From 84edb75beeb4dd99ab39fc84c158dcf8a8d224cd Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 30 Jul 2022 16:47:13 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_chan_put.patch
ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch
s390-archrandom-prevent-cpacf-trng-invocations-in-interrupt-context.patch
tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch
tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch
tcp-fix-a-data-race-around-sysctl_tcp_frto.patch
tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch
tcp-fix-data-races-around-sysctl_tcp_dsack.patch
---
 ...-after-free-caused-by-l2cap_chan_put.patch | 264 ++++++++++++++++++
 ...s-fix-use-after-free-in-ntfs_ucsncmp.patch | 107 +++++++
 ...rng-invocations-in-interrupt-context.patch | 125 +++++++++
 queue-4.19/series | 8 +
 ...race-around-sysctl_tcp_adv_win_scale.patch | 31 ++
 ...-data-race-around-sysctl_tcp_app_win.patch | 31 ++
 ...x-a-data-race-around-sysctl_tcp_frto.patch | 31 ++
 ...ace-around-sysctl_tcp_nometrics_save.patch | 31 ++
 ...x-data-races-around-sysctl_tcp_dsack.patch | 40 +++
 9 files changed, 668 insertions(+)
 create mode 100644 queue-4.19/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_chan_put.patch
 create mode 100644 queue-4.19/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch
 create mode 100644 queue-4.19/s390-archrandom-prevent-cpacf-trng-invocations-in-interrupt-context.patch
 create mode 100644 queue-4.19/series
 create mode 100644 queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch
 create mode 100644 queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch
 create mode 100644 queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_frto.patch
 create mode 100644 queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch
 create mode 100644 queue-4.19/tcp-fix-data-races-around-sysctl_tcp_dsack.patch
diff --git a/queue-4.19/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_chan_put.patch b/queue-4.19/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_chan_put.patch
new file mode 100644
index 00000000000..0a00942f19f
--- /dev/null
+++ b/queue-4.19/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_chan_put.patch
@@ -0,0 +1,264 @@ +From d0be8347c623e0ac4202a1d4e0373882821f56b0 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Thu, 21 Jul 2022 09:10:50 -0700 +Subject: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put + +From: Luiz Augusto von Dentz + +commit d0be8347c623e0ac4202a1d4e0373882821f56b0 upstream. + +This fixes the following trace which is caused by hci_rx_work starting up +*after* the final channel reference has been put() during sock_close() but +*before* the references to the channel have been destroyed, so instead +the code now rely on kref_get_unless_zero/l2cap_chan_hold_unless_zero to +prevent referencing a channel that is about to be destroyed. + + refcount_t: increment on 0; use-after-free. + BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0 + Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705 + + CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S W + 4.14.234-00003-g1fb6d0bd49a4-dirty #28 + Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 + Google Inc. 
MSM sm8150 Flame DVT (DT) + Workqueue: hci0 hci_rx_work + Call trace: + dump_backtrace+0x0/0x378 + show_stack+0x20/0x2c + dump_stack+0x124/0x148 + print_address_description+0x80/0x2e8 + __kasan_report+0x168/0x188 + kasan_report+0x10/0x18 + __asan_load4+0x84/0x8c + refcount_dec_and_test+0x20/0xd0 + l2cap_chan_put+0x48/0x12c + l2cap_recv_frame+0x4770/0x6550 + l2cap_recv_acldata+0x44c/0x7a4 + hci_acldata_packet+0x100/0x188 + hci_rx_work+0x178/0x23c + process_one_work+0x35c/0x95c + worker_thread+0x4cc/0x960 + kthread+0x1a8/0x1c4 + ret_from_fork+0x10/0x18 + +Cc: stable@kernel.org +Reported-by: Lee Jones +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Lee Jones +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/l2cap.h | 1 + net/bluetooth/l2cap_core.c | 61 +++++++++++++++++++++++++++++++++--------- + 2 files changed, 49 insertions(+), 13 deletions(-) + +--- a/include/net/bluetooth/l2cap.h ++++ b/include/net/bluetooth/l2cap.h +@@ -798,6 +798,7 @@ enum { + }; + + void l2cap_chan_hold(struct l2cap_chan *c); ++struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c); + void l2cap_chan_put(struct l2cap_chan *c); + + static inline void l2cap_chan_lock(struct l2cap_chan *chan) +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -113,7 +113,8 @@ static struct l2cap_chan *__l2cap_get_ch + } + + /* Find channel with given SCID. +- * Returns locked channel. */ ++ * Returns a reference locked channel. ++ */ + static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, + u16 cid) + { +@@ -121,15 +122,19 @@ static struct l2cap_chan *l2cap_get_chan + + mutex_lock(&conn->chan_lock); + c = __l2cap_get_chan_by_scid(conn, cid); +- if (c) +- l2cap_chan_lock(c); ++ if (c) { ++ /* Only lock if chan reference is not 0 */ ++ c = l2cap_chan_hold_unless_zero(c); ++ if (c) ++ l2cap_chan_lock(c); ++ } + mutex_unlock(&conn->chan_lock); + + return c; + } + + /* Find channel with given DCID. 
+- * Returns locked channel. ++ * Returns a reference locked channel. + */ + static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, + u16 cid) +@@ -138,8 +143,12 @@ static struct l2cap_chan *l2cap_get_chan + + mutex_lock(&conn->chan_lock); + c = __l2cap_get_chan_by_dcid(conn, cid); +- if (c) +- l2cap_chan_lock(c); ++ if (c) { ++ /* Only lock if chan reference is not 0 */ ++ c = l2cap_chan_hold_unless_zero(c); ++ if (c) ++ l2cap_chan_lock(c); ++ } + mutex_unlock(&conn->chan_lock); + + return c; +@@ -164,8 +173,12 @@ static struct l2cap_chan *l2cap_get_chan + + mutex_lock(&conn->chan_lock); + c = __l2cap_get_chan_by_ident(conn, ident); +- if (c) +- l2cap_chan_lock(c); ++ if (c) { ++ /* Only lock if chan reference is not 0 */ ++ c = l2cap_chan_hold_unless_zero(c); ++ if (c) ++ l2cap_chan_lock(c); ++ } + mutex_unlock(&conn->chan_lock); + + return c; +@@ -491,6 +504,16 @@ void l2cap_chan_hold(struct l2cap_chan * + kref_get(&c->kref); + } + ++struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) ++{ ++ BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); ++ ++ if (!kref_get_unless_zero(&c->kref)) ++ return NULL; ++ ++ return c; ++} ++ + void l2cap_chan_put(struct l2cap_chan *c) + { + BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref)); +@@ -1803,7 +1826,10 @@ static struct l2cap_chan *l2cap_global_c + src_match = !bacmp(&c->src, src); + dst_match = !bacmp(&c->dst, dst); + if (src_match && dst_match) { +- l2cap_chan_hold(c); ++ c = l2cap_chan_hold_unless_zero(c); ++ if (!c) ++ continue; ++ + read_unlock(&chan_list_lock); + return c; + } +@@ -1818,7 +1844,7 @@ static struct l2cap_chan *l2cap_global_c + } + + if (c1) +- l2cap_chan_hold(c1); ++ c1 = l2cap_chan_hold_unless_zero(c1); + + read_unlock(&chan_list_lock); + +@@ -4204,6 +4230,7 @@ static inline int l2cap_config_req(struc + + unlock: + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + return err; + } + +@@ -4316,6 +4343,7 @@ static inline int l2cap_config_rsp(struc + + 
done: + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + return err; + } + +@@ -5044,6 +5072,7 @@ send_move_response: + l2cap_send_move_chan_rsp(chan, result); + + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + + return 0; + } +@@ -5136,6 +5165,7 @@ static void l2cap_move_continue(struct l + } + + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + } + + static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid, +@@ -5165,6 +5195,7 @@ static void l2cap_move_fail(struct l2cap + l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED); + + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + } + + static int l2cap_move_channel_rsp(struct l2cap_conn *conn, +@@ -5228,6 +5259,7 @@ static int l2cap_move_channel_confirm(st + l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid); + + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + + return 0; + } +@@ -5263,6 +5295,7 @@ static inline int l2cap_move_channel_con + } + + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + + return 0; + } +@@ -5635,12 +5668,11 @@ static inline int l2cap_le_credits(struc + if (credits > max_credits) { + BT_ERR("LE credits overflow"); + l2cap_send_disconn_req(chan, ECONNRESET); +- l2cap_chan_unlock(chan); + + /* Return 0 so that we don't trigger an unnecessary + * command reject packet. + */ +- return 0; ++ goto unlock; + } + + chan->tx_credits += credits; +@@ -5651,7 +5683,9 @@ static inline int l2cap_le_credits(struc + if (chan->tx_credits) + chan->ops->resume(chan); + ++unlock: + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + + return 0; + } +@@ -6949,6 +6983,7 @@ drop: + + done: + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + } + + static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, +@@ -7353,7 +7388,7 @@ static struct l2cap_chan *l2cap_global_f + if (src_type != c->src_type) + continue; + +- l2cap_chan_hold(c); ++ c = l2cap_chan_hold_unless_zero(c); + read_unlock(&chan_list_lock); + return c; + } 
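Review bot: In the `@@ -1803,7 +1826,10 @@ static struct l2cap_chan *l2cap_global_c` sub-hunk, `c = l2cap_chan_hold_unless_zero(c); if (!c) continue;` overwrites `c` with NULL before continuing, and if `c` is the cursor of a `list_for_each_entry()` loop (the loop header is outside the hunk; this is inferred from the `read_unlock(&chan_list_lock)` and the `continue`) the next iteration advances from a NULL cursor and dereferences it. Test the result without clobbering the cursor: `if (!l2cap_chan_hold_unless_zero(c)) continue;`. The second site in the same sub-hunk, `c1 = l2cap_chan_hold_unless_zero(c1);`, is fine because `c1` is only consumed after the loop has been left. Separately, every caller of l2cap_get_chan_by_{scid,dcid,ident} now owns a reference, so any caller in the full file that this patch did not touch and that exits without `l2cap_chan_put()` leaks a channel; only the callers changed here are visible, so the remaining ones should be audited against the whole l2cap_core.c.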
diff --git a/queue-4.19/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch b/queue-4.19/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch
new file mode 100644
index 00000000000..75937219c57
--- /dev/null
+++ b/queue-4.19/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch
@@ -0,0 +1,107 @@ +From 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 Mon Sep 17 00:00:00 2001 +From: ChenXiaoSong +Date: Thu, 7 Jul 2022 18:53:29 +0800 +Subject: ntfs: fix use-after-free in ntfs_ucsncmp() + +From: ChenXiaoSong + +commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 upstream. + +Syzkaller reported use-after-free bug as follows: + +================================================================== +BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130 +Read of size 2 at addr ffff8880751acee8 by task a.out/879 + +CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + dump_stack_lvl+0x1c0/0x2b0 + print_address_description.constprop.0.cold+0xd4/0x484 + print_report.cold+0x55/0x232 + kasan_report+0xbf/0xf0 + ntfs_ucsncmp+0x123/0x130 + ntfs_are_names_equal.cold+0x2b/0x41 + ntfs_attr_find+0x43b/0xb90 + ntfs_attr_lookup+0x16d/0x1e0 + ntfs_read_locked_attr_inode+0x4aa/0x2360 + ntfs_attr_iget+0x1af/0x220 + ntfs_read_locked_inode+0x246c/0x5120 + ntfs_iget+0x132/0x180 + load_system_files+0x1cc6/0x3480 + ntfs_fill_super+0xa66/0x1cf0 + mount_bdev+0x38d/0x460 + legacy_get_tree+0x10d/0x220 + vfs_get_tree+0x93/0x300 + do_new_mount+0x2da/0x6d0 + path_mount+0x496/0x19d0 + __x64_sys_mount+0x284/0x300 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 +RIP: 0033:0x7f3f2118d9ea +Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea +RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00 +RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44 +R10: 0000000000000000 R11: 0000000000000202 R12: 
000055f81ab1d220 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The buggy address belongs to the physical page: +page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac +memcg:ffff888101f7e180 +anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff) +raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201 +raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ^ + ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +================================================================== + +The reason is that struct ATTR_RECORD->name_offset is 6485, end address of +name string is out of bounds. + +Fix this by adding sanity check on end address of attribute name string. 
+
+[akpm@linux-foundation.org: coding-style cleanups]
+[chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei]
+ Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@huawei.com
+Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huawei.com
+Signed-off-by: ChenXiaoSong
+Signed-off-by: Hawkins Jiawei
+Cc: Anton Altaparmakov
+Cc: ChenXiaoSong
+Cc: Yongqiang Liu
+Cc: Zhang Yi
+Cc: Zhang Xiaoxu
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs/attrib.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/ntfs/attrib.c
++++ b/fs/ntfs/attrib.c
+@@ -606,8 +606,12 @@ static int ntfs_attr_find(const ATTR_TYP
+ a = (ATTR_RECORD*)((u8*)ctx->attr +
+ le32_to_cpu(ctx->attr->length));
+ for (;; a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) {
+- if ((u8*)a < (u8*)ctx->mrec || (u8*)a > (u8*)ctx->mrec +
+- le32_to_cpu(ctx->mrec->bytes_allocated))
++ u8 *mrec_end = (u8 *)ctx->mrec +
++ le32_to_cpu(ctx->mrec->bytes_allocated);
++ u8 *name_end = (u8 *)a + le16_to_cpu(a->name_offset) +
++ a->name_length * sizeof(ntfschar);
++ if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end ||
++ name_end > mrec_end)
+ break;
+ ctx->attr = a;
+ if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) ||
diff --git a/queue-4.19/s390-archrandom-prevent-cpacf-trng-invocations-in-interrupt-context.patch b/queue-4.19/s390-archrandom-prevent-cpacf-trng-invocations-in-interrupt-context.patch
new file mode 100644
index 00000000000..2f13db206c8
--- /dev/null
+++ b/queue-4.19/s390-archrandom-prevent-cpacf-trng-invocations-in-interrupt-context.patch
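Review bot: The new `name_end` initializer in the ntfs_attr_find() hunk dereferences `a->name_offset` and `a->name_length` before the `(u8*)a > mrec_end` test has run, and that test only bounds the start of the record, so an attribute record that begins within the last few bytes of `bytes_allocated` still reads those header fields past the end of the MFT record buffer. Check the fixed header before reading any of its fields, then derive and check `name_end`; the bound below assumes `name_offset` is the last of the fields read and that ATTR_RECORD's declaration (not in the hunk) keeps `type`, `length`, `name_length` and `name_offset` ahead of it, which should be confirmed against layout.h. The loop increment's `a->length` is likewise consumed unchecked (a zero or oversized length is a pre-existing problem this commit does not address). The rest of ntfs_attr_find() lies outside the hunk.
```c
	for (;; a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) {
		u8 *mrec_end = (u8 *)ctx->mrec +
			       le32_to_cpu(ctx->mrec->bytes_allocated);
		u8 *name_end;

		/* Bound the fixed header before reading any of its fields. */
		if ((u8 *)a < (u8 *)ctx->mrec ||
		    (u8 *)a + offsetof(ATTR_RECORD, name_offset) +
		    sizeof(a->name_offset) > mrec_end)
			break;
		name_end = (u8 *)a + le16_to_cpu(a->name_offset) +
			   a->name_length * sizeof(ntfschar);
		if (name_end > mrec_end)
			break;
		/* … unchanged: ctx->attr = a; type and name comparisons … */
```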
@@ -0,0 +1,125 @@ +From 918e75f77af7d2e049bb70469ec0a2c12782d96a Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Wed, 13 Jul 2022 15:17:21 +0200 +Subject: s390/archrandom: prevent CPACF trng invocations in interrupt context + +From: Harald Freudenberger + +commit 918e75f77af7d2e049bb70469ec0a2c12782d96a upstream. + +This patch slightly reworks the s390 arch_get_random_seed_{int,long} +implementation: Make sure the CPACF trng instruction is never +called in any interrupt context. This is done by adding an +additional condition in_task(). + +Justification: + +There are some constrains to satisfy for the invocation of the +arch_get_random_seed_{int,long}() functions: +- They should provide good random data during kernel initialization. +- They should not be called in interrupt context as the TRNG + instruction is relatively heavy weight and may for example + make some network loads cause to timeout and buck. + +However, it was not clear what kind of interrupt context is exactly +encountered during kernel init or network traffic eventually calling +arch_get_random_seed_long(). + +After some days of investigations it is clear that the s390 +start_kernel function is not running in any interrupt context and +so the trng is called: + +Jul 11 18:33:39 t35lp54 kernel: [<00000001064e90ca>] arch_get_random_seed_long.part.0+0x32/0x70 +Jul 11 18:33:39 t35lp54 kernel: [<000000010715f246>] random_init+0xf6/0x238 +Jul 11 18:33:39 t35lp54 kernel: [<000000010712545c>] start_kernel+0x4a4/0x628 +Jul 11 18:33:39 t35lp54 kernel: [<000000010590402a>] startup_continue+0x2a/0x40 + +The condition in_task() is true and the CPACF trng provides random data +during kernel startup. + +The network traffic however, is more difficult. 
A typical call stack +looks like this: + +Jul 06 17:37:07 t35lp54 kernel: [<000000008b5600fc>] extract_entropy.constprop.0+0x23c/0x240 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b560136>] crng_reseed+0x36/0xd8 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b5604b8>] crng_make_state+0x78/0x340 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b5607e0>] _get_random_bytes+0x60/0xf8 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b56108a>] get_random_u32+0xda/0x248 +Jul 06 17:37:07 t35lp54 kernel: [<000000008aefe7a8>] kfence_guarded_alloc+0x48/0x4b8 +Jul 06 17:37:07 t35lp54 kernel: [<000000008aeff35e>] __kfence_alloc+0x18e/0x1b8 +Jul 06 17:37:07 t35lp54 kernel: [<000000008aef7f10>] __kmalloc_node_track_caller+0x368/0x4d8 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b611eac>] kmalloc_reserve+0x44/0xa0 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b611f98>] __alloc_skb+0x90/0x178 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b6120dc>] __napi_alloc_skb+0x5c/0x118 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b8f06b4>] qeth_extract_skb+0x13c/0x680 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b8f6526>] qeth_poll+0x256/0x3f8 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b63d76e>] __napi_poll.constprop.0+0x46/0x2f8 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b63dbec>] net_rx_action+0x1cc/0x408 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b937302>] __do_softirq+0x132/0x6b0 +Jul 06 17:37:07 t35lp54 kernel: [<000000008abf46ce>] __irq_exit_rcu+0x13e/0x170 +Jul 06 17:37:07 t35lp54 kernel: [<000000008abf531a>] irq_exit_rcu+0x22/0x50 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b922506>] do_io_irq+0xe6/0x198 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b935826>] io_int_handler+0xd6/0x110 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b9358a6>] psw_idle_exit+0x0/0xa +Jul 06 17:37:07 t35lp54 kernel: ([<000000008ab9c59a>] arch_cpu_idle+0x52/0xe0) +Jul 06 17:37:07 t35lp54 kernel: [<000000008b933cfe>] default_idle_call+0x6e/0xd0 +Jul 06 17:37:07 t35lp54 kernel: [<000000008ac59f4e>] do_idle+0xf6/0x1b0 +Jul 06 
17:37:07 t35lp54 kernel: [<000000008ac5a28e>] cpu_startup_entry+0x36/0x40 +Jul 06 17:37:07 t35lp54 kernel: [<000000008abb0d90>] smp_start_secondary+0x148/0x158 +Jul 06 17:37:07 t35lp54 kernel: [<000000008b935b9e>] restart_int_handler+0x6e/0x90 + +which confirms that the call is in softirq context. So in_task() covers exactly +the cases where we want to have CPACF trng called: not in nmi, not in hard irq, +not in soft irq but in normal task context and during kernel init. + +Signed-off-by: Harald Freudenberger +Acked-by: Jason A. Donenfeld +Reviewed-by: Juergen Christ +Link: https://lore.kernel.org/r/20220713131721.257907-1-freude@linux.ibm.com +Fixes: e4f74400308c ("s390/archrandom: simplify back to earlier design and initialize earlier") +[agordeev@linux.ibm.com changed desc, added Fixes and Link, removed -stable] +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/archrandom.h | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/s390/include/asm/archrandom.h ++++ b/arch/s390/include/asm/archrandom.h +@@ -2,7 +2,7 @@ + /* + * Kernel interface for the s390 arch_random_* functions + * +- * Copyright IBM Corp. 2017, 2020 ++ * Copyright IBM Corp. 
2017, 2022 + * + * Author: Harald Freudenberger + * +@@ -14,6 +14,7 @@ + #ifdef CONFIG_ARCH_RANDOM + + #include ++#include + #include + #include + +@@ -32,7 +33,8 @@ static inline bool __must_check arch_get + + static inline bool __must_check arch_get_random_seed_long(unsigned long *v) + { +- if (static_branch_likely(&s390_arch_random_available)) { ++ if (static_branch_likely(&s390_arch_random_available) && ++ in_task()) { + cpacf_trng(NULL, 0, (u8 *)v, sizeof(*v)); + atomic64_add(sizeof(*v), &s390_arch_random_counter); + return true; +@@ -42,7 +44,8 @@ static inline bool __must_check arch_get + + static inline bool __must_check arch_get_random_seed_int(unsigned int *v) + { +- if (static_branch_likely(&s390_arch_random_available)) { ++ if (static_branch_likely(&s390_arch_random_available) && ++ in_task()) { + cpacf_trng(NULL, 0, (u8 *)v, sizeof(*v)); + atomic64_add(sizeof(*v), &s390_arch_random_counter); + return true; diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..1d38e2c05b4 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,8 @@ +bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_chan_put.patch +ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch +s390-archrandom-prevent-cpacf-trng-invocations-in-interrupt-context.patch +tcp-fix-data-races-around-sysctl_tcp_dsack.patch +tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch +tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch +tcp-fix-a-data-race-around-sysctl_tcp_frto.patch +tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch new file mode 100644 index 00000000000..d6ddf376fc2 --- /dev/null +++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch 
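Review bot: The new `in_task()` condition in arch_get_random_seed_long() and arch_get_random_seed_int() carries no comment, so the reason (the CPACF trng instruction is heavy and must not run from nmi/hardirq/softirq, which only the commit message explains) is invisible to the next reader of the header; suggest above each condition: `/* CPACF trng is slow; only use it from task context, never from nmi/hardirq/softirq. */`. The added `#include` line has lost its operand in this rendering, presumably the header that provides in_task(); confirm the queued file carries the full line. Behaviourally, returning false outside task context makes callers fall back to their non-arch seed path, which is the intended trade-off, but it does mean interrupt-context reseeds no longer get TRNG input, a point worth stating in the comment as well.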
@@ -0,0 +1,31 @@
+From 36eeee75ef0157e42fb6593dcc65daab289b559e Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Wed, 20 Jul 2022 09:50:14 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
+
+From: Kuniyuki Iwashima
+
+commit 36eeee75ef0157e42fb6593dcc65daab289b559e upstream.
+
+While reading sysctl_tcp_adv_win_scale, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/tcp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1355,7 +1355,7 @@ void tcp_select_initial_window(const str
+
+ static inline int tcp_win_from_space(const struct sock *sk, int space)
+ {
+- int tcp_adv_win_scale = sock_net(sk)->ipv4.sysctl_tcp_adv_win_scale;
++ int tcp_adv_win_scale = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_adv_win_scale);
+
+ return tcp_adv_win_scale <= 0 ?
+ (space>>(-tcp_adv_win_scale)) :
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch
new file mode 100644
index 00000000000..a4e74d6c5be
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch
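Review bot: The READ_ONCE() added in tcp_win_from_space() is only the load half of a data-race annotation; the matching WRITE_ONCE() lives in the sysctl store path (the proc_dointvec()/proc_dointvec_minmax() handlers), which this patch does not touch, so unless this tree already carries those handler conversions the store remains a plain write and the race is still reportable. The same caveat applies to the other four tcp sysctl patches queued in this commit. Loading the value into the local `tcp_adv_win_scale` once, as the hunk does, is the right shape: the `<= 0` test and the `space >> (-tcp_adv_win_scale)` shift are guaranteed to see the same value, which two direct reads of the sysctl could not promise. The body of tcp_win_from_space() continues past the hunk.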
@@ -0,0 +1,31 @@
+From 02ca527ac5581cf56749db9fd03d854e842253dd Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Wed, 20 Jul 2022 09:50:13 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_app_win.
+
+From: Kuniyuki Iwashima
+
+commit 02ca527ac5581cf56749db9fd03d854e842253dd upstream.
+
+While reading sysctl_tcp_app_win, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -432,7 +432,7 @@ static void tcp_grow_window(struct sock
+ */
+ void tcp_init_buffer_space(struct sock *sk)
+ {
+- int tcp_app_win = sock_net(sk)->ipv4.sysctl_tcp_app_win;
++ int tcp_app_win = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_app_win);
+ struct tcp_sock *tp = tcp_sk(sk);
+ int maxwin;
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_frto.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_frto.patch
new file mode 100644
index 00000000000..d792df8a3eb
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_frto.patch
@@ -0,0 +1,31 @@
+From 706c6202a3589f290e1ef9be0584a8f4a3cc0507 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Wed, 20 Jul 2022 09:50:15 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_frto.
+
+From: Kuniyuki Iwashima
+
+commit 706c6202a3589f290e1ef9be0584a8f4a3cc0507 upstream.
+
+While reading sysctl_tcp_frto, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2018,7 +2018,7 @@ void tcp_enter_loss(struct sock *sk)
+ * loss recovery is underway except recurring timeout(s) on
+ * the same SND.UNA (sec 3.2). Disable F-RTO on path MTU probing
+ */
+- tp->frto = net->ipv4.sysctl_tcp_frto &&
++ tp->frto = READ_ONCE(net->ipv4.sysctl_tcp_frto) &&
+ (new_recovery || icsk->icsk_retransmits) &&
+ !inet_csk(sk)->icsk_mtup.probe_size;
+ }
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch
new file mode 100644
index 00000000000..52398e90057
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch
@@ -0,0 +1,31 @@
+From 8499a2454d9e8a55ce616ede9f9580f36fd5b0f3 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Wed, 20 Jul 2022 09:50:16 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_nometrics_save.
+
+From: Kuniyuki Iwashima
+
+commit 8499a2454d9e8a55ce616ede9f9580f36fd5b0f3 upstream.
+
+While reading sysctl_tcp_nometrics_save, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_metrics.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_metrics.c
++++ b/net/ipv4/tcp_metrics.c
+@@ -329,7 +329,7 @@ void tcp_update_metrics(struct sock *sk)
+ int m;
+
+ sk_dst_confirm(sk);
+- if (net->ipv4.sysctl_tcp_nometrics_save || !dst)
++ if (READ_ONCE(net->ipv4.sysctl_tcp_nometrics_save) || !dst)
+ return;
+
+ rcu_read_lock();
diff --git a/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_dsack.patch b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_dsack.patch
new file mode 100644
index 00000000000..d951487365f
--- /dev/null
+++ b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_dsack.patch
@@ -0,0 +1,40 @@
+From 58ebb1c8b35a8ef38cd6927431e0fa7b173a632d Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Wed, 20 Jul 2022 09:50:12 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_dsack.
+
+From: Kuniyuki Iwashima
+
+commit 58ebb1c8b35a8ef38cd6927431e0fa7b173a632d upstream.
+
+While reading sysctl_tcp_dsack, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4197,7 +4197,7 @@ static void tcp_dsack_set(struct sock *s
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+
+- if (tcp_is_sack(tp) && sock_net(sk)->ipv4.sysctl_tcp_dsack) {
++ if (tcp_is_sack(tp) && READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_dsack)) {
+ int mib_idx;
+
+ if (before(seq, tp->rcv_nxt))
+@@ -4232,7 +4232,7 @@ static void tcp_send_dupack(struct sock
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKLOST);
+ tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS);
+
+- if (tcp_is_sack(tp) && sock_net(sk)->ipv4.sysctl_tcp_dsack) {
++ if (tcp_is_sack(tp) && READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_dsack)) {
+ u32 end_seq = TCP_SKB_CB(skb)->end_seq;
+
+ if (after(TCP_SKB_CB(skb)->end_seq, tp->rcv_nxt))
-- 
2.47.3