5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 3 Feb 2024 01:30:02 +0000 (17:30 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 3 Feb 2024 01:30:02 +0000 (17:30 -0800)
added patches:
gve-fix-use-after-free-vulnerability.patch

queue-5.15/gve-fix-use-after-free-vulnerability.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/gve-fix-use-after-free-vulnerability.patch b/queue-5.15/gve-fix-use-after-free-vulnerability.patch
new file mode 100644 (file)
index 0000000..43498f4
--- /dev/null
@@ -0,0 +1,60 @@
+From pkaligineedi@google.com  Fri Feb  2 17:28:54 2024
+From: Praveen Kaligineedi <pkaligineedi@google.com>
+Date: Tue, 30 Jan 2024 13:45:07 -0800
+Subject: [PATCH 5.15 6.1] gve: Fix use-after-free vulnerability
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, Bailey Forrest <bcf@google.com>,  Praveen Kaligineedi <pkaligineedi@google.com>, Eric Dumazet <edumazet@google.com>,  Jeroen de Borst <jeroendb@google.com>, Kevin DeCabooter <decabooter@google.com>
+Message-ID: <20240130214507.3391252-1-pkaligineedi@google.com>
+
+From: Praveen Kaligineedi <pkaligineedi@google.com>
+
+From: Bailey Forrest <bcf@google.com>
+
+Call skb_shinfo() after gve_prep_tso() on DQO TX path.
+gve_prep_tso() calls skb_cow_head(), which may reallocate
+shinfo causing a use after free.
+
+This bug was unintentionally fixed by 'a6fb8d5a8b69
+("gve: Tx path for DQO-QPL")' while adding DQO-QPL format
+support in 6.6. That patch is not appropriate for stable releases.
+
+Fixes: a57e5de476be ("gve: DQO: Add TX path")
+Signed-off-by: Praveen Kaligineedi <pkaligineedi@google.com>
+Signed-off-by: Bailey Forrest <bcf@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jeroen de Borst <jeroendb@google.com>
+Reviewed-by: Kevin DeCabooter <decabooter@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve_tx_dqo.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+@@ -350,6 +350,7 @@ static void gve_tx_fill_pkt_desc_dqo(str
+ /* Validates and prepares `skb` for TSO.
+  *
+  * Returns header length, or < 0 if invalid.
++ * Warning : Might change skb->head (and thus skb_shinfo).
+  */
+ static int gve_prep_tso(struct sk_buff *skb)
+ {
+@@ -451,8 +452,8 @@ gve_tx_fill_general_ctx_desc(struct gve_
+ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx,
+                                     struct sk_buff *skb)
+ {
+-      const struct skb_shared_info *shinfo = skb_shinfo(skb);
+       const bool is_gso = skb_is_gso(skb);
++      struct skb_shared_info *shinfo;
+       u32 desc_idx = tx->dqo_tx.tail;
+       struct gve_tx_pending_packet_dqo *pkt;
+@@ -477,6 +478,8 @@ static int gve_tx_add_skb_no_copy_dqo(st
+               desc_idx = (desc_idx + 1) & tx->mask;
+       }
++      /* Must get after gve_prep_tso(), which can change shinfo. */
++      shinfo = skb_shinfo(skb);
+       gve_tx_fill_general_ctx_desc(&tx->dqo.tx_ring[desc_idx].general_ctx,
+                                    &metadata);
+       desc_idx = (desc_idx + 1) & tx->mask;
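Review bot: The new declaration `struct skb_shared_info *shinfo;` loses the `const` that the removed line carried, although nothing visible in these hunks writes through the pointer; `const struct skb_shared_info *shinfo;` still permits the late assignment and keeps the read-only guarantee. Because shinfo is now uninitialised from its declaration until `shinfo = skb_shinfo(skb);` after the TSO block, the lines of gve_tx_add_skb_no_copy_dqo() that fall between the second and third hunk (not shown) should be checked for any earlier read of it. The same reasoning applies to any other pointer derived from skb->head that is taken before gve_prep_tso() runs, since the added warning on gve_prep_tso() says the head may change. The function body starts and ends outside the hunks.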
index 88e7c3ac03cdbdfcc9ca6a0f4f8f7914db314828..30a5d7fd7dca438b63c5fa1d79ad94248ded0a7a 100644 (file)
@@ -294,3 +294,4 @@ selftests-net-fix-available-tunnels-detection.patch
 net-sysfs-fix-sys-class-net-iface-path.patch
 arm64-irq-set-the-correct-node-for-shadow-call-stack.patch
 arm64-dts-qcom-sm8150-fix-usb-dp-dm-hs-phy-interrupts.patch
+gve-fix-use-after-free-vulnerability.patch