From: Greg Kroah-Hartman Date: Sun, 15 Jan 2023 08:05:44 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.14.303~59 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e26a9f2edb2befb4243d5f6e02852e5030a473bc;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: xfrm-fix-rcu-lock-in-xfrm_notify_userpolicy.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index fb460c2f5ca..b488f7ac5fe 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -31,3 +31,4 @@ xhci-move-and-rename-xhci_cleanup_halted_endpoint.patch
 xhci-prevent-infinite-loop-in-transaction-errors-rec.patch
 usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch
 ext4-fix-uninititialized-value-in-ext4_evict_inode.patch
+xfrm-fix-rcu-lock-in-xfrm_notify_userpolicy.patch
diff --git a/queue-5.10/xfrm-fix-rcu-lock-in-xfrm_notify_userpolicy.patch b/queue-5.10/xfrm-fix-rcu-lock-in-xfrm_notify_userpolicy.patch
new file mode 100644
index 00000000000..aeaaf091a36
--- /dev/null
+++ b/queue-5.10/xfrm-fix-rcu-lock-in-xfrm_notify_userpolicy.patch
@@ -0,0 +1,44 @@
+From 93ec1320b0170d7a207eda2d119c669b673401ed Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel
+Date: Wed, 22 Sep 2021 10:50:06 +0200
+Subject: xfrm: fix rcu lock in xfrm_notify_userpolicy()
+
+From: Nicolas Dichtel
+
+commit 93ec1320b0170d7a207eda2d119c669b673401ed upstream.
+
+As stated in the comment above xfrm_nlmsg_multicast(), rcu read lock must
+be held before calling this function.
+
+Reported-by: syzbot+3d9866419b4aa8f985d6@syzkaller.appspotmail.com
+Fixes: 703b94b93c19 ("xfrm: notify default policy on update")
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_user.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1920,6 +1920,7 @@ static int xfrm_notify_userpolicy(struct
+ int len = NLMSG_ALIGN(sizeof(*up));
+ struct nlmsghdr *nlh;
+ struct sk_buff *skb;
++ int err;
+
+ skb = nlmsg_new(len, GFP_ATOMIC);
+ if (skb == NULL)
+@@ -1938,7 +1939,11 @@ static int xfrm_notify_userpolicy(struct
+
+ nlmsg_end(skb, nlh);
+
+- return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
++ rcu_read_lock();
++ err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
++ rcu_read_unlock();
++
++ return err;
+ }
+
+ static bool xfrm_userpolicy_is_valid(__u8 policy)
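Review bot: The new `rcu_read_lock()`/`rcu_read_unlock()` pair around `xfrm_nlmsg_multicast()` in the second inner hunk of net/xfrm/xfrm_user.c has no comment, so the locking contract stays documented only above the callee, which is presumably how this call site came to miss it. I would add `/* xfrm_nlmsg_multicast() must be called under rcu_read_lock() */` directly above the `rcu_read_lock();` line. An RCU read outside a read-side section can presumably race with teardown of whatever the callee dereferences, so the other callers of xfrm_nlmsg_multicast() in the 5.10 tree should be checked for the same omission; they are not visible in this patch. xfrm_notify_userpolicy() starts before the first inner hunk and its error paths lie between the two hunks, so they are not covered by this review.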