From: Greg Kroah-Hartman Date: Thu, 4 Mar 2021 14:35:14 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.4.260~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c1ee4ef2198f3db54dc6f207678105a98772b5b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: erofs-fix-shift-out-of-bounds-of-blkszbits.patch jfs-more-checks-for-invalid-superblock.patch media-mceusb-sanity-check-for-prescaler-value.patch media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch riscv-get-rid-of-max_early_mapping_size.patch sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch smackfs-restrict-bytes-count-in-smackfs-write-functions.patch tomoyo-ignore-data-race-while-checking-quota.patch udlfb-fix-memory-leak-in-dlfb_usb_probe.patch xfs-fix-assert-failure-in-xfs_setattr_size.patch --- diff --git a/queue-5.10/erofs-fix-shift-out-of-bounds-of-blkszbits.patch b/queue-5.10/erofs-fix-shift-out-of-bounds-of-blkszbits.patch new file mode 100644 index 00000000000..059dd032a05 --- /dev/null +++ b/queue-5.10/erofs-fix-shift-out-of-bounds-of-blkszbits.patch @@ -0,0 +1,37 @@ +From bde545295b710bdd13a0fcd4b9fddd2383eeeb3a Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Wed, 20 Jan 2021 09:30:16 +0800 +Subject: erofs: fix shift-out-of-bounds of blkszbits + +From: Gao Xiang + +commit bde545295b710bdd13a0fcd4b9fddd2383eeeb3a upstream. + +syzbot generated a crafted bitszbits which can be shifted +out-of-bounds[1]. So directly print unsupported blkszbits +instead of blksize. + +[1] https://lore.kernel.org/r/000000000000c72ddd05b9444d2f@google.com + +Link: https://lore.kernel.org/r/20210120013016.14071-1-hsiangkao@aol.com +Reported-by: syzbot+c68f467cd7c45860e8d4@syzkaller.appspotmail.com +Reviewed-by: Chao Yu +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -158,8 +158,8 @@ static int erofs_read_superblock(struct + blkszbits = dsb->blkszbits; + /* 9(512 bytes) + LOG_SECTORS_PER_BLOCK == LOG_BLOCK_SIZE */ + if (blkszbits != LOG_BLOCK_SIZE) { +- erofs_err(sb, "blksize %u isn't supported on this platform", +- 1 << blkszbits); ++ erofs_err(sb, "blkszbits %u isn't supported on this platform", ++ blkszbits); + goto out; + } + diff --git a/queue-5.10/jfs-more-checks-for-invalid-superblock.patch b/queue-5.10/jfs-more-checks-for-invalid-superblock.patch new file mode 100644 index 00000000000..e9897508613 --- /dev/null +++ b/queue-5.10/jfs-more-checks-for-invalid-superblock.patch @@ -0,0 +1,82 @@ +From 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Fri, 18 Dec 2020 12:17:16 -0800 +Subject: JFS: more checks for invalid superblock + +From: Randy Dunlap + +commit 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 upstream. + +syzbot is feeding invalid superblock data to JFS for mount testing. +JFS does not check several of the fields -- just assumes that they +are good since the JFS_MAGIC and version fields are good. + +In this case (syzbot reproducer), we have s_l2bsize == 0xda0c, +pad == 0xf045, and s_state == 0x50, all of which are invalid IMO. +Having s_l2bsize == 0xda0c causes this UBSAN warning: + UBSAN: shift-out-of-bounds in fs/jfs/jfs_mount.c:373:25 + shift exponent -9716 is negative + +s_l2bsize can be tested for correctness. pad can be tested for non-0 +and punted. s_state can be tested for its valid values and punted. + +Do those 3 tests and if any of them fails, report the superblock as +invalid/corrupt and let fsck handle it. + +With this patch, chkSuper() says this when JFS_DEBUG is enabled: + jfs_mount: Mount Failure: superblock is corrupt! + Mount JFS Failure: -22 + jfs_mount failed w/return code = -22 + +The obvious problem with this method is that next week there could +be another syzbot test that uses different fields for invalid values, +this making this like a game of whack-a-mole. + +syzkaller link: https://syzkaller.appspot.com/bug?extid=36315852ece4132ec193 + +Reported-by: syzbot+36315852ece4132ec193@syzkaller.appspotmail.com +Reported-by: kernel test robot # v2 +Signed-off-by: Randy Dunlap +Signed-off-by: Dave Kleikamp +Cc: jfs-discussion@lists.sourceforge.net +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_filsys.h | 1 + + fs/jfs/jfs_mount.c | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +--- a/fs/jfs/jfs_filsys.h ++++ b/fs/jfs/jfs_filsys.h +@@ -268,5 +268,6 @@ + * fsck() must be run to repair + */ + #define FM_EXTENDFS 0x00000008 /* file system extendfs() in progress */ ++#define FM_STATE_MAX 0x0000000f /* max value of s_state */ + + #endif /* _H_JFS_FILSYS */ +--- a/fs/jfs/jfs_mount.c ++++ b/fs/jfs/jfs_mount.c +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + + #include "jfs_incore.h" + #include "jfs_filsys.h" +@@ -366,6 +367,15 @@ static int chkSuper(struct super_block * + sbi->bsize = bsize; + sbi->l2bsize = le16_to_cpu(j_sb->s_l2bsize); + ++ /* check some fields for possible corruption */ ++ if (sbi->l2bsize != ilog2((u32)bsize) || ++ j_sb->pad != 0 || ++ le32_to_cpu(j_sb->s_state) > FM_STATE_MAX) { ++ rc = -EINVAL; ++ jfs_err("jfs_mount: Mount Failure: superblock is corrupt!"); ++ goto out; ++ } ++ + /* + * For now, ignore s_pbsize, l2bfactor. All I/O going through buffer + * cache. diff --git a/queue-5.10/media-mceusb-sanity-check-for-prescaler-value.patch b/queue-5.10/media-mceusb-sanity-check-for-prescaler-value.patch new file mode 100644 index 00000000000..d4e312ba129 --- /dev/null +++ b/queue-5.10/media-mceusb-sanity-check-for-prescaler-value.patch @@ -0,0 +1,42 @@ +From 9dec0f48a75e0dadca498002d25ef4e143e60194 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Tue, 19 Jan 2021 14:53:50 +0100 +Subject: media: mceusb: sanity check for prescaler value + +From: Sean Young + +commit 9dec0f48a75e0dadca498002d25ef4e143e60194 upstream. + +prescaler larger than 8 would mean the carrier is at most 152Hz, +which does not make sense for IR carriers. + +Reported-by: syzbot+6d31bf169a8265204b8d@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/mceusb.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -701,11 +701,18 @@ static void mceusb_dev_printdata(struct + data[0], data[1]); + break; + case MCE_RSP_EQIRCFS: ++ if (!data[0] && !data[1]) { ++ dev_dbg(dev, "%s: no carrier", inout); ++ break; ++ } ++ // prescaler should make sense ++ if (data[0] > 8) ++ break; + period = DIV_ROUND_CLOSEST((1U << data[0] * 2) * + (data[1] + 1), 10); + if (!period) + break; +- carrier = (1000 * 1000) / period; ++ carrier = USEC_PER_SEC / period; + dev_dbg(dev, "%s carrier of %u Hz (period %uus)", + inout, carrier, period); + break; diff --git a/queue-5.10/media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch b/queue-5.10/media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch new file mode 100644 index 00000000000..9ccde7a4cc7 --- /dev/null +++ b/queue-5.10/media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch @@ -0,0 +1,32 @@ +From 048c96e28674f15c0403deba2104ffba64544a06 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 20 Jan 2021 09:28:02 +0100 +Subject: media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate + +From: Hans Verkuil + +commit 048c96e28674f15c0403deba2104ffba64544a06 upstream. + +If a menu has more than 64 items, then don't check menu_skip_mask +for items 65 and up. + +Signed-off-by: Hans Verkuil +Reported-by: syzbot+42d8c7c3d3e594b34346@syzkaller.appspotmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -1987,7 +1987,8 @@ static int std_validate(const struct v4l + case V4L2_CTRL_TYPE_INTEGER_MENU: + if (ptr.p_s32[idx] < ctrl->minimum || ptr.p_s32[idx] > ctrl->maximum) + return -ERANGE; +- if (ctrl->menu_skip_mask & (1ULL << ptr.p_s32[idx])) ++ if (ptr.p_s32[idx] < BITS_PER_LONG_LONG && ++ (ctrl->menu_skip_mask & BIT_ULL(ptr.p_s32[idx]))) + return -EINVAL; + if (ctrl->type == V4L2_CTRL_TYPE_MENU && + ctrl->qmenu[ptr.p_s32[idx]][0] == '\0') diff --git a/queue-5.10/mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch b/queue-5.10/mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch new file mode 100644 index 00000000000..fd15129ff37 --- /dev/null +++ b/queue-5.10/mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch @@ -0,0 +1,83 @@ +From a1ba9da8f0f9a37d900ff7eff66482cf7de8015e Mon Sep 17 00:00:00 2001 +From: Li Xinhai +Date: Wed, 24 Feb 2021 12:06:54 -0800 +Subject: mm/hugetlb.c: fix unnecessary address expansion of pmd sharing + +From: Li Xinhai + +commit a1ba9da8f0f9a37d900ff7eff66482cf7de8015e upstream. + +The current code would unnecessarily expand the address range. Consider +one example, (start, end) = (1G-2M, 3G+2M), and (vm_start, vm_end) = +(1G-4M, 3G+4M), the expected adjustment should be keep (1G-2M, 3G+2M) +without expand. But the current result will be (1G-4M, 3G+4M). Actually, +the range (1G-4M, 1G) and (3G, 3G+4M) would never been involved in pmd +sharing. + +After this patch, we will check that the vma span at least one PUD aligned +size and the start,end range overlap the aligned range of vma. + +With above example, the aligned vma range is (1G, 3G), so if (start, end) +range is within (1G-4M, 1G), or within (3G, 3G+4M), then no adjustment to +both start and end. Otherwise, we will have chance to adjust start +downwards or end upwards without exceeding (vm_start, vm_end). + +Mike: + +: The 'adjusted range' is used for calls to mmu notifiers and cache(tlb) +: flushing. Since the current code unnecessarily expands the range in some +: cases, more entries than necessary would be flushed. This would/could +: result in performance degradation. However, this is highly dependent on +: the user runtime. Is there a combination of vma layout and calls to +: actually hit this issue? If the issue is hit, will those entries +: unnecessarily flushed be used again and need to be unnecessarily reloaded? + +Link: https://lkml.kernel.org/r/20210104081631.2921415-1-lixinhai.lxh@gmail.com +Fixes: 75802ca66354 ("mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible") +Signed-off-by: Li Xinhai +Suggested-by: Mike Kravetz +Reviewed-by: Mike Kravetz +Cc: Peter Xu +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -5302,21 +5302,23 @@ static bool vma_shareable(struct vm_area + void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, + unsigned long *start, unsigned long *end) + { +- unsigned long a_start, a_end; ++ unsigned long v_start = ALIGN(vma->vm_start, PUD_SIZE), ++ v_end = ALIGN_DOWN(vma->vm_end, PUD_SIZE); + +- if (!(vma->vm_flags & VM_MAYSHARE)) ++ /* ++ * vma need span at least one aligned PUD size and the start,end range ++ * must at least partialy within it. ++ */ ++ if (!(vma->vm_flags & VM_MAYSHARE) || !(v_end > v_start) || ++ (*end <= v_start) || (*start >= v_end)) + return; + + /* Extend the range to be PUD aligned for a worst case scenario */ +- a_start = ALIGN_DOWN(*start, PUD_SIZE); +- a_end = ALIGN(*end, PUD_SIZE); ++ if (*start > v_start) ++ *start = ALIGN_DOWN(*start, PUD_SIZE); + +- /* +- * Intersect the range with the vma range, since pmd sharing won't be +- * across vma after all +- */ +- *start = max(vma->vm_start, a_start); +- *end = min(vma->vm_end, a_end); ++ if (*end < v_end) ++ *end = ALIGN(*end, PUD_SIZE); + } + + /* diff --git a/queue-5.10/nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch b/queue-5.10/nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch new file mode 100644 index 00000000000..0fa4e9146d8 --- /dev/null +++ b/queue-5.10/nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch @@ -0,0 +1,211 @@ +From c9a2f90f4d6b9d42b9912f7aaf68e8d748acfffd Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Mon, 22 Feb 2021 15:09:53 -0500 +Subject: nbd: handle device refs for DESTROY_ON_DISCONNECT properly + +From: Josef Bacik + +commit c9a2f90f4d6b9d42b9912f7aaf68e8d748acfffd upstream. + +There exists a race where we can be attempting to create a new nbd +configuration while a previous configuration is going down, both +configured with DESTROY_ON_DISCONNECT. Normally devices all have a +reference of 1, as they won't be cleaned up until the module is torn +down. However with DESTROY_ON_DISCONNECT we'll make sure that there is +only 1 reference (generally) on the device for the config itself, and +then once the config is dropped, the device is torn down. + +The race that exists looks like this + +TASK1 TASK2 +nbd_genl_connect() + idr_find() + refcount_inc_not_zero(nbd) + * count is 2 here ^^ + nbd_config_put() + nbd_put(nbd) (count is 1) + setup new config + check DESTROY_ON_DISCONNECT + put_dev = true + if (put_dev) nbd_put(nbd) + * free'd here ^^ + +In nbd_genl_connect() we assume that the nbd ref count will be 2, +however clearly that won't be true if the nbd device had been setup as +DESTROY_ON_DISCONNECT with its prior configuration. Fix this by getting +rid of the runtime flag to check if we need to mess with the nbd device +refcount, and use the device NBD_DESTROY_ON_DISCONNECT flag to check if +we need to adjust the ref counts. This was reported by syzkaller with +the following kasan dump + +BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline] +BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] +BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1e0 lib/refcount.c:76 +Read of size 4 at addr ffff888143bf71a0 by task systemd-udevd/8451 + +CPU: 0 PID: 8451 Comm: systemd-udevd Not tainted 5.11.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 + __kasan_report mm/kasan/report.c:396 [inline] + kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 + check_memory_region_inline mm/kasan/generic.c:179 [inline] + check_memory_region+0x13d/0x180 mm/kasan/generic.c:185 + instrument_atomic_read include/linux/instrumented.h:71 [inline] + atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] + refcount_dec_not_one+0x71/0x1e0 lib/refcount.c:76 + refcount_dec_and_mutex_lock+0x19/0x140 lib/refcount.c:115 + nbd_put drivers/block/nbd.c:248 [inline] + nbd_release+0x116/0x190 drivers/block/nbd.c:1508 + __blkdev_put+0x548/0x800 fs/block_dev.c:1579 + blkdev_put+0x92/0x570 fs/block_dev.c:1632 + blkdev_close+0x8c/0xb0 fs/block_dev.c:1640 + __fput+0x283/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x190 kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:174 [inline] + exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201 + __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] + syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fc1e92b5270 +Code: 73 01 c3 48 8b 0d 38 7d 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c1 20 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24 +RSP: 002b:00007ffe8beb2d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 +RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1e92b5270 +RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007 +RBP: 00007fc1ea16f710 R08: 000000000000004a R09: 0000000000000008 +R10: 0000562f8cb0b2a8 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000562f8cb0afd0 R14: 0000000000000003 R15: 000000000000000e + +Allocated by task 1: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:46 [inline] + set_alloc_info mm/kasan/common.c:401 [inline] + ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 + kmalloc include/linux/slab.h:552 [inline] + kzalloc include/linux/slab.h:682 [inline] + nbd_dev_add+0x44/0x8e0 drivers/block/nbd.c:1673 + nbd_init+0x250/0x271 drivers/block/nbd.c:2394 + do_one_initcall+0x103/0x650 init/main.c:1223 + do_initcall_level init/main.c:1296 [inline] + do_initcalls init/main.c:1312 [inline] + do_basic_setup init/main.c:1332 [inline] + kernel_init_freeable+0x605/0x689 init/main.c:1533 + kernel_init+0xd/0x1b8 init/main.c:1421 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 + +Freed by task 8451: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 + kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 + kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356 + ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362 + kasan_slab_free include/linux/kasan.h:192 [inline] + slab_free_hook mm/slub.c:1547 [inline] + slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580 + slab_free mm/slub.c:3143 [inline] + kfree+0xdb/0x3b0 mm/slub.c:4139 + nbd_dev_remove drivers/block/nbd.c:243 [inline] + nbd_put.part.0+0x180/0x1d0 drivers/block/nbd.c:251 + nbd_put drivers/block/nbd.c:295 [inline] + nbd_config_put+0x6dd/0x8c0 drivers/block/nbd.c:1242 + nbd_release+0x103/0x190 drivers/block/nbd.c:1507 + __blkdev_put+0x548/0x800 fs/block_dev.c:1579 + blkdev_put+0x92/0x570 fs/block_dev.c:1632 + blkdev_close+0x8c/0xb0 fs/block_dev.c:1640 + __fput+0x283/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x190 kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:174 [inline] + exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201 + __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] + syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff888143bf7000 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 416 bytes inside of + 1024-byte region [ffff888143bf7000, ffff888143bf7400) +The buggy address belongs to the page: +page:000000005238f4ce refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143bf0 +head:000000005238f4ce order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x57ff00000010200(slab|head) +raw: 057ff00000010200 ffffea00004b1400 0000000300000003 ffff888010c41140 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888143bf7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888143bf7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888143bf7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888143bf7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Reported-and-tested-by: syzbot+429d3f82d757c211bff3@syzkaller.appspotmail.com +Signed-off-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/nbd.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -78,8 +78,7 @@ struct link_dead_args { + #define NBD_RT_HAS_PID_FILE 3 + #define NBD_RT_HAS_CONFIG_REF 4 + #define NBD_RT_BOUND 5 +-#define NBD_RT_DESTROY_ON_DISCONNECT 6 +-#define NBD_RT_DISCONNECT_ON_CLOSE 7 ++#define NBD_RT_DISCONNECT_ON_CLOSE 6 + + #define NBD_DESTROY_ON_DISCONNECT 0 + #define NBD_DISCONNECT_REQUESTED 1 +@@ -1955,12 +1954,21 @@ again: + if (info->attrs[NBD_ATTR_CLIENT_FLAGS]) { + u64 flags = nla_get_u64(info->attrs[NBD_ATTR_CLIENT_FLAGS]); + if (flags & NBD_CFLAG_DESTROY_ON_DISCONNECT) { +- set_bit(NBD_RT_DESTROY_ON_DISCONNECT, +- &config->runtime_flags); +- set_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags); +- put_dev = true; ++ /* ++ * We have 1 ref to keep the device around, and then 1 ++ * ref for our current operation here, which will be ++ * inherited by the config. If we already have ++ * DESTROY_ON_DISCONNECT set then we know we don't have ++ * that extra ref already held so we don't need the ++ * put_dev. ++ */ ++ if (!test_and_set_bit(NBD_DESTROY_ON_DISCONNECT, ++ &nbd->flags)) ++ put_dev = true; + } else { +- clear_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags); ++ if (test_and_clear_bit(NBD_DESTROY_ON_DISCONNECT, ++ &nbd->flags)) ++ refcount_inc(&nbd->refs); + } + if (flags & NBD_CFLAG_DISCONNECT_ON_CLOSE) { + set_bit(NBD_RT_DISCONNECT_ON_CLOSE, +@@ -2131,15 +2139,13 @@ static int nbd_genl_reconfigure(struct s + if (info->attrs[NBD_ATTR_CLIENT_FLAGS]) { + u64 flags = nla_get_u64(info->attrs[NBD_ATTR_CLIENT_FLAGS]); + if (flags & NBD_CFLAG_DESTROY_ON_DISCONNECT) { +- if (!test_and_set_bit(NBD_RT_DESTROY_ON_DISCONNECT, +- &config->runtime_flags)) ++ if (!test_and_set_bit(NBD_DESTROY_ON_DISCONNECT, ++ &nbd->flags)) + put_dev = true; +- set_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags); + } else { +- if (test_and_clear_bit(NBD_RT_DESTROY_ON_DISCONNECT, +- &config->runtime_flags)) ++ if (test_and_clear_bit(NBD_DESTROY_ON_DISCONNECT, ++ &nbd->flags)) + refcount_inc(&nbd->refs); +- clear_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags); + } + + if (flags & NBD_CFLAG_DISCONNECT_ON_CLOSE) { diff --git a/queue-5.10/net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch b/queue-5.10/net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch new file mode 100644 index 00000000000..7b3e1babff5 --- /dev/null +++ b/queue-5.10/net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch @@ -0,0 +1,57 @@ +From 27e9c1de529919d8dd7d072415d3bcae77709300 Mon Sep 17 00:00:00 2001 +From: Alexander Egorenkov +Date: Thu, 28 Jan 2021 12:41:04 +0100 +Subject: net/af_iucv: remove WARN_ONCE on malformed RX packets + +From: Alexander Egorenkov + +commit 27e9c1de529919d8dd7d072415d3bcae77709300 upstream. + +syzbot reported the following finding: + +AF_IUCV failed to receive skb, len=0 +WARNING: CPU: 0 PID: 522 at net/iucv/af_iucv.c:2039 afiucv_hs_rcv+0x174/0x190 net/iucv/af_iucv.c:2039 +CPU: 0 PID: 522 Comm: syz-executor091 Not tainted 5.10.0-rc1-syzkaller-07082-g55027a88ec9f #0 +Hardware name: IBM 3906 M04 701 (KVM/Linux) +Call Trace: + [<00000000b87ea538>] afiucv_hs_rcv+0x178/0x190 net/iucv/af_iucv.c:2039 +([<00000000b87ea534>] afiucv_hs_rcv+0x174/0x190 net/iucv/af_iucv.c:2039) + [<00000000b796533e>] __netif_receive_skb_one_core+0x13e/0x188 net/core/dev.c:5315 + [<00000000b79653ce>] __netif_receive_skb+0x46/0x1c0 net/core/dev.c:5429 + [<00000000b79655fe>] netif_receive_skb_internal+0xb6/0x220 net/core/dev.c:5534 + [<00000000b796ac3a>] netif_receive_skb+0x42/0x318 net/core/dev.c:5593 + [<00000000b6fd45f4>] tun_rx_batched.isra.0+0x6fc/0x860 drivers/net/tun.c:1485 + [<00000000b6fddc4e>] tun_get_user+0x1c26/0x27f0 drivers/net/tun.c:1939 + [<00000000b6fe0f00>] tun_chr_write_iter+0x158/0x248 drivers/net/tun.c:1968 + [<00000000b4f22bfa>] call_write_iter include/linux/fs.h:1887 [inline] + [<00000000b4f22bfa>] new_sync_write+0x442/0x648 fs/read_write.c:518 + [<00000000b4f238fe>] vfs_write.part.0+0x36e/0x5d8 fs/read_write.c:605 + [<00000000b4f2984e>] vfs_write+0x10e/0x148 fs/read_write.c:615 + [<00000000b4f29d0e>] ksys_write+0x166/0x290 fs/read_write.c:658 + [<00000000b8dc4ab4>] system_call+0xe0/0x28c arch/s390/kernel/entry.S:415 +Last Breaking-Event-Address: + [<00000000b8dc64d4>] __s390_indirect_jump_r14+0x0/0xc + +Malformed RX packets shouldn't generate any warnings because +debugging info already flows to dropmon via the kfree_skb(). + +Signed-off-by: Alexander Egorenkov +Reviewed-by: Julian Wiedmann +Signed-off-by: Julian Wiedmann +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/iucv/af_iucv.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -2036,7 +2036,6 @@ static int afiucv_hs_rcv(struct sk_buff + char nullstring[8]; + + if (!pskb_may_pull(skb, sizeof(*trans_hdr))) { +- WARN_ONCE(1, "AF_IUCV failed to receive skb, len=%u", skb->len); + kfree_skb(skb); + return NET_RX_SUCCESS; + } diff --git a/queue-5.10/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch b/queue-5.10/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch new file mode 100644 index 00000000000..5b2c7357bf6 --- /dev/null +++ b/queue-5.10/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch @@ -0,0 +1,54 @@ +From 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 Mon Sep 17 00:00:00 2001 +From: Marco Elver +Date: Mon, 1 Feb 2021 17:04:20 +0100 +Subject: net: fix up truesize of cloned skb in skb_prepare_for_shift() + +From: Marco Elver + +commit 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 upstream. + +Avoid the assumption that ksize(kmalloc(S)) == ksize(kmalloc(S)): when +cloning an skb, save and restore truesize after pskb_expand_head(). This +can occur if the allocator decides to service an allocation of the same +size differently (e.g. use a different size class, or pass the +allocation on to KFENCE). + +Because truesize is used for bookkeeping (such as sk_wmem_queued), a +modified truesize of a cloned skb may result in corrupt bookkeeping and +relevant warnings (such as in sk_stream_kill_queues()). + +Link: https://lkml.kernel.org/r/X9JR/J6dMMOy1obu@elver.google.com +Reported-by: syzbot+7b99aafdcc2eedea6178@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Marco Elver +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20210201160420.2826895-1-elver@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3285,7 +3285,19 @@ EXPORT_SYMBOL(skb_split); + */ + static int skb_prepare_for_shift(struct sk_buff *skb) + { +- return skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC); ++ int ret = 0; ++ ++ if (skb_cloned(skb)) { ++ /* Save and restore truesize: pskb_expand_head() may reallocate ++ * memory where ksize(kmalloc(S)) != ksize(kmalloc(S)), but we ++ * cannot change truesize at this point. ++ */ ++ unsigned int save_truesize = skb->truesize; ++ ++ ret = pskb_expand_head(skb, 0, 0, GFP_ATOMIC); ++ skb->truesize = save_truesize; ++ } ++ return ret; + } + + /** diff --git a/queue-5.10/riscv-get-rid-of-max_early_mapping_size.patch b/queue-5.10/riscv-get-rid-of-max_early_mapping_size.patch new file mode 100644 index 00000000000..279e1f6fd93 --- /dev/null +++ b/queue-5.10/riscv-get-rid-of-max_early_mapping_size.patch @@ -0,0 +1,98 @@ +From 0f02de4481da684aad6589aed0ea47bd1ab391c9 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Sun, 21 Feb 2021 09:22:33 -0500 +Subject: riscv: Get rid of MAX_EARLY_MAPPING_SIZE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandre Ghiti + +commit 0f02de4481da684aad6589aed0ea47bd1ab391c9 upstream. + +At early boot stage, we have a whole PGDIR to map the kernel, so there +is no need to restrict the early mapping size to 128MB. Removing this +define also allows us to simplify some compile time logic. + +This fixes large kernel mappings with a size greater than 128MB, as it +is the case for syzbot kernels whose size was just ~130MB. + +Note that on rv64, for now, we are then limited to PGDIR size for early +mapping as we can't use PGD mappings (see [1]). That should be enough +given the relative small size of syzbot kernels compared to PGDIR_SIZE +which is 1GB. + +[1] https://lore.kernel.org/lkml/20200603153608.30056-1-alex@ghiti.fr/ + +Reported-by: Dmitry Vyukov +Signed-off-by: Alexandre Ghiti +Tested-by: Dmitry Vyukov +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/mm/init.c | 21 +++++---------------- + 1 file changed, 5 insertions(+), 16 deletions(-) + +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -222,8 +222,6 @@ pgd_t swapper_pg_dir[PTRS_PER_PGD] __pag + pgd_t trampoline_pg_dir[PTRS_PER_PGD] __page_aligned_bss; + pte_t fixmap_pte[PTRS_PER_PTE] __page_aligned_bss; + +-#define MAX_EARLY_MAPPING_SIZE SZ_128M +- + pgd_t early_pg_dir[PTRS_PER_PGD] __initdata __aligned(PAGE_SIZE); + + void __set_fixmap(enum fixed_addresses idx, phys_addr_t phys, pgprot_t prot) +@@ -298,13 +296,7 @@ static void __init create_pte_mapping(pt + + pmd_t trampoline_pmd[PTRS_PER_PMD] __page_aligned_bss; + pmd_t fixmap_pmd[PTRS_PER_PMD] __page_aligned_bss; +- +-#if MAX_EARLY_MAPPING_SIZE < PGDIR_SIZE +-#define NUM_EARLY_PMDS 1UL +-#else +-#define NUM_EARLY_PMDS (1UL + MAX_EARLY_MAPPING_SIZE / PGDIR_SIZE) +-#endif +-pmd_t early_pmd[PTRS_PER_PMD * NUM_EARLY_PMDS] __initdata __aligned(PAGE_SIZE); ++pmd_t early_pmd[PTRS_PER_PMD] __initdata __aligned(PAGE_SIZE); + pmd_t early_dtb_pmd[PTRS_PER_PMD] __initdata __aligned(PAGE_SIZE); + + static pmd_t *__init get_pmd_virt_early(phys_addr_t pa) +@@ -326,11 +318,9 @@ static pmd_t *get_pmd_virt_late(phys_add + + static phys_addr_t __init alloc_pmd_early(uintptr_t va) + { +- uintptr_t pmd_num; ++ BUG_ON((va - PAGE_OFFSET) >> PGDIR_SHIFT); + +- pmd_num = (va - PAGE_OFFSET) >> PGDIR_SHIFT; +- BUG_ON(pmd_num >= NUM_EARLY_PMDS); +- return (uintptr_t)&early_pmd[pmd_num * PTRS_PER_PMD]; ++ return (uintptr_t)early_pmd; + } + + static phys_addr_t __init alloc_pmd_fixmap(uintptr_t va) +@@ -448,7 +438,7 @@ asmlinkage void __init setup_vm(uintptr_ + uintptr_t va, pa, end_va; + uintptr_t load_pa = (uintptr_t)(&_start); + uintptr_t load_sz = (uintptr_t)(&_end) - load_pa; +- uintptr_t map_size = best_map_size(load_pa, MAX_EARLY_MAPPING_SIZE); ++ uintptr_t map_size; + #ifndef __PAGETABLE_PMD_FOLDED + pmd_t fix_bmap_spmd, fix_bmap_epmd; + #endif +@@ -460,12 +450,11 @@ asmlinkage void __init setup_vm(uintptr_ + * Enforce boot alignment requirements of RV32 and + * RV64 by only allowing PMD or PGD mappings. + */ +- BUG_ON(map_size == PAGE_SIZE); ++ map_size = PMD_SIZE; + + /* Sanity check alignment and size */ + BUG_ON((PAGE_OFFSET % PGDIR_SIZE) != 0); + BUG_ON((load_pa % map_size) != 0); +- BUG_ON(load_sz > MAX_EARLY_MAPPING_SIZE); + + pt_ops.alloc_pte = alloc_pte_early; + pt_ops.get_pte_virt = get_pte_virt_early; diff --git a/queue-5.10/sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch b/queue-5.10/sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch new file mode 100644 index 00000000000..683892a50a3 --- /dev/null +++ b/queue-5.10/sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch @@ -0,0 +1,61 @@ +From 1b7af295541d75535374325fd617944534853919 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Sat, 29 Aug 2020 10:22:24 -0700 +Subject: sched/core: Allow try_invoke_on_locked_down_task() with irqs disabled + +From: Peter Zijlstra + +commit 1b7af295541d75535374325fd617944534853919 upstream. + +The try_invoke_on_locked_down_task() function currently requires +that interrupts be enabled, but it is called with interrupts +disabled from rcu_print_task_stall(), resulting in an "IRQs not +enabled as expected" diagnostic. This commit therefore updates +try_invoke_on_locked_down_task() to use raw_spin_lock_irqsave() instead +of raw_spin_lock_irq(), thus allowing use from either context. + +Link: https://lore.kernel.org/lkml/000000000000903d5805ab908fc4@google.com/ +Link: https://lore.kernel.org/lkml/20200928075729.GC2611@hirez.programming.kicks-ass.net/ +Reported-by: syzbot+cb3b69ae80afd6535b0e@syzkaller.appspotmail.com +Signed-off-by: Peter Zijlstra +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -2989,7 +2989,7 @@ out: + + /** + * try_invoke_on_locked_down_task - Invoke a function on task in fixed state +- * @p: Process for which the function is to be invoked. ++ * @p: Process for which the function is to be invoked, can be @current. + * @func: Function to invoke. + * @arg: Argument to function. + * +@@ -3007,12 +3007,11 @@ out: + */ + bool try_invoke_on_locked_down_task(struct task_struct *p, bool (*func)(struct task_struct *t, void *arg), void *arg) + { +- bool ret = false; + struct rq_flags rf; ++ bool ret = false; + struct rq *rq; + +- lockdep_assert_irqs_enabled(); +- raw_spin_lock_irq(&p->pi_lock); ++ raw_spin_lock_irqsave(&p->pi_lock, rf.flags); + if (p->on_rq) { + rq = __task_rq_lock(p, &rf); + if (task_rq(p) == rq) +@@ -3029,7 +3028,7 @@ bool try_invoke_on_locked_down_task(stru + ret = func(p, arg); + } + } +- raw_spin_unlock_irq(&p->pi_lock); ++ raw_spin_unlock_irqrestore(&p->pi_lock, rf.flags); + return ret; + } + diff --git a/queue-5.10/series b/queue-5.10/series index f8038a9af9b..f98db729a01 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -3,3 +3,17 @@ input-elantech-fix-protocol-errors-for-some-trackpoints-in-smbus-mode.patch input-elan_i2c-add-new-trackpoint-report-type-0x5f.patch drm-virtio-use-kvmalloc-for-large-allocations.patch x86-build-treat-r_386_plt32-relocation-as-r_386_pc32.patch +jfs-more-checks-for-invalid-superblock.patch +sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch +udlfb-fix-memory-leak-in-dlfb_usb_probe.patch +media-mceusb-sanity-check-for-prescaler-value.patch +erofs-fix-shift-out-of-bounds-of-blkszbits.patch +media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch +xfs-fix-assert-failure-in-xfs_setattr_size.patch +net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch +smackfs-restrict-bytes-count-in-smackfs-write-functions.patch +tomoyo-ignore-data-race-while-checking-quota.patch +net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch +riscv-get-rid-of-max_early_mapping_size.patch +nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch +mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch diff --git a/queue-5.10/smackfs-restrict-bytes-count-in-smackfs-write-functions.patch b/queue-5.10/smackfs-restrict-bytes-count-in-smackfs-write-functions.patch new file mode 100644 index 00000000000..e896b53a95a --- /dev/null +++ b/queue-5.10/smackfs-restrict-bytes-count-in-smackfs-write-functions.patch @@ -0,0 +1,108 @@ +From 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 Mon Sep 17 00:00:00 2001 +From: Sabyrzhan Tasbolatov +Date: Thu, 28 Jan 2021 17:58:01 +0600 +Subject: smackfs: restrict bytes count in smackfs write functions + +From: Sabyrzhan Tasbolatov + +commit 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 upstream. + +syzbot found WARNINGs in several smackfs write operations where +bytes count is passed to memdup_user_nul which exceeds +GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE. + +Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO, +smk_write_net6addr accepts any label or -DELETE. I couldn't find +any general rule for other label lengths except SMK_LABELLEN, +SMK_LONGLABEL, SMK_CIPSOMAX which are documented. + +Let's constrain, in general, smackfs label lengths for PAGE_SIZE. +Although fuzzer crashes write to smackfs/netlabel on 0x400000 length. + +Here is a quick way to reproduce the WARNING: +python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel + +Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com +Signed-off-by: Sabyrzhan Tasbolatov +Signed-off-by: Casey Schaufler +Signed-off-by: Greg Kroah-Hartman +--- + security/smack/smackfs.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -1167,7 +1167,7 @@ static ssize_t smk_write_net4addr(struct + return -EPERM; + if (*ppos != 0) + return -EINVAL; +- if (count < SMK_NETLBLADDRMIN) ++ if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) + return -EINVAL; + + data = memdup_user_nul(buf, count); +@@ -1427,7 +1427,7 @@ static ssize_t smk_write_net6addr(struct + return -EPERM; + if (*ppos != 0) + return -EINVAL; +- if (count < SMK_NETLBLADDRMIN) ++ if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) + return -EINVAL; + + data = memdup_user_nul(buf, count); +@@ -1834,6 +1834,10 @@ static ssize_t smk_write_ambient(struct + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ /* Enough data must be present */ ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ if (count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2092,6 +2099,9 @@ static ssize_t smk_write_unconfined(stru + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ if (count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2647,6 +2657,10 @@ static ssize_t smk_write_syslog(struct f + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ /* Enough data must be present */ ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2739,10 +2753,13 @@ static ssize_t smk_write_relabel_self(st + return -EPERM; + + /* ++ * No partial write. + * Enough data must be present. + */ + if (*ppos != 0) + return -EINVAL; ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; + + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) diff --git a/queue-5.10/tomoyo-ignore-data-race-while-checking-quota.patch b/queue-5.10/tomoyo-ignore-data-race-while-checking-quota.patch new file mode 100644 index 00000000000..de1215cb507 --- /dev/null +++ b/queue-5.10/tomoyo-ignore-data-race-while-checking-quota.patch @@ -0,0 +1,177 @@ +From 5797e861e402fff2bedce4ec8b7c89f4248b6073 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 1 Feb 2021 11:52:11 +0900 +Subject: tomoyo: ignore data race while checking quota + +From: Tetsuo Handa + +commit 5797e861e402fff2bedce4ec8b7c89f4248b6073 upstream. + +syzbot is reporting that tomoyo's quota check is racy [1]. But this check +is tolerant of some degree of inaccuracy. Thus, teach KCSAN to ignore +this data race. + +[1] https://syzkaller.appspot.com/bug?id=999533deec7ba6337f8aa25d8bd1a4d5f7e50476 + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Greg Kroah-Hartman +--- + security/tomoyo/file.c | 16 ++++++++-------- + security/tomoyo/network.c | 8 ++++---- + security/tomoyo/util.c | 24 ++++++++++++------------ + 3 files changed, 24 insertions(+), 24 deletions(-) + +--- a/security/tomoyo/file.c ++++ b/security/tomoyo/file.c +@@ -362,14 +362,14 @@ static bool tomoyo_merge_path_acl(struct + { + u16 * const a_perm = &container_of(a, struct tomoyo_path_acl, head) + ->perm; +- u16 perm = *a_perm; ++ u16 perm = READ_ONCE(*a_perm); + const u16 b_perm = container_of(b, struct tomoyo_path_acl, head)->perm; + + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +@@ -437,7 +437,7 @@ static bool tomoyo_merge_mkdev_acl(struc + { + u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl, + head)->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_mkdev_acl, head) + ->perm; + +@@ -445,7 +445,7 @@ static bool tomoyo_merge_mkdev_acl(struc + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +@@ -517,14 +517,14 @@ static bool tomoyo_merge_path2_acl(struc + { + u8 * const a_perm = &container_of(a, struct tomoyo_path2_acl, head) + ->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_path2_acl, head)->perm; + + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +@@ -655,7 +655,7 @@ static bool tomoyo_merge_path_number_acl + { + u8 * const a_perm = &container_of(a, struct tomoyo_path_number_acl, + head)->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_path_number_acl, head) + ->perm; + +@@ -663,7 +663,7 @@ static bool tomoyo_merge_path_number_acl + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +--- a/security/tomoyo/network.c ++++ b/security/tomoyo/network.c +@@ -233,14 +233,14 @@ static bool tomoyo_merge_inet_acl(struct + { + u8 * const a_perm = + &container_of(a, struct tomoyo_inet_acl, head)->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_inet_acl, head)->perm; + + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +@@ -259,14 +259,14 @@ static bool tomoyo_merge_unix_acl(struct + { + u8 * const a_perm = + &container_of(a, struct tomoyo_unix_acl, head)->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_unix_acl, head)->perm; + + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +--- a/security/tomoyo/util.c ++++ b/security/tomoyo/util.c +@@ -1053,30 +1053,30 @@ bool tomoyo_domain_quota_is_ok(struct to + + if (ptr->is_deleted) + continue; ++ /* ++ * Reading perm bitmap might race with tomoyo_merge_*() because ++ * caller does not hold tomoyo_policy_lock mutex. But exceeding ++ * max_learning_entry parameter by a few entries does not harm. ++ */ + switch (ptr->type) { + case TOMOYO_TYPE_PATH_ACL: +- perm = container_of(ptr, struct tomoyo_path_acl, head) +- ->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_path_acl, head)->perm); + break; + case TOMOYO_TYPE_PATH2_ACL: +- perm = container_of(ptr, struct tomoyo_path2_acl, head) +- ->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_path2_acl, head)->perm); + break; + case TOMOYO_TYPE_PATH_NUMBER_ACL: +- perm = container_of(ptr, struct tomoyo_path_number_acl, +- head)->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_path_number_acl, head) ++ ->perm); + break; + case TOMOYO_TYPE_MKDEV_ACL: +- perm = container_of(ptr, struct tomoyo_mkdev_acl, +- head)->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_mkdev_acl, head)->perm); + break; + case TOMOYO_TYPE_INET_ACL: +- perm = container_of(ptr, struct tomoyo_inet_acl, +- head)->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_inet_acl, head)->perm); + break; + case TOMOYO_TYPE_UNIX_ACL: +- perm = container_of(ptr, struct tomoyo_unix_acl, +- head)->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_unix_acl, head)->perm); + break; + case TOMOYO_TYPE_MANUAL_TASK_ACL: + perm = 0; diff --git a/queue-5.10/udlfb-fix-memory-leak-in-dlfb_usb_probe.patch b/queue-5.10/udlfb-fix-memory-leak-in-dlfb_usb_probe.patch new file mode 100644 index 00000000000..c3fa16b2388 --- /dev/null +++ b/queue-5.10/udlfb-fix-memory-leak-in-dlfb_usb_probe.patch @@ -0,0 +1,59 @@ +From 5c0e4110f751934e748a66887c61f8e73805f0f9 Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Tue, 15 Dec 2020 14:30:22 +0800 +Subject: udlfb: Fix memory leak in dlfb_usb_probe + +From: Zqiang + +commit 5c0e4110f751934e748a66887c61f8e73805f0f9 upstream. + +The dlfb_alloc_urb_list function is called in dlfb_usb_probe function, +after that if an error occurs, the dlfb_free_urb_list function need to +be called. + +BUG: memory leak +unreferenced object 0xffff88810adde100 (size 32): + comm "kworker/1:0", pid 17, jiffies 4294947788 (age 19.520s) + hex dump (first 32 bytes): + 10 30 c3 0d 81 88 ff ff c0 fa 63 12 81 88 ff ff .0........c..... + 00 30 c3 0d 81 88 ff ff 80 d1 3a 08 81 88 ff ff .0........:..... + backtrace: + [<0000000019512953>] kmalloc include/linux/slab.h:552 [inline] + [<0000000019512953>] kzalloc include/linux/slab.h:664 [inline] + [<0000000019512953>] dlfb_alloc_urb_list drivers/video/fbdev/udlfb.c:1892 [inline] + [<0000000019512953>] dlfb_usb_probe.cold+0x289/0x988 drivers/video/fbdev/udlfb.c:1704 + [<0000000072160152>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 + [<00000000a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554 + [<00000000c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738 + [<00000000e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844 + [<00000000de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431 + [<00000000463fbcb4>] __device_attach+0x122/0x250 drivers/base/dd.c:912 + [<00000000b881a711>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491 + [<00000000364bbda5>] device_add+0x5ac/0xc30 drivers/base/core.c:2936 + [<00000000eecca418>] usb_set_configuration+0x9de/0xb90 drivers/usb/core/message.c:2159 + [<00000000edfeca2d>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 + [<000000001830872b>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 + [<00000000a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554 + [<00000000c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738 + [<00000000e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844 + [<00000000de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431 + +Reported-by: syzbot+c9e365d7f450e8aa615d@syzkaller.appspotmail.com +Signed-off-by: Zqiang +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20201215063022.16746-1-qiang.zhang@windriver.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/udlfb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1017,6 +1017,7 @@ static void dlfb_ops_destroy(struct fb_i + } + vfree(dlfb->backing_buffer); + kfree(dlfb->edid); ++ dlfb_free_urb_list(dlfb); + usb_put_dev(dlfb->udev); + kfree(dlfb); + diff --git a/queue-5.10/xfs-fix-assert-failure-in-xfs_setattr_size.patch b/queue-5.10/xfs-fix-assert-failure-in-xfs_setattr_size.patch new file mode 100644 index 00000000000..ff6ed55b51d --- /dev/null +++ b/queue-5.10/xfs-fix-assert-failure-in-xfs_setattr_size.patch @@ -0,0 +1,35 @@ +From 88a9e03beef22cc5fabea344f54b9a0dfe63de08 Mon Sep 17 00:00:00 2001 +From: Yumei Huang +Date: Fri, 22 Jan 2021 16:48:19 -0800 +Subject: xfs: Fix assert failure in xfs_setattr_size() + +From: Yumei Huang + +commit 88a9e03beef22cc5fabea344f54b9a0dfe63de08 upstream. + +An assert failure is triggered by syzkaller test due to +ATTR_KILL_PRIV is not cleared before xfs_setattr_size. +As ATTR_KILL_PRIV is not checked/used by xfs_setattr_size, +just remove it from the assert. + +Signed-off-by: Yumei Huang +Reviewed-by: Brian Foster +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_iops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -865,7 +865,7 @@ xfs_setattr_size( + ASSERT(xfs_isilocked(ip, XFS_MMAPLOCK_EXCL)); + ASSERT(S_ISREG(inode->i_mode)); + ASSERT((iattr->ia_valid & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| +- ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); ++ ATTR_MTIME_SET|ATTR_TIMES_SET)) == 0); + + oldsize = inode->i_size; + newsize = iattr->ia_size;