From 3d9798b39a1126cc2403b3ec4588e9a2f115529b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 15 Jan 2021 11:52:33 +0100
Subject: [PATCH] 4.14-stable patches

added patches:
block-fix-use-after-free-in-disk_part_iter_next.patch
net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch
---
 ...se-after-free-in-disk_part_iter_next.patch | 46 +++++++++++++++++
 ...-offset-beyond-end-of-trimmed-packet.patch | 50 +++++++++++++++++++
 queue-4.14/series | 2 +
 3 files changed, 98 insertions(+)
 create mode 100644 queue-4.14/block-fix-use-after-free-in-disk_part_iter_next.patch
 create mode 100644 queue-4.14/net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch

diff --git a/queue-4.14/block-fix-use-after-free-in-disk_part_iter_next.patch b/queue-4.14/block-fix-use-after-free-in-disk_part_iter_next.patch
new file mode 100644
index 00000000000..572583fd721
--- /dev/null
+++ b/queue-4.14/block-fix-use-after-free-in-disk_part_iter_next.patch
@@ -0,0 +1,46 @@
+From aebf5db917055b38f4945ed6d621d9f07a44ff30 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Mon, 21 Dec 2020 12:33:35 +0800
+Subject: block: fix use-after-free in disk_part_iter_next
+
+From: Ming Lei
+
+commit aebf5db917055b38f4945ed6d621d9f07a44ff30 upstream.
+
+Make sure that bdgrab() is done on the 'block_device' instance before
+referring to it for avoiding use-after-free.
+
+Cc:
+Reported-by: syzbot+825f0f9657d4e528046e@syzkaller.appspotmail.com
+Signed-off-by: Ming Lei
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/genhd.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -208,14 +208,17 @@ struct hd_struct *disk_part_iter_next(st
+ part = rcu_dereference(ptbl->part[piter->idx]);
+ if (!part)
+ continue;
++ get_device(part_to_dev(part));
++ piter->part = part;
+ if (!part_nr_sects_read(part) &&
+ !(piter->flags & DISK_PITER_INCL_EMPTY) &&
+ !(piter->flags & DISK_PITER_INCL_EMPTY_PART0 &&
+- piter->idx == 0))
++ piter->idx == 0)) {
++ put_device(part_to_dev(part));
++ piter->part = NULL;
+ continue;
++ }
+
+- get_device(part_to_dev(part));
+- piter->part = part;
+ piter->idx += inc;
+ break;
+ }
diff --git a/queue-4.14/net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch b/queue-4.14/net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch
new file mode 100644
index 00000000000..98027462c71
--- /dev/null
+++ b/queue-4.14/net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch
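Review bot: The backported commit message still says the fix is to do `bdgrab()` on the 'block_device' instance before referring to it, but the 4.14 hunk takes and drops the reference with `get_device(part_to_dev(part))` / `put_device(part_to_dev(part))` on the partition's device, so the message no longer describes the code a stable reader will find in block/genhd.c. A one-line backport note under the "commit ... upstream." line would close that gap, e.g. `[ 4.14: get_device()/put_device() on part_to_dev(part) replace the bdgrab()/bdput() the upstream message refers to ]`. The reordering itself looks right: the reference is now held across the `part_nr_sects_read()` check, and the skip-empty-partition path releases it and clears `piter->part` before `continue`. I would also put a comment on the new `get_device()` line, `/* take the ref before reading nr_sects: part may otherwise be freed under us */`, since the reason for the placement is otherwise only recoverable from history. `disk_part_iter_next()` starts before the hunk, so whether a previous `piter->part` is released at the top of the function is not visible here.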
@@ -0,0 +1,50 @@
+From 54970a2fbb673f090b7f02d7f57b10b2e0707155 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Mon, 14 Dec 2020 22:07:39 +0300
+Subject: net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of trimmed packet
+
+From: Vasily Averin
+
+commit 54970a2fbb673f090b7f02d7f57b10b2e0707155 upstream.
+
+syzbot reproduces BUG_ON in skb_checksum_help():
+tun creates (bogus) skb with huge partial-checksummed area and
+small ip packet inside. Then ip_rcv trims the skb based on size
+of internal ip packet, after that csum offset points beyond of
+trimmed skb. Then checksum_tg() called via netfilter hook
+triggers BUG_ON:
+
+ offset = skb_checksum_start_offset(skb);
+ BUG_ON(offset >= skb_headlen(skb));
+
+To work around the problem this patch forces pskb_trim_rcsum_slow()
+to return -EINVAL in described scenario. It allows its callers to
+drop such kind of packets.
+
+Link: https://syzkaller.appspot.com/bug?id=b419a5ca95062664fe1a60b764621eb4526e2cd0
+Reported-by: syzbot+7010af67ced6105e5ab6@syzkaller.appspotmail.com
+Signed-off-by: Vasily Averin
+Acked-by: Willem de Bruijn
+Link: https://lore.kernel.org/r/1b2494af-2c56-8ee2-7bc0-923fcad1cdf8@virtuozzo.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/skbuff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -1850,6 +1850,12 @@ int pskb_trim_rcsum_slow(struct sk_buff
+ skb->csum = csum_block_sub(skb->csum,
+ skb_checksum(skb, len, delta, 0),
+ len);
++ } else if (skb->ip_summed == CHECKSUM_PARTIAL) {
++ int hdlen = (len > skb_headlen(skb)) ? skb_headlen(skb) : len;
++ int offset = skb_checksum_start_offset(skb) + skb->csum_offset;
++
++ if (offset + sizeof(__sum16) > hdlen)
++ return -EINVAL;
+ }
+ return __pskb_trim(skb, len);
+ }
diff --git a/queue-4.14/series b/queue-4.14/series
index a117c93a9c6..61c2c6e0033 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
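Review bot: The new `else if (skb->ip_summed == CHECKSUM_PARTIAL)` branch in `pskb_trim_rcsum_slow()` carries no comment, so a reader sees an `-EINVAL` whose reason lives only in the commit message; I would add above the `if`: `/* A trim that leaves the partial-checksum field past the linear area would later trip BUG_ON() in skb_checksum_help(); refuse it so callers drop the skb. */`. Because `sizeof(__sum16)` is `size_t`, the comparison `offset + sizeof(__sum16) > hdlen` converts both `int` operands to unsigned; that is fine for the in-range values this path expects, but if `skb_checksum_start_offset()` can ever be negative here (not visible in the hunk) the promotion masks it, and `if (offset < 0 || offset + (int)sizeof(__sum16) > hdlen)` would make the intent explicit. Note the check runs before `__pskb_trim()`, so a rejected skb is returned to the caller unmodified, which is what a drop-on-error caller wants. The function starts before the hunk, so the types of `len` and the CHECKSUM_COMPLETE branch it joins are not fully visible here.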
@@ -24,3 +24,5 @@ net-mlx5e-fix-memleak-in-mlx5e_create_l2_table_groups.patch
 net-mlx5e-fix-two-double-free-cases.patch
 wan-ds26522-select-config_bitreverse.patch
 kvm-arm64-don-t-access-pmcr_el0-when-no-pmu-is-available.patch
+block-fix-use-after-free-in-disk_part_iter_next.patch
+net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch
-- 
2.47.3