From: Greg Kroah-Hartman Date: Sat, 23 Apr 2022 11:03:59 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.312~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5de8c709e2a554c19cff9c4533ddb036fdc80015;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch tcp-fix-potential-use-after-free-due-to-double-kfree.patch --- diff --git a/queue-5.4/alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch b/queue-5.4/alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch new file mode 100644 index 00000000000..9fe5ece3c26 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch 
@@ -0,0 +1,41 @@ +From 0665886ad1392e6b5bae85d7a6ccbed48dca1522 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 20 Apr 2022 15:02:47 +0200 +Subject: ALSA: usb-audio: Clear MIDI port active flag after draining + +From: Takashi Iwai + +commit 0665886ad1392e6b5bae85d7a6ccbed48dca1522 upstream. + +When a rawmidi output stream is closed, it calls the drain at first, +then does trigger-off only when the drain returns -ERESTARTSYS as a +fallback. It implies that each driver should turn off the stream +properly after the drain. Meanwhile, USB-audio MIDI interface didn't +change the port->active flag after the drain. This may leave the +output work picking up the port that is closed right now, which +eventually leads to a use-after-free for the already released rawmidi +object. + +This patch fixes the bug by properly clearing the port->active flag +after the output drain. + +Reported-by: syzbot+70e777a39907d6d5fd0a@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/00000000000011555605dceaff03@google.com +Link: https://lore.kernel.org/r/20220420130247.22062-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/midi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1210,6 +1210,7 @@ static void snd_usbmidi_output_drain(str + } while (drain_urbs && timeout); + finish_wait(&ep->drain_wait, &wait); + } ++ port->active = 0; + spin_unlock_irq(&ep->buffer_lock); + } + diff --git a/queue-5.4/series b/queue-5.4/series index b9400841f25..bfc21df7470 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -3,5 +3,7 @@ mm-page_alloc-fix-building-error-on-werror-array-compare.patch tracing-dump-stacktrace-trigger-to-the-corresponding-instance.patch can-usb_8dev-usb_8dev_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch gfs2-assign-rgrp-glock-before-compute_bitstructs.patch -net-sched-cls_u32-fix-netns-refcount-changes-in-u32_change.patch tcp-fix-race-condition-when-creating-child-sockets-f.patch +net-sched-cls_u32-fix-netns-refcount-changes-in-u32_change.patch +tcp-fix-potential-use-after-free-due-to-double-kfree.patch +alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch diff --git a/queue-5.4/tcp-fix-potential-use-after-free-due-to-double-kfree.patch b/queue-5.4/tcp-fix-potential-use-after-free-due-to-double-kfree.patch new file mode 100644 index 00000000000..567379809ee --- /dev/null +++ b/queue-5.4/tcp-fix-potential-use-after-free-due-to-double-kfree.patch 
@@ -0,0 +1,76 @@ +From c89dffc70b340780e5b933832d8c3e045ef3791e Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Mon, 18 Jan 2021 14:59:20 +0900 +Subject: tcp: Fix potential use-after-free due to double kfree() + +From: Kuniyuki Iwashima + +commit c89dffc70b340780e5b933832d8c3e045ef3791e upstream. + +Receiving ACK with a valid SYN cookie, cookie_v4_check() allocates struct +request_sock and then can allocate inet_rsk(req)->ireq_opt. After that, +tcp_v4_syn_recv_sock() allocates struct sock and copies ireq_opt to +inet_sk(sk)->inet_opt. Normally, tcp_v4_syn_recv_sock() inserts the full +socket into ehash and sets NULL to ireq_opt. Otherwise, +tcp_v4_syn_recv_sock() has to reset inet_opt by NULL and free the full +socket. + +The commit 01770a1661657 ("tcp: fix race condition when creating child +sockets from syncookies") added a new path, in which more than one cores +create full sockets for the same SYN cookie. Currently, the core which +loses the race frees the full socket without resetting inet_opt, resulting +in that both sock_put() and reqsk_put() call kfree() for the same memory: + + sock_put + sk_free + __sk_free + sk_destruct + __sk_destruct + sk->sk_destruct/inet_sock_destruct + kfree(rcu_dereference_protected(inet->inet_opt, 1)); + + reqsk_put + reqsk_free + __reqsk_free + req->rsk_ops->destructor/tcp_v4_reqsk_destructor + kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1)); + +Calling kmalloc() between the double kfree() can lead to use-after-free, so +this patch fixes it by setting NULL to inet_opt before sock_put(). + +As a side note, this kind of issue does not happen for IPv6. This is +because tcp_v6_syn_recv_sock() clones both ipv6_opt and pktopts which +correspond to ireq_opt in IPv4. 
+ +Fixes: 01770a166165 ("tcp: fix race condition when creating child sockets from syncookies") +CC: Ricardo Dias +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Benjamin Herrenschmidt +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20210118055920.82516-1-kuniyu@amazon.co.jp +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1503,6 +1503,8 @@ struct sock *tcp_v4_syn_recv_sock(const + tcp_move_syn(newtp, req); + ireq->ireq_opt = NULL; + } else { ++ newinet->inet_opt = NULL; ++ + if (!req_unhash && found_dup_sk) { + /* This code path should only be executed in the + * syncookie case only +@@ -1510,8 +1512,6 @@ struct sock *tcp_v4_syn_recv_sock(const + bh_unlock_sock(newsk); + sock_put(newsk); + newsk = NULL; +- } else { +- newinet->inet_opt = NULL; + } + } + return newsk;
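Review bot: In the queue-5.4/series hunk, the ordering is the point to check, and it looks right: tcp-fix-potential-use-after-free-due-to-double-kfree.patch is listed after tcp-fix-race-condition-when-creating-child-sockets-f.patch, which matches the new patch's `Fixes: 01770a166165 ("tcp: fix race condition when creating child sockets from syncookies")` tag, so the fix cannot be applied before the commit that introduced the duplicate-socket path. The removal and re-addition of net-sched-cls_u32-fix-netns-refcount-changes-in-u32_change.patch only moves it below the tcp race fix; worth a one-line note in the queue that this reorder is intentional, since a reviewer skimming the `-`/`+` pair might read it as a dropped patch.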
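Review bot: In the sound/usb/midi.c hunk, the new `port->active = 0;` sits after the `} while (drain_urbs && timeout);` loop and before `spin_unlock_irq(&ep->buffer_lock);`, so it is cleared under the buffer lock and also on the timeout path; that is what the close sequence described in the commit message needs, because rawmidi close only falls back to trigger-off when drain returns -ERESTARTSYS, and without the clear the output work could still select the port after the rawmidi object is released. The hunk does not show the start of `snd_usbmidi_output_drain()`, so please confirm there is no early return before this point that would skip the clear; a short comment above the line ("drain is the last chance to stop the output work from using this port") would make the ownership hand-off obvious to the next reader.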
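Review bot: In the net/ipv4/tcp_ipv4.c hunks, hoisting `newinet->inet_opt = NULL;` to the top of the outer `else` is the right fix, since the `found_dup_sk` branch now only runs `bh_unlock_sock(newsk); sock_put(newsk); newsk = NULL;` between the reset and the free, so `inet_sock_destruct` can no longer kfree() the options that `tcp_v4_reqsk_destructor` will also free via `ireq_opt`. Two requests: add a comment at the new assignment stating that `ireq_opt` stays owned by `req` on every path in this branch, and keep the `@@ -1510` hunk's now-empty `else` removal as-is rather than leaving a bare brace, which the diff already does correctly. The commit message cites the offending commit as `01770a1661657` while the Fixes: tag uses `01770a166165`; both resolve to the same commit, but the stable tooling keys on the Fixes: line, so that one is the one to keep exact.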