5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Oct 2020 07:38:44 +0000 (09:38 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Oct 2020 07:38:44 +0000 (09:38 +0200)
added patches:
drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
usermodehelper-reset-umask-to-default-before-executing-user-process.patch
vhost-don-t-call-access_ok-when-using-iotlb.patch
vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch

queue-5.4/drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch [new file with mode: 0644]
queue-5.4/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/usermodehelper-reset-umask-to-default-before-executing-user-process.patch [new file with mode: 0644]
queue-5.4/vhost-don-t-call-access_ok-when-using-iotlb.patch [new file with mode: 0644]
queue-5.4/vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch [new file with mode: 0644]

diff --git a/queue-5.4/drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch b/queue-5.4/drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
new file mode 100644 (file)
index 0000000..58422cf
--- /dev/null
@@ -0,0 +1,34 @@
+From d10285a25e29f13353bbf7760be8980048c1ef2f Mon Sep 17 00:00:00 2001
+From: Karol Herbst <kherbst@redhat.com>
+Date: Wed, 7 Oct 2020 00:05:28 +0200
+Subject: drm/nouveau/mem: guard against NULL pointer access in mem_del
+
+From: Karol Herbst <kherbst@redhat.com>
+
+commit d10285a25e29f13353bbf7760be8980048c1ef2f upstream.
+
+other drivers seems to do something similar
+
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Cc: dri-devel <dri-devel@lists.freedesktop.org>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201006220528.13925-2-kherbst@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nouveau_mem.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_mem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_mem.c
+@@ -176,6 +176,8 @@ void
+ nouveau_mem_del(struct ttm_mem_reg *reg)
+ {
+       struct nouveau_mem *mem = nouveau_mem(reg);
++      if (!mem)
++              return;
+       nouveau_mem_fini(mem);
+       kfree(reg->mm_node);
+       reg->mm_node = NULL;
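Review bot: The early return at `if (!mem) return;` skips not only `nouveau_mem_fini(mem)` but also `kfree(reg->mm_node); reg->mm_node = NULL;`. If `nouveau_mem(reg)` is simply a cast of `reg->mm_node`, a NULL mem implies mm_node is already NULL and nothing is lost; if it is derived some other way, mm_node would be leaked on this path, so the helper's definition is worth checking before merging. The commit message ("other drivers seems to do something similar") does not record when a reg without a nouveau_mem reaches this function, so a one-line comment above the guard such as `/* reg has no nouveau_mem attached; nothing to tear down */` would help the next reader. nouveau_mem_del's body continues past the end of the hunk.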
diff --git a/queue-5.4/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch b/queue-5.4/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
new file mode 100644 (file)
index 0000000..69bfea1
--- /dev/null
@@ -0,0 +1,42 @@
+From 3dc289f8f139997f4e9d3cfccf8738f20d23e47b Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Wed, 7 Oct 2020 09:24:01 +0530
+Subject: net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream.
+
+In nl80211_parse_key(), key.idx is first initialized as -1.
+If this value of key.idx remains unmodified and gets returned, and
+nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
+with key.idx = -1.
+This causes an out-of-bounds array access.
+
+Handle this issue by checking if the value of key.idx after
+nl80211_parse_key() is called and return -EINVAL if key.idx < 0.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
+Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3975,6 +3975,9 @@ static int nl80211_del_key(struct sk_buf
+       if (err)
+               return err;
++      if (key.idx < 0)
++              return -EINVAL;
++
+       if (info->attrs[NL80211_ATTR_MAC])
+               mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
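Review bot: Only the lower bound of `key.idx` is enforced by the new `if (key.idx < 0) return -EINVAL;`; whether nl80211_parse_key() also bounds the index from above before it is used as an array index is not visible in this hunk and should be confirmed, since this path is driven by netlink input from userspace (the report came from syzbot). The -1 sentinel that nl80211_parse_key() leaves when no key index attribute is supplied will equally reach any other caller of that helper, so the same guard, or a check inside the helper itself, may be needed there as well. A short comment would record the intent of the check: `/* key.idx stays -1 when no key index was supplied; never pass that to rdev_del_key() */`. nl80211_del_key() begins before and continues after this hunk.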
index b3cdf024128de3938b2eb133bedcb3adfaefb67a..d282fd56754c8f02196e974ba94f4a4033c65c6c 100644 (file)
@@ -6,3 +6,8 @@ io_uring-fix-resource-leaking-when-kill-the-process.patch
 io_uring-fix-missing-smp_mb-in-io_cancel_async_work.patch
 io_uring-fix-remove-irrelevant-req-from-the-task_list.patch
 io_uring-fix-double-list-add-in-io_queue_async_work.patch
+net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
+drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
+vhost-don-t-call-access_ok-when-using-iotlb.patch
+vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch
+usermodehelper-reset-umask-to-default-before-executing-user-process.patch
diff --git a/queue-5.4/usermodehelper-reset-umask-to-default-before-executing-user-process.patch b/queue-5.4/usermodehelper-reset-umask-to-default-before-executing-user-process.patch
new file mode 100644 (file)
index 0000000..eb7dec5
--- /dev/null
@@ -0,0 +1,64 @@
+From 4013c1496c49615d90d36b9d513eee8e369778e9 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 5 Oct 2020 10:56:22 -0700
+Subject: usermodehelper: reset umask to default before executing user process
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4013c1496c49615d90d36b9d513eee8e369778e9 upstream.
+
+Kernel threads intentionally do CLONE_FS in order to follow any changes
+that 'init' does to set up the root directory (or cwd).
+
+It is admittedly a bit odd, but it avoids the situation where 'init'
+does some extensive setup to initialize the system environment, and then
+we execute a usermode helper program, and it uses the original FS setup
+from boot time that may be very limited and incomplete.
+
+[ Both Al Viro and Eric Biederman point out that 'pivot_root()' will
+  follow the root regardless, since it fixes up other users of root (see
+  chroot_fs_refs() for details), but overmounting root and doing a
+  chroot() would not. ]
+
+However, Vegard Nossum noticed that the CLONE_FS not only means that we
+follow the root and current working directories, it also means we share
+umask with whatever init changed it to. That wasn't intentional.
+
+Just reset umask to the original default (0022) before actually starting
+the usermode helper program.
+
+Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/umh.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/kernel/umh.c
++++ b/kernel/umh.c
+@@ -14,6 +14,7 @@
+ #include <linux/cred.h>
+ #include <linux/file.h>
+ #include <linux/fdtable.h>
++#include <linux/fs_struct.h>
+ #include <linux/workqueue.h>
+ #include <linux/security.h>
+ #include <linux/mount.h>
+@@ -76,6 +77,14 @@ static int call_usermodehelper_exec_asyn
+       spin_unlock_irq(&current->sighand->siglock);
+       /*
++       * Initial kernel threads share ther FS with init, in order to
++       * get the init root directory. But we've now created a new
++       * thread that is going to execve a user process and has its own
++       * 'struct fs_struct'. Reset umask to the default.
++       */
++      current->fs->umask = 0022;
++
++      /*
+        * Our parent (unbound workqueue) runs with elevated scheduling
+        * priority. Avoid propagating that into the userspace child.
+        */
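Review bot: The new comment block has a typo: `* Initial kernel threads share ther FS with init, in order to` should read `share their FS with init`. The assignment `current->fs->umask = 0022;` uses a bare magic number; no named kernel constant for the default umask is visible on this page, so if none exists in the tree a brief note such as `/* 0022: the kernel's historical default umask */` or a local define would keep the intent from being lost. The write also relies on this thread owning a private `struct fs_struct`, as the comment asserts; the enclosing function starts outside the hunk and the thread's creation is not visible here, so that precondition is worth confirming at the site that spawns this thread rather than taken from the comment alone.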
diff --git a/queue-5.4/vhost-don-t-call-access_ok-when-using-iotlb.patch b/queue-5.4/vhost-don-t-call-access_ok-when-using-iotlb.patch
new file mode 100644 (file)
index 0000000..95aea6a
--- /dev/null
@@ -0,0 +1,58 @@
+From 0210a8db2aeca393fb3067e234967877e3146266 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Sat, 3 Oct 2020 12:01:52 +0200
+Subject: vhost: Don't call access_ok() when using IOTLB
+
+From: Greg Kurz <groug@kaod.org>
+
+commit 0210a8db2aeca393fb3067e234967877e3146266 upstream.
+
+When the IOTLB device is enabled, the vring addresses we get
+from userspace are GIOVAs. It is thus wrong to pass them down
+to access_ok() which only takes HVAs.
+
+Access validation is done at prefetch time with IOTLB. Teach
+vq_access_ok() about that by moving the (vq->iotlb) check
+from vhost_vq_access_ok() to vq_access_ok(). This prevents
+vhost_vring_set_addr() to fail when verifying the accesses.
+No behavior change for vhost_vq_access_ok().
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1883084
+Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
+Cc: jasowang@redhat.com
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/160171931213.284610.2052489816407219136.stgit@bahia.lan
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vhost.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1299,6 +1299,11 @@ static bool vq_access_ok(struct vhost_vi
+                        struct vring_used __user *used)
+ {
++      /* If an IOTLB device is present, the vring addresses are
++       * GIOVAs. Access validation occurs at prefetch time. */
++      if (vq->iotlb)
++              return true;
++
+       return access_ok(desc, vhost_get_desc_size(vq, num)) &&
+              access_ok(avail, vhost_get_avail_size(vq, num)) &&
+              access_ok(used, vhost_get_used_size(vq, num));
+@@ -1394,10 +1399,6 @@ bool vhost_vq_access_ok(struct vhost_vir
+       if (!vq_log_access_ok(vq, vq->log_base))
+               return false;
+-      /* Access validation occurs at prefetch time with IOTLB */
+-      if (vq->iotlb)
+-              return true;
+-
+       return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used);
+ }
+ EXPORT_SYMBOL_GPL(vhost_vq_access_ok);
diff --git a/queue-5.4/vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch b/queue-5.4/vhost-use-vhost_get_used_size-in-vhost_vring_set_addr.patch
new file mode 100644 (file)
index 0000000..fb9da90
--- /dev/null
@@ -0,0 +1,36 @@
+From 71878fa46c7e3b40fa7b3f1b6e4ba3f92f1ac359 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Sat, 3 Oct 2020 12:02:03 +0200
+Subject: vhost: Use vhost_get_used_size() in vhost_vring_set_addr()
+
+From: Greg Kurz <groug@kaod.org>
+
+commit 71878fa46c7e3b40fa7b3f1b6e4ba3f92f1ac359 upstream.
+
+The open-coded computation of the used size doesn't take the event
+into account when the VIRTIO_RING_F_EVENT_IDX feature is present.
+Fix that by using vhost_get_used_size().
+
+Fixes: 8ea8cf89e19a ("vhost: support event index")
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Link: https://lore.kernel.org/r/160171932300.284610.11846106312938909461.stgit@bahia.lan
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vhost.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1545,8 +1545,7 @@ static long vhost_vring_set_addr(struct
+               /* Also validate log access for used ring if enabled. */
+               if ((a.flags & (0x1 << VHOST_VRING_F_LOG)) &&
+                       !log_access_ok(vq->log_base, a.log_guest_addr,
+-                              sizeof *vq->used +
+-                              vq->num * sizeof *vq->used->ring))
++                                     vhost_get_used_size(vq, vq->num)))
+                       return -EINVAL;
+       }