Список изменений в Linux 5.4.209

 
ARM: crypto: comment out gcc warning that breaks clang builds [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sun Jul 31 12:05:51 2022 +0200

    ARM: crypto: comment out gcc warning that breaks clang builds
    
    The gcc build warning prevents all clang-built kernels from working
    properly, so comment it out to fix the build.
    
    This is a -stable kernel only patch for now, it will be resolved
    differently in mainline releases in the future.
    
    Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
    Cc: "Justin M. Forbes" <jforbes@fedoraproject.org>
    Cc: Ard Biesheuvel <ardb@kernel.org>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Nicolas Pitre <nico@linaro.org>
    Cc: Nathan Chancellor <nathan@kernel.org>
    Cc: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Thu Jul 21 09:10:50 2022 -0700

    Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
    
    commit d0be8347c623e0ac4202a1d4e0373882821f56b0 upstream.
    
    This fixes the following trace which is caused by hci_rx_work starting up
    *after* the final channel reference has been put() during sock_close() but
    *before* the references to the channel have been destroyed, so instead
    the code now rely on kref_get_unless_zero/l2cap_chan_hold_unless_zero to
    prevent referencing a channel that is about to be destroyed.
    
      refcount_t: increment on 0; use-after-free.
      BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0
      Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705
    
      CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S      W
      4.14.234-00003-g1fb6d0bd49a4-dirty #28
      Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150
      Google Inc. MSM sm8150 Flame DVT (DT)
      Workqueue: hci0 hci_rx_work
      Call trace:
       dump_backtrace+0x0/0x378
       show_stack+0x20/0x2c
       dump_stack+0x124/0x148
       print_address_description+0x80/0x2e8
       __kasan_report+0x168/0x188
       kasan_report+0x10/0x18
       __asan_load4+0x84/0x8c
       refcount_dec_and_test+0x20/0xd0
       l2cap_chan_put+0x48/0x12c
       l2cap_recv_frame+0x4770/0x6550
       l2cap_recv_acldata+0x44c/0x7a4
       hci_acldata_packet+0x100/0x188
       hci_rx_work+0x178/0x23c
       process_one_work+0x35c/0x95c
       worker_thread+0x4cc/0x960
       kthread+0x1a8/0x1c4
       ret_from_fork+0x10/0x18
    
    Cc: stable@kernel.org
    Reported-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Tested-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
Documentation: fix sctp_wmem in ip-sysctl.rst [+ + +]
Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Jul 21 10:35:46 2022 -0400

    Documentation: fix sctp_wmem in ip-sysctl.rst
    
    [ Upstream commit aa709da0e032cee7c202047ecd75f437bb0126ed ]
    
    Since commit 1033990ac5b2 ("sctp: implement memory accounting on tx path"),
    SCTP has supported memory accounting on tx path where 'sctp_wmem' is used
    by sk_wmem_schedule(). So we should fix the description for this option in
    ip-sysctl.rst accordingly.
    
    v1->v2:
      - Improve the description as Marcelo suggested.
    
    Fixes: 1033990ac5b2 ("sctp: implement memory accounting on tx path")
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i40e: Fix interface init with MSI interrupts (no MSI-X) [+ + +]
Author: Michal Maloszewski <michal.maloszewski@intel.com>
Date:   Fri Jul 22 10:54:01 2022 -0700

    i40e: Fix interface init with MSI interrupts (no MSI-X)
    
    [ Upstream commit 5fcbb711024aac6d4db385623e6f2fdf019f7782 ]
    
    Fix the inability to bring an interface up on a setup with
    only MSI interrupts enabled (no MSI-X).
    Solution is to add a default number of QPs = 1. This is enough,
    since without MSI-X support driver enables only a basic feature set.
    
    Fixes: bc6d33c8d93f ("i40e: Fix the number of queues available to be mapped for use")
    Signed-off-by: Dawid Lukwinski <dawid.lukwinski@intel.com>
    Signed-off-by: Michal Maloszewski <michal.maloszewski@intel.com>
    Tested-by: Dave Switzer <david.switzer@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Link: https://lore.kernel.org/r/20220722175401.112572-1-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Thu Jul 7 12:20:42 2022 +0200

    ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
    
    commit 283d736ff7c7e96ac5b32c6c0de40372f8eb171e upstream.
    
    Tx side sets EOP and RS bits on descriptors to indicate that a
    particular descriptor is the last one and needs to generate an irq when
    it was sent. These bits should not be checked on completion path
    regardless whether it's the Tx or the Rx. DD bit serves this purpose and
    it indicates that a particular descriptor is either for Rx or was
    successfully Txed. EOF is also set as loopback test does not xmit
    fragmented frames.
    
    Look at (DD | EOF) bits setting in ice_lbtest_receive_frames() instead
    of EOP and RS pair.
    
    Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest")
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Tested-by: George Kuruvinakunnel <george.kuruvinakunnel@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ice: do not setup vlan for loopback VSI [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Thu Jul 7 12:20:43 2022 +0200

    ice: do not setup vlan for loopback VSI
    
    commit cc019545a238518fa9da1e2a889f6e1bb1005a63 upstream.
    
    Currently loopback test is failiing due to the error returned from
    ice_vsi_vlan_setup(). Skip calling it when preparing loopback VSI.
    
    Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest")
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Tested-by: George Kuruvinakunnel <george.kuruvinakunnel@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
igmp: Fix data-races around sysctl_igmp_qrv. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Fri Jul 15 10:17:44 2022 -0700

    igmp: Fix data-races around sysctl_igmp_qrv.
    
    [ Upstream commit 8ebcc62c738f68688ee7c6fec2efe5bc6d3d7e60 ]
    
    While reading sysctl_igmp_qrv, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its readers.
    
    This test can be packed into a helper, so such changes will be in the
    follow-up series after net is merged into net-next.
    
      qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv);
    
    Fixes: a9fe8e29945d ("ipv4: implement igmp_qrv sysctl to tune igmp robustness variable")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr [+ + +]
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date:   Thu Jul 28 09:33:07 2022 +0800

    ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
    
    commit 85f0173df35e5462d89947135a6a5599c6c3ef6f upstream.
    
    Change net device's MTU to smaller than IPV6_MIN_MTU or unregister
    device while matching route. That may trigger null-ptr-deref bug
    for ip6_ptr probability as following.
    
    =========================================================
    BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134
    Read of size 4 at addr 0000000000000308 by task ping6/263
    
    CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14
    Call trace:
     dump_backtrace+0x1a8/0x230
     show_stack+0x20/0x70
     dump_stack_lvl+0x68/0x84
     print_report+0xc4/0x120
     kasan_report+0x84/0x120
     __asan_load4+0x94/0xd0
     find_match.part.0+0x70/0x134
     __find_rr_leaf+0x408/0x470
     fib6_table_lookup+0x264/0x540
     ip6_pol_route+0xf4/0x260
     ip6_pol_route_output+0x58/0x70
     fib6_rule_lookup+0x1a8/0x330
     ip6_route_output_flags_noref+0xd8/0x1a0
     ip6_route_output_flags+0x58/0x160
     ip6_dst_lookup_tail+0x5b4/0x85c
     ip6_dst_lookup_flow+0x98/0x120
     rawv6_sendmsg+0x49c/0xc70
     inet_sendmsg+0x68/0x94
    
    Reproducer as following:
    Firstly, prepare conditions:
    $ip netns add ns1
    $ip netns add ns2
    $ip link add veth1 type veth peer name veth2
    $ip link set veth1 netns ns1
    $ip link set veth2 netns ns2
    $ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1
    $ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2
    $ip netns exec ns1 ifconfig veth1 up
    $ip netns exec ns2 ifconfig veth2 up
    $ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1
    $ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1
    
    Secondly, execute the following two commands in two ssh windows
    respectively:
    $ip netns exec ns1 sh
    $while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done
    
    $ip netns exec ns1 sh
    $while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done
    
    It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly,
    then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check.
    
            cpu0                    cpu1
    fib6_table_lookup
    __find_rr_leaf
                            addrconf_notify [ NETDEV_CHANGEMTU ]
                            addrconf_ifdown
                            RCU_INIT_POINTER(dev->ip6_ptr, NULL)
    find_match
    ip6_ignore_linkdown
    
    So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to
    fix the null-ptr-deref bug.
    
    Fixes: dcd1f572954f ("net/ipv6: Remove fib6_idev")
    Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Link: https://lore.kernel.org/r/20220728013307.656257-1-william.xuanziyang@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 5.4.209 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Aug 3 11:59:42 2022 +0200

    Linux 5.4.209
    
    Link: https://lore.kernel.org/r/20220801114128.025615151@linuxfoundation.org
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle. [+ + +]
Author: Wei Mingzhi <whistler@member.fsf.org>
Date:   Sat Jun 19 00:08:40 2021 +0800

    mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle.
    
    commit 829eea7c94e0bac804e65975639a2f2e5f147033 upstream.
    
    USB device ID of some versions of XiaoDu WiFi Dongle is 2955:1003
    instead of 2955:1001. Both are the same mt7601u hardware.
    
    Signed-off-by: Wei Mingzhi <whistler@member.fsf.org>
    Acked-by: Jakub Kicinski <kubakici@wp.pl>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20210618160840.305024-1-whistler@member.fsf.org
    Cc: Yan Xinyu <sdlyyxy@bupt.edu.cn>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net: ping6: Fix memleak in ipv6_renew_options(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 27 18:22:20 2022 -0700

    net: ping6: Fix memleak in ipv6_renew_options().
    
    commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream.
    
    When we close ping6 sockets, some resources are left unfreed because
    pingv6_prot is missing sk->sk_prot->destroy().  As reported by
    syzbot [0], just three syscalls leak 96 bytes and easily cause OOM.
    
        struct ipv6_sr_hdr *hdr;
        char data[24] = {0};
        int fd;
    
        hdr = (struct ipv6_sr_hdr *)data;
        hdr->hdrlen = 2;
        hdr->type = IPV6_SRCRT_TYPE_4;
    
        fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP);
        setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24);
        close(fd);
    
    To fix memory leaks, let's add a destroy function.
    
    Note the socket() syscall checks if the GID is within the range of
    net.ipv4.ping_group_range.  The default value is [1, 0] so that no
    GID meets the condition (1 <= GID <= 0).  Thus, the local DoS does
    not succeed until we change the default value.  However, at least
    Ubuntu/Fedora/RHEL loosen it.
    
        $ cat /usr/lib/sysctl.d/50-default.conf
        ...
        -net.ipv4.ping_group_range = 0 2147483647
    
    Also, there could be another path reported with these options, and
    some of them require CAP_NET_RAW.
    
      setsockopt
          IPV6_ADDRFORM (inet6_sk(sk)->pktoptions)
          IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu)
          IPV6_HOPOPTS (inet6_sk(sk)->opt)
          IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt)
          IPV6_RTHDR (inet6_sk(sk)->opt)
          IPV6_DSTOPTS (inet6_sk(sk)->opt)
          IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt)
    
      getsockopt
          IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list)
    
    For the record, I left a different splat with syzbot's one.
    
      unreferenced object 0xffff888006270c60 (size 96):
        comm "repro2", pid 231, jiffies 4294696626 (age 13.118s)
        hex dump (first 32 bytes):
          01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00  ....D...........
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554)
          [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715)
          [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024)
          [<000000007096a025>] __sys_setsockopt (net/socket.c:2254)
          [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262)
          [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
          [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
    
    [0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176
    
    Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
    Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com
    Reported-by: Ayushman Dutta <ayudutta@amazon.com>
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() [+ + +]
Author: Liang He <windhl@126.com>
Date:   Wed Jul 20 21:10:03 2022 +0800

    net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
    
    [ Upstream commit ebbbe23fdf6070e31509638df3321688358cc211 ]
    
    In bcm5421_init(), we should call of_node_put() for the reference
    returned by of_get_parent() which has increased the refcount.
    
    Fixes: 3c326fe9cb7a ("[PATCH] ppc64: Add new PHY to sungem")
    Signed-off-by: Liang He <windhl@126.com>
    Link: https://lore.kernel.org/r/20220720131003.1287426-1-windhl@126.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netfilter: nf_queue: do not allow packet truncation below transport header offset [+ + +]
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Jul 26 12:42:06 2022 +0200

    netfilter: nf_queue: do not allow packet truncation below transport header offset
    
    [ Upstream commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 ]
    
    Domingo Dirutigliano and Nicola Guerrera report kernel panic when
    sending nf_queue verdict with 1-byte nfta_payload attribute.
    
    The IP/IPv6 stack pulls the IP(v6) header from the packet after the
    input hook.
    
    If user truncates the packet below the header size, this skb_pull() will
    result in a malformed skb (skb->len < 0).
    
    Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
    Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ntfs: fix use-after-free in ntfs_ucsncmp() [+ + +]
Author: ChenXiaoSong <chenxiaosong2@huawei.com>
Date:   Thu Jul 7 18:53:29 2022 +0800

    ntfs: fix use-after-free in ntfs_ucsncmp()
    
    commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 upstream.
    
    Syzkaller reported use-after-free bug as follows:
    
    ==================================================================
    BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130
    Read of size 2 at addr ffff8880751acee8 by task a.out/879
    
    CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x1c0/0x2b0
     print_address_description.constprop.0.cold+0xd4/0x484
     print_report.cold+0x55/0x232
     kasan_report+0xbf/0xf0
     ntfs_ucsncmp+0x123/0x130
     ntfs_are_names_equal.cold+0x2b/0x41
     ntfs_attr_find+0x43b/0xb90
     ntfs_attr_lookup+0x16d/0x1e0
     ntfs_read_locked_attr_inode+0x4aa/0x2360
     ntfs_attr_iget+0x1af/0x220
     ntfs_read_locked_inode+0x246c/0x5120
     ntfs_iget+0x132/0x180
     load_system_files+0x1cc6/0x3480
     ntfs_fill_super+0xa66/0x1cf0
     mount_bdev+0x38d/0x460
     legacy_get_tree+0x10d/0x220
     vfs_get_tree+0x93/0x300
     do_new_mount+0x2da/0x6d0
     path_mount+0x496/0x19d0
     __x64_sys_mount+0x284/0x300
     do_syscall_64+0x3b/0xc0
     entry_SYSCALL_64_after_hwframe+0x46/0xb0
    RIP: 0033:0x7f3f2118d9ea
    Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48
    RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea
    RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00
    RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44
    R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
     </TASK>
    
    The buggy address belongs to the physical page:
    page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac
    memcg:ffff888101f7e180
    anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff)
    raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201
    raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                              ^
     ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ==================================================================
    
    The reason is that struct ATTR_RECORD->name_offset is 6485, end address of
    name string is out of bounds.
    
    Fix this by adding sanity check on end address of attribute name string.
    
    [akpm@linux-foundation.org: coding-style cleanups]
    [chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei]
      Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@huawei.com
    Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huawei.com
    Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
    Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
    Cc: Anton Altaparmakov <anton@tuxera.com>
    Cc: ChenXiaoSong <chenxiaosong2@huawei.com>
    Cc: Yongqiang Liu <liuyongqiang13@huawei.com>
    Cc: Zhang Yi <yi.zhang@huawei.com>
    Cc: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
perf symbol: Correct address for bss symbols [+ + +]
Author: Leo Yan <leo.yan@linaro.org>
Date:   Sun Jul 24 14:00:12 2022 +0800

    perf symbol: Correct address for bss symbols
    
    [ Upstream commit 2d86612aacb7805f72873691a2644d7279ed0630 ]
    
    When using 'perf mem' and 'perf c2c', an issue is observed that tool
    reports the wrong offset for global data symbols.  This is a common
    issue on both x86 and Arm64 platforms.
    
    Let's see an example, for a test program, below is the disassembly for
    its .bss section which is dumped with objdump:
    
      ...
    
      Disassembly of section .bss:
    
      0000000000004040 <completed.0>:
            ...
    
      0000000000004080 <buf1>:
            ...
    
      00000000000040c0 <buf2>:
            ...
    
      0000000000004100 <thread>:
            ...
    
    First we used 'perf mem record' to run the test program and then used
    'perf --debug verbose=4 mem report' to observe what's the symbol info
    for 'buf1' and 'buf2' structures.
    
      # ./perf mem record -e ldlat-loads,ldlat-stores -- false_sharing.exe 8
      # ./perf --debug verbose=4 mem report
        ...
        dso__load_sym_internal: adjusting symbol: st_value: 0x40c0 sh_addr: 0x4040 sh_offset: 0x3028
        symbol__new: buf2 0x30a8-0x30e8
        ...
        dso__load_sym_internal: adjusting symbol: st_value: 0x4080 sh_addr: 0x4040 sh_offset: 0x3028
        symbol__new: buf1 0x3068-0x30a8
        ...
    
    The perf tool relies on libelf to parse symbols, in executable and
    shared object files, 'st_value' holds a virtual address; 'sh_addr' is
    the address at which section's first byte should reside in memory, and
    'sh_offset' is the byte offset from the beginning of the file to the
    first byte in the section.  The perf tool uses below formula to convert
    a symbol's memory address to a file address:
    
      file_address = st_value - sh_addr + sh_offset
                        ^
                        ` Memory address
    
    We can see the final adjusted address ranges for buf1 and buf2 are
    [0x30a8-0x30e8) and [0x3068-0x30a8) respectively, apparently this is
    incorrect, in the code, the structure for 'buf1' and 'buf2' specifies
    compiler attribute with 64-byte alignment.
    
    The problem happens for 'sh_offset', libelf returns it as 0x3028 which
    is not 64-byte aligned, combining with disassembly, it's likely libelf
    doesn't respect the alignment for .bss section, therefore, it doesn't
    return the aligned value for 'sh_offset'.
    
    Suggested by Fangrui Song, ELF file contains program header which
    contains PT_LOAD segments, the fields p_vaddr and p_offset in PT_LOAD
    segments contain the execution info.  A better choice for converting
    memory address to file address is using the formula:
    
      file_address = st_value - p_vaddr + p_offset
    
    This patch introduces elf_read_program_header() which returns the
    program header based on the passed 'st_value', then it uses the formula
    above to calculate the symbol file address; and the debugging log is
    updated respectively.
    
    After applying the change:
    
      # ./perf --debug verbose=4 mem report
        ...
        dso__load_sym_internal: adjusting symbol: st_value: 0x40c0 p_vaddr: 0x3d28 p_offset: 0x2d28
        symbol__new: buf2 0x30c0-0x3100
        ...
        dso__load_sym_internal: adjusting symbol: st_value: 0x4080 p_vaddr: 0x3d28 p_offset: 0x2d28
        symbol__new: buf1 0x3080-0x30c0
        ...
    
    Fixes: f17e04afaff84b5c ("perf report: Fix ELF symbol parsing")
    Reported-by: Chang Rui <changruinj@gmail.com>
    Suggested-by: Fangrui Song <maskray@google.com>
    Signed-off-by: Leo Yan <leo.yan@linaro.org>
    Acked-by: Namhyung Kim <namhyung@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Ian Rogers <irogers@google.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20220724060013.171050-2-leo.yan@linaro.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390/archrandom: prevent CPACF trng invocations in interrupt context [+ + +]
Author: Harald Freudenberger <freude@linux.ibm.com>
Date:   Wed Jul 13 15:17:21 2022 +0200

    s390/archrandom: prevent CPACF trng invocations in interrupt context
    
    commit 918e75f77af7d2e049bb70469ec0a2c12782d96a upstream.
    
    This patch slightly reworks the s390 arch_get_random_seed_{int,long}
    implementation: Make sure the CPACF trng instruction is never
    called in any interrupt context. This is done by adding an
    additional condition in_task().
    
    Justification:
    
    There are some constrains to satisfy for the invocation of the
    arch_get_random_seed_{int,long}() functions:
    - They should provide good random data during kernel initialization.
    - They should not be called in interrupt context as the TRNG
      instruction is relatively heavy weight and may for example
      make some network loads cause to timeout and buck.
    
    However, it was not clear what kind of interrupt context is exactly
    encountered during kernel init or network traffic eventually calling
    arch_get_random_seed_long().
    
    After some days of investigations it is clear that the s390
    start_kernel function is not running in any interrupt context and
    so the trng is called:
    
    Jul 11 18:33:39 t35lp54 kernel:  [<00000001064e90ca>] arch_get_random_seed_long.part.0+0x32/0x70
    Jul 11 18:33:39 t35lp54 kernel:  [<000000010715f246>] random_init+0xf6/0x238
    Jul 11 18:33:39 t35lp54 kernel:  [<000000010712545c>] start_kernel+0x4a4/0x628
    Jul 11 18:33:39 t35lp54 kernel:  [<000000010590402a>] startup_continue+0x2a/0x40
    
    The condition in_task() is true and the CPACF trng provides random data
    during kernel startup.
    
    The network traffic however, is more difficult. A typical call stack
    looks like this:
    
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b5600fc>] extract_entropy.constprop.0+0x23c/0x240
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b560136>] crng_reseed+0x36/0xd8
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b5604b8>] crng_make_state+0x78/0x340
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b5607e0>] _get_random_bytes+0x60/0xf8
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b56108a>] get_random_u32+0xda/0x248
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008aefe7a8>] kfence_guarded_alloc+0x48/0x4b8
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008aeff35e>] __kfence_alloc+0x18e/0x1b8
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008aef7f10>] __kmalloc_node_track_caller+0x368/0x4d8
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b611eac>] kmalloc_reserve+0x44/0xa0
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b611f98>] __alloc_skb+0x90/0x178
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b6120dc>] __napi_alloc_skb+0x5c/0x118
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b8f06b4>] qeth_extract_skb+0x13c/0x680
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b8f6526>] qeth_poll+0x256/0x3f8
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b63d76e>] __napi_poll.constprop.0+0x46/0x2f8
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b63dbec>] net_rx_action+0x1cc/0x408
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b937302>] __do_softirq+0x132/0x6b0
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008abf46ce>] __irq_exit_rcu+0x13e/0x170
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008abf531a>] irq_exit_rcu+0x22/0x50
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b922506>] do_io_irq+0xe6/0x198
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b935826>] io_int_handler+0xd6/0x110
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b9358a6>] psw_idle_exit+0x0/0xa
    Jul 06 17:37:07 t35lp54 kernel: ([<000000008ab9c59a>] arch_cpu_idle+0x52/0xe0)
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b933cfe>] default_idle_call+0x6e/0xd0
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008ac59f4e>] do_idle+0xf6/0x1b0
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008ac5a28e>] cpu_startup_entry+0x36/0x40
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008abb0d90>] smp_start_secondary+0x148/0x158
    Jul 06 17:37:07 t35lp54 kernel:  [<000000008b935b9e>] restart_int_handler+0x6e/0x90
    
    which confirms that the call is in softirq context. So in_task() covers exactly
    the cases where we want to have CPACF trng called: not in nmi, not in hard irq,
    not in soft irq but in normal task context and during kernel init.
    
    Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
    Acked-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Reviewed-by: Juergen Christ <jchrist@linux.ibm.com>
    Link: https://lore.kernel.org/r/20220713131721.257907-1-freude@linux.ibm.com
    Fixes: e4f74400308c ("s390/archrandom: simplify back to earlier design and initialize earlier")
    [agordeev@linux.ibm.com changed desc, added Fixes and Link, removed -stable]
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
scsi: core: Fix race between handling STS_RESOURCE and completion [+ + +]
Author: Ming Lei <ming.lei@redhat.com>
Date:   Wed Dec 2 18:04:19 2020 +0800

    scsi: core: Fix race between handling STS_RESOURCE and completion
    
    commit 673235f915318ced5d7ec4b2bfd8cb909e6a4a55 upstream.
    
    When queuing I/O request to LLD, STS_RESOURCE may be returned because:
    
     - Host is in recovery or blocked
    
     - Target queue throttling or target is blocked
    
     - LLD rejection
    
    In these scenarios BLK_STS_DEV_RESOURCE is returned to the block layer to
    avoid an unnecessary re-run of the queue. However, all of the requests
    queued to this SCSI device may complete immediately after reading
    'sdev->device_busy' and BLK_STS_DEV_RESOURCE is returned to block layer. In
    that case the current I/O won't get a chance to get queued since it is
    invisible at that time for both scsi_run_queue_async() and blk-mq's
    RESTART.
    
    Fix the issue by not returning BLK_STS_DEV_RESOURCE in this situation.
    
    Link: https://lore.kernel.org/r/20201202100419.525144-1-ming.lei@redhat.com
    Fixes: 86ff7c2a80cd ("blk-mq: introduce BLK_STS_DEV_RESOURCE")
    Cc: Hannes Reinecke <hare@suse.com>
    Cc: Sumit Saxena <sumit.saxena@broadcom.com>
    Cc: Kashyap Desai <kashyap.desai@broadcom.com>
    Cc: Bart Van Assche <bvanassche@acm.org>
    Cc: Ewan Milne <emilne@redhat.com>
    Cc: Long Li <longli@microsoft.com>
    Reported-by: John Garry <john.garry@huawei.com>
    Tested-by: "chenxiang (M)" <chenxiang66@hisilicon.com>
    Signed-off-by: Ming Lei <ming.lei@redhat.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

scsi: ufs: host: Hold reference returned by of_parse_phandle() [+ + +]
Author: Liang He <windhl@126.com>
Date:   Tue Jul 19 15:15:29 2022 +0800

    scsi: ufs: host: Hold reference returned by of_parse_phandle()
    
    commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream.
    
    In ufshcd_populate_vreg(), we should hold the reference returned by
    of_parse_phandle() and then use it to call of_node_put() for refcount
    balance.
    
    Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com
    Fixes: aa4976130934 ("ufs: Add regulator enable support")
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Liang He <windhl@126.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
sctp: fix sleep in atomic context bug in timer handlers [+ + +]
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Sat Jul 23 09:58:09 2022 +0800

    sctp: fix sleep in atomic context bug in timer handlers
    
    [ Upstream commit b89fc26f741d9f9efb51cba3e9b241cf1380ec5a ]
    
    There are sleep in atomic context bugs in timer handlers of sctp
    such as sctp_generate_t3_rtx_event(), sctp_generate_probe_event(),
    sctp_generate_t1_init_event(), sctp_generate_timeout_event(),
    sctp_generate_t3_rtx_event() and so on.
    
    The root cause is sctp_sched_prio_init_sid() with GFP_KERNEL parameter
    that may sleep could be called by different timer handlers which is in
    interrupt context.
    
    One of the call paths that could trigger bug is shown below:
    
          (interrupt context)
    sctp_generate_probe_event
      sctp_do_sm
        sctp_side_effects
          sctp_cmd_interpreter
            sctp_outq_teardown
              sctp_outq_init
                sctp_sched_set_sched
                  n->init_sid(..,GFP_KERNEL)
                    sctp_sched_prio_init_sid //may sleep
    
    This patch changes gfp_t parameter of init_sid in sctp_sched_set_sched()
    from GFP_KERNEL to GFP_ATOMIC in order to prevent sleep in atomic
    context bugs.
    
    Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Link: https://lore.kernel.org/r/20220723015809.11553-1-duoming@zju.edu.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

sctp: leave the err path free in sctp_stream_init to sctp_stream_free [+ + +]
Author: Xin Long <lucien.xin@gmail.com>
Date:   Mon Jul 25 18:11:06 2022 -0400

    sctp: leave the err path free in sctp_stream_init to sctp_stream_free
    
    [ Upstream commit 181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d ]
    
    A NULL pointer dereference was reported by Wei Chen:
    
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      RIP: 0010:__list_del_entry_valid+0x26/0x80
      Call Trace:
       <TASK>
       sctp_sched_dequeue_common+0x1c/0x90
       sctp_sched_prio_dequeue+0x67/0x80
       __sctp_outq_teardown+0x299/0x380
       sctp_outq_free+0x15/0x20
       sctp_association_free+0xc3/0x440
       sctp_do_sm+0x1ca7/0x2210
       sctp_assoc_bh_rcv+0x1f6/0x340
    
    This happens when calling sctp_sendmsg without connecting to server first.
    In this case, a data chunk already queues up in send queue of client side
    when processing the INIT_ACK from server in sctp_process_init() where it
    calls sctp_stream_init() to alloc stream_in. If it fails to alloc stream_in
    all stream_out will be freed in sctp_stream_init's err path. Then in the
    asoc freeing it will crash when dequeuing this data chunk as stream_out
    is missing.
    
    As we can't free stream out before dequeuing all data from send queue, and
    this patch is to fix it by moving the err path stream_out/in freeing in
    sctp_stream_init() to sctp_stream_free() which is eventually called when
    freeing the asoc in sctp_association_free(). This fix also makes the code
    in sctp_process_init() more clear.
    
    Note that in sctp_association_init() when it fails in sctp_stream_init(),
    sctp_association_free() will not be called, and in that case it should
    go to 'stream_free' err path to free stream instead of 'fail_init'.
    
    Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
    Reported-by: Wei Chen <harperchen1110@gmail.com>
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Link: https://lore.kernel.org/r/831a3dc100c4908ff76e5bcc363be97f2778bc0b.1658787066.git.lucien.xin@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sfc: disable softirqs for ptp TX [+ + +]
Author: Alejandro Lucero <alejandro.lucero-palau@amd.com>
Date:   Tue Jul 26 08:45:04 2022 +0200

    sfc: disable softirqs for ptp TX
    
    [ Upstream commit 67c3b611d92fc238c43734878bc3e232ab570c79 ]
    
    Sending a PTP packet can imply to use the normal TX driver datapath but
    invoked from the driver's ptp worker. The kernel generic TX code
    disables softirqs and preemption before calling specific driver TX code,
    but the ptp worker does not. Although current ptp driver functionality
    does not require it, there are several reasons for doing so:
    
       1) The invoked code is always executed with softirqs disabled for non
          PTP packets.
       2) Better if a ptp packet transmission is not interrupted by softirq
          handling which could lead to high latencies.
       3) netdev_xmit_more used by the TX code requires preemption to be
          disabled.
    
    Indeed a solution for dealing with kernel preemption state based on static
    kernel configuration is not possible since the introduction of dynamic
    preemption level configuration at boot time using the static calls
    functionality.
    
    Fixes: f79c957a0b537 ("drivers: net: sfc: use netdev_xmit_more helper")
    Signed-off-by: Alejandro Lucero <alejandro.lucero-palau@amd.com>
    Link: https://lore.kernel.org/r/20220726064504.49613-1-alejandro.lucero-palau@amd.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp: Fix a data-race around sysctl_tcp_adv_win_scale. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:14 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
    
    commit 36eeee75ef0157e42fb6593dcc65daab289b559e upstream.
    
    While reading sysctl_tcp_adv_win_scale, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: Fix a data-race around sysctl_tcp_app_win. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:13 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_app_win.
    
    commit 02ca527ac5581cf56749db9fd03d854e842253dd upstream.
    
    While reading sysctl_tcp_app_win, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: Fix a data-race around sysctl_tcp_autocorking. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:25 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_autocorking.
    
    [ Upstream commit 85225e6f0a76e6745bc841c9f25169c509b573d8 ]
    
    While reading sysctl_tcp_autocorking, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: f54b311142a9 ("tcp: auto corking")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:21 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
    
    commit db3815a2fa691da145cfbe834584f31ad75df9ff upstream.
    
    While reading sysctl_tcp_challenge_ack_limit, it can be changed
    concurrently.  Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Fri Jul 22 11:22:01 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
    
    [ Upstream commit 4866b2b0f7672b6d760c4b8ece6fb56f965dcc8a ]
    
    While reading sysctl_tcp_comp_sack_delay_ns, it can be changed
    concurrently.  Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 6d82aa242092 ("tcp: add tcp_comp_sack_delay_ns sysctl")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: Fix a data-race around sysctl_tcp_comp_sack_nr. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Fri Jul 22 11:22:03 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
    
    [ Upstream commit 79f55473bfc8ac51bd6572929a679eeb4da22251 ]
    
    While reading sysctl_tcp_comp_sack_nr, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 9c21d2fc41c0 ("tcp: add tcp_comp_sack_nr sysctl")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: Fix a data-race around sysctl_tcp_frto. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:15 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_frto.
    
    commit 706c6202a3589f290e1ef9be0584a8f4a3cc0507 upstream.
    
    While reading sysctl_tcp_frto, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:26 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
    
    [ Upstream commit 2afdbe7b8de84c28e219073a6661080e1b3ded48 ]
    
    While reading sysctl_tcp_invalid_ratelimit, it can be changed
    concurrently.  Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 032ee4236954 ("tcp: helpers to mitigate ACK loops by rate-limiting out-of-window dupacks")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:20 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
    
    commit 9fb90193fbd66b4c5409ef729fd081861f8b6351 upstream.
    
    While reading sysctl_tcp_limit_output_bytes, it can be changed
    concurrently.  Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 46d3ceabd8d9 ("tcp: TCP Small Queues")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:24 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
    
    [ Upstream commit 1330ffacd05fc9ac4159d19286ce119e22450ed2 ]
    
    While reading sysctl_tcp_min_rtt_wlen, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: f672258391b4 ("tcp: track min RTT using windowed min-filter")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: Fix a data-race around sysctl_tcp_min_tso_segs. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:22 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
    
    [ Upstream commit e0bb4ab9dfddd872622239f49fb2bd403b70853b ]
    
    While reading sysctl_tcp_min_tso_segs, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 95bd09eb2750 ("tcp: TSO packets automatic sizing")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: Fix a data-race around sysctl_tcp_nometrics_save. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:16 2022 -0700

    tcp: Fix a data-race around sysctl_tcp_nometrics_save.
    
    commit 8499a2454d9e8a55ce616ede9f9580f36fd5b0f3 upstream.
    
    While reading sysctl_tcp_nometrics_save, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its reader.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: Fix data-races around sysctl_tcp_dsack. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Jul 20 09:50:12 2022 -0700

    tcp: Fix data-races around sysctl_tcp_dsack.
    
    commit 58ebb1c8b35a8ef38cd6927431e0fa7b173a632d upstream.
    
    While reading sysctl_tcp_dsack, it can be changed concurrently.
    Thus, we need to add READ_ONCE() to its readers.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
virtio-net: fix the race between refill work and close [+ + +]
Author: Jason Wang <jasowang@redhat.com>
Date:   Mon Jul 25 15:21:59 2022 +0800

    virtio-net: fix the race between refill work and close
    
    [ Upstream commit 5a159128faff151b7fe5f4eb0f310b1e0a2d56bf ]
    
    We try using cancel_delayed_work_sync() to prevent the work from
    enabling NAPI. This is insufficient since we don't disable the source
    of the refill work scheduling. This means an NAPI poll callback after
    cancel_delayed_work_sync() can schedule the refill work then can
    re-enable the NAPI that leads to use-after-free [1].
    
    Since the work can enable NAPI, we can't simply disable NAPI before
    calling cancel_delayed_work_sync(). So fix this by introducing a
    dedicated boolean to control whether or not the work could be
    scheduled from NAPI.
    
    [1]
    ==================================================================
    BUG: KASAN: use-after-free in refill_work+0x43/0xd4
    Read of size 2 at addr ffff88810562c92e by task kworker/2:1/42
    
    CPU: 2 PID: 42 Comm: kworker/2:1 Not tainted 5.19.0-rc1+ #480
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    Workqueue: events refill_work
    Call Trace:
     <TASK>
     dump_stack_lvl+0x34/0x44
     print_report.cold+0xbb/0x6ac
     ? _printk+0xad/0xde
     ? refill_work+0x43/0xd4
     kasan_report+0xa8/0x130
     ? refill_work+0x43/0xd4
     refill_work+0x43/0xd4
     process_one_work+0x43d/0x780
     worker_thread+0x2a0/0x6f0
     ? process_one_work+0x780/0x780
     kthread+0x167/0x1a0
     ? kthread_exit+0x50/0x50
     ret_from_fork+0x22/0x30
     </TASK>
    ...
    
    Fixes: b2baed69e605c ("virtio_net: set/cancel work on ndo_open/ndo_stop")
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>