5.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Apr 2019 12:03:22 +0000 (14:03 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Apr 2019 12:03:22 +0000 (14:03 +0200)
added patches:
binder-fix-handling-of-misaligned-binder-object.patch
loop-do-not-print-warn-message-if-partition-scan-is-successful.patch
sched-deadline-correctly-handle-active-0-lag-timers.patch
slip-make-slhc_free-silently-accept-an-error-pointer.patch
tipc-handle-the-err-returned-from-cmd-header-function.patch
workqueue-try-to-catch-flush_work-without-init_work.patch

queue-5.0/binder-fix-handling-of-misaligned-binder-object.patch [new file with mode: 0644]
queue-5.0/loop-do-not-print-warn-message-if-partition-scan-is-successful.patch [new file with mode: 0644]
queue-5.0/sched-deadline-correctly-handle-active-0-lag-timers.patch [new file with mode: 0644]
queue-5.0/series
queue-5.0/slip-make-slhc_free-silently-accept-an-error-pointer.patch [new file with mode: 0644]
queue-5.0/tipc-handle-the-err-returned-from-cmd-header-function.patch [new file with mode: 0644]
queue-5.0/workqueue-try-to-catch-flush_work-without-init_work.patch [new file with mode: 0644]

diff --git a/queue-5.0/binder-fix-handling-of-misaligned-binder-object.patch b/queue-5.0/binder-fix-handling-of-misaligned-binder-object.patch
new file mode 100644 (file)
index 0000000..1f18f50
--- /dev/null
@@ -0,0 +1,58 @@
+From 26528be6720bb40bc8844e97ee73a37e530e9c5e Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Thu, 14 Feb 2019 15:22:57 -0800
+Subject: binder: fix handling of misaligned binder object
+
+From: Todd Kjos <tkjos@android.com>
+
+commit 26528be6720bb40bc8844e97ee73a37e530e9c5e upstream.
+
+Fixes crash found by syzbot:
+kernel BUG at drivers/android/binder_alloc.c:LINE! (2)
+
+Reported-and-tested-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Cc: stable <stable@vger.kernel.org> # 5.0, 4.19, 4.14
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder_alloc.c |   18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -959,14 +959,13 @@ enum lru_status binder_alloc_free_page(s
+       index = page - alloc->pages;
+       page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
++
++      mm = alloc->vma_vm_mm;
++      if (!mmget_not_zero(mm))
++              goto err_mmget;
++      if (!down_write_trylock(&mm->mmap_sem))
++              goto err_down_write_mmap_sem_failed;
+       vma = binder_alloc_get_vma(alloc);
+-      if (vma) {
+-              if (!mmget_not_zero(alloc->vma_vm_mm))
+-                      goto err_mmget;
+-              mm = alloc->vma_vm_mm;
+-              if (!down_write_trylock(&mm->mmap_sem))
+-                      goto err_down_write_mmap_sem_failed;
+-      }
+       list_lru_isolate(lru, item);
+       spin_unlock(lock);
+@@ -979,10 +978,9 @@ enum lru_status binder_alloc_free_page(s
+                              PAGE_SIZE);
+               trace_binder_unmap_user_end(alloc, index);
+-
+-              up_write(&mm->mmap_sem);
+-              mmput(mm);
+       }
++      up_write(&mm->mmap_sem);
++      mmput(mm);
+       trace_binder_unmap_kernel_start(alloc, index);
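Review bot: The commit subject and body in this patch file describe a misaligned-binder-object fix ("kernel BUG at drivers/android/binder_alloc.c"), but the only hunks it carries rework the mm reference and mmap_sem locking in binder_alloc_free_page, so the queued content may not correspond to the commit id named in the header; confirm against upstream before it ships. On the new side, `mm = alloc->vma_vm_mm;` followed by `mmget_not_zero(mm)` now runs unconditionally where the old code only reached it inside `if (vma)`; if vma_vm_mm can still be NULL while a page sits on the LRU, this dereferences it, so that invariant is worth confirming or stating in a comment such as `/* pages are only on the LRU after mmap, so vma_vm_mm is set */`. binder_alloc_free_page starts and ends outside the hunk.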
diff --git a/queue-5.0/loop-do-not-print-warn-message-if-partition-scan-is-successful.patch b/queue-5.0/loop-do-not-print-warn-message-if-partition-scan-is-successful.patch
new file mode 100644 (file)
index 0000000..631a6e7
--- /dev/null
@@ -0,0 +1,35 @@
+From 40853d6fc619a6fd3d3177c3973a2eac9b598a80 Mon Sep 17 00:00:00 2001
+From: Dongli Zhang <dongli.zhang@oracle.com>
+Date: Fri, 22 Feb 2019 22:10:19 +0800
+Subject: loop: do not print warn message if partition scan is successful
+
+From: Dongli Zhang <dongli.zhang@oracle.com>
+
+commit 40853d6fc619a6fd3d3177c3973a2eac9b598a80 upstream.
+
+Do not print warn message when the partition scan returns 0.
+
+Fixes: d57f3374ba48 ("loop: Move special partition reread handling in loop_clr_fd()")
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1111,8 +1111,9 @@ out_unlock:
+                       err = __blkdev_reread_part(bdev);
+               else
+                       err = blkdev_reread_part(bdev);
+-              pr_warn("%s: partition scan of loop%d failed (rc=%d)\n",
+-                      __func__, lo_number, err);
++              if (err)
++                      pr_warn("%s: partition scan of loop%d failed (rc=%d)\n",
++                              __func__, lo_number, err);
+               /* Device is gone, no point in returning error */
+               err = 0;
+       }
diff --git a/queue-5.0/sched-deadline-correctly-handle-active-0-lag-timers.patch b/queue-5.0/sched-deadline-correctly-handle-active-0-lag-timers.patch
new file mode 100644 (file)
index 0000000..6487c94
--- /dev/null
@@ -0,0 +1,64 @@
+From 1b02cd6a2d7f3e2a6a5262887d2cb2912083e42f Mon Sep 17 00:00:00 2001
+From: luca abeni <luca.abeni@santannapisa.it>
+Date: Mon, 25 Mar 2019 14:15:30 +0100
+Subject: sched/deadline: Correctly handle active 0-lag timers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: luca abeni <luca.abeni@santannapisa.it>
+
+commit 1b02cd6a2d7f3e2a6a5262887d2cb2912083e42f upstream.
+
+syzbot reported the following warning:
+
+   [ ] WARNING: CPU: 4 PID: 17089 at kernel/sched/deadline.c:255 task_non_contending+0xae0/0x1950
+
+line 255 of deadline.c is:
+
+       WARN_ON(hrtimer_active(&dl_se->inactive_timer));
+
+in task_non_contending().
+
+Unfortunately, in some cases (for example, a deadline task
+continuosly blocking and waking immediately) it can happen that
+a task blocks (and task_non_contending() is called) while the
+0-lag timer is still active.
+
+In this case, the safest thing to do is to immediately decrease
+the running bandwidth of the task, without trying to re-arm the 0-lag timer.
+
+Signed-off-by: luca abeni <luca.abeni@santannapisa.it>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: chengjian (D) <cj.chengjian@huawei.com>
+Link: https://lkml.kernel.org/r/20190325131530.34706-1-luca.abeni@santannapisa.it
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/deadline.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -252,7 +252,6 @@ static void task_non_contending(struct t
+       if (dl_entity_is_special(dl_se))
+               return;
+-      WARN_ON(hrtimer_active(&dl_se->inactive_timer));
+       WARN_ON(dl_se->dl_non_contending);
+       zerolag_time = dl_se->deadline -
+@@ -269,7 +268,7 @@ static void task_non_contending(struct t
+        * If the "0-lag time" already passed, decrease the active
+        * utilization now, instead of starting a timer
+        */
+-      if (zerolag_time < 0) {
++      if ((zerolag_time < 0) || hrtimer_active(&dl_se->inactive_timer)) {
+               if (dl_task(p))
+                       sub_running_bw(dl_se, dl_rq);
+               if (!dl_task(p) || p->state == TASK_DEAD) {
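Review bot: The comment directly above the changed condition still says the active utilization is decreased now only when the 0-lag time has already passed, but the new `|| hrtimer_active(&dl_se->inactive_timer)` branch also takes this path when the timer from an earlier block is still armed, which is the case the commit message explains. Update the comment to match, e.g. `/* If the "0-lag time" already passed, or the inactive timer is still armed from a previous block, decrease the active utilization now instead of (re)starting a timer */`. task_non_contending begins and ends outside the hunk.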
index be4383ab715029d54626366eec0c9465c23d81c7..bfb6456e0c4016aaa7418700a4b554173d71de80 100644 (file)
@@ -46,3 +46,9 @@ drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch
 usb-add-new-usb-lpm-helpers.patch
 usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch
 ext4-fix-some-error-pointer-dereferences.patch
+loop-do-not-print-warn-message-if-partition-scan-is-successful.patch
+tipc-handle-the-err-returned-from-cmd-header-function.patch
+slip-make-slhc_free-silently-accept-an-error-pointer.patch
+workqueue-try-to-catch-flush_work-without-init_work.patch
+binder-fix-handling-of-misaligned-binder-object.patch
+sched-deadline-correctly-handle-active-0-lag-timers.patch
diff --git a/queue-5.0/slip-make-slhc_free-silently-accept-an-error-pointer.patch b/queue-5.0/slip-make-slhc_free-silently-accept-an-error-pointer.patch
new file mode 100644 (file)
index 0000000..c52a7c0
--- /dev/null
@@ -0,0 +1,48 @@
+From baf76f0c58aec435a3a864075b8f6d8ee5d1f17e Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 25 Apr 2019 16:13:58 -0700
+Subject: slip: make slhc_free() silently accept an error pointer
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e upstream.
+
+This way, slhc_free() accepts what slhc_init() returns, whether that is
+an error or not.
+
+In particular, the pattern in sl_alloc_bufs() is
+
+        slcomp = slhc_init(16, 16);
+        ...
+        slhc_free(slcomp);
+
+for the error handling path, and rather than complicate that code, just
+make it ok to always free what was returned by the init function.
+
+That's what the code used to do before commit 4ab42d78e37a ("ppp, slip:
+Validate VJ compression slot parameters completely") when slhc_init()
+just returned NULL for the error case, with no actual indication of the
+details of the error.
+
+Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com
+Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely")
+Acked-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/slip/slhc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -153,7 +153,7 @@ out_fail:
+ void
+ slhc_free(struct slcompress *comp)
+ {
+-      if ( comp == NULLSLCOMPR )
++      if ( IS_ERR_OR_NULL(comp) )
+               return;
+       if ( comp->tstate != NULLSLSTATE )
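Review bot: The new `IS_ERR_OR_NULL(comp)` test changes slhc_free()'s contract (it now accepts whatever slhc_init() returns, including an ERR_PTR), but nothing at the definition records that; a one-line comment above the function, `/* Accepts NULL or an ERR_PTR() as returned by slhc_init(), so callers may free unconditionally on their error path. */`, would document it. IS_ERR_OR_NULL comes from <linux/err.h>; the include list is outside the hunk, so confirm it is already pulled in directly or transitively. The rest of slhc_free is outside the hunk.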
diff --git a/queue-5.0/tipc-handle-the-err-returned-from-cmd-header-function.patch b/queue-5.0/tipc-handle-the-err-returned-from-cmd-header-function.patch
new file mode 100644 (file)
index 0000000..c285454
--- /dev/null
@@ -0,0 +1,77 @@
+From 2ac695d1d602ce00b12170242f58c3d3a8e36d04 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:10 +0800
+Subject: tipc: handle the err returned from cmd header function
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 2ac695d1d602ce00b12170242f58c3d3a8e36d04 upstream.
+
+Syzbot found a crash:
+
+  BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
+  Call Trace:
+    tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
+    __tipc_nl_compat_dumpit+0x59e/0xda0 net/tipc/netlink_compat.c:215
+    tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:280
+    tipc_nl_compat_handle net/tipc/netlink_compat.c:1226 [inline]
+    tipc_nl_compat_recv+0x1b5f/0x2750 net/tipc/netlink_compat.c:1265
+    genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+    genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+    netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
+    genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+    netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+    netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
+    netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+    sock_sendmsg_nosec net/socket.c:622 [inline]
+    sock_sendmsg net/socket.c:632 [inline]
+
+  Uninit was created at:
+    __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
+    alloc_skb include/linux/skbuff.h:1012 [inline]
+    netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+    netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+    sock_sendmsg_nosec net/socket.c:622 [inline]
+    sock_sendmsg net/socket.c:632 [inline]
+
+It was supposed to be fixed on commit 974cb0e3e7c9 ("tipc: fix uninit-value
+in tipc_nl_compat_name_table_dump") by checking TLV_GET_DATA_LEN(msg->req)
+in cmd->header()/tipc_nl_compat_name_table_dump_header(), which is called
+ahead of tipc_nl_compat_name_table_dump().
+
+However, tipc_nl_compat_dumpit() doesn't handle the error returned from cmd
+header function. It means even when the check added in that fix fails, it
+won't stop calling tipc_nl_compat_name_table_dump(), and the issue will be
+triggered again.
+
+So this patch is to add the process for the err returned from cmd header
+function in tipc_nl_compat_dumpit().
+
+Reported-by: syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/netlink_compat.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct
+       if (msg->rep_type)
+               tipc_tlv_init(msg->rep, msg->rep_type);
+-      if (cmd->header)
+-              (*cmd->header)(msg);
++      if (cmd->header) {
++              err = (*cmd->header)(msg);
++              if (err) {
++                      kfree_skb(msg->rep);
++                      msg->rep = NULL;
++                      return err;
++              }
++      }
+       arg = nlmsg_new(0, GFP_KERNEL);
+       if (!arg) {
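Review bot: The three-line cleanup added on the header-failure path (`kfree_skb(msg->rep); msg->rep = NULL; return err;`) appears to duplicate what follows the `if (!arg)` check at the bottom of the hunk; a single `goto` label for releasing msg->rep would keep the two error paths from drifting apart. The hunk also assumes `(*cmd->header)(msg)` now returns int, so the `header` member's type and every header callback must have been converted in the same file; that part is outside this hunk and should be checked, as should the declaration of `err` in the function prologue. tipc_nl_compat_dumpit begins and ends outside the hunk.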
diff --git a/queue-5.0/workqueue-try-to-catch-flush_work-without-init_work.patch b/queue-5.0/workqueue-try-to-catch-flush_work-without-init_work.patch
new file mode 100644 (file)
index 0000000..37b7c6a
--- /dev/null
@@ -0,0 +1,43 @@
+From 4d43d395fed124631ca02356c711facb90185175 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Date: Wed, 23 Jan 2019 09:44:12 +0900
+Subject: workqueue: Try to catch flush_work() without INIT_WORK().
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+commit 4d43d395fed124631ca02356c711facb90185175 upstream.
+
+syzbot found a flush_work() caller who forgot to call INIT_WORK()
+because that work_struct was allocated by kzalloc() [1]. But the message
+
+  INFO: trying to register non-static key.
+  the code is fine but needs lockdep annotation.
+  turning off the locking correctness validator.
+
+by lock_map_acquire() is failing to tell that INIT_WORK() is missing.
+
+Since flush_work() without INIT_WORK() is a bug, and INIT_WORK() should
+set ->func field to non-zero, let's warn if ->func field is zero.
+
+[1] https://syzkaller.appspot.com/bug?id=a5954455fcfa51c29ca2ab55b203076337e1c770
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/workqueue.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -2931,6 +2931,9 @@ static bool __flush_work(struct work_str
+       if (WARN_ON(!wq_online))
+               return false;
++      if (WARN_ON(!work->func))
++              return false;
++
+       if (!from_cancel) {
+               lock_map_acquire(&work->lockdep_map);
+               lock_map_release(&work->lockdep_map);
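Review bot: The added `WARN_ON(!work->func)` guard carries no comment explaining what a zero func means, so the next reader has to recover the reasoning from the commit message. Suggest placing `/* ->func is set by INIT_WORK(); zero means this work_struct was never initialised. */` above the check. __flush_work starts and continues outside the hunk.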