fixes for 5.3
authorSasha Levin <sashal@kernel.org>
Sat, 26 Oct 2019 16:44:33 +0000 (12:44 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 26 Oct 2019 16:44:33 +0000 (12:44 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.3/lsm-safesetid-stop-releasing-uninitialized-ruleset.patch [new file with mode: 0644]
queue-5.3/rxrpc-use-rcu-protection-while-reading-sk-sk_user_da.patch [new file with mode: 0644]
queue-5.3/series

diff --git a/queue-5.3/lsm-safesetid-stop-releasing-uninitialized-ruleset.patch b/queue-5.3/lsm-safesetid-stop-releasing-uninitialized-ruleset.patch
new file mode 100644 (file)
index 0000000..b293724
--- /dev/null
@@ -0,0 +1,39 @@
+From e92fb51d2aeb05ee0405ca1063d4ca68ff004a8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2019 11:27:05 -0700
+Subject: LSM: SafeSetID: Stop releasing uninitialized ruleset
+
+From: Micah Morton <mortonm@chromium.org>
+
+[ Upstream commit 21ab8580b383f27b7f59b84ac1699cb26d6c3d69 ]
+
+The first time a rule set is configured for SafeSetID, we shouldn't be
+trying to release the previously configured ruleset, since there isn't
+one. Currently, the pointer that would point to a previously configured
+ruleset is uninitialized on first rule set configuration, leading to a
+crash when we try to call release_ruleset with that pointer.
+
+Acked-by: Jann Horn <jannh@google.com>
+Signed-off-by: Micah Morton <mortonm@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/safesetid/securityfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
+index d568e17dd7739..74a13d432ed80 100644
+--- a/security/safesetid/securityfs.c
++++ b/security/safesetid/securityfs.c
+@@ -187,7 +187,8 @@ static ssize_t handle_policy_update(struct file *file,
+ out_free_buf:
+       kfree(buf);
+ out_free_pol:
+-      release_ruleset(pol);
++      if (pol)
++                release_ruleset(pol);
+       return err;
+ }
+-- 
+2.20.1
+
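Review bot: The new `if (pol)` guard at the `out_free_pol` label only works if `pol` is reliably NULL on the first-configuration path, yet the patch description says the pointer is "uninitialized"; a genuinely uninitialized pointer is not guaranteed to be NULL and testing it is undefined behaviour. The declaration of `pol` and whatever leaves it NULL are outside the hunk (handle_policy_update starts before it), so this cannot be confirmed here; presumably `pol` holds the previously installed ruleset swapped out of the global policy pointer, which is NULL before the first update, in which case the description should say "NULL" rather than "uninitialized" so the next reader does not hunt for a missing initializer. A one-line comment would pin the intent: `/* pol now holds the previously installed ruleset; NULL on first configuration */`. If release_ruleset() has other callers, teaching it to accept NULL (as kfree() does) would keep every caller safe instead of guarding one site. Separately, the added `release_ruleset(pol);` line is indented with spaces to a different depth than the tab-indented lines around it; kernel style wants one tab step here and checkpatch will flag it.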
diff --git a/queue-5.3/rxrpc-use-rcu-protection-while-reading-sk-sk_user_da.patch b/queue-5.3/rxrpc-use-rcu-protection-while-reading-sk-sk_user_da.patch
new file mode 100644 (file)
index 0000000..d30b0da
--- /dev/null
@@ -0,0 +1,74 @@
+From d30f737abcba5e729d5760315dea557b6f360741 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2019 06:04:38 -0700
+Subject: rxrpc: use rcu protection while reading sk->sk_user_data
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2ca4f6ca4562594ef161e4140c2a5e0e5282967b ]
+
+We need to extend the rcu_read_lock() section in rxrpc_error_report()
+and use rcu_dereference_sk_user_data() instead of plain access
+to sk->sk_user_data to make sure all rules are respected.
+
+The compiler wont reload sk->sk_user_data at will, and RCU rules
+prevent memory beeing freed too soon.
+
+Fixes: f0308fb07080 ("rxrpc: Fix possible NULL pointer access in ICMP handling")
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/peer_event.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
+index 61451281d74a3..48f67a9b1037c 100644
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -147,13 +147,16 @@ void rxrpc_error_report(struct sock *sk)
+ {
+       struct sock_exterr_skb *serr;
+       struct sockaddr_rxrpc srx;
+-      struct rxrpc_local *local = sk->sk_user_data;
++      struct rxrpc_local *local;
+       struct rxrpc_peer *peer;
+       struct sk_buff *skb;
+-      if (unlikely(!local))
++      rcu_read_lock();
++      local = rcu_dereference_sk_user_data(sk);
++      if (unlikely(!local)) {
++              rcu_read_unlock();
+               return;
+-
++      }
+       _enter("%p{%d}", sk, local->debug_id);
+       /* Clear the outstanding error value on the socket so that it doesn't
+@@ -163,6 +166,7 @@ void rxrpc_error_report(struct sock *sk)
+       skb = sock_dequeue_err_skb(sk);
+       if (!skb) {
++              rcu_read_unlock();
+               _leave("UDP socket errqueue empty");
+               return;
+       }
+@@ -170,11 +174,11 @@ void rxrpc_error_report(struct sock *sk)
+       serr = SKB_EXT_ERR(skb);
+       if (!skb->len && serr->ee.ee_origin == SO_EE_ORIGIN_TIMESTAMPING) {
+               _leave("UDP empty message");
++              rcu_read_unlock();
+               rxrpc_free_skb(skb, rxrpc_skb_freed);
+               return;
+       }
+-      rcu_read_lock();
+       peer = rxrpc_lookup_peer_icmp_rcu(local, skb, &srx);
+       if (peer && !rxrpc_get_peer_maybe(peer))
+               peer = NULL;
+-- 
+2.20.1
+
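Review bot: The widened RCU read-side section now has three separate `rcu_read_unlock()` calls on early-return paths (after the NULL `local` check, the empty errqueue check and the empty-message check), while the unlock that used to pair with the removed `rcu_read_lock()` before `rxrpc_lookup_peer_icmp_rcu()` lies past the end of the hunk; rxrpc_error_report continues beyond what is shown, so that unlock must still be there and `local` must not be dereferenced after it. Three ad-hoc unlocks are easy to get wrong when another bail-out is added later; routing the early returns through a single label, `out_unlock: rcu_read_unlock(); return;` (keeping the `_leave()` trace calls before the jump), would keep the section balanced by construction. Note also that `sock_dequeue_err_skb()` now runs inside the RCU critical section, which is fine only as long as nothing in that stretch can sleep; a comment above the new `rcu_read_lock()` such as `/* sk_user_data may be cleared under us; hold RCU across the whole error-report path */` would record why the lock is taken this early.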
index 4e9563e9cf0004795284cba52b4ce3fa95ca9d14..d1901f7ee338120f02ab994930bc32a6811d67c2 100644 (file)
@@ -89,3 +89,5 @@ net-sched-fix-corrupted-l2-header-with-mpls-push-and-pop-actions.patch
 netdevsim-fix-error-handling-in-nsim_fib_init-and-nsim_fib_exit.patch
 net-ethernet-broadcom-have-drivers-select-dimlib-as-needed.patch
 net-phy-fix-link-partner-information-disappear-issue.patch
+lsm-safesetid-stop-releasing-uninitialized-ruleset.patch
+rxrpc-use-rcu-protection-while-reading-sk-sk_user_da.patch