--- /dev/null
+From 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Wed, 11 Jan 2023 11:57:39 +0000
+Subject: netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 upstream.
+
+When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
+an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
+to overflow due to a failure casting operands to a larger data type
+before performing the arithmetic.
+
+Note that it's harmless since the value will be checked at the next step.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters")
+Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct
+ return -IPSET_ERR_BITMAP_RANGE;
+
+ pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
+- hosts = 2 << (32 - netmask - 1);
+- elements = 2 << (netmask - mask_bits - 1);
++ hosts = 2U << (32 - netmask - 1);
++ elements = 2UL << (netmask - mask_bits - 1);
+ }
+ if (elements > IPSET_BITMAP_MAX_RANGE + 1)
+ return -IPSET_ERR_BITMAP_RANGE_SIZE;
--- /dev/null
+From 87ca4f9efbd7cc649ff43b87970888f2812945b8 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Fri, 30 Dec 2022 23:11:19 -0500
+Subject: sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Waiman Long <longman@redhat.com>
+
+commit 87ca4f9efbd7cc649ff43b87970888f2812945b8 upstream.
+
+Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
+restricted on asymmetric systems"), the setting and clearing of
+user_cpus_ptr are done under pi_lock for arm64 architecture. However,
+dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
+protection. Since sched_setaffinity() can be invoked from another
+process, the process being modified may be undergoing fork() at
+the same time. When racing with the clearing of user_cpus_ptr in
+__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
+possibly double-free in arm64 kernel.
+
+Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
+cpumask") fixes this problem as user_cpus_ptr, once set, will never
+be cleared in a task's lifetime. However, this bug was re-introduced
+in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
+do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
+do_set_cpus_allowed(). This time, it will affect all arches.
+
+Fix this bug by always clearing the user_cpus_ptr of the newly
+cloned/forked task before the copying process starts and check the
+user_cpus_ptr state of the source task under pi_lock.
+
+Note to stable, this patch won't be applicable to stable releases.
+Just copy the new dup_user_cpus_ptr() function over.
+
+Fixes: 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems")
+Fixes: 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()")
+Reported-by: David Wang 王标 <wangbiao3@xiaomi.com>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221231041120.440785-2-longman@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/core.c | 37 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -2587,14 +2587,43 @@ void do_set_cpus_allowed(struct task_str
+ int dup_user_cpus_ptr(struct task_struct *dst, struct task_struct *src,
+ int node)
+ {
+- if (!src->user_cpus_ptr)
++ cpumask_t *user_mask;
++ unsigned long flags;
++
++ /*
++ * Always clear dst->user_cpus_ptr first as their user_cpus_ptr's
++ * may differ by now due to racing.
++ */
++ dst->user_cpus_ptr = NULL;
++
++ /*
++ * This check is racy and losing the race is a valid situation.
++ * It is not worth the extra overhead of taking the pi_lock on
++ * every fork/clone.
++ */
++ if (data_race(!src->user_cpus_ptr))
+ return 0;
+
+- dst->user_cpus_ptr = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
+- if (!dst->user_cpus_ptr)
++ user_mask = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
++ if (!user_mask)
+ return -ENOMEM;
+
+- cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
++ /*
++ * Use pi_lock to protect content of user_cpus_ptr
++ *
++ * Though unlikely, user_cpus_ptr can be reset to NULL by a concurrent
++ * do_set_cpus_allowed().
++ */
++ raw_spin_lock_irqsave(&src->pi_lock, flags);
++ if (src->user_cpus_ptr) {
++ swap(dst->user_cpus_ptr, user_mask);
++ cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
++ }
++ raw_spin_unlock_irqrestore(&src->pi_lock, flags);
++
++ if (unlikely(user_mask))
++ kfree(user_mask);
++
+ return 0;
+ }
+
--- /dev/null
+From c273289fac370b6488757236cd62cc2cf04830b7 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 4 Jan 2023 12:54:42 +0100
+Subject: selftests: netfilter: fix transaction test script timeout handling
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c273289fac370b6488757236cd62cc2cf04830b7 upstream.
+
+The kselftest framework uses a default timeout of 45 seconds for
+all test scripts.
+
+Increase the timeout to two minutes for the netfilter tests, this
+should hopefully be enough,
+
+Make sure that, should the script be canceled, the net namespace and
+the spawned ping instances are removed.
+
+Fixes: 25d8bcedbf43 ("selftests: add script to stress-test nft packet path vs. control plane")
+Reported-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Tested-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/netfilter/nft_trans_stress.sh | 16 +++++++++-------
+ tools/testing/selftests/netfilter/settings | 1 +
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+ create mode 100644 tools/testing/selftests/netfilter/settings
+
+--- a/tools/testing/selftests/netfilter/nft_trans_stress.sh
++++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh
+@@ -10,12 +10,20 @@
+ ksft_skip=4
+
+ testns=testns-$(mktemp -u "XXXXXXXX")
++tmp=""
+
+ tables="foo bar baz quux"
+ global_ret=0
+ eret=0
+ lret=0
+
++cleanup() {
++ ip netns pids "$testns" | xargs kill 2>/dev/null
++ ip netns del "$testns"
++
++ rm -f "$tmp"
++}
++
+ check_result()
+ {
+ local r=$1
+@@ -43,6 +51,7 @@ if [ $? -ne 0 ];then
+ exit $ksft_skip
+ fi
+
++trap cleanup EXIT
+ tmp=$(mktemp)
+
+ for table in $tables; do
+@@ -139,11 +148,4 @@ done
+
+ check_result $lret "add/delete with nftrace enabled"
+
+-pkill -9 ping
+-
+-wait
+-
+-rm -f "$tmp"
+-ip netns del "$testns"
+-
+ exit $global_ret
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/settings
+@@ -0,0 +1 @@
++timeout=120
iommu-mediatek-v1-fix-an-error-handling-path-in-mtk_iommu_v1_probe.patch
iommu-arm-smmu-don-t-unregister-on-shutdown.patch
iommu-arm-smmu-report-iommu_cap_cache_coherency-even-betterer.patch
+sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch
+netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
+selftests-netfilter-fix-transaction-test-script-timeout-handling.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
