From 9a4dbe163035033368403bf8ab2fc74974752f09 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 15 Jan 2023 15:14:43 +0100
Subject: [PATCH] 6.1-stable patches
added patches:
netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch
selftests-netfilter-fix-transaction-test-script-timeout-handling.patch
---
...den-in-the-bitmap_ip_create-function.patch | 41 ++++++++
...-after-free-bug-in-dup_user_cpus_ptr.patch | 99 +++++++++++++++++++
...saction-test-script-timeout-handling.patch | 77 +++++++++++++++
queue-6.1/series | 3 +
4 files changed, 220 insertions(+)
create mode 100644 queue-6.1/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
create mode 100644 queue-6.1/sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch
create mode 100644 queue-6.1/selftests-netfilter-fix-transaction-test-script-timeout-handling.patch
diff --git a/queue-6.1/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch b/queue-6.1/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
new file mode 100644
index 00000000000..cdabf343b50
--- /dev/null
+++ b/queue-6.1/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
@@ -0,0 +1,41 @@
+From 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia
+Date: Wed, 11 Jan 2023 11:57:39 +0000
+Subject: netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
+
+From: Gavrilov Ilia
+
+commit 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 upstream.
+
+When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
+an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
+to overflow due to a failure casting operands to a larger data type
+before performing the arithmetic.
+
+Note that it's harmless since the value will be checked at the next step.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters")
+Signed-off-by: Ilia.Gavrilov
+Reviewed-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct
+ return -IPSET_ERR_BITMAP_RANGE;
+
+ pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
+- hosts = 2 << (32 - netmask - 1);
+- elements = 2 << (netmask - mask_bits - 1);
++ hosts = 2U << (32 - netmask - 1);
++ elements = 2UL << (netmask - mask_bits - 1);
+ }
+ if (elements > IPSET_BITMAP_MAX_RANGE + 1)
+ return -IPSET_ERR_BITMAP_RANGE_SIZE;
diff --git a/queue-6.1/sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch b/queue-6.1/sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch
new file mode 100644
index 00000000000..8bf3729b497
--- /dev/null
+++ b/queue-6.1/sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch
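Review bot: The widened `hosts`/`elements` shifts are only free of overflow because of bounds the hunk does not show: the `return -IPSET_ERR_BITMAP_RANGE` context line is the tail of a range check that presumably rejects `netmask <= mask_bits`, and the enclosing `if (netmask < 32)` block whose closing `}` is visible starts above the hunk, which together keep both shift counts at or below 30 — and `2UL` is only 32 bits wide on ILP32 targets, so the result still depends on that bound rather than on the wider literal. Nothing in the new lines records the invariant, so a later relaxation of the range check would reintroduce the overflow silently. I would add `/* range check above keeps netmask in [1, 31] and > mask_bits, so both shift counts are <= 30 and the products fit in 32 bits */` before the `hosts =` line, or write `elements = 1ULL << (netmask - mask_bits);` so the width of `long` stops mattering, assuming `elements` is a 64-bit type (its declaration is outside the hunk). The commit message's "harmless" claim rests on the `elements > IPSET_BITMAP_MAX_RANGE + 1` check that follows; the enclosing `bitmap_ip_create()` continues outside the hunk.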
@@ -0,0 +1,99 @@
+From 87ca4f9efbd7cc649ff43b87970888f2812945b8 Mon Sep 17 00:00:00 2001
+From: Waiman Long
+Date: Fri, 30 Dec 2022 23:11:19 -0500
+Subject: sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Waiman Long
+
+commit 87ca4f9efbd7cc649ff43b87970888f2812945b8 upstream.
+
+Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
+restricted on asymmetric systems"), the setting and clearing of
+user_cpus_ptr are done under pi_lock for arm64 architecture. However,
+dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
+protection. Since sched_setaffinity() can be invoked from another
+process, the process being modified may be undergoing fork() at
+the same time. When racing with the clearing of user_cpus_ptr in
+__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
+possibly double-free in arm64 kernel.
+
+Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
+cpumask") fixes this problem as user_cpus_ptr, once set, will never
+be cleared in a task's lifetime. However, this bug was re-introduced
+in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
+do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
+do_set_cpus_allowed(). This time, it will affect all arches.
+
+Fix this bug by always clearing the user_cpus_ptr of the newly
+cloned/forked task before the copying process starts and check the
+user_cpus_ptr state of the source task under pi_lock.
+
+Note to stable, this patch won't be applicable to stable releases.
+Just copy the new dup_user_cpus_ptr() function over.
+
+Fixes: 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems")
+Fixes: 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()")
+Reported-by: David Wang 王标
+Signed-off-by: Waiman Long
+Signed-off-by: Ingo Molnar
+Reviewed-by: Peter Zijlstra
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221231041120.440785-2-longman@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/core.c | 37 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -2587,14 +2587,43 @@ void do_set_cpus_allowed(struct task_str
+ int dup_user_cpus_ptr(struct task_struct *dst, struct task_struct *src,
+ int node)
+ {
+- if (!src->user_cpus_ptr)
++ cpumask_t *user_mask;
++ unsigned long flags;
++
++ /*
++ * Always clear dst->user_cpus_ptr first as their user_cpus_ptr's
++ * may differ by now due to racing.
++ */
++ dst->user_cpus_ptr = NULL;
++
++ /*
++ * This check is racy and losing the race is a valid situation.
++ * It is not worth the extra overhead of taking the pi_lock on
++ * every fork/clone.
++ */
++ if (data_race(!src->user_cpus_ptr))
+ return 0;
+
+- dst->user_cpus_ptr = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
+- if (!dst->user_cpus_ptr)
++ user_mask = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
++ if (!user_mask)
+ return -ENOMEM;
+
+- cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
++ /*
++ * Use pi_lock to protect content of user_cpus_ptr
++ *
++ * Though unlikely, user_cpus_ptr can be reset to NULL by a concurrent
++ * do_set_cpus_allowed().
++ */
++ raw_spin_lock_irqsave(&src->pi_lock, flags);
++ if (src->user_cpus_ptr) {
++ swap(dst->user_cpus_ptr, user_mask);
++ cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
++ }
++ raw_spin_unlock_irqrestore(&src->pi_lock, flags);
++
++ if (unlikely(user_mask))
++ kfree(user_mask);
++
+ return 0;
+ }
+
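Review bot: The rewritten `dup_user_cpus_ptr()` carries no comment stating its calling contract, and that contract is now the whole point of the fix: the `GFP_KERNEL` allocation is deliberately done before `raw_spin_lock_irqsave(&src->pi_lock, ...)` so the function may sleep and must run in process context, the lockless `data_race()` read is sound only because the pointer is compared with NULL and never dereferenced outside the lock, and on both the `-ENOMEM` path and the lost-race path the caller is left with `dst->user_cpus_ptr == NULL` rather than a copy of `src`'s pointer. I would add a kernel-doc block above the signature saying exactly that — may sleep, allocates before taking `src->pi_lock`, `dst->user_cpus_ptr` is either a fresh private copy or NULL on return, returns 0 or `-ENOMEM` — so the next person who "optimises" the allocation under the lock or reuses the racy pointer sees the reasoning. A one-line `/* lost the race: src's mask was cleared, nothing to copy */` on the `if (unlikely(user_mask))` branch would also help, since `kfree(NULL)` is a no-op and the guard reads as if it were needed for correctness when it is only a fast-path branch. The hunk shows the whole function, so nothing here depends on code outside it.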
diff --git a/queue-6.1/selftests-netfilter-fix-transaction-test-script-timeout-handling.patch b/queue-6.1/selftests-netfilter-fix-transaction-test-script-timeout-handling.patch
new file mode 100644
index 00000000000..2c4087ec418
--- /dev/null
+++ b/queue-6.1/selftests-netfilter-fix-transaction-test-script-timeout-handling.patch
@@ -0,0 +1,77 @@
+From c273289fac370b6488757236cd62cc2cf04830b7 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 4 Jan 2023 12:54:42 +0100
+Subject: selftests: netfilter: fix transaction test script timeout handling
+
+From: Florian Westphal
+
+commit c273289fac370b6488757236cd62cc2cf04830b7 upstream.
+
+The kselftest framework uses a default timeout of 45 seconds for
+all test scripts.
+
+Increase the timeout to two minutes for the netfilter tests, this
+should hopefully be enough,
+
+Make sure that, should the script be canceled, the net namespace and
+the spawned ping instances are removed.
+
+Fixes: 25d8bcedbf43 ("selftests: add script to stress-test nft packet path vs. control plane")
+Reported-by: Mirsad Goran Todorovac
+Signed-off-by: Florian Westphal
+Tested-by: Mirsad Goran Todorovac
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/netfilter/nft_trans_stress.sh | 16 +++++++++-------
+ tools/testing/selftests/netfilter/settings | 1 +
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+ create mode 100644 tools/testing/selftests/netfilter/settings
+
+--- a/tools/testing/selftests/netfilter/nft_trans_stress.sh
++++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh
+@@ -10,12 +10,20 @@
+ ksft_skip=4
+
+ testns=testns-$(mktemp -u "XXXXXXXX")
++tmp=""
+
+ tables="foo bar baz quux"
+ global_ret=0
+ eret=0
+ lret=0
+
++cleanup() {
++ ip netns pids "$testns" | xargs kill 2>/dev/null
++ ip netns del "$testns"
++
++ rm -f "$tmp"
++}
++
+ check_result()
+ {
+ local r=$1
+@@ -43,6 +51,7 @@ if [ $? -ne 0 ];then
+ exit $ksft_skip
+ fi
+
++trap cleanup EXIT
+ tmp=$(mktemp)
+
+ for table in $tables; do
+@@ -139,11 +148,4 @@ done
+
+ check_result $lret "add/delete with nftrace enabled"
+
+-pkill -9 ping
+-
+-wait
+-
+-rm -f "$tmp"
+-ip netns del "$testns"
+-
+ exit $global_ret
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/settings
+@@ -0,0 +1 @@
++timeout=120
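Review bot: In the new `cleanup()`, `ip netns pids "$testns" | xargs kill 2>/dev/null` runs `kill` with no arguments whenever the namespace has no processes left (normal completion, or an early exit after the trap is armed), and that only passes quietly because the whole pipeline's stderr is discarded; `ip netns pids "$testns" | xargs -r kill` (GNU no-run-if-empty) or `for p in $(ip netns pids "$testns"); do kill "$p"; done` sends nothing on empty input and does not need the redirect to hide the usage error. The `tmp=""` added at the top exists only so `rm -f "$tmp"` in `cleanup()` is safe if the trap fires before `tmp=$(mktemp)` runs; a comment on that line, `# initialised early: cleanup() may run before mktemp`, would stop someone removing the apparently pointless assignment. The removed `wait` means backgrounded pings are no longer reaped before `exit $global_ret`; that is presumably fine now that the EXIT trap kills them, but it is inferred, since the code that spawns them is outside the hunk. The rest of the script continues outside the hunk.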
diff --git a/queue-6.1/series b/queue-6.1/series
index 6e754743c84..1d7bbe33023 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -85,3 +85,6 @@ iommu-arm-smmu-v3-don-t-unregister-on-shutdown.patch
 iommu-mediatek-v1-fix-an-error-handling-path-in-mtk_iommu_v1_probe.patch
 iommu-arm-smmu-don-t-unregister-on-shutdown.patch
 iommu-arm-smmu-report-iommu_cap_cache_coherency-even-betterer.patch
+sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch
+netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
+selftests-netfilter-fix-transaction-test-script-timeout-handling.patch
--
2.47.3