From b12ae58735deaa463ef6e44f051cfd745f1a5e59 Mon Sep 17 00:00:00 2001
From: Miroslav Franc
Date: Mar 14 2023 09:27:59 +0000
Subject: rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078 bsc#1208601).
---
diff --git a/patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch b/patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
new file mode 100644
index 0000000..a5a7c06
--- /dev/null
+++ b/patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
@@ -0,0 +1,40 @@
+From: Pietro Borrello
+Date: Tue, 7 Feb 2023 18:26:34 +0000
+Subject: rds: rds_rm_zerocopy_callback() use list_first_entry()
+Git-commit: f753a68980cf4b59a80fe677619da2b1804f526d
+Patch-mainline: v6.2-rc8
+References: CVE-2023-1078 bsc#1208601
+
+rds_rm_zerocopy_callback() uses list_entry() on the head of a list
+causing a type confusion.
+Use list_first_entry() to actually access the first element of the
+rs_zcookie_queue list.
+
+Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification")
+Reviewed-by: Willem de Bruijn
+Signed-off-by: Pietro Borrello
+Link: https://lore.kernel.org/r/20230202-rds-zerocopy-v3-1-83b0df974f9a@diag.uniroma1.it
+Signed-off-by: Paolo Abeni
+Acked-by: Miroslav Franc
+---
+ net/rds/message.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/rds/message.c b/net/rds/message.c
+index b47e4f0a1639..c19c93561227 100644
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -104,9 +104,9 @@ static void rds_rm_zerocopy_callback(struct rds_sock *rs,
+ spin_lock_irqsave(&q->lock, flags);
+ head = &q->zcookie_head;
+ if (!list_empty(head)) {
+- info = list_entry(head, struct rds_msg_zcopy_info,
+- rs_zcookie_next);
+- if (info && rds_zcookie_add(info, cookie)) {
++ info = list_first_entry(head, struct rds_msg_zcopy_info,
++ rs_zcookie_next);
++ if (rds_zcookie_add(info, cookie)) {
+ spin_unlock_irqrestore(&q->lock, flags);
+ kfree(rds_info_from_znotifier(znotif));
+ /* caller invokes rds_wake_sk_sleep() */
+
diff --git a/series.conf b/series.conf
index 0aa9a6c..c8423ef 100644
--- a/series.conf
+++ b/series.conf
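Review bot: The dropped `info &&` guard on the new `if (rds_zcookie_add(info, cookie))` line is not explained anywhere in the added patch description, which only covers the list_entry() to list_first_entry() swap. Dropping it is correct, because the enclosing `if (!list_empty(head))` has already established a real first element and list_first_entry() then yields that element's container rather than NULL, so the guard was dead code, but the next backporter reading this patch file has to derive that themselves. A line in the description such as `The info NULL check is dropped: with !list_empty() already checked, list_first_entry() cannot return NULL.` would close that gap. The "type confusion" the description names is, as far as the hunk shows, the old list_entry() treating the list head itself as a struct rds_msg_zcopy_info, so rds_zcookie_add() operated on the wrong object; stating which object was being written would help anyone assessing the fix's scope. The nested hunk shows only a window of rds_rm_zerocopy_callback(): the function begins before it and the unlock/kfree success path continues past its last line.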
@@ -36871,6 +36871,7 @@
 patches.suse/gsmi-fix-null-deref-in-gsmi_get_variable.patch
 patches.suse/VMCI-Use-threaded-irqs-instead-of-tasklets.patch
 patches.suse/module-Don-t-wait-for-GOING-modules.patch
+ patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
 patches.suse/Fix-page-corruption-caused-by-racy-check-in-__free_pages.patch
 patches.suse/ibmvnic-Toggle-between-queue-types-in-affinity-mappi.patch
 patches.suse/ipmi-ssif-resend_msg-cannot-fail.patch