--- /dev/null
+From 47caf685a6854593348f216e0b489b71c10cbe03 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 19 Aug 2020 10:46:48 +0200
+Subject: cfg80211: regulatory: reject invalid hints
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 47caf685a6854593348f216e0b489b71c10cbe03 upstream.
+
+Reject invalid hints early in order to not cause a kernel
+WARN later if they're restored to or similar.
+
+Reported-by: syzbot+d451401ffd00a60677ee@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=d451401ffd00a60677ee
+Link: https://lore.kernel.org/r/20200819084648.13956-1-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/reg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2936,6 +2936,9 @@ int regulatory_hint_user(const char *alp
+ if (WARN_ON(!alpha2))
+ return -EINVAL;
+
++ if (!is_world_regdom(alpha2) && !is_an_alpha2(alpha2))
++ return -EINVAL;
++
+ request = kzalloc(sizeof(struct regulatory_request), GFP_KERNEL);
+ if (!request)
+ return -ENOMEM;
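Review bot: The new check in regulatory_hint_user() carries no comment saying why a user hint is validated here or what it assumes about `alpha2`. Both is_world_regdom() and is_an_alpha2() index the first two bytes of the string, and nothing in this hunk shows that the caller guarantees two readable bytes, so that precondition should be confirmed at the call sites. I would add above the test: `/* alpha2 must hold at least two bytes; accept only "00" or two letters so a bad user hint is never queued or restored later */`. The function body continues outside the hunk.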
--- /dev/null
+From 13e45417cedbfc44b1926124b1846f5ee8c6ba4a Mon Sep 17 00:00:00 2001
+From: Mrinal Pandey <mrinalmni@gmail.com>
+Date: Fri, 4 Sep 2020 16:35:52 -0700
+Subject: checkpatch: fix the usage of capture group ( ... )
+
+From: Mrinal Pandey <mrinalmni@gmail.com>
+
+commit 13e45417cedbfc44b1926124b1846f5ee8c6ba4a upstream.
+
+The usage of "capture group (...)" in the immediate condition after `&&`
+results in `$1` being uninitialized. This issues a warning "Use of
+uninitialized value $1 in regexp compilation at ./scripts/checkpatch.pl
+line 2638".
+
+I noticed this bug while running checkpatch on the set of commits from
+v5.7 to v5.8-rc1 of the kernel on the commits with a diff content in
+their commit message.
+
+This bug was introduced in the script by commit e518e9a59ec3
+("checkpatch: emit an error when there's a diff in a changelog"). It
+has been in the script since then.
+
+The author intended to store the match made by capture group in variable
+`$1`. This should have contained the name of the file as `[\w/]+`
+matched. However, this couldn't be accomplished due to usage of capture
+group and `$1` in the same regular expression.
+
+Fix this by placing the capture group in the condition before `&&`.
+Thus, `$1` can be initialized to the text that capture group matches
+thereby setting it to the desired and required value.
+
+Fixes: e518e9a59ec3 ("checkpatch: emit an error when there's a diff in a changelog")
+Signed-off-by: Mrinal Pandey <mrinalmni@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Reviewed-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Cc: Joe Perches <joe@perches.com>
+Link: https://lkml.kernel.org/r/20200714032352.f476hanaj2dlmiot@mrinalpandey
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/checkpatch.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/scripts/checkpatch.pl
++++ b/scripts/checkpatch.pl
+@@ -2541,8 +2541,8 @@ sub process {
+
+ # Check if the commit log has what seems like a diff which can confuse patch
+ if ($in_commit_log && !$commit_log_has_diff &&
+- (($line =~ m@^\s+diff\b.*a/[\w/]+@ &&
+- $line =~ m@^\s+diff\b.*a/([\w/]+)\s+b/$1\b@) ||
++ (($line =~ m@^\s+diff\b.*a/([\w/]+)@ &&
++ $line =~ m@^\s+diff\b.*a/[\w/]+\s+b/$1\b@) ||
+ $line =~ m@^\s*(?:\-\-\-\s+a/|\+\+\+\s+b/)@ ||
+ $line =~ m/^\s*\@\@ \-\d+,\d+ \+\d+,\d+ \@\@/)) {
+ ERROR("DIFF_IN_COMMIT_MSG",
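Review bot: The two-step match on the added lines can take `$1` from a different `a/` than the one the second pattern goes on to match, because the greedy `.*` in `m@^\s+diff\b.*a/([\w/]+)@` settles on the last `a/` in the line. For a path such as `a/data/x b/data/x` the capture would be `x`, the second test then looks for `b/x` and fails, and the diff in the changelog goes unreported. A single pattern with a backreference keeps the capture and its use in one match: `$line =~ m@^\s+diff\b.*a/([\w/]+)\s+b/\1\b@`. The `if` body continues outside the hunk.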
--- /dev/null
+From 17743798d81238ab13050e8e2833699b54e15467 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Fri, 4 Sep 2020 16:36:13 -0700
+Subject: mm/hugetlb: fix a race between hugetlb sysctl handlers
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 17743798d81238ab13050e8e2833699b54e15467 upstream.
+
+There is a race between the assignment of `table->data` and write value
+to the pointer of `table->data` in the __do_proc_doulongvec_minmax() on
+the other thread.
+
+ CPU0: CPU1:
+ proc_sys_write
+ hugetlb_sysctl_handler proc_sys_call_handler
+ hugetlb_sysctl_handler_common hugetlb_sysctl_handler
+ table->data = &tmp; hugetlb_sysctl_handler_common
+ table->data = &tmp;
+ proc_doulongvec_minmax
+ do_proc_doulongvec_minmax sysctl_head_finish
+ __do_proc_doulongvec_minmax unuse_table
+ i = table->data;
+ *i = val; // corrupt CPU1's stack
+
+Fix this by duplicating the `table`, and only update the duplicate of
+it. And introduce a helper of proc_hugetlb_doulongvec_minmax() to
+simplify the code.
+
+The following oops was seen:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor instruction fetch in kernel mode
+ #PF: error_code(0x0010) - not-present page
+ Code: Bad RIP value.
+ ...
+ Call Trace:
+ ? set_max_huge_pages+0x3da/0x4f0
+ ? alloc_pool_huge_page+0x150/0x150
+ ? proc_doulongvec_minmax+0x46/0x60
+ ? hugetlb_sysctl_handler_common+0x1c7/0x200
+ ? nr_hugepages_store+0x20/0x20
+ ? copy_fd_bitmaps+0x170/0x170
+ ? hugetlb_sysctl_handler+0x1e/0x20
+ ? proc_sys_call_handler+0x2f1/0x300
+ ? unregister_sysctl_table+0xb0/0xb0
+ ? __fd_install+0x78/0x100
+ ? proc_sys_write+0x14/0x20
+ ? __vfs_write+0x4d/0x90
+ ? vfs_write+0xef/0x240
+ ? ksys_write+0xc0/0x160
+ ? __ia32_sys_read+0x50/0x50
+ ? __close_fd+0x129/0x150
+ ? __x64_sys_write+0x43/0x50
+ ? do_syscall_64+0x6c/0x200
+ ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: e5ff215941d5 ("hugetlb: multiple hstates for multiple page sizes")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Link: http://lkml.kernel.org/r/20200828031146.43035-1-songmuchun@bytedance.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2918,6 +2918,22 @@ static unsigned int cpuset_mems_nr(unsig
+ }
+
+ #ifdef CONFIG_SYSCTL
++static int proc_hugetlb_doulongvec_minmax(struct ctl_table *table, int write,
++ void *buffer, size_t *length,
++ loff_t *ppos, unsigned long *out)
++{
++ struct ctl_table dup_table;
++
++ /*
++ * In order to avoid races with __do_proc_doulongvec_minmax(), we
++ * can duplicate the @table and alter the duplicate of it.
++ */
++ dup_table = *table;
++ dup_table.data = out;
++
++ return proc_doulongvec_minmax(&dup_table, write, buffer, length, ppos);
++}
++
+ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
+ struct ctl_table *table, int write,
+ void __user *buffer, size_t *length, loff_t *ppos)
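Review bot: proc_hugetlb_doulongvec_minmax() inherits `maxlen` from the registered table, whereas the code it replaces in the two later hunks of this file set `table->maxlen = sizeof(unsigned long)` before calling proc_doulongvec_minmax(). The callers pass `&tmp`, presumably a single unsigned long on their stack, so the write bound now depends on a table definition that is not visible here. Setting it on the copy keeps the bound local to the helper: `dup_table.maxlen = sizeof(unsigned long);`. Separately, the helper declares `void *buffer` while hugetlb_sysctl_handler_common() just below still takes `void __user *buffer`; if proc_doulongvec_minmax() in this tree takes a user pointer, the helper should declare `void __user *buffer` so sparse keeps checking it.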
+@@ -2929,9 +2945,8 @@ static int hugetlb_sysctl_handler_common
+ if (!hugepages_supported())
+ return -EOPNOTSUPP;
+
+- table->data = &tmp;
+- table->maxlen = sizeof(unsigned long);
+- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos,
++ &tmp);
+ if (ret)
+ goto out;
+
+@@ -2975,9 +2990,8 @@ int hugetlb_overcommit_handler(struct ct
+ if (write && hstate_is_gigantic(h))
+ return -EINVAL;
+
+- table->data = &tmp;
+- table->maxlen = sizeof(unsigned long);
+- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos,
++ &tmp);
+ if (ret)
+ goto out;
+
--- /dev/null
+From a092b7233f0e000cc6f2c71a49e2ecc6f917a5fc Mon Sep 17 00:00:00 2001
+From: Himadri Pandya <himadrispandya@gmail.com>
+Date: Thu, 27 Aug 2020 12:23:55 +0530
+Subject: net: usb: Fix uninit-was-stored issue in asix_read_phy_addr()
+
+From: Himadri Pandya <himadrispandya@gmail.com>
+
+commit a092b7233f0e000cc6f2c71a49e2ecc6f917a5fc upstream.
+
+The buffer size is 2 Bytes and we expect to receive the same amount of
+data. But sometimes we receive less data and run into uninit-was-stored
+issue upon read. Hence modify the error check on the return value to match
+with the buffer size as a prevention.
+
+Reported-and-tested by: syzbot+a7e220df5a81d1ab400e@syzkaller.appspotmail.com
+Signed-off-by: Himadri Pandya <himadrispandya@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/asix_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -309,7 +309,7 @@ int asix_read_phy_addr(struct usbnet *de
+
+ netdev_dbg(dev->net, "asix_get_phy_addr()\n");
+
+- if (ret < 0) {
++ if (ret < 2) {
+ netdev_err(dev->net, "Error reading PHYID register: %02x\n", ret);
+ goto out;
+ }
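Review bot: A short read (`ret` of 0 or 1) now takes the error path with `ret` still non-negative, so if the `out` label outside this hunk returns `ret`, the caller gets 0 or 1 and may treat it as a valid PHY address. Converting the short read to an error before the jump avoids that, e.g. `if (ret >= 0) ret = -EIO;` ahead of `goto out;`. The message also prints `ret` with `%02x`, which reads poorly for a byte count or a negative errno; `%d` would be clearer.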
kvm-arm64-survive-synchronous-exceptions-caused-by-at-instructions.patch
kvm-arm64-set-hcr_el2.ptw-to-prevent-at-taking-synchronous-exception.patch
vfio-pci-fix-sr-iov-vf-handling-with-mmio-blocking.patch
+checkpatch-fix-the-usage-of-capture-group.patch
+mm-hugetlb-fix-a-race-between-hugetlb-sysctl-handlers.patch
+cfg80211-regulatory-reject-invalid-hints.patch
+net-usb-fix-uninit-was-stored-issue-in-asix_read_phy_addr.patch