From: Greg Kroah-Hartman Date: Thu, 11 Oct 2018 13:34:28 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.124~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1d43f88b3fe96723f56cd4b08ce7bf96a149a63;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ubifs-check-for-name-being-null-while-mounting.patch ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch --- diff --git a/queue-4.4/series b/queue-4.4/series index af9587e6c62..960f761dd15 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -15,3 +15,5 @@ cgroup-fix-deadlock-in-cpu-hotplug-path.patch ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch powerpc-fadump-return-error-when-fadump-registration-fails.patch arc-clone-syscall-to-setp-r25-as-thread-pointer.patch +ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch +ubifs-check-for-name-being-null-while-mounting.patch diff --git a/queue-4.4/ubifs-check-for-name-being-null-while-mounting.patch b/queue-4.4/ubifs-check-for-name-being-null-while-mounting.patch new file mode 100644 index 00000000000..14a9b9b82d7 --- /dev/null +++ b/queue-4.4/ubifs-check-for-name-being-null-while-mounting.patch 
@@ -0,0 +1,34 @@ +From 37f31b6ca4311b94d985fb398a72e5399ad57925 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Mon, 3 Sep 2018 23:06:23 +0200 +Subject: ubifs: Check for name being NULL while mounting + +From: Richard Weinberger + +commit 37f31b6ca4311b94d985fb398a72e5399ad57925 upstream. + +The requested device name can be NULL or an empty string. +Check for that and refuse to continue. UBIFS has to do this manually +since we cannot use mount_bdev(), which checks for this condition. + +Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") +Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/super.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1918,6 +1918,9 @@ static struct ubi_volume_desc *open_ubi( + int dev, vol; + char *endptr; + ++ if (!name || !*name) ++ return ERR_PTR(-EINVAL); ++ + /* First, try to open using the device node path method */ + ubi = ubi_open_volume_path(name, mode); + if (!IS_ERR(ubi)) diff --git a/queue-4.4/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch b/queue-4.4/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch new file mode 100644 index 00000000000..b66fe4be83d --- /dev/null +++ b/queue-4.4/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch 
@@ -0,0 +1,65 @@ +From 5fe23f262e0548ca7f19fb79f89059a60d087d22 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Wed, 12 Sep 2018 16:27:44 -0700 +Subject: ucma: fix a use-after-free in ucma_resolve_ip() + +From: Cong Wang + +commit 5fe23f262e0548ca7f19fb79f89059a60d087d22 upstream. + +There is a race condition between ucma_close() and ucma_resolve_ip(): + +CPU0 CPU1 +ucma_resolve_ip(): ucma_close(): + +ctx = ucma_get_ctx(file, cmd.id); + + list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) { + mutex_lock(&mut); + idr_remove(&ctx_idr, ctx->id); + mutex_unlock(&mut); + ... + mutex_lock(&mut); + if (!ctx->closing) { + mutex_unlock(&mut); + rdma_destroy_id(ctx->cm_id); + ... + ucma_free_ctx(ctx); + +ret = rdma_resolve_addr(); +ucma_put_ctx(ctx); + +Before idr_remove(), ucma_get_ctx() could still find the ctx +and after rdma_destroy_id(), rdma_resolve_addr() may still +access id_priv pointer. Also, ucma_put_ctx() may use ctx after +ucma_free_ctx() too. + +ucma_close() should call ucma_put_ctx() too which tests the +refcnt and waits for the last one releasing it. The similar +pattern is already used by ucma_destroy_id(). + +Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com +Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com +Cc: Jason Gunthorpe +Cc: Doug Ledford +Cc: Leon Romanovsky +Signed-off-by: Cong Wang +Reviewed-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/ucma.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1709,6 +1709,8 @@ static int ucma_close(struct inode *inod + mutex_lock(&mut); + if (!ctx->closing) { + mutex_unlock(&mut); ++ ucma_put_ctx(ctx); ++ wait_for_completion(&ctx->comp); + /* rdma_destroy_id ensures that no event handlers are + * inflight for that id before releasing it. + */
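Review bot: in the queue-4.4/series hunk, the two new entries are appended in the reverse order of the commit message's "added patches" list (`+ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch` before `+ubifs-check-for-name-being-null-while-mounting.patch`). This is harmless here because the two patches touch disjoint files (drivers/infiniband/core/ucma.c and fs/ubifs/super.c), so application order cannot cause a conflict, but keeping the series order consistent with the message makes later bisecting of the queue easier.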
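Review bot: in the fs/ubifs/super.c hunk, the new `if (!name || !*name) return ERR_PTR(-EINVAL);` sits before `ubi_open_volume_path(name, mode)`, which is the first use of `name` in the visible context, so no dereference precedes the check; the surrounding declarations (`int dev, vol; char *endptr;`) indicate that `name` is parsed later in open_ubi(), and the early return protects that path as well. One documentation suggestion: the only nearby comment explains the device-node path attempt, so a one-line comment above the check stating that this validation is normally done by mount_bdev(), which UBIFS cannot use (as the commit message explains), would keep that reasoning with the code. The Fixes: tag points at the original UBIFS merge (1e51764a3c2ac), so the fix is relevant to every stable tree that carries UBIFS, and the queue-4.4 placement is appropriate.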
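Review bot: in the drivers/infiniband/core/ucma.c hunk, the added `ucma_put_ctx(ctx);` and `wait_for_completion(&ctx->comp);` are placed after `mutex_unlock(&mut)` and before `rdma_destroy_id(ctx->cm_id)`, which is the right spot: a concurrent ucma_resolve_ip() that obtained the ctx before idr_remove() now finishes rdma_resolve_addr() and its own ucma_put_ctx() before cm_id is destroyed, and since idr_remove() has already run, no new ucma_get_ctx() can succeed, so the wait only has to drain references handed out earlier. That closes both accesses the commit message's CPU0/CPU1 diagram identifies (id_priv via rdma_resolve_addr() and ctx via ucma_put_ctx() after ucma_free_ctx()). Two follow-ups: the existing comment only documents rdma_destroy_id's guarantee about in-flight event handlers, so a short comment above the new lines saying that the put-and-wait drains references taken via ucma_get_ctx() would help future readers; and the `ctx->closing` else-branch is untouched here, so it is worth confirming that the closing path already performs the same wait (the message says ucma_destroy_id() uses this pattern), otherwise the same race remains reachable through it.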