diff options
Diffstat (limited to '')
7 files changed, 181 insertions, 517 deletions
diff --git a/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch deleted file mode 100644 index 5e77d7985..000000000 --- a/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch +++ /dev/null @@ -1,198 +0,0 @@ -From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Date: Thu, 11 Apr 2024 09:26:49 +0200 -Subject: Revert "scsi: core: Add struct for args to execution functions" -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=d1e620297a84caac1cd67615f4f4f6901527ca2b - -This reverts commit cf33e6ca12d814e1be2263cb76960d0019d7fb94 which is -commit d0949565811f0896c1c7e781ab2ad99d34273fdf upstream. - -It is known to cause problems and has asked to be dropped. - -Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com -Cc: Tasos Sahanidis <tasos@tasossah.com> -Cc: Ewan D. Milne <emilne@redhat.com> -Cc: Bart Van Assche <bvanassche@acm.org> -Cc: Tasos Sahanidis <tasos@tasossah.com> -Cc: Martin K. Petersen <martin.petersen@oracle.com> -Cc: James Bottomley <jejb@linux.ibm.com> -Cc: Sasha Levin <sashal@kernel.org> -Reported-by: John David Anglin <dave.anglin@bell.net> -Reported-by: Cyril Brulebois <kibi@debian.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/scsi/scsi_lib.c | 52 ++++++++++++++++++++------------------ - include/scsi/scsi_device.h | 51 ++++++++++--------------------------- - 2 files changed, 41 insertions(+), 62 deletions(-) - -diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index edd296f950a3..5c5954b78585 100644 ---- a/drivers/scsi/scsi_lib.c -+++ b/drivers/scsi/scsi_lib.c -@@ -185,37 +185,39 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason) - __scsi_queue_insert(cmd, reason, true); - } - -+ - /** -- * scsi_execute_cmd - insert request and wait for the result -- * @sdev: scsi_device -+ * __scsi_execute - insert request and wait for the result -+ * @sdev: scsi device - * @cmd: scsi command -- * @opf: block layer request cmd_flags -+ * @data_direction: data direction - * @buffer: data buffer - * @bufflen: len of buffer -+ * @sense: optional sense buffer -+ * @sshdr: optional decoded sense header - * @timeout: request timeout in HZ - * @retries: number of times to retry request -- * @args: Optional args. See struct definition for field descriptions -+ * @flags: flags for ->cmd_flags -+ * @rq_flags: flags for ->rq_flags -+ * @resid: optional residual length - * - * Returns the scsi_cmnd result field if a command was executed, or a negative - * Linux error code if we didn't get that far. - */ --int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, -- blk_opf_t opf, void *buffer, unsigned int bufflen, -- int timeout, int retries, -- const struct scsi_exec_args *args) -+int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, -+ int data_direction, void *buffer, unsigned bufflen, -+ unsigned char *sense, struct scsi_sense_hdr *sshdr, -+ int timeout, int retries, blk_opf_t flags, -+ req_flags_t rq_flags, int *resid) - { -- static const struct scsi_exec_args default_args; - struct request *req; - struct scsi_cmnd *scmd; - int ret; - -- if (!args) -- args = &default_args; -- else if (WARN_ON_ONCE(args->sense && -- args->sense_len != SCSI_SENSE_BUFFERSIZE)) -- return -EINVAL; -- -- req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags); -+ req = scsi_alloc_request(sdev->request_queue, -+ data_direction == DMA_TO_DEVICE ? -+ REQ_OP_DRV_OUT : REQ_OP_DRV_IN, -+ rq_flags & RQF_PM ? BLK_MQ_REQ_PM : 0); - if (IS_ERR(req)) - return PTR_ERR(req); - -@@ -230,7 +232,8 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, - memcpy(scmd->cmnd, cmd, scmd->cmd_len); - scmd->allowed = retries; - req->timeout = timeout; -- req->rq_flags |= RQF_QUIET; -+ req->cmd_flags |= flags; -+ req->rq_flags |= rq_flags | RQF_QUIET; - - /* - * head injection *required* here otherwise quiesce won't work -@@ -246,21 +249,20 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, - if (unlikely(scmd->resid_len > 0 && scmd->resid_len <= bufflen)) - memset(buffer + bufflen - scmd->resid_len, 0, scmd->resid_len); - -- if (args->resid) -- *args->resid = scmd->resid_len; -- if (args->sense) -- memcpy(args->sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE); -- if (args->sshdr) -+ if (resid) -+ *resid = scmd->resid_len; -+ if (sense && scmd->sense_len) -+ memcpy(sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE); -+ if (sshdr) - scsi_normalize_sense(scmd->sense_buffer, scmd->sense_len, -- args->sshdr); -- -+ sshdr); - ret = scmd->result; - out: - blk_mq_free_request(req); - - return ret; - } --EXPORT_SYMBOL(scsi_execute_cmd); -+EXPORT_SYMBOL(__scsi_execute); - - /* - * Wake up the error handler if necessary. Avoid as follows that the error -diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h -index b407807cc669..d2751ed536df 100644 ---- a/include/scsi/scsi_device.h -+++ b/include/scsi/scsi_device.h -@@ -479,51 +479,28 @@ extern const char *scsi_device_state_name(enum scsi_device_state); - extern int scsi_is_sdev_device(const struct device *); - extern int scsi_is_target_device(const struct device *); - extern void scsi_sanitize_inquiry_string(unsigned char *s, int len); -- --/* Optional arguments to scsi_execute_cmd */ --struct scsi_exec_args { -- unsigned char *sense; /* sense buffer */ -- unsigned int sense_len; /* sense buffer len */ -- struct scsi_sense_hdr *sshdr; /* decoded sense header */ -- blk_mq_req_flags_t req_flags; /* BLK_MQ_REQ flags */ -- int *resid; /* residual length */ --}; -- --int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, -- blk_opf_t opf, void *buffer, unsigned int bufflen, -- int timeout, int retries, -- const struct scsi_exec_args *args); -- -+extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, -+ int data_direction, void *buffer, unsigned bufflen, -+ unsigned char *sense, struct scsi_sense_hdr *sshdr, -+ int timeout, int retries, blk_opf_t flags, -+ req_flags_t rq_flags, int *resid); - /* Make sure any sense buffer is the correct size. */ --#define scsi_execute(_sdev, _cmd, _data_dir, _buffer, _bufflen, _sense, \ -- _sshdr, _timeout, _retries, _flags, _rq_flags, \ -- _resid) \ -+#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense, \ -+ sshdr, timeout, retries, flags, rq_flags, resid) \ - ({ \ -- scsi_execute_cmd(_sdev, _cmd, (_data_dir == DMA_TO_DEVICE ? \ -- REQ_OP_DRV_OUT : REQ_OP_DRV_IN) | _flags, \ -- _buffer, _bufflen, _timeout, _retries, \ -- &(struct scsi_exec_args) { \ -- .sense = _sense, \ -- .sshdr = _sshdr, \ -- .req_flags = _rq_flags & RQF_PM ? \ -- BLK_MQ_REQ_PM : 0, \ -- .resid = _resid, \ -- }); \ -+ BUILD_BUG_ON((sense) != NULL && \ -+ sizeof(sense) != SCSI_SENSE_BUFFERSIZE); \ -+ __scsi_execute(sdev, cmd, data_direction, buffer, bufflen, \ -+ sense, sshdr, timeout, retries, flags, rq_flags, \ -+ resid); \ - }) -- - static inline int scsi_execute_req(struct scsi_device *sdev, - const unsigned char *cmd, int data_direction, void *buffer, - unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout, - int retries, int *resid) - { -- return scsi_execute_cmd(sdev, cmd, -- data_direction == DMA_TO_DEVICE ? -- REQ_OP_DRV_OUT : REQ_OP_DRV_IN, buffer, -- bufflen, timeout, retries, -- &(struct scsi_exec_args) { -- .sshdr = sshdr, -- .resid = resid, -- }); -+ return scsi_execute(sdev, cmd, data_direction, buffer, -+ bufflen, NULL, sshdr, timeout, retries, 0, 0, resid); - } - extern void sdev_disable_disk_events(struct scsi_device *sdev); - extern void sdev_enable_disk_events(struct scsi_device *sdev); --- -2.43.0 - diff --git a/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch deleted file mode 100644 index 2b03fad36..000000000 --- a/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch +++ /dev/null @@ -1,125 +0,0 @@ -From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Date: Thu, 11 Apr 2024 09:24:48 +0200 -Subject: Revert "scsi: sd: usb_storage: uas: Access media prior to querying - device properties" -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=fc7309d7c76e446d7804fcc075da53694cecd755 -Bug-Debian: https://bugs.debian.org/1068675 - -This reverts commit b73dd5f9997279715cd450ee8ca599aaff2eabb9 which is -commit 321da3dc1f3c92a12e3c5da934090d2992a8814c upstream. - -It is known to cause problems and has asked to be dropped. - -Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com -Cc: Tasos Sahanidis <tasos@tasossah.com> -Cc: Ewan D. Milne <emilne@redhat.com> -Cc: Bart Van Assche <bvanassche@acm.org> -Cc: Tasos Sahanidis <tasos@tasossah.com> -Cc: Martin K. Petersen <martin.petersen@oracle.com> -Cc: James Bottomley <jejb@linux.ibm.com> -Cc: Sasha Levin <sashal@kernel.org> -Reported-by: John David Anglin <dave.anglin@bell.net> -Reported-by: Cyril Brulebois <kibi@debian.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/scsi/sd.c | 26 +------------------------- - drivers/usb/storage/scsiglue.c | 7 ------- - drivers/usb/storage/uas.c | 7 ------- - include/scsi/scsi_device.h | 1 - - 4 files changed, 1 insertion(+), 40 deletions(-) - -diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index f32236c3f81c..ad619f7c7418 100644 ---- a/drivers/scsi/sd.c -+++ b/drivers/scsi/sd.c -@@ -3286,24 +3286,6 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, - return true; - } - --static void sd_read_block_zero(struct scsi_disk *sdkp) --{ -- unsigned int buf_len = sdkp->device->sector_size; -- char *buffer, cmd[10] = { }; -- -- buffer = kmalloc(buf_len, GFP_KERNEL); -- if (!buffer) -- return; -- -- cmd[0] = READ_10; -- put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */ -- put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */ -- -- scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len, -- SD_TIMEOUT, sdkp->max_retries, NULL); -- kfree(buffer); --} -- - /** - * sd_revalidate_disk - called the first time a new disk is seen, - * performs disk spin up, read_capacity, etc. -@@ -3343,13 +3325,7 @@ static int sd_revalidate_disk(struct gendisk *disk) - */ - if (sdkp->media_present) { - sd_read_capacity(sdkp, buffer); -- /* -- * Some USB/UAS devices return generic values for mode pages -- * until the media has been accessed. Trigger a READ operation -- * to force the device to populate mode pages. -- */ -- if (sdp->read_before_ms) -- sd_read_block_zero(sdkp); -+ - /* - * set the default to rotational. All non-rotational devices - * support the block characteristics VPD page, which will -diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c -index 12cf9940e5b6..c54e9805da53 100644 ---- a/drivers/usb/storage/scsiglue.c -+++ b/drivers/usb/storage/scsiglue.c -@@ -179,13 +179,6 @@ static int slave_configure(struct scsi_device *sdev) - */ - sdev->use_192_bytes_for_3f = 1; - -- /* -- * Some devices report generic values until the media has been -- * accessed. Force a READ(10) prior to querying device -- * characteristics. -- */ -- sdev->read_before_ms = 1; -- - /* - * Some devices don't like MODE SENSE with page=0x3f, - * which is the command used for checking if a device -diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c -index af619efe8eab..ee5621bdb11e 100644 ---- a/drivers/usb/storage/uas.c -+++ b/drivers/usb/storage/uas.c -@@ -876,13 +876,6 @@ static int uas_slave_configure(struct scsi_device *sdev) - if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) - sdev->guess_capacity = 1; - -- /* -- * Some devices report generic values until the media has been -- * accessed. Force a READ(10) prior to querying device -- * characteristics. -- */ -- sdev->read_before_ms = 1; -- - /* - * Some devices don't like MODE SENSE with page=0x3f, - * which is the command used for checking if a device -diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h -index a64713fe5264..b407807cc669 100644 ---- a/include/scsi/scsi_device.h -+++ b/include/scsi/scsi_device.h -@@ -204,7 +204,6 @@ struct scsi_device { - unsigned use_10_for_rw:1; /* first try 10-byte read / write */ - unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */ - unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */ -- unsigned read_before_ms:1; /* perform a READ before MODE SENSE */ - unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */ - unsigned no_write_same:1; /* no WRITE SAME command */ - unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */ --- -2.43.0 - diff --git a/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch deleted file mode 100644 index c59abc9f8..000000000 --- a/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch +++ /dev/null @@ -1,155 +0,0 @@ -From: "Martin K. Petersen" <martin.petersen@oracle.com> -Date: Tue, 13 Feb 2024 09:33:06 -0500 -Subject: scsi: sd: usb_storage: uas: Access media prior to querying device - properties -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=46e587855c060a0fdcbb4349accb62b31e9ce70f - -[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ] - -It has been observed that some USB/UAS devices return generic properties -hardcoded in firmware for mode pages for a period of time after a device -has been discovered. The reported properties are either garbage or they do -not accurately reflect the characteristics of the physical storage device -attached in the case of a bridge. - -Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to -avoid calling revalidate twice") we would call revalidate several -times during device discovery. As a result, incorrect values would -eventually get replaced with ones accurately describing the attached -storage. When we did away with the redundant revalidate pass, several -cases were reported where devices reported nonsensical values or would -end up in write-protected state. - -An initial attempt at addressing this issue involved introducing a -delayed second revalidate invocation. However, this approach still -left some devices reporting incorrect characteristics. - -Tasos Sahanidis debugged the problem further and identified that -introducing a READ operation prior to MODE SENSE fixed the problem and that -it wasn't a timing issue. Issuing a READ appears to cause the devices to -update their state to reflect the actual properties of the storage -media. Device properties like vendor, model, and storage capacity appear to -be correctly reported from the get-go. It is unclear why these devices -defer populating the remaining characteristics. - -Match the behavior of a well known commercial operating system and -trigger a READ operation prior to querying device characteristics to -force the device to populate the mode pages. - -The additional READ is triggered by a flag set in the USB storage and -UAS drivers. We avoid issuing the READ for other transport classes -since some storage devices identify Linux through our particular -discovery command sequence. - -Link: https://lore.kernel.org/r/20240213143306.2194237-1-martin.petersen@oracle.com -Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice") -Cc: stable@vger.kernel.org -Reported-by: Tasos Sahanidis <tasos@tasossah.com> -Reviewed-by: Ewan D. Milne <emilne@redhat.com> -Reviewed-by: Bart Van Assche <bvanassche@acm.org> -Tested-by: Tasos Sahanidis <tasos@tasossah.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/scsi/sd.c | 26 +++++++++++++++++++++++++- - drivers/usb/storage/scsiglue.c | 7 +++++++ - drivers/usb/storage/uas.c | 7 +++++++ - include/scsi/scsi_device.h | 1 + - 4 files changed, 40 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index ad619f7c7418..3ec9b324fdcf 100644 ---- a/drivers/scsi/sd.c -+++ b/drivers/scsi/sd.c -@@ -3286,6 +3286,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, - return true; - } - -+static void sd_read_block_zero(struct scsi_disk *sdkp) -+{ -+ unsigned int buf_len = sdkp->device->sector_size; -+ char *buffer, cmd[10] = { }; -+ -+ buffer = kmalloc(buf_len, GFP_KERNEL); -+ if (!buffer) -+ return; -+ -+ cmd[0] = READ_10; -+ put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */ -+ put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */ -+ -+ scsi_execute_req(sdkp->device, cmd, DMA_FROM_DEVICE, buffer, buf_len, -+ NULL, SD_TIMEOUT, sdkp->max_retries, NULL); -+ kfree(buffer); -+} -+ - /** - * sd_revalidate_disk - called the first time a new disk is seen, - * performs disk spin up, read_capacity, etc. -@@ -3325,7 +3343,13 @@ static int sd_revalidate_disk(struct gendisk *disk) - */ - if (sdkp->media_present) { - sd_read_capacity(sdkp, buffer); -- -+ /* -+ * Some USB/UAS devices return generic values for mode pages -+ * until the media has been accessed. Trigger a READ operation -+ * to force the device to populate mode pages. -+ */ -+ if (sdp->read_before_ms) -+ sd_read_block_zero(sdkp); - /* - * set the default to rotational. All non-rotational devices - * support the block characteristics VPD page, which will -diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c -index c54e9805da53..12cf9940e5b6 100644 ---- a/drivers/usb/storage/scsiglue.c -+++ b/drivers/usb/storage/scsiglue.c -@@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev) - */ - sdev->use_192_bytes_for_3f = 1; - -+ /* -+ * Some devices report generic values until the media has been -+ * accessed. Force a READ(10) prior to querying device -+ * characteristics. -+ */ -+ sdev->read_before_ms = 1; -+ - /* - * Some devices don't like MODE SENSE with page=0x3f, - * which is the command used for checking if a device -diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c -index ee5621bdb11e..af619efe8eab 100644 ---- a/drivers/usb/storage/uas.c -+++ b/drivers/usb/storage/uas.c -@@ -876,6 +876,13 @@ static int uas_slave_configure(struct scsi_device *sdev) - if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) - sdev->guess_capacity = 1; - -+ /* -+ * Some devices report generic values until the media has been -+ * accessed. Force a READ(10) prior to querying device -+ * characteristics. -+ */ -+ sdev->read_before_ms = 1; -+ - /* - * Some devices don't like MODE SENSE with page=0x3f, - * which is the command used for checking if a device -diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h -index d2751ed536df..1504d3137cc6 100644 ---- a/include/scsi/scsi_device.h -+++ b/include/scsi/scsi_device.h -@@ -204,6 +204,7 @@ struct scsi_device { - unsigned use_10_for_rw:1; /* first try 10-byte read / write */ - unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */ - unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */ -+ unsigned read_before_ms:1; /* perform a READ before MODE SENSE */ - unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */ - unsigned no_write_same:1; /* no WRITE SAME command */ - unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */ --- -2.43.0 - diff --git a/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch b/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch new file mode 100644 index 000000000..b21318ecc --- /dev/null +++ b/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch @@ -0,0 +1,141 @@ +From: Paolo Abeni <pabeni@redhat.com> +Date: Tue, 30 Apr 2024 15:53:37 +0200 +Subject: tipc: fix UAF in error path +Origin: https://git.kernel.org/linus/080cbb890286cd794f1ee788bbc5463e2deb7c2b + +Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported +a UAF in the tipc_buf_append() error path: + +BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0 +linux/net/core/skbuff.c:1183 +Read of size 8 at addr ffff88804d2a7c80 by task poc/8034 + +CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.16.0-debian-1.16.0-5 04/01/2014 +Call Trace: + <IRQ> + __dump_stack linux/lib/dump_stack.c:88 + dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106 + print_address_description linux/mm/kasan/report.c:377 + print_report+0xc4/0x620 linux/mm/kasan/report.c:488 + kasan_report+0xda/0x110 linux/mm/kasan/report.c:601 + kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183 + skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026 + skb_release_all linux/net/core/skbuff.c:1094 + __kfree_skb linux/net/core/skbuff.c:1108 + kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144 + kfree_skb linux/./include/linux/skbuff.h:1244 + tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186 + tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324 + tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824 + tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159 + tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390 + udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108 + udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186 + udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346 + __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422 + ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233 + NF_HOOK linux/./include/linux/netfilter.h:314 + NF_HOOK linux/./include/linux/netfilter.h:308 + ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254 + dst_input linux/./include/net/dst.h:461 + ip_rcv_finish linux/net/ipv4/ip_input.c:449 + NF_HOOK linux/./include/linux/netfilter.h:314 + NF_HOOK linux/./include/linux/netfilter.h:308 + ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569 + __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534 + __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648 + process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976 + __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576 + napi_poll linux/net/core/dev.c:6645 + net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781 + __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553 + do_softirq linux/kernel/softirq.c:454 + do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441 + </IRQ> + <TASK> + __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381 + local_bh_enable linux/./include/linux/bottom_half.h:33 + rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851 + __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378 + dev_queue_xmit linux/./include/linux/netdevice.h:3169 + neigh_hh_output linux/./include/net/neighbour.h:526 + neigh_output linux/./include/net/neighbour.h:540 + ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235 + __ip_finish_output linux/net/ipv4/ip_output.c:313 + __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295 + ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323 + NF_HOOK_COND linux/./include/linux/netfilter.h:303 + ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433 + dst_output linux/./include/net/dst.h:451 + ip_local_out linux/net/ipv4/ip_output.c:129 + ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492 + udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963 + udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250 + inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850 + sock_sendmsg_nosec linux/net/socket.c:730 + __sock_sendmsg linux/net/socket.c:745 + __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191 + __do_sys_sendto linux/net/socket.c:2203 + __se_sys_sendto linux/net/socket.c:2199 + __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199 + do_syscall_x64 linux/arch/x86/entry/common.c:52 + do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120 +RIP: 0033:0x7f3434974f29 +Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48 +RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29 +RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003 +RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + </TASK> + +In the critical scenario, either the relevant skb is freed or its +ownership is transferred into a frag_lists. In both cases, the cleanup +code must not free it again: we need to clear the skb reference earlier. + +Fixes: 1149557d64c9 ("tipc: eliminate unnecessary linearization of incoming buffers") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23852 +Acked-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Link: https://lore.kernel.org/r/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +--- + net/tipc/msg.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index 5c9fd4791c4b..9a6e9bcbf694 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -156,6 +156,11 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (!head) + goto err; + ++ /* Either the input skb ownership is transferred to headskb ++ * or the input skb is freed, clear the reference to avoid ++ * bad access on error path. ++ */ ++ *buf = NULL; + if (skb_try_coalesce(head, frag, &headstolen, &delta)) { + kfree_skb_partial(frag, headstolen); + } else { +@@ -179,7 +184,6 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + *headbuf = NULL; + return 1; + } +- *buf = NULL; + return 0; + err: + kfree_skb(*buf); +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch new file mode 100644 index 000000000..0b0ac04c6 --- /dev/null +++ b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch @@ -0,0 +1,38 @@ +From: Xin Long <lucien.xin@gmail.com> +Date: Tue, 30 Apr 2024 10:03:38 -0400 +Subject: tipc: fix a possible memleak in tipc_buf_append +Origin: https://git.kernel.org/linus/97bf6f81b29a8efaf5d0983251a7450e5794370d + +__skb_linearize() doesn't free the skb when it fails, so move +'*buf = NULL' after __skb_linearize(), so that the skb can be +freed on the err path. + +Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs") +Reported-by: Paolo Abeni <pabeni@redhat.com> +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Reviewed-by: Simon Horman <horms@kernel.org> +Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au> +Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +--- + net/tipc/msg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index 9a6e9bcbf694..76284fc538eb 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -142,9 +142,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (fragid == FIRST_FRAGMENT) { + if (unlikely(head)) + goto err; +- *buf = NULL; + if (skb_has_frag_list(frag) && __skb_linearize(frag)) + goto err; ++ *buf = NULL; + frag = skb_unshare(frag, GFP_ATOMIC); + if (unlikely(!frag)) + goto err; +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch deleted file mode 100644 index bfb6301cf..000000000 --- a/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> -Date: Mon, 31 Jul 2023 15:59:42 -0300 -Subject: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc -Origin: https://git.kernel.org/linus/67c37756898a5a6b2941a13ae7260c89b54e0d88 -Bug-Debian: https://bugs.debian.org/1068770 - -Any unprivileged user can attach N_GSM0710 ldisc, but it requires -CAP_NET_ADMIN to create a GSM network anyway. - -Require initial namespace CAP_NET_ADMIN to do that. - -Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> -Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/tty/n_gsm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c -index 1cdefac4dd1b..c7a787f10a9c 100644 ---- a/drivers/tty/n_gsm.c -+++ b/drivers/tty/n_gsm.c -@@ -3576,6 +3576,9 @@ static int gsmld_open(struct tty_struct *tty) - { - struct gsm_mux *gsm; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (tty->ops->write == NULL) - return -EINVAL; - --- -2.43.0 - diff --git a/debian/patches/series b/debian/patches/series index a8afed1fd..2ae6bae6f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -103,9 +103,6 @@ features/arm64/quartz64/arm64-dts-rockchip-Add-SOQuartz-Model-A-baseboard.patch # Miscellaneous bug fixes bugfix/all/disable-some-marvell-phys.patch bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch -bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch -bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch -bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch # Miscellaneous features @@ -123,7 +120,8 @@ features/all/db-mok-keyring/trust-machine-keyring-by-default.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch -bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch +bugfix/all/tipc-fix-UAF-in-error-path.patch +bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |