From: Greg Kroah-Hartman Date: Thu, 30 Jan 2020 14:44:50 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.5.1~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b3d393e8998605a2e1290da812a26e4382a99228;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch rsi-fix-use-after-free-on-probe-errors.patch
---
diff --git a/queue-4.14/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch b/queue-4.14/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
new file mode 100644
index 00000000000..1d8c8450099
--- /dev/null
+++ b/queue-4.14/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
@@ -0,0 +1,43 @@
+From 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Thu, 5 Dec 2019 13:45:05 +0800
+Subject: crypto: af_alg - Use bh_lock_sock in sk_destruct
+
+From: Herbert Xu
+
+commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.
+
+As af_alg_release_parent may be called from BH context (most notably
+due to an async request that only completes after socket closure,
+or as reported here because of an RCU-delayed sk_destruct call), we
+must use bh_lock_sock instead of lock_sock.
+
+Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
+Reported-by: Eric Dumazet
+Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
+Cc:
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/af_alg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -139,11 +139,13 @@ void af_alg_release_parent(struct sock *
+ sk = ask->parent;
+ ask = alg_sk(sk);
+
+- lock_sock(sk);
++ local_bh_disable();
++ bh_lock_sock(sk);
+ ask->nokey_refcnt -= nokey;
+ if (!last)
+ last = !--ask->refcnt;
+- release_sock(sk);
++ bh_unlock_sock(sk);
++ local_bh_enable();
+
+ if (last)
+ sock_put(sk);
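Review bot: `bh_lock_sock(sk)` in af_alg_release_parent() takes only the socket spinlock and, unlike the `lock_sock(sk)` it replaces, does not wait for a process-context owner of the socket lock; the hunk adds no `sock_owned_by_user(sk)` check or deferral path. If other code in crypto/af_alg.c (not visible here) reads or updates `ask->refcnt` or `ask->nokey_refcnt` while holding `lock_sock()`, those accesses are no longer serialized against this decrement, which risks a miscounted reference and an early `sock_put(sk)`. At minimum add a comment above the locked region such as `/* BH-safe: slock only; does not exclude a lock_sock() owner */`, and consider making the two counters atomic so this path needs no socket lock at all. The function body starts and ends outside the hunk.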
diff --git a/queue-4.14/rsi-fix-use-after-free-on-probe-errors.patch b/queue-4.14/rsi-fix-use-after-free-on-probe-errors.patch
new file mode 100644
index 00000000000..25bfb57b864
--- /dev/null
+++ b/queue-4.14/rsi-fix-use-after-free-on-probe-errors.patch
@@ -0,0 +1,73 @@
+From 92aafe77123ab478e5f5095878856ab0424910da Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 28 Nov 2019 18:22:01 +0100
+Subject: rsi: fix use-after-free on probe errors
+
+From: Johan Hovold
+
+commit 92aafe77123ab478e5f5095878856ab0424910da upstream.
+
+The driver would fail to stop the command timer in most error paths,
+something which specifically could lead to the timer being freed while
+still active on I/O errors during probe.
+
+Fix this by making sure that each function starting the timer also stops
+it in all relevant error paths.
+
+Reported-by: syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com
+Fixes: b78e91bcfb33 ("rsi: Add new firmware loading method")
+Cc: stable # 4.12
+Cc: Prameela Rani Garnepudi
+Cc: Amitkumar Karwar
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rsi/rsi_91x_hal.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
+@@ -541,6 +541,7 @@ static int bl_cmd(struct rsi_hw *adapter
+ bl_start_cmd_timer(adapter, timeout);
+ status = bl_write_cmd(adapter, cmd, exp_resp, ®out_val);
+ if (status < 0) {
++ bl_stop_cmd_timer(adapter);
+ rsi_dbg(ERR_ZONE,
+ "%s: Command %s (%0x) writing failed..\n",
+ __func__, str, cmd);
+@@ -656,10 +657,9 @@ static int ping_pong_write(struct rsi_hw
+ }
+
+ status = bl_cmd(adapter, cmd_req, cmd_resp, str);
+- if (status) {
+- bl_stop_cmd_timer(adapter);
++ if (status)
+ return status;
+- }
++
+ return 0;
+ }
+
+@@ -749,10 +749,9 @@ static int auto_fw_upgrade(struct rsi_hw
+
+ status = bl_cmd(adapter, EOF_REACHED, FW_LOADING_SUCCESSFUL,
+ "EOF_REACHED");
+- if (status) {
+- bl_stop_cmd_timer(adapter);
++ if (status)
+ return status;
+- }
++
+ rsi_dbg(INFO_ZONE, "FW loading is done and FW is running..\n");
+ return 0;
+ }
+@@ -773,6 +772,7 @@ static int rsi_load_firmware(struct rsi_
+ status = hif_ops->master_reg_read(adapter, SWBL_REGOUT,
+ ®out_val, 2);
+ if (status < 0) {
++ bl_stop_cmd_timer(adapter);
+ rsi_dbg(ERR_ZONE,
+ "%s: REGOUT read failed\n", __func__);
+ return status;
diff --git a/queue-4.14/series b/queue-4.14/series
index bc7a250cefc..7d5942c53e7 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -28,3 +28,5 @@ atm-eni-fix-uninitialized-variable-warning.patch
 pci-add-dma-alias-quirk-for-intel-vca-ntb.patch
 usb-storage-disable-uas-on-jmicron-sata-enclosure.patch
 net_sched-ematch-reject-invalid-tcf_em_simple.patch
+rsi-fix-use-after-free-on-probe-errors.patch
+crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
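Review bot: The rule the rsi patch depends on, that whichever function calls `bl_start_cmd_timer()` must call `bl_stop_cmd_timer()` before every error return, is written only in the commit message, while the ping_pong_write() and auto_fw_upgrade() hunks remove the callers' own stop calls. Record it where it is enforced, for example above bl_cmd(): `/* Starts the command timer and must stop it on every return path; callers must not stop it. */`, so a later error path added to bl_cmd() or rsi_load_firmware() does not reintroduce the use-after-free. Only one error branch of each of those two functions is visible here (both bodies continue outside their hunks), so the remaining returns after the timer is started should be checked against that comment. The `®out_val` text in the bl_cmd() and rsi_load_firmware() hunks appears to be a page-rendering artifact of `&regout_val` and would need restoring before the patch is applied.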