From: Sasha Levin Date: Mon, 30 Jan 2023 03:56:04 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v5.10.166~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96d41d4f374e18e464fb48dd025d663da6606bf0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch b/queue-4.19/ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch new file mode 100644 index 00000000000..dff2f135632 --- /dev/null +++ b/queue-4.19/ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch @@ -0,0 +1,49 @@ +From 70daf68521d8d0933c917e68c32ae83db8053f31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 13:30:40 +0000 +Subject: ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() + +From: Eric Dumazet + +[ Upstream commit 1d1d63b612801b3f0a39b7d4467cad0abd60e5c8 ] + +if (!type) + continue; + if (type > RTAX_MAX) + return -EINVAL; + ... + metrics[type - 1] = val; + +@type being used as an array index, we need to prevent +cpu speculation or risk leaking kernel memory content. + +Fixes: 6cf9dfd3bd62 ("net: fib: move metrics parsing to a helper") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230120133040.3623463-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/metrics.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/metrics.c b/net/ipv4/metrics.c +index 04311f7067e2..9a6b01d85cd0 100644 +--- a/net/ipv4/metrics.c ++++ b/net/ipv4/metrics.c +@@ -1,4 +1,5 @@ + #include ++#include + #include + #include + #include +@@ -24,6 +25,7 @@ int ip_metrics_convert(struct net *net, struct nlattr *fc_mx, int fc_mx_len, + if (type > RTAX_MAX) + return -EINVAL; + ++ type = array_index_nospec(type, RTAX_MAX + 1); + if (type == RTAX_CC_ALGO) { + char tmp[TCP_CA_NAME_MAX]; + +-- +2.39.0 + 
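Review bot: the `++ #include` line in this hunk has lost its header name in extraction, so a reader cannot check that the backport adds the header declaring array_index_nospec(); upstream takes it from linux/nospec.h, which 4.19 already carries, and the queued file should be verified for exactly that include. The clamp itself is placed correctly: it follows both the `if (!type) continue;` and `if (type > RTAX_MAX) return -EINVAL;` rejections and precedes the first indexed use, so every later `metrics[type - 1]` access sees a masked value. One caveat worth a one-line comment at the clamp: the bound is applied to `type` with size `RTAX_MAX + 1`, while the array is indexed by `type - 1`, so a mis-speculated out-of-range `type` is forced to 0 and the index to -1, a fixed one-element underflow rather than an attacker-chosen offset; that is fine for a speculation barrier but is not obvious from the code.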
diff --git a/queue-4.19/net-fix-uaf-in-netns-ops-registration-error-path.patch b/queue-4.19/net-fix-uaf-in-netns-ops-registration-error-path.patch new file mode 100644 index 00000000000..50b5d8ad42b --- /dev/null +++ b/queue-4.19/net-fix-uaf-in-netns-ops-registration-error-path.patch 
@@ -0,0 +1,84 @@ +From 1141f92920cd4ca75cf493156256b697a22c44f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 19:55:45 +0100 +Subject: net: fix UaF in netns ops registration error path + +From: Paolo Abeni + +[ Upstream commit 71ab9c3e2253619136c31c89dbb2c69305cc89b1 ] + +If net_assign_generic() fails, the current error path in ops_init() tries +to clear the gen pointer slot. Anyway, in such error path, the gen pointer +itself has not been modified yet, and the existing and accessed one is +smaller than the accessed index, causing an out-of-bounds error: + + BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320 + Write of size 8 at addr ffff888109124978 by task modprobe/1018 + + CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014 + Call Trace: + + dump_stack_lvl+0x6a/0x9f + print_address_description.constprop.0+0x86/0x2b5 + print_report+0x11b/0x1fb + kasan_report+0x87/0xc0 + ops_init+0x2de/0x320 + register_pernet_operations+0x2e4/0x750 + register_pernet_subsys+0x24/0x40 + tcf_register_action+0x9f/0x560 + do_one_initcall+0xf9/0x570 + do_init_module+0x190/0x650 + load_module+0x1fa5/0x23c0 + __do_sys_finit_module+0x10d/0x1b0 + do_syscall_64+0x58/0x80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + RIP: 0033:0x7f42518f778d + Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 + 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff + ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48 + RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 + RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d + RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003 + RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 + R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000 + + +This 
change addresses the issue by skipping the gen pointer +de-reference in the mentioned error-path. + +Found by code inspection and verified with explicit error injection +on a kasan-enabled kernel. + +Fixes: d266935ac43d ("net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed") +Signed-off-by: Paolo Abeni +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/cec4e0f3bb2c77ac03a6154a8508d3930beb5f0f.1674154348.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/net_namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index 56c240c98a56..a87774424829 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -132,12 +132,12 @@ static int ops_init(const struct pernet_operations *ops, struct net *net) + return 0; + + if (ops->id && ops->size) { +-cleanup: + ng = rcu_dereference_protected(net->gen, + lockdep_is_held(&pernet_ops_rwsem)); + ng->ptr[*ops->id] = NULL; + } + ++cleanup: + kfree(data); + + out: +-- +2.39.0 + diff --git a/queue-4.19/net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch b/queue-4.19/net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch new file mode 100644 index 00000000000..e5c3b8445ee --- /dev/null +++ b/queue-4.19/net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch 
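Review bot: on the net/core/net_namespace.c ops_init() hunk above, relocating `cleanup:` below the `if (ops->id && ops->size)` block is the right fix, but nothing at the label records why: the `goto cleanup` at the net_assign_generic() failure site lies outside this diff, and a future reader who sees kfree(data) without the `ng->ptr[*ops->id] = NULL;` store may "restore" it. Suggest a one-line comment at `cleanup:` saying that net->gen has not been replaced on that path, so `ng->ptr[*ops->id]` may index past the end of the current, smaller array (the KASAN slab-out-of-bounds in the commit message). The fall-through from `return 0;` still reaches the `ng->ptr` reset when ops->init() fails, which is the case d266935ac43d targeted, so that cleanup is preserved, and kfree(data) remains correct on both paths because the slot never took ownership of `data` when net_assign_generic() failed.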
@@ -0,0 +1,49 @@ +From 1e5ed7269260567ae2ccfc1e28cc0a8d1fc1566b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 09:02:11 +0900 +Subject: net: ravb: Fix possible hang if RIS2_QFF1 happen + +From: Yoshihiro Shimoda + +[ Upstream commit f3c07758c9007a6bfff5290d9e19d3c41930c897 ] + +Since this driver enables the interrupt by RIC2_QFE1, this driver +should clear the interrupt flag if it happens. Otherwise, the interrupt +causes to hang the system. + +Note that this also fix a minor coding style (a comment indentation) +around the fixed code. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index ff374d0d80a7..a1906804c139 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -738,14 +738,14 @@ static void ravb_error_interrupt(struct net_device *ndev) + ravb_write(ndev, ~(EIS_QFS | EIS_RESERVED), EIS); + if (eis & EIS_QFS) { + ris2 = ravb_read(ndev, RIS2); +- ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF | RIS2_RESERVED), ++ ravb_write(ndev, ~(RIS2_QFF0 | RIS2_QFF1 | RIS2_RFFF | RIS2_RESERVED), + RIS2); + + /* Receive Descriptor Empty int */ + if (ris2 & RIS2_QFF0) + priv->stats[RAVB_BE].rx_over_errors++; + +- /* Receive Descriptor Empty int */ ++ /* Receive Descriptor Empty int */ + if (ris2 & RIS2_QFF1) + priv->stats[RAVB_NC].rx_over_errors++; + +-- +2.39.0 + diff --git a/queue-4.19/net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch b/queue-4.19/net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch new file mode 100644 index 00000000000..d01d2e58d1e --- /dev/null +++ b/queue-4.19/net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch 
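Review bot: on the ravb_main.c ravb_error_interrupt() hunk above, adding RIS2_QFF1 to the clear mask written back to RIS2 lines up with the `if (ris2 & RIS2_QFF1)` branch that already counts the event, so the flag is no longer left asserted and the interrupt stops re-firing; what the hunk does not improve is that the RAVB_BE and RAVB_NC branches carry the identical comment `/* Receive Descriptor Empty int */`, and the reindent only fixes whitespace. Naming the queue in each comment (best-effort queue for QFF0, network-control queue for QFF1) would let a reader check the pairing between the mask bits and the two stats counters at a glance.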
@@ -0,0 +1,119 @@ +From 6c45fd8472ed235c0a8d400ca5733f12301560f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 13:53:39 -0500 +Subject: net/tg3: resolve deadlock in tg3_reset_task() during EEH + +From: David Christensen + +[ Upstream commit 6c4ca03bd890566d873e3593b32d034bf2f5a087 ] + +During EEH error injection testing, a deadlock was encountered in the tg3 +driver when tg3_io_error_detected() was attempting to cancel outstanding +reset tasks: + +crash> foreach UN bt +... +PID: 159 TASK: c0000000067c6000 CPU: 8 COMMAND: "eehd" +... + #5 [c00000000681f990] __cancel_work_timer at c00000000019fd18 + #6 [c00000000681fa30] tg3_io_error_detected at c00800000295f098 [tg3] + #7 [c00000000681faf0] eeh_report_error at c00000000004e25c +... + +PID: 290 TASK: c000000036e5f800 CPU: 6 COMMAND: "kworker/6:1" +... + #4 [c00000003721fbc0] rtnl_lock at c000000000c940d8 + #5 [c00000003721fbe0] tg3_reset_task at c008000002969358 [tg3] + #6 [c00000003721fc60] process_one_work at c00000000019e5c4 +... + +PID: 296 TASK: c000000037a65800 CPU: 21 COMMAND: "kworker/21:1" +... + #4 [c000000037247bc0] rtnl_lock at c000000000c940d8 + #5 [c000000037247be0] tg3_reset_task at c008000002969358 [tg3] + #6 [c000000037247c60] process_one_work at c00000000019e5c4 +... + +PID: 655 TASK: c000000036f49000 CPU: 16 COMMAND: "kworker/16:2" +...:1 + + #4 [c0000000373ebbc0] rtnl_lock at c000000000c940d8 + #5 [c0000000373ebbe0] tg3_reset_task at c008000002969358 [tg3] + #6 [c0000000373ebc60] process_one_work at c00000000019e5c4 +... + +Code inspection shows that both tg3_io_error_detected() and +tg3_reset_task() attempt to acquire the RTNL lock at the beginning of +their code blocks. If tg3_reset_task() should happen to execute between +the times when tg3_io_error_detected() acquires the RTNL lock and +tg3_reset_task_cancel() is called, a deadlock will occur. 
+ +Moving tg3_reset_task_cancel() call earlier within the code block, prior +to acquiring RTNL, prevents this from happening, but also exposes another +deadlock issue where tg3_reset_task() may execute AFTER +tg3_io_error_detected() has executed: + +crash> foreach UN bt +PID: 159 TASK: c0000000067d2000 CPU: 9 COMMAND: "eehd" +... + #4 [c000000006867a60] rtnl_lock at c000000000c940d8 + #5 [c000000006867a80] tg3_io_slot_reset at c0080000026c2ea8 [tg3] + #6 [c000000006867b00] eeh_report_reset at c00000000004de88 +... +PID: 363 TASK: c000000037564000 CPU: 6 COMMAND: "kworker/6:1" +... + #3 [c000000036c1bb70] msleep at c000000000259e6c + #4 [c000000036c1bba0] napi_disable at c000000000c6b848 + #5 [c000000036c1bbe0] tg3_reset_task at c0080000026d942c [tg3] + #6 [c000000036c1bc60] process_one_work at c00000000019e5c4 +... + +This issue can be avoided by aborting tg3_reset_task() if EEH error +recovery is already in progress. + +Fixes: db84bf43ef23 ("tg3: tg3_reset_task() needs to use rtnl_lock to synchronize") +Signed-off-by: David Christensen +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230124185339.225806-1-drc@linux.vnet.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index d1ca3d3f51a7..2cf144bbef3e 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -11189,7 +11189,7 @@ static void tg3_reset_task(struct work_struct *work) + rtnl_lock(); + tg3_full_lock(tp, 0); + +- if (!netif_running(tp->dev)) { ++ if (tp->pcierr_recovery || !netif_running(tp->dev)) { + tg3_flag_clear(tp, RESET_TASK_PENDING); + tg3_full_unlock(tp); + rtnl_unlock(); +@@ -18240,6 +18240,9 @@ static pci_ers_result_t tg3_io_error_detected(struct pci_dev *pdev, + + netdev_info(netdev, "PCI I/O error detected\n"); + ++ /* Want to 
make sure that the reset task doesn't run */ ++ tg3_reset_task_cancel(tp); ++ + rtnl_lock(); + + /* Could be second call or maybe we don't have netdev yet */ +@@ -18256,9 +18259,6 @@ static pci_ers_result_t tg3_io_error_detected(struct pci_dev *pdev, + + tg3_timer_stop(tp); + +- /* Want to make sure that the reset task doesn't run */ +- tg3_reset_task_cancel(tp); +- + netif_device_detach(netdev); + + /* Clean up software state, even if MMIO is blocked */ +-- +2.39.0 + diff --git a/queue-4.19/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch b/queue-4.19/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch new file mode 100644 index 00000000000..d0ecf3ef5c9 --- /dev/null +++ b/queue-4.19/netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch 
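Review bot: in the tg3_io_error_detected() hunks above, tg3_reset_task_cancel() now runs before the `/* Could be second call or maybe we don't have netdev yet */` check instead of after tg3_timer_stop(), so the review should confirm that cancelling the work is safe on a tp whose netdev is not yet registered (the work struct must already be initialised on every path that reaches this handler); the relocated comment `/* Want to make sure that the reset task doesn't run */` should also say why the call must precede rtnl_lock(): the old order let tg3_reset_task() block on RTNL while cancel_work_sync() waited for that same task, which is the first set of backtraces in the commit message. The `tp->pcierr_recovery` test added to tg3_reset_task() is what closes the remaining window for a task queued after the cancel returned but before the flag is set; since it is evaluated under rtnl_lock() and tg3_full_lock() it is ordered against the error handler, but that dependency between the two hunks deserves a sentence in the comment.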
@@ -0,0 +1,42 @@ +From c2dfaed5a7e97a50275d89aaf4ee79c650abeeeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 02:47:19 +0100 +Subject: netfilter: conntrack: fix bug in for_each_sctp_chunk + +From: Sriram Yagnaraman + +[ Upstream commit 98ee0077452527f971567db01386de3c3d97ce13 ] + +skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds +skb->len, so this offset < skb->len test is redundant. + +if sch->length == 0, this will end up in an infinite loop, add a check +for sch->length > 0 + +Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") +Suggested-by: Florian Westphal +Signed-off-by: Sriram Yagnaraman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_sctp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c +index cadeb22a48f2..08ed6402ba1e 100644 +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -163,8 +163,8 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) + + #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ + for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ +- (offset) < (skb)->len && \ +- ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ ++ ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ ++ (sch)->length; \ + (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) + + /* Some validity checks to make sure the chunks are fine */ +-- +2.39.0 + diff --git a/queue-4.19/netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch b/queue-4.19/netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch new file mode 100644 index 00000000000..c4c60ae2e29 --- /dev/null +++ b/queue-4.19/netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch 
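Review bot: in the for_each_sctp_chunk() hunk above, the new `(sch)->length` condition tests the raw __be16 for non-zero, which is byte-order independent, and it is enough to guarantee progress because the increment `(ntohs((sch)->length) + 3) & ~3` rounds any non-zero length up to at least 4, so `offset` always advances; a short comment saying that this is a loop-termination guard and not a chunk-length validation would stop someone later rewriting it as `ntohs(...) > 0` or assuming it checks the chunk. Dropping `(offset) < (skb)->len` is correct only because skb_header_pointer() returns NULL when `offset + sizeof(_sch)` exceeds skb->len, as the commit message states; the macro now relies on that contract, which is worth a line next to it.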
@@ -0,0 +1,71 @@ +From b5acb2e75f00dd7b7320a513969d9275a1ebc1a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 02:47:18 +0100 +Subject: netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE + +From: Sriram Yagnaraman + +[ Upstream commit a9993591fa94246b16b444eea55d84c54608282a ] + +RFC 9260, Sec 8.5.1 states that for ABORT/SHUTDOWN_COMPLETE, the chunk +MUST be accepted if the vtag of the packet matches its own tag and the +T bit is not set OR if it is set to its peer's vtag and the T bit is set +in chunk flags. Otherwise the packet MUST be silently dropped. + +Update vtag verification for ABORT/SHUTDOWN_COMPLETE based on the above +description. + +Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") +Signed-off-by: Sriram Yagnaraman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_sctp.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c +index 8cb62805fd68..cadeb22a48f2 100644 +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -317,22 +317,29 @@ static int sctp_packet(struct nf_conn *ct, + for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { + /* Special cases of Verification tag check (Sec 8.5.1) */ + if (sch->type == SCTP_CID_INIT) { +- /* Sec 8.5.1 (A) */ ++ /* (A) vtag MUST be zero */ + if (sh->vtag != 0) + goto out_unlock; + } else if (sch->type == SCTP_CID_ABORT) { +- /* Sec 8.5.1 (B) */ +- if (sh->vtag != ct->proto.sctp.vtag[dir] && +- sh->vtag != ct->proto.sctp.vtag[!dir]) ++ /* (B) vtag MUST match own vtag if T flag is unset OR ++ * MUST match peer's vtag if T flag is set ++ */ ++ if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && ++ sh->vtag != ct->proto.sctp.vtag[dir]) || ++ ((sch->flags & SCTP_CHUNK_FLAG_T) && ++ sh->vtag != ct->proto.sctp.vtag[!dir])) + goto out_unlock; + } else 
if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { +- /* Sec 8.5.1 (C) */ +- if (sh->vtag != ct->proto.sctp.vtag[dir] && +- sh->vtag != ct->proto.sctp.vtag[!dir] && +- sch->flags & SCTP_CHUNK_FLAG_T) ++ /* (C) vtag MUST match own vtag if T flag is unset OR ++ * MUST match peer's vtag if T flag is set ++ */ ++ if ((!(sch->flags & SCTP_CHUNK_FLAG_T) && ++ sh->vtag != ct->proto.sctp.vtag[dir]) || ++ ((sch->flags & SCTP_CHUNK_FLAG_T) && ++ sh->vtag != ct->proto.sctp.vtag[!dir])) + goto out_unlock; + } else if (sch->type == SCTP_CID_COOKIE_ECHO) { +- /* Sec 8.5.1 (D) */ ++ /* (D) vtag must be same as init_vtag as found in INIT_ACK */ + if (sh->vtag != ct->proto.sctp.vtag[dir]) + goto out_unlock; + } else if (sch->type == SCTP_CID_HEARTBEAT) { +-- +2.39.0 + diff --git a/queue-4.19/netfilter-nft_set_rbtree-skip-elements-in-transactio.patch b/queue-4.19/netfilter-nft_set_rbtree-skip-elements-in-transactio.patch new file mode 100644 index 00000000000..e172f3000e4 --- /dev/null +++ b/queue-4.19/netfilter-nft_set_rbtree-skip-elements-in-transactio.patch 
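Review bot: in the sctp_packet() hunk above, the SCTP_CID_ABORT and SCTP_CID_SHUTDOWN_COMPLETE branches now carry byte-for-byte identical conditions and comments; merging them into a single `else if (sch->type == SCTP_CID_ABORT || sch->type == SCTP_CID_SHUTDOWN_COMPLETE)` or a small static helper taking `sch->flags`, `sh->vtag` and the two stored tags would remove the duplication and keep the RFC 9260 8.5.1 (B)/(C) rule in one place. The logic itself is right: with the T bit clear the packet must carry `vtag[dir]`, with it set `vtag[!dir]`, and the old SHUTDOWN_COMPLETE form, which only rejected when the T bit was set and neither tag matched, let through a T-bit-clear chunk bearing the peer's tag.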
@@ -0,0 +1,69 @@ +From 3b92c6a8f1c9d42d65f1149d02812200baccab49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 23:49:46 +0100 +Subject: netfilter: nft_set_rbtree: skip elements in transaction from garbage + collection + +From: Pablo Neira Ayuso + +[ Upstream commit 5d235d6ce75c12a7fdee375eb211e4116f7ab01b ] + +Skip interference with an ongoing transaction, do not perform garbage +collection on inactive elements. Reset annotated previous end interval +if the expired element is marked as busy (control plane removed the +element right before expiration). + +Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support") +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_rbtree.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 84d317418d18..78a0f4283787 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -375,23 +375,37 @@ static void nft_rbtree_gc(struct work_struct *work) + struct nft_rbtree *priv; + struct rb_node *node; + struct nft_set *set; ++ struct net *net; ++ u8 genmask; + + priv = container_of(work, struct nft_rbtree, gc_work.work); + set = nft_set_container_of(priv); ++ net = read_pnet(&set->net); ++ genmask = nft_genmask_cur(net); + + write_lock_bh(&priv->lock); + write_seqcount_begin(&priv->count); + for (node = rb_first(&priv->root); node != NULL; node = rb_next(node)) { + rbe = rb_entry(node, struct nft_rbtree_elem, node); + ++ if (!nft_set_elem_active(&rbe->ext, genmask)) ++ continue; ++ ++ /* elements are reversed in the rbtree for historical reasons, ++ * from highest to lowest value, that is why end element is ++ * always visited before the start element. 
++ */ + if (nft_rbtree_interval_end(rbe)) { + rbe_end = rbe; + continue; + } + if (!nft_set_elem_expired(&rbe->ext)) + continue; +- if (nft_set_elem_mark_busy(&rbe->ext)) ++ ++ if (nft_set_elem_mark_busy(&rbe->ext)) { ++ rbe_end = NULL; + continue; ++ } + + if (rbe_prev) { + rb_erase(&rbe_prev->node, &priv->root); +-- +2.39.0 + diff --git a/queue-4.19/netlink-annotate-data-races-around-dst_portid-and-ds.patch b/queue-4.19/netlink-annotate-data-races-around-dst_portid-and-ds.patch new file mode 100644 index 00000000000..c6e8ee9886f --- /dev/null +++ b/queue-4.19/netlink-annotate-data-races-around-dst_portid-and-ds.patch 
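Review bot: in the nft_rbtree_gc() hunk above, `rbe_end` is reset to NULL when the expired start element is marked busy, but the `if (!nft_set_elem_expired(&rbe->ext)) continue;` two lines earlier still leaves a previously recorded end in place, and the new `!nft_set_elem_active()` skip does the same; a start that is not expired, or an end that is inactive in the current generation, therefore never clears `rbe_end`, so a later expired start could be paired with an end belonging to another interval unless its own end was visited just before it. Either reset `rbe_end` on the not-expired path as well, or add a comment explaining why the reversed ordering (end always visited before its start, as the new comment says) makes a stale `rbe_end` impossible. Reading `genmask` with nft_genmask_cur() before taking `priv->lock` is fine for a GC worker, but it also deserves a comment, since that value decides which elements this pass is allowed to touch.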
@@ -0,0 +1,87 @@ +From 8f9542f9af592094ee2cf01784a45c5526c6862d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 12:59:54 +0000 +Subject: netlink: annotate data races around dst_portid and dst_group + +From: Eric Dumazet + +[ Upstream commit 004db64d185a5f23dfb891d7701e23713b2420ee ] + +netlink_getname(), netlink_sendmsg() and netlink_getsockbyportid() +can read nlk->dst_portid and nlk->dst_group while another +thread is changing them. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 52bf99ed7093..5c630506b7cd 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1091,8 +1091,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + + if (addr->sa_family == AF_UNSPEC) { + sk->sk_state = NETLINK_UNCONNECTED; +- nlk->dst_portid = 0; +- nlk->dst_group = 0; ++ /* dst_portid and dst_group can be read locklessly */ ++ WRITE_ONCE(nlk->dst_portid, 0); ++ WRITE_ONCE(nlk->dst_group, 0); + return 0; + } + if (addr->sa_family != AF_NETLINK) +@@ -1114,8 +1115,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + + if (err == 0) { + sk->sk_state = NETLINK_CONNECTED; +- nlk->dst_portid = nladdr->nl_pid; +- nlk->dst_group = ffs(nladdr->nl_groups); ++ /* dst_portid and dst_group can be read locklessly */ ++ WRITE_ONCE(nlk->dst_portid, nladdr->nl_pid); ++ WRITE_ONCE(nlk->dst_group, ffs(nladdr->nl_groups)); + } + + return err; +@@ -1132,8 +1134,9 @@ static int netlink_getname(struct socket *sock, struct sockaddr *addr, + nladdr->nl_pad = 0; + + if (peer) { +- nladdr->nl_pid = nlk->dst_portid; +- nladdr->nl_groups = netlink_group_mask(nlk->dst_group); ++ /* Paired with WRITE_ONCE() in netlink_connect() */ ++ nladdr->nl_pid = 
READ_ONCE(nlk->dst_portid); ++ nladdr->nl_groups = netlink_group_mask(READ_ONCE(nlk->dst_group)); + } else { + /* Paired with WRITE_ONCE() in netlink_insert() */ + nladdr->nl_pid = READ_ONCE(nlk->portid); +@@ -1163,8 +1166,9 @@ static struct sock *netlink_getsockbyportid(struct sock *ssk, u32 portid) + + /* Don't bother queuing skb if kernel socket has no input function */ + nlk = nlk_sk(sock); ++ /* dst_portid can be changed in netlink_connect() */ + if (sock->sk_state == NETLINK_CONNECTED && +- nlk->dst_portid != nlk_sk(ssk)->portid) { ++ READ_ONCE(nlk->dst_portid) != nlk_sk(ssk)->portid) { + sock_put(sock); + return ERR_PTR(-ECONNREFUSED); + } +@@ -1876,8 +1880,9 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + goto out; + netlink_skb_flags |= NETLINK_SKB_DST; + } else { +- dst_portid = nlk->dst_portid; +- dst_group = nlk->dst_group; ++ /* Paired with WRITE_ONCE() in netlink_connect() */ ++ dst_portid = READ_ONCE(nlk->dst_portid); ++ dst_group = READ_ONCE(nlk->dst_group); + } + + /* Paired with WRITE_ONCE() in netlink_insert() */ +-- +2.39.0 + diff --git a/queue-4.19/netlink-annotate-data-races-around-nlk-portid.patch b/queue-4.19/netlink-annotate-data-races-around-nlk-portid.patch new file mode 100644 index 00000000000..943a0568c58 --- /dev/null +++ b/queue-4.19/netlink-annotate-data-races-around-nlk-portid.patch 
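Review bot: in the netlink_connect() hunks above, dst_portid and dst_group are two separate WRITE_ONCE() stores, so a lockless reader in netlink_getname() or netlink_sendmsg() can still observe the new dst_portid together with the old dst_group (or the reverse); that is acceptable for an annotation-only fix, but the comment `dst_portid and dst_group can be read locklessly` should say that the pair is not a consistent snapshot, so nobody later relies on it being one. In the netlink_getsockbyportid() hunk the comparison mixes `READ_ONCE(nlk->dst_portid)` with a plain read of `nlk_sk(ssk)->portid`; if the sending socket's portid is stable there because the sender is already bound before it can reach this point, a comment to that effect would explain the asymmetry.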
@@ -0,0 +1,87 @@ +From bc4941ec3091aeb32d180d1f3d711e9dc171cddf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 12:59:53 +0000 +Subject: netlink: annotate data races around nlk->portid + +From: Eric Dumazet + +[ Upstream commit c1bb9484e3b05166880da8574504156ccbd0549e ] + +syzbot reminds us netlink_getname() runs locklessly [1] + +This first patch annotates the race against nlk->portid. + +Following patches take care of the remaining races. + +[1] +BUG: KCSAN: data-race in netlink_getname / netlink_insert + +write to 0xffff88814176d310 of 4 bytes by task 2315 on cpu 1: +netlink_insert+0xf1/0x9a0 net/netlink/af_netlink.c:583 +netlink_autobind+0xae/0x180 net/netlink/af_netlink.c:856 +netlink_sendmsg+0x444/0x760 net/netlink/af_netlink.c:1895 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg net/socket.c:734 [inline] +____sys_sendmsg+0x38f/0x500 net/socket.c:2476 +___sys_sendmsg net/socket.c:2530 [inline] +__sys_sendmsg+0x19a/0x230 net/socket.c:2559 +__do_sys_sendmsg net/socket.c:2568 [inline] +__se_sys_sendmsg net/socket.c:2566 [inline] +__x64_sys_sendmsg+0x42/0x50 net/socket.c:2566 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff88814176d310 of 4 bytes by task 2316 on cpu 0: +netlink_getname+0xcd/0x1a0 net/netlink/af_netlink.c:1144 +__sys_getsockname+0x11d/0x1b0 net/socket.c:2026 +__do_sys_getsockname net/socket.c:2041 [inline] +__se_sys_getsockname net/socket.c:2038 [inline] +__x64_sys_getsockname+0x3e/0x50 net/socket.c:2038 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00000000 -> 0xc9a49780 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 2316 Comm: syz-executor.2 Not tainted 6.2.0-rc3-syzkaller-00030-ge8f60cd7db24-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, 
BIOS Google 10/26/2022 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 966c709c3831..52bf99ed7093 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -578,7 +578,9 @@ static int netlink_insert(struct sock *sk, u32 portid) + if (nlk_sk(sk)->bound) + goto err; + +- nlk_sk(sk)->portid = portid; ++ /* portid can be read locklessly from netlink_getname(). */ ++ WRITE_ONCE(nlk_sk(sk)->portid, portid); ++ + sock_hold(sk); + + err = __netlink_insert(table, sk); +@@ -1133,7 +1135,8 @@ static int netlink_getname(struct socket *sock, struct sockaddr *addr, + nladdr->nl_pid = nlk->dst_portid; + nladdr->nl_groups = netlink_group_mask(nlk->dst_group); + } else { +- nladdr->nl_pid = nlk->portid; ++ /* Paired with WRITE_ONCE() in netlink_insert() */ ++ nladdr->nl_pid = READ_ONCE(nlk->portid); + netlink_lock_table(); + nladdr->nl_groups = nlk->groups ? nlk->groups[0] : 0; + netlink_unlock_table(); +-- +2.39.0 + diff --git a/queue-4.19/netlink-annotate-data-races-around-sk_state.patch b/queue-4.19/netlink-annotate-data-races-around-sk_state.patch new file mode 100644 index 00000000000..a9817da5852 --- /dev/null +++ b/queue-4.19/netlink-annotate-data-races-around-sk_state.patch 
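Review bot: in the netlink_insert() hunk above, the new comment names netlink_getname() as the only lockless reader of portid, but netlink_getsockbyportid() also reads `nlk_sk(ssk)->portid` without READ_ONCE() (visible in the dst_portid patch in this same queue); either that read is covered by ordering (the sender is bound before it can send) and the comment should say so, or it needs the same annotation, since a WRITE_ONCE() paired with a plain read is only half of what KCSAN is asking for. The store now sits before `__netlink_insert()`, which is harmless because a netlink_getname() caller holds its own sk and sees either 0 or the final value, but the comment could note that the hashing itself is what publishes the socket, not this store.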
@@ -0,0 +1,58 @@ +From 89256f8d1cfbb411f02e141b5da45b182d1615ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 12:59:55 +0000 +Subject: netlink: annotate data races around sk_state + +From: Eric Dumazet + +[ Upstream commit 9b663b5cbb15b494ef132a3c937641c90646eb73 ] + +netlink_getsockbyportid() reads sk_state while a concurrent +netlink_connect() can change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 5c630506b7cd..6a49c0aa55bd 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1090,7 +1090,8 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + return -EINVAL; + + if (addr->sa_family == AF_UNSPEC) { +- sk->sk_state = NETLINK_UNCONNECTED; ++ /* paired with READ_ONCE() in netlink_getsockbyportid() */ ++ WRITE_ONCE(sk->sk_state, NETLINK_UNCONNECTED); + /* dst_portid and dst_group can be read locklessly */ + WRITE_ONCE(nlk->dst_portid, 0); + WRITE_ONCE(nlk->dst_group, 0); +@@ -1114,7 +1115,8 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, + err = netlink_autobind(sock); + + if (err == 0) { +- sk->sk_state = NETLINK_CONNECTED; ++ /* paired with READ_ONCE() in netlink_getsockbyportid() */ ++ WRITE_ONCE(sk->sk_state, NETLINK_CONNECTED); + /* dst_portid and dst_group can be read locklessly */ + WRITE_ONCE(nlk->dst_portid, nladdr->nl_pid); + WRITE_ONCE(nlk->dst_group, ffs(nladdr->nl_groups)); +@@ -1166,8 +1168,8 @@ static struct sock *netlink_getsockbyportid(struct sock *ssk, u32 portid) + + /* Don't bother queuing skb if kernel socket has no input function */ + nlk = nlk_sk(sock); +- /* dst_portid can be changed in netlink_connect() */ +- if (sock->sk_state == NETLINK_CONNECTED && ++ /* dst_portid and sk_state can 
be changed in netlink_connect() */ ++ if (READ_ONCE(sock->sk_state) == NETLINK_CONNECTED && + READ_ONCE(nlk->dst_portid) != nlk_sk(ssk)->portid) { + sock_put(sock); + return ERR_PTR(-ECONNREFUSED); +-- +2.39.0 + diff --git a/queue-4.19/netlink-remove-hash-nelems-check-in-netlink_insert.patch b/queue-4.19/netlink-remove-hash-nelems-check-in-netlink_insert.patch new file mode 100644 index 00000000000..bf3cbb0cccf --- /dev/null +++ b/queue-4.19/netlink-remove-hash-nelems-check-in-netlink_insert.patch @@ -0,0 +1,44 @@ +From cf480de4d9c8f5e63a97d470d48f8f25f2e7a01c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Sep 2018 09:05:01 +0800 +Subject: netlink: remove hash::nelems check in netlink_insert + +From: Li RongQing + +[ Upstream commit 0041195d55bc38df6b574cc8c36dcf2266fbee39 ] + +The type of hash::nelems has been changed from size_t to atom_t +which in fact is int, so not need to check if BITS_PER_LONG, that +is bit number of size_t, is bigger than 32 + +and rht_grow_above_max() will be called to check if hashtable is +too big, ensure it can not bigger than 1<<31 + +Signed-off-by: Zhang Yu +Signed-off-by: Li RongQing +Signed-off-by: David S. Miller +Stable-dep-of: c1bb9484e3b0 ("netlink: annotate data races around nlk->portid") +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 6ffa83319d08..966c709c3831 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -578,11 +578,6 @@ static int netlink_insert(struct sock *sk, u32 portid) + if (nlk_sk(sk)->bound) + goto err; + +- err = -ENOMEM; +- if (BITS_PER_LONG > 32 && +- unlikely(atomic_read(&table->hash.nelems) >= UINT_MAX)) +- goto err; +- + nlk_sk(sk)->portid = portid; + sock_hold(sk); + +-- +2.39.0 + 
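Review bot: in the netlink_getsockbyportid() hunk above, `READ_ONCE(sock->sk_state)` and `READ_ONCE(nlk->dst_portid)` remain two independent reads racing against a netlink_connect() that writes sk_state first and dst_portid second, so the reader can see NETLINK_CONNECTED with the old dst_portid or NETLINK_UNCONNECTED with the new one; both outcomes are tolerable (the message is refused or delivered as if the connect had landed just before or just after), but the comment `dst_portid and sk_state can be changed in netlink_connect()` should spell out that no consistent snapshot is assumed. On the stable side, this hunk's context lines already contain the `dst_portid and dst_group can be read locklessly` comments from 004db64d185a, so the queue order (portid, then dst_portid/dst_group, then this patch) must be preserved for it to apply; the index lines 5c630506b7cd..6a49c0aa55bd confirm that ordering.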
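Review bot: in the netlink_insert() hunk of the hash::nelems patch above, the guard `BITS_PER_LONG > 32 && atomic_read(&table->hash.nelems) >= UINT_MAX` is being dropped from 4.19 only as a context dependency for c1bb9484e3b0 (it is marked Stable-dep-of rather than a fix), so the backport should confirm what the 2018 commit message asserts for this tree: that 4.19's rhashtable already keeps nelems as atomic_t and rejects growth past max_size through rht_grow_above_max() on insert, because after this hunk nothing in netlink_insert() itself bounds the table. The comparison was in practice inert anyway, since atomic_read() returns an int that is converted to unsigned for the comparison and can only equal UINT_MAX when the counter reads -1, which is one more reason a sentence in the backport note would help. (The commit message's "atom_t" is a typo for atomic_t.)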
diff --git a/queue-4.19/netrom-fix-use-after-free-of-a-listening-socket.patch b/queue-4.19/netrom-fix-use-after-free-of-a-listening-socket.patch new file mode 100644 index 00000000000..685bdcf6ce4 --- /dev/null +++ b/queue-4.19/netrom-fix-use-after-free-of-a-listening-socket.patch 
@@ -0,0 +1,161 @@ +From 365dd0bbf5fe7a4013aa81778c630d86b013414d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 15:19:27 -0800 +Subject: netrom: Fix use-after-free of a listening socket. + +From: Kuniyuki Iwashima + +[ Upstream commit 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 ] + +syzbot reported a use-after-free in do_accept(), precisely nr_accept() +as sk_prot_alloc() allocated the memory and sock_put() frees it. [0] + +The issue could happen if the heartbeat timer is fired and +nr_heartbeat_expiry() calls nr_destroy_socket(), where a socket +has SOCK_DESTROY or a listening socket has SOCK_DEAD. + +In this case, the first condition cannot be true. SOCK_DESTROY is +flagged in nr_release() only when the file descriptor is close()d, +but accept() is being called for the listening socket, so the second +condition must be true. + +Usually, the AF_NETROM listener neither starts timers nor sets +SOCK_DEAD. However, the condition is met if connect() fails before +listen(). connect() starts the t1 timer and heartbeat timer, and +t1timer calls nr_disconnect() when timeout happens. Then, SOCK_DEAD +is set, and if we call listen(), the heartbeat timer calls +nr_destroy_socket(). + + nr_connect + nr_establish_data_link(sk) + nr_start_t1timer(sk) + nr_start_heartbeat(sk) + nr_t1timer_expiry + nr_disconnect(sk, ETIMEDOUT) + nr_sk(sk)->state = NR_STATE_0 + sk->sk_state = TCP_CLOSE + sock_set_flag(sk, SOCK_DEAD) +nr_listen + if (sk->sk_state != TCP_LISTEN) + sk->sk_state = TCP_LISTEN + nr_heartbeat_expiry + switch (nr->state) + case NR_STATE_0 + if (sk->sk_state == TCP_LISTEN && + sock_flag(sk, SOCK_DEAD)) + nr_destroy_socket(sk) + +This path seems expected, and nr_destroy_socket() is called to clean +up resources. Initially, there was sock_hold() before nr_destroy_socket() +so that the socket would not be freed, but the commit 517a16b1a88b +("netrom: Decrease sock refcount when sock timers expire") accidentally +removed it. 
+ +To fix use-after-free, let's add sock_hold(). + +[0]: +BUG: KASAN: use-after-free in do_accept+0x483/0x510 net/socket.c:1848 +Read of size 8 at addr ffff88807978d398 by task syz-executor.3/5315 + +CPU: 0 PID: 5315 Comm: syz-executor.3 Not tainted 6.2.0-rc3-syzkaller-00165-gd9fc1511728c #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + do_accept+0x483/0x510 net/socket.c:1848 + __sys_accept4_file net/socket.c:1897 [inline] + __sys_accept4+0x9a/0x120 net/socket.c:1927 + __do_sys_accept net/socket.c:1944 [inline] + __se_sys_accept net/socket.c:1941 [inline] + __x64_sys_accept+0x75/0xb0 net/socket.c:1941 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fa436a8c0c9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fa437784168 EFLAGS: 00000246 ORIG_RAX: 000000000000002b +RAX: ffffffffffffffda RBX: 00007fa436bac050 RCX: 00007fa436a8c0c9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005 +RBP: 00007fa436ae7ae9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffebc6700df R14: 00007fa437784300 R15: 0000000000022000 + + +Allocated by task 5294: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc 
include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 14: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_heartbeat_expiry+0x1d7/0x460 net/netrom/nr_timer.c:148 + call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1700 + expire_timers+0x2c6/0x5c0 kernel/time/timer.c:1751 + __run_timers kernel/time/timer.c:2022 [inline] + __run_timers kernel/time/timer.c:1995 [inline] + run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035 + __do_softirq+0x1fb/0xadc kernel/softirq.c:571 + +Fixes: 517a16b1a88b ("netrom: Decrease sock refcount when 
sock timers expire") +Reported-by: syzbot+5fafd5cfe1fc91f6b352@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230120231927.51711-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netrom/nr_timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c +index 426d49609524..2bf99bd5be58 100644 +--- a/net/netrom/nr_timer.c ++++ b/net/netrom/nr_timer.c +@@ -124,6 +124,7 @@ static void nr_heartbeat_expiry(struct timer_list *t) + is accepted() it isn't 'dead' so doesn't get removed. */ + if (sock_flag(sk, SOCK_DESTROY) || + (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { ++ sock_hold(sk); + bh_unlock_sock(sk); + nr_destroy_socket(sk); + goto out; +-- +2.39.0 + diff --git a/queue-4.19/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch b/queue-4.19/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch new file mode 100644 index 00000000000..337fada4ccc --- /dev/null +++ b/queue-4.19/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch 
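Review bot: the added sock_hold(sk) before bh_unlock_sock()/nr_destroy_socket() carries no comment, and the commit message shows why that matters: 517a16b1a88b removed the previous hold precisely because its purpose was not obvious at the call site. The KASAN "Freed by" trace shows the socket being released by sock_put() in nr_heartbeat_expiry() itself (nr_timer.c:148), i.e. the function's own final put reached through the `goto out` right after this call, so the hold is what keeps that put from freeing a socket nr_destroy_socket() has already released. Suggest a one-line comment such as `/* nr_destroy_socket() drops a reference; keep sk alive for the sock_put() at out */` so the next cleanup does not repeat the regression. Since this block is shared with the SOCK_DESTROY branch, it is also worth confirming in review that nr_destroy_socket() consumes exactly one reference on every path, otherwise the extra hold turns the earlier use-after-free into a socket leak for that case.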
@@ -0,0 +1,68 @@ +From 3bc6e2c45ccb6f3bdbb770dd88f0ddfc673467a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 14:59:33 -0300 +Subject: sctp: fail if no bound addresses can be used for a given scope + +From: Marcelo Ricardo Leitner + +[ Upstream commit 458e279f861d3f61796894cd158b780765a1569f ] + +Currently, if you bind the socket to something like: + servaddr.sin6_family = AF_INET6; + servaddr.sin6_port = htons(0); + servaddr.sin6_scope_id = 0; + inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); + +And then request a connect to: + connaddr.sin6_family = AF_INET6; + connaddr.sin6_port = htons(20000); + connaddr.sin6_scope_id = if_nametoindex("lo"); + inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); + +What the stack does is: + - bind the socket + - create a new asoc + - to handle the connect + - copy the addresses that can be used for the given scope + - try to connect + +But the copy returns 0 addresses, and the effect is that it ends up +trying to connect as if the socket wasn't bound, which is not the +desired behavior. This unexpected behavior also allows KASLR leaks +through SCTP diag interface. + +The fix here then is, if when trying to copy the addresses that can +be used for the scope used in connect() it returns 0 addresses, bail +out. This is what TCP does with a similar reproducer. 
+ +Reported-by: Pietro Borrello +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/bind_addr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c +index f8a283245672..d723942e5e65 100644 +--- a/net/sctp/bind_addr.c ++++ b/net/sctp/bind_addr.c +@@ -88,6 +88,12 @@ int sctp_bind_addr_copy(struct net *net, struct sctp_bind_addr *dest, + } + } + ++ /* If somehow no addresses were found that can be used with this ++ * scope, it's an error. ++ */ ++ if (list_empty(&dest->address_list)) ++ error = -ENETUNREACH; ++ + out: + if (error) + sctp_bind_addr_clean(dest); +-- +2.39.0 + diff --git a/queue-4.19/series b/queue-4.19/series index cb8169725e3..e6f7b8bde27 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
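Review bot: the new list_empty() check sits immediately above the `out:` label, and the `if (error) sctp_bind_addr_clean(dest)` cleanup there indicates the loop's own failures already jump to `out:` directly, so the check only runs on the path where `error` is still 0 and the list was built completely. That placement is right, but the comment's "somehow" hides the one case the commit message actually describes: every bound address was filtered out by scope (socket bound to ::1, connect() to a link-local fe88::1 with a scope_id), not an allocation failure. Suggest spelling that out in the comment, and also recording why -ENETUNREACH was chosen (the commit message only says it matches what TCP does for the same reproducer) rather than, say, -EADDRNOTAVAIL, since callers of sctp_bind_addr_copy() will see this errno from connect(). Setting `error` here, rather than returning early, is good: it reuses the existing cleanup of the partially built `dest` under `if (error)`.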
@@ -47,3 +47,16 @@ smbd-make-upper-layer-decide-when-to-destroy-the-tra.patch cifs-fix-oops-due-to-uncleared-server-smbd_conn-in-r.patch arm-9280-1-mm-fix-warning-on-phys_addr_t-to-void-pointer-assignment.patch edac-device-respect-any-driver-supplied-workqueue-polling-value.patch +net-fix-uaf-in-netns-ops-registration-error-path.patch +netfilter-nft_set_rbtree-skip-elements-in-transactio.patch +netlink-remove-hash-nelems-check-in-netlink_insert.patch +netlink-annotate-data-races-around-nlk-portid.patch +netlink-annotate-data-races-around-dst_portid-and-ds.patch +netlink-annotate-data-races-around-sk_state.patch +ipv4-prevent-potential-spectre-v1-gadget-in-ip_metri.patch +netfilter-conntrack-fix-vtag-checks-for-abort-shutdo.patch +netfilter-conntrack-fix-bug-in-for_each_sctp_chunk.patch +netrom-fix-use-after-free-of-a-listening-socket.patch +sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch +net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch +net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch