--- /dev/null
+From 81a86e1bd8e7060ebba1718b284d54f1238e9bf9 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 25 Jan 2021 07:09:49 -0800
+Subject: iwlwifi: provide gso_type to GSO packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 81a86e1bd8e7060ebba1718b284d54f1238e9bf9 upstream.
+
+net/core/tso.c got recent support for USO, and this broke iwlfifi
+because the driver implemented a limited form of GSO.
+
+Providing ->gso_type allows for skb_is_gso_tcp() to provide
+a correct result.
+
+Fixes: 3d5b459ba0e3 ("net: tso: add UDP segmentation support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Ben Greear <greearb@candelatech.com>
+Tested-by: Ben Greear <greearb@candelatech.com>
+Cc: Luca Coelho <luciano.coelho@intel.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=209913
+Link: https://lore.kernel.org/r/20210125150949.619309-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Robert Hancock <hancockrwd@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -833,6 +833,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s
+
+ next = skb_gso_segment(skb, netdev_flags);
+ skb_shinfo(skb)->gso_size = mss;
++ skb_shinfo(skb)->gso_type = ipv4 ? SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
+ if (WARN_ON_ONCE(IS_ERR(next)))
+ return -EINVAL;
+ else if (next)
+@@ -855,6 +856,8 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s
+
+ if (tcp_payload_len > mss) {
+ skb_shinfo(tmp)->gso_size = mss;
++ skb_shinfo(tmp)->gso_type = ipv4 ? SKB_GSO_TCPV4 :
++ SKB_GSO_TCPV6;
+ } else {
+ if (qos) {
+ u8 *qc;
--- /dev/null
+From b98e762e3d71e893b221f871825dc64694cfb258 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 25 Jan 2021 12:21:02 -0500
+Subject: nbd: freeze the queue while we're adding connections
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit b98e762e3d71e893b221f871825dc64694cfb258 upstream.
+
+When setting up a device, we can krealloc the config->socks array to add
+new sockets to the configuration. However if we happen to get a IO
+request in at this point even though we aren't setup we could hit a UAF,
+as we deref config->socks without any locking, assuming that the
+configuration was setup already and that ->socks is safe to access it as
+we have a reference on the configuration.
+
+But there's nothing really preventing IO from occurring at this point of
+the device setup, we don't want to incur the overhead of a lock to
+access ->socks when it will never change while the device is running.
+To fix this UAF scenario simply freeze the queue if we are adding
+sockets. This will protect us from this particular case without adding
+any additional overhead for the normal running case.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/nbd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1029,6 +1029,12 @@ static int nbd_add_socket(struct nbd_dev
+ if (!sock)
+ return err;
+
++ /*
++ * We need to make sure we don't get any errant requests while we're
++ * reallocating the ->socks array.
++ */
++ blk_mq_freeze_queue(nbd->disk->queue);
++
+ if (!netlink && !nbd->task_setup &&
+ !test_bit(NBD_RT_BOUND, &config->runtime_flags))
+ nbd->task_setup = current;
+@@ -1067,10 +1073,12 @@ static int nbd_add_socket(struct nbd_dev
+ nsock->cookie = 0;
+ socks[config->num_connections++] = nsock;
+ atomic_inc(&config->live_connections);
++ blk_mq_unfreeze_queue(nbd->disk->queue);
+
+ return 0;
+
+ put_socket:
++ blk_mq_unfreeze_queue(nbd->disk->queue);
+ sockfd_put(sock);
+ return err;
+ }
--- /dev/null
+From a9cbbb80e3e7dd38ceac166e0698f161862a18ae Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 29 Jan 2021 12:28:20 -0800
+Subject: tty: avoid using vfs_iocb_iter_write() for redirected console writes
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a9cbbb80e3e7dd38ceac166e0698f161862a18ae upstream.
+
+It turns out that the vfs_iocb_iter_{read,write}() functions are
+entirely broken, and don't actually use the passed-in file pointer for
+IO - only for the preparatory work (permission checking and for the
+write_iter function lookup).
+
+That worked fine for overlayfs, which always builds the new iocb with
+the same file pointer that it passes in, but in the general case it ends
+up doing nonsensical things (and could cause an iterator call that
+doesn't even match the passed-in file pointer).
+
+This subtly broke the tty conversion to write_iter in commit
+9bb48c82aced ("tty: implement write_iter"), because the console
+redirection didn't actually end up redirecting anything, since the
+passed-in file pointer was basically ignored, and the actual write was
+done with the original non-redirected console tty after all.
+
+The main visible effect of this is that the console messages were no
+longer logged to /var/log/boot.log during graphical boot.
+
+Fix the issue by simply not using the vfs write "helper" function at
+all, and just redirecting the write entirely internally to the tty
+layer. Do the target writability permission checks when actually
+registering the target tty with TIOCCONS instead of at write time.
+
+Fixes: 9bb48c82aced ("tty: implement write_iter")
+Reported-and-tested-by: Hans de Goede <hdegoede@redhat.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_io.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1027,9 +1027,8 @@ void tty_write_message(struct tty_struct
+ * write method will not be invoked in parallel for each device.
+ */
+
+-static ssize_t tty_write(struct kiocb *iocb, struct iov_iter *from)
++static ssize_t file_tty_write(struct file *file, struct kiocb *iocb, struct iov_iter *from)
+ {
+- struct file *file = iocb->ki_filp;
+ struct tty_struct *tty = file_tty(file);
+ struct tty_ldisc *ld;
+ ssize_t ret;
+@@ -1052,6 +1051,11 @@ static ssize_t tty_write(struct kiocb *i
+ return ret;
+ }
+
++static ssize_t tty_write(struct kiocb *iocb, struct iov_iter *from)
++{
++ return file_tty_write(iocb->ki_filp, iocb, from);
++}
++
+ ssize_t redirected_tty_write(struct kiocb *iocb, struct iov_iter *iter)
+ {
+ struct file *p = NULL;
+@@ -1061,9 +1065,13 @@ ssize_t redirected_tty_write(struct kioc
+ p = get_file(redirect);
+ spin_unlock(&redirect_lock);
+
++ /*
++ * We know the redirected tty is just another tty, we can can
++ * call file_tty_write() directly with that file pointer.
++ */
+ if (p) {
+ ssize_t res;
+- res = vfs_iocb_iter_write(p, iocb, iter);
++ res = file_tty_write(p, iocb, iter);
+ fput(p);
+ return res;
+ }
+@@ -2306,6 +2314,12 @@ static int tioccons(struct file *file)
+ fput(f);
+ return 0;
+ }
++ if (file->f_op->write_iter != tty_write)
++ return -ENOTTY;
++ if (!(file->f_mode & FMODE_WRITE))
++ return -EBADF;
++ if (!(file->f_mode & FMODE_CAN_WRITE))
++ return -EINVAL;
+ spin_lock(&redirect_lock);
+ if (redirect) {
+ spin_unlock(&redirect_lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
