From: Greg Kroah-Hartman Date: Tue, 28 Feb 2023 18:44:31 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.275~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1bfe7945fd7eaf8d6c4afedbd37829b54b2c7789;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch md-flush-workqueue-md_rdev_misc_wq-in-md_alloc.patch net-remove-warn_on_once-sk-sk_forward_alloc-from-sk_stream_kill_queues.patch vc_screen-don-t-clobber-return-value-in-vcs_read.patch --- diff --git a/queue-5.10/bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch b/queue-5.10/bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch new file mode 100644 index 00000000000..089d4ef6ced --- /dev/null +++ b/queue-5.10/bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch @@ -0,0 +1,48 @@ +From 1fe4850b34ab512ff911e2c035c75fb6438f7307 Mon Sep 17 00:00:00 2001 +From: Martin KaFai Lau +Date: Thu, 16 Feb 2023 16:41:48 -0800 +Subject: bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state + +From: Martin KaFai Lau + +commit 1fe4850b34ab512ff911e2c035c75fb6438f7307 upstream. + +The bpf_fib_lookup() helper does not only look up the fib (ie. route) +but it also looks up the neigh. Before returning the neigh, the helper +does not check for NUD_VALID. When a neigh state (neigh->nud_state) +is in NUD_FAILED, its dmac (neigh->ha) could be all zeros. The helper +still returns SUCCESS instead of NO_NEIGH in this case. Because of the +SUCCESS return value, the bpf prog directly uses the returned dmac +and ends up filling all zero in the eth header. + +This patch checks for NUD_VALID and returns NO_NEIGH if the neigh is +not valid. + +Signed-off-by: Martin KaFai Lau +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230217004150.2980689-3-martin.lau@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -5401,7 +5401,7 @@ static int bpf_ipv4_fib_lookup(struct ne + neigh = __ipv6_neigh_lookup_noref_stub(dev, dst); + } + +- if (!neigh) ++ if (!neigh || !(neigh->nud_state & NUD_VALID)) + return BPF_FIB_LKUP_RET_NO_NEIGH; + + return bpf_fib_set_fwd_params(params, neigh, dev); +@@ -5514,7 +5514,7 @@ static int bpf_ipv6_fib_lookup(struct ne + * not needed here. + */ + neigh = __ipv6_neigh_lookup_noref_stub(dev, dst); +- if (!neigh) ++ if (!neigh || !(neigh->nud_state & NUD_VALID)) + return BPF_FIB_LKUP_RET_NO_NEIGH; + + return bpf_fib_set_fwd_params(params, neigh, dev); diff --git a/queue-5.10/md-flush-workqueue-md_rdev_misc_wq-in-md_alloc.patch b/queue-5.10/md-flush-workqueue-md_rdev_misc_wq-in-md_alloc.patch new file mode 100644 index 00000000000..68c6ce82726 --- /dev/null +++ b/queue-5.10/md-flush-workqueue-md_rdev_misc_wq-in-md_alloc.patch @@ -0,0 +1,42 @@ +From 5e8daf906f890560df430d30617c692a794acb73 Mon Sep 17 00:00:00 2001 +From: David Sloan +Date: Thu, 11 Aug 2022 11:14:13 -0600 +Subject: md: Flush workqueue md_rdev_misc_wq in md_alloc() + +From: David Sloan + +commit 5e8daf906f890560df430d30617c692a794acb73 upstream. + +A race condition still exists when removing and re-creating md devices +in test cases. However, it is only seen on some setups. + +The race condition was tracked down to a reference still being held +to the kobject by the rdev in the md_rdev_misc_wq which will be released +in rdev_delayed_delete(). + +md_alloc() waits for previous deletions by waiting on the md_misc_wq, +but the md_rdev_misc_wq may still be holding a reference to a recently +removed device. + +To fix this, also flush the md_rdev_misc_wq in md_alloc(). + +Signed-off-by: David Sloan +[logang@deltatee.com: rewrote commit message] +Signed-off-by: Logan Gunthorpe +Signed-off-by: Song Liu +Signed-off-by: Hou Tao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5683,6 +5683,7 @@ static int md_alloc(dev_t dev, char *nam + * completely removed (mddev_delayed_delete). + */ + flush_workqueue(md_misc_wq); ++ flush_workqueue(md_rdev_misc_wq); + + mutex_lock(&disks_mutex); + error = -EEXIST; diff --git a/queue-5.10/net-remove-warn_on_once-sk-sk_forward_alloc-from-sk_stream_kill_queues.patch b/queue-5.10/net-remove-warn_on_once-sk-sk_forward_alloc-from-sk_stream_kill_queues.patch new file mode 100644 index 00000000000..ede34708059 --- /dev/null +++ b/queue-5.10/net-remove-warn_on_once-sk-sk_forward_alloc-from-sk_stream_kill_queues.patch @@ -0,0 +1,100 @@ +From 62ec33b44e0f7168ff2886520fec6fb62d03b5a3 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Thu, 9 Feb 2023 16:22:02 -0800 +Subject: net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). + +From: Kuniyuki Iwashima + +commit 62ec33b44e0f7168ff2886520fec6fb62d03b5a3 upstream. + +Christoph Paasch reported that commit b5fc29233d28 ("inet6: Remove +inet6_destroy_sock() in sk->sk_prot->destroy().") started triggering +WARN_ON_ONCE(sk->sk_forward_alloc) in sk_stream_kill_queues(). [0 - 2] +Also, we can reproduce it by a program in [3]. + +In the commit, we delay freeing ipv6_pinfo.pktoptions from sk->destroy() +to sk->sk_destruct(), so sk->sk_forward_alloc is no longer zero in +inet_csk_destroy_sock(). + +The same check has been in inet_sock_destruct() from at least v2.6, +we can just remove the WARN_ON_ONCE(). However, among the users of +sk_stream_kill_queues(), only CAIF is not calling inet_sock_destruct(). +Thus, we add the same WARN_ON_ONCE() to caif_sock_destructor(). + +[0]: https://lore.kernel.org/netdev/39725AB4-88F1-41B3-B07F-949C5CAEFF4F@icloud.com/ +[1]: https://github.com/multipath-tcp/mptcp_net-next/issues/341 +[2]: +WARNING: CPU: 0 PID: 3232 at net/core/stream.c:212 sk_stream_kill_queues+0x2f9/0x3e0 +Modules linked in: +CPU: 0 PID: 3232 Comm: syz-executor.0 Not tainted 6.2.0-rc5ab24eb4698afbe147b424149c529e2a43ec24eb5 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +RIP: 0010:sk_stream_kill_queues+0x2f9/0x3e0 +Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ec 00 00 00 8b ab 08 01 00 00 e9 60 ff ff ff e8 d0 5f b6 fe 0f 0b eb 97 e8 c7 5f b6 fe <0f> 0b eb a0 e8 be 5f b6 fe 0f 0b e9 6a fe ff ff e8 02 07 e3 fe e9 +RSP: 0018:ffff88810570fc68 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ffff888101f38f40 RSI: ffffffff8285e529 RDI: 0000000000000005 +RBP: 0000000000000ce0 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000ce0 R11: 0000000000000001 R12: ffff8881009e9488 +R13: ffffffff84af2cc0 R14: 0000000000000000 R15: ffff8881009e9458 +FS: 00007f7fdfbd5800(0000) GS:ffff88811b600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b32923000 CR3: 00000001062fc006 CR4: 0000000000170ef0 +Call Trace: + + inet_csk_destroy_sock+0x1a1/0x320 + __tcp_close+0xab6/0xe90 + tcp_close+0x30/0xc0 + inet_release+0xe9/0x1f0 + inet6_release+0x4c/0x70 + __sock_release+0xd2/0x280 + sock_close+0x15/0x20 + __fput+0x252/0xa20 + task_work_run+0x169/0x250 + exit_to_user_mode_prepare+0x113/0x120 + syscall_exit_to_user_mode+0x1d/0x40 + do_syscall_64+0x48/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f7fdf7ae28d +Code: c1 20 00 00 75 10 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 37 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 +RSP: 002b:00000000007dfbb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 +RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f7fdf7ae28d +RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003 +RBP: 0000000000000000 R08: 000000007f338e0f R09: 0000000000000e0f +R10: 000000007f338e13 R11: 0000000000000293 R12: 00007f7fdefff000 +R13: 00007f7fdefffcd8 R14: 00007f7fdefffce0 R15: 00007f7fdefffcd8 + + +[3]: https://lore.kernel.org/netdev/20230208004245.83497-1-kuniyu@amazon.com/ + +Fixes: b5fc29233d28 ("inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().") +Reported-by: syzbot +Reported-by: Christoph Paasch +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_socket.c | 1 + + net/core/stream.c | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -1020,6 +1020,7 @@ static void caif_sock_destructor(struct + return; + } + sk_stream_kill_queues(&cf_sk->sk); ++ WARN_ON(sk->sk_forward_alloc); + caif_free_client(&cf_sk->layer); + } + +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -209,7 +209,6 @@ void sk_stream_kill_queues(struct sock * + sk_mem_reclaim(sk); + + WARN_ON(sk->sk_wmem_queued); +- WARN_ON(sk->sk_forward_alloc); + + /* It is _impossible_ for the backlog to contain anything + * when we get here. All user references to this socket diff --git a/queue-5.10/series b/queue-5.10/series index 5afbbdb9f2b..868e39f087c 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -6,3 +6,7 @@ btrfs-send-limit-number-of-clones-and-allocated-memo.patch ib-hfi1-assign-npages-earlier.patch neigh-make-sure-used-and-confirmed-times-are-valid.patch hid-core-fix-deadloop-in-hid_apply_multiplier.patch +bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch +net-remove-warn_on_once-sk-sk_forward_alloc-from-sk_stream_kill_queues.patch +vc_screen-don-t-clobber-return-value-in-vcs_read.patch +md-flush-workqueue-md_rdev_misc_wq-in-md_alloc.patch diff --git a/queue-5.10/vc_screen-don-t-clobber-return-value-in-vcs_read.patch b/queue-5.10/vc_screen-don-t-clobber-return-value-in-vcs_read.patch new file mode 100644 index 00000000000..00449a24a07 --- /dev/null +++ b/queue-5.10/vc_screen-don-t-clobber-return-value-in-vcs_read.patch @@ -0,0 +1,56 @@ +From ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Mon, 20 Feb 2023 06:46:12 +0000 +Subject: vc_screen: don't clobber return value in vcs_read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e upstream. + +Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in +vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop. + +While doing this it also moved the unconditional assignment of + + ret = -ENXIO; + +This unconditional assignment was valid outside the loop but within it +it clobbers the actual value of ret. + +To avoid this only assign "ret = -ENXIO" when actually needed. + +[ Also, the 'goto unlock_out" needs to be just a "break", so that it + does the right thing when it exits on later iterations when partial + success has happened - Linus ] + +Reported-by: Storm Dragon +Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/ +Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/ +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vc_screen.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/tty/vt/vc_screen.c ++++ b/drivers/tty/vt/vc_screen.c +@@ -403,10 +403,11 @@ vcs_read(struct file *file, char __user + unsigned int this_round, skip = 0; + int size; + +- ret = -ENXIO; + vc = vcs_vc(inode, &viewed); +- if (!vc) +- goto unlock_out; ++ if (!vc) { ++ ret = -ENXIO; ++ break; ++ } + + /* Check whether we are above size each round, + * as copy_to_user at the end of this loop