From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 20 Sep 2023 11:08:21 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.10.196~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ad69a49bebd59907adc558de2e094e1dc9df46e;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	net-sched-cls_fw-no-longer-copy-tcf_result-on-update-to-avoid-use-after-free.patch
---

diff --git a/queue-4.14/net-sched-cls_fw-no-longer-copy-tcf_result-on-update-to-avoid-use-after-free.patch b/queue-4.14/net-sched-cls_fw-no-longer-copy-tcf_result-on-update-to-avoid-use-after-free.patch
new file mode 100644
index 00000000000..c80313a7a1e
--- /dev/null
+++ b/queue-4.14/net-sched-cls_fw-no-longer-copy-tcf_result-on-update-to-avoid-use-after-free.patch
@@ -0,0 +1,47 @@
+From 76e42ae831991c828cffa8c37736ebfb831ad5ec Mon Sep 17 00:00:00 2001
+From: valis <sec@valis.email>
+Date: Sat, 29 Jul 2023 08:32:01 -0400
+Subject: net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
+
+From: valis <sec@valis.email>
+
+commit 76e42ae831991c828cffa8c37736ebfb831ad5ec upstream.
+
+When fw_change() is called on an existing filter, the whole
+tcf_result struct is always copied into the new instance of the filter.
+
+This causes a problem when updating a filter bound to a class,
+as tcf_unbind_filter() is always called on the old instance in the
+success path, decreasing filter_cnt of the still referenced class
+and allowing it to be deleted, leading to a use-after-free.
+
+Fix this by no longer copying the tcf_result struct from the old filter.
+
+Fixes: e35a8ee5993b ("net: sched: fw use RCU")
+Reported-by: valis <sec@valis.email>
+Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
+Signed-off-by: valis <sec@valis.email>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Victor Nogueira <victor@mojatatu.com>
+Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
+Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
+Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Fixed small conflict as 'fnew->ifindex' assignment is not protected by
+  CONFIG_NET_CLS_IND on upstream since a51486266c3 ]
+Signed-off-by: Luiz Capitulino <luizcap@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_fw.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/sched/cls_fw.c
++++ b/net/sched/cls_fw.c
+@@ -281,7 +281,6 @@ static int fw_change(struct net *net, st
+ 			return -ENOBUFS;
+ 
+ 		fnew->id = f->id;
+-		fnew->res = f->res;
+ #ifdef CONFIG_NET_CLS_IND
+ 		fnew->ifindex = f->ifindex;
+ #endif /* CONFIG_NET_CLS_IND */
diff --git a/queue-4.14/series b/queue-4.14/series
index 131dd59024f..95277d6be5a 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -182,3 +182,4 @@ mtd-rawnand-brcmnand-fix-crash-during-the-panic_write.patch
 mtd-rawnand-brcmnand-fix-potential-false-time-out-warning.patch
 mtd-rawnand-brcmnand-fix-ecc-level-field-setting-for-v7.2-controller.patch
 mtd-rawnand-brcmnand-fix-potential-out-of-bounds-access-in-oob-write.patch
+net-sched-cls_fw-no-longer-copy-tcf_result-on-update-to-avoid-use-after-free.patch