5.4-stable patches

added patches:
	nfp-fix-use-after-free-in-area_cache_get.patch

diff --git a/queue-5.4/nfp-fix-use-after-free-in-area_cache_get.patch b/queue-5.4/nfp-fix-use-after-free-in-area_cache_get.patch
new file mode 100644 (file)
index 0000000..0feff5b
--- /dev/null
+++ b/queue-5.4/nfp-fix-use-after-free-in-area_cache_get.patch
@@ -0,0 +1,74 @@
+From 02e1a114fdb71e59ee6770294166c30d437bf86a Mon Sep 17 00:00:00 2001
+From: Jialiang Wang <wangjialiang0806@163.com>
+Date: Wed, 10 Aug 2022 15:30:57 +0800
+Subject: nfp: fix use-after-free in area_cache_get()
+
+From: Jialiang Wang <wangjialiang0806@163.com>
+
+commit 02e1a114fdb71e59ee6770294166c30d437bf86a upstream.
+
+area_cache_get() is used to distribute cache->area and set cache->id,
+ and if cache->id is not 0 and cache->area->kref refcount is 0, it will
+ release the cache->area by nfp_cpp_area_release(). area_cache_get()
+ set cache->id before cpp->op->area_init() and nfp_cpp_area_acquire().
+
+But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is
+ is already set but the refcount is not increased as expected. At this
+ time, calling the nfp_cpp_area_release() will cause use-after-free.
+
+To avoid the use-after-free, set cache->id after area_init() and
+ nfp_cpp_area_acquire() complete successfully.
+
+Note: This vulnerability is triggerable by providing emulated device
+ equipped with specified configuration.
+
+ BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)
+  Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1
+
+ Call Trace:
+  <TASK>
+ nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)
+ area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884)
+
+ Allocated by task 1:
+ nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303)
+ nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802)
+ nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230)
+ nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215)
+ nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744)
+
+ Freed by task 1:
+ kfree (mm/slub.c:4562)
+ area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873)
+ nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973)
+ nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48)
+
+Signed-off-by: Jialiang Wang <wangjialiang0806@163.com>
+Reviewed-by: Yinjun Zhang <yinjun.zhang@corigine.com>
+Acked-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
+@@ -874,7 +874,6 @@ area_cache_get(struct nfp_cpp *cpp, u32
+       }
+ 
+       /* Adjust the start address to be cache size aligned */
+-      cache->id = id;
+       cache->addr = addr & ~(u64)(cache->size - 1);
+ 
+       /* Re-init to the new ID and address */
+@@ -894,6 +893,8 @@ area_cache_get(struct nfp_cpp *cpp, u32
+               return NULL;
+       }
+ 
++      cache->id = id;
++
+ exit:
+       /* Adjust offset */
+       *offset = addr - cache->addr;

diff --git a/queue-5.4/series b/queue-5.4/series
index 3da4f4b3befb59871ec810decb9c79fdf264c1d3..73771aaaa51a29e629503f07393f284eb270069b 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -2,3 +2,4 @@ net-bpf-allow-tc-programs-to-call-bpf_func_skb_change_head.patch
 x86-smpboot-move-rcu_cpu_starting-earlier.patch
 mm-hugetlb-fix-races-when-looking-up-a-cont-pte-pmd-size-hugetlb-page.patch
 block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
+nfp-fix-use-after-free-in-area_cache_get.patch