4.19-stable patches

added patches:
	netfilter-nf_queue-fix-socket-leak.patch
	sched-rt-pick_next_rt_entity-check-list_entry.patch

diff --git a/queue-4.19/netfilter-nf_queue-fix-socket-leak.patch b/queue-4.19/netfilter-nf_queue-fix-socket-leak.patch
new file mode 100644 (file)
index 0000000..4183184
--- /dev/null
+++ b/queue-4.19/netfilter-nf_queue-fix-socket-leak.patch
@@ -0,0 +1,38 @@
+From vbrahmajosyula@vmware.com  Sun Aug 27 11:12:19 2023
+From: Vamsi Krishna Brahmajosyula <vbrahmajosyula@vmware.com>
+Date: Sat, 26 Aug 2023 06:50:56 +0000
+Subject: netfilter: nf_queue: fix socket leak
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, patches@lists.linux.dev, pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, amakhalov@vmware.com, srinidhir@vmware.com, vsirnapalli@vmware.com, akaher@vmware.com, tkundu@vmware.com, keerthanak@vmware.com, psinghchauha@vmware.com, Vimal Agrawal <vimal.agrawal@sophos.com>
+Message-ID: <20230826065055.4691-1-vbrahmajosyula@vmware.com>
+
+From: Vamsi Krishna Brahmajosyula <vbrahmajosyula@vmware.com>
+
+Removal of the sock_hold got lost when backporting commit c3873070247d
+("netfilter: nf_queue: fix possible use-after-free") to 4.19
+
+Fixes: 34dc4a6a7f26 ("netfilter: nf_queue: fix possible use-after-free") in 4.19
+
+Fixed in 4.14 with
+https://lore.kernel.org/all/20221024112958.115275475@linuxfoundation.org/
+
+Signed-off-by: Vimal Agrawal <vimal.agrawal@sophos.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+[vbrahmajosyula: The fix to the backport was missed in 4.19]
+Signed-off-by: Vamsi Krishna Brahmajosyula <vbrahmajosyula@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_queue.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -93,8 +93,6 @@ bool nf_queue_entry_get_refs(struct nf_q
+               dev_hold(state->in);
+       if (state->out)
+               dev_hold(state->out);
+-      if (state->sk)
+-              sock_hold(state->sk);
+ #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+       if (entry->skb->nf_bridge) {
+               struct net_device *physdev;

diff --git a/queue-4.19/sched-rt-pick_next_rt_entity-check-list_entry.patch b/queue-4.19/sched-rt-pick_next_rt_entity-check-list_entry.patch
new file mode 100644 (file)
index 0000000..6d80963
--- /dev/null
+++ b/queue-4.19/sched-rt-pick_next_rt_entity-check-list_entry.patch
@@ -0,0 +1,57 @@
+From 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 Mon Sep 17 00:00:00 2001
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+Date: Mon, 6 Feb 2023 22:33:54 +0000
+Subject: sched/rt: pick_next_rt_entity(): check list_entry
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+commit 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 upstream.
+
+Commit 326587b84078 ("sched: fix goto retry in pick_next_task_rt()")
+removed any path which could make pick_next_rt_entity() return NULL.
+However, BUG_ON(!rt_se) in _pick_next_task_rt() (the only caller of
+pick_next_rt_entity()) still checks the error condition, which can
+never happen, since list_entry() never returns NULL.
+Remove the BUG_ON check, and instead emit a warning in the only
+possible error condition here: the queue being empty which should
+never happen.
+
+Fixes: 326587b84078 ("sched: fix goto retry in pick_next_task_rt()")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Phil Auld <pauld@redhat.com>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Link: https://lore.kernel.org/r/20230128-list-entry-null-check-sched-v3-1-b1a71bd1ac6b@diag.uniroma1.it
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[ Fixes CVE-2023-1077: sched/rt: pick_next_rt_entity(): check list_entry
+  An insufficient list empty checking in pick_next_rt_entity().  The
+  _pick_next_task_rt() checks pick_next_rt_entity() returns NULL or not
+  but pick_next_rt_entity() never returns NULL.  So, even if the list is
+  empty, _pick_next_task_rt() continues its process. ]
+Signed-off-by: Srish Srinivasan <ssrish@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/rt.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -1522,6 +1522,8 @@ static struct sched_rt_entity *pick_next
+       BUG_ON(idx >= MAX_RT_PRIO);
+ 
+       queue = array->queue + idx;
++      if (SCHED_WARN_ON(list_empty(queue)))
++              return NULL;
+       next = list_entry(queue->next, struct sched_rt_entity, run_list);
+ 
+       return next;
+@@ -1535,7 +1537,8 @@ static struct task_struct *_pick_next_ta
+ 
+       do {
+               rt_se = pick_next_rt_entity(rq, rt_rq);
+-              BUG_ON(!rt_se);
++              if (unlikely(!rt_se))
++                      return NULL;
+               rt_rq = group_rt_rq(rt_se);
+       } while (rt_rq);
+ 

diff --git a/queue-4.19/series b/queue-4.19/series
index a673ef6867fb4183340a16703815e61b0d2a5af3..f177d3ca118b7f4255f6205c7f8b668a88e65432 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -129,3 +129,5 @@ media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch
 pci-acpiphp-use-pci_assign_unassigned_bridge_resources-only-for-non-root-bus.patch
 x86-fpu-set-x86_feature_osxsave-feature-after-enabling-osxsave-in-cr4.patch
 mmc-block-fix-in_flight-value-error.patch
+sched-rt-pick_next_rt_entity-check-list_entry.patch
+netfilter-nf_queue-fix-socket-leak.patch