From: Sasha Levin
Date: Thu, 24 Sep 2020 23:38:17 +0000 (-0400)
Subject: Fixes for 4.4
X-Git-Tag: v4.19.148~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=55168e984e0cf3cd8e3e198d9d7e3065454c3096;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.4

Signed-off-by: Sasha Levin
---

diff --git a/queue-4.4/ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch b/queue-4.4/ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch
new file mode 100644
index 00000000000..00f8dd185d5
--- /dev/null
+++ b/queue-4.4/ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch
@@ -0,0 +1,60 @@
+From d4499be44f7e26007458b9252b6ded578f282b0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Jul 2020 02:05:53 +0800
+Subject: ftrace: Setup correct FTRACE_FL_REGS flags for module
+
+From: Chengming Zhou
+
+[ Upstream commit 8a224ffb3f52b0027f6b7279854c71a31c48fc97 ]
+
+When module loaded and enabled, we will use __ftrace_replace_code
+for module if any ftrace_ops referenced it found. But we will get
+wrong ftrace_addr for module rec in ftrace_get_addr_new, because
+rec->flags has not been setup correctly. It can cause the callback
+function of a ftrace_ops has FTRACE_OPS_FL_SAVE_REGS to be called
+with pt_regs set to NULL.
+So setup correct FTRACE_FL_REGS flags for rec when we call
+referenced_filters to find ftrace_ops references it.
+
+Link: https://lkml.kernel.org/r/20200728180554.65203-1-zhouchengming@bytedance.com
+
+Cc: stable@vger.kernel.org
+Fixes: 8c4f3c3fa9681 ("ftrace: Check module functions being traced on reload")
+Signed-off-by: Chengming Zhou
+Signed-off-by: Muchun Song
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/ftrace.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index e4c6f89b6b11f..89ed01911a9a2 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -2823,8 +2823,11 @@ static int referenced_filters(struct dyn_ftrace *rec)
+ int cnt = 0;
+
+ for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) {
+- if (ops_references_rec(ops, rec))
+- cnt++;
++ if (ops_references_rec(ops, rec)) {
++ cnt++;
++ if (ops->flags & FTRACE_OPS_FL_SAVE_REGS)
++ rec->flags |= FTRACE_FL_REGS;
++ }
+ }
+
+ return cnt;
+@@ -2874,7 +2877,7 @@ static int ftrace_update_code(struct module *mod, struct ftrace_page *new_pgs)
+ p = &pg->records[i];
+ if (test)
+ cnt += referenced_filters(p);
+- p->flags = cnt;
++ p->flags += cnt;
+
+ /*
+ * Do the initial record conversion from mcount jump
+--
+2.25.1
+
diff --git a/queue-4.4/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch b/queue-4.4/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
new file mode 100644
index 00000000000..6eeec3a6abc
--- /dev/null
+++ b/queue-4.4/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
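Review bot: referenced_filters() now writes `rec->flags |= FTRACE_FL_REGS` as a side effect of what reads like a pure counting helper, and ftrace_update_code() switches to `p->flags += cnt` so that bit survives; neither site says so, and the `+=` is only correct if `p->flags` holds nothing but that bit when the loop reaches it (the record allocation that would zero it is outside this hunk, so I could not confirm it here). Suggest a comment at the `+=`: `/* keep FTRACE_FL_REGS set by referenced_filters(); records are expected to start zeroed */`, and above the `|=`: `/* a SAVE_REGS caller references this rec, so ftrace_get_addr_new() must pick the regs-saving address */`, both taken from the patch description. Both enclosing functions start and end outside the hunk.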
@@ -0,0 +1,70 @@
+From f68249490a856a609f718a5598f20a5f6507c9bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Sep 2020 21:20:21 -0700
+Subject: kprobes: fix kill kprobe which has been marked as gone
+
+From: Muchun Song
+
+[ Upstream commit b0399092ccebd9feef68d4ceb8d6219a8c0caa05 ]
+
+If a kprobe is marked as gone, we should not kill it again. Otherwise, we
+can disarm the kprobe more than once. In that case, the statistics of
+kprobe_ftrace_enabled can unbalance which can lead to that kprobe do not
+work.
+
+Fixes: e8386a0cb22f ("kprobes: support probing module __exit function")
+Co-developed-by: Chengming Zhou
+Signed-off-by: Muchun Song
+Signed-off-by: Chengming Zhou
+Signed-off-by: Andrew Morton
+Acked-by: Masami Hiramatsu
+Cc: "Naveen N . Rao"
+Cc: Anil S Keshavamurthy
+Cc: David S. Miller
+Cc: Song Liu
+Cc: Steven Rostedt
+Cc:
+Link: https://lkml.kernel.org/r/20200822030055.32383-1-songmuchun@bytedance.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ kernel/kprobes.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index 9241a29a1f9de..574f650eb818b 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2012,6 +2012,9 @@ static void kill_kprobe(struct kprobe *p)
+ {
+ struct kprobe *kp;
+
++ if (WARN_ON_ONCE(kprobe_gone(p)))
++ return;
++
+ p->flags |= KPROBE_FLAG_GONE;
+ if (kprobe_aggrprobe(p)) {
+ /*
+@@ -2154,7 +2157,10 @@ static int kprobes_module_callback(struct notifier_block *nb,
+ mutex_lock(&kprobe_mutex);
+ for (i = 0; i < KPROBE_TABLE_SIZE; i++) {
+ head = &kprobe_table[i];
+- hlist_for_each_entry_rcu(p, head, hlist)
++ hlist_for_each_entry_rcu(p, head, hlist) {
++ if (kprobe_gone(p))
++ continue;
++
+ if (within_module_init((unsigned long)p->addr, mod) ||
+ (checkcore &&
+ within_module_core((unsigned long)p->addr, mod))) {
+@@ -2165,6 +2171,7 @@ static int kprobes_module_callback(struct notifier_block *nb,
+ */
+ kill_kprobe(p);
+ }
++ }
+ }
+ mutex_unlock(&kprobe_mutex);
+ return NOTIFY_DONE;
+--
+2.25.1
+
diff --git a/queue-4.4/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch b/queue-4.4/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
new file mode 100644
index 00000000000..60a0457685a
--- /dev/null
+++ b/queue-4.4/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
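Review bot: The `if (kprobe_gone(p)) continue;` added in kprobes_module_callback() carries no comment explaining why a gone probe must not reach kill_kprobe() again, and the new WARN_ON_ONCE inside kill_kprobe() makes the same check a second time, so a reader cannot tell which of the two is the real guard and which is the assertion. Suggest above the `continue`: `/* Already killed (its module text went away earlier); killing again would disarm it twice and unbalance kprobe_ftrace_enabled */`, which is the rationale given in the patch description, and a short note at the WARN_ON_ONCE saying it only catches callers that skip that filter. Both functions continue outside the hunk.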
@@ -0,0 +1,71 @@
+From 1458652513057030cb35cdefa1fadb7bcaa366f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Sep 2020 11:55:35 -0700
+Subject: KVM: fix memory leak in kvm_io_bus_unregister_dev()
+
+From: Rustam Kovhaev
+
+[ Upstream commit f65886606c2d3b562716de030706dfe1bea4ed5e ]
+
+when kmalloc() fails in kvm_io_bus_unregister_dev(), before removing
+the bus, we should iterate over all other devices linked to it and call
+kvm_iodevice_destructor() for them
+
+Fixes: 90db10434b16 ("KVM: kvm_io_bus_unregister_dev() should never fail")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+f196caa45793d6374707@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=f196caa45793d6374707
+Signed-off-by: Rustam Kovhaev
+Reviewed-by: Vitaly Kuznetsov
+Message-Id: <20200907185535.233114-1-rkovhaev@gmail.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ virt/kvm/kvm_main.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 82f3a9d78cab4..ba8e8840b94b2 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3392,7 +3392,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+ struct kvm_io_device *dev)
+ {
+- int i;
++ int i, j;
+ struct kvm_io_bus *new_bus, *bus;
+
+ bus = kvm->buses[bus_idx];
+@@ -3409,17 +3409,20 @@ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+
+ new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) *
+ sizeof(struct kvm_io_range)), GFP_KERNEL);
+- if (!new_bus) {
++ if (new_bus) {
++ memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
++ new_bus->dev_count--;
++ memcpy(new_bus->range + i, bus->range + i + 1,
++ (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
++ } else {
+ pr_err("kvm: failed to shrink bus, removing it completely\n");
+- goto broken;
++ for (j = 0; j < bus->dev_count; j++) {
++ if (j == i)
++ continue;
++ kvm_iodevice_destructor(bus->range[j].dev);
++ }
+ }
+
+- memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
+- new_bus->dev_count--;
+- memcpy(new_bus->range + i, bus->range + i + 1,
+- (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
+-
+-broken:
+ rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
+ synchronize_srcu_expedited(&kvm->srcu);
+ kfree(bus);
+--
+2.25.1
+
diff --git a/queue-4.4/mtd-fix-comparison-in-map_word_andequal.patch b/queue-4.4/mtd-fix-comparison-in-map_word_andequal.patch
new file mode 100644
index 00000000000..e10efe5a334
--- /dev/null
+++ b/queue-4.4/mtd-fix-comparison-in-map_word_andequal.patch
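Review bot: In the kmalloc-failure branch the `kvm_iodevice_destructor()` loop runs while the old `bus` is still published in `kvm->buses[bus_idx]`; the `rcu_assign_pointer()` and `synchronize_srcu_expedited()` that retire it come a few lines further down, so an SRCU reader already dispatching on that bus can still reach a device whose destructor has run, which is a use-after-free if the destructor frees the device. The loop should be moved below `synchronize_srcu_expedited()` under an `if (!new_bus)` guard, with `kfree(bus)` staying last because the loop reads `bus->range`; the else branch then keeps only the pr_err(). kvm_io_bus_unregister_dev() closes outside the hunk.
```c
	/* … unchanged: shrink into new_bus, or pr_err() when kmalloc failed (destructor loop removed from here) … */
	rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
	synchronize_srcu_expedited(&kvm->srcu);
	/* Only now is no SRCU reader able to reach the old bus, so its
	 * remaining devices can be torn down without racing a dispatch. */
	if (!new_bus) {
		for (j = 0; j < bus->dev_count; j++) {
			if (j == i)
				continue;
			kvm_iodevice_destructor(bus->range[j].dev);
		}
	}
	kfree(bus);
```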
@@ -0,0 +1,42 @@
+From 416ae5f46b9f72f048f2237f5d7a406ba06cb83e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Sep 2020 19:00:54 +0900
+Subject: mtd: Fix comparison in map_word_andequal()
+
+From: Ben Hutchings
+
+commit ea739a287f4f16d6250bea779a1026ead79695f2 upstream.
+
+Commit 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros")
+changed map_word_andequal() into a macro, but also changed the right
+hand side of the comparison from val3 to val2. Change it back to use
+val3 on the right hand side.
+
+Thankfully this did not cause a regression because all callers
+currently pass the same argument for val2 and val3.
+
+Fixes: 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros")
+Signed-off-by: Ben Hutchings
+Signed-off-by: Boris Brezillon
+Signed-off-by: Nobuhiro Iwamatsu (CIP)
+Signed-off-by: Sasha Levin
+---
+ include/linux/mtd/map.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h
+index 676d3d2a1a0a9..d8bae7cb86f39 100644
+--- a/include/linux/mtd/map.h
++++ b/include/linux/mtd/map.h
+@@ -307,7 +307,7 @@ void map_destroy(struct mtd_info *mtd);
+ ({ \
+ int i, ret = 1; \
+ for (i = 0; i < map_words(map); i++) { \
+- if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \
++ if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) { \
+ ret = 0; \
+ break; \
+ } \
+--
+2.25.1
+
diff --git a/queue-4.4/rdma-ucma-ucma_context-reference-leak-in-error-path.patch b/queue-4.4/rdma-ucma-ucma_context-reference-leak-in-error-path.patch
new file mode 100644
index 00000000000..6b3a142fd8e
--- /dev/null
+++ b/queue-4.4/rdma-ucma-ucma_context-reference-leak-in-error-path.patch
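Review bot: The comparison now reads `!= (val3).x[i]`, but nothing at the macro body states the intended contract, which is exactly why the val2/val3 swap went unnoticed: as the description says, every caller passes the same value for both, so no test could see it. A one-line comment above the `({` would pin it, e.g. `/* 1 if (val1 & val2) == val3 for every word of the map, else 0 */`, so the next refactor has something to check against. The `#define map_word_andequal(...)` line and the end of the macro are outside the hunk.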
@@ -0,0 +1,47 @@
+From 3129dfa3703c651749fe8998e591e04120f0902d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Sep 2020 18:24:49 +0900
+Subject: RDMA/ucma: ucma_context reference leak in error path
+
+From: Shamir Rabinovitch
+
+commit ef95a90ae6f4f21990e1f7ced6719784a409e811 upstream.
+
+Validating input parameters should be done before getting the cm_id
+otherwise it can leak a cm_id reference.
+
+Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size")
+Signed-off-by: Shamir Rabinovitch
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+[iwamatsu: Backported to 4.4, 4.9 and 4.14: adjust context]
+Signed-off-by: Nobuhiro Iwamatsu (CIP)
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/ucma.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index 3e4d3d5560bf1..6315f77b4a58c 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1295,13 +1295,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+
++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
++ return -EINVAL;
++
+ ctx = ucma_get_ctx(file, cmd.id);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
+- if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
+- return -EINVAL;
+-
+ optval = memdup_user((void __user *) (unsigned long) cmd.optval,
+ cmd.optlen);
+ if (IS_ERR(optval)) {
+--
+2.25.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 421138f841e..a5f69c5232e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1 +1,6 @@
 af_key-pfkey_dump-needs-parameter-validation.patch
+kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
+kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
+ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch
+rdma-ucma-ucma_context-reference-leak-in-error-path.patch
+mtd-fix-comparison-in-map_word_andequal.patch
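Review bot: The relocated `cmd.optlen > KMALLOC_MAX_SIZE` check gives no hint that its position is load-bearing, so a later tidy-up could move it back below `ucma_get_ctx()` and reintroduce the leaked reference the patch fixes. Suggest above the `if (unlikely(...))`: `/* Validate user input before ucma_get_ctx(): a bare return after it leaks the ctx reference */`, which is the rationale in the description. ucma_set_option() continues outside the hunk, so whether the remaining error paths release ctx cannot be checked from here.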