From: Greg Kroah-Hartman
Date: Mon, 9 Oct 2023 10:48:56 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v4.14.327~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ab6e52bd0520b7830dc81ce2b6746d26baf508ed;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
btrfs-fix-an-error-handling-path-in-btrfs_rename.patch
btrfs-fix-fscrypt-name-leak-after-failure-to-join-log-transaction.patch
ipv6-remove-nexthop_fib6_nh_bh.patch
netlink-remove-the-flex-array-from-struct-nlmsghdr.patch
vrf-fix-lockdep-splat-in-output-path.patch
---
diff --git a/queue-6.1/btrfs-fix-an-error-handling-path-in-btrfs_rename.patch b/queue-6.1/btrfs-fix-an-error-handling-path-in-btrfs_rename.patch
new file mode 100644
index 00000000000..a8a3b7b5545
--- /dev/null
+++ b/queue-6.1/btrfs-fix-an-error-handling-path-in-btrfs_rename.patch
@@ -0,0 +1,37 @@
+From abe3bf7425fb695a9b37394af18b9ea58a800802 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Mon, 12 Dec 2022 21:14:17 +0100
+Subject: btrfs: fix an error handling path in btrfs_rename()
+
+From: Christophe JAILLET
+
+commit abe3bf7425fb695a9b37394af18b9ea58a800802 upstream.
+
+If new_whiteout_inode() fails, some resources need to be freed.
+Add the missing goto to the error handling path.
+
+Fixes: ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper")
+Reviewed-by: Sweet Tea Dorminy
+Signed-off-by: Christophe JAILLET
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/inode.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9400,8 +9400,10 @@ static int btrfs_rename(struct user_name
+ 
+ if (flags & RENAME_WHITEOUT) {
+ whiteout_args.inode = new_whiteout_inode(mnt_userns, old_dir);
+- if (!whiteout_args.inode)
+- return -ENOMEM;
++ if (!whiteout_args.inode) {
++ ret = -ENOMEM;
++ goto out_fscrypt_names;
++ }
+ ret = btrfs_new_inode_prepare(&whiteout_args, &trans_num_items);
+ if (ret)
+ goto out_whiteout_inode;
diff --git a/queue-6.1/btrfs-fix-fscrypt-name-leak-after-failure-to-join-log-transaction.patch b/queue-6.1/btrfs-fix-fscrypt-name-leak-after-failure-to-join-log-transaction.patch
new file mode 100644
index 00000000000..925c1605afd
--- /dev/null
+++ b/queue-6.1/btrfs-fix-fscrypt-name-leak-after-failure-to-join-log-transaction.patch
@@ -0,0 +1,40 @@
+From fee4c19937439693f2420a916169d08e88576e8e Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Tue, 20 Dec 2022 11:13:33 +0000
+Subject: btrfs: fix fscrypt name leak after failure to join log transaction
+
+From: Filipe Manana
+
+commit fee4c19937439693f2420a916169d08e88576e8e upstream.
+
+When logging a new name, we don't expect to fail joining a log transaction
+since we know at least one of the inodes was logged before in the current
+transaction. However if we fail for some unexpected reason, we end up not
+freeing the fscrypt name we previously allocated. So fix that by freeing
+the name in case we failed to join a log transaction.
+
+Fixes: ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper")
+Reviewed-by: Sweet Tea Dorminy
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/tree-log.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -7491,8 +7491,11 @@ void btrfs_log_new_name(struct btrfs_tra
+ * not fail, but if it does, it's not serious, just bail out and
+ * mark the log for a full commit.
+ */
+- if (WARN_ON_ONCE(ret < 0))
++ if (WARN_ON_ONCE(ret < 0)) {
++ fscrypt_free_filename(&fname);
+ goto out;
++ }
++
+ log_pinned = true;
+ 
+ path = btrfs_alloc_path();
diff --git a/queue-6.1/ipv6-remove-nexthop_fib6_nh_bh.patch b/queue-6.1/ipv6-remove-nexthop_fib6_nh_bh.patch
new file mode 100644
index 00000000000..dc045df9e3f
--- /dev/null
+++ b/queue-6.1/ipv6-remove-nexthop_fib6_nh_bh.patch
@@ -0,0 +1,161 @@
+From ef1148d4487438a3408d6face2a8360d91b4af70 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 10 May 2023 15:46:46 +0000
+Subject: ipv6: remove nexthop_fib6_nh_bh()
+
+From: Eric Dumazet
+
+commit ef1148d4487438a3408d6face2a8360d91b4af70 upstream.
+
+After blamed commit, nexthop_fib6_nh_bh() and nexthop_fib6_nh()
+are the same.
+
+Delete nexthop_fib6_nh_bh(), and convert /proc/net/ipv6_route
+to standard rcu to avoid this splat:
+
+[ 5723.180080] WARNING: suspicious RCU usage
+[ 5723.180083] -----------------------------
+[ 5723.180084] include/net/nexthop.h:516 suspicious rcu_dereference_check() usage!
+[ 5723.180086]
+other info that might help us debug this:
+
+[ 5723.180087]
+rcu_scheduler_active = 2, debug_locks = 1
+[ 5723.180089] 2 locks held by cat/55856:
+[ 5723.180091] #0: ffff9440a582afa8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter (fs/seq_file.c:188)
+[ 5723.180100] #1: ffffffffaac07040 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire (include/linux/rcupdate.h:326)
+[ 5723.180109]
+stack backtrace:
+[ 5723.180111] CPU: 14 PID: 55856 Comm: cat Tainted: G S I 6.3.0-dbx-DEV #528
+[ 5723.180115] Call Trace:
+[ 5723.180117]
+[ 5723.180119] dump_stack_lvl (lib/dump_stack.c:107)
+[ 5723.180124] dump_stack (lib/dump_stack.c:114)
+[ 5723.180126] lockdep_rcu_suspicious (include/linux/context_tracking.h:122)
+[ 5723.180132] ipv6_route_seq_show (include/net/nexthop.h:?)
+[ 5723.180135] ? ipv6_route_seq_next (net/ipv6/ip6_fib.c:2605)
+[ 5723.180140] seq_read_iter (fs/seq_file.c:272)
+[ 5723.180145] seq_read (fs/seq_file.c:163)
+[ 5723.180151] proc_reg_read (fs/proc/inode.c:316 fs/proc/inode.c:328)
+[ 5723.180155] vfs_read (fs/read_write.c:468)
+[ 5723.180160] ? up_read (kernel/locking/rwsem.c:1617)
+[ 5723.180164] ksys_read (fs/read_write.c:613)
+[ 5723.180168] __x64_sys_read (fs/read_write.c:621)
+[ 5723.180170] do_syscall_64 (arch/x86/entry/common.c:?)
+[ 5723.180174] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+[ 5723.180177] RIP: 0033:0x7fa455677d2a
+
+Fixes: 09eed1192cec ("neighbour: switch to standard rcu, instead of rcu_bh")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Link: https://lore.kernel.org/r/20230510154646.370659-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/nexthop.h | 23 -----------------------
+ net/ipv6/ip6_fib.c | 16 ++++++++--------
+ 2 files changed, 8 insertions(+), 31 deletions(-)
+
+--- a/include/net/nexthop.h
++++ b/include/net/nexthop.h
+@@ -497,29 +497,6 @@ static inline struct fib6_nh *nexthop_fi
+ return NULL;
+ }
+ 
+-/* Variant of nexthop_fib6_nh().
+- * Caller should either hold rcu_read_lock(), or RTNL.
+- */
+-static inline struct fib6_nh *nexthop_fib6_nh_bh(struct nexthop *nh)
+-{
+- struct nh_info *nhi;
+-
+- if (nh->is_group) {
+- struct nh_group *nh_grp;
+-
+- nh_grp = rcu_dereference_rtnl(nh->nh_grp);
+- nh = nexthop_mpath_select(nh_grp, 0);
+- if (!nh)
+- return NULL;
+- }
+-
+- nhi = rcu_dereference_rtnl(nh->nh_info);
+- if (nhi->family == AF_INET6)
+- return &nhi->fib6_nh;
+-
+- return NULL;
+-}
+-
+ static inline struct net_device *fib6_info_nh_dev(struct fib6_info *f6i)
+ {
+ struct fib6_nh *fib6_nh;
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -2492,7 +2492,7 @@ static int ipv6_route_native_seq_show(st
+ const struct net_device *dev;
+ 
+ if (rt->nh)
+- fib6_nh = nexthop_fib6_nh_bh(rt->nh);
++ fib6_nh = nexthop_fib6_nh(rt->nh);
+ 
+ seq_printf(seq, "%pi6 %02x ", &rt->fib6_dst.addr, rt->fib6_dst.plen);
+ 
+@@ -2557,14 +2557,14 @@ static struct fib6_table *ipv6_route_seq
+ 
+ if (tbl) {
+ h = (tbl->tb6_id & (FIB6_TABLE_HASHSZ - 1)) + 1;
+- node = rcu_dereference_bh(hlist_next_rcu(&tbl->tb6_hlist));
++ node = rcu_dereference(hlist_next_rcu(&tbl->tb6_hlist));
+ } else {
+ h = 0;
+ node = NULL;
+ }
+ 
+ while (!node && h < FIB6_TABLE_HASHSZ) {
+- node = rcu_dereference_bh(
++ node = rcu_dereference(
+ hlist_first_rcu(&net->ipv6.fib_table_hash[h++]));
+ }
+ return hlist_entry_safe(node, struct fib6_table, tb6_hlist);
+@@ -2594,7 +2594,7 @@ static void *ipv6_route_seq_next(struct
+ if (!v)
+ goto iter_table;
+ 
+- n = rcu_dereference_bh(((struct fib6_info *)v)->fib6_next);
++ n = rcu_dereference(((struct fib6_info *)v)->fib6_next);
+ if (n)
+ return n;
+ 
+@@ -2620,12 +2620,12 @@ iter_table:
+ }
+ 
+ static void *ipv6_route_seq_start(struct seq_file *seq, loff_t *pos)
+- __acquires(RCU_BH)
++ __acquires(RCU)
+ {
+ struct net *net = seq_file_net(seq);
+ struct ipv6_route_iter *iter = seq->private;
+ 
+- rcu_read_lock_bh();
++ rcu_read_lock();
+ iter->tbl = ipv6_route_seq_next_table(NULL, net);
+ iter->skip = *pos;
+ 
+@@ -2646,7 +2646,7 @@ static bool ipv6_route_iter_active(struc
+ }
+ 
+ static void ipv6_route_native_seq_stop(struct seq_file *seq, void *v)
+- __releases(RCU_BH)
++ __releases(RCU)
+ {
+ struct net *net = seq_file_net(seq);
+ struct ipv6_route_iter *iter = seq->private;
+@@ -2654,7 +2654,7 @@ static void ipv6_route_native_seq_stop(s
+ if (ipv6_route_iter_active(iter))
+ fib6_walker_unlink(net, &iter->w);
+ 
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ }
+ 
+ #if IS_BUILTIN(CONFIG_IPV6) && defined(CONFIG_BPF_SYSCALL)
diff --git a/queue-6.1/netlink-remove-the-flex-array-from-struct-nlmsghdr.patch b/queue-6.1/netlink-remove-the-flex-array-from-struct-nlmsghdr.patch
new file mode 100644
index 00000000000..5093f5ef3c7
--- /dev/null
+++ b/queue-6.1/netlink-remove-the-flex-array-from-struct-nlmsghdr.patch
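Review bot: The ip6_fib.c hunks replace rcu_read_lock_bh()/rcu_dereference_bh() with plain rcu_read_lock()/rcu_dereference() and re-annotate the seq ops as `__acquires(RCU)`/`__releases(RCU)`, which is only the right fix on a 6.1 tree that already carries 09eed1192cec ("neighbour: switch to standard rcu, instead of rcu_bh") from the Fixes: tag; the same dependency applies to vrf-fix-lockdep-splat-in-output-path.patch later in this commit. Nothing in the patch preamble records that the dependency is present in 6.1.y, so it is worth confirming before the series is released and, if it went in under a different stable commit id, noting that above the `---` line. The nexthop.h hunk is a pure deletion and matches the commit message.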
@@ -0,0 +1,55 @@
+From c73a72f4cbb47672c8cc7f7d7aba52f1cb15baca Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski
+Date: Thu, 17 Nov 2022 19:39:03 -0800
+Subject: netlink: remove the flex array from struct nlmsghdr
+
+From: Jakub Kicinski
+
+commit c73a72f4cbb47672c8cc7f7d7aba52f1cb15baca upstream.
+
+I've added a flex array to struct nlmsghdr in
+commit 738136a0e375 ("netlink: split up copies in the ack construction")
+to allow accessing the data easily. It leads to warnings with clang,
+if user space wraps this structure into another struct and the flex
+array is not at the end of the container.
+
+Reviewed-by: Kees Cook
+Reviewed-by: David Ahern
+Link: https://lore.kernel.org/all/20221114023927.GA685@u2004-local/
+Link: https://lore.kernel.org/r/20221118033903.1651026-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/uapi/linux/netlink.h | 2 --
+ net/netlink/af_netlink.c | 2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/uapi/linux/netlink.h
++++ b/include/uapi/linux/netlink.h
+@@ -48,7 +48,6 @@ struct sockaddr_nl {
+ * @nlmsg_flags: Additional flags
+ * @nlmsg_seq: Sequence number
+ * @nlmsg_pid: Sending process port ID
+- * @nlmsg_data: Message payload
+ */
+ struct nlmsghdr {
+ __u32 nlmsg_len;
+@@ -56,7 +55,6 @@ struct nlmsghdr {
+ __u16 nlmsg_flags;
+ __u32 nlmsg_seq;
+ __u32 nlmsg_pid;
+- __u8 nlmsg_data[];
+ };
+ 
+ /* Flags values */
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2458,7 +2458,7 @@ void netlink_ack(struct sk_buff *in_skb,
+ if (!nlmsg_append(skb, nlmsg_len(nlh)))
+ goto err_bad_put;
+ 
+- memcpy(errmsg->msg.nlmsg_data, nlh->nlmsg_data,
++ memcpy(nlmsg_data(&errmsg->msg), nlmsg_data(nlh),
+ nlmsg_len(nlh));
+ }
+ 
diff --git a/queue-6.1/series b/queue-6.1/series
index 003b226d41f..01d3b92e90e 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -155,3 +155,8 @@ x86-sev-use-the-ghcb-protocol-when-available-for-snp-cpuid-requests.patch
 ksmbd-fix-race-condition-between-session-lookup-and-expire.patch
 ksmbd-fix-uaf-in-smb20_oplock_break_ack.patch
 parisc-restore-__ldcw_align-for-pa-risc-2.0-processors.patch
+ipv6-remove-nexthop_fib6_nh_bh.patch
+vrf-fix-lockdep-splat-in-output-path.patch
+btrfs-fix-an-error-handling-path-in-btrfs_rename.patch
+btrfs-fix-fscrypt-name-leak-after-failure-to-join-log-transaction.patch
+netlink-remove-the-flex-array-from-struct-nlmsghdr.patch
diff --git a/queue-6.1/vrf-fix-lockdep-splat-in-output-path.patch b/queue-6.1/vrf-fix-lockdep-splat-in-output-path.patch
new file mode 100644
index 00000000000..be03f97e861
--- /dev/null
+++ b/queue-6.1/vrf-fix-lockdep-splat-in-output-path.patch
@@ -0,0 +1,151 @@
+From 2033ab90380d46e0e9f0520fd6776a73d107fd95 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel
+Date: Sat, 15 Jul 2023 18:36:05 +0300
+Subject: vrf: Fix lockdep splat in output path
+
+From: Ido Schimmel
+
+commit 2033ab90380d46e0e9f0520fd6776a73d107fd95 upstream.
+
+Cited commit converted the neighbour code to use the standard RCU
+variant instead of the RCU-bh variant, but the VRF code still uses
+rcu_read_lock_bh() / rcu_read_unlock_bh() around the neighbour lookup
+code in its IPv4 and IPv6 output paths, resulting in lockdep splats
+[1][2]. Can be reproduced using [3].
+
+Fix by switching to rcu_read_lock() / rcu_read_unlock().
+
+[1]
+=============================
+WARNING: suspicious RCU usage
+6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted
+-----------------------------
+include/net/neighbour.h:302 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+2 locks held by ping/183:
+ #0: ffff888105ea1d80 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0xc6c/0x33c0
+ #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output+0x2e3/0x2030
+
+stack backtrace:
+CPU: 0 PID: 183 Comm: ping Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0xc1/0xf0
+ lockdep_rcu_suspicious+0x211/0x3b0
+ vrf_output+0x1380/0x2030
+ ip_push_pending_frames+0x125/0x2a0
+ raw_sendmsg+0x200d/0x33c0
+ inet_sendmsg+0xa2/0xe0
+ __sys_sendto+0x2aa/0x420
+ __x64_sys_sendto+0xe5/0x1c0
+ do_syscall_64+0x38/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+[2]
+=============================
+WARNING: suspicious RCU usage
+6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted
+-----------------------------
+include/net/neighbour.h:302 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+2 locks held by ping6/182:
+ #0: ffff888114b63000 (sk_lock-AF_INET6){+.+.}-{0:0}, at: rawv6_sendmsg+0x1602/0x3e50
+ #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output6+0xe9/0x1310
+
+stack backtrace:
+CPU: 0 PID: 182 Comm: ping6 Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0xc1/0xf0
+ lockdep_rcu_suspicious+0x211/0x3b0
+ vrf_output6+0xd32/0x1310
+ ip6_local_out+0xb4/0x1a0
+ ip6_send_skb+0xbc/0x340
+ ip6_push_pending_frames+0xe5/0x110
+ rawv6_sendmsg+0x2e6e/0x3e50
+ inet_sendmsg+0xa2/0xe0
+ __sys_sendto+0x2aa/0x420
+ __x64_sys_sendto+0xe5/0x1c0
+ do_syscall_64+0x38/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+[3]
+#!/bin/bash
+
+ip link add name vrf-red up numtxqueues 2 type vrf table 10
+ip link add name swp1 up master vrf-red type dummy
+ip address add 192.0.2.1/24 dev swp1
+ip address add 2001:db8:1::1/64 dev swp1
+ip neigh add 192.0.2.2 lladdr 00:11:22:33:44:55 nud perm dev swp1
+ip neigh add 2001:db8:1::2 lladdr 00:11:22:33:44:55 nud perm dev swp1
+ip vrf exec vrf-red ping 192.0.2.2 -c 1 &> /dev/null
+ip vrf exec vrf-red ping6 2001:db8:1::2 -c 1 &> /dev/null
+
+Fixes: 09eed1192cec ("neighbour: switch to standard rcu, instead of rcu_bh")
+Reported-by: Naresh Kamboju
+Link: https://lore.kernel.org/netdev/CA+G9fYtEr-=GbcXNDYo3XOkwR+uYgehVoDjsP0pFLUpZ_AZcyg@mail.gmail.com/
+Signed-off-by: Ido Schimmel
+Reviewed-by: David Ahern
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230715153605.4068066-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vrf.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -664,7 +664,7 @@ static int vrf_finish_output6(struct net
+ skb->protocol = htons(ETH_P_IPV6);
+ skb->dev = dev;
+ 
+- rcu_read_lock_bh();
++ rcu_read_lock();
+ nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr);
+ neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop);
+ if (unlikely(!neigh))
+@@ -672,10 +672,10 @@ static int vrf_finish_output6(struct net
+ if (!IS_ERR(neigh)) {
+ sock_confirm_neigh(skb, neigh);
+ ret = neigh_output(neigh, skb, false);
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ return ret;
+ }
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ 
+ IP6_INC_STATS(dev_net(dst->dev),
+ ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
+@@ -889,7 +889,7 @@ static int vrf_finish_output(struct net
+ }
+ }
+ 
+- rcu_read_lock_bh();
++ rcu_read_lock();
+ 
+ neigh = ip_neigh_for_gw(rt, skb, &is_v6gw);
+ if (!IS_ERR(neigh)) {
+@@ -898,11 +898,11 @@ static int vrf_finish_output(struct net
+ sock_confirm_neigh(skb, neigh);
+ /* if crossing protocols, can not use the cached header */
+ ret = neigh_output(neigh, skb, is_v6gw);
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ return ret;
+ }
+ 
+- rcu_read_unlock_bh();
++ rcu_read_unlock();
+ vrf_tx_error(skb->dev, skb);
+ return -EINVAL;
+ }