From c3e996ded5828c5d0c9dbb7d332da0d01b748519 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 9 Jan 2022 19:37:26 -0500
Subject: [PATCH] Fixes for 4.14
Signed-off-by: Sasha Levin
---
 ...ze-__ip6_tnl_parm-struct-in-vti6_sio.patch | 110 ++++++++++++++++++
 ...ocessing-multipath-route-even-if-gat.patch | 52 +++++++++
 ...if-attribute-validation-fails-in-mul.patch | 46 ++++++++
 ...ge-function-names-to-avoid-conflicts.patch | 100 ++++++++++++++++
 ...x-alignment-problem-in-udp4_seq_show.patch | 48 ++++++++
 ...x-uaf-in-iscsi_conn_get_param-iscsi_.patch | 69 +++++++++++
 queue-4.14/series | 6 +
 7 files changed, 431 insertions(+)
 create mode 100644 queue-4.14/ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch
 create mode 100644 queue-4.14/ipv6-continue-processing-multipath-route-even-if-gat.patch
 create mode 100644 queue-4.14/ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch
 create mode 100644 queue-4.14/misdn-change-function-names-to-avoid-conflicts.patch
 create mode 100644 queue-4.14/net-udp-fix-alignment-problem-in-udp4_seq_show.patch
 create mode 100644 queue-4.14/scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch
diff --git a/queue-4.14/ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch b/queue-4.14/ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch
new file mode 100644
index 00000000000..48f9fbe4736
--- /dev/null
+++ b/queue-4.14/ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch
@@ -0,0 +1,110 @@ +From 3bda8138391fc959ff10e554a8d962aa56e39dd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Dec 2021 12:33:16 -0500 +Subject: ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate + +From: William Zhao + +[ Upstream commit c1833c3964d5bd8c163bd4e01736a38bc473cb8a ] + +The "__ip6_tnl_parm" struct was left uninitialized causing an invalid +load of random data when the "__ip6_tnl_parm" struct was used elsewhere. +As an example, in the function "ip6_tnl_xmit_ctl()", it tries to access +the "collect_md" member. With "__ip6_tnl_parm" being uninitialized and +containing random data, the UBSAN detected that "collect_md" held a +non-boolean value. + +The UBSAN issue is as follows: +=============================================================== +UBSAN: invalid-load in net/ipv6/ip6_tunnel.c:1025:14 +load of value 30 is not a valid value for type '_Bool' +CPU: 1 PID: 228 Comm: kworker/1:3 Not tainted 5.16.0-rc4+ #8 +Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +Workqueue: ipv6_addrconf addrconf_dad_work +Call Trace: + +dump_stack_lvl+0x44/0x57 +ubsan_epilogue+0x5/0x40 +__ubsan_handle_load_invalid_value+0x66/0x70 +? __cpuhp_setup_state+0x1d3/0x210 +ip6_tnl_xmit_ctl.cold.52+0x2c/0x6f [ip6_tunnel] +vti6_tnl_xmit+0x79c/0x1e96 [ip6_vti] +? lock_is_held_type+0xd9/0x130 +? vti6_rcv+0x100/0x100 [ip6_vti] +? lock_is_held_type+0xd9/0x130 +? rcu_read_lock_bh_held+0xc0/0xc0 +? lock_acquired+0x262/0xb10 +dev_hard_start_xmit+0x1e6/0x820 +__dev_queue_xmit+0x2079/0x3340 +? mark_lock.part.52+0xf7/0x1050 +? netdev_core_pick_tx+0x290/0x290 +? kvm_clock_read+0x14/0x30 +? kvm_sched_clock_read+0x5/0x10 +? sched_clock_cpu+0x15/0x200 +? find_held_lock+0x3a/0x1c0 +? lock_release+0x42f/0xc90 +? lock_downgrade+0x6b0/0x6b0 +? mark_held_locks+0xb7/0x120 +? neigh_connected_output+0x31f/0x470 +? lockdep_hardirqs_on+0x79/0x100 +? neigh_connected_output+0x31f/0x470 +? ip6_finish_output2+0x9b0/0x1d90 +? rcu_read_lock_bh_held+0x62/0xc0 +? 
ip6_finish_output2+0x9b0/0x1d90 +ip6_finish_output2+0x9b0/0x1d90 +? ip6_append_data+0x330/0x330 +? ip6_mtu+0x166/0x370 +? __ip6_finish_output+0x1ad/0xfb0 +? nf_hook_slow+0xa6/0x170 +ip6_output+0x1fb/0x710 +? nf_hook.constprop.32+0x317/0x430 +? ip6_finish_output+0x180/0x180 +? __ip6_finish_output+0xfb0/0xfb0 +? lock_is_held_type+0xd9/0x130 +ndisc_send_skb+0xb33/0x1590 +? __sk_mem_raise_allocated+0x11cf/0x1560 +? dst_output+0x4a0/0x4a0 +? ndisc_send_rs+0x432/0x610 +addrconf_dad_completed+0x30c/0xbb0 +? addrconf_rs_timer+0x650/0x650 +? addrconf_dad_work+0x73c/0x10e0 +addrconf_dad_work+0x73c/0x10e0 +? addrconf_dad_completed+0xbb0/0xbb0 +? rcu_read_lock_sched_held+0xaf/0xe0 +? rcu_read_lock_bh_held+0xc0/0xc0 +process_one_work+0x97b/0x1740 +? pwq_dec_nr_in_flight+0x270/0x270 +worker_thread+0x87/0xbf0 +? process_one_work+0x1740/0x1740 +kthread+0x3ac/0x490 +? set_kthread_struct+0x100/0x100 +ret_from_fork+0x22/0x30 + +=============================================================== + +The solution is to initialize "__ip6_tnl_parm" struct to zeros in the +"vti6_siocdevprivate()" function. + +Signed-off-by: William Zhao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_vti.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index 299226b57ba50..a4ba470186482 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -775,6 +775,8 @@ vti6_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + struct net *net = dev_net(dev); + struct vti6_net *ip6n = net_generic(net, vti6_net_id); + ++ memset(&p1, 0, sizeof(p1)); ++ + switch (cmd) { + case SIOCGETTUNNEL: + if (dev == ip6n->fb_tnl_dev) { +-- +2.34.1 + diff --git a/queue-4.14/ipv6-continue-processing-multipath-route-even-if-gat.patch b/queue-4.14/ipv6-continue-processing-multipath-route-even-if-gat.patch new file mode 100644 index 00000000000..3ba604d8e53 --- /dev/null +++ b/queue-4.14/ipv6-continue-processing-multipath-route-even-if-gat.patch 
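Review bot: The backport's subject and closing paragraph name `vti6_siocdevprivate()`, but the 4.14 hunk header shows the added `memset(&p1, 0, sizeof(p1));` landing in `vti6_ioctl()`, so the description does not match the function it patches in this tree. A one-line stable annotation under the upstream-commit tag, e.g. `[ 4.14: the function is still named vti6_ioctl() here ]`, would spare the next reader a search. The zeroing sits before `switch (cmd)`, so every ioctl path sees an initialised struct, which is what the fix needs; the declaration of `p1` and the rest of vti6_ioctl's body lie outside the hunk.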
@@ -0,0 +1,52 @@
+From e97cd8382d5aaf3bf2486e1f94bdc11d9143e3a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jan 2022 10:19:11 -0700
+Subject: ipv6: Continue processing multipath route even if gateway attribute
+ is invalid
+
+From: David Ahern
+
+[ Upstream commit e30a845b0376eb51c9c94f56bbd53b2e08ba822f ]
+
+ip6_route_multipath_del loop continues processing the multipath
+attribute even if delete of a nexthop path fails. For consistency,
+do the same if the gateway attribute is invalid.
+
+Fixes: 1ff15a710a86 ("ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route")
+Signed-off-by: David Ahern
+Acked-by: Nicolas Dichtel
+Link: https://lore.kernel.org/r/20220103171911.94739-1-dsahern@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/route.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 9ae48a20c3207..008ebda35ed22 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3367,8 +3367,10 @@ static int ip6_route_multipath_del(struct fib6_config *cfg,
+ if (nla) {
+ err = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
+ extack);
+- if (err)
+- return err;
++ if (err) {
++ last_err = err;
++ goto next_rtnh;
++ }
+
+ r_cfg.fc_flags |= RTF_GATEWAY;
+ }
+@@ -3377,6 +3379,7 @@ static int ip6_route_multipath_del(struct fib6_config *cfg,
+ if (err)
+ last_err = err;
+
++next_rtnh:
+ rtnh = rtnh_next(rtnh, &remaining);
+ }
+
+--
+2.34.1
+
diff --git a/queue-4.14/ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch b/queue-4.14/ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch
new file mode 100644
index 00000000000..3ba604d8e53
--- /dev/null
+++ b/queue-4.14/ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch
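Review bot: The new `goto next_rtnh` branch carries no explanation of why an invalid gateway is non-fatal on the delete path, even though the same condition aborts the add path in the sibling patch; a comment at the new block, `/* bad gateway: skip this nexthop but keep deleting the rest; report it via last_err */`, would keep the commit-message rationale next to the code. Placing `next_rtnh:` directly before `rtnh = rtnh_next(rtnh, &remaining);` is the right spot, since `remaining` must still advance for the loop to terminate. Note that `last_err` is overwritten by any later failing nexthop, so the caller sees the last error, not the first; that matches the existing `last_err = err` path and is presumably intended. ip6_route_multipath_del's body starts and ends outside these hunks.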
@@ -0,0 +1,46 @@
+From 5b43844d22345539e33564ecfd226fc2c803f619 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jan 2022 10:05:55 -0700
+Subject: ipv6: Do cleanup if attribute validation fails in multipath route
+
+From: David Ahern
+
+[ Upstream commit 95bdba23b5b4aa75fe3e6c84335e638641c707bb ]
+
+As Nicolas noted, if gateway validation fails walking the multipath
+attribute the code should jump to the cleanup to free previously
+allocated memory.
+
+Fixes: 1ff15a710a86 ("ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route")
+Signed-off-by: David Ahern
+Acked-by: Nicolas Dichtel
+Link: https://lore.kernel.org/r/20220103170555.94638-1-dsahern@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/route.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 008ebda35ed22..79b67f8048b5b 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3236,12 +3236,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
+
+ nla = nla_find(attrs, attrlen, RTA_GATEWAY);
+ if (nla) {
+- int ret;
+-
+- ret = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
++ err = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
+ extack);
+- if (ret)
+- return ret;
++ if (err)
++ goto cleanup;
+
+ r_cfg.fc_flags |= RTF_GATEWAY;
+ }
+--
+2.34.1
+
diff --git a/queue-4.14/misdn-change-function-names-to-avoid-conflicts.patch b/queue-4.14/misdn-change-function-names-to-avoid-conflicts.patch
new file mode 100644
index 00000000000..879a4a57b5c
--- /dev/null
+++ b/queue-4.14/misdn-change-function-names-to-avoid-conflicts.patch
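Review bot: This patch's `index 008ebda35ed22..79b67f8048b5b` line takes as its pre-image exactly the post-image of the preceding `ipv6-continue-processing-multipath-route-even-if-gat.patch` (`9ae48a20c3207..008ebda35ed22`), so the two are order-dependent and must stay in that sequence in `queue-4.14/series`; the series hunk on this commit lists them in the right order, but a short remark in the stable description would make the coupling explicit for anyone reordering the queue later. The `goto cleanup` now relies on the function-scope `err` that the removed local `int ret` used to shadow, and on the `cleanup:` label, both of which are outside the hunk; from here I cannot confirm that `cleanup` returns `err` rather than a fixed value, which is worth a glance when applying to 4.14. ip6_route_multipath_add's body starts and ends outside the hunk.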
@@ -0,0 +1,100 @@
+From 6fe885f9158acf9bfb9e725d66b08706428f705a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Dec 2021 16:01:20 +0800
+Subject: mISDN: change function names to avoid conflicts
+
+From: wolfgang huang
+
+[ Upstream commit 8b5fdfc57cc2471179d1c51081424ded833c16c8 ]
+
+As we build for mips, we meet following error. l1_init error with
+multiple definition. Some architecture devices usually marked with
+l1, l2, lxx as the start-up phase. so we change the mISDN function
+names, align with Isdnl2_xxx.
+
+mips-linux-gnu-ld: drivers/isdn/mISDN/layer1.o: in function `l1_init':
+(.text+0x890): multiple definition of `l1_init'; \
+arch/mips/kernel/bmips_5xxx_init.o:(.text+0xf0): first defined here
+make[1]: *** [home/mips/kernel-build/linux/Makefile:1161: vmlinux] Error 1
+
+Signed-off-by: wolfgang huang
+Reported-by: k2ci
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/isdn/mISDN/core.c | 6 +++---
+ drivers/isdn/mISDN/core.h | 4 ++--
+ drivers/isdn/mISDN/layer1.c | 4 ++--
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c
+index faf505462a4f5..f5a06a6fb297f 100644
+--- a/drivers/isdn/mISDN/core.c
++++ b/drivers/isdn/mISDN/core.c
+@@ -390,7 +390,7 @@ mISDNInit(void)
+ err = mISDN_inittimer(&debug);
+ if (err)
+ goto error2;
+- err = l1_init(&debug);
++ err = Isdnl1_Init(&debug);
+ if (err)
+ goto error3;
+ err = Isdnl2_Init(&debug);
+@@ -404,7 +404,7 @@ mISDNInit(void)
+ error5:
+ Isdnl2_cleanup();
+ error4:
+- l1_cleanup();
++ Isdnl1_cleanup();
+ error3:
+ mISDN_timer_cleanup();
+ error2:
+@@ -417,7 +417,7 @@ static void mISDN_cleanup(void)
+ {
+ misdn_sock_cleanup();
+ Isdnl2_cleanup();
+- l1_cleanup();
++ Isdnl1_cleanup();
+ mISDN_timer_cleanup();
+ class_unregister(&mISDN_class);
+
+diff --git a/drivers/isdn/mISDN/core.h b/drivers/isdn/mISDN/core.h
+index 52695bb81ee7a..3c039b6ade2e1 100644
+--- a/drivers/isdn/mISDN/core.h
++++ 
b/drivers/isdn/mISDN/core.h
+@@ -69,8 +69,8 @@ struct Bprotocol *get_Bprotocol4id(u_int);
+ extern int mISDN_inittimer(u_int *);
+ extern void mISDN_timer_cleanup(void);
+
+-extern int l1_init(u_int *);
+-extern void l1_cleanup(void);
++extern int Isdnl1_Init(u_int *);
++extern void Isdnl1_cleanup(void);
+ extern int Isdnl2_Init(u_int *);
+ extern void Isdnl2_cleanup(void);
+
+diff --git a/drivers/isdn/mISDN/layer1.c b/drivers/isdn/mISDN/layer1.c
+index 3192b0eb39445..284d3a9c7df7d 100644
+--- a/drivers/isdn/mISDN/layer1.c
++++ b/drivers/isdn/mISDN/layer1.c
+@@ -407,7 +407,7 @@ create_l1(struct dchannel *dch, dchannel_l1callback *dcb) {
+ EXPORT_SYMBOL(create_l1);
+
+ int
+-l1_init(u_int *deb)
++Isdnl1_Init(u_int *deb)
+ {
+ debug = deb;
+ l1fsm_s.state_count = L1S_STATE_COUNT;
+@@ -418,7 +418,7 @@ l1_init(u_int *deb)
+ }
+
+ void
+-l1_cleanup(void)
++Isdnl1_cleanup(void)
+ {
+ mISDN_FsmFree(&l1fsm_s);
+ }
+--
+2.34.1
+
diff --git a/queue-4.14/net-udp-fix-alignment-problem-in-udp4_seq_show.patch b/queue-4.14/net-udp-fix-alignment-problem-in-udp4_seq_show.patch
new file mode 100644
index 00000000000..7b48f00df95
--- /dev/null
+++ b/queue-4.14/net-udp-fix-alignment-problem-in-udp4_seq_show.patch
@@ -0,0 +1,48 @@
+From 1cae7fddd5a8679012aea9fad255d39d469463bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Dec 2021 16:29:51 +0800
+Subject: net: udp: fix alignment problem in udp4_seq_show()
+
+From: yangxingwu
+
+[ Upstream commit 6c25449e1a32c594d743df8e8258e8ef870b6a77 ]
+
+$ cat /pro/net/udp
+
+before:
+
+ sl local_address rem_address st tx_queue rx_queue tr tm->when
+26050: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000
+26320: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000
+27135: 00000000:8472 00000000:0000 07 00000000:00000000 00:00000000
+
+after:
+
+ sl local_address rem_address st tx_queue rx_queue tr tm->when
+26050: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000
+26320: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000
+27135: 00000000:8472 00000000:0000 07 00000000:00000000 00:00000000
+
+Signed-off-by: yangxingwu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 4faeb698c33c9..fee1cdcc224e6 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2777,7 +2777,7 @@ int udp4_seq_show(struct seq_file *seq, void *v)
+ {
+ seq_setwidth(seq, 127);
+ if (v == SEQ_START_TOKEN)
+- seq_puts(seq, " sl local_address rem_address st tx_queue "
++ seq_puts(seq, " sl local_address rem_address st tx_queue "
+ "rx_queue tr tm->when retrnsmt uid timeout "
+ "inode ref pointer drops");
+ else {
+--
+2.34.1
+
diff --git a/queue-4.14/scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch b/queue-4.14/scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch
new file mode 100644
index 00000000000..89685774ff5
--- /dev/null
+++ b/queue-4.14/scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch
@@ -0,0 +1,69 @@
+From c2c82cb1c99d341875565033dc002abd3a3b16b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Dec 2021 19:39:06 +0800
+Subject: scsi: libiscsi: Fix UAF in
+ iscsi_conn_get_param()/iscsi_conn_teardown()
+
+From: Lixiaokeng
+
+[ Upstream commit 1b8d0300a3e9f216ae4901bab886db7299899ec6 ]
+
+|- iscsi_if_destroy_conn |-dev_attr_show
+ |-iscsi_conn_teardown
+ |-spin_lock_bh |-iscsi_sw_tcp_conn_get_param
+
+ |-kfree(conn->persistent_address) |-iscsi_conn_get_param
+ |-kfree(conn->local_ipaddr)
+ ==>|-read persistent_address
+ ==>|-read local_ipaddr
+ |-spin_unlock_bh
+
+When iscsi_conn_teardown() and iscsi_conn_get_param() happen in parallel, a
+UAF may be triggered.
+
+Link: https://lore.kernel.org/r/046ec8a0-ce95-d3fc-3235-666a7c65b224@huawei.com
+Reported-by: Lu Tixiong
+Reviewed-by: Mike Christie
+Reviewed-by: Lee Duncan
+Signed-off-by: Lixiaokeng
+Signed-off-by: Linfeilong
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/libiscsi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index f3dfec02abecc..ebf3a277d8bba 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -2991,6 +2991,8 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
+ {
+ struct iscsi_conn *conn = cls_conn->dd_data;
+ struct iscsi_session *session = conn->session;
++ char *tmp_persistent_address = conn->persistent_address;
++ char *tmp_local_ipaddr = conn->local_ipaddr;
+
+ del_timer_sync(&conn->transport_timer);
+
+@@ -3012,8 +3014,6 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
+ spin_lock_bh(&session->frwd_lock);
+ free_pages((unsigned long) conn->data,
+ get_order(ISCSI_DEF_MAX_RECV_SEG_LEN));
+- kfree(conn->persistent_address);
+- kfree(conn->local_ipaddr);
+ /* regular RX path uses back_lock */
+ spin_lock_bh(&session->back_lock);
+ kfifo_in(&session->cmdpool.queue, (void*)&conn->login_task,
+@@ -3025,6 +3025,8 
@@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
+ mutex_unlock(&session->eh_mutex);
+
+ iscsi_destroy_conn(cls_conn);
++ kfree(tmp_persistent_address);
++ kfree(tmp_local_ipaddr);
+ }
+ EXPORT_SYMBOL_GPL(iscsi_conn_teardown);
+
+--
+2.34.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index ee70c7a74db..d75af32ee2b 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -14,3 +14,9 @@ xfs-map-unwritten-blocks-in-xfs_ioc_-alloc-free-sp-just-like-fallocate.patch
 power-reset-ltc2952-fix-use-of-floating-point-literals.patch
 rndis_host-support-hytera-digital-radios.patch
 phonet-refcount-leak-in-pep_sock_accep.patch
+ipv6-continue-processing-multipath-route-even-if-gat.patch
+ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch
+scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch
+ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch
+net-udp-fix-alignment-problem-in-udp4_seq_show.patch
+misdn-change-function-names-to-avoid-conflicts.patch
--
2.47.3
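Review bot: The saved pointers `tmp_persistent_address` and `tmp_local_ipaddr` and the two `kfree()` calls moved after `iscsi_destroy_conn(cls_conn)` carry no comment saying why the frees are deferred, which is the whole point of the fix; a note at the declarations, `/* freed only after iscsi_destroy_conn(): a concurrent sysfs read via iscsi_conn_get_param() must not see freed memory */`, would keep the UAF rationale next to the code. The copies are taken at function entry before `del_timer_sync()`, outside `frwd_lock`, which is fine as long as nothing rewrites those two fields during teardown; the hunk cannot show that, so it is worth confirming against the 4.14 tree. I also cannot see from the hunk what `iscsi_destroy_conn()` does with the `dd_data` struct, so the note should state whether the deferral alone (rather than the lock) is what closes the race. iscsi_conn_teardown's body runs between the three hunks and is not fully visible here.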