--- /dev/null
+From b1b65750b8db67834482f758fc385bfa7560d228 Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Thu, 4 Jun 2020 16:50:56 -0700
+Subject: fat: don't allow to mount if the FAT length == 0
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit b1b65750b8db67834482f758fc385bfa7560d228 upstream.
+
+If FAT length == 0, the image doesn't have any data. And it can be the
+cause of overlapping the root dir and FAT entries.
+
+Also Windows treats it as invalid format.
+
+Reported-by: syzbot+6f1624f937d9d6911e2d@syzkaller.appspotmail.com
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Marco Elver <elver@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/87r1wz8mrd.fsf@mail.parknet.co.jp
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fat/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/fat/inode.c
++++ b/fs/fat/inode.c
+@@ -1512,6 +1512,12 @@ static int fat_read_bpb(struct super_blo
+ goto out;
+ }
+
++ if (bpb->fat_fat_length == 0 && bpb->fat32_length == 0) {
++ if (!silent)
++ fat_msg(sb, KERN_ERR, "bogus number of FAT sectors");
++ goto out;
++ }
++
+ error = 0;
+
+ out:
--- /dev/null
+From dde3c6b72a16c2db826f54b2d49bdea26c3534a2 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Wed, 3 Jun 2020 15:56:21 -0700
+Subject: mm/slub: fix a memory leak in sysfs_slab_add()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2 upstream.
+
+syzkaller reports for memory leak when kobject_init_and_add() returns an
+error in the function sysfs_slab_add() [1]
+
+When this happened, the function kobject_put() is not called for the
+corresponding kobject, which potentially leads to memory leak.
+
+This patch fixes the issue by calling kobject_put() even if
+kobject_init_and_add() fails.
+
+[1]
+ BUG: memory leak
+ unreferenced object 0xffff8880a6d4be88 (size 8):
+ comm "syz-executor.3", pid 946, jiffies 4295772514 (age 18.396s)
+ hex dump (first 8 bytes):
+ 70 69 64 5f 33 00 ff ff pid_3...
+ backtrace:
+ kstrdup+0x35/0x70 mm/util.c:60
+ kstrdup_const+0x3d/0x50 mm/util.c:82
+ kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
+ kobject_set_name_vargs+0x55/0x130 lib/kobject.c:289
+ kobject_add_varg lib/kobject.c:384 [inline]
+ kobject_init_and_add+0xd8/0x170 lib/kobject.c:473
+ sysfs_slab_add+0x1d8/0x290 mm/slub.c:5811
+ __kmem_cache_create+0x50a/0x570 mm/slub.c:4384
+ create_cache+0x113/0x1e0 mm/slab_common.c:407
+ kmem_cache_create_usercopy+0x1a1/0x260 mm/slab_common.c:505
+ kmem_cache_create+0xd/0x10 mm/slab_common.c:564
+ create_pid_cachep kernel/pid_namespace.c:54 [inline]
+ create_pid_namespace kernel/pid_namespace.c:96 [inline]
+ copy_pid_ns+0x77c/0x8f0 kernel/pid_namespace.c:148
+ create_new_namespaces+0x26b/0xa30 kernel/nsproxy.c:95
+ unshare_nsproxy_namespaces+0xa7/0x1e0 kernel/nsproxy.c:229
+ ksys_unshare+0x3d2/0x770 kernel/fork.c:2969
+ __do_sys_unshare kernel/fork.c:3037 [inline]
+ __se_sys_unshare kernel/fork.c:3035 [inline]
+ __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3035
+ do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295
+
+Fixes: 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Link: http://lkml.kernel.org/r/20200602115033.1054-1-wanghai38@huawei.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5727,8 +5727,10 @@ static int sysfs_slab_add(struct kmem_ca
+
+ s->kobj.kset = kset;
+ err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
+- if (err)
++ if (err) {
++ kobject_put(&s->kobj);
+ goto out;
++ }
+
+ err = sysfs_create_group(&s->kobj, &slab_attr_group);
+ if (err)
--- /dev/null
+From 2ed6edd33a214bca02bd2b45e3fc3038a059436b Mon Sep 17 00:00:00 2001
+From: Barret Rhoden <brho@google.com>
+Date: Tue, 14 Apr 2020 18:29:20 -0400
+Subject: perf: Add cond_resched() to task_function_call()
+
+From: Barret Rhoden <brho@google.com>
+
+commit 2ed6edd33a214bca02bd2b45e3fc3038a059436b upstream.
+
+Under rare circumstances, task_function_call() can repeatedly fail and
+cause a soft lockup.
+
+There is a slight race where the process is no longer running on the cpu
+we targeted by the time remote_function() runs. The code will simply
+try again. If we are very unlucky, this will continue to fail, until a
+watchdog fires. This can happen in a heavily loaded, multi-core virtual
+machine.
+
+Reported-by: syzbot+bb4935a5c09b5ff79940@syzkaller.appspotmail.com
+Signed-off-by: Barret Rhoden <brho@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20200414222920.121401-1-brho@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -94,11 +94,11 @@ static void remote_function(void *data)
+ * @info: the function call argument
+ *
+ * Calls the function @func when the task is currently running. This might
+- * be on the current CPU, which just calls the function directly
++ * be on the current CPU, which just calls the function directly. This will
++ * retry due to any failures in smp_call_function_single(), such as if the
++ * task_cpu() goes offline concurrently.
+ *
+- * returns: @func return value, or
+- * -ESRCH - when the process isn't running
+- * -EAGAIN - when the process moved away
++ * returns @func return value or -ESRCH when the process isn't running
+ */
+ static int
+ task_function_call(struct task_struct *p, remote_function_f func, void *info)
+@@ -111,11 +111,16 @@ task_function_call(struct task_struct *p
+ };
+ int ret;
+
+- do {
+- ret = smp_call_function_single(task_cpu(p), remote_function, &data, 1);
+- if (!ret)
+- ret = data.ret;
+- } while (ret == -EAGAIN);
++ for (;;) {
++ ret = smp_call_function_single(task_cpu(p), remote_function,
++ &data, 1);
++ ret = !ret ? data.ret : -EAGAIN;
++
++ if (ret != -EAGAIN)
++ break;
++
++ cond_resched();
++ }
+
+ return ret;
+ }
ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch
ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
smack-slab-out-of-bounds-in-vsscanf.patch
+mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
+fat-don-t-allow-to-mount-if-the-fat-length-0.patch
+perf-add-cond_resched-to-task_function_call.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
