From: Greg Kroah-Hartman Date: Tue, 7 Jun 2022 09:54:56 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.10.121~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0a3552968df05e8250ba51451e1640956f2b106;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: mips-ip27-remove-incorrect-cpu_has_fpu-override.patch netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch --- diff --git a/queue-4.9/mips-ip27-remove-incorrect-cpu_has_fpu-override.patch b/queue-4.9/mips-ip27-remove-incorrect-cpu_has_fpu-override.patch new file mode 100644 index 00000000000..8aec3f73143 --- /dev/null +++ b/queue-4.9/mips-ip27-remove-incorrect-cpu_has_fpu-override.patch 
@@ -0,0 +1,39 @@ +From 424c3781dd1cb401857585331eaaa425a13f2429 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Sun, 1 May 2022 23:14:16 +0100 +Subject: MIPS: IP27: Remove incorrect `cpu_has_fpu' override + +From: Maciej W. Rozycki + +commit 424c3781dd1cb401857585331eaaa425a13f2429 upstream. + +Remove unsupported forcing of `cpu_has_fpu' to 1, which makes the `nofpu' +kernel parameter non-functional, and also causes a link error: + +ld: arch/mips/kernel/traps.o: in function `trap_init': +./arch/mips/include/asm/msa.h:(.init.text+0x348): undefined reference to `handle_fpe' +ld: ./arch/mips/include/asm/msa.h:(.init.text+0x354): undefined reference to `handle_fpe' +ld: ./arch/mips/include/asm/msa.h:(.init.text+0x360): undefined reference to `handle_fpe' + +where the CONFIG_MIPS_FP_SUPPORT configuration option has been disabled. + +Signed-off-by: Maciej W. Rozycki +Reported-by: Stephen Zhang +Fixes: 0ebb2f4159af ("MIPS: IP27: Update/restructure CPU overrides") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h ++++ b/arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h +@@ -28,7 +28,6 @@ + #define cpu_has_6k_cache 0 + #define cpu_has_8k_cache 0 + #define cpu_has_tx39_cache 0 +-#define cpu_has_fpu 1 + #define cpu_has_nofpuex 0 + #define cpu_has_32fpr 1 + #define cpu_has_counter 1 diff --git a/queue-4.9/netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch b/queue-4.9/netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch new file mode 100644 index 00000000000..565def72479 --- /dev/null +++ b/queue-4.9/netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch 
@@ -0,0 +1,99 @@ +From 520778042ccca019f3ffa136dd0ca565c486cedd Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 25 May 2022 10:36:38 +0200 +Subject: netfilter: nf_tables: disallow non-stateful expression in sets earlier + +From: Pablo Neira Ayuso + +commit 520778042ccca019f3ffa136dd0ca565c486cedd upstream. + +Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression +instantiation"), it is possible to attach stateful expressions to set +elements. + +cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate +and destroy phase") introduces conditional destruction on the object to +accomodate transaction semantics. + +nft_expr_init() calls expr->ops->init() first, then check for +NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful +lookup expressions which points to a set, which might lead to UAF since +the set is not properly detached from the set->binding for this case. +Anyway, this combination is non-sense from nf_tables perspective. + +This patch fixes this problem by checking for NFT_STATEFUL_EXPR before +expr->ops->init() is called. + +The reporter provides a KASAN splat and a poc reproducer (similar to +those autogenerated by syzbot to report use-after-free errors). It is +unknown to me if they are using syzbot or if they use similar automated +tool to locate the bug that they are reporting. + +For the record, this is the KASAN splat. 
+ +[ 85.431824] ================================================================== +[ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20 +[ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776 +[ 85.434756] +[ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2 +[ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 + +Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling") +Reported-and-tested-by: Aaron Adams +Signed-off-by: Pablo Neira Ayuso +[Ajay: Regenerated the patch for v4.9.y] +Signed-off-by: Ajay Kaher +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 16 ++++++++++------ + net/netfilter/nft_dynset.c | 3 --- + 2 files changed, 10 insertions(+), 9 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1756,23 +1756,27 @@ struct nft_expr *nft_expr_init(const str + + err = nf_tables_expr_parse(ctx, nla, &info); + if (err < 0) +- goto err1; ++ goto err_expr_parse; ++ ++ err = -EOPNOTSUPP; ++ if (!(info.ops->type->flags & NFT_EXPR_STATEFUL)) ++ goto err_expr_stateful; + + err = -ENOMEM; + expr = kzalloc(info.ops->size, GFP_KERNEL); + if (expr == NULL) +- goto err2; ++ goto err_expr_stateful; + + err = nf_tables_newexpr(ctx, &info, expr); + if (err < 0) +- goto err3; ++ goto err_expr_new; + + return expr; +-err3: ++err_expr_new: + kfree(expr); +-err2: ++err_expr_stateful: + module_put(info.ops->type->owner); +-err1: ++err_expr_parse: + return ERR_PTR(err); + } + +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -196,9 +196,6 @@ static int nft_dynset_init(const struct + if (IS_ERR(priv->expr)) + return PTR_ERR(priv->expr); + +- err = -EOPNOTSUPP; +- if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL)) +- goto err1; + } else if (set->flags & NFT_SET_EVAL) + return -EINVAL; + diff --git a/queue-4.9/series b/queue-4.9/series index 62eb7c915fc..5fc971e5c2d 100644 
--- a/queue-4.9/series +++ b/queue-4.9/series @@ -104,3 +104,5 @@ gma500-fix-an-incorrect-null-check-on-list-iterator.patch docs-conf.py-cope-with-removal-of-language-none-in-sphinx-5.0.0.patch dt-bindings-gpio-altera-correct-interrupt-cells.patch rdma-rxe-generate-a-completion-for-unsupported-invalid-opcode.patch +mips-ip27-remove-incorrect-cpu_has_fpu-override.patch +netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch
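Review bot: for the cpu-feature-overrides.h hunk, the one-line removal is fine, but the backport rationale should be spelled out: the quoted link error (undefined `handle_fpe`) only arises with CONFIG_MIPS_FP_SUPPORT disabled, whereas the `Cc: stable@vger.kernel.org # v4.2+` tag shows the reason a 4.9 queue entry is wanted is the non-functional `nofpu` kernel parameter. Confirm that CONFIG_MIPS_FP_SUPPORT exists in the 4.9 tree before citing the link error as the motivating symptom, and consider adding a `[backport note]` line of the kind the netfilter patch carries (`[Ajay: Regenerated the patch for v4.9.y]`).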
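Review bot: in the nf_tables_api.c hunk, the new `NFT_EXPR_STATEFUL` check is correctly placed after nf_tables_expr_parse() and before kzalloc(), and `goto err_expr_stateful` releases the module reference that nf_tables_expr_parse() took via `module_put(info.ops->type->owner)`, so the early rejection leaks neither memory nor a module reference. Two things to double-check: the rejection now lives in the shared nft_expr_init() helper instead of the dynset caller, so every caller of nft_expr_init() in 4.9 must want non-stateful expression types refused with -EOPNOTSUPP (the hunk does not show the callers); and `err_expr_stateful` is also the target of the kzalloc() failure path, which is behaviourally correct but makes the label name misleading for the -ENOMEM case.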
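Review bot: in the nft_dynset.c hunk, deleting `goto err1` removes the only reference to the `err1` label visible here; if no later `goto err1` remains in nft_dynset_init() (the rest of the function is outside the hunk), the label becomes unused and the compiler will warn, and `err` may become a set-but-unused variable. Verify the remainder of the function before queuing. Functionally the move is sound: with the check now inside nft_expr_init(), a non-stateful expression is refused before `ops->init()` runs, so a lookup expression pointing at a set is never instantiated and left attached to `set->binding`, which is the use-after-free in nf_tables_bind_set() that the KASAN splat in the commit message describes.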