From: Greg Kroah-Hartman
Date: Wed, 12 Jun 2024 14:49:57 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v4.19.316~109
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93212887ff65745945c65df1e0df8634b32be7cf;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
f2fs-fix-to-do-sanity-check-on-i_xattr_nid-in-sanity_check_inode.patch
media-lgdt3306a-add-a-check-against-null-pointer-def.patch
netfilter-nf_tables-fix-potential-data-race-in-__nft_obj_type_get.patch
netfilter-nf_tables-restrict-tunnel-object-to-nfproto_netdev.patch
---
diff --git a/queue-5.10/f2fs-fix-to-do-sanity-check-on-i_xattr_nid-in-sanity_check_inode.patch b/queue-5.10/f2fs-fix-to-do-sanity-check-on-i_xattr_nid-in-sanity_check_inode.patch
new file mode 100644
index 00000000000..572baefd018
--- /dev/null
+++ b/queue-5.10/f2fs-fix-to-do-sanity-check-on-i_xattr_nid-in-sanity_check_inode.patch
@@ -0,0 +1,69 @@
+From 20faaf30e55522bba2b56d9c46689233205d7717 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Thu, 25 Apr 2024 16:58:38 +0800
+Subject: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
+
+From: Chao Yu
+
+commit 20faaf30e55522bba2b56d9c46689233205d7717 upstream.
+
+syzbot reports a kernel bug as below:
+
+F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4
+==================================================================
+BUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]
+BUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]
+BUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600
+Read of size 1 at addr ffff88807a58c76c by task syz-executor280/5076
+
+CPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]
+ current_nat_addr fs/f2fs/node.h:213 [inline]
+ f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600
+ f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]
+ f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925
+ ioctl_fiemap fs/ioctl.c:220 [inline]
+ do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838
+ __do_sys_ioctl fs/ioctl.c:902 [inline]
+ __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is we missed to do sanity check on i_xattr_nid during
+f2fs_iget(), so that in fiemap() path, current_nat_addr() will access
+nat_bitmap w/ offset from invalid i_xattr_nid, result in triggering
+kasan bug report, fix it.
+
+Reported-and-tested-by: syzbot+3694e283cf5c40df6d14@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/00000000000094036c0616e72a1d@google.com
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -326,6 +326,12 @@ static bool sanity_check_inode(struct in
+ }
+ }
+
++ if (fi->i_xattr_nid && f2fs_check_nid_range(sbi, fi->i_xattr_nid)) {
++ f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_xattr_nid: %u, run fsck to fix.",
++ __func__, inode->i_ino, fi->i_xattr_nid);
++ return false;
++ }
++
+ return true;
+ }
diff --git a/queue-5.10/media-lgdt3306a-add-a-check-against-null-pointer-def.patch b/queue-5.10/media-lgdt3306a-add-a-check-against-null-pointer-def.patch
new file mode 100644
index 00000000000..52d475b88d2
--- /dev/null
+++ b/queue-5.10/media-lgdt3306a-add-a-check-against-null-pointer-def.patch
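Review bot: The new i_xattr_nid check in sanity_check_inode() returns false right after the f2fs_warn() without marking the superblock for fsck, even though the message tells the operator to run fsck; if the sibling checks earlier in this function (which begins outside the hunk) set SBI_NEED_FSCK before returning false in the 5.10 tree, as I believe they do, this branch should match them with `set_sbi_flag(sbi, SBI_NEED_FSCK);` ahead of the warning. The reason for the check lives only in the commit message, so a short why-comment on the `if` would help the next reader: `/* i_xattr_nid is read from disk and used by current_nat_addr() as a nat_bitmap offset; reject out-of-range values before any lookup */`.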
@@ -0,0 +1,51 @@
+From c1115ddbda9c930fba0fdd062e7a8873ebaf898d Mon Sep 17 00:00:00 2001
+From: Zheyu Ma
+Date: Tue, 5 Apr 2022 10:50:18 +0100
+Subject: media: lgdt3306a: Add a check against null-pointer-def
+
+From: Zheyu Ma
+
+commit c1115ddbda9c930fba0fdd062e7a8873ebaf898d upstream.
+
+The driver should check whether the client provides the platform_data.
+
+The following log reveals it:
+
+[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40
+[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414
+[ 29.612820] Call Trace:
+[ 29.613030]
+[ 29.613201] dump_stack_lvl+0x56/0x6f
+[ 29.613496] ? kmemdup+0x30/0x40
+[ 29.613754] print_report.cold+0x494/0x6b7
+[ 29.614082] ? kmemdup+0x30/0x40
+[ 29.614340] kasan_report+0x8a/0x190
+[ 29.614628] ? kmemdup+0x30/0x40
+[ 29.614888] kasan_check_range+0x14d/0x1d0
+[ 29.615213] memcpy+0x20/0x60
+[ 29.615454] kmemdup+0x30/0x40
+[ 29.615700] lgdt3306a_probe+0x52/0x310
+[ 29.616339] i2c_device_probe+0x951/0xa90
+
+Link: https://lore.kernel.org/linux-media/20220405095018.3993578-1-zheyuma97@gmail.com
+Signed-off-by: Zheyu Ma
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/dvb-frontends/lgdt3306a.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/dvb-frontends/lgdt3306a.c
++++ b/drivers/media/dvb-frontends/lgdt3306a.c
+@@ -2213,6 +2213,11 @@ static int lgdt3306a_probe(struct i2c_cl
+ struct dvb_frontend *fe;
+ int ret;
+
++ if (!client->dev.platform_data) {
++ dev_err(&client->dev, "platform data is mandatory\n");
++ return -EINVAL;
++ }
++
+ config = kmemdup(client->dev.platform_data,
+ sizeof(struct lgdt3306a_config), GFP_KERNEL);
+ if (config == NULL) {
diff --git a/queue-5.10/netfilter-nf_tables-fix-potential-data-race-in-__nft_obj_type_get.patch b/queue-5.10/netfilter-nf_tables-fix-potential-data-race-in-__nft_obj_type_get.patch
new file mode 100644
index 00000000000..330c5c918a0
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-fix-potential-data-race-in-__nft_obj_type_get.patch
@@ -0,0 +1,53 @@
+From d78d867dcea69c328db30df665be5be7d0148484 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan
+Date: Sun, 7 Apr 2024 14:56:05 +0800
+Subject: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
+
+From: Ziyang Xuan
+
+commit d78d867dcea69c328db30df665be5be7d0148484 upstream.
+
+nft_unregister_obj() can concurrent with __nft_obj_type_get(),
+and there is not any protection when iterate over nf_tables_objects
+list in __nft_obj_type_get(). Therefore, there is potential data-race
+of nf_tables_objects list entry.
+
+Use list_for_each_entry_rcu() to iterate over nf_tables_objects
+list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
+nft_obj_type_get() to protect the entire type query process.
+
+Fixes: e50092404c1b ("netfilter: nf_tables: add stateful objects")
+Signed-off-by: Ziyang Xuan
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Kuntal Nayak
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6238,7 +6238,7 @@ static const struct nft_object_type *__n
+ {
+ const struct nft_object_type *type;
+
+- list_for_each_entry(type, &nf_tables_objects, list) {
++ list_for_each_entry_rcu(type, &nf_tables_objects, list) {
+ if (type->family != NFPROTO_UNSPEC &&
+ type->family != family)
+ continue;
+@@ -6254,9 +6254,13 @@ nft_obj_type_get(struct net *net, u32 ob
+ {
+ const struct nft_object_type *type;
+
++ rcu_read_lock();
+ type = __nft_obj_type_get(objtype, family);
+- if (type != NULL && try_module_get(type->owner))
++ if (type != NULL && try_module_get(type->owner)) {
++ rcu_read_unlock();
+ return type;
++ }
++ rcu_read_unlock();
+
+ lockdep_nfnl_nft_mutex_not_held();
+ #ifdef CONFIG_MODULES
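Review bot: __nft_obj_type_get() now walks nf_tables_objects with list_for_each_entry_rcu(), but its other caller, the NLM_F_REPLACE update path in nf_tables_newobj() (visible in the sibling tunnel-restriction patch), reaches it without rcu_read_lock(), presumably relying on the nfnl mutex instead; with CONFIG_PROVE_RCU_LIST that walk is likely to trip the "RCU-list traversed in non-reader section" check unless the lock is passed as the cond argument, e.g. `list_for_each_entry_rcu(type, &nf_tables_objects, list, lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES))`. Worth confirming against the 5.10 nf_tables_api.c that the update path does hold the mutex there, since only the hunk lines are visible. A one-line comment at the new rcu_read_lock() saying that the read section covers only the list walk and that the try_module_get() reference is what keeps the type alive after rcu_read_unlock() would make the locking intent explicit.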
diff --git a/queue-5.10/netfilter-nf_tables-restrict-tunnel-object-to-nfproto_netdev.patch b/queue-5.10/netfilter-nf_tables-restrict-tunnel-object-to-nfproto_netdev.patch
new file mode 100644
index 00000000000..6db0a2d4213
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-restrict-tunnel-object-to-nfproto_netdev.patch
@@ -0,0 +1,102 @@
+From 776d451648443f9884be4a1b4e38e8faf1c621f9 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 23 Jan 2024 23:45:32 +0100
+Subject: netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
+
+From: Pablo Neira Ayuso
+
+commit 776d451648443f9884be4a1b4e38e8faf1c621f9 upstream.
+
+Bail out on using the tunnel dst template from other than netdev family.
+Add the infrastructure to check for the family in objects.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Signed-off-by: Pablo Neira Ayuso
+[KN: Backport patch according to v5.10.x source]
+Signed-off-by: Kuntal Nayak
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netfilter/nf_tables.h | 2 ++
+ net/netfilter/nf_tables_api.c | 14 +++++++++-----
+ net/netfilter/nft_tunnel.c | 1 +
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -1174,6 +1174,7 @@ void nft_obj_notify(struct net *net, con
+ * @type: stateful object numeric type
+ * @owner: module owner
+ * @maxattr: maximum netlink attribute
++ * @family: address family for AF-specific object types
+ * @policy: netlink attribute policy
+ */
+ struct nft_object_type {
+@@ -1183,6 +1184,7 @@ struct nft_object_type {
+ struct list_head list;
+ u32 type;
+ unsigned int maxattr;
++ u8 family;
+ struct module *owner;
+ const struct nla_policy *policy;
+ };
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6234,11 +6234,15 @@ nla_put_failure:
+ return -1;
+ }
+
+-static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
++static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
+ {
+ const struct nft_object_type *type;
+
+ list_for_each_entry(type, &nf_tables_objects, list) {
++ if (type->family != NFPROTO_UNSPEC &&
++ type->family != family)
++ continue;
++
+ if (objtype == type->type)
+ return type;
+ }
+@@ -6246,11 +6250,11 @@ static const struct nft_object_type *__n
+ }
+
+ static const struct nft_object_type *
+-nft_obj_type_get(struct net *net, u32 objtype)
++nft_obj_type_get(struct net *net, u32 objtype, u8 family)
+ {
+ const struct nft_object_type *type;
+
+- type = __nft_obj_type_get(objtype);
++ type = __nft_obj_type_get(objtype, family);
+ if (type != NULL && try_module_get(type->owner))
+ return type;
+
+@@ -6343,7 +6347,7 @@ static int nf_tables_newobj(struct net *
+ if (nlh->nlmsg_flags & NLM_F_REPLACE)
+ return -EOPNOTSUPP;
+
+- type = __nft_obj_type_get(objtype);
++ type = __nft_obj_type_get(objtype, family);
+ nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
+
+ return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
+@@ -6354,7 +6358,7 @@ static int nf_tables_newobj(struct net *
+ if (!nft_use_inc(&table->use))
+ return -EMFILE;
+
+- type = nft_obj_type_get(net, objtype);
++ type = nft_obj_type_get(net, objtype, family);
+ if (IS_ERR(type)) {
+ err = PTR_ERR(type);
+ goto err_type;
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -684,6 +684,7 @@ static const struct nft_object_ops nft_t
+
+ static struct nft_object_type nft_tunnel_obj_type __read_mostly = {
+ .type = NFT_OBJECT_TUNNEL,
++ .family = NFPROTO_NETDEV,
+ .ops = &nft_tunnel_obj_ops,
+ .maxattr = NFTA_TUNNEL_KEY_MAX,
+ .policy = nft_tunnel_key_policy,
diff --git a/queue-5.10/series b/queue-5.10/series
index 3688166aea2..c48d4f9a4f6 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
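Review bot: In the update branch of nf_tables_newobj(), `type = __nft_obj_type_get(objtype, family);` can now come back NULL, because the lookup is filtered by family while the object being updated already exists, and the result is handed straight to nf_tables_updobj(), which is outside the hunk and presumably dereferences it. Mainline, as far as I recall, guards that spot with `if (WARN_ON_ONCE(!type)) return -ENOENT;` right after the lookup; the backport should either carry the same two lines or confirm against the 5.10 tree that the guard is unnecessary there. The kernel-doc added for @family would also benefit from stating that the zero value, NFPROTO_UNSPEC, means "any family", since the other nft_object_type definitions leave the field zero-initialized and rely on that default: `* @family: address family for AF-specific object types (NFPROTO_UNSPEC: any family)`.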
@@ -270,3 +270,7 @@ afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
 nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
 vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch
 x86-mm-remove-broken-vsyscall-emulation-code-from-the-page-fault-code.patch
+netfilter-nf_tables-restrict-tunnel-object-to-nfproto_netdev.patch
+netfilter-nf_tables-fix-potential-data-race-in-__nft_obj_type_get.patch
+f2fs-fix-to-do-sanity-check-on-i_xattr_nid-in-sanity_check_inode.patch
+media-lgdt3306a-add-a-check-against-null-pointer-def.patch