From: Greg Kroah-Hartman
Date: Mon, 6 Jan 2020 20:10:03 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.14.163~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e6371a67aedca216511ec702d33f8e3c34981f4;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch
apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch
exit-panic-before-exit_mm-on-global-init-exit.patch
gen_initramfs_list.sh-fix-bad-variable-name-error.patch
io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch
mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch
scsi-lpfc-fix-rpi-release-when-deleting-vport.patch
---
diff --git a/queue-5.4/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch b/queue-5.4/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
new file mode 100644
index 00000000000..4c16f838c75
--- /dev/null
+++ b/queue-5.4/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
@@ -0,0 +1,37 @@
+From d60229d84846a8399257006af9c5444599f64361 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 22 Nov 2019 13:13:54 +0000
+Subject: ALSA: cs4236: fix error return comparison of an unsigned integer
+
+From: Colin Ian King
+
+commit d60229d84846a8399257006af9c5444599f64361 upstream.
+
+The return from pnp_irq is an unsigned integer type resource_size_t
+and hence the error check for a positive non-error code is always
+going to be true. A check for a non-failure return from pnp_irq
+should in fact be for (resource_size_t)-1 rather than >= 0.
+
+Addresses-Coverity: ("Unsigned compared against 0")
+Fixes: a9824c868a2c ("[ALSA] Add CS4232 PnP BIOS support")
+Signed-off-by: Colin Ian King
+Link: https://lore.kernel.org/r/20191122131354.58042-1-colin.king@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/isa/cs423x/cs4236.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/isa/cs423x/cs4236.c
++++ b/sound/isa/cs423x/cs4236.c
+@@ -278,7 +278,8 @@ static int snd_cs423x_pnp_init_mpu(int d
+ } else {
+ mpu_port[dev] = pnp_port_start(pdev, 0);
+ if (mpu_irq[dev] >= 0 &&
+- pnp_irq_valid(pdev, 0) && pnp_irq(pdev, 0) >= 0) {
++ pnp_irq_valid(pdev, 0) &&
++ pnp_irq(pdev, 0) != (resource_size_t)-1) {
+ mpu_irq[dev] = pnp_irq(pdev, 0);
+ } else {
+ mpu_irq[dev] = -1; /* disable interrupt */
diff --git a/queue-5.4/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch b/queue-5.4/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
new file mode 100644
index 00000000000..b73dabf6285
--- /dev/null
+++ b/queue-5.4/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
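Review bot: The corrected comparison in `snd_cs423x_pnp_init_mpu()` deserves a comment, because the sentinel `(resource_size_t)-1` is not self-explanatory and the old `>= 0` form is exactly what a later reader is likely to "simplify" it back to; something like `/* pnp_irq() returns (resource_size_t)-1 on failure; the type is unsigned, so a >= 0 test was always true */` above the `if` would pin the reasoning given in the commit message. As a minor point of style, `pnp_irq(pdev, 0)` is still evaluated twice, once in the condition and again in the assignment on the following line, so a local holding the value would keep the check and the stored value in step (keeping the call after `pnp_irq_valid()` as it is now). The enclosing function starts and ends outside the hunk.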
@@ -0,0 +1,32 @@
+From 0929249e3be3bb82ee6cfec0025f4dde952210b3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 30 Oct 2019 11:09:21 +0100
+Subject: ALSA: firewire-motu: Correct a typo in the clock proc string
+
+From: Takashi Iwai
+
+commit 0929249e3be3bb82ee6cfec0025f4dde952210b3 upstream.
+
+Just fix a typo of "S/PDIF" in the clock name string.
+
+Fixes: 4638ec6ede08 ("ALSA: firewire-motu: add proc node to show current statuc of clock and packet formats")
+Acked-by: Takashi Sakamoto
+Link: https://lore.kernel.org/r/20191030100921.3826-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/firewire/motu/motu-proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/motu/motu-proc.c
++++ b/sound/firewire/motu/motu-proc.c
+@@ -16,7 +16,7 @@ static const char *const clock_names[] =
+ [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT] = "S/PDIF on optical interface",
+ [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT_A] = "S/PDIF on optical interface A",
+ [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT_B] = "S/PDIF on optical interface B",
+- [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_COAX] = "S/PCIF on coaxial interface",
++ [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_COAX] = "S/PDIF on coaxial interface",
+ [SND_MOTU_CLOCK_SOURCE_AESEBU_ON_XLR] = "AESEBU on XLR interface",
+ [SND_MOTU_CLOCK_SOURCE_WORD_ON_BNC] = "Word clock on BNC interface",
+ };
diff --git a/queue-5.4/alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch b/queue-5.4/alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch
new file mode 100644
index 00000000000..38bea1ee984
--- /dev/null
+++ b/queue-5.4/alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch
@@ -0,0 +1,38 @@
+From 2406ff9b86aa1b77fe1a6d15f37195ac1fdb2a14 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 8 Nov 2019 17:56:26 +0100
+Subject: ALSA: pcm: Yet another missing check of non-cached buffer type
+
+From: Takashi Iwai
+
+commit 2406ff9b86aa1b77fe1a6d15f37195ac1fdb2a14 upstream.
+
+For non-x86 architectures, SNDRV_DMA_TYPE_DEV_UC should be treated
+equivalent with SNDRV_DMA_TYPE_DEV, where the default mmap handler
+still checks only about SNDRV_DMA_TYPE_DEV. Make the check more
+proper.
+
+Note that all existing users of *_UC buffer types are x86-only, so
+this doesn't fix any bug, but just for consistency.
+
+Fixes: 42e748a0b325 ("ALSA: memalloc: Add non-cached buffer type")
+Link: https://lore.kernel.org/r/20191108165626.5947-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm_native.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -3408,7 +3408,8 @@ int snd_pcm_lib_default_mmap(struct snd_
+ #endif /* CONFIG_GENERIC_ALLOCATOR */
+ #ifndef CONFIG_X86 /* for avoiding warnings arch/x86/mm/pat.c */
+ if (IS_ENABLED(CONFIG_HAS_DMA) && !substream->ops->page &&
+- substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV)
++ (substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV ||
++ substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV_UC))
+ return dma_mmap_coherent(substream->dma_buffer.dev.dev,
+ area,
+ substream->runtime->dma_area,
diff --git a/queue-5.4/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch b/queue-5.4/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
new file mode 100644
index 00000000000..8595e6fa073
--- /dev/null
+++ b/queue-5.4/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
@@ -0,0 +1,207 @@ +From 8c62ed27a12c00e3db1c9f04bc0f272bdbb06734 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Thu, 2 Jan 2020 05:31:22 -0800 +Subject: apparmor: fix aa_xattrs_match() may sleep while holding a RCU lock + +From: John Johansen + +commit 8c62ed27a12c00e3db1c9f04bc0f272bdbb06734 upstream. + +aa_xattrs_match() is unfortunately calling vfs_getxattr_alloc() from a +context protected by an rcu_read_lock. This can not be done as +vfs_getxattr_alloc() may sleep regardles of the gfp_t value being +passed to it. + +Fix this by breaking the rcu_read_lock on the policy search when the +xattr match feature is requested and restarting the search if a policy +changes occur. + +Fixes: 8e51f9087f40 ("apparmor: Add support for attaching profiles via xattr, presence and value") +Reported-by: Jia-Ju Bai +Reported-by: Al Viro +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/apparmorfs.c | 2 - + security/apparmor/domain.c | 80 +++++++++++++++++++++-------------------- + security/apparmor/policy.c | 4 +- + 3 files changed, 45 insertions(+), 41 deletions(-) + +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -593,7 +593,7 @@ static __poll_t ns_revision_poll(struct + + void __aa_bump_ns_revision(struct aa_ns *ns) + { +- ns->revision++; ++ WRITE_ONCE(ns->revision, ns->revision + 1); + wake_up_interruptible(&ns->wait); + } + +--- a/security/apparmor/domain.c ++++ b/security/apparmor/domain.c +@@ -317,6 +317,7 @@ static int aa_xattrs_match(const struct + + if (!bprm || !profile->xattr_count) + return 0; ++ might_sleep(); + + /* transition from exec match to xattr set */ + state = aa_dfa_null_transition(profile->xmatch, state); +@@ -361,10 +362,11 @@ out: + } + + /** +- * __attach_match_ - find an attachment match ++ * find_attach - do attachment search for unconfined processes + * @bprm - binprm structure of transitioning task +- * @name - to match against (NOT NULL) ++ * @ns: the current namespace 
(NOT NULL) + * @head - profile list to walk (NOT NULL) ++ * @name - to match against (NOT NULL) + * @info - info message if there was an error (NOT NULL) + * + * Do a linear search on the profiles in the list. There is a matching +@@ -374,12 +376,11 @@ out: + * + * Requires: @head not be shared or have appropriate locks held + * +- * Returns: profile or NULL if no match found ++ * Returns: label or NULL if no match found + */ +-static struct aa_profile *__attach_match(const struct linux_binprm *bprm, +- const char *name, +- struct list_head *head, +- const char **info) ++static struct aa_label *find_attach(const struct linux_binprm *bprm, ++ struct aa_ns *ns, struct list_head *head, ++ const char *name, const char **info) + { + int candidate_len = 0, candidate_xattrs = 0; + bool conflict = false; +@@ -388,6 +389,8 @@ static struct aa_profile *__attach_match + AA_BUG(!name); + AA_BUG(!head); + ++ rcu_read_lock(); ++restart: + list_for_each_entry_rcu(profile, head, base.list) { + if (profile->label.flags & FLAG_NULL && + &profile->label == ns_unconfined(profile->ns)) +@@ -413,16 +416,32 @@ static struct aa_profile *__attach_match + perm = dfa_user_allow(profile->xmatch, state); + /* any accepting state means a valid match. 
*/ + if (perm & MAY_EXEC) { +- int ret; ++ int ret = 0; + + if (count < candidate_len) + continue; + +- ret = aa_xattrs_match(bprm, profile, state); +- /* Fail matching if the xattrs don't match */ +- if (ret < 0) +- continue; ++ if (bprm && profile->xattr_count) { ++ long rev = READ_ONCE(ns->revision); + ++ if (!aa_get_profile_not0(profile)) ++ goto restart; ++ rcu_read_unlock(); ++ ret = aa_xattrs_match(bprm, profile, ++ state); ++ rcu_read_lock(); ++ aa_put_profile(profile); ++ if (rev != ++ READ_ONCE(ns->revision)) ++ /* policy changed */ ++ goto restart; ++ /* ++ * Fail matching if the xattrs don't ++ * match ++ */ ++ if (ret < 0) ++ continue; ++ } + /* + * TODO: allow for more flexible best match + * +@@ -445,43 +464,28 @@ static struct aa_profile *__attach_match + candidate_xattrs = ret; + conflict = false; + } +- } else if (!strcmp(profile->base.name, name)) ++ } else if (!strcmp(profile->base.name, name)) { + /* + * old exact non-re match, without conditionals such + * as xattrs. 
no more searching required + */ +- return profile; ++ candidate = profile; ++ goto out; ++ } + } + +- if (conflict) { +- *info = "conflicting profile attachments"; ++ if (!candidate || conflict) { ++ if (conflict) ++ *info = "conflicting profile attachments"; ++ rcu_read_unlock(); + return NULL; + } + +- return candidate; +-} +- +-/** +- * find_attach - do attachment search for unconfined processes +- * @bprm - binprm structure of transitioning task +- * @ns: the current namespace (NOT NULL) +- * @list: list to search (NOT NULL) +- * @name: the executable name to match against (NOT NULL) +- * @info: info message if there was an error +- * +- * Returns: label or NULL if no match found +- */ +-static struct aa_label *find_attach(const struct linux_binprm *bprm, +- struct aa_ns *ns, struct list_head *list, +- const char *name, const char **info) +-{ +- struct aa_profile *profile; +- +- rcu_read_lock(); +- profile = aa_get_profile(__attach_match(bprm, name, list, info)); ++out: ++ candidate = aa_get_newest_profile(candidate); + rcu_read_unlock(); + +- return profile ? &profile->label : NULL; ++ return &candidate->label; + } + + static const char *next_name(int xtype, const char *name) +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -1124,8 +1124,8 @@ ssize_t aa_remove_profiles(struct aa_ns + if (!name) { + /* remove namespace - can only happen if fqname[0] == ':' */ + mutex_lock_nested(&ns->parent->lock, ns->level); +- __aa_remove_ns(ns); + __aa_bump_ns_revision(ns); ++ __aa_remove_ns(ns); + mutex_unlock(&ns->parent->lock); + } else { + /* remove profile */ +@@ -1137,9 +1137,9 @@ ssize_t aa_remove_profiles(struct aa_ns + goto fail_ns_lock; + } + name = profile->base.hname; ++ __aa_bump_ns_revision(ns); + __remove_profile(profile); + __aa_labelset_update_subtree(ns); +- __aa_bump_ns_revision(ns); + mutex_unlock(&ns->lock); + } + 
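Review bot: `goto restart` in the new `find_attach()` re-enters the list walk without resetting the search state — `candidate_len`, `candidate_xattrs` and `conflict` (initialised at the top of the function, visible in the earlier hunk) and `candidate` (declared in the gap between the hunks) — so a best match picked in a pass that was abandoned because `ns->revision` moved carries over into the next pass: `if (count < candidate_len) continue;` can then skip profiles that are valid in the new policy, and `conflict` can remain set from a profile that is no longer on the list. That stale `candidate` is also a bare RCU pointer that was not reference-counted across the `rcu_read_unlock()` window, so if the policy change that triggered the restart removed that very profile, the `aa_get_newest_profile(candidate)` at `out:` is handed a profile the walk no longer holds; whether profile memory can be released within that window depends on how the revision bump in policy.c is ordered against the free, which I cannot confirm from here. Resetting the state at the retry keeps each pass self-contained, e.g. before each `goto restart`: `candidate = NULL; candidate_len = candidate_xattrs = 0;` and `conflict = false;`. A short comment on `restart:` saying that every pass starts from a clean candidate would also help the next reader. The same point applies to both `goto restart` sites in this hunk.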
diff --git a/queue-5.4/dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch b/queue-5.4/dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch
new file mode 100644
index 00000000000..ab7a2873084
--- /dev/null
+++ b/queue-5.4/dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch
@@ -0,0 +1,38 @@
+From 24461d9792c2c706092805ff1b067628933441bd Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi
+Date: Fri, 20 Dec 2019 15:11:00 +0200
+Subject: dmaengine: virt-dma: Fix access after free in vchan_complete()
+
+From: Peter Ujfalusi
+
+commit 24461d9792c2c706092805ff1b067628933441bd upstream.
+
+vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
+via already freed up memory.
+
+Move the vchan_vdesc_fini() after invoking the callback to avoid this.
+
+Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma descriptor")
+Signed-off-by: Peter Ujfalusi
+Reviewed-by: Alexandru Ardelean
+Link: https://lore.kernel.org/r/20191220131100.21804-1-peter.ujfalusi@ti.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dma/virt-dma.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/dma/virt-dma.c
++++ b/drivers/dma/virt-dma.c
+@@ -104,9 +104,8 @@ static void vchan_complete(unsigned long
+ dmaengine_desc_get_callback(&vd->tx, &cb);
+
+ list_del(&vd->node);
+- vchan_vdesc_fini(vd);
+-
+ dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
++ vchan_vdesc_fini(vd);
+ }
+ }
+
diff --git a/queue-5.4/exit-panic-before-exit_mm-on-global-init-exit.patch b/queue-5.4/exit-panic-before-exit_mm-on-global-init-exit.patch
new file mode 100644
index 00000000000..201df66c1a6
--- /dev/null
+++ b/queue-5.4/exit-panic-before-exit_mm-on-global-init-exit.patch
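Review bot: The new ordering in `vchan_complete()` is load-bearing but nothing in the code says so; the only record of why `vchan_vdesc_fini(vd)` must come after `dmaengine_desc_callback_invoke()` is the commit message, and the original bug shows how easily the two lines get swapped. A one-line comment above the moved call would pin the constraint: `/* the callback reads vd->tx_result, so vd may only be released after it has run */`. The enclosing loop and the function itself start outside the hunk.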
@@ -0,0 +1,62 @@ +From 43cf75d96409a20ef06b756877a2e72b10a026fc Mon Sep 17 00:00:00 2001 +From: chenqiwu +Date: Thu, 19 Dec 2019 14:29:53 +0800 +Subject: exit: panic before exit_mm() on global init exit + +From: chenqiwu + +commit 43cf75d96409a20ef06b756877a2e72b10a026fc upstream. + +Currently, when global init and all threads in its thread-group have exited +we panic via: +do_exit() +-> exit_notify() + -> forget_original_parent() + -> find_child_reaper() +This makes it hard to extract a useable coredump for global init from a +kernel crashdump because by the time we panic exit_mm() will have already +released global init's mm. +This patch moves the panic futher up before exit_mm() is called. As was the +case previously, we only panic when global init and all its threads in the +thread-group have exited. + +Signed-off-by: chenqiwu +Acked-by: Christian Brauner +Acked-by: Oleg Nesterov +[christian.brauner@ubuntu.com: fix typo, rewrite commit message] +Link: https://lore.kernel.org/r/1576736993-10121-1-git-send-email-qiwuchen55@gmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/exit.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -517,10 +517,6 @@ static struct task_struct *find_child_re + } + + write_unlock_irq(&tasklist_lock); +- if (unlikely(pid_ns == &init_pid_ns)) { +- panic("Attempted to kill init! exitcode=0x%08x\n", +- father->signal->group_exit_code ?: father->exit_code); +- } + + list_for_each_entry_safe(p, n, dead, ptrace_entry) { + list_del_init(&p->ptrace_entry); +@@ -766,6 +762,14 @@ void __noreturn do_exit(long code) + acct_update_integrals(tsk); + group_dead = atomic_dec_and_test(&tsk->signal->live); + if (group_dead) { ++ /* ++ * If the last thread of global init has exited, panic ++ * immediately to get a useable coredump. ++ */ ++ if (unlikely(is_global_init(tsk))) ++ panic("Attempted to kill init! 
exitcode=0x%08x\n", ++ tsk->signal->group_exit_code ?: (int)code); ++ + #ifdef CONFIG_POSIX_TIMERS + hrtimer_cancel(&tsk->signal->real_timer); + exit_itimers(tsk->signal); diff --git a/queue-5.4/gen_initramfs_list.sh-fix-bad-variable-name-error.patch b/queue-5.4/gen_initramfs_list.sh-fix-bad-variable-name-error.patch new file mode 100644 index 00000000000..01d1ed68318 --- /dev/null +++ b/queue-5.4/gen_initramfs_list.sh-fix-bad-variable-name-error.patch 
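Review bot: The relocated `panic()` in `do_exit()` reports `tsk->signal->group_exit_code ?: (int)code`, i.e. the function argument rather than `tsk->exit_code`, while the check it replaces in `find_child_reaper()` used `father->exit_code`; presumably `tsk->exit_code` has not been assigned yet at this earlier point in `do_exit()`, but that is not visible in the hunk and the next reader may "normalise" it back. Extending the new comment with one sentence would settle it, e.g. `* Use the raw exit code: tsk->exit_code is not set until later in do_exit().` (confirm that ordering against the rest of the function). The `(int)` cast also silently narrows `long code`, which matches the `%08x` format but is worth a word in the same comment. `do_exit()` continues well past the hunk.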
@@ -0,0 +1,48 @@
+From cc976614f59bd8e45de8ce988a6bcb5de711d994 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada
+Date: Mon, 30 Dec 2019 22:20:06 +0900
+Subject: gen_initramfs_list.sh: fix 'bad variable name' error
+
+From: Masahiro Yamada
+
+commit cc976614f59bd8e45de8ce988a6bcb5de711d994 upstream.
+
+Prior to commit 858805b336be ("kbuild: add $(BASH) to run scripts with
+bash-extension"), this shell script was almost always run by bash since
+bash is usually installed on the system by default.
+
+Now, this script is run by sh, which might be a symlink to dash. On such
+distributions, the following code emits an error:
+
+ local dev=`LC_ALL=C ls -l "${location}"`
+
+You can reproduce the build error, for example by setting
+CONFIG_INITRAMFS_SOURCE="/dev".
+
+ GEN usr/initramfs_data.cpio.gz
+ ./usr/gen_initramfs_list.sh: 131: local: 1: bad variable name
+ make[1]: *** [usr/Makefile:61: usr/initramfs_data.cpio.gz] Error 2
+
+This is because `LC_ALL=C ls -l "${location}"` contains spaces.
+Surrounding it with double-quotes fixes the error.
+
+Fixes: 858805b336be ("kbuild: add $(BASH) to run scripts with bash-extension")
+Reported-by: Jory A. Pratt
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ usr/gen_initramfs_list.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/usr/gen_initramfs_list.sh
++++ b/usr/gen_initramfs_list.sh
+@@ -128,7 +128,7 @@ parse() {
+ str="${ftype} ${name} ${location} ${str}"
+ ;;
+ "nod")
+- local dev=`LC_ALL=C ls -l "${location}"`
++ local dev="`LC_ALL=C ls -l "${location}"`"
+ local maj=`field 5 ${dev}`
+ local min=`field 6 ${dev}`
+ maj=${maj%,}
diff --git a/queue-5.4/io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch b/queue-5.4/io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch
new file mode 100644
index 00000000000..92c6c20c557
--- /dev/null
+++ b/queue-5.4/io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch
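Review bot: The two lines right after the fix, `local maj=\`field 5 ${dev}\`` and `local min=\`field 6 ${dev}\``, keep the same unquoted-substitution form that just broke for `dev`; they only work because `field` prints a single token, so the script still depends on the output shape of a helper for `local` to parse correctly under dash. Quoting them the same way, `local maj="$(field 5 ${dev})"` and `local min="$(field 6 ${dev})"`, removes that dependency, and `$(...)` nests more readably than the nested backticks the fix introduces. Note that `${dev}` itself must stay unquoted there, since `field` is meant to receive the `ls -l` columns as separate arguments. `parse()` continues outside the hunk.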
@@ -0,0 +1,94 @@ +From 0b8c0ec7eedcd8f9f1a1f238d87f9b512b09e71a Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 2 Dec 2019 08:50:00 -0700 +Subject: io_uring: use current task creds instead of allocating a new one + +From: Jens Axboe + +commit 0b8c0ec7eedcd8f9f1a1f238d87f9b512b09e71a upstream. + +syzbot reports: + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 9217 Comm: io_uring-sq Not tainted 5.4.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline] +RIP: 0010:__validate_creds include/linux/cred.h:187 [inline] +RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550 +Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c +24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 +c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf +RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318 +RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010 +RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849 +R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000 +R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + io_sq_thread+0x1c7/0xa20 fs/io_uring.c:3274 + kthread+0x361/0x430 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 +Modules linked in: +---[ end trace f2e1a4307fbe2245 ]--- +RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline] 
+RIP: 0010:__validate_creds include/linux/cred.h:187 [inline] +RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550 +Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c +24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 +c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf +RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318 +RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010 +RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849 +R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000 +R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +which is caused by slab fault injection triggering a failure in +prepare_creds(). We don't actually need to create a copy of the creds +as we're not modifying it, we just need a reference on the current task +creds. This avoids the failure case as well, and propagates the const +throughout the stack. 
+ +Fixes: 181e448d8709 ("io_uring: async workers should inherit the user creds") +Reported-by: syzbot+5320383e16029ba057ff@syzkaller.appspotmail.com +Signed-off-by: Jens Axboe +[ only use the io_uring.c portion of the patch - gregkh] +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -239,7 +239,7 @@ struct io_ring_ctx { + + struct user_struct *user; + +- struct cred *creds; ++ const struct cred *creds; + + struct completion ctx_done; + +@@ -3876,7 +3876,7 @@ static int io_uring_create(unsigned entr + ctx->account_mem = account_mem; + ctx->user = user; + +- ctx->creds = prepare_creds(); ++ ctx->creds = get_current_cred(); + if (!ctx->creds) { + ret = -ENOMEM; + goto err; diff --git a/queue-5.4/mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch b/queue-5.4/mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch new file mode 100644 index 00000000000..c30e91abadb --- /dev/null +++ b/queue-5.4/mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch 
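Review bot: After the switch to `ctx->creds = get_current_cred();` the `if (!ctx->creds)` branch immediately below it is dead — `get_current_cred()` takes a reference on `current->cred` and does not return NULL — so the `-ENOMEM` path can no longer be taken and the code reads as if the call could still fail. Either drop the check or replace it with a comment such as `/* get_current_cred() cannot fail; the reference is dropped with put_cred() on teardown */`. The matching release in the ctx free path is outside the hunk, so I could not confirm it uses `put_cred()` (which the new `const struct cred *` type requires) rather than a helper that expects a mutable `struct cred`. `io_uring_create()` extends beyond the hunk.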
@@ -0,0 +1,64 @@
+From a7c46c0c0e3d62f2764cd08b90934cd2aaaf8545 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Sat, 4 Jan 2020 13:00:12 -0800
+Subject: mm/gup: fix memory leak in __gup_benchmark_ioctl
+
+From: Navid Emamdoost
+
+commit a7c46c0c0e3d62f2764cd08b90934cd2aaaf8545 upstream.
+
+In the implementation of __gup_benchmark_ioctl() the allocated pages
+should be released before returning in case of an invalid cmd. Release
+pages via kvfree().
+
+[akpm@linux-foundation.org: rework code flow, return -EINVAL rather than -1]
+Link: http://lkml.kernel.org/r/20191211174653.4102-1-navid.emamdoost@gmail.com
+Fixes: 714a3a1ebafe ("mm/gup_benchmark.c: add additional pinning methods")
+Signed-off-by: Navid Emamdoost
+Reviewed-by: Andrew Morton
+Reviewed-by: Ira Weiny
+Reviewed-by: John Hubbard
+Cc: Keith Busch
+Cc: Kirill A. Shutemov
+Cc: Dave Hansen
+Cc: Dan Williams
+Cc: David Hildenbrand
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/gup_benchmark.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/gup_benchmark.c
++++ b/mm/gup_benchmark.c
+@@ -26,6 +26,7 @@ static int __gup_benchmark_ioctl(unsigne
+ unsigned long i, nr_pages, addr, next;
+ int nr;
+ struct page **pages;
++ int ret = 0;
+
+ if (gup->size > ULONG_MAX)
+ return -EINVAL;
+@@ -63,7 +64,9 @@ static int __gup_benchmark_ioctl(unsigne
+ NULL);
+ break;
+ default:
+- return -1;
++ kvfree(pages);
++ ret = -EINVAL;
++ goto out;
+ }
+
+ if (nr <= 0)
+@@ -85,7 +88,8 @@ static int __gup_benchmark_ioctl(unsigne
+ gup->put_delta_usec = ktime_us_delta(end_time, start_time);
+
+ kvfree(pages);
+- return 0;
++out:
++ return ret;
+ }
+
+ static long gup_benchmark_ioctl(struct file *filep, unsigned int cmd,
diff --git a/queue-5.4/scsi-lpfc-fix-rpi-release-when-deleting-vport.patch b/queue-5.4/scsi-lpfc-fix-rpi-release-when-deleting-vport.patch
new file mode 100644
index 00000000000..eae95f9a927
--- /dev/null
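Review bot: The `default:` branch now frees `pages` itself and then jumps to `out:`, while the normal path frees `pages` just before that same label, so `__gup_benchmark_ioctl()` ends up with two release sites for one buffer and a label that does not own the cleanup it was added for. Putting `kvfree(pages);` under the `out:` label and reducing the invalid-cmd branch to `ret = -EINVAL; goto out;` gives a single exit that any later early return can share without re-creating the leak this patch fixes. The `if (nr <= 0)` path between the second and third hunk is not visible here, so check that it also reaches the free. The function begins above the first hunk.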
+++ b/queue-5.4/scsi-lpfc-fix-rpi-release-when-deleting-vport.patch 
@@ -0,0 +1,162 @@ +From 97acd0019d5dadd9c0e111c2083c889bfe548f25 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Sat, 21 Sep 2019 20:58:51 -0700 +Subject: scsi: lpfc: Fix rpi release when deleting vport + +From: James Smart + +commit 97acd0019d5dadd9c0e111c2083c889bfe548f25 upstream. + +A prior use-after-free mailbox fix solved it's problem by null'ing a ndlp +pointer. However, further testing has shown that this change causes a +later state change to occasionally be skipped, which results in a reference +count never being decremented thus the rpi is never released, which causes +a vport delete to never succeed. + +Revise the fix in the prior patch to no longer null the ndlp. Instead the +RELEASE_RPI flag is set which will drive the release of the rpi. + +Given the new code was added at a deep indentation level, refactor the code +block using a new routine that avoids the indentation issues. + +Fixes: 9b1640686470 ("scsi: lpfc: Fix use-after-free mailbox cmd completion") +Link: https://lore.kernel.org/r/20190922035906.10977-6-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 88 ++++++++++++++++++++++++++------------- + drivers/scsi/lpfc/lpfc_sli.c | 2 + 2 files changed, 61 insertions(+), 29 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -4844,6 +4844,44 @@ lpfc_nlp_logo_unreg(struct lpfc_hba *phb + } + + /* ++ * Sets the mailbox completion handler to be used for the ++ * unreg_rpi command. The handler varies based on the state of ++ * the port and what will be happening to the rpi next. 
++ */ ++static void ++lpfc_set_unreg_login_mbx_cmpl(struct lpfc_hba *phba, struct lpfc_vport *vport, ++ struct lpfc_nodelist *ndlp, LPFC_MBOXQ_t *mbox) ++{ ++ unsigned long iflags; ++ ++ if (ndlp->nlp_flag & NLP_ISSUE_LOGO) { ++ mbox->ctx_ndlp = ndlp; ++ mbox->mbox_cmpl = lpfc_nlp_logo_unreg; ++ ++ } else if (phba->sli_rev == LPFC_SLI_REV4 && ++ (!(vport->load_flag & FC_UNLOADING)) && ++ (bf_get(lpfc_sli_intf_if_type, &phba->sli4_hba.sli_intf) >= ++ LPFC_SLI_INTF_IF_TYPE_2) && ++ (kref_read(&ndlp->kref) > 0)) { ++ mbox->ctx_ndlp = lpfc_nlp_get(ndlp); ++ mbox->mbox_cmpl = lpfc_sli4_unreg_rpi_cmpl_clr; ++ } else { ++ if (vport->load_flag & FC_UNLOADING) { ++ if (phba->sli_rev == LPFC_SLI_REV4) { ++ spin_lock_irqsave(&vport->phba->ndlp_lock, ++ iflags); ++ ndlp->nlp_flag |= NLP_RELEASE_RPI; ++ spin_unlock_irqrestore(&vport->phba->ndlp_lock, ++ iflags); ++ } ++ lpfc_nlp_get(ndlp); ++ } ++ mbox->ctx_ndlp = ndlp; ++ mbox->mbox_cmpl = lpfc_sli_def_mbox_cmpl; ++ } ++} ++ ++/* + * Free rpi associated with LPFC_NODELIST entry. + * This routine is called from lpfc_freenode(), when we are removing + * a LPFC_NODELIST entry. 
It is also called if the driver initiates a +@@ -4893,33 +4931,12 @@ lpfc_unreg_rpi(struct lpfc_vport *vport, + + lpfc_unreg_login(phba, vport->vpi, rpi, mbox); + mbox->vport = vport; +- if (ndlp->nlp_flag & NLP_ISSUE_LOGO) { +- mbox->ctx_ndlp = ndlp; +- mbox->mbox_cmpl = lpfc_nlp_logo_unreg; +- } else { +- if (phba->sli_rev == LPFC_SLI_REV4 && +- (!(vport->load_flag & FC_UNLOADING)) && +- (bf_get(lpfc_sli_intf_if_type, +- &phba->sli4_hba.sli_intf) >= +- LPFC_SLI_INTF_IF_TYPE_2) && +- (kref_read(&ndlp->kref) > 0)) { +- mbox->ctx_ndlp = lpfc_nlp_get(ndlp); +- mbox->mbox_cmpl = +- lpfc_sli4_unreg_rpi_cmpl_clr; +- /* +- * accept PLOGIs after unreg_rpi_cmpl +- */ +- acc_plogi = 0; +- } else if (vport->load_flag & FC_UNLOADING) { +- mbox->ctx_ndlp = NULL; +- mbox->mbox_cmpl = +- lpfc_sli_def_mbox_cmpl; +- } else { +- mbox->ctx_ndlp = ndlp; +- mbox->mbox_cmpl = +- lpfc_sli_def_mbox_cmpl; +- } +- } ++ lpfc_set_unreg_login_mbx_cmpl(phba, vport, ndlp, mbox); ++ if (mbox->mbox_cmpl == lpfc_sli4_unreg_rpi_cmpl_clr) ++ /* ++ * accept PLOGIs after unreg_rpi_cmpl ++ */ ++ acc_plogi = 0; + if (((ndlp->nlp_DID & Fabric_DID_MASK) != + Fabric_DID_MASK) && + (!(vport->fc_flag & FC_OFFLINE_MODE))) +@@ -5060,6 +5077,7 @@ lpfc_cleanup_node(struct lpfc_vport *vpo + struct lpfc_hba *phba = vport->phba; + LPFC_MBOXQ_t *mb, *nextmb; + struct lpfc_dmabuf *mp; ++ unsigned long iflags; + + /* Cleanup node for NPort */ + lpfc_printf_vlog(vport, KERN_INFO, LOG_NODE, +@@ -5141,8 +5159,20 @@ lpfc_cleanup_node(struct lpfc_vport *vpo + lpfc_cleanup_vports_rrqs(vport, ndlp); + if (phba->sli_rev == LPFC_SLI_REV4) + ndlp->nlp_flag |= NLP_RELEASE_RPI; +- lpfc_unreg_rpi(vport, ndlp); +- ++ if (!lpfc_unreg_rpi(vport, ndlp)) { ++ /* Clean up unregistered and non freed rpis */ ++ if ((ndlp->nlp_flag & NLP_RELEASE_RPI) && ++ !(ndlp->nlp_rpi == LPFC_RPI_ALLOC_ERROR)) { ++ lpfc_sli4_free_rpi(vport->phba, ++ ndlp->nlp_rpi); ++ spin_lock_irqsave(&vport->phba->ndlp_lock, ++ iflags); ++ ndlp->nlp_flag &= 
~NLP_RELEASE_RPI;
++ ndlp->nlp_rpi = LPFC_RPI_ALLOC_ERROR;
++ spin_unlock_irqrestore(&vport->phba->ndlp_lock,
++ iflags);
++ }
++ }
+ return 0;
+ }
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -2526,6 +2526,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *
+ } else {
+ __lpfc_sli_rpi_release(vport, ndlp);
+ }
++ if (vport->load_flag & FC_UNLOADING)
++ lpfc_nlp_put(ndlp);
+ pmb->ctx_ndlp = NULL;
+ }
+ }
diff --git a/queue-5.4/series b/queue-5.4/series
index 5a2f72dec69..35ec18efe0e 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -117,3 +117,13 @@ tracing-avoid-memory-leak-in-process_system_preds.patch
 tracing-have-the-histogram-compare-functions-convert-to-u64-first.patch
 tracing-fix-endianness-bug-in-histogram-trigger.patch
 samples-trace_printk-wait-for-irq-work-to-finish.patch
+io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch
+mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch
+apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
+dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch
+gen_initramfs_list.sh-fix-bad-variable-name-error.patch
+alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
+alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch
+alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
+scsi-lpfc-fix-rpi-release-when-deleting-vport.patch
+exit-panic-before-exit_mm-on-global-init-exit.patch
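Review bot: In the `FC_UNLOADING` branch of the new `lpfc_set_unreg_login_mbx_cmpl()` the result of `lpfc_nlp_get(ndlp)` is discarded and `mbox->ctx_ndlp = ndlp` is assigned regardless, whereas the SLI4 branch just above stores what `lpfc_nlp_get()` returns; if that call can return NULL once the node's kref has already dropped to zero, the `lpfc_nlp_put(ndlp)` this patch adds to `lpfc_sli_def_mbox_cmpl()` under `FC_UNLOADING` is then unbalanced against a reference that was never taken. Checking the result there, or a comment stating why the get cannot fail on the unloading path, would make the get/put pairing between the two files explicit — the completion handler that does the put is in a different file from the code that takes the reference. As a point of style, `lpfc_unreg_rpi()` now recovers what the helper decided by comparing `mbox->mbox_cmpl == lpfc_sli4_unreg_rpi_cmpl_clr`; having the helper return whether PLOGIs should be accepted would keep the caller from depending on a specific handler identity. `lpfc_unreg_rpi()`, `lpfc_cleanup_node()` and `lpfc_sli_def_mbox_cmpl()` all extend beyond their hunks.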