From: Greg Kroah-Hartman
Date: Sun, 16 Jul 2023 15:17:51 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.39~52
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2599960ec400123f9f7937e9e50ebbae466d2612;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
ovl-fix-null-pointer-dereference-in-ovl_permission.patch
---
diff --git a/queue-6.1/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch b/queue-6.1/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
new file mode 100644
index 00000000000..43c285bfcc9
--- /dev/null
+++ b/queue-6.1/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
@@ -0,0 +1,30 @@
+From 3e70489721b6c870252c9082c496703677240f53 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 26 Jun 2023 00:42:18 +0200
+Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails
+
+From: Pablo Neira Ayuso
+
+commit 3e70489721b6c870252c9082c496703677240f53 upstream.
+
+Otherwise a dangling reference to a rule object that is gone remains
+in the set binding list.
+
+Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5139,6 +5139,8 @@ void nf_tables_deactivate_set(const stru
+ nft_set_trans_unbind(ctx, set);
+ if (nft_set_is_anonymous(set))
+ nft_deactivate_next(ctx->net, set);
++ else
++ list_del_rcu(&binding->list);
+
+ set->use--;
+ break;
diff --git a/queue-6.1/ovl-fix-null-pointer-dereference-in-ovl_permission.patch b/queue-6.1/ovl-fix-null-pointer-dereference-in-ovl_permission.patch
new file mode 100644
index 00000000000..dd10815770d
--- /dev/null
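Review bot: The new `else` branch unlinks `binding->list` with `list_del_rcu()` but says nothing about why a non-anonymous set is merely unbound while an anonymous one is deactivated, and a reader has to reconstruct from the commit message that the binding is owned by the rule being torn down and would otherwise be left dangling in the set's binding list once the rule is freed — presumably a use-after-free window on the next traversal. A one-line comment above the `else` would carry that, e.g. `/* named set outlives the failed rule: unlink its binding so the list never points at freed memory */`. The body of `nf_tables_deactivate_set()`, including the case label this `break` belongs to, lies outside the hunk, so whether the same unlink is needed in the function's other phases cannot be judged here. A regression test that builds a rule referencing a named set and forces rule construction to fail would pin the fix in the stable tree.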
+++ b/queue-6.1/ovl-fix-null-pointer-dereference-in-ovl_permission.patch 
@@ -0,0 +1,82 @@
+From 1a73f5b8f079fd42a544c1600beface50c63af7c Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng
+Date: Tue, 16 May 2023 22:16:18 +0800
+Subject: ovl: fix null pointer dereference in ovl_permission()
+
+From: Zhihao Cheng
+
+commit 1a73f5b8f079fd42a544c1600beface50c63af7c upstream.
+
+Following process:
+ P1 P2
+ path_lookupat
+ link_path_walk
+ inode_permission
+ ovl_permission
+ ovl_i_path_real(inode, &realpath)
+ path->dentry = ovl_i_dentry_upper(inode)
+ drop_cache
+ __dentry_kill(ovl_dentry)
+ iput(ovl_inode)
+ ovl_destroy_inode(ovl_inode)
+ dput(oi->__upperdentry)
+ dentry_kill(upperdentry)
+ dentry_unlink_inode
+ upperdentry->d_inode = NULL
+ realinode = d_inode(realpath.dentry) // return NULL
+ inode_permission(realinode)
+ inode->i_sb // NULL pointer dereference
+, will trigger an null pointer dereference at realinode:
+ [ 335.664979] BUG: kernel NULL pointer dereference,
+ address: 0000000000000002
+ [ 335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0
+ [ 335.669956] RIP: 0010:inode_permission+0x33/0x2c0
+ [ 335.678939] Call Trace:
+ [ 335.679165]
+ [ 335.679371] ovl_permission+0xde/0x320
+ [ 335.679723] inode_permission+0x15e/0x2c0
+ [ 335.680090] link_path_walk+0x115/0x550
+ [ 335.680771] path_lookupat.isra.0+0xb2/0x200
+ [ 335.681170] filename_lookup+0xda/0x240
+ [ 335.681922] vfs_statx+0xa6/0x1f0
+ [ 335.682233] vfs_fstatat+0x7b/0xb0
+
+Fetch a reproducer in [Link].
+
+Use the helper ovl_i_path_realinode() to get realinode and then do
+non-nullptr checking.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217405
+Fixes: 4b7791b2e958 ("ovl: handle idmappings in ovl_permission()")
+Cc: # v5.19
+Signed-off-by: Zhihao Cheng
+Suggested-by: Christian Brauner
+Suggested-by: Amir Goldstein
+Signed-off-by: Amir Goldstein
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/overlayfs/inode.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -286,8 +286,8 @@ int ovl_permission(struct user_namespace
+ int err;
+
+ /* Careful in RCU walk mode */
+- ovl_i_path_real(inode, &realpath);
+- if (!realpath.dentry) {
++ realinode = ovl_i_path_real(inode, &realpath);
++ if (!realinode) {
+ WARN_ON(!(mask & MAY_NOT_BLOCK));
+ return -ECHILD;
+ }
+@@ -300,7 +300,6 @@ int ovl_permission(struct user_namespace
+ if (err)
+ return err;
+
+- realinode = d_inode(realpath.dentry);
+ old_cred = ovl_override_creds(inode->i_sb);
+ if (!upperinode &&
+ !special_file(realinode->i_mode) && mask & MAY_WRITE) {
diff --git a/queue-6.1/series b/queue-6.1/series
index 9ca21c4083e..044cd1ef274 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -592,3 +592,5 @@ drm-i915-fix-typec-mode-initialization-during-system-resume.patch
 drm-i915-tc-fix-tc-port-link-ref-init-for-dp-mst-during-hw-readout.patch
 drm-i915-tc-fix-system-resume-mst-mode-restore-for-dp-alt-sinks.patch
 mtd-parsers-refer-to-arch_bcmbca-instead-of-arch_bcm4908.patch
+ovl-fix-null-pointer-dereference-in-ovl_permission.patch
+netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
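Review bot: The new line `realinode = ovl_i_path_real(inode, &realpath);` uses the helper's return value, so this backport only builds if the 6.1 tree's `ovl_i_path_real()` already returns the real inode rather than `void`; that prerequisite is not part of this patch and presumably has to sit earlier in the queue, which is worth confirming before the release. The commit message instead names `ovl_i_path_realinode()`, a helper the code never calls, so either the message or the call should be brought into agreement to spare the next backporter a search for a non-existent function. The existing `/* Careful in RCU walk mode */` comment now guards a different test; extending it to `/* Careful in RCU walk mode: the real dentry may lose its inode concurrently, -ECHILD makes the VFS retry in ref-walk */` would record why `!realinode` rather than `!realpath.dentry` is the right check and why the later `realinode->i_mode` dereference is now safe. `ovl_permission()` starts before and continues after both hunks, so the remaining uses of `realpath` cannot be reviewed here.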