From c2be6a72a5257eac587d4aac58d4a6dfc6e4a00f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 3 Aug 2020 10:19:25 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
	net-x25-fix-null-ptr-deref-in-x25_disconnect.patch
	net-x25-fix-x25_neigh-refcnt-leak-when-x25-disconnect.patch
---
 ...fix-null-ptr-deref-in-x25_disconnect.patch | 66 +++++++++++++++++++
 ...eigh-refcnt-leak-when-x25-disconnect.patch | 45 +++++++++++++
 queue-5.4/series                              |  2 +
 3 files changed, 113 insertions(+)
 create mode 100644 queue-5.4/net-x25-fix-null-ptr-deref-in-x25_disconnect.patch
 create mode 100644 queue-5.4/net-x25-fix-x25_neigh-refcnt-leak-when-x25-disconnect.patch

diff --git a/queue-5.4/net-x25-fix-null-ptr-deref-in-x25_disconnect.patch b/queue-5.4/net-x25-fix-null-ptr-deref-in-x25_disconnect.patch
new file mode 100644
index 00000000000..344c1bccb34
--- /dev/null
+++ b/queue-5.4/net-x25-fix-null-ptr-deref-in-x25_disconnect.patch
@@ -0,0 +1,66 @@
+From 8999dc89497ab1c80d0718828e838c7cd5f6bffe Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 28 Apr 2020 16:12:08 +0800
+Subject: net/x25: Fix null-ptr-deref in x25_disconnect
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 8999dc89497ab1c80d0718828e838c7cd5f6bffe upstream.
+
+We should check null before do x25_neigh_put in x25_disconnect,
+otherwise may cause null-ptr-deref like this:
+
+ #include <sys/socket.h>
+ #include <linux/x25.h>
+
+ int main() {
+    int sck_x25;
+    sck_x25 = socket(AF_X25, SOCK_SEQPACKET, 0);
+    close(sck_x25);
+    return 0;
+ }
+
+BUG: kernel NULL pointer dereference, address: 00000000000000d8
+CPU: 0 PID: 4817 Comm: t2 Not tainted 5.7.0-rc3+ #159
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-
+RIP: 0010:x25_disconnect+0x91/0xe0
+Call Trace:
+ x25_release+0x18a/0x1b0
+ __sock_release+0x3d/0xc0
+ sock_close+0x13/0x20
+ __fput+0x107/0x270
+ ____fput+0x9/0x10
+ task_work_run+0x6d/0xb0
+ exit_to_usermode_loop+0x102/0x110
+ do_syscall_64+0x23c/0x260
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Reported-by: syzbot+6db548b615e5aeefdce2@syzkaller.appspotmail.com
+Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/x25/x25_subr.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/x25/x25_subr.c
++++ b/net/x25/x25_subr.c
+@@ -357,10 +357,12 @@ void x25_disconnect(struct sock *sk, int
+ 		sk->sk_state_change(sk);
+ 		sock_set_flag(sk, SOCK_DEAD);
+ 	}
+-	read_lock_bh(&x25_list_lock);
+-	x25_neigh_put(x25->neighbour);
+-	x25->neighbour = NULL;
+-	read_unlock_bh(&x25_list_lock);
++	if (x25->neighbour) {
++		read_lock_bh(&x25_list_lock);
++		x25_neigh_put(x25->neighbour);
++		x25->neighbour = NULL;
++		read_unlock_bh(&x25_list_lock);
++	}
+ }
+ 
+ /*
diff --git a/queue-5.4/net-x25-fix-x25_neigh-refcnt-leak-when-x25-disconnect.patch b/queue-5.4/net-x25-fix-x25_neigh-refcnt-leak-when-x25-disconnect.patch
new file mode 100644
index 00000000000..3187d7e471d
--- /dev/null
+++ b/queue-5.4/net-x25-fix-x25_neigh-refcnt-leak-when-x25-disconnect.patch
@@ -0,0 +1,45 @@
+From 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Sat, 25 Apr 2020 21:06:25 +0800
+Subject: net/x25: Fix x25_neigh refcnt leak when x25 disconnect
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 upstream.
+
+x25_connect() invokes x25_get_neigh(), which returns a reference of the
+specified x25_neigh object to "x25->neighbour" with increased refcnt.
+
+When x25 connect success and returns, the reference still be hold by
+"x25->neighbour", so the refcount should be decreased in
+x25_disconnect() to keep refcount balanced.
+
+The reference counting issue happens in x25_disconnect(), which forgets
+to decrease the refcnt increased by x25_get_neigh() in x25_connect(),
+causing a refcnt leak.
+
+Fix this issue by calling x25_neigh_put() before x25_disconnect()
+returns.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/x25/x25_subr.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/x25/x25_subr.c
++++ b/net/x25/x25_subr.c
+@@ -357,6 +357,10 @@ void x25_disconnect(struct sock *sk, int
+ 		sk->sk_state_change(sk);
+ 		sock_set_flag(sk, SOCK_DEAD);
+ 	}
++	read_lock_bh(&x25_list_lock);
++	x25_neigh_put(x25->neighbour);
++	x25->neighbour = NULL;
++	read_unlock_bh(&x25_list_lock);
+ }
+ 
+ /*
diff --git a/queue-5.4/series b/queue-5.4/series
index 07f8f8e7bf3..0de5682f74a 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -30,3 +30,5 @@ random-fix-circular-include-dependency-on-arm64-after-addition-of-percpu.h.patch
 random32-remove-net_rand_state-from-the-latent-entropy-gcc-plugin.patch
 rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch
 libtraceevent-fix-build-with-binutils-2.35.patch
+net-x25-fix-x25_neigh-refcnt-leak-when-x25-disconnect.patch
+net-x25-fix-null-ptr-deref-in-x25_disconnect.patch
-- 
2.47.3