--- /dev/null
+From d10285a25e29f13353bbf7760be8980048c1ef2f Mon Sep 17 00:00:00 2001
+From: Karol Herbst <kherbst@redhat.com>
+Date: Wed, 7 Oct 2020 00:05:28 +0200
+Subject: drm/nouveau/mem: guard against NULL pointer access in mem_del
+
+From: Karol Herbst <kherbst@redhat.com>
+
+commit d10285a25e29f13353bbf7760be8980048c1ef2f upstream.
+
+other drivers seems to do something similar
+
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Cc: dri-devel <dri-devel@lists.freedesktop.org>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201006220528.13925-2-kherbst@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nouveau_mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_mem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_mem.c
+@@ -176,6 +176,8 @@ void
+ nouveau_mem_del(struct ttm_mem_reg *reg)
+ {
+ struct nouveau_mem *mem = nouveau_mem(reg);
++ if (!mem)
++ return;
+ nouveau_mem_fini(mem);
+ kfree(reg->mm_node);
+ reg->mm_node = NULL;
--- /dev/null
+From 3dc289f8f139997f4e9d3cfccf8738f20d23e47b Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Wed, 7 Oct 2020 09:24:01 +0530
+Subject: net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream.
+
+In nl80211_parse_key(), key.idx is first initialized as -1.
+If this value of key.idx remains unmodified and gets returned, and
+nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
+with key.idx = -1.
+This causes an out-of-bounds array access.
+
+Handle this issue by checking if the value of key.idx after
+nl80211_parse_key() is called and return -EINVAL if key.idx < 0.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
+Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3621,6 +3621,9 @@ static int nl80211_del_key(struct sk_buf
+ if (err)
+ return err;
+
++ if (key.idx < 0)
++ return -EINVAL;
++
+ if (info->attrs[NL80211_ATTR_MAC])
+ mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+
fonts-support-font_extra_words-macros-for-built-in-fonts.patch
fbcon-fix-global-out-of-bounds-read-in-fbcon_get_font.patch
revert-ravb-fixed-to-be-able-to-unload-modules.patch
+net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch
+drm-nouveau-mem-guard-against-null-pointer-access-in-mem_del.patch
+usermodehelper-reset-umask-to-default-before-executing-user-process.patch
--- /dev/null
+From 4013c1496c49615d90d36b9d513eee8e369778e9 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 5 Oct 2020 10:56:22 -0700
+Subject: usermodehelper: reset umask to default before executing user process
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4013c1496c49615d90d36b9d513eee8e369778e9 upstream.
+
+Kernel threads intentionally do CLONE_FS in order to follow any changes
+that 'init' does to set up the root directory (or cwd).
+
+It is admittedly a bit odd, but it avoids the situation where 'init'
+does some extensive setup to initialize the system environment, and then
+we execute a usermode helper program, and it uses the original FS setup
+from boot time that may be very limited and incomplete.
+
+[ Both Al Viro and Eric Biederman point out that 'pivot_root()' will
+ follow the root regardless, since it fixes up other users of root (see
+ chroot_fs_refs() for details), but overmounting root and doing a
+ chroot() would not. ]
+
+However, Vegard Nossum noticed that the CLONE_FS not only means that we
+follow the root and current working directories, it also means we share
+umask with whatever init changed it to. That wasn't intentional.
+
+Just reset umask to the original default (0022) before actually starting
+the usermode helper program.
+
+Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/umh.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/kernel/umh.c
++++ b/kernel/umh.c
+@@ -13,6 +13,7 @@
+ #include <linux/cred.h>
+ #include <linux/file.h>
+ #include <linux/fdtable.h>
++#include <linux/fs_struct.h>
+ #include <linux/workqueue.h>
+ #include <linux/security.h>
+ #include <linux/mount.h>
+@@ -73,6 +74,14 @@ static int call_usermodehelper_exec_asyn
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ /*
++ * Initial kernel threads share ther FS with init, in order to
++ * get the init root directory. But we've now created a new
++ * thread that is going to execve a user process and has its own
++ * 'struct fs_struct'. Reset umask to the default.
++ */
++ current->fs->umask = 0022;
++
++ /*
+ * Our parent (unbound workqueue) runs with elevated scheduling
+ * priority. Avoid propagating that into the userspace child.
+ */
projects / thirdparty / kernel / stable-queue.git / commitdiff
