5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Sep 2021 07:30:12 +0000 (09:30 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Sep 2021 07:30:12 +0000 (09:30 +0200)
added patches:
tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch

queue-5.4/series
queue-5.4/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch [new file with mode: 0644]

index 505d5e7eeafecec11b1ffc1739916fc80d634df5..8a0b3b22b70f7568d2ad38cba079b5f4f1c8b60c 100644 (file)
@@ -206,3 +206,4 @@ drm-etnaviv-reference-mmu-context-when-setting-up-hardware-state.patch
 drm-etnaviv-add-missing-mmu-context-put-when-reaping-mmu-mapping.patch
 s390-sclp-fix-secure-ipl-facility-detection.patch
 x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch
+tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch
diff --git a/queue-5.4/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch b/queue-5.4/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch
new file mode 100644 (file)
index 0000000..65b9075
--- /dev/null
@@ -0,0 +1,56 @@
+From cc19862ffe454a5b632ca202e5a51bfec9f89fd2 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 23 Jul 2021 13:25:36 -0400
+Subject: tipc: fix an use-after-free issue in tipc_recvmsg
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit cc19862ffe454a5b632ca202e5a51bfec9f89fd2 upstream.
+
+syzbot reported an use-after-free crash:
+
+  BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979
+  Call Trace:
+   tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979
+   sock_recvmsg_nosec net/socket.c:943 [inline]
+   sock_recvmsg net/socket.c:961 [inline]
+   sock_recvmsg+0xca/0x110 net/socket.c:957
+   tipc_conn_rcv_from_sock+0x162/0x2f0 net/tipc/topsrv.c:398
+   tipc_conn_recv_work+0xeb/0x190 net/tipc/topsrv.c:421
+   process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
+   worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
+
+As Hoang pointed out, it was caused by skb_cb->bytes_read still accessed
+after calling tsk_advance_rx_queue() to free the skb in tipc_recvmsg().
+
+This patch is to fix it by accessing skb_cb->bytes_read earlier than
+calling tsk_advance_rx_queue().
+
+Fixes: f4919ff59c28 ("tipc: keep the skb in rcv queue until the whole data is read")
+Reported-by: syzbot+e6741b97d5552f97c24d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1849,10 +1849,12 @@ static int tipc_recvmsg(struct socket *s
+               tipc_node_distr_xmit(sock_net(sk), &xmitq);
+       }
+-      if (!skb_cb->bytes_read)
+-              tsk_advance_rx_queue(sk);
++      if (skb_cb->bytes_read)
++              goto exit;
++
++      tsk_advance_rx_queue(sk);
+-      if (likely(!connected) || skb_cb->bytes_read)
++      if (likely(!connected))
+               goto exit;
+       /* Send connection flow control advertisement when applicable */