January 2025 - Linux-stable-mirror

[PATCH 3/3] accel/ivpu: Fix error handling in recovery/reset

by Jacek Lawrynowicz

Disable runtime PM for the duration of reset/recovery so it is possible to set the correct runtime PM state depending on the outcome of the `ivpu_resume()`. Don’t suspend or reset the HW if the NPU is suspended when the reset/recovery is requested. Also, move common reset/recovery code to separate functions for better code readability. Fixes: 27d19268cf39 ("accel/ivpu: Improve recovery and reset support") Cc: <stable(a)vger.kernel.org> # v6.8+ Reviewed-by: Maciej Falkowski <maciej.falkowski(a)linux.intel.com> Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_pm.c | 79 ++++++++++++++++++++---------------- 1 file changed, 43 insertions(+), 36 deletions(-) diff --git a/drivers/accel/ivpu/ivpu_pm.c b/drivers/accel/ivpu/ivpu_pm.c index c3774d2221326..8b2b050cc41a9 100644 --- a/drivers/accel/ivpu/ivpu_pm.c +++ b/drivers/accel/ivpu/ivpu_pm.c @@ -115,41 +115,57 @@ static int ivpu_resume(struct ivpu_device *vdev) return ret; } -static void ivpu_pm_recovery_work(struct work_struct *work) +static void ivpu_pm_reset_begin(struct ivpu_device *vdev) { - struct ivpu_pm_info *pm = container_of(work, struct ivpu_pm_info, recovery_work); - struct ivpu_device *vdev = pm->vdev; - char *evt[2] = {"IVPU_PM_EVENT=IVPU_RECOVER", NULL}; - int ret; - - ivpu_err(vdev, "Recovering the NPU (reset #%d)\n", atomic_read(&vdev->pm->reset_counter)); - - ret = pm_runtime_resume_and_get(vdev->drm.dev); - if (ret) - ivpu_err(vdev, "Failed to resume NPU: %d\n", ret); - - ivpu_jsm_state_dump(vdev); - ivpu_dev_coredump(vdev); + pm_runtime_disable(vdev->drm.dev); atomic_inc(&vdev->pm->reset_counter); atomic_set(&vdev->pm->reset_pending, 1); down_write(&vdev->pm->reset_lock); +} + +static void ivpu_pm_reset_complete(struct ivpu_device *vdev) +{ + int ret; - ivpu_suspend(vdev); ivpu_pm_prepare_cold_boot(vdev); ivpu_jobs_abort_all(vdev); ivpu_ms_cleanup_all(vdev); ret = ivpu_resume(vdev); - if (ret) + if (ret) { ivpu_err(vdev, "Failed to resume NPU: %d\n", ret); + pm_runtime_set_suspended(vdev->drm.dev); + } else { + pm_runtime_set_active(vdev->drm.dev); + } up_write(&vdev->pm->reset_lock); atomic_set(&vdev->pm->reset_pending, 0); - kobject_uevent_env(&vdev->drm.dev->kobj, KOBJ_CHANGE, evt); pm_runtime_mark_last_busy(vdev->drm.dev); - pm_runtime_put_autosuspend(vdev->drm.dev); + pm_runtime_enable(vdev->drm.dev); +} + +static void ivpu_pm_recovery_work(struct work_struct *work) +{ + struct ivpu_pm_info *pm = container_of(work, struct ivpu_pm_info, recovery_work); + struct ivpu_device *vdev = pm->vdev; + char *evt[2] = {"IVPU_PM_EVENT=IVPU_RECOVER", NULL}; + + ivpu_err(vdev, "Recovering the NPU (reset #%d)\n", atomic_read(&vdev->pm->reset_counter)); + + ivpu_pm_reset_begin(vdev); + + if (!pm_runtime_status_suspended(vdev->drm.dev)) { + ivpu_jsm_state_dump(vdev); + ivpu_dev_coredump(vdev); + ivpu_suspend(vdev); + } + + ivpu_pm_reset_complete(vdev); + + kobject_uevent_env(&vdev->drm.dev->kobj, KOBJ_CHANGE, evt); } void ivpu_pm_trigger_recovery(struct ivpu_device *vdev, const char *reason) @@ -328,16 +344,13 @@ void ivpu_pm_reset_prepare_cb(struct pci_dev *pdev) struct ivpu_device *vdev = pci_get_drvdata(pdev); ivpu_dbg(vdev, PM, "Pre-reset..\n"); - atomic_inc(&vdev->pm->reset_counter); - atomic_set(&vdev->pm->reset_pending, 1); - pm_runtime_get_sync(vdev->drm.dev); - down_write(&vdev->pm->reset_lock); - ivpu_prepare_for_reset(vdev); - ivpu_hw_reset(vdev); - ivpu_pm_prepare_cold_boot(vdev); - ivpu_jobs_abort_all(vdev); - ivpu_ms_cleanup_all(vdev); + ivpu_pm_reset_begin(vdev); + + if (!pm_runtime_status_suspended(vdev->drm.dev)) { + ivpu_prepare_for_reset(vdev); + ivpu_hw_reset(vdev); + } ivpu_dbg(vdev, PM, "Pre-reset done.\n"); } @@ -345,18 +358,12 @@ void ivpu_pm_reset_prepare_cb(struct pci_dev *pdev) void ivpu_pm_reset_done_cb(struct pci_dev *pdev) { struct ivpu_device *vdev = pci_get_drvdata(pdev); - int ret; ivpu_dbg(vdev, PM, "Post-reset..\n"); - ret = ivpu_resume(vdev); - if (ret) - ivpu_err(vdev, "Failed to set RESUME state: %d\n", ret); - up_write(&vdev->pm->reset_lock); - atomic_set(&vdev->pm->reset_pending, 0); - ivpu_dbg(vdev, PM, "Post-reset done.\n"); - pm_runtime_mark_last_busy(vdev->drm.dev); - pm_runtime_put_autosuspend(vdev->drm.dev); + ivpu_pm_reset_complete(vdev); + + ivpu_dbg(vdev, PM, "Post-reset done.\n"); } void ivpu_pm_init(struct ivpu_device *vdev) -- 2.45.1

9 months

2
1
0 0

[PATCH 2/3] accel/ivpu: Clear runtime_error after pm_runtime_resume_and_get() fails

by Jacek Lawrynowicz

pm_runtime_resume_and_get() sets dev->power.runtime_error that causes all subsequent pm_runtime_get_sync() calls to fail. Clear the runtime_error using pm_runtime_set_suspended(), so the driver doesn't have to be reloaded to recover when the NPU fails to boot during runtime resume. Fixes: 7d4b4c74432d ("accel/ivpu: Remove suspend_reschedule_counter") Cc: <stable(a)vger.kernel.org> # v6.11+ Reviewed-by: Maciej Falkowski <maciej.falkowski(a)linux.intel.com> Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_pm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/accel/ivpu/ivpu_pm.c b/drivers/accel/ivpu/ivpu_pm.c index 949f4233946c6..c3774d2221326 100644 --- a/drivers/accel/ivpu/ivpu_pm.c +++ b/drivers/accel/ivpu/ivpu_pm.c @@ -309,7 +309,10 @@ int ivpu_rpm_get(struct ivpu_device *vdev) int ret; ret = pm_runtime_resume_and_get(vdev->drm.dev); - drm_WARN_ON(&vdev->drm, ret < 0); + if (ret < 0) { + ivpu_err(vdev, "Failed to resume NPU: %d\n", ret); + pm_runtime_set_suspended(vdev->drm.dev); + } return ret; } -- 2.45.1

9 months

2
1
0 0

[PATCH 1/3] accel/ivpu: Fix error handling in ivpu_boot()

by Jacek Lawrynowicz

Ensure IRQs and IPC are properly disabled if HW sched or DCT initialization fails. Fixes: cc3c72c7e610 ("accel/ivpu: Refactor failure diagnostics during boot") Cc: <stable(a)vger.kernel.org> # v6.13+ Reviewed-by: Karol Wachowski <karol.wachowski(a)intel.com> Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_drv.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c index ca2bf47ce2484..0c4a82271c26d 100644 --- a/drivers/accel/ivpu/ivpu_drv.c +++ b/drivers/accel/ivpu/ivpu_drv.c @@ -397,15 +397,19 @@ int ivpu_boot(struct ivpu_device *vdev) if (ivpu_fw_is_cold_boot(vdev)) { ret = ivpu_pm_dct_init(vdev); if (ret) - goto err_diagnose_failure; + goto err_disable_ipc; ret = ivpu_hw_sched_init(vdev); if (ret) - goto err_diagnose_failure; + goto err_disable_ipc; } return 0; +err_disable_ipc: + ivpu_ipc_disable(vdev); + ivpu_hw_irq_disable(vdev); + disable_irq(vdev->irq); err_diagnose_failure: ivpu_hw_diagnose_failure(vdev); ivpu_mmu_evtq_dump(vdev); -- 2.45.1

9 months

2
1
0 0

[PATCH v2] jiffies: Cast to unsigned long for secs_to_jiffies() conversion

by Easwar Hariharan

While converting users of msecs_to_jiffies(), lkp reported that some range checks would always be true because of the mismatch between the implied int value of secs_to_jiffies() vs the unsigned long return value of the msecs_to_jiffies() calls it was replacing. Fix this by casting secs_to_jiffies() values as unsigned long. Fixes: b35108a51cf7ba ("jiffies: Define secs_to_jiffies()") CC: stable(a)vger.kernel.org # 6.13+ CC: Andrew Morton <akpm(a)linux-foundation.org> Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202501301334.NB6NszQR-lkp@intel.com/ Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> --- include/linux/jiffies.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h index ed945f42e064..0ea8c9887429 100644 --- a/include/linux/jiffies.h +++ b/include/linux/jiffies.h @@ -537,7 +537,7 @@ static __always_inline unsigned long msecs_to_jiffies(const unsigned int m) * * Return: jiffies value */ -#define secs_to_jiffies(_secs) ((_secs) * HZ) +#define secs_to_jiffies(_secs) (unsigned long)((_secs) * HZ) extern unsigned long __usecs_to_jiffies(const unsigned int u); #if !(USEC_PER_SEC % HZ) -- 2.43.0

9 months

4
5
0 0

[PATCH] arm64: Move storage of idreg overrides into mmuoff section

by Oliver Upton

There are a few places where the idreg overrides are read w/ the MMU off, for example the VHE and hVHE checks in __finalise_el2. And while the infrastructure gets this _mostly_ right (i.e. does the appropriate cache maintenance), the placement of the data itself is problematic and could share a cache line with something else. Depending on how unforgiving an implementation's handling of mismatched attributes is, this could lead to data corruption. In one observed case, the system_cpucaps shared a line with arm64_sw_feature_override and the cpucaps got nuked after entering the hyp stub... Even though only a few overrides are read without the MMU on, just throw the whole lot into the mmuoff section and be done with it. Cc: stable(a)vger.kernel.org # v5.15+ Tested-by: Moritz Fischer <moritzf(a)google.com> Tested-by: Pedro Martelletto <martelletto(a)google.com> Reported-by: Jon Masters <jonmasters(a)google.com> Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev> --- arch/arm64/kernel/cpufeature.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index d41128e37701..92506d9f90db 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -755,17 +755,20 @@ static const struct arm64_ftr_bits ftr_raz[] = { #define ARM64_FTR_REG(id, table) \ __ARM64_FTR_REG_OVERRIDE(#id, id, table, &no_override) -struct arm64_ftr_override id_aa64mmfr0_override; -struct arm64_ftr_override id_aa64mmfr1_override; -struct arm64_ftr_override id_aa64mmfr2_override; -struct arm64_ftr_override id_aa64pfr0_override; -struct arm64_ftr_override id_aa64pfr1_override; -struct arm64_ftr_override id_aa64zfr0_override; -struct arm64_ftr_override id_aa64smfr0_override; -struct arm64_ftr_override id_aa64isar1_override; -struct arm64_ftr_override id_aa64isar2_override; - -struct arm64_ftr_override arm64_sw_feature_override; +#define DEFINE_FTR_OVERRIDE(name) \ + struct arm64_ftr_override __section(".mmuoff.data.read") name + +DEFINE_FTR_OVERRIDE(id_aa64mmfr0_override); +DEFINE_FTR_OVERRIDE(id_aa64mmfr1_override); +DEFINE_FTR_OVERRIDE(id_aa64mmfr2_override); +DEFINE_FTR_OVERRIDE(id_aa64pfr0_override); +DEFINE_FTR_OVERRIDE(id_aa64pfr1_override); +DEFINE_FTR_OVERRIDE(id_aa64zfr0_override); +DEFINE_FTR_OVERRIDE(id_aa64smfr0_override); +DEFINE_FTR_OVERRIDE(id_aa64isar1_override); +DEFINE_FTR_OVERRIDE(id_aa64isar2_override); + +DEFINE_FTR_OVERRIDE(arm64_sw_feature_override); static const struct __ftr_reg_entry { u32 sys_id; base-commit: 1dd3393696efba1598aa7692939bba99d0cffae3 -- 2.39.5

9 months

3
3
0 0

[PATCH 5.4 00/91] 5.4.290-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.290 release. There are 91 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 01 Feb 2025 14:01:13 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.290-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.290-rc1 Jack Greiner <jack(a)emoss.org> Input: xpad - add support for wooting two he (arm) Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - add unofficial Xbox 360 wireless receiver clone Mark Pearson <mpearson-lenovo(a)squebb.ca> Input: atkbd - map F23 key to support default copilot shortcut Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Qasim Ijaz <qasdev00(a)gmail.com> USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_split_extent_at() Theodore Ts'o <tytso(a)mit.edu> ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path Alex Williamson <alex.williamson(a)redhat.com> vfio/platform: check the bounds of read/write syscalls Jeongjun Park <aha310510(a)gmail.com> net/xen-netback: prevent UAF in xenvif_flush_hash() Madhuparna Bhowmik <madhuparnabhowmik04(a)gmail.com> net: xen-netback: hash.c: Use built-in RCU list checking Eric W. Biederman <ebiederm(a)xmission.com> signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die Liam Howlett <liam.howlett(a)oracle.com> m68k: Add missing mmap_read_lock() to sys_cacheflush() Al Viro <viro(a)zeniv.linux.org.uk> m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Philippe Simons <simons.philippe(a)gmail.com> irqchip/sunxi-nmi: Add missing SKIP_WAKE flag Xiang Zhang <hawkxiang.cpp(a)gmail.com> scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8994: Add depends on MFD core Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Suraj Sonawane <surajsonawane0215(a)gmail.com> scsi: sg: Fix slab-use-after-free read in sg_release() Eric Dumazet <edumazet(a)google.com> ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Eric Dumazet <edumazet(a)google.com> gtp: use exit_batch_rtnl() method Eric Dumazet <edumazet(a)google.com> net: add exit_batch_rtnl() method Yajun Deng <yajun.deng(a)linux.dev> net: net_namespace: Optimize the code Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Anup Patel <anup.patel(a)wdc.com> RISC-V: Don't enable all interrupts in trap_init() Paul Walmsley <paul.walmsley(a)sifive.com> riscv: prefix IRQ_ macro names with an RV_ namespace Nam Cao <namcao(a)linutronix.de> riscv: Fix sleeping in invalid context in die() Mattias Nissler <mnissler(a)rivosinc.com> riscv: Avoid enabling interrupts in die() Palmer Dabbelt <palmer(a)rivosinc.com> RISC-V: Avoid dereferening NULL regs in die() Rouven Czerwinski <rouven(a)czerwinskis.de> riscv: remove unused handle_exception symbol Christoph Hellwig <hch(a)lst.de> riscv: abstract out CSR names for supervisor vs machine mode Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: rto_min/max: avoid using current->nsproxy Dennis Lam <dennis.lamerice(a)gmail.com> ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: correct return value of ocfs2_local_free_info() Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider Vinod Koul <vkoul(a)kernel.org> phy: core: fix code style in devm_of_phy_provider_unregister Peter Geis <pgwipeout(a)gmail.com> arm64: dts: rockchip: add hevc power domain clock to rk3328 Johan Jonker <jbx6244(a)gmail.com> arm64: dts: rockchip: add #power-domain-cells to power domain nodes Johan Jonker <jbx6244(a)gmail.com> arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399 Johan Jonker <jbx6244(a)gmail.com> arm64: dts: rockchip: fix defines in pd_vio node for rk3399 Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: inkern: call iio_device_put() only on mapped devices Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: adc: at91: call input_free_device() on allocated iio_dev Fabio Estevam <festevam(a)gmail.com> iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Carlos Song <carlos.song(a)nxp.com> iio: gyro: fxas21002c: Fix missing data update in trigger handler Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: imu: kmx61: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: vcnl4035: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: pressure: zpa2326: fix information leak in triggered buffer Akash M <akash.m5(a)samsung.com> usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Ma Ke <make_ruc2021(a)163.com> usb: fix reference leak in usb_new_device() Kai-Heng Feng <kaihengf(a)nvidia.com> USB: core: Disable LPM only for non-suspended ports Jun Yan <jerrysteve1101(a)gmail.com> USB: usblp: return error when setting unsupported protocol Lianqin Hu <hulianqin(a)vivo.com> usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add Phoenix Contact UPS Device Lubomir Rintel <lrintel(a)redhat.com> usb-storage: Add max sectors quirk for Nokia 208 Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9832: Correct phase range check Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9834: Correct phase range check Michal Hrusecky <michal.hrusecky(a)turris.com> USB: serial: option: add Neoway N723-EA support Chukun Pan <amadeus(a)jmu.edu.cn> USB: serial: option: add MeiG Smart SRM815 Melissa Wen <mwen(a)igalia.com> drm/amd/display: increase MAX_SURFACES to the value supported by hw Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Roman Li <Roman.Li(a)amd.com> drm/amd/display: Add check for granularity in dml ceil/floor helpers Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: auth_enable: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Krister Johansen <kjlx(a)templeofstupid.com> dm thin: make get_first_thin use rcu-safe list first function Benjamin Coddington <bcodding(a)redhat.com> tls: Fix tls_sw_sendmsg error handling Eric Dumazet <edumazet(a)google.com> net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Zhongqiu Duan <dzq.aishenghu0(a)gmail.com> tcp/dccp: allow a connection when sk_max_ack_backlog is zero Jason Xing <kernelxing(a)tencent.com> tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Antonio Pastor <antonio.pastor(a)gmail.com> net: 802: LLC+SNAP OID:PID lookup on start of skb data Keisuke Nishimura <keisuke.nishimura(a)inria.fr> ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix cursor index when skipping across block boundaries Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix unreleased btree blocks on closing a faulty array cursor Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix releasing a faulty array block twice in dm_array_cursor_end Zhang Yi <yi.zhang(a)huawei.com> jbd2: flush filesystem device before updating tail sequence ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/px30.dtsi | 8 +++ arch/arm64/boot/dts/rockchip/rk3328.dtsi | 4 ++ arch/arm64/boot/dts/rockchip/rk3399.dtsi | 40 ++++++++--- arch/m68k/fpsp040/skeleton.S | 3 +- arch/m68k/kernel/entry.S | 2 + arch/m68k/kernel/sys_m68k.c | 2 + arch/m68k/kernel/traps.c | 2 +- arch/riscv/Kconfig | 4 ++ arch/riscv/include/asm/csr.h | 72 ++++++++++++++++--- arch/riscv/include/asm/irqflags.h | 12 ++-- arch/riscv/include/asm/processor.h | 2 +- arch/riscv/include/asm/ptrace.h | 16 ++--- arch/riscv/include/asm/switch_to.h | 10 +-- arch/riscv/kernel/asm-offsets.c | 8 +-- arch/riscv/kernel/entry.S | 74 +++++++++++-------- arch/riscv/kernel/fpu.S | 8 +-- arch/riscv/kernel/head.S | 12 ++-- arch/riscv/kernel/irq.c | 17 ++--- arch/riscv/kernel/perf_callchain.c | 2 +- arch/riscv/kernel/process.c | 17 ++--- arch/riscv/kernel/signal.c | 21 +++--- arch/riscv/kernel/smp.c | 2 +- arch/riscv/kernel/traps.c | 34 ++++----- arch/riscv/lib/uaccess.S | 12 ++-- arch/riscv/mm/extable.c | 4 +- arch/riscv/mm/fault.c | 6 +- drivers/acpi/resource.c | 18 +++++ drivers/clocksource/timer-riscv.c | 8 +-- drivers/gpu/drm/amd/display/dc/dc.h | 2 +- .../gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 +++ drivers/gpu/drm/v3d/v3d_irq.c | 4 ++ drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/iio/adc/at91_adc.c | 2 +- drivers/iio/adc/ti-ads124s08.c | 4 +- drivers/iio/adc/ti-ads8688.c | 2 +- drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 +- drivers/iio/gyro/fxas21002c_core.c | 11 ++- drivers/iio/imu/kmx61.c | 2 +- drivers/iio/inkern.c | 2 +- drivers/iio/light/vcnl4035.c | 2 +- drivers/iio/pressure/zpa2326.c | 2 + drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 2 +- drivers/irqchip/irq-gic-v3.c | 2 +- drivers/irqchip/irq-sifive-plic.c | 11 +-- drivers/irqchip/irq-sunxi-nmi.c | 3 +- drivers/md/dm-thin.c | 5 +- drivers/md/persistent-data/dm-array.c | 19 +++-- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +---- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/ti/cpsw_ale.c | 14 ++-- drivers/net/gtp.c | 42 ++++++----- drivers/net/ieee802154/ca8210.c | 6 +- drivers/net/xen-netback/hash.c | 7 +- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/phy/phy-core.c | 7 +- drivers/scsi/scsi_transport_iscsi.c | 4 +- drivers/scsi/sg.c | 2 +- drivers/staging/iio/frequency/ad9832.c | 2 +- drivers/staging/iio/frequency/ad9834.c | 2 +- drivers/usb/class/usblp.c | 7 +- drivers/usb/core/hub.c | 6 +- drivers/usb/core/port.c | 7 +- drivers/usb/gadget/function/f_fs.c | 2 +- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 4 +- drivers/usb/serial/quatech2.c | 2 +- drivers/usb/storage/unusual_devs.h | 7 ++ drivers/vfio/platform/vfio_platform_common.c | 10 +++ fs/ext4/ext4.h | 1 + fs/ext4/extents.c | 64 ++++++++++++++--- fs/gfs2/file.c | 1 + fs/hfs/super.c | 4 +- fs/jbd2/commit.c | 4 +- fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 10 ++- fs/proc/vmcore.c | 2 + include/linux/hrtimer.h | 1 + include/linux/poll.h | 10 ++- include/net/inet_connection_sock.h | 2 +- include/net/net_namespace.h | 3 + kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/time/hrtimer.c | 11 ++- net/802/psnap.c | 4 +- net/core/net_namespace.c | 83 ++++++++++++++-------- net/dccp/ipv6.c | 2 +- net/ipv6/route.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mac802154/iface.c | 4 ++ net/sched/cls_flow.c | 3 +- net/sctp/sysctl.c | 9 +-- net/tls/tls_sw.c | 2 +- sound/soc/codecs/Kconfig | 1 + 95 files changed, 589 insertions(+), 314 deletions(-)

9 months

5
96
0 0

[PATCH 5.10 5/5] net: test for not too small csum_start in virtio_net_hdr_to_skb()

by Denis Arefev

From: Eric Dumazet <edumazet(a)google.com> commit 49d14b54a527289d09a9480f214b8c586322310a upstream. syzbot was able to trigger this warning [1], after injecting a malicious packet through af_packet, setting skb->csum_start and thus the transport header to an incorrect value. We can at least make sure the transport header is after the end of the network header (with a estimated minimal size). [1] [ 67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0 mac=(-1,-1) mac_len=0 net=(16,-6) trans=10 shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0)) csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0) hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0 priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0 encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0) [ 67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9 [ 67.877764] sk family=17 type=3 proto=0 [ 67.878279] skb linear: 00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00 [ 67.879128] skb frag: 00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02 [ 67.879877] skb frag: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.880647] skb frag: 00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00 [ 67.881156] skb frag: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.881753] skb frag: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.882173] skb frag: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.882790] skb frag: 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.883171] skb frag: 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.883733] skb frag: 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.884206] skb frag: 00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e [ 67.884704] skb frag: 000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00 [ 67.885139] skb frag: 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.885677] skb frag: 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.886042] skb frag: 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.886408] skb frag: 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.887020] skb frag: 000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.887384] skb frag: 00000100: 00 00 [ 67.887878] ------------[ cut here ]------------ [ 67.887908] offset (-6) >= skb_headlen() (14) [ 67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) [ 67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs [ 67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011 [ 67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) [ 67.891043] Call Trace: [ 67.891173] <TASK> [ 67.891274] ? __warn (kernel/panic.c:741) [ 67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) [ 67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219) [ 67.891348] ? handle_bug (arch/x86/kernel/traps.c:239) [ 67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) [ 67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) [ 67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) [ 67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) [ 67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1)) [ 67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 net/ipv4/ip_output.c:113) [ 67.891459] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200) [ 67.891470] ? ip_route_output_flow (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:96 (discriminator 13) ./include/linux/rcupdate.h:871 (discriminator 13) net/ipv4/route.c:2625 (discriminator 13) ./include/net/route.h:141 (discriminator 13) net/ipv4/route.c:2852 (discriminator 13)) [ 67.891484] ipvlan_process_v4_outbound (drivers/net/ipvlan/ipvlan_core.c:445 (discriminator 1)) [ 67.891581] ipvlan_queue_xmit (drivers/net/ipvlan/ipvlan_core.c:542 drivers/net/ipvlan/ipvlan_core.c:604 drivers/net/ipvlan/ipvlan_core.c:670) [ 67.891596] ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:227) [ 67.891607] dev_hard_start_xmit (./include/linux/netdevice.h:4916 ./include/linux/netdevice.h:4925 net/core/dev.c:3588 net/core/dev.c:3604) [ 67.891620] __dev_queue_xmit (net/core/dev.h:168 (discriminator 25) net/core/dev.c:4425 (discriminator 25)) [ 67.891630] ? skb_copy_bits (./include/linux/uaccess.h:233 (discriminator 1) ./include/linux/uaccess.h:260 (discriminator 1) ./include/linux/highmem-internal.h:230 (discriminator 1) net/core/skbuff.c:3018 (discriminator 1)) [ 67.891645] ? __pskb_pull_tail (net/core/skbuff.c:2848 (discriminator 4)) [ 67.891655] ? skb_partial_csum_set (net/core/skbuff.c:5657) [ 67.891666] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/skbuff.h:2791 (discriminator 3) ./include/linux/skbuff.h:2799 (discriminator 3) ./include/linux/virtio_net.h:109 (discriminator 3)) [ 67.891684] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1)) [ 67.891700] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4)) [ 67.891716] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1)) [ 67.891734] ? do_sock_setsockopt (net/socket.c:2335) [ 67.891747] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355) [ 67.891761] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1)) [ 67.891772] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) [ 67.891785] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fixes: 9181d6f8a2bb ("net: add more sanity check in virtio_net_hdr_to_skb()") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Link: https://patch.msgid.link/20240926165836.3797406-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [Denis: minor fix to resolve merge conflict.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2024-43817 Link: https://nvd.nist.gov/vuln/detail/cve-2024-43817 --- include/linux/virtio_net.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index e9e681fab607..b56f032de16a 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -96,8 +96,10 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, if (!skb_partial_csum_set(skb, start, off)) return -EINVAL; + if (skb_transport_offset(skb) < nh_min_len) + return -EINVAL; - nh_min_len = max_t(u32, nh_min_len, skb_transport_offset(skb)); + nh_min_len = skb_transport_offset(skb); p_off = nh_min_len + thlen; if (!pskb_may_pull(skb, p_off)) return -EINVAL; -- 2.43.0

9 months

1
0
0 0

[PATCH 5.10 4/5] net: add more sanity check in virtio_net_hdr_to_skb()

by Denis Arefev

From: Eric Dumazet <edumazet(a)google.com> commit 9181d6f8a2bb32d158de66a84164fac05e3ddd18 upstream. syzbot/KMSAN reports access to uninitialized data from gso_features_check() [1] The repro use af_packet, injecting a gso packet and hdrlen == 0. We could fix the issue making gso_features_check() more careful while dealing with NETIF_F_TSO_MANGLEID in fast path. Or we can make sure virtio_net_hdr_to_skb() pulls minimal network and transport headers as intended. Note that for GSO packets coming from untrusted sources, SKB_GSO_DODGY bit forces a proper header validation (and pull) before the packet can hit any device ndo_start_xmit(), thus we do not need a precise disection at virtio_net_hdr_to_skb() stage. [1] BUG: KMSAN: uninit-value in skb_gso_segment include/net/gso.h:83 [inline] BUG: KMSAN: uninit-value in validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629 __dev_queue_xmit+0x1eac/0x5130 net/core/dev.c:4341 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 packet_alloc_skb net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030 [inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5025 Comm: syz-executor279 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Reported-by: syzbot+7f4d0ea3df4d4fa9a65f(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/netdev/0000000000005abd7b060eb160cd@google.com/ Fixes: 9274124f023b ("net: stricter validation of untrusted gso packets") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Willem de Bruijn <willemb(a)google.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> [Denis: minor fix to resolve merge conflict.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2024-43817 Link: https://nvd.nist.gov/vuln/detail/cve-2024-43817 --- include/linux/virtio_net.h | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 62613d4d84b7..e9e681fab607 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -3,6 +3,8 @@ #define _LINUX_VIRTIO_NET_H #include <linux/if_vlan.h> +#include <linux/ip.h> +#include <linux/ipv6.h> #include <linux/udp.h> #include <uapi/linux/tcp.h> #include <uapi/linux/virtio_net.h> @@ -47,6 +49,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, const struct virtio_net_hdr *hdr, bool little_endian) { + unsigned int nh_min_len = sizeof(struct iphdr); unsigned int gso_type = 0; unsigned int thlen = 0; unsigned int p_off = 0; @@ -63,6 +66,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, gso_type = SKB_GSO_TCPV6; ip_proto = IPPROTO_TCP; thlen = sizeof(struct tcphdr); + nh_min_len = sizeof(struct ipv6hdr); break; case VIRTIO_NET_HDR_GSO_UDP: gso_type = SKB_GSO_UDP; @@ -93,7 +97,8 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, if (!skb_partial_csum_set(skb, start, off)) return -EINVAL; - p_off = skb_transport_offset(skb) + thlen; + nh_min_len = max_t(u32, nh_min_len, skb_transport_offset(skb)); + p_off = nh_min_len + thlen; if (!pskb_may_pull(skb, p_off)) return -EINVAL; } else { @@ -133,7 +138,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, skb_set_transport_header(skb, keys.control.thoff); } else if (gso_type) { - p_off = thlen; + p_off = nh_min_len + thlen; if (!pskb_may_pull(skb, p_off)) return -EINVAL; } -- 2.43.0

9 months

1
0
0 0

[PATCH 5.10 3/5] net: tighten bad gso csum offset check in virtio_net_hdr

by Denis Arefev

From: Willem de Bruijn <willemb(a)google.com> commit 6513eb3d3191574b58859ef2d6dc26c0277c6f81 upstream. The referenced commit drops bad input, but has false positives. Tighten the check to avoid these. The check detects illegal checksum offload requests, which produce csum_start/csum_off beyond end of packet after segmentation. But it is based on two incorrect assumptions: 1. virtio_net_hdr_to_skb with VIRTIO_NET_HDR_GSO_TCP[46] implies GSO. True in callers that inject into the tx path, such as tap. But false in callers that inject into rx, like virtio-net. Here, the flags indicate GRO, and CHECKSUM_UNNECESSARY or CHECKSUM_NONE without VIRTIO_NET_HDR_F_NEEDS_CSUM is normal. 2. TSO requires checksum offload, i.e., ip_summed == CHECKSUM_PARTIAL. False, as tcp[46]_gso_segment will fix up csum_start and offset for all other ip_summed by calling __tcp_v4_send_check. Because of 2, we can limit the scope of the fix to virtio_net_hdr that do try to set these fields, with a bogus value. Link: https://lore.kernel.org/netdev/20240909094527.GA3048202@port70.net/ Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr") Signed-off-by: Willem de Bruijn <willemb(a)google.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20240910213553.839926-1-willemdebruijn.kernel@gmai… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [Denis: minor fix to resolve merge conflict.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2024-43817 Link: https://nvd.nist.gov/vuln/detail/cve-2024-43817 --- include/linux/virtio_net.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 823e28042f41..62613d4d84b7 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -161,7 +161,8 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, break; case SKB_GSO_TCPV4: case SKB_GSO_TCPV6: - if (skb->csum_offset != offsetof(struct tcphdr, check)) + if (skb->ip_summed == CHECKSUM_PARTIAL && + skb->csum_offset != offsetof(struct tcphdr, check)) return -EINVAL; break; } -- 2.43.0

9 months

1
0
0 0

[PATCH 5.10 2/5] net: drop bad gso csum_start and offset in virtio_net_hdr

by Denis Arefev

From: Willem de Bruijn <willemb(a)google.com> commit 89add40066f9ed9abe5f7f886fe5789ff7e0c50e upstream. Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation. Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb))) By injecting a TSO packet: WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline] The geometry of the bad input packet at tcp_gso_segment: [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0 [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244 [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0)) [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0) Mitigate with stricter input validation. csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Let UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software. csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload. GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first. This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests. Link: https://syzkaller.appspot.com/bug?extid=e1db31216c789f552871 Link: https://lore.kernel.org/netdev/20240723223109.2196886-1-kuba@kernel.org Fixes: e269d79c7d35 ("net: missing check virtio") Cc: stable(a)vger.kernel.org Signed-off-by: Willem de Bruijn <willemb(a)google.com> Link: https://patch.msgid.link/20240729201108.1615114-1-willemdebruijn.kernel@gma… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [Denis: minor fix to resolve merge conflict.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2024-43817 Link: https://nvd.nist.gov/vuln/detail/cve-2024-43817 --- include/linux/virtio_net.h | 5 +++++ net/ipv4/tcp_offload.c | 3 +++ net/ipv4/udp_offload.c | 14 ++++++++++++++ 3 files changed, 22 insertions(+) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 9bdba0c00c07..823e28042f41 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -159,6 +159,11 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, if (gso_type != SKB_GSO_UDP_L4) return -EINVAL; break; + case SKB_GSO_TCPV4: + case SKB_GSO_TCPV6: + if (skb->csum_offset != offsetof(struct tcphdr, check)) + return -EINVAL; + break; } /* Kernel has a special handling for GSO_BY_FRAGS. */ diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c index fc61cd3fea65..357d3be04f84 100644 --- a/net/ipv4/tcp_offload.c +++ b/net/ipv4/tcp_offload.c @@ -71,6 +71,9 @@ struct sk_buff *tcp_gso_segment(struct sk_buff *skb, if (thlen < sizeof(*th)) goto out; + if (unlikely(skb_checksum_start(skb) != skb_transport_header(skb))) + goto out; + if (!pskb_may_pull(skb, thlen)) goto out; diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index 6e36eb1ba276..9b757394ad4f 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -276,6 +276,20 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, if (gso_skb->len <= sizeof(*uh) + mss) return ERR_PTR(-EINVAL); + if (unlikely(skb_checksum_start(gso_skb) != + skb_transport_header(gso_skb))) + return ERR_PTR(-EINVAL); + + if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { + /* Packet is from an untrusted source, reset gso_segs. */ + skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh), + mss); + return NULL; + } + + if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) + return __udp_gso_segment_list(gso_skb, features, is_ipv6); + skb_pull(gso_skb, sizeof(*uh)); /* clear destructor to avoid skb_segment assigning it to tail */ -- 2.43.0

9 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2025