--- /dev/null
+From 9804501fa1228048857910a6bf23e085aade37cc Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 14 Mar 2019 13:47:59 +0800
+Subject: appletalk: Fix potential NULL pointer dereference in unregister_snap_client
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 9804501fa1228048857910a6bf23e085aade37cc upstream.
+
+register_snap_client may return NULL, all the callers
+check it, but only print a warning. This will result in
+NULL pointer dereference in unregister_snap_client and other
+places.
+
+It has always been used like this since v2.6
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to <4.15: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/atalk.h | 2 +-
+ net/appletalk/aarp.c | 15 ++++++++++++---
+ net/appletalk/ddp.c | 20 ++++++++++++--------
+ 3 files changed, 25 insertions(+), 12 deletions(-)
+
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -107,7 +107,7 @@ static __inline__ struct elapaarp *aarp_
+ #define AARP_RESOLVE_TIME (10 * HZ)
+
+ extern struct datalink_proto *ddp_dl, *aarp_dl;
+-extern void aarp_proto_init(void);
++extern int aarp_proto_init(void);
+
+ /* Inter module exports */
+
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi
+
+ static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
+
+-void __init aarp_proto_init(void)
++int __init aarp_proto_init(void)
+ {
++ int rc;
++
+ aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
+- if (!aarp_dl)
++ if (!aarp_dl) {
+ printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
++ return -ENOMEM;
++ }
+ setup_timer(&aarp_timer, aarp_expire_timeout, 0);
+ aarp_timer.expires = jiffies + sysctl_aarp_expiry_time;
+ add_timer(&aarp_timer);
+- register_netdevice_notifier(&aarp_notifier);
++ rc = register_netdevice_notifier(&aarp_notifier);
++ if (rc) {
++ del_timer_sync(&aarp_timer);
++ unregister_snap_client(aarp_dl);
++ }
++ return rc;
+ }
+
+ /* Remove the AARP entries associated with a device. */
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1911,9 +1911,6 @@ static unsigned char ddp_snap_id[] = { 0
+ EXPORT_SYMBOL(atrtr_get_dev);
+ EXPORT_SYMBOL(atalk_find_dev_addr);
+
+-static const char atalk_err_snap[] __initconst =
+- KERN_CRIT "Unable to register DDP with SNAP.\n";
+-
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+@@ -1928,17 +1925,22 @@ static int __init atalk_init(void)
+ goto out_proto;
+
+ ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+- if (!ddp_dl)
+- printk(atalk_err_snap);
++ if (!ddp_dl) {
++ pr_crit("Unable to register DDP with SNAP.\n");
++ goto out_sock;
++ }
+
+ dev_add_pack(<alk_packet_type);
+ dev_add_pack(&ppptalk_packet_type);
+
+ rc = register_netdevice_notifier(&ddp_notifier);
+ if (rc)
+- goto out_sock;
++ goto out_snap;
++
++ rc = aarp_proto_init();
++ if (rc)
++ goto out_dev;
+
+- aarp_proto_init();
+ rc = atalk_proc_init();
+ if (rc)
+ goto out_aarp;
+@@ -1952,11 +1954,13 @@ out_proc:
+ atalk_proc_exit();
+ out_aarp:
+ aarp_cleanup_module();
++out_dev:
+ unregister_netdevice_notifier(&ddp_notifier);
+-out_sock:
++out_snap:
+ dev_remove_pack(&ppptalk_packet_type);
+ dev_remove_pack(<alk_packet_type);
+ unregister_snap_client(ddp_dl);
++out_sock:
+ sock_unregister(PF_APPLETALK);
+ out_proto:
+ proto_unregister(&ddp_proto);
--- /dev/null
+From c93ad1337ad06a718890a89cdd85188ff9a5a5cc Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 30 Apr 2019 19:34:08 +0800
+Subject: appletalk: Set error code if register_snap_client failed
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream.
+
+If register_snap_client fails in atalk_init,
+error code should be set, otherwise it will
+triggers NULL pointer dereference while unloading
+module.
+
+Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/appletalk/ddp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1927,6 +1927,7 @@ static int __init atalk_init(void)
+ ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+ if (!ddp_dl) {
+ pr_crit("Unable to register DDP with SNAP.\n");
++ rc = -ENOMEM;
+ goto out_sock;
+ }
+
--- /dev/null
+From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 4 Dec 2019 10:28:54 +0100
+Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.
+
+The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
+KVM_GET_EMULATED_CPUID.
+
+Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
+Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/cpuid.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -389,7 +389,7 @@ static inline int __do_cpuid_ent(struct
+
+ r = -E2BIG;
+
+- if (*nent >= maxnent)
++ if (WARN_ON(*nent >= maxnent))
+ goto out;
+
+ do_cpuid_1_ent(entry, function, index);
+@@ -691,6 +691,9 @@ out:
+ static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func,
+ u32 idx, int *nent, int maxnent, unsigned int type)
+ {
++ if (*nent >= maxnent)
++ return -E2BIG;
++
+ if (type == KVM_GET_EMULATED_CPUID)
+ return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
