diff --git a/patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch b/patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch
new file mode 100644
index 0000000..2c42120
--- /dev/null
+++ b/patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch
@@ -0,0 +1,34 @@
+From: Pietro Borrello
+Date: Thu, 9 Feb 2023 12:26:23 +0000
+Subject: rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
+Git-commit: 68762148d1b011d47bc2ceed7321739b5aea1e63
+Patch-mainline: v6.3-rc1
+References: CVE-2023-1078 bsc#1208601
+
+rds_rm_zerocopy_callback() uses list_add_tail() with swapped
+arguments. This links the list head with the new entry, losing
+the references to the remaining part of the list.
+
+Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification")
+Suggested-by: Paolo Abeni
+Signed-off-by: Pietro Borrello
+Signed-off-by: David S. Miller
+Acked-by: Miroslav Franc
+---
+ net/rds/message.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rds/message.c b/net/rds/message.c
+index c19c93561227..7af59d2443e5 100644
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -118,7 +118,7 @@ static void rds_rm_zerocopy_callback(struct rds_sock *rs,
+ ck = &info->zcookies;
+ memset(ck, 0, sizeof(*ck));
+ WARN_ON(!rds_zcookie_add(info, cookie));
+- list_add_tail(&q->zcookie_head, &info->rs_zcookie_next);
++ list_add_tail(&info->rs_zcookie_next, &q->zcookie_head);
+
+ spin_unlock_irqrestore(&q->lock, flags);
+ /* caller invokes rds_wake_sk_sleep() */
+
diff --git a/patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch b/patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
new file mode 100644
index 0000000..a5a7c06
--- /dev/null
+++ b/patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
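Review bot: In the net/rds/message.c hunk of the correct-order patch, the fixed `list_add_tail(&info->rs_zcookie_next, &q->zcookie_head);` call carries nothing that tells the next editor which argument is the new node and which is the list head. Both arguments are `struct list_head *`, so the swapped form this patch removes compiled without a diagnostic, and the commit message says it lost the references to the rest of the list. I would put a one-line comment above the call, `/* list_add_tail(new, head): queue info at the tail of q->zcookie_head */`. rds_rm_zerocopy_callback() starts above the hunk, so the lock acquisition that pairs with the visible spin_unlock_irqrestore() is not shown here.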
@@ -0,0 +1,40 @@
+From: Pietro Borrello
+Date: Tue, 7 Feb 2023 18:26:34 +0000
+Subject: rds: rds_rm_zerocopy_callback() use list_first_entry()
+Git-commit: f753a68980cf4b59a80fe677619da2b1804f526d
+Patch-mainline: v6.2-rc8
+References: CVE-2023-1078 bsc#1208601
+
+rds_rm_zerocopy_callback() uses list_entry() on the head of a list
+causing a type confusion.
+Use list_first_entry() to actually access the first element of the
+rs_zcookie_queue list.
+
+Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification")
+Reviewed-by: Willem de Bruijn
+Signed-off-by: Pietro Borrello
+Link: https://lore.kernel.org/r/20230202-rds-zerocopy-v3-1-83b0df974f9a@diag.uniroma1.it
+Signed-off-by: Paolo Abeni
+Acked-by: Miroslav Franc
+---
+ net/rds/message.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/rds/message.c b/net/rds/message.c
+index b47e4f0a1639..c19c93561227 100644
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -104,9 +104,9 @@ static void rds_rm_zerocopy_callback(struct rds_sock *rs,
+ spin_lock_irqsave(&q->lock, flags);
+ head = &q->zcookie_head;
+ if (!list_empty(head)) {
+- info = list_entry(head, struct rds_msg_zcopy_info,
+- rs_zcookie_next);
+- if (info && rds_zcookie_add(info, cookie)) {
++ info = list_first_entry(head, struct rds_msg_zcopy_info,
++ rs_zcookie_next);
++ if (rds_zcookie_add(info, cookie)) {
+ spin_unlock_irqrestore(&q->lock, flags);
+ kfree(rds_info_from_znotifier(znotif));
+ /* caller invokes rds_wake_sk_sleep() */
+
diff --git a/series.conf b/series.conf
index 2208bc5..5d70e6d 100644
--- a/series.conf
+++ b/series.conf
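Review bot: In the net/rds/message.c hunk of the list_first_entry patch, the new `info = list_first_entry(head, struct rds_msg_zcopy_info, rs_zcookie_next);` is only valid because it sits inside `if (!list_empty(head))`, and nothing on the new lines records that dependency. On an empty list, list_first_entry() derives the containing struct from the head itself, which is the same type confusion the commit message describes for list_entry(). Since the `info &&` test is dropped in the same change, I would add a comment above the assignment such as `/* head is non-empty here; list_first_entry() must not run on an empty list */` so a later refactor does not move the lookup out of the guard. The function begins before the hunk and the `if` block closes after it.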
@@ -36874,9 +36874,11 @@
 patches.suse/gsmi-fix-null-deref-in-gsmi_get_variable.patch
 patches.suse/VMCI-Use-threaded-irqs-instead-of-tasklets.patch
 patches.suse/module-Don-t-wait-for-GOING-modules.patch
+ patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
 patches.suse/Fix-page-corruption-caused-by-racy-check-in-__free_pages.patch
 patches.suse/fbdev-Fix-invalid-page-access-after-closing-deferred.patch
 patches.suse/ibmvnic-Toggle-between-queue-types-in-affinity-mappi.patch
+ patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch
 patches.suse/ipmi-ssif-resend_msg-cannot-fail.patch
 patches.suse/ipmi_ssif-Rename-idle-state-and-check.patch
 patches.suse/ipmi-ssif-Remove-rtc_us_timer.patch