From: Greg Kroah-Hartman Date: Fri, 25 Mar 2022 14:04:01 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.9.309~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=33d90468274b01f54ff57bffb435c5ab5d0716b5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: mac80211-fix-potential-double-free-on-mesh-join.patch tpm-use-try_get_ops-in-tpm-space.c.patch --- diff --git a/queue-5.10/mac80211-fix-potential-double-free-on-mesh-join.patch b/queue-5.10/mac80211-fix-potential-double-free-on-mesh-join.patch new file mode 100644 index 00000000000..0038a915ee3 --- /dev/null +++ b/queue-5.10/mac80211-fix-potential-double-free-on-mesh-join.patch 
@@ -0,0 +1,84 @@ +From 4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Thu, 10 Mar 2022 19:35:13 +0100 +Subject: mac80211: fix potential double free on mesh join +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +commit 4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3 upstream. + +While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving +mesh") fixed a memory leak on mesh leave / teardown it introduced a +potential memory corruption caused by a double free when rejoining the +mesh: + + ieee80211_leave_mesh() + -> kfree(sdata->u.mesh.ie); + ... + ieee80211_join_mesh() + -> copy_mesh_setup() + -> old_ie = ifmsh->ie; + -> kfree(old_ie); + +This double free / kernel panics can be reproduced by using wpa_supplicant +with an encrypted mesh (if set up without encryption via "iw" then +ifmsh->ie is always NULL, which avoids this issue). And then calling: + + $ iw dev mesh0 mesh leave + $ iw dev mesh0 mesh join my-mesh + +Note that typically these commands are not used / working when using +wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going +through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join +where the NETDEV_UP resets the mesh.ie to NULL via a memcpy of +default_mesh_setup in cfg80211_netdev_notifier_call, which then avoids +the memory corruption, too. + +The issue was first observed in an application which was not using +wpa_supplicant but "Senf" instead, which implements its own calls to +nl80211. + +Fixing the issue by removing the kfree()'ing of the mesh IE in the mesh +join function and leaving it solely up to the mesh leave to free the +mesh IE. 
+ +Cc: stable@vger.kernel.org +Fixes: 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh") +Reported-by: Matthias Kretschmer +Signed-off-by: Linus Lüssing +Tested-by: Mathias Kretschmer +Link: https://lore.kernel.org/r/20220310183513.28589-1-linus.luessing@c0d3.blue +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2076,14 +2076,12 @@ static int copy_mesh_setup(struct ieee80 + const struct mesh_setup *setup) + { + u8 *new_ie; +- const u8 *old_ie; + struct ieee80211_sub_if_data *sdata = container_of(ifmsh, + struct ieee80211_sub_if_data, u.mesh); + int i; + + /* allocate information elements */ + new_ie = NULL; +- old_ie = ifmsh->ie; + + if (setup->ie_len) { + new_ie = kmemdup(setup->ie, setup->ie_len, +@@ -2093,7 +2091,6 @@ static int copy_mesh_setup(struct ieee80 + } + ifmsh->ie_len = setup->ie_len; + ifmsh->ie = new_ie; +- kfree(old_ie); + + /* now copy the rest of the setup parameters */ + ifmsh->mesh_id_len = setup->mesh_id_len; diff --git a/queue-5.10/series b/queue-5.10/series index 680f50d0213..d00b1e07dec 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -32,3 +32,5 @@ acpi-video-force-backlight-native-for-clevo-nl5xru-and-nl5xnu.patch crypto-qat-disable-registration-of-algorithms.patch revert-ath-add-support-for-special-0x0-regulatory-domain.patch rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch +mac80211-fix-potential-double-free-on-mesh-join.patch +tpm-use-try_get_ops-in-tpm-space.c.patch diff --git a/queue-5.10/tpm-use-try_get_ops-in-tpm-space.c.patch b/queue-5.10/tpm-use-try_get_ops-in-tpm-space.c.patch new file mode 100644 index 00000000000..7c4f0e3eab4 --- /dev/null +++ b/queue-5.10/tpm-use-try_get_ops-in-tpm-space.c.patch 
@@ -0,0 +1,51 @@ +From fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Mon, 7 Mar 2022 15:58:03 -0500 +Subject: tpm: use try_get_ops() in tpm-space.c + +From: James Bottomley + +commit fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9 upstream. + +As part of the series conversion to remove nested TPM operations: + +https://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/ + +exposure of the chip->tpm_mutex was removed from much of the upper +level code. In this conversion, tpm2_del_space() was missed. This +didn't matter much because it's usually called closely after a +converted operation, so there's only a very tiny race window where the +chip can be removed before the space flushing is done which causes a +NULL deref on the mutex. However, there are reports of this window +being hit in practice, so fix this by converting tpm2_del_space() to +use tpm_try_get_ops(), which performs all the teardown checks before +acquring the mutex. + +Cc: stable@vger.kernel.org # 5.4.x +Signed-off-by: James Bottomley +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm2-space.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -58,12 +58,12 @@ int tpm2_init_space(struct tpm_space *sp + + void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space) + { +- mutex_lock(&chip->tpm_mutex); +- if (!tpm_chip_start(chip)) { ++ ++ if (tpm_try_get_ops(chip) == 0) { + tpm2_flush_sessions(chip, space); +- tpm_chip_stop(chip); ++ tpm_put_ops(chip); + } +- mutex_unlock(&chip->tpm_mutex); ++ + kfree(space->context_buf); + kfree(space->session_buf); + }
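Review bot: Removing `kfree(old_ie)` in the second net/mac80211/cfg.c hunk makes copy_mesh_setup() correct only as long as `ifmsh->ie` is guaranteed to be NULL on entry; the commit message states that ieee80211_leave_mesh() frees the IE and that the NETDEV_UP path resets it via default_mesh_setup, but nothing in the hunk itself enforces that, so any future caller that reaches copy_mesh_setup() on an interface still holding an IE would now leak it instead of double-freeing it. Suggest a one-line comment above `new_ie = NULL;` stating the ownership rule (the mesh IE is freed only in ieee80211_leave_mesh()), or a `WARN_ON_ONCE(ifmsh->ie)` that makes the assumption visible. The tags also spell the reporter's name two ways (`Reported-by: Matthias Kretschmer` versus `Tested-by: Mathias Kretschmer`); one of them is presumably a typo and should be fixed before the patch is queued.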
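Review bot: The drivers/char/tpm/tpm2-space.c hunk leaves two stray blank lines behind: `mutex_lock(&chip->tpm_mutex);` is replaced by an empty `+` line at the top of the function body and `mutex_unlock(&chip->tpm_mutex);` by an empty `+` line before the kfree() calls, which checkpatch will flag; those lines should simply be dropped rather than kept as whitespace. The conversion itself is sound: as the commit message says, tpm_try_get_ops() performs the teardown checks before acquiring the mutex and tpm_put_ops() releases it, so the NULL dereference on a removed chip can no longer be reached. The failure branch deserves a short comment, since when tpm_try_get_ops() returns non-zero the sessions are deliberately left unflushed because the chip is already gone while the kfree() of context_buf and session_buf still proceeds, and a reader of the new code cannot see why skipping the flush is safe. Minor: "acquring" in the commit message should read "acquiring".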