From: Greg Kroah-Hartman Date: Mon, 20 Sep 2021 07:30:12 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.284~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d71b731b57d4ee984f782fdd0d30687bbee05a91;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch --- diff --git a/queue-5.4/series b/queue-5.4/series index 505d5e7eeaf..8a0b3b22b70 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -206,3 +206,4 @@ drm-etnaviv-reference-mmu-context-when-setting-up-hardware-state.patch drm-etnaviv-add-missing-mmu-context-put-when-reaping-mmu-mapping.patch s390-sclp-fix-secure-ipl-facility-detection.patch x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch +tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch diff --git a/queue-5.4/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch b/queue-5.4/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch new file mode 100644 index 00000000000..65b90759a52 --- /dev/null +++ b/queue-5.4/tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch 
@@ -0,0 +1,56 @@ +From cc19862ffe454a5b632ca202e5a51bfec9f89fd2 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 23 Jul 2021 13:25:36 -0400 +Subject: tipc: fix an use-after-free issue in tipc_recvmsg + +From: Xin Long + +commit cc19862ffe454a5b632ca202e5a51bfec9f89fd2 upstream. + +syzbot reported an use-after-free crash: + + BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979 + Call Trace: + tipc_recvmsg+0xf77/0xf90 net/tipc/socket.c:1979 + sock_recvmsg_nosec net/socket.c:943 [inline] + sock_recvmsg net/socket.c:961 [inline] + sock_recvmsg+0xca/0x110 net/socket.c:957 + tipc_conn_rcv_from_sock+0x162/0x2f0 net/tipc/topsrv.c:398 + tipc_conn_recv_work+0xeb/0x190 net/tipc/topsrv.c:421 + process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 + worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 + +As Hoang pointed out, it was caused by skb_cb->bytes_read still accessed +after calling tsk_advance_rx_queue() to free the skb in tipc_recvmsg(). + +This patch is to fix it by accessing skb_cb->bytes_read earlier than +calling tsk_advance_rx_queue(). + +Fixes: f4919ff59c28 ("tipc: keep the skb in rcv queue until the whole data is read") +Reported-by: syzbot+e6741b97d5552f97c24d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1849,10 +1849,12 @@ static int tipc_recvmsg(struct socket *s + tipc_node_distr_xmit(sock_net(sk), &xmitq); + } + +- if (!skb_cb->bytes_read) +- tsk_advance_rx_queue(sk); ++ if (skb_cb->bytes_read) ++ goto exit; ++ ++ tsk_advance_rx_queue(sk); + +- if (likely(!connected) || skb_cb->bytes_read) ++ if (likely(!connected)) + goto exit; + + /* Send connection flow control advertisement when applicable */
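Review bot: In the net/tipc/socket.c hunk the reordering is the correct fix and it preserves the original control flow: the old second test `if (likely(!connected) || skb_cb->bytes_read)` read `bytes_read` out of the skb that `tsk_advance_rx_queue(sk)` had just freed (the KASAN report in the commit message), whereas the new code does its only read of `bytes_read` before the free, and both the old and new versions reach `exit` without advancing the queue or sending a flow-control advertisement while part of the message is still unread. For the 5.4 backport it is worth confirming that nothing later in this function still dereferences `skb_cb` after `tsk_advance_rx_queue(sk)`; the hunk header sits at line 1849 here versus 1979 in the upstream KASAN trace, so the surrounding function body differs from the one the report was taken against. Minor wording in the Subject and body: "an use-after-free" should read "a use-after-free".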