--- /dev/null
+From stable+bounces-124081-greg=kroah.com@vger.kernel.org Tue Mar 11 19:55:19 2025
+From: Magali Lemes <magali.lemes@canonical.com>
+Date: Tue, 11 Mar 2025 15:54:25 -0300
+Subject: Revert "sctp: sysctl: auth_enable: avoid using current->nsproxy"
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Message-ID: <20250311185427.1070104-3-magali.lemes@canonical.com>
+
+From: Magali Lemes <magali.lemes@canonical.com>
+
+This reverts commit 10c869a52f266e40f548cc3c565d14930a5edafc as it
+was backported incorrectly.
+A subsequent commit will re-backport the original patch.
+
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -326,7 +326,7 @@ static int proc_sctp_do_hmac_alg(struct
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
++ struct net *net = current->nsproxy->net_ns;
+ struct ctl_table tbl;
+ bool changed = false;
+ char *none = "none";
--- /dev/null
+From stable+bounces-124080-greg=kroah.com@vger.kernel.org Tue Mar 11 19:55:18 2025
+From: Magali Lemes <magali.lemes@canonical.com>
+Date: Tue, 11 Mar 2025 15:54:24 -0300
+Subject: Revert "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy"
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Message-ID: <20250311185427.1070104-2-magali.lemes@canonical.com>
+
+From: Magali Lemes <magali.lemes@canonical.com>
+
+This reverts commit 1031462a944ba0fa83c25ab1111465f8345b5589 as it
+was backported incorrectly.
+A subsequent commit will re-backport the original patch.
+
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -441,8 +441,7 @@ static int proc_sctp_do_auth(struct ctl_
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct net *net = container_of(ctl->data, struct net,
+- sctp.sctp_hmac_alg);
++ struct net *net = current->nsproxy->net_ns;
+ struct ctl_table tbl;
+ int new_value, ret;
+
--- /dev/null
+From magali.lemes@canonical.com Tue Mar 11 19:55:13 2025
+From: Magali Lemes <magali.lemes@canonical.com>
+Date: Tue, 11 Mar 2025 15:54:27 -0300
+Subject: sctp: sysctl: auth_enable: avoid using current->nsproxy
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Message-ID: <20250311185427.1070104-5-magali.lemes@canonical.com>
+
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+
+commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, but that would
+increase the size of this fix, while 'sctp.ctl_sock' still needs to be
+retrieved from 'net' structure.
+
+Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -442,7 +442,7 @@ static int proc_sctp_do_auth(struct ctl_
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
+ struct ctl_table tbl;
+ int new_value, ret;
+
--- /dev/null
+From magali.lemes@canonical.com Tue Mar 11 19:55:13 2025
+From: Magali Lemes <magali.lemes@canonical.com>
+Date: Tue, 11 Mar 2025 15:54:26 -0300
+Subject: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Message-ID: <20250311185427.1070104-4-magali.lemes@canonical.com>
+
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+
+commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, as this is the only
+member needed from the 'net' structure, but that would increase the size
+of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is
+used.
+
+Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -326,7 +326,8 @@ static int proc_sctp_do_hmac_alg(struct
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net,
++ sctp.sctp_hmac_alg);
+ struct ctl_table tbl;
+ bool changed = false;
+ char *none = "none";
vlan-fix-memory-leak-in-vlan_newlink.patch
clockevents-drivers-i8253-fix-stop-sequence-for-timer-0.patch
sched-isolation-prevent-boot-crash-when-the-boot-cpu-is-nohz_full.patch
+revert-sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
+revert-sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch
+sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
+sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
