From c120486a3cc2c59545e95b85ae9bc3f5d0f6ba90 Mon Sep 17 00:00:00 2001
From: Denis Kirjanov
Date: Jun 07 2022 11:05:50 +0000
Subject: Merge remote-tracking branch 'origin/SLE12-SP5' into SLE12-SP5_EMBARGO
---
diff --git a/patches.suse/netfilter-nf_tables-disallow-non-stateful-expression.patch b/patches.suse/netfilter-nf_tables-disallow-non-stateful-expression.patch
new file mode 100644
index 0000000..a7ceb77
--- /dev/null
+++ b/patches.suse/netfilter-nf_tables-disallow-non-stateful-expression.patch
@@ -0,0 +1,83 @@
+From: Pablo Neira Ayuso
+Date: Wed, 25 May 2022 10:36:38 +0200
+Subject: netfilter: nf_tables: disallow non-stateful expression in sets earlier
+Patch-mainline: v5.19-rc1
+Git-commit: 520778042ccca019f3ffa136dd0ca565c486cedd
+References: bsc#1200015
+
+Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
+instantiation"), it is possible to attach stateful expressions to set
+elements.
+
+cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
+and destroy phase") introduces conditional destruction on the object to
+accomodate transaction semantics.
+
+nft_expr_init() calls expr->ops->init() first, then check for
+NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful
+lookup expressions which points to a set, which might lead to UAF since
+the set is not properly detached from the set->binding for this case.
+Anyway, this combination is non-sense from nf_tables perspective.
+
+This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
+expr->ops->init() is called.
+
+The reporter provides a KASAN splat and a poc reproducer (similar to
+those autogenerated by syzbot to report use-after-free errors). It is
+unknown to me if they are using syzbot or if they use similar automated
+tool to locate the bug that they are reporting.
+
+For the record, this is the KASAN splat.
+
+[ 85.431824] ==================================================================
+[ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
+[ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
+[ 85.434756]
+[ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
+[ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+
+Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
+Reported-and-tested-by: Aaron Adams
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: Michal Kubecek
+
+---
+ net/netfilter/nf_tables_api.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1808,23 +1808,27 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
+
+ err = nf_tables_expr_parse(ctx, nla, &info);
+ if (err < 0)
+- goto err1;
++ goto err_expr_parse;
++
++ err = -EOPNOTSUPP;
++ if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
++ goto err_expr_stateful;
+
+ err = -ENOMEM;
+ expr = kzalloc(info.ops->size, GFP_KERNEL);
+ if (expr == NULL)
+- goto err2;
++ goto err_expr_stateful;
+
+ err = nf_tables_newexpr(ctx, &info, expr);
+ if (err < 0)
+- goto err3;
++ goto err_expr_new;
+
+ return expr;
+-err3:
++err_expr_new:
+ kfree(expr);
+-err2:
++err_expr_stateful:
+ module_put(info.ops->type->owner);
+-err1:
++err_expr_parse:
+ return ERR_PTR(err);
+ }
+
diff --git a/patches.suse/powerpc-numa-Prefer-node-id-queried-from-vphn.patch b/patches.suse/powerpc-numa-Prefer-node-id-queried-from-vphn.patch
new file mode 100644
index 0000000..8276c91
--- /dev/null
+++ b/patches.suse/powerpc-numa-Prefer-node-id-queried-from-vphn.patch
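Review bot: The added `NFT_EXPR_STATEFUL` test in `nft_expr_init()` has no comment saying that its position before `nf_tables_newexpr()` is the actual fix, so a later cleanup could move it back below the init call and reopen the use-after-free described in the message. I would put this above the test: `/* Must run before ->init(): a non-stateful lookup expression would bind a set that this error path never unbinds. */`. The test now applies to every caller of `nft_expr_init()`, and the callers are outside this hunk, so it is worth confirming in this tree that none of them legitimately passes a non-stateful expression and that any later `NFT_EXPR_STATEFUL` test they still carry is merely redundant. The commit message spells the flag `NFT_STATEFUL_EXPR` while the code uses `NFT_EXPR_STATEFUL`. The function body starts before the first line of the hunk.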
@@ -0,0 +1,61 @@
+From 6398eaa268168b528dd1d3d0e70e61e9c13bea23 Mon Sep 17 00:00:00 2001
+From: Srikar Dronamraju
+Date: Tue, 18 Aug 2020 13:41:03 +0530
+Subject: [PATCH] powerpc/numa: Prefer node id queried from vphn
+
+References: bsc#1199237 bsc#1200173 ltc#198329
+Patch-mainline: v5.10-rc1
+Git-commit: 6398eaa268168b528dd1d3d0e70e61e9c13bea23
+
+Node id queried from the static device tree may not
+be correct. For example: it may always show 0 on a shared processor.
+Hence prefer the node id queried from vphn and fallback on the device tree
+based node id if vphn query fails.
+
+Signed-off-by: Srikar Dronamraju
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20200818081104.57888-3-srikar@linux.vnet.ibm.com
+Acked-by: Michal Suchanek
+---
+ arch/powerpc/mm/numa.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
+index f63e1a41402f..9f0127cfb978 100644
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -728,21 +728,22 @@ static int __init parse_numa_properties(void)
+ */
+ for_each_present_cpu(i) {
+ struct device_node *cpu;
+- int nid;
+-
+- cpu = of_get_cpu_node(i, NULL);
+- BUG_ON(!cpu);
+- nid = of_node_to_nid_single(cpu);
+- of_node_put(cpu);
++ int nid = vphn_get_nid(i);
+
+ /*
+ * Don't fall back to default_nid yet -- we will plug
+ * cpus into nodes once the memory scan has discovered
+ * the topology.
+ */
+- if (nid < 0)
+- continue;
+- node_set_online(nid);
++ if (nid == NUMA_NO_NODE) {
++ cpu = of_get_cpu_node(i, NULL);
++ BUG_ON(!cpu);
++ nid = of_node_to_nid_single(cpu);
++ of_node_put(cpu);
++ }
++
++ if (likely(nid > 0))
++ node_set_online(nid);
+ }
+
+ get_n_mem_cells(&n_mem_addr_cells, &n_mem_size_cells);
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 77b200a..8bc3b2d 100644
--- a/series.conf
+++ b/series.conf
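Review bot: The new guard `if (likely(nid > 0))` at the end of the `for_each_present_cpu` loop no longer passes node 0 to `node_set_online()`, whereas the removed code skipped only `nid < 0`; the commit message does not mention this change. If node 0 is meant to be left alone at this point, a one-line comment on the guard saying so would prevent it from being read as an off-by-one; if it is not, `if (likely(nid >= 0))` keeps the previous behaviour. The retained comment about not falling back to default_nid now sits above the device-tree fallback instead of the check it described, and would read better directly above the `node_set_online()` guard. The loop belongs to `parse_numa_properties()`, which starts and ends outside the hunk.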
@@ -57842,6 +57842,7 @@ patches.suse/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch patches.suse/pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch patches.suse/powerepc-book3s64-hash-Align-start-end-address-corre.patch + patches.suse/powerpc-numa-Prefer-node-id-queried-from-vphn.patch patches.suse/powerpc-powernv-elog-Fix-race-while-processing-OPAL-.patch patches.suse/powerpc-pseries-add-new-branch-prediction-security-b.patch patches.suse/powerpc-rtas-Restrict-RTAS-requests-from-userspace.patch @@ -61314,6 +61315,7 @@ patches.suse/powerpc-xive-Fix-refcount-leak-in-xive_spapr_init.patch patches.suse/powerpc-64s-Add-CPU_FTRS_POWER9_DD2_2-to-CPU_FTRS_AL.patch patches.suse/powerpc-Enable-the-DAWR-on-POWER9-DD2.3-and-above.patch + patches.suse/netfilter-nf_tables-disallow-non-stateful-expression.patch patches.suse/net-sched-fixed-barrier-to-prevent-skbuff-sticking-i.patch # dhowells/linux-fs keys-uefi