From e50da64ed788e52a141a3c4a6c255dd2982c97b6 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 10 Aug 2020 15:55:07 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
 i40e-add-num_vectors-checker-in-iwarp-handler.patch
 i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch
 i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
 i40e-wrong-truncation-from-u16-to-u8.patch
 smack-fix-use-after-free-in-smk_write_relabel_self.patch
---
 ...num_vectors-checker-in-iwarp-handler.patch | 45 ++++++++++
 ...nteger-truncation-in-i40e_virtchnl.c.patch | 87 +++++++++++++++++++
 ...ory-leak-in-i40e_config_iwarp_qvlist.patch | 87 +++++++++++++++++++
 ...i40e-wrong-truncation-from-u16-to-u8.patch | 39 +++++++++
 queue-4.19/series | 5 ++
 ...after-free-in-smk_write_relabel_self.patch | 79 +++++++++++++++++
 6 files changed, 342 insertions(+)
 create mode 100644 queue-4.19/i40e-add-num_vectors-checker-in-iwarp-handler.patch
 create mode 100644 queue-4.19/i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch
 create mode 100644 queue-4.19/i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
 create mode 100644 queue-4.19/i40e-wrong-truncation-from-u16-to-u8.patch
 create mode 100644 queue-4.19/smack-fix-use-after-free-in-smk_write_relabel_self.patch
diff --git a/queue-4.19/i40e-add-num_vectors-checker-in-iwarp-handler.patch b/queue-4.19/i40e-add-num_vectors-checker-in-iwarp-handler.patch
new file mode 100644
index 00000000000..39485b496e6
--- /dev/null
+++ b/queue-4.19/i40e-add-num_vectors-checker-in-iwarp-handler.patch
@@ -0,0 +1,45 @@
+From foo@baz Mon 10 Aug 2020 03:36:49 PM CEST
+From: Jesse Brandeburg
+Date: Fri, 7 Aug 2020 13:55:14 -0700
+Subject: i40e: add num_vectors checker in iwarp handler
+To: stable@vger.kernel.org
+Cc: Sergey Nemov , aleksandr.loktionov@intel.com, Andrew Bowers , Jesse Brandeburg
+Message-ID: <20200807205517.1740307-2-jesse.brandeburg@intel.com>
+
+From: Sergey Nemov
+
+[ Upstream commit 7015ca3df965378bcef072cca9cd63ed098665b5 ]
+
+Field num_vectors from struct virtchnl_iwarp_qvlist_info should not be
+larger than num_msix_vectors_vf in the hw struct. The iwarp uses the
+same set of vectors as the LAN VF driver.
+
+Fixes: e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Sergey Nemov
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Jesse Brandeburg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -442,6 +442,16 @@ static int i40e_config_iwarp_qvlist(stru
+ u32 next_q_idx, next_q_type;
+ u32 msix_vf, size;
+
++ msix_vf = pf->hw.func_caps.num_msix_vectors_vf;
++
++ if (qvlist_info->num_vectors > msix_vf) {
++ dev_warn(&pf->pdev->dev,
++ "Incorrect number of iwarp vectors %u. Maximum %u allowed.\n",
++ qvlist_info->num_vectors,
++ msix_vf);
++ goto err;
++ }
++
+ size = sizeof(struct virtchnl_iwarp_qvlist_info) +
+ (sizeof(struct virtchnl_iwarp_qv_info) *
+ (qvlist_info->num_vectors - 1));
diff --git a/queue-4.19/i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch b/queue-4.19/i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch
new file mode 100644
index 00000000000..ed0f161e6a9
--- /dev/null
+++ b/queue-4.19/i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch
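Review bot: The added bound rejects `num_vectors > msix_vf` but still lets `num_vectors == 0` reach the size computation just below it, where `(qvlist_info->num_vectors - 1)` wraps if the field is unsigned (its declaration is not shown; the `%u` format suggests it is). The guard could cover both ends, e.g. `if (!qvlist_info->num_vectors || qvlist_info->num_vectors > msix_vf) {`, unless a zero count is already rejected before this function is called, which is not visible here. The same size computation is carried unchanged as context in the later i40e-memory-leak-in-i40e_config_iwarp_qvlist patch of this series. i40e_config_iwarp_qvlist starts and ends outside the hunk.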
@@ -0,0 +1,87 @@
+From foo@baz Mon 10 Aug 2020 03:36:49 PM CEST
+From: Jesse Brandeburg
+Date: Fri, 7 Aug 2020 13:55:16 -0700
+Subject: i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
+To: stable@vger.kernel.org
+Cc: Martyna Szapar , aleksandr.loktionov@intel.com, Jesse Brandeburg
+Message-ID: <20200807205517.1740307-4-jesse.brandeburg@intel.com>
+
+From: Martyna Szapar
+
+[ Upstream commit 24474f2709af6729b9b1da1c5e160ab62e25e3a4 ]
+
+Fixed possible memory leak in i40e_vc_add_cloud_filter function:
+cfilter is being allocated and in some error conditions
+the function returns without freeing the memory.
+
+Fix of integer truncation from u16 (type of queue_id value) to u8
+when calling i40e_vc_isvalid_queue_id function.
+
+Fixes: e284fc280473b ("i40e: Add and delete cloud filter")
+Signed-off-by: Martyna Szapar
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Jesse Brandeburg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_i
+ * check for the valid queue id
+ **/
+ static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id,
+- u8 qid)
++ u16 qid)
+ {
+ struct i40e_pf *pf = vf->pf;
+ struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id);
+@@ -3345,7 +3345,7 @@ static int i40e_vc_add_cloud_filter(stru
+
+ if (!test_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states)) {
+ aq_ret = I40E_ERR_PARAM;
+- goto err;
++ goto err_out;
+ }
+
+ if (!vf->adq_enabled) {
+@@ -3353,15 +3353,15 @@ static int i40e_vc_add_cloud_filter(stru
+ "VF %d: ADq is not enabled, can't apply cloud filter\n",
+ vf->vf_id);
+ aq_ret = I40E_ERR_PARAM;
+- goto err;
++ goto err_out;
+ }
+
+ if (i40e_validate_cloud_filter(vf, vcf)) {
+ dev_info(&pf->pdev->dev,
+ "VF %d: Invalid input/s, 
can't apply cloud filter\n",
+ vf->vf_id);
+- aq_ret = I40E_ERR_PARAM;
+- goto err;
++ aq_ret = I40E_ERR_PARAM;
++ goto err_out;
+ }
+
+ cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL);
+@@ -3422,13 +3422,17 @@ static int i40e_vc_add_cloud_filter(stru
+ "VF %d: Failed to add cloud filter, err %s aq_err %s\n",
+ vf->vf_id, i40e_stat_str(&pf->hw, ret),
+ i40e_aq_str(&pf->hw, pf->hw.aq.asq_last_status));
+- goto err;
++ goto err_free;
+ }
+
+ INIT_HLIST_NODE(&cfilter->cloud_node);
+ hlist_add_head(&cfilter->cloud_node, &vf->cloud_filter_list);
++ /* release the pointer passing it to the collection */
++ cfilter = NULL;
+ vf->num_cloud_filters++;
+-err:
++err_free:
++ kfree(cfilter);
++err_out:
+ return i40e_vc_send_resp_to_vf(vf, VIRTCHNL_OP_ADD_CLOUD_FILTER,
+ aq_ret);
+ }
diff --git a/queue-4.19/i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch b/queue-4.19/i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
new file mode 100644
index 00000000000..ea42a4ec71c
--- /dev/null
+++ b/queue-4.19/i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
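Review bot: In the last i40e_vc_add_cloud_filter hunk the add-failure branch logs `ret` and jumps to `err_free`, but no visible line in that branch assigns `aq_ret`, which is the status `i40e_vc_send_resp_to_vf()` sends back to the VF. If `aq_ret` still holds its earlier value at that point (an assignment may sit above the hunk), the VF would be told the filter was added after it has just been freed; an explicit error status before the jump, e.g. `aq_ret = I40E_ERR_PARAM;`, would close that gap. The success path also falls through `err_free:` and depends on `cfilter = NULL`, so the comment there could say so directly: `/* the list owns cfilter now; clear it so the shared exit path does not free it */`. The function body starts outside the hunks.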
@@ -0,0 +1,87 @@
+From foo@baz Mon 10 Aug 2020 03:36:49 PM CEST
+From: Jesse Brandeburg
+Date: Fri, 7 Aug 2020 13:55:17 -0700
+Subject: i40e: Memory leak in i40e_config_iwarp_qvlist
+To: stable@vger.kernel.org
+Cc: Martyna Szapar , aleksandr.loktionov@intel.com, Andrew Bowers , Jesse Brandeburg
+Message-ID: <20200807205517.1740307-5-jesse.brandeburg@intel.com>
+
+From: Martyna Szapar
+
+[ Upstream commit 0b63644602cfcbac849f7ea49272a39e90fa95eb ]
+
+Added freeing the old allocation of vf->qvlist_info in function
+i40e_config_iwarp_qvlist before overwriting it with
+the new allocation.
+
+Fixes: e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver")
+Signed-off-by: Martyna Szapar
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Jesse Brandeburg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 23 +++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -441,6 +441,7 @@ static int i40e_config_iwarp_qvlist(stru
+ u32 v_idx, i, reg_idx, reg;
+ u32 next_q_idx, next_q_type;
+ u32 msix_vf, size;
++ int ret = 0;
+
+ msix_vf = pf->hw.func_caps.num_msix_vectors_vf;
+
+@@ -449,16 +450,19 @@ static int i40e_config_iwarp_qvlist(stru
+ "Incorrect number of iwarp vectors %u. 
Maximum %u allowed.\n",
+ qvlist_info->num_vectors,
+ msix_vf);
+- goto err;
++ ret = -EINVAL;
++ goto err_out;
+ }
+
+ size = sizeof(struct virtchnl_iwarp_qvlist_info) +
+ (sizeof(struct virtchnl_iwarp_qv_info) *
+ (qvlist_info->num_vectors - 1));
++ kfree(vf->qvlist_info);
+ vf->qvlist_info = kzalloc(size, GFP_KERNEL);
+- if (!vf->qvlist_info)
+- return -ENOMEM;
+-
++ if (!vf->qvlist_info) {
++ ret = -ENOMEM;
++ goto err_out;
++ }
+ vf->qvlist_info->num_vectors = qvlist_info->num_vectors;
+
+ msix_vf = pf->hw.func_caps.num_msix_vectors_vf;
+@@ -469,8 +473,10 @@ static int i40e_config_iwarp_qvlist(stru
+ v_idx = qv_info->v_idx;
+
+ /* Validate vector id belongs to this vf */
+- if (!i40e_vc_isvalid_vector_id(vf, v_idx))
+- goto err;
++ if (!i40e_vc_isvalid_vector_id(vf, v_idx)) {
++ ret = -EINVAL;
++ goto err_free;
++ }
+
+ vf->qvlist_info->qv_info[i] = *qv_info;
+
+@@ -512,10 +518,11 @@ static int i40e_config_iwarp_qvlist(stru
+ }
+
+ return 0;
+-err:
++err_free:
+ kfree(vf->qvlist_info);
+ vf->qvlist_info = NULL;
+- return -EINVAL;
++err_out:
++ return ret;
+ }
+
+ /**
diff --git a/queue-4.19/i40e-wrong-truncation-from-u16-to-u8.patch b/queue-4.19/i40e-wrong-truncation-from-u16-to-u8.patch
new file mode 100644
index 00000000000..7706241a9f4
--- /dev/null
+++ b/queue-4.19/i40e-wrong-truncation-from-u16-to-u8.patch
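Review bot: `kfree(vf->qvlist_info)` now runs before the new request has been validated, so a message that later fails `i40e_vc_isvalid_vector_id()` or the allocation discards the previously accepted list even though the request itself is rejected. Building the new list through a local pointer and assigning `vf->qvlist_info` only after the loop succeeds would keep the old list on every error path and avoid the window where the field is NULL or half filled. The loop body between the visible pieces is outside the hunks, so any other use of `vf->qvlist_info` there would need the same substitution, and whether state written by earlier loop iterations must also be undone cannot be judged from here. The second `msix_vf = pf->hw.func_caps.num_msix_vectors_vf;` left as context after the allocation repeats the assignment at the top of the function.

```c
	struct virtchnl_iwarp_qvlist_info *new_info;

	/* … unchanged: msix_vf bound check and size computation … */
	new_info = kzalloc(size, GFP_KERNEL);
	if (!new_info) {
		ret = -ENOMEM;
		goto err_out;
	}
	new_info->num_vectors = qvlist_info->num_vectors;

	/* … unchanged: per-vector loop, storing with new_info->qv_info[i] = *qv_info; … */

	/* request fully validated: replace the previous list */
	kfree(vf->qvlist_info);
	vf->qvlist_info = new_info;
	return 0;
err_free:
	kfree(new_info);
err_out:
	return ret;
```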
@@ -0,0 +1,39 @@
+From foo@baz Mon 10 Aug 2020 03:36:49 PM CEST
+From: Jesse Brandeburg
+Date: Fri, 7 Aug 2020 13:55:15 -0700
+Subject: i40e: Wrong truncation from u16 to u8
+To: stable@vger.kernel.org
+Cc: Grzegorz Siwik , aleksandr.loktionov@intel.com, Andrew Bowers , Jesse Brandeburg
+Message-ID: <20200807205517.1740307-3-jesse.brandeburg@intel.com>
+
+From: Grzegorz Siwik
+
+[ Upstream commit c004804dceee9ca384d97d9857ea2e2795c2651d ]
+
+In this patch fixed wrong truncation method from u16 to u8 during
+validation.
+
+It was changed by changing u8 to u32 parameter in method declaration
+and arguments were changed to u32.
+
+Fixes: 5c3c48ac6bf56 ("i40e: implement virtual device interface")
+Signed-off-by: Grzegorz Siwik
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Jesse Brandeburg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -196,7 +196,7 @@ static inline bool i40e_vc_isvalid_queue
+ *
+ * check for the valid vector id
+ **/
+-static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u8 vector_id)
++static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u32 vector_id)
+ {
+ struct i40e_pf *pf = vf->pf;
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 145e280b515..1a5dd401de4 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -41,3 +41,8 @@ openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch
 revert-vxlan-fix-tos-value-before-xmit.patch
 selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch
 rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch
+i40e-add-num_vectors-checker-in-iwarp-handler.patch
+i40e-wrong-truncation-from-u16-to-u8.patch
+i40e-fix-of-memory-leak-and-integer-truncation-in-i40e_virtchnl.c.patch
+i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
+smack-fix-use-after-free-in-smk_write_relabel_self.patch
diff --git a/queue-4.19/smack-fix-use-after-free-in-smk_write_relabel_self.patch b/queue-4.19/smack-fix-use-after-free-in-smk_write_relabel_self.patch
new file mode 100644
index 00000000000..bf3d64c9a24
--- /dev/null
+++ b/queue-4.19/smack-fix-use-after-free-in-smk_write_relabel_self.patch
@@ -0,0 +1,79 @@
+From beb4ee6770a89646659e6a2178538d2b13e2654e Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 8 Jul 2020 13:15:20 -0700
+Subject: Smack: fix use-after-free in smk_write_relabel_self()
+
+From: Eric Biggers
+
+commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream.
+
+smk_write_relabel_self() frees memory from the task's credentials with
+no locking, which can easily cause a use-after-free because multiple
+tasks can share the same credentials structure.
+
+Fix this by using prepare_creds() and commit_creds() to correctly modify
+the task's credentials.
+
+Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
+
+ #include
+ #include
+ #include
+
+ static void *thrproc(void *arg)
+ {
+ int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
+ for (;;) write(fd, "foo", 3);
+ }
+
+ int main()
+ {
+ pthread_t t;
+ pthread_create(&t, NULL, thrproc, NULL);
+ thrproc(NULL);
+ }
+
+Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com
+Fixes: 38416e53936e ("Smack: limited capability for changing process label")
+Cc: # v4.4+
+Signed-off-by: Eric Biggers
+Signed-off-by: Casey Schaufler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smackfs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -2746,7 +2746,6 @@ static int smk_open_relabel_self(struct
+ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_smack *tsp = current_security();
+ char *data;
+ int rc;
+ LIST_HEAD(list_tmp);
+@@ -2771,11 +2770,21 @@ static ssize_t smk_write_relabel_self(st
+ kfree(data);
+
+ if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
++ struct cred *new;
++ struct task_smack *tsp;
++
++ new = prepare_creds();
++ if (!new) {
++ rc = -ENOMEM;
++ goto out;
++ }
++ tsp = new->security;
+ smk_destroy_label_list(&tsp->smk_relabel);
+ list_splice(&list_tmp, 
&tsp->smk_relabel);
++ commit_creds(new);
+ return count;
+ }
+-
++out:
+ smk_destroy_label_list(&list_tmp);
+ return rc;
+ }
--
2.47.3
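Review bot: The new block in `smk_write_relabel_self()` has no comment saying why the relabel list is edited on a `prepare_creds()` copy instead of on the current credentials. The reason is given only in the commit message (a credentials structure can be shared by several tasks), and without it in the code a later cleanup could put the direct access back. A one-line comment above `new = prepare_creds();` would record it, e.g. `/* creds may be shared between tasks: edit a private copy, then commit it */`. The `goto out` path correctly leaves `list_tmp` to the existing `smk_destroy_label_list(&list_tmp)` call; the function body begins outside the second hunk.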