From: Greg Kroah-Hartman Date: Sun, 11 Oct 2020 08:39:10 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.239~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f2a3169f055683dc3571c49bb5727b972bd664b2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: macsec-avoid-use-after-free-in-macsec_handle_frame.patch nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
---
diff --git a/queue-4.19/macsec-avoid-use-after-free-in-macsec_handle_frame.patch b/queue-4.19/macsec-avoid-use-after-free-in-macsec_handle_frame.patch
new file mode 100644
index 00000000000..d5628579185
--- /dev/null
+++ b/queue-4.19/macsec-avoid-use-after-free-in-macsec_handle_frame.patch
@@ -0,0 +1,45 @@
+From c7cc9200e9b4a2ac172e990ef1975cd42975dad6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 7 Oct 2020 01:42:46 -0700
+Subject: macsec: avoid use-after-free in macsec_handle_frame()
+
+From: Eric Dumazet
+
+commit c7cc9200e9b4a2ac172e990ef1975cd42975dad6 upstream.
+
+De-referencing skb after call to gro_cells_receive() is not allowed.
+We need to fetch skb->len earlier.
+
+Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices")
+Signed-off-by: Eric Dumazet
+Cc: Paolo Abeni
+Acked-by: Paolo Abeni
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/macsec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1085,6 +1085,7 @@ static rx_handler_result_t macsec_handle
+ struct macsec_rx_sa *rx_sa;
+ struct macsec_rxh_data *rxd;
+ struct macsec_dev *macsec;
++ unsigned int len;
+ sci_t sci;
+ u32 pn;
+ bool cbit;
+@@ -1240,9 +1241,10 @@ deliver:
+ macsec_rxsc_put(rx_sc);
+
+ skb_orphan(skb);
++ len = skb->len;
+ ret = gro_cells_receive(&macsec->gro_cells, skb);
+ if (ret == NET_RX_SUCCESS)
+- count_rx(dev, skb->len);
++ count_rx(dev, len);
+ else
+ macsec->secy.netdev->stats.rx_dropped++;
+
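Review bot: The new `len = skb->len;` in the `deliver:` hunk of macsec_handle_frame() carries no comment saying why the length is cached, so a later cleanup could fold it back into `count_rx(dev, skb->len)` and bring the use-after-free back. A one-line comment above the assignment would record the rule: `/* skb must not be dereferenced after gro_cells_receive(); read skb->len first */`. macsec_handle_frame() starts and ends outside the hunk, so its other receive paths are not visible here and should be checked for the same read-after-handoff pattern.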
diff --git a/queue-4.19/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch b/queue-4.19/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
new file mode 100644
index 00000000000..59f8c28fb9c
--- /dev/null
+++ b/queue-4.19/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
@@ -0,0 +1,39 @@
+From 4bab69093044ca81f394bd0780be1b71c5a4d308 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kulkarni
+Date: Tue, 6 Oct 2020 16:36:47 -0700
+Subject: nvme-core: put ctrl ref when module ref get fail
+
+From: Chaitanya Kulkarni
+
+commit 4bab69093044ca81f394bd0780be1b71c5a4d308 upstream.
+
+When try_module_get() fails in the nvme_dev_open() it returns without
+releasing the ctrl reference which was taken earlier.
+
+Put the ctrl reference which is taken before calling the
+try_module_get() in the error return code path.
+
+Fixes: 52a3974feb1a "nvme-core: get/put ctrl and transport module in nvme_dev_open/release()"
+Signed-off-by: Chaitanya Kulkarni
+Reviewed-by: Logan Gunthorpe
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvme/host/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2606,8 +2606,10 @@ static int nvme_dev_open(struct inode *i
+ }
+
+ nvme_get_ctrl(ctrl);
+- if (!try_module_get(ctrl->ops->module))
++ if (!try_module_get(ctrl->ops->module)) {
++ nvme_put_ctrl(ctrl);
+ return -EINVAL;
++ }
+
+ file->private_data = ctrl;
+ return 0;
diff --git a/queue-4.19/series b/queue-4.19/series
index 27f4a718995..90071940b2f 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -14,3 +14,5 @@ perf-top-fix-stdio-interface-input-handling-with-glibc-2.28.patch
 i2c-i801-exclude-device-from-suspend-direct-complete-optimization.patch
 mtd-rawnand-sunxi-fix-the-probe-error-path.patch
 arm64-dts-stratix10-add-status-to-qspi-dts-node.patch
+nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
+macsec-avoid-use-after-free-in-macsec_handle_frame.patch
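Review bot: In the nvme_dev_open() hunk of nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch, nothing documents that the success path leaves two references held once `file->private_data = ctrl` is set, which is the invariant the added `nvme_put_ctrl(ctrl);` restores on the failure branch. A comment above `nvme_get_ctrl(ctrl);` such as `/* hold the ctrl and its transport module until the file is released */` would make the pairing checkable. The release handler is not shown here; the Fixes: subject suggests it drops both, so confirm that against the 4.19 tree. nvme_dev_open() begins outside the hunk, so the early return closed by the leading `}` cannot be checked for a similar imbalance from this patch alone.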