe(struct fib6_info *rt) + rcu_read_lock_bh(); + last_probe = READ_ONCE(rt->last_probe); + idev = __in6_dev_get(dev); ++ if (!idev) ++ goto out; + neigh = __ipv6_neigh_lookup_noref(dev, nh_gw); + if (neigh) { + if (neigh->nud_state & NUD_VALID) +-- +2.43.0 + 
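Review bot: The new `goto out` in rt6_probe() is taken after `rcu_read_lock_bh()`, and the `out:` label lies outside the hunk, so it should be confirmed that the label drops the RCU-bh read lock in the 4.19 tree rather than returning straight away. A short comment on the check, for example `/* __in6_dev_get() found no inet6_dev: nothing to probe */`, would also tell the reader that a NULL here is an expected state and not a bug being papered over.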
diff --git a/queue-4.19/mips-routerboard-532-fix-vendor-retry-check-code.patch b/queue-4.19/mips-routerboard-532-fix-vendor-retry-check-code.patch
new file mode 100644
index 00000000000..8580db7d4bb
--- /dev/null
+++ b/queue-4.19/mips-routerboard-532-fix-vendor-retry-check-code.patch
@@ -0,0 +1,46 @@
+From 231391e103de6841f8104265a9f8d310714859c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 May 2024 15:07:00 +0300
+Subject: MIPS: Routerboard 532: Fix vendor retry check code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit ae9daffd9028f2500c9ac1517e46d4f2b57efb80 ]
+
+read_config_dword() contains strange condition checking ret for a
+number of values. The ret variable, however, is always zero because
+config_access() never returns anything else. Thus, the retry is always
+taken until number of tries is exceeded.
+
+The code looks like it wants to check *val instead of ret to see if the
+read gave an error response.
+
+Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system")
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/pci/ops-rc32434.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/pci/ops-rc32434.c b/arch/mips/pci/ops-rc32434.c
+index 874ed6df97683..34b9323bdabb0 100644
+--- a/arch/mips/pci/ops-rc32434.c
++++ b/arch/mips/pci/ops-rc32434.c
+@@ -112,8 +112,8 @@ static int read_config_dword(struct pci_bus *bus, unsigned int devfn,
+ * gives them time to settle
+ */
+ if (where == PCI_VENDOR_ID) {
+- if (ret == 0xffffffff || ret == 0x00000000 ||
+- ret == 0x0000ffff || ret == 0xffff0000) {
++ if (*val == 0xffffffff || *val == 0x00000000 ||
++ *val == 0x0000ffff || *val == 0xffff0000) {
+ if (delay > 4)
+ return 0;
+ delay *= 2;
+--
+2.43.0
+
diff --git a/queue-4.19/net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch b/queue-4.19/net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch
new file mode 100644
index 00000000000..53705bea77b
--- /dev/null
+++ b/queue-4.19/net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch
@@ -0,0 +1,41 @@
+From dde77b402a0a727ea1ae67131109c12476ea876c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jun 2024 15:28:03 +0200
+Subject: net: usb: rtl8150 fix unintiatilzed variables in
+ rtl8150_get_link_ksettings
+
+From: Oliver Neukum
+
+[ Upstream commit fba383985354e83474f95f36d7c65feb75dba19d ]
+
+This functions retrieves values by passing a pointer. As the function
+that retrieves them can fail before touching the pointers, the variables
+must be initialized.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+5186630949e3c55f0799@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20240619132816.11526-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/rtl8150.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 933d1a74bcdb3..9534c2f6dcef6 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -804,7 +804,8 @@ static int rtl8150_get_link_ksettings(struct net_device *netdev,
+ struct ethtool_link_ksettings *ecmd)
+ {
+ rtl8150_t *dev = netdev_priv(netdev);
+- short lpa, bmcr;
++ short lpa = 0;
++ short bmcr = 0;
+ u32 supported;
+
+ supported = (SUPPORTED_10baseT_Half |
+--
+2.43.0
+
diff --git a/queue-4.19/netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch b/queue-4.19/netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch
new file mode 100644
index 00000000000..ad9380a9ca5
--- /dev/null
+++ b/queue-4.19/netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch
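Review bot: Zero-initialising `lpa` and `bmcr` in rtl8150_get_link_ksettings() keeps uninitialised stack contents out of the reported settings, but a failed register read now looks exactly like a device that really reports zero. The reads themselves are outside the hunk; if they return an error code, checking it and handing that error back to ethtool would be the stricter fix, since user space would otherwise receive link parameters derived from the defaults. At minimum a comment next to the initialisers, such as `/* stay 0 if the register read fails */`, would record why they exist.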
@@ -0,0 +1,83 @@ +From 22033205f236f15a1a28afbaa2df5f5ccb86c5b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 08:23:00 +0000 +Subject: netrom: Fix a memory leak in nr_heartbeat_expiry() + +From: Gavrilov Ilia + +[ Upstream commit 0b9130247f3b6a1122478471ff0e014ea96bb735 ] + +syzbot reported a memory leak in nr_create() [0]. + +Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") +added sock_hold() to the nr_heartbeat_expiry() function, where +a) a socket has a SOCK_DESTROY flag or +b) a listening socket has a SOCK_DEAD flag. + +But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor +has already been closed and the nr_release() function has been called. +So it makes no sense to hold the reference count because no one will +call another nr_destroy_socket() and put it as in the case "b." + +nr_connect + nr_establish_data_link + nr_start_heartbeat + +nr_release + switch (nr->state) + case NR_STATE_3 + nr->state = NR_STATE_2 + sock_set_flag(sk, SOCK_DESTROY); + + nr_rx_frame + nr_process_rx_frame + switch (nr->state) + case NR_STATE_2 + nr_state2_machine() + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0 + sock_set_flag(sk, SOCK_DEAD) + + nr_heartbeat_expiry + switch (nr->state) + case NR_STATE_0 + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN + && sock_flag(sk, SOCK_DEAD))) + sock_hold() // ( !!! ) + nr_destroy_socket() + +To fix the memory leak, let's call sock_hold() only for a listening socket. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with Syzkaller. + +[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 + +Reported-by: syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 +Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/netrom/nr_timer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c +index 2bf99bd5be58c..67d012e0badeb 100644 +--- a/net/netrom/nr_timer.c ++++ b/net/netrom/nr_timer.c +@@ -124,7 +124,8 @@ static void nr_heartbeat_expiry(struct timer_list *t) + is accepted() it isn't 'dead' so doesn't get removed. */ + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { +- sock_hold(sk); ++ if (sk->sk_state == TCP_LISTEN) ++ sock_hold(sk); + bh_unlock_sock(sk); + nr_destroy_socket(sk); + goto out; +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 9baefe272ef..eeaec3435c5 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -72,3 +72,11 @@ usb-misc-uss720-check-for-incompatible-versions-of-t.patch udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch mips-octeon-add-pcie-link-status-check.patch +mips-routerboard-532-fix-vendor-retry-check-code.patch +cipso-fix-total-option-length-computation.patch +netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch +ipv6-prevent-possible-null-dereference-in-rt6_probe.patch +xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch +virtio-net-ethtool-configurable-lro.patch +virtio_net-checksum-offloading-handling-fix.patch +net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch diff --git a/queue-4.19/virtio-net-ethtool-configurable-lro.patch b/queue-4.19/virtio-net-ethtool-configurable-lro.patch new file mode 100644 index 00000000000..21e00ece786 --- /dev/null +++ b/queue-4.19/virtio-net-ethtool-configurable-lro.patch 
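Review bot: The added `if (sk->sk_state == TCP_LISTEN)` in front of `sock_hold(sk)` in nr_heartbeat_expiry() makes the reference counting differ between the two arms of the outer condition, and nothing in the code explains why. I would put a comment above it along the lines of `/* SOCK_DESTROY: nr_release() already ran, nobody is left to drop an extra ref */`, which is the reasoning the commit message gives. A listening socket that has SOCK_DESTROY set without SOCK_DEAD would still take the hold; whether that combination can occur is not visible from this hunk, so it is worth a second look when the comment is written.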
@@ -0,0 +1,115 @@ +From 2ca7d15d6339c81cb8fca2e218f99ef724fd85fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Dec 2018 17:14:54 -0500 +Subject: virtio-net: ethtool configurable LRO + +From: Willem de Bruijn + +[ Upstream commit a02e8964eaf9271a8a5fcc0c55bd13f933bafc56 ] + +Virtio-net devices negotiate LRO support with the host. +Display the initially negotiated state with ethtool -k. + +Also allow configuring it with ethtool -K, reusing the existing +virtnet_set_guest_offloads helper that configures LRO for XDP. +This is conditional on VIRTIO_NET_F_CTRL_GUEST_OFFLOADS. + +Virtio-net negotiates TSO4 and TSO6 separately, but ethtool does not +distinguish between the two. Display LRO as on only if any offload +is active. + +RTNL is held while calling virtnet_set_features, same as on the path +from virtnet_xdp_set. + +Changes v1 -> v2 + - allow ethtool config (-K) only if VIRTIO_NET_F_CTRL_GUEST_OFFLOADS + - show LRO as enabled if any LRO variant is enabled + - do not allow configuration while XDP is active + - differentiate current features from the capable set, to restore + on XDP down only those features that were active on XDP up + - move test out of VIRTIO_NET_F_CSUM/TSO branch, which is tx only + +Signed-off-by: Willem de Bruijn +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. 
Miller +Stable-dep-of: 604141c036e1 ("virtio_net: checksum offloading handling fix") +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 2b012d7165cd0..cbe7be1b8452e 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -238,6 +238,7 @@ struct virtnet_info { + u32 speed; + + unsigned long guest_offloads; ++ unsigned long guest_offloads_capable; + + /* failover when STANDBY feature enabled */ + struct failover *failover; +@@ -2548,6 +2549,31 @@ static int virtnet_get_phys_port_name(struct net_device *dev, char *buf, + return 0; + } + ++static int virtnet_set_features(struct net_device *dev, ++ netdev_features_t features) ++{ ++ struct virtnet_info *vi = netdev_priv(dev); ++ u64 offloads; ++ int err; ++ ++ if ((dev->features ^ features) & NETIF_F_LRO) { ++ if (vi->xdp_queue_pairs) ++ return -EBUSY; ++ ++ if (features & NETIF_F_LRO) ++ offloads = vi->guest_offloads_capable; ++ else ++ offloads = 0; ++ ++ err = virtnet_set_guest_offloads(vi, offloads); ++ if (err) ++ return err; ++ vi->guest_offloads = offloads; ++ } ++ ++ return 0; ++} ++ + static const struct net_device_ops virtnet_netdev = { + .ndo_open = virtnet_open, + .ndo_stop = virtnet_close, +@@ -2562,6 +2588,7 @@ static const struct net_device_ops virtnet_netdev = { + .ndo_xdp_xmit = virtnet_xdp_xmit, + .ndo_features_check = passthru_features_check, + .ndo_get_phys_port_name = virtnet_get_phys_port_name, ++ .ndo_set_features = virtnet_set_features, + }; + + static void virtnet_config_changed_work(struct work_struct *work) +@@ -3022,6 +3049,11 @@ static int virtnet_probe(struct virtio_device *vdev) + } + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM)) + dev->features |= NETIF_F_RXCSUM; ++ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) || ++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6)) ++ dev->features |= 
NETIF_F_LRO; ++ if (virtio_has_feature(vdev, VIRTIO_NET_F_CTRL_GUEST_OFFLOADS)) ++ dev->hw_features |= NETIF_F_LRO; + + dev->vlan_features = dev->features; + +@@ -3157,6 +3189,7 @@ static int virtnet_probe(struct virtio_device *vdev) + for (i = 0; i < ARRAY_SIZE(guest_offloads); i++) + if (virtio_has_feature(vi->vdev, guest_offloads[i])) + set_bit(guest_offloads[i], &vi->guest_offloads); ++ vi->guest_offloads_capable = vi->guest_offloads; + + pr_debug("virtnet: registered device %s with %d RX and TX vq's\n", + dev->name, max_queue_pairs); +-- +2.43.0 + diff --git a/queue-4.19/virtio_net-checksum-offloading-handling-fix.patch b/queue-4.19/virtio_net-checksum-offloading-handling-fix.patch new file mode 100644 index 00000000000..ff4a5440c39 --- /dev/null +++ b/queue-4.19/virtio_net-checksum-offloading-handling-fix.patch 
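Review bot: In virtnet_set_features(), switching LRO off sends `offloads = 0`, which clears every guest offload bit rather than only the LRO-related ones. The table that fills `vi->guest_offloads` is outside the hunk, so I cannot tell whether it ever carries a non-LRO bit in this tree, but if it does, disabling LRO through ethtool would silently disable that offload as well. Clearing only the TSO4/TSO6-style bits from `vi->guest_offloads_capable` instead of writing zero would keep the two concerns apart, and a comment on the `else` arm should state which bits are meant to go away.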
@@ -0,0 +1,64 @@ +From e222186d033fae45916f846b0301b2fcc2c0c089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 21:15:23 +0800 +Subject: virtio_net: checksum offloading handling fix + +From: Heng Qi + +[ Upstream commit 604141c036e1b636e2a71cf6e1aa09d1e45f40c2 ] + +In virtio spec 0.95, VIRTIO_NET_F_GUEST_CSUM was designed to handle +partially checksummed packets, and the validation of fully checksummed +packets by the device is independent of VIRTIO_NET_F_GUEST_CSUM +negotiation. However, the specification erroneously stated: + + "If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags + to zero and SHOULD supply a fully checksummed packet to the driver." + +This statement is inaccurate because even without VIRTIO_NET_F_GUEST_CSUM +negotiation, the device can still set the VIRTIO_NET_HDR_F_DATA_VALID flag. +Essentially, the device can facilitate the validation of these packets' +checksums - a process known as RX checksum offloading - removing the need +for the driver to do so. + +This scenario is currently not implemented in the driver and requires +correction. The necessary specification correction[1] has been made and +approved in the virtio TC vote. +[1] https://lists.oasis-open.org/archives/virtio-comment/202401/msg00011.html + +Fixes: 4f49129be6fa ("virtio-net: Set RXCSUM feature if GUEST_CSUM is available") +Signed-off-by: Heng Qi +Reviewed-by: Jiri Pirko +Acked-by: Jason Wang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index cbe7be1b8452e..7a6ebd2400526 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -3047,8 +3047,16 @@ static int virtnet_probe(struct virtio_device *vdev) + dev->features |= dev->hw_features & NETIF_F_ALL_TSO; + /* (!csum && gso) case will be fixed by register_netdev() */ + } +- if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM)) +- dev->features |= NETIF_F_RXCSUM; ++ ++ /* 1. With VIRTIO_NET_F_GUEST_CSUM negotiation, the driver doesn't ++ * need to calculate checksums for partially checksummed packets, ++ * as they're considered valid by the upper layer. ++ * 2. Without VIRTIO_NET_F_GUEST_CSUM negotiation, the driver only ++ * receives fully checksummed packets. The device may assist in ++ * validating these packets' checksums, so the driver won't have to. ++ */ ++ dev->features |= NETIF_F_RXCSUM; ++ + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) || + virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6)) + dev->features |= NETIF_F_LRO; +-- +2.43.0 + diff --git a/queue-4.19/xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch b/queue-4.19/xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch new file mode 100644 index 00000000000..5378bf0356f --- /dev/null +++ b/queue-4.19/xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch 
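Review bot: NETIF_F_RXCSUM is now set in `dev->features` unconditionally in virtnet_probe(), but this hunk does not add it to `dev->hw_features`, so unless that happens elsewhere in the function an administrator cannot switch receive-checksum offload off with ethtool. Per the commit message the driver will then rely on the device's VIRTIO_NET_HDR_F_DATA_VALID indication even when VIRTIO_NET_F_GUEST_CSUM was not negotiated, which moves checksum validation to the host side for every configuration. Receive paths that assumed the header flags are zero without GUEST_CSUM are outside this hunk and should be re-checked against the new behaviour before this is queued.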
@@ -0,0 +1,92 @@ +From fe40d3a30c259998628335f8899c5ac98c50a912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 15:42:31 +0000 +Subject: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() + +From: Eric Dumazet + +[ Upstream commit d46401052c2d5614da8efea5788532f0401cb164 ] + +ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly. + +syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 +Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker + RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64 +Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00 +RSP: 0018:ffffc90000117378 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7 +RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98 +RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000 +R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline] + xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline] + xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541 + 
xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835 + xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline] + xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201 + xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline] + xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309 + ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256 + send6+0x611/0xd20 drivers/net/wireguard/socket.c:139 + wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178 + wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200 + wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40 + wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51 + process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 + process_scheduled_works kernel/workqueue.c:3312 [inline] + worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 + kthread+0x2c1/0x3a0 kernel/kthread.c:389 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240615154231.234442-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_policy.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c +index a1dfe4f5ed3a4..086f34d2051a1 100644 +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -60,12 +60,18 @@ static int xfrm6_get_saddr(struct net *net, int oif, + { + struct dst_entry *dst; + struct net_device *dev; ++ struct inet6_dev *idev; + + dst = xfrm6_dst_lookup(net, 0, oif, NULL, daddr, mark); + if (IS_ERR(dst)) + return -EHOSTUNREACH; + +- dev = ip6_dst_idev(dst)->dev; ++ idev = ip6_dst_idev(dst); ++ if (!idev) { ++ dst_release(dst); ++ return -EHOSTUNREACH; ++ } ++ dev = idev->dev; + 
ipv6_dev_get_saddr(dev_net(dev), dev, &daddr->in6, 0, &saddr->in6); + dst_release(dst); + return 0; +-- +2.43.0 +
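Review bot: In xfrm6_get_saddr() the result of `ipv6_dev_get_saddr(...)` is still discarded and the function returns 0, so a lookup that finds no usable source address is reported as success with `saddr` left as the caller passed it. The new NULL check covers the missing inet6_dev, but this neighbouring failure path has the same shape; with an `int err` local, `err = ipv6_dev_get_saddr(dev_net(dev), dev, &daddr->in6, 0, &saddr->in6);` followed by `return err ? -EHOSTUNREACH : 0;` after the `dst_release(dst)` would close it. Whether callers pre-initialise `saddr` is not visible here, so the impact is unconfirmed.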