From: Sasha Levin
Date: Sat, 26 Oct 2019 16:44:33 +0000 (-0400)
Subject: fixes for 5.3
X-Git-Tag: v4.4.198~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=080f516f42faaef3715a7bb4807de3a8131e61d8;p=thirdparty%2Fkernel%2Fstable-queue.git
fixes for 5.3
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.3/lsm-safesetid-stop-releasing-uninitialized-ruleset.patch b/queue-5.3/lsm-safesetid-stop-releasing-uninitialized-ruleset.patch
new file mode 100644
index 00000000000..b2937248c2b
--- /dev/null
+++ b/queue-5.3/lsm-safesetid-stop-releasing-uninitialized-ruleset.patch
@@ -0,0 +1,39 @@
+From e92fb51d2aeb05ee0405ca1063d4ca68ff004a8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Sep 2019 11:27:05 -0700
+Subject: LSM: SafeSetID: Stop releasing uninitialized ruleset
+
+From: Micah Morton
+
+[ Upstream commit 21ab8580b383f27b7f59b84ac1699cb26d6c3d69 ]
+
+The first time a rule set is configured for SafeSetID, we shouldn't be
+trying to release the previously configured ruleset, since there isn't
+one. Currently, the pointer that would point to a previously configured
+ruleset is uninitialized on first rule set configuration, leading to a
+crash when we try to call release_ruleset with that pointer.
+
+Acked-by: Jann Horn
+Signed-off-by: Micah Morton
+Signed-off-by: Sasha Levin
+---
+ security/safesetid/securityfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
+index d568e17dd7739..74a13d432ed80 100644
+--- a/security/safesetid/securityfs.c
++++ b/security/safesetid/securityfs.c
+@@ -187,7 +187,8 @@ static ssize_t handle_policy_update(struct file *file,
+ out_free_buf:
+ kfree(buf);
+ out_free_pol:
+- release_ruleset(pol);
++ if (pol)
++ release_ruleset(pol);
+ return err;
+ }
+
+--
+2.20.1
+
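Review bot: The new `if (pol)` guard at `out_free_pol:` in handle_policy_update() only helps if `pol` is reliably NULL when there is no earlier ruleset; the commit message calls the pointer "uninitialized", and a NULL test cannot protect against an indeterminate value. The assignments to `pol` are outside the hunk, so this cannot be confirmed from here; it is worth checking that every path reaching the label leaves `pol` either NULL or pointing at a valid ruleset. A short comment above the test would record that invariant, e.g. `/* pol is NULL when no earlier ruleset was installed */`. Alternatively, letting release_ruleset() accept NULL, as kfree() does, would keep the cleanup label free of conditionals.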
diff --git a/queue-5.3/rxrpc-use-rcu-protection-while-reading-sk-sk_user_da.patch b/queue-5.3/rxrpc-use-rcu-protection-while-reading-sk-sk_user_da.patch
new file mode 100644
index 00000000000..d30b0da3023
--- /dev/null
+++ b/queue-5.3/rxrpc-use-rcu-protection-while-reading-sk-sk_user_da.patch
@@ -0,0 +1,74 @@
+From d30f737abcba5e729d5760315dea557b6f360741 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Oct 2019 06:04:38 -0700
+Subject: rxrpc: use rcu protection while reading sk->sk_user_data
+
+From: Eric Dumazet
+
+[ Upstream commit 2ca4f6ca4562594ef161e4140c2a5e0e5282967b ]
+
+We need to extend the rcu_read_lock() section in rxrpc_error_report()
+and use rcu_dereference_sk_user_data() instead of plain access
+to sk->sk_user_data to make sure all rules are respected.
+
+The compiler wont reload sk->sk_user_data at will, and RCU rules
+prevent memory beeing freed too soon.
+
+Fixes: f0308fb07080 ("rxrpc: Fix possible NULL pointer access in ICMP handling")
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: Eric Dumazet
+Cc: David Howells
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/peer_event.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
+index 61451281d74a3..48f67a9b1037c 100644
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -147,13 +147,16 @@ void rxrpc_error_report(struct sock *sk)
+ {
+ struct sock_exterr_skb *serr;
+ struct sockaddr_rxrpc srx;
+- struct rxrpc_local *local = sk->sk_user_data;
++ struct rxrpc_local *local;
+ struct rxrpc_peer *peer;
+ struct sk_buff *skb;
+
+- if (unlikely(!local))
++ rcu_read_lock();
++ local = rcu_dereference_sk_user_data(sk);
++ if (unlikely(!local)) {
++ rcu_read_unlock();
+ return;
+-
++ }
+ _enter("%p{%d}", sk, local->debug_id);
+
+ /* Clear the outstanding error value on the socket so that it doesn't
+@@ -163,6 +166,7 @@ void rxrpc_error_report(struct sock *sk)
+
+ skb = sock_dequeue_err_skb(sk);
+ if (!skb) {
++ rcu_read_unlock();
+ _leave("UDP socket errqueue empty");
+ return;
+ }
+@@ -170,11 +174,11 @@ void rxrpc_error_report(struct sock *sk)
+ serr = SKB_EXT_ERR(skb);
+ if (!skb->len && serr->ee.ee_origin == SO_EE_ORIGIN_TIMESTAMPING) {
+ _leave("UDP empty message");
++ rcu_read_unlock();
+ rxrpc_free_skb(skb, rxrpc_skb_freed);
+ return;
+ }
+
+- rcu_read_lock();
+ peer = rxrpc_lookup_peer_icmp_rcu(local, skb, &srx);
+ if (peer && !rxrpc_get_peer_maybe(peer))
+ peer = NULL;
+--
+2.20.1
+
diff --git a/queue-5.3/series b/queue-5.3/series
index 4e9563e9cf0..d1901f7ee33 100644
--- a/queue-5.3/series
+++ b/queue-5.3/series
@@ -89,3 +89,5 @@ net-sched-fix-corrupted-l2-header-with-mpls-push-and-pop-actions.patch
 netdevsim-fix-error-handling-in-nsim_fib_init-and-nsim_fib_exit.patch
 net-ethernet-broadcom-have-drivers-select-dimlib-as-needed.patch
 net-phy-fix-link-partner-information-disappear-issue.patch
+lsm-safesetid-stop-releasing-uninitialized-ruleset.patch
+rxrpc-use-rcu-protection-while-reading-sk-sk_user_da.patch
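Review bot: In the rxrpc_error_report() hunks of the added rxrpc patch, the widened RCU read-side section now has three hand-written `rcu_read_unlock()` exits, and the "UDP empty message" branch orders them differently (`_leave()` first, then the unlock) from the other two branches. Since `local` is only safe to use inside the read-side section, a later early return added without its own unlock would leave the section unbalanced; routing the early exits through a single `out_unlock:` label would make that mistake harder to introduce. At minimum, moving `rcu_read_unlock();` ahead of `_leave("UDP empty message");` would make the three exits read the same way. The remainder of the function, presumably including the unlock that pairs with the moved `rcu_read_lock()`, lies outside the hunks shown.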