From f5e5f7397aacd96977afc8d02bcdf4dcc3818d13 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 1 Sep 2021 12:52:23 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch
---
 ...ser-a-struct-ifreq-for-socket-ioctls.patch | 80 +++++++++++++++++++
 queue-4.19/series | 1 +
 2 files changed, 81 insertions(+)
 create mode 100644 queue-4.19/net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch

diff --git a/queue-4.19/net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch b/queue-4.19/net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch
new file mode 100644
index 00000000000..d3cf6d6bd7e
--- /dev/null
+++ b/queue-4.19/net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch
@@ -0,0 +1,80 @@
+From d0efb16294d145d157432feda83877ae9d7cdf37 Mon Sep 17 00:00:00 2001
+From: Peter Collingbourne
+Date: Thu, 26 Aug 2021 12:46:01 -0700
+Subject: net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
+
+From: Peter Collingbourne
+
+commit d0efb16294d145d157432feda83877ae9d7cdf37 upstream.
+
+A common implementation of isatty(3) involves calling a ioctl passing
+a dummy struct argument and checking whether the syscall failed --
+bionic and glibc use TCGETS (passing a struct termios), and musl uses
+TIOCGWINSZ (passing a struct winsize). If the FD is a socket, we will
+copy sizeof(struct ifreq) bytes of data from the argument and return
+-EFAULT if that fails. The result is that the isatty implementations
+may return a non-POSIX-compliant value in errno in the case where part
+of the dummy struct argument is inaccessible, as both struct termios
+and struct winsize are smaller than struct ifreq (at least on arm64).
+
+Although there is usually enough stack space following the argument
+on the stack that this did not present a practical problem up to now,
+with MTE stack instrumentation it's more likely for the copy to fail,
+as the memory following the struct may have a different tag.
+
+Fix the problem by adding an early check for whether the ioctl is a
+valid socket ioctl, and return -ENOTTY if it isn't.
+
+Fixes: 44c02a2c3dc5 ("dev_ioctl(): move copyin/copyout to callers")
+Link: https://linux-review.googlesource.com/id/I869da6cf6daabc3e4b7b82ac979683ba05e27d4d
+Signed-off-by: Peter Collingbourne
+Cc: # 4.19
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/netdevice.h | 4 ++++
+ net/socket.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -3594,6 +3594,10 @@ int netdev_rx_handler_register(struct ne
+ void netdev_rx_handler_unregister(struct net_device *dev);
+ 
+ bool dev_valid_name(const char *name);
++static inline bool is_socket_ioctl_cmd(unsigned int cmd)
++{
++ return _IOC_TYPE(cmd) == SOCK_IOC_TYPE;
++}
+ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr,
+ bool *need_copyout);
+ int dev_ifconf(struct net *net, struct ifconf *, int);
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1030,7 +1030,7 @@ static long sock_do_ioctl(struct net *ne
+ rtnl_unlock();
+ if (!err && copy_to_user(argp, &ifc, sizeof(struct ifconf)))
+ err = -EFAULT;
+- } else {
++ } else if (is_socket_ioctl_cmd(cmd)) {
+ struct ifreq ifr;
+ bool need_copyout;
+ if (copy_from_user(&ifr, argp, sizeof(struct ifreq)))
+@@ -1039,6 +1039,8 @@ static long sock_do_ioctl(struct net *ne
+ if (!err && need_copyout)
+ if (copy_to_user(argp, &ifr, sizeof(struct ifreq)))
+ return -EFAULT;
++ } else {
++ err = -ENOTTY;
+ }
+ return err;
+ }
+@@ -3064,6 +3066,8 @@ static int compat_ifr_data_ioctl(struct
+ struct ifreq ifreq;
+ u32 data32;
+ 
++ if (!is_socket_ioctl_cmd(cmd))
++ return -ENOTTY;
+ if (copy_from_user(ifreq.ifr_name, u_ifreq32->ifr_name, IFNAMSIZ))
+ return -EFAULT;
+ if (get_user(data32, &u_ifreq32->ifr_data))
diff --git a/queue-4.19/series b/queue-4.19/series
index 4cfd668559f..7723a478e4a 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -30,3 +30,4 @@ vt_kdsetmode-extend-console-locking.patch
 fbmem-add-margin-check-to-fb_check_caps.patch
 kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
 revert-floppy-reintroduce-o_ndelay-fix.patch
+net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch
-- 
2.47.3
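Review bot: The `is_socket_ioctl_cmd()` helper added in the include/linux/netdevice.h hunk carries no comment, so a reader must already know that `_IOC_TYPE(cmd) == SOCK_IOC_TYPE` selects the SIOC* socket-ioctl family and that any other command reaching the patched branches of `sock_do_ioctl()` and `compat_ifr_data_ioctl()` is now rejected with -ENOTTY before the struct ifreq copy-in runs. A one-line header at the definition, `/* True for the SIOC* socket ioctls (type SOCK_IOC_TYPE); other commands are rejected with -ENOTTY before any struct ifreq copy_from_user(). */`, would state that contract once where both callers can find it. The bodies of `sock_do_ioctl()` and `compat_ifr_data_ioctl()` begin and end outside the net/socket.c hunks, so whether an earlier path in either still reaches a copy_from_user() with a non-socket command cannot be confirmed from this page and is worth a glance at the 4.19 tree while queueing. Likewise, that SOCK_IOC_TYPE is visible from netdevice.h in 4.19 is not checkable here; the upstream commit placed the helper in the same header, so presumably it is.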