--- /dev/null
+From 962a991c5de18452d6c429d99f3039387cf5cbb0 Mon Sep 17 00:00:00 2001
+From: Bharath Vedartham <linux.bhar@gmail.com>
+Date: Thu, 23 May 2019 01:15:19 +0530
+Subject: 9p/cache.c: Fix memory leak in v9fs_cache_session_get_cookie
+
+From: Bharath Vedartham <linux.bhar@gmail.com>
+
+commit 962a991c5de18452d6c429d99f3039387cf5cbb0 upstream.
+
+v9fs_cache_session_get_cookie assigns a random cachetag to v9ses->cachetag,
+if the cachetag is not assigned previously.
+
+v9fs_random_cachetag allocates memory to v9ses->cachetag with kmalloc and uses
+scnprintf to fill it up with a cachetag.
+
+But if scnprintf fails, v9ses->cachetag is not freed in the current
+code causing a memory leak.
+
+Fix this by freeing v9ses->cachetag it v9fs_random_cachetag fails.
+
+This was reported by syzbot, the link to the report is below:
+https://syzkaller.appspot.com/bug?id=f012bdf297a7a4c860c38a88b44fbee43fd9bbf3
+
+Link: http://lkml.kernel.org/r/20190522194519.GA5313@bharath12345-Inspiron-5559
+Reported-by: syzbot+3a030a73b6c1e9833815@syzkaller.appspotmail.com
+Signed-off-by: Bharath Vedartham <linux.bhar@gmail.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/cache.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/9p/cache.c
++++ b/fs/9p/cache.c
+@@ -51,6 +51,8 @@ void v9fs_cache_session_get_cookie(struc
+ if (!v9ses->cachetag) {
+ if (v9fs_random_cachetag(v9ses) < 0) {
+ v9ses->fscache = NULL;
++ kfree(v9ses->cachetag);
++ v9ses->cachetag = NULL;
+ return;
+ }
+ }
--- /dev/null
+From 7c3a6aedcd6aae0a32a527e68669f7dd667492d1 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Wed, 25 Sep 2019 16:47:33 -0700
+Subject: kexec: bail out upon SIGKILL when allocating memory.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 7c3a6aedcd6aae0a32a527e68669f7dd667492d1 upstream.
+
+syzbot found that a thread can stall for minutes inside kexec_load() after
+that thread was killed by SIGKILL [1]. It turned out that the reproducer
+was trying to allocate 2408MB of memory using kimage_alloc_page() from
+kimage_load_normal_segment(). Let's check for SIGKILL before doing memory
+allocation.
+
+[1] https://syzkaller.appspot.com/bug?id=a0e3436829698d5824231251fad9d8e998f94f5e
+
+Link: http://lkml.kernel.org/r/993c9185-d324-2640-d061-bed2dd18b1f7@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kexec_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/kexec_core.c
++++ b/kernel/kexec_core.c
+@@ -300,6 +300,8 @@ static struct page *kimage_alloc_pages(g
+ {
+ struct page *pages;
+
++ if (fatal_signal_pending(current))
++ return NULL;
+ pages = alloc_pages(gfp_mask & ~__GFP_ZERO, order);
+ if (pages) {
+ unsigned int count, i;
--- /dev/null
+From a073d7e3ad687a7ef32b65affe80faa7ce89bf92 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Mon, 16 Sep 2019 15:42:32 +0800
+Subject: KVM: hyperv: Fix Direct Synthetic timers assert an interrupt w/o lapic_in_kernel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+commit a073d7e3ad687a7ef32b65affe80faa7ce89bf92 upstream.
+
+Reported by syzkaller:
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN
+ RIP: 0010:__apic_accept_irq+0x46/0x740 arch/x86/kvm/lapic.c:1029
+ Call Trace:
+ kvm_apic_set_irq+0xb4/0x140 arch/x86/kvm/lapic.c:558
+ stimer_notify_direct arch/x86/kvm/hyperv.c:648 [inline]
+ stimer_expiration arch/x86/kvm/hyperv.c:659 [inline]
+ kvm_hv_process_stimers+0x594/0x1650 arch/x86/kvm/hyperv.c:686
+ vcpu_enter_guest+0x2b2a/0x54b0 arch/x86/kvm/x86.c:7896
+ vcpu_run+0x393/0xd40 arch/x86/kvm/x86.c:8152
+ kvm_arch_vcpu_ioctl_run+0x636/0x900 arch/x86/kvm/x86.c:8360
+ kvm_vcpu_ioctl+0x6cf/0xaf0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2765
+
+The testcase programs HV_X64_MSR_STIMERn_CONFIG/HV_X64_MSR_STIMERn_COUNT,
+in addition, there is no lapic in the kernel, the counters value are small
+enough in order that kvm_hv_process_stimers() inject this already-expired
+timer interrupt into the guest through lapic in the kernel which triggers
+the NULL deferencing. This patch fixes it by don't advertise direct mode
+synthetic timers and discarding the inject when lapic is not in kernel.
+
+syzkaller source: https://syzkaller.appspot.com/x/repro.c?x=1752fe0a600000
+
+Reported-by: syzbot+dff25ee91f0c7d5c1695@syzkaller.appspotmail.com
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/hyperv.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -645,7 +645,9 @@ static int stimer_notify_direct(struct k
+ .vector = stimer->config.apic_vector
+ };
+
+- return !kvm_apic_set_irq(vcpu, &irq, NULL);
++ if (lapic_in_kernel(vcpu))
++ return !kvm_apic_set_irq(vcpu, &irq, NULL);
++ return 0;
+ }
+
+ static void stimer_expiration(struct kvm_vcpu_hv_stimer *stimer)
+@@ -1854,7 +1856,13 @@ int kvm_vcpu_ioctl_get_hv_cpuid(struct k
+
+ ent->edx |= HV_FEATURE_FREQUENCY_MSRS_AVAILABLE;
+ ent->edx |= HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE;
+- ent->edx |= HV_STIMER_DIRECT_MODE_AVAILABLE;
++
++ /*
++ * Direct Synthetic timers only make sense with in-kernel
++ * LAPIC
++ */
++ if (lapic_in_kernel(vcpu))
++ ent->edx |= HV_STIMER_DIRECT_MODE_AVAILABLE;
+
+ break;
+
--- /dev/null
+From 18917d51472fe3b126a3a8f756c6b18085eb8130 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Mon, 29 Jul 2019 16:35:01 +0300
+Subject: NFC: fix attrs checks in netlink interface
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+commit 18917d51472fe3b126a3a8f756c6b18085eb8130 upstream.
+
+nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX
+attribute being present, but doesn't check whether it is actually
+provided by the user. Same goes for nfc_genl_fw_download() and
+NFC_ATTR_FIRMWARE_NAME.
+
+This patch adds appropriate checks.
+
+Found with syzkaller.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/netlink.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -970,7 +970,8 @@ static int nfc_genl_dep_link_down(struct
+ int rc;
+ u32 idx;
+
+- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
++ !info->attrs[NFC_ATTR_TARGET_INDEX])
+ return -EINVAL;
+
+ idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
+@@ -1018,7 +1019,8 @@ static int nfc_genl_llc_get_params(struc
+ struct sk_buff *msg = NULL;
+ u32 idx;
+
+- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
++ !info->attrs[NFC_ATTR_FIRMWARE_NAME])
+ return -EINVAL;
+
+ idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
dm-raid-fix-updating-of-max_discard_sectors-limit.patch
+nfc-fix-attrs-checks-in-netlink-interface.patch
+kexec-bail-out-upon-sigkill-when-allocating-memory.patch
+kvm-hyperv-fix-direct-synthetic-timers-assert-an-interrupt-w-o-lapic_in_kernel.patch
+9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch
+vfs-set-fs_context-user_ns-for-reconfigure.patch
--- /dev/null
+From 1dd9bc08cf1420d466dd8dcfcc233777e61ca5d2 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 21 Aug 2019 22:16:33 -0700
+Subject: vfs: set fs_context::user_ns for reconfigure
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 1dd9bc08cf1420d466dd8dcfcc233777e61ca5d2 upstream.
+
+fs_context::user_ns is used by fuse_parse_param(), even during remount,
+so it needs to be set to the existing value for reconfigure.
+
+Reproducer:
+
+ #include <fcntl.h>
+ #include <sys/mount.h>
+
+ int main()
+ {
+ char opts[128];
+ int fd = open("/dev/fuse", O_RDWR);
+
+ sprintf(opts, "fd=%d,rootmode=040000,user_id=0,group_id=0", fd);
+ mkdir("mnt", 0777);
+ mount("foo", "mnt", "fuse.foo", 0, opts);
+ mount("foo", "mnt", "fuse.foo", MS_REMOUNT, opts);
+ }
+
+Crash:
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 129 Comm: syz_make_kuid Not tainted 5.3.0-rc5-next-20190821 #3
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
+ RIP: 0010:map_id_range_down+0xb/0xc0 kernel/user_namespace.c:291
+ [...]
+ Call Trace:
+ map_id_down kernel/user_namespace.c:312 [inline]
+ make_kuid+0xe/0x10 kernel/user_namespace.c:389
+ fuse_parse_param+0x116/0x210 fs/fuse/inode.c:523
+ vfs_parse_fs_param+0xdb/0x1b0 fs/fs_context.c:145
+ vfs_parse_fs_string+0x6a/0xa0 fs/fs_context.c:188
+ generic_parse_monolithic+0x85/0xc0 fs/fs_context.c:228
+ parse_monolithic_mount_data+0x1b/0x20 fs/fs_context.c:708
+ do_remount fs/namespace.c:2525 [inline]
+ do_mount+0x39a/0xa60 fs/namespace.c:3107
+ ksys_mount+0x7d/0xd0 fs/namespace.c:3325
+ __do_sys_mount fs/namespace.c:3339 [inline]
+ __se_sys_mount fs/namespace.c:3336 [inline]
+ __x64_sys_mount+0x20/0x30 fs/namespace.c:3336
+ do_syscall_64+0x4a/0x1a0 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Reported-by: syzbot+7d6a57304857423318a5@syzkaller.appspotmail.com
+Fixes: 408cbe695350 ("vfs: Convert fuse to use the new mount API")
+Cc: David Howells <dhowells@redhat.com>
+Cc: Miklos Szeredi <miklos@szeredi.hu>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fs_context.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/fs_context.c
++++ b/fs/fs_context.c
+@@ -279,10 +279,8 @@ static struct fs_context *alloc_fs_conte
+ fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
+ break;
+ case FS_CONTEXT_FOR_RECONFIGURE:
+- /* We don't pin any namespaces as the superblock's
+- * subscriptions cannot be changed at this point.
+- */
+ atomic_inc(&reference->d_sb->s_active);
++ fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
+ fc->root = dget(reference);
+ break;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
