From: Greg Kroah-Hartman
Date: Mon, 17 Mar 2025 06:58:36 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v6.6.84~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9083a66fddd74e435f953729186350c07918cb87;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch
tcp-fix-races-in-tcp_abort.patch
---
diff --git a/queue-5.15/lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch b/queue-5.15/lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch
new file mode 100644
index 0000000000..95ddcaa41f
--- /dev/null
+++ b/queue-5.15/lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch
@@ -0,0 +1,62 @@
+From 5ac9b4e935dfc6af41eee2ddc21deb5c36507a9f Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko
+Date: Thu, 17 Oct 2024 10:47:13 -0700
+Subject: lib/buildid: Handle memfd_secret() files in build_id_parse()
+
+From: Andrii Nakryiko
+
+commit 5ac9b4e935dfc6af41eee2ddc21deb5c36507a9f upstream.
+
+>From memfd_secret(2) manpage:
+
+ The memory areas backing the file created with memfd_secret(2) are
+ visible only to the processes that have access to the file descriptor.
+ The memory region is removed from the kernel page tables and only the
+ page tables of the processes holding the file descriptor map the
+ corresponding physical memory. (Thus, the pages in the region can't be
+ accessed by the kernel itself, so that, for example, pointers to the
+ region can't be passed to system calls.)
+
+We need to handle this special case gracefully in build ID fetching
+code. Return -EFAULT whenever secretmem file is passed to build_id_parse()
+family of APIs. Original report and repro can be found in [0].
+
+ [0] https://lore.kernel.org/bpf/ZwyG8Uro%2FSyTXAni@ly-workstation/
+
+Fixes: de3ec364c3c3 ("lib/buildid: add single folio-based file reader abstraction")
+Reported-by: Yi Lai
+Suggested-by: Shakeel Butt
+Signed-off-by: Andrii Nakryiko
+Signed-off-by: Daniel Borkmann
+Acked-by: Shakeel Butt
+Link: https://lore.kernel.org/bpf/20241017175431.6183-A-hca@linux.ibm.com
+Link: https://lore.kernel.org/bpf/20241017174713.2157873-1-andrii@kernel.org
+[ Chen Linxuan: backport same logic without folio-based changes ]
+Fixes: 88a16a130933 ("perf: Add build id data in mmap2 event")
+Signed-off-by: Chen Linxuan
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/buildid.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/lib/buildid.c
++++ b/lib/buildid.c
+@@ -5,6 +5,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #define BUILD_ID 3
+
+@@ -157,6 +158,10 @@ int build_id_parse(struct vm_area_struct
+ if (!vma->vm_file)
+ return -EINVAL;
+
++ /* reject secretmem folios created with memfd_secret() */
++ if (vma_is_secretmem(vma))
++ return -EFAULT;
++
+ page = find_get_page(vma->vm_file->f_mapping, 0);
+ if (!page)
+ return -EFAULT; /* page not mapped */
diff --git a/queue-5.15/series b/queue-5.15/series
index 2ce822960b..69186454e6 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -60,3 +60,5 @@ drm-amd-display-restore-correct-backlight-brightness-after-a-gpu-reset.patch
 drm-amd-display-assign-normalized_pix_clk-when-color-depth-14.patch
 drm-amd-display-fix-slab-use-after-free-on-hdcp_work.patch
 qlcnic-fix-memory-leak-issues-in-qlcnic_sriov_common.c.patch
+lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch
+tcp-fix-races-in-tcp_abort.patch
diff --git a/queue-5.15/tcp-fix-races-in-tcp_abort.patch b/queue-5.15/tcp-fix-races-in-tcp_abort.patch
new file mode 100644
index 0000000000..0cbc21610f
--- /dev/null
+++ b/queue-5.15/tcp-fix-races-in-tcp_abort.patch
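Review bot: The comment placed above the new check, `/* reject secretmem folios created with memfd_secret() */`, talks about folios, but this 5.15 backport explicitly drops the folio-based reader (per the [Chen Linxuan] note) and the code right below still works on the struct page returned by find_get_page(); `/* reject secretmem pages created with memfd_secret() */` would describe the code it sits on. The name of the header added at the top of lib/buildid.c is not visible in this rendering (the angle-bracketed include targets are stripped), so confirm it is the one that declares vma_is_secretmem() and that its CONFIG_SECRETMEM=n stub resolves on this branch. Putting the check before find_get_page() is the right spot: the rejected path takes no page reference, and returning -EFAULT matches what the existing "page not mapped" path already returns, so callers need no new error handling.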
@@ -0,0 +1,46 @@
+From 5ce4645c23cf5f048eb8e9ce49e514bababdee85 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 28 May 2024 12:52:52 +0000
+Subject: tcp: fix races in tcp_abort()
+
+From: Eric Dumazet
+
+commit 5ce4645c23cf5f048eb8e9ce49e514bababdee85 upstream.
+
+tcp_abort() has the same issue than the one fixed in the prior patch
+in tcp_write_err().
+
+In order to get consistent results from tcp_poll(), we must call
+sk_error_report() after tcp_done().
+
+We can use tcp_done_with_error() to centralize this logic.
+
+Fixes: c1e64e298b8c ("net: diag: Support destroying TCP sockets.")
+Signed-off-by: Eric Dumazet
+Acked-by: Neal Cardwell
+Link: https://lore.kernel.org/r/20240528125253.1966136-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+[youngmin: Resolved minor conflict in net/ipv4/tcp.c]
+Signed-off-by: Youngmin Nam
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -4514,13 +4514,9 @@ int tcp_abort(struct sock *sk, int err)
+ bh_lock_sock(sk);
+
+ if (!sock_flag(sk, SOCK_DEAD)) {
+- WRITE_ONCE(sk->sk_err, err);
+- /* This barrier is coupled with smp_rmb() in tcp_poll() */
+- smp_wmb();
+- sk_error_report(sk);
+ if (tcp_need_reset(sk->sk_state))
+ tcp_send_active_reset(sk, GFP_ATOMIC);
+- tcp_done(sk);
++ tcp_done_with_error(sk, err);
+ }
+
+ bh_unlock_sock(sk);
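Review bot: The new line `tcp_done_with_error(sk, err);` depends on a helper that the message attributes to "the prior patch" fixing tcp_write_err(), and that prior patch is not among the two files this commit adds to queue-5.15/series; confirm it is already in 5.15.y, otherwise net/ipv4/tcp.c will fail to build. The [youngmin] conflict note says the surrounding code was adapted, so it is worth checking that the 5.15 version of tcp_done_with_error() still performs the four removed steps in the intended order — WRITE_ONCE(sk->sk_err, err), the smp_wmb() paired with smp_rmb() in tcp_poll(), then tcp_done() and only afterwards sk_error_report() — since those are the whole of what this hunk now relies on it for. The rest of tcp_abort() (the bh_unlock_sock() tail and return) lies outside the inner hunk.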