--- /dev/null
+From 92eb6c3060ebe3adf381fd9899451c5b047bb14d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 26 Oct 2020 13:07:15 -0700
+Subject: crypto: af_alg - avoid undefined behavior accessing salg_name
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 92eb6c3060ebe3adf381fd9899451c5b047bb14d upstream.
+
+Commit 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm
+names") made the kernel start accepting arbitrarily long algorithm names
+in sockaddr_alg. However, the actual length of the salg_name field
+stayed at the original 64 bytes.
+
+This is broken because the kernel can access indices >= 64 in salg_name,
+which is undefined behavior -- even though the memory that is accessed
+is still located within the sockaddr structure. It would only be
+defined behavior if the array were properly marked as arbitrary-length
+(either by making it a flexible array, which is the recommended way
+these days, or by making it an array of length 0 or 1).
+
+We can't simply change salg_name into a flexible array, since that would
+break source compatibility with userspace programs that embed
+sockaddr_alg into another struct, or (more commonly) declare a
+sockaddr_alg like 'struct sockaddr_alg sa = { .salg_name = "foo" };'.
+
+One solution would be to change salg_name into a flexible array only
+when '#ifdef __KERNEL__'. However, that would keep userspace without an
+easy way to actually use the longer algorithm names.
+
+Instead, add a new structure 'sockaddr_alg_new' that has the flexible
+array field, and expose it to both userspace and the kernel.
+Make the kernel use it correctly in alg_bind().
+
+This addresses the syzbot report
+"UBSAN: array-index-out-of-bounds in alg_bind"
+(https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e).
+
+Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com
+Fixes: 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c | 10 +++++++---
+ include/uapi/linux/if_alg.h | 16 ++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -151,7 +151,7 @@ static int alg_bind(struct socket *sock,
+ const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY;
+ struct sock *sk = sock->sk;
+ struct alg_sock *ask = alg_sk(sk);
+- struct sockaddr_alg *sa = (void *)uaddr;
++ struct sockaddr_alg_new *sa = (void *)uaddr;
+ const struct af_alg_type *type;
+ void *private;
+ int err;
+@@ -159,7 +159,11 @@ static int alg_bind(struct socket *sock,
+ if (sock->state == SS_CONNECTED)
+ return -EINVAL;
+
+- if (addr_len < sizeof(*sa))
++ BUILD_BUG_ON(offsetof(struct sockaddr_alg_new, salg_name) !=
++ offsetof(struct sockaddr_alg, salg_name));
++ BUILD_BUG_ON(offsetof(struct sockaddr_alg, salg_name) != sizeof(*sa));
++
++ if (addr_len < sizeof(*sa) + 1)
+ return -EINVAL;
+
+ /* If caller uses non-allowed flag, return error. */
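Review bot: The new length check `if (addr_len < sizeof(*sa) + 1)` compares addr_len with a size_t expression, so if addr_len is a signed int (the parameter list is cut off in the hunk header) a negative value would convert to a large unsigned number and pass. The check is then safe only because the caller has already bounded the length, which is not visible here. I would put that dependency and the reason for the `+ 1` in a comment above the check, for example `/* relies on the caller having bounded addr_len; need at least one byte of salg_name for the NUL stored below */`. The same value indexes `sa->salg_name[addr_len - sizeof(*sa) - 1]` in the next hunk, so the comment covers that store as well. alg_bind starts and ends outside this hunk.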
+@@ -167,7 +171,7 @@ static int alg_bind(struct socket *sock,
+ return -EINVAL;
+
+ sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
+- sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0;
++ sa->salg_name[addr_len - sizeof(*sa) - 1] = 0;
+
+ type = alg_get_type(sa->salg_type);
+ if (IS_ERR(type) && PTR_ERR(type) == -ENOENT) {
+--- a/include/uapi/linux/if_alg.h
++++ b/include/uapi/linux/if_alg.h
+@@ -24,6 +24,22 @@ struct sockaddr_alg {
+ __u8 salg_name[64];
+ };
+
++/*
++ * Linux v4.12 and later removed the 64-byte limit on salg_name[]; it's now an
++ * arbitrary-length field. We had to keep the original struct above for source
++ * compatibility with existing userspace programs, though. Use the new struct
++ * below if support for very long algorithm names is needed. To do this,
++ * allocate 'sizeof(struct sockaddr_alg_new) + strlen(algname) + 1' bytes, and
++ * copy algname (including the null terminator) into salg_name.
++ */
++struct sockaddr_alg_new {
++ __u16 salg_family;
++ __u8 salg_type[14];
++ __u32 salg_feat;
++ __u32 salg_mask;
++ __u8 salg_name[];
++};
++
+ struct af_alg_iv {
+ __u32 ivlen;
+ __u8 iv[0];
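Review bot: The comment above struct sockaddr_alg_new gives the allocation size but not the address length to pass to bind(), and the kernel side depends on it: alg_bind stores a NUL at `salg_name[addr_len - sizeof(*sa) - 1]`, the last byte of whatever length was supplied. A caller who passes `sizeof(struct sockaddr_alg_new) + strlen(algname)` would have the final character of the name silently replaced and end up bound to a different name than intended. I would add one sentence to the comment: `Pass that same size as the address length to bind(); the kernel writes a null terminator into the last byte.`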
--- /dev/null
+From c731b84b51bf7fe83448bea8f56a6d55006b0615 Mon Sep 17 00:00:00 2001
+From: "Dae R. Jeong" <dae.r.jeong@kaist.ac.kr>
+Date: Thu, 22 Oct 2020 10:21:28 +0900
+Subject: md: fix a warning caused by a race between concurrent md_ioctl()s
+
+From: Dae R. Jeong <dae.r.jeong@kaist.ac.kr>
+
+commit c731b84b51bf7fe83448bea8f56a6d55006b0615 upstream.
+
+Syzkaller reports a warning as belows.
+WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169
+...
+Call Trace:
+...
+RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169
+RSP: 0018:ffff888096027950 EFLAGS: 00010293
+RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2
+RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007
+RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482
+R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932
+R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408
+ __blkdev_driver_ioctl block/ioctl.c:304 [inline]
+ blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606
+ block_ioctl+0xee/0x130 fs/block_dev.c:1930
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is caused by a race between two concurrenct md_ioctl()s closing
+the array.
+CPU1 (md_ioctl()) CPU2 (md_ioctl())
+------ ------
+set_bit(MD_CLOSING, &mddev->flags);
+did_set_md_closing = true;
+ WARN_ON_ONCE(test_bit(MD_CLOSING,
+ &mddev->flags));
+if(did_set_md_closing)
+ clear_bit(MD_CLOSING, &mddev->flags);
+
+Fix the warning by returning immediately if the MD_CLOSING bit is set
+in &mddev->flags which indicates that the array is being closed.
+
+Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop")
+Reported-by: syzbot+1e46a0864c1a6e9bd3d8@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dae R. Jeong <dae.r.jeong@kaist.ac.kr>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7187,8 +7187,11 @@ static int md_ioctl(struct block_device
+ err = -EBUSY;
+ goto out;
+ }
+- WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags));
+- set_bit(MD_CLOSING, &mddev->flags);
++ if (test_and_set_bit(MD_CLOSING, &mddev->flags)) {
++ mutex_unlock(&mddev->open_mutex);
++ err = -EBUSY;
++ goto out;
++ }
+ did_set_md_closing = true;
+ mutex_unlock(&mddev->open_mutex);
+ sync_blockdev(bdev);
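Review bot: The new early exit after `test_and_set_bit(MD_CLOSING, &mddev->flags)` has no comment saying that it must leave the bit set, which is the point of the fix according to the race shown in the commit message. Without one, a later cleanup could route this path through code that clears MD_CLOSING and reintroduce the race; I would add `/* Another ioctl is already closing the array; MD_CLOSING is its to clear. */` above the `if`. This relies on did_set_md_closing still being false here, presumably its initial value; the declaration is outside the hunk, as are the start and end of md_ioctl. The `err = -EBUSY; goto out;` sequence also appears to repeat the branch just above it, so a shared exit label would be a reasonable follow-up.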
--- /dev/null
+From 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 Mon Sep 17 00:00:00 2001
+From: Antti Palosaari <crope@iki.fi>
+Date: Sat, 17 Aug 2019 03:12:10 +0200
+Subject: media: msi2500: assign SPI bus number dynamically
+
+From: Antti Palosaari <crope@iki.fi>
+
+commit 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 upstream.
+
+SPI bus number must be assigned dynamically for each device, otherwise it
+will crash when multiple devices are plugged to system.
+
+Reported-and-tested-by: syzbot+c60ddb60b685777d9d59@syzkaller.appspotmail.com
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/msi2500/msi2500.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/msi2500/msi2500.c
++++ b/drivers/media/usb/msi2500/msi2500.c
+@@ -1250,7 +1250,7 @@ static int msi2500_probe(struct usb_inte
+ }
+
+ dev->master = master;
+- master->bus_num = 0;
++ master->bus_num = -1;
+ master->num_chipselect = 1;
+ master->transfer_one_message = msi2500_transfer_one_message;
+ spi_master_set_devdata(master, dev);
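Review bot: `master->bus_num = -1;` is a magic value with no comment, and the `0` it replaces shows how easily it could be changed back to a fixed number. A negative bus_num asks the SPI core to allocate the number itself, which is what the commit message means by dynamic assignment. I would say so on the line: `master->bus_num = -1; /* let the SPI core allocate a bus number per device */`. msi2500_probe starts and ends outside the hunk.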
--- /dev/null
+From 11c514a99bb960941535134f0587102855e8ddee Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 2 Nov 2020 16:16:29 +0100
+Subject: quota: Sanity-check quota file headers on load
+
+From: Jan Kara <jack@suse.cz>
+
+commit 11c514a99bb960941535134f0587102855e8ddee upstream.
+
+Perform basic sanity checks of quota headers to avoid kernel crashes on
+corrupted quota files.
+
+CC: stable@vger.kernel.org
+Reported-by: syzbot+f816042a7ae2225f25ba@syzkaller.appspotmail.com
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/quota/quota_v2.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/quota/quota_v2.c
++++ b/fs/quota/quota_v2.c
+@@ -158,6 +158,25 @@ static int v2_read_file_info(struct supe
+ qinfo->dqi_entry_size = sizeof(struct v2r1_disk_dqblk);
+ qinfo->dqi_ops = &v2r1_qtree_ops;
+ }
++ ret = -EUCLEAN;
++ /* Some sanity checks of the read headers... */
++ if ((loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits >
++ i_size_read(sb_dqopt(sb)->files[type])) {
++ quota_error(sb, "Number of blocks too big for quota file size (%llu > %llu).",
++ (loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits,
++ i_size_read(sb_dqopt(sb)->files[type]));
++ goto out;
++ }
++ if (qinfo->dqi_free_blk >= qinfo->dqi_blocks) {
++ quota_error(sb, "Free block number too big (%u >= %u).",
++ qinfo->dqi_free_blk, qinfo->dqi_blocks);
++ goto out;
++ }
++ if (qinfo->dqi_free_entry >= qinfo->dqi_blocks) {
++ quota_error(sb, "Block with free entry too big (%u >= %u).",
++ qinfo->dqi_free_entry, qinfo->dqi_blocks);
++ goto out;
++ }
+ ret = 0;
+ out:
+ up_read(&dqopt->dqio_sem);
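Review bot: The three new `goto out` exits return -EUCLEAN through a label whose only visible cleanup is `up_read(&dqopt->dqio_sem)`, so anything v2_read_file_info allocated before this point is not released on these paths. qinfo is already being filled in at the top of the hunk, which suggests it was allocated earlier in the function, outside the hunk. If so, a corrupted quota file, the very input these checks exist for, makes each failed load leak that allocation and may leave its owner pointing at rejected header data. I would send the new exits to a separate cleanup label placed before `out:` that frees qinfo when ret is non-zero and clears the pointer that holds it. The function starts and ends outside the hunk, so the earlier error paths need checking against the full file before choosing the label.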
arm-dts-exynos-fix-usb-3.0-pins-supply-being-turned-off-on-odroid-xu.patch
hid-i2c-hid-add-vero-k147-to-descriptor-override.patch
serial_core-check-for-port-state-when-tty-is-in-error-state.patch
+quota-sanity-check-quota-file-headers-on-load.patch
+media-msi2500-assign-spi-bus-number-dynamically.patch
+crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
+md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch