From: Sasha Levin
Date: Wed, 1 Jan 2020 16:34:41 +0000 (-0500)
Subject: fixes for 5.4
X-Git-Tag: v4.4.208~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c091ae588d0d94fcf994136b70274d475ee64287;p=thirdparty%2Fkernel%2Fstable-queue.git

fixes for 5.4

Signed-off-by: Sasha Levin
---

diff --git a/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch b/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch
new file mode 100644
index 00000000000..e32b89e1825
--- /dev/null
+++ b/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch
@@ -0,0 +1,35 @@
+From ae820f97a4418e5dc6b9be02c71b8001375fa2d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Dec 2019 15:01:29 +0800
+Subject: md: make sure desc_nr less than MD_SB_DISKS
+
+From: Yufen Yu
+
+[ Upstream commit 3b7436cc9449d5ff7fa1c1fd5bc3edb6402ff5b8 ]
+
+For super_90_load, we need to make sure 'desc_nr' less
+than MD_SB_DISKS, avoiding invalid memory access of 'sb->disks'.
+
+Fixes: 228fc7d76db6 ("md: avoid invalid memory access for array sb->dev_roles")
+Signed-off-by: Yufen Yu
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 805b33e27496..4e7c9f398bc6 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1159,6 +1159,7 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor
+ /* not spare disk, or LEVEL_MULTIPATH */
+ if (sb->level == LEVEL_MULTIPATH ||
+ (rdev->desc_nr >= 0 &&
++ rdev->desc_nr < MD_SB_DISKS &&
+ sb->disks[rdev->desc_nr].state &
+ ((1<
+Date: Fri, 20 Dec 2019 15:03:44 -0300
+Subject: sctp: fix err handling of stream initialization
+
+From: Marcelo Ricardo Leitner
+
+[ Upstream commit 61d5d4062876e21331c3d0ba4b02dbd50c06a658 ]
+
+The fix on 951c6db954a1 fixed the issued reported there but introduced
+another. When the allocation fails within sctp_stream_init() it is
+okay/necessary to free the genradix. But it is also called when adding
+new streams, from sctp_send_add_streams() and
+sctp_process_strreset_addstrm_in() and in those situations it cannot
+just free the genradix because by then it is a fully operational
+association.
+
+The fix here then is to only free the genradix in sctp_stream_init()
+and on those other call sites move on with what it already had and let
+the subsequent error handling to handle it.
+
+Tested with the reproducers from this report and the previous one,
+with lksctp-tools and sctp-tests.
+
+Reported-by: syzbot+9a1bc632e78a1a98488b@syzkaller.appspotmail.com
+Fixes: 951c6db954a1 ("sctp: fix memleak on err handling of stream initialization")
+Signed-off-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sctp/stream.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/net/sctp/stream.c b/net/sctp/stream.c
+index 6a30392068a0..c1a100d2fed3 100644
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -84,10 +84,8 @@ static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
+ return 0;
+
+ ret = genradix_prealloc(&stream->out, outcnt, gfp);
+- if (ret) {
+- genradix_free(&stream->out);
++ if (ret)
+ return ret;
+- }
+
+ stream->outcnt = outcnt;
+ return 0;
+@@ -102,10 +100,8 @@ static int sctp_stream_alloc_in(struct sctp_stream *stream, __u16 incnt,
+ return 0;
+
+ ret = genradix_prealloc(&stream->in, incnt, gfp);
+- if (ret) {
+- genradix_free(&stream->in);
++ if (ret)
+ return ret;
+- }
+
+ stream->incnt = incnt;
+ return 0;
+@@ -123,7 +119,7 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
+ * a new one with new outcnt to save memory if needed.
+ */
+ if (outcnt == stream->outcnt)
+- goto in;
++ goto handle_in;
+
+ /* Filter out chunks queued on streams that won't exist anymore */
+ sched->unsched_all(stream);
+@@ -132,24 +128,28 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
+
+ ret = sctp_stream_alloc_out(stream, outcnt, gfp);
+ if (ret)
+- goto out;
++ goto out_err;
+
+ for (i = 0; i < stream->outcnt; i++)
+ SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
+
+-in:
++handle_in:
+ sctp_stream_interleave_init(stream);
+ if (!incnt)
+ goto out;
+
+ ret = sctp_stream_alloc_in(stream, incnt, gfp);
+ if (ret) {
+- sched->free(stream);
+- genradix_free(&stream->out);
+- stream->outcnt = 0;
+- goto out;
+- }
++ if (ret)
++ goto in_err;
++
++ goto out;
+
++in_err:
++ sched->free(stream);
++ genradix_free(&stream->in);
++out_err:
++ genradix_free(&stream->out);
++ stream->outcnt = 0;
+ out:
+ return ret;
+ }
+--
+2.20.1
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 8a479e2512c..719ec37ff7a 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -129,3 +129,5 @@ mm-hugetlbfs-fix-error-handling-when-setting-up-moun.patch
 kernel-sysctl-make-drop_caches-write-only.patch
 userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch
 revert-powerpc-vcpu-assume-dedicated-processors-as-non-preempt.patch
+sctp-fix-err-handling-of-stream-initialization.patch
+md-make-sure-desc_nr-less-than-md_sb_disks.patch