5.4-stable patches

added patches:
	net-qrtr-fix-__netdev_alloc_skb-call.patch

diff --git a/queue-5.4/net-qrtr-fix-__netdev_alloc_skb-call.patch b/queue-5.4/net-qrtr-fix-__netdev_alloc_skb-call.patch
new file mode 100644 (file)
index 0000000..08be244
--- /dev/null
+++ b/queue-5.4/net-qrtr-fix-__netdev_alloc_skb-call.patch
@@ -0,0 +1,54 @@
+From 093b036aa94e01a0bea31a38d7f0ee28a2749023 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Mon, 1 Mar 2021 02:22:40 +0300
+Subject: net/qrtr: fix __netdev_alloc_skb call
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 093b036aa94e01a0bea31a38d7f0ee28a2749023 upstream.
+
+syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= MAX_ORDER.
+It was caused by a huge length value passed from userspace to qrtr_tun_write_iter(),
+which tries to allocate skb. Since the value comes from the untrusted source
+there is no need to raise a warning in __alloc_pages_nodemask().
+
+[1] WARNING in __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5014
+Call Trace:
+ __alloc_pages include/linux/gfp.h:511 [inline]
+ __alloc_pages_node include/linux/gfp.h:524 [inline]
+ alloc_pages_node include/linux/gfp.h:538 [inline]
+ kmalloc_large_node+0x60/0x110 mm/slub.c:3999
+ __kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496
+ __kmalloc_reserve net/core/skbuff.c:150 [inline]
+ __alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210
+ __netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446
+ netdev_alloc_skb include/linux/skbuff.h:2832 [inline]
+ qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442
+ qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write+0x426/0x650 fs/read_write.c:518
+ vfs_write+0x791/0xa30 fs/read_write.c:605
+ ksys_write+0x12d/0x250 fs/read_write.c:658
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Acked-by: Alexander Lobakin <alobakin@pm.me>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/qrtr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -264,7 +264,7 @@ int qrtr_endpoint_post(struct qrtr_endpo
+       if (len == 0 || len & 3)
+               return -EINVAL;
+ 
+-      skb = netdev_alloc_skb(NULL, len);
++      skb = __netdev_alloc_skb(NULL, len, GFP_ATOMIC | __GFP_NOWARN);
+       if (!skb)
+               return -ENOMEM;
+ 

diff --git a/queue-5.4/series b/queue-5.4/series
index e37baf78df87d2d75b437cabc4de5ecefe0fc984..eb0cec8f3f669665ef1679b34d103cf445376516 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -24,3 +24,4 @@ nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch
 svcrdma-disable-timeouts-on-rdma-backchannel.patch
 vfio-iommu_api-should-be-selected.patch
 sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch
+net-qrtr-fix-__netdev_alloc_skb-call.patch