From fce0e84860fa4f71dc13adc7326413f47ce433cd Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 24 Mar 2022 13:56:55 +0100
Subject: [PATCH] 5.10-stable patches added patches: exfat-avoid-incorrectly-releasing-for-root-inode.patch net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch
---
 ...incorrectly-releasing-for-root-inode.patch | 33 +++++++++++++
 ...-skb_over_panic-in-__ip6_append_data.patch | 47 +++++++++++++++++++
 queue-5.10/series | 2 +
 3 files changed, 82 insertions(+)
 create mode 100644 queue-5.10/exfat-avoid-incorrectly-releasing-for-root-inode.patch
 create mode 100644 queue-5.10/net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch
diff --git a/queue-5.10/exfat-avoid-incorrectly-releasing-for-root-inode.patch b/queue-5.10/exfat-avoid-incorrectly-releasing-for-root-inode.patch
new file mode 100644
index 00000000000..2ca61f0af53
--- /dev/null
+++ b/queue-5.10/exfat-avoid-incorrectly-releasing-for-root-inode.patch
@@ -0,0 +1,33 @@
+From 839a534f1e853f1aec100d06040c0037b89c2dc3 Mon Sep 17 00:00:00 2001
+From: Chen Li
+Date: Wed, 9 Jun 2021 11:48:55 +0800
+Subject: exfat: avoid incorrectly releasing for root inode
+
+From: Chen Li
+
+commit 839a534f1e853f1aec100d06040c0037b89c2dc3 upstream.
+
+In d_make_root, when we fail to allocate dentry for root inode,
+we will iput root inode and returned value is NULL in this function.
+
+So we do not need to release this inode again at d_make_root's caller.
+
+Signed-off-by: Chen Li
+Signed-off-by: Namjae Jeon
+Cc: Tadeusz Struk
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exfat/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/exfat/super.c
++++ b/fs/exfat/super.c
+@@ -690,7 +690,7 @@ static int exfat_fill_super(struct super
+ if (!sb->s_root) {
+ exfat_err(sb, "failed to get the root dentry");
+ err = -ENOMEM;
+- goto put_inode;
++ goto free_table;
+ }
+
+ return 0;
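Review bot: The new `goto free_table;` in the `!sb->s_root` branch of exfat_fill_super has no comment explaining why this error path bypasses `put_inode`; the reason lives only in the commit message, which says d_make_root() already calls iput() on the root inode when it fails to allocate the dentry. Without that note the jump reads like a leaked inode, and a later cleanup that "restores" `put_inode` would release a reference that has already been dropped. I would add `/* d_make_root() has already dropped root_inode on failure */` directly above the goto. The `put_inode` and `free_table` labels and the rest of exfat_fill_super are outside the hunk, so what `free_table` itself releases cannot be confirmed from here.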
diff --git a/queue-5.10/net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch b/queue-5.10/net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch
new file mode 100644
index 00000000000..36ada632ac0
--- /dev/null
+++ b/queue-5.10/net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch
@@ -0,0 +1,47 @@
+From 5e34af4142ffe68f01c8a9acae83300f8911e20c Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk
+Date: Thu, 10 Mar 2022 15:25:38 -0800
+Subject: net: ipv6: fix skb_over_panic in __ip6_append_data
+
+From: Tadeusz Struk
+
+commit 5e34af4142ffe68f01c8a9acae83300f8911e20c upstream.
+
+Syzbot found a kernel bug in the ipv6 stack:
+LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580
+The reproducer triggers it by sending a crafted message via sendmmsg()
+call, which triggers skb_over_panic, and crashes the kernel:
+
+skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
+head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0
+dev:
+
+Update the check that prevents an invalid packet with MTU equal
+to the fregment header size to eat up all the space for payload.
+
+The reproducer can be found here:
+LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000
+
+Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
+Signed-off-by: Tadeusz Struk
+Acked-by: Willem de Bruijn
+Link: https://lore.kernel.org/r/20220310232538.1044947-1-tadeusz.struk@linaro.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_output.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1500,8 +1500,8 @@ static int __ip6_append_data(struct sock
+ sizeof(struct frag_hdr) : 0) +
+ rt->rt6i_nfheader_len;
+
+- if (mtu < fragheaderlen ||
+- ((mtu - fragheaderlen) & ~7) + fragheaderlen < sizeof(struct frag_hdr))
++ if (mtu <= fragheaderlen ||
++ ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
+ goto emsgsize;
+
+ maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
diff --git a/queue-5.10/series b/queue-5.10/series
index 1972e51d926..4ddbabe1541 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
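Review bot: The bound `((mtu - fragheaderlen) & ~7) + fragheaderlen` is spelled out in the new guard and again in the `maxfraglen` assignment two lines below, so the value that is validated and the value that is used can drift apart on a later edit. Computing it once into a local and testing that local against `sizeof(struct frag_hdr)` would keep the check and the use in lockstep. The subtraction also depends on `mtu <= fragheaderlen` being evaluated first; if both operands are unsigned (their declarations are not in the hunk), reordering the two clauses would let `mtu - fragheaderlen` wrap before it is rejected. A comment above the `if` such as `/* need room for payload beyond the headers; first test also keeps mtu - fragheaderlen from wrapping */` would record both reasons for the `<=`. The `maxfraglen` statement continues past the end of the hunk, so whether the resulting value always exceeds `fragheaderlen` cannot be checked from here.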
@@ -1 +1,3 @@
 nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
+net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch
+exfat-avoid-incorrectly-releasing-for-root-inode.patch
--
2.47.3