--- /dev/null
+From 1ade48d0c27d5da1ccf4b583d8c5fc8b534a3ac8 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Fri, 17 Dec 2021 10:29:41 +0800
+Subject: ax25: NPD bug when detaching AX25 device
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 1ade48d0c27d5da1ccf4b583d8c5fc8b534a3ac8 upstream.
+
+The existing cleanup routine implementation is not well synchronized
+with the syscall routine. When a device is detaching, below race could
+occur.
+
+static int ax25_sendmsg(...) {
+ ...
+ lock_sock()
+ ax25 = sk_to_ax25(sk);
+ if (ax25->ax25_dev == NULL) // CHECK
+ ...
+ ax25_queue_xmit(skb, ax25->ax25_dev->dev); // USE
+ ...
+}
+
+static void ax25_kill_by_device(...) {
+ ...
+ if (s->ax25_dev == ax25_dev) {
+ s->ax25_dev = NULL;
+ ...
+}
+
+Other syscall functions like ax25_getsockopt, ax25_getname,
+ax25_info_show also suffer from similar races. To fix them, this patch
+introduce lock_sock() into ax25_kill_by_device in order to guarantee
+that the nullify action in cleanup routine cannot proceed when another
+socket request is pending.
+
+Signed-off-by: Hanjie Wu <nagi@zju.edu.cn>
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -88,8 +88,10 @@ static void ax25_kill_by_device(struct n
+ again:
+ ax25_for_each(s, &ax25_list) {
+ if (s->ax25_dev == ax25_dev) {
+- s->ax25_dev = NULL;
+ spin_unlock_bh(&ax25_list_lock);
++ lock_sock(s->sk);
++ s->ax25_dev = NULL;
++ release_sock(s->sk);
+ ax25_disconnect(s, ENETUNREACH);
+ spin_lock_bh(&ax25_list_lock);
+
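Review bot: After `spin_unlock_bh(&ax25_list_lock);` nothing pins `s` or its socket, so a concurrent close can release the socket before the new `lock_sock(s->sk)` runs, and `ax25_disconnect(s, ENETUNREACH)` is then called on an object that may already be gone — the NULL-pointer dereference is traded for a use-after-free window. Taking `sock_hold()` on the socket before the list lock is dropped and `sock_put()` after the disconnect closes that window, and keeping `ax25_disconnect()` inside the socket lock makes the nullify-and-disconnect atomic with respect to `ax25_sendmsg()`. If any `ax25_cb` on `ax25_list` can exist without a socket (I believe control blocks created for NET/ROM and ROSE have `sk == NULL`; worth confirming), `lock_sock(s->sk)` would itself fault, so that case needs its own branch. `ax25_kill_by_device()` starts before and ends after the hunk.
```c
	if (s->ax25_dev == ax25_dev) {
		struct sock *sk = s->sk;

		/* NOTE(review): confirm whether socket-less cbs can be on the list;
		 * if so they must be disconnected without lock_sock(). */
		sock_hold(sk);
		spin_unlock_bh(&ax25_list_lock);
		lock_sock(sk);
		s->ax25_dev = NULL;
		ax25_disconnect(s, ENETUNREACH);
		release_sock(sk);
		sock_put(sk);
		spin_lock_bh(&ax25_list_lock);
		/* … unchanged: restart of the list walk … */
```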
--- /dev/null
+From 3e0588c291d6ce225f2b891753ca41d45ba42469 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 8 Nov 2021 18:37:21 +0800
+Subject: hamradio: defer ax25 kfree after unregister_netdev
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 3e0588c291d6ce225f2b891753ca41d45ba42469 upstream.
+
+There is a possible race condition (use-after-free) like below
+
+ (USE) | (FREE)
+ax25_sendmsg |
+ ax25_queue_xmit |
+ dev_queue_xmit |
+ __dev_queue_xmit |
+ __dev_xmit_skb |
+ sch_direct_xmit | ...
+ xmit_one |
+ netdev_start_xmit | tty_ldisc_kill
+ __netdev_start_xmit | mkiss_close
+ ax_xmit | kfree
+ ax_encaps |
+ |
+
+Even though there are two synchronization primitives before the kfree:
+1. wait_for_completion(&ax->dead). This can prevent the race with
+routines from mkiss_ioctl. However, it cannot stop the routine coming
+from upper layer, i.e., the ax25_sendmsg.
+
+2. netif_stop_queue(ax->dev). It seems that this line of code aims to
+halt the transmit queue but it fails to stop the routine that already
+being xmit.
+
+This patch reorder the kfree after the unregister_netdev to avoid the
+possible UAF as the unregister_netdev() is well synchronized and won't
+return if there is a running routine.
+
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hamradio/mkiss.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -803,13 +803,14 @@ static void mkiss_close(struct tty_struc
+ */
+ netif_stop_queue(ax->dev);
+
+- /* Free all AX25 frame buffers. */
+- kfree(ax->rbuff);
+- kfree(ax->xbuff);
+-
+ ax->tty = NULL;
+
+ unregister_netdev(ax->dev);
++
++ /* Free all AX25 frame buffers after unreg. */
++ kfree(ax->rbuff);
++ kfree(ax->xbuff);
++
+ free_netdev(ax->dev);
+ }
+
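Review bot: `ax->tty = NULL;` is left two lines above `unregister_netdev(ax->dev);`, so the same window the commit message describes still exists for the tty pointer: a transmit already inside `ax_xmit()`/`ax_encaps()` keeps running until `unregister_netdev()` returns, and the follow-up patch in this queue shows `ax_encaps()` dereferencing `ax->tty`. Only the frame buffers are protected by this reordering; moving the assignment after `unregister_netdev()`, next to the deferred `kfree()` calls, is the natural completion (the next queued patch, "hamradio: improve the incomplete fix to avoid NPD", does exactly that). `mkiss_close()` starts before the hunk.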
--- /dev/null
+From b2f37aead1b82a770c48b5d583f35ec22aabb61e Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Fri, 17 Dec 2021 10:13:56 +0800
+Subject: hamradio: improve the incomplete fix to avoid NPD
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit b2f37aead1b82a770c48b5d583f35ec22aabb61e upstream.
+
+The previous commit 3e0588c291d6 ("hamradio: defer ax25 kfree after
+unregister_netdev") reorder the kfree operations and unregister_netdev
+operation to prevent UAF.
+
+This commit improves the previous one by also deferring the nullify of
+the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs.
+Partial of the stack trace is shown below.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000538
+RIP: 0010:ax_xmit+0x1f9/0x400
+...
+Call Trace:
+ dev_hard_start_xmit+0xec/0x320
+ sch_direct_xmit+0xea/0x240
+ __qdisc_run+0x166/0x5c0
+ __dev_queue_xmit+0x2c7/0xaf0
+ ax25_std_establish_data_link+0x59/0x60
+ ax25_connect+0x3a0/0x500
+ ? security_socket_connect+0x2b/0x40
+ __sys_connect+0x96/0xc0
+ ? __hrtimer_init+0xc0/0xc0
+ ? common_nsleep+0x2e/0x50
+ ? switch_fpu_return+0x139/0x1a0
+ __x64_sys_connect+0x11/0x20
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The crash point is shown as below
+
+static void ax_encaps(...) {
+ ...
+ set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!
+ ...
+}
+
+By placing the nullify action after the unregister_netdev, the ax->tty
+pointer won't be assigned as NULL net_device framework layer is well
+synchronized.
+
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -803,14 +803,14 @@ static void mkiss_close(struct tty_struc
+ */
+ netif_stop_queue(ax->dev);
+
+- ax->tty = NULL;
+-
+ unregister_netdev(ax->dev);
+
+ /* Free all AX25 frame buffers after unreg. */
+ kfree(ax->rbuff);
+ kfree(ax->xbuff);
+
++ ax->tty = NULL;
++
+ free_netdev(ax->dev);
+ }
+
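Review bot: The ordering at the tail of `mkiss_close()` is now load-bearing — `unregister_netdev()` must precede both the `kfree()` calls and `ax->tty = NULL;` because a transmit can still be running until it returns — but only the `kfree()` comment hints at this, and two consecutive patches got it wrong. A why-comment on the moved line would make the constraint stick, e.g. `/* Clear the tty only after unregister_netdev() has waited for in-flight xmits: ax_encaps() dereferences ax->tty. */`. The `netif_stop_queue()` comment above it could likewise note that stopping the queue does not wait for a transmit already in progress, as the earlier commit message explains. `mkiss_close()` starts before the hunk.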
--- /dev/null
+From cdc5287acad9ede121924a9c9313544b80d15842 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 3 Dec 2021 13:42:22 -0800
+Subject: hwmon: (lm90) Do not report 'busy' status bit as alarm
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit cdc5287acad9ede121924a9c9313544b80d15842 upstream.
+
+Bit 7 of the status register indicates that the chip is busy
+doing a conversion. It does not indicate an alarm status.
+Stop reporting it as alarm status bit.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/lm90.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm90.c
++++ b/drivers/hwmon/lm90.c
+@@ -197,6 +197,7 @@ enum chips { lm90, adm1032, lm99, lm86,
+ #define LM90_STATUS_RHIGH (1 << 4) /* remote high temp limit tripped */
+ #define LM90_STATUS_LLOW (1 << 5) /* local low temp limit tripped */
+ #define LM90_STATUS_LHIGH (1 << 6) /* local high temp limit tripped */
++#define LM90_STATUS_BUSY (1 << 7) /* conversion is ongoing */
+
+ #define MAX6696_STATUS2_R2THRM (1 << 1) /* remote2 THERM limit tripped */
+ #define MAX6696_STATUS2_R2OPEN (1 << 2) /* remote2 is an open circuit */
+@@ -786,7 +787,7 @@ static int lm90_update_device(struct dev
+ val = lm90_read_reg(client, LM90_REG_R_STATUS);
+ if (val < 0)
+ return val;
+- data->alarms = val; /* lower 8 bit of alarms */
++ data->alarms = val & ~LM90_STATUS_BUSY;
+
+ if (data->kind == max6696) {
+ val = lm90_select_remote_channel(client, data, 1);
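Review bot: The rewritten `data->alarms = val & ~LM90_STATUS_BUSY;` drops the old `/* lower 8 bit of alarms */` remark without saying why bit 7 is masked; a short trailing comment keeps the intent visible, e.g. `data->alarms = val & ~LM90_STATUS_BUSY; /* bit 7 is "busy", not an alarm */`. If any other path outside this hunk copies `LM90_REG_R_STATUS` into an alarm field or compares the raw status word against alarm masks, it presumably needs the same mask (cannot be confirmed from this hunk). `lm90_update_device()` continues past the hunk.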
--- /dev/null
+From 75a2f31520095600f650597c0ac41f48b5ba0068 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= <remi@remlab.net>
+Date: Sun, 19 Dec 2021 19:03:39 +0200
+Subject: phonet/pep: refuse to enable an unbound pipe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rémi Denis-Courmont <remi@remlab.net>
+
+commit 75a2f31520095600f650597c0ac41f48b5ba0068 upstream.
+
+This ioctl() implicitly assumed that the socket was already bound to
+a valid local socket name, i.e. Phonet object. If the socket was not
+bound, two separate problems would occur:
+
+1) We'd send an pipe enablement request with an invalid source object.
+2) Later socket calls could BUG on the socket unexpectedly being
+ connected yet not bound to a valid object.
+
+Reported-by: syzbot+2dc91e7fc3dea88b1e8a@syzkaller.appspotmail.com
+Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/phonet/pep.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -959,6 +959,8 @@ static int pep_ioctl(struct sock *sk, in
+ ret = -EBUSY;
+ else if (sk->sk_state == TCP_ESTABLISHED)
+ ret = -EISCONN;
++ else if (!pn->pn_sk.sobject)
++ ret = -EADDRNOTAVAIL;
+ else
+ ret = pep_sock_enable(sk, NULL, 0);
+ release_sock(sk);
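Review bot: The new `else if (!pn->pn_sk.sobject)` branch treats object id 0 as "unbound"; if 0 can be a legitimately bound Phonet object, a bound socket would be refused with `-EADDRNOTAVAIL` here, so that should be confirmed against the bind/autobind path, which is not visible in this hunk. The `release_sock(sk);` that ends the hunk implies the check runs under the socket lock, so it should not race with a concurrent bind. A one-line comment would help the next reader, e.g. `/* unbound socket: no valid source object for the enable request */`. `pep_ioctl()` starts before and ends after the hunk.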
usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
kvm-vmx-fix-stale-docs-for-kvm-intel.emulate_invalid_guest_state.patch
input-i8042-enable-deferred-probe-quirk-for-asus-um325ua.patch
+hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch
+ax25-npd-bug-when-detaching-ax25-device.patch
+hamradio-defer-ax25-kfree-after-unregister_netdev.patch
+hamradio-improve-the-incomplete-fix-to-avoid-npd.patch
+phonet-pep-refuse-to-enable-an-unbound-pipe.patch