--- /dev/null
+From 3612af783cf52c74a031a2f11b82247b2599d3cd Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Fri, 1 Mar 2019 22:05:29 +0100
+Subject: bpf: fix sanitation rewrite in case of non-pointers
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 3612af783cf52c74a031a2f11b82247b2599d3cd upstream.
+
+Marek reported that he saw an issue with the below snippet in that
+timing measurements where off when loaded as unpriv while results
+were reasonable when loaded as privileged:
+
+ [...]
+ uint64_t a = bpf_ktime_get_ns();
+ uint64_t b = bpf_ktime_get_ns();
+ uint64_t delta = b - a;
+ if ((int64_t)delta > 0) {
+ [...]
+
+Turns out there is a bug where a corner case is missing in the fix
+d3bd7413e0ca ("bpf: fix sanitation of alu op with pointer / scalar
+type from different paths"), namely fixup_bpf_calls() only checks
+whether aux has a non-zero alu_state, but it also needs to test for
+the case of BPF_ALU_NON_POINTER since in both occasions we need to
+skip the masking rewrite (as there is nothing to mask).
+
+Fixes: d3bd7413e0ca ("bpf: fix sanitation of alu op with pointer / scalar type from different paths")
+Reported-by: Marek Majkowski <marek@cloudflare.com>
+Reported-by: Arthur Fabre <afabre@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/netdev/CAJPywTJqP34cK20iLM5YmUMz9KXQOdu1-+BZrGMAGgLuBWz7fg@mail.gmail.com/T/
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/verifier.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -6035,7 +6035,8 @@ static int fixup_bpf_calls(struct bpf_ve
+ u32 off_reg;
+
+ aux = &env->insn_aux_data[i + delta];
+- if (!aux->alu_state)
++ if (!aux->alu_state ||
++ aux->alu_state == BPF_ALU_NON_POINTER)
+ continue;
+
+ isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
--- /dev/null
+From f612acfae86af7ecad754ae6a46019be9da05b8e Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 19 Feb 2019 10:10:38 +0800
+Subject: exec: Fix mem leak in kernel_read_file
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit f612acfae86af7ecad754ae6a46019be9da05b8e upstream.
+
+syzkaller report this:
+BUG: memory leak
+unreferenced object 0xffffc9000488d000 (size 9195520):
+ comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
+ hex dump (first 32 bytes):
+ ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
+ 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
+ backtrace:
+ [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
+ [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
+ [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
+ [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
+ [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
+ [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
+ [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [<00000000241f889b>] 0xffffffffffffffff
+
+It should goto 'out_free' lable to free allocated buf while kernel_read
+fails.
+
+Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Thibaut Sautereau <thibaut@sautereau.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -929,7 +929,7 @@ int kernel_read_file(struct file *file,
+ bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
+ if (bytes < 0) {
+ ret = bytes;
+- goto out;
++ goto out_free;
+ }
+
+ if (bytes == 0)
--- /dev/null
+From 4a067cf823d9d8e50d41cfb618011c0d4a969c72 Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Thu, 14 Feb 2019 22:57:41 +0100
+Subject: scsi: core: reset host byte in DID_NEXUS_FAILURE case
+
+From: Martin Wilck <mwilck@suse.com>
+
+commit 4a067cf823d9d8e50d41cfb618011c0d4a969c72 upstream.
+
+Up to 4.12, __scsi_error_from_host_byte() would reset the host byte to
+DID_OK for various cases including DID_NEXUS_FAILURE. Commit
+2a842acab109 ("block: introduce new block status code type") replaced this
+function with scsi_result_to_blk_status() and removed the host-byte
+resetting code for the DID_NEXUS_FAILURE case. As the line
+set_host_byte(cmd, DID_OK) was preserved for the other cases, I suppose
+this was an editing mistake.
+
+The fact that the host byte remains set after 4.13 is causing problems with
+the sg_persist tool, which now returns success rather then exit status 24
+when a RESERVATION CONFLICT error is encountered.
+
+Fixes: 2a842acab109 "block: introduce new block status code type"
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -757,6 +757,7 @@ static blk_status_t scsi_result_to_blk_s
+ set_host_byte(cmd, DID_OK);
+ return BLK_STS_TARGET;
+ case DID_NEXUS_FAILURE:
++ set_host_byte(cmd, DID_OK);
+ return BLK_STS_NEXUS;
+ case DID_ALLOC_FAILURE:
+ set_host_byte(cmd, DID_OK);
selftests-firmware-fix-verify_reqs-return-value.patch
bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch
bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
+exec-fix-mem-leak-in-kernel_read_file.patch
+scsi-core-reset-host-byte-in-did_nexus_failure-case.patch
+bpf-fix-sanitation-rewrite-in-case-of-non-pointers.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
