--- /dev/null
+From 9f2df09a33aa2c76ce6385d382693f98d7f2f07e Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 2 Nov 2018 15:48:42 -0700
+Subject: bfs: add sanity check at bfs_fill_super()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream.
+
+syzbot is reporting too large memory allocation at bfs_fill_super() [1].
+Since file system image is corrupted such that bfs_sb->s_start == 0,
+bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix
+this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and
+printf().
+
+[1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96
+
+Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+71c6b5d68e91149fc8a4@syzkaller.appspotmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tigran Aivazian <aivazian.tigran@gmail.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/bfs/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/bfs/inode.c
++++ b/fs/bfs/inode.c
+@@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_b
+
+ s->s_magic = BFS_MAGIC;
+
+- if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) {
++ if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) ||
++ le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) {
+ printf("Superblock is corrupted\n");
+ goto out1;
+ }
+@@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_b
+ sizeof(struct bfs_inode)
+ + BFS_ROOT_INO - 1;
+ imap_len = (info->si_lasti / 8) + 1;
+- info->si_imap = kzalloc(imap_len, GFP_KERNEL);
+- if (!info->si_imap)
++ info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN);
++ if (!info->si_imap) {
++ printf("Cannot allocate %u bytes\n", imap_len);
+ goto out1;
++ }
+ for (i = 0; i < BFS_ROOT_INO; i++)
+ set_bit(i, info->si_imap);
+
--- /dev/null
+From 4c62bd9cea7bcf10292f7e4c57a2bca332942697 Mon Sep 17 00:00:00 2001
+From: Andrew Price <anprice@redhat.com>
+Date: Mon, 8 Oct 2018 07:52:43 -0500
+Subject: gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
+
+From: Andrew Price <anprice@redhat.com>
+
+commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream.
+
+When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points
+to the same address. Move the assignment after that error check so that
+s_fs_info can only point to a valid sdp or NULL, which is checked for
+later in the error path, in gfs2_kill_super().
+
+Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com
+Signed-off-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -72,13 +72,13 @@ static struct gfs2_sbd *init_sbd(struct
+ if (!sdp)
+ return NULL;
+
+- sb->s_fs_info = sdp;
+ sdp->sd_vfs = sb;
+ sdp->sd_lkstats = alloc_percpu(struct gfs2_pcpu_lkstats);
+ if (!sdp->sd_lkstats) {
+ kfree(sdp);
+ return NULL;
+ }
++ sb->s_fs_info = sdp;
+
+ set_bit(SDF_NOJOURNALID, &sdp->sd_flags);
+ gfs2_tune_init(&sdp->sd_tune);
--- /dev/null
+From f39f8688888ae74fa8deae2d01289b69b4727394 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 16 Oct 2018 17:07:35 -0700
+Subject: Input: synaptics - avoid using uninitialized variable when probing
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit f39f8688888ae74fa8deae2d01289b69b4727394 upstream.
+
+synaptics_detect() does not check whether sending commands to the
+device succeeds and instead relies on getting unique data from the
+device. Let's make sure we seed entire buffer with zeroes to make sure
+we will not use garbage on stack that just happen to be 0x47.
+
+Reported-by: syzbot+13cb3b01d0784e4ffc3f@syzkaller.appspotmail.com
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -99,9 +99,7 @@ static int synaptics_mode_cmd(struct psm
+ int synaptics_detect(struct psmouse *psmouse, bool set_properties)
+ {
+ struct ps2dev *ps2dev = &psmouse->ps2dev;
+- u8 param[4];
+-
+- param[0] = 0;
++ u8 param[4] = { 0 };
+
+ ps2_command(ps2dev, param, PSMOUSE_CMD_SETRES);
+ ps2_command(ps2dev, param, PSMOUSE_CMD_SETRES);
--- /dev/null
+From 604d415e2bd642b7e02c80e719e0396b9d4a77a6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 22 Oct 2018 09:24:27 -0700
+Subject: llc: do not use sk_eat_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream.
+
+syzkaller triggered a use-after-free [1], caused by a combination of
+skb_get() in llc_conn_state_process() and usage of sk_eat_skb()
+
+sk_eat_skb() is assuming the skb about to be freed is only used by
+the current thread. TCP/DCCP stacks enforce this because current
+thread holds the socket lock.
+
+llc_conn_state_process() wants to make sure skb does not disappear,
+and holds a reference on the skb it manipulates. But as soon as this
+skb is added to socket receive queue, another thread can consume it.
+
+This means that llc must use regular skb_unlink() and kfree_skb()
+so that both producer and consumer can safely work on the same skb.
+
+[1]
+BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
+BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
+BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline]
+BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655
+Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18
+
+CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113
+ print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
+ atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
+ refcount_read include/linux/refcount.h:43 [inline]
+ skb_unref include/linux/skbuff.h:967 [inline]
+ kfree_skb+0xb7/0x580 net/core/skbuff.c:655
+ llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224
+ llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297
+ llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438
+ llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ process_backlog+0x218/0x6f0 net/core/dev.c:5829
+ napi_poll net/core/dev.c:6249 [inline]
+ net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
+ __do_softirq+0x30c/0xb03 kernel/softirq.c:292
+ run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
+ smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
+ kthread+0x35a/0x420 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
+
+Allocated by task 18:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
+ kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644
+ __alloc_skb+0x119/0x770 net/core/skbuff.c:193
+ alloc_skb include/linux/skbuff.h:995 [inline]
+ llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54
+ llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline]
+ llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111
+ llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ process_backlog+0x218/0x6f0 net/core/dev.c:5829
+ napi_poll net/core/dev.c:6249 [inline]
+ net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
+ __do_softirq+0x30c/0xb03 kernel/softirq.c:292
+
+Freed by task 16383:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kmem_cache_free+0x83/0x290 mm/slab.c:3756
+ kfree_skbmem+0x154/0x230 net/core/skbuff.c:582
+ __kfree_skb+0x1d/0x20 net/core/skbuff.c:642
+ sk_eat_skb include/net/sock.h:2366 [inline]
+ llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882
+ sock_recvmsg_nosec net/socket.c:794 [inline]
+ sock_recvmsg+0xd0/0x110 net/socket.c:801
+ ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278
+ __sys_recvmmsg+0x303/0xb90 net/socket.c:2390
+ do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466
+ __do_sys_recvmmsg net/socket.c:2484 [inline]
+ __se_sys_recvmmsg net/socket.c:2480 [inline]
+ __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8801d1f6fac0
+ which belongs to the cache skbuff_head_cache of size 232
+The buggy address is located 228 bytes inside of
+ 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8)
+The buggy address belongs to the page:
+page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680
+raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/llc/af_llc.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -730,7 +730,6 @@ static int llc_ui_recvmsg(struct socket
+ struct sk_buff *skb = NULL;
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc = llc_sk(sk);
+- unsigned long cpu_flags;
+ size_t copied = 0;
+ u32 peek_seq = 0;
+ u32 *seq, skb_len;
+@@ -855,9 +854,8 @@ static int llc_ui_recvmsg(struct socket
+ goto copy_uaddr;
+
+ if (!(flags & MSG_PEEK)) {
+- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+- sk_eat_skb(sk, skb);
+- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
++ skb_unlink(skb, &sk->sk_receive_queue);
++ kfree_skb(skb);
+ *seq = 0;
+ }
+
+@@ -878,9 +876,8 @@ copy_uaddr:
+ llc_cmsg_rcv(msg, skb);
+
+ if (!(flags & MSG_PEEK)) {
+- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+- sk_eat_skb(sk, skb);
+- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
++ skb_unlink(skb, &sk->sk_receive_queue);
++ kfree_skb(skb);
+ *seq = 0;
+ }
+
--- /dev/null
+From 61448479a9f2c954cde0cfe778cb6bec5d0a748d Mon Sep 17 00:00:00 2001
+From: Dmitry Vyukov <dvyukov@google.com>
+Date: Fri, 26 Oct 2018 15:03:12 -0700
+Subject: mm: don't warn about large allocations for slab
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+commit 61448479a9f2c954cde0cfe778cb6bec5d0a748d upstream.
+
+Slub does not call kmalloc_slab() for sizes > KMALLOC_MAX_CACHE_SIZE,
+instead it falls back to kmalloc_large().
+
+For slab KMALLOC_MAX_CACHE_SIZE == KMALLOC_MAX_SIZE and it calls
+kmalloc_slab() for all allocations relying on NULL return value for
+over-sized allocations.
+
+This inconsistency leads to unwanted warnings from kmalloc_slab() for
+over-sized allocations for slab. Returning NULL for failed allocations is
+the expected behavior.
+
+Make slub and slab code consistent by checking size >
+KMALLOC_MAX_CACHE_SIZE in slab before calling kmalloc_slab().
+
+While we are here also fix the check in kmalloc_slab(). We should check
+against KMALLOC_MAX_CACHE_SIZE rather than KMALLOC_MAX_SIZE. It all kinda
+worked because for slab the constants are the same, and slub always checks
+the size against KMALLOC_MAX_CACHE_SIZE before kmalloc_slab(). But if we
+get there with size > KMALLOC_MAX_CACHE_SIZE anyhow bad things will
+happen. For example, in case of a newly introduced bug in slub code.
+
+Also move the check in kmalloc_slab() from function entry to the size >
+192 case. This partially compensates for the additional check in slab
+code and makes slub code a bit faster (at least theoretically).
+
+Also drop __GFP_NOWARN in the warning check. This warning means a bug in
+slab code itself, user-passed flags have nothing to do with it.
+
+Nothing of this affects slob.
+
+Link: http://lkml.kernel.org/r/20180927171502.226522-1-dvyukov@gmail.com
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: syzbot+87829a10073277282ad1@syzkaller.appspotmail.com
+Reported-by: syzbot+ef4e8fc3a06e9019bb40@syzkaller.appspotmail.com
+Reported-by: syzbot+6e438f4036df52cbb863@syzkaller.appspotmail.com
+Reported-by: syzbot+8574471d8734457d98aa@syzkaller.appspotmail.com
+Reported-by: syzbot+af1504df0807a083dbd9@syzkaller.appspotmail.com
+Acked-by: Christoph Lameter <cl@linux.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slab.c | 4 ++++
+ mm/slab_common.c | 12 ++++++------
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -3675,6 +3675,8 @@ __do_kmalloc_node(size_t size, gfp_t fla
+ struct kmem_cache *cachep;
+ void *ret;
+
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
++ return NULL;
+ cachep = kmalloc_slab(size, flags);
+ if (unlikely(ZERO_OR_NULL_PTR(cachep)))
+ return cachep;
+@@ -3710,6 +3712,8 @@ static __always_inline void *__do_kmallo
+ struct kmem_cache *cachep;
+ void *ret;
+
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
++ return NULL;
+ cachep = kmalloc_slab(size, flags);
+ if (unlikely(ZERO_OR_NULL_PTR(cachep)))
+ return cachep;
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -1027,18 +1027,18 @@ struct kmem_cache *kmalloc_slab(size_t s
+ {
+ unsigned int index;
+
+- if (unlikely(size > KMALLOC_MAX_SIZE)) {
+- WARN_ON_ONCE(!(flags & __GFP_NOWARN));
+- return NULL;
+- }
+-
+ if (size <= 192) {
+ if (!size)
+ return ZERO_SIZE_PTR;
+
+ index = size_index[size_index_elem(size)];
+- } else
++ } else {
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) {
++ WARN_ON(1);
++ return NULL;
++ }
+ index = fls(size - 1);
++ }
+
+ #ifdef CONFIG_ZONE_DMA
+ if (unlikely((flags & GFP_DMA)))
--- /dev/null
+From ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Fri, 26 Oct 2018 15:09:01 -0700
+Subject: mm/memory.c: recheck page table entry with page table lock held
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 upstream.
+
+We clear the pte temporarily during read/modify/write update of the pte.
+If we take a page fault while the pte is cleared, the application can get
+SIGBUS. One such case is with remap_pfn_range without a backing
+vm_ops->fault callback. do_fault will return SIGBUS in that case.
+
+cpu 0 cpu1
+mprotect()
+ptep_modify_prot_start()/pte cleared.
+.
+. page fault.
+.
+.
+prep_modify_prot_commit()
+
+Fix this by taking page table lock and rechecking for pte_none.
+
+[aneesh.kumar@linux.ibm.com: fix crash observed with syzkaller run]
+ Link: http://lkml.kernel.org/r/87va6bwlfg.fsf@linux.ibm.com
+Link: http://lkml.kernel.org/r/20180926031858.9692-1-aneesh.kumar@linux.ibm.com
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3745,10 +3745,36 @@ static vm_fault_t do_fault(struct vm_fau
+ struct vm_area_struct *vma = vmf->vma;
+ vm_fault_t ret;
+
+- /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
+- if (!vma->vm_ops->fault)
+- ret = VM_FAULT_SIGBUS;
+- else if (!(vmf->flags & FAULT_FLAG_WRITE))
++ /*
++ * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND
++ */
++ if (!vma->vm_ops->fault) {
++ /*
++ * If we find a migration pmd entry or a none pmd entry, which
++ * should never happen, return SIGBUS
++ */
++ if (unlikely(!pmd_present(*vmf->pmd)))
++ ret = VM_FAULT_SIGBUS;
++ else {
++ vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm,
++ vmf->pmd,
++ vmf->address,
++ &vmf->ptl);
++ /*
++ * Make sure this is not a temporary clearing of pte
++ * by holding ptl and checking again. A R/M/W update
++ * of pte involves: take ptl, clearing the pte so that
++ * we don't have concurrent modification by hardware
++ * followed by an update.
++ */
++ if (unlikely(pte_none(*vmf->pte)))
++ ret = VM_FAULT_SIGBUS;
++ else
++ ret = VM_FAULT_NOPAGE;
++
++ pte_unmap_unlock(vmf->pte, vmf->ptl);
++ }
++ } else if (!(vmf->flags & FAULT_FLAG_WRITE))
+ ret = do_read_fault(vmf);
+ else if (!(vma->vm_flags & VM_SHARED))
+ ret = do_cow_fault(vmf);
--- /dev/null
+From df132eff463873e14e019a07f387b4d577d6d1f9 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 29 Oct 2018 23:10:29 +0800
+Subject: sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream.
+
+If a transport is removed by asconf but there still are some chunks with
+this transport queuing on out_chunk_list, later an use-after-free issue
+will be caused when accessing this transport from these chunks in
+sctp_outq_flush().
+
+This is an old bug, we fix it by clearing the transport of these chunks
+in out_chunk_list when removing a transport in sctp_assoc_rm_peer().
+
+Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/associola.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -499,8 +499,9 @@ void sctp_assoc_set_primary(struct sctp_
+ void sctp_assoc_rm_peer(struct sctp_association *asoc,
+ struct sctp_transport *peer)
+ {
+- struct list_head *pos;
+- struct sctp_transport *transport;
++ struct sctp_transport *transport;
++ struct list_head *pos;
++ struct sctp_chunk *ch;
+
+ pr_debug("%s: association:%p addr:%pISpc\n",
+ __func__, asoc, &peer->ipaddr.sa);
+@@ -564,7 +565,6 @@ void sctp_assoc_rm_peer(struct sctp_asso
+ */
+ if (!list_empty(&peer->transmitted)) {
+ struct sctp_transport *active = asoc->peer.active_path;
+- struct sctp_chunk *ch;
+
+ /* Reset the transport of each chunk on this list */
+ list_for_each_entry(ch, &peer->transmitted,
+@@ -586,6 +586,10 @@ void sctp_assoc_rm_peer(struct sctp_asso
+ sctp_transport_hold(active);
+ }
+
++ list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list)
++ if (ch->transport == peer)
++ ch->transport = NULL;
++
+ asoc->peer.transport_count--;
+
+ sctp_transport_free(peer);
--- /dev/null
+From 4458bba09788e70e8fb39ad003f087cd9dfbd6ac Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Date: Sat, 8 Sep 2018 01:42:58 +0900
+Subject: selinux: Add __GFP_NOWARN to allocation at str_read()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+commit 4458bba09788e70e8fb39ad003f087cd9dfbd6ac upstream.
+
+syzbot is hitting warning at str_read() [1] because len parameter can
+become larger than KMALLOC_MAX_SIZE. We don't need to emit warning for
+this case.
+
+[1] https://syzkaller.appspot.com/bug?id=7f2f5aad79ea8663c296a2eedb81978401a908f0
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+ac488b9811036cea7ea0@syzkaller.appspotmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/policydb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -1101,7 +1101,7 @@ static int str_read(char **strp, gfp_t f
+ if ((len == 0) || (len == (u32)-1))
+ return -EINVAL;
+
+- str = kmalloc(len + 1, flags);
++ str = kmalloc(len + 1, flags | __GFP_NOWARN);
+ if (!str)
+ return -ENOMEM;
+
opp-ti-opp-supply-dynamically-update-u_volt_min.patch
opp-ti-opp-supply-correct-the-supply-in-_get_optimal_vdd_voltage-call.patch
tools-power-cpupower-fix-compilation-with-static-true.patch
+v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch
+selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch
+input-synaptics-avoid-using-uninitialized-variable-when-probing.patch
+bfs-add-sanity-check-at-bfs_fill_super.patch
+sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch
+gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch
+llc-do-not-use-sk_eat_skb.patch
+mm-don-t-warn-about-large-allocations-for-slab.patch
+mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch
+tcp-do-not-release-socket-ownership-in-tcp_close.patch
--- /dev/null
+From 8873c064d1de579ea23412a6d3eee972593f142b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 1 Oct 2018 23:24:26 -0700
+Subject: tcp: do not release socket ownership in tcp_close()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8873c064d1de579ea23412a6d3eee972593f142b upstream.
+
+syzkaller was able to hit the WARN_ON(sock_owned_by_user(sk));
+in tcp_close()
+
+While a socket is being closed, it is very possible other
+threads find it in rtnetlink dump.
+
+tcp_get_info() will acquire the socket lock for a short amount
+of time (slow = lock_sock_fast(sk)/unlock_sock_fast(sk, slow);),
+enough to trigger the warning.
+
+Fixes: 67db3e4bfbc9 ("tcp: no longer hold ehash lock while calling tcp_get_info()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/sock.h | 1 +
+ net/core/sock.c | 2 +-
+ net/ipv4/tcp.c | 11 +++--------
+ 3 files changed, 5 insertions(+), 9 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1491,6 +1491,7 @@ static inline void lock_sock(struct sock
+ lock_sock_nested(sk, 0);
+ }
+
++void __release_sock(struct sock *sk);
+ void release_sock(struct sock *sk);
+
+ /* BH context may only use the following locking interface. */
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2317,7 +2317,7 @@ static void __lock_sock(struct sock *sk)
+ finish_wait(&sk->sk_lock.wq, &wait);
+ }
+
+-static void __release_sock(struct sock *sk)
++void __release_sock(struct sock *sk)
+ __releases(&sk->sk_lock.slock)
+ __acquires(&sk->sk_lock.slock)
+ {
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2403,16 +2403,10 @@ adjudge_to_death:
+ sock_hold(sk);
+ sock_orphan(sk);
+
+- /* It is the last release_sock in its life. It will remove backlog. */
+- release_sock(sk);
+-
+-
+- /* Now socket is owned by kernel and we acquire BH lock
+- * to finish close. No need to check for user refs.
+- */
+ local_bh_disable();
+ bh_lock_sock(sk);
+- WARN_ON(sock_owned_by_user(sk));
++ /* remove backlog if any, without releasing ownership. */
++ __release_sock(sk);
+
+ percpu_counter_inc(sk->sk_prot->orphan_count);
+
+@@ -2481,6 +2475,7 @@ adjudge_to_death:
+ out:
+ bh_unlock_sock(sk);
+ local_bh_enable();
++ release_sock(sk);
+ sock_put(sk);
+ }
+ EXPORT_SYMBOL(tcp_close);
--- /dev/null
+From 81c99089bce693b94b775b6eb888115d2d540086 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Mon, 27 Aug 2018 15:12:05 +0900
+Subject: v9fs_dir_readdir: fix double-free on p9stat_read error
+
+From: Dominique Martinet <dominique.martinet@cea.fr>
+
+commit 81c99089bce693b94b775b6eb888115d2d540086 upstream.
+
+p9stat_read will call p9stat_free on error, we should only free the
+struct content on success.
+
+There also is no need to "p9stat_init" st as the read function will
+zero the whole struct for us anyway, so clean up the code a bit while
+we are here.
+
+Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_dir.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/fs/9p/vfs_dir.c
++++ b/fs/9p/vfs_dir.c
+@@ -76,15 +76,6 @@ static inline int dt_type(struct p9_wsta
+ return rettype;
+ }
+
+-static void p9stat_init(struct p9_wstat *stbuf)
+-{
+- stbuf->name = NULL;
+- stbuf->uid = NULL;
+- stbuf->gid = NULL;
+- stbuf->muid = NULL;
+- stbuf->extension = NULL;
+-}
+-
+ /**
+ * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir
+ * @filp: opened file structure
+@@ -145,12 +136,10 @@ static int v9fs_dir_readdir(struct file
+ rdir->tail = n;
+ }
+ while (rdir->head < rdir->tail) {
+- p9stat_init(&st);
+ err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
+ rdir->tail - rdir->head, &st);
+ if (err) {
+ p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
+- p9stat_free(&st);
+ return -EIO;
+ }
+ reclen = st.size+2;
projects / thirdparty / kernel / stable-queue.git / commitdiff
