fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Wed, 1 Jan 2020 16:34:41 +0000 (11:34 -0500)
committerSasha Levin <sashal@kernel.org>
Wed, 1 Jan 2020 16:35:37 +0000 (11:35 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch [new file with mode: 0644]
queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch b/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch
new file mode 100644 (file)
index 0000000..e32b89e
--- /dev/null
@@ -0,0 +1,35 @@
+From ae820f97a4418e5dc6b9be02c71b8001375fa2d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 15:01:29 +0800
+Subject: md: make sure desc_nr less than MD_SB_DISKS
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+[ Upstream commit 3b7436cc9449d5ff7fa1c1fd5bc3edb6402ff5b8 ]
+
+For super_90_load, we need to make sure 'desc_nr' less
+than MD_SB_DISKS, avoiding invalid memory access of 'sb->disks'.
+
+Fixes: 228fc7d76db6 ("md: avoid invalid memory access for array sb->dev_roles")
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 805b33e27496..4e7c9f398bc6 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1159,6 +1159,7 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor
+       /* not spare disk, or LEVEL_MULTIPATH */
+       if (sb->level == LEVEL_MULTIPATH ||
+               (rdev->desc_nr >= 0 &&
++               rdev->desc_nr < MD_SB_DISKS &&
+                sb->disks[rdev->desc_nr].state &
+                ((1<<MD_DISK_SYNC) | (1 << MD_DISK_ACTIVE))))
+               spare_disk = false;
+-- 
+2.20.1
+
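Review bot: The new guard `rdev->desc_nr < MD_SB_DISKS` protects the `sb->disks[rdev->desc_nr]` index on the following line only through the `&&` short-circuit order, and the comment above the condition (`/* not spare disk, or LEVEL_MULTIPATH */`) does not record that the index is being validated, so a later reordering of the operands would drop the protection silently. Suggest extending it to `/* not spare disk, or LEVEL_MULTIPATH; desc_nr must be range-checked before indexing sb->disks */`. The Fixes: tag refers to an earlier guard of the same kind for sb->dev_roles, which suggests desc_nr validation is spread across the loader rather than done once where the value is derived, though that cannot be confirmed from this hunk. super_90_load begins and ends outside the hunk.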
diff --git a/queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch b/queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch
new file mode 100644 (file)
index 0000000..5179561
--- /dev/null
@@ -0,0 +1,110 @@
+From b17510990d867bc3fdb4f50a3f6a248cc75fc35a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2019 15:03:44 -0300
+Subject: sctp: fix err handling of stream initialization
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 61d5d4062876e21331c3d0ba4b02dbd50c06a658 ]
+
+The fix on 951c6db954a1 fixed the issued reported there but introduced
+another. When the allocation fails within sctp_stream_init() it is
+okay/necessary to free the genradix. But it is also called when adding
+new streams, from sctp_send_add_streams() and
+sctp_process_strreset_addstrm_in() and in those situations it cannot
+just free the genradix because by then it is a fully operational
+association.
+
+The fix here then is to only free the genradix in sctp_stream_init()
+and on those other call sites  move on with what it already had and let
+the subsequent error handling to handle it.
+
+Tested with the reproducers from this report and the previous one,
+with lksctp-tools and sctp-tests.
+
+Reported-by: syzbot+9a1bc632e78a1a98488b@syzkaller.appspotmail.com
+Fixes: 951c6db954a1 ("sctp: fix memleak on err handling of stream initialization")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/stream.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/net/sctp/stream.c b/net/sctp/stream.c
+index 6a30392068a0..c1a100d2fed3 100644
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -84,10 +84,8 @@ static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
+               return 0;
+       ret = genradix_prealloc(&stream->out, outcnt, gfp);
+-      if (ret) {
+-              genradix_free(&stream->out);
++      if (ret)
+               return ret;
+-      }
+       stream->outcnt = outcnt;
+       return 0;
+@@ -102,10 +100,8 @@ static int sctp_stream_alloc_in(struct sctp_stream *stream, __u16 incnt,
+               return 0;
+       ret = genradix_prealloc(&stream->in, incnt, gfp);
+-      if (ret) {
+-              genradix_free(&stream->in);
++      if (ret)
+               return ret;
+-      }
+       stream->incnt = incnt;
+       return 0;
+@@ -123,7 +119,7 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
+        * a new one with new outcnt to save memory if needed.
+        */
+       if (outcnt == stream->outcnt)
+-              goto in;
++              goto handle_in;
+       /* Filter out chunks queued on streams that won't exist anymore */
+       sched->unsched_all(stream);
+@@ -132,24 +128,28 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
+       ret = sctp_stream_alloc_out(stream, outcnt, gfp);
+       if (ret)
+-              goto out;
++              goto out_err;
+       for (i = 0; i < stream->outcnt; i++)
+               SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
+-in:
++handle_in:
+       sctp_stream_interleave_init(stream);
+       if (!incnt)
+               goto out;
+       ret = sctp_stream_alloc_in(stream, incnt, gfp);
+-      if (ret) {
+-              sched->free(stream);
+-              genradix_free(&stream->out);
+-              stream->outcnt = 0;
+-              goto out;
+-      }
++      if (ret)
++              goto in_err;
++
++      goto out;
++in_err:
++      sched->free(stream);
++      genradix_free(&stream->in);
++out_err:
++      genradix_free(&stream->out);
++      stream->outcnt = 0;
+ out:
+       return ret;
+ }
+-- 
+2.20.1
+
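Review bot: The new `in_err:` path in sctp_stream_init frees `stream->in` but leaves `stream->incnt` untouched, whereas the `out_err:` path it falls into resets `stream->outcnt = 0` after freeing `stream->out`. If sctp_stream_init can run on a stream that already has a non-zero incnt (the `outcnt == stream->outcnt` shortcut earlier in the function suggests it is reusable), the count would then describe a radix tree that was just freed; adding `stream->incnt = 0;` after `genradix_free(&stream->in);` would keep the two error paths symmetric. The early `return 0;` in sctp_stream_alloc_in and the condition guarding it are outside the hunk, so whether that situation is reachable cannot be confirmed here. sctp_stream_alloc_out, sctp_stream_alloc_in and sctp_stream_init all begin outside their respective hunks.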
index 8a479e2512c5cf0ac0e46ae8824458bc5d6076fc..719ec37ff7afd52f653bba16c0e4b23405ecfd53 100644 (file)
@@ -129,3 +129,5 @@ mm-hugetlbfs-fix-error-handling-when-setting-up-moun.patch
 kernel-sysctl-make-drop_caches-write-only.patch
 userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch
 revert-powerpc-vcpu-assume-dedicated-processors-as-non-preempt.patch
+sctp-fix-err-handling-of-stream-initialization.patch
+md-make-sure-desc_nr-less-than-md_sb_disks.patch