From: Sasha Levin Date: Mon, 6 Feb 2023 13:35:52 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v5.15.93~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce6494bddc729f1015b3ae41428043ac60059ddc;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch b/queue-4.14/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch new file mode 100644 index 00000000000..055e1c46177 --- /dev/null +++ b/queue-4.14/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch @@ -0,0 +1,41 @@ +From 4fc14db2dd03bc12b960fbe24e258ce5265e25a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 00:22:59 -0800 +Subject: ALSA: hda/via: Avoid potential array out-of-bound in + add_secret_dac_path() + +From: Artemii Karasev + +[ Upstream commit b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa ] + +snd_hda_get_connections() can return a negative error code. +It may lead to accessing 'conn' array at a negative index. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Artemii Karasev +Fixes: 30b4503378c9 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs") +Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_via.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c +index 9dd104c308e1..5ab6d9b3e6d0 100644 +--- a/sound/pci/hda/patch_via.c ++++ b/sound/pci/hda/patch_via.c +@@ -870,6 +870,9 @@ static int add_secret_dac_path(struct hda_codec *codec) + return 0; + nums = snd_hda_get_connections(codec, spec->gen.mixer_nid, conn, + ARRAY_SIZE(conn) - 1); ++ if (nums < 0) ++ return nums; ++ + for (i = 0; i < nums; i++) { + if (get_wcaps_type(get_wcaps(codec, conn[i])) == AC_WID_AUD_OUT) + return 0; +-- +2.39.0 + 
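Review bot: the `for (i = 0; i < nums; i++)` loop visible in this hunk never runs when `nums` is negative, so the negative index the commit message describes must come from a use of `conn[nums]` below the shown context; the new `if (nums < 0) return nums;` sits directly after the `snd_hda_get_connections()` call, ahead of both, which is the right place. Note that the only other early exit visible in add_secret_dac_path() (`return 0;` at the top of the hunk) succeeds silently, so the caller now sees a negative errno from this function for the first time; confirm it propagates or tolerates that instead of treating any non-zero result as a codec init failure, since this is a quirk path for a "secret" DAC connection.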
diff --git a/queue-4.14/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch b/queue-4.14/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch new file mode 100644 index 00000000000..3aeb7f6d9fe --- /dev/null +++ b/queue-4.14/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch @@ -0,0 +1,46 @@ +From d1dd189c7eeb29402b07a42be35adcdf80cbfe86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:42:00 +0000 +Subject: bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + +From: Yuan Can + +[ Upstream commit f71eaf2708be7831428eacae7db25d8ec6b8b4c5 ] + +The sunxi_rsb_init() returns the platform_driver_register() directly +without checking its return value, if platform_driver_register() failed, +the sunxi_rsb_bus is not unregistered. +Fix by unregister sunxi_rsb_bus when platform_driver_register() failed. + +Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") +Signed-off-by: Yuan Can +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20221123094200.12036-1-yuancan@huawei.com +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/bus/sunxi-rsb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c +index d3fb350dc9ee..bf4db708f0bd 100644 +--- a/drivers/bus/sunxi-rsb.c ++++ b/drivers/bus/sunxi-rsb.c +@@ -783,7 +783,13 @@ static int __init sunxi_rsb_init(void) + return ret; + } + +- return platform_driver_register(&sunxi_rsb_driver); ++ ret = platform_driver_register(&sunxi_rsb_driver); ++ if (ret) { ++ bus_unregister(&sunxi_rsb_bus); ++ return ret; ++ } ++ ++ return 0; + } + module_init(sunxi_rsb_init); + +-- +2.39.0 + diff --git a/queue-4.14/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch b/queue-4.14/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch new file mode 100644 index 00000000000..8dfe3a40c48 --- /dev/null 
+++ b/queue-4.14/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch 
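Review bot: minor style point on the sunxi_rsb_init() hunk above: the new tail can drop the separate `return 0;` and read `if (ret) bus_unregister(&sunxi_rsb_bus); return ret;`, which also mirrors the existing `return ret;` exit visible at the top of the hunk. The fix itself is right: the bus registered earlier in the function now has a matching `bus_unregister()` when `platform_driver_register()` fails, so a failed init no longer leaves a registered bus with no driver behind it.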
@@ -0,0 +1,110 @@ +From 9fbb7787d30cda68d8caa7e07e6864ce9f168979 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 00:02:18 +0300 +Subject: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + +From: Fedor Pchelkin + +[ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ] + +Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is +not freed when an allocation of a key fails. + +BUG: memory leak +unreferenced object 0xffff888116668000 (size 632): + comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline] + [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77 + [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957 + [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739 + [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800 + [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515 + [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 + [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339 + [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934 + [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline] + [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671 + [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356 + [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410 + [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 + [<00000000c00628f8>] 
do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +To fix this the patch rearranges the goto labels to reflect the order of +object allocations and adds appropriate goto statements on the error +paths. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Eelco Chaudron +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 8598bc101244..3ae4ccb9895d 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -961,14 +961,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + key = kzalloc(sizeof(*key), GFP_KERNEL); + if (!key) { + error = -ENOMEM; +- goto err_kfree_key; ++ goto err_kfree_flow; + } + + ovs_match_init(&match, key, false, &mask); + error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY], + a[OVS_FLOW_ATTR_MASK], log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + ovs_flow_mask_key(&new_flow->key, key, true, &mask); + +@@ -976,14 +976,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID], + key, log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + /* Validate actions. 
*/ + error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS], + &new_flow->key, &acts, log); + if (error) { + OVS_NLERR(log, "Flow actions may not be safe on all matching packets."); +- goto err_kfree_flow; ++ goto err_kfree_key; + } + + reply = ovs_flow_cmd_alloc_info(acts, &new_flow->id, info, false, +@@ -1083,10 +1083,10 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + kfree_skb(reply); + err_kfree_acts: + ovs_nla_free_flow_actions(acts); +-err_kfree_flow: +- ovs_flow_free(new_flow, false); + err_kfree_key: + kfree(key); ++err_kfree_flow: ++ ovs_flow_free(new_flow, false); + error: + return error; + } +-- +2.39.0 + diff --git a/queue-4.14/net-x25-fix-to-not-accept-on-connected-socket.patch b/queue-4.14/net-x25-fix-to-not-accept-on-connected-socket.patch new file mode 100644 index 00000000000..d547858f1e2 --- /dev/null +++ b/queue-4.14/net-x25-fix-to-not-accept-on-connected-socket.patch 
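Review bot: the actual leak fix is the first hunk (`goto err_kfree_flow` when `kzalloc()` of `key` fails); the other three hunks only retarget gotos because the two labels were swapped. With the new order `err_kfree_acts` → `err_kfree_key` → `err_kfree_flow` → `error`, unwinding runs in reverse allocation order (new_flow is allocated before key, key before acts), which is correct. One check before merging: any `goto err_kfree_key` in the unshown part of ovs_flow_cmd_new() (roughly lines 990 to 1083 are not in the diff) would now skip `ovs_flow_free()`; the 6/6 diffstat matches the six retargeted lines here, so confirm no other jump to either label exists in the 4.14 version of the function.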
@@ -0,0 +1,47 @@ +From 75d02537d3fc1281c42776a1e5f3f3b6dec9d33f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 11:43:23 -0800 +Subject: net/x25: Fix to not accept on connected socket + +From: Hyunwoo Kim + +[ Upstream commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 ] + +When listen() and accept() are called on an x25 socket +that connect() succeeds, accept() succeeds immediately. +This is because x25_connect() queues the skb to +sk->sk_receive_queue, and x25_accept() dequeues it. + +This creates a child socket with the sk of the parent +x25 socket, which can cause confusion. + +Fix x25_listen() to return -EINVAL if the socket has +already been successfully connect()ed to avoid this issue. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index e103ec39759f..73e293c3f2fb 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -496,6 +496,12 @@ static int x25_listen(struct socket *sock, int backlog) + int rc = -EOPNOTSUPP; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ rc = -EINVAL; ++ release_sock(sk); ++ return rc; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&x25_sk(sk)->dest_addr, 0, X25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-4.14/netrom-fix-use-after-free-caused-by-accept-on-alread.patch b/queue-4.14/netrom-fix-use-after-free-caused-by-accept-on-alread.patch new file mode 100644 index 00000000000..0ce3880773a --- /dev/null +++ b/queue-4.14/netrom-fix-use-after-free-caused-by-accept-on-alread.patch 
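Review bot: unlike the netrom patch queued alongside it, this change carries no `Fixes:` tag, which makes it harder for stable maintainers to judge how far back it applies; the behaviour described (x25_connect() queueing to sk_receive_queue, x25_accept() dequeuing it) is old, so a Fixes: reference would help. Style point on the hunk: `rc = -EINVAL; release_sock(sk); return rc;` can simply be `release_sock(sk); return -EINVAL;`, as the netrom fix does. The check is placed after `lock_sock(sk)`, so the `sock->state` read is serialized against a concurrent connect(); good.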
@@ -0,0 +1,211 @@ +From d6b39f4bfaea6aec1f17f1a6ef831112655c71cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 18:32:50 -0800 +Subject: netrom: Fix use-after-free caused by accept on already connected + socket + +From: Hyunwoo Kim + +[ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ] + +If you call listen() and accept() on an already connect()ed +AF_NETROM socket, accept() can successfully connect. +This is because when the peer socket sends data to sendmsg, +the skb with its own sk stored in the connected socket's +sk->sk_receive_queue is connected, and nr_accept() dequeues +the skb waiting in the sk->sk_receive_queue. + +As a result, nr_accept() allocates and returns a sock with +the sk of the parent AF_NETROM socket. + +And here use-after-free can happen through complex race conditions: +``` + cpu0 cpu1 + 1. socket_2 = socket(AF_NETROM) + . + . + listen(socket_2) + accepted_socket = accept(socket_2) + 2. socket_1 = socket(AF_NETROM) + nr_create() // sk refcount : 1 + connect(socket_1) + 3. write(accepted_socket) + nr_sendmsg() + nr_output() + nr_kick() + nr_send_iframe() + nr_transmit_buffer() + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() + nr_process_rx_frame(sk, skb); // sk : socket_1's sk + nr_state3_machine() + nr_queue_rx_frame() + sock_queue_rcv_skb() + sock_queue_rcv_skb_reason() + __sock_queue_rcv_skb() + __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue + 4. listen(socket_1) + nr_listen() + uaf_socket = accept(socket_1) + nr_accept() + skb_dequeue(&sk->sk_receive_queue); + 5. close(accepted_socket) + nr_release() + nr_write_internal(sk, NR_DISCREQ) + nr_transmit_buffer() // NR_DISCREQ + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() // sk : socket_1's sk + nr_process_rx_frame() // NR_STATE_3 + nr_state3_machine() // NR_DISCREQ + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0; + 6. 
close(socket_1) // sk refcount : 3 + nr_release() // NR_STATE_0 + sock_put(sk); // sk refcount : 0 + sk_free(sk); + close(uaf_socket) + nr_release() + sock_hold(sk); // UAF +``` + +KASAN report by syzbot: +``` +BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 +Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:102 [inline] + atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] + __refcount_add include/linux/refcount.h:193 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + sock_hold include/net/sock.h:775 [inline] + nr_release+0x66/0x460 net/netrom/af_netrom.c:520 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f6c19e3c9b9 +Code: Unable to access opcode 
bytes at 0x7f6c19e3c98f. +RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 +RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 +RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 +R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + 
__kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +``` + +To fix this issue, nr_listen() returns -EINVAL for sockets that +successfully nr_connect(). + +Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index aebc804c10aa..b5a99b517207 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -403,6 +403,11 @@ static int nr_listen(struct socket *sock, int backlog) + struct sock *sk = sock->sk; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ release_sock(sk); ++ return -EINVAL; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-4.14/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch b/queue-4.14/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch new file mode 100644 index 00000000000..bdd8ec3039a --- /dev/null +++ b/queue-4.14/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch 
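Review bot: the new check keys on the BSD-layer `sock->state` rather than on `sk->sk_state`, and the hunk only shows the listen side; confirm that nr_connect() sets `sock->state` to `SS_CONNECTED` and that a disconnect returns it to `SS_UNCONNECTED`, otherwise a socket that has been connected and then disconnected would be refused listen() from then on. Rejecting everything other than `SS_UNCONNECTED` also covers `SS_CONNECTING`, which is the conservative choice for a race like the one in the description. The `Fixes: 1da177e4c3f4` tag is appropriate since the accept-on-connected-socket path dates from the original import, so queuing this for 4.14 is justified.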
@@ -0,0 +1,69 @@ +From 15a626e455cef1515a5732fcef9ee4707d4d78eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:39:37 -0600 +Subject: scsi: iscsi_tcp: Fix UAF during login when accessing the shost + ipaddress + +From: Mike Christie + +[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ] + +If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, +userspace could be accessing the host's ipaddress attr. If we then free the +session via iscsi_session_teardown() while userspace is still accessing the +session we will hit a use after free bug. + +Set the tcp_sw_host->session after we have completed session creation and +can no longer fail. + +Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com +Signed-off-by: Mike Christie +Reviewed-by: Lee Duncan +Acked-by: Ding Hui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index e3ca16043f9a..9161fe8fba88 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -773,7 +773,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + enum iscsi_host_param param, char *buf) + { + struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost); +- struct iscsi_session *session = tcp_sw_host->session; ++ struct iscsi_session *session; + struct iscsi_conn *conn; + struct iscsi_tcp_conn *tcp_conn; + struct iscsi_sw_tcp_conn *tcp_sw_conn; +@@ -782,6 +782,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + + switch (param) { + case ISCSI_HOST_PARAM_IPADDRESS: ++ session = tcp_sw_host->session; + if (!session) + return -ENOTCONN; + +@@ -870,12 +871,14 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max, + if (!cls_session) + goto remove_host; + session = cls_session->dd_data; +- tcp_sw_host = iscsi_host_priv(shost); 
+- tcp_sw_host->session = session; + + shost->can_queue = session->scsi_cmds_max; + if (iscsi_tcp_r2tpool_alloc(session)) + goto remove_session; ++ ++ /* We are now fully setup so expose the session to sysfs. */ ++ tcp_sw_host = iscsi_host_priv(shost); ++ tcp_sw_host->session = session; + return cls_session; + + remove_session: +-- +2.39.0 + diff --git a/queue-4.14/scsi-target-core-fix-warning-on-rt-kernels.patch b/queue-4.14/scsi-target-core-fix-warning-on-rt-kernels.patch new file mode 100644 index 00000000000..0766b063628 --- /dev/null +++ b/queue-4.14/scsi-target-core-fix-warning-on-rt-kernels.patch @@ -0,0 +1,40 @@ +From 832c5a473acb386434f2d7d3cd607c1cf95f93e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 13:53:10 +0100 +Subject: scsi: target: core: Fix warning on RT kernels + +From: Maurizio Lombardi + +[ Upstream commit 84ed64b1a7a7fcd507598dee7708c1f225123711 ] + +Calling spin_lock_irqsave() does not disable the interrupts on realtime +kernels, remove the warning and replace assert_spin_locked() with +lockdep_assert_held(). + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230110125310.55884-1-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_tmr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c +index 9c7bc1ca341a..e72bfb10a3f0 100644 +--- a/drivers/target/target_core_tmr.c ++++ b/drivers/target/target_core_tmr.c +@@ -114,8 +114,8 @@ static bool __target_check_io_state(struct se_cmd *se_cmd, + { + struct se_session *sess = se_cmd->se_sess; + +- assert_spin_locked(&sess->sess_cmd_lock); +- WARN_ON_ONCE(!irqs_disabled()); ++ lockdep_assert_held(&sess->sess_cmd_lock); ++ + /* + * If command already reached CMD_T_COMPLETE state within + * target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown, +-- +2.39.0 + 
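Review bot: on the first iscsi_tcp hunk, moving the `session = tcp_sw_host->session;` read into the `ISCSI_HOST_PARAM_IPADDRESS` case narrows the window but does not by itself close the race the commit message describes: nothing in this patch clears `tcp_sw_host->session` at teardown, and the read is a plain pointer load with no lock or READ_ONCE() shown. The Link is message `-3-` of a series, which suggests the teardown-side change is a companion patch; confirm it is queued for 4.14 too. The second hunk is the real fix for the create path: the pointer is published only after `iscsi_tcp_r2tpool_alloc()` succeeds, so the `remove_session` error path never runs while sysfs can still reach a half-built session.

Review bot: on the target_core_tmr.c hunk, `lockdep_assert_held()` compiles to nothing when CONFIG_LOCKDEP is off, whereas `assert_spin_locked()` was a runtime BUG_ON() check on SMP builds, so production kernels silently lose the lock check; that is the usual upstream trade-off and acceptable, but worth a sentence in the backport. The dropped `WARN_ON_ONCE(!irqs_disabled())` is the actual RT fix, since `spin_lock_irqsave()` leaves interrupts enabled on PREEMPT_RT. Nit: the hunk also adds a blank line before the comment block that was not there before.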
diff --git a/queue-4.14/sctp-do-not-check-hb_timer.expires-when-resetting-hb.patch b/queue-4.14/sctp-do-not-check-hb_timer.expires-when-resetting-hb.patch new file mode 100644 index 00000000000..4845f90595d --- /dev/null +++ b/queue-4.14/sctp-do-not-check-hb_timer.expires-when-resetting-hb.patch 
@@ -0,0 +1,53 @@ +From f2101fdcb7a5483f2f2982bb9045d281b3fb17db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 11:25:33 -0500 +Subject: sctp: do not check hb_timer.expires when resetting hb_timer + +From: Xin Long + +[ Upstream commit 8f35ae17ef565a605de5f409e04bcd49a55d7646 ] + +It tries to avoid the frequently hb_timer refresh in commit ba6f5e33bdbb +("sctp: avoid refreshing heartbeat timer too often"), and it only allows +mod_timer when the new expires is after hb_timer.expires. It means even +a much shorter interval for hb timer gets applied, it will have to wait +until the current hb timer to time out. + +In sctp_do_8_2_transport_strike(), when a transport enters PF state, it +expects to update the hb timer to resend a heartbeat every rto after +calling sctp_transport_reset_hb_timer(), which will not work as the +change mentioned above. + +The frequently hb_timer refresh was caused by sctp_transport_reset_timers() +called in sctp_outq_flush() and it was already removed in the commit above. +So we don't have to check hb_timer.expires when resetting hb_timer as it is +now not called very often. + +Fixes: ba6f5e33bdbb ("sctp: avoid refreshing heartbeat timer too often") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Link: https://lore.kernel.org/r/d958c06985713ec84049a2d5664879802710179a.1675095933.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/transport.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/sctp/transport.c b/net/sctp/transport.c +index af56651169b2..79d2aa44c6e5 100644 +--- a/net/sctp/transport.c ++++ b/net/sctp/transport.c +@@ -210,9 +210,7 @@ void sctp_transport_reset_hb_timer(struct sctp_transport *transport) + + /* When a data chunk is sent, reset the heartbeat interval. 
*/ + expires = jiffies + sctp_transport_timeout(transport); +- if ((time_before(transport->hb_timer.expires, expires) || +- !timer_pending(&transport->hb_timer)) && +- !mod_timer(&transport->hb_timer, ++ if (!mod_timer(&transport->hb_timer, + expires + prandom_u32_max(transport->rto))) + sctp_transport_hold(transport); + } +-- +2.39.0 + diff --git a/queue-4.14/series b/queue-4.14/series index e8e31cc7adc..593b5d005db 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1 +1,10 @@ firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch +bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch +alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch +netrom-fix-use-after-free-caused-by-accept-on-alread.patch +squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch +sctp-do-not-check-hb_timer.expires-when-resetting-hb.patch +net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch +scsi-target-core-fix-warning-on-rt-kernels.patch +scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch +net-x25-fix-to-not-accept-on-connected-socket.patch diff --git a/queue-4.14/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch b/queue-4.14/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch new file mode 100644 index 00000000000..c869adf122b --- /dev/null +++ b/queue-4.14/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch 
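Review bot: the reference handling stays consistent after the sctp hunk: `sctp_transport_hold()` is still taken only when `mod_timer()` returns 0 (the timer was not pending), so dropping the `time_before()`/`timer_pending()` guard does not change how many references the timer owns. Backport check for 4.14: the commit message says the hot-path caller in sctp_outq_flush() was already removed by ba6f5e33bdbb, the commit in the Fixes: tag; confirm that commit is present in 4.14 before applying, otherwise this patch reintroduces the frequent hb_timer refresh the removed guard was protecting against. The `series` hunk lists nine new entries, matching the nine patch files added by this commit.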
@@ -0,0 +1,45 @@ +From bebe2bff014292fc16c1b288622217df975e6e32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:52:26 +0300 +Subject: squashfs: harden sanity check in squashfs_read_xattr_id_table + +From: Fedor Pchelkin + +[ Upstream commit 72e544b1b28325fe78a4687b980871a7e4101f76 ] + +While mounting a corrupted filesystem, a signed integer '*xattr_ids' can +become less than zero. This leads to the incorrect computation of 'len' +and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor() +or out-of-bounds accesses in the next sanity checks inside +squashfs_read_xattr_id_table(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru +Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") +Reported-by: +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Cc: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/squashfs/xattr_id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c +index 7f718d2bf357..0c0d7882bcca 100644 +--- a/fs/squashfs/xattr_id.c ++++ b/fs/squashfs/xattr_id.c +@@ -89,7 +89,7 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start, + /* Sanity check values */ + + /* there is always at least one xattr id */ +- if (*xattr_ids == 0) ++ if (*xattr_ids <= 0) + return ERR_PTR(-EINVAL); + + len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); +-- +2.39.0 +
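Review bot: the `<= 0` check only does anything if `*xattr_ids` is a signed int, as the commit message states; the 4.14 prototype is cut off in the hunk header, so confirm the parameter is still `int *xattr_ids` there (an unsigned type would make `<= 0` equivalent to the old `== 0` and draw a compiler warning). Rejecting negative values before `SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids)` computes `len` is the right place, since the value comes from the on-disk table of the image being mounted. The Fixes: target 506220d2ba21 added the later sanity checks this one hardens; if that commit is not already in 4.14, this patch should be queued together with it rather than alone.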