From: Greg Kroah-Hartman Date: Thu, 7 Sep 2023 11:30:49 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.1.53~141 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=283104c54b442038769bb4303c106c43b5b31400;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: net-avoid-address-overwrite-in-kernel_connect.patch of-kexec-mark-ima_-free-stable-_kexec_buffer-as-__init.patch --- diff --git a/queue-5.15/net-avoid-address-overwrite-in-kernel_connect.patch b/queue-5.15/net-avoid-address-overwrite-in-kernel_connect.patch new file mode 100644 index 00000000000..05175d2339a --- /dev/null +++ b/queue-5.15/net-avoid-address-overwrite-in-kernel_connect.patch 
@@ -0,0 +1,51 @@ +From 0bdf399342c5acbd817c9098b6c7ed21f1974312 Mon Sep 17 00:00:00 2001 +From: Jordan Rife +Date: Mon, 21 Aug 2023 16:45:23 -0500 +Subject: net: Avoid address overwrite in kernel_connect + +From: Jordan Rife + +commit 0bdf399342c5acbd817c9098b6c7ed21f1974312 upstream. + +BPF programs that run on connect can rewrite the connect address. For +the connect system call this isn't a problem, because a copy of the address +is made when it is moved into kernel space. However, kernel_connect +simply passes through the address it is given, so the caller may observe +its address value unexpectedly change. + +A practical example where this is problematic is where NFS is combined +with a system such as Cilium which implements BPF-based load balancing. +A common pattern in software-defined storage systems is to have an NFS +mount that connects to a persistent virtual IP which in turn maps to an +ephemeral server IP. This is usually done to achieve high availability: +if your server goes down you can quickly spin up a replacement and remap +the virtual IP to that endpoint. With BPF-based load balancing, mounts +will forget the virtual IP address when the address rewrite occurs +because a pointer to the only copy of that address is passed down the +stack. Server failover then breaks, because clients have forgotten the +virtual IP address. Reconnects fail and mounts remain broken. This patch +was tested by setting up a scenario like this and ensuring that NFS +reconnects worked after applying the patch. + +Signed-off-by: Jordan Rife +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -3453,7 +3453,11 @@ EXPORT_SYMBOL(kernel_accept); + int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen, + int flags) + { +- return sock->ops->connect(sock, addr, addrlen, flags); ++ struct sockaddr_storage address; ++ ++ memcpy(&address, addr, addrlen); ++ ++ return sock->ops->connect(sock, (struct sockaddr *)&address, addrlen, flags); + } + EXPORT_SYMBOL(kernel_connect); + diff --git a/queue-5.15/of-kexec-mark-ima_-free-stable-_kexec_buffer-as-__init.patch b/queue-5.15/of-kexec-mark-ima_-free-stable-_kexec_buffer-as-__init.patch new file mode 100644 index 00000000000..392f16aab37 --- /dev/null +++ b/queue-5.15/of-kexec-mark-ima_-free-stable-_kexec_buffer-as-__init.patch 
@@ -0,0 +1,85 @@ +From nathan@kernel.org Thu Sep 7 12:29:23 2023 +From: Nathan Chancellor +Date: Tue, 05 Sep 2023 13:36:11 -0700 +Subject: of: kexec: Mark ima_{free,stable}_kexec_buffer() as __init +To: gregkh@linuxfoundation.org, sashal@kernel.org +Cc: stable@vger.kernel.org, robh+dt@kernel.org, frowand.list@gmail.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, devicetree@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Nathan Chancellor +Message-ID: <20230905-5-15-of-kexec-modpost-warning-v1-1-4138b2e96b4e@kernel.org> + +From: Nathan Chancellor + +This commit has no direct upstream equivalent. + +After commit d48016d74836 ("mm,ima,kexec,of: use memblock_free_late from +ima_free_kexec_buffer") in 5.15, there is a modpost warning for certain +configurations: + + WARNING: modpost: vmlinux.o(.text+0xb14064): Section mismatch in reference from the function ima_free_kexec_buffer() to the function .init.text:__memblock_free_late() + The function ima_free_kexec_buffer() references + the function __init __memblock_free_late(). + This is often because ima_free_kexec_buffer lacks a __init + annotation or the annotation of __memblock_free_late is wrong. + +In mainline, there is no issue because ima_free_kexec_buffer() is marked +as __init, which was done as part of commit b69a2afd5afc ("x86/kexec: +Carry forward IMA measurement log on kexec") in 6.0, which is not +suitable for stable. + +Mark ima_free_kexec_buffer() and its single caller +ima_load_kexec_buffer() as __init in 5.15, as ima_load_kexec_buffer() is +only called from ima_init(), which is __init, clearing up the warning. 
+ +Signed-off-by: Nathan Chancellor +Acked-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/kexec.c | 2 +- + include/linux/of.h | 2 +- + security/integrity/ima/ima.h | 2 +- + security/integrity/ima/ima_kexec.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/of/kexec.c ++++ b/drivers/of/kexec.c +@@ -165,7 +165,7 @@ int ima_get_kexec_buffer(void **addr, si + /** + * ima_free_kexec_buffer - free memory used by the IMA buffer + */ +-int ima_free_kexec_buffer(void) ++int __init ima_free_kexec_buffer(void) + { + int ret; + unsigned long addr; +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -574,7 +574,7 @@ void *of_kexec_alloc_and_setup_fdt(const + unsigned long initrd_len, + const char *cmdline, size_t extra_fdt_size); + int ima_get_kexec_buffer(void **addr, size_t *size); +-int ima_free_kexec_buffer(void); ++int __init ima_free_kexec_buffer(void); + #else /* CONFIG_OF */ + + static inline void of_core_init(void) +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -122,7 +122,7 @@ struct ima_kexec_hdr { + extern const int read_idmap[]; + + #ifdef CONFIG_HAVE_IMA_KEXEC +-void ima_load_kexec_buffer(void); ++void __init ima_load_kexec_buffer(void); + #else + static inline void ima_load_kexec_buffer(void) {} + #endif /* CONFIG_HAVE_IMA_KEXEC */ +--- a/security/integrity/ima/ima_kexec.c ++++ b/security/integrity/ima/ima_kexec.c +@@ -137,7 +137,7 @@ void ima_add_kexec_buffer(struct kimage + /* + * Restore the measurement list from the previous kernel. + */ +-void ima_load_kexec_buffer(void) ++void __init ima_load_kexec_buffer(void) + { + void *kexec_buffer = NULL; + size_t kexec_buffer_size = 0; diff --git a/queue-5.15/series b/queue-5.15/series index 9f594e10b1c..59b93e24e40 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -48,3 +48,5 @@ tracing-introduce-pipe_cpumask-to-avoid-race-on-trac.patch platform-mellanox-fix-mlxbf-tmfifo-not-handling-all-.patch crypto-rsa-pkcs1pad-use-helper-to-set-reqsize.patch arm64-lib-import-latest-version-of-arm-optimized-routines-strncmp.patch +net-avoid-address-overwrite-in-kernel_connect.patch +of-kexec-mark-ima_-free-stable-_kexec_buffer-as-__init.patch
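
Review bot: In the net/socket.c hunk, memcpy(&address, addr, addrlen) copies a caller-supplied length into a fixed-size struct sockaddr_storage on the stack, and nothing in the visible lines checks that addrlen fits. As written, the function relies on every in-kernel caller passing a non-negative length no larger than sizeof(address). A guard before the copy, for example `if (addrlen < 0 || addrlen > sizeof(address)) return -EINVAL;`, would make that contract explicit. A one-line comment above the copy saying that connect-time BPF hooks may rewrite the address would also help, since the reason for the local copy is only recorded in the commit message.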
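
Review bot: The subject of the of/kexec patch names ima_{free,stable}_kexec_buffer(), but its four hunks annotate ima_free_kexec_buffer() and ima_load_kexec_buffer(), and no ima_stable_kexec_buffer() appears anywhere in the diff, so the subject probably should read ima_{free,load}_kexec_buffer(). Separately, in the drivers/of/kexec.c hunk the function stays non-static and is still declared in include/linux/of.h, so the "single caller" guarantee that makes __init safe is stated only in the commit message. Extending the kernel-doc comment ("free memory used by the IMA buffer") to say the function is init-only would keep a later non-init caller from reintroducing the section mismatch.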