--- /dev/null
+From e27326009a3d247b831eda38878c777f6f4eb3d1 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 27 Jul 2022 18:22:20 -0700
+Subject: net: ping6: Fix memleak in ipv6_renew_options().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream.
+
+When we close ping6 sockets, some resources are left unfreed because
+pingv6_prot is missing sk->sk_prot->destroy(). As reported by
+syzbot [0], just three syscalls leak 96 bytes and easily cause OOM.
+
+ struct ipv6_sr_hdr *hdr;
+ char data[24] = {0};
+ int fd;
+
+ hdr = (struct ipv6_sr_hdr *)data;
+ hdr->hdrlen = 2;
+ hdr->type = IPV6_SRCRT_TYPE_4;
+
+ fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP);
+ setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24);
+ close(fd);
+
+To fix memory leaks, let's add a destroy function.
+
+Note the socket() syscall checks if the GID is within the range of
+net.ipv4.ping_group_range. The default value is [1, 0] so that no
+GID meets the condition (1 <= GID <= 0). Thus, the local DoS does
+not succeed until we change the default value. However, at least
+Ubuntu/Fedora/RHEL loosen it.
+
+ $ cat /usr/lib/sysctl.d/50-default.conf
+ ...
+ -net.ipv4.ping_group_range = 0 2147483647
+
+Also, there could be another path reported with these options, and
+some of them require CAP_NET_RAW.
+
+ setsockopt
+ IPV6_ADDRFORM (inet6_sk(sk)->pktoptions)
+ IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu)
+ IPV6_HOPOPTS (inet6_sk(sk)->opt)
+ IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt)
+ IPV6_RTHDR (inet6_sk(sk)->opt)
+ IPV6_DSTOPTS (inet6_sk(sk)->opt)
+ IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt)
+
+ getsockopt
+ IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list)
+
+For the record, I left a different splat with syzbot's one.
+
+ unreferenced object 0xffff888006270c60 (size 96):
+ comm "repro2", pid 231, jiffies 4294696626 (age 13.118s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D...........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554)
+ [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715)
+ [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024)
+ [<000000007096a025>] __sys_setsockopt (net/socket.c:2254)
+ [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262)
+ [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+ [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+
+[0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176
+
+Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com
+Reported-by: Ayushman Dutta <ayudutta@amazon.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ping.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -27,6 +27,11 @@
+ #include <linux/proc_fs.h>
+ #include <net/ping.h>
+
++static void ping_v6_destroy(struct sock *sk)
++{
++ inet6_destroy_sock(sk);
++}
++
+ /* Compatibility glue so we can support IPv6 when it's compiled as a module */
+ static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len,
+ int *addr_len)
+@@ -170,6 +175,7 @@ struct proto pingv6_prot = {
+ .owner = THIS_MODULE,
+ .init = ping_init_sock,
+ .close = ping_close,
++ .destroy = ping_v6_destroy,
+ .connect = ip6_datagram_connect_v6_only,
+ .disconnect = __udp_disconnect,
+ .setsockopt = ipv6_setsockopt,
--- /dev/null
+From a3435afba87dc6cd83f5595e7607f3c40f93ef01 Mon Sep 17 00:00:00 2001
+From: Liang He <windhl@126.com>
+Date: Tue, 19 Jul 2022 15:15:29 +0800
+Subject: scsi: ufs: host: Hold reference returned by of_parse_phandle()
+
+From: Liang He <windhl@126.com>
+
+commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream.
+
+In ufshcd_populate_vreg(), we should hold the reference returned by
+of_parse_phandle() and then use it to call of_node_put() for refcount
+balance.
+
+Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com
+Fixes: aa4976130934 ("ufs: Add regulator enable support")
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd-pltfrm.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
+@@ -124,9 +124,20 @@ out:
+ return ret;
+ }
+
++static bool phandle_exists(const struct device_node *np,
++ const char *phandle_name, int index)
++{
++ struct device_node *parse_np = of_parse_phandle(np, phandle_name, index);
++
++ if (parse_np)
++ of_node_put(parse_np);
++
++ return parse_np != NULL;
++}
++
+ #define MAX_PROP_SIZE 32
+ static int ufshcd_populate_vreg(struct device *dev, const char *name,
+- struct ufs_vreg **out_vreg)
++ struct ufs_vreg **out_vreg)
+ {
+ int ret = 0;
+ char prop_name[MAX_PROP_SIZE];
+@@ -139,7 +150,7 @@ static int ufshcd_populate_vreg(struct d
+ }
+
+ snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name);
+- if (!of_parse_phandle(np, prop_name, 0)) {
++ if (!phandle_exists(np, prop_name, 0)) {
+ dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n",
+ __func__, prop_name);
+ goto out;
--- /dev/null
+From db3815a2fa691da145cfbe834584f31ad75df9ff Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 20 Jul 2022 09:50:21 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit db3815a2fa691da145cfbe834584f31ad75df9ff upstream.
+
+While reading sysctl_tcp_challenge_ack_limit, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3468,7 +3468,7 @@ static void tcp_send_challenge_ack(struc
+ /* Then check host-wide RFC 5961 rate limit. */
+ now = jiffies / HZ;
+ if (now != challenge_timestamp) {
+- u32 ack_limit = net->ipv4.sysctl_tcp_challenge_ack_limit;
++ u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit);
+ u32 half = (ack_limit + 1) >> 1;
+
+ challenge_timestamp = now;
projects / thirdparty / kernel / stable-queue.git / commitdiff
