From: Xiangyu Chen <xiangyu.chen(a)windriver.com>
Following series is a backport of CVE-2024-36915
The fix is "nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies"
This required 1 extra commit to make sure the picks are clean:
net: add copy_safe_from_sockptr() helper
Eric Dumazet (2):
net: add copy_safe_from_sockptr() helper
nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
include/linux/sockptr.h | 25 +++++++++++++++++++++++++
net/nfc/llcp_sock.c | 12 ++++++------
2 files changed, 31 insertions(+), 6 deletions(-)
--
2.43.0
Greg recently reported 3 patches that could not be applied without
conflict in v6.1:
- e0266319413d ("mptcp: update local address flags when setting it")
- f642c5c4d528 ("mptcp: hold pm lock when deleting entry")
- db3eab8110bc ("mptcp: pm: use _rcu variant under rcu_read_lock")
Conflicts, if any, have been resolved, and documented in each patch.
Note that there are 3 extra patches added to avoid some conflicts:
- 14cb0e0bf39b ("mptcp: define more local variables sk")
- 06afe09091ee ("mptcp: add userspace_pm_lookup_addr_by_id helper")
- af250c27ea1c ("mptcp: drop lookup_by_id in lookup_addr")
The Stable-dep-of tags have been added to these patches.
1 extra patch has been included, it is supposed to be backported, but it
was missing the Cc stable tag and it had conflicts:
- ce7356ae3594 ("mptcp: cope racing subflow creation in
mptcp_rcv_space_adjust")
Geliang Tang (5):
mptcp: define more local variables sk
mptcp: add userspace_pm_lookup_addr_by_id helper
mptcp: update local address flags when setting it
mptcp: hold pm lock when deleting entry
mptcp: drop lookup_by_id in lookup_addr
Matthieu Baerts (NGI0) (1):
mptcp: pm: use _rcu variant under rcu_read_lock
Paolo Abeni (1):
mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
net/mptcp/pm_netlink.c | 15 ++++----
net/mptcp/pm_userspace.c | 77 ++++++++++++++++++++++++++--------------
net/mptcp/protocol.c | 3 +-
3 files changed, 60 insertions(+), 35 deletions(-)
--
2.45.2
From: Paolo Abeni <pabeni(a)redhat.com>
commit ce7356ae35943cc6494cc692e62d51a734062b7d upstream.
Additional active subflows - i.e. created by the in kernel path
manager - are included into the subflow list before starting the
3whs.
A racing recvmsg() spooling data received on an already established
subflow would unconditionally call tcp_cleanup_rbuf() on all the
current subflows, potentially hitting a divide by zero error on
the newly created ones.
Explicitly check that the subflow is in a suitable state before
invoking tcp_cleanup_rbuf().
Fixes: c76c6956566f ("mptcp: call tcp_cleanup_rbuf on subflows")
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org>
Link: https://patch.msgid.link/02374660836e1b52afc91966b7535c8c5f7bafb0.173106087…
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
[ Conflicts in protocol.c, because commit f410cbea9f3d ("tcp: annotate
data-races around tp->window_clamp") has not been backported to this
version. The conflict is easy to resolve, because only the context is
different, but not the line to modify. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org>
---
net/mptcp/protocol.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 34c98596350e..bcbb1f92ce24 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1986,7 +1986,8 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied)
slow = lock_sock_fast(ssk);
WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf);
tcp_sk(ssk)->window_clamp = window_clamp;
- tcp_cleanup_rbuf(ssk, 1);
+ if (tcp_can_send_ack(ssk))
+ tcp_cleanup_rbuf(ssk, 1);
unlock_sock_fast(ssk, slow);
}
}
--
2.45.2
From: Xiangyu Chen <xiangyu.chen(a)windriver.com>
Backport to fix CVE-2024-36478
https://lore.kernel.org/linux-cve-announce/2024062136-CVE-2024-36478-d249@g…
The CVE fix is "null_blk: fix null-ptr-dereference while configuring 'power'
and 'submit_queues'"
This required 1 extra commit to make sure the picks are clean:
null_blk: Remove usage of the deprecated ida_simple_xx() API
Christophe JAILLET (1):
null_blk: Remove usage of the deprecated ida_simple_xx() API
Yu Kuai (1):
null_blk: fix null-ptr-dereference while configuring 'power' and
'submit_queues'
drivers/block/null_blk/main.c | 44 ++++++++++++++++++++++-------------
1 file changed, 28 insertions(+), 16 deletions(-)
--
2.43.0