--- /dev/null
+From 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 15 Jan 2020 20:49:04 +0300
+Subject: Bluetooth: Fix race condition in hci_release_sock()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 upstream.
+
+Syzbot managed to trigger a use after free "KASAN: use-after-free Write
+in hci_sock_bind". I have reviewed the code manually and one possibly
+cause I have found is that we are not holding lock_sock(sk) when we do
+the hci_dev_put(hdev) in hci_sock_release(). My theory is that the bind
+and the release are racing against each other which results in this use
+after free.
+
+Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -826,6 +826,8 @@ static int hci_sock_release(struct socke
+ if (!sk)
+ return 0;
+
++ lock_sock(sk);
++
+ switch (hci_pi(sk)->channel) {
+ case HCI_CHANNEL_MONITOR:
+ atomic_dec(&monitor_promisc);
+@@ -873,6 +875,7 @@ static int hci_sock_release(struct socke
+ skb_queue_purge(&sk->sk_receive_queue);
+ skb_queue_purge(&sk->sk_write_queue);
+
++ release_sock(sk);
+ sock_put(sk);
+ return 0;
+ }
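Review bot: Nothing at the new `lock_sock(sk)` in hci_sock_release() says what the lock protects, and the matching `release_sock(sk)` sits only on the final path before `sock_put(sk)`. The code between the two hunks is not shown, so confirm that no return or jump in that span leaves the socket locked. A comment at the lock site would record the intent, for example `/* serialize with hci_sock_bind(): hdev must not be put while a bind is in progress */`. The commit message calls the race a theory, so it is also worth checking that the bind path holds the same socket lock across its hdev accesses; otherwise the KASAN-reported use-after-free may still be reachable.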
--- /dev/null
+From 51d0c99b391f0cac61ad7b827c26f549ee55672c Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 10 Nov 2019 11:15:37 +0100
+Subject: media: af9005: uninitialized variable printked
+
+From: Sean Young <sean@mess.org>
+
+commit 51d0c99b391f0cac61ad7b827c26f549ee55672c upstream.
+
+If usb_bulk_msg() fails, actual_length can be uninitialized.
+
+Reported-by: syzbot+9d42b7773d2fecd983ab@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/af9005.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/af9005.c
++++ b/drivers/media/usb/dvb-usb/af9005.c
+@@ -567,7 +567,7 @@ static int af9005_boot_packet(struct usb
+ u8 *buf, int size)
+ {
+ u16 checksum;
+- int act_len, i, ret;
++ int act_len = 0, i, ret;
+
+ memset(buf, 0, size);
+ buf[0] = (u8) (FW_BULKOUT_SIZE & 0xff);
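Review bot: Initialising `act_len` to 0 in af9005_boot_packet() makes the later read defined, but it does not separate "the transfer failed" from "the transfer moved 0 bytes". The use of act_len is outside this hunk; if it is only a diagnostic print, consider reporting the length only when usb_bulk_msg() succeeded. A comment on the declaration would explain the initialiser, e.g. `/* stays 0 if usb_bulk_msg() fails before writing it */`. The same pattern, and the same remark, applies to `int actlen = 0, ret = -ENOMEM;` in dvb_usb_generic_rw() in the dvb-usb-urb.c patch.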
--- /dev/null
+From eecc70d22ae51225de1ef629c1159f7116476b2e Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 10 Nov 2019 11:04:40 +0100
+Subject: media: digitv: don't continue if remote control state can't be read
+
+From: Sean Young <sean@mess.org>
+
+commit eecc70d22ae51225de1ef629c1159f7116476b2e upstream.
+
+This results in an uninitialized variable read.
+
+Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/digitv.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/digitv.c
++++ b/drivers/media/usb/dvb-usb/digitv.c
+@@ -233,18 +233,22 @@ static struct rc_map_table rc_map_digitv
+
+ static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
+- int i;
++ int ret, i;
+ u8 key[5];
+ u8 b[4] = { 0 };
+
+ *event = 0;
+ *state = REMOTE_NO_KEY_PRESSED;
+
+- digitv_ctrl_msg(d,USB_READ_REMOTE,0,NULL,0,&key[1],4);
++ ret = digitv_ctrl_msg(d, USB_READ_REMOTE, 0, NULL, 0, &key[1], 4);
++ if (ret)
++ return ret;
+
+ /* Tell the device we've read the remote. Not sure how necessary
+ this is, but the Nebula SDK does it. */
+- digitv_ctrl_msg(d,USB_WRITE_REMOTE,0,b,4,NULL,0);
++ ret = digitv_ctrl_msg(d, USB_WRITE_REMOTE, 0, b, 4, NULL, 0);
++ if (ret)
++ return ret;
+
+ /* if something is inside the buffer, simulate key press */
+ if (key[1] != 0)
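Review bot: `key[0]` is still never written in digitv_rc_query(): the array is declared `u8 key[5];` and the read fills only `&key[1]` for 4 bytes. Any later use of the whole array, which would be outside this hunk, still reads an uninitialized byte. Declaring it `u8 key[5] = { 0 };`, as `b` already is, closes that without relying on the new return checks. Separately, returning early when the USB_WRITE_REMOTE acknowledgement fails discards a key that was read successfully; given the existing comment that the write may not be necessary, a short comment saying this is deliberate would help.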
--- /dev/null
+From 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Tue, 12 Nov 2019 10:22:28 +0100
+Subject: media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 upstream.
+
+This fixes a syzbot failure since actlen could be uninitialized,
+but it was still used.
+
+Syzbot link:
+
+https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1
+
+Reported-and-tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Acked-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dvb-usb-urb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/dvb-usb-urb.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-urb.c
+@@ -11,7 +11,7 @@
+ int dvb_usb_generic_rw(struct dvb_usb_device *d, u8 *wbuf, u16 wlen, u8 *rbuf,
+ u16 rlen, int delay_ms)
+ {
+- int actlen,ret = -ENOMEM;
++ int actlen = 0, ret = -ENOMEM;
+
+ if (!d || wbuf == NULL || wlen == 0)
+ return -EINVAL;
--- /dev/null
+From de89d0864f66c2a1b75becfdd6bf3793c07ce870 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Tue, 12 Nov 2019 10:22:24 +0100
+Subject: media: gspca: zero usb_buf
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit de89d0864f66c2a1b75becfdd6bf3793c07ce870 upstream.
+
+Allocate gspca_dev->usb_buf with kzalloc instead of kmalloc to
+ensure it is property zeroed. This fixes various syzbot errors
+about uninitialized data.
+
+Syzbot links:
+
+https://syzkaller.appspot.com/bug?extid=32310fc2aea76898d074
+https://syzkaller.appspot.com/bug?extid=99706d6390be1ac542a2
+https://syzkaller.appspot.com/bug?extid=64437af5c781a7f0e08e
+
+Reported-and-tested-by: syzbot+32310fc2aea76898d074@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+99706d6390be1ac542a2@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+64437af5c781a7f0e08e@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/gspca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -2043,7 +2043,7 @@ int gspca_dev_probe2(struct usb_interfac
+ pr_err("couldn't kzalloc gspca struct\n");
+ return -ENOMEM;
+ }
+- gspca_dev->usb_buf = kmalloc(USB_BUF_SZ, GFP_KERNEL);
++ gspca_dev->usb_buf = kzalloc(USB_BUF_SZ, GFP_KERNEL);
+ if (!gspca_dev->usb_buf) {
+ pr_err("out of memory\n");
+ ret = -ENOMEM;
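Review bot: Switching `usb_buf` to kzalloc() in gspca_dev_probe2() only defines the buffer's contents until the first transfer writes into it. The buffer is presumably reused across transfers, so a sub-driver that reads it after a failed or short USB read would then see stale data from an earlier transfer instead of uninitialized heap memory. The call sites are outside this hunk, so this is an inference, but the durable fix is for those readers to check the transfer result. A comment here would keep the intent visible: `/* zeroed so a failed first read cannot expose heap contents; callers must still check transfer results */`.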
--- /dev/null
+From c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 30 Jan 2020 22:11:07 -0800
+Subject: mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 upstream.
+
+What we are trying to do is change the '=' character to a NUL terminator
+and then at the end of the function we restore it back to an '='. The
+problem is there are two error paths where we jump to the end of the
+function before we have replaced the '=' with NUL.
+
+We end up putting the '=' in the wrong place (possibly one element
+before the start of the buffer).
+
+Link: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain
+Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Dmitry Vyukov <dvyukov@google.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2744,6 +2744,9 @@ int mpol_parse_str(char *str, struct mem
+ char *flags = strchr(str, '=');
+ int err = 1;
+
++ if (flags)
++ *flags++ = '\0'; /* terminate mode string */
++
+ if (nodelist) {
+ /* NUL-terminate mode or flags string */
+ *nodelist++ = '\0';
+@@ -2754,9 +2757,6 @@ int mpol_parse_str(char *str, struct mem
+ } else
+ nodes_clear(nodes);
+
+- if (flags)
+- *flags++ = '\0'; /* terminate mode string */
+-
+ for (mode = 0; mode < MPOL_MAX; mode++) {
+ if (!strcmp(str, policy_modes[mode])) {
+ break;
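Review bot: The moved `*flags++ = '\0'` in mpol_parse_str() now carries an ordering requirement that the code does not state. Per the commit message, the end of the function puts the '=' back through `flags`, so the cut has to happen before the first error jump; the exit path itself is outside this hunk. A comment on the moved lines would stop a later reordering from reintroducing the out-of-bounds write, e.g. `/* must precede every jump to the exit path, which restores the '=' */`. It also appears that an '=' located after the ':' is now cut before the nodelist is parsed, which may change which malformed strings are rejected; the nodelist parsing is not fully visible here, so this needs confirming.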
--- /dev/null
+From 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 12 Dec 2019 11:30:03 +0100
+Subject: reiserfs: Fix memory leak of journal device string
+
+From: Jan Kara <jack@suse.cz>
+
+commit 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c upstream.
+
+When a filesystem is mounted with jdev mount option, we store the
+journal device name in an allocated string in superblock. However we
+fail to ever free that string. Fix it.
+
+Reported-by: syzbot+1c6756baf4b16b94d2a6@syzkaller.appspotmail.com
+Fixes: c3aa077648e1 ("reiserfs: Properly display mount options in /proc/mounts")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -599,6 +599,7 @@ static void reiserfs_put_super(struct su
+ reiserfs_write_unlock(s);
+ mutex_destroy(&REISERFS_SB(s)->lock);
+ destroy_workqueue(REISERFS_SB(s)->commit_wq);
++ kfree(REISERFS_SB(s)->s_jdev);
+ kfree(s->s_fs_info);
+ s->s_fs_info = NULL;
+ }
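Review bot: The added `kfree(REISERFS_SB(s)->s_jdev)` in reiserfs_put_super(), like `kfree(sbi->s_jdev)` under error_unlocked in the next hunk, frees the string only at teardown. The place where s_jdev is assigned is outside both hunks. If the jdev option can be parsed more than once, for example when repeated in the option string or on remount, the earlier allocation would still leak at that assignment; check that the assignment frees or rejects an existing value. Neither hunk resets the pointer after freeing it, which is safe here only because the containing structure is freed on the next line.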
+@@ -2217,6 +2218,7 @@ error_unlocked:
+ kfree(qf_names[j]);
+ }
+ #endif
++ kfree(sbi->s_jdev);
+ kfree(sbi);
+
+ s->s_fs_info = NULL;
iio-gyro-st_gyro-fix-l3gd20h-support.patch
tools-lib-fix-builds-when-glibc-contains-strlcpy.patch
arm64-kbuild-remove-compressed-images-on-make-arch-arm64-dist-clean.patch
+mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
+reiserfs-fix-memory-leak-of-journal-device-string.patch
+media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
+media-af9005-uninitialized-variable-printked.patch
+media-gspca-zero-usb_buf.patch
+media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
+ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
+bluetooth-fix-race-condition-in-hci_release_sock.patch
--- /dev/null
+From 9a655c77ff8fc65699a3f98e237db563b37c439b Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Date: Mon, 13 Jan 2020 11:48:42 +0800
+Subject: ttyprintk: fix a potential deadlock in interrupt context issue
+
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+
+commit 9a655c77ff8fc65699a3f98e237db563b37c439b upstream.
+
+tpk_write()/tpk_close() could be interrupted when holding a mutex, then
+in timer handler tpk_write() may be called again trying to acquire same
+mutex, lead to deadlock.
+
+Google syzbot reported this issue with CONFIG_DEBUG_ATOMIC_SLEEP
+enabled:
+
+BUG: sleeping function called from invalid context at
+kernel/locking/mutex.c:938
+in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/1
+1 lock held by swapper/1/0:
+...
+Call Trace:
+ <IRQ>
+ dump_stack+0x197/0x210
+ ___might_sleep.cold+0x1fb/0x23e
+ __might_sleep+0x95/0x190
+ __mutex_lock+0xc5/0x13c0
+ mutex_lock_nested+0x16/0x20
+ tpk_write+0x5d/0x340
+ resync_tnc+0x1b6/0x320
+ call_timer_fn+0x1ac/0x780
+ run_timer_softirq+0x6c3/0x1790
+ __do_softirq+0x262/0x98c
+ irq_exit+0x19b/0x1e0
+ smp_apic_timer_interrupt+0x1a3/0x610
+ apic_timer_interrupt+0xf/0x20
+ </IRQ>
+
+See link https://syzkaller.appspot.com/bug?extid=2eeef62ee31f9460ad65 for
+more details.
+
+Fix it by using spinlock in process context instead of mutex and having
+interrupt disabled in critical section.
+
+Reported-by: syzbot+2eeef62ee31f9460ad65@syzkaller.appspotmail.com
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20200113034842.435-1-zhenzhong.duan@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ttyprintk.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/ttyprintk.c
++++ b/drivers/char/ttyprintk.c
+@@ -18,10 +18,11 @@
+ #include <linux/serial.h>
+ #include <linux/tty.h>
+ #include <linux/module.h>
++#include <linux/spinlock.h>
+
+ struct ttyprintk_port {
+ struct tty_port port;
+- struct mutex port_write_mutex;
++ spinlock_t spinlock;
+ };
+
+ static struct ttyprintk_port tpk_port;
+@@ -100,11 +101,12 @@ static int tpk_open(struct tty_struct *t
+ static void tpk_close(struct tty_struct *tty, struct file *filp)
+ {
+ struct ttyprintk_port *tpkp = tty->driver_data;
++ unsigned long flags;
+
+- mutex_lock(&tpkp->port_write_mutex);
++ spin_lock_irqsave(&tpkp->spinlock, flags);
+ /* flush tpk_printk buffer */
+ tpk_printk(NULL, 0);
+- mutex_unlock(&tpkp->port_write_mutex);
++ spin_unlock_irqrestore(&tpkp->spinlock, flags);
+
+ tty_port_close(&tpkp->port, tty, filp);
+ }
+@@ -116,13 +118,14 @@ static int tpk_write(struct tty_struct *
+ const unsigned char *buf, int count)
+ {
+ struct ttyprintk_port *tpkp = tty->driver_data;
++ unsigned long flags;
+ int ret;
+
+
+ /* exclusive use of tpk_printk within this tty */
+- mutex_lock(&tpkp->port_write_mutex);
++ spin_lock_irqsave(&tpkp->spinlock, flags);
+ ret = tpk_printk(buf, count);
+- mutex_unlock(&tpkp->port_write_mutex);
++ spin_unlock_irqrestore(&tpkp->spinlock, flags);
+
+ return ret;
+ }
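Review bot: After the switch to `spin_lock_irqsave()`, the whole `tpk_printk(buf, count)` call in tpk_write(), and the flush in tpk_close(), runs with interrupts disabled. The critical section therefore scales with the caller-supplied `count`, and tpk_printk() must never sleep. Its body is not visible in these hunks, so confirm it does no allocation, user-space copy or other blocking call. A comment at the lock would record the constraint: `/* tpk_printk() runs with IRQs off here and must not sleep */`. The field name `spinlock` also says less than the `port_write_mutex` it replaces; a name such as `port_write_lock` would keep the purpose visible.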
+@@ -172,7 +175,7 @@ static int __init ttyprintk_init(void)
+ {
+ int ret = -ENOMEM;
+
+- mutex_init(&tpk_port.port_write_mutex);
++ spin_lock_init(&tpk_port.spinlock);
+
+ ttyprintk_driver = tty_alloc_driver(1,
+ TTY_DRIVER_RESET_TERMIOS |