From 7acce37729213194cb4b7be1db10d564ade390dc Mon Sep 17 00:00:00 2001
From: Oscar Salvador
Date: Sep 06 2022 05:05:37 +0000
Subject: Merge remote-tracking branch 'origin/cve/linux-5.3' into SLE15-SP3
---
diff --git a/patches.suse/mm-Force-TLB-flush-for-PFNMAP-mappings-before-unlink_file_vma.patch b/patches.suse/mm-Force-TLB-flush-for-PFNMAP-mappings-before-unlink_file_vma.patch
new file mode 100644
index 0000000..434a05f
--- /dev/null
+++ b/patches.suse/mm-Force-TLB-flush-for-PFNMAP-mappings-before-unlink_file_vma.patch
@@ -0,0 +1,54 @@
+From: Jann Horn
+Date: Wed, 31 Aug 2022 21:13:48 +0200
+Subject: mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
+Git-commit: b67fbebd4cf980aecbcc750e1462128bffe8ae15
+Patch-mainline: v5.19-rc8
+References: CVE-2022-39188, bsc#1203107
+
+commit b67fbebd4cf980aecbcc750e1462128bffe8ae15 upstream.
+
+Some drivers rely on having all VMAs through which a PFN might be
+accessible listed in the rmap for correctness.
+However, on X86, it was possible for a VMA with stale TLB entries
+to not be listed in the rmap.
+
+This was fixed in mainline with
+commit b67fbebd4cf9 ("mmu_gather: Force tlb-flush VM_PFNMAP vmas"),
+but that commit relies on preceding refactoring in
+commit 18ba064e42df3 ("mmu_gather: Let there be one tlb_{start,end}_vma()
+implementation") and commit 1e9fdf21a4339 ("mmu_gather: Remove per arch
+tlb_{start,end}_vma()").
+
+This patch provides equivalent protection without needing that
+refactoring, by forcing a TLB flush between removing PTEs in
+unmap_vmas() and the call to unlink_file_vma() in free_pgtables().
+
+[This is a stable-specific rewrite of the upstream commit!]
+Signed-off-by: Jann Horn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Vlastimil Babka
+---
+ mm/mmap.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2588,6 +2588,18 @@ static void unmap_region(struct mm_struc
+ tlb_gather_mmu(&tlb, mm, start, end);
+ update_hiwater_rss(mm);
+ unmap_vmas(&tlb, vma, start, end);
++
++ /*
++ * Ensure we have no stale TLB entries by the time this mapping is
++ * removed from the rmap.
++ * Note that we don't have to worry about nested flushes here because
++ * we're holding the mm semaphore for removing the mapping - so any
++ * concurrent flush in this region has to be coming through the rmap,
++ * and we synchronize against that using the rmap lock.
++ */
++ if ((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) != 0)
++ tlb_flush_mmu(&tlb);
++
+ free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS,
+ next ? next->vm_start : USER_PGTABLES_CEILING);
+ tlb_finish_mmu(&tlb, start, end);
diff --git a/patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch b/patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch
new file mode 100644
index 0000000..41aa872
--- /dev/null
+++ b/patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch
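Review bot: The new `if ((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) != 0)` test looks only at the head VMA, while the surrounding `unmap_vmas(&tlb, vma, start, end)` and `free_pgtables(&tlb, vma, ...)` calls operate on the whole [start, end) range, so a VM_PFNMAP/VM_MIXEDMAP VMA that is not the first one in the range would presumably still reach unlink_file_vma() without the forced flush — this assumes unmap_region() can be handed a multi-VMA range in this tree, which the hunk does not show. If it can, the check should walk the chain, e.g. `for (tmp = vma; tmp && tmp->vm_start < end; tmp = tmp->vm_next)` and call `tlb_flush_mmu(&tlb)` once any `tmp->vm_flags` carries those bits; if it cannot, a comment saying why the head VMA suffices would save the next reader the same question. The upstream commit the description cites is titled per-VMA ("Force tlb-flush VM_PFNMAP vmas"), which is why a stable rewrite placed at the range level has to cover every VMA explicitly. unmap_region() begins and ends outside the hunk.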
@@ -0,0 +1,38 @@
+From: David Leadbeater
+Date: Fri, 26 Aug 2022 14:56:58 +1000
+Subject: netfilter: nf_conntrack_irc: Fix forged IP logic
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git
+Git-commit: 0efe125cfb99e6773a7434f3463f7c2fa28f3a43
+References: CVE-2022-2663 bsc#1202097
+
+Ensure the match happens in the right direction, previously the
+destination used was the server, not the NAT host, as the comment
+shows the code intended.
+
+Additionally nf_nat_irc uses port 0 as a signal and there's no valid way
+it can appear in a DCC message, so consider port 0 also forged.
+
+Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
+Signed-off-by: David Leadbeater
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: Michal Kubecek
+
+---
+ net/netfilter/nf_conntrack_irc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_irc.c
++++ b/net/netfilter/nf_conntrack_irc.c
+@@ -185,8 +185,9 @@ static int help(struct sk_buff *skb, unsigned int protoff,
+
+ /* dcc_ip can be the internal OR external (NAT'ed) IP */
+ tuple = &ct->tuplehash[dir].tuple;
+- if (tuple->src.u3.ip != dcc_ip &&
+- tuple->dst.u3.ip != dcc_ip) {
++ if ((tuple->src.u3.ip != dcc_ip &&
++ ct->tuplehash[!dir].tuple.dst.u3.ip != dcc_ip) ||
++ dcc_port == 0) {
+ net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n",
+ &tuple->src.u3.ip,
+ &dcc_ip, dcc_port);
diff --git a/patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch b/patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch
new file mode 100644
index 0000000..39e082b
--- /dev/null
+++ b/patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch
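Review bot: The rewritten condition now compares `tuple->src.u3.ip` of this direction with `ct->tuplehash[!dir].tuple.dst.u3.ip` of the reply direction, but the comment kept above it, `/* dcc_ip can be the internal OR external (NAT'ed) IP */`, no longer says which tuple supplies which address, and the new `dcc_port == 0` clause is explained only in the commit message. Suggest replacing that comment with `/* dcc_ip must be the sender as seen on this side, or its NATed address, i.e. the destination of the reply direction; port 0 is reserved by nf_nat_irc as a marker and is never valid here */`. The rate-limited warning still prints only `&tuple->src.u3.ip`, so when the reply-direction comparison is the one that rejects the packet, the address actually compared does not appear in the log — presumably acceptable, but worth knowing when triaging these warnings. help() begins and ends outside the hunk.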
@@ -0,0 +1,70 @@
+From: David Leadbeater
+Date: Fri, 26 Aug 2022 14:56:57 +1000
+Subject: netfilter: nf_conntrack_irc: Tighten matching on DCC message
+Patch-mainline: Submitted - 2022-08-26 - 20220826045658.100360-1-dgl@dgl.cx
+References: CVE-2022-2663 bsc#1202097
+
+CTCP messages should only be at the start of an IRC message, not
+anywhere within it.
+
+Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
+Signed-off-by: David Leadbeater
+Acked-by: Michal Kubecek
+---
+ net/netfilter/nf_conntrack_irc.c | 34 ++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_irc.c
++++ b/net/netfilter/nf_conntrack_irc.c
+@@ -148,15 +148,37 @@ static int help(struct sk_buff *skb, unsigned int protoff,
+ data = ib_ptr;
+ data_limit = ib_ptr + skb->len - dataoff;
+
+- /* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24
+- * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */
+- while (data < data_limit - (19 + MINMATCHLEN)) {
+- if (memcmp(data, "\1DCC ", 5)) {
++ /* Skip any whitespace */
++ while (data < data_limit - 10) {
++ if (*data == ' ' || *data == '\r' || *data == '\n')
++ data++;
++ else
++ break;
++ }
++
++ /* strlen("PRIVMSG x ")=10 */
++ if (data < data_limit - 10) {
++ if (strncasecmp("PRIVMSG ", data, 8))
++ goto out;
++ data += 8;
++ }
++
++ /* strlen(" :\1DCC SENT t AAAAAAAA P\1\n")=26
++ * 7+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=26
++ */
++ while (data < data_limit - (21 + MINMATCHLEN)) {
++ /* Find first " :", the start of message */
++ if (memcmp(data, " :", 2)) {
+ data++;
+ continue;
+ }
++ data += 2;
++
++ /* then check that place only for the DCC command */
++ if (memcmp(data, "\1DCC ", 5))
++ goto out;
+ data += 5;
+- /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */
++ /* we have at least (21+MINMATCHLEN)-(2+5) bytes valid data left */
+
+ iph = ip_hdr(skb);
+ pr_debug("DCC found in master %pI4:%u %pI4:%u\n",
+@@ -172,7 +194,7 @@ static int help(struct sk_buff 
*skb, unsigned int protoff,
+ pr_debug("DCC %s detected\n", dccprotos[i]);
+
+ /* we have at least
+- * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
++ * (21+MINMATCHLEN)-7-dccprotos[i].matchlen bytes valid
+ * data left (== 14/13 bytes) */
+ if (parse_dcc(data, data_limit, &dcc_ip,
+ &dcc_port, &addr_beg_p, &addr_end_p)) {
diff --git a/series.conf b/series.conf
index ac4f3d5..2aee049 100644
--- a/series.conf
+++ b/series.conf
@@ -56539,6 +56539,7 @@
 patches.suse/power-reset-arm-versatile-Fix-refcount-leak-in-versa.patch
 patches.suse/x86-bugs-remove-apostrophe-typo.patch
 patches.suse/lockdown-Fix-kexec-lockdown-bypass-with-ima-policy.patch
+ patches.suse/mm-Force-TLB-flush-for-PFNMAP-mappings-before-unlink_file_vma.patch
 patches.suse/xfrm-xfrm_policy-fix-a-possible-double-xfrm_pols_put.patch
 patches.suse/gpio-pca953x-only-use-single-read-write-for-No-AI-mo.patch
 patches.suse/gpio-pca953x-use-the-correct-range-when-do-regmap-sy.patch
@@ -56960,6 +56961,9 @@
 patches.suse/Input-iforce-wake-up-after-clearing-IFORCE_XMIT_RUNN.patch
 patches.suse/gpio-pca953x-Add-mutex_lock-for-regcache-sync-in-PM.patch
+ # netdev/net
+ patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch
+
 # mkp/scsi queue
 patches.suse/scsi-lpfc-Fix-unsolicited-FLOGI-receive-handling-dur.patch
 patches.suse/scsi-lpfc-Fix-null-ndlp-ptr-dereference-in-abnormal-.patch
@@ -57013,6 +57017,7 @@
 patches.suse/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch
 patches.suse/netfilter-nf_tables-stricter-validation-of-element-d.patch
 patches.suse/bpf-Don-t-use-tnum_range-on-array-range-checking-for.patch
+ patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch
 ########################################################
 # kbuild/module infrastructure fixes
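Review bot: Once the `PRIVMSG ` prefix is consumed, the new loop takes the first `" :"` it finds as the start of the message and jumps to `out` when it is not followed by `\1DCC `, so a segment that carries several IRC lines is only examined up to its first message; that matches the description's intent (CTCP only at the start of a message) but narrows coverage compared with the previous whole-segment scan for `\1DCC `, and deserves a comment above the `goto out`, e.g. `/* Only the first message in the segment is inspected; a non-DCC trailer ends parsing */`. The `if (data < data_limit - 10)` guard also silently skips the PRIVMSG check for short payloads, which is harmless only because the following `while` bound `(21 + MINMATCHLEN)` is larger — a one-line comment on the guard stating that dependency would keep a later change to either bound from reopening the hole. help() begins and ends outside the hunk.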