From 90b170f0d54fb262fd1fd2befc836975cdcc96af Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 30 Jan 2021 15:57:18 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
	iwlwifi-provide-gso_type-to-gso-packets.patch
	nbd-freeze-the-queue-while-we-re-adding-connections.patch
	tty-avoid-using-vfs_iocb_iter_write-for-redirected-console-writes.patch
---
 ...wifi-provide-gso_type-to-gso-packets.patch | 49 ++++++++++
 ...queue-while-we-re-adding-connections.patch | 60 ++++++++++++
 ..._write-for-redirected-console-writes.patch | 97 +++++++++++++++++++
 3 files changed, 206 insertions(+)
 create mode 100644 queue-5.10/iwlwifi-provide-gso_type-to-gso-packets.patch
 create mode 100644 queue-5.10/nbd-freeze-the-queue-while-we-re-adding-connections.patch
 create mode 100644 queue-5.10/tty-avoid-using-vfs_iocb_iter_write-for-redirected-console-writes.patch

diff --git a/queue-5.10/iwlwifi-provide-gso_type-to-gso-packets.patch b/queue-5.10/iwlwifi-provide-gso_type-to-gso-packets.patch
new file mode 100644
index 00000000000..644b6ce1bc7
--- /dev/null
+++ b/queue-5.10/iwlwifi-provide-gso_type-to-gso-packets.patch
@@ -0,0 +1,49 @@
+From 81a86e1bd8e7060ebba1718b284d54f1238e9bf9 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 25 Jan 2021 07:09:49 -0800
+Subject: iwlwifi: provide gso_type to GSO packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 81a86e1bd8e7060ebba1718b284d54f1238e9bf9 upstream.
+
+net/core/tso.c got recent support for USO, and this broke iwlfifi
+because the driver implemented a limited form of GSO.
+
+Providing ->gso_type allows for skb_is_gso_tcp() to provide
+a correct result.
+
+Fixes: 3d5b459ba0e3 ("net: tso: add UDP segmentation support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Ben Greear <greearb@candelatech.com>
+Tested-by: Ben Greear <greearb@candelatech.com>
+Cc: Luca Coelho <luciano.coelho@intel.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=209913
+Link: https://lore.kernel.org/r/20210125150949.619309-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Robert Hancock <hancockrwd@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -833,6 +833,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s
+ 
+ 	next = skb_gso_segment(skb, netdev_flags);
+ 	skb_shinfo(skb)->gso_size = mss;
++	skb_shinfo(skb)->gso_type = ipv4 ? SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
+ 	if (WARN_ON_ONCE(IS_ERR(next)))
+ 		return -EINVAL;
+ 	else if (next)
+@@ -855,6 +856,8 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s
+ 
+ 		if (tcp_payload_len > mss) {
+ 			skb_shinfo(tmp)->gso_size = mss;
++			skb_shinfo(tmp)->gso_type = ipv4 ? SKB_GSO_TCPV4 :
++							   SKB_GSO_TCPV6;
+ 		} else {
+ 			if (qos) {
+ 				u8 *qc;
diff --git a/queue-5.10/nbd-freeze-the-queue-while-we-re-adding-connections.patch b/queue-5.10/nbd-freeze-the-queue-while-we-re-adding-connections.patch
new file mode 100644
index 00000000000..4fd95823e3d
--- /dev/null
+++ b/queue-5.10/nbd-freeze-the-queue-while-we-re-adding-connections.patch
@@ -0,0 +1,60 @@
+From b98e762e3d71e893b221f871825dc64694cfb258 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 25 Jan 2021 12:21:02 -0500
+Subject: nbd: freeze the queue while we're adding connections
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit b98e762e3d71e893b221f871825dc64694cfb258 upstream.
+
+When setting up a device, we can krealloc the config->socks array to add
+new sockets to the configuration.  However if we happen to get a IO
+request in at this point even though we aren't setup we could hit a UAF,
+as we deref config->socks without any locking, assuming that the
+configuration was setup already and that ->socks is safe to access it as
+we have a reference on the configuration.
+
+But there's nothing really preventing IO from occurring at this point of
+the device setup, we don't want to incur the overhead of a lock to
+access ->socks when it will never change while the device is running.
+To fix this UAF scenario simply freeze the queue if we are adding
+sockets.  This will protect us from this particular case without adding
+any additional overhead for the normal running case.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/nbd.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1029,6 +1029,12 @@ static int nbd_add_socket(struct nbd_dev
+ 	if (!sock)
+ 		return err;
+ 
++	/*
++	 * We need to make sure we don't get any errant requests while we're
++	 * reallocating the ->socks array.
++	 */
++	blk_mq_freeze_queue(nbd->disk->queue);
++
+ 	if (!netlink && !nbd->task_setup &&
+ 	    !test_bit(NBD_RT_BOUND, &config->runtime_flags))
+ 		nbd->task_setup = current;
+@@ -1067,10 +1073,12 @@ static int nbd_add_socket(struct nbd_dev
+ 	nsock->cookie = 0;
+ 	socks[config->num_connections++] = nsock;
+ 	atomic_inc(&config->live_connections);
++	blk_mq_unfreeze_queue(nbd->disk->queue);
+ 
+ 	return 0;
+ 
+ put_socket:
++	blk_mq_unfreeze_queue(nbd->disk->queue);
+ 	sockfd_put(sock);
+ 	return err;
+ }
diff --git a/queue-5.10/tty-avoid-using-vfs_iocb_iter_write-for-redirected-console-writes.patch b/queue-5.10/tty-avoid-using-vfs_iocb_iter_write-for-redirected-console-writes.patch
new file mode 100644
index 00000000000..0e4cc6171ca
--- /dev/null
+++ b/queue-5.10/tty-avoid-using-vfs_iocb_iter_write-for-redirected-console-writes.patch
@@ -0,0 +1,97 @@
+From a9cbbb80e3e7dd38ceac166e0698f161862a18ae Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 29 Jan 2021 12:28:20 -0800
+Subject: tty: avoid using vfs_iocb_iter_write() for redirected console writes
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a9cbbb80e3e7dd38ceac166e0698f161862a18ae upstream.
+
+It turns out that the vfs_iocb_iter_{read,write}() functions are
+entirely broken, and don't actually use the passed-in file pointer for
+IO - only for the preparatory work (permission checking and for the
+write_iter function lookup).
+
+That worked fine for overlayfs, which always builds the new iocb with
+the same file pointer that it passes in, but in the general case it ends
+up doing nonsensical things (and could cause an iterator call that
+doesn't even match the passed-in file pointer).
+
+This subtly broke the tty conversion to write_iter in commit
+9bb48c82aced ("tty: implement write_iter"), because the console
+redirection didn't actually end up redirecting anything, since the
+passed-in file pointer was basically ignored, and the actual write was
+done with the original non-redirected console tty after all.
+
+The main visible effect of this is that the console messages were no
+longer logged to /var/log/boot.log during graphical boot.
+
+Fix the issue by simply not using the vfs write "helper" function at
+all, and just redirecting the write entirely internally to the tty
+layer.  Do the target writability permission checks when actually
+registering the target tty with TIOCCONS instead of at write time.
+
+Fixes: 9bb48c82aced ("tty: implement write_iter")
+Reported-and-tested-by: Hans de Goede <hdegoede@redhat.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_io.c |   20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1027,9 +1027,8 @@ void tty_write_message(struct tty_struct
+  *	write method will not be invoked in parallel for each device.
+  */
+ 
+-static ssize_t tty_write(struct kiocb *iocb, struct iov_iter *from)
++static ssize_t file_tty_write(struct file *file, struct kiocb *iocb, struct iov_iter *from)
+ {
+-	struct file *file = iocb->ki_filp;
+ 	struct tty_struct *tty = file_tty(file);
+  	struct tty_ldisc *ld;
+ 	ssize_t ret;
+@@ -1052,6 +1051,11 @@ static ssize_t tty_write(struct kiocb *i
+ 	return ret;
+ }
+ 
++static ssize_t tty_write(struct kiocb *iocb, struct iov_iter *from)
++{
++	return file_tty_write(iocb->ki_filp, iocb, from);
++}
++
+ ssize_t redirected_tty_write(struct kiocb *iocb, struct iov_iter *iter)
+ {
+ 	struct file *p = NULL;
+@@ -1061,9 +1065,13 @@ ssize_t redirected_tty_write(struct kioc
+ 		p = get_file(redirect);
+ 	spin_unlock(&redirect_lock);
+ 
++	/*
++	 * We know the redirected tty is just another tty, we can can
++	 * call file_tty_write() directly with that file pointer.
++	 */
+ 	if (p) {
+ 		ssize_t res;
+-		res = vfs_iocb_iter_write(p, iocb, iter);
++		res = file_tty_write(p, iocb, iter);
+ 		fput(p);
+ 		return res;
+ 	}
+@@ -2306,6 +2314,12 @@ static int tioccons(struct file *file)
+ 			fput(f);
+ 		return 0;
+ 	}
++	if (file->f_op->write_iter != tty_write)
++		return -ENOTTY;
++	if (!(file->f_mode & FMODE_WRITE))
++		return -EBADF;
++	if (!(file->f_mode & FMODE_CAN_WRITE))
++		return -EINVAL;
+ 	spin_lock(&redirect_lock);
+ 	if (redirect) {
+ 		spin_unlock(&redirect_lock);
-- 
2.47.3