fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Fri, 6 Mar 2020 14:20:54 +0000 (09:20 -0500)
committerSasha Levin <sashal@kernel.org>
Fri, 6 Mar 2020 14:20:54 +0000 (09:20 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.9/series
queue-4.9/vhost-check-docket-sk_family-instead-of-call-getname.patch [new file with mode: 0644]

index 135292d2defa9e1483dbca7d5b54d819163d8d9c..d7910d8913192b0b48b3488d39455e949136aae0 100644 (file)
@@ -47,3 +47,4 @@ drivers-net-xgene-fix-the-order-of-the-arguments-of-alloc_etherdev_mqs.patch
 perf-hists-browser-restore-esc-as-zoom-out-of-dso-thread-etc.patch
 mm-huge_memory.c-use-head-to-check-huge-zero-page.patch
 audit-always-check-the-netlink-payload-length-in-aud.patch
+vhost-check-docket-sk_family-instead-of-call-getname.patch
diff --git a/queue-4.9/vhost-check-docket-sk_family-instead-of-call-getname.patch b/queue-4.9/vhost-check-docket-sk_family-instead-of-call-getname.patch
new file mode 100644 (file)
index 0000000..f07c10a
--- /dev/null
@@ -0,0 +1,64 @@
+From 9c5b0a9949748179c6f6e2d3b1c13cadfa2f64ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2020 17:30:05 +0100
+Subject: vhost: Check docket sk_family instead of call getname
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugenio Pérez <eperezma@redhat.com>
+
+[ Upstream commit 42d84c8490f9f0931786f1623191fcab397c3d64 ]
+
+Doing so, we save one call to get data we already have in the struct.
+
+Also, since there is no guarantee that getname use sockaddr_ll
+parameter beyond its size, we add a little bit of security here.
+It should do not do beyond MAX_ADDR_LEN, but syzbot found that
+ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,
+versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).
+
+Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
+Reported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/net.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index dd8798bf88e7c..861f43f8f9cea 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -914,11 +914,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
+ static struct socket *get_raw_socket(int fd)
+ {
+-      struct {
+-              struct sockaddr_ll sa;
+-              char  buf[MAX_ADDR_LEN];
+-      } uaddr;
+-      int uaddr_len = sizeof uaddr, r;
++      int r;
+       struct socket *sock = sockfd_lookup(fd, &r);
+       if (!sock)
+@@ -930,12 +926,7 @@ static struct socket *get_raw_socket(int fd)
+               goto err;
+       }
+-      r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa,
+-                             &uaddr_len, 0);
+-      if (r)
+-              goto err;
+-
+-      if (uaddr.sa.sll_family != AF_PACKET) {
++      if (sock->sk->sk_family != AF_PACKET) {
+               r = -EPFNOSUPPORT;
+               goto err;
+       }
+-- 
+2.20.1
+
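Review bot: The new check `if (sock->sk->sk_family != AF_PACKET) {` in get_raw_socket() has no comment recording why `->getname()` is avoided, so a later cleanup could reintroduce the call and the stack overwrite with it. The reason currently lives only in the commit message: ax25_getname writes 72 bytes into a 20 + 32 byte on-stack buffer. I would add above the check something like `/* Read sk_family directly: ->getname() is not guaranteed to stay within sockaddr_ll + MAX_ADDR_LEN (ax25_getname writes 72 bytes). */`. The check also dereferences `sock->sk` without a NULL test; the earlier parameter check that ends in `goto err` is outside the hunk and presumably dereferences `sock->sk` already, so this should be confirmed against the full function. The body of get_raw_socket() continues past the end of the hunk.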