From: Greg Kroah-Hartman
Date: Mon, 6 Nov 2023 11:27:05 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.14.329~24
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=497e9c8ab9817b07392a812b206f43727341bf63;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch
---
diff --git a/queue-5.4/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch b/queue-5.4/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
new file mode 100644
index 00000000000..0e99d98badf
--- /dev/null
+++ b/queue-5.4/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
@@ -0,0 +1,62 @@
+From d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg
+Date: Mon, 2 Oct 2023 13:54:28 +0300
+Subject: nvmet-tcp: Fix a possible UAF in queue intialization setup
+
+From: Sagi Grimberg
+
+commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd upstream.
+
+From Alon:
+"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
+a malicious user can cause a UAF and a double free, which may lead to
+RCE (may also lead to an LPE in case the attacker already has local
+privileges)."
+
+Hence, when a queue initialization fails after the ahash requests are
+allocated, it is guaranteed that the queue removal async work will be
+called, hence leave the deallocation to the queue removal.
+
+Also, be extra careful not to continue processing the socket, so set
+queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alon Zahavi
+Tested-by: Alon Zahavi
+Signed-off-by: Sagi Grimberg
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Keith Busch
+Signed-off-by: Dragos-Marian Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/target/tcp.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -323,6 +323,7 @@ static void nvmet_tcp_fatal_error(struct
+ 
+ static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
+ {
++ queue->rcv_state = NVMET_TCP_RECV_ERR;
+ if (status == -EPIPE || status == -ECONNRESET)
+ kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+ else
+@@ -828,15 +829,11 @@ static int nvmet_tcp_handle_icreq(struct
+ iov.iov_len = sizeof(*icresp);
+ ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
+ if (ret < 0)
+- goto free_crypto;
++ return ret; /* queue removal will cleanup */
+ 
+ queue->state = NVMET_TCP_Q_LIVE;
+ nvmet_prepare_receive_pdu(queue);
+ return 0;
+-free_crypto:
+- if (queue->hdr_digest || queue->data_digest)
+- nvmet_tcp_free_crypto(queue);
+- return ret;
+ }
+ 
+ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
diff --git a/queue-5.4/nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch b/queue-5.4/nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch
new file mode 100644
index 00000000000..cad9df7d6ec
--- /dev/null
+++ b/queue-5.4/nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch
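Review bot: The new `return ret; /* queue removal will cleanup */` in nvmet_tcp_handle_icreq leaves the ahash requests allocated on the assumption that the caller turns the negative return into a socket error and that the removal work then frees them, but the comment only asserts the outcome; it should name the contract, e.g. `/* caller reports ret via nvmet_tcp_socket_error(); the queue-removal work frees the digest crypto, do not free it here (double free) */`. That reporting path exists in 5.4 only because the companion patch adding nvmet_tcp_socket_error is queued ahead of this one in series, so the two must stay in that order. Likewise `queue->rcv_state = NVMET_TCP_RECV_ERR;` in nvmet_tcp_socket_error only stops further socket processing if the receive path checks that state, which this hunk does not show; a one-line comment such as `/* stop the receive path before the queue is torn down */` would record why it is set before the shutdown branch. The bodies of nvmet_tcp_socket_error and nvmet_tcp_handle_icreq both start outside the hunk.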
@@ -0,0 +1,106 @@
+From 0236d3437909ff888e5c79228e2d5a851651c4c6 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg
+Date: Mon, 18 May 2020 10:47:48 -0700
+Subject: nvmet-tcp: move send/recv error handling in the send/recv methods instead of call-sites
+
+From: Sagi Grimberg
+
+commit 0236d3437909ff888e5c79228e2d5a851651c4c6 upstream.
+
+Have routines handle errors and just bail out of the poll loop.
+This simplifies the code and will help as we may enhance the poll
+loop logic and these are somewhat in the way.
+
+Signed-off-by: Sagi Grimberg
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Dragos-Marian Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/target/tcp.c | 43 ++++++++++++++++++++++++-------------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -321,6 +321,14 @@ static void nvmet_tcp_fatal_error(struct
+ kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+ }
+ 
++static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
++{
++ if (status == -EPIPE || status == -ECONNRESET)
++ kernel_sock_shutdown(queue->sock, SHUT_RDWR);
++ else
++ nvmet_tcp_fatal_error(queue);
++}
++
+ static int nvmet_tcp_map_data(struct nvmet_tcp_cmd *cmd)
+ {
+ struct nvme_sgl_desc *sgl = &cmd->req.cmd->common.dptr.sgl;
+@@ -714,11 +722,15 @@ static int nvmet_tcp_try_send(struct nvm
+ 
+ for (i = 0; i < budget; i++) {
+ ret = nvmet_tcp_try_send_one(queue, i == budget - 1);
+- if (ret <= 0)
++ if (unlikely(ret < 0)) {
++ nvmet_tcp_socket_error(queue, ret);
++ goto done;
++ } else if (ret == 0) {
+ break;
++ }
+ (*sends)++;
+ }
+-
++done:
+ return ret;
+ }
+ 
+@@ -1167,11 +1179,15 @@ static int nvmet_tcp_try_recv(struct nvm
+ 
+ for (i = 0; i < budget; i++) {
+ ret = nvmet_tcp_try_recv_one(queue);
+- if (ret <= 0)
++ if (unlikely(ret < 0)) {
++ nvmet_tcp_socket_error(queue, ret);
++ goto done;
++ } else if (ret == 0) {
+ break;
++ }
+ (*recvs)++;
+ }
+-
++done:
+ return ret;
+ }
+ 
+@@ -1196,27 +1212,16 @@ static void nvmet_tcp_io_work(struct wor
+ pending = false;
+ 
+ ret = nvmet_tcp_try_recv(queue, NVMET_TCP_RECV_BUDGET, &ops);
+- if (ret > 0) {
++ if (ret > 0)
+ pending = true;
+- } else if (ret < 0) {
+- if (ret == -EPIPE || ret == -ECONNRESET)
+- kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+- else
+- nvmet_tcp_fatal_error(queue);
++ else if (ret < 0)
+ return;
+- }
+ 
+ ret = nvmet_tcp_try_send(queue, NVMET_TCP_SEND_BUDGET, &ops);
+- if (ret > 0) {
+- /* transmitted message/data */
++ if (ret > 0)
+ pending = true;
+- } else if (ret < 0) {
+- if (ret == -EPIPE || ret == -ECONNRESET)
+- kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+- else
+- nvmet_tcp_fatal_error(queue);
++ else if (ret < 0)
+ return;
+- }
+ 
+ } while (pending && ops < NVMET_TCP_IO_WORK_BUDGET);
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index a557a8c8179..be51cb44476 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -63,3 +63,5 @@ platform-mellanox-mlxbf-tmfifo-fix-a-warning-message.patch
 net-chelsio-cxgb4-add-an-error-code-check-in-t4_load.patch
 ata-ahci-fix-enum-constants-for-gcc-13.patch
 remove-the-sx8-block-driver.patch
+nvmet-tcp-move-send-recv-error-handling-in-the-send-recv-methods-instead-of-call-sites.patch
+nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
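Review bot: In nvmet_tcp_try_send and nvmet_tcp_try_recv the added `goto done;` jumps to a label whose only statement is `return ret;`, so the label introduces a jump with nothing to unwind; writing `return ret;` in place of `goto done;` and dropping the `done:` label reads more directly and leaves the error value (already reported to nvmet_tcp_socket_error) unchanged. The removed `/* transmitted message/data */` was the only explanation of the `pending = true` branches in nvmet_tcp_io_work; a short `/* made progress: keep polling */` on the recv and send branches would preserve that. Note that a negative return now also means nvmet_tcp_socket_error has already run, which is why io_work's bare `return;` is sufficient and is worth a comment there. The body of nvmet_tcp_io_work starts and ends outside the hunk.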