From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 27 Sep 2024 07:54:33 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v6.1.112~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6646ae22a63996ee5b4cb6d337812701bffdca52;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch
	netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
	netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
---

diff --git a/queue-5.10/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch b/queue-5.10/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch
new file mode 100644
index 00000000000..29485eaa005
--- /dev/null
+++ b/queue-5.10/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch
@@ -0,0 +1,50 @@
+From d795848ecce24a75dfd46481aee066ae6fe39775 Mon Sep 17 00:00:00 2001
+From: Hagar Hemdan <hagarhem@amazon.com>
+Date: Thu, 23 May 2024 08:53:32 +0000
+Subject: gpio: prevent potential speculation leaks in gpio_device_get_desc()
+
+From: Hagar Hemdan <hagarhem@amazon.com>
+
+commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream.
+
+Userspace may trigger a speculative read of an address outside the gpio
+descriptor array.
+Users can do that by calling gpio_ioctl() with an offset out of range.
+Offset is copied from user and then used as an array index to get
+the gpio descriptor without sanitization in gpio_device_get_desc().
+
+This change ensures that the offset is sanitized by using
+array_index_nospec() to mitigate any possibility of speculative
+information leaks.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
+Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -4,6 +4,7 @@
+ #include <linux/module.h>
+ #include <linux/interrupt.h>
+ #include <linux/irq.h>
++#include <linux/nospec.h>
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
+ #include <linux/device.h>
+@@ -143,7 +144,7 @@ struct gpio_desc *gpiochip_get_desc(stru
+ 	if (hwnum >= gdev->ngpio)
+ 		return ERR_PTR(-EINVAL);
+ 
+-	return &gdev->descs[hwnum];
++	return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)];
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_get_desc);
+ 
diff --git a/queue-5.10/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch b/queue-5.10/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
new file mode 100644
index 00000000000..29b1f3ede86
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
@@ -0,0 +1,45 @@
+From stable+bounces-76616-greg=kroah.com@vger.kernel.org Tue Sep 17 22:26:07 2024
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 17 Sep 2024 22:25:50 +0200
+Subject: netfilter: nf_tables: missing iterator type in lookup walk
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Message-ID: <20240917202550.188220-3-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit efefd4f00c967d00ad7abe092554ffbb70c1a793 upstream.
+
+Add missing decorator type to lookup expression and tighten WARN_ON_ONCE
+check in pipapo to spot earlier that this is unset.
+
+Fixes: 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_lookup.c     |    1 +
+ net/netfilter/nft_set_pipapo.c |    3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -207,6 +207,7 @@ static int nft_lookup_validate(const str
+ 		return 0;
+ 
+ 	iter.genmask	= nft_genmask_next(ctx->net);
++	iter.type	= NFT_ITER_UPDATE;
+ 	iter.skip	= 0;
+ 	iter.count	= 0;
+ 	iter.err	= 0;
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2030,7 +2030,8 @@ static void nft_pipapo_walk(const struct
+ 	struct nft_pipapo_field *f;
+ 	int i, r;
+ 
+-	WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
++	WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
++		     iter->type != NFT_ITER_UPDATE);
+ 
+ 	rcu_read_lock();
+ 	if (iter->type == NFT_ITER_READ)
diff --git a/queue-5.10/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch b/queue-5.10/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
new file mode 100644
index 00000000000..4091bd09b7e
--- /dev/null
+++ b/queue-5.10/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
@@ -0,0 +1,114 @@
+From stable+bounces-76617-greg=kroah.com@vger.kernel.org Tue Sep 17 22:26:07 2024
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 17 Sep 2024 22:25:49 +0200
+Subject: netfilter: nft_set_pipapo: walk over current view on netlink dump
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Message-ID: <20240917202550.188220-2-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 29b359cf6d95fd60730533f7f10464e95bd17c73 upstream.
+
+The generation mask can be updated while netlink dump is in progress.
+The pipapo set backend walk iterator cannot rely on it to infer what
+view of the datastructure is to be used. Add notation to specify if user
+wants to read/update the set.
+
+Based on patch from Florian Westphal.
+
+Fixes: 2b84e215f874 ("netfilter: nft_set_pipapo: .walk does not deal with generations")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_tables.h |   13 +++++++++++++
+ net/netfilter/nf_tables_api.c     |    5 +++++
+ net/netfilter/nft_set_pipapo.c    |    5 +++--
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -262,9 +262,22 @@ struct nft_set_elem {
+ 	void			*priv;
+ };
+ 
++/**
++ * enum nft_iter_type - nftables set iterator type
++ *
++ * @NFT_ITER_READ: read-only iteration over set elements
++ * @NFT_ITER_UPDATE: iteration under mutex to update set element state
++ */
++enum nft_iter_type {
++	NFT_ITER_UNSPEC,
++	NFT_ITER_READ,
++	NFT_ITER_UPDATE,
++};
++
+ struct nft_set;
+ struct nft_set_iter {
+ 	u8		genmask;
++	enum nft_iter_type type:8;
+ 	unsigned int	count;
+ 	unsigned int	skip;
+ 	int		err;
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -594,6 +594,7 @@ static void nft_map_deactivate(const str
+ {
+ 	struct nft_set_iter iter = {
+ 		.genmask	= nft_genmask_next(ctx->net),
++		.type		= NFT_ITER_UPDATE,
+ 		.fn		= nft_mapelem_deactivate,
+ 	};
+ 
+@@ -4777,6 +4778,7 @@ int nf_tables_bind_set(const struct nft_
+ 		}
+ 
+ 		iter.genmask	= nft_genmask_next(ctx->net);
++		iter.type	= NFT_ITER_UPDATE;
+ 		iter.skip 	= 0;
+ 		iter.count	= 0;
+ 		iter.err	= 0;
+@@ -4830,6 +4832,7 @@ static void nft_map_activate(const struc
+ {
+ 	struct nft_set_iter iter = {
+ 		.genmask	= nft_genmask_next(ctx->net),
++		.type		= NFT_ITER_UPDATE,
+ 		.fn		= nft_mapelem_activate,
+ 	};
+ 
+@@ -5142,6 +5145,7 @@ static int nf_tables_dump_set(struct sk_
+ 	args.cb			= cb;
+ 	args.skb		= skb;
+ 	args.iter.genmask	= nft_genmask_cur(net);
++	args.iter.type		= NFT_ITER_READ;
+ 	args.iter.skip		= cb->args[0];
+ 	args.iter.count		= 0;
+ 	args.iter.err		= 0;
+@@ -6065,6 +6069,7 @@ static int nf_tables_delsetelem(struct n
+ 	if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
+ 		struct nft_set_iter iter = {
+ 			.genmask	= genmask,
++			.type		= NFT_ITER_UPDATE,
+ 			.fn		= nft_flush_set,
+ 		};
+ 		set->ops->walk(&ctx, set, &iter);
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2026,13 +2026,14 @@ static void nft_pipapo_walk(const struct
+ 			    struct nft_set_iter *iter)
+ {
+ 	struct nft_pipapo *priv = nft_set_priv(set);
+-	struct net *net = read_pnet(&set->net);
+ 	struct nft_pipapo_match *m;
+ 	struct nft_pipapo_field *f;
+ 	int i, r;
+ 
++	WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
++
+ 	rcu_read_lock();
+-	if (iter->genmask == nft_genmask_cur(net))
++	if (iter->type == NFT_ITER_READ)
+ 		m = rcu_dereference(priv->match);
+ 	else
+ 		m = priv->clone;
diff --git a/queue-5.10/series b/queue-5.10/series
index e287deae1fd..5f5f2464580 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -42,3 +42,6 @@ x86-hyperv-set-x86_feature_tsc_known_freq-when-hyper.patch
 ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
 ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xatt.patch
 cgroup-make-operations-on-the-cgroup-root_list-rcu-s.patch
+netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
+netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
+gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch