5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Oct 2020 08:39:23 +0000 (10:39 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Oct 2020 08:39:23 +0000 (10:39 +0200)
added patches:
macsec-avoid-use-after-free-in-macsec_handle_frame.patch
nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch

queue-5.4/macsec-avoid-use-after-free-in-macsec_handle_frame.patch [new file with mode: 0644]
queue-5.4/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/macsec-avoid-use-after-free-in-macsec_handle_frame.patch b/queue-5.4/macsec-avoid-use-after-free-in-macsec_handle_frame.patch
new file mode 100644 (file)
index 0000000..082708d
--- /dev/null
@@ -0,0 +1,45 @@
+From c7cc9200e9b4a2ac172e990ef1975cd42975dad6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 7 Oct 2020 01:42:46 -0700
+Subject: macsec: avoid use-after-free in macsec_handle_frame()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit c7cc9200e9b4a2ac172e990ef1975cd42975dad6 upstream.
+
+De-referencing skb after call to gro_cells_receive() is not allowed.
+We need to fetch skb->len earlier.
+
+Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/macsec.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1080,6 +1080,7 @@ static rx_handler_result_t macsec_handle
+       struct macsec_rx_sa *rx_sa;
+       struct macsec_rxh_data *rxd;
+       struct macsec_dev *macsec;
++      unsigned int len;
+       sci_t sci;
+       u32 pn;
+       bool cbit;
+@@ -1236,9 +1237,10 @@ deliver:
+       macsec_rxsc_put(rx_sc);
+       skb_orphan(skb);
++      len = skb->len;
+       ret = gro_cells_receive(&macsec->gro_cells, skb);
+       if (ret == NET_RX_SUCCESS)
+-              count_rx(dev, skb->len);
++              count_rx(dev, len);
+       else
+               macsec->secy.netdev->stats.rx_dropped++;
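Review bot: The new `len = skb->len;` ahead of `gro_cells_receive()` has no comment saying why the length is cached, so a later cleanup could fold it back into `count_rx(dev, skb->len)` and reintroduce the use-after-free the commit message describes. I would add `/* gro_cells_receive() may free skb; do not touch it after this call */` directly above the assignment. macsec_handle_frame() starts and ends outside the hunk, so whether any other path reads skb after the handoff cannot be checked from here; that is worth a quick audit of the full function in the 5.4 tree.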
diff --git a/queue-5.4/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch b/queue-5.4/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
new file mode 100644 (file)
index 0000000..4d22044
--- /dev/null
@@ -0,0 +1,39 @@
+From 4bab69093044ca81f394bd0780be1b71c5a4d308 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Date: Tue, 6 Oct 2020 16:36:47 -0700
+Subject: nvme-core: put ctrl ref when module ref get fail
+
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+
+commit 4bab69093044ca81f394bd0780be1b71c5a4d308 upstream.
+
+When try_module_get() fails in the nvme_dev_open() it returns without
+releasing the ctrl reference which was taken earlier.
+
+Put the ctrl reference which is taken before calling the
+try_module_get() in the error return code path.
+
+Fixes: 52a3974feb1a "nvme-core: get/put ctrl and transport module in nvme_dev_open/release()"
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2932,8 +2932,10 @@ static int nvme_dev_open(struct inode *i
+       }
+       nvme_get_ctrl(ctrl);
+-      if (!try_module_get(ctrl->ops->module))
++      if (!try_module_get(ctrl->ops->module)) {
++              nvme_put_ctrl(ctrl);
+               return -EINVAL;
++      }
+       file->private_data = ctrl;
+       return 0;
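Review bot: The unwind in nvme_dev_open() is written inline in the `try_module_get()` failure branch, and nothing marks where each of the two references is released, which is the kind of omission that let the original leak through. A short comment above `nvme_get_ctrl(ctrl);`, for example `/* dropped in nvme_dev_release(), or just below if the module ref cannot be taken */`, would make the pairing visible to the next person adding an error path. The function begins outside the hunk, so the earlier error returns are not visible here; presumably they happen before the ctrl reference is taken and need no put, but that should be confirmed against the full function.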
index 403568fc7f5f00bda2417e7064a85467d3c103be..2e94331afed814a5fc2feeb347675def57ab8b20 100644 (file)
@@ -29,3 +29,5 @@ btrfs-volumes-use-more-straightforward-way-to-calculate-map-length.patch
 btrfs-ensure-we-trim-ranges-across-block-group-boundary.patch
 btrfs-fix-rwf_nowait-write-not-failling-when-we-need-to-cow.patch
 btrfs-allow-btrfs_truncate_block-to-fallback-to-nocow-for-data-space-reservation.patch
+nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
+macsec-avoid-use-after-free-in-macsec_handle_frame.patch