4.4-stable patches

added patches:
	fat-don-t-allow-to-mount-if-the-fat-length-0.patch
	mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch

diff --git a/queue-4.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch b/queue-4.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch
new file mode 100644 (file)
index 0000000..b9a428d
--- /dev/null
+++ b/queue-4.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch
@@ -0,0 +1,42 @@
+From b1b65750b8db67834482f758fc385bfa7560d228 Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Thu, 4 Jun 2020 16:50:56 -0700
+Subject: fat: don't allow to mount if the FAT length == 0
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit b1b65750b8db67834482f758fc385bfa7560d228 upstream.
+
+If FAT length == 0, the image doesn't have any data. And it can be the
+cause of overlapping the root dir and FAT entries.
+
+Also Windows treats it as invalid format.
+
+Reported-by: syzbot+6f1624f937d9d6911e2d@syzkaller.appspotmail.com
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Marco Elver <elver@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/87r1wz8mrd.fsf@mail.parknet.co.jp
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fat/inode.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/fat/inode.c
++++ b/fs/fat/inode.c
+@@ -1422,6 +1422,12 @@ static int fat_read_bpb(struct super_blo
+               goto out;
+       }
+ 
++      if (bpb->fat_fat_length == 0 && bpb->fat32_length == 0) {
++              if (!silent)
++                      fat_msg(sb, KERN_ERR, "bogus number of FAT sectors");
++              goto out;
++      }
++
+       error = 0;
+ 
+ out:

diff --git a/queue-4.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch b/queue-4.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
new file mode 100644 (file)
index 0000000..a794b12
--- /dev/null
+++ b/queue-4.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
@@ -0,0 +1,77 @@
+From dde3c6b72a16c2db826f54b2d49bdea26c3534a2 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Wed, 3 Jun 2020 15:56:21 -0700
+Subject: mm/slub: fix a memory leak in sysfs_slab_add()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2 upstream.
+
+syzkaller reports for memory leak when kobject_init_and_add() returns an
+error in the function sysfs_slab_add() [1]
+
+When this happened, the function kobject_put() is not called for the
+corresponding kobject, which potentially leads to memory leak.
+
+This patch fixes the issue by calling kobject_put() even if
+kobject_init_and_add() fails.
+
+[1]
+  BUG: memory leak
+  unreferenced object 0xffff8880a6d4be88 (size 8):
+  comm "syz-executor.3", pid 946, jiffies 4295772514 (age 18.396s)
+  hex dump (first 8 bytes):
+    70 69 64 5f 33 00 ff ff                          pid_3...
+  backtrace:
+     kstrdup+0x35/0x70 mm/util.c:60
+     kstrdup_const+0x3d/0x50 mm/util.c:82
+     kvasprintf_const+0x112/0x170 lib/kasprintf.c:48
+     kobject_set_name_vargs+0x55/0x130 lib/kobject.c:289
+     kobject_add_varg lib/kobject.c:384 [inline]
+     kobject_init_and_add+0xd8/0x170 lib/kobject.c:473
+     sysfs_slab_add+0x1d8/0x290 mm/slub.c:5811
+     __kmem_cache_create+0x50a/0x570 mm/slub.c:4384
+     create_cache+0x113/0x1e0 mm/slab_common.c:407
+     kmem_cache_create_usercopy+0x1a1/0x260 mm/slab_common.c:505
+     kmem_cache_create+0xd/0x10 mm/slab_common.c:564
+     create_pid_cachep kernel/pid_namespace.c:54 [inline]
+     create_pid_namespace kernel/pid_namespace.c:96 [inline]
+     copy_pid_ns+0x77c/0x8f0 kernel/pid_namespace.c:148
+     create_new_namespaces+0x26b/0xa30 kernel/nsproxy.c:95
+     unshare_nsproxy_namespaces+0xa7/0x1e0 kernel/nsproxy.c:229
+     ksys_unshare+0x3d2/0x770 kernel/fork.c:2969
+     __do_sys_unshare kernel/fork.c:3037 [inline]
+     __se_sys_unshare kernel/fork.c:3035 [inline]
+     __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3035
+     do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295
+
+Fixes: 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Link: http://lkml.kernel.org/r/20200602115033.1054-1-wanghai38@huawei.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5424,8 +5424,10 @@ static int sysfs_slab_add(struct kmem_ca
+ 
+       s->kobj.kset = cache_kset(s);
+       err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
+-      if (err)
++      if (err) {
++              kobject_put(&s->kobj);
+               goto out;
++      }
+ 
+       err = sysfs_create_group(&s->kobj, &slab_attr_group);
+       if (err)

diff --git a/queue-4.4/series b/queue-4.4/series
index a57553338114685d2d038fe72aab29b16f2a2664..9348abf01686f4842d96e5366d9a68e3536be536 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -40,3 +40,5 @@ ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch
 ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch
 ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
 smack-slab-out-of-bounds-in-vsscanf.patch
+mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
+fat-don-t-allow-to-mount-if-the-fat-length-0.patch