[PATCH 5.4 000/142] 5.4.44-rc1 review

LKML Archive on lore.kernel.org

From: Greg Kroah-Hartman @ :52 UTC
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches, ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 5.4.44 release.
There are 142 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 03 Jun :38:19 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	/pub/linux/kernel/v5.x/stable-review/patch-5.4.44-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

Pseudo-Shortlog of commits:

Greg Kroah-Hartman: Linux 5.4.44-rc1
Changbin Du: perf: Make perf able to build with latest libbfd
Pablo Neira Ayuso: netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
Nathan Chancellor: netfilter: conntrack: Pass value of ctinfo to __nf_conntrack_update
Pablo Neira Ayuso: netfilter: conntrack: comparison of unsigned in cthelper confirmation
Dmitry Torokhov: Revert “Input: i add ThinkPad S230u to i8042 nomux list”
Qiushi Wu: bonding: Fix reference count leak in bond_sysfs_slave_add.
Vladimir Oltean: net: dsa: declare lockless TX feature for slave ports
David Ahern: ipv4: nexthop version of fib_info_nh_uses_dev
David Ahern: nexthop: Expand nexthop_is_multipath in a few places
Nikolay Aleksandrov: nexthops: don’t modify published nexthop groups
David Ahern: nexthops: Move code from remove_nexthop_from_groups to remove_nh_grp_entry
Eric Dumazet: crypto: chelsio/chtls: properly set tp->lsndtime
Qiushi Wu: qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
Björn Töpel: xsk: Add overflow check for u64 division, stored into u32
Pradeep Kumar Chitrapu: ieee80211: Fix incorrect mask for default PE duration
Michael Chan: bnxt_en: Fix accumulation of bp->net_stats_prev.
Xin Long: esp6: get the right proto for transport mode in esp6_gso_encap
Pablo Neira Ayuso: netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
Pablo Neira Ayuso: netfilter: nfnetlink_cthelper: unbreak userspace helper support
Pablo Neira Ayuso: netfilter: conntrack: make conntrack userspace helpers work again
Phil Sutter: netfilter: ipset: Fix subcounter update skip
Michael Braun: netfilter: nft_reject_bridge: enable reject with bridge vlan
Xin Long: ip_vti: receive ipip packet by calling ip_tunnel_rcv
Antony Antony: xfrm: fix error in comment
Xin Long: xfrm: fix a NULL-ptr deref in xfrm_local_error
Xin Long: xfrm: fix a warning in xfrm_policy_insert_list
Nicolas Dichtel: xfrm interface: fix oops when deleting a x-netns interface
Xin Long: xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
Xin Long: xfrm: remove the xfrm_state_put call becofe going to out_reset
Xin Long: xfrm: do pskb_pull properly in __xfrm_transport_prep
Xin Long: xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
Al Viro: copy_xstate_to_kernel(): don’t leave parts of destination uninitialized
Alexander Dahl: x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
Linus Lüssing: mac80211: mesh: fix discovery timer re-arming issue / crash
Andy Lutomirski: x86/syscalls: Revert “x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long”
Johannes Berg: cfg80211: fix debugfs rename crash
Helge Deller: parisc: Fix kernel panic in mem_init()
Qiushi Wu: iommu: Fix reference count leak in iommu_group_alloc.
Linus Walleij: gpio: fix locking open drain IRQ lines
Jens Axboe: Revert “block: end bio with BLK_STS_AGAIN in case of non-mq devs and REQ_NOWAIT”
Arnd Bergmann: include/asm-generic/topology.h: guard cpumask_of_node() macro argument
Alexander Potapenko: fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
Konstantin Khlebnikov: mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
Hugh Dickins: mm,thp: stop leaking unreleased file pages
Valentine Fatiev: IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
Simon Ser: drm/amd/display: drop cursor position check in atomic test
Jason Gunthorpe: RDMA/core: Fix double destruction of uobject
Jeff Layton: ceph: flush release queue when handling caps for unknown inode
Jerry Lee: libceph: ignore pool overlay and cache logic on redirects
Kailang Yang: ALSA: hda/realtek – Add new codec supported for ALC287
Takashi Iwai: ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio
Vinod Koul: clk: qcom: gcc: Fix parent for gpll0_out_even
Eric W. Biederman: exec: Always set cap_ambient in cap_bprm_set_creds
Chris Chiu: ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
Takashi Iwai: ALSA: hda/realtek – Add a model for Thinkpad T570 without DAC workaround
Changming Liu: ALSA: hwdep: fix a left shifting 1 by 31 UB bug
Qiushi Wu: RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
Tiezhu Yang: gpio: bcm-kona: Fix return value of bcm_kona_gpio_probe()
Tiezhu Yang: gpio: pxa: Fix return value of pxa_gpio_probe()
Peng Hao: mmc: block: Fix use-after-free issue for rpmb
Hamish Martin: ARM: dts: bcm: HR2: Fix PPI interrupt types
Vincent Stehlé: ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
Robert Beckett: ARM: dts/imx6q-bx50v3: Set display interface clock parents
Kaike Wan: IB/qib: Call kobject_put() when kobject_init_and_add() fails
Paul Cercueil: gpu/drm: Ingenic: Fix opaque pointer casted to wrong type
Dennis YC Hsieh: soc: mediatek: cmdq: return send msg error code
Hsin-Yi Wang: arm64: dts: mt8173: fix vcodec-enc clock
Takashi Iwai: gpio: exar: Fix bad handling for ida_simple_get error path
Russell King: ARM: uaccess: fix DACR mismatch with nested exceptions
Russell King: ARM: uaccess: integrate uaccess_save and uaccess_restore
Russell King: ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
Łukasz Stelmach: ARM: 8970/1: decompressor: increase tag size
Wei Yongjun: Input: synaptics-rmi4 – fix error return code in rmi_driver_probe()
Evan Green: Input: synaptics-rmi4 – really fix attn_data use-after-free
Kevin Locke: Input: i add ThinkPad S230u to i8042 reset list
Christophe JAILLET: Input: dlink-dir685-touchkeys – fix a typo in driver name
Łukasz Patron: Input: xpad – add custom init packet for Xbox One S controllers
Brendan Shanks: Input: evdev – call input_flush_device() on release(), not flush()
Kevin Locke: Input: i add ThinkPad S230u to i8042 nomux list
James Hilliard: Input: usbtouchscreen – add support for BonXeon TP
Madhuparna Bhowmik: drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c
Matteo Croce: samples: bpf: Fix build error
Al Viro: csky: Fixup raw_copy_from_user()
Steve French: cifs: Fix null pointer check in cifs_read
Amy Shih: hwmon: (nct7904) Fix incorrect range of temperature limit registers
Liu Yibin: csky: Fixup remove duplicate irq_disable
Mao Han: csky: Fixup perf callchain unwind
Liu Yibin: csky: Fixup msa highest 3 bits mask
Tero Kristo: clk: ti: am33xx: fix RTC clock parent
Kefeng Wang: riscv: stacktrace: Fix undefined reference to `walk_stackframe’
Denis V. Lunev: IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
Arnd Bergmann: net: freescale: select CONFIG_FIXED_PHY where needed
Masahiro Yamada: usb: gadget: legacy: fix redundant initialization warnings
Christophe JAILLET: usb: phy: twl6030-usb: Fix a resource leak in an error handling path in ‘twl6030_usb_probe()’
Andy Shevchenko: usb: dwc3: pci: Enable extcon driver for Intel Merrifield
Lei Xue: cachefiles: Fix race between read_waiter and read_copier involving op->to_do
Felix Kuehling: drm/amdgpu: Use GEM obj reference for KFD BOs
Evan Quan: drm/amd/powerplay: perform PG ungate prior to CG ungate
Evan Quan: drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate
Andreas Gruenbacher: gfs2: Grab glock reference sooner in gfs2_add_revoke
Bob Peterson: gfs2: don’t call quota_unhold if quotas are not locked
Bob Peterson: gfs2: move privileged user check to gfs2_quota_lock_check
Chuhong Yuan: net: microchip: encx24j600: add missed kthread_stop
Andrew Oakley: ALSA: usb-audio: add mapping for ASRock TRX40 Creator
Stephen Warren: gpio: tegra: mask GPIO IRQs during IRQ shutdown
Johan Jonker: ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
Johan Jonker: ARM: dts: rockchip: swap clock-names of gpu nodes
Johan Jonker: arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
Johan Jonker: arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
Johan Jonker: ARM: dts: rockchip: fix phy nodename for rk3229-xms6
Johan Jonker: ARM: dts: rockchip: fix phy nodename for rk3228-evb
Jiri Pirko: mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
Qiushi Wu: net/mlx4_core: fix a memory leak bug.
Qiushi Wu: net: sun: fix missing release regions in cas_init_one().
Vadim Fedorenko: net/tls: free record only on encryption error
Vadim Fedorenko: net/tls: fix encryption error checking
Roi Dayan: net/mlx5: Annotate mutex destroy for root ns
Shay Drory: net/mlx5: Fix error flow in case of function_setup failure
Moshe Shemesh: net/mlx5e: Update netdev txq on completions during closure
Moshe Shemesh: net/mlx5: Fix memory leak in mlx5_events_init
Roi Dayan: net/mlx5e: Fix inner tirs handling
Tariq Toukan: net/mlx5e: kTLS, Destroy key object after destroying the TIS
Eric Dumazet: tipc: block BH before using dst_cache
Jere Leppänen: sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
Neil Horman: sctp: Don’t add the shutdown timer if its already been added
Marc Payne: r8152: support additional Microsoft Surface Ethernet Adapter variant
David Ahern: nexthop: Fix attribute checking for groups
Vinay Kumar Yadav: net/tls: fix race condition causing kernel panic
Roman Mashak: net sched: fix reporting the first-time use timestamp
Yuqi Jin: net: revert “net: get rid of an signed integer overflow in ip_idents_reserve()”
Manivannan Sadhasivam: net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
Stephen Worley: net: nlmsg_cancel() if put fails for nhmsg
Russell King: net: mvpp2: fix RX hashing for non-10G ports
Moshe Shemesh: net/mlx5: Add command entry handling completion
Vadim Fedorenko: net: ipip: fix wrong address family in init error path
Martin KaFai Lau: net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
Boris Sukholitko: __netif_receive_skb_core: pass skb by reference
Grygorii Strashko: net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
DENG Qingfang: net: dsa: mt7530: fix roaming from DSA user ports
Sabrina Dubroca: net: don’t return invalid table id error when we fall back to PF_UNSPEC
Vladimir Oltean: dpaa_eth: fix usage as DSA master, try 3
Eric Dumazet: ax25: fix setsockopt(SO_BINDTODEVICE)

Diffstat:

Makefile | 4 +-
arch/arm/boot/compressed/vmlinux.lds.S | 2 +-
arch/arm/boot/dts/bcm-hr2.dtsi | 6 +-
arch/arm/boot/dts/bcm2835-rpi-zero-w.dts | 2 +-
arch/arm/boot/dts/imx6q-b450v3.dts | 7 —
arch/arm/boot/dts/imx6q-b650v3.dts | 7 —
arch/arm/boot/dts/imx6q-b850v3.dts |
arch/arm/boot/dts/imx6q-bx50v3.dtsi | 15 +++
arch/arm/boot/dts/rk3036.dtsi | 2 +-
arch/arm/boot/dts/rk3228-evb.dts | 2 +-
arch/arm/boot/dts/rk3229-xms6.dts | 2 +-
arch/arm/boot/dts/rk322x.dtsi | 6 +-
arch/arm/boot/dts/rk3xxx.dtsi | 2 +-
arch/arm/include/asm/assembler.h | 75 +
arch/arm/include/asm/uaccess-asm.h | 117 +++++++++++++++
arch/arm/kernel/entry-armv.S | 11 +-
arch/arm/kernel/entry-header.S | 9 +-
arch/arm64/boot/dts/mediatek/mt8173.dtsi | 4 +-
arch/arm64/boot/dts/rockchip/rk3328-evb.dts | 2 +-
arch/arm64/boot/dts/rockchip/rk3399.dtsi | 8 +-
arch/csky/abiv1/inc/abi/entry.h | 4 +-
arch/csky/abiv2/inc/abi/entry.h | 4 +-
arch/csky/include/asm/uaccess.h | 49 +++++—-
arch/csky/kernel/entry.S | 2 –
arch/csky/kernel/perf_callchain.c | 9 +-
arch/csky/lib/usercopy.c | 8 +-
arch/parisc/mm/init.c | 2 +-
arch/riscv/kernel/stacktrace.c | 2 +-
arch/x86/include/asm/dma.h | 2 +-
arch/x86/include/uapi/asm/unistd.h | 11 +-
arch/x86/kernel/fpu/xstate.c | 86 ++++++++
block/blk-core.c | 11 +-
drivers/clk/qcom/gcc-sm8150.c | 3 +-
drivers/clk/ti/clk-33xx.c | 2 +-
drivers/crypto/chelsio/chtls/chtls_io.c | 2 +-
drivers/gpio/gpio-bcm-kona.c | 2 +-
drivers/gpio/gpio-exar.c | 7 +-
drivers/gpio/gpio-pxa.c | 4 +-
drivers/gpio/gpio-tegra.c | 1 +
drivers/gpio/gpiolib.c | 11 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 5 +-
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 6 +-
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 12 +–
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 7 —
drivers/gpu/drm/amd/powerplay/amd_powerplay.c | 6 +-
drivers/gpu/drm/amd/powerplay/amdgpu_smu.c | 6 +-
drivers/gpu/drm/ingenic/ingenic-drm.c | 2 +-
drivers/hwmon/nct7904.c | 4 +-
drivers/infiniband/core/rdma_core.c | 20 ++–
drivers/infiniband/hw/i40iw/i40iw_cm.c | 8 —
drivers/infiniband/hw/qib/qib_sysfs.c | 9 +-
drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c | 2 +-
drivers/infiniband/ulp/ipoib/ipoib.h | 4 +
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 15 +–
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 +-
drivers/infiniband/ulp/ipoib/ipoib_main.c | 10 +-
drivers/input/evdev.c | 19 +—
drivers/input/joystick/xpad.c | 12 +++
drivers/input/keyboard/dlink-dir685-touchkeys.c | 2 +-
drivers/input/rmi4/rmi_driver.c | 5 +-
drivers/input/serio/i8042-x86ia64io.h | 7 ++
drivers/input/touchscreen/usbtouchscreen.c | 1 +
drivers/iommu/iommu.c | 2 +-
drivers/mmc/core/block.c | 2 +-
drivers/net/bonding/bond_sysfs_slave.c | 4 +-
drivers/net/dsa/mt7530.c | 9 +-
drivers/net/dsa/mt7530.h | 1 +
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
drivers/net/ethernet/freescale/Kconfig | 2 +
drivers/net/ethernet/freescale/dpaa/Kconfig | 1 +
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
drivers/net/ethernet/mellanox/mlx4/fw.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 14 +++
drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
…/ethernet/mellanox/mlx5/core/en_accel/ktls.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 12 ++-
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 4 +-
drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 9 +-
drivers/net/ethernet/mellanox/mlx5/core/events.c | 4 +-
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 6 ++
…/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 4 +-
drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 +-
drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 14 ++-
drivers/net/ethernet/mellanox/mlxsw/switchx2.c | 8 ++
drivers/net/ethernet/microchip/encx24j600.c | 5 +-
…/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 +-
drivers/net/ethernet/sun/cassini.c | 3 +-
drivers/net/ethernet/ti/cpsw.c | 4 +
drivers/net/hamradio/bpqether.c | 3 +-
drivers/net/usb/cdc_ether.c | 11 +-
drivers/net/usb/r8152.c | 1 +
drivers/soc/mediatek/mtk-cmdq-helper.c | 4 +-
drivers/usb/dwc3/dwc3-pci.c | 1 +
drivers/usb/gadget/legacy/inode.c | 3 +-
drivers/usb/phy/phy-twl6030-usb.c | 12 ++-
fs/binfmt_elf.c | 2 +-
fs/cachefiles/rdwr.c | 2 +-
fs/ceph/caps.c | 2 +-
fs/cifs/file.c | 2 +-
fs/gfs2/log.c | 6 +-
fs/gfs2/quota.c | 6 +-
fs/gfs2/quota.h | 3 +-
include/asm-generic/topology.h | 2 +-
include/linux/ieee80211.h | 2 +-
include/linux/mlx5/driver.h | 1 +
include/linux/mm.h | 15 ++-
include/linux/netfilter/nf_conntrack_pptp.h | 2 +-
include/net/act_api.h | 3 +-
include/net/ip_fib.h | 11 +-
include/net/nexthop.h | 67 +++++++++—
include/net/tls.h | 4 +
include/rdma/uverbs_std_types.h | 2 +-
include/uapi/linux/xfrm.h | 2 +-
mm/khugepaged.c | 1 +
net/ax25/af_ax25.c | 6 +-
net/bridge/netfilter/nft_reject_bridge.c | 6 ++
net/ceph/osd_client.c | 4 +-
net/core/dev.c | 20 +++-
net/dsa/slave.c | 1 +
net/dsa/tag_mtk.c | 15 +++
net/ipv4/esp4_offload.c | 4 +-
net/ipv4/fib_frontend.c | 22 ++–
net/ipv4/inet_connection_sock.c | 43 ++++—-
net/ipv4/ip_vti.c | 23 +++-
net/ipv4/ipip.c | 2 +-
net/ipv4/ipmr.c | 2 +-
net/ipv4/netfilter/nf_nat_pptp.c | 7 +-
net/ipv4/nexthop.c | 105 +++++++++++
net/ipv4/route.c | 14 ++-
net/ipv6/esp6_offload.c | 13 ++-
net/ipv6/ip6_fib.c | 2 +-
net/ipv6/ip6mr.c | 2 +-
net/mac80211/mesh_hwmp.c | 7 ++
net/netfilter/ipset/ip_set_list_set.c | 2 +-
net/netfilter/nf_conntrack_core.c | 80 ++++++++++++–
net/netfilter/nf_conntrack_pptp.c | 62 ++++++—–
net/netfilter/nfnetlink_cthelper.c | 3 +-
net/qrtr/qrtr.c | 2 +-
net/sctp/sm_sideeffect.c | 14 ++-
net/sctp/sm_statefuns.c | 9 +-
net/tipc/udp_media.c | 6 +-
net/tls/tls_sw.c | 50 ++++++—
net/wireless/core.c | 2 +-
net/xdp/xdp_umem.c | 8 +-
net/xfrm/xfrm_device.c | 8 +-
net/xfrm/xfrm_input.c | 2 +-
net/xfrm/xfrm_interface.c | 21 ++++
net/xfrm/xfrm_output.c | 15 +–
net/xfrm/xfrm_policy.c | 7 +-
samples/bpf/lwt_len_hist_user.c | 2 –
security/commoncap.c | 1 +
sound/core/hwdep.c | 4 +-
sound/pci/hda/patch_realtek.c | 39 +++++–
sound/usb/mixer.c | 8 ++
sound/usb/mixer_maps.c | 24 +++++
sound/usb/quirks-table.h | 26 +++++
tools/arch/x86/include/uapi/asm/unistd.h | 2 +-
tools/perf/util/srcline.c | 16 ++-
159 files changed, 1101 insertions(+), 594 deletions(-)

[PATCH 5.4 001/142] ax25: fix setsockopt(SO_BINDTODEVICE)

From: Greg Kroah-Hartman @ :52 UTC
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller
From: Eric Dumazet

[ Upstream commit cec056b38a4c8f3291e0dd7a9145f7b667 ]

syzbot was able to trigger this trace [1], probably by using
a zero optlen.

While we are at it, cap optlen to IFNAMSIZ - 1 instead of IFNAMSIZ.

[1]
BUG: KMSAN: uninit-value in strnlen+0xf9/0x170 lib/string.c:
CPU: 0 PID: 8807 Comm: syz-executor483 Not tainted 5.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:
 strnlen+0xf9/0x170 lib/string.c:
 dev_name_hash net/core/dev.c:207 [inline]
 netdev_name_node_lookup net/core/dev.c:277 [inline]
 __dev_get_by_name+0x75/0x2b0 net/core/dev.c:
 ax25_setsockopt+0xfa3/0x1170 net/ax25/af_ax25.c:
 __compat_sys_setsockopt+0x4ed/0x910 net/compat.c:
 __do_compat_sys_setsockopt net/compat.c:413 [inline]
 __se_compat_sys_setsockopt+0xdd/0x100 net/compat.c:
 __ia32_compat_sys_setsockopt+0x62/0x80 net/compat.c:
 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
 do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:
 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:
RIP: 0023:0xf7f57dd9
Code: 90 e8 0b f3 90 0f ae e8 eb f9 8d c 24 c e5 0f 34 cd 80 5a 59 c eb 0d
RSP: 002b: ffae8c1c EFLAGS: ORIG_RAX: e
RAX: ffffffffffffffda RBX: RCX: RDX: RSI: RDI: RBP: R08: R09: R10: R11: R12: R13: R14: R15:

Local variable —- created at:
 ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:
 ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:

Fixes: 1da177e4c3f4 (“Linux-2.6.12-rc2”)
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

net/ax25/af_ax25.c | 6 ++++
file changed, 4 insertions(+), 2 deletions(-)

a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -635,8 +635,10 @@ static int ax25_setsockopt(struct socket break; case SO_BINDTODEVICE: if (optlen > IFNAMSIZ) optlen = IFNAMSIZ;
+ if (optlen > IFNAMSIZ – 1)
+ optlen = IFNAMSIZ – 1;
+
+ memset(devname, 0, sizeof(devname)); if (copy_from_user(devname, optval, optlen)) 2 + file changed, 1 insertion(+), 1 deletion(-) a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -2802,7 +2802,7 @@ static int dpaa_eth_probe(struct platfor /* Do this here, so we can be verbose early */ SET_NETDEV_DEV(net_dev, dev);
+ SET_NETDEV_DEV(net_dev, dev->parent); dev_set_drvdata(dev, net_dev); priv = netdev_priv(net_dev);
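Review bot: in the af_ax25.c hunk, the cap at IFNAMSIZ - 1 together with the memset() is what guarantees the terminator in devname: the removed cap at IFNAMSIZ let a caller pass a full 16-byte name and leave no NUL byte, and a short or zero optlen left the tail of the stack buffer uninitialized, which is what KMSAN flagged in strnlen() under __dev_get_by_name(). The hunk still sizes the copy by the caller's optlen, which is fine now that the buffer is zeroed first, but a one-line comment above the cap saying that IFNAMSIZ - 1 reserves the last byte for the NUL would stop the next reader from "fixing" it back to IFNAMSIZ.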
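Review bot: in the dpaa_eth.c hunk, the replacement line SET_NETDEV_DEV(net_dev, dev->parent); dereferences dev->parent with no NULL check; if the DSA-master use case relies on the platform device always having a parent at this point in dpaa_eth_probe(), the commit message or a short comment should state that guarantee, because SET_NETDEV_DEV() with a NULL parent would silently leave the netdev unattached in the device hierarchy rather than fail loudly.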
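The two boundary inputs behind this fix, as an added userspace model that is not kernel code and not part of the patch: bind_old() mirrors the removed cap at IFNAMSIZ with no zeroing, bind_fixed() the new cap at IFNAMSIZ - 1 plus memset(), and name_terminated() stands in for the bounded strnlen() that __dev_get_by_name() performs; the helper names and the 0xAA stand-in for stale stack bytes are assumptions.

```c
/* Added userspace model of the SO_BINDTODEVICE handling changed above.
 * Not kernel code: only IFNAMSIZ and the cap/memset/strnlen shape come
 * from the patch; the helper names and the 0xAA fill are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define IFNAMSIZ 16

/* Pre-patch shape: cap optlen at IFNAMSIZ and copy into a buffer that is
 * never zeroed, so a 16-byte name leaves no terminator and a short or
 * zero optlen leaves whatever was on the stack behind the copied bytes. */
static size_t bind_old(char *devname, const char *optval, size_t optlen)
{
	if (optlen > IFNAMSIZ)
		optlen = IFNAMSIZ;
	memcpy(devname, optval, optlen);	/* stands in for copy_from_user() */
	return optlen;
}

/* Post-patch shape: reserve the last byte for the NUL by capping at
 * IFNAMSIZ - 1, and zero the buffer before the copy so any bytes the
 * caller did not supply are defined. */
static size_t bind_fixed(char *devname, const char *optval, size_t optlen)
{
	if (optlen > IFNAMSIZ - 1)
		optlen = IFNAMSIZ - 1;
	memset(devname, 0, IFNAMSIZ);
	memcpy(devname, optval, optlen);
	return optlen;
}

/* What the consumer relies on: __dev_get_by_name() hashes the name with a
 * strnlen() bounded by IFNAMSIZ. Returns 1 when a NUL lies inside the
 * buffer, 0 when the length search runs off the end of it. */
static int name_terminated(const char *devname)
{
	return strnlen(devname, IFNAMSIZ) < IFNAMSIZ;
}

/* Run one variant against a buffer pre-filled with a constructed 0xAA
 * pattern, standing in for stale stack contents (the "uninit-value" KMSAN
 * reported). Returns name_terminated() for the resulting buffer. */
static int check(size_t (*bind)(char *, const char *, size_t),
		 const char *optval, size_t optlen)
{
	char devname[IFNAMSIZ];

	memset(devname, 0xAA, sizeof(devname));
	bind(devname, optval, optlen);
	return name_terminated(devname);
}

int main(void)
{
	/* constructed inputs: a name that exactly fills the buffer, a zero
	 * optlen, and an ordinary short name including its NUL */
	const char *full = "ax0123456789abcd";	/* 16 bytes, no room for NUL */

	printf("full name, old: %d  fixed: %d\n",
	       check(bind_old, full, 16), check(bind_fixed, full, 16));
	printf("optlen 0,  old: %d  fixed: %d\n",
	       check(bind_old, "ax0", 0), check(bind_fixed, "ax0", 0));
	printf("short,     old: %d  fixed: %d\n",
	       check(bind_old, "ax0", 4), check(bind_fixed, "ax0", 4));
	return 0;
}
```

The short-name case passes with both versions, which is why the bug only showed up under a fuzzer driving the two boundaries.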

[PATCH 5.4 003/142] net: don't return invalid table id error when we fall back to PF_UNSPEC

From: Greg Kroah-Hartman @ :52 UTC
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sabrina Dubroca, David Ahern, David S. Miller

From: Sabrina Dubroca

[ Upstream commit 41b4bd986f86331efc599b9a3f5fb86ad92e9af9 ]
In case we can’t find a ->dumpit callback for the requested
(family,type) pair, we fall back to (PF_UNSPEC,type). In effect, we’re
in the same situation as if userspace had requested a PF_UNSPEC
dump. For RTM_GETROUTE, that handler is rtnl_dump_all, which calls all
the registered RTM_GETROUTE handlers.
The requested table id may or may not exist for all of those
families. commit ae677bbb4441 (“net: Don’t return invalid table id
error when dumping all families”) fixed the problem when userspace
explicitly requests a PF_UNSPEC dump, but missed the fallback case.
For example, when we pass ipv6.disable=1 to a kernel with
CONFIG_IP_MROUTE=y and CONFIG_IP_MROUTE_MULTIPLE_TABLES=y,
the (PF_INET6, RTM_GETROUTE) handler isn’t registered, so we end up in
rtnl_dump_all, and listing IPv6 routes will unexpectedly print:

    # ip -6 r
    Error: ipv4: MR table does not exist.
    Dump terminated

commit ae677bbb4441 introduced the dump_all_families variable, which
gets set when userspace requests a PF_UNSPEC dump. However, we can’t
simply set the family to PF_UNSPEC in rtnetlink_rcv_msg in the
fallback case to get dump_all_families == true, because some message
types (for example RTM_GETRULE and RTM_GETNEIGH) only register the
PF_UNSPEC handler and use the family to filter in the kernel what is
dumped to userspace. We would then export more entries that userspace
would have to filter. iproute does that, but other programs may not.
Instead, this patch removes dump_all_families and updates the
RTM_GETROUTE handlers to check if the family that is being dumped is
their own. When it’s not, which covers both the intentional PF_UNSPEC
dumps (as dump_all_families did) and the fallback case, ignore the
missing table id error.
Fixes: cb167893f41e (“net: Plumb support for filtering ipv4 and ipv6 multicast route dumps”)
Signed-off-by: Sabrina Dubroca
Reviewed-by: David Ahern
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

include/net/ip_fib.h |
net/ipv4/fib_frontend.c | 3 +
net/ipv4/ipmr.c | 2 +
net/ipv6/ip6_fib.c | 2 +
net/ipv6/ip6mr.c | 2 +
files changed, 4 insertions(+), 6 deletions(-)

a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -244,7 +244,6 @@ struct fib_dump_filter 14 ++++++ file changed, 6 insertions(+), 8 deletions(-) a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -490,18 +490,16 @@ u32 ip_idents_reserve(u32 hash, int segs atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ; u32 old = READ_ONCE(*p_tstamp); u32 now = (u32)jiffies; u32 new, delta = 0;
+ u32 delta = 0; if (old != now && cmpxchg(p_tstamp, old, now) == old) delta = prandom_u32_max(now – old); /* Do not use atomic_add_return() as it makes UBSAN unhappy */ do { old = (u32)atomic_read(p_id); new = old + delta + segs; } while (atomic_cmpxchg(p_id, old, new) != old); return new – segs;
+ /* If UBSAN reports an error there, please make sure your compiler
+ * supports -fno-strict-overflow before reporting it that was a bug
+ * in UBSAN, and it has been fixed in GCC-8.
+ */
+ return atomic_add_return(segs + delta, p_id) – segs;

EXPORT_SYMBOL(ip_idents_reserve);
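Review bot: the restored return atomic_add_return(segs + delta, p_id) - segs; and the removed cmpxchg loop yield the same identifier sequence, since both compute old + delta + segs modulo 2^32 and hand back the value before the increment; the only difference is that atomic_add_return() wraps through a signed int internally, which is what the new comment is about. That comment has a run-on in "before reporting it that was a bug in UBSAN": it wants a full stop after "reporting it" so the two statements (check your compiler, and this was a UBSAN bug fixed in GCC-8) read as intended.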

[PATCH 5.4 014/142] net sched: fix reporting the first-time use timestamp

From: Greg Kroah-Hartman @ :52 UTC
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jamal Hadi Salim, Roman Mashak, David S. Miller

From: Roman Mashak

[ Upstream commit b15e62631c5f19fea9895f7632dae9c1b27fe0cd ]
When a new action is installed, firstuse field of ‘tcf_t’ is explicitly set
to 0. Value of zero means “new action, not yet used”; as a packet hits the
action, ‘firstuse’ is stamped with the current jiffies value.
tcf_tm_dump() should return 0 for firstuse if action has not yet been hit.
Fixes: 48d8ee1694dd (“net sched actions: aggregate dumping of actions timeinfo”)
Cc: Jamal Hadi Salim
Signed-off-by: Roman Mashak
Acked-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

include/net/act_api.h | 3 ++
file changed, 2 insertions(+), 1 deletion(-)

a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -69,7 +69,8 @@ static inline void tcf_tm_dump(struct tc
{ dtm->install = jiffies_to_clock_t(jiffies – stm->install); dtm->lastuse = jiffies_to_clock_t(jiffies – stm->lastuse); dtm->firstuse = jiffies_to_clock_t(jiffies – stm->firstuse);
+ dtm->firstuse = stm->firstuse ?
+ jiffies_to_clock_t(jiffies – stm->firstuse) : 0; dtm->expires = jiffies_to_clock_t(stm->expires);
}
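Review bot: the ternary reads stm->firstuse twice, once in the test and again in the subtraction, without READ_ONCE(); because the datapath sets firstuse once and never clears it, a first hit landing between the two reads still produces a consistent nonzero result, so the code is correct, but reading the field once into a local would make that reasoning unnecessary. Note also that 0 doubles as the "not yet used" sentinel and as a legal jiffies value at wrap-around; the window is negligible, but it is worth a comment next to the test.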

[PATCH 5.4 015/142] net/tls: fix race condition causing kernel panic

From: Greg Kroah-Hartman @ :52 UTC
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vinay Kumar Yadav, Jakub Kicinski, David S. Miller

From: Vinay Kumar Yadav

[ Upstream commit 0cada33241d9de205522e3858b18e506ca5cce2c ]
tls_sw_recvmsg() and tls_decrypt_done() can be run concurrently.

// tls_sw_recvmsg()
if (atomic_read(&ctx->decrypt_pending))
	crypto_wait_req(-EINPROGRESS, &ctx->async_wait);
else
	reinit_completion(&ctx->async_wait.completion);

//tls_decrypt_done()
pending = atomic_dec_return(&ctx->decrypt_pending);
if (!pending && READ_ONCE(ctx->async_notify))
	complete(&ctx->async_wait.completion);

Consider the scenario tls_decrypt_done() is about to run complete()

if (!pending && READ_ONCE(ctx->async_notify))

and tls_sw_recvmsg() reads decrypt_pending == 0, does reinit_completion(),
then tls_decrypt_done() runs complete(). This sequence of execution
results in wrong completion. Consequently, for next decrypt request,
it will not wait for completion, eventually on connection close, crypto
resources freed, there is no way to handle pending decrypt response.

This race condition can be avoided by having atomic_read() mutually
exclusive with atomic_dec_return(), complete(). Introduced spin lock to
ensure the mutual exclusion.

Addressed similar problem in tx direction.

v1->v2:
More readable commit message.
Corrected the lock to fix new race scenario.
Removed barrier which is not needed now.
Fixes: a42055e8d2c3 (“net/tls: Add support for async encryption of records for performance”)
Signed-off-by: Vinay Kumar Yadav
Reviewed-by: Jakub Kicinski
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

include/net/tls.h | 4 ++++
net/tls/tls_sw.c | 33 +++++++++++++++++++++++++++
files changed, 31 insertions(+), 6 deletions(-)

a/include/net/tls.h
+++ b/include/net/tls.h
@@ -157,6 +157,8 @@ struct tls_sw_context_tx { struct tls_rec *open_rec; struct list_head tx_list; atomic_t encrypt_pending;
+ /* protect crypto_wait with encrypt_pending */
+ spinlock_t encrypt_compl_lock; int async_notify; int async_capable;
@@ -177,6 +179,8 @@ struct tls_sw_context_rx { int async_capable; bool decrypted; atomic_t decrypt_pending;
+ /* protect crypto_wait with decrypt_pending*/
+ spinlock_t decrypt_compl_lock; bool async_notify;
}; a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -203,10 +203,12 @@ static void tls_decrypt_done(struct cryp kfree(aead_req);
+ spin_lock_bh(&ctx->decrypt_compl_lock); pending = atomic_dec_return(&ctx->decrypt_pending); if (!pending && READ_ONCE(ctx->async_notify))
+ if (!pending && ctx->async_notify) complete(&ctx->async_wait.completion);
+ spin_unlock_bh(&ctx->decrypt_compl_lock);
} static int tls_do_decryption(struct sock *sk,
@@ -464,10 +466,12 @@ static void tls_encrypt_done(struct cryp ready = true; }
+ spin_lock_bh(&ctx->encrypt_compl_lock); pending = atomic_dec_return(&ctx->encrypt_pending); if (!pending && READ_ONCE(ctx->async_notify))
+ if (!pending && ctx->async_notify) complete(&ctx->async_wait.completion);
+ spin_unlock_bh(&ctx->encrypt_compl_lock); if (!ready) return;
@@ -923,6 +927,7 @@ int tls_sw_sendmsg(struct sock *sk, stru int num_zc = 0; int orig_size; int ret = 0;
+ int pending; if (msg->msg_flags & ~(MSG_MORE | MSG_DONTWAIT | MSG_NOSIGNAL)) return -EOPNOTSUPP;
@@ -1089,13 +1094,19 @@ trim_sgl: goto send_end; } else if (num_zc) 6 +++ file changed, 3 insertions(+), 3 deletions(-)
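Review bot: in the tls_decrypt_done() and tls_encrypt_done() hunks, READ_ONCE(ctx->async_notify) is replaced by a plain read under the new spin_lock_bh(); that is only sound if every writer of async_notify, and the atomic_read()/reinit_completion() pair on the tls_sw_recvmsg() side that the commit message describes, also take decrypt_compl_lock and encrypt_compl_lock respectively, and the hunks shown here stop at the new int pending; declaration in tls_sw_sendmsg() before that side is visible. The _bh variant is the right choice since the completion callbacks run in softirq context, but the one-line "protect crypto_wait with ..." comments on the two new spinlock_t fields should name the reader they pair with (the pending check before crypto_wait_req()/reinit_completion()) so the invariant can be verified from the header alone.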
diff –git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 47bc27d4169e..110e5c4db a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -598,13 +598,13 @@ void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd) struct buffer_head *bh = bd->bd_bh; struct gfs2_glock *gl = bd->bd_gl;
+ sdp->sd_log_num_revoke++;
+ if (atomic_inc_return(&gl->gl_revokes) == 1)
+ gfs2_glock_hold(gl); bh->b_private = NULL; bd->bd_blkno = bh->b_blocknr; gfs2_remove_from_ail(bd); /* drops ref on bh */ bd->bd_bh = NULL; sdp->sd_log_num_revoke++; if (atomic_inc_return(&gl->gl_revokes) == 1) gfs2_glock_hold(gl); set_bit(GLF_LFLUSH, &gl->gl_flags); list_add(&bd->bd_list, &sdp->sd_log_revokes);
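Review bot: the moved lines now take the glock reference (atomic_inc_return(&gl->gl_revokes) == 1, then gfs2_glock_hold(gl)) before gfs2_remove_from_ail(bd), which the context comment marks as dropping the reference on bh; with the old order there was a window after that drop in which gl_revokes was still zero and nothing pinned gl. Since gl is loaded from bd->bd_gl at the top of the function and bd->bd_bh is only cleared afterwards, the reorder is safe as written; a one-line comment above the hold saying it must precede the ail removal would keep a future cleanup from quietly restoring the old order.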

[PATCH 5.4 044/142] drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate

From: Greg Kroah-Hartman @ :53 UTC
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Evan Quan, Alex Deucher, Sasha Levin

From: Evan Quan

[ Upstream commit 1fe48ec08d9f2e26d893a6c05bd6c99a3490f9ef ]
As this is already properly handled in amdgpu_gfx_off_ctrl(). In fact,
this unnecessary cancel_delayed_work_sync may leave a small time window
for race condition and is dangerous.
Signed-off-by: Evan Quan
Reviewed-by: Alex Deucher
Signed-off-by: Alex Deucher
Signed-off-by: Sasha Levin

drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 6 +
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 12 +++
files changed, 4 insertions(+), 14 deletions(-)
diff –git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
index 14417cebe38b..6f118292e40f a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
@@ -4290,11 +4290,7 @@ static int gfx_v10_0_set_powergating_state(void *handle, switch (adev->asic_type) case CHIP_NAVI10: case CHIP_NAVI14: if (!enable) { amdgpu_gfx_off_ctrl(adev, false); cancel_delayed_work_sync(&adev->gfx.gfx_off_delay_work); } else amdgpu_gfx_off_ctrl(adev, true);
+ amdgpu_gfx_off_ctrl(adev, enable); break; default: break;
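Review bot: collapsing the if/else into a single amdgpu_gfx_off_ctrl(adev, enable) drops the cancel_delayed_work_sync(&adev->gfx.gfx_off_delay_work) that ran on the ungate path outside of amdgpu_gfx_off_ctrl(), and the commit message only says this is "already properly handled" there. Please name in the message the lock or refcount inside amdgpu_gfx_off_ctrl() that now closes the window between disabling GFXOFF and gfx_off_delay_work firing, since that is the race the old sync cancel was guarding against and a reader of this hunk cannot see how it is covered.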
diff –git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
index c34ddaa65324..6004fdacc a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -4839,10 +4839,9 @@ static int gfx_v9_0_set_powergating_state(void *handle, switch (adev->asic_type) AMDGPU_VM_PAGE_EXECUTABLE /* priv->tx_head, tx_tail & tx_outstanding are already 0 */
+ /* priv->tx_head, tx_tail and global_tx_tail/head are already 0 */ if (ipoib_transport_dev_init(dev, priv->ca)) nested] 153+ messages in thread
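Review bot: the @@ -4839,10 +4839,9 @@ hunk for gfx_v9_0.c is cut off right after `switch (adev->asic_type)`, and the lines that follow (`priv->tx_head, tx_tail ...`, `ipoib_transport_dev_init(dev, priv->ca)`) belong to the IB/ipoib patch 098/142, so the gfx_v9_0 side of this change cannot be reviewed from what is shown; per the diffstat it touches 12 lines, so it should be the same collapse to amdgpu_gfx_off_ctrl(adev, enable) in more than one case arm, and the same question about what serialises the delayed work applies there. For the ipoib fragment, the rewritten comment promises global_tx_tail/head are already 0 before ipoib_transport_dev_init(); the allocation that zeroes them is not among the visible lines, so that claim rests on the rest of that patch.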

* [PATCH 5.4 099/142] mm,thp: stop leaking unreleased file pages
From: Greg Kroah-Hartman
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hugh Dickins, Andrew Morton, Song Liu, Kirill A. Shutemov, Johannes Weiner, Rik van Riel, Linus Torvalds, Sasha Levin
From: Hugh Dickins

[ Upstream commit 2f33a706027c94cd4f70fcd3e3f4a17c1ce4ea4b ]
When collapse_file() calls try_to_release_page(), it has already isolated
the page: so if releasing buffers happens to fail (as it sometimes does),
remember to putback_lru_page(): otherwise that page is left unreclaimable
and unfreeable, and the file extent uncollapsible.
Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Signed-off-by: Hugh Dickins
Signed-off-by: Andrew Morton
Acked-by: Song Liu
Acked-by: Kirill A. Shutemov
Acked-by: Johannes Weiner
Cc: Rik van Riel
Cc: [5.4+]
Link: /r/alpine.LSU.2.11.
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin mm/khugepaged.c memcpy(kbuf + offset, data, copy);
+static void copy_part(unsigned offset, unsigned size, void *from,
+ void **kbuf, unsigned *pos, unsigned *count)
+{
+ fill_gap(offset, kbuf, pos, count);
+ if (size > *count)
+ size = *count;
+ if (size) {
+ memcpy(*kbuf, from, size);
+ *kbuf += size;
+ *pos += size;
+ *count -= size; }
}
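Review bot: copy_part() relies on fill_gap() to bring *pos up to offset before the memcpy, but nothing in this hunk guards against offset being below *pos (a component listed out of order, or one overlapping bytes already copied). If fill_gap() computes offset - *pos in unsigned arithmetic for that case, the result is a huge gap clamped to *count and the rest of the destination is silently filled instead of the real data; please confirm fill_gap() is a no-op for offset <= *pos, or add a comment that callers must pass strictly increasing offsets, since the copy_part() sequence in the next hunk depends on exactly that ordering.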
@@ -976,8 +989,9 @@ __copy_xstate_to_kernel(void *kbuf, cons */
int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int offset_start, unsigned int size_total)
XFEATURE_MASK_YMM))
+ copy_part(off_mxcsr, MXCSR_AND_FLAGS_SIZE,
+ &xsave->i387.mxcsr, &kbuf, &offset_start, &count);
+ if (header.xfeatures & XFEATURE_MASK_FP)
+ copy_part(offsetof(struct fxregs_state, st_space), 128,
+ &xsave->i387.st_space, &kbuf, &offset_start, &count);
+ if (header.xfeatures & XFEATURE_MASK_SSE)
+ copy_part(xstate_offsets[XFEATURE_MASK_SSE], 256,
+ &xsave->i387.xmm_space, &kbuf, &offset_start, &count);
+ /*
+ * Fill xsave->i387.sw_reserved value for ptrace frame:
+ */
+ copy_part(offsetof(struct fxregs_state, sw_reserved), 48,
+ xstate_fx_sw_bytes, &kbuf, &offset_start, &count); /* * Copy xregs_state->header: */ offset = offsetof(struct xregs_state, header); size = sizeof(header); __copy_xstate_to_kernel(kbuf, &header, offset, size, size_total);
+ copy_part(offsetof(struct xregs_state, header), sizeof(header),
+ &header, &kbuf, &offset_start, &count); for (i = 0; i > i) & 1) { void *src = __raw_xsave_addr(xsave, i); offset = xstate_offsets[i]; size = xstate_sizes[i]; /* The next component has to fit fully into the output buffer: */ if (offset + size > size_total) break; __copy_xstate_to_kernel(kbuf, src, offset, size, size_total);
+ copy_part(xstate_offsets[i], xstate_sizes[i],
+ src, &kbuf, &offset_start, &count); } if (xfeatures_mxcsr_quirk(header.xfeatures)) { offset = offsetof(struct fxregs_state, mxcsr); size = MXCSR_AND_FLAGS_SIZE; __copy_xstate_to_kernel(kbuf, &xsave->i387.mxcsr, offset, size, size_total); } /* * Fill xsave->i387.sw_reserved value for ptrace frame: */ offset = offsetof(struct fxregs_state, sw_reserved); size = sizeof(xstate_fx_sw_bytes); __copy_xstate_to_kernel(kbuf, xstate_fx_sw_bytes, offset, size, size_total);
+ fill_gap(size_total, &kbuf, &offset_start, &count); return 0;
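Review bot: `copy_part(xstate_offsets[XFEATURE_MASK_SSE], 256, &xsave->i387.xmm_space, ...)` indexes xstate_offsets[] with a feature bit mask, while everywhere else in this hunk the array is indexed by feature number (`xstate_offsets[i]` in the loop, where i is the bit position tested by `(header.xfeatures >> i) & 1`). XFEATURE_MASK_SSE is 1 << XFEATURE_SSE, so this reads the slot of the feature after SSE rather than the SSE offset, and the 256 bytes of xmm_space land at the wrong position in (or beyond) the ptrace frame. It should be xstate_offsets[XFEATURE_SSE], or offsetof(struct fxregs_state, xmm_space) in the same style as the st_space and sw_reserved copies just above it. Separately, the closing `fill_gap(size_total, &kbuf, &offset_start, &count)` is what actually delivers the subject line's promise of not leaving the tail of the destination uninitialized; a one-line comment there would make that intent obvious.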


* [PATCH 5.4 112/142] xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
From: Greg Kroah-Hartman
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xin Long, Steffen Klassert
From: Xin Long

commit afcaf61be9d1dbdee5ec186d1dcc67b6b692180f upstream.
For beet mode, when it’s ipv6 inner address with nexthdrs set,
the packet format might be:

   | outer  |     | dest |     |      | ESP     | ESP |
   | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |

The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
continue processing the packet when nexthdr returns 0 in
xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
packet will be dropped.
I don’t see any error cases that nexthdr may return 0. So
fix it by removing the check for nexthdr == 0.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -643,7 +643,7 @@ resume: dev_put(skb->dev); spin_lock(&x->lock); if (nexthdr type->proto);
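Review bot: the changed lines of this hunk did not survive extraction; only the context `if (nexthdr` ... `type->proto);` is left, so the new condition cannot be checked against the description. Since the stated change is to stop rejecting nexthdr == 0, the comparison must keep rejecting negative error returns from x->type->input() (i.e. the test becomes a strict less-than-zero check rather than disappearing), and a comment on that line saying that 0 is a legitimate NEXTHDR_HOP value for the beet/transport cases described would keep someone from reintroducing the == 0 check later.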

* [PATCH 5.4 113/142] xfrm: do pskb_pull properly in __xfrm_transport_prep
From: Greg Kroah-Hartman
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xin Long, Steffen Klassert
From: Xin Long

commit 06a0afcfe2f551ff755849ea2549b0d8409fd9a0 upstream.
For transport mode, when ipv6 nexthdr is set, the packet format might
be like:

   |         | dest |     |     |      | ESP     | ESP |
   | IP6 hdr | opts.| ESP | TCP | Data | Trailer | ICV |

and in __xfrm_transport_prep():

   pskb_pull(skb, skb->mac_len + sizeof(ip6hdr) + x->props.header_len);

it will pull the data pointer to the wrong position, as it missed the
nexthdrs/dest opts.
This patch is to fix it by using:

   pskb_pull(skb, skb_transport_offset(skb) + x->props.header_len);

as we can be sure transport_header points to ESP header at that moment.
It also fixes a panic when packets with ipv6 nexthdr are sent over
esp6 transport mode:

  [  100.473845] kernel BUG at net/core/skbuff.c:4325!
  [  100.478517] RIP: 0010:__skb_to_sgvec+0x252/0x
  [  100.494355] Call Trace:
  [  100.494829]  skb_to_sgvec+0x11/0x
  [  100.495492]  esp6_output_tail+0x12e/0x550 [esp6]
  [  100.496358]  esp6_xmit+0x1d5/0x260 [esp6_offload]
  [  100.498029]  validate_xmit_xfrm+0x22f/0x2e
  [  100.499604]  __dev_queue_xmit+0x589/0x
  [  100.502928]  ip6_finish_output2+0x2a5/0x5a
  [  100.503718]  ip6_output+0x6c/0x
  [  100.505198]  xfrm_output_resume+0x4bf/0x
  [  100.508683]  xfrm6_output+0x3a/0xc
  [  100.513446]  inet6_csk_xmit+0xa1/0xf
  [  100.517335]  tcp_sendmsg+0x27/0x
  [  100.517977]  sock_sendmsg+0x3e/0x
  [  100.518648]  __sys_sendto+0xee/0x

Fixes: c35fe4106b92 ("xfrm: Add mode handlers for IPsec on layer 2")
Signed-off-by: Xin Long
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_device.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -25,12 +25,10 @@ static void __xfrm_transport_prep(struct struct xfrm_offload *xo = xfrm_offload(skb); skb_reset_mac_len(skb); pskb_pull(skb, skb->mac_len + hsize + x->props.header_len); if (xo->flags & XFRM_GSO_SEGMENT) { skb_reset_transport_header(skb);
+ if (xo->flags & XFRM_GSO_SEGMENT) skb->transport_header -= x->props.header_len; }
+
+ pskb_pull(skb, skb_transport_offset(skb) + x->props.header_len);
} static void __xfrm_mode_tunnel_prep(struct xfrm_state *x, struct sk_buff *skb,
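Review bot: the ordering in the new code is load-bearing and undocumented: for XFRM_GSO_SEGMENT skbs `skb->transport_header -= x->props.header_len` runs before skb_transport_offset() is read by the pull, so in that case the pull stops at the original transport header rather than header_len past it. That only works if segmented skbs arrive here with transport_header already past the ESP header, which is the opposite of what the message says about transport_header pointing at ESP "at that moment" (true for the non-GSO case). The removed `skb_reset_transport_header(skb)` used to recompute the header from the pulled data pointer; now the function trusts whatever the caller left there. A comment above the `if` stating which caller sets transport_header where for each case would stop the next reader from "fixing" the order.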

* [PATCH 5.4 114/142] xfrm: remove the xfrm_state_put call becofe going to out_reset
From: Greg Kroah-Hartman
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xin Long, Steffen Klassert
From: Xin Long

commit db87668ad1e4917cfe04e217307ba6ed e upstream.
This xfrm_state_put call in esp4/6_gro_receive() will cause
double put for state, as in out_reset path secpath_reset()
will put all states set in skb sec_path.
So fix it by simply removing the xfrm_state_put call.
Fixes: 6ed69184ed9c ("xfrm: Reset secpath in xfrm failure")
Signed-off-by: Xin Long
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/esp4_offload.c | 4 +---
 net/ipv6/esp6_offload.c | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -63,10 +63,8 @@ static struct sk_buff *esp4_gro_receive( sp->olen++; xo = xfrm_offload(skb); if (!xo) { xfrm_state_put(x);
+ if (!xo) goto out_reset; } } xo->flags |= XFRM_GRO; a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -85,10 +85,8 @@ static struct sk_buff *esp6_gro_receive( sp->olen++; xo = xfrm_offload(skb); if (!xo) { xfrm_state_put(x);
+ if (!xo) goto out_reset; } } xo->flags |= XFRM_GRO;
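Review bot: with xfrm_state_put(x) gone from the `!xo` branch, the reference taken on x is released only by secpath_reset() at out_reset, and that is correct because `sp->olen++` just above has already recorded x in the sec_path, so the explicit put was a second drop of the same reference; the esp6_gro_receive() hunk is the identical fix. It is worth a comment at `goto out_reset` (or a sentence in the message) that any error path added between `sp->olen++` and this point must also go through out_reset rather than dropping x by hand, since that is exactly the double put this patch removes.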

* [PATCH 5.4 115/142] xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
From: Greg Kroah-Hartman
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xiumei Mu, Xin Long, Steffen Klassert
From: Xin Long

commit a204aef9fd77dce1efd9066ca4e44eede99cd858 upstream.
A use-after-free crash can be triggered when sending big packets over
vxlan over esp with esp offload enabled:

  [] BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e
  [] Call Trace:
  []  dump_stack+0x75/0xa
  []  kasan_report+0x37/0x
  []  ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e
  []  ipv6_gso_segment+0x2c8/0x13c
  []  skb_mac_gso_segment+0x1cb/0x
  []  skb_udp_tunnel_segment+0x6b5/0x1c
  []  inet_gso_segment+0x440/0x
  []  skb_mac_gso_segment+0x1cb/0x
  []  esp4_gso_segment+0xae8/0x1709 [esp4_offload]
  []  inet_gso_segment+0x440/0x
  []  skb_mac_gso_segment+0x1cb/0x
  []  __skb_gso_segment+0x2d7/0x5f
  []  validate_xmit_skb+0x527/0xb
  []  __dev_queue_xmit+0x10f8/0x2320

inner_network_header would be set on vxlan_xmit() and
xfrm4_tunnel_encap_add(), and the latter one can overwrite the former one.
It causes skb_udp_tunnel_segment() to use a wrong
skb->inner_network_header, then the issue occurs.
This patch is to fix it by calling xfrm_output_gso() instead when the
inner_protocol is set, in which gso_segment of inner_protocol will be
done first.
While at it, also improve some code around.
Fixes: 7862b4058b9f ("esp: Add gso handlers for esp4 and esp6")
Reported-by: Xiumei Mu
Signed-off-by: Xin Long
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_output.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -586,18 +586,20 @@ int xfrm_output(struct sock *sk, struct xfrm_state_hold(x); if (skb_is_gso(skb)) = SKB_GSO_ESP;
+ goto out; if (x->xso.dev && x->xso.dev->features & NETIF_F_HW_ESP_TX_CSUM) goto out;
+ } else {
+ if (skb_is_gso(skb))
+ return xfrm_output_gso(net, sk, skb); } if (skb_is_gso(skb)) return xfrm_output_gso(net, sk, skb); if (skb->ip_summed == CHECKSUM_PARTIAL) err = skb_checksum_help(skb); if (err) nested] 153+ messages in thread
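Review bot: the message says xfrm_output_gso() is now called when inner_protocol is set, but no inner_protocol test survives in the hunk as extracted (the gso_type line has also lost its left-hand side, reading only `= SKB_GSO_ESP;`), so the hw-offload branch as shown marks the skb SKB_GSO_ESP and jumps straight to `out`. Please check the applied hunk carries that `skb->inner_protocol` check ahead of the `goto out`; without it, GSO skbs on an xso.dev device never reach xfrm_output_gso() and the vxlan-over-esp case in the report is still broken. The new `else` branch plus the removal of the old unconditional `if (skb_is_gso(skb)) return xfrm_output_gso(...)` also means a GSO skb on an offload device no longer falls through to the NETIF_F_HW_ESP_TX_CSUM test; if that is part of "improve some code around", say so in the message.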

* [PATCH 5.4 116/142] xfrm interface: fix oops when deleting a x-netns interface
From: Greg Kroah-Hartman
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christophe Gouault, Nicolas Dichtel, Steffen Klassert
From: Nicolas Dichtel

commit c95c5f58b35ef995f66cb55547eee6093ab5fcb8 upstream.
Here are the steps to reproduce the problem:

  ip netns add foo
  ip netns add bar
  ip -n foo link add xfrmi0 type xfrm dev lo if_id
  ip -n foo link set xfrmi0 netns bar
  ip netns del foo
  ip netns del bar

Which results in:
[  186.686395] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bd3: 0000 [#1] SMP PTI
[  186.687665] CPU: 7 PID: 232 Comm: kworker/u16:2 Not tainted 5.6.0+ #1
[  186.688430] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/
[  186.689420] Workqueue: netns cleanup_net
[  186.689903] RIP: 0010:xfrmi_dev_uninit+0x1b/0x4b [xfrm_interface]
[  186.690657] Code: 44 f6 ff ff 31 c0 5b 5d 41 5c 41 5d 41 5e c3 48 8d 8f c b 05 ce b 97 d b 92 c0 0e b 14 c2 48 8b c c1 75 0c 48 8b 87 c
[  186.692838] RSP: 0018:ffffc900003b7d68 EFLAGS:
[  186.693435] RAX: d RBX: ffff8881b0f31000 RCX: ffff8881b0f318c0
[  186.694334] RDX: 6b6b6b6b6b6b6b6b RSI: RDI: ffff8881b0f
[  186.695190] RBP: ffffc900003b7df0 R08: ffff888236c07740 R09:
[  186.696024] R10: ffffffff81fce1b8 R11: R12: ffffc900003b7d
[  186.696859] R13: ffff8881edcc6a40 R14: ffff8881a1b6e780 R15: ffffffff81ed47c8
[  186.697738] FS: (0000) GS:ffff888237dc0000(0000) knlGS:
[  186.698705] CS: DS: 0000 ES: 0000 CR0:
[  186.699408] CR2: 00007f2129e93148 CR3: e0a000 CR4: e0
[  186.700221] Call Trace:
[  186.700508]  rollback_registered_many+0x32b/0x3fd
[  186.701058]  ? __rtnl_unlock+0x20/0x3d
[  186.701494]  ? arch_local_irq_save+0x11/0x
[  186.702012]  unregister_netdevice_many+0x12/0x
[  186.702594]  default_device_exit_batch+0x12b/0x
[  186.703160]  ? prepare_to_wait_exclusive+0x60/0x
[  186.703719]  cleanup_net+0x17d/0x
[  186.704138]  process_one_work+0x196/0x2e8
[  186.704652]  worker_thread+0x1a4/0x
[  186.705087]  ? cancel_delayed_work+0x92/0x
[  186.705620]  kthread+0x105/0x10f
[  186.706000]  ? __kthread_bind_mask+0x57/0x
[  186.706501]  ret_from_fork+0x35/0x
[  186.706978] Modules linked in: xfrm_interface nfsv3 nfs_acl auth_rpcgss nfsv4 nfs lockd grace fscache sunrpc button parport_pc parport serio_raw evdev pcspkr loop ext4 crc16 mbcache jbd2 crc32c_generic 8139too ide_cd_mod cdrom ide_gd_mod ata_generic ata_piix libata scsi_mod piix psmouse i2c_piix4 ide_core 8139cp i2c_core mii floppy
[  186.710423] ---[ end trace 463bba e5 ]

The problem is that x-netns xfrm interfaces are not removed when the link
netns is removed. This later causes this oops when those interfaces are
removed.
Let’s add a handler to remove all interfaces related to a netns when this
netns is removed.
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Reported-by: Christophe Gouault
Signed-off-by: Nicolas Dichtel
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_interface.c
+static void __net_exit xfrmi_exit_batch_net(struct list_head *net_exit_list)
+{
+ struct net *net;
+ LIST_HEAD(list);
+
+ rtnl_lock();
+ list_for_each_entry(net, net_exit_list, exit_list) {
+ struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
+ struct xfrm_if __rcu **xip;
+ struct xfrm_if *xi;
+
+ for (xip = &xfrmn->xfrmi[0];
+ (xi = rtnl_dereference(*xip)) != NULL;
+ xip = &xi->next)
+ unregister_netdevice_queue(xi->dev, &list);
+ }
+ unregister_netdevice_many(&list);
+ rtnl_unlock();
+}
+
static struct pernet_operations xfrmi_net_ops = nested] 153+ messages in thread
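Review bot: xfrmi_exit_batch_net() walks only `&xfrmn->xfrmi[0]`; that is complete as long as xfrmi[] has a single list head, but the index makes it look like a hash array, so if xfrmi_net ever grows more buckets this loop must cover all of them or the cross-netns leak (and the same cleanup_net oops) comes straight back. A comment saying "single bucket" or a loop over ARRAY_SIZE(xfrmn->xfrmi) would make that explicit. Also, the hunk stops at `static struct pernet_operations xfrmi_net_ops =`, so the `.exit_batch = xfrmi_exit_batch_net` hookup that makes this function run is not visible; please confirm it is in the applied patch, since without it the new function is dead code.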

* [PATCH 5.4 117/142] xfrm: fix a warning in xfrm_policy_insert_list
From: Greg Kroah-Hartman
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xiumei Mu, Xin Long, Steffen Klassert
From: Xin Long

commit ed17b8d377eaf6b4a01d46942b4c647378a79bdd upstream.
This warning can be triggered simply by:

  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
      priority 1 mark 0 mask 0x10 #[1]
  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
      priority 2 mark 0 mask 0x1 #[2]
  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
      priority 2 mark 0 mask 0x10 #[3]

Then dmesg shows:

  [ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:
  [ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x
  [ ] Call Trace:
  [ ]  xfrm_policy_inexact_insert+0x85/0xe
  [ ]  xfrm_policy_insert+0x4ba/0x
  [ ]  xfrm_add_policy+0x246/0x4d
  [ ]  xfrm_user_rcv_msg+0x331/0x5c
  [ ]  netlink_rcv_skb+0x121/0x
  [ ]  xfrm_netlink_rcv+0x66/0x
  [ ]  netlink_unicast+0x439/0x
  [ ]  netlink_sendmsg+0x714/0xbf
  [ ]  sock_sendmsg+0xe2/0x

The issue was introduced by Commit 7cb8a93968e3 ("xfrm: Allow inserting
policies with matching mark and different priorities"). After that, the
policies [1] and [2] would be able to be added with different priorities.
However, policy [3] will actually match both [1] and [2]. Policy [1]
was matched due to the 1st ‘return true’ in xfrm_policy_mark_match(),
and policy [2] was matched due to the 2nd ‘return true’ in there. It
caused WARN_ON() in xfrm_policy_insert_list().
This patch is to fix it by only (the same value and priority) as the
same policy in xfrm_policy_mark_match().
Thanks to Yuehaibing, we could make this fix better.
v1->v2: check policy->mark.v == pol->mark.v only without mask.
Fixes: 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and different priorities")
Reported-by: Xiumei Mu
Signed-off-by: Xin Long
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_policy.c