From: Greg Kroah-Hartman
Date: Tue, 28 Jan 2020 09:24:13 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.212~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f786aa8593062c8980a9e005bdb649040cec7568;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
bitmap-add-bitmap_alloc-bitmap_zalloc-and-bitmap_free.patch
net-x25-fix-nonblocking-connect.patch
netfilter-ipset-use-bitmap-infrastructure-completely.patch
---
diff --git a/queue-4.4/bitmap-add-bitmap_alloc-bitmap_zalloc-and-bitmap_free.patch b/queue-4.4/bitmap-add-bitmap_alloc-bitmap_zalloc-and-bitmap_free.patch
new file mode 100644
index 00000000000..fd00f675f73
--- /dev/null
+++ b/queue-4.4/bitmap-add-bitmap_alloc-bitmap_zalloc-and-bitmap_free.patch
@@ -0,0 +1,78 @@
+From c42b65e363ce97a828f81b59033c3558f8fa7f70 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Wed, 1 Aug 2018 15:42:56 -0700
+Subject: bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free()
+
+From: Andy Shevchenko
+
+commit c42b65e363ce97a828f81b59033c3558f8fa7f70 upstream.
+
+A lot of code become ugly because of open coding allocations for bitmaps.
+
+Introduce three helpers to allow users be more clear of intention
+and keep their code neat.
+
+Note, due to multiple circular dependencies we may not provide
+the helpers as inliners. For now we keep them exported and, perhaps,
+at some point in the future we will sort out header inclusion and
+inheritance.
+
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/bitmap.h | 8 ++++++++
+ lib/bitmap.c | 20 ++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+--- a/include/linux/bitmap.h
++++ b/include/linux/bitmap.h
+@@ -84,6 +84,14 @@
+ */
+
+ /*
++ * Allocation and deallocation of bitmap.
++ * Provided in lib/bitmap.c to avoid circular dependency.
++ */
++extern unsigned long *bitmap_alloc(unsigned int nbits, gfp_t flags);
++extern unsigned long *bitmap_zalloc(unsigned int nbits, gfp_t flags);
++extern void bitmap_free(const unsigned long *bitmap);
++
++/*
+ * lib/bitmap.c provides these functions:
+ */
+
+--- a/lib/bitmap.c
++++ b/lib/bitmap.c
+@@ -12,6 +12,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -1081,3 +1082,22 @@ void bitmap_copy_le(unsigned long *dst,
+ }
+ EXPORT_SYMBOL(bitmap_copy_le);
+ #endif
++
++unsigned long *bitmap_alloc(unsigned int nbits, gfp_t flags)
++{
++ return kmalloc_array(BITS_TO_LONGS(nbits), sizeof(unsigned long),
++ flags);
++}
++EXPORT_SYMBOL(bitmap_alloc);
++
++unsigned long *bitmap_zalloc(unsigned int nbits, gfp_t flags)
++{
++ return bitmap_alloc(nbits, flags | __GFP_ZERO);
++}
++EXPORT_SYMBOL(bitmap_zalloc);
++
++void bitmap_free(const unsigned long *bitmap)
++{
++ kfree(bitmap);
++}
++EXPORT_SYMBOL(bitmap_free);
diff --git a/queue-4.4/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/queue-4.4/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
index 5f3e4cd9242..7073752f357 100644
--- a/queue-4.4/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
+++ b/queue-4.4/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
@@ -40,16 +40,16 @@ Signed-off-by: Greg Kroah-Hartman
/* Advance past IE header */
ie += 2;
-@@ -1656,6 +1660,9 @@ static int lbs_change_intf(struct wiphy
- {
- struct lbs_private *priv = wiphy_priv(wiphy);
+@@ -1783,6 +1787,9 @@ static int lbs_ibss_join_existing(struct
+ struct cmd_ds_802_11_ad_hoc_join cmd;
+ u8 preamble = RADIO_PREAMBLE_SHORT;
int ret = 0;
+ int hw, i;
+ u8 rates_max;
+ u8 *rates;
- if (dev == priv->mesh_dev)
- return -EOPNOTSUPP;
+ lbs_deb_enter(LBS_DEB_CFG80211);
+
@@ -1843,9 +1850,12 @@ static int lbs_ibss_join_existing(struct
if (!rates_eid) {
lbs_add_rates(cmd.bss.rates);
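Review bot: The three new prototypes in include/linux/bitmap.h carry no kernel-doc, and the one property a caller must know is left unstated: bitmap_alloc()/bitmap_zalloc() go through kmalloc_array(), so (assuming 4.4's allocator behaves like mainline, worth confirming) a zero nbits returns the kernel's zero-size sentinel rather than NULL, which passes an `if (!ptr)` check but must never be dereferenced. I would put a short comment above the declarations: `/* nbits == 0 yields ZERO_SIZE_PTR, not NULL; never touch the buffer in that case. bitmap_free() tolerates NULL and ZERO_SIZE_PTR. */`. It is also worth noting in that comment that the size is BITS_TO_LONGS(nbits) whole longs, so the padding bits of the last word are allocated and, for bitmap_zalloc(), zeroed, which is exactly what the ipset user later in this series depends on.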
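Review bot: The corrected hunk context now declares `hw`, `i`, `rates_max` and `rates` at the top of lbs_ibss_join_existing(), where the `@@ -1843` hunk that follows uses them; the previous version anchored the same declarations in lbs_change_intf(), which presumably left them undeclared at the use site (inferred from the two hunk headers only, the patched file is not shown). Because the rest of the libertas patch and both function bodies lie outside this hunk, only a build of the 4.4 tree with the patch applied really confirms the placement; the series reorder that moves this patch to the end does not by itself show it applies cleanly. A one-line note in the patch preamble, e.g. `[4.4 backport: locals moved from lbs_change_intf() to lbs_ibss_join_existing()]`, would spare the next reader the same archaeology.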
diff --git a/queue-4.4/net-x25-fix-nonblocking-connect.patch b/queue-4.4/net-x25-fix-nonblocking-connect.patch
new file mode 100644
index 00000000000..cde604cb05f
--- /dev/null
+++ b/queue-4.4/net-x25-fix-nonblocking-connect.patch
@@ -0,0 +1,56 @@
+From e21dba7a4df4d93da237da65a096084b4f2e87b4 Mon Sep 17 00:00:00 2001
+From: Martin Schiller
+Date: Thu, 9 Jan 2020 07:31:14 +0100
+Subject: net/x25: fix nonblocking connect
+
+From: Martin Schiller
+
+commit e21dba7a4df4d93da237da65a096084b4f2e87b4 upstream.
+
+This patch fixes 2 issues in x25_connect():
+
+1. It makes absolutely no sense to reset the neighbour and the
+connection state after a (successful) nonblocking call of x25_connect.
+This prevents any connection from being established, since the response
+(call accept) cannot be processed.
+
+2. Any further calls to x25_connect() while a call is pending should
+simply return, instead of creating new Call Request (on different
+logical channels).
+
+This patch should also fix the "KASAN: null-ptr-deref Write in
+x25_connect" and "BUG: unable to handle kernel NULL pointer dereference
+in x25_connect" bugs reported by syzbot.
+
+Signed-off-by: Martin Schiller
+Reported-by: syzbot+429c200ffc8772bfe070@syzkaller.appspotmail.com
+Reported-by: syzbot+eec0c87f31a7c3b66f7b@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/x25/af_x25.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -764,6 +764,10 @@ static int x25_connect(struct socket *so
+ if (sk->sk_state == TCP_ESTABLISHED)
+ goto out;
+
++ rc = -EALREADY; /* Do nothing if call is already in progress */
++ if (sk->sk_state == TCP_SYN_SENT)
++ goto out;
++
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+
+@@ -810,7 +814,7 @@ static int x25_connect(struct socket *so
+ /* Now the loop */
+ rc = -EINPROGRESS;
+ if (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))
+- goto out_put_neigh;
++ goto out;
+
+ rc = x25_wait_for_connection_establishment(sk);
+ if (rc)
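Review bot: With `goto out_put_neigh` replaced by `goto out` on the O_NONBLOCK path, the neighbour reference taken earlier in x25_connect() now outlives the call while the socket sits in TCP_SYN_SENT; that is the intent, but it moves responsibility for dropping x25->neighbour to whichever later path tears the socket down (release, disconnect or the clear-request handler), none of which is in this hunk, so the backport should be checked against 4.4's x25_disconnect() and socket-destroy paths to confirm the reference is still released exactly once. A comment at the new `goto out` would record that contract for the next reader, e.g. `/* keep the neighbour ref: the pending Call Request needs it, the disconnect path drops it */` (adjust to wherever 4.4 actually releases it). The new `-EALREADY` guard is correctly placed before the state is reset to TCP_CLOSE, so a second connect() can no longer clobber a pending call. x25_connect() begins before and continues after this hunk.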
diff --git a/queue-4.4/netfilter-ipset-use-bitmap-infrastructure-completely.patch b/queue-4.4/netfilter-ipset-use-bitmap-infrastructure-completely.patch
new file mode 100644
index 00000000000..76c781cd8aa
--- /dev/null
+++ b/queue-4.4/netfilter-ipset-use-bitmap-infrastructure-completely.patch
@@ -0,0 +1,147 @@
+From 32c72165dbd0e246e69d16a3ad348a4851afd415 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Kadlecsik=20J=C3=B3zsef?=
+Date: Sun, 19 Jan 2020 22:06:49 +0100
+Subject: netfilter: ipset: use bitmap infrastructure completely
+
+From: Kadlecsik József
+
+commit 32c72165dbd0e246e69d16a3ad348a4851afd415 upstream.
+
+The bitmap allocation did not use full unsigned long sizes
+when calculating the required size and that was triggered by KASAN
+as slab-out-of-bounds read in several places. The patch fixes all
+of them.
+
+Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
+Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
+Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
+Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
+Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
+Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
+Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
+Signed-off-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/netfilter/ipset/ip_set.h | 7 -------
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ net/netfilter/ipset/ip_set_bitmap_ip.c | 6 +++---
+ net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +++---
+ net/netfilter/ipset/ip_set_bitmap_port.c | 6 +++---
+ 5 files changed, 10 insertions(+), 17 deletions(-)
+
+--- a/include/linux/netfilter/ipset/ip_set.h
++++ b/include/linux/netfilter/ipset/ip_set.h
+@@ -530,13 +530,6 @@ ip6addrptr(const struct sk_buff *skb, bo
+ sizeof(*addr));
+ }
+
+-/* Calculate the bytes required to store the inclusive range of a-b */
+-static inline int
+-bitmap_bytes(u32 a, u32 b)
+-{
+- return 4 * ((((b - a + 8) / 8) + 3) / 4);
+-}
+-
+ #include
+ #include
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -81,7 +81,7 @@ mtype_flush(struct ip_set *set)
+
+ if (set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
+- memset(map->members, 0, map->memsize);
++ bitmap_zero(map->members, map->elements);
+ }
+
+ static int
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -40,7 +40,7 @@ MODULE_ALIAS("ip_set_bitmap:ip");
+
+ /* Type structure */
+ struct bitmap_ip {
+- void *members; /* the set members */
++ unsigned long *members; /* the set members */
+ u32 first_ip; /* host byte order, included in range */
+ u32 last_ip; /* host byte order, included in range */
+ u32 elements; /* number of max elements in the set */
+@@ -222,7 +222,7 @@ init_map_ip(struct ip_set *set, struct b
+ u32 first_ip, u32 last_ip,
+ u32 elements, u32 hosts, u8 netmask)
+ {
+- map->members = ip_set_alloc(map->memsize);
++ map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
+ if (!map->members)
+ return false;
+ map->first_ip = first_ip;
+@@ -315,7 +315,7 @@ bitmap_ip_create(struct net *net, struct
+ if (!map)
+ return -ENOMEM;
+
+- map->memsize = bitmap_bytes(0, elements - 1);
++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_ip;
+ if (!init_map_ip(set, map, first_ip, last_ip,
+ elements, hosts, netmask)) {
+--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+@@ -46,7 +46,7 @@ enum {
+
+ /* Type structure */
+ struct bitmap_ipmac {
+- void *members; /* the set members */
++ unsigned long *members; /* the set members */
+ u32 first_ip; /* host byte order, included in range */
+ u32 last_ip; /* host byte order, included in range */
+ u32 elements; /* number of max elements in the set */
+@@ -297,7 +297,7 @@ static bool
+ init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
+ u32 first_ip, u32 last_ip, u32 elements)
+ {
+- map->members = ip_set_alloc(map->memsize);
++ map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
+ if (!map->members)
+ return false;
+ map->first_ip = first_ip;
+@@ -361,7 +361,7 @@ bitmap_ipmac_create(struct net *net, str
+ if (!map)
+ return -ENOMEM;
+
+- map->memsize = bitmap_bytes(0, elements - 1);
++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_ipmac;
+ if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
+ kfree(map);
+--- a/net/netfilter/ipset/ip_set_bitmap_port.c
++++ b/net/netfilter/ipset/ip_set_bitmap_port.c
+@@ -34,7 +34,7 @@ MODULE_ALIAS("ip_set_bitmap:port");
+
+ /* Type structure */
+ struct bitmap_port {
+- void *members; /* the set members */
++ unsigned long *members; /* the set members */
+ u16 first_port; /* host byte order, included in range */
+ u16 last_port; /* host byte order, included in range */
+ u32 elements; /* number of max elements in the set */
+@@ -207,7 +207,7 @@ static bool
+ init_map_port(struct ip_set *set, struct bitmap_port *map,
+ u16 first_port, u16 last_port)
+ {
+- map->members = ip_set_alloc(map->memsize);
++ map->members = bitmap_zalloc(map->elements, GFP_KERNEL | __GFP_NOWARN);
+ if (!map->members)
+ return false;
+ map->first_port = first_port;
+@@ -250,7 +250,7 @@ bitmap_port_create(struct net *net, stru
+ return -ENOMEM;
+
+ map->elements = elements;
+- map->memsize = bitmap_bytes(0, map->elements);
++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_port;
+ if (!init_map_port(set, map, first_port, last_port)) {
+ kfree(map);
diff --git a/queue-4.4/series b/queue-4.4/series
index 88b274bac9f..125786e8d19 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
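Review bot: The members bitmap is now obtained from bitmap_zalloc() (kmalloc-backed) in all three init_map_*() functions, but the matching release in mtype_destroy() in ip_set_bitmap_gen.h is not touched here (the diffstat lists only the mtype_flush() change), so it presumably still calls ip_set_free(map->members); that is only correct if 4.4's ip_set_free() dispatches on is_vmalloc_addr() and falls back to kfree(), which should be confirmed, and pairing the allocator with its own release, `bitmap_free(map->members);` in mtype_destroy(), would remove the dependency on that fallback. Dropping ip_set_alloc() also drops whatever vmalloc fallback it provided for large ranges; the bitmap:ip/ipmac range caps should keep the allocation small, but with `__GFP_NOWARN` a failed large kmalloc now silently becomes -ENOMEM at set creation. On the positive side map->memsize in the three *_create() functions now matches the allocation exactly, and init_map_port() reads map->elements, which bitmap_port_create() visibly assigns before calling it, so that ordering dependency holds. The enclosing create/init functions start and end outside the hunks shown.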
@@ -175,5 +175,8 @@ scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
tracing-xen-ordered-comparison-of-function-pointers.patch
do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch
iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest-element.patch
-libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch
+bitmap-add-bitmap_alloc-bitmap_zalloc-and-bitmap_free.patch
+netfilter-ipset-use-bitmap-infrastructure-completely.patch
+net-x25-fix-nonblocking-connect.patch
+libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch