From: Greg Kroah-Hartman
Date: Thu, 29 Oct 2020 11:34:17 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.19.154~27
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0702dce5b6788a0d7ff92c8da574a6949d314891;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
netfilter-nftables_offload-kasan-slab-out-of-bounds-read-in-nft_flow_rule_create.patch
objtool-support-clang-non-section-symbols-in-orc-generation.patch
socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch
---

diff --git a/queue-5.4/netfilter-nftables_offload-kasan-slab-out-of-bounds-read-in-nft_flow_rule_create.patch b/queue-5.4/netfilter-nftables_offload-kasan-slab-out-of-bounds-read-in-nft_flow_rule_create.patch
new file mode 100644
index 00000000000..5c28d4f347d
--- /dev/null
+++ b/queue-5.4/netfilter-nftables_offload-kasan-slab-out-of-bounds-read-in-nft_flow_rule_create.patch
@@ -0,0 +1,95 @@
+From 31cc578ae2de19c748af06d859019dced68e325d Mon Sep 17 00:00:00 2001
+From: Saeed Mirzamohammadi
+Date: Tue, 20 Oct 2020 13:41:36 +0200
+Subject: netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create
+
+From: Saeed Mirzamohammadi
+
+commit 31cc578ae2de19c748af06d859019dced68e325d upstream.
+
+This patch fixes the issue due to:
+
+BUG: KASAN: slab-out-of-bounds in nft_flow_rule_create+0x622/0x6a2
+net/netfilter/nf_tables_offload.c:40
+Read of size 8 at addr ffff888103910b58 by task syz-executor227/16244
+
+The error happens when expr->ops is accessed early on before performing the boundary check and after nft_expr_next() moves the expr to go out-of-bounds.
+
+This patch checks the boundary condition before expr->ops that fixes the slab-out-of-bounds Read issue.
+
+Add nft_expr_more() and use it to fix this problem.
+
+Signed-off-by: Saeed Mirzamohammadi
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/netfilter/nf_tables.h | 6 ++++++
+ net/netfilter/nf_tables_api.c | 6 +++---
+ net/netfilter/nf_tables_offload.c | 4 ++--
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -872,6 +872,12 @@ static inline struct nft_expr *nft_expr_
+ return (struct nft_expr *)&rule->data[rule->dlen];
+ }
+
++static inline bool nft_expr_more(const struct nft_rule *rule,
++ const struct nft_expr *expr)
++{
++ return expr != nft_expr_last(rule) && expr->ops;
++}
++
+ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
+ {
+ return (void *)&rule->data[rule->dlen];
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -254,7 +254,7 @@ static void nft_rule_expr_activate(const
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->activate)
+ expr->ops->activate(ctx, expr);
+
+@@ -269,7 +269,7 @@ static void nft_rule_expr_deactivate(con
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->deactivate)
+ expr->ops->deactivate(ctx, expr, phase);
+
+@@ -2642,7 +2642,7 @@ static void nf_tables_rule_destroy(const
+ * is called on error from nf_tables_newrule().
+ */
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ next = nft_expr_next(expr);
+ nf_tables_expr_destroy(ctx, expr);
+ expr = next;
+--- a/net/netfilter/nf_tables_offload.c
++++ b/net/netfilter/nf_tables_offload.c
+@@ -37,7 +37,7 @@ struct nft_flow_rule *nft_flow_rule_crea
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
+ num_actions++;
+
+@@ -61,7 +61,7 @@ struct nft_flow_rule *nft_flow_rule_crea
+ ctx->net = net;
+ ctx->dep.type = NFT_OFFLOAD_DEP_UNSPEC;
+
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (nft_expr_more(rule, expr)) {
+ if (!expr->ops->offload) {
+ err = -EOPNOTSUPP;
+ goto err_out;
diff --git a/queue-5.4/objtool-support-clang-non-section-symbols-in-orc-generation.patch b/queue-5.4/objtool-support-clang-non-section-symbols-in-orc-generation.patch
new file mode 100644
index 00000000000..a48c49f77f8
--- /dev/null
+++ b/queue-5.4/objtool-support-clang-non-section-symbols-in-orc-generation.patch
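Review bot: `nft_expr_more()` in the nf_tables.h hunk is only safe because `expr != nft_expr_last(rule)` is evaluated before `expr->ops`; the two nf_tables_offload.c loops it replaces had the operands the other way round, which is exactly the out-of-bounds read this patch fixes, yet nothing in the helper records that the order matters. A one-line comment above the helper would keep a later refactor from swapping them back, e.g. `/* Bounds check first: expr->ops must not be read once expr reaches nft_expr_last(). */`. The hunk shows only the tail of `nft_expr_last()`, and the nf_tables_api.c and nf_tables_offload.c loops continue outside their hunks.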
@@ -0,0 +1,92 @@
+From e81e0724432542af8d8c702c31e9d82f57b1ff31 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf
+Date: Wed, 1 Apr 2020 13:23:27 -0500
+Subject: objtool: Support Clang non-section symbols in ORC generation
+
+From: Josh Poimboeuf
+
+commit e81e0724432542af8d8c702c31e9d82f57b1ff31 upstream.
+
+When compiling the kernel with AS=clang, objtool produces a lot of
+warnings:
+
+ warning: objtool: missing symbol for section .text
+ warning: objtool: missing symbol for section .init.text
+ warning: objtool: missing symbol for section .ref.text
+
+It then fails to generate the ORC table.
+
+The problem is that objtool assumes text section symbols always exist.
+But the Clang assembler is aggressive about removing them.
+
+When generating relocations for the ORC table, objtool always tries to
+reference instructions by their section symbol offset. If the section
+symbol doesn't exist, it bails.
+
+Do a fallback: when a section symbol isn't available, reference a
+function symbol instead.
+
+Reported-by: Dmitry Golovin
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Borislav Petkov
+Tested-by: Nathan Chancellor
+Reviewed-by: Miroslav Benes
+Acked-by: Peter Zijlstra (Intel)
+Link: https://github.com/ClangBuiltLinux/linux/issues/669
+Link: https://lkml.kernel.org/r/9a9cae7fcf628843aabe5a086b1a3c5bf50f42e8.1585761021.git.jpoimboe@redhat.com
+Cc: Nick Desaulniers
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/objtool/orc_gen.c | 33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+--- a/tools/objtool/orc_gen.c
++++ b/tools/objtool/orc_gen.c
+@@ -88,11 +88,6 @@ static int create_orc_entry(struct secti
+ struct orc_entry *orc;
+ struct rela *rela;
+
+- if (!insn_sec->sym) {
+- WARN("missing symbol for section %s", insn_sec->name);
+- return -1;
+- }
+-
+ /* populate ORC data */
+ orc = (struct orc_entry *)u_sec->data->d_buf + idx;
+ memcpy(orc, o, sizeof(*orc));
+@@ -105,8 +100,32 @@ static int create_orc_entry(struct secti
+ }
+ memset(rela, 0, sizeof(*rela));
+
+- rela->sym = insn_sec->sym;
+- rela->addend = insn_off;
++ if (insn_sec->sym) {
++ rela->sym = insn_sec->sym;
++ rela->addend = insn_off;
++ } else {
++ /*
++ * The Clang assembler doesn't produce section symbols, so we
++ * have to reference the function symbol instead:
++ */
++ rela->sym = find_symbol_containing(insn_sec, insn_off);
++ if (!rela->sym) {
++ /*
++ * Hack alert. This happens when we need to reference
++ * the NOP pad insn immediately after the function.
++ */
++ rela->sym = find_symbol_containing(insn_sec,
++ insn_off - 1);
++ }
++ if (!rela->sym) {
++ WARN("missing symbol for insn at offset 0x%lx\n",
++ insn_off);
++ return -1;
++ }
++
++ rela->addend = insn_off - rela->sym->offset;
++ }
++
+ rela->type = R_X86_64_PC32;
+ rela->offset = idx * sizeof(int);
+
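Review bot: The new `WARN("missing symbol for insn at offset 0x%lx\n", insn_off);` in the orc_gen.c hunk carries a trailing `\n` that the removed `WARN("missing symbol for section %s", insn_sec->name);` did not; if objtool's WARN macro appends its own newline, which the removed call relied on, this prints an extra blank line, so the `\n` should be dropped for consistency. The `insn_off - 1` fallback also wraps when `insn_off` is 0 (the `%lx` format implies an unsigned type); presumably `find_symbol_containing()` then returns NULL and the warning fires, but guarding it with `if (!rela->sym && insn_off) {` makes that intent explicit rather than relying on the lookup rejecting a wrapped offset. `create_orc_entry()` begins and ends outside the hunks shown.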
diff --git a/queue-5.4/socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch b/queue-5.4/socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch
new file mode 100644
index 00000000000..0093e591615
--- /dev/null
+++ b/queue-5.4/socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch
@@ -0,0 +1,46 @@
+From 4e3bbb33e6f36e4b05be1b1b9b02e3dd5aaa3e69 Mon Sep 17 00:00:00 2001
+From: Christian Eggers
+Date: Mon, 12 Oct 2020 11:35:42 +0200
+Subject: socket: don't clear SOCK_TSTAMP_NEW when SO_TIMESTAMPNS is disabled
+
+From: Christian Eggers
+
+commit 4e3bbb33e6f36e4b05be1b1b9b02e3dd5aaa3e69 upstream.
+
+SOCK_TSTAMP_NEW (timespec64 instead of timespec) is also used for
+hardware time stamps (configured via SO_TIMESTAMPING_NEW).
+
+User space (ptp4l) first configures hardware time stamping via
+SO_TIMESTAMPING_NEW which sets SOCK_TSTAMP_NEW. In the next step, ptp4l
+disables SO_TIMESTAMPNS(_NEW) (software time stamps), but this must not
+switch hardware time stamps back to "32 bit mode".
+
+This problem happens on 32 bit platforms were the libc has already
+switched to struct timespec64 (from SO_TIMExxx_OLD to SO_TIMExxx_NEW
+socket options). ptp4l complains with "missing timestamp on transmitted
+peer delay request" because the wrong format is received (and
+discarded).
+
+Fixes: 887feae36aee ("socket: Add SO_TIMESTAMP[NS]_NEW")
+Fixes: 783da70e8396 ("net: add sock_enable_timestamps")
+Signed-off-by: Christian Eggers
+Acked-by: Willem de Bruijn
+Acked-by: Deepa Dinamani
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/core/sock.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -923,7 +923,6 @@ set_rcvbuf:
+ } else {
+ sock_reset_flag(sk, SOCK_RCVTSTAMP);
+ sock_reset_flag(sk, SOCK_RCVTSTAMPNS);
+- sock_reset_flag(sk, SOCK_TSTAMP_NEW);
+ }
+ break;
+