Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Sun, 3 Dec 2023 20:07:06 +0000 (15:07 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 3 Dec 2023 20:07:06 +0000 (15:07 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch [new file with mode: 0644]
queue-4.14/net-ravb-start-tx-queues-after-hw-initialization-suc.patch [new file with mode: 0644]
queue-4.14/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch b/queue-4.14/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch
new file mode 100644 (file)
index 0000000..e0eca11
--- /dev/null
@@ -0,0 +1,114 @@
+From e00d91b846b5824e69f9e1925442584074baf965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 15:13:14 +0800
+Subject: ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]
+
+When I perform the following test operations:
+1.ip link add br0 type bridge
+2.brctl addif br0 eth0
+3.ip addr add 239.0.0.1/32 dev eth0
+4.ip addr add 239.0.0.1/32 dev br0
+5.ip addr add 224.0.0.1/32 dev br0
+6.while ((1))
+    do
+        ifconfig br0 up
+        ifconfig br0 down
+    done
+7.send IGMPv2 query packets to port eth0 continuously. For example,
+./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
+1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"
+
+The preceding tests may trigger the refcnt uaf issue of the mc list. The
+stack is as follows:
+       refcount_t: addition on 0; use-after-free.
+       WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
+       CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
+       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+       RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
+       RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
+       RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
+       RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
+       RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
+       R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
+       R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
+       FS:  0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
+       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+       CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
+       Call Trace:
+       <TASK>
+       igmp_heard_query (net/ipv4/igmp.c:1068)
+       igmp_rcv (net/ipv4/igmp.c:1132)
+       ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
+       ip_local_deliver_finish (net/ipv4/ip_input.c:234)
+       __netif_receive_skb_one_core (net/core/dev.c:5529)
+       netif_receive_skb_internal (net/core/dev.c:5729)
+       netif_receive_skb (net/core/dev.c:5788)
+       br_handle_frame_finish (net/bridge/br_input.c:216)
+       nf_hook_bridge_pre (net/bridge/br_input.c:294)
+       __netif_receive_skb_core (net/core/dev.c:5423)
+       __netif_receive_skb_list_core (net/core/dev.c:5606)
+       __netif_receive_skb_list (net/core/dev.c:5674)
+       netif_receive_skb_list_internal (net/core/dev.c:5764)
+       napi_gro_receive (net/core/gro.c:609)
+       e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
+       e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
+       __napi_poll (net/core/dev.c:6533)
+       net_rx_action (net/core/dev.c:6735)
+       __do_softirq (kernel/softirq.c:554)
+       run_ksoftirqd (kernel/softirq.c:913)
+       smpboot_thread_fn (kernel/smpboot.c:164)
+       kthread (kernel/kthread.c:388)
+       ret_from_fork (arch/x86/kernel/process.c:153)
+       ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
+       </TASK>
+
+The root causes are as follows:
+Thread A                                       Thread B
+...                                            netif_receive_skb
+br_dev_stop                                    ...
+    br_multicast_leave_snoopers                        ...
+        __ip_mc_dec_group                      ...
+            __igmp_group_dropped               igmp_rcv
+                igmp_stop_timer                            igmp_heard_query         //ref = 1
+                ip_ma_put                              igmp_mod_timer
+                    refcount_dec_and_test                  igmp_start_timer //ref = 0
+                       ...                                     refcount_inc //ref increases from 0
+When the device receives an IGMPv2 Query message, it starts the timer
+immediately, regardless of whether the device is running. If the device is
+down and has left the multicast group, it will cause the mc list refcount
+uaf issue.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index bdc232f6f27c8..42c7b412da2ac 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -224,8 +224,10 @@ static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
+       int tv = prandom_u32() % max_delay;
+       im->tm_running = 1;
+-      if (!mod_timer(&im->timer, jiffies+tv+2))
+-              refcount_inc(&im->refcnt);
++      if (refcount_inc_not_zero(&im->refcnt)) {
++              if (mod_timer(&im->timer, jiffies + tv + 2))
++                      ip_ma_put(im);
++      }
+ }
+ static void igmp_gq_start_timer(struct in_device *in_dev)
+-- 
+2.42.0
+
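Review bot: The new igmp_start_timer() body in this patch (nested hunk at net/ipv4/igmp.c:224) uses mod_timer()'s return value in the opposite sense from the removed lines, and nothing in the code says why: mod_timer() returns non-zero when the timer was already pending, in which case that pending timer already owns a reference and the one just taken by refcount_inc_not_zero() has to be dropped again, hence the ip_ma_put(). A one-line comment above the inner `if` would keep the next reader from mistaking this for a double put: `/* timer already pending and holds its own ref: drop the one taken above */`. Note also that `im->tm_running = 1;` is still set before the refcount check, so a group whose count has already reached zero is marked running without a timer being armed; this matches the upstream commit cited in the message, so it is a backport-fidelity observation rather than a defect. The blank lines of the nested diff appear to have been dropped by the rendering, so the inner hunk's line counts cannot be checked here.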
diff --git a/queue-4.14/net-ravb-start-tx-queues-after-hw-initialization-suc.patch b/queue-4.14/net-ravb-start-tx-queues-after-hw-initialization-suc.patch
new file mode 100644 (file)
index 0000000..de09ae7
--- /dev/null
@@ -0,0 +1,46 @@
+From 86ac4e5fe3bd507d355d9581d990e9f78427494c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 10:04:37 +0200
+Subject: net: ravb: Start TX queues after HW initialization succeeded
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 6f32c086602050fc11157adeafaa1c1eb393f0af ]
+
+ravb_phy_start() may fail. If that happens, the TX queues will remain
+started. Thus, move the netif_tx_start_all_queues() after PHY is
+successfully initialized.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 4db3495ef3370..b97d450214dfd 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1429,13 +1429,13 @@ static int ravb_open(struct net_device *ndev)
+       if (priv->chip_id == RCAR_GEN2)
+               ravb_ptp_init(ndev, priv->pdev);
+-      netif_tx_start_all_queues(ndev);
+-
+       /* PHY control start */
+       error = ravb_phy_start(ndev);
+       if (error)
+               goto out_ptp_stop;
++      netif_tx_start_all_queues(ndev);
++
+       return 0;
+ out_ptp_stop:
+-- 
+2.42.0
+
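Review bot: The relocated netif_tx_start_all_queues() call in ravb_open() (nested hunk at ravb_main.c:1429) carries no comment explaining why it now sits after ravb_phy_start(), and the commit message's reasoning will not be visible in the source. A short comment would preserve it: `/* Expose TX queues only once the PHY is up; ravb_phy_start() can fail */`. The out_ptp_stop error path continues outside the hunk, so whether it still stops queues that are now never started on that path cannot be checked here; it would be harmless either way, since the queues are not exposed before the PHY succeeds.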
diff --git a/queue-4.14/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch b/queue-4.14/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch
new file mode 100644 (file)
index 0000000..632c012
--- /dev/null
@@ -0,0 +1,79 @@
+From ebcaaba16eea0308f446d7bf5498d314ba8b87d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 21:24:20 +0900
+Subject: ravb: Fix races between ravb_tx_timeout_work() and net related ops
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 9870257a0a338cd8d6c1cddab74e703f490f6779 ]
+
+Fix races between ravb_tx_timeout_work() and functions of net_device_ops
+and ethtool_ops by using rtnl_trylock() and rtnl_unlock(). Note that
+since ravb_close() is under the rtnl lock and calls cancel_work_sync(),
+ravb_tx_timeout_work() should calls rtnl_trylock(). Otherwise, a deadlock
+may happen in ravb_tx_timeout_work() like below:
+
+CPU0                   CPU1
+                       ravb_tx_timeout()
+                       schedule_work()
+...
+__dev_close_many()
+// Under rtnl lock
+ravb_close()
+cancel_work_sync()
+// Waiting
+                       ravb_tx_timeout_work()
+                       rtnl_lock()
+                       // This is possible to cause a deadlock
+
+If rtnl_trylock() fails, rescheduling the work with sleep for 1 msec.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20231127122420.3706751-1-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 4acea1ab60008..4db3495ef3370 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1484,6 +1484,12 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+       struct net_device *ndev = priv->ndev;
+       int error;
++      if (!rtnl_trylock()) {
++              usleep_range(1000, 2000);
++              schedule_work(&priv->work);
++              return;
++      }
++
+       netif_tx_stop_all_queues(ndev);
+       /* Stop PTP Clock driver */
+@@ -1516,7 +1522,7 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+                */
+               netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n",
+                          __func__, error);
+-              return;
++              goto out_unlock;
+       }
+       ravb_emac_init(ndev);
+@@ -1526,6 +1532,9 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+               ravb_ptp_init(ndev, priv->pdev);
+       netif_tx_start_all_queues(ndev);
++
++out_unlock:
++      rtnl_unlock();
+ }
+ /* Packet transmit function for Ethernet AVB */
+-- 
+2.42.0
+
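Review bot: The rtnl_trylock() fallback at the top of ravb_tx_timeout_work() (nested hunk at ravb_main.c:1484) re-queues the work with no comment on why a trylock is used or what bounds the retry, which the commit message explains but the code does not. The explanation belongs next to the code, e.g. `/* rtnl may be held by ravb_close(), which waits in cancel_work_sync(); a blocking rtnl_lock() would deadlock. Back off and retry; cancel_work_sync() suppresses the re-queue. */` (the claim that cancel_work_sync() blocks a self re-queue should be confirmed against the workqueue implementation in this tree). The `goto out_unlock` on the ravb_dmac_init() failure path leaves the queues stopped by the earlier netif_tx_stop_all_queues(), as the removed `return` did; that is unchanged behaviour but worth stating in the existing comment block above the netdev_err(), which starts outside the hunk. ravb_tx_timeout_work() begins before the first nested hunk, so the derivation of priv from work (and that priv->work is this work item) is not visible here.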
index c8dd30202948ffa05c8f6a662e0ef128fbe5e23b..9ff4c35353f66595067f4285038def3504e75eae 100644 (file)
@@ -24,3 +24,6 @@ dm-verity-don-t-perform-fec-for-failed-readahead-io.patch
 powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
 btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
 btrfs-send-ensure-send_fd-is-writable.patch
+ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch
+ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch
+net-ravb-start-tx-queues-after-hw-initialization-suc.patch