From: Greg Kroah-Hartman Date: Tue, 24 Sep 2019 16:30:04 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.3.2~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2cc840eea4a61530c8e11cf977665a597152a7cf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: crypto-talitos-fix-missing-break-in-switch-statement.patch net-rds-fix-null-ptr-use-in-rds_tcp_kill_sock.patch
---
diff --git a/queue-4.4/crypto-talitos-fix-missing-break-in-switch-statement.patch b/queue-4.4/crypto-talitos-fix-missing-break-in-switch-statement.patch
new file mode 100644
index 00000000000..ea2527bd023
--- /dev/null
+++ b/queue-4.4/crypto-talitos-fix-missing-break-in-switch-statement.patch
@@ -0,0 +1,34 @@
+From 5fc194ea6d34dfad9833d3043ce41d6c52aff39a Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Mon, 9 Sep 2019 00:29:52 -0500
+Subject: crypto: talitos - fix missing break in switch statement
+
+From: Gustavo A. R. Silva
+
+commit 5fc194ea6d34dfad9833d3043ce41d6c52aff39a upstream.
+
+Add missing break statement in order to prevent the code from falling
+through to case CRYPTO_ALG_TYPE_AHASH.
+
+Fixes: aeb4c132f33d ("crypto: talitos - Convert to new AEAD interface")
+Cc: stable@vger.kernel.org
+Reported-by: kbuild test robot
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Christophe Leroy
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/talitos.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -2730,6 +2730,7 @@ static int talitos_remove(struct platfor
+ break;
+ case CRYPTO_ALG_TYPE_AEAD:
+ crypto_unregister_aead(&t_alg->algt.alg.aead);
++ break;
+ case CRYPTO_ALG_TYPE_AHASH:
+ crypto_unregister_ahash(&t_alg->algt.alg.hash);
+ break;
diff --git a/queue-4.4/net-rds-fix-null-ptr-use-in-rds_tcp_kill_sock.patch b/queue-4.4/net-rds-fix-null-ptr-use-in-rds_tcp_kill_sock.patch
new file mode 100644
index 00000000000..c0afb0055c1
--- /dev/null
+++ b/queue-4.4/net-rds-fix-null-ptr-use-in-rds_tcp_kill_sock.patch
@@ -0,0 +1,71 @@
+From maowenan@huawei.com Tue Sep 24 18:27:28 2019
+From: Mao Wenan
+Date: Wed, 18 Sep 2019 16:37:33 +0800
+Subject: [PATCH stable 4.4 net] net: rds: Fix NULL ptr use in rds_tcp_kill_sock
+To: , ,
+Cc: , , , , Mao Wenan
+Message-ID: <20190918083733.50266-1-maowenan@huawei.com>
+
+From: Mao Wenan
+
+After the commit c4e97b06cfdc ("net: rds: force to destroy
+connection if t_sock is NULL in rds_tcp_kill_sock()."),
+it introduced null-ptr-deref in rds_tcp_kill_sock as below:
+
+BUG: KASAN: null-ptr-deref on address 0000000000000020
+Read of size 8 by task kworker/u16:10/910
+CPU: 3 PID: 910 Comm: kworker/u16:10 Not tainted 4.4.178+ #3
+Hardware name: linux,dummy-virt (DT)
+Workqueue: netns cleanup_net
+Call trace:
+[] dump_backtrace+0x0/0x618
+[] show_stack+0x38/0x60
+[] dump_stack+0x1a8/0x230
+[] kasan_report_error+0xc8c/0xfc0
+[] kasan_report+0x94/0xd8
+[] __asan_load8+0x88/0x150
+[] rds_tcp_dev_event+0x734/0xb48
+[] raw_notifier_call_chain+0x150/0x1e8
+[] call_netdevice_notifiers_info+0x90/0x110
+[] netdev_run_todo+0x2f4/0xb08
+[] rtnl_unlock+0x2c/0x48
+[] default_device_exit_batch+0x444/0x528
+[] ops_exit_list+0x1c0/0x240
+[] cleanup_net+0x738/0xbf8
+[] process_one_work+0x96c/0x13e0
+[] worker_thread+0x7e0/0x1910
+[] kthread+0x304/0x390
+[] ret_from_fork+0x10/0x50
+
+If the first loop add the tc->t_sock = NULL to the tmp_list,
+1). list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node)
+
+then the second loop is to find connections to destroy, tc->t_sock
+might equal NULL, and tc->t_sock->sk happens null-ptr-deref.
+2). list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node)
+
+Fixes: c4e97b06cfdc ("net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().")
+Signed-off-by: Mao Wenan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rds/tcp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -352,9 +352,11 @@ static void rds_tcp_kill_sock(struct net
+ }
+ spin_unlock_irq(&rds_tcp_conn_lock);
+ list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node) {
+- sk = tc->t_sock->sk;
+- sk->sk_prot->disconnect(sk, 0);
+- tcp_done(sk);
++ if (tc->t_sock) {
++ sk = tc->t_sock->sk;
++ sk->sk_prot->disconnect(sk, 0);
++ tcp_done(sk);
++ }
+ if (tc->conn->c_passive)
+ rds_conn_destroy(tc->conn->c_passive);
+ rds_conn_destroy(tc->conn);
diff --git a/queue-4.4/series b/queue-4.4/series
index 5735362954d..f0e233f1a13 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -4,3 +4,5 @@ hid-lg-make-transfer-buffers-dma-capable.patch
 hid-logitech-fix-general-protection-fault-caused-by-logitech-driver.patch
 hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch
 mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch
+crypto-talitos-fix-missing-break-in-switch-statement.patch
+net-rds-fix-null-ptr-use-in-rds_tcp_kill_sock.patch
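Review bot: In the net/rds/tcp.c change carried by net-rds-fix-null-ptr-use-in-rds_tcp_kill_sock.patch, the new guard reads `tc->t_sock` twice, once in `if (tc->t_sock) {` and again in `sk = tc->t_sock->sk;`, and both reads happen after `spin_unlock_irq(&rds_tcp_conn_lock)`. Whether another path can still clear t_sock for an entry on tmp_list at that point is not visible from the hunk, but if it can, the second read may see NULL and the same null-ptr-deref in netns cleanup comes back. Taking one snapshot removes the window: `struct socket *sock = READ_ONCE(tc->t_sock);`, then `if (sock) {` and `sk = sock->sk;`. A comment above the check, for example `/* t_sock can be NULL: the first loop also moves such connections to tmp_list */`, would keep the reason for the guard next to the code. The body of rds_tcp_kill_sock starts and ends outside the hunk, so the first loop and the declaration of `sk` were not reviewed.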