From: Greg Kroah-Hartman Date: Mon, 27 Dec 2021 14:57:27 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.297~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d58f69d7785fe36f540fd04a84b4aa0b6cefb33e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: ax25-npd-bug-when-detaching-ax25-device.patch hamradio-defer-ax25-kfree-after-unregister_netdev.patch hamradio-improve-the-incomplete-fix-to-avoid-npd.patch hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch phonet-pep-refuse-to-enable-an-unbound-pipe.patch --- diff --git a/queue-4.19/ax25-npd-bug-when-detaching-ax25-device.patch b/queue-4.19/ax25-npd-bug-when-detaching-ax25-device.patch new file mode 100644 index 00000000000..efc88aa8917 --- /dev/null +++ b/queue-4.19/ax25-npd-bug-when-detaching-ax25-device.patch 
@@ -0,0 +1,58 @@ +From 1ade48d0c27d5da1ccf4b583d8c5fc8b534a3ac8 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Fri, 17 Dec 2021 10:29:41 +0800 +Subject: ax25: NPD bug when detaching AX25 device + +From: Lin Ma + +commit 1ade48d0c27d5da1ccf4b583d8c5fc8b534a3ac8 upstream. + +The existing cleanup routine implementation is not well synchronized +with the syscall routine. When a device is detaching, below race could +occur. + +static int ax25_sendmsg(...) { + ... + lock_sock() + ax25 = sk_to_ax25(sk); + if (ax25->ax25_dev == NULL) // CHECK + ... + ax25_queue_xmit(skb, ax25->ax25_dev->dev); // USE + ... +} + +static void ax25_kill_by_device(...) { + ... + if (s->ax25_dev == ax25_dev) { + s->ax25_dev = NULL; + ... +} + +Other syscall functions like ax25_getsockopt, ax25_getname, +ax25_info_show also suffer from similar races. To fix them, this patch +introduce lock_sock() into ax25_kill_by_device in order to guarantee +that the nullify action in cleanup routine cannot proceed when another +socket request is pending. + +Signed-off-by: Hanjie Wu +Signed-off-by: Lin Ma +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -88,8 +88,10 @@ static void ax25_kill_by_device(struct n + again: + ax25_for_each(s, &ax25_list) { + if (s->ax25_dev == ax25_dev) { +- s->ax25_dev = NULL; + spin_unlock_bh(&ax25_list_lock); ++ lock_sock(s->sk); ++ s->ax25_dev = NULL; ++ release_sock(s->sk); + ax25_disconnect(s, ENETUNREACH); + spin_lock_bh(&ax25_list_lock); + diff --git a/queue-4.19/hamradio-defer-ax25-kfree-after-unregister_netdev.patch b/queue-4.19/hamradio-defer-ax25-kfree-after-unregister_netdev.patch new file mode 100644 index 00000000000..1f3214b68b0 --- /dev/null +++ b/queue-4.19/hamradio-defer-ax25-kfree-after-unregister_netdev.patch 
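Review bot: the store `s->ax25_dev = NULL;` is now done under `lock_sock(s->sk)`, but the `ax25_disconnect(s, ENETUNREACH);` that follows runs after `release_sock(s->sk);`, outside the socket lock; if the disconnect path also touches `s->ax25_dev` it still races with the syscall side in the same way the commit message describes for `ax25_sendmsg`, so either widen the locked region to cover the disconnect or add a comment stating why only the nullify needs protecting. The ordering of `spin_unlock_bh(&ax25_list_lock);` before `lock_sock()` is correct, since `lock_sock()` may sleep and must not be called with the list spinlock held, and the `again:` label shows the walk restarts after the lock is dropped. The fix only closes the race for readers that themselves hold the socket lock; the message lists `ax25_info_show` as affected, so it is worth confirming that the /proc path actually takes `lock_sock()` around its `ax25_dev` accesses, otherwise that window remains.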
@@ -0,0 +1,66 @@ +From 3e0588c291d6ce225f2b891753ca41d45ba42469 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Mon, 8 Nov 2021 18:37:21 +0800 +Subject: hamradio: defer ax25 kfree after unregister_netdev + +From: Lin Ma + +commit 3e0588c291d6ce225f2b891753ca41d45ba42469 upstream. + +There is a possible race condition (use-after-free) like below + + (USE) | (FREE) +ax25_sendmsg | + ax25_queue_xmit | + dev_queue_xmit | + __dev_queue_xmit | + __dev_xmit_skb | + sch_direct_xmit | ... + xmit_one | + netdev_start_xmit | tty_ldisc_kill + __netdev_start_xmit | mkiss_close + ax_xmit | kfree + ax_encaps | + | + +Even though there are two synchronization primitives before the kfree: +1. wait_for_completion(&ax->dead). This can prevent the race with +routines from mkiss_ioctl. However, it cannot stop the routine coming +from upper layer, i.e., the ax25_sendmsg. + +2. netif_stop_queue(ax->dev). It seems that this line of code aims to +halt the transmit queue but it fails to stop the routine that already +being xmit. + +This patch reorder the kfree after the unregister_netdev to avoid the +possible UAF as the unregister_netdev() is well synchronized and won't +return if there is a running routine. + +Signed-off-by: Lin Ma +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hamradio/mkiss.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -803,13 +803,14 @@ static void mkiss_close(struct tty_struc + */ + netif_stop_queue(ax->dev); + +- /* Free all AX25 frame buffers. */ +- kfree(ax->rbuff); +- kfree(ax->xbuff); +- + ax->tty = NULL; + + unregister_netdev(ax->dev); ++ ++ /* Free all AX25 frame buffers after unreg. */ ++ kfree(ax->rbuff); ++ kfree(ax->xbuff); ++ + free_netdev(ax->dev); + } + 
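Review bot: moving `kfree(ax->rbuff);` and `kfree(ax->xbuff);` after `unregister_netdev(ax->dev);` closes the use-after-free on the buffers, but the hunk still leaves `ax->tty = NULL;` before `unregister_netdev()`, so a transmit that is already running in `ax_xmit` can observe a NULL `ax->tty` in the same window the message's diagram shows for the buffers; this hunk alone trades the UAF for a NULL dereference, which is exactly what the follow-up patch in this queue (hamradio-improve-the-incomplete-fix-to-avoid-npd.patch) addresses, so the two should be backported together. The message's second point ("netif_stop_queue ... fails to stop the routine that already being xmit") is the key justification and would read better in the new comment than "Free all AX25 frame buffers after unreg.", e.g. noting that `unregister_netdev()` is what waits for in-flight transmits.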
diff --git a/queue-4.19/hamradio-improve-the-incomplete-fix-to-avoid-npd.patch b/queue-4.19/hamradio-improve-the-incomplete-fix-to-avoid-npd.patch new file mode 100644 index 00000000000..68ab7f44c77 --- /dev/null +++ b/queue-4.19/hamradio-improve-the-incomplete-fix-to-avoid-npd.patch 
@@ -0,0 +1,74 @@ +From b2f37aead1b82a770c48b5d583f35ec22aabb61e Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Fri, 17 Dec 2021 10:13:56 +0800 +Subject: hamradio: improve the incomplete fix to avoid NPD + +From: Lin Ma + +commit b2f37aead1b82a770c48b5d583f35ec22aabb61e upstream. + +The previous commit 3e0588c291d6 ("hamradio: defer ax25 kfree after +unregister_netdev") reorder the kfree operations and unregister_netdev +operation to prevent UAF. + +This commit improves the previous one by also deferring the nullify of +the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs. +Partial of the stack trace is shown below. + +BUG: kernel NULL pointer dereference, address: 0000000000000538 +RIP: 0010:ax_xmit+0x1f9/0x400 +... +Call Trace: + dev_hard_start_xmit+0xec/0x320 + sch_direct_xmit+0xea/0x240 + __qdisc_run+0x166/0x5c0 + __dev_queue_xmit+0x2c7/0xaf0 + ax25_std_establish_data_link+0x59/0x60 + ax25_connect+0x3a0/0x500 + ? security_socket_connect+0x2b/0x40 + __sys_connect+0x96/0xc0 + ? __hrtimer_init+0xc0/0xc0 + ? common_nsleep+0x2e/0x50 + ? switch_fpu_return+0x139/0x1a0 + __x64_sys_connect+0x11/0x20 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The crash point is shown as below + +static void ax_encaps(...) { + ... + set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL! + ... +} + +By placing the nullify action after the unregister_netdev, the ax->tty +pointer won't be assigned as NULL net_device framework layer is well +synchronized. + +Signed-off-by: Lin Ma +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hamradio/mkiss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -803,14 +803,14 @@ static void mkiss_close(struct tty_struc + */ + netif_stop_queue(ax->dev); + +- ax->tty = NULL; +- + unregister_netdev(ax->dev); + + /* Free all AX25 frame buffers after unreg. 
*/ + kfree(ax->rbuff); + kfree(ax->xbuff); + ++ ax->tty = NULL; ++ + free_netdev(ax->dev); + } + diff --git a/queue-4.19/hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch b/queue-4.19/hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch new file mode 100644 index 00000000000..2e6bffebb8e --- /dev/null +++ b/queue-4.19/hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch @@ -0,0 +1,38 @@ +From cdc5287acad9ede121924a9c9313544b80d15842 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Fri, 3 Dec 2021 13:42:22 -0800 +Subject: hwmon: (lm90) Do not report 'busy' status bit as alarm + +From: Guenter Roeck + +commit cdc5287acad9ede121924a9c9313544b80d15842 upstream. + +Bit 7 of the status register indicates that the chip is busy +doing a conversion. It does not indicate an alarm status. +Stop reporting it as alarm status bit. + +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/lm90.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hwmon/lm90.c ++++ b/drivers/hwmon/lm90.c +@@ -197,6 +197,7 @@ enum chips { lm90, adm1032, lm99, lm86, + #define LM90_STATUS_RHIGH (1 << 4) /* remote high temp limit tripped */ + #define LM90_STATUS_LLOW (1 << 5) /* local low temp limit tripped */ + #define LM90_STATUS_LHIGH (1 << 6) /* local high temp limit tripped */ ++#define LM90_STATUS_BUSY (1 << 7) /* conversion is ongoing */ + + #define MAX6696_STATUS2_R2THRM (1 << 1) /* remote2 THERM limit tripped */ + #define MAX6696_STATUS2_R2OPEN (1 << 2) /* remote2 is an open circuit */ +@@ -786,7 +787,7 @@ static int lm90_update_device(struct dev + val = lm90_read_reg(client, LM90_REG_R_STATUS); + if (val < 0) + return val; +- data->alarms = val; /* lower 8 bit of alarms */ ++ data->alarms = val & ~LM90_STATUS_BUSY; + + if (data->kind == max6696) { + val = lm90_select_remote_channel(client, data, 1); 
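Review bot: `ax->tty = NULL;` now lands between the buffer frees and `free_netdev(ax->dev);`, which is the right place given that `unregister_netdev()` is what quiesces `ax_xmit`, but the hunk carries no comment on the new line, and the only rationale is the message's sentence "the ax->tty pointer won't be assigned as NULL net_device framework layer is well synchronized", which is missing a word ("until the", or "because the"); a one-line comment such as `/* Must follow unregister_netdev(): ax_xmit dereferences ax->tty. */` would stop a later cleanup from re-ordering it. Since the first patch's comment only explains the buffer frees, a reader of the final `mkiss_close()` would otherwise not see why the tty nullify sits so late. Also worth confirming that nothing between `netif_stop_queue(ax->dev);` and `unregister_netdev(ax->dev);` relies on `ax->tty` already being NULL, since that was its previous state at that point.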
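Review bot: `data->alarms = val & ~LM90_STATUS_BUSY;` correctly drops bit 7 from the value read from `LM90_REG_R_STATUS`, but the hunk also deletes the comment `/* lower 8 bit of alarms */` without replacing it, so the reason for the mask is only in the commit message; suggest keeping a short comment on the line, e.g. `/* bit 7 is the conversion-busy flag, not an alarm */`. The context shows a separate path for `data->kind == max6696` that reads a second status register right after this; the change does not touch it, so it is worth confirming that the MAX6696 status2 register (whose `MAX6696_STATUS2_*` bits appear in the first hunk) has no comparable busy bit, or masking it there too. The new `LM90_STATUS_BUSY` define follows the existing `(1 << n)` comment style of the neighbouring defines, which is fine.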
diff --git a/queue-4.19/phonet-pep-refuse-to-enable-an-unbound-pipe.patch b/queue-4.19/phonet-pep-refuse-to-enable-an-unbound-pipe.patch new file mode 100644 index 00000000000..eaf24fa50b7 --- /dev/null +++ b/queue-4.19/phonet-pep-refuse-to-enable-an-unbound-pipe.patch @@ -0,0 +1,39 @@ +From 75a2f31520095600f650597c0ac41f48b5ba0068 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= +Date: Sun, 19 Dec 2021 19:03:39 +0200 +Subject: phonet/pep: refuse to enable an unbound pipe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rémi Denis-Courmont + +commit 75a2f31520095600f650597c0ac41f48b5ba0068 upstream. + +This ioctl() implicitly assumed that the socket was already bound to +a valid local socket name, i.e. Phonet object. If the socket was not +bound, two separate problems would occur: + +1) We'd send an pipe enablement request with an invalid source object. +2) Later socket calls could BUG on the socket unexpectedly being + connected yet not bound to a valid object. + +Reported-by: syzbot+2dc91e7fc3dea88b1e8a@syzkaller.appspotmail.com +Signed-off-by: Rémi Denis-Courmont +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/phonet/pep.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -959,6 +959,8 @@ static int pep_ioctl(struct sock *sk, in + ret = -EBUSY; + else if (sk->sk_state == TCP_ESTABLISHED) + ret = -EISCONN; ++ else if (!pn->pn_sk.sobject) ++ ret = -EADDRNOTAVAIL; + else + ret = pep_sock_enable(sk, NULL, 0); + release_sock(sk); diff --git a/queue-4.19/series b/queue-4.19/series index b4481324a96..c56dcfe06ee 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
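Review bot: the new `else if (!pn->pn_sk.sobject)` branch returning `-EADDRNOTAVAIL` is placed after the `-EBUSY` and `-EISCONN` checks and before `pep_sock_enable(sk, NULL, 0);`, so the enablement request with an invalid source object described in the message can no longer be sent, and the check runs under the socket lock (the visible `release_sock(sk);` follows), which avoids a bind racing with the ioctl. Two things a backport reviewer would still want: confirmation that a zero `sobject` is the only "unbound" state (i.e. that bind never assigns object 0), since the check relies on that sentinel, and a `Fixes:` tag in the message, which is absent despite the syzbot `Reported-by:`, so that the affected stable ranges can be identified rather than inferred from the 4.19 queue alone.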
@@ -31,3 +31,8 @@ f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch kvm-vmx-fix-stale-docs-for-kvm-intel.emulate_invalid_guest_state.patch input-i8042-enable-deferred-probe-quirk-for-asus-um325ua.patch +hwmon-lm90-do-not-report-busy-status-bit-as-alarm.patch +ax25-npd-bug-when-detaching-ax25-device.patch +hamradio-defer-ax25-kfree-after-unregister_netdev.patch +hamradio-improve-the-incomplete-fix-to-avoid-npd.patch +phonet-pep-refuse-to-enable-an-unbound-pipe.patch
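Review bot: the ordering in `series` is correct where it matters: hamradio-defer-ax25-kfree-after-unregister_netdev.patch precedes hamradio-improve-the-incomplete-fix-to-avoid-npd.patch, which is required because the second patch's hunk context (`/* Free all AX25 frame buffers after unreg. */`) is introduced by the first; the ax25 and hwmon entries are independent of each other, so their relative placement is immaterial. Nothing further to raise on this hunk.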