From: Greg Kroah-Hartman
Date: Thu, 13 Mar 2025 16:15:05 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v6.6.84~62
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c0f2c3b00c87b3b719bc46b714351b88edf48be0;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches added patches: revert-sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch revert-sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
---
diff --git a/queue-5.4/revert-sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch b/queue-5.4/revert-sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch
new file mode 100644
index 0000000000..bd237054db
--- /dev/null
+++ b/queue-5.4/revert-sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch
@@ -0,0 +1,31 @@
+From stable+bounces-124081-greg=kroah.com@vger.kernel.org Tue Mar 11 19:55:19 2025
+From: Magali Lemes
+Date: Tue, 11 Mar 2025 15:54:25 -0300
+Subject: Revert "sctp: sysctl: auth_enable: avoid using current->nsproxy"
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)"
+Message-ID: <20250311185427.1070104-3-magali.lemes@canonical.com>
+
+From: Magali Lemes
+
+This reverts commit 10c869a52f266e40f548cc3c565d14930a5edafc as it
+was backported incorrectly.
+A subsequent commit will re-backport the original patch.
+
+Signed-off-by: Magali Lemes
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -326,7 +326,7 @@ static int proc_sctp_do_hmac_alg(struct
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
++ struct net *net = current->nsproxy->net_ns;
+ struct ctl_table tbl;
+ bool changed = false;
+ char *none = "none";
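Review bot: The revert message says only that commit 10c869a52f266e40f548cc3c565d14930a5edafc "was backported incorrectly" and never states what was wrong, although the removed line shows it: `container_of(ctl->data, struct net, sctp.auth_enable)` sat in proc_sctp_do_hmac_alg(), whereas the re-backport queued later in this commit puts that member in proc_sctp_do_auth(). The revert of the cookie_hmac_alg patch is the mirror case, with `sctp.sctp_hmac_alg` removed from proc_sctp_do_auth(). Assuming each handler's ctl->data points at its own field, as the upstream messages describe, a container_of() on the other member yields a `struct net` pointer displaced from the real one, so every later access through `net` in the handler lands on the wrong memory. I would add a sentence to both revert messages such as `The container_of() member was applied to the wrong handler, so 'net' was computed from the wrong field offset.`, which lets anyone carrying the first backport recognise and prioritise the fix. Between these reverts and the two re-backports later in the series, the restored `current->nsproxy->net_ns` line is again subject to the NULL nsproxy case those patches describe, so the four should only ever be applied together.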
diff --git a/queue-5.4/revert-sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch b/queue-5.4/revert-sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
new file mode 100644
index 0000000000..d8279b49b5
--- /dev/null
+++ b/queue-5.4/revert-sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
@@ -0,0 +1,32 @@
+From stable+bounces-124080-greg=kroah.com@vger.kernel.org Tue Mar 11 19:55:18 2025
+From: Magali Lemes
+Date: Tue, 11 Mar 2025 15:54:24 -0300
+Subject: Revert "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy"
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)"
+Message-ID: <20250311185427.1070104-2-magali.lemes@canonical.com>
+
+From: Magali Lemes
+
+This reverts commit 1031462a944ba0fa83c25ab1111465f8345b5589 as it
+was backported incorrectly.
+A subsequent commit will re-backport the original patch.
+
+Signed-off-by: Magali Lemes
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sysctl.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -441,8 +441,7 @@ static int proc_sctp_do_auth(struct ctl_
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct net *net = container_of(ctl->data, struct net,
+- sctp.sctp_hmac_alg);
++ struct net *net = current->nsproxy->net_ns;
+ struct ctl_table tbl;
+ int new_value, ret;
+
diff --git a/queue-5.4/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch b/queue-5.4/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch
new file mode 100644
index 0000000000..bb932e1e56
--- /dev/null
+++ b/queue-5.4/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch
@@ -0,0 +1,53 @@
+From magali.lemes@canonical.com Tue Mar 11 19:55:13 2025
+From: Magali Lemes
+Date: Tue, 11 Mar 2025 15:54:27 -0300
+Subject: sctp: sysctl: auth_enable: avoid using current->nsproxy
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)"
+Message-ID: <20250311185427.1070104-5-magali.lemes@canonical.com>
+
+From: "Matthieu Baerts (NGI0)"
+
+commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, but that would
+increase the size of this fix, while 'sctp.ctl_sock' still needs to be
+retrieved from 'net' structure.
+
+Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Magali Lemes
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -442,7 +442,7 @@ static int proc_sctp_do_auth(struct ctl_
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
+ struct ctl_table tbl;
+ int new_value, ret;
+
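Review bot: Nothing visible ties the member named in `container_of(ctl->data, struct net, sctp.auth_enable)` in proc_sctp_do_auth() to the field that this handler's ctl_table entry stores in `.data`; ctl->data is an untyped pointer, so a mismatched member compiles cleanly, which is the error the two reverts in this commit undo. The table entries are outside the hunk, so the pairing should be checked against the 5.4 table in net/sctp/sysctl.c before this is applied, and likewise for `sctp.sctp_hmac_alg` in proc_sctp_do_hmac_alg() in the cookie_hmac_alg patch. The message also carries no backport note; a bracketed line before the sign-offs, e.g. `[ 5.4: re-backport; container_of() member now matches the handler's ctl->data ]`, would record how this differs from the first attempt. The body of proc_sctp_do_auth() continues outside the hunk, so the later uses of `net` cannot be reviewed from here.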
diff --git a/queue-5.4/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch b/queue-5.4/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
new file mode 100644
index 0000000000..44bf642cc0
--- /dev/null
+++ b/queue-5.4/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
@@ -0,0 +1,55 @@
+From magali.lemes@canonical.com Tue Mar 11 19:55:13 2025
+From: Magali Lemes
+Date: Tue, 11 Mar 2025 15:54:26 -0300
+Subject: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)"
+Message-ID: <20250311185427.1070104-4-magali.lemes@canonical.com>
+
+From: "Matthieu Baerts (NGI0)"
+
+commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, as this is the only
+member needed from the 'net' structure, but that would increase the size
+of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is
+used.
+
+Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Magali Lemes
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sysctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -326,7 +326,8 @@ static int proc_sctp_do_hmac_alg(struct
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net,
++ sctp.sctp_hmac_alg);
+ struct ctl_table tbl;
+ bool changed = false;
+ char *none = "none";
diff --git a/queue-5.4/series b/queue-5.4/series
index 038082ecb7..4b5c2bcc62 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -1,3 +1,7 @@
 vlan-fix-memory-leak-in-vlan_newlink.patch
 clockevents-drivers-i8253-fix-stop-sequence-for-timer-0.patch
 sched-isolation-prevent-boot-crash-when-the-boot-cpu-is-nohz_full.patch
+revert-sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
+revert-sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch
+sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
+sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch