From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 23 Jul 2023 14:09:22 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v6.1.41~46
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5778cdf4a0ff3bd694ea2ffa5a44c69a58a9a184;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	can-bcm-fix-uaf-in-bcm_proc_show.patch
	fuse-revalidate-don-t-invalidate-if-interrupted.patch
	perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
---

diff --git a/queue-4.14/can-bcm-fix-uaf-in-bcm_proc_show.patch b/queue-4.14/can-bcm-fix-uaf-in-bcm_proc_show.patch
new file mode 100644
index 00000000000..7d2e25329d0
--- /dev/null
+++ b/queue-4.14/can-bcm-fix-uaf-in-bcm_proc_show.patch
@@ -0,0 +1,92 @@
+From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 15 Jul 2023 17:25:43 +0800
+Subject: can: bcm: Fix UAF in bcm_proc_show()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream.
+
+BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
+Read of size 8 at addr ffff888155846230 by task cat/7862
+
+CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xd5/0x150
+ print_report+0xc1/0x5e0
+ kasan_report+0xba/0xf0
+ bcm_proc_show+0x969/0xa80
+ seq_read_iter+0x4f6/0x1260
+ seq_read+0x165/0x210
+ proc_reg_read+0x227/0x300
+ vfs_read+0x1d5/0x8d0
+ ksys_read+0x11e/0x240
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Allocated by task 7846:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x9e/0xa0
+ bcm_sendmsg+0x264b/0x44e0
+ sock_sendmsg+0xda/0x180
+ ____sys_sendmsg+0x735/0x920
+ ___sys_sendmsg+0x11d/0x1b0
+ __sys_sendmsg+0xfa/0x1d0
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 7846:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x27/0x40
+ ____kasan_slab_free+0x161/0x1c0
+ slab_free_freelist_hook+0x119/0x220
+ __kmem_cache_free+0xb4/0x2e0
+ rcu_core+0x809/0x1bd0
+
+bcm_op is freed before procfs entry be removed in bcm_release(),
+this lead to bcm_proc_show() may read the freed bcm_op.
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/bcm.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1572,6 +1572,12 @@ static int bcm_release(struct socket *so
+ 
+ 	lock_sock(sk);
+ 
++#if IS_ENABLED(CONFIG_PROC_FS)
++	/* remove procfs entry */
++	if (net->can.bcmproc_dir && bo->bcm_proc_read)
++		remove_proc_entry(bo->procname, net->can.bcmproc_dir);
++#endif /* CONFIG_PROC_FS */
++
+ 	list_for_each_entry_safe(op, next, &bo->tx_ops, list)
+ 		bcm_remove_op(op);
+ 
+@@ -1607,12 +1613,6 @@ static int bcm_release(struct socket *so
+ 	list_for_each_entry_safe(op, next, &bo->rx_ops, list)
+ 		bcm_remove_op(op);
+ 
+-#if IS_ENABLED(CONFIG_PROC_FS)
+-	/* remove procfs entry */
+-	if (net->can.bcmproc_dir && bo->bcm_proc_read)
+-		remove_proc_entry(bo->procname, net->can.bcmproc_dir);
+-#endif /* CONFIG_PROC_FS */
+-
+ 	/* remove device reference */
+ 	if (bo->bound) {
+ 		bo->bound   = 0;
diff --git a/queue-4.14/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/queue-4.14/fuse-revalidate-don-t-invalidate-if-interrupted.patch
new file mode 100644
index 00000000000..c8e0c5efb28
--- /dev/null
+++ b/queue-4.14/fuse-revalidate-don-t-invalidate-if-interrupted.patch
@@ -0,0 +1,34 @@
+From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 7 Jun 2023 17:49:20 +0200
+Subject: fuse: revalidate: don't invalidate if interrupted
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream.
+
+If the LOOKUP request triggered from fuse_dentry_revalidate() is
+interrupted, then the dentry will be invalidated, possibly resulting in
+submounts being unmounted.
+
+Reported-by: Xu Rongbo <xurongbo@baidu.com>
+Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/
+Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -232,7 +232,7 @@ static int fuse_dentry_revalidate(struct
+ 			spin_unlock(&fc->lock);
+ 		}
+ 		kfree(forget);
+-		if (ret == -ENOMEM)
++		if (ret == -ENOMEM || ret == -EINTR)
+ 			goto out;
+ 		if (ret || fuse_invalid_attr(&outarg.attr) ||
+ 		    (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
diff --git a/queue-4.14/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/queue-4.14/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
new file mode 100644
index 00000000000..ac282bd2634
--- /dev/null
+++ b/queue-4.14/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
@@ -0,0 +1,115 @@
+From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Georg=20M=C3=BCller?= <georgmueller@gmx.net>
+Date: Wed, 28 Jun 2023 10:45:50 +0200
+Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Georg Müller <georgmueller@gmx.net>
+
+commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream.
+
+This patch adds a test to validate that 'perf probe' works for binaries
+where DWARF info is split into multiple CUs
+
+Signed-off-by: Georg Müller <georgmueller@gmx.net>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: regressions@lists.linux.dev
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/shell/test_uprobe_from_different_cu.sh |   77 ++++++++++++++++
+ 1 file changed, 77 insertions(+)
+ create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh
+
+--- /dev/null
++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh
+@@ -0,0 +1,77 @@
++#!/bin/bash
++# test perf probe of function from different CU
++# SPDX-License-Identifier: GPL-2.0
++
++set -e
++
++temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX)
++
++cleanup()
++{
++	trap - EXIT TERM INT
++	if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then
++		echo "--- Cleaning up ---"
++		perf probe -x ${temp_dir}/testfile -d foo
++		rm -f "${temp_dir}/"*
++		rmdir "${temp_dir}"
++	fi
++}
++
++trap_cleanup()
++{
++        cleanup
++        exit 1
++}
++
++trap trap_cleanup EXIT TERM INT
++
++cat > ${temp_dir}/testfile-foo.h << EOF
++struct t
++{
++  int *p;
++  int c;
++};
++
++extern int foo (int i, struct t *t);
++EOF
++
++cat > ${temp_dir}/testfile-foo.c << EOF
++#include "testfile-foo.h"
++
++int
++foo (int i, struct t *t)
++{
++  int j, res = 0;
++  for (j = 0; j < i && j < t->c; j++)
++    res += t->p[j];
++
++  return res;
++}
++EOF
++
++cat > ${temp_dir}/testfile-main.c << EOF
++#include "testfile-foo.h"
++
++static struct t g;
++
++int
++main (int argc, char **argv)
++{
++  int i;
++  int j[argc];
++  g.c = argc;
++  g.p = j;
++  for (i = 0; i < argc; i++)
++    j[i] = (int) argv[i][0];
++  return foo (3, &g);
++}
++EOF
++
++gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o
++gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o
++gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o
++
++perf probe -x ${temp_dir}/testfile --funcs foo
++perf probe -x ${temp_dir}/testfile foo
++
++cleanup
diff --git a/queue-4.14/series b/queue-4.14/series
index 9652e39578c..ec180409888 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -122,3 +122,6 @@ scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
 scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
 scsi-qla2xxx-pointer-may-be-dereferenced.patch
 serial-atmel-don-t-enable-irqs-prematurely.patch
+perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
+fuse-revalidate-don-t-invalidate-if-interrupted.patch
+can-bcm-fix-uaf-in-bcm_proc_show.patch