--- /dev/null
+From 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 5 Dec 2019 13:45:05 +0800
+Subject: crypto: af_alg - Use bh_lock_sock in sk_destruct
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.
+
+As af_alg_release_parent may be called from BH context (most notably
+due to an async request that only completes after socket closure,
+or as reported here because of an RCU-delayed sk_destruct call), we
+must use bh_lock_sock instead of lock_sock.
+
+Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -139,11 +139,13 @@ void af_alg_release_parent(struct sock *
+ sk = ask->parent;
+ ask = alg_sk(sk);
+
+- lock_sock(sk);
++ local_bh_disable();
++ bh_lock_sock(sk);
+ ask->nokey_refcnt -= nokey;
+ if (!last)
+ last = !--ask->refcnt;
+- release_sock(sk);
++ bh_unlock_sock(sk);
++ local_bh_enable();
+
+ if (last)
+ sock_put(sk);
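Review bot: The new `bh_lock_sock(sk)` takes only the socket spinlock and does not wait for a process-context owner, so this section no longer excludes any path that updates `ask->refcnt` or `ask->nokey_refcnt` while merely owning the parent via lock_sock(). Those other paths are outside this hunk, so whether one exists needs checking; if it does, the decrement can race and the final `sock_put(sk)` could fire early or be skipped. Either state the invariant above the lock, e.g. `/* May run in BH: counters are only modified under the slock, never under lock_sock() ownership alone */`, or make the two counters atomic so the lock is not needed here. af_alg_release_parent begins and ends outside the hunk.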
--- /dev/null
+From 92aafe77123ab478e5f5095878856ab0424910da Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 28 Nov 2019 18:22:01 +0100
+Subject: rsi: fix use-after-free on probe errors
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 92aafe77123ab478e5f5095878856ab0424910da upstream.
+
+The driver would fail to stop the command timer in most error paths,
+something which specifically could lead to the timer being freed while
+still active on I/O errors during probe.
+
+Fix this by making sure that each function starting the timer also stops
+it in all relevant error paths.
+
+Reported-by: syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com
+Fixes: b78e91bcfb33 ("rsi: Add new firmware loading method")
+Cc: stable <stable@vger.kernel.org> # 4.12
+Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
+Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_hal.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
+@@ -541,6 +541,7 @@ static int bl_cmd(struct rsi_hw *adapter
+ bl_start_cmd_timer(adapter, timeout);
+ status = bl_write_cmd(adapter, cmd, exp_resp, ®out_val);
+ if (status < 0) {
++ bl_stop_cmd_timer(adapter);
+ rsi_dbg(ERR_ZONE,
+ "%s: Command %s (%0x) writing failed..\n",
+ __func__, str, cmd);
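Review bot: The added `bl_stop_cmd_timer(adapter)` only closes the use-after-free described in the commit message if it also waits for a handler that is already running; its body is not visible here, and a non-synchronous delete (`del_timer()` rather than `del_timer_sync()`) would leave a window in which the callback still dereferences `adapter` after a failed probe frees it. The same applies to the call added in the rsi_load_firmware hunk. This is worth confirming, with a one-line comment at the call such as `/* timer must be idle before the error reaches probe teardown */`. bl_cmd continues outside the hunk, so its remaining error returns cannot be checked from here, yet ping_pong_write and auto_fw_upgrade now rely on every one of them stopping the timer.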
+@@ -656,10 +657,9 @@ static int ping_pong_write(struct rsi_hw
+ }
+
+ status = bl_cmd(adapter, cmd_req, cmd_resp, str);
+- if (status) {
+- bl_stop_cmd_timer(adapter);
++ if (status)
+ return status;
+- }
++
+ return 0;
+ }
+
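Review bot: With the timer stop moved into bl_cmd, the tail of ping_pong_write reads `if (status) return status;` followed by `return 0;`, which is equivalent to a plain `return status;`. It could be collapsed further to `return bl_cmd(adapter, cmd_req, cmd_resp, str);`, assuming `status` has no other use in the part of the function outside the hunk. This is a style point only and does not change behaviour.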
+@@ -749,10 +749,9 @@ static int auto_fw_upgrade(struct rsi_hw
+
+ status = bl_cmd(adapter, EOF_REACHED, FW_LOADING_SUCCESSFUL,
+ "EOF_REACHED");
+- if (status) {
+- bl_stop_cmd_timer(adapter);
++ if (status)
+ return status;
+- }
++
+ rsi_dbg(INFO_ZONE, "FW loading is done and FW is running..\n");
+ return 0;
+ }
+@@ -773,6 +772,7 @@ static int rsi_load_firmware(struct rsi_
+ status = hif_ops->master_reg_read(adapter, SWBL_REGOUT,
+ ®out_val, 2);
+ if (status < 0) {
++ bl_stop_cmd_timer(adapter);
+ rsi_dbg(ERR_ZONE,
+ "%s: REGOUT read failed\n", __func__);
+ return status;