4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 4 Aug 2023 10:02:15 +0000 (12:02 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 4 Aug 2023 10:02:15 +0000 (12:02 +0200)
added patches:
net-sched-cls_u32-fix-reference-counter-leak-leading-to-overflow.patch

queue-4.19/net-sched-cls_u32-fix-reference-counter-leak-leading-to-overflow.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/net-sched-cls_u32-fix-reference-counter-leak-leading-to-overflow.patch b/queue-4.19/net-sched-cls_u32-fix-reference-counter-leak-leading-to-overflow.patch
new file mode 100644 (file)
index 0000000..6588fc9
--- /dev/null
@@ -0,0 +1,75 @@
+From 04c55383fa5689357bcdd2c8036725a55ed632bc Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+Date: Thu, 8 Jun 2023 08:29:03 +0100
+Subject: net/sched: cls_u32: Fix reference counter leak leading to overflow
+
+From: Lee Jones <lee@kernel.org>
+
+commit 04c55383fa5689357bcdd2c8036725a55ed632bc upstream.
+
+In the event of a failure in tcf_change_indev(), u32_set_parms() will
+immediately return without decrementing the recently incremented
+reference counter.  If this happens enough times, the counter will
+rollover and the reference freed, leading to a double free which can be
+used to do 'bad things'.
+
+In order to prevent this, move the point of possible failure above the
+point where the reference counter is incremented.  Also save any
+meaningful return values to be applied to the return data at the
+appropriate point in time.
+
+This issue was caught with KASAN.
+
+Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Rishabh Bhatnagar <risbhat@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_u32.c |   20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -778,11 +778,22 @@ static int u32_set_parms(struct net *net
+                        struct netlink_ext_ack *extack)
+ {
+       int err;
++#ifdef CONFIG_NET_CLS_IND
++      int ifindex = -1;
++#endif
+       err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr, extack);
+       if (err < 0)
+               return err;
++#ifdef CONFIG_NET_CLS_IND
++      if (tb[TCA_U32_INDEV]) {
++              ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
++              if (ifindex < 0)
++                      return -EINVAL;
++      }
++#endif
++
+       if (tb[TCA_U32_LINK]) {
+               u32 handle = nla_get_u32(tb[TCA_U32_LINK]);
+               struct tc_u_hnode *ht_down = NULL, *ht_old;
+@@ -814,13 +825,8 @@ static int u32_set_parms(struct net *net
+       }
+ #ifdef CONFIG_NET_CLS_IND
+-      if (tb[TCA_U32_INDEV]) {
+-              int ret;
+-              ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
+-              if (ret < 0)
+-                      return -EINVAL;
+-              n->ifindex = ret;
+-      }
++      if (ifindex >= 0)
++              n->ifindex = ifindex;
+ #endif
+       return 0;
+ }
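Review bot: The relocated `tcf_change_indev()` block in u32_set_parms() has no comment saying that its position is what fixes the leak, so a later reorder or a new failing return below it could bring the reference-counter leak back. Per the commit message the counter is incremented further down, presumably in the `TCA_U32_LINK` branch, but that increment sits in the lines elided between the two inner hunks and the function starts before the hunk, so this cannot be checked here. I would add above the new `#ifdef CONFIG_NET_CLS_IND` block: `/* Resolve indev first: no failing return is allowed once the reference is taken in the TCA_U32_LINK branch below. */`. The `return -EINVAL` still discards the value returned by the helper, which matches the removed lines and is reasonable to keep unchanged for a stable backport.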
index aebba10a4df5812958d24b682fa0196bedee5caa..fbaa372607e7d5ea0a6b9065878b4ecc649f213e 100644 (file)
@@ -283,3 +283,4 @@ drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
 net-sched-cls_fw-fix-improper-refcount-update-leads-to-use-after-free.patch
 net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
 asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch
+net-sched-cls_u32-fix-reference-counter-leak-leading-to-overflow.patch