From a8378a3d7d26ffb8afb6232d0c0a5c788a709c4f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 15 Jul 2021 13:58:00 +0200
Subject: [PATCH] 4.4-stable patches
added patches:
can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch
can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch
mac80211-fix-memory-corruption-in-eapol-handling.patch
powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch
---
...-struct-bcm_op-after-synchronize_rcu.patch | 65 +++++++++++++++++++
...rations-before-removing-gw-job-entry.patch | 51 +++++++++++++++
...-memory-corruption-in-eapol-handling.patch | 36 ++++++++++
...ollision-with-clang-s-__lwsync-macro.patch | 57 ++++++++++++++++
queue-4.4/series | 4 ++
5 files changed, 213 insertions(+)
create mode 100644 queue-4.4/can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch
create mode 100644 queue-4.4/can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch
create mode 100644 queue-4.4/mac80211-fix-memory-corruption-in-eapol-handling.patch
create mode 100644 queue-4.4/powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch
diff --git a/queue-4.4/can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch b/queue-4.4/can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch
new file mode 100644
index 00000000000..9bdd43887ac
--- /dev/null
+++ b/queue-4.4/can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch
@@ -0,0 +1,65 @@
+From d5f9023fa61ee8b94f37a93f08e94b136cf1e463 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Sat, 19 Jun 2021 13:18:13 -0300
+Subject: can: bcm: delay release of struct bcm_op after synchronize_rcu()
+
+From: Thadeu Lima de Souza Cascardo
+
+commit d5f9023fa61ee8b94f37a93f08e94b136cf1e463 upstream.
+
+can_rx_register() callbacks may be called concurrently to the call to
+can_rx_unregister(). The callbacks and callback data, though, are
+protected by RCU and the struct sock reference count.
+
+So the callback data is really attached to the life of sk, meaning
+that it should be released on sk_destruct. However, bcm_remove_op()
+calls tasklet_kill(), and RCU callbacks may be called under RCU
+softirq, so that cannot be used on kernels before the introduction of
+HRTIMER_MODE_SOFT.
+
+However, bcm_rx_handler() is called under RCU protection, so after
+calling can_rx_unregister(), we may call synchronize_rcu() in order to
+wait for any RCU read-side critical sections to finish. That is,
+bcm_rx_handler() won't be called anymore for those ops. So, we only
+free them, after we do that synchronize_rcu().
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com
+Cc: linux-stable
+Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com
+Reported-by: Norbert Slusarek
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/can/bcm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -813,6 +813,7 @@ static int bcm_delete_rx_op(struct list_
+ bcm_rx_handler, op);
+
+ list_del(&op->list);
++ synchronize_rcu();
+ bcm_remove_op(op);
+ return 1; /* done */
+ }
+@@ -1538,9 +1539,13 @@ static int bcm_release(struct socket *so
+ REGMASK(op->can_id),
+ bcm_rx_handler, op);
+
+- bcm_remove_op(op);
+ }
+
++ synchronize_rcu();
++
++ list_for_each_entry_safe(op, next, &bo->rx_ops, list)
++ bcm_remove_op(op);
++
+ /* remove procfs entry */
+ if (proc_dir && bo->bcm_proc_read)
+ remove_proc_entry(bo->procname, proc_dir);
diff --git a/queue-4.4/can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch b/queue-4.4/can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch
new file mode 100644
index 00000000000..000d90e2290
--- /dev/null
+++ b/queue-4.4/can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch
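Review bot: The two added `synchronize_rcu()` calls, in bcm_delete_rx_op() and in bcm_release(), carry no comment saying why the grace period has to sit between can_rx_unregister() and bcm_remove_op(); that ordering is the whole fix and is explained only in the commit message, so a later cleanup could move or drop the wait without noticing. I would put `/* bcm_rx_handler() may still be running under RCU; wait for it before freeing op */` above each call. In bcm_release() the wait is correctly hoisted out of the unregister loop and the ops are freed in a second list_for_each_entry_safe() pass, so a socket with many rx_ops pays for one grace period rather than one per op. Both enclosing functions begin outside the hunk.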
@@ -0,0 +1,51 @@
+From fb8696ab14adadb2e3f6c17c18ed26b3ecd96691 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Fri, 18 Jun 2021 19:36:45 +0200
+Subject: can: gw: synchronize rcu operations before removing gw job entry
+
+From: Oliver Hartkopp
+
+commit fb8696ab14adadb2e3f6c17c18ed26b3ecd96691 upstream.
+
+can_can_gw_rcv() is called under RCU protection, so after calling
+can_rx_unregister(), we have to call synchronize_rcu in order to wait
+for any RCU read-side critical sections to finish before removing the
+kmem_cache entry with the referenced gw job entry.
+
+Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net
+Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing")
+Cc: linux-stable
+Signed-off-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/can/gw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -497,6 +497,7 @@ static int cgw_notifier(struct notifier_
+ if (gwj->src.dev == dev || gwj->dst.dev == dev) {
+ hlist_del(&gwj->list);
+ cgw_unregister_filter(gwj);
++ synchronize_rcu();
+ kmem_cache_free(cgw_cache, gwj);
+ }
+ }
+@@ -941,6 +942,7 @@ static void cgw_remove_all_jobs(void)
+ hlist_for_each_entry_safe(gwj, nx, &cgw_list, list) {
+ hlist_del(&gwj->list);
+ cgw_unregister_filter(gwj);
++ synchronize_rcu();
+ kmem_cache_free(cgw_cache, gwj);
+ }
+ }
+@@ -1008,6 +1010,7 @@ static int cgw_remove_job(struct sk_buff
+
+ hlist_del(&gwj->list);
+ cgw_unregister_filter(gwj);
++ synchronize_rcu();
+ kmem_cache_free(cgw_cache, gwj);
+ err = 0;
+ break;
diff --git a/queue-4.4/mac80211-fix-memory-corruption-in-eapol-handling.patch b/queue-4.4/mac80211-fix-memory-corruption-in-eapol-handling.patch
new file mode 100644
index 00000000000..f947c18f9a9
--- /dev/null
+++ b/queue-4.4/mac80211-fix-memory-corruption-in-eapol-handling.patch
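Review bot: In cgw_notifier() and cgw_remove_all_jobs() the added `synchronize_rcu()` sits inside the hlist_for_each_entry_safe() loop, so removing N jobs waits N full grace periods instead of one; the bcm patch queued alongside this one takes the other shape, unregistering every filter first, waiting once, and freeing in a second pass. If cgw_list is only ever modified under the lock these two callers already hold, that two-pass shape would fit here as well, though changing it is an upstream matter rather than something the 4.4 backport should diverge on. The third hunk, cgw_remove_job(), handles a single job and is not affected. What I would add in the backport is a comment above each call, `/* can_can_gw_rcv() may still be running under RCU; wait before freeing gwj */`, since nothing at the call sites records why the wait must precede kmem_cache_free(). All three enclosing functions begin outside their hunks.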
@@ -0,0 +1,36 @@
+From davis@mosenkovs.lv Thu Jul 15 13:54:04 2021
+From: Davis Mosenkovs
+Date: Sat, 10 Jul 2021 21:37:10 +0300
+Subject: mac80211: fix memory corruption in EAPOL handling
+To: johannes@sipsolutions.net
+Cc: linux-wireless@vger.kernel.org, stable@vger.kernel.org, Davis Mosenkovs
+Message-ID: <20210710183710.5687-1-davis@mosenkovs.lv>
+
+From: Davis Mosenkovs
+
+Commit e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL
+frames") uses skb_mac_header() before eth_type_trans() is called
+leading to incorrect pointer, the pointer gets written to. This issue
+has appeared during backporting to 4.4, 4.9 and 4.14.
+
+Fixes: e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL frames")
+Link: https://lore.kernel.org/r/CAHQn7pKcyC_jYmGyTcPCdk9xxATwW5QPNph=bsZV8d-HPwNsyA@mail.gmail.com
+Cc: # 4.4.x
+Signed-off-by: Davis Mosenkovs
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2234,7 +2234,7 @@ ieee80211_deliver_skb(struct ieee80211_r
+ #endif
+
+ if (skb) {
+- struct ethhdr *ehdr = (void *)skb_mac_header(skb);
++ struct ethhdr *ehdr = (struct ethhdr *)skb->data;
+
+ /* deliver to local stack */
+ skb->protocol = eth_type_trans(skb, dev);
diff --git a/queue-4.4/powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch b/queue-4.4/powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch
new file mode 100644
index 00000000000..a9b88e10b7a
--- /dev/null
+++ b/queue-4.4/powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch
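Review bot: The new `struct ethhdr *ehdr = (struct ethhdr *)skb->data;` is only right because skb->data has not yet been advanced past the Ethernet header at that point; the `eth_type_trans(skb, dev)` call two lines below is what pulls that header and sets the mac-header offset, which per the description is why `skb_mac_header()` returned a wrong pointer on 4.4 and the later write through ehdr corrupted memory. Nothing at the assignment records that ordering, so a future reshuffle that moves the assignment below eth_type_trans() would silently bring the corruption back. I would add `/* skb->data still points at the Ethernet header here; eth_type_trans() below pulls it */` above the assignment. The writes through ehdr, and the rest of ieee80211_deliver_skb(), are outside the hunk.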
@@ -0,0 +1,57 @@
+From 015d98149b326e0f1f02e44413112ca8b4330543 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Fri, 28 May 2021 11:27:52 -0700
+Subject: powerpc/barrier: Avoid collision with clang's __lwsync macro
+
+From: Nathan Chancellor
+
+commit 015d98149b326e0f1f02e44413112ca8b4330543 upstream.
+
+A change in clang 13 results in the __lwsync macro being defined as
+__builtin_ppc_lwsync, which emits 'lwsync' or 'msync' depending on what
+the target supports. This breaks the build because of -Werror in
+arch/powerpc, along with thousands of warnings:
+
+ In file included from arch/powerpc/kernel/pmc.c:12:
+ In file included from include/linux/bug.h:5:
+ In file included from arch/powerpc/include/asm/bug.h:109:
+ In file included from include/asm-generic/bug.h:20:
+ In file included from include/linux/kernel.h:12:
+ In file included from include/linux/bitops.h:32:
+ In file included from arch/powerpc/include/asm/bitops.h:62:
+ arch/powerpc/include/asm/barrier.h:49:9: error: '__lwsync' macro redefined [-Werror,-Wmacro-redefined]
+ #define __lwsync() __asm__ __volatile__ (stringify_in_c(LWSYNC) : : :"memory")
+ ^
+ :308:9: note: previous definition is here
+ #define __lwsync __builtin_ppc_lwsync
+ ^
+ 1 error generated.
+
+Undefine this macro so that the runtime patching introduced by
+commit 2d1b2027626d ("powerpc: Fixup lwsync at runtime") continues to
+work properly with clang and the build no longer breaks.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nathan Chancellor
+Reviewed-by: Nick Desaulniers
+Signed-off-by: Michael Ellerman
+Link: https://github.com/ClangBuiltLinux/linux/issues/1386
+Link: https://github.com/llvm/llvm-project/commit/62b5df7fe2b3fda1772befeda15598fbef96a614
+Link: https://lore.kernel.org/r/20210528182752.1852002-1-nathan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/barrier.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/include/asm/barrier.h
++++ b/arch/powerpc/include/asm/barrier.h
+@@ -43,6 +43,8 @@
+ # define SMPWMB eieio
+ #endif
+
++/* clang defines this macro for a builtin, which will not work with runtime patching */
++#undef __lwsync
+ #define __lwsync() __asm__ __volatile__ (stringify_in_c(LWSYNC) : : :"memory")
+ #define dma_rmb() __lwsync()
+ #define dma_wmb() __asm__ __volatile__ (stringify_in_c(SMPWMB) : : :"memory")
diff --git a/queue-4.4/series b/queue-4.4/series
index 8903dea0930..29c55a2bba8 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -122,3 +122,7 @@ bluetooth-shutdown-controller-after-workqueues-are-f.patch
 bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch
 sctp-add-size-validation-when-walking-chunks.patch
 fuse-reject-internal-errno.patch
+can-gw-synchronize-rcu-operations-before-removing-gw-job-entry.patch
+can-bcm-delay-release-of-struct-bcm_op-after-synchronize_rcu.patch
+mac80211-fix-memory-corruption-in-eapol-handling.patch
+powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch
--
2.47.3
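Review bot: The added `#undef __lwsync` comment explains that clang predefines the name, but not the underlying reason the collision is legitimate: `__lwsync` has two leading underscores and so lives in the namespace C reserves for the implementation, which is why a compiler may claim it and why the same clash can recur under another compiler or a later version. Renaming the kernel's macro would remove the hazard for good, but that is an upstream-wide change and out of scope for a stable backport, so the `#undef` is the right call here. I would widen the comment to `/* __lwsync is in the implementation-reserved namespace: clang defines it as a builtin, which will not work with runtime patching, so drop that definition before ours */`. The hunk covers the whole change; the surrounding barrier.h is outside it.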