From: Greg Kroah-Hartman
Date: Fri, 3 Feb 2023 09:54:43 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v4.14.305~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd542296e79f797ee4f1cfc0491231c831776a67;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
net-fix-null-pointer-in-skb_segment_list.patch
net-mctp-purge-receive-queues-on-sk-destruction.patch
rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch
---
diff --git a/queue-6.1/net-fix-null-pointer-in-skb_segment_list.patch b/queue-6.1/net-fix-null-pointer-in-skb_segment_list.patch
new file mode 100644
index 00000000000..eaebedeb871
--- /dev/null
+++ b/queue-6.1/net-fix-null-pointer-in-skb_segment_list.patch
@@ -0,0 +1,76 @@
+From 876e8ca8366735a604bac86ff7e2732fc9d85d2d Mon Sep 17 00:00:00 2001
+From: Yan Zhai
+Date: Mon, 30 Jan 2023 12:51:48 -0800
+Subject: net: fix NULL pointer in skb_segment_list
+
+From: Yan Zhai
+
+commit 876e8ca8366735a604bac86ff7e2732fc9d85d2d upstream.
+
+Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+introduced UDP listifyed GRO. The segmentation relies on frag_list being
+untouched when passing through the network stack. This assumption can be
+broken sometimes, where frag_list itself gets pulled into linear area,
+leaving frag_list being NULL. When this happens it can trigger
+following NULL pointer dereference, and panic the kernel. Reverse the
+test condition should fix it.
+
+[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:
+...
+[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390
+...
+[19185.834644][ C1] Call Trace:
+[19185.841730][ C1]
+[19185.848563][ C1] __udp_gso_segment+0x33e/0x510
+[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0
+[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110
+[19185.874939][ C1] __skb_gso_segment+0xb2/0x160
+[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0
+[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90
+[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200
+[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60
+[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0
+[19185.927834][ C1] process_backlog+0x88/0x130
+[19185.935840][ C1] __napi_poll+0x27/0x150
+[19185.943447][ C1] net_rx_action+0x27e/0x5f0
+[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
+[19185.960848][ C1] __do_softirq+0xbc/0x25d
+[19185.968607][ C1] irq_exit_rcu+0x83/0xb0
+[19185.976247][ C1] common_interrupt+0x43/0xa0
+[19185.984235][ C1] asm_common_interrupt+0x22/0x40
+...
+[19186.094106][ C1]
+
+Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+Suggested-by: Daniel Borkmann
+Reviewed-by: Willem de Bruijn
+Signed-off-by: Yan Zhai
+Acked-by: Daniel Borkmann
+Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4034,7 +4034,7 @@ struct sk_buff *skb_segment_list(struct
+ 
+ skb_shinfo(skb)->frag_list = NULL;
+ 
+- do {
++ while (list_skb) {
+ nskb = list_skb;
+ list_skb = list_skb->next;
+ 
+@@ -4080,8 +4080,7 @@ struct sk_buff *skb_segment_list(struct
+ if (skb_needs_linearize(nskb, features) &&
+ __skb_linearize(nskb))
+ goto err_linearize;
+-
+- } while (list_skb);
++ }
+ 
+ skb->truesize = skb->truesize - delta_truesize;
+ skb->data_len = skb->data_len - delta_len;
diff --git a/queue-6.1/net-mctp-purge-receive-queues-on-sk-destruction.patch b/queue-6.1/net-mctp-purge-receive-queues-on-sk-destruction.patch
new file mode 100644
index 00000000000..d9e87dc48b2
--- /dev/null
+++ b/queue-6.1/net-mctp-purge-receive-queues-on-sk-destruction.patch
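Review bot: With `while (list_skb)` the loop body may now run zero times, so `nskb` — assigned only inside the loop — is never set when frag_list was already NULL, and any post-loop use of it (or of a tail pointer tracked inside the loop) needs the same guard; the rest of skb_segment_list lies outside this hunk, so that cannot be confirmed from here. The unconditional `skb_shinfo(skb)->frag_list = NULL;` just above the loop is correct only because the list was already empty in that case, and that reasoning should live in the code rather than only in the commit message, e.g. `/* frag_list may already have been pulled into the linear area (and is then NULL); an empty list is legal here and must not be dereferenced. */` above the `while`. The trace shows the dereference reached from the packet receive path (net_rx_action → udp_queue_rcv_skb), i.e. by incoming traffic, so every stable branch carrying 3a1296a38d0c needs this backport, not just 6.1.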
@@ -0,0 +1,46 @@
+From 60bd1d9008a50cc78c4033a16a6f5d78210d481c Mon Sep 17 00:00:00 2001
+From: Jeremy Kerr
+Date: Thu, 26 Jan 2023 14:45:51 +0800
+Subject: net: mctp: purge receive queues on sk destruction
+
+From: Jeremy Kerr
+
+commit 60bd1d9008a50cc78c4033a16a6f5d78210d481c upstream.
+
+We may have pending skbs in the receive queue when the sk is being
+destroyed; add a destructor to purge the queue.
+
+MCTP doesn't use the error queue, so only the receive_queue is purged.
+
+Fixes: 833ef3b91de6 ("mctp: Populate socket implementation")
+Signed-off-by: Jeremy Kerr
+Reviewed-by: Pavan Chebbi
+Link: https://lore.kernel.org/r/20230126064551.464468-1-jk@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mctp/af_mctp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -587,6 +587,11 @@ static void mctp_sk_unhash(struct sock *
+ del_timer_sync(&msk->key_expiry);
+ }
+ 
++static void mctp_sk_destruct(struct sock *sk)
++{
++ skb_queue_purge(&sk->sk_receive_queue);
++}
++
+ static struct proto mctp_proto = {
+ .name = "MCTP",
+ .owner = THIS_MODULE,
+@@ -623,6 +628,7 @@ static int mctp_pf_create(struct net *ne
+ return -ENOMEM;
+ 
+ sock_init_data(sock, sk);
++ sk->sk_destruct = mctp_sk_destruct;
+ 
+ rc = 0;
+ if (sk->sk_prot->init)
diff --git a/queue-6.1/rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch b/queue-6.1/rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch
new file mode 100644
index 00000000000..38b4e46eb63
--- /dev/null
+++ b/queue-6.1/rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch
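Review bot: `mctp_sk_destruct` carries no comment saying why the purge exists or why only `sk_receive_queue` is covered; the commit message has that reasoning, the next reader of af_mctp.c will not. Suggest `/* Free skbs still queued when the last reference drops; MCTP never uses sk_error_queue, so the receive queue is the only one to purge. */` above the function. The hook is installed per socket in mctp_pf_create right after `sock_init_data(sock, sk);`, which is the usual spot, but the `mctp_proto` initializer continues past this hunk — if it ever gains a `.destroy` callback the two teardown paths should be kept in sync rather than duplicated. Without this purge every socket closed with undelivered messages leaked those skbs permanently, which presumably lets a local user with access to MCTP sockets grow kernel memory without bound; that is the security motivation worth naming in the comment.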
@@ -0,0 +1,74 @@
+From 6618d69aa129a8fc613e64775d5019524c6f231b Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda
+Date: Tue, 13 Dec 2022 19:03:55 +0100
+Subject: rust: print: avoid evaluating arguments in `pr_*` macros in `unsafe` blocks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miguel Ojeda
+
+commit 6618d69aa129a8fc613e64775d5019524c6f231b upstream.
+
+At the moment it is possible to perform unsafe operations in
+the arguments of `pr_*` macros since they are evaluated inside
+an `unsafe` block:
+
+ let x = &10u32 as *const u32;
+ pr_info!("{}", *x);
+
+In other words, this is a soundness issue.
+
+Fix it so that it requires an explicit `unsafe` block.
+
+Reported-by: Wedson Almeida Filho
+Reported-by: Domen Puncer Kugler
+Link: https://github.com/Rust-for-Linux/linux/issues/479
+Signed-off-by: Miguel Ojeda
+Reviewed-by: Boqun Feng
+Reviewed-by: Gary Guo
+Reviewed-by: Björn Roy Baron
+Reviewed-by: Vincenzo Palazzo
+Signed-off-by: Greg Kroah-Hartman
+---
+ rust/kernel/print.rs | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+--- a/rust/kernel/print.rs
++++ b/rust/kernel/print.rs
+@@ -115,17 +115,24 @@ pub unsafe fn call_printk(
+ macro_rules! print_macro (
+ // The non-continuation cases (most of them, e.g. `INFO`).
+ ($format_string:path, $($arg:tt)+) => (
+- // SAFETY: This hidden macro should only be called by the documented
+- // printing macros which ensure the format string is one of the fixed
+- // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
+- // by the `module!` proc macro or fixed values defined in a kernel
+- // crate.
+- unsafe {
+- $crate::print::call_printk(
+- &$format_string,
+- crate::__LOG_PREFIX,
+- format_args!($($arg)+),
+- );
++ // To remain sound, `arg`s must be expanded outside the `unsafe` block.
++ // Typically one would use a `let` binding for that; however, `format_args!`
++ // takes borrows on the arguments, but does not extend the scope of temporaries.
++ // Therefore, a `match` expression is used to keep them around, since
++ // the scrutinee is kept until the end of the `match`.
++ match format_args!($($arg)+) {
++ // SAFETY: This hidden macro should only be called by the documented
++ // printing macros which ensure the format string is one of the fixed
++ // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
++ // by the `module!` proc macro or fixed values defined in a kernel
++ // crate.
++ args => unsafe {
++ $crate::print::call_printk(
++ &$format_string,
++ crate::__LOG_PREFIX,
++ args,
++ );
++ }
+ }
+ );
+ );
diff --git a/queue-6.1/series b/queue-6.1/series
index c83321d223e..ac147b54c99 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -23,3 +23,6 @@ cifs-fix-return-of-uninitialized-rc-in-dfs_cache_upd.patch
 nvme-apple-only-reset-the-controller-when-rtkit-is-r.patch
 gpiolib-acpi-add-a-ignore-wakeup-quirk-for-clevo-nl5.patch
 gpiolib-acpi-don-t-set-gpios-for-wakeup-in-s3-mode.patch
+net-fix-null-pointer-in-skb_segment_list.patch
+rust-print-avoid-evaluating-arguments-in-pr_-macros-in-unsafe-blocks.patch
+net-mctp-purge-receive-queues-on-sk-destruction.patch
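Review bot: The `match format_args!(...) { args => unsafe { ... } }` restructuring is applied only to the non-continuation arm; `print_macro` continues past this hunk and the diffstat places all 18 insertions here, so it is worth confirming that no remaining arm (the `CONT` case implied by the first arm's comment) still expands `$arg` inside an `unsafe` block. The five-line comment on the `match` trick is welcome, but the contract it establishes is visible only in this hidden macro; the public `pr_*` macros (outside this hunk) should state it, e.g. `/// Arguments are evaluated outside any unsafe block, so dereferencing a raw pointer in them requires the caller's own unsafe.` A compile-fail doctest built from the `pr_info!("{}", *x)` example in the commit message would keep the soundness property from regressing silently.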