fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.19/rxrpc-fix-local-refcounting.patch b/queue-4.19/rxrpc-fix-local-refcounting.patch
new file mode 100644 (file)
index 0000000..fdadc6b
--- /dev/null
+++ b/queue-4.19/rxrpc-fix-local-refcounting.patch
@@ -0,0 +1,73 @@
+From ff320ff4fb793dbc818edab538f5e660259b0024 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 9 Aug 2019 22:47:47 +0100
+Subject: rxrpc: Fix local refcounting
+
+[ Upstream commit 68553f1a6f746bf860bce3eb42d78c26a717d9c0 ]
+
+Fix rxrpc_unuse_local() to handle a NULL local pointer as it can be called
+on an unbound socket on which rx->local is not yet set.
+
+The following reproduced (includes omitted):
+
+       int main(void)
+       {
+               socket(AF_RXRPC, SOCK_DGRAM, AF_INET);
+               return 0;
+       }
+
+causes the following oops to occur:
+
+       BUG: kernel NULL pointer dereference, address: 0000000000000010
+       ...
+       RIP: 0010:rxrpc_unuse_local+0x8/0x1b
+       ...
+       Call Trace:
+        rxrpc_release+0x2b5/0x338
+        __sock_release+0x37/0xa1
+        sock_close+0x14/0x17
+        __fput+0x115/0x1e9
+        task_work_run+0x72/0x98
+        do_exit+0x51b/0xa7a
+        ? __context_tracking_exit+0x4e/0x10e
+        do_group_exit+0xab/0xab
+        __x64_sys_exit_group+0x14/0x17
+        do_syscall_64+0x89/0x1d4
+        entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Reported-by: syzbot+20dee719a2e090427b5f@syzkaller.appspotmail.com
+Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting")
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/local_object.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index 27f4bbe85e799..c752ad4870678 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -407,11 +407,13 @@ void rxrpc_unuse_local(struct rxrpc_local *local)
+ {
+       unsigned int au;
+ 
+-      au = atomic_dec_return(&local->active_users);
+-      if (au == 0)
+-              rxrpc_queue_local(local);
+-      else
+-              rxrpc_put_local(local);
++      if (local) {
++              au = atomic_dec_return(&local->active_users);
++              if (au == 0)
++                      rxrpc_queue_local(local);
++              else
++                      rxrpc_put_local(local);
++      }
+ }
+ 
+ /*
+-- 
+2.20.1
+

diff --git a/queue-4.19/series b/queue-4.19/series
index 2f60c4576cdbce65e916059f15ccc7158bf860ea..904bfca5a89d40dea7035d1e5400c75feb5f07c4 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -97,3 +97,4 @@ powerpc-allow-flush_-inval_-dcache_range-to-work-across-ranges-4gb.patch
 rxrpc-fix-local-endpoint-refcounting.patch
 rxrpc-fix-read-after-free-in-rxrpc_queue_local.patch
 rxrpc-fix-local-endpoint-replacement.patch
+rxrpc-fix-local-refcounting.patch