From: Greg Kroah-Hartman Date: Mon, 20 Sep 2021 07:31:40 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.4.284~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4cbf2651f41473df8a082d8e0a91ef4826f19247;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: ethtool-fix-rxnfc-copy-to-user-buffer-overflow.patch net-mlx5-nfp-bnxt-remove-unnecessary-rtnl-lock-assert.patch tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch x86-pat-pass-valid-address-to-sanitize_phys.patch --- diff --git a/queue-5.10/ethtool-fix-rxnfc-copy-to-user-buffer-overflow.patch b/queue-5.10/ethtool-fix-rxnfc-copy-to-user-buffer-overflow.patch new file mode 100644 index 00000000000..9aa4e6ac383 --- /dev/null +++ b/queue-5.10/ethtool-fix-rxnfc-copy-to-user-buffer-overflow.patch 
@@ -0,0 +1,88 @@ +From 9b29a161ef38040f000dcf9ccf78e34495edfd55 Mon Sep 17 00:00:00 2001 +From: Saeed Mahameed +Date: Mon, 26 Jul 2021 15:15:39 -0700 +Subject: ethtool: Fix rxnfc copy to user buffer overflow + +From: Saeed Mahameed + +commit 9b29a161ef38040f000dcf9ccf78e34495edfd55 upstream. + +In the cited commit, copy_to_user() got called with the wrong pointer, +instead of passing the actual buffer ptr to copy from, a pointer to +the pointer got passed, which causes a buffer overflow calltrace to pop +up when executing "ethtool -x ethX". + +Fix ethtool_rxnfc_copy_to_user() to use the rxnfc pointer as passed +to the function, instead of a pointer to it. + +This fixes below call trace: +[ 15.533533] ------------[ cut here ]------------ +[ 15.539007] Buffer overflow detected (8 < 192)! +[ 15.544110] WARNING: CPU: 3 PID: 1801 at include/linux/thread_info.h:200 copy_overflow+0x15/0x20 +[ 15.549308] Modules linked in: +[ 15.551449] CPU: 3 PID: 1801 Comm: ethtool Not tainted 5.14.0-rc2+ #1058 +[ 15.553919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 15.558378] RIP: 0010:copy_overflow+0x15/0x20 +[ 15.560648] Code: e9 7c ff ff ff b8 a1 ff ff ff eb c4 66 0f 1f 84 00 00 00 00 00 55 48 89 f2 89 fe 48 c7 c7 88 55 78 8a 48 89 e5 e8 06 5c 1e 00 <0f> 0b 5d c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 +[ 15.565114] RSP: 0018:ffffad49c0523bd0 EFLAGS: 00010286 +[ 15.566231] RAX: 0000000000000000 RBX: 00000000000000c0 RCX: 0000000000000000 +[ 15.567616] RDX: 0000000000000001 RSI: ffffffff8a7912e7 RDI: 00000000ffffffff +[ 15.569050] RBP: ffffad49c0523bd0 R08: ffffffff8ab2ae28 R09: 00000000ffffdfff +[ 15.570534] R10: ffffffff8aa4ae40 R11: ffffffff8aa4ae40 R12: 0000000000000000 +[ 15.571899] R13: 00007ffd4cc2a230 R14: ffffad49c0523c00 R15: 0000000000000000 +[ 15.573584] FS: 00007f538112f740(0000) GS:ffff96d5bdd80000(0000) knlGS:0000000000000000 +[ 15.575639] CS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033 +[ 15.577092] CR2: 00007f5381226d40 CR3: 0000000013542000 CR4: 00000000001506e0 +[ 15.578929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 15.580695] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 15.582441] Call Trace: +[ 15.582970] ethtool_rxnfc_copy_to_user+0x30/0x46 +[ 15.583815] ethtool_get_rxnfc.cold+0x23/0x2b +[ 15.584584] dev_ethtool+0x29c/0x25f0 +[ 15.585286] ? security_netlbl_sid_to_secattr+0x77/0xd0 +[ 15.586728] ? do_set_pte+0xc4/0x110 +[ 15.587349] ? _raw_spin_unlock+0x18/0x30 +[ 15.588118] ? __might_sleep+0x49/0x80 +[ 15.588956] dev_ioctl+0x2c1/0x490 +[ 15.589616] sock_ioctl+0x18e/0x330 +[ 15.591143] __x64_sys_ioctl+0x41c/0x990 +[ 15.591823] ? irqentry_exit_to_user_mode+0x9/0x20 +[ 15.592657] ? irqentry_exit+0x33/0x40 +[ 15.593308] ? exc_page_fault+0x32f/0x770 +[ 15.593877] ? exit_to_user_mode_prepare+0x3c/0x130 +[ 15.594775] do_syscall_64+0x35/0x80 +[ 15.595397] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 15.596037] RIP: 0033:0x7f5381226d4b +[ 15.596492] Code: 0f 1e fa 48 8b 05 3d b1 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0d b1 0c 00 f7 d8 64 89 01 48 +[ 15.598743] RSP: 002b:00007ffd4cc2a1f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 15.599804] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5381226d4b +[ 15.600795] RDX: 00007ffd4cc2a350 RSI: 0000000000008946 RDI: 0000000000000003 +[ 15.601712] RBP: 00007ffd4cc2a340 R08: 00007ffd4cc2a350 R09: 0000000000000001 +[ 15.602751] R10: 00007f538128a990 R11: 0000000000000246 R12: 0000000000000000 +[ 15.603882] R13: 00007ffd4cc2a350 R14: 00007ffd4cc2a4b0 R15: 0000000000000000 +[ 15.605042] ---[ end trace 325cf185e2795048 ]--- + +Fixes: dd98d2895de6 ("ethtool: improve compat ioctl handling") +Reported-by: Shannon Nelson +CC: Arnd Bergmann +CC: Christoph Hellwig +Signed-off-by: Saeed Mahameed +Tested-by: Shannon Nelson +Acked-by: Arnd 
Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ethtool/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ethtool/ioctl.c ++++ b/net/ethtool/ioctl.c +@@ -906,7 +906,7 @@ static int ethtool_rxnfc_copy_to_user(vo + rule_buf); + useraddr += offsetof(struct compat_ethtool_rxnfc, rule_locs); + } else { +- ret = copy_to_user(useraddr, &rxnfc, size); ++ ret = copy_to_user(useraddr, rxnfc, size); + useraddr += offsetof(struct ethtool_rxnfc, rule_locs); + } + diff --git a/queue-5.10/net-mlx5-nfp-bnxt-remove-unnecessary-rtnl-lock-assert.patch b/queue-5.10/net-mlx5-nfp-bnxt-remove-unnecessary-rtnl-lock-assert.patch new file mode 100644 index 00000000000..99a83768ab8 --- /dev/null +++ b/queue-5.10/net-mlx5-nfp-bnxt-remove-unnecessary-rtnl-lock-assert.patch 
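Review bot: in the net/ethtool/ioctl.c hunk, the one-character change from `&rxnfc` to `rxnfc` is the whole fix and is correct given the commit message's statement that `rxnfc` is already the buffer pointer passed into ethtool_rxnfc_copy_to_user(); the old line copied `size` bytes starting at the address of the pointer variable itself, which is why the trace reports "Buffer overflow detected (8 < 192)" (an 8-byte pointer slot, a 192-byte requested copy). Worth stating in review that the warning is the hardened-usercopy check catching it: on a kernel without that check the old line would have silently copied stack bytes past the pointer into the user buffer, so this backport closes a kernel stack disclosure and not only a noisy calltrace. The compat branch is only visible as trailing context here (`rule_buf);` and the `offsetof(struct compat_ethtool_rxnfc, rule_locs)` adjustment), so confirm the compat path copies from the structure rather than its address as well.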
@@ -0,0 +1,64 @@ +From 7c3a0a018e672a9723a79b128227272562300055 Mon Sep 17 00:00:00 2001 +From: Eli Cohen +Date: Wed, 15 Sep 2021 07:47:27 +0300 +Subject: net/{mlx5|nfp|bnxt}: Remove unnecessary RTNL lock assert + +From: Eli Cohen + +commit 7c3a0a018e672a9723a79b128227272562300055 upstream. + +Remove the assert from the callback priv lookup function since it does +not require RTNL lock and is already protected by flow_indr_block_lock. + +This will avoid warnings from being emitted to dmesg if the driver +registers its callback after an ingress qdisc was created for a +netdevice. + +The warnings started after the following patch was merged: +commit 74fc4f828769 ("net: Fix offloading indirect devices dependency on qdisc order creation") + +Signed-off-by: Eli Cohen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 3 --- + drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c | 3 --- + drivers/net/ethernet/netronome/nfp/flower/offload.c | 3 --- + 3 files changed, 9 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c +@@ -1870,9 +1870,6 @@ bnxt_tc_indr_block_cb_lookup(struct bnxt + { + struct bnxt_flower_indr_block_cb_priv *cb_priv; + +- /* All callback list access should be protected by RTNL. */ +- ASSERT_RTNL(); +- + list_for_each_entry(cb_priv, &bp->tc_indr_block_list, list) + if (cb_priv->tunnel_netdev == netdev) + return cb_priv; +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c +@@ -298,9 +298,6 @@ mlx5e_rep_indr_block_priv_lookup(struct + { + struct mlx5e_rep_indr_block_priv *cb_priv; + +- /* All callback list access should be protected by RTNL. 
*/ +- ASSERT_RTNL(); +- + list_for_each_entry(cb_priv, + &rpriv->uplink_priv.tc_indr_block_priv_list, + list) +--- a/drivers/net/ethernet/netronome/nfp/flower/offload.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c +@@ -1732,9 +1732,6 @@ nfp_flower_indr_block_cb_priv_lookup(str + struct nfp_flower_indr_block_cb_priv *cb_priv; + struct nfp_flower_priv *priv = app->priv; + +- /* All callback list access should be protected by RTNL. */ +- ASSERT_RTNL(); +- + list_for_each_entry(cb_priv, &priv->indr_block_cb_priv, list) + if (cb_priv->netdev == netdev) + return cb_priv; diff --git a/queue-5.10/series b/queue-5.10/series index fdcc5a66f11..468bc3668b9 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -16,3 +16,8 @@ drm-etnaviv-fix-mmu-context-leak-on-gpu-reset.patch drm-etnaviv-reference-mmu-context-when-setting-up-hardware-state.patch drm-etnaviv-add-missing-mmu-context-put-when-reaping-mmu-mapping.patch s390-sclp-fix-secure-ipl-facility-detection.patch +x86-pat-pass-valid-address-to-sanitize_phys.patch +x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch +tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch +ethtool-fix-rxnfc-copy-to-user-buffer-overflow.patch +net-mlx5-nfp-bnxt-remove-unnecessary-rtnl-lock-assert.patch diff --git a/queue-5.10/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch b/queue-5.10/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch new file mode 100644 index 00000000000..4e099d8288d --- /dev/null +++ b/queue-5.10/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch 
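Review bot: across the three hunks (bnxt_tc.c, en/rep/tc.c, flower/offload.c) the only change is dropping `ASSERT_RTNL()` and its comment from the lookup functions; the commit message's justification that the lists are "already protected by flow_indr_block_lock" cannot be checked from these lines, since neither the list add/remove sites nor the lock are visible, so confirm that every mutation of `tc_indr_block_list`, `tc_indr_block_priv_list` and `indr_block_cb_priv` also runs under that lock before accepting that the assertion, rather than the locking, was the thing to remove. Because the old comment "All callback list access should be protected by RTNL." is deleted without replacement, suggest adding a one-line comment in each function naming the lock that actually protects the list, so the locking contract stays documented at the point of use.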
@@ -0,0 +1,56 @@ +From cc19862ffe454a5b632ca202e5a51bfec9f89fd2 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 23 Jul 2021 13:25:36 -0400 +Subject: tipc: fix an use-after-free issue in tipc_recvmsg + +From: Xin Long + +commit cc19862ffe454a5b632ca202e5a51bfec9f89fd2 upstream. + +syzbot reported an use-after-free crash: + + BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979 + Call Trace: + tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979 + sock_recvmsg_nosec net/socket.c:943 [inline] + sock_recvmsg net/socket.c:961 [inline] + sock_recvmsg+0xca/0x110 net/socket.c:957 + tipc_conn_rcv_from_sock+0x162/0x2f0 net/tipc/topsrv.c:398 + tipc_conn_recv_work+0xeb/0x190 net/tipc/topsrv.c:421 + process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 + worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 + +As Hoang pointed out, it was caused by skb_cb->bytes_read still accessed +after calling tsk_advance_rx_queue() to free the skb in tipc_recvmsg(). + +This patch is to fix it by accessing skb_cb->bytes_read earlier than +calling tsk_advance_rx_queue(). + +Fixes: f4919ff59c28 ("tipc: keep the skb in rcv queue until the whole data is read") +Reported-by: syzbot+e6741b97d5552f97c24d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1980,10 +1980,12 @@ static int tipc_recvmsg(struct socket *s + tipc_node_distr_xmit(sock_net(sk), &xmitq); + } + +- if (!skb_cb->bytes_read) +- tsk_advance_rx_queue(sk); ++ if (skb_cb->bytes_read) ++ goto exit; ++ ++ tsk_advance_rx_queue(sk); + +- if (likely(!connected) || skb_cb->bytes_read) ++ if (likely(!connected)) + goto exit; + + /* Send connection flow control advertisement when applicable */ 
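Review bot: the restructured flow in the net/tipc/socket.c hunk is behaviour-preserving apart from removing the use-after-free: when `skb_cb->bytes_read` is non-zero both old and new code skip `tsk_advance_rx_queue()` and exit, and when it is zero both advance the queue and then exit only if `!connected`; the difference is that the new code reads `bytes_read` once, before the skb can be freed, instead of re-reading it in the second condition after `tsk_advance_rx_queue(sk)`. One thing to confirm: `skb_cb` (and `skb`) still dangle after the advance for the rest of the function, and the code past the "Send connection flow control advertisement" comment is not in the hunk, so check that nothing below touches them, or clear the pointers after the advance so a future edit cannot reintroduce the same bug.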
diff --git a/queue-5.10/x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch b/queue-5.10/x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch new file mode 100644 index 00000000000..fd0fac96ee1 --- /dev/null +++ b/queue-5.10/x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch 
@@ -0,0 +1,115 @@ +From 34b1999da935a33be6239226bfa6cd4f704c5c88 Mon Sep 17 00:00:00 2001 +From: Mike Rapoport +Date: Thu, 19 Aug 2021 16:27:17 +0300 +Subject: x86/mm: Fix kern_addr_valid() to cope with existing but not present entries + +From: Mike Rapoport + +commit 34b1999da935a33be6239226bfa6cd4f704c5c88 upstream. + +Jiri Olsa reported a fault when running: + + # cat /proc/kallsyms | grep ksys_read + ffffffff8136d580 T ksys_read + # objdump -d --start-address=0xffffffff8136d580 --stop-address=0xffffffff8136d590 /proc/kcore + + /proc/kcore: file format elf64-x86-64 + + Segmentation fault + + general protection fault, probably for non-canonical address 0xf887ffcbff000: 0000 [#1] SMP PTI + CPU: 12 PID: 1079 Comm: objdump Not tainted 5.14.0-rc5qemu+ #508 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-4.fc34 04/01/2014 + RIP: 0010:kern_addr_valid + Call Trace: + read_kcore + ? rcu_read_lock_sched_held + ? rcu_read_lock_sched_held + ? rcu_read_lock_sched_held + ? trace_hardirqs_on + ? rcu_read_lock_sched_held + ? lock_acquire + ? lock_acquire + ? rcu_read_lock_sched_held + ? lock_acquire + ? rcu_read_lock_sched_held + ? rcu_read_lock_sched_held + ? rcu_read_lock_sched_held + ? lock_release + ? _raw_spin_unlock + ? __handle_mm_fault + ? rcu_read_lock_sched_held + ? lock_acquire + ? rcu_read_lock_sched_held + ? lock_release + proc_reg_read + ? vfs_read + vfs_read + ksys_read + do_syscall_64 + entry_SYSCALL_64_after_hwframe + +The fault happens because kern_addr_valid() dereferences existent but not +present PMD in the high kernel mappings. + +Such PMDs are created when free_kernel_image_pages() frees regions larger +than 2Mb. In this case, a part of the freed memory is mapped with PMDs and +the set_memory_np_noalias() -> ... -> __change_page_attr() sequence will +mark the PMD as not present rather than wipe it completely. 
+ +Have kern_addr_valid() check whether higher level page table entries are +present before trying to dereference them to fix this issue and to avoid +similar issues in the future. + +Stable backporting note: +------------------------ + +Note that the stable marking is for all active stable branches because +there could be cases where pagetable entries exist but are not valid - +see 9a14aefc1d28 ("x86: cpa, fix lookup_address"), for example. So make +sure to be on the safe side here and use pXY_present() accessors rather +than pXY_none() which could #GP when accessing pages in the direct map. + +Also see: + + c40a56a7818c ("x86/mm/init: Remove freed kernel image areas from alias mapping") + +for more info. + +Reported-by: Jiri Olsa +Signed-off-by: Mike Rapoport +Signed-off-by: Borislav Petkov +Reviewed-by: David Hildenbrand +Acked-by: Dave Hansen +Tested-by: Jiri Olsa +Cc: # 4.4+ +Link: https://lkml.kernel.org/r/20210819132717.19358-1-rppt@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/init_64.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -1389,18 +1389,18 @@ int kern_addr_valid(unsigned long addr) + return 0; + + p4d = p4d_offset(pgd, addr); +- if (p4d_none(*p4d)) ++ if (!p4d_present(*p4d)) + return 0; + + pud = pud_offset(p4d, addr); +- if (pud_none(*pud)) ++ if (!pud_present(*pud)) + return 0; + + if (pud_large(*pud)) + return pfn_valid(pud_pfn(*pud)); + + pmd = pmd_offset(pud, addr); +- if (pmd_none(*pmd)) ++ if (!pmd_present(*pmd)) + return 0; + + if (pmd_large(*pmd)) diff --git a/queue-5.10/x86-pat-pass-valid-address-to-sanitize_phys.patch b/queue-5.10/x86-pat-pass-valid-address-to-sanitize_phys.patch new file mode 100644 index 00000000000..ac64a24b277 --- /dev/null +++ b/queue-5.10/x86-pat-pass-valid-address-to-sanitize_phys.patch 
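Review bot: in the arch/x86/mm/init_64.c hunk the p4d, pud and pmd checks are converted from `pXY_none()` to `!pXY_present()`, which matches the stable note's instruction to prefer the present accessors; however the hunk starts at `return 0;` just after the pgd-level check and ends at `if (pmd_large(*pmd))`, so neither the pgd check above nor the pte-level lookup below is visible. Confirm that those two levels also tolerate an entry that exists but is not present, since the same "not present rather than wiped" state the message describes for PMDs after `__change_page_attr()` can in principle be produced at other levels (the stable note cites 9a14aefc1d28 for exactly that). Also worth noting for the backport justification that `kern_addr_valid()` is reached from `read_kcore()`, so before this fix a process able to read /proc/kcore could trigger the general protection fault shown in the trace.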
@@ -0,0 +1,57 @@ +From aeef8b5089b76852bd84889f2809e69a7cfb414e Mon Sep 17 00:00:00 2001 +From: Jeff Moyer +Date: Wed, 11 Aug 2021 17:07:37 -0400 +Subject: x86/pat: Pass valid address to sanitize_phys() + +From: Jeff Moyer + +commit aeef8b5089b76852bd84889f2809e69a7cfb414e upstream. + +The end address passed to memtype_reserve() is handed directly to +sanitize_phys(). However, end is exclusive and sanitize_phys() expects +an inclusive address. If end falls at the end of the physical address +space, sanitize_phys() will return 0. This can result in drivers +failing to load, and the following warning: + + WARNING: CPU: 26 PID: 749 at arch/x86/mm/pat.c:354 reserve_memtype+0x262/0x450 + reserve_memtype failed: [mem 0x3ffffff00000-0xffffffffffffffff], req uncached-minus + Call Trace: + [] reserve_memtype+0x262/0x450 + [] ioremap_nocache+0x1a/0x20 + [] mpt3sas_base_map_resources+0x151/0xa60 [mpt3sas] + [] mpt3sas_base_attach+0xf5/0xa50 [mpt3sas] + ---[ end trace 6d6eea4438db89ef ]--- + ioremap reserve_memtype failed -22 + mpt3sas_cm0: unable to map adapter memory! or resource not found + mpt3sas_cm0: failure at drivers/scsi/mpt3sas/mpt3sas_scsih.c:10597/_scsih_probe()! + +Fix this by passing the inclusive end address to sanitize_phys(). 
+ +Fixes: 510ee090abc3 ("x86/mm/pat: Prepare {reserve, free}_memtype() for "decoy" addresses") +Signed-off-by: Jeff Moyer +Signed-off-by: Thomas Gleixner +Reviewed-by: David Hildenbrand +Reviewed-by: Dan Williams +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/x49o8a3pu5i.fsf@segfault.boston.devel.redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pat/memtype.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/pat/memtype.c ++++ b/arch/x86/mm/pat/memtype.c +@@ -583,7 +583,12 @@ int memtype_reserve(u64 start, u64 end, + int err = 0; + + start = sanitize_phys(start); +- end = sanitize_phys(end); ++ ++ /* ++ * The end address passed into this function is exclusive, but ++ * sanitize_phys() expects an inclusive address. ++ */ ++ end = sanitize_phys(end - 1) + 1; + if (start >= end) { + WARN(1, "%s failed: [mem %#010Lx-%#010Lx], req %s\n", __func__, + start, end - 1, cattr_name(req_type));
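Review bot: in the arch/x86/mm/pat/memtype.c hunk, `end = sanitize_phys(end - 1) + 1;` has no guard that `end` is non-zero, so an `end == 0` argument now wraps `end - 1` to all-ones before `sanitize_phys()` and the `+ 1` yields a large value instead of 0; previously such a call fell straight into the `if (start >= end)` WARN immediately below, whereas now it would proceed with a huge range. If no caller of memtype_reserve() can pass an empty range this is moot, but it should be confirmed or the new comment should state the `end > start` precondition explicitly. The comment added with the change otherwise documents the exclusive-vs-inclusive mismatch well, and the WARN's `end - 1` in its format arguments is consistent with the new inclusive handling.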