256c18b0c6
67453 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Eric Dumazet
|
5edef79864 |
ipv6: annotate data-races around cnf.disable_ipv6
commit d289ab65b89c1d4d88417cb6c03e923f21f95fae upstream.
disable_ipv6 is read locklessly, add appropriate READ_ONCE()
and WRITE_ONCE() annotations.
v2: do not preload net before rtnl_trylock() in
addrconf_disable_ipv6() (Jiri)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Ashwin: Regenerated the Patch for v5.10]
Signed-off-by: Ashwin Dayanand Kamat <ashwin.kamat@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Ilya Dryomov
|
34b76d1922 |
libceph: fix race between delayed_work() and ceph_monc_stop()
commit 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 upstream.
The way the delayed work is handled in ceph_monc_stop() is prone to
races with mon_fault() and possibly also finish_hunting(). Both of
these can requeue the delayed work which wouldn't be canceled by any of
the following code in case that happens after cancel_delayed_work_sync()
runs -- __close_session() doesn't mess with the delayed work in order
to avoid interfering with the hunting interval logic. This part was
missed in commit
|
||
|
Eric Dumazet
|
5d7e64d70a |
tcp: avoid too many retransmit packets
commit 97a9063518f198ec0adb2ecb89789de342bb8283 upstream.
If a TCP socket is using TCP_USER_TIMEOUT, and the other peer
retracted its window to zero, tcp_retransmit_timer() can
retransmit a packet every two jiffies (2 ms for HZ=1000),
for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.
The fix is to make sure tcp_rtx_probe0_timed_out() takes
icsk->icsk_user_timeout into account.
Before blamed commit, the socket would not timeout after
icsk->icsk_user_timeout, but would use standard exponential
backoff for the retransmits.
Also worth noting that before commit e89688e3e978 ("net: tcp:
fix unexcepted socket die when snd_wnd is 0"), the issue
would last 2 minutes instead of 4.
Fixes:
|
||
|
Eric Dumazet
|
24b9fafe34 |
tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
commit 36534d3c54537bf098224a32dc31397793d4594d upstream.
Due to timer wheel implementation, a timer will usually fire
after its schedule.
For instance, for HZ=1000, a timeout between 512ms and 4s
has a granularity of 64ms.
For this range of values, the extra delay could be up to 63ms.
For TCP, this means that tp->rcv_tstamp may be after
inet_csk(sk)->icsk_timeout whenever the timer interrupt
finally triggers, if one packet came during the extra delay.
We need to make sure tcp_rtx_probe0_timed_out() handles this case.
Fixes: e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Menglong Dong <imagedong@tencent.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Link: https://lore.kernel.org/r/20240607125652.1472540-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Chengen Du
|
b81a523d54 |
net/sched: Fix UAF when resolving a clash
[ Upstream commit 26488172b0292bed837b95a006a3f3431d1898c3 ]
KASAN reports the following UAF:
BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
Read of size 1 at addr ffff888c07603600 by task handler130/6469
Call Trace:
<IRQ>
dump_stack_lvl+0x48/0x70
print_address_description.constprop.0+0x33/0x3d0
print_report+0xc0/0x2b0
kasan_report+0xd0/0x120
__asan_load1+0x6c/0x80
tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
tcf_ct_act+0x886/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491
__irq_exit_rcu+0x82/0xc0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa1/0xb0
</IRQ>
<TASK>
asm_common_interrupt+0x27/0x40
Allocated by task 6469:
kasan_save_stack+0x38/0x70
kasan_set_track+0x25/0x40
kasan_save_alloc_info+0x1e/0x40
__kasan_krealloc+0x133/0x190
krealloc+0xaa/0x130
nf_ct_ext_add+0xed/0x230 [nf_conntrack]
tcf_ct_act+0x1095/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491
Freed by task 6469:
kasan_save_stack+0x38/0x70
kasan_set_track+0x25/0x40
kasan_save_free_info+0x2b/0x60
____kasan_slab_free+0x180/0x1f0
__kasan_slab_free+0x12/0x30
slab_free_freelist_hook+0xd2/0x1a0
__kmem_cache_free+0x1a2/0x2f0
kfree+0x78/0x120
nf_conntrack_free+0x74/0x130 [nf_conntrack]
nf_ct_destroy+0xb2/0x140 [nf_conntrack]
__nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]
nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]
__nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]
tcf_ct_act+0x12ad/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491
The ct may be dropped if a clash has been resolved but is still passed to
the tcf_ct_flow_table_process_conn function for further usage. This issue
can be fixed by retrieving ct from skb again after confirming conntrack.
Fixes: 0cc254e5aa37 ("net/sched: act_ct: Offload connections with commit action")
Co-developed-by: Gerald Yang <gerald.yang@canonical.com>
Signed-off-by: Gerald Yang <gerald.yang@canonical.com>
Signed-off-by: Chengen Du <chengen.du@canonical.com>
Link: https://patch.msgid.link/20240710053747.13223-1-chengen.du@canonical.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Kuniyuki Iwashima
|
9f965684c5 |
udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().
[ Upstream commit 5c0b485a8c6116516f33925b9ce5b6104a6eadfd ]
syzkaller triggered the warning [0] in udp_v4_early_demux().
In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount
of the looked-up sk and use sock_pfree() as skb->destructor, so we check
SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace
period.
Currently, SOCK_RCU_FREE is flagged for a bound socket after being put
into the hash table. Moreover, the SOCK_RCU_FREE check is done too early
in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race
window:
CPU1 CPU2
---- ----
udp_v4_early_demux() udp_lib_get_port()
| |- hlist_add_head_rcu()
|- sk = __udp4_lib_demux_lookup() |
|- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));
`- sock_set_flag(sk, SOCK_RCU_FREE)
We had the same bug in TCP and fixed it in commit 871019b22d1b ("net:
set SOCK_RCU_FREE before inserting socket into hashtable").
Let's apply the same fix for UDP.
[0]:
WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
Modules linked in:
CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52
RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c
RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001
RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680
R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e
FS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<TASK>
ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349
ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624
__netif_receive_skb+0x21/0xd0 net/core/dev.c:5738
netif_receive_skb_internal net/core/dev.c:5824 [inline]
netif_receive_skb+0x271/0x300 net/core/dev.c:5884
tun_rx_batched drivers/net/tun.c:1549 [inline]
tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002
tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x76f/0x8d0 fs/read_write.c:590
ksys_write+0xbf/0x190 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x41/0x50 fs/read_write.c:652
x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fc44a68bc1f
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48
RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f
RDX: 0000000000000032 RSI: 00000000200000c0 RDI: 00000000000000c8
RBP: 00000000004bc050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000032 R11: 0000000000000293 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc44a5ec530 R15: 0000000000000000
</TASK>
Fixes:
|
||
Oleksij Rempel
|
c184be30b1 |
ethtool: netlink: do not return SQI value if link is down
[ Upstream commit c184cf94e73b04ff7048d045f5413899bc664788 ]
Do not attach SQI value if link is down. "SQI values are only valid if
link-up condition is present" per OpenAlliance specification of
100Base-T1 Interoperability Test suite [1]. The same rule would apply
for other link types.
[1] https://opensig.org/automotive-ethernet-specifications/#
Fixes:
|
||
Neal Cardwell
|
893e140dcc |
tcp: fix incorrect undo caused by DSACK of TLP retransmit
[ Upstream commit 0ec986ed7bab6801faed1440e8839dcc710331ff ] Loss recovery undo_retrans bookkeeping had a long-standing bug where a DSACK from a spurious TLP retransmit packet could cause an erroneous undo of a fast recovery or RTO recovery that repaired a single really-lost packet (in a sequence range outside that of the TLP retransmit). Basically, because the loss recovery state machine didn't account for the fact that it sent a TLP retransmit, the DSACK for the TLP retransmit could erroneously be implicitly be interpreted as corresponding to the normal fast recovery or RTO recovery retransmit that plugged a real hole, thus resulting in an improper undo. For example, consider the following buggy scenario where there is a real packet loss but the congestion control response is improperly undone because of this bug: + send packets P1, P2, P3, P4 + P1 is really lost + send TLP retransmit of P4 + receive SACK for original P2, P3, P4 + enter fast recovery, fast-retransmit P1, increment undo_retrans to 1 + receive DSACK for TLP P4, decrement undo_retrans to 0, undo (bug!) + receive cumulative ACK for P1-P4 (fast retransmit plugged real hole) The fix: when we initialize undo machinery in tcp_init_undo(), if there is a TLP retransmit in flight, then increment tp->undo_retrans so that we make sure that we receive a DSACK corresponding to the TLP retransmit, as well as DSACKs for all later normal retransmits, before triggering a loss recovery undo. Note that we also have to move the line that clears tp->tlp_high_seq for RTO recovery, so that upon RTO we remember the tp->tlp_high_seq value until tcp_init_undo() and clear it only afterward. Also note that the bug dates back to the original 2013 TLP implementation, commit |
||
Wang Yufen
|
37c59198bc |
bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues
commit d8616ee2affcff37c5d315310da557a694a3303d upstream. During TCP sockmap redirect pressure test, the following warning is triggered: WARNING: CPU: 3 PID: 2145 at net/core/stream.c:205 sk_stream_kill_queues+0xbc/0xd0 CPU: 3 PID: 2145 Comm: iperf Kdump: loaded Tainted: G W 5.10.0+ #9 Call Trace: inet_csk_destroy_sock+0x55/0x110 inet_csk_listen_stop+0xbb/0x380 tcp_close+0x41b/0x480 inet_release+0x42/0x80 __sock_release+0x3d/0xa0 sock_close+0x11/0x20 __fput+0x9d/0x240 task_work_run+0x62/0x90 exit_to_user_mode_prepare+0x110/0x120 syscall_exit_to_user_mode+0x27/0x190 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The reason we observed is that: When the listener is closing, a connection may have completed the three-way handshake but not accepted, and the client has sent some packets. The child sks in accept queue release by inet_child_forget()->inet_csk_destroy_sock(), but psocks of child sks have not released. To fix, add sock_map_destroy to release psocks. Signed-off-by: Wang Yufen <wangyufen@huawei.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Jakub Sitnicki <jakub@cloudflare.com> Acked-by: John Fastabend <john.fastabend@gmail.com> Link: https://lore.kernel.org/bpf/20220524075311.649153-1-wangyufen@huawei.com [ Conflict in include/linux/bpf.h due to function declaration position and remove non-existed sk_psock_stop helper from sock_map_destroy. ] Signed-off-by: Wen Gu <guwen@linux.alibaba.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Shigeru Yoshida
|
7ef519c8ef |
inet_diag: Initialize pad field in struct inet_diag_req_v2
[ Upstream commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f ]
KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw
sockets uses the pad field in struct inet_diag_req_v2 for the
underlying protocol. This field corresponds to the sdiag_raw_protocol
field in struct inet_diag_req_raw.
inet_diag_get_exact_compat() converts inet_diag_req to
inet_diag_req_v2, but leaves the pad field uninitialized. So the issue
occurs when raw_lookup() accesses the sdiag_raw_protocol field.
Fix this by initializing the pad field in
inet_diag_get_exact_compat(). Also, do the same fix in
inet_diag_dump_compat() to avoid the similar issue in the future.
[1]
BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]
BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
raw_lookup net/ipv4/raw_diag.c:49 [inline]
raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
inet_diag_cmd_exact+0x7d9/0x980
inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x332/0x3d0 net/socket.c:745
____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
__sys_sendmsg net/socket.c:2668 [inline]
__do_sys_sendmsg net/socket.c:2677 [inline]
__se_sys_sendmsg net/socket.c:2675 [inline]
__x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71
raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
inet_diag_cmd_exact+0x7d9/0x980
inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x332/0x3d0 net/socket.c:745
____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
__sys_sendmsg net/socket.c:2668 [inline]
__do_sys_sendmsg net/socket.c:2677 [inline]
__se_sys_sendmsg net/socket.c:2675 [inline]
__x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable req.i created at:
inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]
inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426
sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
Fixes:
|
||
Jakub Kicinski
|
cdffc35871 |
tcp_metrics: validate source addr length
[ Upstream commit 66be40e622e177316ae81717aa30057ba9e61dff ]
I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4
is at least 4 bytes long, and the policy doesn't have an entry
for this attribute at all (neither does it for IPv6 but v6 is
manually validated).
Reviewed-by: Eric Dumazet <edumazet@google.com>
Fixes:
|
||
|
Neal Cardwell
|
febed740a3 |
UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()
[ Upstream commit a6458ab7fd4f427d4f6f54380453ad255b7fde83 ]
In some production workloads we noticed that connections could
sometimes close extremely prematurely with ETIMEDOUT after
transmitting only 1 TLP and RTO retransmission (when we would normally
expect roughly tcp_retries2 = TCP_RETR2 = 15 RTOs before a connection
closes with ETIMEDOUT).
From tracing we determined that these workloads can suffer from a
scenario where in fast recovery, after some retransmits, a DSACK undo
can happen at a point where the scoreboard is totally clear (we have
retrans_out == sacked_out == lost_out == 0). In such cases, calling
tcp_try_keep_open() means that we do not execute any code path that
clears tp->retrans_stamp to 0. That means that tp->retrans_stamp can
remain erroneously set to the start time of the undone fast recovery,
even after the fast recovery is undone. If minutes or hours elapse,
and then a TLP/RTO/RTO sequence occurs, then the start_ts value in
retransmits_timed_out() (which is from tp->retrans_stamp) will be
erroneously ancient (left over from the fast recovery undone via
DSACKs). Thus this ancient tp->retrans_stamp value can cause the
connection to die very prematurely with ETIMEDOUT via
tcp_write_err().
The fix: we change DSACK undo in fast recovery (TCP_CA_Recovery) to
call tcp_try_to_open() instead of tcp_try_keep_open(). This ensures
that if no retransmits are in flight at the time of DSACK undo in fast
recovery then we properly zero retrans_stamp. Note that calling
tcp_try_to_open() is more consistent with other loss recovery
behavior, since normal fast recovery (CA_Recovery) and RTO recovery
(CA_Loss) both normally end when tp->snd_una meets or exceeds
tp->high_seq and then in tcp_fastretrans_alert() the "default" switch
case executes tcp_try_to_open(). Also note that by inspection this
change to call tcp_try_to_open() implies at least one other nice bug
fix, where now an ECE-marked DSACK that causes an undo will properly
invoke tcp_enter_cwr() rather than ignoring the ECE mark.
Fixes:
|
||
Erick Archer
|
5a18ea7d86 |
sctp: prefer struct_size over open coded arithmetic
[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ]
This is an effort to get rid of all multiplications from allocation
functions in order to prevent integer overflows [1][2].
As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
structure ends in a flexible array:
struct sctp_assoc_ids {
[...]
sctp_assoc_t gaids_assoc_id[];
};
the preferred way in the kernel is to use the struct_size() helper to
do the arithmetic instead of the calculation "size + size * count" in
the kmalloc() function.
Also, refactor the code adding the "ids_size" variable to avoid sizing
twice.
This way, the code is more readable and safer.
This code was detected with the help of Coccinelle, and audited and
modified manually.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
Link: https://github.com/KSPP/linux/issues/160 [2]
Signed-off-by: Erick Archer <erick.archer@outlook.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Greg Kroah-Hartman
|
2ebd481b31 |
Merge 5.10.221 into android12-5.10-lts
Changes in 5.10.221 tracing/selftests: Fix kprobe event name test for .isra. functions null_blk: Print correct max open zones limit in null_init_zoned_dev() wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() wifi: cfg80211: pmsr: use correct nla_get_uX functions wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef wifi: iwlwifi: mvm: check n_ssids before accessing the ssids wifi: iwlwifi: mvm: don't read past the mfuart notifcation wifi: mac80211: correctly parse Spatial Reuse Parameter Set element net/ncsi: add NCSI Intel OEM command to keep PHY up net/ncsi: Simplify Kconfig/dts control flow net/ncsi: Fix the multi thread manner of NCSI driver ipv6: sr: block BH in seg6_output_core() and seg6_input_core() net: sched: sch_multiq: fix possible OOB write in multiq_tune() vxlan: Fix regression when dropping packets due to invalid src addresses tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP ptp: Fix error message on failed pin verification af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). ipv6: fix possible race in __fib6_drop_pcpu_from() usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete drm/amd/display: Handle Y carry-over in VCP X.Y calculation serial: sc16is7xx: replace hardcoded divisor value with BIT() macro serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler mmc: davinci: Don't strip remove function when driver is builtin selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages selftests/mm: conform test to TAP format output selftests/mm: compaction_test: fix bogus test success on Aarch64 btrfs: fix leak of qgroup extent records after transaction abort nilfs2: Remove check for PageError nilfs2: return the mapped address from nilfs_get_page() nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages mei: me: release irq in mei_me_pci_resume error path jfs: xattr: fix buffer overflow for invalid xattr xhci: Set correct transferred length for cancelled bulk transfers xhci: Apply reset resume quirk to Etron EJ188 xHCI host xhci: Apply broken streams quirk to Etron EJ188 xHCI host scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory powerpc/uaccess: Fix build errors seen with GCC 13/14 Input: try trimming too long modalias strings SUNRPC: return proper error from gss_wrap_req_priv gpio: tqmx86: fix typo in Kconfig label HID: core: remove unnecessary WARN_ON() in implement() gpio: tqmx86: store IRQ trigger type and unmask status separately iommu/amd: Introduce pci segment structure iommu/amd: Fix sysfs leak in iommu init iommu: Return right value in iommu_sva_bind_device() HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() drm/vmwgfx: 3D disabled should not effect STDU memory limits net: sfp: Always call `sfp_sm_mod_remove()` on remove net: hns3: add cond_resched() to hns3 ring buffer init process liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet drm/komeda: check for error-valued pointer drm/bridge/panel: Fix runtime warning on panel bridge release tcp: fix race in tcp_v6_syn_recv_sock() net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters net/ipv6: Fix the RT cache flush via sysctl using a previous delay ionic: fix use after netif_napi_del() iio: adc: ad9467: fix scan type sign iio: dac: ad5592r: fix temperature channel scaling value iio: imu: inv_icm42600: delete unneeded update watermark call drivers: core: synchronize really_probe() and dev_uevent() drm/exynos/vidi: fix memory leak in .get_modes() drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found vmci: prevent speculation leaks by sanitizing event in event_deliver() fs/proc: fix softlockup in __read_vmcore ocfs2: use coarse time for new created files ocfs2: fix races between hole punching and AIO+DIO PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id dmaengine: axi-dmac: fix possible race in remove() remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs intel_th: pci: Add Granite Rapids support intel_th: pci: Add Granite Rapids SOC support intel_th: pci: Add Sapphire Rapids SOC support intel_th: pci: Add Meteor Lake-S support intel_th: pci: Add Lunar Lake support nilfs2: fix potential kernel bug due to lack of writeback flag waiting tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level hugetlb_encode.h: fix undefined behaviour (34 << 26) mptcp: ensure snd_una is properly initialized on connect mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID mptcp: pm: update add_addr counters after connect remoteproc: k3-r5: Jump to error handling labels in start/stop errors greybus: Fix use-after-free bug in gb_interface_release due to race condition. usb-storage: alauda: Check whether the media is initialized i2c: at91: Fix the functionality flags of the slave-only interface i2c: designware: Fix the functionality flags of the slave-only interface zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING padata: Disable BH when taking works lock on MT path rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment rcutorture: Fix invalid context warning when enable srcu barrier testing block/ioctl: prefer different overflow check selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh selftests/bpf: Fix flaky test btf_map_in_map/lookup_update batman-adv: bypass empty buckets in batadv_purge_orig_ref() wifi: ath9k: work around memset overflow warning af_packet: avoid a false positive warning in packet_setsockopt() drop_monitor: replace spin_lock by raw_spin_lock scsi: qedi: Fix crash while reading debugfs attribute kselftest: arm64: Add a null pointer check netpoll: Fix race condition in netpoll_owner_active HID: Add quirk for Logitech Casa touchpad ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl drm/amd/display: Exit idle optimizations before HDCP execution ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 drm/lima: add mask irq callback to gp and pp drm/lima: mask irqs in timeout path before hard reset powerpc/pseries: Enforce hcall result buffer validity and size powerpc/io: Avoid clang null pointer arithmetic warnings power: supply: cros_usbpd: provide ID table for avoiding fallback match iommu/arm-smmu-v3: Free MSIs in case of ENOMEM f2fs: remove clear SB_INLINECRYPT flag in default_options usb: misc: uss720: check for incompatible versions of the Belkin F5U002 udf: udftime: prevent overflow in udf_disk_stamp_to_time() PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports MIPS: Octeon: Add PCIe link status check serial: exar: adding missing CTI and Exar PCI ids MIPS: Routerboard 532: Fix vendor retry check code mips: bmips: BCM6358: make sure CBR is correctly set tracing: Build event generation tests only as modules cipso: fix total option length computation netrom: Fix a memory leak in nr_heartbeat_expiry() ipv6: prevent possible NULL deref in fib6_nh_init() ipv6: prevent possible NULL dereference in rt6_probe() xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() netns: Make get_net_ns() handle zero refcount net qca_spi: Make interrupt remembering atomic net/sched: act_api: rely on rcu in tcf_idr_check_alloc net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() tipc: force a dst refcount before doing decryption net/sched: act_ct: set 'net' pointer when creating new nf_flow_table sched: act_ct: add netns into the key of tcf_ct_flow_table net: stmmac: No need to calculate speed divider when offload is disabled virtio_net: checksum offloading handling fix netfilter: ipset: Fix suspicious rcu_dereference_protected() net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings regulator: core: Fix modpost error "regulator_get_regmap" undefined dmaengine: ioat: switch from 'pci_' to 'dma_' API dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting() dmaengine: ioatdma: Fix leaking on version mismatch dmaengine: ioat: use PCI core macros for PCIe Capability dmaengine: ioatdma: Fix error path in ioat3_dma_probe() dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() dmaengine: ioatdma: Fix missing kmem_cache_destroy() ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." RDMA/mlx5: Add check for srq max_sge attribute ALSA: hda/realtek: Limit mic boost on N14AP7 drm/radeon: fix UBSAN warning in kv_dpm.c gcov: add support for GCC 14 kcov: don't lose track of remote references during softirqs i2c: ocores: set IACK bit after core is enabled dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema drm/amd/display: revert Exit idle optimizations before HDCP execution ARM: dts: samsung: smdkv310: fix keypad no-autorepeat ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat ARM: dts: samsung: smdk4412: fix keypad no-autorepeat rtlwifi: rtl8192de: Style clean-ups wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power pmdomain: ti-sci: Fix duplicate PD referrals knfsd: LOOKUP can return an illegal error value spmi: hisi-spmi-controller: Do not override device identifier bcache: fix variable length array abuse in btree_iter tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test x86/cpu/vfm: Add new macros to work with (vendor/family/model) values x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL r8169: remove unneeded memory barrier in rtl_tx r8169: improve rtl_tx r8169: improve rtl8169_start_xmit r8169: remove nr_frags argument from rtl_tx_slots_avail r8169: remove not needed check in rtl8169_start_xmit r8169: Fix possible ring buffer corruption on fragmented Tx packets. Revert "kheaders: substituting --sort in archive creation" kheaders: explicitly define file modes for archived headers perf/core: Fix missing wakeup when waiting for context reference PCI: Add PCI_ERROR_RESPONSE and related definitions x86/amd_nb: Check for invalid SMN reads cifs: missed ref-counting smb session in find smb: client: fix deadlock in smb2_find_smb_tcon() ACPI: Add quirks for AMD Renoir/Lucienne CPUs to force the D3 hint ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for StorageD3Enable ACPI: x86: Add another system to quirk list for forcing StorageD3Enable ACPI: x86: utils: Add Cezanne to the list for forcing StorageD3Enable ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable ACPI: x86: Force StorageD3Enable on more products Input: ili210x - fix ili251x_read_touch_data() return value pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins pinctrl/rockchip: separate struct rockchip_pin_bank to a head file pinctrl: rockchip: use dedicated pinctrl type for RK3328 pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set drm/amdgpu: fix UBSAN warning in kv_dpm.c netfilter: nf_tables: validate family when identifying table via handle SUNRPC: Fix null pointer dereference in svc_rqst_free() SUNRPC: Fix a NULL pointer deref in trace_svc_stats_latency() SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation SUNRPC: Fix svcxdr_init_encode's buflen calculation nfsd: hold a lighter-weight client reference over CB_RECALL_ANY ASoC: fsl-asoc-card: set priv->pdev before using it net: dsa: microchip: fix initial port flush problem net: phy: micrel: add Microchip KSZ 9477 to the device table xdp: Move the rxq_info.mem clearing to unreg_mem_model() xdp: Allow registering memory model without rxq reference xdp: Remove WARN() from __xdp_reg_mem_model() sparc: fix old compat_sys_select() sparc: fix compat recv/recvfrom syscalls parisc: use correct compat recv/recvfrom syscalls netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep mtd: partitions: redboot: Added conversion of operands to a larger type bpf: Add a check for struct bpf_fib_lookup size net/iucv: Avoid explicit cpumask var allocation on stack net/dpaa2: Avoid explicit cpumask var allocation on stack ALSA: emux: improve patch ioctl data validation media: dvbdev: Initialize sbuf soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message drm/radeon/radeon_display: Decrease the size of allocated memory nvme: fixup comment for nvme RDMA Provider Type drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA gpio: davinci: Validate the obtained number of IRQs gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) x86: stop playing stack games in profile_pc() ocfs2: fix DIO failure due to insufficient transaction credits mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos mmc: sdhci: Do not invert write-protect twice mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() counter: ti-eqep: enable clock at probe iio: adc: ad7266: Fix variable checking bug iio: chemical: bme680: Fix pressure value output iio: chemical: bme680: Fix calibration data variable iio: chemical: bme680: Fix overflows in compensate() functions iio: chemical: bme680: Fix sensor data read operation net: usb: ax88179_178a: improve link status logs usb: gadget: printer: SS+ support usb: gadget: printer: fix races against disable usb: musb: da8xx: fix a resource leak in probe() usb: atm: cxacru: fix endpoint checking in cxacru_bind() serial: 8250_omap: Implementation of Errata i2310 tty: mcf: MCF54418 has 10 UARTS net: can: j1939: Initialize unused data in j1939_send_one() net: can: j1939: recover socket queue on CAN bus error during BAM transmission net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new kbuild: Install dtb files as 0644 in Makefile.dtbinst csky, hexagon: fix broken sys_sync_file_range hexagon: fix fadvise64_64 calling conventions drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes drm/i915/gt: Fix potential UAF by revoke of fence registers drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes batman-adv: Don't accept TT entries for out-of-spec VIDs ata: ahci: Clean up sysfs file on error ata: libata-core: Fix double free on error ftruncate: pass a signed offset syscalls: fix compat_sys_io_pgetevents_time64 usage mtd: spinand: macronix: Add support for serial NAND flash pwm: stm32: Refuse too small period requests nfs: Leave pages in the pagecache if readpage failed ipv6: annotate some data-races around sk->sk_prot ipv6: Fix data races around sk->sk_prot. tcp: Fix data races around icsk->icsk_af_ops. drivers: fix typo in firmware/efi/memmap.c efi: Correct comment on efi_memmap_alloc efi: memmap: Move manipulation routines into x86 arch tree efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures efi/x86: Free EFI memory map only when installing a new one. KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node arm64: dts: rockchip: Add sound-dai-cells for RK3368 xdp: xdp_mem_allocator can be NULL in trace_mem_connect(). serial: 8250_omap: Fix Errata i2310 with RX FIFO level check tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() Linux 5.10.221 Change-Id: Icac1c62fcbda5102be7ea031121f28d6fee36875 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
88eb084d18 |
Revert "Merge 5.10.220 into android12-5.10-lts"
This reverts commit |
||
|
Greg Kroah-Hartman
|
87a7f35a24 |
Merge 5.10.220 into android12-5.10-lts
Changes in 5.10.220
SUNRPC: Rename svc_encode_read_payload()
NFSD: Invoke svc_encode_result_payload() in "read" NFSD encoders
NFSD: A semicolon is not needed after a switch statement.
nfsd/nfs3: remove unused macro nfsd3_fhandleres
NFSD: Clean up the show_nf_may macro
NFSD: Remove extra "0x" in tracepoint format specifier
NFSD: Add SPDX header for fs/nfsd/trace.c
nfsd: Fix error return code in nfsd_file_cache_init()
SUNRPC: Add xdr_set_scratch_page() and xdr_reset_scratch_buffer()
SUNRPC: Prepare for xdr_stream-style decoding on the server-side
NFSD: Add common helpers to decode void args and encode void results
NFSD: Add tracepoints in nfsd_dispatch()
NFSD: Add tracepoints in nfsd4_decode/encode_compound()
NFSD: Replace the internals of the READ_BUF() macro
NFSD: Replace READ* macros in nfsd4_decode_access()
NFSD: Replace READ* macros in nfsd4_decode_close()
NFSD: Replace READ* macros in nfsd4_decode_commit()
NFSD: Change the way the expected length of a fattr4 is checked
NFSD: Replace READ* macros that decode the fattr4 size attribute
NFSD: Replace READ* macros that decode the fattr4 acl attribute
NFSD: Replace READ* macros that decode the fattr4 mode attribute
NFSD: Replace READ* macros that decode the fattr4 owner attribute
NFSD: Replace READ* macros that decode the fattr4 owner_group attribute
NFSD: Replace READ* macros that decode the fattr4 time_set attributes
NFSD: Replace READ* macros that decode the fattr4 security label attribute
NFSD: Replace READ* macros that decode the fattr4 umask attribute
NFSD: Replace READ* macros in nfsd4_decode_fattr()
NFSD: Replace READ* macros in nfsd4_decode_create()
NFSD: Replace READ* macros in nfsd4_decode_delegreturn()
NFSD: Replace READ* macros in nfsd4_decode_getattr()
NFSD: Replace READ* macros in nfsd4_decode_link()
NFSD: Relocate nfsd4_decode_opaque()
NFSD: Add helpers to decode a clientid4 and an NFSv4 state owner
NFSD: Add helper for decoding locker4
NFSD: Replace READ* macros in nfsd4_decode_lock()
NFSD: Replace READ* macros in nfsd4_decode_lockt()
NFSD: Replace READ* macros in nfsd4_decode_locku()
NFSD: Replace READ* macros in nfsd4_decode_lookup()
NFSD: Add helper to decode NFSv4 verifiers
NFSD: Add helper to decode OPEN's createhow4 argument
NFSD: Add helper to decode OPEN's openflag4 argument
NFSD: Replace READ* macros in nfsd4_decode_share_access()
NFSD: Replace READ* macros in nfsd4_decode_share_deny()
NFSD: Add helper to decode OPEN's open_claim4 argument
NFSD: Replace READ* macros in nfsd4_decode_open()
NFSD: Replace READ* macros in nfsd4_decode_open_confirm()
NFSD: Replace READ* macros in nfsd4_decode_open_downgrade()
NFSD: Replace READ* macros in nfsd4_decode_putfh()
NFSD: Replace READ* macros in nfsd4_decode_read()
NFSD: Replace READ* macros in nfsd4_decode_readdir()
NFSD: Replace READ* macros in nfsd4_decode_remove()
NFSD: Replace READ* macros in nfsd4_decode_rename()
NFSD: Replace READ* macros in nfsd4_decode_renew()
NFSD: Replace READ* macros in nfsd4_decode_secinfo()
NFSD: Replace READ* macros in nfsd4_decode_setattr()
NFSD: Replace READ* macros in nfsd4_decode_setclientid()
NFSD: Replace READ* macros in nfsd4_decode_setclientid_confirm()
NFSD: Replace READ* macros in nfsd4_decode_verify()
NFSD: Replace READ* macros in nfsd4_decode_write()
NFSD: Replace READ* macros in nfsd4_decode_release_lockowner()
NFSD: Replace READ* macros in nfsd4_decode_cb_sec()
NFSD: Replace READ* macros in nfsd4_decode_backchannel_ctl()
NFSD: Replace READ* macros in nfsd4_decode_bind_conn_to_session()
NFSD: Add a separate decoder to handle state_protect_ops
NFSD: Add a separate decoder for ssv_sp_parms
NFSD: Add a helper to decode state_protect4_a
NFSD: Add a helper to decode nfs_impl_id4
NFSD: Add a helper to decode channel_attrs4
NFSD: Replace READ* macros in nfsd4_decode_create_session()
NFSD: Replace READ* macros in nfsd4_decode_destroy_session()
NFSD: Replace READ* macros in nfsd4_decode_free_stateid()
NFSD: Replace READ* macros in nfsd4_decode_getdeviceinfo()
NFSD: Replace READ* macros in nfsd4_decode_layoutcommit()
NFSD: Replace READ* macros in nfsd4_decode_layoutget()
NFSD: Replace READ* macros in nfsd4_decode_layoutreturn()
NFSD: Replace READ* macros in nfsd4_decode_secinfo_no_name()
NFSD: Replace READ* macros in nfsd4_decode_sequence()
NFSD: Replace READ* macros in nfsd4_decode_test_stateid()
NFSD: Replace READ* macros in nfsd4_decode_destroy_clientid()
NFSD: Replace READ* macros in nfsd4_decode_reclaim_complete()
NFSD: Replace READ* macros in nfsd4_decode_fallocate()
NFSD: Replace READ* macros in nfsd4_decode_nl4_server()
NFSD: Replace READ* macros in nfsd4_decode_copy()
NFSD: Replace READ* macros in nfsd4_decode_copy_notify()
NFSD: Replace READ* macros in nfsd4_decode_offload_status()
NFSD: Replace READ* macros in nfsd4_decode_seek()
NFSD: Replace READ* macros in nfsd4_decode_clone()
NFSD: Replace READ* macros in nfsd4_decode_xattr_name()
NFSD: Replace READ* macros in nfsd4_decode_setxattr()
NFSD: Replace READ* macros in nfsd4_decode_listxattrs()
NFSD: Make nfsd4_ops::opnum a u32
NFSD: Replace READ* macros in nfsd4_decode_compound()
NFSD: Remove macros that are no longer used
nfsd: only call inode_query_iversion in the I_VERSION case
nfsd: simplify nfsd4_change_info
nfsd: minor nfsd4_change_attribute cleanup
nfsd4: don't query change attribute in v2/v3 case
Revert "nfsd4: support change_attr_type attribute"
nfsd: add a new EXPORT_OP_NOWCC flag to struct export_operations
nfsd: allow filesystems to opt out of subtree checking
nfsd: close cached files prior to a REMOVE or RENAME that would replace target
exportfs: Add a function to return the raw output from fh_to_dentry()
nfsd: Fix up nfsd to ensure that timeout errors don't result in ESTALE
nfsd: Set PF_LOCAL_THROTTLE on local filesystems only
nfsd: Record NFSv4 pre/post-op attributes as non-atomic
exec: Don't open code get_close_on_exec
exec: Move unshare_files to fix posix file locking during exec
exec: Simplify unshare_files
exec: Remove reset_files_struct
kcmp: In kcmp_epoll_target use fget_task
bpf: In bpf_task_fd_query use fget_task
proc/fd: In proc_fd_link use fget_task
Revert "fget: clarify and improve __fget_files() implementation"
file: Rename __fcheck_files to files_lookup_fd_raw
file: Factor files_lookup_fd_locked out of fcheck_files
file: Replace fcheck_files with files_lookup_fd_rcu
file: Rename fcheck lookup_fd_rcu
file: Implement task_lookup_fd_rcu
proc/fd: In tid_fd_mode use task_lookup_fd_rcu
kcmp: In get_file_raw_ptr use task_lookup_fd_rcu
file: Implement task_lookup_next_fd_rcu
proc/fd: In proc_readfd_common use task_lookup_next_fd_rcu
proc/fd: In fdinfo seq_show don't use get_files_struct
file: Merge __fd_install into fd_install
file: In f_dupfd read RLIMIT_NOFILE once.
file: Merge __alloc_fd into alloc_fd
file: Rename __close_fd to close_fd and remove the files parameter
file: Replace ksys_close with close_fd
inotify: Increase default inotify.max_user_watches limit to 1048576
fs/lockd: convert comma to semicolon
NFSD: Fix sparse warning in nfssvc.c
NFSD: Restore NFSv4 decoding's SAVEMEM functionality
SUNRPC: Make trace_svc_process() display the RPC procedure symbolically
SUNRPC: Display RPC procedure names instead of proc numbers
SUNRPC: Move definition of XDR_UNIT
NFSD: Update GETATTR3args decoder to use struct xdr_stream
NFSD: Update ACCESS3arg decoder to use struct xdr_stream
NFSD: Update READ3arg decoder to use struct xdr_stream
NFSD: Update WRITE3arg decoder to use struct xdr_stream
NFSD: Update READLINK3arg decoder to use struct xdr_stream
NFSD: Fix returned READDIR offset cookie
NFSD: Add helper to set up the pages where the dirlist is encoded
NFSD: Update READDIR3args decoders to use struct xdr_stream
NFSD: Update COMMIT3arg decoder to use struct xdr_stream
NFSD: Update the NFSv3 DIROPargs decoder to use struct xdr_stream
NFSD: Update the RENAME3args decoder to use struct xdr_stream
NFSD: Update the LINK3args decoder to use struct xdr_stream
NFSD: Update the SETATTR3args decoder to use struct xdr_stream
NFSD: Update the CREATE3args decoder to use struct xdr_stream
NFSD: Update the MKDIR3args decoder to use struct xdr_stream
NFSD: Update the SYMLINK3args decoder to use struct xdr_stream
NFSD: Update the MKNOD3args decoder to use struct xdr_stream
NFSD: Update the NFSv2 GETATTR argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 READ argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 WRITE argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 READLINK argument decoder to use struct xdr_stream
NFSD: Add helper to set up the pages where the dirlist is encoded
NFSD: Update the NFSv2 READDIR argument decoder to use struct xdr_stream
NFSD: Update NFSv2 diropargs decoding to use struct xdr_stream
NFSD: Update the NFSv2 RENAME argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 LINK argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 SETATTR argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 CREATE argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 SYMLINK argument decoder to use struct xdr_stream
NFSD: Remove argument length checking in nfsd_dispatch()
NFSD: Update the NFSv2 GETACL argument decoder to use struct xdr_stream
NFSD: Add an xdr_stream-based decoder for NFSv2/3 ACLs
NFSD: Update the NFSv2 SETACL argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 ACL GETATTR argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 ACL ACCESS argument decoder to use struct xdr_stream
NFSD: Clean up after updating NFSv2 ACL decoders
NFSD: Update the NFSv3 GETACL argument decoder to use struct xdr_stream
NFSD: Update the NFSv2 SETACL argument decoder to use struct xdr_stream
NFSD: Clean up after updating NFSv3 ACL decoders
nfsd: remove unused stats counters
nfsd: protect concurrent access to nfsd stats counters
nfsd: report per-export stats
nfsd4: simplify process_lookup1
nfsd: simplify process_lock
nfsd: simplify nfsd_renew
nfsd: rename lookup_clientid->set_client
nfsd: refactor set_client
nfsd: find_cpntf_state cleanup
nfsd: remove unused set_client argument
nfsd: simplify nfsd4_check_open_reclaim
nfsd: cstate->session->se_client -> cstate->clp
NFSv4_2: SSC helper should use its own config.
nfs: use change attribute for NFS re-exports
nfsd: skip some unnecessary stats in the v4 case
inotify, memcg: account inotify instances to kmemcg
module: unexport find_module and module_mutex
module: use RCU to synchronize find_module
kallsyms: refactor {,module_}kallsyms_on_each_symbol
kallsyms: only build {,module_}kallsyms_on_each_symbol when required
fs: add file and path permissions helpers
namei: introduce struct renamedata
NFSD: Extract the svcxdr_init_encode() helper
NFSD: Update the GETATTR3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 ACCESS3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 LOOKUP3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 wccstat result encoder to use struct xdr_stream
NFSD: Update the NFSv3 READLINK3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 READ3res encode to use struct xdr_stream
NFSD: Update the NFSv3 WRITE3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 CREATE family of encoders to use struct xdr_stream
NFSD: Update the NFSv3 RENAMEv3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 LINK3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 FSSTAT3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 FSINFO3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 PATHCONF3res encoder to use struct xdr_stream
NFSD: Update the NFSv3 COMMIT3res encoder to use struct xdr_stream
NFSD: Add a helper that encodes NFSv3 directory offset cookies
NFSD: Count bytes instead of pages in the NFSv3 READDIR encoder
NFSD: Update the NFSv3 READDIR3res encoder to use struct xdr_stream
NFSD: Update NFSv3 READDIR entry encoders to use struct xdr_stream
NFSD: Remove unused NFSv3 directory entry encoders
NFSD: Reduce svc_rqst::rq_pages churn during READDIR operations
NFSD: Update the NFSv2 stat encoder to use struct xdr_stream
NFSD: Update the NFSv2 attrstat encoder to use struct xdr_stream
NFSD: Update the NFSv2 diropres encoder to use struct xdr_stream
NFSD: Update the NFSv2 READLINK result encoder to use struct xdr_stream
NFSD: Update the NFSv2 READ result encoder to use struct xdr_stream
NFSD: Update the NFSv2 STATFS result encoder to use struct xdr_stream
NFSD: Add a helper that encodes NFSv3 directory offset cookies
NFSD: Count bytes instead of pages in the NFSv2 READDIR encoder
NFSD: Update the NFSv2 READDIR result encoder to use struct xdr_stream
NFSD: Update the NFSv2 READDIR entry encoder to use struct xdr_stream
NFSD: Remove unused NFSv2 directory entry encoders
NFSD: Add an xdr_stream-based encoder for NFSv2/3 ACLs
NFSD: Update the NFSv2 GETACL result encoder to use struct xdr_stream
NFSD: Update the NFSv2 SETACL result encoder to use struct xdr_stream
NFSD: Update the NFSv2 ACL GETATTR result encoder to use struct xdr_stream
NFSD: Update the NFSv2 ACL ACCESS result encoder to use struct xdr_stream
NFSD: Clean up after updating NFSv2 ACL encoders
NFSD: Update the NFSv3 GETACL result encoder to use struct xdr_stream
NFSD: Update the NFSv3 SETACL result encoder to use struct xdr_stream
NFSD: Clean up after updating NFSv3 ACL encoders
NFSD: Add a tracepoint to record directory entry encoding
NFSD: Clean up NFSDDBG_FACILITY macro
nfsd: helper for laundromat expiry calculations
nfsd: Log client tracking type log message as info instead of warning
nfsd: Fix typo "accesible"
nfsd: COPY with length 0 should copy to end of file
nfsd: don't ignore high bits of copy count
nfsd: report client confirmation status in "info" file
SUNRPC: Export svc_xprt_received()
UAPI: nfsfh.h: Replace one-element array with flexible-array member
NFSD: Use DEFINE_SPINLOCK() for spinlock
fsnotify: allow fsnotify_{peek,remove}_first_event with empty queue
Revert "fanotify: limit number of event merge attempts"
fanotify: reduce event objectid to 29-bit hash
fanotify: mix event info and pid into merge key hash
fsnotify: use hash table for faster events merge
fanotify: limit number of event merge attempts
fanotify: configurable limits via sysfs
fanotify: support limited functionality for unprivileged users
fanotify_user: use upper_32_bits() to verify mask
nfsd: remove unused function
nfsd: removed unused argument in nfsd_startup_generic()
nfsd: hash nfs4_files by inode number
nfsd: track filehandle aliasing in nfs4_files
nfsd: reshuffle some code
nfsd: grant read delegations to clients holding writes
nfsd: Fix fall-through warnings for Clang
NFSv4.2: Remove ifdef CONFIG_NFSD from NFSv4.2 client SSC code.
NFS: fix nfs_fetch_iversion()
fanotify: fix permission model of unprivileged group
NFSD: Add an RPC authflavor tracepoint display helper
NFSD: Add nfsd_clid_cred_mismatch tracepoint
NFSD: Add nfsd_clid_verf_mismatch tracepoint
NFSD: Remove trace_nfsd_clid_inuse_err
NFSD: Add nfsd_clid_confirmed tracepoint
NFSD: Add nfsd_clid_reclaim_complete tracepoint
NFSD: Add nfsd_clid_destroyed tracepoint
NFSD: Add a couple more nfsd_clid_expired call sites
NFSD: Add tracepoints for SETCLIENTID edge cases
NFSD: Add tracepoints for EXCHANGEID edge cases
NFSD: Constify @fh argument of knfsd_fh_hash()
NFSD: Capture every CB state transition
NFSD: Drop TRACE_DEFINE_ENUM for NFSD4_CB_<state> macros
NFSD: Add cb_lost tracepoint
NFSD: Adjust cb_shutdown tracepoint
NFSD: Enhance the nfsd_cb_setup tracepoint
NFSD: Add an nfsd_cb_lm_notify tracepoint
NFSD: Add an nfsd_cb_offload tracepoint
NFSD: Replace the nfsd_deleg_break tracepoint
NFSD: Add an nfsd_cb_probe tracepoint
NFSD: Remove the nfsd_cb_work and nfsd_cb_done tracepoints
NFSD: Update nfsd_cb_args tracepoint
nfsd: Prevent truncation of an unlinked inode from blocking access to its directory
nfsd: move some commit_metadata()s outside the inode lock
NFSD add vfs_fsync after async copy is done
NFSD: delay unmount source's export after inter-server copy completed.
nfsd: move fsnotify on client creation outside spinlock
nfsd4: Expose the callback address and state of each NFS4 client
nfsd: fix kernel test robot warning in SSC code
NFSD: Fix error return code in nfsd4_interssc_connect()
nfsd: rpc_peeraddr2str needs rcu lock
lockd: Remove stale comments
lockd: Create a simplified .vs_dispatch method for NLM requests
lockd: Common NLM XDR helpers
lockd: Update the NLMv1 void argument decoder to use struct xdr_stream
lockd: Update the NLMv1 TEST arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 LOCK arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 CANCEL arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 UNLOCK arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 nlm_res arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 SM_NOTIFY arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 SHARE arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 FREE_ALL arguments decoder to use struct xdr_stream
lockd: Update the NLMv1 void results encoder to use struct xdr_stream
lockd: Update the NLMv1 TEST results encoder to use struct xdr_stream
lockd: Update the NLMv1 nlm_res results encoder to use struct xdr_stream
lockd: Update the NLMv1 SHARE results encoder to use struct xdr_stream
lockd: Update the NLMv4 void arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 TEST arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 LOCK arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 CANCEL arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 UNLOCK arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 nlm_res arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 SM_NOTIFY arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 SHARE arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 FREE_ALL arguments decoder to use struct xdr_stream
lockd: Update the NLMv4 void results encoder to use struct xdr_stream
lockd: Update the NLMv4 TEST results encoder to use struct xdr_stream
lockd: Update the NLMv4 nlm_res results encoder to use struct xdr_stream
lockd: Update the NLMv4 SHARE results encoder to use struct xdr_stream
nfsd: remove redundant assignment to pointer 'this'
NFSD: Prevent a possible oops in the nfs_dirent() tracepoint
nfsd: fix NULL dereference in nfs3svc_encode_getaclres
kernel/pid.c: remove static qualifier from pidfd_create()
kernel/pid.c: implement additional checks upon pidfd_create() parameters
fanotify: minor cosmetic adjustments to fid labels
fanotify: introduce a generic info record copying helper
fanotify: add pidfd support to the fanotify API
fsnotify: replace igrab() with ihold() on attach connector
fsnotify: count s_fsnotify_inode_refs for attached connectors
fsnotify: count all objects with attached connectors
fsnotify: optimize the case of no marks of any type
NFSD: Clean up splice actor
SUNRPC: Add svc_rqst_replace_page() API
NFSD: Batch release pages during splice read
NFSD: remove vanity comments
sysctl: introduce new proc handler proc_dobool
lockd: change the proc_handler for nsm_use_hostnames
nlm: minor nlm_lookup_file argument change
nlm: minor refactoring
lockd: update nlm_lookup_file reexport comment
Keep read and write fds with each nlm_file
nfs: don't atempt blocking locks on nfs reexports
lockd: don't attempt blocking locks on nfs reexports
nfs: don't allow reexport reclaims
SUNRPC: Add svc_rqst::rq_auth_stat
SUNRPC: Set rq_auth_stat in the pg_authenticate() callout
SUNRPC: Eliminate the RQ_AUTHERR flag
NFS: Add a private local dispatcher for NFSv4 callback operations
NFS: Remove unused callback void decoder
fsnotify: fix sb_connectors leak
NLM: Fix svcxdr_encode_owner()
nfsd: Fix a warning for nfsd_file_close_inode
fsnotify: pass data_type to fsnotify_name()
fsnotify: pass dentry instead of inode data
fsnotify: clarify contract for create event hooks
fsnotify: Don't insert unmergeable events in hashtable
fanotify: Fold event size calculation to its own function
fanotify: Split fsid check from other fid mode checks
inotify: Don't force FS_IN_IGNORED
fsnotify: Add helper to detect overflow_event
fsnotify: Add wrapper around fsnotify_add_event
fsnotify: Retrieve super block from the data field
fsnotify: Protect fsnotify_handle_inode_event from no-inode events
fsnotify: Pass group argument to free_event
fanotify: Support null inode event in fanotify_dfid_inode
fanotify: Allow file handle encoding for unhashed events
fanotify: Encode empty file handle when no inode is provided
fanotify: Require fid_mode for any non-fd event
fsnotify: Support FS_ERROR event type
fanotify: Reserve UAPI bits for FAN_FS_ERROR
fanotify: Pre-allocate pool of error events
fanotify: Support enqueueing of error events
fanotify: Support merging of error events
fanotify: Wrap object_fh inline space in a creator macro
fanotify: Add helpers to decide whether to report FID/DFID
fanotify: WARN_ON against too large file handles
fanotify: Report fid info for file related file system errors
fanotify: Emit generic error info for error event
fanotify: Allow users to request FAN_FS_ERROR events
SUNRPC: Trace calls to .rpc_call_done
NFSD: Optimize DRC bucket pruning
NFSD: move filehandle format declarations out of "uapi".
NFSD: drop support for ancient filehandles
NFSD: simplify struct nfsfh
NFSD: Initialize pointer ni with NULL and not plain integer 0
NFSD: Have legacy NFSD WRITE decoders use xdr_stream_subsegment()
SUNRPC: Replace the "__be32 *p" parameter to .pc_decode
SUNRPC: Change return value type of .pc_decode
NFSD: Save location of NFSv4 COMPOUND status
SUNRPC: Replace the "__be32 *p" parameter to .pc_encode
SUNRPC: Change return value type of .pc_encode
nfsd: update create verifier comment
NFSD:fix boolreturn.cocci warning
nfsd4: remove obselete comment
NFSD: Fix exposure in nfsd4_decode_bitmap()
NFSD: Fix READDIR buffer overflow
fsnotify: clarify object type argument
fsnotify: separate mark iterator type from object type enum
fanotify: introduce group flag FAN_REPORT_TARGET_FID
fsnotify: generate FS_RENAME event with rich information
fanotify: use macros to get the offset to fanotify_info buffer
fanotify: use helpers to parcel fanotify_info buffer
fanotify: support secondary dir fh and name in fanotify_info
fanotify: record old and new parent and name in FAN_RENAME event
fanotify: record either old name new name or both for FAN_RENAME
fanotify: report old and/or new parent+name in FAN_RENAME event
fanotify: wire up FAN_RENAME event
exit: Implement kthread_exit
exit: Rename module_put_and_exit to module_put_and_kthread_exit
NFSD: Fix sparse warning
NFSD: handle errors better in write_ports_addfd()
SUNRPC: change svc_get() to return the svc.
SUNRPC/NFSD: clean up get/put functions.
SUNRPC: stop using ->sv_nrthreads as a refcount
nfsd: make nfsd_stats.th_cnt atomic_t
SUNRPC: use sv_lock to protect updates to sv_nrthreads.
NFSD: narrow nfsd_mutex protection in nfsd thread
NFSD: Make it possible to use svc_set_num_threads_sync
SUNRPC: discard svo_setup and rename svc_set_num_threads_sync()
NFSD: simplify locking for network notifier.
lockd: introduce nlmsvc_serv
lockd: simplify management of network status notifiers
lockd: move lockd_start_svc() call into lockd_create_svc()
lockd: move svc_exit_thread() into the thread
lockd: introduce lockd_put()
lockd: rename lockd_create_svc() to lockd_get()
SUNRPC: move the pool_map definitions (back) into svc.c
SUNRPC: always treat sv_nrpools==1 as "not pooled"
lockd: use svc_set_num_threads() for thread start and stop
NFS: switch the callback service back to non-pooled.
NFSD: Remove be32_to_cpu() from DRC hash function
NFSD: Fix inconsistent indenting
NFSD: simplify per-net file cache management
NFSD: Combine XDR error tracepoints
nfsd: improve stateid access bitmask documentation
NFSD: De-duplicate nfsd4_decode_bitmap4()
nfs: block notification on fs with its own ->lock
nfsd4: add refcount for nfsd4_blocked_lock
NFSD: Fix zero-length NFSv3 WRITEs
nfsd: map EBADF
nfsd: Add errno mapping for EREMOTEIO
nfsd: Retry once in nfsd_open on an -EOPENSTALE return
NFSD: Clean up nfsd_vfs_write()
NFSD: De-duplicate net_generic(SVC_NET(rqstp), nfsd_net_id)
NFSD: De-duplicate net_generic(nf->nf_net, nfsd_net_id)
nfsd: Add a tracepoint for errors in nfsd4_clone_file_range()
NFSD: Write verifier might go backwards
NFSD: Clean up the nfsd_net::nfssvc_boot field
NFSD: Rename boot verifier functions
NFSD: Trace boot verifier resets
Revert "nfsd: skip some unnecessary stats in the v4 case"
NFSD: Move fill_pre_wcc() and fill_post_wcc()
nfsd: fix crash on COPY_NOTIFY with special stateid
fanotify: remove variable set but not used
lockd: fix server crash on reboot of client holding lock
lockd: fix failure to cleanup client locks
NFSD: Fix the behavior of READ near OFFSET_MAX
NFSD: Fix ia_size underflow
NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
NFSD: COMMIT operations must not return NFS?ERR_INVAL
NFSD: Deprecate NFS_OFFSET_MAX
nfsd: Add support for the birth time attribute
NFSD: De-duplicate hash bucket indexing
NFSD: Skip extra computation for RC_NOCACHE case
NFSD: Streamline the rare "found" case
SUNRPC: Remove the .svo_enqueue_xprt method
SUNRPC: Merge svc_do_enqueue_xprt() into svc_enqueue_xprt()
SUNRPC: Remove svo_shutdown method
SUNRPC: Rename svc_create_xprt()
SUNRPC: Rename svc_close_xprt()
SUNRPC: Remove svc_shutdown_net()
NFSD: Remove svc_serv_ops::svo_module
NFSD: Move svc_serv_ops::svo_function into struct svc_serv
NFSD: Remove CONFIG_NFSD_V3
NFSD: Clean up _lm_ operation names
nfsd: fix using the correct variable for sizeof()
fsnotify: fix merge with parent's ignored mask
fsnotify: optimize FS_MODIFY events with no ignored masks
fsnotify: remove redundant parameter judgment
SUNRPC: Return true/false (not 1/0) from bool functions
nfsd: Fix a write performance regression
nfsd: Clean up nfsd_file_put()
fanotify: do not allow setting dirent events in mask of non-dir
fs/lock: documentation cleanup. Replace inode->i_lock with flc_lock.
inotify: move control flags from mask to mark flags
fsnotify: pass flags argument to fsnotify_alloc_group()
fsnotify: make allow_dups a property of the group
fsnotify: create helpers for group mark_mutex lock
inotify: use fsnotify group lock helpers
nfsd: use fsnotify group lock helpers
dnotify: use fsnotify group lock helpers
fsnotify: allow adding an inode mark without pinning inode
fanotify: create helper fanotify_mark_user_flags()
fanotify: factor out helper fanotify_mark_update_flags()
fanotify: implement "evictable" inode marks
fanotify: use fsnotify group lock helpers
fanotify: enable "evictable" inode marks
fsnotify: introduce mark type iterator
fsnotify: consistent behavior for parent not watching children
fanotify: fix incorrect fmode_t casts
NFSD: Clean up nfsd_splice_actor()
NFSD: add courteous server support for thread with only delegation
NFSD: add support for share reservation conflict to courteous server
NFSD: move create/destroy of laundry_wq to init_nfsd and exit_nfsd
fs/lock: add helper locks_owner_has_blockers to check for blockers
fs/lock: add 2 callbacks to lock_manager_operations to resolve conflict
NFSD: add support for lock conflict to courteous server
NFSD: Show state of courtesy client in client info
NFSD: Clean up nfsd3_proc_create()
NFSD: Avoid calling fh_drop_write() twice in do_nfsd_create()
NFSD: Refactor nfsd_create_setattr()
NFSD: Refactor NFSv3 CREATE
NFSD: Refactor NFSv4 OPEN(CREATE)
NFSD: Remove do_nfsd_create()
NFSD: Clean up nfsd_open_verified()
NFSD: Instantiate a struct file when creating a regular NFSv4 file
NFSD: Remove dprintk call sites from tail of nfsd4_open()
NFSD: Fix whitespace
NFSD: Move documenting comment for nfsd4_process_open2()
NFSD: Trace filecache opens
NFSD: Clean up the show_nf_flags() macro
SUNRPC: Use RMW bitops in single-threaded hot paths
nfsd: Unregister the cld notifier when laundry_wq create failed
nfsd: Fix null-ptr-deref in nfsd_fill_super()
nfsd: destroy percpu stats counters after reply cache shutdown
NFSD: Modernize nfsd4_release_lockowner()
NFSD: Add documenting comment for nfsd4_release_lockowner()
NFSD: nfsd_file_put() can sleep
NFSD: Fix potential use-after-free in nfsd_file_put()
SUNRPC: Optimize xdr_reserve_space()
fanotify: refine the validation checks on non-dir inode mask
NFS: restore module put when manager exits.
NFSD: Decode NFSv4 birth time attribute
lockd: set fl_owner when unlocking files
lockd: fix nlm_close_files
fs: inotify: Fix typo in inotify comment
fanotify: prepare for setting event flags in ignore mask
fanotify: cleanups for fanotify_mark() input validations
fanotify: introduce FAN_MARK_IGNORE
fsnotify: Fix comment typo
nfsd: eliminate the NFSD_FILE_BREAK_* flags
SUNRPC: Fix xdr_encode_bool()
NLM: Defend against file_lock changes after vfs_test_lock()
NFSD: Fix space and spelling mistake
nfsd: remove redundant assignment to variable len
NFSD: Demote a WARN to a pr_warn()
NFSD: Report filecache LRU size
NFSD: Report count of calls to nfsd_file_acquire()
NFSD: Report count of freed filecache items
NFSD: Report average age of filecache items
NFSD: Add nfsd_file_lru_dispose_list() helper
NFSD: Refactor nfsd_file_gc()
NFSD: Refactor nfsd_file_lru_scan()
NFSD: Report the number of items evicted by the LRU walk
NFSD: Record number of flush calls
NFSD: Zero counters when the filecache is re-initialized
NFSD: Hook up the filecache stat file
NFSD: WARN when freeing an item still linked via nf_lru
NFSD: Trace filecache LRU activity
NFSD: Leave open files out of the filecache LRU
NFSD: Fix the filecache LRU shrinker
NFSD: Never call nfsd_file_gc() in foreground paths
NFSD: No longer record nf_hashval in the trace log
NFSD: Remove lockdep assertion from unhash_and_release_locked()
NFSD: nfsd_file_unhash can compute hashval from nf->nf_inode
NFSD: Refactor __nfsd_file_close_inode()
NFSD: nfsd_file_hash_remove can compute hashval
NFSD: Remove nfsd_file::nf_hashval
NFSD: Replace the "init once" mechanism
NFSD: Set up an rhashtable for the filecache
NFSD: Convert the filecache to use rhashtable
NFSD: Clean up unused code after rhashtable conversion
NFSD: Separate tracepoints for acquire and create
NFSD: Move nfsd_file_trace_alloc() tracepoint
NFSD: NFSv4 CLOSE should release an nfsd_file immediately
NFSD: Ensure nf_inode is never dereferenced
NFSD: refactoring v4 specific code to a helper in nfs4state.c
NFSD: keep track of the number of v4 clients in the system
NFSD: limit the number of v4 clients to 1024 per 1GB of system memory
nfsd: silence extraneous printk on nfsd.ko insertion
NFSD: Optimize nfsd4_encode_operation()
NFSD: Optimize nfsd4_encode_fattr()
NFSD: Clean up SPLICE_OK in nfsd4_encode_read()
NFSD: Add an nfsd4_read::rd_eof field
NFSD: Optimize nfsd4_encode_readv()
NFSD: Simplify starting_len
NFSD: Use xdr_pad_size()
NFSD: Clean up nfsd4_encode_readlink()
NFSD: Fix strncpy() fortify warning
NFSD: nfserrno(-ENOMEM) is nfserr_jukebox
NFSD: Shrink size of struct nfsd4_copy_notify
NFSD: Shrink size of struct nfsd4_copy
NFSD: Reorder the fields in struct nfsd4_op
NFSD: Make nfs4_put_copy() static
NFSD: Replace boolean fields in struct nfsd4_copy
NFSD: Refactor nfsd4_cleanup_inter_ssc() (1/2)
NFSD: Refactor nfsd4_cleanup_inter_ssc() (2/2)
NFSD: Refactor nfsd4_do_copy()
NFSD: Remove kmalloc from nfsd4_do_async_copy()
NFSD: Add nfsd4_send_cb_offload()
NFSD: Move copy offload callback arguments into a separate structure
NFSD: drop fh argument from alloc_init_deleg
NFSD: verify the opened dentry after setting a delegation
NFSD: introduce struct nfsd_attrs
NFSD: set attributes when creating symlinks
NFSD: add security label to struct nfsd_attrs
NFSD: add posix ACLs to struct nfsd_attrs
NFSD: change nfsd_create()/nfsd_symlink() to unlock directory before returning.
NFSD: always drop directory lock in nfsd_unlink()
NFSD: only call fh_unlock() once in nfsd_link()
NFSD: reduce locking in nfsd_lookup()
NFSD: use explicit lock/unlock for directory ops
NFSD: use (un)lock_inode instead of fh_(un)lock for file operations
NFSD: discard fh_locked flag and fh_lock/fh_unlock
lockd: detect and reject lock arguments that overflow
NFSD: fix regression with setting ACLs.
nfsd_splice_actor(): handle compound pages
NFSD: move from strlcpy with unused retval to strscpy
lockd: move from strlcpy with unused retval to strscpy
NFSD enforce filehandle check for source file in COPY
NFSD: remove redundant variable status
nfsd: Avoid some useless tests
nfsd: Propagate some error code returned by memdup_user()
NFSD: Increase NFSD_MAX_OPS_PER_COMPOUND
NFSD: Protect against send buffer overflow in NFSv2 READDIR
NFSD: Protect against send buffer overflow in NFSv3 READDIR
NFSD: Protect against send buffer overflow in NFSv2 READ
NFSD: Protect against send buffer overflow in NFSv3 READ
NFSD: drop fname and flen args from nfsd_create_locked()
NFSD: Fix handling of oversized NFSv4 COMPOUND requests
nfsd: clean up mounted_on_fileid handling
nfsd: remove nfsd4_prepare_cb_recall() declaration
NFSD: Add tracepoints to report NFSv4 callback completions
NFSD: Add a mechanism to wait for a DELEGRETURN
NFSD: Refactor nfsd_setattr()
NFSD: Make nfsd4_setattr() wait before returning NFS4ERR_DELAY
NFSD: Make nfsd4_rename() wait before returning NFS4ERR_DELAY
NFSD: Make nfsd4_remove() wait before returning NFS4ERR_DELAY
NFSD: keep track of the number of courtesy clients in the system
NFSD: add shrinker to reap courtesy clients on low memory condition
SUNRPC: Parametrize how much of argsize should be zeroed
NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing
NFSD: Refactor common code out of dirlist helpers
NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks
NFSD: Clean up WRITE arg decoders
NFSD: Clean up nfs4svc_encode_compoundres()
NFSD: Remove "inline" directives on op_rsize_bop helpers
NFSD: Remove unused nfsd4_compoundargs::cachetype field
NFSD: Pack struct nfsd4_compoundres
nfsd: use DEFINE_PROC_SHOW_ATTRIBUTE to define nfsd_proc_ops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define export_features_fops and supported_enctypes_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define client_info_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_reply_cache_stats_fops
nfsd: use DEFINE_SHOW_ATTRIBUTE to define nfsd_file_cache_stats_fops
NFSD: Rename the fields in copy_stateid_t
NFSD: Cap rsize_bop result based on send buffer size
nfsd: only fill out return pointer on success in nfsd4_lookup_stateid
nfsd: fix comments about spinlock handling with delegations
nfsd: make nfsd4_run_cb a bool return function
nfsd: extra checks when freeing delegation stateids
fs/notify: constify path
fsnotify: remove unused declaration
fanotify: Remove obsoleted fanotify_event_has_path()
nfsd: fix nfsd_file_unhash_and_dispose
nfsd: rework hashtable handling in nfsd_do_file_acquire
NFSD: unregister shrinker when nfsd_init_net() fails
nfsd: fix net-namespace logic in __nfsd_file_cache_purge
nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint
nfsd: put the export reference in nfsd4_verify_deleg_dentry
NFSD: Fix reads with a non-zero offset that don't end on a page boundary
filelock: add a new locks_inode_context accessor function
lockd: use locks_inode_context helper
nfsd: use locks_inode_context helper
NFSD: Simplify READ_PLUS
NFSD: Remove redundant assignment to variable host_err
NFSD: Finish converting the NFSv2 GETACL result encoder
NFSD: Finish converting the NFSv3 GETACL result encoder
nfsd: ignore requests to disable unsupported versions
nfsd: move nfserrno() to vfs.c
nfsd: allow disabling NFSv2 at compile time
exportfs: use pr_debug for unreachable debug statements
NFSD: Pass the target nfsd_file to nfsd_commit()
NFSD: Revert "NFSD: NFSv4 CLOSE should release an nfsd_file immediately"
NFSD: Add an NFSD_FILE_GC flag to enable nfsd_file garbage collection
NFSD: Flesh out a documenting comment for filecache.c
NFSD: Clean up nfs4_preprocess_stateid_op() call sites
NFSD: Trace stateids returned via DELEGRETURN
NFSD: Trace delegation revocations
NFSD: Use const pointers as parameters to fh_ helpers
NFSD: Update file_hashtbl() helpers
NFSD: Clean up nfsd4_init_file()
NFSD: Add a nfsd4_file_hash_remove() helper
NFSD: Clean up find_or_add_file()
NFSD: Refactor find_file()
NFSD: Use rhashtable for managing nfs4_file objects
NFSD: Fix licensing header in filecache.c
nfsd: remove the pages_flushed statistic from filecache
nfsd: reorganize filecache.c
nfsd: fix up the filecache laundrette scheduling
NFSD: Add an nfsd_file_fsync tracepoint
lockd: set other missing fields when unlocking files
nfsd: return error if nfs4_setacl fails
NFSD: Use struct_size() helper in alloc_session()
lockd: set missing fl_flags field when retrieving args
lockd: ensure we use the correct file descriptor when unlocking
lockd: fix file selection in nlmsvc_cancel_blocked
NFSD: pass range end to vfs_fsync_range() instead of count
NFSD: refactoring courtesy_client_reaper to a generic low memory shrinker
NFSD: add support for sending CB_RECALL_ANY
NFSD: add delegation reaper to react to low memory condition
NFSD: Use only RQ_DROPME to signal the need to drop a reply
NFSD: Avoid clashing function prototypes
nfsd: rework refcounting in filecache
nfsd: fix handling of cached open files in nfsd4_open codepath
Revert "SUNRPC: Use RMW bitops in single-threaded hot paths"
NFSD: Use set_bit(RQ_DROPME)
NFSD: fix use-after-free in nfsd4_ssc_setup_dul()
NFSD: register/unregister of nfsd-client shrinker at nfsd startup/shutdown time
NFSD: replace delayed_work with work_struct for nfsd_client_shrinker
nfsd: don't free files unconditionally in __nfsd_file_cache_purge
nfsd: don't destroy global nfs4_file table in per-net shutdown
NFSD: enhance inter-server copy cleanup
nfsd: allow nfsd_file_get to sanely handle a NULL pointer
nfsd: clean up potential nfsd_file refcount leaks in COPY codepath
NFSD: fix leaked reference count of nfsd4_ssc_umount_item
nfsd: don't hand out delegation on setuid files being opened for write
NFSD: fix problems with cleanup on errors in nfsd4_copy
nfsd: fix courtesy client with deny mode handling in nfs4_upgrade_open
nfsd: don't fsync nfsd_files on last close
NFSD: copy the whole verifier in nfsd_copy_write_verifier
NFSD: Protect against filesystem freezing
lockd: set file_lock start and end when decoding nlm4 testargs
nfsd: don't replace page in rq_pages if it's a continuation of last page
NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL
nfsd: call op_release, even when op_func returns an error
nfsd: don't open-code clear_and_wake_up_bit
nfsd: NFSD_FILE_KEY_INODE only needs to find GC'ed entries
nfsd: simplify test_bit return in NFSD_FILE_KEY_FULL comparator
nfsd: don't kill nfsd_files because of lease break error
nfsd: add some comments to nfsd_file_do_acquire
nfsd: don't take/put an extra reference when putting a file
nfsd: update comment over __nfsd_file_cache_purge
nfsd: allow reaping files still under writeback
NFSD: Convert filecache to rhltable
nfsd: simplify the delayed disposal list code
NFSD: Fix problem of COMMIT and NFS4ERR_DELAY in infinite loop
nfsd: make a copy of struct iattr before calling notify_change
nfsd: fix double fget() bug in __write_ports_addfd()
lockd: drop inappropriate svc_get() from locked_get()
NFSD: Add an nfsd4_encode_nfstime4() helper
nfsd: Fix creation time serialization order
nfsd: don't allow nfsd threads to be signalled.
nfsd: Simplify code around svc_exit_thread() call in nfsd()
nfsd: separate nfsd_last_thread() from nfsd_put()
Documentation: Add missing documentation for EXPORT_OP flags
NFSD: fix possible oops when nfsd/pool_stats is closed.
nfsd: call nfsd_last_thread() before final nfsd_put()
nfsd: drop the nfsd_put helper
nfsd: fix RELEASE_LOCKOWNER
nfsd: don't take fi_lock in nfsd_break_deleg_cb()
nfsd: don't call locks_release_private() twice concurrently
nfsd: Fix a regression in nfsd_setattr()
Linux 5.10.220
Change-Id: I589ec5e63d1f985ab69f9755b9a87330627d44c5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
054258ff89 |
ANDROID: ABI fixup for abi break in struct dst_ops
In commit 92f1655aa2b2 ("net: fix __dst_negative_advice() race") the
struct dst_ops callback negative_advice is callback changes function
parameters. But as this pointer is part of a structure that is tracked
in the ABI checker, the tool triggers when this is changed.
However, the callback pointer is internal to the networking stack, so
changing the function type is safe, so needing to preserve this is not
required. To do so, switch the function pointer type back to the old
one so that the checking tools pass, AND then do a hard cast of the
function pointer to the new type when assigning and calling the
function.
Bug: 343727534
Fixes: 92f1655aa2b2 ("net: fix __dst_negative_advice() race")
Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
fedef46c69 |
This is the 5.10.219 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmZuzl4ACgkQONu9yGCS
aT7+ohAAyRkTis6xeME1FWIJthCJl8FzUq9nfN+OccK3TwCbXyZKXlZK8lVz0T5U
DvG1Tg+rR76+hIJghMIy2FEPRBA19WMq9a+Ms2ZyyggPrlgksFivO8N8YgnIxabb
EJPN7pAzO+GA+vd8YeGeK1ldq8QUISlN35s+hkur1jeBctWRcpHeOTjIej/Qytmj
ny1o7hCp179+SPygSEYEYtguACaQflhfBjOgAQ9DwWjP6vO2W9Vb16X4tiT0udHm
ExPjOwxbEMN/7m9gKrnl6WcIROSOy55FnfcYZP+NRY4jBlANUgXF1ca9hAhcIKSv
oOyeRN5S3FZAdxIHG9SFU9b6MPwJSeO5ETQyfiRGNFRkXOa2tKknNSsuACu8kSwx
SKJIpcuW1DkortwsYFbilXdl6TrK6oCcEczV5qtludcRoDznfUGejb5e81v3yYkO
no6ORvBJSBnEObY+gpexvxQp2Ae1+YkSLJaDzYWMC+JHBIgWTz2F2qJJkP6bRAUV
QduFTdTenDnL7zW3DseZGJKotU95cUoKNAwa7wfboZeygHc2+KaUOchKcqI0P9dZ
pS27RzcAJJ2uufujofyxOOhzFKw98WFurfNsMZTDBwHuqReoiRAS7pi0PeTMuqUv
GC8V1eIKgeWdI+pdTZLXylziiM41IylLjU/hxCrsykb+EwFa5NY=
=B1lK
-----END PGP SIGNATURE-----
Merge 5.10.219 into android12-5.10-lts
Changes in 5.10.219
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
speakup: Fix sizeof() vs ARRAY_SIZE() bug
ring-buffer: Fix a race between readers and resize checks
net: smc91x: Fix m68k kernel compilation for ColdFire CPU
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
nilfs2: fix potential hang in nilfs_detach_log_writer()
ALSA: core: Fix NULL module pointer assignment at card init
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
net: usb: qmi_wwan: add Telit FN920C04 compositions
drm/amd/display: Set color_mgmt_changed to true on unsuspend
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
regulator: vqmmc-ipq4019: fix module autoloading
ASoC: rt715: add vendor clear control register
ASoC: da7219-aad: fix usage of device_get_named_child_node()
drm/amdkfd: Flush the process wq before creating a kfd_process
nvme: find numa distance only if controller has valid numa id
openpromfs: finish conversion to the new mount API
crypto: bcm - Fix pointer arithmetic
firmware: raspberrypi: Use correct device for DMA mappings
ecryptfs: Fix buffer size for tag 66 packet
nilfs2: fix out-of-range warning
parisc: add missing export of __cmpxchg_u8()
crypto: ccp - drop platform ifdef checks
crypto: x86/nh-avx2 - add missing vzeroupper
crypto: x86/sha256-avx2 - add missing vzeroupper
s390/cio: fix tracepoint subchannel type field
jffs2: prevent xattr node from overflowing the eraseblock
soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE
null_blk: Fix missing mutex_destroy() at module removal
md: fix resync softlockup when bitmap size is less than array size
wifi: ath10k: poll service ready message before failing
x86/boot: Ignore relocations in .notes sections in walk_relocs() too
qed: avoid truncating work queue length
scsi: ufs: qcom: Perform read back after writing reset bit
scsi: ufs-qcom: Fix ufs RST_n spec violation
scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US
scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0
scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5
scsi: ufs: qcom: Perform read back after writing unipro mode
scsi: ufs: qcom: Perform read back after writing CGC enable
scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
scsi: ufs: core: Perform read back after disabling interrupts
scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
irqchip/alpine-msi: Fix off-by-one in allocation error path
irqchip/loongson-pch-msi: Fix off-by-one on allocation error path
ACPI: disable -Wstringop-truncation
gfs2: Fix "ignore unlock failures after withdraw"
selftests/bpf: Fix umount cgroup2 error in test_sockmap
cpufreq: Reorganize checks in cpufreq_offline()
cpufreq: Split cpufreq_offline()
cpufreq: Rearrange locking in cpufreq_remove_dev()
cpufreq: exit() callback is optional
net: export inet_lookup_reuseport and inet6_lookup_reuseport
net: remove duplicate reuseport_lookup functions
udp: Avoid call to compute_score on multiple sites
scsi: libsas: Fix the failure of adding phy with zero-address to port
scsi: hpsa: Fix allocation size for Scsi_Host private data
x86/purgatory: Switch to the position-independent small code model
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
wifi: ath10k: populate board data for WCN3990
tcp: avoid premature drops in tcp_add_backlog()
net: give more chances to rcu in netdev_wait_allrefs_any()
macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
wifi: carl9170: add a proper sanity check for endpoints
wifi: ar5523: enable proper endpoint verification
sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
Revert "sh: Handle calling csum_partial with misaligned data"
selftests/binderfs: use the Makefile's rules, not Make's implicit rules
HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
scsi: bfa: Ensure the copied buf is NUL terminated
scsi: qedf: Ensure the copied buf is NUL terminated
wifi: mwl8k: initialize cmd->addr[] properly
usb: aqc111: stop lying about skb->truesize
net: usb: sr9700: stop lying about skb->truesize
m68k: Fix spinlock race in kernel thread creation
m68k: mac: Fix reboot hang on Mac IIci
net: ipv6: fix wrong start position when receive hop-by-hop fragment
eth: sungem: remove .ndo_poll_controller to avoid deadlocks
net: ethernet: cortina: Locking fixes
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
net: usb: smsc95xx: stop lying about skb->truesize
net: openvswitch: fix overwriting ct original tuple for ICMPv6
ipv6: sr: add missing seg6_local_exit
ipv6: sr: fix incorrect unregister order
ipv6: sr: fix invalid unregister error path
net/mlx5: Discard command completions in internal error
drm/amd/display: Fix potential index out of bounds in color transformation function
ASoC: soc-acpi: add helper to identify parent driver.
ASoC: Intel: Disable route checks for Skylake boards
mtd: rawnand: hynix: fixed typo
fbdev: shmobile: fix snprintf truncation
drm/meson: vclk: fix calculation of 59.94 fractional rates
drm/mediatek: Add 0 size check to mtk_drm_gem_obj
powerpc/fsl-soc: hide unused const variable
fbdev: sisfb: hide unused variables
media: ngene: Add dvb_ca_en50221_init return value check
media: radio-shark2: Avoid led_names truncations
drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
fbdev: sh7760fb: allow modular build
media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries
drm/arm/malidp: fix a possible null pointer dereference
drm: vc4: Fix possible null pointer dereference
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
drm/bridge: lt9611: Don't log an error when DSI host can't be found
drm/bridge: tc358775: Don't log an error when DSI host can't be found
drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
drm/mipi-dsi: use correct return type for the DSC functions
RDMA/hns: Refactor the hns_roce_buf allocation flow
RDMA/hns: Create QP with selected QPN for bank load balance
RDMA/hns: Fix incorrect symbol types
RDMA/hns: Fix return value in hns_roce_map_mr_sg
RDMA/hns: Use complete parentheses in macros
RDMA/hns: Modify the print level of CQE error
clk: qcom: mmcc-msm8998: fix venus clock issue
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
ext4: avoid excessive credit estimate in ext4_tmpfile()
sunrpc: removed redundant procp check
ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple
ext4: fix unit mismatch in ext4_mb_new_blocks_simple
ext4: try all groups in ext4_mb_new_blocks_simple
ext4: remove unused parameter from ext4_mb_new_blocks_simple()
ext4: fix potential unnitialized variable
SUNRPC: Fix gss_free_in_token_pages()
selftests/kcmp: Make the test output consistent and clear
selftests/kcmp: remove unused open mode
RDMA/IPoIB: Fix format truncation compilation errors
net: qrtr: fix null-ptr-deref in qrtr_ns_remove
net: qrtr: ns: Fix module refcnt
netrom: fix possible dead-lock in nr_rt_ioctl()
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
greybus: lights: check return of get_channel_from_mode
f2fs: fix to wait on page writeback in __clone_blkaddrs()
soundwire: cadence: fix invalid PDI offset
dmaengine: idma64: Add check for dma_set_max_seg_size
firmware: dmi-id: add a release callback function
serial: max3100: Lock port->lock when calling uart_handle_cts_change()
serial: max3100: Update uart_driver_registered on driver removal
serial: max3100: Fix bitwise types
greybus: arche-ctrl: move device table to its right location
serial: sc16is7xx: add proper sched.h include for sched_set_fifo()
f2fs: compress: support chksum
f2fs: add compress_mode mount option
f2fs: compress: clean up parameter of __f2fs_cluster_blocks()
f2fs: compress: remove unneeded preallocation
f2fs: introduce FI_COMPRESS_RELEASED instead of using IMMUTABLE bit
f2fs: compress: fix to relocate check condition in f2fs_{release,reserve}_compress_blocks()
f2fs: add cp_error check in f2fs_write_compressed_pages
f2fs: fix to force keeping write barrier for strict fsync mode
f2fs: do not allow partial truncation on pinned file
f2fs: fix typos in comments
f2fs: fix to relocate check condition in f2fs_fallocate()
f2fs: fix to check pinfile flag in f2fs_move_file_range()
iio: pressure: dps310: support negative temperature values
fpga: region: change FPGA indirect article to an
fpga: region: Rename dev to parent for parent device
docs: driver-api: fpga: avoid using UTF-8 chars
fpga: region: Use standard dev_release for class driver
fpga: region: add owner module and take its refcount
microblaze: Remove gcc flag for non existing early_printk.c file
microblaze: Remove early printk call from cpuinfo-static.c
usb: gadget: u_audio: Clear uac pointer when freed.
stm class: Fix a double free in stm_register_device()
ppdev: Remove usage of the deprecated ida_simple_xx() API
ppdev: Add an error check in register_device
extcon: max8997: select IRQ_DOMAIN instead of depending on it
PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3
PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3
f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock
f2fs: fix to release node block count in error path of f2fs_new_node_page()
f2fs: compress: don't allow unaligned truncation on released compress inode
serial: sh-sci: protect invalidating RXDMA on shutdown
libsubcmd: Fix parse-options memory leak
s390/ipl: Fix incorrect initialization of len fields in nvme reipl block
s390/ipl: Fix incorrect initialization of nvme dump block
Input: ims-pcu - fix printf string overflow
Input: ioc3kbd - convert to platform remove callback returning void
Input: ioc3kbd - add device table
mmc: sdhci_am654: Add tuning algorithm for delay chain
mmc: sdhci_am654: Write ITAPDLY for DDR52 timing
mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel
mmc: sdhci_am654: Add OTAP/ITAP delay enable
mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock
mmc: sdhci_am654: Fix ITAPDLY for HS400 timing
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
drm/msm/dpu: Always flush the slave INTF on the CTL
um: Fix return value in ubd_init()
um: Add winch to winch_handlers before registering winch IRQ
um: vector: fix bpfflash parameter evaluation
drm/bridge: tc358775: fix support for jeida-18 and jeida-24
media: stk1160: fix bounds checking in stk1160_copy_video()
scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()
media: flexcop-usb: clean up endpoint sanity checks
media: flexcop-usb: fix sanity check of bNumEndpoints
powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
um: Fix the -Wmissing-prototypes warning for __switch_mm
media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
media: cec: cec-api: add locking in cec_release()
media: core headers: fix kernel-doc warnings
media: cec: fix a deadlock situation
media: cec: call enable_adap on s_log_addrs
media: cec: abort if the current transmit was canceled
media: cec: correctly pass on reply results
media: cec: use call_op and check for !unregistered
media: cec-adap.c: drop activate_cnt, use state info instead
media: cec: core: avoid recursive cec_claim_log_addrs
media: cec: core: avoid confusing "transmit timed out" message
null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
regulator: bd71828: Don't overwrite runtime voltages
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
nfc: nci: Fix uninit-value in nci_rx_work
ASoC: tas2552: Add TX path for capturing AUDIO-OUT data
sunrpc: fix NFSACL RPC retry on soft mount
rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL
ipv6: sr: fix memleak in seg6_hmac_init_algo
params: lift param_set_uint_minmax to common code
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
openvswitch: Set the skbuff pkt_type for proper pmtud support.
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
net: fec: avoid lock evasion when reading pps_enable
tls: fix missing memory barrier in tls_init
nfc: nci: Fix kcov check in nci_rx_work()
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
netfilter: nft_payload: restore vlan q-in-q match support
spi: Don't mark message DMA mapped when no transfer in it is
nvmet: fix ns enable/disable possible hang
net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
bpf: Fix potential integer overflow in resolve_btfids
enic: Validate length of nl attributes in enic_set_vf_port
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
bpf: Allow delete from sockmap/sockhash only if update is allowed
net:fec: Add fec_enet_deinit()
netfilter: tproxy: bail out if IP has been disabled on the device
kconfig: fix comparison to constant symbols, 'm', 'n'
spi: stm32: Don't warn about spurious interrupts
ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
hwmon: (shtc1) Fix property misspelling
ALSA: timer: Set lower bound of start tick time
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
media: cec: core: add adap_nb_transmit_canceled() callback
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
binder: fix max_thread type inconsistency
mmc: core: Do not force a retune before RPMB switch
io_uring: fail NOP if non-zero op flags is passed in
afs: Don't cross .backup mountpoint from backup volume
nilfs2: fix use-after-free of timer for log writer thread
vxlan: Fix regression when dropping packets due to invalid src addresses
x86/mm: Remove broken vsyscall emulation code from the page fault code
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
media: lgdt3306a: Add a check against null-pointer-def
drm/amdgpu: add error handle to avoid out-of-bounds
ata: pata_legacy: make legacy_exit() work again
ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx
arm64: tegra: Correct Tegra132 I2C alias
arm64: dts: qcom: qcs404: fix bluetooth device address
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE
wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path
arm64: dts: hi3798cv200: fix the size of GICR
media: mc: mark the media devnode as registered from the, start
media: mxl5xx: Move xpt structures off stack
media: v4l2-core: hold videodev_lock until dev reg, finishes
mmc: core: Add mmc_gpiod_set_cd_config() function
mmc: sdhci-acpi: Sort DMI quirks alphabetically
mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working
mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A
fbdev: savage: Handle err return when savagefb_check_var failed
KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
crypto: ecrdsa - Fix module auto-load on add_key
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
net/ipv6: Fix route deleting failure when metric equals 0
net/9p: fix uninit-value in p9_client_rpc()
intel_th: pci: Add Meteor Lake-S CPU support
sparc64: Fix number of online CPUs
watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin
kdb: Fix buffer overflow during tab-complete
kdb: Use format-strings rather than '\0' injection in kdb_read()
kdb: Fix console handling when editing and tab-completing commands
kdb: Merge identical case statements in kdb_read()
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
net: fix __dst_negative_advice() race
sparc: move struct termio to asm/termios.h
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
s390/ap: Fix crash in AP internal function modify_bitmap()
nfs: fix undefined behavior in nfs_block_bits()
NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS
scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5
f2fs: compress: fix compression chksum
RDMA/hns: Use mutex instead of spinlock for ida allocation
RDMA/hns: Fix CQ and QP cache affinity
Linux 5.10.219
Change-Id: I0e21ff44d28df2a2802a9fb35f0959bb5ab528fc
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Sebastian Andrzej Siewior
|
1bd2dc7702 |
xdp: xdp_mem_allocator can be NULL in trace_mem_connect().
commit e0ae713023a9d09d6e1b454bdc8e8c1dd32c586e upstream.
Since the commit mentioned below __xdp_reg_mem_model() can return a NULL
pointer. This pointer is dereferenced in trace_mem_connect() which leads
to segfault.
The trace points (mem_connect + mem_disconnect) were put in place to
pair connect/disconnect using the IDs. The ID is only assigned if
__xdp_reg_mem_model() does not return NULL. That connect trace point is
of no use if there is no ID.
Skip that connect trace point if xdp_alloc is NULL.
[ Toke Høiland-Jørgensen delivered the reasoning for skipping the trace
point ]
Fixes: 4a48ef70b93b8 ("xdp: Allow registering memory model without rxq reference")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/r/YikmmXsffE+QajTB@linutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Kuniyuki Iwashima
|
3b32f26580 |
tcp: Fix data races around icsk->icsk_af_ops.
commit f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 upstream.
setsockopt(IPV6_ADDRFORM) and tcp_v6_connect() change icsk->icsk_af_ops
under lock_sock(), but tcp_(get|set)sockopt() read it locklessly. To
avoid load/store tearing, we need to add READ_ONCE() and WRITE_ONCE()
for the reads and writes.
Thanks to Eric Dumazet for providing the syzbot report:
BUG: KCSAN: data-race in tcp_setsockopt / tcp_v6_connect
write to 0xffff88813c624518 of 8 bytes by task 23936 on cpu 0:
tcp_v6_connect+0x5b3/0xce0 net/ipv6/tcp_ipv6.c:240
__inet_stream_connect+0x159/0x6d0 net/ipv4/af_inet.c:660
inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:724
__sys_connect_file net/socket.c:1976 [inline]
__sys_connect+0x197/0x1b0 net/socket.c:1993
__do_sys_connect net/socket.c:2003 [inline]
__se_sys_connect net/socket.c:2000 [inline]
__x64_sys_connect+0x3d/0x50 net/socket.c:2000
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff88813c624518 of 8 bytes by task 23937 on cpu 1:
tcp_setsockopt+0x147/0x1c80 net/ipv4/tcp.c:3789
sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3585
__sys_setsockopt+0x212/0x2b0 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263 [inline]
__se_sys_setsockopt net/socket.c:2260 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0xffffffff8539af68 -> 0xffffffff8539aff8
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 23937 Comm: syz-executor.5 Not tainted
6.0.0-rc4-syzkaller-00331-g4ed9c1e971b1-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 08/26/2022
Fixes:
|
||
|
Kuniyuki Iwashima
|
ea2ed3f78a |
ipv6: Fix data races around sk->sk_prot.
commit 364f997b5cfe1db0d63a390fe7c801fa2b3115f6 upstream.
Commit 086d49058cd8 ("ipv6: annotate some data-races around sk->sk_prot")
fixed some data-races around sk->sk_prot but it was not enough.
Some functions in inet6_(stream|dgram)_ops still access sk->sk_prot
without lock_sock() or rtnl_lock(), so they need READ_ONCE() to avoid
load tearing.
Fixes:
|
||
|
Eric Dumazet
|
d3bf338e9c |
ipv6: annotate some data-races around sk->sk_prot
commit 086d49058cd8471046ae9927524708820f5fd1c7 upstream. IPv6 has this hack changing sk->sk_prot when an IPv6 socket is 'converted' to an IPv4 one with IPV6_ADDRFORM option. This operation is only performed for TCP and UDP, knowing their 'struct proto' for the two network families are populated in the same way, and can not disappear while a reader might use and dereference sk->sk_prot. If we think about it all reads of sk->sk_prot while either socket lock or RTNL is not acquired should be using READ_ONCE(). Also note that other layers like MPTCP, XFRM, CHELSIO_TLS also write over sk->sk_prot. BUG: KCSAN: data-race in inet6_recvmsg / ipv6_setsockopt write to 0xffff8881386f7aa8 of 8 bytes by task 26932 on cpu 0: do_ipv6_setsockopt net/ipv6/ipv6_sockglue.c:492 [inline] ipv6_setsockopt+0x3758/0x3910 net/ipv6/ipv6_sockglue.c:1019 udpv6_setsockopt+0x85/0x90 net/ipv6/udp.c:1649 sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3489 __sys_setsockopt+0x209/0x2a0 net/socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [inline] __se_sys_setsockopt net/socket.c:2188 [inline] __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff8881386f7aa8 of 8 bytes by task 26911 on cpu 1: inet6_recvmsg+0x7a/0x210 net/ipv6/af_inet6.c:659 ____sys_recvmsg+0x16c/0x320 ___sys_recvmsg net/socket.c:2674 [inline] do_recvmmsg+0x3f5/0xae0 net/socket.c:2768 __sys_recvmmsg net/socket.c:2847 [inline] __do_sys_recvmmsg net/socket.c:2870 [inline] __se_sys_recvmmsg net/socket.c:2863 [inline] __x64_sys_recvmmsg+0xde/0x160 net/socket.c:2863 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0xffffffff85e0e980 -> 0xffffffff85e01580 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 26911 Comm: syz-executor.3 Not tainted 5.17.0-rc2-syzkaller-00316-g0457e5153e0e-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kazunori Kobayashi <kazunori.kobayashi@miraclelinux.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Sven Eckelmann
|
692858d9ed |
batman-adv: Don't accept TT entries for out-of-spec VIDs
commit 537a350d14321c8cca5efbf0a33a404fec3a9f9e upstream.
The internal handling of VLAN IDs in batman-adv is only specified for
following encodings:
* VLAN is used
- bit 15 is 1
- bit 11 - bit 0 is the VLAN ID (0-4095)
- remaining bits are 0
* No VLAN is used
- bit 15 is 0
- remaining bits are 0
batman-adv was only preparing new translation table entries (based on its
soft interface information) using this encoding format. But the receive
path was never checking if entries in the roam or TT TVLVs were also
following this encoding.
It was therefore possible to create more than the expected maximum of 4096
+ 1 entries in the originator VLAN list. Simply by setting the "remaining
bits" to "random" values in corresponding TVLV.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Oleksij Rempel
|
f6c839e717 |
net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new
commit d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb upstream.
This patch enhances error handling in scenarios with RTS (Request to
Send) messages arriving closely. It replaces the less informative WARN_ON_ONCE
backtraces with a new error handling method. This provides clearer error
messages and allows for the early termination of problematic sessions.
Previously, sessions were only released at the end of j1939_xtp_rx_rts().
Potentially this could be reproduced with something like:
testj1939 -r vcan0:0x80 &
while true; do
# send first RTS
cansend vcan0 18EC8090#1014000303002301;
# send second RTS
cansend vcan0 18EC8090#1014000303002301;
# send abort
cansend vcan0 18EC8090#ff00000000002301;
done
Fixes:
|
||
|
Oleksij Rempel
|
3f177e46c9 |
net: can: j1939: recover socket queue on CAN bus error during BAM transmission
commit 9ad1da14ab3bf23087ae45fe399d84a109ddb81a upstream.
Addresses an issue where a CAN bus error during a BAM transmission
could stall the socket queue, preventing further transmissions even
after the bus error is resolved. The fix activates the next queued
session after the error recovery, allowing communication to continue.
Fixes:
|
||
|
Shigeru Yoshida
|
a2a0ebff7f |
net: can: j1939: Initialize unused data in j1939_send_one()
commit b7cdf1dd5d2a2d8200efd98d1893684db48fe134 upstream.
syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()
creates full frame including unused data, but it doesn't initialize
it. This causes the kernel-infoleak issue. Fix this by initializing
unused data.
[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
copy_to_iter include/linux/uio.h:196 [inline]
memcpy_to_msg include/linux/skbuff.h:4113 [inline]
raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x2c4/0x340 net/socket.c:1068
____sys_recvmsg+0x18a/0x620 net/socket.c:2803
___sys_recvmsg+0x223/0x840 net/socket.c:2845
do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939
__sys_recvmmsg net/socket.c:3018 [inline]
__do_sys_recvmmsg net/socket.c:3041 [inline]
__se_sys_recvmmsg net/socket.c:3034 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034
x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1313 [inline]
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
sock_alloc_send_skb include/net/sock.h:1842 [inline]
j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]
j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]
j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
____sys_sendmsg+0x877/0xb60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Bytes 12-15 of 16 are uninitialized
Memory access of size 16 starts at ffff888120969690
Data copied to user address 00000000200017c0
CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Fixes:
|
||
Dawei Li
|
9dadab0db7 |
net/iucv: Avoid explicit cpumask var allocation on stack
[ Upstream commit be4e1304419c99a164b4c0e101c7c2a756b635b9 ] For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it. Signed-off-by: Dawei Li <dawei.li@shingroup.cn> Reviewed-by: Alexandra Winter <wintera@linux.ibm.com> Link: https://lore.kernel.org/r/20240331053441.1276826-2-dawei.li@shingroup.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Anton Protopopov
|
3d6432f20f |
bpf: Add a check for struct bpf_fib_lookup size
[ Upstream commit 59b418c7063d30e0a3e1f592d47df096db83185c ] The struct bpf_fib_lookup should not grow outside of its 64 bytes. Add a static assert to validate this. Suggested-by: David Ahern <dsahern@kernel.org> Signed-off-by: Anton Protopopov <aspsk@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20240326101742.17421-4-aspsk@isovalent.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Pablo Neira Ayuso
|
5d43d789b5 |
netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
[ Upstream commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c ]
register store validation for NFT_DATA_VALUE is conditional, however,
the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
only requires a new helper function to infer the register type from the
set datatype so this conditional check can be removed. Otherwise,
pointer to chain object can be leaked through the registers.
Fixes:
|
||
Daniil Dulov
|
1095b8efbb |
xdp: Remove WARN() from __xdp_reg_mem_model()
[ Upstream commit 7e9f79428372c6eab92271390851be34ab26bfb4 ]
syzkaller reports a warning in __xdp_reg_mem_model().
The warning occurs only if __mem_id_init_hash_table() returns an error. It
returns the error in two cases:
1. memory allocation fails;
2. rhashtable_init() fails when some fields of rhashtable_params
struct are not initialized properly.
The second case cannot happen since there is a static const rhashtable_params
struct with valid fields. So, warning is only triggered when there is a
problem with memory allocation.
Thus, there is no sense in using WARN() to handle this error and it can be
safely removed.
WARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299
CPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299
Call Trace:
xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344
xdp_test_run_setup net/bpf/test_run.c:188 [inline]
bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377
bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267
bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240
__sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Found by Linux Verification Center (linuxtesting.org) with syzkaller.
Fixes:
|
||
Toke Høiland-Jørgensen
|
5a3035306a |
xdp: Allow registering memory model without rxq reference
[ Upstream commit 4a48ef70b93b8c7ed5190adfca18849e76387b80 ] The functions that register an XDP memory model take a struct xdp_rxq as parameter, but the RXQ is not actually used for anything other than pulling out the struct xdp_mem_info that it embeds. So refactor the register functions and export variants that just take a pointer to the xdp_mem_info. This is in preparation for enabling XDP_REDIRECT in bpf_prog_run(), using a page_pool instance that is not connected to any network device. Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20220103150812.87914-2-toke@redhat.com Stable-dep-of: 7e9f79428372 ("xdp: Remove WARN() from __xdp_reg_mem_model()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Jakub Kicinski
|
f4aa8268d7 |
xdp: Move the rxq_info.mem clearing to unreg_mem_model()
[ Upstream commit a78cae2476812cecaa4a33d0086bbb53986906bc ] xdp_rxq_info_unreg() implicitly calls xdp_rxq_info_unreg_mem_model(). This may well be confusing to the driver authors, and lead to double free if they call xdp_rxq_info_unreg_mem_model() before xdp_rxq_info_unreg() (when mem model type == MEM_TYPE_PAGE_POOL). In fact error path of mvpp2_rxq_init() seems to currently do exactly that. The double free will result in refcount underflow in page_pool_destroy(). Make the interface a little more programmer friendly by clearing type and id so that xdp_rxq_info_unreg_mem_model() can be called multiple times. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20210625221612.2637086-1-kuba@kernel.org Stable-dep-of: 7e9f79428372 ("xdp: Remove WARN() from __xdp_reg_mem_model()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Chuck Lever
|
be20af2458 |
SUNRPC: Fix a NULL pointer deref in trace_svc_stats_latency()
[ Upstream commit 5c11720767f70d34357d00a15ba5a0ad052c40fe ]
Some paths through svc_process() leave rqst->rq_procinfo set to
NULL, which triggers a crash if tracing happens to be enabled.
Fixes: 89ff87494c6e ("SUNRPC: Display RPC procedure names instead of proc numbers")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Yunjian Wang
|
3de81c1e84 |
SUNRPC: Fix null pointer dereference in svc_rqst_free()
[ Upstream commit b9f83ffaa0c096b4c832a43964fe6bff3acffe10 ]
When alloc_pages_node() returns null in svc_rqst_alloc(), the
null rq_scratch_page pointer will be dereferenced when calling
put_page() in svc_rqst_free(). Fix it by adding a null check.
Addresses-Coverity: ("Dereference after null check")
Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side")
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Pablo Neira Ayuso
|
310dee7235 |
netfilter: nf_tables: validate family when identifying table via handle
[ Upstream commit f6e1532a2697b81da00bfb184e99d15e01e9d98c ]
Validate table family when looking up for it via NFTA_TABLE_HANDLE.
Fixes:
|
||
Jozsef Kadlecsik
|
72d9611968 |
netfilter: ipset: Fix suspicious rcu_dereference_protected()
[ Upstream commit 8ecd06277a7664f4ef018abae3abd3451d64e7a6 ]
When destroying all sets, we are either in pernet exit phase or
are executing a "destroy all sets command" from userspace. The latter
was taken into account in ip_set_dereference() (nfnetlink mutex is held),
but the former was not. The patch adds the required check to
rcu_dereference_protected() in ip_set_dereference().
Fixes: 4e7aaa6b82d6 ("netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type")
Reported-by: syzbot+b62c37cdd58103293a5a@syzkaller.appspotmail.com
Reported-by: syzbot+cfbe1da5fdfc39efc293@syzkaller.appspotmail.com
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202406141556.e0b6f17e-lkp@intel.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Xin Long
|
03f625505e |
sched: act_ct: add netns into the key of tcf_ct_flow_table
[ Upstream commit 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a ]
zones_ht is a global hashtable for flow_table with zone as key. However,
it does not consider netns when getting a flow_table from zones_ht in
tcf_ct_init(), and it means an act_ct action in netns A may get a
flow_table that belongs to netns B if it has the same zone value.
In Shuang's test with the TOPO:
tcf2_c <---> tcf2_sw1 <---> tcf2_sw2 <---> tcf2_s
tcf2_sw1 and tcf2_sw2 saw the same flow and used the same flow table,
which caused their ct entries entering unexpected states and the
TCP connection not able to end normally.
This patch fixes the issue simply by adding netns into the key of
tcf_ct_flow_table so that an act_ct action gets a flow_table that
belongs to its own netns in tcf_ct_init().
Note that for easy coding we don't use tcf_ct_flow_table.nf_ft.net,
as the ct_ft is initialized after inserting it to the hashtable in
tcf_ct_flow_table_get() and also it requires to implement several
functions in rhashtable_params including hashfn, obj_hashfn and
obj_cmpfn.
Fixes:
|
||
Vlad Buslov
|
b4899d75b8 |
net/sched: act_ct: set 'net' pointer when creating new nf_flow_table
[ Upstream commit fc54d9065f90dd25063883f404e6ff9a76913e73 ]
Following patches in series use the pointer to access flow table offload
debug variables.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 88c67aeb1407 ("sched: act_ct: add netns into the key of tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Xin Long
|
3eb1b39627 |
tipc: force a dst refcount before doing decryption
[ Upstream commit 2ebe8f840c7450ecbfca9d18ac92e9ce9155e269 ] As it says in commit |
||
David Ruth
|
c6a7da65a2 |
net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()
[ Upstream commit d864319871b05fadd153e0aede4811ca7008f5d6 ]
syzbot found hanging tasks waiting on rtnl_lock [1]
A reproducer is available in the syzbot bug.
When a request to add multiple actions with the same index is sent, the
second request will block forever on the first request. This holds
rtnl_lock, and causes tasks to hang.
Return -EAGAIN to prevent infinite looping, while keeping documented
behavior.
[1]
INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
Workqueue: events_power_efficient reg_check_chans_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0xf15/0x5d00 kernel/sched/core.c:6746
__schedule_loop kernel/sched/core.c:6823 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6838
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
wiphy_lock include/net/cfg80211.h:5953 [inline]
reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
Fixes:
|
||
Pedro Tammela
|
66c7aa157a |
net/sched: act_api: rely on rcu in tcf_idr_check_alloc
[ Upstream commit 4b55e86736d5b492cf689125da2600f59c7d2c39 ]
Instead of relying only on the idrinfo->lock mutex for
bind/alloc logic, rely on a combination of rcu + mutex + atomics
to better scale the case where multiple rtnl-less filters are
binding to the same action object.
Action binding happens when an action index is specified explicitly and
an action exists which such index exists. Example:
tc actions add action drop index 1
tc filter add ... matchall action drop index 1
tc filter add ... matchall action drop index 1
tc filter add ... matchall action drop index 1
tc filter ls ...
filter protocol all pref 49150 matchall chain 0 filter protocol all pref 49150 matchall chain 0 handle 0x1
not_in_hw
action order 1: gact action drop
random type none pass val 0
index 1 ref 4 bind 3
filter protocol all pref 49151 matchall chain 0 filter protocol all pref 49151 matchall chain 0 handle 0x1
not_in_hw
action order 1: gact action drop
random type none pass val 0
index 1 ref 4 bind 3
filter protocol all pref 49152 matchall chain 0 filter protocol all pref 49152 matchall chain 0 handle 0x1
not_in_hw
action order 1: gact action drop
random type none pass val 0
index 1 ref 4 bind 3
When no index is specified, as before, grab the mutex and allocate
in the idr the next available id. In this version, as opposed to before,
it's simplified to store the -EBUSY pointer instead of the previous
alloc + replace combination.
When an index is specified, rely on rcu to find if there's an object in
such index. If there's none, fallback to the above, serializing on the
mutex and reserving the specified id. If there's one, it can be an -EBUSY
pointer, in which case we just try again until it's an action, or an action.
Given the rcu guarantees, the action found could be dead and therefore
we need to bump the refcount if it's not 0, handling the case it's
in fact 0.
As bind and the action refcount are already atomics, these increments can
happen without the mutex protection while many tcf_idr_check_alloc race
to bind to the same action instance.
In case binding encounters a parallel delete or add, it will return
-EAGAIN in order to try again. Both filter and action apis already
have the retry machinery in-place. In case it's an unlocked filter it
retries under the rtnl lock.
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
Link: https://lore.kernel.org/r/20231211181807.96028-2-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: d864319871b0 ("net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Yue Haibing
|
2b82028a1f |
netns: Make get_net_ns() handle zero refcount net
[ Upstream commit ff960f9d3edbe08a736b5a224d91a305ccc946b0 ]
Syzkaller hit a warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? show_regs+0xa3/0xc0
? __warn+0xa5/0x1c0
? refcount_warn_saturate+0xdf/0x1d0
? report_bug+0x1fc/0x2d0
? refcount_warn_saturate+0xdf/0x1d0
? handle_bug+0xa1/0x110
? exc_invalid_op+0x3c/0xb0
? asm_exc_invalid_op+0x1f/0x30
? __warn_printk+0xcc/0x140
? __warn_printk+0xd5/0x140
? refcount_warn_saturate+0xdf/0x1d0
get_net_ns+0xa4/0xc0
? __pfx_get_net_ns+0x10/0x10
open_related_ns+0x5a/0x130
__tun_chr_ioctl+0x1616/0x2370
? __sanitizer_cov_trace_switch+0x58/0xa0
? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
? __pfx_tun_chr_ioctl+0x10/0x10
tun_chr_ioctl+0x2f/0x40
__x64_sys_ioctl+0x11b/0x160
x64_sys_call+0x1211/0x20d0
do_syscall_64+0x9e/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b28f165d7
Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
This is trigger as below:
ns0 ns1
tun_set_iff() //dev is tun0
tun->dev = dev
//ip link set tun0 netns ns1
put_net() //ref is 0
__tun_chr_ioctl() //TUNGETDEVNETNS
net = dev_net(tun->dev);
open_related_ns(&net->ns, get_net_ns); //ns1
get_net_ns()
get_net() //addition on 0
Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
Fixes:
|
||
|
Eric Dumazet
|
20427b8578 |
xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
[ Upstream commit d46401052c2d5614da8efea5788532f0401cb164 ]
ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.
syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
RSP: 0018:ffffc90000117378 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Fixes:
|
||
|
Eric Dumazet
|
1ed9849fdf |
ipv6: prevent possible NULL dereference in rt6_probe()
[ Upstream commit b86762dbe19a62e785c189f313cda5b989931f37 ]
syzbot caught a NULL dereference in rt6_probe() [1]
Bail out if __in6_dev_get() returns NULL.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
RSP: 0018:ffffc900034af070 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
__find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
find_rr_leaf net/ipv6/route.c:853 [inline]
rt6_select net/ipv6/route.c:897 [inline]
fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
pol_lookup_func include/net/ip6_fib.h:616 [inline]
fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x6b6/0x1140 fs/read_write.c:590
ksys_write+0x1f8/0x260 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes:
|
||
|
Eric Dumazet
|
de5ad4d45c |
ipv6: prevent possible NULL deref in fib6_nh_init()
[ Upstream commit 2eab4543a2204092c3a7af81d7d6c506e59a03a6 ]
syzbot reminds us that in6_dev_get() can return NULL.
fib6_nh_init()
ip6_validate_gw( &idev )
ip6_route_check_nh( idev )
*idev = in6_dev_get(dev); // can be NULL
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606
Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b
RSP: 0018:ffffc900032775a0 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8
RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000
R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8
R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000
FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809
ip6_route_add+0x28/0x160 net/ipv6/route.c:3853
ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483
inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f940f07cea9
Fixes:
|
||
Gavrilov Ilia
|
5391f9db2c |
netrom: Fix a memory leak in nr_heartbeat_expiry()
[ Upstream commit 0b9130247f3b6a1122478471ff0e014ea96bb735 ]
syzbot reported a memory leak in nr_create() [0].
Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.
But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."
nr_connect
nr_establish_data_link
nr_start_heartbeat
nr_release
switch (nr->state)
case NR_STATE_3
nr->state = NR_STATE_2
sock_set_flag(sk, SOCK_DESTROY);
nr_rx_frame
nr_process_rx_frame
switch (nr->state)
case NR_STATE_2
nr_state2_machine()
nr_disconnect()
nr_sk(sk)->state = NR_STATE_0
sock_set_flag(sk, SOCK_DEAD)
nr_heartbeat_expiry
switch (nr->state)
case NR_STATE_0
if (sock_flag(sk, SOCK_DESTROY) ||
(sk->sk_state == TCP_LISTEN
&& sock_flag(sk, SOCK_DEAD)))
sock_hold() // ( !!! )
nr_destroy_socket()
To fix the memory leak, let's call sock_hold() only for a listening socket.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.
[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
Reported-by: syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Ondrej Mosnacek
|
1aabe0f850 |
cipso: fix total option length computation
[ Upstream commit 9f36169912331fa035d7b73a91252d7c2512eb1a ]
As evident from the definition of ip_options_get(), the IP option
IPOPT_END is used to pad the IP option data array, not IPOPT_NOP. Yet
the loop that walks the IP options to determine the total IP options
length in cipso_v4_delopt() doesn't take IPOPT_END into account.
Fix it by recognizing the IPOPT_END value as the end of actual options.
Fixes:
|
||
Breno Leitao
|
43c0ca793a |
netpoll: Fix race condition in netpoll_owner_active
[ Upstream commit c2e6a872bde9912f1a7579639c5ca3adf1003916 ] KCSAN detected a race condition in netpoll: BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10: net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822) <snip> read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2: netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393) netpoll_send_udp (net/core/netpoll.c:?) <snip> value changed: 0x0000000a -> 0xffffffff This happens because netpoll_owner_active() needs to check if the current CPU is the owner of the lock, touching napi->poll_owner non atomically. The ->poll_owner field contains the current CPU holding the lock. Use an atomic read to check if the poll owner is the current CPU. Signed-off-by: Breno Leitao <leitao@debian.org> Link: https://lore.kernel.org/r/20240429100437.3487432-1-leitao@debian.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Wander Lairson Costa
|
96941f29eb |
drop_monitor: replace spin_lock by raw_spin_lock
[ Upstream commit f1e197a665c2148ebc25fe09c53689e60afea195 ] trace_drop_common() is called with preemption disabled, and it acquires a spin_lock. This is problematic for RT kernels because spin_locks are sleeping locks in this configuration, which causes the following splat: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47 preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 5 locks held by rcuc/47/449: #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210 #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130 #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210 #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70 #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290 irq event stamp: 139909 hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80 hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290 softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170 softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0 Preemption disabled at: [<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0 CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7 Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022 Call Trace: <TASK> dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 __might_resched+0x21e/0x2f0 rt_spin_lock+0x5e/0x130 ? trace_drop_common.constprop.0+0xb5/0x290 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_drop_common.constprop.0+0xb5/0x290 ? preempt_count_sub+0x1c/0xd0 ? _raw_spin_unlock_irqrestore+0x4a/0x80 ? __pfx_trace_drop_common.constprop.0+0x10/0x10 ? rt_mutex_slowunlock+0x26a/0x2e0 ? skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_rt_mutex_slowunlock+0x10/0x10 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_kfree_skb_hit+0x15/0x20 trace_kfree_skb+0xe9/0x150 kfree_skb_reason+0x7b/0x110 skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10 ? mark_lock.part.0+0x8a/0x520 ... trace_drop_common() also disables interrupts, but this is a minor issue because we could easily replace it with a local_lock. Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic context. Signed-off-by: Wander Lairson Costa <wander@redhat.com> Reported-by: Hu Chunyu <chuhu@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
a720d71dd4 |
af_packet: avoid a false positive warning in packet_setsockopt()
[ Upstream commit 86d43e2bf93ccac88ef71cee36a23282ebd9e427 ] Although the code is correct, the following line copy_from_sockptr(&req_u.req, optval, len)); triggers this warning : memcpy: detected field-spanning write (size 28) of single field "dst" at include/linux/sockptr.h:49 (size 16) Refactor the code to be more explicit. Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
82cdea8f3a |
batman-adv: bypass empty buckets in batadv_purge_orig_ref()
[ Upstream commit 40dc8ab605894acae1473e434944924a22cfaaa0 ] Many syzbot reports are pointing to soft lockups in batadv_purge_orig_ref() [1] Root cause is unknown, but we can avoid spending too much time there and perhaps get more interesting reports. [1] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621] Modules linked in: irq event stamp: 6182794 hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline] softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline] softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271 CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_purge_orig pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline] pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388 lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 sp : ffff800099007970 x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000 x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001 x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4 x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0 x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001 x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003 x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000 Call trace: __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline] __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51 lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103 sp : ffff800093a17d30 x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4 x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002 x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000 x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396 x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001 x14: 1fffe00036805f10 x13: 0000000000000000 x12: 0000000000000003 x11: 0000000000000001 x10: 0000000000000003 x9 : 0000000000000000 x8 : 00000000000ce8d1 x7 : ffff8000804609e4 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008ad6aac0 x2 : 0000000000000000 x1 : ffff80008aedea60 x0 : ffff800125436000 Call trace: __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:49 cpuidle_idle_call kernel/sched/idle.c:170 [inline] do_idle+0x1f0/0x4e8 kernel/sched/idle.c:312 cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:410 secondary_start_kernel+0x198/0x1c0 arch/arm64/kernel/smp.c:272 __secondary_switched+0xb8/0xbc arch/arm64/kernel/head.S:404 Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
YonglongLi
|
990d071010 |
mptcp: pm: update add_addr counters after connect
commit 40eec1795cc27b076d49236649a29507c7ed8c2d upstream.
The creation of new subflows can fail for different reasons. If no
subflow have been created using the received ADD_ADDR, the related
counters should not be updated, otherwise they will never be decremented
for events related to this ID later on.
For the moment, the number of accepted ADD_ADDR is only decremented upon
the reception of a related RM_ADDR, and only if the remote address ID is
currently being used by at least one subflow. In other words, if no
subflow can be created with the received address, the counter will not
be decremented. In this case, it is then important not to increment
pm.add_addr_accepted counter, and not to modify pm.accept_addr bit.
Note that this patch does not modify the behaviour in case of failures
later on, e.g. if the MP Join is dropped or rejected.
The "remove invalid addresses" MP Join subtest has been modified to
validate this case. The broadcast IP address is added before the "valid"
address that will be used to successfully create a subflow, and the
limit is decreased by one: without this patch, it was not possible to
create the last subflow, because:
- the broadcast address would have been accepted even if it was not
usable: the creation of a subflow to this address results in an error,
- the limit of 2 accepted ADD_ADDR would have then been reached.
Fixes:
|
||
|
YonglongLi
|
5a4efafcf8 |
mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID
commit 6a09788c1a66e3d8b04b3b3e7618cc817bb60ae9 upstream.
The RmAddr MIB counter is supposed to be incremented once when a valid
RM_ADDR has been received. Before this patch, it could have been
incremented as many times as the number of subflows connected to the
linked address ID, so it could have been 0, 1 or more than 1.
The "RmSubflow" is incremented after a local operation. In this case,
it is normal to tied it with the number of subflows that have been
actually removed.
The "remove invalid addresses" MP Join subtest has been modified to
validate this case. A broadcast IP address is now used instead: the
client will not be able to create a subflow to this address. The
consequence is that when receiving the RM_ADDR with the ID attached to
this broadcast IP address, no subflow linked to this ID will be found.
Fixes:
|
||
Paolo Abeni
|
208cd22ef5 |
mptcp: ensure snd_una is properly initialized on connect
commit 8031b58c3a9b1db3ef68b3bd749fbee2e1e1aaa3 upstream.
This is strictly related to commit fb7a0d334894 ("mptcp: ensure snd_nxt
is properly initialized on connect"). It turns out that syzkaller can
trigger the retransmit after fallback and before processing any other
incoming packet - so that snd_una is still left uninitialized.
Address the issue explicitly initializing snd_una together with snd_nxt
and write_seq.
Suggested-by: Mat Martineau <martineau@kernel.org>
Fixes:
|
||
Petr Pavlu
|
b278f9b458 |
net/ipv6: Fix the RT cache flush via sysctl using a previous delay
[ Upstream commit 14a20e5b4ad998793c5f43b0330d9e1388446cf3 ]
The net.ipv6.route.flush system parameter takes a value which specifies
a delay used during the flush operation for aging exception routes. The
written value is however not used in the currently requested flush and
instead utilized only in the next one.
A problem is that ipv6_sysctl_rtcache_flush() first reads the old value
of net->ipv6.sysctl.flush_delay into a local delay variable and then
calls proc_dointvec() which actually updates the sysctl based on the
provided input.
Fix the problem by switching the order of the two operations.
Fixes:
|
||
|
Jozsef Kadlecsik
|
93b53c202b |
netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
[ Upstream commit 4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10 ] Lion Ackermann reported that there is a race condition between namespace cleanup in ipset and the garbage collection of the list:set type. The namespace cleanup can destroy the list:set type of sets while the gc of the set type is waiting to run in rcu cleanup. The latter uses data from the destroyed set which thus leads use after free. The patch contains the following parts: - When destroying all sets, first remove the garbage collectors, then wait if needed and then destroy the sets. - Fix the badly ordered "wait then remove gc" for the destroy a single set case. - Fix the missing rcu locking in the list:set type in the userspace test case. - Use proper RCU list handlings in the list:set type. The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc). Fixes: 97f7cf1cd80e (netfilter: ipset: fix performance regression in swap operation) Reported-by: Lion Ackermann <nnamrec@gmail.com> Tested-by: Lion Ackermann <nnamrec@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Luiz Augusto von Dentz
|
ea1a98c9a3 |
Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
[ Upstream commit 806a5198c05987b748b50f3d0c0cfb3d417381a4 ] This removes the bogus check for max > hcon->le_conn_max_interval since the later is just the initial maximum conn interval not the maximum the stack could support which is really 3200=4000ms. In order to pass GAP/CONN/CPUP/BV-05-C one shall probably enter values of the following fields in IXIT that would cause hci_check_conn_params to fail: TSPX_conn_update_int_min TSPX_conn_update_int_max TSPX_conn_update_peripheral_latency TSPX_conn_update_supervision_timeout Link: https://github.com/bluez/bluez/issues/847 Fixes: e4b019515f95 ("Bluetooth: Enforce validation on max value of connection interval") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
330c8661c9 |
tcp: fix race in tcp_v6_syn_recv_sock()
[ Upstream commit d37fe4255abe8e7b419b90c5847e8ec2b8debb08 ]
tcp_v6_syn_recv_sock() calls ip6_dst_store() before
inet_sk(newsk)->pinet6 has been set up.
This means ip6_dst_store() writes over the parent (listener)
np->dst_cookie.
This is racy because multiple threads could share the same
parent and their final np->dst_cookie could be wrong.
Move ip6_dst_store() call after inet_sk(newsk)->pinet6
has been changed and after the copy of parent ipv6_pinfo.
Fixes:
|
||
Chen Hanxiao
|
66c79c5acc |
SUNRPC: return proper error from gss_wrap_req_priv
[ Upstream commit 33c94d7e3cb84f6d130678d6d59ba475a6c489cf ]
don't return 0 if snd_buf->len really greater than snd_buf->buflen
Signed-off-by: Chen Hanxiao <chenhx.fnst@fujitsu.com>
Fixes:
|
||
|
Eric Dumazet
|
c693698787 |
ipv6: fix possible race in __fib6_drop_pcpu_from()
[ Upstream commit b01e1c030770ff3b4fe37fc7cc6bca03f594133f ]
syzbot found a race in __fib6_drop_pcpu_from() [1]
If compiler reads more than once (*ppcpu_rt),
second read could read NULL, if another cpu clears
the value in rt6_get_pcpu_route().
Add a READ_ONCE() to prevent this race.
Also add rcu_read_lock()/rcu_read_unlock() because
we rely on RCU protection while dereferencing pcpu_rt.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: netns cleanup_net
RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984
Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48
RSP: 0018:ffffc900040df070 EFLAGS: 00010206
RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16
RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8
R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]
fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]
fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038
fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]
fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043
fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205
fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127
fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175
fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255
__fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271
rt6_sync_down_dev net/ipv6/route.c:4906 [inline]
rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911
addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855
addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778
notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
dev_close_many+0x333/0x6a0 net/core/dev.c:1585
unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193
unregister_netdevice_many net/core/dev.c:11276 [inline]
default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759
ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Fixes:
|
||
|
Kuniyuki Iwashima
|
74c97c8003 |
af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
[ Upstream commit efaf24e30ec39ebbea9112227485805a48b0ceb1 ]
While dumping sockets via UNIX_DIAG, we do not hold unix_state_lock().
Let's use READ_ONCE() to read sk->sk_shutdown.
Fixes:
|
||
|
Kuniyuki Iwashima
|
35a69f9e5d |
af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
[ Upstream commit 5d915e584d8408211d4567c22685aae8820bfc55 ]
We can dump the socket queue length via UNIX_DIAG by specifying
UDIAG_SHOW_RQLEN.
If sk->sk_state is TCP_LISTEN, we return the recv queue length,
but here we do not hold recvq lock.
Let's use skb_queue_len_lockless() in sk_diag_show_rqlen().
Fixes:
|
||
|
Kuniyuki Iwashima
|
a64e4b8f9b |
af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
[ Upstream commit 45d872f0e65593176d880ec148f41ad7c02e40a7 ]
Once sk->sk_state is changed to TCP_LISTEN, it never changes.
unix_accept() takes advantage of this characteristics; it does not
hold the listener's unix_state_lock() and only acquires recvq lock
to pop one skb.
It means unix_state_lock() does not prevent the queue length from
changing in unix_stream_connect().
Thus, we need to use unix_recvq_full_lockless() to avoid data-race.
Now we remove unix_recvq_full() as no one uses it.
Note that we can remove READ_ONCE() for sk->sk_max_ack_backlog in
unix_recvq_full_lockless() because of the following reasons:
(1) For SOCK_DGRAM, it is a written-once field in unix_create1()
(2) For SOCK_STREAM and SOCK_SEQPACKET, it is changed under the
listener's unix_state_lock() in unix_listen(), and we hold
the lock in unix_stream_connect()
Fixes:
|
||
|
Kuniyuki Iwashima
|
f70ef84b82 |
af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
[ Upstream commit bd9f2d05731f6a112d0c7391a0d537bfc588dbe6 ]
net->unx.sysctl_max_dgram_qlen is exposed as a sysctl knob and can be
changed concurrently.
Let's use READ_ONCE() in unix_create1().
Fixes:
|
||
|
Kuniyuki Iwashima
|
44a2437c60 |
af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
[ Upstream commit 0aa3be7b3e1f8f997312cc4705f8165e02806f8f ] While dumping AF_UNIX sockets via UNIX_DIAG, sk->sk_state is read locklessly. Let's use READ_ONCE() there. Note that the result could be inconsistent if the socket is dumped during the state change. This is common for other SOCK_DIAG and similar interfaces. Fixes: |
||
|
Kuniyuki Iwashima
|
b5a6507c61 |
af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
[ Upstream commit 8a34d4e8d9742a24f74998f45a6a98edd923319b ] The following functions read sk->sk_state locklessly and proceed only if the state is TCP_ESTABLISHED. * unix_stream_sendmsg * unix_stream_read_generic * unix_seqpacket_sendmsg * unix_seqpacket_recvmsg Let's use READ_ONCE() there. Fixes: |
||
|
Kuniyuki Iwashima
|
cc5d123ce4 |
af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
[ Upstream commit eb0718fb3e97ad0d6f4529b810103451c90adf94 ] unix_poll() and unix_dgram_poll() read sk->sk_state locklessly and calls unix_writable() which also reads sk->sk_state without holding unix_state_lock(). Let's use READ_ONCE() in unix_poll() and unix_dgram_poll() and pass it to unix_writable(). While at it, we remove TCP_SYN_SENT check in unix_dgram_poll() as that state does not exist for AF_UNIX socket since the code was added. Fixes: |
||
|
Kuniyuki Iwashima
|
d2c53bedeb |
af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
[ Upstream commit 3a0f38eb285c8c2eead4b3230c7ac2983707599d ]
ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first
and returns -EINVAL if it's TCP_LISTEN.
Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of
bytes in recvq.
However, unix_inq_len() does not hold unix_state_lock(), and the
concurrent listen() might change the state after checking sk->sk_state.
If the race occurs, 0 is returned for the listener, instead of -EINVAL,
because the length of skb with embryo is 0.
We could hold unix_state_lock() in unix_inq_len(), but it's overkill
given the result is true for pre-listen() TCP_CLOSE state.
So, let's use READ_ONCE() for sk->sk_state in unix_inq_len().
Fixes:
|
||
|
Eric Dumazet
|
6db4af0998 |
net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
[ Upstream commit f921a58ae20852d188f70842431ce6519c4fdc36 ]
If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,
taprio_parse_mqprio_opt() must validate it, or userspace
can inject arbitrary data to the kernel, the second time
taprio_change() is called.
First call (with valid attributes) sets dev->num_tc
to a non zero value.
Second call (with arbitrary mqprio attributes)
returns early from taprio_parse_mqprio_opt()
and bad things can happen.
Fixes:
|
||
Jason Xing
|
d8c79ae03e |
tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
[ Upstream commit a46d0ea5c94205f40ecf912d1bb7806a8a64704f ]
According to RFC 1213, we should also take CLOSE-WAIT sockets into
consideration:
"tcpCurrEstab OBJECT-TYPE
...
The number of TCP connections for which the current state
is either ESTABLISHED or CLOSE- WAIT."
After this, CurrEstab counter will display the total number of
ESTABLISHED and CLOSE-WAIT sockets.
The logic of counting
When we increment the counter?
a) if we change the state to ESTABLISHED.
b) if we change the state from SYN-RECEIVED to CLOSE-WAIT.
When we decrement the counter?
a) if the socket leaves ESTABLISHED and will never go into CLOSE-WAIT,
say, on the client side, changing from ESTABLISHED to FIN-WAIT-1.
b) if the socket leaves CLOSE-WAIT, say, on the server side, changing
from CLOSE-WAIT to LAST-ACK.
Please note: there are two chances that old state of socket can be changed
to CLOSE-WAIT in tcp_fin(). One is SYN-RECV, the other is ESTABLISHED.
So we have to take care of the former case.
Fixes:
|
||
Hangyu Hua
|
52b1aa07cd |
net: sched: sch_multiq: fix possible OOB write in multiq_tune()
[ Upstream commit affc18fdc694190ca7575b9a86632a73b9fe043d ]
q->bands will be assigned to qopt->bands to execute subsequent code logic
after kmalloc. So the old q->bands should not be used in kmalloc.
Otherwise, an out-of-bounds write will occur.
Fixes:
|
||
|
Eric Dumazet
|
f9f69e3f69 |
ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
[ Upstream commit c0b98ac1cc104f48763cdb27b1e9ac25fd81fc90 ] As explained in commit |
||
DelphineCCChiu
|
3cbb2ba0a0 |
net/ncsi: Fix the multi thread manner of NCSI driver
[ Upstream commit e85e271dec0270982afed84f70dc37703fcc1d52 ]
Currently NCSI driver will send several NCSI commands back to back without
waiting the response of previous NCSI command or timeout in some state
when NIC have multi channel. This operation against the single thread
manner defined by NCSI SPEC(section 6.3.2.3 in DSP0222_1.1.1)
According to NCSI SPEC(section 6.2.13.1 in DSP0222_1.1.1), we should probe
one channel at a time by sending NCSI commands (Clear initial state, Get
version ID, Get capabilities...), than repeat this steps until the max
number of channels which we got from NCSI command (Get capabilities) has
been probed.
Fixes:
|
||
Peter Delevoryas
|
7329bc66b4 |
net/ncsi: Simplify Kconfig/dts control flow
[ Upstream commit c797ce168930ce3d62a9b7fc4d7040963ee6a01e ]
Background:
1. CONFIG_NCSI_OEM_CMD_KEEP_PHY
If this is enabled, we send an extra OEM Intel command in the probe
sequence immediately after discovering a channel (e.g. after "Clear
Initial State").
2. CONFIG_NCSI_OEM_CMD_GET_MAC
If this is enabled, we send one of 3 OEM "Get MAC Address" commands from
Broadcom, Mellanox (Nvidida), and Intel in the *configuration* sequence
for a channel.
3. mellanox,multi-host (or mlx,multi-host)
Introduced by this patch:
https://lore.kernel.org/all/20200108234341.2590674-1-vijaykhemka@fb.com/
Which was actually originally from cosmo.chou@quantatw.com:
|
||
Ivan Mikhaylov
|
f40cac4e70 |
net/ncsi: add NCSI Intel OEM command to keep PHY up
[ Upstream commit abd2fddc94a619b96bf41c60429d4c32bd118e17 ]
This allows to keep PHY link up and prevents any channel resets during
the host load.
It is KEEP_PHY_LINK_UP option(Veto bit) in i210 datasheet which
block PHY reset and power state changes.
Signed-off-by: Ivan Mikhaylov <i.mikhaylov@yadro.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: e85e271dec02 ("net/ncsi: Fix the multi thread manner of NCSI driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Lingbo Kong
|
7c9b9f822e |
wifi: mac80211: correctly parse Spatial Reuse Parameter Set element
[ Upstream commit a26d8dc5227f449a54518a8b40733a54c6600a8b ]
Currently, the way of parsing Spatial Reuse Parameter Set element is
incorrect and some members of struct ieee80211_he_obss_pd are not assigned.
To address this issue, it must be parsed in the order of the elements of
Spatial Reuse Parameter Set defined in the IEEE Std 802.11ax specification.
The diagram of the Spatial Reuse Parameter Set element (IEEE Std 802.11ax
-2021-9.4.2.252).
-------------------------------------------------------------------------
| | | | |Non-SRG| SRG | SRG | SRG | SRG |
|Element|Length| Element | SR |OBSS PD|OBSS PD|OBSS PD| BSS |Partial|
| ID | | ID |Control| Max | Min | Max |Color | BSSID |
| | |Extension| | Offset| Offset|Offset |Bitmap|Bitmap |
-------------------------------------------------------------------------
Fixes:
|
||
Lin Ma
|
8d5c7d7bfd |
wifi: cfg80211: pmsr: use correct nla_get_uX functions
[ Upstream commit ab904521f4de52fef4f179d2dfc1877645ef5f5c ] The commit |
||
Remi Pommarel
|
e7e916d693 |
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
[ Upstream commit 44c06bbde6443de206b30f513100b5670b23fc5e ]
The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
softirq context. However using only spin_lock() to get sta->ps_lock in
ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
take this same lock ending in deadlock. Below is an example of rcu stall
that arises in such situation.
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)
CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742
Hardware name: RPT (r1) (DT)
pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : queued_spin_lock_slowpath+0x58/0x2d0
lr : invoke_tx_handlers_early+0x5b4/0x5c0
sp : ffff00001ef64660
x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
Call trace:
queued_spin_lock_slowpath+0x58/0x2d0
ieee80211_tx+0x80/0x12c
ieee80211_tx_pending+0x110/0x278
tasklet_action_common.constprop.0+0x10c/0x144
tasklet_action+0x20/0x28
_stext+0x11c/0x284
____do_softirq+0xc/0x14
call_on_irq_stack+0x24/0x34
do_softirq_own_stack+0x18/0x20
do_softirq+0x74/0x7c
__local_bh_enable_ip+0xa0/0xa4
_ieee80211_wake_txqs+0x3b0/0x4b8
__ieee80211_wake_queue+0x12c/0x168
ieee80211_add_pending_skbs+0xec/0x138
ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
ieee80211_mps_sta_status_update+0x18/0x24
sta_apply_parameters+0x3bc/0x4c0
ieee80211_change_station+0x1b8/0x2dc
nl80211_set_station+0x444/0x49c
genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
genl_rcv_msg+0x1b0/0x244
netlink_rcv_skb+0x38/0x10c
genl_rcv+0x34/0x48
netlink_unicast+0x254/0x2bc
netlink_sendmsg+0x190/0x3b4
____sys_sendmsg+0x1e8/0x218
___sys_sendmsg+0x68/0x8c
__sys_sendmsg+0x44/0x84
__arm64_sys_sendmsg+0x20/0x28
do_el0_svc+0x6c/0xe8
el0_svc+0x14/0x48
el0t_64_sync_handler+0xb0/0xb4
el0t_64_sync+0x14c/0x150
Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
on the same CPU that is holding the lock.
Fixes:
|
||
Nicolas Escande
|
7518e20a18 |
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
[ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ]
The hwmp code use objects of type mesh_preq_queue, added to a list in
ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath
gets deleted, ex mesh interface is removed, the entries in that list will
never get cleaned. Fix this by flushing all corresponding items of the
preq_queue in mesh_path_flush_pending().
This should take care of KASAN reports like this:
unreferenced object 0xffff00000668d800 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s)
hex dump (first 32 bytes):
00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....
8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
unreferenced object 0xffff000009051f00 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s)
hex dump (first 32 bytes):
90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....
36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
Fixes:
|
||
Michal Luczaj
|
5029fcf980
|
UPSTREAM: af_unix: Fix garbage collector racing against connect()
[ Upstream commit 47d8ac011fe1c9251070e1bd64cb10b48193ec51 ]
Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children. Leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.
sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped
connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc()
---------------- ------------------------- -----------
NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
// V count=1 inflight=0
NS = unix_peer(S)
skb2 = sock_alloc()
skb_queue_tail(NS, skb2[V])
// V became in-flight
// V count=2 inflight=1
close(V)
// V count=1 inflight=1
// GC candidate condition met
for u in gc_inflight_list:
if (total_refs == inflight_refs)
add u to gc_candidates
// gc_candidates={L, V}
for u in gc_candidates:
scan_children(u, dec_inflight)
// embryo (skb1) was not
// reachable from L yet, so V's
// inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
for u in gc_candidates:
if (u.inflight)
scan_children(u, inc_inflight_move_tail)
// V count=1 inflight=2 (!)
If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.
Bug: 336226035
Fixes:
|
||
|
Kuniyuki Iwashima
|
ba0f0ddc61
|
UPSTREAM: af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
[ Upstream commit 97af84a6bba2ab2b9c704c08e67de3b5ea551bb2 ] When touching unix_sk(sk)->inflight, we are always under spin_lock(&unix_gc_lock). Let's convert unix_sk(sk)->inflight to the normal unsigned long. Bug: 336226035 Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: 47d8ac011fe1 ("af_unix: Fix garbage collector racing against connect()") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 301fdbaa0bba4653570f07789909939f977a7620) Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I0d965d5f2a863d798c06de9f21d0467f256b538e |
||
|
Greg Kroah-Hartman
|
b07354bd32 |
Merge tag 'android12-5.10.214_r00' into android12-5.10
This catches the android12-5.10 branch up to the 5.10.214 LTS release. Included in here are the following commits: * |
||
|
Michal Luczaj
|
0a36a75b28 |
UPSTREAM: af_unix: Fix garbage collector racing against connect()
[ Upstream commit 47d8ac011fe1c9251070e1bd64cb10b48193ec51 ]
Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children. Leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.
sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped
connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc()
---------------- ------------------------- -----------
NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
// V count=1 inflight=0
NS = unix_peer(S)
skb2 = sock_alloc()
skb_queue_tail(NS, skb2[V])
// V became in-flight
// V count=2 inflight=1
close(V)
// V count=1 inflight=1
// GC candidate condition met
for u in gc_inflight_list:
if (total_refs == inflight_refs)
add u to gc_candidates
// gc_candidates={L, V}
for u in gc_candidates:
scan_children(u, dec_inflight)
// embryo (skb1) was not
// reachable from L yet, so V's
// inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
for u in gc_candidates:
if (u.inflight)
scan_children(u, inc_inflight_move_tail)
// V count=1 inflight=2 (!)
If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.
Bug: 336226035
Fixes:
|
||
Michael Bestas
|
768f49ccbc
|
Merge tag 'ASB-2024-06-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
https://source.android.com/docs/security/bulletin/2024-06-01 CVE-2024-26926 * tag 'ASB-2024-06-05_12-5.10' of https://android.googlesource.com/kernel/common: ANDROID: GKI: Update symbols to symbol list ANDROID: ABI fixup for abi break in struct dst_ops BACKPORT: net: fix __dst_negative_advice() race ANDROID: Add __nocfi return for swsusp_arch_resume BACKPORT: arm64: mm: Make hibernation aware of KFENCE UPSTREAM: selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior ANDROID: kbuild: Search external devicetree path when running clean target ANDROID: kbuild: add support for compiling external device trees ANDROID: usb: gadget: ncm: Introduce vendor opts to deal with ABI breakage UPSTREAM: usb: gadget: ncm: Fix endianness of wMaxSegmentSize variable in ecm_desc UPSTREAM: usb: gadget: ncm: Add support to update wMaxSegmentSize via configfs ANDROID: usb: Optimize the problem of slow transfer rate in USB accessory mode ANDROID: ABI: Update honor symbol list ANDROID: add vendor hook in do_read_fault to tune fault_around_bytes FROMGIT: usb: dwc3: Wait unconditionally after issuing EndXfer command ANDROID: irq: put irq_resolve_mapping under protection of __irq_enter_raw ANDROID: abi_gki_aarch64_qcom: Add clk_restore_context and clk_save_context UPSTREAM: usb: gadget: ncm: Fix handling of zero block length packets UPSTREAM: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs Revert "hrtimer: Report offline hrtimer enqueue" Revert "scsi: core: Introduce enum scsi_disposition" Revert "scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler" Revert "scsi: core: Move scsi_host_busy() out of host lock if it is for per-command" Revert "bpf: Add map and need_defer parameters to .map_fd_put_ptr()" Revert "drm/mipi-dsi: Fix detach call without attach" Revert "serial: Add rs485_supported to uart_port" Revert "serial: 8250_exar: Fill in rs485_supported" Revert "serial: 8250_exar: Set missing rs485_supported flag" Revert "ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()" Linux 5.10.210 PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq() net: bcmgenet: Fix EEE implementation netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() drm/msm/dsi: Enable runtime PM PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend() PM: runtime: add devm_pm_runtime_enable helper dm: limit the number of targets and parameter size area nilfs2: replace WARN_ONs for invalid DAT metadata block requests nilfs2: fix potential bug in end_buffer_async_write sched/membarrier: reduce the ability to hammer on sys_membarrier net: prevent mss overflow in skb_segment() Revert "arm64: Stash shadow stack pointer in the task struct on interrupt" hrtimer: Ignore slack time for RT tasks in schedule_hrtimeout_range() netfilter: ipset: Missing gc cancellations fixed netfilter: ipset: fix performance regression in swap operation scripts/decode_stacktrace.sh: optionally use LLVM utilities scripts: decode_stacktrace: demangle Rust symbols scripts/decode_stacktrace.sh: support old bash version scripts/decode_stacktrace.sh: silence stderr messages from addr2line/nm serial: 8250_exar: Set missing rs485_supported flag serial: 8250_exar: Fill in rs485_supported serial: Add rs485_supported to uart_port crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init mips: Fix max_mapnr being uninitialized on early stages PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() alignment support bus: moxtet: Add spi device table Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d" tracing: Inform kmemleak of saved_cmdlines allocation pmdomain: core: Move the unused cleanup to a _sync initcall can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) of: property: fix typo in io-channels ceph: prevent use-after-free in encode_cap_msg() s390/qeth: Fix potential loss of L3-IP@ in case of network issues irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update irqchip/irq-brcmstb-l2: Add write memory barrier before exit wifi: mac80211: reload info pointer in ieee80211_tx_dequeue() nfp: flower: prevent re-adding mac index for bonded port nfp: use correct macro for LengthSelect in BAR config crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() nilfs2: fix data corruption in dsync block recovery for small block sizes ALSA: hda/conexant: Add quirk for SWS JS201D mmc: slot-gpio: Allow non-sleeping GPIO ro x86/mm/ident_map: Use gbpages only where full GB page should be mapped. x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 serial: max310x: improve crystal stable clock detection serial: max310x: set default value when reading clock ready bit ring-buffer: Clean ring_buffer_poll_wait() error return hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove media: rc: bpf attach/detach requires write permission iio: accel: bma400: Fix a compilation problem iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC staging: iio: ad5933: fix type mismatch regression tracing: Fix wasted memory in saved_cmdlines logic ext4: fix double-free of blocks due to wrong extents moved_len misc: fastrpc: Mark all sessions as invalid in cb_remove binder: signal epoll threads of self-work ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL xen-netback: properly sync TX responses net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() nfc: nci: free rx_data_reassembly skb on NCI device cleanup kbuild: Fix changing ELF file type for output of gen_btf for big endian firewire: core: correct documentation of fw_csr_string() kernel API lsm: fix the logic in security_inode_getsecctx() scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" modpost: trim leading spaces when processing source files list i2c: i801: Fix block process call transactions i2c: i801: Remove i801_set_block_buffer_mode powerpc/kasan: Fix addr error caused by page alignment media: ir_toy: fix a memleak in irtoy_tx usb: f_mass_storage: forbid async queue when shutdown happen USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT usb: ucsi_acpi: Fix command completion handling HID: wacom: Do not register input devices until after hid_hw_start HID: wacom: generic: Avoid reporting a serial of '0' to userspace ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift 1 SF114-32 mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again tracing/trigger: Fix to return error if failed to alloc snapshot i40e: Fix waiting for queues of all VSIs to be disabled MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler net: sysfs: Fix /sys/class/net/<iface> path for statistics ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work() spi: ppc4xx: Drop write-only variable net: openvswitch: limit the number of recursions from action sets of: unittest: Fix compile in the non-dynamic case btrfs: send: return EOPNOTSUPP on unknown flags btrfs: forbid deleting live subvol qgroup btrfs: do not ASSERT() if the newly created subvolume already got read btrfs: forbid creating subvol qgroups netfilter: nft_set_rbtree: skip end interval element from gc net: stmmac: xgmac: fix a typo of register name in DPP safety handling net: stmmac: xgmac: use #define for string constants clocksource: Skip watchdog check for large watchdog intervals vhost: use kzalloc() instead of kmalloc() followed by memset() Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU hrtimer: Report offline hrtimer enqueue usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK USB: serial: cp210x: add ID for IMST iM871A-USB USB: serial: option: add Fibocom FM101-GL variant USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e net/af_iucv: clean up a try_then_request_module() blk-iocost: Fix an UBSAN shift-out-of-bounds warning scsi: core: Move scsi_host_busy() out of host lock if it is for per-command netfilter: nft_set_pipapo: remove scratch_aligned pointer netfilter: nft_set_pipapo: add helper to release pcpu scratch area netfilter: nft_set_pipapo: store index in scratch maps netfilter: nft_ct: reject direction for ct id netfilter: nft_compat: restrict match/target protocol to u16 netfilter: nft_compat: reject unused compat flag ppp_async: limit MRU to 64K tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() rxrpc: Fix response to PING RESPONSE ACKs to a dead call inet: read sk->sk_family once in inet_recv_error() hwmon: (coretemp) Fix bogus core_id to attr name mapping hwmon: (coretemp) Fix out-of-bounds memory access hwmon: (aspeed-pwm-tacho) mutex for tach reading atm: idt77252: fix a memleak in open_card_ubr0 tunnels: fix out of bounds access when building IPv6 PMTU error selftests: net: avoid just another constant wait net: stmmac: xgmac: fix handling of DPP safety error for DMA channels drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV phy: renesas: rcar-gen3-usb2: Fix returning wrong error code dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA dmaengine: ti: k3-udma: Report short packet errors dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools PM: sleep: Fix error handling in dpm_prepare() uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ bonding: remove print in bond_verify_device_path HID: apple: Add 2021 magic keyboard FN key mapping HID: apple: Add support for the 2021 Magic Keyboard net: sysfs: Fix /sys/class/net/<iface> path af_unix: fix lockdep positive in sk_diag_dump_icons() net: ipv4: fix a memleak in ip_setup_cork netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger llc: call sock_orphan() at release time ipv6: Ensure natural alignment of const ipv6 loopback and router addresses ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() ixgbe: Refactor overtemp event handling ixgbe: Refactor returning internal error codes ixgbe: Remove non-inclusive language tcp: add sanity checks to rx zerocopy net-zerocopy: Refactor frag-is-remappable test. ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() ip6_tunnel: use dev_sw_netstats_rx_add() scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler scsi: core: Introduce enum scsi_disposition scsi: isci: Fix an error code problem in isci_io_request_build() drm: using mul_u32_u32() requires linux/math64.h wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update perf: Fix the nr_addr_filters fix drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()' drm/amd/powerplay: Fix kzalloc parameter 'ATOM_Tonga_PPM_Table' in 'get_platform_power_management_table()' ceph: fix deadlock or deadcode of misusing dget() blk-mq: fix IO hang from sbitmap wakeup race virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings libsubcmd: Fix memory leak in uniq() PCI/AER: Decode Requester ID when no error info found fs/kernfs/dir: obey S_ISGID tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE usb: hub: Replace hardcoded quirk value with BIT() macro PCI: switchtec: Fix stdev_release() crash after surprise hot remove PCI: Only override AMD USB controller if required mfd: ti_am335x_tscadc: Fix TI SoC dependencies xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import i3c: master: cdns: Update maximum prescaler value for i2c clock um: net: Fix return type of uml_net_start_xmit() um: Don't use vfprintf() for os_info() um: Fix naming clash between UML and scheduler leds: trigger: panic: Don't register panic notifier if creating the trigger failed drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' drm/amdgpu: Let KFD sync with VM fences watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786 clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() drm/msm/dpu: Ratelimit framedone timeout msgs media: ddbridge: fix an error code problem in ddb_probe IB/ipoib: Fix mcast list locking drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL ALSA: hda: Intel: add HDA_ARL PCI ID support PCI: add INTEL_HDA_ARL to pci_ids.h media: rockchip: rga: fix swizzling for RGB formats media: stk1160: Fixed high volume of stk1160_dbg messages drm/mipi-dsi: Fix detach call without attach drm/framebuffer: Fix use of uninitialized variable drm/drm_file: fix use of uninitialized variable f2fs: fix write pointers on zoned device after roll forward drm/amd/display: Fix tiled display misalignment RDMA/IPoIB: Fix error code return in ipoib_mcast_join fast_dput(): handle underflows gracefully ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument ALSA: hda: Refer to correct stream index at loops f2fs: fix to check return value of f2fs_reserve_new_block() i40e: Fix VF disable behavior to block all traffic Bluetooth: L2CAP: Fix possible multiple reject send Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066 wifi: cfg80211: free beacon_ies when overridden from hidden BSS wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property md: Whenassemble the array, consult the superblock of the freshest device block: prevent an integer overflow in bvec_try_merge_hw_page net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path ARM: dts: imx23/28: Fix the DMA controller node name ARM: dts: imx23-sansa: Use preferred i2c-gpios properties ARM: dts: imx27-apf27dev: Fix LED name ARM: dts: imx25/27: Pass timing0 ARM: dts: imx25: Fix the iim compatible string block/rnbd-srv: Check for unlikely string overflow ionic: pass opcode to devcmd_wait ARM: dts: imx1: Fix sram node ARM: dts: imx27: Fix sram node ARM: dts: imx: Use flash@0,0 pattern ARM: dts: imx25/27-eukrea: Fix RTC node name ARM: dts: rockchip: fix rk3036 hdmi ports node bpf: Set uattr->batch.count as zero before batched update or deletion scsi: libfc: Fix up timeout error in fc_fcp_rec_error() scsi: libfc: Don't schedule abort twice bpf: Add map and need_defer parameters to .map_fd_put_ptr() wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() ARM: dts: imx7s: Fix nand-controller #size-cells ARM: dts: imx7s: Fix lcdif compatible ARM: dts: imx7d: Fix coresight funnel ports scsi: arcmsr: Support new PCI device IDs 1883 and 1886 bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk PCI: Add no PM reset quirk for NVIDIA Spectrum devices scsi: lpfc: Fix possible file string name overflow when updating firmware selftests/bpf: Fix pyperf180 compilation failure with clang18 selftests/bpf: satisfy compiler by having explicit return in btf test wifi: rt2x00: restart beacon queue when hardware reset ext4: avoid online resizing failures due to oversized flex bg ext4: remove unnecessary check from alloc_flex_gd() ext4: unify the type of flexbg_size to unsigned int ext4: fix inconsistent between segment fstrim and full fstrim ecryptfs: Reject casefold directory inodes SUNRPC: Fix a suspicious RCU usage warning KVM: s390: fix setting of fpc register s390/ptrace: handle setting of fpc register correctly jfs: fix array-index-out-of-bounds in diNewExt rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu() crypto: stm32/crc32 - fix parsing list of devices pstore/ram: Fix crash when setting number of cpus to an odd number jfs: fix uaf in jfs_evict_inode jfs: fix array-index-out-of-bounds in dbAdjTree jfs: fix slab-out-of-bounds Read in dtSearch UBSAN: array-index-out-of-bounds in dtSplitRoot FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events PM / devfreq: Synchronize devfreq_monitor_[start/stop] ACPI: extlog: fix NULL pointer dereference check PNP: ACPI: fix fortify warning ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop audit: Send netlink ACK before setting connection in auditd_set regulator: core: Only increment use_count when enable_count changes debugobjects: Stop accessing objects after releasing hash bucket lock perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel powerpc/lib: Validate size for vector operations powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE x86/boot: Ignore NMIs during very early boot powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() powerpc: Fix build error due to is_valid_bugaddr() drivers/perf: pmuv3: don't expose SW_INCR event in sysfs powerpc/mm: Fix null-pointer dereference in pgtable_cache_add x86/entry/ia32: Ensure s32 is sign extended to s64 tick/sched: Preserve number of idle sleeps across CPU hotplug events mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan spi: bcm-qspi: fix SFDP BFPT read by usig mspi read gpio: eic-sprd: Clear interrupt after set the interrupt type drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume drm/exynos: fix accidental on-stack copy of exynos_drm_plane drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33] btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted btrfs: remove err variable from btrfs_delete_subvolume mm/sparsemem: fix race in accessing memory_section->usage mm: use __pfn_to_section() instead of open coding it media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run arm64: dts: qcom: sc7180: fix USB wakeup interrupt types arm64: dts: qcom: sc7180: Use pdc interrupts for USB instead of GIC interrupts ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12 pipe: wakeup wr_wait after setting max_usage fs/pipe: move check to pipe_has_watch_queue() PM: sleep: Fix possible deadlocks in core system-wide PM code PM: core: Remove unnecessary (void *) conversions PM: sleep: Avoid calling put_device() under dpm_list_mtx PM: sleep: Use dev_printk() when possible drm/bridge: nxp-ptn3460: simplify some error checking drm/tidss: Fix atomic_flush check drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking drm: Don't unref the same fb many times by mistake due to deadlock handling gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 netfilter: nf_tables: reject QUEUE/DROP verdict parameters netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain wifi: iwlwifi: fix a memory corruption exec: Fix error handling in begin_new_exec() rbd: don't move requests to the running list on errors btrfs: don't abort filesystem when attempting to snapshot deleted subvolume btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args btrfs: don't warn if discard range is not aligned to sector btrfs: tree-checker: fix inline ref size in error messages btrfs: ref-verify: free ref cache before clearing mount opt net: fec: fix the unhandled context fault from smmu fjes: fix memleaks in fjes_hw_setup selftests: netdevsim: fix the udp_tunnel_nic test net: mvpp2: clear BM pool before initialization netfilter: nf_tables: validate NFPROTO_* family netfilter: nf_tables: restrict anonymous set and map names to 16 bytes net/mlx5e: fix a double-free in arfs_create_groups net/mlx5: DR, Use the right GVMI number for drop action ipv6: init the accept_queue's spinlocks in inet6_create netlink: fix potential sleeping issue in mqueue_flush_file tcp: Add memory barrier to tcp_push() afs: Hide silly-rename files from userspace tracing: Ensure visibility when inserting an element into tracing_map net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv llc: Drop support for ETH_P_TR_802_2. llc: make llc_ui_sendmsg() more robust against bonding changes vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING bnxt_en: Wait for FLR to complete during probe tcp: make sure init the accept_queue's spinlocks once net/smc: fix illegal rmb_desc access in SMC-D connection dump KVM: use __vcalloc for very large allocations mm: vmalloc: introduce array allocation functions smb3: Replace smb2pdu 1-element arrays with flex-arrays stddef: Introduce DECLARE_FLEX_ARRAY() helper block: Remove special-casing of compound pages rename(): fix the locking of subdirectories ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path nouveau/vmm: don't set addr on the fail path to avoid warning rtc: Adjust failure return code for cmos_set_alarm() mmc: mmc_spi: remove custom DMA mapped buffers mmc: core: Use mrq.sbc in close-ended ffu scripts/get_abi: fix source path leak lsm: new security_file_ioctl_compat() hook arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts arm64: dts: qcom: sdm845: fix USB wakeup interrupt types async: Introduce async_schedule_dev_nocall() async: Split async_schedule_node_domain() parisc/firmware: Fix F-extend for PDC addresses bus: mhi: host: Drop chan lock before queuing buffers rpmsg: virtio: Free driver_override when rpmsg_remove() crypto: s390/aes - Fix buffer overread in CTR mode hwrng: core - Fix page fault dead lock on mmap-ed hwrng PM: hibernate: Enforce ordering during image compression/decompression crypto: api - Disallow identical driver names ext4: allow for the last group to be marked as trimmed iio:adc:ad7091r: Move exports into IIO_AD7091R namespace. dmaengine: fix NULL pointer in channel unregistration function iio: adc: ad7091r: Enable internal vref if external vref is not supplied iio: adc: ad7091r: Allow users to configure device events iio: adc: ad7091r: Set alert bit in config register serial: sc16is7xx: add check for unsupported SPI modes during probe spi: introduce SPI_MODE_X_MASK macro serial: sc16is7xx: set safe default SPI clock frequency units: add the HZ macros units: change from 'L' to 'UL' PCI: mediatek: Clear interrupt status before dispatching handler usb: cdns3: Fix uvc fail when DMA cross 4k boundery since sg enabled usb: cdns3: fix iso transfer error when mult is not zero usb: cdns3: fix incorrect calculation of ep_buf_size when more than one config usb: cdns3: fix uvc failure work since sg support enabled usb: cdns3: Fixes for sparse warnings Conflicts: Makefile scripts/Makefile.lib scripts/decode_stacktrace.sh Change-Id: I843d5be296c4237694a7ff1c21600b0ee1d57b5f |
||
|
Chuck Lever
|
7229200f68 |
nfsd: don't allow nfsd threads to be signalled.
[ Upstream commit 3903902401451b1cd9d797a8c79769eb26ac7fe5 ]
The original implementation of nfsd used signals to stop threads during
shutdown.
In Linux 2.3.46pre5 nfsd gained the ability to shutdown threads
internally it if was asked to run "0" threads. After this user-space
transitioned to using "rpc.nfsd 0" to stop nfsd and sending signals to
threads was no longer an important part of the API.
In commit 3ebdbe5203a8 ("SUNRPC: discard svo_setup and rename
svc_set_num_threads_sync()") (v5.17-rc1~75^2~41) we finally removed the
use of signals for stopping threads, using kthread_stop() instead.
This patch makes the "obvious" next step and removes the ability to
signal nfsd threads - or any svc threads. nfsd stops allowing signals
and we don't check for their delivery any more.
This will allow for some simplification in later patches.
A change worth noting is in nfsd4_ssc_setup_dul(). There was previously
a signal_pending() check which would only succeed when the thread was
being shut down. It should really have tested kthread_should_stop() as
well. Now it just does the latter, not the former.
Signed-off-by: NeilBrown <neilb@suse.de>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
[ cel: adjusted to apply to v5.10.y ]
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Dan Carpenter
|
b28b5c726e |
nfsd: fix double fget() bug in __write_ports_addfd()
[ Upstream commit c034203b6a9dae6751ef4371c18cb77983e30c28 ]
The bug here is that you cannot rely on getting the same socket
from multiple calls to fget() because userspace can influence
that. This is a kind of double fetch bug.
The fix is to delete the svc_alien_sock() function and instead do
the checking inside the svc_addsock() function.
Fixes:
|
||
|
Chuck Lever
|
115b58b56f |
Revert "SUNRPC: Use RMW bitops in single-threaded hot paths"
[ Upstream commit 7827c81f0248e3c2f40d438b020f3d222f002171 ]
The premise that "Once an svc thread is scheduled and executing an
RPC, no other processes will touch svc_rqst::rq_flags" is false.
svc_xprt_enqueue() examines the RQ_BUSY flag in scheduled nfsd
threads when determining which thread to wake up next.
Found via KCSAN.
Fixes: 28df0988815f ("SUNRPC: Use RMW bitops in single-threaded hot paths")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Chuck Lever
|
d08acee648 |
NFSD: Refactor common code out of dirlist helpers
[ Upstream commit 98124f5bd6c76699d514fbe491dd95265369cc99 ] The dust has settled a bit and it's become obvious what code is totally common between nfsd_init_dirlist_pages() and nfsd3_init_dirlist_pages(). Move that common code to SUNRPC. The new helper brackets the existing xdr_init_decode_pages() API. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
5ed2524893 |
SUNRPC: Parametrize how much of argsize should be zeroed
[ Upstream commit 103cc1fafee48adb91fca0e19deb869fd23e46ab ] Currently, SUNRPC clears the whole of .pc_argsize before processing each incoming RPC transaction. Add an extra parameter to struct svc_procedure to enable upper layers to reduce the amount of each operation's argument structure that is zeroed by SUNRPC. The size of struct nfsd4_compoundargs, in particular, is a lot to clear on each incoming RPC Call. A subsequent patch will cut this down to something closer to what NFSv2 and NFSv3 uses. This patch should cause no behavior changes. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
6943f1073a |
SUNRPC: Optimize xdr_reserve_space()
[ Upstream commit 62ed448cc53b654036f7d7f3c99f299d79ad14c3 ] Transitioning between encode buffers is quite infrequent. It happens about 1 time in 400 calls to xdr_reserve_space(), measured on NFSD with a typical build/test workload. Force the compiler to remove that code from xdr_reserve_space(), which is a hot path on both the server and the client. This change reduces the size of xdr_reserve_space() from 10 cache lines to 2 when compiled with -Os. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Reviewed-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
e1e87709c4 |
SUNRPC: Use RMW bitops in single-threaded hot paths
[ Upstream commit 28df0988815f63e2af5e6718193c9f68681ad7ff ] I noticed CPU pipeline stalls while using perf. Once an svc thread is scheduled and executing an RPC, no other processes will touch svc_rqst::rq_flags. Thus bus-locked atomics are not needed outside the svc thread scheduler. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
7e4328b3b9 |
NFSD: Move svc_serv_ops::svo_function into struct svc_serv
[ Upstream commit 37902c6313090235c847af89c5515591261ee338 ] Hoist svo_function back into svc_serv and remove struct svc_serv_ops, since the struct is now devoid of fields. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
9802c57460 |
NFSD: Remove svc_serv_ops::svo_module
[ Upstream commit f49169c97fceb21ad6a0aaf671c50b0f520f15a5 ] struct svc_serv_ops is about to be removed. Neil Brown says: > I suspect svo_module can go as well - I don't think the thread is > ever the thing that primarily keeps a module active. A random sample of kthread_create() callers shows sunrpc is the only one that manages module reference count in this way. Suggested-by: Neil Brown <neilb@suse.de> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
36c57b27a7 |
SUNRPC: Remove svc_shutdown_net()
[ Upstream commit c7d7ec8f043e53ad16e30f5ebb8b9df415ec0f2b ] Clean up: svc_shutdown_net() now does nothing but call svc_close_net(). Replace all external call sites. svc_close_net() is renamed to be the inverse of svc_xprt_create(). Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
a4bbb1ab69 |
SUNRPC: Rename svc_close_xprt()
[ Upstream commit 4355d767a21b9445958fc11bce9a9701f76529d3 ] Clean up: Use the "svc_xprt_<task>" function naming convention as is used for other external APIs. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
c58a9cfd20 |
SUNRPC: Rename svc_create_xprt()
[ Upstream commit 352ad31448fecc78a2e9b78da64eea5d63b8d0ce ] Clean up: Use the "svc_xprt_<task>" function naming convention as is used for other external APIs. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
9a43ddd6b6 |
SUNRPC: Remove svo_shutdown method
[ Upstream commit 87cdd8641c8a1ec6afd2468265e20840a57fd888 ] Clean up. Neil observed that "any code that calls svc_shutdown_net() knows what the shutdown function should be, and so can call it directly." Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Reviewed-by: NeilBrown <neilb@suse.de> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
8c60a47670 |
SUNRPC: Merge svc_do_enqueue_xprt() into svc_enqueue_xprt()
[ Upstream commit c0219c499799c1e92bd570c15a47e6257a27bb15 ]
Neil says:
"These functions were separated in commit
|
||
|
Chuck Lever
|
99ab6abc88 |
SUNRPC: Remove the .svo_enqueue_xprt method
[ Upstream commit a9ff2e99e9fa501ec965da03c18a5422b37a2f44 ]
We have never been able to track down and address the underlying
cause of the performance issues with workqueue-based service
support. svo_enqueue_xprt is called multiple times per RPC, so
it adds instruction path length, but always ends up at the same
function: svc_xprt_do_enqueue(). We do not anticipate needing
this flexibility for dynamic nfsd thread management support.
As a micro-optimization, remove .svo_enqueue_xprt because
Spectre/Meltdown makes virtual function calls more costly.
This change essentially reverts commit
|
||
NeilBrown
|
948e4664cc |
lockd: use svc_set_num_threads() for thread start and stop
[ Upstream commit 6b044fbaab02292fedb17565dbb3f2528083b169 ] svc_set_num_threads() does everything that lockd_start_svc() does, except set sv_maxconn. It also (when passed 0) finds the threads and stops them with kthread_stop(). So move the setting for sv_maxconn, and use svc_set_num_thread() We now don't need nlmsvc_task. Now that we use svc_set_num_threads() it makes sense to set svo_module. This request that the thread exists with module_put_and_exit(). Also fix the documentation for svo_module to make this explicit. svc_prepare_thread is now only used where it is defined, so it can be made static. Signed-off-by: NeilBrown <neilb@suse.de> [ cel: address merge conflict with fd2468fa1301 ] Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
NeilBrown
|
deeda24a67 |
SUNRPC: always treat sv_nrpools==1 as "not pooled"
[ Upstream commit 93aa619eb0b42eec2f3a9b4d9db41f5095390aec ] Currently 'pooled' services hold a reference on the pool_map, and 'unpooled' services do not. svc_destroy() uses the presence of ->svo_function (via svc_serv_is_pooled()) to determine if the reference should be dropped. There is no direct correlation between being pooled and the use of svo_function, though in practice, lockd is the only non-pooled service, and the only one not to use svo_function. This is untidy and would cause problems if we changed lockd to use svc_set_num_threads(), which requires the use of ->svo_function. So change the test for "is the service pooled" to "is sv_nrpools > 1". This means that when svc_pool_map_get() returns 1, it must NOT take a reference to the pool. We discard svc_serv_is_pooled(), and test sv_nrpools directly. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
NeilBrown
|
74a0e37a20 |
SUNRPC: move the pool_map definitions (back) into svc.c
[ Upstream commit cf0e124e0a489944d08fcc3c694d2b234d2cc658 ] These definitions are not used outside of svc.c, and there is no evidence that they ever have been. So move them into svc.c and make the declarations 'static'. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
NeilBrown
|
7149250bee |
SUNRPC: discard svo_setup and rename svc_set_num_threads_sync()
[ Upstream commit 3ebdbe5203a874614819700d3f470724cb803709 ] The ->svo_setup callback serves no purpose. It is always called from within the same module that chooses which callback is needed. So discard it and call the relevant function directly. Now that svc_set_num_threads() is no longer used remove it and rename svc_set_num_threads_sync() to remove the "_sync" suffix. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
NeilBrown
|
61d12fc30a |
SUNRPC: use sv_lock to protect updates to sv_nrthreads.
[ Upstream commit 2a36395fac3b72771f87c3ee4387e3a96d85a7cc ] Using sv_lock means we don't need to hold the service mutex over these updates. In particular, svc_exit_thread() no longer requires synchronisation, so threads can exit asynchronously. Note that we could use an atomic_t, but as there are many more read sites than writes, that would add unnecessary noise to the code. Some reads are already racy, and there is no need for them to not be. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
NeilBrown
|
17041f0140 |
SUNRPC: stop using ->sv_nrthreads as a refcount
[ Upstream commit ec52361df99b490f6af412b046df9799b92c1050 ] The use of sv_nrthreads as a general refcount results in clumsy code, as is seen by various comments needed to explain the situation. This patch introduces a 'struct kref' and uses that for reference counting, leaving sv_nrthreads to be a pure count of threads. The kref is managed particularly in svc_get() and svc_put(), and also nfsd_put(); svc_destroy() now takes a pointer to the embedded kref, rather than to the serv. nfsd allows the svc_serv to exist with ->sv_nrhtreads being zero. This happens when a transport is created before the first thread is started. To support this, a 'keep_active' flag is introduced which holds a ref on the svc_serv. This is set when any listening socket is successfully added (unless there are running threads), and cleared when the number of threads is set. So when the last thread exits, the nfs_serv will be destroyed. The use of 'keep_active' replaces previous code which checked if there were any permanent sockets. We no longer clear ->rq_server when nfsd() exits. This was done to prevent svc_exit_thread() from calling svc_destroy(). Instead we take an extra reference to the svc_serv to prevent svc_destroy() from being called. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
NeilBrown
|
64312a7c9f |
SUNRPC/NFSD: clean up get/put functions.
[ Upstream commit 8c62d12740a1450d2e8456d5747f440e10db281a ] svc_destroy() is poorly named - it doesn't necessarily destroy the svc, it might just reduce the ref count. nfsd_destroy() is poorly named for the same reason. This patch: - removes the refcount functionality from svc_destroy(), moving it to a new svc_put(). Almost all previous callers of svc_destroy() now call svc_put(). - renames nfsd_destroy() to nfsd_put() and improves the code, using the new svc_destroy() rather than svc_put() - removes a few comments that explain the important for balanced get/put calls. This should be obvious. The only non-trivial part of this is that svc_destroy() would call svc_sock_update() on a non-final decrement. It can no longer do that, and svc_put() isn't really a good place of it. This call is now made from svc_exit_thread() which seems like a good place. This makes the call *before* sv_nrthreads is decremented rather than after. This is not particularly important as the call just sets a flag which causes sv_nrthreads set be checked later. A subsequent patch will improve the ordering. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric W. Biederman
|
c59dc174b2 |
exit: Rename module_put_and_exit to module_put_and_kthread_exit
[ Upstream commit ca3574bd653aba234a4b31955f2778947403be16 ] Update module_put_and_exit to call kthread_exit instead of do_exit. Change the name to reflect this change in functionality. All of the users of module_put_and_exit are causing the current kthread to exit so this change makes it clear what is happening. There is no functional change. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
396b359832 |
NFSD: Have legacy NFSD WRITE decoders use xdr_stream_subsegment()
[ Upstream commit dae9a6cab8009e526570e7477ce858dcdfeb256e ] Refactor. Now that the NFSv2 and NFSv3 XDR decoders have been converted to use xdr_streams, the WRITE decoder functions can use xdr_stream_subsegment() to extract the WRITE payload into its own xdr_buf, just as the NFSv4 WRITE XDR decoder currently does. That makes it possible to pass the first kvec, pages array + length, page_base, and total payload length via a single function parameter. The payload's page_base is not yet assigned or used, but will be in subsequent patches. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com> [ cel: adjusted to apply to v5.10.y ] Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
2b2963c72c |
SUNRPC: Trace calls to .rpc_call_done
[ Upstream commit b40887e10dcacc5e8ae3c1a99dcba20877c4831b ] Introduce a single tracepoint that can replace simple dprintk call sites in upper layer "rpc_call_done" callbacks. Example: kworker/u24:2-1254 [001] 771.026677: rpc_stats_latency: task:00000001@00000002 xid=0x16a6f3c0 rpcbindv2 GETPORT backlog=446 rtt=101 execute=555 kworker/u24:2-1254 [001] 771.026677: rpc_task_call_done: task:00000001@00000002 flags=ASYNC|DYNAMIC|SOFT|SOFTCONN|SENT runstate=RUNNING|ACTIVE status=0 action=rpcb_getport_done kworker/u24:2-1254 [001] 771.026678: rpcb_setport: task:00000001@00000002 status=0 port=20048 Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
91bbbffece |
SUNRPC: Eliminate the RQ_AUTHERR flag
[ Upstream commit 9082e1d914f8b27114352b1940bbcc7522f682e7 ] Now that there is an alternate method for returning an auth_stat value, replace the RQ_AUTHERR flag with use of that new method. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
febf43bcdc |
SUNRPC: Set rq_auth_stat in the pg_authenticate() callout
[ Upstream commit 5c2465dfd457f3015eebcc3ace50570e1d896aeb ] In a few moments, rq_auth_stat will need to be explicitly set to rpc_auth_ok before execution gets to the dispatcher. svc_authenticate() already sets it, but it often gets reset to rpc_autherr_badcred right after that call, even when authentication is successful. Let's ensure that the pg_authenticate callout and svc_set_client() set it properly in every case. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
a96da583ff |
SUNRPC: Add svc_rqst::rq_auth_stat
[ Upstream commit 438623a06bacd69c40c4af633bb09a3bbb9dfc78 ]
I'd like to take commit
|
||
|
Chuck Lever
|
a4f616afb4 |
SUNRPC: Add svc_rqst_replace_page() API
[ Upstream commit 2f0f88f42f2eab0421ed37d7494de9124fdf0d34 ] Replacing a page in rq_pages[] requires a get_page(), which is a bus-locked operation, and a put_page(), which can be even more costly. To reduce the cost of replacing a page in rq_pages[], batch the put_page() operations by collecting "freed" pages in a pagevec, and then release those pages when the pagevec is full. This pagevec is also emptied when each RPC completes. [ cel: adjusted to apply without f6e70aab9dfe ] Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
117dac268d |
SUNRPC: Export svc_xprt_received()
[ Upstream commit 7dcfbd86adc45f6d6b37278efd22530cf80ab474 ] Prepare svc_xprt_received() to be called from transport code instead of from generic RPC server code. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Christian Brauner
|
b0fa673c8c |
fs: add file and path permissions helpers
[ Upstream commit 02f92b3868a1b34ab98464e76b0e4e060474ba10 ] Add two simple helpers to check permissions on a file and path respectively and convert over some callers. It simplifies quite a few codepaths and also reduces the churn in later patches quite a bit. Christoph also correctly points out that this makes codepaths (e.g. ioctls) way easier to follow that would otherwise have to do more complex argument passing than necessary. Link: https://lore.kernel.org/r/20210121131959.646623-4-christian.brauner@ubuntu.com Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Suggested-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
bbb0a710a2 |
NFSD: Replace the internals of the READ_BUF() macro
[ Upstream commit c1346a1216ab5cb04a265380ac9035d91b16b6d5 ] Convert the READ_BUF macro in nfs4xdr.c from open code to instead use the new xdr_stream-style decoders already in use by the encode side (and by the in-kernel NFS client implementation). Once this conversion is done, each individual NFSv4 argument decoder can be independently cleaned up to replace these macros with C code. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
79e4e0d489 |
SUNRPC: Prepare for xdr_stream-style decoding on the server-side
[ Upstream commit 5191955d6fc65e6d4efe8f4f10a6028298f57281 ] A "permanent" struct xdr_stream is allocated in struct svc_rqst so that it is usable by all server-side decoders. A per-rqst scratch buffer is also allocated to handle decoding XDR data items that cross page boundaries. To demonstrate how it will be used, add the first call site for the new svcxdr_init_decode() API. As an additional part of the overall conversion, add symbolic constants for successful and failed XDR operations. Returning "0" is overloaded. Sometimes it means something failed, but sometimes it means success. To make it more clear when XDR decoding functions succeed or fail, introduce symbolic constants. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
2f46cc8141 |
SUNRPC: Add xdr_set_scratch_page() and xdr_reset_scratch_buffer()
[ Upstream commit 0ae4c3e8a64ace1b8d7de033b0751afe43024416 ] Clean up: De-duplicate some frequently-used code. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
a2f25c3208 |
NFSD: Invoke svc_encode_result_payload() in "read" NFSD encoders
[ Upstream commit 76e5492b161f555c0fb69cad9eb39a7d8467f5fe ] Have the NFSD encoders annotate the boundaries of every direct-data-placement eligible result data payload. Then change svcrdma to use that annotation instead of the xdr->page_len when handling Write chunks. For NFSv4 on RDMA, that enables the ability to recognize multiple result payloads per compound. This is a pre-requisite for supporting multiple Write chunks per RPC transaction. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Chuck Lever
|
9aa0a43a55 |
SUNRPC: Rename svc_encode_read_payload()
[ Upstream commit 03493bca084fdca48abc59b00e06ce733aa9eb7d ] Clean up: "result payload" is a less confusing name for these payloads. "READ payload" reflects only the NFS usage. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
2295a7ef5c |
net: fix __dst_negative_advice() race
commit 92f1655aa2b2294d0b49925f3b875a634bd3b59e upstream.
__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.
RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).
Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.
Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.
Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.
Many thanks to Clement Lecigne for tracking this issue.
This old bug became visible after the blamed commit, using UDP sockets.
Fixes:
|
||
Nikita Zhandarovich
|
1249478555 |
net/9p: fix uninit-value in p9_client_rpc()
commit 25460d6f39024cc3b8241b14c7ccf0d6f11a736a upstream.
Syzbot with the help of KMSAN reported the following error:
BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]
BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
trace_9p_client_res include/trace/events/9p.h:146 [inline]
p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
legacy_get_tree+0x114/0x290 fs/fs_context.c:662
vfs_get_tree+0xa7/0x570 fs/super.c:1797
do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
path_mount+0x742/0x1f20 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount+0x725/0x810 fs/namespace.c:3875
__x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
__alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0x2de/0x1400 mm/slub.c:2391
___slab_alloc+0x1184/0x33d0 mm/slub.c:3525
__slab_alloc mm/slub.c:3610 [inline]
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852
p9_tag_alloc net/9p/client.c:278 [inline]
p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641
p9_client_rpc+0x27e/0x1340 net/9p/client.c:688
p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
legacy_get_tree+0x114/0x290 fs/fs_context.c:662
vfs_get_tree+0xa7/0x570 fs/super.c:1797
do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
path_mount+0x742/0x1f20 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount+0x725/0x810 fs/namespace.c:3875
__x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag
will not be properly initialized. However, trace_9p_client_res()
ends up trying to print it out anyway before p9_client_rpc()
finishes.
Fix this issue by assigning default values to p9_fcall fields
such as 'tag' and (just in case KMSAN unearths something new) 'id'
during the tag allocation stage.
Reported-and-tested-by: syzbot+ff14db38f56329ef68df@syzkaller.appspotmail.com
Fixes:
|
||
xu xin
|
3cc7687f7f |
net/ipv6: Fix route deleting failure when metric equals 0
commit bb487272380d120295e955ad8acfcbb281b57642 upstream. Problem ========= After commit |
||
Ziyang Xuan
|
cade34279c |
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
commit d78d867dcea69c328db30df665be5be7d0148484 upstream.
nft_unregister_obj() can concurrent with __nft_obj_type_get(),
and there is not any protection when iterate over nf_tables_objects
list in __nft_obj_type_get(). Therefore, there is potential data-race
of nf_tables_objects list entry.
Use list_for_each_entry_rcu() to iterate over nf_tables_objects
list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
nft_obj_type_get() to protect the entire type query process.
Fixes:
|
||
|
Pablo Neira Ayuso
|
9c1c2ea099 |
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
commit 776d451648443f9884be4a1b4e38e8faf1c621f9 upstream.
Bail out on using the tunnel dst template from other than netdev family.
Add the infrastructure to check for the family in objects.
Fixes:
|
||
|
Chuck Lever
|
4cefcd0af7 |
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
commit 4a77c3dead97339478c7422eb07bf4bf63577008 upstream.
The in_token->pages[] array is not NULL terminated. This results in
the following KASAN splat:
KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]
Fixes: bafa6b4d95d9 ("SUNRPC: Fix gss_free_in_token_pages()")
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Florian Westphal
|
07eeedafc5 |
netfilter: tproxy: bail out if IP has been disabled on the device
[ Upstream commit 21a673bddc8fd4873c370caf9ae70ffc6d47e8d3 ]
syzbot reports:
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
[..]
RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
Call Trace:
nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]
nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168
__in_dev_get_rcu() can return NULL, so check for this.
Reported-and-tested-by: syzbot+b94a6818504ea90d7661@syzkaller.appspotmail.com
Fixes:
|
||
|
Pablo Neira Ayuso
|
7ca9cf24b0 |
netfilter: nft_payload: restore vlan q-in-q match support
[ Upstream commit aff5c01fa1284d606f8e7cbdaafeef2511bb46c1 ] Revert |
||
|
Eric Dumazet
|
e01065b339 |
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
[ Upstream commit dc21c6cc3d6986d938efbf95de62473982c98dec ]
syzbot reported that nf_reinject() could be called without rcu_read_lock() :
WARNING: suspicious RCU usage
6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted
net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor.4/13427:
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172
stack backtrace:
CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]
nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397
nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]
instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172
rcu_do_batch kernel/rcu/tree.c:2196 [inline]
rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471
handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
Fixes:
|
||
Ryosuke Yasuoka
|
0f26983c24 |
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
[ Upstream commit 6671e352497ca4bb07a96c48e03907065ff77d8a ]
When nci_rx_work() receives a zero-length payload packet, it should not
discard the packet and exit the loop. Instead, it should continue
processing subsequent packets.
Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20240521153444.535399-1-ryasuoka@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Tetsuo Handa
|
728fb8b3b5 |
nfc: nci: Fix kcov check in nci_rx_work()
[ Upstream commit 19e35f24750ddf860c51e51c68cf07ea181b4881 ]
Commit 7e8cdc97148c ("nfc: Add KCOV annotations") added
kcov_remote_start_common()/kcov_remote_stop() pair into nci_rx_work(),
with an assumption that kcov_remote_stop() is called upon continue of
the for loop. But commit d24b03535e5e ("nfc: nci: Fix uninit-value in
nci_dev_up and nci_ntf_packet") forgot to call kcov_remote_stop() before
break of the for loop.
Reported-by: syzbot <syzbot+0438378d6f157baae1a2@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2
Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
Suggested-by: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/6d10f829-5a0c-405a-b39a-d7266f3a1a0b@I-love.SAKURA.ne.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 6671e352497c ("nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Dae R. Jeong
|
d72e126e9a |
tls: fix missing memory barrier in tls_init
[ Upstream commit 91e61dd7a0af660408e87372d8330ceb218be302 ]
In tls_init(), a write memory barrier is missing, and store-store
reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.
CPU0 CPU1
----- -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)
// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots) -(2)
// In sock_common_setsockopt()
READ_ONCE(sk->sk_prot)->setsockopt()
// In tls_{setsockopt,getsockopt}()
ctx->sk_proto->setsockopt() -(3)
In the above scenario, when (1) and (2) are reordered, (3) can observe
the NULL value of ctx->sk_proto, causing NULL dereference.
To fix it, we rely on rcu_assign_pointer() which implies the release
barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is
initialized, we can ensure that ctx->sk_proto are visible when
changing sk->sk_prot.
Fixes:
|
||
Aaron Conole
|
8cae65ace4 |
openvswitch: Set the skbuff pkt_type for proper pmtud support.
[ Upstream commit 30a92c9e3d6b073932762bef2ac66f4ee784c657 ]
Open vSwitch is originally intended to switch at layer 2, only dealing with
Ethernet frames. With the introduction of l3 tunnels support, it crossed
into the realm of needing to care a bit about some routing details when
making forwarding decisions. If an oversized packet would need to be
fragmented during this forwarding decision, there is a chance for pmtu
to get involved and generate a routing exception. This is gated by the
skbuff->pkt_type field.
When a flow is already loaded into the openvswitch module this field is
set up and transitioned properly as a packet moves from one port to
another. In the case that a packet execute is invoked after a flow is
newly installed this field is not properly initialized. This causes the
pmtud mechanism to omit sending the required exception messages across
the tunnel boundary and a second attempt needs to be made to make sure
that the routing exception is properly setup. To fix this, we set the
outgoing packet's pkt_type to PACKET_OUTGOING, since it can only get
to the openvswitch module via a port device or packet command.
Even for bridge ports as users, the pkt_type needs to be reset when
doing the transmit as the packet is truly outgoing and routing needs
to get involved post packet transformations, in the case of
VXLAN/GENEVE/udp-tunnel packets. In general, the pkt_type on output
gets ignored, since we go straight to the driver, but in the case of
tunnel ports they go through IP routing layer.
This issue is periodically encountered in complex setups, such as large
openshift deployments, where multiple sets of tunnel traversal occurs.
A way to recreate this is with the ovn-heater project that can setup
a networking environment which mimics such large deployments. We need
larger environments for this because we need to ensure that flow
misses occur. In these environment, without this patch, we can see:
./ovn_cluster.sh start
podman exec ovn-chassis-1 ip r a 170.168.0.5/32 dev eth1 mtu 1200
podman exec ovn-chassis-1 ip netns exec sw01p1 ip r flush cache
podman exec ovn-chassis-1 ip netns exec sw01p1 \
ping 21.0.0.3 -M do -s 1300 -c2
PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data.
From 21.0.0.3 icmp_seq=2 Frag needed and DF set (mtu = 1142)
--- 21.0.0.3 ping statistics ---
...
Using tcpdump, we can also see the expected ICMP FRAG_NEEDED message is not
sent into the server.
With this patch, setting the pkt_type, we see the following:
podman exec ovn-chassis-1 ip netns exec sw01p1 \
ping 21.0.0.3 -M do -s 1300 -c2
PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data.
From 21.0.0.3 icmp_seq=1 Frag needed and DF set (mtu = 1222)
ping: local error: message too long, mtu=1222
--- 21.0.0.3 ping statistics ---
...
In this case, the first ping request receives the FRAG_NEEDED message and
a local routing exception is created.
Tested-by: Jaime Caamano <jcaamano@redhat.com>
Reported-at: https://issues.redhat.com/browse/FDP-164
Fixes:
|
||
|
Kuniyuki Iwashima
|
e9b2f60636 |
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
[ Upstream commit 3ebc46ca8675de6378e3f8f40768e180bb8afa66 ]
In dctcp_update_alpha(), we use a module parameter dctcp_shift_g
as follows:
alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
...
delivered_ce <<= (10 - dctcp_shift_g);
It seems syzkaller started fuzzing module parameters and triggered
shift-out-of-bounds [0] by setting 100 to dctcp_shift_g:
memcpy((void*)0x20000080,
"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47);
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,
/*flags=*/2ul, /*mode=*/0ul);
memcpy((void*)0x20000000, "100\000", 4);
syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);
Let's limit the max value of dctcp_shift_g by param_set_uint_minmax().
With this patch:
# echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
# cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g
10
# echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
-bash: echo: write error: Invalid argument
[0]:
UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12
shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')
CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143
tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]
tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948
tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711
tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937
sk_backlog_rcv include/net/sock.h:1106 [inline]
__release_sock+0x20f/0x350 net/core/sock.c:2983
release_sock+0x61/0x1f0 net/core/sock.c:3549
mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907
mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976
__mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072
mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127
inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437
__sock_release net/socket.c:659 [inline]
sock_close+0xc0/0x240 net/socket.c:1421
__fput+0x41b/0x890 fs/file_table.c:422
task_work_run+0x23b/0x300 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x9c8/0x2540 kernel/exit.c:878
do_group_exit+0x201/0x2b0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f6c2b5005b6
Code: Unable to access opcode bytes at 0x7f6c2b50058c.
RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Reported-by: Yue Sun <samsun1006219@gmail.com>
Reported-by: xingwei lee <xrivendell7@gmail.com>
Closes: https://lore.kernel.org/netdev/CAEkJfYNJM=cw-8x7_Vmj1J6uYVCWMbbvD=EFmDPVBGpTsqOxEA@mail.gmail.com/
Fixes:
|
||
Sagi Grimberg
|
42bd4e491c |
params: lift param_set_uint_minmax to common code
[ Upstream commit 2a14c9ae15a38148484a128b84bff7e9ffd90d68 ]
It is a useful helper hence move it to common code so others can enjoy
it.
Suggested-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Stable-dep-of: 3ebc46ca8675 ("tcp: Fix shift-out-of-bounds in dctcp_update_alpha().")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Hangbin Liu
|
daf341e0a2 |
ipv6: sr: fix memleak in seg6_hmac_init_algo
[ Upstream commit efb9f4f19f8e37fde43dfecebc80292d179f56c6 ]
seg6_hmac_init_algo returns without cleaning up the previous allocations
if one fails, so it's going to leak all that memory and the crypto tfms.
Update seg6_hmac_exit to only free the memory when allocated, so we can
reuse the code directly.
Fixes:
|
||
Dan Aloni
|
1c65ebce7d |
rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL
[ Upstream commit 4836da219781ec510c4c0303df901aa643507a7a ]
Under the scenario of IB device bonding, when bringing down one of the
ports, or all ports, we saw xprtrdma entering a non-recoverable state
where it is not even possible to complete the disconnect and shut it
down the mount, requiring a reboot. Following debug, we saw that
transport connect never ended after receiving the
RDMA_CM_EVENT_DEVICE_REMOVAL callback.
The DEVICE_REMOVAL callback is irrespective of whether the CM_ID is
connected, and ESTABLISHED may not have happened. So need to work with
each of these states accordingly.
Fixes:
|
||
|
Dan Aloni
|
f2b326b774 |
sunrpc: fix NFSACL RPC retry on soft mount
[ Upstream commit 0dc9f430027b8bd9073fdafdfcdeb1a073ab5594 ] It used to be quite awhile ago since |
||
|
Ryosuke Yasuoka
|
f80b786ab0 |
nfc: nci: Fix uninit-value in nci_rx_work
[ Upstream commit e4a87abf588536d1cdfb128595e6e680af5cf3ed ]
syzbot reported the following uninit-value access issue [1]
nci_rx_work() parses received packet from ndev->rx_q. It should be
validated header size, payload size and total packet size before
processing the packet. If an invalid packet is detected, it should be
silently discarded.
Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
Reported-and-tested-by: syzbot+d7b4dc6cd50410152534@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7b4dc6cd50410152534 [1]
Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
e892f9932d |
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
[ Upstream commit 581073f626e387d3e7eed55c48c8495584ead7ba ] trafgen performance considerably sank on hosts with many cores after the blamed commit. packet_read_pending() is very expensive, and calling it in af_packet fast path defeats Daniel intent in commit |
||
|
Eric Dumazet
|
b117e5b4f2 |
netrom: fix possible dead-lock in nr_rt_ioctl()
[ Upstream commit e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6 ]
syzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]
Make sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)
[1]
WARNING: possible circular locking dependency detected
6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted
------------------------------------------------------
syz-executor350/5129 is trying to acquire lock:
ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]
ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]
ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697
but task is already holding lock:
ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]
ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (nr_node_list_lock){+...}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:356 [inline]
nr_remove_node net/netrom/nr_route.c:299 [inline]
nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355
nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&nr_node->node_lock){+...}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:356 [inline]
nr_node_lock include/net/netrom.h:152 [inline]
nr_dec_obs net/netrom/nr_route.c:464 [inline]
nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(nr_node_list_lock);
lock(&nr_node->node_lock);
lock(nr_node_list_lock);
lock(&nr_node->node_lock);
*** DEADLOCK ***
1 lock held by syz-executor350/5129:
#0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]
#0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697
stack backtrace:
CPU: 0 PID: 5129 Comm: syz-executor350 Not tainted 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:356 [inline]
nr_node_lock include/net/netrom.h:152 [inline]
nr_dec_obs net/netrom/nr_route.c:464 [inline]
nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes:
|
||
Chris Lew
|
cafccde429 |
net: qrtr: ns: Fix module refcnt
[ Upstream commit fd76e5ccc48f9f54eb44909dd7c0b924005f1582 ]
The qrtr protocol core logic and the qrtr nameservice are combined into
a single module. Neither the core logic or nameservice provide much
functionality by themselves; combining the two into a single module also
prevents any possible issues that may stem from client modules loading
inbetween qrtr and the ns.
Creating a socket takes two references to the module that owns the
socket protocol. Since the ns needs to create the control socket, this
creates a scenario where there are always two references to the qrtr
module. This prevents the execution of 'rmmod' for qrtr.
To resolve this, forcefully put the module refcount for the socket
opened by the nameservice.
Fixes: a365023a76f2 ("net: qrtr: combine nameservice into main module")
Reported-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Tested-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Chris Lew <quic_clew@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Qinglang Miao
|
66fd37d0a8 |
net: qrtr: fix null-ptr-deref in qrtr_ns_remove
[ Upstream commit 4beb17e553b49c3dd74505c9f361e756aaae653e ]
A null-ptr-deref bug is reported by Hulk Robot like this:
--------------
KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
Call Trace:
qrtr_ns_remove+0x22/0x40 [ns]
qrtr_proto_fini+0xa/0x31 [qrtr]
__x64_sys_delete_module+0x337/0x4e0
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x468ded
--------------
When qrtr_ns_init fails in qrtr_proto_init, qrtr_ns_remove which would
be called later on would raise a null-ptr-deref because qrtr_ns.workqueue
has been destroyed.
Fix it by making qrtr_ns_init have a return value and adding a check in
qrtr_proto_init.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: fd76e5ccc48f ("net: qrtr: ns: Fix module refcnt")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Chuck Lever
|
f148a95f68 |
SUNRPC: Fix gss_free_in_token_pages()
[ Upstream commit bafa6b4d95d97877baa61883ff90f7e374427fae ] Dan Carpenter says: > Commit |
||
Aleksandr Aprelkov
|
2a2bba3cbd |
sunrpc: removed redundant procp check
[ Upstream commit a576f36971ab4097b6aa76433532aa1fb5ee2d3b ]
since vs_proc pointer is dereferenced before getting it's address there's
no need to check for NULL.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes:
|
||
|
Hangbin Liu
|
00e6335329 |
ipv6: sr: fix invalid unregister error path
[ Upstream commit 160e9d2752181fcf18c662e74022d77d3164cd45 ] The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL is not defined. In that case if seg6_hmac_init() fails, the genl_unregister_family() isn't called. This issue exist since commit |
||
|
Hangbin Liu
|
d33327a7c0 |
ipv6: sr: fix incorrect unregister order
[ Upstream commit 6e370a771d2985107e82d0f6174381c1acb49c20 ]
Commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and
null-ptr-deref") changed the register order in seg6_init(). But the
unregister order in seg6_exit() is not updated.
Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240509131812.1662197-3-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Hangbin Liu
|
1ba1b4cc3a |
ipv6: sr: add missing seg6_local_exit
[ Upstream commit 3321687e321307629c71b664225b861ebf3e5753 ]
Currently, we only call seg6_local_exit() in seg6_init() if
seg6_local_init() failed. But forgot to call it in seg6_exit().
Fixes:
|
||
Ilya Maximets
|
5ab6aecbed |
net: openvswitch: fix overwriting ct original tuple for ICMPv6
[ Upstream commit 7c988176b6c16c516474f6fceebe0f055af5eb56 ]
OVS_PACKET_CMD_EXECUTE has 3 main attributes:
- OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.
- OVS_PACKET_ATTR_PACKET - Binary packet content.
- OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.
OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure
with the metadata like conntrack state, input port, recirculation id,
etc. Then the packet itself gets parsed to populate the rest of the
keys from the packet headers.
Whenever the packet parsing code starts parsing the ICMPv6 header, it
first zeroes out fields in the key corresponding to Neighbor Discovery
information even if it is not an ND packet.
It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares
the space between 'nd' and 'ct_orig' that holds the original tuple
conntrack metadata parsed from the OVS_PACKET_ATTR_KEY.
ND packets should not normally have conntrack state, so it's fine to
share the space, but normal ICMPv6 Echo packets or maybe other types of
ICMPv6 can have the state attached and it should not be overwritten.
The issue results in all but the last 4 bytes of the destination
address being wiped from the original conntrack tuple leading to
incorrect packet matching and potentially executing wrong actions
in case this packet recirculates within the datapath or goes back
to userspace.
ND fields should not be accessed in non-ND packets, so not clearing
them should be fine. Executing memset() only for actual ND packets to
avoid the issue.
Initializing the whole thing before parsing is needed because ND packet
may not contain all the options.
The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't
affect packets entering OVS datapath from network interfaces, because
in this case CT metadata is populated from skb after the packet is
already parsed.
Fixes:
|
||
|
Breno Leitao
|
4d51845d73 |
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
[ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ]
A data-race condition has been identified in af_unix. In one data path,
the write function unix_release_sock() atomically writes to
sk->sk_shutdown using WRITE_ONCE. However, on the reader side,
unix_stream_sendmsg() does not read it atomically. Consequently, this
issue is causing the following KCSAN splat to occur:
BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg
write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:
unix_release_sock (net/unix/af_unix.c:640)
unix_release (net/unix/af_unix.c:1050)
sock_close (net/socket.c:659 net/socket.c:1421)
__fput (fs/file_table.c:422)
__fput_sync (fs/file_table.c:508)
__se_sys_close (fs/open.c:1559 fs/open.c:1541)
__x64_sys_close (fs/open.c:1541)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:
unix_stream_sendmsg (net/unix/af_unix.c:2273)
__sock_sendmsg (net/socket.c:730 net/socket.c:745)
____sys_sendmsg (net/socket.c:2584)
__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)
__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
value changed: 0x01 -> 0x03
The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7").
Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.")
addressed a comparable issue in the past regarding sk->sk_shutdown.
However, it overlooked resolving this particular data path.
This patch only offending unix_stream_sendmsg() function, since the
other reads seem to be protected by unix_state_lock() as discussed in
Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/
Fixes:
|
||
gaoxingwang
|
ad31e0e765 |
net: ipv6: fix wrong start position when receive hop-by-hop fragment
[ Upstream commit 1cd354fe1e4864eeaff62f66ee513080ec946f20 ]
In IPv6, ipv6_rcv_core will parse the hop-by-hop type extension header and increase skb->transport_header by one extension header length.
But if there are more other extension headers like fragment header at this time, the skb->transport_header points to the second extension header,
not the transport layer header or the first extension header.
This will result in the start and nexthdrp variable not pointing to the same position in ipv6frag_thdr_trunced,
and ipv6_skip_exthdr returning incorrect offset and frag_off.Sometimes,the length of the last sharded packet is smaller than the calculated incorrect offset, resulting in packet loss.
We can use network header to offset and calculate the correct position to solve this problem.
Fixes:
|
||
|
Eric Dumazet
|
9d13202922 |
net: give more chances to rcu in netdev_wait_allrefs_any()
[ Upstream commit cd42ba1c8ac9deb9032add6adf491110e7442040 ]
This came while reviewing commit c4e86b4363ac ("net: add two more
call_rcu_hurry()").
Paolo asked if adding one synchronize_rcu() would help.
While synchronize_rcu() does not help, making sure to call
rcu_barrier() before msleep(wait) is definitely helping
to make sure lazy call_rcu() are completed.
Instead of waiting ~100 seconds in my tests, the ref_tracker
splats occurs one time only, and netdev_wait_allrefs_any()
latency is reduced to the strict minimum.
Ideally we should audit our call_rcu() users to make sure
no refcount (or cascading call_rcu()) is held too long,
because rcu_barrier() is quite expensive.
Fixes:
|
||
|
Eric Dumazet
|
bc7cae63fa |
tcp: avoid premature drops in tcp_add_backlog()
[ Upstream commit ec00ed472bdb7d0af840da68c8c11bff9f4d9caa ]
While testing TCP performance with latest trees,
I saw suspect SOCKET_BACKLOG drops.
tcp_add_backlog() computes its limit with :
limit = (u32)READ_ONCE(sk->sk_rcvbuf) +
(u32)(READ_ONCE(sk->sk_sndbuf) >> 1);
limit += 64 * 1024;
This does not take into account that sk->sk_backlog.len
is reset only at the very end of __release_sock().
Both sk->sk_backlog.len and sk->sk_rmem_alloc could reach
sk_rcvbuf in normal conditions.
We should double sk->sk_rcvbuf contribution in the formula
to absorb bubbles in the backlog, which happen more often
for very fast flows.
This change maintains decent protection against abuses.
Fixes:
|
||
Gabriel Krisman Bertazi
|
69fab9d2e2 |
udp: Avoid call to compute_score on multiple sites
[ Upstream commit 50aee97d15113b95a68848db1f0cb2a6c09f753a ]
We've observed a 7-12% performance regression in iperf3 UDP ipv4 and
ipv6 tests with multiple sockets on Zen3 cpus, which we traced back to
commit f0ea27e7bfe1 ("udp: re-score reuseport groups when connected
sockets are present"). The failing tests were those that would spawn
UDP sockets per-cpu on systems that have a high number of cpus.
Unsurprisingly, it is not caused by the extra re-scoring of the reused
socket, but due to the compiler no longer inlining compute_score, once
it has the extra call site in udp4_lib_lookup2. This is augmented by
the "Safe RET" mitigation for SRSO, needed in our Zen3 cpus.
We could just explicitly inline it, but compute_score() is quite a large
function, around 300b. Inlining in two sites would almost double
udp4_lib_lookup2, which is a silly thing to do just to workaround a
mitigation. Instead, this patch shuffles the code a bit to avoid the
multiple calls to compute_score. Since it is a static function used in
one spot, the compiler can safely fold it in, as it did before, without
increasing the text size.
With this patch applied I ran my original iperf3 testcases. The failing
cases all looked like this (ipv4):
iperf3 -c 127.0.0.1 --udp -4 -f K -b $R -l 8920 -t 30 -i 5 -P 64 -O 2
where $R is either 1G/10G/0 (max, unlimited). I ran 3 times each.
baseline is v6.9-rc3. harmean == harmonic mean; CV == coefficient of
variation.
ipv4:
1G 10G MAX
HARMEAN (CV) HARMEAN (CV) HARMEAN (CV)
baseline 1743852.66(0.0208) 1725933.02(0.0167) 1705203.78(0.0386)
patched 1968727.61(0.0035) 1962283.22(0.0195) 1923853.50(0.0256)
ipv6:
1G 10G MAX
HARMEAN (CV) HARMEAN (CV) HARMEAN (CV)
baseline 1729020.03(0.0028) 1691704.49(0.0243) 1692251.34(0.0083)
patched 1900422.19(0.0067) 1900968.01(0.0067) 1568532.72(0.1519)
This restores the performance we had before the change above with this
benchmark. We obviously don't expect any real impact when mitigations
are disabled, but just to be sure it also doesn't regresses:
mitigations=off ipv4:
1G 10G MAX
HARMEAN (CV) HARMEAN (CV) HARMEAN (CV)
baseline 3230279.97(0.0066) 3229320.91(0.0060) 2605693.19(0.0697)
patched 3242802.36(0.0073) 3239310.71(0.0035) 2502427.19(0.0882)
Cc: Lorenz Bauer <lmb@isovalent.com>
Fixes: f0ea27e7bfe1 ("udp: re-score reuseport groups when connected sockets are present")
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Lorenz Bauer
|
452f8dc251 |
net: remove duplicate reuseport_lookup functions
[ Upstream commit 0f495f7617229772403e683033abc473f0f0553c ] There are currently four copies of reuseport_lookup: one each for (TCP, UDP)x(IPv4, IPv6). This forces us to duplicate all callers of those functions as well. This is already the case for sk_lookup helpers (inet,inet6,udp4,udp6)_lookup_run_bpf. There are two differences between the reuseport_lookup helpers: 1. They call different hash functions depending on protocol 2. UDP reuseport_lookup checks that sk_state != TCP_ESTABLISHED Move the check for sk_state into the caller and use the INDIRECT_CALL infrastructure to cut down the helpers to one per IP version. Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Signed-off-by: Lorenz Bauer <lmb@isovalent.com> Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-4-7021b683cdae@isovalent.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> Stable-dep-of: 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Lorenz Bauer
|
0ce990e6ef |
net: export inet_lookup_reuseport and inet6_lookup_reuseport
[ Upstream commit ce796e60b3b196b61fcc565df195443cbb846ef0 ] Rename the existing reuseport helpers for IPv4 and IPv6 so that they can be invoked in the follow up commit. Export them so that building DCCP and IPv6 as a module works. No change in functionality. Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Signed-off-by: Lorenz Bauer <lmb@isovalent.com> Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-3-7021b683cdae@isovalent.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> Stable-dep-of: 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Igor Artemiev
|
c7d22022ec |
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
[ Upstream commit 9ef369973cd2c97cce3388d2c0c7e3c056656e8a ] The declarations of the tx_rx_evt class and the rdev_set_antenna event use the wrong order of arguments in the TP_ARGS macro. Fix the order of arguments in the TP_ARGS macro. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Igor Artemiev <Igor.A.Artemiev@mcst.ru> Link: https://msgid.link/20240405152431.270267-1-Igor.A.Artemiev@mcst.ru Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
3a2d2273f6 |
Merge 5.10.218 into android12-5.10-lts
Changes in 5.10.218 pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() x86/xen: Drop USERGS_SYSRET64 paravirt call Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access net: bcmgenet: synchronize UMAC_CMD access ima: fix deadlock when traversing "ima_default_rules". netlink: annotate lockless accesses to nlk->max_recvmsg_len KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection firmware: arm_scmi: Harden accesses to the reset domains mptcp: ensure snd_nxt is properly initialized on connect btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() usb: typec: ucsi: displayport: Fix potential deadlock serial: kgdboc: Fix NMI-safety problems from keyboard reset code docs: kernel_include.py: Cope with docutils 0.21 Linux 5.10.218 Change-Id: Ic5eed7370c42b3d8637a72edd4f82f5efa706e09 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
dde5ece421 |
Merge 5.10.217 into android12-5.10-lts
Changes in 5.10.217
dmaengine: pl330: issue_pending waits until WFP state
dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state"
wifi: nl80211: don't free NULL coalescing rule
eeprom: at24: Use dev_err_probe for nvmem register failure
eeprom: at24: Probe for DDR3 thermal sensor in the SPD case
eeprom: at24: fix memory corruption race condition
pinctrl: pinctrl-aspeed-g6: Fix register offset for pinconf of GPIOR-T
pinctrl/meson: fix typo in PDM's pin name
pinctrl: core: delete incorrect free in pinctrl_enable()
pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic
pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback
pinctrl: mediatek: paris: Rework support for PIN_CONFIG_{INPUT,OUTPUT}_ENABLE
sunrpc: add a struct rpc_stats arg to rpc_create_args
nfs: expose /proc/net/sunrpc/nfs in net namespaces
nfs: make the rpc_stat per net namespace
nfs: Handle error of rpc_proc_register() in nfs_net_init().
power: rt9455: hide unused rt9455_boost_voltage_values
pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
regulator: mt6360: De-capitalize devicetree regulator subnodes
s390/mm: Fix storage key clearing for guest huge pages
s390/mm: Fix clearing storage keys for huge pages
bna: ensure the copied buf is NUL terminated
octeontx2-af: avoid off-by-one read from userspace
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
net l2tp: drop flow hash on forward
s390/vdso: Add CFI for RA register to asm macro vdso_func
net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()
net: qede: use return from qede_parse_flow_attr() for flower
net: qede: use return from qede_parse_flow_attr() for flow_spec
net: qede: use return from qede_parse_actions()
ASoC: Fix 7/8 spaces indentation in Kconfig
ASoC: meson: cards: select SND_DYNAMIC_MINORS
cxgb4: Properly lock TX queue for the selftest.
net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
net: bridge: fix multicast-to-unicast with fraglist GSO
net: core: reject skb_copy(_expand) for fraglist GSO skbs
tipc: fix a possible memleak in tipc_buf_append
net: gro: add flush check in udp_gro_receive_segment
clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
KVM: arm64: vgic-v2: Use cpuid from userspace as vcpu_id
KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()
scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic
gfs2: Fix invalid metadata access in punch_hole
wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
wifi: cfg80211: fix rdev_dump_mpp() arguments order
net: mark racy access on sk->sk_rcvbuf
scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload
btrfs: return accurate error code on open failure in open_fs_devices()
ALSA: line6: Zero-initialize message buffers
net: bcmgenet: Reset RBUF on first open
ata: sata_gemini: Check clk_enable() result
firewire: ohci: mask bus reset interrupts between ISR and bottom half
tools/power turbostat: Fix added raw MSR output
tools/power turbostat: Fix Bzy_MHz documentation typo
btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve
btrfs: always clear PERTRANS metadata during commit
scsi: target: Fix SELinux error when systemd-modules loads the target module
blk-iocost: avoid out of bounds shift
gpu: host1x: Do not setup DMA for virtual devices
MIPS: scall: Save thread_info.syscall unconditionally on entry
selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior
fs/9p: only translate RWX permissions for plain 9P2000
fs/9p: translate O_TRUNC into OTRUNC
9p: explicitly deny setlease attempts
gpio: wcove: Use -ENOTSUPP consistently
gpio: crystalcove: Use -ENOTSUPP consistently
clk: Don't hold prepare_lock when calling kref_put()
fs/9p: drop inodes immediately on non-.L too
drm/nouveau/dp: Don't probe eDP ports twice harder
net:usb:qmi_wwan: support Rolling modules
xfrm: Preserve vlan tags for transport mode software GRO
tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
hwmon: (corsair-cpro) Use a separate buffer for sending commands
hwmon: (corsair-cpro) Use complete_all() instead of complete() in ccp_raw_event()
hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock
phonet: fix rtm_phonet_notify() skb allocation
kcov: Remove kcov include from sched.h and move it to its users.
net: bridge: fix corrupted ethernet header on multicast-to-unicast
ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
net: hns3: use appropriate barrier function after setting a bit value
btrfs: fix kvcalloc() arguments order in btrfs_ioctl_send()
firewire: nosy: ensure user_length is taken into account when fetching packet contents
arm64: dts: qcom: Fix 'interrupt-map' parent address cells
usb: typec: ucsi: Check for notifications after init
usb: typec: ucsi: Fix connector check on init
usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed device
usb: ohci: Prevent missed ohci interrupts
usb: gadget: composite: fix OS descriptors w_value logic
usb: gadget: f_fs: Fix a race condition when processing setup packets.
usb: xhci-plat: Don't include xhci.h
usb: dwc3: core: Prevent phy suspend during init
ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU
iio:imu: adis16475: Fix sync mode setting
iio: accel: mxc4005: Interrupt handling fixes
tipc: fix UAF in error path
net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()
ASoC: tegra: Fix DSPK 16-bit playback
dyndbg: fix old BUG_ON in >control parser
mei: me: add lunar lake point M DID
drm/vmwgfx: Fix invalid reads in fence signaled events
net: fix out-of-bounds access in ops_init
hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us
regulator: core: fix debugfs creation regression
keys: Fix overwrite of key expiration on instantiation
md: fix kmemleak of rdev->serial
Linux 5.10.217
Change-Id: I63eef00187948953d29febc26cc4c2c30166f7aa
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
c15c1199d6 |
Merge 5.10.216 into android12-5.10-lts
Changes in 5.10.216
batman-adv: Avoid infinite loop trying to resize local TT
Bluetooth: Fix memory leak in hci_req_sync_complete()
media: cec: core: remove length check of Timer Status
nouveau: fix function cast warning
net: openvswitch: fix unwanted error log on timeout policy probing
u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
geneve: fix header validation in geneve[6]_xmit_skb
octeontx2-af: Fix NIX SQ mode and BP config
ipv6: fib: hide unused 'pn' variable
ipv4/route: avoid unused-but-set-variable warning
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
Bluetooth: SCO: Fix not validating setsockopt user input
netfilter: complete validation of user input
net/mlx5: Properly link new fs rules into the tree
af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
af_unix: Fix garbage collector racing against connect()
net: ena: Fix potential sign extension issue
net: ena: Wrong missing IO completions check order
net: ena: Fix incorrect descriptor free behavior
iommu/vt-d: Allocate local memory for page request queue
mailbox: imx: fix suspend failue
btrfs: qgroup: correctly model root qgroup rsv in convert
drm/client: Fully protect modes[] with dev->mode_config.mutex
vhost: Add smp_rmb() in vhost_vq_avail_empty()
x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n
selftests: timers: Fix abs() warning in posix_timers test
x86/apic: Force native_apic_mem_read() to use the MOV instruction
irqflags: Explicitly ignore lockdep_hrtimer_exit() argument
btrfs: record delayed inode root in transaction
riscv: Enable per-task stack canaries
riscv: process: Fix kernel gp leakage
selftests/ftrace: Limit length in subsystem-enable tests
kprobes: Fix possible use-after-free issue on kprobe registration
Revert "tracing/trigger: Fix to return error if failed to alloc snapshot"
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
netfilter: nft_set_pipapo: do not free live element
tun: limit printing rate when illegal packet received by tun dev
RDMA/rxe: Fix the problem "mutex_destroy missing"
RDMA/cm: Print the old state when cm_destroy_id gets timeout
RDMA/mlx5: Fix port number for counter query in multi-port configuration
drm: nv04: Fix out of bounds access
drm/panel: visionox-rm69299: don't unregister DSI device
clk: Remove prepare_lock hold assertion in __clk_release()
clk: Mark 'all_lists' as const
clk: remove extra empty line
clk: Print an info line before disabling unused clocks
clk: Initialize struct clk_core kref earlier
clk: Get runtime PM before walking tree during disable_unused
x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ
binder: check offset alignment in binder_get_object()
thunderbolt: Avoid notify PM core about runtime PM resume
thunderbolt: Fix wake configurations after device unplug
comedi: vmk80xx: fix incomplete endpoint checking
serial/pmac_zilog: Remove flawed mitigation for rx irq flood
USB: serial: option: add Fibocom FM135-GL variants
USB: serial: option: add support for Fibocom FM650/FG650
USB: serial: option: add Lonsung U8300/U9300 product
USB: serial: option: support Quectel EM060K sub-models
USB: serial: option: add Rolling RW101-GL and RW135-GL support
USB: serial: option: add Telit FN920C04 rmnet compositions
Revert "usb: cdc-wdm: close race between read and workqueue"
usb: dwc2: host: Fix dereference issue in DDMA completion flow.
usb: Disable USB3 LPM at shutdown
mei: me: disable RPL-S on SPS and IGN firmwares
speakup: Avoid crash on very long word
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
init/main.c: Fix potential static_command_line memory overflow
drm/amdgpu: validate the parameters of bo mapping operations more clearly
nouveau: fix instmem race condition around ptr stores
nilfs2: fix OOB in nilfs_set_de_type
arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro dts
arm64: dts: mediatek: mt7622: add support for coherent DMA
arm64: dts: mediatek: mt7622: introduce nodes for Wireless Ethernet Dispatch
arm64: dts: mediatek: mt7622: fix clock controllers
arm64: dts: mediatek: mt7622: fix IR nodename
arm64: dts: mediatek: mt7622: fix ethernet controller "compatible"
arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block
arm64: dts: mediatek: mt2712: fix validation errors
ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
wifi: iwlwifi: mvm: remove old PASN station when adding a new one
vxlan: drop packets from invalid src-address
mlxsw: core: Unregister EMAD trap using FORWARD action
NFC: trf7970a: disable all regulators on removal
ipv4: check for NULL idev in ip_route_use_hint()
net: usb: ax88179_178a: stop lying about skb->truesize
net: gtp: Fix Use-After-Free in gtp_dellink
ipvs: Fix checksumming on GSO of SCTP packets
net: openvswitch: Fix Use-After-Free in ovs_ct_exit
mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
mlxsw: spectrum_acl_tcam: Rate limit error message
mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
mlxsw: spectrum_acl_tcam: Fix warning during rehash
mlxsw: spectrum_acl_tcam: Fix incorrect list API usage
mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
netfilter: nf_tables: honor table dormant flag from netdev release event path
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
i40e: Report MFS in decimal base instead of hex
iavf: Fix TC config comparison with existing adapter TC config
net: ethernet: ti: am65-cpts: Fix PTPv1 message type on TX packets
af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
serial: core: Provide port lock wrappers
serial: mxs-auart: add spinlock around changing cts state
Revert "crypto: api - Disallow identical driver names"
net/mlx5e: Fix a race in command alloc flow
tracing: Show size of requested perf buffer
tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together
PM / devfreq: Fix buffer overflow in trans_stat_show
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
cpu: Re-enable CPU mitigations by default for !X86 architectures
arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3
drm/amdgpu: Fix leak when GPU memory allocation fails
irqchip/gic-v3-its: Prevent double free on error
ethernet: Add helper for assigning packet type when dest address does not match device address
net: b44: set pause params only when interface is up
stackdepot: respect __GFP_NOLOCKDEP allocation flag
mtd: diskonchip: work around ubsan link failure
tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()
dmaengine: owl: fix register access functions
idma64: Don't try to serve interrupts when device is powered off
dma: xilinx_dpdma: Fix locking
riscv: fix VMALLOC_START definition
riscv: Fix TASK_SIZE on 64-bit NOMMU
i2c: smbus: fix NULL function pointer dereference
HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
udp: preserve the connected status if only UDP cmsg
serial: core: fix kernel-doc for uart_port_unlock_irqrestore()
riscv: Disable STACKPROTECTOR_PER_TASK if GCC_PLUGIN_RANDSTRUCT is enabled
Linux 5.10.216
Change-Id: Ia2bf3ba6ed3f36a56f71543442427eb770a2400b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Kuniyuki Iwashima
|
f91f368b2e |
UPSTREAM: af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
[ Upstream commit 97af84a6bba2ab2b9c704c08e67de3b5ea551bb2 ] When touching unix_sk(sk)->inflight, we are always under spin_lock(&unix_gc_lock). Let's convert unix_sk(sk)->inflight to the normal unsigned long. Bug: 336226035 Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: 47d8ac011fe1 ("af_unix: Fix garbage collector racing against connect()") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 301fdbaa0bba4653570f07789909939f977a7620) Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I0d965d5f2a863d798c06de9f21d0467f256b538e |
||
|
Greg Kroah-Hartman
|
9d06d47cd2 |
ANDROID: ABI fixup for abi break in struct dst_ops
In commit 92f1655aa2b2 ("net: fix __dst_negative_advice() race") the
struct dst_ops callback negative_advice is callback changes function
parameters. But as this pointer is part of a structure that is tracked
in the ABI checker, the tool triggers when this is changed.
However, the callback pointer is internal to the networking stack, so
changing the function type is safe, so needing to preserve this is not
required. To do so, switch the function pointer type back to the old
one so that the checking tools pass, AND then do a hard cast of the
function pointer to the new type when assigning and calling the
function.
Bug: 343727534
Fixes: 92f1655aa2b2 ("net: fix __dst_negative_advice() race")
Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Eric Dumazet
|
bff4c6bace |
BACKPORT: net: fix __dst_negative_advice() race
__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.
RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).
Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.
Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.
Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.
Many thanks to Clement Lecigne for tracking this issue.
This old bug became visible after the blamed commit, using UDP sockets.
Bug: 343727534
Fixes:
|
||
|
Greg Kroah-Hartman
|
9100d24dfd |
This is the 5.10.215 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmYaZdgACgkQONu9yGCS
aT4oMxAA0pATFAq8RN5f9CmYlMg5HqHgzZ8lJv8P0/reOINhUa+F5sJb1n+x+Ch4
WQbmiFeZRzfsKZ2qKhIdNR0Lg+9JOr/DtYXdSBZ6InfSWrTAIrQ9fjl5Warkmcgg
O4WbgF5BVgU3vGFATgxLvnUZwhR1D7WK93oMDunzrT7+OqyncU3f1Uj53ZAu9030
z18UNqnTxDLYH/CMGwAeRkaZqBev9gZ1HdgQWA27SVLqWQwZq0al81Cmlo+ECVmk
5dF6V2pid4qfKGJjDDfx1NS0PVnoP68iK4By1SXyoFV9VBiSwp77nUUyDr7YsHsT
u8GpZHr9jZvSO5/xtKv20NPLejTPCRKc06CbkwpikDRtGOocBL8em0GuVqlf8hMs
KwDb6ZEzYhXZGPJHbJM+aRD1tq/KHw9X7TrldOszMQPr6lubBtscPbg1FCg3OlcC
HUrtub0i275x7TH0dJeRTD8TRE9jRmF+tl7KQytEJM3JRrquFjLyhDj+/VJnZkiB
lzj3FRf4zshzgz4+CAeqXO/8Lu8b3fGYmcW1acCmk7emjDcXUKojPj/Aig6T4l7P
oCWDY3+w1E6eiyE8BazxY1KUa/41ld0VJnlW5JWGRaDFTJwrk0h6/rvf9qImSckw
IGx24UezRyp6NS1op3Qm2iwHLr41pFRfKxNm9ppgH9iBPzOhe38=
=pkLL
-----END PGP SIGNATURE-----
Merge 5.10.215 into android12-5.10-lts
Changes in 5.10.215
amdkfd: use calloc instead of kzalloc to avoid integer overflow
Documentation/hw-vuln: Update spectre doc
x86/cpu: Support AMD Automatic IBRS
x86/bugs: Use sysfs_emit()
timers: Update kernel-doc for various functions
timers: Use del_timer_sync() even on UP
timers: Rename del_timer_sync() to timer_delete_sync()
wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
media: staging: ipu3-imgu: Set fields before media_entity_pads_init()
clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd
smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()
smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()
arm: dts: marvell: Fix maxium->maxim typo in brownstone dts
drm/vmwgfx: stop using ttm_bo_create v2
drm/vmwgfx: switch over to the new pin interface v2
drm/vmwgfx/vmwgfx_cmdbuf_res: Remove unused variable 'ret'
drm/vmwgfx: Fix some static checker warnings
drm/vmwgfx: Fix possible null pointer derefence with invalid contexts
serial: max310x: fix NULL pointer dereference in I2C instantiation
media: xc4000: Fix atomicity violation in xc4000_get_frequency
KVM: Always flush async #PF workqueue when vCPU is being destroyed
sparc64: NMI watchdog: fix return value of __setup handler
sparc: vDSO: fix return value of __setup handler
crypto: qat - fix double free during reset
crypto: qat - resolve race condition during AER recovery
selftests/mqueue: Set timeout to 180 seconds
ext4: correct best extent lstart adjustment logic
block: introduce zone_write_granularity limit
block: Clear zone limits for a non-zoned stacked queue
bounds: support non-power-of-two CONFIG_NR_CPUS
fat: fix uninitialized field in nostale filehandles
ubifs: Set page uptodate in the correct place
ubi: Check for too small LEB size in VTBL code
ubi: correct the calculation of fastmap size
mtd: rawnand: meson: fix scrambling mode value in command macro
parisc: Avoid clobbering the C/B bits in the PSW with tophys and tovirt macros
parisc: Fix ip_fast_csum
parisc: Fix csum_ipv6_magic on 32-bit systems
parisc: Fix csum_ipv6_magic on 64-bit systems
parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds
PM: suspend: Set mem_sleep_current during kernel command line setup
clk: qcom: gcc-ipq6018: fix terminating of frequency table arrays
clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays
clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays
clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays
powerpc/fsl: Fix mfpmr build errors with newer binutils
USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB
USB: serial: add device ID for VeriFone adapter
USB: serial: cp210x: add ID for MGP Instruments PDS100
USB: serial: option: add MeiG Smart SLM320 product
USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M
PM: sleep: wakeirq: fix wake irq warning in system suspend
mmc: tmio: avoid concurrent runs of mmc_request_done()
fuse: fix root lookup with nonzero generation
fuse: don't unhash root
usb: typec: ucsi: Clean up UCSI_CABLE_PROP macros
printk/console: Split out code that enables default console
serial: Lock console when calling into driver before registration
btrfs: fix off-by-one chunk length calculation at contains_pending_extent()
PCI: Drop pci_device_remove() test of pci_dev->driver
PCI/PM: Drain runtime-idle callbacks before driver removal
PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities()
PCI: Cache PCIe Device Capabilities register
PCI: Work around Intel I210 ROM BAR overlap defect
PCI/ASPM: Make Intel DG2 L1 acceptable latency unlimited
PCI/DPC: Quirk PIO log size for certain Intel Root Ports
PCI/DPC: Quirk PIO log size for Intel Raptor Lake Root Ports
Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d""
dm-raid: fix lockdep waring in "pers->hot_add_disk"
mac802154: fix llsec key resources release in mac802154_llsec_key_del
mm: swap: fix race between free_swap_and_cache() and swapoff()
mmc: core: Fix switch on gp3 partition
drm/etnaviv: Restore some id values
hwmon: (amc6821) add of_match table
ext4: fix corruption during on-line resize
nvmem: meson-efuse: fix function pointer type mismatch
slimbus: core: Remove usage of the deprecated ida_simple_xx() API
phy: tegra: xusb: Add API to retrieve the port number of phy
usb: gadget: tegra-xudc: Use dev_err_probe()
usb: gadget: tegra-xudc: Fix USB3 PHY retrieval logic
speakup: Fix 8bit characters from direct synth
PCI/ERR: Clear AER status only when we control AER
PCI/AER: Block runtime suspend when handling errors
nfs: fix UAF in direct writes
kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1
PCI: dwc: endpoint: Fix advertised resizable BAR size
vfio/platform: Disable virqfds on cleanup
ring-buffer: Fix waking up ring buffer readers
ring-buffer: Do not set shortest_full when full target is hit
ring-buffer: Fix resetting of shortest_full
ring-buffer: Fix full_waiters_pending in poll
soc: fsl: qbman: Always disable interrupts when taking cgr_lock
soc: fsl: qbman: Add helper for sanity checking cgr ops
soc: fsl: qbman: Add CGR update function
soc: fsl: qbman: Use raw spinlock for cgr_lock
s390/zcrypt: fix reference counting on zcrypt card objects
drm/panel: do not return negative error codes from drm_panel_get_modes()
drm/exynos: do not return negative values from .get_modes()
drm/imx/ipuv3: do not return negative values from .get_modes()
drm/vc4: hdmi: do not return negative values from .get_modes()
memtest: use {READ,WRITE}_ONCE in memory scanning
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
nilfs2: prevent kernel bug at submit_bh_wbc()
cpufreq: dt: always allocate zeroed cpumask
x86/CPU/AMD: Update the Zenbleed microcode revisions
net: hns3: tracing: fix hclgevf trace event strings
wireguard: netlink: check for dangling peer via is_dead instead of empty list
wireguard: netlink: access device through ctx instead of peer
ahci: asm1064: correct count of reported ports
ahci: asm1064: asm1166: don't limit reported ports
drm/amd/display: Return the correct HDCP error code
drm/amd/display: Fix noise issue on HDMI AV mute
dm snapshot: fix lockup in dm_exception_table_exit
vxge: remove unnecessary cast in kfree()
x86/stackprotector/32: Make the canary into a regular percpu variable
x86/pm: Work around false positive kmemleak report in msr_build_context()
scripts: kernel-doc: Fix syntax error due to undeclared args variable
comedi: comedi_test: Prevent timers rescheduling during deletion
cpufreq: brcmstb-avs-cpufreq: fix up "add check for cpufreq_cpu_get's return value"
netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
netfilter: nf_tables: disallow anonymous set with timeout flag
netfilter: nf_tables: reject constant set with timeout
Drivers: hv: vmbus: Calculate ring buffer size for more efficient use of memory
xfrm: Avoid clang fortify warning in copy_to_user_tmpl()
KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform
USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command
usb: gadget: ncm: Fix handling of zero block length packets
usb: port: Don't try to peer unused USB ports based on location
tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled
mei: me: add arrow lake point S DID
mei: me: add arrow lake point H DID
vt: fix unicode buffer corruption when deleting characters
fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
tee: optee: Fix kernel panic caused by incorrect error handling
xen/events: close evtchn after mapping cleanup
printk: Update @console_may_schedule in console_trylock_spinning()
btrfs: allocate btrfs_ioctl_defrag_range_args on stack
x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix
x86/bugs: Add asm helpers for executing VERW
x86/entry_64: Add VERW just before userspace transition
x86/entry_32: Add VERW just before userspace transition
x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key
KVM/VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH
KVM/VMX: Move VERW closer to VMentry for MDS mitigation
x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set
Documentation/hw-vuln: Add documentation for RFDS
x86/rfds: Mitigate Register File Data Sampling (RFDS)
KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests
perf/core: Fix reentry problem in perf_output_read_group()
efivarfs: Request at most 512 bytes for variable names
powerpc: xor_vmx: Add '-mhard-float' to CFLAGS
serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
mm/memory-failure: fix an incorrect use of tail pages
mm/migrate: set swap entry values of THP tail pages properly.
init: open /initrd.image with O_LARGEFILE
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
hexagon: vmlinux.lds.S: handle attributes section
mmc: core: Initialize mmc_blk_ioc_data
mmc: core: Avoid negative index with array access
net: ll_temac: platform_get_resource replaced by wrong function
usb: cdc-wdm: close race between read and workqueue
ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
scsi: core: Fix unremoved procfs host directory regression
staging: vc04_services: changen strncpy() to strscpy_pad()
staging: vc04_services: fix information leak in create_component()
USB: core: Add hub_get() and hub_put() routines
usb: dwc2: host: Fix remote wakeup from hibernation
usb: dwc2: host: Fix hibernation flow
usb: dwc2: host: Fix ISOC flow in DDMA mode
usb: dwc2: gadget: LPM flow fix
usb: udc: remove warning when queue disabled ep
usb: typec: ucsi: Ack unsupported commands
usb: typec: ucsi: Clear UCSI_CCI_RESET_COMPLETE before reset
scsi: qla2xxx: Split FCE|EFT trace control
scsi: qla2xxx: Fix command flush on cable pull
scsi: qla2xxx: Delay I/O Abort on PCI error
x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
PCI/DPC: Quirk PIO log size for Intel Ice Lake Root Ports
scsi: lpfc: Correct size for wqe for memset()
USB: core: Fix deadlock in usb_deauthorize_interface()
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa()
tcp: properly terminate timers for kernel sockets
ACPICA: debugger: check status of acpi_evaluate_object() in acpi_db_walk_for_fields()
bpf: Protect against int overflow for stack access size
Octeontx2-af: fix pause frame configuration in GMP mode
dm integrity: fix out-of-range warning
r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d
x86/cpufeatures: Add new word for scattered features
Bluetooth: hci_event: set the conn encrypted before conn establishes
Bluetooth: Fix TOCTOU in HCI debugfs implementation
netfilter: nf_tables: disallow timeout for anonymous sets
net/rds: fix possible cp null dereference
vfio/pci: Disable auto-enable of exclusive INTx IRQ
vfio/pci: Lock external INTx masking ops
vfio: Introduce interface to flush virqfd inject workqueue
vfio/pci: Create persistent INTx handler
vfio/platform: Create persistent IRQ handlers
vfio/fsl-mc: Block calling interrupt handler without trigger
io_uring: ensure '0' is returned on file registration success
Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped."
mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations
x86/srso: Add SRSO mitigation for Hygon processors
block: add check that partition length needs to be aligned with block size
netfilter: nf_tables: reject new basechain after table flag update
netfilter: nf_tables: flush pending destroy work before exit_net release
netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
netfilter: validate user input for expected length
vboxsf: Avoid an spurious warning if load_nls_xxx() fails
bpf, sockmap: Prevent lock inversion deadlock in map delete elem
net/sched: act_skbmod: prevent kernel-infoleak
net: stmmac: fix rx queue priority assignment
erspan: make sure erspan_base_hdr is present in skb->head
selftests: reuseaddr_conflict: add missing new line at the end of the output
ipv6: Fix infinite recursion in fib6_dump_done().
udp: do not transition UDP GRO fraglist partial checksums to unnecessary
octeontx2-pf: check negative error code in otx2_open()
i40e: fix i40e_count_filters() to count only active/new filters
i40e: fix vf may be used uninitialized in this function warning
scsi: qla2xxx: Update manufacturer details
scsi: qla2xxx: Update manufacturer detail
Revert "usb: phy: generic: Get the vbus supply"
udp: do not accept non-tunnel GSO skbs landing in a tunnel
net: ravb: Always process TX descriptor ring
arm64: dts: qcom: sc7180: Remove clock for bluetooth on Trogdor
arm64: dts: qcom: sc7180-trogdor: mark bluetooth address as broken
ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit
scsi: mylex: Fix sysfs buffer lengths
ata: sata_mv: Fix PCI device ID table declaration compilation warning
ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
driver core: Introduce device_link_wait_removal()
of: dynamic: Synchronize of_changeset_destroy() with the devlink removals
x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()
s390/entry: align system call table on 8 bytes
riscv: Fix spurious errors from __get/put_kernel_nofault
x86/bugs: Fix the SRSO mitigation on Zen3/4
x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO
mptcp: don't account accept() of non-MPC client as fallback to TCP
x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word
objtool: Add asm version of STACK_FRAME_NON_STANDARD
wifi: ath9k: fix LNA selection in ath_ant_try_scan()
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
panic: Flush kernel log buffer at the end
arm64: dts: rockchip: fix rk3328 hdmi ports node
arm64: dts: rockchip: fix rk3399 hdmi ports node
ionic: set adminq irq affinity
pstore/zone: Add a null pointer check to the psz_kmsg_read
tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
btrfs: export: handle invalid inode or root reference in btrfs_get_parent()
btrfs: send: handle path ref underflow in header iterate_inode_ref()
net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()
Bluetooth: btintel: Fix null ptr deref in btintel_read_version
Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails
pinctrl: renesas: checker: Limit cfg reg enum checks to provided IDs
sysv: don't call sb_bread() with pointers_lock held
scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
isofs: handle CDs with bad root inode but good Joliet root directory
media: sta2x11: fix irq handler cast
ext4: add a hint for block bitmap corrupt state in mb_groups
ext4: forbid commit inconsistent quota data when errors=remount-ro
drm/amd/display: Fix nanosec stat overflow
SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int
Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default"
libperf evlist: Avoid out-of-bounds access
block: prevent division by zero in blk_rq_stat_sum()
RDMA/cm: add timeout to cm_destroy_id wait
Input: allocate keycode for Display refresh rate toggle
platform/x86: touchscreen_dmi: Add an extra entry for a variant of the Chuwi Vi8 tablet
ktest: force $buildonly = 1 for 'make_warnings_file' test type
ring-buffer: use READ_ONCE() to read cpu_buffer->commit_page in concurrent environment
tools: iio: replace seekdir() in iio_generic_buffer
usb: typec: tcpci: add generic tcpci fallback compatible
usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined
fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2
drivers/nvme: Add quirks for device 126f:2262
fbmon: prevent division by zero in fb_videomode_from_videomode()
netfilter: nf_tables: release batch on table validation from abort path
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
netfilter: nf_tables: discard table flag update with pending basechain deletion
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
virtio: reenable config if freezing device failed
x86/mm/pat: fix VM_PAT handling in COW mappings
drm/i915/gt: Reset queue_priority_hint on parking
Bluetooth: btintel: Fixe build regression
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
kbuild: dummy-tools: adjust to stricter stackprotector check
scsi: sd: Fix wrong zone_write_granularity value during revalidate
x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk
x86/head/64: Re-enable stack protection
Linux 5.10.215
Change-Id: I45a0a9c4a0683ff5ef97315690f1f884f666e1b5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
e9b3e47f65 |
Merge branch 'android12-5.10' into branch 'android12-5.10-lts'
Catch up with the latest android12-5.10 changes into android12-5.10-lts. Included in here are the following commits: * |
||
|
Greg Kroah-Hartman
|
d615d2d800 |
Merge tag 'android12-5.10.210_r00' into branch android12-5.10
This merges the 5.10.210 LTS releases into the android12-5.10 branch. Included in here are the following commits: * |
||
|
Paolo Abeni
|
99951b62bf |
mptcp: ensure snd_nxt is properly initialized on connect
commit fb7a0d334894206ae35f023a82cad5a290fd7386 upstream.
Christoph reported a splat hinting at a corrupted snd_una:
WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Modules linked in:
CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8
8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe
<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9
RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4
RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000
R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000
FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0
Call Trace:
<TASK>
__mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]
mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]
__mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615
mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767
process_one_work+0x1e0/0x560 kernel/workqueue.c:3254
process_scheduled_works kernel/workqueue.c:3335 [inline]
worker_thread+0x3c7/0x640 kernel/workqueue.c:3416
kthread+0x121/0x170 kernel/kthread.c:388
ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
When fallback to TCP happens early on a client socket, snd_nxt
is not yet initialized and any incoming ack will copy such value
into snd_una. If the mptcp worker (dumbly) tries mptcp-level
re-injection after such ack, that would unconditionally trigger a send
buffer cleanup using 'bad' snd_una values.
We could easily disable re-injection for fallback sockets, but such
dumb behavior already helped catching a few subtle issues and a very
low to zero impact in practice.
Instead address the issue always initializing snd_nxt (and write_seq,
for consistency) at connect time.
Fixes:
|
||
|
Eric Dumazet
|
05c9e3fc93 |
netlink: annotate lockless accesses to nlk->max_recvmsg_len
commit a1865f2e7d10dde00d35a2122b38d2e469ae67ed upstream.
syzbot reported a data-race in data-race in netlink_recvmsg() [1]
Indeed, netlink_recvmsg() can be run concurrently,
and netlink_dump() also needs protection.
[1]
BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0:
netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg net/socket.c:1038 [inline]
__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194
__do_sys_recvfrom net/socket.c:2212 [inline]
__se_sys_recvfrom net/socket.c:2208 [inline]
__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1:
netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg net/socket.c:1038 [inline]
____sys_recvmsg+0x156/0x310 net/socket.c:2720
___sys_recvmsg net/socket.c:2762 [inline]
do_recvmmsg+0x2e5/0x710 net/socket.c:2856
__sys_recvmmsg net/socket.c:2935 [inline]
__do_sys_recvmmsg net/socket.c:2958 [inline]
__se_sys_recvmmsg net/socket.c:2951 [inline]
__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x0000000000000000 -> 0x0000000000001000
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Fixes:
|
||
|
Michael Bestas
|
3d555eb27b
|
Merge tag 'ASB-2024-05-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
https://source.android.com/docs/security/bulletin/2024-05-01 CVE-2023-4622 * tag 'ASB-2024-05-05_12-5.10' of https://android.googlesource.com/kernel/common: ANDROID: 16K: Fix show maps CFI failure ANDROID: 16K: Handle pad VMA splits and merges ANDROID: 16K: madvise_vma_pad_pages: Remove filemap_fault check ANDROID: 16K: Only madvise padding from dynamic linker context ANDROID: 16K: Separate padding from ELF LOAD segment mappings ANDROID: 16K: Exclude ELF padding for fault around range ANDROID: 16K: Use MADV_DONTNEED to save VMA padding pages. ANDROID: 16K: Introduce ELF padding representation for VMAs ANDROID: 16K: Introduce /sys/kernel/mm/pgsize_miration/enabled ANDROID: GKI: Update symbols to symbol list UPSTREAM: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path UPSTREAM: netfilter: nf_tables: release batch on table validation from abort path UPSTREAM: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout UPSTREAM: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain BACKPORT: mm: update mark_victim tracepoints fields Revert "FROMGIT: BACKPORT: mm: update mark_victim tracepoints fields" UPSTREAM: usb: gadget: uvc: decrease the interrupt load to a quarter UPSTREAM: netfilter: nft_set_pipapo: release elements in clone only from destroy path Conflicts: android/abi_gki_aarch64.xml Change-Id: Id61e44a9518520f6e8915e5f6a4368d64b805533 |
||
|
Michael Bestas
|
42fc85e576
|
Merge tag 'ASB-2024-04-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
https://source.android.com/docs/security/bulletin/2024-04-01 * tag 'ASB-2024-04-05_12-5.10' of https://android.googlesource.com/kernel/common: (442 commits) FROMLIST: binder: check offset alignment in binder_get_object() ANDROID: enable CONFIG_USB_XHCI_PCI_RENESAS in gki_defconfig UPSTREAM: usb: dwc3: core: set force_gen1 bit in USB31 devices if max speed is SS ANDROID: userfaultfd: abort uffdio ops if mmap_lock is contended ANDROID: userfaultfd: add MMAP_TRYLOCK mode for COPY/ZEROPAGE UPSTREAM: coresight: etm4x: Remove bogous __exit annotation for some functions UPSTREAM: ASoC: hdmi-codec: register hpd callback on component probe UPSTREAM: usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm() UPSTREAM: mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions() UPSTREAM: task_work: add kerneldoc annotation for 'data' argument UPSTREAM: x86/purgatory: Remove LTO flags UPSTREAM: tcpm: Avoid soft reset when partner does not support get_status UPSTREAM: block/mq-deadline: use correct way to throttling write requests UPSTREAM: usb: typec: tcpm: Fix response to vsafe0V event UPSTREAM: clk: Fix memory leak in devm_clk_notifier_register() UPSTREAM: selftests: damon: add config file ANDROID: abi_gki_aarch64_qcom: Export trace_android_vh_try_fixup_sea ANDROID: arm64: Call fixup_exception() within do_sea() ANDROID: userfaultfd: allow SPF for UFFD_FEATURE_SIGBUS on private+anon ANDROID: GKI: db845c: Update symbols list and ABI ... Conflicts: Documentation/devicetree/bindings/nvmem/mxs-ocotp.yaml Documentation/devicetree/bindings~HEAD arch/powerpc/lib/Makefile Change-Id: I6524da89cb855824fa28a95396d3683af4a10046 |
||
Thadeu Lima de Souza Cascardo
|
0c3248bc70 |
net: fix out-of-bounds access in ops_init
commit a26ff37e624d12e28077e5b24d2b264f62764ad6 upstream.
net_alloc_generic is called by net_alloc, which is called without any
locking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It
is read twice, first to allocate an array, then to set s.len, which is
later used to limit the bounds of the array access.
It is possible that the array is allocated and another thread is
registering a new pernet ops, increments max_gen_ptrs, which is then used
to set s.len with a larger than allocated length for the variable array.
Fix it by reading max_gen_ptrs only once in net_alloc_generic. If
max_gen_ptrs is later incremented, it will be caught in net_assign_generic.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Fixes:
|
||
|
Paolo Abeni
|
367766ff9e |
tipc: fix UAF in error path
commit 080cbb890286cd794f1ee788bbc5463e2deb7c2b upstream.
Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported
a UAF in the tipc_buf_append() error path:
BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
linux/net/core/skbuff.c:1183
Read of size 8 at addr ffff88804d2a7c80 by task poc/8034
CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.0-debian-1.16.0-5 04/01/2014
Call Trace:
<IRQ>
__dump_stack linux/lib/dump_stack.c:88
dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106
print_address_description linux/mm/kasan/report.c:377
print_report+0xc4/0x620 linux/mm/kasan/report.c:488
kasan_report+0xda/0x110 linux/mm/kasan/report.c:601
kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026
skb_release_all linux/net/core/skbuff.c:1094
__kfree_skb linux/net/core/skbuff.c:1108
kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144
kfree_skb linux/./include/linux/skbuff.h:1244
tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186
tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324
tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824
tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159
tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390
udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108
udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186
udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346
__udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422
ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233
NF_HOOK linux/./include/linux/netfilter.h:314
NF_HOOK linux/./include/linux/netfilter.h:308
ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254
dst_input linux/./include/net/dst.h:461
ip_rcv_finish linux/net/ipv4/ip_input.c:449
NF_HOOK linux/./include/linux/netfilter.h:314
NF_HOOK linux/./include/linux/netfilter.h:308
ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569
__netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534
__netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648
process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976
__napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576
napi_poll linux/net/core/dev.c:6645
net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781
__do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553
do_softirq linux/kernel/softirq.c:454
do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441
</IRQ>
<TASK>
__local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381
local_bh_enable linux/./include/linux/bottom_half.h:33
rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851
__dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378
dev_queue_xmit linux/./include/linux/netdevice.h:3169
neigh_hh_output linux/./include/net/neighbour.h:526
neigh_output linux/./include/net/neighbour.h:540
ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235
__ip_finish_output linux/net/ipv4/ip_output.c:313
__ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295
ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323
NF_HOOK_COND linux/./include/linux/netfilter.h:303
ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433
dst_output linux/./include/net/dst.h:451
ip_local_out linux/net/ipv4/ip_output.c:129
ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492
udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963
udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250
inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850
sock_sendmsg_nosec linux/net/socket.c:730
__sock_sendmsg linux/net/socket.c:745
__sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191
__do_sys_sendto linux/net/socket.c:2203
__se_sys_sendto linux/net/socket.c:2199
__x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199
do_syscall_x64 linux/arch/x86/entry/common.c:52
do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120
RIP: 0033:0x7f3434974f29
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29
RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003
RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
In the critical scenario, either the relevant skb is freed or its
ownership is transferred into a frag_lists. In both cases, the cleanup
code must not free it again: we need to clear the skb reference earlier.
Fixes:
|
||
|
Eric Dumazet
|
674c951ab8 |
ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
[ Upstream commit d101291b2681e5ab938554e3e323f7a7ee33e3aa ]
syzbot is able to trigger the following crash [1],
caused by unsafe ip6_dst_idev() use.
Indeed ip6_dst_idev() can return NULL, and must always be checked.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]
RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267
Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c
RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700
RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760
RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd
R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000
R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00
FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317
fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108
ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]
ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649
ip6_route_output include/net/ip6_route.h:93 [inline]
ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120
ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250
sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326
sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455
sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662
sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099
__sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197
sctp_connect net/sctp/socket.c:4819 [inline]
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834
__sys_connect_file net/socket.c:2048 [inline]
__sys_connect+0x2df/0x310 net/socket.c:2065
__do_sys_connect net/socket.c:2075 [inline]
__se_sys_connect net/socket.c:2072 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2072
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes:
|
||
Felix Fietkau
|
9a2a5cd84f |
net: bridge: fix corrupted ethernet header on multicast-to-unicast
[ Upstream commit 86b29d830ad69eecff25b22dc96c14c6573718e6 ]
The change from skb_copy to pskb_copy unfortunately changed the data
copying to omit the ethernet header, since it was pulled before reaching
this point. Fix this by calling __skb_push/pull around pskb_copy.
Fixes: 59c878cbcdd8 ("net: bridge: fix multicast-to-unicast with fraglist GSO")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Sebastian Andrzej Siewior
|
e7eb0737c6 |
kcov: Remove kcov include from sched.h and move it to its users.
[ Upstream commit 183f47fcaa54a5ffe671d990186d330ac8c63b10 ] The recent addition of in_serving_softirq() to kconv.h results in compile failure on PREEMPT_RT because it requires task_struct::softirq_disable_cnt. This is not available if kconv.h is included from sched.h. It is not needed to include kconv.h from sched.h. All but the net/ user already include the kconv header file. Move the include of the kconv.h header from sched.h it its users. Additionally include sched.h from kconv.h to ensure that everything task_struct related is available. Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Ingo Molnar <mingo@kernel.org> Acked-by: Johannes Berg <johannes@sipsolutions.net> Acked-by: Andrey Konovalov <andreyknvl@google.com> Link: https://lkml.kernel.org/r/20210218173124.iy5iyqv3a4oia4vv@linutronix.de Stable-dep-of: 19e35f24750d ("nfc: nci: Fix kcov check in nci_rx_work()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
f085e02f0a |
phonet: fix rtm_phonet_notify() skb allocation
[ Upstream commit d8cac8568618dcb8a51af3db1103e8d4cc4aeea7 ]
fill_route() stores three components in the skb:
- struct rtmsg
- RTA_DST (u8)
- RTA_OIF (u32)
Therefore, rtm_phonet_notify() should use
NLMSG_ALIGN(sizeof(struct rtmsg)) +
nla_total_size(1) +
nla_total_size(4)
Fixes:
|
||
Roded Zats
|
6c8f44b025 |
rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
[ Upstream commit 1aec77b2bb2ed1db0f5efc61c4c1ca3813307489 ]
Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a
struct ifla_vf_vlan_info so the size of such attribute needs to be at least
of sizeof(struct ifla_vf_vlan_info) which is 14 bytes.
The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)
which is less than sizeof(struct ifla_vf_vlan_info) so this validation
is not enough and a too small attribute might be cast to a
struct ifla_vf_vlan_info, this might result in an out of bands
read access when accessing the saved (casted) entry in ivvl.
Fixes:
|
||
Duoming Zhou
|
06acb75e7e |
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
[ Upstream commit adf0398cee86643b8eacde95f17d073d022f782c ]
There is a race condition between l2cap_chan_timeout() and
l2cap_chan_del(). When we use l2cap_chan_del() to delete the
channel, the chan->conn will be set to null. But the conn could
be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
As a result the null pointer dereference bug will happen. The
KASAN report triggered by POC is shown below:
[ 472.074580] ==================================================================
[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
[ 472.075308]
[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.075308] Workqueue: events l2cap_chan_timeout
[ 472.075308] Call Trace:
[ 472.075308] <TASK>
[ 472.075308] dump_stack_lvl+0x137/0x1a0
[ 472.075308] print_report+0x101/0x250
[ 472.075308] ? __virt_addr_valid+0x77/0x160
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_report+0x139/0x170
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_check_range+0x2c3/0x2e0
[ 472.075308] mutex_lock+0x68/0xc0
[ 472.075308] l2cap_chan_timeout+0x181/0x300
[ 472.075308] process_one_work+0x5d2/0xe00
[ 472.075308] worker_thread+0xe1d/0x1660
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] kthread+0x2b7/0x350
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork+0x4d/0x80
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork_asm+0x11/0x20
[ 472.075308] </TASK>
[ 472.075308] ==================================================================
[ 472.094860] Disabling lock debugging due to kernel taint
[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158
[ 472.096136] #PF: supervisor write access in kernel mode
[ 472.096136] #PF: error_code(0x0002) - not-present page
[ 472.096136] PGD 0 P4D 0
[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.096136] Workqueue: events l2cap_chan_timeout
[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
[ 472.096136] Call Trace:
[ 472.096136] <TASK>
[ 472.096136] ? __die_body+0x8d/0xe0
[ 472.096136] ? page_fault_oops+0x6b8/0x9a0
[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0
[ 472.096136] ? do_user_addr_fault+0x1027/0x1340
[ 472.096136] ? _printk+0x7a/0xa0
[ 472.096136] ? mutex_lock+0x68/0xc0
[ 472.096136] ? add_taint+0x42/0xd0
[ 472.096136] ? exc_page_fault+0x6a/0x1b0
[ 472.096136] ? asm_exc_page_fault+0x26/0x30
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] ? mutex_lock+0x88/0xc0
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] l2cap_chan_timeout+0x181/0x300
[ 472.096136] process_one_work+0x5d2/0xe00
[ 472.096136] worker_thread+0xe1d/0x1660
[ 472.096136] ? pr_cont_work+0x5e0/0x5e0
[ 472.096136] kthread+0x2b7/0x350
[ 472.096136] ? pr_cont_work+0x5e0/0x5e0
[ 472.096136] ? kthread_blkcg+0xd0/0xd0
[ 472.096136] ret_from_fork+0x4d/0x80
[ 472.096136] ? kthread_blkcg+0xd0/0xd0
[ 472.096136] ret_from_fork_asm+0x11/0x20
[ 472.096136] </TASK>
[ 472.096136] Modules linked in:
[ 472.096136] CR2: 0000000000000158
[ 472.096136] ---[ end trace 0000000000000000 ]---
[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
[ 472.132932] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
[ 472.132932] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
[ 472.132932] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[ 472.132932] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 472.132932] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
[ 472.132932] Kernel panic - not syncing: Fatal exception
[ 472.132932] Kernel Offset: disabled
[ 472.132932] ---[ end Kernel panic - not syncing: Fatal exception ]---
Add a check to judge whether the conn is null in l2cap_chan_timeout()
in order to mitigate the bug.
Fixes:
|
||
|
Duoming Zhou
|
33a6e92161 |
Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
[ Upstream commit 483bc08181827fc475643272ffb69c533007e546 ]
When the sco connection is established and then, the sco socket
is releasing, timeout_work will be scheduled to judge whether
the sco disconnection is timeout. The sock will be deallocated
later, but it is dereferenced again in sco_sock_timeout. As a
result, the use-after-free bugs will happen. The root cause is
shown below:
Cleanup Thread | Worker Thread
sco_sock_release |
sco_sock_close |
__sco_sock_close |
sco_sock_set_timer |
schedule_delayed_work |
sco_sock_kill | (wait a time)
sock_put(sk) //FREE | sco_sock_timeout
| sock_hold(sk) //USE
The KASAN report triggered by POC is shown below:
[ 95.890016] ==================================================================
[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
...
[ 95.890755] Workqueue: events sco_sock_timeout
[ 95.890755] Call Trace:
[ 95.890755] <TASK>
[ 95.890755] dump_stack_lvl+0x45/0x110
[ 95.890755] print_address_description+0x78/0x390
[ 95.890755] print_report+0x11b/0x250
[ 95.890755] ? __virt_addr_valid+0xbe/0xf0
[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
[ 95.890755] kasan_report+0x139/0x170
[ 95.890755] ? update_load_avg+0xe5/0x9f0
[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
[ 95.890755] kasan_check_range+0x2c3/0x2e0
[ 95.890755] sco_sock_timeout+0x5e/0x1c0
[ 95.890755] process_one_work+0x561/0xc50
[ 95.890755] worker_thread+0xab2/0x13c0
[ 95.890755] ? pr_cont_work+0x490/0x490
[ 95.890755] kthread+0x279/0x300
[ 95.890755] ? pr_cont_work+0x490/0x490
[ 95.890755] ? kthread_blkcg+0xa0/0xa0
[ 95.890755] ret_from_fork+0x34/0x60
[ 95.890755] ? kthread_blkcg+0xa0/0xa0
[ 95.890755] ret_from_fork_asm+0x11/0x20
[ 95.890755] </TASK>
[ 95.890755]
[ 95.890755] Allocated by task 506:
[ 95.890755] kasan_save_track+0x3f/0x70
[ 95.890755] __kasan_kmalloc+0x86/0x90
[ 95.890755] __kmalloc+0x17f/0x360
[ 95.890755] sk_prot_alloc+0xe1/0x1a0
[ 95.890755] sk_alloc+0x31/0x4e0
[ 95.890755] bt_sock_alloc+0x2b/0x2a0
[ 95.890755] sco_sock_create+0xad/0x320
[ 95.890755] bt_sock_create+0x145/0x320
[ 95.890755] __sock_create+0x2e1/0x650
[ 95.890755] __sys_socket+0xd0/0x280
[ 95.890755] __x64_sys_socket+0x75/0x80
[ 95.890755] do_syscall_64+0xc4/0x1b0
[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 95.890755]
[ 95.890755] Freed by task 506:
[ 95.890755] kasan_save_track+0x3f/0x70
[ 95.890755] kasan_save_free_info+0x40/0x50
[ 95.890755] poison_slab_object+0x118/0x180
[ 95.890755] __kasan_slab_free+0x12/0x30
[ 95.890755] kfree+0xb2/0x240
[ 95.890755] __sk_destruct+0x317/0x410
[ 95.890755] sco_sock_release+0x232/0x280
[ 95.890755] sock_close+0xb2/0x210
[ 95.890755] __fput+0x37f/0x770
[ 95.890755] task_work_run+0x1ae/0x210
[ 95.890755] get_signal+0xe17/0xf70
[ 95.890755] arch_do_signal_or_restart+0x3f/0x520
[ 95.890755] syscall_exit_to_user_mode+0x55/0x120
[ 95.890755] do_syscall_64+0xd1/0x1b0
[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 95.890755]
[ 95.890755] The buggy address belongs to the object at ffff88800c388000
[ 95.890755] which belongs to the cache kmalloc-1k of size 1024
[ 95.890755] The buggy address is located 128 bytes inside of
[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)
[ 95.890755]
[ 95.890755] The buggy address belongs to the physical page:
[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 95.890755] anon flags: 0x100000000000840(slab|head|node=0|zone=1)
[ 95.890755] page_type: 0xffffffff()
[ 95.890755] raw: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
[ 95.890755] raw: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
[ 95.890755] head: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
[ 95.890755] head: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
[ 95.890755] head: 0100000000000003 ffffea000030e201 ffffea000030e248 00000000ffffffff
[ 95.890755] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 95.890755] page dumped because: kasan: bad access detected
[ 95.890755]
[ 95.890755] Memory state around the buggy address:
[ 95.890755] ffff88800c387f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 95.890755] ffff88800c388000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.890755] >ffff88800c388080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.890755] ^
[ 95.890755] ffff88800c388100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.890755] ffff88800c388180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.890755] ==================================================================
Fix this problem by adding a check protected by sco_conn_lock to judget
whether the conn->hcon is null. Because the conn->hcon will be set to null,
when the sock is releasing.
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Kuniyuki Iwashima
|
1d9cf07810 |
tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
[ Upstream commit f2db7230f73a80dbb179deab78f88a7947f0ab7e ] Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit |
||
|
Eric Dumazet
|
413c33b9f3 |
tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
[ Upstream commit 94062790aedb505bdda209b10bea47b294d6394f ]
TCP_SYN_RECV state is really special, it is only used by
cross-syn connections, mostly used by fuzzers.
In the following crash [1], syzbot managed to trigger a divide
by zero in tcp_rcv_space_adjust()
A socket makes the following state transitions,
without ever calling tcp_init_transfer(),
meaning tcp_init_buffer_space() is also not called.
TCP_CLOSE
connect()
TCP_SYN_SENT
TCP_SYN_RECV
shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
TCP_FIN_WAIT1
To fix this issue, change tcp_shutdown() to not
perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
which makes no sense anyway.
When tcp_rcv_state_process() later changes socket state
from TCP_SYN_RECV to TCP_ESTABLISH, then look at
sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
and send a FIN packet from a sane socket state.
This means tcp_send_fin() can now be called from BH
context, and must use GFP_ATOMIC allocations.
[1]
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
Call Trace:
<TASK>
tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x109/0x280 net/socket.c:1068
____sys_recvmsg+0x1db/0x470 net/socket.c:2803
___sys_recvmsg net/socket.c:2845 [inline]
do_recvmmsg+0x474/0xae0 net/socket.c:2939
__sys_recvmmsg net/socket.c:3018 [inline]
__do_sys_recvmmsg net/socket.c:3041 [inline]
__se_sys_recvmmsg net/socket.c:3034 [inline]
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faeb6363db9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
Fixes:
|
||
Paul Davey
|
a4b7606732 |
xfrm: Preserve vlan tags for transport mode software GRO
[ Upstream commit 58fbfecab965014b6e3cc956a76b4a96265a1add ]
The software GRO path for esp transport mode uses skb_mac_header_rebuild
prior to re-injecting the packet via the xfrm_napi_dev. This only
copies skb->mac_len bytes of header which may not be sufficient if the
packet contains 802.1Q tags or other VLAN tags. Worse copying only the
initial header will leave a packet marked as being VLAN tagged but
without the corresponding tag leading to mangling when it is later
untagged.
The VLAN tags are important when receiving the decrypted esp transport
mode packet after GRO processing to ensure it is received on the correct
interface.
Therefore record the full mac header length in xfrm*_transport_input for
later use in corresponding xfrm*_transport_finish to copy the entire mac
header when rebuilding the mac header for GRO. The skb->data pointer is
left pointing skb->mac_header bytes after the start of the mac header as
is expected by the network stack and network and transport header
offsets reset to this location.
Fixes:
|
||
linke li
|
d21475d29d |
net: mark racy access on sk->sk_rcvbuf
[ Upstream commit c2deb2e971f5d9aca941ef13ee05566979e337a4 ] sk->sk_rcvbuf in __sock_queue_rcv_skb() and __sk_receive_skb() can be changed by other threads. Mark this as benign using READ_ONCE(). This patch is aimed at reducing the number of benign races reported by KCSAN in order to focus future debugging effort on harmful races. Signed-off-by: linke li <lilinke99@qq.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Igor Artemiev
|
a762b8e041 |
wifi: cfg80211: fix rdev_dump_mpp() arguments order
[ Upstream commit ec50f3114e55406a1aad24b7dfaa1c3f4336d8eb ] Fix the order of arguments in the TP_ARGS macro for the rdev_dump_mpp tracepoint event. Found by Linux Verification Center (linuxtesting.org). Signed-off-by: Igor Artemiev <Igor.A.Artemiev@mcst.ru> Link: https://msgid.link/20240311164519.118398-1-Igor.A.Artemiev@mcst.ru Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jeff Johnson
|
a21712550a |
wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
[ Upstream commit 774f8841f55d7ac4044c79812691649da203584a ] Running kernel-doc on ieee80211_i.h flagged the following: net/mac80211/ieee80211_i.h:145: warning: expecting prototype for enum ieee80211_corrupt_data_flags. Prototype was for enum ieee80211_bss_corrupt_data_flags instead net/mac80211/ieee80211_i.h:162: warning: expecting prototype for enum ieee80211_valid_data_flags. Prototype was for enum ieee80211_bss_valid_data_flags instead Fix these warnings. Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://msgid.link/20240314-kdoc-ieee80211_i-v1-1-72b91b55b257@quicinc.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Richard Gobert
|
7df798dd59 |
net: gro: add flush check in udp_gro_receive_segment
[ Upstream commit 5babae777c61aa8a8679d59d3cdc54165ad96d42 ]
GRO-GSO path is supposed to be transparent and as such L3 flush checks are
relevant to all UDP flows merging in GRO. This patch uses the same logic
and code from tcp_gro_receive, terminating merge if flush is non zero.
Fixes:
|
||
|
Xin Long
|
adbce6d20d |
tipc: fix a possible memleak in tipc_buf_append
[ Upstream commit 97bf6f81b29a8efaf5d0983251a7450e5794370d ]
__skb_linearize() doesn't free the skb when it fails, so move
'*buf = NULL' after __skb_linearize(), so that the skb can be
freed on the err path.
Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Felix Fietkau
|
faa83a7797 |
net: core: reject skb_copy(_expand) for fraglist GSO skbs
[ Upstream commit d091e579b864fa790dd6a0cd537a22c383126681 ]
SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become
invalid. Return NULL if such an skb is passed to skb_copy or
skb_copy_expand, in order to prevent a crash on a potential later
call to skb_gso_segment.
Fixes:
|
||
|
Felix Fietkau
|
48ab384d2b |
net: bridge: fix multicast-to-unicast with fraglist GSO
[ Upstream commit 59c878cbcdd80ed39315573b3511d0acfd3501b5 ]
Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
an invalid linearized skb. This code only needs to change the ethernet
header, so pskb_copy is the right function to call here.
Fixes:
|
||
David Bauer
|
553b2f6c34 |
net l2tp: drop flow hash on forward
[ Upstream commit 42f853b42899d9b445763b55c3c8adc72be0f0e1 ]
Drop the flow-hash of the skb when forwarding to the L2TP netdev.
This avoids the L2TP qdisc from using the flow-hash from the outer
packet, which is identical for every flow within the tunnel.
This does not affect every platform but is specific for the ethernet
driver. It depends on the platform including L4 information in the
flow-hash.
One such example is the Mediatek Filogic MT798x family of networking
processors.
Fixes:
|
||
|
Kuniyuki Iwashima
|
bbccf0caef |
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
[ Upstream commit 4b911a9690d72641879ea6d13cce1de31d346d79 ]
syzbot triggered various splats (see [0] and links) by a crafted GSO
packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:
ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP
NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner
protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls
skb_mac_gso_segment() to invoke inner protocol GSO handlers.
nsh_gso_segment() does the following for the original skb before
calling skb_mac_gso_segment()
1. reset skb->network_header
2. save the original skb->{mac_heaeder,mac_len} in a local variable
3. pull the NSH header
4. resets skb->mac_header
5. set up skb->mac_len and skb->protocol for the inner protocol.
and does the following for the segmented skb
6. set ntohs(ETH_P_NSH) to skb->protocol
7. push the NSH header
8. restore skb->mac_header
9. set skb->mac_header + mac_len to skb->network_header
10. restore skb->mac_len
There are two problems in 6-7 and 8-9.
(a)
After 6 & 7, skb->data points to the NSH header, so the outer header
(ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.
Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),
skb_pull() in the first nsh_gso_segment() will make skb->data point
to the middle of the outer NSH or Ethernet header because the Ethernet
header is not pulled by the second nsh_gso_segment().
(b)
While restoring skb->{mac_header,network_header} in 8 & 9,
nsh_gso_segment() does not assume that the data in the linear
buffer is shifted.
However, udp6_ufo_fragment() could shift the data and change
skb->mac_header accordingly as demonstrated by syzbot.
If this happens, even the restored skb->mac_header points to
the middle of the outer header.
It seems nsh_gso_segment() has never worked with outer headers so far.
At the end of nsh_gso_segment(), the outer header must be restored for
the segmented skb, instead of the NSH header.
To do that, let's calculate the outer header position relatively from
the inner header and set skb->{data,mac_header,protocol} properly.
[0]:
BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222
__netdev_start_xmit include/linux/netdevice.h:4989 [inline]
netdev_start_xmit include/linux/netdevice.h:5003 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
__dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3819 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
__do_kmalloc_node mm/slub.c:3980 [inline]
__kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001
kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
__alloc_skb+0x352/0x790 net/core/skbuff.c:651
skb_segment+0x20aa/0x7080 net/core/skbuff.c:4647
udp6_ufo_fragment+0xcab/0x1150 net/ipv6/udp_offload.c:109
ipv6_gso_segment+0x14be/0x2ca0 net/ipv6/ip6_offload.c:152
skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
nsh_gso_segment+0x6f4/0xf70 net/nsh/nsh.c:108
skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
__skb_gso_segment+0x4b0/0x730 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x107f/0x1930 net/core/dev.c:3628
__dev_queue_xmit+0x1f28/0x51c0 net/core/dev.c:4343
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
CPU: 1 PID: 5101 Comm: syz-executor421 Not tainted 6.8.0-rc5-syzkaller-00297-gf2e367d6ad3b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Fixes:
|
||
Josef Bacik
|
95ebd5fc15 |
sunrpc: add a struct rpc_stats arg to rpc_create_args
[ Upstream commit 2057a48d0dd00c6a2a94ded7df2bf1d3f2a4a0da ]
We want to be able to have our rpc stats handled in a per network
namespace manner, so add an option to rpc_create_args to specify a
different rpc_stats struct instead of using the one on the rpc_program.
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Stable-dep-of: 24457f1be29f ("nfs: Handle error of rpc_proc_register() in nfs_net_init().")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Johannes Berg
|
5a730a161a |
wifi: nl80211: don't free NULL coalescing rule
[ Upstream commit 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 ]
If the parsing fails, we can dereference a NULL pointer here.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Greg Kroah-Hartman
|
38a24db1c2 |
Revert "net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
dd27b89022 |
Merge 5.10.214 into android12-5.10-lts
Changes in 5.10.214
io_uring/unix: drop usage of io_uring socket
io_uring: drop any code related to SCM_RIGHTS
rcu-tasks: Provide rcu_trace_implies_rcu_gp()
bpf: Defer the free of inner map when necessary
selftests: tls: use exact comparison in recv_partial
ASoC: rt5645: Make LattePanda board DMI match more precise
x86/xen: Add some null pointer checking to smp.c
MIPS: Clear Cause.BD in instruction_pointer_set
HID: multitouch: Add required quirk for Synaptics 0xcddc device
gen_compile_commands: fix invalid escape sequence warning
RDMA/mlx5: Fix fortify source warning while accessing Eth segment
RDMA/mlx5: Relax DEVX access upon modify commands
x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h
x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
net/iucv: fix the allocation size of iucv_path_table array
parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check
block: sed-opal: handle empty atoms when parsing response
dm-verity, dm-crypt: align "struct bvec_iter" correctly
scsi: mpt3sas: Prevent sending diag_reset when the controller is ready
Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
firewire: core: use long bus reset on gap count error
ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet
Input: gpio_keys_polled - suppress deferred probe error for gpio
ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC
ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode
ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll
x86/paravirt: Fix build due to __text_gen_insn() backport
do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
nbd: null check for nla_nest_start
fs/select: rework stack allocation hack for clang
block: add a new set_read_only method
md: implement ->set_read_only to hook into BLKROSET processing
md: Don't clear MD_CLOSING when the raid is about to stop
aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
timekeeping: Fix cross-timestamp interpolation on counter wrap
timekeeping: Fix cross-timestamp interpolation corner case decision
timekeeping: Fix cross-timestamp interpolation for non-x86
wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled
wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled
wifi: b43: Stop correct queue in DMA worker when QoS is disabled
wifi: b43: Disable QoS for bcm4331
wifi: wilc1000: fix declarations ordering
wifi: wilc1000: fix RCU usage in connect path
wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work
wifi: wilc1000: fix multi-vif management when deleting a vif
wifi: mwifiex: debugfs: Drop unnecessary error check for debugfs_create_dir()
cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value
sock_diag: annotate data-races around sock_diag_handlers[family]
inet_diag: annotate data-races around inet_diag_table[]
bpftool: Silence build warning about calloc()
af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().
wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete
wifi: iwlwifi: dbg-tlv: ensure NUL termination
wifi: iwlwifi: fix EWRD table validity check
net: blackhole_dev: fix build warning for ethh set but not used
wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
arm64: dts: mediatek: mt7622: add missing "device_type" to memory nodes
bpf: Factor out bpf_spin_lock into helpers.
bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly
wireless: Remove redundant 'flush_workqueue()' calls
wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces
ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()
bus: tegra-aconnect: Update dependency to ARCH_TEGRA
iommu/amd: Mark interrupt as managed
wifi: brcmsmac: avoid function pointer casts
net: ena: Remove ena_select_queue
ARM: dts: arm: realview: Fix development chip ROM compatible value
ARM: dts: imx6dl-yapp4: Move phy reset into switch node
ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address
ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node
arm64: dts: marvell: reorder crypto interrupts on Armada SoCs
ACPI: scan: Fix device check notification handling
x86, relocs: Ignore relocations in .notes section
SUNRPC: fix some memleaks in gssx_dec_option_array
mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function
wifi: rtw88: 8821c: Fix false alarm count
PCI: Make pci_dev_is_disconnected() helper public for other drivers
iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected
igb: move PEROUT and EXTTS isr logic to separate functions
igb: Fix missing time sync events
Bluetooth: Remove superfluous call to hci_conn_check_pending()
Bluetooth: hci_core: Fix possible buffer overflow
sr9800: Add check for usbnet_get_endpoints
bpf: Eliminate rlimit-based memory accounting for devmap maps
bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
bpf: Fix hashtab overflow check on 32-bit arches
bpf: Fix stackmap overflow check on 32-bit arches
ipv6: fib6_rules: flush route cache when rule is changed
net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
net: phy: fix phy_get_internal_delay accessing an empty array
net: hns3: fix port duplex configure error in IMP reset
net: phy: DP83822: enable rgmii mode if phy_interface_is_rgmii
net: phy: dp83822: Fix RGMII TX delay configuration
OPP: debugfs: Fix warning around icc_get_name()
tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function
net/ipv4: Replace one-element array with flexible-array member
net/ipv4: Revert use of struct_size() helper
net/ipv4/ipv6: Replace one-element arraya with flexible-array members
bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument
ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function
l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function
udp: fix incorrect parameter validation in the udp_lib_getsockopt() function
net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function
net/x25: fix incorrect parameter validation in the x25_getsockopt() function
nfp: flower: handle acti_netdevs allocation failure
dm raid: fix false positive for requeue needed during reshape
dm: call the resume method on internal suspend
drm/tegra: dsi: Add missing check for of_find_device_by_node
drm/tegra: dsi: Make use of the helper function dev_err_probe()
drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()
drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe()
drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths of tegra_output_probe()
drm/rockchip: inno_hdmi: Fix video timing
drm: Don't treat 0 as -1 in drm_fixp2int_ceil
drm/rockchip: lvds: do not overwrite error code
drm/rockchip: lvds: do not print scary message when probing defer
drm/lima: fix a memleak in lima_heap_alloc
dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA
media: tc358743: register v4l2 async device only after successful setup
PCI/DPC: Print all TLP Prefixes, not just the first
perf record: Fix possible incorrect free in record__switch_output()
HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd
drm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'
drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'
perf evsel: Fix duplicate initialization of data->id in evsel__parse_sample()
media: em28xx: annotate unchecked call to media_device_register()
media: v4l2-tpg: fix some memleaks in tpg_alloc
media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity
media: edia: dvbdev: fix a use-after-free
pinctrl: mediatek: Drop bogus slew rate register range for MT8192
clk: qcom: reset: Commonize the de/assert functions
clk: qcom: reset: Ensure write completion on reset de/assertion
quota: simplify drop_dquot_ref()
quota: Fix potential NULL pointer dereference
quota: Fix rcu annotations of inode dquot pointers
PCI: switchtec: Fix an error handling path in switchtec_pci_probe()
crypto: xilinx - call finalize with bh disabled
perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()
drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()
ALSA: seq: fix function cast warnings
perf stat: Avoid metric-only segv
ASoC: meson: Use dev_err_probe() helper
ASoC: meson: aiu: fix function pointer type mismatch
ASoC: meson: t9015: fix function pointer type mismatch
media: sun8i-di: Fix coefficient writes
media: sun8i-di: Fix power on/off sequences
media: sun8i-di: Fix chroma difference threshold
media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak
media: go7007: add check of return value of go7007_read_addr()
media: pvrusb2: remove redundant NULL check
media: pvrusb2: fix pvr2_stream_callback casts
clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times
drm/mediatek: dsi: Fix DSI RGB666 formats and definitions
PCI: Mark 3ware-9650SE Root Port Extended Tags as broken
clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister()
drm/tegra: put drm_gem_object ref on error in tegra_fb_create
mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref
mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a ref
crypto: arm/sha - fix function cast warnings
drm/tidss: Fix initial plane zpos values
mtd: maps: physmap-core: fix flash size larger than 32-bit
mtd: rawnand: lpc32xx_mlc: fix irq handler prototype
ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs
ASoC: meson: axg-tdm-interface: add frame rate constraint
drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()
media: pvrusb2: fix uaf in pvr2_context_set_notify
media: dvb-frontends: avoid stack overflow warnings with clang
media: go7007: fix a memleak in go7007_load_encoder
media: ttpci: fix two memleaks in budget_av_attach
media: mediatek: vcodec: avoid -Wcast-function-type-strict warning
drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks
drm/msm/dpu: add division of drm_display_mode's hskew parameter
powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.
leds: aw2013: Unlock mutex before destroying it
leds: sgm3140: Add missing timer cleanup and flash gpio control
backlight: lm3630a: Initialize backlight_properties on init
backlight: lm3630a: Don't set bl->props.brightness in get_brightness
backlight: da9052: Fully initialize backlight_properties during probe
backlight: lm3639: Fully initialize backlight_properties during probe
backlight: lp8788: Fully initialize backlight_properties during probe
sparc32: Fix section mismatch in leon_pci_grpci
clk: Fix clk_core_get NULL dereference
ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops
ALSA: usb-audio: Stop parsing channels bits when all channels are found.
RDMA/srpt: Do not register event handler until srpt device is fully setup
f2fs: compress: fix to check unreleased compressed cluster
scsi: csiostor: Avoid function pointer casts
RDMA/device: Fix a race between mad_client and cm_client init
scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn
net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()
NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102
NFSv4.2: fix listxattr maximum XDR buffer size
watchdog: stm32_iwdg: initialize default timeout
NFS: Fix an off by one in root_nfs_cat()
afs: Revert "afs: Hide silly-rename files from userspace"
remoteproc: stm32: Constify st_rproc_ops
remoteproc: Add new get_loaded_rsc_table() to rproc_ops
remoteproc: stm32: Move resource table setup to rproc_ops
remoteproc: stm32: use correct format strings on 64-bit
remoteproc: stm32: Fix incorrect type in assignment for va
remoteproc: stm32: Fix incorrect type assignment returned by stm32_rproc_get_loaded_rsc_tablef
tty: vt: fix 20 vs 0x20 typo in EScsiignore
serial: max310x: fix syntax error in IRQ error message
tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT
kconfig: fix infinite loop when expanding a macro at the end of file
rtc: mt6397: select IRQ_DOMAIN instead of depending on it
serial: 8250_exar: Don't remove GPIO device on suspend
staging: greybus: fix get_channel_from_mode() failure path
usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin
io_uring: don't save/restore iowait state
octeontx2-af: Use matching wake_up API variant in CGX command interface
s390/vtime: fix average steal time calculation
soc: fsl: dpio: fix kcalloc() argument order
hsr: Fix uninit-value access in hsr_get_node()
packet: annotate data-races around ignore_outgoing
net: dsa: mt7530: prevent possible incorrect XTAL frequency selection
wireguard: receive: annotate data-race around receiving_counter.counter
rds: introduce acquire/release ordering in acquire/release_in_xmit()
hsr: Handle failures in module init
net/bnx2x: Prevent access to a freed page in page_pool
octeontx2-af: Use separate handlers for interrupts
netfilter: nft_set_pipapo: release elements in clone only from destroy path
scsi: fc: Update formal FPIN descriptor definitions
ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add regulator nodes vcc-dram and vcc1v2
netfilter: nf_tables: do not compare internal table flags on updates
rcu: add a helper to report consolidated flavor QS
bpf: report RCU QS in cpumap kthread
spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
regmap: Add missing map->bus check
remoteproc: stm32: fix phys_addr_t format string
Linux 5.10.214
Change-Id: Iad0cc6acbf53bac96c0409ce61dc6836d83ed7bc
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Yick Xie
|
16affc4d73 |
udp: preserve the connected status if only UDP cmsg
commit 680d11f6e5427b6af1321932286722d24a8b16c1 upstream.
If "udp_cmsg_send()" returned 0 (i.e. only UDP cmsg),
"connected" should not be set to 0. Otherwise it stops
the connected socket from using the cached route.
Fixes:
|
||
|
Eric Dumazet
|
ab31bc5022 |
tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()
commit 1c4e97dd2d3c9a3e84f7e26346aa39bc426d3249 upstream.
inet_twsk_purge() uses rcu to find TIME_WAIT and NEW_SYN_RECV
objects to purge.
These objects use SLAB_TYPESAFE_BY_RCU semantic and need special
care. We need to use refcount_inc_not_zero(&sk->sk_refcnt).
Reuse the existing correct logic I wrote for TIME_WAIT,
because both structures have common locations for
sk_state, sk_family, and netns pointer.
If after the refcount_inc_not_zero() the object fields longer match
the keys, use sock_gen_put(sk) to release the refcount.
Then we can call inet_twsk_deschedule_put() for TIME_WAIT,
inet_csk_reqsk_queue_drop_and_put() for NEW_SYN_RECV sockets,
with BH disabled.
Then we need to restart the loop because we had drop rcu_read_lock().
Fixes: 740ea3c4a0b2 ("tcp: Clean up kernel listener's reqsk in inet_twsk_purge()")
Link: https://lore.kernel.org/netdev/CANn89iLvFuuihCtt9PME2uS1WJATnf5fKjDToa1WzVnRzHnPfg@mail.gmail.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240308200122.64357-2-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[shaozhengchao: resolved conflicts in 5.10]
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Kuniyuki Iwashima
|
74e5e5601d |
tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
commit 740ea3c4a0b2e326b23d7cdf05472a0e92aa39bc upstream. Eric Dumazet reported a use-after-free related to the per-netns ehash series. [0] When we create a TCP socket from userspace, the socket always holds a refcnt of the netns. This guarantees that a reqsk timer is always fired before netns dismantle. Each reqsk has a refcnt of its listener, so the listener is not freed before the reqsk, and the net is not freed before the listener as well. OTOH, when in-kernel users create a TCP socket, it might not hold a refcnt of its netns. Thus, a reqsk timer can be fired after the netns dismantle and access freed per-netns ehash. To avoid the use-after-free, we need to clean up TCP_NEW_SYN_RECV sockets in inet_twsk_purge() if the netns uses a per-netns ehash. [0]: https://lore.kernel.org/netdev/CANn89iLXMup0dRD_Ov79Xt8N9FM0XdhCHEN05sf3eLwxKweM6w@mail.gmail.com/ BUG: KASAN: use-after-free in tcp_or_dccp_get_hashinfo include/net/inet_hashtables.h:181 [inline] BUG: KASAN: use-after-free in reqsk_queue_unlink+0x320/0x350 net/ipv4/inet_connection_sock.c:913 Read of size 8 at addr ffff88807545bd80 by task syz-executor.2/8301 CPU: 1 PID: 8301 Comm: syz-executor.2 Not tainted 6.0.0-syzkaller-02757-gaf7d23f9d96a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 tcp_or_dccp_get_hashinfo include/net/inet_hashtables.h:181 [inline] reqsk_queue_unlink+0x320/0x350 net/ipv4/inet_connection_sock.c:913 inet_csk_reqsk_queue_drop net/ipv4/inet_connection_sock.c:927 [inline] inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:939 [inline] reqsk_timer_handler+0x724/0x1160 net/ipv4/inet_connection_sock.c:1053 call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790 __run_timers kernel/time/timer.c:1768 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803 __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1107 </IRQ> Fixes: d1e5e6408b30 ("tcp: Introduce optional per-netns ehash.") Reported-by: syzbot <syzkaller@googlegroups.com> Reported-by: Eric Dumazet <edumazet@google.com> Suggested-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20221012145036.74960-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> [shaozhengchao: resolved conflicts in 5.10] Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Rahul Rameshbabu
|
f3a2f186a1 |
ethernet: Add helper for assigning packet type when dest address does not match device address
commit 6e159fd653d7ebf6290358e0330a0cb8a75cf73b upstream. Enable reuse of logic in eth_type_trans for determining packet type. Suggested-by: Sabrina Dubroca <sd@queasysnail.net> Cc: stable@vger.kernel.org Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://lore.kernel.org/r/20240423181319.115860-3-rrameshbabu@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Nathan Chancellor
|
de657b2109 |
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
commit 9bf4e919ccad613b3596eebf1ff37b05b6405307 upstream.
After an innocuous optimization change in LLVM main (19.0.0), x86_64
allmodconfig (which enables CONFIG_KCSAN / -fsanitize=thread) fails to
build due to the checks in check_copy_size():
In file included from net/bluetooth/sco.c:27:
In file included from include/linux/module.h:13:
In file included from include/linux/stat.h:19:
In file included from include/linux/time.h:60:
In file included from include/linux/time32.h:13:
In file included from include/linux/timex.h:67:
In file included from arch/x86/include/asm/timex.h:6:
In file included from arch/x86/include/asm/tsc.h:10:
In file included from arch/x86/include/asm/msr.h:15:
In file included from include/linux/percpu.h:7:
In file included from include/linux/smp.h:118:
include/linux/thread_info.h:244:4: error: call to '__bad_copy_from'
declared with 'error' attribute: copy source size is too small
244 | __bad_copy_from();
| ^
The same exact error occurs in l2cap_sock.c. The copy_to_user()
statements that are failing come from l2cap_sock_getsockopt_old() and
sco_sock_getsockopt_old(). This does not occur with GCC with or without
KCSAN or Clang without KCSAN enabled.
len is defined as an 'int' because it is assigned from
'__user int *optlen'. However, it is clamped against the result of
sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit
platforms). This is done with min_t() because min() requires compatible
types, which results in both len and the result of sizeof() being casted
to 'unsigned int', meaning len changes signs and the result of sizeof()
is truncated. From there, len is passed to copy_to_user(), which has a
third parameter type of 'unsigned long', so it is widened and changes
signs again. This excessive casting in combination with the KCSAN
instrumentation causes LLVM to fail to eliminate the __bad_copy_from()
call, failing the build.
The official recommendation from LLVM developers is to consistently use
long types for all size variables to avoid the unnecessary casting in
the first place. Change the type of len to size_t in both
l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(). This clears
up the error while allowing min_t() to be replaced with min(), resulting
in simpler code with no casts and fewer implicit conversions. While len
is a different type than optlen now, it should result in no functional
change because the result of sizeof() will clamp all values of optlen in
the same manner as before.
Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/2007
Link: https://github.com/llvm/llvm-project/issues/85647
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Justin Stitt <justinstitt@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Kuniyuki Iwashima
|
ae7c8f52aa |
af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
[ Upstream commit 1971d13ffa84a551d29a81fdf5b5ec5be166ac83 ] syzbot reported a lockdep splat regarding unix_gc_lock and unix_state_lock(). One is called from recvmsg() for a connected socket, and another is called from GC for TCP_LISTEN socket. So, the splat is false-positive. Let's add a dedicated lock class for the latter to suppress the splat. Note that this change is not necessary for net-next.git as the issue is only applied to the old GC impl. [0]: WARNING: possible circular locking dependency detected 6.9.0-rc5-syzkaller-00007-g4d2008430ce8 #0 Not tainted ----------------------------------------------------- kworker/u8:1/11 is trying to acquire lock: ffff88807cea4e70 (&u->lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffff88807cea4e70 (&u->lock){+.+.}-{2:2}, at: __unix_gc+0x40e/0xf70 net/unix/garbage.c:302 but task is already holding lock: ffffffff8f6ab638 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffffffff8f6ab638 (unix_gc_lock){+.+.}-{2:2}, at: __unix_gc+0x117/0xf70 net/unix/garbage.c:261 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (unix_gc_lock){+.+.}-{2:2}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] unix_notinflight+0x13d/0x390 net/unix/garbage.c:140 unix_detach_fds net/unix/af_unix.c:1819 [inline] unix_destruct_scm+0x221/0x350 net/unix/af_unix.c:1876 skb_release_head_state+0x100/0x250 net/core/skbuff.c:1188 skb_release_all net/core/skbuff.c:1200 [inline] __kfree_skb net/core/skbuff.c:1216 [inline] kfree_skb_reason+0x16d/0x3b0 net/core/skbuff.c:1252 kfree_skb include/linux/skbuff.h:1262 [inline] manage_oob net/unix/af_unix.c:2672 [inline] unix_stream_read_generic+0x1125/0x2700 net/unix/af_unix.c:2749 unix_stream_splice_read+0x239/0x320 net/unix/af_unix.c:2981 do_splice_read fs/splice.c:985 [inline] splice_file_to_pipe+0x299/0x500 fs/splice.c:1295 do_splice+0xf2d/0x1880 fs/splice.c:1379 __do_splice fs/splice.c:1436 [inline] __do_sys_splice fs/splice.c:1652 [inline] __se_sys_splice+0x331/0x4a0 fs/splice.c:1634 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&u->lock){+.+.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __unix_gc+0x40e/0xf70 net/unix/garbage.c:302 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(unix_gc_lock); lock(&u->lock); lock(unix_gc_lock); lock(&u->lock); *** DEADLOCK *** 3 locks held by kworker/u8:1/11: #0: ffff888015089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline] #0: ffff888015089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x17c0 kernel/workqueue.c:3335 #1: ffffc90000107d00 (unix_gc_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline] #1: ffffc90000107d00 (unix_gc_work){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x17c0 kernel/workqueue.c:3335 #2: ffffffff8f6ab638 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] #2: ffffffff8f6ab638 (unix_gc_lock){+.+.}-{2:2}, at: __unix_gc+0x117/0xf70 net/unix/garbage.c:261 stack backtrace: CPU: 0 PID: 11 Comm: kworker/u8:1 Not tainted 6.9.0-rc5-syzkaller-00007-g4d2008430ce8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: events_unbound __unix_gc Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187 check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __unix_gc+0x40e/0xf70 net/unix/garbage.c:302 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Fixes: 47d8ac011fe1 ("af_unix: Fix garbage collector racing against connect()") Reported-and-tested-by: syzbot+fa379358c28cc87cc307@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fa379358c28cc87cc307 Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://lore.kernel.org/r/20240424170443.9832-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Pablo Neira Ayuso
|
e4bb6da24d |
netfilter: nf_tables: honor table dormant flag from netdev release event path
[ Upstream commit 8e30abc9ace4f0add4cd761dfdbfaebae5632dd2 ]
Check for table dormant flag otherwise netdev release event path tries
to unregister an already unregistered hook.
[524854.857999] ------------[ cut here ]------------
[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260
[...]
[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365
[524854.858869] Workqueue: netns cleanup_net
[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260
[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41
[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246
[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a
[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438
[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34
[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005
[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00
[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0
[524854.859000] Call Trace:
[524854.859006] <TASK>
[524854.859013] ? __warn+0x9f/0x1a0
[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260
[524854.859044] ? report_bug+0x1b1/0x1e0
[524854.859060] ? handle_bug+0x3c/0x70
[524854.859071] ? exc_invalid_op+0x17/0x40
[524854.859083] ? asm_exc_invalid_op+0x1a/0x20
[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260
[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260
[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]
[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]
[524854.859461] ? packet_notifier+0xb3/0x360
[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40
[524854.859489] ? dcbnl_netdevice_event+0x35/0x140
[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]
[524854.859661] notifier_call_chain+0x7d/0x140
[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0
Fixes:
|
||
Hyunwoo Kim
|
35880c3fa6 |
net: openvswitch: Fix Use-After-Free in ovs_ct_exit
[ Upstream commit 5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2 ]
Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal
of ovs_ct_limit_exit, is not part of the RCU read critical section, it
is possible that the RCU grace period will pass during the traversal and
the key will be free.
To prevent this, it should be changed to hlist_for_each_entry_safe.
Fixes:
|
||
Ismael Luceno
|
aca5dadab1 |
ipvs: Fix checksumming on GSO of SCTP packets
[ Upstream commit e10d3ba4d434ed172914617ed8d74bd411421193 ]
It was observed in the wild that pairs of consecutive packets would leave
the IPVS with the same wrong checksum, and the issue only went away when
disabling GSO.
IPVS needs to avoid computing the SCTP checksum when using GSO.
Fixes:
|
||
|
Eric Dumazet
|
7da0f91681 |
ipv4: check for NULL idev in ip_route_use_hint()
[ Upstream commit 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1 ]
syzbot was able to trigger a NULL deref in fib_validate_source()
in an old tree [1].
It appears the bug exists in latest trees.
All calls to __in_dev_get_rcu() must be checked for a NULL result.
[1]
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425
Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf
RSP: 0018:ffffc900015fee40 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0
RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0
RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000
R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000
FS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231
ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327
ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]
ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638
ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673
__netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]
__netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620
__netif_receive_skb_list net/core/dev.c:5672 [inline]
netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764
netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816
xdp_recv_frames net/bpf/test_run.c:257 [inline]
xdp_test_run_batch net/bpf/test_run.c:335 [inline]
bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363
bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376
bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736
__sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115
__do_sys_bpf kernel/bpf/syscall.c:5201 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5199 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199
Fixes:
|
||
|
Florian Westphal
|
e3b887a9c1 |
netfilter: nft_set_pipapo: do not free live element
[ Upstream commit 3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc ]
Pablo reports a crash with large batches of elements with a
back-to-back add/remove pattern. Quoting Pablo:
add_elem("00000000") timeout 100 ms
...
add_elem("0000000X") timeout 100 ms
del_elem("0000000X") <---------------- delete one that was just added
...
add_elem("00005000") timeout 100 ms
1) nft_pipapo_remove() removes element 0000000X
Then, KASAN shows a splat.
Looking at the remove function there is a chance that we will drop a
rule that maps to a non-deactivated element.
Removal happens in two steps, first we do a lookup for key k and return the
to-be-removed element and mark it as inactive in the next generation.
Then, in a second step, the element gets removed from the set/map.
The _remove function does not work correctly if we have more than one
element that share the same key.
This can happen if we insert an element into a set when the set already
holds an element with same key, but the element mapping to the existing
key has timed out or is not active in the next generation.
In such case its possible that removal will unmap the wrong element.
If this happens, we will leak the non-deactivated element, it becomes
unreachable.
The element that got deactivated (and will be freed later) will
remain reachable in the set data structure, this can result in
a crash when such an element is retrieved during lookup (stale
pointer).
Add a check that the fully matching key does in fact map to the element
that we have marked as inactive in the deactivation step.
If not, we need to continue searching.
Add a bug/warn trap at the end of the function as well, the remove
function must not ever be called with an invisible/unreachable/non-existent
element.
v2: avoid uneeded temporary variable (Stefano)
Fixes:
|
||
|
Ziyang Xuan
|
934e66e231 |
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
[ Upstream commit f969eb84ce482331a991079ab7a5c4dc3b7f89bf ]
nft_unregister_expr() can concurrent with __nft_expr_type_get(),
and there is not any protection when iterate over nf_tables_expressions
list in __nft_expr_type_get(). Therefore, there is potential data-race
of nf_tables_expressions list entry.
Use list_for_each_entry_rcu() to iterate over nf_tables_expressions
list in __nft_expr_type_get(), and use rcu_read_lock() in the caller
nft_expr_type_get() to protect the entire type query process.
Fixes:
|
||
|
Michal Luczaj
|
2e2a03787f |
af_unix: Fix garbage collector racing against connect()
[ Upstream commit 47d8ac011fe1c9251070e1bd64cb10b48193ec51 ]
Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children. Leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.
sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped
connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc()
---------------- ------------------------- -----------
NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
// V count=1 inflight=0
NS = unix_peer(S)
skb2 = sock_alloc()
skb_queue_tail(NS, skb2[V])
// V became in-flight
// V count=2 inflight=1
close(V)
// V count=1 inflight=1
// GC candidate condition met
for u in gc_inflight_list:
if (total_refs == inflight_refs)
add u to gc_candidates
// gc_candidates={L, V}
for u in gc_candidates:
scan_children(u, dec_inflight)
// embryo (skb1) was not
// reachable from L yet, so V's
// inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
for u in gc_candidates:
if (u.inflight)
scan_children(u, inc_inflight_move_tail)
// V count=1 inflight=2 (!)
If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.
Fixes:
|
||
|
Kuniyuki Iwashima
|
14bea27d1c |
af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
[ Upstream commit 97af84a6bba2ab2b9c704c08e67de3b5ea551bb2 ] When touching unix_sk(sk)->inflight, we are always under spin_lock(&unix_gc_lock). Let's convert unix_sk(sk)->inflight to the normal unsigned long. Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: 47d8ac011fe1 ("af_unix: Fix garbage collector racing against connect()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
cf4bc359b7 |
netfilter: complete validation of user input
[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ]
In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.
In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:
if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
return -EINVAL;
Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Luiz Augusto von Dentz
|
b0e30c3769 |
Bluetooth: SCO: Fix not validating setsockopt user input
[ Upstream commit 51eda36d33e43201e7a4fd35232e069b2c850b01 ] syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578 Fixes: |
||
Jiri Benc
|
3fb02ec57e |
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
[ Upstream commit 7633c4da919ad51164acbf1aa322cc1a3ead6129 ]
Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it
still means hlist_for_each_entry_rcu can return an item that got removed
from the list. The memory itself of such item is not freed thanks to RCU
but nothing guarantees the actual content of the memory is sane.
In particular, the reference count can be zero. This can happen if
ipv6_del_addr is called in parallel. ipv6_del_addr removes the entry
from inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all
references (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough
timing, this can happen:
1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.
2. Then, the whole ipv6_del_addr is executed for the given entry. The
reference count drops to zero and kfree_rcu is scheduled.
3. ipv6_get_ifaddr continues and tries to increments the reference count
(in6_ifa_hold).
4. The rcu is unlocked and the entry is freed.
5. The freed entry is returned.
Prevent increasing of the reference count in such case. The name
in6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.
[ 41.506330] refcount_t: addition on 0; use-after-free.
[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130
[ 41.507413] Modules linked in: veth bridge stp llc
[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14
[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130
[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff
[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282
[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000
[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900
[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff
[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000
[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48
[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000
[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0
[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 41.516799] Call Trace:
[ 41.517037] <TASK>
[ 41.517249] ? __warn+0x7b/0x120
[ 41.517535] ? refcount_warn_saturate+0xa5/0x130
[ 41.517923] ? report_bug+0x164/0x190
[ 41.518240] ? handle_bug+0x3d/0x70
[ 41.518541] ? exc_invalid_op+0x17/0x70
[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20
[ 41.521325] ? refcount_warn_saturate+0xa5/0x130
[ 41.521708] ipv6_get_ifaddr+0xda/0xe0
[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0
[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10
[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0
[ 41.523102] ? netlink_unicast+0x30f/0x390
[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 41.523832] netlink_rcv_skb+0x53/0x100
[ 41.524157] netlink_unicast+0x23b/0x390
[ 41.524484] netlink_sendmsg+0x1f2/0x440
[ 41.524826] __sys_sendto+0x1d8/0x1f0
[ 41.525145] __x64_sys_sendto+0x1f/0x30
[ 41.525467] do_syscall_64+0xa5/0x1b0
[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 41.526213] RIP: 0033:0x7fbc4cfcea9a
[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[ 41.527942] RSP: 002b:00007ffcf54012a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 41.528593] RAX: ffffffffffffffda RBX: 00007ffcf5401368 RCX: 00007fbc4cfcea9a
[ 41.529173] RDX: 000000000000002c RSI: 00007fbc4b9d9bd0 RDI: 0000000000000005
[ 41.529786] RBP: 00007fbc4bafb040 R08: 00007ffcf54013e0 R09: 000000000000000c
[ 41.530375] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 41.530977] R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007fbc4ca85d1b
[ 41.531573] </TASK>
Fixes:
|
||
Arnd Bergmann
|
9e55a650ac |
ipv4/route: avoid unused-but-set-variable warning
[ Upstream commit cf1b7201df59fb936f40f4a807433fe3f2ce310a ]
The log_martians variable is only used in an #ifdef, causing a 'make W=1'
warning with gcc:
net/ipv4/route.c: In function 'ip_rt_send_redirect':
net/ipv4/route.c:880:13: error: variable 'log_martians' set but not used [-Werror=unused-but-set-variable]
Change the #ifdef to an equivalent IS_ENABLED() to let the compiler
see where the variable is used.
Fixes:
|
||
|
Arnd Bergmann
|
1afc86bcfb |
ipv6: fib: hide unused 'pn' variable
[ Upstream commit 74043489fcb5e5ca4074133582b5b8011b67f9e7 ]
When CONFIG_IPV6_SUBTREES is disabled, the only user is hidden, causing
a 'make W=1' warning:
net/ipv6/ip6_fib.c: In function 'fib6_add':
net/ipv6/ip6_fib.c:1388:32: error: variable 'pn' set but not used [-Werror=unused-but-set-variable]
Add another #ifdef around the variable declaration, matching the other
uses in this file.
Fixes:
|
||
|
Eric Dumazet
|
a82984b3c6 |
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
[ Upstream commit 237f3cf13b20db183d3706d997eedc3c49eacd44 ]
syzbot reported an illegal copy in xsk_setsockopt() [1]
Make sure to validate setsockopt() @optlen parameter.
[1]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420
Read of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549
CPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
copy_from_sockptr include/linux/sockptr.h:55 [inline]
xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420
do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fb40587de69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69
RDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006
RBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000
R10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08
</TASK>
Allocated by task 7549:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x233/0x4a0 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
__cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869
do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
The buggy address belongs to the object at ffff888028c6cde0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 1 bytes to the right of
allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)
The buggy address belongs to the physical page:
page:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c
anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001
raw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
__alloc_pages+0x256/0x680 mm/page_alloc.c:4569
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page+0x5f/0x160 mm/slub.c:2175
allocate_slab mm/slub.c:2338 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2391
___slab_alloc+0xc73/0x1260 mm/slub.c:3525
__slab_alloc mm/slub.c:3610 [inline]
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc_node+0x2db/0x4e0 mm/slub.c:3973
kmalloc_node include/linux/slab.h:648 [inline]
__vmalloc_area_node mm/vmalloc.c:3197 [inline]
__vmalloc_node_range+0x5f9/0x14a0 mm/vmalloc.c:3392
__vmalloc_node mm/vmalloc.c:3457 [inline]
vzalloc+0x79/0x90 mm/vmalloc.c:3530
bpf_check+0x260/0x19010 kernel/bpf/verifier.c:21162
bpf_prog_load+0x1667/0x20f0 kernel/bpf/syscall.c:2895
__sys_bpf+0x4ee/0x810 kernel/bpf/syscall.c:5631
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
page last free pid 6650 tgid 6647 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x95d/0xa80 mm/page_alloc.c:2346
free_unref_page_list+0x5a3/0x850 mm/page_alloc.c:2532
release_pages+0x2117/0x2400 mm/swap.c:1042
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34d/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:392
exit_mmap+0x4b6/0xd40 mm/mmap.c:3300
__mmput+0x115/0x3c0 kernel/fork.c:1345
exit_mm+0x220/0x310 kernel/exit.c:569
do_exit+0x99e/0x27e0 kernel/exit.c:865
do_group_exit+0x207/0x2c0 kernel/exit.c:1027
get_signal+0x176e/0x1850 kernel/signal.c:2907
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212
do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Memory state around the buggy address:
ffff888028c6cc80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
ffff888028c6cd00: fa fc fc fc fa fc fc fc 00 fc fc fc 06 fc fc fc
>ffff888028c6cd80: fa fc fc fc fa fc fc fc fa fc fc fc 02 fc fc fc
^
ffff888028c6ce00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
ffff888028c6ce80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
Fixes:
|
||
|
Ilya Maximets
|
583b7b856f |
net: openvswitch: fix unwanted error log on timeout policy probing
[ Upstream commit 4539f91f2a801c0c028c252bffae56030cfb2cae ]
On startup, ovs-vswitchd probes different datapath features including
support for timeout policies. While probing, it tries to execute
certain operations with OVS_PACKET_ATTR_PROBE or OVS_FLOW_ATTR_PROBE
attributes set. These attributes tell the openvswitch module to not
log any errors when they occur as it is expected that some of the
probes will fail.
For some reason, setting the timeout policy ignores the PROBE attribute
and logs a failure anyway. This is causing the following kernel log
on each re-start of ovs-vswitchd:
kernel: Failed to associated timeout policy `ovs_test_tp'
Fix that by using the same logging macro that all other messages are
using. The message will still be printed at info level when needed
and will be rate limited, but with a net rate limiter instead of
generic printk one.
The nf_ct_set_timeout() itself will still print some info messages,
but at least this change makes logging in openvswitch module more
consistent.
Fixes:
|
||
Dmitry Antipov
|
8478394f76 |
Bluetooth: Fix memory leak in hci_req_sync_complete()
commit 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810 upstream.
In 'hci_req_sync_complete()', always free the previous sync
request state before assigning reference to a new one.
Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=39ec16ff6cc18b1d066d
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Sven Eckelmann
|
70a8be9dc2 |
batman-adv: Avoid infinite loop trying to resize local TT
commit b1f532a3b1e6d2e5559c7ace49322922637a28aa upstream.
If the MTU of one of an attached interface becomes too small to transmit
the local translation table then it must be resized to fit inside all
fragments (when enabled) or a single packet.
But if the MTU becomes too low to transmit even the header + the VLAN
specific part then the resizing of the local TT will never succeed. This
can for example happen when the usable space is 110 bytes and 11 VLANs are
on top of batman-adv. In this case, at least 116 byte would be needed.
There will just be an endless spam of
batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)
in the log but the function will never finish. Problem here is that the
timeout will be halved all the time and will then stagnate at 0 and
therefore never be able to reduce the table even more.
There are other scenarios possible with a similar result. The number of
BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too
high to fit inside a packet. Such a scenario can therefore happen also with
only a single VLAN + 7 non-purgable addresses - requiring at least 120
bytes.
While this should be handled proactively when:
* interface with too low MTU is added
* VLAN is added
* non-purgeable local mac is added
* MTU of an attached interface is reduced
* fragmentation setting gets disabled (which most likely requires dropping
attached interfaces)
not all of these scenarios can be prevented because batman-adv is only
consuming events without the the possibility to prevent these actions
(non-purgable MAC address added, MTU of an attached interface is reduced).
It is therefore necessary to also make sure that the code is able to handle
also the situations when there were already incompatible system
configuration are present.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Greg Kroah-Hartman
|
578a3af78b |
Merge 5.10.213 into android12-5.10-lts
Changes in 5.10.213
mmc: mmci: stm32: use a buffer for unaligned DMA requests
mmc: mmci: stm32: fix DMA API overlapping mappings warning
lan78xx: Fix white space and style issues
lan78xx: Add missing return code checks
lan78xx: Fix partial packet errors on suspend/resume
lan78xx: Fix race conditions in suspend/resume handling
net: lan78xx: fix runtime PM count underflow on link stop
ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able
i40e: disable NAPI right after disabling irqs when handling xsk_pool
tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string
geneve: make sure to pull inner header in geneve_rx()
net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()
net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
cpumap: Zero-initialise xdp_rxq_info struct before running XDP program
net/rds: fix WARNING in rds_conn_connect_if_down
netfilter: nft_ct: fix l3num expectations with inet pseudo family
netfilter: nf_conntrack_h323: Add protection for bmp length out of range
netrom: Fix a data-race around sysctl_netrom_default_path_quality
netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser
netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser
netrom: Fix a data-race around sysctl_netrom_transport_timeout
netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries
netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay
netrom: Fix a data-race around sysctl_netrom_transport_busy_delay
netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size
netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout
netrom: Fix a data-race around sysctl_netrom_routing_control
netrom: Fix a data-race around sysctl_netrom_link_fails_count
netrom: Fix data-races around sysctl_net_busy_read
selftests/mm: switch to bash from sh
selftests: mm: fix map_hugetlb failure on 64K page size systems
um: allow not setting extra rpaths in the linux binary
xhci: remove extra loop in interrupt context
xhci: prevent double-fetch of transfer and transfer event TRBs
xhci: process isoc TD properly when there was a transaction error mid TD.
xhci: handle isoc Babble and Buffer Overrun events properly
serial: max310x: Use devm_clk_get_optional() to get the input clock
serial: max310x: Try to get crystal clock rate from property
serial: max310x: fail probe if clock crystal is unstable
serial: max310x: Make use of device properties
serial: max310x: use regmap methods for SPI batch operations
serial: max310x: use a separate regmap for each port
serial: max310x: prevent infinite while() loop in port startup
net: Change sock_getsockopt() to take the sk ptr instead of the sock ptr
bpf: net: Change sk_getsockopt() to take the sockptr_t argument
lsm: make security_socket_getpeersec_stream() sockptr_t safe
lsm: fix default return value of the socket_getpeersec_*() hooks
ext4: make ext4_es_insert_extent() return void
ext4: refactor ext4_da_map_blocks()
ext4: convert to exclusive lock while inserting delalloc extents
Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening
hv_netvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening
hv_netvsc: Wait for completion on request SWITCH_DATA_PATH
hv_netvsc: Process NETDEV_GOING_DOWN on VF hot remove
hv_netvsc: Make netvsc/VF binding check both MAC and serial number
hv_netvsc: use netif_is_bond_master() instead of open code
hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed
mm/hugetlb: change hugetlb_reserve_pages() to type bool
mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE
getrusage: add the "signal_struct *sig" local variable
getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand()
getrusage: use __for_each_thread()
getrusage: use sig->stats_lock rather than lock_task_sighand()
serial: max310x: Unprepare and disable clock in error path
Drivers: hv: vmbus: Drop error message when 'No request id available'
regmap: allow to define reg_update_bits for no bus configuration
regmap: Add bulk read/write callbacks into regmap_config
serial: max310x: make accessing revision id interface-agnostic
serial: max310x: implement I2C support
serial: max310x: fix IO data corruption in batched operations
Linux 5.10.213
Change-Id: I3450b2b1b545eeb2e3eb862f39d1846a31d17a0a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
52795b4903 |
Merge 5.10.212 into android12-5.10-lts
Changes in 5.10.212 platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names crypto: virtio/akcipher - Fix stack overflow on memcpy mtd: spinand: gigadevice: Support GD5F1GQ5UExxG mtd: spinand: gigadevice: Fix the get ecc status issue netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter net: ip_tunnel: prevent perpetual headroom growth tun: Fix xdp_rxq_info's queue_index when detaching ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected net: usb: dm9601: fix wrong return value in dm9601_mdio_read Bluetooth: Avoid potential use-after-free in hci_error_reset Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Bluetooth: Enforce validation on max value of connection interval netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back efi/capsule-loader: fix incorrect allocation size power: supply: bq27xxx-i2c: Do not free non existing IRQ ALSA: Drop leftover snd-rtctimer stuff from Makefile afs: Fix endless loop in directory parsing riscv: Sparse-Memory/vmemmap out-of-bounds fix tomoyo: fix UAF write bug in tomoyo_write_control() gtp: fix use-after-free and null-ptr-deref in gtp_newlink() wifi: nl80211: reject iftype change with mesh ID change btrfs: dev-replace: properly validate device names dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read dmaengine: fsl-qdma: init irq after reg initialization mmc: core: Fix eMMC initialization with 1-bit bus connection mmc: sdhci-xenon: add timeout for PHY init complete mmc: sdhci-xenon: fix PHY init clock stability pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers mptcp: fix possible deadlock in subflow diag ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks() cachefiles: fix memory leak in cachefiles_add_cache() fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super gpio: 74x164: Enable output pins after registers are reset gpiolib: Fix the error path order in gpiochip_add_data_with_key() gpio: fix resource unwinding order in error path mtd: spinand: gigadevice: fix Quad IO for GD5F1GQ5UExxG mptcp: fix double-free on socket dismantle Linux 5.10.212 Change-Id: I680869be06e0ddfdbd9f63255616ba316f655cb1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
67b086c845 |
Revert "mptcp: fix lockless access in subflow ULP diag"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
92a0d7e20f |
Revert "net: dev: Convert sa_data to flexible array in struct sockaddr"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
bb807b14f3 |
Revert "arp: Prevent overflow in arp_req_get()."
This reverts commit
|
||
|
Greg Kroah-Hartman
|
e92b643b4b |
Merge 5.10.211 into android12-5.10-lts
Changes in 5.10.211
net/sched: Retire CBQ qdisc
net/sched: Retire ATM qdisc
net/sched: Retire dsmark qdisc
smb: client: fix OOB in receive_encrypted_standard()
smb: client: fix potential OOBs in smb2_parse_contexts()
smb: client: fix parsing of SMB3.1.1 POSIX create context
sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset
userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb
zonefs: Improve error handling
sched/rt: Fix sysctl_sched_rr_timeslice intial value
sched/rt: Disallow writing invalid values to sched_rt_period_us
scsi: target: core: Add TMF to tmr_list handling
dmaengine: shdma: increase size of 'dev_id'
dmaengine: fsl-qdma: increase size of 'irq_name'
wifi: cfg80211: fix missing interfaces when dumping
wifi: mac80211: fix race condition on enabling fast-xmit
fbdev: savage: Error out if pixclock equals zero
fbdev: sis: Error out if pixclock equals zero
spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected
ahci: asm1166: correct count of reported ports
ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers
ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()
ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()
dmaengine: ti: edma: Add some null pointer checks to the edma_probe
regulator: pwm-regulator: Add validity checks in continuous .get_voltage
nvmet-tcp: fix nvme tcp ida memory leak
ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616
spi: sh-msiof: avoid integer overflow in constants
netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new
nvme-fc: do not wait in vain when unloading module
nvmet-fcloop: swap the list_add_tail arguments
nvmet-fc: release reference on target port
nvmet-fc: abort command when there is no binding
ext4: correct the hole length returned by ext4_map_blocks()
Input: i8042 - add Fujitsu Lifebook U728 to i8042 quirk table
efi: runtime: Fix potential overflow of soft-reserved region size
efi: Don't add memblocks for soft-reserved memory
hwmon: (coretemp) Enlarge per package core count limit
scsi: lpfc: Use unsigned type for num_sge
firewire: core: send bus reset promptly on gap count error
virtio-blk: Ensure no requests in virtqueues before deleting vqs.
pmdomain: renesas: r8a77980-sysc: CR7 must be always on
ARM: dts: BCM53573: Drop nonexistent "default-off" LED trigger
irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable
ARM: dts: imx: Set default tuning step for imx6sx usdhc
ASoC: fsl_micfil: register platform component before registering cpu dai
media: av7110: prevent underflow in write_ts_to_decoder()
hvc/xen: prevent concurrent accesses to the shared ring
hsr: Avoid double remove of a node.
x86/uaccess: Implement macros for CMPXCHG on user addresses
seccomp: Invalidate seccomp mode to catch death failures
block: ataflop: fix breakage introduced at blk-mq refactoring
powerpc/watchpoint: Workaround P10 DD1 issue with VSX-32 byte instructions
powerpc/watchpoints: Annotate atomic context in more places
cifs: add a warning when the in-flight count goes negative
mtd: spinand: macronix: Add support for MX35LFxGE4AD
ASoC: Intel: boards: harden codec property handling
ASoC: Intel: boards: get codec device with ACPI instead of bus search
ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use
task_stack, x86/cea: Force-inline stack helpers
btrfs: tree-checker: check for overlapping extent items
btrfs: introduce btrfs_lookup_match_dir
btrfs: unify lookup return value when dir entry is missing
btrfs: do not pin logs too early during renames
lan743x: fix for potential NULL pointer dereference with bare card
platform/x86: intel-vbtn: Support for tablet mode on HP Pavilion 13 x360 PC
iwlwifi: mvm: do more useful queue sync accounting
iwlwifi: mvm: write queue_sync_state only for sync
jbd2: remove redundant buffer io error checks
jbd2: recheck chechpointing non-dirty buffer
jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm()
erofs: fix lz4 inplace decompression
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
s390/cio: fix invalid -EBUSY on ccw_device_start
dm-crypt: don't modify the data when using authenticated encryption
KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler
KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()
gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
PCI/MSI: Prevent MSI hardware interrupt number truncation
l2tp: pass correct message length to ip6_append_data
ARM: ep93xx: Add terminator to gpiod_lookup_table
Revert "x86/ftrace: Use alternative RET encoding"
x86/text-patching: Make text_gen_insn() play nice with ANNOTATE_NOENDBR
x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch()
x86/ftrace: Use alternative RET encoding
x86/returnthunk: Allow different return thunks
Revert "x86/alternative: Make custom return thunk unconditional"
x86/alternative: Make custom return thunk unconditional
usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
usb: cdns3: fix memory double free when handle zero packet
usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs
usb: roles: fix NULL pointer issue when put module's reference
usb: roles: don't get/set_role() when usb_role_switch is unregistered
mptcp: fix lockless access in subflow ULP diag
IB/hfi1: Fix a memleak in init_credit_return
RDMA/bnxt_re: Return error for SRQ resize
RDMA/srpt: Support specifying the srpt_service_guid parameter
RDMA/qedr: Fix qedr_create_user_qp error flow
arm64: dts: rockchip: set num-cs property for spi on px30
RDMA/srpt: fix function pointer cast warnings
bpf, scripts: Correct GPL license name
scsi: jazz_esp: Only build if SCSI core is builtin
nouveau: fix function cast warnings
ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid
ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid
afs: Increase buffer size in afs_update_volume_status()
ipv6: sr: fix possible use-after-free and null-ptr-deref
packet: move from strlcpy with unused retval to strscpy
net: dev: Convert sa_data to flexible array in struct sockaddr
s390: use the correct count for __iowrite64_copy()
tls: rx: jump to a more appropriate label
tls: rx: drop pointless else after goto
tls: stop recv() if initial process_rx_list gave us non-DATA
netfilter: nf_tables: set dormant flag on hook register failure
drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3
drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set
drm/amd/display: Fix memory leak in dm_sw_fini()
block: ataflop: more blk-mq refactoring fixes
fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
arp: Prevent overflow in arp_req_get().
ext4: regenerate buddy after block freeing failed if under fc replay
Linux 5.10.211
Note, this merges away the following commit:
|
||
|
Greg Kroah-Hartman
|
8755d58540 |
Revert "ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()"
This reverts commit
|
||
|
Pablo Neira Ayuso
|
1016230309 |
UPSTREAM: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream. The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. Bug: 332996726 Cc: stable@vger.kernel.org Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path") Reported-by: Kuan-Ting Chen <hexrabbit@devco.re> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 8038ee3c3e5b59bcd78467686db5270c68544e30) Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I637389421d8eca5ab59a41bd1a4b70432440034c |
||
|
Pablo Neira Ayuso
|
582e001b25 |
UPSTREAM: netfilter: nf_tables: release batch on table validation from abort path
commit a45e6889575c2067d3c0212b6bc1022891e65b91 upstream.
Unlike early commit path stage which triggers a call to abort, an
explicit release of the batch is required on abort, otherwise mutex is
released and commit_list remains in place.
Add WARN_ON_ONCE to ensure commit_list is empty from the abort path
before releasing the mutex.
After this patch, commit_list is always assumed to be empty before
grabbing the mutex, therefore
03c1f1ef1584 ("netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()")
only needs to release the pending modules for registration.
Bug: 332996726
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Pablo Neira Ayuso
|
cd2fc5a605 |
UPSTREAM: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
commit 552705a3650bbf46a22b1adedc1b04181490fc36 upstream.
While the rhashtable set gc runs asynchronously, a race allows it to
collect elements from anonymous sets with timeouts while it is being
released from the commit path.
Mingi Cho originally reported this issue in a different path in 6.1.x
with a pipapo set with low timeouts which is not possible upstream since
7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set
element timeout").
Fix this by setting on the dead flag for anonymous sets to skip async gc
in this case.
According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on
transaction abort"), Florian plans to accelerate abort path by releasing
objects via workqueue, therefore, this sets on the dead flag for abort
path too.
Bug: 329205787
Cc: stable@vger.kernel.org
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Reported-by: Mingi Cho <mgcho.minic@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 406b0241d0eb598a0b330ab20ae325537d8d8163)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I6170493c267e020c50a739150f8c421deb635b35
|
||
|
Pablo Neira Ayuso
|
b58d0ac35f |
netfilter: nf_tables: discard table flag update with pending basechain deletion
commit 1bc83a019bbe268be3526406245ec28c2458a518 upstream.
Hook unregistration is deferred to the commit phase, same occurs with
hook updates triggered by the table dormant flag. When both commands are
combined, this results in deleting a basechain while leaving its hook
still registered in the core.
Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Pablo Neira Ayuso
|
2cee2ff7f8 |
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream. The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. Cc: stable@vger.kernel.org Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path") Reported-by: Kuan-Ting Chen <hexrabbit@devco.re> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Pablo Neira Ayuso
|
453c8da7ef |
netfilter: nf_tables: release batch on table validation from abort path
commit a45e6889575c2067d3c0212b6bc1022891e65b91 upstream.
Unlike early commit path stage which triggers a call to abort, an
explicit release of the batch is required on abort, otherwise mutex is
released and commit_list remains in place.
Add WARN_ON_ONCE to ensure commit_list is empty from the abort path
before releasing the mutex.
After this patch, commit_list is always assumed to be empty before
grabbing the mutex, therefore
03c1f1ef1584 ("netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()")
only needs to release the pending modules for registration.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Eric Dumazet
|
bc4d1ebca1 |
net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()
[ Upstream commit 00af2aa93b76b1bade471ad0d0525d4d29ca5cc0 ] Many syzbot reports show extreme rtnl pressure, and many of them hint that smc acquires rtnl in netns creation for no good reason [1] This patch returns early from smc_pnet_net_init() if there is no netdevice yet. I am not even sure why smc_pnet_create_pnetids_list() even exists, because smc_pnet_netdev_event() is also calling smc_pnet_add_base_pnetid() when handling NETDEV_UP event. [1] extract of typical syzbot reports 2 locks held by syz-executor.3/12252: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12253: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12257: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12261: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.0/12265: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.3/12268: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12271: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12274: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12280: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Wenjia Zhang <wenjia@linux.ibm.com> Cc: Jan Karcher <jaka@linux.ibm.com> Cc: "D. Wythe" <alibuda@linux.alibaba.com> Cc: Tony Lu <tonylu@linux.alibaba.com> Cc: Wen Gu <guwen@linux.alibaba.com> Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com> Link: https://lore.kernel.org/r/20240302100744.3868021-1-edumazet@google.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Davide Caratti
|
c137ee44c5 |
mptcp: don't account accept() of non-MPC client as fallback to TCP
commit 7a1b3490f47e88ec4cbde65f1a77a0f4bc972282 upstream.
Current MPTCP servers increment MPTcpExtMPCapableFallbackACK when they
accept non-MPC connections. As reported by Christoph, this is "surprising"
because the counter might become greater than MPTcpExtMPCapableSYNRX.
MPTcpExtMPCapableFallbackACK counter's name suggests it should only be
incremented when a connection was seen using MPTCP options, then a
fallback to TCP has been done. Let's do that by incrementing it when
the subflow context of an inbound MPC connection attempt is dropped.
Also, update mptcp_connect.sh kselftest, to ensure that the
above MIB does not increment in case a pure TCP client connects to a
MPTCP server.
Fixes:
|
||
Antoine Tenart
|
3391b15778 |
udp: do not accept non-tunnel GSO skbs landing in a tunnel
[ Upstream commit 3d010c8031e39f5fa1e8b13ada77e0321091011f ]
When rx-udp-gro-forwarding is enabled UDP packets might be GROed when
being forwarded. If such packets might land in a tunnel this can cause
various issues and udp_gro_receive makes sure this isn't the case by
looking for a matching socket. This is performed in
udp4/6_gro_lookup_skb but only in the current netns. This is an issue
with tunneled packets when the endpoint is in another netns. In such
cases the packets will be GROed at the UDP level, which leads to various
issues later on. The same thing can happen with rx-gro-list.
We saw this with geneve packets being GROed at the UDP level. In such
case gso_size is set; later the packet goes through the geneve rx path,
the geneve header is pulled, the offset are adjusted and frag_list skbs
are not adjusted with regard to geneve. When those skbs hit
skb_fragment, it will misbehave. Different outcomes are possible
depending on what the GROed skbs look like; from corrupted packets to
kernel crashes.
One example is a BUG_ON[1] triggered in skb_segment while processing the
frag_list. Because gso_size is wrong (geneve header was pulled)
skb_segment thinks there is "geneve header size" of data in frag_list,
although it's in fact the next packet. The BUG_ON itself has nothing to
do with the issue. This is only one of the potential issues.
Looking up for a matching socket in udp_gro_receive is fragile: the
lookup could be extended to all netns (not speaking about performances)
but nothing prevents those packets from being modified in between and we
could still not find a matching socket. It's OK to keep the current
logic there as it should cover most cases but we also need to make sure
we handle tunnel packets being GROed too early.
This is done by extending the checks in udp_unexpected_gso: GSO packets
lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must
be segmented.
[1] kernel BUG at net/core/skbuff.c:4408!
RIP: 0010:skb_segment+0xd2a/0xf70
__udp_gso_segment+0xaa/0x560
Fixes:
|
||
|
Antoine Tenart
|
360edeb621 |
udp: do not transition UDP GRO fraglist partial checksums to unnecessary
commit f0b8c30345565344df2e33a8417a27503589247d upstream.
UDP GRO validates checksums and in udp4/6_gro_complete fraglist packets
are converted to CHECKSUM_UNNECESSARY to avoid later checks. However
this is an issue for CHECKSUM_PARTIAL packets as they can be looped in
an egress path and then their partial checksums are not fixed.
Different issues can be observed, from invalid checksum on packets to
traces like:
gen01: hw csum failure
skb len=3008 headroom=160 headlen=1376 tailroom=0
mac=(106,14) net=(120,40) trans=160
shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
csum(0xffff232e ip_summed=2 complete_sw=0 valid=0 level=0)
hash(0x77e3d716 sw=1 l4=1) proto=0x86dd pkttype=0 iif=12
...
Fix this by only converting CHECKSUM_NONE packets to
CHECKSUM_UNNECESSARY by reusing __skb_incr_checksum_unnecessary. All
other checksum types are kept as-is, including CHECKSUM_COMPLETE as
fraglist packets being segmented back would have their skb->csum valid.
Fixes:
|
||
|
Kuniyuki Iwashima
|
fd307f2d91 |
ipv6: Fix infinite recursion in fib6_dump_done().
commit d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae upstream.
syzkaller reported infinite recursive calls of fib6_dump_done() during
netlink socket destruction. [1]
From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then
the response was generated. The following recvmmsg() resumed the dump
for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due
to the fault injection. [0]
12:01:34 executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, ... snip ...)
recvmmsg(r0, ... snip ...) (fail_nth: 8)
Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call
of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped
receiving the response halfway through, and finally netlink_sock_destruct()
called nlk_sk(sk)->cb.done().
fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it
is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by
nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling
itself recursively and hitting the stack guard page.
To avoid the issue, let's set the destructor after kzalloc().
[0]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:117)
should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
should_failslab (mm/slub.c:3733)
kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)
inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)
rtnl_dump_all (net/core/rtnetlink.c:4029)
netlink_dump (net/netlink/af_netlink.c:2269)
netlink_recvmsg (net/netlink/af_netlink.c:1988)
____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)
___sys_recvmsg (net/socket.c:2846)
do_recvmmsg (net/socket.c:2943)
__x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)
[1]:
BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)
stack guard page: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)
Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d980000 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3
RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358
RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000
R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68
FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<#DF>
</#DF>
<TASK>
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
...
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
netlink_sock_destruct (net/netlink/af_netlink.c:401)
__sk_destruct (net/core/sock.c:2177 (discriminator 2))
sk_destruct (net/core/sock.c:2224)
__sk_free (net/core/sock.c:2235)
sk_free (net/core/sock.c:2246)
process_one_work (kernel/workqueue.c:3259)
worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
kthread (kernel/kthread.c:388)
ret_from_fork (arch/x86/kernel/process.c:153)
ret_from_fork_asm (arch/x86/entry/entry_64.S:256)
Modules linked in:
Fixes:
|
||
|
Eric Dumazet
|
b14b9f9503 |
erspan: make sure erspan_base_hdr is present in skb->head
commit 17af420545a750f763025149fa7b833a4fc8b8f0 upstream.
syzbot reported a problem in ip6erspan_rcv() [1]
Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
sure erspan_base_hdr is present in skb linear part (skb->head)
before getting @ver field from it.
Add the missing pskb_may_pull() calls.
v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
because skb->head might have changed.
[1]
BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
pskb_may_pull include/linux/skbuff.h:2756 [inline]
ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:460 [inline]
ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:314 [inline]
ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5538 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
netif_receive_skb_internal net/core/dev.c:5738 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5798
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2108 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
tun_alloc_skb drivers/net/tun.c:1525 [inline]
tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2108 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
Fixes:
|
||
|
Eric Dumazet
|
5e45dc4408 |
net/sched: act_skbmod: prevent kernel-infoleak
commit d313eb8b77557a6d5855f42d2234bd592c7b50dd upstream.
syzbot found that tcf_skbmod_dump() was copying four bytes
from kernel stack to user space [1].
The issue here is that 'struct tc_skbmod' has a four bytes hole.
We need to clear the structure before filling fields.
[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
copy_to_iter include/linux/uio.h:196 [inline]
simple_copy_to_iter net/core/datagram.c:532 [inline]
__skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]
netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x2c4/0x340 net/socket.c:1068
__sys_recvfrom+0x35a/0x5f0 net/socket.c:2242
__do_sys_recvfrom net/socket.c:2260 [inline]
__se_sys_recvfrom net/socket.c:2256 [inline]
__x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was stored to memory at:
pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253
netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351
nlmsg_unicast include/net/netlink.h:1144 [inline]
nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610
rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741
rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]
tcf_add_notify net/sched/act_api.c:2048 [inline]
tcf_action_add net/sched/act_api.c:2071 [inline]
tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119
rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
____sys_sendmsg+0x877/0xb60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was stored to memory at:
__nla_put lib/nlattr.c:1041 [inline]
nla_put+0x1c6/0x230 lib/nlattr.c:1099
tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256
tcf_action_dump_old net/sched/act_api.c:1191 [inline]
tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251
tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628
tcf_add_notify_msg net/sched/act_api.c:2023 [inline]
tcf_add_notify net/sched/act_api.c:2042 [inline]
tcf_action_add net/sched/act_api.c:2071 [inline]
tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119
rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
____sys_sendmsg+0x877/0xb60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Local variable opt created at:
tcf_skbmod_dump+0x9d/0xc20 net/sched/act_skbmod.c:244
tcf_action_dump_old net/sched/act_api.c:1191 [inline]
tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
Bytes 188-191 of 248 are uninitialized
Memory access of size 248 starts at ffff888117697680
Data copied to user address 00007ffe56d855f0
Fixes:
|
||
Jakub Sitnicki
|
dd54b48db0 |
bpf, sockmap: Prevent lock inversion deadlock in map delete elem
commit ff91059932401894e6c86341915615c5eb0eca48 upstream.
syzkaller started using corpuses where a BPF tracing program deletes
elements from a sockmap/sockhash map. Because BPF tracing programs can be
invoked from any interrupt context, locks taken during a map_delete_elem
operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
is possible, as reported by lockdep:
CPU0 CPU1
---- ----
lock(&htab->buckets[i].lock);
local_irq_disable();
lock(&host->lock);
lock(&htab->buckets[i].lock);
<Interrupt>
lock(&host->lock);
Locks in sockmap are hardirq-unsafe by design. We expects elements to be
deleted from sockmap/sockhash only in task (normal) context with interrupts
enabled, or in softirq context.
Detect when map_delete_elem operation is invoked from a context which is
_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
error.
Note that map updates are not affected by this issue. BPF verifier does not
allow updating sockmap/sockhash from a BPF tracing program today.
Fixes:
|
||
|
Eric Dumazet
|
0f038242b7 |
netfilter: validate user input for expected length
commit 0c83842df40f86e529db6842231154772c20edcc upstream.
I got multiple syzbot reports showing old bugs exposed
by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc
in cgroup/{s,g}etsockopt")
setsockopt() @optlen argument should be taken into account
before copying data.
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238
CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
copy_from_sockptr include/linux/sockptr.h:55 [inline]
do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101
do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x72/0x7a
RIP: 0033:0x7fd22067dde9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8
</TASK>
Allocated by task 7238:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:4069 [inline]
__kmalloc_noprof+0x200/0x410 mm/slub.c:4082
kmalloc_noprof include/linux/slab.h:664 [inline]
__cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869
do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x72/0x7a
The buggy address belongs to the object at ffff88802cd73da0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73
flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffefff(slab)
raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122
raw: ffff88802cd73020 000000008080007f 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5103, tgid 2119833701 (syz-executor.4), ts 5103, free_ts 70804600828
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1490
prep_new_page mm/page_alloc.c:1498 [inline]
get_page_from_freelist+0x2e7e/0x2f40 mm/page_alloc.c:3454
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4712
__alloc_pages_node_noprof include/linux/gfp.h:244 [inline]
alloc_pages_node_noprof include/linux/gfp.h:271 [inline]
alloc_slab_page+0x5f/0x120 mm/slub.c:2249
allocate_slab+0x5a/0x2e0 mm/slub.c:2412
new_slab mm/slub.c:2465 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3615
__slab_alloc+0x58/0xa0 mm/slub.c:3705
__slab_alloc_node mm/slub.c:3758 [inline]
slab_alloc_node mm/slub.c:3936 [inline]
__do_kmalloc_node mm/slub.c:4068 [inline]
kmalloc_node_track_caller_noprof+0x286/0x450 mm/slub.c:4089
kstrdup+0x3a/0x80 mm/util.c:62
device_rename+0xb5/0x1b0 drivers/base/core.c:4558
dev_change_name+0x275/0x860 net/core/dev.c:1232
do_setlink+0xa4b/0x41f0 net/core/rtnetlink.c:2864
__rtnl_newlink net/core/rtnetlink.c:3680 [inline]
rtnl_newlink+0x180b/0x20a0 net/core/rtnetlink.c:3727
rtnetlink_rcv_msg+0x89b/0x10d0 net/core/rtnetlink.c:6594
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2559
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1361
page last free pid 5146 tgid 5146 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1110 [inline]
free_unref_page+0xd3c/0xec0 mm/page_alloc.c:2617
discard_slab mm/slub.c:2511 [inline]
__put_partials+0xeb/0x130 mm/slub.c:2980
put_cpu_partial+0x17c/0x250 mm/slub.c:3055
__slab_free+0x2ea/0x3d0 mm/slub.c:4254
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3888 [inline]
slab_alloc_node mm/slub.c:3948 [inline]
__do_kmalloc_node mm/slub.c:4068 [inline]
__kmalloc_node_noprof+0x1d7/0x450 mm/slub.c:4076
kmalloc_node_noprof include/linux/slab.h:681 [inline]
kvmalloc_node_noprof+0x72/0x190 mm/util.c:634
bucket_table_alloc lib/rhashtable.c:186 [inline]
rhashtable_rehash_alloc+0x9e/0x290 lib/rhashtable.c:367
rht_deferred_worker+0x4e1/0x2440 lib/rhashtable.c:427
process_one_work kernel/workqueue.c:3218 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3299
worker_thread+0x86d/0xd70 kernel/workqueue.c:3380
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
Memory state around the buggy address:
ffff88802cd73c80: 07 fc fc fc 05 fc fc fc 05 fc fc fc fa fc fc fc
ffff88802cd73d00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
>ffff88802cd73d80: fa fc fc fc 01 fc fc fc fa fc fc fc fa fc fc fc
^
ffff88802cd73e00: fa fc fc fc fa fc fc fc 05 fc fc fc 07 fc fc fc
ffff88802cd73e80: 07 fc fc fc 07 fc fc fc 07 fc fc fc 07 fc fc fc
Fixes:
|
||
|
Ziyang Xuan
|
940d41caa7 |
netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
commit 24225011d81b471acc0e1e315b7d9905459a6304 upstream.
nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can
concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().
And thhere is not any protection when iterate over nf_tables_flowtables
list in __nft_flowtable_type_get(). Therefore, there is pertential
data-race of nf_tables_flowtables list entry.
Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list
in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller
nft_flowtable_type_get() to protect the entire type query process.
Fixes:
|
||
|
Pablo Neira Ayuso
|
46c4481938 |
netfilter: nf_tables: flush pending destroy work before exit_net release
commit 24cea9677025e0de419989ecb692acd4bb34cac2 upstream.
Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy
work before netlink notifier") to address a race between exit_net and
the destroy workqueue.
The trace below shows an element to be released via destroy workqueue
while exit_net path (triggered via module removal) has already released
the set that is used in such transaction.
[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465
[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359
[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
[ 1360.547984] Call Trace:
[ 1360.547991] <TASK>
[ 1360.547998] dump_stack_lvl+0x53/0x70
[ 1360.548014] print_report+0xc4/0x610
[ 1360.548026] ? __virt_addr_valid+0xba/0x160
[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548176] kasan_report+0xae/0xe0
[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]
[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30
[ 1360.548591] process_one_work+0x2f1/0x670
[ 1360.548610] worker_thread+0x4d3/0x760
[ 1360.548627] ? __pfx_worker_thread+0x10/0x10
[ 1360.548640] kthread+0x16b/0x1b0
[ 1360.548653] ? __pfx_kthread+0x10/0x10
[ 1360.548665] ret_from_fork+0x2f/0x50
[ 1360.548679] ? __pfx_kthread+0x10/0x10
[ 1360.548690] ret_from_fork_asm+0x1a/0x30
[ 1360.548707] </TASK>
[ 1360.548719] Allocated by task 192061:
[ 1360.548726] kasan_save_stack+0x20/0x40
[ 1360.548739] kasan_save_track+0x14/0x30
[ 1360.548750] __kasan_kmalloc+0x8f/0xa0
[ 1360.548760] __kmalloc_node+0x1f1/0x450
[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]
[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]
[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
[ 1360.548927] netlink_unicast+0x367/0x4f0
[ 1360.548935] netlink_sendmsg+0x34b/0x610
[ 1360.548944] ____sys_sendmsg+0x4d4/0x510
[ 1360.548953] ___sys_sendmsg+0xc9/0x120
[ 1360.548961] __sys_sendmsg+0xbe/0x140
[ 1360.548971] do_syscall_64+0x55/0x120
[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d
[ 1360.548994] Freed by task 192222:
[ 1360.548999] kasan_save_stack+0x20/0x40
[ 1360.549009] kasan_save_track+0x14/0x30
[ 1360.549019] kasan_save_free_info+0x3b/0x60
[ 1360.549028] poison_slab_object+0x100/0x180
[ 1360.549036] __kasan_slab_free+0x14/0x30
[ 1360.549042] kfree+0xb6/0x260
[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]
[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]
[ 1360.549221] ops_exit_list+0x50/0xa0
[ 1360.549229] free_exit_list+0x101/0x140
[ 1360.549236] unregister_pernet_operations+0x107/0x160
[ 1360.549245] unregister_pernet_subsys+0x1c/0x30
[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]
[ 1360.549345] __do_sys_delete_module+0x253/0x370
[ 1360.549352] do_syscall_64+0x55/0x120
[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d
(gdb) list *__nft_release_table+0x473
0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).
11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11350 list_del(&flowtable->list);
11351 nft_use_dec(&table->use);
11352 nf_tables_flowtable_destroy(flowtable);
11353 }
11354 list_for_each_entry_safe(set, ns, &table->sets, list) {
11355 list_del(&set->list);
11356 nft_use_dec(&table->use);
11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11358 nft_map_deactivate(&ctx, set);
(gdb)
[ 1360.549372] Last potentially related work creation:
[ 1360.549376] kasan_save_stack+0x20/0x40
[ 1360.549384] __kasan_record_aux_stack+0x9b/0xb0
[ 1360.549392] __queue_work+0x3fb/0x780
[ 1360.549399] queue_work_on+0x4f/0x60
[ 1360.549407] nft_rhash_remove+0x33b/0x340 [nf_tables]
[ 1360.549516] nf_tables_commit+0x1c6a/0x2620 [nf_tables]
[ 1360.549625] nfnetlink_rcv_batch+0x728/0xdc0 [nfnetlink]
[ 1360.549647] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
[ 1360.549671] netlink_unicast+0x367/0x4f0
[ 1360.549680] netlink_sendmsg+0x34b/0x610
[ 1360.549690] ____sys_sendmsg+0x4d4/0x510
[ 1360.549697] ___sys_sendmsg+0xc9/0x120
[ 1360.549706] __sys_sendmsg+0xbe/0x140
[ 1360.549715] do_syscall_64+0x55/0x120
[ 1360.549725] entry_SYSCALL_64_after_hwframe+0x55/0x5d
Fixes:
|
||
|
Pablo Neira Ayuso
|
7b6fba6918 |
netfilter: nf_tables: reject new basechain after table flag update
commit 994209ddf4f430946f6247616b2e33d179243769 upstream.
When dormant flag is toggled, hooks are disabled in the commit phase by
iterating over current chains in table (existing and new).
The following configuration allows for an inconsistent state:
add table x
add chain x y { type filter hook input priority 0; }
add table x { flags dormant; }
add chain x w { type filter hook input priority 1; }
which triggers the following warning when trying to unregister chain w
which is already unregistered.
[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260
[...]
[ 127.322519] Call Trace:
[ 127.322521] <TASK>
[ 127.322524] ? __warn+0x9f/0x1a0
[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260
[ 127.322537] ? report_bug+0x1b1/0x1e0
[ 127.322545] ? handle_bug+0x3c/0x70
[ 127.322552] ? exc_invalid_op+0x17/0x40
[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20
[ 127.322563] ? kasan_save_free_info+0x3b/0x60
[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260
[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260
[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260
[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]
[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]
[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]
Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Mahmoud Adam
|
cfb786b03b |
net/rds: fix possible cp null dereference
commit 62fc3357e079a07a22465b9b6ef71bb6ea75ee4b upstream.
cp might be null, calling cp->cp_conn would produce null dereference
[Simon Horman adds:]
Analysis:
* cp is a parameter of __rds_rdma_map and is not reassigned.
* The following call-sites pass a NULL cp argument to __rds_rdma_map()
- rds_get_mr()
- rds_get_mr_for_dest
* Prior to the code above, the following assumes that cp may be NULL
(which is indicative, but could itself be unnecessary)
trans_private = rs->rs_transport->get_mr(
sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,
args->vec.addr, args->vec.bytes,
need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);
* The code modified by this patch is guarded by IS_ERR(trans_private),
where trans_private is assigned as per the previous point in this analysis.
The only implementation of get_mr that I could locate is rds_ib_get_mr()
which can return an ERR_PTR if the conn (4th) argument is NULL.
* ret is set to PTR_ERR(trans_private).
rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.
Thus ret may be -ENODEV in which case the code in question will execute.
Conclusion:
* cp may be NULL at the point where this patch adds a check;
this patch does seem to address a possible bug
Fixes: c055fc00c07b ("net/rds: fix WARNING in rds_conn_connect_if_down")
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240326153132.55580-1-mngyadam@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
6f3ae02bbb |
netfilter: nf_tables: disallow timeout for anonymous sets
commit e26d3009efda338f19016df4175f354a9bd0a4ab upstream. Never used from userspace, disallow these parameters. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [Keerthana: code surrounding the patch is different because nft_set_desc is not present in v4.19-v5.10] Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Bastien Nocera
|
e470880754 |
Bluetooth: Fix TOCTOU in HCI debugfs implementation
commit 7835fcfd132eb88b87e8eb901f88436f63ab60f7 upstream. struct hci_dev members conn_info_max_age, conn_info_min_age, le_conn_max_interval, le_conn_min_interval, le_adv_max_interval, and le_adv_min_interval can be modified from the HCI core code, as well through debugfs. The debugfs implementation, that's only available to privileged users, will check for boundaries, making sure that the minimum value being set is strictly above the maximum value that already exists, and vice-versa. However, as both minimum and maximum values can be changed concurrently to us modifying them, we need to make sure that the value we check is the value we end up using. For example, with ->conn_info_max_age set to 10, conn_info_min_age_set() gets called from vfs handlers to set conn_info_min_age to 8. In conn_info_min_age_set(), this goes through: if (val == 0 || val > hdev->conn_info_max_age) return -EINVAL; Concurrently, conn_info_max_age_set() gets called to set to set the conn_info_max_age to 7: if (val == 0 || val > hdev->conn_info_max_age) return -EINVAL; That check will also pass because we used the old value (10) for conn_info_max_age. After those checks that both passed, the struct hci_dev access is mutex-locked, disabling concurrent access, but that does not matter because the invalid value checks both passed, and we'll end up with conn_info_min_age = 8 and conn_info_max_age = 7 To fix this problem, we need to lock the structure access before so the check and assignment are not interrupted. This fix was originally devised by the BassCheck[1] team, and considered the problem to be an atomicity one. This isn't the case as there aren't any concerns about the variable changing while we check it, but rather after we check it parallel to another change. This patch fixes CVE-2024-24858 and CVE-2024-24857. [1] https://sites.google.com/view/basscheck/ Co-developed-by: Gui-Dong Han <2045gemini@gmail.com> Signed-off-by: Gui-Dong Han <2045gemini@gmail.com> Link: https://lore.kernel.org/linux-bluetooth/20231222161317.6255-1-2045gemini@gmail.com/ Link: https://nvd.nist.gov/vuln/detail/CVE-2024-24858 Link: https://lore.kernel.org/linux-bluetooth/20231222162931.6553-1-2045gemini@gmail.com/ Link: https://lore.kernel.org/linux-bluetooth/20231222162310.6461-1-2045gemini@gmail.com/ Link: https://nvd.nist.gov/vuln/detail/CVE-2024-24857 Fixes: |
||
Hui Wang
|
7160569281 |
Bluetooth: hci_event: set the conn encrypted before conn establishes
commit c569242cd49287d53b73a94233db40097d838535 upstream.
We have a BT headset (Lenovo Thinkplus XT99), the pairing and
connecting has no problem, once this headset is paired, bluez will
remember this device and will auto re-connect it whenever the device
is powered on. The auto re-connecting works well with Windows and
Android, but with Linux, it always fails. Through debugging, we found
at the rfcomm connection stage, the bluetooth stack reports
"Connection refused - security block (0x0003)".
For this device, the re-connecting negotiation process is different
from other BT headsets, it sends the Link_KEY_REQUEST command before
the CONNECT_REQUEST completes, and it doesn't send ENCRYPT_CHANGE
command during the negotiation. When the device sends the "connect
complete" to hci, the ev->encr_mode is 1.
So here in the conn_complete_evt(), if ev->encr_mode is 1, link type
is ACL and HCI_CONN_ENCRYPT is not set, we set HCI_CONN_ENCRYPT to
this conn, and update conn->enc_key_size accordingly.
After this change, this BT headset could re-connect with Linux
successfully. This is the btmon log after applying the patch, after
receiving the "Connect Complete" with "Encryption: Enabled", will send
the command to read encryption key size:
> HCI Event: Connect Request (0x04) plen 10
Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
Class: 0x240404
Major class: Audio/Video (headset, speaker, stereo, video, vcr)
Minor class: Wearable Headset Device
Rendering (Printing, Speaker)
Audio (Speaker, Microphone, Headset)
Link type: ACL (0x01)
...
> HCI Event: Link Key Request (0x17) plen 6
Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
Link key: ${32-hex-digits-key}
...
> HCI Event: Connect Complete (0x03) plen 11
Status: Success (0x00)
Handle: 256
Address: 8C:3C:AA:D8:11:67 (OUI 8C-3C-AA)
Link type: ACL (0x01)
Encryption: Enabled (0x01)
< HCI Command: Read Encryption Key... (0x05|0x0008) plen 2
Handle: 256
< ACL Data TX: Handle 256 flags 0x00 dlen 10
L2CAP: Information Request (0x0a) ident 1 len 2
Type: Extended features supported (0x0002)
> HCI Event: Command Complete (0x0e) plen 7
Read Encryption Key Size (0x05|0x0008) ncmd 1
Status: Success (0x00)
Handle: 256
Key size: 16
Cc: stable@vger.kernel.org
Link: https://github.com/bluez/bluez/issues/704
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Eric Dumazet
|
e3e27d2b44 |
tcp: properly terminate timers for kernel sockets
[ Upstream commit 151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada ]
We had various syzbot reports about tcp timers firing after
the corresponding netns has been dismantled.
Fortunately Josef Bacik could trigger the issue more often,
and could test a patch I wrote two years ago.
When TCP sockets are closed, we call inet_csk_clear_xmit_timers()
to 'stop' the timers.
inet_csk_clear_xmit_timers() can be called from any context,
including when socket lock is held.
This is the reason it uses sk_stop_timer(), aka del_timer().
This means that ongoing timers might finish much later.
For user sockets, this is fine because each running timer
holds a reference on the socket, and the user socket holds
a reference on the netns.
For kernel sockets, we risk that the netns is freed before
timer can complete, because kernel sockets do not hold
reference on the netns.
This patch adds inet_csk_clear_xmit_timers_sync() function
that using sk_stop_timer_sync() to make sure all timers
are terminated before the kernel socket is released.
Modules using kernel sockets close them in their netns exit()
handler.
Also add sock_not_owned_by_me() helper to get LOCKDEP
support : inet_csk_clear_xmit_timers_sync() must not be called
while socket lock is held.
It is very possible we can revert in the future commit
3a58f13a881e ("net: rds: acquire refcount on TCP sockets")
which attempted to solve the issue in rds only.
(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)
We probably can remove the check_net() tests from
tcp_out_of_resources() and __tcp_close() in the future.
Reported-by: Josef Bacik <josef@toxicpanda.com>
Closes: https://lore.kernel.org/netdev/20240314210740.GA2823176@perftesting/
Fixes:
|
||
|
Ryosuke Yasuoka
|
755e53bbc6 |
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
[ Upstream commit d24b03535e5eb82e025219c2f632b485409c898f ]
syzbot reported the following uninit-value access issue [1][2]:
nci_rx_work() parses and processes received packet. When the payload
length is zero, each message type handler reads uninitialized payload
and KMSAN detects this issue. The receipt of a packet with a zero-size
payload is considered unexpected, and therefore, such packets should be
silently discarded.
This patch resolved this issue by checking payload size before calling
each message type handler codes.
Fixes:
|
||
|
Felix Fietkau
|
e8b067c405 |
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
commit 4f2bdb3c5e3189297e156b3ff84b140423d64685 upstream. When moving a station out of a VLAN and deleting the VLAN afterwards, the fast_rx entry still holds a pointer to the VLAN's netdev, which can cause use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx after the VLAN change. Cc: stable@vger.kernel.org Reported-by: ranygh@riseup.net Signed-off-by: Felix Fietkau <nbd@nbd.name> Link: https://msgid.link/20240316074336.40442-1-nbd@nbd.name Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |