From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16476C433EF for ; Fri, 4 Feb 2022 09:21:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357507AbiBDJVX (ORCPT ); Fri, 4 Feb 2022 04:21:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60500 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357401AbiBDJVH (ORCPT ); Fri, 4 Feb 2022 04:21:07 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9388AC061757; Fri, 4 Feb 2022 01:21:07 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 515EFB836EE; Fri, 4 Feb 2022 09:21:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4BA8FC004E1; Fri, 4 Feb 2022 09:21:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966465; bh=rkWayZZC0RqM6hI7nNtYbd4ASzlnGge0fvI4FQpwk0c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ai4EftW1035fBxRlraM/zVueUzEc0tq6D75EQuJ0JqFClkOLUYjLPPpNYjeGRebuu FGQfprmyCy6kCIdagFicQJPzwriWMyBeXIx1sQ7GwA0ztKzdT26/RVwxURShHaTP/M epG/s/E5ALIlRFGBap8xWZDZRHRqo2kSaXGTAVis= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Joseph Bao , Lukas Wunner , Bjorn Helgaas , Stuart Hayes Subject: [PATCH 5.4 01/10] PCI: pciehp: Fix infinite loop in IRQ handler upon power fault Date: Fri, 4 Feb 2022 10:20:14 +0100 Message-Id: <20220204091912.377649204@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Lukas Wunner commit 23584c1ed3e15a6f4bfab8dc5a88d94ab929ee12 upstream. The Power Fault Detected bit in the Slot Status register differs from all other hotplug events in that it is sticky: It can only be cleared after turning off slot power. Per PCIe r5.0, sec. 6.7.1.8: If a power controller detects a main power fault on the hot-plug slot, it must automatically set its internal main power fault latch [...]. The main power fault latch is cleared when software turns off power to the hot-plug slot. The stickiness used to cause interrupt storms and infinite loops which were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable software notification on empty slots"). Unfortunately in 2020 the infinite loop issue was inadvertently reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race"): The hardirq handler pciehp_isr() clears the PFD bit until pciehp's power_fault_detected flag is set. That happens in the IRQ thread pciehp_ist(), which never learns of the event because the hardirq handler is stuck in an infinite loop. Fix by setting the power_fault_detected flag already in the hardirq handler. Link: https://bugzilla.kernel.org/show_bug.cgi?id=3D214989 Link: https://lore.kernel.org/linux-pci/DM8PR11MB5702255A6A92F735D90A444686= 8B9@DM8PR11MB5702.namprd11.prod.outlook.com Fixes: 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race") Link: https://lore.kernel.org/r/66eaeef31d4997ceea357ad93259f290ededecfd.16= 37187226.git.lukas@wunner.de Reported-by: Joseph Bao Tested-by: Joseph Bao Signed-off-by: Lukas Wunner Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org # v4.19+ Cc: Stuart Hayes Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/pci/hotplug/pciehp_hpc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/pci/hotplug/pciehp_hpc.c +++ b/drivers/pci/hotplug/pciehp_hpc.c @@ -577,6 +577,8 @@ read_status: */ if (ctrl->power_fault_detected) status &=3D ~PCI_EXP_SLTSTA_PFD; + else if (status & PCI_EXP_SLTSTA_PFD) + ctrl->power_fault_detected =3D true; =20 events |=3D status; if (!events) { @@ -586,7 +588,7 @@ read_status: } =20 if (status) { - pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events); + pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, status); =20 /* * In MSI mode, all event bits must be zero before the port @@ -660,8 +662,7 @@ static irqreturn_t pciehp_ist(int irq, v } =20 /* Check Power Fault Detected */ - if ((events & PCI_EXP_SLTSTA_PFD) && !ctrl->power_fault_detected) { - ctrl->power_fault_detected =3D 1; + if (events & PCI_EXP_SLTSTA_PFD) { ctrl_err(ctrl, "Slot(%s): Power fault\n", slot_name(ctrl)); pciehp_set_indicators(ctrl, PCI_EXP_SLTCTL_PWR_IND_OFF, PCI_EXP_SLTCTL_ATTN_IND_ON); From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D26DC4332F for ; Fri, 4 Feb 2022 09:20:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357310AbiBDJUu (ORCPT ); Fri, 4 Feb 2022 04:20:50 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:40016 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356576AbiBDJUh (ORCPT ); Fri, 4 Feb 2022 04:20:37 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2F3AE615E3; Fri, 4 Feb 2022 09:20:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E0522C004E1; Fri, 4 Feb 2022 09:20:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966435; bh=SiOTYl4HAbhjx6akmKnFtzuK+pK0LowwAHkRI2cD5fY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2wS98hxrT4/HnO8Wrp0qf86rHvcAkaWCpGTLjPcrjtMyHcPcz80o0HQh7VjUbLMou dkJ5oEBqGx4a8SYlx/YHhpRx2BZhqojSp3V5GGAsv1MHEKfo0oEaLf8Pk6y1Jo/Fgb BfAF8qpwN9j/kHvXwSIcfJI3cuMruQCYD0FIgbSM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com, Linus Torvalds , Suren Baghdasaryan , "Peter Zijlstra (Intel)" , Eric Biggers , Johannes Weiner , Eric Biggers Subject: [PATCH 5.4 02/10] psi: Fix uaf issue when psi trigger is destroyed while being polled Date: Fri, 4 Feb 2022 10:20:15 +0100 Message-Id: <20220204091912.407481190@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Suren Baghdasaryan commit a06247c6804f1a7c86a2e5398a4c1f1db1471848 upstream. With write operation on psi files replacing old trigger with a new one, the lifetime of its waitqueue is totally arbitrary. Overwriting an existing trigger causes its waitqueue to be freed and pending poll() will stumble on trigger->event_wait which was destroyed. Fix this by disallowing to redefine an existing psi trigger. If a write operation is used on a file descriptor with an already existing psi trigger, the operation will fail with EBUSY error. Also bypass a check for psi_disabled in the psi_trigger_destroy as the flag can be flipped after the trigger is created, leading to a memory leak. Fixes: 0e94682b73bf ("psi: introduce psi monitor") Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com Suggested-by: Linus Torvalds Analyzed-by: Eric Biggers Signed-off-by: Suren Baghdasaryan Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Eric Biggers Acked-by: Johannes Weiner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220111232309.1786347-1-surenb@google.com [surenb: backported to 5.4 kernel] CC: stable@vger.kernel.org # 5.4 Signed-off-by: Suren Baghdasaryan Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- Documentation/accounting/psi.rst | 3 + include/linux/psi.h | 2 - include/linux/psi_types.h | 3 - kernel/cgroup/cgroup.c | 11 ++++-- kernel/sched/psi.c | 66 +++++++++++++++++-----------------= ----- 5 files changed, 40 insertions(+), 45 deletions(-) --- a/Documentation/accounting/psi.rst +++ b/Documentation/accounting/psi.rst @@ -90,7 +90,8 @@ Triggers can be set on more than one psi for the same psi metric can be specified. However for each trigger a separ= ate file descriptor is required to be able to poll it separately from others, therefore for each trigger a separate open() syscall should be made even -when opening the same psi interface file. +when opening the same psi interface file. Write operations to a file descr= iptor +with an already existing psi trigger will fail with EBUSY. =20 Monitors activate only when system enters stall state for the monitored psi metric and deactivates upon exit from the stall state. While system is --- a/include/linux/psi.h +++ b/include/linux/psi.h @@ -31,7 +31,7 @@ void cgroup_move_task(struct task_struct =20 struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, size_t nbytes, enum psi_res res); -void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *t); +void psi_trigger_destroy(struct psi_trigger *t); =20 __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, poll_table *wait); --- a/include/linux/psi_types.h +++ b/include/linux/psi_types.h @@ -120,9 +120,6 @@ struct psi_trigger { * events to one per window */ u64 last_event_time; - - /* Refcounting to prevent premature destruction */ - struct kref refcount; }; =20 struct psi_group { --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -3659,6 +3659,12 @@ static ssize_t cgroup_pressure_write(str cgroup_get(cgrp); cgroup_kn_unlock(of->kn); =20 + /* Allow only one trigger per file descriptor */ + if (of->priv) { + cgroup_put(cgrp); + return -EBUSY; + } + psi =3D cgroup_ino(cgrp) =3D=3D 1 ? &psi_system : &cgrp->psi; new =3D psi_trigger_create(psi, buf, nbytes, res); if (IS_ERR(new)) { @@ -3666,8 +3672,7 @@ static ssize_t cgroup_pressure_write(str return PTR_ERR(new); } =20 - psi_trigger_replace(&of->priv, new); - + smp_store_release(&of->priv, new); cgroup_put(cgrp); =20 return nbytes; @@ -3702,7 +3707,7 @@ static __poll_t cgroup_pressure_poll(str =20 static void cgroup_pressure_release(struct kernfs_open_file *of) { - psi_trigger_replace(&of->priv, NULL); + psi_trigger_destroy(of->priv); } #endif /* CONFIG_PSI */ =20 --- a/kernel/sched/psi.c +++ b/kernel/sched/psi.c @@ -1046,7 +1046,6 @@ struct psi_trigger *psi_trigger_create(s t->event =3D 0; t->last_event_time =3D 0; init_waitqueue_head(&t->event_wait); - kref_init(&t->refcount); =20 mutex_lock(&group->trigger_lock); =20 @@ -1079,15 +1078,19 @@ struct psi_trigger *psi_trigger_create(s return t; } =20 -static void psi_trigger_destroy(struct kref *ref) +void psi_trigger_destroy(struct psi_trigger *t) { - struct psi_trigger *t =3D container_of(ref, struct psi_trigger, refcount); - struct psi_group *group =3D t->group; + struct psi_group *group; struct kthread_worker *kworker_to_destroy =3D NULL; =20 - if (static_branch_likely(&psi_disabled)) + /* + * We do not check psi_disabled since it might have been disabled after + * the trigger got created. + */ + if (!t) return; =20 + group =3D t->group; /* * Wakeup waiters to stop polling. Can happen if cgroup is deleted * from under a polling process. @@ -1122,9 +1125,9 @@ static void psi_trigger_destroy(struct k mutex_unlock(&group->trigger_lock); =20 /* - * Wait for both *trigger_ptr from psi_trigger_replace and - * poll_kworker RCUs to complete their read-side critical sections - * before destroying the trigger and optionally the poll_kworker + * Wait for psi_schedule_poll_work RCU to complete its read-side + * critical section before destroying the trigger and optionally the + * poll_task. */ synchronize_rcu(); /* @@ -1146,18 +1149,6 @@ static void psi_trigger_destroy(struct k kfree(t); } =20 -void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *new) -{ - struct psi_trigger *old =3D *trigger_ptr; - - if (static_branch_likely(&psi_disabled)) - return; - - rcu_assign_pointer(*trigger_ptr, new); - if (old) - kref_put(&old->refcount, psi_trigger_destroy); -} - __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, poll_table *wait) { @@ -1167,24 +1158,15 @@ __poll_t psi_trigger_poll(void **trigger if (static_branch_likely(&psi_disabled)) return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; =20 - rcu_read_lock(); - - t =3D rcu_dereference(*(void __rcu __force **)trigger_ptr); - if (!t) { - rcu_read_unlock(); + t =3D smp_load_acquire(trigger_ptr); + if (!t) return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; - } - kref_get(&t->refcount); - - rcu_read_unlock(); =20 poll_wait(file, &t->event_wait, wait); =20 if (cmpxchg(&t->event, 1, 0) =3D=3D 1) ret |=3D EPOLLPRI; =20 - kref_put(&t->refcount, psi_trigger_destroy); - return ret; } =20 @@ -1208,14 +1190,24 @@ static ssize_t psi_write(struct file *fi =20 buf[buf_size - 1] =3D '\0'; =20 - new =3D psi_trigger_create(&psi_system, buf, nbytes, res); - if (IS_ERR(new)) - return PTR_ERR(new); - seq =3D file->private_data; + /* Take seq->lock to protect seq->private from concurrent writes */ mutex_lock(&seq->lock); - psi_trigger_replace(&seq->private, new); + + /* Allow only one trigger per file descriptor */ + if (seq->private) { + mutex_unlock(&seq->lock); + return -EBUSY; + } + + new =3D psi_trigger_create(&psi_system, buf, nbytes, res); + if (IS_ERR(new)) { + mutex_unlock(&seq->lock); + return PTR_ERR(new); + } + + smp_store_release(&seq->private, new); mutex_unlock(&seq->lock); =20 return nbytes; @@ -1250,7 +1242,7 @@ static int psi_fop_release(struct inode { struct seq_file *seq =3D file->private_data; =20 - psi_trigger_replace(&seq->private, NULL); + psi_trigger_destroy(seq->private); return single_release(inode, file); } =20 From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57B2FC433EF for ; Fri, 4 Feb 2022 09:20:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357331AbiBDJUy (ORCPT ); Fri, 4 Feb 2022 04:20:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60374 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357323AbiBDJUj (ORCPT ); Fri, 4 Feb 2022 04:20:39 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8FB0C061401; Fri, 4 Feb 2022 01:20:39 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 39DED615E9; Fri, 4 Feb 2022 09:20:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 161FBC004E1; Fri, 4 Feb 2022 09:20:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966438; bh=43+sPse4muwhJ98h31p3qiOK339+7kYSkgBhc3wXxA4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=L3Wk4fhbfkztimCNcx0fNOziHwCCYLDyk+gDmOzhlgNOZePjBVGPbwxsnRhwG8iwD PMww3pPK1+O2sNMgqUeutq2ll0HyYz5sNyZgw5cp83g/KYZYpqyVIRDWHNoOVQZV+K u1Ejfb6zBYXbNc8JyKsIpMmKDrfGyVv4MowakauA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tabitha Sable , "Eric W. Biederman" , Tejun Heo Subject: [PATCH 5.4 03/10] cgroup-v1: Require capabilities to set release_agent Date: Fri, 4 Feb 2022 10:20:16 +0100 Message-Id: <20220204091912.439546581@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric W. Biederman commit 24f6008564183aa120d07c03d9289519c2fe02af upstream. The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set fo capabilitie= s. Therefore require capabilities when setting the release_agaent. Reported-by: Tabitha Sable Tested-by: Tabitha Sable Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification= of idle cgroups") Cc: stable@vger.kernel.org # v2.6.24+ Signed-off-by: "Eric W. Biederman" Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- kernel/cgroup/cgroup-v1.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -549,6 +549,14 @@ static ssize_t cgroup_release_agent_writ =20 BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); =20 + /* + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ + if ((of->file->f_cred->user_ns !=3D &init_user_ns) || + !capable(CAP_SYS_ADMIN)) + return -EPERM; + cgrp =3D cgroup_kn_lock_live(of->kn, false); if (!cgrp) return -ENODEV; @@ -961,6 +969,12 @@ int cgroup1_parse_param(struct fs_contex /* Specifying two release agents is forbidden */ if (ctx->release_agent) return cg_invalf(fc, "cgroup1: release_agent respecified"); + /* + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ + if ((fc->user_ns !=3D &init_user_ns) || !capable(CAP_SYS_ADMIN)) + return cg_invalf(fc, "cgroup1: Setting release_agent not allowed"); ctx->release_agent =3D param->string; param->string =3D NULL; break; From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A95BC4332F for ; Fri, 4 Feb 2022 09:20:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357305AbiBDJU5 (ORCPT ); Fri, 4 Feb 2022 04:20:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60394 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357343AbiBDJUo (ORCPT ); Fri, 4 Feb 2022 04:20:44 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BA5A0C061714; Fri, 4 Feb 2022 01:20:44 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 814A4B836EA; Fri, 4 Feb 2022 09:20:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8CB9AC004E1; Fri, 4 Feb 2022 09:20:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966442; bh=iaE1IqOh0EjTj9ysylMCuepe6iN/kPDrrbFWOLuRBw8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qo+2Kf7zZWDbp1xkPDzJLHZarC74zzG2KeXhXZTtZ71JQizn50eImg6kXbHUJBEfB hjBPV7XuPjoEmCQurAnckQlLuY1Bn0U5G/XVh50OYObqxVHcT2A9oA3fcKSanpqHVN +1lXGjpdqvl29fyWdZDLuMXaAUxp7cktwJ5P8jlw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Georgi Valkov , Jan Kiszka , Jakub Kicinski Subject: [PATCH 5.4 04/10] ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback Date: Fri, 4 Feb 2022 10:20:17 +0100 Message-Id: <20220204091912.471614654@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Georgi Valkov commit 63e4b45c82ed1bde979da7052229a4229ce9cabf upstream. When rx_buf is allocated we need to account for IPHETH_IP_ALIGN, which reduces the usable size by 2 bytes. Otherwise we have 1512 bytes usable instead of 1514, and if we receive more than 1512 bytes, ipheth_rcvbulk_callback is called with status -EOVERFLOW, after which the driver malfunctiones and all communication stops. Resolves ipheth 2-1:4.2: ipheth_rcvbulk_callback: urb status: -75 Fixes: f33d9e2b48a3 ("usbnet: ipheth: fix connectivity with iOS 14") Signed-off-by: Georgi Valkov Tested-by: Jan Kiszka Link: https://lore.kernel.org/all/B60B8A4B-92A0-49B3-805D-809A2433B46C@abv.= bg/ Link: https://lore.kernel.org/all/24851bd2769434a5fc24730dce8e8a984c5a4505.= 1643699778.git.jan.kiszka@siemens.com/ Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/net/usb/ipheth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -121,7 +121,7 @@ static int ipheth_alloc_urbs(struct iphe if (tx_buf =3D=3D NULL) goto free_rx_urb; =20 - rx_buf =3D usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE, + rx_buf =3D usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_A= LIGN, GFP_KERNEL, &rx_urb->transfer_dma); if (rx_buf =3D=3D NULL) goto free_tx_buf; @@ -146,7 +146,7 @@ error_nomem: =20 static void ipheth_free_urbs(struct ipheth_device *iphone) { - usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf, + usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone= ->rx_buf, iphone->rx_urb->transfer_dma); usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf, iphone->tx_urb->transfer_dma); @@ -317,7 +317,7 @@ static int ipheth_rx_submit(struct iphet =20 usb_fill_bulk_urb(dev->rx_urb, udev, usb_rcvbulkpipe(udev, dev->bulk_in), - dev->rx_buf, IPHETH_BUF_SIZE, + dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, ipheth_rcvbulk_callback, dev); dev->rx_urb->transfer_flags |=3D URB_NO_TRANSFER_DMA_MAP; From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC80CC433EF for ; Fri, 4 Feb 2022 09:21:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357362AbiBDJVA (ORCPT ); Fri, 4 Feb 2022 04:21:00 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:50220 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357348AbiBDJUr (ORCPT ); Fri, 4 Feb 2022 04:20:47 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C58F1B836B9; Fri, 4 Feb 2022 09:20:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E97A8C004E1; Fri, 4 Feb 2022 09:20:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966445; bh=QrZLry4insApv+gQ37l7e+SnTkVoC6w8ESMnHsJwm00=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=S4g/gw3XOyyzRB1irMDjHgOQXBYOMYRD050rKvKLmodIXlMGiORHVHUDdq/f47ydU 3XesUwOvu1Rz6yE335ahrXB2ivfKQTuOiGZJsNYjZnMDCAt+crH/LIXaKAMl4hT5ym usLT8miUqNRAkPlKoWqDSc8H57/I9+wFaAC6mQYU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sudheesh Mavila , Raju Rangoju , Tom Lendacky , Jakub Kicinski Subject: [PATCH 5.4 05/10] net: amd-xgbe: ensure to reset the tx_timer_active flag Date: Fri, 4 Feb 2022 10:20:18 +0100 Message-Id: <20220204091912.501626346@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Raju Rangoju commit 7674b7b559b683478c3832527c59bceb169e701d upstream. Ensure to reset the tx_timer_active flag in xgbe_stop(), otherwise a port restart may result in tx timeout due to uncleared flag. Fixes: c635eaacbf77 ("amd-xgbe: Remove Tx coalescing") Co-developed-by: Sudheesh Mavila Signed-off-by: Sudheesh Mavila Signed-off-by: Raju Rangoju Acked-by: Tom Lendacky Link: https://lore.kernel.org/r/20220127060222.453371-1-Raju.Rangoju@amd.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c @@ -721,7 +721,9 @@ static void xgbe_stop_timers(struct xgbe if (!channel->tx_ring) break; =20 + /* Deactivate the Tx timer */ del_timer_sync(&channel->tx_timer); + channel->tx_timer_active =3D 0; } } =20 From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 992BDC433F5 for ; Fri, 4 Feb 2022 09:21:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357383AbiBDJVD (ORCPT ); Fri, 4 Feb 2022 04:21:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60412 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354004AbiBDJUt (ORCPT ); Fri, 4 Feb 2022 04:20:49 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A9F82C061714; Fri, 4 Feb 2022 01:20:49 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2600F615A5; Fri, 4 Feb 2022 09:20:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 06301C004E1; Fri, 4 Feb 2022 09:20:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966448; bh=YWoW/7v5KkKae/MNw/dQ5LSHtZkTGL4gFL1Eye8gEeg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aUXjI7y6Bc/L0z7J9BJKN+vmxDh3Ib8spfc8KPiEoSON8Irb4o4j2KPR88AX9YHdP JZna7icWjUKFvMf6+44L9XVFV6B6qRAee3yuJE7SN6VSb5jf6ZPe6g4NzJKsOGeeNo Bi6EbFmch4vc3XoWfPXMK0P7zY4WqYwizibwO8oA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tom Lendacky , Shyam Sundar S K , Jakub Kicinski Subject: [PATCH 5.4 06/10] net: amd-xgbe: Fix skb data length underflow Date: Fri, 4 Feb 2022 10:20:19 +0100 Message-Id: <20220204091912.532370181@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Shyam Sundar S K commit 5aac9108a180fc06e28d4e7fb00247ce603b72ee upstream. There will be BUG_ON() triggered in include/linux/skbuff.h leading to intermittent kernel panic, when the skb length underflow is detected. Fix this by dropping the packet if such length underflows are seen because of inconsistencies in the hardware descriptors. Fixes: 622c36f143fc ("amd-xgbe: Fix jumbo MTU processing on newer hardware") Suggested-by: Tom Lendacky Signed-off-by: Shyam Sundar S K Acked-by: Tom Lendacky Link: https://lore.kernel.org/r/20220127092003.2812745-1-Shyam-sundar.S-k@a= md.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c @@ -2767,6 +2767,14 @@ read_again: buf2_len =3D xgbe_rx_buf2_len(rdata, packet, len); len +=3D buf2_len; =20 + if (buf2_len > rdata->rx.buf.dma_len) { + /* Hardware inconsistency within the descriptors + * that has resulted in a length underflow. + */ + error =3D 1; + goto skip_data; + } + if (!skb) { skb =3D xgbe_create_skb(pdata, napi, rdata, buf1_len); @@ -2796,8 +2804,10 @@ skip_data: if (!last || context_next) goto read_again; =20 - if (!skb) + if (!skb || error) { + dev_kfree_skb(skb); goto next_packet; + } =20 /* Be sure we don't exceed the configured MTU */ max_len =3D netdev->mtu + ETH_HLEN; From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 129E4C433FE for ; Fri, 4 Feb 2022 09:21:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357356AbiBDJVG (ORCPT ); Fri, 4 Feb 2022 04:21:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60450 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357341AbiBDJUz (ORCPT ); Fri, 4 Feb 2022 04:20:55 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0F55AC061749; Fri, 4 Feb 2022 01:20:54 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D0263B836EA; Fri, 4 Feb 2022 09:20:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0D158C004E1; Fri, 4 Feb 2022 09:20:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966451; bh=gl5fvLmz/9CmwlUdjxsSDEnwJhcmo9Bg7jWVIjpcaYo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bwjC64sBdllL+MqIKb7ebQGvNQ0y4aaMhbrTn1ZSgzWLOEtyQ6W/eoGcICxw+8X1v IYy7ADaaQMNi/PkMX89/dalVcXvmSijPG+59uUU9Reki7awzFvKJm4DZj7v+v1LH1O 3OL1nQKbg7qkaNJEIZMVcUI7ecUwrPWoK5UDnZwI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , Vlad Buslov , Jiri Pirko , Cong Wang , syzbot , Jakub Kicinski Subject: [PATCH 5.4 07/10] net: sched: fix use-after-free in tc_new_tfilter() Date: Fri, 4 Feb 2022 10:20:20 +0100 Message-Id: <20220204091912.563536303@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric Dumazet commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5 upstream. Whenever tc_new_tfilter() jumps back to replay: label, we need to make sure @q and @chain local variables are cleared again, or risk use-after-free as in [1] For consistency, apply the same fix in tc_ctl_chain() BUG: KASAN: use-after-free in mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sc= h_generic.c:1581 Write of size 8 at addr ffff8880985c4b08 by task syz-executor.4/1945 CPU: 0 PID: 1945 Comm: syz-executor.4 Not tainted 5.17.0-rc1-syzkaller-0049= 5-gff58831fa02d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Goo= gle 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581 tcf_chain_head_change_item net/sched/cls_api.c:372 [inline] tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:386 tcf_chain_tp_insert net/sched/cls_api.c:1657 [inline] tcf_chain_tp_insert_unique net/sched/cls_api.c:1707 [inline] tc_new_tfilter+0x1e67/0x2350 net/sched/cls_api.c:2086 rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x331/0x810 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmmsg+0x195/0x470 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f2647172059 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 = 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff f= f 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2645aa5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f2647285100 RCX: 00007f2647172059 RDX: 040000000000009f RSI: 00000000200002c0 RDI: 0000000000000006 RBP: 00007f26471cc08d R08: 0000000000000000 R09: 0000000000000000 R10: 9e00000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffb3f7f02f R14: 00007f2645aa5300 R15: 0000000000022000 Allocated by task 1944: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kmalloc_node include/linux/slab.h:604 [inline] kzalloc_node include/linux/slab.h:726 [inline] qdisc_alloc+0xac/0xa10 net/sched/sch_generic.c:941 qdisc_create.constprop.0+0xce/0x10f0 net/sched/sch_api.c:1211 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5592 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x331/0x810 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmmsg+0x195/0x470 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 3609: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x130/0x160 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3509 [inline] kfree+0xcb/0x280 mm/slub.c:4562 rcu_do_batch kernel/rcu/tree.c:2527 [inline] rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 Last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 __call_rcu kernel/rcu/tree.c:3026 [inline] call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106 qdisc_put_unlocked+0x6f/0x90 net/sched/sch_generic.c:1109 tcf_block_release+0x86/0x90 net/sched/cls_api.c:1238 tc_new_tfilter+0xc0d/0x2350 net/sched/cls_api.c:2148 rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x331/0x810 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmmsg+0x195/0x470 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff8880985c4800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 776 bytes inside of 1024-byte region [ffff8880985c4800, ffff8880985c4c00) The buggy address belongs to the page: page:ffffea0002617000 refcount:1 mapcount:0 mapping:0000000000000000 index:= 0x0 pfn:0x985c0 head:ffffea0002617000 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=3D0|zone=3D1|lastcpupid=3D0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c41dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(_= _GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__G= FP_HARDWALL), pid 1941, ts 1038999441284, free_ts 1033444432829 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab mm/slub.c:1944 [inline] new_slab+0x28a/0x3b0 mm/slub.c:2004 ___slab_alloc+0x87c/0xe90 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] slab_alloc mm/slub.c:3238 [inline] __kmalloc+0x2fb/0x340 mm/slub.c:4420 kmalloc include/linux/slab.h:586 [inline] kzalloc include/linux/slab.h:715 [inline] __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1335 neigh_sysctl_register+0x2c8/0x5e0 net/core/neighbour.c:3787 devinet_sysctl_register+0xb1/0x230 net/ipv4/devinet.c:2618 inetdev_init+0x286/0x580 net/ipv4/devinet.c:278 inetdev_event+0xa8a/0x15d0 net/ipv4/devinet.c:1532 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919 call_netdevice_notifiers_extack net/core/dev.c:1931 [inline] call_netdevice_notifiers net/core/dev.c:1945 [inline] register_netdevice+0x1073/0x1500 net/core/dev.c:9698 veth_newlink+0x59c/0xa90 drivers/net/veth.c:1722 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3404 release_pages+0x748/0x1220 mm/swap.c:956 tlb_batch_pages_flush mm/mmu_gather.c:50 [inline] tlb_flush_mmu_free mm/mmu_gather.c:243 [inline] tlb_flush_mmu+0xe9/0x6b0 mm/mmu_gather.c:250 zap_pte_range mm/memory.c:1441 [inline] zap_pmd_range mm/memory.c:1490 [inline] zap_pud_range mm/memory.c:1519 [inline] zap_p4d_range mm/memory.c:1540 [inline] unmap_page_range+0x1d1d/0x2a30 mm/memory.c:1561 unmap_single_vma+0x198/0x310 mm/memory.c:1606 unmap_vmas+0x16b/0x2f0 mm/memory.c:1638 exit_mmap+0x201/0x670 mm/mmap.c:3178 __mmput+0x122/0x4b0 kernel/fork.c:1114 mmput+0x56/0x60 kernel/fork.c:1135 exit_mm kernel/exit.c:507 [inline] do_exit+0xa3c/0x2a30 kernel/exit.c:793 do_group_exit+0xd2/0x2f0 kernel/exit.c:935 __do_sys_exit_group kernel/exit.c:946 [inline] __se_sys_exit_group kernel/exit.c:944 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff8880985c4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880985c4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880985c4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880985c4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880985c4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Fixes: 470502de5bdb ("net: sched: unlock rules update API") Signed-off-by: Eric Dumazet Cc: Vlad Buslov Cc: Jiri Pirko Cc: Cong Wang Reported-by: syzbot Link: https://lore.kernel.org/r/20220131172018.3704490-1-eric.dumazet@gmail= .com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/sched/cls_api.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -1928,9 +1928,9 @@ static int tc_new_tfilter(struct sk_buff bool prio_allocate; u32 parent; u32 chain_index; - struct Qdisc *q =3D NULL; + struct Qdisc *q; struct tcf_chain_info chain_info; - struct tcf_chain *chain =3D NULL; + struct tcf_chain *chain; struct tcf_block *block; struct tcf_proto *tp; unsigned long cl; @@ -1958,6 +1958,8 @@ replay: tp =3D NULL; cl =3D 0; block =3D NULL; + q =3D NULL; + chain =3D NULL; =20 if (prio =3D=3D 0) { /* If no priority is provided by the user, @@ -2764,8 +2766,8 @@ static int tc_ctl_chain(struct sk_buff * struct tcmsg *t; u32 parent; u32 chain_index; - struct Qdisc *q =3D NULL; - struct tcf_chain *chain =3D NULL; + struct Qdisc *q; + struct tcf_chain *chain; struct tcf_block *block; unsigned long cl; int err; @@ -2775,6 +2777,7 @@ static int tc_ctl_chain(struct sk_buff * return -EPERM; =20 replay: + q =3D NULL; err =3D nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX, rtm_tca_policy, extack); if (err < 0) From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 84253C433F5 for ; Fri, 4 Feb 2022 09:21:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357414AbiBDJVK (ORCPT ); Fri, 4 Feb 2022 04:21:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60458 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357328AbiBDJU4 (ORCPT ); Fri, 4 Feb 2022 04:20:56 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2477CC06173D; Fri, 4 Feb 2022 01:20:56 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A5EB8615F4; Fri, 4 Feb 2022 09:20:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0B019C004E1; Fri, 4 Feb 2022 09:20:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966455; bh=Buyr2y4TEqLxbZmnYSPF0uitMkHzi9EYfbtbFaPM5As=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zc2asGB4NPIpzDr3ShJthHwBGDpaQ0ACGBzxl5pg59IYkFmSK+HQ+M4iX4wv2NrhB E3qS83WhyC7sTfWSTnJTbSbLPmt540bP1F6bCPOUE0h8auuRtI7Oh3hjvAQVBvKfd4 XoLIugsBAG62mcaLT0m/RjCj+tTdsfTlOXWr7DpM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , Jiri Pirko , Jakub Kicinski Subject: [PATCH 5.4 08/10] rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() Date: Fri, 4 Feb 2022 10:20:21 +0100 Message-Id: <20220204091912.593539145@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric Dumazet commit c6f6f2444bdbe0079e41914a35081530d0409963 upstream. While looking at one unrelated syzbot bug, I found the replay logic in __rtnl_newlink() to potentially trigger use-after-free. It is better to clear master_dev and m_ops inside the loop, in case we have to replay it. Fixes: ba7d49b1f0f8 ("rtnetlink: provide api for getting and setting slave = info") Signed-off-by: Eric Dumazet Cc: Jiri Pirko Link: https://lore.kernel.org/r/20220201012106.216495-1-eric.dumazet@gmail.= com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/core/rtnetlink.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -3022,8 +3022,8 @@ static int __rtnl_newlink(struct sk_buff struct nlattr *slave_attr[RTNL_SLAVE_MAX_TYPE + 1]; unsigned char name_assign_type =3D NET_NAME_USER; struct nlattr *linkinfo[IFLA_INFO_MAX + 1]; - const struct rtnl_link_ops *m_ops =3D NULL; - struct net_device *master_dev =3D NULL; + const struct rtnl_link_ops *m_ops; + struct net_device *master_dev; struct net *net =3D sock_net(skb->sk); const struct rtnl_link_ops *ops; struct nlattr *tb[IFLA_MAX + 1]; @@ -3063,6 +3063,8 @@ replay: dev =3D NULL; } =20 + master_dev =3D NULL; + m_ops =3D NULL; if (dev) { master_dev =3D netdev_master_upper_dev_get(dev); if (master_dev) From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B028C433F5 for ; Fri, 4 Feb 2022 09:21:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357456AbiBDJVQ (ORCPT ); Fri, 4 Feb 2022 04:21:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60478 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357355AbiBDJU7 (ORCPT ); Fri, 4 Feb 2022 04:20:59 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E936C061741; Fri, 4 Feb 2022 01:20:59 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id AC70D615DC; Fri, 4 Feb 2022 09:20:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 82921C004E1; Fri, 4 Feb 2022 09:20:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966458; bh=pe+rjSYtf6W6CfYVu9AZX/jgeU3hf3dspXjjWJn5qaM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QWvcOwnZHW6Q7WPppg4+pmfsxlfsgNA7qoYx/+l9ZkWRztIuUlNGqsiW+jJ2Pjk8U /1LU89LniRwRYBK/vBQ1mKhE/tEadLwcDiHgaq+3RsObt5MNcte2U/ptp+Dg2ONORV h1H0r/h/HlZ8b9Ue9eQxB4OolXx7Zg3HMX2c4qiE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tianchen Ding , Waiman Long , Tejun Heo Subject: [PATCH 5.4 09/10] cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() Date: Fri, 4 Feb 2022 10:20:22 +0100 Message-Id: <20220204091912.624395230@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Tianchen Ding commit c80d401c52a2d1baf2a5afeb06f0ffe678e56d23 upstream. subparts_cpus should be limited as a subset of cpus_allowed, but it is updated wrongly by using cpumask_andnot(). Use cpumask_and() instead to fix it. Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag") Signed-off-by: Tianchen Ding Reviewed-by: Waiman Long Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- kernel/cgroup/cpuset.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -1558,8 +1558,7 @@ static int update_cpumask(struct cpuset * Make sure that subparts_cpus is a subset of cpus_allowed. */ if (cs->nr_subparts_cpus) { - cpumask_andnot(cs->subparts_cpus, cs->subparts_cpus, - cs->cpus_allowed); + cpumask_and(cs->subparts_cpus, cs->subparts_cpus, cs->cpus_allowed); cs->nr_subparts_cpus =3D cpumask_weight(cs->subparts_cpus); } spin_unlock_irq(&callback_lock); From nobody Mon Jun 29 18:37:04 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5384DC433F5 for ; Fri, 4 Feb 2022 09:21:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1357477AbiBDJVS (ORCPT ); Fri, 4 Feb 2022 04:21:18 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:40376 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357371AbiBDJVC (ORCPT ); Fri, 4 Feb 2022 04:21:02 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 41BD1615C6; Fri, 4 Feb 2022 09:21:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 10EE1C004E1; Fri, 4 Feb 2022 09:21:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643966461; bh=8NajeQp6ilUXadJKo2K571oXpd6t9H5urZJb5mZn+Y8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yywlq7NN6dJbe5GrIUmYuhSy43htTX4KoGX1AW68qImp/8GWJ8E1qXncsaZMV6rL0 YoEtEYajae4DKzdZtgoMzvLT38mGmSgPIaCmkgJztAByV1AAK58QEKFtoYs7/TtbEQ 5yKh7Z8+xlL70sKQSjIgxmT5kleX6jOdbVBlDQEU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , Willem de Bruijn , syzbot , Jakub Kicinski Subject: [PATCH 5.4 10/10] af_packet: fix data-race in packet_setsockopt / packet_setsockopt Date: Fri, 4 Feb 2022 10:20:23 +0100 Message-Id: <20220204091912.655153755@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220204091912.329106021@linuxfoundation.org> References: <20220204091912.329106021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric Dumazet commit e42e70ad6ae2ae511a6143d2e8da929366e58bd9 upstream. When packet_setsockopt( PACKET_FANOUT_DATA ) reads po->fanout, no lock is held, meaning that another thread can change po->fanout. Given that po->fanout can only be set once during the socket lifetime (it is only cleared from fanout_release()), we can use READ_ONCE()/WRITE_ONCE() to document the race. BUG: KCSAN: data-race in packet_setsockopt / packet_setsockopt write to 0xffff88813ae8e300 of 8 bytes by task 14653 on cpu 0: fanout_add net/packet/af_packet.c:1791 [inline] packet_setsockopt+0x22fe/0x24a0 net/packet/af_packet.c:3931 __sys_setsockopt+0x209/0x2a0 net/socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [inline] __se_sys_setsockopt net/socket.c:2188 [inline] __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff88813ae8e300 of 8 bytes by task 14654 on cpu 1: packet_setsockopt+0x691/0x24a0 net/packet/af_packet.c:3935 __sys_setsockopt+0x209/0x2a0 net/socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [inline] __se_sys_setsockopt net/socket.c:2188 [inline] __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x0000000000000000 -> 0xffff888106f8c000 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 14654 Comm: syz-executor.3 Not tainted 5.16.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Goo= gle 01/01/2011 Fixes: 47dceb8ecdc1 ("packet: add classic BPF fanout mode") Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Reported-by: syzbot Link: https://lore.kernel.org/r/20220201022358.330621-1-eric.dumazet@gmail.= com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/packet/af_packet.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1729,7 +1729,10 @@ static int fanout_add(struct sock *sk, u err =3D -ENOSPC; if (refcount_read(&match->sk_ref) < PACKET_FANOUT_MAX) { __dev_remove_pack(&po->prot_hook); - po->fanout =3D match; + + /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */ + WRITE_ONCE(po->fanout, match); + po->rollover =3D rollover; rollover =3D NULL; refcount_set(&match->sk_ref, refcount_read(&match->sk_ref) + 1); @@ -3876,7 +3879,8 @@ packet_setsockopt(struct socket *sock, i } case PACKET_FANOUT_DATA: { - if (!po->fanout) + /* Paired with the WRITE_ONCE() in fanout_add() */ + if (!READ_ONCE(po->fanout)) return -EINVAL; =20 return fanout_set_data(po, optval, optlen);