Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Thu, 24 Sep 2020 23:38:17 +0000 (19:38 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 24 Sep 2020 23:38:17 +0000 (19:38 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.9/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch [new file with mode: 0644]
queue-4.9/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch [new file with mode: 0644]
queue-4.9/mtd-fix-comparison-in-map_word_andequal.patch [new file with mode: 0644]
queue-4.9/rdma-ucma-ucma_context-reference-leak-in-error-path.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch b/queue-4.9/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
new file mode 100644 (file)
index 0000000..f190b0f
--- /dev/null
@@ -0,0 +1,70 @@
+From 37400519a282b95e8101ea0836a4aad434ff0b63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Sep 2020 21:20:21 -0700
+Subject: kprobes: fix kill kprobe which has been marked as gone
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+[ Upstream commit b0399092ccebd9feef68d4ceb8d6219a8c0caa05 ]
+
+If a kprobe is marked as gone, we should not kill it again.  Otherwise, we
+can disarm the kprobe more than once.  In that case, the statistics of
+kprobe_ftrace_enabled can unbalance which can lead to that kprobe do not
+work.
+
+Fixes: e8386a0cb22f ("kprobes: support probing module __exit function")
+Co-developed-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: "Naveen N . Rao" <naveen.n.rao@linux.ibm.com>
+Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20200822030055.32383-1-songmuchun@bytedance.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kprobes.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index 9aa2dbe6a4568..6f63d78aceeca 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2012,6 +2012,9 @@ static void kill_kprobe(struct kprobe *p)
+ {
+       struct kprobe *kp;
++      if (WARN_ON_ONCE(kprobe_gone(p)))
++              return;
++
+       p->flags |= KPROBE_FLAG_GONE;
+       if (kprobe_aggrprobe(p)) {
+               /*
+@@ -2154,7 +2157,10 @@ static int kprobes_module_callback(struct notifier_block *nb,
+       mutex_lock(&kprobe_mutex);
+       for (i = 0; i < KPROBE_TABLE_SIZE; i++) {
+               head = &kprobe_table[i];
+-              hlist_for_each_entry_rcu(p, head, hlist)
++              hlist_for_each_entry_rcu(p, head, hlist) {
++                      if (kprobe_gone(p))
++                              continue;
++
+                       if (within_module_init((unsigned long)p->addr, mod) ||
+                           (checkcore &&
+                            within_module_core((unsigned long)p->addr, mod))) {
+@@ -2165,6 +2171,7 @@ static int kprobes_module_callback(struct notifier_block *nb,
+                                */
+                               kill_kprobe(p);
+                       }
++              }
+       }
+       mutex_unlock(&kprobe_mutex);
+       return NOTIFY_DONE;
+-- 
+2.25.1
+
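Review bot: The `continue` for a gone probe in the kprobes_module_callback hunk carries no comment saying why an already-gone probe can still sit in kprobe_table at this point, while kill_kprobe now WARNs on the same condition, so a reader cannot tell which of the two guards is the expected path and which is the anomaly. The reason is in the commit message — killing a probe twice disarms it twice and unbalances kprobe_ftrace_enabled — and belongs next to the skip: `/* Already killed; killing again would disarm twice and unbalance kprobe_ftrace_enabled. */`. Both kill_kprobe and kprobes_module_callback begin before their hunks, so whether other callers of kill_kprobe exist in this tree, and hence whether the WARN_ON_ONCE is ever reachable after this skip, is not visible from here.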
diff --git a/queue-4.9/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch b/queue-4.9/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
new file mode 100644 (file)
index 0000000..1502442
--- /dev/null
@@ -0,0 +1,71 @@
+From 70ba5d792e3a5824281eb36dd79de983377a83e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 11:55:35 -0700
+Subject: KVM: fix memory leak in kvm_io_bus_unregister_dev()
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+[ Upstream commit f65886606c2d3b562716de030706dfe1bea4ed5e ]
+
+when kmalloc() fails in kvm_io_bus_unregister_dev(), before removing
+the bus, we should iterate over all other devices linked to it and call
+kvm_iodevice_destructor() for them
+
+Fixes: 90db10434b16 ("KVM: kvm_io_bus_unregister_dev() should never fail")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+f196caa45793d6374707@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=f196caa45793d6374707
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Message-Id: <20200907185535.233114-1-rkovhaev@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/kvm_main.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 4e4bb5dd2dcd5..010d8aee9346b 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3639,7 +3639,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+                              struct kvm_io_device *dev)
+ {
+-      int i;
++      int i, j;
+       struct kvm_io_bus *new_bus, *bus;
+       bus = kvm->buses[bus_idx];
+@@ -3656,17 +3656,20 @@ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+       new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) *
+                         sizeof(struct kvm_io_range)), GFP_KERNEL);
+-      if (!new_bus)  {
++      if (new_bus) {
++              memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
++              new_bus->dev_count--;
++              memcpy(new_bus->range + i, bus->range + i + 1,
++                     (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
++      } else {
+               pr_err("kvm: failed to shrink bus, removing it completely\n");
+-              goto broken;
++              for (j = 0; j < bus->dev_count; j++) {
++                      if (j == i)
++                              continue;
++                      kvm_iodevice_destructor(bus->range[j].dev);
++              }
+       }
+-      memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
+-      new_bus->dev_count--;
+-      memcpy(new_bus->range + i, bus->range + i + 1,
+-             (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
+-
+-broken:
+       rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
+       synchronize_srcu_expedited(&kvm->srcu);
+       kfree(bus);
+-- 
+2.25.1
+
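Review bot: In the kmalloc-failure branch the `kvm_iodevice_destructor` loop runs before `rcu_assign_pointer()` publishes the NULL bus and before `synchronize_srcu_expedited()` waits out readers, so a reader that has already dereferenced the old `bus` under kvm->srcu can still dispatch into a device that was just torn down. The allocation is GFP_KERNEL, so this path is reachable under ordinary memory pressure, not only by fault injection. The safer ordering keeps only the pr_err in the else branch and runs the destructor loop after the SRCU sync, immediately before `kfree(bus)`, where the old bus is still valid to walk; the device at index `i` stays skipped as the hunk already does. kvm_io_bus_unregister_dev starts before the hunk, so the lookup that sets `i` is not visible here.
```c
	if (new_bus) {
		/* … unchanged: copy bus into new_bus and drop range i … */
	} else {
		pr_err("kvm: failed to shrink bus, removing it completely\n");
	}

	rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
	synchronize_srcu_expedited(&kvm->srcu);

	/*
	 * Only now, with no SRCU reader able to reach the old bus, is it
	 * safe to tear down the devices the failed shrink leaves behind.
	 * range[i].dev is the device being unregistered and is left to
	 * its caller, as before.
	 */
	if (!new_bus) {
		for (j = 0; j < bus->dev_count; j++) {
			if (j == i)
				continue;
			kvm_iodevice_destructor(bus->range[j].dev);
		}
	}
	kfree(bus);
```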
diff --git a/queue-4.9/mtd-fix-comparison-in-map_word_andequal.patch b/queue-4.9/mtd-fix-comparison-in-map_word_andequal.patch
new file mode 100644 (file)
index 0000000..deab24e
--- /dev/null
@@ -0,0 +1,42 @@
+From cf2cbd6d5ca12a11574c673426e8c9c04c22e072 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 19:00:54 +0900
+Subject: mtd: Fix comparison in map_word_andequal()
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit ea739a287f4f16d6250bea779a1026ead79695f2 upstream.
+
+Commit 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros")
+changed map_word_andequal() into a macro, but also changed the right
+hand side of the comparison from val3 to val2.  Change it back to use
+val3 on the right hand side.
+
+Thankfully this did not cause a regression because all callers
+currently pass the same argument for val2 and val3.
+
+Fixes: 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Nobuhiro Iwamatsu (CIP) <noburhio1.nobuhiro@toshiba.co.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mtd/map.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h
+index b5b43f94f3116..01b990e4b228a 100644
+--- a/include/linux/mtd/map.h
++++ b/include/linux/mtd/map.h
+@@ -312,7 +312,7 @@ void map_destroy(struct mtd_info *mtd);
+ ({                                                                    \
+       int i, ret = 1;                                                 \
+       for (i = 0; i < map_words(map); i++) {                          \
+-              if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) {       \
++              if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) {       \
+                       ret = 0;                                        \
+                       break;                                          \
+               }                                                       \
+-- 
+2.25.1
+
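Review bot: The Signed-off-by trailer in this patch reads `noburhio1.nobuhiro@toshiba.co.jp`, which looks like a transposition of the address the same signer uses in the ucma patch queued alongside it (`nobuhiro1.iwamatsu@toshiba.co.jp`); if the trailer was retyped rather than taken from the mail header, it is worth correcting before the series is released. The one-line code change itself matches the description and fixes the operand on the right-hand side of the comparison. The map_word_andequal macro begins before the hunk, so the changed line is reviewed without the rest of its definition.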
diff --git a/queue-4.9/rdma-ucma-ucma_context-reference-leak-in-error-path.patch b/queue-4.9/rdma-ucma-ucma_context-reference-leak-in-error-path.patch
new file mode 100644 (file)
index 0000000..44da99a
--- /dev/null
@@ -0,0 +1,47 @@
+From 31975ab5ce2ff4b940ab69d547389198d657ea9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 18:24:49 +0900
+Subject: RDMA/ucma: ucma_context reference leak in error path
+
+From: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
+
+commit ef95a90ae6f4f21990e1f7ced6719784a409e811 upstream.
+
+Validating input parameters should be done before getting the cm_id
+otherwise it can leak a cm_id reference.
+
+Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size")
+Signed-off-by: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+[iwamatsu: Backported to 4.4, 4.9 and 4.14: adjust context]
+Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/ucma.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index a4f4cd4932657..bb0d728f4b76f 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1296,13 +1296,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
++      if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
++              return -EINVAL;
++
+       ctx = ucma_get_ctx(file, cmd.id);
+       if (IS_ERR(ctx))
+               return PTR_ERR(ctx);
+-      if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
+-              return -EINVAL;
+-
+       optval = memdup_user((void __user *) (unsigned long) cmd.optval,
+                            cmd.optlen);
+       if (IS_ERR(optval)) {
+-- 
+2.25.1
+
index 421138f841edf000cf0d4c04db18c4f1d97824b6..b3162062e6a967b0d23646bdf0ec004d13d76f57 100644 (file)
@@ -1 +1,5 @@
 af_key-pfkey_dump-needs-parameter-validation.patch
+kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
+kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
+rdma-ucma-ucma_context-reference-leak-in-error-path.patch
+mtd-fix-comparison-in-map_word_andequal.patch