From: Sasha Levin
Date: Thu, 24 Sep 2020 23:38:17 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v4.19.148~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5af0e7c61f1eeb054ad4ea8f8e4c0604ae9ae8a0;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.9
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch b/queue-4.9/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
new file mode 100644
index 00000000000..f190b0fe3ea
--- /dev/null
+++ b/queue-4.9/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
@@ -0,0 +1,70 @@
+From 37400519a282b95e8101ea0836a4aad434ff0b63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Sep 2020 21:20:21 -0700
+Subject: kprobes: fix kill kprobe which has been marked as gone
+
+From: Muchun Song
+
+[ Upstream commit b0399092ccebd9feef68d4ceb8d6219a8c0caa05 ]
+
+If a kprobe is marked as gone, we should not kill it again. Otherwise, we
+can disarm the kprobe more than once. In that case, the statistics of
+kprobe_ftrace_enabled can unbalance which can lead to that kprobe do not
+work.
+
+Fixes: e8386a0cb22f ("kprobes: support probing module __exit function")
+Co-developed-by: Chengming Zhou
+Signed-off-by: Muchun Song
+Signed-off-by: Chengming Zhou
+Signed-off-by: Andrew Morton
+Acked-by: Masami Hiramatsu
+Cc: "Naveen N . Rao"
+Cc: Anil S Keshavamurthy
+Cc: David S. Miller
+Cc: Song Liu
+Cc: Steven Rostedt
+Cc:
+Link: https://lkml.kernel.org/r/20200822030055.32383-1-songmuchun@bytedance.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ kernel/kprobes.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index 9aa2dbe6a4568..6f63d78aceeca 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2012,6 +2012,9 @@ static void kill_kprobe(struct kprobe *p)
+ {
+ struct kprobe *kp;
+ 
++ if (WARN_ON_ONCE(kprobe_gone(p)))
++ return;
++
+ p->flags |= KPROBE_FLAG_GONE;
+ if (kprobe_aggrprobe(p)) {
+ /*
+@@ -2154,7 +2157,10 @@ static int kprobes_module_callback(struct notifier_block *nb,
+ mutex_lock(&kprobe_mutex);
+ for (i = 0; i < KPROBE_TABLE_SIZE; i++) {
+ head = &kprobe_table[i];
+- hlist_for_each_entry_rcu(p, head, hlist)
++ hlist_for_each_entry_rcu(p, head, hlist) {
++ if (kprobe_gone(p))
++ continue;
++
+ if (within_module_init((unsigned long)p->addr, mod) ||
+ (checkcore &&
+ within_module_core((unsigned long)p->addr, mod))) {
+@@ -2165,6 +2171,7 @@ static int kprobes_module_callback(struct notifier_block *nb,
+ */
+ kill_kprobe(p);
+ }
++ }
+ }
+ mutex_unlock(&kprobe_mutex);
+ return NOTIFY_DONE;
+-- 
+2.25.1
+
diff --git a/queue-4.9/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch b/queue-4.9/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
new file mode 100644
index 00000000000..15024423b7d
--- /dev/null
+++ b/queue-4.9/kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
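Review bot: The new `if (kprobe_gone(p)) continue;` inside the hlist loop of kprobes_module_callback() carries no comment, so a reader cannot tell why an already-gone probe must be skipped instead of re-killed; the rationale only exists in the commit message. Suggest `/* Already killed: killing it again would disarm it a second time and unbalance kprobe_ftrace_enabled. */` directly above that check. The `WARN_ON_ONCE(kprobe_gone(p))` guard added to kill_kprobe() then states the same invariant for any other caller, which I cannot see from this hunk. Both kill_kprobe() and kprobes_module_callback() start or end outside the hunk.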
@@ -0,0 +1,71 @@
+From 70ba5d792e3a5824281eb36dd79de983377a83e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Sep 2020 11:55:35 -0700
+Subject: KVM: fix memory leak in kvm_io_bus_unregister_dev()
+
+From: Rustam Kovhaev
+
+[ Upstream commit f65886606c2d3b562716de030706dfe1bea4ed5e ]
+
+when kmalloc() fails in kvm_io_bus_unregister_dev(), before removing
+the bus, we should iterate over all other devices linked to it and call
+kvm_iodevice_destructor() for them
+
+Fixes: 90db10434b16 ("KVM: kvm_io_bus_unregister_dev() should never fail")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+f196caa45793d6374707@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=f196caa45793d6374707
+Signed-off-by: Rustam Kovhaev
+Reviewed-by: Vitaly Kuznetsov
+Message-Id: <20200907185535.233114-1-rkovhaev@gmail.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ virt/kvm/kvm_main.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 4e4bb5dd2dcd5..010d8aee9346b 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3639,7 +3639,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+ struct kvm_io_device *dev)
+ {
+- int i;
++ int i, j;
+ struct kvm_io_bus *new_bus, *bus;
+ 
+ bus = kvm->buses[bus_idx];
+@@ -3656,17 +3656,20 @@ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+ 
+ new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) *
+ sizeof(struct kvm_io_range)), GFP_KERNEL);
+- if (!new_bus) {
++ if (new_bus) {
++ memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
++ new_bus->dev_count--;
++ memcpy(new_bus->range + i, bus->range + i + 1,
++ (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
++ } else {
+ pr_err("kvm: failed to shrink bus, removing it completely\n");
+- goto broken;
++ for (j = 0; j < bus->dev_count; j++) {
++ if (j == i)
++ continue;
++ kvm_iodevice_destructor(bus->range[j].dev);
++ }
+ }
+ 
+- memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
+- new_bus->dev_count--;
+- memcpy(new_bus->range + i, bus->range + i + 1,
+- (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
+-
+-broken:
+ rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
+ synchronize_srcu_expedited(&kvm->srcu);
+ kfree(bus);
+-- 
+2.25.1
+
diff --git a/queue-4.9/mtd-fix-comparison-in-map_word_andequal.patch b/queue-4.9/mtd-fix-comparison-in-map_word_andequal.patch
new file mode 100644
index 00000000000..deab24e8d49
--- /dev/null
+++ b/queue-4.9/mtd-fix-comparison-in-map_word_andequal.patch
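Review bot: In the new `else` branch of kvm_io_bus_unregister_dev(), kvm_iodevice_destructor() is called on every other device before `rcu_assign_pointer(kvm->buses[bus_idx], new_bus)` and `synchronize_srcu_expedited(&kvm->srcu)`, so a reader that already dereferenced the old bus under kvm->srcu can still dispatch to a device whose destructor has completed; the leak is traded for a use-after-free window. The destructor loop belongs after the SRCU grace period, next to `kfree(bus)`, guarded by `new_bus == NULL`, with only the `pr_err()` left in the else branch, which also keeps the failure path's ordering identical to the success path (publish, sync, free). The device at index `i` is still left to the caller as before; who destroys it is not visible from this hunk.
```c
	} else {
		pr_err("kvm: failed to shrink bus, removing it completely\n");
	}

	rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
	synchronize_srcu_expedited(&kvm->srcu);
	if (!new_bus) {
		/* No reader can hold the old bus any more: safe to tear the devices down. */
		for (j = 0; j < bus->dev_count; j++) {
			if (j == i)
				continue;
			kvm_iodevice_destructor(bus->range[j].dev);
		}
	}
	kfree(bus);
```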
@@ -0,0 +1,42 @@
+From cf2cbd6d5ca12a11574c673426e8c9c04c22e072 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Sep 2020 19:00:54 +0900
+Subject: mtd: Fix comparison in map_word_andequal()
+
+From: Ben Hutchings
+
+commit ea739a287f4f16d6250bea779a1026ead79695f2 upstream.
+
+Commit 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros")
+changed map_word_andequal() into a macro, but also changed the right
+hand side of the comparison from val3 to val2. Change it back to use
+val3 on the right hand side.
+
+Thankfully this did not cause a regression because all callers
+currently pass the same argument for val2 and val3.
+
+Fixes: 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros")
+Signed-off-by: Ben Hutchings
+Signed-off-by: Boris Brezillon
+Signed-off-by: Nobuhiro Iwamatsu (CIP)
+Signed-off-by: Sasha Levin
+---
+ include/linux/mtd/map.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h
+index b5b43f94f3116..01b990e4b228a 100644
+--- a/include/linux/mtd/map.h
++++ b/include/linux/mtd/map.h
+@@ -312,7 +312,7 @@ void map_destroy(struct mtd_info *mtd);
+ ({ \
+ int i, ret = 1; \
+ for (i = 0; i < map_words(map); i++) { \
+- if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \
++ if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) { \
+ ret = 0; \
+ break; \
+ } \
+-- 
+2.25.1
+
diff --git a/queue-4.9/rdma-ucma-ucma_context-reference-leak-in-error-path.patch b/queue-4.9/rdma-ucma-ucma_context-reference-leak-in-error-path.patch
new file mode 100644
index 00000000000..44da99a0662
--- /dev/null
+++ b/queue-4.9/rdma-ucma-ucma_context-reference-leak-in-error-path.patch
@@ -0,0 +1,47 @@
+From 31975ab5ce2ff4b940ab69d547389198d657ea9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Sep 2020 18:24:49 +0900
+Subject: RDMA/ucma: ucma_context reference leak in error path
+
+From: Shamir Rabinovitch
+
+commit ef95a90ae6f4f21990e1f7ced6719784a409e811 upstream.
+
+Validating input parameters should be done before getting the cm_id
+otherwise it can leak a cm_id reference.
+
+Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size")
+Signed-off-by: Shamir Rabinovitch
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+[iwamatsu: Backported to 4.4, 4.9 and 4.14: adjust context]
+Signed-off-by: Nobuhiro Iwamatsu (CIP)
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/ucma.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index a4f4cd4932657..bb0d728f4b76f 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1296,13 +1296,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+ 
++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
++ return -EINVAL;
++
+ ctx = ucma_get_ctx(file, cmd.id);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+ 
+- if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
+- return -EINVAL;
+-
+ optval = memdup_user((void __user *) (unsigned long) cmd.optval,
+ cmd.optlen);
+ if (IS_ERR(optval)) {
+-- 
+2.25.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 421138f841e..b3162062e6a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1 +1,5 @@
 af_key-pfkey_dump-needs-parameter-validation.patch
+kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
+kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
+rdma-ucma-ucma_context-reference-leak-in-error-path.patch
+mtd-fix-comparison-in-map_word_andequal.patch
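Review bot: The relocated `cmd.optlen > KMALLOC_MAX_SIZE` check in ucma_set_option() is correct but says nothing about the ordering constraint it enforces, so a future validation added after `ctx = ucma_get_ctx(file, cmd.id);` with a bare `return -EINVAL;` would reintroduce exactly the reference leak this patch fixes. Suggest a comment above the check: `/* Validate cmd before ucma_get_ctx(): any return after it must drop the ctx reference. */`. ucma_set_option() continues beyond this hunk, so whether the `IS_ERR(optval)` path releases ctx could not be confirmed from here.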