From: Sasha Levin Date: Mon, 17 Oct 2022 11:19:51 +0000 (-0400) Subject: Fixes for 5.19 X-Git-Tag: v5.4.219~13^2~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f1f93bbef04a67fdc44d0af467fd614ca342fe3e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.19 Signed-off-by: Sasha Levin --- diff --git a/queue-5.19/net-ieee802154-don-t-warn-zero-sized-raw_sendmsg.patch b/queue-5.19/net-ieee802154-don-t-warn-zero-sized-raw_sendmsg.patch new file mode 100644 index 00000000000..33980571c85 --- /dev/null +++ b/queue-5.19/net-ieee802154-don-t-warn-zero-sized-raw_sendmsg.patch 
@@ -0,0 +1,64 @@ +From d5d1c9cff67ffb18661a9d403b088306dca341ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Oct 2022 21:47:50 -0400 +Subject: net/ieee802154: don't warn zero-sized raw_sendmsg() + +From: Tetsuo Handa + +[ Upstream commit b12e924a2f5b960373459c8f8a514f887adf5cac ] + +syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1], +for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting +__dev_queue_xmit() with skb->len == 0. + +Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was +able to return 0, don't call __dev_queue_xmit() if packet length is 0. + + ---------- + #include + #include + + int main(int argc, char *argv[]) + { + struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) }; + struct iovec iov = { }; + struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 }; + sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0); + return 0; + } + ---------- + +Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't +redirect packets with invalid pkt_len") should be reverted, for +skb->len == 0 was acceptable for at least PF_IEEE802154 socket. 
+ +Link: https://syzkaller.appspot.com/bug?extid=5ea725c25d06fb9114c4 [1] +Reported-by: syzbot +Fixes: fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len") +Signed-off-by: Tetsuo Handa +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20221005014750.3685555-2-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/ieee802154/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index 7889e1ef7fad..6e55fae4c686 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -272,6 +272,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + err = -EMSGSIZE; + goto out_dev; + } ++ if (!size) { ++ err = 0; ++ goto out_dev; ++ } + + hlen = LL_RESERVED_SPACE(dev); + tlen = dev->needed_tailroom; +-- +2.35.1 + diff --git a/queue-5.19/revert-net-ieee802154-reject-zero-sized-raw_sendmsg.patch b/queue-5.19/revert-net-ieee802154-reject-zero-sized-raw_sendmsg.patch new file mode 100644 index 00000000000..ced507a6d18 --- /dev/null +++ b/queue-5.19/revert-net-ieee802154-reject-zero-sized-raw_sendmsg.patch 
@@ -0,0 +1,38 @@ +From 9dc2295e7994a193ccd2a0bfb36c8dd4bada645f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Oct 2022 21:47:49 -0400 +Subject: Revert "net/ieee802154: reject zero-sized raw_sendmsg()" + +From: Alexander Aring + +[ Upstream commit 2eb2756f6c9e9621e022d78321ce40a62c4520b5 ] + +This reverts commit 3a4d061c699bd3eedc80dc97a4b2a2e1af83c6f5. + +There is a v2 which does return zero if zero length is given. + +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20221005014750.3685555-1-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/ieee802154/socket.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index cbd0e2ac4ffe..7889e1ef7fad 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -251,9 +251,6 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + return -EOPNOTSUPP; + } + +- if (!size) +- return -EINVAL; +- + lock_sock(sk); + if (!sk->sk_bound_dev_if) + dev = dev_getfirstbyhwtype(sock_net(sk), ARPHRD_IEEE802154); +-- +2.35.1 + diff --git a/queue-5.19/series b/queue-5.19/series index 577f7437811..1ca6fdf61c8 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -831,3 +831,5 @@ alsa-usb-audio-fix-last-interface-check-for-registration.patch blk-wbt-fix-that-rwb-wc-is-always-set-to-1-in-wbt_init.patch net-ethernet-ti-davinci_mdio-fix-build-for-mdio-bitbang-uses.patch revert-drm-amd-display-correct-hostvm-flag.patch +revert-net-ieee802154-reject-zero-sized-raw_sendmsg.patch +net-ieee802154-don-t-warn-zero-sized-raw_sendmsg.patch
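Review bot: in net-ieee802154-don-t-warn-zero-sized-raw_sendmsg.patch, the new `if (!size)` branch at `@@ -272,6 +272,10` of raw_sendmsg() has no comment saying why a zero-length send returns 0 without transmitting. A one-line comment above it naming the skb_assert_len() warning in __dev_queue_xmit() would keep a later cleanup from removing the check. The branch also sits after the -EMSGSIZE check and leaves through `goto out_dev`, so it is reached only after the device lookup shown in the revert hunk's context (`dev_getfirstbyhwtype(...)`), unlike the reverted early `return -EINVAL`. The commit message should say that a zero-length request returns 0 only once those earlier steps have passed.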
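Review bot: the message of revert-net-ieee802154-reject-zero-sized-raw_sendmsg.patch says only "There is a v2 which does return zero if zero length is given" and does not identify that v2. On its own, removing `if (!size) return -EINVAL;` at `@@ -251,9 +251,6` lets a zero-sized raw_sendmsg() request reach __dev_queue_xmit() with skb->len == 0 again, which is the condition the companion patch describes. Suggest naming upstream commit b12e924a2f5b960373459c8f8a514f887adf5cac in the revert's message so the two are never backported separately.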
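Review bot: in the queue-5.19/series hunk (`@@ -831,3 +831,5`) the two added entries depend on their order, and the commit message ("Fixes for 5.19") does not say so. The fix's `index 7889e1ef7fad..6e55fae4c686` starts from the blob the revert produces (`index cbd0e2ac4ffe..7889e1ef7fad`), so the revert entry has to stay first. Dropping or reordering it would leave the second patch without the base it was generated against. A sentence in the commit message recording that dependency would help anyone trimming the queue later.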