5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Jan 2025 14:48:16 +0000 (15:48 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Jan 2025 14:48:16 +0000 (15:48 +0100)
added patches:
vsock-prevent-null-ptr-deref-in-vsock_.patch
vsock-virtio-discard-packets-if-the-transport-changes.patch
x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch

queue-5.10/series
queue-5.10/vsock-prevent-null-ptr-deref-in-vsock_.patch [new file with mode: 0644]
queue-5.10/vsock-virtio-discard-packets-if-the-transport-changes.patch [new file with mode: 0644]
queue-5.10/x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch [new file with mode: 0644]

index cc1e9936adc8a519d932f47a1cd9bde1211a946e..260289ed681dc444aa2792fc60d1eca37a6b55be 100644 (file)
@@ -119,3 +119,6 @@ blk-cgroup-fix-uaf-in-blkcg_unpin_online.patch
 ipv6-avoid-possible-null-deref-in-rt6_uncached_list_flush_dev.patch
 nfsd-add-list_head-nf_gc-to-struct-nfsd_file.patch
 fou-remove-warn-in-gue_gro_receive-on-unsupported-protocol.patch
+vsock-virtio-discard-packets-if-the-transport-changes.patch
+vsock-prevent-null-ptr-deref-in-vsock_.patch
+x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch
diff --git a/queue-5.10/vsock-prevent-null-ptr-deref-in-vsock_.patch b/queue-5.10/vsock-prevent-null-ptr-deref-in-vsock_.patch
new file mode 100644 (file)
index 0000000..a681425
--- /dev/null
@@ -0,0 +1,62 @@
+From 91751e248256efc111e52e15115840c35d85abaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:11 +0100
+Subject: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 91751e248256efc111e52e15115840c35d85abaf upstream.
+
+Recent reports have shown how we sometimes call vsock_*_has_data()
+when a vsock socket has been de-assigned from a transport (see attached
+links), but we shouldn't.
+
+Previous commits should have solved the real problems, but we may have
+more in the future, so to avoid null-ptr-deref, we can return 0
+(no space, no data available) but with a warning.
+
+This way the code should continue to run in a nearly consistent state
+and have a warning that allows us to debug future problems.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/
+Link: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/
+Link: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/
+Co-developed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Co-developed-by: Wongi Lee <qwerty@theori.io>
+Signed-off-by: Wongi Lee <qwerty@theori.io>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[SG: fixed conflict since this tree is missing vsock_connectible_has_data()
+ added by commit 0798e78b102b ("af_vsock: rest of SEQPACKET support")]
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -837,12 +837,18 @@ EXPORT_SYMBOL_GPL(vsock_create_connected
+ s64 vsock_stream_has_data(struct vsock_sock *vsk)
+ {
++      if (WARN_ON(!vsk->transport))
++              return 0;
++
+       return vsk->transport->stream_has_data(vsk);
+ }
+ EXPORT_SYMBOL_GPL(vsock_stream_has_data);
+ s64 vsock_stream_has_space(struct vsock_sock *vsk)
+ {
++      if (WARN_ON(!vsk->transport))
++              return 0;
++
+       return vsk->transport->stream_has_space(vsk);
+ }
+ EXPORT_SYMBOL_GPL(vsock_stream_has_space);
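Review bot: The guard added to vsock_stream_has_data() and vsock_stream_has_space() uses WARN_ON(), which fires on every call; the commit message itself says the known causes are fixed but more may exist, so if a de-assigned socket is reachable repeatedly from user space the log is flooded and, on systems booted with panic_on_warn, a defensive check becomes a crash. WARN_ON_ONCE() keeps the debugging signal with less exposure: `if (WARN_ON_ONCE(!vsk->transport))`. Returning 0 matches the rationale in the description, but nothing in the code says why 0 is the safe value; a one-line comment above each check, such as `/* transport de-assigned: report no data / no space rather than dereference NULL */`, would carry that reasoning into the source.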
diff --git a/queue-5.10/vsock-virtio-discard-packets-if-the-transport-changes.patch b/queue-5.10/vsock-virtio-discard-packets-if-the-transport-changes.patch
new file mode 100644 (file)
index 0000000..1660f98
--- /dev/null
@@ -0,0 +1,50 @@
+From 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:07 +0100
+Subject: vsock/virtio: discard packets if the transport changes
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 upstream.
+
+If the socket has been de-assigned or assigned to another transport,
+we must discard any packets received because they are not expected
+and would cause issues when we access vsk->transport.
+
+A possible scenario is described by Hyunwoo Kim in the attached link,
+where after a first connect() interrupted by a signal, and a second
+connect() failed, we can find `vsk->transport` at NULL, leading to a
+NULL pointer dereference.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim <v4bel@theori.io>
+Reported-by: Wongi Lee <qwerty@theori.io>
+Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[SG: fixed context conflict since this tree is missing commit 71dc9ec9ac7d
+ ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")]
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1171,8 +1171,11 @@ void virtio_transport_recv_pkt(struct vi
+       lock_sock(sk);
+-      /* Check if sk has been closed before lock_sock */
+-      if (sock_flag(sk, SOCK_DONE)) {
++      /* Check if sk has been closed or assigned to another transport before
++       * lock_sock (note: listener sockets are not assigned to any transport)
++       */
++      if (sock_flag(sk, SOCK_DONE) ||
++          (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) {
+               (void)virtio_transport_reset_no_sock(t, pkt);
+               release_sock(sk);
+               sock_put(sk);
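Review bot: The new condition treats a NULL `vsk->transport` (de-assigned) and a different transport identically, but the rewritten comment only mentions "assigned to another transport", while the NULL case is the one the commit message describes; the comment should name it, e.g. `/* Check if sk has been closed, de-assigned (vsk->transport == NULL) or assigned to another transport before lock_sock (listeners have no transport) */`. The discard path replies through virtio_transport_reset_no_sock(t, pkt), i.e. via the receiving transport rather than `vsk->transport`, which presumably is what makes it safe to run here; stating that in the comment would help the next reader. The enclosing function virtio_transport_recv_pkt() starts and ends outside the hunk, so how `vsk` is derived from `sk` is not visible here.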
diff --git a/queue-5.10/x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch b/queue-5.10/x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch
new file mode 100644 (file)
index 0000000..c7bce0a
--- /dev/null
@@ -0,0 +1,31 @@
+From jgross@suse.com  Tue Jan 21 15:16:05 2025
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 17 Jan 2025 12:05:51 +0100
+Subject: x86/xen: fix SLS mitigation in xen_hypercall_iret()
+To: gregkh@linuxfoundation.org
+Cc: stable@vger.kernel.org, Juergen Gross <jgross@suse.com>
+Message-ID: <20250117110551.13930-1-jgross@suse.com>
+
+From: Juergen Gross <jgross@suse.com>
+
+The backport of upstream patch a2796dff62d6 ("x86/xen: don't do PV iret
+hypercall through hypercall page") missed to adapt the SLS mitigation
+config check from CONFIG_MITIGATION_SLS to CONFIG_SLS.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/xen/xen-asm.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/xen/xen-asm.S
++++ b/arch/x86/xen/xen-asm.S
+@@ -242,7 +242,7 @@ SYM_CODE_END(xen_early_idt_handler_array
+       push %rax
+       mov  $__HYPERVISOR_iret, %eax
+       syscall         /* Do the IRET. */
+-#ifdef CONFIG_MITIGATION_SLS
++#ifdef CONFIG_SLS
+       int3
+ #endif
+ .endm
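Review bot: The corrected `#ifdef CONFIG_SLS` guard around `int3` carries no comment, and the backport shows why that matters: a guard on a Kconfig symbol that does not exist in this tree compiles cleanly and silently drops the mitigation. A short comment, `int3 /* SLS mitigation: stop straight-line speculation past the syscall */`, would document the intent. This class of mismatch is detectable with scripts/checkkconfigsymbols.py in the kernel tree, which reports references to undefined Kconfig symbols and could be run over backports. The macro this sits in begins outside the hunk; only its tail up to `.endm` is visible.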