From: Greg Kroah-Hartman Date: Wed, 28 Nov 2018 09:52:11 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.6~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21a0c5db1e2208be3f79fa59f20e6e8d862a3e9d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bfs-add-sanity-check-at-bfs_fill_super.patch gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch input-synaptics-avoid-using-uninitialized-variable-when-probing.patch llc-do-not-use-sk_eat_skb.patch mm-don-t-warn-about-large-allocations-for-slab.patch mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch tcp-do-not-release-socket-ownership-in-tcp_close.patch v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch --- diff --git a/queue-4.19/bfs-add-sanity-check-at-bfs_fill_super.patch b/queue-4.19/bfs-add-sanity-check-at-bfs_fill_super.patch new file mode 100644 index 00000000000..258112bfddf --- /dev/null +++ b/queue-4.19/bfs-add-sanity-check-at-bfs_fill_super.patch @@ -0,0 +1,57 @@ +From 9f2df09a33aa2c76ce6385d382693f98d7f2f07e Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 2 Nov 2018 15:48:42 -0700 +Subject: bfs: add sanity check at bfs_fill_super() + +From: Tetsuo Handa + +commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream. + +syzbot is reporting too large memory allocation at bfs_fill_super() [1]. +Since file system image is corrupted such that bfs_sb->s_start == 0, +bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix +this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and +printf(). + +[1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96 + +Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reviewed-by: Andrew Morton +Cc: Tigran Aivazian +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/bfs/inode.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/fs/bfs/inode.c ++++ b/fs/bfs/inode.c +@@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_b + + s->s_magic = BFS_MAGIC; + +- if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) { ++ if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) || ++ le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) { + printf("Superblock is corrupted\n"); + goto out1; + } +@@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_b + sizeof(struct bfs_inode) + + BFS_ROOT_INO - 1; + imap_len = (info->si_lasti / 8) + 1; +- info->si_imap = kzalloc(imap_len, GFP_KERNEL); +- if (!info->si_imap) ++ info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN); ++ if (!info->si_imap) { ++ printf("Cannot allocate %u bytes\n", imap_len); + goto out1; ++ } + for (i = 0; i < BFS_ROOT_INO; i++) + set_bit(i, info->si_imap); + diff --git a/queue-4.19/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch b/queue-4.19/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch new file mode 100644 index 00000000000..7537b49e5d0 --- /dev/null +++ b/queue-4.19/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch @@ -0,0 +1,40 @@ +From 4c62bd9cea7bcf10292f7e4c57a2bca332942697 Mon Sep 17 00:00:00 2001 +From: Andrew Price +Date: Mon, 8 Oct 2018 07:52:43 -0500 +Subject: gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd + +From: Andrew Price + +commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream. + +When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points +to the same address. Move the assignment after that error check so that +s_fs_info can only point to a valid sdp or NULL, which is checked for +later in the error path, in gfs2_kill_super(). + +Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com +Signed-off-by: Andrew Price +Signed-off-by: Bob Peterson +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/ops_fstype.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -72,13 +72,13 @@ static struct gfs2_sbd *init_sbd(struct + if (!sdp) + return NULL; + +- sb->s_fs_info = sdp; + sdp->sd_vfs = sb; + sdp->sd_lkstats = alloc_percpu(struct gfs2_pcpu_lkstats); + if (!sdp->sd_lkstats) { + kfree(sdp); + return NULL; + } ++ sb->s_fs_info = sdp; + + set_bit(SDF_NOJOURNALID, &sdp->sd_flags); + gfs2_tune_init(&sdp->sd_tune); diff --git a/queue-4.19/input-synaptics-avoid-using-uninitialized-variable-when-probing.patch b/queue-4.19/input-synaptics-avoid-using-uninitialized-variable-when-probing.patch new file mode 100644 index 00000000000..3b6f67c13a8 --- /dev/null +++ b/queue-4.19/input-synaptics-avoid-using-uninitialized-variable-when-probing.patch @@ -0,0 +1,37 @@ +From f39f8688888ae74fa8deae2d01289b69b4727394 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 16 Oct 2018 17:07:35 -0700 +Subject: Input: synaptics - avoid using uninitialized variable when probing + +From: Dmitry Torokhov + +commit f39f8688888ae74fa8deae2d01289b69b4727394 upstream. + +synaptics_detect() does not check whether sending commands to the +device succeeds and instead relies on getting unique data from the +device. Let's make sure we seed entire buffer with zeroes to make sure +we will not use garbage on stack that just happen to be 0x47. + +Reported-by: syzbot+13cb3b01d0784e4ffc3f@syzkaller.appspotmail.com +Reviewed-by: Benjamin Tissoires +Reviewed-by: Peter Hutterer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/synaptics.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -99,9 +99,7 @@ static int synaptics_mode_cmd(struct psm + int synaptics_detect(struct psmouse *psmouse, bool set_properties) + { + struct ps2dev *ps2dev = &psmouse->ps2dev; +- u8 param[4]; +- +- param[0] = 0; ++ u8 param[4] = { 0 }; + + ps2_command(ps2dev, param, PSMOUSE_CMD_SETRES); + ps2_command(ps2dev, param, PSMOUSE_CMD_SETRES); diff --git a/queue-4.19/llc-do-not-use-sk_eat_skb.patch b/queue-4.19/llc-do-not-use-sk_eat_skb.patch new file mode 100644 index 00000000000..d8468d1b377 --- /dev/null +++ b/queue-4.19/llc-do-not-use-sk_eat_skb.patch @@ -0,0 +1,164 @@ +From 604d415e2bd642b7e02c80e719e0396b9d4a77a6 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 22 Oct 2018 09:24:27 -0700 +Subject: llc: do not use sk_eat_skb() + +From: Eric Dumazet + +commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream. + +syzkaller triggered a use-after-free [1], caused by a combination of +skb_get() in llc_conn_state_process() and usage of sk_eat_skb() + +sk_eat_skb() is assuming the skb about to be freed is only used by +the current thread. TCP/DCCP stacks enforce this because current +thread holds the socket lock. + +llc_conn_state_process() wants to make sure skb does not disappear, +and holds a reference on the skb it manipulates. But as soon as this +skb is added to socket receive queue, another thread can consume it. + +This means that llc must use regular skb_unlink() and kfree_skb() +so that both producer and consumer can safely work on the same skb. + +[1] +BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] +BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline] +BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline] +BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655 +Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18 + +CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113 + print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272 + atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] + refcount_read include/linux/refcount.h:43 [inline] + skb_unref include/linux/skbuff.h:967 [inline] + kfree_skb+0xb7/0x580 net/core/skbuff.c:655 + llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224 + llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297 + llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438 + llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208 + __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 + process_backlog+0x218/0x6f0 net/core/dev.c:5829 + napi_poll net/core/dev.c:6249 [inline] + net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 + __do_softirq+0x30c/0xb03 kernel/softirq.c:292 + run_ksoftirqd+0x94/0x100 kernel/softirq.c:653 + smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164 + kthread+0x35a/0x420 kernel/kthread.c:246 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413 + +Allocated by task 18: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 + kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 + kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644 + __alloc_skb+0x119/0x770 net/core/skbuff.c:193 + alloc_skb include/linux/skbuff.h:995 [inline] + llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54 + llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline] + llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111 + llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220 + __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 + process_backlog+0x218/0x6f0 net/core/dev.c:5829 + napi_poll net/core/dev.c:6249 [inline] + net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 + __do_softirq+0x30c/0xb03 kernel/softirq.c:292 + +Freed by task 16383: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 + kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 + __cache_free mm/slab.c:3498 [inline] + kmem_cache_free+0x83/0x290 mm/slab.c:3756 + kfree_skbmem+0x154/0x230 net/core/skbuff.c:582 + __kfree_skb+0x1d/0x20 net/core/skbuff.c:642 + sk_eat_skb include/net/sock.h:2366 [inline] + llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882 + sock_recvmsg_nosec net/socket.c:794 [inline] + sock_recvmsg+0xd0/0x110 net/socket.c:801 + ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278 + __sys_recvmmsg+0x303/0xb90 net/socket.c:2390 + do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466 + __do_sys_recvmmsg net/socket.c:2484 [inline] + __se_sys_recvmmsg net/socket.c:2480 [inline] + __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8801d1f6fac0 + which belongs to the cache skbuff_head_cache of size 232 +The buggy address is located 228 bytes inside of + 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8) +The buggy address belongs to the page: +page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80 +flags: 0x2fffc0000000100(slab) +raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680 +raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/llc/af_llc.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -730,7 +730,6 @@ static int llc_ui_recvmsg(struct socket + struct sk_buff *skb = NULL; + struct sock *sk = sock->sk; + struct llc_sock *llc = llc_sk(sk); +- unsigned long cpu_flags; + size_t copied = 0; + u32 peek_seq = 0; + u32 *seq, skb_len; +@@ -855,9 +854,8 @@ static int llc_ui_recvmsg(struct socket + goto copy_uaddr; + + if (!(flags & MSG_PEEK)) { +- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); +- sk_eat_skb(sk, skb); +- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); ++ skb_unlink(skb, &sk->sk_receive_queue); ++ kfree_skb(skb); + *seq = 0; + } + +@@ -878,9 +876,8 @@ copy_uaddr: + llc_cmsg_rcv(msg, skb); + + if (!(flags & MSG_PEEK)) { +- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); +- sk_eat_skb(sk, skb); +- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); ++ skb_unlink(skb, &sk->sk_receive_queue); ++ kfree_skb(skb); + *seq = 0; + } + diff --git a/queue-4.19/mm-don-t-warn-about-large-allocations-for-slab.patch b/queue-4.19/mm-don-t-warn-about-large-allocations-for-slab.patch new file mode 100644 index 00000000000..ef8289e49fd --- /dev/null +++ b/queue-4.19/mm-don-t-warn-about-large-allocations-for-slab.patch @@ -0,0 +1,107 @@ +From 61448479a9f2c954cde0cfe778cb6bec5d0a748d Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov +Date: Fri, 26 Oct 2018 15:03:12 -0700 +Subject: mm: don't warn about large allocations for slab + +From: Dmitry Vyukov + +commit 61448479a9f2c954cde0cfe778cb6bec5d0a748d upstream. + +Slub does not call kmalloc_slab() for sizes > KMALLOC_MAX_CACHE_SIZE, +instead it falls back to kmalloc_large(). + +For slab KMALLOC_MAX_CACHE_SIZE == KMALLOC_MAX_SIZE and it calls +kmalloc_slab() for all allocations relying on NULL return value for +over-sized allocations. + +This inconsistency leads to unwanted warnings from kmalloc_slab() for +over-sized allocations for slab. Returning NULL for failed allocations is +the expected behavior. + +Make slub and slab code consistent by checking size > +KMALLOC_MAX_CACHE_SIZE in slab before calling kmalloc_slab(). + +While we are here also fix the check in kmalloc_slab(). We should check +against KMALLOC_MAX_CACHE_SIZE rather than KMALLOC_MAX_SIZE. It all kinda +worked because for slab the constants are the same, and slub always checks +the size against KMALLOC_MAX_CACHE_SIZE before kmalloc_slab(). But if we +get there with size > KMALLOC_MAX_CACHE_SIZE anyhow bad things will +happen. For example, in case of a newly introduced bug in slub code. + +Also move the check in kmalloc_slab() from function entry to the size > +192 case. This partially compensates for the additional check in slab +code and makes slub code a bit faster (at least theoretically). + +Also drop __GFP_NOWARN in the warning check. This warning means a bug in +slab code itself, user-passed flags have nothing to do with it. + +Nothing of this affects slob. + +Link: http://lkml.kernel.org/r/20180927171502.226522-1-dvyukov@gmail.com +Signed-off-by: Dmitry Vyukov +Reported-by: syzbot+87829a10073277282ad1@syzkaller.appspotmail.com +Reported-by: syzbot+ef4e8fc3a06e9019bb40@syzkaller.appspotmail.com +Reported-by: syzbot+6e438f4036df52cbb863@syzkaller.appspotmail.com +Reported-by: syzbot+8574471d8734457d98aa@syzkaller.appspotmail.com +Reported-by: syzbot+af1504df0807a083dbd9@syzkaller.appspotmail.com +Acked-by: Christoph Lameter +Acked-by: Vlastimil Babka +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab.c | 4 ++++ + mm/slab_common.c | 12 ++++++------ + 2 files changed, 10 insertions(+), 6 deletions(-) + +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -3675,6 +3675,8 @@ __do_kmalloc_node(size_t size, gfp_t fla + struct kmem_cache *cachep; + void *ret; + ++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) ++ return NULL; + cachep = kmalloc_slab(size, flags); + if (unlikely(ZERO_OR_NULL_PTR(cachep))) + return cachep; +@@ -3710,6 +3712,8 @@ static __always_inline void *__do_kmallo + struct kmem_cache *cachep; + void *ret; + ++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) ++ return NULL; + cachep = kmalloc_slab(size, flags); + if (unlikely(ZERO_OR_NULL_PTR(cachep))) + return cachep; +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -1027,18 +1027,18 @@ struct kmem_cache *kmalloc_slab(size_t s + { + unsigned int index; + +- if (unlikely(size > KMALLOC_MAX_SIZE)) { +- WARN_ON_ONCE(!(flags & __GFP_NOWARN)); +- return NULL; +- } +- + if (size <= 192) { + if (!size) + return ZERO_SIZE_PTR; + + index = size_index[size_index_elem(size)]; +- } else ++ } else { ++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) { ++ WARN_ON(1); ++ return NULL; ++ } + index = fls(size - 1); ++ } + + #ifdef CONFIG_ZONE_DMA + if (unlikely((flags & GFP_DMA))) diff --git a/queue-4.19/mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch b/queue-4.19/mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch new file mode 100644 index 00000000000..4b22df7a435 --- /dev/null +++ b/queue-4.19/mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch @@ -0,0 +1,84 @@ +From ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Fri, 26 Oct 2018 15:09:01 -0700 +Subject: mm/memory.c: recheck page table entry with page table lock held + +From: Aneesh Kumar K.V + +commit ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 upstream. + +We clear the pte temporarily during read/modify/write update of the pte. +If we take a page fault while the pte is cleared, the application can get +SIGBUS. One such case is with remap_pfn_range without a backing +vm_ops->fault callback. do_fault will return SIGBUS in that case. + +cpu 0 cpu1 +mprotect() +ptep_modify_prot_start()/pte cleared. +. +. page fault. +. +. +prep_modify_prot_commit() + +Fix this by taking page table lock and rechecking for pte_none. + +[aneesh.kumar@linux.ibm.com: fix crash observed with syzkaller run] + Link: http://lkml.kernel.org/r/87va6bwlfg.fsf@linux.ibm.com +Link: http://lkml.kernel.org/r/20180926031858.9692-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Aneesh Kumar K.V +Acked-by: Kirill A. Shutemov +Cc: Willem de Bruijn +Cc: Eric Dumazet +Cc: Ido Schimmel +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3745,10 +3745,36 @@ static vm_fault_t do_fault(struct vm_fau + struct vm_area_struct *vma = vmf->vma; + vm_fault_t ret; + +- /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ +- if (!vma->vm_ops->fault) +- ret = VM_FAULT_SIGBUS; +- else if (!(vmf->flags & FAULT_FLAG_WRITE)) ++ /* ++ * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND ++ */ ++ if (!vma->vm_ops->fault) { ++ /* ++ * If we find a migration pmd entry or a none pmd entry, which ++ * should never happen, return SIGBUS ++ */ ++ if (unlikely(!pmd_present(*vmf->pmd))) ++ ret = VM_FAULT_SIGBUS; ++ else { ++ vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm, ++ vmf->pmd, ++ vmf->address, ++ &vmf->ptl); ++ /* ++ * Make sure this is not a temporary clearing of pte ++ * by holding ptl and checking again. A R/M/W update ++ * of pte involves: take ptl, clearing the pte so that ++ * we don't have concurrent modification by hardware ++ * followed by an update. ++ */ ++ if (unlikely(pte_none(*vmf->pte))) ++ ret = VM_FAULT_SIGBUS; ++ else ++ ret = VM_FAULT_NOPAGE; ++ ++ pte_unmap_unlock(vmf->pte, vmf->ptl); ++ } ++ } else if (!(vmf->flags & FAULT_FLAG_WRITE)) + ret = do_read_fault(vmf); + else if (!(vma->vm_flags & VM_SHARED)) + ret = do_cow_fault(vmf); diff --git a/queue-4.19/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch b/queue-4.19/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch new file mode 100644 index 00000000000..30b31f8178b --- /dev/null +++ b/queue-4.19/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch @@ -0,0 +1,59 @@ +From df132eff463873e14e019a07f387b4d577d6d1f9 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Mon, 29 Oct 2018 23:10:29 +0800 +Subject: sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer + +From: Xin Long + +commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream. + +If a transport is removed by asconf but there still are some chunks with +this transport queuing on out_chunk_list, later an use-after-free issue +will be caused when accessing this transport from these chunks in +sctp_outq_flush(). + +This is an old bug, we fix it by clearing the transport of these chunks +in out_chunk_list when removing a transport in sctp_assoc_rm_peer(). + +Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/associola.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -499,8 +499,9 @@ void sctp_assoc_set_primary(struct sctp_ + void sctp_assoc_rm_peer(struct sctp_association *asoc, + struct sctp_transport *peer) + { +- struct list_head *pos; +- struct sctp_transport *transport; ++ struct sctp_transport *transport; ++ struct list_head *pos; ++ struct sctp_chunk *ch; + + pr_debug("%s: association:%p addr:%pISpc\n", + __func__, asoc, &peer->ipaddr.sa); +@@ -564,7 +565,6 @@ void sctp_assoc_rm_peer(struct sctp_asso + */ + if (!list_empty(&peer->transmitted)) { + struct sctp_transport *active = asoc->peer.active_path; +- struct sctp_chunk *ch; + + /* Reset the transport of each chunk on this list */ + list_for_each_entry(ch, &peer->transmitted, +@@ -586,6 +586,10 @@ void sctp_assoc_rm_peer(struct sctp_asso + sctp_transport_hold(active); + } + ++ list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list) ++ if (ch->transport == peer) ++ ch->transport = NULL; ++ + asoc->peer.transport_count--; + + sctp_transport_free(peer); diff --git a/queue-4.19/selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch b/queue-4.19/selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch new file mode 100644 index 00000000000..cff0b106b3c --- /dev/null +++ b/queue-4.19/selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch @@ -0,0 +1,35 @@ +From 4458bba09788e70e8fb39ad003f087cd9dfbd6ac Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 8 Sep 2018 01:42:58 +0900 +Subject: selinux: Add __GFP_NOWARN to allocation at str_read() + +From: Tetsuo Handa + +commit 4458bba09788e70e8fb39ad003f087cd9dfbd6ac upstream. + +syzbot is hitting warning at str_read() [1] because len parameter can +become larger than KMALLOC_MAX_SIZE. We don't need to emit warning for +this case. + +[1] https://syzkaller.appspot.com/bug?id=7f2f5aad79ea8663c296a2eedb81978401a908f0 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/policydb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/ss/policydb.c ++++ b/security/selinux/ss/policydb.c +@@ -1101,7 +1101,7 @@ static int str_read(char **strp, gfp_t f + if ((len == 0) || (len == (u32)-1)) + return -EINVAL; + +- str = kmalloc(len + 1, flags); ++ str = kmalloc(len + 1, flags | __GFP_NOWARN); + if (!str) + return -ENOMEM; + diff --git a/queue-4.19/series b/queue-4.19/series index 166869482f6..c07bfac765f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -27,3 +27,13 @@ brcmfmac-fix-reporting-support-for-160-mhz-channels.patch opp-ti-opp-supply-dynamically-update-u_volt_min.patch opp-ti-opp-supply-correct-the-supply-in-_get_optimal_vdd_voltage-call.patch tools-power-cpupower-fix-compilation-with-static-true.patch +v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch +selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch +input-synaptics-avoid-using-uninitialized-variable-when-probing.patch +bfs-add-sanity-check-at-bfs_fill_super.patch +sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch +gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch +llc-do-not-use-sk_eat_skb.patch +mm-don-t-warn-about-large-allocations-for-slab.patch +mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch +tcp-do-not-release-socket-ownership-in-tcp_close.patch diff --git a/queue-4.19/tcp-do-not-release-socket-ownership-in-tcp_close.patch b/queue-4.19/tcp-do-not-release-socket-ownership-in-tcp_close.patch new file mode 100644 index 00000000000..13ef1941080 --- /dev/null +++ b/queue-4.19/tcp-do-not-release-socket-ownership-in-tcp_close.patch @@ -0,0 +1,81 @@ +From 8873c064d1de579ea23412a6d3eee972593f142b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 1 Oct 2018 23:24:26 -0700 +Subject: tcp: do not release socket ownership in tcp_close() + +From: Eric Dumazet + +commit 8873c064d1de579ea23412a6d3eee972593f142b upstream. + +syzkaller was able to hit the WARN_ON(sock_owned_by_user(sk)); +in tcp_close() + +While a socket is being closed, it is very possible other +threads find it in rtnetlink dump. + +tcp_get_info() will acquire the socket lock for a short amount +of time (slow = lock_sock_fast(sk)/unlock_sock_fast(sk, slow);), +enough to trigger the warning. + +Fixes: 67db3e4bfbc9 ("tcp: no longer hold ehash lock while calling tcp_get_info()") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/sock.h | 1 + + net/core/sock.c | 2 +- + net/ipv4/tcp.c | 11 +++-------- + 3 files changed, 5 insertions(+), 9 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1491,6 +1491,7 @@ static inline void lock_sock(struct sock + lock_sock_nested(sk, 0); + } + ++void __release_sock(struct sock *sk); + void release_sock(struct sock *sk); + + /* BH context may only use the following locking interface. */ +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2317,7 +2317,7 @@ static void __lock_sock(struct sock *sk) + finish_wait(&sk->sk_lock.wq, &wait); + } + +-static void __release_sock(struct sock *sk) ++void __release_sock(struct sock *sk) + __releases(&sk->sk_lock.slock) + __acquires(&sk->sk_lock.slock) + { +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2403,16 +2403,10 @@ adjudge_to_death: + sock_hold(sk); + sock_orphan(sk); + +- /* It is the last release_sock in its life. It will remove backlog. */ +- release_sock(sk); +- +- +- /* Now socket is owned by kernel and we acquire BH lock +- * to finish close. No need to check for user refs. +- */ + local_bh_disable(); + bh_lock_sock(sk); +- WARN_ON(sock_owned_by_user(sk)); ++ /* remove backlog if any, without releasing ownership. */ ++ __release_sock(sk); + + percpu_counter_inc(sk->sk_prot->orphan_count); + +@@ -2481,6 +2475,7 @@ adjudge_to_death: + out: + bh_unlock_sock(sk); + local_bh_enable(); ++ release_sock(sk); + sock_put(sk); + } + EXPORT_SYMBOL(tcp_close); diff --git a/queue-4.19/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch b/queue-4.19/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch new file mode 100644 index 00000000000..8dc371cfd40 --- /dev/null +++ b/queue-4.19/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch @@ -0,0 +1,56 @@ +From 81c99089bce693b94b775b6eb888115d2d540086 Mon Sep 17 00:00:00 2001 +From: Dominique Martinet +Date: Mon, 27 Aug 2018 15:12:05 +0900 +Subject: v9fs_dir_readdir: fix double-free on p9stat_read error + +From: Dominique Martinet + +commit 81c99089bce693b94b775b6eb888115d2d540086 upstream. + +p9stat_read will call p9stat_free on error, we should only free the +struct content on success. + +There also is no need to "p9stat_init" st as the read function will +zero the whole struct for us anyway, so clean up the code a bit while +we are here. + +Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org +Signed-off-by: Dominique Martinet +Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/vfs_dir.c | 11 ----------- + 1 file changed, 11 deletions(-) + +--- a/fs/9p/vfs_dir.c ++++ b/fs/9p/vfs_dir.c +@@ -76,15 +76,6 @@ static inline int dt_type(struct p9_wsta + return rettype; + } + +-static void p9stat_init(struct p9_wstat *stbuf) +-{ +- stbuf->name = NULL; +- stbuf->uid = NULL; +- stbuf->gid = NULL; +- stbuf->muid = NULL; +- stbuf->extension = NULL; +-} +- + /** + * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir + * @filp: opened file structure +@@ -145,12 +136,10 @@ static int v9fs_dir_readdir(struct file + rdir->tail = n; + } + while (rdir->head < rdir->tail) { +- p9stat_init(&st); + err = p9stat_read(fid->clnt, rdir->buf + rdir->head, + rdir->tail - rdir->head, &st); + if (err) { + p9_debug(P9_DEBUG_VFS, "returned %d\n", err); +- p9stat_free(&st); + return -EIO; + } + reclen = st.size+2;