--- /dev/null
+From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Sat, 29 Jun 2024 14:42:11 +0200
+Subject: ata: libata-core: Fix null pointer dereference on error
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e upstream.
+
+If the ata_port_alloc() call in ata_host_alloc() fails,
+ata_host_release() will get called.
+
+However, the code in ata_host_release() tries to free ata_port struct
+members unconditionally, which can lead to the following:
+
+BUG: unable to handle page fault for address: 0000000000003990
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
+Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
+RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
+RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
+RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
+R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
+R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
+FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? __die_body.cold+0x19/0x27
+ ? page_fault_oops+0x15a/0x2f0
+ ? exc_page_fault+0x7e/0x180
+ ? asm_exc_page_fault+0x26/0x30
+ ? ata_host_release.cold+0x2f/0x6e [libata]
+ ? ata_host_release.cold+0x2f/0x6e [libata]
+ release_nodes+0x35/0xb0
+ devres_release_group+0x113/0x140
+ ata_host_alloc+0xed/0x120 [libata]
+ ata_host_alloc_pinfo+0x14/0xa0 [libata]
+ ahci_init_one+0x6c9/0xd20 [ahci]
+
+Do not access ata_port struct members unconditionally.
+
+Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it")
+Cc: stable@vger.kernel.org
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -5391,6 +5391,9 @@ static void ata_host_release(struct kref
+ for (i = 0; i < host->n_ports; i++) {
+ struct ata_port *ap = host->ports[i];
+
++ if (!ap)
++ continue;
++
+ kfree(ap->pmp_link);
+ kfree(ap->slave_link);
+ kfree(ap);
--- /dev/null
+From 1be59c97c83ccd67a519d8a49486b3a8a73ca28a Mon Sep 17 00:00:00 2001
+From: Chen Ridong <chenridong@huawei.com>
+Date: Fri, 28 Jun 2024 01:36:04 +0000
+Subject: cgroup/cpuset: Prevent UAF in proc_cpuset_show()
+
+From: Chen Ridong <chenridong@huawei.com>
+
+commit 1be59c97c83ccd67a519d8a49486b3a8a73ca28a upstream.
+
+An UAF can happen when /proc/cpuset is read as reported in [1].
+
+This can be reproduced by the following methods:
+1.add an mdelay(1000) before acquiring the cgroup_lock In the
+ cgroup_path_ns function.
+2.$cat /proc/<pid>/cpuset repeatly.
+3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/
+$umount /sys/fs/cgroup/cpuset/ repeatly.
+
+The race that cause this bug can be shown as below:
+
+(umount) | (cat /proc/<pid>/cpuset)
+css_release | proc_cpuset_show
+css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id);
+css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...);
+cgroup_destroy_root | mutex_lock(&cgroup_mutex);
+rebind_subsystems |
+cgroup_free_root |
+ | // cgrp was freed, UAF
+ | cgroup_path_ns_locked(cgrp,..);
+
+When the cpuset is initialized, the root node top_cpuset.css.cgrp
+will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will
+allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated
+&cgroup_root.cgrp. When the umount operation is executed,
+top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.
+
+The problem is that when rebinding to cgrp_dfl_root, there are cases
+where the cgroup_root allocated by setting up the root for cgroup v1
+is cached. This could lead to a Use-After-Free (UAF) if it is
+subsequently freed. The descendant cgroups of cgroup v1 can only be
+freed after the css is released. However, the css of the root will never
+be released, yet the cgroup_root should be freed when it is unmounted.
+This means that obtaining a reference to the css of the root does
+not guarantee that css.cgrp->root will not be freed.
+
+Fix this problem by using rcu_read_lock in proc_cpuset_show().
+As cgroup_root is kfree_rcu after commit d23b5c577715
+("cgroup: Make operations on the cgroup root_list RCU safe"),
+css->cgroup won't be freed during the critical section.
+To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to
+replace task_get_css with task_css.
+
+[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
+
+Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -22,6 +22,7 @@
+ * distribution for more details.
+ */
+
++#include "cgroup-internal.h"
+ #include <linux/cpu.h>
+ #include <linux/cpumask.h>
+ #include <linux/cpuset.h>
+@@ -3780,10 +3781,14 @@ int proc_cpuset_show(struct seq_file *m,
+ if (!buf)
+ goto out;
+
+- css = task_get_css(tsk, cpuset_cgrp_id);
+- retval = cgroup_path_ns(css->cgroup, buf, PATH_MAX,
+- current->nsproxy->cgroup_ns);
+- css_put(css);
++ rcu_read_lock();
++ spin_lock_irq(&css_set_lock);
++ css = task_css(tsk, cpuset_cgrp_id);
++ retval = cgroup_path_ns_locked(css->cgroup, buf, PATH_MAX,
++ current->nsproxy->cgroup_ns);
++ spin_unlock_irq(&css_set_lock);
++ rcu_read_unlock();
++
+ if (retval >= PATH_MAX)
+ retval = -ENAMETOOLONG;
+ if (retval < 0)
--- /dev/null
+From f1acf1ac84d2ae97b7889b87223c1064df850069 Mon Sep 17 00:00:00 2001
+From: Allison Henderson <allison.henderson@oracle.com>
+Date: Thu, 8 Feb 2024 19:28:54 -0700
+Subject: net:rds: Fix possible deadlock in rds_message_put
+
+From: Allison Henderson <allison.henderson@oracle.com>
+
+commit f1acf1ac84d2ae97b7889b87223c1064df850069 upstream.
+
+Functions rds_still_queued and rds_clear_recv_queue lock a given socket
+in order to safely iterate over the incoming rds messages. However
+calling rds_inc_put while under this lock creates a potential deadlock.
+rds_inc_put may eventually call rds_message_purge, which will lock
+m_rs_lock. This is the incorrect locking order since m_rs_lock is
+meant to be locked before the socket. To fix this, we move the message
+item to a local list or variable that wont need rs_recv_lock protection.
+Then we can safely call rds_inc_put on any item stored locally after
+rs_recv_lock is released.
+
+Fixes: bdbe6fbc6a2f ("RDS: recv.c")
+Reported-by: syzbot+f9db6ff27b9bfdcfeca0@syzkaller.appspotmail.com
+Reported-by: syzbot+dcd73ff9291e6d34b3ab@syzkaller.appspotmail.com
+Signed-off-by: Allison Henderson <allison.henderson@oracle.com>
+Link: https://lore.kernel.org/r/20240209022854.200292-1-allison.henderson@oracle.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/recv.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -424,6 +424,7 @@ static int rds_still_queued(struct rds_s
+ struct sock *sk = rds_rs_to_sk(rs);
+ int ret = 0;
+ unsigned long flags;
++ struct rds_incoming *to_drop = NULL;
+
+ write_lock_irqsave(&rs->rs_recv_lock, flags);
+ if (!list_empty(&inc->i_item)) {
+@@ -434,11 +435,14 @@ static int rds_still_queued(struct rds_s
+ -be32_to_cpu(inc->i_hdr.h_len),
+ inc->i_hdr.h_dport);
+ list_del_init(&inc->i_item);
+- rds_inc_put(inc);
++ to_drop = inc;
+ }
+ }
+ write_unlock_irqrestore(&rs->rs_recv_lock, flags);
+
++ if (to_drop)
++ rds_inc_put(to_drop);
++
+ rdsdebug("inc %p rs %p still %d dropped %d\n", inc, rs, ret, drop);
+ return ret;
+ }
+@@ -757,16 +761,21 @@ void rds_clear_recv_queue(struct rds_soc
+ struct sock *sk = rds_rs_to_sk(rs);
+ struct rds_incoming *inc, *tmp;
+ unsigned long flags;
++ LIST_HEAD(to_drop);
+
+ write_lock_irqsave(&rs->rs_recv_lock, flags);
+ list_for_each_entry_safe(inc, tmp, &rs->rs_recv_queue, i_item) {
+ rds_recv_rcvbuf_delta(rs, sk, inc->i_conn->c_lcong,
+ -be32_to_cpu(inc->i_hdr.h_len),
+ inc->i_hdr.h_dport);
++ list_move(&inc->i_item, &to_drop);
++ }
++ write_unlock_irqrestore(&rs->rs_recv_lock, flags);
++
++ list_for_each_entry_safe(inc, tmp, &to_drop, i_item) {
+ list_del_init(&inc->i_item);
+ rds_inc_put(inc);
+ }
+- write_unlock_irqrestore(&rs->rs_recv_lock, flags);
+ }
+
+ /*
mptcp-sched-check-both-backup-in-retrans.patch
revert-mips-loongson64-reset-prioritise-firmware-service.patch
drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch
+ata-libata-core-fix-null-pointer-dereference-on-error.patch
+cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch
+net-rds-fix-possible-deadlock-in-rds_message_put.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
