Список изменений в Linux 5.4.177

 
af_packet: fix data-race in packet_setsockopt / packet_setsockopt [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jan 31 18:23:58 2022 -0800

    af_packet: fix data-race in packet_setsockopt / packet_setsockopt
    
    commit e42e70ad6ae2ae511a6143d2e8da929366e58bd9 upstream.
    
    When packet_setsockopt( PACKET_FANOUT_DATA ) reads po->fanout,
    no lock is held, meaning that another thread can change po->fanout.
    
    Given that po->fanout can only be set once during the socket lifetime
    (it is only cleared from fanout_release()), we can use
    READ_ONCE()/WRITE_ONCE() to document the race.
    
    BUG: KCSAN: data-race in packet_setsockopt / packet_setsockopt
    
    write to 0xffff88813ae8e300 of 8 bytes by task 14653 on cpu 0:
     fanout_add net/packet/af_packet.c:1791 [inline]
     packet_setsockopt+0x22fe/0x24a0 net/packet/af_packet.c:3931
     __sys_setsockopt+0x209/0x2a0 net/socket.c:2180
     __do_sys_setsockopt net/socket.c:2191 [inline]
     __se_sys_setsockopt net/socket.c:2188 [inline]
     __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    read to 0xffff88813ae8e300 of 8 bytes by task 14654 on cpu 1:
     packet_setsockopt+0x691/0x24a0 net/packet/af_packet.c:3935
     __sys_setsockopt+0x209/0x2a0 net/socket.c:2180
     __do_sys_setsockopt net/socket.c:2191 [inline]
     __se_sys_setsockopt net/socket.c:2188 [inline]
     __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    value changed: 0x0000000000000000 -> 0xffff888106f8c000
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 1 PID: 14654 Comm: syz-executor.3 Not tainted 5.16.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    
    Fixes: 47dceb8ecdc1 ("packet: add classic BPF fanout mode")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Link: https://lore.kernel.org/r/20220201022358.330621-1-eric.dumazet@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
cgroup-v1: Require capabilities to set release_agent [+ + +]
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Jan 20 11:04:01 2022 -0600

    cgroup-v1: Require capabilities to set release_agent
    
    commit 24f6008564183aa120d07c03d9289519c2fe02af upstream.
    
    The cgroup release_agent is called with call_usermodehelper.  The function
    call_usermodehelper starts the release_agent with a full set fo capabilities.
    Therefore require capabilities when setting the release_agaent.
    
    Reported-by: Tabitha Sable <tabitha.c.sable@gmail.com>
    Tested-by: Tabitha Sable <tabitha.c.sable@gmail.com>
    Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
    Cc: stable@vger.kernel.org # v2.6.24+
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() [+ + +]
Author: Tianchen Ding <dtcccc@linux.alibaba.com>
Date:   Tue Jan 18 18:05:18 2022 +0800

    cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask()
    
    commit c80d401c52a2d1baf2a5afeb06f0ffe678e56d23 upstream.
    
    subparts_cpus should be limited as a subset of cpus_allowed, but it is
    updated wrongly by using cpumask_andnot(). Use cpumask_and() instead to
    fix it.
    
    Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag")
    Signed-off-by: Tianchen Ding <dtcccc@linux.alibaba.com>
    Reviewed-by: Waiman Long <longman@redhat.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback [+ + +]
Author: Georgi Valkov <gvalkov@abv.bg>
Date:   Tue Feb 1 08:16:18 2022 +0100

    ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback
    
    commit 63e4b45c82ed1bde979da7052229a4229ce9cabf upstream.
    
    When rx_buf is allocated we need to account for IPHETH_IP_ALIGN,
    which reduces the usable size by 2 bytes. Otherwise we have 1512
    bytes usable instead of 1514, and if we receive more than 1512
    bytes, ipheth_rcvbulk_callback is called with status -EOVERFLOW,
    after which the driver malfunctiones and all communication stops.
    
    Resolves ipheth 2-1:4.2: ipheth_rcvbulk_callback: urb status: -75
    
    Fixes: f33d9e2b48a3 ("usbnet: ipheth: fix connectivity with iOS 14")
    Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
    Tested-by: Jan Kiszka <jan.kiszka@siemens.com>
    Link: https://lore.kernel.org/all/B60B8A4B-92A0-49B3-805D-809A2433B46C@abv.bg/
    Link: https://lore.kernel.org/all/24851bd2769434a5fc24730dce8e8a984c5a4505.1643699778.git.jan.kiszka@siemens.com/
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 5.4.177 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Feb 5 12:35:37 2022 +0100

    Linux 5.4.177
    
    Link: https://lore.kernel.org/r/20220204091912.329106021@linuxfoundation.org
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Slade Watkins <slade@sladewatkins.com>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net: amd-xgbe: ensure to reset the tx_timer_active flag [+ + +]
Author: Raju Rangoju <Raju.Rangoju@amd.com>
Date:   Thu Jan 27 11:32:22 2022 +0530

    net: amd-xgbe: ensure to reset the tx_timer_active flag
    
    commit 7674b7b559b683478c3832527c59bceb169e701d upstream.
    
    Ensure to reset the tx_timer_active flag in xgbe_stop(),
    otherwise a port restart may result in tx timeout due to
    uncleared flag.
    
    Fixes: c635eaacbf77 ("amd-xgbe: Remove Tx coalescing")
    Co-developed-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
    Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
    Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
    Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
    Link: https://lore.kernel.org/r/20220127060222.453371-1-Raju.Rangoju@amd.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: amd-xgbe: Fix skb data length underflow [+ + +]
Author: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Date:   Thu Jan 27 14:50:03 2022 +0530

    net: amd-xgbe: Fix skb data length underflow
    
    commit 5aac9108a180fc06e28d4e7fb00247ce603b72ee upstream.
    
    There will be BUG_ON() triggered in include/linux/skbuff.h leading to
    intermittent kernel panic, when the skb length underflow is detected.
    
    Fix this by dropping the packet if such length underflows are seen
    because of inconsistencies in the hardware descriptors.
    
    Fixes: 622c36f143fc ("amd-xgbe: Fix jumbo MTU processing on newer hardware")
    Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
    Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
    Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
    Link: https://lore.kernel.org/r/20220127092003.2812745-1-Shyam-sundar.S-k@amd.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: sched: fix use-after-free in tc_new_tfilter() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jan 31 09:20:18 2022 -0800

    net: sched: fix use-after-free in tc_new_tfilter()
    
    commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5 upstream.
    
    Whenever tc_new_tfilter() jumps back to replay: label,
    we need to make sure @q and @chain local variables are cleared again,
    or risk use-after-free as in [1]
    
    For consistency, apply the same fix in tc_ctl_chain()
    
    BUG: KASAN: use-after-free in mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581
    Write of size 8 at addr ffff8880985c4b08 by task syz-executor.4/1945
    
    CPU: 0 PID: 1945 Comm: syz-executor.4 Not tainted 5.17.0-rc1-syzkaller-00495-gff58831fa02d #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
     print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
     __kasan_report mm/kasan/report.c:442 [inline]
     kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
     mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581
     tcf_chain_head_change_item net/sched/cls_api.c:372 [inline]
     tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:386
     tcf_chain_tp_insert net/sched/cls_api.c:1657 [inline]
     tcf_chain_tp_insert_unique net/sched/cls_api.c:1707 [inline]
     tc_new_tfilter+0x1e67/0x2350 net/sched/cls_api.c:2086
     rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583
     netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
     netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
     netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343
     netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919
     sock_sendmsg_nosec net/socket.c:705 [inline]
     sock_sendmsg+0xcf/0x120 net/socket.c:725
     ____sys_sendmsg+0x331/0x810 net/socket.c:2413
     ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
     __sys_sendmmsg+0x195/0x470 net/socket.c:2553
     __do_sys_sendmmsg net/socket.c:2582 [inline]
     __se_sys_sendmmsg net/socket.c:2579 [inline]
     __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f2647172059
    Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f2645aa5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
    RAX: ffffffffffffffda RBX: 00007f2647285100 RCX: 00007f2647172059
    RDX: 040000000000009f RSI: 00000000200002c0 RDI: 0000000000000006
    RBP: 00007f26471cc08d R08: 0000000000000000 R09: 0000000000000000
    R10: 9e00000000000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 00007fffb3f7f02f R14: 00007f2645aa5300 R15: 0000000000022000
     </TASK>
    
    Allocated by task 1944:
     kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
     kasan_set_track mm/kasan/common.c:45 [inline]
     set_alloc_info mm/kasan/common.c:436 [inline]
     ____kasan_kmalloc mm/kasan/common.c:515 [inline]
     ____kasan_kmalloc mm/kasan/common.c:474 [inline]
     __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
     kmalloc_node include/linux/slab.h:604 [inline]
     kzalloc_node include/linux/slab.h:726 [inline]
     qdisc_alloc+0xac/0xa10 net/sched/sch_generic.c:941
     qdisc_create.constprop.0+0xce/0x10f0 net/sched/sch_api.c:1211
     tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660
     rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5592
     netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
     netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
     netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343
     netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919
     sock_sendmsg_nosec net/socket.c:705 [inline]
     sock_sendmsg+0xcf/0x120 net/socket.c:725
     ____sys_sendmsg+0x331/0x810 net/socket.c:2413
     ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
     __sys_sendmmsg+0x195/0x470 net/socket.c:2553
     __do_sys_sendmmsg net/socket.c:2582 [inline]
     __se_sys_sendmmsg net/socket.c:2579 [inline]
     __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Freed by task 3609:
     kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
     kasan_set_track+0x21/0x30 mm/kasan/common.c:45
     kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
     ____kasan_slab_free mm/kasan/common.c:366 [inline]
     ____kasan_slab_free+0x130/0x160 mm/kasan/common.c:328
     kasan_slab_free include/linux/kasan.h:236 [inline]
     slab_free_hook mm/slub.c:1728 [inline]
     slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
     slab_free mm/slub.c:3509 [inline]
     kfree+0xcb/0x280 mm/slub.c:4562
     rcu_do_batch kernel/rcu/tree.c:2527 [inline]
     rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778
     __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
    
    Last potentially related work creation:
     kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
     __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
     __call_rcu kernel/rcu/tree.c:3026 [inline]
     call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
     qdisc_put_unlocked+0x6f/0x90 net/sched/sch_generic.c:1109
     tcf_block_release+0x86/0x90 net/sched/cls_api.c:1238
     tc_new_tfilter+0xc0d/0x2350 net/sched/cls_api.c:2148
     rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583
     netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
     netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
     netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343
     netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919
     sock_sendmsg_nosec net/socket.c:705 [inline]
     sock_sendmsg+0xcf/0x120 net/socket.c:725
     ____sys_sendmsg+0x331/0x810 net/socket.c:2413
     ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
     __sys_sendmmsg+0x195/0x470 net/socket.c:2553
     __do_sys_sendmmsg net/socket.c:2582 [inline]
     __se_sys_sendmmsg net/socket.c:2579 [inline]
     __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    The buggy address belongs to the object at ffff8880985c4800
     which belongs to the cache kmalloc-1k of size 1024
    The buggy address is located 776 bytes inside of
     1024-byte region [ffff8880985c4800, ffff8880985c4c00)
    The buggy address belongs to the page:
    page:ffffea0002617000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x985c0
    head:ffffea0002617000 order:3 compound_mapcount:0 compound_pincount:0
    flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
    raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c41dc0
    raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as allocated
    page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 1941, ts 1038999441284, free_ts 1033444432829
     prep_new_page mm/page_alloc.c:2434 [inline]
     get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
     __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
     alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
     alloc_slab_page mm/slub.c:1799 [inline]
     allocate_slab mm/slub.c:1944 [inline]
     new_slab+0x28a/0x3b0 mm/slub.c:2004
     ___slab_alloc+0x87c/0xe90 mm/slub.c:3018
     __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
     slab_alloc_node mm/slub.c:3196 [inline]
     slab_alloc mm/slub.c:3238 [inline]
     __kmalloc+0x2fb/0x340 mm/slub.c:4420
     kmalloc include/linux/slab.h:586 [inline]
     kzalloc include/linux/slab.h:715 [inline]
     __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1335
     neigh_sysctl_register+0x2c8/0x5e0 net/core/neighbour.c:3787
     devinet_sysctl_register+0xb1/0x230 net/ipv4/devinet.c:2618
     inetdev_init+0x286/0x580 net/ipv4/devinet.c:278
     inetdev_event+0xa8a/0x15d0 net/ipv4/devinet.c:1532
     notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
     call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919
     call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
     call_netdevice_notifiers net/core/dev.c:1945 [inline]
     register_netdevice+0x1073/0x1500 net/core/dev.c:9698
     veth_newlink+0x59c/0xa90 drivers/net/veth.c:1722
    page last free stack trace:
     reset_page_owner include/linux/page_owner.h:24 [inline]
     free_pages_prepare mm/page_alloc.c:1352 [inline]
     free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
     free_unref_page_prepare mm/page_alloc.c:3325 [inline]
     free_unref_page+0x19/0x690 mm/page_alloc.c:3404
     release_pages+0x748/0x1220 mm/swap.c:956
     tlb_batch_pages_flush mm/mmu_gather.c:50 [inline]
     tlb_flush_mmu_free mm/mmu_gather.c:243 [inline]
     tlb_flush_mmu+0xe9/0x6b0 mm/mmu_gather.c:250
     zap_pte_range mm/memory.c:1441 [inline]
     zap_pmd_range mm/memory.c:1490 [inline]
     zap_pud_range mm/memory.c:1519 [inline]
     zap_p4d_range mm/memory.c:1540 [inline]
     unmap_page_range+0x1d1d/0x2a30 mm/memory.c:1561
     unmap_single_vma+0x198/0x310 mm/memory.c:1606
     unmap_vmas+0x16b/0x2f0 mm/memory.c:1638
     exit_mmap+0x201/0x670 mm/mmap.c:3178
     __mmput+0x122/0x4b0 kernel/fork.c:1114
     mmput+0x56/0x60 kernel/fork.c:1135
     exit_mm kernel/exit.c:507 [inline]
     do_exit+0xa3c/0x2a30 kernel/exit.c:793
     do_group_exit+0xd2/0x2f0 kernel/exit.c:935
     __do_sys_exit_group kernel/exit.c:946 [inline]
     __se_sys_exit_group kernel/exit.c:944 [inline]
     __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Memory state around the buggy address:
     ffff8880985c4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8880985c4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff8880985c4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                          ^
     ffff8880985c4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8880985c4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    
    Fixes: 470502de5bdb ("net: sched: unlock rules update API")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Vlad Buslov <vladbu@mellanox.com>
    Cc: Jiri Pirko <jiri@mellanox.com>
    Cc: Cong Wang <xiyou.wangcong@gmail.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Link: https://lore.kernel.org/r/20220131172018.3704490-1-eric.dumazet@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
PCI: pciehp: Fix infinite loop in IRQ handler upon power fault [+ + +]
Author: Lukas Wunner <lukas@wunner.de>
Date:   Wed Nov 17 23:22:09 2021 +0100

    PCI: pciehp: Fix infinite loop in IRQ handler upon power fault
    
    commit 23584c1ed3e15a6f4bfab8dc5a88d94ab929ee12 upstream.
    
    The Power Fault Detected bit in the Slot Status register differs from
    all other hotplug events in that it is sticky:  It can only be cleared
    after turning off slot power.  Per PCIe r5.0, sec. 6.7.1.8:
    
      If a power controller detects a main power fault on the hot-plug slot,
      it must automatically set its internal main power fault latch [...].
      The main power fault latch is cleared when software turns off power to
      the hot-plug slot.
    
    The stickiness used to cause interrupt storms and infinite loops which
    were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault
    interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable
    software notification on empty slots").
    
    Unfortunately in 2020 the infinite loop issue was inadvertently
    reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt
    race"):  The hardirq handler pciehp_isr() clears the PFD bit until
    pciehp's power_fault_detected flag is set.  That happens in the IRQ
    thread pciehp_ist(), which never learns of the event because the hardirq
    handler is stuck in an infinite loop.  Fix by setting the
    power_fault_detected flag already in the hardirq handler.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=214989
    Link: https://lore.kernel.org/linux-pci/DM8PR11MB5702255A6A92F735D90A4446868B9@DM8PR11MB5702.namprd11.prod.outlook.com
    Fixes: 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race")
    Link: https://lore.kernel.org/r/66eaeef31d4997ceea357ad93259f290ededecfd.1637187226.git.lukas@wunner.de
    Reported-by: Joseph Bao <joseph.bao@intel.com>
    Tested-by: Joseph Bao <joseph.bao@intel.com>
    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org # v4.19+
    Cc: Stuart Hayes <stuart.w.hayes@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
psi: Fix uaf issue when psi trigger is destroyed while being polled [+ + +]
Author: Suren Baghdasaryan <surenb@google.com>
Date:   Tue Jan 11 15:23:09 2022 -0800

    psi: Fix uaf issue when psi trigger is destroyed while being polled
    
    commit a06247c6804f1a7c86a2e5398a4c1f1db1471848 upstream.
    
    With write operation on psi files replacing old trigger with a new one,
    the lifetime of its waitqueue is totally arbitrary. Overwriting an
    existing trigger causes its waitqueue to be freed and pending poll()
    will stumble on trigger->event_wait which was destroyed.
    Fix this by disallowing to redefine an existing psi trigger. If a write
    operation is used on a file descriptor with an already existing psi
    trigger, the operation will fail with EBUSY error.
    Also bypass a check for psi_disabled in the psi_trigger_destroy as the
    flag can be flipped after the trigger is created, leading to a memory
    leak.
    
    Fixes: 0e94682b73bf ("psi: introduce psi monitor")
    Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Analyzed-by: Eric Biggers <ebiggers@kernel.org>
    Signed-off-by: Suren Baghdasaryan <surenb@google.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20220111232309.1786347-1-surenb@google.com
    [surenb: backported to 5.4 kernel]
    CC: stable@vger.kernel.org # 5.4
    Signed-off-by: Suren Baghdasaryan <surenb@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jan 31 17:21:06 2022 -0800

    rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()
    
    commit c6f6f2444bdbe0079e41914a35081530d0409963 upstream.
    
    While looking at one unrelated syzbot bug, I found the replay logic
    in __rtnl_newlink() to potentially trigger use-after-free.
    
    It is better to clear master_dev and m_ops inside the loop,
    in case we have to replay it.
    
    Fixes: ba7d49b1f0f8 ("rtnetlink: provide api for getting and setting slave info")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Jiri Pirko <jiri@nvidia.com>
    Link: https://lore.kernel.org/r/20220201012106.216495-1-eric.dumazet@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>