From: Greg Kroah-Hartman Date: Mon, 3 Feb 2020 13:04:55 +0000 (+0000) Subject: 4.19-stable patches X-Git-Tag: v5.5.2~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58a8c5a400ad64e411083e356f8cfa4b5969ba2e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bluetooth-fix-race-condition-in-hci_release_sock.patch cgroup-prevent-double-killing-of-css-when-enabling-threaded-cgroup.patch ext4-validate-the-debug_want_extra_isize-mount-option-at-parse-time.patch media-af9005-uninitialized-variable-printked.patch media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch media-gspca-zero-usb_buf.patch media-vp7045-do-not-read-uninitialized-values-if-usb-transfer-fails.patch mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch reiserfs-fix-memory-leak-of-journal-device-string.patch tomoyo-use-atomic_t-for-statistics-counter.patch ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
---
diff --git a/queue-4.19/bluetooth-fix-race-condition-in-hci_release_sock.patch b/queue-4.19/bluetooth-fix-race-condition-in-hci_release_sock.patch
new file mode 100644
index 00000000000..9ec4aece1b6
--- /dev/null
+++ b/queue-4.19/bluetooth-fix-race-condition-in-hci_release_sock.patch
@@ -0,0 +1,44 @@
+From 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 15 Jan 2020 20:49:04 +0300
+Subject: Bluetooth: Fix race condition in hci_release_sock()
+
+From: Dan Carpenter
+
+commit 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 upstream.
+
+Syzbot managed to trigger a use after free "KASAN: use-after-free Write
+in hci_sock_bind". I have reviewed the code manually and one possibly
+cause I have found is that we are not holding lock_sock(sk) when we do
+the hci_dev_put(hdev) in hci_sock_release(). My theory is that the bind
+and the release are racing against each other which results in this use
+after free.
+
+Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com
+Signed-off-by: Dan Carpenter
+Signed-off-by: Johan Hedberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hci_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -831,6 +831,8 @@ static int hci_sock_release(struct socke
+ if (!sk)
+ return 0;
+
++ lock_sock(sk);
++
+ switch (hci_pi(sk)->channel) {
+ case HCI_CHANNEL_MONITOR:
+ atomic_dec(&monitor_promisc);
+@@ -878,6 +880,7 @@ static int hci_sock_release(struct socke
+ skb_queue_purge(&sk->sk_receive_queue);
+ skb_queue_purge(&sk->sk_write_queue);
+
++ release_sock(sk);
+ sock_put(sk);
+ return 0;
+ }
diff --git a/queue-4.19/cgroup-prevent-double-killing-of-css-when-enabling-threaded-cgroup.patch b/queue-4.19/cgroup-prevent-double-killing-of-css-when-enabling-threaded-cgroup.patch
new file mode 100644
index 00000000000..877d4ba39c9
--- /dev/null
+++ b/queue-4.19/cgroup-prevent-double-killing-of-css-when-enabling-threaded-cgroup.patch
@@ -0,0 +1,88 @@
+From 3bc0bb36fa30e95ca829e9cf480e1ef7f7638333 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?=
+Date: Thu, 9 Jan 2020 16:05:59 +0100
+Subject: cgroup: Prevent double killing of css when enabling threaded cgroup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný
+
+commit 3bc0bb36fa30e95ca829e9cf480e1ef7f7638333 upstream.
+
+The test_cgcore_no_internal_process_constraint_on_threads selftest when
+running with subsystem controlling noise triggers two warnings:
+
+> [ 597.443115] WARNING: CPU: 1 PID: 28167 at kernel/cgroup/cgroup.c:3131 cgroup_apply_control_enable+0xe0/0x3f0
+> [ 597.443413] WARNING: CPU: 1 PID: 28167 at kernel/cgroup/cgroup.c:3177 cgroup_apply_control_disable+0xa6/0x160
+
+Both stem from a call to cgroup_type_write. The first warning was also
+triggered by syzkaller.
+
+When we're switching cgroup to threaded mode shortly after a subsystem
+was disabled on it, we can see the respective subsystem css dying there.
+
+The warning in cgroup_apply_control_enable is harmless in this case
+since we're not adding new subsys anyway.
+The warning in cgroup_apply_control_disable indicates an attempt to kill
+css of recently disabled subsystem repeatedly.
+
+The commit prevents these situations by making cgroup_type_write wait
+for all dying csses to go away before re-applying subtree controls.
+When at it, the locations of WARN_ON_ONCE calls are moved so that
+warning is triggered only when we are about to misuse the dying css.
+
+Reported-by: syzbot+5493b2a54d31d6aea629@syzkaller.appspotmail.com
+Reported-by: Christian Brauner
+Signed-off-by: Michal Koutný
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/cgroup/cgroup.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2940,8 +2940,6 @@ static int cgroup_apply_control_enable(s
+ for_each_subsys(ss, ssid) {
+ struct cgroup_subsys_state *css = cgroup_css(dsct, ss);
+
+- WARN_ON_ONCE(css && percpu_ref_is_dying(&css->refcnt));
+-
+ if (!(cgroup_ss_mask(dsct) & (1 << ss->id)))
+ continue;
+
+@@ -2951,6 +2949,8 @@ static int cgroup_apply_control_enable(s
+ return PTR_ERR(css);
+ }
+
++ WARN_ON_ONCE(percpu_ref_is_dying(&css->refcnt));
++
+ if (css_visible(css)) {
+ ret = css_populate_dir(css);
+ if (ret)
+@@ -2986,11 +2986,11 @@ static void cgroup_apply_control_disable
+ for_each_subsys(ss, ssid) {
+ struct cgroup_subsys_state *css = cgroup_css(dsct, ss);
+
+- WARN_ON_ONCE(css && percpu_ref_is_dying(&css->refcnt));
+-
+ if (!css)
+ continue;
+
++ WARN_ON_ONCE(percpu_ref_is_dying(&css->refcnt));
++
+ if (css->parent &&
+ !(cgroup_ss_mask(dsct) & (1 << ss->id))) {
+ kill_css(css);
+@@ -3277,7 +3277,8 @@ static ssize_t cgroup_type_write(struct
+ if (strcmp(strstrip(buf), "threaded"))
+ return -EINVAL;
+
+- cgrp = cgroup_kn_lock_live(of->kn, false);
++ /* drain dying csses before we re-apply (threaded) subtree control */
++ cgrp = cgroup_kn_lock_live(of->kn, true);
+ if (!cgrp)
+ return -ENOENT;
+
diff --git a/queue-4.19/ext4-validate-the-debug_want_extra_isize-mount-option-at-parse-time.patch b/queue-4.19/ext4-validate-the-debug_want_extra_isize-mount-option-at-parse-time.patch
new file mode 100644
index 00000000000..5aa8f5b4546
--- /dev/null
+++ b/queue-4.19/ext4-validate-the-debug_want_extra_isize-mount-option-at-parse-time.patch
@@ -0,0 +1,195 @@ +From 9803387c55f7d2ce69aa64340c5fdc6b3027dbc8 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 15 Dec 2019 01:09:03 -0500 +Subject: ext4: validate the debug_want_extra_isize mount option at parse time + +From: Theodore Ts'o + +commit 9803387c55f7d2ce69aa64340c5fdc6b3027dbc8 upstream. + +Instead of setting s_want_extra_size and then making sure that it is a +valid value afterwards, validate the field before we set it. This +avoids races and other problems when remounting the file system. + +Link: https://lore.kernel.org/r/20191215063020.GA11512@mit.edu +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Reported-and-tested-by: syzbot+4a39a025912b265cacef@syzkaller.appspotmail.com +Signed-off-by: Zubin Mithra +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 127 +++++++++++++++++++++++++++++--------------------------- + 1 file changed, 66 insertions(+), 61 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1842,6 +1842,13 @@ static int handle_mount_opt(struct super + arg = JBD2_DEFAULT_MAX_COMMIT_AGE; + sbi->s_commit_interval = HZ * arg; + } else if (token == Opt_debug_want_extra_isize) { ++ if ((arg & 1) || ++ (arg < 4) || ++ (arg > (sbi->s_inode_size - EXT4_GOOD_OLD_INODE_SIZE))) { ++ ext4_msg(sb, KERN_ERR, ++ "Invalid want_extra_isize %d", arg); ++ return -1; ++ } + sbi->s_want_extra_isize = arg; + } else if (token == Opt_max_batch_time) { + sbi->s_max_batch_time = arg; +@@ -3513,40 +3520,6 @@ int ext4_calculate_overhead(struct super + return 0; + } + +-static void ext4_clamp_want_extra_isize(struct super_block *sb) +-{ +- struct ext4_sb_info *sbi = EXT4_SB(sb); +- struct ext4_super_block *es = sbi->s_es; +- unsigned def_extra_isize = sizeof(struct ext4_inode) - +- EXT4_GOOD_OLD_INODE_SIZE; +- +- if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) { +- sbi->s_want_extra_isize = 0; +- return; +- } +- if (sbi->s_want_extra_isize < 4) { +- sbi->s_want_extra_isize = def_extra_isize; +- if 
(ext4_has_feature_extra_isize(sb)) { +- if (sbi->s_want_extra_isize < +- le16_to_cpu(es->s_want_extra_isize)) +- sbi->s_want_extra_isize = +- le16_to_cpu(es->s_want_extra_isize); +- if (sbi->s_want_extra_isize < +- le16_to_cpu(es->s_min_extra_isize)) +- sbi->s_want_extra_isize = +- le16_to_cpu(es->s_min_extra_isize); +- } +- } +- /* Check if enough inode space is available */ +- if ((sbi->s_want_extra_isize > sbi->s_inode_size) || +- (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > +- sbi->s_inode_size)) { +- sbi->s_want_extra_isize = def_extra_isize; +- ext4_msg(sb, KERN_INFO, +- "required extra inode space not available"); +- } +-} +- + static void ext4_set_resv_clusters(struct super_block *sb) + { + ext4_fsblk_t resv_clusters; +@@ -3754,6 +3727,65 @@ static int ext4_fill_super(struct super_ + */ + sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT; + ++ if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) { ++ sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE; ++ sbi->s_first_ino = EXT4_GOOD_OLD_FIRST_INO; ++ } else { ++ sbi->s_inode_size = le16_to_cpu(es->s_inode_size); ++ sbi->s_first_ino = le32_to_cpu(es->s_first_ino); ++ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { ++ ext4_msg(sb, KERN_ERR, "invalid first ino: %u", ++ sbi->s_first_ino); ++ goto failed_mount; ++ } ++ if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || ++ (!is_power_of_2(sbi->s_inode_size)) || ++ (sbi->s_inode_size > blocksize)) { ++ ext4_msg(sb, KERN_ERR, ++ "unsupported inode size: %d", ++ sbi->s_inode_size); ++ goto failed_mount; ++ } ++ /* ++ * i_atime_extra is the last extra field available for ++ * [acm]times in struct ext4_inode. Checking for that ++ * field should suffice to ensure we have extra space ++ * for all three. 
++ */ ++ if (sbi->s_inode_size >= offsetof(struct ext4_inode, i_atime_extra) + ++ sizeof(((struct ext4_inode *)0)->i_atime_extra)) { ++ sb->s_time_gran = 1; ++ } else { ++ sb->s_time_gran = NSEC_PER_SEC; ++ } ++ } ++ if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) { ++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) - ++ EXT4_GOOD_OLD_INODE_SIZE; ++ if (ext4_has_feature_extra_isize(sb)) { ++ unsigned v, max = (sbi->s_inode_size - ++ EXT4_GOOD_OLD_INODE_SIZE); ++ ++ v = le16_to_cpu(es->s_want_extra_isize); ++ if (v > max) { ++ ext4_msg(sb, KERN_ERR, ++ "bad s_want_extra_isize: %d", v); ++ goto failed_mount; ++ } ++ if (sbi->s_want_extra_isize < v) ++ sbi->s_want_extra_isize = v; ++ ++ v = le16_to_cpu(es->s_min_extra_isize); ++ if (v > max) { ++ ext4_msg(sb, KERN_ERR, ++ "bad s_min_extra_isize: %d", v); ++ goto failed_mount; ++ } ++ if (sbi->s_want_extra_isize < v) ++ sbi->s_want_extra_isize = v; ++ } ++ } ++ + if (sbi->s_es->s_mount_opts[0]) { + char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts, + sizeof(sbi->s_es->s_mount_opts), +@@ -3955,29 +3987,6 @@ static int ext4_fill_super(struct super_ + has_huge_files); + sb->s_maxbytes = ext4_max_size(sb->s_blocksize_bits, has_huge_files); + +- if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) { +- sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE; +- sbi->s_first_ino = EXT4_GOOD_OLD_FIRST_INO; +- } else { +- sbi->s_inode_size = le16_to_cpu(es->s_inode_size); +- sbi->s_first_ino = le32_to_cpu(es->s_first_ino); +- if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { +- ext4_msg(sb, KERN_ERR, "invalid first ino: %u", +- sbi->s_first_ino); +- goto failed_mount; +- } +- if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || +- (!is_power_of_2(sbi->s_inode_size)) || +- (sbi->s_inode_size > blocksize)) { +- ext4_msg(sb, KERN_ERR, +- "unsupported inode size: %d", +- sbi->s_inode_size); +- goto failed_mount; +- } +- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) +- sb->s_time_gran = 1 << (EXT4_EPOCH_BITS - 2); +- } +- + 
sbi->s_desc_size = le16_to_cpu(es->s_desc_size); + if (ext4_has_feature_64bit(sb)) { + if (sbi->s_desc_size < EXT4_MIN_DESC_SIZE_64BIT || +@@ -4421,8 +4430,6 @@ no_journal: + } else if (ret) + goto failed_mount4a; + +- ext4_clamp_want_extra_isize(sb); +- + ext4_set_resv_clusters(sb); + + err = ext4_setup_system_zone(sb); +@@ -5207,8 +5214,6 @@ static int ext4_remount(struct super_blo + goto restore_opts; + } + +- ext4_clamp_want_extra_isize(sb); +- + if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^ + test_opt(sb, JOURNAL_CHECKSUM)) { + ext4_msg(sb, KERN_ERR, "changing journal_checksum " diff --git a/queue-4.19/media-af9005-uninitialized-variable-printked.patch b/queue-4.19/media-af9005-uninitialized-variable-printked.patch new file mode 100644 index 00000000000..81720adc5eb --- /dev/null +++ b/queue-4.19/media-af9005-uninitialized-variable-printked.patch @@ -0,0 +1,31 @@ +From 51d0c99b391f0cac61ad7b827c26f549ee55672c Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 10 Nov 2019 11:15:37 +0100 +Subject: media: af9005: uninitialized variable printked + +From: Sean Young + +commit 51d0c99b391f0cac61ad7b827c26f549ee55672c upstream. + +If usb_bulk_msg() fails, actual_length can be uninitialized. + +Reported-by: syzbot+9d42b7773d2fecd983ab@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/af9005.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/dvb-usb/af9005.c ++++ b/drivers/media/usb/dvb-usb/af9005.c +@@ -563,7 +563,7 @@ static int af9005_boot_packet(struct usb + u8 *buf, int size) + { + u16 checksum; +- int act_len, i, ret; ++ int act_len = 0, i, ret; + + memset(buf, 0, size); + buf[0] = (u8) (FW_BULKOUT_SIZE & 0xff); 
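Review bot: In the ext4 patch, the inode-size block that the commit moves up in ext4_fill_super (the `++ if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || ... (sbi->s_inode_size > blocksize))` lines) now runs before the mount options are parsed, and at that point `blocksize` appears to still hold the probe value from sb_min_blocksize(); in this 4.19 tree the `blocksize = BLOCK_SIZE << le32_to_cpu(es->s_log_block_size)` assignment follows parse_options(), outside the hunk. If that ordering holds, an inode size larger than the probe block size (a constructed example: 2048-byte inodes on a 4k-block filesystem over a 512-byte-sector device) is now rejected as "unsupported inode size" where it was accepted before. The move itself is needed because the new `Opt_debug_want_extra_isize` check in handle_mount_opt() reads `sbi->s_inode_size`, so the fix is to keep the block early but compare against the block size derived from es->s_log_block_size rather than the probe value, and to confirm that against the full function since ext4_fill_super starts and ends outside the hunk.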
diff --git a/queue-4.19/media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch b/queue-4.19/media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
new file mode 100644
index 00000000000..bb093501cbc
--- /dev/null
+++ b/queue-4.19/media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
@@ -0,0 +1,48 @@
+From eecc70d22ae51225de1ef629c1159f7116476b2e Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Sun, 10 Nov 2019 11:04:40 +0100
+Subject: media: digitv: don't continue if remote control state can't be read
+
+From: Sean Young
+
+commit eecc70d22ae51225de1ef629c1159f7116476b2e upstream.
+
+This results in an uninitialized variable read.
+
+Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/digitv.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/digitv.c
++++ b/drivers/media/usb/dvb-usb/digitv.c
+@@ -233,18 +233,22 @@ static struct rc_map_table rc_map_digitv
+
+ static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
+- int i;
++ int ret, i;
+ u8 key[5];
+ u8 b[4] = { 0 };
+
+ *event = 0;
+ *state = REMOTE_NO_KEY_PRESSED;
+
+- digitv_ctrl_msg(d,USB_READ_REMOTE,0,NULL,0,&key[1],4);
++ ret = digitv_ctrl_msg(d, USB_READ_REMOTE, 0, NULL, 0, &key[1], 4);
++ if (ret)
++ return ret;
+
+ /* Tell the device we've read the remote. Not sure how necessary
+ this is, but the Nebula SDK does it. */
+- digitv_ctrl_msg(d,USB_WRITE_REMOTE,0,b,4,NULL,0);
++ ret = digitv_ctrl_msg(d, USB_WRITE_REMOTE, 0, b, 4, NULL, 0);
++ if (ret)
++ return ret;
+
+ /* if something is inside the buffer, simulate key press */
+ if (key[1] != 0)
diff --git a/queue-4.19/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch b/queue-4.19/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
new file mode 100644
index 00000000000..d8ec7c33ac3
--- /dev/null
+++ b/queue-4.19/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
@@ -0,0 +1,38 @@
+From 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Tue, 12 Nov 2019 10:22:28 +0100
+Subject: media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0
+
+From: Hans Verkuil
+
+commit 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 upstream.
+
+This fixes a syzbot failure since actlen could be uninitialized,
+but it was still used.
+
+Syzbot link:
+
+https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1
+
+Reported-and-tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil
+Acked-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/dvb-usb-urb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/dvb-usb-urb.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-urb.c
+@@ -12,7 +12,7 @@
+ int dvb_usb_generic_rw(struct dvb_usb_device *d, u8 *wbuf, u16 wlen, u8 *rbuf,
+ u16 rlen, int delay_ms)
+ {
+- int actlen,ret = -ENOMEM;
++ int actlen = 0, ret = -ENOMEM;
+
+ if (!d || wbuf == NULL || wlen == 0)
+ return -EINVAL;
diff --git a/queue-4.19/media-gspca-zero-usb_buf.patch b/queue-4.19/media-gspca-zero-usb_buf.patch
new file mode 100644
index 00000000000..6947d168ac9
--- /dev/null
+++ b/queue-4.19/media-gspca-zero-usb_buf.patch
@@ -0,0 +1,42 @@
+From de89d0864f66c2a1b75becfdd6bf3793c07ce870 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Tue, 12 Nov 2019 10:22:24 +0100
+Subject: media: gspca: zero usb_buf
+
+From: Hans Verkuil
+
+commit de89d0864f66c2a1b75becfdd6bf3793c07ce870 upstream.
+
+Allocate gspca_dev->usb_buf with kzalloc instead of kmalloc to
+ensure it is property zeroed. This fixes various syzbot errors
+about uninitialized data.
+
+Syzbot links:
+
+https://syzkaller.appspot.com/bug?extid=32310fc2aea76898d074
+https://syzkaller.appspot.com/bug?extid=99706d6390be1ac542a2
+https://syzkaller.appspot.com/bug?extid=64437af5c781a7f0e08e
+
+Reported-and-tested-by: syzbot+32310fc2aea76898d074@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+99706d6390be1ac542a2@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+64437af5c781a7f0e08e@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/gspca/gspca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -1473,7 +1473,7 @@ int gspca_dev_probe2(struct usb_interfac
+ pr_err("couldn't kzalloc gspca struct\n");
+ return -ENOMEM;
+ }
+- gspca_dev->usb_buf = kmalloc(USB_BUF_SZ, GFP_KERNEL);
++ gspca_dev->usb_buf = kzalloc(USB_BUF_SZ, GFP_KERNEL);
+ if (!gspca_dev->usb_buf) {
+ pr_err("out of memory\n");
+ ret = -ENOMEM;
diff --git a/queue-4.19/media-vp7045-do-not-read-uninitialized-values-if-usb-transfer-fails.patch b/queue-4.19/media-vp7045-do-not-read-uninitialized-values-if-usb-transfer-fails.patch
new file mode 100644
index 00000000000..52f1960c81f
--- /dev/null
+++ b/queue-4.19/media-vp7045-do-not-read-uninitialized-values-if-usb-transfer-fails.patch
@@ -0,0 +1,64 @@
+From 26cff637121d8bb866ebd6515c430ac890e6ec80 Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Sun, 10 Nov 2019 11:25:13 +0100
+Subject: media: vp7045: do not read uninitialized values if usb transfer fails
+
+From: Sean Young
+
+commit 26cff637121d8bb866ebd6515c430ac890e6ec80 upstream.
+
+It is not a fatal error if reading the mac address or the remote control
+decoder state fails.
+
+Reported-by: syzbot+ec869945d3dde5f33b43@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/vp7045.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/vp7045.c
++++ b/drivers/media/usb/dvb-usb/vp7045.c
+@@ -99,10 +99,14 @@ static int vp7045_power_ctrl(struct dvb_
+
+ static int vp7045_rc_query(struct dvb_usb_device *d)
+ {
++ int ret;
+ u8 key;
+- vp7045_usb_op(d,RC_VAL_READ,NULL,0,&key,1,20);
+
+- deb_rc("remote query key: %x %d\n",key,key);
++ ret = vp7045_usb_op(d, RC_VAL_READ, NULL, 0, &key, 1, 20);
++ if (ret)
++ return ret;
++
++ deb_rc("remote query key: %x\n", key);
+
+ if (key != 0x44) {
+ /*
+@@ -118,15 +122,18 @@ static int vp7045_rc_query(struct dvb_us
+
+ static int vp7045_read_eeprom(struct dvb_usb_device *d,u8 *buf, int len, int offset)
+ {
+- int i = 0;
+- u8 v,br[2];
++ int i, ret;
++ u8 v, br[2];
+ for (i=0; i < len; i++) {
+ v = offset + i;
+- vp7045_usb_op(d,GET_EE_VALUE,&v,1,br,2,5);
++ ret = vp7045_usb_op(d, GET_EE_VALUE, &v, 1, br, 2, 5);
++ if (ret)
++ return ret;
++
+ buf[i] = br[1];
+ }
+- deb_info("VP7045 EEPROM read (offs: %d, len: %d) : ",offset, i);
+- debug_dump(buf,i,deb_info);
++ deb_info("VP7045 EEPROM read (offs: %d, len: %d) : ", offset, i);
++ debug_dump(buf, i, deb_info);
+ return 0;
+ }
diff --git a/queue-4.19/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch b/queue-4.19/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
new file mode 100644
index 00000000000..eb60cd1a232
--- /dev/null
+++ b/queue-4.19/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
@@ -0,0 +1,59 @@
+From c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 30 Jan 2020 22:11:07 -0800
+Subject: mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
+
+From: Dan Carpenter
+
+commit c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 upstream.
+
+What we are trying to do is change the '=' character to a NUL terminator
+and then at the end of the function we restore it back to an '='. The
+problem is there are two error paths where we jump to the end of the
+function before we have replaced the '=' with NUL.
+
+We end up putting the '=' in the wrong place (possibly one element
+before the start of the buffer).
+
+Link: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain
+Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Signed-off-by: Dan Carpenter
+Acked-by: Vlastimil Babka
+Dmitry Vyukov
+Cc: Michal Hocko
+Cc: Dan Carpenter
+Cc: Lee Schermerhorn
+Cc: Andrea Arcangeli
+Cc: Hugh Dickins
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempolicy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2808,6 +2808,9 @@ int mpol_parse_str(char *str, struct mem
+ char *flags = strchr(str, '=');
+ int err = 1;
+
++ if (flags)
++ *flags++ = '\0'; /* terminate mode string */
++
+ if (nodelist) {
+ /* NUL-terminate mode or flags string */
+ *nodelist++ = '\0';
+@@ -2818,9 +2821,6 @@ int mpol_parse_str(char *str, struct mem
+ } else
+ nodes_clear(nodes);
+
+- if (flags)
+- *flags++ = '\0'; /* terminate mode string */
+-
+ for (mode = 0; mode < MPOL_MAX; mode++) {
+ if (!strcmp(str, policy_modes[mode])) {
+ break;
diff --git a/queue-4.19/reiserfs-fix-memory-leak-of-journal-device-string.patch b/queue-4.19/reiserfs-fix-memory-leak-of-journal-device-string.patch
new file mode 100644
index 00000000000..4924f3f6d04
--- /dev/null
+++ b/queue-4.19/reiserfs-fix-memory-leak-of-journal-device-string.patch
@@ -0,0 +1,41 @@
+From 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 12 Dec 2019 11:30:03 +0100
+Subject: reiserfs: Fix memory leak of journal device string
+
+From: Jan Kara
+
+commit 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c upstream.
+
+When a filesystem is mounted with jdev mount option, we store the
+journal device name in an allocated string in superblock. However we
+fail to ever free that string. Fix it.
+
+Reported-by: syzbot+1c6756baf4b16b94d2a6@syzkaller.appspotmail.com
+Fixes: c3aa077648e1 ("reiserfs: Properly display mount options in /proc/mounts")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/reiserfs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -629,6 +629,7 @@ static void reiserfs_put_super(struct su
+ reiserfs_write_unlock(s);
+ mutex_destroy(&REISERFS_SB(s)->lock);
+ destroy_workqueue(REISERFS_SB(s)->commit_wq);
++ kfree(REISERFS_SB(s)->s_jdev);
+ kfree(s->s_fs_info);
+ s->s_fs_info = NULL;
+ }
+@@ -2243,6 +2244,7 @@ error_unlocked:
+ kfree(qf_names[j]);
+ }
+ #endif
++ kfree(sbi->s_jdev);
+ kfree(sbi);
+
+ s->s_fs_info = NULL;
diff --git a/queue-4.19/series b/queue-4.19/series
index 56179a9333e..205555a4c78 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -9,3 +9,15 @@ perf-c2c-fix-return-type-for-histogram-sorting-comparision-functions.patch
 pm-devfreq-add-new-name-attribute-for-sysfs.patch
 tools-lib-fix-builds-when-glibc-contains-strlcpy.patch
 arm64-kbuild-remove-compressed-images-on-make-arch-arm64-dist-clean.patch
+ext4-validate-the-debug_want_extra_isize-mount-option-at-parse-time.patch
+mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
+reiserfs-fix-memory-leak-of-journal-device-string.patch
+media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
+media-af9005-uninitialized-variable-printked.patch
+media-vp7045-do-not-read-uninitialized-values-if-usb-transfer-fails.patch
+media-gspca-zero-usb_buf.patch
+media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
+tomoyo-use-atomic_t-for-statistics-counter.patch
+ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
+bluetooth-fix-race-condition-in-hci_release_sock.patch
+cgroup-prevent-double-killing-of-css-when-enabling-threaded-cgroup.patch
diff --git a/queue-4.19/tomoyo-use-atomic_t-for-statistics-counter.patch b/queue-4.19/tomoyo-use-atomic_t-for-statistics-counter.patch
new file mode 100644
index 00000000000..49d1ee1dc07
--- /dev/null
+++ b/queue-4.19/tomoyo-use-atomic_t-for-statistics-counter.patch
@@ -0,0 +1,58 @@
+From a8772fad0172aeae339144598b809fd8d4823331 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Thu, 2 Jan 2020 12:53:49 +0900
+Subject: tomoyo: Use atomic_t for statistics counter
+
+From: Tetsuo Handa
+
+commit a8772fad0172aeae339144598b809fd8d4823331 upstream.
+
+syzbot is reporting that there is a race at tomoyo_stat_update() [1].
+Although it is acceptable to fail to track exact number of times policy
+was updated, convert to atomic_t because this is not a hot path.
+
+[1] https://syzkaller.appspot.com/bug?id=a4d7b973972eeed410596e6604580e0133b0fc04
+
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/tomoyo/common.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/security/tomoyo/common.c
++++ b/security/tomoyo/common.c
+@@ -2254,9 +2254,9 @@ static const char * const tomoyo_memory_
+ [TOMOYO_MEMORY_QUERY] = "query message:",
+ };
+
+-/* Timestamp counter for last updated. */
+-static unsigned int tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT];
+ /* Counter for number of updates. */
++static atomic_t tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT];
++/* Timestamp counter for last updated. */
+ static time64_t tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT];
+
+ /**
+@@ -2268,10 +2268,7 @@ static time64_t tomoyo_stat_modified[TOM
+ */
+ void tomoyo_update_stat(const u8 index)
+ {
+- /*
+- * I don't use atomic operations because race condition is not fatal.
+- */
+- tomoyo_stat_updated[index]++;
++ atomic_inc(&tomoyo_stat_updated[index]);
+ tomoyo_stat_modified[index] = ktime_get_real_seconds();
+ }
+
+@@ -2291,7 +2288,7 @@ static void tomoyo_read_stat(struct tomo
+ for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) {
+ tomoyo_io_printf(head, "Policy %-30s %10u",
+ tomoyo_policy_headers[i],
+- tomoyo_stat_updated[i]);
++ atomic_read(&tomoyo_stat_updated[i]));
+ if (tomoyo_stat_modified[i]) {
+ struct tomoyo_time stamp;
+ tomoyo_convert_time(tomoyo_stat_modified[i], &stamp);
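Review bot: The race fix covers only `tomoyo_stat_updated`; the line `tomoyo_stat_modified[index] = ktime_get_real_seconds();` in tomoyo_update_stat() still stores a plain time64_t that tomoyo_read_stat() reads with no synchronization, so on 32-bit builds a reader can presumably observe a torn value. The commit message states that inexact statistics are acceptable, but the comment that said so in the code is the one this patch deletes, so that intent is no longer visible to the next reader. A one-line comment above the remaining array, such as `/* Plain store/load; a stale or torn timestamp is tolerated here. */`, would preserve it. Separately, `atomic_read()` returns int while the format stays `%10u`; -Wformat-signedness would flag the mismatch, so a cast to unsigned at the call site keeps the format honest.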
diff --git a/queue-4.19/ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch b/queue-4.19/ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
new file mode 100644
index 00000000000..742ff70b864
--- /dev/null
+++ b/queue-4.19/ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
@@ -0,0 +1,111 @@
+From 9a655c77ff8fc65699a3f98e237db563b37c439b Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan
+Date: Mon, 13 Jan 2020 11:48:42 +0800
+Subject: ttyprintk: fix a potential deadlock in interrupt context issue
+
+From: Zhenzhong Duan
+
+commit 9a655c77ff8fc65699a3f98e237db563b37c439b upstream.
+
+tpk_write()/tpk_close() could be interrupted when holding a mutex, then
+in timer handler tpk_write() may be called again trying to acquire same
+mutex, lead to deadlock.
+
+Google syzbot reported this issue with CONFIG_DEBUG_ATOMIC_SLEEP
+enabled:
+
+BUG: sleeping function called from invalid context at
+kernel/locking/mutex.c:938
+in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/1
+1 lock held by swapper/1/0:
+...
+Call Trace:
+
+ dump_stack+0x197/0x210
+ ___might_sleep.cold+0x1fb/0x23e
+ __might_sleep+0x95/0x190
+ __mutex_lock+0xc5/0x13c0
+ mutex_lock_nested+0x16/0x20
+ tpk_write+0x5d/0x340
+ resync_tnc+0x1b6/0x320
+ call_timer_fn+0x1ac/0x780
+ run_timer_softirq+0x6c3/0x1790
+ __do_softirq+0x262/0x98c
+ irq_exit+0x19b/0x1e0
+ smp_apic_timer_interrupt+0x1a3/0x610
+ apic_timer_interrupt+0xf/0x20
+
+
+See link https://syzkaller.appspot.com/bug?extid=2eeef62ee31f9460ad65 for
+more details.
+
+Fix it by using spinlock in process context instead of mutex and having
+interrupt disabled in critical section.
+
+Reported-by: syzbot+2eeef62ee31f9460ad65@syzkaller.appspotmail.com
+Signed-off-by: Zhenzhong Duan
+Cc: Arnd Bergmann
+Cc: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20200113034842.435-1-zhenzhong.duan@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ttyprintk.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/ttyprintk.c
++++ b/drivers/char/ttyprintk.c
+@@ -18,10 +18,11 @@
+ #include
+ #include
+ #include
++#include
+
+ struct ttyprintk_port {
+ struct tty_port port;
+- struct mutex port_write_mutex;
++ spinlock_t spinlock;
+ };
+
+ static struct ttyprintk_port tpk_port;
+@@ -100,11 +101,12 @@ static int tpk_open(struct tty_struct *t
+ static void tpk_close(struct tty_struct *tty, struct file *filp)
+ {
+ struct ttyprintk_port *tpkp = tty->driver_data;
++ unsigned long flags;
+
+- mutex_lock(&tpkp->port_write_mutex);
++ spin_lock_irqsave(&tpkp->spinlock, flags);
+ /* flush tpk_printk buffer */
+ tpk_printk(NULL, 0);
+- mutex_unlock(&tpkp->port_write_mutex);
++ spin_unlock_irqrestore(&tpkp->spinlock, flags);
+
+ tty_port_close(&tpkp->port, tty, filp);
+ }
+@@ -116,13 +118,14 @@ static int tpk_write(struct tty_struct *
+ const unsigned char *buf, int count)
+ {
+ struct ttyprintk_port *tpkp = tty->driver_data;
++ unsigned long flags;
+ int ret;
+
+
+ /* exclusive use of tpk_printk within this tty */
+- mutex_lock(&tpkp->port_write_mutex);
++ spin_lock_irqsave(&tpkp->spinlock, flags);
+ ret = tpk_printk(buf, count);
+- mutex_unlock(&tpkp->port_write_mutex);
++ spin_unlock_irqrestore(&tpkp->spinlock, flags);
+
+ return ret;
+ }
+@@ -172,7 +175,7 @@ static int __init ttyprintk_init(void)
+ {
+ int ret = -ENOMEM;
+
+- mutex_init(&tpk_port.port_write_mutex);
++ spin_lock_init(&tpk_port.spinlock);
+
+ ttyprintk_driver = tty_alloc_driver(1,
+ TTY_DRIVER_RESET_TERMIOS |
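Review bot: With `spin_lock_irqsave(&tpkp->spinlock, flags)` replacing the mutex in tpk_write(), the entire `ret = tpk_printk(buf, count);` call now runs with local interrupts disabled; tpk_printk's body is outside the hunk, but if it walks the caller's buffer and calls printk() per line, the irq-off window scales with `count` as handed down by the tty core. That cost is the deliberate price of making the timer-context caller safe, so it is worth recording next to the lock, e.g. `/* irqs stay off for the whole tpk_printk() call: tpk_write() may run from timer context */`. The new field name `spinlock` says nothing about what it guards; `port_write_lock`, mirroring the removed `port_write_mutex`, would keep the struct self-describing. ttyprintk_init() continues past the end of the hunk.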