From: Greg Kroah-Hartman Date: Tue, 21 Jan 2025 14:48:16 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.15.177~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=46809df06335b8109e342aa11eacc881f0580d95;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: vsock-prevent-null-ptr-deref-in-vsock_.patch vsock-virtio-discard-packets-if-the-transport-changes.patch x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch --- diff --git a/queue-5.10/series b/queue-5.10/series index cc1e9936ad..260289ed68 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -119,3 +119,6 @@ blk-cgroup-fix-uaf-in-blkcg_unpin_online.patch ipv6-avoid-possible-null-deref-in-rt6_uncached_list_flush_dev.patch nfsd-add-list_head-nf_gc-to-struct-nfsd_file.patch fou-remove-warn-in-gue_gro_receive-on-unsupported-protocol.patch +vsock-virtio-discard-packets-if-the-transport-changes.patch +vsock-prevent-null-ptr-deref-in-vsock_.patch +x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch diff --git a/queue-5.10/vsock-prevent-null-ptr-deref-in-vsock_.patch b/queue-5.10/vsock-prevent-null-ptr-deref-in-vsock_.patch new file mode 100644 index 0000000000..a68142548a --- /dev/null +++ b/queue-5.10/vsock-prevent-null-ptr-deref-in-vsock_.patch 
@@ -0,0 +1,62 @@ +From 91751e248256efc111e52e15115840c35d85abaf Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Jan 2025 09:35:11 +0100 +Subject: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] + +From: Stefano Garzarella + +commit 91751e248256efc111e52e15115840c35d85abaf upstream. + +Recent reports have shown how we sometimes call vsock_*_has_data() +when a vsock socket has been de-assigned from a transport (see attached +links), but we shouldn't. + +Previous commits should have solved the real problems, but we may have +more in the future, so to avoid null-ptr-deref, we can return 0 +(no space, no data available) but with a warning. + +This way the code should continue to run in a nearly consistent state +and have a warning that allows us to debug future problems. + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/ +Link: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/ +Link: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/ +Co-developed-by: Hyunwoo Kim +Signed-off-by: Hyunwoo Kim +Co-developed-by: Wongi Lee +Signed-off-by: Wongi Lee +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Reviewed-by: Hyunwoo Kim +Signed-off-by: Paolo Abeni +[SG: fixed conflict since this tree is missing vsock_connectible_has_data() + added by commit 0798e78b102b ("af_vsock: rest of SEQPACKET support")] +Signed-off-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -837,12 +837,18 @@ EXPORT_SYMBOL_GPL(vsock_create_connected + + s64 vsock_stream_has_data(struct vsock_sock *vsk) + { ++ if (WARN_ON(!vsk->transport)) ++ return 0; ++ + return vsk->transport->stream_has_data(vsk); + } + 
EXPORT_SYMBOL_GPL(vsock_stream_has_data); + + s64 vsock_stream_has_space(struct vsock_sock *vsk) + { ++ if (WARN_ON(!vsk->transport)) ++ return 0; ++ + return vsk->transport->stream_has_space(vsk); + } + EXPORT_SYMBOL_GPL(vsock_stream_has_space); diff --git a/queue-5.10/vsock-virtio-discard-packets-if-the-transport-changes.patch b/queue-5.10/vsock-virtio-discard-packets-if-the-transport-changes.patch new file mode 100644 index 0000000000..1660f986f9 --- /dev/null +++ b/queue-5.10/vsock-virtio-discard-packets-if-the-transport-changes.patch 
@@ -0,0 +1,50 @@ +From 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Jan 2025 09:35:07 +0100 +Subject: vsock/virtio: discard packets if the transport changes + +From: Stefano Garzarella + +commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 upstream. + +If the socket has been de-assigned or assigned to another transport, +we must discard any packets received because they are not expected +and would cause issues when we access vsk->transport. + +A possible scenario is described by Hyunwoo Kim in the attached link, +where after a first connect() interrupted by a signal, and a second +connect() failed, we can find `vsk->transport` at NULL, leading to a +NULL pointer dereference. + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Cc: stable@vger.kernel.org +Reported-by: Hyunwoo Kim +Reported-by: Wongi Lee +Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/ +Signed-off-by: Stefano Garzarella +Reviewed-by: Hyunwoo Kim +Signed-off-by: Paolo Abeni +[SG: fixed context conflict since this tree is missing commit 71dc9ec9ac7d + ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")] +Signed-off-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1171,8 +1171,11 @@ void virtio_transport_recv_pkt(struct vi + + lock_sock(sk); + +- /* Check if sk has been closed before lock_sock */ +- if (sock_flag(sk, SOCK_DONE)) { ++ /* Check if sk has been closed or assigned to another transport before ++ * lock_sock (note: listener sockets are not assigned to any transport) ++ */ ++ if (sock_flag(sk, SOCK_DONE) || ++ (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) { + (void)virtio_transport_reset_no_sock(t, pkt); + release_sock(sk); + sock_put(sk); 
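Review bot: in the net/vmw_vsock/virtio_transport_common.c hunk, the new condition reads `vsk->transport`, but `vsk` is not visible in the three lines of context and the backport note only mentions the `pkt`/`skb` conflict from the missing commit 71dc9ec9ac7d, so please confirm that the 5.10 version of virtio_transport_recv_pkt() derives `vsk` from `sk` before this point. The check is correctly placed after `lock_sock(sk)`, which is what makes the comparison stable against the interrupted connect() followed by a failed connect() described in the commit message, and since the existing `virtio_transport_reset_no_sock(t, pkt)` path sends a reset to the peer rather than silently dropping the packet, the new comment could say "reset and discard" so the reader does not expect a silent drop.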
diff --git a/queue-5.10/x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch b/queue-5.10/x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch new file mode 100644 index 0000000000..c7bce0a04f --- /dev/null +++ b/queue-5.10/x86-xen-fix-sls-mitigation-in-xen_hypercall_iret.patch @@ -0,0 +1,31 @@ +From jgross@suse.com Tue Jan 21 15:16:05 2025 +From: Juergen Gross +Date: Fri, 17 Jan 2025 12:05:51 +0100 +Subject: x86/xen: fix SLS mitigation in xen_hypercall_iret() +To: gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org, Juergen Gross +Message-ID: <20250117110551.13930-1-jgross@suse.com> + +From: Juergen Gross + +The backport of upstream patch a2796dff62d6 ("x86/xen: don't do PV iret +hypercall through hypercall page") missed to adapt the SLS mitigation +config check from CONFIG_MITIGATION_SLS to CONFIG_SLS. + +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/xen/xen-asm.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/xen/xen-asm.S ++++ b/arch/x86/xen/xen-asm.S +@@ -242,7 +242,7 @@ SYM_CODE_END(xen_early_idt_handler_array + push %rax + mov $__HYPERVISOR_iret, %eax + syscall /* Do the IRET. */ +-#ifdef CONFIG_MITIGATION_SLS ++#ifdef CONFIG_SLS + int3 + #endif + .endm
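Review bot: in the net/vmw_vsock/af_vsock.c hunk, `WARN_ON(!vsk->transport)` emits a full stack dump on every hit, and the commit message says these paths are reached from races that the attached reports triggered from userspace, so with panic_on_warn the warning is itself a crash and without it the log can be flooded; this matches upstream 91751e248256 and is the intended trade against the NULL dereference, so keep it, but the backport note could state explicitly that only vsock_stream_has_data() and vsock_stream_has_space() are guarded here because 5.10 has no vsock_connectible_has_data(), so the `return 0` (no data, no space) does not cover any other caller that dereferences `vsk->transport` directly.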
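Review bot: in the arch/x86/xen/xen-asm.S hunk, the stale `#ifdef CONFIG_MITIGATION_SLS` names a symbol this tree never defines, so the preprocessor silently dropped the `int3` and the backport of a2796dff62d6 shipped the `syscall` in the xen_hypercall_iret macro with no straight-line-speculation stop; switching to `CONFIG_SLS` is the right fix. Because an undefined Kconfig symbol in an `#ifdef` produces no build warning, it would be worth grepping the rest of that backport and the other 5.10 queue entries for `CONFIG_MITIGATION_` to catch any other check that still needs the pre-rename name.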