From 4cf3615cbca55fa4d71454f20acfe0320333bde2 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon <kbuild@suse.de>
Date: Mar 21 2025 06:18:26 +0000
Subject: Merge branch 'cve/linux-5.3-LTSS' into SLE15-SP3-LTSS
---
diff --git a/patches.suse/udp-fix-race-between-close-and-udp_abort.patch b/patches.suse/udp-fix-race-between-close-and-udp_abort.patch
new file mode 100644
index 0000000..65aab5d
--- /dev/null
+++ b/patches.suse/udp-fix-race-between-close-and-udp_abort.patch
@@ -0,0 +1,73 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 9 Jun 2021 11:49:01 +0200
+Subject: udp: fix race between close() and udp_abort()
+Git-commit: a8b897c7bcd47f4147d066e22cc01d1026d7640e
+References: CVE-2021-47248 bsc#1224867
+Patch-mainline: v5.13-rc7
+
+Kaustubh reported and diagnosed a panic in udp_lib_lookup().
+The root cause is udp_abort() racing with close(). Both
+racing functions acquire the socket lock, but udp{v6}_destroy_sock()
+release it before performing destructive actions.
+
+We can't easily extend the socket lock scope to avoid the race,
+instead use the SOCK_DEAD flag to prevent udp_abort from doing
+any action when the critical race happens.
+
+Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>
+Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Pedro Falcato <pfalcato@suse.de>
+---
+ net/ipv4/udp.c | 10 ++++++++++
+ net/ipv6/udp.c | 3 +++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 15f5504adf5b..1307ad0d3b9e 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2607,6 +2607,9 @@ void udp_destroy_sock(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ bool slow = lock_sock_fast(sk);
++
++ /* protects from races with udp_abort() */
++ sock_set_flag(sk, SOCK_DEAD);
+ udp_flush_pending_frames(sk);
+ unlock_sock_fast(sk, slow);
+ if (static_branch_unlikely(&udp_encap_needed_key)) {
+@@ -2857,10 +2860,17 @@ int udp_abort(struct sock *sk, int err)
+ {
+ lock_sock(sk);
+
++ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing
++ * with close()
++ */
++ if (sock_flag(sk, SOCK_DEAD))
++ goto out;
++
+ sk->sk_err = err;
+ sk->sk_error_report(sk);
+ __udp_disconnect(sk, 0);
+
++out:
+ release_sock(sk);
+
+ return 0;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 199b080d418a..3fcd86f4dfdc 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1598,6 +1598,9 @@ void udpv6_destroy_sock(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ lock_sock(sk);
++
++ /* protects from races with udp_abort() */
++ sock_set_flag(sk, SOCK_DEAD);
+ udp_v6_flush_pending_frames(sk);
+ release_sock(sk);
+
+
diff --git a/series.conf b/series.conf
index 438082e..9ad8209 100644
--- a/series.conf
+++ b/series.conf
@@ -51718,6 +51718,7 @@
 patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch
 patches.suse/net-dsa-felix-re-enable-TX-flow-control-in-ocelot_po.patch
 patches.suse/net-ena-fix-DMA-mapping-function-issues-in-XDP.patch
+ patches.suse/udp-fix-race-between-close-and-udp_abort.patch
 patches.suse/mac80211-remove-warning-in-ieee80211_get_sband.patch
 patches.suse/mac80211_hwsim-drop-pending-frames-on-stop.patch
 patches.suse/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
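Review bot: The early exit added to udp_abort() in net/ipv4/udp.c still falls through to `return 0`, so a SOCK_DESTROY requester cannot tell a socket it aborted from one that close() was already tearing down; that is presumably intentional, but the comment does not say so. I would extend it to `/* udp{v6}_destroy_sock() sets SOCK_DEAD under the sk lock; if close() got there first, skip the disconnect and still report success */`. The guard only works if every destroy path sets the flag before it drops the lock, which the two `sock_set_flag(sk, SOCK_DEAD)` additions do for udp_destroy_sock() and udpv6_destroy_sock(); their one-line comments could say what is protected, e.g. `/* set before unlocking so a later udp_abort() skips __udp_disconnect() */`. The bodies of all three functions continue outside the inner hunks, so any other teardown path cannot be checked from this patch alone.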