5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 23 May 2022 16:34:44 +0000 (18:34 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 23 May 2022 16:34:44 +0000 (18:34 +0200)
added patches:
include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch
module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch
net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch

queue-5.10/include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch [new file with mode: 0644]
queue-5.10/module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch [new file with mode: 0644]
queue-5.10/net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch b/queue-5.10/include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch
new file mode 100644 (file)
index 0000000..17c57d7
--- /dev/null
@@ -0,0 +1,68 @@
+From 844f7eaaed9267ae17d33778efe65548cc940205 Mon Sep 17 00:00:00 2001
+From: Eugene Syromiatnikov <esyr@redhat.com>
+Date: Sun, 12 Sep 2021 14:22:34 +0200
+Subject: include/uapi/linux/xfrm.h: Fix XFRM_MSG_MAPPING ABI breakage
+
+From: Eugene Syromiatnikov <esyr@redhat.com>
+
+commit 844f7eaaed9267ae17d33778efe65548cc940205 upstream.
+
+Commit 2d151d39073a ("xfrm: Add possibility to set the default to block
+if we have no policy") broke ABI by changing the value of the XFRM_MSG_MAPPING
+enum item, thus also evading the build-time check
+in security/selinux/nlmsgtab.c:selinux_nlmsg_lookup for presence of proper
+security permission checks in nlmsg_xfrm_perms.  Fix it by placing
+XFRM_MSG_SETDEFAULT/XFRM_MSG_GETDEFAULT to the end of the enum, right before
+__XFRM_MSG_MAX, and updating the nlmsg_xfrm_perms accordingly.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+References: https://lore.kernel.org/netdev/20210901151402.GA2557@altlinux.org/
+Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
+Acked-by: Antony Antony <antony.antony@secunet.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/xfrm.h   |    6 +++---
+ security/selinux/nlmsgtab.c |    4 +++-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -213,13 +213,13 @@ enum {
+       XFRM_MSG_GETSPDINFO,
+ #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
++      XFRM_MSG_MAPPING,
++#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
++
+       XFRM_MSG_SETDEFAULT,
+ #define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
+       XFRM_MSG_GETDEFAULT,
+ #define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
+-
+-      XFRM_MSG_MAPPING,
+-#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
+       __XFRM_MSG_MAX
+ };
+ #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
+--- a/security/selinux/nlmsgtab.c
++++ b/security/selinux/nlmsgtab.c
+@@ -123,6 +123,8 @@ static const struct nlmsg_perm nlmsg_xfr
+       { XFRM_MSG_NEWSPDINFO,  NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+       { XFRM_MSG_GETSPDINFO,  NETLINK_XFRM_SOCKET__NLMSG_READ  },
+       { XFRM_MSG_MAPPING,     NETLINK_XFRM_SOCKET__NLMSG_READ  },
++      { XFRM_MSG_SETDEFAULT,  NETLINK_XFRM_SOCKET__NLMSG_WRITE },
++      { XFRM_MSG_GETDEFAULT,  NETLINK_XFRM_SOCKET__NLMSG_READ  },
+ };
+ static const struct nlmsg_perm nlmsg_audit_perms[] =
+@@ -186,7 +188,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16
+                * structures at the top of this file with the new mappings
+                * before updating the BUILD_BUG_ON() macro!
+                */
+-              BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_MAPPING);
++              BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT);
+               err = nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
+                                sizeof(nlmsg_xfrm_perms));
+               break;
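Review bot: The updated `BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT)` in selinux_nlmsg_lookup() still pins only the last enumerator, so it would not catch a message type inserted in the middle of the enum in include/uapi/linux/xfrm.h, which is how the commit message says the original breakage got past the check. Nothing in the xfrm.h hunk records the append-only rule, so I would add a comment directly above `__XFRM_MSG_MAX`: `/* UAPI: add new message types here, immediately before __XFRM_MSG_MAX; never insert or reorder. */`. Each new type also needs a row in `nlmsg_xfrm_perms`, as done here for SETDEFAULT (write) and GETDEFAULT (read). The enum opens above the hunk, so whether it already carries such a comment is not visible.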
diff --git a/queue-5.10/module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch b/queue-5.10/module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch
new file mode 100644 (file)
index 0000000..00982c7
--- /dev/null
@@ -0,0 +1,87 @@
+From 055f23b74b20f2824ce33047b4cf2e2aa856bf3b Mon Sep 17 00:00:00 2001
+From: Jessica Yu <jeyu@kernel.org>
+Date: Wed, 12 May 2021 15:45:46 +0200
+Subject: module: check for exit sections in layout_sections() instead of module_init_section()
+
+From: Jessica Yu <jeyu@kernel.org>
+
+commit 055f23b74b20f2824ce33047b4cf2e2aa856bf3b upstream.
+
+Previously, when CONFIG_MODULE_UNLOAD=n, the module loader just does not
+attempt to load exit sections since it never expects that any code in those
+sections will ever execute. However, dynamic code patching (alternatives,
+jump_label and static_call) can have sites in __exit code, even if __exit is
+never executed. Therefore __exit must be present at runtime, at least for as
+long as __init code is.
+
+Commit 33121347fb1c ("module: treat exit sections the same as init
+sections when !CONFIG_MODULE_UNLOAD") solves the requirements of
+jump_labels and static_calls by putting the exit sections in the init
+region of the module so that they are at least present at init, and
+discarded afterwards. It does this by including a check for exit
+sections in module_init_section(), so that it also returns true for exit
+sections, and the module loader will automatically sort them in the init
+region of the module.
+
+However, the solution there was not completely arch-independent. ARM is
+a special case where it supplies its own module_{init, exit}_section()
+functions. Instead of pushing the exit section checks into
+module_init_section(), just implement the exit section check in
+layout_sections(), so that we don't have to touch arch-dependent code.
+
+Fixes: 33121347fb1c ("module: treat exit sections the same as init sections when !CONFIG_MODULE_UNLOAD")
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/module.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2280,6 +2280,15 @@ void *__symbol_get(const char *symbol)
+ }
+ EXPORT_SYMBOL_GPL(__symbol_get);
++static bool module_init_layout_section(const char *sname)
++{
++#ifndef CONFIG_MODULE_UNLOAD
++      if (module_exit_section(sname))
++              return true;
++#endif
++      return module_init_section(sname);
++}
++
+ /*
+  * Ensure that an exported symbol [global namespace] does not already exist
+  * in the kernel or in some other module's exported symbol table.
+@@ -2489,7 +2498,7 @@ static void layout_sections(struct modul
+                       if ((s->sh_flags & masks[m][0]) != masks[m][0]
+                           || (s->sh_flags & masks[m][1])
+                           || s->sh_entsize != ~0UL
+-                          || module_init_section(sname))
++                          || module_init_layout_section(sname))
+                               continue;
+                       s->sh_entsize = get_offset(mod, &mod->core_layout.size, s, i);
+                       pr_debug("\t%s\n", sname);
+@@ -2522,7 +2531,7 @@ static void layout_sections(struct modul
+                       if ((s->sh_flags & masks[m][0]) != masks[m][0]
+                           || (s->sh_flags & masks[m][1])
+                           || s->sh_entsize != ~0UL
+-                          || !module_init_section(sname))
++                          || !module_init_layout_section(sname))
+                               continue;
+                       s->sh_entsize = (get_offset(mod, &mod->init_layout.size, s, i)
+                                        | INIT_OFFSET_MASK);
+@@ -2861,11 +2870,7 @@ void * __weak module_alloc(unsigned long
+ bool __weak module_init_section(const char *name)
+ {
+-#ifndef CONFIG_MODULE_UNLOAD
+-      return strstarts(name, ".init") || module_exit_section(name);
+-#else
+       return strstarts(name, ".init");
+-#endif
+ }
+ bool __weak module_exit_section(const char *name)
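Review bot: The new static helper `module_init_layout_section()` in kernel/module.c has no comment, so the reason exit sections count as init only under `#ifndef CONFIG_MODULE_UNLOAD` lives solely in the commit message. I would put above it: `/* Without CONFIG_MODULE_UNLOAD, lay out exit sections in the init region: code-patching sites may live in __exit, so it must stay present as long as __init does. */`. That also makes clear that the exit-section handling now sits in the generic layout path rather than in the weak, arch-overridable `module_init_section()`. layout_sections() itself starts and ends outside the visible hunks.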
diff --git a/queue-5.10/net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch b/queue-5.10/net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch
new file mode 100644 (file)
index 0000000..f93d036
--- /dev/null
@@ -0,0 +1,38 @@
+From 3c10ffddc61f8a1a59e29a110ba70b47e679206a Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 2 Sep 2021 22:04:00 +0300
+Subject: net: xfrm: fix shift-out-of-bounds in xfrm_get_default
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 3c10ffddc61f8a1a59e29a110ba70b47e679206a upstream.
+
+Syzbot hit shift-out-of-bounds in xfrm_get_default. The problem was in
+missing validation check for user data.
+
+up->dirmask comes from user-space, so we need to check if this value
+is less than XFRM_USERPOLICY_DIRMASK_MAX to avoid shift-out-of-bounds bugs.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Reported-and-tested-by: syzbot+b2be9dd8ca6f6c73ee2d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1989,6 +1989,11 @@ static int xfrm_get_default(struct sk_bu
+               return -EMSGSIZE;
+       }
++      if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX) {
++              kfree_skb(r_skb);
++              return -EINVAL;
++      }
++
+       r_up = nlmsg_data(r_nlh);
+       r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
+       r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
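Review bot: The added `up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX` check in xfrm_get_default() runs after `r_skb` already exists, so the invalid-input path has to `kfree_skb(r_skb)`. Validating the user-supplied field before the reply is allocated would reduce it to `if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX) return -EINVAL;` with no cleanup. The context lines after the check fill `r_up->in` and `r_up->fwd` from the constant indexes `XFRM_POLICY_IN` and `XFRM_POLICY_FWD`, so the shift this guards is not visible here. For this 5.10 backport it is worth confirming that the function still shifts by `up->dirmask` further down; if it does not, the check only rejects requests and could break callers. The start of the function, where `up` is assigned, is outside the hunk.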
index 896f08b8b3c1a28221dc2092e95835772269c3e6..ac1366527a489a58ebfcde017a39bbc20b3b1f55 100644 (file)
@@ -93,3 +93,6 @@ dt-bindings-pinctrl-aspeed-g6-remove-fwqspid-group.patch
 module-treat-exit-sections-the-same-as-init-sections-when-config_module_unload.patch
 i2c-mt7621-fix-missing-clk_disable_unprepare-on-erro.patch
 afs-fix-afs_getattr-to-refetch-file-status-if-callba.patch
+net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch
+include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch
+module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch