Hi stable maintainers,
I have tried backporting some fixes to the stable 5.15.y kernel; they also have CVE numbers and fix commits that are present in 5.15.y.
I am not a subsystem expert and have only done the overall testing that we do for stable release-candidate testing, not any patch-specific testing.
Note: All these patches are present in 6.1.y.
Patch 1 -- minor conflicts resolved due to a few missing commits.
Patches 2, 3, 4 -- clean cherry-picks of the 6.1.y commits, and therefore carry additional SOBs from the backporter/stable maintainers
Patch 5 -- Minor conflict resolved, as 5.15.y does not have folios.
Patch 6 -- Resolved conflicts due to the missing unrcu_pointer() helper and another missing commit
Please let me know if there are any comments.
Thanks, Harshit
Michal Schmidt (1): bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
Paolo Abeni (1): ipv6: release nexthop on device removal
Rémi Denis-Courmont (1): phonet/pep: fix racy skb_queue_empty() use
Souradeep Chakrabarti (1): net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
Trond Myklebust (1): filemap: Fix bounds checking in filemap_read()
Wang Liang (1): net: fix crash when config small gso_max_size/gso_ipv4_max_size
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 +- drivers/net/ethernet/microsoft/mana/mana.h | 2 + drivers/net/ethernet/microsoft/mana/mana_en.c | 21 ++++++---- mm/filemap.c | 2 +- net/core/rtnetlink.c | 2 +- net/ipv6/route.c | 6 +-- net/phonet/pep.c | 41 +++++++++++++++---- 7 files changed, 54 insertions(+), 23 deletions(-)
From: Souradeep Chakrabarti schakrabarti@linux.microsoft.com
[ Upstream commit b6ecc662037694488bfff7c9fd21c405df8411f2 ]
Currently napi_disable() gets called during rxq and txq cleanup even before NAPI has been enabled and its hrtimer initialized, which causes a kernel panic.
? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? skb_dequeue+0x5f/0x80
Cc: stable@vger.kernel.org Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ") Signed-off-by: Souradeep Chakrabarti schakrabarti@linux.microsoft.com Reviewed-by: Haiyang Zhang haiyangz@microsoft.com Reviewed-by: Shradha Gupta shradhagupta@linux.microsoft.com Signed-off-by: David S. Miller davem@davemloft.net (cherry picked from commit b6ecc662037694488bfff7c9fd21c405df8411f2) [Harshit: conflicts resolved due to missing commit: ed5356b53f07 ("net: mana: Add XDP support") and commit: d356abb95b98 ("net: mana: Add counter for XDP_TX") in 5.15.y] Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com --- drivers/net/ethernet/microsoft/mana/mana.h | 2 ++ drivers/net/ethernet/microsoft/mana/mana_en.c | 21 ++++++++++++------- 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana.h b/drivers/net/ethernet/microsoft/mana/mana.h
index 35e937a7079c..6aac4824090c 100644
--- a/drivers/net/ethernet/microsoft/mana/mana.h
+++ b/drivers/net/ethernet/microsoft/mana/mana.h
@@ -76,6 +76,8 @@ struct mana_txq {
atomic_t pending_sends;
+ bool napi_initialized;
+
 struct mana_stats stats;
 };
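Review bot: The new `napi_initialized` field in struct mana_txq is undocumented, while its lifecycle is spread over three places in mana_en.c (cleared early in mana_create_txq, set right after napi_enable(), tested and cleared again in mana_destroy_txq), so a one-line comment on the field would help the next reader. Suggested: `bool napi_initialized; /* set once NAPI was added and enabled for this txq; gates teardown in mana_destroy_txq() */`. The rest of the struct definition is outside the hunk.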
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index b0963fda4d9f..3c754b31c30d 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1154,10 +1154,12 @@ static void mana_destroy_txq(struct mana_port_context *apc)
for (i = 0; i < apc->num_queues; i++) {
 napi = &apc->tx_qp[i].tx_cq.napi;
- napi_synchronize(napi);
- napi_disable(napi);
- netif_napi_del(napi);
-
+ if (apc->tx_qp[i].txq.napi_initialized) {
+ napi_synchronize(napi);
+ napi_disable(napi);
+ netif_napi_del(napi);
+ apc->tx_qp[i].txq.napi_initialized = false;
+ }
 mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object);
mana_deinit_cq(apc, &apc->tx_qp[i].tx_cq);
@@ -1213,6 +1215,7 @@ static int mana_create_txq(struct mana_port_context *apc,
 txq->ndev = net;
 txq->net_txq = netdev_get_tx_queue(net, i);
 txq->vp_offset = apc->tx_vp_offset;
+ txq->napi_initialized = false;
 skb_queue_head_init(&txq->pending_skbs);
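Review bot: The guard in mana_destroy_txq reads `apc->tx_qp[i].txq.napi_initialized` for every index up to apc->num_queues, including queues whose mana_create_txq iteration never ran (the early-failure case this commit is about), so it is only safe if the tx_qp array is zero-initialised when allocated; that allocation is outside this hunk and worth confirming. If it is not zeroed, the flag should be cleared for all queues before the create loop rather than per-queue inside mana_create_txq, since the per-queue `txq->napi_initialized = false;` in the second hunk only runs for queues that reach that point. With a zeroed allocation that per-queue clear is redundant but harmless. mana_destroy_txq continues outside the hunk.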
memset(&spec, 0, sizeof(spec));
@@ -1277,6 +1280,7 @@ static int mana_create_txq(struct mana_port_context *apc,
netif_tx_napi_add(net, &cq->napi, mana_poll, NAPI_POLL_WEIGHT);
 napi_enable(&cq->napi);
+ txq->napi_initialized = true;
mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT);
 }
@@ -1288,7 +1292,7 @@ static int mana_create_txq(struct mana_port_context *apc,
 }
static void mana_destroy_rxq(struct mana_port_context *apc,
- struct mana_rxq *rxq, bool validate_state)
+ struct mana_rxq *rxq, bool napi_initialized)
{
 struct gdma_context *gc = apc->ac->gdma_dev->gdma_context;
@@ -1302,12 +1306,13 @@ static void mana_destroy_rxq(struct mana_port_context *apc,
napi = &rxq->rx_cq.napi;
- if (validate_state)
+ if (napi_initialized) {
 napi_synchronize(napi);
- napi_disable(napi);
- netif_napi_del(napi);
+ napi_disable(napi);
+ netif_napi_del(napi);
+ }
 mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj);
mana_deinit_cq(apc, &rxq->rx_cq);
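Review bot: Renaming the mana_destroy_rxq parameter from validate_state to napi_initialized widens what it gates: `false` previously skipped only napi_synchronize(), now it also skips napi_disable() and netif_napi_del(). Every caller that passed `false` before (none are visible in this hunk) therefore needs re-checking, because tearing down a live, NAPI-enabled rxq with `false` would now leave the NAPI instance registered. Unlike the txq side there is no per-queue flag here, so correctness rests entirely on callers passing the right value; a comment above the function, `/* napi_initialized: true only once NAPI has been added and enabled for this rxq */`, would record that contract. mana_destroy_rxq continues outside the hunk.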
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: b6ecc662037694488bfff7c9fd21c405df8411f2
WARNING: Author mismatch between patch and upstream commit: Backport author: Harshit Mogalapalliharshit.m.mogalapalli@oracle.com Commit author: Souradeep Chakrabartischakrabarti@linux.microsoft.com
Status in newer kernel trees: 6.14.y | Present (exact SHA1) 6.13.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: 9e0bff4900b5) 6.1.y | Present (different SHA1: 9178eb8ebcd8)
Note: The patch differs from the upstream commit: --- 1: b6ecc66203769 ! 1: 63ebacf9b41b2 net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup @@ Metadata ## Commit message ## net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
+ [ Upstream commit b6ecc662037694488bfff7c9fd21c405df8411f2 ] + Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. @@ Commit message Reviewed-by: Haiyang Zhang haiyangz@microsoft.com Reviewed-by: Shradha Gupta shradhagupta@linux.microsoft.com Signed-off-by: David S. Miller davem@davemloft.net + (cherry picked from commit b6ecc662037694488bfff7c9fd21c405df8411f2) + [Harshit: conflicts resolved due to missing commit: ed5356b53f07 ("net: + mana: Add XDP support") and commit: d356abb95b98 ("net: mana: Add + counter for XDP_TX") in 5.15.y] + Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com + + ## drivers/net/ethernet/microsoft/mana/mana.h ## +@@ drivers/net/ethernet/microsoft/mana/mana.h: struct mana_txq { + + atomic_t pending_sends; + ++ bool napi_initialized; ++ + struct mana_stats stats; + }; +
## drivers/net/ethernet/microsoft/mana/mana_en.c ## @@ drivers/net/ethernet/microsoft/mana/mana_en.c: static void mana_destroy_txq(struct mana_port_context *apc) @@ drivers/net/ethernet/microsoft/mana/mana_en.c: static int mana_create_txq(struct memset(&spec, 0, sizeof(spec)); @@ drivers/net/ethernet/microsoft/mana/mana_en.c: static int mana_create_txq(struct mana_port_context *apc,
- netif_napi_add_tx(net, &cq->napi, mana_poll); + netif_tx_napi_add(net, &cq->napi, mana_poll, NAPI_POLL_WEIGHT); napi_enable(&cq->napi); + txq->napi_initialized = true;
@@ drivers/net/ethernet/microsoft/mana/mana_en.c: static void mana_destroy_rxq(stru napi_synchronize(napi);
- napi_disable(napi); +- netif_napi_del(napi); + napi_disable(napi);
+ netif_napi_del(napi); + } - xdp_rxq_info_unreg(&rxq->xdp_rxq); - -- netif_napi_del(napi); -- mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj);
mana_deinit_cq(apc, &rxq->rx_cq); - - ## include/net/mana/mana.h ## -@@ include/net/mana/mana.h: struct mana_txq { - - atomic_t pending_sends; - -+ bool napi_initialized; -+ - struct mana_stats_tx stats; - }; - ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.15.y | Success | Success |
From: Michal Schmidt mschmidt@redhat.com
commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0.
Fix it in the one caller that had this combination.
The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec __roundup_pow_of_two+0x25/0x35 [bnxt_re] bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re] bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re] ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kmalloc+0x1b6/0x4f0 ? create_qp.part.0+0x128/0x1c0 [ib_core] ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] create_qp.part.0+0x128/0x1c0 [ib_core] ib_create_qp_kernel+0x50/0xd0 [ib_core] create_mad_qp+0x8e/0xe0 [ib_core] ? __pfx_qp_event_handler+0x10/0x10 [ib_core] ib_mad_init_device+0x2be/0x680 [ib_core] add_client_context+0x10d/0x1a0 [ib_core] enable_device_and_get+0xe0/0x1d0 [ib_core] ib_register_device+0x53c/0x630 [ib_core] ? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50 [bnxt_re] ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] auxiliary_bus_probe+0x49/0x80 ? driver_sysfs_add+0x57/0xc0 really_probe+0xde/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220 driver_register+0x72/0xd0 __auxiliary_driver_register+0x6e/0xd0 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250 init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0 __x64_sys_finit_module+0x5e/0xb0 do_syscall_64+0x82/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? 
syscall_exit_to_user_mode_prepare+0x149/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x75/0x230 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x8e/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? __count_memcg_events+0x69/0x100 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events.constprop.0+0x1a/0x30 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1f0/0x300 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x34e/0x640 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 </TASK> ---[ end trace ]---
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") Signed-off-by: Michal Schmidt mschmidt@redhat.com Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com Acked-by: Selvin Xavier selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky leon@kernel.org Signed-off-by: Xiangyu Chen xiangyu.chen@windriver.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [Harshit: backport to 5.15.y, this is a clean cherrypick from 6.1.y commit ] Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com --- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
index 3725f05ad297..be895398df09 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
@@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
 hwq_attr.stride = sizeof(struct sq_sge);
 hwq_attr.depth = bnxt_qplib_get_depth(sq);
 hwq_attr.aux_stride = psn_sz;
- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
+ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
+ : 0;
 hwq_attr.type = HWQ_TYPE_QUEUE;
 rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
 if (rc)
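Review bot: The fix lives in the caller, so bnxt_qplib_alloc_init_hwq() will still evaluate roundup_pow_of_two(hwq_attr->aux_stride) for any future caller that passes aux_depth != 0 together with aux_stride == 0, the combination the commit message describes as undefined. A defensive check at the top of bnxt_qplib_alloc_init_hwq that rejects `aux_depth && !aux_stride` with -EINVAL would make the callee robust instead of relying on each caller; that function is outside this hunk. At minimum the new conditional deserves a why-comment, e.g. `/* a non-zero aux_depth with aux_stride == 0 would make the hwq code call roundup_pow_of_two(0) */`. bnxt_qplib_create_qp continues outside the hunk.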
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 78cfd17142ef70599d6409cbd709d94b3da58659
WARNING: Author mismatch between patch and upstream commit: Backport author: Harshit Mogalapalliharshit.m.mogalapalli@oracle.com Commit author: Michal Schmidtmschmidt@redhat.com
Status in newer kernel trees: 6.14.y | Present (exact SHA1) 6.13.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: a658f011d89d) 6.1.y | Present (different SHA1: 84d2f2915218)
Note: The patch differs from the upstream commit: --- 1: 78cfd17142ef7 ! 1: 2baf62a035300 bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq @@ Metadata ## Commit message ## bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
+ commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream. + Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. @@ Commit message Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com Acked-by: Selvin Xavier selvin.xavier@broadcom.com Signed-off-by: Leon Romanovsky leon@kernel.org + Signed-off-by: Xiangyu Chen xiangyu.chen@windriver.com + Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org + [Harshit: backport to 5.15.y, this is a clean cherrypick from 6.1.y + commit ] + Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com
## drivers/infiniband/hw/bnxt_re/qplib_fp.c ## @@ drivers/infiniband/hw/bnxt_re/qplib_fp.c: int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) @@ drivers/infiniband/hw/bnxt_re/qplib_fp.c: int bnxt_qplib_create_qp(struct bnxt_q - hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode); + hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode) + : 0; - /* Update msn tbl size */ - if (BNXT_RE_HW_RETX(qp->dev_cap_flags) && psn_sz) { - hwq_attr.aux_depth = roundup_pow_of_two(bnxt_qplib_set_sq_size(sq, qp->wqe_mode)); + hwq_attr.type = HWQ_TYPE_QUEUE; + rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr); + if (rc) ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |
From: Rémi Denis-Courmont courmisch@gmail.com
[ Upstream commit 7d2a894d7f487dcb894df023e9d3014cf5b93fe5 ]
The receive queues are protected by their respective spin-lock, not the socket lock. This could lead to skb_peek() unexpectedly returning NULL or a pointer to an already dequeued socket buffer.
Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol") Signed-off-by: Rémi Denis-Courmont courmisch@gmail.com Link: https://lore.kernel.org/r/20240218081214.4806-2-remi@remlab.net Signed-off-by: Paolo Abeni pabeni@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org [Harshit: backport to 5.15.y, clean cherrypick from 6.1.y commit] Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com --- net/phonet/pep.c | 41 ++++++++++++++++++++++++++++++++--------- 1 file changed, 32 insertions(+), 9 deletions(-)
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 65d463ad8770..3ea23e7caab6 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -916,6 +916,37 @@ static int pep_sock_enable(struct sock *sk, struct sockaddr *addr, int len)
 return 0;
 }
+static unsigned int pep_first_packet_length(struct sock *sk)
+{
+ struct pep_sock *pn = pep_sk(sk);
+ struct sk_buff_head *q;
+ struct sk_buff *skb;
+ unsigned int len = 0;
+ bool found = false;
+
+ if (sock_flag(sk, SOCK_URGINLINE)) {
+ q = &pn->ctrlreq_queue;
+ spin_lock_bh(&q->lock);
+ skb = skb_peek(q);
+ if (skb) {
+ len = skb->len;
+ found = true;
+ }
+ spin_unlock_bh(&q->lock);
+ }
+
+ if (likely(!found)) {
+ q = &sk->sk_receive_queue;
+ spin_lock_bh(&q->lock);
+ skb = skb_peek(q);
+ if (skb)
+ len = skb->len;
+ spin_unlock_bh(&q->lock);
+ }
+
+ return len;
+}
+
 static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
 {
 struct pep_sock *pn = pep_sk(sk);
@@ -929,15 +960,7 @@ static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
 break;
 }
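Review bot: pep_first_packet_length() has no comment describing its contract, and the locking rationale (each queue is peeked under its own spin lock, so the result is a snapshot) is the whole point of the change; a header comment would preserve that: `/* Length of the first queued packet, for SIOCINQ: the control-request queue wins when SOCK_URGINLINE is set, else the receive queue. Each queue is peeked under its own lock, so the value is a snapshot that may be stale by the time the caller uses it. */`. The `likely()` around `!found` is a guess about workload that buys nothing on an ioctl path; plain `if (!found)` reads more honestly. The helper returns unsigned int while the second hunk stores it into `answ`, whose declaration is outside the hunk, so its type and the conversion on put_user() should be checked.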
- lock_sock(sk);
- if (sock_flag(sk, SOCK_URGINLINE) &&
- !skb_queue_empty(&pn->ctrlreq_queue))
- answ = skb_peek(&pn->ctrlreq_queue)->len;
- else if (!skb_queue_empty(&sk->sk_receive_queue))
- answ = skb_peek(&sk->sk_receive_queue)->len;
- else
- answ = 0;
- release_sock(sk);
+ answ = pep_first_packet_length(sk);
 ret = put_user(answ, (int __user *)arg);
 break;
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 7d2a894d7f487dcb894df023e9d3014cf5b93fe5
WARNING: Author mismatch between patch and upstream commit: Backport author: Harshit Mogalapalliharshit.m.mogalapalli@oracle.com Commit author: Rémi Denis-Courmontcourmisch@gmail.com
Status in newer kernel trees: 6.14.y | Present (exact SHA1) 6.13.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: 0a9f558c72c4) 6.1.y | Present (different SHA1: 9d5523e065b5)
Note: The patch differs from the upstream commit: --- 1: 7d2a894d7f487 ! 1: cf507fe643590 phonet/pep: fix racy skb_queue_empty() use @@ Metadata ## Commit message ## phonet/pep: fix racy skb_queue_empty() use
+ [ Upstream commit 7d2a894d7f487dcb894df023e9d3014cf5b93fe5 ] + The receive queues are protected by their respective spin-lock, not the socket lock. This could lead to skb_peek() unexpectedly returning NULL or a pointer to an already dequeued socket buffer. @@ Commit message Signed-off-by: Rémi Denis-Courmont courmisch@gmail.com Link: https://lore.kernel.org/r/20240218081214.4806-2-remi@remlab.net Signed-off-by: Paolo Abeni pabeni@redhat.com + Signed-off-by: Sasha Levin sashal@kernel.org + [Harshit: backport to 5.15.y, clean cherrypick from 6.1.y commit] + Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com
## net/phonet/pep.c ## @@ net/phonet/pep.c: static int pep_sock_enable(struct sock *sk, struct sockaddr *addr, int len) @@ net/phonet/pep.c: static int pep_sock_enable(struct sock *sk, struct sockaddr *a + return len; +} + - static int pep_ioctl(struct sock *sk, int cmd, int *karg) + static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg) { struct pep_sock *pn = pep_sk(sk); -@@ net/phonet/pep.c: static int pep_ioctl(struct sock *sk, int cmd, int *karg) +@@ net/phonet/pep.c: static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg) break; }
- lock_sock(sk); - if (sock_flag(sk, SOCK_URGINLINE) && - !skb_queue_empty(&pn->ctrlreq_queue)) -- *karg = skb_peek(&pn->ctrlreq_queue)->len; +- answ = skb_peek(&pn->ctrlreq_queue)->len; - else if (!skb_queue_empty(&sk->sk_receive_queue)) -- *karg = skb_peek(&sk->sk_receive_queue)->len; +- answ = skb_peek(&sk->sk_receive_queue)->len; - else -- *karg = 0; +- answ = 0; - release_sock(sk); -+ *karg = pep_first_packet_length(sk); - ret = 0; ++ answ = pep_first_packet_length(sk); + ret = put_user(answ, (int __user *)arg); break;
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |
From: Wang Liang wangliang74@huawei.com
[ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ]
Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") Signed-off-by: Wang Liang wangliang74@huawei.com Reviewed-by: Eric Dumazet edumazet@google.com Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski kuba@kernel.org [ Resolve minor conflicts to fix CVE-2024-50258 ] Signed-off-by: Bin Lan bin.lan.cn@windriver.com Signed-off-by: Sasha Levin sashal@kernel.org [Harshit: Clean cherrypick from 6.1.y commit] Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com --- net/core/rtnetlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 46a97c915e93..e8e67429e437 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1899,7 +1899,7 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
 [IFLA_NUM_TX_QUEUES] = { .type = NLA_U32 },
 [IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 },
 [IFLA_GSO_MAX_SEGS] = { .type = NLA_U32 },
- [IFLA_GSO_MAX_SIZE] = { .type = NLA_U32 },
+ [IFLA_GSO_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1),
 [IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
 [IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */
 [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
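Review bot: The new policy entry carries no explanation of its bound, and MAX_TCP_HEADER + 1 is not self-evidently related to a GSO size; a trailing comment such as `/* smaller values underflow sk_dst_gso_max_size() */`, the failure mode the commit message describes, would keep the reasoning next to the constant. The upstream commit's second hunk for IFLA_GSO_IPV4_MAX_SIZE is absent here, which is expected since this policy table in 5.15.y has no such entry. Note that the policy only bounds values arriving over netlink; whether any other writer of gso_max_size exists in 5.15.y is outside this hunk.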
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 9ab5cf19fb0e4680f95e506d6c544259bf1111c4
WARNING: Author mismatch between patch and upstream commit: Backport author: Harshit Mogalapalliharshit.m.mogalapalli@oracle.com Commit author: Wang Liangwangliang74@huawei.com
Status in newer kernel trees: 6.14.y | Present (exact SHA1) 6.13.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: ac5977001eee) 6.1.y | Present (different SHA1: e9365368b483)
Note: The patch differs from the upstream commit: --- 1: 9ab5cf19fb0e4 ! 1: 92a2aab3e8a99 net: fix crash when config small gso_max_size/gso_ipv4_max_size @@ Metadata ## Commit message ## net: fix crash when config small gso_max_size/gso_ipv4_max_size
+ [ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ] + Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. @@ Commit message Reviewed-by: Eric Dumazet edumazet@google.com Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski kuba@kernel.org + [ Resolve minor conflicts to fix CVE-2024-50258 ] + Signed-off-by: Bin Lan bin.lan.cn@windriver.com + Signed-off-by: Sasha Levin sashal@kernel.org + [Harshit: Clean cherrypick from 6.1.y commit] + Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com
## net/core/rtnetlink.c ## @@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = { @@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = { [IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, [IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, -@@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = { - [IFLA_TSO_MAX_SIZE] = { .type = NLA_REJECT }, - [IFLA_TSO_MAX_SEGS] = { .type = NLA_REJECT }, - [IFLA_ALLMULTI] = { .type = NLA_REJECT }, -- [IFLA_GSO_IPV4_MAX_SIZE] = { .type = NLA_U32 }, -+ [IFLA_GSO_IPV4_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1), - [IFLA_GRO_IPV4_MAX_SIZE] = { .type = NLA_U32 }, - }; - ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |
From: Trond Myklebust trond.myklebust@hammerspace.com
[ Upstream commit ace149e0830c380ddfce7e466fe860ca502fe4ee ]
If the caller supplies an iocb->ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop.
This behaviour was discovered when testing xfstests generic/525 with the "localio" optimisation for loopback NFS mounts.
Reported-by: Mike Snitzer snitzer@kernel.org Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()") Tested-by: Mike Snitzer snitzer@kernel.org Signed-off-by: Trond Myklebust trond.myklebust@hammerspace.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org (cherry picked from commit ace149e0830c380ddfce7e466fe860ca502fe4ee) [Harshit: Minor conflict resolved due to missing commit: 25d6a23e8d28 ("filemap: Convert filemap_get_read_batch() to use a folio_batch") in 5.15.y] Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com --- mm/filemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/filemap.c b/mm/filemap.c
index c71e86c12418..cc86c5a127b9 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2617,7 +2617,7 @@ ssize_t filemap_read(struct kiocb *iocb, struct iov_iter *iter,
 if (unlikely(!iov_iter_count(iter)))
 return 0;
- iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
+ iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos);
 pagevec_init(&pvec);
do {
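Review bot: `s_maxbytes - iocb->ki_pos` is only a valid truncation length if ki_pos is already known to be below s_maxbytes at this point; the new line does not establish that, and the guard that would (an early `ki_pos >= s_maxbytes` return, which I believe precedes the visible context in 5.15's filemap_read) is outside the hunk and should be confirmed. Without such a guard the loff_t difference goes negative and iov_iter_truncate(), which takes an unsigned count, would see a huge value and truncate nothing. A comment tying the two together, `/* ki_pos < s_maxbytes was checked above, so the difference cannot go negative */`, would make that dependency visible to the next reader. filemap_read continues outside the hunk.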
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: ace149e0830c380ddfce7e466fe860ca502fe4ee
WARNING: Author mismatch between patch and upstream commit: Backport author: Harshit Mogalapalliharshit.m.mogalapalli@oracle.com Commit author: Trond Myklebusttrond.myklebust@hammerspace.com
Status in newer kernel trees: 6.14.y | Present (exact SHA1) 6.13.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: a2746ab3bbc9) 6.1.y | Present (different SHA1: 26530b757c81)
Note: The patch differs from the upstream commit: --- 1: ace149e0830c3 ! 1: dea76eb0a8d6e filemap: Fix bounds checking in filemap_read() @@ Metadata ## Commit message ## filemap: Fix bounds checking in filemap_read()
+ [ Upstream commit ace149e0830c380ddfce7e466fe860ca502fe4ee ] + If the caller supplies an iocb->ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop. @@ Commit message Tested-by: Mike Snitzer snitzer@kernel.org Signed-off-by: Trond Myklebust trond.myklebust@hammerspace.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org + (cherry picked from commit ace149e0830c380ddfce7e466fe860ca502fe4ee) + [Harshit: Minor conflict resolved due to missing commit: 25d6a23e8d28 + ("filemap: Convert filemap_get_read_batch() to use a folio_batch") in + 5.15.y] + Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com
## mm/filemap.c ## @@ mm/filemap.c: ssize_t filemap_read(struct kiocb *iocb, struct iov_iter *iter, @@ mm/filemap.c: ssize_t filemap_read(struct kiocb *iocb, struct iov_iter *iter,
- iov_iter_truncate(iter, inode->i_sb->s_maxbytes); + iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos); - folio_batch_init(&fbatch); + pagevec_init(&pvec);
do { ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |
From: Paolo Abeni pabeni@redhat.com
[ Upstream commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe ]
The CI is hitting some aperiodic hangup at device removal time in the pmtu.sh self-test:
unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6 ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at dst_init+0x84/0x4a0 dst_alloc+0x97/0x150 ip6_dst_alloc+0x23/0x90 ip6_rt_pcpu_alloc+0x1e6/0x520 ip6_pol_route+0x56f/0x840 fib6_rule_lookup+0x334/0x630 ip6_route_output_flags+0x259/0x480 ip6_dst_lookup_tail.constprop.0+0x5c2/0x940 ip6_dst_lookup_flow+0x88/0x190 udp_tunnel6_dst_lookup+0x2a7/0x4c0 vxlan_xmit_one+0xbde/0x4a50 [vxlan] vxlan_xmit+0x9ad/0xf20 [vxlan] dev_hard_start_xmit+0x10e/0x360 __dev_queue_xmit+0xf95/0x18c0 arp_solicit+0x4a2/0xe00 neigh_probe+0xaa/0xf0
While the first suspect is the dst_cache, explicitly tracking the dst owning the last device reference via probes proved such dst is held by the nexthop in the originating fib6_info.
Similar to commit f5b51fe804ec ("ipv6: route: purge exception on removal"), we need to explicitly release the originating fib info when disconnecting a to-be-removed device from a live ipv6 dst: move the fib6_info cleanup into ip6_dst_ifdown().
Tested running:
./pmtu.sh cleanup_ipv6_exception
in a tight loop for more than 400 iterations with no spat, running an unpatched kernel I observed a splat every ~10 iterations.
Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info") Signed-off-by: Paolo Abeni pabeni@redhat.com Reviewed-by: Eric Dumazet edumazet@google.com Reviewed-by: David Ahern dsahern@kernel.org Link: https://patch.msgid.link/604c45c188c609b732286b47ac2a451a40f6cf6d.1730828007... Signed-off-by: Jakub Kicinski kuba@kernel.org (cherry picked from commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe) [Harshit: Resolved conflict due to missing commit: e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev") and commit: b4cb4a1391dc ("net: use unrcu_pointer() helper") in linux-5.15.y] Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com --- net/ipv6/route.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index f8b2fdaef67f..f30a5b7d93f4 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -377,6 +377,7 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
 struct inet6_dev *idev = rt->rt6i_idev;
 struct net_device *loopback_dev =
 dev_net(dev)->loopback_dev;
+ struct fib6_info *from;
if (idev && idev->dev != loopback_dev) {
 struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev);
@@ -385,6 +386,8 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
 in6_dev_put(idev);
 }
 }
+ from = xchg((__force struct fib6_info **)&rt->from, NULL);
+ fib6_info_release(from);
 }
static bool __rt6_check_expired(const struct rt6_info *rt)
@@ -1443,7 +1446,6 @@ static DEFINE_SPINLOCK(rt6_exception_lock);
 static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
 struct rt6_exception *rt6_ex)
 {
- struct fib6_info *from;
 struct net *net;
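Review bot: The moved release `from = xchg((__force struct fib6_info **)&rt->from, NULL); fib6_info_release(from);` now runs for every dst that ip6_dst_ifdown() handles, not only for exceptions as before, and nothing in the code says why it lives here; a short comment would stop a future cleanup from moving it back: `/* Drop the nexthop's fib6_info here rather than in rt6_remove_exception(): a dst cached by a socket can outlive the exception and would otherwise keep the device pinned. */`. Because the release is unconditional, it relies on fib6_info_release() tolerating a NULL `from` for dsts that never had one; that helper is outside the hunk and worth confirming for 5.15.y. The third and fourth hunks (rt6_remove_exception) only delete the old release and its local variable and need no separate note. ip6_dst_ifdown begins, and rt6_remove_exception continues, outside the hunk.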
if (!bucket || !rt6_ex)
@@ -1455,8 +1457,6 @@ static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
 /* purge completely the exception to allow releasing the held resources:
 * some [sk] cache may keep the dst around for unlimited time
 */
- from = xchg((__force struct fib6_info **)&rt6_ex->rt6i->from, NULL);
- fib6_info_release(from);
 dst_dev_put(&rt6_ex->rt6i->dst);
hlist_del_rcu(&rt6_ex->hlist);
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: eb02688c5c45c3e7af7e71f036a7144f5639cbfe
WARNING: Author mismatch between patch and upstream commit: Backport author: Harshit Mogalapalliharshit.m.mogalapalli@oracle.com Commit author: Paolo Abenipabeni@redhat.com
Status in newer kernel trees: 6.14.y | Present (exact SHA1) 6.13.y | Present (exact SHA1) 6.12.y | Present (different SHA1: 0e4c6faaef8a) 6.6.y | Present (different SHA1: 43e25adc8026) 6.1.y | Present (different SHA1: b2f26a27ea3f)
Note: The patch differs from the upstream commit: --- 1: eb02688c5c45c ! 1: 47cc8122c9644 ipv6: release nexthop on device removal @@ Metadata ## Commit message ## ipv6: release nexthop on device removal
+ [ Upstream commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe ] + The CI is hitting some aperiodic hangup at device removal time in the pmtu.sh self-test:
@@ Commit message Reviewed-by: David Ahern dsahern@kernel.org Link: https://patch.msgid.link/604c45c188c609b732286b47ac2a451a40f6cf6d.1730828007... Signed-off-by: Jakub Kicinski kuba@kernel.org + (cherry picked from commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe) + [Harshit: Resolved conflict due to missing commit: e5f80fcf869a ("ipv6: + give an IPv6 dev to blackhole_netdev") and commit: b4cb4a1391dc ("net: + use unrcu_pointer() helper") in linux-5.15.y] + Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com
## net/ipv6/route.c ## -@@ net/ipv6/route.c: static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev) - { - struct rt6_info *rt = dst_rt6_info(dst); +@@ net/ipv6/route.c: static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev, struct inet6_dev *idev = rt->rt6i_idev; + struct net_device *loopback_dev = + dev_net(dev)->loopback_dev; + struct fib6_info *from;
- if (idev && idev->dev != blackhole_netdev) { - struct inet6_dev *blackhole_idev = in6_dev_get(blackhole_netdev); -@@ net/ipv6/route.c: static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev) + if (idev && idev->dev != loopback_dev) { + struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev); +@@ net/ipv6/route.c: static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev, in6_dev_put(idev); } } -+ from = unrcu_pointer(xchg(&rt->from, NULL)); ++ from = xchg((__force struct fib6_info **)&rt->from, NULL); + fib6_info_release(from); }
@@ net/ipv6/route.c: static void rt6_remove_exception(struct rt6_exception_bucket * /* purge completely the exception to allow releasing the held resources: * some [sk] cache may keep the dst around for unlimited time */ -- from = unrcu_pointer(xchg(&rt6_ex->rt6i->from, NULL)); +- from = xchg((__force struct fib6_info **)&rt6_ex->rt6i->from, NULL); - fib6_info_release(from); dst_dev_put(&rt6_ex->rt6i->dst);
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |