From: Sasha Levin
Date: Sun, 3 Dec 2023 20:07:06 +0000 (-0500)
Subject: Fixes for 4.14
X-Git-Tag: v4.14.332~23^2~36
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f0b0e90e744450f6427d6df4b11ab98dc02edf3e;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.14
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch b/queue-4.14/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch
new file mode 100644
index 00000000000..e0eca114e36
--- /dev/null
+++ b/queue-4.14/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch
@@ -0,0 +1,114 @@
+From e00d91b846b5824e69f9e1925442584074baf965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Nov 2023 15:13:14 +0800
+Subject: ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
+
+From: Zhengchao Shao
+
+[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]
+
+When I perform the following test operations:
+1.ip link add br0 type bridge
+2.brctl addif br0 eth0
+3.ip addr add 239.0.0.1/32 dev eth0
+4.ip addr add 239.0.0.1/32 dev br0
+5.ip addr add 224.0.0.1/32 dev br0
+6.while ((1))
+ do
+ ifconfig br0 up
+ ifconfig br0 down
+ done
+7.send IGMPv2 query packets to port eth0 continuously. For example,
+./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
+1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"
+
+The preceding tests may trigger the refcnt uaf issue of the mc list. The
+stack is as follows:
+ refcount_t: addition on 0; use-after-free.
+ WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
+ CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
+ RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
+ RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
+ RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
+ R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
+ R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
+ FS: 0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
+ Call Trace:
+
+ igmp_heard_query (net/ipv4/igmp.c:1068)
+ igmp_rcv (net/ipv4/igmp.c:1132)
+ ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
+ ip_local_deliver_finish (net/ipv4/ip_input.c:234)
+ __netif_receive_skb_one_core (net/core/dev.c:5529)
+ netif_receive_skb_internal (net/core/dev.c:5729)
+ netif_receive_skb (net/core/dev.c:5788)
+ br_handle_frame_finish (net/bridge/br_input.c:216)
+ nf_hook_bridge_pre (net/bridge/br_input.c:294)
+ __netif_receive_skb_core (net/core/dev.c:5423)
+ __netif_receive_skb_list_core (net/core/dev.c:5606)
+ __netif_receive_skb_list (net/core/dev.c:5674)
+ netif_receive_skb_list_internal (net/core/dev.c:5764)
+ napi_gro_receive (net/core/gro.c:609)
+ e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
+ e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
+ __napi_poll (net/core/dev.c:6533)
+ net_rx_action (net/core/dev.c:6735)
+ __do_softirq (kernel/softirq.c:554)
+ run_ksoftirqd (kernel/softirq.c:913)
+ smpboot_thread_fn (kernel/smpboot.c:164)
+ kthread (kernel/kthread.c:388)
+ ret_from_fork (arch/x86/kernel/process.c:153)
+ ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
+
+
+The root causes are as follows:
+Thread A Thread B
+... netif_receive_skb
+br_dev_stop ...
+ br_multicast_leave_snoopers ...
+ __ip_mc_dec_group ...
+ __igmp_group_dropped igmp_rcv
+ igmp_stop_timer igmp_heard_query //ref = 1
+ ip_ma_put igmp_mod_timer
+ refcount_dec_and_test igmp_start_timer //ref = 0
+ ... refcount_inc //ref increases from 0
+When the device receives an IGMPv2 Query message, it starts the timer
+immediately, regardless of whether the device is running. If the device is
+down and has left the multicast group, it will cause the mc list refcount
+uaf issue.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao
+Reviewed-by: Eric Dumazet
+Reviewed-by: Hangbin Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/igmp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index bdc232f6f27c8..42c7b412da2ac 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -224,8 +224,10 @@ static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
+ int tv = prandom_u32() % max_delay;
+
+ im->tm_running = 1;
+- if (!mod_timer(&im->timer, jiffies+tv+2))
+- refcount_inc(&im->refcnt);
++ if (refcount_inc_not_zero(&im->refcnt)) {
++ if (mod_timer(&im->timer, jiffies + tv + 2))
++ ip_ma_put(im);
++ }
+ }
+
+ static void igmp_gq_start_timer(struct in_device *in_dev)
+-- 
+2.42.0
+
diff --git a/queue-4.14/net-ravb-start-tx-queues-after-hw-initialization-suc.patch b/queue-4.14/net-ravb-start-tx-queues-after-hw-initialization-suc.patch
new file mode 100644
index 00000000000..de09ae70cfa
--- /dev/null
+++ b/queue-4.14/net-ravb-start-tx-queues-after-hw-initialization-suc.patch
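Review bot: In the new `igmp_start_timer()` body `im->tm_running = 1` is still written before `refcount_inc_not_zero()`, so when the group's refcount is already zero the flag claims a timer is running although none was armed. That looks harmless, since a zero refcount means the entry is already being torn down, but the reason the refcount test now wraps the timer call is not visible in the code. A comment above the `if`, `/* refcnt 0: the group is being freed, never re-arm its timer */`, would keep the rationale from the commit message next to the check. Only the head of the function is inside the hunk; its callers and the matching stop path are outside it.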
@@ -0,0 +1,46 @@
+From 86ac4e5fe3bd507d355d9581d990e9f78427494c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Nov 2023 10:04:37 +0200
+Subject: net: ravb: Start TX queues after HW initialization succeeded
+
+From: Claudiu Beznea
+
+[ Upstream commit 6f32c086602050fc11157adeafaa1c1eb393f0af ]
+
+ravb_phy_start() may fail. If that happens, the TX queues will remain
+started. Thus, move the netif_tx_start_all_queues() after PHY is
+successfully initialized.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Reviewed-by: Sergey Shtylyov
+Signed-off-by: Claudiu Beznea
+Reviewed-by: Kalesh AP
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 4db3495ef3370..b97d450214dfd 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1429,13 +1429,13 @@ static int ravb_open(struct net_device *ndev)
+ if (priv->chip_id == RCAR_GEN2)
+ ravb_ptp_init(ndev, priv->pdev);
+
+- netif_tx_start_all_queues(ndev);
+-
+ /* PHY control start */
+ error = ravb_phy_start(ndev);
+ if (error)
+ goto out_ptp_stop;
+
++ netif_tx_start_all_queues(ndev);
++
+ return 0;
+
+ out_ptp_stop:
+-- 
+2.42.0
+
diff --git a/queue-4.14/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch b/queue-4.14/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch
new file mode 100644
index 00000000000..632c0126a83
--- /dev/null
+++ b/queue-4.14/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch
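Review bot: The moved `netif_tx_start_all_queues(ndev)` in `ravb_open()` carries no in-code reason for its position, so the next reorder of the open sequence could move it back ahead of `ravb_phy_start()`. A one-line comment on the call, `/* Expose TX queues only once the PHY is up; ravb_phy_start() can fail */`, would pin the ordering the commit establishes. The `out_ptp_stop` label the error path jumps to lies outside the hunk, so whether it mirrors the `RCAR_GEN2` guard seen on the init above cannot be checked here.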
@@ -0,0 +1,79 @@
+From ebcaaba16eea0308f446d7bf5498d314ba8b87d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Nov 2023 21:24:20 +0900
+Subject: ravb: Fix races between ravb_tx_timeout_work() and net related ops
+
+From: Yoshihiro Shimoda
+
+[ Upstream commit 9870257a0a338cd8d6c1cddab74e703f490f6779 ]
+
+Fix races between ravb_tx_timeout_work() and functions of net_device_ops
+and ethtool_ops by using rtnl_trylock() and rtnl_unlock(). Note that
+since ravb_close() is under the rtnl lock and calls cancel_work_sync(),
+ravb_tx_timeout_work() should calls rtnl_trylock(). Otherwise, a deadlock
+may happen in ravb_tx_timeout_work() like below:
+
+CPU0 CPU1
+ ravb_tx_timeout()
+ schedule_work()
+...
+__dev_close_many()
+// Under rtnl lock
+ravb_close()
+cancel_work_sync()
+// Waiting
+ ravb_tx_timeout_work()
+ rtnl_lock()
+ // This is possible to cause a deadlock
+
+If rtnl_trylock() fails, rescheduling the work with sleep for 1 msec.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Yoshihiro Shimoda
+Reviewed-by: Sergey Shtylyov
+Link: https://lore.kernel.org/r/20231127122420.3706751-1-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 4acea1ab60008..4db3495ef3370 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1484,6 +1484,12 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+ struct net_device *ndev = priv->ndev;
+ int error;
+
++ if (!rtnl_trylock()) {
++ usleep_range(1000, 2000);
++ schedule_work(&priv->work);
++ return;
++ }
++
+ netif_tx_stop_all_queues(ndev);
+
+ /* Stop PTP Clock driver */
+@@ -1516,7 +1522,7 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+ */
+ netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n",
+ __func__, error);
+- return;
++ goto out_unlock;
+ }
+ ravb_emac_init(ndev);
+
+@@ -1526,6 +1532,9 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+ ravb_ptp_init(ndev, priv->pdev);
+
+ netif_tx_start_all_queues(ndev);
++
++out_unlock:
++ rtnl_unlock();
+ }
+
+ /* Packet transmit function for Ethernet AVB */
+-- 
+2.42.0
+
diff --git a/queue-4.14/series b/queue-4.14/series
index c8dd3020294..9ff4c35353f 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -24,3 +24,6 @@ dm-verity-don-t-perform-fec-for-failed-readahead-io.patch
 powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
 btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
 btrfs-send-ensure-send_fd-is-writable.patch
+ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch
+ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch
+net-ravb-start-tx-queues-after-hw-initialization-suc.patch
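Review bot: The `rtnl_trylock()` back-off added at the top of `ravb_tx_timeout_work()` has no comment, and the reason a blocking `rtnl_lock()` would deadlock (ravb_close() holds rtnl while it waits in cancel_work_sync() for this very work) lives only in the commit message. A comment above the `if`, `/* ravb_close() holds rtnl and cancel_work_sync()s this work: blocking on rtnl here would deadlock, so back off and retry */`, would keep that invariant with the code. The retry is also unbounded; under sustained rtnl contention the work re-queues itself every 1-2 ms, which is acceptable in process context but worth stating so nobody later turns the sleep into a spin. The body of the function between and after these three hunks is outside the view, so the paths that now reach `out_unlock` could not all be checked here.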