From: Greg Kroah-Hartman Date: Tue, 26 Nov 2019 10:45:42 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.204~67 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=764ac4619f65184c400b7cae3a757602e7dd0768;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch --- diff --git a/queue-4.19/md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch b/queue-4.19/md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch new file mode 100644 index 00000000000..7b6cdec4598 --- /dev/null +++ b/queue-4.19/md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch 
@@ -0,0 +1,40 @@ +From 45422b704db392a6d79d07ee3e3670b11048bd53 Mon Sep 17 00:00:00 2001 +From: John Pittman +Date: Mon, 11 Nov 2019 16:43:20 -0800 +Subject: md/raid10: prevent access of uninitialized resync_pages offset + +From: John Pittman + +commit 45422b704db392a6d79d07ee3e3670b11048bd53 upstream. + +Due to unneeded multiplication in the out_free_pages portion of +r10buf_pool_alloc(), when using a 3-copy raid10 layout, it is +possible to access a resync_pages offset that has not been +initialized. This access translates into a crash of the system +within resync_free_pages() while passing a bad pointer to +put_page(). Remove the multiplication, preventing access to the +uninitialized area. + +Fixes: f0250618361db ("md: raid10: don't use bio's vec table to manage resync pages") +Cc: stable@vger.kernel.org # 4.12+ +Signed-off-by: John Pittman +Suggested-by: David Jeffery +Reviewed-by: Laurence Oberman +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid10.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -229,7 +229,7 @@ static void * r10buf_pool_alloc(gfp_t gf + + out_free_pages: + while (--j >= 0) +- resync_free_pages(&rps[j * 2]); ++ resync_free_pages(&rps[j]); + + j = 0; + out_free_bio: diff --git a/queue-4.19/series b/queue-4.19/series index 1e330492a09..97f670981d4 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -257,3 +257,4 @@ bluetooth-fix-invalid-free-in-bcsp_close.patch kvm-mmu-do-not-treat-zone_device-pages-as-being-reserved.patch ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch ath9k_hw-fix-uninitialized-variable-data.patch +md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch
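Review bot: In the out_free_pages loop of r10buf_pool_alloc(), the new index `&rps[j]` is only correct if the allocation path fills rps one entry per j, and that path lies outside the hunk's context, so the fix cannot be checked from the diff alone. The commit message calls the multiplication "unneeded" without saying how rps is indexed when the pages are allocated. One sentence stating that would let a reader confirm that `while (--j >= 0)` now walks exactly the entries that were initialized, and would explain why the 3-copy layout is the case where `j * 2` runs past them. Separately, the Cc line marks the fix for stable 4.12+ while the visible diff adds it only to queue-4.19/series, so it is worth confirming that the other affected stable queues carry it as well.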