[PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[Zhengchao Shao]

There's no "pernet" variable in the struct hashinfo. The "pernet" variable
is introduced from v6.1-rc1. Revert pre-patch and post-patch.

Zhengchao Shao (2):
  Revert "tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()"
  Revert "tcp: Clean up kernel listener's reqsk in inet_twsk_purge()"

 net/ipv4/inet_timewait_sock.c | 32 +++++++++++---------------------
 1 file changed, 11 insertions(+), 21 deletions(-)

-- 
2.34.1

[PATCH stable,5.15 1/2] Revert "tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()"

[Zhengchao Shao]

This reverts commit 4fa0befa92f2adaef8eb268f724f38a213ab7dcc.

In order to revert commit 214a2dfbb84f("tcp: Clean up kernel listener's
reqsk in inet_twsk_purge()"), revert this patch.

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
---
 net/ipv4/inet_timewait_sock.c | 41 +++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index 25809e06f111..9b891d6296ec 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -254,12 +254,12 @@ void __inet_twsk_schedule(struct inet_timewait_sock *tw, int timeo, bool rearm)
 }
 EXPORT_SYMBOL_GPL(__inet_twsk_schedule);
 
-/* Remove all non full sockets (TIME_WAIT and NEW_SYN_RECV) for dead netns */
 void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
 {
+	struct inet_timewait_sock *tw;
+	struct sock *sk;
 	struct hlist_nulls_node *node;
 	unsigned int slot;
-	struct sock *sk;
 
 	for (slot = 0; slot <= hashinfo->ehash_mask; slot++) {
 		struct inet_ehash_bucket *head = &hashinfo->ehash[slot];
@@ -268,35 +268,38 @@ void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
 		rcu_read_lock();
 restart:
 		sk_nulls_for_each_rcu(sk, node, &head->chain) {
-			int state = inet_sk_state_load(sk);
+			if (sk->sk_state != TCP_TIME_WAIT) {
+				/* A kernel listener socket might not hold refcnt for net,
+				 * so reqsk_timer_handler() could be fired after net is
+				 * freed.  Userspace listener and reqsk never exist here.
+				 */
+				if (unlikely(sk->sk_state == TCP_NEW_SYN_RECV &&
+					     hashinfo->pernet)) {
+					struct request_sock *req = inet_reqsk(sk);
+
+					inet_csk_reqsk_queue_drop_and_put(req->rsk_listener, req);
+				}
 
-			if ((1 << state) & ~(TCPF_TIME_WAIT |
-					     TCPF_NEW_SYN_RECV))
 				continue;
+			}
 
-			if (sk->sk_family != family ||
-			    refcount_read(&sock_net(sk)->ns.count))
+			tw = inet_twsk(sk);
+			if ((tw->tw_family != family) ||
+				refcount_read(&twsk_net(tw)->ns.count))
 				continue;
 
-			if (unlikely(!refcount_inc_not_zero(&sk->sk_refcnt)))
+			if (unlikely(!refcount_inc_not_zero(&tw->tw_refcnt)))
 				continue;
 
-			if (unlikely(sk->sk_family != family ||
-				     refcount_read(&sock_net(sk)->ns.count))) {
-				sock_gen_put(sk);
+			if (unlikely((tw->tw_family != family) ||
+				     refcount_read(&twsk_net(tw)->ns.count))) {
+				inet_twsk_put(tw);
 				goto restart;
 			}
 
 			rcu_read_unlock();
 			local_bh_disable();
-			if (state == TCP_TIME_WAIT) {
-				inet_twsk_deschedule_put(inet_twsk(sk));
-			} else {
-				struct request_sock *req = inet_reqsk(sk);
-
-				inet_csk_reqsk_queue_drop_and_put(req->rsk_listener,
-								  req);
-			}
+			inet_twsk_deschedule_put(tw);
 			local_bh_enable();
 			goto restart_rcu;
 		}
-- 
2.34.1

[PATCH stable,5.15 2/2] Revert "tcp: Clean up kernel listener's reqsk in inet_twsk_purge()"

[Zhengchao Shao]

This reverts commit 214a2dfbb84fcbdada0b1909ce843b7671b29d27.

There's no "pernet" variable in the struct hashinfo. The "pernet" variable
is introduced from v6.1-rc1. Revert this patch.

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
---
 net/ipv4/inet_timewait_sock.c | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index 9b891d6296ec..437afe392e66 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -268,21 +268,8 @@ void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
 		rcu_read_lock();
 restart:
 		sk_nulls_for_each_rcu(sk, node, &head->chain) {
-			if (sk->sk_state != TCP_TIME_WAIT) {
-				/* A kernel listener socket might not hold refcnt for net,
-				 * so reqsk_timer_handler() could be fired after net is
-				 * freed.  Userspace listener and reqsk never exist here.
-				 */
-				if (unlikely(sk->sk_state == TCP_NEW_SYN_RECV &&
-					     hashinfo->pernet)) {
-					struct request_sock *req = inet_reqsk(sk);
-
-					inet_csk_reqsk_queue_drop_and_put(req->rsk_listener, req);
-				}
-
+			if (sk->sk_state != TCP_TIME_WAIT)
 				continue;
-			}
-
 			tw = inet_twsk(sk);
 			if ((tw->tw_family != family) ||
 				refcount_read(&twsk_net(tw)->ns.count))
-- 
2.34.1

Re: [PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[Greg KH]

On Mon, May 06, 2024 at 11:05:52AM +0800, Zhengchao Shao wrote:
> There's no "pernet" variable in the struct hashinfo. The "pernet" variable
> is introduced from v6.1-rc1. Revert pre-patch and post-patch.

I do not understand, why are these reverts needed?

How does the code currently build if there is no variable here?

confused,

greg k-h

Re: [PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[Greg KH]

On Mon, May 06, 2024 at 11:05:52AM +0800, Zhengchao Shao wrote:
> There's no "pernet" variable in the struct hashinfo. The "pernet" variable
> is introduced from v6.1-rc1. Revert pre-patch and post-patch.

But right now, there is no "pernet" variable in the tree.

I'm confused, what are you trying to do here by reverting these two
commits?  Why are reverts required?

greg k-h

Re: [PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[shaozhengchao]

On 2024/5/23 19:34, Greg KH wrote:
> On Mon, May 06, 2024 at 11:05:52AM +0800, Zhengchao Shao wrote:
>> There's no "pernet" variable in the struct hashinfo. The "pernet" variable
>> is introduced from v6.1-rc1. Revert pre-patch and post-patch.
> 
> I do not understand, why are these reverts needed?
> 
> How does the code currently build if there is no variable here?
> 
> confused,
> 
> greg k-h
Hi greg:
   If only the first patch is merged, compilation will fail.
There's no "pernet" variable in the struct hashinfo.

Thank you

Zhengchao Shao

Re: [PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[Greg KH]

On Sat, May 25, 2024 at 05:33:00PM +0800, shaozhengchao wrote:
> 
> 
> On 2024/5/23 19:34, Greg KH wrote:
> > On Mon, May 06, 2024 at 11:05:52AM +0800, Zhengchao Shao wrote:
> > > There's no "pernet" variable in the struct hashinfo. The "pernet" variable
> > > is introduced from v6.1-rc1. Revert pre-patch and post-patch.
> > 
> > I do not understand, why are these reverts needed?
> > 
> > How does the code currently build if there is no variable here?
> > 
> > confused,
> > 
> > greg k-h
> Hi greg:
>   If only the first patch is merged, compilation will fail.
> There's no "pernet" variable in the struct hashinfo.

But both patches are merged together here.  Does the released kernel
versions fail to build somehow?

thanks,

greg k-h

Re: [PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[shaozhengchao]

On 2024/5/25 17:42, Greg KH wrote:
> On Sat, May 25, 2024 at 05:33:00PM +0800, shaozhengchao wrote:
>>
>>
>> On 2024/5/23 19:34, Greg KH wrote:
>>> On Mon, May 06, 2024 at 11:05:52AM +0800, Zhengchao Shao wrote:
>>>> There's no "pernet" variable in the struct hashinfo. The "pernet" variable
>>>> is introduced from v6.1-rc1. Revert pre-patch and post-patch.
>>>
>>> I do not understand, why are these reverts needed?
>>>
>>> How does the code currently build if there is no variable here?
>>>
>>> confused,
>>>
>>> greg k-h
>> Hi greg:
>>    If only the first patch is merged, compilation will fail.
>> There's no "pernet" variable in the struct hashinfo.
> 
> But both patches are merged together here.  Does the released kernel
> versions fail to build somehow?
> 
> thanks,
> 
> greg k-h
> 
Work well, as I know.

Thank you

Zhengchao Shao

Re: [PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[Greg KH]

On Sat, May 25, 2024 at 06:21:08PM +0800, shaozhengchao wrote:
> 
> 
> On 2024/5/25 17:42, Greg KH wrote:
> > On Sat, May 25, 2024 at 05:33:00PM +0800, shaozhengchao wrote:
> > > 
> > > 
> > > On 2024/5/23 19:34, Greg KH wrote:
> > > > On Mon, May 06, 2024 at 11:05:52AM +0800, Zhengchao Shao wrote:
> > > > > There's no "pernet" variable in the struct hashinfo. The "pernet" variable
> > > > > is introduced from v6.1-rc1. Revert pre-patch and post-patch.
> > > > 
> > > > I do not understand, why are these reverts needed?
> > > > 
> > > > How does the code currently build if there is no variable here?
> > > > 
> > > > confused,
> > > > 
> > > > greg k-h
> > > Hi greg:
> > >    If only the first patch is merged, compilation will fail.
> > > There's no "pernet" variable in the struct hashinfo.
> > 
> > But both patches are merged together here.  Does the released kernel
> > versions fail to build somehow?
> > 
> > thanks,
> > 
> > greg k-h
> > 
> Work well, as I know.

Ok, then why send these reverts?  Are they needed, or are they not
needed?  And if needed, why?

still confused,

greg k-h

Re: [PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[shaozhengchao]

On 2024/5/25 18:42, Greg KH wrote:
> On Sat, May 25, 2024 at 06:21:08PM +0800, shaozhengchao wrote:
>>
>>
>> On 2024/5/25 17:42, Greg KH wrote:
>>> On Sat, May 25, 2024 at 05:33:00PM +0800, shaozhengchao wrote:
>>>>
>>>>
>>>> On 2024/5/23 19:34, Greg KH wrote:
>>>>> On Mon, May 06, 2024 at 11:05:52AM +0800, Zhengchao Shao wrote:
>>>>>> There's no "pernet" variable in the struct hashinfo. The "pernet" variable
>>>>>> is introduced from v6.1-rc1. Revert pre-patch and post-patch.
>>>>>
>>>>> I do not understand, why are these reverts needed?
>>>>>
>>>>> How does the code currently build if there is no variable here?
>>>>>
>>>>> confused,
>>>>>
>>>>> greg k-h
>>>> Hi greg:
>>>>     If only the first patch is merged, compilation will fail.
>>>> There's no "pernet" variable in the struct hashinfo.
>>>
>>> But both patches are merged together here.  Does the released kernel
>>> versions fail to build somehow?
>>>
>>> thanks,
>>>
>>> greg k-h
>>>
>> Work well, as I know.
> 
> Ok, then why send these reverts?  Are they needed, or are they not
> needed?  And if needed, why?
> 
> still confused,
> 
> greg k-h
> 
Hi greg:
   If the patchset is merged together, and the compilation is normal. I'm
just concerned that some people only put in one of the patchset and 
forget to put in both of them, which will be a problem.

Thank you.

Zhengchao Shao

Re: [PATCH stable,5.15 0/2] Revert the patchset for fix CVE-2024-26865

[Greg KH]

On Wed, May 29, 2024 at 03:59:31PM +0800, shaozhengchao wrote:
> 
> 
> On 2024/5/25 18:42, Greg KH wrote:
> > On Sat, May 25, 2024 at 06:21:08PM +0800, shaozhengchao wrote:
> > > 
> > > 
> > > On 2024/5/25 17:42, Greg KH wrote:
> > > > On Sat, May 25, 2024 at 05:33:00PM +0800, shaozhengchao wrote:
> > > > > 
> > > > > 
> > > > > On 2024/5/23 19:34, Greg KH wrote:
> > > > > > On Mon, May 06, 2024 at 11:05:52AM +0800, Zhengchao Shao wrote:
> > > > > > > There's no "pernet" variable in the struct hashinfo. The "pernet" variable
> > > > > > > is introduced from v6.1-rc1. Revert pre-patch and post-patch.
> > > > > > 
> > > > > > I do not understand, why are these reverts needed?
> > > > > > 
> > > > > > How does the code currently build if there is no variable here?
> > > > > > 
> > > > > > confused,
> > > > > > 
> > > > > > greg k-h
> > > > > Hi greg:
> > > > >     If only the first patch is merged, compilation will fail.
> > > > > There's no "pernet" variable in the struct hashinfo.
> > > > 
> > > > But both patches are merged together here.  Does the released kernel
> > > > versions fail to build somehow?
> > > > 
> > > > thanks,
> > > > 
> > > > greg k-h
> > > > 
> > > Work well, as I know.
> > 
> > Ok, then why send these reverts?  Are they needed, or are they not
> > needed?  And if needed, why?
> > 
> > still confused,
> > 
> > greg k-h
> > 
> Hi greg:
>   If the patchset is merged together, and the compilation is normal. I'm
> just concerned that some people only put in one of the patchset and forget
> to put in both of them, which will be a problem.

That's not our responsibility at all.  There is a reason we do releases,
not just individual commits.  We test and release changes all at the
same time, and so, you should just take them all please.  Otherwise you
are on your own and usually end up with a broken system.

good luck!

greg k-h