From 9155648ea738b180e4e30a713484567d579e6d8b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 27 Sep 2024 10:01:53 +0200 Subject: [PATCH] 5.15-stable patches added patches: gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch revert-wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mutex.patch --- ...lation-leaks-in-gpio_device_get_desc.patch | 50 ++++++++ ...missing-iterator-type-in-lookup-walk.patch | 45 +++++++ ...lk-over-current-view-on-netlink-dump.patch | 114 ++++++++++++++++++ ...k-wiphy-mutex-is-held-for-wdev-mutex.patch | 67 ++++++++++ queue-5.15/series | 4 + 5 files changed, 280 insertions(+) create mode 100644 queue-5.15/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch create mode 100644 queue-5.15/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch create mode 100644 queue-5.15/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch create mode 100644 queue-5.15/revert-wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mutex.patch diff --git a/queue-5.15/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch b/queue-5.15/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch new file mode 100644 index 00000000000..0621edebb5b --- /dev/null +++ b/queue-5.15/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch 
@@ -0,0 +1,50 @@
+From d795848ecce24a75dfd46481aee066ae6fe39775 Mon Sep 17 00:00:00 2001
+From: Hagar Hemdan
+Date: Thu, 23 May 2024 08:53:32 +0000
+Subject: gpio: prevent potential speculation leaks in gpio_device_get_desc()
+
+From: Hagar Hemdan
+
+commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream.
+
+Userspace may trigger a speculative read of an address outside the gpio
+descriptor array.
+Users can do that by calling gpio_ioctl() with an offset out of range.
+Offset is copied from user and then used as an array index to get
+the gpio descriptor without sanitization in gpio_device_get_desc().
+
+This change ensures that the offset is sanitized by using
+array_index_nospec() to mitigate any possibility of speculative
+information leaks.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Signed-off-by: Hagar Hemdan
+Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Hugo SIMELIERE
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpiolib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -5,6 +5,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -146,7 +147,7 @@ struct gpio_desc *gpiochip_get_desc(stru
+ if (hwnum >= gdev->ngpio)
+ return ERR_PTR(-EINVAL);
+
+- return &gdev->descs[hwnum];
++ return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)];
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_get_desc);
+
diff --git a/queue-5.15/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch b/queue-5.15/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
new file mode 100644
index 00000000000..134c80b388f
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
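Review bot: The subject and description talk about gpio_device_get_desc(), but the only code hunk, `@@ -146,7 +147,7 @@`, patches gpiochip_get_desc(), which is where 5.15 indexes `gdev->descs[]`; a one-line backport note above the stable Signed-off-by, such as `[ 5.15 has no gpio_device_get_desc(); the same descs[] lookup lives in gpiochip_get_desc() ]`, would spare the next reader the grep. The fix itself is placed correctly: array_index_nospec() is applied after the `hwnum >= gdev->ngpio` early return, which is the ordering it needs to clamp the speculatively used index. The rendering has dropped the header name on the added `#include` line; presumably it is the header that declares array_index_nospec(), and the patch file should be checked to confirm the line survived intact. Any other path in this tree that reaches `gdev->descs[offset]` with a user-supplied offset without going through gpiochip_get_desc() would remain unmitigated, which is worth confirming rather than assuming; the enclosing function starts outside the hunk.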
@@ -0,0 +1,45 @@
+From stable+bounces-76614-greg=kroah.com@vger.kernel.org Tue Sep 17 22:25:39 2024
+From: Pablo Neira Ayuso
+Date: Tue, 17 Sep 2024 22:25:15 +0200
+Subject: netfilter: nf_tables: missing iterator type in lookup walk
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Message-ID: <20240917202515.179699-3-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+commit efefd4f00c967d00ad7abe092554ffbb70c1a793 upstream.
+
+Add missing decorator type to lookup expression and tighten WARN_ON_ONCE
+check in pipapo to spot earlier that this is unset.
+
+Fixes: 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_lookup.c | 1 +
+ net/netfilter/nft_set_pipapo.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -211,6 +211,7 @@ static int nft_lookup_validate(const str
+ return 0;
+
+ iter.genmask = nft_genmask_next(ctx->net);
++ iter.type = NFT_ITER_UPDATE;
+ iter.skip = 0;
+ iter.count = 0;
+ iter.err = 0;
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2046,7 +2046,8 @@ static void nft_pipapo_walk(const struct
+ const struct nft_pipapo_field *f;
+ int i, r;
+
+- WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
++ WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
++ iter->type != NFT_ITER_UPDATE);
+
+ rcu_read_lock();
+ if (iter->type == NFT_ITER_READ)
diff --git a/queue-5.15/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch b/queue-5.15/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
new file mode 100644
index 00000000000..eff3062893e
--- /dev/null
+++ b/queue-5.15/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
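Review bot: The tightened WARN_ON_ONCE in nft_pipapo_walk still only reports; an iterator with an unexpected `type` proceeds past it and, on the line after `if (iter->type == NFT_ITER_READ)` (outside this hunk), takes the `else` branch onto the transaction clone under nothing but rcu_read_lock(). In nft_lookup_validate the iterator is filled in field by field (`iter.genmask`, `iter.skip`, `iter.count`, `iter.err`), which suggests `iter` is a plain stack variable rather than a designated initializer; if so, `type` was previously indeterminate rather than NFT_ITER_UNSPEC, and the old single-value check could not have caught it, which is exactly why the two-value check is the right shape. A comment above the WARN would make the contract explicit for the next backport: `/* Callers must tag the walk READ (committed view, RCU) or UPDATE (transaction clone, caller serialised); anything else is a caller bug. */`. It is also worth grepping this tree for any remaining set `.walk` caller that still leaves `iter.type` unset, since the warning fires only once. Both enclosing functions start and end outside the hunks.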
@@ -0,0 +1,114 @@
+From stable+bounces-76613-greg=kroah.com@vger.kernel.org Tue Sep 17 22:25:35 2024
+From: Pablo Neira Ayuso
+Date: Tue, 17 Sep 2024 22:25:14 +0200
+Subject: netfilter: nft_set_pipapo: walk over current view on netlink dump
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Message-ID: <20240917202515.179699-2-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+commit 29b359cf6d95fd60730533f7f10464e95bd17c73 upstream.
+
+The generation mask can be updated while netlink dump is in progress.
+The pipapo set backend walk iterator cannot rely on it to infer what
+view of the datastructure is to be used. Add notation to specify if user
+wants to read/update the set.
+
+Based on patch from Florian Westphal.
+
+Fixes: 2b84e215f874 ("netfilter: nft_set_pipapo: .walk does not deal with generations")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netfilter/nf_tables.h | 13 +++++++++++++
+ net/netfilter/nf_tables_api.c | 5 +++++
+ net/netfilter/nft_set_pipapo.c | 5 +++--
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -283,9 +283,22 @@ struct nft_set_elem {
+ void *priv;
+ };
+
++/**
++ * enum nft_iter_type - nftables set iterator type
++ *
++ * @NFT_ITER_READ: read-only iteration over set elements
++ * @NFT_ITER_UPDATE: iteration under mutex to update set element state
++ */
++enum nft_iter_type {
++ NFT_ITER_UNSPEC,
++ NFT_ITER_READ,
++ NFT_ITER_UPDATE,
++};
++
+ struct nft_set;
+ struct nft_set_iter {
+ u8 genmask;
++ enum nft_iter_type type:8;
+ unsigned int count;
+ unsigned int skip;
+ int err;
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -628,6 +628,7 @@ static void nft_map_deactivate(const str
+ {
+ struct nft_set_iter iter = {
+ .genmask = nft_genmask_next(ctx->net),
++ .type = NFT_ITER_UPDATE,
+ .fn = nft_mapelem_deactivate,
+ };
+
+@@ -5073,6 +5074,7 @@ int nf_tables_bind_set(const struct nft_
+ }
+
+ iter.genmask = nft_genmask_next(ctx->net);
++ iter.type = NFT_ITER_UPDATE;
+ iter.skip = 0;
+ iter.count = 0;
+ iter.err = 0;
+@@ -5148,6 +5150,7 @@ static void nft_map_activate(const struc
+ {
+ struct nft_set_iter iter = {
+ .genmask = nft_genmask_next(ctx->net),
++ .type = NFT_ITER_UPDATE,
+ .fn = nft_mapelem_activate,
+ };
+
+@@ -5504,6 +5507,7 @@ static int nf_tables_dump_set(struct sk_
+ args.cb = cb;
+ args.skb = skb;
+ args.iter.genmask = nft_genmask_cur(net);
++ args.iter.type = NFT_ITER_READ;
+ args.iter.skip = cb->args[0];
+ args.iter.count = 0;
+ args.iter.err = 0;
+@@ -6833,6 +6837,7 @@ static int nft_set_flush(struct nft_ctx
+ {
+ struct nft_set_iter iter = {
+ .genmask = genmask,
++ .type = NFT_ITER_UPDATE,
+ .fn = nft_setelem_flush,
+ };
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2042,13 +2042,14 @@ static void nft_pipapo_walk(const struct
+ struct nft_set_iter *iter)
+ {
+ struct nft_pipapo *priv = nft_set_priv(set);
+- struct net *net = read_pnet(&set->net);
+ const struct nft_pipapo_match *m;
+ const struct nft_pipapo_field *f;
+ int i, r;
+
++ WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
++
+ rcu_read_lock();
+- if (iter->genmask == nft_genmask_cur(net))
++ if (iter->type == NFT_ITER_READ)
+ m = rcu_dereference(priv->match);
+ else
+ m = priv->clone;
diff --git a/queue-5.15/revert-wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mutex.patch b/queue-5.15/revert-wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mutex.patch
new file mode 100644
index 00000000000..cbd8e6f50cb
--- /dev/null
+++ b/queue-5.15/revert-wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mutex.patch
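Review bot: The view selection in nft_pipapo_walk is only as safe as the caller's tag: `NFT_ITER_READ` goes through `rcu_dereference(priv->match)`, but the `else` branch hands back `priv->clone`, which the surrounding rcu_read_lock() does nothing to protect and which therefore relies on the caller serialising against the nf_tables transaction, as the enum comment ("iteration under mutex") implies but the code does not check or state. Adding `/* UPDATE: transaction clone, caller must hold the nf_tables transaction mutex */` at the `else` would make that dependency visible where it matters; a lockdep assertion may be possible if this tree exposes the mutex, which is not visible from the hunk. The kernel-doc block for `enum nft_iter_type` omits `@NFT_ITER_UNSPEC`, which kernel-doc will flag; add `@NFT_ITER_UNSPEC: not set, treated as a caller bug by the set backends`. Note also that a stack-allocated `struct nft_set_iter` whose `type` is never written (nf_tables_bind_set assigns it field by field) holds an indeterminate value rather than NFT_ITER_UNSPEC, so the `== NFT_ITER_UNSPEC` warning added here is not a reliable guard on its own; the companion patch in this queue tightens it. nft_pipapo_walk continues beyond the hunk.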
@@ -0,0 +1,67 @@
+From pkshih@realtek.com Fri Sep 27 09:45:55 2024
+From: Ping-Ke Shih
+Date: Thu, 26 Sep 2024 08:30:17 +0800
+Subject: Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex"
+To:
+Cc: ,
+Message-ID: <20240926003017.5427-1-pkshih@realtek.com>
+
+From: Ping-Ke Shih
+
+This reverts commit 89795eeba6d13b5ba432425dd43c34c66f2cebde which is
+commmit 1474bc87fe57deac726cc10203f73daa6c3212f7 upstream.
+
+The reverted commit is based on implementation of wiphy locking that isn't
+planned to redo on a stable kernel, so revert it to avoid warning:
+
+ WARNING: CPU: 0 PID: 9 at net/wireless/core.h:231 disconnect_work+0xb8/0x144 [cfg80211]
+ CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.51-00141-ga1649b6f8ed6 #7
+ Hardware name: Freescale i.MX6 SoloX (Device Tree)
+ Workqueue: events disconnect_work [cfg80211]
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x58/0x70
+ dump_stack_lvl from __warn+0x70/0x1c0
+ __warn from warn_slowpath_fmt+0x16c/0x294
+ warn_slowpath_fmt from disconnect_work+0xb8/0x144 [cfg80211]
+ disconnect_work [cfg80211] from process_one_work+0x204/0x620
+ process_one_work from worker_thread+0x1b0/0x474
+ worker_thread from kthread+0x10c/0x12c
+ kthread from ret_from_fork+0x14/0x24
+
+Reported-by: petter@technux.se
+Closes: https://lore.kernel.org/linux-wireless/9e98937d781c990615ef27ee0c858ff9@technux.se/T/#t
+Cc: Johannes Berg
+Signed-off-by: Ping-Ke Shih
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/core.h | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -217,7 +217,6 @@ void cfg80211_register_wdev(struct cfg80
+ static inline void wdev_lock(struct wireless_dev *wdev)
+ __acquires(wdev)
+ {
+- lockdep_assert_held(&wdev->wiphy->mtx);
+ mutex_lock(&wdev->mtx);
+ __acquire(wdev->mtx);
+ }
+@@ -225,16 +224,11 @@ static inline void wdev_unlock(struct wire
+ static inline void wdev_unlock(struct wireless_dev *wdev)
+ __releases(wdev)
+ {
+- lockdep_assert_held(&wdev->wiphy->mtx);
+ __release(wdev->mtx);
+ mutex_unlock(&wdev->mtx);
+ }
+
+-static inline void ASSERT_WDEV_LOCK(struct wireless_dev *wdev)
+-{
+- lockdep_assert_held(&wdev->wiphy->mtx);
+- lockdep_assert_held(&wdev->mtx);
+-}
++#define ASSERT_WDEV_LOCK(wdev) lockdep_assert_held(&(wdev)->mtx)
+
+ static inline bool cfg80211_has_monitors_only(struct cfg80211_registered_device *rdev)
+ {
diff --git a/queue-5.15/series b/queue-5.15/series
index e1268a8f492..17a4e654933 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -64,3 +64,7 @@ spi-spidev-add-missing-spi_device_id-for-jg10309-01.patch
 ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
 ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xatt.patch
 cgroup-make-operations-on-the-cgroup-root_list-rcu-s.patch
+netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
+netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
+revert-wifi-cfg80211-check-wiphy-mutex-is-held-for-wdev-mutex.patch
+gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch
-- 
2.47.3
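Review bot: The justification quotes a backtrace from a 6.6.51 kernel while this revert is queued for 5.15; the message should state explicitly that 5.15's cfg80211 also predates the wiphy-locking rework the asserted invariant depends on (the 5.15 commit id being reverted is named, so presumably the same WARN reproduces there), otherwise a reader cannot tell whether this is a confirmed fix or applied by analogy. After the revert `wdev_lock()`, `wdev_unlock()` and `ASSERT_WDEV_LOCK()` check only `wdev->mtx`, so the wiphy->mtx nesting rule is no longer enforced by lockdep on this tree; that is the intended trade-off, but one sentence such as `This drops the wiphy->mtx nesting assertion on 5.15, where that nesting is not an invariant of the locking scheme` would record it, hedged as appropriate if the locking scheme has not been re-audited. The restored `#define ASSERT_WDEV_LOCK(wdev)` evaluates its argument once, so going back from a static inline to a macro is behaviourally harmless. `commmit` in the message is a typo for `commit`.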