From: Sasha Levin Date: Sun, 25 Aug 2024 11:50:55 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.1.107~67 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b96a1da4ac179a8e0a2e3cd51382640294fe8add;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/bluetooth-hci_core-fix-le-quote-calculation.patch b/queue-4.19/bluetooth-hci_core-fix-le-quote-calculation.patch new file mode 100644 index 00000000000..7addb10a3a6 --- /dev/null +++ b/queue-4.19/bluetooth-hci_core-fix-le-quote-calculation.patch 
@@ -0,0 +1,74 @@ +From c13248ba969d4a0d8493e10200b8533ee4117d98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 11:22:08 -0400 +Subject: Bluetooth: hci_core: Fix LE quote calculation + +From: Luiz Augusto von Dentz + +[ Upstream commit 932021a11805b9da4bd6abf66fe233cccd59fe0e ] + +Function hci_sched_le needs to update the respective counter variable +inplace other the likes of hci_quote_sent would attempt to use the +possible outdated value of conn->{le_cnt,acl_cnt}. + +Link: https://github.com/bluez/bluez/issues/915 +Fixes: 73d80deb7bdf ("Bluetooth: prioritizing data over HCI") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 3360ae1e4c8ce..bb89ca37decbc 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4121,19 +4121,19 @@ static void hci_sched_le(struct hci_dev *hdev) + { + struct hci_chan *chan; + struct sk_buff *skb; +- int quote, cnt, tmp; ++ int quote, *cnt, tmp; + + BT_DBG("%s", hdev->name); + + if (!hci_conn_num(hdev, LE_LINK)) + return; + +- cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt; ++ cnt = hdev->le_pkts ? 
&hdev->le_cnt : &hdev->acl_cnt; + +- __check_timeout(hdev, cnt, LE_LINK); ++ __check_timeout(hdev, *cnt, LE_LINK); + +- tmp = cnt; +- while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) { ++ tmp = *cnt; ++ while (*cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) { + u32 priority = (skb_peek(&chan->data_q))->priority; + while (quote-- && (skb = skb_peek(&chan->data_q))) { + BT_DBG("chan %p skb %p len %d priority %u", chan, skb, +@@ -4148,18 +4148,13 @@ static void hci_sched_le(struct hci_dev *hdev) + hci_send_frame(hdev, skb); + hdev->le_last_tx = jiffies; + +- cnt--; ++ (*cnt)--; + chan->sent++; + chan->conn->sent++; + } + } + +- if (hdev->le_pkts) +- hdev->le_cnt = cnt; +- else +- hdev->acl_cnt = cnt; +- +- if (cnt != tmp) ++ if (*cnt != tmp) + hci_prio_recalculate(hdev, LE_LINK); + } + +-- +2.43.0 + diff --git a/queue-4.19/bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch b/queue-4.19/bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch new file mode 100644 index 00000000000..f53d54723f5 --- /dev/null +++ b/queue-4.19/bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch 
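Review bot: `cnt` is declared `int *` but is pointed at `hdev->le_cnt` / `hdev->acl_cnt`, and the `__check_timeout()` helper on this same page receives that value as `unsigned int cnt`, so the new assignment mixes pointer signedness; the kernel builds with `-Wno-pointer-sign` so it compiles silently, but `unsigned int *cnt, tmp;` (leaving `quote` as `int`) would match the storage and keep `*cnt != tmp` an unsigned comparison on both sides. The definition of `struct hci_dev` is not on this page, so confirm the field types before changing it. Note also that `(*cnt)--` runs inside the inner `quote--` loop while only the outer loop tests `*cnt`; that is safe only if `hci_chan_sent()` bounds `quote` by the available credits, which is not visible here and deserves a one-line comment at the decrement. The signature of `hci_sched_le` sits in the hunk header, outside the hunk.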
@@ -0,0 +1,105 @@ +From 9f0a4fb1bd305ea46a9b659a5df2be7191b655cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 15:44:42 -0700 +Subject: Bluetooth: hci_core: Fix not handling link timeouts propertly + +From: Luiz Augusto von Dentz + +[ Upstream commit 116523c8fac05d1d26f748fee7919a4ec5df67ea ] + +Change that introduced the use of __check_timeout did not account for +link types properly, it always assumes ACL_LINK is used thus causing +hdev->acl_last_tx to be used even in case of LE_LINK and then again +uses ACL_LINK with hci_link_tx_to. + +To fix this __check_timeout now takes the link type as parameter and +then procedure to use the right last_tx based on the link type and pass +it to hci_link_tx_to. + +Fixes: 1b1d29e51499 ("Bluetooth: Make use of __check_timeout on hci_sched_le") +Signed-off-by: Luiz Augusto von Dentz +Tested-by: David Beinder +Stable-dep-of: 932021a11805 ("Bluetooth: hci_core: Fix LE quote calculation") +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 0221aa5785052..3360ae1e4c8ce 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3931,15 +3931,27 @@ static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb) + return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len); + } + +-static void __check_timeout(struct hci_dev *hdev, unsigned int cnt) ++static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type) + { +- if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { +- /* ACL tx timeout must be longer than maximum +- * link supervision timeout (40.9 seconds) */ +- if (!cnt && time_after(jiffies, hdev->acl_last_tx + +- HCI_ACL_TX_TIMEOUT)) +- hci_link_tx_to(hdev, ACL_LINK); ++ unsigned long last_tx; ++ ++ if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) ++ return; ++ ++ switch (type) { ++ case 
LE_LINK: ++ last_tx = hdev->le_last_tx; ++ break; ++ default: ++ last_tx = hdev->acl_last_tx; ++ break; + } ++ ++ /* tx timeout must be longer than maximum link supervision timeout ++ * (40.9 seconds) ++ */ ++ if (!cnt && time_after(jiffies, last_tx + HCI_ACL_TX_TIMEOUT)) ++ hci_link_tx_to(hdev, type); + } + + static void hci_sched_acl_pkt(struct hci_dev *hdev) +@@ -3949,7 +3961,7 @@ static void hci_sched_acl_pkt(struct hci_dev *hdev) + struct sk_buff *skb; + int quote; + +- __check_timeout(hdev, cnt); ++ __check_timeout(hdev, cnt, ACL_LINK); + + while (hdev->acl_cnt && + (chan = hci_chan_sent(hdev, ACL_LINK, "e))) { +@@ -3988,8 +4000,6 @@ static void hci_sched_acl_blk(struct hci_dev *hdev) + int quote; + u8 type; + +- __check_timeout(hdev, cnt); +- + BT_DBG("%s", hdev->name); + + if (hdev->dev_type == HCI_AMP) +@@ -3997,6 +4007,8 @@ static void hci_sched_acl_blk(struct hci_dev *hdev) + else + type = ACL_LINK; + ++ __check_timeout(hdev, cnt, type); ++ + while (hdev->block_cnt > 0 && + (chan = hci_chan_sent(hdev, type, "e))) { + u32 priority = (skb_peek(&chan->data_q))->priority; +@@ -4118,7 +4130,7 @@ static void hci_sched_le(struct hci_dev *hdev) + + cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt; + +- __check_timeout(hdev, cnt); ++ __check_timeout(hdev, cnt, LE_LINK); + + tmp = cnt; + while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) { +-- +2.43.0 + diff --git a/queue-4.19/bluetooth-make-use-of-__check_timeout-on-hci_sched_l.patch b/queue-4.19/bluetooth-make-use-of-__check_timeout-on-hci_sched_l.patch new file mode 100644 index 00000000000..aeb4d3ab059 --- /dev/null +++ b/queue-4.19/bluetooth-make-use-of-__check_timeout-on-hci_sched_l.patch 
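Review bot: The `switch (type)` in `__check_timeout` folds every non-LE type into the `default:` arm that reads `acl_last_tx`, and `hci_sched_acl_blk` now passes its own `type` (presumably `AMP_LINK` on an AMP controller; that assignment is between the hunks) instead of the removed call's fixed `ACL_LINK`, so an AMP controller's timeout is judged against the ACL timestamp but `hci_link_tx_to(hdev, type)` then drops links of the AMP type — a behavior change the commit message does not mention. If that is intended, say so in the switch, e.g. `default: /* ACL and AMP links share acl_last_tx */`; otherwise list `case ACL_LINK:` and `case AMP_LINK:` explicitly so an unexpected type cannot trigger a link teardown. The LE path now uses `HCI_ACL_TX_TIMEOUT` where the earlier code on this page used `HZ * 45`; the value is the same, but the ACL-named constant next to the "40.9 seconds" comment reads as a mistake, so a short comment noting the constant is shared by all link types would help. The bodies of `hci_sched_acl_pkt` and `hci_sched_acl_blk` continue outside the hunk.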
@@ -0,0 +1,46 @@ +From 0d91463799e33fada0fd94dac08fe60f4142e93a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2020 13:02:18 -0800 +Subject: Bluetooth: Make use of __check_timeout on hci_sched_le + +From: Luiz Augusto von Dentz + +[ Upstream commit 1b1d29e5149990e44634b2e681de71effd463591 ] + +This reuse __check_timeout on hci_sched_le following the same logic +used hci_sched_acl. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Stable-dep-of: 932021a11805 ("Bluetooth: hci_core: Fix LE quote calculation") +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 504f6aa4e95db..0221aa5785052 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4116,15 +4116,10 @@ static void hci_sched_le(struct hci_dev *hdev) + if (!hci_conn_num(hdev, LE_LINK)) + return; + +- if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { +- /* LE tx timeout must be longer than maximum +- * link supervision timeout (40.9 seconds) */ +- if (!hdev->le_cnt && hdev->le_pkts && +- time_after(jiffies, hdev->le_last_tx + HZ * 45)) +- hci_link_tx_to(hdev, LE_LINK); +- } +- + cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt; ++ ++ __check_timeout(hdev, cnt); ++ + tmp = cnt; + while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) { + u32 priority = (skb_peek(&chan->data_q))->priority; +-- +2.43.0 + diff --git a/queue-4.19/ipv6-prevent-uaf-in-ip6_send_skb.patch b/queue-4.19/ipv6-prevent-uaf-in-ip6_send_skb.patch new file mode 100644 index 00000000000..2f536afc883 --- /dev/null +++ b/queue-4.19/ipv6-prevent-uaf-in-ip6_send_skb.patch 
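Review bot: Taken on its own, this patch regresses LE link supervision in `hci_sched_le`: the removed block only fired when `hdev->le_pkts` was set and used `hdev->le_last_tx` with `hci_link_tx_to(hdev, LE_LINK)`, whereas the `__check_timeout(hdev, cnt)` that replaces it (its pre-fix body is visible in the removed lines of the next queued patch) reads `hdev->acl_last_tx` and tears down `ACL_LINK` connections, and it is now also reached with `cnt` taken from `acl_cnt` when the controller has no dedicated LE buffers. The tree is only correct again once `bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch` lands, so a bisection or partial pick of this queue that stops here will drop ACL links from the LE scheduler. The `Stable-dep-of:` trailer records why the patch is carried but not that this intermediate state is broken; a sentence to that effect in the queue commit, or squashing the two dependencies, would spare the next backporter the surprise. The body of `hci_sched_le` continues outside the hunk.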
@@ -0,0 +1,158 @@ +From cd66cdc3d320a337c66f9b611be936fc8849bb3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 16:08:57 +0000 +Subject: ipv6: prevent UAF in ip6_send_skb() + +From: Eric Dumazet + +[ Upstream commit faa389b2fbaaec7fd27a390b4896139f9da662e3 ] + +syzbot reported an UAF in ip6_send_skb() [1] + +After ip6_local_out() has returned, we no longer can safely +dereference rt, unless we hold rcu_read_lock(). + +A similar issue has been fixed in commit +a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()") + +Another potential issue in ip6_finish_output2() is handled in a +separate patch. + +[1] + BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 +Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 + +CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 + rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 + rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x1a6/0x270 net/socket.c:745 + sock_write_iter+0x2dd/0x400 net/socket.c:1160 + do_iter_readv_writev+0x60a/0x890 + vfs_writev+0x37c/0xbb0 fs/read_write.c:971 + do_writev+0x1b1/0x350 fs/read_write.c:1018 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f936bf79e79 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff 
ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 +RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 +RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 + + +Allocated by task 6530: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + unpoison_slab_object mm/kasan/common.c:312 [inline] + __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook mm/slub.c:3988 [inline] + slab_alloc_node mm/slub.c:4037 [inline] + kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 + dst_alloc+0x12b/0x190 net/core/dst.c:89 + ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 + make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] + xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 + ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 + rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x1a6/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 + ___sys_sendmsg net/socket.c:2651 [inline] + __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 45: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 + poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 + __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 + kasan_slab_free include/linux/kasan.h:184 [inline] + slab_free_hook mm/slub.c:2252 [inline] + slab_free mm/slub.c:4473 
[inline] + kmem_cache_free+0x145/0x350 mm/slub.c:4548 + dst_destroy+0x2ac/0x460 net/core/dst.c:124 + rcu_do_batch kernel/rcu/tree.c:2569 [inline] + rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2843 + handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 + __do_softirq kernel/softirq.c:588 [inline] + invoke_softirq kernel/softirq.c:428 [inline] + __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] + sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 + asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 + +Last potentially related work creation: + kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 + __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 + __call_rcu_common kernel/rcu/tree.c:3106 [inline] + call_rcu+0x167/0xa70 kernel/rcu/tree.c:3210 + refdst_drop include/net/dst.h:263 [inline] + skb_dst_drop include/net/dst.h:275 [inline] + nf_ct_frag6_queue net/ipv6/netfilter/nf_conntrack_reasm.c:306 [inline] + nf_ct_frag6_gather+0xb9a/0x2080 net/ipv6/netfilter/nf_conntrack_reasm.c:485 + ipv6_defrag+0x2c8/0x3c0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:67 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + __ip6_local_out+0x6fa/0x800 net/ipv6/output_core.c:143 + ip6_local_out+0x26/0x70 net/ipv6/output_core.c:153 + ip6_send_skb+0x112/0x230 net/ipv6/ip6_output.c:1959 + rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 + rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x1a6/0x270 net/socket.c:745 + sock_write_iter+0x2dd/0x400 net/socket.c:1160 + do_iter_readv_writev+0x60a/0x890 + +Fixes: 0625491493d9 ("ipv6: ip6_push_pending_frames() should increment IPSTATS_MIB_OUTDISCARDS") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: 
David Ahern +Link: https://patch.msgid.link/20240820160859.3786976-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 0872df066a4e5..52f0ddb3835b0 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1757,6 +1757,7 @@ int ip6_send_skb(struct sk_buff *skb) + struct rt6_info *rt = (struct rt6_info *)skb_dst(skb); + int err; + ++ rcu_read_lock(); + err = ip6_local_out(net, skb->sk, skb); + if (err) { + if (err > 0) +@@ -1766,6 +1767,7 @@ int ip6_send_skb(struct sk_buff *skb) + IPSTATS_MIB_OUTDISCARDS); + } + ++ rcu_read_unlock(); + return err; + } + +-- +2.43.0 + diff --git a/queue-4.19/kcm-serialise-kcm_sendmsg-for-the-same-socket.patch b/queue-4.19/kcm-serialise-kcm_sendmsg-for-the-same-socket.patch new file mode 100644 index 00000000000..c587c067890 --- /dev/null +++ b/queue-4.19/kcm-serialise-kcm_sendmsg-for-the-same-socket.patch 
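Review bot: The new `rcu_read_lock()` in `ip6_send_skb` carries no comment, and the reason for it is not visible from the two lines around it: `rt` is taken from `skb_dst(skb)` before `ip6_local_out()`, which can drop the skb's dst reference inside a netfilter hook (the report above shows `nf_ct_frag6_gather` doing exactly that, with `dst_destroy` running later from an RCU callback), and the error path then dereferences `rt` for the stats update. A line such as `/* ip6_local_out() may drop skb's dst (e.g. nf defrag); hold RCU so rt stays valid for the error path below */` above the lock would keep the next reader from "simplifying" it away. Note that the protection depends on dst release going through `call_rcu`, which the trace confirms for this path. The start of `ip6_send_skb` (where `net` is derived) is outside the hunk.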
@@ -0,0 +1,223 @@ +From b124e949c367f9b7b178e239c555fa9eccf434b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 15:04:37 -0700 +Subject: kcm: Serialise kcm_sendmsg() for the same socket. + +From: Kuniyuki Iwashima + +[ Upstream commit 807067bf014d4a3ae2cc55bd3de16f22a01eb580 ] + +syzkaller reported UAF in kcm_release(). [0] + +The scenario is + + 1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb. + + 2. Thread A resumes building skb from kcm->seq_skb but is blocked + by sk_stream_wait_memory() + + 3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb + and puts the skb to the write queue + + 4. Thread A faces an error and finally frees skb that is already in the + write queue + + 5. kcm_release() does double-free the skb in the write queue + +When a thread is building a MSG_MORE skb, another thread must not touch it. + +Let's add a per-sk mutex and serialise kcm_sendmsg(). + +[0]: +BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] +BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] +BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] +BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] +BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 +Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 + +CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +Call trace: + dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 + show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x178/0x518 mm/kasan/report.c:488 + 
kasan_report+0xd8/0x138 mm/kasan/report.c:601 + __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 + __skb_unlink include/linux/skbuff.h:2366 [inline] + __skb_dequeue include/linux/skbuff.h:2385 [inline] + __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] + __skb_queue_purge include/linux/skbuff.h:3181 [inline] + kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 + __sock_release net/socket.c:659 [inline] + sock_close+0xa4/0x1e8 net/socket.c:1421 + __fput+0x30c/0x738 fs/file_table.c:376 + ____fput+0x20/0x30 fs/file_table.c:404 + task_work_run+0x230/0x2e0 kernel/task_work.c:180 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0x618/0x1f64 kernel/exit.c:871 + do_group_exit+0x194/0x22c kernel/exit.c:1020 + get_signal+0x1500/0x15ec kernel/signal.c:2893 + do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 + do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 + exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] + exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] + el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 + el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 + el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 + +Allocated by task 6166: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x40/0x78 mm/kasan/common.c:68 + kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 + unpoison_slab_object mm/kasan/common.c:314 [inline] + __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook mm/slub.c:3813 [inline] + slab_alloc_node mm/slub.c:3860 [inline] + kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 + __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 + alloc_skb include/linux/skbuff.h:1296 [inline] + kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + sock_sendmsg+0x220/0x2c0 
net/socket.c:768 + splice_to_socket+0x7cc/0xd58 fs/splice.c:889 + do_splice_from fs/splice.c:941 [inline] + direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 + splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 + do_splice_direct_actor fs/splice.c:1207 [inline] + do_splice_direct+0x1e4/0x304 fs/splice.c:1233 + do_sendfile+0x460/0xb3c fs/read_write.c:1295 + __do_sys_sendfile64 fs/read_write.c:1362 [inline] + __se_sys_sendfile64 fs/read_write.c:1348 [inline] + __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1348 + __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 + el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 + el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 + +Freed by task 6167: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x40/0x78 mm/kasan/common.c:68 + kasan_save_free_info+0x5c/0x74 mm/kasan/generic.c:640 + poison_slab_object+0x124/0x18c mm/kasan/common.c:241 + __kasan_slab_free+0x3c/0x78 mm/kasan/common.c:257 + kasan_slab_free include/linux/kasan.h:184 [inline] + slab_free_hook mm/slub.c:2121 [inline] + slab_free mm/slub.c:4299 [inline] + kmem_cache_free+0x15c/0x3d4 mm/slub.c:4363 + kfree_skbmem+0x10c/0x19c + __kfree_skb net/core/skbuff.c:1109 [inline] + kfree_skb_reason+0x240/0x6f4 net/core/skbuff.c:1144 + kfree_skb include/linux/skbuff.h:1244 [inline] + kcm_release+0x104/0x4c8 net/kcm/kcmsock.c:1685 + __sock_release net/socket.c:659 [inline] + sock_close+0xa4/0x1e8 net/socket.c:1421 + __fput+0x30c/0x738 fs/file_table.c:376 + ____fput+0x20/0x30 fs/file_table.c:404 + task_work_run+0x230/0x2e0 kernel/task_work.c:180 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0x618/0x1f64 kernel/exit.c:871 + do_group_exit+0x194/0x22c kernel/exit.c:1020 + 
get_signal+0x1500/0x15ec kernel/signal.c:2893 + do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 + do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 + exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] + exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] + el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 + el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 + el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 + +The buggy address belongs to the object at ffff0000ced0fc80 + which belongs to the cache skbuff_head_cache of size 240 +The buggy address is located 0 bytes inside of + freed 240-byte region [ffff0000ced0fc80, ffff0000ced0fd70) + +The buggy address belongs to the physical page: +page:00000000d35f4ae4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ed0f +flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff) +page_type: 0xffffffff() +raw: 05ffc00000000800 ffff0000c1cbf640 fffffdffc3423100 dead000000000004 +raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff0000ced0fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff0000ced0fc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc +>ffff0000ced0fc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff0000ced0fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc + ffff0000ced0fd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Reported-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b72d86aa5df17ce74c60 +Tested-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240815220437.69511-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: 
Sasha Levin +--- + include/net/kcm.h | 1 + + net/kcm/kcmsock.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/include/net/kcm.h b/include/net/kcm.h +index 2a8965819db0f..2dc5e926dd3f6 100644 +--- a/include/net/kcm.h ++++ b/include/net/kcm.h +@@ -73,6 +73,7 @@ struct kcm_sock { + struct work_struct tx_work; + struct list_head wait_psock_list; + struct sk_buff *seq_skb; ++ struct mutex tx_mutex; + u32 tx_stopped : 1; + + /* Don't use bit fields here, these are set under different locks */ +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 45450f0fd9acb..b8b2b2cb6bdb7 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -912,6 +912,7 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + !(msg->msg_flags & MSG_MORE) : !!(msg->msg_flags & MSG_EOR); + int err = -EPIPE; + ++ mutex_lock(&kcm->tx_mutex); + lock_sock(sk); + + /* Per tcp_sendmsg this should be in poll */ +@@ -1060,6 +1061,7 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + KCM_STATS_ADD(kcm->stats.tx_bytes, copied); + + release_sock(sk); ++ mutex_unlock(&kcm->tx_mutex); + return copied; + + out_error: +@@ -1085,6 +1087,7 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + sk->sk_write_space(sk); + + release_sock(sk); ++ mutex_unlock(&kcm->tx_mutex); + return err; + } + +@@ -1327,6 +1330,7 @@ static void init_kcm_sock(struct kcm_sock *kcm, struct kcm_mux *mux) + spin_unlock_bh(&mux->lock); + + INIT_WORK(&kcm->tx_work, kcm_tx_work); ++ mutex_init(&kcm->tx_mutex); + + spin_lock_bh(&mux->rx_lock); + kcm_rcv_ready(kcm); +-- +2.43.0 + diff --git a/queue-4.19/net-xilinx-axienet-always-disable-promiscuous-mode.patch b/queue-4.19/net-xilinx-axienet-always-disable-promiscuous-mode.patch new file mode 100644 index 00000000000..77df704c125 --- /dev/null +++ b/queue-4.19/net-xilinx-axienet-always-disable-promiscuous-mode.patch 
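Review bot: The new `tx_mutex` is taken only in `kcm_sendmsg`, but the upstream report reaches that function from `sendfile()` via `splice_to_socket -> sock_sendmsg`, whereas a 4.19 tree routes splice through a separate `kcm_sendpage()`; if that function still builds and completes `kcm->seq_skb` under `lock_sock()` alone, it remains an unserialised writer of the same MSG_MORE skb and the reported double free stays reachable through `sendfile()`. That function is not on this page, so please check it and, if it touches `seq_skb`, wrap it in the same `mutex_lock(&kcm->tx_mutex); ... mutex_unlock(&kcm->tx_mutex);` pair around its `lock_sock`/`release_sock`, keeping the lock order (mutex outside the socket lock) identical in both callers. The new field would also benefit from a one-line comment in `struct kcm_sock`: `struct mutex tx_mutex; /* serialises builders of the MSG_MORE seq_skb */`. The body of `kcm_sendmsg` between the hunks is outside this view.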
@@ -0,0 +1,42 @@ +From 9d99c12fd7333e0a060d22d57937079265f874e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 11:40:55 -0400 +Subject: net: xilinx: axienet: Always disable promiscuous mode + +From: Sean Anderson + +[ Upstream commit 4ae738dfef2c0323752ab81786e2d298c9939321 ] + +If promiscuous mode is disabled when there are fewer than four multicast +addresses, then it will not be reflected in the hardware. Fix this by +always clearing the promiscuous mode flag even when we program multicast +addresses. + +Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") +Signed-off-by: Sean Anderson +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240822154059.1066595-2-sean.anderson@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 299162a74939f..71593b1a90e87 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -375,6 +375,10 @@ static void axienet_set_multicast_list(struct net_device *ndev) + } else if (!netdev_mc_empty(ndev)) { + struct netdev_hw_addr *ha; + ++ reg = axienet_ior(lp, XAE_FMI_OFFSET); ++ reg &= ~XAE_FMI_PM_MASK; ++ axienet_iow(lp, XAE_FMI_OFFSET, reg); ++ + i = 0; + netdev_for_each_mc_addr(ha, ndev) { + if (i >= XAE_MULTICAST_CAM_TABLE_NUM) +-- +2.43.0 + diff --git a/queue-4.19/netfilter-nft_counter-synchronize-nft_counter_reset-.patch b/queue-4.19/netfilter-nft_counter-synchronize-nft_counter_reset-.patch new file mode 100644 index 00000000000..b979c67e571 --- /dev/null +++ b/queue-4.19/netfilter-nft_counter-synchronize-nft_counter_reset-.patch 
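Review bot: The added read-modify-write of `XAE_FMI_OFFSET` has no comment saying why promiscuous mode is cleared on this branch, and the rest of `axienet_set_multicast_list` is outside the hunk, so the next reader cannot tell it from a stray copy of the promiscuous-enable path; a line such as `/* PM is sticky in hardware: clear it here, otherwise a previous promiscuous enable survives a switch to CAM filtering */` above the readback would carry the commit message's reasoning into the code. The same `reg` variable is then reused by the CAM programming loop below the hunk; confirm that loop re-reads the register rather than relying on the value left here, since what it does with `reg` is not visible on this page. Clearing `XAE_FMI_PM_MASK` before the new CAM entries are written also leaves a short window in which addresses not yet programmed are dropped; if the hardware allows it, doing the clear after the loop would remove that window, and if the order is deliberate the comment should say so.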
@@ -0,0 +1,50 @@ +From cd9bc73ce3faeb4c3913bd409c186d7d1001740b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 09:54:31 +0200 +Subject: netfilter: nft_counter: Synchronize nft_counter_reset() against + reader. + +From: Sebastian Andrzej Siewior + +[ Upstream commit a0b39e2dc7017ac667b70bdeee5293e410fab2fb ] + +nft_counter_reset() resets the counter by subtracting the previously +retrieved value from the counter. This is a write operation on the +counter and as such it requires to be performed with a write sequence of +nft_counter_seq to serialize against its possible reader. + +Update the packets/ bytes within write-sequence of nft_counter_seq. + +Fixes: d84701ecbcd6a ("netfilter: nft_counter: rework atomic dump and reset") +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_counter.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c +index a61d7edfc290d..b4a4ed00506f1 100644 +--- a/net/netfilter/nft_counter.c ++++ b/net/netfilter/nft_counter.c +@@ -108,11 +108,16 @@ static void nft_counter_reset(struct nft_counter_percpu_priv __percpu *priv, + struct nft_counter *total) + { + struct nft_counter *this_cpu; ++ seqcount_t *myseq; + + local_bh_disable(); + this_cpu = this_cpu_ptr(priv->counter); ++ myseq = this_cpu_ptr(&nft_counter_seq); ++ ++ write_seqcount_begin(myseq); + this_cpu->packets -= total->packets; + this_cpu->bytes -= total->bytes; ++ write_seqcount_end(myseq); + local_bh_enable(); + } + +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 8100fcbdd81..751022434f6 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
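Review bot: The new write section in `nft_counter_reset` does not say what it pairs with: the seqcount is per-CPU and taken via `this_cpu_ptr` after `local_bh_disable()`, so a fetch-side reader on another CPU is what the sequence protects against, and the bh-disable is what keeps the packet-path writer on this CPU from nesting a write inside this one. A short comment above `write_seqcount_begin(myseq)`, e.g. `/* write side of the per-cpu seqcount the fetch path reads; bh stays off so the eval path cannot nest on this CPU */`, would make both requirements explicit. The subtraction only touches this CPU's counter and can leave it below what other CPUs contributed, which is how the existing code already behaved and presumably what a cross-CPU summing reader expects, so no change is proposed there; just confirm the reader in this 4.19 tree really uses `read_seqcount_begin` on the same per-cpu `nft_counter_seq`, which is not visible on this page.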
@@ -51,3 +51,10 @@ nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch
 hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch
 gtp-pull-network-headers-in-gtp_dev_xmit.patch
 block-use-unsigned-long-for-blk_validate_block_size.patch
+bluetooth-make-use-of-__check_timeout-on-hci_sched_l.patch
+bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch
+bluetooth-hci_core-fix-le-quote-calculation.patch
+kcm-serialise-kcm_sendmsg-for-the-same-socket.patch
+netfilter-nft_counter-synchronize-nft_counter_reset-.patch
+ipv6-prevent-uaf-in-ip6_send_skb.patch
+net-xilinx-axienet-always-disable-promiscuous-mode.patch