From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 24 Nov 2021 13:45:15 +0000 (+0100)
Subject: drop net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch from 4.14 and 4.19
X-Git-Tag: v5.15.5~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9a933de45c20ea0e5cc158089571fbdaf384d0b6;p=thirdparty%2Fkernel%2Fstable-queue.git

drop net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch from 4.14 and 4.19
---

diff --git a/queue-4.14/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch b/queue-4.14/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch
deleted file mode 100644
index eb2b65333a0..00000000000
--- a/queue-4.14/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 4280cba2bad7b6ac69cb13a85a9c752b9588dbfa Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 2 Nov 2021 10:12:18 +0800
-Subject: net: vlan: fix a UAF in vlan_dev_real_dev()
-
-From: Ziyang Xuan <william.xuanziyang@huawei.com>
-
-[ Upstream commit 563bcbae3ba233c275c244bfce2efe12938f5363 ]
-
-The real_dev of a vlan net_device may be freed after
-unregister_vlan_dev(). Access the real_dev continually by
-vlan_dev_real_dev() will trigger the UAF problem for the
-real_dev like following:
-
-==================================================================
-BUG: KASAN: use-after-free in vlan_dev_real_dev+0xf9/0x120
-Call Trace:
- kasan_report.cold+0x83/0xdf
- vlan_dev_real_dev+0xf9/0x120
- is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0
- is_eth_port_of_netdev_filter+0x28/0x40
- ib_enum_roce_netdev+0x1a3/0x300
- ib_enum_all_roce_netdevs+0xc7/0x140
- netdevice_event_work_handler+0x9d/0x210
-...
-
-Freed by task 9288:
- kasan_save_stack+0x1b/0x40
- kasan_set_track+0x1c/0x30
- kasan_set_free_info+0x20/0x30
- __kasan_slab_free+0xfc/0x130
- slab_free_freelist_hook+0xdd/0x240
- kfree+0xe4/0x690
- kvfree+0x42/0x50
- device_release+0x9f/0x240
- kobject_put+0x1c8/0x530
- put_device+0x1b/0x30
- free_netdev+0x370/0x540
- ppp_destroy_interface+0x313/0x3d0
-...
-
-Move the put_device(real_dev) to vlan_dev_free(). Ensure
-real_dev not be freed before vlan_dev unregistered.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Reported-by: syzbot+e4df4e1389e28972e955@syzkaller.appspotmail.com
-Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
-Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/8021q/vlan.c     | 3 ---
- net/8021q/vlan_dev.c | 3 +++
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
-index 0efdf83f78e7a..a8cee80e07a70 100644
---- a/net/8021q/vlan.c
-+++ b/net/8021q/vlan.c
-@@ -112,9 +112,6 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
- 	}
- 
- 	vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
--
--	/* Get rid of the vlan's reference to real_dev */
--	dev_put(real_dev);
- }
- 
- int vlan_check_real_dev(struct net_device *real_dev,
-diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
-index ed3717dc2d201..d28c22e59996c 100644
---- a/net/8021q/vlan_dev.c
-+++ b/net/8021q/vlan_dev.c
-@@ -814,6 +814,9 @@ static void vlan_dev_free(struct net_device *dev)
- 
- 	free_percpu(vlan->vlan_pcpu_stats);
- 	vlan->vlan_pcpu_stats = NULL;
-+
-+	/* Get rid of the vlan's reference to real_dev */
-+	dev_put(vlan->real_dev);
- }
- 
- void vlan_setup(struct net_device *dev)
--- 
-2.33.0
-
diff --git a/queue-4.14/series b/queue-4.14/series
index 23542fb1bae..289740db129 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -178,7 +178,6 @@ scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch
 i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch
 xen-pciback-fix-return-in-pm_ctrl_init.patch
 net-davinci_emac-fix-interrupt-pacing-disable.patch
-net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch
 acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch
 bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch
 mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch
diff --git a/queue-4.19/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch b/queue-4.19/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch
deleted file mode 100644
index 5a0613d9812..00000000000
--- a/queue-4.19/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 571472b0b82812d0b6d862e400b1002023fbd2bd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 2 Nov 2021 10:12:18 +0800
-Subject: net: vlan: fix a UAF in vlan_dev_real_dev()
-
-From: Ziyang Xuan <william.xuanziyang@huawei.com>
-
-[ Upstream commit 563bcbae3ba233c275c244bfce2efe12938f5363 ]
-
-The real_dev of a vlan net_device may be freed after
-unregister_vlan_dev(). Access the real_dev continually by
-vlan_dev_real_dev() will trigger the UAF problem for the
-real_dev like following:
-
-==================================================================
-BUG: KASAN: use-after-free in vlan_dev_real_dev+0xf9/0x120
-Call Trace:
- kasan_report.cold+0x83/0xdf
- vlan_dev_real_dev+0xf9/0x120
- is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0
- is_eth_port_of_netdev_filter+0x28/0x40
- ib_enum_roce_netdev+0x1a3/0x300
- ib_enum_all_roce_netdevs+0xc7/0x140
- netdevice_event_work_handler+0x9d/0x210
-...
-
-Freed by task 9288:
- kasan_save_stack+0x1b/0x40
- kasan_set_track+0x1c/0x30
- kasan_set_free_info+0x20/0x30
- __kasan_slab_free+0xfc/0x130
- slab_free_freelist_hook+0xdd/0x240
- kfree+0xe4/0x690
- kvfree+0x42/0x50
- device_release+0x9f/0x240
- kobject_put+0x1c8/0x530
- put_device+0x1b/0x30
- free_netdev+0x370/0x540
- ppp_destroy_interface+0x313/0x3d0
-...
-
-Move the put_device(real_dev) to vlan_dev_free(). Ensure
-real_dev not be freed before vlan_dev unregistered.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Reported-by: syzbot+e4df4e1389e28972e955@syzkaller.appspotmail.com
-Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
-Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/8021q/vlan.c     | 3 ---
- net/8021q/vlan_dev.c | 3 +++
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
-index 512ada90657b2..64ad86419b08d 100644
---- a/net/8021q/vlan.c
-+++ b/net/8021q/vlan.c
-@@ -112,9 +112,6 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
- 	}
- 
- 	vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
--
--	/* Get rid of the vlan's reference to real_dev */
--	dev_put(real_dev);
- }
- 
- int vlan_check_real_dev(struct net_device *real_dev,
-diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
-index 84ef837721141..52428d9c93b06 100644
---- a/net/8021q/vlan_dev.c
-+++ b/net/8021q/vlan_dev.c
-@@ -816,6 +816,9 @@ static void vlan_dev_free(struct net_device *dev)
- 
- 	free_percpu(vlan->vlan_pcpu_stats);
- 	vlan->vlan_pcpu_stats = NULL;
-+
-+	/* Get rid of the vlan's reference to real_dev */
-+	dev_put(vlan->real_dev);
- }
- 
- void vlan_setup(struct net_device *dev)
--- 
-2.33.0
-
diff --git a/queue-4.19/series b/queue-4.19/series
index d18df901754..848f597926d 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -219,7 +219,6 @@ scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch
 i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch
 xen-pciback-fix-return-in-pm_ctrl_init.patch
 net-davinci_emac-fix-interrupt-pacing-disable.patch
-net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch
 acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch
 bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch
 mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch