5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 23 Dec 2020 15:01:35 +0000 (16:01 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 23 Dec 2020 15:01:35 +0000 (16:01 +0100)
added patches:
bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
media-msi2500-assign-spi-bus-number-dynamically.patch
quota-sanity-check-quota-file-headers-on-load.patch

queue-5.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch [new file with mode: 0644]
queue-5.4/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch [new file with mode: 0644]
queue-5.4/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch [new file with mode: 0644]
queue-5.4/media-msi2500-assign-spi-bus-number-dynamically.patch [new file with mode: 0644]
queue-5.4/quota-sanity-check-quota-file-headers-on-load.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch b/queue-5.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
new file mode 100644 (file)
index 0000000..b4a1fdb
--- /dev/null
@@ -0,0 +1,54 @@
+From f7e0e8b2f1b0a09b527885babda3e912ba820798 Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Wed, 9 Sep 2020 03:17:00 -0400
+Subject: Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit f7e0e8b2f1b0a09b527885babda3e912ba820798 upstream.
+
+`num_reports` is not being properly checked. A malformed event packet with
+a large `num_reports` number makes hci_le_direct_adv_report_evt() read out
+of bounds. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct Advertising Report events")
+Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c |   12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5711,21 +5711,19 @@ static void hci_le_direct_adv_report_evt
+                                        struct sk_buff *skb)
+ {
+       u8 num_reports = skb->data[0];
+-      void *ptr = &skb->data[1];
++      struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1];
+-      hci_dev_lock(hdev);
++      if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1)
++              return;
+-      while (num_reports--) {
+-              struct hci_ev_le_direct_adv_info *ev = ptr;
++      hci_dev_lock(hdev);
++      for (; num_reports; num_reports--, ev++)
+               process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+                                  ev->bdaddr_type, &ev->direct_addr,
+                                  ev->direct_addr_type, ev->rssi, NULL, 0,
+                                  false);
+-              ptr += sizeof(*ev);
+-      }
+-
+       hci_dev_unlock(hdev);
+ }
diff --git a/queue-5.4/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch b/queue-5.4/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
new file mode 100644 (file)
index 0000000..e44bf83
--- /dev/null
@@ -0,0 +1,108 @@
+From 92eb6c3060ebe3adf381fd9899451c5b047bb14d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 26 Oct 2020 13:07:15 -0700
+Subject: crypto: af_alg - avoid undefined behavior accessing salg_name
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 92eb6c3060ebe3adf381fd9899451c5b047bb14d upstream.
+
+Commit 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm
+names") made the kernel start accepting arbitrarily long algorithm names
+in sockaddr_alg.  However, the actual length of the salg_name field
+stayed at the original 64 bytes.
+
+This is broken because the kernel can access indices >= 64 in salg_name,
+which is undefined behavior -- even though the memory that is accessed
+is still located within the sockaddr structure.  It would only be
+defined behavior if the array were properly marked as arbitrary-length
+(either by making it a flexible array, which is the recommended way
+these days, or by making it an array of length 0 or 1).
+
+We can't simply change salg_name into a flexible array, since that would
+break source compatibility with userspace programs that embed
+sockaddr_alg into another struct, or (more commonly) declare a
+sockaddr_alg like 'struct sockaddr_alg sa = { .salg_name = "foo" };'.
+
+One solution would be to change salg_name into a flexible array only
+when '#ifdef __KERNEL__'.  However, that would keep userspace without an
+easy way to actually use the longer algorithm names.
+
+Instead, add a new structure 'sockaddr_alg_new' that has the flexible
+array field, and expose it to both userspace and the kernel.
+Make the kernel use it correctly in alg_bind().
+
+This addresses the syzbot report
+"UBSAN: array-index-out-of-bounds in alg_bind"
+(https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e).
+
+Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com
+Fixes: 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c             |   10 +++++++---
+ include/uapi/linux/if_alg.h |   16 ++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -147,7 +147,7 @@ static int alg_bind(struct socket *sock,
+       const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY;
+       struct sock *sk = sock->sk;
+       struct alg_sock *ask = alg_sk(sk);
+-      struct sockaddr_alg *sa = (void *)uaddr;
++      struct sockaddr_alg_new *sa = (void *)uaddr;
+       const struct af_alg_type *type;
+       void *private;
+       int err;
+@@ -155,7 +155,11 @@ static int alg_bind(struct socket *sock,
+       if (sock->state == SS_CONNECTED)
+               return -EINVAL;
+-      if (addr_len < sizeof(*sa))
++      BUILD_BUG_ON(offsetof(struct sockaddr_alg_new, salg_name) !=
++                   offsetof(struct sockaddr_alg, salg_name));
++      BUILD_BUG_ON(offsetof(struct sockaddr_alg, salg_name) != sizeof(*sa));
++
++      if (addr_len < sizeof(*sa) + 1)
+               return -EINVAL;
+       /* If caller uses non-allowed flag, return error. */
+@@ -163,7 +167,7 @@ static int alg_bind(struct socket *sock,
+               return -EINVAL;
+       sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
+-      sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0;
++      sa->salg_name[addr_len - sizeof(*sa) - 1] = 0;
+       type = alg_get_type(sa->salg_type);
+       if (IS_ERR(type) && PTR_ERR(type) == -ENOENT) {
+--- a/include/uapi/linux/if_alg.h
++++ b/include/uapi/linux/if_alg.h
+@@ -24,6 +24,22 @@ struct sockaddr_alg {
+       __u8    salg_name[64];
+ };
++/*
++ * Linux v4.12 and later removed the 64-byte limit on salg_name[]; it's now an
++ * arbitrary-length field.  We had to keep the original struct above for source
++ * compatibility with existing userspace programs, though.  Use the new struct
++ * below if support for very long algorithm names is needed.  To do this,
++ * allocate 'sizeof(struct sockaddr_alg_new) + strlen(algname) + 1' bytes, and
++ * copy algname (including the null terminator) into salg_name.
++ */
++struct sockaddr_alg_new {
++      __u16   salg_family;
++      __u8    salg_type[14];
++      __u32   salg_feat;
++      __u32   salg_mask;
++      __u8    salg_name[];
++};
++
+ struct af_alg_iv {
+       __u32   ivlen;
+       __u8    iv[0];
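Review bot: The new bound `if (addr_len < sizeof(*sa) + 1)` is a signed/unsigned comparison: `addr_len` is an `int`, so a negative value converts to a huge `size_t`, passes the check, and the terminator store `sa->salg_name[addr_len - sizeof(*sa) - 1] = 0` would then index far outside the address buffer. That is only safe because the socket core is expected to have rejected negative and over-long lengths before `alg_bind()` is reached (the generic bind path caps `addr_len` at `sizeof(struct sockaddr_storage)`, which is not visible here), so a comment recording that precondition is worth adding above the check, e.g. `/* Socket core guarantees 0 <= addr_len <= sizeof(struct sockaddr_storage). */`. The same cap means the "arbitrary-length" wording in the new if_alg.h comment is bounded in practice to `sizeof(struct sockaddr_storage)` minus the 24-byte fixed header, which the comment should say so userspace does not expect longer names to bind. alg_bind() starts before this hunk.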
diff --git a/queue-5.4/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch b/queue-5.4/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
new file mode 100644 (file)
index 0000000..c5647b3
--- /dev/null
@@ -0,0 +1,75 @@
+From c731b84b51bf7fe83448bea8f56a6d55006b0615 Mon Sep 17 00:00:00 2001
+From: "Dae R. Jeong" <dae.r.jeong@kaist.ac.kr>
+Date: Thu, 22 Oct 2020 10:21:28 +0900
+Subject: md: fix a warning caused by a race between concurrent md_ioctl()s
+
+From: Dae R. Jeong <dae.r.jeong@kaist.ac.kr>
+
+commit c731b84b51bf7fe83448bea8f56a6d55006b0615 upstream.
+
+Syzkaller reports a warning as belows.
+WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169
+...
+Call Trace:
+...
+RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169
+RSP: 0018:ffff888096027950 EFLAGS: 00010293
+RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2
+RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007
+RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482
+R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932
+R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408
+ __blkdev_driver_ioctl block/ioctl.c:304 [inline]
+ blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606
+ block_ioctl+0xee/0x130 fs/block_dev.c:1930
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is caused by a race between two concurrenct md_ioctl()s closing
+the array.
+CPU1 (md_ioctl())                   CPU2 (md_ioctl())
+------                              ------
+set_bit(MD_CLOSING, &mddev->flags);
+did_set_md_closing = true;
+                                    WARN_ON_ONCE(test_bit(MD_CLOSING,
+                                            &mddev->flags));
+if(did_set_md_closing)
+    clear_bit(MD_CLOSING, &mddev->flags);
+
+Fix the warning by returning immediately if the MD_CLOSING bit is set
+in &mddev->flags which indicates that the array is being closed.
+
+Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop")
+Reported-by: syzbot+1e46a0864c1a6e9bd3d8@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dae R. Jeong <dae.r.jeong@kaist.ac.kr>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7371,8 +7371,11 @@ static int md_ioctl(struct block_device
+                       err = -EBUSY;
+                       goto out;
+               }
+-              WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags));
+-              set_bit(MD_CLOSING, &mddev->flags);
++              if (test_and_set_bit(MD_CLOSING, &mddev->flags)) {
++                      mutex_unlock(&mddev->open_mutex);
++                      err = -EBUSY;
++                      goto out;
++              }
+               did_set_md_closing = true;
+               mutex_unlock(&mddev->open_mutex);
+               sync_blockdev(bdev);
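Review bot: The new `if (test_and_set_bit(MD_CLOSING, &mddev->flags))` early-out returns -EBUSY with no explanation, and because it replaces a WARN_ON_ONCE the next reader has no hint that this is the concurrent-close race rather than an ordinary device-busy condition; a comment above the `if`, `/* Another ioctl is already stopping this array; let it finish. */`, would record that. It is also worth noting in that comment that the loser of the race gets -EBUSY even though the array is presumably being stopped as it asked, so a caller that retries on EBUSY will spin until the winner completes, which looks acceptable but is a behavioural change from the old warn-and-continue path. md_ioctl() starts and ends outside this hunk.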
diff --git a/queue-5.4/media-msi2500-assign-spi-bus-number-dynamically.patch b/queue-5.4/media-msi2500-assign-spi-bus-number-dynamically.patch
new file mode 100644 (file)
index 0000000..6fd8539
--- /dev/null
@@ -0,0 +1,34 @@
+From 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 Mon Sep 17 00:00:00 2001
+From: Antti Palosaari <crope@iki.fi>
+Date: Sat, 17 Aug 2019 03:12:10 +0200
+Subject: media: msi2500: assign SPI bus number dynamically
+
+From: Antti Palosaari <crope@iki.fi>
+
+commit 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 upstream.
+
+SPI bus number must be assigned dynamically for each device, otherwise it
+will crash when multiple devices are plugged to system.
+
+Reported-and-tested-by: syzbot+c60ddb60b685777d9d59@syzkaller.appspotmail.com
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/msi2500/msi2500.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/msi2500/msi2500.c
++++ b/drivers/media/usb/msi2500/msi2500.c
+@@ -1230,7 +1230,7 @@ static int msi2500_probe(struct usb_inte
+       }
+       dev->master = master;
+-      master->bus_num = 0;
++      master->bus_num = -1;
+       master->num_chipselect = 1;
+       master->transfer_one_message = msi2500_transfer_one_message;
+       spi_master_set_devdata(master, dev);
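Review bot: `master->bus_num = -1;` is a magic value whose meaning (ask the SPI core to allocate a bus number) is explained only in the commit message; a comment on that line, `/* -1: have the SPI core assign a free bus number; a fixed 0 collides when a second device is plugged in */`, keeps the why next to the code. The rest of msi2500_probe(), including where the master is registered and how a registration failure is handled, lies outside this hunk, so that part cannot be checked here.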
diff --git a/queue-5.4/quota-sanity-check-quota-file-headers-on-load.patch b/queue-5.4/quota-sanity-check-quota-file-headers-on-load.patch
new file mode 100644 (file)
index 0000000..b698039
--- /dev/null
@@ -0,0 +1,50 @@
+From 11c514a99bb960941535134f0587102855e8ddee Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 2 Nov 2020 16:16:29 +0100
+Subject: quota: Sanity-check quota file headers on load
+
+From: Jan Kara <jack@suse.cz>
+
+commit 11c514a99bb960941535134f0587102855e8ddee upstream.
+
+Perform basic sanity checks of quota headers to avoid kernel crashes on
+corrupted quota files.
+
+CC: stable@vger.kernel.org
+Reported-by: syzbot+f816042a7ae2225f25ba@syzkaller.appspotmail.com
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/quota/quota_v2.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/quota/quota_v2.c
++++ b/fs/quota/quota_v2.c
+@@ -159,6 +159,25 @@ static int v2_read_file_info(struct supe
+               qinfo->dqi_entry_size = sizeof(struct v2r1_disk_dqblk);
+               qinfo->dqi_ops = &v2r1_qtree_ops;
+       }
++      ret = -EUCLEAN;
++      /* Some sanity checks of the read headers... */
++      if ((loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits >
++          i_size_read(sb_dqopt(sb)->files[type])) {
++              quota_error(sb, "Number of blocks too big for quota file size (%llu > %llu).",
++                  (loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits,
++                  i_size_read(sb_dqopt(sb)->files[type]));
++              goto out;
++      }
++      if (qinfo->dqi_free_blk >= qinfo->dqi_blocks) {
++              quota_error(sb, "Free block number too big (%u >= %u).",
++                          qinfo->dqi_free_blk, qinfo->dqi_blocks);
++              goto out;
++      }
++      if (qinfo->dqi_free_entry >= qinfo->dqi_blocks) {
++              quota_error(sb, "Block with free entry too big (%u >= %u).",
++                          qinfo->dqi_free_entry, qinfo->dqi_blocks);
++              goto out;
++      }
+       ret = 0;
+ out:
+       up_read(&dqopt->dqio_sem);
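Review bot: The new checks bound `dqi_free_blk` and `dqi_free_entry` from above by `dqi_blocks`, but nothing rejects a `dqi_blocks` that is too small to hold the header block and the root of the tree, so a header claiming a single block still passes; if the v2 layout reserves the first block(s) for the header and tree root as the qtree code's `QT_TREEOFF` name suggests (the constant is not visible here), a lower bound such as `if (qinfo->dqi_blocks <= QT_TREEOFF) { quota_error(sb, "Too few blocks (%u)", qinfo->dqi_blocks); goto out; }` belongs alongside them. Separately, the first `quota_error()` prints `loff_t` values (a signed `long long`) with `%llu`; `%lld` matches the type. v2_read_file_info() starts before this hunk.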
index a3a3c98311866d5941a2c1568913b1919c2e91a5..2a7ceffd5f1f2c6c60e3adb648f4029dbc234680 100644 (file)
@@ -64,3 +64,8 @@ coresight-etb10-fix-possible-null-ptr-dereference-in-etb_enable_perf.patch
 scsi-megaraid_sas-check-user-provided-offsets.patch
 hid-i2c-hid-add-vero-k147-to-descriptor-override.patch
 serial_core-check-for-port-state-when-tty-is-in-error-state.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
+quota-sanity-check-quota-file-headers-on-load.patch
+media-msi2500-assign-spi-bus-number-dynamically.patch
+crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
+md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch