From 4cf3615cbca55fa4d71454f20acfe0320333bde2 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon <kbuild@suse.de>
Date: Mar 21 2025 06:18:26 +0000
Subject: Merge branch 'cve/linux-5.3-LTSS' into SLE15-SP3-LTSS


---

diff --git a/patches.suse/udp-fix-race-between-close-and-udp_abort.patch b/patches.suse/udp-fix-race-between-close-and-udp_abort.patch
new file mode 100644
index 0000000..65aab5d
--- /dev/null
+++ b/patches.suse/udp-fix-race-between-close-and-udp_abort.patch
@@ -0,0 +1,73 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 9 Jun 2021 11:49:01 +0200
+Subject: udp: fix race between close() and udp_abort()
+Git-commit: a8b897c7bcd47f4147d066e22cc01d1026d7640e
+References: CVE-2021-47248 bsc#1224867
+Patch-mainline: v5.13-rc7
+
+Kaustubh reported and diagnosed a panic in udp_lib_lookup().
+The root cause is udp_abort() racing with close(). Both
+racing functions acquire the socket lock, but udp{v6}_destroy_sock()
+release it before performing destructive actions.
+
+We can't easily extend the socket lock scope to avoid the race,
+instead use the SOCK_DEAD flag to prevent udp_abort from doing
+any action when the critical race happens.
+
+Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>
+Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Pedro Falcato <pfalcato@suse.de>
+---
+ net/ipv4/udp.c | 10 ++++++++++
+ net/ipv6/udp.c |  3 +++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 15f5504adf5b..1307ad0d3b9e 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2607,6 +2607,9 @@ void udp_destroy_sock(struct sock *sk)
+ {
+ 	struct udp_sock *up = udp_sk(sk);
+ 	bool slow = lock_sock_fast(sk);
++
++	/* protects from races with udp_abort() */
++	sock_set_flag(sk, SOCK_DEAD);
+ 	udp_flush_pending_frames(sk);
+ 	unlock_sock_fast(sk, slow);
+ 	if (static_branch_unlikely(&udp_encap_needed_key)) {
+@@ -2857,10 +2860,17 @@ int udp_abort(struct sock *sk, int err)
+ {
+ 	lock_sock(sk);
+ 
++	/* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing
++	 * with close()
++	 */
++	if (sock_flag(sk, SOCK_DEAD))
++		goto out;
++
+ 	sk->sk_err = err;
+ 	sk->sk_error_report(sk);
+ 	__udp_disconnect(sk, 0);
+ 
++out:
+ 	release_sock(sk);
+ 
+ 	return 0;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 199b080d418a..3fcd86f4dfdc 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1598,6 +1598,9 @@ void udpv6_destroy_sock(struct sock *sk)
+ {
+ 	struct udp_sock *up = udp_sk(sk);
+ 	lock_sock(sk);
++
++	/* protects from races with udp_abort() */
++	sock_set_flag(sk, SOCK_DEAD);
+ 	udp_v6_flush_pending_frames(sk);
+ 	release_sock(sk);
+ 
+
diff --git a/series.conf b/series.conf
index 438082e..9ad8209 100644
--- a/series.conf
+++ b/series.conf
@@ -51718,6 +51718,7 @@
 	patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch
 	patches.suse/net-dsa-felix-re-enable-TX-flow-control-in-ocelot_po.patch
 	patches.suse/net-ena-fix-DMA-mapping-function-issues-in-XDP.patch
+	patches.suse/udp-fix-race-between-close-and-udp_abort.patch
 	patches.suse/mac80211-remove-warning-in-ieee80211_get_sband.patch
 	patches.suse/mac80211_hwsim-drop-pending-frames-on-stop.patch
 	patches.suse/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch