From 590edab0337cb3b85226598ba1054b9bad296d4a Mon Sep 17 00:00:00 2001
From: Miroslav Franc
Date: Mar 14 2023 09:27:59 +0000
Subject: rds: rds_rm_zerocopy_callback() correct order for list_add_tail() (CVE-2023-1078 bsc#1208601).
---
diff --git a/patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch b/patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch
new file mode 100644
index 0000000..2c42120
--- /dev/null
+++ b/patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch
@@ -0,0 +1,34 @@
+From: Pietro Borrello
+Date: Thu, 9 Feb 2023 12:26:23 +0000
+Subject: rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
+Git-commit: 68762148d1b011d47bc2ceed7321739b5aea1e63
+Patch-mainline: v6.3-rc1
+References: CVE-2023-1078 bsc#1208601
+
+rds_rm_zerocopy_callback() uses list_add_tail() with swapped
+arguments. This links the list head with the new entry, losing
+the references to the remaining part of the list.
+
+Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification")
+Suggested-by: Paolo Abeni
+Signed-off-by: Pietro Borrello
+Signed-off-by: David S. Miller
+Acked-by: Miroslav Franc
+---
+ net/rds/message.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rds/message.c b/net/rds/message.c
+index c19c93561227..7af59d2443e5 100644
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -118,7 +118,7 @@ static void rds_rm_zerocopy_callback(struct rds_sock *rs,
+ ck = &info->zcookies;
+ memset(ck, 0, sizeof(*ck));
+ WARN_ON(!rds_zcookie_add(info, cookie));
+- list_add_tail(&q->zcookie_head, &info->rs_zcookie_next);
++ list_add_tail(&info->rs_zcookie_next, &q->zcookie_head);
+
+ spin_unlock_irqrestore(&q->lock, flags);
+ /* caller invokes rds_wake_sk_sleep() */
+
diff --git a/series.conf b/series.conf
index c8423ef..65395d0 100644
--- a/series.conf
+++ b/series.conf
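Review bot: The corrected call `list_add_tail(&info->rs_zcookie_next, &q->zcookie_head);` in the embedded net/rds/message.c hunk still has no comment recording which argument is the new node and which is the queue head. That ordering is exactly what was wrong, and both arguments are `struct list_head *`, so the compiler will not catch a swap. I would add a one-line comment above it, for example `/* list_add_tail(new, head): append info to the tail of q->zcookie_head */`. The preceding context line `WARN_ON(!rds_zcookie_add(info, cookie));` only warns, so `info` is linked into the queue even if the add reported failure; presumably it cannot fail right after the `memset`, but a short comment stating that invariant would help. The body of `rds_rm_zerocopy_callback()` starts and ends outside the hunk, so the locking and the earlier list lookup cannot be checked from here.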
@@ -36874,6 +36874,7 @@
 patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
 patches.suse/Fix-page-corruption-caused-by-racy-check-in-__free_pages.patch
 patches.suse/ibmvnic-Toggle-between-queue-types-in-affinity-mappi.patch
+ patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch
 patches.suse/ipmi-ssif-resend_msg-cannot-fail.patch
 patches.suse/ipmi_ssif-Rename-idle-state-and-check.patch
 patches.suse/ipmi-ssif-Remove-rtc_us_timer.patch