]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Jun 2020 11:20:41 +0000 (13:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Jun 2020 11:20:41 +0000 (13:20 +0200)
added patches:
drm-vkms-hold-gem-object-while-still-in-use.patch
fat-don-t-allow-to-mount-if-the-fat-length-0.patch
mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
perf-add-cond_resched-to-task_function_call.patch

queue-5.4/drm-vkms-hold-gem-object-while-still-in-use.patch [new file with mode: 0644]
queue-5.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch [new file with mode: 0644]
queue-5.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch [new file with mode: 0644]
queue-5.4/perf-add-cond_resched-to-task_function_call.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/drm-vkms-hold-gem-object-while-still-in-use.patch b/queue-5.4/drm-vkms-hold-gem-object-while-still-in-use.patch
new file mode 100644 (file)
index 0000000..706d527
--- /dev/null
@@ -0,0 +1,78 @@
+From 0ea2ea42b31abc1141f2fd3911f952a97d401fcb Mon Sep 17 00:00:00 2001
+From: Ezequiel Garcia <ezequiel@collabora.com>
+Date: Mon, 27 Apr 2020 18:44:05 -0300
+Subject: drm/vkms: Hold gem object while still in-use
+
+From: Ezequiel Garcia <ezequiel@collabora.com>
+
+commit 0ea2ea42b31abc1141f2fd3911f952a97d401fcb upstream.
+
+We need to keep the reference to the drm_gem_object
+until the last access by vkms_dumb_create.
+
+Therefore, the put the object after it is used.
+
+This fixes a use-after-free issue reported by syzbot.
+
+While here, change vkms_gem_create() symbol to static.
+
+Reported-and-tested-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
+Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200427214405.13069-1-ezequiel@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vkms/vkms_drv.h |    5 -----
+ drivers/gpu/drm/vkms/vkms_gem.c |   11 ++++++-----
+ 2 files changed, 6 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/vkms/vkms_drv.h
++++ b/drivers/gpu/drm/vkms/vkms_drv.h
+@@ -121,11 +121,6 @@ struct drm_plane *vkms_plane_init(struct
+                                 enum drm_plane_type type, int index);
+ /* Gem stuff */
+-struct drm_gem_object *vkms_gem_create(struct drm_device *dev,
+-                                     struct drm_file *file,
+-                                     u32 *handle,
+-                                     u64 size);
+-
+ vm_fault_t vkms_gem_fault(struct vm_fault *vmf);
+ int vkms_dumb_create(struct drm_file *file, struct drm_device *dev,
+--- a/drivers/gpu/drm/vkms/vkms_gem.c
++++ b/drivers/gpu/drm/vkms/vkms_gem.c
+@@ -95,10 +95,10 @@ vm_fault_t vkms_gem_fault(struct vm_faul
+       return ret;
+ }
+-struct drm_gem_object *vkms_gem_create(struct drm_device *dev,
+-                                     struct drm_file *file,
+-                                     u32 *handle,
+-                                     u64 size)
++static struct drm_gem_object *vkms_gem_create(struct drm_device *dev,
++                                            struct drm_file *file,
++                                            u32 *handle,
++                                            u64 size)
+ {
+       struct vkms_gem_object *obj;
+       int ret;
+@@ -111,7 +111,6 @@ struct drm_gem_object *vkms_gem_create(s
+               return ERR_CAST(obj);
+       ret = drm_gem_handle_create(file, &obj->gem, handle);
+-      drm_gem_object_put_unlocked(&obj->gem);
+       if (ret)
+               return ERR_PTR(ret);
+@@ -140,6 +139,8 @@ int vkms_dumb_create(struct drm_file *fi
+       args->size = gem_obj->size;
+       args->pitch = pitch;
++      drm_gem_object_put_unlocked(gem_obj);
++
+       DRM_DEBUG_DRIVER("Created object of size %lld\n", size);
+       return 0;
diff --git a/queue-5.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch b/queue-5.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch
new file mode 100644 (file)
index 0000000..4bd1e90
--- /dev/null
@@ -0,0 +1,42 @@
+From b1b65750b8db67834482f758fc385bfa7560d228 Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Thu, 4 Jun 2020 16:50:56 -0700
+Subject: fat: don't allow to mount if the FAT length == 0
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit b1b65750b8db67834482f758fc385bfa7560d228 upstream.
+
+If FAT length == 0, the image doesn't have any data. And it can be the
+cause of overlapping the root dir and FAT entries.
+
+Also Windows treats it as invalid format.
+
+Reported-by: syzbot+6f1624f937d9d6911e2d@syzkaller.appspotmail.com
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Marco Elver <elver@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/87r1wz8mrd.fsf@mail.parknet.co.jp
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fat/inode.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/fat/inode.c
++++ b/fs/fat/inode.c
+@@ -1519,6 +1519,12 @@ static int fat_read_bpb(struct super_blo
+               goto out;
+       }
++      if (bpb->fat_fat_length == 0 && bpb->fat32_length == 0) {
++              if (!silent)
++                      fat_msg(sb, KERN_ERR, "bogus number of FAT sectors");
++              goto out;
++      }
++
+       error = 0;
+ out:
diff --git a/queue-5.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch b/queue-5.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
new file mode 100644 (file)
index 0000000..78d61ff
--- /dev/null
@@ -0,0 +1,77 @@
+From dde3c6b72a16c2db826f54b2d49bdea26c3534a2 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Wed, 3 Jun 2020 15:56:21 -0700
+Subject: mm/slub: fix a memory leak in sysfs_slab_add()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2 upstream.
+
+syzkaller reports for memory leak when kobject_init_and_add() returns an
+error in the function sysfs_slab_add() [1]
+
+When this happened, the function kobject_put() is not called for the
+corresponding kobject, which potentially leads to memory leak.
+
+This patch fixes the issue by calling kobject_put() even if
+kobject_init_and_add() fails.
+
+[1]
+  BUG: memory leak
+  unreferenced object 0xffff8880a6d4be88 (size 8):
+  comm "syz-executor.3", pid 946, jiffies 4295772514 (age 18.396s)
+  hex dump (first 8 bytes):
+    70 69 64 5f 33 00 ff ff                          pid_3...
+  backtrace:
+     kstrdup+0x35/0x70 mm/util.c:60
+     kstrdup_const+0x3d/0x50 mm/util.c:82
+     kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
+     kobject_set_name_vargs+0x55/0x130 lib/kobject.c:289
+     kobject_add_varg lib/kobject.c:384 [inline]
+     kobject_init_and_add+0xd8/0x170 lib/kobject.c:473
+     sysfs_slab_add+0x1d8/0x290 mm/slub.c:5811
+     __kmem_cache_create+0x50a/0x570 mm/slub.c:4384
+     create_cache+0x113/0x1e0 mm/slab_common.c:407
+     kmem_cache_create_usercopy+0x1a1/0x260 mm/slab_common.c:505
+     kmem_cache_create+0xd/0x10 mm/slab_common.c:564
+     create_pid_cachep kernel/pid_namespace.c:54 [inline]
+     create_pid_namespace kernel/pid_namespace.c:96 [inline]
+     copy_pid_ns+0x77c/0x8f0 kernel/pid_namespace.c:148
+     create_new_namespaces+0x26b/0xa30 kernel/nsproxy.c:95
+     unshare_nsproxy_namespaces+0xa7/0x1e0 kernel/nsproxy.c:229
+     ksys_unshare+0x3d2/0x770 kernel/fork.c:2969
+     __do_sys_unshare kernel/fork.c:3037 [inline]
+     __se_sys_unshare kernel/fork.c:3035 [inline]
+     __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3035
+     do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295
+
+Fixes: 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Link: http://lkml.kernel.org/r/20200602115033.1054-1-wanghai38@huawei.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5776,8 +5776,10 @@ static int sysfs_slab_add(struct kmem_ca
+       s->kobj.kset = kset;
+       err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
+-      if (err)
++      if (err) {
++              kobject_put(&s->kobj);
+               goto out;
++      }
+       err = sysfs_create_group(&s->kobj, &slab_attr_group);
+       if (err)
diff --git a/queue-5.4/perf-add-cond_resched-to-task_function_call.patch b/queue-5.4/perf-add-cond_resched-to-task_function_call.patch
new file mode 100644 (file)
index 0000000..41c8e60
--- /dev/null
@@ -0,0 +1,68 @@
+From 2ed6edd33a214bca02bd2b45e3fc3038a059436b Mon Sep 17 00:00:00 2001
+From: Barret Rhoden <brho@google.com>
+Date: Tue, 14 Apr 2020 18:29:20 -0400
+Subject: perf: Add cond_resched() to task_function_call()
+
+From: Barret Rhoden <brho@google.com>
+
+commit 2ed6edd33a214bca02bd2b45e3fc3038a059436b upstream.
+
+Under rare circumstances, task_function_call() can repeatedly fail and
+cause a soft lockup.
+
+There is a slight race where the process is no longer running on the cpu
+we targeted by the time remote_function() runs.  The code will simply
+try again.  If we are very unlucky, this will continue to fail, until a
+watchdog fires.  This can happen in a heavily loaded, multi-core virtual
+machine.
+
+Reported-by: syzbot+bb4935a5c09b5ff79940@syzkaller.appspotmail.com
+Signed-off-by: Barret Rhoden <brho@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20200414222920.121401-1-brho@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c |   23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -93,11 +93,11 @@ static void remote_function(void *data)
+  * @info:     the function call argument
+  *
+  * Calls the function @func when the task is currently running. This might
+- * be on the current CPU, which just calls the function directly
++ * be on the current CPU, which just calls the function directly.  This will
++ * retry due to any failures in smp_call_function_single(), such as if the
++ * task_cpu() goes offline concurrently.
+  *
+- * returns: @func return value, or
+- *        -ESRCH  - when the process isn't running
+- *        -EAGAIN - when the process moved away
++ * returns @func return value or -ESRCH when the process isn't running
+  */
+ static int
+ task_function_call(struct task_struct *p, remote_function_f func, void *info)
+@@ -110,11 +110,16 @@ task_function_call(struct task_struct *p
+       };
+       int ret;
+-      do {
+-              ret = smp_call_function_single(task_cpu(p), remote_function, &data, 1);
+-              if (!ret)
+-                      ret = data.ret;
+-      } while (ret == -EAGAIN);
++      for (;;) {
++              ret = smp_call_function_single(task_cpu(p), remote_function,
++                                             &data, 1);
++              ret = !ret ? data.ret : -EAGAIN;
++
++              if (ret != -EAGAIN)
++                      break;
++
++              cond_resched();
++      }
+       return ret;
+ }
index 6e13f0da9a70740ef197830898fbe6cc947e8e58..6bd747bc69111010ad1c607864e82abd4f63a9ef 100644 (file)
@@ -116,3 +116,7 @@ ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch
 ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch
 ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
 smack-slab-out-of-bounds-in-vsscanf.patch
+drm-vkms-hold-gem-object-while-still-in-use.patch
+mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
+fat-don-t-allow-to-mount-if-the-fat-length-0.patch
+perf-add-cond_resched-to-task_function_call.patch