From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 30 Jul 2022 15:31:24 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v5.4.209~46
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f273c253881a584f9997193227cb79837f4bbc41;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	net-ping6-fix-memleak-in-ipv6_renew_options.patch
	scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch
	tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch
---

diff --git a/queue-4.19/net-ping6-fix-memleak-in-ipv6_renew_options.patch b/queue-4.19/net-ping6-fix-memleak-in-ipv6_renew_options.patch
new file mode 100644
index 00000000000..6154a1669e2
--- /dev/null
+++ b/queue-4.19/net-ping6-fix-memleak-in-ipv6_renew_options.patch
@@ -0,0 +1,105 @@
+From e27326009a3d247b831eda38878c777f6f4eb3d1 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 27 Jul 2022 18:22:20 -0700
+Subject: net: ping6: Fix memleak in ipv6_renew_options().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream.
+
+When we close ping6 sockets, some resources are left unfreed because
+pingv6_prot is missing sk->sk_prot->destroy().  As reported by
+syzbot [0], just three syscalls leak 96 bytes and easily cause OOM.
+
+    struct ipv6_sr_hdr *hdr;
+    char data[24] = {0};
+    int fd;
+
+    hdr = (struct ipv6_sr_hdr *)data;
+    hdr->hdrlen = 2;
+    hdr->type = IPV6_SRCRT_TYPE_4;
+
+    fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP);
+    setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24);
+    close(fd);
+
+To fix memory leaks, let's add a destroy function.
+
+Note the socket() syscall checks if the GID is within the range of
+net.ipv4.ping_group_range.  The default value is [1, 0] so that no
+GID meets the condition (1 <= GID <= 0).  Thus, the local DoS does
+not succeed until we change the default value.  However, at least
+Ubuntu/Fedora/RHEL loosen it.
+
+    $ cat /usr/lib/sysctl.d/50-default.conf
+    ...
+    -net.ipv4.ping_group_range = 0 2147483647
+
+Also, there could be another path reported with these options, and
+some of them require CAP_NET_RAW.
+
+  setsockopt
+      IPV6_ADDRFORM (inet6_sk(sk)->pktoptions)
+      IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu)
+      IPV6_HOPOPTS (inet6_sk(sk)->opt)
+      IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt)
+      IPV6_RTHDR (inet6_sk(sk)->opt)
+      IPV6_DSTOPTS (inet6_sk(sk)->opt)
+      IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt)
+
+  getsockopt
+      IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list)
+
+For the record, I left a different splat with syzbot's one.
+
+  unreferenced object 0xffff888006270c60 (size 96):
+    comm "repro2", pid 231, jiffies 4294696626 (age 13.118s)
+    hex dump (first 32 bytes):
+      01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00  ....D...........
+      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    backtrace:
+      [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554)
+      [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715)
+      [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024)
+      [<000000007096a025>] __sys_setsockopt (net/socket.c:2254)
+      [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262)
+      [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+      [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+
+[0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176
+
+Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com
+Reported-by: Ayushman Dutta <ayudutta@amazon.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ping.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -27,6 +27,11 @@
+ #include <linux/proc_fs.h>
+ #include <net/ping.h>
+ 
++static void ping_v6_destroy(struct sock *sk)
++{
++	inet6_destroy_sock(sk);
++}
++
+ /* Compatibility glue so we can support IPv6 when it's compiled as a module */
+ static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len,
+ 				 int *addr_len)
+@@ -170,6 +175,7 @@ struct proto pingv6_prot = {
+ 	.owner =	THIS_MODULE,
+ 	.init =		ping_init_sock,
+ 	.close =	ping_close,
++	.destroy =	ping_v6_destroy,
+ 	.connect =	ip6_datagram_connect_v6_only,
+ 	.disconnect =	__udp_disconnect,
+ 	.setsockopt =	ipv6_setsockopt,
diff --git a/queue-4.19/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch b/queue-4.19/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch
new file mode 100644
index 00000000000..42e5a203310
--- /dev/null
+++ b/queue-4.19/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch
@@ -0,0 +1,56 @@
+From a3435afba87dc6cd83f5595e7607f3c40f93ef01 Mon Sep 17 00:00:00 2001
+From: Liang He <windhl@126.com>
+Date: Tue, 19 Jul 2022 15:15:29 +0800
+Subject: scsi: ufs: host: Hold reference returned by of_parse_phandle()
+
+From: Liang He <windhl@126.com>
+
+commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream.
+
+In ufshcd_populate_vreg(), we should hold the reference returned by
+of_parse_phandle() and then use it to call of_node_put() for refcount
+balance.
+
+Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com
+Fixes: aa4976130934 ("ufs: Add regulator enable support")
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd-pltfrm.c |   15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
+@@ -124,9 +124,20 @@ out:
+ 	return ret;
+ }
+ 
++static bool phandle_exists(const struct device_node *np,
++			   const char *phandle_name, int index)
++{
++	struct device_node *parse_np = of_parse_phandle(np, phandle_name, index);
++
++	if (parse_np)
++		of_node_put(parse_np);
++
++	return parse_np != NULL;
++}
++
+ #define MAX_PROP_SIZE 32
+ static int ufshcd_populate_vreg(struct device *dev, const char *name,
+-		struct ufs_vreg **out_vreg)
++				struct ufs_vreg **out_vreg)
+ {
+ 	int ret = 0;
+ 	char prop_name[MAX_PROP_SIZE];
+@@ -139,7 +150,7 @@ static int ufshcd_populate_vreg(struct d
+ 	}
+ 
+ 	snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name);
+-	if (!of_parse_phandle(np, prop_name, 0)) {
++	if (!phandle_exists(np, prop_name, 0)) {
+ 		dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n",
+ 				__func__, prop_name);
+ 		goto out;
diff --git a/queue-4.19/series b/queue-4.19/series
index 1d38e2c05b4..f6fbf461cf2 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -6,3 +6,6 @@ tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch
 tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch
 tcp-fix-a-data-race-around-sysctl_tcp_frto.patch
 tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch
+scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch
+tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch
+net-ping6-fix-memleak-in-ipv6_renew_options.patch
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch
new file mode 100644
index 00000000000..509bf6ec16e
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch
@@ -0,0 +1,31 @@
+From db3815a2fa691da145cfbe834584f31ad75df9ff Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 20 Jul 2022 09:50:21 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit db3815a2fa691da145cfbe834584f31ad75df9ff upstream.
+
+While reading sysctl_tcp_challenge_ack_limit, it can be changed
+concurrently.  Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3468,7 +3468,7 @@ static void tcp_send_challenge_ack(struc
+ 	/* Then check host-wide RFC 5961 rate limit. */
+ 	now = jiffies / HZ;
+ 	if (now != challenge_timestamp) {
+-		u32 ack_limit = net->ipv4.sysctl_tcp_challenge_ack_limit;
++		u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit);
+ 		u32 half = (ack_limit + 1) >> 1;
+ 
+ 		challenge_timestamp = now;