From: Greg Kroah-Hartman
Date: Sun, 11 Oct 2020 08:39:23 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.239~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=57f6c80deedbc26e000a725d22bc854cfc72e4b3;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches added patches: macsec-avoid-use-after-free-in-macsec_handle_frame.patch nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
---
diff --git a/queue-5.4/macsec-avoid-use-after-free-in-macsec_handle_frame.patch b/queue-5.4/macsec-avoid-use-after-free-in-macsec_handle_frame.patch
new file mode 100644
index 00000000000..082708d2c9d
--- /dev/null
+++ b/queue-5.4/macsec-avoid-use-after-free-in-macsec_handle_frame.patch
@@ -0,0 +1,45 @@
+From c7cc9200e9b4a2ac172e990ef1975cd42975dad6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 7 Oct 2020 01:42:46 -0700
+Subject: macsec: avoid use-after-free in macsec_handle_frame()
+
+From: Eric Dumazet
+
+commit c7cc9200e9b4a2ac172e990ef1975cd42975dad6 upstream.
+
+De-referencing skb after call to gro_cells_receive() is not allowed.
+We need to fetch skb->len earlier.
+
+Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices")
+Signed-off-by: Eric Dumazet
+Cc: Paolo Abeni
+Acked-by: Paolo Abeni
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/macsec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1080,6 +1080,7 @@ static rx_handler_result_t macsec_handle
+ struct macsec_rx_sa *rx_sa;
+ struct macsec_rxh_data *rxd;
+ struct macsec_dev *macsec;
++ unsigned int len;
+ sci_t sci;
+ u32 pn;
+ bool cbit;
+@@ -1236,9 +1237,10 @@ deliver:
+ macsec_rxsc_put(rx_sc);
+
+ skb_orphan(skb);
++ len = skb->len;
+ ret = gro_cells_receive(&macsec->gro_cells, skb);
+ if (ret == NET_RX_SUCCESS)
+- count_rx(dev, skb->len);
++ count_rx(dev, len);
+ else
+ macsec->secy.netdev->stats.rx_dropped++;
+
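Review bot: Nothing at the `len = skb->len;` line in the embedded `deliver:` hunk records why the length is cached, so a later cleanup could fold it back into `count_rx(dev, skb->len)` and reintroduce the use-after-free. I would add a comment above the assignment such as `/* skb must not be dereferenced after gro_cells_receive(); read its length first */`, since the rationale currently lives only in the commit message. macsec_handle_frame() starts and ends outside the hunk, so any other point in the function that hands an skb to a receive routine and then reads it is not visible here and is worth checking when the backport is applied.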
diff --git a/queue-5.4/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch b/queue-5.4/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
new file mode 100644
index 00000000000..4d2204495af
--- /dev/null
+++ b/queue-5.4/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
@@ -0,0 +1,39 @@
+From 4bab69093044ca81f394bd0780be1b71c5a4d308 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kulkarni
+Date: Tue, 6 Oct 2020 16:36:47 -0700
+Subject: nvme-core: put ctrl ref when module ref get fail
+
+From: Chaitanya Kulkarni
+
+commit 4bab69093044ca81f394bd0780be1b71c5a4d308 upstream.
+
+When try_module_get() fails in the nvme_dev_open() it returns without
+releasing the ctrl reference which was taken earlier.
+
+Put the ctrl reference which is taken before calling the
+try_module_get() in the error return code path.
+
+Fixes: 52a3974feb1a "nvme-core: get/put ctrl and transport module in nvme_dev_open/release()"
+Signed-off-by: Chaitanya Kulkarni
+Reviewed-by: Logan Gunthorpe
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvme/host/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2932,8 +2932,10 @@ static int nvme_dev_open(struct inode *i
+ }
+
+ nvme_get_ctrl(ctrl);
+- if (!try_module_get(ctrl->ops->module))
++ if (!try_module_get(ctrl->ops->module)) {
++ nvme_put_ctrl(ctrl);
+ return -EINVAL;
++ }
+
+ file->private_data = ctrl;
+ return 0;
diff --git a/queue-5.4/series b/queue-5.4/series
index 403568fc7f5..2e94331afed 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
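Review bot: The new error branch in nvme_dev_open() undoes `nvme_get_ctrl(ctrl)` inline, which leaves the get/put pairing implicit. That is fine for a single failure point, but a short comment on the `nvme_put_ctrl(ctrl);` line, such as `/* drop the reference taken by nvme_get_ctrl() above */`, would keep the pairing obvious to the next reader. If another acquire step is added later, a single unwind label would be less likely to miss a put than repeating the release in each branch. The function begins outside the hunk, so the return paths before `nvme_get_ctrl()` cannot be checked from here.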
@@ -29,3 +29,5 @@ btrfs-volumes-use-more-straightforward-way-to-calculate-map-length.patch
 btrfs-ensure-we-trim-ranges-across-block-group-boundary.patch
 btrfs-fix-rwf_nowait-write-not-failling-when-we-need-to-cow.patch
 btrfs-allow-btrfs_truncate_block-to-fallback-to-nocow-for-data-space-reservation.patch
+nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
+macsec-avoid-use-after-free-in-macsec_handle_frame.patch