--- /dev/null
+From d3f07c049dab1a3f1740f476afd3d5e5b738c21c Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Thu, 2 Aug 2018 22:59:12 +0800
+Subject: f2fs: fix invalid memory access
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit d3f07c049dab1a3f1740f476afd3d5e5b738c21c upstream.
+
+syzbot found the following crash on:
+
+HEAD commit: d9bd94c0bcaa Add linux-next specific files for 20180801
+git tree: linux-next
+console output: https://syzkaller.appspot.com/x/log.txt?x=1001189c400000
+kernel config: https://syzkaller.appspot.com/x/.config?x=cc8964ea4d04518c
+dashboard link: https://syzkaller.appspot.com/bug?extid=c966a82db0b14aa37e81
+compiler: gcc (GCC) 8.0.1 20180413 (experimental)
+
+Unfortunately, I don't have any reproducer for this crash yet.
+
+IMPORTANT: if you fix the bug, please add the following tag to the commit:
+Reported-by: syzbot+c966a82db0b14aa37e81@syzkaller.appspotmail.com
+
+loop7: rw=12288, want=8200, limit=20
+netlink: 65342 bytes leftover after parsing attributes in process `syz-executor4'.
+openvswitch: netlink: Message has 8 unknown bytes.
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN
+CPU: 1 PID: 7615 Comm: syz-executor7 Not tainted 4.18.0-rc7-next-20180801+ #29
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
+RIP: 0010:compound_head include/linux/page-flags.h:142 [inline]
+RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline]
+RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline]
+RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835
+Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00
+RSP: 0018:ffff8801937cebe8 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff8801937cef30 RCX: ffffc90006035000
+RDX: 0000000000000000 RSI: ffffffff82fd9658 RDI: 0000000000000005
+RBP: ffff8801937cef58 R08: ffff8801ab254700 R09: fffff94000d9e026
+R10: fffff94000d9e026 R11: ffffea0006cf0137 R12: fffffffffffffffb
+R13: ffff8801937ceeb0 R14: 0000000000000003 R15: ffff880193419b40
+FS: 00007f36a61d5700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc04ff93000 CR3: 00000001d0562000 CR4: 00000000001426e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ f2fs_get_valid_checkpoint+0x436/0x1ec0 fs/f2fs/checkpoint.c:860
+ f2fs_fill_super+0x2d42/0x8110 fs/f2fs/super.c:2883
+ mount_bdev+0x314/0x3e0 fs/super.c:1344
+ f2fs_mount+0x3c/0x50 fs/f2fs/super.c:3133
+ legacy_get_tree+0x131/0x460 fs/fs_context.c:729
+ vfs_get_tree+0x1cb/0x5c0 fs/super.c:1743
+ do_new_mount fs/namespace.c:2603 [inline]
+ do_mount+0x6f2/0x1e20 fs/namespace.c:2927
+ ksys_mount+0x12d/0x140 fs/namespace.c:3143
+ __do_sys_mount fs/namespace.c:3157 [inline]
+ __se_sys_mount fs/namespace.c:3154 [inline]
+ __x64_sys_mount+0xbe/0x150 fs/namespace.c:3154
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x45943a
+Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 bd 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 9a 8a fb ff c3 66 0f 1f 84 00 00 00 00 00
+RSP: 002b:00007f36a61d4a88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+RAX: ffffffffffffffda RBX: 00007f36a61d4b30 RCX: 000000000045943a
+RDX: 00007f36a61d4ad0 RSI: 0000000020000100 RDI: 00007f36a61d4af0
+RBP: 0000000020000100 R08: 00007f36a61d4b30 R09: 00007f36a61d4ad0
+R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000013
+R13: 0000000000000000 R14: 00000000004c8ea0 R15: 0000000000000000
+Modules linked in:
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+---[ end trace bd8550c129352286 ]---
+RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
+RIP: 0010:compound_head include/linux/page-flags.h:142 [inline]
+RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline]
+RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline]
+RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835
+Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00
+RSP: 0018:ffff8801937cebe8 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff8801937cef30 RCX: ffffc90006035000
+RDX: 0000000000000000 RSI: ffffffff82fd9658 RDI: 0000000000000005
+netlink: 65342 bytes leftover after parsing attributes in process `syz-executor4'.
+RBP: ffff8801937cef58 R08: ffff8801ab254700 R09: fffff94000d9e026
+openvswitch: netlink: Message has 8 unknown bytes.
+R10: fffff94000d9e026 R11: ffffea0006cf0137 R12: fffffffffffffffb
+R13: ffff8801937ceeb0 R14: 0000000000000003 R15: ffff880193419b40
+FS: 00007f36a61d5700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc04ff93000 CR3: 00000001d0562000 CR4: 00000000001426e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+In validate_checkpoint(), if we failed to call get_checkpoint_version(), we
+will pass returned invalid page pointer into f2fs_put_page, cause accessing
+invalid memory, this patch tries to handle error path correctly to fix this
+issue.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+
+---
+ fs/f2fs/checkpoint.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -746,6 +746,7 @@ static int get_checkpoint_version(struct
+
+ crc_offset = le32_to_cpu((*cp_block)->checksum_offset);
+ if (crc_offset > (blk_size - sizeof(__le32))) {
++ f2fs_put_page(*cp_page, 1);
+ f2fs_msg(sbi->sb, KERN_WARNING,
+ "invalid crc_offset: %zu", crc_offset);
+ return -EINVAL;
+@@ -753,6 +754,7 @@ static int get_checkpoint_version(struct
+
+ crc = cur_cp_crc(*cp_block);
+ if (!f2fs_crc_valid(sbi, crc, *cp_block, crc_offset)) {
++ f2fs_put_page(*cp_page, 1);
+ f2fs_msg(sbi->sb, KERN_WARNING, "invalid crc value");
+ return -EINVAL;
+ }
+@@ -772,14 +774,14 @@ static struct page *validate_checkpoint(
+ err = get_checkpoint_version(sbi, cp_addr, &cp_block,
+ &cp_page_1, version);
+ if (err)
+- goto invalid_cp1;
++ return NULL;
+ pre_version = *version;
+
+ cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1;
+ err = get_checkpoint_version(sbi, cp_addr, &cp_block,
+ &cp_page_2, version);
+ if (err)
+- goto invalid_cp2;
++ goto invalid_cp;
+ cur_version = *version;
+
+ if (cur_version == pre_version) {
+@@ -787,9 +789,8 @@ static struct page *validate_checkpoint(
+ f2fs_put_page(cp_page_2, 1);
+ return cp_page_1;
+ }
+-invalid_cp2:
+ f2fs_put_page(cp_page_2, 1);
+-invalid_cp1:
++invalid_cp:
+ f2fs_put_page(cp_page_1, 1);
+ return NULL;
+ }
powerpc-avoid-code-patching-freed-init-sections.patch
powerpc-lib-fix-book3s-32-boot-failure-due-to-code-patching.patch
arc-clone-syscall-to-setp-r25-as-thread-pointer.patch
+f2fs-fix-invalid-memory-access.patch
+tipc-call-start-and-done-ops-directly-in-__tipc_nl_compat_dumpit.patch
+ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch
+ubifs-check-for-name-being-null-while-mounting.patch
--- /dev/null
+From 8f5c5fcf353302374b36232d6885c1a3b579e5ca Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 4 Sep 2018 14:54:55 -0700
+Subject: tipc: call start and done ops directly in __tipc_nl_compat_dumpit()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+commit 8f5c5fcf353302374b36232d6885c1a3b579e5ca upstream.
+
+__tipc_nl_compat_dumpit() uses a netlink_callback on stack,
+so the only way to align it with other ->dumpit() call path
+is calling tipc_dump_start() and tipc_dump_done() directly
+inside it. Otherwise ->dumpit() would always get NULL from
+cb->args[].
+
+But tipc_dump_start() uses sock_net(cb->skb->sk) to retrieve
+net pointer, the cb->skb here doesn't set skb->sk, the net pointer
+is saved in msg->net instead, so introduce a helper function
+__tipc_dump_start() to pass in msg->net.
+
+Ying pointed out cb->args[0...3] are already used by other
+callbacks on this call path, so we can't use cb->args[0] any
+more, use cb->args[4] instead.
+
+Fixes: 9a07efa9aea2 ("tipc: switch to rhashtable iterator")
+Reported-and-tested-by: syzbot+e93a2c41f91b8e2c7d9b@syzkaller.appspotmail.com
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/netlink_compat.c | 2 ++
+ net/tipc/socket.c | 17 +++++++++++------
+ net/tipc/socket.h | 1 +
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -185,6 +185,7 @@ static int __tipc_nl_compat_dumpit(struc
+ return -ENOMEM;
+
+ buf->sk = msg->dst_sk;
++ __tipc_dump_start(&cb, msg->net);
+
+ do {
+ int rem;
+@@ -216,6 +217,7 @@ static int __tipc_nl_compat_dumpit(struc
+ err = 0;
+
+ err_out:
++ tipc_dump_done(&cb);
+ kfree_skb(buf);
+
+ if (err == -EMSGSIZE) {
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -3233,7 +3233,7 @@ int tipc_nl_sk_walk(struct sk_buff *skb,
+ struct netlink_callback *cb,
+ struct tipc_sock *tsk))
+ {
+- struct rhashtable_iter *iter = (void *)cb->args[0];
++ struct rhashtable_iter *iter = (void *)cb->args[4];
+ struct tipc_sock *tsk;
+ int err;
+
+@@ -3269,8 +3269,14 @@ EXPORT_SYMBOL(tipc_nl_sk_walk);
+
+ int tipc_dump_start(struct netlink_callback *cb)
+ {
+- struct rhashtable_iter *iter = (void *)cb->args[0];
+- struct net *net = sock_net(cb->skb->sk);
++ return __tipc_dump_start(cb, sock_net(cb->skb->sk));
++}
++EXPORT_SYMBOL(tipc_dump_start);
++
++int __tipc_dump_start(struct netlink_callback *cb, struct net *net)
++{
++ /* tipc_nl_name_table_dump() uses cb->args[0...3]. */
++ struct rhashtable_iter *iter = (void *)cb->args[4];
+ struct tipc_net *tn = tipc_net(net);
+
+ if (!iter) {
+@@ -3278,17 +3284,16 @@ int tipc_dump_start(struct netlink_callb
+ if (!iter)
+ return -ENOMEM;
+
+- cb->args[0] = (long)iter;
++ cb->args[4] = (long)iter;
+ }
+
+ rhashtable_walk_enter(&tn->sk_rht, iter);
+ return 0;
+ }
+-EXPORT_SYMBOL(tipc_dump_start);
+
+ int tipc_dump_done(struct netlink_callback *cb)
+ {
+- struct rhashtable_iter *hti = (void *)cb->args[0];
++ struct rhashtable_iter *hti = (void *)cb->args[4];
+
+ rhashtable_walk_exit(hti);
+ kfree(hti);
+--- a/net/tipc/socket.h
++++ b/net/tipc/socket.h
+@@ -69,5 +69,6 @@ int tipc_nl_sk_walk(struct sk_buff *skb,
+ struct netlink_callback *cb,
+ struct tipc_sock *tsk));
+ int tipc_dump_start(struct netlink_callback *cb);
++int __tipc_dump_start(struct netlink_callback *cb, struct net *net);
+ int tipc_dump_done(struct netlink_callback *cb);
+ #endif
--- /dev/null
+From 37f31b6ca4311b94d985fb398a72e5399ad57925 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Mon, 3 Sep 2018 23:06:23 +0200
+Subject: ubifs: Check for name being NULL while mounting
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 37f31b6ca4311b94d985fb398a72e5399ad57925 upstream.
+
+The requested device name can be NULL or an empty string.
+Check for that and refuse to continue. UBIFS has to do this manually
+since we cannot use mount_bdev(), which checks for this condition.
+
+Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
+Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/super.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ubifs/super.c
++++ b/fs/ubifs/super.c
+@@ -1929,6 +1929,9 @@ static struct ubi_volume_desc *open_ubi(
+ int dev, vol;
+ char *endptr;
+
++ if (!name || !*name)
++ return ERR_PTR(-EINVAL);
++
+ /* First, try to open using the device node path method */
+ ubi = ubi_open_volume_path(name, mode);
+ if (!IS_ERR(ubi))
--- /dev/null
+From 5fe23f262e0548ca7f19fb79f89059a60d087d22 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 12 Sep 2018 16:27:44 -0700
+Subject: ucma: fix a use-after-free in ucma_resolve_ip()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+commit 5fe23f262e0548ca7f19fb79f89059a60d087d22 upstream.
+
+There is a race condition between ucma_close() and ucma_resolve_ip():
+
+CPU0 CPU1
+ucma_resolve_ip(): ucma_close():
+
+ctx = ucma_get_ctx(file, cmd.id);
+
+ list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) {
+ mutex_lock(&mut);
+ idr_remove(&ctx_idr, ctx->id);
+ mutex_unlock(&mut);
+ ...
+ mutex_lock(&mut);
+ if (!ctx->closing) {
+ mutex_unlock(&mut);
+ rdma_destroy_id(ctx->cm_id);
+ ...
+ ucma_free_ctx(ctx);
+
+ret = rdma_resolve_addr();
+ucma_put_ctx(ctx);
+
+Before idr_remove(), ucma_get_ctx() could still find the ctx
+and after rdma_destroy_id(), rdma_resolve_addr() may still
+access id_priv pointer. Also, ucma_put_ctx() may use ctx after
+ucma_free_ctx() too.
+
+ucma_close() should call ucma_put_ctx() too which tests the
+refcnt and waits for the last one releasing it. The similar
+pattern is already used by ucma_destroy_id().
+
+Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com
+Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com
+Cc: Jason Gunthorpe <jgg@mellanox.com>
+Cc: Doug Ledford <dledford@redhat.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1759,6 +1759,8 @@ static int ucma_close(struct inode *inod
+ mutex_lock(&mut);
+ if (!ctx->closing) {
+ mutex_unlock(&mut);
++ ucma_put_ctx(ctx);
++ wait_for_completion(&ctx->comp);
+ /* rdma_destroy_id ensures that no event handlers are
+ * inflight for that id before releasing it.
+ */
projects / thirdparty / kernel / stable-queue.git / commitdiff
