5.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 May 2019 15:24:58 +0000 (17:24 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 May 2019 15:24:58 +0000 (17:24 +0200)
added patches:
acct_on-don-t-mess-with-freeze-protection.patch
at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
media-cpia2-fix-use-after-free-in-cpia2_exit.patch
media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
media-vb2-add-waiting_in_dqbuf-flag.patch
media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
ovl-relax-warn_on-for-overlapping-layers-use-case.patch
ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch

12 files changed:
queue-5.0/acct_on-don-t-mess-with-freeze-protection.patch [new file with mode: 0644]
queue-5.0/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch [new file with mode: 0644]
queue-5.0/batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch [new file with mode: 0644]
queue-5.0/bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch [new file with mode: 0644]
queue-5.0/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch [new file with mode: 0644]
queue-5.0/media-cpia2-fix-use-after-free-in-cpia2_exit.patch [new file with mode: 0644]
queue-5.0/media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch [new file with mode: 0644]
queue-5.0/media-vb2-add-waiting_in_dqbuf-flag.patch [new file with mode: 0644]
queue-5.0/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch [new file with mode: 0644]
queue-5.0/ovl-relax-warn_on-for-overlapping-layers-use-case.patch [new file with mode: 0644]
queue-5.0/series
queue-5.0/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch [new file with mode: 0644]

diff --git a/queue-5.0/acct_on-don-t-mess-with-freeze-protection.patch b/queue-5.0/acct_on-don-t-mess-with-freeze-protection.patch
new file mode 100644 (file)
index 0000000..17c0677
--- /dev/null
@@ -0,0 +1,73 @@
+From 9419a3191dcb27f24478d288abaab697228d28e6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 4 Apr 2019 21:04:13 -0400
+Subject: acct_on(): don't mess with freeze protection
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 9419a3191dcb27f24478d288abaab697228d28e6 upstream.
+
+What happens there is that we are replacing file->path.mnt of
+a file we'd just opened with a clone and we need the write
+count contribution to be transferred from original mount to
+new one.  That's it.  We do *NOT* want any kind of freeze
+protection for the duration of switchover.
+
+IOW, we should just use __mnt_{want,drop}_write() for that
+switchover; no need to bother with mnt_{want,drop}_write()
+there.
+
+Tested-by: Amir Goldstein <amir73il@gmail.com>
+Reported-by: syzbot+2a73a6ea9507b7112141@syzkaller.appspotmail.com
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/internal.h         |    2 --
+ include/linux/mount.h |    2 ++
+ kernel/acct.c         |    4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/internal.h
++++ b/fs/internal.h
+@@ -80,9 +80,7 @@ extern int sb_prepare_remount_readonly(s
+ extern void __init mnt_init(void);
+-extern int __mnt_want_write(struct vfsmount *);
+ extern int __mnt_want_write_file(struct file *);
+-extern void __mnt_drop_write(struct vfsmount *);
+ extern void __mnt_drop_write_file(struct file *);
+ /*
+--- a/include/linux/mount.h
++++ b/include/linux/mount.h
+@@ -86,6 +86,8 @@ extern bool mnt_may_suid(struct vfsmount
+ struct path;
+ extern struct vfsmount *clone_private_mount(const struct path *path);
++extern int __mnt_want_write(struct vfsmount *);
++extern void __mnt_drop_write(struct vfsmount *);
+ struct file_system_type;
+ extern struct vfsmount *vfs_kern_mount(struct file_system_type *type,
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -227,7 +227,7 @@ static int acct_on(struct filename *path
+               filp_close(file, NULL);
+               return PTR_ERR(internal);
+       }
+-      err = mnt_want_write(internal);
++      err = __mnt_want_write(internal);
+       if (err) {
+               mntput(internal);
+               kfree(acct);
+@@ -252,7 +252,7 @@ static int acct_on(struct filename *path
+       old = xchg(&ns->bacct, &acct->pin);
+       mutex_unlock(&acct->lock);
+       pin_kill(old);
+-      mnt_drop_write(mnt);
++      __mnt_drop_write(mnt);
+       mntput(mnt);
+       return 0;
+ }
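Review bot: The two declarations added to include/linux/mount.h (`__mnt_want_write` / `__mnt_drop_write`) are made visible kernel-wide with no comment, even though, per the commit message, they deliberately skip the freeze protection that mnt_want_write()/mnt_drop_write() provide, so a future caller could easily take them as drop-in replacements. I would document the contract above the prototypes, e.g. `/* Like mnt_want_write()/mnt_drop_write() but without freeze protection; only for transferring an existing write count between mounts (see acct_on()). */`. The acct_on() change itself reads consistently: the count taken on `internal` is the one later dropped on the original `mnt` after the xchg, which is the transfer the message describes; the part of acct_on() between the two hunks is outside this view.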
diff --git a/queue-5.0/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch b/queue-5.0/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
new file mode 100644 (file)
index 0000000..013ace6
--- /dev/null
@@ -0,0 +1,89 @@
+From 09ac2694b0475f96be895848687ebcbba97eeecf Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 8 Apr 2019 11:45:29 +0800
+Subject: at76c50x-usb: Don't register led_trigger if usb_register_driver failed
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 09ac2694b0475f96be895848687ebcbba97eeecf upstream.
+
+Syzkaller report this:
+
+[ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338
+[ 1213.469530] #PF error: [normal kernel read fault]
+[ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0
+[ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI
+[ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
+[ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+[ 1213.473514] RIP: 0010:strcmp+0x31/0xa0
+[ 1213.473514] Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
+[ 1213.473514] RSP: 0018:ffff8881f2b7f950 EFLAGS: 00010246
+[ 1213.473514] RAX: 1ffffffff83bf338 RBX: ffff8881ea6f7240 RCX: ffffffff825350c6
+[ 1213.473514] RDX: 0000000000000000 RSI: ffffffffc1ee19c0 RDI: ffffffffc1df99c0
+[ 1213.473514] RBP: ffffffffc1df99c1 R08: 0000000000000001 R09: 0000000000000004
+[ 1213.473514] R10: 0000000000000000 R11: ffff8881de353f00 R12: ffff8881ee727900
+[ 1213.473514] R13: dffffc0000000000 R14: 0000000000000001 R15: ffffffffc1eeaaf0
+[ 1213.473514] FS:  00007fa66fa01700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
+[ 1213.473514] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1213.473514] CR2: fffffbfff83bf338 CR3: 00000001ebb9e005 CR4: 00000000007606f0
+[ 1213.473514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1213.473514] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1213.473514] PKRU: 55555554
+[ 1213.473514] Call Trace:
+[ 1213.473514]  led_trigger_register+0x112/0x3f0
+[ 1213.473514]  led_trigger_register_simple+0x7a/0x110
+[ 1213.473514]  ? 0xffffffffc1c10000
+[ 1213.473514]  at76_mod_init+0x77/0x1000 [at76c50x_usb]
+[ 1213.473514]  do_one_initcall+0xbc/0x47d
+[ 1213.473514]  ? perf_trace_initcall_level+0x3a0/0x3a0
+[ 1213.473514]  ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514]  ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514]  do_init_module+0x1b5/0x547
+[ 1213.473514]  load_module+0x6405/0x8c10
+[ 1213.473514]  ? module_frob_arch_sections+0x20/0x20
+[ 1213.473514]  ? kernel_read_file+0x1e6/0x5d0
+[ 1213.473514]  ? find_held_lock+0x32/0x1c0
+[ 1213.473514]  ? cap_capable+0x1ae/0x210
+[ 1213.473514]  ? __do_sys_finit_module+0x162/0x190
+[ 1213.473514]  __do_sys_finit_module+0x162/0x190
+[ 1213.473514]  ? __ia32_sys_init_module+0xa0/0xa0
+[ 1213.473514]  ? __mutex_unlock_slowpath+0xdc/0x690
+[ 1213.473514]  ? wait_for_completion+0x370/0x370
+[ 1213.473514]  ? vfs_write+0x204/0x4a0
+[ 1213.473514]  ? do_syscall_64+0x18/0x450
+[ 1213.473514]  do_syscall_64+0x9f/0x450
+[ 1213.473514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 1213.473514] RIP: 0033:0x462e99
+[ 1213.473514] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+[ 1213.473514] RSP: 002b:00007fa66fa00c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 1213.473514] RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+[ 1213.473514] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
+[ 1213.473514] RBP: 00007fa66fa00c70 R08: 0000000000000000 R09: 0000000000000000
+[ 1213.473514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa66fa016bc
+[ 1213.473514] R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+If usb_register failed, no need to call led_trigger_register_simple.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 1264b951463a ("at76c50x-usb: add driver")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/atmel/at76c50x-usb.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -2585,8 +2585,8 @@ static int __init at76_mod_init(void)
+       if (result < 0)
+               printk(KERN_ERR DRIVER_NAME
+                      ": usb_register failed (status %d)\n", result);
+-
+-      led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
++      else
++              led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
+       return result;
+ }
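Review bot: Style: the new `else` at the end of at76_mod_init() hangs off an unbraced `if` whose body is a three-line printk(), which is easy to misread as the LED trigger still being registered unconditionally, the very bug being fixed. An early return would make the intent obvious: move the printk() and `return result;` inside a braced `if (result < 0) { ... }`, then call led_trigger_register_simple() and `return result;` unconditionally below it. The call that produces `result` (presumably the usb_register() named in the message) sits just above the hunk, and the module exit path that unregisters the trigger is also outside this view; since exit only runs after a successful init, the register/unregister pairing should hold.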
diff --git a/queue-5.0/batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch b/queue-5.0/batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
new file mode 100644 (file)
index 0000000..57f0a97
--- /dev/null
@@ -0,0 +1,111 @@
+From a3c7cd0cdf1107f891aff847ad481e34df727055 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Wed, 24 Apr 2019 03:19:14 +0200
+Subject: batman-adv: mcast: fix multicast tt/tvlv worker locking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+commit a3c7cd0cdf1107f891aff847ad481e34df727055 upstream.
+
+Syzbot has reported some issues with the locking assumptions made for
+the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in
+batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add().
+While hard/not reproduceable for us so far it seems that the
+delayed_work_pending() we use might not be quite safe from reordering.
+
+Therefore this patch adds an explicit, new spinlock to protect the
+update of the mla_list and flags in bat_priv and then removes the
+WARN_ON(delayed_work_pending()).
+
+Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com
+Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com
+Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com
+Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com
+Fixes: cbebd363b2e9 ("batman-adv: Use own timer for multicast TT and TVLV updates")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/main.c      |    1 +
+ net/batman-adv/multicast.c |   11 +++--------
+ net/batman-adv/types.h     |    5 +++++
+ 3 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -161,6 +161,7 @@ int batadv_mesh_init(struct net_device *
+       spin_lock_init(&bat_priv->tt.commit_lock);
+       spin_lock_init(&bat_priv->gw.list_lock);
+ #ifdef CONFIG_BATMAN_ADV_MCAST
++      spin_lock_init(&bat_priv->mcast.mla_lock);
+       spin_lock_init(&bat_priv->mcast.want_lists_lock);
+ #endif
+       spin_lock_init(&bat_priv->tvlv.container_list_lock);
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -325,8 +325,6 @@ static void batadv_mcast_mla_list_free(s
+  * translation table except the ones listed in the given mcast_list.
+  *
+  * If mcast_list is NULL then all are retracted.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+  */
+ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+                                       struct hlist_head *mcast_list)
+@@ -334,8 +332,6 @@ static void batadv_mcast_mla_tt_retract(
+       struct batadv_hw_addr *mcast_entry;
+       struct hlist_node *tmp;
+-      WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+       hlist_for_each_entry_safe(mcast_entry, tmp, &bat_priv->mcast.mla_list,
+                                 list) {
+               if (mcast_list &&
+@@ -359,8 +355,6 @@ static void batadv_mcast_mla_tt_retract(
+  *
+  * Adds multicast listener announcements from the given mcast_list to the
+  * translation table if they have not been added yet.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+  */
+ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
+                                   struct hlist_head *mcast_list)
+@@ -368,8 +362,6 @@ static void batadv_mcast_mla_tt_add(stru
+       struct batadv_hw_addr *mcast_entry;
+       struct hlist_node *tmp;
+-      WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+       if (!mcast_list)
+               return;
+@@ -658,7 +650,10 @@ static void batadv_mcast_mla_update(stru
+       priv_mcast = container_of(delayed_work, struct batadv_priv_mcast, work);
+       bat_priv = container_of(priv_mcast, struct batadv_priv, mcast);
++      spin_lock(&bat_priv->mcast.mla_lock);
+       __batadv_mcast_mla_update(bat_priv);
++      spin_unlock(&bat_priv->mcast.mla_lock);
++
+       batadv_mcast_start_timer(bat_priv);
+ }
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1224,6 +1224,11 @@ struct batadv_priv_mcast {
+       unsigned char bridged:1;
+       /**
++       * @mla_lock: a lock protecting mla_list and mla_flags
++       */
++      spinlock_t mla_lock;
++
++      /**
+        * @num_want_all_unsnoopables: number of nodes wanting unsnoopable IP
+        *  traffic
+        */
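Review bot: The kerneldoc of batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add() loses the "Do not call outside of the mcast worker!" rule together with the WARN_ON(), but nothing states the new locking rule in its place; I would add `* Caller must hold bat_priv->mcast.mla_lock.` to both comment blocks so the requirement stays visible to future callers. The only acquisition of mla_lock in this hunk is in batadv_mcast_mla_update() around __batadv_mcast_mla_update(); if these helpers have other callers (a teardown path, for instance, not visible here), those must take the lock too or the new lock does not cover the race syzbot hit. Whether plain spin_lock() rather than the _bh variant is sufficient depends on the contexts of those other callers, which are outside this view.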
diff --git a/queue-5.0/bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch b/queue-5.0/bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
new file mode 100644 (file)
index 0000000..9c3108d
--- /dev/null
@@ -0,0 +1,123 @@
+From 2baae3545327632167c0180e9ca1d467416f1919 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 13 May 2019 09:59:16 -0700
+Subject: bpf: devmap: fix use-after-free Read in __dev_map_entry_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 2baae3545327632167c0180e9ca1d467416f1919 upstream.
+
+synchronize_rcu() is fine when the rcu callbacks only need
+to free memory (kfree_rcu() or direct kfree() call rcu call backs)
+
+__dev_map_entry_free() is a bit more complex, so we need to make
+sure that call queued __dev_map_entry_free() callbacks have completed.
+
+sysbot report:
+
+BUG: KASAN: use-after-free in dev_map_flush_old kernel/bpf/devmap.c:365
+[inline]
+BUG: KASAN: use-after-free in __dev_map_entry_free+0x2a8/0x300
+kernel/bpf/devmap.c:379
+Read of size 8 at addr ffff8801b8da38c8 by task ksoftirqd/1/18
+
+CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.17.0+ #39
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+  __dump_stack lib/dump_stack.c:77 [inline]
+  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+  print_address_description+0x6c/0x20b mm/kasan/report.c:256
+  kasan_report_error mm/kasan/report.c:354 [inline]
+  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
+  dev_map_flush_old kernel/bpf/devmap.c:365 [inline]
+  __dev_map_entry_free+0x2a8/0x300 kernel/bpf/devmap.c:379
+  __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
+  rcu_do_batch kernel/rcu/tree.c:2558 [inline]
+  invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
+  __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
+  rcu_process_callbacks+0xe9d/0x1760 kernel/rcu/tree.c:2802
+  __do_softirq+0x2e0/0xaf5 kernel/softirq.c:284
+  run_ksoftirqd+0x86/0x100 kernel/softirq.c:645
+  smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
+  kthread+0x345/0x410 kernel/kthread.c:240
+  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+Allocated by task 6675:
+  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+  set_track mm/kasan/kasan.c:460 [inline]
+  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
+  kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
+  kmalloc include/linux/slab.h:513 [inline]
+  kzalloc include/linux/slab.h:706 [inline]
+  dev_map_alloc+0x208/0x7f0 kernel/bpf/devmap.c:102
+  find_and_alloc_map kernel/bpf/syscall.c:129 [inline]
+  map_create+0x393/0x1010 kernel/bpf/syscall.c:453
+  __do_sys_bpf kernel/bpf/syscall.c:2351 [inline]
+  __se_sys_bpf kernel/bpf/syscall.c:2328 [inline]
+  __x64_sys_bpf+0x303/0x510 kernel/bpf/syscall.c:2328
+  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 26:
+  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+  set_track mm/kasan/kasan.c:460 [inline]
+  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
+  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+  __cache_free mm/slab.c:3498 [inline]
+  kfree+0xd9/0x260 mm/slab.c:3813
+  dev_map_free+0x4fa/0x670 kernel/bpf/devmap.c:191
+  bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:262
+  process_one_work+0xc64/0x1b70 kernel/workqueue.c:2153
+  worker_thread+0x181/0x13a0 kernel/workqueue.c:2296
+  kthread+0x345/0x410 kernel/kthread.c:240
+  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+The buggy address belongs to the object at ffff8801b8da37c0
+  which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 264 bytes inside of
+  512-byte region [ffff8801b8da37c0, ffff8801b8da39c0)
+The buggy address belongs to the page:
+page:ffffea0006e368c0 count:1 mapcount:0 mapping:ffff8801da800940
+index:0xffff8801b8da3540
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffffea0007217b88 ffffea0006e30cc8 ffff8801da800940
+raw: ffff8801b8da3540 ffff8801b8da3040 0000000100000004 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+  ffff8801b8da3780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+  ffff8801b8da3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+> ffff8801b8da3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                               ^
+  ffff8801b8da3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+  ffff8801b8da3980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+457d3e2ffbcf31aee5c0@syzkaller.appspotmail.com
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/devmap.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -164,6 +164,9 @@ static void dev_map_free(struct bpf_map
+       bpf_clear_redirect_map(map);
+       synchronize_rcu();
++      /* Make sure prior __dev_map_entry_free() have completed. */
++      rcu_barrier();
++
+       /* To ensure all pending flush operations have completed wait for flush
+        * bitmap to indicate all flush_needed bits to be zero on _all_ cpus.
+        * Because the above synchronize_rcu() ensures the map is disconnected
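Review bot: The new comment above rcu_barrier() says only that prior __dev_map_entry_free() callbacks must complete, not why; the KASAN report in this patch shows those callbacks reading dtab via dev_map_flush_old() after dev_map_free() has already kfree()d it (devmap.c:191 in the "Freed by" trace), which is what a reader needs. I would say so explicitly: `/* Queued __dev_map_entry_free() callbacks still dereference dtab (dev_map_flush_old()); wait for them before dtab is freed below. */`. Note that rcu_barrier() only waits for callbacks already queued, so it must sit after the last call_rcu() that can enqueue __dev_map_entry_free() for this map; the earlier part of dev_map_free() and the entry teardown that follows are outside this hunk, so I cannot confirm that ordering here.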
diff --git a/queue-5.0/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch b/queue-5.0/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
new file mode 100644 (file)
index 0000000..b7f5e91
--- /dev/null
@@ -0,0 +1,51 @@
+From 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f Mon Sep 17 00:00:00 2001
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Thu, 11 Apr 2019 19:25:12 +0200
+Subject: fbdev: fix WARNING in __alloc_pages_nodemask bug
+
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+
+commit 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f upstream.
+
+Syzkaller hit 'WARNING in __alloc_pages_nodemask' bug.
+
+WARNING: CPU: 1 PID: 1473 at mm/page_alloc.c:4377
+__alloc_pages_nodemask+0x4da/0x2130
+Kernel panic - not syncing: panic_on_warn set ...
+
+Call Trace:
+ alloc_pages_current+0xb1/0x1e0
+ kmalloc_order+0x1f/0x60
+ kmalloc_order_trace+0x1d/0x120
+ fb_alloc_cmap_gfp+0x85/0x2b0
+ fb_set_user_cmap+0xff/0x370
+ do_fb_ioctl+0x949/0xa20
+ fb_ioctl+0xdd/0x120
+ do_vfs_ioctl+0x186/0x1070
+ ksys_ioctl+0x89/0xa0
+ __x64_sys_ioctl+0x74/0xb0
+ do_syscall_64+0xc8/0x550
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is a warning about order >= MAX_ORDER and the order is from
+userspace ioctl. Add flag __NOWARN to silence this warning.
+
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/core/fbcmap.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -94,6 +94,8 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cm
+       int size = len * sizeof(u16);
+       int ret = -ENOMEM;
++      flags |= __GFP_NOWARN;
++
+       if (cmap->len != len) {
+               fb_dealloc_cmap(cmap);
+               if (!len)
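Review bot: `flags |= __GFP_NOWARN;` only silences the message; the allocation size in fb_alloc_cmap_gfp() is still driven directly by the userspace-supplied `len` from the FBIOPUTCMAP path in the trace, with no upper bound visible in the hunk. The context line `int size = len * sizeof(u16);` also narrows a size_t product back into an int, so a `len` of 2^30 or more yields a negative `size`; the later allocation (outside this hunk) presumably fails and the caller gets -ENOMEM rather than a corrupted buffer, but that is relying on the allocator to reject the request. An explicit bound before `size` is computed, or in fb_set_user_cmap(), would be the more robust fix; any existing caller-side limit on `len` is outside this view.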
diff --git a/queue-5.0/media-cpia2-fix-use-after-free-in-cpia2_exit.patch b/queue-5.0/media-cpia2-fix-use-after-free-in-cpia2_exit.patch
new file mode 100644 (file)
index 0000000..f4a9d37
--- /dev/null
@@ -0,0 +1,124 @@
+From dea37a97265588da604c6ba80160a287b72c7bfd Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 6 Mar 2019 07:45:08 -0500
+Subject: media: cpia2: Fix use-after-free in cpia2_exit
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.
+
+Syzkaller report this:
+
+BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363
+
+CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
+ usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
+ cpia2_exit+0xa/0x16 [cpia2]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
+R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
+
+Allocated by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
+ driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
+ usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
+ slab_free_hook mm/slub.c:1430 [inline]
+ slab_free_freelist_hook mm/slub.c:1457 [inline]
+ slab_free mm/slub.c:3005 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3957
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f59a6b40
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 48 bytes inside of
+ 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
+The buggy address belongs to the page:
+page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
+>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+                                                             ^
+ ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+cpia2_init does not check return value of cpia2_init, if it failed
+in usb_register_driver, there is already cleanup using driver_unregister.
+No need call cpia2_usb_cleanup on module exit.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cpia2/cpia2_v4l.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_v4l.c
++++ b/drivers/media/usb/cpia2/cpia2_v4l.c
+@@ -1245,8 +1245,7 @@ static int __init cpia2_init(void)
+       LOG("%s v%s\n",
+           ABOUT, CPIA_VERSION);
+       check_parameters();
+-      cpia2_usb_init();
+-      return 0;
++      return cpia2_usb_init();
+ }
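Review bot: The commit message inside this patch says "cpia2_init does not check return value of cpia2_init"; the function whose return value was ignored is cpia2_usb_init() (the removed `cpia2_usb_init();` call), so the message should be corrected before this lands in stable. The code change is right: propagating the error makes the module load fail, so cpia2_exit() and its second usb_deregister() on a driver that usb_register_driver() already unregistered (visible in the "Freed by" trace) is never reached. It does rely on cpia2_usb_init() returning 0 on success and a negative errno on failure; its definition is outside this view.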
diff --git a/queue-5.0/media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch b/queue-5.0/media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
new file mode 100644 (file)
index 0000000..82546a6
--- /dev/null
@@ -0,0 +1,140 @@
+From 56cd26b618855c9af48c8301aa6754ced8dd0beb Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 5 Mar 2019 00:40:26 -0500
+Subject: media: serial_ir: Fix use-after-free in serial_ir_init_module
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 56cd26b618855c9af48c8301aa6754ced8dd0beb upstream.
+
+Syzkaller report this:
+
+BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+Read of size 8 at addr ffff8881dc7ae030 by task syz-executor.0/6249
+
+CPU: 1 PID: 6249 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ ? 0xffffffffc1728000
+ sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ remove_bind_files drivers/base/bus.c:585 [inline]
+ bus_remove_driver+0x186/0x220 drivers/base/bus.c:725
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ serial_ir_init_module+0x169/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f9450132c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00007f9450132c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94501336bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+Allocated by task 6249:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
+ driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
+ serial_ir_init_module+0xe8/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 6249:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
+ slab_free_hook mm/slub.c:1430 [inline]
+ slab_free_freelist_hook mm/slub.c:1457 [inline]
+ slab_free mm/slub.c:3005 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3957
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ serial_ir_init_module+0x14c/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881dc7ae000
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 48 bytes inside of
+ 256-byte region [ffff8881dc7ae000, ffff8881dc7ae100)
+The buggy address belongs to the page:
+page:ffffea000771eb80 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 ffffea0007d14800 0000000400000002 ffff8881f6c02e00
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881dc7adf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881dc7adf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8881dc7ae000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                     ^
+ ffff8881dc7ae080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881dc7ae100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+
+There are already cleanup handlings in serial_ir_init error path,
+no need to call serial_ir_exit do it again in serial_ir_init_module,
+otherwise will trigger a use-after-free issue.
+
+Fixes: fa5dc29c1fcc ("[media] lirc_serial: move out of staging and rename to serial_ir")
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/serial_ir.c |    9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/media/rc/serial_ir.c
++++ b/drivers/media/rc/serial_ir.c
+@@ -773,8 +773,6 @@ static void serial_ir_exit(void)
+ static int __init serial_ir_init_module(void)
+ {
+-      int result;
+-
+       switch (type) {
+       case IR_HOMEBREW:
+       case IR_IRDEO:
+@@ -802,12 +800,7 @@ static int __init serial_ir_init_module(
+       if (sense != -1)
+               sense = !!sense;
+-      result = serial_ir_init();
+-      if (!result)
+-              return 0;
+-
+-      serial_ir_exit();
+-      return result;
++      return serial_ir_init();
+ }
+ static void __exit serial_ir_exit_module(void)
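Review bot: The new `return serial_ir_init();` makes serial_ir_init_module() depend on serial_ir_init() fully unwinding whatever it registered on every failure path (the trace shows the old serial_ir_exit() call running driver_unregister() on an already-freed driver), but nothing in the hunk documents that contract, and serial_ir_exit() stays as a static function just above this hunk for the module exit path. I would put a short note on serial_ir_init() (outside this hunk), e.g. `/* On error everything registered so far is released; callers must not call serial_ir_exit(). */`, so the double teardown is not reintroduced. The `switch (type)` at the top of the function is cut by the hunk, so I cannot see whether an invalid `type` still returns an error before serial_ir_init() is reached.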
diff --git a/queue-5.0/media-vb2-add-waiting_in_dqbuf-flag.patch b/queue-5.0/media-vb2-add-waiting_in_dqbuf-flag.patch
new file mode 100644 (file)
index 0000000..4f37536
--- /dev/null
@@ -0,0 +1,113 @@
+From d65842f7126aa1a87fb44b7c9980c12630ed4f33 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Mon, 19 Nov 2018 06:09:00 -0500
+Subject: media: vb2: add waiting_in_dqbuf flag
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit d65842f7126aa1a87fb44b7c9980c12630ed4f33 upstream.
+
+Calling VIDIOC_DQBUF can release the core serialization lock pointed to
+by vb2_queue->lock if it has to wait for a new buffer to arrive.
+
+However, if userspace dup()ped the video device filehandle, then it is
+possible to read or call DQBUF from two filehandles at the same time.
+
+It is also possible to call REQBUFS from one filehandle while the other
+is waiting for a buffer. This will remove all the buffers and reallocate
+new ones. Removing all the buffers isn't the problem here (that's already
+handled correctly by DQBUF), but the reallocating part is: DQBUF isn't
+aware that the buffers have changed.
+
+This is fixed by setting a flag whenever the lock is released while waiting
+for a buffer to arrive. And checking the flag where needed so we can return
+-EBUSY.
+
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Reported-by: Syzbot <syzbot+4180ff9ca6810b06c1e9@syzkaller.appspotmail.com>
+Reviewed-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/common/videobuf2/videobuf2-core.c |   22 ++++++++++++++++++++++
+ include/media/videobuf2-core.h                  |    1 +
+ 2 files changed, 23 insertions(+)
+
+--- a/drivers/media/common/videobuf2/videobuf2-core.c
++++ b/drivers/media/common/videobuf2/videobuf2-core.c
+@@ -672,6 +672,11 @@ int vb2_core_reqbufs(struct vb2_queue *q
+               return -EBUSY;
+       }
++      if (q->waiting_in_dqbuf && *count) {
++              dprintk(1, "another dup()ped fd is waiting for a buffer\n");
++              return -EBUSY;
++      }
++
+       if (*count == 0 || q->num_buffers != 0 ||
+           (q->memory != VB2_MEMORY_UNKNOWN && q->memory != memory)) {
+               /*
+@@ -807,6 +812,10 @@ int vb2_core_create_bufs(struct vb2_queu
+       }
+       if (!q->num_buffers) {
++              if (q->waiting_in_dqbuf && *count) {
++                      dprintk(1, "another dup()ped fd is waiting for a buffer\n");
++                      return -EBUSY;
++              }
+               memset(q->alloc_devs, 0, sizeof(q->alloc_devs));
+               q->memory = memory;
+               q->waiting_for_buffers = !q->is_output;
+@@ -1638,6 +1647,11 @@ static int __vb2_wait_for_done_vb(struct
+       for (;;) {
+               int ret;
++              if (q->waiting_in_dqbuf) {
++                      dprintk(1, "another dup()ped fd is waiting for a buffer\n");
++                      return -EBUSY;
++              }
++
+               if (!q->streaming) {
+                       dprintk(1, "streaming off, will not wait for buffers\n");
+                       return -EINVAL;
+@@ -1665,6 +1679,7 @@ static int __vb2_wait_for_done_vb(struct
+                       return -EAGAIN;
+               }
++              q->waiting_in_dqbuf = 1;
+               /*
+                * We are streaming and blocking, wait for another buffer to
+                * become ready or for streamoff. Driver's lock is released to
+@@ -1685,6 +1700,7 @@ static int __vb2_wait_for_done_vb(struct
+                * the locks or return an error if one occurred.
+                */
+               call_void_qop(q, wait_finish, q);
++              q->waiting_in_dqbuf = 0;
+               if (ret) {
+                       dprintk(1, "sleep was interrupted\n");
+                       return ret;
+@@ -2572,6 +2588,12 @@ static size_t __vb2_perform_fileio(struc
+       if (!data)
+               return -EINVAL;
++      if (q->waiting_in_dqbuf) {
++              dprintk(3, "another dup()ped fd is %s\n",
++                      read ? "reading" : "writing");
++              return -EBUSY;
++      }
++
+       /*
+        * Initialize emulator on first call.
+        */
+--- a/include/media/videobuf2-core.h
++++ b/include/media/videobuf2-core.h
+@@ -586,6 +586,7 @@ struct vb2_queue {
+       unsigned int                    start_streaming_called:1;
+       unsigned int                    error:1;
+       unsigned int                    waiting_for_buffers:1;
++      unsigned int                    waiting_in_dqbuf:1;
+       unsigned int                    is_multiplanar:1;
+       unsigned int                    is_output:1;
+       unsigned int                    copy_timestamp:1;
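Review bot: The new `waiting_in_dqbuf:1` member in the include/media/videobuf2-core.h hunk arrives without a kernel-doc line (the diffstat confirms the header gains exactly one line), so a reader of struct vb2_queue cannot see that the bit is set only for the duration of a blocking DQBUF and that REQBUFS, CREATE_BUFS and the file I/O path return -EBUSY while it is set. If the struct's leading comment documents the neighbouring flags (it lies outside this hunk), add the matching entry `@waiting_in_dqbuf: set by the core for the duration of a blocking DQBUF, when it has to wait for a buffer to become available.` Because the bit shares a word with waiting_for_buffers and the other one-bit flags, each write is a read-modify-write of that word; the set and clear in __vb2_wait_for_done_vb sit before the driver lock is released and after it is retaken, as the surrounding comments describe, and that ordering is what keeps the new checks in vb2_core_reqbufs and vb2_core_create_bufs consistent, so a one-line comment at `q->waiting_in_dqbuf = 1;` saying it must only be written with the queue lock held is worth adding. The flag is per-queue rather than per-filehandle, so a second DQBUF from a dup()ped fd also gets -EBUSY; that matches the description but deserves a mention in the header comment.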
diff --git a/queue-5.0/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch b/queue-5.0/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
new file mode 100644 (file)
index 0000000..482f3d6
--- /dev/null
@@ -0,0 +1,37 @@
+From dad7e270ba712ba1c99cd2d91018af6044447a06 Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko <glider@google.com>
+Date: Thu, 4 Apr 2019 10:56:46 -0400
+Subject: media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
+
+From: Alexander Potapenko <glider@google.com>
+
+commit dad7e270ba712ba1c99cd2d91018af6044447a06 upstream.
+
+syzkaller reported crashes on kfree() called from
+vivid_vid_cap_s_selection(). This looks like a simple typo, as
+dev->bitmap_cap is allocated with vzalloc() throughout the file.
+
+Fixes: ef834f7836ec0 ("[media] vivid: add the video capture and output
+parts")
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reported-by: Syzbot <syzbot+6c0effb5877f6b0344e2@syzkaller.appspotmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -1003,7 +1003,7 @@ int vivid_vid_cap_s_selection(struct fil
+               v4l2_rect_map_inside(&s->r, &dev->fmt_cap_rect);
+               if (dev->bitmap_cap && (compose->width != s->r.width ||
+                                       compose->height != s->r.height)) {
+-                      kfree(dev->bitmap_cap);
++                      vfree(dev->bitmap_cap);
+                       dev->bitmap_cap = NULL;
+               }
+               *compose = s->r;
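Review bot: The change to `vfree(dev->bitmap_cap);` is right for this site, but nothing in the code records which allocator owns the member, so the same kfree/vfree mismatch can reappear at any other place that drops dev->bitmap_cap; the description says it is allocated with vzalloc() throughout the file, which this hunk cannot confirm. A short comment at the member's declaration (outside this hunk), e.g. `/* allocated with vzalloc(); release only with vfree() */`, would make the pairing visible where the next free is written. vfree() accepts NULL, so the `dev->bitmap_cap &&` guard in the condition above exists for the size comparison rather than for the free, which is fine to leave as is.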
diff --git a/queue-5.0/ovl-relax-warn_on-for-overlapping-layers-use-case.patch b/queue-5.0/ovl-relax-warn_on-for-overlapping-layers-use-case.patch
new file mode 100644 (file)
index 0000000..24792bd
--- /dev/null
@@ -0,0 +1,85 @@
+From acf3062a7e1ccf67c6f7e7c28671a6708fde63b0 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 28 Mar 2019 17:38:29 +0200
+Subject: ovl: relax WARN_ON() for overlapping layers use case
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit acf3062a7e1ccf67c6f7e7c28671a6708fde63b0 upstream.
+
+This nasty little syzbot repro:
+https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000
+
+Creates overlay mounts where the same directory is both in upper and lower
+layers. Simplified example:
+
+  mkdir foo work
+  mount -t overlay none foo -o"lowerdir=.,upperdir=foo,workdir=work"
+
+The repro runs several threads in parallel that attempt to chdir into foo
+and attempt to symlink/rename/exec/mkdir the file bar.
+
+The repro hits a WARN_ON() I placed in ovl_instantiate(), which suggests
+that an overlay inode already exists in cache and is hashed by the pointer
+of the real upper dentry that ovl_create_real() has just created. At the
+point of the WARN_ON(), for overlay dir inode lock is held and upper dir
+inode lock, so at first, I did not see how this was possible.
+
+On a closer look, I see that after ovl_create_real(), because of the
+overlapping upper and lower layers, a lookup by another thread can find the
+file foo/bar that was just created in upper layer, at overlay path
+foo/foo/bar and hash the an overlay inode with the new real dentry as lower
+dentry. This is possible because the overlay directory foo/foo is not
+locked and the upper dentry foo/bar is in dcache, so ovl_lookup() can find
+it without taking upper dir inode shared lock.
+
+Overlapping layers is considered a wrong setup which would result in
+unexpected behavior, but it shouldn't crash the kernel and it shouldn't
+trigger WARN_ON() either, so relax this WARN_ON() and leave a pr_warn()
+instead to cover all cases of failure to get an overlay inode.
+
+The error returned from failure to insert new inode to cache with
+inode_insert5() was changed to -EEXIST, to distinguish from the error
+-ENOMEM returned on failure to get/allocate inode with iget5_locked().
+
+Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com
+Fixes: 01b39dcc9568 ("ovl: use inode_insert5() to hash a newly...")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/dir.c   |    2 +-
+ fs/overlayfs/inode.c |    3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -260,7 +260,7 @@ static int ovl_instantiate(struct dentry
+                * hashed directory inode aliases.
+                */
+               inode = ovl_get_inode(dentry->d_sb, &oip);
+-              if (WARN_ON(IS_ERR(inode)))
++              if (IS_ERR(inode))
+                       return PTR_ERR(inode);
+       } else {
+               WARN_ON(ovl_inode_real(inode) != d_inode(newdentry));
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -832,7 +832,7 @@ struct inode *ovl_get_inode(struct super
+       int fsid = bylower ? oip->lowerpath->layer->fsid : 0;
+       bool is_dir, metacopy = false;
+       unsigned long ino = 0;
+-      int err = -ENOMEM;
++      int err = oip->newinode ? -EEXIST : -ENOMEM;
+       if (!realinode)
+               realinode = d_inode(lowerdentry);
+@@ -917,6 +917,7 @@ out:
+       return inode;
+ out_err:
++      pr_warn_ratelimited("overlayfs: failed to get inode (%i)\n", err);
+       inode = ERR_PTR(err);
+       goto out;
+ }
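Review bot: The initial value `int err = oip->newinode ? -EEXIST : -ENOMEM;` in the fs/overlayfs/inode.c hunk encodes a non-obvious invariant — that when the caller passes a freshly created real inode, the only remaining failure reaching out_err is the hash insert, which the description attributes to overlapping layers — and the hunk leaves this unexplained in the code; ovl_get_inode continues past the hunk, so whether err is reassigned on other paths before out_err cannot be checked here. A comment above that line, e.g. `/* with newinode, failure means a hashed alias already exists (overlapping layers), not OOM */`, would preserve the reasoning that the dropped WARN_ON() in ovl_instantiate used to carry. The new pr_warn_ratelimited at out_err also fires for the -ENOMEM case, consistent with the stated intent of covering all failures, and printing err is what lets the two be told apart in logs, so the comment should say that the value is the only distinguishing signal.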
index 70144493bf62b4d7397c0896124ed086b48ef750..ca9f39517416ee040d1f133406dfbde25cca7732 100644 (file)
@@ -26,3 +26,14 @@ brcmfmac-assure-ssid-length-from-firmware-is-limited.patch
 brcmfmac-add-subtype-check-for-event-handling-in-data-path.patch
 arm64-errata-add-workaround-for-cortex-a76-erratum-1463225.patch
 btrfs-honor-path-skip_locking-in-backref-code.patch
+ovl-relax-warn_on-for-overlapping-layers-use-case.patch
+fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
+media-cpia2-fix-use-after-free-in-cpia2_exit.patch
+media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
+media-vb2-add-waiting_in_dqbuf-flag.patch
+media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
+ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
+bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
+batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
+at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
+acct_on-don-t-mess-with-freeze-protection.patch
diff --git a/queue-5.0/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch b/queue-5.0/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
new file mode 100644 (file)
index 0000000..d90828f
--- /dev/null
@@ -0,0 +1,94 @@
+From b2c01aab9646ed8ffb7c549afe55d5349c482425 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 6 Mar 2019 19:56:58 +0800
+Subject: ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit b2c01aab9646ed8ffb7c549afe55d5349c482425 upstream.
+
+Syzkaller report this:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+CPU: 0 PID: 4492 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:sysfs_remove_file_ns+0x27/0x70 fs/sysfs/file.c:468
+Code: 00 00 00 41 54 55 48 89 fd 53 49 89 d4 48 89 f3 e8 ee 76 9c ff 48 8d 7d 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 2d 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 8b 6d
+RSP: 0018:ffff8881e9d9fc00 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: ffffffff900367e0 RCX: ffffffff81a95952
+RDX: 0000000000000006 RSI: ffffc90001405000 RDI: 0000000000000030
+RBP: 0000000000000000 R08: fffffbfff1fa22ed R09: fffffbfff1fa22ed
+R10: 0000000000000001 R11: fffffbfff1fa22ec R12: 0000000000000000
+R13: ffffffffc1abdac0 R14: 1ffff1103d3b3f8b R15: 0000000000000000
+FS:  00007fe409dc1700(0000) GS:ffff8881f1200000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2d721000 CR3: 00000001e98b6005 CR4: 00000000007606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ pcmcia_remove_newid_file drivers/pcmcia/ds.c:163 [inline]
+ pcmcia_unregister_driver+0x7d/0x2b0 drivers/pcmcia/ds.c:209
+ ssb_modexit+0xa/0x1b [ssb]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe409dc0c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe409dc16bc
+R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
+Modules linked in: ssb(-) 3c59x nvme_core macvlan tap pata_hpt3x3 rt2x00pci null_blk tsc40 pm_notifier_error_inject notifier_error_inject mdio cdc_wdm nf_reject_ipv4 ath9k_common ath9k_hw ath pppox ppp_generic slhc ehci_platform wl12xx wlcore tps6507x_ts ioc4 nf_synproxy_core ide_gd_mod ax25 can_dev iwlwifi can_raw atm tm2_touchkey can_gw can sundance adp5588_keys rt2800mmio rt2800lib rt2x00mmio rt2x00lib eeprom_93cx6 pn533 lru_cache elants_i2c ip_set nfnetlink gameport tipc hampshire nhc_ipv6 nhc_hop nhc_udp nhc_fragment nhc_routing nhc_mobility nhc_dest 6lowpan silead brcmutil nfc mt76_usb mt76 mac80211 iptable_security iptable_raw iptable_mangle iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_gre sit hsr veth vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon vcan bridge stp llc ip6_gre ip6_tunnel tunnel6 tun joydev mousedev serio_raw ide_pci_generic piix floppy ide_core sch_fq_codel ip_tables x_tables ipv6
+ [last unloaded: 3c59x]
+Dumping ftrace buffer:
+   (ftrace buffer empty)
+---[ end trace 3913cbf8011e1c05 ]---
+
+In ssb_modinit, it does not fail SSB init when ssb_host_pcmcia_init failed,
+however in ssb_modexit, ssb_host_pcmcia_exit calls pcmcia_unregister_driver
+unconditionally, which may tigger a NULL pointer dereference issue as above.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 399500da18f7 ("ssb: pick PCMCIA host code support from b43 driver")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ssb/bridge_pcmcia_80211.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/ssb/bridge_pcmcia_80211.c
++++ b/drivers/ssb/bridge_pcmcia_80211.c
+@@ -113,16 +113,21 @@ static struct pcmcia_driver ssb_host_pcm
+       .resume         = ssb_host_pcmcia_resume,
+ };
++static int pcmcia_init_failed;
++
+ /*
+  * These are not module init/exit functions!
+  * The module_pcmcia_driver() helper cannot be used here.
+  */
+ int ssb_host_pcmcia_init(void)
+ {
+-      return pcmcia_register_driver(&ssb_host_pcmcia_driver);
++      pcmcia_init_failed = pcmcia_register_driver(&ssb_host_pcmcia_driver);
++
++      return pcmcia_init_failed;
+ }
+ void ssb_host_pcmcia_exit(void)
+ {
+-      pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
++      if (!pcmcia_init_failed)
++              pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
+ }
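Review bot: `static int pcmcia_init_failed;` stores the raw return value of pcmcia_register_driver() — zero or a negative errno — under a name that reads as a boolean, so the `if (!pcmcia_init_failed)` test in ssb_host_pcmcia_exit() is correct only because success is exactly 0; a comment on the declaration, e.g. `/* 0 if pcmcia_register_driver() succeeded, else its negative errno; exit must then skip the unregister */`, or a `static bool pcmcia_registered;` set from the result, would make the invariant explicit. The variable is written in init and read in exit with nothing serialising them in this hunk; that is acceptable as long as both are only reached from the module's init/exit paths (the existing comment says these are not module init/exit functions themselves, so the callers are outside this view), and noting that on the declaration would keep a future caller from relying on it elsewhere.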