From: Greg Kroah-Hartman Date: Tue, 7 Jun 2022 11:21:26 +0000 (+0200) Subject: 5.18-stable patches X-Git-Tag: v5.10.121~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2644288ad785e421b1907daaf0c41ddeb800d309;p=thirdparty%2Fkernel%2Fstable-queue.git 5.18-stable patches added patches: macsec-fix-uaf-bug-for-real_dev.patch md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch md-fix-double-free-of-io_acct_set-bioset.patch --- diff --git a/queue-5.18/macsec-fix-uaf-bug-for-real_dev.patch b/queue-5.18/macsec-fix-uaf-bug-for-real_dev.patch new file mode 100644 index 00000000000..a50d152d256 --- /dev/null +++ b/queue-5.18/macsec-fix-uaf-bug-for-real_dev.patch 
@@ -0,0 +1,92 @@
+From 196a888ca6571deb344468e1d7138e3273206335 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan
+Date: Tue, 31 May 2022 15:45:00 +0800
+Subject: macsec: fix UAF bug for real_dev
+
+From: Ziyang Xuan
+
+commit 196a888ca6571deb344468e1d7138e3273206335 upstream.
+
+Create a new macsec device but not get reference to real_dev. That can
+not ensure that real_dev is freed after macsec. That will trigger the
+UAF bug for real_dev as following:
+
+==================================================================
+BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
+Call Trace:
+ ...
+ macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
+ dev_get_iflink+0x73/0xe0 net/core/dev.c:637
+ default_operstate net/core/link_watch.c:42 [inline]
+ rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54
+ linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161
+
+Allocated by task 22209:
+ ...
+ alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549
+ rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235
+ veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748
+
+Freed by task 8:
+ ...
+ kfree+0xd6/0x4d0 mm/slub.c:4552
+ kvfree+0x42/0x50 mm/util.c:615
+ device_release+0x9f/0x240 drivers/base/core.c:2229
+ kobject_cleanup lib/kobject.c:673 [inline]
+ kobject_release lib/kobject.c:704 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ kobject_put+0x1c8/0x540 lib/kobject.c:721
+ netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327
+
+After commit faab39f63c1f ("net: allow out-of-order netdev unregistration")
+and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we
+can add dev_hold_track() in macsec_dev_init() and dev_put_track() in
+macsec_free_netdev() to fix the problem.
+
+Fixes: 2bce1ebed17d ("macsec: fix refcnt leak in module exit routine")
+Reported-by: syzbot+d0e94b65ac259c29ce7a@syzkaller.appspotmail.com
+Signed-off-by: Ziyang Xuan
+Link: https://lore.kernel.org/r/20220531074500.1272846-1-william.xuanziyang@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -99,6 +99,7 @@ struct pcpu_secy_stats {
+ * struct macsec_dev - private data
+ * @secy: SecY config
+ * @real_dev: pointer to underlying netdevice
++ * @dev_tracker: refcount tracker for @real_dev reference
+ * @stats: MACsec device stats
+ * @secys: linked list of SecY's on the underlying device
+ * @gro_cells: pointer to the Generic Receive Offload cell
+@@ -107,6 +108,7 @@ struct pcpu_secy_stats {
+ struct macsec_dev {
+ struct macsec_secy secy;
+ struct net_device *real_dev;
++ netdevice_tracker dev_tracker;
+ struct pcpu_secy_stats __percpu *stats;
+ struct list_head secys;
+ struct gro_cells gro_cells;
+@@ -3459,6 +3461,9 @@ static int macsec_dev_init(struct net_de
+ if (is_zero_ether_addr(dev->broadcast))
+ memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len);
+ 
++ /* Get macsec's reference to real_dev */
++ dev_hold_track(real_dev, &macsec->dev_tracker, GFP_KERNEL);
++
+ return 0;
+ }
+ 
+@@ -3704,6 +3709,8 @@ static void macsec_free_netdev(struct ne
+ free_percpu(macsec->stats);
+ free_percpu(macsec->secy.tx_sc.stats);
+ 
++ /* Get rid of the macsec's reference to real_dev */
++ dev_put_track(macsec->real_dev, &macsec->dev_tracker);
+ }
+ 
+ static void macsec_setup(struct net_device *dev)
diff --git a/queue-5.18/md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch b/queue-5.18/md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch
new file mode 100644
index 00000000000..8f4dd90dbd2
--- /dev/null
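Review bot: The new dev_put_track() in macsec_free_netdev() runs unconditionally, while the matching dev_hold_track() is placed as the very last statement of macsec_dev_init(), after whatever allocation and init steps precede it (the start of that function is outside the hunk). If macsec_dev_init() can return an error before reaching the hold and the device's priv destructor still runs on that failure path, the release drops a reference that was never taken, which is the kind of refcount underflow that first shows up as a tracker warning and later as a use-after-free of real_dev; this is inferred from the shape of the hunk and should be confirmed against the rest of macsec_dev_init() and the newlink error path. At minimum the pairing deserves a comment on the hold so it is not reordered later, e.g. `/* Must stay after every error return: macsec_free_netdev() drops this unconditionally */`. The two hunks in macsec.c only make sense together, so the same note applies to the dev_put_track() hunk.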
+++ b/queue-5.18/md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch
@@ -0,0 +1,38 @@
+From 40f567bbb3b0639d2ec7d1c6ad4b1b018f80cf19 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai
+Date: Fri, 27 May 2022 23:28:18 +0800
+Subject: md: bcache: check the return value of kzalloc() in detached_dev_do_request()
+
+From: Jia-Ju Bai
+
+commit 40f567bbb3b0639d2ec7d1c6ad4b1b018f80cf19 upstream.
+
+The function kzalloc() in detached_dev_do_request() can fail, so its
+return value should be checked.
+
+Fixes: bc082a55d25c ("bcache: fix inaccurate io state for detached bcache devices")
+Reported-by: TOTE Robot
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Coly Li
+Link: https://lore.kernel.org/r/20220527152818.27545-4-colyli@suse.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/request.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -1105,6 +1105,12 @@ static void detached_dev_do_request(stru
+ * which would call closure_get(&dc->disk.cl)
+ */
+ ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO);
++ if (!ddip) {
++ bio->bi_status = BLK_STS_RESOURCE;
++ bio->bi_end_io(bio);
++ return;
++ }
++
+ ddip->d = d;
+ /* Count on the bcache device */
+ ddip->orig_bdev = orig_bdev;
diff --git a/queue-5.18/md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch b/queue-5.18/md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch
new file mode 100644
index 00000000000..e02ca58d59a
--- /dev/null
+++ b/queue-5.18/md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch
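Review bot: The new early return completes the bio without undoing what the caller did before handing it over: detached_dev_do_request() receives start_time and orig_bdev (the line below stores orig_bdev into ddip for the normal completion path), which suggests I/O accounting was already started and the bio remapped by the caller, so completing it here skips the matching end-of-accounting and leaves an in-flight count that never drains. If that reading is right, the error path should mirror the normal completion, roughly `bio_end_io_acct_remapped(bio, start_time, orig_bdev);` before `bio->bi_end_io(bio);`; the surrounding function starts and ends outside the hunk, so this needs confirming against the caller. BLK_STS_RESOURCE on a bio-based path is also worth a second look, since upper layers generally treat it as transient rather than as a failed I/O.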
@@ -0,0 +1,72 @@
+From 0f2571ad7a30ff6b33cde142439f9378669f8b4f Mon Sep 17 00:00:00 2001
+From: Xiao Ni
+Date: Thu, 12 May 2022 17:21:08 +0800
+Subject: md: Don't set mddev private to NULL in raid0 pers->free
+
+From: Xiao Ni
+
+commit 0f2571ad7a30ff6b33cde142439f9378669f8b4f upstream.
+
+In normal stop process, it does like this:
+ do_md_stop
+ |
+ __md_stop (pers->free(); mddev->private=NULL)
+ |
+ md_free (free mddev)
+__md_stop sets mddev->private to NULL after pers->free. The raid device
+will be stopped and mddev memory is free. But in reshape, it doesn't
+free the mddev and mddev will still be used in new raid.
+
+In reshape, it first sets mddev->private to new_pers and then runs
+old_pers->free(). Now raid0 sets mddev->private to NULL in raid0_free.
+The new raid can't work anymore. It will panic when dereference
+mddev->private because of NULL pointer dereference.
+
+It can panic like this:
+[63010.814972] kernel BUG at drivers/md/raid10.c:928!
+[63010.819778] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[63010.825011] CPU: 3 PID: 44437 Comm: md0_resync Kdump: loaded Not tainted 5.14.0-86.el9.x86_64 #1
+[63010.833789] Hardware name: Dell Inc. 
PowerEdge R6415/07YXFK, BIOS 1.15.0 09/11/2020
+[63010.841440] RIP: 0010:raise_barrier+0x161/0x170 [raid10]
+[63010.865508] RSP: 0018:ffffc312408bbc10 EFLAGS: 00010246
+[63010.870734] RAX: 0000000000000000 RBX: ffffa00bf7d39800 RCX: 0000000000000000
+[63010.877866] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa00bf7d39800
+[63010.884999] RBP: 0000000000000000 R08: fffffa4945e74400 R09: 0000000000000000
+[63010.892132] R10: ffffa00eed02f798 R11: 0000000000000000 R12: ffffa00bbc435200
+[63010.899266] R13: ffffa00bf7d39800 R14: 0000000000000400 R15: 0000000000000003
+[63010.906399] FS: 0000000000000000(0000) GS:ffffa00eed000000(0000) knlGS:0000000000000000
+[63010.914485] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[63010.920229] CR2: 00007f5cfbe99828 CR3: 0000000105efe000 CR4: 00000000003506e0
+[63010.927363] Call Trace:
+[63010.929822] ? bio_reset+0xe/0x40
+[63010.933144] ? raid10_alloc_init_r10buf+0x60/0xa0 [raid10]
+[63010.938629] raid10_sync_request+0x756/0x1610 [raid10]
+[63010.943770] md_do_sync.cold+0x3e4/0x94c
+[63010.947698] md_thread+0xab/0x160
+[63010.951024] ? md_write_inc+0x50/0x50
+[63010.954688] kthread+0x149/0x170
+[63010.957923] ? set_kthread_struct+0x40/0x40
+[63010.962107] ret_from_fork+0x22/0x30
+
+Removing the code that sets mddev->private to NULL in raid0 can fix
+problem.
+
+Fixes: 0c031fd37f69 (md: Move alloc/free acct bioset in to personality)
+Reported-by: Fine Fan
+Signed-off-by: Xiao Ni
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid0.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -361,7 +361,6 @@ static void free_conf(struct mddev *mdde
+ kfree(conf->strip_zone);
+ kfree(conf->devlist);
+ kfree(conf);
+- mddev->private = NULL;
+ }
+ 
+ static void raid0_free(struct mddev *mddev, void *priv)
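Review bot: Dropping `mddev->private = NULL;` from the shared helper free_conf() fixes the reshape case but also changes every other caller of free_conf(); the hunk shows only raid0_free() following it, so if free_conf() is also used on a raid0_run() failure path (outside this hunk), that path now leaves mddev->private pointing at freed memory, and a later run that treats a non-NULL private as an inherited configuration would turn this into a use-after-free. If such a caller exists, the assignment should move to that call site rather than disappear, e.g. `free_conf(mddev, conf);` followed by `mddev->private = NULL;` on the failure path only. A one-line comment on free_conf(), such as `/* Leaves mddev->private alone on purpose: reshape has already repointed it at the new personality */`, would keep the next maintainer from reintroducing the clear.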
diff --git a/queue-5.18/md-fix-double-free-of-io_acct_set-bioset.patch b/queue-5.18/md-fix-double-free-of-io_acct_set-bioset.patch
new file mode 100644
index 00000000000..c5a269ebad5
--- /dev/null
+++ b/queue-5.18/md-fix-double-free-of-io_acct_set-bioset.patch
@@ -0,0 +1,40 @@
+From 42b805af102471f53e3c7867b8c2b502ea4eef7e Mon Sep 17 00:00:00 2001
+From: Xiao Ni
+Date: Thu, 12 May 2022 17:21:09 +0800
+Subject: md: fix double free of io_acct_set bioset
+
+From: Xiao Ni
+
+commit 42b805af102471f53e3c7867b8c2b502ea4eef7e upstream.
+
+Now io_acct_set is alloc and free in personality. Remove the codes that
+free io_acct_set in md_free and md_stop.
+
+Fixes: 0c031fd37f69 (md: Move alloc/free acct bioset in to personality)
+Signed-off-by: Xiao Ni
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/md.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5598,8 +5598,6 @@ static void md_free(struct kobject *ko)
+ 
+ bioset_exit(&mddev->bio_set);
+ bioset_exit(&mddev->sync_set);
+- if (mddev->level != 1 && mddev->level != 10)
+- bioset_exit(&mddev->io_acct_set);
+ kfree(mddev);
+ }
+ 
+@@ -6286,8 +6284,6 @@ void md_stop(struct mddev *mddev)
+ __md_stop(mddev);
+ bioset_exit(&mddev->bio_set);
+ bioset_exit(&mddev->sync_set);
+- if (mddev->level != 1 && mddev->level != 10)
+- bioset_exit(&mddev->io_acct_set);
+ }
+ 
+ EXPORT_SYMBOL_GPL(md_stop);
diff --git a/queue-5.18/series b/queue-5.18/series
index 3489826a464..346ded72d8d 100644
--- a/queue-5.18/series
+++ b/queue-5.18/series
@@ -873,3 +873,7 @@ ext4-only-allow-test_dummy_encryption-when-supported.patch
 fs-add-two-trivial-lookup-helpers.patch
 exportfs-support-idmapped-mounts.patch
 fs-ntfs3-fix-invalid-free-in-log_replay.patch
+md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch
+md-fix-double-free-of-io_acct_set-bioset.patch
+md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch
+macsec-fix-uaf-bug-for-real_dev.patch
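Review bot: Removing the io_acct_set teardown from md_free() and md_stop() makes the lifetime of that bioset entirely the personality's responsibility, but nothing left in md.c records that contract; the deleted level check was the only hint that the bioset is personality-owned. With the old code the failure mode was the double free this patch fixes, with the new code it becomes a silent leak for any personality that initialises io_acct_set in its run hook without releasing it in its free hook, which is harder to notice. A comment next to the remaining bioset_exit() calls would pin this down, e.g. `/* io_acct_set is owned by the personality: set up in pers->run(), torn down in pers->free() */`. The same point applies to both hunks of this patch (md_free and md_stop).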