From 4de4b98e607ed5d17a836b979688ccf9e4c04374 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 19 Apr 2024 07:43:51 -0400
Subject: Fixes for 5.4
Signed-off-by: Sasha Levin
---
...f_tables-fix-potential-data-race-in-__nft.patch | 58 ++++++++++++++
queue-5.4/series | 2 +
...rinting-rate-when-illegal-packet-received.patch | 91 ++++++++++++++++++++++
3 files changed, 151 insertions(+)
create mode 100644 queue-5.4/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch
create mode 100644 queue-5.4/tun-limit-printing-rate-when-illegal-packet-received.patch
diff --git a/queue-5.4/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch b/queue-5.4/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch
new file mode 100644
index 0000000000..552b11d5aa
--- /dev/null
+++ b/queue-5.4/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch
@@ -0,0 +1,58 @@
+From 518fe96715e41fc744cabf20338b86c159b00533 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 7 Apr 2024 14:56:04 +0800
+Subject: netfilter: nf_tables: Fix potential data-race in
+ __nft_expr_type_get()
+
+From: Ziyang Xuan
+
+[ Upstream commit f969eb84ce482331a991079ab7a5c4dc3b7f89bf ]
+
+nft_unregister_expr() can concurrent with __nft_expr_type_get(),
+and there is not any protection when iterate over nf_tables_expressions
+list in __nft_expr_type_get(). Therefore, there is potential data-race
+of nf_tables_expressions list entry.
+
+Use list_for_each_entry_rcu() to iterate over nf_tables_expressions
+list in __nft_expr_type_get(), and use rcu_read_lock() in the caller
+nft_expr_type_get() to protect the entire type query process.
+
+Fixes: ef1f7df9170d ("netfilter: nf_tables: expression ops overloading")
+Signed-off-by: Ziyang Xuan
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index b4bb93b9aafc7..8131d858f38d9 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2239,7 +2239,7 @@ static const struct nft_expr_type *__nft_expr_type_get(u8 family,
+ {
+ const struct nft_expr_type *type, *candidate = NULL;
+
+- list_for_each_entry(type, &nf_tables_expressions, list) {
++ list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
+ if (!nla_strcmp(nla, type->name)) {
+ if (!type->family && !candidate)
+ candidate = type;
+@@ -2271,9 +2271,13 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net,
+ if (nla == NULL)
+ return ERR_PTR(-EINVAL);
+
++ rcu_read_lock();
+ type = __nft_expr_type_get(family, nla);
+- if (type != NULL && try_module_get(type->owner))
++ if (type != NULL && try_module_get(type->owner)) {
++ rcu_read_unlock();
+ return type;
++ }
++ rcu_read_unlock();
+
+ lockdep_nfnl_nft_mutex_not_held();
+ #ifdef CONFIG_MODULES
+--
+2.43.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
index f612c8e6d8..6f1cc464c2 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -21,3 +21,5 @@ ring-buffer-only-update-pages_touched-when-a-new-pag.patch
 selftests-ftrace-limit-length-in-subsystem-enable-tests.patch
 kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch
 revert-tracing-trigger-fix-to-return-error-if-failed-to-alloc-snapshot.patch
+netfilter-nf_tables-fix-potential-data-race-in-__nft.patch
+tun-limit-printing-rate-when-illegal-packet-received.patch
diff --git a/queue-5.4/tun-limit-printing-rate-when-illegal-packet-received.patch b/queue-5.4/tun-limit-printing-rate-when-illegal-packet-received.patch
new file mode 100644
index 0000000000..4367f0e02b
--- /dev/null
+++ b/queue-5.4/tun-limit-printing-rate-when-illegal-packet-received.patch
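Review bot: In the queued netfilter patch, `__nft_expr_type_get()` now walks `nf_tables_expressions` with `list_for_each_entry_rcu()`, but nothing at the helper says what its callers must hold, and the only call site shown being wrapped in `rcu_read_lock()` is `nft_expr_type_get()`. Because this is a 5.4 backport, it is worth confirming that any other caller of the helper in that tree is also inside an RCU read-side section or otherwise excluded from `nft_unregister_expr()`; a caller that is not would still have the race the commit describes. I would add a comment above the helper such as `/* Caller must hold rcu_read_lock() or otherwise exclude nft_unregister_expr(). */`. A second short comment at the early `rcu_read_unlock()` could note that `type` is returned after the read-side section ends with only the `try_module_get()` reference taken. Both function bodies continue outside the quoted hunks.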
@@ -0,0 +1,91 @@
+From b25cc791c711d29bcb87a39452649d9a050ace9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Apr 2024 22:02:46 -0400
+Subject: tun: limit printing rate when illegal packet received by tun dev
+
+From: Lei Chen
+
+[ Upstream commit f8bbc07ac535593139c875ffa19af924b1084540 ]
+
+vhost_worker will call tun call backs to receive packets. If too many
+illegal packets arrives, tun_do_read will keep dumping packet contents.
+When console is enabled, it will costs much more cpu time to dump
+packet and soft lockup will be detected.
+
+net_ratelimit mechanism can be used to limit the dumping rate.
+
+PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980"
+ #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253
+ #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3
+ #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e
+ #3 [fffffe00003fced0] do_nmi at ffffffff8922660d
+ #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663
+ [exception RIP: io_serial_in+20]
+ RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002
+ RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000
+ RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0
+ RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f
+ R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020
+ R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #5 [ffffa655314979e8] io_serial_in at ffffffff89792594
+ #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470
+ #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6
+ #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605
+ #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558
+ #10 [ffffa65531497ac8] console_unlock at ffffffff89316124
+ #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07
+ #12 [ffffa65531497b68] printk at ffffffff89318306
+ #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765
+ #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]
+ #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]
+ #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]
+ #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]
+ #18 [ffffa65531497f10] kthread at ffffffff892d2e72
+ #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f
+
+Fixes: ef3db4a59542 ("tun: avoid BUG, dump packet on GSO errors")
+Signed-off-by: Lei Chen
+Reviewed-by: Willem de Bruijn
+Acked-by: Jason Wang
+Reviewed-by: Eric Dumazet
+Acked-by: Michael S. Tsirkin
+Link: https://lore.kernel.org/r/20240415020247.2207781-1-lei.chen@smartx.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/tun.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 47958e6bd77fb..3c52d0d24704f 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -2208,14 +2208,16 @@ static ssize_t tun_put_user(struct tun_struct *tun,
+ tun_is_little_endian(tun), true,
+ vlan_hlen)) {
+ struct skb_shared_info *sinfo = skb_shinfo(skb);
+- pr_err("unexpected GSO type: "
+- "0x%x, gso_size %d, hdr_len %d\n",
+- sinfo->gso_type, tun16_to_cpu(tun, gso.gso_size),
+- tun16_to_cpu(tun, gso.hdr_len));
+- print_hex_dump(KERN_ERR, "tun: ",
+- DUMP_PREFIX_NONE,
+- 16, 1, skb->head,
+- min((int)tun16_to_cpu(tun, gso.hdr_len), 64), true);
++
++ if (net_ratelimit()) {
++ netdev_err(tun->dev, "unexpected GSO type: 0x%x, gso_size %d, hdr_len %d\n",
++ sinfo->gso_type, tun16_to_cpu(tun, gso.gso_size),
++ tun16_to_cpu(tun, gso.hdr_len));
++ print_hex_dump(KERN_ERR, "tun: ",
++ DUMP_PREFIX_NONE,
++ 16, 1, skb->head,
++ min((int)tun16_to_cpu(tun, gso.hdr_len), 64), true);
++ }
+ WARN_ON_ONCE(1);
+ return -EINVAL;
+ }
+--
+2.43.0
+
-- cgit 1.2.3-korg
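Review bot: In the queued tun patch, the new `if (net_ratelimit())` guard in `tun_put_user()` draws on the one rate-limit budget shared by every `net_ratelimit()` caller. While a stream of malformed GSO packets is hitting this path, other networking warnings that use the same limiter can be suppressed, and this diagnostic can in turn be muted by unrelated noise. If that matters for triage, a limiter private to this call site keeps the throttling local, for example `static DEFINE_RATELIMIT_STATE(tun_gso_rs, DEFAULT_RATELIMIT_INTERVAL, DEFAULT_RATELIMIT_BURST);` checked with `if (__ratelimit(&tun_gso_rs))`; the name `tun_gso_rs` is a placeholder. Otherwise a comment such as `/* shared net_ratelimit() budget: a flood here can mute other net warnings */` would record the trade-off. The function body starts and ends outside the quoted hunk.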