From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 18 Jun 2024 13:37:55 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.1.95~82
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c87f86d1e30932b47e1c5843d9b1f7d7755f4d2a;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	sock_map-avoid-race-between-sock_map_close-and-sk_psock_put.patch
	spmi-hisi-spmi-controller-do-not-override-device-identifier.patch
	tracing-add-module_description-to-preemptirq_delay_test.patch
	vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch
---

diff --git a/queue-5.15/series b/queue-5.15/series
index 883230c43e8..77a0ff929cd 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -145,3 +145,7 @@ mptcp-ensure-snd_una-is-properly-initialized-on-connect.patch
 irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch
 tracing-selftests-fix-kprobe-event-name-test-for-.isra.-functions.patch
 null_blk-print-correct-max-open-zones-limit-in-null_init_zoned_dev.patch
+sock_map-avoid-race-between-sock_map_close-and-sk_psock_put.patch
+tracing-add-module_description-to-preemptirq_delay_test.patch
+vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch
+spmi-hisi-spmi-controller-do-not-override-device-identifier.patch
diff --git a/queue-5.15/sock_map-avoid-race-between-sock_map_close-and-sk_psock_put.patch b/queue-5.15/sock_map-avoid-race-between-sock_map_close-and-sk_psock_put.patch
new file mode 100644
index 00000000000..79add23d874
--- /dev/null
+++ b/queue-5.15/sock_map-avoid-race-between-sock_map_close-and-sk_psock_put.patch
@@ -0,0 +1,115 @@
+From 4b4647add7d3c8530493f7247d11e257ee425bf0 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Fri, 24 May 2024 11:47:02 -0300
+Subject: sock_map: avoid race between sock_map_close and sk_psock_put
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 4b4647add7d3c8530493f7247d11e257ee425bf0 upstream.
+
+sk_psock_get will return NULL if the refcount of psock has gone to 0, which
+will happen when the last call of sk_psock_put is done. However,
+sk_psock_drop may not have finished yet, so the close callback will still
+point to sock_map_close despite psock being NULL.
+
+This can be reproduced with a thread deleting an element from the sock map,
+while the second one creates a socket, adds it to the map and closes it.
+
+That will trigger the WARN_ON_ONCE:
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701
+Modules linked in:
+CPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+RIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701
+Code: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02
+RSP: 0018:ffffc9000441fda8 EFLAGS: 00010293
+RAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000
+RDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0
+RBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3
+R10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840
+R13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870
+FS:  000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0
+Call Trace:
+ <TASK>
+ unix_release+0x87/0xc0 net/unix/af_unix.c:1048
+ __sock_release net/socket.c:659 [inline]
+ sock_close+0xbe/0x240 net/socket.c:1421
+ __fput+0x42b/0x8a0 fs/file_table.c:422
+ __do_sys_close fs/open.c:1556 [inline]
+ __se_sys_close fs/open.c:1541 [inline]
+ __x64_sys_close+0x7f/0x110 fs/open.c:1541
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fb37d618070
+Code: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
+RSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
+RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070
+RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004
+RBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Use sk_psock, which will only check that the pointer is not been set to
+NULL yet, which should only happen after the callbacks are restored. If,
+then, a reference can still be gotten, we may call sk_psock_stop and cancel
+psock->work.
+
+As suggested by Paolo Abeni, reorder the condition so the control flow is
+less convoluted.
+
+After that change, the reproducer does not trigger the WARN_ON_ONCE
+anymore.
+
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Reported-by: syzbot+07a2e4a1a57118ef7355@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=07a2e4a1a57118ef7355
+Fixes: aadb2bb83ff7 ("sock_map: Fix a potential use-after-free in sock_map_close()")
+Fixes: 5b4a79ba65a1 ("bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/r/20240524144702.1178377-1-cascardo@igalia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_map.c |   16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -1566,19 +1566,23 @@ void sock_map_close(struct sock *sk, lon
+ 
+ 	lock_sock(sk);
+ 	rcu_read_lock();
+-	psock = sk_psock_get(sk);
+-	if (unlikely(!psock)) {
+-		rcu_read_unlock();
+-		release_sock(sk);
+-		saved_close = READ_ONCE(sk->sk_prot)->close;
+-	} else {
++	psock = sk_psock(sk);
++	if (likely(psock)) {
+ 		saved_close = psock->saved_close;
+ 		sock_map_remove_links(sk, psock);
++		psock = sk_psock_get(sk);
++		if (unlikely(!psock))
++			goto no_psock;
+ 		rcu_read_unlock();
+ 		sk_psock_stop(psock);
+ 		release_sock(sk);
+ 		cancel_delayed_work_sync(&psock->work);
+ 		sk_psock_put(sk, psock);
++	} else {
++		saved_close = READ_ONCE(sk->sk_prot)->close;
++no_psock:
++		rcu_read_unlock();
++		release_sock(sk);
+ 	}
+ 
+ 	/* Make sure we do not recurse. This is a bug.
diff --git a/queue-5.15/spmi-hisi-spmi-controller-do-not-override-device-identifier.patch b/queue-5.15/spmi-hisi-spmi-controller-do-not-override-device-identifier.patch
new file mode 100644
index 00000000000..f0ac9e4daa3
--- /dev/null
+++ b/queue-5.15/spmi-hisi-spmi-controller-do-not-override-device-identifier.patch
@@ -0,0 +1,36 @@
+From eda4923d78d634482227c0b189d9b7ca18824146 Mon Sep 17 00:00:00 2001
+From: Vamshi Gajjela <vamshigajjela@google.com>
+Date: Tue, 7 May 2024 14:07:41 -0700
+Subject: spmi: hisi-spmi-controller: Do not override device identifier
+
+From: Vamshi Gajjela <vamshigajjela@google.com>
+
+commit eda4923d78d634482227c0b189d9b7ca18824146 upstream.
+
+'nr' member of struct spmi_controller, which serves as an identifier
+for the controller/bus. This value is a dynamic ID assigned in
+spmi_controller_alloc, and overriding it from the driver results in an
+ida_free error "ida_free called for id=xx which is not allocated".
+
+Signed-off-by: Vamshi Gajjela <vamshigajjela@google.com>
+Fixes: 70f59c90c819 ("staging: spmi: add Hikey 970 SPMI controller driver")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240228185116.1269-1-vamshigajjela@google.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20240507210809.3479953-5-sboyd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spmi/hisi-spmi-controller.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/spmi/hisi-spmi-controller.c
++++ b/drivers/spmi/hisi-spmi-controller.c
+@@ -303,7 +303,6 @@ static int spmi_controller_probe(struct
+ 
+ 	spin_lock_init(&spmi_controller->lock);
+ 
+-	ctrl->nr = spmi_controller->channel;
+ 	ctrl->dev.parent = pdev->dev.parent;
+ 	ctrl->dev.of_node = of_node_get(pdev->dev.of_node);
+ 
diff --git a/queue-5.15/tracing-add-module_description-to-preemptirq_delay_test.patch b/queue-5.15/tracing-add-module_description-to-preemptirq_delay_test.patch
new file mode 100644
index 00000000000..63514604d8b
--- /dev/null
+++ b/queue-5.15/tracing-add-module_description-to-preemptirq_delay_test.patch
@@ -0,0 +1,34 @@
+From 23748e3e0fbfe471eff5ce439921629f6a427828 Mon Sep 17 00:00:00 2001
+From: Jeff Johnson <quic_jjohnson@quicinc.com>
+Date: Sat, 18 May 2024 15:54:49 -0700
+Subject: tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
+
+From: Jeff Johnson <quic_jjohnson@quicinc.com>
+
+commit 23748e3e0fbfe471eff5ce439921629f6a427828 upstream.
+
+Fix the 'make W=1' warning:
+
+WARNING: modpost: missing MODULE_DESCRIPTION() in kernel/trace/preemptirq_delay_test.o
+
+Link: https://lore.kernel.org/linux-trace-kernel/20240518-md-preemptirq_delay_test-v1-1-387d11b30d85@quicinc.com
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Fixes: f96e8577da10 ("lib: Add module for testing preemptoff/irqsoff latency tracers")
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/preemptirq_delay_test.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/preemptirq_delay_test.c
++++ b/kernel/trace/preemptirq_delay_test.c
+@@ -215,4 +215,5 @@ static void __exit preemptirq_delay_exit
+ 
+ module_init(preemptirq_delay_init)
+ module_exit(preemptirq_delay_exit)
++MODULE_DESCRIPTION("Preempt / IRQ disable delay thread to test latency tracers");
+ MODULE_LICENSE("GPL v2");
diff --git a/queue-5.15/vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch b/queue-5.15/vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch
new file mode 100644
index 00000000000..bec9e30cacd
--- /dev/null
+++ b/queue-5.15/vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch
@@ -0,0 +1,56 @@
+From 8003f00d895310d409b2bf9ef907c56b42a4e0f4 Mon Sep 17 00:00:00 2001
+From: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
+Date: Tue, 30 Apr 2024 08:59:16 +0000
+Subject: vmci: prevent speculation leaks by sanitizing event in event_deliver()
+
+From: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
+
+commit 8003f00d895310d409b2bf9ef907c56b42a4e0f4 upstream.
+
+Coverity spotted that event_msg is controlled by user-space,
+event_msg->event_data.event is passed to event_deliver() and used
+as an index without sanitization.
+
+This change ensures that the event index is sanitized to mitigate any
+possibility of speculative information leaks.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Only compile tested, no access to HW.
+
+Fixes: 1d990201f9bb ("VMCI: event handling implementation.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
+Link: https://lore.kernel.org/stable/20231127193533.46174-1-hagarhem%40amazon.com
+Link: https://lore.kernel.org/r/20240430085916.4753-1-hagarhem@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_event.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_event.c
++++ b/drivers/misc/vmw_vmci/vmci_event.c
+@@ -9,6 +9,7 @@
+ #include <linux/vmw_vmci_api.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
++#include <linux/nospec.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/rculist.h>
+@@ -86,9 +87,12 @@ static void event_deliver(struct vmci_ev
+ {
+ 	struct vmci_subscription *cur;
+ 	struct list_head *subscriber_list;
++	u32 sanitized_event, max_vmci_event;
+ 
+ 	rcu_read_lock();
+-	subscriber_list = &subscriber_array[event_msg->event_data.event];
++	max_vmci_event = ARRAY_SIZE(subscriber_array);
++	sanitized_event = array_index_nospec(event_msg->event_data.event, max_vmci_event);
++	subscriber_list = &subscriber_array[sanitized_event];
+ 	list_for_each_entry_rcu(cur, subscriber_list, node) {
+ 		cur->callback(cur->id, &event_msg->event_data,
+ 			      cur->callback_data);