From e43688ea6e1bbe2625cfdfd9c7db01d80f02db55 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 May 2021 14:01:11 +0200
Subject: [PATCH] 4.4-stable patches
added patches:
dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
kobject_uevent-remove-warning-in-init_uevent_argv.patch
---
...-bounds-array-access-when-no-devices.patch | 39 ++++++++++++++++
...t-remove-warning-in-init_uevent_argv.patch | 45 +++++++++++++++++++
queue-4.4/series | 2 +
3 files changed, 86 insertions(+)
create mode 100644 queue-4.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
create mode 100644 queue-4.4/kobject_uevent-remove-warning-in-init_uevent_argv.patch
diff --git a/queue-4.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch b/queue-4.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
new file mode 100644
index 00000000000..b4c3a1d871c
--- /dev/null
+++ b/queue-4.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
@@ -0,0 +1,39 @@
+From 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 26 Mar 2021 14:32:32 -0400
+Subject: dm ioctl: fix out of bounds array access when no devices
+
+From: Mikulas Patocka
+
+commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream.
+
+If there are not any dm devices, we need to zero the "dev" argument in
+the first structure dm_name_list. However, this can cause out of
+bounds write, because the "needed" variable is zero and len may be
+less than eight.
+
+Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is
+too small to hold the "nl->dev" value.
+
+Signed-off-by: Mikulas Patocka
+Reported-by: Dan Carpenter
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+[iwamatsu: Adjust context]
+Signed-off-by: Nobuhiro Iwamatsu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl
+ * Grab our output buffer.
+ */
+ nl = get_result_buffer(param, param_size, &len);
+- if (len < needed) {
++ if (len < needed || len < sizeof(nl->dev)) {
+ param->flags |= DM_BUFFER_FULL_FLAG;
+ goto out;
+ }
diff --git a/queue-4.4/kobject_uevent-remove-warning-in-init_uevent_argv.patch b/queue-4.4/kobject_uevent-remove-warning-in-init_uevent_argv.patch
new file mode 100644
index 00000000000..a32c91c4476
--- /dev/null
+++ b/queue-4.4/kobject_uevent-remove-warning-in-init_uevent_argv.patch
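Review bot: The new `len < sizeof(nl->dev)` operand in the `if` condition is the entire fix, yet nothing near it records why it is there; per the patch message, when there are no devices `needed` is zero but `nl->dev` is still zeroed after this check, so a later cleanup could plausibly fold the condition back into `len < needed` and reintroduce the out-of-bounds write. A comment on that line such as `/* nl->dev is zeroed below even when needed == 0 (no devices), so the buffer must hold at least that field */` would preserve the intent. The declarations of `len` and `needed` are not visible in the hunk, so whether the comparison against `sizeof` is unsigned-to-unsigned cannot be confirmed here; `list_devices()` starts and ends outside the hunk.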
@@ -0,0 +1,45 @@
+From b4104180a2efb85f55e1ba1407885c9421970338 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 5 Apr 2021 11:48:52 +0200
+Subject: kobject_uevent: remove warning in init_uevent_argv()
+
+From: Greg Kroah-Hartman
+
+commit b4104180a2efb85f55e1ba1407885c9421970338 upstream.
+
+syzbot can trigger the WARN() in init_uevent_argv() which isn't the
+nicest as the code does properly recover and handle the error. So
+change the WARN() call to pr_warn() and provide some more information on
+what the buffer size that was needed.
+
+Link: https://lore.kernel.org/r/20201107082206.GA19079@kroah.com
+Cc: "Rafael J. Wysocki"
+Cc: linux-kernel@vger.kernel.org
+Reported-by: syzbot+92340f7b2b4789907fdb@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20210405094852.1348499-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/kobject_uevent.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/lib/kobject_uevent.c
++++ b/lib/kobject_uevent.c
+@@ -128,12 +128,13 @@ static int kobj_usermode_filter(struct k
+
+ static int init_uevent_argv(struct kobj_uevent_env *env, const char *subsystem)
+ {
++ int buffer_size = sizeof(env->buf) - env->buflen;
+ int len;
+
+- len = strlcpy(&env->buf[env->buflen], subsystem,
+- sizeof(env->buf) - env->buflen);
+- if (len >= (sizeof(env->buf) - env->buflen)) {
+- WARN(1, KERN_ERR "init_uevent_argv: buffer size too small\n");
++ len = strlcpy(&env->buf[env->buflen], subsystem, buffer_size);
++ if (len >= buffer_size) {
++ pr_warn("init_uevent_argv: buffer size of %d too small, needed %d\n",
++ buffer_size, len);
+ return -ENOMEM;
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index db9724825e4..3cee2fff185 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
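Review bot: The new `int buffer_size = sizeof(env->buf) - env->buflen;` silently narrows a `size_t` difference to `int`, and nothing in the hunk keeps `env->buflen` at or below `sizeof(env->buf)`; if that invariant ever fails, `buffer_size` goes negative, the `strlcpy` call on the next changed line receives it converted back to a very large `size_t`, and the `len >= buffer_size` test only fires after the copy has already run. Since this backport mirrors the upstream change, a comment stating the assumption is the minimal fix, e.g. `/* assumes env->buflen <= sizeof(env->buf); a negative buffer_size means env is already corrupt */`, with `size_t` for `buffer_size` and `len` (and `%zu` in the format) as the stricter alternative. Because the patch message notes the path is reachable by syzbot, an unconditional `pr_warn` can be driven repeatedly; `pr_warn_ratelimited` may be worth considering so the replacement for `WARN()` cannot flood the log. `init_uevent_argv()` continues past the end of the hunk.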
@@ -172,3 +172,5 @@ mips-reinstate-platform-__div64_32-handler.patch
 mips-avoid-divu-in-__div64_32-is-result-would-be-zero.patch
 mips-avoid-handcoded-divu-in-__div64_32-altogether.patch
 thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch
+dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
+kobject_uevent-remove-warning-in-init_uevent_argv.patch
-- 
2.47.3