--- /dev/null
+From c42b65e363ce97a828f81b59033c3558f8fa7f70 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 1 Aug 2018 15:42:56 -0700
+Subject: bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit c42b65e363ce97a828f81b59033c3558f8fa7f70 upstream.
+
+A lot of code has become ugly because of open-coded allocations for bitmaps.
+
+Introduce three helpers to allow users to be clearer about their intention
+and keep their code neat.
+
+Note, due to multiple circular dependencies we may not provide
+the helpers as inliners. For now we keep them exported and, perhaps,
+at some point in the future we will sort out header inclusion and
+inheritance.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/bitmap.h | 8 ++++++++
+ lib/bitmap.c | 20 ++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+--- a/include/linux/bitmap.h
++++ b/include/linux/bitmap.h
+@@ -86,6 +86,14 @@
+ */
+
+ /*
++ * Allocation and deallocation of bitmap.
++ * Provided in lib/bitmap.c to avoid circular dependency.
++ */
++extern unsigned long *bitmap_alloc(unsigned int nbits, gfp_t flags);
++extern unsigned long *bitmap_zalloc(unsigned int nbits, gfp_t flags);
++extern void bitmap_free(const unsigned long *bitmap);
++
++/*
+ * lib/bitmap.c provides these functions:
+ */
+
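Review bot: The comment above the three new prototypes does not state the allocation contract, which matters because bitmap_alloc() and bitmap_zalloc() differ only in whether the memory is cleared. A caller that picks bitmap_alloc() and reads the bitmap before initialising it will see stale heap contents. I would extend the comment to say: `bitmap_alloc() returns uninitialised memory, bitmap_zalloc() returns a cleared bitmap; both return NULL on failure and the result must be released with bitmap_free().`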
+--- a/lib/bitmap.c
++++ b/lib/bitmap.c
+@@ -13,6 +13,7 @@
+ #include <linux/bitops.h>
+ #include <linux/bug.h>
+ #include <linux/kernel.h>
++#include <linux/slab.h>
+ #include <linux/string.h>
+ #include <linux/uaccess.h>
+
+@@ -1129,6 +1130,25 @@ bitmap_from_u32array(unsigned long *bitm
+ if (src_idx < nwords)
+ part = buf[src_idx++];
+
++unsigned long *bitmap_alloc(unsigned int nbits, gfp_t flags)
++{
++ return kmalloc_array(BITS_TO_LONGS(nbits), sizeof(unsigned long),
++ flags);
++}
++EXPORT_SYMBOL(bitmap_alloc);
++
++unsigned long *bitmap_zalloc(unsigned int nbits, gfp_t flags)
++{
++ return bitmap_alloc(nbits, flags | __GFP_ZERO);
++}
++EXPORT_SYMBOL(bitmap_zalloc);
++
++void bitmap_free(const unsigned long *bitmap)
++{
++ kfree(bitmap);
++}
++EXPORT_SYMBOL(bitmap_free);
++
+ #if BITS_PER_LONG == 64
+ if (src_idx < nwords)
+ part |= ((unsigned long) buf[src_idx++]) << 32;
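Review bot: The three new definitions appear to land inside a function body rather than at file scope. The context line directly above (`part = buf[src_idx++];`) and the lines directly below (`#if BITS_PER_LONG == 64` followed by `part |= ...`) read as consecutive statements of the loop in bitmap_from_u32array(), which the hunk header names. If the patch really applies at that position, bitmap_alloc(), bitmap_zalloc() and bitmap_free() and their EXPORT_SYMBOL() lines should move after the closing brace of that function. The function's start and end are outside the hunk, so this needs checking against the target tree before the patch is queued.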
--- /dev/null
+From e21dba7a4df4d93da237da65a096084b4f2e87b4 Mon Sep 17 00:00:00 2001
+From: Martin Schiller <ms@dev.tdt.de>
+Date: Thu, 9 Jan 2020 07:31:14 +0100
+Subject: net/x25: fix nonblocking connect
+
+From: Martin Schiller <ms@dev.tdt.de>
+
+commit e21dba7a4df4d93da237da65a096084b4f2e87b4 upstream.
+
+This patch fixes 2 issues in x25_connect():
+
+1. It makes absolutely no sense to reset the neighbour and the
+connection state after a (successful) nonblocking call of x25_connect.
+This prevents any connection from being established, since the response
+(call accept) cannot be processed.
+
+2. Any further calls to x25_connect() while a call is pending should
+simply return, instead of creating new Call Request (on different
+logical channels).
+
+This patch should also fix the "KASAN: null-ptr-deref Write in
+x25_connect" and "BUG: unable to handle kernel NULL pointer dereference
+in x25_connect" bugs reported by syzbot.
+
+Signed-off-by: Martin Schiller <ms@dev.tdt.de>
+Reported-by: syzbot+429c200ffc8772bfe070@syzkaller.appspotmail.com
+Reported-by: syzbot+eec0c87f31a7c3b66f7b@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/x25/af_x25.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -764,6 +764,10 @@ static int x25_connect(struct socket *so
+ if (sk->sk_state == TCP_ESTABLISHED)
+ goto out;
+
++ rc = -EALREADY; /* Do nothing if call is already in progress */
++ if (sk->sk_state == TCP_SYN_SENT)
++ goto out;
++
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+
+@@ -810,7 +814,7 @@ static int x25_connect(struct socket *so
+ /* Now the loop */
+ rc = -EINPROGRESS;
+ if (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))
+- goto out_put_neigh;
++ goto out;
+
+ rc = x25_wait_for_connection_establishment(sk);
+ if (rc)
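Review bot: The `if (rc)` branch after x25_wait_for_connection_establishment() at the end of this hunk is cut off, so its jump target is not visible. If it still goes to `out_put_neigh`, an interrupted blocking connect would release the neighbour while `sk->sk_state` presumably stays TCP_SYN_SENT. With the `-EALREADY` guard added in the first hunk, a retried connect() would then return early instead of setting the call up again, leaving the socket in TCP_SYN_SENT with a released neighbour. It is worth confirming that this error path also resets the state, for example `sk->sk_state = TCP_CLOSE;` before the neighbour is dropped, or adding a comment explaining why it cannot be reached in TCP_SYN_SENT.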
--- /dev/null
+From 32c72165dbd0e246e69d16a3ad348a4851afd415 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Kadlecsik=20J=C3=B3zsef?= <kadlec@blackhole.kfki.hu>
+Date: Sun, 19 Jan 2020 22:06:49 +0100
+Subject: netfilter: ipset: use bitmap infrastructure completely
+
+From: Kadlecsik József <kadlec@blackhole.kfki.hu>
+
+commit 32c72165dbd0e246e69d16a3ad348a4851afd415 upstream.
+
+The bitmap allocation did not round up to full unsigned long sizes
+when calculating the required size, which KASAN reported as
+slab-out-of-bounds reads in several places. The patch fixes all
+of them.
+
+Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
+Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
+Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
+Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
+Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
+Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
+Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter/ipset/ip_set.h | 7 -------
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ net/netfilter/ipset/ip_set_bitmap_ip.c | 6 +++---
+ net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +++---
+ net/netfilter/ipset/ip_set_bitmap_port.c | 6 +++---
+ 5 files changed, 10 insertions(+), 17 deletions(-)
+
+--- a/include/linux/netfilter/ipset/ip_set.h
++++ b/include/linux/netfilter/ipset/ip_set.h
+@@ -537,13 +537,6 @@ ip6addrptr(const struct sk_buff *skb, bo
+ sizeof(*addr));
+ }
+
+-/* Calculate the bytes required to store the inclusive range of a-b */
+-static inline int
+-bitmap_bytes(u32 a, u32 b)
+-{
+- return 4 * ((((b - a + 8) / 8) + 3) / 4);
+-}
+-
+ #include <linux/netfilter/ipset/ip_set_timeout.h>
+ #include <linux/netfilter/ipset/ip_set_comment.h>
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -81,7 +81,7 @@ mtype_flush(struct ip_set *set)
+
+ if (set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
+- memset(map->members, 0, map->memsize);
++ bitmap_zero(map->members, map->elements);
+ }
+
+ static int
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -40,7 +40,7 @@ MODULE_ALIAS("ip_set_bitmap:ip");
+
+ /* Type structure */
+ struct bitmap_ip {
+- void *members; /* the set members */
++ unsigned long *members; /* the set members */
+ u32 first_ip; /* host byte order, included in range */
+ u32 last_ip; /* host byte order, included in range */
+ u32 elements; /* number of max elements in the set */
+@@ -222,7 +222,7 @@ init_map_ip(struct ip_set *set, struct b
+ u32 first_ip, u32 last_ip,
+ u32 elements, u32 hosts, u8 netmask)
+ {
+- map->members = ip_set_alloc(map->memsize);
++ map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
+ if (!map->members)
+ return false;
+ map->first_ip = first_ip;
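Review bot: `map->members` now comes from bitmap_zalloc(), but no hunk in this patch touches the code that releases it; the same holds for init_map_ipmac() and init_map_port(). If the destroy path still frees through the ipset helper that was paired with ip_set_alloc(), confirm that the helper accepts kmalloc memory. Otherwise switch it to `bitmap_free(map->members);` so that allocation and release stay paired. init_map_ip() continues past the end of the hunk.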
+@@ -315,7 +315,7 @@ bitmap_ip_create(struct net *net, struct
+ if (!map)
+ return -ENOMEM;
+
+- map->memsize = bitmap_bytes(0, elements - 1);
++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_ip;
+ if (!init_map_ip(set, map, first_ip, last_ip,
+ elements, hosts, netmask)) {
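Review bot: `map->memsize` is still computed here, but the allocation in init_map_ip() is sized from `elements` alone, so the byte count is now a second, hand-maintained copy of the bitmap size. The identical expression is repeated in bitmap_ipmac_create() and bitmap_port_create(). If memsize is now only used for reporting (its remaining users are not visible in this patch), a comment such as `/* accounting only: the bitmap itself is sized by bitmap_zalloc(elements) */`, or one small shared helper for the expression, would keep the two from drifting apart. bitmap_ip_create() starts and ends outside the hunk.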
+--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+@@ -46,7 +46,7 @@ enum {
+
+ /* Type structure */
+ struct bitmap_ipmac {
+- void *members; /* the set members */
++ unsigned long *members; /* the set members */
+ u32 first_ip; /* host byte order, included in range */
+ u32 last_ip; /* host byte order, included in range */
+ u32 elements; /* number of max elements in the set */
+@@ -299,7 +299,7 @@ static bool
+ init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
+ u32 first_ip, u32 last_ip, u32 elements)
+ {
+- map->members = ip_set_alloc(map->memsize);
++ map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
+ if (!map->members)
+ return false;
+ map->first_ip = first_ip;
+@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, str
+ if (!map)
+ return -ENOMEM;
+
+- map->memsize = bitmap_bytes(0, elements - 1);
++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_ipmac;
+ if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
+ kfree(map);
+--- a/net/netfilter/ipset/ip_set_bitmap_port.c
++++ b/net/netfilter/ipset/ip_set_bitmap_port.c
+@@ -34,7 +34,7 @@ MODULE_ALIAS("ip_set_bitmap:port");
+
+ /* Type structure */
+ struct bitmap_port {
+- void *members; /* the set members */
++ unsigned long *members; /* the set members */
+ u16 first_port; /* host byte order, included in range */
+ u16 last_port; /* host byte order, included in range */
+ u32 elements; /* number of max elements in the set */
+@@ -207,7 +207,7 @@ static bool
+ init_map_port(struct ip_set *set, struct bitmap_port *map,
+ u16 first_port, u16 last_port)
+ {
+- map->members = ip_set_alloc(map->memsize);
++ map->members = bitmap_zalloc(map->elements, GFP_KERNEL | __GFP_NOWARN);
+ if (!map->members)
+ return false;
+ map->first_port = first_port;
+@@ -250,7 +250,7 @@ bitmap_port_create(struct net *net, stru
+ return -ENOMEM;
+
+ map->elements = elements;
+- map->memsize = bitmap_bytes(0, map->elements);
++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_port;
+ if (!init_map_port(set, map, first_port, last_port)) {
+ kfree(map);