From: Greg Kroah-Hartman Date: Sat, 3 Feb 2024 01:30:02 +0000 (-0800) Subject: 5.15-stable patches X-Git-Tag: v6.1.77~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9da855f78ddc657e866a1de40b3853b4e1e07610;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: gve-fix-use-after-free-vulnerability.patch --- diff --git a/queue-5.15/gve-fix-use-after-free-vulnerability.patch b/queue-5.15/gve-fix-use-after-free-vulnerability.patch new file mode 100644 index 00000000000..43498f4ef6b --- /dev/null +++ b/queue-5.15/gve-fix-use-after-free-vulnerability.patch 
@@ -0,0 +1,60 @@ +From pkaligineedi@google.com Fri Feb 2 17:28:54 2024 +From: Praveen Kaligineedi +Date: Tue, 30 Jan 2024 13:45:07 -0800 +Subject: [PATCH 5.15 6.1] gve: Fix use-after-free vulnerability +To: stable@vger.kernel.org +Cc: gregkh@linuxfoundation.org, Bailey Forrest , Praveen Kaligineedi , Eric Dumazet , Jeroen de Borst , Kevin DeCabooter +Message-ID: <20240130214507.3391252-1-pkaligineedi@google.com> + +From: Praveen Kaligineedi + +From: Bailey Forrest + +Call skb_shinfo() after gve_prep_tso() on DQO TX path. +gve_prep_tso() calls skb_cow_head(), which may reallocate +shinfo causing a use after free. + +This bug was unintentionally fixed by 'a6fb8d5a8b69 +("gve: Tx path for DQO-QPL")' while adding DQO-QPL format +support in 6.6. That patch is not appropriate for stable releases. + +Fixes: a57e5de476be ("gve: DQO: Add TX path") +Signed-off-by: Praveen Kaligineedi +Signed-off-by: Bailey Forrest +Reviewed-by: Eric Dumazet +Reviewed-by: Jeroen de Borst +Reviewed-by: Kevin DeCabooter +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_tx_dqo.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c ++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +@@ -350,6 +350,7 @@ static void gve_tx_fill_pkt_desc_dqo(str + /* Validates and prepares `skb` for TSO. + * + * Returns header length, or < 0 if invalid. ++ * Warning : Might change skb->head (and thus skb_shinfo). 
+ */ + static int gve_prep_tso(struct sk_buff *skb) + { +@@ -451,8 +452,8 @@ gve_tx_fill_general_ctx_desc(struct gve_ + static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx, + struct sk_buff *skb) + { +- const struct skb_shared_info *shinfo = skb_shinfo(skb); + const bool is_gso = skb_is_gso(skb); ++ struct skb_shared_info *shinfo; + u32 desc_idx = tx->dqo_tx.tail; + + struct gve_tx_pending_packet_dqo *pkt; +@@ -477,6 +478,8 @@ static int gve_tx_add_skb_no_copy_dqo(st + desc_idx = (desc_idx + 1) & tx->mask; + } + ++ /* Must get after gve_prep_tso(), which can change shinfo. */ ++ shinfo = skb_shinfo(skb); + gve_tx_fill_general_ctx_desc(&tx->dqo.tx_ring[desc_idx].general_ctx, + &metadata); + desc_idx = (desc_idx + 1) & tx->mask; diff --git a/queue-5.15/series b/queue-5.15/series index 88e7c3ac03c..30a5d7fd7dc 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -294,3 +294,4 @@ selftests-net-fix-available-tunnels-detection.patch net-sysfs-fix-sys-class-net-iface-path.patch arm64-irq-set-the-correct-node-for-shadow-call-stack.patch arm64-dts-qcom-sm8150-fix-usb-dp-dm-hs-phy-interrupts.patch +gve-fix-use-after-free-vulnerability.patch
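Review bot: the line added to the gve_prep_tso() header comment, `Warning : Might change skb->head (and thus skb_shinfo).`, has a stray space before the colon and does not say why the head can move. The commit message names skb_cow_head() as the call that may reallocate; naming it in the comment as well would tell a later reader which call invalidates pointers derived from skb->head, and that any such pointer taken before gve_prep_tso() must be re-read after it.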
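Review bot: the declaration hunk in gve_tx_add_skb_no_copy_dqo() drops the const qualifier together with the initializer (`const struct skb_shared_info *shinfo = skb_shinfo(skb);` becomes `struct skb_shared_info *shinfo;`), and deferring the assignment does not require that. `const struct skb_shared_info *shinfo;` can still be assigned later, because const applies to the pointed-to data and not to the pointer. If nothing in this function writes through shinfo, keep the qualifier so the compiler continues to enforce read-only access.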
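Review bot: in the last gve_tx_dqo.c hunk, `shinfo = skb_shinfo(skb);` becomes the first assignment to a pointer that the previous hunk leaves uninitialized, and the lines between the declaration and this point (the branch that ends at the `}` just above the new comment) are not part of the diff. Confirm that nothing in that branch reads shinfo, since such a read would now be an uninitialized use where it used to be a stale pointer. The comment `Must get after gve_prep_tso(), which can change shinfo.` would also be clearer if it said the shared info can be reallocated, which is the wording the commit message uses.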
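Review bot: the queue-5.15/series hunk is the only series file this commit touches, while the queued patch carries the subject `[PATCH 5.15 6.1]`. Confirm that the same patch is queued for 6.1 in a separate commit so both trees named in the subject receive the fix.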