kernel: backport 6.2 patch to fix kernel WARNING issues (#10936)

target/linux/generic/backport-5.4/904-v6.2-net-Remove-WARN_ON_ONCE-sk-sk_forward_alloc-from-sk_.patch

@@ -0,0 +1,103 @@
+From d8c9fd6fcdb9e0acec0cbefd3eedc19de83ea1b1 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Thu, 9 Feb 2023 16:22:02 -0800
+Subject: [PATCH] net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from
+ sk_stream_kill_queues().
+
+Christoph Paasch reported that commit b5fc29233d28 ("inet6: Remove
+inet6_destroy_sock() in sk->sk_prot->destroy().") started triggering
+WARN_ON_ONCE(sk->sk_forward_alloc) in sk_stream_kill_queues().  [0 - 2]
+Also, we can reproduce it by a program in [3].
+
+In the commit, we delay freeing ipv6_pinfo.pktoptions from sk->destroy()
+to sk->sk_destruct(), so sk->sk_forward_alloc is no longer zero in
+inet_csk_destroy_sock().
+
+The same check has been in inet_sock_destruct() from at least v2.6,
+we can just remove the WARN_ON_ONCE().  However, among the users of
+sk_stream_kill_queues(), only CAIF is not calling inet_sock_destruct().
+Thus, we add the same WARN_ON_ONCE() to caif_sock_destructor().
+
+[0]: https://lore.kernel.org/netdev/39725AB4-88F1-41B3-B07F-949C5CAEFF4F@icloud.com/
+[1]: https://github.com/multipath-tcp/mptcp_net-next/issues/341
+[2]:
+WARNING: CPU: 0 PID: 3232 at net/core/stream.c:212 sk_stream_kill_queues+0x2f9/0x3e0
+Modules linked in:
+CPU: 0 PID: 3232 Comm: syz-executor.0 Not tainted 6.2.0-rc5ab24eb4698afbe147b424149c529e2a43ec24eb5 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+RIP: 0010:sk_stream_kill_queues+0x2f9/0x3e0
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ec 00 00 00 8b ab 08 01 00 00 e9 60 ff ff ff e8 d0 5f b6 fe 0f 0b eb 97 e8 c7 5f b6 fe <0f> 0b eb a0 e8 be 5f b6 fe 0f 0b e9 6a fe ff ff e8 02 07 e3 fe e9
+RSP: 0018:ffff88810570fc68 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff888101f38f40 RSI: ffffffff8285e529 RDI: 0000000000000005
+RBP: 0000000000000ce0 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000ce0 R11: 0000000000000001 R12: ffff8881009e9488
+R13: ffffffff84af2cc0 R14: 0000000000000000 R15: ffff8881009e9458
+FS:  00007f7fdfbd5800(0000) GS:ffff88811b600000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32923000 CR3: 00000001062fc006 CR4: 0000000000170ef0
+Call Trace:
+ <TASK>
+ inet_csk_destroy_sock+0x1a1/0x320
+ __tcp_close+0xab6/0xe90
+ tcp_close+0x30/0xc0
+ inet_release+0xe9/0x1f0
+ inet6_release+0x4c/0x70
+ __sock_release+0xd2/0x280
+ sock_close+0x15/0x20
+ __fput+0x252/0xa20
+ task_work_run+0x169/0x250
+ exit_to_user_mode_prepare+0x113/0x120
+ syscall_exit_to_user_mode+0x1d/0x40
+ do_syscall_64+0x48/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x7f7fdf7ae28d
+Code: c1 20 00 00 75 10 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 37 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
+RSP: 002b:00000000007dfbb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
+RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f7fdf7ae28d
+RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003
+RBP: 0000000000000000 R08: 000000007f338e0f R09: 0000000000000e0f
+R10: 000000007f338e13 R11: 0000000000000293 R12: 00007f7fdefff000
+R13: 00007f7fdefffcd8 R14: 00007f7fdefffce0 R15: 00007f7fdefffcd8
+ </TASK>
+
+[3]: https://lore.kernel.org/netdev/20230208004245.83497-1-kuniyu@amazon.com/
+
+Fixes: b5fc29233d28 ("inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Christoph Paasch <christophpaasch@icloud.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/caif/caif_socket.c | 1 +
+ net/core/stream.c      | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 8fa98c62c4fc..53f19ee5642f 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -1022,6 +1022,7 @@ static void caif_sock_destructor(struct sock *sk)
+ 		return;
+ 	}
+ 	sk_stream_kill_queues(&cf_sk->sk);
++	WARN_ON(sk->sk_forward_alloc);
+ 	caif_free_client(&cf_sk->layer);
+ }
+ 
+diff --git a/net/core/stream.c b/net/core/stream.c
+index d7c5413d16d5..cd60746877b1 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -209,7 +209,6 @@ void sk_stream_kill_queues(struct sock *sk)
+ 	sk_mem_reclaim(sk);
+ 
+ 	WARN_ON(sk->sk_wmem_queued);
+-	WARN_ON(sk->sk_forward_alloc);
+ 
+ 	/* It is _impossible_ for the backlog to contain anything
+ 	 * when we get here.  All user references to this socket
+-- 
+2.34.1
+

target/linux/generic/backport-6.1/990-v6.2-net-Remove-WARN_ON_ONCE-sk-sk_forward_alloc-from-sk_.patch

@@ -0,0 +1,103 @@
+From 5d410c67ac7bfdf3e2487bf7b0189f1b767385df Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Thu, 9 Feb 2023 16:22:02 -0800
+Subject: [PATCH] net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from
+ sk_stream_kill_queues().
+
+Christoph Paasch reported that commit b5fc29233d28 ("inet6: Remove
+inet6_destroy_sock() in sk->sk_prot->destroy().") started triggering
+WARN_ON_ONCE(sk->sk_forward_alloc) in sk_stream_kill_queues().  [0 - 2]
+Also, we can reproduce it by a program in [3].
+
+In the commit, we delay freeing ipv6_pinfo.pktoptions from sk->destroy()
+to sk->sk_destruct(), so sk->sk_forward_alloc is no longer zero in
+inet_csk_destroy_sock().
+
+The same check has been in inet_sock_destruct() from at least v2.6,
+we can just remove the WARN_ON_ONCE().  However, among the users of
+sk_stream_kill_queues(), only CAIF is not calling inet_sock_destruct().
+Thus, we add the same WARN_ON_ONCE() to caif_sock_destructor().
+
+[0]: https://lore.kernel.org/netdev/39725AB4-88F1-41B3-B07F-949C5CAEFF4F@icloud.com/
+[1]: https://github.com/multipath-tcp/mptcp_net-next/issues/341
+[2]:
+WARNING: CPU: 0 PID: 3232 at net/core/stream.c:212 sk_stream_kill_queues+0x2f9/0x3e0
+Modules linked in:
+CPU: 0 PID: 3232 Comm: syz-executor.0 Not tainted 6.2.0-rc5ab24eb4698afbe147b424149c529e2a43ec24eb5 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+RIP: 0010:sk_stream_kill_queues+0x2f9/0x3e0
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ec 00 00 00 8b ab 08 01 00 00 e9 60 ff ff ff e8 d0 5f b6 fe 0f 0b eb 97 e8 c7 5f b6 fe <0f> 0b eb a0 e8 be 5f b6 fe 0f 0b e9 6a fe ff ff e8 02 07 e3 fe e9
+RSP: 0018:ffff88810570fc68 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff888101f38f40 RSI: ffffffff8285e529 RDI: 0000000000000005
+RBP: 0000000000000ce0 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000ce0 R11: 0000000000000001 R12: ffff8881009e9488
+R13: ffffffff84af2cc0 R14: 0000000000000000 R15: ffff8881009e9458
+FS:  00007f7fdfbd5800(0000) GS:ffff88811b600000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32923000 CR3: 00000001062fc006 CR4: 0000000000170ef0
+Call Trace:
+ <TASK>
+ inet_csk_destroy_sock+0x1a1/0x320
+ __tcp_close+0xab6/0xe90
+ tcp_close+0x30/0xc0
+ inet_release+0xe9/0x1f0
+ inet6_release+0x4c/0x70
+ __sock_release+0xd2/0x280
+ sock_close+0x15/0x20
+ __fput+0x252/0xa20
+ task_work_run+0x169/0x250
+ exit_to_user_mode_prepare+0x113/0x120
+ syscall_exit_to_user_mode+0x1d/0x40
+ do_syscall_64+0x48/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x7f7fdf7ae28d
+Code: c1 20 00 00 75 10 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 37 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
+RSP: 002b:00000000007dfbb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
+RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f7fdf7ae28d
+RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003
+RBP: 0000000000000000 R08: 000000007f338e0f R09: 0000000000000e0f
+R10: 000000007f338e13 R11: 0000000000000293 R12: 00007f7fdefff000
+R13: 00007f7fdefffcd8 R14: 00007f7fdefffce0 R15: 00007f7fdefffcd8
+ </TASK>
+
+[3]: https://lore.kernel.org/netdev/20230208004245.83497-1-kuniyu@amazon.com/
+
+Fixes: b5fc29233d28 ("inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Christoph Paasch <christophpaasch@icloud.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/caif/caif_socket.c | 1 +
+ net/core/stream.c      | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 748be7253248..78c9729a6057 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -1015,6 +1015,7 @@ static void caif_sock_destructor(struct sock *sk)
+ 		return;
+ 	}
+ 	sk_stream_kill_queues(&cf_sk->sk);
++	WARN_ON_ONCE(sk->sk_forward_alloc);
+ 	caif_free_client(&cf_sk->layer);
+ }
+ 
+diff --git a/net/core/stream.c b/net/core/stream.c
+index 516895f48235..cbb268c15251 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -209,7 +209,6 @@ void sk_stream_kill_queues(struct sock *sk)
+ 	sk_mem_reclaim_final(sk);
+ 
+ 	WARN_ON_ONCE(sk->sk_wmem_queued);
+-	WARN_ON_ONCE(sk->sk_forward_alloc);
+ 
+ 	/* It is _impossible_ for the backlog to contain anything
+ 	 * when we get here.  All user references to this socket
+-- 
+2.34.1
+

target/linux/generic/hack-6.1/993-Revert-dccp-tcp-Avoid-negative-sk_forward_alloc.patch

@@ -1,112 +0,0 @@
-From b925cb66d56c34213ada3283b90ac21348e47ed5 Mon Sep 17 00:00:00 2001
-From: 1054009064 <44148148+1054009064@users.noreply.github.com>
-Date: Sun, 26 Feb 2023 05:50:02 +0800
-Subject: [PATCH] Revert "dccp/tcp: Avoid negative sk_forward_alloc by
- ipv6_pinfo.pktoptions."
-
-This reverts commit ca43ccf41224b023fc290073d5603a755fd12eed.
----
- include/net/sock.h  | 13 -------------
- net/dccp/ipv6.c     |  7 +++++--
- net/ipv6/tcp_ipv6.c | 10 +++++++---
- 3 files changed, 12 insertions(+), 18 deletions(-)
-
-diff --git a/include/net/sock.h b/include/net/sock.h
-index 573f2bf7e0de..2cb258fde072 100644
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -2411,19 +2411,6 @@ static inline __must_check bool skb_set_owner_sk_safe(struct sk_buff *skb, struc
- 	return false;
- }
- 
--static inline struct sk_buff *skb_clone_and_charge_r(struct sk_buff *skb, struct sock *sk)
--{
--	skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
--	if (skb) {
--		if (sk_rmem_schedule(sk, skb, skb->truesize)) {
--			skb_set_owner_r(skb, sk);
--			return skb;
--		}
--		__kfree_skb(skb);
--	}
--	return NULL;
--}
--
- static inline void skb_prepare_for_gro(struct sk_buff *skb)
- {
- 	if (skb->destructor != sock_wfree) {
-diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
-index b9d7c3dd1cb3..4260fe466993 100644
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -551,9 +551,11 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
- 	*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
- 	/* Clone pktoptions received with SYN, if we own the req */
- 	if (*own_req && ireq->pktopts) {
--		newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
-+		newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC);
- 		consume_skb(ireq->pktopts);
- 		ireq->pktopts = NULL;
-+		if (newnp->pktoptions)
-+			skb_set_owner_r(newnp->pktoptions, newsk);
- 	}
- 
- 	return newsk;
-@@ -613,7 +615,7 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
- 					       --ANK (980728)
- 	 */
- 	if (np->rxopt.all)
--		opt_skb = skb_clone_and_charge_r(skb, sk);
-+		opt_skb = skb_clone(skb, GFP_ATOMIC);
- 
- 	if (sk->sk_state == DCCP_OPEN) { /* Fast path */
- 		if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len))
-@@ -677,6 +679,7 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
- 			np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
- 		if (ipv6_opt_accepted(sk, opt_skb,
- 				      &DCCP_SKB_CB(opt_skb)->header.h6)) {
-+			skb_set_owner_r(opt_skb, sk);
- 			memmove(IP6CB(opt_skb),
- 				&DCCP_SKB_CB(opt_skb)->header.h6,
- 				sizeof(struct inet6_skb_parm));
-diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index 1bf93b61aa06..926adb67863f 100644
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1388,11 +1388,14 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
- 
- 		/* Clone pktoptions received with SYN, if we own the req */
- 		if (ireq->pktopts) {
--			newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
-+			newnp->pktoptions = skb_clone(ireq->pktopts,
-+						      sk_gfp_mask(sk, GFP_ATOMIC));
- 			consume_skb(ireq->pktopts);
- 			ireq->pktopts = NULL;
--			if (newnp->pktoptions)
-+			if (newnp->pktoptions) {
- 				tcp_v6_restore_cb(newnp->pktoptions);
-+				skb_set_owner_r(newnp->pktoptions, newsk);
-+			}
- 		}
- 	} else {
- 		if (!req_unhash && found_dup_sk) {
-@@ -1464,7 +1467,7 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
- 					       --ANK (980728)
- 	 */
- 	if (np->rxopt.all)
--		opt_skb = skb_clone_and_charge_r(skb, sk);
-+		opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
- 
- 	reason = SKB_DROP_REASON_NOT_SPECIFIED;
- 	if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
-@@ -1550,6 +1553,7 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
- 		if (np->repflow)
- 			np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
- 		if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) {
-+			skb_set_owner_r(opt_skb, sk);
- 			tcp_v6_restore_cb(opt_skb);
- 			opt_skb = xchg(&np->pktoptions, opt_skb);
- 		} else {
--- 
-2.34.1
-