fixes for 5.2

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.2/rxrpc-fix-local-refcounting.patch b/queue-5.2/rxrpc-fix-local-refcounting.patch
new file mode 100644 (file)
index 0000000..6ba2d07
--- /dev/null
+++ b/queue-5.2/rxrpc-fix-local-refcounting.patch
@@ -0,0 +1,73 @@
+From 538b95803f29e038e66876d89b8bf0c2abc6b43c Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 9 Aug 2019 22:47:47 +0100
+Subject: rxrpc: Fix local refcounting
+
+[ Upstream commit 68553f1a6f746bf860bce3eb42d78c26a717d9c0 ]
+
+Fix rxrpc_unuse_local() to handle a NULL local pointer as it can be called
+on an unbound socket on which rx->local is not yet set.
+
+The following reproduced (includes omitted):
+
+       int main(void)
+       {
+               socket(AF_RXRPC, SOCK_DGRAM, AF_INET);
+               return 0;
+       }
+
+causes the following oops to occur:
+
+       BUG: kernel NULL pointer dereference, address: 0000000000000010
+       ...
+       RIP: 0010:rxrpc_unuse_local+0x8/0x1b
+       ...
+       Call Trace:
+        rxrpc_release+0x2b5/0x338
+        __sock_release+0x37/0xa1
+        sock_close+0x14/0x17
+        __fput+0x115/0x1e9
+        task_work_run+0x72/0x98
+        do_exit+0x51b/0xa7a
+        ? __context_tracking_exit+0x4e/0x10e
+        do_group_exit+0xab/0xab
+        __x64_sys_exit_group+0x14/0x17
+        do_syscall_64+0x89/0x1d4
+        entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Reported-by: syzbot+20dee719a2e090427b5f@syzkaller.appspotmail.com
+Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting")
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/local_object.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index 68e9342fd4335..72a6e12a9304f 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -403,11 +403,13 @@ void rxrpc_unuse_local(struct rxrpc_local *local)
+ {
+       unsigned int au;
+ 
+-      au = atomic_dec_return(&local->active_users);
+-      if (au == 0)
+-              rxrpc_queue_local(local);
+-      else
+-              rxrpc_put_local(local);
++      if (local) {
++              au = atomic_dec_return(&local->active_users);
++              if (au == 0)
++                      rxrpc_queue_local(local);
++              else
++                      rxrpc_put_local(local);
++      }
+ }
+ 
+ /*
+-- 
+2.20.1
+

diff --git a/queue-5.2/series b/queue-5.2/series
index 374f055128ec3f80f1930e06ac8f778071a12cdc..18da484470415fa7acd7d51bb738dd0c7f43fe3b 100644 (file)
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -161,3 +161,4 @@ powerpc-allow-flush_-inval_-dcache_range-to-work-across-ranges-4gb.patch
 rxrpc-fix-local-endpoint-refcounting.patch
 rxrpc-fix-read-after-free-in-rxrpc_queue_local.patch
 rxrpc-fix-local-endpoint-replacement.patch
+rxrpc-fix-local-refcounting.patch