--- /dev/null
+From 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Wed, 11 Jan 2023 11:57:39 +0000
+Subject: netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 upstream.
+
+When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
+an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
+to overflow due to a failure casting operands to a larger data type
+before performing the arithmetic.
+
+Note that it's harmless since the value will be checked at the next step.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters")
+Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct
+ return -IPSET_ERR_BITMAP_RANGE;
+
+ pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
+- hosts = 2 << (32 - netmask - 1);
+- elements = 2 << (netmask - mask_bits - 1);
++ hosts = 2U << (32 - netmask - 1);
++ elements = 2UL << (netmask - mask_bits - 1);
+ }
+ if (elements > IPSET_BITMAP_MAX_RANGE + 1)
+ return -IPSET_ERR_BITMAP_RANGE_SIZE;
--- /dev/null
+From 87ca4f9efbd7cc649ff43b87970888f2812945b8 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Fri, 30 Dec 2022 23:11:19 -0500
+Subject: sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Waiman Long <longman@redhat.com>
+
+commit 87ca4f9efbd7cc649ff43b87970888f2812945b8 upstream.
+
+Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
+restricted on asymmetric systems"), the setting and clearing of
+user_cpus_ptr are done under pi_lock for arm64 architecture. However,
+dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
+protection. Since sched_setaffinity() can be invoked from another
+process, the process being modified may be undergoing fork() at
+the same time. When racing with the clearing of user_cpus_ptr in
+__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
+possibly double-free in arm64 kernel.
+
+Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
+cpumask") fixes this problem as user_cpus_ptr, once set, will never
+be cleared in a task's lifetime. However, this bug was re-introduced
+in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
+do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
+do_set_cpus_allowed(). This time, it will affect all arches.
+
+Fix this bug by always clearing the user_cpus_ptr of the newly
+cloned/forked task before the copying process starts and check the
+user_cpus_ptr state of the source task under pi_lock.
+
+Note to stable, this patch won't be applicable to stable releases.
+Just copy the new dup_user_cpus_ptr() function over.
+
+Fixes: 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems")
+Fixes: 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()")
+Reported-by: David Wang 王标 <wangbiao3@xiaomi.com>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221231041120.440785-2-longman@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/core.c | 37 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -2501,14 +2501,43 @@ void do_set_cpus_allowed(struct task_str
+ int dup_user_cpus_ptr(struct task_struct *dst, struct task_struct *src,
+ int node)
+ {
+- if (!src->user_cpus_ptr)
++ cpumask_t *user_mask;
++ unsigned long flags;
++
++ /*
++ * Always clear dst->user_cpus_ptr first as their user_cpus_ptr's
++ * may differ by now due to racing.
++ */
++ dst->user_cpus_ptr = NULL;
++
++ /*
++ * This check is racy and losing the race is a valid situation.
++ * It is not worth the extra overhead of taking the pi_lock on
++ * every fork/clone.
++ */
++ if (data_race(!src->user_cpus_ptr))
+ return 0;
+
+- dst->user_cpus_ptr = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
+- if (!dst->user_cpus_ptr)
++ user_mask = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
++ if (!user_mask)
+ return -ENOMEM;
+
+- cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
++ /*
++ * Use pi_lock to protect content of user_cpus_ptr
++ *
++ * Though unlikely, user_cpus_ptr can be reset to NULL by a concurrent
++ * do_set_cpus_allowed().
++ */
++ raw_spin_lock_irqsave(&src->pi_lock, flags);
++ if (src->user_cpus_ptr) {
++ swap(dst->user_cpus_ptr, user_mask);
++ cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
++ }
++ raw_spin_unlock_irqrestore(&src->pi_lock, flags);
++
++ if (unlikely(user_mask))
++ kfree(user_mask);
++
+ return 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
